authorCy Schubert <cy@FreeBSD.org>2023-06-26 22:56:52 +0000
committerCy Schubert <cy@FreeBSD.org>2023-06-26 22:56:52 +0000
commitb6a943f7197af1a5eb6bb028b9b808ec5016e30c (patch)
treecfbb91e940dd89d0e1d46095f43c228d7d079fa0 /lib/hx509
parent6f4e10db3298f6d65e1e646fe52aaafc3682b788 (diff)
Heimdal 7.8.0 does not support OpenSSL 3.0. 7.9.0 will, but it has not been released yet. We are importing f62e2f278 for its OpenSSL 3.0 support.
Diffstat (limited to 'lib/hx509')
-rw-r--r--lib/hx509/Makefile.am100
-rw-r--r--lib/hx509/Makefile.in2337
-rw-r--r--lib/hx509/NTMakefile51
-rw-r--r--lib/hx509/ca.c1889
-rw-r--r--lib/hx509/cert.c621
-rw-r--r--lib/hx509/cms.c109
-rw-r--r--lib/hx509/collector.c27
-rw-r--r--lib/hx509/crmf.asn1113
-rw-r--r--lib/hx509/crypto-ec.c513
-rw-r--r--lib/hx509/crypto.c156
-rw-r--r--lib/hx509/data/PKITS.pdfbin0 -> 754584 bytes
-rw-r--r--lib/hx509/data/ca.crt60
-rw-r--r--lib/hx509/data/ca.key100
-rw-r--r--lib/hx509/data/crl1.crl26
-rw-r--r--lib/hx509/data/crl1.derbin649 -> 649 bytes
-rw-r--r--lib/hx509/data/https.crt188
-rw-r--r--lib/hx509/data/https.key100
-rw-r--r--lib/hx509/data/kdc.crt192
-rw-r--r--lib/hx509/data/kdc.key100
-rw-r--r--lib/hx509/data/no-proxy-test.crt56
-rw-r--r--lib/hx509/data/no-proxy-test.key100
-rw-r--r--lib/hx509/data/ocsp-req1.derbin105 -> 105 bytes
-rw-r--r--lib/hx509/data/ocsp-req2.derbin105 -> 105 bytes
-rw-r--r--lib/hx509/data/ocsp-resp1-ca.derbin2157 -> 2159 bytes
-rw-r--r--lib/hx509/data/ocsp-resp1-keyhash.derbin2058 -> 2060 bytes
-rw-r--r--lib/hx509/data/ocsp-resp1-ocsp-no-cert.derbin748 -> 748 bytes
-rw-r--r--lib/hx509/data/ocsp-resp1-ocsp.derbin2076 -> 2078 bytes
-rw-r--r--lib/hx509/data/ocsp-resp2.derbin2093 -> 2095 bytes
-rw-r--r--lib/hx509/data/ocsp-responder.crt190
-rw-r--r--lib/hx509/data/ocsp-responder.key100
-rw-r--r--lib/hx509/data/pkinit-ec.crt112
-rw-r--r--lib/hx509/data/pkinit-ec.key6
-rw-r--r--lib/hx509/data/pkinit-proxy-chain.crt246
-rw-r--r--lib/hx509/data/pkinit-proxy.crt56
-rw-r--r--lib/hx509/data/pkinit-proxy.key100
-rw-r--r--lib/hx509/data/pkinit-pw.key100
-rw-r--r--lib/hx509/data/pkinit.crt190
-rw-r--r--lib/hx509/data/pkinit.key100
-rw-r--r--lib/hx509/data/proxy-level-test.crt58
-rw-r--r--lib/hx509/data/proxy-level-test.key100
-rw-r--r--lib/hx509/data/proxy-test.crt56
-rw-r--r--lib/hx509/data/proxy-test.key100
-rw-r--r--lib/hx509/data/proxy10-child-child-test.crt58
-rw-r--r--lib/hx509/data/proxy10-child-child-test.key100
-rw-r--r--lib/hx509/data/proxy10-child-test.crt58
-rw-r--r--lib/hx509/data/proxy10-child-test.key100
-rw-r--r--lib/hx509/data/proxy10-test.crt56
-rw-r--r--lib/hx509/data/proxy10-test.key100
-rw-r--r--lib/hx509/data/revoke.crt188
-rw-r--r--lib/hx509/data/revoke.key100
-rw-r--r--lib/hx509/data/sub-ca.crt196
-rw-r--r--lib/hx509/data/sub-ca.key100
-rw-r--r--lib/hx509/data/sub-cert.crt188
-rw-r--r--lib/hx509/data/sub-cert.key100
-rw-r--r--lib/hx509/data/sub-cert.p12bin7064 -> 7072 bytes
-rw-r--r--lib/hx509/data/tcg-devid.pem24
-rw-r--r--lib/hx509/data/tcg-ek-cp.pem24
-rw-r--r--lib/hx509/data/test-ds-only.crt190
-rw-r--r--lib/hx509/data/test-ds-only.key100
-rw-r--r--lib/hx509/data/test-enveloped-aes-128bin3547 -> 3547 bytes
-rw-r--r--lib/hx509/data/test-enveloped-aes-256bin3547 -> 3547 bytes
-rw-r--r--lib/hx509/data/test-enveloped-desbin3527 -> 3527 bytes
-rw-r--r--lib/hx509/data/test-enveloped-des-ede3bin3530 -> 3530 bytes
-rw-r--r--lib/hx509/data/test-enveloped-rc2-128bin3535 -> 3535 bytes
-rw-r--r--lib/hx509/data/test-enveloped-rc2-40bin3536 -> 3536 bytes
-rw-r--r--lib/hx509/data/test-enveloped-rc2-64bin3535 -> 3535 bytes
-rw-r--r--lib/hx509/data/test-ke-only.crt190
-rw-r--r--lib/hx509/data/test-ke-only.key100
-rw-r--r--lib/hx509/data/test-nopw.p12bin5508 -> 5510 bytes
-rw-r--r--lib/hx509/data/test-pw.key100
-rw-r--r--lib/hx509/data/test-signed-databin5055 -> 5057 bytes
-rw-r--r--lib/hx509/data/test-signed-data-noattrbin4824 -> 4826 bytes
-rw-r--r--lib/hx509/data/test-signed-data-noattr-nocertsbin3537 -> 3537 bytes
-rw-r--r--lib/hx509/data/test-signed-sha-1bin5035 -> 5037 bytes
-rw-r--r--lib/hx509/data/test-signed-sha-256bin5055 -> 5057 bytes
-rw-r--r--lib/hx509/data/test-signed-sha-512bin5088 -> 5090 bytes
-rw-r--r--lib/hx509/data/test.combined.crt288
-rw-r--r--lib/hx509/data/test.crt188
-rw-r--r--lib/hx509/data/test.key100
-rw-r--r--lib/hx509/data/test.p12bin5600 -> 5608 bytes
-rw-r--r--lib/hx509/env.c10
-rw-r--r--lib/hx509/error.c75
-rw-r--r--lib/hx509/file.c105
-rw-r--r--lib/hx509/hx509-private.h493
-rw-r--r--lib/hx509/hx509-protos.h3154
-rw-r--r--lib/hx509/hx509.h37
-rw-r--r--lib/hx509/hx509_err.et1
-rw-r--r--lib/hx509/hx_locl.h11
-rw-r--r--lib/hx509/hxtool-commands.in290
-rw-r--r--lib/hx509/hxtool.1380
-rw-r--r--lib/hx509/hxtool.c1255
-rw-r--r--lib/hx509/keyset.c121
-rw-r--r--lib/hx509/ks_dir.c9
-rw-r--r--lib/hx509/ks_file.c219
-rw-r--r--lib/hx509/ks_keychain.c10
-rw-r--r--lib/hx509/ks_mem.c5
-rw-r--r--lib/hx509/ks_null.c3
-rw-r--r--lib/hx509/ks_p11.c22
-rw-r--r--lib/hx509/ks_p12.c106
-rw-r--r--lib/hx509/libhx509-exports.def76
-rw-r--r--lib/hx509/lock.c30
-rw-r--r--lib/hx509/name.c696
-rw-r--r--lib/hx509/ocsp.asn1113
-rw-r--r--lib/hx509/ocsp.opt2
-rw-r--r--lib/hx509/peer.c18
-rw-r--r--lib/hx509/pkcs10.asn125
-rw-r--r--lib/hx509/pkcs10.opt1
-rw-r--r--lib/hx509/print.c415
-rw-r--r--lib/hx509/req.c1440
-rw-r--r--lib/hx509/revoke.c58
-rw-r--r--lib/hx509/sel-gram.c1546
-rw-r--r--lib/hx509/sel-gram.h108
-rw-r--r--lib/hx509/sel-gram.y4
-rw-r--r--lib/hx509/sel-lex.c1941
-rw-r--r--lib/hx509/sel.c15
-rw-r--r--lib/hx509/sel.h14
-rw-r--r--lib/hx509/softp11.c48
-rw-r--r--lib/hx509/test_ca.in28
-rw-r--r--lib/hx509/test_name.c88
-rw-r--r--lib/hx509/test_nist.in15
-rw-r--r--lib/hx509/test_req.in110
-rw-r--r--lib/hx509/version-script.map67
122 files changed, 10308 insertions, 13856 deletions
diff --git a/lib/hx509/Makefile.am b/lib/hx509/Makefile.am
index b21d85202c1f..fe13451d1f24 100644
--- a/lib/hx509/Makefile.am
+++ b/lib/hx509/Makefile.am
@@ -2,56 +2,16 @@ include $(top_srcdir)/Makefile.am.common
AM_CPPFLAGS += $(INCLUDE_openssl_crypto)
-lib_LTLIBRARIES = libhx509.la
+lib_LTLIBRARIES = libhx509.la libhx509template.la
libhx509_la_LDFLAGS = -version-info 5:0:0
+libhx509template_la_LDFLAGS = -version-info 5:0:0
BUILT_SOURCES = \
sel-gram.h \
- $(gen_files_ocsp:.x=.c) \
- $(gen_files_pkcs10:.x=.c) \
hx509_err.c \
hx509_err.h
-gen_files_ocsp = \
- asn1_OCSPBasicOCSPResponse.x \
- asn1_OCSPCertID.x \
- asn1_OCSPCertStatus.x \
- asn1_OCSPInnerRequest.x \
- asn1_OCSPKeyHash.x \
- asn1_OCSPRequest.x \
- asn1_OCSPResponderID.x \
- asn1_OCSPResponse.x \
- asn1_OCSPResponseBytes.x \
- asn1_OCSPResponseData.x \
- asn1_OCSPResponseStatus.x \
- asn1_OCSPSignature.x \
- asn1_OCSPSingleResponse.x \
- asn1_OCSPTBSRequest.x \
- asn1_OCSPVersion.x \
- asn1_id_pkix_ocsp.x \
- asn1_id_pkix_ocsp_basic.x \
- asn1_id_pkix_ocsp_nonce.x
-
-gen_files_pkcs10 = \
- asn1_CertificationRequestInfo.x \
- asn1_CertificationRequest.x
-
-gen_files_crmf = \
- asn1_CRMFRDNSequence.x \
- asn1_CertReqMessages.x \
- asn1_CertReqMsg.x \
- asn1_CertRequest.x \
- asn1_CertTemplate.x \
- asn1_Controls.x \
- asn1_PBMParameter.x \
- asn1_PKMACValue.x \
- asn1_POPOPrivKey.x \
- asn1_POPOSigningKey.x \
- asn1_POPOSigningKeyInput.x \
- asn1_ProofOfPossession.x \
- asn1_SubsequentMessage.x
-
-AM_YFLAGS = -d
+AM_YFLAGS = -d -o sel-gram.c
dist_libhx509_la_SOURCES = \
ca.c \
@@ -88,9 +48,13 @@ dist_libhx509_la_SOURCES = \
req.c \
revoke.c
+dist_libhx509template_la_SOURCES = $(dist_libhx509_la_SOURCES)
+
+sel-gram.h: sel-gram.c
sel-lex.c: sel-gram.h
libhx509_la_DEPENDENCIES = version-script.map
+libhx509template_la_DEPENDENCIES = version-script.map
libhx509_la_LIBADD = \
$(LIB_com_err) \
@@ -102,43 +66,36 @@ libhx509_la_LIBADD = \
$(LIBADD_roken) \
$(LIB_dlopen)
+libhx509template_la_LIBADD = \
+ $(LIB_com_err) \
+ $(LIB_hcrypto) \
+ $(LIB_openssl_crypto) \
+ $(top_builddir)/lib/asn1/libasn1template.la \
+ $(top_builddir)/lib/wind/libwind.la \
+ $(top_builddir)/lib/base/libheimbase.la \
+ $(LIBADD_roken) \
+ $(LIB_dlopen)
+
if FRAMEWORK_SECURITY
libhx509_la_LDFLAGS += -framework Security -framework CoreFoundation
+libhx509template_la_LDFLAGS += -framework Security -framework CoreFoundation
endif
if versionscript
libhx509_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
+libhx509template_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
endif
$(libhx509_la_OBJECTS): $(srcdir)/version-script.map $(nodist_include_HEADERS) $(priv_headers)
+$(libhx509template_la_OBJECTS): $(srcdir)/version-script.map $(nodist_include_HEADERS) $(priv_headers)
nodist_libhx509_la_SOURCES = $(BUILT_SOURCES)
-
-$(gen_files_ocsp) ocsp_asn1.hx ocsp_asn1-priv.hx: ocsp_asn1_files
-$(gen_files_pkcs10) pkcs10_asn1.hx pkcs10_asn1-priv.hx: pkcs10_asn1_files
-$(gen_files_crmf) crmf_asn1.hx crmf_asn1-priv.hx: crmf_asn1_files
+nodist_libhx509template_la_SOURCES = $(BUILT_SOURCES)
dist_include_HEADERS = hx509.h $(srcdir)/hx509-protos.h
noinst_HEADERS = $(srcdir)/hx509-private.h
nodist_include_HEADERS = hx509_err.h
-nodist_include_HEADERS += ocsp_asn1.h
-nodist_include_HEADERS += pkcs10_asn1.h
-nodist_include_HEADERS += crmf_asn1.h
-
-priv_headers = ocsp_asn1-priv.h
-priv_headers += pkcs10_asn1-priv.h
-priv_headers += crmf_asn1-priv.h
-
-
-ocsp_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/ocsp.asn1 $(srcdir)/ocsp.opt
- $(heim_verbose)$(ASN1_COMPILE) --option-file=$(srcdir)/ocsp.opt $(srcdir)/ocsp.asn1 ocsp_asn1 || (rm -f ocsp_asn1_files ; exit 1)
-
-pkcs10_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/pkcs10.asn1 $(srcdir)/pkcs10.opt
- $(heim_verbose)$(ASN1_COMPILE) --option-file=$(srcdir)/pkcs10.opt $(srcdir)/pkcs10.asn1 pkcs10_asn1 || (rm -f pkcs10_asn1_files ; exit 1)
-
-crmf_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/crmf.asn1
- $(heim_verbose)$(ASN1_COMPILE) $(srcdir)/crmf.asn1 crmf_asn1 || (rm -f crmf_asn1_files ; exit 1)
ALL_OBJECTS = $(libhx509_la_OBJECTS)
ALL_OBJECTS += $(hxtool_OBJECTS)
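Review bot: The new libhx509template.la gets its own LDFLAGS, LIBADD and DEPENDENCIES mirroring libhx509.la, but the two unchanged ALL_OBJECTS lines at the end of this hunk still collect only $(libhx509_la_OBJECTS) and $(hxtool_OBJECTS), so the `$(ALL_OBJECTS): $(HX509_PROTOS)` ordering rule further down does not name $(libhx509template_la_OBJECTS). If automake shares the .lo files between the two libraries (identical sources, no per-target compile flags visible here) this is harmless; if it emits separate objects, the generated prototype headers are not guaranteed to exist before the template objects compile. Adding `ALL_OBJECTS += $(libhx509template_la_OBJECTS)` next to the existing line makes the dependency explicit either way.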
@@ -148,7 +105,7 @@ HX509_PROTOS = $(srcdir)/hx509-protos.h $(srcdir)/hx509-private.h
$(ALL_OBJECTS): $(HX509_PROTOS)
$(libhx509_la_OBJECTS): $(srcdir)/hx_locl.h
-$(libhx509_la_OBJECTS): ocsp_asn1.h pkcs10_asn1.h
+$(libhx509template_la_OBJECTS): $(srcdir)/hx_locl.h
$(srcdir)/hx509-protos.h: $(dist_libhx509_la_SOURCES)
$(heim_verbose)cd $(srcdir) && perl ../../cf/make-proto.pl -R '^(_|^C)' -E HX509_LIB -q -P comment -o hx509-protos.h $(dist_libhx509_la_SOURCES) || rm -f hx509-protos.h
@@ -167,19 +124,13 @@ nodist_hxtool_SOURCES = hxtool-commands.c hxtool-commands.h
$(hxtool_OBJECTS): hxtool-commands.h $(nodist_include_HEADERS)
hxtool_LDADD = \
- libhx509.la \
+ libhx509template.la \
$(top_builddir)/lib/asn1/libasn1.la \
$(LIB_hcrypto) \
$(LIB_roken) \
$(top_builddir)/lib/sl/libsl.la
CLEANFILES = $(BUILT_SOURCES) sel-gram.c sel-lex.c \
- $(gen_files_ocsp) ocsp_asn1_files ocsp_asn1{,-priv}.h* \
- ocsp_asn1-template.[chx]* \
- $(gen_files_pkcs10) pkcs10_asn1_files pkcs10_asn1{,-priv}.h* \
- pkcs10_asn1-template.[chx]* \
- $(gen_files_crmf) crmf_asn1_files crmf_asn1{,-priv}.h* \
- crmf_asn1-template.[chx]* \
$(TESTS) \
hxtool-commands.c hxtool-commands.h *.tmp \
request.out \
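Review bot: hxtool_LDADD now links libhx509template.la but still lists $(top_builddir)/lib/asn1/libasn1.la, whereas libhx509template.la itself is built against libasn1template.la in the LIBADD hunk above. If both ASN.1 libraries export the same symbol names, hxtool ends up with two providers on its link line and which copy satisfies each reference becomes link-order dependent. Either change the line to `$(top_builddir)/lib/asn1/libasn1template.la` to match the library it depends on, or add a comment stating that mixing the two backends in hxtool is intentional. The CLEANFILES assignment at the end of this hunk continues past the hunk.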
@@ -314,14 +265,9 @@ EXTRA_DIST = \
hxtool-version.rc \
libhx509-exports.def \
version-script.map \
- crmf.asn1 \
hx509_err.et \
hxtool-commands.in \
quote.py \
- ocsp.asn1 \
- ocsp.opt \
- pkcs10.asn1 \
- pkcs10.opt \
test_ca.in \
test_chain.in \
test_cert.in \
diff --git a/lib/hx509/Makefile.in b/lib/hx509/Makefile.in
deleted file mode 100644
index 19eabe4bc552..000000000000
--- a/lib/hx509/Makefile.in
+++ /dev/null
@@ -1,2337 +0,0 @@
-# Makefile.in generated by automake 1.16.5 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994-2021 Free Software Foundation, Inc.
-
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-# $Id$
-
-# $Id$
-
-
-
-VPATH = @srcdir@
-am__is_gnu_make = { \
- if test -z '$(MAKELEVEL)'; then \
- false; \
- elif test -n '$(MAKE_HOST)'; then \
- true; \
- elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
- true; \
- else \
- false; \
- fi; \
-}
-am__make_running_with_option = \
- case $${target_option-} in \
- ?) ;; \
- *) echo "am__make_running_with_option: internal error: invalid" \
- "target option '$${target_option-}' specified" >&2; \
- exit 1;; \
- esac; \
- has_opt=no; \
- sane_makeflags=$$MAKEFLAGS; \
- if $(am__is_gnu_make); then \
- sane_makeflags=$$MFLAGS; \
- else \
- case $$MAKEFLAGS in \
- *\\[\ \ ]*) \
- bs=\\; \
- sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
- | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
- esac; \
- fi; \
- skip_next=no; \
- strip_trailopt () \
- { \
- flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
- }; \
- for flg in $$sane_makeflags; do \
- test $$skip_next = yes && { skip_next=no; continue; }; \
- case $$flg in \
- *=*|--*) continue;; \
- -*I) strip_trailopt 'I'; skip_next=yes;; \
- -*I?*) strip_trailopt 'I';; \
- -*O) strip_trailopt 'O'; skip_next=yes;; \
- -*O?*) strip_trailopt 'O';; \
- -*l) strip_trailopt 'l'; skip_next=yes;; \
- -*l?*) strip_trailopt 'l';; \
- -[dEDm]) skip_next=yes;; \
- -[JT]) skip_next=yes;; \
- esac; \
- case $$flg in \
- *$$target_option*) has_opt=yes; break;; \
- esac; \
- done; \
- test $$has_opt = yes
-am__make_dryrun = (target_option=n; $(am__make_running_with_option))
-am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-@FRAMEWORK_SECURITY_TRUE@am__append_1 = -framework Security -framework CoreFoundation
-@versionscript_TRUE@am__append_2 = $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
-bin_PROGRAMS = hxtool$(EXEEXT)
-check_PROGRAMS = $(am__EXEEXT_1) test_soft_pkcs11$(EXEEXT)
-TESTS = $(SCRIPT_TESTS) $(am__EXEEXT_1)
-subdir = lib/hx509
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
- $(top_srcdir)/cf/auth-modules.m4 \
- $(top_srcdir)/cf/broken-glob.m4 \
- $(top_srcdir)/cf/broken-realloc.m4 \
- $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
- $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
- $(top_srcdir)/cf/capabilities.m4 \
- $(top_srcdir)/cf/check-compile-et.m4 \
- $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
- $(top_srcdir)/cf/check-man.m4 \
- $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
- $(top_srcdir)/cf/check-type-extra.m4 \
- $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/crypto.m4 \
- $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
- $(top_srcdir)/cf/dispatch.m4 $(top_srcdir)/cf/dlopen.m4 \
- $(top_srcdir)/cf/find-func-no-libs.m4 \
- $(top_srcdir)/cf/find-func-no-libs2.m4 \
- $(top_srcdir)/cf/find-func.m4 \
- $(top_srcdir)/cf/find-if-not-broken.m4 \
- $(top_srcdir)/cf/framework-security.m4 \
- $(top_srcdir)/cf/have-struct-field.m4 \
- $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
- $(top_srcdir)/cf/krb-bigendian.m4 \
- $(top_srcdir)/cf/krb-func-getlogin.m4 \
- $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
- $(top_srcdir)/cf/krb-prog-perl.m4 \
- $(top_srcdir)/cf/krb-readline.m4 \
- $(top_srcdir)/cf/krb-struct-spwd.m4 \
- $(top_srcdir)/cf/krb-struct-winsize.m4 \
- $(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/libtool.m4 \
- $(top_srcdir)/cf/ltoptions.m4 $(top_srcdir)/cf/ltsugar.m4 \
- $(top_srcdir)/cf/ltversion.m4 $(top_srcdir)/cf/lt~obsolete.m4 \
- $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
- $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
- $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/pkg.m4 \
- $(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
- $(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
- $(top_srcdir)/cf/roken-frag.m4 \
- $(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
- $(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
- $(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
- $(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
- $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
- $(ACLOCAL_M4)
-DIST_COMMON = $(srcdir)/Makefile.am $(dist_include_HEADERS) \
- $(noinst_HEADERS) $(am__DIST_COMMON)
-mkinstalldirs = $(install_sh) -d
-CONFIG_HEADER = $(top_builddir)/include/config.h
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libdir)" \
- "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)"
-am__EXEEXT_1 = test_name$(EXEEXT) test_expr$(EXEEXT)
-PROGRAMS = $(bin_PROGRAMS)
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
- $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
- *) f=$$p;; \
- esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
- srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
- for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
- for p in $$list; do echo "$$p $$p"; done | \
- sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
- $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
- if (++n[$$2] == $(am__install_max)) \
- { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
- END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
- sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
- sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
- test -z "$$files" \
- || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
- || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
- $(am__cd) "$$dir" && rm -f $$files; }; \
- }
-LTLIBRARIES = $(lib_LTLIBRARIES)
-am__DEPENDENCIES_1 =
-dist_libhx509_la_OBJECTS = ca.lo cert.lo cms.lo collector.lo crypto.lo \
- crypto-ec.lo doxygen.lo error.lo env.lo file.lo sel.lo \
- sel-gram.lo sel-lex.lo keyset.lo ks_dir.lo ks_file.lo \
- ks_mem.lo ks_null.lo ks_p11.lo ks_p12.lo ks_keychain.lo \
- lock.lo name.lo peer.lo print.lo softp11.lo req.lo revoke.lo
-am__objects_1 = asn1_OCSPBasicOCSPResponse.lo asn1_OCSPCertID.lo \
- asn1_OCSPCertStatus.lo asn1_OCSPInnerRequest.lo \
- asn1_OCSPKeyHash.lo asn1_OCSPRequest.lo \
- asn1_OCSPResponderID.lo asn1_OCSPResponse.lo \
- asn1_OCSPResponseBytes.lo asn1_OCSPResponseData.lo \
- asn1_OCSPResponseStatus.lo asn1_OCSPSignature.lo \
- asn1_OCSPSingleResponse.lo asn1_OCSPTBSRequest.lo \
- asn1_OCSPVersion.lo asn1_id_pkix_ocsp.lo \
- asn1_id_pkix_ocsp_basic.lo asn1_id_pkix_ocsp_nonce.lo
-am__objects_2 = asn1_CertificationRequestInfo.lo \
- asn1_CertificationRequest.lo
-am__objects_3 = $(am__objects_1) $(am__objects_2) hx509_err.lo
-nodist_libhx509_la_OBJECTS = $(am__objects_3)
-libhx509_la_OBJECTS = $(dist_libhx509_la_OBJECTS) \
- $(nodist_libhx509_la_OBJECTS)
-AM_V_lt = $(am__v_lt_@AM_V@)
-am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
-am__v_lt_0 = --silent
-am__v_lt_1 =
-libhx509_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
- $(libhx509_la_LDFLAGS) $(LDFLAGS) -o $@
-dist_hxtool_OBJECTS = hxtool.$(OBJEXT)
-nodist_hxtool_OBJECTS = hxtool-commands.$(OBJEXT)
-hxtool_OBJECTS = $(dist_hxtool_OBJECTS) $(nodist_hxtool_OBJECTS)
-hxtool_DEPENDENCIES = libhx509.la $(top_builddir)/lib/asn1/libasn1.la \
- $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/sl/libsl.la
-test_expr_SOURCES = test_expr.c
-test_expr_OBJECTS = test_expr.$(OBJEXT)
-test_expr_DEPENDENCIES = libhx509.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la
-test_name_SOURCES = test_name.c
-test_name_OBJECTS = test_name.$(OBJEXT)
-test_name_DEPENDENCIES = libhx509.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la
-test_soft_pkcs11_SOURCES = test_soft_pkcs11.c
-test_soft_pkcs11_OBJECTS = test_soft_pkcs11.$(OBJEXT)
-test_soft_pkcs11_DEPENDENCIES = libhx509.la \
- $(top_builddir)/lib/asn1/libasn1.la
-AM_V_P = $(am__v_P_@AM_V@)
-am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
-am__v_P_0 = false
-am__v_P_1 = :
-AM_V_GEN = $(am__v_GEN_@AM_V@)
-am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
-am__v_GEN_0 = @echo " GEN " $@;
-am__v_GEN_1 =
-AM_V_at = $(am__v_at_@AM_V@)
-am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
-am__v_at_0 = @
-am__v_at_1 =
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__maybe_remake_depfiles = depfiles
-am__depfiles_remade = ./$(DEPDIR)/asn1_CertificationRequest.Plo \
- ./$(DEPDIR)/asn1_CertificationRequestInfo.Plo \
- ./$(DEPDIR)/asn1_OCSPBasicOCSPResponse.Plo \
- ./$(DEPDIR)/asn1_OCSPCertID.Plo \
- ./$(DEPDIR)/asn1_OCSPCertStatus.Plo \
- ./$(DEPDIR)/asn1_OCSPInnerRequest.Plo \
- ./$(DEPDIR)/asn1_OCSPKeyHash.Plo \
- ./$(DEPDIR)/asn1_OCSPRequest.Plo \
- ./$(DEPDIR)/asn1_OCSPResponderID.Plo \
- ./$(DEPDIR)/asn1_OCSPResponse.Plo \
- ./$(DEPDIR)/asn1_OCSPResponseBytes.Plo \
- ./$(DEPDIR)/asn1_OCSPResponseData.Plo \
- ./$(DEPDIR)/asn1_OCSPResponseStatus.Plo \
- ./$(DEPDIR)/asn1_OCSPSignature.Plo \
- ./$(DEPDIR)/asn1_OCSPSingleResponse.Plo \
- ./$(DEPDIR)/asn1_OCSPTBSRequest.Plo \
- ./$(DEPDIR)/asn1_OCSPVersion.Plo \
- ./$(DEPDIR)/asn1_id_pkix_ocsp.Plo \
- ./$(DEPDIR)/asn1_id_pkix_ocsp_basic.Plo \
- ./$(DEPDIR)/asn1_id_pkix_ocsp_nonce.Plo ./$(DEPDIR)/ca.Plo \
- ./$(DEPDIR)/cert.Plo ./$(DEPDIR)/cms.Plo \
- ./$(DEPDIR)/collector.Plo ./$(DEPDIR)/crypto-ec.Plo \
- ./$(DEPDIR)/crypto.Plo ./$(DEPDIR)/doxygen.Plo \
- ./$(DEPDIR)/env.Plo ./$(DEPDIR)/error.Plo ./$(DEPDIR)/file.Plo \
- ./$(DEPDIR)/hx509_err.Plo ./$(DEPDIR)/hxtool-commands.Po \
- ./$(DEPDIR)/hxtool.Po ./$(DEPDIR)/keyset.Plo \
- ./$(DEPDIR)/ks_dir.Plo ./$(DEPDIR)/ks_file.Plo \
- ./$(DEPDIR)/ks_keychain.Plo ./$(DEPDIR)/ks_mem.Plo \
- ./$(DEPDIR)/ks_null.Plo ./$(DEPDIR)/ks_p11.Plo \
- ./$(DEPDIR)/ks_p12.Plo ./$(DEPDIR)/lock.Plo \
- ./$(DEPDIR)/name.Plo ./$(DEPDIR)/peer.Plo \
- ./$(DEPDIR)/print.Plo ./$(DEPDIR)/req.Plo \
- ./$(DEPDIR)/revoke.Plo ./$(DEPDIR)/sel-gram.Plo \
- ./$(DEPDIR)/sel-lex.Plo ./$(DEPDIR)/sel.Plo \
- ./$(DEPDIR)/softp11.Plo ./$(DEPDIR)/test_expr.Po \
- ./$(DEPDIR)/test_name.Po ./$(DEPDIR)/test_soft_pkcs11.Po
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
- $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
- $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
- $(AM_CFLAGS) $(CFLAGS)
-AM_V_CC = $(am__v_CC_@AM_V@)
-am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
-am__v_CC_0 = @echo " CC " $@;
-am__v_CC_1 =
-CCLD = $(CC)
-LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
- $(AM_LDFLAGS) $(LDFLAGS) -o $@
-AM_V_CCLD = $(am__v_CCLD_@AM_V@)
-am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
-am__v_CCLD_0 = @echo " CCLD " $@;
-am__v_CCLD_1 =
-@MAINTAINER_MODE_FALSE@am__skiplex = test -f $@ ||
-LEXCOMPILE = $(LEX) $(AM_LFLAGS) $(LFLAGS)
-LTLEXCOMPILE = $(LIBTOOL) $(AM_V_lt) $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=compile $(LEX) $(AM_LFLAGS) $(LFLAGS)
-AM_V_LEX = $(am__v_LEX_@AM_V@)
-am__v_LEX_ = $(am__v_LEX_@AM_DEFAULT_V@)
-am__v_LEX_0 = @echo " LEX " $@;
-am__v_LEX_1 =
-YLWRAP = $(top_srcdir)/ylwrap
-@MAINTAINER_MODE_FALSE@am__skipyacc = test -f $@ ||
-am__yacc_c2h = sed -e s/cc$$/hh/ -e s/cpp$$/hpp/ -e s/cxx$$/hxx/ \
- -e s/c++$$/h++/ -e s/c$$/h/
-YACCCOMPILE = $(YACC) $(AM_YFLAGS) $(YFLAGS)
-LTYACCCOMPILE = $(LIBTOOL) $(AM_V_lt) $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=compile $(YACC) $(AM_YFLAGS) $(YFLAGS)
-AM_V_YACC = $(am__v_YACC_@AM_V@)
-am__v_YACC_ = $(am__v_YACC_@AM_DEFAULT_V@)
-am__v_YACC_0 = @echo " YACC " $@;
-am__v_YACC_1 =
-SOURCES = $(dist_libhx509_la_SOURCES) $(nodist_libhx509_la_SOURCES) \
- $(dist_hxtool_SOURCES) $(nodist_hxtool_SOURCES) test_expr.c \
- test_name.c test_soft_pkcs11.c
-DIST_SOURCES = $(dist_libhx509_la_SOURCES) $(dist_hxtool_SOURCES) \
- test_expr.c test_name.c test_soft_pkcs11.c
-am__can_run_installinfo = \
- case $$AM_UPDATE_INFO_DIR in \
- n|no|NO) false;; \
- *) (install-info --version) >/dev/null 2>&1;; \
- esac
-HEADERS = $(dist_include_HEADERS) $(nodist_include_HEADERS) \
- $(noinst_HEADERS)
-am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
-# Read a list of newline-separated strings from the standard input,
-# and print each of them once, without duplicates. Input order is
-# *not* preserved.
-am__uniquify_input = $(AWK) '\
- BEGIN { nonempty = 0; } \
- { items[$$0] = 1; nonempty = 1; } \
- END { if (nonempty) { for (i in items) print i; }; } \
-'
-# Make sure the list of sources is unique. This is necessary because,
-# e.g., the same source file might be shared among _SOURCES variables
-# for different programs/libraries.
-am__define_uniq_tagged_files = \
- list='$(am__tagged_files)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | $(am__uniquify_input)`
-am__tty_colors_dummy = \
- mgn= red= grn= lgn= blu= brg= std=; \
- am__color_tests=no
-am__tty_colors = { \
- $(am__tty_colors_dummy); \
- if test "X$(AM_COLOR_TESTS)" = Xno; then \
- am__color_tests=no; \
- elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
- am__color_tests=yes; \
- elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
- am__color_tests=yes; \
- fi; \
- if test $$am__color_tests = yes; then \
- red=''; \
- grn=''; \
- lgn=''; \
- blu=''; \
- mgn=''; \
- brg=''; \
- std=''; \
- fi; \
-}
-am__recheck_rx = ^[ ]*:recheck:[ ]*
-am__global_test_result_rx = ^[ ]*:global-test-result:[ ]*
-am__copy_in_global_log_rx = ^[ ]*:copy-in-global-log:[ ]*
-# A command that, given a newline-separated list of test names on the
-# standard input, print the name of the tests that are to be re-run
-# upon "make recheck".
-am__list_recheck_tests = $(AWK) '{ \
- recheck = 1; \
- while ((rc = (getline line < ($$0 ".trs"))) != 0) \
- { \
- if (rc < 0) \
- { \
- if ((getline line2 < ($$0 ".log")) < 0) \
- recheck = 0; \
- break; \
- } \
- else if (line ~ /$(am__recheck_rx)[nN][Oo]/) \
- { \
- recheck = 0; \
- break; \
- } \
- else if (line ~ /$(am__recheck_rx)[yY][eE][sS]/) \
- { \
- break; \
- } \
- }; \
- if (recheck) \
- print $$0; \
- close ($$0 ".trs"); \
- close ($$0 ".log"); \
-}'
-# A command that, given a newline-separated list of test names on the
-# standard input, create the global log from their .trs and .log files.
-am__create_global_log = $(AWK) ' \
-function fatal(msg) \
-{ \
- print "fatal: making $@: " msg | "cat >&2"; \
- exit 1; \
-} \
-function rst_section(header) \
-{ \
- print header; \
- len = length(header); \
- for (i = 1; i <= len; i = i + 1) \
- printf "="; \
- printf "\n\n"; \
-} \
-{ \
- copy_in_global_log = 1; \
- global_test_result = "RUN"; \
- while ((rc = (getline line < ($$0 ".trs"))) != 0) \
- { \
- if (rc < 0) \
- fatal("failed to read from " $$0 ".trs"); \
- if (line ~ /$(am__global_test_result_rx)/) \
- { \
- sub("$(am__global_test_result_rx)", "", line); \
- sub("[ ]*$$", "", line); \
- global_test_result = line; \
- } \
- else if (line ~ /$(am__copy_in_global_log_rx)[nN][oO]/) \
- copy_in_global_log = 0; \
- }; \
- if (copy_in_global_log) \
- { \
- rst_section(global_test_result ": " $$0); \
- while ((rc = (getline line < ($$0 ".log"))) != 0) \
- { \
- if (rc < 0) \
- fatal("failed to read from " $$0 ".log"); \
- print line; \
- }; \
- printf "\n"; \
- }; \
- close ($$0 ".trs"); \
- close ($$0 ".log"); \
-}'
-# Restructured Text title.
-am__rst_title = { sed 's/.*/ & /;h;s/./=/g;p;x;s/ *$$//;p;g' && echo; }
-# Solaris 10 'make', and several other traditional 'make' implementations,
-# pass "-e" to $(SHELL), and POSIX 2008 even requires this. Work around it
-# by disabling -e (using the XSI extension "set +e") if it's set.
-am__sh_e_setup = case $$- in *e*) set +e;; esac
-# Default flags passed to test drivers.
-am__common_driver_flags = \
- --color-tests "$$am__color_tests" \
- --enable-hard-errors "$$am__enable_hard_errors" \
- --expect-failure "$$am__expect_failure"
-# To be inserted before the command running the test. Creates the
-# directory for the log if needed. Stores in $dir the directory
-# containing $f, in $tst the test, in $log the log. Executes the
-# developer- defined test setup AM_TESTS_ENVIRONMENT (if any), and
-# passes TESTS_ENVIRONMENT. Set up options for the wrapper that
-# will run the test scripts (or their associated LOG_COMPILER, if
-# thy have one).
-am__check_pre = \
-$(am__sh_e_setup); \
-$(am__vpath_adj_setup) $(am__vpath_adj) \
-$(am__tty_colors); \
-srcdir=$(srcdir); export srcdir; \
-case "$@" in \
- */*) am__odir=`echo "./$@" | sed 's|/[^/]*$$||'`;; \
- *) am__odir=.;; \
-esac; \
-test "x$$am__odir" = x"." || test -d "$$am__odir" \
- || $(MKDIR_P) "$$am__odir" || exit $$?; \
-if test -f "./$$f"; then dir=./; \
-elif test -f "$$f"; then dir=; \
-else dir="$(srcdir)/"; fi; \
-tst=$$dir$$f; log='$@'; \
-if test -n '$(DISABLE_HARD_ERRORS)'; then \
- am__enable_hard_errors=no; \
-else \
- am__enable_hard_errors=yes; \
-fi; \
-case " $(XFAIL_TESTS) " in \
- *[\ \ ]$$f[\ \ ]* | *[\ \ ]$$dir$$f[\ \ ]*) \
- am__expect_failure=yes;; \
- *) \
- am__expect_failure=no;; \
-esac; \
-$(AM_TESTS_ENVIRONMENT) $(TESTS_ENVIRONMENT)
-# A shell command to get the names of the tests scripts with any registered
-# extension removed (i.e., equivalently, the names of the test logs, with
-# the '.log' extension removed). The result is saved in the shell variable
-# '$bases'. This honors runtime overriding of TESTS and TEST_LOGS. Sadly,
-# we cannot use something simpler, involving e.g., "$(TEST_LOGS:.log=)",
-# since that might cause problem with VPATH rewrites for suffix-less tests.
-# See also 'test-harness-vpath-rewrite.sh' and 'test-trs-basic.sh'.
-am__set_TESTS_bases = \
- bases='$(TEST_LOGS)'; \
- bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
- bases=`echo $$bases`
-AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)'
-RECHECK_LOGS = $(TEST_LOGS)
-AM_RECURSIVE_TARGETS = check recheck
-TEST_SUITE_LOG = test-suite.log
-TEST_EXTENSIONS = @EXEEXT@ .test
-LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
-LOG_COMPILE = $(LOG_COMPILER) $(AM_LOG_FLAGS) $(LOG_FLAGS)
-am__set_b = \
- case '$@' in \
- */*) \
- case '$*' in \
- */*) b='$*';; \
- *) b=`echo '$@' | sed 's/\.log$$//'`; \
- esac;; \
- *) \
- b='$*';; \
- esac
-am__test_logs1 = $(TESTS:=.log)
-am__test_logs2 = $(am__test_logs1:@EXEEXT@.log=.log)
-TEST_LOGS = $(am__test_logs2:.test.log=.log)
-TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
-TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \
- $(TEST_LOG_FLAGS)
-am__DIST_COMMON = $(srcdir)/Makefile.in \
- $(top_srcdir)/Makefile.am.common \
- $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/depcomp \
- $(top_srcdir)/test-driver $(top_srcdir)/ylwrap ChangeLog TODO \
- sel-gram.c sel-gram.h sel-lex.c
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AMTAR = @AMTAR@
-AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
-AR = @AR@
-AS = @AS@
-ASN1_COMPILE = @ASN1_COMPILE@
-ASN1_COMPILE_DEP = @ASN1_COMPILE_DEP@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-CANONICAL_HOST = @CANONICAL_HOST@
-CAPNG_CFLAGS = @CAPNG_CFLAGS@
-CAPNG_LIBS = @CAPNG_LIBS@
-CATMAN = @CATMAN@
-CATMANEXT = @CATMANEXT@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CLANG_FORMAT = @CLANG_FORMAT@
-COMPILE_ET = @COMPILE_ET@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CSCOPE = @CSCOPE@
-CTAGS = @CTAGS@
-CYGPATH_W = @CYGPATH_W@
-DB1LIB = @DB1LIB@
-DB3LIB = @DB3LIB@
-DBHEADER = @DBHEADER@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DIR_com_err = @DIR_com_err@
-DIR_hdbdir = @DIR_hdbdir@
-DIR_roken = @DIR_roken@
-DLLTOOL = @DLLTOOL@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-ENABLE_AFS_STRING_TO_KEY = @ENABLE_AFS_STRING_TO_KEY@
-ETAGS = @ETAGS@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-FILECMD = @FILECMD@
-GCD_MIG = @GCD_MIG@
-GREP = @GREP@
-GROFF = @GROFF@
-INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_libedit = @INCLUDE_libedit@
-INCLUDE_libintl = @INCLUDE_libintl@
-INCLUDE_openldap = @INCLUDE_openldap@
-INCLUDE_openssl_crypto = @INCLUDE_openssl_crypto@
-INCLUDE_readline = @INCLUDE_readline@
-INCLUDE_sqlite3 = @INCLUDE_sqlite3@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBADD_roken = @LIBADD_roken@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
-LIB_bswap16 = @LIB_bswap16@
-LIB_bswap32 = @LIB_bswap32@
-LIB_bswap64 = @LIB_bswap64@
-LIB_com_err = @LIB_com_err@
-LIB_com_err_a = @LIB_com_err_a@
-LIB_com_err_so = @LIB_com_err_so@
-LIB_crypt = @LIB_crypt@
-LIB_db_create = @LIB_db_create@
-LIB_dbm_firstkey = @LIB_dbm_firstkey@
-LIB_dbopen = @LIB_dbopen@
-LIB_dispatch_async_f = @LIB_dispatch_async_f@
-LIB_dladdr = @LIB_dladdr@
-LIB_dlopen = @LIB_dlopen@
-LIB_dn_expand = @LIB_dn_expand@
-LIB_dns_search = @LIB_dns_search@
-LIB_door_create = @LIB_door_create@
-LIB_freeaddrinfo = @LIB_freeaddrinfo@
-LIB_gai_strerror = @LIB_gai_strerror@
-LIB_getaddrinfo = @LIB_getaddrinfo@
-LIB_gethostbyname = @LIB_gethostbyname@
-LIB_gethostbyname2 = @LIB_gethostbyname2@
-LIB_getnameinfo = @LIB_getnameinfo@
-LIB_getpwnam_r = @LIB_getpwnam_r@
-LIB_getsockopt = @LIB_getsockopt@
-LIB_hcrypto = @LIB_hcrypto@
-LIB_hcrypto_a = @LIB_hcrypto_a@
-LIB_hcrypto_appl = @LIB_hcrypto_appl@
-LIB_hcrypto_so = @LIB_hcrypto_so@
-LIB_hstrerror = @LIB_hstrerror@
-LIB_kdb = @LIB_kdb@
-LIB_libedit = @LIB_libedit@
-LIB_libintl = @LIB_libintl@
-LIB_loadquery = @LIB_loadquery@
-LIB_logout = @LIB_logout@
-LIB_logwtmp = @LIB_logwtmp@
-LIB_openldap = @LIB_openldap@
-LIB_openpty = @LIB_openpty@
-LIB_openssl_crypto = @LIB_openssl_crypto@
-LIB_otp = @LIB_otp@
-LIB_pidfile = @LIB_pidfile@
-LIB_readline = @LIB_readline@
-LIB_res_ndestroy = @LIB_res_ndestroy@
-LIB_res_nsearch = @LIB_res_nsearch@
-LIB_res_search = @LIB_res_search@
-LIB_roken = @LIB_roken@
-LIB_security = @LIB_security@
-LIB_setsockopt = @LIB_setsockopt@
-LIB_socket = @LIB_socket@
-LIB_sqlite3 = @LIB_sqlite3@
-LIB_syslog = @LIB_syslog@
-LIB_tgetent = @LIB_tgetent@
-LIPO = @LIPO@
-LMDBLIB = @LMDBLIB@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
-MAINT = @MAINT@
-MAKEINFO = @MAKEINFO@
-MANIFEST_TOOL = @MANIFEST_TOOL@
-MKDIR_P = @MKDIR_P@
-NDBMLIB = @NDBMLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-NO_AFS = @NO_AFS@
-NROFF = @NROFF@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
-PTHREAD_LDADD = @PTHREAD_LDADD@
-PTHREAD_LIBADD = @PTHREAD_LIBADD@
-PYTHON = @PYTHON@
-PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
-PYTHON_PLATFORM = @PYTHON_PLATFORM@
-PYTHON_PREFIX = @PYTHON_PREFIX@
-PYTHON_VERSION = @PYTHON_VERSION@
-RANLIB = @RANLIB@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SLC = @SLC@
-SLC_DEP = @SLC_DEP@
-STRIP = @STRIP@
-VERSION = @VERSION@
-VERSIONING = @VERSIONING@
-WFLAGS = @WFLAGS@
-WFLAGS_LITE = @WFLAGS_LITE@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_AR = @ac_ct_AR@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-db_type = @db_type@
-db_type_preference = @db_type_preference@
-docdir = @docdir@
-dpagaix_cflags = @dpagaix_cflags@
-dpagaix_ldadd = @dpagaix_ldadd@
-dpagaix_ldflags = @dpagaix_ldflags@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-libdir = @libdir@
-libexecdir = @libexecdir@
-localedir = @localedir@
-localstatedir = @localstatedir@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-pkgpyexecdir = @pkgpyexecdir@
-pkgpythondir = @pkgpythondir@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-pyexecdir = @pyexecdir@
-pythondir = @pythondir@
-runstatedir = @runstatedir@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-subdirs = @subdirs@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-SUFFIXES = .et .h .pc.in .pc .x .z .hx .1 .3 .5 .7 .8 .cat1 .cat3 \
- .cat5 .cat7 .cat8
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -I$(top_srcdir)/include
-AM_CPPFLAGS = $(INCLUDES_roken) $(INCLUDE_openssl_crypto)
-@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
-AM_CFLAGS = $(WFLAGS)
-CP = cp
-buildinclude = $(top_builddir)/include
-LIB_XauReadAuth = @LIB_XauReadAuth@
-LIB_el_init = @LIB_el_init@
-LIB_getattr = @LIB_getattr@
-LIB_getpwent_r = @LIB_getpwent_r@
-LIB_odm_initialize = @LIB_odm_initialize@
-LIB_setpcred = @LIB_setpcred@
-INCLUDE_krb4 = @INCLUDE_krb4@
-LIB_krb4 = @LIB_krb4@
-libexec_heimdaldir = $(libexecdir)/heimdal
-NROFF_MAN = groff -mandoc -Tascii
-@NO_AFS_FALSE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
-@NO_AFS_TRUE@LIB_kafs =
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
-@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la
-
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
-LIB_heimbase = $(top_builddir)/lib/base/libheimbase.la
-@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
-
-#silent-rules
-heim_verbose = $(heim_verbose_$(V))
-heim_verbose_ = $(heim_verbose_$(AM_DEFAULT_VERBOSITY))
-heim_verbose_0 = @echo " GEN "$@;
-lib_LTLIBRARIES = libhx509.la
-libhx509_la_LDFLAGS = -version-info 5:0:0 $(am__append_1) \
- $(am__append_2)
-BUILT_SOURCES = \
- sel-gram.h \
- $(gen_files_ocsp:.x=.c) \
- $(gen_files_pkcs10:.x=.c) \
- hx509_err.c \
- hx509_err.h
-
-gen_files_ocsp = \
- asn1_OCSPBasicOCSPResponse.x \
- asn1_OCSPCertID.x \
- asn1_OCSPCertStatus.x \
- asn1_OCSPInnerRequest.x \
- asn1_OCSPKeyHash.x \
- asn1_OCSPRequest.x \
- asn1_OCSPResponderID.x \
- asn1_OCSPResponse.x \
- asn1_OCSPResponseBytes.x \
- asn1_OCSPResponseData.x \
- asn1_OCSPResponseStatus.x \
- asn1_OCSPSignature.x \
- asn1_OCSPSingleResponse.x \
- asn1_OCSPTBSRequest.x \
- asn1_OCSPVersion.x \
- asn1_id_pkix_ocsp.x \
- asn1_id_pkix_ocsp_basic.x \
- asn1_id_pkix_ocsp_nonce.x
-
-gen_files_pkcs10 = \
- asn1_CertificationRequestInfo.x \
- asn1_CertificationRequest.x
-
-gen_files_crmf = \
- asn1_CRMFRDNSequence.x \
- asn1_CertReqMessages.x \
- asn1_CertReqMsg.x \
- asn1_CertRequest.x \
- asn1_CertTemplate.x \
- asn1_Controls.x \
- asn1_PBMParameter.x \
- asn1_PKMACValue.x \
- asn1_POPOPrivKey.x \
- asn1_POPOSigningKey.x \
- asn1_POPOSigningKeyInput.x \
- asn1_ProofOfPossession.x \
- asn1_SubsequentMessage.x
-
-AM_YFLAGS = -d
-dist_libhx509_la_SOURCES = \
- ca.c \
- cert.c \
- char_map.h \
- cms.c \
- collector.c \
- crypto.c \
- crypto-ec.c \
- doxygen.c \
- error.c \
- env.c \
- file.c \
- hx509.h \
- hx_locl.h \
- sel.c \
- sel.h \
- sel-gram.y \
- sel-lex.l \
- keyset.c \
- ks_dir.c \
- ks_file.c \
- ks_mem.c \
- ks_null.c \
- ks_p11.c \
- ks_p12.c \
- ks_keychain.c \
- lock.c \
- name.c \
- peer.c \
- print.c \
- softp11.c \
- ref/pkcs11.h \
- req.c \
- revoke.c
-
-libhx509_la_DEPENDENCIES = version-script.map
-libhx509_la_LIBADD = \
- $(LIB_com_err) \
- $(LIB_hcrypto) \
- $(LIB_openssl_crypto) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la \
- $(top_builddir)/lib/base/libheimbase.la \
- $(LIBADD_roken) \
- $(LIB_dlopen)
-
-nodist_libhx509_la_SOURCES = $(BUILT_SOURCES)
-dist_include_HEADERS = hx509.h $(srcdir)/hx509-protos.h
-noinst_HEADERS = $(srcdir)/hx509-private.h
-nodist_include_HEADERS = hx509_err.h ocsp_asn1.h pkcs10_asn1.h \
- crmf_asn1.h
-priv_headers = ocsp_asn1-priv.h pkcs10_asn1-priv.h crmf_asn1-priv.h
-ALL_OBJECTS = $(libhx509_la_OBJECTS) $(hxtool_OBJECTS)
-HX509_PROTOS = $(srcdir)/hx509-protos.h $(srcdir)/hx509-private.h
-dist_hxtool_SOURCES = hxtool.c
-nodist_hxtool_SOURCES = hxtool-commands.c hxtool-commands.h
-hxtool_LDADD = \
- libhx509.la \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(LIB_hcrypto) \
- $(LIB_roken) \
- $(top_builddir)/lib/sl/libsl.la
-
-CLEANFILES = $(BUILT_SOURCES) sel-gram.c sel-lex.c \
- $(gen_files_ocsp) ocsp_asn1_files ocsp_asn1{,-priv}.h* \
- ocsp_asn1-template.[chx]* \
- $(gen_files_pkcs10) pkcs10_asn1_files pkcs10_asn1{,-priv}.h* \
- pkcs10_asn1-template.[chx]* \
- $(gen_files_crmf) crmf_asn1_files crmf_asn1{,-priv}.h* \
- crmf_asn1-template.[chx]* \
- $(TESTS) \
- hxtool-commands.c hxtool-commands.h *.tmp \
- request.out \
- out.pem out2.pem \
- sd sd.pem \
- sd.data sd.data.out \
- ev.data ev.data.out \
- cert-null.pem cert-sub-ca2.pem \
- cert-ee.pem cert-ca.pem \
- cert-sub-ee.pem cert-sub-ca.pem \
- cert-proxy.der cert-ca.der cert-ee.der pkcs10-request.der \
- wca.pem wuser.pem wdc.pem wcrl.crl \
- random-data statfile crl.crl \
- test p11dbg.log pkcs11.cfg \
- test-rc-file.rc
-
-
-#
-# regression tests
-#
-check_SCRIPTS = $(SCRIPT_TESTS)
-LDADD = libhx509.la
-test_soft_pkcs11_LDADD = libhx509.la $(top_builddir)/lib/asn1/libasn1.la
-test_name_LDADD = libhx509.la $(LIB_roken) $(top_builddir)/lib/asn1/libasn1.la
-test_expr_LDADD = libhx509.la $(LIB_roken) $(top_builddir)/lib/asn1/libasn1.la
-PROGRAM_TESTS = \
- test_name \
- test_expr
-
-SCRIPT_TESTS = \
- test_ca \
- test_cert \
- test_chain \
- test_cms \
- test_crypto \
- test_nist \
- test_nist2 \
- test_pkcs11 \
- test_java_pkcs11 \
- test_nist_cert \
- test_nist_pkcs12 \
- test_req \
- test_windows \
- test_query
-
-do_subst = $(heim_verbose)sed -e 's,[@]srcdir[@],$(srcdir),g' \
- -e 's,[@]objdir[@],$(top_builddir)/lib/hx509,g' \
- -e 's,[@]egrep[@],$(EGREP),g'
-
-EXTRA_DIST = \
- NTMakefile \
- hxtool-version.rc \
- libhx509-exports.def \
- version-script.map \
- crmf.asn1 \
- hx509_err.et \
- hxtool-commands.in \
- quote.py \
- ocsp.asn1 \
- ocsp.opt \
- pkcs10.asn1 \
- pkcs10.opt \
- test_ca.in \
- test_chain.in \
- test_cert.in \
- test_cms.in \
- test_crypto.in \
- test_nist.in \
- test_nist2.in \
- test_nist_cert.in \
- test_nist_pkcs12.in \
- test_pkcs11.in \
- test_java_pkcs11.in \
- test_query.in \
- test_req.in \
- test_windows.in \
- tst-crypto-available1 \
- tst-crypto-available2 \
- tst-crypto-available3 \
- tst-crypto-select \
- tst-crypto-select1 \
- tst-crypto-select2 \
- tst-crypto-select3 \
- tst-crypto-select4 \
- tst-crypto-select5 \
- tst-crypto-select6 \
- tst-crypto-select7 \
- data/PKITS_data.zip \
- data/eccurve.pem \
- data/https.crt \
- data/https.key \
- data/mkcert.sh \
- data/nist-result2 \
- data/n0ll.pem \
- data/secp256r1TestCA.cert.pem \
- data/secp256r1TestCA.key.pem \
- data/secp256r1TestCA.pem \
- data/secp256r2TestClient.cert.pem \
- data/secp256r2TestClient.key.pem \
- data/secp256r2TestClient.pem \
- data/secp256r2TestServer.cert.pem \
- data/secp256r2TestServer.key.pem \
- data/secp256r2TestServer.pem \
- data/bleichenbacher-bad.pem \
- data/bleichenbacher-good.pem \
- data/bleichenbacher-sf-pad-correct.pem \
- data/ca.crt \
- data/ca.key \
- data/crl1.crl \
- data/crl1.der \
- data/gen-req.sh \
- data/j.pem \
- data/kdc.crt \
- data/kdc.key \
- data/key.der \
- data/key2.der \
- data/nist-data \
- data/nist-data2 \
- data/no-proxy-test.crt \
- data/no-proxy-test.key \
- data/ocsp-req1.der \
- data/ocsp-req2.der \
- data/ocsp-resp1-2.der \
- data/ocsp-resp1-3.der \
- data/ocsp-resp1-ca.der \
- data/ocsp-resp1-keyhash.der \
- data/ocsp-resp1-ocsp-no-cert.der \
- data/ocsp-resp1-ocsp.der \
- data/ocsp-resp1.der \
- data/ocsp-resp2.der \
- data/ocsp-responder.crt \
- data/ocsp-responder.key \
- data/openssl.1.0.cnf \
- data/openssl.1.1.cnf \
- data/pkinit-proxy-chain.crt \
- data/pkinit-proxy.crt \
- data/pkinit-proxy.key \
- data/pkinit-pw.key \
- data/pkinit.crt \
- data/pkinit.key \
- data/pkinit-ec.crt \
- data/pkinit-ec.key \
- data/proxy-level-test.crt \
- data/proxy-level-test.key \
- data/proxy-test.crt \
- data/proxy-test.key \
- data/proxy10-child-test.crt \
- data/proxy10-child-test.key \
- data/proxy10-child-child-test.crt \
- data/proxy10-child-child-test.key \
- data/proxy10-test.crt \
- data/proxy10-test.key \
- data/revoke.crt \
- data/revoke.key \
- data/sf-class2-root.pem \
- data/static-file \
- data/sub-ca.crt \
- data/sub-ca.key \
- data/sub-cert.crt \
- data/sub-cert.key \
- data/sub-cert.p12 \
- data/test-ds-only.crt \
- data/test-ds-only.key \
- data/test-enveloped-aes-128 \
- data/test-enveloped-aes-256 \
- data/test-enveloped-des \
- data/test-enveloped-des-ede3 \
- data/test-enveloped-rc2-128 \
- data/test-enveloped-rc2-40 \
- data/test-enveloped-rc2-64 \
- data/test-ke-only.crt \
- data/test-ke-only.key \
- data/test-nopw.p12 \
- data/test-pw.key \
- data/test-signed-data \
- data/test-signed-data-noattr \
- data/test-signed-data-noattr-nocerts \
- data/test-signed-sha-1 \
- data/test-signed-sha-256 \
- data/test-signed-sha-512 \
- data/test.combined.crt \
- data/test.crt \
- data/test.key \
- data/test.p12 \
- data/win-u16-in-printablestring.der \
- data/yutaka-pad-broken-ca.pem \
- data/yutaka-pad-broken-cert.pem \
- data/yutaka-pad-ok-ca.pem \
- data/yutaka-pad-ok-cert.pem \
- data/yutaka-pad.key
-
-all: $(BUILT_SOURCES)
- $(MAKE) $(AM_MAKEFLAGS) all-am
-
-.SUFFIXES:
-.SUFFIXES: .et .h .pc.in .pc .x .z .hx .1 .3 .5 .7 .8 .cat1 .cat3 .cat5 .cat7 .cat8 .c .l .lo .log .o .obj .test .test$(EXEEXT) .trs .y
-$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
- @for dep in $?; do \
- case '$(am__configure_deps)' in \
- *$$dep*) \
- ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
- && { if test -f $@; then exit 0; else break; fi; }; \
- exit 1;; \
- esac; \
- done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/hx509/Makefile'; \
- $(am__cd) $(top_srcdir) && \
- $(AUTOMAKE) --foreign lib/hx509/Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
- @case '$?' in \
- *config.status*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
- *) \
- echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
- cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
- esac;
-$(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__empty):
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-binPROGRAMS: $(bin_PROGRAMS)
- @$(NORMAL_INSTALL)
- @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
- if test -n "$$list"; then \
- echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \
- fi; \
- for p in $$list; do echo "$$p $$p"; done | \
- sed 's/$(EXEEXT)$$//' | \
- while read p p1; do if test -f $$p \
- || test -f $$p1 \
- ; then echo "$$p"; echo "$$p"; else :; fi; \
- done | \
- sed -e 'p;s,.*/,,;n;h' \
- -e 's|.*|.|' \
- -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
- sed 'N;N;N;s,\n, ,g' | \
- $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
- { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
- if ($$2 == $$4) files[d] = files[d] " " $$1; \
- else { print "f", $$3 "/" $$4, $$1; } } \
- END { for (d in files) print "f", d, files[d] }' | \
- while read type dir files; do \
- if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
- test -z "$$files" || { \
- echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \
- $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
- } \
- ; done
-
-uninstall-binPROGRAMS:
- @$(NORMAL_UNINSTALL)
- @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
- files=`for p in $$list; do echo "$$p"; done | \
- sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
- -e 's/$$/$(EXEEXT)/' \
- `; \
- test -n "$$list" || exit 0; \
- echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(bindir)" && rm -f $$files
-
-clean-binPROGRAMS:
- @list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \
- echo " rm -f" $$list; \
- rm -f $$list || exit $$?; \
- test -n "$(EXEEXT)" || exit 0; \
- list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
- echo " rm -f" $$list; \
- rm -f $$list
-
-clean-checkPROGRAMS:
- @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
- echo " rm -f" $$list; \
- rm -f $$list || exit $$?; \
- test -n "$(EXEEXT)" || exit 0; \
- list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
- echo " rm -f" $$list; \
- rm -f $$list
-
-install-libLTLIBRARIES: $(lib_LTLIBRARIES)
- @$(NORMAL_INSTALL)
- @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
- list2=; for p in $$list; do \
- if test -f $$p; then \
- list2="$$list2 $$p"; \
- else :; fi; \
- done; \
- test -z "$$list2" || { \
- echo " $(MKDIR_P) '$(DESTDIR)$(libdir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(libdir)" || exit 1; \
- echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \
- $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \
- }
-
-uninstall-libLTLIBRARIES:
- @$(NORMAL_UNINSTALL)
- @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
- for p in $$list; do \
- $(am__strip_dir) \
- echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \
- $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \
- done
-
-clean-libLTLIBRARIES:
- -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
- @list='$(lib_LTLIBRARIES)'; \
- locs=`for p in $$list; do echo $$p; done | \
- sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
- sort -u`; \
- test -z "$$locs" || { \
- echo rm -f $${locs}; \
- rm -f $${locs}; \
- }
-sel-gram.h: sel-gram.c
- @if test ! -f $@; then rm -f sel-gram.c; else :; fi
- @if test ! -f $@; then $(MAKE) $(AM_MAKEFLAGS) sel-gram.c; else :; fi
-
-libhx509.la: $(libhx509_la_OBJECTS) $(libhx509_la_DEPENDENCIES) $(EXTRA_libhx509_la_DEPENDENCIES)
- $(AM_V_CCLD)$(libhx509_la_LINK) -rpath $(libdir) $(libhx509_la_OBJECTS) $(libhx509_la_LIBADD) $(LIBS)
-
-hxtool$(EXEEXT): $(hxtool_OBJECTS) $(hxtool_DEPENDENCIES) $(EXTRA_hxtool_DEPENDENCIES)
- @rm -f hxtool$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(hxtool_OBJECTS) $(hxtool_LDADD) $(LIBS)
-
-test_expr$(EXEEXT): $(test_expr_OBJECTS) $(test_expr_DEPENDENCIES) $(EXTRA_test_expr_DEPENDENCIES)
- @rm -f test_expr$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_expr_OBJECTS) $(test_expr_LDADD) $(LIBS)
-
-test_name$(EXEEXT): $(test_name_OBJECTS) $(test_name_DEPENDENCIES) $(EXTRA_test_name_DEPENDENCIES)
- @rm -f test_name$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_name_OBJECTS) $(test_name_LDADD) $(LIBS)
-
-test_soft_pkcs11$(EXEEXT): $(test_soft_pkcs11_OBJECTS) $(test_soft_pkcs11_DEPENDENCIES) $(EXTRA_test_soft_pkcs11_DEPENDENCIES)
- @rm -f test_soft_pkcs11$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_soft_pkcs11_OBJECTS) $(test_soft_pkcs11_LDADD) $(LIBS)
-
-mostlyclean-compile:
- -rm -f *.$(OBJEXT)
-
-distclean-compile:
- -rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_CertificationRequest.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_CertificationRequestInfo.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPBasicOCSPResponse.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPCertID.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPCertStatus.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPInnerRequest.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPKeyHash.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPRequest.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPResponderID.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPResponse.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPResponseBytes.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPResponseData.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPResponseStatus.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPSignature.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPSingleResponse.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPTBSRequest.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPVersion.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_id_pkix_ocsp.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_id_pkix_ocsp_basic.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_id_pkix_ocsp_nonce.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ca.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cms.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/collector.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto-ec.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/doxygen.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/env.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/error.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/file.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hx509_err.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hxtool-commands.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hxtool.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyset.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_dir.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_file.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_keychain.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_mem.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_null.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_p11.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_p12.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lock.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/name.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/peer.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/print.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/req.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/revoke.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sel-gram.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sel-lex.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sel.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/softp11.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_expr.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_name.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_soft_pkcs11.Po@am__quote@ # am--include-marker
-
-$(am__depfiles_remade):
- @$(MKDIR_P) $(@D)
- @echo '# dummy' >$@-t && $(am__mv) $@-t $@
-
-am--depfiles: $(am__depfiles_remade)
-
-.c.o:
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
-
-.c.obj:
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
-
-.l.c:
- $(AM_V_LEX)$(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)
-
-.y.c:
- $(AM_V_YACC)$(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h `echo $@ | $(am__yacc_c2h)` y.output $*.output -- $(YACCCOMPILE)
-
-mostlyclean-libtool:
- -rm -f *.lo
-
-clean-libtool:
- -rm -rf .libs _libs
-install-dist_includeHEADERS: $(dist_include_HEADERS)
- @$(NORMAL_INSTALL)
- @list='$(dist_include_HEADERS)'; test -n "$(includedir)" || list=; \
- if test -n "$$list"; then \
- echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \
- fi; \
- for p in $$list; do \
- if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; \
- done | $(am__base_list) | \
- while read files; do \
- echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(includedir)'"; \
- $(INSTALL_HEADER) $$files "$(DESTDIR)$(includedir)" || exit $$?; \
- done
-
-uninstall-dist_includeHEADERS:
- @$(NORMAL_UNINSTALL)
- @list='$(dist_include_HEADERS)'; test -n "$(includedir)" || list=; \
- files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir)
-install-nodist_includeHEADERS: $(nodist_include_HEADERS)
- @$(NORMAL_INSTALL)
- @list='$(nodist_include_HEADERS)'; test -n "$(includedir)" || list=; \
- if test -n "$$list"; then \
- echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \
- fi; \
- for p in $$list; do \
- if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; \
- done | $(am__base_list) | \
- while read files; do \
- echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(includedir)'"; \
- $(INSTALL_HEADER) $$files "$(DESTDIR)$(includedir)" || exit $$?; \
- done
-
-uninstall-nodist_includeHEADERS:
- @$(NORMAL_UNINSTALL)
- @list='$(nodist_include_HEADERS)'; test -n "$(includedir)" || list=; \
- files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir)
-
-ID: $(am__tagged_files)
- $(am__define_uniq_tagged_files); mkid -fID $$unique
-tags: tags-am
-TAGS: tags
-
-tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
- set x; \
- here=`pwd`; \
- $(am__define_uniq_tagged_files); \
- shift; \
- if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
- test -n "$$unique" || unique=$$empty_fix; \
- if test $$# -gt 0; then \
- $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
- "$$@" $$unique; \
- else \
- $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
- $$unique; \
- fi; \
- fi
-ctags: ctags-am
-
-CTAGS: ctags
-ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
- $(am__define_uniq_tagged_files); \
- test -z "$(CTAGS_ARGS)$$unique" \
- || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
- $$unique
-
-GTAGS:
- here=`$(am__cd) $(top_builddir) && pwd` \
- && $(am__cd) $(top_srcdir) \
- && gtags -i $(GTAGS_ARGS) "$$here"
-cscopelist: cscopelist-am
-
-cscopelist-am: $(am__tagged_files)
- list='$(am__tagged_files)'; \
- case "$(srcdir)" in \
- [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
- *) sdir=$(subdir)/$(srcdir) ;; \
- esac; \
- for i in $$list; do \
- if test -f "$$i"; then \
- echo "$(subdir)/$$i"; \
- else \
- echo "$$sdir/$$i"; \
- fi; \
- done >> $(top_builddir)/cscope.files
-
-distclean-tags:
- -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-# Recover from deleted '.trs' file; this should ensure that
-# "rm -f foo.log; make foo.trs" re-run 'foo.test', and re-create
-# both 'foo.log' and 'foo.trs'. Break the recipe in two subshells
-# to avoid problems with "make -n".
-.log.trs:
- rm -f $< $@
- $(MAKE) $(AM_MAKEFLAGS) $<
-
-# Leading 'am--fnord' is there to ensure the list of targets does not
-# expand to empty, as could happen e.g. with make check TESTS=''.
-am--fnord $(TEST_LOGS) $(TEST_LOGS:.log=.trs): $(am__force_recheck)
-am--force-recheck:
- @:
-
-$(TEST_SUITE_LOG): $(TEST_LOGS)
- @$(am__set_TESTS_bases); \
- am__f_ok () { test -f "$$1" && test -r "$$1"; }; \
- redo_bases=`for i in $$bases; do \
- am__f_ok $$i.trs && am__f_ok $$i.log || echo $$i; \
- done`; \
- if test -n "$$redo_bases"; then \
- redo_logs=`for i in $$redo_bases; do echo $$i.log; done`; \
- redo_results=`for i in $$redo_bases; do echo $$i.trs; done`; \
- if $(am__make_dryrun); then :; else \
- rm -f $$redo_logs && rm -f $$redo_results || exit 1; \
- fi; \
- fi; \
- if test -n "$$am__remaking_logs"; then \
- echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \
- "recursion detected" >&2; \
- elif test -n "$$redo_logs"; then \
- am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \
- fi; \
- if $(am__make_dryrun); then :; else \
- st=0; \
- errmsg="fatal: making $(TEST_SUITE_LOG): failed to create"; \
- for i in $$redo_bases; do \
- test -f $$i.trs && test -r $$i.trs \
- || { echo "$$errmsg $$i.trs" >&2; st=1; }; \
- test -f $$i.log && test -r $$i.log \
- || { echo "$$errmsg $$i.log" >&2; st=1; }; \
- done; \
- test $$st -eq 0 || exit 1; \
- fi
- @$(am__sh_e_setup); $(am__tty_colors); $(am__set_TESTS_bases); \
- ws='[ ]'; \
- results=`for b in $$bases; do echo $$b.trs; done`; \
- test -n "$$results" || results=/dev/null; \
- all=` grep "^$$ws*:test-result:" $$results | wc -l`; \
- pass=` grep "^$$ws*:test-result:$$ws*PASS" $$results | wc -l`; \
- fail=` grep "^$$ws*:test-result:$$ws*FAIL" $$results | wc -l`; \
- skip=` grep "^$$ws*:test-result:$$ws*SKIP" $$results | wc -l`; \
- xfail=`grep "^$$ws*:test-result:$$ws*XFAIL" $$results | wc -l`; \
- xpass=`grep "^$$ws*:test-result:$$ws*XPASS" $$results | wc -l`; \
- error=`grep "^$$ws*:test-result:$$ws*ERROR" $$results | wc -l`; \
- if test `expr $$fail + $$xpass + $$error` -eq 0; then \
- success=true; \
- else \
- success=false; \
- fi; \
- br='==================='; br=$$br$$br$$br$$br; \
- result_count () \
- { \
- if test x"$$1" = x"--maybe-color"; then \
- maybe_colorize=yes; \
- elif test x"$$1" = x"--no-color"; then \
- maybe_colorize=no; \
- else \
- echo "$@: invalid 'result_count' usage" >&2; exit 4; \
- fi; \
- shift; \
- desc=$$1 count=$$2; \
- if test $$maybe_colorize = yes && test $$count -gt 0; then \
- color_start=$$3 color_end=$$std; \
- else \
- color_start= color_end=; \
- fi; \
- echo "$${color_start}# $$desc $$count$${color_end}"; \
- }; \
- create_testsuite_report () \
- { \
- result_count $$1 "TOTAL:" $$all "$$brg"; \
- result_count $$1 "PASS: " $$pass "$$grn"; \
- result_count $$1 "SKIP: " $$skip "$$blu"; \
- result_count $$1 "XFAIL:" $$xfail "$$lgn"; \
- result_count $$1 "FAIL: " $$fail "$$red"; \
- result_count $$1 "XPASS:" $$xpass "$$red"; \
- result_count $$1 "ERROR:" $$error "$$mgn"; \
- }; \
- { \
- echo "$(PACKAGE_STRING): $(subdir)/$(TEST_SUITE_LOG)" | \
- $(am__rst_title); \
- create_testsuite_report --no-color; \
- echo; \
- echo ".. contents:: :depth: 2"; \
- echo; \
- for b in $$bases; do echo $$b; done \
- | $(am__create_global_log); \
- } >$(TEST_SUITE_LOG).tmp || exit 1; \
- mv $(TEST_SUITE_LOG).tmp $(TEST_SUITE_LOG); \
- if $$success; then \
- col="$$grn"; \
- else \
- col="$$red"; \
- test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \
- fi; \
- echo "$${col}$$br$${std}"; \
- echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \
- echo "$${col}$$br$${std}"; \
- create_testsuite_report --maybe-color; \
- echo "$$col$$br$$std"; \
- if $$success; then :; else \
- echo "$${col}See $(subdir)/$(TEST_SUITE_LOG)$${std}"; \
- if test -n "$(PACKAGE_BUGREPORT)"; then \
- echo "$${col}Please report to $(PACKAGE_BUGREPORT)$${std}"; \
- fi; \
- echo "$$col$$br$$std"; \
- fi; \
- $$success || exit 1
-
-check-TESTS: $(check_PROGRAMS) $(check_SCRIPTS)
- @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list
- @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list
- @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
- @set +e; $(am__set_TESTS_bases); \
- log_list=`for i in $$bases; do echo $$i.log; done`; \
- trs_list=`for i in $$bases; do echo $$i.trs; done`; \
- log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \
- $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \
- exit $$?;
-recheck: all $(check_PROGRAMS) $(check_SCRIPTS)
- @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
- @set +e; $(am__set_TESTS_bases); \
- bases=`for i in $$bases; do echo $$i; done \
- | $(am__list_recheck_tests)` || exit 1; \
- log_list=`for i in $$bases; do echo $$i.log; done`; \
- log_list=`echo $$log_list`; \
- $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) \
- am__force_recheck=am--force-recheck \
- TEST_LOGS="$$log_list"; \
- exit $$?
-test_ca.log: test_ca
- @p='test_ca'; \
- b='test_ca'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_cert.log: test_cert
- @p='test_cert'; \
- b='test_cert'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_chain.log: test_chain
- @p='test_chain'; \
- b='test_chain'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_cms.log: test_cms
- @p='test_cms'; \
- b='test_cms'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_crypto.log: test_crypto
- @p='test_crypto'; \
- b='test_crypto'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_nist.log: test_nist
- @p='test_nist'; \
- b='test_nist'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_nist2.log: test_nist2
- @p='test_nist2'; \
- b='test_nist2'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_pkcs11.log: test_pkcs11
- @p='test_pkcs11'; \
- b='test_pkcs11'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_java_pkcs11.log: test_java_pkcs11
- @p='test_java_pkcs11'; \
- b='test_java_pkcs11'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_nist_cert.log: test_nist_cert
- @p='test_nist_cert'; \
- b='test_nist_cert'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_nist_pkcs12.log: test_nist_pkcs12
- @p='test_nist_pkcs12'; \
- b='test_nist_pkcs12'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_req.log: test_req
- @p='test_req'; \
- b='test_req'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_windows.log: test_windows
- @p='test_windows'; \
- b='test_windows'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_query.log: test_query
- @p='test_query'; \
- b='test_query'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_name.log: test_name$(EXEEXT)
- @p='test_name$(EXEEXT)'; \
- b='test_name'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_expr.log: test_expr$(EXEEXT)
- @p='test_expr$(EXEEXT)'; \
- b='test_expr'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-.test.log:
- @p='$<'; \
- $(am__set_b); \
- $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-@am__EXEEXT_TRUE@.test$(EXEEXT).log:
-@am__EXEEXT_TRUE@ @p='$<'; \
-@am__EXEEXT_TRUE@ $(am__set_b); \
-@am__EXEEXT_TRUE@ $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
-@am__EXEEXT_TRUE@ --log-file $$b.log --trs-file $$b.trs \
-@am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
-@am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT)
-distdir: $(BUILT_SOURCES)
- $(MAKE) $(AM_MAKEFLAGS) distdir-am
-
-distdir-am: $(DISTFILES)
- @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
- topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
- list='$(DISTFILES)'; \
- dist_files=`for file in $$list; do echo $$file; done | \
- sed -e "s|^$$srcdirstrip/||;t" \
- -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
- case $$dist_files in \
- */*) $(MKDIR_P) `echo "$$dist_files" | \
- sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
- sort -u` ;; \
- esac; \
- for file in $$dist_files; do \
- if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
- if test -d $$d/$$file; then \
- dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
- if test -d "$(distdir)/$$file"; then \
- find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
- fi; \
- if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
- cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
- find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
- fi; \
- cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
- else \
- test -f "$(distdir)/$$file" \
- || cp -p $$d/$$file "$(distdir)/$$file" \
- || exit 1; \
- fi; \
- done
- $(MAKE) $(AM_MAKEFLAGS) \
- top_distdir="$(top_distdir)" distdir="$(distdir)" \
- dist-hook
-check-am: all-am
- $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) $(check_SCRIPTS)
- $(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
-check: $(BUILT_SOURCES)
- $(MAKE) $(AM_MAKEFLAGS) check-am
-all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(HEADERS) all-local
-install-binPROGRAMS: install-libLTLIBRARIES
-
-install-checkPROGRAMS: install-libLTLIBRARIES
-
-installdirs:
- for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)"; do \
- test -z "$$dir" || $(MKDIR_P) "$$dir"; \
- done
-install: $(BUILT_SOURCES)
- $(MAKE) $(AM_MAKEFLAGS) install-am
-install-exec: $(BUILT_SOURCES)
- $(MAKE) $(AM_MAKEFLAGS) install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
- @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
- if test -z '$(STRIP)'; then \
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- install; \
- else \
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
- fi
-mostlyclean-generic:
- -test -z "$(TEST_LOGS)" || rm -f $(TEST_LOGS)
- -test -z "$(TEST_LOGS:.log=.trs)" || rm -f $(TEST_LOGS:.log=.trs)
- -test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
-
-clean-generic:
- -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
-
-distclean-generic:
- -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
- -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
- @echo "This command is intended for maintainers to use"
- @echo "it deletes files that may require special tools to rebuild."
- -rm -f sel-gram.c
- -rm -f sel-gram.h
- -rm -f sel-lex.c
- -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
-clean: clean-am
-
-clean-am: clean-binPROGRAMS clean-checkPROGRAMS clean-generic \
- clean-libLTLIBRARIES clean-libtool clean-local mostlyclean-am
-
-distclean: distclean-am
- -rm -f ./$(DEPDIR)/asn1_CertificationRequest.Plo
- -rm -f ./$(DEPDIR)/asn1_CertificationRequestInfo.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPBasicOCSPResponse.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPCertID.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPCertStatus.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPInnerRequest.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPKeyHash.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPRequest.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPResponderID.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPResponse.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPResponseBytes.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPResponseData.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPResponseStatus.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPSignature.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPSingleResponse.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPTBSRequest.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPVersion.Plo
- -rm -f ./$(DEPDIR)/asn1_id_pkix_ocsp.Plo
- -rm -f ./$(DEPDIR)/asn1_id_pkix_ocsp_basic.Plo
- -rm -f ./$(DEPDIR)/asn1_id_pkix_ocsp_nonce.Plo
- -rm -f ./$(DEPDIR)/ca.Plo
- -rm -f ./$(DEPDIR)/cert.Plo
- -rm -f ./$(DEPDIR)/cms.Plo
- -rm -f ./$(DEPDIR)/collector.Plo
- -rm -f ./$(DEPDIR)/crypto-ec.Plo
- -rm -f ./$(DEPDIR)/crypto.Plo
- -rm -f ./$(DEPDIR)/doxygen.Plo
- -rm -f ./$(DEPDIR)/env.Plo
- -rm -f ./$(DEPDIR)/error.Plo
- -rm -f ./$(DEPDIR)/file.Plo
- -rm -f ./$(DEPDIR)/hx509_err.Plo
- -rm -f ./$(DEPDIR)/hxtool-commands.Po
- -rm -f ./$(DEPDIR)/hxtool.Po
- -rm -f ./$(DEPDIR)/keyset.Plo
- -rm -f ./$(DEPDIR)/ks_dir.Plo
- -rm -f ./$(DEPDIR)/ks_file.Plo
- -rm -f ./$(DEPDIR)/ks_keychain.Plo
- -rm -f ./$(DEPDIR)/ks_mem.Plo
- -rm -f ./$(DEPDIR)/ks_null.Plo
- -rm -f ./$(DEPDIR)/ks_p11.Plo
- -rm -f ./$(DEPDIR)/ks_p12.Plo
- -rm -f ./$(DEPDIR)/lock.Plo
- -rm -f ./$(DEPDIR)/name.Plo
- -rm -f ./$(DEPDIR)/peer.Plo
- -rm -f ./$(DEPDIR)/print.Plo
- -rm -f ./$(DEPDIR)/req.Plo
- -rm -f ./$(DEPDIR)/revoke.Plo
- -rm -f ./$(DEPDIR)/sel-gram.Plo
- -rm -f ./$(DEPDIR)/sel-lex.Plo
- -rm -f ./$(DEPDIR)/sel.Plo
- -rm -f ./$(DEPDIR)/softp11.Plo
- -rm -f ./$(DEPDIR)/test_expr.Po
- -rm -f ./$(DEPDIR)/test_name.Po
- -rm -f ./$(DEPDIR)/test_soft_pkcs11.Po
- -rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
- distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-dist_includeHEADERS \
- install-nodist_includeHEADERS
- @$(NORMAL_INSTALL)
- $(MAKE) $(AM_MAKEFLAGS) install-data-hook
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am: install-binPROGRAMS install-exec-local \
- install-libLTLIBRARIES
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
- -rm -f ./$(DEPDIR)/asn1_CertificationRequest.Plo
- -rm -f ./$(DEPDIR)/asn1_CertificationRequestInfo.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPBasicOCSPResponse.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPCertID.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPCertStatus.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPInnerRequest.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPKeyHash.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPRequest.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPResponderID.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPResponse.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPResponseBytes.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPResponseData.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPResponseStatus.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPSignature.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPSingleResponse.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPTBSRequest.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPVersion.Plo
- -rm -f ./$(DEPDIR)/asn1_id_pkix_ocsp.Plo
- -rm -f ./$(DEPDIR)/asn1_id_pkix_ocsp_basic.Plo
- -rm -f ./$(DEPDIR)/asn1_id_pkix_ocsp_nonce.Plo
- -rm -f ./$(DEPDIR)/ca.Plo
- -rm -f ./$(DEPDIR)/cert.Plo
- -rm -f ./$(DEPDIR)/cms.Plo
- -rm -f ./$(DEPDIR)/collector.Plo
- -rm -f ./$(DEPDIR)/crypto-ec.Plo
- -rm -f ./$(DEPDIR)/crypto.Plo
- -rm -f ./$(DEPDIR)/doxygen.Plo
- -rm -f ./$(DEPDIR)/env.Plo
- -rm -f ./$(DEPDIR)/error.Plo
- -rm -f ./$(DEPDIR)/file.Plo
- -rm -f ./$(DEPDIR)/hx509_err.Plo
- -rm -f ./$(DEPDIR)/hxtool-commands.Po
- -rm -f ./$(DEPDIR)/hxtool.Po
- -rm -f ./$(DEPDIR)/keyset.Plo
- -rm -f ./$(DEPDIR)/ks_dir.Plo
- -rm -f ./$(DEPDIR)/ks_file.Plo
- -rm -f ./$(DEPDIR)/ks_keychain.Plo
- -rm -f ./$(DEPDIR)/ks_mem.Plo
- -rm -f ./$(DEPDIR)/ks_null.Plo
- -rm -f ./$(DEPDIR)/ks_p11.Plo
- -rm -f ./$(DEPDIR)/ks_p12.Plo
- -rm -f ./$(DEPDIR)/lock.Plo
- -rm -f ./$(DEPDIR)/name.Plo
- -rm -f ./$(DEPDIR)/peer.Plo
- -rm -f ./$(DEPDIR)/print.Plo
- -rm -f ./$(DEPDIR)/req.Plo
- -rm -f ./$(DEPDIR)/revoke.Plo
- -rm -f ./$(DEPDIR)/sel-gram.Plo
- -rm -f ./$(DEPDIR)/sel-lex.Plo
- -rm -f ./$(DEPDIR)/sel.Plo
- -rm -f ./$(DEPDIR)/softp11.Plo
- -rm -f ./$(DEPDIR)/test_expr.Po
- -rm -f ./$(DEPDIR)/test_name.Po
- -rm -f ./$(DEPDIR)/test_soft_pkcs11.Po
- -rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
- mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-binPROGRAMS uninstall-dist_includeHEADERS \
- uninstall-libLTLIBRARIES uninstall-nodist_includeHEADERS
- @$(NORMAL_INSTALL)
- $(MAKE) $(AM_MAKEFLAGS) uninstall-hook
-.MAKE: all check check-am install install-am install-data-am \
- install-exec install-strip uninstall-am
-
-.PHONY: CTAGS GTAGS TAGS all all-am all-local am--depfiles check \
- check-TESTS check-am check-local clean clean-binPROGRAMS \
- clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \
- clean-libtool clean-local cscopelist-am ctags ctags-am \
- dist-hook distclean distclean-compile distclean-generic \
- distclean-libtool distclean-tags distdir dvi dvi-am html \
- html-am info info-am install install-am install-binPROGRAMS \
- install-data install-data-am install-data-hook \
- install-dist_includeHEADERS install-dvi install-dvi-am \
- install-exec install-exec-am install-exec-local install-html \
- install-html-am install-info install-info-am \
- install-libLTLIBRARIES install-man \
- install-nodist_includeHEADERS install-pdf install-pdf-am \
- install-ps install-ps-am install-strip installcheck \
- installcheck-am installdirs maintainer-clean \
- maintainer-clean-generic mostlyclean mostlyclean-compile \
- mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
- recheck tags tags-am uninstall uninstall-am \
- uninstall-binPROGRAMS uninstall-dist_includeHEADERS \
- uninstall-hook uninstall-libLTLIBRARIES \
- uninstall-nodist_includeHEADERS
-
-.PRECIOUS: Makefile
-
-
-install-suid-programs:
- @foo='$(bin_SUIDS)'; \
- for file in $$foo; do \
- x=$(DESTDIR)$(bindir)/$$file; \
- if chown 0:0 $$x && chmod u+s $$x; then :; else \
- echo "*"; \
- echo "* Failed to install $$x setuid root"; \
- echo "*"; \
- fi; \
- done
-
-install-exec-local: install-suid-programs
-
-codesign-all:
- @if [ X"$$CODE_SIGN_IDENTITY" != X ] ; then \
- foo='$(bin_PROGRAMS) $(sbin_PROGRAMS) $(libexec_PROGRAMS)' ; \
- for file in $$foo ; do \
- echo "CODESIGN $$file" ; \
- codesign -f -s "$$CODE_SIGN_IDENTITY" $$file || exit 1 ; \
- done ; \
- fi
-
-all-local: codesign-all
-
-install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS) $(noinst_HEADERS)
- @foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(noinst_HEADERS)'; \
- for f in $$foo; do \
- f=`basename $$f`; \
- if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
- else file="$$f"; fi; \
- if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \
- : ; else \
- echo " $(CP) $$file $(buildinclude)/$$f"; \
- $(CP) $$file $(buildinclude)/$$f || true; \
- fi ; \
- done ; \
- foo='$(nobase_include_HEADERS)'; \
- for f in $$foo; do \
- if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
- else file="$$f"; fi; \
- $(mkdir_p) $(buildinclude)/`dirname $$f` ; \
- if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \
- : ; else \
- echo " $(CP) $$file $(buildinclude)/$$f"; \
- $(CP) $$file $(buildinclude)/$$f; \
- fi ; \
- done
-
-all-local: install-build-headers
-
-check-local::
- @if test '$(CHECK_LOCAL)' = "no-check-local"; then \
- foo=''; elif test '$(CHECK_LOCAL)'; then \
- foo='$(CHECK_LOCAL)'; else \
- foo='$(PROGRAMS)'; fi; \
- if test "$$foo"; then \
- failed=0; all=0; \
- for i in $$foo; do \
- all=`expr $$all + 1`; \
- if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
- echo "PASS: $$i"; \
- else \
- echo "FAIL: $$i"; \
- failed=`expr $$failed + 1`; \
- fi; \
- done; \
- if test "$$failed" -eq 0; then \
- banner="All $$all tests passed"; \
- else \
- banner="$$failed of $$all tests failed"; \
- fi; \
- dashes=`echo "$$banner" | sed s/./=/g`; \
- echo "$$dashes"; \
- echo "$$banner"; \
- echo "$$dashes"; \
- test "$$failed" -eq 0 || exit 1; \
- fi
-
-# It's useful for debugging to format generated sources. The default for all
-# clang-format styles is to sort includes, but in many cases in-tree we really
-# don't want to do that.
-.x.c:
- @if [ -z "$(CLANG_FORMAT)" ]; then \
- cmp -s $< $@ 2> /dev/null || cp $< $@; \
- else \
- cp $< $@.tmp.c; \
- $(CLANG_FORMAT) -style='{BasedOnStyle: Chromium, SortIncludes: false}' -i $@.tmp.c; \
- cmp -s $@.tmp.c $@ 2> /dev/null || mv $@.tmp.c $@; \
- fi
-
-.hx.h:
- @cmp -s $< $@ 2> /dev/null || cp $< $@;
-#NROFF_MAN = nroff -man
-.1.cat1:
- $(NROFF_MAN) $< > $@
-.3.cat3:
- $(NROFF_MAN) $< > $@
-.5.cat5:
- $(NROFF_MAN) $< > $@
-.7.cat7:
- $(NROFF_MAN) $< > $@
-.8.cat8:
- $(NROFF_MAN) $< > $@
-
-dist-cat1-mans:
- @foo='$(man1_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.1) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-cat3-mans:
- @foo='$(man3_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.3) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-cat5-mans:
- @foo='$(man5_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.5) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-cat7-mans:
- @foo='$(man7_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.7) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat7/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-cat8-mans:
- @foo='$(man8_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.8) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat7-mans dist-cat8-mans
-
-install-cat-mans:
- $(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man7_MANS) $(man8_MANS)
-
-uninstall-cat-mans:
- $(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man7_MANS) $(man8_MANS)
-
-install-data-hook: install-cat-mans
-uninstall-hook: uninstall-cat-mans
-
-.et.h:
- $(COMPILE_ET) $<
-.et.c:
- $(COMPILE_ET) $<
-
-#
-# Useful target for debugging
-#
-
-check-valgrind:
- tobjdir=`cd $(top_builddir) && pwd` ; \
- tsrcdir=`cd $(top_srcdir) && pwd` ; \
- env TESTS_ENVIRONMENT="$${tsrcdir}/cf/maybe-valgrind.sh -s $${tsrcdir} -o $${tobjdir}" make check
-
-#
-# Target to please samba build farm, builds distfiles in-tree.
-# Will break when automake changes...
-#
-
-distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
- list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
- if test "$$subdir" != .; then \
- (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
- fi ; \
- done
-
-sel-lex.c: sel-gram.h
-$(libhx509_la_OBJECTS): $(srcdir)/version-script.map $(nodist_include_HEADERS) $(priv_headers)
-
-$(gen_files_ocsp) ocsp_asn1.hx ocsp_asn1-priv.hx: ocsp_asn1_files
-$(gen_files_pkcs10) pkcs10_asn1.hx pkcs10_asn1-priv.hx: pkcs10_asn1_files
-$(gen_files_crmf) crmf_asn1.hx crmf_asn1-priv.hx: crmf_asn1_files
-
-ocsp_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/ocsp.asn1 $(srcdir)/ocsp.opt
- $(heim_verbose)$(ASN1_COMPILE) --option-file=$(srcdir)/ocsp.opt $(srcdir)/ocsp.asn1 ocsp_asn1 || (rm -f ocsp_asn1_files ; exit 1)
-
-pkcs10_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/pkcs10.asn1 $(srcdir)/pkcs10.opt
- $(heim_verbose)$(ASN1_COMPILE) --option-file=$(srcdir)/pkcs10.opt $(srcdir)/pkcs10.asn1 pkcs10_asn1 || (rm -f pkcs10_asn1_files ; exit 1)
-
-crmf_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/crmf.asn1
- $(heim_verbose)$(ASN1_COMPILE) $(srcdir)/crmf.asn1 crmf_asn1 || (rm -f crmf_asn1_files ; exit 1)
-
-$(ALL_OBJECTS): $(HX509_PROTOS)
-
-$(libhx509_la_OBJECTS): $(srcdir)/hx_locl.h
-$(libhx509_la_OBJECTS): ocsp_asn1.h pkcs10_asn1.h
-
-$(srcdir)/hx509-protos.h: $(dist_libhx509_la_SOURCES)
- $(heim_verbose)cd $(srcdir) && perl ../../cf/make-proto.pl -R '^(_|^C)' -E HX509_LIB -q -P comment -o hx509-protos.h $(dist_libhx509_la_SOURCES) || rm -f hx509-protos.h
-
-$(srcdir)/hx509-private.h: $(dist_libhx509_la_SOURCES)
- $(heim_verbose)cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p hx509-private.h $(dist_libhx509_la_SOURCES) || rm -f hx509-private.h
-
-hxtool-commands.c hxtool-commands.h: hxtool-commands.in $(SLC)
- $(heim_verbose)$(SLC) $(srcdir)/hxtool-commands.in
-
-$(hxtool_OBJECTS): hxtool-commands.h $(nodist_include_HEADERS)
-
-clean-local:
- @echo "cleaning PKITS" ; rm -rf PKITS_data
-
-test_ca: test_ca.in Makefile
- $(do_subst) < $(srcdir)/test_ca.in > test_ca.tmp
- $(heim_verbose)chmod +x test_ca.tmp
- mv test_ca.tmp test_ca
-
-test_cert: test_cert.in Makefile
- $(do_subst) < $(srcdir)/test_cert.in > test_cert.tmp
- $(heim_verbose)chmod +x test_cert.tmp
- mv test_cert.tmp test_cert
-
-test_chain: test_chain.in Makefile
- $(do_subst) < $(srcdir)/test_chain.in > test_chain.tmp
- $(heim_verbose)chmod +x test_chain.tmp
- mv test_chain.tmp test_chain
-
-test_cms: test_cms.in Makefile
- $(do_subst) < $(srcdir)/test_cms.in > test_cms.tmp
- $(heim_verbose)chmod +x test_cms.tmp
- mv test_cms.tmp test_cms
-
-test_crypto: test_crypto.in Makefile
- $(do_subst) < $(srcdir)/test_crypto.in > test_crypto.tmp
- $(heim_verbose)chmod +x test_crypto.tmp
- mv test_crypto.tmp test_crypto
-
-test_nist: test_nist.in Makefile
- $(do_subst) < $(srcdir)/test_nist.in > test_nist.tmp
- $(heim_verbose)chmod +x test_nist.tmp
- mv test_nist.tmp test_nist
-
-test_nist2: test_nist2.in Makefile
- $(do_subst) < $(srcdir)/test_nist2.in > test_nist2.tmp
- $(heim_verbose)chmod +x test_nist2.tmp
- mv test_nist2.tmp test_nist2
-
-test_pkcs11: test_pkcs11.in Makefile
- $(do_subst) < $(srcdir)/test_pkcs11.in > test_pkcs11.tmp
- $(heim_verbose)chmod +x test_pkcs11.tmp
- mv test_pkcs11.tmp test_pkcs11
-
-test_java_pkcs11: test_java_pkcs11.in Makefile
- $(do_subst) < $(srcdir)/test_java_pkcs11.in > test_java_pkcs11.tmp
- $(heim_verbose)chmod +x test_java_pkcs11.tmp
- mv test_java_pkcs11.tmp test_java_pkcs11
-
-test_nist_cert: test_nist_cert.in Makefile
- $(do_subst) < $(srcdir)/test_nist_cert.in > test_nist_cert.tmp
- $(heim_verbose)chmod +x test_nist_cert.tmp
- mv test_nist_cert.tmp test_nist_cert
-
-test_nist_pkcs12: test_nist_pkcs12.in Makefile
- $(do_subst) < $(srcdir)/test_nist_pkcs12.in > test_nist_pkcs12.tmp
- $(heim_verbose)chmod +x test_nist_pkcs12.tmp
- mv test_nist_pkcs12.tmp test_nist_pkcs12
-
-test_req: test_req.in Makefile
- $(do_subst) < $(srcdir)/test_req.in > test_req.tmp
- $(heim_verbose)chmod +x test_req.tmp
- mv test_req.tmp test_req
-
-test_windows: test_windows.in Makefile
- $(do_subst) < $(srcdir)/test_windows.in > test_windows.tmp
- $(heim_verbose)chmod +x test_windows.tmp
- mv test_windows.tmp test_windows
-
-test_query: test_query.in Makefile
- $(do_subst) < $(srcdir)/test_query.in > test_query.tmp
- $(heim_verbose)chmod +x test_query.tmp
- mv test_query.tmp test_query
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/lib/hx509/NTMakefile b/lib/hx509/NTMakefile
index ee1bb69d09d6..4d5ff09e734d 100644
--- a/lib/hx509/NTMakefile
+++ b/lib/hx509/NTMakefile
@@ -35,12 +35,6 @@ localcflags=-DASN1_LIB
!include ../../windows/NTMakefile.w32
-gen_files_ocsp = $(OBJ)\asn1_ocsp_asn1.x
-
-gen_files_pkcs10 = $(OBJ)\asn1_pkcs10_asn1.x
-
-gen_files_crmf = $(OBJ)\asn1_crmf_asn1.x
-
libhx509_la_OBJS = \
$(OBJ)\ca.obj \
$(OBJ)\cert.obj \
@@ -69,9 +63,7 @@ libhx509_la_OBJS = \
$(OBJ)\print.obj \
$(OBJ)\softp11.obj \
$(OBJ)\req.obj \
- $(OBJ)\revoke.obj \
- $(gen_files_ocsp:.x=.obj) \
- $(gen_files_pkcs10:.x=.obj)
+ $(OBJ)\revoke.obj
$(LIBHX509): $(libhx509_la_OBJS)
$(LIBCON)
@@ -110,48 +102,19 @@ dist_libhx509_la_SOURCES = \
$(SRCDIR)\req.c \
$(SRCDIR)\revoke.c
-asn1_compile=$(BINDIR)\asn1_compile.exe
-
-$(gen_files_ocsp:.x=.c): $$(@R).x
-
-$(gen_files_pkcs10:.x=.c): $$(@R).x
+{}.c{$(OBJ)}.obj::
+ $(C2OBJ_P) -DBUILD_HX509_LIB -DASN1_LIB
-$(gen_files_crmf:.x=.c): $$(@R).x
+{$(OBJ)}.c{$(OBJ)}.obj::
+ $(C2OBJ_P) -DBUILD_HX509_LIB -DASN1_LIB
-$(gen_files_ocsp) $(OBJ)\ocsp_asn1.hx: $(asn1_compile) ocsp.asn1
- cd $(OBJ)
- $(asn1_compile) --one-code-file \
- --preserve-binary=OCSPTBSRequest \
- --preserve-binary=OCSPResponseData \
- $(SRCDIR)\ocsp.asn1 ocsp_asn1 \
- || ( $(RM) -f $(gen_files_ocsp) $(OBJ)\ocsp_asn1.h ; exit /b 1 )
- cd $(SRCDIR)
-
-$(gen_files_pkcs10) $(OBJ)\pkcs10_asn1.hx: $(asn1_compile) pkcs10.asn1
- cd $(OBJ)
- $(asn1_compile) --one-code-file \
- --preserve-binary=CertificationRequestInfo \
- $(SRCDIR)\pkcs10.asn1 pkcs10_asn1 \
- || ( $(RM) -f $(gen_files_pkcs10) $(OBJ)\pkcs10_asn1.h ; exit /b 1 )
- cd $(SRCDIR)
-
-$(gen_files_crmf) $(OBJ)\crmf_asn1.hx: $(asn1_compile) crmf.asn1
- cd $(OBJ)
- $(asn1_compile) --one-code-file $(SRCDIR)\crmf.asn1 crmf_asn1 \
- || ( $(RM) -f $(gen_files_crmf) $(OBJ)\crmf_asn1.h ; exit /b 1 )
- cd $(SRCDIR)
+asn1_compile=$(BINDIR)\asn1_compile.exe
INCFILES= \
$(INCDIR)\hx509.h \
$(INCDIR)\hx509-protos.h \
$(INCDIR)\hx509-private.h \
- $(INCDIR)\hx509_err.h \
- $(INCDIR)\ocsp_asn1.h \
- $(INCDIR)\pkcs10_asn1.h \
- $(INCDIR)\crmf_asn1.h \
- $(OBJ)\ocsp_asn1-priv.h \
- $(OBJ)\pkcs10_asn1-priv.h \
- $(OBJ)\crmf_asn1-priv.h
+ $(INCDIR)\hx509_err.h
hxtool.c: $(OBJ)\hxtool-commands.h
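Review bot: `asn1_compile=$(BINDIR)\asn1_compile.exe` is re-introduced at the end of this hunk, yet every rule that consumed `$(asn1_compile)` (the ocsp/pkcs10/crmf generation rules) is deleted in the same hunk, so within the visible change the variable has no remaining user. If nothing later in NTMakefile references it the assignment should be dropped as well; if something does, a one-line comment naming that consumer next to the assignment would stop it looking like dead code. The two new inference rules also pass `-DASN1_LIB` explicitly while the hunk context shows `localcflags=-DASN1_LIB`; whether `$(C2OBJ_P)` already folds `localcflags` in is not visible here, and if it does the macro is defined twice on the command line. The remainder of NTMakefile after `hxtool.c:` is outside this hunk.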
diff --git a/lib/hx509/ca.c b/lib/hx509/ca.c
index 418a404b4aa9..1ca8d51da39e 100644
--- a/lib/hx509/ca.c
+++ b/lib/hx509/ca.c
@@ -32,7 +32,6 @@
*/
#include "hx_locl.h"
-#include <pkinit_asn1.h>
/**
* @page page_ca Hx509 CA functions
@@ -43,9 +42,11 @@
struct hx509_ca_tbs {
hx509_name subject;
SubjectPublicKeyInfo spki;
+ KeyUsage ku;
ExtKeyUsage eku;
GeneralNames san;
- unsigned key_usage;
+ CertificatePolicies cps;
+ PolicyMappings pms;
heim_integer serial;
struct {
unsigned int proxy:1;
@@ -57,6 +58,7 @@ struct hx509_ca_tbs {
} flags;
time_t notBefore;
time_t notAfter;
+ HeimPkinitPrincMaxLifeSecs pkinitTicketMaxLife;
int pathLenConstraint; /* both for CA and Proxy */
CRLDistributionPoints crldp;
heim_bit_string subjectUniqueID;
@@ -77,7 +79,7 @@ struct hx509_ca_tbs {
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_init(hx509_context context, hx509_ca_tbs *tbs)
{
*tbs = calloc(1, sizeof(**tbs));
@@ -95,20 +97,23 @@ hx509_ca_tbs_init(hx509_context context, hx509_ca_tbs *tbs)
* @ingroup hx509_ca
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_ca_tbs_free(hx509_ca_tbs *tbs)
{
if (tbs == NULL || *tbs == NULL)
return;
free_SubjectPublicKeyInfo(&(*tbs)->spki);
+ free_CertificatePolicies(&(*tbs)->cps);
+ free_PolicyMappings(&(*tbs)->pms);
free_GeneralNames(&(*tbs)->san);
free_ExtKeyUsage(&(*tbs)->eku);
der_free_heim_integer(&(*tbs)->serial);
free_CRLDistributionPoints(&(*tbs)->crldp);
der_free_bit_string(&(*tbs)->subjectUniqueID);
der_free_bit_string(&(*tbs)->issuerUniqueID);
- hx509_name_free(&(*tbs)->subject);
+ if ((*tbs)->subject)
+ hx509_name_free(&(*tbs)->subject);
if ((*tbs)->sigalg) {
free_AlgorithmIdentifier((*tbs)->sigalg);
free((*tbs)->sigalg);
@@ -132,7 +137,7 @@ hx509_ca_tbs_free(hx509_ca_tbs *tbs)
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_notBefore(hx509_context context,
hx509_ca_tbs tbs,
time_t t)
@@ -153,7 +158,7 @@ hx509_ca_tbs_set_notBefore(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_notAfter(hx509_context context,
hx509_ca_tbs tbs,
time_t t)
@@ -174,7 +179,7 @@ hx509_ca_tbs_set_notAfter(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_notAfter_lifetime(hx509_context context,
hx509_ca_tbs tbs,
time_t delta)
@@ -182,6 +187,15 @@ hx509_ca_tbs_set_notAfter_lifetime(hx509_context context,
return hx509_ca_tbs_set_notAfter(context, tbs, time(NULL) + delta);
}
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_set_pkinit_max_life(hx509_context context,
+ hx509_ca_tbs tbs,
+ time_t max_life)
+{
+ tbs->pkinitTicketMaxLife = max_life;
+ return 0;
+}
+
static const struct units templatebits[] = {
{ "ExtendedKeyUsage", HX509_CA_TEMPLATE_EKU },
{ "KeyUsage", HX509_CA_TEMPLATE_KU },
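Review bot: `hx509_ca_tbs_set_pkinit_max_life`, added at the top of this hunk, is the only public setter in the file without a Doxygen block, while every sibling setter carries purpose, @param, @return and @ingroup entries. A block stating that it records the maximum PKINIT ticket lifetime in the TBS, documenting `context`, `tbs` and `max_life` (presumably seconds, going by the `HeimPkinitPrincMaxLifeSecs` field name), and noting that it always returns 0, would keep the generated API docs complete. The value is stored unchecked; if a zero or negative `max_life` is not meaningful for that field, rejecting it here with EINVAL is cheaper than discovering it at encode time.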
@@ -190,6 +204,7 @@ static const struct units templatebits[] = {
{ "notBefore", HX509_CA_TEMPLATE_NOTBEFORE },
{ "serial", HX509_CA_TEMPLATE_SERIAL },
{ "subject", HX509_CA_TEMPLATE_SUBJECT },
+ { "pkinitMaxLife", HX509_CA_TEMPLATE_PKINIT_MAX_LIFE },
{ NULL, 0 }
};
@@ -202,19 +217,19 @@ static const struct units templatebits[] = {
* @ingroup hx509_ca
*/
-const struct units *
+HX509_LIB_FUNCTION const struct units * HX509_LIB_CALL
hx509_ca_tbs_template_units(void)
{
return templatebits;
}
/**
- * Initialize the to-be-signed certificate object from a template certifiate.
+ * Initialize the to-be-signed certificate object from a template certificate.
*
* @param context A hx509 context.
* @param tbs object to be signed.
* @param flags bit field selecting what to copy from the template
- * certifiate.
+ * certificate.
* @param cert template certificate.
*
* @return An hx509 error code, see hx509_get_error_string().
@@ -222,7 +237,7 @@ hx509_ca_tbs_template_units(void)
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_template(hx509_context context,
hx509_ca_tbs tbs,
int flags,
@@ -262,11 +277,9 @@ hx509_ca_tbs_set_template(hx509_context context,
return ret;
}
if (flags & HX509_CA_TEMPLATE_KU) {
- KeyUsage ku;
- ret = _hx509_cert_get_keyusage(context, cert, &ku);
+ ret = _hx509_cert_get_keyusage(context, cert, &tbs->ku);
if (ret)
return ret;
- tbs->key_usage = KeyUsage2int(ku);
}
if (flags & HX509_CA_TEMPLATE_EKU) {
ExtKeyUsage eku;
@@ -283,6 +296,12 @@ hx509_ca_tbs_set_template(hx509_context context,
}
free_ExtKeyUsage(&eku);
}
+ if (flags & HX509_CA_TEMPLATE_PKINIT_MAX_LIFE) {
+ time_t max_life;
+
+ if ((max_life = hx509_cert_get_pkinit_max_life(context, cert, 0)) > 0)
+ hx509_ca_tbs_set_pkinit_max_life(context, tbs, max_life);
+ }
return 0;
}
@@ -300,7 +319,7 @@ hx509_ca_tbs_set_template(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_ca(hx509_context context,
hx509_ca_tbs tbs,
int pathLenConstraint)
@@ -324,7 +343,7 @@ hx509_ca_tbs_set_ca(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_proxy(hx509_context context,
hx509_ca_tbs tbs,
int pathLenConstraint)
@@ -346,7 +365,7 @@ hx509_ca_tbs_set_proxy(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_domaincontroller(hx509_context context,
hx509_ca_tbs tbs)
{
@@ -368,7 +387,7 @@ hx509_ca_tbs_set_domaincontroller(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_spki(hx509_context context,
hx509_ca_tbs tbs,
const SubjectPublicKeyInfo *spki)
@@ -393,7 +412,7 @@ hx509_ca_tbs_set_spki(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_serialnumber(hx509_context context,
hx509_ca_tbs tbs,
const heim_integer *serialNumber)
@@ -406,6 +425,65 @@ hx509_ca_tbs_set_serialnumber(hx509_context context,
}
/**
+ * Copy elements of a CSR into a TBS, but only if all of them are authorized.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param req CSR
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_set_from_csr(hx509_context context,
+ hx509_ca_tbs tbs,
+ hx509_request req)
+{
+ hx509_san_type san_type;
+ heim_oid oid = { 0, 0 };
+ KeyUsage ku;
+ size_t i;
+ char *s = NULL;
+ int ret;
+
+ if (hx509_request_count_unauthorized(req)) {
+ hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+ return EACCES;
+ }
+
+ ret = hx509_request_get_ku(context, req, &ku);
+ if (ret == 0 && KeyUsage2int(ku))
+ ret = hx509_ca_tbs_add_ku(context, tbs, ku);
+
+ for (i = 0; ret == 0; i++) {
+ free(s); s = NULL;
+ der_free_oid(&oid);
+ ret = hx509_request_get_eku(req, i, &s);
+ if (ret == 0)
+ ret = der_parse_heim_oid(s, ".", &oid);
+ if (ret == 0)
+ ret = hx509_ca_tbs_add_eku(context, tbs, &oid);
+ }
+ if (ret == HX509_NO_ITEM)
+ ret = 0;
+
+ for (i = 0; ret == 0; i++) {
+ free(s); s = NULL;
+ ret = hx509_request_get_san(req, i, &san_type, &s);
+ if (ret == 0)
+ ret = hx509_ca_tbs_add_san(context, tbs, san_type, s);
+ }
+ if (ret == HX509_NO_ITEM)
+ ret = 0;
+
+ der_free_oid(&oid);
+ free(s);
+ return ret;
+}
+
+/**
* An an extended key usage to the to-be-signed certificate object.
* Duplicates will detected and not added.
*
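Review bot: The rejection path at `if (hx509_request_count_unauthorized(req))` records the diagnostic `ENOMEM, "out of memory"` and then returns EACCES, so a caller that inspects hx509_get_error_string() on a refused CSR is told the process ran out of memory rather than that the request carried unauthorized attributes. An authorization refusal should be reported as such: `hx509_set_error_string(context, 0, EACCES, "CSR contains unauthorized extensions or attributes"); return EACCES;`. The matching code and message also matter for operators auditing why a CSR was declined, since this is the one place in the function where a policy decision, not a failure, ends the call.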
@@ -418,7 +496,29 @@ hx509_ca_tbs_set_serialnumber(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_add_ku(hx509_context context,
+ hx509_ca_tbs tbs,
+ KeyUsage ku)
+{
+ tbs->ku = ku;
+ return 0;
+}
+
+/**
+ * An an extended key usage to the to-be-signed certificate object.
+ * Duplicates will detected and not added.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param oid extended key usage to add.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_add_eku(hx509_context context,
hx509_ca_tbs tbs,
const heim_oid *oid)
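Review bot: `hx509_ca_tbs_add_ku` is named like an accumulator but its body is a plain assignment, `tbs->ku = ku;`, so a second call — or a call after `hx509_ca_tbs_set_template` has filled `tbs->ku` from a template — silently discards the earlier KeyUsage bits. If accumulation is intended, OR the bits (for example via the generated `int2KeyUsage(KeyUsage2int(tbs->ku) | KeyUsage2int(ku))`); otherwise document the replacing semantics so callers do not assume union behaviour. Separately, the Doxygen block directly above it (which begins before this hunk) is the old EKU text — "An an extended key usage ... @param oid extended key usage to add" — and now documents the wrong function; replace it with `Set the KeyUsage of the to-be-signed certificate object; replaces any previously set key usage.` and `@param ku the key usage bits to set`.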
@@ -449,6 +549,127 @@ hx509_ca_tbs_add_eku(hx509_context context,
}
/**
+ * Add a certificate policy to the to-be-signed certificate object. Duplicates
+ * will detected and not added.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param oid policy OID.
+ * @param cps_uri CPS URI to qualify policy with.
+ * @param user_notice user notice display text to qualify policy with.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_add_pol(hx509_context context,
+ hx509_ca_tbs tbs,
+ const heim_oid *oid,
+ const char *cps_uri,
+ const char *user_notice)
+{
+ PolicyQualifierInfos pqis;
+ PolicyQualifierInfo pqi;
+ PolicyInformation pi;
+ size_t i, size;
+ int ret = 0;
+
+ /* search for duplicates */
+ for (i = 0; i < tbs->cps.len; i++) {
+ if (der_heim_oid_cmp(oid, &tbs->cps.val[i].policyIdentifier) == 0)
+ return 0;
+ }
+
+ memset(&pi, 0, sizeof(pi));
+ memset(&pqi, 0, sizeof(pqi));
+ memset(&pqis, 0, sizeof(pqis));
+
+ pi.policyIdentifier = *oid;
+ if (cps_uri) {
+ CPSuri uri;
+
+ uri.length = strlen(cps_uri);
+ uri.data = (void *)(uintptr_t)cps_uri;
+ pqi.policyQualifierId = asn1_oid_id_pkix_qt_cps;
+
+ ASN1_MALLOC_ENCODE(CPSuri,
+ pqi.qualifier.data,
+ pqi.qualifier.length,
+ &uri, &size, ret);
+ if (ret == 0) {
+ ret = add_PolicyQualifierInfos(&pqis, &pqi);
+ free_heim_any(&pqi.qualifier);
+ }
+ }
+ if (ret == 0 && user_notice) {
+ DisplayText dt;
+ UserNotice un;
+
+ dt.element = choice_DisplayText_utf8String;
+ dt.u.utf8String = (void *)(uintptr_t)user_notice;
+ un.explicitText = &dt;
+ un.noticeRef = 0;
+
+ pqi.policyQualifierId = asn1_oid_id_pkix_qt_unotice;
+ ASN1_MALLOC_ENCODE(UserNotice,
+ pqi.qualifier.data,
+ pqi.qualifier.length,
+ &un, &size, ret);
+ if (ret == 0) {
+ ret = add_PolicyQualifierInfos(&pqis, &pqi);
+ free_heim_any(&pqi.qualifier);
+ }
+ }
+
+ pi.policyQualifiers = pqis.len ? &pqis : 0;
+
+ if (ret == 0)
+ ret = add_CertificatePolicies(&tbs->cps, &pi);
+
+ free_PolicyQualifierInfos(&pqis);
+ return ret;
+}
+
+/**
+ * Add a certificate policy mapping to the to-be-signed certificate object.
+ * Duplicates will detected and not added.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param issuer issuerDomainPolicy policy OID.
+ * @param subject subjectDomainPolicy policy OID.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_add_pol_mapping(hx509_context context,
+ hx509_ca_tbs tbs,
+ const heim_oid *issuer,
+ const heim_oid *subject)
+{
+ PolicyMapping pm;
+ size_t i;
+
+ /* search for duplicates */
+ for (i = 0; i < tbs->pms.len; i++) {
+ PolicyMapping *pmp = &tbs->pms.val[i];
+ if (der_heim_oid_cmp(issuer, &pmp->issuerDomainPolicy) == 0 &&
+ der_heim_oid_cmp(subject, &pmp->subjectDomainPolicy) == 0)
+ return 0;
+ }
+
+ memset(&pm, 0, sizeof(pm));
+ pm.issuerDomainPolicy = *issuer;
+ pm.subjectDomainPolicy = *subject;
+ return add_PolicyMappings(&tbs->pms, &pm);
+}
+
+/**
* Add CRL distribution point URI to the to-be-signed certificate
* object.
*
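Review bot: The two `ASN1_MALLOC_ENCODE` calls in `hx509_ca_tbs_add_pol` (CPSuri and UserNotice) pass `&size` but never check it, whereas every other encoder in this file follows the encode with `if (size != os.length) _hx509_abort("internal ASN.1 encoder error");`; adding the same check after each keeps the encoder invariant uniform. Null pointers are written as integer zero — `un.noticeRef = 0;` and `pi.policyQualifiers = pqis.len ? &pqis : 0;` — where the rest of the file uses `NULL`. Also, when encoding the CPS URI fails, `ret` is non-zero and the user-notice branch and `add_CertificatePolicies` are skipped, but no hx509 error string is set, so the caller only learns the bare code.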
@@ -462,94 +683,49 @@ hx509_ca_tbs_add_eku(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_add_crl_dp_uri(hx509_context context,
hx509_ca_tbs tbs,
const char *uri,
hx509_name issuername)
{
+ DistributionPointName dpn;
DistributionPoint dp;
+ GeneralNames crlissuer;
+ GeneralName gn, ign;
+ Name in;
int ret;
memset(&dp, 0, sizeof(dp));
-
- dp.distributionPoint = ecalloc(1, sizeof(*dp.distributionPoint));
-
- {
- DistributionPointName name;
- GeneralName gn;
- size_t size;
-
- name.element = choice_DistributionPointName_fullName;
- name.u.fullName.len = 1;
- name.u.fullName.val = &gn;
-
- gn.element = choice_GeneralName_uniformResourceIdentifier;
- gn.u.uniformResourceIdentifier.data = rk_UNCONST(uri);
- gn.u.uniformResourceIdentifier.length = strlen(uri);
-
- ASN1_MALLOC_ENCODE(DistributionPointName,
- dp.distributionPoint->data,
- dp.distributionPoint->length,
- &name, &size, ret);
- if (ret) {
- hx509_set_error_string(context, 0, ret,
- "Failed to encoded DistributionPointName");
- goto out;
- }
- if (dp.distributionPoint->length != size)
- _hx509_abort("internal ASN.1 encoder error");
- }
+ memset(&gn, 0, sizeof(gn));
+ memset(&ign, 0, sizeof(ign));
+ memset(&in, 0, sizeof(in));
+ gn.element = choice_GeneralName_uniformResourceIdentifier;
+ gn.u.uniformResourceIdentifier.data = rk_UNCONST(uri);
+ gn.u.uniformResourceIdentifier.length = strlen(uri);
+ dpn.element = choice_DistributionPointName_fullName;
+ dpn.u.fullName.len = 1;
+ dpn.u.fullName.val = &gn;
+ dp.distributionPoint = &dpn;
if (issuername) {
-#if 1
- /**
- * issuername not supported
- */
- hx509_set_error_string(context, 0, EINVAL,
- "CRLDistributionPoints.name.issuername not yet supported");
- return EINVAL;
-#else
- GeneralNames *crlissuer;
- GeneralName gn;
- Name n;
-
- crlissuer = calloc(1, sizeof(*crlissuer));
- if (crlissuer == NULL) {
- return ENOMEM;
- }
- memset(&gn, 0, sizeof(gn));
-
- gn.element = choice_GeneralName_directoryName;
- ret = hx509_name_to_Name(issuername, &n);
- if (ret) {
- hx509_set_error_string(context, 0, ret, "out of memory");
- goto out;
- }
-
- gn.u.directoryName.element = n.element;
- gn.u.directoryName.u.rdnSequence = n.u.rdnSequence;
-
- ret = add_GeneralNames(&crlissuer, &gn);
- free_Name(&n);
+ ign.element = choice_GeneralName_directoryName;
+ ret = hx509_name_to_Name(issuername, &ign.u.directoryName);
if (ret) {
hx509_set_error_string(context, 0, ret, "out of memory");
- goto out;
+ return ret;
}
-
+ crlissuer.len = 1;
+ crlissuer.val = &ign;
dp.cRLIssuer = &crlissuer;
-#endif
}
ret = add_CRLDistributionPoints(&tbs->crldp, &dp);
- if (ret) {
- hx509_set_error_string(context, 0, ret, "out of memory");
- goto out;
- }
-
-out:
- free_DistributionPoint(&dp);
+ if (issuername)
+ free_Name(&ign.u.directoryName);
+ if (ret)
+ hx509_set_error_string(context, 0, ret, "out of memory");
return ret;
}
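Review bot: `Name in;` is declared at the top of the rewritten `hx509_ca_tbs_add_crl_dp_uri` and zeroed by `memset(&in, 0, sizeof(in));`, but never read or written again (the issuer Name is built directly in `ign.u.directoryName`), so it is dead code and should be removed along with its memset. The failure of `hx509_name_to_Name` is reported as `"out of memory"` whatever `ret` is; since that conversion can presumably fail for reasons other than allocation, a neutral message such as `"failed to convert CRL issuer name"` would be more accurate. `dpn` is the one local not zero-initialized like `gn`, `ign` and `in`; a `memset(&dpn, 0, sizeof(dpn));` keeps the function consistent if `DistributionPointName` ever gains a member.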
@@ -567,7 +743,7 @@ out:
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_add_san_otherName(hx509_context context,
hx509_ca_tbs tbs,
const heim_oid *oid,
@@ -583,52 +759,100 @@ hx509_ca_tbs_add_san_otherName(hx509_context context,
return add_GeneralNames(&tbs->san, &gn);
}
-/**
- * Add Kerberos Subject Alternative Name to the to-be-signed
- * certificate object. The principal string is a UTF8 string.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param principal Kerberos principal to add to the certificate.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
+static
+int
+dequote_strndup(hx509_context context, const char *in, size_t len, char **out)
+{
+ size_t i, k;
+ char *s;
+
+ *out = NULL;
+ if ((s = malloc(len + 1)) == NULL) {
+ hx509_set_error_string(context, 0, ENOMEM, "malloc: out of memory");
+ return ENOMEM;
+ }
+
+ for (k = i = 0; i < len; i++) {
+ if (in[i] == '\\') {
+ switch (in[++i]) {
+ case 't': s[k++] = '\t'; break;
+ case 'b': s[k++] = '\b'; break;
+ case 'n': s[k++] = '\n'; break;
+ case '0':
+ for (i++; i < len; i++) {
+ if (in[i] == '\0')
+ break;
+ if (in[i++] == '\\' && in[i] == '0')
+ continue;
+ hx509_set_error_string(context, 0,
+ HX509_PARSING_NAME_FAILED,
+ "embedded NULs not supported in "
+ "PKINIT SANs");
+ free(s);
+ return HX509_PARSING_NAME_FAILED;
+ }
+ break;
+ case '\0':
+ hx509_set_error_string(context, 0,
+ HX509_PARSING_NAME_FAILED,
+ "trailing unquoted backslashes not "
+ "allowed in PKINIT SANs");
+ free(s);
+ return HX509_PARSING_NAME_FAILED;
+ default: s[k++] = in[i]; break;
+ }
+ } else {
+ s[k++] = in[i];
+ }
+ }
+ s[k] = '\0';
+
+ *out = s;
+ return 0;
+}
int
-hx509_ca_tbs_add_san_pkinit(hx509_context context,
- hx509_ca_tbs tbs,
- const char *principal)
+_hx509_make_pkinit_san(hx509_context context,
+ const char *principal,
+ heim_octet_string *os)
{
- heim_octet_string os;
KRB5PrincipalName p;
size_t size;
int ret;
- char *s = NULL;
+ os->data = NULL;
+ os->length = 0;
memset(&p, 0, sizeof(p));
- /* parse principal */
+ /* Parse principal */
{
- const char *str;
- char *q;
- int n;
+ const char *str, *str_start;
+ size_t n, i;
- /* count number of component */
+ /* Count number of components */
n = 1;
- for(str = principal; *str != '\0' && *str != '@'; str++){
- if(*str=='\\'){
- if(str[1] == '\0' || str[1] == '@') {
+ for (str = principal; *str != '\0' && *str != '@'; str++) {
+ if (*str == '\\') {
+ if (str[1] == '\0') {
ret = HX509_PARSING_NAME_FAILED;
hx509_set_error_string(context, 0, ret,
"trailing \\ in principal name");
goto out;
}
str++;
- } else if(*str == '/')
+ } else if(*str == '/') {
n++;
+ } else if(*str == '@') {
+ break;
+ }
}
+ if (*str != '@') {
+ /* Note that we allow the realm to be empty */
+ ret = HX509_PARSING_NAME_FAILED;
+ hx509_set_error_string(context, 0, ret, "Missing @ in principal");
+ goto out;
+ };
+
p.principalName.name_string.val =
calloc(n, sizeof(*p.principalName.name_string.val));
if (p.principalName.name_string.val == NULL) {
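Review bot: `dequote_strndup` takes an explicit `len`, but `switch (in[++i])` reads `in[len]` when the slice ends in a backslash, and the `'0'` case's `in[i++] == '\\' && in[i] == '0'` can likewise step one past `len`. The callers in `_hx509_make_pkinit_san` pass slices of a NUL-terminated principal, so the byte at `in[len]` is always readable (a '/', '@' or the terminating NUL), but that is a precondition of the helper that its signature does not convey; add a comment above it such as `/* in[len] must be readable: an escape at the end of the slice peeks one byte past len */`, or bound the peek with `i + 1 < len`. `_hx509_make_pkinit_san` begins in this hunk and continues past its end.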
@@ -637,49 +861,136 @@ hx509_ca_tbs_add_san_pkinit(hx509_context context,
goto out;
}
p.principalName.name_string.len = n;
-
p.principalName.name_type = KRB5_NT_PRINCIPAL;
- q = s = strdup(principal);
- if (q == NULL) {
- ret = ENOMEM;
- hx509_set_error_string(context, 0, ret, "malloc: out of memory");
- goto out;
- }
- p.realm = strrchr(q, '@');
- if (p.realm == NULL) {
- ret = HX509_PARSING_NAME_FAILED;
- hx509_set_error_string(context, 0, ret, "Missing @ in principal");
- goto out;
- };
- *p.realm++ = '\0';
-
- n = 0;
- while (q) {
- p.principalName.name_string.val[n++] = q;
- q = strchr(q, '/');
- if (q)
- *q++ = '\0';
+
+ for (i = 0, str_start = str = principal; *str != '\0'; str++) {
+ if (*str=='\\') {
+ str++;
+ } else if(*str == '/') {
+ /* Note that we allow components to be empty */
+ ret = dequote_strndup(context, str_start, str - str_start,
+ &p.principalName.name_string.val[i++]);
+ if (ret)
+ goto out;
+ str_start = str + 1;
+ } else if(*str == '@') {
+ ret = dequote_strndup(context, str_start, str - str_start,
+ &p.principalName.name_string.val[i++]);
+ if (ret == 0)
+ ret = dequote_strndup(context, str + 1, strlen(str + 1), &p.realm);
+ if (ret)
+ goto out;
+ break;
+ }
}
}
- ASN1_MALLOC_ENCODE(KRB5PrincipalName, os.data, os.length, &p, &size, ret);
+ ASN1_MALLOC_ENCODE(KRB5PrincipalName, os->data, os->length, &p, &size, ret);
if (ret) {
hx509_set_error_string(context, 0, ret, "Out of memory");
goto out;
}
+ if (size != os->length)
+ _hx509_abort("internal ASN.1 encoder error");
+
+out:
+ free_KRB5PrincipalName(&p);
+ return ret;
+}
+
+static int
+add_ia5string_san(hx509_context context,
+ hx509_ca_tbs tbs,
+ const heim_oid *oid,
+ const char *string)
+{
+ SRVName ustring;
+ heim_octet_string os;
+ size_t size;
+ int ret;
+
+ ustring.data = (void *)(uintptr_t)string;
+ ustring.length = strlen(string);
+
+ os.length = 0;
+ os.data = NULL;
+
+ ASN1_MALLOC_ENCODE(SRVName, os.data, os.length, &ustring, &size, ret);
+ if (ret) {
+ hx509_set_error_string(context, 0, ret, "Out of memory");
+ return ret;
+ }
if (size != os.length)
_hx509_abort("internal ASN.1 encoder error");
- ret = hx509_ca_tbs_add_san_otherName(context,
- tbs,
- &asn1_oid_id_pkinit_san,
- &os);
+ ret = hx509_ca_tbs_add_san_otherName(context, tbs, oid, &os);
+ free(os.data);
+ return ret;
+}
+
+/**
+ * Add DNSSRV Subject Alternative Name to the to-be-signed certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param dnssrv An ASCII string of the for _Service.Name.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_add_san_dnssrv(hx509_context context,
+ hx509_ca_tbs tbs,
+ const char *dnssrv)
+{
+ size_t i, len;
+
+ /* Minimal DNSSRV input validation */
+ if (dnssrv == 0 || dnssrv[0] != '_') {
+ hx509_set_error_string(context, 0, EINVAL, "Invalid DNSSRV name");
+ return EINVAL;
+ }
+ for (i = 1, len = strlen(dnssrv); i < len; i++) {
+ if (dnssrv[i] == '.' && dnssrv[i + 1] != '\0')
+ break;
+ }
+ if (i == len) {
+ hx509_set_error_string(context, 0, EINVAL, "Invalid DNSSRV name");
+ return EINVAL;
+ }
+
+ return add_ia5string_san(context, tbs,
+ &asn1_oid_id_pkix_on_dnsSRV, dnssrv);
+}
+
+/**
+ * Add Kerberos Subject Alternative Name to the to-be-signed
+ * certificate object. The principal string is a UTF8 string.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param principal Kerberos principal to add to the certificate.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_add_san_pkinit(hx509_context context,
+ hx509_ca_tbs tbs,
+ const char *principal)
+{
+ heim_octet_string os;
+ int ret;
+
+ ret = _hx509_make_pkinit_san(context, principal, &os);
+ if (ret == 0)
+ ret = hx509_ca_tbs_add_san_otherName(context, tbs,
+ &asn1_oid_id_pkinit_san, &os);
free(os.data);
-out:
- if (p.principalName.name_string.val)
- free (p.principalName.name_string.val);
- if (s)
- free(s);
return ret;
}
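Review bot: The Doxygen block for `hx509_ca_tbs_add_san_dnssrv` has a typo in `@param dnssrv An ASCII string of the for _Service.Name.` — it should read `of the form _Service.Name`. In `hx509_ca_tbs_add_san_pkinit`, `free(os.data);` runs even when `_hx509_make_pkinit_san` failed, which is correct only because that helper sets `os->data = NULL` up front and, presumably (confirm the macro's failure behaviour), `ASN1_MALLOC_ENCODE` leaves the buffer NULL when encoding fails; a one-line comment on `_hx509_make_pkinit_san` stating that `*os` is always freeable on return would make that contract explicit. The DNSSRV check only requires a leading underscore and a non-final dot and does not validate the remaining bytes as IA5/hostname characters, which is acceptable for trusted callers but worth stating in the doc comment.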
@@ -693,7 +1004,7 @@ add_utf8_san(hx509_context context,
const heim_oid *oid,
const char *string)
{
- const PKIXXmppAddr ustring = (const PKIXXmppAddr)(intptr_t)string;
+ const PKIXXmppAddr ustring = (const PKIXXmppAddr)(uintptr_t)string;
heim_octet_string os;
size_t size;
int ret;
@@ -704,17 +1015,13 @@ add_utf8_san(hx509_context context,
ASN1_MALLOC_ENCODE(PKIXXmppAddr, os.data, os.length, &ustring, &size, ret);
if (ret) {
hx509_set_error_string(context, 0, ret, "Out of memory");
- goto out;
+ return ret;
}
if (size != os.length)
_hx509_abort("internal ASN.1 encoder error");
- ret = hx509_ca_tbs_add_san_otherName(context,
- tbs,
- oid,
- &os);
+ ret = hx509_ca_tbs_add_san_otherName(context, tbs, oid, &os);
free(os.data);
-out:
return ret;
}
@@ -731,7 +1038,7 @@ out:
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_add_san_ms_upn(hx509_context context,
hx509_ca_tbs tbs,
const char *principal)
@@ -752,7 +1059,7 @@ hx509_ca_tbs_add_san_ms_upn(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_add_san_jid(hx509_context context,
hx509_ca_tbs tbs,
const char *jid)
@@ -777,7 +1084,7 @@ hx509_ca_tbs_add_san_jid(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_add_san_hostname(hx509_context context,
hx509_ca_tbs tbs,
const char *dnsname)
@@ -805,7 +1112,7 @@ hx509_ca_tbs_add_san_hostname(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_add_san_rfc822name(hx509_context context,
hx509_ca_tbs tbs,
const char *rfc822Name)
@@ -820,6 +1127,295 @@ hx509_ca_tbs_add_san_rfc822name(hx509_context context,
return add_GeneralNames(&tbs->san, &gn);
}
+/*
+ * PermanentIdentifier is one SAN for naming devices with TPMs after their
+ * endorsement keys or EK certificates. See TPM 2.0 Keys for Device Identity
+ * and Attestation, Version 1.00, Revision 2, 9/17/2020 (DRAFT).
+ *
+ * The text on the form of permanent identifiers for TPM endorsement keys sans
+ * certificates is clearly problematic, saying: "When the TPM does not have an
+ * EK certificate, the identifierValue is a digest of a concatenation of the
+ * UTF8 string “EkPubkey” (terminating NULL not included) with the binary EK
+ * public key", but since arbitrary binary is not necessarily valid UTF-8...
+ * and since NULs embedded in UTF-8 might be OK in some contexts but really
+ * isn't in C (and Heimdal's ASN.1 compiler does not allow NULs in the
+ * middle of strings)... That just cannot be correct. Since elsewhere the TCG
+ * specs use the hex encoding of the SHA-256 digest of the DER encoding of
+ * public keys, that's what we should support in Heimdal, and maybe send in a
+ * comment.
+ *
+ * Also, even where one should use hex encoding of the SHA-256 digest of the
+ * DER encoding of public keys, how should the public keys be represented?
+ * Presumably as SPKIs, with all the required parameters and no more.
+ */
+
+/**
+ * Add a Subject Alternative Name of PermanentIdentifier type to a to-be-signed
+ * certificate object. The permanent identifier form for TPM endorsement key
+ * certificates is the hex encoding of the SHA-256 digest of the DER encoding
+ * of the certificate. The permanent identifier form for TPM endorsement keys
+ * are of the form "EkPubkey<public-key>", where the form of <public-key> is
+ * not well specified at this point. It is the caller's responsibility to
+ * format the identifierValue.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param str permanent identifier name in the form "[<assigner-oid>]:[<id>]".
+ * @param assigner The OID of an assigner.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_add_san_permanentIdentifier_string(hx509_context context,
+ hx509_ca_tbs tbs,
+ const char *str)
+{
+ const heim_oid *found = NULL;
+ heim_oid oid;
+ const char *oidstr, *id;
+ char *freeme, *p;
+ int ret;
+
+ memset(&oid, 0, sizeof(oid));
+ if ((freeme = strdup(str)) == NULL)
+ return hx509_enomem(context);
+
+ oidstr = freeme;
+ p = strchr(freeme, ':');
+ if (!p) {
+ hx509_set_error_string(context, 0, EINVAL,
+ "Invalid PermanentIdentifier string (should be \"[<oid>]:[<id>]\")",
+ oidstr);
+ free(freeme);
+ return EINVAL;
+ }
+ if (p) {
+ *(p++) = '\0';
+ id = p;
+ }
+ if (oidstr[0] != '\0') {
+ ret = der_find_heim_oid_by_name(oidstr, &found);
+ if (ret) {
+ ret = der_parse_heim_oid(oidstr, " .", &oid);
+ if (ret == 0)
+ found = &oid;
+ }
+ }
+ ret = hx509_ca_tbs_add_san_permanentIdentifier(context, tbs, id, found);
+ if (found == &oid)
+ der_free_oid(&oid);
+ free(freeme);
+ return ret;
+}
+
+/**
+ * Add a Subject Alternative Name of PermanentIdentifier type to a to-be-signed
+ * certificate object. The permanent identifier form for TPM endorsement key
+ * certificates is the hex encoding of the SHA-256 digest of the DER encoding
+ * of the certificate. The permanent identifier form for TPM endorsement keys
+ * are of the form "EkPubkey<public-key>", where the form of <public-key> is
+ * not well specified at this point. It is the caller's responsibility to
+ * format the identifierValue.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param identifierValue The permanent identifier name.
+ * @param assigner The OID of an assigner.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_add_san_permanentIdentifier(hx509_context context,
+ hx509_ca_tbs tbs,
+ const char *identifierValue,
+ const heim_oid *assigner)
+{
+ PermanentIdentifier pi;
+ heim_utf8_string s = (void *)(uintptr_t)identifierValue;
+ heim_octet_string os;
+ size_t size;
+ int ret;
+
+ pi.identifierValue = &s;
+ pi.assigner = (heim_oid*)(uintptr_t)assigner;
+ os.length = 0;
+ os.data = NULL;
+
+ ASN1_MALLOC_ENCODE(PermanentIdentifier, os.data, os.length, &pi, &size,
+ ret);
+ if (ret) {
+ hx509_set_error_string(context, 0, ret, "Out of memory");
+ return ret;
+ }
+ if (size != os.length)
+ _hx509_abort("internal ASN.1 encoder error");
+
+ ret = hx509_ca_tbs_add_san_otherName(context, tbs,
+ &asn1_oid_id_pkix_on_permanentIdentifier,
+ &os);
+ free(os.data);
+ return ret;
+}
+
+/**
+ * Add a Subject Alternative Name of HardwareModuleName type to a to-be-signed
+ * certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param str a string of the form "<oid>:<serial>".
+ * @param hwserial The serial number.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_add_san_hardwareModuleName_string(hx509_context context,
+ hx509_ca_tbs tbs,
+ const char *str)
+{
+ const heim_oid *found = NULL;
+ heim_oid oid;
+ const char *oidstr, *sno;
+ char *freeme, *p;
+ int ret;
+
+ memset(&oid, 0, sizeof(oid));
+ if ((freeme = strdup(str)) == NULL)
+ return hx509_enomem(context);
+
+ oidstr = freeme;
+ p = strchr(freeme, ':');
+ if (!p) {
+ hx509_set_error_string(context, 0, EINVAL,
+ "Invalid HardwareModuleName string (should be "
+ "\"<oid>:<serial>\")",
+ oidstr);
+ free(freeme);
+ return EINVAL;
+ }
+ if (p) {
+ *(p++) = '\0';
+ sno = p;
+ }
+ if (oidstr[0] == '\0') {
+ found = &asn1_oid_tcg_tpm20;
+ } else {
+ ret = der_find_heim_oid_by_name(oidstr, &found);
+ if (ret) {
+ ret = der_parse_heim_oid(oidstr, " .", &oid);
+ if (ret == 0)
+ found = &oid;
+ }
+ }
+ if (!found) {
+ hx509_set_error_string(context, 0, EINVAL,
+ "Could not resolve or parse OID \"%s\"",
+ oidstr);
+ free(freeme);
+ return EINVAL;
+ }
+ ret = hx509_ca_tbs_add_san_hardwareModuleName(context, tbs, found, sno);
+ if (found == &oid)
+ der_free_oid(&oid);
+ free(freeme);
+ return ret;
+}
+
+/**
+ * Add a Subject Alternative Name of HardwareModuleName type to a to-be-signed
+ * certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param hwtype The hardwar module type (e.g., `&asn1_oid_tcg_tpm20').
+ * @param hwserial The serial number.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_add_san_hardwareModuleName(hx509_context context,
+ hx509_ca_tbs tbs,
+ const heim_oid *hwtype,
+ const char *hwserial)
+{
+ HardwareModuleName hm;
+ heim_octet_string os;
+ size_t size;
+ int ret;
+
+ hm.hwType = *hwtype;
+ hm.hwSerialNum.data = (void *)(uintptr_t)hwserial;
+ hm.hwSerialNum.length = strlen(hwserial);
+ os.length = 0;
+ os.data = NULL;
+
+ ASN1_MALLOC_ENCODE(HardwareModuleName, os.data, os.length, &hm, &size,
+ ret);
+ if (ret) {
+ hx509_set_error_string(context, 0, ret, "Out of memory");
+ return ret;
+ }
+ if (size != os.length)
+ _hx509_abort("internal ASN.1 encoder error");
+
+ ret = hx509_ca_tbs_add_san_otherName(context, tbs,
+ &asn1_oid_id_on_hardwareModuleName,
+ &os);
+ free(os.data);
+ return ret;
+}
+
+/**
+ * Add a Subject Alternative Name of the given type to the
+ * to-be-signed certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param rfc822Name a string to a email address.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_add_san(hx509_context context,
+ hx509_ca_tbs tbs,
+ hx509_san_type type,
+ const char *s)
+{
+ switch (type) {
+ case HX509_SAN_TYPE_EMAIL:
+ return hx509_ca_tbs_add_san_rfc822name(context, tbs, s);
+ case HX509_SAN_TYPE_DNSNAME:
+ return hx509_ca_tbs_add_san_hostname(context, tbs, s);
+ case HX509_SAN_TYPE_DN:
+ return ENOTSUP;
+ case HX509_SAN_TYPE_REGISTERED_ID:
+ return ENOTSUP;
+ case HX509_SAN_TYPE_XMPP:
+ return hx509_ca_tbs_add_san_jid(context, tbs, s);
+ case HX509_SAN_TYPE_PKINIT:
+ return hx509_ca_tbs_add_san_pkinit(context, tbs, s);
+ case HX509_SAN_TYPE_MS_UPN:
+ return hx509_ca_tbs_add_san_ms_upn(context, tbs, s);
+ default:
+ return ENOTSUP;
+ }
+}
+
/**
* Set the subject name of a to-be-signed certificate object.
*
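Review bot: In `hx509_ca_tbs_add_san_permanentIdentifier_string`, when `oidstr` is non-empty but neither `der_find_heim_oid_by_name` nor `der_parse_heim_oid` succeeds, `found` stays NULL and the function still calls `hx509_ca_tbs_add_san_permanentIdentifier(context, tbs, id, found)`, so a mistyped assigner OID silently yields a PermanentIdentifier with no assigner instead of an error; `hx509_ca_tbs_add_san_hardwareModuleName_string` has exactly the `if (!found)` check this function is missing. The two `"Invalid ... string"` calls in the `if (!p)` branches pass `oidstr` although the format has no `%s`, and the `if (p)` that follows each `if (!p) return` is dead. The Doxygen blocks also drift from the signatures: both `_string` variants document an `@param assigner` / `@param hwserial` they do not take, and `hx509_ca_tbs_add_san` documents `@param rfc822Name` instead of `type` and `s`.
```c
    /* … unchanged: OID lookup by name, then by dotted string … */
    if (oidstr[0] != '\0' && found == NULL) {
        hx509_set_error_string(context, 0, EINVAL,
                               "Could not resolve or parse OID \"%s\"",
                               oidstr);
        free(freeme);
        return EINVAL;
    }
    ret = hx509_ca_tbs_add_san_permanentIdentifier(context, tbs, id, found);
```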
@@ -832,7 +1428,7 @@ hx509_ca_tbs_add_san_rfc822name(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_subject(hx509_context context,
hx509_ca_tbs tbs,
hx509_name subject)
@@ -860,7 +1456,7 @@ hx509_ca_tbs_set_subject(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_unique(hx509_context context,
hx509_ca_tbs tbs,
const heim_bit_string *subjectUniqueID,
@@ -900,7 +1496,7 @@ hx509_ca_tbs_set_unique(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_subject_expand(hx509_context context,
hx509_ca_tbs tbs,
hx509_env env)
@@ -909,6 +1505,23 @@ hx509_ca_tbs_subject_expand(hx509_context context,
}
/**
+ * Get the name of a to-be-signed certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ *
+ * @return An hx509 name.
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION hx509_name HX509_LIB_CALL
+hx509_ca_tbs_get_name(hx509_ca_tbs tbs)
+{
+ return tbs->subject;
+}
+
+/**
* Set signature algorithm on the to be signed certificate
*
* @param context A hx509 context.
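Review bot: The doc comment for hx509_ca_tbs_get_name lists `@param context A hx509 context.`, but the function takes only `tbs`; that line should go. The comment should also state ownership, since `tbs->subject` is handed back directly and other code in this diff frees names with hx509_name_free(): `@return The subject name owned by the tbs (do not free; valid only as long as the tbs), or NULL if no subject has been set yet.` The NULL case is real, as ca_sign later tests `tbs->subject == NULL` before defaulting it.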
@@ -920,7 +1533,7 @@ hx509_ca_tbs_subject_expand(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_signature_algorithm(hx509_context context,
hx509_ca_tbs tbs,
const AlgorithmIdentifier *sigalg)
@@ -957,16 +1570,7 @@ add_extension(hx509_context context,
memset(&ext, 0, sizeof(ext));
- if (critical_flag) {
- ext.critical = malloc(sizeof(*ext.critical));
- if (ext.critical == NULL) {
- ret = ENOMEM;
- hx509_set_error_string(context, 0, ret, "Out of memory");
- goto out;
- }
- *ext.critical = TRUE;
- }
-
+ ext.critical = critical_flag;
ret = der_copy_oid(oid, &ext.extnID);
if (ret) {
hx509_set_error_string(context, 0, ret, "Out of memory");
@@ -1033,7 +1637,6 @@ ca_sign(hx509_context context,
const AlgorithmIdentifier *sigalg;
time_t notBefore;
time_t notAfter;
- unsigned key_usage;
sigalg = tbs->sigalg;
if (sigalg == NULL)
@@ -1053,21 +1656,12 @@ ca_sign(hx509_context context,
if (notAfter == 0)
notAfter = time(NULL) + 3600 * 24 * 365;
- key_usage = tbs->key_usage;
- if (key_usage == 0) {
- KeyUsage ku;
- memset(&ku, 0, sizeof(ku));
- ku.digitalSignature = 1;
- ku.keyEncipherment = 1;
- key_usage = KeyUsage2int(ku);
- }
-
if (tbs->flags.ca) {
- KeyUsage ku;
- memset(&ku, 0, sizeof(ku));
- ku.keyCertSign = 1;
- ku.cRLSign = 1;
- key_usage |= KeyUsage2int(ku);
+ tbs->ku.keyCertSign = 1;
+ tbs->ku.cRLSign = 1;
+ } else if (KeyUsage2int(tbs->ku) == 0) {
+ tbs->ku.digitalSignature = 1;
+ tbs->ku.keyEncipherment = 1;
}
/*
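Review bot: The defaulted key usage is now written into the caller's object (`tbs->ku.keyCertSign = 1;` and the `else if` branch), where the removed code built it in a local `key_usage`; the same `tbs->ku` is then encoded in the KeyUsage hunk further down (`&tbs->ku, &size, ret`). A caller that inspects or re-signs the same tbs afterwards sees key-usage bits it never requested. Computing into a copy, declared where the removed `unsigned key_usage;` was, keeps ca_sign free of side effects on its input; the encode below then takes `&ku` and tests `KeyUsage2int(ku) > 0`. ca_sign begins outside this hunk.
```c
    KeyUsage ku = tbs->ku;   /* work on a copy: signing must not alter the caller's tbs */

    if (tbs->flags.ca) {
        ku.keyCertSign = 1;
        ku.cRLSign = 1;
    } else if (KeyUsage2int(ku) == 0) {
        ku.digitalSignature = 1;
        ku.keyEncipherment = 1;
    }
    /* … unchanged: subject defaulting, sanity checks; the KeyUsage encode later uses &ku … */
```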
@@ -1076,6 +1670,12 @@ ca_sign(hx509_context context,
tbsc = &c.tbsCertificate;
+ /* Default subject Name to empty */
+ if (tbs->subject == NULL &&
+ (ret = hx509_empty_name(context, &tbs->subject)))
+ return ret;
+
+ /* Sanity checks */
if (tbs->flags.key == 0) {
ret = EINVAL;
hx509_set_error_string(context, 0, ret, "No public key set");
@@ -1086,13 +1686,9 @@ ca_sign(hx509_context context,
* will be generated below.
*/
if (!tbs->flags.proxy) {
- if (tbs->subject == NULL) {
- hx509_set_error_string(context, 0, EINVAL, "No subject name set");
- return EINVAL;
- }
if (hx509_name_is_null_p(tbs->subject) && tbs->san.len == 0) {
hx509_set_error_string(context, 0, EINVAL,
- "NULL subject and no SubjectAltNames");
+ "Empty subject and no SubjectAltNames");
return EINVAL;
}
}
@@ -1146,7 +1742,7 @@ ca_sign(hx509_context context,
/* signature AlgorithmIdentifier, */
ret = copy_AlgorithmIdentifier(sigalg, &tbsc->signature);
if (ret) {
- hx509_set_error_string(context, 0, ret, "Failed to copy sigature alg");
+ hx509_set_error_string(context, 0, ret, "Failed to copy signature alg");
goto out;
}
/* issuer Name, */
@@ -1159,10 +1755,32 @@ ca_sign(hx509_context context,
goto out;
}
/* validity Validity, */
- tbsc->validity.notBefore.element = choice_Time_generalTime;
- tbsc->validity.notBefore.u.generalTime = notBefore;
- tbsc->validity.notAfter.element = choice_Time_generalTime;
- tbsc->validity.notAfter.u.generalTime = notAfter;
+ {
+ /*
+ * From RFC 5280, section 4.1.2.5:
+ *
+ * CAs conforming to this profile MUST always encode certificate
+ * validity dates through the year 2049 as UTCTime; certificate validity
+ * dates in 2050 or later MUST be encoded as GeneralizedTime.
+ * Conforming applications MUST be able to process validity dates that
+ * are encoded in either UTCTime or GeneralizedTime.
+ *
+ * 2524608000 is seconds since the epoch for 2050-01-01T00:00:00Z.
+ *
+ * Both, ...u.generalTime and ...u..utcTime are time_t.
+ */
+ if (notBefore < 1 || (int64_t)notBefore < 2524608000)
+ tbsc->validity.notBefore.element = choice_Time_utcTime;
+ else
+ tbsc->validity.notBefore.element = choice_Time_generalTime;
+ tbsc->validity.notBefore.u.generalTime = notBefore;
+
+ if (notAfter < 1 || (int64_t)notAfter < 2524608000)
+ tbsc->validity.notAfter.element = choice_Time_utcTime;
+ else
+ tbsc->validity.notAfter.element = choice_Time_generalTime;
+ tbsc->validity.notAfter.u.generalTime = notAfter;
+ }
/* subject Name, */
if (tbs->flags.proxy) {
ret = build_proxy_prefix(context, &tbsc->issuer, &tbsc->subject);
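Review bot: The UTCTime/GeneralizedTime cut-over is spelled out twice with the literal 2524608000, once for notBefore and once for notAfter; a small static helper taking the time_t and returning the choice, e.g. `return (t < 1 || (int64_t)t < 2524608000) ? choice_Time_utcTime : choice_Time_generalTime;`, keeps the RFC 5280 rule and the constant in one place. The explanatory comment has a stray dot in `...u..utcTime`. Negative values also select UTCTime, which RFC 5280 restricts to 1950–2049, so a time_t before 1950 would be unencodable on this path; a short comment or range check there would make the assumption explicit. ca_sign begins and ends outside this hunk.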
@@ -1236,12 +1854,10 @@ ca_sign(hx509_context context,
goto out;
}
- /* add KeyUsage */
- {
- KeyUsage ku;
-
- ku = int2KeyUsage(key_usage);
- ASN1_MALLOC_ENCODE(KeyUsage, data.data, data.length, &ku, &size, ret);
+ /* Add KeyUsage */
+ if (KeyUsage2int(tbs->ku) > 0) {
+ ASN1_MALLOC_ENCODE(KeyUsage, data.data, data.length,
+ &tbs->ku, &size, ret);
if (ret) {
hx509_set_error_string(context, 0, ret, "Out of memory");
goto out;
@@ -1255,7 +1871,7 @@ ca_sign(hx509_context context,
goto out;
}
- /* add ExtendedKeyUsage */
+ /* Add ExtendedKeyUsage */
if (tbs->eku.len > 0) {
ASN1_MALLOC_ENCODE(ExtKeyUsage, data.data, data.length,
&tbs->eku, &size, ret);
@@ -1265,14 +1881,14 @@ ca_sign(hx509_context context,
}
if (size != data.length)
_hx509_abort("internal ASN.1 encoder error");
- ret = add_extension(context, tbsc, 0,
+ ret = add_extension(context, tbsc, 1,
&asn1_oid_id_x509_ce_extKeyUsage, &data);
free(data.data);
if (ret)
goto out;
}
- /* add Subject Alternative Name */
+ /* Add Subject Alternative Name */
if (tbs->san.len > 0) {
ASN1_MALLOC_ENCODE(GeneralNames, data.data, data.length,
&tbs->san, &size, ret);
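Review bot: ExtendedKeyUsage is now emitted as a critical extension (`add_extension(context, tbsc, 1,`) and the hunk does not say why. RFC 5280 §4.2.1.12 leaves EKU criticality to the issuer, and RFC 5280 §4.2 requires relying parties to reject a certificate carrying an unrecognised critical extension, so this is an interoperability-affecting choice that deserves a line of comment, e.g. `/* Critical: RFC 5280 4.2.1.12 lets the issuer choose; critical keeps validators that ignore non-critical EKU from using the cert for other purposes */`. The other extensions added in this diff (CertificatePolicies, PolicyMappings, the PKINIT max-life extension) are added with `FALSE`, so the policy is not uniform across the function.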
@@ -1282,9 +1898,10 @@ ca_sign(hx509_context context,
}
if (size != data.length)
_hx509_abort("internal ASN.1 encoder error");
- ret = add_extension(context, tbsc, 0,
- &asn1_oid_id_x509_ce_subjectAltName,
- &data);
+
+ /* The SAN extension is critical if the subject Name is empty */
+ ret = add_extension(context, tbsc, hx509_name_is_null_p(tbs->subject),
+ &asn1_oid_id_x509_ce_subjectAltName, &data);
free(data.data);
if (ret)
goto out;
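Review bot: The criticality decision reads `tbs->subject`, but for proxy certificates the encoded subject is produced by build_proxy_prefix() from the issuer (the `tbs->flags.proxy` branch at the end of the validity hunk), so the flag can disagree with what ends up in tbsc->subject. With the subject defaulted to an empty name earlier in ca_sign, a proxy cert whose caller set no subject gets a critical SAN although its encoded subject is non-empty; that is permitted by RFC 5280 §4.2.1.6, which only requires critical when the encoded subject is empty, but the comment should say so: `/* RFC 5280 4.2.1.6: MUST be critical when the encoded subject is empty; proxy certs derive their subject from the issuer, so this may be over-critical for them */`.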
@@ -1346,13 +1963,12 @@ ca_sign(hx509_context context,
/* Add BasicConstraints */
{
BasicConstraints bc;
- int aCA = 1;
unsigned int path;
memset(&bc, 0, sizeof(bc));
if (tbs->flags.ca) {
- bc.cA = &aCA;
+ bc.cA = 1;
if (tbs->pathLenConstraint >= 0) {
path = tbs->pathLenConstraint;
bc.pathLenConstraint = &path;
@@ -1376,7 +1992,7 @@ ca_sign(hx509_context context,
goto out;
}
- /* add Proxy */
+ /* Add Proxy */
if (tbs->flags.proxy) {
ProxyCertInfo info;
@@ -1418,8 +2034,8 @@ ca_sign(hx509_context context,
goto out;
}
+ /* Add CRL distribution point */
if (tbs->crldp.len) {
-
ASN1_MALLOC_ENCODE(CRLDistributionPoints, data.data, data.length,
&tbs->crldp, &size, ret);
if (ret) {
@@ -1436,6 +2052,57 @@ ca_sign(hx509_context context,
goto out;
}
+ /* Add CertificatePolicies */
+ if (tbs->cps.len) {
+ ASN1_MALLOC_ENCODE(CertificatePolicies, data.data, data.length,
+ &tbs->cps, &size, ret);
+ if (ret) {
+ hx509_set_error_string(context, 0, ret, "Out of memory");
+ goto out;
+ }
+ if (size != data.length)
+ _hx509_abort("internal ASN.1 encoder error");
+ ret = add_extension(context, tbsc, FALSE,
+ &asn1_oid_id_x509_ce_certificatePolicies, &data);
+ free(data.data);
+ if (ret)
+ goto out;
+ }
+
+ /* Add PolicyMappings */
+ if (tbs->cps.len) {
+ ASN1_MALLOC_ENCODE(PolicyMappings, data.data, data.length,
+ &tbs->pms, &size, ret);
+ if (ret) {
+ hx509_set_error_string(context, 0, ret, "Out of memory");
+ goto out;
+ }
+ if (size != data.length)
+ _hx509_abort("internal ASN.1 encoder error");
+ ret = add_extension(context, tbsc, FALSE,
+ &asn1_oid_id_x509_ce_policyMappings, &data);
+ free(data.data);
+ if (ret)
+ goto out;
+ }
+
+ /* Add Heimdal PKINIT ticket max life extension */
+ if (tbs->pkinitTicketMaxLife > 0) {
+ ASN1_MALLOC_ENCODE(HeimPkinitPrincMaxLifeSecs, data.data, data.length,
+ &tbs->pkinitTicketMaxLife, &size, ret);
+ if (ret) {
+ hx509_set_error_string(context, 0, ret, "Out of memory");
+ goto out;
+ }
+ if (size != data.length)
+ _hx509_abort("internal ASN.1 encoder error");
+ ret = add_extension(context, tbsc, FALSE,
+ &asn1_oid_id_heim_ce_pkinit_princ_max_life, &data);
+ free(data.data);
+ if (ret)
+ goto out;
+ }
+
ASN1_MALLOC_ENCODE(TBSCertificate, data.data, data.length,tbsc, &size, ret);
if (ret) {
hx509_set_error_string(context, 0, ret, "malloc out of memory");
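Review bot: The PolicyMappings block is guarded by `if (tbs->cps.len) {` but encodes `&tbs->pms`, an apparent copy-paste from the CertificatePolicies block just above it; mappings set without policies are silently dropped, and policies without mappings produce an empty PolicyMappings extension, which the RFC 5280 definition (`SEQUENCE SIZE (1..MAX) OF`) does not allow. The guard should read `if (tbs->pms.len) {`. Separately, RFC 5280 §4.2.1.5 says conforming CAs SHOULD mark PolicyMappings critical, whereas it is added here with `FALSE`; if non-critical is intended, a one-line comment giving the reason would stop the next reader from "fixing" it.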
@@ -1531,8 +2198,7 @@ get_AuthorityKeyIdentifier(hx509_context context,
memset(&gn, 0, sizeof(gn));
gn.element = choice_GeneralName_directoryName;
- gn.u.directoryName.element =
- choice_GeneralName_directoryName_rdnSequence;
+ gn.u.directoryName.element = choice_Name_rdnSequence;
gn.u.directoryName.u.rdnSequence = name.u.rdnSequence;
ret = add_GeneralNames(&gns, &gn);
@@ -1583,7 +2249,7 @@ out:
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_sign(hx509_context context,
hx509_ca_tbs tbs,
hx509_cert signer,
@@ -1627,7 +2293,7 @@ out:
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_sign_self(hx509_context context,
hx509_ca_tbs tbs,
hx509_private_key signer,
@@ -1640,3 +2306,790 @@ hx509_ca_sign_self(hx509_context context,
NULL,
certificate);
}
+
+/*
+ * The following used to be `kdc_issue_certificate()', which was added for
+ * kx509 support in the kdc, then adapted for bx509d. It now has no
+ * kdc-specific code and very little krb5-specific code, and is named
+ * `hx509_ca_issue_certificate()'.
+ */
+
+/* From lib/krb5/principal.c */
+#define princ_num_comp(P) ((P)->principalName.name_string.len)
+#define princ_type(P) ((P)->principalName.name_type)
+#define princ_comp(P) ((P)->principalName.name_string.val)
+#define princ_ncomp(P, N) ((P)->principalName.name_string.val[(N)])
+#define princ_realm(P) ((P)->realm)
+
+static const char *
+princ_get_comp_string(KRB5PrincipalName *principal, unsigned int component)
+{
+ if (component >= princ_num_comp(principal))
+ return NULL;
+ return princ_ncomp(principal, component);
+}
+/* XXX Add unparse_name() */
+
+typedef enum {
+ CERT_NOTSUP = 0,
+ CERT_CLIENT = 1,
+ CERT_SERVER = 2,
+ CERT_MIXED = 3
+} cert_type;
+
+static void
+frees(char **s)
+{
+ free(*s);
+ *s = NULL;
+}
+
+static heim_error_code
+count_sans(hx509_request req, size_t *n)
+{
+ size_t i;
+ char *s = NULL;
+ int ret = 0;
+
+ *n = 0;
+ for (i = 0; ret == 0; i++) {
+ hx509_san_type san_type;
+
+ ret = hx509_request_get_san(req, i, &san_type, &s);
+ if (ret)
+ break;
+ switch (san_type) {
+ case HX509_SAN_TYPE_DNSNAME:
+ case HX509_SAN_TYPE_EMAIL:
+ case HX509_SAN_TYPE_XMPP:
+ case HX509_SAN_TYPE_PKINIT:
+ case HX509_SAN_TYPE_MS_UPN:
+ (*n)++;
+ break;
+ default:
+ ret = ENOTSUP;
+ }
+ frees(&s);
+ }
+ free(s);
+ return ret == HX509_NO_ITEM ? 0 : ret;
+}
+
+static int
+has_sans(hx509_request req)
+{
+ hx509_san_type san_type;
+ char *s = NULL;
+ int ret = hx509_request_get_san(req, 0, &san_type, &s);
+
+ frees(&s);
+ return ret == HX509_NO_ITEM ? 0 : 1;
+}
+
+static cert_type
+characterize_cprinc(hx509_context context,
+ KRB5PrincipalName *cprinc)
+{
+ unsigned int ncomp = princ_num_comp(cprinc);
+ const char *comp1 = princ_get_comp_string(cprinc, 1);
+
+ switch (ncomp) {
+ case 1:
+ return CERT_CLIENT;
+ case 2:
+ if (strchr(comp1, '.') == NULL)
+ return CERT_CLIENT;
+ return CERT_SERVER;
+ case 3:
+ if (strchr(comp1, '.'))
+ return CERT_SERVER;
+ return CERT_NOTSUP;
+ default:
+ return CERT_NOTSUP;
+ }
+}
+
+/* Characterize request as client or server cert req */
+static cert_type
+characterize(hx509_context context,
+ KRB5PrincipalName *cprinc,
+ hx509_request req)
+{
+ heim_error_code ret = 0;
+ cert_type res = CERT_NOTSUP;
+ size_t i;
+ char *s = NULL;
+ int want_ekus = 0;
+
+ if (!has_sans(req))
+ return characterize_cprinc(context, cprinc);
+
+ for (i = 0; ret == 0; i++) {
+ heim_oid oid;
+
+ frees(&s);
+ ret = hx509_request_get_eku(req, i, &s);
+ if (ret)
+ break;
+
+ want_ekus = 1;
+ ret = der_parse_heim_oid(s, ".", &oid);
+ if (ret)
+ break;
+ /*
+ * If the client wants only a server certificate, then we'll be
+ * willing to issue one that may be longer-lived than the client's
+ * ticket/token.
+ *
+ * There may be other server EKUs, but these are the ones we know
+ * of.
+ */
+ if (der_heim_oid_cmp(&asn1_oid_id_pkix_kp_serverAuth, &oid) &&
+ der_heim_oid_cmp(&asn1_oid_id_pkix_kp_OCSPSigning, &oid) &&
+ der_heim_oid_cmp(&asn1_oid_id_pkix_kp_secureShellServer, &oid))
+ res |= CERT_CLIENT;
+ else
+ res |= CERT_SERVER;
+ der_free_oid(&oid);
+ }
+ frees(&s);
+ if (ret == HX509_NO_ITEM)
+ ret = 0;
+
+ for (i = 0; ret == 0; i++) {
+ hx509_san_type san_type;
+
+ frees(&s);
+ ret = hx509_request_get_san(req, i, &san_type, &s);
+ if (ret)
+ break;
+ switch (san_type) {
+ case HX509_SAN_TYPE_DNSNAME:
+ if (!want_ekus)
+ res |= CERT_SERVER;
+ break;
+ case HX509_SAN_TYPE_EMAIL:
+ case HX509_SAN_TYPE_XMPP:
+ case HX509_SAN_TYPE_PKINIT:
+ case HX509_SAN_TYPE_MS_UPN:
+ if (!want_ekus)
+ res |= CERT_CLIENT;
+ break;
+ default:
+ ret = ENOTSUP;
+ }
+ if (ret)
+ break;
+ }
+ frees(&s);
+ if (ret == HX509_NO_ITEM)
+ ret = 0;
+ return ret ? CERT_NOTSUP : res;
+}
+
+/*
+ * Get a configuration sub-tree for kx509 based on what's being requested and
+ * by whom.
+ *
+ * We have a number of cases:
+ *
+ * - default certificate (no CSR used, or no certificate extensions requested)
+ * - for client principals
+ * - for service principals
+ * - client certificate requested (CSR used and client-y SANs/EKUs requested)
+ * - server certificate requested (CSR used and server-y SANs/EKUs requested)
+ * - mixed client/server certificate requested (...)
+ */
+static heim_error_code
+get_cf(hx509_context context,
+ const heim_config_binding *cf,
+ heim_log_facility *logf,
+ hx509_request req,
+ KRB5PrincipalName *cprinc,
+ const heim_config_binding **out)
+{
+ heim_error_code ret;
+ unsigned int ncomp = princ_num_comp(cprinc);
+ const char *realm = princ_realm(cprinc);
+ const char *comp0 = princ_get_comp_string(cprinc, 0);
+ const char *comp1 = princ_get_comp_string(cprinc, 1);
+ const char *label = NULL;
+ const char *svc = NULL;
+ const char *def = NULL;
+ cert_type certtype = CERT_NOTSUP;
+ size_t nsans = 0;
+
+ *out = NULL;
+ if (ncomp == 0) {
+ heim_log_msg(context->hcontext, logf, 5, NULL,
+ "Client principal has no components!");
+ hx509_set_error_string(context, 0, ret = ENOTSUP,
+ "Client principal has no components!");
+ return ret;
+ }
+
+ if ((ret = count_sans(req, &nsans)) ||
+ (certtype = characterize(context, cprinc, req)) == CERT_NOTSUP) {
+ heim_log_msg(context->hcontext, logf, 5, NULL,
+ "Could not characterize CSR");
+ hx509_set_error_string(context, 0, ret, "Could not characterize CSR");
+ return ret;
+ }
+
+ if (nsans) {
+ def = "custom";
+ /* Client requested some certificate extension, a SAN or EKU */
+ switch (certtype) {
+ case CERT_MIXED: label = "mixed"; break;
+ case CERT_CLIENT: label = "client"; break;
+ case CERT_SERVER: label = "server"; break;
+ default:
+ hx509_set_error_string(context, 0, ret = ENOTSUP,
+ "Requested SAN/EKU combination not "
+ "supported");
+ return ret;
+ }
+ } else {
+ def = "default";
+ /* Default certificate desired */
+ if (ncomp == 1) {
+ label = "user";
+ } else if (ncomp == 2 && strcmp(comp1, "root") == 0) {
+ label = "root_user";
+ } else if (ncomp == 2 && strcmp(comp1, "admin") == 0) {
+ label = "admin_user";
+ } else if (strchr(comp1, '.')) {
+ label = "hostbased_service";
+ svc = comp0;
+ } else {
+ label = "other";
+ }
+ }
+
+ *out = heim_config_get_list(context->hcontext, cf, label, svc, NULL);
+ if (*out) {
+ ret = 0;
+ } else {
+ heim_log_msg(context->hcontext, logf, 3, NULL,
+ "No configuration for %s %s certificate's realm "
+ "-> %s -> kx509 -> %s%s%s", def, label, realm, label,
+ svc ? " -> " : "", svc ? svc : "");
+ hx509_set_error_string(context, 0, EACCES,
+ "No configuration for %s %s certificate's realm "
+ "-> %s -> kx509 -> %s%s%s", def, label, realm, label,
+ svc ? " -> " : "", svc ? svc : "");
+ }
+ return ret;
+}
+
+
+/*
+ * Find and set a certificate template using a configuration sub-tree
+ * appropriate to the requesting principal.
+ *
+ * This allows for the specification of the following in configuration:
+ *
+ * - certificates as templates, with ${var} tokens in subjectName attribute
+ * values that will be expanded later
+ * - a plain string with ${var} tokens to use as the subjectName
+ * - EKUs
+ * - whether to include a PKINIT SAN
+ */
+static heim_error_code
+set_template(hx509_context context,
+ heim_log_facility *logf,
+ const heim_config_binding *cf,
+ hx509_ca_tbs tbs)
+{
+ heim_error_code ret = 0;
+ const char *cert_template = NULL;
+ const char *subj_name = NULL;
+ char **ekus = NULL;
+
+ if (cf == NULL)
+ return EACCES; /* Can't happen */
+
+ cert_template = heim_config_get_string(context->hcontext, cf,
+ "template_cert", NULL);
+ subj_name = heim_config_get_string(context->hcontext, cf, "subject_name",
+ NULL);
+
+ if (cert_template) {
+ hx509_certs certs;
+ hx509_cert template;
+
+ ret = hx509_certs_init(context, cert_template, 0, NULL, &certs);
+ if (ret == 0)
+ ret = hx509_get_one_cert(context, certs, &template);
+ hx509_certs_free(&certs);
+ if (ret) {
+ heim_log_msg(context->hcontext, logf, 1, NULL,
+ "Failed to load certificate template from %s",
+ cert_template);
+ hx509_set_error_string(context, 0, EACCES,
+ "Failed to load certificate template from "
+ "%s", cert_template);
+ return ret;
+ }
+
+ /*
+ * Only take the subjectName, the keyUsage, and EKUs from the template
+ * certificate.
+ */
+ ret = hx509_ca_tbs_set_template(context, tbs,
+ HX509_CA_TEMPLATE_SUBJECT |
+ HX509_CA_TEMPLATE_KU |
+ HX509_CA_TEMPLATE_EKU,
+ template);
+ hx509_cert_free(template);
+ if (ret)
+ return ret;
+ }
+
+ if (subj_name) {
+ hx509_name dn = NULL;
+
+ ret = hx509_parse_name(context, subj_name, &dn);
+ if (ret == 0)
+ ret = hx509_ca_tbs_set_subject(context, tbs, dn);
+ hx509_name_free(&dn);
+ if (ret)
+ return ret;
+ }
+
+ if (cert_template == NULL && subj_name == NULL) {
+ hx509_name dn = NULL;
+
+ ret = hx509_empty_name(context, &dn);
+ if (ret == 0)
+ ret = hx509_ca_tbs_set_subject(context, tbs, dn);
+ hx509_name_free(&dn);
+ if (ret)
+ return ret;
+ }
+
+ ekus = heim_config_get_strings(context->hcontext, cf, "ekus", NULL);
+ if (ekus) {
+ size_t i;
+
+ for (i = 0; ret == 0 && ekus[i]; i++) {
+ heim_oid oid = { 0, 0 };
+
+ if ((ret = der_find_or_parse_heim_oid(ekus[i], ".", &oid)) == 0)
+ ret = hx509_ca_tbs_add_eku(context, tbs, &oid);
+ der_free_oid(&oid);
+ }
+ heim_config_free_strings(ekus);
+ }
+
+ /*
+ * XXX A KeyUsage template would be nice, but it needs some smarts to
+ * remove, e.g., encipherOnly, decipherOnly, keyEncipherment, if the SPKI
+ * algorithm does not support encryption. The same logic should be added
+ * to hx509_ca_tbs_set_template()'s HX509_CA_TEMPLATE_KU functionality.
+ */
+ return ret;
+}
+
+/*
+ * Find and set a certificate template, set "variables" in `env', and add add
+ * default SANs/EKUs as appropriate.
+ *
+ * TODO:
+ * - lookup a template for the client principal in its HDB entry
+ * - lookup subjectName, SANs for a principal in its HDB entry
+ * - lookup a host-based client principal's HDB entry and add its canonical
+ * name / aliases as dNSName SANs
+ * (this would have to be if requested by the client, perhaps)
+ */
+static heim_error_code
+set_tbs(hx509_context context,
+ heim_log_facility *logf,
+ const heim_config_binding *cf,
+ hx509_request req,
+ KRB5PrincipalName *cprinc,
+ hx509_env *env,
+ hx509_ca_tbs tbs)
+{
+ KRB5PrincipalName cprinc_no_realm = *cprinc;
+ heim_error_code ret;
+ unsigned int ncomp = princ_num_comp(cprinc);
+ const char *realm = princ_realm(cprinc);
+ const char *comp0 = princ_get_comp_string(cprinc, 0);
+ const char *comp1 = princ_get_comp_string(cprinc, 1);
+ const char *comp2 = princ_get_comp_string(cprinc, 2);
+ struct rk_strpool *strpool;
+ char *princ_no_realm = NULL;
+ char *princ = NULL;
+
+ strpool = _hx509_unparse_kerberos_name(NULL, cprinc);
+ if (strpool)
+ princ = rk_strpoolcollect(strpool);
+ cprinc_no_realm.realm = NULL;
+ strpool = _hx509_unparse_kerberos_name(NULL, &cprinc_no_realm);
+ if (strpool)
+ princ_no_realm = rk_strpoolcollect(strpool);
+ if (princ == NULL || princ_no_realm == NULL) {
+ free(princ);
+ return hx509_enomem(context);
+ }
+ strpool = NULL;
+ ret = hx509_env_add(context, env, "principal-name-without-realm",
+ princ_no_realm);
+ if (ret == 0)
+ ret = hx509_env_add(context, env, "principal-name", princ);
+ if (ret == 0)
+ ret = hx509_env_add(context, env, "principal-name-realm",
+ realm);
+
+ /* Populate requested certificate extensions from CSR/CSRPlus if allowed */
+ if (ret == 0)
+ ret = hx509_ca_tbs_set_from_csr(context, tbs, req);
+ if (ret == 0)
+ ret = set_template(context, logf, cf, tbs);
+
+ /*
+ * Optionally add PKINIT SAN.
+ *
+ * Adding an id-pkinit-san means the client can use the certificate to
+ * initiate PKINIT. That might seem odd, but it enables a sort of PKIX
+ * credential delegation by allowing forwarded Kerberos tickets to be
+ * used to acquire PKIX credentials. Thus this can work:
+ *
+ * PKIX (w/ HW token) -> Kerberos ->
+ * PKIX (w/ softtoken) -> Kerberos ->
+ * PKIX (w/ softtoken) -> Kerberos ->
+ * ...
+ *
+ * Note that we may not have added the PKINIT EKU -- that depends on the
+ * template, and host-based service templates might well not include it.
+ */
+ if (ret == 0 && !has_sans(req) &&
+ heim_config_get_bool_default(context->hcontext, cf, FALSE,
+ "include_pkinit_san", NULL)) {
+ ret = hx509_ca_tbs_add_san_pkinit(context, tbs, princ);
+ }
+
+ if (ret)
+ goto out;
+
+ if (ncomp == 1) {
+ const char *email_domain;
+
+ ret = hx509_env_add(context, env, "principal-component0",
+ princ_no_realm);
+
+ /*
+ * If configured, include an rfc822Name that's just the client's
+ * principal name sans realm @ configured email domain.
+ */
+ if (ret == 0 && !has_sans(req) &&
+ (email_domain = heim_config_get_string(context->hcontext, cf,
+ "email_domain", NULL))) {
+ char *email;
+
+ if (asprintf(&email, "%s@%s", princ_no_realm, email_domain) == -1 ||
+ email == NULL)
+ goto enomem;
+ ret = hx509_ca_tbs_add_san_rfc822name(context, tbs, email);
+ free(email);
+ }
+ } else if (ncomp == 2 || ncomp == 3) {
+ /*
+ * 2- and 3-component principal name.
+ *
+ * We do not have a reliable name-type indicator. If the second
+ * component has a '.' in it then we'll assume that the name is a
+ * host-based (2-component) or domain-based (3-component) service
+ * principal name. Else we'll assume it's a two-component admin-style
+ * username.
+ */
+
+ ret = hx509_env_add(context, env, "principal-component0", comp0);
+ if (ret == 0)
+ ret = hx509_env_add(context, env, "principal-component1", comp1);
+ if (ret == 0 && ncomp == 3)
+ ret = hx509_env_add(context, env, "principal-component2", comp2);
+ if (ret == 0 && strchr(comp1, '.')) {
+ /* Looks like host-based or domain-based service */
+ ret = hx509_env_add(context, env, "principal-service-name", comp0);
+ if (ret == 0)
+ ret = hx509_env_add(context, env, "principal-host-name",
+ comp1);
+ if (ret == 0 && ncomp == 3)
+ ret = hx509_env_add(context, env, "principal-domain-name",
+ comp2);
+ if (ret == 0 && !has_sans(req) &&
+ heim_config_get_bool_default(context->hcontext, cf, FALSE,
+ "include_dnsname_san", NULL)) {
+ ret = hx509_ca_tbs_add_san_hostname(context, tbs, comp1);
+ }
+ }
+ } else {
+ heim_log_msg(context->hcontext, logf, 5, NULL,
+ "kx509/bx509 client %s has too many components!", princ);
+ hx509_set_error_string(context, 0, ret = EACCES,
+ "kx509/bx509 client %s has too many "
+ "components!", princ);
+ }
+
+out:
+ if (ret == ENOMEM)
+ goto enomem;
+ free(princ_no_realm);
+ free(princ);
+ return ret;
+
+enomem:
+ heim_log_msg(context->hcontext, logf, 0, NULL,
+ "Could not set up TBSCertificate: Out of memory");
+ ret = hx509_enomem(context);
+ goto out;
+}
+
+/*
+ * Set the notBefore/notAfter for the certificate to be issued.
+ *
+ * Here `starttime' is the supplicant's credentials' notBefore equivalent,
+ * while `endtime' is the supplicant's credentials' notAfter equivalent.
+ *
+ * `req_life' is the lifetime requested by the supplicant.
+ *
+ * `endtime' must be larger than the current time.
+ *
+ * `starttime' can be zero or negative, in which case the notBefore will be the
+ * current time minus five minutes.
+ *
+ * `endtime', `req_life' and configuration parameters will be used to compute
+ * the actual notAfter.
+ */
+static heim_error_code
+tbs_set_times(hx509_context context,
+ const heim_config_binding *cf,
+ heim_log_facility *logf,
+ time_t starttime,
+ time_t endtime,
+ time_t req_life,
+ hx509_ca_tbs tbs)
+{
+ time_t now = time(NULL);
+ time_t force = heim_config_get_time_default(context->hcontext,
+ cf, 5 * 24 * 3600,
+ "force_cert_lifetime", NULL);
+ time_t clamp = heim_config_get_time_default(context->hcontext, cf, 0,
+ "max_cert_lifetime", NULL);
+ int allow_more = heim_config_get_bool_default(context->hcontext, cf, FALSE,
+ "allow_extra_lifetime",
+ NULL);
+ starttime = starttime > 0 ? starttime : now - 5 * 60;
+
+ if (endtime < now) {
+ heim_log_msg(context->hcontext, logf, 3, NULL,
+ "Endtime is in the past");
+ hx509_set_error_string(context, 0, ERANGE, "Endtime is in the past");
+ return ERANGE;
+ }
+
+ /* Apply requested lifetime if shorter or if allowed more */
+ if (req_life > 0 && req_life <= endtime - now)
+ endtime = now + req_life;
+ else if (req_life > 0 && allow_more)
+ endtime = now + req_life;
+
+ /* Apply floor */
+ if (force > 0 && force > endtime - now)
+ endtime = now + force;
+
+ /* Apply ceiling */
+ if (clamp > 0 && clamp < endtime - now)
+ endtime = now + clamp;
+
+ hx509_ca_tbs_set_notAfter(context, tbs, endtime);
+ hx509_ca_tbs_set_notBefore(context, tbs, starttime);
+ return 0;
+}
+
+/*
+ * Build a certifate for `principal' and its CSR.
+ *
+ * XXX Make `cprinc' a GeneralName! That's why this is private for now.
+ */
+heim_error_code
+_hx509_ca_issue_certificate(hx509_context context,
+ const heim_config_binding *cf,
+ heim_log_facility *logf,
+ hx509_request req,
+ KRB5PrincipalName *cprinc,
+ time_t starttime,
+ time_t endtime,
+ time_t req_life,
+ int send_chain,
+ hx509_certs *out)
+{
+ heim_error_code ret;
+ const char *ca;
+ hx509_ca_tbs tbs = NULL;
+ hx509_certs chain = NULL;
+ hx509_cert signer = NULL;
+ hx509_cert cert = NULL;
+ hx509_env env = NULL;
+ KeyUsage ku;
+
+ *out = NULL;
+ /* Force KU */
+ ku = int2KeyUsage(0);
+ ku.digitalSignature = 1;
+ hx509_request_authorize_ku(req, ku);
+
+ ret = get_cf(context, cf, logf, req, cprinc, &cf);
+ if (ret)
+ return ret;
+
+ if ((ca = heim_config_get_string(context->hcontext, cf,
+ "ca", NULL)) == NULL) {
+ heim_log_msg(context->hcontext, logf, 3, NULL,
+ "No kx509 CA issuer credential specified");
+ hx509_set_error_string(context, 0, ret = EACCES,
+ "No kx509 CA issuer credential specified");
+ return ret;
+ }
+
+ ret = hx509_ca_tbs_init(context, &tbs);
+ if (ret) {
+ heim_log_msg(context->hcontext, logf, 0, NULL,
+ "Failed to create certificate: Out of memory");
+ return ret;
+ }
+
+ /* Lookup a template and set things in `env' and `tbs' as appropriate */
+ if (ret == 0)
+ ret = set_tbs(context, logf, cf, req, cprinc, &env, tbs);
+
+ /* Populate generic template "env" variables */
+
+ /*
+ * The `tbs' and `env' are now complete as to naming and EKUs.
+ *
+ * We check that the `tbs' is not name-less, after which all remaining
+ * failures here will not be policy failures. So we also log the intent to
+ * issue a certificate now.
+ */
+ if (ret == 0 && hx509_name_is_null_p(hx509_ca_tbs_get_name(tbs)) &&
+ !has_sans(req)) {
+ heim_log_msg(context->hcontext, logf, 3, NULL,
+ "Not issuing certificate because it would have no names");
+ hx509_set_error_string(context, 0, ret = EACCES,
+ "Not issuing certificate because it "
+ "would have no names");
+ }
+ if (ret)
+ goto out;
+
+ /*
+ * Still to be done below:
+ *
+ * - set certificate spki
+ * - set certificate validity
+ * - expand variables in certificate subject name template
+ * - sign certificate
+ * - encode certificate and chain
+ */
+
+ /* Load the issuer certificate and private key */
+ {
+ hx509_certs certs;
+ hx509_query *q;
+
+ ret = hx509_certs_init(context, ca, 0, NULL, &certs);
+ if (ret) {
+ heim_log_msg(context->hcontext, logf, 1, NULL,
+ "Failed to load CA certificate and private key %s",
+ ca);
+ hx509_set_error_string(context, 0, ret, "Failed to load "
+ "CA certificate and private key %s", ca);
+ goto out;
+ }
+ ret = hx509_query_alloc(context, &q);
+ if (ret) {
+ hx509_certs_free(&certs);
+ goto out;
+ }
+
+ hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+ hx509_query_match_option(q, HX509_QUERY_OPTION_KU_KEYCERTSIGN);
+
+ ret = hx509_certs_find(context, certs, q, &signer);
+ hx509_query_free(context, q);
+ hx509_certs_free(&certs);
+ if (ret) {
+ heim_log_msg(context->hcontext, logf, 1, NULL,
+ "Failed to find a CA certificate in %s", ca);
+ hx509_set_error_string(context, 0, ret,
+ "Failed to find a CA certificate in %s",
+ ca);
+ goto out;
+ }
+ }
+
+ /* Populate the subject public key in the TBS context */
+ {
+ SubjectPublicKeyInfo spki;
+
+ ret = hx509_request_get_SubjectPublicKeyInfo(context,
+ req, &spki);
+ if (ret == 0)
+ ret = hx509_ca_tbs_set_spki(context, tbs, &spki);
+ free_SubjectPublicKeyInfo(&spki);
+ if (ret)
+ goto out;
+ }
+
+ /* Work out cert expiration */
+ if (ret == 0)
+ ret = tbs_set_times(context, cf, logf, starttime, endtime, req_life,
+ tbs);
+
+ /* Expand the subjectName template in the TBS using the env */
+ if (ret == 0)
+ ret = hx509_ca_tbs_subject_expand(context, tbs, env);
+ hx509_env_free(&env);
+
+ /* All done with the TBS, sign/issue the certificate */
+ if (ret == 0)
+ ret = hx509_ca_sign(context, tbs, signer, &cert);
+
+ /*
+ * Gather the certificate and chain into a MEMORY store, being careful not
+ * to include private keys in the chain.
+ *
+ * We could have specified a separate configuration parameter for an hx509
+ * store meant to have only the chain and no private keys, but expecting
+ * the full chain in the issuer credential store and copying only the certs
+ * (but not the private keys) is safer and easier to configure.
+ */
+ if (ret == 0)
+ ret = hx509_certs_init(context, "MEMORY:certs",
+ HX509_CERTS_NO_PRIVATE_KEYS, NULL, out);
+ if (ret == 0)
+ ret = hx509_certs_add(context, *out, cert);
+ if (ret == 0 && send_chain) {
+ ret = hx509_certs_init(context, ca,
+ HX509_CERTS_NO_PRIVATE_KEYS, NULL, &chain);
+ if (ret == 0)
+ ret = hx509_certs_merge(context, *out, chain);
+ }
+
+out:
+ hx509_certs_free(&chain);
+ if (env)
+ hx509_env_free(&env);
+ if (tbs)
+ hx509_ca_tbs_free(&tbs);
+ if (cert)
+ hx509_cert_free(cert);
+ if (signer)
+ hx509_cert_free(signer);
+ if (ret)
+ hx509_certs_free(out);
+ return ret;
+}
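Review bot: In set_tbs, `out:` begins with `if (ret == ENOMEM) goto enomem;` and `enomem:` ends with `goto out;` after `ret = hx509_enomem(context);`; if hx509_enomem() returns ENOMEM, as its name and the earlier `return hx509_enomem(context);` on a failed allocation suggest, an out-of-memory result from any callee loops forever, logging on every iteration. Routing the `enomem:` path to a cleanup label placed after the check breaks the cycle. In get_cf, when count_sans() succeeds and characterize() returns CERT_NOTSUP, `ret` is still 0, so the error string is recorded with code 0 and the function returns success with `*out == NULL`, and the caller then looks up "ca" against a NULL binding; adding `if (ret == 0) ret = ENOTSUP;` at the top of that error branch makes the refusal actually fail. set_tbs also leaks princ_no_realm on the `princ == NULL || princ_no_realm == NULL` path, which frees only princ.
```c
    /* … unchanged: body of set_tbs … */
out:
    if (ret == ENOMEM)
        goto enomem;
done:
    free(princ_no_realm);
    free(princ);
    return ret;

enomem:
    heim_log_msg(context->hcontext, logf, 0, NULL,
                 "Could not set up TBSCertificate: Out of memory");
    ret = hx509_enomem(context);
    goto done;
```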
diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index dcd467c56f9a..e7e2423c54dc 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -102,6 +102,44 @@ init_context_once(void *ignored)
}
/**
+ * Return a cookie identifying this instance of a library.
+ *
+ * Inputs:
+ *
+ * @context A krb5_context
+ * @module Our library name or a library we depend on
+ *
+ * Outputs: The instance cookie
+ *
+ * @ingroup krb5_support
+ */
+
+HX509_LIB_FUNCTION uintptr_t HX509_LIB_CALL
+hx509_get_instance(const char *libname)
+{
+ static const char *instance = "libhx509";
+
+ if (strcmp(libname, "hx509") == 0)
+ return (uintptr_t)instance;
+
+ return 0;
+}
+
+#ifndef PATH_SEP
+# define PATH_SEP ":"
+#endif
+static const char *hx509_config_file =
+"~/.hx509/config" PATH_SEP
+SYSCONFDIR "/hx509.conf" PATH_SEP
+#ifdef _WIN32
+"%{COMMON_APPDATA}/Heimdal/hx509.conf" PATH_SEP
+"%{WINDOWS}/hx509.ini"
+#else /* _WIN32 */
+"/etc/hx509.conf"
+#endif /* _WIN32 */
+;
+
+/**
* Creates a hx509 context that most functions in the library
* uses. The context is only allowed to be used by one thread at each
* moment. Free the context with hx509_context_free().
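Review bot: The doc comment above hx509_get_instance describes `@context A krb5_context` and `@module`, and files the function under `@ingroup krb5_support`, but the function takes a single `const char *libname` and lives in libhx509, so the block looks copied from libkrb5. Replace the parameter lines with `@param libname Library name; only "hx509" is recognised.` and `@return A cookie unique to this instance of libhx509, or 0 if libname is not recognised.`, and use `@ingroup hx509`. The search path string also lists `~/.hx509/config` ahead of the system-wide files; whether heim_get_default_config_files() skips the per-user entry for set-uid processes is not visible here, and a one-line comment stating that expectation would help, given the library is also used by privileged daemons.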
@@ -113,38 +151,90 @@ init_context_once(void *ignored)
* @ingroup hx509
*/
-int
-hx509_context_init(hx509_context *context)
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_context_init(hx509_context *contextp)
{
static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
-
- *context = calloc(1, sizeof(**context));
- if (*context == NULL)
+ heim_error_code ret;
+ hx509_context context;
+ const char *anchors;
+ char **files = NULL;
+
+ *contextp = NULL;
+ context = calloc(1, sizeof(*context));
+ if (context == NULL)
return ENOMEM;
heim_base_once_f(&init_context, NULL, init_context_once);
- _hx509_ks_null_register(*context);
- _hx509_ks_mem_register(*context);
- _hx509_ks_file_register(*context);
- _hx509_ks_pkcs12_register(*context);
- _hx509_ks_pkcs11_register(*context);
- _hx509_ks_dir_register(*context);
- _hx509_ks_keychain_register(*context);
+ if ((context->hcontext = heim_context_init()) == NULL) {
+ free(context);
+ return ENOMEM;
+ }
- (*context)->ocsp_time_diff = HX509_DEFAULT_OCSP_TIME_DIFF;
+ if ((ret = heim_get_default_config_files(hx509_config_file,
+ "HX509_CONFIG",
+ &files))) {
+ heim_context_free(&context->hcontext);
+ free(context);
+ return ret;
+ }
+
+ /* If there's no hx509 config, we continue, as we never needed it before */
+ if (files)
+ (void) heim_set_config_files(context->hcontext, files, &context->cf);
+ heim_free_config_files(files);
+
+ _hx509_ks_null_register(context);
+ _hx509_ks_mem_register(context);
+ _hx509_ks_file_register(context);
+ _hx509_ks_pkcs12_register(context);
+ _hx509_ks_pkcs11_register(context);
+ _hx509_ks_dir_register(context);
+ _hx509_ks_keychain_register(context);
- initialize_hx_error_table_r(&(*context)->et_list);
- initialize_asn1_error_table_r(&(*context)->et_list);
+ context->ocsp_time_diff =
+ heim_config_get_time_default(context->hcontext, context->cf,
+ HX509_DEFAULT_OCSP_TIME_DIFF,
+ "libdefaults", "ocsp_time_dif", NULL);
+
+ initialize_hx_error_table_r(&context->et_list);
+ initialize_asn1_error_table_r(&context->et_list);
#ifdef HX509_DEFAULT_ANCHORS
- (void)hx509_certs_init(*context, HX509_DEFAULT_ANCHORS, 0,
- NULL, &(*context)->default_trust_anchors);
+ anchors = heim_config_get_string_default(context->hcontext, context->cf,
+ HX509_DEFAULT_ANCHORS,
+ "libdefaults", "anchors", NULL);
+#else
+ anchors = heim_config_get_string(context->hcontext, context->cf,
+ "libdefaults", "anchors", NULL);
#endif
+ if (anchors)
+ (void)hx509_certs_init(context, anchors, 0, NULL,
+ &context->default_trust_anchors);
+ *contextp = context;
return 0;
}
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_set_log_dest(hx509_context context, heim_log_facility *fac)
+{
+ return heim_set_log_dest(context->hcontext, fac);
+}
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_set_debug_dest(hx509_context context, heim_log_facility *fac)
+{
+ return heim_set_debug_dest(context->hcontext, fac);
+}
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_set_warn_dest(hx509_context context, heim_log_facility *fac)
+{
+ return heim_set_warn_dest(context->hcontext, fac);
+}
+
/**
* Selects if the hx509_revoke_verify() function is going to require
* the existans of a revokation method (OCSP, CRL) or not. Note that
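Review bot: The configuration key read for the OCSP tolerance is spelled `"ocsp_time_dif"` while the macro and field are `HX509_DEFAULT_OCSP_TIME_DIFF` / `ocsp_time_diff`; if that is not deliberate, a user who writes the natural `ocsp_time_diff` silently gets the compiled-in default, so either read `"libdefaults", "ocsp_time_diff", NULL` or put a comment next to the call explaining the spelling. In the same function the results of heim_set_config_files() and of hx509_certs_init() for `anchors` are both discarded, so a config file that exists but fails to parse, or an `anchors` store that cannot be opened, leaves the context with no default trust anchors and no diagnostic — the comment above the call only justifies the no-config-file case. Since this hunk also adds hx509_set_warn_dest(), the minimum would be to log those two failures through the warn facility (keeping the non-fatal behaviour) so an operator can tell a missing config from a broken one.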
@@ -158,7 +248,7 @@ hx509_context_init(hx509_context *context)
* @ingroup hx509_verify
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_context_set_missing_revoke(hx509_context context, int flag)
{
if (flag)
@@ -175,9 +265,12 @@ hx509_context_set_missing_revoke(hx509_context context, int flag)
* @ingroup hx509
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_context_free(hx509_context *context)
{
+ if (!*context)
+ return;
+
hx509_clear_error_string(*context);
if ((*context)->ks_ops) {
free((*context)->ks_ops);
@@ -187,6 +280,9 @@ hx509_context_free(hx509_context *context)
free_error_table ((*context)->et_list);
if ((*context)->querystat)
free((*context)->querystat);
+ hx509_certs_free(&(*context)->default_trust_anchors);
+ heim_config_file_free((*context)->hcontext, (*context)->cf);
+ heim_context_free(&(*context)->hcontext);
memset(*context, 0, sizeof(**context));
free(*context);
*context = NULL;
@@ -196,7 +292,7 @@ hx509_context_free(hx509_context *context)
*
*/
-Certificate *
+HX509_LIB_FUNCTION Certificate * HX509_LIB_CALL
_hx509_get_cert(hx509_cert cert)
{
return cert->data;
@@ -206,12 +302,35 @@ _hx509_get_cert(hx509_cert cert)
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_cert_get_version(const Certificate *t)
{
return t->tbsCertificate.version ? *t->tbsCertificate.version + 1 : 1;
}
+static hx509_cert
+cert_init(hx509_context context, heim_error_t *error)
+{
+ hx509_cert cert;
+
+ cert = malloc(sizeof(*cert));
+ if (cert == NULL) {
+ if (error)
+ *error = heim_error_create_enomem();
+ return NULL;
+ }
+ cert->ref = 1;
+ cert->friendlyname = NULL;
+ cert->attrs.len = 0;
+ cert->attrs.val = NULL;
+ cert->private_key = NULL;
+ cert->basename = NULL;
+ cert->release = NULL;
+ cert->ctx = NULL;
+ cert->data= NULL;
+ return cert;
+}
+
/**
* Allocate and init an hx509 certificate object from the decoded
* certificate `c´.
@@ -225,26 +344,14 @@ _hx509_cert_get_version(const Certificate *t)
* @ingroup hx509_cert
*/
-hx509_cert
+HX509_LIB_FUNCTION hx509_cert HX509_LIB_CALL
hx509_cert_init(hx509_context context, const Certificate *c, heim_error_t *error)
{
hx509_cert cert;
int ret;
- cert = malloc(sizeof(*cert));
- if (cert == NULL) {
- if (error)
- *error = heim_error_create_enomem();
- return NULL;
- }
- cert->ref = 1;
- cert->friendlyname = NULL;
- cert->attrs.len = 0;
- cert->attrs.val = NULL;
- cert->private_key = NULL;
- cert->basename = NULL;
- cert->release = NULL;
- cert->ctx = NULL;
+ if ((cert = cert_init(context, error)) == NULL)
+ return NULL;
cert->data = calloc(1, sizeof(*(cert->data)));
if (cert->data == NULL) {
@@ -263,6 +370,51 @@ hx509_cert_init(hx509_context context, const Certificate *c, heim_error_t *error
}
/**
+ * Copy a certificate object, but drop any private key assignment.
+ *
+ * @param context A hx509 context.
+ * @param src Certificate object
+ * @param error
+ *
+ * @return Returns an hx509 certificate
+ *
+ * @ingroup hx509_cert
+ */
+
+HX509_LIB_FUNCTION hx509_cert HX509_LIB_CALL
+hx509_cert_copy_no_private_key(hx509_context context,
+ hx509_cert src,
+ heim_error_t *error)
+{
+ return hx509_cert_init(context, src->data, error);
+}
+
+/**
+ * Allocate and init an hx509 certificate object containing only a private key
+ * (but no Certificate).
+ *
+ * @param context A hx509 context.
+ * @param key
+ * @param error
+ *
+ * @return Returns an hx509 certificate
+ *
+ * @ingroup hx509_cert
+ */
+
+HX509_LIB_FUNCTION hx509_cert HX509_LIB_CALL
+hx509_cert_init_private_key(hx509_context context,
+ hx509_private_key key,
+ heim_error_t *error)
+{
+ hx509_cert cert;
+
+ if ((cert = cert_init(context, error)))
+ (void) _hx509_cert_assign_key(cert, key);
+ return cert;
+}
+
+/**
* Just like hx509_cert_init(), but instead of a decode certificate
* takes an pointer and length to a memory region that contains a
* DER/BER encoded certificate.
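Review bot: Objects returned by hx509_cert_init_private_key() have `data == NULL`, but nothing in the docstring says so, and the accessors in this file dereference `cert->data` without a check (hx509_cert_cmp, hx509_cert_get_issuer/subject/serialnumber, hx509_cert_get_notBefore/notAfter, hx509_cert_is_self_signed, and hx509_cert_copy_no_private_key itself via `src->data`), so a key-only object that ends up in a certificate set and is then compared or queried is a NULL dereference. Please state the contract in the docstring, along the lines of `Only hx509_cert_have_private_key(), hx509_cert_have_private_key_only(), hx509_cert_ref()/hx509_cert_free() and the private-key operations are valid on the returned object; every certificate accessor dereferences the absent Certificate.` hx509_cert_copy_no_private_key() should reject that input explicitly, e.g. `if (src->data == NULL) { if (error) *error = heim_error_create(EINVAL, "no certificate to copy"); return NULL; }`, rather than hand NULL to hx509_cert_init(). The empty `@param key` line could read `@param key Private key to attach; no copy is made and the object frees it (see _hx509_cert_assign_key and hx509_cert_free)`.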
@@ -281,7 +433,7 @@ hx509_cert_init(hx509_context context, const Certificate *c, heim_error_t *error
* @ingroup hx509_cert
*/
-hx509_cert
+HX509_LIB_FUNCTION hx509_cert HX509_LIB_CALL
hx509_cert_init_data(hx509_context context,
const void *ptr,
size_t len,
@@ -296,6 +448,7 @@ hx509_cert_init_data(hx509_context context,
if (ret) {
if (error)
*error = heim_error_create(ret, "Failed to decode certificate");
+ errno = ret;
return NULL;
}
if (size != len) {
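Review bot: `errno = ret` stores a Heimdal error-table code in errno (an ASN.1 decode error here, HX509_EXTRA_DATA_AFTER_STRUCTURE in the next check), and callers will naturally hand that to strerror(), which yields meaningless text for com_err codes. Add a comment at the assignment, `/* errno carries a com_err code for callers that pass error == NULL; decode it with error_message(), not strerror() */`, and say the same in the function's doc comment, which sits above the hunk.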
@@ -303,6 +456,7 @@ hx509_cert_init_data(hx509_context context,
if (error)
*error = heim_error_create(HX509_EXTRA_DATA_AFTER_STRUCTURE,
"Extra data after certificate");
+ errno = HX509_EXTRA_DATA_AFTER_STRUCTURE;
return NULL;
}
@@ -311,7 +465,7 @@ hx509_cert_init_data(hx509_context context,
return cert;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_cert_set_release(hx509_cert cert,
_hx509_cert_release_func release,
void *ctx)
@@ -323,7 +477,7 @@ _hx509_cert_set_release(hx509_cert cert,
/* Doesn't make a copy of `private_key'. */
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_cert_assign_key(hx509_cert cert, hx509_private_key private_key)
{
if (cert->private_key)
@@ -341,7 +495,7 @@ _hx509_cert_assign_key(hx509_cert cert, hx509_private_key private_key)
* @ingroup hx509_cert
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_cert_free(hx509_cert cert)
{
size_t i;
@@ -360,7 +514,8 @@ hx509_cert_free(hx509_cert cert)
if (cert->private_key)
hx509_private_key_free(&cert->private_key);
- free_Certificate(cert->data);
+ if (cert->data)
+ free_Certificate(cert->data);
free(cert->data);
for (i = 0; i < cert->attrs.len; i++) {
@@ -386,7 +541,7 @@ hx509_cert_free(hx509_cert cert)
* @ingroup hx509_cert
*/
-hx509_cert
+HX509_LIB_FUNCTION hx509_cert HX509_LIB_CALL
hx509_cert_ref(hx509_cert cert)
{
if (cert == NULL)
@@ -411,7 +566,7 @@ hx509_cert_ref(hx509_cert cert)
* @ingroup hx509_verify
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_verify_init_ctx(hx509_context context, hx509_verify_ctx *ctx)
{
hx509_verify_ctx c;
@@ -435,7 +590,7 @@ hx509_verify_init_ctx(hx509_context context, hx509_verify_ctx *ctx)
* @ingroup hx509_verify
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_verify_destroy_ctx(hx509_verify_ctx ctx)
{
if (ctx) {
@@ -458,7 +613,7 @@ hx509_verify_destroy_ctx(hx509_verify_ctx ctx)
* @ingroup hx509_verify
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_verify_attach_anchors(hx509_verify_ctx ctx, hx509_certs set)
{
if (ctx->trust_anchors)
@@ -479,7 +634,7 @@ hx509_verify_attach_anchors(hx509_verify_ctx ctx, hx509_certs set)
* @ingroup hx509_verify
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_verify_attach_revoke(hx509_verify_ctx ctx, hx509_revoke_ctx revoke_ctx)
{
if (ctx->revoke_ctx)
@@ -499,14 +654,14 @@ hx509_verify_attach_revoke(hx509_verify_ctx ctx, hx509_revoke_ctx revoke_ctx)
* @ingroup hx509_verify
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_verify_set_time(hx509_verify_ctx ctx, time_t t)
{
ctx->flags |= HX509_VERIFY_CTX_F_TIME_SET;
ctx->time_now = t;
}
-time_t
+HX509_LIB_FUNCTION time_t HX509_LIB_CALL
_hx509_verify_get_time(hx509_verify_ctx ctx)
{
return ctx->time_now;
@@ -523,7 +678,7 @@ _hx509_verify_get_time(hx509_verify_ctx ctx)
* @ingroup hx509_verify
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_verify_set_max_depth(hx509_verify_ctx ctx, unsigned int max_depth)
{
ctx->max_depth = max_depth;
@@ -538,7 +693,7 @@ hx509_verify_set_max_depth(hx509_verify_ctx ctx, unsigned int max_depth)
* @ingroup hx509_verify
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_verify_set_proxy_certificate(hx509_verify_ctx ctx, int boolean)
{
if (boolean)
@@ -558,7 +713,7 @@ hx509_verify_set_proxy_certificate(hx509_verify_ctx ctx, int boolean)
* @ingroup hx509_verify
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_verify_set_strict_rfc3280_verification(hx509_verify_ctx ctx, int boolean)
{
if (boolean)
@@ -581,7 +736,7 @@ hx509_verify_set_strict_rfc3280_verification(hx509_verify_ctx ctx, int boolean)
* @ingroup hx509_cert
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_verify_ctx_f_allow_default_trustanchors(hx509_verify_ctx ctx, int boolean)
{
if (boolean)
@@ -590,7 +745,7 @@ hx509_verify_ctx_f_allow_default_trustanchors(hx509_verify_ctx ctx, int boolean)
ctx->flags |= HX509_VERIFY_CTX_F_NO_DEFAULT_ANCHORS;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_verify_ctx_f_allow_best_before_signature_algs(hx509_context ctx,
int boolean)
{
@@ -634,7 +789,7 @@ find_extension_auth_key_id(const Certificate *subject,
ai, &size);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_find_extension_subject_key_id(const Certificate *issuer,
SubjectKeyIdentifier *si)
{
@@ -734,13 +889,16 @@ add_to_list(hx509_octet_string_list *list, const heim_octet_string *entry)
* @ingroup hx509_misc
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_free_octet_string_list(hx509_octet_string_list *list)
{
size_t i;
- for (i = 0; i < list->len; i++)
- der_free_octet_string(&list->val[i]);
- free(list->val);
+
+ if (list->val) {
+ for (i = 0; i < list->len; i++)
+ der_free_octet_string(&list->val[i]);
+ free(list->val);
+ }
list->val = NULL;
list->len = 0;
}
@@ -762,7 +920,7 @@ hx509_free_octet_string_list(hx509_octet_string_list *list)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_find_subjectAltName_otherName(hx509_context context,
hx509_cert cert,
const heim_oid *oid,
@@ -816,7 +974,7 @@ check_key_usage(hx509_context context, const Certificate *cert,
size_t size;
int ret;
size_t i = 0;
- unsigned ku_flags;
+ uint64_t ku_flags;
if (_hx509_cert_get_version(cert) < 3)
return 0;
@@ -826,7 +984,7 @@ check_key_usage(hx509_context context, const Certificate *cert,
if (req_present) {
hx509_set_error_string(context, 0, HX509_KU_CERT_MISSING,
"Required extension key "
- "usage missing from certifiate");
+ "usage missing from certificate");
return HX509_KU_CERT_MISSING;
}
return 0;
@@ -837,14 +995,16 @@ check_key_usage(hx509_context context, const Certificate *cert,
return ret;
ku_flags = KeyUsage2int(ku);
if ((ku_flags & flags) != flags) {
- unsigned missing = (~ku_flags) & flags;
+ uint64_t missing = (~ku_flags) & flags;
char buf[256], *name;
- unparse_flags(missing, asn1_KeyUsage_units(), buf, sizeof(buf));
+ int result = unparse_flags(missing, asn1_KeyUsage_units(),
+ buf, sizeof(buf));
_hx509_unparse_Name(&cert->tbsCertificate.subject, &name);
hx509_set_error_string(context, 0, HX509_KU_CERT_MISSING,
"Key usage %s required but missing "
- "from certifiate %s", buf,
+ "from certificate %s",
+ (result > 0) ? buf : "<unknown>",
name ? name : "<unknown>");
free(name);
return HX509_KU_CERT_MISSING;
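Review bot: The hunk now checks the return of unparse_flags() but still ignores the one from _hx509_unparse_Name() on the next line, and `name` in `char buf[256], *name;` is never initialised; unless _hx509_unparse_Name() guarantees to write `*name` on every failure path, the `name ? name : "<unknown>"` and `free(name)` that follow read an indeterminate pointer. Initialise it — `char buf[256], *name = NULL;` — so the existing NULL checks actually cover the failure case. The enclosing check_key_usage() begins above the hunk.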
@@ -854,11 +1014,11 @@ check_key_usage(hx509_context context, const Certificate *cert,
/*
* Return 0 on matching key usage 'flags' for 'cert', otherwise return
- * an error code. If 'req_present' the existance is required of the
+ * an error code. If 'req_present' the existence is required of the
* KeyUsage extension.
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_check_key_usage(hx509_context context, hx509_cert cert,
unsigned flags, int req_present)
{
@@ -906,14 +1066,14 @@ check_basic_constraints(hx509_context context, const Certificate *cert,
return ret;
switch(type) {
case PROXY_CERT:
- if (bc.cA != NULL && *bc.cA)
+ if (bc.cA)
ret = HX509_PARENT_IS_CA;
break;
case EE_CERT:
ret = 0;
break;
case CA_CERT:
- if (bc.cA == NULL || !*bc.cA)
+ if (!bc.cA)
ret = HX509_PARENT_NOT_CA;
else if (bc.pathLenConstraint)
if (depth - 1 > *bc.pathLenConstraint)
@@ -924,7 +1084,7 @@ check_basic_constraints(hx509_context context, const Certificate *cert,
return ret;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_cert_is_parent_cmp(const Certificate *subject,
const Certificate *issuer,
int allow_self_signed)
@@ -1047,12 +1207,71 @@ certificate_is_self_signed(hx509_context context,
if (ret) {
hx509_set_error_string(context, 0, ret,
"Failed to check if self signed");
- } else
+ } else if (diff == 0)
ret = _hx509_self_signed_valid(context, &cert->signatureAlgorithm);
return ret;
}
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_cert_is_self_signed(hx509_context context,
+ hx509_cert c,
+ int *self_signed)
+{
+ return certificate_is_self_signed(context, c->data, self_signed);
+}
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_cert_is_ca(hx509_context context,
+ hx509_cert c,
+ int *is_ca)
+{
+ BasicConstraints bc;
+ const Extension *e;
+ size_t size;
+ size_t i = 0;
+ int ret = 0;
+
+ *is_ca = 0;
+ if (_hx509_cert_get_version(c->data) < 3)
+ return certificate_is_self_signed(context, c->data, is_ca);
+
+ e = find_extension(c->data, &asn1_oid_id_x509_ce_basicConstraints, &i);
+ if (e == NULL) {
+ *is_ca = 0;
+ return 0;
+ }
+
+ ret = decode_BasicConstraints(e->extnValue.data,
+ e->extnValue.length, &bc,
+ &size);
+ if (ret)
+ return ret;
+
+ *is_ca = bc.cA;
+ free_BasicConstraints(&bc);
+ return 0;
+}
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_cert_is_root(hx509_context context,
+ hx509_cert c,
+ int *is_root)
+{
+ int ret;
+
+ *is_root = 0;
+ ret = hx509_cert_is_ca(context, c, is_root);
+ if (ret)
+ return ret;
+ if (*is_root == 0)
+ /* Not a CA certificate -> not a root certificate */
+ return 0;
+
+ /* A CA certificate. If it's self-signed, it's a root certificate. */
+ return hx509_cert_is_self_signed(context, c, is_root);
+}
+
/*
* The subjectName is "null" when it's empty set of relative DBs.
*/
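Review bot: hx509_cert_is_ca() reports any self-signed v1/v2 certificate as a CA (the `< 3` branch delegates to certificate_is_self_signed), so an arbitrary self-signed legacy certificate satisfies both the "is a CA" and "is a root" predicates without any basicConstraints; that is the customary treatment of v1 CA certificates, but callers must still require such a certificate to be a configured trust anchor before it is allowed to issue anything. Document the choice at the branch, e.g. `/* v1/v2 certificates cannot carry basicConstraints; by convention a self-signed one is treated as a CA. Callers must still require it to be a trust anchor. */`. `*is_ca = bc.cA;` also assumes cA is now a scalar rather than a pointer, consistent with the `if (bc.cA)` change made elsewhere in this commit; if the generated type differs, this stores a pointer in an int.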
@@ -1203,7 +1422,7 @@ is_proxy_cert(hx509_context context,
* internal so we can do easy searches.
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_path_append(hx509_context context, hx509_path *path, hx509_cert cert)
{
hx509_cert *val;
@@ -1220,7 +1439,7 @@ _hx509_path_append(hx509_context context, hx509_path *path, hx509_cert cert)
return 0;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_path_free(hx509_path *path)
{
unsigned i;
@@ -1249,7 +1468,7 @@ _hx509_path_free(hx509_path *path)
* failure.
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_calculate_path(hx509_context context,
int flags,
time_t time_now,
@@ -1305,7 +1524,7 @@ _hx509_calculate_path(hx509_context context,
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_AlgorithmIdentifier_cmp(const AlgorithmIdentifier *p,
const AlgorithmIdentifier *q)
{
@@ -1327,7 +1546,7 @@ _hx509_AlgorithmIdentifier_cmp(const AlgorithmIdentifier *p,
}
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_Certificate_cmp(const Certificate *p, const Certificate *q)
{
int diff;
@@ -1355,7 +1574,7 @@ _hx509_Certificate_cmp(const Certificate *p, const Certificate *q)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_cmp(hx509_cert p, hx509_cert q)
{
return _hx509_Certificate_cmp(p->data, q->data);
@@ -1373,7 +1592,7 @@ hx509_cert_cmp(hx509_cert p, hx509_cert q)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_get_issuer(hx509_cert p, hx509_name *name)
{
return _hx509_name_from_Name(&p->data->tbsCertificate.issuer, name);
@@ -1391,7 +1610,7 @@ hx509_cert_get_issuer(hx509_cert p, hx509_name *name)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_get_subject(hx509_cert p, hx509_name *name)
{
return _hx509_name_from_Name(&p->data->tbsCertificate.subject, name);
@@ -1414,7 +1633,7 @@ hx509_cert_get_subject(hx509_cert p, hx509_name *name)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_get_base_subject(hx509_context context, hx509_cert c,
hx509_name *name)
{
@@ -1423,8 +1642,8 @@ hx509_cert_get_base_subject(hx509_context context, hx509_cert c,
if (is_proxy_cert(context, c->data, NULL) == 0) {
int ret = HX509_PROXY_CERTIFICATE_NOT_CANONICALIZED;
hx509_set_error_string(context, 0, ret,
- "Proxy certificate have not been "
- "canonicalize yet, no base name");
+ "Proxy certificate has not been "
+ "canonicalized yet: no base name");
return ret;
}
return _hx509_name_from_Name(&c->data->tbsCertificate.subject, name);
@@ -1441,7 +1660,7 @@ hx509_cert_get_base_subject(hx509_context context, hx509_cert c,
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_get_serialnumber(hx509_cert p, heim_integer *i)
{
return der_copy_heim_integer(&p->data->tbsCertificate.serialNumber, i);
@@ -1457,7 +1676,7 @@ hx509_cert_get_serialnumber(hx509_cert p, heim_integer *i)
* @ingroup hx509_cert
*/
-time_t
+HX509_LIB_FUNCTION time_t HX509_LIB_CALL
hx509_cert_get_notBefore(hx509_cert p)
{
return _hx509_Time2time_t(&p->data->tbsCertificate.validity.notBefore);
@@ -1473,13 +1692,70 @@ hx509_cert_get_notBefore(hx509_cert p)
* @ingroup hx509_cert
*/
-time_t
+HX509_LIB_FUNCTION time_t HX509_LIB_CALL
hx509_cert_get_notAfter(hx509_cert p)
{
return _hx509_Time2time_t(&p->data->tbsCertificate.validity.notAfter);
}
/**
+ * Get a maximum Kerberos credential lifetime from a Heimdal certificate
+ * extension.
+ *
+ * @param context hx509 context.
+ * @param cert Certificate.
+ * @param bound If larger than zero, return no more than this.
+ *
+ * @return maximum ticket lifetime.
+ */
+HX509_LIB_FUNCTION time_t HX509_LIB_CALL
+hx509_cert_get_pkinit_max_life(hx509_context context,
+ hx509_cert cert,
+ time_t bound)
+{
+ HeimPkinitPrincMaxLifeSecs r = 0;
+ size_t sz, i;
+ time_t b, e;
+ int ret;
+
+ for (i = 0; i < cert->data->tbsCertificate.extensions->len; i++) {
+ Extension *ext = &cert->data->tbsCertificate.extensions->val[i];
+
+ if (ext->_ioschoice_extnValue.element !=
+ choice_Extension_iosnumunknown &&
+ ext->_ioschoice_extnValue.element !=
+ choice_Extension_iosnum_id_heim_ce_pkinit_princ_max_life)
+ continue;
+ if (ext->_ioschoice_extnValue.element == choice_Extension_iosnumunknown &&
+ der_heim_oid_cmp(&asn1_oid_id_heim_ce_pkinit_princ_max_life, &ext->extnID))
+ continue;
+ if (ext->_ioschoice_extnValue.u.ext_HeimPkinitPrincMaxLife) {
+ r = *ext->_ioschoice_extnValue.u.ext_HeimPkinitPrincMaxLife;
+ } else {
+ ret = decode_HeimPkinitPrincMaxLifeSecs(ext->extnValue.data,
+ ext->extnValue.length,
+ &r, &sz);
+ /* No need to free_HeimPkinitPrincMaxLifeSecs(); it's an int */
+ if (ret || r < 1)
+ return 0;
+ }
+ if (bound > 0 && r > bound)
+ return bound;
+ return r;
+ }
+ if (hx509_cert_check_eku(context, cert,
+ &asn1_oid_id_heim_eku_pkinit_certlife_is_max_life, 0))
+ return 0;
+ b = hx509_cert_get_notBefore(cert);
+ e = hx509_cert_get_notAfter(cert);
+ if (e > b)
+ r = e - b;
+ if (bound > 0 && r > bound)
+ return bound;
+ return r;
+}
+
+/**
* Get the SubjectPublicKeyInfo structure from the hx509 certificate.
*
* @param context a hx509 context.
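Review bot: `cert->data->tbsCertificate.extensions->len` dereferences the optional extensions pointer unconditionally, so a certificate without extensions (any v1 certificate; check_key_usage() in this file guards on `_hx509_cert_get_version(cert) < 3` before looking at them) crashes hx509_cert_get_pkinit_max_life(). Guard the loop with `if (cert->data->tbsCertificate.extensions != NULL)` so such certificates fall through to the EKU/validity computation below. The pre-decoded branch (`r = *ext->_ioschoice_extnValue.u.ext_HeimPkinitPrincMaxLife;`) also skips the `r < 1` check that the decode branch applies, so a zero or negative value in the extension is returned as a lifetime; add `if (r < 1) return 0;` after that assignment. `sz` from the decode call is otherwise unused; if trailing data in the extension value should be rejected, compare it with `ext->extnValue.length`.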
@@ -1492,7 +1768,7 @@ hx509_cert_get_notAfter(hx509_cert p)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_get_SPKI(hx509_context context, hx509_cert p, SubjectPublicKeyInfo *spki)
{
int ret;
@@ -1518,7 +1794,7 @@ hx509_cert_get_SPKI(hx509_context context, hx509_cert p, SubjectPublicKeyInfo *s
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_get_SPKI_AlgorithmIdentifier(hx509_context context,
hx509_cert p,
AlgorithmIdentifier *alg)
@@ -1540,7 +1816,7 @@ get_x_unique_id(hx509_context context, const char *name,
if (cert == NULL) {
ret = HX509_EXTENSION_NOT_FOUND;
- hx509_set_error_string(context, 0, ret, "%s unique id doesn't exists", name);
+ hx509_set_error_string(context, 0, ret, "%s unique id doesn't exist", name);
return ret;
}
ret = der_copy_bit_string(cert, subject);
@@ -1565,7 +1841,7 @@ get_x_unique_id(hx509_context context, const char *name,
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_get_issuer_unique_id(hx509_context context, hx509_cert p, heim_bit_string *issuer)
{
return get_x_unique_id(context, "issuer", p->data->tbsCertificate.issuerUniqueID, issuer);
@@ -1585,27 +1861,51 @@ hx509_cert_get_issuer_unique_id(hx509_context context, hx509_cert p, heim_bit_st
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_get_subject_unique_id(hx509_context context, hx509_cert p, heim_bit_string *subject)
{
return get_x_unique_id(context, "subject", p->data->tbsCertificate.subjectUniqueID, subject);
}
-hx509_private_key
+HX509_LIB_FUNCTION hx509_private_key HX509_LIB_CALL
_hx509_cert_private_key(hx509_cert p)
{
return p->private_key;
}
-int
+/**
+ * Indicate whether a hx509_cert has a private key.
+ *
+ * @param p a hx509 certificate
+ *
+ * @return 1 if p has a private key, 0 otherwise.
+ *
+ * @ingroup hx509_cert
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_have_private_key(hx509_cert p)
{
return p->private_key ? 1 : 0;
}
+/**
+ * Indicate whether a hx509_cert has a private key only (no certificate).
+ *
+ * @param p a hx509 certificate
+ *
+ * @return 1 if p has a private key only (no certificate), 0 otherwise.
+ *
+ * @ingroup hx509_cert
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_cert_have_private_key_only(hx509_cert p)
+{
+ return p->private_key && !p->data ? 1 : 0;
+}
+
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_cert_private_key_exportable(hx509_cert p)
{
if (p->private_key == NULL)
@@ -1613,7 +1913,7 @@ _hx509_cert_private_key_exportable(hx509_cert p)
return _hx509_private_key_exportable(p->private_key);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_cert_private_decrypt(hx509_context context,
const heim_octet_string *ciphertext,
const heim_oid *encryption_oid,
@@ -1636,7 +1936,7 @@ _hx509_cert_private_decrypt(hx509_context context,
cleartext);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_public_encrypt(hx509_context context,
const heim_octet_string *cleartext,
const hx509_cert p,
@@ -1652,7 +1952,7 @@ hx509_cert_public_encrypt(hx509_context context,
*
*/
-time_t
+HX509_LIB_FUNCTION time_t HX509_LIB_CALL
_hx509_Time2time_t(const Time *t)
{
switch(t->element) {
@@ -1896,7 +2196,7 @@ match_tree(const GeneralSubtrees *t, const Certificate *c, int *match)
memset(&certname, 0, sizeof(certname));
certname.element = choice_GeneralName_directoryName;
- certname.u.directoryName.element = (enum GeneralName_directoryName_enum)
+ certname.u.directoryName.element = (enum Name_enum)
c->tbsCertificate.subject.element;
certname.u.directoryName.u.rdnSequence =
c->tbsCertificate.subject.u.rdnSequence;
@@ -1937,7 +2237,7 @@ check_name_constraints(hx509_context context,
/* allow null subjectNames, they wont matches anything */
if (match == 0 && !subject_null_p(c)) {
hx509_set_error_string(context, 0, HX509_VERIFY_CONSTRAINTS,
- "Error verify constraints, "
+ "Error verifying constraints: "
"certificate didn't match any "
"permitted subtree");
return HX509_VERIFY_CONSTRAINTS;
@@ -1952,7 +2252,7 @@ check_name_constraints(hx509_context context,
}
if (match) {
hx509_set_error_string(context, 0, HX509_VERIFY_CONSTRAINTS,
- "Error verify constraints, "
+ "Error verifying constraints: "
"certificate included in excluded "
"subtree");
return HX509_VERIFY_CONSTRAINTS;
@@ -1987,7 +2287,7 @@ free_name_constraints(hx509_name_constraints *nc)
* @ingroup hx509_verify
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_verify_path(hx509_context context,
hx509_verify_ctx ctx,
hx509_cert cert,
@@ -2009,7 +2309,7 @@ hx509_verify_path(hx509_context context,
ret = HX509_PROXY_CERT_INVALID;
hx509_set_error_string(context, 0, ret,
"Proxy certificate is not allowed as an EE "
- "certificae if proxy certificate is disabled");
+ "certificate if proxy certificate is disabled");
return ret;
}
@@ -2110,7 +2410,7 @@ hx509_verify_path(hx509_context context,
ret = HX509_PATH_TOO_LONG;
hx509_set_error_string(context, 0, ret,
"Proxy certificate chain "
- "longer then allowed");
+ "longer than allowed");
goto out;
}
/* XXX MUST check info.proxyPolicy */
@@ -2120,7 +2420,7 @@ hx509_verify_path(hx509_context context,
if (find_extension(c, &asn1_oid_id_x509_ce_subjectAltName, &j)) {
ret = HX509_PROXY_CERT_INVALID;
hx509_set_error_string(context, 0, ret,
- "Proxy certificate have explicity "
+ "Proxy certificate has explicitly "
"forbidden subjectAltName");
goto out;
}
@@ -2129,7 +2429,7 @@ hx509_verify_path(hx509_context context,
if (find_extension(c, &asn1_oid_id_x509_ce_issuerAltName, &j)) {
ret = HX509_PROXY_CERT_INVALID;
hx509_set_error_string(context, 0, ret,
- "Proxy certificate have explicity "
+ "Proxy certificate has explicitly "
"forbidden issuerAltName");
goto out;
}
@@ -2202,7 +2502,7 @@ hx509_verify_path(hx509_context context,
type = EE_CERT;
}
}
- /* FALLTHROUGH */
+ HEIM_FALLTHROUGH;
case EE_CERT:
/*
* If there where any proxy certificates in the chain
@@ -2415,7 +2715,7 @@ out:
* @ingroup hx509_crypto
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_verify_signature(hx509_context context,
const hx509_cert signer,
const AlgorithmIdentifier *alg,
@@ -2425,7 +2725,7 @@ hx509_verify_signature(hx509_context context,
return _hx509_verify_signature(context, signer, alg, data, sig);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_verify_signature_bitstring(hx509_context context,
const hx509_cert signer,
const AlgorithmIdentifier *alg,
@@ -2468,7 +2768,7 @@ _hx509_verify_signature_bitstring(hx509_context context,
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_verify_hostname(hx509_context context,
const hx509_cert cert,
int flags,
@@ -2561,7 +2861,7 @@ hx509_verify_hostname(hx509_context context,
return ret;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_set_cert_attribute(hx509_context context,
hx509_cert cert,
const heim_oid *oid,
@@ -2569,6 +2869,12 @@ _hx509_set_cert_attribute(hx509_context context,
{
hx509_cert_attribute a;
void *d;
+ int ret;
+
+ /*
+ * TODO: Rewrite this (and hx509_cert_attribute, and _hx509_cert_attrs) to
+ * use the add_AttributeValues() util generated by asn1_compile.
+ */
if (hx509_cert_get_attribute(cert, oid) != NULL)
return 0;
@@ -2585,13 +2891,18 @@ _hx509_set_cert_attribute(hx509_context context,
if (a == NULL)
return ENOMEM;
- der_copy_octet_string(attr, &a->data);
- der_copy_oid(oid, &a->oid);
-
- cert->attrs.val[cert->attrs.len] = a;
- cert->attrs.len++;
+ ret = der_copy_octet_string(attr, &a->data);
+ if (ret == 0)
+ ret = der_copy_oid(oid, &a->oid);
+ if (ret == 0) {
+ cert->attrs.val[cert->attrs.len] = a;
+ cert->attrs.len++;
+ } else {
+ der_free_octet_string(&a->data);
+ free(a);
+ }
- return 0;
+ return ret;
}
/**
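Review bot: The new cleanup on the `der_copy_oid()` failure path releases `a->data` but not `a->oid`; if der_copy_oid() can fail after partially allocating the components array (not visible from here — if it always leaves the target empty on failure this is moot) that allocation leaks. `der_free_oid(&a->oid);` next to the existing `der_free_octet_string(&a->data);` closes that gap and is harmless otherwise, provided the copy helpers leave their output zeroed on failure, which is worth confirming since the allocation of `a` is above the hunk. The caller-visible change — the function now returns the copy error instead of 0 — is fine; its callers are outside the hunk.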
@@ -2607,7 +2918,7 @@ _hx509_set_cert_attribute(hx509_context context,
* @ingroup hx509_cert
*/
-hx509_cert_attribute
+HX509_LIB_FUNCTION hx509_cert_attribute HX509_LIB_CALL
hx509_cert_get_attribute(hx509_cert cert, const heim_oid *oid)
{
size_t i;
@@ -2628,7 +2939,7 @@ hx509_cert_get_attribute(hx509_cert cert, const heim_oid *oid)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_set_friendly_name(hx509_cert cert, const char *name)
{
if (cert->friendlyname)
@@ -2650,7 +2961,7 @@ hx509_cert_set_friendly_name(hx509_cert cert, const char *name)
* @ingroup hx509_cert
*/
-const char *
+HX509_LIB_FUNCTION const char * HX509_LIB_CALL
hx509_cert_get_friendly_name(hx509_cert cert)
{
hx509_cert_attribute a;
@@ -2703,7 +3014,7 @@ hx509_cert_get_friendly_name(hx509_cert cert)
return cert->friendlyname;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_query_clear(hx509_query *q)
{
memset(q, 0, sizeof(*q));
@@ -2720,7 +3031,7 @@ _hx509_query_clear(hx509_query *q)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_query_alloc(hx509_context context, hx509_query **q)
{
*q = calloc(1, sizeof(**q));
@@ -2741,7 +3052,7 @@ hx509_query_alloc(hx509_context context, hx509_query **q)
* @ingroup hx509_cert
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_query_match_option(hx509_query *q, hx509_query_option option)
{
switch(option) {
@@ -2776,7 +3087,7 @@ hx509_query_match_option(hx509_query *q, hx509_query_option option)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_query_match_issuer_serial(hx509_query *q,
const Name *issuer,
const heim_integer *serialNumber)
@@ -2823,7 +3134,7 @@ hx509_query_match_issuer_serial(hx509_query *q,
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_query_match_friendly_name(hx509_query *q, const char *name)
{
if (q->friendlyname)
@@ -2848,7 +3159,7 @@ hx509_query_match_friendly_name(hx509_query *q, const char *name)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_query_match_eku(hx509_query *q, const heim_oid *eku)
{
int ret;
@@ -2879,7 +3190,7 @@ hx509_query_match_eku(hx509_query *q, const heim_oid *eku)
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_query_match_expr(hx509_context context, hx509_query *q, const char *expr)
{
if (q->expr) {
@@ -2889,12 +3200,21 @@ hx509_query_match_expr(hx509_context context, hx509_query *q, const char *expr)
if (expr == NULL) {
q->match &= ~HX509_QUERY_MATCH_EXPR;
- } else {
- q->expr = _hx509_expr_parse(expr);
- if (q->expr)
- q->match |= HX509_QUERY_MATCH_EXPR;
+ return 0;
+ }
+
+ q->expr = _hx509_expr_parse(expr);
+ if (q->expr == NULL) {
+ const char *reason = _hx509_expr_parse_error();
+
+ hx509_set_error_string(context, 0, EINVAL,
+ "Invalid certificate query match expression: "
+ "%s (%s)", expr,
+ reason ? reason : "syntax error");
+ return EINVAL;
}
+ q->match |= HX509_QUERY_MATCH_EXPR;
return 0;
}
@@ -2911,7 +3231,7 @@ hx509_query_match_expr(hx509_context context, hx509_query *q, const char *expr)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_query_match_cmp_func(hx509_query *q,
int (*func)(hx509_context, hx509_cert, void *),
void *ctx)
@@ -2934,7 +3254,7 @@ hx509_query_match_cmp_func(hx509_query *q,
* @ingroup hx509_cert
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_query_free(hx509_context context, hx509_query *q)
{
if (q == NULL)
@@ -2961,7 +3281,7 @@ hx509_query_free(hx509_context context, hx509_query *q)
free(q);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_query_match_cert(hx509_context context, const hx509_query *q, hx509_cert cert)
{
Certificate *c = _hx509_get_cert(cert);
@@ -3122,7 +3442,7 @@ _hx509_query_match_cert(hx509_context context, const hx509_query *q, hx509_cert
* @ingroup hx509_cert
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_query_statistic_file(hx509_context context, const char *fn)
{
if (context->querystat)
@@ -3130,7 +3450,7 @@ hx509_query_statistic_file(hx509_context context, const char *fn)
context->querystat = strdup(fn);
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_query_statistic(hx509_context context, int type, const hx509_query *q)
{
FILE *f;
@@ -3193,7 +3513,7 @@ stat_sort(const void *a, const void *b)
* @ingroup hx509_cert
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_query_unparse_stats(hx509_context context, int printtype, FILE *out)
{
rtbl_t t;
@@ -3207,7 +3527,7 @@ hx509_query_unparse_stats(hx509_context context, int printtype, FILE *out)
return;
f = fopen(context->querystat, "r");
if (f == NULL) {
- fprintf(out, "No statistic file %s: %s.\n",
+ fprintf(out, "No statistics file %s: %s.\n",
context->querystat, strerror(errno));
return;
}
@@ -3282,7 +3602,7 @@ hx509_query_unparse_stats(hx509_context context, int printtype, FILE *out)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_check_eku(hx509_context context, hx509_cert cert,
const heim_oid *eku, int allow_any_eku)
{
@@ -3302,12 +3622,11 @@ hx509_cert_check_eku(hx509_context context, hx509_cert cert,
return 0;
}
if (allow_any_eku) {
-#if 0
- if (der_heim_oid_cmp(id_any_eku, &e.val[i]) == 0) {
+ if (der_heim_oid_cmp(&asn1_oid_id_x509_ce_anyExtendedKeyUsage,
+ &e.val[i]) == 0) {
free_ExtKeyUsage(&e);
return 0;
}
-#endif
}
}
free_ExtKeyUsage(&e);
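Review bot: Removing the `#if 0` around the anyExtendedKeyUsage comparison changes the result for every caller that passes a non-zero `allow_any_eku`: a certificate whose ExtKeyUsage lists only id-ce-anyExtendedKeyUsage now satisfies a check for any specific `eku`. RFC 5280 §4.2.1.12 permits that, but it also allows an application that requires a particular purpose to reject such certificates, and callers checking purpose-bound certificates (PKINIT KDC or client certificates, for instance) may rely on the explicit OID being present. Since the safety of this now depends entirely on the flag each caller passes, the parameter description in the function's header (above this hunk) should state it, e.g. `@param allow_any_eku if non-zero, a certificate carrying anyExtendedKeyUsage is accepted for any eku; pass 0 when the purpose must be listed explicitly`. hx509_cert_check_eku starts before this hunk.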
@@ -3315,7 +3634,7 @@ hx509_cert_check_eku(hx509_context context, hx509_cert cert,
return HX509_CERTIFICATE_MISSING_EKU;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_cert_get_keyusage(hx509_context context,
hx509_cert c,
KeyUsage *ku)
@@ -3343,7 +3662,7 @@ _hx509_cert_get_keyusage(hx509_context context,
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_cert_get_eku(hx509_context context,
hx509_cert cert,
ExtKeyUsage *e)
@@ -3373,7 +3692,7 @@ _hx509_cert_get_eku(hx509_context context,
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_binary(hx509_context context, hx509_cert c, heim_octet_string *os)
{
size_t size;
@@ -3391,7 +3710,6 @@ hx509_cert_binary(hx509_context context, hx509_cert c, heim_octet_string *os)
}
if (os->length != size)
_hx509_abort("internal ASN.1 encoder error");
-
return ret;
}
@@ -3402,7 +3720,7 @@ hx509_cert_binary(hx509_context context, hx509_cert c, heim_octet_string *os)
#undef __attribute__
#define __attribute__(X)
-void
+HX509_LIB_NORETURN_FUNCTION void HX509_LIB_CALL
_hx509_abort(const char *fmt, ...)
__attribute__ ((__noreturn__, __format__ (__printf__, 1, 2)))
{
@@ -3423,7 +3741,7 @@ _hx509_abort(const char *fmt, ...)
* @ingroup hx509_misc
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_xfree(void *ptr)
{
free(ptr);
@@ -3433,7 +3751,7 @@ hx509_xfree(void *ptr)
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_cert_to_env(hx509_context context, hx509_cert cert, hx509_env *env)
{
ExtKeyUsage eku;
@@ -3459,13 +3777,12 @@ _hx509_cert_to_env(hx509_context context, hx509_cert cert, hx509_env *env)
goto out;
ret = hx509_name_to_string(name, &buf);
- if (ret) {
- hx509_name_free(&name);
+ hx509_name_free(&name);
+ if (ret)
goto out;
- }
ret = hx509_env_add(context, &envcert, "subject", buf);
- hx509_name_free(&name);
+ hx509_xfree(buf);
if (ret)
goto out;
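Review bot: The new `hx509_xfree(buf)` right after `hx509_env_add()` is only correct if hx509_env_add() copies the value string rather than storing the pointer; its definition is not in view, and if it kept `buf` this hunk would turn the old leak into a use-after-free. A one-line ownership comment makes the assumption visible to the next reader: `/* hx509_env_add() copies the value string; buf remains ours to free */`. _hx509_cert_to_env starts before and ends after this hunk.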
@@ -3582,7 +3899,7 @@ out:
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_print_cert(hx509_context context, hx509_cert cert, FILE *out)
{
hx509_name name;
@@ -3622,7 +3939,7 @@ hx509_print_cert(hx509_context context, hx509_cert cert, FILE *out)
free(str);
}
- printf(" keyusage: ");
+ fprintf(out, " keyusage: ");
ret = hx509_cert_keyusage_print(context, cert, &str);
if (ret == 0) {
fprintf(out, "%s\n", str);
diff --git a/lib/hx509/cms.c b/lib/hx509/cms.c
index 1da8a93d343a..c770b8132624 100644
--- a/lib/hx509/cms.c
+++ b/lib/hx509/cms.c
@@ -71,7 +71,7 @@
* @ingroup hx509_cms
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cms_wrap_ContentInfo(const heim_oid *oid,
const heim_octet_string *buf,
heim_octet_string *res)
@@ -125,7 +125,7 @@ hx509_cms_wrap_ContentInfo(const heim_oid *oid,
* @ingroup hx509_cms
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cms_unwrap_ContentInfo(const heim_octet_string *in,
heim_oid *oid,
heim_octet_string *out,
@@ -182,7 +182,7 @@ fill_CMSIdentifier(const hx509_cert cert,
&id->u.subjectKeyIdentifier);
if (ret == 0)
break;
- /* FALLTHROUGH */
+ HEIM_FALLTHROUGH;
case CMS_ID_NAME: {
hx509_name name;
@@ -349,7 +349,7 @@ find_CMSIdentifier(hx509_context context,
* @ingroup hx509_cms
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cms_unenvelope(hx509_context context,
hx509_certs certs,
int flags,
@@ -555,7 +555,7 @@ out:
* @ingroup hx509_cms
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cms_envelope_1(hx509_context context,
int flags,
hx509_cert cert,
@@ -633,7 +633,7 @@ hx509_cms_envelope_1(hx509_context context,
if (enc_alg->parameters == NULL) {
ret = ENOMEM;
hx509_set_error_string(context, 0, ret,
- "Failed to allocate crypto paramaters "
+ "Failed to allocate crypto parameters "
"for EnvelopedData");
goto out;
}
@@ -789,7 +789,7 @@ find_attribute(const CMSAttributes *attr, const heim_oid *oid)
* @ingroup hx509_cms
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cms_verify_signed(hx509_context context,
hx509_verify_ctx ctx,
unsigned int flags,
@@ -801,6 +801,60 @@ hx509_cms_verify_signed(hx509_context context,
heim_octet_string *content,
hx509_certs *signer_certs)
{
+ unsigned int verify_flags;
+
+ return hx509_cms_verify_signed_ext(context,
+ ctx,
+ flags,
+ data,
+ length,
+ signedContent,
+ pool,
+ contentType,
+ content,
+ signer_certs,
+ &verify_flags);
+}
+
+/**
+ * Decode SignedData and verify that the signature is correct.
+ *
+ * @param context A hx509 context.
+ * @param ctx a hx509 verify context.
+ * @param flags to control the behaivor of the function.
+ * - HX509_CMS_VS_NO_KU_CHECK - Don't check KeyUsage
+ * - HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH - allow oid mismatch
+ * - HX509_CMS_VS_ALLOW_ZERO_SIGNER - no signer, see below.
+ * @param data pointer to CMS SignedData encoded data.
+ * @param length length of the data that data point to.
+ * @param signedContent external data used for signature.
+ * @param pool certificate pool to build certificates paths.
+ * @param contentType free with der_free_oid().
+ * @param content the output of the function, free with
+ * der_free_octet_string().
+ * @param signer_certs list of the cerficates used to sign this
+ * request, free with hx509_certs_free().
+ * @param verify_flags flags indicating whether the certificate
+ * was verified or not
+ *
+ * @return an hx509 error code.
+ *
+ * @ingroup hx509_cms
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_cms_verify_signed_ext(hx509_context context,
+ hx509_verify_ctx ctx,
+ unsigned int flags,
+ const void *data,
+ size_t length,
+ const heim_octet_string *signedContent,
+ hx509_certs pool,
+ heim_oid *contentType,
+ heim_octet_string *content,
+ hx509_certs *signer_certs,
+ unsigned int *verify_flags)
+{
SignerInfo *signer_info;
hx509_cert cert = NULL;
hx509_certs certs = NULL;
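Review bot: The new `@param verify_flags` text ("flags indicating whether the certificate was verified or not") names neither the value a caller must test, HX509_CMS_VSE_VALIDATED, nor the case in which testing it matters: with HX509_CMS_VS_NO_VALIDATE the signer certificate is returned in `signer_certs` even when path validation failed, and this flag is the only indication. Suggest `@param verify_flags output; HX509_CMS_VSE_VALIDATED is set when the returned signer chained to a trust anchor. With HX509_CMS_VS_NO_VALIDATE an unvalidated signer is still returned, so test this flag before trusting it.` The compatibility wrapper hx509_cms_verify_signed() discards the flags, which matches its old behaviour but deserves one sentence in its own doc comment above this hunk. Two typos in the new comment: "behaivor" and "cerficates".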
@@ -810,6 +864,8 @@ hx509_cms_verify_signed(hx509_context context,
size_t i;
*signer_certs = NULL;
+ *verify_flags = 0;
+
content->data = NULL;
content->length = 0;
contentType->length = 0;
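Review bot: `*verify_flags = 0;` dereferences the new public function's output parameter unconditionally, so a caller of hx509_cms_verify_signed_ext() that has no use for the flags cannot pass NULL. Either document the parameter as mandatory, or accept NULL cheaply: `unsigned int unused_flags; if (verify_flags == NULL) verify_flags = &unused_flags;` ahead of the assignment. hx509_cms_verify_signed_ext starts before this hunk.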
@@ -1038,22 +1094,19 @@ hx509_cms_verify_signed(hx509_context context,
goto next_sigature;
/**
- * If HX509_CMS_VS_NO_VALIDATE flags is set, do not verify the
- * signing certificates and leave that up to the caller.
+ * If HX509_CMS_VS_NO_VALIDATE flags is set, return the signer
+ * certificate unconditionally but do not set HX509_CMS_VSE_VALIDATED.
*/
-
- if ((flags & HX509_CMS_VS_NO_VALIDATE) == 0) {
- ret = hx509_verify_path(context, ctx, cert, certs);
- if (ret)
- goto next_sigature;
+ ret = hx509_verify_path(context, ctx, cert, certs);
+ if (ret == 0 || (flags & HX509_CMS_VS_NO_VALIDATE)) {
+ if (ret == 0)
+ *verify_flags |= HX509_CMS_VSE_VALIDATED;
+
+ ret = hx509_certs_add(context, *signer_certs, cert);
+ if (ret == 0)
+ found_valid_sig++;
}
- ret = hx509_certs_add(context, *signer_certs, cert);
- if (ret)
- goto next_sigature;
-
- found_valid_sig++;
-
next_sigature:
if (cert)
hx509_cert_free(cert);
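Review bot: `*verify_flags` is a single word shared by every SignerInfo the loop (label `next_sigature`) visits, so with HX509_CMS_VS_NO_VALIDATE and a message carrying several signers, HX509_CMS_VSE_VALIDATED is set as soon as one signer chains while `signer_certs` may also hold signers whose hx509_verify_path() failed; the caller cannot tell which is which. If that is acceptable, say so in the comment at the top of this hunk: `HX509_CMS_VSE_VALIDATED means at least one returned signer validated, not all of them.` Otherwise track a local `int unvalidated = 0;`, set it when `ret != 0` in the NO_VALIDATE case, and apply the flag after the loop only `if (found_valid_sig && !unvalidated)`. Note also that in the NO_VALIDATE case the error string hx509_verify_path() presumably left in `context` is not cleared, so a successful call may carry a stale validation error. The enclosing function ends outside this hunk.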
@@ -1158,7 +1211,7 @@ add_one_attribute(Attribute **attr,
* @ingroup hx509_cms
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cms_create_signed_1(hx509_context context,
int flags,
const heim_oid *eContentType,
@@ -1205,7 +1258,7 @@ struct sigctx {
hx509_certs pool;
};
-static int
+static int HX509_LIB_CALL
sig_process(hx509_context context, void *ctx, hx509_cert cert)
{
struct sigctx *sigctx = ctx;
@@ -1423,7 +1476,7 @@ sig_process(hx509_context context, void *ctx, hx509_cert cert)
return ret;
}
-static int
+static int HX509_LIB_CALL
cert_process(hx509_context context, void *ctx, hx509_cert cert)
{
struct sigctx *sigctx = ctx;
@@ -1451,7 +1504,7 @@ cmp_AlgorithmIdentifier(const AlgorithmIdentifier *p, const AlgorithmIdentifier
return der_heim_oid_cmp(&p->algorithm, &q->algorithm);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cms_create_signed(hx509_context context,
int flags,
const heim_oid *eContentType,
@@ -1510,9 +1563,11 @@ hx509_cms_create_signed(hx509_context context,
sigctx.anchors = anchors;
sigctx.pool = pool;
- sigctx.sd.version = CMSVersion_v3;
+ sigctx.sd.version = cMSVersion_v3;
- der_copy_oid(eContentType, &sigctx.sd.encapContentInfo.eContentType);
+ ret = der_copy_oid(eContentType, &sigctx.sd.encapContentInfo.eContentType);
+ if (ret)
+ goto out;
/**
* Use HX509_CMS_SIGNATURE_DETACHED to create detached signatures.
@@ -1600,7 +1655,7 @@ out:
return ret;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cms_decrypt_encrypted(hx509_context context,
hx509_lock lock,
const void *data,
diff --git a/lib/hx509/collector.c b/lib/hx509/collector.c
index 15f8163f8093..f1423aced2f3 100644
--- a/lib/hx509/collector.c
+++ b/lib/hx509/collector.c
@@ -50,7 +50,7 @@ struct hx509_collector {
};
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_collector_alloc(hx509_context context, hx509_lock lock, struct hx509_collector **collector)
{
struct hx509_collector *c;
@@ -85,14 +85,14 @@ _hx509_collector_alloc(hx509_context context, hx509_lock lock, struct hx509_coll
return 0;
}
-hx509_lock
+HX509_LIB_FUNCTION hx509_lock HX509_LIB_CALL
_hx509_collector_get_lock(struct hx509_collector *c)
{
return c->lock;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_collector_certs_add(hx509_context context,
struct hx509_collector *c,
hx509_cert cert)
@@ -110,7 +110,7 @@ free_private_key(struct private_key *key)
free(key);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_collector_private_key_add(hx509_context context,
struct hx509_collector *c,
const AlgorithmIdentifier *alg,
@@ -147,6 +147,16 @@ _hx509_collector_private_key_add(hx509_context context,
key_data->data, key_data->length,
HX509_KEY_FORMAT_DER,
&key->private_key);
+ if (ret && localKeyId) {
+ int ret2;
+
+ ret2 = hx509_parse_private_key(context, alg,
+ localKeyId->data, localKeyId->length,
+ HX509_KEY_FORMAT_PKCS8,
+ &key->private_key);
+ if (ret2 == 0)
+ ret = 0;
+ }
if (ret)
goto out;
}
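Review bot: Re-parsing `localKeyId` as a PKCS#8 private key when the DER parse of `key_data` failed is surprising without a comment, because localKeyId is normally only the PKCS#12 bag identifier that ties a key bag to its certificate; the hunk should say which caller passes actual key material there, e.g. `/* NOTE: some callers hand the PKCS#8 key blob in via localKeyId -- confirm which */` with the real caller named. Also, when `ret2 == 0` the error string that the first hx509_parse_private_key() failure left in `context` is kept; add `hx509_clear_error_string(context);` next to `ret = 0;` so a successful import does not report a stale parse error. _hx509_collector_private_key_add starts before and ends after this hunk.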
@@ -191,8 +201,9 @@ match_localkeyid(hx509_context context,
q.local_key_id = &value->localKeyId;
ret = hx509_certs_find(context, certs, &q, &cert);
+ if (ret == 0 && cert == NULL)
+ ret = HX509_CERT_NOT_FOUND;
if (ret == 0) {
-
if (value->private_key)
_hx509_cert_assign_key(cert, value->private_key);
hx509_cert_free(cert);
@@ -247,7 +258,7 @@ match_keys(hx509_context context, struct private_key *value, hx509_certs certs)
return found;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_collector_collect_certs(hx509_context context,
struct hx509_collector *c,
hx509_certs *ret_certs)
@@ -282,7 +293,7 @@ _hx509_collector_collect_certs(hx509_context context,
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_collector_collect_private_keys(hx509_context context,
struct hx509_collector *c,
hx509_private_key **keys)
@@ -313,7 +324,7 @@ _hx509_collector_collect_private_keys(hx509_context context,
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_collector_free(struct hx509_collector *c)
{
size_t i;
diff --git a/lib/hx509/crmf.asn1 b/lib/hx509/crmf.asn1
deleted file mode 100644
index 3d8403c8e86a..000000000000
--- a/lib/hx509/crmf.asn1
+++ /dev/null
@@ -1,113 +0,0 @@
--- $Id$
-PKCS10 DEFINITIONS ::=
-
-BEGIN
-
-IMPORTS
- Time,
- GeneralName,
- SubjectPublicKeyInfo,
- RelativeDistinguishedName,
- AttributeTypeAndValue,
- Extension,
- AlgorithmIdentifier
- FROM rfc2459
- heim_any
- FROM heim;
-
-CRMFRDNSequence ::= SEQUENCE OF RelativeDistinguishedName
-
-Controls ::= SEQUENCE -- SIZE(1..MAX) -- OF AttributeTypeAndValue
-
--- XXX IMPLICIT brokenness
-POPOSigningKey ::= SEQUENCE {
- poposkInput [0] IMPLICIT POPOSigningKeyInput OPTIONAL,
- algorithmIdentifier AlgorithmIdentifier,
- signature BIT STRING }
-
-PKMACValue ::= SEQUENCE {
- algId AlgorithmIdentifier,
- value BIT STRING
-}
-
--- XXX IMPLICIT brokenness
-POPOSigningKeyInput ::= SEQUENCE {
- authInfo CHOICE {
- sender [0] IMPLICIT GeneralName,
- publicKeyMAC PKMACValue
- },
- publicKey SubjectPublicKeyInfo
-} -- from CertTemplate
-
-
-PBMParameter ::= SEQUENCE {
- salt OCTET STRING,
- owf AlgorithmIdentifier,
- iterationCount INTEGER,
- mac AlgorithmIdentifier
-}
-
-SubsequentMessage ::= INTEGER {
- encrCert (0),
- challengeResp (1)
-}
-
--- XXX IMPLICIT brokenness
-POPOPrivKey ::= CHOICE {
- thisMessage [0] BIT STRING, -- Deprecated
- subsequentMessage [1] IMPLICIT SubsequentMessage,
- dhMAC [2] BIT STRING, -- Deprecated
- agreeMAC [3] IMPLICIT PKMACValue,
- encryptedKey [4] heim_any
-}
-
--- XXX IMPLICIT brokenness
-ProofOfPossession ::= CHOICE {
- raVerified [0] NULL,
- signature [1] POPOSigningKey,
- keyEncipherment [2] POPOPrivKey,
- keyAgreement [3] POPOPrivKey
-}
-
-CertTemplate ::= SEQUENCE {
- version [0] INTEGER OPTIONAL,
- serialNumber [1] INTEGER OPTIONAL,
- signingAlg [2] SEQUENCE {
- algorithm OBJECT IDENTIFIER,
- parameters heim_any OPTIONAL
- } -- AlgorithmIdentifier -- OPTIONAL,
- issuer [3] IMPLICIT CHOICE {
- rdnSequence CRMFRDNSequence
- } -- Name -- OPTIONAL,
- validity [4] SEQUENCE {
- notBefore [0] Time OPTIONAL,
- notAfter [1] Time OPTIONAL
- } -- OptionalValidity -- OPTIONAL,
- subject [5] IMPLICIT CHOICE {
- rdnSequence CRMFRDNSequence
- } -- Name -- OPTIONAL,
- publicKey [6] IMPLICIT SEQUENCE {
- algorithm AlgorithmIdentifier,
- subjectPublicKey BIT STRING OPTIONAL
- } -- SubjectPublicKeyInfo -- OPTIONAL,
- issuerUID [7] IMPLICIT BIT STRING OPTIONAL,
- subjectUID [8] IMPLICIT BIT STRING OPTIONAL,
- extensions [9] IMPLICIT SEQUENCE OF Extension OPTIONAL
-}
-
-CertRequest ::= SEQUENCE {
- certReqId INTEGER,
- certTemplate CertTemplate,
- controls Controls OPTIONAL
-}
-
-CertReqMsg ::= SEQUENCE {
- certReq CertRequest,
- popo ProofOfPossession OPTIONAL,
- regInfo SEQUENCE OF AttributeTypeAndValue OPTIONAL }
-
-CertReqMessages ::= SEQUENCE OF CertReqMsg
-
-
-END
-
diff --git a/lib/hx509/crypto-ec.c b/lib/hx509/crypto-ec.c
index 4777171cae52..bd5d01a609ad 100644
--- a/lib/hx509/crypto-ec.c
+++ b/lib/hx509/crypto-ec.c
@@ -34,11 +34,16 @@
#include <config.h>
#ifdef HAVE_HCRYPTO_W_OPENSSL
+#include <openssl/evp.h>
#include <openssl/ec.h>
#include <openssl/ecdsa.h>
#include <openssl/rsa.h>
#include <openssl/bn.h>
#include <openssl/objects.h>
+#ifdef HAVE_OPENSSL_30
+#include <openssl/asn1.h>
+#include <openssl/core_names.h>
+#endif
#define HEIM_NO_CRYPTO_HDRS
#endif /* HAVE_HCRYPTO_W_OPENSSL */
@@ -49,47 +54,54 @@ extern const AlgorithmIdentifier _hx509_signature_sha384_data;
extern const AlgorithmIdentifier _hx509_signature_sha256_data;
extern const AlgorithmIdentifier _hx509_signature_sha1_data;
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_private_eckey_free(void *eckey)
{
#ifdef HAVE_HCRYPTO_W_OPENSSL
+#ifdef HAVE_OPENSSL_30
+ EVP_PKEY_free(eckey);
+#else
EC_KEY_free(eckey);
#endif
+#endif
}
#ifdef HAVE_HCRYPTO_W_OPENSSL
-static int
-heim_oid2ecnid(heim_oid *oid)
-{
- /*
- * Now map to openssl OID fun
- */
-
- if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP256R1) == 0)
- return NID_X9_62_prime256v1;
+static struct oid2nid_st {
+ const heim_oid *oid;
+ int nid;
+} oid2nid[] = {
+ { ASN1_OID_ID_EC_GROUP_SECP256R1, NID_X9_62_prime256v1 },
#ifdef NID_secp521r1
- else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP521R1) == 0)
- return NID_secp521r1;
+ { ASN1_OID_ID_EC_GROUP_SECP521R1, NID_secp521r1 },
#endif
#ifdef NID_secp384r1
- else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP384R1) == 0)
- return NID_secp384r1;
+ { ASN1_OID_ID_EC_GROUP_SECP384R1, NID_secp384r1 },
#endif
#ifdef NID_secp160r1
- else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP160R1) == 0)
- return NID_secp160r1;
+ { ASN1_OID_ID_EC_GROUP_SECP160R1, NID_secp160r1 },
#endif
#ifdef NID_secp160r2
- else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP160R2) == 0)
- return NID_secp160r2;
+ { ASN1_OID_ID_EC_GROUP_SECP160R2, NID_secp160r2 },
#endif
+ /* XXX Add more! Add X25519! */
+};
+
+int
+_hx509_ossl_oid2nid(heim_oid *oid)
+{
+ size_t i;
+ for (i = 0; i < sizeof(oid2nid)/sizeof(oid2nid[0]); i++)
+ if (der_heim_oid_cmp(oid, oid2nid[i].oid) == 0)
+ return oid2nid[i].nid;
return NID_undef;
}
static int
-parse_ECParameters(hx509_context context,
- heim_octet_string *parameters, int *nid)
+ECParameters2nid(hx509_context context,
+ heim_octet_string *parameters,
+ int *nid)
{
ECParameters ecparam;
size_t size;
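Review bot: `_hx509_ossl_oid2nid()` is a new non-static function without the HX509_LIB_FUNCTION/HX509_LIB_CALL decoration this commit adds to every other cross-file symbol, and it takes a non-const `heim_oid *` although it only reads through it and the table already stores `const heim_oid *`. If other hx509 files are meant to call it, give it a prototype in the private header with the same decoration; in either case `int _hx509_ossl_oid2nid(const heim_oid *oid)` lets callers pass the ASN1_OID_* constants without a cast, and `static const struct oid2nid_st { ... } oid2nid[]` keeps the lookup table out of writable data. The `/* XXX Add more! Add X25519! */` note is misleading here: X25519 is identified by its own SubjectPublicKeyInfo algorithm OID rather than an ECParameters namedCurve, so it would not come through this mapping.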
@@ -117,7 +129,7 @@ parse_ECParameters(hx509_context context,
return HX509_CRYPTO_SIG_INVALID_FORMAT;
}
- *nid = heim_oid2ecnid(&ecparam.u.namedCurve);
+ *nid = _hx509_ossl_oid2nid(&ecparam.u.namedCurve);
free_ECParameters(&ecparam);
if (*nid == NID_undef) {
hx509_set_error_string(context, 0, ret,
@@ -127,6 +139,39 @@ parse_ECParameters(hx509_context context,
return 0;
}
+#ifdef HAVE_OPENSSL_30
+static const EVP_MD *
+signature_alg2digest_evp_md(hx509_context context,
+ const AlgorithmIdentifier *digest_alg)
+{
+ if ((&digest_alg->algorithm == &asn1_oid_id_sha512 ||
+ der_heim_oid_cmp(&digest_alg->algorithm, &asn1_oid_id_sha512) == 0))
+ return EVP_sha512();
+ if ((&digest_alg->algorithm == &asn1_oid_id_sha384 ||
+ der_heim_oid_cmp(&digest_alg->algorithm, &asn1_oid_id_sha384) == 0))
+ return EVP_sha384();
+ if ((&digest_alg->algorithm == &asn1_oid_id_sha256 ||
+ der_heim_oid_cmp(&digest_alg->algorithm, &asn1_oid_id_sha256) == 0))
+ return EVP_sha256();
+ if ((&digest_alg->algorithm == &asn1_oid_id_secsig_sha_1 ||
+ der_heim_oid_cmp(&digest_alg->algorithm, &asn1_oid_id_secsig_sha_1) == 0))
+ return EVP_sha1();
+ if ((&digest_alg->algorithm == &asn1_oid_id_rsa_digest_md5 ||
+ der_heim_oid_cmp(&digest_alg->algorithm,
+ &asn1_oid_id_rsa_digest_md5) == 0))
+ return EVP_md5();
+
+ /*
+ * XXX Decode the `digest_alg->algorithm' OID and include it in the error
+ * message.
+ */
+ hx509_set_error_string(context, 0, EINVAL,
+ "Digest algorithm not found");
+ return NULL;
+}
+#endif
+
+
/*
*
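Review bot: signature_alg2digest_evp_md() returns NULL after setting an error string, and both callers in this file store the result before any check; since OpenSSL 3's EVP_DigestSignInit()/EVP_DigestVerifyInit() document a NULL `type` as "use the key's default digest" rather than as an error, a NULL from here must never be forwarded. State that contract on the function: `/* Returns NULL (error string set) for an unknown digest OID. Callers must fail rather than pass NULL to EVP_Digest*Init(), which would silently pick a default digest. */`. The MD5 and SHA-1 entries are presumably reachable only through entries of the internal signature table rather than from arbitrary AlgorithmIdentifiers; a note saying so would stop a reader from assuming MD5-based ECDSA is accepted on purpose.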
@@ -140,6 +185,106 @@ ecdsa_verify_signature(hx509_context context,
const heim_octet_string *data,
const heim_octet_string *sig)
{
+#ifdef HAVE_OPENSSL_30
+ const AlgorithmIdentifier *digest_alg = sig_alg->digest_alg;
+ const EVP_MD *md = signature_alg2digest_evp_md(context, digest_alg);
+ const SubjectPublicKeyInfo *spi;
+ const char *curve_sn = NULL; /* sn == short name in OpenSSL parlance */
+ OSSL_PARAM params[2];
+ EVP_PKEY_CTX *pctx = NULL;
+ EVP_MD_CTX *mdctx = NULL;
+ EVP_PKEY *template = NULL;
+ EVP_PKEY *public = NULL;
+ const unsigned char *p;
+ size_t len;
+ char *curve_sn_dup = NULL;
+ int groupnid;
+ int ret = 0;
+
+ spi = &signer->tbsCertificate.subjectPublicKeyInfo;
+ if (der_heim_oid_cmp(&spi->algorithm.algorithm,
+ ASN1_OID_ID_ECPUBLICKEY) != 0)
+ hx509_set_error_string(context, 0,
+ ret = HX509_CRYPTO_SIG_INVALID_FORMAT,
+ /* XXX Include the OID in the message */
+ "Unsupported subjectPublicKey algorithm");
+ if (ret == 0)
+ ret = ECParameters2nid(context, spi->algorithm.parameters, &groupnid);
+ if (ret == 0 && (curve_sn = OBJ_nid2sn(groupnid)) == NULL)
+ hx509_set_error_string(context, 0,
+ ret = HX509_CRYPTO_SIG_INVALID_FORMAT,
+ "Could not resolve curve NID %d to its short name",
+ groupnid);
+ if (ret == 0 && (curve_sn_dup = strdup(curve_sn)) == NULL)
+ ret = hx509_enomem(context);
+ if (ret == 0 && (mdctx = EVP_MD_CTX_new()) == NULL)
+ ret = hx509_enomem(context);
+
+ /*
+ * In order for d2i_PublicKey() to work we need to create a template key
+ * that has the curve parameters for the subjectPublicKey.
+ *
+ * Or maybe we could learn to use the OSSL_DECODER(3) API. But this works,
+ * at least until OpenSSL deprecates d2i_PublicKey() and forces us to use
+ * OSSL_DECODER(3).
+ */
+ if (ret == 0) {
+ /*
+ * Apparently there's no error checking to be done here? Why does
+ * OSSL_PARAM_construct_utf8_string() want a non-const for the value?
+ * Is that a bug in OpenSSL?
+ */
+ params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
+ curve_sn_dup, 0);
+ params[1] = OSSL_PARAM_construct_end();
+
+ if ((pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL)
+ ret = hx509_enomem(context);
+ }
+ if (ret == 0 && EVP_PKEY_fromdata_init(pctx) != 1)
+ ret = hx509_enomem(context);
+ if (ret == 0 &&
+ EVP_PKEY_fromdata(pctx, &template,
+ OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, params) != 1)
+ hx509_set_error_string(context, 0,
+ ret = HX509_CRYPTO_SIG_INVALID_FORMAT,
+ "Could not set up to parse key for curve %s",
+ curve_sn);
+
+ /* Finally we can decode the subjectPublicKey */
+ p = spi->subjectPublicKey.data;
+ len = spi->subjectPublicKey.length / 8;
+ if (ret == 0 &&
+ (public = d2i_PublicKey(EVP_PKEY_EC, &template, &p, len)) == NULL)
+ ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
+
+ /* EVP_DigestVerifyInit() will allocate a new pctx */
+ EVP_PKEY_CTX_free(pctx);
+ pctx = NULL;
+
+ if (ret == 0 &&
+ EVP_DigestVerifyInit(mdctx, &pctx, md, NULL, public) != 1)
+ hx509_set_error_string(context, 0,
+ ret = HX509_CRYPTO_SIG_INVALID_FORMAT,
+ "Could not initialize "
+ "OpenSSL signature verification");
+ if (ret == 0 &&
+ EVP_DigestVerifyUpdate(mdctx, data->data, data->length) != 1)
+ hx509_set_error_string(context, 0,
+ ret = HX509_CRYPTO_SIG_INVALID_FORMAT,
+ "Could not initialize "
+ "OpenSSL signature verification");
+ if (ret == 0 &&
+ EVP_DigestVerifyFinal(mdctx, sig->data, sig->length) != 1)
+ hx509_set_error_string(context, 0,
+ ret = HX509_CRYPTO_SIG_INVALID_FORMAT,
+ "Signature verification failed");
+
+ EVP_MD_CTX_free(mdctx);
+ EVP_PKEY_free(template);
+ free(curve_sn_dup);
+ return ret;
+#else
const AlgorithmIdentifier *digest_alg;
const SubjectPublicKeyInfo *spi;
heim_octet_string digest;
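Review bot: `md` can be NULL (signature_alg2digest_evp_md() returns NULL for an unknown digest OID) and is handed to EVP_DigestVerifyInit() unchecked; OpenSSL 3 treats a NULL digest there as "use the key's default digest", so the signature would be verified under a digest other than the one the AlgorithmIdentifier names, and `ret` stays 0 despite the error string already being set. Add before `spi = &signer->...`: `if (md == NULL) return HX509_CRYPTO_SIG_INVALID_FORMAT; /* error string already set */`. Separately, `public` is never freed; that is correct only because d2i_PublicKey() with a non-NULL `*template` decodes into that object and returns it, so a comment at the call, `/* decodes into template; released by EVP_PKEY_free(template) below */`, spares the next reader the same check. ecdsa_verify_signature's signature begins before this hunk.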
@@ -153,28 +298,28 @@ ecdsa_verify_signature(hx509_context context,
digest_alg = sig_alg->digest_alg;
ret = _hx509_create_signature(context,
- NULL,
- digest_alg,
- data,
- NULL,
- &digest);
+ NULL,
+ digest_alg,
+ data,
+ NULL,
+ &digest);
if (ret)
- return ret;
+ return ret;
/* set up EC KEY */
spi = &signer->tbsCertificate.subjectPublicKeyInfo;
if (der_heim_oid_cmp(&spi->algorithm.algorithm, ASN1_OID_ID_ECPUBLICKEY) != 0)
- return HX509_CRYPTO_SIG_INVALID_FORMAT;
+ return HX509_CRYPTO_SIG_INVALID_FORMAT;
/*
* Find the group id
*/
- ret = parse_ECParameters(context, spi->algorithm.parameters, &groupnid);
+ ret = ECParameters2nid(context, spi->algorithm.parameters, &groupnid);
if (ret) {
- der_free_octet_string(&digest);
- return ret;
+ der_free_octet_string(&digest);
+ return ret;
}
/*
@@ -190,20 +335,21 @@ ecdsa_verify_signature(hx509_context context,
len = spi->subjectPublicKey.length / 8;
if (o2i_ECPublicKey(&key, &p, len) == NULL) {
- EC_KEY_free(key);
- return HX509_CRYPTO_SIG_INVALID_FORMAT;
+ EC_KEY_free(key);
+ return HX509_CRYPTO_SIG_INVALID_FORMAT;
}
ret = ECDSA_verify(-1, digest.data, digest.length,
- sig->data, sig->length, key);
+ sig->data, sig->length, key);
der_free_octet_string(&digest);
EC_KEY_free(key);
if (ret != 1) {
- ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
- return ret;
+ ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
+ return ret;
}
return 0;
+#endif
}
static int
@@ -215,6 +361,56 @@ ecdsa_create_signature(hx509_context context,
AlgorithmIdentifier *signatureAlgorithm,
heim_octet_string *sig)
{
+#ifdef HAVE_OPENSSL_30
+ const AlgorithmIdentifier *digest_alg = sig_alg->digest_alg;
+ const EVP_MD *md = signature_alg2digest_evp_md(context, digest_alg);
+ EVP_MD_CTX *mdctx = NULL;
+ EVP_PKEY_CTX *pctx = NULL;
+ const heim_oid *sig_oid;
+ int ret = 0;
+
+ sig->data = NULL;
+ sig->length = 0;
+ if (signer->ops && der_heim_oid_cmp(signer->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) != 0)
+ _hx509_abort("internal error passing private key to wrong ops");
+
+ sig_oid = sig_alg->sig_oid;
+ digest_alg = sig_alg->digest_alg;
+
+ if (signatureAlgorithm)
+ ret = _hx509_set_digest_alg(signatureAlgorithm, sig_oid,
+ "\x05\x00", 2);
+ mdctx = EVP_MD_CTX_new();
+ if (mdctx == NULL)
+ ret = hx509_enomem(context);
+ if (ret == 0 && EVP_DigestSignInit(mdctx, &pctx, md, NULL,
+ signer->private_key.ecdsa) != 1)
+ ret = HX509_CMS_FAILED_CREATE_SIGATURE;
+ if (ret == 0 && EVP_DigestSignUpdate(mdctx, data->data, data->length) != 1)
+ ret = HX509_CMS_FAILED_CREATE_SIGATURE;
+ if (ret == 0 && EVP_DigestSignFinal(mdctx, NULL, &sig->length) != 1)
+ ret = HX509_CMS_FAILED_CREATE_SIGATURE;
+ if (ret == 0 && (sig->data = malloc(sig->length)) == NULL)
+ ret = hx509_enomem(context);
+ if (ret == 0 && EVP_DigestSignFinal(mdctx, sig->data, &sig->length) != 1)
+ ret = HX509_CMS_FAILED_CREATE_SIGATURE;
+
+ if (ret == HX509_CMS_FAILED_CREATE_SIGATURE) {
+ /* XXX Extract error detail from OpenSSL */
+ hx509_set_error_string(context, 0, ret,
+ "ECDSA sign failed");
+ }
+
+ if (ret) {
+ if (signatureAlgorithm)
+ free_AlgorithmIdentifier(signatureAlgorithm);
+ free(sig->data);
+ sig->data = NULL;
+ sig->length = 0;
+ }
+ EVP_MD_CTX_free(mdctx);
+ return ret;
+#else
const AlgorithmIdentifier *digest_alg;
heim_octet_string indata;
const heim_oid *sig_oid;
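Review bot: Same unchecked-`md` gap as in the verify path: signature_alg2digest_evp_md() can return NULL, and EVP_DigestSignInit() with a NULL digest picks the key's default digest, so the signature produced would not match the `signatureAlgorithm` this function encodes from `sig_oid`. Add after `sig->length = 0;`: `if (md == NULL) return HX509_CMS_FAILED_CREATE_SIGATURE; /* error string already set */` (nothing has been allocated at that point, so no cleanup is needed). Minor: `digest_alg` is initialised from `sig_alg->digest_alg` in its declaration and assigned the same value again a few lines later; drop the second assignment. The pre-3.0 branch below calls hx509_clear_error_string() when `_hx509_set_digest_alg()` fails while this branch does not, which is presumably unintentional asymmetry. ecdsa_create_signature's signature begins before this hunk.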
@@ -222,7 +418,7 @@ ecdsa_create_signature(hx509_context context,
int ret;
if (signer->ops && der_heim_oid_cmp(signer->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) != 0)
- _hx509_abort("internal error passing private key to wrong ops");
+ _hx509_abort("internal error passing private key to wrong ops");
sig_oid = sig_alg->sig_oid;
digest_alg = sig_alg->digest_alg;
@@ -230,59 +426,63 @@ ecdsa_create_signature(hx509_context context,
if (signatureAlgorithm) {
ret = _hx509_set_digest_alg(signatureAlgorithm, sig_oid,
"\x05\x00", 2);
- if (ret) {
- hx509_clear_error_string(context);
- return ret;
- }
+ if (ret) {
+ hx509_clear_error_string(context);
+ return ret;
+ }
}
ret = _hx509_create_signature(context,
- NULL,
- digest_alg,
- data,
- NULL,
- &indata);
+ NULL,
+ digest_alg,
+ data,
+ NULL,
+ &indata);
if (ret)
- goto error;
+ goto error;
sig->length = ECDSA_size(signer->private_key.ecdsa);
sig->data = malloc(sig->length);
if (sig->data == NULL) {
- der_free_octet_string(&indata);
- ret = ENOMEM;
- hx509_set_error_string(context, 0, ret, "out of memory");
- goto error;
+ der_free_octet_string(&indata);
+ ret = ENOMEM;
+ hx509_set_error_string(context, 0, ret, "out of memory");
+ goto error;
}
siglen = sig->length;
ret = ECDSA_sign(-1, indata.data, indata.length,
- sig->data, &siglen, signer->private_key.ecdsa);
+ sig->data, &siglen, signer->private_key.ecdsa);
der_free_octet_string(&indata);
if (ret != 1) {
- ret = HX509_CMS_FAILED_CREATE_SIGATURE;
- hx509_set_error_string(context, 0, ret,
- "ECDSA sign failed: %d", ret);
- goto error;
+ ret = HX509_CMS_FAILED_CREATE_SIGATURE;
+ hx509_set_error_string(context, 0, ret,
+ "ECDSA sign failed: %d", ret);
+ goto error;
}
if (siglen > sig->length)
- _hx509_abort("ECDSA signature prelen longer the output len");
+ _hx509_abort("ECDSA signature prelen longer the output len");
sig->length = siglen;
return 0;
- error:
+error:
if (signatureAlgorithm)
- free_AlgorithmIdentifier(signatureAlgorithm);
+ free_AlgorithmIdentifier(signatureAlgorithm);
return ret;
+#endif
}
static int
ecdsa_available(const hx509_private_key signer,
const AlgorithmIdentifier *sig_alg)
{
+#ifdef HAVE_OPENSSL_30
const struct signature_alg *sig;
- const EC_GROUP *group;
+ size_t group_name_len = 0;
+ char group_name_buf[96];
+ EC_GROUP *group = NULL;
BN_CTX *bnctx = NULL;
BIGNUM *order = NULL;
int ret = 0;
@@ -291,34 +491,75 @@ ecdsa_available(const hx509_private_key signer,
_hx509_abort("internal error passing private key to wrong ops");
sig = _hx509_find_sig_alg(&sig_alg->algorithm);
-
if (sig == NULL || sig->digest_size == 0)
return 0;
+ if (EVP_PKEY_get_group_name(signer->private_key.ecdsa, group_name_buf,
+ sizeof(group_name_buf),
+ &group_name_len) != 1 ||
+ group_name_len >= sizeof(group_name_buf)) {
+ return 0;
+ }
+ group = EC_GROUP_new_by_curve_name(OBJ_txt2nid(group_name_buf));
+ bnctx = BN_CTX_new();
+ order = BN_new();
+ if (group && bnctx && order &&
+ EC_GROUP_get_order(group, order, bnctx) == 1)
+ ret = 1;
+
+#if 0
+ /*
+ * If anything, require a digest at least as wide as the EC key size
+ *
+ * if (BN_num_bytes(order) > sig->digest_size)
+ * ret = 0;
+ */
+#endif
+
+ BN_CTX_free(bnctx);
+ BN_clear_free(order);
+ EC_GROUP_free(group);
+ return ret;
+#else
+ const struct signature_alg *sig;
+ const EC_GROUP *group;
+ BN_CTX *bnctx = NULL;
+ BIGNUM *order = NULL;
+ int ret = 0;
+
+ if (der_heim_oid_cmp(signer->ops->key_oid, &asn1_oid_id_ecPublicKey) != 0)
+ _hx509_abort("internal error passing private key to wrong ops");
+
+ sig = _hx509_find_sig_alg(&sig_alg->algorithm);
+
+ if (sig == NULL || sig->digest_size == 0)
+ return 0;
+
group = EC_KEY_get0_group(signer->private_key.ecdsa);
if (group == NULL)
- return 0;
+ return 0;
bnctx = BN_CTX_new();
order = BN_new();
if (order == NULL)
- goto err;
+ goto err;
if (EC_GROUP_get_order(group, order, bnctx) != 1)
- goto err;
+ goto err;
#if 0
/* If anything, require a digest at least as wide as the EC key size */
if (BN_num_bytes(order) > sig->digest_size)
#endif
- ret = 1;
+ ret = 1;
err:
if (bnctx)
- BN_CTX_free(bnctx);
+ BN_CTX_free(bnctx);
if (order)
- BN_clear_free(order);
+ BN_clear_free(order);
- return ret;
+ return ret;
+#endif
}
static int
@@ -347,55 +588,119 @@ ecdsa_private_key_import(hx509_context context,
hx509_key_format_t format,
hx509_private_key private_key)
{
+#ifdef HAVE_OPENSSL_30
+ const unsigned char *p = data;
+ EVP_PKEY *key = NULL;
+ int ret = 0;
+
+ switch (format) {
+ case HX509_KEY_FORMAT_PKCS8:
+ key = d2i_PrivateKey(EVP_PKEY_EC, NULL, &p, len);
+ if (key == NULL) {
+ hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+ "Failed to parse EC private key");
+ return HX509_PARSING_KEY_FAILED;
+ }
+ break;
+
+ default:
+ return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED;
+ }
+
+ /*
+ * We used to have to call EC_KEY_new(), then EC_KEY_set_group() the group
+ * (curve) on the resulting EC_KEY _before_ we could d2i_ECPrivateKey() the
+ * key, but that's all deprecated in OpenSSL 3.0.
+ *
+ * In fact, it's not clear how ever to assign a group to a private key,
+ * but that's what the documentation for d2i_PrivateKey() says: that
+ * its `EVP_PKEY **' argument must be non-NULL pointing to a key that
+ * has had the group set.
+ *
+ * However, from code inspection it's clear that when the ECParameters
+ * are present in the private key payload passed to d2i_PrivateKey(),
+ * the group will be taken from that.
+ *
+ * What we'll do is that if we have `keyai->parameters' we'll check if the
+ * key we got is for the same group.
+ */
+ if (keyai->parameters) {
+ size_t gname_len = 0;
+ char buf[96];
+ int got_group_nid = NID_undef;
+ int want_groupnid = NID_undef;
+
+ ret = ECParameters2nid(context, keyai->parameters, &want_groupnid);
+ if (ret == 0 &&
+ (EVP_PKEY_get_group_name(key, buf, sizeof(buf), &gname_len) != 1 ||
+ gname_len >= sizeof(buf)))
+ ret = HX509_ALG_NOT_SUPP;
+ if (ret == 0)
+ got_group_nid = OBJ_txt2nid(buf);
+ if (ret == 0 &&
+ (got_group_nid == NID_undef || want_groupnid != got_group_nid))
+ ret = HX509_ALG_NOT_SUPP;
+ }
+
+ if (ret == 0) {
+ private_key->private_key.ecdsa = key;
+ private_key->signature_alg = ASN1_OID_ID_ECDSA_WITH_SHA256;
+ key = NULL;
+ }
+
+ EVP_PKEY_free(key);
+ return ret;
+#else
const unsigned char *p = data;
EC_KEY **pkey = NULL;
EC_KEY *key;
if (keyai->parameters) {
- EC_GROUP *group;
- int groupnid;
- int ret;
-
- ret = parse_ECParameters(context, keyai->parameters, &groupnid);
- if (ret)
- return ret;
-
- key = EC_KEY_new();
- if (key == NULL)
- return ENOMEM;
-
- group = EC_GROUP_new_by_curve_name(groupnid);
- if (group == NULL) {
- EC_KEY_free(key);
- return ENOMEM;
- }
- EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
- if (EC_KEY_set_group(key, group) == 0) {
- EC_KEY_free(key);
- EC_GROUP_free(group);
- return ENOMEM;
- }
- EC_GROUP_free(group);
- pkey = &key;
+ EC_GROUP *group;
+ int groupnid;
+ int ret;
+
+ ret = ECParameters2nid(context, keyai->parameters, &groupnid);
+ if (ret)
+ return ret;
+
+ key = EC_KEY_new();
+ if (key == NULL)
+ return ENOMEM;
+
+ group = EC_GROUP_new_by_curve_name(groupnid);
+ if (group == NULL) {
+ EC_KEY_free(key);
+ return ENOMEM;
+ }
+ EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
+ if (EC_KEY_set_group(key, group) != 1) {
+ EC_KEY_free(key);
+ EC_GROUP_free(group);
+ return ENOMEM;
+ }
+ EC_GROUP_free(group);
+ pkey = &key;
}
switch (format) {
case HX509_KEY_FORMAT_DER:
- private_key->private_key.ecdsa = d2i_ECPrivateKey(pkey, &p, len);
- if (private_key->private_key.ecdsa == NULL) {
- hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
- "Failed to parse EC private key");
- return HX509_PARSING_KEY_FAILED;
- }
- private_key->signature_alg = ASN1_OID_ID_ECDSA_WITH_SHA256;
- break;
+ private_key->private_key.ecdsa = d2i_ECPrivateKey(pkey, &p, len);
+ if (private_key->private_key.ecdsa == NULL) {
+ hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+ "Failed to parse EC private key");
+ return HX509_PARSING_KEY_FAILED;
+ }
+ private_key->signature_alg = ASN1_OID_ID_ECDSA_WITH_SHA256;
+ break;
default:
- return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED;
+ return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED;
}
return 0;
+#endif
}
static int
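Review bot: Under `HAVE_OPENSSL_30` the `switch (format)` accepts only `HX509_KEY_FORMAT_PKCS8`, while the legacy branch below accepts only `HX509_KEY_FORMAT_DER`, so a caller passing the DER format gets `HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED` on OpenSSL 3.0 builds. This interacts with the PKCS#8 fallback added to hx509_parse_private_key in this same commit, which re-enters with `HX509_KEY_FORMAT_DER` and is therefore rejected here for EC keys. Since d2i_PrivateKey() decodes both the type-specific encoding and unencrypted PKCS#8 PrivateKeyInfo, both labels can share one arm: `case HX509_KEY_FORMAT_DER: /* fallthrough */` before `case HX509_KEY_FORMAT_PKCS8:`; if PKCS#8-only is intended, a comment stating why would help.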
@@ -512,7 +817,7 @@ const struct signature_alg ecdsa_with_sha1_alg = {
#endif /* HAVE_HCRYPTO_W_OPENSSL */
-const AlgorithmIdentifier *
+HX509_LIB_FUNCTION const AlgorithmIdentifier * HX509_LIB_CALL
hx509_signature_ecPublicKey(void)
{
#ifdef HAVE_HCRYPTO_W_OPENSSL
@@ -522,7 +827,7 @@ hx509_signature_ecPublicKey(void)
#endif /* HAVE_HCRYPTO_W_OPENSSL */
}
-const AlgorithmIdentifier *
+HX509_LIB_FUNCTION const AlgorithmIdentifier * HX509_LIB_CALL
hx509_signature_ecdsa_with_sha256(void)
{
#ifdef HAVE_HCRYPTO_W_OPENSSL
diff --git a/lib/hx509/crypto.c b/lib/hx509/crypto.c
index 0df91699b513..05f694b41c58 100644
--- a/lib/hx509/crypto.c
+++ b/lib/hx509/crypto.c
@@ -136,7 +136,7 @@ heim_int2BN(const heim_integer *i)
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_set_digest_alg(DigestAlgorithmIdentifier *id,
const heim_oid *oid,
const void *param, size_t length)
@@ -436,6 +436,8 @@ rsa_private_key2SPKI(hx509_context context,
memset(spki, 0, sizeof(*spki));
len = i2d_RSAPublicKey(private_key->private_key.rsa, NULL);
+ if (len < 0)
+ return -1;
spki->subjectPublicKey.data = malloc(len);
if (spki->subjectPublicKey.data == NULL) {
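Review bot: The new `if (len < 0) return -1;` leaks a bare -1 to callers, which is neither an errno value nor one of the HX509_* codes this file otherwise returns, and it sets no error string. Return an hx509 error code used elsewhere in this file and report it, e.g. `hx509_set_error_string(context, 0, <hx509 error code>, "Failed to encode RSA public key");` followed by `return <same code>;`. Note that `len == 0` still reaches `malloc(len)` on the next line. rsa_private_key2SPKI's body continues outside the hunk.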
@@ -1041,7 +1043,7 @@ static struct hx509_private_key_ops *private_algs[] = {
NULL
};
-hx509_private_key_ops *
+HX509_LIB_FUNCTION hx509_private_key_ops * HX509_LIB_CALL
hx509_find_private_alg(const heim_oid *oid)
{
int i;
@@ -1059,7 +1061,7 @@ hx509_find_private_alg(const heim_oid *oid)
* des, make sure the its before the time `t'.
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_signature_is_weak(hx509_context context, const AlgorithmIdentifier *alg)
{
const struct signature_alg *md;
@@ -1077,7 +1079,7 @@ _hx509_signature_is_weak(hx509_context context, const AlgorithmIdentifier *alg)
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_self_signed_valid(hx509_context context,
const AlgorithmIdentifier *alg)
{
@@ -1098,7 +1100,7 @@ _hx509_self_signed_valid(hx509_context context,
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_verify_signature(hx509_context context,
const hx509_cert cert,
const AlgorithmIdentifier *alg,
@@ -1136,7 +1138,7 @@ _hx509_verify_signature(hx509_context context,
return (*md->verify_signature)(context, md, signer, alg, data, sig);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_create_signature(hx509_context context,
const hx509_private_key signer,
const AlgorithmIdentifier *alg,
@@ -1163,7 +1165,7 @@ _hx509_create_signature(hx509_context context,
signatureAlgorithm, sig);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_create_signature_bitstring(hx509_context context,
const hx509_private_key signer,
const AlgorithmIdentifier *alg,
@@ -1183,7 +1185,7 @@ _hx509_create_signature_bitstring(hx509_context context,
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_public_encrypt(hx509_context context,
const heim_octet_string *cleartext,
const Certificate *cert,
@@ -1246,7 +1248,7 @@ _hx509_public_encrypt(hx509_context context,
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_private_key_private_decrypt(hx509_context context,
const heim_octet_string *ciphertext,
const heim_oid *encryption_oid,
@@ -1289,7 +1291,7 @@ hx509_private_key_private_decrypt(hx509_context context,
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_parse_private_key(hx509_context context,
const AlgorithmIdentifier *keyai,
const void *data,
@@ -1318,6 +1320,30 @@ hx509_parse_private_key(hx509_context context,
if (ret)
hx509_private_key_free(private_key);
+ if (ret && format == HX509_KEY_FORMAT_PKCS8) {
+ PKCS8PrivateKeyInfo ki;
+ hx509_private_key key;
+
+ /* Re-enter to try parsing the DER-encoded key from PKCS#8 envelope */
+ ret = decode_PKCS8PrivateKeyInfo(data, len, &ki, NULL);
+ if (ret) {
+ hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+ "Failed to parse PKCS#8-encoded private "
+ "key");
+ return HX509_PARSING_KEY_FAILED;
+ }
+ ret = hx509_parse_private_key(context, &ki.privateKeyAlgorithm,
+ ki.privateKey.data, ki.privateKey.length,
+ HX509_KEY_FORMAT_DER, &key);
+ free_PKCS8PrivateKeyInfo(&ki);
+ if (ret) {
+ hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+ "Failed to parse RSA key from PKCS#8 "
+ "envelope");
+ return HX509_PARSING_KEY_FAILED;
+ }
+ *private_key = key;
+ }
return ret;
}
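Review bot: The error string set when the re-entered parse fails says `"Failed to parse RSA key from PKCS#8 "` `"envelope"`, but this fallback is driven by `ki.privateKeyAlgorithm` and is not specific to RSA, so the message misleads for EC or other key types; `"Failed to parse private key from PKCS#8 envelope"` fits. The fallback re-enters with `HX509_KEY_FORMAT_DER`, so it only helps key types whose import accepts that format. Both returns also overwrite the more specific error the inner call set; keeping it would make import failures easier to diagnose. The enclosing function starts before this hunk.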
@@ -1325,7 +1351,7 @@ hx509_parse_private_key(hx509_context context,
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_private_key2SPKI(hx509_context context,
hx509_private_key private_key,
SubjectPublicKeyInfo *spki)
@@ -1339,7 +1365,7 @@ hx509_private_key2SPKI(hx509_context context,
return (*ops->get_spki)(context, private_key, spki);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_generate_private_key_init(hx509_context context,
const heim_oid *oid,
struct hx509_generate_private_context **ctx)
@@ -1362,7 +1388,7 @@ _hx509_generate_private_key_init(hx509_context context,
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_generate_private_key_is_ca(hx509_context context,
struct hx509_generate_private_context *ctx)
{
@@ -1370,7 +1396,7 @@ _hx509_generate_private_key_is_ca(hx509_context context,
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_generate_private_key_bits(hx509_context context,
struct hx509_generate_private_context *ctx,
unsigned long bits)
@@ -1380,14 +1406,14 @@ _hx509_generate_private_key_bits(hx509_context context,
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_generate_private_key_free(struct hx509_generate_private_context **ctx)
{
free(*ctx);
*ctx = NULL;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_generate_private_key(hx509_context context,
struct hx509_generate_private_context *ctx,
hx509_private_key *private_key)
@@ -1495,7 +1521,7 @@ const AlgorithmIdentifier * _hx509_crypto_default_secret_alg =
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_private_key_init(hx509_private_key *key,
hx509_private_key_ops *ops,
void *keydata)
@@ -1509,7 +1535,7 @@ hx509_private_key_init(hx509_private_key *key,
return 0;
}
-hx509_private_key
+HX509_LIB_FUNCTION hx509_private_key HX509_LIB_CALL
_hx509_private_key_ref(hx509_private_key key)
{
if (key->ref == 0)
@@ -1520,13 +1546,13 @@ _hx509_private_key_ref(hx509_private_key key)
return key;
}
-const char *
+HX509_LIB_FUNCTION const char * HX509_LIB_CALL
_hx509_private_pem_name(hx509_private_key key)
{
return key->ops->pemtype;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_private_key_free(hx509_private_key *key)
{
if (key == NULL || *key == NULL)
@@ -1551,7 +1577,7 @@ hx509_private_key_free(hx509_private_key *key)
return 0;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_private_key_assign_rsa(hx509_private_key key, void *ptr)
{
if (key->private_key.rsa)
@@ -1561,7 +1587,7 @@ hx509_private_key_assign_rsa(hx509_private_key key, void *ptr)
key->md = &pkcs1_rsa_sha1_alg;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_private_key_oid(hx509_context context,
const hx509_private_key key,
heim_oid *data)
@@ -1573,7 +1599,7 @@ _hx509_private_key_oid(hx509_context context,
return ret;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_private_key_exportable(hx509_private_key key)
{
if (key->ops->export == NULL)
@@ -1581,7 +1607,7 @@ _hx509_private_key_exportable(hx509_private_key key)
return 1;
}
-BIGNUM *
+HX509_LIB_FUNCTION BIGNUM * HX509_LIB_CALL
_hx509_private_key_get_internal(hx509_context context,
hx509_private_key key,
const char *type)
@@ -1591,16 +1617,56 @@ _hx509_private_key_get_internal(hx509_context context,
return (*key->ops->get_internal)(context, key, type);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_private_key_export(hx509_context context,
const hx509_private_key key,
hx509_key_format_t format,
heim_octet_string *data)
{
+ data->length = 0;
+ data->data = NULL;
if (key->ops->export == NULL) {
hx509_clear_error_string(context);
return HX509_UNIMPLEMENTED_OPERATION;
}
+ if (format == HX509_KEY_FORMAT_PKCS8) {
+ PKCS8PrivateKeyInfo ki;
+ size_t size;
+ int ret;
+
+ memset(&ki, 0, sizeof(ki));
+ ki.attributes = NULL; /* No localKeyId needed */
+ ki.privateKey.data = NULL;
+ ki.privateKeyAlgorithm.algorithm.components = NULL;
+ ret = der_parse_hex_heim_integer("00", &ki.version);
+ if (ret == 0)
+ ret = _hx509_private_key_oid(context, key,
+ &ki.privateKeyAlgorithm.algorithm);
+ if (ret == 0)
+ /* Re-enter */
+ ret = _hx509_private_key_export(context, key, HX509_KEY_FORMAT_DER,
+ &ki.privateKey);
+
+ /*
+ * XXX To set ki.privateKeyAlgorithm.parameters we'll need to either
+ * move this code into the *key->ops->export() functions, or expand
+ * their signature to allow them to set it for us, or add a method to
+ * hx509_private_key_ops that allows us to get the parameters from the
+ * backend.
+ */
+ ki.privateKeyAlgorithm.parameters = NULL;
+
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(PKCS8PrivateKeyInfo, data->data, data->length,
+ &ki, &size, ret);
+ free_PKCS8PrivateKeyInfo(&ki);
+ if (ret == 0 && size != data->length)
+ ret = EINVAL;
+ if (ret)
+ hx509_set_error_string(context, 0, ret,
+ "Private key PKCS#8 encoding failed");
+ return ret;
+ }
return (*key->ops->export)(context, key, format, data);
}
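Review bot: `ki.privateKey` holds the DER-encoded private key between the re-entrant export and `free_PKCS8PrivateKeyInfo(&ki)`; unless that generated free routine scrubs octet strings, the key bytes remain in freed heap memory. Clear it explicitly before freeing with a non-optimizable clear, e.g. `if (ki.privateKey.data) memset_s(ki.privateKey.data, ki.privateKey.length, 0, ki.privateKey.length);`. It is also worth stating next to the XXX comment that, because `parameters` is left NULL, the PKCS#8 produced for EC keys carries no namedCurve; Heimdal's own importer tolerates this (it compares the curve only when `keyai->parameters` is present), but other consumers may reject such a key.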
@@ -1880,7 +1946,7 @@ find_cipher_by_name(const char *name)
}
-const heim_oid *
+HX509_LIB_FUNCTION const heim_oid * HX509_LIB_CALL
hx509_crypto_enctype_by_name(const char *name)
{
const struct hx509cipher *cipher;
@@ -1891,7 +1957,7 @@ hx509_crypto_enctype_by_name(const char *name)
return cipher->oid;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_init(hx509_context context,
const char *provider,
const heim_oid *enctype,
@@ -1928,13 +1994,13 @@ hx509_crypto_init(hx509_context context,
return 0;
}
-const char *
+HX509_LIB_FUNCTION const char * HX509_LIB_CALL
hx509_crypto_provider(hx509_crypto crypto)
{
return "unknown";
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_crypto_destroy(hx509_crypto crypto)
{
if (crypto->name)
@@ -1948,19 +2014,19 @@ hx509_crypto_destroy(hx509_crypto crypto)
free(crypto);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_set_key_name(hx509_crypto crypto, const char *name)
{
return 0;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_crypto_allow_weak(hx509_crypto crypto)
{
crypto->flags |= ALLOW_WEAK;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_crypto_set_padding(hx509_crypto crypto, int padding_type)
{
switch (padding_type) {
@@ -1977,7 +2043,7 @@ hx509_crypto_set_padding(hx509_crypto crypto, int padding_type)
}
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_set_key_data(hx509_crypto crypto, const void *data, size_t length)
{
if (EVP_CIPHER_key_length(crypto->c) > (int)length)
@@ -1997,7 +2063,7 @@ hx509_crypto_set_key_data(hx509_crypto crypto, const void *data, size_t length)
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_set_random_key(hx509_crypto crypto, heim_octet_string *key)
{
if (crypto->key.data) {
@@ -2023,7 +2089,7 @@ hx509_crypto_set_random_key(hx509_crypto crypto, heim_octet_string *key)
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_set_params(hx509_context context,
hx509_crypto crypto,
const heim_octet_string *param,
@@ -2032,7 +2098,7 @@ hx509_crypto_set_params(hx509_context context,
return (*crypto->cipher->set_params)(context, param, crypto, ivec);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_get_params(hx509_context context,
hx509_crypto crypto,
const heim_octet_string *ivec,
@@ -2041,7 +2107,7 @@ hx509_crypto_get_params(hx509_context context,
return (*crypto->cipher->get_params)(context, crypto, ivec, param);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_random_iv(hx509_crypto crypto, heim_octet_string *ivec)
{
ivec->length = EVP_CIPHER_iv_length(crypto->c);
@@ -2060,7 +2126,7 @@ hx509_crypto_random_iv(hx509_crypto crypto, heim_octet_string *ivec)
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_encrypt(hx509_crypto crypto,
const void *data,
const size_t length,
@@ -2148,7 +2214,7 @@ hx509_crypto_encrypt(hx509_crypto crypto,
return ret;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_decrypt(hx509_crypto crypto,
const void *data,
const size_t length,
@@ -2365,7 +2431,7 @@ find_string2key(const heim_oid *oid,
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_pbe_encrypt(hx509_context context,
hx509_lock lock,
const AlgorithmIdentifier *ai,
@@ -2380,7 +2446,7 @@ _hx509_pbe_encrypt(hx509_context context,
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_pbe_decrypt(hx509_context context,
hx509_lock lock,
const AlgorithmIdentifier *ai,
@@ -2530,7 +2596,7 @@ match_keys_ec(hx509_cert c, hx509_private_key private_key)
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_match_keys(hx509_cert c, hx509_private_key key)
{
if (!key->ops)
@@ -2558,7 +2624,7 @@ find_keytype(const hx509_private_key key)
return md->key_oid;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_select(const hx509_context context,
int type,
const hx509_private_key source,
@@ -2638,7 +2704,7 @@ hx509_crypto_select(const hx509_context context,
return ret;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_available(hx509_context context,
int type,
hx509_cert source,
@@ -2723,7 +2789,7 @@ out:
return ENOMEM;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_crypto_free_algs(AlgorithmIdentifier *val,
unsigned int len)
{
diff --git a/lib/hx509/data/PKITS.pdf b/lib/hx509/data/PKITS.pdf
new file mode 100644
index 000000000000..3a56862a2ae5
--- /dev/null
+++ b/lib/hx509/data/PKITS.pdf
Binary files differ
diff --git a/lib/hx509/data/ca.crt b/lib/hx509/data/ca.crt
index b8e7bb789556..7aa8bcf7fa85 100644
--- a/lib/hx509/data/ca.crt
+++ b/lib/hx509/data/ca.crt
@@ -1,32 +1,32 @@
-----BEGIN CERTIFICATE-----
-MIIFcTCCA1mgAwIBAgIJAJll+TTDkMFyMA0GCSqGSIb3DQEBCwUAMCoxGzAZBgNV
-BAMMEmh4NTA5IFRlc3QgUm9vdCBDQTELMAkGA1UEBhMCU0UwHhcNMTkwNTIzMTUw
-NTExWhcNMzgwMTE2MTUwNTExWjAqMRswGQYDVQQDDBJoeDUwOSBUZXN0IFJvb3Qg
-Q0ExCzAJBgNVBAYTAlNFMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
-vQovoPWtDeqaAUSXDD7gFfXXfxbI4M6yho6C+lc9JqnzeVYk5obeyM14Er+HHNS0
-pGJGvgelSeR0UCUmifr12zQT3hne/J225fobuO6UwcRNstTTaRxO1BdYSsIzixq+
-XJzDb3MRCY/TpE3AJZ5SqdXUexfFzCH12FXuMv4wvOlvrq2pbcKiRMBzgrWK756b
-LRR2uD9JjsN7KawVSZCRbc0gudiCX++kZAuIviv2G+kys81gBmZXJAVsVPrb+9+y
-wQXvRq2p7XPn6XpPndMHaQgD/2iNOTXbuBby0v71rheaOWFtYVbMseiB0rsdv6Ik
-Zl/L55usKDGzgLs8w6kPieDpebYmlXQW3V8LW+QyYHWvcdSmNcqej4Y+FiZqDjin
-xPzvqPVJQydVw/yi8gWILNLKB947O5O8NjSxhzHCjB+aIXgLx8uSXXY2EesR8lJz
-2SZKdCawut+kWSgHqH5UYf5IXKo+Skg+f1hWdjc44OZyMveMLzk4hTJZWYqVNxll
-OiBfz/Hke54CXaDKd4S1C3NVbrZ8w6NADaNQTMyFlHy2VEHDXRrqGrl0h0/4HIrF
-7i9ZKkz6uhr209chvFAuSbM4M5dPHE/bIMivVkk4UAm2Y1O9hAnzOMMtpkHnb4M+
-7fTwUXTLT4cSWurzcrAsIG20R3KgApQ95mQlw63gebcCAwEAAaOBmTCBljAdBgNV
-HQ4EFgQU/cZWcrzqghlIALCji/d5P/cm/CMwWgYDVR0jBFMwUYAU/cZWcrzqghlI
-ALCji/d5P/cm/COhLqQsMCoxGzAZBgNVBAMMEmh4NTA5IFRlc3QgUm9vdCBDQTEL
-MAkGA1UEBhMCU0WCCQCZZfk0w5DBcjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB
-5jANBgkqhkiG9w0BAQsFAAOCAgEAAuwu6a/S/Jc05hjMKWx3VG5leTiUr+DyA+/y
-9kHP+FInHa+qd9xil2Ms1kvW4d+A8709On+Gfv96Tzw/FKIr86kgJScwQ5dWHgDV
-DN+ogZ9MLW7sjbShSGVrUuJti/nCax5nOw0yzBvkq5tBefDIt185pS+j8utNZYQT
-6A1DNVIjWZUywCXZDiAsSXmp+LmAI9fTyUsN5ioLgaVLq/GN8zAUyXmf+VLbNnM3
-k4ZsWmjU98GZYLwuf/cocBiJMf09kwJ3o2NIdb/hgaOjlmY15LehDLVbIuF+FVp3
-hEjohF43zcFxSOLlCLhCVhcM79mzZef+xT9iCtVPiWySEhalmfXIPQ6tTY80doLW
-Ed6HhmiRx0sW3yKFfINb12qk4hZJMCMoxBK1AZlEbaB2mQxzz6Iph3kOthIJxilf
-/2dmGGi76bT66zz/sK3kz8xHUr+DUCUyVSqDdxS8ODOL4fUxT570JjVZQtzQtD3G
-CAq41zsDMGByy+vp61CyU9qrq9OxX2POTQJ7LEegKqLeksGqfFclYnEFKe8VKJRL
-kDKIqCk7CeYF3t/7aaUNAHOfNSOiFyRYXYYZLCGmIQyujJFHDz2ziPn/OD/WMkVP
-090LkDNjg4FW+DT74Iyda7dl4YQAuE9oZdVk5ZBoruJOOIW7J3e8AuL9znmIBzju
-n61nXvY=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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/ca.key b/lib/hx509/data/ca.key
index e635b57ccd09..83cff752b77a 100644
--- a/lib/hx509/data/ca.key
+++ b/lib/hx509/data/ca.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC9Ci+g9a0N6poB
-RJcMPuAV9dd/FsjgzrKGjoL6Vz0mqfN5ViTmht7IzXgSv4cc1LSkYka+B6VJ5HRQ
-JSaJ+vXbNBPeGd78nbbl+hu47pTBxE2y1NNpHE7UF1hKwjOLGr5cnMNvcxEJj9Ok
-TcAlnlKp1dR7F8XMIfXYVe4y/jC86W+uraltwqJEwHOCtYrvnpstFHa4P0mOw3sp
-rBVJkJFtzSC52IJf76RkC4i+K/Yb6TKzzWAGZlckBWxU+tv737LBBe9Grantc+fp
-ek+d0wdpCAP/aI05Ndu4FvLS/vWuF5o5YW1hVsyx6IHSux2/oiRmX8vnm6woMbOA
-uzzDqQ+J4Ol5tiaVdBbdXwtb5DJgda9x1KY1yp6Phj4WJmoOOKfE/O+o9UlDJ1XD
-/KLyBYgs0soH3js7k7w2NLGHMcKMH5oheAvHy5JddjYR6xHyUnPZJkp0JrC636RZ
-KAeoflRh/khcqj5KSD5/WFZ2Nzjg5nIy94wvOTiFMllZipU3GWU6IF/P8eR7ngJd
-oMp3hLULc1VutnzDo0ANo1BMzIWUfLZUQcNdGuoauXSHT/gcisXuL1kqTPq6GvbT
-1yG8UC5Jszgzl08cT9sgyK9WSThQCbZjU72ECfM4wy2mQedvgz7t9PBRdMtPhxJa
-6vNysCwgbbRHcqAClD3mZCXDreB5twIDAQABAoICAGl8N5ufu5NaZ9lxRsAkjbJz
-Xm6ibjFT5bbD6z56U7sxdpUshqbEd6ihTvFXQrPJ1Yss88CyT39uJaFbOaghC/Pn
-mXaEBTP9ZcPqznFhYEzHl3vE2rt6elpLNI9y0oQ6xiKzrzKPiOBHC5hRcnkLYaE3
-mrudRlhkUuUG/kYiJVwk/pcAfNyskRPAODSlzQNtA7YiByVE22z4k89rIO3N5/jX
-T/2kXQvfk2HoNcO4kDp+5DYE0iKAFPwaspqw6PQhnYOsJhrQaVQBK1XTVH4C9c2c
-FW7+Dl/wN8z/sTwf3UPqE7sVLI32e36C+X53v1/hwGIH7qYs7eH36exZjsy3l90o
-jbWvavSNB5U94rNVU42LuQUSL8ftAA9YjpmuqeZlhiumSGaz+ezC/BQ2SE0aUjyg
-/C4ZWTbwkMXif5p8DJng9vNofQJQ4qcLGnykan0tvI1naGNyVpvXcL+qGo5znN8E
-xH9hPZHk/axbV9U5sIhUM8IjGPCHldU9W+t+Ngy+k+yF9cYVQSwBnyeVM0dlWVOb
-Fy4kmXYxG7mZc6HI1aRg1Xd6rQadJ+5RkfPCa+2p2ZafoJIkNr+LbuTsri7AWlrf
-aI8MS27Wp6BmXL5YnofX2pFstLL4tStAknAMzK16RtYSs/dd69gbUdaTrmpVCi1s
-YzOmtNXFLZs+Lh0X+KgBAoIBAQDl6mycpf3clYkJ/sFaY1svX/L0Zs4BJqajKIuJ
-K1SoVCTtmiEcA0n9tZzEBp1rBgpAYdxkI8tWge6weel6Ckbunl8CLYZ0VvmAaYaJ
-/VHBzAorcH/RIlAUV/P5WSdGjtAnPK0TSdAARRppW1k01kO+XmIL/f0Mk+6KD4MX
-wgiKVKyutJ8/SjOkfzhpe/zyqAMZV0W1aDkq5focaIqy2pVZsuX47jWZyZeeCy8i
-OzpYzlCE9os+0sQU107LLcQ3YsmLFP93MA+nsatUaMzeXE5VcHsq1UbqgV3tEPgA
-QALbn7ulw6ChGzHrTyJc93dHWqGfqVi0incienn4NRnHZRYBAoIBAQDSfJQSLPBp
-UQL6kGkIPc0C8y836cNmrj5QZppbIyoTggA2ZTC8E+qKJ0rHrbzKkBZBwhLhmjcs
-qsGwuoOqQfdWW+1AAVIrjrjjoSwrT4CZqOR/vvu/2Rvb1DTxyq8Ysf4Ure/sjDUo
-EenufVQTqeBlYpvaIZirMPrvWNq0Ky7AHi5sUYQ0J6nx5uB4iwboWGB7aBf7KSh9
-hMXivYKI1hiHylkvRzGY91OCOsiHyqGrEC77lH4tMGexbkUxc+VnAhuwxdhDDJ3l
-34O4iMEhS10gBLYc6Gi174YmHQMpPvbjtcNQ8DjNDqWr7wBYhfUVw3aqpRs5D8JX
-Jxco6PRXM7+3AoIBAQC8gGr0NBPjGqb0ju4wEW3ddalYQEF+KBZPhxqAKAqMyBBO
-ziN/OCMd5BzXiyTdbmJRTurHH6HDF1x/TDTkXjCxyx7SRkkKcZS2d85arFqvrX5Z
-By+EY8GMLGBXe4T8EHMQ+GpeehITZpS09LQ64cFA/1kbw+4ItfDJONaeT/N4ltvN
-kUFPPqMAp120/nbw7Fc+G5OHnB/i0BMz33J4GUaB+G8cnRFNOT8Z0MmgIzc/QEg7
-+3dG1r7052IuqyNI1bGwWlLpgXoUX1K9Lf9p//wpiMMy5xHxiodbqqHqcpDlSB0t
-VysHa6iN6J+f4TTmR6RjpxCXVT9AAXKm0cKE/JgBAoIBAQDRbUCKoQoHT6KOGddX
-at4rnDkUAdP4u0+nAZ99JIy94jBB7wbBa3OGSDgAWx4n0ZtDjEzrCVzyZWfYZouQ
-gJgO5eI2N9pBGn1dh0SCR1UmDkRj0mt75BHy9L5FAayb/qVWgAXjL1HIb6J5N1vL
-QM/TMHzvWVQkqNRUBu18LCcU4jLAdY77sadG17fqWDHkReKhht2tebMeyFd4FaTm
-b1by7OM1xjlUAGmnfsN9UKDwqmaEzKeKYMobYSMZZD4Q8qkIhqF5fPkx+eV+WxsF
-/I1IyUdFlfxxYUPxchZuGIbf5D7Url9lr7gpTODkM0y6fcP5X9OpP8PWoT9K5hYP
-GZ8bAoIBADA78xaN+InvJYPY/a7mPmLpLm44KsCRvB/aYZmwQl00Cz1miOLZgKC0
-9crfkTdZKt8v/RZSAAduyiYMFNaXMBR9mNYCwmLzFfcNydI4ow6sJYr3nj0SOsN5
-v0XJp+cJxqlC2ZGNlNYZVGcoxXyM00PSAA1AL/oRyplC99o5DgLDhMr01ok1PuPQ
-7K3z06yCKBrAwEFXxzhI7YwdN97iY050TQLvOfO+conf5KIbb3EHycfeF0mM4OdO
-q4WdmPePVkve8PwRBdENjjrdgbUCPJV9Nk9MiAQOf5CpuH6SvuhhaRQTJgSJnxmN
-iW68RMhfob7KD8lBv9mlYZ4ZQSwJRtM=
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDE4gbVQ/vlPFU2
+W62rukqiUkJ/EIDo1HE4r+xpxO12Ke45NtqSep0d2FfSvEu8dhot1jWIkijF7B/b
+FuB0LyFryCAV/zlU9rLoadCmur5ONIgXRm7eW19wxo5YRD4CA1IRwvT+Axz0TC3e
+yquUN1C0r7ZWbiOY8uQy3Sjfar16Z3TtqlKgo4R/yF7dIPJOOVHaznC+xsfLsYE2
+r9PqbTjBF3O1pIhwV9oA3tfs23EtvcZBP3y3LSsjnKaF0b/NXmjLNW9hbmAfN+16
+TEMOlVZvBjUPO3CC/GU0PJzm1/FqyzXWeRx5FZNi7fCPKg8J9QDAgK5mMn+ZPazu
+Ut70uxUFrnRLCjCia/TgC+t2d+3AqsnRlYnLYDv/MeP/QwqHGK3+WuAS6uqXZMti
+lDhY+oiMTZ4vDHvwzJ5q3UhIpWXj5cSGWAxQurKgUsjT9stagGmXlBauMYSzFM5T
++TXica1qE7dNXjXr2sTy9BHIp+aWJuGkX9rSx8tHwbkIkVTp4UCZ+QoxBRaSmiuy
+FPM77yg6wZBuSuRRN/BNKvAhuJaE1MdA+vobbyyNbv56MU0+WI4ucD+b08JmJp3k
++fgM0fKXBQlEL4mp7zeUoLmC1yCy48Zk1foPZTRH9pIGB/zUz4B8o20NmereB9bX
+0IjJ6eqMDqvAZWZ99Nf16Q3X88T88wIDAQABAoICAQCD8TXDFpxpM9WnaCkrPN1n
+itklbln1rulxo/Q7rc21ssQDc89m+uTwa1vvzmCzHDLPJQ8bR1gry+JNYTdqpWsw
+YB2goDo7xlh/iOpb0ipXHr1VW85RFcsQOQCMBq/HiZImdRDaahutXKAg/pGd8rQT
+Yu4/XfBdP+nObIhHsbDppwules+E+BCD0jRA3SOFaMSCbncAYxbiW0LM82iBYlD2
+llDlGi6Vm0pt6umpwiZHETcb4wAhghO2+fRfGgIAD5ULGfRaxy2DvmdX3mPSEiKq
+pO5KFvt/zMXGDBjaWz1e5HBgGyoJu3vagLsGNpl9gsPOPm6h7pW0jLCnxsHEINwk
+lGbhCR9ubaZMCNuwEppPNeusURG35XiSEHC4fBPhlG6pB737a6ih/w9dwOkLuijJ
+X3vOaVj2K5waExi72uij+GnZBylemOTAy9lE3xlUzhO74h9F8DuoJHMxXKU5a24L
+/hmnnIYHOJpHQIfcfkMIx9VuG/qsug+DdOxlgByT6hbkRbX2gGSP3iqy7XUnb2g0
+3QQdyQpz8wJ2x568EAAC0HKhQj2fcL1L5lpM5xpbg6s87o50reMhcAogb2mGjx3Q
+r8u9PJeYgJ5FOqu0zLbenWkb4OLtLz6kHhOdimkCrybL+bLQFdl9lNAOqgVuJxyT
+NaClP+v9lAACBkONihU8AQKCAQEA9hxExY0NXFDZHiLq4M4DG79BthLWLi4QFZI5
+2vpzrS5kT90rptAzBenTBWdUifAI8JPkq2R8VKB8j7F5YELQ9UTmoT+qMGEslQ1p
+RTE8fZln6UhLUIv5tTwhL6Afbs2Faz7Vd7rUq9eUkyxsjxtZe5cPH1dGplx0iPQI
+QQ1OasSWc8TmZWXRvcRWe5vWiJLFZKt6fJZWYyBBvu8L7PZ6QR5Oa2EO1UTPPX+W
+7+BwsoH9Bguv+hYliKEReN8SIfOF9E/OElrNooy7eANFTQ3pNEou68rqpzX4jgdW
+G4Nnsu9rkO8K+bb+/MLBvdxrEiKrNb+xwcVOFaJNqz6aNMC14QKCAQEAzMtbIpig
+dLUha3QXrXIsEjH/hlGx0c6Q9VH/toQbBNE4LOrS4QlurX3iRz79tNYLYdwLrZ2Q
++tK31/ilX/hGIiA1w6fHcrQokddMJhhGoR6nSUiybs+75Ac01xHDSYXCo/YOkr8m
+HOtRWi+0qJqzU4sticPwi2YStM6L2gNpEDU9FQTG/wgLLHPxDEjRpkhmgQbt8nEQ
+M+amXK1othrZVSTJl1hREF11DkzhkZYyGgY4ifAyAOPW7z5K0nS2drV8PExFSkr+
+2eriVvavu/40WbvadhTy1cyVL7N3svzY34TgwqsXX1Stz8dQBa+uImt9gxmZIK9I
+reONiErKBhClUwKCAQEAjY1IyM8OBjDCECFJMq+K/iSM6OoAomMAAUgvWpF+gvcR
+3xV4i+Nn1VjddFgwOX4Dxktp1GJhWFNOEV+kTgdgJBHTDJ+PhW/+smQaTh+5iQv4
+xiY8m0FHCERjWf8g1RwERuDG6qxcsdG2tMdyUQUL/JevrPkHu5ulszeYn8HFfoc/
+eaqgUWW0sw8AJuxFAhxYyEQQmSPm3/Cnn+fh1hMV0epadExIucVv5RFDgQh4CVPW
+cem6935RbDon0HuM9FYaj6BvCAOODpYfJTHMZDtCDD82qYv2VuIl6ZqynfSAalxm
+Y9/5UhM8qahiwo7KTo3+J1XwKWEQPkUxovLIwtqsQQKCAQEAgMgwWyUXYcy1Y1jx
+usRdKmP+h3zAEWuQhHQ4FZIlW3YlmTlhutmvm7HZpWvbJuii57r0LQ00qkXwDgPy
+GtOJZtRSeuL67QqVqIB3Bk2lvJQGJnNsoXpIcTCG7efhok5XA7wrleRWF0FzOv9c
+39nIgvS2gjeRAFgD02c/Uq1qWCLicmE6sg1g2WdfYZY5IBPPQbwVzauDwN9+JjF1
+824W1Q/5JQ8Iiv36Ki/2eRK2Ft9qlnNRPnYIJxJJAucaBrRBl7luqTVX5blq87zU
+7acBTJxw2Gh7/C5WclStJQUTbBunK0NjwzMAyfRQQgMjwclOeC6UuJUBYzgBPH+r
+Yvz8uQKCAQA8WchJ0UQmOP98voo0cnIX0lcZcddwzdsZm78p1PrXqmsrxnlmRILA
+wZ5okzIzEqu1Xltu5DS/CAAWdRkY/2LFGty1dW5UR47xsWE7fMf4dbPeOcBxgfh4
+sQgG7KcWY9mw3PZ4PmPP63nRC/1Ws/+dlvpNA77BjyHH7laTVZbUadS/0bCzhJG0
+RW27r5UcPV8IhKTNU8iOxvaN2U0N2RaaxZ8AaYj8UEeMlFp91DXYa5SCWY1yM0c7
+QYpO3EtSLj+ECk09lDzQBPUo4jzb5CoTFYDEdXr8Rt4I/r03fkOwHslWUzXVyqRe
+xC/DrYbFBHh4yQWuQPsmCbi6OkGKDvwA
-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/crl1.crl b/lib/hx509/data/crl1.crl
index 606efb7240e5..575f80ea7da7 100644
--- a/lib/hx509/data/crl1.crl
+++ b/lib/hx509/data/crl1.crl
@@ -1,16 +1,16 @@
-----BEGIN X509 CRL-----
MIIChTBvMA0GCSqGSIb3DQEBBQUAMCoxGzAZBgNVBAMMEmh4NTA5IFRlc3QgUm9v
-dCBDQTELMAkGA1UEBhMCU0UXDTE5MDUyMzE1MDUzMFoXDTI5MDMzMTE1MDUzMFow
-FDASAgEDFw0xOTA1MjMxNTA1MzBaMA0GCSqGSIb3DQEBBQUAA4ICAQBV451IywmB
-L153EAciLerLs05gqigj3qrqnmzS7AVV9u05u4bq/XYllIIWua7kCnGXmx0xqY+p
-FpFlS3BKrSIOkSHL4gpwMOmZmCssaOivd88/tHCGeOtMKz3q811m4q8MyfzEc+T3
-EHg6yjsCWrWbZmrM+A8MYO2S/XZOPG88N87nQxKYbrZA/SDspNODujdXdKFMI8Qj
-9xY7aqI6w9GYiTYDXrJ+2VGtFacYwVrY1Xk3pt7DoFbq6VwVfpsYHf0zRag/xfGW
-EbIQywJDhLuLWB3gtWTYnZ3MD2LS5uCEfolckuFBw66JOZCmUq66VscTHOE5d59q
-bld2YoPVUme4QJfYMygWgyi8rnN4YkSfYaCxnDPO9vFk968N6PA+py5jHjecyVw9
-ih2rXNIk/Ia2wvyN84MBu/vpC7GyD0bBpB+aMxQvHuNYUDDnIeMRCu+Hs2Td6U57
-lmdFudCxJ8S0kF6eCx5HdOrvyRtHagsGPt1aFLxnNEc2x4ewJa1iggTBcs+X5qXC
-pk6D5FDLN5TXooi9NbLFSCdLWpoMI+KOB40Ma3KaGej0a2pZiJe8j4EPQ6WhR6Og
-nZSdwCtgTyoynI6g6YeGzkD0ZzuPujt8rsyu+cBZOdxnhuAn7F1UtIcwE4jVmmca
-EuMR2oFhjnEH4ooS/kWmgmzGPEMixKSbpA==
+dCBDQTELMAkGA1UEBhMCU0UXDTE5MDMyMjIyMjUxNloXDTI5MDEyODIyMjUxNlow
+FDASAgEDFw0xOTAzMjIyMjI1MTZaMA0GCSqGSIb3DQEBBQUAA4ICAQBCM4u2dByD
+hPsQUpPAPsZ/a7tPdvkgmcLtk2CFhtJqtDBT96SAr0tVpcpIbZoB0tH/MvJfhAaR
+AOLrgdmrwlKaIbq3uyEDIghRlRiG2WXX+gsP9yK1xS6AuQnXS8Pnyng0xo2V8fMy
+UCN+gKvO70O6dqcDApU1Tt5jxkPFACBYSSMsuunrjWGuttKGebJJGeBzU+PYt7bZ
+7CT2BgsLgl5J2DL6KO9tGjDmlGKKC2joF1PDkjzbIfs389eyOZqJu/3Q4EtBFzad
+Yz0DAEDzDrn7dj53NJp6dxbqOM86woak37dtDG5Mwu8KTQEGpfsqdofQf39nluJu
+70NHJrXP+9IQ7Tvb3bakZbyigw7J9PBXaHyImXN/gejYD/FQjghnmS2QU72JsSKT
+3nAN3I6MRAEIhoaxForCl3f+uHgtvQBBITSIUdnGaTZnI0mXrkHS9H4eWWJREZbc
+wBqKGZxbfy8ZbPaKv75Zzj0ZMns7vNybUqLEE/OcwrEjd/pCLwWZ6KzgtS1t22TU
+o3H26GNLzMQvg/1dVsRZWrkWxAjVNHtUIXXbmBOvSii3BX7jPIfH1bCZrfsl0xrS
+BsqhtIZj74hyTV1FX79CdFu0Ag/ugtzY4K8rdIu9kaPe2Ju6ulQBtpmCK++H7szP
+48fJOwV1aKzJGVCH61kSGc8ljyGjDEDn4Q==
-----END X509 CRL-----
diff --git a/lib/hx509/data/crl1.der b/lib/hx509/data/crl1.der
index f42512706a12..a6674231a379 100644
--- a/lib/hx509/data/crl1.der
+++ b/lib/hx509/data/crl1.der
Binary files differ
diff --git a/lib/hx509/data/https.crt b/lib/hx509/data/https.crt
index 0d393a8e1db0..54d5df11ec48 100644
--- a/lib/hx509/data/https.crt
+++ b/lib/hx509/data/https.crt
@@ -5,48 +5,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:17 2019 GMT
- Not After : Jan 16 15:05:17 2038 GMT
+ Not Before: Mar 22 22:25:10 2019 GMT
+ Not After : Nov 21 22:25:10 2518 GMT
Subject: C=SE, CN=www.test.h5l.se
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:b5:58:e9:eb:2d:b3:7c:94:b7:a2:08:ec:fd:50:
- c2:61:a4:35:c8:eb:ad:d6:93:4c:50:9a:ad:e0:9a:
- 00:ae:4e:ef:ed:5e:ef:d9:cb:98:a6:5e:65:7f:a6:
- 38:c0:ee:17:48:90:80:4c:6c:71:7a:11:af:11:22:
- 1b:17:2c:db:c2:cc:2c:d0:0e:de:ea:95:6a:d0:42:
- bb:b0:a1:eb:7c:9e:f0:28:64:dd:44:7f:c8:f6:d5:
- 48:e4:80:be:f7:58:18:d6:d4:57:7a:09:07:3f:23:
- d8:00:53:84:0f:72:e9:0d:a8:b9:49:57:80:f4:00:
- 9c:92:16:bd:a7:ea:12:81:96:59:48:8b:ff:b9:8b:
- 9d:68:e6:7c:0d:fb:c8:57:cc:ba:6a:4c:57:cc:e4:
- eb:af:cc:6e:38:80:e6:47:a0:f2:e4:09:39:79:fb:
- 42:c4:29:b2:8d:f1:8f:b9:45:1f:47:c2:e8:30:84:
- a5:e7:fa:7c:df:f0:07:89:1e:fd:6f:a5:1d:88:57:
- 4e:76:bf:91:c7:39:ac:87:6f:b0:29:0b:c0:04:89:
- 95:9a:8a:b3:4a:22:63:7c:26:e2:ea:fc:e5:f8:43:
- b5:67:50:0f:99:e0:9d:e2:2b:3f:fa:19:e4:61:1a:
- e4:c7:68:66:43:a1:05:15:24:c4:09:3b:5d:b4:3a:
- f8:87:d4:d8:80:cf:6c:ed:fa:b1:b7:7d:2b:68:ca:
- 3a:26:a6:49:1e:e7:27:fc:4f:89:7b:19:ce:8d:c9:
- 9d:cd:55:63:72:29:b1:2b:1b:35:a4:07:32:4f:13:
- f1:bd:03:1f:b4:fc:f0:05:c4:9e:b0:c8:72:37:2c:
- 0c:82:bc:d4:a7:87:d3:33:10:f3:80:fe:bf:61:1b:
- 5e:c0:5b:c0:09:3d:db:c0:9d:91:92:c4:7c:7a:eb:
- ec:b0:8e:69:a1:47:66:53:02:51:55:90:d1:e2:9a:
- 86:70:7b:63:d4:b9:03:18:c8:01:69:c6:e9:63:bc:
- 2b:b5:75:dc:03:5f:ef:b2:d3:3a:c8:db:3c:b6:3d:
- 59:91:fc:7d:96:bf:43:97:5a:40:d6:f2:f8:82:44:
- fb:9d:36:47:3f:3a:33:43:6d:9c:44:ba:60:1a:9d:
- 77:02:44:14:d0:73:99:53:6d:ef:70:34:0b:11:b1:
- 16:c3:c9:4b:41:66:64:4c:88:fe:12:8f:3d:4f:29:
- 2f:b3:e8:15:8b:26:5a:ba:f9:fc:6b:ec:9d:8a:d9:
- 65:17:de:e5:ce:a7:84:1b:1e:f1:ad:32:b3:78:15:
- 7a:08:e3:93:9e:e5:eb:3c:33:9e:d5:2a:21:20:62:
- 90:c7:d8:3e:d4:1e:0f:06:20:01:6e:22:a4:67:de:
- 68:f0:b9
+ 00:bb:ca:85:9c:3d:6b:5a:21:1b:2c:84:35:48:37:
+ bc:13:62:93:ff:7b:be:49:40:e2:36:b5:7a:54:a4:
+ e3:0f:b1:87:29:de:6b:7d:86:ec:b6:25:c5:9c:dc:
+ 13:06:57:4c:80:1b:86:f0:ac:e6:64:8f:aa:63:cc:
+ 28:49:5c:84:09:b8:0f:31:99:dd:36:d2:42:b5:aa:
+ df:31:f6:27:ca:c2:4c:50:11:5b:01:94:17:da:2a:
+ 5c:21:e5:b5:81:23:69:3e:4f:1d:08:48:95:57:30:
+ 77:96:ae:9b:78:87:10:e4:6d:90:e8:78:ad:19:41:
+ 3d:b8:91:1c:b6:04:78:52:e5:e4:3f:28:df:01:13:
+ da:aa:cb:24:cf:f5:93:f9:02:b8:c5:dc:47:fb:79:
+ e5:de:9e:19:b3:28:ab:2d:bd:73:48:0f:71:0a:b6:
+ 81:5a:6d:02:6d:9c:c8:c3:14:d5:82:bf:19:b8:d0:
+ 6f:58:32:6c:76:91:f3:07:6b:25:4a:59:f4:2d:c9:
+ 8d:da:ee:cc:30:5b:5b:d8:f3:0d:63:28:8d:9c:df:
+ 21:b5:3a:41:e0:55:d0:5f:f1:32:45:0b:6b:40:b6:
+ d8:43:0c:7b:28:3d:2d:7c:40:19:a2:e0:d6:a2:0b:
+ 32:65:a3:81:e9:1c:e5:6a:f6:61:7c:66:fa:c6:10:
+ bf:5d:1d:d9:c1:1a:67:fb:a0:43:15:ff:f5:40:5a:
+ 0c:8a:4b:48:38:d5:c7:77:48:19:f7:21:de:73:17:
+ 97:cf:03:d7:c3:84:22:38:ae:f2:be:d2:61:af:37:
+ 38:31:41:01:97:58:93:ba:80:da:bb:00:33:a8:2b:
+ 98:34:80:8b:00:1e:83:02:c4:26:3f:5c:51:a9:29:
+ e3:ac:b1:36:31:57:87:43:94:57:3a:17:f4:6d:34:
+ bf:23:b6:a2:56:d2:b7:72:7e:35:34:d9:58:46:c1:
+ 64:2d:3f:e7:ff:e4:fd:42:11:d9:04:98:ba:9d:88:
+ ec:e7:ae:bb:11:42:fd:00:cb:24:17:27:94:2c:a0:
+ 34:df:18:8b:7a:bc:39:55:6c:02:3b:44:cf:a4:42:
+ f3:e3:81:5b:d6:90:8e:78:d7:3f:4c:ef:6c:de:4d:
+ 7e:41:ce:87:8f:c0:38:a4:57:05:63:32:85:c3:de:
+ 88:aa:8c:0b:04:df:c3:86:64:4c:19:91:e1:e4:b2:
+ f8:f6:f3:fe:93:c3:3e:c1:b1:74:b4:72:ff:88:94:
+ 8d:34:a3:b0:9d:55:aa:fe:bc:bc:41:55:49:8a:f1:
+ ee:dd:fa:0e:a1:fa:b9:71:a7:d5:fc:b7:fc:ab:c2:
+ af:8f:bd:6e:48:ec:54:f0:f8:a8:b4:d7:6c:11:0e:
+ f9:16:ab
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
@@ -54,63 +54,63 @@ Certificate:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
- 91:03:3F:14:E3:BD:43:98:B2:D4:7F:46:C2:A7:B7:BB:0F:74:99:F3
+ AA:3C:0D:95:CD:14:0A:9C:A5:2D:09:6E:EE:5B:43:A9:AF:3F:6E:54
Signature Algorithm: sha1WithRSAEncryption
- 27:3f:d8:cb:68:c8:ef:35:ed:a0:50:d7:58:60:77:48:76:45:
- 7a:2c:20:22:81:62:e3:e2:0d:10:48:d7:74:23:95:76:fb:78:
- c3:98:d2:39:13:13:7f:2a:38:dc:2a:80:ba:33:0a:51:d6:9e:
- 0c:44:04:84:f0:ae:20:1e:e6:e8:89:09:cd:87:66:1b:80:21:
- e7:bc:03:e0:c7:15:19:23:b7:05:0b:f9:64:50:b6:6f:7d:14:
- 68:96:bb:4d:d6:c0:29:7f:e3:a1:48:c4:ad:6f:a7:bf:d2:63:
- de:b7:fa:4f:8c:5e:ad:8e:c8:7e:4f:a4:9a:95:71:29:10:64:
- 78:a0:55:ac:ec:9a:f0:27:03:2e:c4:ec:fb:4f:d2:a0:7e:98:
- 90:88:30:02:45:07:10:d5:ad:f6:a8:e7:01:6c:87:c7:2e:0d:
- d1:35:3a:e6:b0:e9:19:c9:c9:f7:ce:5e:77:d1:50:84:8a:c3:
- d1:f1:56:2d:6e:65:0d:6f:e2:a0:c5:0e:48:82:6e:da:37:42:
- fa:cf:5d:92:84:3a:67:bd:41:28:19:b8:81:1c:c3:eb:00:f0:
- b0:a9:59:17:79:87:4b:d9:4f:e8:cf:30:76:42:55:9c:57:00:
- d1:b2:2e:19:59:31:24:c2:9c:fa:c1:0b:54:56:a5:29:19:fd:
- 14:82:c0:3f:a8:d1:a1:c9:6d:1e:f4:11:89:50:58:4f:8d:8a:
- f8:f2:47:29:8c:a8:2d:21:1b:9b:ef:c6:1f:63:90:85:f1:c7:
- d0:40:a0:53:29:9b:49:6a:73:38:d2:25:95:f7:52:2f:a0:24:
- 1c:af:f1:f9:6e:78:d3:81:03:cd:3d:91:b0:99:45:fb:87:39:
- 6e:b3:7c:fb:f7:60:01:86:71:40:5f:85:8b:7e:fb:cf:95:df:
- 76:cc:7b:2c:06:d9:a5:cf:4d:f7:62:ab:57:2c:da:83:6e:34:
- bc:bd:d8:d1:d4:5f:1b:94:78:c0:d3:b1:8c:82:d7:b1:f5:2c:
- e5:30:bf:59:3e:d2:1f:a4:8e:0b:0c:d6:d1:fd:08:24:2c:31:
- cb:b0:e6:36:3f:d7:b0:46:99:e1:48:18:8f:9f:42:fd:44:cb:
- 6d:cc:b3:07:3b:7c:eb:44:d2:b4:52:12:2a:ba:c3:cb:f8:04:
- 65:02:27:61:b9:35:9c:0d:0b:70:a1:d4:e7:c8:49:91:37:03:
- 9e:8f:6e:a5:91:e8:6e:5e:ec:c4:17:4c:f6:dd:93:11:9d:40:
- ad:e2:3c:05:dc:22:ff:1a:04:d7:b0:d4:a4:c0:03:e3:ba:4c:
- 5e:b3:7a:bc:08:73:52:92:42:ab:7a:85:e1:64:e1:4e:b5:63:
- 98:a9:b1:fb:23:61:1e:d5
+ a3:ec:06:1b:66:b3:cb:a3:12:38:ef:30:dc:a6:a1:fc:d3:52:
+ d0:73:c8:a9:4d:0b:8e:02:2a:08:a6:4f:55:41:2f:46:2b:cf:
+ e9:04:07:9d:42:47:0d:88:64:1f:39:ae:d7:9b:30:43:47:f9:
+ ba:96:a8:2f:7a:6e:4b:22:9c:65:c7:9c:8c:c6:d2:f2:5f:a9:
+ fd:de:eb:9e:7a:13:b8:22:0c:59:15:90:ba:65:b7:08:3d:dd:
+ 2e:e2:09:be:47:53:25:0a:8c:d3:e0:78:e9:1a:15:8e:32:b2:
+ 5f:76:e1:68:3c:2f:33:3f:38:17:ff:3b:ad:43:b7:0e:87:08:
+ 97:6b:8d:a7:6c:3b:de:1a:18:3d:5b:74:0b:87:03:8a:49:b0:
+ 22:84:2a:72:f1:01:c3:b5:55:9e:4a:56:c1:96:6c:ba:9c:eb:
+ 58:ce:4e:53:fd:b8:99:02:c1:d5:62:ef:b5:44:73:1c:c6:4f:
+ 26:f9:8d:6b:e9:58:be:3c:4a:56:ef:65:6a:f5:71:1c:3b:8e:
+ f4:ae:43:44:ab:26:80:41:da:a9:6b:9b:63:49:bc:39:76:3b:
+ 1e:fe:a5:24:0e:4c:59:51:9d:47:c4:ce:2b:90:65:e8:f8:ae:
+ ab:aa:14:cc:d2:4a:cf:85:20:40:dd:80:49:ea:7c:98:04:ee:
+ 57:41:e6:bc:13:fc:28:5e:08:5c:ee:fa:1b:72:ea:80:e8:ba:
+ 7e:d6:34:eb:fc:88:f1:16:42:b2:bb:22:9c:e0:36:84:23:f5:
+ 20:86:dc:38:55:89:dc:0e:67:7c:c7:bb:2f:36:25:bc:ca:be:
+ 2b:1c:79:26:79:2b:49:17:3c:76:02:cf:f9:e3:8a:3f:15:69:
+ 2c:12:5c:99:93:85:11:c8:90:68:d6:f1:8d:87:30:bf:0d:ec:
+ 89:9a:f4:48:cc:26:95:c7:65:cd:30:cc:d0:93:c3:80:3f:ad:
+ a6:fa:7c:88:82:53:0e:9b:16:c3:dd:27:9a:d0:99:05:fb:2d:
+ d0:e6:fa:08:92:46:ee:dd:44:9d:56:b2:95:52:99:db:5a:20:
+ 16:c9:a7:a3:0b:a3:c5:d8:0a:b7:c2:cf:f7:95:a4:df:4c:f9:
+ 2f:69:a0:27:6e:0f:85:3e:76:b4:3d:6b:f7:4a:de:1a:de:a4:
+ d3:01:91:f1:44:59:44:2c:93:15:52:99:da:6e:93:b8:da:54:
+ b5:06:ff:82:9b:cf:57:0c:7d:06:6b:ff:ce:b9:c9:47:62:c9:
+ 15:f4:67:4e:57:12:74:d7:b5:31:53:cc:eb:d7:05:4d:34:58:
+ a9:5d:33:85:2d:72:6f:12:99:7e:60:63:27:05:74:8b:85:0c:
+ 0b:f9:b3:b4:e7:f6:4e:4b
-----BEGIN CERTIFICATE-----
-MIIFBTCCAu2gAwIBAgIBCTANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxN1oXDTM4
-MDExNjE1MDUxN1owJzELMAkGA1UEBhMCU0UxGDAWBgNVBAMMD3d3dy50ZXN0Lmg1
-bC5zZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALVY6ests3yUt6II
-7P1QwmGkNcjrrdaTTFCareCaAK5O7+1e79nLmKZeZX+mOMDuF0iQgExscXoRrxEi
-Gxcs28LMLNAO3uqVatBCu7Ch63ye8Chk3UR/yPbVSOSAvvdYGNbUV3oJBz8j2ABT
-hA9y6Q2ouUlXgPQAnJIWvafqEoGWWUiL/7mLnWjmfA37yFfMumpMV8zk66/MbjiA
-5keg8uQJOXn7QsQpso3xj7lFH0fC6DCEpef6fN/wB4ke/W+lHYhXTna/kcc5rIdv
-sCkLwASJlZqKs0oiY3wm4ur85fhDtWdQD5ngneIrP/oZ5GEa5MdoZkOhBRUkxAk7
-XbQ6+IfU2IDPbO36sbd9K2jKOiamSR7nJ/xPiXsZzo3Jnc1VY3IpsSsbNaQHMk8T
-8b0DH7T88AXEnrDIcjcsDIK81KeH0zMQ84D+v2EbXsBbwAk928CdkZLEfHrr7LCO
-aaFHZlMCUVWQ0eKahnB7Y9S5AxjIAWnG6WO8K7V13ANf77LTOsjbPLY9WZH8fZa/
-Q5daQNby+IJE+502Rz86M0NtnES6YBqddwJEFNBzmVNt73A0CxGxFsPJS0FmZEyI
-/hKPPU8pL7PoFYsmWrr5/GvsnYrZZRfe5c6nhBse8a0ys3gVegjjk57l6zwzntUq
-ISBikMfYPtQeDwYgAW4ipGfeaPC5AgMBAAGjOTA3MAkGA1UdEwQCMAAwCwYDVR0P
-BAQDAgXgMB0GA1UdDgQWBBSRAz8U471DmLLUf0bCp7e7D3SZ8zANBgkqhkiG9w0B
-AQUFAAOCAgEAJz/Yy2jI7zXtoFDXWGB3SHZFeiwgIoFi4+INEEjXdCOVdvt4w5jS
-ORMTfyo43CqAujMKUdaeDEQEhPCuIB7m6IkJzYdmG4Ah57wD4McVGSO3BQv5ZFC2
-b30UaJa7TdbAKX/joUjErW+nv9Jj3rf6T4xerY7Ifk+kmpVxKRBkeKBVrOya8CcD
-LsTs+0/SoH6YkIgwAkUHENWt9qjnAWyHxy4N0TU65rDpGcnJ985ed9FQhIrD0fFW
-LW5lDW/ioMUOSIJu2jdC+s9dkoQ6Z71BKBm4gRzD6wDwsKlZF3mHS9lP6M8wdkJV
-nFcA0bIuGVkxJMKc+sELVFalKRn9FILAP6jRocltHvQRiVBYT42K+PJHKYyoLSEb
-m+/GH2OQhfHH0ECgUymbSWpzONIllfdSL6AkHK/x+W5404EDzT2RsJlF+4c5brN8
-+/dgAYZxQF+Fi377z5Xfdsx7LAbZpc9N92KrVyzag240vL3Y0dRfG5R4wNOxjILX
-sfUs5TC/WT7SH6SOCwzW0f0IJCwxy7DmNj/XsEaZ4UgYj59C/UTLbcyzBzt860TS
-tFISKrrDy/gEZQInYbk1nA0LcKHU58hJkTcDno9upZHobl7sxBdM9t2TEZ1AreI8
-Bdwi/xoE17DUpMAD47pMXrN6vAhzUpJCq3qF4WThTrVjmKmx+yNhHtU=
+MIIFBzCCAu+gAwIBAgIBCTANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
+OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMCAXDTE5MDMyMjIyMjUxMFoYDzI1
+MTgxMTIxMjIyNTEwWjAnMQswCQYDVQQGEwJTRTEYMBYGA1UEAwwPd3d3LnRlc3Qu
+aDVsLnNlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAu8qFnD1rWiEb
+LIQ1SDe8E2KT/3u+SUDiNrV6VKTjD7GHKd5rfYbstiXFnNwTBldMgBuG8KzmZI+q
+Y8woSVyECbgPMZndNtJCtarfMfYnysJMUBFbAZQX2ipcIeW1gSNpPk8dCEiVVzB3
+lq6beIcQ5G2Q6HitGUE9uJEctgR4UuXkPyjfARPaqsskz/WT+QK4xdxH+3nl3p4Z
+syirLb1zSA9xCraBWm0CbZzIwxTVgr8ZuNBvWDJsdpHzB2slSln0LcmN2u7MMFtb
+2PMNYyiNnN8htTpB4FXQX/EyRQtrQLbYQwx7KD0tfEAZouDWogsyZaOB6RzlavZh
+fGb6xhC/XR3ZwRpn+6BDFf/1QFoMiktIONXHd0gZ9yHecxeXzwPXw4QiOK7yvtJh
+rzc4MUEBl1iTuoDauwAzqCuYNICLAB6DAsQmP1xRqSnjrLE2MVeHQ5RXOhf0bTS/
+I7aiVtK3cn41NNlYRsFkLT/n/+T9QhHZBJi6nYjs5667EUL9AMskFyeULKA03xiL
+erw5VWwCO0TPpELz44Fb1pCOeNc/TO9s3k1+Qc6Hj8A4pFcFYzKFw96IqowLBN/D
+hmRMGZHh5LL49vP+k8M+wbF0tHL/iJSNNKOwnVWq/ry8QVVJivHu3foOofq5cafV
+/Lf8q8Kvj71uSOxU8PiotNdsEQ75FqsCAwEAAaM5MDcwCQYDVR0TBAIwADALBgNV
+HQ8EBAMCBeAwHQYDVR0OBBYEFKo8DZXNFAqcpS0Jbu5bQ6mvP25UMA0GCSqGSIb3
+DQEBBQUAA4ICAQCj7AYbZrPLoxI47zDcpqH801LQc8ipTQuOAioIpk9VQS9GK8/p
+BAedQkcNiGQfOa7XmzBDR/m6lqgvem5LIpxlx5yMxtLyX6n93uueehO4IgxZFZC6
+ZbcIPd0u4gm+R1MlCozT4HjpGhWOMrJfduFoPC8zPzgX/zutQ7cOhwiXa42nbDve
+Ghg9W3QLhwOKSbAihCpy8QHDtVWeSlbBlmy6nOtYzk5T/biZAsHVYu+1RHMcxk8m
++Y1r6Vi+PEpW72Vq9XEcO470rkNEqyaAQdqpa5tjSbw5djse/qUkDkxZUZ1HxM4r
+kGXo+K6rqhTM0krPhSBA3YBJ6nyYBO5XQea8E/woXghc7vobcuqA6Lp+1jTr/Ijx
+FkKyuyKc4DaEI/Ughtw4VYncDmd8x7svNiW8yr4rHHkmeStJFzx2As/544o/FWks
+ElyZk4URyJBo1vGNhzC/DeyJmvRIzCaVx2XNMMzQk8OAP62m+nyIglMOmxbD3Sea
+0JkF+y3Q5voIkkbu3USdVrKVUpnbWiAWyaejC6PF2Aq3ws/3laTfTPkvaaAnbg+F
+Pna0PWv3St4a3qTTAZHxRFlELJMVUpnabpO42lS1Bv+Cm89XDH0Ga//OuclHYskV
+9GdOVxJ017UxU8zr1wVNNFipXTOFLXJvEpl+YGMnBXSLhQwL+bO05/ZOSw==
-----END CERTIFICATE-----
diff --git a/lib/hx509/data/https.key b/lib/hx509/data/https.key
index 1a1c28e5eac8..59d7bfd2ae52 100644
--- a/lib/hx509/data/https.key
+++ b/lib/hx509/data/https.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC1WOnrLbN8lLei
-COz9UMJhpDXI663Wk0xQmq3gmgCuTu/tXu/Zy5imXmV/pjjA7hdIkIBMbHF6Ea8R
-IhsXLNvCzCzQDt7qlWrQQruwoet8nvAoZN1Ef8j21UjkgL73WBjW1Fd6CQc/I9gA
-U4QPcukNqLlJV4D0AJySFr2n6hKBlllIi/+5i51o5nwN+8hXzLpqTFfM5OuvzG44
-gOZHoPLkCTl5+0LEKbKN8Y+5RR9HwugwhKXn+nzf8AeJHv1vpR2IV052v5HHOayH
-b7ApC8AEiZWairNKImN8JuLq/OX4Q7VnUA+Z4J3iKz/6GeRhGuTHaGZDoQUVJMQJ
-O120OviH1NiAz2zt+rG3fStoyjompkke5yf8T4l7Gc6NyZ3NVWNyKbErGzWkBzJP
-E/G9Ax+0/PAFxJ6wyHI3LAyCvNSnh9MzEPOA/r9hG17AW8AJPdvAnZGSxHx66+yw
-jmmhR2ZTAlFVkNHimoZwe2PUuQMYyAFpxuljvCu1ddwDX++y0zrI2zy2PVmR/H2W
-v0OXWkDW8viCRPudNkc/OjNDbZxEumAanXcCRBTQc5lTbe9wNAsRsRbDyUtBZmRM
-iP4Sjz1PKS+z6BWLJlq6+fxr7J2K2WUX3uXOp4QbHvGtMrN4FXoI45Oe5es8M57V
-KiEgYpDH2D7UHg8GIAFuIqRn3mjwuQIDAQABAoICAQCmrGPCHSzcEat9J4r5f2JI
-b65nTgVmM9duNdwdlC2QB0kI97qmiDNypUvQOKvs1mdb8EOa+giJ0vr+WkRf1oDc
-1t9REnnbTRzw8ISk4Q0YatP7rEiZjoDcLEdkjNf3aWba/CqyJN4eMAl0s02rDUgZ
-n7s8J0qD+JPuySviyoXbyJ2iydltZV51bXETQRhvaeDjlesUjEn6N4AOOpprtwfG
-gpvq+v3wYQqU3zHjbB5FzGOvRBtfzJ89CtVCN9Ni63TrPKMHDSck3mMtz38vGneP
-NAzmDxidyGF7WBozM+EBfumZXMIaAZHarzmL2oRGo3sls1RaUAHl3va2LXQAFDsa
-vwAZBc5vcoBvnBCmnQCGnOF4NLSvo+x1CBWpDl7hatUfO35D/aLtIPZh6RofEVCy
-IQAM/ScZfk9kGyy7QfoTiPNjzCx+YF8iXQV/04Q2E2/nHRhq5OnyL3gzXd5PWuzM
-SLsEcYZecAJ3K4OJCtXTMguaaPNQqdGbkBKW47/lun216QL2CVAeKcRnqC+xNJ51
-Rv9sQTMrBhByPZvhO7I6m0PA1CU5ACcVYHHx1zkVRNYbC9Wv8KSk3Nj3Yi0br8wO
-akPDFCUcA5VSysQ3Be5VxF5yUiwuAb+sjl1E815l+ElvVFH4I1AY8GyC1kgBg0Q4
-L3lTiKS7EVZJTOvDGgH4iQKCAQEA6ufkBK3t6JOgq1LRl5+XdSZtMklwh7/0E7ma
-Kwma55gpmiOZmEK5mkBowR2J7NS1XXtOJkV2oj9vVU6hFFipU/5eNTEc7FqhJzxs
-WPtsJmVrwzEXq9rTDQ+EsOoyfPamocg3eMeWIfpjtWue7rn779/enamkUVuxal+C
-Tpw7zC/V3cg8jvjOMktafCUGtO4GtsRyxJeiNxWkd1Dfb4WYkc9pye6m7SpciKUJ
-HunNtLzHuXCc0nlt60JffecGgfGl6M2rWDPROYR64WXmYufus4JrP/qdBiWYV9zl
-33NNuTRuLKitFQsPv12+MHB6vUWj2x5SpfH5sJAK0LiMRTQW9wKCAQEAxaHMdh7e
-Votke9cQ8n/AXAkczLEI2XnGUFYkqCirqw+kQhNyzyy0iO36N1bUY5GyaJP2xz4X
-gUYoxcNnnjXghiJ8aEqnrbpcS/4YxvgVf4wMDaBgc3PNFA5zrKplYDVzUT8rYsmR
-6m/q84CGcmPYelP/reVBpMqJKucB4vIY+tbBoF2jre1EPJBTjNggaHavQ+j5Hi6Q
-ec+n18KhXZt+vFKFHmkYxMweHnOFEMNDY5s7q5pwnee93f+2NCtYmcmkNaNRUMRf
-3N4t8HRPLbtObYYp9A3u8C8p3Zcj7GjiWA7uzKOB0hCQaf8zEKmVky5GuvawZhm3
-vT1FSKJ1aQXZzwKCAQA1xLh7nbg8KTZ4oK9a7mvDo/UQsqCwYe6jaTNxsHQlmL3F
-C2sH4BYNybpwoatFa3bMHAJKXlIGV1DLjQDv4E9561pzAHfnXeNPUNRYFcyuiT5+
-YklRy/fNIIU13ZWK5wZDN8oCumSSCHc0OpsZd7bENFEHc6IqATv95ji0d6x0U2q3
-pjK+YxMHjhn7GpqLZYRh51uBxleaFjkcGoXaSBEhJwHG9/p7hNvDZ0tMKSYtvZxV
-xQIQZz0SwZGMBwqFSeO5AwK6YLn+WWWrHCD8+Ku5qRuVfG7ezlItomF3oTPkNa0W
-SdG8ZFjJa9Kx0b02f68+45T1aQrHMGFZXzS0TnUHAoIBAHPAxZF1mQIVmKAUIj/2
-ZUNCrxSQqD9AXNAW9FdtosaJXcq5u2fupjsBL6mT+MfswRMRftvJ2ViFMEJMpfb7
-VWsa7cTj3PwbCA4WYIrBKU5QR4r/oR5d+ALESCocj03fYJB4sD+nEgi+zl0arSR4
-qIVVh45hlaYgXmC7dtZmuAzLFhOIZOLs8ieK3PTEbY7h3Nuoq6hq24INByCPRZYf
-CgbhSki6g6BYcVeij5B23ZSMilGDHmzOG93X9O7vaHCCsuQbqPfmXMNvena4mNuP
-NmtdxlrEgms5JIs+B/Nipxeuf11qcxIHU55Rs6YRvaK72v+Ml1rlu0Fijp7xUFVX
-8O8CggEBALa5eXFkbBLudIrvum4+trQDD1WWjUO6WmR+VuddKSsEsKj4q6ubbCEZ
-Dj4RyRNlDJ4yCaJtMFdfT8bjRcbLrHw5ZVgUpvtPBWGAvuVc9Tr/xq1Hn75w6isu
-BEeWN2DSWSofpWCaAQk20EKzXxkIrzgzt1Ht5t22wsZ9Def07G6eUWlRQy1hRbH+
-G8sv+E5soYm5/3mAcUuUqsbyCqm4zaxSPquvbuywYPjQXyU24tfr8TtQz3XiWpzM
-ZS0Wou4EgiJQUZGcwV8rX5j8ELSTNkm5UnBaLRWT/raG3s30F6B3WjLbsxr926mB
-2zmdO3l0e9ryWpkYHrKaEdZhkQx6ryE=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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/kdc.crt b/lib/hx509/data/kdc.crt
index 6a0e32934a6d..a92fcc0a6863 100644
--- a/lib/hx509/data/kdc.crt
+++ b/lib/hx509/data/kdc.crt
@@ -5,48 +5,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:16 2019 GMT
- Not After : Jan 16 15:05:16 2038 GMT
+ Not Before: Mar 22 22:25:09 2019 GMT
+ Not After : Nov 21 22:25:09 2518 GMT
Subject: C=SE, CN=kdc
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:ab:f2:c2:da:bb:d1:bc:5a:96:c0:76:11:4e:7a:
- 52:49:8b:84:ae:ca:44:4c:5b:30:ad:9a:6d:94:5b:
- 1a:52:3f:d5:9b:d9:62:4b:96:51:bd:e3:55:be:5b:
- 09:65:7b:3a:3b:2a:1f:9b:a2:95:e5:a6:f6:85:1f:
- 7b:35:b8:2c:55:14:19:13:91:bd:56:6e:5b:f7:49:
- 03:a8:53:01:16:27:53:8e:3e:71:1d:9c:dc:38:30:
- 38:c2:55:e3:58:15:bb:de:53:8d:2a:5f:68:b0:49:
- e4:7f:dc:38:57:fe:89:1b:6f:5d:52:fc:fd:cc:ef:
- 37:71:e6:70:13:3f:24:5a:a2:8d:b5:a4:90:4a:2a:
- 0e:e0:c2:6f:4d:0e:ef:ab:c9:2f:90:0a:ee:20:e8:
- be:6b:bb:4e:43:8b:56:9f:50:aa:e0:71:2b:0f:2b:
- b6:68:d6:11:c0:c4:31:b0:ab:32:a1:2e:93:54:6d:
- ab:d3:c1:84:4f:c3:fc:10:a5:fa:6a:ae:8c:80:05:
- 7c:54:4c:c1:aa:bc:50:ec:3c:19:9e:aa:df:82:0c:
- e7:6e:ed:c9:f4:46:3e:60:6b:81:d9:b3:d7:64:19:
- 5f:64:bc:b5:a6:f6:38:03:02:ab:f2:b3:ba:2f:4f:
- be:e3:c3:34:cb:d8:01:42:3d:43:81:9d:a9:4f:5e:
- 6f:14:d1:84:05:b6:f3:f0:9b:fa:b5:e8:1f:e6:40:
- e2:b9:ce:a9:eb:1c:c4:da:85:b2:6b:b1:c7:a5:91:
- 0f:a0:79:7a:85:b2:b4:b5:4e:a6:8c:cd:c6:45:5c:
- 97:d2:e8:3c:01:2a:77:b2:e1:a7:2f:ed:2c:bf:42:
- 77:94:a4:47:bf:c7:58:43:14:08:66:4e:5d:24:99:
- bd:5f:0d:e1:b1:56:f1:c3:db:97:f6:b5:22:92:23:
- eb:a5:f5:49:4d:76:80:4a:83:af:a8:17:31:38:b6:
- 3b:49:1e:37:5e:fb:e7:9e:90:1d:8c:b0:8a:c2:dd:
- 5e:1d:1c:2f:c4:71:aa:d2:2b:c5:16:09:f1:5d:63:
- 7c:02:dc:b6:e0:b9:f6:2b:a1:56:1b:20:8f:13:c4:
- 60:d0:21:c9:91:a4:43:de:f9:64:d8:4a:5c:4a:cd:
- 51:87:66:55:ec:9c:2d:10:b3:23:6e:0e:48:44:2b:
- 86:01:73:2e:77:28:5b:6e:43:09:ea:0f:cc:0e:da:
- da:88:f9:ef:6b:37:48:bd:e4:47:4a:4f:f9:72:bd:
- b9:c4:a0:bc:67:29:ec:5a:55:22:b6:8e:f0:23:9f:
- c1:fb:86:9c:18:59:43:4c:eb:b6:bd:2e:18:fb:44:
- ae:27:15:e7:3d:6d:9a:c7:6f:61:99:e1:7a:80:de:
- 64:a8:e7
+ 00:d1:73:ec:58:67:7a:65:30:ab:19:15:a1:bf:1e:
+ de:db:e5:4a:92:f0:99:8a:eb:02:6d:e4:31:1a:c7:
+ 4d:07:57:b1:82:9e:d2:d2:c7:f3:0b:b2:82:61:5c:
+ ba:38:c3:54:e9:e1:be:6b:5f:0d:22:62:2b:cb:d5:
+ 34:0e:63:0b:50:8a:8b:b3:be:6a:e1:85:dc:b1:28:
+ 13:ee:dd:6e:40:d5:48:1d:eb:aa:04:0b:e7:c8:1c:
+ 6d:60:54:b6:cc:be:52:5a:88:22:ce:07:2d:3f:cb:
+ fc:00:ab:8b:a5:e7:32:8e:b1:8b:03:d8:81:a2:69:
+ d4:9f:3a:ff:da:b5:e3:0d:e3:21:54:29:cb:61:ba:
+ 16:13:94:97:1b:72:24:6d:da:d7:d9:35:b1:57:f1:
+ 3b:9d:ee:90:76:4e:58:1f:4e:76:12:c6:89:2a:54:
+ bf:e8:53:5a:de:05:79:93:0b:41:2c:03:c5:30:58:
+ a8:e6:57:08:f9:47:7c:c0:3a:5c:eb:1b:33:68:52:
+ 02:19:08:e6:35:48:05:a7:51:22:89:1c:1e:c8:0b:
+ 55:73:b2:c9:75:f9:74:aa:de:5e:3a:54:f8:96:47:
+ cf:25:2d:75:e7:71:74:31:91:17:85:44:89:8a:16:
+ 88:ca:12:dd:0e:36:4d:e5:af:b3:db:d3:7c:53:8d:
+ 7a:08:69:92:72:81:c8:13:c7:71:96:8f:2d:54:98:
+ c9:63:10:26:be:59:8f:db:82:47:c1:29:c6:28:7f:
+ a0:16:bf:85:a2:eb:2f:2f:46:86:6b:77:1f:31:30:
+ d4:52:35:32:09:16:cd:48:ec:3c:4c:2c:03:e5:b9:
+ 90:e9:f7:b4:7d:97:91:31:27:4e:df:b6:bd:b6:ec:
+ ca:47:16:00:58:e9:87:4f:20:af:ef:4c:34:42:5b:
+ 3e:28:aa:cd:39:75:3b:6f:7c:b9:7b:50:76:67:25:
+ 31:46:f5:34:aa:c6:5a:22:77:b5:9d:6d:88:4d:f1:
+ e6:e7:ca:d2:d8:70:10:58:39:58:0f:ce:8d:b3:4d:
+ e4:f4:80:ca:31:75:3c:38:61:6c:d9:17:d2:aa:72:
+ f9:e0:ac:86:ab:33:16:84:e8:c8:de:58:9d:78:ac:
+ f1:2a:64:b8:e3:f2:cb:20:42:dd:f9:bd:2e:c2:84:
+ 6e:11:34:76:a5:c5:54:c5:51:9b:cb:85:d1:05:82:
+ 1c:33:d5:95:18:ad:4c:94:d2:7b:4f:72:23:ff:c1:
+ 4b:a2:ea:1a:3a:18:c2:f5:c8:08:76:00:12:25:e5:
+ ee:30:b9:8d:2f:0f:95:3d:70:ac:6a:eb:d8:c5:71:
+ 9a:cf:a9:a6:6a:ce:45:07:a4:41:de:85:fb:ad:e0:
+ 39:0b:6f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
@@ -56,67 +56,67 @@ Certificate:
X509v3 Extended Key Usage:
Signing KDC Response
X509v3 Subject Key Identifier:
- E6:0A:BC:C8:0C:58:A4:53:82:C7:15:E0:42:D6:73:67:26:2C:39:D1
+ 62:AF:D5:17:E4:9F:2A:8D:8A:CA:2B:05:E1:25:66:BB:61:03:77:EA
X509v3 Subject Alternative Name:
othername:<unsupported>
Signature Algorithm: sha1WithRSAEncryption
- 31:6b:88:4f:57:8a:4b:7b:25:d8:53:0f:04:e9:52:a7:e3:93:
- 12:ed:bc:96:03:c3:ae:53:6a:10:60:76:18:85:1d:9c:b6:93:
- d8:92:d1:d8:e5:af:23:d6:64:93:11:f3:23:8e:ed:43:12:dc:
- 5d:1b:d5:49:b8:3d:fd:e7:52:58:a9:26:2c:cb:49:09:d4:54:
- 6e:e6:45:c9:1c:3f:50:b9:f3:13:65:84:45:a7:1c:23:48:ad:
- 93:c0:f9:b2:fa:1e:25:d0:40:d5:8f:7a:c8:8c:72:ba:88:22:
- 19:a7:3a:08:cf:7d:9c:45:da:3e:12:64:3f:b4:e0:c4:36:97:
- a9:be:ef:e2:4a:1a:cc:c7:f9:8f:4f:30:04:11:f4:16:cf:ff:
- 6e:85:f1:cf:98:3d:09:e9:f1:98:30:ff:a2:3c:d5:96:50:3d:
- cb:21:db:89:56:8c:f4:a6:87:e3:78:44:49:c5:53:c9:19:a1:
- ff:a0:0d:4e:a7:89:d9:11:52:39:21:b4:b9:21:e8:af:39:9e:
- 2c:41:3d:82:3e:20:b8:60:8a:b6:de:d6:6c:f3:b7:5a:10:ce:
- ba:92:a7:6a:0d:5f:22:e6:98:e4:2c:d7:2d:7a:d4:22:bd:15:
- ce:2c:79:7f:d6:d0:78:f8:d9:a6:e7:87:84:cb:0b:8b:1e:aa:
- 0c:57:4b:8c:3a:a9:e5:66:92:eb:00:b2:2c:05:1f:14:ab:23:
- 7a:61:b0:00:02:bf:24:42:8e:0e:1d:52:20:11:93:94:b5:2a:
- 56:33:f4:bb:63:21:ea:64:cf:d2:92:8c:70:7e:b5:f9:4a:c2:
- aa:a5:81:36:bb:76:cb:ec:98:bb:3c:8c:67:1a:0c:3e:97:f1:
- 4c:dc:25:e2:59:a2:6d:fd:db:54:ea:9b:14:5f:18:dc:2c:e1:
- 45:89:27:a0:b7:f0:09:57:94:b5:dd:9e:84:51:35:98:12:c7:
- 20:ad:75:4d:42:54:44:30:e2:b9:cb:25:0f:e0:a9:6d:d5:6d:
- 7a:97:b6:fe:b7:54:4e:83:ed:bb:4d:d3:80:99:2b:1b:ee:a1:
- 3b:b8:69:52:64:f7:d2:bc:2f:18:73:d6:8d:04:54:c1:3f:14:
- 05:65:fb:cf:c2:38:25:92:33:cc:f1:48:cf:e5:d1:a6:c2:57:
- 1d:06:d8:1d:a1:0d:d6:e6:8e:ba:b6:d6:88:3c:a7:87:02:bb:
- 32:47:82:aa:d6:5f:8a:69:d8:5e:38:99:a6:1d:09:a8:d5:b8:
- 4c:80:23:ed:83:67:5f:b8:8e:f2:c4:8f:8b:76:b6:a2:09:b5:
- 44:1c:70:d2:5b:61:cb:c6:68:f9:9b:93:72:5a:bc:08:98:80:
- 90:64:a7:d3:a1:f8:ee:b7
+ 41:29:9f:70:6b:36:28:cc:86:e1:4d:ae:25:34:b1:24:ab:f8:
+ 03:de:28:da:d1:13:8e:03:d3:5a:57:72:69:f9:04:1c:e0:1d:
+ 14:91:c7:a0:8b:ab:c7:61:6e:4e:86:2a:2a:40:22:10:10:58:
+ 0c:18:95:eb:d2:15:18:35:3c:fc:42:25:1a:dc:03:cb:ba:f3:
+ 81:80:d2:45:4e:c6:90:11:2f:e9:db:76:9a:e3:1d:0c:04:dc:
+ fb:d9:ec:bd:48:38:66:78:d6:52:c2:bc:ae:20:9b:1d:87:28:
+ 9f:38:fa:db:8f:17:1f:3e:29:85:17:a0:95:bd:72:88:0c:93:
+ 88:ba:8e:31:67:2b:03:b0:bf:3a:7e:e4:e2:82:f7:6c:36:1a:
+ d1:8e:7c:87:63:17:e4:68:7f:4b:e7:dc:40:b5:02:5a:62:be:
+ 54:ee:11:30:39:80:2a:c0:3e:8f:3b:67:cb:9d:9f:ee:c1:ea:
+ f1:4c:e8:55:24:6a:73:84:ef:82:ca:99:ec:84:05:5e:82:a1:
+ 52:40:5e:71:10:c9:c3:9b:18:ce:7f:50:db:8a:49:d4:b6:b9:
+ 5e:ef:13:4c:e8:be:76:2b:cc:f9:eb:9e:9b:4b:29:8e:ee:1c:
+ e5:bd:08:f0:50:63:e2:c3:94:20:2f:fe:cb:6a:ed:2b:2a:e2:
+ 51:44:3d:06:d1:b4:43:26:43:07:4d:c9:e1:4f:9d:3d:0f:a6:
+ 74:93:ff:51:74:c8:aa:2d:76:ab:93:6f:84:47:2d:70:37:d2:
+ 21:f0:cb:4d:a5:8b:df:91:4b:95:f0:ba:fe:d9:fc:f2:ed:b5:
+ e7:91:03:5a:ad:12:43:f3:ba:c8:a7:51:34:9b:40:bd:71:39:
+ af:b1:9f:e4:9f:3f:1b:27:a5:84:43:a2:c3:3f:52:63:a8:bf:
+ 8b:59:82:53:b5:26:64:16:73:90:f8:7b:7d:ce:f6:41:b6:8b:
+ 81:56:90:c2:ff:46:46:8f:63:3d:95:d9:f0:49:73:37:d9:14:
+ 2b:26:95:ac:19:29:1d:cb:c2:03:d7:36:4e:4a:39:3e:51:02:
+ de:aa:dc:6b:77:a8:57:ba:50:21:0e:8e:b7:48:bc:44:fa:45:
+ db:c9:bb:72:ea:e4:2a:7a:35:75:3c:68:29:5d:b9:57:0b:d3:
+ 2e:2c:4f:01:1b:f0:21:0c:fc:95:17:b7:40:be:aa:0c:f9:04:
+ 60:6a:d1:54:0d:b9:68:d7:e9:7a:f4:96:ad:f1:a0:15:15:c2:
+ 51:61:44:5f:0e:bb:98:d1:81:9f:c1:81:d6:e2:26:d5:11:56:
+ d2:cd:0f:9c:6b:69:f0:78:24:ff:bf:df:02:2b:0d:d1:83:5b:
+ 14:4d:c0:e2:80:47:65:2b
-----BEGIN CERTIFICATE-----
-MIIFWTCCA0GgAwIBAgIBCDANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxNloXDTM4
-MDExNjE1MDUxNlowGzELMAkGA1UEBhMCU0UxDDAKBgNVBAMMA2tkYzCCAiIwDQYJ
-KoZIhvcNAQEBBQADggIPADCCAgoCggIBAKvywtq70bxalsB2EU56UkmLhK7KRExb
-MK2abZRbGlI/1ZvZYkuWUb3jVb5bCWV7OjsqH5uileWm9oUfezW4LFUUGRORvVZu
-W/dJA6hTARYnU44+cR2c3DgwOMJV41gVu95TjSpfaLBJ5H/cOFf+iRtvXVL8/czv
-N3HmcBM/JFqijbWkkEoqDuDCb00O76vJL5AK7iDovmu7TkOLVp9QquBxKw8rtmjW
-EcDEMbCrMqEuk1Rtq9PBhE/D/BCl+mqujIAFfFRMwaq8UOw8GZ6q34IM527tyfRG
-PmBrgdmz12QZX2S8tab2OAMCq/Kzui9PvuPDNMvYAUI9Q4GdqU9ebxTRhAW28/Cb
-+rXoH+ZA4rnOqescxNqFsmuxx6WRD6B5eoWytLVOpozNxkVcl9LoPAEqd7Lhpy/t
-LL9Cd5SkR7/HWEMUCGZOXSSZvV8N4bFW8cPbl/a1IpIj66X1SU12gEqDr6gXMTi2
-O0keN177556QHYywisLdXh0cL8RxqtIrxRYJ8V1jfALctuC59iuhVhsgjxPEYNAh
-yZGkQ975ZNhKXErNUYdmVeycLRCzI24OSEQrhgFzLncoW25DCeoPzA7a2oj572s3
-SL3kR0pP+XK9ucSgvGcp7FpVIraO8COfwfuGnBhZQ0zrtr0uGPtEricV5z1tmsdv
-YZnheoDeZKjnAgMBAAGjgZgwgZUwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwEgYD
-VR0lBAswCQYHKwYBBQIDBTAdBgNVHQ4EFgQU5gq8yAxYpFOCxxXgQtZzZyYsOdEw
-SAYDVR0RBEEwP6A9BgYrBgEFAgKgMzAxoA0bC1RFU1QuSDVMLlNFoSAwHqADAgEB
-oRcwFRsGa3JidGd0GwtURVNULkg1TC5TRTANBgkqhkiG9w0BAQUFAAOCAgEAMWuI
-T1eKS3sl2FMPBOlSp+OTEu28lgPDrlNqEGB2GIUdnLaT2JLR2OWvI9ZkkxHzI47t
-QxLcXRvVSbg9/edSWKkmLMtJCdRUbuZFyRw/ULnzE2WERaccI0itk8D5svoeJdBA
-1Y96yIxyuogiGac6CM99nEXaPhJkP7TgxDaXqb7v4koazMf5j08wBBH0Fs//boXx
-z5g9CenxmDD/ojzVllA9yyHbiVaM9KaH43hEScVTyRmh/6ANTqeJ2RFSOSG0uSHo
-rzmeLEE9gj4guGCKtt7WbPO3WhDOupKnag1fIuaY5CzXLXrUIr0Vzix5f9bQePjZ
-pueHhMsLix6qDFdLjDqp5WaS6wCyLAUfFKsjemGwAAK/JEKODh1SIBGTlLUqVjP0
-u2Mh6mTP0pKMcH61+UrCqqWBNrt2y+yYuzyMZxoMPpfxTNwl4lmibf3bVOqbFF8Y
-3CzhRYknoLfwCVeUtd2ehFE1mBLHIK11TUJURDDiucslD+CpbdVtepe2/rdUToPt
-u03TgJkrG+6hO7hpUmT30rwvGHPWjQRUwT8UBWX7z8I4JZIzzPFIz+XRpsJXHQbY
-HaEN1uaOurbWiDynhwK7MkeCqtZfimnYXjiZph0JqNW4TIAj7YNnX7iO8sSPi3a2
-ogm1RBxw0lthy8Zo+ZuTclq8CJiAkGSn06H47rc=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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/kdc.key b/lib/hx509/data/kdc.key
index bdb97b919a9e..1984f201178d 100644
--- a/lib/hx509/data/kdc.key
+++ b/lib/hx509/data/kdc.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCr8sLau9G8WpbA
-dhFOelJJi4SuykRMWzCtmm2UWxpSP9Wb2WJLllG941W+Wwllezo7Kh+bopXlpvaF
-H3s1uCxVFBkTkb1Wblv3SQOoUwEWJ1OOPnEdnNw4MDjCVeNYFbveU40qX2iwSeR/
-3DhX/okbb11S/P3M7zdx5nATPyRaoo21pJBKKg7gwm9NDu+ryS+QCu4g6L5ru05D
-i1afUKrgcSsPK7Zo1hHAxDGwqzKhLpNUbavTwYRPw/wQpfpqroyABXxUTMGqvFDs
-PBmeqt+CDOdu7cn0Rj5ga4HZs9dkGV9kvLWm9jgDAqvys7ovT77jwzTL2AFCPUOB
-nalPXm8U0YQFtvPwm/q16B/mQOK5zqnrHMTahbJrscelkQ+geXqFsrS1TqaMzcZF
-XJfS6DwBKney4acv7Sy/QneUpEe/x1hDFAhmTl0kmb1fDeGxVvHD25f2tSKSI+ul
-9UlNdoBKg6+oFzE4tjtJHjde++eekB2MsIrC3V4dHC/EcarSK8UWCfFdY3wC3Lbg
-ufYroVYbII8TxGDQIcmRpEPe+WTYSlxKzVGHZlXsnC0QsyNuDkhEK4YBcy53KFtu
-QwnqD8wO2tqI+e9rN0i95EdKT/lyvbnEoLxnKexaVSK2jvAjn8H7hpwYWUNM67a9
-Lhj7RK4nFec9bZrHb2GZ4XqA3mSo5wIDAQABAoICAHA3A/df76ausAd2hiDjL2ST
-ysmPczcppAEH8U+KjQj0Y+FL4xxVQ49bF5AdNWqnGv+Vo/8cAhtX9TY3r18FjNkR
-PrRIvnnzl80wN1TYprLgg2UnVwbuYcHBpqkdCDtqI6sad9wZW+cAskDHZXX3xV7E
-NPF97dyamWKZ8rZ81KrZvwW2Gfxsqj0AZ0aw4rUHnSSyHWoYunzwRklKXAOoz3ue
-H23NJ0QPwJI+9/bGI0qRbNECqcqOVl0AGDZ9O4n30/WQnu0dEp7sOxuQtV+ZQDhN
-V5RLVys11Gt0fc+n0H+hF2JUzW/i6/b6/WBs7qsFrhxSPthxZZDnDnE+hUoo5PBt
-OTn3eeyMBP4SdZmB8z3ekWeDd6qS+EnbEee0Y8CwW3YU2KKo5jRCpL18regVW0HW
-4t2NRjB4ioMLCSVrCukiWM6vPnStaeg5klTnb9GzsO99ruXNDSENjStEcoRCGjfk
-9OPb4inrKIcKiNxvfOOvXNtpi9+7UDR9w15oHscxU13LySMQVPc2TCwACx6G55iD
-MFGPDkDsm9m4Xee96To0abxiu/7Vc1H9lrnOMXfZP0DgNcOWFwa73QfSJvKwTl1w
-kHQTnk9yDYHgn/DPLAbhELxkNkIJNTz66tknhak8pkIFTsrTdEwMOqvdRCr9z7XL
-tStd7GcxCSVQskthkSSxAoIBAQDYYHjCGoEKojMUZzCbNDq+Z3ZiZ7m/sl8xduO5
-zUvY0sWuJi5ijOLfiGwDm+wEIannQhSnhVskevFC6ZXoynYufzSBD1z4wPsLpIwY
-TAxUB1NEHKBONWECiOpXeiEP0itRXxqoV4Gb9SFjrRbA/yvQqonNtMoeWZ/Sco1O
-CAzi20/LRtv/oMUsEzyOnvsDlHORIKgu1hpj/d/ik6e1F+k/1lqtzaRKLwPwgwfA
-LbLlYppu/6MzhAI5E3ujq3NeiqPU29tpxrQJnEOxPaPTrpwKjM/qBLF/H5o5e9Q0
-MkZFkPKQWLVQJFb+AWTWAGJzFdcw6X7KFURoafljsrN7DlPNAoIBAQDLb4YCUUDk
-pIzizpSuhhJCmh6B7/bSvoCr9pMwJadPhuADs9f4AZhaJGv745uxjaNx9seWCP4s
-4tEEhYFASzYyTfi6ChJZb+5+RJlkYkUplx1RVFCrEmi+X0Sy4SlhdTxTsnVd3Qtb
-0Ak7br422pc75YiEGf7Iz2k/ry8xif6pRsU7eeXm3e/rNIAr0x9RZ5aRl9Xg43N9
-GYcjdTK7G2KTUPYkRwFT/u3WK0DulTVnRX1+qraemq+fiyelox/SwY6n0c6K9hiD
-M21LOGBmjEirWU/OtCD6fsIYIilEu+u6RhyoKNWYwRxmdKQoKfow52gpyGU7lCI7
-plFXCFyJxeODAoIBAQDFwlZcQVETYO+ChFV+ZJwUDge7JMY2GFa8pMa5uJLL1sfp
-xOe8Frv8RXlDSyzJEeNxg4nRGicVDnCXEVp76x9cm9Jm6p20lNxd5cRNKKRT4GYP
-6IHzOQIzCOP1k5/ID/SbaGq61U+WNNKRgU88kXuAOX29TrE0UAGsnBnd6amtZXhm
-d5r25f+Pqv079L3CpdmCGPDd7b0tComnUgCDmRkLyWQTWdIAIzxcg8V/tcS9tgMj
-0+1bVhmaBN6J1leZXukh0NeWs481AWc1BPtIq1veoJgecK+xWjbgtvZZxmFHj5TC
-rPD6EFyZxrhchvlz6dBF2gKRvCJLtB/FKTy1CYE5AoIBAGFbqgKJ6EiEB3iz7Kvp
-Nevx3g/JS5Jn4SRrCN3N51hD8AlVlFH4UXUyYQtXTjeW1VXBCJthCmNo2ScUzVp7
-pCBG+HXwQ//RdY2wPsivzvGshDdb5o84bDBPX41L/IXLmWdkzI5zLvBtiz2KLjYK
-Pr5HhyHRXwGzYWc865UFuX5BhDqGh+QI6rzhj0Vp8F8A+CoNRCowMCD6ipYJjJHG
-9VITOPj7kkMkiaYpZRXJCpm1w+1Ovb8BwHLWIc8/VgeC4kamPfZ6+BgyEGgjPt9U
-26JFR9BgnDfFWhY6ow1l8dZfn29Ku44zPOg7giRGkpm85Ti50tjEd+2cFulT8xVs
-QwkCggEAJ5+tgWw3kHch4pK94R8hSzv5OzNQUZvdXYZk751/k92ZSrYeiZ7cj8de
-kcFLiQjY5pkOrkF7oKUKDZXyVU2BQN0jjX5/0Hqpwwj9gBXuXnit4J0mrPDFBEh6
-KcC2Cjw/ul7MdzWlJEdAgu0sR9EPIPmTO9pdziH2k6uNSfj1S+hIAPNQ1tvME4zg
-M+0THn2pVqhAZxBj4VREbGzk8tIBl1LZEx88REdSbe9FKcS/wiGCpnttQqL/WSu0
-9pXx0T27VSdxXoSQF3kVdEdQ9EEsfAi9t95UJqOfpkKamEefao3xDrE5whSddD+q
-HWEzextsObokaNciuMPKlJLizq1W+w==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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/no-proxy-test.crt b/lib/hx509/data/no-proxy-test.crt
index 7e38cd9b564f..5f27bcd50800 100644
--- a/lib/hx509/data/no-proxy-test.crt
+++ b/lib/hx509/data/no-proxy-test.crt
@@ -1,30 +1,30 @@
-----BEGIN CERTIFICATE-----
-MIIFETCCAvmgAwIBAgIJAKQmPUkmhyKoMA0GCSqGSIb3DQEBCwUAMCExCzAJBgNV
-BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQwHhcNMTkwNTIzMTUwNTI2WhcNMzgw
-MTE2MTUwNTI2WjA0MQswCQYDVQQGEwJTRTESMBAGA1UEAwwJVGVzdCBjZXJ0MREw
-DwYDVQQDDAhuby1wcm94eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
-AJ++Eu48QHbj9zWx743IdmFihU06xR/IAezZPoZYhQsxw0kVQXNnC1sdGqpl7DWe
-IQGmokhpfRq0LPOtK4QhZBAqvpWohdreJfPrEM75U9LdPQXtKcbzV5hfz4tVUbcH
-jvgvH+M5Zyr1SvDWsK7/CEyNC7d9EYfLcVtas+uPtq6YWtRW7A1SeHiZKGPikkQy
-cSwtsqtyrbNyHvz32GdasW1exOLXwqH4dXNeO/C7EQCQu8gv/klWfKC9d3wBp+6h
-LQsXoTh3JqaszucAMhen4RihyRcofsEbWLpmzGIyIDIB2IQ/ZYwF1xfOFi7gTGFF
-Il80EdEvw8x7GcZFVMJUQzYH8rnHEU73bzAuEVJay4vR5SwWjGIgIcZl5gYWSGMq
-4VhLQisIVfo1hcLniPCSQH3GExCQ8QvVi8Ks8tkd+0zs/24B5HFzWHJspKSnuOya
-dZreKjAvNWPPflolipjKDORxocJDojIbW03cgZwHULRP6sU8H/dXnLBw8t9natJk
-zHGslG8rZoR61QHVcalk2qAzP78lhRfOU/XlGTkOX8zbfnaVS/O6IbBxhagtBApc
-Ms2aunf0H6fxyyzSAllAu+fnDsUMBhQWTkQmK2GmEEba8FYbS+K5rbn/fzn+xaS4
-+Lh3GaaPI67+2EwcDWdfBAzHC4Mj3UF2i4o3r3fAazHrAgMBAAGjOTA3MAkGA1Ud
-EwQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBQU3CICEd4bSVDR3MKEOFoAqRYt
-8jANBgkqhkiG9w0BAQsFAAOCAgEAMAG64y2s7lZi+1yZtIfvgBe/QwO0s3TrZVc/
-VTSmVgcsI4pOW9A2NYxJR5RwEg1fNAoKPz8+D/9FeZwVED8Q9xUAuvtEsr2npd6d
-ogQblbVBFkuQ+3Wt7ILYBKXgFQB+473yu91o/k7Mg07/2XsWMhkNspMpBo4frUo1
-7JlXH4wLs1pAGbhFZ7e4s+8Xm3zSPa9UuhYNDqwheeVulwiP4v4zf5DZD9iyFcYj
-9COnCYNvY2gSi+GaT712jLR9/0CUfFbiY02e6VS9TI8pvHlCbOaUAqTeYAr8GkpH
-qupkvOmTWwgubeK7BrDvuKJIavK8sN5mqK/KzFpzRjMzzppeuv/ArKMnjbr52BtG
-fZK8LxbeXuxbcqHpxRT2uFIoQAtIxf1oMYoqac2TNZ2V+x3nRMfsgW6JK+huoQpB
-Z9pyRNTGb5B6JNDaW5qeXmJz3zVKWFCRO9kwWajBDmQcd9A2BMukCtcWIDR9PSuO
-zqRXI64gh/Pm+pHrG+U8/m/WhEmMquJHjbeU7lpd7wiRwHyvGqka/pHIKt3Eozkh
-FCthDU5sK1pLWCyQU+DmrL3+LKJaL+Yiok0lKiPT42II3d0yVIeV6BtVHpFQLYBm
-rJHozXOvFEE1i8o4jl7mjvXJHfkUHgmpuny5RicuxOrE12YrdQIq4qyTZiskd4N4
-fDTnu7M=
+MIIFEzCCAvugAwIBAgIJAKQmPUkmhyKiMA0GCSqGSIb3DQEBCwUAMCExCzAJBgNV
+BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQwIBcNMTkwMzIyMjIyNTEzWhgPMjUx
+ODExMjEyMjI1MTNaMDQxCzAJBgNVBAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQx
+ETAPBgNVBAMMCG5vLXByb3h5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
+AgEA1wY5NrUAYbdIiJyOwEG5zo6892LuPxYrJ39qy0868pQMPuViT3IjP8fOockf
+IHFqM1M/rYEKBCaHm3W5d0+QET1T3pJq7eOTuG8Ep4BiMDm2mD0VeWOCeLJjfnuR
+8WPG3Fz//55NBCByMc4as5+Gw9b6z6Mh8pFMyz4zyMQI420Gss9hHoTiD9o4fhM4
+U5M+l+gvVYmvLhZ0Z8hIJAqnlRJoIKeEbcHS1qIqkN0vkdRZc5usJmxhpJi8SjTS
+pGiP53QDmGDJMHd5Fsfyv98n6T6fIkf+O2sAVnxdgOBIyYibdMH021/UzbXZHoDK
+Nx5HH9lr1R9vE5fy969yCQ10lgaNmlp68j8/5B8QPeRbe29DQ1rRBzheji1kkxbg
+8FU7GKu92GHrDhK5dasl7tH3qx4WKOAD4ENJI4vSDWo/IxkKYLLuNIMcVhmGORGl
+IvxaDVxr5wHdGgpBJwc2BxcHU6/8cuYGDewR2h/TWb6jTVmfq7lx+fefEkTDmOxI
+WbXwGtbZqqX5EzWp3VTBakONdRjJwxg3MShWJ1ZhYawzeTwZg3FOIn9W2tLkPNU7
+Ly/fZMBD6qJ5X/0gJGkx9QRlANMJnj0POaBvIyzkGz95QlyIoiAJyuzCKbX5WQdd
+jy1drnB2VdAjWyAjUP+9JsMJJKyLYOWxvemE1yAIIL9yjVMCAwEAAaM5MDcwCQYD
+VR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0OBBYEFN8mmgQlHmnWopRs35laOYZ9
+/02LMA0GCSqGSIb3DQEBCwUAA4ICAQB6dmCcY2XRzeZz2CQ2DdGJRyBDdHFf7W3O
+4Tk/w2ZQLFx6BwttOB94LcaVFRUHp9arkNDH6ne9ntQ1LZ3fPoRR4RXwQO8c+pIf
+ZDWPEr7Exv1F1zrjAEHx2UcP1pu4PU9PDqmGs2BarnHgKotfY8AXdJkl1g128LIQ
+WOmQFyI6Ny//4MT/5YB6OSr2zzrKz5FyGxKSG49xfPSSAf3mHAUxHzBJ1orpHIpo
+zQcrt6oRbi9G9cKVYTEVRVM2CgqMJwBUH7d9BRIab4hp7lqynFJKg3uOH90cmms1
+dY5NRmy+jmAqveEGvCw2+vmHtbj5NikwUBnRqZGW/XHLSj8niCtO2PT30xzpDiEa
+iYBGyuETV5vwFIbucdbenaBrrbvumr4lWqhjadQVwjhNcqdmhIxuGGXF/XGG5+do
+hFaYD5fguyfQDGaeFQIipPEyZcx0QcGA77g7eKYgPyBFZxGHS7P1x1GrchZIOH1q
+W59AuSwxKWGEAM2tlp2+Esp3Zj8UBy2nL9fXRyDEMerCuJUcbCLODGYDc0/s/7Cs
+G8ZNK+GXs68CgxJCbxY5uUcYQyVpRFi62jvghuPGQkxytQ/GWM+q94ncr8I2+lsO
+kTcdzYbAapst+XoPL9enQwAkw4yksJ8Rx2P2TDRAZl58+utRrdQyL0oD9cJy57LE
+cpMYhZWsyQ==
-----END CERTIFICATE-----
diff --git a/lib/hx509/data/no-proxy-test.key b/lib/hx509/data/no-proxy-test.key
index 37d7f29962ff..9f304001c152 100644
--- a/lib/hx509/data/no-proxy-test.key
+++ b/lib/hx509/data/no-proxy-test.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQCfvhLuPEB24/c1
-se+NyHZhYoVNOsUfyAHs2T6GWIULMcNJFUFzZwtbHRqqZew1niEBpqJIaX0atCzz
-rSuEIWQQKr6VqIXa3iXz6xDO+VPS3T0F7SnG81eYX8+LVVG3B474Lx/jOWcq9Urw
-1rCu/whMjQu3fRGHy3FbWrPrj7aumFrUVuwNUnh4mShj4pJEMnEsLbKrcq2zch78
-99hnWrFtXsTi18Kh+HVzXjvwuxEAkLvIL/5JVnygvXd8AafuoS0LF6E4dyamrM7n
-ADIXp+EYockXKH7BG1i6ZsxiMiAyAdiEP2WMBdcXzhYu4ExhRSJfNBHRL8PMexnG
-RVTCVEM2B/K5xxFO928wLhFSWsuL0eUsFoxiICHGZeYGFkhjKuFYS0IrCFX6NYXC
-54jwkkB9xhMQkPEL1YvCrPLZHftM7P9uAeRxc1hybKSkp7jsmnWa3iowLzVjz35a
-JYqYygzkcaHCQ6IyG1tN3IGcB1C0T+rFPB/3V5ywcPLfZ2rSZMxxrJRvK2aEetUB
-1XGpZNqgMz+/JYUXzlP15Rk5Dl/M2352lUvzuiGwcYWoLQQKXDLNmrp39B+n8css
-0gJZQLvn5w7FDAYUFk5EJithphBG2vBWG0viua25/385/sWkuPi4dxmmjyOu/thM
-HA1nXwQMxwuDI91BdouKN693wGsx6wIDAQABAoICAQCVA0tHf18nSOrf5PexjFGZ
-8Lym2W7vgbUCC3m++y5Izgf80d43V+WI/jJUyDU7oyHpF1eFMxpn4bGZMm5ImJlu
-V2Fn3EfZbqd6zUnluUHPj2AQejchhvishJvnvxQ2J8/fhp45ad/qe92Hos44wGEu
-f9hxNzM2OLqq3Ia/9FUWs7rvH5KdrtQAs+awnreQ9HkMHCjytEyC+68ajd0KNNkU
-THZfoaPHUi3GDB7gJrDqlRkG2nZcVVh23adrP2Q3P5T0JvvW35dnngZ4CH+x/4IE
-Z09d0gHEA82WPLTl2Rqda4ldfIIux3fple6tlcDKcCJrKvh/6g29XwwhH6W8jbwP
-Xq++ZK8SYY5Fk2puBzDGH/pX+ljxRh0jRD7FpsUwF+9Bk0aqkycbX+75T8R3LLXt
-mi2n/gBs5CyQHRBKnrui85KkM5nCQiYiUQbyilcbZSHOKPQi7bNGBK4/idEcmDjR
-iIwpV/lvAJPMetFJe+3c3CSqU8xHKz3vK97LX1qoQJE/ozUU+iCv6qVMUZjOCiNh
-p/Oa5/UWO1GDrM9rcmeufjwKu/OuZyoivi4Je4GDVVfPHswIyAg72bmhFmx0M8Qu
-+G9QidwDfRjezX/hFFtMqaC+PKyabHVfoNKm+bv/XjXq4mbsmUUK67qrZhdwyRyV
-XRIpnsBs6pEjmzUiQI21OQKCAQEAzWsewm+YCfmuY/W61Q88F4ew4CnYjI/saP0J
-kDOLNeKh/1UeWhAaHrZxW0c1F+R57aYMyQtzh92OQ7bd218DXwkzsdX5VXH4ThvK
-jW/hLe178RBABk9lWXYU3u1UndbfDH3FRa3fKfd7uQXoSdK02l9i9WtHFdSqv1uW
-jjXIC4tfBlIaN+H2KSvNAxmejcwfnCEZgdoUGfXbzyOaiIj/J8EORty7n4HdFM8L
-AUT+vNDARHKY/5L01Dp92bsWltibIFuCX53fPZ51ZCfNeDe3e/zgxr+VUL5VVy7P
-6r28ersysIzhDK3YiSMaCl9EI8YOHOedp1Gh6MO/taoRTp0mrQKCAQEAxxOyTG2G
-qzGqXgI1uduPo1DBfNKJYSA9d7lJneANjCtBj4ovMt2mzwojgPOaYj9lit5xnXFU
-qki8wZI1+xM8ylE7AKzUt/Jb7EE02QihUBgItFF1xyVIyvHDGrf9KRO7JVM2/erq
-NeF5Ol5eI61azNEzCAm8X47R5DvyYZApO/+gU2t9U2dNXJ9w+7YU3oeMxj+YMfud
-IZTmIXQgFVezwLf/VMSxJa5eeffCdCW6BKGArYvwk2eg7fbhCw6MDmOtAFOoI5Eu
-8zVlbvg/1IjJ+YEJZZqugzQxVL5x217dCnLdu1Hnf5SxvJ2cfoRbEIqJByVDSSxs
-Qe7PG8O59d+F9wKCAQEAs/Rk1Qc4FX0TZmSOUTpwdVic/jQKjlFDVVJfP2G4UfOB
-4ZJq7ZFvoHpJ4iIGhDDXE/dE+hc7FcplaDLaNuUMqgQAsol2TYFzetHj53YcucRz
-sOKAhEanzfChJg6Z81CaxHGmEX3ZpAU38QYY0htx7mBj7AYYFyrgjpUo1tqMrnhh
-PcNNTql4oebKSi32ddhd1MQ2eUhYFcoJz3QsW/JQPT5mSHP1Ni5pRGKBDJKp6zWh
-ShVurW7LZuT6/XRlvK5zb6xbEXLXcD7SLnSkDu4YotkM/XA22a50StUqtkWTyZ0X
-Mg2o1heyO6lxlaaRphlKoc3SkhL0mVprJzWexdTsXQKCAQAjoNnLJdrxLo1QD9Mv
-tSTK1LwcK83cbRmzIJ0VPTEPgfpUxyVVVCfza9wYywA5TyFMLi1lQRAm/aeSeSli
-CvpZNxp5L3VOinh7Gtxrb0j3faWpJ98NShXyBDynvn/3ZwmaT39LCEzsYbMBiDwO
-5IqYl2Qrrxpge74Cu9vQLC3FCCXYaCdg0t8ckYh19AteHCJMpLsHTwG7LdvV5uOL
-DkwkVInE0QLnPIK6D2ZkxQ+6nnDaHm5q4yQBEqsKAIt+U8Z1hYNVAjnF2yuRJaq+
-zdBf8AEPhxRudNvTT9YurZaftRkL2ke1JJZ+rDKCzgtCNZj6h2e4Y9PoJOY6ENhq
-MZvXAoIBAQCFrLrJwWFpRCAUGRygAVeyEMiSHhWuG38dHLrDd6t+8taoOSy2AsXo
-vPyCKAFwElan0cehYY31WTSg1L9KfnIw2S2e6dMJEiJidMj95v9+Vh5+X4WJeF6F
-WtwmgyN24p/6ymEPSuCeENAZQjyWFj1gT5jp0KjbCFYZ8V2ubERpNzt0CLqZ0zJb
-WTgptd/MKT398ENPU1fQRnFScm74SHnxbvhPzuhRI66vBC6ofx0Irx4KWfQaEGcD
-OzU0LeCarXE7JWSbG3+AHOglPYBRCQ3/KaTOZiDALR3KKaJ6od7EkPqNWzTUd23K
-IMZ41x5JPzpQTmrb056vt40ifw3+I946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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/ocsp-req1.der b/lib/hx509/data/ocsp-req1.der
index 650c87976956..e536ebbf9ba1 100644
--- a/lib/hx509/data/ocsp-req1.der
+++ b/lib/hx509/data/ocsp-req1.der
Binary files differ
diff --git a/lib/hx509/data/ocsp-req2.der b/lib/hx509/data/ocsp-req2.der
index 1c010149a2f3..e224fa61d825 100644
--- a/lib/hx509/data/ocsp-req2.der
+++ b/lib/hx509/data/ocsp-req2.der
Binary files differ
diff --git a/lib/hx509/data/ocsp-resp1-ca.der b/lib/hx509/data/ocsp-resp1-ca.der
index 38efc09e8cc1..228918c3522a 100644
--- a/lib/hx509/data/ocsp-resp1-ca.der
+++ b/lib/hx509/data/ocsp-resp1-ca.der
Binary files differ
diff --git a/lib/hx509/data/ocsp-resp1-keyhash.der b/lib/hx509/data/ocsp-resp1-keyhash.der
index b3b3feb76509..250a1f1934a3 100644
--- a/lib/hx509/data/ocsp-resp1-keyhash.der
+++ b/lib/hx509/data/ocsp-resp1-keyhash.der
Binary files differ
diff --git a/lib/hx509/data/ocsp-resp1-ocsp-no-cert.der b/lib/hx509/data/ocsp-resp1-ocsp-no-cert.der
index ec51b0c94e4e..6ebbd840b56a 100644
--- a/lib/hx509/data/ocsp-resp1-ocsp-no-cert.der
+++ b/lib/hx509/data/ocsp-resp1-ocsp-no-cert.der
Binary files differ
diff --git a/lib/hx509/data/ocsp-resp1-ocsp.der b/lib/hx509/data/ocsp-resp1-ocsp.der
index 864f8dc32d35..c97654a9acac 100644
--- a/lib/hx509/data/ocsp-resp1-ocsp.der
+++ b/lib/hx509/data/ocsp-resp1-ocsp.der
Binary files differ
diff --git a/lib/hx509/data/ocsp-resp2.der b/lib/hx509/data/ocsp-resp2.der
index f600bd64d97e..d731f3834ffa 100644
--- a/lib/hx509/data/ocsp-resp2.der
+++ b/lib/hx509/data/ocsp-resp2.der
Binary files differ
diff --git a/lib/hx509/data/ocsp-responder.crt b/lib/hx509/data/ocsp-responder.crt
index 7df15421a7df..753ca5602606 100644
--- a/lib/hx509/data/ocsp-responder.crt
+++ b/lib/hx509/data/ocsp-responder.crt
@@ -5,48 +5,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:11 2019 GMT
- Not After : Jan 16 15:05:11 2038 GMT
+ Not Before: Mar 22 22:25:01 2019 GMT
+ Not After : Nov 21 22:25:01 2518 GMT
Subject: C=SE, CN=OCSP responder
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:a0:76:7e:fa:ce:3d:80:e7:2a:c4:1f:02:27:f1:
- 4d:72:1f:78:57:3f:30:9d:06:2f:d4:3e:64:15:a2:
- 16:78:de:9d:f9:db:81:b2:96:50:b4:e8:3b:c1:bd:
- 6f:80:00:4a:3b:b7:ef:5e:8f:20:dd:1d:6e:36:8f:
- e4:05:66:c7:17:7f:ad:5d:e1:1a:a1:fa:5e:d2:84:
- 24:fa:00:46:26:8b:e8:68:ed:c0:86:3c:45:f5:64:
- 0f:3b:00:cb:cb:3f:45:3d:98:11:f3:cc:de:e2:cb:
- e5:b5:91:59:43:99:41:86:79:75:a2:42:4e:5e:16:
- 7a:f3:0f:ec:e4:c0:e2:9d:b5:cf:9b:a9:ea:97:70:
- 7a:20:20:8c:30:56:4b:16:29:04:d5:c6:6e:ad:14:
- 73:2d:cf:23:a5:38:11:5d:c9:bd:9d:57:f3:1a:c9:
- ff:16:64:97:d5:60:0c:08:2b:1f:a9:99:3b:5c:ac:
- b2:d7:3e:d5:f3:32:62:6e:20:8a:c2:74:29:6e:aa:
- 35:72:1b:25:dd:d1:33:94:1e:87:e8:51:9b:35:45:
- 62:19:70:b7:d7:a7:64:48:02:08:74:c3:aa:2b:21:
- f6:bc:3c:b4:74:b7:25:7a:41:23:1a:5e:e3:1b:0f:
- 1c:cd:98:d0:1a:d3:f6:7a:4a:fb:78:cf:85:6d:02:
- c4:e6:be:c7:4d:ba:90:59:c2:33:13:5e:3e:89:3c:
- 76:9f:bb:68:03:cb:26:e6:bf:fa:fd:8b:54:42:69:
- c9:12:e8:57:e3:2d:72:f5:be:7b:35:b4:60:9a:a7:
- 3d:29:9f:e6:f5:38:5a:96:36:72:ad:d8:9e:26:0c:
- d0:2a:58:34:8a:dc:75:ef:ad:a5:f2:36:68:b0:6a:
- 1c:8e:c3:9f:43:09:5c:53:48:16:6e:58:4c:46:1e:
- a6:d0:d8:de:7a:85:d0:59:cb:10:e6:86:5e:a4:71:
- d5:8e:8b:4e:d9:a5:8a:8e:91:30:23:fc:22:35:fc:
- 78:8b:aa:66:2b:e2:f0:2f:c9:72:ee:ab:ec:a9:0f:
- 1c:ad:7a:15:f3:dc:7d:db:39:bd:e1:ee:88:de:04:
- 5f:43:d4:3d:7a:1b:f8:b9:9e:38:6b:06:8d:04:28:
- 5a:93:8b:2d:16:03:99:ac:60:a5:40:c3:94:10:0f:
- 87:0d:3b:db:74:59:fa:c2:5f:f7:ef:2c:87:29:f0:
- 76:7e:50:29:86:5c:cc:7b:89:6b:11:e3:b2:9b:aa:
- 9d:36:58:d1:89:ad:77:53:9f:e3:85:89:65:29:6f:
- d8:f7:79:68:49:c6:09:97:e5:fa:a2:79:23:b7:48:
- c7:da:98:ea:ba:bc:16:9b:3c:ca:71:0c:6a:10:08:
- df:ef:1b
+ 00:b1:21:1d:c9:2b:44:9e:62:fe:13:94:ea:a1:e1:
+ cd:17:0e:bb:4d:1c:62:27:ee:d3:f7:61:c8:26:c1:
+ 0f:45:fc:10:d8:39:c3:da:86:a0:00:30:d7:ad:86:
+ ff:c6:36:6c:f5:e2:26:8c:f6:76:1b:d0:09:b6:a5:
+ f8:cb:d5:88:fc:ca:ca:28:49:ed:64:2b:f3:88:4e:
+ 8e:ec:7c:63:b8:75:6a:cc:73:b6:66:6c:c3:7c:e4:
+ d7:50:95:88:12:84:e7:5c:50:87:db:4c:bf:91:98:
+ b1:3a:44:57:0b:1a:7a:f1:93:e3:4c:69:8b:9f:d7:
+ b9:20:8d:0e:cb:ff:de:38:6f:6a:91:55:1a:6f:a6:
+ 82:1d:05:f6:fc:46:8c:83:8b:ab:6e:3f:6a:6f:c5:
+ 0c:cc:ff:3c:78:74:d4:f8:56:be:59:60:d5:3f:4d:
+ 3e:e4:e1:4b:2d:c5:2a:d1:6a:7a:21:b9:6e:61:10:
+ 03:79:88:5b:74:f4:29:0d:56:d3:6b:d5:7d:8c:59:
+ 5d:4e:89:0d:a3:a6:8b:43:28:e8:e2:f1:bb:d5:eb:
+ 65:9b:c2:d6:62:aa:df:66:d5:92:dd:84:6c:29:28:
+ 1a:e8:29:b3:09:d1:45:14:44:cb:30:03:73:3a:94:
+ a3:a3:24:89:15:fb:ca:e0:a6:62:35:48:f8:92:50:
+ 3a:ff:17:d8:4a:1e:a0:9c:d9:68:cc:21:e1:c9:36:
+ d1:47:bc:f1:56:3e:87:18:10:0d:f5:56:9a:c9:79:
+ 16:c0:08:a0:59:65:b2:00:dd:9a:e9:97:e7:8f:85:
+ ee:cd:0d:20:5e:2d:58:ff:8e:e3:ce:4f:36:65:c3:
+ f1:88:39:dd:34:29:db:8c:ed:6e:c8:7b:30:ad:49:
+ 58:e6:f9:5b:85:46:0a:04:0f:9e:ea:ca:a8:2a:35:
+ 0d:66:f3:48:b6:e3:c7:e0:e8:a3:ed:6c:f3:e4:cd:
+ 1d:45:f3:e2:2c:6c:5b:91:b8:26:dd:49:d4:78:d3:
+ 4e:57:3a:b5:af:cd:3a:05:d5:89:63:f5:bc:73:1f:
+ 26:cc:2c:4b:2d:81:b3:5d:49:28:04:46:f8:24:5a:
+ 68:1d:06:1b:2d:be:56:f9:b3:f4:d1:50:2f:95:9b:
+ 9f:45:c7:62:35:bc:46:a9:df:c6:45:21:e9:1c:7d:
+ a8:2e:b1:87:91:0b:7c:fb:97:52:31:f9:41:73:ba:
+ 83:22:4a:80:f9:ff:f1:95:74:79:f7:20:95:f0:17:
+ 20:7d:ac:55:e8:b0:c6:b2:a6:56:c6:c0:cf:3d:78:
+ d5:9e:37:41:b4:78:aa:30:f0:2d:59:7c:6a:c8:68:
+ cc:91:09:13:f8:9f:04:e3:a9:86:c2:74:ba:f6:32:
+ 44:0d:bd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
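Review bot: The regenerated fixtures keep `Signature Algorithm: sha1WithRSAEncryption` (lines L8737/L8828 here, and likewise in the pkinit-ec.crt and pkinit-proxy-chain.crt hunks) even though new key material and validity dates were produced; since the stated purpose of the import is OpenSSL 3.0 support, it is worth confirming that every test path validating these certificates goes through hx509's own verifier, because OpenSSL 3.0's default security level no longer accepts SHA-1 certificate signatures in its X509 verification. If any test relies on OpenSSL-side verification, regenerating the fixtures with a SHA-256 signature would avoid a failure that has nothing to do with the code under test. Note also that the new `Not After : Nov 21 22:25:01 2518` encodes as a GeneralizedTime rather than UTCTime (visible in the pkinit-ec.crt PEM), so the fixtures now exercise post-2049 date parsing and a value beyond 32-bit time_t; that is a reasonable property for test data, but it should be a deliberate choice rather than a side effect of the regeneration script, and a one-line comment in the fixture-generation script recording both decisions would help the next person who regenerates them.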
@@ -56,64 +56,64 @@ Certificate:
X509v3 Extended Key Usage:
OCSP No Check, OCSP Signing
X509v3 Subject Key Identifier:
- D4:A0:90:A6:79:F7:F8:6A:CE:29:92:37:2D:36:32:22:B5:41:75:45
+ D0:3C:E8:05:07:BB:9A:96:36:88:44:AA:9A:4F:62:9E:9F:33:5B:03
Signature Algorithm: sha1WithRSAEncryption
- 1c:37:c2:22:e7:c3:1e:f9:b5:7a:9b:ee:fe:bc:15:89:cb:34:
- 59:2c:b9:c5:e1:c6:56:3a:da:6a:6b:08:df:f4:69:3c:5d:62:
- 4d:b9:e2:65:8f:23:48:30:8b:9a:a3:55:7b:8a:4b:d2:ab:8b:
- 85:31:78:09:45:2d:9b:fc:59:ad:67:0b:ef:20:b5:70:23:71:
- 21:26:d2:e1:c4:4c:54:8f:02:1e:84:35:ff:7b:67:90:05:7c:
- 25:2e:ca:13:a4:32:ba:0a:9a:aa:6b:79:53:81:6b:3b:95:fe:
- 17:51:57:89:71:22:6b:3e:15:06:6f:1c:d6:8a:9c:e1:49:67:
- 4b:3f:4e:f5:2b:b3:8f:89:5b:f7:c9:94:78:02:b7:f9:db:c3:
- b9:2f:b9:17:9b:0c:ba:e2:ab:49:e7:5f:0d:85:ef:4b:35:f2:
- 39:e7:4c:ef:6a:88:81:99:7e:a7:8c:b1:f7:d9:ec:fd:70:92:
- 8d:12:1d:22:49:3e:ef:62:54:92:34:e7:67:27:a1:5c:38:d5:
- 1e:b8:95:c2:9b:12:95:4f:8c:64:d6:c5:06:a6:bf:19:fe:c3:
- b7:fd:68:d7:7f:f2:7d:7f:aa:4f:71:7a:78:c2:af:b6:6a:5a:
- 56:cf:5a:99:82:4b:39:d3:83:03:07:b9:7b:35:31:6c:ac:4c:
- c6:8c:46:dc:d3:4c:57:3d:01:6d:5e:76:94:53:9c:ba:e8:42:
- d9:8b:2e:88:4d:9a:8f:12:c7:2b:cc:e2:f9:9f:1d:b1:5f:55:
- bb:15:4e:e6:f5:bc:7d:03:a1:00:47:b0:1f:26:0e:58:64:24:
- a8:ef:96:51:d5:66:cc:4b:0d:0b:37:16:33:ef:d3:a6:c2:05:
- e1:6c:38:b6:21:f2:c3:0f:3e:65:d0:6a:0f:37:4b:c5:db:01:
- 0a:ce:f7:c5:e1:4e:3f:55:aa:8a:51:23:7b:66:59:ab:20:64:
- 7a:0d:bd:dc:cb:79:46:0b:57:51:cf:6f:37:94:03:96:19:a5:
- 61:e4:a8:4d:7c:84:0b:b8:79:ba:22:8c:e0:67:0f:8c:ff:44:
- 02:3b:a2:54:6e:3f:f9:a6:d0:46:b3:ed:e1:d1:18:16:ea:4a:
- 56:b5:9b:a0:b6:ab:40:2e:6b:c4:8d:7f:75:c9:92:b6:ed:31:
- 92:1a:24:94:c7:67:16:fe:6d:9b:d1:f8:2b:25:9d:34:a6:18:
- 21:8f:33:5c:9b:81:31:69:c6:f4:b3:f2:51:2e:7d:17:96:50:
- 33:07:f6:f7:1d:df:62:bf:29:a7:da:8e:15:e2:62:83:36:a5:
- 77:17:f7:29:11:0d:cf:8f:e0:97:b7:24:6c:b6:64:78:8d:e7:
- f6:97:d0:1a:3d:ea:38:4f
+ c0:72:d2:af:26:74:de:f8:7c:96:bf:ab:d2:ed:95:d9:bb:0b:
+ 07:31:8a:4b:21:f0:b5:7e:ab:b4:50:b0:af:bf:96:64:ce:38:
+ 99:3d:f3:26:02:4d:5a:da:71:ad:6d:a6:f7:fc:5e:46:16:3d:
+ 9e:cf:95:a3:5d:0c:4a:64:a1:84:88:b0:31:0e:eb:54:cb:99:
+ 42:45:09:92:ea:b7:74:f5:fb:ff:c6:91:31:27:bd:54:55:9f:
+ 6c:bb:e2:45:4a:33:ed:00:a5:4e:e2:7b:2c:98:f1:3b:bc:f2:
+ 87:33:e5:22:d8:fc:a8:4c:90:e2:df:ce:48:c8:3c:56:43:6c:
+ ac:f1:f6:e0:75:c2:a7:f9:33:87:4e:75:a6:22:17:78:32:88:
+ aa:f9:2a:40:4c:e0:25:6c:4c:0c:cb:6f:1a:7b:13:0d:35:a6:
+ 23:86:42:75:3c:c1:69:c1:c5:79:77:51:4b:19:14:e7:4b:f9:
+ df:0b:30:aa:c4:97:84:6e:57:7b:00:b3:a5:31:c6:9f:17:f1:
+ b0:4c:81:f7:e6:df:e8:c0:d2:91:03:c2:e3:dd:94:c4:f0:ee:
+ 1c:73:1c:33:ae:91:60:fe:cf:48:08:0a:95:c1:95:28:af:31:
+ 23:a6:2a:1c:d1:6c:7f:68:e8:a9:a4:27:8f:6f:29:33:a9:48:
+ 0c:03:8f:fa:b5:ef:2a:9a:ce:ed:ba:74:39:88:ef:3b:d9:93:
+ 77:34:30:d1:a3:5c:9d:f1:3c:30:19:c2:ca:2e:41:5b:23:bb:
+ 6a:67:35:e3:e2:c6:6e:a0:3e:76:50:db:6b:ee:02:98:81:bf:
+ 75:ac:3a:78:4f:f4:fb:d1:7a:1f:85:1a:24:cd:b8:06:7e:95:
+ 28:85:2a:c6:41:23:35:08:31:59:ce:ad:a3:23:1a:7a:11:26:
+ d9:45:57:bf:ea:e0:72:3a:f8:48:e0:c1:5c:b3:20:93:b5:1a:
+ 93:75:ef:f3:19:9d:ed:5d:9f:81:73:21:02:96:fa:ee:c9:4c:
+ c7:95:1b:aa:65:b9:69:15:3c:ef:b3:f6:e1:f5:89:78:05:50:
+ d3:54:c4:c9:40:e5:5f:3e:bd:36:d2:0e:27:99:5e:83:e5:4b:
+ bf:72:84:13:64:8d:d9:db:69:8b:04:37:e8:db:22:46:29:84:
+ 08:83:40:34:d8:e0:bf:cc:5c:7c:b2:bd:c5:38:7d:59:e6:9d:
+ 8a:78:87:08:13:6f:a5:7d:2f:88:80:ce:e5:86:38:6f:53:b8:
+ 99:ba:f5:21:9e:8f:5f:aa:3a:07:73:9b:02:f1:97:1f:8b:52:
+ 53:5e:24:af:d7:b9:a4:3f:4e:64:c8:62:26:b3:c0:44:dd:bb:
+ 29:8c:b5:66:05:5d:fd:f7
-----BEGIN CERTIFICATE-----
-MIIFJDCCAwygAwIBAgIBATANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxMVoXDTM4
-MDExNjE1MDUxMVowJjELMAkGA1UEBhMCU0UxFzAVBgNVBAMMDk9DU1AgcmVzcG9u
-ZGVyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoHZ++s49gOcqxB8C
-J/FNch94Vz8wnQYv1D5kFaIWeN6d+duBspZQtOg7wb1vgABKO7fvXo8g3R1uNo/k
-BWbHF3+tXeEaofpe0oQk+gBGJovoaO3AhjxF9WQPOwDLyz9FPZgR88ze4svltZFZ
-Q5lBhnl1okJOXhZ68w/s5MDinbXPm6nql3B6ICCMMFZLFikE1cZurRRzLc8jpTgR
-Xcm9nVfzGsn/FmSX1WAMCCsfqZk7XKyy1z7V8zJibiCKwnQpbqo1chsl3dEzlB6H
-6FGbNUViGXC316dkSAIIdMOqKyH2vDy0dLclekEjGl7jGw8czZjQGtP2ekr7eM+F
-bQLE5r7HTbqQWcIzE14+iTx2n7toA8sm5r/6/YtUQmnJEuhX4y1y9b57NbRgmqc9
-KZ/m9ThaljZyrdieJgzQKlg0itx1762l8jZosGocjsOfQwlcU0gWblhMRh6m0Nje
-eoXQWcsQ5oZepHHVjotO2aWKjpEwI/wiNfx4i6pmK+LwL8ly7qvsqQ8crXoV89x9
-2zm94e6I3gRfQ9Q9ehv4uZ44awaNBChak4stFgOZrGClQMOUEA+HDTvbdFn6wl/3
-7yyHKfB2flAphlzMe4lrEeOym6qdNljRia13U5/jhYllKW/Y93loScYJl+X6onkj
-t0jH2pjqurwWmzzKcQxqEAjf7xsCAwEAAaNZMFcwCQYDVR0TBAIwADALBgNVHQ8E
-BAMCBeAwHgYDVR0lBBcwFQYJKwYBBQUHMAEFBggrBgEFBQcDCTAdBgNVHQ4EFgQU
-1KCQpnn3+GrOKZI3LTYyIrVBdUUwDQYJKoZIhvcNAQEFBQADggIBABw3wiLnwx75
-tXqb7v68FYnLNFksucXhxlY62mprCN/0aTxdYk254mWPI0gwi5qjVXuKS9Kri4Ux
-eAlFLZv8Wa1nC+8gtXAjcSEm0uHETFSPAh6ENf97Z5AFfCUuyhOkMroKmqpreVOB
-azuV/hdRV4lxIms+FQZvHNaKnOFJZ0s/TvUrs4+JW/fJlHgCt/nbw7kvuRebDLri
-q0nnXw2F70s18jnnTO9qiIGZfqeMsffZ7P1wko0SHSJJPu9iVJI052cnoVw41R64
-lcKbEpVPjGTWxQamvxn+w7f9aNd/8n1/qk9xenjCr7ZqWlbPWpmCSznTgwMHuXs1
-MWysTMaMRtzTTFc9AW1edpRTnLroQtmLLohNmo8SxyvM4vmfHbFfVbsVTub1vH0D
-oQBHsB8mDlhkJKjvllHVZsxLDQs3FjPv06bCBeFsOLYh8sMPPmXQag83S8XbAQrO
-98XhTj9VqopRI3tmWasgZHoNvdzLeUYLV1HPbzeUA5YZpWHkqE18hAu4eboijOBn
-D4z/RAI7olRuP/mm0Eaz7eHRGBbqSla1m6C2q0Aua8SNf3XJkrbtMZIaJJTHZxb+
-bZvR+CslnTSmGCGPM1ybgTFpxvSz8lEufReWUDMH9vcd32K/KafajhXiYoM2pXcX
-9ykRDc+P4Je3JGy2ZHiN5/aX0Bo96jhP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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/ocsp-responder.key b/lib/hx509/data/ocsp-responder.key
index 98cdf65d0b18..140aaf807095 100644
--- a/lib/hx509/data/ocsp-responder.key
+++ b/lib/hx509/data/ocsp-responder.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJRQIBADANBgkqhkiG9w0BAQEFAASCCS8wggkrAgEAAoICAQCgdn76zj2A5yrE
-HwIn8U1yH3hXPzCdBi/UPmQVohZ43p3524GyllC06DvBvW+AAEo7t+9ejyDdHW42
-j+QFZscXf61d4Rqh+l7ShCT6AEYmi+ho7cCGPEX1ZA87AMvLP0U9mBHzzN7iy+W1
-kVlDmUGGeXWiQk5eFnrzD+zkwOKdtc+bqeqXcHogIIwwVksWKQTVxm6tFHMtzyOl
-OBFdyb2dV/Mayf8WZJfVYAwIKx+pmTtcrLLXPtXzMmJuIIrCdCluqjVyGyXd0TOU
-HofoUZs1RWIZcLfXp2RIAgh0w6orIfa8PLR0tyV6QSMaXuMbDxzNmNAa0/Z6Svt4
-z4VtAsTmvsdNupBZwjMTXj6JPHafu2gDyybmv/r9i1RCackS6FfjLXL1vns1tGCa
-pz0pn+b1OFqWNnKt2J4mDNAqWDSK3HXvraXyNmiwahyOw59DCVxTSBZuWExGHqbQ
-2N56hdBZyxDmhl6kcdWOi07ZpYqOkTAj/CI1/HiLqmYr4vAvyXLuq+ypDxytehXz
-3H3bOb3h7ojeBF9D1D16G/i5njhrBo0EKFqTiy0WA5msYKVAw5QQD4cNO9t0WfrC
-X/fvLIcp8HZ+UCmGXMx7iWsR47Kbqp02WNGJrXdTn+OFiWUpb9j3eWhJxgmX5fqi
-eSO3SMfamOq6vBabPMpxDGoQCN/vGwIDAQABAoICAQCHnl8H3xPARKCyjXqnA5zv
-HYX6R1/w9u+ptOmmFw5jLdPa/xkJNV4U6ErJHjCEwLn86yKWiuW9vEgQOWEA57LR
-O4ntVHnL+O33gtQ1r9GadpkBRiB3061VDzKILc4Qg/MjccmKgtbGXIpTAPuu1HK7
-EyDG+L9/agSUNhuD4zolDSrgZ6XsRJYTXS7fE6/2lMiPXVzhT+1hBDceRtr2p7Fo
-sJK5S4wbAv4Iy1qf9MKX9vhjBVtJ7MOq/iSO61Ybr03tSFJPlH5WkZ/ESmGXipFh
-Xrjgw5G95K4u5fj7pvvF5LjCs5PZKYm1YCQo/5V2ozk20zbf1dH13jXYD5y3W6XK
-APscRKXMjP4sXBq1GrjSqeWbgHpLeL9Gct3E40ytNw93hkjWDdT8xihlDrekT/hQ
-bUcB+4ok1qXqurZzf7A49UGK9la/5/jHDMNvG0L5Ssecz9zPtEdA5dcTwVZtndmk
-QzrxykvHZPSlcTm4plySGMo0JWvDhBQlAZdnzkEF84OTkT1Irc0SXQ65N0N5ouRI
-p5f8/e6hjPKjhRetg7wYmgZbsR9HHFJQrGiSUeQi83PHmmJtn/EUCgFIiGDNkUge
-djIY4OSwk8vsfwVgw6Alc0X3pqOcc3jJpHtwtKvAHBaeI1+qXywqK6IeXMzKDNyz
-wP2Raxms7IVcTAEXdVs9AQKCAQEA07PS3OfV6of8E7l+kMdN3a2xrlMEtHVjGQ2L
-tzaUbn35mE9xDCCgaEjQcx2VU9imGrSnv24KFNPIzmzH6N2ftyCQ/8XVnerEGmle
-L4AMIEV9VUIIf3Au5oW0zw+pVU6my9Q40cBGnun84oUMW55mEA0QNrfQh4br10H3
-+D4Z4NYT64ecyvexX1a7oKGJTSBSWV4+KxS8Yk9Q9llLI9GEr+nXY2IwMKjjYpaJ
-g26AWhsnPy/xkGmus5ed10HkG67+fsHr/zmucDgI8Jj023nsnggiv1NrbrYld6QF
-1CyhA+dvza+o4jriLb77kVHc7wVrfVhxDRwloTmbHfvdgIt12wKCAQEAwgnxrvph
-Ko+kARo+00s0rlEAqHiJ21Ty8YWZQH2LuSN9BK3POWzKSQJpxRFzTKdhXU1FVU5r
-gULdsGlA0MSNoZxSgYkVJFywFR8SYHDekjIYyoLVtRxKepmLqVUHbefbvRDu8NVD
-7elBmgCinGWigPNlCsnxSN9HtQ+exhQAYx6eoLQzZfocyf/i4QVnRnHSj93yTTT5
-u/OmNEJPLEb9Tt5OoYRMHf4IR+rNxm+H474XrYdn01h2nNUkEG2L3W7qJXPocWSZ
-43HnNYuwFUKF78EghO3eGWLv7H4laD0MpF842eJmt2PGOGcWYOLpn2Df8fEPXOZd
-I5xnoY4BxVDPwQKCAQEAq90MjjHXw/JpfknUqgxi9lgQKwlShH3X2XrZtf8lOR4k
-BrZXfBTwpDiYoRufItZ64qtOk2Xt4UKdfpdpI27oPm69yCb/aJgyY46u27kEHx7K
-xPA6ndqg+JwLUR3RxmN3nXnINt/1dQVYOzzv72EEUnuIciN/ssahp7ryaCFiONkS
-it8pNs0mvdNXtuvs3yQiNlL//VF0LgteGuAa1BU/tuAL767CmH5DOsIjGQQYRw5M
-Kkvtu+NP5JRtm1burFrAWH9t62EUcB3NhCVogtTUdub77n72dIaCnEIYSUuB2/2D
-EmRMonxTKfglmq/uwEySGsw12wLCucReXVUfWT/eiQKCAQEAktIdaq4PmbnIegEW
-6qAsQ34NRmy2uxxjG3dgh5i3gaYlscWmWChGQ8osqC3VFXpNROD0BmFpHQywXAy4
-O3+OP2veTh+gvLvZjJHPQOQGtY5sjcdD11+Jx4ypTb6F+ZaIAV5vvhFQ7hMiTVoP
-sNGCjZodqXU2OlKgmpMwK2b1CAsiMi1H+vCumfYiAOwqwfXcQnnJHrxn/tyUtVQ7
-PiCVCPlTfAlz4vnV4Dz96Rl5NE0g82/SkuuMDI2GVVveifWj/CThC/P4MU59iVmi
-KeQFHm3+ojauaH0hV8v3mBEhoLpgdRVHbZp0YTc3iqYH6k3OBe7GFiBE924gR/EA
-zAGiwQKCAQEAtNHidzC/J8qQql9+DPczfpSSu5wiZPf7y3rLK5flByysg/TmnjG1
-21V5JnOETy69sTAqEz4pzuf14lsNHlz4fjUKo8u3LKLtmrYlfaM3XT8B1vGIkZYv
-XZ1U8DReOIgAgjDgs3MTHJZ2JeAo6naHNIheQDWm+PUuRfG2ojz8srfVFvp+6M8l
-yv7UOmSKJZTWc4KFntdsPv5leEw+Mm428mdnw+mqAspEv1i27JC5eJ9c3wi8IBus
-YDwA8sGkOyty1rELE28s8rOJ2LqT2Pf/SoZfvp2O1FUuU0T7Ma/zg+oYJ/heUkPu
-Nv1cW+onrP/nvshX+2f5xy2Yy6uQYK9Khg==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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/pkinit-ec.crt b/lib/hx509/data/pkinit-ec.crt
index 7029daa66e5a..54435d387f1b 100644
--- a/lib/hx509/data/pkinit-ec.crt
+++ b/lib/hx509/data/pkinit-ec.crt
@@ -5,18 +5,18 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:15 2019 GMT
- Not After : Jan 16 15:05:15 2038 GMT
+ Not Before: Mar 22 22:25:06 2019 GMT
+ Not After : Nov 21 22:25:06 2518 GMT
Subject: C=SE, CN=pkinit-ec
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
- 04:57:a2:25:14:5b:a7:ac:55:9e:e0:ea:c2:92:98:
- c9:13:91:d3:c4:13:00:0c:f9:d6:29:a4:45:c3:53:
- f2:f6:92:8e:d9:ce:d4:24:48:56:80:1c:04:8e:13:
- ec:49:c1:4d:78:5e:f5:1c:d7:c2:0e:8d:93:da:a4:
- 79:18:6b:0a:9a
+ 04:c0:2b:8e:f3:0c:c3:1b:88:94:eb:4e:6a:12:f2:
+ fb:63:99:77:a2:13:7a:16:ce:48:dc:48:9a:83:91:
+ 5e:a9:b8:ab:17:77:94:ae:55:09:8d:69:4a:a4:a8:
+ 6b:77:12:01:fb:3c:6f:cd:b1:e3:02:be:63:b1:43:
+ 8d:8f:df:8c:75
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
@@ -25,57 +25,57 @@ Certificate:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
- 1D:2E:2D:D0:63:94:5A:99:95:87:DD:A3:11:F8:82:5A:2A:43:2B:28
+ 77:9B:74:4B:75:90:50:CE:20:C3:00:9B:A5:23:F7:69:A8:C7:CC:34
X509v3 Subject Alternative Name:
othername:<unsupported>
Signature Algorithm: sha1WithRSAEncryption
- b3:3e:84:9b:be:cd:a0:cc:21:dd:f7:12:41:90:8e:9e:25:30:
- 0b:2d:b5:1c:35:a1:15:76:9c:7e:dc:23:33:16:bf:ab:60:82:
- ad:3a:2e:4f:84:f1:62:21:7c:1c:a1:37:45:01:12:cf:99:aa:
- a3:b4:72:fe:c9:e3:bd:25:ef:4d:bf:b5:e2:ac:15:3f:b3:b7:
- df:78:2b:0e:2d:95:71:0b:c7:6c:31:54:c0:c1:e0:8f:00:10:
- 31:20:a6:5e:71:bd:d6:6f:45:cc:25:11:3d:ce:26:75:8b:ba:
- 03:3c:d4:87:89:c7:93:5b:d9:76:b1:20:96:83:07:91:34:05:
- 12:2d:56:e8:18:b2:4a:2d:ba:b0:59:02:65:81:60:3b:92:96:
- 7d:d1:c9:ab:bf:ac:bb:aa:f7:b3:a5:0b:de:e5:cb:0c:16:ac:
- 65:1c:da:6a:c5:16:43:15:b7:14:55:b9:6d:0f:f0:79:ef:b1:
- d0:6e:bf:85:fb:bb:93:6b:30:69:98:db:da:8c:f2:3a:e8:a3:
- c9:57:3c:d0:fa:7e:db:cd:48:93:7a:cd:af:a4:71:06:3d:a6:
- 94:b4:99:3a:2e:9c:3a:ac:2f:19:f5:19:1d:71:3d:96:00:74:
- c9:99:58:40:0d:c2:bf:cf:85:8f:dd:f6:ff:b0:cf:1a:84:6d:
- 02:87:4d:96:7d:db:2f:f1:8a:e5:39:30:8b:89:c4:8d:34:60:
- 05:85:96:92:fc:a0:6a:b9:df:54:53:e6:f3:9a:27:2d:bc:9d:
- 8d:a5:44:bd:81:83:d3:8a:d6:96:b1:71:b3:4b:40:b6:95:e2:
- 45:19:e3:a5:3c:17:af:a8:39:2a:52:68:e4:7c:0f:fa:fd:15:
- 07:fd:e5:e8:1c:cb:b3:2c:d4:97:21:7b:86:fb:fb:78:9a:6a:
- f2:71:0b:b7:2e:d7:df:96:cb:2e:83:2e:81:29:50:0f:e0:50:
- 0f:d5:34:7d:13:eb:a2:68:d2:a1:26:35:15:08:a9:ac:7e:f5:
- 8d:4c:68:01:a2:01:05:db:5b:7d:ea:ba:45:ea:34:93:db:89:
- 0e:46:58:6e:a3:6f:aa:4a:6c:ac:28:58:a0:48:cc:e2:75:54:
- e4:79:19:b3:d5:6c:c9:04:b3:d0:9b:51:f5:07:0e:e1:a0:07:
- 61:e9:53:dc:0f:83:3c:7f:54:7b:ca:7e:35:b9:6c:0a:e5:b4:
- 61:48:11:a1:92:27:1d:2e:57:07:67:f0:b0:66:61:0b:a5:15:
- d1:1a:10:05:34:90:52:a3:c4:a8:19:cf:3e:52:b3:c9:ab:49:
- e8:84:96:a9:9f:d7:bb:a4:43:2b:ef:b2:bf:8b:01:46:b0:48:
- e4:80:b8:3e:4a:ab:85:5f
+ 70:02:b8:13:0f:d9:2b:7a:e9:42:5c:82:6a:9d:ea:f8:51:dc:
+ a9:2e:67:ec:c3:cb:67:48:fe:6a:bd:58:86:67:c2:1f:d4:a0:
+ dc:7d:17:41:93:8d:e0:67:60:01:60:cc:34:1f:0e:b0:fc:9b:
+ 5f:f6:cf:91:2b:a3:ec:28:5b:80:ff:31:21:14:5b:3c:a2:5c:
+ 6b:3b:32:94:de:ab:03:d9:41:70:c1:4f:4e:49:4d:63:8f:9a:
+ 8b:be:14:87:b0:df:bc:64:83:e1:99:ce:e6:77:12:5a:43:e3:
+ 3b:d7:e9:10:5e:68:36:38:de:88:c2:78:af:97:a3:a2:4e:bf:
+ a9:2d:e1:98:f4:9a:35:ec:b4:2a:70:18:09:99:ff:80:fb:73:
+ 49:75:47:54:31:7a:e1:43:28:4b:53:71:81:92:4c:42:db:9b:
+ 52:38:ad:90:47:db:4e:da:75:6f:37:14:ce:56:6e:06:d0:40:
+ 8e:df:f1:71:23:98:ee:b4:43:b7:77:3a:1c:a5:a3:6f:3e:d3:
+ 5f:86:0b:6d:d4:b8:4a:2e:8a:e0:d7:d2:75:5f:ca:bc:9c:e2:
+ d8:b9:04:bf:ec:8a:1e:78:28:f5:13:73:9c:dd:2c:10:73:55:
+ cf:40:96:8d:8a:b4:1c:79:bd:aa:01:de:b2:de:c4:30:04:11:
+ af:d5:fb:cb:28:44:25:02:ab:b3:68:22:02:1b:99:b1:96:eb:
+ f7:f3:ad:6e:32:76:67:be:bb:78:bc:46:9a:1c:b3:8e:66:39:
+ eb:cb:d8:76:c8:06:e5:79:1e:f0:fa:54:3f:a1:ea:ff:60:e8:
+ fb:55:d9:1c:47:3a:e7:67:df:c8:69:1d:d1:9a:56:96:2b:01:
+ 79:ad:22:f2:7a:3b:e6:be:32:84:9a:e3:50:db:89:69:c1:3e:
+ 19:09:d5:b3:3c:2c:08:90:8b:93:aa:39:ae:48:90:ec:cf:79:
+ 3d:15:91:86:3e:38:0e:0a:99:b1:d9:78:14:59:17:44:c0:76:
+ 70:a0:7a:92:64:2a:60:04:aa:ce:6b:b1:d5:c1:3b:e8:1b:58:
+ 6f:7d:dd:dc:90:49:55:e1:37:5a:7b:75:89:da:08:c1:a5:33:
+ c9:f9:0d:4a:1d:08:e0:a8:be:3f:0e:a2:e0:10:71:92:50:f8:
+ 75:33:98:7c:be:c9:2f:c8:7c:b2:19:94:14:59:0b:1c:ca:bc:
+ 34:ff:03:a4:3c:f0:bd:ac:c8:f6:63:8f:59:d3:eb:65:e9:96:
+ 9b:21:a9:94:a7:7d:fe:dd:62:cd:77:62:6a:58:38:de:63:4c:
+ 0c:c3:ea:09:4f:6a:80:76:07:59:ba:15:d2:b4:c1:46:1e:11:
+ 50:5b:be:8d:8e:21:4e:78
-----BEGIN CERTIFICATE-----
-MIIDbjCCAVagAwIBAgIBBzANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxNVoXDTM4
-MDExNjE1MDUxNVowITELMAkGA1UEBhMCU0UxEjAQBgNVBAMMCXBraW5pdC1lYzBZ
-MBMGByqGSM49AgEGCCqGSM49AwEHA0IABFeiJRRbp6xVnuDqwpKYyROR08QTAAz5
-1imkRcNT8vaSjtnO1CRIVoAcBI4T7EnBTXhe9RzXwg6Nk9qkeRhrCpqjczBxMAkG
-A1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBQdLi3QY5RamZWH3aMR+IJa
-KkMrKDA4BgNVHREEMTAvoC0GBisGAQUCAqAjMCGgDRsLVEVTVC5INUwuU0WhEDAO
-oAMCAQGhBzAFGwNiYXIwDQYJKoZIhvcNAQEFBQADggIBALM+hJu+zaDMId33EkGQ
-jp4lMAsttRw1oRV2nH7cIzMWv6tggq06Lk+E8WIhfByhN0UBEs+ZqqO0cv7J470l
-702/teKsFT+zt994Kw4tlXELx2wxVMDB4I8AEDEgpl5xvdZvRcwlET3OJnWLugM8
-1IeJx5Nb2XaxIJaDB5E0BRItVugYskoturBZAmWBYDuSln3Ryau/rLuq97OlC97l
-ywwWrGUc2mrFFkMVtxRVuW0P8HnvsdBuv4X7u5NrMGmY29qM8jroo8lXPND6ftvN
-SJN6za+kcQY9ppS0mTounDqsLxn1GR1xPZYAdMmZWEANwr/PhY/d9v+wzxqEbQKH
-TZZ92y/xiuU5MIuJxI00YAWFlpL8oGq531RT5vOaJy28nY2lRL2Bg9OK1paxcbNL
-QLaV4kUZ46U8F6+oOSpSaOR8D/r9FQf95egcy7Ms1Jche4b7+3iaavJxC7cu19+W
-yy6DLoEpUA/gUA/VNH0T66Jo0qEmNRUIqax+9Y1MaAGiAQXbW33qukXqNJPbiQ5G
-WG6jb6pKbKwoWKBIzOJ1VOR5GbPVbMkEs9CbUfUHDuGgB2HpU9wPgzx/VHvKfjW5
-bArltGFIEaGSJx0uVwdn8LBmYQulFdEaEAU0kFKjxKgZzz5Ss8mrSeiElqmf17uk
-Qyvvsr+LAUawSOSAuD5Kq4Vf
+MIIDcDCCAVigAwIBAgIBBzANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
+OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMCAXDTE5MDMyMjIyMjUwNloYDzI1
+MTgxMTIxMjIyNTA2WjAhMQswCQYDVQQGEwJTRTESMBAGA1UEAwwJcGtpbml0LWVj
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwCuO8wzDG4iU605qEvL7Y5l3ohN6
+Fs5I3Eiag5FeqbirF3eUrlUJjWlKpKhrdxIB+zxvzbHjAr5jsUONj9+MdaNzMHEw
+CQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0OBBYEFHebdEt1kFDOIMMAm6Uj
+92mox8w0MDgGA1UdEQQxMC+gLQYGKwYBBQICoCMwIaANGwtURVNULkg1TC5TRaEQ
+MA6gAwIBAaEHMAUbA2JhcjANBgkqhkiG9w0BAQUFAAOCAgEAcAK4Ew/ZK3rpQlyC
+ap3q+FHcqS5n7MPLZ0j+ar1YhmfCH9Sg3H0XQZON4GdgAWDMNB8OsPybX/bPkSuj
+7ChbgP8xIRRbPKJcazsylN6rA9lBcMFPTklNY4+ai74Uh7DfvGSD4ZnO5ncSWkPj
+O9fpEF5oNjjeiMJ4r5ejok6/qS3hmPSaNey0KnAYCZn/gPtzSXVHVDF64UMoS1Nx
+gZJMQtubUjitkEfbTtp1bzcUzlZuBtBAjt/xcSOY7rRDt3c6HKWjbz7TX4YLbdS4
+Si6K4NfSdV/KvJzi2LkEv+yKHngo9RNznN0sEHNVz0CWjYq0HHm9qgHest7EMAQR
+r9X7yyhEJQKrs2giAhuZsZbr9/OtbjJ2Z767eLxGmhyzjmY568vYdsgG5Xke8PpU
+P6Hq/2Do+1XZHEc652ffyGkd0ZpWlisBea0i8no75r4yhJrjUNuJacE+GQnVszws
+CJCLk6o5rkiQ7M95PRWRhj44DgqZsdl4FFkXRMB2cKB6kmQqYASqzmux1cE76BtY
+b33d3JBJVeE3Wnt1idoIwaUzyfkNSh0I4Ki+Pw6i4BBxklD4dTOYfL7JL8h8shmU
+FFkLHMq8NP8DpDzwvazI9mOPWdPrZemWmyGplKd9/t1izXdialg43mNMDMPqCU9q
+gHYHWboV0rTBRh4RUFu+jY4hTng=
-----END CERTIFICATE-----
diff --git a/lib/hx509/data/pkinit-ec.key b/lib/hx509/data/pkinit-ec.key
index 846bb51aae15..0ac3fe4861e3 100644
--- a/lib/hx509/data/pkinit-ec.key
+++ b/lib/hx509/data/pkinit-ec.key
@@ -1,5 +1,5 @@
-----BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgf0P72e36G4JST5z5
-hGIETF9eViQ6rCu3pu3793hC6DuhRANCAARXoiUUW6esVZ7g6sKSmMkTkdPEEwAM
-+dYppEXDU/L2ko7ZztQkSFaAHASOE+xJwU14XvUc18IOjZPapHkYawqa
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg38AlgS7f0d6rvR6u
+mLJVGl/UF04RYiIeWsVJYUNS7RKhRANCAATAK47zDMMbiJTrTmoS8vtjmXeiE3oW
+zkjcSJqDkV6puKsXd5SuVQmNaUqkqGt3EgH7PG/NseMCvmOxQ42P34x1
-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/pkinit-proxy-chain.crt b/lib/hx509/data/pkinit-proxy-chain.crt
index 15fd65fdc846..2b425bcb28f6 100644
--- a/lib/hx509/data/pkinit-proxy-chain.crt
+++ b/lib/hx509/data/pkinit-proxy-chain.crt
@@ -1,32 +1,32 @@
-----BEGIN CERTIFICATE-----
-MIIFNjCCAx6gAwIBAgIJAJd7zCsMMPvCMA0GCSqGSIb3DQEBCwUAMB4xCzAJBgNV
-BAYTAlNFMQ8wDQYDVQQDDAZwa2luaXQwHhcNMTkwNTIzMTUwNTE1WhcNMzgwMTE2
-MTUwNTE1WjA1MQswCQYDVQQGEwJTRTEPMA0GA1UEAwwGcGtpbml0MRUwEwYDVQQD
-DAxwa2luaXQtcHJveHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCh
-U0hTlQYhDONlH8153Wn2/H6/OW15S9pvg/RcQ9+Mc7a3kOEnImHt4B/zevv1rfYa
-EernC2mrTxvSSy2Oxx3yNFsV1Kys+kMYiIygswPohTHYhMQKEjqGPTN97E1JcvMQ
-iZy19sl6tG+kLZKa5pSTUoFrlqw2NN9U1WjlgaZ7WnLxwLlatQnZOnA6+MoU1bJe
-pkPUAcjOOQZTd2D/3tAOcBKfQ6z97XFqfxzcnclz+9BXgFdZWTR1efd5yYNy17ny
-8hoEHuc34+a/hrrhfiFiXYKFF6f07YI6lt+ElPOc93oz19fE4wVskXjvxLOwahzM
-q2jRalsj/XlYCEHrZqaYjHvY8MYNFleThQEwJ/zldgQjx2MMnUD3ApxRDutfYM9e
-MFSv0ATDFoKi55mGySMD3dMpI1I/TER459Am5c88SfxJNJXAW/2GJXQAJ7tCL3dM
-sYcqkl5uVZXPJxSQbfFCl95lhlzOtoXZTS1+cxYN0oz9YfLoG3tz3x5Xtxo0eUbI
-NJBq1sWi6bO6+6GyQOxs45sawl906XFqW/qzSywNOOsT/hcuEvc4IGdZKLP/wxF0
-HJzeaqDwfmiT1tz8jArGsbqw/i77xND6tq+56rur5/BhfIapXZ9wKDfawQttpDnX
-PTcaT8BSqQejfZa0RiRvt70pypm98eZ1XRzWhC6bvQIDAQABo2AwXjAJBgNVHRME
-AjAAMAsGA1UdDwQEAwIF4DAdBgNVHQ4EFgQUzoShaVViBQhilqB70YV+yuLcWIEw
-JQYIKwYBBQUHAQ4BAf8EFjAUAgEAMA8GCCsGAQUFBxUABANmb28wDQYJKoZIhvcN
-AQELBQADggIBAL45/vKz88cBG7c11gyePde86H7qWgIKrWocohn6eoXF1p2ZkLvP
-na4o7WVr/WC7t4DiBZVUNVvrqss/nOI3wMVjU9Mn9wrJbycvrVPAWH1nIhlKR3gM
-H8PTcZiHI+Vf14aHTjeRFEXxy0i+K7JxtKRQC/Bi+MuwnBvPwvar3tqFLXprRk4p
-p42I7/ngT8WcAzz/LWj0rWYNl/TEFU3esDBr3rz+B5TFVcp2dLpcZW7ScFRh9bLT
-OwJ/QNhzvnH5cwsWlb8cpDTFVeyTOBgqh9t6ut6SnDfCu03xIBVuCk+P5KhOGWAS
-3cOVqvGn3Y3q1glE2XdKgyYqU2z3itneUyiCeopItFaKZIV52s4WuIuGO+PK8XOi
-QhwtnsWO91toEFUpUNkxf/C6C61G4xuvHeMVLdTzO1Xi5kuHyN9gD8rLAuUfaV1c
-Zv3f2S8WpvEGkSSu8Ap1k3ExfIaFhgxzu3pjGL5e6YV2lK9d/UGXOpDRFZOUuoRm
-dyowQcF3XcH6zTDu+ThXlPSq5bkjrnMnNt2z2LfqGb/GFp1vl11LsXeLgpHmFTq2
-4umDDUwMHVzrmFoa3BtUkgO3BUoSrt2l63TFqTQZgZAf/D042jBcmOhV6Mt5MsDK
-MFZkoYjtv+8jTeRwxP2zi3EceCvGkV1Mf3t2/h4wYGa25J6HFq86VVRU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=
-----END CERTIFICATE-----
Certificate:
Data:
@@ -35,48 +35,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:15 2019 GMT
- Not After : Jan 16 15:05:15 2038 GMT
+ Not Before: Mar 22 22:25:06 2019 GMT
+ Not After : Nov 21 22:25:06 2518 GMT
Subject: C=SE, CN=pkinit
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:bf:4b:44:8f:d1:dd:56:18:41:5c:c2:c4:2b:ff:
- 28:e6:7f:68:26:d4:0f:08:e6:af:dd:72:28:9b:ec:
- 5f:5a:2f:f1:9a:7b:21:0f:c2:01:96:d8:85:32:20:
- 5c:c7:91:fb:2d:71:33:d7:dc:81:06:32:2e:e5:ec:
- 61:37:8a:0b:0c:23:57:cd:9c:ae:93:79:58:26:1e:
- de:26:18:12:52:c3:76:7a:d1:6a:dc:98:67:13:4d:
- 73:dc:8f:7f:7b:dc:97:15:dd:eb:6e:0b:54:cc:f7:
- ef:db:14:8f:d2:89:47:3e:8c:e7:de:ef:61:34:67:
- 10:60:8a:87:13:6d:86:91:9d:8a:92:64:72:5c:ef:
- 64:57:b9:0e:91:ea:41:2c:03:e0:67:c7:51:cf:ea:
- 09:5a:e9:0e:ba:eb:be:53:10:90:e5:0f:87:33:3b:
- e6:53:11:1c:6d:75:34:ea:4a:7c:59:f4:6b:da:82:
- 30:4d:f5:72:ad:ae:41:f7:c1:ca:b2:7e:74:a4:45:
- bd:2d:80:c5:47:d3:ed:c2:02:fb:d9:85:76:00:3d:
- a6:ab:da:2a:ef:a4:c7:d6:74:c4:88:02:63:d5:a0:
- 5f:6b:88:ee:bc:df:0f:43:78:8f:62:1a:c6:c8:e5:
- 3a:43:aa:75:94:d0:71:15:a4:8a:f9:67:5d:93:93:
- bd:78:04:46:39:90:48:22:05:78:17:ec:b9:26:3f:
- 4f:7b:a9:e2:79:b3:cf:13:ce:34:9f:3c:7a:8f:a8:
- b7:b4:12:39:01:4f:26:44:33:b9:7d:eb:c7:0d:c7:
- 1c:d3:c5:52:2b:cb:65:a2:48:b8:c6:b2:e5:17:d3:
- df:ed:ef:e9:ea:21:5f:2e:42:23:40:35:7e:97:23:
- 28:42:0e:22:25:79:f6:ea:ae:a3:cf:c6:c4:ef:ed:
- c3:1f:14:05:5f:66:ab:20:a0:5e:80:11:32:1f:ff:
- 69:10:e2:8e:d6:70:e4:97:ab:82:89:37:57:74:43:
- 81:e6:85:ca:6e:3b:1d:ae:3f:ca:7f:da:2b:7b:db:
- ee:ab:ad:a1:a1:16:38:9c:b6:f2:af:be:b0:19:e1:
- 63:14:6f:26:24:f4:a8:3a:04:0e:9a:9c:5a:0a:bd:
- 22:91:c4:c3:ab:2f:ea:54:d7:ca:ad:ed:b7:a0:98:
- 8a:c8:94:15:ea:13:22:97:29:df:3a:85:4c:80:0d:
- ee:3f:d0:66:3d:9c:0f:41:2b:fd:1e:90:f5:8a:fb:
- 4c:10:20:3b:91:cc:fc:ab:d8:89:ac:7a:9f:bc:c9:
- e4:09:fe:81:ba:53:cf:f5:13:1b:4b:b0:f3:bf:34:
- 3d:3d:2c:8c:90:89:d6:37:78:cc:7c:f0:a8:97:08:
- ac:ea:f5
+ 00:e4:e6:1a:b1:de:91:30:34:8a:c7:f2:d9:0a:09:
+ 82:13:46:e9:db:c8:54:1e:0e:b0:b0:0a:e3:a3:b5:
+ 55:3c:6f:f8:45:8f:24:ed:56:c5:16:23:aa:ad:86:
+ 5a:5a:e0:8f:a2:f5:82:59:cc:70:b7:45:cc:1b:44:
+ a7:49:4b:ff:63:28:9d:01:22:79:ca:1a:6a:2b:75:
+ f8:40:c0:f0:93:b1:ab:85:cd:af:88:ac:30:f3:cb:
+ 42:87:fc:be:76:bb:fd:1c:a4:45:7a:66:37:47:ea:
+ aa:bf:c4:4b:47:fb:5b:ab:3f:c1:22:a9:06:f2:61:
+ 3d:5b:20:51:fc:ce:a7:82:74:6f:3d:ac:68:d6:78:
+ a2:77:83:26:af:23:63:20:3f:21:6e:29:1f:55:4c:
+ a6:d0:5a:51:e5:96:c1:cd:22:03:22:ee:de:42:3c:
+ 82:4d:29:20:c6:be:85:5b:04:3a:5f:8b:c7:e8:4e:
+ aa:3c:8e:dd:0d:d8:e5:d0:ff:0b:52:37:40:51:0d:
+ 33:f7:a8:05:07:76:dc:48:20:cd:52:38:a4:1f:44:
+ 11:cf:6d:58:a9:5a:9a:34:cb:93:07:30:e3:66:7b:
+ dc:d3:0b:6b:a2:1c:3f:19:ec:0b:0c:ea:29:6c:75:
+ 4d:7a:86:cf:35:87:9e:50:15:f3:34:73:0e:ac:4b:
+ a5:aa:1f:a2:f9:d5:8f:34:bd:5f:19:ae:22:8c:7f:
+ f7:ca:64:e6:ed:42:75:e5:92:9c:53:53:b7:66:68:
+ e5:07:eb:08:40:ec:bd:7c:ae:b0:c4:a5:4b:d7:4b:
+ 58:86:05:a8:91:db:ee:7a:3f:c4:fd:83:e5:7b:cb:
+ d0:8c:87:68:3b:83:67:e5:6a:5e:fa:28:b5:ee:07:
+ b1:0d:6a:93:1e:b0:c7:5c:57:fd:ce:e2:9c:0f:5e:
+ fe:41:cf:20:f2:1d:88:52:00:d4:83:fe:5b:d7:87:
+ 49:b0:78:2b:a7:60:c2:55:c6:c3:a2:6d:16:04:7f:
+ 8b:12:f7:65:c6:91:41:53:d8:ac:70:c0:3d:83:d8:
+ e0:6c:bb:3e:48:b8:c2:72:be:c0:35:61:40:ff:9f:
+ 97:18:9e:c7:39:0f:93:36:8f:0e:a6:3c:6d:5b:fd:
+ 89:6a:bb:ee:5e:43:f8:0d:29:7a:cf:23:bf:0b:c1:
+ 29:76:ae:a2:9a:73:b2:d0:b9:bd:48:51:25:8a:6b:
+ a9:c5:07:94:26:03:10:74:7b:fc:b7:5d:8f:2d:97:
+ 55:11:3e:7c:04:89:0e:b9:b9:73:2a:6c:5b:12:19:
+ 65:92:48:64:d5:4f:2c:79:3f:16:ad:65:97:21:db:
+ 3c:30:68:67:aa:42:14:86:59:57:b0:79:15:9e:a3:
+ 05:4f:33
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
@@ -84,66 +84,66 @@ Certificate:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
- 76:9F:AA:4D:D1:1E:92:61:23:CE:AE:DC:C3:CD:07:EB:A7:13:43:2F
+ 7A:C6:DB:B8:D2:75:D1:8D:BB:72:AE:B5:25:6E:6F:8C:AF:63:3A:4D
X509v3 Subject Alternative Name:
othername:<unsupported>
Signature Algorithm: sha1WithRSAEncryption
- 3d:2f:62:54:90:6a:d1:f1:93:cc:21:b6:45:d2:d8:d3:ae:c8:
- c4:63:6d:9a:25:a1:c3:33:3a:c0:90:ea:ac:4b:67:a4:af:dd:
- 75:3f:03:13:44:a9:7e:5a:9e:3b:6f:df:06:d0:6d:ae:bf:fc:
- bf:23:b0:5e:c9:1b:98:d1:e6:6c:20:83:48:2f:b1:8d:ef:c1:
- 33:fd:d1:7f:d0:ca:03:9a:e4:3a:42:17:0d:e6:40:25:2f:f3:
- 80:83:36:c4:cc:8e:4b:7b:90:9d:22:ca:83:c1:a3:d0:c9:13:
- af:b4:a6:d7:d9:3b:be:fd:d1:5a:da:71:f8:6e:18:c8:8e:82:
- d0:b8:a6:de:58:c8:9b:8f:c1:20:ab:81:a8:3b:29:81:2d:cb:
- a2:f3:b2:9b:81:7d:78:c6:55:ed:05:75:7f:4c:64:6b:fe:00:
- e7:2b:6e:17:d5:32:de:e1:1d:33:f6:ce:89:4b:c6:be:92:54:
- f7:16:ea:91:b7:af:46:80:41:8f:6c:47:d6:07:d7:62:34:1b:
- 7c:69:e8:6c:ac:6f:39:b2:3c:60:cd:b3:89:95:3a:9e:ef:75:
- fa:b1:ad:b4:bc:89:69:1c:69:53:dd:94:25:93:7c:64:56:75:
- 0a:a9:8d:2b:6d:ed:9c:e7:cf:9a:ad:02:ca:79:f4:fa:59:4e:
- 51:33:c3:f9:4d:a6:35:62:50:e7:f3:2d:aa:32:b3:60:2f:1e:
- e3:71:6b:78:98:f7:9f:fe:0f:0f:f1:a5:6a:4f:f7:01:22:52:
- 60:6b:62:b5:5b:15:6d:4f:41:e0:23:a0:43:45:39:70:f3:a0:
- bd:30:14:63:01:01:f4:1f:fb:65:43:c8:99:57:aa:47:2d:53:
- 0c:f6:c2:65:f3:1a:64:69:67:f3:7b:b1:2f:0f:c1:e8:a2:5e:
- 78:bd:df:a6:d8:3e:ce:6a:fc:bb:c6:14:a1:6b:de:fa:47:5d:
- ce:6a:24:60:da:1b:5d:fd:c1:5f:27:34:a2:b6:dc:bb:e5:f4:
- cb:14:88:e6:66:e7:49:e8:a0:22:49:da:af:1a:30:f6:ac:a7:
- 99:56:5e:b4:b0:19:71:67:59:cd:0d:67:4b:82:54:0d:c9:88:
- cb:ea:36:7f:60:d5:df:8a:74:78:25:2a:b5:ca:89:ac:9a:0b:
- bc:a4:25:f9:38:c0:13:58:1b:5c:60:0a:b7:9c:74:de:b1:7b:
- e2:5e:1d:85:50:e0:69:22:c5:2f:e1:1a:1c:ca:cd:a7:ab:0d:
- a2:ce:f1:88:92:68:10:fa:1d:ca:f4:62:6d:cd:8b:1b:72:2f:
- 67:a1:b6:f6:ef:b9:f1:e8:bd:42:54:d8:4b:e0:8b:9b:6d:2d:
- 1c:ca:c3:eb:79:5c:d7:00
+ 7f:5c:76:fd:3d:ef:0c:7f:70:c7:09:d3:5c:c1:b6:40:25:47:
+ a3:6a:bf:4e:ad:d1:e6:cc:92:86:b6:6a:42:3d:4f:bc:f1:6f:
+ fd:7e:22:52:9c:dc:a6:0b:71:98:80:44:cf:f1:91:bb:50:c8:
+ 15:cd:8c:d8:9c:7d:8d:69:61:1b:4c:66:40:77:44:45:33:9c:
+ 9a:04:01:a1:4b:82:3a:d7:39:97:27:90:a6:71:9a:b1:9c:ce:
+ 60:01:8b:a5:6f:39:a3:e1:75:de:3c:5c:61:66:a5:50:db:0f:
+ 4a:03:32:8d:dd:e5:b6:ab:6a:b2:53:6a:4c:c9:99:74:f7:f5:
+ 1e:a5:06:1a:d3:64:26:c5:77:f4:a6:40:1a:c4:7e:22:05:a6:
+ a5:25:f7:5d:74:a5:c9:86:c0:3a:88:2e:6e:0e:58:4f:e5:6e:
+ e9:2a:34:2a:1d:1d:a4:e4:74:f3:a5:e5:56:5d:5f:02:c4:eb:
+ c7:12:f2:55:6a:f1:6c:ec:6e:b8:c1:2d:aa:4a:7d:ed:91:c8:
+ 78:1b:b7:b9:37:17:32:ee:1b:b5:d9:5c:98:d2:cf:d8:c6:90:
+ a5:c9:f1:eb:8d:2c:d4:90:b2:8c:e5:53:9a:66:20:92:8b:a2:
+ 0c:8b:76:9b:5f:5b:39:77:69:67:a7:8c:de:10:57:85:45:a4:
+ 8f:85:3a:59:5f:fc:0c:70:de:1c:67:33:5e:9b:a5:21:3d:bd:
+ 2e:de:3e:c2:0d:cf:8f:52:43:92:01:cc:47:da:af:47:85:69:
+ 94:d3:9f:c9:d5:5d:50:ca:27:a5:bb:c0:53:12:e0:e8:3c:ed:
+ 0d:bd:47:97:af:be:b8:f9:0c:10:2a:79:21:3c:15:ef:c0:a5:
+ eb:33:38:93:5b:a3:de:1a:97:eb:c3:db:04:1f:e8:f4:23:10:
+ ff:2d:1e:9b:4e:1f:8e:27:7d:71:34:e2:be:74:a2:62:69:9a:
+ 83:7b:6e:9e:e4:a2:7c:84:82:ff:83:b3:cd:d2:0f:74:05:72:
+ b8:b0:45:23:b6:cd:04:25:2d:58:7f:92:ce:68:f9:ba:d0:9e:
+ a8:e1:f8:c0:86:0e:aa:ee:f9:af:ff:5c:bf:46:76:08:b1:83:
+ e7:66:8b:ca:1b:8f:f4:9f:6a:ac:71:4e:3a:d1:77:fd:97:81:
+ ff:0e:d0:d1:4a:7e:6d:94:e6:8c:e1:28:92:b1:68:83:5a:62:
+ 48:0d:26:ee:28:60:57:ff:52:b8:1e:8c:03:d8:fb:c1:6e:4f:
+ fd:7a:46:0b:0f:c8:05:ad:3a:a4:68:be:fd:30:62:ce:f2:0a:
+ b1:34:2c:95:e7:e2:91:ec:a3:c6:4e:2d:a5:fe:09:45:84:38:
+ 9c:d7:f4:0b:18:22:9d:df
-----BEGIN CERTIFICATE-----
-MIIFNjCCAx6gAwIBAgIBBjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxNVoXDTM4
-MDExNjE1MDUxNVowHjELMAkGA1UEBhMCU0UxDzANBgNVBAMMBnBraW5pdDCCAiIw
-DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL9LRI/R3VYYQVzCxCv/KOZ/aCbU
-Dwjmr91yKJvsX1ov8Zp7IQ/CAZbYhTIgXMeR+y1xM9fcgQYyLuXsYTeKCwwjV82c
-rpN5WCYe3iYYElLDdnrRatyYZxNNc9yPf3vclxXd624LVMz379sUj9KJRz6M597v
-YTRnEGCKhxNthpGdipJkclzvZFe5DpHqQSwD4GfHUc/qCVrpDrrrvlMQkOUPhzM7
-5lMRHG11NOpKfFn0a9qCME31cq2uQffByrJ+dKRFvS2AxUfT7cIC+9mFdgA9pqva
-Ku+kx9Z0xIgCY9WgX2uI7rzfD0N4j2IaxsjlOkOqdZTQcRWkivlnXZOTvXgERjmQ
-SCIFeBfsuSY/T3up4nmzzxPONJ88eo+ot7QSOQFPJkQzuX3rxw3HHNPFUivLZaJI
-uMay5RfT3+3v6eohXy5CI0A1fpcjKEIOIiV59uquo8/GxO/twx8UBV9mqyCgXoAR
-Mh//aRDijtZw5Jergok3V3RDgeaFym47Ha4/yn/aK3vb7qutoaEWOJy28q++sBnh
-YxRvJiT0qDoEDpqcWgq9IpHEw6sv6lTXyq3tt6CYisiUFeoTIpcp3zqFTIAN7j/Q
-Zj2cD0Er/R6Q9Yr7TBAgO5HM/KvYiax6n7zJ5An+gbpTz/UTG0uw8780PT0sjJCJ
-1jd4zHzwqJcIrOr1AgMBAAGjczBxMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0G
-A1UdDgQWBBR2n6pN0R6SYSPOrtzDzQfrpxNDLzA4BgNVHREEMTAvoC0GBisGAQUC
-AqAjMCGgDRsLVEVTVC5INUwuU0WhEDAOoAMCAQGhBzAFGwNiYXIwDQYJKoZIhvcN
-AQEFBQADggIBAD0vYlSQatHxk8whtkXS2NOuyMRjbZolocMzOsCQ6qxLZ6Sv3XU/
-AxNEqX5anjtv3wbQba6//L8jsF7JG5jR5mwgg0gvsY3vwTP90X/QygOa5DpCFw3m
-QCUv84CDNsTMjkt7kJ0iyoPBo9DJE6+0ptfZO7790VracfhuGMiOgtC4pt5YyJuP
-wSCrgag7KYEty6LzspuBfXjGVe0FdX9MZGv+AOcrbhfVMt7hHTP2zolLxr6SVPcW
-6pG3r0aAQY9sR9YH12I0G3xp6GysbzmyPGDNs4mVOp7vdfqxrbS8iWkcaVPdlCWT
-fGRWdQqpjStt7Zznz5qtAsp59PpZTlEzw/lNpjViUOfzLaoys2AvHuNxa3iY95/+
-Dw/xpWpP9wEiUmBrYrVbFW1PQeAjoENFOXDzoL0wFGMBAfQf+2VDyJlXqkctUwz2
-wmXzGmRpZ/N7sS8PweiiXni936bYPs5q/LvGFKFr3vpHXc5qJGDaG139wV8nNKK2
-3Lvl9MsUiOZm50nooCJJ2q8aMPasp5lWXrSwGXFnWc0NZ0uCVA3JiMvqNn9g1d+K
-dHglKrXKiayaC7ykJfk4wBNYG1xgCrecdN6xe+JeHYVQ4GkixS/hGhzKzaerDaLO
-8YiSaBD6Hcr0Ym3NixtyL2ehtvbvufHovUJU2Evgi5ttLRzKw+t5XNcA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=
-----END CERTIFICATE-----
diff --git a/lib/hx509/data/pkinit-proxy.crt b/lib/hx509/data/pkinit-proxy.crt
index 3fe393e4193e..d92acdfceafd 100644
--- a/lib/hx509/data/pkinit-proxy.crt
+++ b/lib/hx509/data/pkinit-proxy.crt
@@ -1,30 +1,30 @@
-----BEGIN CERTIFICATE-----
-MIIFNjCCAx6gAwIBAgIJAJd7zCsMMPvCMA0GCSqGSIb3DQEBCwUAMB4xCzAJBgNV
-BAYTAlNFMQ8wDQYDVQQDDAZwa2luaXQwHhcNMTkwNTIzMTUwNTE1WhcNMzgwMTE2
-MTUwNTE1WjA1MQswCQYDVQQGEwJTRTEPMA0GA1UEAwwGcGtpbml0MRUwEwYDVQQD
-DAxwa2luaXQtcHJveHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCh
-U0hTlQYhDONlH8153Wn2/H6/OW15S9pvg/RcQ9+Mc7a3kOEnImHt4B/zevv1rfYa
-EernC2mrTxvSSy2Oxx3yNFsV1Kys+kMYiIygswPohTHYhMQKEjqGPTN97E1JcvMQ
-iZy19sl6tG+kLZKa5pSTUoFrlqw2NN9U1WjlgaZ7WnLxwLlatQnZOnA6+MoU1bJe
-pkPUAcjOOQZTd2D/3tAOcBKfQ6z97XFqfxzcnclz+9BXgFdZWTR1efd5yYNy17ny
-8hoEHuc34+a/hrrhfiFiXYKFF6f07YI6lt+ElPOc93oz19fE4wVskXjvxLOwahzM
-q2jRalsj/XlYCEHrZqaYjHvY8MYNFleThQEwJ/zldgQjx2MMnUD3ApxRDutfYM9e
-MFSv0ATDFoKi55mGySMD3dMpI1I/TER459Am5c88SfxJNJXAW/2GJXQAJ7tCL3dM
-sYcqkl5uVZXPJxSQbfFCl95lhlzOtoXZTS1+cxYN0oz9YfLoG3tz3x5Xtxo0eUbI
-NJBq1sWi6bO6+6GyQOxs45sawl906XFqW/qzSywNOOsT/hcuEvc4IGdZKLP/wxF0
-HJzeaqDwfmiT1tz8jArGsbqw/i77xND6tq+56rur5/BhfIapXZ9wKDfawQttpDnX
-PTcaT8BSqQejfZa0RiRvt70pypm98eZ1XRzWhC6bvQIDAQABo2AwXjAJBgNVHRME
-AjAAMAsGA1UdDwQEAwIF4DAdBgNVHQ4EFgQUzoShaVViBQhilqB70YV+yuLcWIEw
-JQYIKwYBBQUHAQ4BAf8EFjAUAgEAMA8GCCsGAQUFBxUABANmb28wDQYJKoZIhvcN
-AQELBQADggIBAL45/vKz88cBG7c11gyePde86H7qWgIKrWocohn6eoXF1p2ZkLvP
-na4o7WVr/WC7t4DiBZVUNVvrqss/nOI3wMVjU9Mn9wrJbycvrVPAWH1nIhlKR3gM
-H8PTcZiHI+Vf14aHTjeRFEXxy0i+K7JxtKRQC/Bi+MuwnBvPwvar3tqFLXprRk4p
-p42I7/ngT8WcAzz/LWj0rWYNl/TEFU3esDBr3rz+B5TFVcp2dLpcZW7ScFRh9bLT
-OwJ/QNhzvnH5cwsWlb8cpDTFVeyTOBgqh9t6ut6SnDfCu03xIBVuCk+P5KhOGWAS
-3cOVqvGn3Y3q1glE2XdKgyYqU2z3itneUyiCeopItFaKZIV52s4WuIuGO+PK8XOi
-QhwtnsWO91toEFUpUNkxf/C6C61G4xuvHeMVLdTzO1Xi5kuHyN9gD8rLAuUfaV1c
-Zv3f2S8WpvEGkSSu8Ap1k3ExfIaFhgxzu3pjGL5e6YV2lK9d/UGXOpDRFZOUuoRm
-dyowQcF3XcH6zTDu+ThXlPSq5bkjrnMnNt2z2LfqGb/GFp1vl11LsXeLgpHmFTq2
-4umDDUwMHVzrmFoa3BtUkgO3BUoSrt2l63TFqTQZgZAf/D042jBcmOhV6Mt5MsDK
-MFZkoYjtv+8jTeRwxP2zi3EceCvGkV1Mf3t2/h4wYGa25J6HFq86VVRU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=
-----END CERTIFICATE-----
diff --git a/lib/hx509/data/pkinit-proxy.key b/lib/hx509/data/pkinit-proxy.key
index 3567bf5d1d7e..6ef1f814d47d 100644
--- a/lib/hx509/data/pkinit-proxy.key
+++ b/lib/hx509/data/pkinit-proxy.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQChU0hTlQYhDONl
-H8153Wn2/H6/OW15S9pvg/RcQ9+Mc7a3kOEnImHt4B/zevv1rfYaEernC2mrTxvS
-Sy2Oxx3yNFsV1Kys+kMYiIygswPohTHYhMQKEjqGPTN97E1JcvMQiZy19sl6tG+k
-LZKa5pSTUoFrlqw2NN9U1WjlgaZ7WnLxwLlatQnZOnA6+MoU1bJepkPUAcjOOQZT
-d2D/3tAOcBKfQ6z97XFqfxzcnclz+9BXgFdZWTR1efd5yYNy17ny8hoEHuc34+a/
-hrrhfiFiXYKFF6f07YI6lt+ElPOc93oz19fE4wVskXjvxLOwahzMq2jRalsj/XlY
-CEHrZqaYjHvY8MYNFleThQEwJ/zldgQjx2MMnUD3ApxRDutfYM9eMFSv0ATDFoKi
-55mGySMD3dMpI1I/TER459Am5c88SfxJNJXAW/2GJXQAJ7tCL3dMsYcqkl5uVZXP
-JxSQbfFCl95lhlzOtoXZTS1+cxYN0oz9YfLoG3tz3x5Xtxo0eUbINJBq1sWi6bO6
-+6GyQOxs45sawl906XFqW/qzSywNOOsT/hcuEvc4IGdZKLP/wxF0HJzeaqDwfmiT
-1tz8jArGsbqw/i77xND6tq+56rur5/BhfIapXZ9wKDfawQttpDnXPTcaT8BSqQej
-fZa0RiRvt70pypm98eZ1XRzWhC6bvQIDAQABAoICAGfmvKFgTIdCxr3dgrgnO1Ug
-f/1m3jQN/4xs/xfhevv5lseZXvmWcl4DSHDHV7l+pg9aVOEjf5YeqDuDwb7ATXAt
-+jAQPnpV4JrPb0scoLrD9juOHrihzuGgTyad55UTnKqdBrpHTLJjvbeOxmpPcYeE
-zufdLeLnoKMBo8KVAwVVVsyPJJHgIYyvz5Kbo4NRssS07uB/mbYAEiv1qhqBhZyW
-39eFfcg5gh9l6M/KK/IwT5nbheZ8xoWW3SWp/KgdepyXAtx+jsp3VKkr+/a5BoVU
-1ngjqT/dLE/R1fmM+W2yEhmLvWMIF/k5pBtAo75OSWgkSaj+h96hJOLmxpX3EfoO
-UdEYWnToOyovTUqs0mQREolOvPPjQPdgSGJsnuEsNzT3cJGrM9Nq+exQUXXXKCCa
-No06TS46ILykvT+GBXxoyIVkWmpqDHHh4NuBUAcrB5yTYn3MoMeo4y7bvE8pl3C9
-wC/5un+lzNixHNmHRNDzre8uLjhmR0PnP5y7EThOaBS9/DTjzoJqfaw1K2WC9lbe
-vdpWSf/Kwjk3SGCXaneXfaWvLaB+mSHW1JJjtdOuxOdGGGXiJN/qYz8C+pTHzVxj
-uJGNkcz2nlGLG9RdaVBenItO3lUx5Zk7uHJdIZuQf31fmEXTFms4YGTdK9+GQIQv
-N3ivhfvtuBwWoBCHK49hAoIBAQDMOhPQJlQnlPnosdOAFDNOh+2fEPEpeY9SKvGA
-zn3jsO/UphtagulkPWCE7ld4D7b1IBDFSh9CnDGPljzz6uQCGi7FHAlOauTel6eh
-lJp8sp8STc/H2QrLE00BzhSlLPxGIAS+tBBwLG2jXBmi2l/K2aFbheUak7mev7nF
-b4oWTKC9fweygfP87NX0Tsu2Wzfd2TR7gYz3r+/+wkd15pTBtuBUp0YUkCNKfhk/
-qqHOgO3neokb5YZrhq1dM+qhT9/2rM1zon0b9kt3r6+7mbdC4iAy9Ek6LOEGDu4N
-jGNhQSEj+usKJhW7X2m0dcG46JytCMOFLPVmdwTIHm6/O2PZAoIBAQDKOPqv2luX
-49Dat3A+zqQfecVmffdHbRF5EgIRfHYYHXvccJtD8MnkXBrJAwe4Y0UI00SECGzZ
-jK2ReyRWbq+qHQGLk3Zu3ojbXw0wXRR5iivGckSd1IevS5pbmVnc7FzZjxWaoqbT
-Uo7Y1LtUqulfqCJHbDB+l+kIv/kwTQG2rb1WnTY8Y4YEHuy54zh0Ke6t8XFqGME5
-/ASgTWnEIyFSuiptA+CeBm0NVMUH0MDd4j0OkYMNkIQODC72o7Qw9mwvij0xrOWq
-fXaxYocB8Z/hRSTv0r/qnPP8wjNCLtZt0iHcq+y63nANTQYk8v6PS6nl6Ppiz+hu
-M5W7ajwtqByFAoIBAQCnXYEXOBIHTiNv+ytk7ykM1oB5txyr7J7zq5W3BYJNspcZ
-IfeQuXAjYdlTly+/iMFbKSgVRqVPpUlIbssM6hZpUqO5jTxjM17UvFv4IxxnzMpn
-6bS6Bri9q9eT/xsUMkWcAmlhD5fZFc/T7Ipl16hhSPDfXF9g5GdeHalUkBAOLkYc
-hZn9RFp7kGvWhyyTCTZDbNmBza2E3n5DvVtq18hY6FH3jg30lBsX1TdD4cYwwaA1
-70mlvvfl7rzsgLtr71WPhhXpCeSVocY/E49koph5C29v0pqgPl8648la+Q4IiaNr
-JRqxenyczZiG92oG6zpa46+32BxUGH2msqn3teghAoIBAFKQrRn7p4X+iBmk5/lc
-2XnYeBZ+u+W3zHiIN7v3+yehch7xAxPcTjIkwPLtf8tzDI6r47+cyQSSAZPymUWI
-78QfD7BzRtnBllMrHfFvL5roJTNjGEzwp22VCrL3i8892jMhzopSepaxkI1LXikV
-ly9tMIHE1I/7ajQeXZmw91Ak47dnfOtvHxqznafP9A7JyB/RAqN08/++vAzPTq28
-QjDKvePAv4cFzKSyxbeJLhXp90/pbX6uUJyDsPEWqc2L72QBpzaPBz5y93E5bzIF
-+2c4mfopLB6Ycq3yhIczJG22bAjzUTaC93EWz7lqVTEgjX/HfeO2S4ojGbFpkKR7
-jRkCggEAE9shCbl5bHJR2l5FgNOr99rkpNs33WJa9ZQpsQ2oXq5yLL2plhIJO2tg
-kKM/ld6PwFinxBoLhd4Knb3X8Kf4mWCALO0lJRzB3qiEu4SP15UYchayDpjGFzNQ
-EejcYcJ59XT6PC0nlckmsBeTSXWTEsjk4vaca01kp0tM1DNuJ4V6iXXJhj70xkqr
-NRlFuTLBxE/PIs8eg6Da/4sQZ5MnZq1WRylbda42xCMebGV6zxuc9HiI348LlAhn
-Kw/dTg2m5gwYznLHSpEH1n0ILrDtMyb5tZ9KfJzVuyz1Glo7UKf5hYoqZY/n/bCN
-gvWFSlv63UgRaUrIlQWr2X01y9IGjw==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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/pkinit-pw.key b/lib/hx509/data/pkinit-pw.key
index ac89d6af05fa..3fef51f6cd01 100644
--- a/lib/hx509/data/pkinit-pw.key
+++ b/lib/hx509/data/pkinit-pw.key
@@ -1,54 +1,54 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,EF2C2237F4387D5197FBFEC26EFA3487
+DEK-Info: AES-256-CBC,0D7945ED368F10EDD0E5FB517DA6CEDD
-m1mmDR2qaA0u6ZSC1Xvw6o9Uyt0NvNgKM2Lln0BOvE3UvsbUxE5NEGynlthge4zX
-HfLX6PNZ4vkQASzm+e0M/cwUijDADmuHhsaZP30BriJ8SzZoeYq7WUVkv1EbCZFZ
-o/lsVFBPzW6K2Vfjphj1WRwZZEsgef+kFtwNSQxcHXRmK3njcKaP67fKzsH2rjPE
-HMEo/9vAShCmFH4Tnzxy91SF4Gftdov0xqRQZpG/1maCx0/76RJL7lxpYUYmIOPa
-j2l6SUFSOP742bLWuHQXT36/SyocF2pk9kFzTfNb0lP7lriYrWhSDqqRWtoU0m3M
-Ulku3bcDd/HH0Br70qfDDOvWuGb2ayHRKoDDVlRnwXZ9tzl9BHqzvLIORKEt2vns
-6pHNU+8GwvYgtAlLMaN7KAH6hFUkVRi49lvTJbtrVJjMcGU7Vl5zurcyrfL2eLEZ
-tdyR1lL01JWZW1gz177dn9drcB//r2ZIq6g9Ah0e1ZBj7aEFfSabfRuLgUaF859q
-lWKt8112uuVn9vqOkiOlZVsNMRzP+NUEggVQ7Jn3H8CEqHgC1a0JElaQh/kd6BkP
-RthT1Qz0WyPMz1LE2aInFavnrFXqNyuLkkd8WSb+wo8V+jZL/a2jl8d7thQsxOHt
-OjfRyioX1YmeGBWz7I1ZObk1O0xi7vj7f4LoqabUqnU2Z6FQLCNRBlnO+SJq0DJj
-Ca6r1bN3NPGH9vhL8sd6Ce+C/fMXyDLX3qp9qS6ZmiSDOTIC5si8JmWMeCC8yrim
-RjBWEtTC4ve41ObrPHeDqDQOGdPpnPH5unQZA2jul3xizbr1ToYD4Uk3FuUYd2dH
-Fp/OutvsPUz6Eu6gllOJ/KYwSakncWZknJt7spwHjoyKoqRVbqyIrMWrQDCd491M
-ezZPeFursXyMeTezWcgUvh/NWA7+neQg99CP7hBs4v7LV9GYXJOxcJ97Hwl4m7mF
-u3QZb8Izgu7IVRFju3u5kU13hi/yO+q9Yg2wvZAg5C7znpm2d/QDJCEdjqqUIjE+
-/r+a4QxSCbl7y4fiuHZqY+qTgFK4kQBCDGIixc+tDcZru4wiGKDYoMhcERDvxKLT
-Upwbx3CqA28L42A+6IwapWO+jSBmCdfD6B+GEEWPaf5YzNZmM7td+DLeyOKAEK8w
-GCZkd58hn9x0BZxEvxTcLqWFO0BMC8FSHyjPRnW9Ik5H2a8vllb3Wiq7LFZum1of
-w2s9eb3vY2Lv6WNU2Mug+QwwbCwwmQmEJfROp/CWuHMmDlBudtDvVi2zUhNrqLoI
-LSNBlyxCIHO21R2IWOpZ+xglOh7+Qc4oXZHnhttREsOL7FnE6IYdcP1hfF0uWAtc
-kArTtgvFJurlZO+k840KPS1cfYLBNTgPK+6xssC2qZr3u6zP5Oh30gGgBQeETUxW
-JrMW3LzoMH0I/RcYK3FkEb38KAQpYLvJPKzNRD3/ZU2judjlslobHhvJaXTeOxiK
-B3NoFGi9+BXFBDyuKcHwUuFA7XCM9iIUbGoMzrSKFkc0CsCrJCWVvF/1cRNpJUQz
-SOxKM/HvWD9VdpTyJ8qDoI0lKS0jn+rCcF9lMwvORVPebkypGkXC0RSwvx4+cFnT
-oRjqpfLKzJlcEk+U7hPH5ZjsDUYq+FargGDmNvGZohpGNxsdYV1v6B6l3c7sLcWf
-lShZVLMTYzAlgBpywzsoyPQxm32hVMcpme+nzMq74QB3ZHv/uy/xgTbOCnTTQQZv
-hPvnEYcsNW9IBhGLr4kIsex5O5sLuatgDLh9xWgPObriu5BBVDNNqApze6AcqnIN
-3TW/qzmyc3R95nxHCxVocwU1Pl9ZPGP+Mc+osUQD3seHAKmNQKWPiVzven8NdiBC
-nSIjmBxVRtHdoiVLXk9LkTBoS+w1iPG1ztVsf+Vjg3PUoROD0XuzqwZ4XlkT64IT
-6zcjD0IrSYgbO56Oqga8quibZl3+BVLexj/veFv2SKw31dMZ95ntnwuKpwCv3jHf
-lrxrkPzj9Fsqup+HR3yh36FKyZkgPEU4KUrraXbsQMDdJdcec944QBIftj0p44W0
-T2SeGk0rkHSFZiZqoeyJ6ubKxalnre6PwJwtvVrx0QzREIGdCG5+SyphYEtd+mBr
-ATh0LbMqD6vyJ66t4SuOdiCSfVbEomKaftS3C752Gk2QxFT+XEgNPuSDp5V8DqBR
-W3W8DB03d3DolznjjcHTUJH65A1ADepUFpIteIkhHUrQP6IqQUNaaCIFd462IDCL
-lL/4V7b1kq1pZJcF/yyDvdDAZM/6aTorKXy9l/v3SUN4z6smraISVTwShyof7Olf
-2dQx1Eh/OjYNEATG86eoW15p6EWclO0osvIxR21xeOTFQUuiR9SijtLOOTiNKrTu
-ug4/57HvGI3rI6Lujcx+js2B2aBdk+O8AkpCAcFTM7FkFRQCngP7ayyVt3I6x+M/
-8vxz6L7fdXYX/RYSIVLKlbSKo15f9NyDJiaHpACIpRzYUQLjrXcKsTiAcDoFaFGz
-TLsTLnA3QDbTRptaDSvQfPhrOM5QezKVmhT6MSzCeJFAskpIgRm4XwaOQjZ/XP0J
-ua7IG2WD6k8f62cszlbCEvMZWMBvb8JYVB/UGcBLtolFG8EGvvUrWAHWLWVvngNb
-HCI7t/Z4SqIexcBTAOal1bAT/gcvNrAmSBXkcNg3hMqMXOXuC7W5Qbqtk6Bd1uiN
-5BWMJOnGXrALbpHxNtC4QBjCAC6MshkMOJvIpNn4f30Qq4Of+NyJrIJl1jo/WLqG
-hsHXYzZYI2LcfOi7a+4oSHQ2OfsGvdKWwmJha6Koo1VlF8gnHSJaGAH/soilan0w
-KSOqSW4DJnAc3zry0jfDeLJLktrEn86xen1v2HjnS1WohfkFL5sSk3z5bVqQ6NrK
-9OOeeXIzWC7AETBc6N3TY7rKljH0ZdtiB7axVI/0Vfmiqw9vOzJ3fij9BcLvXBQs
-JKy80AdUvT4o3PGW9DJX/Ki04NBB9Y/Jlmtu2j1Iq2NVERqma/HzUliGosffdwYw
-EswIfbMjKhghu6mbHguE2DdW2vXkKgmbUJcBFb2tnc97ESslJoxssWB3uZJNQqRW
-FLl+I56S4CVUDLg6WmB7ZMyhCWJ0u2d/zvombQBnPN6GEc+VkZUzVE7NFYmK8j2Y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-----END RSA PRIVATE KEY-----
diff --git a/lib/hx509/data/pkinit.crt b/lib/hx509/data/pkinit.crt
index 86642369ce41..3f206294112c 100644
--- a/lib/hx509/data/pkinit.crt
+++ b/lib/hx509/data/pkinit.crt
@@ -5,48 +5,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:15 2019 GMT
- Not After : Jan 16 15:05:15 2038 GMT
+ Not Before: Mar 22 22:25:06 2019 GMT
+ Not After : Nov 21 22:25:06 2518 GMT
Subject: C=SE, CN=pkinit
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:bf:4b:44:8f:d1:dd:56:18:41:5c:c2:c4:2b:ff:
- 28:e6:7f:68:26:d4:0f:08:e6:af:dd:72:28:9b:ec:
- 5f:5a:2f:f1:9a:7b:21:0f:c2:01:96:d8:85:32:20:
- 5c:c7:91:fb:2d:71:33:d7:dc:81:06:32:2e:e5:ec:
- 61:37:8a:0b:0c:23:57:cd:9c:ae:93:79:58:26:1e:
- de:26:18:12:52:c3:76:7a:d1:6a:dc:98:67:13:4d:
- 73:dc:8f:7f:7b:dc:97:15:dd:eb:6e:0b:54:cc:f7:
- ef:db:14:8f:d2:89:47:3e:8c:e7:de:ef:61:34:67:
- 10:60:8a:87:13:6d:86:91:9d:8a:92:64:72:5c:ef:
- 64:57:b9:0e:91:ea:41:2c:03:e0:67:c7:51:cf:ea:
- 09:5a:e9:0e:ba:eb:be:53:10:90:e5:0f:87:33:3b:
- e6:53:11:1c:6d:75:34:ea:4a:7c:59:f4:6b:da:82:
- 30:4d:f5:72:ad:ae:41:f7:c1:ca:b2:7e:74:a4:45:
- bd:2d:80:c5:47:d3:ed:c2:02:fb:d9:85:76:00:3d:
- a6:ab:da:2a:ef:a4:c7:d6:74:c4:88:02:63:d5:a0:
- 5f:6b:88:ee:bc:df:0f:43:78:8f:62:1a:c6:c8:e5:
- 3a:43:aa:75:94:d0:71:15:a4:8a:f9:67:5d:93:93:
- bd:78:04:46:39:90:48:22:05:78:17:ec:b9:26:3f:
- 4f:7b:a9:e2:79:b3:cf:13:ce:34:9f:3c:7a:8f:a8:
- b7:b4:12:39:01:4f:26:44:33:b9:7d:eb:c7:0d:c7:
- 1c:d3:c5:52:2b:cb:65:a2:48:b8:c6:b2:e5:17:d3:
- df:ed:ef:e9:ea:21:5f:2e:42:23:40:35:7e:97:23:
- 28:42:0e:22:25:79:f6:ea:ae:a3:cf:c6:c4:ef:ed:
- c3:1f:14:05:5f:66:ab:20:a0:5e:80:11:32:1f:ff:
- 69:10:e2:8e:d6:70:e4:97:ab:82:89:37:57:74:43:
- 81:e6:85:ca:6e:3b:1d:ae:3f:ca:7f:da:2b:7b:db:
- ee:ab:ad:a1:a1:16:38:9c:b6:f2:af:be:b0:19:e1:
- 63:14:6f:26:24:f4:a8:3a:04:0e:9a:9c:5a:0a:bd:
- 22:91:c4:c3:ab:2f:ea:54:d7:ca:ad:ed:b7:a0:98:
- 8a:c8:94:15:ea:13:22:97:29:df:3a:85:4c:80:0d:
- ee:3f:d0:66:3d:9c:0f:41:2b:fd:1e:90:f5:8a:fb:
- 4c:10:20:3b:91:cc:fc:ab:d8:89:ac:7a:9f:bc:c9:
- e4:09:fe:81:ba:53:cf:f5:13:1b:4b:b0:f3:bf:34:
- 3d:3d:2c:8c:90:89:d6:37:78:cc:7c:f0:a8:97:08:
- ac:ea:f5
+ 00:e4:e6:1a:b1:de:91:30:34:8a:c7:f2:d9:0a:09:
+ 82:13:46:e9:db:c8:54:1e:0e:b0:b0:0a:e3:a3:b5:
+ 55:3c:6f:f8:45:8f:24:ed:56:c5:16:23:aa:ad:86:
+ 5a:5a:e0:8f:a2:f5:82:59:cc:70:b7:45:cc:1b:44:
+ a7:49:4b:ff:63:28:9d:01:22:79:ca:1a:6a:2b:75:
+ f8:40:c0:f0:93:b1:ab:85:cd:af:88:ac:30:f3:cb:
+ 42:87:fc:be:76:bb:fd:1c:a4:45:7a:66:37:47:ea:
+ aa:bf:c4:4b:47:fb:5b:ab:3f:c1:22:a9:06:f2:61:
+ 3d:5b:20:51:fc:ce:a7:82:74:6f:3d:ac:68:d6:78:
+ a2:77:83:26:af:23:63:20:3f:21:6e:29:1f:55:4c:
+ a6:d0:5a:51:e5:96:c1:cd:22:03:22:ee:de:42:3c:
+ 82:4d:29:20:c6:be:85:5b:04:3a:5f:8b:c7:e8:4e:
+ aa:3c:8e:dd:0d:d8:e5:d0:ff:0b:52:37:40:51:0d:
+ 33:f7:a8:05:07:76:dc:48:20:cd:52:38:a4:1f:44:
+ 11:cf:6d:58:a9:5a:9a:34:cb:93:07:30:e3:66:7b:
+ dc:d3:0b:6b:a2:1c:3f:19:ec:0b:0c:ea:29:6c:75:
+ 4d:7a:86:cf:35:87:9e:50:15:f3:34:73:0e:ac:4b:
+ a5:aa:1f:a2:f9:d5:8f:34:bd:5f:19:ae:22:8c:7f:
+ f7:ca:64:e6:ed:42:75:e5:92:9c:53:53:b7:66:68:
+ e5:07:eb:08:40:ec:bd:7c:ae:b0:c4:a5:4b:d7:4b:
+ 58:86:05:a8:91:db:ee:7a:3f:c4:fd:83:e5:7b:cb:
+ d0:8c:87:68:3b:83:67:e5:6a:5e:fa:28:b5:ee:07:
+ b1:0d:6a:93:1e:b0:c7:5c:57:fd:ce:e2:9c:0f:5e:
+ fe:41:cf:20:f2:1d:88:52:00:d4:83:fe:5b:d7:87:
+ 49:b0:78:2b:a7:60:c2:55:c6:c3:a2:6d:16:04:7f:
+ 8b:12:f7:65:c6:91:41:53:d8:ac:70:c0:3d:83:d8:
+ e0:6c:bb:3e:48:b8:c2:72:be:c0:35:61:40:ff:9f:
+ 97:18:9e:c7:39:0f:93:36:8f:0e:a6:3c:6d:5b:fd:
+ 89:6a:bb:ee:5e:43:f8:0d:29:7a:cf:23:bf:0b:c1:
+ 29:76:ae:a2:9a:73:b2:d0:b9:bd:48:51:25:8a:6b:
+ a9:c5:07:94:26:03:10:74:7b:fc:b7:5d:8f:2d:97:
+ 55:11:3e:7c:04:89:0e:b9:b9:73:2a:6c:5b:12:19:
+ 65:92:48:64:d5:4f:2c:79:3f:16:ad:65:97:21:db:
+ 3c:30:68:67:aa:42:14:86:59:57:b0:79:15:9e:a3:
+ 05:4f:33
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
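Review bot: The regenerated pkinit.crt is still signed with sha1WithRSAEncryption (the unchanged `Signature Algorithm: sha1WithRSAEncryption` context line at the top of this hunk, and again before the new signature block in the next hunk), while the new validity now runs to `Not After : Nov 21 22:25:06 2518 GMT`. Since this import is motivated by OpenSSL 3.0 support, and OpenSSL 3.0 treats SHA-1-based signatures more strictly at its default security level, any test path that hands this fixture to OpenSSL's own verification may reject it; hx509's chain validation may not, so this is worth confirming rather than assumed. If the fixtures come from a generation script, switching its signing digest to sha256 would keep the text dump and the PEM in sync in one step. The ~500-year lifetime is presumably deliberate so the test data does not expire; a short comment in the generation script stating that intent would save the next reader from treating it as a mistake. The added PEM lines for the new certificate are not visible in this view, so the dump and the PEM could not be cross-checked here.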
@@ -54,66 +54,66 @@ Certificate:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
- 76:9F:AA:4D:D1:1E:92:61:23:CE:AE:DC:C3:CD:07:EB:A7:13:43:2F
+ 7A:C6:DB:B8:D2:75:D1:8D:BB:72:AE:B5:25:6E:6F:8C:AF:63:3A:4D
X509v3 Subject Alternative Name:
othername:<unsupported>
Signature Algorithm: sha1WithRSAEncryption
- 3d:2f:62:54:90:6a:d1:f1:93:cc:21:b6:45:d2:d8:d3:ae:c8:
- c4:63:6d:9a:25:a1:c3:33:3a:c0:90:ea:ac:4b:67:a4:af:dd:
- 75:3f:03:13:44:a9:7e:5a:9e:3b:6f:df:06:d0:6d:ae:bf:fc:
- bf:23:b0:5e:c9:1b:98:d1:e6:6c:20:83:48:2f:b1:8d:ef:c1:
- 33:fd:d1:7f:d0:ca:03:9a:e4:3a:42:17:0d:e6:40:25:2f:f3:
- 80:83:36:c4:cc:8e:4b:7b:90:9d:22:ca:83:c1:a3:d0:c9:13:
- af:b4:a6:d7:d9:3b:be:fd:d1:5a:da:71:f8:6e:18:c8:8e:82:
- d0:b8:a6:de:58:c8:9b:8f:c1:20:ab:81:a8:3b:29:81:2d:cb:
- a2:f3:b2:9b:81:7d:78:c6:55:ed:05:75:7f:4c:64:6b:fe:00:
- e7:2b:6e:17:d5:32:de:e1:1d:33:f6:ce:89:4b:c6:be:92:54:
- f7:16:ea:91:b7:af:46:80:41:8f:6c:47:d6:07:d7:62:34:1b:
- 7c:69:e8:6c:ac:6f:39:b2:3c:60:cd:b3:89:95:3a:9e:ef:75:
- fa:b1:ad:b4:bc:89:69:1c:69:53:dd:94:25:93:7c:64:56:75:
- 0a:a9:8d:2b:6d:ed:9c:e7:cf:9a:ad:02:ca:79:f4:fa:59:4e:
- 51:33:c3:f9:4d:a6:35:62:50:e7:f3:2d:aa:32:b3:60:2f:1e:
- e3:71:6b:78:98:f7:9f:fe:0f:0f:f1:a5:6a:4f:f7:01:22:52:
- 60:6b:62:b5:5b:15:6d:4f:41:e0:23:a0:43:45:39:70:f3:a0:
- bd:30:14:63:01:01:f4:1f:fb:65:43:c8:99:57:aa:47:2d:53:
- 0c:f6:c2:65:f3:1a:64:69:67:f3:7b:b1:2f:0f:c1:e8:a2:5e:
- 78:bd:df:a6:d8:3e:ce:6a:fc:bb:c6:14:a1:6b:de:fa:47:5d:
- ce:6a:24:60:da:1b:5d:fd:c1:5f:27:34:a2:b6:dc:bb:e5:f4:
- cb:14:88:e6:66:e7:49:e8:a0:22:49:da:af:1a:30:f6:ac:a7:
- 99:56:5e:b4:b0:19:71:67:59:cd:0d:67:4b:82:54:0d:c9:88:
- cb:ea:36:7f:60:d5:df:8a:74:78:25:2a:b5:ca:89:ac:9a:0b:
- bc:a4:25:f9:38:c0:13:58:1b:5c:60:0a:b7:9c:74:de:b1:7b:
- e2:5e:1d:85:50:e0:69:22:c5:2f:e1:1a:1c:ca:cd:a7:ab:0d:
- a2:ce:f1:88:92:68:10:fa:1d:ca:f4:62:6d:cd:8b:1b:72:2f:
- 67:a1:b6:f6:ef:b9:f1:e8:bd:42:54:d8:4b:e0:8b:9b:6d:2d:
- 1c:ca:c3:eb:79:5c:d7:00
+ 7f:5c:76:fd:3d:ef:0c:7f:70:c7:09:d3:5c:c1:b6:40:25:47:
+ a3:6a:bf:4e:ad:d1:e6:cc:92:86:b6:6a:42:3d:4f:bc:f1:6f:
+ fd:7e:22:52:9c:dc:a6:0b:71:98:80:44:cf:f1:91:bb:50:c8:
+ 15:cd:8c:d8:9c:7d:8d:69:61:1b:4c:66:40:77:44:45:33:9c:
+ 9a:04:01:a1:4b:82:3a:d7:39:97:27:90:a6:71:9a:b1:9c:ce:
+ 60:01:8b:a5:6f:39:a3:e1:75:de:3c:5c:61:66:a5:50:db:0f:
+ 4a:03:32:8d:dd:e5:b6:ab:6a:b2:53:6a:4c:c9:99:74:f7:f5:
+ 1e:a5:06:1a:d3:64:26:c5:77:f4:a6:40:1a:c4:7e:22:05:a6:
+ a5:25:f7:5d:74:a5:c9:86:c0:3a:88:2e:6e:0e:58:4f:e5:6e:
+ e9:2a:34:2a:1d:1d:a4:e4:74:f3:a5:e5:56:5d:5f:02:c4:eb:
+ c7:12:f2:55:6a:f1:6c:ec:6e:b8:c1:2d:aa:4a:7d:ed:91:c8:
+ 78:1b:b7:b9:37:17:32:ee:1b:b5:d9:5c:98:d2:cf:d8:c6:90:
+ a5:c9:f1:eb:8d:2c:d4:90:b2:8c:e5:53:9a:66:20:92:8b:a2:
+ 0c:8b:76:9b:5f:5b:39:77:69:67:a7:8c:de:10:57:85:45:a4:
+ 8f:85:3a:59:5f:fc:0c:70:de:1c:67:33:5e:9b:a5:21:3d:bd:
+ 2e:de:3e:c2:0d:cf:8f:52:43:92:01:cc:47:da:af:47:85:69:
+ 94:d3:9f:c9:d5:5d:50:ca:27:a5:bb:c0:53:12:e0:e8:3c:ed:
+ 0d:bd:47:97:af:be:b8:f9:0c:10:2a:79:21:3c:15:ef:c0:a5:
+ eb:33:38:93:5b:a3:de:1a:97:eb:c3:db:04:1f:e8:f4:23:10:
+ ff:2d:1e:9b:4e:1f:8e:27:7d:71:34:e2:be:74:a2:62:69:9a:
+ 83:7b:6e:9e:e4:a2:7c:84:82:ff:83:b3:cd:d2:0f:74:05:72:
+ b8:b0:45:23:b6:cd:04:25:2d:58:7f:92:ce:68:f9:ba:d0:9e:
+ a8:e1:f8:c0:86:0e:aa:ee:f9:af:ff:5c:bf:46:76:08:b1:83:
+ e7:66:8b:ca:1b:8f:f4:9f:6a:ac:71:4e:3a:d1:77:fd:97:81:
+ ff:0e:d0:d1:4a:7e:6d:94:e6:8c:e1:28:92:b1:68:83:5a:62:
+ 48:0d:26:ee:28:60:57:ff:52:b8:1e:8c:03:d8:fb:c1:6e:4f:
+ fd:7a:46:0b:0f:c8:05:ad:3a:a4:68:be:fd:30:62:ce:f2:0a:
+ b1:34:2c:95:e7:e2:91:ec:a3:c6:4e:2d:a5:fe:09:45:84:38:
+ 9c:d7:f4:0b:18:22:9d:df
-----BEGIN CERTIFICATE-----
-MIIFNjCCAx6gAwIBAgIBBjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxNVoXDTM4
-MDExNjE1MDUxNVowHjELMAkGA1UEBhMCU0UxDzANBgNVBAMMBnBraW5pdDCCAiIw
-DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL9LRI/R3VYYQVzCxCv/KOZ/aCbU
-Dwjmr91yKJvsX1ov8Zp7IQ/CAZbYhTIgXMeR+y1xM9fcgQYyLuXsYTeKCwwjV82c
-rpN5WCYe3iYYElLDdnrRatyYZxNNc9yPf3vclxXd624LVMz379sUj9KJRz6M597v
-YTRnEGCKhxNthpGdipJkclzvZFe5DpHqQSwD4GfHUc/qCVrpDrrrvlMQkOUPhzM7
-5lMRHG11NOpKfFn0a9qCME31cq2uQffByrJ+dKRFvS2AxUfT7cIC+9mFdgA9pqva
-Ku+kx9Z0xIgCY9WgX2uI7rzfD0N4j2IaxsjlOkOqdZTQcRWkivlnXZOTvXgERjmQ
-SCIFeBfsuSY/T3up4nmzzxPONJ88eo+ot7QSOQFPJkQzuX3rxw3HHNPFUivLZaJI
-uMay5RfT3+3v6eohXy5CI0A1fpcjKEIOIiV59uquo8/GxO/twx8UBV9mqyCgXoAR
-Mh//aRDijtZw5Jergok3V3RDgeaFym47Ha4/yn/aK3vb7qutoaEWOJy28q++sBnh
-YxRvJiT0qDoEDpqcWgq9IpHEw6sv6lTXyq3tt6CYisiUFeoTIpcp3zqFTIAN7j/Q
-Zj2cD0Er/R6Q9Yr7TBAgO5HM/KvYiax6n7zJ5An+gbpTz/UTG0uw8780PT0sjJCJ
-1jd4zHzwqJcIrOr1AgMBAAGjczBxMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0G
-A1UdDgQWBBR2n6pN0R6SYSPOrtzDzQfrpxNDLzA4BgNVHREEMTAvoC0GBisGAQUC
-AqAjMCGgDRsLVEVTVC5INUwuU0WhEDAOoAMCAQGhBzAFGwNiYXIwDQYJKoZIhvcN
-AQEFBQADggIBAD0vYlSQatHxk8whtkXS2NOuyMRjbZolocMzOsCQ6qxLZ6Sv3XU/
-AxNEqX5anjtv3wbQba6//L8jsF7JG5jR5mwgg0gvsY3vwTP90X/QygOa5DpCFw3m
-QCUv84CDNsTMjkt7kJ0iyoPBo9DJE6+0ptfZO7790VracfhuGMiOgtC4pt5YyJuP
-wSCrgag7KYEty6LzspuBfXjGVe0FdX9MZGv+AOcrbhfVMt7hHTP2zolLxr6SVPcW
-6pG3r0aAQY9sR9YH12I0G3xp6GysbzmyPGDNs4mVOp7vdfqxrbS8iWkcaVPdlCWT
-fGRWdQqpjStt7Zznz5qtAsp59PpZTlEzw/lNpjViUOfzLaoys2AvHuNxa3iY95/+
-Dw/xpWpP9wEiUmBrYrVbFW1PQeAjoENFOXDzoL0wFGMBAfQf+2VDyJlXqkctUwz2
-wmXzGmRpZ/N7sS8PweiiXni936bYPs5q/LvGFKFr3vpHXc5qJGDaG139wV8nNKK2
-3Lvl9MsUiOZm50nooCJJ2q8aMPasp5lWXrSwGXFnWc0NZ0uCVA3JiMvqNn9g1d+K
-dHglKrXKiayaC7ykJfk4wBNYG1xgCrecdN6xe+JeHYVQ4GkixS/hGhzKzaerDaLO
-8YiSaBD6Hcr0Ym3NixtyL2ehtvbvufHovUJU2Evgi5ttLRzKw+t5XNcA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=
-----END CERTIFICATE-----
diff --git a/lib/hx509/data/pkinit.key b/lib/hx509/data/pkinit.key
index 804b7dc77d64..ee1c8423233a 100644
--- a/lib/hx509/data/pkinit.key
+++ b/lib/hx509/data/pkinit.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQC/S0SP0d1WGEFc
-wsQr/yjmf2gm1A8I5q/dciib7F9aL/GaeyEPwgGW2IUyIFzHkfstcTPX3IEGMi7l
-7GE3igsMI1fNnK6TeVgmHt4mGBJSw3Z60WrcmGcTTXPcj3973JcV3etuC1TM9+/b
-FI/SiUc+jOfe72E0ZxBgiocTbYaRnYqSZHJc72RXuQ6R6kEsA+Bnx1HP6gla6Q66
-675TEJDlD4czO+ZTERxtdTTqSnxZ9GvagjBN9XKtrkH3wcqyfnSkRb0tgMVH0+3C
-AvvZhXYAPaar2irvpMfWdMSIAmPVoF9riO683w9DeI9iGsbI5TpDqnWU0HEVpIr5
-Z12Tk714BEY5kEgiBXgX7LkmP097qeJ5s88TzjSfPHqPqLe0EjkBTyZEM7l968cN
-xxzTxVIry2WiSLjGsuUX09/t7+nqIV8uQiNANX6XIyhCDiIlefbqrqPPxsTv7cMf
-FAVfZqsgoF6AETIf/2kQ4o7WcOSXq4KJN1d0Q4HmhcpuOx2uP8p/2it72+6rraGh
-FjictvKvvrAZ4WMUbyYk9Kg6BA6anFoKvSKRxMOrL+pU18qt7begmIrIlBXqEyKX
-Kd86hUyADe4/0GY9nA9BK/0ekPWK+0wQIDuRzPyr2Imsep+8yeQJ/oG6U8/1ExtL
-sPO/ND09LIyQidY3eMx88KiXCKzq9QIDAQABAoICAQC0fcQ3HwEEFua1K2AFUz+4
-HEadPEDjWSZefzQpyqE9azc/VyYexCLTvYAPh9GCzA5/FeygpAFpYzg04Q/pY2qB
-DWfvLQLbSwcNENryfovrY1oLEEUP1wyKfe3wEcVrjPtROo7EyhQ9QUMjJwd80uJR
-9olhI+RHmWcucAZ7IkBybH8vGW9+mLHIw2cn7iuH6DB4OuzKjDw/dt7bJ0vw/BR6
-zGf4w2/SuLZl4M0IszcZeTG6flQteoW1slGz/znNqNtNlC+nG3UJDMGs6TvQRcjM
-+V6lj7grXQLhKlO1MOwZyLO/tvfrZVv1gW9oVXNyYjbTWaaPvwy0Kwilwg3dDO0b
-CvBGS8c9PtxkUnU9ZCjkA7rmE/Nr2r78bhhMkBZs38w/MTYDUadmjhIxjnjaNu+3
-pV/kOLn8h0ZDCsLCJXUNAbcqwlz2IEDPFIYzW47+agMM21Y41um1lfLXOFcZ/61I
-vStquOwqyhciydomWyyaT0oyu1QPSaKwuVFYTBMn5fUfP3oYEehaN2VEcQaMCHt9
-OxiiXapiNEF1p4Rf+mt80yFxDhWrM7/VxDxHkS64HpULweW+/zx1J7l+Leqn8rGC
-k2puihHSAGnZ+thSnIkiimIfnijdUGRb09y5mQJoIm/pGopPTz8e6jag84a3tm7J
-08NBhWDMVMk25a6TOsl3AQKCAQEA3v5gi9C8bMcjEipI3fbgQ2mz18CzFFsIdSaE
-qvPyEZ07G6vRZg+i3Z0vOMaSiIr9nKmXIAPInpeCn4n55aJRktO5OxmF2F7qjVt+
-uEm2TPDrrkIILqT8/pINN6R7onwOcKlIb0gfyK7FyCYgjbtQlNjou0b/5CGq8qw0
-Y2E6htBPAtyXEIU8ozW/vnsMSqHsxHZKyzzHZRL8Ii1jjdXCJioKnWn36cLZrZml
-jxlgoh/4p+Jr0+otpQCJCzYjTuKmmOBlkEjoVe5yunD68O7VZWA5N8lb8t/2g6hq
-TS1kYZRlPnmtBi+iQUVbtx1eOpRXQA6YcZnyS4thY5VWj0MBZQKCAQEA25u8ODF6
-AZM33Chs9zQ9nmpsrCzZUq+2Wpv8HmzQbvWQ/OzGqgxi7GlLoi6sevxX+a2t9Qfn
-I3oaV5Fd1zZQT5mH9zlzoZp8QfwXgI9yTTF8tvFFUAMmMFHz9P5U9WLrILyvsMob
-i31y04uRe666YRSx7ra0mf1o6m4WezwQIGPOF3jsug4npuG86v7fRNrp/53bpV+V
-EGsvJN+oHZQ1t2QhYNLPXw5br1EMwjunn9P1JZfynS6VLrKQ2KiA2/1+F55ppA1i
-thtl4ZlU1nF1XkK0YR3KPYfzFSeujhtiZ/rPFW7226rUgvRP0N6YfvT08xyO639Y
-8VnERKtI6gjyUQKCAQAFnT3tBzpXOsRFRs9C115aFCU0/2MC1i/mUyvv6ehkTSMZ
-1T+WZDpjffucYFN8IJO2CAcIBVBdvc7KGX0zLN0E51O4izH1ep5JJM6R8TknwsEM
-SBlQo1LDTgYLKpb6RklOyNRMCPLT6KKOIXecWeTzemqRnH4AzmAxb+h5wA7rKf9z
-QP6EqfYW3dmQACUVE/KUF65WY5dZkhrK+X2SKpmSwGg4Alz9g6xbVIz4h1kJe+iU
-wXyZf0Ha76KDp79H0ykCnFOySEOhNjmpPAL1Ye35eWy3XNh1yvG36tuSSdxHIKdT
-5VhX2YcqQYbHm3Ot4eI4eKWZ5phVEpNHIJFnVfaJAoIBAQCWAbT5tWIffU4kxkBY
-Q4jrksqUeTYhcwDet7nplm5xvK/C9IFnWnqf/fS53aPXhlMZq3ct7q4F37vqoNM2
-1FTbaoYja0z+0CWcdPQgzttGu0zzMa8kzmHhk7lOWgPychUmEXz5B7T0/UXYFnfT
-wjBxa892vbpzjVOC/pvApfBmD4aRJfqdxFl1drCy3FHqGJbKEiwctEOAKZbUWync
-uoZOtMjP+G/KAGbERFqwukrvs7q6aSZCE7W3ZiXmuIL8whTFUWHbu4D335MiHLiE
-mo+PSYUo6U5h5WE3zBlB3JbFa97URy28Mt5ibTuv8ry7y9sdzR4a4qwAgE6+kTmH
-E4FhAoIBAQCqpFY8FPwJkDDe194tARJYXVdgvZhIcL0IP+lbNxAid+vmd1405fpx
-W4qoSHTn5aL1Vuo0qMudoUdzvHyB0fWHlVnWHhWlstkSMTMnl5DU7xhp5MP2ALXL
-LO73drcWe3r2NPYxOPWMzVvFd8o9WlnEtZ03C7s/DYUD1bWd2Z974b0tpiXNlZu0
-hn0+GgeZzmy8pyHbuyOj6+AW3zCIoIy39V68i13PjVzZKLR5vVLBaba1fZdqhYjk
-qHp+tpVdjmF+WgA0ia+hWRKkRGwX+mgi36aRzdjXPDrSxQsnEbp1LvZ80IsXM7jj
-60UoyAUhtvNbBCWkTske6/ey/kjJTUD4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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/proxy-level-test.crt b/lib/hx509/data/proxy-level-test.crt
index 24e8a8f6742c..51422e91a6fe 100644
--- a/lib/hx509/data/proxy-level-test.crt
+++ b/lib/hx509/data/proxy-level-test.crt
@@ -1,31 +1,31 @@
-----BEGIN CERTIFICATE-----
-MIIFVTCCAz2gAwIBAgIJAOXO+qv/iXxEMA0GCSqGSIb3DQEBCwUAMDExCzAJBgNV
-BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQxDjAMBgNVBAMMBXByb3h5MB4XDTE5
-MDUyMzE1MDUyNFoXDTM4MDExNjE1MDUyNFowQTELMAkGA1UEBhMCU0UxEjAQBgNV
-BAMMCVRlc3QgY2VydDEOMAwGA1UEAwwFcHJveHkxDjAMBgNVBAMMBWNoaWxkMIIC
-IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArcTnrpY2+DYyaO9DDllOz237
-auNMA2z86fS3monYx0feQ06cCdwA1xLNk/3BlkAsTH+7Q/Z8SGRFyzMKgbt8i97j
-lyuLuXxwWK87Tz14S94BK6HIGN9yc4wNtZ8p6l3uaIeTlcEZJpltViEc+I/9kjNg
-LK/0+s6OBuSEa6bEXJ5ecPFe7OeaSctN+7CMOS8FQJHFhH6zpq5uCcSnFS7ZxOGK
-wdjziJWn7zd3qEc01cWsR7HZrRII31ctbmDxt0suAGfIZaMm8fkCQkH24w/xuNQH
-ldH3q2/H7AdWvh6copqY5sxTAfaT9TSzOu9MaH129cz7x31+xMo64YxsUDP0yC9s
-fmV3APEGX8Q8PIgs1FJjsknV9F1F78aBFAYTKlBhgMki3Fi+iC64QPfu12sGuzK7
-eoDbtD3Q3p4NpwVeQYZ8972zwhnPTT6tgoh50MaRb6c+5PmSRhKt3QL0aUp+URmY
-SAdO8V0BI+exK5/T89Yd9c0uMn+TOUMHc5OEckBi9Fi/oOsYPBahyKAZxcERHdXo
-+mZht5kl8mBVbk2hfQl75eUQ9sWvVQxn1uS4x/j4k8mMqLdbXL5keIXGOyA9S28n
-IodERwwJdxgJ9JKw5WR4wdqeZJjIUw8qe7Du2FSH6L4eHMYOcS6nXlVM6Vl65nJh
-vnqqmW6DQ+L22uBst7sCAwEAAaNgMF4wCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAw
-HQYDVR0OBBYEFFjF34ZepMQe/Lgd/kmm+fXkMFhtMCUGCCsGAQUFBwEOAQH/BBYw
-FAIBADAPBggrBgEFBQcVAAQDZm9vMA0GCSqGSIb3DQEBCwUAA4ICAQBza0sK8s5r
-9PBUTZGQTylDsJgj6+siu6fwEOeUwJpag+9kDbyMHUTnueO4kPbahWdVtx5rwCxg
-NqHtHl0g8GwwLJ1wX0e8bi4fNimx08W9b5PnhOzUzbZnUIuwc2q0YL3yp0yfDo5h
-2R6BlCz/2AKM7i2PqoOsoctwJs5mE3I5E0AQto0tPaKqB2Z1FyU8ArY+2jrsgQq2
-EGbEeKSavjaIiuq3YQ9zyrZH17Npryw0brDkGBOvi2jANfQbvQJWlL7tklh8j/Xa
-61/VAm4wU82P8NGM1LYjxH0Ad46Ca8cUq63Qxa2hb7igdOoUbvlSGNctgtENJPAd
-XeUt1/bxjsBTgPo89tg0Hc1UBb/msd6q8/8a7mA69GrHG6yEEVHOQDal92PbP8WU
-ajv4vAM0OxOHO3eyWqh1nGlYRmwE6iGtbVZypWgh30mKELjxn1q82+HvrKMAeS+S
-4j34v4877EC+EXRPsHw5sGpmTp4eVtuFM87gGtrFLOheGi/2JHBYdgjJkuqPDYoE
-0J4U30+xaz0mtY5hSTt6LknMQEOM1REcQ/NBovq/CsMs7vbaoNtfavu+ZSX9AgvU
-5SKJ38KFndrV4VZq+hzTOXj3IhfLqSBm1EtbTQO1W8vLIR+SK6Ct0D76P+Ht5Ddg
-Z/fMiB95hkiTG72ZnjMTvLn4U9mNFWanTg==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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/proxy-level-test.key b/lib/hx509/data/proxy-level-test.key
index e1c99879af1b..352bfa823b72 100644
--- a/lib/hx509/data/proxy-level-test.key
+++ b/lib/hx509/data/proxy-level-test.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCtxOeuljb4NjJo
-70MOWU7Pbftq40wDbPzp9LeaidjHR95DTpwJ3ADXEs2T/cGWQCxMf7tD9nxIZEXL
-MwqBu3yL3uOXK4u5fHBYrztPPXhL3gErocgY33JzjA21nynqXe5oh5OVwRkmmW1W
-IRz4j/2SM2Asr/T6zo4G5IRrpsRcnl5w8V7s55pJy037sIw5LwVAkcWEfrOmrm4J
-xKcVLtnE4YrB2POIlafvN3eoRzTVxaxHsdmtEgjfVy1uYPG3Sy4AZ8hloybx+QJC
-QfbjD/G41AeV0ferb8fsB1a+HpyimpjmzFMB9pP1NLM670xofXb1zPvHfX7Eyjrh
-jGxQM/TIL2x+ZXcA8QZfxDw8iCzUUmOySdX0XUXvxoEUBhMqUGGAySLcWL6ILrhA
-9+7Xawa7Mrt6gNu0PdDeng2nBV5Bhnz3vbPCGc9NPq2CiHnQxpFvpz7k+ZJGEq3d
-AvRpSn5RGZhIB07xXQEj57Ern9Pz1h31zS4yf5M5Qwdzk4RyQGL0WL+g6xg8FqHI
-oBnFwREd1ej6ZmG3mSXyYFVuTaF9CXvl5RD2xa9VDGfW5LjH+PiTyYyot1tcvmR4
-hcY7ID1Lbycih0RHDAl3GAn0krDlZHjB2p5kmMhTDyp7sO7YVIfovh4cxg5xLqde
-VUzpWXrmcmG+eqqZboND4vba4Gy3uwIDAQABAoICAGTtlieIZhsa14KtXYRLCQRf
-/ASkSnU+61Mz6SRgZkGxE36CfQ0Y9H/3EuKfI76SPWidU/ZwhtVBMGyKk9KwQ/G1
-nvkhuMEebt6DwO4QZPuj0Yg3KlKQDhjgwuG3tY/DyQJ7pJP5mRMbUC8TgpE4iO5O
-2tB5zs+SA1orhmJEdY7aCT6OYzU0fB/absv+SiO4lNNhF5kSQmRQsecIioc6NBAv
-c/mNej3dtrGxxNU/rodvjdYCjc0BSZf3OZL/ycVNbEWeAf5OmgM3P0GesLhHfX19
-4X36e2Dexv7ncFFy1EV5h8+d46SjRGLKnkNf1EBohxzTV3YSBPxl/XcdqZeX5dce
-Q6CYwtjv8tHFqx5vuo5hgwkssbDMqgdPaNFANCJHEVAFj/xPIa7wi4hnSeJCuGXs
-ts7prLqW4thnqd37kT0L1KToKiUVjxf8e1Yn4WiApfjqk77GkmTr7hZ5JWTuRu4e
-dMIdjWtF95NIEz3/wJVRlPOofpNTmIA//8btzNMOTSiC4P3DuwmGdGwwMwNEQFYZ
-n5YeS3+9AN/NeZ9m06eSQ1TRRogA5Unz9o7X2wzOdcB5luNsEIq97IlvTKFK6a+M
-ddt99ExDf8RzWnDQxad/FgcdoBn8u2xfe3eFjGMs++E6BBHy0T2TMcMEfr/S4qhj
-g83I2xhAxa3TvJCcrZuZAoIBAQDjoE1eCqsSPOzsBYVDFzgjMAvPLuOWXGjCmjmd
-2bvUTEKxvucMFKYssNp/GvPH/fwPrNhTewnC7RANZmJ82rsKKk8cYIvb/TTS4LvD
-ILsfaFpakjJ/+vuDqNSwzZLHkwlggDxbs44dydET+jGd4yoQkDI3ZrKI5isy80E7
-EvlgZjX8p6wFPi47YtTFUfiI8oNi3e7RSmT9AZe8o9blaE+0SBQTETu+rWGhNDSQ
-JWEid3yZZ85KQd/EO8AS9OUub1tF8dk+J75wXueTwqffEzFOvCgNlEiECQvqRx/v
-Bk85hFI3JIL71nsC/gaCRBMHjBtFwnqF3GjVm7FCBYaQxbAVAoIBAQDDbf2avR2R
-LZqupSigX8vrnbRLdjkKCfoyeVApMtgf/SwFbwrcMGjIPCJOHq9KG3jsdLhM5Rsz
-BR2T33y4dQxcGN6hE2udoqhtSLaipe60xq5UtPlDhKN44TleAmZH+qiJ1D5dJUWQ
-v5c2bP2bDWyXTUJ5yyjeijf97wompoeCKSAXlEUqqPiMGINPAaSkus28scZb+bKF
-+J7YcAwP0ztSc9FAVR7NNv6fGQKBtBpCgLG4eIlaP6maeBV0TbeE0gtRIITMo+uB
-asOvMZGkQki8n1nWrOmdf1icRUrzYyPtUlqO4BJUM3raEUL166B8dekbjUsYGc8N
-yppK8ytz/OyPAoIBAQCZodM2Gss1xws9jchQ7PYFweLmlkYjcQF//unOYWvFsSb+
-otN8st8poMAIM9+/5uvehJGJXqzK9If2E1l73YGKLd4xT/R1qWOixO3VmFzTqPH6
-2VveRz7EsQnEvytHKjWU/Vg/qGPONS25Zw9f+jek8D4EaHstrPQRMl+fiIHqD3J2
-sZCIBVzc1iq3d0jg3ZXR/+q1NZoNraqFNqvPMGVDT7bE28fQPWN8kyi69Y+m3LCr
-NYXlVqq53n4YDVQ10BDxl3dB3T9KxrNUZng5NtH7y0DZUXDUNOrm19R01nRYZLe8
-4hbJ9QwXi+5Gs72IRYcOwWFCwe275pZv8hzNz6+1AoIBADoeYcc86qgcKd46W8Sl
-+J0Pf2jZtcjYgsGz9jTqW//XaNoM1ev5sY+q4oDc+0BMvz+CzrR/hgE8SjmJwyuQ
-E6bn9n1sqxpsHy6w6y+frUextnKWh3Ke5YazZD4i9Iv/bVPf/NPym6eacrvK2fjc
-myi730MdOgBElrY7+obYC4CX/mVEwPUY3yG6wIIkePRMYZb2P4lmzsKs14CCgfPK
-299/dgFtzwU0j7B83ZP5Hb4dS70Si7Z9LFE12RuHaUZkuNzdkODS9ty8BYn6cdep
-prwBn9QKBEfEcXO337xWBX80eJ344TqNPMHRVFqSQl4BKtv4vxZhxoPRduVHP+r0
-kt0CggEBAJ+hD8bH6oxb4eCueAA708S88b/6xrULe7Dmt2wcADJMZS4z9bnkc6TD
-INu8RpeLUivji2qRuURrFVBRm4wL1aX1T/MxFoKkWPvp3dR0oA6qfw6KGeEpOtzw
-umneJvAumlfD4Nr6HMYGRpi12FxfhHCYfTmo1l6VSR9Wa4vtDkecqp7hddPYsL/+
-AMyTPnvimlXJEwU1O760wU1zXFKqhP85zY4GOxPS3QG6pyTSC1zpAk49IRo2CXzH
-eOHc7c/DLtJRfKCCWMm8zedEgTC37OZgcbHw3OwYUr+N58xihN9DhvZVBxmxm0eI
-FcKB1ity0sQYMAUGvDAqSodhrsSjn6o=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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/proxy-test.crt b/lib/hx509/data/proxy-test.crt
index a0d7f9862d73..9f9cd577cb40 100644
--- a/lib/hx509/data/proxy-test.crt
+++ b/lib/hx509/data/proxy-test.crt
@@ -1,30 +1,30 @@
-----BEGIN CERTIFICATE-----
-MIIFNTCCAx2gAwIBAgIJAKQmPUkmhyKnMA0GCSqGSIb3DQEBCwUAMCExCzAJBgNV
-BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQwHhcNMTkwNTIzMTUwNTIxWhcNMzgw
-MTE2MTUwNTIxWjAxMQswCQYDVQQGEwJTRTESMBAGA1UEAwwJVGVzdCBjZXJ0MQ4w
-DAYDVQQDDAVwcm94eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMIM
-AgaAGNSDMgLYghbdvgtiyY4FoxSi2aJ02jC4Ji+QLWW0V9iWOW1IRNyEYRHX3AhE
-1lX+zousMm9Yni6NEtNUERvaN/9hLGJzBQMIH5grWKU4AsUZKFLAa1P/DiLh+U7I
-Blj2YESWh8BFnnfrMA2r94CYQmDCZyXL5xX5d75U5Y14isAUvthC9mbhhROu75C7
-OO2YFgMwDp0mlL02vp7z3NhbWqDxak+09LLuNwqy2H+E+qFou7mUNm1NP9dlUaYS
-tKkk6QaRe6X7tO09mYHMx5AnhsH3NU7hc8nBPIDbToRHaEXzW8gtXukXUa3KwvSq
-blqk0pWU3v/VV2Huwu4yfrzkL/Eb9Fyw6mlAP6Tui2lnqveb6xBPmyGr2UJ/pDfo
-Nd1SNKE8kfwD2MK57xwSa8unVDUQYguCs9LhdJFZ52Cb6UtfffR8OlFuzA8I7BWt
-0/Hh1lUIhTcvS6UaO3jP/7RmqmCwA6/9I5zAIh1bjSzpkJQLpEyPou9Ro+MarUOt
-YSDK1Xq5LTYiP1hZqhOkhtU9XLCCsRd5sDYHo1IsTPLLBRdU+NYjlP4qrCuZHKEM
-fLVSsMk/S8+W4nA/WrqZe+KIbgoxrQ2Zm4wTzdZWZC3ZEvF+IUjrm+nuXWTa/NBu
-fFo8OB5waYS0jrWm27FkPfZwtcWQHpjxdf9YlsifAgMBAAGjYDBeMAkGA1UdEwQC
-MAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBTZHxVeBpBui9FNbSHOWqtVj8r98TAl
-BggrBgEFBQcBDgEB/wQWMBQCAQAwDwYIKwYBBQUHFQAEA2ZvbzANBgkqhkiG9w0B
-AQsFAAOCAgEAXHVRH3wJdrTjJV0ywc1rrI1cH1itMOqzvZtbLUgMEJQuRRnRVHys
-ZG8HxNeesfTiHAH635GeJh66rCbxmJWqczLUoTib/GRO3o+NbtcvAyEpT9SXD201
-x9tVUhEb0lBmZDpnvpfaC7MF3tS/PXMurlFV5xxFRG+xRbUo7+EAQfCEuADgdlRv
-v75YrH5ShohTk5nP2SxYu6NLNqvawIb7a/GRCwD585FklQydJjPlYgPcbFW7FXBz
-nopYKJriBJdttirZ2DW0HrZyjF5FNpGIEUOxkvYoiqTOTqOhTOrm1sziS3S0DbfT
-eoMXIIV8vcFykmSh9ri/k+RKnznje6he7bt0yV3Fb+e/YnAdlxLVPCULWHS6IZtA
-g8SZ6m0pKQByH/yF3dSEzLCP9XyNUybwPIbLXq0LVII46CtjNiAIgFSDDtQ11tS2
-Ja/rhsUsSE1eRggTXSPrYSB2D5J+j5zcT35nqmlTm4ZGuG05T/yh6c6UCwA7hXmj
-YJxo+1BR+pNl6Q83mvPDKnZ7qkZdxCnuxkPEShatf5ntAxVVZPsfTbDwwkcMSCJA
-Wvp2/2Ss6rv2o7+vs2AbygXdF9H7QmOkJj1TgDKwDTkFOLvgggMHZOSZBef8Tluh
-gaX5p1Zxb9fvAhkTiSdTuos1YMPuu2zeQTmWXJqtjpGBJQBnDTA3b9k=
+MIIFNzCCAx+gAwIBAgIJAKQmPUkmhyKhMA0GCSqGSIb3DQEBCwUAMCExCzAJBgNV
+BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQwIBcNMTkwMzIyMjIyNTEyWhgPMjUx
+ODExMjEyMjI1MTJaMDExCzAJBgNVBAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQx
+DjAMBgNVBAMMBXByb3h5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
+mPssWfri3hoR0eHC6FCqD3arIBwD+XeYJXS2y1zA9UgijF3rLDtyubOpp/5Or6Q9
+cO7m4S+4xPquasRUS8A9rJZbxi3rvptVFD2DBmpEUNbIjlW2TdymVpAtD4uHKpOA
+xeEtn6eXlhDiiJcrrqLds9cLGRG0XaPSeTwzOWqhtyEeMp3rvVQ/NeMfYsMF87m/
+txopxdJnpEoArfxxudLSQ0HrILLVV/VbQZEcoJXEMjhZg0Qnw5rHRV5dacLT1gmp
+w2yRQID0rbcKk6b3ukRHXD9OWNt074afzQJmMx1MDlHv8IeFtksxEhhA9i612LTi
+KaU5Ac11ZJ+ew2YnV3HU3roH6BHeGeWHDhxqfpV7DPXZsUVo18kgrY+w1E+lcntT
+FfWzWXF6p7gIPQKBy/IG3FsdP9ugx4y54Jl2HsrBEOjA+x45TL80T0zA0FXuu6fo
+oljNGUrQfPQiWJCnQmWkjIhbVo+aovSlBRnOSsAxr7H8Ry4jhF2eQG8TIDgPRGs3
+DSwIUJyQwoRvRpo01ZJ1akfUkJFzv519EuN/zfNVTO2KBGVXprkONCZVN6eVpDVb
+rClN5iUqCimn4xhv2T7VhDKO6mjOMMR38kdLvsrtAWBpob7hDHr0zAXCwSwheVVM
+fMkYHZEyVfsxS7/ooA+oLwbHewhV3zJQDK6zAgyi+jUCAwEAAaNgMF4wCQYDVR0T
+BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0OBBYEFFyuJ+5Hf8HzZNaew6ZLRnQubKRB
+MCUGCCsGAQUFBwEOAQH/BBYwFAIBADAPBggrBgEFBQcVAAQDZm9vMA0GCSqGSIb3
+DQEBCwUAA4ICAQAqn4xPkjg5lR+wOQwxKyxfzjS2ycEW+8WLp+l5p7qHmv4JOSwO
+/XFf+6sRSGiBwHAoOq3yJlU0NzEq+uLjEg20/MXQ1+R4N2AsWeD4wUxRkjoukmc+
+at4wza4SoJLzfv8rYtZRx7quXDq+tFgAHxZv/AB3tghCyjS9JiaAc2aA015XmAec
+qZcLjWoDmIH4mgT+LuenPbS9Dus8mGbOiTsns+iVCMZKJOBU1KF1UUy+f+J3SGqX
+nsHzfMiFqU8qA6sQ3mZy4yqPG0Yu7r6YfpV2HQPCLXy1VZ3BINf/9YINaUCe/NpQ
+Md1Pd6Q3U8+QObyAxXVfmTRFGCDu+S0NlpEfZzPnRYxr0ZfwC3SKWMwVHugv9v3k
+qkZAgB4T9u0TqBjuB9mWoyzYEqwRgFg0AjrtgWXPJ8MSnth3eSrJjcXhEqgq1NvJ
+SZVPzYW9RKB7lAM/4cDmrGXB1Lq2g4b5R8H1wzBtjL+CGjCuly9uR5HvxCOPLzPm
+btZTRQtdA96L490wcv4D3JHN9ro0cq4QB2m6XKr2wDDh3CEgQQmaTKufWR8zAL8R
+5HYtKxt1dcz6w4FiLgq9g+ADZMwJpErmGgldX/NKMz4Rfy0qMCprIn6XgPWWlSC4
+BT/0EyLjDJhwap661H5sMkchCx4uywG6EvQBRf4bxpWQgxReSO1znefULQ==
-----END CERTIFICATE-----
diff --git a/lib/hx509/data/proxy-test.key b/lib/hx509/data/proxy-test.key
index a94127e88f68..fc303ea6c1a5 100644
--- a/lib/hx509/data/proxy-test.key
+++ b/lib/hx509/data/proxy-test.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDCDAIGgBjUgzIC
-2IIW3b4LYsmOBaMUotmidNowuCYvkC1ltFfYljltSETchGER19wIRNZV/s6LrDJv
-WJ4ujRLTVBEb2jf/YSxicwUDCB+YK1ilOALFGShSwGtT/w4i4flOyAZY9mBElofA
-RZ536zANq/eAmEJgwmcly+cV+Xe+VOWNeIrAFL7YQvZm4YUTru+QuzjtmBYDMA6d
-JpS9Nr6e89zYW1qg8WpPtPSy7jcKsth/hPqhaLu5lDZtTT/XZVGmErSpJOkGkXul
-+7TtPZmBzMeQJ4bB9zVO4XPJwTyA206ER2hF81vILV7pF1GtysL0qm5apNKVlN7/
-1Vdh7sLuMn685C/xG/RcsOppQD+k7otpZ6r3m+sQT5shq9lCf6Q36DXdUjShPJH8
-A9jCue8cEmvLp1Q1EGILgrPS4XSRWedgm+lLX330fDpRbswPCOwVrdPx4dZVCIU3
-L0ulGjt4z/+0ZqpgsAOv/SOcwCIdW40s6ZCUC6RMj6LvUaPjGq1DrWEgytV6uS02
-Ij9YWaoTpIbVPVywgrEXebA2B6NSLEzyywUXVPjWI5T+KqwrmRyhDHy1UrDJP0vP
-luJwP1q6mXviiG4KMa0NmZuME83WVmQt2RLxfiFI65vp7l1k2vzQbnxaPDgecGmE
-tI61ptuxZD32cLXFkB6Y8XX/WJbInwIDAQABAoICADcofKbmYKh/xoaCjq/7Rhss
-cIibV5j1FZIVTzRMFCavAAiJ8/KP+TD0OwbH5mPRDS2Yi6iULpgLUabO9N/cn/5M
-RjS5mfNQ5vHxKfqLo5d4stD8E+V82jZzlc6hkJ4fx+M5/nvpRMIaW+oun/YMd3Nb
-b5YxMaUZfYKD7GMVr5D9xuao3h/thbYpiqsB7fcDYfutDGiVM6SiU3UeU2dZmWPL
-g/pINYHMPeD8WhZGmoTDA8Fzxl59S+dblwEI1V3f4g6oAIyX/lksn4419178hJcd
-45g5dBfMsm2CrowqDo2+SRpWxfAkVfGX3AO76i7RlQtBKu8/LNDyKVVlilo/KU9X
-eFstgoWDaux1ffezj2pkxa37wEaQIlPTrxTBZDB/ZO0+JMzvbmchLzBn4fY+1sXs
-CnPdAA+Ls1UQMCGn4jfdIS1B2oBrA58sQ15YX4o7El1NvAQ5CbAOob6Y7TfpWhgR
-2FKOxaRuK5Ep4rFY6bAKrSMigti+PGb1xx4E12hondwuEl15s1rIyB0/qjNQy4/D
-VVjujBFBbPkexI9UQOzzh3bXSfYNtYiSAEqpbp9aYiK2fKMIE+pjWivXaJH3Th61
-bxKZwIsMBBcNa/S9VPiAFL5hIab+WVueI51M9o+eWYIADPq8SgyTqCryQpEyKDic
-UQgM8EMSYnbttvKPE7x5AoIBAQDh4Gynf/FuZ2fbidv5UrnondQerFNfpCgco3gl
-dwKIWfsT/MRrCsv7Q0j0gOZ8C3RjkXzM7+ySTNuGki+XML4B60k7Vj2m/Q1nHffp
-nZUzY8PYctt2GsKnf1vi3X8NN8DsIHi/rFZu10ots5WGRnx4aqogZ0e9C0e5QaFL
-TwxKAYre/brg4zHorgkRCKQFyJkDJcupgUFbgCZvqF1RdbUzQFsJWHci1X5JFSxM
-FDnj7nOm3Eu7cjOMiL60+xHFLoePAISGc4XJvz8sWZdB04yZ+5GeCbOJ2gOiiFiY
-/3a7fHKrok8THu1cChwEjRsJwHWNvslMY7IbEEBBMIHxTu7dAoIBAQDb7OUluo1i
-7OsnRhF+1xGiuTOyeY8+6r1oA0uwHnnMUBjBV0YOWdqJp52tJsWnEgYbYc48P+oP
-h6ljcPH2glPlPQRbnet38Wft3q5P4LqiD3sgfRuu6yw+c2CZwlWeK93ft248QV+G
-v9FEQq0nC2x/aBNXxrWY4pPEAYaWYhG6D700X7+7EyKKgpVp1Gv528g7pTi92k9f
-8Ut3F3hJVoGwTpcyTnz+S4xozL0N3LZQjfw/OgN6UXk/prMj4yUlswWoPkUN/LR3
-xYcOtmPkmiMwXEN8hDCqaQWAfqq8CRCy/iRha87e4Xg9YeNQvVPODLmxkCuP3H/K
-WGlecH+knverAoIBAQCnI/lizLLrfksE0fNbf9KfhcKD3AJpwEAKSRBLsM/H88Vt
-2dnCV5/vUq+2dXeYDKXYU7zkrRkCfSroXl4m42OGagOri7pdSd1UE4HydbAE8erm
-zL8GmvC1HvHwYvRz5HC2iaSwOKdQp7B1NvELBjdup4cyKRqVkbZGKIFhB6JRVOjc
-7yYM6TFyOu3sk9dDjFdlU99rk4C4Y5CNiSlccNxfi1ySAstNlGs5SxiXR1Q7DKS5
-sUO89dmdQUbVBv/0R+T5dWmbT/qM+h6WA8mAZTkibFwpdIZNGG0eJQRiWo8SVxlH
-VfhrbrQ3KifnWj7KrYaPF8E+7HrLue/CDVHqLP1lAoIBAAfJCxOa1wZ5fJmXUWc8
-FdO82qemxftkM/BKrZM+gPFKpJWzkTdQ1vuog1xt0vFnIfA2NibL3G1QUB7FEMu5
-MV8cGdtka8GDOjqhd2o8el7iTWmJBEHc8WQEkZbf2kgPJXuV8sEPT2Jlx/KyqY6I
-SP75oDWrQyJ2YuS9aRZJwnbjt77y5Maqlr5wgPmOG4Rs01nJL4kJAWZUFGfS3N87
-wLuNDK0rOiGGayIKnWawOYQAgr16QEVEPRaTwCO1FsuO2tRp3+fu2jSjOXS74C1n
-h3dezMTLqS1fKmKyGTku2Ph9JqyMNHaPZMJHhNSG30CcErbGc8RT+fIfzxsYwGwD
-dKECggEBAIk5NwbiRe8EJmhLlHUuALYrzBJDgTSSNwrqUBt3lyP46XC3dAyQavzy
-OX1Bznr1AauC1w5JEfr5DHJ2MeRVR2V+Spb+5e7KQGemoe3jaM3724smxfhThW/W
-+nmiJ3Gk20lwBVBDZ9KTBnptg3zr4kORlNP2+EooYj/1dvzkflwDm2dLX8taSn8h
-d81XaKBBwrNi6MYBYLDzw/tSbCkMGWK+odUguw+X/IDXiFcKJ1J2lRelJxdv6h7g
-NeeTX0a6esQQO1MMTIVZSib5CubwgMhz18XvMA9mkcDjzifFhCrE7P1KlQLUYIGx
-lUR8W/if6GM2wU/6ijdEVsMAQJUI5cY=
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCY+yxZ+uLeGhHR
+4cLoUKoPdqsgHAP5d5gldLbLXMD1SCKMXessO3K5s6mn/k6vpD1w7ubhL7jE+q5q
+xFRLwD2sllvGLeu+m1UUPYMGakRQ1siOVbZN3KZWkC0Pi4cqk4DF4S2fp5eWEOKI
+lyuuot2z1wsZEbRdo9J5PDM5aqG3IR4yneu9VD814x9iwwXzub+3GinF0mekSgCt
+/HG50tJDQesgstVX9VtBkRyglcQyOFmDRCfDmsdFXl1pwtPWCanDbJFAgPSttwqT
+pve6REdcP05Y23Tvhp/NAmYzHUwOUe/wh4W2SzESGED2LrXYtOIppTkBzXVkn57D
+ZidXcdTeugfoEd4Z5YcOHGp+lXsM9dmxRWjXySCtj7DUT6Vye1MV9bNZcXqnuAg9
+AoHL8gbcWx0/26DHjLngmXYeysEQ6MD7HjlMvzRPTMDQVe67p+iiWM0ZStB89CJY
+kKdCZaSMiFtWj5qi9KUFGc5KwDGvsfxHLiOEXZ5AbxMgOA9EazcNLAhQnJDChG9G
+mjTVknVqR9SQkXO/nX0S43/N81VM7YoEZVemuQ40JlU3p5WkNVusKU3mJSoKKafj
+GG/ZPtWEMo7qaM4wxHfyR0u+yu0BYGmhvuEMevTMBcLBLCF5VUx8yRgdkTJV+zFL
+v+igD6gvBsd7CFXfMlAMrrMCDKL6NQIDAQABAoICAHwnJAhmXyYHHD0sLmUhydJA
+6YJmmickkvqa7Rq/zO2DPF6Ufh5opKPnFiH7dlp/PUng6MkKVLawB0soyIytmJ/v
+as28SN1o7LQ/c42KQqUkmqFBGHG6R9hqq9c40lqQWOq+46r1dUVZsK9PmCjjjm+8
+bwpKXwm7wT2YyK2pR1L68qn7le0SaTZPfBJH2hXBwsBT4GDmcCxZzpFlFdrMKM5i
+ufLQj+oRep0MqqH8ybxEFQk+D9NkUqKOgdsqPYcwUnECNCOYRHqS2WeZEuU9Mni/
++9KLUCxwIlJbxxtmhGn+v26CXdbi0RExU883e2dC7WUE7O30k3g1PsCvr+/8ttdG
+AwzeeLb1o+dYIJrFBb/YmpehrE2JP5aTi47AtSAkKnYo5lSkxPEdqxSNuU6VQp4l
++MtPvV6JKY0HfDYKPxdXFdrGDQurNeRjrgyXZ0MSxxVCscR0TXij2bkiGd6Euknf
+Oxgg6KqFRFwXA+aWupNA1lknTEU9AIPb4QBYH8Je3st+Q4FxBCFHE6N0+uKdbX9j
+GlZ01d4WJxo3rJf2q11Wq24G3v+UBtHV/RRrWy7ZBedlr0XFQ+i4lhFFPOvLFSS1
+Hv+7Hzuh4h22RhsAOxNveX89MlhPb6ZrR+3C8U2K7EjHxVlGzAvcoutD7qjUF9N7
+rXOHJG2qwkmoGO5L6z6lAoIBAQDHlvHduYwxfAanrITkQRRodkl8V0xcQhQTNFNj
+1vhQWqzBo1C1p1A4ICuTEmAPR7r8LuCYAP07RbfxPbMS6qfCT4nnJmGPONgkn1my
+s/9s7o5k07TST/Z9VVPCewc0+XcyWHwpgZMPeLSDqB5yRK+t3NoqGOnX3LI4fNE/
+YB5zQWh7cG60SKl18kXvCunMnh0pE8mGE+Mx70RMOrmBxnLv0xDbwbqfY5K8nY7b
+ccaFVMLHkE3YipF+0/zp2H0SVlV48h/fkwYdIzcDNje7ejMRJk0/zviPuTJz4S+0
+sJC3IJ6Cyzk12zmyV7zc0VShFutUbLccmKxfWde4N9I2FiUTAoIBAQDEN+49eQho
+0q0aNLe4LxCXsjJLhDB7XcZiGsFtKrfd79jAo7v/C0HiqbZCecrbcG62Hip4aEc8
+0bFj980LM57XM89QUylzKFJXtQe7/nxvmozQTuX6tFb2AxwSwFcYHfeFPkjsqWTF
+iBsREZ4l7CS1wsgC2vb36rk6GfkAjGd6ZYn7Jl1JXHr6868gBtle1Ad3H/S7BW+J
+Io6upgPHbI11/29ScMu8c7oYk6jQiBrVZd6PEq47AhWatFqlSyq2mjlgGkleRzrN
+J4SogzRs9Emd0xF23bjdGzK1B8GJY6GqUN+lZ2SvkKT2PyQvDuWSOurlOv9GQuBq
+kELci3kNb/SXAoIBAQC0JcEfYQdx7sFO/H9iSn9yHjoL2fvZVecqwlL2TaUJWh6O
+FKuXmnHkhtztvWsov5S9ZE5hxJrMsgvp2cfVLinHT+Vn1pO+Iw+sVowuqRrGJrgt
+t4yBO51+2NJmOodxwC1fKtC+4e5ry4YbQ1ZfyzFKW4oq7xu6M8BFDhwL+OTjIMl+
+iSfS37bc95U5wn7uqlQlrG977l1lx9G8gFDKGuXJI5gW0lBw5v4d8pRr69DErZG1
+cMFizweuEwc3xqh1MamqJdixAtJE4HEaHAjH1e9b7ldRXa2qg/1O7JUToT6tm+qW
+oXl86+ey2lBkeyjI0ZgNNqc8T21eDwiPhQreuLQzAoIBACHdgVnMvN3SlpuyQ48f
+WF7GG5Ya/38bRTUDZyTfPZKpZaCB4d135Owo3FMG0DMlaYY3GJ9lZ/4gNtyJFTN8
+ukpsH7i+UaYVbHjEvsv8dR+R7gG5zEmDvIqDKOI3nhCEg4bUpCNsbP8GqZ09jC0B
+X6ibMIgFoKBTO5rChs5IbUebpL/a9DjIJFWRn0UIyZVrRMqTklqA6qohc7zC3F4b
+5yJZbq4s14zz8EdznKw5AWCZT1skHzwB9RaZUBe9LGcNoR9sCgOiiYyE6Ilo87Bm
+TRpXJml8hP5sRkkmSInczzck9CSI/sCqVz5E0YrpqEefsZDUqOBIhJD/yvpjfAYM
+r4sCggEBALY2BvWagNcnTdINCI25Tt0S6J4vAScyG/LESS+qRxTUklpqAsXNPMQ+
+O9n3B8knb/1UuXeHC7yAScNUSGqq+Z68D9my5cXanSVzOlLwRu6tUa7J58fbkkif
+I3PoVDPjEkYy/yWJEIjqKu5z0x7uMKXid/rf9BHCIH802v0s+EsQZn36kmU3MMpB
+Rriubez85f37vXES6A6DD5EmWUvAAuKvfvXWXtml0f9d/JZd+8jMrHQCwFprdTyM
+fN1crepFBAl6oheb3ColMByiMvU/WzcT5vwCnUEd+46QLuTU0BdXcKWKXviHI1Us
+2f09X6R0XLrRpaAyQD+H/2DVhYM4CV0=
-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/proxy10-child-child-test.crt b/lib/hx509/data/proxy10-child-child-test.crt
index 9ec7112aa3ee..a606da6ef85a 100644
--- a/lib/hx509/data/proxy10-child-child-test.crt
+++ b/lib/hx509/data/proxy10-child-child-test.crt
@@ -1,32 +1,32 @@
-----BEGIN CERTIFICATE-----
-MIIFeTCCA2GgAwIBAgIJAIZ6hp81I2P7MA0GCSqGSIb3DQEBCwUAMEMxCzAJBgNV
+MIIFezCCA2OgAwIBAgIJAIZ6hp81I2P5MA0GCSqGSIb3DQEBCwUAMEMxCzAJBgNV
BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQxEDAOBgNVBAMMB3Byb3h5MTAxDjAM
-BgNVBAMMBWNoaWxkMB4XDTE5MDUyMzE1MDUzMFoXDTM4MDExNjE1MDUzMFowUzEL
-MAkGA1UEBhMCU0UxEjAQBgNVBAMMCVRlc3QgY2VydDEQMA4GA1UEAwwHcHJveHkx
-MDEOMAwGA1UEAwwFY2hpbGQxDjAMBgNVBAMMBWNoaWxkMIICIjANBgkqhkiG9w0B
-AQEFAAOCAg8AMIICCgKCAgEA5rd/XFWt7tSsRUHIdPgK+CNxME9zqxPFzb0MpToG
-3BJmFnhSA+1qFigBNHEsESN0pCG2nn/j9PXFflYOEvhcMRVd+b/dhTkyrmZScaaG
-4/hrQuHNW/k9CXsq/FEQbWqVxiHbs7KNjmHHYHSdmZ9Y19qS5kTFEE7ma2hySyJr
-7yQ1Fd9yVJyzUr4dSkxx6kGh+aILgVbNqSrd7ElBIhPMl4Qd4UVLadfFyJYmxiG0
-Gur1wXDUN4ElCh8I70elpjQH0fXmBG/FZl8zdMJVnQMSeFG2Ob42Atu/4Ndz0N3w
-9+4hVQW6v8C4TbPRaIYyUB8Lt9jxZWmOfXKAfEF1uQrZaFttQbIBNBxUmu7tRMAQ
-4OEUbNTFJ/+ErhPHHStIx1emP22WaTmQ4v3qVPr7REYuNKBLsLUZJd6qTftlUd79
-x8E81aJaAk23QW+0xldVlt7bAXF02iy2oZnJcj9Uwe/l6XQgHoPuG4Lz6q4OA5WM
-ROG2vgOtu6phY5jY16YiVvMPocW9mdJQCjRAbIGFpmUeYiB6wWr9EGZpp+RVOchG
-zS6GJCGLgyxcxHWmGYSNvdMnEacyXiCnC8DQZMcgVnqsDFBsM6QyICwXZr72qkU1
-QiWswudnspE+hw9xgceZqzNpAKhUw2skiLZOO0rnpLc/Rtd9FR65Hnvscz9Xu+p9
-pCMCAwEAAaNgMF4wCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0OBBYEFLD1
-SUEhi6VToeKjUn/AKcXzGbOFMCUGCCsGAQUFBwEOAQH/BBYwFAIBCjAPBggrBgEF
-BQcVAAQDZm9vMA0GCSqGSIb3DQEBCwUAA4ICAQBy1ZfOf9nkMOa4p7Rm2uzJ8hn/
-7htPNcawOUlSiq0JjctHoYBthHAHvUrrkjjR303c21adSdjs1KusOn0sbynaEMgP
-dU2tiLn7/Tb6bAAC61vvBErsqzPwPQJX0/M+qdoqop43DG1Pv53VR5LSISjXB7Sl
-oXbJs4cV7oksxWy0eeSa3IXFEnH+NhmHIC6MtpHqRAY0dXS5IWWo1q2Hiutcdd2l
-Nc2IBgIY38oM8vpFoQp0Z9S23WIBZzKJ/eqyYZewmSKLnJ1zPvlDJX7g9sIDuO6T
-SIod413DgFYSqKAv1u8brT1KnTytyxRQOeXqLTMaJEGB/u4z+CH5Z8U5WlA3X8IO
-dHKAZM4LhGWLloyIGjSJ628Ow8VVdP3ptkKXJ4cVka92SDocCtsEdXFYoU1NA6U1
-D4VkExZTVN1sLmIsBiG8i9O8VltjMpPYvKjlUaoezCczIuEFVefuNpYLx7quoIry
-8FFW6Ccw/kMSgAhaO1l0OlMVcuZTVns1/fmAF1eOscb5ud7u6YvqQeAbouPt3I2d
-eTFG1EJgmfG4JjqTWMXIJdt2VuLutMPUSPAZ0pM0pGsrHW6FVzgHNFlgrO6gOeUq
-ytDsdPEy5H1Dk6dzoPzbfSkMQ7a6HGf1ANeNLsTXV/0+kn/T/RhZAjjRQLWeRzDv
-N0angzihXX4AspaYJg==
+BgNVBAMMBWNoaWxkMCAXDTE5MDMyMjIyMjUxNloYDzI1MTgxMTIxMjIyNTE2WjBT
+MQswCQYDVQQGEwJTRTESMBAGA1UEAwwJVGVzdCBjZXJ0MRAwDgYDVQQDDAdwcm94
+eTEwMQ4wDAYDVQQDDAVjaGlsZDEOMAwGA1UEAwwFY2hpbGQwggIiMA0GCSqGSIb3
+DQEBAQUAA4ICDwAwggIKAoICAQDOIxKHoKGi1/5V21RKfDqag54mjcz/ye0NvVHq
+QKXJ4I8EVZyP7fwtl4ElcZ0GyHhqetXsulqgzuoGns5eCAq9mMkX4+3/EXvy0lyz
+rVa+K5ysq6rsUMg7LPpiWA6RM3YYahNedzk3gsRghJ8q0vbvpTzNZQ1A+IOY1kdX
+AeqyBqUT6kLycPYzU/eL2WzVe6pTRt1p2LKckDjxCKJI1ocYhWrdFhbB9YduvEVp
+IRTINGXGvTpk8ZwzvgUQk1BmeGc1qqnmY+/wEEfpu1OZD2+5rJWQ7pSyB1jnMBxq
+mTc5jkrMkzJX9F5JleVY9+bKZcBGu34mmAa4vXfwQOnM2HXAvjw3DJGlZCuNKExs
+Ji9RyZcbe1NZqlBkp9l79cnlqURV6HftFFTyBNloEaNdzi81rYiMlxEoHEHqjLvo
+9HCNV90WDDHPxDG+iOKyY6OAZ/QtjGEAjizp1NYHYkvTG3PzVvqQCsNF4iWzksQY
+3M0OgyDybskOxvUN0NzDrF7Zw0+SqBSnYGWokVoghzQHMQHEOv/gYvrdw4kGs5Db
+RXPfiYKJSPlsFgi0zXpZgm8Br2GxEW6ZfADaK/eONC6FW2W4aL9oqC8XyV2kYi/v
+69G+UeULhVELL4bsUf0moPELFpuwyShHqfQ4l5Us5m66zxc/I0ekz2N66mWv/WQ9
+LNJBBwIDAQABo2AwXjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAdBgNVHQ4EFgQU
+W8uH0Ungtk49Eykz3IE+8z536hswJQYIKwYBBQUHAQ4BAf8EFjAUAgEKMA8GCCsG
+AQUFBxUABANmb28wDQYJKoZIhvcNAQELBQADggIBAAJxESHv3qYUiqzpmWI13Bbe
+v9UqS/Le+WmWosv7JfbBV/aL9T2FF0uw/sMojKxxs88wfipYAaf7Or92JBlaSyt0
+YMhmhW7+miLEoWqeKkRfBx0q5IHvtmQMpNjDxA9uTXJW0U6FIyhVxXRte/3x4owk
+KUfq5P43ErPMEVipaM0ns2y4+d9WimFtUY/52l/NqH84pwgP/2JuNYtRaOZ5pjyO
+//zSUpiDbyE1OCeBG2b+YqKwDnCdxdqj0pZps/1fLieBr89GbS4SEMlqRgqN6LxO
+XHkfS3frkD87l32zTuQnhD8vxKU01Kr85t6CPL+FIUhjUCxG3Tll8Z+coxgZp8IX
+bjpyJfEx9834UqA3EDKpcuh3vndvov0nXe5XnxpmYevuCpd5fIjnbAdimFMshni7
+WhW+9HzKGTAKqaGXqRyEsPybm6Psw6F60p5Kbr9X8/+WM8j3mReQI4n1yKfW25kR
+HlqLPmwrJUOGDsf2NV0kYg/8Zd+D5uT02LUKQPh5gd/9X/vm/YNJfmLvkK9V0yI9
+5U6nxRe+kQDreWSpP0mS2Bl3o/mOKDwinn4zZLU3IStrvhoVEo9LeIuehsul8zpk
+57x1zHsKwviywBdAeJOXglQRhGhy76+jcN6Ii5rx6Na7uSlTSQqyz23bXfK8BcJr
+TpIzMZLfa2s8faTjnjAD
-----END CERTIFICATE-----
diff --git a/lib/hx509/data/proxy10-child-child-test.key b/lib/hx509/data/proxy10-child-child-test.key
index cd3e0ad4797c..7a5560171f57 100644
--- a/lib/hx509/data/proxy10-child-child-test.key
+++ b/lib/hx509/data/proxy10-child-child-test.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJRQIBADANBgkqhkiG9w0BAQEFAASCCS8wggkrAgEAAoICAQDmt39cVa3u1KxF
-Qch0+Ar4I3EwT3OrE8XNvQylOgbcEmYWeFID7WoWKAE0cSwRI3SkIbaef+P09cV+
-Vg4S+FwxFV35v92FOTKuZlJxpobj+GtC4c1b+T0Jeyr8URBtapXGIduzso2OYcdg
-dJ2Zn1jX2pLmRMUQTuZraHJLImvvJDUV33JUnLNSvh1KTHHqQaH5oguBVs2pKt3s
-SUEiE8yXhB3hRUtp18XIlibGIbQa6vXBcNQ3gSUKHwjvR6WmNAfR9eYEb8VmXzN0
-wlWdAxJ4UbY5vjYC27/g13PQ3fD37iFVBbq/wLhNs9FohjJQHwu32PFlaY59coB8
-QXW5CtloW21BsgE0HFSa7u1EwBDg4RRs1MUn/4SuE8cdK0jHV6Y/bZZpOZDi/epU
-+vtERi40oEuwtRkl3qpN+2VR3v3HwTzVoloCTbdBb7TGV1WW3tsBcXTaLLahmcly
-P1TB7+XpdCAeg+4bgvPqrg4DlYxE4ba+A627qmFjmNjXpiJW8w+hxb2Z0lAKNEBs
-gYWmZR5iIHrBav0QZmmn5FU5yEbNLoYkIYuDLFzEdaYZhI290ycRpzJeIKcLwNBk
-xyBWeqwMUGwzpDIgLBdmvvaqRTVCJazC52eykT6HD3GBx5mrM2kAqFTDaySItk47
-Suektz9G130VHrkee+xzP1e76n2kIwIDAQABAoICAQCeoD0Vu+bZVSmYeHEdUskf
-8CZLY+UQE4klOjyugSXkO1YrTtB82MfeseSaLNFyeyEgE/neIeoWKsB9aydEDbQ9
-Hwa8xxjEFx5sX/eBIlCN/ueoVV1/Re6cTS2xyv5zbBvL3M2UUEgZQ8rz21ncHH3V
-8vabEV84JjcwU+B5HhJ9mjRRdI7D8/UrB4FV6xdLS5LU8n/cjlTaYZmxcnAwwNIi
-vnhYwO7nt63Jisrf4J5W/4K2XB/chZN00P+wnF8c1Zsm1V0vYbWj/AKB3XdFe65A
-QVX7f3bdIj9blGaRjXa2z+fk8AqE+jj9W4u3xMRk5+ODpMnbwuZwA8CpLcyFzBrK
-4gWQlZztfvvV8+nIJRo9BNOCtxitsEflq9S9FsfOE23H78+Tr43iJIikaBy2TwjC
-HupNvpuqCSzwBD/Gqkd+zAsZmYJeqAduPyAqUIRDjcnR4srpzU5UGmrSbYCCtRT8
-pnDIUoktcV4GSlpZZRoImpCtX6qkr3JOoDuTaEhqFKAy3vHzzyJYpkBWlPqRatZ0
-elw2zVjmbgaBGkBGNU7HU7pwsiSl38CXVrxv613IlRBTTGyThl4luuZoVxgLEHwN
-c3quCQ+O9fNcD9s/8u2Y20KcPb9cr6eGl1Klj11VRkF/DrpQqUx9yBPnmFxZQD2G
-Vw0piDNSWEntLu2xvASsSQKCAQEA+Ee3TdWSh/tLTw5DMcoZTrUddtEyiI7Pm8li
-LAwxR63M1SebhTD8cQOijGJ70HEftUn0DRlbTYUuJYcH44mHVCmm3crz42aIC0Xq
-yiDoQIGsdhsusRsHqIELUiOphMIlt9Yj9H1r1FPfLNioCsmigZs2soSbBshpUr6t
-VMr1DcDmJdeIk5eiRtnpeTB53fhObMuYN7QbB+NnQyqldwTVX9LHl/Al8QTnuF5R
-m1tSCNV3EeMGp1asFX5C2noDZkXYy3XXp8nmPvOf7PgyexjOD3l6qdlGWKmAsaxT
-NgTdMjidobgmNUsXwSJ6PVpJOvokCdfTQRKMW7a2nz4qDW+OBwKCAQEA7eP6oItP
-yjxGB6wrEKV0U7KEbxMYJ+IAVOZ1sR4SbYKyncDf8msbKfFshIJrI1WpXVCgK4Wu
-nvIEymvga7fsQKKiqPhMYWgFr2oSRAIt7BpfQY6VWjYpnzQXf4drAZjq2wAZQVzt
-JA7RYxrCLixRAJ+oEBo2MxlznW4zlzT/C0w5fYtGDyYU6wl6rdULOgkIGfgMFd+2
-CHCK/szMhUV20xIrwlErj/im9P5uBqa2+UJkf1LOwv+YLTKgqE40Wfk1eITtK8Ol
-bXnZstAAIyokKq3j93jr9O0kgdchV5vEOq5JJroR9eAguhMJOQbhQGfv6U+xBWkD
-1hxsXsULETmyBQKCAQEAqiT7iWuDL40W3uZ3RfepwDZ+Kp7ScqLrw2cO0ADLBMQm
-Sy0Jdw1K8mf7TRlwoDfl8ubrSM7HsyhBp5YR4eytwQ+KOxSKbpwlPxR7Amnqv8od
-1hJqvRQ4+1Dz4SZvVXt3PbSSj0okSy3vE1ymTD5CD2++3DfjxZIyG3Jwdltf9Dzt
-e6FpBzwzCTrstRBzc5pmpEgh2Iqku5MrgOwI2LeHQlPAVG9OkQ07fy2j30OFxGgF
-YUyjkqni5BfS2MYk7kGPgF8RmvrRvvJV9p9geNtW22P0m9E6VChU+W2O2MYcj/4c
-iGcaSAteDA0EmGb3KGOjrtso+r8rUO612AtR5kM8oQKCAQEApuIS1QNF8zJ7UjCW
-eXQIehq2yxETFg92ehi+IYVeGhLg6MgAkphOkwr5PLAdJsmWKY9A/acnS/uuHq60
-3fxFsUYmY/Dj7EVED72SmMEKpCIQBvZWkdWDN1sczOsbxyAWSZH1JaRh+7SlcSe5
-ZxjRrmVSShGJSimlsKA5cu7LqIpNnmPQvxnQ/N1GgaH94TWqyET5fXLVyW/iIkNb
-inajmAicSBIXREWEIkRGvUXBAHVx+NwHjkYt5C8rA0bxdNjdiPF/S/9REs6zSLyg
-DAspGgOo89eRd93QiYF4s3PjoeLYEGHh7aHQc5idFLNd24fOhtbP8WKtPUvtPkJu
-tCPMXQKCAQEAs1/6EmojSIvZB2HjE2AGPGxD3hktqwUcgf3s3xD0MToSbdBVVgc6
-ZeIGQjtfSE5sVhxi3E/lNQFPvwLzIO4HhkOsZ6DRhAO2mixuZwaniSv0v0zAhnxU
-jZoY+mAwhUTM47Bs6Q+G/WYhJHocAG/Lk1ChTSA96bwJaB0CzObnn5loM+7FK95y
-waGm1RXNgPSQaQMylLlrO/KKj0X868PuDgD4+u795G6E6WBWvRGiHrDH92v1eV5J
-u949lT7ltg2iVBUQqENQeHMtomAkeIGGJRtAMjn4QrtbC64UEAPbTd8hYoe3q/XN
-eyMm+IBLsR7OBZ2PvfCkhvJ3qDXzx1+BdQ==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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/proxy10-child-test.crt b/lib/hx509/data/proxy10-child-test.crt
index e759447a3ba7..41cb81455e7a 100644
--- a/lib/hx509/data/proxy10-child-test.crt
+++ b/lib/hx509/data/proxy10-child-test.crt
@@ -1,31 +1,31 @@
-----BEGIN CERTIFICATE-----
-MIIFWTCCA0GgAwIBAgIJAM764JrT/2XzMA0GCSqGSIb3DQEBCwUAMDMxCzAJBgNV
-BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQxEDAOBgNVBAMMB3Byb3h5MTAwHhcN
-MTkwNTIzMTUwNTI5WhcNMzgwMTE2MTUwNTI5WjBDMQswCQYDVQQGEwJTRTESMBAG
-A1UEAwwJVGVzdCBjZXJ0MRAwDgYDVQQDDAdwcm94eTEwMQ4wDAYDVQQDDAVjaGls
-ZDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMyady7cAVLnQae6jZG0
-QWzGcIa+0EJdjG5PyLmw4nJSAWBno68VmIPzqThNPn8aHhJ28aMYdS/oLyi5+Vau
-afOvG7gOW2ayxmPelafk4J0Olbg+dHG0XzfA6Y2Y8gBigXtVR176GR418uy31HpO
-O3BnlvJFU7QkBr9A9zROTnlfUUw0mN/io9I+LAO2GsbdFl+HTbx+T3LDKORf4jWW
-suHBFEdwm0piJbP5nIk72jLp71ulubi4j5E0tVElv0DpF4FaQeCRGMXOfTYwswar
-qg2TzXBTyeq+Kmuk1hslrphEVu1IZc0D8+aAr/hvrsI90oyTysASAfoCYKASnZWN
-vcYi2Vt8Kkb1f4sxISqtm2PmHllD6grHdK1iKfoa9al7VvAu7sGyu0DF1uwmyehJ
-1FNnQl0BIbFlfXiEVv6gRAazOJkxGO3kjneFVWffFwv9F9chdSCcMKO8USOV2qey
-ySHaO+YTP+ImXD65dP7Ks9r1dBKxcU5vxJG0orHSiwstY5cRRqDeKatRdJ1kOavc
-DWTlz/MJkMS8o5QNjsvWd+a8MkW0rkjYIuPzNHkg5ydFtm4lfRj8tZkJ56M8B5Oz
-KFTD8JQ1PgxyPtzC5gnOaDuiTrmZQd+6ob02nvP7S2PgmKLyVbb28987/CG7MczD
-g1BjCYRGsQnUcnvNM5EuMNlLAgMBAAGjYDBeMAkGA1UdEwQCMAAwCwYDVR0PBAQD
-AgXgMB0GA1UdDgQWBBRtG+s2dgue8pi+jKTQONY6Gu0vdjAlBggrBgEFBQcBDgEB
-/wQWMBQCAQowDwYIKwYBBQUHFQAEA2ZvbzANBgkqhkiG9w0BAQsFAAOCAgEAcSYX
-JZ8+DUUab6RvbRAxyK483Bw7DbJuqFy90zy9RNDHV1Og/YdEey1Qvne85sVhUGhb
-PLCRyM6dgT7BRsyBT00CYFp2sjETFm2KCkEevpfUgpbdYmxccV4vlOMguYJ6DWn/
-eV8OBOkdmc4RxZ3ibZ5XvNbs7lR5B01qHviAp8MT7+QFACCnC7gpD2b5lv11ZUac
-STkklsuSY4nPBaD1NcgysG5EAUxoP6x1J7nJM4ukb762H0/svmsaYSo9kk6KGNXM
-D3VbPCF4huNJcT+GkdtFfUmFHKC7yVekLDhs4Nh2GrOLJii3alcZXEOvq2TKq4No
-Tl1nTLFVLZ9pMsWzL4aDySYGPpNDZPvetfqGprw/uLohgd6k3eFdnWWBkOk8jX7y
-V/wLTTQlQHxMENFwj/eguEI7Kav8UcoZNaRWIjUXyZ29pzuM+aRJ4SFB21iq/vTR
-mqTB7I20eh4dcjVpytU9KeQkWhhvxdiUj7dfgIkSViMG3Cy9hvu19S+nUZyvuBGQ
-TwAGQlzfc5hEBbV5qBZhF/iOiDZJfBFcrULke5FfmFE6mW23eSwisqV4l0YfpyBw
-nAhC+u25wG1JC2xXitBLqDnZqoFoX7dSzEMG01ia+c1yn9sK9mRr5ahas/QnSSC7
-2C0QAQMNb+C32deKlAfuSbtk6H5Mwf2YmArqQ38=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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/proxy10-child-test.key b/lib/hx509/data/proxy10-child-test.key
index 357de74a396d..7bc4a02caecc 100644
--- a/lib/hx509/data/proxy10-child-test.key
+++ b/lib/hx509/data/proxy10-child-test.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDMmncu3AFS50Gn
-uo2RtEFsxnCGvtBCXYxuT8i5sOJyUgFgZ6OvFZiD86k4TT5/Gh4SdvGjGHUv6C8o
-uflWrmnzrxu4DltmssZj3pWn5OCdDpW4PnRxtF83wOmNmPIAYoF7VUde+hkeNfLs
-t9R6TjtwZ5byRVO0JAa/QPc0Tk55X1FMNJjf4qPSPiwDthrG3RZfh028fk9ywyjk
-X+I1lrLhwRRHcJtKYiWz+ZyJO9oy6e9bpbm4uI+RNLVRJb9A6ReBWkHgkRjFzn02
-MLMGq6oNk81wU8nqviprpNYbJa6YRFbtSGXNA/PmgK/4b67CPdKMk8rAEgH6AmCg
-Ep2Vjb3GItlbfCpG9X+LMSEqrZtj5h5ZQ+oKx3StYin6GvWpe1bwLu7BsrtAxdbs
-JsnoSdRTZ0JdASGxZX14hFb+oEQGsziZMRjt5I53hVVn3xcL/RfXIXUgnDCjvFEj
-ldqnsskh2jvmEz/iJlw+uXT+yrPa9XQSsXFOb8SRtKKx0osLLWOXEUag3imrUXSd
-ZDmr3A1k5c/zCZDEvKOUDY7L1nfmvDJFtK5I2CLj8zR5IOcnRbZuJX0Y/LWZCeej
-PAeTsyhUw/CUNT4Mcj7cwuYJzmg7ok65mUHfuqG9Np7z+0tj4Jii8lW29vPfO/wh
-uzHMw4NQYwmERrEJ1HJ7zTORLjDZSwIDAQABAoICAQCG+91nf+QrssBBDTW7C+Yi
-AmVYsGircBZm7KIryAQNkgaweI+nwiKl40ogB+4UYsG2Qty2Ujt2CMOcJd3XDyh9
-iWhLLMWmYom6d63aX4jEdUvXivS901cCbHZpYZ8/G737BU8Z3PxXTxZekAVRT22t
-gdo3Kf/IGACPiyfMTWE+d+El2omFI3wbB8N4C1ttGY1aJuTlV5vIxfKjgJK38h1A
-DWb4ntUE5O2k6Cga7e7NqkKs/xAhSzoEfXal+7ZK97z3LPnLU065qbo31zc1TmnZ
-nUprMgxDn4RTEiPjMyAV+vgygZIQCOyPhRUTXXM5WRogfpzDzN2a+JiQ4tcuRJ4O
-/AnCmH2MSwrTsnV1W/IgZo2/Va6eyqe3jfoN91e6q4jmoVvEyTA7oaX3PzJRggP9
-yySPLTiWJPZTgp7i8eoePdaDs1xkQyj7cX64+PtSwcf9GDssWsSUpHVtIgtZLYRH
-NI4Z+nSSDqDQzC++cQsaODKYarNmvIgIaFxGiFVnjlSk6wXFXpe3IT2I1Q02wvxr
-lSVlwwHOpbaTY+oZNE3XTl2YXx2VIVGZpjac3Bz/ML/jty7AlW50NKHgZulG8Dt6
-mV8daKR2YJIoAKMramJ9+h/qXAcpJmQQ4yqnGGRKjweVFOmxCJuCjmkhkkJ9IC9C
-6fZxzPMWcNLzcDoHK06RYQKCAQEA+I5U2Cm0XLU+TYOOpXIOjNJjOU+jUM00CD6o
-hWN54ArJxdGJjmk6V6y4ZY8mYV+PhDJGcop2kzeuEeJm7wlhSZ1nMWUVZ4bB3E25
-YAboVnAhk8uP0LVT/8O2+ENRX4WFXE4GKjytHPrHZ33rZtLg6AVJscsXg/JfKSMz
-NxahI0zYNdNcifXY8ekKvJPC0oCr7TuVp956Cc1OdSEx+j0iDkqcYp8ipDEf5GoA
-MR4FTyamaom/A3wC/WihzFmfSpB9HdvUX4uGwgaAtTEGMQBpJRcNCtZdtbrzwJnS
-ufPpmdr4xMFD8+BMcPzah8j5rOQBY4NaUAzIkKeoMpcd0OKfsQKCAQEA0rsmvfVa
-mY2mDjWZUtsohh9lPo8Upx0Ggxzn+8RMzQFtiUqns+/B/GdoGyVtJiYB0XzXKehz
-LD4+rgFK2kWm7ze6SSr+RaOaJi8eH7xLq2AjfZFhoTIAwIlpkEW2A1LuITBkbW9j
-1v64ssAJpUuM8/ljg2/OImCQk922uLRCayp+/CoyAHCJLgyBRhDy2NNuk/p59Any
-OFzgPsiTAejcigTq/AqQpgv6SDW14zdvt6De9pm2Cq9xYWUPaqkYNwJpsAGPqH+R
-Ncwigo3b9CWJPpfeCAT2qybj8ZE7yUzNeWqo3dnalXFUROpUi0rYUYPGqcg0340K
-+h3lBaVFNyEjuwKCAQBd3AGWD0mYqKh6RO+c8lEkRF5LyhL19EdtxZuFo2bmf6xq
-ExJKwNnTOdn4H/JyWs+rMAECR983AJOvFTuhkH04e0P4lx9aFL0oIAGcjX83BOjp
-ErmgKpkpwBJb9a/IznbpwFz7niYRB3I9VoOKNJ/Rfg2yIesjXGcq9avlZZo75kzP
-Jp2PS1M9Jq9zPqkXLJe/4fxFg/G5udmiyYJB6MvvcaVUaJuAPTy52H1yDtAab5Hw
-MUv8WNwYLWbL8BwC4EUe/WBZJCsjIamAwp5/6pPJ+cZnDUQd2Bcr5+p3ZfAUtWez
-hPfQJCc5k4JCPFZsPz13AqccC3fBiE4vrHkJ5EpBAoIBACEcCJ1GBIMlz1ZiM4Hi
-Lz7LhgPLRUpwdAp7qzNSh2Kae9RbZ3gNDqSStre1LK4WwKhifgf2nsnvybdbOqCK
-2wyw69L9L1BPwTOIqaoA0r7NbyYWholmKtoVfQGPAmcJS6LpUI4lN0Gbafej1qAi
-+7WFlI4dLf0WwQCKkF/66oid96+1DYAmLleO3Wzd0togdjpH24ttWKJkbVNP/lEJ
-fkUtOqJ5InsEXMGltrtJhYMLgpyqUADjyeOsljyC7uwNs/9Ub3bg/DbAqRdsJIf6
-sdKk19zYssz3Yk8dK5CYQZx3FqssxHxAfyYIz1nHW6+LDda1PyF0rqnXspkte2+L
-BGsCggEAPMUwXKXsMjE77m3jhGtxPGFk6mGOXeVdBjdamuRWcdufqDP2Ctlb6+ki
-gXsotGl/lV+ZQp88nXkHqmhsCIBHDrNLw8um2M1cLernah2qzfNPMqbj1UAntLud
-bYCUoitUFxnkMietqQtEpQlVWDazlgxaWp0AZU4iSfdhxmD+QRSBp14aBwJ+InAg
-HRYkelR8EBB5KU376QOXBViknRBgvW9yieD3n+CkFGDNkQII0D7v9gNXYK2NbVYG
-IClPaF7y+OVlauhIRaRmRjF4a49sssKd3qLNT34sM/JC2G3XXxyX+zPhDjf6dQLP
-wVvqDgPCDWKi204uIah9SC95JGv/BA==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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/proxy10-test.crt b/lib/hx509/data/proxy10-test.crt
index bf129830ecc9..9c89f7187425 100644
--- a/lib/hx509/data/proxy10-test.crt
+++ b/lib/hx509/data/proxy10-test.crt
@@ -1,30 +1,30 @@
-----BEGIN CERTIFICATE-----
-MIIFNzCCAx+gAwIBAgIJAKQmPUkmhyKpMA0GCSqGSIb3DQEBCwUAMCExCzAJBgNV
-BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQwHhcNMTkwNTIzMTUwNTI2WhcNMzgw
-MTE2MTUwNTI2WjAzMQswCQYDVQQGEwJTRTESMBAGA1UEAwwJVGVzdCBjZXJ0MRAw
-DgYDVQQDDAdwcm94eTEwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
-1RLpk560fH8JMomm7OaAxwXICdeuqhJZHlu/RegfDIsqo/qGyrEJczQVFGKnISoZ
-rDthg+005e7VtTvVC6caKRhewogFBOiLwk7SmoyzXFHcpAdLGJgUL9UCUnxL42UR
-djmY7jEtgAIcCwtvCwJb7TXZSaOaYtov5iUTeKmjP6Ixu37CjEUL0CSh2f4/5auC
-cRXDfiHmYoUK/9q0BxUaGgDOyCuyrtI25jaMtZMNtCGTGJCWeZJDk+7+/tyNGuQt
-NGNKRmJyENvgx6HXQiytXnxYbDABpLNQ8fw31gQVvSiuSHvE6zZa4VNPPjMFIXXU
-jk4LwFsuw47OZYiHrMJpuSXLY/v62uID0+88NM+naD4R+DYtxkL1RATSwbhHg5zL
-np9i3D1BL9WrPnzlKHEpW4orjeEUljJqu2IVW1OFojAMHC9cqwU2LGIhRqcf2osr
-zltVS0f+ssXPhMu/G0Ib31ow24EYZFR2C3uT5oVgDfZ59mArknUHooWjhb9WqO0q
-LoyI+5YxKDroNm8QnEhZAzye85JRuXmGt/G0xg99kq0WAlFjb2Y88oimgdpVFrDd
-BTzNEjDcG2z2L3IJyekElWeTF/qlweQfExpg+WnseCNUrTWjCVDv94vGKUXvA+Va
-xpnQWNdGnX+741vHbg3CkQhDFiQoAu9pjI3W18YUWKkCAwEAAaNgMF4wCQYDVR0T
-BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0OBBYEFHQh/SEjpZ7xoyS/k1Dzsq4CqoyF
-MCUGCCsGAQUFBwEOAQH/BBYwFAIBCjAPBggrBgEFBQcVAAQDZm9vMA0GCSqGSIb3
-DQEBCwUAA4ICAQCTubaEkl971rzVIKGtzpV6Pa2uYTijFOsCUYUPOPjgtPQ+h45A
-rfgdVYKd9sbujQf9buZb8Tut7Dt3XJvpig4xopzQezkNdLCwLfYOfDEfWWAY4gJE
-ZZ6wrVeB2jgwS+xGGYSjXWWM75wgvpeptQSJ57jvVzX6wCWrPjw9RpemkoGJyqex
-4iMILSQRFCjYYulbK2B8kWfUUxqz38l6mwbB9nk4FR8OQ9b6AhwFaVYNqbTMP7kw
-SDx4s4h54lkWJ3Z4ktxs3DpOmIyIE9yl7rq+T6RZvkgZX9+9Ftm5XfmEmxyzjSyN
-FEjrBAk4v/ryKS3JUDHKjR2MiJmNn171lfxc16MgpRL6assUSJInZ3cEEaUQoK/I
-zKFpwa2vepGkQhZ7E1cO/ynotiRsJY7K1i3H3Ai3fQid+2N+KODPV3mpXPOOWYAg
-oJXsQMUG0EaBVogtDgTsRpnv08OO/OKeXvrTTi9wDrnaedMhdSA2XpHBditBbADX
-31lISHXD/c7Va+ispKnEG1LqR+yo4XhV4qH0v6SX/493/UKZDAUEGQIA2nJ+NvPA
-INiEa2aGsdLmbu66R1OVF8cKpn03a4Dul2XbwfL3zjhHICw6hMACvxrArcN/JLku
-bZWhpWleT0Im/HqqlwS9Qp2CTneyTsvDfnyDzPA57lmUJtpVy8mFq+MHYQ==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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/proxy10-test.key b/lib/hx509/data/proxy10-test.key
index 624e90cbaeb1..733c2ffb23b2 100644
--- a/lib/hx509/data/proxy10-test.key
+++ b/lib/hx509/data/proxy10-test.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDVEumTnrR8fwky
-iabs5oDHBcgJ166qElkeW79F6B8Miyqj+obKsQlzNBUUYqchKhmsO2GD7TTl7tW1
-O9ULpxopGF7CiAUE6IvCTtKajLNcUdykB0sYmBQv1QJSfEvjZRF2OZjuMS2AAhwL
-C28LAlvtNdlJo5pi2i/mJRN4qaM/ojG7fsKMRQvQJKHZ/j/lq4JxFcN+IeZihQr/
-2rQHFRoaAM7IK7Ku0jbmNoy1kw20IZMYkJZ5kkOT7v7+3I0a5C00Y0pGYnIQ2+DH
-oddCLK1efFhsMAGks1Dx/DfWBBW9KK5Ie8TrNlrhU08+MwUhddSOTgvAWy7Djs5l
-iIeswmm5Jctj+/ra4gPT7zw0z6doPhH4Ni3GQvVEBNLBuEeDnMuen2LcPUEv1as+
-fOUocSlbiiuN4RSWMmq7YhVbU4WiMAwcL1yrBTYsYiFGpx/aiyvOW1VLR/6yxc+E
-y78bQhvfWjDbgRhkVHYLe5PmhWAN9nn2YCuSdQeihaOFv1ao7SoujIj7ljEoOug2
-bxCcSFkDPJ7zklG5eYa38bTGD32SrRYCUWNvZjzyiKaB2lUWsN0FPM0SMNwbbPYv
-cgnJ6QSVZ5MX+qXB5B8TGmD5aex4I1StNaMJUO/3i8YpRe8D5VrGmdBY10adf7vj
-W8duDcKRCEMWJCgC72mMjdbXxhRYqQIDAQABAoICAQCuw9ZlyFSNkL0AgLszsFSL
-6YgL2qZexLHoHqSiOCPPbA5LdV89vTvdDCkGEWy33Qo1pHb1eIhc2CrdfffemO7y
-KhT/RgWn4v1PIMvJDALJhDOPLpQ/1e0o1nQTJ/QuzWUnLVLse9WwGwrZXEV2KDcy
-N2rD5bbpwcBr6pkv7SQDO4vDF9OGrdNko8dFQC80uBpDmvA/8po+0JUXClGDRaGl
-FmiE8qKalb2F0dRT0gv5ZVh7W4ywpnFbUzo/3LK4DdOuFoqDdJfOkCqsU2h11KNW
-znLQOgf/CT0pXhCGL8+M2WMp/Kqlqm2cR3LFt59LtJPlLMqiuad/qxBLY1K1Nrjz
-LYJcgyQ00EzKuoY0c5f2b1p7JG4jrsocerUYCmMFMaQc9qDOicUyagjcXnUfggf6
-TyHAPFY0nYRqzGbVHOF4HPx28CJ3aE3egvlgC7G5XrHI7CIHrelazEC0iIkfutbj
-SE6MEKde8XBiXB6R/pXFlJJGUHum8VLtHjHJR8qMlI7LOmasmIsSs9py1j1V8gKr
-lPKLpGHN180RVPoYvULlJiJejmw/ODPWEaOXQQItemTSuYnD118Cb3y/nVev0wys
-yqWwVmqP1WgEixGKAg1msVrQB2iY55aNlT2auZAtc5v3OSSNX0tLNQtsvxZC6hjW
-YcSKPhFie1JxtETHxjgSCQKCAQEA+7c4SOF+V7Xme7FFOwvUb7+P+Lf68aFpKxeC
-tUS2dnL5qfLFNFjMP+qte1xFKy+zQKQbZg7vcJ1v2SLI2rmHFAFNxp+pd4q6C4oj
-eoWn5UgZutFfin6AZCIxO2i/4uVfOS8jEiIkw7eCflEvS6jB9EpieknnoFPjg42H
-Bs2kDCf/1dlUlgcADcun02ffve9WkKBCOU+FOXZFKk0LGN6KQCdrJrGutwToMefv
-ULzc7QVl1D2ARA7INjWB7PYqiWFYwRQXB4oEUVI4v2T0DPrCf+qpHvn+01fle+uN
-W7gE3POLWbS8vuTQ34tdmOzZJoJkJ9/x9tTIOD4aa06mKoo7twKCAQEA2LNSWpmd
-NjOf3W+Q9hyjpikiMJhvhaYO2jgfiNcCDDt8YRbMW2dpbWiGryzxwVMkVXkWMZLc
-1MBjKYnlaAL+NXr7J3Upga5sjXkl801CqEZT8y/J3rzWmgwwvpd8mriqtX2jI78m
-GgA6p4NmChou797GJci3Ai8cNCTzmQmLwWEgnuJKlaPcHZ5eRotGceSQ/CCFtbeC
-TIcpNWaxhvtf5aSbhoAyS4RcpVEUanEE2gPGUNngYq/19ofC7mphChBV528075bi
-661wrmmUlywrbcgsGfjUT+8y0aafWQq9JAmlRql68w0Gi30t/xznQPAlIUG8z2vR
-6POpzeuV6zTOnwKCAQAUFmUJe+VHPp7sFBOASMtlN5ZXtObzzXvFEpU9vgQJo9dE
-trkCGmwCVcoOZCio75+Qcwg0ttBo3keEvn/k5JVhBVGdnjQ58/ow3Y9DQdNKOtzC
-yd6kAMBiPVBMe2mEw+U7fQWBdvQUIlrplbT+hrMjuaPuOmOfqdIoN20lH9gNmEuU
-V0mmx1w7vZrhBhMW5zizRfbC+BObqFKQs6FFFM1XnU2xwtA8jsmw4d95Q/kleR7N
-NzM7OyrDGLYLoQF4ASrCDcZgtaTukG8y5u2K85/98U4ZyL2LRCJuJzgar67DqzPd
-rsy5Ny1sCYUopQ4XQqSXggmfNw/bXSlikt4z2uA1AoIBAFn1/99a3FgvEFP2SADU
-HOATPX1dGxcpvAq9t+GwGMqJO3Z253mesbbY6Oj6SJbQdEoDjcIgzQqJn+ETvSfz
-7iK3nmJgEk4i4i/NNoMN9Pk00Q8pLK4KSTEElIvbCcCVn1DfCoYBicjLhY4bT5Ys
-DoZIPoxbChafBh9jo7lJrDoon0k2em4q62tkXpD8qs8Ha2Uv/zJUL4Sjq+jebB60
-ZrhIIMSyna6aEXgT89zIdJIpdQAFo1B06jBhZfxiL0zlQTRmB1zbj/L1Os09SZGE
-pbbanexeT42rqLY+bPKjMagvVOzD2SXjp27rFdhN4Hcl+tQWnVKi2S7TURAKmF9f
-udMCggEBAJxkdEJ7RDZej/Fw9xbqfslU449Tp3U9B8P+SkJEfGfCLX+3SwbyB5Xz
-J0p8fMvc0iWhJ15bx+JIy6Qmi8/EPxZibZDDhPSpBgok1RrzRMh61cO/Gz8aB9xl
-jciQPCsMaWqt0rFSE2L/xZvX0DUlvPOzBYIVOeWN+5JoeEHbHLxRtDMnTXaky/Vf
-PTBLv6jSvdd4cWPOhoIRovvEBFvE8GqOusHJ5bNjRpY71F2PSJ7sYMP7RfTFfvkO
-moF8U+ZpMIIFR8H5DJSAeocbVXXNLI6iRMbXqCecc4oTYU58kC0Xm7H/3/2Gqzl/
-XnrAAFMk+GLkZE8dvbKiMb+/IIDXWsg=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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/revoke.crt b/lib/hx509/data/revoke.crt
index 07a419938218..ded23252b8c0 100644
--- a/lib/hx509/data/revoke.crt
+++ b/lib/hx509/data/revoke.crt
@@ -5,48 +5,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:12 2019 GMT
- Not After : Jan 16 15:05:12 2038 GMT
+ Not Before: Mar 22 22:25:03 2019 GMT
+ Not After : Nov 21 22:25:03 2518 GMT
Subject: C=SE, CN=Revoke cert
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:bf:d0:af:36:d0:76:65:eb:21:0c:44:48:66:6e:
- 43:c8:d4:07:73:4f:2f:36:b7:1b:ec:6a:aa:7b:60:
- f2:87:9a:94:bc:ba:91:f8:1c:c8:1a:01:e4:fb:d1:
- ac:3f:a6:07:26:2a:b7:8f:79:f8:31:ea:4f:e3:9d:
- 2d:84:43:0f:ee:d4:1d:5d:e3:f6:16:31:5c:bf:f9:
- ce:3e:b8:4a:e3:77:2b:bc:41:ee:84:52:2a:c0:7a:
- aa:86:a5:21:9c:c5:a0:2a:e6:d8:46:33:c5:87:14:
- 76:a5:71:2d:ae:7a:e6:60:0c:3c:35:cb:af:80:6c:
- bf:cf:eb:25:f3:0f:be:5b:53:59:cb:b2:9b:c9:17:
- 86:2d:08:a7:60:1e:42:d5:80:ea:74:b3:d0:7c:3c:
- 42:33:58:c2:bf:35:5b:e6:7a:8a:9c:fc:7f:fc:c9:
- cc:3f:7e:52:d6:8c:33:1a:2b:03:de:a4:fb:04:86:
- 13:a9:b6:0f:d2:a4:12:1d:88:a6:4d:aa:85:c2:ff:
- 19:11:bf:04:e0:57:1c:2e:03:97:b8:83:9b:0d:75:
- 95:d7:15:f4:31:5c:2e:76:39:25:f3:fa:b1:9a:ca:
- de:c8:39:cf:03:72:d8:23:0a:00:3a:e9:66:ef:8a:
- f2:b0:fc:56:04:3d:b8:e6:dc:f4:a0:ae:73:1b:ae:
- e4:03:42:79:f0:ee:14:51:18:8f:bb:d5:7f:cb:5a:
- 21:6d:b9:9d:b9:3c:9e:15:24:23:2d:bf:c5:a3:66:
- 45:f6:33:dc:06:7b:e1:68:f7:75:2d:58:9d:e1:73:
- 06:79:a0:de:68:e2:70:5f:5a:fc:05:a7:26:d6:76:
- 57:f8:12:7b:48:07:93:65:a8:d1:04:94:a0:42:9e:
- a8:8e:ff:3a:c7:aa:54:6d:c1:99:2d:2a:c2:33:65:
- 49:82:e7:df:bd:18:10:e3:69:df:d6:d7:16:4b:72:
- b3:3c:fb:81:72:97:cd:28:35:13:b9:2e:09:55:4d:
- 40:eb:e0:2e:24:f5:f2:0c:04:e4:38:90:db:1f:7e:
- 79:42:97:9d:74:7a:87:c3:18:da:ec:9e:8c:00:25:
- 36:87:88:05:49:77:c2:76:fc:68:76:59:b0:1f:d7:
- d5:81:d9:47:f9:e9:62:c6:f5:08:06:d0:21:50:eb:
- c7:b6:d4:9e:dc:94:68:d0:0f:df:74:f1:43:2e:38:
- 3c:76:ed:b1:b8:4d:88:8e:ae:e5:52:a9:9e:29:fa:
- da:a6:aa:28:e2:0e:cf:c9:c7:4d:fd:cb:14:a3:aa:
- d2:87:bf:e2:9f:09:86:e6:0e:77:14:c8:d8:96:b2:
- 51:65:d6:bf:23:9b:da:ed:70:47:c5:7a:3e:1e:be:
- 75:8b:8d
+ 00:ce:ac:a3:c6:69:47:c4:dd:f4:d9:0e:ac:42:90:
+ ae:57:f2:68:c4:77:89:9a:65:cd:8f:97:fc:68:6b:
+ 6b:65:0f:52:2d:d1:db:83:2c:1e:39:35:dd:fb:f6:
+ e8:c1:40:e9:ab:a6:48:23:e9:f0:e1:8f:72:27:6c:
+ e2:8d:04:e9:ca:e3:fe:ac:d9:28:16:be:db:19:fc:
+ 9a:20:d6:93:1f:15:b8:b6:97:cf:07:5a:da:ab:aa:
+ 97:c0:e9:39:7d:f9:df:96:c9:99:8f:6f:51:3f:64:
+ 13:0e:ad:0e:4e:2e:66:6f:72:6f:63:a6:a5:fd:85:
+ 0f:ac:ea:03:4d:81:14:bc:f3:5b:e5:fc:f6:6a:f7:
+ 57:b3:c3:b0:ed:4b:43:b1:cf:e2:1f:f6:44:07:83:
+ 27:b8:ef:19:9f:35:2b:95:59:b9:e1:69:c5:19:07:
+ 06:d7:17:da:35:4b:ba:74:68:c3:d3:28:ab:1e:b4:
+ 8a:ba:2b:f3:5e:06:75:0c:c8:a2:a9:ea:ec:29:1a:
+ 98:fb:b6:00:e0:98:78:cf:ea:36:2c:e1:51:8e:15:
+ 74:ba:4e:2d:8c:df:9b:72:72:52:b7:c7:82:45:35:
+ ba:c3:62:bf:29:d0:c0:17:6b:be:3b:e4:87:6a:26:
+ 34:4f:84:b5:ad:34:72:5f:4c:96:d8:d4:cd:5d:6f:
+ a3:ac:b1:55:a8:c8:c6:5d:99:0b:f0:bd:5e:f2:85:
+ 3e:74:05:d7:0f:9f:95:5a:14:1f:19:31:af:55:75:
+ 2a:80:22:7b:f7:ff:89:4b:70:5a:74:52:77:7a:ac:
+ 6b:86:2d:cc:5e:ca:57:3d:a1:20:d0:95:80:0b:48:
+ 26:52:69:9d:19:7f:0e:a9:63:97:70:b6:25:64:79:
+ ae:19:45:f8:7f:fd:23:75:9b:0f:d5:57:ae:56:50:
+ 9a:0c:fd:eb:f2:1b:a9:0a:3d:a2:1d:f3:07:cd:b9:
+ 63:5b:3d:95:21:9a:f6:27:2e:46:6a:3f:8f:48:b9:
+ e5:d7:ef:27:08:fc:45:37:70:23:88:a2:89:50:7e:
+ a3:ba:06:b3:b9:50:60:7d:aa:d6:eb:1c:b9:79:1c:
+ 16:06:d2:07:d3:c6:09:73:2a:8a:92:10:93:cc:52:
+ b4:bf:4b:09:d6:71:c1:60:57:3e:2f:12:13:90:18:
+ 06:44:cf:79:6f:50:78:11:8c:e9:ab:2b:97:19:5f:
+ b2:67:a9:fa:9b:b0:99:44:35:0e:00:18:6f:9a:00:
+ 39:e2:ac:e2:79:25:e1:46:d2:18:e4:80:d5:ca:ed:
+ 15:dc:7f:a7:90:7f:26:71:26:38:6b:ef:be:92:0c:
+ 07:64:24:64:a7:85:9d:2b:d9:14:bc:64:40:46:eb:
+ 78:b9:dd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
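Review bot: The regenerated revoke.crt still carries `Signature Algorithm: sha1WithRSAEncryption` (an unchanged context line at the top of this hunk, repeated before the signature block in the following hunk), whereas the regenerated proxy certificates earlier in this commit appear, from their DER, to be signed with sha256WithRSAEncryption. Since the import is motivated by OpenSSL 3.0 support, and 3.0 treats SHA-1 signatures as below its default security level in at least its TLS checks, it is worth confirming that the revocation tests that load this fixture still pass on a 3.0 build. If the fixture's role does not depend on a SHA-1 signature, regenerating it with SHA-256 would keep the test data consistent with the other certificates. The rest of this certificate dump continues in the next hunk, past this view.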
@@ -54,63 +54,63 @@ Certificate:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
- C0:C4:1E:26:C8:53:2E:80:A5:50:44:F1:79:38:05:B4:12:CA:AA:7F
+ 3B:AC:F2:D9:72:19:FF:77:61:0C:6B:2C:C0:69:D0:28:46:8A:C1:D7
Signature Algorithm: sha1WithRSAEncryption
- b1:f4:93:82:51:8f:d2:a0:c0:a7:9a:da:d3:f6:fc:01:aa:ae:
- e9:a1:05:32:62:9b:63:a2:a3:05:ea:9e:f8:b3:af:d2:50:42:
- 70:6f:35:88:86:f2:f5:bb:6f:44:a7:9b:51:14:c8:e1:9e:13:
- c4:e6:ab:5a:bb:40:50:c2:ae:d5:b5:64:48:ab:29:30:d6:90:
- f6:6f:24:b2:e9:aa:8d:12:54:68:5f:70:bc:99:5c:cf:c5:7d:
- ae:e7:d2:7c:50:c0:7f:a6:a8:ae:0f:3b:9d:1a:e4:18:b3:f8:
- 90:2c:a4:cf:83:41:c8:54:82:20:df:bc:4e:6a:6e:e6:61:dd:
- d1:fa:95:2e:4b:22:28:84:db:d8:47:fb:a6:d7:65:07:41:64:
- 1f:16:db:39:ea:75:23:63:d5:59:df:03:cf:4f:28:2a:73:07:
- da:0c:f2:3f:3a:cb:40:3b:73:92:2e:93:79:90:a0:4c:ed:bc:
- aa:7a:c4:40:54:5f:39:cf:e2:81:59:98:73:ce:5e:71:2a:3a:
- 1f:60:94:fd:c3:c4:7f:24:05:31:66:d2:5f:ba:62:db:5c:ec:
- 40:38:79:ee:5a:6d:90:8d:f7:99:49:cc:e0:1e:8e:47:0e:50:
- c4:19:c2:43:bc:87:33:c0:fd:8a:cf:af:71:35:0b:fb:14:7a:
- c4:5b:01:09:86:5e:8a:ab:b9:8b:81:50:bc:a3:d9:59:53:30:
- 2c:97:32:97:da:16:3b:42:78:84:31:13:9a:ad:a9:a4:9d:5c:
- 5d:69:6a:eb:53:71:e8:95:11:04:d7:ef:50:c0:c2:32:55:75:
- a9:db:0d:4a:5c:b4:10:91:60:88:ec:25:8c:26:52:a9:be:5b:
- 71:5e:ba:e0:df:ad:ac:e0:cd:01:7b:8f:ff:c5:c6:f0:9e:e6:
- e2:f6:44:31:07:3c:99:d5:8f:43:1d:c4:5e:57:58:0e:72:4b:
- 76:5d:4e:14:f5:03:08:c4:d4:05:71:2b:da:71:8f:c8:ec:b2:
- 1f:cd:c3:52:6e:6d:53:db:9a:40:37:77:53:71:02:1f:a5:12:
- e6:32:1d:bc:0e:83:b5:03:e4:85:ba:54:b2:3c:2e:c0:70:77:
- a5:86:21:fc:6e:f7:46:24:84:75:9a:0f:f5:af:fa:12:26:b9:
- 65:e5:8c:89:7e:42:d3:5a:22:22:dc:96:ed:92:17:65:e4:12:
- 21:9c:ae:8d:03:c3:3b:d6:bf:68:b8:ba:08:51:44:8a:77:07:
- 9d:be:de:a1:0e:93:cf:17:29:e3:67:ff:9c:e5:ea:5a:0d:b0:
- bc:8d:5f:f3:44:d1:f8:12:b3:53:82:09:30:13:e4:12:99:3c:
- d0:73:09:85:64:95:9e:bb
+ 23:5d:75:da:82:54:6a:eb:29:cf:e0:55:da:4e:69:c3:d1:7b:
+ 27:20:37:ca:3e:ac:ba:55:30:0d:a6:57:44:de:1b:71:aa:57:
+ 80:8d:55:e1:48:fb:43:dc:23:d3:fd:85:ab:36:35:11:1d:41:
+ 30:59:ff:e4:61:e1:4d:14:8b:64:9e:cc:a0:71:19:a3:a9:10:
+ 84:47:72:dd:2b:56:5e:78:a9:ed:f1:32:8b:b4:5b:87:aa:bd:
+ 74:4f:ee:50:ba:36:d5:70:56:40:7d:64:d6:04:42:ae:50:2b:
+ 95:48:f5:74:8b:a6:b5:5c:49:9d:9c:f1:0c:0f:0a:f1:53:43:
+ ec:1f:59:6f:1e:54:ca:9d:b2:39:73:58:28:b7:0b:74:e3:ed:
+ d4:36:ef:7d:1d:c6:1f:2c:ff:a7:df:a2:a7:9e:94:b9:3f:3d:
+ 18:fa:07:d6:e9:03:f6:3a:d1:79:55:df:af:12:13:ef:45:af:
+ 63:57:fc:ef:db:5c:bd:e7:93:b5:81:35:e9:a9:e4:39:99:b9:
+ 32:7b:6f:1a:14:41:3a:fa:68:3c:0a:ae:9e:95:51:72:32:dc:
+ d6:e9:98:7d:65:db:ce:57:1f:1a:e5:2a:5a:c0:07:26:64:f0:
+ 49:ff:af:97:74:fe:98:20:94:7f:f7:3c:a7:46:ed:ad:e5:1b:
+ 7a:08:c4:d4:ce:3f:8a:ef:07:79:ec:d5:f1:1b:2b:f6:e0:95:
+ 31:ef:8e:bd:b8:ec:a7:84:f8:ff:c6:39:7a:15:8d:4b:4e:05:
+ c8:e6:2e:bb:bb:74:5a:51:92:f7:b1:04:55:2b:dc:42:18:d5:
+ 83:95:c4:d0:73:10:62:d5:55:8d:ea:a0:fd:ff:ef:10:9b:8f:
+ b3:ba:8a:91:75:5e:b9:9d:36:7d:53:5d:8d:1b:0d:c5:bb:1c:
+ 23:fc:08:5b:1f:3a:d5:1c:35:61:48:58:8e:c0:42:7c:3c:c8:
+ a0:17:8a:04:13:a6:03:49:cf:86:18:39:32:e4:fe:32:38:bd:
+ 53:bd:49:fa:65:63:3d:41:6a:c7:65:f5:df:7d:7b:8d:d0:74:
+ b2:c3:8b:bd:1e:4f:96:15:a0:7b:23:fe:81:e0:de:7f:06:b3:
+ f8:a2:52:cf:43:91:49:6f:ae:d8:6f:4f:51:85:7b:c2:f7:f8:
+ c8:4d:e0:a8:48:9a:5b:05:e2:60:fd:b7:bb:b7:7a:2b:35:e6:
+ 15:f3:e8:5f:b6:cb:d5:b0:7b:45:70:db:fe:82:97:c5:6b:be:
+ a9:60:21:87:19:b6:91:32:2f:01:b3:04:84:a3:1d:8b:06:00:
+ 3e:37:f4:c3:ff:b4:55:cb:cc:d1:d1:96:9b:d8:1a:0b:9f:47:
+ 66:b7:90:9c:d1:09:c2:aa
-----BEGIN CERTIFICATE-----
-MIIFATCCAumgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxMloXDTM4
-MDExNjE1MDUxMlowIzELMAkGA1UEBhMCU0UxFDASBgNVBAMMC1Jldm9rZSBjZXJ0
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv9CvNtB2ZeshDERIZm5D
-yNQHc08vNrcb7Gqqe2Dyh5qUvLqR+BzIGgHk+9GsP6YHJiq3j3n4MepP450thEMP
-7tQdXeP2FjFcv/nOPrhK43crvEHuhFIqwHqqhqUhnMWgKubYRjPFhxR2pXEtrnrm
-YAw8NcuvgGy/z+sl8w++W1NZy7KbyReGLQinYB5C1YDqdLPQfDxCM1jCvzVb5nqK
-nPx//MnMP35S1owzGisD3qT7BIYTqbYP0qQSHYimTaqFwv8ZEb8E4FccLgOXuIOb
-DXWV1xX0MVwudjkl8/qxmsreyDnPA3LYIwoAOulm74rysPxWBD245tz0oK5zG67k
-A0J58O4UURiPu9V/y1ohbbmduTyeFSQjLb/Fo2ZF9jPcBnvhaPd1LVid4XMGeaDe
-aOJwX1r8Bacm1nZX+BJ7SAeTZajRBJSgQp6ojv86x6pUbcGZLSrCM2VJguffvRgQ
-42nf1tcWS3KzPPuBcpfNKDUTuS4JVU1A6+AuJPXyDATkOJDbH355QpeddHqHwxja
-7J6MACU2h4gFSXfCdvxodlmwH9fVgdlH+elixvUIBtAhUOvHttSe3JRo0A/fdPFD
-Ljg8du2xuE2Ijq7lUqmeKfrapqoo4g7PycdN/csUo6rSh7/inwmG5g53FMjYlrJR
-Zda/I5va7XBHxXo+Hr51i40CAwEAAaM5MDcwCQYDVR0TBAIwADALBgNVHQ8EBAMC
-BeAwHQYDVR0OBBYEFMDEHibIUy6ApVBE8Xk4BbQSyqp/MA0GCSqGSIb3DQEBBQUA
-A4ICAQCx9JOCUY/SoMCnmtrT9vwBqq7poQUyYptjoqMF6p74s6/SUEJwbzWIhvL1
-u29Ep5tRFMjhnhPE5qtau0BQwq7VtWRIqykw1pD2bySy6aqNElRoX3C8mVzPxX2u
-59J8UMB/pqiuDzudGuQYs/iQLKTPg0HIVIIg37xOam7mYd3R+pUuSyIohNvYR/um
-12UHQWQfFts56nUjY9VZ3wPPTygqcwfaDPI/OstAO3OSLpN5kKBM7byqesRAVF85
-z+KBWZhzzl5xKjofYJT9w8R/JAUxZtJfumLbXOxAOHnuWm2QjfeZSczgHo5HDlDE
-GcJDvIczwP2Kz69xNQv7FHrEWwEJhl6Kq7mLgVC8o9lZUzAslzKX2hY7QniEMROa
-ramknVxdaWrrU3HolREE1+9QwMIyVXWp2w1KXLQQkWCI7CWMJlKpvltxXrrg362s
-4M0Be4//xcbwnubi9kQxBzyZ1Y9DHcReV1gOckt2XU4U9QMIxNQFcSvacY/I7LIf
-zcNSbm1T25pAN3dTcQIfpRLmMh28DoO1A+SFulSyPC7AcHelhiH8bvdGJIR1mg/1
-r/oSJrll5YyJfkLTWiIi3Jbtkhdl5BIhnK6NA8M71r9ouLoIUUSKdwedvt6hDpPP
-FynjZ/+c5epaDbC8jV/zRNH4ErNTggkwE+QSmTzQcwmFZJWeuw==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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/revoke.key b/lib/hx509/data/revoke.key
index 374bed15b7b2..d70b74f08cc7 100644
--- a/lib/hx509/data/revoke.key
+++ b/lib/hx509/data/revoke.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC/0K820HZl6yEM
-REhmbkPI1AdzTy82txvsaqp7YPKHmpS8upH4HMgaAeT70aw/pgcmKrePefgx6k/j
-nS2EQw/u1B1d4/YWMVy/+c4+uErjdyu8Qe6EUirAeqqGpSGcxaAq5thGM8WHFHal
-cS2ueuZgDDw1y6+AbL/P6yXzD75bU1nLspvJF4YtCKdgHkLVgOp0s9B8PEIzWMK/
-NVvmeoqc/H/8ycw/flLWjDMaKwPepPsEhhOptg/SpBIdiKZNqoXC/xkRvwTgVxwu
-A5e4g5sNdZXXFfQxXC52OSXz+rGayt7IOc8DctgjCgA66WbvivKw/FYEPbjm3PSg
-rnMbruQDQnnw7hRRGI+71X/LWiFtuZ25PJ4VJCMtv8WjZkX2M9wGe+Fo93UtWJ3h
-cwZ5oN5o4nBfWvwFpybWdlf4EntIB5NlqNEElKBCnqiO/zrHqlRtwZktKsIzZUmC
-59+9GBDjad/W1xZLcrM8+4Fyl80oNRO5LglVTUDr4C4k9fIMBOQ4kNsffnlCl510
-eofDGNrsnowAJTaHiAVJd8J2/Gh2WbAf19WB2Uf56WLG9QgG0CFQ68e21J7clGjQ
-D9908UMuODx27bG4TYiOruVSqZ4p+tqmqijiDs/Jx039yxSjqtKHv+KfCYbmDncU
-yNiWslFl1r8jm9rtcEfFej4evnWLjQIDAQABAoICACTzfZ1woS5XEmG7kbrxyOsa
-NWk4Ot8ufRmZHshvz6jh1X9Z7Z6/ZKjl7oe4R5dnU389wWjJVU/AVK2DbO5KwPoA
-MLwSmyiBT93HsLySYhLZtTop9VnWPlggCVOw4f3CcG1zVPyJIqc4APc0C1nOYSzl
-jn/Kgj+aM4VJRmFBiikrsGO2P56IgpeQUDYK/lME56Wdsi8MqLAdjD6rd825k5RU
-bA91jHw6yJh+H6YN3Uv5ukWP0p/h68BnTPoVhfv2Ophq7hhmFPlmro4KsSKhb7Az
-E6+Aki8kE+tAbRhIFgi8xhgKUt/WMt7lIVA4AFVrDf+cTLG6djE7JYECujf+A/xq
-jC+BOn2BFzo5CNuc1+B0xZ6wLrQoKYSyAp2N7EbhNEb3xthxE940+PDAB0nfmDDl
-B6LPkjsBFVe7Cd63F85uVHTMclbLC/yfiKaAolNb3pNh4UMWLhHYouLRNiVM+NLY
-u06FTJPFsgUGmBPATFuV6IaHii6sMqMdArN+dU/NqMT1KTBGyZ79g6XwVSWVU2+S
-oDZYRNERihwtr8vImQky17TY2rAbZKk9OK/Re67UOwnxkVSihv1Rt4CDwKkIWrh9
-+BPiC8nd/al/XjV4hN3hQeU2CVcHt23uobtPUvaL9Scf+1+e8WToLSSPeGwfD6EM
-jpNBeI/V1IdiNUJnr8e9AoIBAQD/B5AThJW+avTqa2EfqhnB5KsVEKy8LWfUbH5I
-PcUtiStlb+RatZb4yQXVQ1TpSSAFEXL6TZR4uHQsw1wXhRyi8CGWKxSxrxhxkw2V
-RpAcuU2u9sHtmSzJHOn+sRnJPgJOijZ/EAHqc/Hi7VNdaSz6tFfFeYLYmVpeS0EU
-CY/0JqHAQ5IrzGjrl2doG7myFhLA1oAYWElhtVMcE+mowgDxE4a1UOQQyrKA2p7T
-9LuguPhOgvjB4t6uJ35HO2w3hvwAdsnsOb8g0qBdYlUpcATyb1Nl0252+ZWwA3gT
-tVZ8iQ+bibMopyns60GbVnArfVkFn7a3hS/0ZW5Zy8aKI+G3AoIBAQDAi4qTbdVv
-6BS3ePoUwsYDkC/17RGkfoFfH/jXWVhP7UNu5X/UFCM+VJwrYK3f6cpKMBtBIRPw
-uHXeFCh2Mi3x/hrz3VRfY0qrgckByxhNTuXokQBec8mU4TzpPmc5XjADtVmaxnP8
-uU6cny+0s1lJ5xZM3nPvkZ9DMV+CbTbMiWIODJ+3Ak2S6FDB+wNemMpp3ppMrWNZ
-5N0d+o/VSUTEGr/FmNAw0gZhsy8pdcDqoULDceqA40rL8F46kzAk58E4Gvb+rVMR
-bVQcBrwSVOgY6MAtY5qLZcDLHcq9JU+tMB8AJHO1io2k4Xsz5WVBLlzTudHpgmJp
-M5ELOUBwyCzbAoIBAQDrf6pVu6sjiVTcW4f2W3cpiuVIsHsx0aP9jqoWP6Qi5nXC
-V87AzMq6tbbDNkfknHgK9g/8f0NJLttosoYJ2guVkrURHHshkRS7XBXA8MYHID5S
-AN8XbsjidebGH/g10yMCL7MfJkL+o06MRKckrQiyAXLDke934DSIumk//YyG4l2f
-U0ZZV4rTcp40jtWtU6DBndHvqScqKOy0EtdD1NJVy7grGqVftC2du0PLakUQp33z
-0hGvyLXkj+eWE5NcuzNdolPX5YNO5fDcCv+lIiIPVSnn75QkHVlSjgGGAX/5w/87
-m65rLeITOzL8JJe0MS3ReaiaU0zzG+8I0Jln2raFAoIBAAGoMcUbCN8xrBv4Go7b
-LkERmJgRNjmoLQzYhZe02SG29QGbUAJPOg5rQ/zLlDN9G5SP3WwuELHdpIYIvmBm
-Bicy/KBkozk+7YGUWFp/mPHxX+EkflBRxsZVOeT3+INx4A/oG6FNW+os3hRS+mIf
-uQD90B9ROsYxBqHZZu0Ea5hPBl0Als9IYcqF3UwOEPVbc0J9++31AAniAlUjtuEr
-BEB7ynK04fXJmOx2Uk2VCdf7E0wDSvVY/2fJ5cWzRpLKu8rz0HRYoYJg4nxrQmsV
-9/le52h8lvPkKEiXNQtzqr/eziV+KtDBJH7qwdisfLaW442e58OOr7IgE3t5Pqi5
-0EkCggEBAP3J+c6s88lfGnU35CzFK93IkumaYtHlrNj/87EBPMjpL38ykFCkeXXq
-wtKAWI+i9Y7Y38xYvkWwNj8m44hCES7z8yc+blxlyg4UBTg6ms6/AMCF1OkkdAsl
-xyacDGAm7JIj1w/B7qxWOkZOI25c0YY74kq4nBIP8lklHr0iykqc8BhwlYofEh/U
-TMXAg0z+luS9Uiq4SayBeUcEkNguJu5syLtOvy+vR04fyOzHF9YFXqaRbJoCPnZg
-RRx6Jo2dRdiy9yhOHzZRykuAH92M4jACE3V3wJMjlJea+YmZgaDwv5a5xT8dUw2W
-waMpuNHGyfEypx5NFeO8UU95fKkcTWM=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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/sub-ca.crt b/lib/hx509/data/sub-ca.crt
index befbd28d8d65..25f3ae8e62b7 100644
--- a/lib/hx509/data/sub-ca.crt
+++ b/lib/hx509/data/sub-ca.crt
@@ -5,119 +5,119 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:18 2019 GMT
- Not After : Jan 16 15:05:18 2038 GMT
+ Not Before: Mar 22 22:25:10 2019 GMT
+ Not After : Nov 21 22:25:10 2518 GMT
Subject: C=SE, CN=Sub CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:ea:9c:d3:ba:0e:de:f9:c6:3c:2e:ef:7e:91:40:
- 8e:58:04:16:4f:ff:81:61:0c:fd:b4:d2:86:3c:8a:
- 6a:f9:33:63:0b:8e:2b:ac:9c:5c:00:28:16:fe:32:
- bc:75:55:00:d2:91:0c:92:c9:0a:2d:c7:e2:f4:dd:
- 14:fe:20:d8:45:79:d1:a0:1e:5d:91:a5:d2:00:17:
- a4:bd:44:35:9c:f4:5f:63:dc:b9:19:a5:66:73:b1:
- 16:ae:e7:d5:59:bd:d3:85:b1:b7:ae:3e:a8:a8:9e:
- 0d:d9:cd:f5:38:30:d3:56:d9:44:08:11:23:ca:bb:
- 5e:96:fd:8d:e8:77:7e:c4:8e:58:a8:02:6d:20:77:
- 9a:9d:4b:bd:6a:6e:c0:a4:77:d2:37:cb:b5:c4:4a:
- 87:03:a9:aa:a8:22:4b:e9:13:f2:22:64:44:0c:b4:
- 2b:60:56:9b:c7:76:1e:7d:ba:06:15:9a:ad:ae:36:
- 9a:9d:f0:df:83:e5:64:4b:18:53:b1:1d:ed:bc:70:
- 08:48:45:7e:c6:ab:ad:d9:bc:79:03:3d:af:e8:f6:
- cd:4e:04:27:ce:8c:d7:09:d9:50:87:f7:76:37:eb:
- a3:3b:96:46:b6:05:85:3c:f2:0a:23:3c:d2:8e:0e:
- 86:08:19:6f:8f:56:2f:bd:90:80:98:a9:8a:c4:9a:
- 71:9d:25:08:9b:d0:14:23:d4:99:ac:f9:68:44:fd:
- 01:bd:e4:b0:1f:87:f2:0c:16:88:31:01:5e:af:df:
- 81:c0:29:d1:05:c8:37:6f:4c:b6:81:b3:d0:f1:f5:
- d9:1c:cf:e6:95:40:41:ec:2f:b9:39:d2:1b:48:c9:
- 03:ca:0a:9f:4b:41:74:ff:31:bd:40:d5:46:cc:c9:
- 84:94:e9:aa:d3:ae:df:fc:07:0e:4b:6c:68:07:70:
- 92:aa:ff:9a:21:c0:67:aa:e8:72:7b:db:97:f4:d0:
- fb:e9:6d:4c:48:19:55:fb:c4:f3:fa:78:c6:94:2f:
- fd:88:b1:c7:58:fd:03:2a:28:51:5e:8e:2d:95:fa:
- 46:57:b9:6c:93:b5:8a:44:21:82:1d:d2:c7:0b:88:
- 24:2d:e0:45:0d:8f:3a:23:c4:1f:e2:2d:00:a4:71:
- a7:01:c7:17:b8:03:29:fc:2e:92:9b:dd:75:cc:1e:
- 0e:01:72:71:a7:80:9f:7b:e1:eb:35:42:1f:0c:1d:
- ae:69:2c:ee:70:65:19:4c:5b:d7:07:27:c8:2c:ce:
- cc:d1:67:39:de:88:0a:e1:21:c9:ad:50:f2:88:79:
- 15:6d:7a:46:23:4a:93:bd:72:b5:3c:a4:d2:91:27:
- ab:d2:f0:f7:5f:17:8c:7e:01:33:6e:2e:3e:8f:48:
- 18:06:ef
+ 00:c7:18:39:67:2a:c4:6b:c6:1a:64:23:bb:ba:4c:
+ 47:22:35:91:b7:c9:eb:57:b9:8b:8f:83:62:be:0a:
+ 56:49:cc:ed:de:7e:f9:44:db:8f:f9:f9:ec:db:a2:
+ 4a:d3:fa:b1:36:c0:93:e9:2b:d0:9a:64:65:43:52:
+ 64:0e:af:3c:0a:23:57:d9:66:44:0c:ef:a6:73:7e:
+ 4d:71:94:76:5d:d2:2e:9c:02:1e:44:4b:67:0d:61:
+ 05:ff:f1:cc:29:94:93:ab:f7:b6:d7:33:d0:9e:b4:
+ 02:1a:7b:03:bb:9c:52:00:21:43:97:ff:59:f3:b1:
+ eb:16:67:b1:5a:66:26:99:04:12:28:bb:68:97:38:
+ 66:cf:d3:cc:da:41:d8:4f:e2:f9:59:48:da:ca:55:
+ b9:2a:63:43:6b:0d:c5:58:75:8e:6e:55:d2:77:cd:
+ df:8a:14:82:a2:72:f3:e8:93:a1:e4:72:f3:c0:93:
+ b3:0b:72:98:ad:53:93:53:86:fc:b0:3b:77:1c:aa:
+ f5:64:77:ce:92:0c:07:82:60:39:e9:d6:bc:df:dc:
+ ad:f9:4f:42:d2:db:42:76:6e:0b:f5:fa:58:05:7f:
+ 3c:d9:cf:eb:d2:c0:9a:26:2c:e8:90:73:0a:3c:42:
+ e5:f9:0b:cd:53:2d:16:14:75:f8:47:2e:04:1a:47:
+ d8:a6:20:0f:ec:96:fe:14:30:87:30:84:04:74:42:
+ 45:b3:3b:c1:48:84:54:4e:69:9b:f5:cb:7a:da:75:
+ 1e:26:93:87:5e:a2:c6:8f:fd:0f:96:84:76:2d:18:
+ 86:f7:87:1e:95:47:10:45:b5:45:ea:38:b7:e0:22:
+ 28:c6:98:42:5f:ed:69:d6:73:a3:d4:72:de:74:f7:
+ 2a:d2:90:5d:66:86:a1:b5:a4:fb:c7:37:94:65:82:
+ 80:d7:88:84:be:d6:5f:fd:25:88:0b:ee:6b:bb:4b:
+ 94:c6:e1:39:95:74:93:44:44:8e:3f:7e:13:33:49:
+ 8e:e3:f4:a0:43:e7:2d:15:f7:02:e9:bf:a8:94:65:
+ 71:df:45:35:f7:cc:03:b6:e4:d6:32:d2:98:66:ba:
+ d6:da:76:35:e0:81:76:25:0a:94:3f:6c:a6:53:49:
+ 52:c5:38:44:4d:ea:b4:fd:50:ee:63:e1:1b:51:ef:
+ 62:64:0e:39:cb:10:73:9d:fd:b0:2e:15:5a:cb:90:
+ 1c:9f:e9:88:37:14:92:32:7b:7a:00:fd:35:b4:d3:
+ 8c:99:90:74:95:7d:bf:25:41:04:68:56:38:3e:f1:
+ f5:97:b5:f3:cc:b8:16:99:40:1f:9d:eb:51:88:46:
+ 2a:62:b9:a5:bd:ad:97:db:58:5a:d4:6c:ed:32:db:
+ b4:5a:f5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
- 4D:9F:B8:92:F4:98:3B:7E:1F:EA:AE:A3:3C:DF:CF:E7:56:4E:F6:25
+ 63:34:08:C8:42:04:47:74:99:65:DD:4F:EA:C5:0F:05:D9:F8:CE:47
X509v3 Authority Key Identifier:
- keyid:FD:C6:56:72:BC:EA:82:19:48:00:B0:A3:8B:F7:79:3F:F7:26:FC:23
+ keyid:53:B8:CC:09:C6:9F:42:EA:D5:E4:74:20:B4:65:ED:68:F8:9D:B5:05
DirName:/CN=hx509 Test Root CA/C=SE
- serial:99:65:F9:34:C3:90:C1:72
+ serial:8D:F8:0A:D8:C1:70:91:C4
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign, CRL Sign
Signature Algorithm: sha1WithRSAEncryption
- 8f:4e:97:f7:a7:87:17:27:af:2f:30:23:97:2e:09:35:03:01:
- 9c:13:38:12:85:49:10:ce:69:c4:74:69:67:6d:61:3a:bb:c5:
- 5a:e7:55:da:f0:a3:06:be:ff:55:eb:89:a2:65:2e:35:ca:24:
- 49:0a:fa:01:3a:c8:50:af:94:ee:cd:e9:67:2a:1b:1b:a3:40:
- 1e:e4:4a:7a:31:93:1c:e6:77:9e:a3:41:19:66:64:dd:f3:73:
- 34:d7:28:38:3f:f5:94:2d:58:3f:bd:24:cd:5b:ed:77:81:53:
- 31:45:67:e4:d7:85:ce:d2:10:f1:b7:0f:03:22:3c:c1:be:aa:
- 8a:d1:92:b6:03:e5:92:a3:4c:d3:76:ee:8a:83:01:c8:a0:0a:
- 53:3a:c6:a4:36:8d:51:35:a5:07:dc:8c:35:c9:03:fa:1d:ec:
- 49:05:f0:b0:0e:fe:24:f5:4e:db:be:f3:00:b0:35:57:d6:31:
- 02:c2:e1:6f:3a:2c:2c:42:f9:87:5b:c3:72:f7:46:6a:1f:0e:
- 16:50:ee:a6:00:42:30:ad:05:07:d4:8e:0a:0d:c6:23:b3:d7:
- 9b:01:57:12:7b:7d:1b:5d:60:b7:fe:78:4f:91:1b:76:df:a6:
- a7:f5:61:76:3b:1c:6f:7c:c7:57:7f:bf:c7:ac:23:c5:c5:cf:
- 6b:5e:83:1c:4c:7e:83:2d:f6:db:51:85:7c:d3:6b:dc:f6:f7:
- 53:1f:26:3a:8d:91:f1:6a:43:cb:57:1a:24:71:94:48:74:72:
- a1:58:ea:f8:0d:3e:71:5b:35:2f:30:b4:3a:2c:6e:b4:51:27:
- 7e:66:e5:f8:cc:2b:88:bc:98:cf:24:6b:5f:46:31:3e:ce:58:
- d4:26:01:87:c8:1b:d9:10:a1:76:3a:f1:8b:16:2f:3f:54:b0:
- 95:ff:c0:4f:3a:67:2d:28:6e:2c:fb:81:87:92:c8:8c:13:45:
- 3e:d0:ec:12:b8:52:0e:71:dc:dc:50:1f:57:44:1d:6f:80:bd:
- 50:db:26:3e:63:27:53:9f:99:46:39:04:2b:66:a7:f9:f3:f3:
- 99:c6:33:4a:44:0b:90:ea:5d:17:1c:41:1e:44:db:73:c5:68:
- d1:e4:04:01:99:49:59:23:0d:2b:06:5a:fc:db:56:90:67:6d:
- 28:b8:66:6c:56:70:12:ae:36:dd:f0:b9:6d:f1:c9:5c:77:0f:
- 30:d9:46:e1:57:e5:d3:92:92:c1:74:40:99:24:00:ff:57:59:
- 2d:48:e5:1f:97:34:8b:7f:26:3e:24:9e:a6:96:14:16:d7:be:
- 94:1a:55:37:5a:d2:94:1f:df:9d:f2:8a:88:5d:e2:8b:c4:59:
- 60:06:44:52:a9:73:29:ed
+ 77:0b:fc:11:37:04:49:92:2b:97:e1:ee:b6:94:33:11:be:bb:
+ db:8b:6e:ce:42:11:39:b2:be:61:03:a2:ef:d4:06:1f:63:d2:
+ af:1f:c5:43:80:67:1d:10:a0:3d:93:d1:7f:bd:be:9e:21:48:
+ d0:a8:ea:8c:32:0a:f7:eb:b0:c7:0f:ac:a7:8b:c6:1a:18:10:
+ 51:88:fd:1a:53:4b:1b:7b:94:5e:59:02:92:72:6c:df:32:3a:
+ 9c:f5:87:c9:fd:a2:f8:d3:df:34:be:75:7e:51:15:eb:b0:df:
+ 87:1b:15:df:fc:97:1e:06:f9:6e:8b:79:45:3d:c4:76:d2:1d:
+ 8e:04:8f:72:d6:b0:7c:09:79:23:47:7a:9a:41:76:7e:c3:3d:
+ 2d:46:26:db:72:64:a8:1d:ca:94:fe:d8:69:e7:24:1f:dc:c8:
+ 7b:4f:2f:89:7b:a3:8c:33:7f:0f:54:16:f4:45:60:e1:df:68:
+ f5:5b:3a:ce:1c:63:e6:81:ca:a6:aa:e4:a2:c1:07:e3:ec:ef:
+ ef:ad:cc:ac:5a:e1:57:40:15:09:b3:0f:f1:58:b2:2a:45:eb:
+ 5e:16:03:9c:2c:c1:ce:22:48:67:06:5e:0a:fd:fd:d5:76:8e:
+ a8:db:2c:38:15:b4:c1:e4:0f:12:98:0a:43:19:e6:74:b9:8b:
+ e3:7a:92:2e:2a:30:1d:b7:85:39:d5:29:2f:54:16:7d:b0:f6:
+ f9:17:e2:95:07:ff:0f:e6:16:55:6d:97:c8:41:c6:5f:8f:a9:
+ 3c:3a:19:8d:66:29:13:f3:00:6d:31:f3:f1:14:a5:e8:c7:2c:
+ c0:18:4b:5e:15:88:eb:59:44:97:91:1c:78:d7:a0:4d:a1:bf:
+ bf:b0:67:4f:68:df:d3:d0:c4:6e:b8:1d:36:bd:a8:c8:b4:67:
+ 34:c0:b2:28:8a:e9:1a:30:14:b3:be:d5:a3:a0:57:4f:b7:ff:
+ a0:9e:c0:28:58:90:43:57:e7:7c:d0:81:90:41:54:85:56:4b:
+ cd:f4:a3:63:3b:1a:8f:82:0d:2c:9d:79:58:40:f4:f6:37:a0:
+ fc:77:db:82:ab:de:fa:0c:7f:c2:ce:35:80:4e:f7:d8:0d:8b:
+ cd:5b:8c:a9:82:ec:a3:a1:ca:b8:4e:29:fd:35:79:dc:4d:f3:
+ bf:ee:41:a0:88:63:b9:65:22:bb:0d:27:e8:91:d4:20:51:06:
+ f9:e7:9a:e9:7c:4c:4a:64:b5:4f:22:79:36:ad:79:e8:b8:6a:
+ 6f:f8:e8:39:48:7b:3f:87:14:9a:22:ec:7d:33:94:35:42:29:
+ 56:11:de:15:bd:4c:c2:5d:ff:9f:82:72:a2:00:b3:e9:68:38:
+ 5b:ab:dd:0d:90:73:cd:80
-----BEGIN CERTIFICATE-----
-MIIFXTCCA0WgAwIBAgIBCjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxOFoXDTM4
-MDExNjE1MDUxOFowHjELMAkGA1UEBhMCU0UxDzANBgNVBAMMBlN1YiBDQTCCAiIw
-DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOqc07oO3vnGPC7vfpFAjlgEFk//
-gWEM/bTShjyKavkzYwuOK6ycXAAoFv4yvHVVANKRDJLJCi3H4vTdFP4g2EV50aAe
-XZGl0gAXpL1ENZz0X2PcuRmlZnOxFq7n1Vm904Wxt64+qKieDdnN9Tgw01bZRAgR
-I8q7Xpb9jeh3fsSOWKgCbSB3mp1LvWpuwKR30jfLtcRKhwOpqqgiS+kT8iJkRAy0
-K2BWm8d2Hn26BhWara42mp3w34PlZEsYU7Ed7bxwCEhFfsarrdm8eQM9r+j2zU4E
-J86M1wnZUIf3djfrozuWRrYFhTzyCiM80o4OhggZb49WL72QgJipisSacZ0lCJvQ
-FCPUmaz5aET9Ab3ksB+H8gwWiDEBXq/fgcAp0QXIN29MtoGz0PH12RzP5pVAQewv
-uTnSG0jJA8oKn0tBdP8xvUDVRszJhJTpqtOu3/wHDktsaAdwkqr/miHAZ6rocnvb
-l/TQ++ltTEgZVfvE8/p4xpQv/Yixx1j9AyooUV6OLZX6Rle5bJO1ikQhgh3SxwuI
-JC3gRQ2POiPEH+ItAKRxpwHHF7gDKfwukpvddcweDgFycaeAn3vh6zVCHwwdrmks
-7nBlGUxb1wcnyCzOzNFnOd6ICuEhya1Q8oh5FW16RiNKk71ytTyk0pEnq9Lw918X
-jH4BM24uPo9IGAbvAgMBAAGjgZkwgZYwHQYDVR0OBBYEFE2fuJL0mDt+H+quozzf
-z+dWTvYlMFoGA1UdIwRTMFGAFP3GVnK86oIZSACwo4v3eT/3JvwjoS6kLDAqMRsw
-GQYDVQQDDBJoeDUwOSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFggkAmWX5NMOQ
-wXIwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAeYwDQYJKoZIhvcNAQEFBQADggIB
-AI9Ol/enhxcnry8wI5cuCTUDAZwTOBKFSRDOacR0aWdtYTq7xVrnVdrwowa+/1Xr
-iaJlLjXKJEkK+gE6yFCvlO7N6WcqGxujQB7kSnoxkxzmd56jQRlmZN3zczTXKDg/
-9ZQtWD+9JM1b7XeBUzFFZ+TXhc7SEPG3DwMiPMG+qorRkrYD5ZKjTNN27oqDAcig
-ClM6xqQ2jVE1pQfcjDXJA/od7EkF8LAO/iT1Ttu+8wCwNVfWMQLC4W86LCxC+Ydb
-w3L3RmofDhZQ7qYAQjCtBQfUjgoNxiOz15sBVxJ7fRtdYLf+eE+RG3bfpqf1YXY7
-HG98x1d/v8esI8XFz2tegxxMfoMt9ttRhXzTa9z291MfJjqNkfFqQ8tXGiRxlEh0
-cqFY6vgNPnFbNS8wtDosbrRRJ35m5fjMK4i8mM8ka19GMT7OWNQmAYfIG9kQoXY6
-8YsWLz9UsJX/wE86Zy0obiz7gYeSyIwTRT7Q7BK4Ug5x3NxQH1dEHW+AvVDbJj5j
-J1OfmUY5BCtmp/nz85nGM0pEC5DqXRccQR5E23PFaNHkBAGZSVkjDSsGWvzbVpBn
-bSi4ZmxWcBKuNt3wuW3xyVx3DzDZRuFX5dOSksF0QJkkAP9XWS1I5R+XNIt/Jj4k
-nqaWFBbXvpQaVTda0pQf353yiohd4ovEWWAGRFKpcynt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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/sub-ca.key b/lib/hx509/data/sub-ca.key
index 13570b1e2acf..1475e42dbac3 100644
--- a/lib/hx509/data/sub-ca.key
+++ b/lib/hx509/data/sub-ca.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDqnNO6Dt75xjwu
-736RQI5YBBZP/4FhDP200oY8imr5M2MLjiusnFwAKBb+Mrx1VQDSkQySyQotx+L0
-3RT+INhFedGgHl2RpdIAF6S9RDWc9F9j3LkZpWZzsRau59VZvdOFsbeuPqiong3Z
-zfU4MNNW2UQIESPKu16W/Y3od37EjlioAm0gd5qdS71qbsCkd9I3y7XESocDqaqo
-IkvpE/IiZEQMtCtgVpvHdh59ugYVmq2uNpqd8N+D5WRLGFOxHe28cAhIRX7Gq63Z
-vHkDPa/o9s1OBCfOjNcJ2VCH93Y366M7lka2BYU88gojPNKODoYIGW+PVi+9kICY
-qYrEmnGdJQib0BQj1Jms+WhE/QG95LAfh/IMFogxAV6v34HAKdEFyDdvTLaBs9Dx
-9dkcz+aVQEHsL7k50htIyQPKCp9LQXT/Mb1A1UbMyYSU6arTrt/8Bw5LbGgHcJKq
-/5ohwGeq6HJ725f00PvpbUxIGVX7xPP6eMaUL/2IscdY/QMqKFFeji2V+kZXuWyT
-tYpEIYId0scLiCQt4EUNjzojxB/iLQCkcacBxxe4Ayn8LpKb3XXMHg4BcnGngJ97
-4es1Qh8MHa5pLO5wZRlMW9cHJ8gszszRZzneiArhIcmtUPKIeRVtekYjSpO9crU8
-pNKRJ6vS8PdfF4x+ATNuLj6PSBgG7wIDAQABAoICAEljDQeiJzVSQPkdiSW+X8hA
-XwpfDgVhnuq0/7BoS9XvsQeoTRkNP+n8oFSbYkABeuRi4t/3auuvHtshXLOxanUx
-CdVgKjyo9et5edqKP4r9FemS3YOcLVP7DPFhK2eK7WNgl+g1SWSVLBf5SL9u5mzA
-QXuUgPGlco0gewdAebLaI/lJ6QDC6OZTDskAI9pOcL9rRUxFU75dkDhPohciWhdP
-7clbgkX8UXYvCJKjYcvYOoPIKM1Gz2PemWS0E1nP1tGe6bhRpLpYcWUug1v0K9Zf
-fRDuU9VUUN+PzpT5X01WtBSriSrexzKtM2aaW/J7sIlQC4l2mDBfxxn5zqJ4/Rhl
-aOJ6MDrBaA0IiVSJaYtSXS13G6MS3H3zLm7z5ZeTIa5ysqlg0Sb44xVDDhGshb3k
-/seBYviwHfZY8d2b2pp5FVUbwC3gL7wqr4oUN1iE3q8xdDxqRZfqqhvyBWuTOPvS
-TqRjcx+eK+Y4xSdlldgsj/gIiRiWe6MOYwoC0mBOXOqO5hBOKPGWX26FmqUirmJt
-3MCThLYcDTexLYiu+mpOl69YaoGCyXoWtiQpzdaJ/oPCmqLbMyL0O4t6eecK80d6
-mYSHBhqqXzNm03SMI2PyeuGadAjmJUY5GmT2V1+6JKWcVT/luMluEyfqjbZLxU7u
-s8QGchKj1btBN21iQ7RBAoIBAQD5ghu4Jm9X9V+Z4RKrSDIrcep/gkm3LoTQ7jrm
-tcZ0gOf0TLkCNEIMcCHGNj5V1seCbmsk7ysVVw0Ew1UeVBv5JlNroixV2/rF+G62
-MPT0o9BuboFfusM9G1fZP7IoTE2WL/6LXejRyxqxpdXLkT8+a/+52xpcmZzgLAJo
-rd2+4ODywc2a2K97rBYFq+I7XajHs0NI/EMAAVUUmuY3ekyo3+YDPA9ys6sRJnAu
-hhSvXPgeOep0UeDCXJFb3o+lXXnrEp6TUUPwxsmz88BNGrI3T7N5LT/6mV8Wm2i5
-gI0+KSVY2j/2aZmNk04xqVf9sYm+4OJyPqKbOPaJ9i7jzrx5AoIBAQDwt4EBESia
-YLARxkWEJkfKhRcPBC/iYLSikrJh/LwCbAT/T4M/VotBJv4qGZgQLCVSX2lDZy2e
-XPQZqmvcQbcA+rm/JX/jZkU4mW08GY4NtqZf4wAQv2vb7SCML86+QzzP2zTobyga
-a4uXF/vJCFkxQz05fGuYS5NhPYZcCIjLLb6Lx02jy8S40am7JKErrjVzyQZVKxgS
-hhvm5qW9wpbzvnczGkBWWf/bFVfzotO1Ghrdu1iBeJAN88wHNL0g8rFYAnO6ZigA
-tj2l2qSeIzZ8IU43Tqm24DH9/GQNOdw90ML/kZkp/0rr0ZXD3KMxICpGlYdbjMgx
-eZrFRFkT5rSnAoIBADMCDFSrVtvuh+rXfo+RpOAI293RbuyKEBD+gwAjbTzoFYN2
-I+R1doNAcUcqU7gMvqDFnhXg5zfnofu1SzN2EnnvAeLhNpse67eJQGjyvUE+NCA/
-ayd88OkPK/h38x4V606m5Szst+ob0Ys70edZ/EnwnkkKp+sCZHXXyW5JDSo2owY9
-5KChZ86qsZ3bM9bbIOQim8DSAYiAvToHKMVytTVZAJbssmPKo1BQQWLhel0XbooP
-YQUCsCZL8lOLvmYaJBCQr+aCGJeirB2j2U5qBMEWBCTjwU6kCDKA9vnlc/qfQslV
-ZPolQIUW9kdkzV5J61UgeGrOr0N4c75km9VqsFECggEBAJvNCfBY3MDe59b5T7Ey
-3bCU59HOUffhw8idzlthq4adx7ZADqEGMOegh01Ud3mwOQ/RtV3tADfJzix2g41x
-8zLtFSBE8zuJzC/QDkWh/LGfkJvrXvV4ECWumyxhHR1Eg629Icd3eqtvBFBtM4hw
-oNojvRLiFvnhoKiFm9shovhuyS/LddMYZmGBQqxgDvkormwcpr6lP9Vte829Z3Uk
-53MnyhsHWLELW3C/pceJkiFbnhv50FUsZYDCVUIsvmT+8A4YuDLjP+0GB2y70WSR
-QgihvfBKN8qn3XOY0mFFG+nenvevk0T9ec6cPqUgv3dibDp3Ob7lpgVvwd8AV+9r
-mW0CggEAW2N9dnmQ9Wz4l3WNGJsiEOdOgYXgFv4IqmPbUFBvVsr7EjpJ4QiEwwwK
-rAY+RZW0kFrxK0a1IeMG9WYNWwPfnmA+5jarOnVQDctcWzPWTKQMkMm6r9HTK29b
-BS5TNMyr0Tw58zhG65Y2fvqyHnnd+DeOLzAuRBNPiNDolwEHz/3NkygCYZ/vTWv5
-KzIdRRamjt2G3EAcQkmQB338Z16liqBbiAkVNfP6TaJ/f/T4McVXML1poG2Hna/k
-cdhyTVWVjzTR/awu/w27dUG5DbkaACmAmIrvKVcQOLdnCxYsuAwSgyVC5obTkMv8
-FAyxqmq2U5lLkxSX9M7dtz1OfJnbxA==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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/sub-cert.crt b/lib/hx509/data/sub-cert.crt
index 3186c83946e6..b98c463c09d9 100644
--- a/lib/hx509/data/sub-cert.crt
+++ b/lib/hx509/data/sub-cert.crt
@@ -5,48 +5,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=SE, CN=Sub CA
Validity
- Not Before: May 23 15:05:20 2019 GMT
- Not After : Jan 16 15:05:20 2038 GMT
+ Not Before: Mar 22 22:25:12 2019 GMT
+ Not After : Nov 21 22:25:12 2518 GMT
Subject: C=SE, CN=Test sub cert
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:b0:b9:77:f4:5d:e2:66:7d:10:16:aa:24:16:3b:
- 13:8d:ad:b1:00:12:eb:49:14:8d:73:3a:e2:ee:f7:
- fe:13:98:da:d9:d6:72:e2:8e:a9:dc:c6:d9:5c:86:
- e6:03:fd:29:a5:de:46:05:02:4f:a9:79:25:61:5f:
- f7:53:64:03:cd:2e:9d:c8:43:d9:45:48:14:7e:59:
- ae:c6:ad:25:78:10:71:57:43:30:45:65:d4:0c:5d:
- 52:91:97:dc:b8:93:38:64:9a:0b:4f:da:16:f7:1b:
- 8e:aa:f5:e5:cc:3d:0d:84:ba:d7:fd:f9:5f:4a:ed:
- c3:c8:36:66:f4:42:fc:5d:00:2b:7d:7b:8b:51:94:
- 35:a9:27:3a:71:fb:ac:f5:2f:e4:d2:8b:c6:22:e5:
- e5:a3:1b:13:95:3e:0f:0d:3e:07:1f:6e:23:b0:5d:
- f7:60:01:e5:08:85:01:ac:48:31:32:38:1e:57:e8:
- 1b:3c:38:c3:70:3a:81:1b:04:60:3b:c7:20:a9:8a:
- fe:b9:c5:4b:c7:10:28:32:0a:7c:1d:f3:8f:5c:d0:
- 2a:2e:83:97:3a:5f:42:34:95:1b:c4:b1:73:ff:23:
- a9:e6:fb:9f:f4:40:2e:2f:c0:ad:9f:d6:c2:45:21:
- 40:51:f9:2e:98:db:90:34:3e:f6:54:e5:fc:cc:d5:
- 06:4c:19:81:53:af:bd:a1:8d:83:3a:b5:c7:1b:85:
- 78:dc:64:65:f8:ed:88:b6:69:4d:c0:3b:da:9b:d5:
- eb:32:e0:e0:1c:00:65:e7:f0:5b:f1:bc:e2:e8:8a:
- a5:31:9e:d6:da:d3:c3:2f:d0:84:9a:f3:f1:2d:e1:
- b3:63:3e:2a:ce:c9:98:45:1b:7e:8a:bc:2f:0a:f1:
- 39:82:39:70:d0:f7:28:18:3a:74:eb:d0:4c:e7:99:
- e5:e6:b1:f7:33:57:60:14:cf:2b:24:59:ed:30:f6:
- a5:b1:6b:54:3d:74:ef:68:7c:69:b1:35:e8:1b:9e:
- 0a:d4:38:27:ea:7c:1e:01:11:46:4e:07:b2:da:00:
- f5:8c:a5:a6:d0:7f:24:a7:d9:32:a2:bf:6e:92:a3:
- 16:83:1d:ed:74:e6:3f:6b:ab:1b:23:65:84:32:51:
- 94:2f:1e:01:1d:13:b7:b3:6e:c2:2e:67:bd:33:8e:
- 41:44:14:29:07:92:01:99:2d:f6:ac:51:26:a3:44:
- 67:5e:cd:0e:35:e7:83:43:3a:20:78:63:23:4c:ee:
- f4:5b:32:0f:17:49:14:d6:14:9d:d4:32:2d:b6:15:
- 42:2a:7e:1f:3a:90:df:df:92:6d:b8:41:e3:39:29:
- d9:c2:2c:bf:94:67:9e:a9:8b:10:14:3a:ca:0a:10:
- cf:a4:5d
+ 00:ef:45:00:67:2b:7e:d2:ea:7d:80:b1:ae:81:5e:
+ fb:dd:82:ca:de:db:98:37:70:e8:3c:a2:01:87:8b:
+ 88:2e:40:30:22:d4:65:1d:7e:cb:cb:d5:40:e0:51:
+ 06:f0:f3:d9:00:db:5d:6a:0f:d3:11:bc:a1:3c:69:
+ 25:65:a9:87:b5:8a:3e:6c:79:2a:e8:5b:1a:9e:b4:
+ a4:81:5b:c3:83:f6:fd:9a:a8:48:6a:c4:ce:7f:81:
+ 26:83:c9:e5:b5:c9:a2:18:ed:0c:ea:1a:26:59:49:
+ df:56:ea:c2:33:2f:65:c2:14:30:5d:78:4e:91:09:
+ 6d:f5:77:ee:e8:0e:fe:ca:14:92:af:73:c4:8e:91:
+ b1:62:1a:c1:46:3e:36:d2:33:6a:7f:05:4e:d5:7b:
+ fe:69:4f:6c:b1:be:89:e6:7e:8d:5b:de:10:6c:a6:
+ bc:4a:05:66:17:19:71:e3:2c:62:bf:8b:4b:3c:6d:
+ fb:2a:7b:95:d5:d4:02:f0:43:e0:ce:cc:7a:30:fb:
+ a9:93:d2:50:a0:17:67:c6:08:8d:3c:9c:83:69:1f:
+ b7:ab:cf:d0:77:b6:8e:cc:89:0d:82:cd:e1:fb:53:
+ 2c:1d:f6:6b:81:0d:8f:da:dc:6a:34:93:06:23:32:
+ fb:83:90:40:8a:7f:ad:cf:2c:81:6a:10:cb:59:29:
+ d4:f2:af:b2:ee:f0:7b:b2:d5:0f:9d:5c:e6:d3:eb:
+ 18:9b:89:01:11:5f:e7:f4:50:34:e6:2c:31:b1:f3:
+ 60:af:03:a5:40:00:47:88:76:cd:52:da:1b:11:03:
+ 57:f5:3d:a1:01:f6:2f:9e:f5:01:37:22:a0:7d:5f:
+ 40:87:2d:69:72:70:80:05:16:24:2d:a6:b1:5e:ca:
+ 40:ad:f2:da:7f:c9:8f:7a:32:b2:8c:be:9b:de:66:
+ 17:92:81:83:8d:1a:f5:c9:8b:9a:3b:4a:84:b2:24:
+ 63:97:60:f6:3a:c0:84:88:2a:dd:6b:f8:e7:44:29:
+ 79:cf:98:d9:ab:36:93:10:a8:7a:7b:90:bc:bb:e0:
+ 43:c1:93:13:80:9d:cb:a6:68:67:94:67:6b:3a:58:
+ bd:02:39:20:88:e1:64:8e:a1:7a:6b:99:3b:9b:00:
+ 65:11:b5:fd:b7:18:55:fe:67:f4:94:ab:c2:08:a7:
+ 3a:d8:a7:b4:6e:d9:e9:89:1e:b0:81:1e:23:31:a9:
+ 17:b7:c7:f9:df:5b:90:2c:46:96:c5:d5:a6:cc:8b:
+ e4:db:fd:4b:47:8d:8f:bb:e4:41:d0:99:fe:81:83:
+ 88:a7:f0:a5:81:ae:c9:62:f6:4f:d8:12:60:33:20:
+ 6f:d1:39:37:f5:1f:05:40:62:43:9b:97:a5:7b:16:
+ cc:93:e5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
@@ -54,63 +54,63 @@ Certificate:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
- C8:FC:4C:74:0D:42:18:8E:0A:4B:7C:61:C7:CD:36:FD:A9:96:8E:64
+ 48:26:75:6B:4D:E0:98:93:39:02:40:D3:F1:1C:6D:D0:D8:45:A6:04
Signature Algorithm: sha1WithRSAEncryption
- 5c:65:de:68:c8:80:3b:8b:08:74:2d:f4:89:51:42:7e:ac:41:
- 83:d0:7f:ff:cb:d4:95:84:10:52:f9:2f:77:62:04:b9:03:8f:
- a5:b2:16:92:19:c9:94:62:ae:3a:2b:73:89:59:73:2e:e3:05:
- 05:0a:dc:e4:00:be:6b:fc:1e:ad:92:e2:8d:1d:a8:e2:71:6e:
- 10:3b:50:5d:1c:c1:97:e7:4a:14:c3:1e:9a:a3:4c:e6:5f:4a:
- fe:21:43:94:e1:e5:11:7c:42:c6:b7:06:d5:11:45:5d:3c:bf:
- e7:9d:9b:4e:0a:9b:7a:94:09:ed:b1:fb:07:c4:2f:16:a3:8b:
- 92:50:23:b6:5c:33:fa:2c:39:83:3a:6a:92:d2:00:a8:e0:a7:
- 28:25:8a:b6:09:ee:17:6a:f3:be:38:c8:48:04:2e:81:96:9c:
- 08:a2:3b:48:6e:f2:75:d8:5b:07:00:13:64:1f:a5:a1:7e:bf:
- d1:a4:fa:5f:61:55:40:67:8a:76:31:28:1c:f8:a7:f0:9e:bb:
- e0:bd:18:89:6c:9c:e7:21:9f:49:ab:3f:1b:43:12:c3:4d:fc:
- cc:e7:f4:4c:4f:c0:45:5b:30:f7:9b:09:60:a7:46:a5:f0:8b:
- ea:ab:62:78:3c:7a:cc:ea:09:2b:f7:7c:06:04:b2:f7:31:68:
- b0:25:e0:7e:bf:50:b5:a3:b6:f3:1d:c0:42:95:d9:79:f6:8e:
- 94:cc:b4:da:f9:e6:fe:7a:44:93:80:0b:25:d9:54:69:8e:d8:
- 7e:08:a8:63:55:67:3c:32:87:52:73:38:fa:0a:e0:4c:ac:1e:
- b1:7d:bc:89:ee:a5:d6:79:ed:79:2c:97:f0:c6:a4:1f:ff:ca:
- 1e:38:a9:86:22:46:d3:ff:69:44:aa:7c:9d:c0:35:d3:99:03:
- 86:5e:b4:d0:e4:16:c9:f1:83:16:5f:b8:b9:a0:8b:16:c2:31:
- 17:2d:59:de:a7:b0:16:cc:63:10:16:17:20:cf:e3:af:02:92:
- 48:d3:64:38:44:9c:16:a9:62:5b:be:7f:c8:1f:4e:69:d6:44:
- 35:92:cd:69:fc:e5:23:60:4e:a3:93:92:1f:aa:6e:ae:77:cc:
- 63:fe:ff:49:10:10:c4:3c:53:34:1c:d9:51:41:d8:73:86:5e:
- d5:a8:22:38:b0:20:3a:11:3f:a0:50:ba:4a:ad:8f:1b:34:51:
- 68:6e:66:6a:77:22:ec:a8:8a:14:ff:cc:3d:32:20:76:d9:a5:
- d1:fc:4c:60:35:dc:1e:38:a4:02:ee:65:8b:79:8e:65:6c:2d:
- dd:c8:54:70:c2:9e:03:29:a5:99:ac:9b:83:52:c4:19:1b:8e:
- f1:15:cd:71:c8:1d:0a:de
+ aa:a0:db:44:96:6c:b5:c7:96:93:a3:11:e5:dc:1f:69:08:87:
+ f5:5f:50:25:99:03:6c:d2:89:55:4c:04:d4:8a:49:73:e8:e1:
+ 82:4f:f6:45:24:1c:ef:46:09:b2:19:09:16:5f:11:05:13:e7:
+ 3f:ca:5b:af:4f:6f:39:df:a8:71:1c:cb:62:2b:8d:42:b9:a7:
+ 58:76:72:db:88:8d:3a:e0:33:5c:ef:41:c7:30:d6:d0:9a:9c:
+ 70:f1:72:74:e6:0d:6c:1c:11:ff:f3:4a:ee:3d:d2:f7:3a:56:
+ 9f:41:63:83:60:4c:6b:63:d5:9a:a1:c8:22:b2:a5:8c:03:99:
+ 2f:04:65:a8:52:1b:1c:cb:4b:e4:b1:a0:86:7c:d7:85:e9:9a:
+ 8b:8f:f1:2d:e9:45:d0:f4:ee:51:cf:13:da:ff:ea:e8:cc:30:
+ cc:ed:f3:7e:f9:4d:59:a3:d2:ca:f2:4f:5b:73:65:63:de:39:
+ 0e:87:e1:16:30:65:d0:fa:da:0d:57:df:82:de:09:2c:24:7a:
+ ef:9c:d8:fa:7c:5a:25:f1:1e:e3:e1:56:c5:79:c3:13:37:38:
+ 03:dd:b4:6f:c0:61:b7:cb:41:bb:77:0c:c3:4f:14:e0:8c:e9:
+ 89:4b:55:6b:dc:ce:11:9b:f0:68:32:e2:64:c8:75:6a:80:26:
+ 88:fc:c1:ad:56:07:57:07:2d:fc:10:c8:42:94:f6:f4:7a:e2:
+ 94:ee:05:aa:28:7a:f3:d6:62:4a:fb:99:c0:df:dd:ca:77:14:
+ 70:6e:63:d1:68:25:6b:de:51:8b:8c:0c:5e:68:79:25:a5:68:
+ 74:c1:43:23:75:4f:eb:30:c6:84:79:a9:df:25:a6:66:56:cd:
+ 9c:95:40:b0:12:c0:60:9d:b3:99:02:4d:d1:de:25:2d:00:49:
+ e4:8f:81:8f:14:5d:3e:1c:c4:ac:11:ac:ef:0d:a7:ca:0c:01:
+ 88:54:26:bb:38:c7:24:b8:4b:45:97:40:9b:21:ea:7b:e0:5b:
+ 5f:d4:3d:dc:01:0a:8e:3d:db:31:8b:e8:23:8b:5c:48:34:95:
+ de:71:cc:61:43:aa:59:0e:be:0a:7f:75:8d:fb:b9:f0:fd:28:
+ e9:76:8d:5f:ea:9c:59:07:28:a5:b4:df:8f:0b:3c:c7:ad:00:
+ fe:9e:28:86:cd:52:fe:e3:78:81:ed:5e:73:40:1c:06:02:a8:
+ b1:84:b3:ec:56:ce:a3:70:22:ce:ab:0f:4b:8d:36:09:2d:6d:
+ 5e:93:2d:c4:20:c4:bd:8e:78:68:0a:84:81:b9:85:b7:cb:03:
+ c0:26:b9:c3:d8:e7:ab:c6:a6:7c:55:a4:e6:96:b3:65:84:5b:
+ 7e:bd:1e:c9:94:f6:25:c7
-----BEGIN CERTIFICATE-----
-MIIE9zCCAt+gAwIBAgIBCzANBgkqhkiG9w0BAQUFADAeMQswCQYDVQQGEwJTRTEP
-MA0GA1UEAwwGU3ViIENBMB4XDTE5MDUyMzE1MDUyMFoXDTM4MDExNjE1MDUyMFow
-JTELMAkGA1UEBhMCU0UxFjAUBgNVBAMMDVRlc3Qgc3ViIGNlcnQwggIiMA0GCSqG
-SIb3DQEBAQUAA4ICDwAwggIKAoICAQCwuXf0XeJmfRAWqiQWOxONrbEAEutJFI1z
-OuLu9/4TmNrZ1nLijqncxtlchuYD/Sml3kYFAk+peSVhX/dTZAPNLp3IQ9lFSBR+
-Wa7GrSV4EHFXQzBFZdQMXVKRl9y4kzhkmgtP2hb3G46q9eXMPQ2Eutf9+V9K7cPI
-Nmb0QvxdACt9e4tRlDWpJzpx+6z1L+TSi8Yi5eWjGxOVPg8NPgcfbiOwXfdgAeUI
-hQGsSDEyOB5X6Bs8OMNwOoEbBGA7xyCpiv65xUvHECgyCnwd849c0Coug5c6X0I0
-lRvEsXP/I6nm+5/0QC4vwK2f1sJFIUBR+S6Y25A0PvZU5fzM1QZMGYFTr72hjYM6
-tccbhXjcZGX47Yi2aU3AO9qb1esy4OAcAGXn8FvxvOLoiqUxntba08Mv0ISa8/Et
-4bNjPirOyZhFG36KvC8K8TmCOXDQ9ygYOnTr0EznmeXmsfczV2AUzyskWe0w9qWx
-a1Q9dO9ofGmxNegbngrUOCfqfB4BEUZOB7LaAPWMpabQfySn2TKiv26SoxaDHe10
-5j9rqxsjZYQyUZQvHgEdE7ezbsIuZ70zjkFEFCkHkgGZLfasUSajRGdezQ4154ND
-OiB4YyNM7vRbMg8XSRTWFJ3UMi22FUIqfh86kN/fkm24QeM5KdnCLL+UZ56pixAU
-OsoKEM+kXQIDAQABozkwNzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAdBgNVHQ4E
-FgQUyPxMdA1CGI4KS3xhx802/amWjmQwDQYJKoZIhvcNAQEFBQADggIBAFxl3mjI
-gDuLCHQt9IlRQn6sQYPQf//L1JWEEFL5L3diBLkDj6WyFpIZyZRirjorc4lZcy7j
-BQUK3OQAvmv8Hq2S4o0dqOJxbhA7UF0cwZfnShTDHpqjTOZfSv4hQ5Th5RF8Qsa3
-BtURRV08v+edm04Km3qUCe2x+wfELxaji5JQI7ZcM/osOYM6apLSAKjgpyglirYJ
-7hdq8744yEgELoGWnAiiO0hu8nXYWwcAE2QfpaF+v9Gk+l9hVUBninYxKBz4p/Ce
-u+C9GIlsnOchn0mrPxtDEsNN/Mzn9ExPwEVbMPebCWCnRqXwi+qrYng8eszqCSv3
-fAYEsvcxaLAl4H6/ULWjtvMdwEKV2Xn2jpTMtNr55v56RJOACyXZVGmO2H4IqGNV
-Zzwyh1JzOPoK4EysHrF9vInupdZ57Xksl/DGpB//yh44qYYiRtP/aUSqfJ3ANdOZ
-A4ZetNDkFsnxgxZfuLmgixbCMRctWd6nsBbMYxAWFyDP468CkkjTZDhEnBapYlu+
-f8gfTmnWRDWSzWn85SNgTqOTkh+qbq53zGP+/0kQEMQ8UzQc2VFB2HOGXtWoIjiw
-IDoRP6BQukqtjxs0UWhuZmp3IuyoihT/zD0yIHbZpdH8TGA13B44pALuZYt5jmVs
-Ld3IVHDCngMppZmsm4NSxBkbjvEVzXHIHQre
+MIIE+TCCAuGgAwIBAgIBCzANBgkqhkiG9w0BAQUFADAeMQswCQYDVQQGEwJTRTEP
+MA0GA1UEAwwGU3ViIENBMCAXDTE5MDMyMjIyMjUxMloYDzI1MTgxMTIxMjIyNTEy
+WjAlMQswCQYDVQQGEwJTRTEWMBQGA1UEAwwNVGVzdCBzdWIgY2VydDCCAiIwDQYJ
+KoZIhvcNAQEBBQADggIPADCCAgoCggIBAO9FAGcrftLqfYCxroFe+92Cyt7bmDdw
+6DyiAYeLiC5AMCLUZR1+y8vVQOBRBvDz2QDbXWoP0xG8oTxpJWWph7WKPmx5Kuhb
+Gp60pIFbw4P2/ZqoSGrEzn+BJoPJ5bXJohjtDOoaJllJ31bqwjMvZcIUMF14TpEJ
+bfV37ugO/soUkq9zxI6RsWIawUY+NtIzan8FTtV7/mlPbLG+ieZ+jVveEGymvEoF
+ZhcZceMsYr+LSzxt+yp7ldXUAvBD4M7MejD7qZPSUKAXZ8YIjTycg2kft6vP0He2
+jsyJDYLN4ftTLB32a4ENj9rcajSTBiMy+4OQQIp/rc8sgWoQy1kp1PKvsu7we7LV
+D51c5tPrGJuJARFf5/RQNOYsMbHzYK8DpUAAR4h2zVLaGxEDV/U9oQH2L571ATci
+oH1fQIctaXJwgAUWJC2msV7KQK3y2n/Jj3oysoy+m95mF5KBg40a9cmLmjtKhLIk
+Y5dg9jrAhIgq3Wv450Qpec+Y2as2kxCoenuQvLvgQ8GTE4Cdy6ZoZ5RnazpYvQI5
+IIjhZI6hemuZO5sAZRG1/bcYVf5n9JSrwginOtintG7Z6YkesIEeIzGpF7fH+d9b
+kCxGlsXVpsyL5Nv9S0eNj7vkQdCZ/oGDiKfwpYGuyWL2T9gSYDMgb9E5N/UfBUBi
+Q5uXpXsWzJPlAgMBAAGjOTA3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1Ud
+DgQWBBRIJnVrTeCYkzkCQNPxHG3Q2EWmBDANBgkqhkiG9w0BAQUFAAOCAgEAqqDb
+RJZstceWk6MR5dwfaQiH9V9QJZkDbNKJVUwE1IpJc+jhgk/2RSQc70YJshkJFl8R
+BRPnP8pbr09vOd+ocRzLYiuNQrmnWHZy24iNOuAzXO9BxzDW0JqccPFydOYNbBwR
+//NK7j3S9zpWn0Fjg2BMa2PVmqHIIrKljAOZLwRlqFIbHMtL5LGghnzXhemai4/x
+LelF0PTuUc8T2v/q6MwwzO3zfvlNWaPSyvJPW3NlY945DofhFjBl0PraDVffgt4J
+LCR675zY+nxaJfEe4+FWxXnDEzc4A920b8Bht8tBu3cMw08U4IzpiUtVa9zOEZvw
+aDLiZMh1aoAmiPzBrVYHVwct/BDIQpT29HrilO4Fqih689ZiSvuZwN/dyncUcG5j
+0Wgla95Ri4wMXmh5JaVodMFDI3VP6zDGhHmp3yWmZlbNnJVAsBLAYJ2zmQJN0d4l
+LQBJ5I+BjxRdPhzErBGs7w2nygwBiFQmuzjHJLhLRZdAmyHqe+BbX9Q93AEKjj3b
+MYvoI4tcSDSV3nHMYUOqWQ6+Cn91jfu58P0o6XaNX+qcWQcopbTfjws8x60A/p4o
+hs1S/uN4ge1ec0AcBgKosYSz7FbOo3AizqsPS402CS1tXpMtxCDEvY54aAqEgbmF
+t8sDwCa5w9jnq8amfFWk5pazZYRbfr0eyZT2Jcc=
-----END CERTIFICATE-----
diff --git a/lib/hx509/data/sub-cert.key b/lib/hx509/data/sub-cert.key
index e9fcb0d3fb15..481dabb647d0 100644
--- a/lib/hx509/data/sub-cert.key
+++ b/lib/hx509/data/sub-cert.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCwuXf0XeJmfRAW
-qiQWOxONrbEAEutJFI1zOuLu9/4TmNrZ1nLijqncxtlchuYD/Sml3kYFAk+peSVh
-X/dTZAPNLp3IQ9lFSBR+Wa7GrSV4EHFXQzBFZdQMXVKRl9y4kzhkmgtP2hb3G46q
-9eXMPQ2Eutf9+V9K7cPINmb0QvxdACt9e4tRlDWpJzpx+6z1L+TSi8Yi5eWjGxOV
-Pg8NPgcfbiOwXfdgAeUIhQGsSDEyOB5X6Bs8OMNwOoEbBGA7xyCpiv65xUvHECgy
-Cnwd849c0Coug5c6X0I0lRvEsXP/I6nm+5/0QC4vwK2f1sJFIUBR+S6Y25A0PvZU
-5fzM1QZMGYFTr72hjYM6tccbhXjcZGX47Yi2aU3AO9qb1esy4OAcAGXn8FvxvOLo
-iqUxntba08Mv0ISa8/Et4bNjPirOyZhFG36KvC8K8TmCOXDQ9ygYOnTr0EznmeXm
-sfczV2AUzyskWe0w9qWxa1Q9dO9ofGmxNegbngrUOCfqfB4BEUZOB7LaAPWMpabQ
-fySn2TKiv26SoxaDHe105j9rqxsjZYQyUZQvHgEdE7ezbsIuZ70zjkFEFCkHkgGZ
-LfasUSajRGdezQ4154NDOiB4YyNM7vRbMg8XSRTWFJ3UMi22FUIqfh86kN/fkm24
-QeM5KdnCLL+UZ56pixAUOsoKEM+kXQIDAQABAoICAAxzNIExsAZ6XwzJtbsfNFRx
-3RtdOdgvK3vntR8St4KX7SsVkYhmdo8ILz32fvPe/PUjgJlPvV76GukOQrVMQXxO
-AW2fYgogdtkj5k0224Hm3qVAJYFuGA8679sz8KfML1ffBlb8zUthVJ60rhjCYFZu
-d1L8I3t63qUXOA+TPIYsweOYNYtsvo8JJXPsQBYR5rPyhuXkflYMTUfhVFwhd4z+
-TGNba1cHKyR7gk+p0lVwYKrevjRy50nbxUaq+0Ca2bE4CpP500nV2I8V8AKIKxxl
-yeL3AEtrdJWRv6AOxFZAI/MS3QTvFJHmqBSvo4YNPqPHw0GfjjwwB1iZz0J663OI
-5hZ1dHdaLk3HSb3XdemMnwi5guJru+ojmGv9w4si9gpVdayzRiar4BG3Q2s2u68b
-t/Gr/5grWUFzhZua2BVTRpYzMQ2dX9aX/YNJdXV67Syg1sNb6jasjYXdjMhBhkD7
-UrgyUFgB/dC2M55AuCYtuSXbEdQAlMtrHOgdYfLSNRRj8FLCgnhe/72KB1hAhCrh
-S5NKWdIfd3eDDoRYcCmiiKJ+5dPppy4G1xYxx/CvJep6NybSK18fsVYBDoXD3c00
-YoseUWueKcJshWDn71nYupwvvlbIegvOllvijcLMnFFKCDP0Yxfp8cZBZTYZrCH1
-Y4C/r4dnhCaxbS86Xf0dAoIBAQDrAqNl0BzrOBsDRDpdDy9yJgdiumII76yQFzEh
-xm0OgBleKvx50awbuACDGoVQ9wFExX3NajDX5G5hwQkzy4UnG87RS2NZuaIgkN9o
-IbSqDlswurlGYHG1azfBeOivnaGFMtxx+X0aM9TfXy50WgCnjgogXOcvfKkiCQiQ
-kQuoLwBCEDX730gzrypcfbpECuo8lKP3s3dgan6uDkvmmAVQSW30maZOltToAljq
-Hdf73JB+UNwTUrpCZH5F5EhKXZSRexDBGr5FeaxHi/R+whg73LS8Y6X97mpqs7Hq
-FSmayZ3ILJx3sWJCyV2D+6k2Sk9gBWbMSUdGpS9BmBIZKS1fAoIBAQDAgil3ZhI1
-25DxeHLAS+ZcLVl5v/j3DfZsBfn4F6MjpqI9GAjaWnq/H54nv8PcYSlhWuFsN2dz
-haJYzDJtFevor/I6DPYfrM2Sfxcz9rsi3m8+qGNLdVO/++hg9bxcUrIwiT8kv2Xi
-OJnXvEFil5Ldmb/NM98TaUu//jYg4yr2w6f70rrtyVAsio3q7xrV1r7q2FjpF/Gq
-BFJJ0pBwXtnYHJojaA2im9BnTtRmBxA4Y5/ImVofp7XFIuqI5SfYO9RNd/LX95Lv
-pIg9DofsIMnK9v8Zp09s7UtNh76JbrG35mVvR9c7VZ5bBqbAJuk6WoRKyerkrMOE
-7WfaNPtf4QvDAoIBAGyjk5WFV1kFXrdr2u8aDfzex5tEPf2Tjlot3nCWoeOKJC/7
-/yrxWnaV4Oa6Y9bB2LxJ75X9+QZUexKFghOHic5CdKEcEJlxzxju39frfPEAIfes
-2elGvEn5fpTZp/dHD1vb3zxw8Pwj6cw42+i9kn/ikZvUVqsFHcq2EleCNblRwPTJ
-Oatt1JrP5u1K0ciSoyXOMN5ZAF553IXp5fx7Wjl7OHFSdibuYw29yAyyLx4nIETE
-bHgiTihS/Gyi0yhNiliWY3BhRIQpcxLACA5w+3Lw3DwadKmmhVs+Jojnr4v2mBHp
-TYunXJ0zKR/SPq7yOy9QT+0wEtr9kZLpEbS/7FECggEAO69fadxkovwbOTKN6V7e
-4g9RYXUKnJZgo2dK9AdoFiKQxH5SKFjLG7ySzWIgOJCLQtrpbyLSWTfCeON+cuHM
-DY2XfTYNjQ6HgfcTW5IQvSPXu8Z7Wqbau3g/uOgXaUxeYLv8rskErpm74O5GG2pB
-J6GGnPmLHTqVOMZ5Q8MKzA0nZOUV/alfyR+AFqnhWRFGigtfrY016O+ED81P6PcP
-dXiQtY+KQrMqbw06vxNLjSAeJxSco5ncum0z6BOcQedy0D3zNdBVZyVM9BkwPR6B
-UgM4XlzIPE5p/XSrt3JxeUHeixzr90J5YWFzi7nEr8nmoEVwJUwHJoxwmW+5zCU6
-/wKCAQEAgg9azbPTBLQsvQxp1G+nNeGfQzwe1QrlHFdW8e/rKudsXUoEoBoT77Z/
-xEcErH5uhFPz6twMYv2qaZPTY+mmB0/5q/TCo/KXguahr5eLrunYgkkjtRz4Tw2x
-ebBwoVSorX75txGIw+AZLgzYamkZpYc8ZC46aCLEbpFj8hNAuhibY+s/1oc+zL7P
-eCe+MYKKbk91KajbceSRIzFeyFa9nUOd4EM31Ebp4lxGSaLcp386C8naFa+EowoI
-4TLagaViDshP1ysaHdpiEjt0DnjKC/TlzE17ttpdSFTwFe0GsND2TuV0Fgk0SAjG
-uj2qsRY0KoByw9kyWVQeMxTuF6/EaQ==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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/sub-cert.p12 b/lib/hx509/data/sub-cert.p12
index c929d7c89667..18898c890cd9 100644
--- a/lib/hx509/data/sub-cert.p12
+++ b/lib/hx509/data/sub-cert.p12
Binary files differ
diff --git a/lib/hx509/data/tcg-devid.pem b/lib/hx509/data/tcg-devid.pem
new file mode 100644
index 000000000000..66b769c7a67a
--- /dev/null
+++ b/lib/hx509/data/tcg-devid.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----
diff --git a/lib/hx509/data/tcg-ek-cp.pem b/lib/hx509/data/tcg-ek-cp.pem
new file mode 100644
index 000000000000..f6631b2e06f6
--- /dev/null
+++ b/lib/hx509/data/tcg-ek-cp.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/lib/hx509/data/test-ds-only.crt b/lib/hx509/data/test-ds-only.crt
index 95df000b3007..ce0de74ed094 100644
--- a/lib/hx509/data/test-ds-only.crt
+++ b/lib/hx509/data/test-ds-only.crt
@@ -5,48 +5,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:14 2019 GMT
- Not After : Jan 16 15:05:14 2038 GMT
+ Not Before: Mar 22 22:25:05 2019 GMT
+ Not After : Nov 21 22:25:05 2518 GMT
Subject: C=SE, CN=Test cert DigitalSignature
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:db:8d:a2:5f:bd:67:a2:66:d7:80:3d:9b:5e:d7:
- 31:5b:05:06:4f:0c:aa:5c:e8:0b:06:bc:30:8f:f9:
- fc:b3:1d:de:4f:c4:18:0d:7a:ab:00:7a:7e:5d:b2:
- fd:85:d8:22:9d:d8:b7:e2:e8:98:e6:47:b6:63:01:
- 90:d5:e9:80:c7:ac:e4:32:bf:df:10:af:73:11:d2:
- 82:21:bf:5b:76:37:d2:03:67:c5:9a:7b:44:a5:4a:
- 4e:a6:05:d3:95:09:fb:13:3a:7a:ca:b9:4f:28:24:
- e2:cb:75:ee:6d:97:a6:62:fb:bc:57:ed:6e:2f:e9:
- 0a:7f:61:4b:c7:9a:45:7c:49:5d:03:fe:4e:09:8b:
- 9c:30:60:67:42:0f:89:44:08:0b:4e:65:96:6f:f8:
- 83:27:10:de:99:7a:8d:bc:e1:ab:23:cd:d2:83:57:
- 0f:5a:99:26:dd:6e:16:3b:d5:4d:7e:4d:d1:85:e8:
- 37:44:69:de:ea:9e:79:af:eb:b3:6f:87:0b:23:97:
- 53:81:b3:e4:64:2a:1d:f9:2c:6d:54:63:15:8e:39:
- 9c:70:b0:c1:85:91:be:21:4b:4d:73:21:0a:59:fc:
- 20:b9:60:6c:7d:ca:ed:ab:e7:22:79:cf:c4:5b:bc:
- 9e:fe:90:ec:e7:48:c0:0d:60:2c:6d:db:bb:ed:95:
- 70:cc:14:b4:45:9b:9b:45:92:fa:d2:50:ab:5a:60:
- 1b:96:6c:81:d7:2a:4f:60:df:29:38:26:9a:7b:ea:
- 68:e8:cf:dc:c3:25:a8:2a:d4:79:ea:69:7b:96:2d:
- 2d:aa:8c:39:1e:9c:00:bf:51:8c:66:4b:14:20:f0:
- cb:3a:19:b2:03:5c:78:63:72:56:bf:8f:fa:49:19:
- 98:d0:25:1b:24:ad:85:51:1f:07:d9:72:94:70:7d:
- 47:b1:9d:88:86:26:d5:01:d6:10:c9:04:60:01:b7:
- c5:5d:6f:e6:10:c4:7e:85:87:b6:8b:ce:15:ec:79:
- bb:05:83:3d:98:91:90:42:5a:28:f9:1f:65:07:63:
- 15:97:3d:8d:c2:33:f8:9c:70:c2:a5:53:6d:90:db:
- 6c:15:30:1e:6f:a1:09:8e:e5:56:79:fd:7e:11:f8:
- bd:44:5c:99:35:7c:56:03:1a:bf:15:fa:1f:08:8f:
- 1f:82:a8:2e:c3:a5:f4:94:a1:4e:9f:ef:4b:c6:6f:
- af:12:ee:ee:c0:c0:39:3e:47:bf:17:6e:09:c6:8c:
- 47:89:b0:a3:26:92:95:91:38:07:c9:eb:5e:2b:8a:
- 65:c1:26:21:60:68:f1:27:5b:76:7e:a8:81:25:31:
- 6e:14:06:08:09:62:13:9c:c8:af:01:e8:9b:4a:9e:
- 18:b1:35
+ 00:d2:e5:b6:27:f7:6c:c1:d0:ba:8a:4a:6a:4e:b5:
+ a6:92:2e:5b:98:d7:0c:6a:7e:f4:bf:19:30:2d:ee:
+ 1c:5a:ee:28:f6:5c:a8:12:03:20:c7:e8:2b:b1:44:
+ 9f:b7:54:27:6e:17:fc:c0:f6:f7:ea:38:d2:c8:77:
+ ab:6a:ae:d1:ab:9f:1e:79:df:8a:51:55:aa:6c:6a:
+ 13:74:74:2f:c0:20:57:ef:f3:e1:71:da:b0:ec:62:
+ e9:8a:01:da:f6:e6:c6:5a:fe:11:61:58:5c:a0:01:
+ ec:0e:af:70:0d:72:94:a1:d4:1c:76:53:ae:39:a0:
+ cf:70:d8:d9:7c:95:18:2b:5f:36:00:2f:5c:be:a2:
+ d5:8e:0e:e3:aa:76:0c:1f:86:b3:69:fe:e4:29:0a:
+ 30:b1:ca:83:1a:f2:88:fc:91:2f:58:be:a4:a0:25:
+ 82:bf:16:b3:ca:70:09:7e:cf:29:f9:2e:58:0b:4a:
+ 3a:3c:6d:e7:05:63:d5:53:90:ed:ee:96:9e:8e:d7:
+ a8:ef:50:8b:37:bd:dc:88:f5:12:bc:04:4e:e4:f3:
+ ec:5d:9d:e6:46:14:e1:e1:6b:15:ab:f4:52:f6:12:
+ 76:ae:2d:a7:65:ec:8f:bd:90:51:52:4d:e7:cf:ba:
+ 23:01:7a:85:8b:22:41:a6:98:08:e4:33:00:c1:e2:
+ 82:b0:b2:c6:f4:6a:34:c6:a9:d7:b1:cc:c6:1a:0b:
+ ad:69:1f:89:af:e0:63:cd:51:c9:36:7f:08:f0:31:
+ 97:ea:78:bb:ae:21:4c:aa:2d:32:de:36:03:cf:64:
+ f8:8a:c0:c5:b3:c4:f9:79:74:7a:8b:d5:ec:bf:19:
+ 87:c9:25:0c:99:7d:56:a3:93:68:97:c3:cc:08:fb:
+ 37:c0:2c:cb:87:f2:b4:4e:fe:ce:86:69:2b:8e:c3:
+ 9e:40:a9:b6:43:6e:d6:b6:3d:08:43:24:09:58:8d:
+ af:d2:5d:1c:0e:cd:bc:e3:0b:b3:4b:a5:69:a8:3c:
+ d7:07:d0:7f:d7:78:c7:5c:a4:9f:e1:a2:bc:76:77:
+ 80:25:0e:82:2b:43:1e:e4:67:49:47:d9:65:45:57:
+ ed:59:d7:6e:a1:8d:76:a0:c2:65:52:c8:c8:57:5d:
+ dd:b4:d2:4f:27:a5:08:f1:88:7e:d2:3e:5d:60:c6:
+ 67:fb:c9:19:e7:78:cc:41:6d:24:11:cd:a4:e6:cf:
+ 56:8c:41:4d:af:d6:e2:22:c0:a3:64:2c:4b:27:f6:
+ b3:87:9d:08:e6:2a:2f:db:c8:50:57:95:a3:cf:67:
+ 77:f8:80:15:f3:45:00:47:f8:80:6e:21:b5:80:f1:
+ 81:29:45:3f:a9:8a:e2:12:12:4d:c4:90:e3:da:ab:
+ 08:80:bd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
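Review bot: The regenerated fixture keeps `Signature Algorithm: sha1WithRSAEncryption` (also in the test-ke-only.crt hunk below), so after this import the hx509 test chains are still only SHA-1-signed; if the OpenSSL 3.0 backend this commit targets is ever used for signature verification at its default security level, SHA-1 certificate signatures may be rejected and the tests would then fail for a reason unrelated to hx509 itself. Consider regenerating or adding at least one fixture signed with sha256WithRSAEncryption so that a SHA-1 rejection is distinguishable from a real regression. The new `Not After : Nov 21 22:25:05 2518 GMT` is beyond the 32-bit time_t range; whether hx509's validity comparison handles that on 32-bit builds cannot be told from this hunk and is worth confirming in the test run.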
@@ -54,64 +54,64 @@ Certificate:
X509v3 Key Usage:
Digital Signature, Non Repudiation
X509v3 Subject Key Identifier:
- 6B:E9:29:4E:C6:18:4A:A0:2F:A9:AC:67:3D:F7:80:7C:CE:8A:97:66
+ C4:44:DE:34:6C:55:F0:21:00:F4:CF:F0:55:67:92:FB:8F:B3:40:46
Signature Algorithm: sha1WithRSAEncryption
- 9e:b3:b6:2d:27:65:c4:2e:2a:a2:f1:d6:3c:ba:4b:c6:b9:47:
- fe:72:5a:fe:f4:f7:92:4c:17:7c:f5:88:91:eb:f9:1a:6a:c3:
- 82:a9:8b:6f:4e:e1:62:d2:15:d8:50:12:aa:cf:ef:2e:73:2a:
- 86:cb:59:49:1a:35:17:4e:c4:2e:ac:65:5a:f0:13:da:35:78:
- 20:59:e7:f9:8c:9a:97:0f:76:cf:cf:2d:79:69:b2:9f:15:77:
- d9:af:20:ff:ab:07:18:f4:ef:5d:4d:c2:56:bc:fb:a6:52:aa:
- 53:a3:5f:91:5b:83:61:e7:fe:c1:89:4f:57:c3:8a:ba:d2:89:
- ed:9f:28:b0:f7:18:25:dc:d1:e8:4e:f0:ef:50:70:e5:cf:6d:
- ba:1e:d9:98:11:13:02:53:15:9b:98:95:b2:8a:60:a4:6c:f9:
- c6:23:4a:9d:25:ce:31:fe:17:fc:1f:11:43:52:4c:45:ef:f6:
- 38:c5:e7:94:98:34:3c:05:8f:d0:a1:82:71:9d:d1:ec:93:ef:
- 7e:7d:9d:ba:2c:7d:82:14:e7:ce:8a:e1:e9:bf:6a:82:0b:44:
- 1e:5d:1e:85:b4:81:0e:f2:c1:1c:54:8b:b1:e9:35:82:c2:44:
- 23:22:b0:96:3a:ab:0e:6c:f0:24:41:e0:bf:62:86:01:1e:e2:
- 29:af:d0:cd:06:83:84:66:a6:2a:32:d4:f8:f5:31:3f:d4:20:
- 34:07:6e:78:d0:f7:a7:64:fa:d4:81:15:c0:71:bc:10:3c:44:
- 8b:fc:f0:8b:03:7e:ca:9e:6f:e0:d2:f3:14:67:3b:ea:1b:79:
- 59:3c:98:5d:70:3a:b4:87:d8:45:99:91:63:f6:db:7d:35:d3:
- 39:df:ac:31:db:94:fc:90:c8:87:01:11:1b:10:9f:2f:15:53:
- 5c:f2:5f:08:cb:72:d3:f6:ed:63:39:e9:45:b7:ae:bd:db:21:
- 93:4a:fc:42:78:2b:db:ac:cd:ed:ca:f0:06:2a:f9:45:18:ed:
- de:31:3d:78:fd:94:a2:65:63:ba:ce:13:37:4a:ce:68:8b:39:
- eb:e1:24:d7:ea:ca:7f:25:d1:a3:63:97:8c:a9:f6:19:f9:68:
- d3:8a:0b:bf:2e:8a:db:58:9c:97:42:40:de:c3:b5:e8:84:d9:
- 3b:02:56:7e:d7:83:ab:e0:4d:e0:49:4f:8a:bd:c1:e9:aa:90:
- c7:96:bb:09:e0:6c:77:1c:15:48:20:4e:95:6f:7e:87:59:33:
- 75:da:5f:91:d6:35:65:67:15:a8:1f:1a:ff:23:c8:89:90:8c:
- 38:a6:12:70:5f:78:c2:1b:ea:66:64:23:95:d2:b1:4c:fb:e1:
- ed:22:24:b0:3b:da:8f:1b
+ a3:9c:c7:b7:3d:fc:8e:3d:5b:58:98:b0:05:63:fd:a7:50:c2:
+ d4:e8:c2:48:b8:b0:a8:e3:f9:c2:8b:11:47:a1:11:5e:e8:4d:
+ 75:c5:b8:d9:ec:af:81:95:1e:ec:d8:f6:8a:b6:17:12:ab:d4:
+ 30:84:cb:35:6a:c8:50:5e:1c:55:26:77:ee:84:f0:80:92:95:
+ c3:37:50:b3:23:21:7a:3b:63:5a:18:e4:48:fc:de:9b:26:50:
+ 38:9e:2f:a3:ad:03:5f:0c:b0:a1:0e:41:0b:01:71:b9:a2:df:
+ 84:f6:c4:d6:9d:8b:f7:a8:ed:cc:7e:b6:8c:5c:bc:26:0c:97:
+ 77:15:dc:fb:66:4b:0d:01:d9:8e:58:8e:1c:bf:35:47:b8:10:
+ d4:12:e5:80:09:b3:d8:4a:f4:0a:3f:6a:2f:9f:47:16:80:a7:
+ 92:6a:d4:3b:79:7b:25:b9:3e:14:a9:90:4e:92:6e:92:7b:6f:
+ 04:3a:0d:c6:63:77:82:e2:2d:e9:24:63:ce:a0:b1:8c:23:1d:
+ db:79:b8:4f:77:b8:7f:d2:49:5d:b4:60:a0:78:bb:d6:d7:56:
+ ff:23:c1:fa:46:cd:9a:2b:0d:87:df:b5:98:eb:7e:fd:af:6e:
+ 9d:03:de:d3:97:e7:19:09:20:13:ce:2e:b5:89:f0:47:ad:b2:
+ 3d:f1:5e:77:8b:dd:d3:6e:e2:a8:3c:cd:6a:22:a1:63:92:8c:
+ 2e:ca:0a:0d:aa:2c:15:98:de:27:08:e5:ee:a5:e0:e5:54:30:
+ 26:2f:32:ab:c3:de:e0:82:32:2a:dd:39:cb:3c:75:95:8f:9e:
+ 37:34:34:80:14:27:aa:c6:89:d3:8f:7a:35:19:3b:8b:c1:56:
+ 06:76:b3:0c:12:05:10:f4:5a:62:ff:d5:ef:e0:f8:da:aa:dc:
+ 2b:14:73:ad:31:c8:da:19:fe:54:51:32:0f:3b:7f:13:21:0d:
+ 5c:4f:33:e7:07:92:36:fd:01:04:d4:e6:4c:ba:dc:b4:75:c0:
+ f6:1f:3c:5a:4a:34:40:87:3b:8c:44:60:de:11:8d:18:41:0a:
+ e4:e9:d6:19:f5:7b:8f:53:3c:d8:3d:7c:4f:f4:b0:86:93:69:
+ c1:f1:e0:cd:8f:df:cd:ef:33:31:a8:e1:93:cf:bd:13:13:66:
+ 55:ef:44:63:06:0a:11:7a:78:e7:5c:6f:d0:f9:9d:bf:90:e5:
+ f4:d1:54:31:b8:0d:ed:ed:c0:e2:63:5c:13:01:ff:a8:11:c5:
+ 7d:42:e1:94:63:6a:63:99:0f:82:ef:49:f7:93:92:e6:72:d7:
+ ed:88:d6:ab:b2:25:8c:37:8d:08:22:a0:80:9b:14:fb:a4:a2:
+ 4f:43:be:ff:d4:e9:7e:79
-----BEGIN CERTIFICATE-----
-MIIFEDCCAvigAwIBAgIBBTANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxNFoXDTM4
-MDExNjE1MDUxNFowMjELMAkGA1UEBhMCU0UxIzAhBgNVBAMMGlRlc3QgY2VydCBE
-aWdpdGFsU2lnbmF0dXJlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
-242iX71nombXgD2bXtcxWwUGTwyqXOgLBrwwj/n8sx3eT8QYDXqrAHp+XbL9hdgi
-ndi34uiY5ke2YwGQ1emAx6zkMr/fEK9zEdKCIb9bdjfSA2fFmntEpUpOpgXTlQn7
-Ezp6yrlPKCTiy3XubZemYvu8V+1uL+kKf2FLx5pFfEldA/5OCYucMGBnQg+JRAgL
-TmWWb/iDJxDemXqNvOGrI83Sg1cPWpkm3W4WO9VNfk3Rheg3RGne6p55r+uzb4cL
-I5dTgbPkZCod+SxtVGMVjjmccLDBhZG+IUtNcyEKWfwguWBsfcrtq+ciec/EW7ye
-/pDs50jADWAsbdu77ZVwzBS0RZubRZL60lCrWmAblmyB1ypPYN8pOCaae+po6M/c
-wyWoKtR56ml7li0tqow5HpwAv1GMZksUIPDLOhmyA1x4Y3JWv4/6SRmY0CUbJK2F
-UR8H2XKUcH1HsZ2IhibVAdYQyQRgAbfFXW/mEMR+hYe2i84V7Hm7BYM9mJGQQloo
-+R9lB2MVlz2NwjP4nHDCpVNtkNtsFTAeb6EJjuVWef1+Efi9RFyZNXxWAxq/Ffof
-CI8fgqguw6X0lKFOn+9Lxm+vEu7uwMA5Pke/F24JxoxHibCjJpKVkTgHyeteK4pl
-wSYhYGjxJ1t2fqiBJTFuFAYICWITnMivAeibSp4YsTUCAwEAAaM5MDcwCQYDVR0T
-BAIwADALBgNVHQ8EBAMCBsAwHQYDVR0OBBYEFGvpKU7GGEqgL6msZz33gHzOipdm
-MA0GCSqGSIb3DQEBBQUAA4ICAQCes7YtJ2XELiqi8dY8ukvGuUf+clr+9PeSTBd8
-9YiR6/kaasOCqYtvTuFi0hXYUBKqz+8ucyqGy1lJGjUXTsQurGVa8BPaNXggWef5
-jJqXD3bPzy15abKfFXfZryD/qwcY9O9dTcJWvPumUqpTo1+RW4Nh5/7BiU9Xw4q6
-0ontnyiw9xgl3NHoTvDvUHDlz226HtmYERMCUxWbmJWyimCkbPnGI0qdJc4x/hf8
-HxFDUkxF7/Y4xeeUmDQ8BY/QoYJxndHsk+9+fZ26LH2CFOfOiuHpv2qCC0QeXR6F
-tIEO8sEcVIux6TWCwkQjIrCWOqsObPAkQeC/YoYBHuIpr9DNBoOEZqYqMtT49TE/
-1CA0B2540PenZPrUgRXAcbwQPESL/PCLA37Knm/g0vMUZzvqG3lZPJhdcDq0h9hF
-mZFj9tt9NdM536wx25T8kMiHAREbEJ8vFVNc8l8Iy3LT9u1jOelFt6692yGTSvxC
-eCvbrM3tyvAGKvlFGO3eMT14/ZSiZWO6zhM3Ss5oiznr4STX6sp/JdGjY5eMqfYZ
-+WjTigu/LorbWJyXQkDew7XohNk7AlZ+14Or4E3gSU+KvcHpqpDHlrsJ4Gx3HBVI
-IE6Vb36HWTN12l+R1jVlZxWoHxr/I8iJkIw4phJwX3jCG+pmZCOV0rFM++HtIiSw
-O9qPGw==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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/test-ds-only.key b/lib/hx509/data/test-ds-only.key
index 236df841bf58..91290387a5f8 100644
--- a/lib/hx509/data/test-ds-only.key
+++ b/lib/hx509/data/test-ds-only.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDbjaJfvWeiZteA
-PZte1zFbBQZPDKpc6AsGvDCP+fyzHd5PxBgNeqsAen5dsv2F2CKd2Lfi6JjmR7Zj
-AZDV6YDHrOQyv98Qr3MR0oIhv1t2N9IDZ8Wae0SlSk6mBdOVCfsTOnrKuU8oJOLL
-de5tl6Zi+7xX7W4v6Qp/YUvHmkV8SV0D/k4Ji5wwYGdCD4lECAtOZZZv+IMnEN6Z
-eo284asjzdKDVw9amSbdbhY71U1+TdGF6DdEad7qnnmv67Nvhwsjl1OBs+RkKh35
-LG1UYxWOOZxwsMGFkb4hS01zIQpZ/CC5YGx9yu2r5yJ5z8RbvJ7+kOznSMANYCxt
-27vtlXDMFLRFm5tFkvrSUKtaYBuWbIHXKk9g3yk4Jpp76mjoz9zDJagq1HnqaXuW
-LS2qjDkenAC/UYxmSxQg8Ms6GbIDXHhjcla/j/pJGZjQJRskrYVRHwfZcpRwfUex
-nYiGJtUB1hDJBGABt8Vdb+YQxH6Fh7aLzhXsebsFgz2YkZBCWij5H2UHYxWXPY3C
-M/iccMKlU22Q22wVMB5voQmO5VZ5/X4R+L1EXJk1fFYDGr8V+h8Ijx+CqC7DpfSU
-oU6f70vGb68S7u7AwDk+R78XbgnGjEeJsKMmkpWROAfJ614rimXBJiFgaPEnW3Z+
-qIElMW4UBggJYhOcyK8B6JtKnhixNQIDAQABAoICAFOpQ99xoCT9RU8DqsnX/GGv
-p3jF3cErVtBJM8QZQVbLoeQJWBUC0liLVM3Fn9+5vW8inuejNGhDmVdeyF8K7Fyq
-IAbKoGiOQq3e5mGPtn10xd0wVNcJ8918VD3laHuZYwgvt4y6UlR8wcM//AvcxrVf
-MaTbv6oYBj0FyUeVHLdAiWY1KG1wuqKgiZhdrTO0UQKdqVaffvKK9hfL4GjCIWGy
-U25i5WHjjDDCe0xvemkPpDB/jVfPc/c5TitgCG8OKYt1ZYe+EeCtP+CsMjj+zL72
-awtx/zwzjhzHwgqF45jof1vER3Mjua9Qkw2Rw0QluvxMI0n6qdwu8p8mJRViZalZ
-waaUk4EvlB4ZE3tA3NRKFyrmEn2zehzna0o72Je06NuShtnxPKkGAnw3ieys5noJ
-c8IB7v0R3r9xwJOt5ZO/OEnI68v6ijcGPcPkSTfJP5hlVxwtNCg6n0wCVnojemmm
-nqpEGritdpe53FkDR/EYfX/Idn4yAaJs/Z0SuN6Q2KNVSXJjlSZLg8PHATxlRWtd
-4rX4W+gFVudT59EYWY7cxa0yrrQOJXxLzxiPt0H+aKJTiwQ0mYKLH/HAugl7byhe
-U4QwJ0VNU2JxpX+1OhRQaMhooMH3Y6XSYITq04OIxYzdAlflb2WffZ3JyIpIAv7+
-Tymxyu7/DkQzFpb0QngdAoIBAQD29SgKA3n17R1MJkfmRxE5JlQpkZXRkzw1vDbW
-48b6JYna6jRvb8ktpn738iW+VJ+1j96q5MyofR/SlkO1ZOtsh3V9i1ddZTGt8Zqe
-Bgq6HYxCSZmc24wtq3G4nMNfbvcpOgssSmh/LMQeKTCVQTwmGnf1xLoI9D8qshIT
-vwQTB7/820qHsraiLVdrHpuuBCiaLo/uEy8hRwBeCzgKjo2HvrzrDtjVE8vEafYV
-7MRUtfyhwXAD5TZPhcTT0SvysISCt7NHrUEPyNN+ISs4Eeql+o93Zv7sOTQPfsIk
-ajzguDSu7E71hu4RBW185IbVj8CELi5GnCMMKlI38AosWKPXAoIBAQDjl5q7Yrz+
-nsC47scggwCStU+sXv5cKYi+gLOctj/oBLJKqnsK6o3JI2AyAIBLq/DxrZ7kvtbb
-IFrxaNQWPJKKyx+e2pcCwlgcQCIZ8spQ0cdqW0UcZmMEN/T2b16V3BoaSUnIqBlL
-yye+NsCDNNX9pTf6+8Si3WzbnWRvGO+yMJuzIbPy0I4JupKChNKdjhsZe3yGCcmJ
-dzNy2rJAX2Qtx4NNdunF2jSNqcN9ZYG8wX7cQ+JH+BXa2efqpXC7eZB0QtjVqwIm
-Awpi3FkcWlshgofo4AhcsLfBzkiZ9NyGlm+vZswNqOiTM4mLajlB0/EapEDEgru+
-P3/LIQ5+DrHTAoIBAQDrL4wjBS6H63nERIyinDml0H/EWrZwMSTdE9KyEZg0L726
-cuLe4XmY9P/kB4K0YQj8MvhejajuKMM+nQX8YRDneZWFq0bXVgDa48VZCu36Uxt5
-IXiebmNwNt8Fbp2NbDML2xA67N3Zh3t6McXnzomGzBxEPUbiMiFZ+t3GWlp5+R54
-oyq2UpclmcKv7CVcsu8r7n35v+FZcrHB3jNPsnTMuvRVcv1C5yhedH78YFCVT/84
-2OxheU+gqgdJpeGRrVN03ZdqAnB8pMftTY9IRZ/O0/D/SGIr+0o+G3yui1JQvHzH
-vZpwr0BXi3C6yTQzfEReXVCKxDWIZ2GHjh1SIFRfAoIBAD0mufuJXzCm5S+LcNOK
-f3fr4Zl1+LA4tLZDDH+Z9HfZ8zHetqrLNQeLSsiEm/Q5Icc+GEhsAnzkJ6tfuES1
-R8alJzzejN6/6z7D+KWyN6wZgZRRK7Oiyw4SHu6sI+TuO9E+SeXxTMKxtl8EhRt7
-8ddyMiVsynvcNOiZVKgJMjZVmzA5aQlgAhoZGE6bc5/D1AI3zNCTBqS584fzvRtQ
-xjEKv3vr7IotxBsgNxeVU5OtBfIXB1DBFtYz4H2KsEyfMDIc1/gpN62Q+ZRwkjzt
-BjltwijPMU/+Z5FaZOWBBlPfTej6HO+6p6sNmPJtuy61zL2UzpY+bkWC+EpS+nri
-ZeMCggEBAJRin7+udPZRw43qycfjPSIQs35QmbT922ti4l/7ywOC5RTcmb4/tB4Y
-qMliOl09FPuvBbxoZxIMX4sUVHGsmic6UAy2JxLGTok0inmtOKgwXl7eB2m+5+8C
-j8VbfUNs5mnkD7f60Huo/vLFsdV29j8wNmbEN+fMQUXNa6n//PoNqs+cYLU+2Ysx
-G78x6sdjDKvjyRmz+m43dE5aS5EddDWXSwYRhcKkXI6zqg4jHtqqPHNNsXPzTQKg
-ubXoF0YU1IIV1+HrdlxqfnbHqApB9qF8pA+ovDLMWW4Vzi8MIuebR0N78KRyaF2s
-CB/IgCJRaFy9Ch2Nz4ODay/Vbyj//Js=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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/test-enveloped-aes-128 b/lib/hx509/data/test-enveloped-aes-128
index a4e0c0db8b2d..a75409b969c8 100644
--- a/lib/hx509/data/test-enveloped-aes-128
+++ b/lib/hx509/data/test-enveloped-aes-128
Binary files differ
diff --git a/lib/hx509/data/test-enveloped-aes-256 b/lib/hx509/data/test-enveloped-aes-256
index f94371304eea..4fda391ab5bc 100644
--- a/lib/hx509/data/test-enveloped-aes-256
+++ b/lib/hx509/data/test-enveloped-aes-256
Binary files differ
diff --git a/lib/hx509/data/test-enveloped-des b/lib/hx509/data/test-enveloped-des
index a2df2df10b7c..944da00e5d79 100644
--- a/lib/hx509/data/test-enveloped-des
+++ b/lib/hx509/data/test-enveloped-des
Binary files differ
diff --git a/lib/hx509/data/test-enveloped-des-ede3 b/lib/hx509/data/test-enveloped-des-ede3
index d0e451e189ab..c27dfbc08319 100644
--- a/lib/hx509/data/test-enveloped-des-ede3
+++ b/lib/hx509/data/test-enveloped-des-ede3
Binary files differ
diff --git a/lib/hx509/data/test-enveloped-rc2-128 b/lib/hx509/data/test-enveloped-rc2-128
index ddc2a27c6609..72f81584680b 100644
--- a/lib/hx509/data/test-enveloped-rc2-128
+++ b/lib/hx509/data/test-enveloped-rc2-128
Binary files differ
diff --git a/lib/hx509/data/test-enveloped-rc2-40 b/lib/hx509/data/test-enveloped-rc2-40
index 13c57648bb46..0e5eb02c7a4f 100644
--- a/lib/hx509/data/test-enveloped-rc2-40
+++ b/lib/hx509/data/test-enveloped-rc2-40
Binary files differ
diff --git a/lib/hx509/data/test-enveloped-rc2-64 b/lib/hx509/data/test-enveloped-rc2-64
index 02fa0f3ecfaf..9ce6694018e4 100644
--- a/lib/hx509/data/test-enveloped-rc2-64
+++ b/lib/hx509/data/test-enveloped-rc2-64
Binary files differ
diff --git a/lib/hx509/data/test-ke-only.crt b/lib/hx509/data/test-ke-only.crt
index 27e759950536..a6cc06a2663c 100644
--- a/lib/hx509/data/test-ke-only.crt
+++ b/lib/hx509/data/test-ke-only.crt
@@ -5,48 +5,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:13 2019 GMT
- Not After : Jan 16 15:05:13 2038 GMT
+ Not Before: Mar 22 22:25:04 2019 GMT
+ Not After : Nov 21 22:25:04 2518 GMT
Subject: C=SE, CN=Test cert KeyEncipherment
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:cc:e5:88:ad:77:9f:da:7d:88:28:88:b6:0f:e6:
- f6:2b:a1:55:da:7e:4e:75:8b:46:8c:e6:9c:f6:c4:
- 06:ea:68:0e:85:7d:c4:d6:bb:a9:c5:82:3a:88:9e:
- d1:e5:71:f9:2b:2e:48:62:f7:ac:7a:de:cc:f4:ae:
- 07:da:86:2f:07:21:be:ec:f5:de:3b:0c:d0:66:88:
- a7:75:0a:ee:17:c6:9e:b3:2f:9b:b0:88:3a:ad:de:
- b3:bd:36:2d:20:30:9e:36:f0:3b:9d:e2:5f:4a:d4:
- 1c:42:49:29:5b:70:35:02:40:79:82:a7:9d:ee:a7:
- 05:85:d0:75:46:c2:77:4c:b9:20:6f:93:4a:85:8f:
- fa:44:08:6a:ef:26:7f:af:20:e7:b3:a2:18:4d:78:
- dc:e6:5e:c1:06:aa:54:a3:6c:07:a0:6b:92:14:f0:
- 52:62:cf:d1:c4:08:81:4e:73:3b:27:19:34:a0:32:
- 0d:66:70:05:ca:3e:13:18:85:18:d6:9c:30:b9:66:
- 93:af:df:ff:71:07:ab:77:ab:00:32:d5:c4:64:7f:
- af:06:e6:aa:7d:90:e3:7b:82:46:1b:d8:42:f5:7a:
- 15:5f:b3:ca:b2:4d:e6:8d:65:29:ff:aa:88:73:15:
- 85:21:69:23:a6:24:48:95:8e:a4:e5:2e:a0:c9:e2:
- 75:bf:79:85:1d:b9:2a:e8:da:b2:fa:15:f9:c2:1b:
- b3:69:3b:01:9c:54:4b:2b:19:ef:b8:f7:60:d9:78:
- 8b:a8:b8:84:e4:0a:73:21:22:de:d8:27:9b:a7:7d:
- 61:dc:da:55:8f:c0:36:4e:e4:99:8b:1b:44:03:d2:
- 51:24:37:d5:2e:a2:32:7c:65:20:0a:4a:9b:9f:8f:
- ea:16:7b:ac:fe:cf:57:a3:dc:75:98:4d:35:84:cf:
- 20:63:39:d4:13:34:7e:f7:10:e5:ec:31:d9:5d:1d:
- bd:e3:d9:c1:b7:ef:ce:39:d0:89:0e:b8:84:f5:9e:
- 5b:1e:da:48:1a:32:d3:0d:95:92:02:e2:bb:19:6f:
- 09:f6:6e:38:38:3c:56:1a:0c:38:81:d9:a0:d2:ac:
- 99:18:43:33:e9:0c:1c:cb:f1:80:1c:7d:9e:e3:07:
- 41:24:51:82:a5:04:00:fb:77:dd:9e:7d:7e:04:32:
- 40:d6:da:76:1a:88:77:37:64:34:44:e9:b6:c5:45:
- 50:54:28:bd:dc:aa:a8:53:f3:4c:26:77:89:56:be:
- d6:89:82:83:d6:0e:27:0a:8b:ab:7b:aa:51:d8:4d:
- e4:d5:4f:b1:27:0d:cf:80:ba:e1:ab:51:f2:47:45:
- 30:34:e2:55:a8:55:cd:03:c8:f7:12:0c:78:ac:05:
- 2c:99:47
+ 00:bf:5f:55:ca:c5:c6:c5:00:a6:40:17:fc:1f:a2:
+ c7:e7:41:1b:29:37:6e:ba:7c:01:19:f3:4a:d7:c4:
+ 9a:83:17:4d:40:cd:30:d1:9f:fd:94:49:41:5c:7a:
+ 2d:32:83:81:29:15:e3:b2:1f:06:1b:f5:f3:7f:91:
+ cf:dc:82:b1:4e:d5:a9:48:da:63:49:b8:b8:41:0d:
+ cf:eb:76:df:1a:33:5a:7b:2f:ed:13:5d:ce:77:85:
+ bc:1f:52:b4:ff:96:20:48:09:19:d7:0d:55:ed:a8:
+ 9f:de:bd:26:2a:cf:2c:f4:48:d3:eb:94:f1:b4:ca:
+ 5b:6d:1b:21:82:46:98:23:84:d7:be:08:90:54:f4:
+ 46:ef:59:6e:8b:8c:7f:65:90:5a:c3:fb:c4:1d:97:
+ 9e:1a:be:82:96:d7:86:5b:d7:1a:0e:04:1f:30:71:
+ 99:70:40:28:6c:b2:16:3c:19:f1:f3:9f:54:22:9c:
+ e0:e5:2b:c9:30:a1:01:cf:7e:1f:a2:40:d7:d3:ad:
+ 23:6d:fe:55:dc:ad:87:88:ee:e8:9b:81:e8:72:8d:
+ 2a:25:58:ff:81:18:f0:24:9a:13:31:f9:30:7c:ed:
+ f1:d5:4b:13:ce:bf:83:48:47:9c:44:99:0d:52:e7:
+ 52:4f:02:91:10:fe:77:39:f3:fc:ce:04:bf:57:4e:
+ 3b:17:a3:c2:94:85:10:d6:76:a2:c0:04:45:d1:ff:
+ 96:a7:c0:a8:39:bb:7a:4c:f4:96:4c:5f:2d:63:85:
+ 52:6e:74:5d:70:7a:de:35:7c:92:9f:ed:e6:85:c8:
+ f0:1d:b7:be:29:54:78:5e:7c:4a:a2:b8:85:ee:b7:
+ 20:2d:0c:78:a6:32:be:c0:a2:89:4f:f4:c8:e0:3c:
+ 3a:4c:b3:68:a1:a7:eb:b5:c7:21:74:b9:3d:0e:07:
+ 3f:ce:35:29:b5:33:1f:ac:d8:36:dd:d1:54:3d:47:
+ c9:29:c6:26:23:e8:51:8d:25:9a:8c:96:84:74:e9:
+ f0:10:d8:96:f5:ad:22:31:8f:e9:6a:a5:9b:3b:00:
+ 93:5e:80:22:f1:3a:e5:2d:10:7b:c6:a8:b9:6b:8f:
+ ab:33:64:99:fe:aa:77:7a:0f:96:f9:3f:fe:15:6d:
+ 8e:4a:95:a7:35:9b:f4:20:cb:a2:a1:d9:f6:62:6b:
+ a7:4e:b4:22:3d:22:73:f4:7e:0d:af:62:41:7a:d2:
+ 15:ab:b9:a2:25:a8:87:e0:b5:1b:be:c0:16:d1:e4:
+ 40:5b:56:a7:ab:39:d1:85:02:f5:4f:95:3f:37:dc:
+ 97:e4:89:c8:20:ab:11:9f:d8:f1:77:d6:b0:60:4f:
+ ab:f9:88:37:ef:9f:bc:2a:f3:22:3d:2e:21:82:63:
+ c6:21:73
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
@@ -54,64 +54,64 @@ Certificate:
X509v3 Key Usage:
Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
- A1:E1:E0:08:58:84:EB:A7:1E:0E:7C:44:D0:E7:CA:B2:BC:93:8F:2B
+ FF:78:58:BD:A5:C2:4D:D1:07:04:05:DD:15:6A:A2:2C:92:EB:54:04
Signature Algorithm: sha1WithRSAEncryption
- 62:5e:48:de:71:64:4f:fd:94:97:49:a0:1d:a0:50:f1:6f:56:
- d6:90:79:51:a0:8c:04:c5:d3:ec:d2:e0:d6:4d:0e:ab:19:55:
- 0c:9e:e2:5d:e8:5b:8c:cd:14:c3:b6:28:ff:21:f7:21:37:9f:
- 0b:6e:cd:52:22:eb:61:23:4a:28:ce:80:c7:68:41:a7:4b:9a:
- 4f:9d:b2:8f:04:6d:6f:57:f1:91:e9:a4:d7:26:f9:78:c9:c2:
- 6d:e0:d7:25:9c:12:91:73:eb:2b:1e:e7:32:3f:46:1e:58:56:
- a1:fc:b9:9a:dc:85:8f:1e:51:a8:a8:d8:5b:cb:18:75:ea:1b:
- 9c:75:66:50:a1:9a:95:0f:50:8b:54:1a:7b:5f:4e:5a:c3:31:
- 1a:c4:11:81:31:d2:35:4a:d0:be:13:70:63:9f:b5:0d:6c:ce:
- 08:e9:fa:5e:41:28:92:74:f9:26:37:26:18:ca:44:b6:d7:ca:
- 1b:63:22:c1:71:86:4f:fc:e8:ef:fd:e8:ef:b6:f1:2d:a1:7a:
- e4:b5:12:f5:8e:60:fe:bc:de:8f:a9:c2:4a:29:60:f4:1b:26:
- 7a:0f:cd:34:94:a4:d2:56:21:b0:33:a9:4d:7f:fc:6c:d8:71:
- 17:8a:1b:d6:e5:78:98:76:f0:8d:d1:0e:85:bc:69:36:ec:99:
- d6:56:13:22:35:9a:dc:43:b4:f2:d7:6f:25:6d:7c:6e:70:54:
- 53:c4:fb:4f:33:c0:20:f9:fd:4e:51:b1:e9:fa:65:05:cc:09:
- d6:47:4e:3a:a0:8c:bc:e9:fe:1b:07:b7:06:3c:62:05:17:a5:
- 9e:46:79:04:9c:20:41:77:f9:50:e8:f3:86:0f:72:63:c9:6e:
- 74:1b:1e:dd:ef:e4:b7:a0:e6:83:3d:d7:38:a0:8a:80:c9:3d:
- 1b:ca:7b:96:ce:ac:37:a8:b9:51:30:98:d5:60:b5:26:c8:53:
- a1:7a:ab:18:2c:36:22:83:9f:95:19:8a:78:2d:17:e4:aa:d5:
- 37:e9:1e:fe:2a:ae:34:64:d4:9d:a7:0a:a9:a8:1b:c3:29:38:
- 89:e7:57:4f:8b:f6:3b:74:4c:39:82:ce:36:2e:24:ab:90:fb:
- dd:da:ec:eb:81:3a:66:0c:01:d6:03:8c:00:39:b0:83:96:51:
- 7f:27:0e:e5:8c:d4:ba:c7:6b:f4:13:b9:ba:5a:02:71:44:62:
- 21:33:51:6d:93:6b:04:6b:dd:e1:64:f5:3f:ca:98:39:b1:91:
- 94:68:3d:1f:ea:91:b8:db:98:c3:a5:82:aa:24:b2:32:e3:f6:
- 8e:7e:8f:e3:eb:0c:57:1f:27:70:10:d0:97:db:7a:8f:46:d9:
- 8f:db:ff:5f:2d:ff:a2:fd
+ 0d:b6:af:48:3b:0f:01:49:0b:12:d7:bc:9f:35:09:2a:42:e4:
+ d2:86:d2:c5:53:65:1b:a4:d5:52:87:28:dc:01:70:97:f3:0b:
+ 87:35:67:bb:b7:dd:f9:80:09:d3:84:33:11:2a:fe:0b:85:75:
+ 4b:d1:84:0c:46:35:d3:69:b8:fe:fc:a3:5a:c7:10:8c:2b:36:
+ c8:f0:ab:e7:f8:98:6c:b5:ec:1e:26:69:31:9b:07:29:03:ee:
+ 21:34:5c:52:1a:58:4a:c5:10:43:6b:8e:fc:9d:94:12:67:d0:
+ 12:40:55:14:f0:8f:d5:a7:a9:c7:d4:65:99:53:0d:3f:9a:23:
+ ab:13:ed:25:eb:33:56:b8:b3:ed:f5:6d:6b:a4:26:6c:80:6d:
+ 4c:27:8e:e5:5f:4d:e8:83:0b:c8:ca:17:6c:de:b9:af:ff:2f:
+ cb:9c:25:24:5f:09:e4:d9:62:a8:6e:de:da:c9:9e:1f:be:bf:
+ 19:1a:df:01:e2:dc:8c:ef:64:40:8e:b3:2a:0d:29:a9:7f:e7:
+ fa:bb:4b:76:41:c4:82:e7:07:d0:21:d5:1a:88:64:27:58:1a:
+ 8f:9e:48:e8:cb:40:d2:f0:ff:68:06:10:1b:5a:c3:1b:9f:48:
+ 52:b6:a0:8a:4c:0e:be:f3:e4:ed:a1:7a:9c:52:91:38:15:fc:
+ 92:ff:82:55:10:bd:d7:a2:1c:bb:e4:8c:56:d5:f6:c7:77:12:
+ 2f:cb:61:c6:75:a2:71:9c:4e:96:b3:0f:b6:d7:85:cb:52:0f:
+ 96:87:4a:05:15:ba:f7:31:b0:76:54:07:b8:59:38:5e:7a:03:
+ a4:87:60:e9:12:4d:aa:3a:98:d6:b9:46:a1:73:40:87:27:cf:
+ aa:87:66:e8:32:37:74:0c:93:ff:a9:ef:52:3b:a2:36:1e:16:
+ 1c:07:45:e9:65:9f:9e:de:ff:7b:b1:c4:a8:7e:59:25:79:1f:
+ da:7f:35:85:36:ea:cf:79:ff:71:96:77:28:3a:e6:af:68:f5:
+ 4c:c3:1a:20:7b:09:8d:66:15:b0:92:0a:4b:39:e4:f1:06:9e:
+ 9e:4e:f1:ca:bf:81:77:e7:00:82:79:26:0f:d1:f9:a2:4d:9a:
+ c8:7a:da:f6:d0:1e:65:04:02:2b:14:0b:84:45:eb:5d:6c:68:
+ 04:d7:a6:98:85:8c:fb:7e:de:42:63:68:5d:cd:a1:3d:4b:85:
+ 5e:e5:c3:38:a6:79:f4:02:5c:d0:ea:53:c6:91:84:08:b2:eb:
+ 2f:02:bb:5d:3b:bc:f2:e7:8d:67:44:70:0f:96:63:25:25:1a:
+ 38:1a:cc:a6:72:2d:41:23:8c:cc:95:12:4b:4f:64:91:21:79:
+ 96:46:70:8d:68:dc:dc:d5
-----BEGIN CERTIFICATE-----
-MIIFDzCCAvegAwIBAgIBBDANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxM1oXDTM4
-MDExNjE1MDUxM1owMTELMAkGA1UEBhMCU0UxIjAgBgNVBAMMGVRlc3QgY2VydCBL
-ZXlFbmNpcGhlcm1lbnQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDM
-5Yitd5/afYgoiLYP5vYroVXafk51i0aM5pz2xAbqaA6FfcTWu6nFgjqIntHlcfkr
-Lkhi96x63sz0rgfahi8HIb7s9d47DNBmiKd1Cu4Xxp6zL5uwiDqt3rO9Ni0gMJ42
-8Dud4l9K1BxCSSlbcDUCQHmCp53upwWF0HVGwndMuSBvk0qFj/pECGrvJn+vIOez
-ohhNeNzmXsEGqlSjbAega5IU8FJiz9HECIFOczsnGTSgMg1mcAXKPhMYhRjWnDC5
-ZpOv3/9xB6t3qwAy1cRkf68G5qp9kON7gkYb2EL1ehVfs8qyTeaNZSn/qohzFYUh
-aSOmJEiVjqTlLqDJ4nW/eYUduSro2rL6FfnCG7NpOwGcVEsrGe+492DZeIuouITk
-CnMhIt7YJ5unfWHc2lWPwDZO5JmLG0QD0lEkN9UuojJ8ZSAKSpufj+oWe6z+z1ej
-3HWYTTWEzyBjOdQTNH73EOXsMdldHb3j2cG378450IkOuIT1nlse2kgaMtMNlZIC
-4rsZbwn2bjg4PFYaDDiB2aDSrJkYQzPpDBzL8YAcfZ7jB0EkUYKlBAD7d92efX4E
-MkDW2nYaiHc3ZDRE6bbFRVBUKL3cqqhT80wmd4lWvtaJgoPWDicKi6t7qlHYTeTV
-T7EnDc+AuuGrUfJHRTA04lWoVc0DyPcSDHisBSyZRwIDAQABozkwNzAJBgNVHRME
-AjAAMAsGA1UdDwQEAwIFYDAdBgNVHQ4EFgQUoeHgCFiE66ceDnxE0OfKsryTjysw
-DQYJKoZIhvcNAQEFBQADggIBAGJeSN5xZE/9lJdJoB2gUPFvVtaQeVGgjATF0+zS
-4NZNDqsZVQye4l3oW4zNFMO2KP8h9yE3nwtuzVIi62EjSijOgMdoQadLmk+dso8E
-bW9X8ZHppNcm+XjJwm3g1yWcEpFz6yse5zI/Rh5YVqH8uZrchY8eUaio2FvLGHXq
-G5x1ZlChmpUPUItUGntfTlrDMRrEEYEx0jVK0L4TcGOftQ1szgjp+l5BKJJ0+SY3
-JhjKRLbXyhtjIsFxhk/86O/96O+28S2heuS1EvWOYP683o+pwkopYPQbJnoPzTSU
-pNJWIbAzqU1//GzYcReKG9bleJh28I3RDoW8aTbsmdZWEyI1mtxDtPLXbyVtfG5w
-VFPE+08zwCD5/U5Rsen6ZQXMCdZHTjqgjLzp/hsHtwY8YgUXpZ5GeQScIEF3+VDo
-84YPcmPJbnQbHt3v5Leg5oM91zigioDJPRvKe5bOrDeouVEwmNVgtSbIU6F6qxgs
-NiKDn5UZingtF+Sq1TfpHv4qrjRk1J2nCqmoG8MpOInnV0+L9jt0TDmCzjYuJKuQ
-+93a7OuBOmYMAdYDjAA5sIOWUX8nDuWM1LrHa/QTubpaAnFEYiEzUW2TawRr3eFk
-9T/KmDmxkZRoPR/qkbjbmMOlgqoksjLj9o5+j+PrDFcfJ3AQ0Jfbeo9G2Y/b/18t
-/6L9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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/test-ke-only.key b/lib/hx509/data/test-ke-only.key
index d3617847d84a..1b463b95f1bb 100644
--- a/lib/hx509/data/test-ke-only.key
+++ b/lib/hx509/data/test-ke-only.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDM5Yitd5/afYgo
-iLYP5vYroVXafk51i0aM5pz2xAbqaA6FfcTWu6nFgjqIntHlcfkrLkhi96x63sz0
-rgfahi8HIb7s9d47DNBmiKd1Cu4Xxp6zL5uwiDqt3rO9Ni0gMJ428Dud4l9K1BxC
-SSlbcDUCQHmCp53upwWF0HVGwndMuSBvk0qFj/pECGrvJn+vIOezohhNeNzmXsEG
-qlSjbAega5IU8FJiz9HECIFOczsnGTSgMg1mcAXKPhMYhRjWnDC5ZpOv3/9xB6t3
-qwAy1cRkf68G5qp9kON7gkYb2EL1ehVfs8qyTeaNZSn/qohzFYUhaSOmJEiVjqTl
-LqDJ4nW/eYUduSro2rL6FfnCG7NpOwGcVEsrGe+492DZeIuouITkCnMhIt7YJ5un
-fWHc2lWPwDZO5JmLG0QD0lEkN9UuojJ8ZSAKSpufj+oWe6z+z1ej3HWYTTWEzyBj
-OdQTNH73EOXsMdldHb3j2cG378450IkOuIT1nlse2kgaMtMNlZIC4rsZbwn2bjg4
-PFYaDDiB2aDSrJkYQzPpDBzL8YAcfZ7jB0EkUYKlBAD7d92efX4EMkDW2nYaiHc3
-ZDRE6bbFRVBUKL3cqqhT80wmd4lWvtaJgoPWDicKi6t7qlHYTeTVT7EnDc+AuuGr
-UfJHRTA04lWoVc0DyPcSDHisBSyZRwIDAQABAoICAGWOQz9PcnDWFX2ZvTuGi282
-qRoBzpueK5q81wHMSW03pDLwEncoTs5xbNe4eGqUIh8P8przDY9dDRMdixD5vyd2
-x24lsz9ra4PWqcFuaHJqZNCFgVJvQz5Yipf22UkCL/kk+zeXMwogtdz47EHBDNUP
-5eoncDUQncEkgGxRCNaDT5td0ur+YNoFnhLo7xJ7abx0VD1Z8YtRXbUTCZ5ydhlC
-GAa+0ubdAKh8WrLqlGAdsyLPjCrAzW3fdJGLrrL4eYH7YKokiTSZy5glrpSDtbLm
-QndWLxzLiqT1/g/hEdcf6qYjtAzKZcKhaL6q5LS97t2Pgjbf9wYBzKM3iERoNVmO
-D8sWmSg9fiNRjzZY1b1ulE9PQhQOUB8MWUCBPBeimQtCJKqxC9HoH+WH2OkV+ikV
-cj3pwVqvK/fJtLZ5jC42ZEsLD5YpnDpxtcj3yrrJ0g5ikWhMU94EcOOsIgkpeqCT
-L/G8x/H5rgmdN15rI3qERdJRbkDzq8AEriaNo8lbr9xEWRggzs6vmg1x5scNfpFW
-hFRkGO5iGheScrR9rIwmFVSz+N1g9K4RhKXsgGmmj0pHSn+2NozxKPXsSzNSrgGZ
-YJc1c7Yv3S5Nqwkzzy+o4WICejJAjzGf5y2bUQ+CIA/SUtmyygADYCClLQ0hjpjc
-llslljxigyjVDNFTOV3ZAoIBAQDtcdnK3Iy32+cJ1yuL2t8lWSlu1Bbazmz7heH1
-FSYzPyqidwQKIKuuZEMfRb0dBZGxPszoiWZxn3Dc8oDbHGDp9TwDkfxT2S51fvOE
-PUdc6sAFUn79joTl5kak+rPDjNWiNpax4kQJU4/kUtibs1bHkZx1voYZ3J2ZeWDH
-td3OY+lHMOU6dUpXYoQEYLbc95gU+fCLZRLP/ZVSrvhZm2/Q8HUHohf6Wb9l2ufC
-cGwUkb3iUk+OyboEu3oQgUY5DBX8rQsvje+sbmk0my6vhCO8LuuqNfxUrijSJuzW
-aWSC0khPcOolJpNJLYVDYbuzqckev/GCzCLAj55z60WQA1gVAoIBAQDc6IyFJbn8
-gPWvXPa53e2Me4kdzb6VnYHSyvAeBXMLbxXJTPFmBTa+MV2jpA6JO4pmOyfjdtZw
-a9zEXIRG/RpFitxQCcsHVI5TnARyU/J0tkrdRy/ujHYh1lg3lk2EAPxmmkzRLpES
-VatfjzQLt+teBCNWi08aeQmzwlVcwId5frEkhnz60C2YXqUIPLAHz9peMWrElSbB
-TT9pHnT+gRE/WgqHiov9va7Zz3wFYo5p1GmBIIKTvlIoWHQYIh7ily9O7Oe4kDIQ
-3rFLEtwAeiBrICRsOs3bidcdtAV9H+OTl+H6sILZGuWZfHH9Bhiwhfv0Q6qsD2du
-Jukz/jLcMUbrAoIBADYvwTAWXNaojHUmcX2dGUeArX/pTr3oVd6gkwxHI0yWobgp
-yPY2tnc50keUtq+k0bbNSh3XHVXYuPzzKozWUReTK3r1GcxYx81wh0oqYdrGh8Ov
-K+PZXmLIxl5oCBYcUbSPGJzHshcexruoXF5L8wXgKQCF1jyYqC6aEIgC7PdovZfN
-hMJueeSvSslk+NY8eqxuzYJCMqTcjfMskuiAHGhmN47iYu5zBMbNyg4JceDP0bGQ
-by96wcTKs/SIS+pA49Oh+eeEUKndGI00zNapJS6Q1p8lasw4YoBy+aGEs7dXHcFj
-V0vbHcmZZcwWxasemBM4Ynki9NtU6ygxDNLssHECggEBALXkXN+9IpjAbotIFncQ
-PupvRYVexVBX8m9oXbG6dvGxM9UeH54LKPoNl7aH/NgOSHTIvJ1UWlkS1yJvsxLo
-kFs2bRUSGzQb8Vzyl86zRG3JM3djiBn5WcOew+BxR74rOagZ4KpUl2rrU0JJnWcQ
-tyIgciBucGGxy8VRfAv1Exd8s8sJWZsDEqflNinEHoUwJfNs6SaYUOLVAiNByr9L
-8rGhKA5Wi9IP/wqlBs9ASVbmaUDDTgDssqU5v82nOpsENRXdhya2xCKT2pOgIbna
-1Rqfyp27BYmAw7lXYzWVrkL2ykEqWXL97JMmnoziGi4vBDgqBzvJKzbNnzMKWUJo
-6KUCggEAWseXquzJlsbVLjowrIua9lwfFm+YUyqKMPmZ1TUblMEv9IrkbHGyXv49
-H9jSs85g8GAH/BwB1G9oDZjnP+Yj0Zjsd9ZImFz2+VRcVCSCBUj4Qv1HAxls/Aq/
-/QCUhj0o/TIcbO5V8ImUOlwKUyoNW7rXGEl4b152J+wakxiA1LYTs08usxsv0KtY
-qbqv0VicOBYXjnn3SSSoR7i11vm9CZPa7g3YEBuI0T3QaPvZHRueovgsdmL6OLH/
-hdFb/mA9f8aEsCVUbbDstRnlldZOtfHuqj3f4NbmxcaxX0D95kl7QqRibehFTOGG
-VNAP/Wqk5Tqv9O/YM7QH6VFyharThw==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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/test-nopw.p12 b/lib/hx509/data/test-nopw.p12
index 9349b0fc7b6f..e94aa9aa370a 100644
--- a/lib/hx509/data/test-nopw.p12
+++ b/lib/hx509/data/test-nopw.p12
Binary files differ
diff --git a/lib/hx509/data/test-pw.key b/lib/hx509/data/test-pw.key
index 066e58170a74..495eef64247e 100644
--- a/lib/hx509/data/test-pw.key
+++ b/lib/hx509/data/test-pw.key
@@ -1,54 +1,54 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,AE4D50F1D037E93C416E5EE0BA31DED7
+DEK-Info: AES-256-CBC,AE05E89E216F377B4B073A88DA8A284B
-RwILhdS+r3Tt/J+aXaydLB4AX3vuR/qXW4/Qi3LOgY5bIDEJvoc5m52gTtDgefc4
-H/Evvn9jLq72TkOipLgnnCga9uYbJgiE3/dTZXDwcnCzsorkNIECs2KyGVAR7ouT
-FDoRpx+2zC6Yt2kV3vkI+wgtkB/u+hfrZ0hiC/NjmH+3/6gSmceb6L34cAKcvLb/
-OeaI3beTSlTEQ22CtxNwmFTGSqiEdw9pFYOTjcGus4s39zGNDnFtp17jZAFQf/v/
-dm//a93yGS2ytkAsNuMNOwGTFe54ipwXOWNxenCWUWltvaHH8UbT9qcVnZ/RbKtY
-QzDl8nJGPzatM+R9xdWfjI5VU3DxfrgEzHtEUGlU1Cr17k8MubEzHQPimVYqfU9s
-9GjM3PXuLUw11tXzUS8udWhA9kHZ3VTNie+y7+XlCSibODw4BSAFokBp7uJLe7dF
-G5UH+unv7rsBtuOhqCKSnoRgztc5SsoarCt0cKadJRkLK4trgki1g6Vcq4QdqbyI
-8+qfG787fWISC6CGOQMXnpsQX3XfzpodXpEsaQDpjomAUOKcSmMdEvhf5qHlBnS1
-TNoA8qRb4e08BBez00jTAu/7M46MxgmKDFzavYsWfEqqvwPQVDAFyQkcuT3ZXwtl
-m5Ay7TBB7hh/yDH+BTXfg4l62ZlGWG0rVczhcNTLMWuWj/HErFmRD2ousUmqPJz+
-3B//V3ad0eVVfJv2bLmT4f4VTmcpvGjtFflMtrR/hGzDLaWnlswr69F8ZREdxX40
-7W0fePlUhYpT/OsA5wQylHcYx9GcA+LOS9vXK5JgaL7jH4FP/5z61VG64CBhTMYc
-aAQl4jVwKz9yvQpMCWNf2wIghNRw0p4Ih2ZEFBY1wzjL+n4uzmSNwLhX5yZ0Y9oO
-T6u38KvazXutWn6+jAOZaE/EaacOrj3m3ZCSPs6Gtre8k6lfpniY0EPGcf+x5MON
-oIGZXB43G9CQv6hLBG1Vr49CW3yFxtyX4UQlBcn+62A6CeLR9qoPdrWS3utT/sgF
-PrbhGXNbROIFd+zf/ZDCh7Gfm76+R/yJ32tZQXCAoTHitNf6UPlzQxamoFrWgJ7+
-S5+Xeh/DVvJq1P6mbo8n8Noyci+zrZIQXWMSKyirk3pnMZ9e/MtUnjG6S9fb7V7n
-eRuN3Z1k/jyKLAAPJVPe7myG5L+Cz6BS1rwT9h43Pi/pKW65Le5PU+h/9qCBOHNW
-fEegF2Bqu2/cJZovUAyekXwYQp7XQrSaxLG8EA57SGkC66tBhiyyScW271dDA5hy
-TU8nBMh39xj27uRh5AO9LrK4Q6Wn6l/b+KVMV+Kg3S7iMyuvfsHTL+vM8DlPtcb4
-e4yjGT5V4A4RsiDxs2+rDHQV24eWEgEamlzIMJsyVvFPVwKWPwSPgMd9S6uHMI7T
-Na8SGnO239JzHMav88cq1MVLUv2XH4mmqk7i/JNjl3nzQRwOlXtgICjHjlACJut1
-7vH4U8l1DmfVzrcfh2Vc9XahnTA5aWuQsPjrRv1hFTW3HVcpFwtxV1wTAwCN9dnQ
-cB9nTSe+RosfRypuwPRGOWaiWckUOAFVLJiIThuh2e5/SZkIuMgtID86rjDTAKB6
-0JP1DxMOXa0gv0SdrIwv5cQl2kG+uaXhListTm3pl/XAqpSmCyY53wRm2RWDJuNs
-m8myLHyjDCoYxWPqqhV9LYpU4VFYGgo3eZK/b9Tw4IcOpdosJxhpvGxu1a2ZmQxU
-bkx1hyzKj7ZmfGhvG/f7J+n5tuEloa1EbicAhLZDWi8lBMnKV3rAAADXXm4rhFUO
-ar8sBfJfRC0dGpgE5zoR0pU2Wx8dIFFqLlHvT0DkPIrTDYnxbbmT0CGNHzVgetn+
-N+4tGdP1v8+Vd+BipaQAXor6kd1pn+oywKttx6eZE1jHHnZzJpX6VrqwnIdxtlEJ
-3Pp4l04+bcu+/1WUKRvNXwPLjNzIZjaFJxdKUVjC/9JbB/Vx3nKi/VB+ymy/cCoM
-Zte4Owf0cxnYRXE6pBw4FkZJPitf6b67G21cbnzQPC3ZLpm0TOA6eO+Lsgb+WBo/
-3MGnIhFuT5PmIiSTLiajfKR1H6pP/Sf55P2B/qCX+aTdpvMrytnz1n9rbF8w9mYN
-QPb1UbJyZJDEOCtoYLH9hNTI5msHeBoQMCeTbDML7SqQRNHcFynXY4qqVF/avt36
-ZLrKv6PZuQTRsXr+1JbgJydHQVanqeK4XPwK84FE+guHZWo3ug6+eEgqMKYkzAKA
-GAN3Oinitkcpnt74ZH0XocmMwUGS7qj5UiNm73gIP6MEA1uYXqpb7FnJRALwb33r
-qYJ72qomcNt/iow4M3kkMDSSPlat/2OhtWtWijYKwk3c5yZmV6Bc+QX6MZS3MZXy
-vrk0L/bUV1m8YCCiuSiwuyQslEZUfY6klIJlTJ7NkHHT47vgwmJGYU1LamsuZfwe
-LzH1xeDCxtCUUGgvtngj+dgoNMr7CxB9MemJo/gFOa0XlZq0CezSfM457RgM536A
-b+62dmd12tARkRlvlNj3wck70r16Xz7tUmFWFdsro/ga9wvqnjwKVKUsA/xpZy7H
-nhtLvMnvnk0Zv+wvRWB3D16TC6kHQjnI3PjLGYa7fwMTErmBNDxMz+8JvFwMqrJd
-an4QBQocGTSO+HMsb3krHo9AdBBSsiRNYWNPda9an9qjARy7rbo9Fy5khWyZA89q
-+pGDtn5nPrNvbCz48aaGH9FBZlywweDQdCnWe4hNl3+z9NQxxf+pKRIu6AI58iqj
-IWezU+pwyJjPA3e6u5zZ7IiRfmRnuxeouH0c6YcKsgMNlsIM7D/vjo2YXpkbyQqV
-aEpAVzknHcypN1PIsfXU2Zo51jG66AD8y5zQ2nUlZnat7YciryxnpvFVef9Nf62N
-kYxzdJdAT6pfEXk2L7xORX3a97yN3mCzPp2i5jIkhOtVbVdvG7xgGcoPNGEIhMIo
-Al4YdPiMb/dJPmKAkJJptAYKpQAaEvhKtv4t8NZ0c3EEYVwJc8eJaz+cKCsLJEMX
-+7OMT8Tj6IMWIY1aWetQix3A/iQjBSUfM7AmqvYRv8Y/F14EM5eC4RLFK5o4RWWf
-Ck9XeE5fG0q1pSpbnrjeopakwy008unT+CILpjWLBnIXJ6kI8fTASeFrLtWurNkv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-----END RSA PRIVATE KEY-----
diff --git a/lib/hx509/data/test-signed-data b/lib/hx509/data/test-signed-data
index edba3857b3df..1228c8547d52 100644
--- a/lib/hx509/data/test-signed-data
+++ b/lib/hx509/data/test-signed-data
Binary files differ
diff --git a/lib/hx509/data/test-signed-data-noattr b/lib/hx509/data/test-signed-data-noattr
index 5d768f88b2a7..f2307794f91d 100644
--- a/lib/hx509/data/test-signed-data-noattr
+++ b/lib/hx509/data/test-signed-data-noattr
Binary files differ
diff --git a/lib/hx509/data/test-signed-data-noattr-nocerts b/lib/hx509/data/test-signed-data-noattr-nocerts
index 5f20eeec2cbe..49fba9bb3c5d 100644
--- a/lib/hx509/data/test-signed-data-noattr-nocerts
+++ b/lib/hx509/data/test-signed-data-noattr-nocerts
Binary files differ
diff --git a/lib/hx509/data/test-signed-sha-1 b/lib/hx509/data/test-signed-sha-1
index 3580544a0aa9..8ad1121bac62 100644
--- a/lib/hx509/data/test-signed-sha-1
+++ b/lib/hx509/data/test-signed-sha-1
Binary files differ
diff --git a/lib/hx509/data/test-signed-sha-256 b/lib/hx509/data/test-signed-sha-256
index edba3857b3df..1228c8547d52 100644
--- a/lib/hx509/data/test-signed-sha-256
+++ b/lib/hx509/data/test-signed-sha-256
Binary files differ
diff --git a/lib/hx509/data/test-signed-sha-512 b/lib/hx509/data/test-signed-sha-512
index 0816fab839c1..1e40abed4598 100644
--- a/lib/hx509/data/test-signed-sha-512
+++ b/lib/hx509/data/test-signed-sha-512
Binary files differ
diff --git a/lib/hx509/data/test.combined.crt b/lib/hx509/data/test.combined.crt
index 2adab3347413..a07dbf127567 100644
--- a/lib/hx509/data/test.combined.crt
+++ b/lib/hx509/data/test.combined.crt
@@ -5,48 +5,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:12 2019 GMT
- Not After : Jan 16 15:05:12 2038 GMT
+ Not Before: Mar 22 22:25:02 2019 GMT
+ Not After : Nov 21 22:25:02 2518 GMT
Subject: C=SE, CN=Test cert
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:a9:c9:ce:f8:b7:77:99:3c:72:54:8c:cf:0a:63:
- 9d:f2:df:0d:07:6f:22:54:17:71:ff:76:a6:d1:9e:
- 33:f5:05:3f:ac:32:be:58:e5:7c:a7:d3:29:dd:3d:
- 38:62:64:8d:82:d2:aa:f5:05:36:f3:bc:ad:7f:4e:
- b9:c5:56:89:ea:c2:d7:b1:96:69:fd:f7:4e:35:56:
- 59:7c:03:91:79:60:f4:a1:a8:78:a0:1a:04:2e:0a:
- 98:b7:cc:be:f3:ea:28:6a:d7:5e:80:8d:74:c7:f4:
- d8:96:48:44:94:1b:ce:4f:9a:65:8d:54:c6:c4:69:
- b3:be:fb:e4:91:79:5e:c5:ba:f9:df:03:de:14:e2:
- 68:1a:6a:e9:51:83:01:0f:e6:09:0f:c9:a1:78:b4:
- 75:45:18:f0:43:7c:11:37:b2:91:cd:50:6e:71:42:
- 69:c0:36:da:e1:bc:24:fa:bd:8f:c5:ce:ca:d4:af:
- b3:f1:d7:20:c1:ac:4d:31:42:c5:cd:6e:6c:41:0c:
- 8e:8d:08:8f:2c:b0:76:02:18:d7:0d:0f:fe:ca:67:
- 3f:b6:fe:1b:36:a7:ca:33:bd:01:36:7e:97:f6:e3:
- 55:9c:4b:a5:fa:48:58:a7:07:ca:c8:71:2c:e9:05:
- 7e:3a:40:4a:aa:b7:34:13:e1:b0:5a:eb:58:50:0e:
- 99:31:bd:6f:e9:fb:bd:4b:f8:05:70:5e:01:41:36:
- cf:cd:7f:6e:d1:e6:de:e7:23:a9:86:49:61:26:fc:
- a9:58:a3:45:37:b2:47:fa:ee:cd:74:e1:a1:28:cc:
- 50:5f:e9:b0:fe:67:0b:7e:dc:4f:e9:fe:5d:ea:55:
- 9a:87:d0:13:6d:9e:b9:f1:cd:08:b3:da:c7:d2:3e:
- dc:fa:d2:03:58:f7:e6:43:03:5b:c9:0d:ee:d6:26:
- b0:fa:eb:36:5e:a3:d0:ae:cb:00:4c:97:bb:9a:63:
- 09:59:10:6b:c5:f9:e7:4a:3f:76:eb:a2:63:8f:45:
- cc:43:8f:4a:15:2f:dc:3e:f2:11:3d:07:03:c4:b8:
- c5:e5:65:1a:c7:d2:87:42:53:d3:a9:3f:fb:99:a0:
- b8:45:43:45:ec:09:59:c9:bd:55:22:e0:0e:19:ed:
- 49:fd:b6:db:5c:84:b0:01:89:50:a3:ca:1e:41:ba:
- 82:87:db:da:b5:2b:71:08:ae:1b:70:41:41:ca:24:
- 70:6b:9a:c9:db:1d:b2:65:94:01:9d:ed:b8:b5:36:
- 4c:f0:f0:39:be:bf:e4:49:02:d4:55:ec:11:dd:23:
- e3:6f:c1:28:99:77:44:29:70:a2:6e:ec:b2:53:86:
- e1:c1:45:3c:67:ea:12:08:b3:be:d2:be:9f:00:b0:
- 9b:1f:61
+ 00:da:1d:4d:ca:51:9d:f1:9f:d7:a4:7a:45:f8:75:
+ 98:66:b2:c5:7d:53:de:42:35:74:81:cd:1e:9f:f3:
+ 43:d7:a7:83:7f:fb:a2:ce:3c:44:37:80:4f:21:36:
+ a6:f6:c9:51:74:9e:e2:9b:bf:ad:e4:eb:72:11:64:
+ 36:88:b3:a9:91:63:c7:ee:38:c4:f5:8c:06:71:e5:
+ 09:b7:eb:57:5d:bf:db:5b:72:07:c5:29:e8:6f:33:
+ b3:a2:27:ef:1f:50:f0:55:33:63:41:23:e0:b2:f7:
+ 21:77:4b:ab:9d:73:2a:bb:b6:4e:88:7f:7c:e5:c6:
+ 37:3e:b6:20:c1:57:3e:6d:57:78:ef:0d:47:e9:41:
+ e7:fa:b6:2d:32:3f:42:05:8d:56:af:f5:c4:b8:6e:
+ 99:1a:e7:07:d5:a1:3f:29:7d:ce:b2:39:a6:ab:06:
+ 7a:e2:26:39:d8:96:9e:3b:c8:af:79:3e:9a:24:4e:
+ 4b:b2:af:e4:07:0e:71:dc:2f:70:27:97:3c:a2:fa:
+ 69:9b:57:4b:c5:53:5e:28:0c:b0:c7:57:1f:a2:b2:
+ 26:0f:5f:bf:d3:45:78:90:5a:2c:fc:6a:67:33:b6:
+ c1:7e:cd:17:c0:58:9e:ba:85:c5:15:5a:5a:67:db:
+ bf:2f:05:cd:38:d9:94:c9:95:7f:9b:68:b0:62:ff:
+ 37:92:cf:d8:77:be:cb:72:3d:0f:b9:80:44:57:c0:
+ c9:10:01:fd:07:25:30:eb:d8:48:05:af:98:fa:c4:
+ 64:6d:59:a6:6a:8d:1b:d4:4b:f3:07:98:68:e3:bb:
+ 59:c9:21:f8:11:b4:a2:82:1b:0d:e8:8c:e0:a5:e1:
+ 1c:71:ca:c3:2d:90:43:c3:ee:99:2c:7d:41:48:39:
+ c8:00:72:0d:80:39:23:a1:3a:27:ed:07:ca:32:8f:
+ 34:ca:bb:9d:67:13:7d:31:ed:4a:db:35:7a:ce:b3:
+ 89:e3:64:9d:3e:47:4e:d3:b7:bd:ab:12:16:10:bb:
+ 66:e8:1a:77:4c:2a:e0:b9:16:69:66:14:83:4e:4a:
+ f3:6f:ab:85:6a:70:c6:9b:ce:93:ab:75:36:a3:a5:
+ aa:9f:45:d6:a2:7f:17:c7:6f:f9:f5:e7:35:51:a5:
+ 75:c5:07:be:26:ce:7b:3f:29:3a:74:6b:17:79:4e:
+ cf:4c:0a:69:75:58:db:eb:a8:dd:f1:e6:cc:a3:18:
+ 53:a5:c5:a5:5a:a1:cf:37:6a:b1:9f:d3:d4:eb:0f:
+ 02:40:d2:ae:68:ce:bc:c5:46:e3:ee:f8:97:88:ee:
+ c8:a7:01:7a:a1:23:af:f3:31:2c:2a:6f:12:77:dc:
+ 3c:51:9d:40:f4:9a:2a:7b:85:29:1f:3e:c3:d5:37:
+ 8e:6e:09
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
@@ -54,115 +54,115 @@ Certificate:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
- D3:E1:59:20:A1:DE:3D:12:57:0A:3D:BA:0A:6E:67:0E:40:A7:9A:88
+ 1B:F4:EC:34:42:BA:8B:67:AC:55:F2:37:5D:B4:68:A9:D8:5E:58:7B
Signature Algorithm: sha1WithRSAEncryption
- 0f:2c:68:90:33:67:b2:86:09:26:ec:65:29:ae:76:d6:a6:2f:
- 53:0e:d3:16:cd:2e:0d:a8:d1:14:22:f5:63:66:a9:3d:78:43:
- 40:a9:db:ef:02:52:d1:a9:c3:0b:ad:24:8e:a0:56:63:1f:ba:
- 23:48:64:74:ac:2c:bd:67:f8:87:6d:bf:d6:83:68:aa:99:ce:
- 4c:0b:30:d6:06:59:7c:74:0e:2c:8b:ee:5a:61:af:ff:f7:3c:
- 51:10:a7:93:44:6f:bb:f4:8b:5a:2b:5e:1c:4c:89:60:71:af:
- fd:bf:c0:fd:19:04:12:81:a0:ce:ed:b4:dc:64:12:80:36:18:
- 9f:1c:33:25:94:dd:94:51:eb:a1:c6:21:06:b5:16:05:7d:d3:
- 20:53:de:60:5d:40:6c:f1:7b:a1:98:7f:1a:bd:39:46:0a:ec:
- a6:cc:eb:7a:96:d5:43:6d:e5:c7:61:d2:f9:ed:76:a8:44:3f:
- c8:9d:45:1a:2c:3b:52:f8:08:7b:67:39:aa:ae:88:4f:eb:90:
- 99:9c:f8:8b:ae:c7:7a:eb:40:b1:ea:78:51:74:e9:11:2c:c2:
- d7:c0:93:35:c3:27:59:89:dd:1e:e6:4a:ed:fd:dc:1f:08:e2:
- 80:ce:a0:72:ec:04:d7:2c:1d:d6:2c:67:f3:b9:ce:e9:be:70:
- 10:82:b5:bf:45:29:c1:cc:36:11:5d:83:3d:17:11:03:b0:17:
- e1:3c:05:f0:ea:07:c6:3e:62:ce:2b:d9:55:41:dc:0c:55:82:
- 0f:e0:d5:a8:02:65:fa:c8:bd:60:16:b4:6d:53:08:9b:06:25:
- 94:c7:8f:ee:ac:5d:25:ad:cd:9d:af:7f:a8:5a:99:49:fc:fb:
- ad:69:8e:c4:c9:57:7c:88:2c:32:2b:ec:11:ed:61:cc:44:92:
- a7:18:11:19:96:e6:be:88:5d:ed:0f:dc:ca:2a:31:e9:2d:aa:
- 03:75:03:f4:42:5e:6c:86:b9:7f:b7:59:70:ba:09:b1:ba:28:
- 3a:be:68:45:a0:2e:89:0b:ea:a6:d9:85:58:bf:54:1c:02:56:
- 3a:d4:4f:88:7a:5e:c8:21:33:64:76:74:68:36:7a:a4:1c:a6:
- 5b:b8:f1:ef:98:10:82:84:d4:df:2d:34:4b:6d:15:62:55:31:
- b2:78:93:33:37:20:db:a0:30:85:db:cf:00:7c:b3:b3:a2:a9:
- 31:d7:06:fb:e7:ec:38:4f:3d:61:73:bf:b8:21:b0:c5:f8:3f:
- 98:8d:db:aa:23:01:41:d4:3c:99:cb:ce:4a:ff:10:fe:a7:52:
- 3b:8c:0f:30:6d:a4:4e:53:4d:60:2b:6a:05:ab:ef:b8:61:9c:
- a4:85:99:ae:b8:63:c8:e3
+ 95:f7:1c:99:72:42:4f:d3:bd:ba:3f:7a:75:bb:01:3a:ad:ce:
+ 6b:7b:b7:3d:5d:3b:46:51:ea:9a:36:94:70:36:1c:3b:fc:ba:
+ 9d:8b:0d:44:36:08:ad:a6:73:82:bc:23:ed:f9:5a:09:8f:9d:
+ 62:11:c1:94:7c:61:66:1f:8b:b9:0a:dc:3a:b5:eb:22:54:de:
+ a3:e5:8a:94:10:1f:84:52:6d:fe:27:c8:e5:cb:a5:8e:a9:83:
+ 16:95:0d:6c:3e:57:85:e1:ec:82:05:47:6d:28:ad:0d:84:fa:
+ 40:a0:96:f4:84:aa:d1:e1:0b:b7:91:e2:47:4f:05:97:f8:10:
+ a0:e8:57:bd:ed:48:65:55:75:da:e5:34:e8:f1:20:95:d6:40:
+ 8c:42:bf:b4:d9:55:c8:30:e8:d5:ce:d8:1d:30:65:90:39:eb:
+ e2:83:ed:11:03:cd:07:c0:e1:c4:91:84:a0:97:8e:6d:22:e6:
+ 75:77:21:7c:32:8b:48:ed:d6:b2:19:2e:af:26:ad:7d:6c:ce:
+ 09:e1:78:b6:72:61:60:22:92:b8:df:42:6b:34:6b:5f:35:ef:
+ f1:d3:c6:7f:92:05:3c:d0:08:77:01:66:f7:57:b8:65:de:d3:
+ d2:b1:bf:93:b1:8c:a3:27:e6:d4:e2:2b:9b:cd:9d:be:31:82:
+ 5b:53:dd:5a:bd:39:05:5f:8c:56:f2:7f:9b:b7:ef:e6:07:96:
+ bf:8a:d9:8d:bb:62:98:86:de:aa:91:c3:fe:e7:bb:a7:1f:f0:
+ fd:1f:6c:a6:04:04:f0:c2:51:a1:91:8c:9a:ee:f9:87:42:37:
+ 7e:9c:27:72:59:dc:60:a8:8e:d1:81:97:f1:15:c3:d8:a9:4e:
+ 9a:09:e9:81:76:39:36:b3:08:a1:e5:5e:97:37:ba:43:8f:06:
+ 1a:70:69:3b:fe:79:a6:5e:2d:26:04:e9:bc:5f:57:c9:d0:80:
+ c2:0d:4b:c7:0e:dd:04:e5:15:49:9d:d7:ff:ee:a3:1c:04:56:
+ 7d:e2:a0:d3:39:1a:59:bd:85:b0:eb:54:ea:81:8b:e1:17:94:
+ a5:fe:e3:0c:d0:74:42:ee:4a:f4:66:90:49:4b:64:bc:47:35:
+ f5:b2:60:8e:74:05:d0:a6:d2:94:b4:e0:0f:4b:3f:35:ea:2a:
+ e0:24:58:c1:6e:d0:65:6e:58:f7:e1:90:02:ae:40:23:25:e9:
+ 80:9a:d2:a7:ea:5d:fc:6d:f8:45:0f:db:53:91:55:32:46:e3:
+ 6a:c0:54:0a:5a:4c:e8:1a:1e:a6:33:3e:fe:ed:b6:ad:cf:6a:
+ 3c:2f:b2:6c:47:75:f1:29:43:31:69:c3:0c:42:56:5b:d9:b8:
+ 99:7b:ff:2b:50:87:34:2e
-----BEGIN CERTIFICATE-----
-MIIE/zCCAuegAwIBAgIBAjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxMloXDTM4
-MDExNjE1MDUxMlowITELMAkGA1UEBhMCU0UxEjAQBgNVBAMMCVRlc3QgY2VydDCC
-AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKnJzvi3d5k8clSMzwpjnfLf
-DQdvIlQXcf92ptGeM/UFP6wyvljlfKfTKd09OGJkjYLSqvUFNvO8rX9OucVWierC
-17GWaf33TjVWWXwDkXlg9KGoeKAaBC4KmLfMvvPqKGrXXoCNdMf02JZIRJQbzk+a
-ZY1UxsRps7775JF5XsW6+d8D3hTiaBpq6VGDAQ/mCQ/JoXi0dUUY8EN8ETeykc1Q
-bnFCacA22uG8JPq9j8XOytSvs/HXIMGsTTFCxc1ubEEMjo0IjyywdgIY1w0P/spn
-P7b+GzanyjO9ATZ+l/bjVZxLpfpIWKcHyshxLOkFfjpASqq3NBPhsFrrWFAOmTG9
-b+n7vUv4BXBeAUE2z81/btHm3ucjqYZJYSb8qVijRTeyR/ruzXThoSjMUF/psP5n
-C37cT+n+XepVmofQE22eufHNCLPax9I+3PrSA1j35kMDW8kN7tYmsPrrNl6j0K7L
-AEyXu5pjCVkQa8X550o/duuiY49FzEOPShUv3D7yET0HA8S4xeVlGsfSh0JT06k/
-+5mguEVDRewJWcm9VSLgDhntSf2221yEsAGJUKPKHkG6gofb2rUrcQiuG3BBQcok
-cGuaydsdsmWUAZ3tuLU2TPDwOb6/5EkC1FXsEd0j42/BKJl3RClwom7sslOG4cFF
-PGfqEgizvtK+nwCwmx9hAgMBAAGjOTA3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXg
-MB0GA1UdDgQWBBTT4Vkgod49ElcKPboKbmcOQKeaiDANBgkqhkiG9w0BAQUFAAOC
-AgEADyxokDNnsoYJJuxlKa521qYvUw7TFs0uDajRFCL1Y2apPXhDQKnb7wJS0anD
-C60kjqBWYx+6I0hkdKwsvWf4h22/1oNoqpnOTAsw1gZZfHQOLIvuWmGv//c8URCn
-k0Rvu/SLWiteHEyJYHGv/b/A/RkEEoGgzu203GQSgDYYnxwzJZTdlFHrocYhBrUW
-BX3TIFPeYF1AbPF7oZh/Gr05RgrspszrepbVQ23lx2HS+e12qEQ/yJ1FGiw7UvgI
-e2c5qq6IT+uQmZz4i67HeutAsep4UXTpESzC18CTNcMnWYndHuZK7f3cHwjigM6g
-cuwE1ywd1ixn87nO6b5wEIK1v0Upwcw2EV2DPRcRA7AX4TwF8OoHxj5izivZVUHc
-DFWCD+DVqAJl+si9YBa0bVMImwYllMeP7qxdJa3Nna9/qFqZSfz7rWmOxMlXfIgs
-MivsEe1hzESSpxgRGZbmvohd7Q/cyiox6S2qA3UD9EJebIa5f7dZcLoJsbooOr5o
-RaAuiQvqptmFWL9UHAJWOtRPiHpeyCEzZHZ0aDZ6pBymW7jx75gQgoTU3y00S20V
-YlUxsniTMzcg26AwhdvPAHyzs6KpMdcG++fsOE89YXO/uCGwxfg/mI3bqiMBQdQ8
-mcvOSv8Q/qdSO4wPMG2kTlNNYCtqBavvuGGcpIWZrrhjyOM=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-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCpyc74t3eZPHJU
-jM8KY53y3w0HbyJUF3H/dqbRnjP1BT+sMr5Y5Xyn0yndPThiZI2C0qr1BTbzvK1/
-TrnFVonqwtexlmn99041Vll8A5F5YPShqHigGgQuCpi3zL7z6ihq116AjXTH9NiW
-SESUG85PmmWNVMbEabO+++SReV7FuvnfA94U4mgaaulRgwEP5gkPyaF4tHVFGPBD
-fBE3spHNUG5xQmnANtrhvCT6vY/FzsrUr7Px1yDBrE0xQsXNbmxBDI6NCI8ssHYC
-GNcND/7KZz+2/hs2p8ozvQE2fpf241WcS6X6SFinB8rIcSzpBX46QEqqtzQT4bBa
-61hQDpkxvW/p+71L+AVwXgFBNs/Nf27R5t7nI6mGSWEm/KlYo0U3skf67s104aEo
-zFBf6bD+Zwt+3E/p/l3qVZqH0BNtnrnxzQiz2sfSPtz60gNY9+ZDA1vJDe7WJrD6
-6zZeo9CuywBMl7uaYwlZEGvF+edKP3bromOPRcxDj0oVL9w+8hE9BwPEuMXlZRrH
-0odCU9OpP/uZoLhFQ0XsCVnJvVUi4A4Z7Un9tttchLABiVCjyh5BuoKH29q1K3EI
-rhtwQUHKJHBrmsnbHbJllAGd7bi1Nkzw8Dm+v+RJAtRV7BHdI+NvwSiZd0QpcKJu
-7LJThuHBRTxn6hIIs77Svp8AsJsfYQIDAQABAoICAGR9MKY7z+k9wV0RSaiYdO89
-3HQ97k9e4PWVv/3oaE/oH1tHXSk4CaM6c1ih1zFE2gxHqy8BOxje3sCuU3zcTxxG
-3WoZ3/mT2RHwXV3srrjsDV1wXJRFUZv+YYzG/W1XdTxm42OqVSfTXizz8MLIAj9S
-3i/bsRimht/OLeV7s//LPgAkRdiOd5bLF/RKWOKT/2D8sTjDdXTD4c/PKlGQuoKN
-zA/0gqpkzP81X52Xe/RTA/EFXLcR4C1AUR+KqY+Af0mwqN4H5tVIS0/Ka90rTl10
-5lzj4C9k92PPxVv/aOmSeyTaEQ4kq3OQRRCFC1OPELphOs/3RjdOKBZnnAkl2ryC
-pg2EquKfA4W1LGqI+MbNhKlppnyBef5FNOHK9PsH6luF/KASTtLvc5/Xu/d0Lza5
-flS9ah/srA4ejwDsUnREjajwfroGxpl7Nem9NCneETqOc0yBRsJalDhbsxTbotQ+
-tHq2CqMNtuxXRDk59QHDSszzjUMKnDqkADdKjHy2cWkKkjgBnk4iqL+BKN7pUU50
-R7t0Fh3HNa6EGW8UQwPQFAEE7C9AhhI+keT5zyQZ3F+Dppx+qDbUv3xKwti/9Y53
-IttHyi+N3SBWNTiJZmJ1X1tY5KGXIWvbotuU8jSxXvzebn1nOjQtxcEuNdgJv5Bk
-m7mRe5VjtaFtj0qM0yJRAoIBAQDZWanHESJ/IU1BrYx10tp92CYbgZiV8g+LJB1j
-EdkaMg6ak0mzWPWmeKPKalMEcF6/RwBcicBZYZaOLGVfl3wVd9Qk+O7k5sc7HaV3
-9hIdAlpLgbl3Owf7IcW+D7A48+Cd6dHDx0pWijf17OYaPis2+2m1Kdx+VC4QA1Jb
-w/h8dctUlqrkAFBnrAxHG3RPtE4fk8SknS8MWYwNTqPaVEhHpbS7PRvSX8nAk0EP
-aLlNV+G+twqng4aZWTN/usPYW05eh4kmhnSaSNe93EQIkwcyqk1hASxgFhFxid1c
-QkiwSoJl06ilbNietbEBcdepmJKEHJyzUPFuCBe1bTdRukBbAoIBAQDH+wFG3ADb
-S8CHXVgN+YuOYgKihkPqJxWYwZJaRDg/8Brp3+U4gWy8crwAr3yyu1ZxloRjUoxw
-31Jc0ec6lGLMYWqSVjAOFWs0OL2IG27qVxZ4qiAjO+Y88KFj4b9ZJnZBGBt0bjhk
-ZTDnEJlK1F27IIFiFU1Z/lG9gjEisFf4OFDbCLzgy39IampF6FvteEx9lTcWjFSC
-dQJwGRDwvm5jWF0BYyf6yCrnkQUk80Fc6DXm5gUhFyA6qu0cbm5Z+BpGC9J2+QlE
-vANLTGeol8f3iDv264U6iQ5S6pdzcg+BHcG8F3uXvMmnEKBTKxyJeACAJzlmL/Oc
-VqCdbN5v3mvzAoIBAQDVtJmAR9K5WU8TAscWmmmGTt65MOWMmWK7FplmbYgff5Ro
-W+WdWBzAv+GcBor11F70h6VNV4wu1gsoY3KRWOsCWL3YVILfwiGmeHHXz7TjnQqX
-L0fiecJRJFW/mMFWXkQ+QEalzu/Cw0hen71nlDT9bJn1LOHFvJNF3149KCTMiy2P
-UE1avQxRwxKXX+Eu9UPTPIGesYYvCGTyOJ5W74PaHo3jhCQ050YB+UeBFSENcRlf
-Ya4yItpXMSO3tTUXKD+YJn+tx4oioPivj0G9hIMRR+2pMXQmTcx87GcgbXP3EmvA
-Hyq07J7Y/iC6IOtBr+hvyYoxraaU35QgKPC5hP39AoIBAQCjg1bt62E/7daEWAxx
-kMNNLlJdNU8+m6qK9muGJxWfIeG/rPQtmZWhGGckYFijg44Q3jNtSsfOWqtrfa2F
-NmL6HgUXliVAvr6jOmmuak/siDy1eNVCOe3tkgtEMgdVC5/RZba9Ioo1fI/Zvra4
-eqARK2jfG+/dT5biTxuB85JaQSHLln9phrqSKYCvnGfd6WkRnfonE6Ld8HKH2dcC
-IZL84/lX8w1zfkumf+sm5UdigfPg0d8LyW7uyWeKwbi1E6nX8D6sTMAJVXmUDesL
-7N7yRJBTOwv6aqotnecr2+1Vc1E/TCwgS5rOYUfV+QAiXt556piCN18HS8WUMrpF
-2iWFAoIBAD2Dn6bz86duyuuQ4CPAnawONcEVmUpajbrIKi0hqYEVIN5IF/LshvNY
-Lqtf/PWWWocF9b1K71wDuMs499Tf6Kr0b+AuBRZs9WbMthJhY5+xzU9IqwbRzgFJ
-81BGu796PezbBOS7vVqrGkpi3CBG0nDg3gQ3ZbBLVtEcx0WfX8QMXw9Ib9UxfOOX
-jKVEvNoy1R0p2C21xan5/fUyR5K/Dq5DIylUrpxWMUgC8lIktDulItGKh/3llCq+
-uu+wN91SkXC1pxTG3yDKP49PrcTV6M7G1JYUXkSQaiWgwNEz59f/7pMH7xxFsaHI
-nC68md8aa7+0IQEQqbKOdr+LhyMXCFA=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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/test.crt b/lib/hx509/data/test.crt
index 2c06613ae595..40663c4241f0 100644
--- a/lib/hx509/data/test.crt
+++ b/lib/hx509/data/test.crt
@@ -5,48 +5,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:12 2019 GMT
- Not After : Jan 16 15:05:12 2038 GMT
+ Not Before: Mar 22 22:25:02 2019 GMT
+ Not After : Nov 21 22:25:02 2518 GMT
Subject: C=SE, CN=Test cert
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:a9:c9:ce:f8:b7:77:99:3c:72:54:8c:cf:0a:63:
- 9d:f2:df:0d:07:6f:22:54:17:71:ff:76:a6:d1:9e:
- 33:f5:05:3f:ac:32:be:58:e5:7c:a7:d3:29:dd:3d:
- 38:62:64:8d:82:d2:aa:f5:05:36:f3:bc:ad:7f:4e:
- b9:c5:56:89:ea:c2:d7:b1:96:69:fd:f7:4e:35:56:
- 59:7c:03:91:79:60:f4:a1:a8:78:a0:1a:04:2e:0a:
- 98:b7:cc:be:f3:ea:28:6a:d7:5e:80:8d:74:c7:f4:
- d8:96:48:44:94:1b:ce:4f:9a:65:8d:54:c6:c4:69:
- b3:be:fb:e4:91:79:5e:c5:ba:f9:df:03:de:14:e2:
- 68:1a:6a:e9:51:83:01:0f:e6:09:0f:c9:a1:78:b4:
- 75:45:18:f0:43:7c:11:37:b2:91:cd:50:6e:71:42:
- 69:c0:36:da:e1:bc:24:fa:bd:8f:c5:ce:ca:d4:af:
- b3:f1:d7:20:c1:ac:4d:31:42:c5:cd:6e:6c:41:0c:
- 8e:8d:08:8f:2c:b0:76:02:18:d7:0d:0f:fe:ca:67:
- 3f:b6:fe:1b:36:a7:ca:33:bd:01:36:7e:97:f6:e3:
- 55:9c:4b:a5:fa:48:58:a7:07:ca:c8:71:2c:e9:05:
- 7e:3a:40:4a:aa:b7:34:13:e1:b0:5a:eb:58:50:0e:
- 99:31:bd:6f:e9:fb:bd:4b:f8:05:70:5e:01:41:36:
- cf:cd:7f:6e:d1:e6:de:e7:23:a9:86:49:61:26:fc:
- a9:58:a3:45:37:b2:47:fa:ee:cd:74:e1:a1:28:cc:
- 50:5f:e9:b0:fe:67:0b:7e:dc:4f:e9:fe:5d:ea:55:
- 9a:87:d0:13:6d:9e:b9:f1:cd:08:b3:da:c7:d2:3e:
- dc:fa:d2:03:58:f7:e6:43:03:5b:c9:0d:ee:d6:26:
- b0:fa:eb:36:5e:a3:d0:ae:cb:00:4c:97:bb:9a:63:
- 09:59:10:6b:c5:f9:e7:4a:3f:76:eb:a2:63:8f:45:
- cc:43:8f:4a:15:2f:dc:3e:f2:11:3d:07:03:c4:b8:
- c5:e5:65:1a:c7:d2:87:42:53:d3:a9:3f:fb:99:a0:
- b8:45:43:45:ec:09:59:c9:bd:55:22:e0:0e:19:ed:
- 49:fd:b6:db:5c:84:b0:01:89:50:a3:ca:1e:41:ba:
- 82:87:db:da:b5:2b:71:08:ae:1b:70:41:41:ca:24:
- 70:6b:9a:c9:db:1d:b2:65:94:01:9d:ed:b8:b5:36:
- 4c:f0:f0:39:be:bf:e4:49:02:d4:55:ec:11:dd:23:
- e3:6f:c1:28:99:77:44:29:70:a2:6e:ec:b2:53:86:
- e1:c1:45:3c:67:ea:12:08:b3:be:d2:be:9f:00:b0:
- 9b:1f:61
+ 00:da:1d:4d:ca:51:9d:f1:9f:d7:a4:7a:45:f8:75:
+ 98:66:b2:c5:7d:53:de:42:35:74:81:cd:1e:9f:f3:
+ 43:d7:a7:83:7f:fb:a2:ce:3c:44:37:80:4f:21:36:
+ a6:f6:c9:51:74:9e:e2:9b:bf:ad:e4:eb:72:11:64:
+ 36:88:b3:a9:91:63:c7:ee:38:c4:f5:8c:06:71:e5:
+ 09:b7:eb:57:5d:bf:db:5b:72:07:c5:29:e8:6f:33:
+ b3:a2:27:ef:1f:50:f0:55:33:63:41:23:e0:b2:f7:
+ 21:77:4b:ab:9d:73:2a:bb:b6:4e:88:7f:7c:e5:c6:
+ 37:3e:b6:20:c1:57:3e:6d:57:78:ef:0d:47:e9:41:
+ e7:fa:b6:2d:32:3f:42:05:8d:56:af:f5:c4:b8:6e:
+ 99:1a:e7:07:d5:a1:3f:29:7d:ce:b2:39:a6:ab:06:
+ 7a:e2:26:39:d8:96:9e:3b:c8:af:79:3e:9a:24:4e:
+ 4b:b2:af:e4:07:0e:71:dc:2f:70:27:97:3c:a2:fa:
+ 69:9b:57:4b:c5:53:5e:28:0c:b0:c7:57:1f:a2:b2:
+ 26:0f:5f:bf:d3:45:78:90:5a:2c:fc:6a:67:33:b6:
+ c1:7e:cd:17:c0:58:9e:ba:85:c5:15:5a:5a:67:db:
+ bf:2f:05:cd:38:d9:94:c9:95:7f:9b:68:b0:62:ff:
+ 37:92:cf:d8:77:be:cb:72:3d:0f:b9:80:44:57:c0:
+ c9:10:01:fd:07:25:30:eb:d8:48:05:af:98:fa:c4:
+ 64:6d:59:a6:6a:8d:1b:d4:4b:f3:07:98:68:e3:bb:
+ 59:c9:21:f8:11:b4:a2:82:1b:0d:e8:8c:e0:a5:e1:
+ 1c:71:ca:c3:2d:90:43:c3:ee:99:2c:7d:41:48:39:
+ c8:00:72:0d:80:39:23:a1:3a:27:ed:07:ca:32:8f:
+ 34:ca:bb:9d:67:13:7d:31:ed:4a:db:35:7a:ce:b3:
+ 89:e3:64:9d:3e:47:4e:d3:b7:bd:ab:12:16:10:bb:
+ 66:e8:1a:77:4c:2a:e0:b9:16:69:66:14:83:4e:4a:
+ f3:6f:ab:85:6a:70:c6:9b:ce:93:ab:75:36:a3:a5:
+ aa:9f:45:d6:a2:7f:17:c7:6f:f9:f5:e7:35:51:a5:
+ 75:c5:07:be:26:ce:7b:3f:29:3a:74:6b:17:79:4e:
+ cf:4c:0a:69:75:58:db:eb:a8:dd:f1:e6:cc:a3:18:
+ 53:a5:c5:a5:5a:a1:cf:37:6a:b1:9f:d3:d4:eb:0f:
+ 02:40:d2:ae:68:ce:bc:c5:46:e3:ee:f8:97:88:ee:
+ c8:a7:01:7a:a1:23:af:f3:31:2c:2a:6f:12:77:dc:
+ 3c:51:9d:40:f4:9a:2a:7b:85:29:1f:3e:c3:d5:37:
+ 8e:6e:09
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
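Review bot: The regenerated fixture's `Not After` moves from Jan 16 2038 to Nov 21 2518, a roughly 500-year validity that can only be encoded as GeneralizedTime rather than UTCTime, and the certificate is still signed with sha1WithRSAEncryption; both are acceptable in a test fixture but look deliberate and should be recorded so a later refresh does not quietly shorten the lifetime or switch to SHA-256 and change what the tests exercise. A one-line note in whatever script regenerates these files (not visible here), such as `# test.crt: long GeneralizedTime notAfter and SHA-1 signature are intentional test properties`, would do. Since this import is motivated by OpenSSL 3.0, it is also worth confirming that no test path hands these SHA-1-signed fixtures to OpenSSL's own X509 verifier, which rejects SHA-1 signatures at its default security level; hx509's own chain verification would presumably be unaffected.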
@@ -54,63 +54,63 @@ Certificate:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
- D3:E1:59:20:A1:DE:3D:12:57:0A:3D:BA:0A:6E:67:0E:40:A7:9A:88
+ 1B:F4:EC:34:42:BA:8B:67:AC:55:F2:37:5D:B4:68:A9:D8:5E:58:7B
Signature Algorithm: sha1WithRSAEncryption
- 0f:2c:68:90:33:67:b2:86:09:26:ec:65:29:ae:76:d6:a6:2f:
- 53:0e:d3:16:cd:2e:0d:a8:d1:14:22:f5:63:66:a9:3d:78:43:
- 40:a9:db:ef:02:52:d1:a9:c3:0b:ad:24:8e:a0:56:63:1f:ba:
- 23:48:64:74:ac:2c:bd:67:f8:87:6d:bf:d6:83:68:aa:99:ce:
- 4c:0b:30:d6:06:59:7c:74:0e:2c:8b:ee:5a:61:af:ff:f7:3c:
- 51:10:a7:93:44:6f:bb:f4:8b:5a:2b:5e:1c:4c:89:60:71:af:
- fd:bf:c0:fd:19:04:12:81:a0:ce:ed:b4:dc:64:12:80:36:18:
- 9f:1c:33:25:94:dd:94:51:eb:a1:c6:21:06:b5:16:05:7d:d3:
- 20:53:de:60:5d:40:6c:f1:7b:a1:98:7f:1a:bd:39:46:0a:ec:
- a6:cc:eb:7a:96:d5:43:6d:e5:c7:61:d2:f9:ed:76:a8:44:3f:
- c8:9d:45:1a:2c:3b:52:f8:08:7b:67:39:aa:ae:88:4f:eb:90:
- 99:9c:f8:8b:ae:c7:7a:eb:40:b1:ea:78:51:74:e9:11:2c:c2:
- d7:c0:93:35:c3:27:59:89:dd:1e:e6:4a:ed:fd:dc:1f:08:e2:
- 80:ce:a0:72:ec:04:d7:2c:1d:d6:2c:67:f3:b9:ce:e9:be:70:
- 10:82:b5:bf:45:29:c1:cc:36:11:5d:83:3d:17:11:03:b0:17:
- e1:3c:05:f0:ea:07:c6:3e:62:ce:2b:d9:55:41:dc:0c:55:82:
- 0f:e0:d5:a8:02:65:fa:c8:bd:60:16:b4:6d:53:08:9b:06:25:
- 94:c7:8f:ee:ac:5d:25:ad:cd:9d:af:7f:a8:5a:99:49:fc:fb:
- ad:69:8e:c4:c9:57:7c:88:2c:32:2b:ec:11:ed:61:cc:44:92:
- a7:18:11:19:96:e6:be:88:5d:ed:0f:dc:ca:2a:31:e9:2d:aa:
- 03:75:03:f4:42:5e:6c:86:b9:7f:b7:59:70:ba:09:b1:ba:28:
- 3a:be:68:45:a0:2e:89:0b:ea:a6:d9:85:58:bf:54:1c:02:56:
- 3a:d4:4f:88:7a:5e:c8:21:33:64:76:74:68:36:7a:a4:1c:a6:
- 5b:b8:f1:ef:98:10:82:84:d4:df:2d:34:4b:6d:15:62:55:31:
- b2:78:93:33:37:20:db:a0:30:85:db:cf:00:7c:b3:b3:a2:a9:
- 31:d7:06:fb:e7:ec:38:4f:3d:61:73:bf:b8:21:b0:c5:f8:3f:
- 98:8d:db:aa:23:01:41:d4:3c:99:cb:ce:4a:ff:10:fe:a7:52:
- 3b:8c:0f:30:6d:a4:4e:53:4d:60:2b:6a:05:ab:ef:b8:61:9c:
- a4:85:99:ae:b8:63:c8:e3
+ 95:f7:1c:99:72:42:4f:d3:bd:ba:3f:7a:75:bb:01:3a:ad:ce:
+ 6b:7b:b7:3d:5d:3b:46:51:ea:9a:36:94:70:36:1c:3b:fc:ba:
+ 9d:8b:0d:44:36:08:ad:a6:73:82:bc:23:ed:f9:5a:09:8f:9d:
+ 62:11:c1:94:7c:61:66:1f:8b:b9:0a:dc:3a:b5:eb:22:54:de:
+ a3:e5:8a:94:10:1f:84:52:6d:fe:27:c8:e5:cb:a5:8e:a9:83:
+ 16:95:0d:6c:3e:57:85:e1:ec:82:05:47:6d:28:ad:0d:84:fa:
+ 40:a0:96:f4:84:aa:d1:e1:0b:b7:91:e2:47:4f:05:97:f8:10:
+ a0:e8:57:bd:ed:48:65:55:75:da:e5:34:e8:f1:20:95:d6:40:
+ 8c:42:bf:b4:d9:55:c8:30:e8:d5:ce:d8:1d:30:65:90:39:eb:
+ e2:83:ed:11:03:cd:07:c0:e1:c4:91:84:a0:97:8e:6d:22:e6:
+ 75:77:21:7c:32:8b:48:ed:d6:b2:19:2e:af:26:ad:7d:6c:ce:
+ 09:e1:78:b6:72:61:60:22:92:b8:df:42:6b:34:6b:5f:35:ef:
+ f1:d3:c6:7f:92:05:3c:d0:08:77:01:66:f7:57:b8:65:de:d3:
+ d2:b1:bf:93:b1:8c:a3:27:e6:d4:e2:2b:9b:cd:9d:be:31:82:
+ 5b:53:dd:5a:bd:39:05:5f:8c:56:f2:7f:9b:b7:ef:e6:07:96:
+ bf:8a:d9:8d:bb:62:98:86:de:aa:91:c3:fe:e7:bb:a7:1f:f0:
+ fd:1f:6c:a6:04:04:f0:c2:51:a1:91:8c:9a:ee:f9:87:42:37:
+ 7e:9c:27:72:59:dc:60:a8:8e:d1:81:97:f1:15:c3:d8:a9:4e:
+ 9a:09:e9:81:76:39:36:b3:08:a1:e5:5e:97:37:ba:43:8f:06:
+ 1a:70:69:3b:fe:79:a6:5e:2d:26:04:e9:bc:5f:57:c9:d0:80:
+ c2:0d:4b:c7:0e:dd:04:e5:15:49:9d:d7:ff:ee:a3:1c:04:56:
+ 7d:e2:a0:d3:39:1a:59:bd:85:b0:eb:54:ea:81:8b:e1:17:94:
+ a5:fe:e3:0c:d0:74:42:ee:4a:f4:66:90:49:4b:64:bc:47:35:
+ f5:b2:60:8e:74:05:d0:a6:d2:94:b4:e0:0f:4b:3f:35:ea:2a:
+ e0:24:58:c1:6e:d0:65:6e:58:f7:e1:90:02:ae:40:23:25:e9:
+ 80:9a:d2:a7:ea:5d:fc:6d:f8:45:0f:db:53:91:55:32:46:e3:
+ 6a:c0:54:0a:5a:4c:e8:1a:1e:a6:33:3e:fe:ed:b6:ad:cf:6a:
+ 3c:2f:b2:6c:47:75:f1:29:43:31:69:c3:0c:42:56:5b:d9:b8:
+ 99:7b:ff:2b:50:87:34:2e
-----BEGIN CERTIFICATE-----
-MIIE/zCCAuegAwIBAgIBAjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxMloXDTM4
-MDExNjE1MDUxMlowITELMAkGA1UEBhMCU0UxEjAQBgNVBAMMCVRlc3QgY2VydDCC
-AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKnJzvi3d5k8clSMzwpjnfLf
-DQdvIlQXcf92ptGeM/UFP6wyvljlfKfTKd09OGJkjYLSqvUFNvO8rX9OucVWierC
-17GWaf33TjVWWXwDkXlg9KGoeKAaBC4KmLfMvvPqKGrXXoCNdMf02JZIRJQbzk+a
-ZY1UxsRps7775JF5XsW6+d8D3hTiaBpq6VGDAQ/mCQ/JoXi0dUUY8EN8ETeykc1Q
-bnFCacA22uG8JPq9j8XOytSvs/HXIMGsTTFCxc1ubEEMjo0IjyywdgIY1w0P/spn
-P7b+GzanyjO9ATZ+l/bjVZxLpfpIWKcHyshxLOkFfjpASqq3NBPhsFrrWFAOmTG9
-b+n7vUv4BXBeAUE2z81/btHm3ucjqYZJYSb8qVijRTeyR/ruzXThoSjMUF/psP5n
-C37cT+n+XepVmofQE22eufHNCLPax9I+3PrSA1j35kMDW8kN7tYmsPrrNl6j0K7L
-AEyXu5pjCVkQa8X550o/duuiY49FzEOPShUv3D7yET0HA8S4xeVlGsfSh0JT06k/
-+5mguEVDRewJWcm9VSLgDhntSf2221yEsAGJUKPKHkG6gofb2rUrcQiuG3BBQcok
-cGuaydsdsmWUAZ3tuLU2TPDwOb6/5EkC1FXsEd0j42/BKJl3RClwom7sslOG4cFF
-PGfqEgizvtK+nwCwmx9hAgMBAAGjOTA3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXg
-MB0GA1UdDgQWBBTT4Vkgod49ElcKPboKbmcOQKeaiDANBgkqhkiG9w0BAQUFAAOC
-AgEADyxokDNnsoYJJuxlKa521qYvUw7TFs0uDajRFCL1Y2apPXhDQKnb7wJS0anD
-C60kjqBWYx+6I0hkdKwsvWf4h22/1oNoqpnOTAsw1gZZfHQOLIvuWmGv//c8URCn
-k0Rvu/SLWiteHEyJYHGv/b/A/RkEEoGgzu203GQSgDYYnxwzJZTdlFHrocYhBrUW
-BX3TIFPeYF1AbPF7oZh/Gr05RgrspszrepbVQ23lx2HS+e12qEQ/yJ1FGiw7UvgI
-e2c5qq6IT+uQmZz4i67HeutAsep4UXTpESzC18CTNcMnWYndHuZK7f3cHwjigM6g
-cuwE1ywd1ixn87nO6b5wEIK1v0Upwcw2EV2DPRcRA7AX4TwF8OoHxj5izivZVUHc
-DFWCD+DVqAJl+si9YBa0bVMImwYllMeP7qxdJa3Nna9/qFqZSfz7rWmOxMlXfIgs
-MivsEe1hzESSpxgRGZbmvohd7Q/cyiox6S2qA3UD9EJebIa5f7dZcLoJsbooOr5o
-RaAuiQvqptmFWL9UHAJWOtRPiHpeyCEzZHZ0aDZ6pBymW7jx75gQgoTU3y00S20V
-YlUxsniTMzcg26AwhdvPAHyzs6KpMdcG++fsOE89YXO/uCGwxfg/mI3bqiMBQdQ8
-mcvOSv8Q/qdSO4wPMG2kTlNNYCtqBavvuGGcpIWZrrhjyOM=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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/test.key b/lib/hx509/data/test.key
index 927813f76062..03de157b44c9 100644
--- a/lib/hx509/data/test.key
+++ b/lib/hx509/data/test.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCpyc74t3eZPHJU
-jM8KY53y3w0HbyJUF3H/dqbRnjP1BT+sMr5Y5Xyn0yndPThiZI2C0qr1BTbzvK1/
-TrnFVonqwtexlmn99041Vll8A5F5YPShqHigGgQuCpi3zL7z6ihq116AjXTH9NiW
-SESUG85PmmWNVMbEabO+++SReV7FuvnfA94U4mgaaulRgwEP5gkPyaF4tHVFGPBD
-fBE3spHNUG5xQmnANtrhvCT6vY/FzsrUr7Px1yDBrE0xQsXNbmxBDI6NCI8ssHYC
-GNcND/7KZz+2/hs2p8ozvQE2fpf241WcS6X6SFinB8rIcSzpBX46QEqqtzQT4bBa
-61hQDpkxvW/p+71L+AVwXgFBNs/Nf27R5t7nI6mGSWEm/KlYo0U3skf67s104aEo
-zFBf6bD+Zwt+3E/p/l3qVZqH0BNtnrnxzQiz2sfSPtz60gNY9+ZDA1vJDe7WJrD6
-6zZeo9CuywBMl7uaYwlZEGvF+edKP3bromOPRcxDj0oVL9w+8hE9BwPEuMXlZRrH
-0odCU9OpP/uZoLhFQ0XsCVnJvVUi4A4Z7Un9tttchLABiVCjyh5BuoKH29q1K3EI
-rhtwQUHKJHBrmsnbHbJllAGd7bi1Nkzw8Dm+v+RJAtRV7BHdI+NvwSiZd0QpcKJu
-7LJThuHBRTxn6hIIs77Svp8AsJsfYQIDAQABAoICAGR9MKY7z+k9wV0RSaiYdO89
-3HQ97k9e4PWVv/3oaE/oH1tHXSk4CaM6c1ih1zFE2gxHqy8BOxje3sCuU3zcTxxG
-3WoZ3/mT2RHwXV3srrjsDV1wXJRFUZv+YYzG/W1XdTxm42OqVSfTXizz8MLIAj9S
-3i/bsRimht/OLeV7s//LPgAkRdiOd5bLF/RKWOKT/2D8sTjDdXTD4c/PKlGQuoKN
-zA/0gqpkzP81X52Xe/RTA/EFXLcR4C1AUR+KqY+Af0mwqN4H5tVIS0/Ka90rTl10
-5lzj4C9k92PPxVv/aOmSeyTaEQ4kq3OQRRCFC1OPELphOs/3RjdOKBZnnAkl2ryC
-pg2EquKfA4W1LGqI+MbNhKlppnyBef5FNOHK9PsH6luF/KASTtLvc5/Xu/d0Lza5
-flS9ah/srA4ejwDsUnREjajwfroGxpl7Nem9NCneETqOc0yBRsJalDhbsxTbotQ+
-tHq2CqMNtuxXRDk59QHDSszzjUMKnDqkADdKjHy2cWkKkjgBnk4iqL+BKN7pUU50
-R7t0Fh3HNa6EGW8UQwPQFAEE7C9AhhI+keT5zyQZ3F+Dppx+qDbUv3xKwti/9Y53
-IttHyi+N3SBWNTiJZmJ1X1tY5KGXIWvbotuU8jSxXvzebn1nOjQtxcEuNdgJv5Bk
-m7mRe5VjtaFtj0qM0yJRAoIBAQDZWanHESJ/IU1BrYx10tp92CYbgZiV8g+LJB1j
-EdkaMg6ak0mzWPWmeKPKalMEcF6/RwBcicBZYZaOLGVfl3wVd9Qk+O7k5sc7HaV3
-9hIdAlpLgbl3Owf7IcW+D7A48+Cd6dHDx0pWijf17OYaPis2+2m1Kdx+VC4QA1Jb
-w/h8dctUlqrkAFBnrAxHG3RPtE4fk8SknS8MWYwNTqPaVEhHpbS7PRvSX8nAk0EP
-aLlNV+G+twqng4aZWTN/usPYW05eh4kmhnSaSNe93EQIkwcyqk1hASxgFhFxid1c
-QkiwSoJl06ilbNietbEBcdepmJKEHJyzUPFuCBe1bTdRukBbAoIBAQDH+wFG3ADb
-S8CHXVgN+YuOYgKihkPqJxWYwZJaRDg/8Brp3+U4gWy8crwAr3yyu1ZxloRjUoxw
-31Jc0ec6lGLMYWqSVjAOFWs0OL2IG27qVxZ4qiAjO+Y88KFj4b9ZJnZBGBt0bjhk
-ZTDnEJlK1F27IIFiFU1Z/lG9gjEisFf4OFDbCLzgy39IampF6FvteEx9lTcWjFSC
-dQJwGRDwvm5jWF0BYyf6yCrnkQUk80Fc6DXm5gUhFyA6qu0cbm5Z+BpGC9J2+QlE
-vANLTGeol8f3iDv264U6iQ5S6pdzcg+BHcG8F3uXvMmnEKBTKxyJeACAJzlmL/Oc
-VqCdbN5v3mvzAoIBAQDVtJmAR9K5WU8TAscWmmmGTt65MOWMmWK7FplmbYgff5Ro
-W+WdWBzAv+GcBor11F70h6VNV4wu1gsoY3KRWOsCWL3YVILfwiGmeHHXz7TjnQqX
-L0fiecJRJFW/mMFWXkQ+QEalzu/Cw0hen71nlDT9bJn1LOHFvJNF3149KCTMiy2P
-UE1avQxRwxKXX+Eu9UPTPIGesYYvCGTyOJ5W74PaHo3jhCQ050YB+UeBFSENcRlf
-Ya4yItpXMSO3tTUXKD+YJn+tx4oioPivj0G9hIMRR+2pMXQmTcx87GcgbXP3EmvA
-Hyq07J7Y/iC6IOtBr+hvyYoxraaU35QgKPC5hP39AoIBAQCjg1bt62E/7daEWAxx
-kMNNLlJdNU8+m6qK9muGJxWfIeG/rPQtmZWhGGckYFijg44Q3jNtSsfOWqtrfa2F
-NmL6HgUXliVAvr6jOmmuak/siDy1eNVCOe3tkgtEMgdVC5/RZba9Ioo1fI/Zvra4
-eqARK2jfG+/dT5biTxuB85JaQSHLln9phrqSKYCvnGfd6WkRnfonE6Ld8HKH2dcC
-IZL84/lX8w1zfkumf+sm5UdigfPg0d8LyW7uyWeKwbi1E6nX8D6sTMAJVXmUDesL
-7N7yRJBTOwv6aqotnecr2+1Vc1E/TCwgS5rOYUfV+QAiXt556piCN18HS8WUMrpF
-2iWFAoIBAD2Dn6bz86duyuuQ4CPAnawONcEVmUpajbrIKi0hqYEVIN5IF/LshvNY
-Lqtf/PWWWocF9b1K71wDuMs499Tf6Kr0b+AuBRZs9WbMthJhY5+xzU9IqwbRzgFJ
-81BGu796PezbBOS7vVqrGkpi3CBG0nDg3gQ3ZbBLVtEcx0WfX8QMXw9Ib9UxfOOX
-jKVEvNoy1R0p2C21xan5/fUyR5K/Dq5DIylUrpxWMUgC8lIktDulItGKh/3llCq+
-uu+wN91SkXC1pxTG3yDKP49PrcTV6M7G1JYUXkSQaiWgwNEz59f/7pMH7xxFsaHI
-nC68md8aa7+0IQEQqbKOdr+LhyMXCFA=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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/test.p12 b/lib/hx509/data/test.p12
index 2184547cdc77..32d9c81d8148 100644
--- a/lib/hx509/data/test.p12
+++ b/lib/hx509/data/test.p12
Binary files differ
diff --git a/lib/hx509/env.c b/lib/hx509/env.c
index 70969504b3a8..79704382e228 100644
--- a/lib/hx509/env.c
+++ b/lib/hx509/env.c
@@ -52,7 +52,7 @@
* @ingroup hx509_env
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_env_add(hx509_context context, hx509_env *env,
const char *key, const char *value)
{
@@ -103,7 +103,7 @@ hx509_env_add(hx509_context context, hx509_env *env,
* @ingroup hx509_env
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_env_add_binding(hx509_context context, hx509_env *env,
const char *key, hx509_env list)
{
@@ -150,7 +150,7 @@ hx509_env_add_binding(hx509_context context, hx509_env *env,
* @ingroup hx509_env
*/
-const char *
+HX509_LIB_FUNCTION const char * HX509_LIB_CALL
hx509_env_lfind(hx509_context context, hx509_env env,
const char *key, size_t len)
{
@@ -175,7 +175,7 @@ hx509_env_lfind(hx509_context context, hx509_env env,
* @ingroup hx509_env
*/
-const char *
+HX509_LIB_FUNCTION const char * HX509_LIB_CALL
hx509_env_find(hx509_context context, hx509_env env, const char *key)
{
while(env) {
@@ -236,7 +236,7 @@ env_free(hx509_env b)
* @ingroup hx509_env
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_env_free(hx509_env *env)
{
if (*env)
diff --git a/lib/hx509/error.c b/lib/hx509/error.c
index be09414bfffa..aee4f79e747d 100644
--- a/lib/hx509/error.c
+++ b/lib/hx509/error.c
@@ -53,7 +53,7 @@ struct hx509_error_data {
* @ingroup hx509_error
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_clear_error_string(hx509_context context)
{
if (context) {
@@ -76,7 +76,7 @@ hx509_clear_error_string(hx509_context context)
* @ingroup hx509_error
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_set_error_stringv(hx509_context context, int flags, int code,
const char *fmt, va_list ap)
{
@@ -108,7 +108,7 @@ hx509_set_error_stringv(hx509_context context, int flags, int code,
* @ingroup hx509_error
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_set_error_string(hx509_context context, int flags, int code,
const char *fmt, ...)
{
@@ -120,6 +120,20 @@ hx509_set_error_string(hx509_context context, int flags, int code,
}
/**
+ * Sets ENOMEM as the error on a hx509 context.
+ *
+ * @param context A hx509 context.
+ *
+ * @ingroup hx509_error
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_enomem(hx509_context context)
+{
+ return heim_enomem(context->hcontext);
+}
+
+/**
* Get an error string from context associated with error_code.
*
* @param context A hx509 context.
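Review bot: hx509_enomem() dereferences `context->hcontext` unconditionally, while hx509_get_error_string() later in this same file explicitly tolerates a NULL context ("this could be an error in hx509_context_init()"). A caller that reaches this helper on the context-init failure path would fault instead of reporting out-of-memory. I would guard it: `return context ? heim_enomem(context->hcontext) : ENOMEM;` — this assumes heim_enomem() itself returns ENOMEM, which the hunk does not show, so confirm against libheimbase. The doc comment could also say what is returned: `@return ENOMEM, after recording it as the context's error.`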
@@ -130,34 +144,31 @@ hx509_set_error_string(hx509_context context, int flags, int code,
* @ingroup hx509_error
*/
-char *
+HX509_LIB_FUNCTION char * HX509_LIB_CALL
hx509_get_error_string(hx509_context context, int error_code)
{
- heim_error_t msg = context->error;
- heim_string_t s;
- char *str = NULL;
-
- if (msg == NULL || heim_error_get_code(msg) != error_code) {
- const char *cstr;
-
- cstr = com_right(context->et_list, error_code);
- if (cstr)
- return strdup(cstr);
- cstr = strerror(error_code);
- if (cstr)
- return strdup(cstr);
- if (asprintf(&str, "<unknown error: %d>", error_code) == -1)
- return NULL;
- return str;
- }
+ heim_string_t s = NULL;
+ const char *cstr = NULL;
+ char *str;
- s = heim_error_copy_string(msg);
- if (s) {
- const char *cstr = heim_string_get_utf8(s);
- if (cstr)
- str = strdup(cstr);
- heim_release(s);
- }
+ if (context) {
+ if (context->error &&
+ heim_error_get_code(context->error) == error_code &&
+ (s = heim_error_copy_string(context->error)))
+ cstr = heim_string_get_utf8(s);
+
+ if (cstr == NULL)
+ cstr = com_right(context->et_list, error_code);
+
+ if (cstr == NULL && error_code > -1)
+ cstr = strerror(error_code);
+ } /* else this could be an error in hx509_context_init() */
+
+ if (cstr == NULL)
+ cstr = error_message(error_code); /* never returns NULL */
+
+ str = strdup(cstr);
+ heim_release(s);
return str;
}
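Review bot: `str = strdup(cstr);` is now the only way hx509_get_error_string() returns NULL (allocation failure), and the doc block, which starts outside the hunk, is not visible here to confirm it says so; I would state it explicitly: `@return A string to free with hx509_free_error_string(), or NULL on memory allocation failure.` The new code also calls `heim_release(s)` when `s` is still NULL (the old code only released a non-NULL `s`); this relies on heim_release() tolerating NULL, which is presumably true for libheimbase but worth confirming. The `error_code > -1` guard before strerror() deserves a one-line why-comment, since strerror() accepts any int and the guard exists only to keep negative com_err codes out of the libc table.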
@@ -169,7 +180,7 @@ hx509_get_error_string(hx509_context context, int error_code)
* @ingroup hx509_error
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_free_error_string(char *str)
{
free(str);
@@ -187,9 +198,11 @@ hx509_free_error_string(char *str)
* @ingroup hx509_error
*/
-void
+HX509_LIB_NORETURN_FUNCTION
+ __attribute__ ((__noreturn__, __format__ (__printf__, 4, 5)))
+void HX509_LIB_CALL
hx509_err(hx509_context context, int exit_code,
- int error_code, const char *fmt, ...)
+ int error_code, const char *fmt, ...)
{
va_list ap;
const char *msg;
diff --git a/lib/hx509/file.c b/lib/hx509/file.c
index 6f34d3b74a9b..00f723c38bad 100644
--- a/lib/hx509/file.c
+++ b/lib/hx509/file.c
@@ -33,7 +33,7 @@
#include "hx_locl.h"
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_map_file_os(const char *fn, heim_octet_string *os)
{
size_t length;
@@ -48,13 +48,13 @@ _hx509_map_file_os(const char *fn, heim_octet_string *os)
return ret;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_unmap_file_os(heim_octet_string *os)
{
rk_xfree(os->data);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_write_file(const char *fn, const void *data, size_t length)
{
rk_dumpdata(fn, data, length);
@@ -71,7 +71,7 @@ print_pem_stamp(FILE *f, const char *type, const char *str)
fprintf(f, "-----%s %s-----\n", type, str);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_pem_write(hx509_context context, const char *type,
hx509_pem_header *headers, FILE *f,
const void *data, size_t size)
@@ -119,7 +119,7 @@ hx509_pem_write(hx509_context context, const char *type,
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_pem_add_header(hx509_pem_header **headers,
const char *header, const char *value)
{
@@ -146,7 +146,7 @@ hx509_pem_add_header(hx509_pem_header **headers,
return 0;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_pem_free_header(hx509_pem_header *headers)
{
hx509_pem_header *h;
@@ -163,7 +163,7 @@ hx509_pem_free_header(hx509_pem_header *headers)
*
*/
-const char *
+HX509_LIB_FUNCTION const char * HX509_LIB_CALL
hx509_pem_find_header(const hx509_pem_header *h, const char *header)
{
while(h) {
@@ -179,7 +179,7 @@ hx509_pem_find_header(const hx509_pem_header *h, const char *header)
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_pem_read(hx509_context context,
FILE *f,
hx509_pem_read_func func,
@@ -230,7 +230,7 @@ hx509_pem_read(hx509_context context,
where = INDATA;
goto indata;
}
- /* FALLTHROUGH */
+ HEIM_FALLTHROUGH;
case INHEADER:
if (buf[0] == '\0') {
where = INDATA;
@@ -239,7 +239,7 @@ hx509_pem_read(hx509_context context,
p = strchr(buf, ':');
if (p) {
*p++ = '\0';
- while (isspace((int)*p))
+ while (isspace((unsigned char)*p))
p++;
ret = hx509_pem_add_header(&headers, buf, p);
if (ret)
@@ -300,3 +300,88 @@ hx509_pem_read(hx509_context context,
return ret;
}
+
+/*
+ * On modern systems there's no such thing as scrubbing a file. Not this way
+ * anyways. However, for now we'll cargo-cult this along just as in lib/krb5.
+ */
+static int
+scrub_file(int fd, ssize_t sz)
+{
+ char buf[128];
+
+ memset(buf, 0, sizeof(buf));
+ while (sz > 0) {
+ ssize_t tmp;
+ size_t wr = sizeof(buf) > sz ? (size_t)sz : sizeof(buf);
+
+ tmp = write(fd, buf, wr);
+ if (tmp == -1)
+ return errno;
+ sz -= tmp;
+ }
+#ifdef _MSC_VER
+ return _commit(fd);
+#else
+ return fsync(fd);
+#endif
+}
+
+int
+_hx509_erase_file(hx509_context context, const char *fn)
+{
+ struct stat sb1, sb2;
+ int ret;
+ int fd;
+
+ if (fn == NULL)
+ return 0;
+
+ /* This is based on _krb5_erase_file(), minus file locking */
+ ret = lstat(fn, &sb1);
+ if (ret == -1 && errno == ENOENT)
+ return 0;
+ if (ret == -1) {
+ hx509_set_error_string(context, 0, errno, "hx509_certs_destroy: "
+ "stat of \"%s\": %s", fn, strerror(errno));
+ return errno;
+ }
+
+ fd = open(fn, O_RDWR | O_BINARY | O_CLOEXEC | O_NOFOLLOW);
+ if (fd < 0)
+ return errno == ENOENT ? 0 : errno;
+ rk_cloexec(fd);
+
+ if (unlink(fn) < 0) {
+ ret = errno;
+ (void) close(fd);
+ hx509_set_error_string(context, 0, ret, "hx509_certs_destroy: "
+ "unlinking \"%s\": %s", fn, strerror(ret));
+ return ret;
+ }
+
+ /* check TOCTOU, symlinks */
+ ret = fstat(fd, &sb2);
+ if (ret < 0) {
+ ret = errno;
+ hx509_set_error_string(context, 0, ret, "hx509_certs_destroy: "
+ "fstat of %d, \"%s\": %s", fd, fn,
+ strerror(ret));
+ (void) close(fd);
+ return ret;
+ }
+ if (sb1.st_dev != sb2.st_dev || sb1.st_ino != sb2.st_ino) {
+ (void) close(fd);
+ return EPERM;
+ }
+
+ /* there are still hard links to this file */
+ if (sb2.st_nlink != 0) {
+ close(fd);
+ return 0;
+ }
+
+ ret = scrub_file(fd, sb2.st_size);
+ (void) close(fd);
+ return ret;
+}
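Review bot: scrub_file() returns the raw result of fsync()/_commit() (-1 on failure) while every other failure path in this hunk returns an errno value, so _hx509_erase_file() hands its caller -1 as if it were an error code when the final flush fails; the flush should return errno on failure and 0 on success. In the same loop a write() that returns 0 is subtracted as no progress and the loop spins forever, so 0 should be treated as an error (EIO) rather than retried. The `sz` parameter is `ssize_t` while `sb2.st_size` is `off_t`, which truncates on platforms where off_t is wider than ssize_t; taking `off_t` avoids that. Separately, the error strings still name `hx509_certs_destroy:` although the function is `_hx509_erase_file`, which will mislead whoever reads the message.
```c
static int
scrub_file(int fd, off_t sz)
{
    char buf[128];

    memset(buf, 0, sizeof(buf));
    while (sz > 0) {
        ssize_t tmp;
        size_t wr = (off_t)sizeof(buf) > sz ? (size_t)sz : sizeof(buf);

        tmp = write(fd, buf, wr);
        if (tmp == -1)
            return errno;
        if (tmp == 0)
            return EIO;         /* no progress; do not spin forever */
        sz -= tmp;
    }
    /* Return an errno value on flush failure, like the write path above */
#ifdef _MSC_VER
    if (_commit(fd) == -1)
        return errno;
#else
    if (fsync(fd) == -1)
        return errno;
#endif
    return 0;
}
/* … unchanged: _hx509_erase_file … */
```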
diff --git a/lib/hx509/hx509-private.h b/lib/hx509/hx509-private.h
deleted file mode 100644
index 72d3bbdfa748..000000000000
--- a/lib/hx509/hx509-private.h
+++ /dev/null
@@ -1,493 +0,0 @@
-/* This is a generated file */
-#ifndef __hx509_private_h__
-#define __hx509_private_h__
-
-#include <stdarg.h>
-
-#if !defined(__GNUC__) && !defined(__attribute__)
-#define __attribute__(x)
-#endif
-
-int
-_hx509_AlgorithmIdentifier_cmp (
- const AlgorithmIdentifier */*p*/,
- const AlgorithmIdentifier */*q*/);
-
-int
-_hx509_Certificate_cmp (
- const Certificate */*p*/,
- const Certificate */*q*/);
-
-int
-_hx509_Name_to_string (
- const Name */*n*/,
- char **/*str*/);
-
-time_t
-_hx509_Time2time_t (const Time */*t*/);
-
-void
-_hx509_abort (
- const char */*fmt*/,
- ...)
- __attribute__ ((__noreturn__, __format__ (__printf__, 1, 2)));
-
-int
-_hx509_calculate_path (
- hx509_context /*context*/,
- int /*flags*/,
- time_t /*time_now*/,
- hx509_certs /*anchors*/,
- unsigned int /*max_depth*/,
- hx509_cert /*cert*/,
- hx509_certs /*pool*/,
- hx509_path */*path*/);
-
-int
-_hx509_cert_assign_key (
- hx509_cert /*cert*/,
- hx509_private_key /*private_key*/);
-
-int
-_hx509_cert_get_eku (
- hx509_context /*context*/,
- hx509_cert /*cert*/,
- ExtKeyUsage */*e*/);
-
-int
-_hx509_cert_get_keyusage (
- hx509_context /*context*/,
- hx509_cert /*c*/,
- KeyUsage */*ku*/);
-
-int
-_hx509_cert_get_version (const Certificate */*t*/);
-
-int
-_hx509_cert_is_parent_cmp (
- const Certificate */*subject*/,
- const Certificate */*issuer*/,
- int /*allow_self_signed*/);
-
-int
-_hx509_cert_private_decrypt (
- hx509_context /*context*/,
- const heim_octet_string */*ciphertext*/,
- const heim_oid */*encryption_oid*/,
- hx509_cert /*p*/,
- heim_octet_string */*cleartext*/);
-
-hx509_private_key
-_hx509_cert_private_key (hx509_cert /*p*/);
-
-int
-_hx509_cert_private_key_exportable (hx509_cert /*p*/);
-
-void
-_hx509_cert_set_release (
- hx509_cert /*cert*/,
- _hx509_cert_release_func /*release*/,
- void */*ctx*/);
-
-int
-_hx509_cert_to_env (
- hx509_context /*context*/,
- hx509_cert /*cert*/,
- hx509_env */*env*/);
-
-int
-_hx509_certs_keys_add (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- hx509_private_key /*key*/);
-
-void
-_hx509_certs_keys_free (
- hx509_context /*context*/,
- hx509_private_key */*keys*/);
-
-int
-_hx509_certs_keys_get (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- hx509_private_key **/*keys*/);
-
-int
-_hx509_check_key_usage (
- hx509_context /*context*/,
- hx509_cert /*cert*/,
- unsigned /*flags*/,
- int /*req_present*/);
-
-int
-_hx509_collector_alloc (
- hx509_context /*context*/,
- hx509_lock /*lock*/,
- struct hx509_collector **/*collector*/);
-
-int
-_hx509_collector_certs_add (
- hx509_context /*context*/,
- struct hx509_collector */*c*/,
- hx509_cert /*cert*/);
-
-int
-_hx509_collector_collect_certs (
- hx509_context /*context*/,
- struct hx509_collector */*c*/,
- hx509_certs */*ret_certs*/);
-
-int
-_hx509_collector_collect_private_keys (
- hx509_context /*context*/,
- struct hx509_collector */*c*/,
- hx509_private_key **/*keys*/);
-
-void
-_hx509_collector_free (struct hx509_collector */*c*/);
-
-hx509_lock
-_hx509_collector_get_lock (struct hx509_collector */*c*/);
-
-int
-_hx509_collector_private_key_add (
- hx509_context /*context*/,
- struct hx509_collector */*c*/,
- const AlgorithmIdentifier */*alg*/,
- hx509_private_key /*private_key*/,
- const heim_octet_string */*key_data*/,
- const heim_octet_string */*localKeyId*/);
-
-int
-_hx509_create_signature (
- hx509_context /*context*/,
- const hx509_private_key /*signer*/,
- const AlgorithmIdentifier */*alg*/,
- const heim_octet_string */*data*/,
- AlgorithmIdentifier */*signatureAlgorithm*/,
- heim_octet_string */*sig*/);
-
-int
-_hx509_create_signature_bitstring (
- hx509_context /*context*/,
- const hx509_private_key /*signer*/,
- const AlgorithmIdentifier */*alg*/,
- const heim_octet_string */*data*/,
- AlgorithmIdentifier */*signatureAlgorithm*/,
- heim_bit_string */*sig*/);
-
-int
-_hx509_expr_eval (
- hx509_context /*context*/,
- hx509_env /*env*/,
- struct hx_expr */*expr*/);
-
-void
-_hx509_expr_free (struct hx_expr */*expr*/);
-
-struct hx_expr *
-_hx509_expr_parse (const char */*buf*/);
-
-int
-_hx509_find_extension_subject_key_id (
- const Certificate */*issuer*/,
- SubjectKeyIdentifier */*si*/);
-
-const struct signature_alg *
-_hx509_find_sig_alg (const heim_oid */*oid*/);
-
-int
-_hx509_generate_private_key (
- hx509_context /*context*/,
- struct hx509_generate_private_context */*ctx*/,
- hx509_private_key */*private_key*/);
-
-int
-_hx509_generate_private_key_bits (
- hx509_context /*context*/,
- struct hx509_generate_private_context */*ctx*/,
- unsigned long /*bits*/);
-
-void
-_hx509_generate_private_key_free (struct hx509_generate_private_context **/*ctx*/);
-
-int
-_hx509_generate_private_key_init (
- hx509_context /*context*/,
- const heim_oid */*oid*/,
- struct hx509_generate_private_context **/*ctx*/);
-
-int
-_hx509_generate_private_key_is_ca (
- hx509_context /*context*/,
- struct hx509_generate_private_context */*ctx*/);
-
-Certificate *
-_hx509_get_cert (hx509_cert /*cert*/);
-
-void
-_hx509_ks_dir_register (hx509_context /*context*/);
-
-void
-_hx509_ks_file_register (hx509_context /*context*/);
-
-void
-_hx509_ks_keychain_register (hx509_context /*context*/);
-
-void
-_hx509_ks_mem_register (hx509_context /*context*/);
-
-void
-_hx509_ks_null_register (hx509_context /*context*/);
-
-void
-_hx509_ks_pkcs11_register (hx509_context /*context*/);
-
-void
-_hx509_ks_pkcs12_register (hx509_context /*context*/);
-
-void
-_hx509_ks_register (
- hx509_context /*context*/,
- struct hx509_keyset_ops */*ops*/);
-
-int
-_hx509_lock_find_cert (
- hx509_lock /*lock*/,
- const hx509_query */*q*/,
- hx509_cert */*c*/);
-
-const struct _hx509_password *
-_hx509_lock_get_passwords (hx509_lock /*lock*/);
-
-hx509_certs
-_hx509_lock_unlock_certs (hx509_lock /*lock*/);
-
-struct hx_expr *
-_hx509_make_expr (
- enum hx_expr_op /*op*/,
- void */*arg1*/,
- void */*arg2*/);
-
-int
-_hx509_map_file_os (
- const char */*fn*/,
- heim_octet_string */*os*/);
-
-int
-_hx509_match_keys (
- hx509_cert /*c*/,
- hx509_private_key /*key*/);
-
-int
-_hx509_name_cmp (
- const Name */*n1*/,
- const Name */*n2*/,
- int */*c*/);
-
-int
-_hx509_name_ds_cmp (
- const DirectoryString */*ds1*/,
- const DirectoryString */*ds2*/,
- int */*diff*/);
-
-int
-_hx509_name_from_Name (
- const Name */*n*/,
- hx509_name */*name*/);
-
-int
-_hx509_name_modify (
- hx509_context /*context*/,
- Name */*name*/,
- int /*append*/,
- const heim_oid */*oid*/,
- const char */*str*/);
-
-int
-_hx509_path_append (
- hx509_context /*context*/,
- hx509_path */*path*/,
- hx509_cert /*cert*/);
-
-void
-_hx509_path_free (hx509_path */*path*/);
-
-int
-_hx509_pbe_decrypt (
- hx509_context /*context*/,
- hx509_lock /*lock*/,
- const AlgorithmIdentifier */*ai*/,
- const heim_octet_string */*econtent*/,
- heim_octet_string */*content*/);
-
-int
-_hx509_pbe_encrypt (
- hx509_context /*context*/,
- hx509_lock /*lock*/,
- const AlgorithmIdentifier */*ai*/,
- const heim_octet_string */*content*/,
- heim_octet_string */*econtent*/);
-
-void
-_hx509_pi_printf (
- int (*/*func*/)(void *, const char *),
- void */*ctx*/,
- const char */*fmt*/,
- ...);
-
-void
-_hx509_private_eckey_free (void */*eckey*/);
-
-int
-_hx509_private_key_export (
- hx509_context /*context*/,
- const hx509_private_key /*key*/,
- hx509_key_format_t /*format*/,
- heim_octet_string */*data*/);
-
-int
-_hx509_private_key_exportable (hx509_private_key /*key*/);
-
-BIGNUM *
-_hx509_private_key_get_internal (
- hx509_context /*context*/,
- hx509_private_key /*key*/,
- const char */*type*/);
-
-int
-_hx509_private_key_oid (
- hx509_context /*context*/,
- const hx509_private_key /*key*/,
- heim_oid */*data*/);
-
-hx509_private_key
-_hx509_private_key_ref (hx509_private_key /*key*/);
-
-const char *
-_hx509_private_pem_name (hx509_private_key /*key*/);
-
-int
-_hx509_public_encrypt (
- hx509_context /*context*/,
- const heim_octet_string */*cleartext*/,
- const Certificate */*cert*/,
- heim_oid */*encryption_oid*/,
- heim_octet_string */*ciphertext*/);
-
-void
-_hx509_query_clear (hx509_query */*q*/);
-
-int
-_hx509_query_match_cert (
- hx509_context /*context*/,
- const hx509_query */*q*/,
- hx509_cert /*cert*/);
-
-void
-_hx509_query_statistic (
- hx509_context /*context*/,
- int /*type*/,
- const hx509_query */*q*/);
-
-int
-_hx509_request_add_dns_name (
- hx509_context /*context*/,
- hx509_request /*req*/,
- const char */*hostname*/);
-
-int
-_hx509_request_add_eku (
- hx509_context /*context*/,
- hx509_request /*req*/,
- const heim_oid */*oid*/);
-
-int
-_hx509_request_add_email (
- hx509_context /*context*/,
- hx509_request /*req*/,
- const char */*email*/);
-
-int
-_hx509_request_parse (
- hx509_context /*context*/,
- const char */*path*/,
- hx509_request */*req*/);
-
-int
-_hx509_request_print (
- hx509_context /*context*/,
- hx509_request /*req*/,
- FILE */*f*/);
-
-int
-_hx509_request_to_pkcs10 (
- hx509_context /*context*/,
- const hx509_request /*req*/,
- const hx509_private_key /*signer*/,
- heim_octet_string */*request*/);
-
-hx509_revoke_ctx
-_hx509_revoke_ref (hx509_revoke_ctx /*ctx*/);
-
-void
-_hx509_sel_yyerror (const char */*s*/);
-
-int
-_hx509_self_signed_valid (
- hx509_context /*context*/,
- const AlgorithmIdentifier */*alg*/);
-
-int
-_hx509_set_cert_attribute (
- hx509_context /*context*/,
- hx509_cert /*cert*/,
- const heim_oid */*oid*/,
- const heim_octet_string */*attr*/);
-
-int
-_hx509_set_digest_alg (
- DigestAlgorithmIdentifier */*id*/,
- const heim_oid */*oid*/,
- const void */*param*/,
- size_t /*length*/);
-
-int
-_hx509_signature_is_weak (
- hx509_context /*context*/,
- const AlgorithmIdentifier */*alg*/);
-
-void
-_hx509_unmap_file_os (heim_octet_string */*os*/);
-
-int
-_hx509_unparse_Name (
- const Name */*aname*/,
- char **/*str*/);
-
-time_t
-_hx509_verify_get_time (hx509_verify_ctx /*ctx*/);
-
-int
-_hx509_verify_signature (
- hx509_context /*context*/,
- const hx509_cert /*cert*/,
- const AlgorithmIdentifier */*alg*/,
- const heim_octet_string */*data*/,
- const heim_octet_string */*sig*/);
-
-int
-_hx509_verify_signature_bitstring (
- hx509_context /*context*/,
- const hx509_cert /*signer*/,
- const AlgorithmIdentifier */*alg*/,
- const heim_octet_string */*data*/,
- const heim_bit_string */*sig*/);
-
-int
-_hx509_write_file (
- const char */*fn*/,
- const void */*data*/,
- size_t /*length*/);
-
-#endif /* __hx509_private_h__ */
diff --git a/lib/hx509/hx509-protos.h b/lib/hx509/hx509-protos.h
deleted file mode 100644
index ed9bfb552db3..000000000000
--- a/lib/hx509/hx509-protos.h
+++ /dev/null
@@ -1,3154 +0,0 @@
-/* This is a generated file */
-#ifndef __hx509_protos_h__
-#define __hx509_protos_h__
-#ifndef DOXY
-
-#include <stdarg.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#ifndef HX509_LIB
-#ifndef HX509_LIB_FUNCTION
-#if defined(_WIN32)
-#define HX509_LIB_FUNCTION __declspec(dllimport)
-#define HX509_LIB_CALL __stdcall
-#define HX509_LIB_VARIABLE __declspec(dllimport)
-#else
-#define HX509_LIB_FUNCTION
-#define HX509_LIB_CALL
-#define HX509_LIB_VARIABLE
-#endif
-#endif
-#endif
-/**
- * Print a bitstring using a hx509_vprint_func function. To print to
- * stdout use hx509_print_stdout().
- *
- * @param b bit string to print.
- * @param func hx509_vprint_func to print with.
- * @param ctx context variable to hx509_vprint_func function.
- *
- * @ingroup hx509_print
- */
-
-void
-hx509_bitstring_print (
- const heim_bit_string */*b*/,
- hx509_vprint_func /*func*/,
- void */*ctx*/);
-
-/**
- * Sign a to-be-signed certificate object with a issuer certificate.
- *
- * The caller needs to at least have called the following functions on the
- * to-be-signed certificate object:
- * - hx509_ca_tbs_init()
- * - hx509_ca_tbs_set_subject()
- * - hx509_ca_tbs_set_spki()
- *
- * When done the to-be-signed certificate object should be freed with
- * hx509_ca_tbs_free().
- *
- * When creating self-signed certificate use hx509_ca_sign_self() instead.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param signer the CA certificate object to sign with (need private key).
- * @param certificate return cerificate, free with hx509_cert_free().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_sign (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- hx509_cert /*signer*/,
- hx509_cert */*certificate*/);
-
-/**
- * Work just like hx509_ca_sign() but signs it-self.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param signer private key to sign with.
- * @param certificate return cerificate, free with hx509_cert_free().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_sign_self (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- hx509_private_key /*signer*/,
- hx509_cert */*certificate*/);
-
-/**
- * Add CRL distribution point URI to the to-be-signed certificate
- * object.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param uri uri to the CRL.
- * @param issuername name of the issuer.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_add_crl_dp_uri (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const char */*uri*/,
- hx509_name /*issuername*/);
-
-/**
- * An an extended key usage to the to-be-signed certificate object.
- * Duplicates will detected and not added.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param oid extended key usage to add.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_add_eku (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const heim_oid */*oid*/);
-
-/**
- * Add a Subject Alternative Name hostname to to-be-signed certificate
- * object. A domain match starts with ., an exact match does not.
- *
- * Example of a an domain match: .domain.se matches the hostname
- * host.domain.se.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param dnsname a hostame.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_add_san_hostname (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const char */*dnsname*/);
-
-/**
- * Add a Jabber/XMPP jid Subject Alternative Name to the to-be-signed
- * certificate object. The jid is an UTF8 string.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param jid string of an a jabber id in UTF8.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_add_san_jid (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const char */*jid*/);
-
-/**
- * Add Microsoft UPN Subject Alternative Name to the to-be-signed
- * certificate object. The principal string is a UTF8 string.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param principal Microsoft UPN string.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_add_san_ms_upn (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const char */*principal*/);
-
-/**
- * Add Subject Alternative Name otherName to the to-be-signed
- * certificate object.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param oid the oid of the OtherName.
- * @param os data in the other name.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_add_san_otherName (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const heim_oid */*oid*/,
- const heim_octet_string */*os*/);
-
-/**
- * Add Kerberos Subject Alternative Name to the to-be-signed
- * certificate object. The principal string is a UTF8 string.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param principal Kerberos principal to add to the certificate.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_add_san_pkinit (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const char */*principal*/);
-
-/**
- * Add a Subject Alternative Name rfc822 (email address) to
- * to-be-signed certificate object.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param rfc822Name a string to a email address.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_add_san_rfc822name (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const char */*rfc822Name*/);
-
-/**
- * Free an To Be Signed object.
- *
- * @param tbs object to free.
- *
- * @ingroup hx509_ca
- */
-
-void
-hx509_ca_tbs_free (hx509_ca_tbs */*tbs*/);
-
-/**
- * Allocate an to-be-signed certificate object that will be converted
- * into an certificate.
- *
- * @param context A hx509 context.
- * @param tbs returned to-be-signed certicate object, free with
- * hx509_ca_tbs_free().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_init (
- hx509_context /*context*/,
- hx509_ca_tbs */*tbs*/);
-
-/**
- * Make the to-be-signed certificate object a CA certificate. If the
- * pathLenConstraint is negative path length constraint is used.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param pathLenConstraint path length constraint, negative, no
- * constraint.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_ca (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- int /*pathLenConstraint*/);
-
-/**
- * Make the to-be-signed certificate object a windows domain controller certificate.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_domaincontroller (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/);
-
-/**
- * Set the absolute time when the certificate is valid to.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param t time when the certificate will expire
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_notAfter (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- time_t /*t*/);
-
-/**
- * Set the relative time when the certificiate is going to expire.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param delta seconds to the certificate is going to expire.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_notAfter_lifetime (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- time_t /*delta*/);
-
-/**
- * Set the absolute time when the certificate is valid from. If not
- * set the current time will be used.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param t time the certificated will start to be valid
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_notBefore (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- time_t /*t*/);
-
-/**
- * Make the to-be-signed certificate object a proxy certificate. If the
- * pathLenConstraint is negative path length constraint is used.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param pathLenConstraint path length constraint, negative, no
- * constraint.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_proxy (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- int /*pathLenConstraint*/);
-
-/**
- * Set the serial number to use for to-be-signed certificate object.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param serialNumber serial number to use for the to-be-signed
- * certificate object.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_serialnumber (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const heim_integer */*serialNumber*/);
-
-/**
- * Set signature algorithm on the to be signed certificate
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param sigalg signature algorithm to use
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_signature_algorithm (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const AlgorithmIdentifier */*sigalg*/);
-
-/**
- * Set the subject public key info (SPKI) in the to-be-signed certificate
- * object. SPKI is the public key and key related parameters in the
- * certificate.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param spki subject public key info to use for the to-be-signed certificate object.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_spki (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const SubjectPublicKeyInfo */*spki*/);
-
-/**
- * Set the subject name of a to-be-signed certificate object.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param subject the name to set a subject.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_subject (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- hx509_name /*subject*/);
-
-/**
- * Initialize the to-be-signed certificate object from a template certifiate.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param flags bit field selecting what to copy from the template
- * certifiate.
- * @param cert template certificate.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_template (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- int /*flags*/,
- hx509_cert /*cert*/);
-
-/**
- * Set the issuerUniqueID and subjectUniqueID
- *
- * These are only supposed to be used considered with version 2
- * certificates, replaced by the two extensions SubjectKeyIdentifier
- * and IssuerKeyIdentifier. This function is to allow application
- * using legacy protocol to issue them.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param issuerUniqueID to be set
- * @param subjectUniqueID to be set
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_unique (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const heim_bit_string */*subjectUniqueID*/,
- const heim_bit_string */*issuerUniqueID*/);
-
-/**
- * Expand the the subject name in the to-be-signed certificate object
- * using hx509_name_expand().
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param env environment variable to expand variables in the subject
- * name, see hx509_env_init().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_subject_expand (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- hx509_env /*env*/);
-
-/**
- * Make of template units, use to build flags argument to
- * hx509_ca_tbs_set_template() with parse_units().
- *
- * @return an units structure.
- *
- * @ingroup hx509_ca
- */
-
-const struct units *
-hx509_ca_tbs_template_units (void);
-
-/**
- * Encodes the hx509 certificate as a DER encode binary.
- *
- * @param context A hx509 context.
- * @param c the certificate to encode.
- * @param os the encode certificate, set to NULL, 0 on case of
- * error. Free the os->data with hx509_xfree().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_binary (
- hx509_context /*context*/,
- hx509_cert /*c*/,
- heim_octet_string */*os*/);
-
-/**
- * Check the extended key usage on the hx509 certificate.
- *
- * @param context A hx509 context.
- * @param cert A hx509 context.
- * @param eku the EKU to check for
- * @param allow_any_eku if the any EKU is set, allow that to be a
- * substitute.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_check_eku (
- hx509_context /*context*/,
- hx509_cert /*cert*/,
- const heim_oid */*eku*/,
- int /*allow_any_eku*/);
-
-/**
- * Compare to hx509 certificate object, useful for sorting.
- *
- * @param p a hx509 certificate object.
- * @param q a hx509 certificate object.
- *
- * @return 0 the objects are the same, returns > 0 is p is "larger"
- * then q, < 0 if p is "smaller" then q.
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_cmp (
- hx509_cert /*p*/,
- hx509_cert /*q*/);
-
-/**
- * Return a list of subjectAltNames specified by oid in the
- * certificate. On error the
- *
- * The returned list of octet string should be freed with
- * hx509_free_octet_string_list().
- *
- * @param context A hx509 context.
- * @param cert a hx509 certificate object.
- * @param oid an oid to for SubjectAltName.
- * @param list list of matching SubjectAltName.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_find_subjectAltName_otherName (
- hx509_context /*context*/,
- hx509_cert /*cert*/,
- const heim_oid */*oid*/,
- hx509_octet_string_list */*list*/);
-
-/**
- * Free reference to the hx509 certificate object, if the refcounter
- * reaches 0, the object if freed. Its allowed to pass in NULL.
- *
- * @param cert the cert to free.
- *
- * @ingroup hx509_cert
- */
-
-void
-hx509_cert_free (hx509_cert /*cert*/);
-
-/**
- * Get the SubjectPublicKeyInfo structure from the hx509 certificate.
- *
- * @param context a hx509 context.
- * @param p a hx509 certificate object.
- * @param spki SubjectPublicKeyInfo, should be freed with
- * free_SubjectPublicKeyInfo().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_get_SPKI (
- hx509_context /*context*/,
- hx509_cert /*p*/,
- SubjectPublicKeyInfo */*spki*/);
-
-/**
- * Get the AlgorithmIdentifier from the hx509 certificate.
- *
- * @param context a hx509 context.
- * @param p a hx509 certificate object.
- * @param alg AlgorithmIdentifier, should be freed with
- * free_AlgorithmIdentifier(). The algorithmidentifier is
- * typicly rsaEncryption, or id-ecPublicKey, or some other
- * public key mechanism.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_get_SPKI_AlgorithmIdentifier (
- hx509_context /*context*/,
- hx509_cert /*p*/,
- AlgorithmIdentifier */*alg*/);
-
-/**
- * Get an external attribute for the certificate, examples are
- * friendly name and id.
- *
- * @param cert hx509 certificate object to search
- * @param oid an oid to search for.
- *
- * @return an hx509_cert_attribute, only valid as long as the
- * certificate is referenced.
- *
- * @ingroup hx509_cert
- */
-
-hx509_cert_attribute
-hx509_cert_get_attribute (
- hx509_cert /*cert*/,
- const heim_oid */*oid*/);
-
-/**
- * Return the name of the base subject of the hx509 certificate. If
- * the certiicate is a verified proxy certificate, the this function
- * return the base certificate (root of the proxy chain). If the proxy
- * certificate is not verified with the base certificate
- * HX509_PROXY_CERTIFICATE_NOT_CANONICALIZED is returned.
- *
- * @param context a hx509 context.
- * @param c a hx509 certificate object.
- * @param name a pointer to a hx509 name, should be freed by
- * hx509_name_free(). See also hx509_cert_get_subject().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_get_base_subject (
- hx509_context /*context*/,
- hx509_cert /*c*/,
- hx509_name */*name*/);
-
-/**
- * Get friendly name of the certificate.
- *
- * @param cert cert to get the friendly name from.
- *
- * @return an friendly name or NULL if there is. The friendly name is
- * only valid as long as the certificate is referenced.
- *
- * @ingroup hx509_cert
- */
-
-const char *
-hx509_cert_get_friendly_name (hx509_cert /*cert*/);
-
-/**
- * Return the name of the issuer of the hx509 certificate.
- *
- * @param p a hx509 certificate object.
- * @param name a pointer to a hx509 name, should be freed by
- * hx509_name_free().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_get_issuer (
- hx509_cert /*p*/,
- hx509_name */*name*/);
-
-/**
- * Get a copy of the Issuer Unique ID
- *
- * @param context a hx509_context
- * @param p a hx509 certificate
- * @param issuer the issuer id returned, free with der_free_bit_string()
- *
- * @return An hx509 error code, see hx509_get_error_string(). The
- * error code HX509_EXTENSION_NOT_FOUND is returned if the certificate
- * doesn't have a issuerUniqueID
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_get_issuer_unique_id (
- hx509_context /*context*/,
- hx509_cert /*p*/,
- heim_bit_string */*issuer*/);
-
-/**
- * Get notAfter time of the certificate.
- *
- * @param p a hx509 certificate object.
- *
- * @return return not after time.
- *
- * @ingroup hx509_cert
- */
-
-time_t
-hx509_cert_get_notAfter (hx509_cert /*p*/);
-
-/**
- * Get notBefore time of the certificate.
- *
- * @param p a hx509 certificate object.
- *
- * @return return not before time
- *
- * @ingroup hx509_cert
- */
-
-time_t
-hx509_cert_get_notBefore (hx509_cert /*p*/);
-
-/**
- * Get serial number of the certificate.
- *
- * @param p a hx509 certificate object.
- * @param i serial number, should be freed ith der_free_heim_integer().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_get_serialnumber (
- hx509_cert /*p*/,
- heim_integer */*i*/);
-
-/**
- * Return the name of the subject of the hx509 certificate.
- *
- * @param p a hx509 certificate object.
- * @param name a pointer to a hx509 name, should be freed by
- * hx509_name_free(). See also hx509_cert_get_base_subject().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_get_subject (
- hx509_cert /*p*/,
- hx509_name */*name*/);
-
-/**
- * Get a copy of the Subect Unique ID
- *
- * @param context a hx509_context
- * @param p a hx509 certificate
- * @param subject the subject id returned, free with der_free_bit_string()
- *
- * @return An hx509 error code, see hx509_get_error_string(). The
- * error code HX509_EXTENSION_NOT_FOUND is returned if the certificate
- * doesn't have a subjectUniqueID
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_get_subject_unique_id (
- hx509_context /*context*/,
- hx509_cert /*p*/,
- heim_bit_string */*subject*/);
-
-int
-hx509_cert_have_private_key (hx509_cert /*p*/);
-
-/**
- * Allocate and init an hx509 certificate object from the decoded
- * certificate `c´.
- *
- * @param context A hx509 context.
- * @param c
- * @param error
- *
- * @return Returns an hx509 certificate
- *
- * @ingroup hx509_cert
- */
-
-hx509_cert
-hx509_cert_init (
- hx509_context /*context*/,
- const Certificate */*c*/,
- heim_error_t */*error*/);
-
-/**
- * Just like hx509_cert_init(), but instead of a decode certificate
- * takes an pointer and length to a memory region that contains a
- * DER/BER encoded certificate.
- *
- * If the memory region doesn't contain just the certificate and
- * nothing more the function will fail with
- * HX509_EXTRA_DATA_AFTER_STRUCTURE.
- *
- * @param context A hx509 context.
- * @param ptr pointer to memory region containing encoded certificate.
- * @param len length of memory region.
- * @param error possibly returns an error
- *
- * @return An hx509 certificate
- *
- * @ingroup hx509_cert
- */
-
-hx509_cert
-hx509_cert_init_data (
- hx509_context /*context*/,
- const void */*ptr*/,
- size_t /*len*/,
- heim_error_t */*error*/);
-
-/**
- * Print certificate usage for a certificate to a string.
- *
- * @param context A hx509 context.
- * @param c a certificate print the keyusage for.
- * @param s the return string with the keysage printed in to, free
- * with hx509_xfree().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_print
- */
-
-int
-hx509_cert_keyusage_print (
- hx509_context /*context*/,
- hx509_cert /*c*/,
- char **/*s*/);
-
-int
-hx509_cert_public_encrypt (
- hx509_context /*context*/,
- const heim_octet_string */*cleartext*/,
- const hx509_cert /*p*/,
- heim_oid */*encryption_oid*/,
- heim_octet_string */*ciphertext*/);
-
-/**
- * Add a reference to a hx509 certificate object.
- *
- * @param cert a pointer to an hx509 certificate object.
- *
- * @return the same object as is passed in.
- *
- * @ingroup hx509_cert
- */
-
-hx509_cert
-hx509_cert_ref (hx509_cert /*cert*/);
-
-/**
- * Set the friendly name on the certificate.
- *
- * @param cert The certificate to set the friendly name on
- * @param name Friendly name.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_set_friendly_name (
- hx509_cert /*cert*/,
- const char */*name*/);
-
-/**
- * Add a certificate to the certificiate store.
- *
- * The receiving keyset certs will either increase reference counter
- * of the cert or make a deep copy, either way, the caller needs to
- * free the cert itself.
- *
- * @param context a hx509 context.
- * @param certs certificate store to add the certificate to.
- * @param cert certificate to add.
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_add (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- hx509_cert /*cert*/);
-
-/**
- * Same a hx509_certs_merge() but use a lock and name to describe the
- * from source.
- *
- * @param context a hx509 context.
- * @param to the store to merge into.
- * @param lock a lock that unlocks the certificates store, use NULL to
- * select no password/certifictes/prompt lock (see @ref page_lock).
- * @param name name of the source store
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_append (
- hx509_context /*context*/,
- hx509_certs /*to*/,
- hx509_lock /*lock*/,
- const char */*name*/);
-
-/**
- * End the iteration over certificates.
- *
- * @param context a hx509 context.
- * @param certs certificate store to iterate over.
- * @param cursor cursor that will keep track of progress, freed.
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_end_seq (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- hx509_cursor /*cursor*/);
-
-/**
- * Filter certificate matching the query.
- *
- * @param context a hx509 context.
- * @param certs certificate store to search.
- * @param q query allocated with @ref hx509_query functions.
- * @param result the filtered certificate store, caller must free with
- * hx509_certs_free().
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_filter (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- const hx509_query */*q*/,
- hx509_certs */*result*/);
-
-/**
- * Find a certificate matching the query.
- *
- * @param context a hx509 context.
- * @param certs certificate store to search.
- * @param q query allocated with @ref hx509_query functions.
- * @param r return certificate (or NULL on error), should be freed
- * with hx509_cert_free().
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_find (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- const hx509_query */*q*/,
- hx509_cert */*r*/);
-
-/**
- * Free a certificate store.
- *
- * @param certs certificate store to free.
- *
- * @ingroup hx509_keyset
- */
-
-void
-hx509_certs_free (hx509_certs */*certs*/);
-
-/**
- * Print some info about the certificate store.
- *
- * @param context a hx509 context.
- * @param certs certificate store to print information about.
- * @param func function that will get each line of the information, if
- * NULL is used the data is printed on a FILE descriptor that should
- * be passed in ctx, if ctx also is NULL, stdout is used.
- * @param ctx parameter to func.
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_info (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- int (*/*func*/)(void *, const char *),
- void */*ctx*/);
-
-/**
- * Open or creates a new hx509 certificate store.
- *
- * @param context A hx509 context
- * @param name name of the store, format is TYPE:type-specific-string,
- * if NULL is used the MEMORY store is used.
- * @param flags list of flags:
- * - HX509_CERTS_CREATE create a new keystore of the specific TYPE.
- * - HX509_CERTS_UNPROTECT_ALL fails if any private key failed to be extracted.
- * @param lock a lock that unlocks the certificates store, use NULL to
- * select no password/certifictes/prompt lock (see @ref page_lock).
- * @param certs return pointer, free with hx509_certs_free().
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_init (
- hx509_context /*context*/,
- const char */*name*/,
- int /*flags*/,
- hx509_lock /*lock*/,
- hx509_certs */*certs*/);
-
-/**
- * Iterate over all certificates in a keystore and call a block
- * for each of them.
- *
- * @param context a hx509 context.
- * @param certs certificate store to iterate over.
- * @param func block to call for each certificate. The function
- * should return non-zero to abort the iteration, that value is passed
- * back to the caller of hx509_certs_iter().
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-#ifdef __BLOCKS__
-int
-hx509_certs_iter (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- int (^func)(hx509_cert));
-#endif /* __BLOCKS__ */
-
-/**
- * Iterate over all certificates in a keystore and call a function
- * for each of them.
- *
- * @param context a hx509 context.
- * @param certs certificate store to iterate over.
- * @param func function to call for each certificate. The function
- * should return non-zero to abort the iteration, that value is passed
- * back to the caller of hx509_certs_iter_f().
- * @param ctx context variable that will passed to the function.
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_iter_f (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- int (*/*func*/)(hx509_context, void *, hx509_cert),
- void */*ctx*/);
-
-/**
- * Merge a certificate store into another. The from store is keep
- * intact.
- *
- * @param context a hx509 context.
- * @param to the store to merge into.
- * @param from the store to copy the object from.
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_merge (
- hx509_context /*context*/,
- hx509_certs /*to*/,
- hx509_certs /*from*/);
-
-/**
- * Get next ceritificate from the certificate keystore pointed out by
- * cursor.
- *
- * @param context a hx509 context.
- * @param certs certificate store to iterate over.
- * @param cursor cursor that keeps track of progress.
- * @param cert return certificate next in store, NULL if the store
- * contains no more certificates. Free with hx509_cert_free().
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_next_cert (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- hx509_cursor /*cursor*/,
- hx509_cert */*cert*/);
-
-hx509_certs
-hx509_certs_ref (hx509_certs /*certs*/);
-
-/**
- * Start the integration
- *
- * @param context a hx509 context.
- * @param certs certificate store to iterate over
- * @param cursor cursor that will keep track of progress, free with
- * hx509_certs_end_seq().
- *
- * @return Returns an hx509 error code. HX509_UNSUPPORTED_OPERATION is
- * returned if the certificate store doesn't support the iteration
- * operation.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_start_seq (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- hx509_cursor */*cursor*/);
-
-/**
- * Write the certificate store to stable storage.
- *
- * @param context A hx509 context.
- * @param certs a certificate store to store.
- * @param flags currently unused, use 0.
- * @param lock a lock that unlocks the certificates store, use NULL to
- * select no password/certifictes/prompt lock (see @ref page_lock).
- *
- * @return Returns an hx509 error code. HX509_UNSUPPORTED_OPERATION if
- * the certificate store doesn't support the store operation.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_store (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- int /*flags*/,
- hx509_lock /*lock*/);
-
-/**
- * Function to use to hx509_certs_iter_f() as a function argument, the
- * ctx variable to hx509_certs_iter_f() should be a FILE file descriptor.
- *
- * @param context a hx509 context.
- * @param ctx used by hx509_certs_iter_f().
- * @param c a certificate
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_ci_print_names (
- hx509_context /*context*/,
- void */*ctx*/,
- hx509_cert /*c*/);
-
-/**
- * Resets the error strings the hx509 context.
- *
- * @param context A hx509 context.
- *
- * @ingroup hx509_error
- */
-
-void
-hx509_clear_error_string (hx509_context /*context*/);
-
-int
-hx509_cms_create_signed (
- hx509_context /*context*/,
- int /*flags*/,
- const heim_oid */*eContentType*/,
- const void */*data*/,
- size_t /*length*/,
- const AlgorithmIdentifier */*digest_alg*/,
- hx509_certs /*certs*/,
- hx509_peer_info /*peer*/,
- hx509_certs /*anchors*/,
- hx509_certs /*pool*/,
- heim_octet_string */*signed_data*/);
-
-/**
- * Decode SignedData and verify that the signature is correct.
- *
- * @param context A hx509 context.
- * @param flags
- * @param eContentType the type of the data.
- * @param data data to sign
- * @param length length of the data that data point to.
- * @param digest_alg digest algorithm to use, use NULL to get the
- * default or the peer determined algorithm.
- * @param cert certificate to use for sign the data.
- * @param peer info about the peer the message to send the message to,
- * like what digest algorithm to use.
- * @param anchors trust anchors that the client will use, used to
- * polulate the certificates included in the message
- * @param pool certificates to use in try to build the path to the
- * trust anchors.
- * @param signed_data the output of the function, free with
- * der_free_octet_string().
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_cms
- */
-
-int
-hx509_cms_create_signed_1 (
- hx509_context /*context*/,
- int /*flags*/,
- const heim_oid */*eContentType*/,
- const void */*data*/,
- size_t /*length*/,
- const AlgorithmIdentifier */*digest_alg*/,
- hx509_cert /*cert*/,
- hx509_peer_info /*peer*/,
- hx509_certs /*anchors*/,
- hx509_certs /*pool*/,
- heim_octet_string */*signed_data*/);
-
-/**
- * Use HX509_CMS_SIGNATURE_NO_SIGNER to create no sigInfo (no
- * signatures).
- */
-
-int
-hx509_cms_decrypt_encrypted (
- hx509_context /*context*/,
- hx509_lock /*lock*/,
- const void */*data*/,
- size_t /*length*/,
- heim_oid */*contentType*/,
- heim_octet_string */*content*/);
-
-/**
- * Encrypt end encode EnvelopedData.
- *
- * Encrypt and encode EnvelopedData. The data is encrypted with a
- * random key and the the random key is encrypted with the
- * certificates private key. This limits what private key type can be
- * used to RSA.
- *
- * @param context A hx509 context.
- * @param flags flags to control the behavior.
- * - HX509_CMS_EV_NO_KU_CHECK - Don't check KU on certificate
- * - HX509_CMS_EV_ALLOW_WEAK - Allow weak crytpo
- * - HX509_CMS_EV_ID_NAME - prefer issuer name and serial number
- * @param cert Certificate to encrypt the EnvelopedData encryption key
- * with.
- * @param data pointer the data to encrypt.
- * @param length length of the data that data point to.
- * @param encryption_type Encryption cipher to use for the bulk data,
- * use NULL to get default.
- * @param contentType type of the data that is encrypted
- * @param content the output of the function,
- * free with der_free_octet_string().
- *
- * @return an hx509 error code.
- *
- * @ingroup hx509_cms
- */
-
-int
-hx509_cms_envelope_1 (
- hx509_context /*context*/,
- int /*flags*/,
- hx509_cert /*cert*/,
- const void */*data*/,
- size_t /*length*/,
- const heim_oid */*encryption_type*/,
- const heim_oid */*contentType*/,
- heim_octet_string */*content*/);
-
-/**
- * Decode and unencrypt EnvelopedData.
- *
- * Extract data and parameteres from from the EnvelopedData. Also
- * supports using detached EnvelopedData.
- *
- * @param context A hx509 context.
- * @param certs Certificate that can decrypt the EnvelopedData
- * encryption key.
- * @param flags HX509_CMS_UE flags to control the behavior.
- * @param data pointer the structure the contains the DER/BER encoded
- * EnvelopedData stucture.
- * @param length length of the data that data point to.
- * @param encryptedContent in case of detached signature, this
- * contains the actual encrypted data, othersize its should be NULL.
- * @param time_now set the current time, if zero the library uses now as the date.
- * @param contentType output type oid, should be freed with der_free_oid().
- * @param content the data, free with der_free_octet_string().
- *
- * @return an hx509 error code.
- *
- * @ingroup hx509_cms
- */
-
-int
-hx509_cms_unenvelope (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- int /*flags*/,
- const void */*data*/,
- size_t /*length*/,
- const heim_octet_string */*encryptedContent*/,
- time_t /*time_now*/,
- heim_oid */*contentType*/,
- heim_octet_string */*content*/);
-
-/**
- * Decode an ContentInfo and unwrap data and oid it.
- *
- * @param in the encoded buffer.
- * @param oid type of the content.
- * @param out data to be wrapped.
- * @param have_data since the data is optional, this flags show dthe
- * diffrence between no data and the zero length data.
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_cms
- */
-
-int
-hx509_cms_unwrap_ContentInfo (
- const heim_octet_string */*in*/,
- heim_oid */*oid*/,
- heim_octet_string */*out*/,
- int */*have_data*/);
-
-/**
- * Decode SignedData and verify that the signature is correct.
- *
- * @param context A hx509 context.
- * @param ctx a hx509 verify context.
- * @param flags to control the behaivor of the function.
- * - HX509_CMS_VS_NO_KU_CHECK - Don't check KeyUsage
- * - HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH - allow oid mismatch
- * - HX509_CMS_VS_ALLOW_ZERO_SIGNER - no signer, see below.
- * @param data pointer to CMS SignedData encoded data.
- * @param length length of the data that data point to.
- * @param signedContent external data used for signature.
- * @param pool certificate pool to build certificates paths.
- * @param contentType free with der_free_oid().
- * @param content the output of the function, free with
- * der_free_octet_string().
- * @param signer_certs list of the cerficates used to sign this
- * request, free with hx509_certs_free().
- *
- * @return an hx509 error code.
- *
- * @ingroup hx509_cms
- */
-
-int
-hx509_cms_verify_signed (
- hx509_context /*context*/,
- hx509_verify_ctx /*ctx*/,
- unsigned int /*flags*/,
- const void */*data*/,
- size_t /*length*/,
- const heim_octet_string */*signedContent*/,
- hx509_certs /*pool*/,
- heim_oid */*contentType*/,
- heim_octet_string */*content*/,
- hx509_certs */*signer_certs*/);
-
-/**
- * Wrap data and oid in a ContentInfo and encode it.
- *
- * @param oid type of the content.
- * @param buf data to be wrapped. If a NULL pointer is passed in, the
- * optional content field in the ContentInfo is not going be filled
- * in.
- * @param res the encoded buffer, the result should be freed with
- * der_free_octet_string().
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_cms
- */
-
-int
-hx509_cms_wrap_ContentInfo (
- const heim_oid */*oid*/,
- const heim_octet_string */*buf*/,
- heim_octet_string */*res*/);
-
-/**
- * Free the context allocated by hx509_context_init().
- *
- * @param context context to be freed.
- *
- * @ingroup hx509
- */
-
-void
-hx509_context_free (hx509_context */*context*/);
-
-/**
- * Creates a hx509 context that most functions in the library
- * uses. The context is only allowed to be used by one thread at each
- * moment. Free the context with hx509_context_free().
- *
- * @param context Returns a pointer to new hx509 context.
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509
- */
-
-int
-hx509_context_init (hx509_context */*context*/);
-
-/**
- * Selects if the hx509_revoke_verify() function is going to require
- * the existans of a revokation method (OCSP, CRL) or not. Note that
- * hx509_verify_path(), hx509_cms_verify_signed(), and other function
- * call hx509_revoke_verify().
- *
- * @param context hx509 context to change the flag for.
- * @param flag zero, revokation method required, non zero missing
- * revokation method ok
- *
- * @ingroup hx509_verify
- */
-
-void
-hx509_context_set_missing_revoke (
- hx509_context /*context*/,
- int /*flag*/);
-
-/**
- * Add revoked certificate to an CRL context.
- *
- * @param context a hx509 context.
- * @param crl the CRL to add the revoked certificate to.
- * @param certs keyset of certificate to revoke.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_verify
- */
-
-int
-hx509_crl_add_revoked_certs (
- hx509_context /*context*/,
- hx509_crl /*crl*/,
- hx509_certs /*certs*/);
-
-/**
- * Create a CRL context. Use hx509_crl_free() to free the CRL context.
- *
- * @param context a hx509 context.
- * @param crl return pointer to a newly allocated CRL context.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_verify
- */
-
-int
-hx509_crl_alloc (
- hx509_context /*context*/,
- hx509_crl */*crl*/);
-
-/**
- * Free a CRL context.
- *
- * @param context a hx509 context.
- * @param crl a CRL context to free.
- *
- * @ingroup hx509_verify
- */
-
-void
-hx509_crl_free (
- hx509_context /*context*/,
- hx509_crl */*crl*/);
-
-/**
- * Set the lifetime of a CRL context.
- *
- * @param context a hx509 context.
- * @param crl a CRL context
- * @param delta delta time the certificate is valid, library adds the
- * current time to this.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_verify
- */
-
-int
-hx509_crl_lifetime (
- hx509_context /*context*/,
- hx509_crl /*crl*/,
- int /*delta*/);
-
-/**
- * Sign a CRL and return an encode certificate.
- *
- * @param context a hx509 context.
- * @param signer certificate to sign the CRL with
- * @param crl the CRL to sign
- * @param os return the signed and encoded CRL, free with
- * free_heim_octet_string()
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_verify
- */
-
-int
-hx509_crl_sign (
- hx509_context /*context*/,
- hx509_cert /*signer*/,
- hx509_crl /*crl*/,
- heim_octet_string */*os*/);
-
-const AlgorithmIdentifier *
-hx509_crypto_aes128_cbc (void);
-
-const AlgorithmIdentifier *
-hx509_crypto_aes256_cbc (void);
-
-void
-hx509_crypto_allow_weak (hx509_crypto /*crypto*/);
-
-int
-hx509_crypto_available (
- hx509_context /*context*/,
- int /*type*/,
- hx509_cert /*source*/,
- AlgorithmIdentifier **/*val*/,
- unsigned int */*plen*/);
-
-int
-hx509_crypto_decrypt (
- hx509_crypto /*crypto*/,
- const void */*data*/,
- const size_t /*length*/,
- heim_octet_string */*ivec*/,
- heim_octet_string */*clear*/);
-
-const AlgorithmIdentifier *
-hx509_crypto_des_rsdi_ede3_cbc (void);
-
-void
-hx509_crypto_destroy (hx509_crypto /*crypto*/);
-
-int
-hx509_crypto_encrypt (
- hx509_crypto /*crypto*/,
- const void */*data*/,
- const size_t /*length*/,
- const heim_octet_string */*ivec*/,
- heim_octet_string **/*ciphertext*/);
-
-const heim_oid *
-hx509_crypto_enctype_by_name (const char */*name*/);
-
-void
-hx509_crypto_free_algs (
- AlgorithmIdentifier */*val*/,
- unsigned int /*len*/);
-
-int
-hx509_crypto_get_params (
- hx509_context /*context*/,
- hx509_crypto /*crypto*/,
- const heim_octet_string */*ivec*/,
- heim_octet_string */*param*/);
-
-int
-hx509_crypto_init (
- hx509_context /*context*/,
- const char */*provider*/,
- const heim_oid */*enctype*/,
- hx509_crypto */*crypto*/);
-
-const char *
-hx509_crypto_provider (hx509_crypto /*crypto*/);
-
-int
-hx509_crypto_random_iv (
- hx509_crypto /*crypto*/,
- heim_octet_string */*ivec*/);
-
-int
-hx509_crypto_select (
- const hx509_context /*context*/,
- int /*type*/,
- const hx509_private_key /*source*/,
- hx509_peer_info /*peer*/,
- AlgorithmIdentifier */*selected*/);
-
-int
-hx509_crypto_set_key_data (
- hx509_crypto /*crypto*/,
- const void */*data*/,
- size_t /*length*/);
-
-int
-hx509_crypto_set_key_name (
- hx509_crypto /*crypto*/,
- const char */*name*/);
-
-void
-hx509_crypto_set_padding (
- hx509_crypto /*crypto*/,
- int /*padding_type*/);
-
-int
-hx509_crypto_set_params (
- hx509_context /*context*/,
- hx509_crypto /*crypto*/,
- const heim_octet_string */*param*/,
- heim_octet_string */*ivec*/);
-
-int
-hx509_crypto_set_random_key (
- hx509_crypto /*crypto*/,
- heim_octet_string */*key*/);
-
-/**
- * Add a new key/value pair to the hx509_env.
- *
- * @param context A hx509 context.
- * @param env environment to add the environment variable too.
- * @param key key to add
- * @param value value to add
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_env
- */
-
-int
-hx509_env_add (
- hx509_context /*context*/,
- hx509_env */*env*/,
- const char */*key*/,
- const char */*value*/);
-
-/**
- * Add a new key/binding pair to the hx509_env.
- *
- * @param context A hx509 context.
- * @param env environment to add the environment variable too.
- * @param key key to add
- * @param list binding list to add
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_env
- */
-
-int
-hx509_env_add_binding (
- hx509_context /*context*/,
- hx509_env */*env*/,
- const char */*key*/,
- hx509_env /*list*/);
-
-/**
- * Search the hx509_env for a key.
- *
- * @param context A hx509 context.
- * @param env environment to add the environment variable too.
- * @param key key to search for.
- *
- * @return the value if the key is found, NULL otherwise.
- *
- * @ingroup hx509_env
- */
-
-const char *
-hx509_env_find (
- hx509_context /*context*/,
- hx509_env /*env*/,
- const char */*key*/);
-
-/**
- * Search the hx509_env for a binding.
- *
- * @param context A hx509 context.
- * @param env environment to add the environment variable too.
- * @param key key to search for.
- *
- * @return the binding if the key is found, NULL if not found.
- *
- * @ingroup hx509_env
- */
-
-hx509_env
-hx509_env_find_binding (
- hx509_context /*context*/,
- hx509_env /*env*/,
- const char */*key*/);
-
-/**
- * Free an hx509_env environment context.
- *
- * @param env the environment to free.
- *
- * @ingroup hx509_env
- */
-
-void
-hx509_env_free (hx509_env */*env*/);
-
-/**
- * Search the hx509_env for a length based key.
- *
- * @param context A hx509 context.
- * @param env environment to add the environment variable too.
- * @param key key to search for.
- * @param len length of key.
- *
- * @return the value if the key is found, NULL otherwise.
- *
- * @ingroup hx509_env
- */
-
-const char *
-hx509_env_lfind (
- hx509_context /*context*/,
- hx509_env /*env*/,
- const char */*key*/,
- size_t /*len*/);
-
-/**
- * Print error message and fatally exit from error code
- *
- * @param context A hx509 context.
- * @param exit_code exit() code from process.
- * @param error_code Error code for the reason to exit.
- * @param fmt format string with the exit message.
- * @param ... argument to format string.
- *
- * @ingroup hx509_error
- */
-
-void
-hx509_err (
- hx509_context /*context*/,
- int /*exit_code*/,
- int /*error_code*/,
- const char */*fmt*/,
- ...);
-
-hx509_private_key_ops *
-hx509_find_private_alg (const heim_oid */*oid*/);
-
-/**
- * Free error string returned by hx509_get_error_string().
- *
- * @param str error string to free.
- *
- * @ingroup hx509_error
- */
-
-void
-hx509_free_error_string (char */*str*/);
-
-/**
- * Free a list of octet strings returned by another hx509 library
- * function.
- *
- * @param list list to be freed.
- *
- * @ingroup hx509_misc
- */
-
-void
-hx509_free_octet_string_list (hx509_octet_string_list */*list*/);
-
-/**
- * Unparse the hx509 name in name into a string.
- *
- * @param name the name to print
- * @param str an allocated string returns the name in string form
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_name
- */
-
-int
-hx509_general_name_unparse (
- GeneralName */*name*/,
- char **/*str*/);
-
-/**
- * Get an error string from context associated with error_code.
- *
- * @param context A hx509 context.
- * @param error_code Get error message for this error code.
- *
- * @return error string, free with hx509_free_error_string().
- *
- * @ingroup hx509_error
- */
-
-char *
-hx509_get_error_string (
- hx509_context /*context*/,
- int /*error_code*/);
-
-/**
- * Get one random certificate from the certificate store.
- *
- * @param context a hx509 context.
- * @param certs a certificate store to get the certificate from.
- * @param c return certificate, should be freed with hx509_cert_free().
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_get_one_cert (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- hx509_cert */*c*/);
-
-int
-hx509_lock_add_cert (
- hx509_context /*context*/,
- hx509_lock /*lock*/,
- hx509_cert /*cert*/);
-
-int
-hx509_lock_add_certs (
- hx509_context /*context*/,
- hx509_lock /*lock*/,
- hx509_certs /*certs*/);
-
-int
-hx509_lock_add_password (
- hx509_lock /*lock*/,
- const char */*password*/);
-
-int
-hx509_lock_command_string (
- hx509_lock /*lock*/,
- const char */*string*/);
-
-void
-hx509_lock_free (hx509_lock /*lock*/);
-
-/**
- * @page page_lock Locking and unlocking certificates and encrypted data.
- *
- * See the library functions here: @ref hx509_lock
- */
-
-int
-hx509_lock_init (
- hx509_context /*context*/,
- hx509_lock */*lock*/);
-
-int
-hx509_lock_prompt (
- hx509_lock /*lock*/,
- hx509_prompt */*prompt*/);
-
-void
-hx509_lock_reset_certs (
- hx509_context /*context*/,
- hx509_lock /*lock*/);
-
-void
-hx509_lock_reset_passwords (hx509_lock /*lock*/);
-
-void
-hx509_lock_reset_promper (hx509_lock /*lock*/);
-
-int
-hx509_lock_set_prompter (
- hx509_lock /*lock*/,
- hx509_prompter_fct /*prompt*/,
- void */*data*/);
-
-/**
- * Convert a hx509_name object to DER encoded name.
- *
- * @param name name to concert
- * @param os data to a DER encoded name, free the resulting octet
- * string with hx509_xfree(os->data).
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_name
- */
-
-int
-hx509_name_binary (
- const hx509_name /*name*/,
- heim_octet_string */*os*/);
-
-/**
- * Compare to hx509 name object, useful for sorting.
- *
- * @param n1 a hx509 name object.
- * @param n2 a hx509 name object.
- *
- * @return 0 the objects are the same, returns > 0 is n2 is "larger"
- * then n2, < 0 if n1 is "smaller" then n2.
- *
- * @ingroup hx509_name
- */
-
-int
-hx509_name_cmp (
- hx509_name /*n1*/,
- hx509_name /*n2*/);
-
-/**
- * Copy a hx509 name object.
- *
- * @param context A hx509 cotext.
- * @param from the name to copy from
- * @param to the name to copy to
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_name
- */
-
-int
-hx509_name_copy (
- hx509_context /*context*/,
- const hx509_name /*from*/,
- hx509_name */*to*/);
-
-/**
- * Expands variables in the name using env. Variables are on the form
- * ${name}. Useful when dealing with certificate templates.
- *
- * @param context A hx509 cotext.
- * @param name the name to expand.
- * @param env environment variable to expand.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_name
- */
-
-int
-hx509_name_expand (
- hx509_context /*context*/,
- hx509_name /*name*/,
- hx509_env /*env*/);
-
-/**
- * Free a hx509 name object, upond return *name will be NULL.
- *
- * @param name a hx509 name object to be freed.
- *
- * @ingroup hx509_name
- */
-
-void
-hx509_name_free (hx509_name */*name*/);
-
-/**
- * Unparse the hx509 name in name into a string.
- *
- * @param name the name to check if its empty/null.
- *
- * @return non zero if the name is empty/null.
- *
- * @ingroup hx509_name
- */
-
-int
-hx509_name_is_null_p (const hx509_name /*name*/);
-
-int
-hx509_name_normalize (
- hx509_context /*context*/,
- hx509_name /*name*/);
-
-/**
- * Convert a hx509_name into a Name.
- *
- * @param from the name to copy from
- * @param to the name to copy to
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_name
- */
-
-int
-hx509_name_to_Name (
- const hx509_name /*from*/,
- Name */*to*/);
-
-/**
- * Convert the hx509 name object into a printable string.
- * The resulting string should be freed with free().
- *
- * @param name name to print
- * @param str the string to return
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_name
- */
-
-int
-hx509_name_to_string (
- const hx509_name /*name*/,
- char **/*str*/);
-
-/**
- * Create an OCSP request for a set of certificates.
- *
- * @param context a hx509 context
- * @param reqcerts list of certificates to request ocsp data for
- * @param pool certificate pool to use when signing
- * @param signer certificate to use to sign the request
- * @param digest the signing algorithm in the request, if NULL use the
- * default signature algorithm,
- * @param request the encoded request, free with free_heim_octet_string().
- * @param nonce nonce in the request, free with free_heim_octet_string().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_revoke
- */
-
-int
-hx509_ocsp_request (
- hx509_context /*context*/,
- hx509_certs /*reqcerts*/,
- hx509_certs /*pool*/,
- hx509_cert /*signer*/,
- const AlgorithmIdentifier */*digest*/,
- heim_octet_string */*request*/,
- heim_octet_string */*nonce*/);
-
-/**
- * Verify that the certificate is part of the OCSP reply and it's not
- * expired. Doesn't verify signature the OCSP reply or it's done by a
- * authorized sender, that is assumed to be already done.
- *
- * @param context a hx509 context
- * @param now the time right now, if 0, use the current time.
- * @param cert the certificate to verify
- * @param flags flags control the behavior
- * @param data pointer to the encode ocsp reply
- * @param length the length of the encode ocsp reply
- * @param expiration return the time the OCSP will expire and need to
- * be rechecked.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_verify
- */
-
-int
-hx509_ocsp_verify (
- hx509_context /*context*/,
- time_t /*now*/,
- hx509_cert /*cert*/,
- int /*flags*/,
- const void */*data*/,
- size_t /*length*/,
- time_t */*expiration*/);
-
-/**
- * Print a oid using a hx509_vprint_func function. To print to stdout
- * use hx509_print_stdout().
- *
- * @param oid oid to print
- * @param func hx509_vprint_func to print with.
- * @param ctx context variable to hx509_vprint_func function.
- *
- * @ingroup hx509_print
- */
-
-void
-hx509_oid_print (
- const heim_oid */*oid*/,
- hx509_vprint_func /*func*/,
- void */*ctx*/);
-
-/**
- * Print a oid to a string.
- *
- * @param oid oid to print
- * @param str allocated string, free with hx509_xfree().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_print
- */
-
-int
-hx509_oid_sprint (
- const heim_oid */*oid*/,
- char **/*str*/);
-
-/**
- * Parse a string into a hx509 name object.
- *
- * @param context A hx509 context.
- * @param str a string to parse.
- * @param name the resulting object, NULL in case of error.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_name
- */
-
-int
-hx509_parse_name (
- hx509_context /*context*/,
- const char */*str*/,
- hx509_name */*name*/);
-
-int
-hx509_parse_private_key (
- hx509_context /*context*/,
- const AlgorithmIdentifier */*keyai*/,
- const void */*data*/,
- size_t /*len*/,
- hx509_key_format_t /*format*/,
- hx509_private_key */*private_key*/);
-
-/**
- * Add an additional algorithm that the peer supports.
- *
- * @param context A hx509 context.
- * @param peer the peer to set the new algorithms for
- * @param val an AlgorithmsIdentier to add
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_peer
- */
-
-int
-hx509_peer_info_add_cms_alg (
- hx509_context /*context*/,
- hx509_peer_info /*peer*/,
- const AlgorithmIdentifier */*val*/);
-
-/**
- * Allocate a new peer info structure an init it to default values.
- *
- * @param context A hx509 context.
- * @param peer return an allocated peer, free with hx509_peer_info_free().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_peer
- */
-
-int
-hx509_peer_info_alloc (
- hx509_context /*context*/,
- hx509_peer_info */*peer*/);
-
-/**
- * Free a peer info structure.
- *
- * @param peer peer info to be freed.
- *
- * @ingroup hx509_peer
- */
-
-void
-hx509_peer_info_free (hx509_peer_info /*peer*/);
-
-/**
- * Set the certificate that remote peer is using.
- *
- * @param peer peer info to update
- * @param cert cerificate of the remote peer.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_peer
- */
-
-int
-hx509_peer_info_set_cert (
- hx509_peer_info /*peer*/,
- hx509_cert /*cert*/);
-
-/**
- * Set the algorithms that the peer supports.
- *
- * @param context A hx509 context.
- * @param peer the peer to set the new algorithms for
- * @param val array of supported AlgorithmsIdentiers
- * @param len length of array val.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_peer
- */
-
-int
-hx509_peer_info_set_cms_algs (
- hx509_context /*context*/,
- hx509_peer_info /*peer*/,
- const AlgorithmIdentifier */*val*/,
- size_t /*len*/);
-
-int
-hx509_pem_add_header (
- hx509_pem_header **/*headers*/,
- const char */*header*/,
- const char */*value*/);
-
-const char *
-hx509_pem_find_header (
- const hx509_pem_header */*h*/,
- const char */*header*/);
-
-void
-hx509_pem_free_header (hx509_pem_header */*headers*/);
-
-int
-hx509_pem_read (
- hx509_context /*context*/,
- FILE */*f*/,
- hx509_pem_read_func /*func*/,
- void */*ctx*/);
-
-int
-hx509_pem_write (
- hx509_context /*context*/,
- const char */*type*/,
- hx509_pem_header */*headers*/,
- FILE */*f*/,
- const void */*data*/,
- size_t /*size*/);
-
-/**
- * Print a simple representation of a certificate
- *
- * @param context A hx509 context, can be NULL
- * @param cert certificate to print
- * @param out the stdio output stream, if NULL, stdout is used
- *
- * @return An hx509 error code
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_print_cert (
- hx509_context /*context*/,
- hx509_cert /*cert*/,
- FILE */*out*/);
-
-/**
- * Helper function to print on stdout for:
- * - hx509_oid_print(),
- * - hx509_bitstring_print(),
- * - hx509_validate_ctx_set_print().
- *
- * @param ctx the context to the print function. If the ctx is NULL,
- * stdout is used.
- * @param fmt the printing format.
- * @param va the argumet list.
- *
- * @ingroup hx509_print
- */
-
-void
-hx509_print_stdout (
- void */*ctx*/,
- const char */*fmt*/,
- va_list /*va*/);
-
-int
-hx509_private_key2SPKI (
- hx509_context /*context*/,
- hx509_private_key /*private_key*/,
- SubjectPublicKeyInfo */*spki*/);
-
-void
-hx509_private_key_assign_rsa (
- hx509_private_key /*key*/,
- void */*ptr*/);
-
-int
-hx509_private_key_free (hx509_private_key */*key*/);
-
-int
-hx509_private_key_init (
- hx509_private_key */*key*/,
- hx509_private_key_ops */*ops*/,
- void */*keydata*/);
-
-int
-hx509_private_key_private_decrypt (
- hx509_context /*context*/,
- const heim_octet_string */*ciphertext*/,
- const heim_oid */*encryption_oid*/,
- hx509_private_key /*p*/,
- heim_octet_string */*cleartext*/);
-
-int
-hx509_prompt_hidden (hx509_prompt_type /*type*/);
-
-/**
- * Allocate an query controller. Free using hx509_query_free().
- *
- * @param context A hx509 context.
- * @param q return pointer to a hx509_query.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_query_alloc (
- hx509_context /*context*/,
- hx509_query **/*q*/);
-
-/**
- * Free the query controller.
- *
- * @param context A hx509 context.
- * @param q a pointer to the query controller.
- *
- * @ingroup hx509_cert
- */
-
-void
-hx509_query_free (
- hx509_context /*context*/,
- hx509_query */*q*/);
-
-/**
- * Set the query controller to match using a specific match function.
- *
- * @param q a hx509 query controller.
- * @param func function to use for matching, if the argument is NULL,
- * the match function is removed.
- * @param ctx context passed to the function.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_query_match_cmp_func (
- hx509_query */*q*/,
- int (*/*func*/)(hx509_context, hx509_cert, void *),
- void */*ctx*/);
-
-/**
- * Set the query controller to require an one specific EKU (extended
- * key usage). Any previous EKU matching is overwitten. If NULL is
- * passed in as the eku, the EKU requirement is reset.
- *
- * @param q a hx509 query controller.
- * @param eku an EKU to match on.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_query_match_eku (
- hx509_query */*q*/,
- const heim_oid */*eku*/);
-
-int
-hx509_query_match_expr (
- hx509_context /*context*/,
- hx509_query */*q*/,
- const char */*expr*/);
-
-/**
- * Set the query controller to match on a friendly name
- *
- * @param q a hx509 query controller.
- * @param name a friendly name to match on
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_query_match_friendly_name (
- hx509_query */*q*/,
- const char */*name*/);
-
-/**
- * Set the issuer and serial number of match in the query
- * controller. The function make copies of the isser and serial number.
- *
- * @param q a hx509 query controller
- * @param issuer issuer to search for
- * @param serialNumber the serialNumber of the issuer.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_query_match_issuer_serial (
- hx509_query */*q*/,
- const Name */*issuer*/,
- const heim_integer */*serialNumber*/);
-
-/**
- * Set match options for the hx509 query controller.
- *
- * @param q query controller.
- * @param option options to control the query controller.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-void
-hx509_query_match_option (
- hx509_query */*q*/,
- hx509_query_option /*option*/);
-
-/**
- * Set a statistic file for the query statistics.
- *
- * @param context A hx509 context.
- * @param fn statistics file name
- *
- * @ingroup hx509_cert
- */
-
-void
-hx509_query_statistic_file (
- hx509_context /*context*/,
- const char */*fn*/);
-
-/**
- * Unparse the statistics file and print the result on a FILE descriptor.
- *
- * @param context A hx509 context.
- * @param printtype tyep to print
- * @param out the FILE to write the data on.
- *
- * @ingroup hx509_cert
- */
-
-void
-hx509_query_unparse_stats (
- hx509_context /*context*/,
- int /*printtype*/,
- FILE */*out*/);
-
-void
-hx509_request_free (hx509_request */*req*/);
-
-int
-hx509_request_get_SubjectPublicKeyInfo (
- hx509_context /*context*/,
- hx509_request /*req*/,
- SubjectPublicKeyInfo */*key*/);
-
-int
-hx509_request_get_name (
- hx509_context /*context*/,
- hx509_request /*req*/,
- hx509_name */*name*/);
-
-int
-hx509_request_init (
- hx509_context /*context*/,
- hx509_request */*req*/);
-
-int
-hx509_request_set_SubjectPublicKeyInfo (
- hx509_context /*context*/,
- hx509_request /*req*/,
- const SubjectPublicKeyInfo */*key*/);
-
-int
-hx509_request_set_name (
- hx509_context /*context*/,
- hx509_request /*req*/,
- hx509_name /*name*/);
-
-/**
- * Add a CRL file to the revokation context.
- *
- * @param context hx509 context
- * @param ctx hx509 revokation context
- * @param path path to file that is going to be added to the context.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_revoke
- */
-
-int
-hx509_revoke_add_crl (
- hx509_context /*context*/,
- hx509_revoke_ctx /*ctx*/,
- const char */*path*/);
-
-/**
- * Add a OCSP file to the revokation context.
- *
- * @param context hx509 context
- * @param ctx hx509 revokation context
- * @param path path to file that is going to be added to the context.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_revoke
- */
-
-int
-hx509_revoke_add_ocsp (
- hx509_context /*context*/,
- hx509_revoke_ctx /*ctx*/,
- const char */*path*/);
-
-/**
- * Free a hx509 revokation context.
- *
- * @param ctx context to be freed
- *
- * @ingroup hx509_revoke
- */
-
-void
-hx509_revoke_free (hx509_revoke_ctx */*ctx*/);
-
-/**
- * Allocate a revokation context. Free with hx509_revoke_free().
- *
- * @param context A hx509 context.
- * @param ctx returns a newly allocated revokation context.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_revoke
- */
-
-int
-hx509_revoke_init (
- hx509_context /*context*/,
- hx509_revoke_ctx */*ctx*/);
-
-/**
- * Print the OCSP reply stored in a file.
- *
- * @param context a hx509 context
- * @param path path to a file with a OCSP reply
- * @param out the out FILE descriptor to print the reply on
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_revoke
- */
-
-int
-hx509_revoke_ocsp_print (
- hx509_context /*context*/,
- const char */*path*/,
- FILE */*out*/);
-
-int
-hx509_revoke_print (
- hx509_context /*context*/,
- hx509_revoke_ctx /*ctx*/,
- FILE */*out*/);
-
-/**
- * Check that a certificate is not expired according to a revokation
- * context. Also need the parent certificte to the check OCSP
- * parent identifier.
- *
- * @param context hx509 context
- * @param ctx hx509 revokation context
- * @param certs
- * @param now
- * @param cert
- * @param parent_cert
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_revoke
- */
-
-int
-hx509_revoke_verify (
- hx509_context /*context*/,
- hx509_revoke_ctx /*ctx*/,
- hx509_certs /*certs*/,
- time_t /*now*/,
- hx509_cert /*cert*/,
- hx509_cert /*parent_cert*/);
-
-/**
- * See hx509_set_error_stringv().
- *
- * @param context A hx509 context.
- * @param flags
- * - HX509_ERROR_APPEND appends the error string to the old messages
- (code is updated).
- * @param code error code related to error message
- * @param fmt error message format
- * @param ... arguments to error message format
- *
- * @ingroup hx509_error
- */
-
-void
-hx509_set_error_string (
- hx509_context /*context*/,
- int /*flags*/,
- int /*code*/,
- const char */*fmt*/,
- ...);
-
-/**
- * Add an error message to the hx509 context.
- *
- * @param context A hx509 context.
- * @param flags
- * - HX509_ERROR_APPEND appends the error string to the old messages
- (code is updated).
- * @param code error code related to error message
- * @param fmt error message format
- * @param ap arguments to error message format
- *
- * @ingroup hx509_error
- */
-
-void
-hx509_set_error_stringv (
- hx509_context /*context*/,
- int /*flags*/,
- int /*code*/,
- const char */*fmt*/,
- va_list /*ap*/);
-
-const AlgorithmIdentifier *
-hx509_signature_ecPublicKey (void);
-
-const AlgorithmIdentifier *
-hx509_signature_ecdsa_with_sha256 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_md5 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_rsa (void);
-
-const AlgorithmIdentifier *
-hx509_signature_rsa_pkcs1_x509 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_rsa_with_md5 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_rsa_with_sha1 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_rsa_with_sha256 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_rsa_with_sha384 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_rsa_with_sha512 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_sha1 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_sha256 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_sha384 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_sha512 (void);
-
-/**
- * Convert a DER encoded name info a string.
- *
- * @param data data to a DER/BER encoded name
- * @param length length of data
- * @param str the resulting string, is NULL on failure.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_name
- */
-
-int
-hx509_unparse_der_name (
- const void */*data*/,
- size_t /*length*/,
- char **/*str*/);
-
-/**
- * Validate/Print the status of the certificate.
- *
- * @param context A hx509 context.
- * @param ctx A hx509 validation context.
- * @param cert the cerificate to validate/print.
-
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_print
- */
-
-int
-hx509_validate_cert (
- hx509_context /*context*/,
- hx509_validate_ctx /*ctx*/,
- hx509_cert /*cert*/);
-
-/**
- * Add flags to control the behaivor of the hx509_validate_cert()
- * function.
- *
- * @param ctx A hx509 validation context.
- * @param flags flags to add to the validation context.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_print
- */
-
-void
-hx509_validate_ctx_add_flags (
- hx509_validate_ctx /*ctx*/,
- int /*flags*/);
-
-/**
- * Free an hx509 validate context.
- *
- * @param ctx the hx509 validate context to free.
- *
- * @ingroup hx509_print
- */
-
-void
-hx509_validate_ctx_free (hx509_validate_ctx /*ctx*/);
-
-/**
- * Allocate a hx509 validation/printing context.
- *
- * @param context A hx509 context.
- * @param ctx a new allocated hx509 validation context, free with
- * hx509_validate_ctx_free().
-
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_print
- */
-
-int
-hx509_validate_ctx_init (
- hx509_context /*context*/,
- hx509_validate_ctx */*ctx*/);
-
-/**
- * Set the printing functions for the validation context.
- *
- * @param ctx a hx509 valication context.
- * @param func the printing function to usea.
- * @param c the context variable to the printing function.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_print
- */
-
-void
-hx509_validate_ctx_set_print (
- hx509_validate_ctx /*ctx*/,
- hx509_vprint_func /*func*/,
- void */*c*/);
-
-/**
- * Set the trust anchors in the verification context, makes an
- * reference to the keyset, so the consumer can free the keyset
- * independent of the destruction of the verification context (ctx).
- * If there already is a keyset attached, it's released.
- *
- * @param ctx a verification context
- * @param set a keyset containing the trust anchors.
- *
- * @ingroup hx509_verify
- */
-
-void
-hx509_verify_attach_anchors (
- hx509_verify_ctx /*ctx*/,
- hx509_certs /*set*/);
-
-/**
- * Attach an revocation context to the verfication context, , makes an
- * reference to the revoke context, so the consumer can free the
- * revoke context independent of the destruction of the verification
- * context. If there is no revoke context, the verification process is
- * NOT going to check any verification status.
- *
- * @param ctx a verification context.
- * @param revoke_ctx a revoke context.
- *
- * @ingroup hx509_verify
- */
-
-void
-hx509_verify_attach_revoke (
- hx509_verify_ctx /*ctx*/,
- hx509_revoke_ctx /*revoke_ctx*/);
-
-void
-hx509_verify_ctx_f_allow_best_before_signature_algs (
- hx509_context /*ctx*/,
- int /*boolean*/);
-
-/**
- * Allow using the operating system builtin trust anchors if no other
- * trust anchors are configured.
- *
- * @param ctx a verification context
- * @param boolean if non zero, useing the operating systems builtin
- * trust anchors.
- *
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-void
-hx509_verify_ctx_f_allow_default_trustanchors (
- hx509_verify_ctx /*ctx*/,
- int /*boolean*/);
-
-/**
- * Free an hx509 verification context.
- *
- * @param ctx the context to be freed.
- *
- * @ingroup hx509_verify
- */
-
-void
-hx509_verify_destroy_ctx (hx509_verify_ctx /*ctx*/);
-
-/**
- * Verify that the certificate is allowed to be used for the hostname
- * and address.
- *
- * @param context A hx509 context.
- * @param cert the certificate to match with
- * @param flags Flags to modify the behavior:
- * - HX509_VHN_F_ALLOW_NO_MATCH no match is ok
- * @param type type of hostname:
- * - HX509_HN_HOSTNAME for plain hostname.
- * - HX509_HN_DNSSRV for DNS SRV names.
- * @param hostname the hostname to check
- * @param sa address of the host
- * @param sa_size length of address
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_verify_hostname (
- hx509_context /*context*/,
- const hx509_cert /*cert*/,
- int /*flags*/,
- hx509_hostname_type /*type*/,
- const char */*hostname*/,
- const struct sockaddr */*sa*/,
- int /*sa_size*/);
-
-/**
- * Allocate an verification context that is used fo control the
- * verification process.
- *
- * @param context A hx509 context.
- * @param ctx returns a pointer to a hx509_verify_ctx object.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_verify
- */
-
-int
-hx509_verify_init_ctx (
- hx509_context /*context*/,
- hx509_verify_ctx */*ctx*/);
-
-/**
- * Build and verify the path for the certificate to the trust anchor
- * specified in the verify context. The path is constructed from the
- * certificate, the pool and the trust anchors.
- *
- * @param context A hx509 context.
- * @param ctx A hx509 verification context.
- * @param cert the certificate to build the path from.
- * @param pool A keyset of certificates to build the chain from.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_verify
- */
-
-int
-hx509_verify_path (
- hx509_context /*context*/,
- hx509_verify_ctx /*ctx*/,
- hx509_cert /*cert*/,
- hx509_certs /*pool*/);
-
-/**
- * Set the maximum depth of the certificate chain that the path
- * builder is going to try.
- *
- * @param ctx a verification context
- * @param max_depth maxium depth of the certificate chain, include
- * trust anchor.
- *
- * @ingroup hx509_verify
- */
-
-void
-hx509_verify_set_max_depth (
- hx509_verify_ctx /*ctx*/,
- unsigned int /*max_depth*/);
-
-/**
- * Allow or deny the use of proxy certificates
- *
- * @param ctx a verification context
- * @param boolean if non zero, allow proxy certificates.
- *
- * @ingroup hx509_verify
- */
-
-void
-hx509_verify_set_proxy_certificate (
- hx509_verify_ctx /*ctx*/,
- int /*boolean*/);
-
-/**
- * Select strict RFC3280 verification of certificiates. This means
- * checking key usage on CA certificates, this will make version 1
- * certificiates unuseable.
- *
- * @param ctx a verification context
- * @param boolean if non zero, use strict verification.
- *
- * @ingroup hx509_verify
- */
-
-void
-hx509_verify_set_strict_rfc3280_verification (
- hx509_verify_ctx /*ctx*/,
- int /*boolean*/);
-
-/**
- * Set the clock time the the verification process is going to
- * use. Used to check certificate in the past and future time. If not
- * set the current time will be used.
- *
- * @param ctx a verification context.
- * @param t the time the verifiation is using.
- *
- *
- * @ingroup hx509_verify
- */
-
-void
-hx509_verify_set_time (
- hx509_verify_ctx /*ctx*/,
- time_t /*t*/);
-
-/**
- * Verify a signature made using the private key of an certificate.
- *
- * @param context A hx509 context.
- * @param signer the certificate that made the signature.
- * @param alg algorthm that was used to sign the data.
- * @param data the data that was signed.
- * @param sig the sigature to verify.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_crypto
- */
-
-int
-hx509_verify_signature (
- hx509_context /*context*/,
- const hx509_cert /*signer*/,
- const AlgorithmIdentifier */*alg*/,
- const heim_octet_string */*data*/,
- const heim_octet_string */*sig*/);
-
-/**
- * Free a data element allocated in the library.
- *
- * @param ptr data to be freed.
- *
- * @ingroup hx509_misc
- */
-
-void
-hx509_xfree (void */*ptr*/);
-
-int
-yywrap (void);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* DOXY */
-#endif /* __hx509_protos_h__ */
diff --git a/lib/hx509/hx509.h b/lib/hx509/hx509.h
index 781f4a59cc73..6bd36e98b157 100644
--- a/lib/hx509/hx509.h
+++ b/lib/hx509/hx509.h
@@ -37,6 +37,7 @@
#define HEIMDAL_HX509_H 1
#include <rfc2459_asn1.h>
+#include <rfc4108_asn1.h>
#include <stdarg.h>
#include <stdio.h>
#include <heimbase.h>
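Review bot: Adding `#include <rfc4108_asn1.h>` to the public hx509.h makes that generated header part of the installed interface, so every consumer of hx509.h now needs it on its include path. Confirm it is installed next to rfc2459_asn1.h (the Makefile.am changes in this commit are where that would show), and consider whether hx509.h really needs the full header for the HardwareModuleName support or whether the dependency can stay in hx_locl.h, which this same commit already extends.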
@@ -64,6 +65,29 @@ typedef struct hx509_crl *hx509_crl;
typedef void (*hx509_vprint_func)(void *, const char *, va_list);
+typedef enum {
+ HX509_SAN_TYPE_UNSUPPORTED = 0,
+ /* The following correspond to the enum GeneralName_enum values: */
+ HX509_SAN_TYPE_EMAIL = 2,
+ HX509_SAN_TYPE_DNSNAME = 3,
+ HX509_SAN_TYPE_DN = 4,
+ HX509_SAN_TYPE_REGISTERED_ID = 7,
+ /*
+ * Missing support for:
+ * - URI SANs
+ * - IP address SANs
+ * - various otherName SANs we know about (e.g., DNSSRV)
+ *
+ * The following are otherName SAN types, and assigned manually here:
+ */
+ HX509_SAN_TYPE_XMPP = 32,
+ HX509_SAN_TYPE_PKINIT = 33,
+ HX509_SAN_TYPE_MS_UPN = 34,
+ HX509_SAN_TYPE_DNSSRV = 35, /* SRVName [RFC4985] */
+ HX509_SAN_TYPE_PERMANENT_ID = 36, /* PermanentIdentifier [RFC4043] */
+ HX509_SAN_TYPE_HW_MODULE = 37, /* HardwareModuleName [RFC4108] */
+} hx509_san_type;
+
enum {
HX509_VHN_F_ALLOW_NO_MATCH = 1
};
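Review bot: The coupling stated on the comment line "The following correspond to the enum GeneralName_enum values" is load-bearing but unchecked: if the generated GeneralName choice numbering ever changes, HX509_SAN_TYPE_EMAIL through HX509_SAN_TYPE_REGISTERED_ID silently stop matching. A compile-time check in the implementation file that relies on the mapping, e.g. `_Static_assert(HX509_SAN_TYPE_DNSNAME == choice_GeneralName_dNSName, "hx509_san_type drifted from GeneralName_enum");`, would catch that at build time. The typedef also lacks a Doxygen block; something like `/** Kinds of SubjectAltName hx509 can match; 2..7 mirror the generated GeneralName choice numbering, 32 and up are otherName types assigned by hx509. URI and IP-address SANs are presumably reported as HX509_SAN_TYPE_UNSUPPORTED. */` would tell consumers that UNSUPPORTED is an ordinary value they must handle, not an error.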
@@ -81,7 +105,8 @@ enum {
enum {
HX509_KEY_FORMAT_GUESS = 0,
HX509_KEY_FORMAT_DER = 1,
- HX509_KEY_FORMAT_WIN_BACKUPKEY = 2
+ HX509_KEY_FORMAT_WIN_BACKUPKEY = 2,
+ HX509_KEY_FORMAT_PKCS8 = 3,
};
typedef uint32_t hx509_key_format_t;
@@ -133,6 +158,12 @@ typedef enum {
/* flags to hx509_certs_init */
#define HX509_CERTS_CREATE 0x01
#define HX509_CERTS_UNPROTECT_ALL 0x02
+#define HX509_CERTS_NO_PRIVATE_KEYS 0x04
+
+/* flags to hx509_certs_store */
+#define HX509_CERTS_STORE_NO_PRIVATE_KEYS 0x04
+#define HX509_CERTS_STORE_NO_ROOTS 0x08
+
/* flags to hx509_set_error_string */
#define HX509_ERROR_APPEND 0x01
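Review bot: `HX509_CERTS_STORE_NO_PRIVATE_KEYS` is given the same value 0x04 as the new `HX509_CERTS_NO_PRIVATE_KEYS` in the hx509_certs_init flag set just above, while `HX509_CERTS_STORE_NO_ROOTS` takes 0x08. If the overlap is deliberate so that one bit means "no private keys" in both calls, the comment should say so; if not, distinct bits would let a flag passed to the wrong function be rejected rather than silently reinterpreted. A one-line comment such as `/* shares bit 0x04 with HX509_CERTS_NO_PRIVATE_KEYS on purpose */` removes the ambiguity for whoever extends either set next.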
@@ -152,6 +183,9 @@ typedef enum {
#define HX509_CMS_VS_ALLOW_ZERO_SIGNER 0x04
#define HX509_CMS_VS_NO_VALIDATE 0x08
+/* flags from hx509_cms_verify_signed_ext (out verify_flags) */
+#define HX509_CMS_VSE_VALIDATED 0x01
+
/* selectors passed to hx509_crypto_select and hx509_crypto_available */
#define HX509_SELECT_ALL 0
#define HX509_SELECT_DIGEST 1
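Review bot: `HX509_CMS_VSE_VALIDATED` is an output flag whose meaning a caller has to guess from the name; since the input set on the lines above includes `HX509_CMS_VS_NO_VALIDATE`, the natural reading is that the bit reports whether signer-chain validation actually ran, which is exactly the kind of fact a caller making a trust decision must not misread. A comment on the define stating what was validated and under which inputs the bit stays clear, e.g. `/* set when the signer certificate chain was validated; clear when HX509_CMS_VS_NO_VALIDATE was given */`, would pin that down, with the exact conditions confirmed against the cms.c implementation in this commit.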
@@ -167,6 +201,7 @@ typedef enum {
#define HX509_CA_TEMPLATE_SPKI 16
#define HX509_CA_TEMPLATE_KU 32
#define HX509_CA_TEMPLATE_EKU 64
+#define HX509_CA_TEMPLATE_PKINIT_MAX_LIFE 128
/* flags hx509_cms_create_signed* */
#define HX509_CMS_SIGNATURE_DETACHED 0x01
diff --git a/lib/hx509/hx509_err.et b/lib/hx509/hx509_err.et
index f0a27e83620c..db81f5d294b0 100644
--- a/lib/hx509/hx509_err.et
+++ b/lib/hx509/hx509_err.et
@@ -36,6 +36,7 @@ error_code NAME_MALFORMED, "Name is malformed"
error_code CERTIFICATE_MALFORMED, "Certificate is malformed"
error_code CERTIFICATE_MISSING_EKU, "Certificate is missing a required EKU"
error_code PROXY_CERTIFICATE_NOT_CANONICALIZED, "Proxy certificate not canonicalized"
+error_code NO_ITEM, "No such item / iteration end"
# cms related errors
index 32
diff --git a/lib/hx509/hx_locl.h b/lib/hx509/hx_locl.h
index 44d241f350ae..d653f7d98ece 100644
--- a/lib/hx509/hx_locl.h
+++ b/lib/hx509/hx_locl.h
@@ -59,6 +59,7 @@
#include <krb5-types.h>
#include <rfc2459_asn1.h>
+#include <rfc4108_asn1.h>
#include <cms_asn1.h>
#include <pkcs8_asn1.h>
#include <pkcs9_asn1.h>
@@ -70,6 +71,13 @@
#include <der.h>
+#ifndef O_CLOEXEC
+#define O_CLOEXEC 0
+#endif
+#ifndef O_BINARY
+#define O_BINARY 0
+#endif
+
/*
* We use OpenSSL for EC, but to do this we need to disable cross-references
* between OpenSSL and hcrypto bn.h and such. Source files that use OpenSSL EC
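Review bot: Defining `O_CLOEXEC` as `0` when the platform lacks it silently changes semantics rather than failing to build: any `open()` in hx509 that passes `O_CLOEXEC` (presumably the file keystore code elsewhere in this import) will, on such a platform, leave the descriptor inheritable across `exec`, so files holding private keys stay open in child processes. A comment on the fallback should say so, e.g. `/* No O_CLOEXEC: descriptors opened with it are inherited by children; use fcntl(F_SETFD, FD_CLOEXEC) where that matters */`. The same "fallback to 0" shape is used for `O_BINARY`, where it is harmless, which makes the `O_CLOEXEC` case easy to misread as equally harmless.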
@@ -180,6 +188,7 @@ struct hx509_keyset_ops {
void *, int (*)(void *, const char *), void *);
int (*getkeys)(hx509_context, hx509_certs, void *, hx509_private_key **);
int (*addkey)(hx509_context, hx509_certs, void *, hx509_private_key);
+ int (*destroy)(hx509_context, hx509_certs, void *);
};
struct _hx509_password {
@@ -200,6 +209,8 @@ struct hx509_context_data {
struct et_list *et_list;
char *querystat;
hx509_certs default_trust_anchors;
+ heim_context hcontext;
+ heim_config_section *cf;
};
/* _hx509_calculate_path flag field */
diff --git a/lib/hx509/hxtool-commands.in b/lib/hx509/hxtool-commands.in
index 49e392d038ef..1bd0119ad724 100644
--- a/lib/hx509/hxtool-commands.in
+++ b/lib/hx509/hxtool-commands.in
@@ -33,6 +33,13 @@
/* $Id$ */
command = {
+ name = "list-oids"
+ help = "List known OIDs"
+ function = "hxtool_list_oids"
+ min_args="0"
+ max_args="0"
+}
+command = {
name = "cms-create-sd"
name = "cms-sign"
option = {
@@ -171,6 +178,11 @@ command = {
type = "string"
help = "file containing content"
}
+ option = {
+ long = "oid-sym"
+ type = "flag"
+ help = "show symbolic name for OID"
+ }
min_args="1"
max_args="2"
argument="in-file [out-file]"
@@ -305,6 +317,11 @@ command = {
help = "print the content of the certificates"
}
option = {
+ long = "raw-json"
+ type = "flag"
+ help = "print the DER content of the certificates as JSON"
+ }
+ option = {
long = "never-fail"
type = "flag"
help = "never fail with an error code"
@@ -346,6 +363,21 @@ command = {
argument = "password"
help = "password, prompter, or environment"
}
+ option = {
+ long = "append"
+ type = "flag"
+ help = "append source to destination"
+ }
+ option = {
+ long = "root-certs"
+ type = "-flag"
+ help = "do not copy root certificates"
+ }
+ option = {
+ long = "private-keys"
+ type = "-flag"
+ help = "do not copy private keys"
+ }
min_args="2"
argument="in-certificates-1 ... out-certificate"
help = "Copy in certificates stores into out certificate store"
@@ -420,6 +452,28 @@ command = {
help = "Print the OCSP/CRL files"
}
command = {
+ name = "generate-key"
+ option = {
+ long = "type"
+ type = "string"
+ help = "keytype"
+ }
+ option = {
+ long = "key-bits"
+ type = "integer"
+ help = "number of bits in the generated key";
+ }
+ option = {
+ long = "verbose"
+ type = "flag"
+ help = "verbose status"
+ }
+ min_args="1"
+ max_args="1"
+ argument="output-file"
+ help = "Generate a private key"
+}
+command = {
name = "request-create"
option = {
long = "subject"
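Review bot: The `key-bits` option of the new `generate-key` command ends its help value with a stray semicolon, `help = "number of bits in the generated key";`, which no other option in this file uses; even if the slc grammar tolerates it, it is an inconsistency that will be copied. Change it to `help = "number of bits in the generated key"`. Since the option is an `integer` with no `default` given, the help text might also say what is used when it is omitted, if the implementation has a default.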
@@ -427,16 +481,47 @@ command = {
help = "Subject DN"
}
option = {
+ long = "eku"
+ type = "strings"
+ argument = "oid-string"
+ help = "Add Extended Key Usage OID"
+ }
+ option = {
long = "email"
type = "strings"
help = "Email address in SubjectAltName"
}
option = {
+ long = "jid"
+ type = "strings"
+ help = "XMPP (Jabber) address in SubjectAltName"
+ }
+ option = {
long = "dnsname"
type = "strings"
help = "Hostname or domainname in SubjectAltName"
}
option = {
+ long = "kerberos"
+ type = "strings"
+ help = "Kerberos principal name as SubjectAltName"
+ }
+ option = {
+ long = "ms-kerberos"
+ type = "strings"
+ help = "Kerberos principal name as SubjectAltName (Microsoft variant)"
+ }
+ option = {
+ long = "registered"
+ type = "strings"
+ help = "Registered object ID as SubjectAltName"
+ }
+ option = {
+ long = "dn"
+ type = "strings"
+ help = "Directory name as SubjectAltName"
+ }
+ option = {
long = "type"
type = "string"
help = "Type of request CRMF or PKCS10, defaults to PKCS10"
@@ -547,6 +632,11 @@ command = {
type = "string"
help = "type of CMS algorithm"
}
+ option = {
+ long = "oid-syms"
+ type = "flag"
+ help = "show symbolic names for OIDs"
+ }
name = "crypto-available"
min_args="0"
help = "Print available CMS crypto types"
@@ -567,6 +657,11 @@ command = {
type = "strings"
help = "peer limiting cmstypes"
}
+ option = {
+ long = "oid-sym"
+ type = "flag"
+ help = "show symbolic name for OID"
+ }
name = "crypto-select"
min_args="0"
help = "Print selected CMS type"
@@ -651,11 +746,27 @@ command = {
help = "Maximum path length (CA and proxy certificates), -1 no limit"
}
option = {
+ long = "eku"
+ type = "strings"
+ argument = "oid-string"
+ help = "Add Extended Key Usage OID"
+ }
+ option = {
+ long = "ku"
+ type = "strings"
+ help = "Key Usage (digitalSignature, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly)"
+ }
+ option = {
long = "hostname"
type = "strings"
help = "DNS names this certificate is allowed to serve"
}
option = {
+ long = "dnssrv"
+ type = "strings"
+ help = "DNS SRV names this certificate is allowed to serve"
+ }
+ option = {
long = "email"
type = "strings"
help = "email addresses assigned to this certificate"
@@ -676,6 +787,31 @@ command = {
help = "XMPP jabber id (for SAN)"
}
option = {
+ long = "permanent-id"
+ type = "string"
+ help = "PermanentIdentifier ([oid]:[serial])"
+ }
+ option = {
+ long = "hardware-module-name"
+ type = "string"
+ help = "HardwareModuleName (oid:serial)"
+ }
+ option = {
+ long = "policy"
+ type = "strings"
+ help = "Certificate Policy OID and optional URI and/or notice (OID:URI<space>notice_text)"
+ }
+ option = {
+ long = "policy-mapping"
+ type = "strings"
+ help = "Certificate Policy mapping (OID:OID)"
+ }
+ option = {
+ long = "pkinit-max-life"
+ type = "string"
+ help = "maximum Kerberos ticket lifetime extension for PKINIT"
+ }
+ option = {
long = "req"
type = "string"
help = "certificate request"
@@ -773,6 +909,160 @@ command = {
help = "Create a CRL"
}
command = {
+ option = {
+ long = "verbose"
+ short = "v"
+ type = "flag"
+ help = "verbose"
+ }
+ option = {
+ long = "end-entity"
+ type = "flag"
+ help = "check the first EE certificate in the store"
+ }
+ option = {
+ long = "ca"
+ type = "flag"
+ help = "check the first CA certificate in the store"
+ }
+ option = {
+ long = "cert-num"
+ type = "integer"
+ default = "-1"
+ help = "check the nth certificate in the store"
+ }
+ option = {
+ long = "expr"
+ type = "string"
+ argument = "expression"
+ help = "test the first certificate matching expression"
+ }
+ option = {
+ long = "has-email-san"
+ short = "M"
+ type = "strings"
+ argument = "email-address"
+ help = "check that cert has email SAN"
+ }
+ option = {
+ long = "has-xmpp-san"
+ type = "strings"
+ short = "X"
+ argument = "jabber address"
+ help = "check that cert has XMPP SAN"
+ }
+ option = {
+ long = "has-ms-upn-san"
+ short = "U"
+ type = "strings"
+ argument = "UPN"
+ help = "check that cert has UPN SAN"
+ }
+ option = {
+ long = "has-dnsname-san"
+ short = "D"
+ type = "strings"
+ argument = "domainname"
+ help = "check that cert has domainname SAN"
+ }
+ option = {
+ long = "has-pkinit-san"
+ short = "P"
+ type = "strings"
+ argument = "Kerberos principal name"
+ help = "check that cert has PKINIT SAN"
+ }
+ option = {
+ long = "has-registeredID-san"
+ short = "R"
+ type = "strings"
+ argument = "OID"
+ help = "check that cert has registeredID SAN"
+ }
+ option = {
+ long = "has-eku"
+ short = "E"
+ type = "strings"
+ argument = "OID"
+ help = "check that cert has EKU"
+ }
+ option = {
+ long = "has-ku"
+ short = "K"
+ type = "strings"
+ argument = "key usage element"
+ help = "check that cert has key usage"
+ }
+ option = {
+ long = "exact"
+ type = "flag"
+ help = "check that cert has only given SANs/EKUs/KUs"
+ }
+ option = {
+ long = "valid-now"
+ short = "n"
+ type = "flag"
+ help = "check that current time is in certicate's validity period"
+ }
+ option = {
+ long = "valid-at"
+ type = "string"
+ argument = "datetime"
+ help = "check that the certificate is valid at given time"
+ }
+ option = {
+ long = "not-after-eq"
+ type = "string"
+ argument = "datetime"
+ help = "check that the certificate's notAfter is as given"
+ }
+ option = {
+ long = "not-after-lt"
+ type = "string"
+ argument = "datetime"
+ help = "check that the certificate's notAfter is before the given time"
+ }
+ option = {
+ long = "not-after-gt"
+ type = "string"
+ argument = "datetime"
+ help = "check that the certificate's notAfter is after the given time"
+ }
+ option = {
+ long = "not-before-eq"
+ type = "string"
+ argument = "datetime"
+ help = "check that the certificate's notBefore is as given"
+ }
+ option = {
+ long = "not-before-lt"
+ type = "string"
+ argument = "datetime"
+ help = "check that the certificate's notBefore is before the given time"
+ }
+ option = {
+ long = "not-before-gt"
+ type = "string"
+ argument = "datetime"
+ help = "check that the certificate's notBefore is after the given time"
+ }
+ option = {
+ long = "has-private-key"
+ type = "flag"
+ help = "check that the certificate has a private key"
+ }
+ option = {
+ long = "lacks-private-key"
+ type = "flag"
+ help = "check that the certificate does not have a private key"
+ }
+ name = "acert"
+ min_args = "1"
+ max_args = "1"
+ argument = "certificate-store"
+ help = "Assert certificate content"
+}
+command = {
name = "help"
name = "?"
argument = "[command]"
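Review bot: The `valid-now` option of the new `acert` command has a typo in a user-visible help string: `help = "check that current time is in certicate's validity period"` should read `help = "check that current time is in certificate's validity period"`. As a point of style, `has-xmpp-san` places `short = "X"` after `type`, while every other option in this block puts `short` directly after `long`; reordering keeps the block uniform. The `--exact` help refers to "SANs/EKUs/KUs", so it would help to state whether it also constrains the private-key and validity checks or only the has-* sets.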
diff --git a/lib/hx509/hxtool.1 b/lib/hx509/hxtool.1
new file mode 100644
index 000000000000..040573f4cde9
--- /dev/null
+++ b/lib/hx509/hxtool.1
@@ -0,0 +1,380 @@
+.\" Copyright (c) 2022 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 22, 2022
+.Dt HXTOOL 1
+.Os HEIMDAL
+.Sh NAME
+.Nm hxtool
+.Nd PKIX command-line utility
+.Sh SYNOPSIS
+.Nm
+.Bk -words
+.Oo Fl Fl version Oc
+.Oo Fl Fl help Oc
+.Op Ar sub-command
+.Ek
+.Sh DESCRIPTION
+.Nm
+is a utility for making certificate sigining requests (CSRs),
+displaying CSRs, signing certificates, etc.
+are given, then the value will be parsed and displayed using just
+the self-describing nature of DER.
+.Pp
+All sub-commands have their own help message, shown when invoked
+with the
+.Fl Fl help
+or
+.Fl h
+option.
+.Pp
+Supported commands:
+.Bl -tag -width Ds -offset indent
+.It help
+.It list-oids
+.It verify
+Verify a certificate and its certification path up to a trust
+anchor, possibly checking CRLs.
+.It print
+Prints a human-readable rendering of certificates in a store.
+See
+.Sx CERTIFICATE STORES.
+.It validate
+Validate a certificate (but not a full chain).
+.It certificate-copy, cc
+Copy ceritificates and possibly private keys from one store to
+another.
+See
+.Sx CERTIFICATE STORES.
+.It ocsp-fetch
+Fetch an OCSP response.
+.It ocsp-verify
+Fetch an OCSP response chain.
+.It ocsp-print
+Prints a human-readable rendering of an OCSP response chain.
+.It revoke-print
+Prints a human-readable rendering of a CRL or OCSP response
+chain.
+.It generate-key
+Generates a private key.
+.It request-create
+Generates a Certificate Signing Request (CSR).
+.It request-print
+Prints a human-readable rendering of a CSR.
+.It query
+Queries a certificate store.
+.It info
+Prints information about supported algorithms.
+.It random-data
+Outputs entropy using a random number generator.
+.It crypto-available
+Tests if a cryptographic algorithm is available.
+.It crypto-select
+Selects a supported cryptographic algorithm given a peer's
+capabilities.
+.It hex
+Hex-encode/decode utility.
+.It certificate-sign, cert-sign, issue-certificate, ca
+Issue a certificate.
+.It crl-sign
+Sign a CRL.
+.It cms-create-sd, cms-sign
+Created a CMS SignedData.
+.It cms-verify-sd
+Verifies a CMS SignedData.
+.It cms-unenvelope
+Extracts enveloped data from a CMS SignedData.
+.It cms-envelope
+Creates an enveloped CMS SignedData.
+.El
+Other sub-commands reported by the
+.Nm help
+sub-command are not stable or fully supported at this time.
+.Sh CERTIFICATE STORES
+Stores of certificates and/or keys have string names that can be
+used with
+.Nm 's
+commands as well as in various configuration parameters and
+command-line arguments of Heimdal's Kerberos implementation (for
+PKINIT).
+.Pp
+For example,
+.Ql FILE:/path/to/file ,
+.Ql PEM-FILE:/path/to/file ,
+.Ql DER-FILE:/path/to/file ,
+etc.
+See below for a full list of store types.
+.Pp
+A certificate store name starts with a store TYPE followed by a
+colon followed by a name of form specific to that store type.
+.Pp
+Private keys can be stored in the same stores as the certificates
+that certify their public keys.
+.Pp
+Private keys can also be stored in separate files, but still be
+referenced in one certificate store name by joining two with a
+comma:
+.Ql FILE:/path/to/certificate,/path/to/private/key
+.
+.Pp
+Heimdal supports a variety of certificate and private key store
+types:
+.Bl -tag -width Ds -offset indent
+.It PEM-FILE:/path
+If writing, PEM will be written (private keys may be written in
+algorithm-specific formats or in PKCS#8).
+If reading, PEM will be expected (private keys may be in
+algorithm-specific formats or in PKCS#8).
+.It DER-FILE:/path
+If writing, DER will be written.
+If reading, DER will be expected.
+Private keys will be in algorithm-specific formats.
+.It FILE:/path
+If writing, PEM will be written as if
+.Ql PEM-FILE
+had been used.
+If reading, PEM or DER will be detected and read as if
+.Ql PEM-FILE
+or
+.Ql DER-FILE
+had been used.
+.It PKCS12:/path
+If writing, PKCS#12 will be written.
+If reading, PKCS#12 will be expected.
+Note that PKCS#12 support is currently very limited.
+.It DIR:/path
+OpenSSL-style hashed directory of trust anchors.
+.It KEYCHAIN:system-anchors
+On OS X this refers to the system's trust anchors.
+.It KEYCHAIN:FILE:/path
+On OS X this refers to an OS X keychain at the given path.
+.It PKCS11:/path/to/shared/object[,slot=NUMBER]
+Loads the given PKCS#11 provider object and uses the token at the
+given slot number, or else the first token found.
+.It NULL:
+An empty store.
+.It MEMORY:name
+An in-memory only, ephemeral store, usually never used in
+.NM 's
+commands.
+The MEMORY store name exists primarily for internal
+.Sq hx509
+APIs.
+.El
+.Pp
+Use the
+.Nm certificate-copy
+command to copy certificates from one store to another.
+This is useful for, e.g., converting DER files to PEM or
+vice-versa, removing private keys, adding certificate chains,
+and removing root certificates from chains.
+.Sh CERTIFICATES
+You can validate a certificate with the
+.Nm validate
+sub-command, or verify a certificate and its certification path
+with the
+.Nm verify
+sub-command.
+.Pp
+You can display a certificate using the
+.Nm print
+sub-command:
+.Pp
+.Nm print
+.Oo options Oc
+.Ar STORE
+.Pp
+Options:
+.Bl -tag -width Ds -offset indent
+.It Fl Fl content
+.It Fl Fl info
+.It Fl Fl never-fail
+.It Fl Fl pass=password
+.It Fl Fl raw-json
+.El
+.Pp
+The
+.Fl Fl pass=password
+option is for PKCS#8 (PEM), PKCS#12 and PKCS#11 stores, and if
+needed and not given, will be prompted for.
+Note that it's not secure to pass passwords as command-line
+arguments on multi-tenant systems.
+.Pp
+The
+.Fl Fl raw-json
+option prints the certificate(s) in the given
+.Ar STORE
+as a JSON dump of their DER using an experimental (i.e.,
+unstable) schema.
+.Sh KEYS
+The
+.Nm generate-key
+sub-command will generate a key.
+.Sh CERTIFICATE SIGNING REQUESTS
+The
+.Nm request-create
+sub-command will create a CSR, and has support for requesting
+subject alternative names and extended key usage extensions.
+See its
+.Fl Fl help
+option, and see
+.Sx EXAMPLES
+below.
+.Pp
+The
+.Nm request-print
+sub-command will display a CSR.
+.Sh CERTIFICATE ISSUANCE / CERTIFICATION AUTHORITY
+The
+.Nm certificate-sign
+sub-command will issue a certificate.
+See its usage message.
+.Sh ONLINE CERTIFICATE STATUS PROTOCOL
+The
+.Nm ocsp-fetch
+sub-command will fetch OCSP Responses for the given
+certificates.
+.Pp
+The
+.Nm ocsp-verify
+sub-command will verify OCSP Responses.
+.Pp
+The
+.Nm ocsp-print
+sub-command will display OCSP Responses.
+.Sh CERTIFICATE REVOCATION LIST
+The
+.Nm crl-sign
+sub-command will add certificates to a certificate revocation
+list.
+.Sh EXAMPLES
+Generate an RSA key:
+.Bd -literal -offset indent
+hxtool generate-key --type=rsa --key-bits=4096 PEM-FILE:key.pem
+.Ed
+.Pp
+Create a CSR (with an empty name) for some key:
+.Bd -literal -offset indent
+hxtool request-create --subject= --key=FILE:key.pem csr.der
+.Ed
+.Pp
+Generate a key and create a CSR (with an empty name) for it:
+.Bd -literal -offset indent
+hxtool request-create \\
+ --subject= \\
+ --generate-key=rsa \\
+ --key-bits=4096 \\
+ --key=FILE:key.pem \\
+ csr.der
+.Ed
+.Pp
+Generate a key and create a CSR with an empty name but also
+requesting a specific dNSName subject alternative name (SAN) for
+it:
+.Bd -literal -offset indent
+hxtool request-create \\
+ --subject= \\
+ --generate-key=rsa \\
+ --dnsname=foo.test.h5l.se \\
+ --key=FILE:key.pem \\
+ csr.der
+.Ed
+.Pp
+Print a CSR:
+.Bd -literal -offset indent
+hxtool request-print csr.der
+.Ed
+which outputs:
+.Bd -literal -offset indent
+request print
+PKCS#10 CertificationRequest:
+ name:
+ san: dNSName: foo.test.h5l.se
+.Ed
+.Pp
+Issue a end-entity certificate for an HTTPS server given a CSR:
+.Bd -literal -offset indent
+hxtool issue-certificate \\
+ --type=https-server \\
+ --subject= \\
+ --hostname=foo.test.h5l.se \\
+ --ca-certificate=FILE:cacert.pem \\
+ --ca-private-key=FILE:cakey.pem \\
+ --req=PKCS10:csr.der \\
+ --certificate=PEM-FILE:ee.pem
+.Ed
+.Pp
+Add a chain to a PEM file:
+.Bd -literal -offset indent
+hxtool copy-certificiate \\
+ --no-private-keys \\
+ --no-root-certs \\
+ FILE:ca.pem FILE:ee.pem
+.Ed
+.Pp
+Create a self-signed end-entity certificate for an HTTPS server:
+.Bd -literal -offset indent
+hxtool issue-certificate \\
+ --self-signed \\
+ --type=https-server \\
+ --subject= \\
+ --hostname=foo.test.h5l.se \\
+ --ca-private-key=FILE:key.pem \\
+ --certificate-private-key=FILE:key.pem \\
+ --certificate=PEM-FILE:cert.pem
+.Ed
+.Pp
+Create a root certification authority certificate:
+.Bd -literal -offset indent
+hxtool issue-certificate \\
+ --issue-ca \\
+ --self-signed \\
+ --subject=CN=SomeRootCA \\
+ --ca-private-key=FILE:rootkey.pem \\
+ --certificate=PEM-FILE:rootcert.pem
+.Ed
+.Pp
+Create an intermediate certification authority certificate from a
+CSR:
+.Bd -literal -offset indent
+hxtool issue-certificate \\
+ --type=https-server \\
+ --subject=CN=SomeIntermediateCA \\
+ --ca-certificate=FILE:parent-cert.pem \\
+ --ca-private-key=FILE:parent-key.pem \\
+ --req=PKCS10:csr.der \\
+ --certificate=PEM-FILE:intermediate.pem
+.Ed
+.Pp
+.Sh SEE ALSO
+.Xr openssl 1
diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c
index af339c50acd4..9dbb5ccb1979 100644
--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -33,6 +33,7 @@
#include "hx_locl.h"
+#include <stdint.h>
#include <hxtool-commands.h>
#include <sl.h>
#include <rtbl.h>
@@ -75,6 +76,39 @@ lock_strings(hx509_lock lock, getarg_strings *pass)
}
}
+static char *
+fix_store_name(hx509_context contextp, const char *sn, const char *def_type)
+{
+ const char *residue = strchr(sn, ':');
+ char *s = NULL;
+
+ if (residue) {
+ s = estrdup(sn);
+ s[residue - sn] = '\0';
+ if (_hx509_ks_type(contextp, s)) {
+ free(s);
+ return estrdup(sn);
+ }
+ free(s);
+ s = NULL;
+ }
+ if (asprintf(&s, "%s:%s", def_type, sn) == -1 || s == NULL)
+ err(1, "Out of memory");
+ return s;
+}
+
+static char *
+fix_csr_name(const char *cn, const char *def_type)
+{
+ char *s = NULL;
+
+ if (strncmp(cn, "PKCS10:", sizeof("PKCS10:") - 1) == 0 || strchr(cn, ':'))
+ return estrdup(cn);
+ if (asprintf(&s, "%s:%s", def_type, cn) == -1 || s == NULL)
+ err(1, "Out of memory");
+ return s;
+}
+
/*
*
*/
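Review bot: In `fix_csr_name` the `strncmp(cn, "PKCS10:", ...)` test is subsumed by the `strchr(cn, ':')` test on the same line, since any string starting with `PKCS10:` contains a colon, so the first condition never changes the result; `if (strchr(cn, ':')) return estrdup(cn);` is equivalent, or keep the prefix check and drop the `strchr` if the intent is to prepend `def_type` to names that merely contain a colon. Note the asymmetry with `fix_store_name`, which verifies the text before the colon with `_hx509_ks_type` before trusting it as a type prefix, whereas `fix_csr_name` treats any colon as a prefix, so a file name containing a colon is passed through unmodified; a one-line comment stating that this is deliberate would save the next reader from re-deriving it.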
@@ -86,10 +120,13 @@ certs_strings(hx509_context contextp, const char *type, hx509_certs certs,
int i, ret;
for (i = 0; i < s->num_strings; i++) {
- ret = hx509_certs_append(contextp, certs, lock, s->strings[i]);
+ char *sn = fix_store_name(contextp, s->strings[i], "FILE");
+
+ ret = hx509_certs_append(contextp, certs, lock, sn);
if (ret)
hx509_err(contextp, 1, ret,
- "hx509_certs_append: %s %s", type, s->strings[i]);
+ "hx509_certs_append: %s %s", type, sn);
+ free(sn);
}
}
@@ -101,11 +138,19 @@ static void
parse_oid(const char *str, const heim_oid *def, heim_oid *oid)
{
int ret;
- if (str)
- ret = der_parse_heim_oid (str, " .", oid);
- else
+
+ if (str) {
+ const heim_oid *found = NULL;
+
+ ret = der_find_heim_oid_by_name(str, &found);
+ if (ret == 0)
+ ret = der_copy_oid(found, oid);
+ else
+ ret = der_parse_heim_oid(str, " .", oid);
+ } else {
ret = der_copy_oid(def, oid);
- if (ret)
+ }
+ if (ret)
errx(1, "parse_oid failed for: %s", str ? str : "default oid");
}
@@ -296,7 +341,10 @@ cms_verify_sd(struct cms_verify_sd_options *opt, int argc, char **argv)
{
char *str;
- der_print_heim_oid(&type, '.', &str);
+ if (opt->oid_sym_flag)
+ der_print_heim_oid_sym(&type, '.', &str);
+ else
+ der_print_heim_oid(&type, '.', &str);
printf("type: %s\n", str);
free(str);
der_free_oid(&type);
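Review bot: Both `der_print_heim_oid_sym` and `der_print_heim_oid` are called without checking their return value, and `str` is declared uninitialised on the line above, so if either fails the following `printf("type: %s\n", str)` and `free(str)` operate on an indeterminate pointer. The commit adds the second unchecked call without addressing the pattern; assuming `der_print_heim_oid_sym` returns an `int` like `der_print_heim_oid`, a guard such as `int pret = opt->oid_sym_flag ? der_print_heim_oid_sym(&type, '.', &str) : der_print_heim_oid(&type, '.', &str);` followed by `if (pret) errx(1, "der_print_heim_oid: %d", pret);` keeps the failure visible instead of undefined. The enclosing `cms_verify_sd` body starts and ends outside this hunk.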
@@ -330,7 +378,7 @@ cms_verify_sd(struct cms_verify_sd_options *opt, int argc, char **argv)
return 0;
}
-static int
+static int HX509_LIB_CALL
print_signer(hx509_context contextp, void *ctx, hx509_cert cert)
{
hx509_pem_header **header = ctx;
@@ -365,17 +413,19 @@ cms_create_sd(struct cms_create_sd_options *opt, int argc, char **argv)
size_t sz;
void *p;
int ret, flags = 0;
- char *infile, *outfile = NULL;
+ const char *outfile = NULL;
+ char *infile, *freeme = NULL;
memset(&contentType, 0, sizeof(contentType));
infile = argv[0];
if (argc < 2) {
- ret = asprintf(&outfile, "%s.%s", infile,
+ ret = asprintf(&freeme, "%s.%s", infile,
opt->pem_flag ? "pem" : "cms-signeddata");
- if (ret == -1 || outfile == NULL)
+ if (ret == -1 || freeme == NULL)
errx(1, "out of memory");
+ outfile = freeme;
} else
outfile = argv[1];
@@ -502,6 +552,7 @@ cms_create_sd(struct cms_create_sd_options *opt, int argc, char **argv)
hx509_certs_free(&signer);
free(o.data);
+ free(freeme);
return 0;
}
@@ -669,7 +720,7 @@ print_certificate(hx509_context hxcontext, hx509_cert cert, int verbose)
printf(" private key: %s\n",
_hx509_cert_private_key(cert) ? "yes" : "no");
- ret = hx509_print_cert(hxcontext, cert, NULL);
+ ret = hx509_print_cert(hxcontext, cert, stdout);
if (ret)
errx(1, "failed to print cert");
@@ -693,7 +744,7 @@ struct print_s {
int verbose;
};
-static int
+static int HX509_LIB_CALL
print_f(hx509_context hxcontext, void *ctx, hx509_cert cert)
{
struct print_s *s = ctx;
@@ -704,6 +755,24 @@ print_f(hx509_context hxcontext, void *ctx, hx509_cert cert)
return 0;
}
+static int HX509_LIB_CALL
+print_fjson(hx509_context hxcontext, void *ctx, hx509_cert cert)
+{
+ const Certificate *c = NULL;
+ char *json = NULL;
+
+ c = _hx509_get_cert(cert);
+ if (c)
+ json = print_Certificate(c, ASN1_PRINT_INDENT);
+ if (json)
+ printf("%s\n", json);
+ else
+ hx509_err(context, 1, errno, "Could not format certificate as JSON");
+ free(json);
+ return 0;
+}
+
+
int
pcert_print(struct print_options *opt, int argc, char **argv)
{
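Review bot: `print_fjson` reports its failure through the file-scope `context` rather than the `hxcontext` parameter it receives, unlike the sibling callbacks (`validate_f`, `print_certificate`) that use the parameter; `hx509_err(hxcontext, 1, errno, ...)` keeps the callback self-contained. The `errno` argument is also only meaningful if `_hx509_get_cert` or `print_Certificate` set it on failure, which the hunk does not show; when `c` is `NULL` errno may well be zero or stale from an earlier call, so either confirm the contract or pass an explicit hx509/errno code. The double blank line after the closing brace is a minor style nit.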
@@ -718,8 +787,11 @@ pcert_print(struct print_options *opt, int argc, char **argv)
lock_strings(lock, &opt->pass_strings);
while(argc--) {
+ char *sn = fix_store_name(context, argv[0], "FILE");
int ret;
- ret = hx509_certs_init(context, argv[0], 0, lock, &certs);
+
+ ret = hx509_certs_init(context, sn, 0, lock, &certs);
+ free(sn);
if (ret) {
if (opt->never_fail_flag) {
printf("ignoreing failure: %d\n", ret);
@@ -727,9 +799,13 @@ pcert_print(struct print_options *opt, int argc, char **argv)
}
hx509_err(context, 1, ret, "hx509_certs_init");
}
- if (opt->info_flag)
- hx509_certs_info(context, certs, NULL, NULL);
- hx509_certs_iter_f(context, certs, print_f, &s);
+ if (opt->raw_json_flag) {
+ hx509_certs_iter_f(context, certs, print_fjson, &s);
+ } else {
+ if (opt->info_flag)
+ hx509_certs_info(context, certs, NULL, NULL);
+ hx509_certs_iter_f(context, certs, print_f, &s);
+ }
hx509_certs_free(&certs);
argv++;
}
@@ -740,7 +816,7 @@ pcert_print(struct print_options *opt, int argc, char **argv)
}
-static int
+static int HX509_LIB_CALL
validate_f(hx509_context hxcontext, void *ctx, hx509_cert c)
{
hx509_validate_cert(hxcontext, ctx, c);
@@ -762,13 +838,16 @@ pcert_validate(struct validate_options *opt, int argc, char **argv)
hx509_validate_ctx_add_flags(ctx, HX509_VALIDATE_F_VALIDATE);
while(argc--) {
+ char *sn = fix_store_name(context, argv[0], "FILE");
int ret;
- ret = hx509_certs_init(context, argv[0], 0, lock, &certs);
+
+ ret = hx509_certs_init(context, sn, 0, lock, &certs);
if (ret)
errx(1, "hx509_certs_init: %d", ret);
hx509_certs_iter_f(context, certs, validate_f, ctx);
hx509_certs_free(&certs);
argv++;
+ free(sn);
}
hx509_validate_ctx_free(ctx);
@@ -782,11 +861,27 @@ certificate_copy(struct certificate_copy_options *opt, int argc, char **argv)
{
hx509_certs certs;
hx509_lock inlock, outlock = NULL;
+ char *sn;
+ int flags = 0;
+ int store_flags = 0;
int ret;
hx509_lock_init(context, &inlock);
lock_strings(inlock, &opt->in_pass_strings);
+ if (!opt->root_certs_flag)
+ /*
+ * We're probably copying an EE cert, its issuer, and all intermediates
+ * up to and excluding the root.
+ */
+ store_flags |= HX509_CERTS_STORE_NO_ROOTS;
+
+ if (!opt->private_keys_flag) {
+ /* Neither read nor store private keys */
+ store_flags |= HX509_CERTS_NO_PRIVATE_KEYS;
+ flags |= HX509_CERTS_NO_PRIVATE_KEYS;
+ }
+
if (opt->out_pass_string) {
hx509_lock_init(context, &outlock);
ret = hx509_lock_command_string(outlock, opt->out_pass_string);
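Review bot: `store_flags |= HX509_CERTS_NO_PRIVATE_KEYS;` puts an hx509_certs_init flag into the value later passed to `hx509_certs_store`; it works only because the header defines both `HX509_CERTS_NO_PRIVATE_KEYS` and `HX509_CERTS_STORE_NO_PRIVATE_KEYS` as `0x04`, and it will silently break if either value moves. Use the store-namespace constant, `store_flags |= HX509_CERTS_STORE_NO_PRIVATE_KEYS;`, and keep `flags |= HX509_CERTS_NO_PRIVATE_KEYS;` for the init call. The `if (!opt->root_certs_flag)` body is a single statement separated from its condition by a four-line comment with no braces, which is the shape that invites a second statement being added outside the `if`; brace it like the `private_keys_flag` block below it. `certificate_copy` continues outside this hunk.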
@@ -795,20 +890,53 @@ certificate_copy(struct certificate_copy_options *opt, int argc, char **argv)
opt->out_pass_string, ret);
}
- ret = hx509_certs_init(context, argv[argc - 1],
- HX509_CERTS_CREATE, inlock, &certs);
+ if (argc < 2)
+ errx(1, "hxtool copy-certificate requires at least two positional "
+ "arguments");
+
+ /*
+ * The _last_ positional argument is the destination store. Because we use
+ * HX509_CERTS_CREATE we'll ignore its contents and then truncate to write
+ * it (well, if it's a file; see key store plugins).
+ *
+ * But note that the truncation doesn't happen until we call
+ * hx509_certs_store(), which means we still have a chance to _read_ this
+ * store. That means that one can write this:
+ *
+ * hxtool cc FILE:b FILE:a FILE:b
+ *
+ * to notionally append FILE:a to FILE:b. Still, we'll have an option to
+ * do the append anyways:
+ *
+ * hxtool cc --append FILE:a FILE:b
+ */
+ sn = fix_store_name(context, argv[argc - 1], "FILE");
+ ret = hx509_certs_init(context, sn,
+ HX509_CERTS_CREATE | flags, inlock, &certs);
if (ret)
- hx509_err(context, 1, ret, "hx509_certs_init");
+ hx509_err(context, 1, ret, "hx509_certs_init %s", sn);
+
+ if (opt->append_flag) {
+ /* Append == read the certs in the dst prior to doing anything else */
+ ret = hx509_certs_append(context, certs, inlock, sn);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_certs_append %s", sn);
+ }
+ free(sn);
+ /*
+ * Read all the certificate stores in all but the last positional argument.
+ */
while(argc-- > 1) {
- int retx;
- retx = hx509_certs_append(context, certs, inlock, argv[0]);
- if (retx)
- hx509_err(context, 1, retx, "hx509_certs_append");
+ sn = fix_store_name(context, argv[0], "FILE");
+ ret = hx509_certs_append(context, certs, inlock, sn);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_certs_append %s", sn);
+ free(sn);
argv++;
}
- ret = hx509_certs_store(context, certs, 0, outlock);
+ ret = hx509_certs_store(context, certs, store_flags, outlock);
if (ret)
hx509_err(context, 1, ret, "hx509_certs_store");
@@ -827,7 +955,7 @@ struct verify {
int count;
};
-static int
+static int HX509_LIB_CALL
verify_f(hx509_context hxcontext, void *ctx, hx509_cert c)
{
struct verify *v = ctx;
@@ -913,29 +1041,35 @@ pcert_verify(struct verify_options *opt, int argc, char **argv)
errx(1, "hx509_revoke_init: %d", ret);
while(argc--) {
- char *s = *argv++;
+ const char *s = *argv++;
+ char *sn = NULL;
if (strncmp(s, "chain:", 6) == 0) {
s += 6;
- ret = hx509_certs_append(context, chain, NULL, s);
+ sn = fix_store_name(context, s, "FILE");
+ ret = hx509_certs_append(context, chain, NULL, sn);
if (ret)
- hx509_err(context, 1, ret, "hx509_certs_append: chain: %s: %d", s, ret);
+ hx509_err(context, 1, ret, "hx509_certs_append: chain: %s: %d",
+ sn, ret);
} else if (strncmp(s, "anchor:", 7) == 0) {
s += 7;
- ret = hx509_certs_append(context, anchors, NULL, s);
+ sn = fix_store_name(context, s, "FILE");
+ ret = hx509_certs_append(context, anchors, NULL, sn);
if (ret)
- hx509_err(context, 1, ret, "hx509_certs_append: anchor: %s: %d", s, ret);
+ hx509_err(context, 1, ret,
+ "hx509_certs_append: anchor: %s: %d", sn, ret);
} else if (strncmp(s, "cert:", 5) == 0) {
s += 5;
- ret = hx509_certs_append(context, certs, NULL, s);
+ sn = fix_store_name(context, s, "FILE");
+ ret = hx509_certs_append(context, certs, NULL, sn);
if (ret)
hx509_err(context, 1, ret, "hx509_certs_append: certs: %s: %d",
- s, ret);
+ sn, ret);
} else if (strncmp(s, "crl:", 4) == 0) {
s += 4;
@@ -944,7 +1078,7 @@ pcert_verify(struct verify_options *opt, int argc, char **argv)
if (ret)
errx(1, "hx509_revoke_add_crl: %s: %d", s, ret);
- } else if (strncmp(s, "ocsp:", 4) == 0) {
+ } else if (strncmp(s, "ocsp:", 5) == 0) {
s += 5;
ret = hx509_revoke_add_ocsp(context, revoke_ctx, s);
@@ -954,6 +1088,7 @@ pcert_verify(struct verify_options *opt, int argc, char **argv)
} else {
errx(1, "unknown option to verify: `%s'\n", s);
}
+ free(sn);
}
hx509_verify_attach_anchors(ctx, anchors);
@@ -1006,10 +1141,12 @@ query(struct query_options *opt, int argc, char **argv)
if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
while (argc > 0) {
+ char *sn = fix_store_name(context, argv[0], "FILE");
- ret = hx509_certs_append(context, certs, lock, argv[0]);
+ ret = hx509_certs_append(context, certs, lock, sn);
if (ret)
- errx(1, "hx509_certs_append: %s: %d", argv[0], ret);
+ errx(1, "hx509_certs_append: %s: %d", sn, ret);
+ free(sn);
argc--;
argv++;
@@ -1092,9 +1229,12 @@ ocsp_fetch(struct ocsp_fetch_options *opt, int argc, char **argv)
if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
for (i = 1; i < argc; i++) {
- ret = hx509_certs_append(context, reqcerts, lock, argv[i]);
+ char *sn = fix_store_name(context, argv[i], "FILE");
+
+ ret = hx509_certs_append(context, reqcerts, lock, sn);
if (ret)
- errx(1, "hx509_certs_append: req: %s: %d", argv[i], ret);
+ errx(1, "hx509_certs_append: req: %s: %d", sn, ret);
+ free(sn);
}
ret = hx509_ocsp_request(context, reqcerts, pool, NULL, NULL, &req, nonce);
@@ -1155,7 +1295,7 @@ revoke_print(struct revoke_print_options *opt, int argc, char **argv)
if (ret)
errx(1, "hx509_revoke_add_crl: %s: %d", s, ret);
- } else if (strncmp(s, "ocsp:", 4) == 0) {
+ } else if (strncmp(s, "ocsp:", 5) == 0) {
s += 5;
ret = hx509_revoke_add_ocsp(context, revoke_ctx, s);
@@ -1171,6 +1311,7 @@ revoke_print(struct revoke_print_options *opt, int argc, char **argv)
if (ret)
warnx("hx509_revoke_print: %d", ret);
+ hx509_revoke_free(&revoke_ctx);
return ret;
}
@@ -1178,7 +1319,7 @@ revoke_print(struct revoke_print_options *opt, int argc, char **argv)
*
*/
-static int
+static int HX509_LIB_CALL
verify_o(hx509_context hxcontext, void *ctx, hx509_cert c)
{
heim_octet_string *os = ctx;
@@ -1219,9 +1360,12 @@ ocsp_verify(struct ocsp_verify_options *opt, int argc, char **argv)
if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
for (i = 0; i < argc; i++) {
- ret = hx509_certs_append(context, certs, lock, argv[i]);
+ char *sn = fix_store_name(context, argv[i], "FILE");
+
+ ret = hx509_certs_append(context, certs, lock, sn);
if (ret)
- hx509_err(context, 1, ret, "hx509_certs_append: %s", argv[i]);
+ hx509_err(context, 1, ret, "hx509_certs_append: %s", sn);
+ free(sn);
}
ret = hx509_certs_iter_f(context, certs, verify_o, &os);
@@ -1238,20 +1382,22 @@ read_private_key(const char *fn, hx509_private_key *key)
{
hx509_private_key *keys;
hx509_certs certs;
+ char *sn = fix_store_name(context, fn, "FILE");
int ret;
*key = NULL;
- ret = hx509_certs_init(context, fn, 0, NULL, &certs);
+ ret = hx509_certs_init(context, sn, 0, NULL, &certs);
if (ret)
- hx509_err(context, 1, ret, "hx509_certs_init: %s", fn);
+ hx509_err(context, 1, ret, "hx509_certs_init: %s", sn);
ret = _hx509_certs_keys_get(context, certs, &keys);
hx509_certs_free(&certs);
if (ret)
hx509_err(context, 1, ret, "hx509_certs_keys_get");
if (keys[0] == NULL)
- errx(1, "no keys in key store: %s", fn);
+ errx(1, "no keys in key store: %s", sn);
+ free(sn);
*key = _hx509_private_key_ref(keys[0]);
_hx509_certs_keys_free(context, keys);
@@ -1263,57 +1409,71 @@ static void
get_key(const char *fn, const char *type, int optbits,
hx509_private_key *signer)
{
- int ret;
+ int ret = 0;
if (type) {
- BIGNUM *e;
- RSA *rsa;
- unsigned char *p0, *p;
- size_t len;
- int bits = 1024;
-
- if (fn == NULL)
- errx(1, "no key argument, don't know here to store key");
+ struct hx509_generate_private_context *gen_ctx = NULL;
if (strcasecmp(type, "rsa") != 0)
errx(1, "can only handle rsa keys for now");
- e = BN_new();
- BN_set_word(e, 0x10001);
-
- if (optbits)
- bits = optbits;
-
- rsa = RSA_new();
- if(rsa == NULL)
- errx(1, "RSA_new failed");
-
- ret = RSA_generate_key_ex(rsa, bits, e, NULL);
- if(ret != 1)
- errx(1, "RSA_new failed");
-
- BN_free(e);
-
- len = i2d_RSAPrivateKey(rsa, NULL);
-
- p0 = p = malloc(len);
- if (p == NULL)
- errx(1, "out of memory");
-
- i2d_RSAPrivateKey(rsa, &p);
-
- rk_dumpdata(fn, p0, len);
- memset(p0, 0, len);
- free(p0);
-
- RSA_free(rsa);
+ ret = _hx509_generate_private_key_init(context,
+ ASN1_OID_ID_PKCS1_RSAENCRYPTION,
+ &gen_ctx);
+ if (ret == 0)
+ ret = _hx509_generate_private_key_bits(context, gen_ctx, optbits);
+ if (ret == 0)
+ ret = _hx509_generate_private_key(context, gen_ctx, signer);
+ _hx509_generate_private_key_free(&gen_ctx);
+ if (ret)
+ hx509_err(context, 1, ret, "failed to generate private key of type %s", type);
+
+ if (fn) {
+ char *sn = fix_store_name(context, fn, "FILE");
+ hx509_certs certs = NULL;
+ hx509_cert cert = NULL;
+
+ cert = hx509_cert_init_private_key(context, *signer, NULL);
+ if (cert)
+ ret = hx509_certs_init(context, sn,
+ HX509_CERTS_CREATE |
+ HX509_CERTS_UNPROTECT_ALL,
+ NULL, &certs);
+ if (ret == 0)
+ ret = hx509_certs_add(context, certs, cert);
+ if (ret == 0)
+ ret = hx509_certs_store(context, certs, 0, NULL);
+ if (ret)
+ hx509_err(context, 1, ret, "failed to store generated private "
+ "key in %s", sn);
+
+ if (certs)
+ hx509_certs_free(&certs);
+ if (cert)
+ hx509_cert_free(cert);
+ free(sn);
+ }
+ } else {
+ if (fn == NULL)
+ err(1, "no private key");
+ ret = read_private_key(fn, signer);
+ if (ret)
+ hx509_err(context, 1, ret, "failed to read private key from %s",
+ fn);
+ }
+}
- } else if (fn == NULL)
- err(1, "no private key");
+int
+generate_key(struct generate_key_options *opt, int argc, char **argv)
+{
+ hx509_private_key signer;
+ const char *type = opt->type_string ? opt->type_string : "rsa";
+ int bits = opt->key_bits_integer ? opt->key_bits_integer : 2048;
- ret = read_private_key(fn, signer);
- if (ret)
- err(1, "read_private_key");
+ memset(&signer, 0, sizeof(signer));
+ get_key(argv[0], type, bits, &signer);
+ hx509_private_key_free(&signer);
+ return 0;
}
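Review bot: A NULL return from hx509_cert_init_private_key in get_key is not treated as an error: `ret` is still 0 from the successful key generation, so control falls through to `hx509_certs_add(context, certs, cert)` with both `certs` and `cert` NULL instead of reporting the failure. Add `else ret = ENOMEM;` after the `if (cert)` call (or `if (cert == NULL) hx509_err(context, 1, ENOMEM, "hx509_cert_init_private_key");`) so the store is never touched without a certificate. Separately, `_hx509_generate_private_key_bits` is now called unconditionally with `optbits`, whereas the removed code only set the bit count when it was nonzero and hxtool_ca passes `opt->key_bits_integer` straight through; unless the library treats 0 as "use default", guard it with `if (ret == 0 && optbits)`. The store is created with HX509_CERTS_UNPROTECT_ALL, which appears to write the key unencrypted; a one-line comment on that call, `/* key is written unprotected; on-disk secrecy relies on file permissions */`, would make that explicit to the next reader.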
int
@@ -1334,7 +1494,9 @@ request_create(struct request_create_options *opt, int argc, char **argv)
opt->key_bits_integer,
&signer);
- hx509_request_init(context, &req);
+ ret = hx509_request_init(context, &req);
+ if (ret)
+ hx509_err(context, 1, ret, "Could not initialize CSR context");
if (opt->subject_string) {
hx509_name name = NULL;
@@ -1348,24 +1510,66 @@ request_create(struct request_create_options *opt, int argc, char **argv)
char *s;
hx509_name_to_string(name, &s);
printf("%s\n", s);
+ free(s);
}
hx509_name_free(&name);
}
for (i = 0; i < opt->email_strings.num_strings; i++) {
- ret = _hx509_request_add_email(context, req,
- opt->email_strings.strings[i]);
+ ret = hx509_request_add_email(context, req,
+ opt->email_strings.strings[i]);
if (ret)
hx509_err(context, 1, ret, "hx509_request_add_email");
}
+ for (i = 0; i < opt->jid_strings.num_strings; i++) {
+ ret = hx509_request_add_xmpp_name(context, req,
+ opt->jid_strings.strings[i]);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_request_add_xmpp_name");
+ }
+
for (i = 0; i < opt->dnsname_strings.num_strings; i++) {
- ret = _hx509_request_add_dns_name(context, req,
- opt->dnsname_strings.strings[i]);
+ ret = hx509_request_add_dns_name(context, req,
+ opt->dnsname_strings.strings[i]);
if (ret)
hx509_err(context, 1, ret, "hx509_request_add_dns_name");
}
+ for (i = 0; i < opt->kerberos_strings.num_strings; i++) {
+ ret = hx509_request_add_pkinit(context, req,
+ opt->kerberos_strings.strings[i]);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_request_add_pkinit");
+ }
+
+ for (i = 0; i < opt->ms_kerberos_strings.num_strings; i++) {
+ ret = hx509_request_add_ms_upn_name(context, req,
+ opt->ms_kerberos_strings.strings[i]);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_request_add_ms_upn_name");
+ }
+
+ for (i = 0; i < opt->registered_strings.num_strings; i++) {
+ heim_oid oid;
+
+ parse_oid(opt->registered_strings.strings[i], NULL, &oid);
+ ret = hx509_request_add_registered(context, req, &oid);
+ der_free_oid(&oid);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_request_add_registered");
+ }
+
+ for (i = 0; i < opt->eku_strings.num_strings; i++) {
+ heim_oid oid;
+
+ parse_oid(opt->eku_strings.strings[i], NULL, &oid);
+ ret = hx509_request_add_eku(context, req, &oid);
+ der_free_oid(&oid);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_request_add_eku");
+ }
+
ret = hx509_private_key2SPKI(context, signer, &key);
if (ret)
@@ -1378,12 +1582,12 @@ request_create(struct request_create_options *opt, int argc, char **argv)
if (ret)
hx509_err(context, 1, ret, "hx509_request_set_SubjectPublicKeyInfo");
- ret = _hx509_request_to_pkcs10(context,
- req,
- signer,
- &request);
+ ret = hx509_request_to_pkcs10(context,
+ req,
+ signer,
+ &request);
if (ret)
- hx509_err(context, 1, ret, "_hx509_request_to_pkcs10");
+ hx509_err(context, 1, ret, "hx509_request_to_pkcs10");
hx509_private_key_free(&signer);
hx509_request_free(&req);
@@ -1404,15 +1608,17 @@ request_print(struct request_print_options *opt, int argc, char **argv)
for (i = 0; i < argc; i++) {
hx509_request req;
+ char *cn = fix_csr_name(argv[i], "PKCS10");
- ret = _hx509_request_parse(context, argv[i], &req);
+ ret = hx509_request_parse(context, cn, &req);
if (ret)
- hx509_err(context, 1, ret, "parse_request: %s", argv[i]);
+ hx509_err(context, 1, ret, "parse_request: %s", cn);
- ret = _hx509_request_print(context, req, stdout);
+ ret = hx509_request_print(context, req, stdout);
hx509_request_free(&req);
if (ret)
- hx509_err(context, 1, ret, "Failed to print file %s", argv[i]);
+ hx509_err(context, 1, ret, "Failed to print file %s", cn);
+ free(cn);
}
return 0;
@@ -1455,13 +1661,16 @@ int
random_data(void *opt, int argc, char **argv)
{
void *ptr;
- int len, ret;
+ ssize_t len;
+ int64_t bytes;
+ int ret;
- len = parse_bytes(argv[0], "byte");
- if (len <= 0) {
+ bytes = parse_bytes(argv[0], "byte");
+ if (bytes <= 0 || bytes > SSIZE_MAX) {
fprintf(stderr, "bad argument to random-data\n");
return 1;
}
+ len = bytes;
ptr = malloc(len);
if (ptr == NULL) {
@@ -1510,7 +1719,10 @@ crypto_available(struct crypto_available_options *opt, int argc, char **argv)
for (i = 0; i < len; i++) {
char *s;
- der_print_heim_oid (&val[i].algorithm, '.', &s);
+ if (opt->oid_syms_flag)
+ der_print_heim_oid_sym(&val[i].algorithm, '.', &s);
+ else
+ der_print_heim_oid(&val[i].algorithm, '.', &s);
printf("%s\n", s);
free(s);
}
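Review bot: `s` is uninitialized and the return value of der_print_heim_oid_sym / der_print_heim_oid is ignored on both branches, so a formatting failure (out of memory, or an OID with no symbolic name if the _sym variant reports that as an error) reaches `printf("%s\n", s)` and `free(s)` with an indeterminate pointer. hxtool_list_oids later in this diff checks the same call (`if ((errno = der_print_heim_oid_sym(oid, '.', &s)) > 0) err(1, ...)`); do the same here: declare `char *s = NULL;`, capture `ret` from whichever printer runs, and `if (ret) hx509_err(context, 1, ret, "der_print_heim_oid");` before printing. The same unchecked pattern is repeated in crypto_select in the next hunk.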
@@ -1546,7 +1758,10 @@ crypto_select(struct crypto_select_options *opt, int argc, char **argv)
if (ret)
errx(1, "hx509_crypto_available");
- der_print_heim_oid (&selected.algorithm, '.', &s);
+ if (opt->oid_sym_flag)
+ der_print_heim_oid_sym(&selected.algorithm, '.', &s);
+ else
+ der_print_heim_oid(&selected.algorithm, '.', &s);
printf("%s\n", s);
free(s);
free_AlgorithmIdentifier(&selected);
@@ -1602,6 +1817,16 @@ https_server(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt
}
static int
+https_negotiate_server(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
+{
+ int ret = hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkekuoid);
+ if (ret == 0)
+ ret = hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_serverAuth);
+ opt->pkinit++;
+ return ret;
+}
+
+static int
https_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
{
return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_clientAuth);
@@ -1631,7 +1856,7 @@ pkinit_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *op
if (ret)
return ret;
- ret = hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_ms_client_authentication);
+ ret = hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_pkix_kp_clientAuth);
if (ret)
return ret;
@@ -1675,6 +1900,11 @@ struct {
pkinit_kdc
},
{
+ "https-negotiate-server",
+ "Used for HTTPS server and many other TLS server certificate types",
+ https_negotiate_server
+ },
+ {
"peap-server",
"Certificate used for Radius PEAP (Protected EAP)",
peap_server
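Review bot: The help text for the new `https-negotiate-server` type, "Used for HTTPS server and many other TLS server certificate types", reads like a plain TLS-server description and hides what distinguishes it: https_negotiate_server adds `asn1_oid_id_pkekuoid` (which appears to be the PKINIT KDC EKU) before serverAuth and bumps `opt->pkinit`, so a certificate issued with this type is trusted for more than TLS. An operator choosing the type from the help output should see that, e.g. `"Used for HTTPS/TLS servers that also do Negotiate; adds the PKINIT KDC EKU"`. Please confirm the OID's meaning from the ASN.1 module; the entry is only as accurate as that.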
@@ -1761,6 +1991,14 @@ eval_types(hx509_context contextp,
hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_hostname");
}
+ for (i = 0; i < opt->dnssrv_strings.num_strings; i++) {
+ const char *dnssrv = opt->dnssrv_strings.strings[i];
+
+ ret = hx509_ca_tbs_add_san_dnssrv(contextp, tbs, dnssrv);
+ if (ret)
+ hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_dnssrv");
+ }
+
for (i = 0; i < opt->email_strings.num_strings; i++) {
const char *email = opt->email_strings.strings[i];
@@ -1793,8 +2031,11 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
hx509_private_key cert_key = NULL;
hx509_name subject = NULL;
SubjectPublicKeyInfo spki;
+ heim_oid oid;
+ size_t i;
int delta = 0;
+ memset(&oid, 0, sizeof(oid));
memset(&spki, 0, sizeof(spki));
if (opt->ca_certificate_string == NULL && !opt->self_signed_flag)
@@ -1804,10 +2045,8 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
if (opt->certificate_string == NULL)
errx(1, "--certificate argument missing");
- if (opt->template_certificate_string) {
- if (opt->template_fields_string == NULL)
- errx(1, "--template-certificate not no --template-fields");
- }
+ if (opt->template_certificate_string && opt->template_fields_string == NULL)
+ errx(1, "--template-certificate used but no --template-fields given");
if (opt->lifetime_string) {
delta = parse_time(opt->lifetime_string, "day");
@@ -1818,12 +2057,11 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
if (opt->ca_certificate_string) {
hx509_certs cacerts = NULL;
hx509_query *q;
+ char *sn = fix_store_name(context, opt->ca_certificate_string, "FILE");
- ret = hx509_certs_init(context, opt->ca_certificate_string, 0,
- NULL, &cacerts);
+ ret = hx509_certs_init(context, sn, 0, NULL, &cacerts);
if (ret)
- hx509_err(context, 1, ret,
- "hx509_certs_init: %s", opt->ca_certificate_string);
+ hx509_err(context, 1, ret, "hx509_certs_init: %s", sn);
ret = hx509_query_alloc(context, &q);
if (ret)
@@ -1838,6 +2076,7 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
hx509_certs_free(&cacerts);
if (ret)
hx509_err(context, 1, ret, "no CA certificate found");
+ free(sn);
} else if (opt->self_signed_flag) {
if (opt->generate_key_string == NULL
&& opt->ca_private_key_string == NULL)
@@ -1864,10 +2103,16 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
if (opt->req_string) {
hx509_request req;
+ char *cn = fix_csr_name(opt->req_string, "PKCS10");
- ret = _hx509_request_parse(context, opt->req_string, &req);
+ /*
+ * Extract the CN and other attributes we want to preserve from the
+ * requested subjectName and then set them in the hx509_env for the
+ * template.
+ */
+ ret = hx509_request_parse(context, cn, &req);
if (ret)
- hx509_err(context, 1, ret, "parse_request: %s", opt->req_string);
+ hx509_err(context, 1, ret, "parse_request: %s", cn);
ret = hx509_request_get_name(context, req, &subject);
if (ret)
hx509_err(context, 1, ret, "get name");
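Review bot: The new comment above hx509_request_parse says the CN and other attributes are extracted from the CSR's subjectName and set in the hx509_env for the template, but the code in this hunk only parses the CSR and takes its whole subject with hx509_request_get_name (and the SPKI just after); no hx509_env is touched here. Unless that happens outside the hunk, the comment describes an intention rather than the behaviour and will mislead the next reader; replace it with what the block does, e.g. `/* Take the subject name and SPKI from the CSR given with --req. */`, and mention the --subject interaction only if the branch below (outside this hunk) actually overrides it.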
@@ -1875,42 +2120,37 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
if (ret)
hx509_err(context, 1, ret, "get spki");
hx509_request_free(&req);
+ free(cn);
}
if (opt->generate_key_string) {
- struct hx509_generate_private_context *keyctx;
+ /*
+ * Note that we used to set isCA in the key gen context. Now that we
+ * use get_key() we no longer set isCA in the key gen context. But
+ * nothing uses that field of the key gen context.
+ */
+ get_key(opt->certificate_private_key_string,
+ opt->generate_key_string,
+ opt->key_bits_integer,
+ &cert_key);
- ret = _hx509_generate_private_key_init(context,
- &asn1_oid_id_pkcs1_rsaEncryption,
- &keyctx);
+ ret = hx509_private_key2SPKI(context, cert_key, &spki);
if (ret)
- hx509_err(context, 1, ret, "generate private key");
-
- if (opt->issue_ca_flag)
- _hx509_generate_private_key_is_ca(context, keyctx);
-
- if (opt->key_bits_integer)
- _hx509_generate_private_key_bits(context, keyctx,
- opt->key_bits_integer);
+ errx(1, "hx509_private_key2SPKI: %d\n", ret);
- ret = _hx509_generate_private_key(context, keyctx,
- &cert_key);
- _hx509_generate_private_key_free(&keyctx);
+ if (opt->self_signed_flag)
+ private_key = cert_key;
+ } else if (opt->certificate_private_key_string) {
+ ret = read_private_key(opt->certificate_private_key_string, &cert_key);
if (ret)
- hx509_err(context, 1, ret, "generate private key");
+ err(1, "read_private_key for certificate");
ret = hx509_private_key2SPKI(context, cert_key, &spki);
if (ret)
errx(1, "hx509_private_key2SPKI: %d\n", ret);
- if (opt->self_signed_flag)
- private_key = cert_key;
- }
-
- if (opt->certificate_private_key_string) {
- ret = read_private_key(opt->certificate_private_key_string, &cert_key);
- if (ret)
- err(1, "read_private_key for certificate");
+ if (opt->self_signed_flag)
+ private_key = cert_key;
}
if (opt->subject_string) {
@@ -1929,6 +2169,30 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
if (ret)
hx509_err(context, 1, ret, "hx509_ca_tbs_init");
+ for (i = 0; i < opt->eku_strings.num_strings; i++) {
+ parse_oid(opt->eku_strings.strings[i], NULL, &oid);
+ ret = hx509_ca_tbs_add_eku(context, tbs, &oid);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_request_add_eku");
+ der_free_oid(&oid);
+ }
+ if (opt->ku_strings.num_strings) {
+ const struct units *kus = asn1_KeyUsage_units();
+ const struct units *kup;
+ uint64_t n = 0;
+
+ for (i = 0; i < opt->ku_strings.num_strings; i++) {
+ for (kup = kus; kup->name; kup++) {
+ if (strcmp(kup->name, opt->ku_strings.strings[i]))
+ continue;
+ n |= kup->mult;
+ break;
+ }
+ }
+ ret = hx509_ca_tbs_add_ku(context, tbs, int2KeyUsage(n));
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_request_add_ku");
+ }
if (opt->signature_algorithm_string) {
const AlgorithmIdentifier *sigalg;
if (strcasecmp(opt->signature_algorithm_string, "rsa-with-sha1") == 0)
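Review bot: An unrecognized `--ku` name is silently ignored in the new key-usage loop: the inner `for` runs off the end of `asn1_KeyUsage_units()`, `n` is left unchanged, and a typo such as `--ku=digitalSignatur` issues a certificate with a weaker (possibly empty) KeyUsage than requested. Reject unknown names after the inner loop with `if (kup->name == NULL) errx(1, "unknown key usage: %s", opt->ku_strings.strings[i]);`, and fix the two error messages, which name hx509_request_add_eku / hx509_request_add_ku although the calls are hx509_ca_tbs_add_eku / hx509_ca_tbs_add_ku. acert1_kus later in this diff warns on unknown names, so the two spellings of the same lookup should at least agree.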
@@ -1943,13 +2207,13 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
if (opt->template_certificate_string) {
hx509_cert template;
hx509_certs tcerts;
+ char *sn = fix_store_name(context, opt->template_certificate_string,
+ "FILE");
int flags;
- ret = hx509_certs_init(context, opt->template_certificate_string, 0,
- NULL, &tcerts);
+ ret = hx509_certs_init(context, sn, 0, NULL, &tcerts);
if (ret)
- hx509_err(context, 1, ret,
- "hx509_certs_init: %s", opt->template_certificate_string);
+ hx509_err(context, 1, ret, "hx509_certs_init: %s", sn);
ret = hx509_get_one_cert(context, tcerts, &template);
@@ -1965,6 +2229,7 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
hx509_err(context, 1, ret, "hx509_ca_tbs_set_template");
hx509_cert_free(template);
+ free(sn);
}
if (opt->serial_number_string) {
@@ -2001,6 +2266,62 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
eval_types(context, tbs, opt);
+ if (opt->permanent_id_string) {
+ ret = hx509_ca_tbs_add_san_permanentIdentifier_string(context, tbs,
+ opt->permanent_id_string);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_permanentIdentifier");
+ }
+
+ if (opt->hardware_module_name_string) {
+ ret = hx509_ca_tbs_add_san_hardwareModuleName_string(context, tbs,
+ opt->hardware_module_name_string);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_hardwareModuleName_string");
+ }
+
+ for (i = 0; ret == 0 && i < opt->policy_strings.num_strings; i++) {
+ char *oidstr, *uri, *dt;
+
+ if ((oidstr = strdup(opt->policy_strings.strings[i])) == NULL)
+ hx509_err(context, 1, ENOMEM, "out of memory");
+ uri = strchr(oidstr, ':');
+ if (uri)
+ *(uri++) = '\0';
+ dt = strchr(uri ? uri : "", ' ');
+ if (dt)
+ *(dt++) = '\0';
+
+ parse_oid(oidstr, NULL, &oid);
+ ret = hx509_ca_tbs_add_pol(context, tbs, &oid, uri, dt);
+ der_free_oid(&oid);
+ free(oidstr);
+ }
+
+ for (i = 0; ret == 0 && i < opt->policy_mapping_strings.num_strings; i++) {
+ char *issuer_oidstr, *subject_oidstr;
+ heim_oid issuer_oid, subject_oid;
+
+ if ((issuer_oidstr =
+ strdup(opt->policy_mapping_strings.strings[i])) == NULL)
+ hx509_err(context, 1, ENOMEM, "out of memory");
+ subject_oidstr = strchr(issuer_oidstr, ':');
+ if (subject_oidstr == NULL)
+ subject_oidstr = issuer_oidstr;
+ else
+ *(subject_oidstr++) = '\0';
+
+ parse_oid(issuer_oidstr, NULL, &issuer_oid);
+ parse_oid(subject_oidstr, NULL, &subject_oid);
+ ret = hx509_ca_tbs_add_pol_mapping(context, tbs, &issuer_oid,
+ &subject_oid);
+ if (ret)
+ hx509_err(context, 1, ret, "failed to add policy mapping");
+ der_free_oid(&issuer_oid);
+ der_free_oid(&subject_oid);
+ free(issuer_oidstr);
+ }
+
if (opt->issue_ca_flag) {
ret = hx509_ca_tbs_set_ca(context, tbs, opt->path_length_integer);
if (ret)
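Review bot: A failure from hx509_ca_tbs_add_pol in the `--policy` loop is lost: the loop stops on `ret != 0`, but nothing reports it, and `ret` is overwritten by the `--issue-ca` and lifetime code that follows, so the certificate is issued without the requested certificatePolicies extension. The policy-mapping loop just below calls hx509_err on failure; make the policy loop consistent by adding `if (ret) hx509_err(context, 1, ret, "failed to add certificate policy %s", opt->policy_strings.strings[i]);` after `der_free_oid(&oid);` (use the original option string in the message, since `oidstr` has been NUL-split by then).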
@@ -2022,6 +2343,13 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
if (ret)
hx509_err(context, 1, ret, "hx509_ca_tbs_set_notAfter_lifetime");
}
+ if (opt->pkinit_max_life_string) {
+ time_t t = parse_time(opt->pkinit_max_life_string, "s");
+
+ ret = hx509_ca_tbs_set_pkinit_max_life(context, tbs, t);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_ca_tbs_set_pkinit_max_life");
+ }
if (opt->self_signed_flag) {
ret = hx509_ca_sign_self(context, tbs, private_key, &cert);
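Review bot: The value returned by parse_time for `--pkinit-max-life` is passed straight to hx509_ca_tbs_set_pkinit_max_life with no check; ptime later in this diff treats a parse_time result of -1 as a parse failure, so a malformed argument here would become a max-life of (time_t)-1 rather than an error. Reject it before the set call with `if (t < 0) errx(1, "bad --pkinit-max-life argument: %s", opt->pkinit_max_life_string);`. A short comment noting that this option is parsed in seconds while `--lifetime` defaults to days would also save the next reader a surprise, if that difference is intended.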
@@ -2033,7 +2361,31 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
hx509_err(context, 1, ret, "hx509_ca_sign");
}
- if (cert_key) {
+ /* Copy the private key to the output store, maybe */
+ if (cert_key && opt->generate_key_string &&
+ !opt->certificate_private_key_string) {
+ /*
+ * Yes: because we're generating the key and --certificate-private-key
+ * was not given.
+ */
+ ret = _hx509_cert_assign_key(cert, cert_key);
+ if (ret)
+ hx509_err(context, 1, ret, "_hx509_cert_assign_key");
+ } else if (opt->certificate_private_key_string && opt->certificate_string &&
+ strcmp(opt->certificate_private_key_string,
+ opt->certificate_string) == 0) {
+ /*
+ * Yes: because we're re-writing the store whence the private key. We
+ * would lose the key otherwise.
+ */
+ ret = _hx509_cert_assign_key(cert, cert_key);
+ if (ret)
+ hx509_err(context, 1, ret, "_hx509_cert_assign_key");
+ } else if (opt->self_signed_flag && opt->ca_private_key_string &&
+ opt->certificate_string &&
+ strcmp(opt->ca_private_key_string,
+ opt->certificate_string) == 0) {
+ /* Yes: same as preceding */
ret = _hx509_cert_assign_key(cert, cert_key);
if (ret)
hx509_err(context, 1, ret, "_hx509_cert_assign_key");
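Review bot: The "same store" detection in the second and third branches compares the raw option strings with strcmp, while the stores themselves are opened through fix_store_name(..., "FILE") (see the hx509_certs_init call in the next hunk), so `--certificate-private-key=FILE:k.pem --certificate=k.pem` or any other equivalent spelling is not recognized and the private key is dropped when the output store is rewritten — exactly the case the comment says it guards against. Compare the normalized names instead, e.g. `char *a = fix_store_name(context, opt->certificate_private_key_string, "FILE"), *b = fix_store_name(context, opt->certificate_string, "FILE");` then `same = strcmp(a, b) == 0;` and free both. The third branch (self-signed with `--ca-private-key` naming the output store) assigns `cert_key`, which in the preceding hunk is only set when `--generate-key` or `--certificate-private-key` was given; if the CA key is read into `private_key` on that path, this branch should assign that instead — the code reading `--ca-private-key` is outside the shown hunks, so please confirm.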
@@ -2041,9 +2393,9 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
{
hx509_certs certs;
+ char *sn = fix_store_name(context, opt->certificate_string, "FILE");
- ret = hx509_certs_init(context, opt->certificate_string,
- HX509_CERTS_CREATE, NULL, &certs);
+ ret = hx509_certs_init(context, sn, HX509_CERTS_CREATE, NULL, &certs);
if (ret)
hx509_err(context, 1, ret, "hx509_certs_init");
@@ -2056,6 +2408,7 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
hx509_err(context, 1, ret, "hx509_certs_store");
hx509_certs_free(&certs);
+ free(sn);
}
if (subject)
@@ -2074,7 +2427,7 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
return 0;
}
-static int
+static int HX509_LIB_CALL
test_one_cert(hx509_context hxcontext, void *ctx, hx509_cert cert)
{
heim_octet_string sd, c;
@@ -2119,9 +2472,11 @@ test_crypto(struct test_crypto_options *opt, int argc, char ** argv)
if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
for (i = 0; i < argc; i++) {
- ret = hx509_certs_append(context, certs, lock, argv[i]);
+ char *sn = fix_store_name(context, argv[i], "FILE");
+ ret = hx509_certs_append(context, certs, lock, sn);
if (ret)
- hx509_err(context, 1, ret, "hx509_certs_append");
+ hx509_err(context, 1, ret, "hx509_certs_append %s", sn);
+ free(sn);
}
ret = hx509_verify_init_ctx(context, &vctx);
@@ -2135,6 +2490,7 @@ test_crypto(struct test_crypto_options *opt, int argc, char ** argv)
hx509_err(context, 1, ret, "hx509_cert_iter");
hx509_certs_free(&certs);
+ hx509_verify_destroy_ctx(vctx);
return 0;
}
@@ -2180,12 +2536,11 @@ crl_sign(struct crl_sign_options *opt, int argc, char **argv)
{
hx509_certs certs = NULL;
hx509_query *q;
+ char *sn = fix_store_name(context, opt->signer_string, "FILE");
- ret = hx509_certs_init(context, opt->signer_string, 0,
- NULL, &certs);
+ ret = hx509_certs_init(context, sn, 0, NULL, &certs);
if (ret)
- hx509_err(context, 1, ret,
- "hx509_certs_init: %s", opt->signer_string);
+ hx509_err(context, 1, ret, "hx509_certs_init: %s", sn);
ret = hx509_query_alloc(context, &q);
if (ret)
@@ -2198,6 +2553,7 @@ crl_sign(struct crl_sign_options *opt, int argc, char **argv)
hx509_certs_free(&certs);
if (ret)
hx509_err(context, 1, ret, "no signer certificate found");
+ free(sn);
}
if (opt->lifetime_string) {
@@ -2221,9 +2577,12 @@ crl_sign(struct crl_sign_options *opt, int argc, char **argv)
"hx509_certs_init: MEMORY cert");
for (i = 0; i < argc; i++) {
- ret = hx509_certs_append(context, revoked, lock, argv[i]);
+ char *sn = fix_store_name(context, argv[i], "FILE");
+
+ ret = hx509_certs_append(context, revoked, lock, sn);
if (ret)
- hx509_err(context, 1, ret, "hx509_certs_append: %s", argv[i]);
+ hx509_err(context, 1, ret, "hx509_certs_append: %s", sn);
+ free(sn);
}
hx509_crl_add_revoked_certs(context, crl, revoked);
@@ -2244,6 +2603,582 @@ crl_sign(struct crl_sign_options *opt, int argc, char **argv)
return 0;
}
+int
+hxtool_list_oids(void *opt, int argc, char **argv)
+{
+ const heim_oid *oid;
+ int cursor = -1;
+
+ while (der_match_heim_oid_by_name("", &cursor, &oid) == 0) {
+ char *s = NULL;
+
+ if ((errno = der_print_heim_oid_sym(oid, '.', &s)) > 0)
+ err(1, "der_print_heim_oid_sym");
+ printf("%s\n", s);
+ free(s);
+ }
+ return 0;
+}
+
+static int
+acert1_sans_utf8_other(struct acert_options *opt,
+ struct getarg_strings *wanted,
+ const char *type,
+ heim_any *san,
+ size_t *count)
+{
+ size_t k, len;
+
+ if (!wanted->num_strings)
+ return 0;
+ for (k = 0; k < wanted->num_strings; k++) {
+ len = strlen(wanted->strings[k]);
+ if (len == san->length &&
+ strncmp(san->data, wanted->strings[k], len) == 0) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Matched OtherName SAN %s (%s)\n",
+ wanted->strings[k], type);
+ (*count)++;
+ return 0;
+ }
+ }
+ if (opt->verbose_flag)
+ fprintf(stderr, "Did not match OtherName SAN %s (%s)\n",
+ wanted->strings[k], type);
+ return -1;
+}
+
+static int
+acert1_sans_other(struct acert_options *opt,
+ heim_oid *type_id,
+ heim_any *value,
+ size_t *count)
+{
+ heim_any pkinit;
+ size_t k, match;
+ const char *type_str = NULL;
+ char *s = NULL;
+ int ret;
+
+ (void) der_print_heim_oid_sym(type_id, '.', &s);
+ type_str = s ? s : "<unknown>";
+ if (der_heim_oid_cmp(type_id, &asn1_oid_id_pkix_on_xmppAddr) == 0) {
+ ret = acert1_sans_utf8_other(opt, &opt->has_xmpp_san_strings,
+ s ? s : "xmpp", value, count);
+ free(s);
+ return ret;
+ }
+ if (der_heim_oid_cmp(type_id, &asn1_oid_id_pkinit_san) != 0) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Ignoring OtherName SAN of type %s\n", type_str);
+ free(s);
+ return -1;
+ }
+
+ free(s);
+ type_str = s = NULL;
+
+ if (opt->has_pkinit_san_strings.num_strings == 0)
+ return 0;
+
+ for (k = 0; k < opt->has_pkinit_san_strings.num_strings; k++) {
+ const char *s2 = opt->has_pkinit_san_strings.strings[k];
+
+ if ((ret = _hx509_make_pkinit_san(context, s2, &pkinit)))
+ return ret;
+ match = (pkinit.length == value->length &&
+ memcmp(pkinit.data, value->data, pkinit.length) == 0);
+ free(pkinit.data);
+ if (match) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Matched PKINIT SAN %s\n", s2);
+ (*count)++;
+ return 0;
+ }
+ }
+ if (opt->verbose_flag)
+ fprintf(stderr, "Unexpected PKINIT SAN\n");
+ return -1;
+}
+
+static int
+acert1_sans(struct acert_options *opt,
+ Extension *e,
+ size_t *count,
+ size_t *found)
+{
+ heim_printable_string hps;
+ GeneralNames gns;
+ size_t i, k, sz;
+ size_t unwanted = 0;
+ int ret = 0;
+
+ memset(&gns, 0, sizeof(gns));
+ decode_GeneralNames(e->extnValue.data, e->extnValue.length, &gns, &sz);
+ for (i = 0; (ret == -1 || ret == 0) && i < gns.len; i++) {
+ GeneralName *gn = &gns.val[i];
+ const char *s;
+
+ (*found)++;
+ if (gn->element == choice_GeneralName_rfc822Name) {
+ for (k = 0; k < opt->has_email_san_strings.num_strings; k++) {
+ s = opt->has_email_san_strings.strings[k];
+ hps.data = rk_UNCONST(s);
+ hps.length = strlen(s);
+ if (der_printable_string_cmp(&gn->u.rfc822Name, &hps) == 0) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Matched e-mail address SAN %s\n", s);
+ (*count)++;
+ break;
+ }
+ }
+ if (k && k == opt->has_email_san_strings.num_strings) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Unexpected e-mail address SAN %.*s\n",
+ (int)gn->u.rfc822Name.length,
+ (const char *)gn->u.rfc822Name.data);
+ unwanted++;
+ }
+ } else if (gn->element == choice_GeneralName_dNSName) {
+ for (k = 0; k < opt->has_dnsname_san_strings.num_strings; k++) {
+ s = opt->has_dnsname_san_strings.strings[k];
+ hps.data = rk_UNCONST(s);
+ hps.length = strlen(s);
+ if (der_printable_string_cmp(&gn->u.dNSName, &hps) == 0) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Matched dNSName SAN %s\n", s);
+ (*count)++;
+ break;
+ }
+ }
+ if (k && k == opt->has_dnsname_san_strings.num_strings) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Unexpected e-mail address SAN %.*s\n",
+ (int)gn->u.dNSName.length,
+ (const char *)gn->u.dNSName.data);
+ unwanted++;
+ }
+ } else if (gn->element == choice_GeneralName_registeredID) {
+ for (k = 0; k < opt->has_registeredID_san_strings.num_strings; k++) {
+ heim_oid oid;
+
+ s = opt->has_registeredID_san_strings.strings[k];
+ memset(&oid, 0, sizeof(oid));
+ parse_oid(s, NULL, &oid);
+ if (der_heim_oid_cmp(&gn->u.registeredID, &oid) == 0) {
+ der_free_oid(&oid);
+ if (opt->verbose_flag)
+ fprintf(stderr, "Matched registeredID SAN %s\n", s);
+ (*count)++;
+ break;
+ }
+ der_free_oid(&oid);
+ }
+ if (k && k == opt->has_dnsname_san_strings.num_strings) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Unexpected registeredID SAN\n");
+ unwanted++;
+ }
+ } else if (gn->element == choice_GeneralName_otherName) {
+ ret = acert1_sans_other(opt, &gn->u.otherName.type_id,
+ &gn->u.otherName.value, count);
+ } else if (opt->verbose_flag) {
+ fprintf(stderr, "Unexpected unsupported SAN\n");
+ unwanted++;
+ }
+ }
+ free_GeneralNames(&gns);
+ if (ret == 0 && unwanted && opt->exact_flag)
+ return -1;
+ return ret;
+}
+
+static int
+acert1_ekus(struct acert_options *opt,
+ Extension *e,
+ size_t *count,
+ size_t *found)
+{
+ ExtKeyUsage eku;
+ size_t i, k, sz;
+ size_t unwanted = 0;
+ int ret = 0;
+
+ memset(&eku, 0, sizeof(eku));
+ decode_ExtKeyUsage(e->extnValue.data, e->extnValue.length, &eku, &sz);
+ for (i = 0; (ret == -1 || ret == 0) && i < eku.len; i++) {
+ (*found)++;
+ for (k = 0; k < opt->has_eku_strings.num_strings; k++) {
+ const char *s = opt->has_eku_strings.strings[k];
+ heim_oid oid;
+
+ memset(&oid, 0, sizeof(oid));
+ parse_oid(s, NULL, &oid);
+ if (der_heim_oid_cmp(&eku.val[i], &oid) == 0) {
+ der_free_oid(&oid);
+ if (opt->verbose_flag)
+ fprintf(stderr, "Matched EKU OID %s\n", s);
+ (*count)++;
+ break;
+ }
+ der_free_oid(&oid);
+ }
+ if (k && k == opt->has_eku_strings.num_strings) {
+ char *oids = NULL;
+
+ (void) der_print_heim_oid_sym(&eku.val[i], '.', &oids);
+ if (opt->verbose_flag)
+ fprintf(stderr, "Unexpected EKU OID %s\n",
+ oids ? oids : "<could-not-format-OID>");
+ unwanted++;
+ }
+ }
+ free_ExtKeyUsage(&eku);
+ if (ret == 0 && unwanted && opt->exact_flag)
+ return -1;
+ return ret;
+}
+
+static int
+acert1_kus(struct acert_options *opt,
+ Extension *e,
+ size_t *count,
+ size_t *found)
+{
+ const struct units *u = asn1_KeyUsage_units();
+ uint64_t ku_num;
+ KeyUsage ku;
+ size_t unwanted = 0;
+ size_t wanted = opt->has_ku_strings.num_strings;
+ size_t i, k, sz;
+ int ret;
+
+ memset(&ku, 0, sizeof(ku));
+ ret = decode_KeyUsage(e->extnValue.data, e->extnValue.length, &ku, &sz);
+ if (ret)
+ return ret;
+ ku_num = KeyUsage2int(ku);
+
+ /* Validate requested key usage values */
+ for (k = 0; k < wanted; k++) {
+ const char *s = opt->has_ku_strings.strings[k];
+
+ for (i = 0; u[i].name; i++)
+ if (strcmp(s, u[i].name) == 0)
+ break;
+
+ if (u[i].name == NULL)
+ warnx("Warning: requested key usage %s unknown", s);
+ }
+
+ for (i = 0; u[i].name; i++) {
+ if ((u[i].mult & ku_num))
+ (*found)++;
+ for (k = 0; k < wanted; k++) {
+ const char *s = opt->has_ku_strings.strings[k];
+
+ if (!(u[i].mult & ku_num) || strcmp(s, u[i].name) != 0)
+ continue;
+
+ if (opt->verbose_flag)
+ fprintf(stderr, "Matched key usage %s\n", s);
+ (*count)++;
+ break;
+ }
+ if ((u[i].mult & ku_num) && k == wanted) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Unexpected key usage %s\n", u[i].name);
+ unwanted++;
+ }
+ }
+
+ return (unwanted && opt->exact_flag) ? -1 : 0;
+}
+
+static time_t
+ptime(const char *s)
+{
+ struct tm at_tm;
+ char *rest;
+ int at_s;
+
+ if ((rest = strptime(s, "%Y-%m-%dT%H:%M:%S", &at_tm)) != NULL &&
+ rest[0] == '\0')
+ return mktime(&at_tm);
+ if ((rest = strptime(s, "%Y%m%d%H%M%S", &at_tm)) != NULL && rest[0] == '\0')
+ return mktime(&at_tm);
+ if ((at_s = parse_time(s, "s")) != -1)
+ return time(NULL) + at_s;
+ errx(1, "Could not parse time spec %s", s);
+}
+
+static int
+acert1_validity(struct acert_options *opt, hx509_cert cert)
+{
+ time_t not_before_eq = 0;
+ time_t not_before_lt = 0;
+ time_t not_before_gt = 0;
+ time_t not_after_eq = 0;
+ time_t not_after_lt = 0;
+ time_t not_after_gt = 0;
+ int ret = 0;
+
+ if (opt->valid_now_flag) {
+ time_t now = time(NULL);
+
+ if (hx509_cert_get_notBefore(cert) > now) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Certificate not valid yet\n");
+ ret = -1;
+ }
+ if (hx509_cert_get_notAfter(cert) < now) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Certificate currently expired\n");
+ ret = -1;
+ }
+ }
+ if (opt->valid_at_string) {
+ time_t at = ptime(opt->valid_at_string);
+
+ if (hx509_cert_get_notBefore(cert) > at) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Certificate not valid yet at %s\n",
+ opt->valid_at_string);
+ ret = -1;
+ }
+ if (hx509_cert_get_notAfter(cert) < at) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Certificate expired before %s\n",
+ opt->valid_at_string);
+ ret = -1;
+ }
+ }
+
+ if (opt->not_before_eq_string)
+ not_before_eq = ptime(opt->not_before_eq_string);
+ if (opt->not_before_lt_string)
+ not_before_lt = ptime(opt->not_before_lt_string);
+ if (opt->not_before_gt_string)
+ not_before_gt = ptime(opt->not_before_gt_string);
+ if (opt->not_after_eq_string)
+ not_after_eq = ptime(opt->not_after_eq_string);
+ if (opt->not_after_lt_string)
+ not_after_lt = ptime(opt->not_after_lt_string);
+ if (opt->not_after_gt_string)
+ not_after_gt = ptime(opt->not_after_gt_string);
+
+ if ((not_before_eq && hx509_cert_get_notBefore(cert) != not_before_eq) ||
+ (not_before_lt && hx509_cert_get_notBefore(cert) >= not_before_lt) ||
+ (not_before_gt && hx509_cert_get_notBefore(cert) <= not_before_gt)) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Certificate notBefore not as requested\n");
+ ret = -1;
+ }
+ if ((not_after_eq && hx509_cert_get_notAfter(cert) != not_after_eq) ||
+ (not_after_lt && hx509_cert_get_notAfter(cert) >= not_after_lt) ||
+ (not_after_gt && hx509_cert_get_notAfter(cert) <= not_after_gt)) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Certificate notAfter not as requested\n");
+ ret = -1;
+ }
+
+ if (opt->has_private_key_flag && !hx509_cert_have_private_key(cert)) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Certificate does not have a private key\n");
+ ret = -1;
+ }
+
+ if (opt->lacks_private_key_flag && hx509_cert_have_private_key(cert)) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Certificate does not have a private key\n");
+ ret = -1;
+ }
+
+ return ret;
+}
+
+static int
+acert1(struct acert_options *opt, size_t cert_num, hx509_cert cert, int *matched)
+{
+ const heim_oid *misc_exts [] = {
+ &asn1_oid_id_x509_ce_authorityKeyIdentifier,
+ &asn1_oid_id_x509_ce_subjectKeyIdentifier,
+ &asn1_oid_id_x509_ce_basicConstraints,
+ &asn1_oid_id_x509_ce_nameConstraints,
+ &asn1_oid_id_x509_ce_certificatePolicies,
+ &asn1_oid_id_x509_ce_policyMappings,
+ &asn1_oid_id_x509_ce_issuerAltName,
+ &asn1_oid_id_x509_ce_subjectDirectoryAttributes,
+ &asn1_oid_id_x509_ce_policyConstraints,
+ &asn1_oid_id_x509_ce_cRLDistributionPoints,
+ &asn1_oid_id_x509_ce_deltaCRLIndicator,
+ &asn1_oid_id_x509_ce_issuingDistributionPoint,
+ &asn1_oid_id_x509_ce_inhibitAnyPolicy,
+ &asn1_oid_id_x509_ce_cRLNumber,
+ &asn1_oid_id_x509_ce_freshestCRL,
+ NULL
+ };
+ const Certificate *c;
+ const Extensions *e;
+ KeyUsage ku;
+ size_t matched_elements = 0;
+ size_t wanted, sans_wanted, ekus_wanted, kus_wanted;
+ size_t found, sans_found, ekus_found, kus_found;
+ size_t i, k;
+ int ret;
+
+ if ((c = _hx509_get_cert(cert)) == NULL)
+ errx(1, "Could not get Certificate");
+ e = c->tbsCertificate.extensions;
+
+ ret = _hx509_cert_get_keyusage(context, cert, &ku);
+ if (ret && ret != HX509_KU_CERT_MISSING)
+ hx509_err(context, 1, ret, "Could not get key usage of certificate");
+ if (ret == HX509_KU_CERT_MISSING && opt->ca_flag)
+ return 0; /* want CA cert; this isn't it */
+ if (ret == 0 && opt->ca_flag && !ku.keyCertSign)
+ return 0; /* want CA cert; this isn't it */
+ if (ret == 0 && opt->end_entity_flag && ku.keyCertSign)
+ return 0; /* want EE cert; this isn't it */
+
+ if (opt->cert_num_integer != -1 && cert_num <= INT_MAX &&
+ opt->cert_num_integer != (int)cert_num)
+ return 0;
+ if (opt->cert_num_integer == -1 || opt->cert_num_integer == (int)cert_num)
+ *matched = 1;
+
+ if (_hx509_cert_get_version(c) < 3) {
+ warnx("Certificate with version %d < 3 ignored",
+ _hx509_cert_get_version(c));
+ return 0;
+ }
+
+ sans_wanted = opt->has_email_san_strings.num_strings
+ + opt->has_xmpp_san_strings.num_strings
+ + opt->has_ms_upn_san_strings.num_strings
+ + opt->has_dnsname_san_strings.num_strings
+ + opt->has_pkinit_san_strings.num_strings
+ + opt->has_registeredID_san_strings.num_strings;
+ ekus_wanted = opt->has_eku_strings.num_strings;
+ kus_wanted = opt->has_ku_strings.num_strings;
+ wanted = sans_wanted + ekus_wanted + kus_wanted;
+ sans_found = ekus_found = kus_found = 0;
+
+ if (e == NULL) {
+ if (wanted)
+ return -1;
+ return acert1_validity(opt, cert);
+ }
+
+ for (i = 0; i < e->len; i++) {
+ if (der_heim_oid_cmp(&e->val[i].extnID,
+ &asn1_oid_id_x509_ce_subjectAltName) == 0) {
+ ret = acert1_sans(opt, &e->val[i], &matched_elements, &sans_found);
+ if (ret == -1 && sans_wanted == 0 &&
+ (!opt->exact_flag || sans_found == 0))
+ ret = 0;
+ } else if (der_heim_oid_cmp(&e->val[i].extnID,
+ &asn1_oid_id_x509_ce_extKeyUsage) == 0) {
+ ret = acert1_ekus(opt, &e->val[i], &matched_elements, &ekus_found);
+ if (ret == -1 && ekus_wanted == 0 &&
+ (!opt->exact_flag || ekus_found == 0))
+ ret = 0;
+ } else if (der_heim_oid_cmp(&e->val[i].extnID,
+ &asn1_oid_id_x509_ce_keyUsage) == 0) {
+ ret = acert1_kus(opt, &e->val[i], &matched_elements, &kus_found);
+ if (ret == -1 && kus_wanted == 0 &&
+ (!opt->exact_flag || kus_found == 0))
+ ret = 0;
+ } else {
+ char *oids = NULL;
+
+ for (k = 0; misc_exts[k]; k++) {
+ if (der_heim_oid_cmp(&e->val[i].extnID, misc_exts[k]) == 0)
+ break;
+ }
+ if (misc_exts[k])
+ continue;
+
+ (void) der_print_heim_oid(&e->val[i].extnID, '.', &oids);
+ warnx("Matching certificate has unexpected certificate "
+ "extension %s", oids ? oids : "<could not display OID>");
+ free(oids);
+ ret = -1;
+ }
+ if (ret && ret != -1)
+ hx509_err(context, 1, ret, "Error checking matching certificate");
+ if (ret == -1)
+ break;
+ }
+ if (matched_elements != wanted)
+ return -1;
+ found = sans_found + ekus_found + kus_found;
+ if (matched_elements != found && opt->exact_flag)
+ return -1;
+ if (ret)
+ return ret;
+ return acert1_validity(opt, cert);
+}
+
+int
+acert(struct acert_options *opt, int argc, char **argv)
+{
+ hx509_cursor cursor = NULL;
+ hx509_query *q = NULL;
+ hx509_certs certs = NULL;
+ hx509_cert cert = NULL;
+ char *sn = fix_store_name(context, argv[0], "FILE");
+ size_t n = 0;
+ int matched = 0;
+ int ret;
+
+ if (opt->not_after_eq_string &&
+ (opt->not_after_lt_string || opt->not_after_gt_string))
+ errx(1, "--not-after-eq should not be given with --not-after-lt/gt");
+ if (opt->not_before_eq_string &&
+ (opt->not_before_lt_string || opt->not_before_gt_string))
+ errx(1, "--not-before-eq should not be given with --not-before-lt/gt");
+
+ if ((ret = hx509_certs_init(context, sn, 0, NULL, &certs)))
+ hx509_err(context, 1, ret, "Could not load certificates from %s", sn);
+
+ if (opt->expr_string) {
+ if ((ret = hx509_query_alloc(context, &q)) ||
+ (ret = hx509_query_match_expr(context, q, opt->expr_string)))
+ hx509_err(context, 1, ret, "Could not initialize query");
+ if ((ret = hx509_certs_find(context, certs, q, &cert)) || !cert)
+ hx509_err(context, 1, ret, "No matching certificate");
+ ret = acert1(opt, -1, cert, &matched);
+ matched = 1;
+ } else {
+ ret = hx509_certs_start_seq(context, certs, &cursor);
+ while (ret == 0 &&
+ (ret = hx509_certs_next_cert(context, certs,
+ cursor, &cert)) == 0 &&
+ cert) {
+ ret = acert1(opt, n++, cert, &matched);
+ if (matched)
+ break;
+ hx509_cert_free(cert);
+ cert = NULL;
+ }
+ if (cursor)
+ (void) hx509_certs_end_seq(context, certs, cursor);
+ }
+ if (!matched && ret)
+ hx509_err(context, 1, ret, "Could not find certificate");
+ if (!matched)
+ errx(1, "Could not find certificate");
+ if (ret == -1)
+ errx(1, "Matching certificate did not meet requirements");
+ if (ret)
+ hx509_err(context, 1, ret, "Matching certificate did not meet "
+ "requirements");
+ hx509_cert_free(cert);
+ free(sn);
+ return 0;
+}
+
/*
*
*/
diff --git a/lib/hx509/keyset.c b/lib/hx509/keyset.c
index ed5b22b981d3..f25cdf4e419b 100644
--- a/lib/hx509/keyset.c
+++ b/lib/hx509/keyset.c
@@ -40,7 +40,7 @@
*
* Type of certificates store:
* - MEMORY
- * In memory based format. Doesnt support storing.
+ * In memory based format. Doesn't support storing.
* - FILE
* FILE supports raw DER certicates and PEM certicates. When PEM is
* used the file can contain may certificates and match private
@@ -63,9 +63,10 @@ struct hx509_certs_data {
unsigned int ref;
struct hx509_keyset_ops *ops;
void *ops_data;
+ int flags;
};
-static struct hx509_keyset_ops *
+struct hx509_keyset_ops *
_hx509_ks_type(hx509_context context, const char *type)
{
int i;
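Review bot: `_hx509_ks_type` loses `static` here but does not receive the `HX509_LIB_FUNCTION`/`HX509_LIB_CALL` decoration that every other newly exported function in this file gets (e.g. `_hx509_ks_register` in the next hunk). If it is only meant to be reachable from other translation units inside the library, a short comment saying so would explain the inconsistency; if it is meant to be callable from outside the library it should read `HX509_LIB_FUNCTION struct hx509_keyset_ops * HX509_LIB_CALL`. The function body continues outside the hunk.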
@@ -77,7 +78,7 @@ _hx509_ks_type(hx509_context context, const char *type)
return NULL;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_ks_register(hx509_context context, struct hx509_keyset_ops *ops)
{
struct hx509_keyset_ops **val;
@@ -103,6 +104,7 @@ _hx509_ks_register(hx509_context context, struct hx509_keyset_ops *ops)
* @param flags list of flags:
* - HX509_CERTS_CREATE create a new keystore of the specific TYPE.
* - HX509_CERTS_UNPROTECT_ALL fails if any private key failed to be extracted.
+ * - HX509_CERTS_NO_PRIVATE_KEYS does not load or permit adding private keys
* @param lock a lock that unlocks the certificates store, use NULL to
* select no password/certifictes/prompt lock (see @ref page_lock).
* @param certs return pointer, free with hx509_certs_free().
@@ -112,7 +114,7 @@ _hx509_ks_register(hx509_context context, struct hx509_keyset_ops *ops)
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_init(hx509_context context,
const char *name, int flags,
hx509_lock lock, hx509_certs *certs)
@@ -125,6 +127,9 @@ hx509_certs_init(hx509_context context,
*certs = NULL;
+ if (name == NULL)
+ name = "";
+
residue = strchr(name, ':');
if (residue) {
type = malloc(residue - name + 1);
@@ -155,6 +160,7 @@ hx509_certs_init(hx509_context context,
hx509_clear_error_string(context);
return ENOMEM;
}
+ c->flags = flags;
c->ops = ops;
c->ref = 1;
@@ -169,11 +175,41 @@ hx509_certs_init(hx509_context context,
}
/**
+ * Destroys and frees a hx509 certificate store.
+ *
+ * @param context A hx509 context
+ * @param certs A store to destroy
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_certs_destroy(hx509_context context,
+ hx509_certs *certs)
+{
+ int ret = 0;
+
+ if (*certs) {
+ if ((*certs)->ops->destroy)
+ ret = ((*certs)->ops->destroy)(context, *certs, (*certs)->ops_data);
+ else
+ ret = ENOTSUP;
+ }
+ hx509_certs_free(certs);
+ return ret;
+}
+
+/**
* Write the certificate store to stable storage.
*
+ * Use the HX509_CERTS_STORE_NO_PRIVATE_KEYS flag to ensure that no private
+ * keys are stored, even if added.
+ *
* @param context A hx509 context.
* @param certs a certificate store to store.
- * @param flags currently unused, use 0.
+ * @param flags currently one flag is defined: HX509_CERTS_STORE_NO_PRIVATE_KEYS
* @param lock a lock that unlocks the certificates store, use NULL to
* select no password/certifictes/prompt lock (see @ref page_lock).
*
@@ -183,7 +219,7 @@ hx509_certs_init(hx509_context context,
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_store(hx509_context context,
hx509_certs certs,
int flags,
@@ -201,7 +237,7 @@ hx509_certs_store(hx509_context context,
}
-hx509_certs
+HX509_LIB_FUNCTION hx509_certs HX509_LIB_CALL
hx509_certs_ref(hx509_certs certs)
{
if (certs == NULL)
@@ -222,7 +258,7 @@ hx509_certs_ref(hx509_certs certs)
* @ingroup hx509_keyset
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_certs_free(hx509_certs *certs)
{
if (*certs) {
@@ -252,7 +288,7 @@ hx509_certs_free(hx509_certs *certs)
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_start_seq(hx509_context context,
hx509_certs certs,
hx509_cursor *cursor)
@@ -288,7 +324,7 @@ hx509_certs_start_seq(hx509_context context,
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_next_cert(hx509_context context,
hx509_certs certs,
hx509_cursor cursor,
@@ -310,7 +346,7 @@ hx509_certs_next_cert(hx509_context context,
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_end_seq(hx509_context context,
hx509_certs certs,
hx509_cursor cursor)
@@ -335,10 +371,10 @@ hx509_certs_end_seq(hx509_context context,
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_iter_f(hx509_context context,
hx509_certs certs,
- int (*func)(hx509_context, void *, hx509_cert),
+ int (HX509_LIB_CALL *func)(hx509_context, void *, hx509_cert),
void *ctx)
{
hx509_cursor cursor;
@@ -392,7 +428,7 @@ certs_iter(hx509_context context, void *ctx, hx509_cert cert)
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_iter(hx509_context context,
hx509_certs certs,
int (^func)(hx509_cert))
@@ -415,7 +451,7 @@ hx509_certs_iter(hx509_context context,
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ci_print_names(hx509_context context, void *ctx, hx509_cert c)
{
Certificate *cert;
@@ -452,9 +488,12 @@ hx509_ci_print_names(hx509_context context, void *ctx, hx509_cert c)
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_add(hx509_context context, hx509_certs certs, hx509_cert cert)
{
+ hx509_cert copy = NULL;
+ int ret;
+
if (certs->ops->add == NULL) {
hx509_set_error_string(context, 0, ENOENT,
"Keyset type %s doesn't support add operation",
@@ -462,7 +501,20 @@ hx509_certs_add(hx509_context context, hx509_certs certs, hx509_cert cert)
return ENOENT;
}
- return (*certs->ops->add)(context, certs, certs->ops_data, cert);
+ if ((certs->flags & HX509_CERTS_NO_PRIVATE_KEYS) &&
+ hx509_cert_have_private_key(cert)) {
+ if ((copy = hx509_cert_copy_no_private_key(context, cert,
+ NULL)) == NULL) {
+ hx509_set_error_string(context, 0, ENOMEM,
+ "Could not add certificate to store");
+ return ENOMEM;
+ }
+ cert = copy;
+ }
+
+ ret = (*certs->ops->add)(context, certs, certs->ops_data, cert);
+ hx509_cert_free(copy);
+ return ret;
}
/**
@@ -479,7 +531,7 @@ hx509_certs_add(hx509_context context, hx509_certs certs, hx509_cert cert)
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_find(hx509_context context,
hx509_certs certs,
const hx509_query *q,
@@ -509,11 +561,14 @@ hx509_certs_find(hx509_context context,
break;
if (_hx509_query_match_cert(context, q, c)) {
*r = c;
+ c = NULL;
break;
}
hx509_cert_free(c);
+ c = NULL;
}
+ hx509_cert_free(c);
hx509_certs_end_seq(context, certs, cursor);
if (ret)
return ret;
@@ -521,7 +576,7 @@ hx509_certs_find(hx509_context context,
* Return HX509_CERT_NOT_FOUND if no certificate in certs matched
* the query.
*/
- if (c == NULL) {
+ if (*r == NULL) {
hx509_clear_error_string(context);
return HX509_CERT_NOT_FOUND;
}
@@ -543,7 +598,7 @@ hx509_certs_find(hx509_context context,
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_filter(hx509_context context,
hx509_certs certs,
const hx509_query *q,
@@ -600,15 +655,14 @@ hx509_certs_filter(hx509_context context,
}
-static int
+static int HX509_LIB_CALL
certs_merge_func(hx509_context context, void *ctx, hx509_cert c)
{
return hx509_certs_add(context, (hx509_certs)ctx, c);
}
/**
- * Merge a certificate store into another. The from store is keep
- * intact.
+ * Merge one certificate store into another. The from store is kept intact.
*
* @param context a hx509 context.
* @param to the store to merge into.
@@ -619,7 +673,7 @@ certs_merge_func(hx509_context context, void *ctx, hx509_cert c)
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_merge(hx509_context context, hx509_certs to, hx509_certs from)
{
if (from == NULL)
@@ -642,7 +696,7 @@ hx509_certs_merge(hx509_context context, hx509_certs to, hx509_certs from)
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_append(hx509_context context,
hx509_certs to,
hx509_lock lock,
@@ -671,7 +725,7 @@ hx509_certs_append(hx509_context context,
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_get_one_cert(hx509_context context, hx509_certs certs, hx509_cert *c)
{
hx509_cursor cursor;
@@ -714,7 +768,7 @@ certs_info_stdio(void *ctx, const char *str)
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_info(hx509_context context,
hx509_certs certs,
int (*func)(void *, const char *),
@@ -733,7 +787,7 @@ hx509_certs_info(hx509_context context,
func, ctx);
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_pi_printf(int (*func)(void *, const char *), void *ctx,
const char *fmt, ...)
{
@@ -750,7 +804,7 @@ _hx509_pi_printf(int (*func)(void *, const char *), void *ctx,
free(str);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_certs_keys_get(hx509_context context,
hx509_certs certs,
hx509_private_key **keys)
@@ -762,7 +816,7 @@ _hx509_certs_keys_get(hx509_context context,
return (*certs->ops->getkeys)(context, certs, certs->ops_data, keys);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_certs_keys_add(hx509_context context,
hx509_certs certs,
hx509_private_key key)
@@ -778,11 +832,14 @@ _hx509_certs_keys_add(hx509_context context,
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_certs_keys_free(hx509_context context,
hx509_private_key *keys)
{
- int i;
+ size_t i;
+
+ if (keys == NULL)
+ return;
for (i = 0; keys[i]; i++)
hx509_private_key_free(&keys[i]);
free(keys);
diff --git a/lib/hx509/ks_dir.c b/lib/hx509/ks_dir.c
index 1740dfe42c74..3bc99f2dc6cf 100644
--- a/lib/hx509/ks_dir.c
+++ b/lib/hx509/ks_dir.c
@@ -59,6 +59,12 @@ dir_init(hx509_context context,
{
*data = NULL;
+ if (residue == NULL || residue[0] == '\0') {
+ hx509_set_error_string(context, 0, EINVAL,
+ "DIR file name not specified");
+ return EINVAL;
+ }
+
{
struct stat sb;
int ret;
@@ -214,10 +220,11 @@ static struct hx509_keyset_ops keyset_dir = {
dir_iter_end,
NULL,
NULL,
+ NULL,
NULL
};
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_ks_dir_register(hx509_context context)
{
_hx509_ks_register(context, &keyset_dir);
diff --git a/lib/hx509/ks_file.c b/lib/hx509/ks_file.c
index b9c2f420d5b8..6d8c77bd2402 100644
--- a/lib/hx509/ks_file.c
+++ b/lib/hx509/ks_file.c
@@ -32,6 +32,9 @@
*/
#include "hx_locl.h"
+#ifndef WIN32
+#include <libgen.h>
+#endif
typedef enum { USE_PEM, USE_DER } outformat;
@@ -46,7 +49,7 @@ struct ks_file {
*/
static int
-parse_certificate(hx509_context context, const char *fn,
+parse_certificate(hx509_context context, const char *fn, int flags,
struct hx509_collector *c,
const hx509_pem_header *headers,
const void *data, size_t len,
@@ -71,6 +74,7 @@ parse_certificate(hx509_context context, const char *fn,
static int
try_decrypt(hx509_context context,
struct hx509_collector *collector,
+ int flags,
const AlgorithmIdentifier *alg,
const EVP_CIPHER *c,
const void *ivdata,
@@ -119,12 +123,9 @@ try_decrypt(hx509_context context,
EVP_CIPHER_CTX_cleanup(&ctx);
}
- ret = _hx509_collector_private_key_add(context,
- collector,
- alg,
- NULL,
- &clear,
- NULL);
+ if (!(flags & HX509_CERTS_NO_PRIVATE_KEYS))
+ ret = _hx509_collector_private_key_add(context, collector, alg, NULL,
+ &clear, NULL);
memset_s(clear.data, clear.length, 0, clear.length);
free(clear.data);
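Review bot: When `HX509_CERTS_NO_PRIVATE_KEYS` is set, `try_decrypt` now returns whatever `ret` held after the decryption step, which lies outside the hunk; if that value is non-zero on success (OpenSSL's `EVP_CipherInit_ex` returns 1), the caller in `parse_pem_private_key` would treat the decryption as failed and keep trying passwords. Make the intent explicit with `else ret = 0;` after the guarded `_hx509_collector_private_key_add` call. The unencrypted `else if (!(flags & HX509_CERTS_NO_PRIVATE_KEYS))` branch added in the `parse_pem_private_key` hunk has the same dependency on a `ret` value assigned outside that hunk.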
@@ -135,7 +136,7 @@ out:
}
static int
-parse_pkcs8_private_key(hx509_context context, const char *fn,
+parse_pkcs8_private_key(hx509_context context, const char *fn, int flags,
struct hx509_collector *c,
const hx509_pem_header *headers,
const void *data, size_t length,
@@ -143,28 +144,28 @@ parse_pkcs8_private_key(hx509_context context, const char *fn,
{
PKCS8PrivateKeyInfo ki;
heim_octet_string keydata;
-
int ret;
ret = decode_PKCS8PrivateKeyInfo(data, length, &ki, NULL);
if (ret)
return ret;
- keydata.data = rk_UNCONST(data);
- keydata.length = length;
-
- ret = _hx509_collector_private_key_add(context,
- c,
- &ki.privateKeyAlgorithm,
- NULL,
- &ki.privateKey,
- &keydata);
+ if (!(flags & HX509_CERTS_NO_PRIVATE_KEYS)) {
+ keydata.data = rk_UNCONST(data);
+ keydata.length = length;
+ ret = _hx509_collector_private_key_add(context,
+ c,
+ &ki.privateKeyAlgorithm,
+ NULL,
+ &ki.privateKey,
+ &keydata);
+ }
free_PKCS8PrivateKeyInfo(&ki);
return ret;
}
static int
-parse_pem_private_key(hx509_context context, const char *fn,
+parse_pem_private_key(hx509_context context, const char *fn, int flags,
struct hx509_collector *c,
const hx509_pem_header *headers,
const void *data, size_t len,
@@ -268,7 +269,7 @@ parse_pem_private_key(hx509_context context, const char *fn,
password = pw->val[i];
passwordlen = strlen(password);
- ret = try_decrypt(context, c, ai, cipher, ivdata,
+ ret = try_decrypt(context, c, flags, ai, cipher, ivdata,
password, passwordlen, data, len);
if (ret == 0) {
decrypted = 1;
@@ -289,21 +290,21 @@ parse_pem_private_key(hx509_context context, const char *fn,
ret = hx509_lock_prompt(lock, &prompt);
if (ret == 0)
- ret = try_decrypt(context, c, ai, cipher, ivdata, password,
- strlen(password), data, len);
+ ret = try_decrypt(context, c, flags, ai, cipher, ivdata,
+ password, strlen(password), data, len);
/* XXX add password to lock password collection ? */
memset_s(password, sizeof(password), 0, sizeof(password));
}
free(ivdata);
- } else {
+ } else if (!(flags & HX509_CERTS_NO_PRIVATE_KEYS)) {
heim_octet_string keydata;
keydata.data = rk_UNCONST(data);
keydata.length = len;
- ret = _hx509_collector_private_key_add(context, c, ai, NULL,
- &keydata, NULL);
+ ret = _hx509_collector_private_key_add(context, c, ai, NULL,
+ &keydata, NULL);
}
return ret;
@@ -312,7 +313,7 @@ parse_pem_private_key(hx509_context context, const char *fn,
struct pem_formats {
const char *name;
- int (*func)(hx509_context, const char *, struct hx509_collector *,
+ int (*func)(hx509_context, const char *, int, struct hx509_collector *,
const hx509_pem_header *, const void *, size_t,
const AlgorithmIdentifier *);
const AlgorithmIdentifier *(*ai)(void);
@@ -344,11 +345,12 @@ pem_func(hx509_context context, const char *type,
const char *q = formats[j].name;
if (strcasecmp(type, q) == 0) {
const AlgorithmIdentifier *ai = NULL;
+
if (formats[j].ai != NULL)
ai = (*formats[j].ai)();
- ret = (*formats[j].func)(context, NULL, pem_ctx->c,
- header, data, len, ai);
+ ret = (*formats[j].func)(context, NULL, pem_ctx->flags, pem_ctx->c,
+ header, data, len, ai);
if (ret && (pem_ctx->flags & HX509_CERTS_UNPROTECT_ALL)) {
hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
"Failed parseing PEM format %s", type);
@@ -384,6 +386,12 @@ file_init_common(hx509_context context,
pem_ctx.flags = flags;
pem_ctx.c = NULL;
+ if (residue == NULL || residue[0] == '\0') {
+ hx509_set_error_string(context, 0, EINVAL,
+ "PEM file name not specified");
+ return EINVAL;
+ }
+
*data = NULL;
if (lock == NULL)
@@ -409,6 +417,10 @@ file_init_common(hx509_context context,
*/
if (flags & HX509_CERTS_CREATE) {
+ /*
+ * Note that the file creation is deferred until file_store() is
+ * called.
+ */
ret = hx509_certs_init(context, "MEMORY:ks-file-create",
0, lock, &ksf->certs);
if (ret)
@@ -455,10 +467,12 @@ file_init_common(hx509_context context,
for (i = 0; i < sizeof(formats)/sizeof(formats[0]); i++) {
const AlgorithmIdentifier *ai = NULL;
+
if (formats[i].ai != NULL)
ai = (*formats[i].ai)();
- ret = (*formats[i].func)(context, p, pem_ctx.c, NULL, ptr, length, ai);
+ ret = (*formats[i].func)(context, p, pem_ctx.flags, pem_ctx.c,
+ NULL, ptr, length, ai);
if (ret == 0)
break;
}
@@ -526,63 +540,148 @@ file_free(hx509_certs certs, void *data)
struct store_ctx {
FILE *f;
outformat format;
+ int store_flags;
};
-static int
+static int HX509_LIB_CALL
store_func(hx509_context context, void *ctx, hx509_cert c)
{
struct store_ctx *sc = ctx;
heim_octet_string data;
int ret = 0;
- ret = hx509_cert_binary(context, c, &data);
- if (ret)
- return ret;
+ if ((sc->store_flags & HX509_CERTS_STORE_NO_ROOTS)) {
+ int self_signed = 0;
+
+ ret = hx509_cert_is_self_signed(context, c, &self_signed);
+ if (ret || self_signed)
+ return ret;
+ }
+
+ if (hx509_cert_have_private_key_only(c)) {
+ data.length = 0;
+ data.data = NULL;
+ } else {
+ ret = hx509_cert_binary(context, c, &data);
+ if (ret)
+ return ret;
+ }
switch (sc->format) {
case USE_DER:
- fwrite(data.data, data.length, 1, sc->f);
- free(data.data);
+ /* Can't store both. Well, we could, but nothing will support it */
+ if (data.data) {
+ fwrite(data.data, data.length, 1, sc->f);
+ } else if (_hx509_cert_private_key_exportable(c) &&
+ !(sc->store_flags & HX509_CERTS_STORE_NO_PRIVATE_KEYS)) {
+ hx509_private_key key = _hx509_cert_private_key(c);
+
+ free(data.data);
+ data.length = 0;
+ data.data = NULL;
+ ret = _hx509_private_key_export(context, key,
+ HX509_KEY_FORMAT_DER, &data);
+ if (ret == 0 && data.length)
+ fwrite(data.data, data.length, 1, sc->f);
+ }
break;
case USE_PEM:
- hx509_pem_write(context, "CERTIFICATE", NULL, sc->f,
- data.data, data.length);
- free(data.data);
- if (_hx509_cert_private_key_exportable(c)) {
+ if (_hx509_cert_private_key_exportable(c) &&
+ !(sc->store_flags & HX509_CERTS_STORE_NO_PRIVATE_KEYS)) {
+ heim_octet_string priv_key;
hx509_private_key key = _hx509_cert_private_key(c);
+
ret = _hx509_private_key_export(context, key,
- HX509_KEY_FORMAT_DER, &data);
- if (ret)
- break;
- ret = hx509_pem_write(context, _hx509_private_pem_name(key), NULL,
- sc->f, data.data, data.length);
- free(data.data);
+ HX509_KEY_FORMAT_DER, &priv_key);
+ if (ret == 0)
+ ret = hx509_pem_write(context, _hx509_private_pem_name(key), NULL,
+ sc->f, priv_key.data, priv_key.length);
+ free(priv_key.data);
}
+ if (ret == 0 && data.data) {
+ ret = hx509_pem_write(context, "CERTIFICATE", NULL, sc->f,
+ data.data, data.length);
+ }
break;
}
+ free(data.data);
return ret;
}
static int
+mk_temp(const char *fn, char **tfn)
+{
+ char *ds;
+ int ret = -1;
+
+#ifdef WIN32
+ char buf[PATH_MAX];
+ char *p;
+
+ *tfn = NULL;
+
+ if ((ds = _fullpath(buf, fn, sizeof(buf))) == NULL) {
+ errno = errno ? errno : ENAMETOOLONG;
+ return -1;
+ }
+
+ if ((p = strrchr(ds, '\\')) == NULL) {
+ ret = asprintf(tfn, ".%s-XXXXXX", ds); /* XXX can't happen */
+ } else {
+ *(p++) = '\0';
+ ret = asprintf(tfn, "%s/.%s-XXXXXX", ds, p);
+ }
+#else
+ *tfn = NULL;
+ if ((ds = strdup(fn)))
+ ret = asprintf(tfn, "%s/.%s-XXXXXX", dirname(ds), basename(ds));
+ free(ds);
+#endif
+
+ /*
+ * Using mkostemp() risks leaving garbage files lying around. To do better
+ * without resorting to file locks (which have their own problems) we need
+ * O_TMPFILE and linkat(2), which only Linux has.
+ */
+ return (ret == -1 || *tfn == NULL) ? -1 : mkostemp(*tfn, O_CLOEXEC);
+}
+
+static int
file_store(hx509_context context,
hx509_certs certs, void *data, int flags, hx509_lock lock)
{
struct ks_file *ksf = data;
struct store_ctx sc;
+ char *tfn;
int ret;
+ int fd;
- sc.f = fopen(ksf->fn, "w");
+ sc.f = NULL;
+ fd = mk_temp(ksf->fn, &tfn);
+ if (fd > -1)
+ sc.f = fdopen(fd, "w");
if (sc.f == NULL) {
- hx509_set_error_string(context, 0, ENOENT,
- "Failed to open file %s for writing");
- return ENOENT;
+ hx509_set_error_string(context, 0, ret = errno,
+ "Failed to open file %s for writing", ksf->fn);
+ if (fd > -1)
+ (void) close(fd);
+ return ret;
}
rk_cloexec_file(sc.f);
+ sc.store_flags = flags;
sc.format = ksf->format;
ret = hx509_certs_iter_f(context, ksf->certs, store_func, &sc);
- fclose(sc.f);
+ if (ret == 0)
+ ret = fclose(sc.f);
+ else
+ (void) fclose(sc.f);
+ if (ret)
+ (void) unlink(tfn);
+ else
+ (void) rename(tfn, ksf->fn);
+ free(tfn);
return ret;
}
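Review bot: In `mk_temp`, `dirname(ds)` and `basename(ds)` are applied to the same buffer inside one `asprintf` call; both functions may modify their argument in place and C leaves the evaluation order of function arguments unspecified, so when `dirname` runs first the basename is taken from the already-truncated string and the temporary file is created under the wrong name. Use a separate copy for each call, as in the fence below. In `file_store`, the `fwrite` calls in `store_func` and the final `rename` are unchecked, so a short write or a failed rename leaves the store unwritten while `file_store` returns 0 — check the rename with `if (rename(tfn, ksf->fn) == -1) { ret = errno; (void) unlink(tfn); }`. Note also that `fclose` reports failure as `EOF` (-1) rather than an errno value, so `ret = fclose(sc.f)` should become `if (fclose(sc.f) == EOF) ret = errno;`.
```c
#else
    *tfn = NULL;
    if ((ds = strdup(fn)) != NULL) {
        char *bs = strdup(fn);

        if (bs != NULL)
            ret = asprintf(tfn, "%s/.%s-XXXXXX", dirname(ds), basename(bs));
        free(bs);
    }
    free(ds);
#endif
```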
@@ -639,6 +738,15 @@ file_addkey(hx509_context context,
return _hx509_certs_keys_add(context, ksf->certs, key);
}
+static int
+file_destroy(hx509_context context,
+ hx509_certs certs,
+ void *data)
+{
+ struct ks_file *ksf = data;
+ return _hx509_erase_file(context, ksf->fn);
+}
+
static struct hx509_keyset_ops keyset_file = {
"FILE",
0,
@@ -652,7 +760,8 @@ static struct hx509_keyset_ops keyset_file = {
file_iter_end,
NULL,
file_getkeys,
- file_addkey
+ file_addkey,
+ file_destroy
};
static struct hx509_keyset_ops keyset_pemfile = {
@@ -668,7 +777,8 @@ static struct hx509_keyset_ops keyset_pemfile = {
file_iter_end,
NULL,
file_getkeys,
- file_addkey
+ file_addkey,
+ file_destroy
};
static struct hx509_keyset_ops keyset_derfile = {
@@ -684,11 +794,12 @@ static struct hx509_keyset_ops keyset_derfile = {
file_iter_end,
NULL,
file_getkeys,
- file_addkey
+ file_addkey,
+ file_destroy
};
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_ks_file_register(hx509_context context)
{
_hx509_ks_register(context, &keyset_file);
diff --git a/lib/hx509/ks_keychain.c b/lib/hx509/ks_keychain.c
index 9b8224f1d237..3243ee8b26c3 100644
--- a/lib/hx509/ks_keychain.c
+++ b/lib/hx509/ks_keychain.c
@@ -328,6 +328,13 @@ keychain_init(hx509_context context,
{
struct ks_keychain *ctx;
+ if (flags & HX509_CERTS_NO_PRIVATE_KEYS) {
+ hx509_set_error_string(context, 0, ENOTSUP,
+ "KEYCHAIN store does not support not reading "
+ "private keys");
+ return ENOTSUP;
+ }
+
ctx = calloc(1, sizeof(*ctx));
if (ctx == NULL) {
hx509_clear_error_string(context);
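Review bot: The error text `"KEYCHAIN store does not support not reading private keys"` reads awkwardly and differs from the wording used for the same condition in `p11_init`; for consistency prefer `"KEYCHAIN store does not support the HX509_CERTS_NO_PRIVATE_KEYS flag"`. The check itself is correctly placed before the allocation, so no cleanup is needed on this early-return path.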
@@ -599,6 +606,7 @@ struct hx509_keyset_ops keyset_keychain = {
keychain_iter_end,
NULL,
NULL,
+ NULL,
NULL
};
@@ -610,7 +618,7 @@ struct hx509_keyset_ops keyset_keychain = {
*
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_ks_keychain_register(hx509_context context)
{
#ifdef HAVE_FRAMEWORK_SECURITY
diff --git a/lib/hx509/ks_mem.c b/lib/hx509/ks_mem.c
index 684acb0adf35..f325d12be2a0 100644
--- a/lib/hx509/ks_mem.c
+++ b/lib/hx509/ks_mem.c
@@ -213,10 +213,11 @@ static struct hx509_keyset_ops keyset_mem = {
mem_iter_end,
NULL,
mem_getkeys,
- mem_addkey
+ mem_addkey,
+ NULL
};
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_ks_mem_register(hx509_context context)
{
_hx509_ks_register(context, &keyset_mem);
diff --git a/lib/hx509/ks_null.c b/lib/hx509/ks_null.c
index 5ac0beb7bf91..c241d30f34e3 100644
--- a/lib/hx509/ks_null.c
+++ b/lib/hx509/ks_null.c
@@ -90,10 +90,11 @@ struct hx509_keyset_ops keyset_null = {
null_iter_end,
NULL,
NULL,
+ NULL,
NULL
};
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_ks_null_register(hx509_context context)
{
_hx509_ks_register(context, &keyset_null);
diff --git a/lib/hx509/ks_p11.c b/lib/hx509/ks_p11.c
index 1b2309e20d50..265523b38603 100644
--- a/lib/hx509/ks_p11.c
+++ b/lib/hx509/ks_p11.c
@@ -32,16 +32,13 @@
*/
#include "hx_locl.h"
-#ifdef HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
#ifdef HAVE_DLOPEN
#include "ref/pkcs11.h"
struct p11_slot {
- int flags;
+ uint64_t flags;
#define P11_SESSION 1
#define P11_SESSION_IN_USE 2
#define P11_LOGIN_REQ 4
@@ -823,6 +820,18 @@ p11_init(hx509_context context,
*data = NULL;
+ if (flags & HX509_CERTS_NO_PRIVATE_KEYS) {
+ hx509_set_error_string(context, 0, ENOTSUP,
+ "PKCS#11 store does not support "
+ "HX509_CERTS_NO_PRIVATE_KEYS flag");
+ return ENOTSUP;
+ }
+
+ if (residue == NULL || residue[0] == '\0') {
+ hx509_set_error_string(context, 0, EINVAL,
+ "PKCS#11 store not specified");
+ return EINVAL;
+ }
list = strdup(residue);
if (list == NULL)
return ENOMEM;
@@ -849,7 +858,7 @@ p11_init(hx509_context context,
str = strnext;
}
- p->dl_handle = dlopen(list, RTLD_NOW);
+ p->dl_handle = dlopen(list, RTLD_NOW | RTLD_LOCAL | RTLD_GROUP);
if (p->dl_handle == NULL) {
ret = HX509_PKCS11_LOAD;
hx509_set_error_string(context, 0, ret,
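Review bot: `RTLD_GROUP` is a Solaris-specific dlopen flag; glibc and the BSD libcs do not define it, so this line compiles there only if a fallback definition exists in a header this file includes — and the hunk near the top of the file removed the direct `<dlfcn.h>` include, so that header is presumably `hx_locl.h` or roken. If no fallback exists, guard it with `#ifndef RTLD_GROUP` / `#define RTLD_GROUP 0`. Adding `RTLD_LOCAL` is a good change in itself, since it keeps the loaded PKCS#11 module's symbols out of the global namespace.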
@@ -1206,12 +1215,13 @@ static struct hx509_keyset_ops keyset_pkcs11 = {
p11_iter_end,
p11_printinfo,
NULL,
+ NULL,
NULL
};
#endif /* HAVE_DLOPEN */
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_ks_pkcs11_register(hx509_context context)
{
#ifdef HAVE_DLOPEN
diff --git a/lib/hx509/ks_p12.c b/lib/hx509/ks_p12.c
index b7df0be32aca..1e9a92a4ff54 100644
--- a/lib/hx509/ks_p12.c
+++ b/lib/hx509/ks_p12.c
@@ -36,10 +36,12 @@
struct ks_pkcs12 {
hx509_certs certs;
char *fn;
+ unsigned int store_no_priv_keys;
};
typedef int (*collector_func)(hx509_context,
struct hx509_collector *,
+ int,
const void *, size_t,
const PKCS12_Attributes *);
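Review bot: The new `store_no_priv_keys` member of `struct ks_pkcs12` is neither set nor read in any hunk of this file; the store path carries its flags in `store_func_ctx.store_flags` and the parse path passes `flags` explicitly. If nothing outside the visible hunks uses it, drop the member; if it is used elsewhere, a one-line comment on the field saying what sets it and who reads it would keep the next reader from looking for dead state.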
@@ -49,8 +51,9 @@ struct type {
};
static void
-parse_pkcs12_type(hx509_context, struct hx509_collector *, const heim_oid *,
- const void *, size_t, const PKCS12_Attributes *);
+parse_pkcs12_type(hx509_context, struct hx509_collector *, int,
+ const heim_oid *, const void *, size_t,
+ const PKCS12_Attributes *);
static const PKCS12_Attribute *
@@ -68,6 +71,7 @@ find_attribute(const PKCS12_Attributes *attrs, const heim_oid *oid)
static int
keyBag_parser(hx509_context context,
struct hx509_collector *c,
+ int flags,
const void *data, size_t length,
const PKCS12_Attributes *attrs)
{
@@ -76,6 +80,9 @@ keyBag_parser(hx509_context context,
const heim_octet_string *os = NULL;
int ret;
+ if (flags & HX509_CERTS_NO_PRIVATE_KEYS)
+ return 0;
+
attr = find_attribute(attrs, &asn1_oid_id_pkcs_9_at_localKeyId);
if (attr)
os = &attr->attrValues;
@@ -84,19 +91,20 @@ keyBag_parser(hx509_context context,
if (ret)
return ret;
- _hx509_collector_private_key_add(context,
- c,
- &ki.privateKeyAlgorithm,
- NULL,
- &ki.privateKey,
- os);
+ ret = _hx509_collector_private_key_add(context,
+ c,
+ &ki.privateKeyAlgorithm,
+ NULL,
+ &ki.privateKey,
+ os);
free_PKCS8PrivateKeyInfo(&ki);
- return 0;
+ return ret;
}
static int
ShroudedKeyBag_parser(hx509_context context,
struct hx509_collector *c,
+ int flags,
const void *data, size_t length,
const PKCS12_Attributes *attrs)
{
@@ -119,7 +127,8 @@ ShroudedKeyBag_parser(hx509_context context,
if (ret)
return ret;
- ret = keyBag_parser(context, c, content.data, content.length, attrs);
+ ret = keyBag_parser(context, c, flags, content.data, content.length,
+ attrs);
der_free_octet_string(&content);
return ret;
}
@@ -127,6 +136,7 @@ ShroudedKeyBag_parser(hx509_context context,
static int
certBag_parser(hx509_context context,
struct hx509_collector *c,
+ int flags,
const void *data, size_t length,
const PKCS12_Attributes *attrs)
{
@@ -191,6 +201,7 @@ certBag_parser(hx509_context context,
static int
parse_safe_content(hx509_context context,
struct hx509_collector *c,
+ int flags,
const unsigned char *p, size_t len)
{
PKCS12_SafeContents sc;
@@ -206,6 +217,7 @@ parse_safe_content(hx509_context context,
for (i = 0; i < sc.len ; i++)
parse_pkcs12_type(context,
c,
+ flags,
&sc.val[i].bagId,
sc.val[i].bagValue.data,
sc.val[i].bagValue.length,
@@ -218,6 +230,7 @@ parse_safe_content(hx509_context context,
static int
safeContent_parser(hx509_context context,
struct hx509_collector *c,
+ int flags,
const void *data, size_t length,
const PKCS12_Attributes *attrs)
{
@@ -227,7 +240,7 @@ safeContent_parser(hx509_context context,
ret = decode_PKCS12_OctetString(data, length, &os, NULL);
if (ret)
return ret;
- ret = parse_safe_content(context, c, os.data, os.length);
+ ret = parse_safe_content(context, c, flags, os.data, os.length);
der_free_octet_string(&os);
return ret;
}
@@ -235,6 +248,7 @@ safeContent_parser(hx509_context context,
static int
encryptedData_parser(hx509_context context,
struct hx509_collector *c,
+ int flags,
const void *data, size_t length,
const PKCS12_Attributes *attrs)
{
@@ -253,7 +267,8 @@ encryptedData_parser(hx509_context context,
return ret;
if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkcs7_data) == 0)
- ret = parse_safe_content(context, c, content.data, content.length);
+ ret = parse_safe_content(context, c, flags,
+ content.data, content.length);
der_free_octet_string(&content);
der_free_oid(&contentType);
@@ -263,6 +278,7 @@ encryptedData_parser(hx509_context context,
static int
envelopedData_parser(hx509_context context,
struct hx509_collector *c,
+ int flags,
const void *data, size_t length,
const PKCS12_Attributes *attrs)
{
@@ -290,7 +306,8 @@ envelopedData_parser(hx509_context context,
}
if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkcs7_data) == 0)
- ret = parse_safe_content(context, c, content.data, content.length);
+ ret = parse_safe_content(context, c, flags,
+ content.data, content.length);
der_free_octet_string(&content);
der_free_oid(&contentType);
@@ -311,6 +328,7 @@ struct type bagtypes[] = {
static void
parse_pkcs12_type(hx509_context context,
struct hx509_collector *c,
+ int flags,
const heim_oid *oid,
const void *data, size_t length,
const PKCS12_Attributes *attrs)
@@ -319,7 +337,7 @@ parse_pkcs12_type(hx509_context context,
for (i = 0; i < sizeof(bagtypes)/sizeof(bagtypes[0]); i++)
if (der_heim_oid_cmp(bagtypes[i].oid, oid) == 0)
- (*bagtypes[i].func)(context, c, data, length, attrs);
+ (*bagtypes[i].func)(context, c, flags, data, length, attrs);
}
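Review bot: The return value of `(*bagtypes[i].func)(...)` is still discarded on this line, so the error that `keyBag_parser` now propagates from `_hx509_collector_private_key_add` (the `@@ -84,19 +91,20 @@` hunk) never reaches `p12_init`; `parse_pkcs12_type` is `static void` and its callers in `parse_safe_content` and `p12_init` cannot observe a failure. If per-bag failures are meant to be best-effort, say so with a comment on this loop, e.g. `/* Bag parse errors are deliberately ignored: one bad bag must not reject the whole PKCS#12 file */`; otherwise make the function `static int`, write `return (*bagtypes[i].func)(context, c, flags, data, length, attrs);` in the loop and `return 0;` after it, and check the result in both callers. The function's signature is in the preceding hunk and its callers are outside this one.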
static int
@@ -338,6 +356,12 @@ p12_init(hx509_context context,
*data = NULL;
+ if (residue == NULL || residue[0] == '\0') {
+ hx509_set_error_string(context, 0, EINVAL,
+ "PKCS#12 file not specified");
+ return EINVAL;
+ }
+
if (lock == NULL)
lock = _hx509_empty_lock;
@@ -423,6 +447,7 @@ p12_init(hx509_context context,
for (i = 0; i < as.len; i++)
parse_pkcs12_type(context,
c,
+ flags,
&as.val[i].contentType,
as.val[i].content->data,
as.val[i].content->length,
@@ -486,15 +511,28 @@ addBag(hx509_context context,
return 0;
}
-static int
-store_func(hx509_context context, void *ctx, hx509_cert c)
+struct store_func_ctx {
+ PKCS12_AuthenticatedSafe as;
+ int store_flags;
+};
+
+static int HX509_LIB_CALL
+store_func(hx509_context context, void *d, hx509_cert c)
{
- PKCS12_AuthenticatedSafe *as = ctx;
+ struct store_func_ctx *ctx = d;
PKCS12_OctetString os;
PKCS12_CertBag cb;
size_t size;
int ret;
+ if ((ctx->store_flags & HX509_CERTS_STORE_NO_ROOTS)) {
+ int is_root = 0;
+
+ ret = hx509_cert_is_root(context, c, &is_root);
+ if (ret || is_root)
+ return ret;
+ }
+
memset(&os, 0, sizeof(os));
memset(&cb, 0, sizeof(cb));
@@ -522,9 +560,11 @@ store_func(hx509_context context, void *ctx, hx509_cert c)
if (ret)
goto out;
- ret = addBag(context, as, &asn1_oid_id_pkcs12_certBag, os.data, os.length);
+ ret = addBag(context, &ctx->as, &asn1_oid_id_pkcs12_certBag, os.data,
+ os.length);
- if (_hx509_cert_private_key_exportable(c)) {
+ if (_hx509_cert_private_key_exportable(c) &&
+ !(ctx->store_flags & HX509_CERTS_STORE_NO_PRIVATE_KEYS)) {
hx509_private_key key = _hx509_cert_private_key(c);
PKCS8PrivateKeyInfo pki;
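Review bot: `ret` from the certBag `addBag()` call is not checked before the private-key branch is entered, where `ret` is overwritten by the following calls, so a failure to add the certificate bag can be masked by a successful key export; the end of `store_func` is outside this hunk, so I cannot confirm what is returned when the branch is not taken. The unchecked call predates the commit, but the line is rewritten here; add `if (ret) goto out;` directly after it, matching the `goto out` style used a few lines above rather than the bare `return ret;` used inside the key branch.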
@@ -555,7 +595,8 @@ store_func(hx509_context context, void *ctx, hx509_cert c)
if (ret)
return ret;
- ret = addBag(context, as, &asn1_oid_id_pkcs12_keyBag, os.data, os.length);
+ ret = addBag(context, &ctx->as, &asn1_oid_id_pkcs12_keyBag, os.data,
+ os.length);
if (ret)
return ret;
}
@@ -570,21 +611,22 @@ p12_store(hx509_context context,
{
struct ks_pkcs12 *p12 = data;
PKCS12_PFX pfx;
- PKCS12_AuthenticatedSafe as;
+ struct store_func_ctx ctx;
PKCS12_OctetString asdata;
size_t size;
int ret;
- memset(&as, 0, sizeof(as));
+ memset(&ctx, 0, sizeof(ctx));
memset(&pfx, 0, sizeof(pfx));
+ ctx.store_flags = flags;
- ret = hx509_certs_iter_f(context, p12->certs, store_func, &as);
+ ret = hx509_certs_iter_f(context, p12->certs, store_func, &ctx);
if (ret)
goto out;
ASN1_MALLOC_ENCODE(PKCS12_AuthenticatedSafe, asdata.data, asdata.length,
- &as, &size, ret);
- free_PKCS12_AuthenticatedSafe(&as);
+ &ctx.as, &size, ret);
+ free_PKCS12_AuthenticatedSafe(&ctx.as);
if (ret)
return ret;
@@ -636,7 +678,7 @@ p12_store(hx509_context context,
free(asdata.data);
out:
- free_PKCS12_AuthenticatedSafe(&as);
+ free_PKCS12_AuthenticatedSafe(&ctx.as);
free_PKCS12_PFX(&pfx);
return ret;
@@ -691,6 +733,13 @@ p12_iter_end(hx509_context context,
return hx509_certs_end_seq(context, p12->certs, cursor);
}
+static int
+p12_destroy(hx509_context context, hx509_certs certs, void *data)
+{
+ struct ks_pkcs12 *p12 = data;
+ return _hx509_erase_file(context, p12->fn);
+}
+
static struct hx509_keyset_ops keyset_pkcs12 = {
"PKCS12",
0,
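Review bot: `p12_destroy` has no comment, and a reader of the `keyset_pkcs12` ops table cannot tell that "destroy" here means erasing the backing file on disk via `_hx509_erase_file`, not merely releasing memory. Suggest a header comment such as `/* Destroy the store by erasing its backing PKCS#12 file (p12->fn) from disk. */`. The `certs` parameter is unused; its presence is dictated by the ops-table slot, so a `(void)certs;` or a short comment would keep -Wunused-parameter quiet.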
@@ -704,10 +753,11 @@ static struct hx509_keyset_ops keyset_pkcs12 = {
p12_iter_end,
NULL,
NULL,
- NULL
+ NULL,
+ p12_destroy
};
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_ks_pkcs12_register(hx509_context context)
{
_hx509_ks_register(context, &keyset_pkcs12);
diff --git a/lib/hx509/libhx509-exports.def b/lib/hx509/libhx509-exports.def
index f4417730158c..81783ff7c34c 100644
--- a/lib/hx509/libhx509-exports.def
+++ b/lib/hx509/libhx509-exports.def
@@ -1,6 +1,8 @@
EXPORTS
_hx509_cert_assign_key
+ _hx509_cert_get_keyusage
+ _hx509_cert_get_version
_hx509_cert_private_key
_hx509_certs_keys_free
_hx509_certs_keys_get
@@ -12,44 +14,92 @@ EXPORTS
_hx509_generate_private_key_free
_hx509_generate_private_key_init
_hx509_generate_private_key_is_ca
+ _hx509_get_cert
+ _hx509_ks_type
+ _hx509_make_pkinit_san
_hx509_map_file_os
_hx509_name_from_Name
+ _hx509_private_key_export
+ _hx509_private_key_exportable
+ _hx509_private_key_get_internal
+ _hx509_private_key_oid
+ _hx509_private_key_ref
hx509_private_key2SPKI
hx509_private_key_free
_hx509_private_key_ref
- _hx509_request_add_dns_name
- _hx509_request_add_email
+ hx509_request_add_GeneralName
+ hx509_request_add_dns_name
+ hx509_request_add_dns_srv
+ hx509_request_add_eku
+ hx509_request_add_email
+ hx509_request_add_ms_upn_name
+ hx509_request_add_pkinit
+ hx509_request_add_registered
+ hx509_request_add_xmpp_name
+ hx509_request_authorize_ku
+ hx509_request_authorize_eku
+ hx509_request_authorize_san
+ hx509_request_count_unsupported
+ hx509_request_count_unauthorized
+ _hx509_private_key_export
+ _hx509_private_key_exportable
+ _hx509_private_key_get_internal
+ _hx509_private_key_oid
+ _hx509_private_key_ref
+ hx509_request_eku_authorized_p
hx509_request_free
+ hx509_request_get_eku
+ hx509_request_get_exts
+ hx509_request_get_ku
+ hx509_request_get_name
+ hx509_request_get_san
hx509_request_get_SubjectPublicKeyInfo
hx509_request_get_name
hx509_request_init
- _hx509_request_parse
- _hx509_request_print
+ hx509_request_parse
+ hx509_request_parse_der
+ hx509_request_print
hx509_request_set_SubjectPublicKeyInfo
-; _hx509_request_set_email
+ hx509_request_add_email
+ hx509_request_reject_eku
+ hx509_request_reject_san
hx509_request_set_name
- _hx509_request_to_pkcs10
- _hx509_request_to_pkcs10
+ hx509_request_set_ku
+ hx509_request_san_authorized_p
+ hx509_request_to_pkcs10
_hx509_unmap_file_os
_hx509_write_file
hx509_bitstring_print
+ _hx509_ca_issue_certificate
hx509_ca_sign
hx509_ca_sign_self
hx509_ca_tbs_add_crl_dp_uri
hx509_ca_tbs_add_eku
+ hx509_ca_tbs_add_ku
+ hx509_ca_tbs_add_pol
+ hx509_ca_tbs_add_pol_mapping
+ hx509_ca_tbs_add_san
+ hx509_ca_tbs_add_san_dnssrv
+ hx509_ca_tbs_add_san_hardwareModuleName
+ hx509_ca_tbs_add_san_hardwareModuleName_string
hx509_ca_tbs_add_san_hostname
hx509_ca_tbs_add_san_jid
hx509_ca_tbs_add_san_ms_upn
hx509_ca_tbs_add_san_otherName
+ hx509_ca_tbs_add_san_permanentIdentifier
+ hx509_ca_tbs_add_san_permanentIdentifier_string
hx509_ca_tbs_add_san_pkinit
hx509_ca_tbs_add_san_rfc822name
hx509_ca_tbs_free
+ hx509_ca_tbs_get_name
hx509_ca_tbs_init
hx509_ca_tbs_set_ca
hx509_ca_tbs_set_domaincontroller
+ hx509_ca_tbs_set_from_csr
hx509_ca_tbs_set_notAfter
hx509_ca_tbs_set_notAfter_lifetime
hx509_ca_tbs_set_notBefore
+ hx509_ca_tbs_set_pkinit_max_life
hx509_ca_tbs_set_proxy
hx509_ca_tbs_set_serialnumber
hx509_ca_tbs_set_signature_algorithm
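Review bot: Several symbols are listed twice in this hunk: `_hx509_private_key_export`, `_hx509_private_key_exportable`, `_hx509_private_key_get_internal`, `_hx509_private_key_oid` and `_hx509_private_key_ref` appear in both added blocks (and `_hx509_private_key_ref` a third time as an existing line), `hx509_request_add_email` is added twice, and `hx509_request_get_name` is added although it is already present a few lines below. Duplicate EXPORTS entries are at best a linker warning and make the list hard to audit; delete the second copies and keep the block sorted so duplicates can be spotted by eye.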
@@ -73,15 +123,23 @@ EXPORTS
hx509_cert_get_issuer
hx509_cert_get_notAfter
hx509_cert_get_notBefore
+ hx509_cert_get_pkinit_max_life
hx509_cert_get_serialnumber
hx509_cert_get_subject
+ hx509_cert_have_private_key
+ hx509_cert_have_private_key_only
hx509_cert_init
hx509_cert_init_data
+ hx509_cert_init_private_key
+ hx509_cert_is_ca
+ hx509_cert_is_root
+ hx509_cert_is_self_signed
hx509_cert_keyusage_print
hx509_cert_ref
hx509_cert_set_friendly_name
hx509_certs_add
hx509_certs_append
+ hx509_certs_destroy
hx509_certs_end_seq
hx509_certs_ref
hx509_certs_filter
@@ -104,6 +162,7 @@ EXPORTS
hx509_cms_unenvelope
hx509_cms_unwrap_ContentInfo
hx509_cms_verify_signed
+ hx509_cms_verify_signed_ext
hx509_cms_wrap_ContentInfo
hx509_context_free
hx509_context_init
@@ -132,6 +191,7 @@ EXPORTS
hx509_crypto_set_padding
hx509_crypto_set_params
hx509_crypto_set_random_key
+ hx509_empty_name
hx509_env_add
hx509_env_add_binding
hx509_env_find
@@ -144,6 +204,7 @@ EXPORTS
hx509_free_octet_string_list
hx509_general_name_unparse
hx509_get_error_string
+ hx509_get_instance
hx509_get_one_cert
hx509_lock_add_cert
hx509_lock_add_certs
@@ -170,6 +231,7 @@ EXPORTS
hx509_oid_print
hx509_oid_sprint
hx509_parse_name
+ hx509_parse_private_key
hx509_peer_info_add_cms_alg
hx509_peer_info_alloc
hx509_peer_info_free
diff --git a/lib/hx509/lock.c b/lib/hx509/lock.c
index 52f72dba1b71..7f767d2362a6 100644
--- a/lib/hx509/lock.c
+++ b/lib/hx509/lock.c
@@ -59,7 +59,7 @@ hx509_lock _hx509_empty_lock = &empty_lock_data;
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_lock_init(hx509_context context, hx509_lock *lock)
{
hx509_lock l;
@@ -86,7 +86,7 @@ hx509_lock_init(hx509_context context, hx509_lock *lock)
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_lock_add_password(hx509_lock lock, const char *password)
{
void *d;
@@ -109,19 +109,19 @@ hx509_lock_add_password(hx509_lock lock, const char *password)
return 0;
}
-const struct _hx509_password *
+HX509_LIB_FUNCTION const struct _hx509_password * HX509_LIB_CALL
_hx509_lock_get_passwords(hx509_lock lock)
{
return &lock->password;
}
-hx509_certs
+HX509_LIB_FUNCTION hx509_certs HX509_LIB_CALL
_hx509_lock_unlock_certs(hx509_lock lock)
{
return lock->certs;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_lock_reset_passwords(hx509_lock lock)
{
size_t i;
@@ -132,19 +132,19 @@ hx509_lock_reset_passwords(hx509_lock lock)
lock->password.len = 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_lock_add_cert(hx509_context context, hx509_lock lock, hx509_cert cert)
{
return hx509_certs_add(context, lock->certs, cert);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_lock_add_certs(hx509_context context, hx509_lock lock, hx509_certs certs)
{
return hx509_certs_merge(context, lock->certs, certs);
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_lock_reset_certs(hx509_context context, hx509_lock lock)
{
hx509_certs certs = lock->certs;
@@ -161,14 +161,14 @@ hx509_lock_reset_certs(hx509_context context, hx509_lock lock)
lock->certs = certs;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_lock_find_cert(hx509_lock lock, const hx509_query *q, hx509_cert *c)
{
*c = NULL;
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_lock_set_prompter(hx509_lock lock, hx509_prompter_fct prompt, void *data)
{
lock->prompt = prompt;
@@ -176,7 +176,7 @@ hx509_lock_set_prompter(hx509_lock lock, hx509_prompter_fct prompt, void *data)
return 0;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_lock_reset_promper(hx509_lock lock)
{
lock->prompt = NULL;
@@ -206,7 +206,7 @@ default_prompter(void *data, const hx509_prompt *prompter)
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_lock_prompt(hx509_lock lock, hx509_prompt *prompt)
{
if (lock->prompt == NULL)
@@ -214,7 +214,7 @@ hx509_lock_prompt(hx509_lock lock, hx509_prompt *prompt)
return (*lock->prompt)(lock->prompt_data, prompt);
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_lock_free(hx509_lock lock)
{
if (lock) {
@@ -225,7 +225,7 @@ hx509_lock_free(hx509_lock lock)
}
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_prompt_hidden(hx509_prompt_type type)
{
/* default to hidden if unknown */
@@ -239,7 +239,7 @@ hx509_prompt_hidden(hx509_prompt_type type)
}
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_lock_command_string(hx509_lock lock, const char *string)
{
if (strncasecmp(string, "PASS:", 5) == 0) {
diff --git a/lib/hx509/name.c b/lib/hx509/name.c
index 5cb344b6c161..7d67716b953a 100644
--- a/lib/hx509/name.c
+++ b/lib/hx509/name.c
@@ -64,19 +64,44 @@
static const struct {
const char *n;
const heim_oid *o;
+ int type_choice; /* Preference for DirectoryString choice; 0 -> no pref */
wind_profile_flags flags;
+ /*
+ * RFC52380 imposes maximum lengths for some strings in Names. These are
+ * ASN.1 size limits. We should implement these in our copy of the PKIX
+ * ASN.1 module. For now we treat them as maximum byte counts rather than
+ * maximum character counts, and we encode and enforce them here.
+ *
+ * 0 -> no max
+ *
+ * Some of these attributes aren't of type DirectoryString, so our
+ * type_choice isn't really correct. We're not really set up for
+ * attributes whose types aren't DirectoryString or one of its choice arms'
+ * type, much less are we set up for non-string attribute value types.
+ */
+ size_t max_bytes;
} no[] = {
- { "C", &asn1_oid_id_at_countryName, 0 },
- { "CN", &asn1_oid_id_at_commonName, 0 },
- { "DC", &asn1_oid_id_domainComponent, 0 },
- { "L", &asn1_oid_id_at_localityName, 0 },
- { "O", &asn1_oid_id_at_organizationName, 0 },
- { "OU", &asn1_oid_id_at_organizationalUnitName, 0 },
- { "S", &asn1_oid_id_at_stateOrProvinceName, 0 },
- { "STREET", &asn1_oid_id_at_streetAddress, 0 },
- { "UID", &asn1_oid_id_Userid, 0 },
- { "emailAddress", &asn1_oid_id_pkcs9_emailAddress, 0 },
- { "serialNumber", &asn1_oid_id_at_serialNumber, 0 }
+ { "C", &asn1_oid_id_at_countryName,
+ choice_DirectoryString_printableString, 0, 2 },
+ { "CN", &asn1_oid_id_at_commonName, 0, 0, ub_common_name },
+ { "DC", &asn1_oid_id_domainComponent, choice_DirectoryString_ia5String,
+ 0, 63 }, /* DNS label */
+ { "L", &asn1_oid_id_at_localityName, 0, 0, ub_locality_name },
+ { "O", &asn1_oid_id_at_organizationName, 0, 0, ub_organization_name },
+ { "OU", &asn1_oid_id_at_organizationalUnitName, 0, 0,
+ ub_organizational_unit_name },
+ { "S", &asn1_oid_id_at_stateOrProvinceName, 0, 0, ub_state_name },
+ { "STREET", &asn1_oid_id_at_streetAddress, 0, 0, 0 }, /* ENOTSUP */
+ { "UID", &asn1_oid_id_Userid, 0, 0, ub_numeric_user_id_length },
+ { "emailAddress", &asn1_oid_id_pkcs9_emailAddress,
+ choice_DirectoryString_ia5String, 0, ub_emailaddress_length },
+ /* This is for DevID certificates and maybe others */
+ { "serialNumber", &asn1_oid_id_at_serialNumber, 0, 0, ub_serial_number },
+ /* These are for TPM 2.0 Endorsement Key Certificates (EKCerts) */
+ { "TPMManufacturer", &asn1_oid_tcg_at_tpmManufacturer, 0, 0,
+ ub_emailaddress_length },
+ { "TPMModel", &asn1_oid_tcg_at_tpmModel, 0, 0, ub_emailaddress_length },
+ { "TPMVersion", &asn1_oid_tcg_at_tpmVersion, 0, 0, ub_emailaddress_length },
};
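Review bot: The new comment in the table header reads `RFC52380`; the upper bounds it refers to (`ub_common_name`, `ub_locality_name`, …) come from RFC 5280 Appendix A, so it should read `RFC 5280`. The comment also says the bounds are enforced as byte counts rather than character counts, which is stricter than the ASN.1 limits for non-ASCII UTF-8 values; it is worth stating explicitly that multi-byte names may therefore be rejected before they reach the standard's character limit, so that nobody later "fixes" the byte comparison without understanding the trade-off.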
static char *
@@ -142,20 +167,38 @@ append_string(char **str, size_t *total_len, const char *ss,
}
static char *
-oidtostring(const heim_oid *type)
+oidtostring(const heim_oid *type, int *type_choice)
{
char *s;
size_t i;
+ if (type_choice)
+ *type_choice = choice_DirectoryString_utf8String;
+
for (i = 0; i < sizeof(no)/sizeof(no[0]); i++) {
- if (der_heim_oid_cmp(no[i].o, type) == 0)
+ if (der_heim_oid_cmp(no[i].o, type) == 0) {
+ if (type_choice && no[i].type_choice)
+ *type_choice = no[i].type_choice;
return strdup(no[i].n);
+ }
}
if (der_print_heim_oid(type, '.', &s) != 0)
return NULL;
return s;
}
+static size_t
+oidtomaxlen(const heim_oid *type)
+{
+ size_t i;
+
+ for (i = 0; i < sizeof(no)/sizeof(no[0]); i++) {
+ if (der_heim_oid_cmp(no[i].o, type) == 0)
+ return no[i].max_bytes;
+ }
+ return 0;
+}
+
static int
stringtooid(const char *name, size_t len, heim_oid *oid)
{
@@ -191,13 +234,13 @@ stringtooid(const char *name, size_t len, heim_oid *oid)
* @ingroup hx509_name
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_name_to_string(const hx509_name name, char **str)
{
return _hx509_Name_to_string(&name->der_name, str);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_Name_to_string(const Name *n, char **str)
{
size_t total_len = 0;
@@ -217,7 +260,7 @@ _hx509_Name_to_string(const Name *n, char **str)
char *oidname;
char *ss;
- oidname = oidtostring(&n->u.rdnSequence.val[i].val[j].type);
+ oidname = oidtostring(&n->u.rdnSequence.val[i].val[j].type, NULL);
switch(ds->element) {
case choice_DirectoryString_ia5String:
@@ -315,29 +358,29 @@ _hx509_Name_to_string(const Name *n, char **str)
return 0;
}
-#define COPYCHARARRAY(_ds,_el,_l,_n) \
- (_l) = strlen(_ds->u._el); \
- (_n) = malloc((_l) * sizeof((_n)[0])); \
- if ((_n) == NULL) \
- return ENOMEM; \
- for (i = 0; i < (_l); i++) \
+#define COPYCHARARRAY(_ds,_el,_l,_n) \
+ (_l) = strlen(_ds->u._el); \
+ (_n) = malloc((_l + 1) * sizeof((_n)[0])); \
+ if ((_n) == NULL) \
+ return ENOMEM; \
+ for (i = 0; i < (_l); i++) \
(_n)[i] = _ds->u._el[i]
-#define COPYVALARRAY(_ds,_el,_l,_n) \
- (_l) = _ds->u._el.length; \
- (_n) = malloc((_l) * sizeof((_n)[0])); \
- if ((_n) == NULL) \
- return ENOMEM; \
- for (i = 0; i < (_l); i++) \
+#define COPYVALARRAY(_ds,_el,_l,_n) \
+ (_l) = _ds->u._el.length; \
+ (_n) = malloc((_l + 1) * sizeof((_n)[0])); \
+ if ((_n) == NULL) \
+ return ENOMEM; \
+ for (i = 0; i < (_l); i++) \
(_n)[i] = _ds->u._el.data[i]
-#define COPYVOIDARRAY(_ds,_el,_l,_n) \
- (_l) = _ds->u._el.length; \
- (_n) = malloc((_l) * sizeof((_n)[0])); \
- if ((_n) == NULL) \
- return ENOMEM; \
- for (i = 0; i < (_l); i++) \
+#define COPYVOIDARRAY(_ds,_el,_l,_n) \
+ (_l) = _ds->u._el.length; \
+ (_n) = malloc((_l + 1) * sizeof((_n)[0])); \
+ if ((_n) == NULL) \
+ return ENOMEM; \
+ for (i = 0; i < (_l); i++) \
(_n)[i] = ((unsigned char *)_ds->u._el.data)[i]
@@ -347,7 +390,7 @@ dsstringprep(const DirectoryString *ds, uint32_t **rname, size_t *rlen)
{
wind_profile_flags flags;
size_t i, len;
- int ret;
+ int ret = 0;
uint32_t *name;
*rname = NULL;
@@ -380,7 +423,7 @@ dsstringprep(const DirectoryString *ds, uint32_t **rname, size_t *rlen)
ret = wind_utf8ucs4_length(ds->u.utf8String, &len);
if (ret)
return ret;
- name = malloc(len * sizeof(name[0]));
+ name = malloc((len + 1) * sizeof(name[0]));
if (name == NULL)
return ENOMEM;
ret = wind_utf8ucs4(ds->u.utf8String, name, &len);
@@ -397,7 +440,10 @@ dsstringprep(const DirectoryString *ds, uint32_t **rname, size_t *rlen)
/* try a couple of times to get the length right, XXX gross */
for (i = 0; i < 4; i++) {
*rlen = *rlen * 2;
- *rname = malloc(*rlen * sizeof((*rname)[0]));
+ if ((*rname = malloc((rlen[0] + 1) * sizeof((*rname)[0]))) == NULL) {
+ ret = ENOMEM;
+ break;
+ }
ret = wind_stringprep(name, len, *rname, rlen, flags);
if (ret == WIND_ERR_OVERRUN) {
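Review bot: The new `break` on malloc failure leaves the retry loop with `ret = ENOMEM`, but what follows the loop is outside this hunk; if the post-loop code still falls through to the `return 0;` seen in the next hunk, the ENOMEM is lost and the caller receives success with `*rname == NULL`. Please confirm the path after the loop returns `ret` and frees `name` (the UCS-4 buffer allocated earlier in `dsstringprep`) when `ret` is non-zero. The function starts and ends outside the hunk.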
@@ -419,7 +465,7 @@ dsstringprep(const DirectoryString *ds, uint32_t **rname, size_t *rlen)
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_name_ds_cmp(const DirectoryString *ds1,
const DirectoryString *ds2,
int *diff)
@@ -452,7 +498,7 @@ _hx509_name_ds_cmp(const DirectoryString *ds1,
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_name_cmp(const Name *n1, const Name *n2, int *c)
{
int ret;
@@ -498,7 +544,7 @@ _hx509_name_cmp(const Name *n1, const Name *n2, int *c)
* @ingroup hx509_name
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_name_cmp(hx509_name n1, hx509_name n2)
{
int ret, diff;
@@ -509,7 +555,7 @@ hx509_name_cmp(hx509_name n1, hx509_name n2)
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_name_from_Name(const Name *n, hx509_name *name)
{
int ret;
@@ -524,49 +570,129 @@ _hx509_name_from_Name(const Name *n, hx509_name *name)
return ret;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_name_modify(hx509_context context,
Name *name,
int append,
const heim_oid *oid,
const char *str)
{
- RelativeDistinguishedName *rdn;
+ RelativeDistinguishedName rdn;
+ size_t max_len = oidtomaxlen(oid);
+ char *s = NULL;
+ int type_choice = choice_DirectoryString_printableString;
int ret;
- void *ptr;
- ptr = realloc(name->u.rdnSequence.val,
- sizeof(name->u.rdnSequence.val[0]) *
- (name->u.rdnSequence.len + 1));
- if (ptr == NULL) {
+ /*
+ * Check string length upper bounds.
+ *
+ * Because we don't have these bounds in our copy of the PKIX ASN.1 module,
+ * and because we might like to catch these early anyways, we enforce them
+ * here.
+ */
+ if (max_len && strlen(str) > max_len) {
+ char *a = oidtostring(oid, &type_choice);
+
+ ret = HX509_PARSING_NAME_FAILED;
+ hx509_set_error_string(context, 0, ret, "RDN attribute %s value too "
+ "long (max %llu): %s", a ? a : "<unknown>",
+ max_len, str);
+ free(a);
+ return ret;
+ }
+
+ memset(&rdn, 0, sizeof(rdn));
+ if ((rdn.val = malloc(sizeof(rdn.val[0]))) == NULL) {
hx509_set_error_string(context, 0, ENOMEM, "Out of memory");
return ENOMEM;
}
- name->u.rdnSequence.val = ptr;
-
- if (append) {
- rdn = &name->u.rdnSequence.val[name->u.rdnSequence.len];
- } else {
- memmove(&name->u.rdnSequence.val[1],
- &name->u.rdnSequence.val[0],
- name->u.rdnSequence.len *
- sizeof(name->u.rdnSequence.val[0]));
+ rdn.len = 1;
+
+ /*
+ * How best to pick a type for this attribute value?
+ *
+ * Options:
+ *
+ * 1) the API deals only in UTF-8, let the callers convert to/from UTF-8
+ * and whatever the current locale wants
+ *
+ * 2) use the best type for the codeset of the current locale.
+ *
+ * We choose (1).
+ *
+ * However, for some cases we really should prefer other types when the
+ * input string is all printable ASCII.
+ */
+ rdn.val[0].value.element = type_choice;
+ if ((s = strdup(str)) == NULL ||
+ der_copy_oid(oid, &rdn.val[0].type)) {
+ free(rdn.val);
+ free(s);
+ return hx509_enomem(context);
+ }
+ switch (rdn.val[0].value.element) {
+ /* C strings: */
+ case choice_DirectoryString_utf8String:
+ rdn.val[0].value.u.utf8String = s;
+ break;
+ case choice_DirectoryString_teletexString:
+ rdn.val[0].value.u.teletexString = s;
+ break;
- rdn = &name->u.rdnSequence.val[0];
+ /* Length and pointer */
+ case choice_DirectoryString_ia5String:
+ rdn.val[0].value.u.ia5String.data = s;
+ rdn.val[0].value.u.ia5String.length = strlen(s);
+ break;
+ case choice_DirectoryString_printableString:
+ rdn.val[0].value.u.printableString.data = s;
+ rdn.val[0].value.u.printableString.length = strlen(s);
+ break;
+ case choice_DirectoryString_universalString:
+ free(s);
+ free(rdn.val);
+ hx509_set_error_string(context, 0, ENOTSUP, "UniversalString not supported");
+ return ENOTSUP;
+ case choice_DirectoryString_bmpString:
+ free(s);
+ free(rdn.val);
+ hx509_set_error_string(context, 0, ENOTSUP, "BMPString not supported");
+ return ENOTSUP;
+ default:
+ free(s);
+ free(rdn.val);
+ hx509_set_error_string(context, 0, ENOTSUP,
+ "Internal error; unknown DirectoryString choice");
+ return ENOTSUP;
}
- rdn->val = malloc(sizeof(rdn->val[0]));
- if (rdn->val == NULL)
- return ENOMEM;
- rdn->len = 1;
- ret = der_copy_oid(oid, &rdn->val[0].type);
- if (ret)
- return ret;
- rdn->val[0].value.element = choice_DirectoryString_utf8String;
- rdn->val[0].value.u.utf8String = strdup(str);
- if (rdn->val[0].value.u.utf8String == NULL)
- return ENOMEM;
- name->u.rdnSequence.len += 1;
+ /* Append RDN. If the caller wanted to prepend instead, we'll rotate. */
+ ret = add_RDNSequence(&name->u.rdnSequence, &rdn);
+ free_RelativeDistinguishedName(&rdn);
+
+ if (ret || append || name->u.rdnSequence.len < 2)
+ return ret;
+
+ /* Rotate */
+ rdn = name->u.rdnSequence.val[name->u.rdnSequence.len - 1];
+ memmove(&name->u.rdnSequence.val[1],
+ &name->u.rdnSequence.val[0],
+ (name->u.rdnSequence.len - 1) *
+ sizeof(name->u.rdnSequence.val[0]));
+ name->u.rdnSequence.val[0] = rdn;
+ return 0;
+}
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_empty_name(hx509_context context, hx509_name *name)
+{
+ if ((*name = calloc(1, sizeof(**name))) == NULL) {
+ hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+ return ENOMEM;
+ }
+ (*name)->der_name.element = choice_Name_rdnSequence;
+ (*name)->der_name.u.rdnSequence.val = 0;
+ (*name)->der_name.u.rdnSequence.len = 0;
return 0;
}
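Review bot: `type_choice` is initialised to `choice_DirectoryString_printableString` and only updated inside the too-long error branch, so on the success path the table's preference (`no[].type_choice`, e.g. ia5String for `DC` and `emailAddress`, and the utf8String default that `oidtostring()` applies) is never consulted and every attribute value built by `_hx509_name_modify` is encoded as PrintableString. That contradicts the comment below that says the API deals in UTF-8, and PrintableString cannot carry `@` or any non-ASCII character, so an emailAddress or a non-ASCII CN produced here gets a DirectoryString choice whose contents are invalid for that type. Add a lookup that mirrors `oidtomaxlen()` and use it to initialise `type_choice`; the rewritten lines are below. Minor: `max_len` is a `size_t` printed with `%llu`; use `%zu` or cast to `unsigned long long`.
```c
/* Table-preferred DirectoryString choice for an attribute type; utf8String if none. */
static int
oidtotypechoice(const heim_oid *type)
{
    size_t i;

    for (i = 0; i < sizeof(no)/sizeof(no[0]); i++) {
        if (der_heim_oid_cmp(no[i].o, type) == 0 && no[i].type_choice)
            return no[i].type_choice;
    }
    return choice_DirectoryString_utf8String;
}

/* … in _hx509_name_modify(): */
    int type_choice = oidtotypechoice(oid);
    /* … unchanged: length check, RDN allocation, switch on rdn.val[0].value.element … */
```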
@@ -582,7 +708,7 @@ _hx509_name_modify(hx509_context context,
* @ingroup hx509_name
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_parse_name(hx509_context context, const char *str, hx509_name *name)
{
const char *p, *q;
@@ -686,7 +812,7 @@ out:
* @ingroup hx509_name
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_name_copy(hx509_context context, const hx509_name from, hx509_name *to)
{
int ret;
@@ -714,13 +840,13 @@ hx509_name_copy(hx509_context context, const hx509_name from, hx509_name *to)
* @ingroup hx509_name
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_name_to_Name(const hx509_name from, Name *to)
{
return copy_Name(&from->der_name, to);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_name_normalize(hx509_context context, hx509_name name)
{
return 0;
@@ -739,13 +865,14 @@ hx509_name_normalize(hx509_context context, hx509_name name)
* @ingroup hx509_name
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_name_expand(hx509_context context,
hx509_name name,
hx509_env env)
{
Name *n = &name->der_name;
size_t i, j;
+ int bounds_check = 1;
if (env == NULL)
return 0;
@@ -768,23 +895,49 @@ hx509_name_expand(hx509_context context,
free normalized utf8 string
*/
DirectoryString *ds = &n->u.rdnSequence.val[i].val[j].value;
+ heim_oid *type = &n->u.rdnSequence.val[i].val[j].type;
+ const char *sval = NULL;
char *p, *p2;
+ char *s = NULL;
struct rk_strpool *strpool = NULL;
- if (ds->element != choice_DirectoryString_utf8String) {
- hx509_set_error_string(context, 0, EINVAL, "unsupported type");
- return EINVAL;
- }
- p = strstr(ds->u.utf8String, "${");
+ switch (ds->element) {
+ case choice_DirectoryString_utf8String:
+ sval = ds->u.utf8String;
+ break;
+ case choice_DirectoryString_teletexString:
+ sval = ds->u.utf8String;
+ break;
+ case choice_DirectoryString_ia5String:
+ s = strndup(ds->u.ia5String.data,
+ ds->u.ia5String.length);
+ break;
+ case choice_DirectoryString_printableString:
+ s = strndup(ds->u.printableString.data,
+ ds->u.printableString.length);
+ break;
+ case choice_DirectoryString_universalString:
+ hx509_set_error_string(context, 0, ENOTSUP, "UniversalString not supported");
+ return ENOTSUP;
+ case choice_DirectoryString_bmpString:
+ hx509_set_error_string(context, 0, ENOTSUP, "BMPString not supported");
+ return ENOTSUP;
+ }
+ if (sval == NULL && s == NULL)
+ return hx509_enomem(context);
+ if (s)
+ sval = s;
+
+ p = strstr(sval, "${");
if (p) {
- strpool = rk_strpoolprintf(strpool, "%.*s",
- (int)(p - ds->u.utf8String),
- ds->u.utf8String);
+ strpool = rk_strpoolprintf(strpool, "%.*s", (int)(p - sval), sval);
if (strpool == NULL) {
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+ free(s);
return ENOMEM;
}
}
+
while (p != NULL) {
/* expand variables */
const char *value;
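Review bot: The `teletexString` arm of the new switch reads `ds->u.utf8String` instead of `ds->u.teletexString`; both are `char *` members of the same union so it happens to work, but it is misleading and inconsistent with the store-back switch later in this function, which uses `ds->u.teletexString`. The switch also has no `default:` arm, so an unexpected `ds->element` leaves both `sval` and `s` NULL and the following `if (sval == NULL && s == NULL)` reports it as out-of-memory; add `default: hx509_set_error_string(context, 0, ENOTSUP, "unknown DirectoryString choice"); return ENOTSUP;` so the ENOMEM check only covers the two `strndup()` arms. `hx509_name_expand` continues outside the hunk.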
@@ -792,6 +945,7 @@ hx509_name_expand(hx509_context context,
if (p2 == NULL) {
hx509_set_error_string(context, 0, EINVAL, "missing }");
rk_strpoolfree(strpool);
+ free(s);
return EINVAL;
}
p += 2;
@@ -801,11 +955,13 @@ hx509_name_expand(hx509_context context,
"variable %.*s missing",
(int)(p2 - p), p);
rk_strpoolfree(strpool);
+ free(s);
return EINVAL;
}
strpool = rk_strpoolprintf(strpool, "%s", value);
if (strpool == NULL) {
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+ free(s);
return ENOMEM;
}
p2++;
@@ -818,19 +974,60 @@ hx509_name_expand(hx509_context context,
strpool = rk_strpoolprintf(strpool, "%s", p2);
if (strpool == NULL) {
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+ free(s);
return ENOMEM;
}
}
+
+ free(s);
+ s = NULL;
+
if (strpool) {
- free(ds->u.utf8String);
- ds->u.utf8String = rk_strpoolcollect(strpool);
- if (ds->u.utf8String == NULL) {
- hx509_set_error_string(context, 0, ENOMEM, "out of memory");
- return ENOMEM;
- }
+ size_t max_bytes;
+
+ if ((s = rk_strpoolcollect(strpool)) == NULL) {
+ hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+ return ENOMEM;
+ }
+
+ /* Check upper bounds! */
+ if ((max_bytes = oidtomaxlen(type)) && strlen(s) > max_bytes)
+ bounds_check = 0;
+
+ switch (ds->element) {
+ /* C strings: */
+ case choice_DirectoryString_utf8String:
+ free(ds->u.utf8String);
+ ds->u.utf8String = s;
+ break;
+ case choice_DirectoryString_teletexString:
+ free(ds->u.teletexString);
+ ds->u.teletexString = s;
+ break;
+
+ /* Length and pointer */
+ case choice_DirectoryString_ia5String:
+ free(ds->u.ia5String.data);
+ ds->u.ia5String.data = s;
+ ds->u.ia5String.length = strlen(s);
+ break;
+ case choice_DirectoryString_printableString:
+ free(ds->u.printableString.data);
+ ds->u.printableString.data = s;
+ ds->u.printableString.length = strlen(s);
+ break;
+ default:
+ break; /* Handled above */
+ }
}
}
}
+
+ if (!bounds_check) {
+ hx509_set_error_string(context, 0, HX509_PARSING_NAME_FAILED,
+ "some expanded RDNs are too long");
+ return HX509_PARSING_NAME_FAILED;
+ }
return 0;
}
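Review bot: When an expanded value exceeds `oidtomaxlen(type)` the code clears `bounds_check` but still stores the over-long string into `ds` and keeps iterating, so by the time `HX509_PARSING_NAME_FAILED` is returned the caller's `hx509_name` has already been rewritten with values the bound check rejects. Either return as soon as a bound is violated (freeing `s`), or document the in-place modification, e.g. `/* NOTE: on error the name may already hold expanded (and over-long) values; callers must discard it */` on the function's doc comment. The beginning of `hx509_name_expand` is outside this hunk.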
@@ -842,7 +1039,7 @@ hx509_name_expand(hx509_context context,
* @ingroup hx509_name
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_name_free(hx509_name *name)
{
free_Name(&(*name)->der_name);
@@ -863,7 +1060,7 @@ hx509_name_free(hx509_name *name)
* @ingroup hx509_name
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_unparse_der_name(const void *data, size_t length, char **str)
{
Name name;
@@ -891,7 +1088,7 @@ hx509_unparse_der_name(const void *data, size_t length, char **str)
* @ingroup hx509_name
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_name_binary(const hx509_name name, heim_octet_string *os)
{
size_t size;
@@ -906,7 +1103,7 @@ hx509_name_binary(const hx509_name name, heim_octet_string *os)
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_unparse_Name(const Name *aname, char **str)
{
hx509_name name;
@@ -922,7 +1119,7 @@ _hx509_unparse_Name(const Name *aname, char **str)
}
/**
- * Unparse the hx509 name in name into a string.
+ * Check if a name is empty.
*
* @param name the name to check if its empty/null.
*
@@ -931,12 +1128,259 @@ _hx509_unparse_Name(const Name *aname, char **str)
* @ingroup hx509_name
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_name_is_null_p(const hx509_name name)
{
- return name->der_name.u.rdnSequence.len == 0;
+ return name->der_name.element == choice_Name_rdnSequence &&
+ name->der_name.u.rdnSequence.len == 0;
}
+int
+_hx509_unparse_PermanentIdentifier(hx509_context context,
+ struct rk_strpool **strpool,
+ heim_any *value)
+{
+ PermanentIdentifier pi;
+ size_t len;
+ const char *pid = "";
+ char *s = NULL;
+ int ret;
+
+ ret = decode_PermanentIdentifier(value->data, value->length, &pi, &len);
+ if (ret == 0 && pi.assigner &&
+ der_print_heim_oid(pi.assigner, '.', &s) != 0)
+ ret = hx509_enomem(context);
+ if (pi.identifierValue && *pi.identifierValue)
+ pid = *pi.identifierValue;
+ if (ret == 0 &&
+ (*strpool = rk_strpoolprintf(*strpool, "%s:%s", s ? s : "", pid)) == NULL)
+ ret = hx509_enomem(context);
+ free_PermanentIdentifier(&pi);
+ free(s);
+ if (ret) {
+ rk_strpoolfree(*strpool);
+ *strpool = rk_strpoolprintf(NULL,
+ "<error-decoding-PermanentIdentifier");
+ hx509_set_error_string(context, 0, ret,
+ "Failed to decode PermanentIdentifier");
+ }
+ return ret;
+}
+
+int
+_hx509_unparse_HardwareModuleName(hx509_context context,
+ struct rk_strpool **strpool,
+ heim_any *value)
+{
+ HardwareModuleName hm;
+ size_t len;
+ char *s = NULL;
+ int ret;
+
+ ret = decode_HardwareModuleName(value->data, value->length, &hm, &len);
+ if (ret == 0 && hm.hwSerialNum.length > 256)
+ hm.hwSerialNum.length = 256;
+ if (ret == 0)
+ ret = der_print_heim_oid(&hm.hwType, '.', &s);
+ if (ret == 0) {
+ *strpool = rk_strpoolprintf(*strpool, "%s:%.*s%s", s,
+ (int)hm.hwSerialNum.length,
+ (char *)hm.hwSerialNum.data,
+ value->length == len ? "" : ", <garbage>");
+ if (*strpool == NULL)
+ ret = hx509_enomem(context);
+ }
+ free_HardwareModuleName(&hm);
+ free(s);
+ if (ret) {
+ rk_strpoolfree(*strpool);
+ *strpool = rk_strpoolprintf(NULL,
+ "<error-decoding-HardwareModuleName");
+ hx509_set_error_string(context, 0, ret,
+ "Failed to decode HardwareModuleName");
+ }
+ return ret;
+}
+
+/*
+ * This necessarily duplicates code from libkrb5, and has to unless we move
+ * common code here or to lib/roken for it. We do have slightly different
+ * needs (e.g., we want space quoted, and we want to indicate whether we saw
+ * trailing garbage, we have no need for flags, no special realm treatment,
+ * etc) than the corresponding code in libkrb5, so for now we duplicate this
+ * code.
+ *
+ * The relevant RFCs here are RFC1964 for the string representation of Kerberos
+ * principal names, and RFC4556 for the KRB5PrincipalName ASN.1 type (Kerberos
+ * lacks such a type because on the wire the name and realm are sent
+ * separately as a form of cheap compression).
+ *
+ * Note that we cannot handle embedded NULs because of Heimdal's representation
+ * of ASN.1 strings as C strings.
+ */
+int
+_hx509_unparse_KRB5PrincipalName(hx509_context context,
+ struct rk_strpool **strpool,
+ heim_any *value)
+{
+ KRB5PrincipalName kn;
+ size_t len;
+ int ret;
+
+ ret = decode_KRB5PrincipalName(value->data, value->length, &kn, &len);
+ if (ret == 0 &&
+ (*strpool = _hx509_unparse_kerberos_name(*strpool, &kn)) == NULL)
+ ret = hx509_enomem(context);
+ free_KRB5PrincipalName(&kn);
+ if (ret == 0 && (value->length != len) &&
+ (*strpool = rk_strpoolprintf(*strpool, " <garbage>")) == NULL)
+ ret = hx509_enomem(context);
+ if (ret) {
+ rk_strpoolfree(*strpool);
+ *strpool = rk_strpoolprintf(NULL,
+ "<error-decoding-PrincipalName");
+ hx509_set_error_string(context, 0, ret,
+ "Failed to decode PermanentIdentifier");
+ }
+ return ret;
+}
+
+struct rk_strpool *
+_hx509_unparse_kerberos_name(struct rk_strpool *strpool, KRB5PrincipalName *kn)
+{
+ static const char comp_quotable_chars[] = " \n\t\b\\/@";
+ static const char realm_quotable_chars[] = " \n\t\b\\@";
+ const char *s;
+ size_t i, k, len, plen;
+ int need_slash = 0;
+
+ for (i = 0; i < kn->principalName.name_string.len; i++) {
+ s = kn->principalName.name_string.val[i];
+ len = strlen(s);
+
+ if (need_slash)
+ strpool = rk_strpoolprintf(strpool, "/");
+ need_slash = 1;
+
+ for (k = 0; k < len; s += plen, k += plen) {
+ char c;
+
+ plen = strcspn(s, comp_quotable_chars);
+ if (plen)
+ strpool = rk_strpoolprintf(strpool, "%.*s", (int)plen, s);
+ if (k + plen >= len)
+ continue;
+ switch ((c = s[plen++])) {
+ case '\n': strpool = rk_strpoolprintf(strpool, "\\n"); break;
+ case '\t': strpool = rk_strpoolprintf(strpool, "\\t"); break;
+ case '\b': strpool = rk_strpoolprintf(strpool, "\\b"); break;
+ /* default -> '@', ' ', '\\', or '/' */
+ default: strpool = rk_strpoolprintf(strpool, "\\%c", c); break;
+ }
+ }
+ }
+ if (!kn->realm)
+ return strpool;
+ strpool = rk_strpoolprintf(strpool, "@");
+
+ s = kn->realm;
+ len = strlen(kn->realm);
+ for (k = 0; k < len; s += plen, k += plen) {
+ char c;
+
+ plen = strcspn(s, realm_quotable_chars);
+ if (plen)
+ strpool = rk_strpoolprintf(strpool, "%.*s", (int)plen, s);
+ if (k + plen >= len)
+ continue;
+ switch ((c = s[plen++])) {
+ case '\n': strpool = rk_strpoolprintf(strpool, "\\n"); break;
+ case '\t': strpool = rk_strpoolprintf(strpool, "\\t"); break;
+ case '\b': strpool = rk_strpoolprintf(strpool, "\\b"); break;
+ /* default -> '@', ' ', or '\\' */
+ default: strpool = rk_strpoolprintf(strpool, "\\%c", c); break;
+ }
+ }
+ return strpool;
+}
+
+int
+_hx509_unparse_utf8_string_name(hx509_context context,
+ struct rk_strpool **strpool,
+ heim_any *value)
+{
+ PKIXXmppAddr us;
+ size_t size;
+ int ret;
+
+ ret = decode_PKIXXmppAddr(value->data, value->length, &us, &size);
+ if (ret == 0 &&
+ (*strpool = rk_strpoolprintf(*strpool, "%s", us)) == NULL)
+ ret = hx509_enomem(context);
+ if (ret) {
+ rk_strpoolfree(*strpool);
+ *strpool = rk_strpoolprintf(NULL,
+ "<error-decoding-UTF8String-SAN>");
+ hx509_set_error_string(context, 0, ret,
+ "Failed to decode UTF8String SAN");
+ }
+ free_PKIXXmppAddr(&us);
+ return ret;
+}
+
+int
+_hx509_unparse_ia5_string_name(hx509_context context,
+ struct rk_strpool **strpool,
+ heim_any *value)
+{
+ SRVName us;
+ size_t size;
+ int ret;
+
+ ret = decode_SRVName(value->data, value->length, &us, &size);
+ if (ret == 0) {
+ rk_strpoolfree(*strpool);
+ *strpool = rk_strpoolprintf(NULL,
+ "<error-decoding-IA5String-SAN>");
+ hx509_set_error_string(context, 0, ret,
+ "Failed to decode UTF8String SAN");
+ return ret;
+ }
+ *strpool = rk_strpoolprintf(*strpool, "%.*s",
+ (int)us.length, (char *)us.data);
+ free_SRVName(&us);
+ return ret;
+}
+
+typedef int (*other_unparser_f)(hx509_context,
+ struct rk_strpool **,
+ heim_any *);
+
+struct {
+ const heim_oid *oid;
+ const char *friendly_name;
+ other_unparser_f f;
+} o_unparsers[] = {
+ { &asn1_oid_id_pkinit_san,
+ "KerberosPrincipalName",
+ _hx509_unparse_KRB5PrincipalName },
+ { &asn1_oid_id_pkix_on_permanentIdentifier,
+ "PermanentIdentifier",
+ _hx509_unparse_PermanentIdentifier },
+ { &asn1_oid_id_on_hardwareModuleName,
+ "HardwareModuleName",
+ _hx509_unparse_HardwareModuleName },
+ { &asn1_oid_id_pkix_on_xmppAddr,
+ "XMPPName",
+ _hx509_unparse_utf8_string_name },
+ { &asn1_oid_id_pkinit_ms_san,
+ "MSFTKerberosPrincipalName",
+ _hx509_unparse_utf8_string_name },
+ { &asn1_oid_id_pkix_on_dnsSRV,
+ "SRVName",
+ _hx509_unparse_ia5_string_name },
+};
+
/**
* Unparse the hx509 name in name into a string.
*
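Review bot: `_hx509_unparse_ia5_string_name` has its decode test inverted at `if (ret == 0) {`: a successful decode_SRVName replaces the pool with `<error-decoding-IA5String-SAN>` and returns 0, while a failed decode falls through to print `us.length` bytes of an undecoded `SRVName` and free it; it should read `if (ret) {`, and the message it sets says "Failed to decode UTF8String SAN" where IA5String is meant. `_hx509_unparse_KRB5PrincipalName` likewise sets "Failed to decode PermanentIdentifier" by copy-paste, and the placeholders `<error-decoding-PermanentIdentifier`, `<error-decoding-HardwareModuleName` and `<error-decoding-PrincipalName` lack the closing `>` that `<error-decoding-UTF8String-SAN>` has. `_hx509_unparse_PermanentIdentifier` reads `pi.identifierValue`, and every unparser calls its `free_*` routine, even when the decode failed, which is only safe if the generated decoders zero the struct on failure; a `ret == 0 &&` guard or a comment stating that contract would remove the doubt. In `_hx509_unparse_kerberos_name` no `rk_strpoolprintf` result is checked, and because `rk_strpoolprintf(NULL, …)` starts a fresh pool, one allocation failure mid-name silently drops the output collected so far rather than making the caller's NULL test fire. `o_unparsers[]` is a writable global with external linkage; `static const` would match how the table is used.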
@@ -948,9 +1392,36 @@ hx509_name_is_null_p(const hx509_name name)
* @ingroup hx509_name
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_general_name_unparse(GeneralName *name, char **str)
{
+ hx509_context context;
+ int ret;
+
+ if ((ret = hx509_context_init(&context)))
+ return ret;
+ ret = hx509_general_name_unparse2(context, name, str);
+ hx509_context_free(&context);
+ return ret;
+}
+
+/**
+ * Unparse the hx509 name in name into a string.
+ *
+ * @param context hx509 library context
+ * @param name the name to print
+ * @param str an allocated string returns the name in string form
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_general_name_unparse2(hx509_context context,
+ GeneralName *name,
+ char **str)
+{
struct rk_strpool *strpool = NULL;
int ret = 0;
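Review bot: The empty line between the new Doxygen block's `*/` and `HX509_LIB_FUNCTION int HX509_LIB_CALL hx509_general_name_unparse2(` detaches the comment from the declaration; drop it so the `@ingroup hx509_name` entry attaches as it does for the other functions in this file. The compatibility wrapper `hx509_general_name_unparse` frees its private context right after the call, so any error string the unparsers set is lost and callers of the old API only see the code; a line in its Doxygen block such as `Error strings are discarded; use hx509_general_name_unparse2() to read them with hx509_get_error_string().` would make that visible. hx509_general_name_unparse2's body continues outside the hunk.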
@@ -958,21 +1429,40 @@ hx509_general_name_unparse(GeneralName *name, char **str)
switch (name->element) {
case choice_GeneralName_otherName: {
+ size_t i;
char *oid;
- hx509_oid_sprint(&name->u.otherName.type_id, &oid);
- if (oid == NULL)
- return ENOMEM;
- strpool = rk_strpoolprintf(strpool, "otherName: %s", oid);
+
+ ret = hx509_oid_sprint(&name->u.otherName.type_id, &oid);
+ if (ret == 0)
+ strpool = rk_strpoolprintf(strpool, "otherName: %s ", oid);
+ if (strpool == NULL)
+ ret = ENOMEM;
+
+ for (i = 0; ret == 0 && i < sizeof(o_unparsers)/sizeof(o_unparsers[0]); i++) {
+ if (der_heim_oid_cmp(&name->u.otherName.type_id,
+ o_unparsers[i].oid))
+ continue;
+ strpool = rk_strpoolprintf(strpool, "%s ",o_unparsers[i].friendly_name);
+ if (strpool == NULL)
+ ret = ENOMEM;
+ if (ret == 0)
+ ret = o_unparsers[i].f(context, &strpool, &name->u.otherName.value);
+ break;
+ }
+ if (ret == 0 && i == sizeof(o_unparsers)/sizeof(o_unparsers[0])) {
+ strpool = rk_strpoolprintf(strpool, "<unknown-other-name-type>");
+ ret = ENOTSUP;
+ }
free(oid);
break;
}
case choice_GeneralName_rfc822Name:
- strpool = rk_strpoolprintf(strpool, "rfc822Name: %.*s\n",
+ strpool = rk_strpoolprintf(strpool, "rfc822Name: %.*s",
(int)name->u.rfc822Name.length,
(char *)name->u.rfc822Name.data);
break;
case choice_GeneralName_dNSName:
- strpool = rk_strpoolprintf(strpool, "dNSName: %.*s\n",
+ strpool = rk_strpoolprintf(strpool, "dNSName: %.*s",
(int)name->u.dNSName.length,
(char *)name->u.dNSName.data);
break;
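Review bot: `char *oid;` at the top of the `otherName` case is uninitialised on the `hx509_oid_sprint` failure path, yet `free(oid)` runs unconditionally before `break`; the removed code tested `oid == NULL`, which suggests the printer clears it on failure, but `char *oid = NULL;` removes the dependence on that. The following `if (strpool == NULL) ret = ENOMEM;` also overwrites a non-zero `ret` from `hx509_oid_sprint` with ENOMEM, because `strpool` is still NULL at that point; `if (ret == 0 && strpool == NULL)` keeps the original error. When no `o_unparsers` entry matches, `<unknown-other-name-type>` is appended and then ENOTSUP is returned, so whether that text ever reaches `*str` depends on the tail of the function, which lies outside the hunk.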
diff --git a/lib/hx509/ocsp.asn1 b/lib/hx509/ocsp.asn1
deleted file mode 100644
index eb090a4cc768..000000000000
--- a/lib/hx509/ocsp.asn1
+++ /dev/null
@@ -1,113 +0,0 @@
--- From rfc2560
--- $Id$
-OCSP DEFINITIONS EXPLICIT TAGS::=
-
-BEGIN
-
-IMPORTS
- Certificate, AlgorithmIdentifier, CRLReason,
- Name, GeneralName, CertificateSerialNumber, Extensions
- FROM rfc2459;
-
-OCSPVersion ::= INTEGER { ocsp-v1(0) }
-
-OCSPCertStatus ::= CHOICE {
- good [0] IMPLICIT NULL,
- revoked [1] IMPLICIT -- OCSPRevokedInfo -- SEQUENCE {
- revocationTime GeneralizedTime,
- revocationReason[0] EXPLICIT CRLReason OPTIONAL
- },
- unknown [2] IMPLICIT NULL }
-
-OCSPCertID ::= SEQUENCE {
- hashAlgorithm AlgorithmIdentifier,
- issuerNameHash OCTET STRING, -- Hash of Issuer's DN
- issuerKeyHash OCTET STRING, -- Hash of Issuers public key
- serialNumber CertificateSerialNumber }
-
-OCSPSingleResponse ::= SEQUENCE {
- certID OCSPCertID,
- certStatus OCSPCertStatus,
- thisUpdate GeneralizedTime,
- nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
- singleExtensions [1] EXPLICIT Extensions OPTIONAL }
-
-OCSPInnerRequest ::= SEQUENCE {
- reqCert OCSPCertID,
- singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
-
-OCSPTBSRequest ::= SEQUENCE {
- version [0] EXPLICIT OCSPVersion -- DEFAULT v1 -- OPTIONAL,
- requestorName [1] EXPLICIT GeneralName OPTIONAL,
- requestList SEQUENCE OF OCSPInnerRequest,
- requestExtensions [2] EXPLICIT Extensions OPTIONAL }
-
-OCSPSignature ::= SEQUENCE {
- signatureAlgorithm AlgorithmIdentifier,
- signature BIT STRING,
- certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
-
-OCSPRequest ::= SEQUENCE {
- tbsRequest OCSPTBSRequest,
- optionalSignature [0] EXPLICIT OCSPSignature OPTIONAL }
-
-OCSPResponseBytes ::= SEQUENCE {
- responseType OBJECT IDENTIFIER,
- response OCTET STRING }
-
-OCSPResponseStatus ::= ENUMERATED {
- successful (0), --Response has valid confirmations
- malformedRequest (1), --Illegal confirmation request
- internalError (2), --Internal error in issuer
- tryLater (3), --Try again later
- --(4) is not used
- sigRequired (5), --Must sign the request
- unauthorized (6) --Request unauthorized
-}
-
-OCSPResponse ::= SEQUENCE {
- responseStatus OCSPResponseStatus,
- responseBytes [0] EXPLICIT OCSPResponseBytes OPTIONAL }
-
-OCSPKeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
- --(excluding the tag and length fields)
-
-OCSPResponderID ::= CHOICE {
- byName [1] Name,
- byKey [2] OCSPKeyHash }
-
-OCSPResponseData ::= SEQUENCE {
- version [0] EXPLICIT OCSPVersion -- DEFAULT v1 -- OPTIONAL,
- responderID OCSPResponderID,
- producedAt GeneralizedTime,
- responses SEQUENCE OF OCSPSingleResponse,
- responseExtensions [1] EXPLICIT Extensions OPTIONAL }
-
-OCSPBasicOCSPResponse ::= SEQUENCE {
- tbsResponseData OCSPResponseData,
- signatureAlgorithm AlgorithmIdentifier,
- signature BIT STRING,
- certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
-
--- ArchiveCutoff ::= GeneralizedTime
-
--- AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER
-
--- Object Identifiers
-
-id-pkix-ocsp OBJECT IDENTIFIER ::= {
- iso(1) identified-organization(3) dod(6) internet(1)
- security(5) mechanisms(5) pkix(7) pkix-ad(48) 1
-}
-
-id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
-id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
--- id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
--- id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
--- id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
--- id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
--- id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }
-
-
-END
-
diff --git a/lib/hx509/ocsp.opt b/lib/hx509/ocsp.opt
deleted file mode 100644
index 697aa03e19e8..000000000000
--- a/lib/hx509/ocsp.opt
+++ /dev/null
@@ -1,2 +0,0 @@
---preserve-binary=OCSPTBSRequest
---preserve-binary=OCSPResponseData
diff --git a/lib/hx509/peer.c b/lib/hx509/peer.c
index 457f6c4d04b6..2501f0107430 100644
--- a/lib/hx509/peer.c
+++ b/lib/hx509/peer.c
@@ -55,7 +55,7 @@
* @ingroup hx509_peer
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_peer_info_alloc(hx509_context context, hx509_peer_info *peer)
{
*peer = calloc(1, sizeof(**peer));
@@ -88,7 +88,7 @@ free_cms_alg(hx509_peer_info peer)
* @ingroup hx509_peer
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_peer_info_free(hx509_peer_info peer)
{
if (peer == NULL)
@@ -111,7 +111,7 @@ hx509_peer_info_free(hx509_peer_info peer)
* @ingroup hx509_peer
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_peer_info_set_cert(hx509_peer_info peer,
hx509_cert cert)
{
@@ -133,7 +133,7 @@ hx509_peer_info_set_cert(hx509_peer_info peer,
* @ingroup hx509_peer
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_peer_info_add_cms_alg(hx509_context context,
hx509_peer_info peer,
const AlgorithmIdentifier *val)
@@ -168,7 +168,7 @@ hx509_peer_info_add_cms_alg(hx509_context context,
* @ingroup hx509_peer
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_peer_info_set_cms_algs(hx509_context context,
hx509_peer_info peer,
const AlgorithmIdentifier *val,
@@ -203,14 +203,14 @@ hx509_peer_info_set_cms_algs(hx509_context context,
* S/MIME
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_peer_info_parse_smime(hx509_peer_info peer,
const heim_octet_string *data)
{
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_peer_info_unparse_smime(hx509_peer_info peer,
heim_octet_string *data)
{
@@ -221,14 +221,14 @@ hx509_peer_info_unparse_smime(hx509_peer_info peer,
* For storing hx509_peer_info to be able to cache them.
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_peer_info_parse(hx509_peer_info peer,
const heim_octet_string *data)
{
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_peer_info_unparse(hx509_peer_info peer,
heim_octet_string *data)
{
diff --git a/lib/hx509/pkcs10.asn1 b/lib/hx509/pkcs10.asn1
deleted file mode 100644
index f3fe37b1bf9e..000000000000
--- a/lib/hx509/pkcs10.asn1
+++ /dev/null
@@ -1,25 +0,0 @@
--- $Id$
-PKCS10 DEFINITIONS ::=
-
-BEGIN
-
-IMPORTS
- Name, SubjectPublicKeyInfo, Attribute, AlgorithmIdentifier
- FROM rfc2459;
-
-
-CertificationRequestInfo ::= SEQUENCE {
- version INTEGER { pkcs10-v1(0) },
- subject Name,
- subjectPKInfo SubjectPublicKeyInfo,
- attributes [0] IMPLICIT SET OF Attribute OPTIONAL
-}
-
-CertificationRequest ::= SEQUENCE {
- certificationRequestInfo CertificationRequestInfo,
- signatureAlgorithm AlgorithmIdentifier,
- signature BIT STRING
-}
-
-END
-
diff --git a/lib/hx509/pkcs10.opt b/lib/hx509/pkcs10.opt
deleted file mode 100644
index 499fab2f6ba2..000000000000
--- a/lib/hx509/pkcs10.opt
+++ /dev/null
@@ -1 +0,0 @@
---preserve-binary=CertificationRequestInfo
diff --git a/lib/hx509/print.c b/lib/hx509/print.c
index 01c275455a54..3309913f3575 100644
--- a/lib/hx509/print.c
+++ b/lib/hx509/print.c
@@ -32,6 +32,8 @@
*/
#include "hx_locl.h"
+#include <vis.h>
+#include <vis-extras.h>
/**
* @page page_print Hx509 printing functions
@@ -40,6 +42,7 @@
*/
struct hx509_validate_ctx_data {
+ hx509_context context;
int flags;
hx509_vprint_func vprint_func;
void *ctx;
@@ -93,7 +96,7 @@ Time2string(const Time *T, char **str)
* @ingroup hx509_print
*/
-void
+HX509_LIB_FUNCTION void
hx509_print_stdout(void *ctx, const char *fmt, va_list va)
{
FILE *f = ctx;
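Review bot: `HX509_LIB_FUNCTION void` on `hx509_print_stdout` omits the `HX509_LIB_CALL` that every other export in this commit carries. If that is deliberate because the function must keep the calling convention of `hx509_vprint_func` it is assigned to, a one-line comment saying so would stop the next reader from "fixing" it; otherwise the line should read `HX509_LIB_FUNCTION void HX509_LIB_CALL`.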
@@ -122,7 +125,7 @@ print_func(hx509_vprint_func func, void *ctx, const char *fmt, ...)
* @ingroup hx509_print
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_oid_sprint(const heim_oid *oid, char **str)
{
return der_print_heim_oid(oid, '.', str);
@@ -139,7 +142,7 @@ hx509_oid_sprint(const heim_oid *oid, char **str)
* @ingroup hx509_print
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_oid_print(const heim_oid *oid, hx509_vprint_func func, void *ctx)
{
char *str;
@@ -159,7 +162,7 @@ hx509_oid_print(const heim_oid *oid, hx509_vprint_func func, void *ctx)
* @ingroup hx509_print
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_bitstring_print(const heim_bit_string *b,
hx509_vprint_func func, void *ctx)
{
@@ -187,7 +190,7 @@ hx509_bitstring_print(const heim_bit_string *b,
* @ingroup hx509_print
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_keyusage_print(hx509_context context, hx509_cert c, char **s)
{
KeyUsage ku;
@@ -358,6 +361,7 @@ check_authorityKeyIdentifier(hx509_validate_ctx ctx,
}
}
+ free_AuthorityKeyIdentifier(&ai);
return 0;
}
@@ -413,67 +417,6 @@ check_extKeyUsage(hx509_validate_ctx ctx,
}
static int
-check_pkinit_san(hx509_validate_ctx ctx, heim_any *a)
-{
- KRB5PrincipalName kn;
- unsigned i;
- size_t size;
- int ret;
-
- ret = decode_KRB5PrincipalName(a->data, a->length, &kn, &size);
- if (ret) {
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
- "Decoding kerberos name in SAN failed: %d", ret);
- return 1;
- }
-
- if (size != a->length) {
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
- "Decoding kerberos name have extra bits on the end");
- return 1;
- }
-
- /* print kerberos principal, add code to quote / within components */
- for (i = 0; i < kn.principalName.name_string.len; i++) {
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s",
- kn.principalName.name_string.val[i]);
- if (i + 1 < kn.principalName.name_string.len)
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "/");
- }
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "@");
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", kn.realm);
-
- free_KRB5PrincipalName(&kn);
- return 0;
-}
-
-static int
-check_utf8_string_san(hx509_validate_ctx ctx, heim_any *a)
-{
- PKIXXmppAddr jid;
- size_t size;
- int ret;
-
- ret = decode_PKIXXmppAddr(a->data, a->length, &jid, &size);
- if (ret) {
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
- "Decoding JID in SAN failed: %d", ret);
- return 1;
- }
-
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", jid);
- free_PKIXXmppAddr(&jid);
-
- return 0;
-}
-
-static int
-check_altnull(hx509_validate_ctx ctx, heim_any *a)
-{
- return 0;
-}
-
-static int
check_CRLDistributionPoints(hx509_validate_ctx ctx,
struct cert_status *status,
enum critical_flag cf,
@@ -498,18 +441,9 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx,
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "CRL Distribution Points:\n");
for (i = 0 ; i < dp.len; i++) {
if (dp.val[i].distributionPoint) {
- DistributionPointName dpname;
- heim_any *data = dp.val[i].distributionPoint;
+ DistributionPointName dpname = dp.val[i].distributionPoint[0];
size_t j;
- ret = decode_DistributionPointName(data->data, data->length,
- &dpname, NULL);
- if (ret) {
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
- "Failed to parse CRL Distribution Point Name: %d\n", ret);
- continue;
- }
-
switch (dpname.element) {
case choice_DistributionPointName_fullName:
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "Fullname:\n");
@@ -518,8 +452,13 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx,
char *s;
GeneralName *name = &dpname.u.fullName.val[j];
- ret = hx509_general_name_unparse(name, &s);
- if (ret == 0 && s != NULL) {
+ ret = hx509_general_name_unparse2(ctx->context, name, &s);
+ if (ret) {
+ s = hx509_get_error_string(ctx->context, ret);
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "Unknown DistributionPointName: %s", s);
+ hx509_free_error_string(s);
+ } else {
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " %s\n", s);
free(s);
}
@@ -534,7 +473,6 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx,
"Unknown DistributionPointName");
break;
}
- free_DistributionPointName(&dpname);
}
}
free_CRLDistributionPoints(&dp);
@@ -544,19 +482,6 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx,
return 0;
}
-
-struct {
- const char *name;
- const heim_oid *oid;
- int (*func)(hx509_validate_ctx, heim_any *);
-} altname_types[] = {
- { "pk-init", &asn1_oid_id_pkinit_san, check_pkinit_san },
- { "jabber", &asn1_oid_id_pkix_on_xmppAddr, check_utf8_string_san },
- { "dns-srv", &asn1_oid_id_pkix_on_dnsSRV, check_altnull },
- { "card-id", &asn1_oid_id_uspkicommon_card_id, check_altnull },
- { "Microsoft NT-PRINCIPAL-NAME", &asn1_oid_id_pkinit_ms_san, check_utf8_string_san }
-};
-
static int
check_altName(hx509_validate_ctx ctx,
struct cert_status *status,
@@ -591,48 +516,21 @@ check_altName(hx509_validate_ctx ctx,
}
for (i = 0; i < gn.len; i++) {
- switch (gn.val[i].element) {
- case choice_GeneralName_otherName: {
- unsigned j;
-
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
- "%sAltName otherName ", name);
-
- for (j = 0; j < sizeof(altname_types)/sizeof(altname_types[0]); j++) {
- if (der_heim_oid_cmp(altname_types[j].oid,
- &gn.val[i].u.otherName.type_id) != 0)
- continue;
-
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s: ",
- altname_types[j].name);
- (*altname_types[j].func)(ctx, &gn.val[i].u.otherName.value);
- break;
- }
- if (j == sizeof(altname_types)/sizeof(altname_types[0])) {
- hx509_oid_print(&gn.val[i].u.otherName.type_id,
- validate_vprint, ctx);
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " unknown");
- }
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\n");
- break;
- }
- default: {
- char *s;
- ret = hx509_general_name_unparse(&gn.val[i], &s);
- if (ret) {
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
- "ret = %d unparsing GeneralName\n", ret);
- return 1;
- }
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s\n", s);
- free(s);
- break;
- }
- }
+ char *s;
+
+ ret = hx509_general_name_unparse2(ctx->context, &gn.val[i], &s);
+ if (ret) {
+ s = hx509_get_error_string(ctx->context, ret);
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "Error unparsing GeneralName: %s\n", s);
+ hx509_free_error_string(s);
+ return 1;
+ }
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\t%s\n", s);
+ free(s);
}
free_GeneralNames(&gn);
-
return 0;
}
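Review bot: The `return 1;` after "Error unparsing GeneralName" leaves `gn` allocated, because `free_GeneralNames(&gn)` below the loop is skipped on that path, so one malformed SAN entry leaks the whole decoded GeneralNames. The removed code had the same gap, but since this hunk rewrites the loop it is the place to close it: `free_GeneralNames(&gn); return 1;`, or record the failure and `break` so the single free runs. check_altName starts outside the hunk.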
@@ -679,21 +577,16 @@ check_basicConstraints(hx509_validate_ctx ctx,
printf("\tlength of der data isn't same as extension\n");
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
- "\tis %sa CA\n", b.cA && *b.cA ? "" : "NOT ");
+ "\tis %sa CA\n", b.cA ? "" : "NOT ");
if (b.pathLenConstraint)
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
"\tpathLenConstraint: %d\n", *b.pathLenConstraint);
if (b.cA) {
- if (*b.cA) {
- if (!e->critical)
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
- "Is a CA and not BasicConstraints CRITICAL\n");
- status->isca = 1;
- }
- else
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
- "cA is FALSE, not allowed to be\n");
+ if (!e->critical)
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "Is a CA and not BasicConstraints CRITICAL\n");
+ status->isca = 1;
}
free_BasicConstraints(&b);
@@ -737,13 +630,225 @@ check_authorityInfoAccess(hx509_validate_ctx ctx,
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
"\ttype: ");
hx509_oid_print(&aia.val[i].accessMethod, validate_vprint, ctx);
- hx509_general_name_unparse(&aia.val[i].accessLocation, &str);
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
- "\n\tdirname: %s\n", str);
- free(str);
+ ret = hx509_general_name_unparse2(ctx->context,
+ &aia.val[i].accessLocation, &str);
+ if (ret) {
+ str = hx509_get_error_string(ctx->context, ret);
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "Error unparsing AuthorityInfoAccessSyntax "
+ "accessLocation: %s", str);
+ hx509_free_error_string(str);
+ } else {
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+ "\n\tdirname: %s\n", str);
+ free(str);
+ }
}
free_AuthorityInfoAccessSyntax(&aia);
+ return ret;
+}
+
+static int
+get_display_text(DisplayText *dt, char **out)
+{
+ int r = -1;
+
+ *out = NULL;
+
+ /*
+ * XXX We're cheating with various string types here.
+ *
+ * Proper support for IA5String is a real pain, and we don't have it.
+ *
+ * We also don't have support for BMPString.
+ */
+ switch (dt->element) {
+ case choice_DisplayText_ia5String:
+ r = rk_strasvisx(out, dt->u.ia5String.data, dt->u.ia5String.length,
+ VIS_CSTYLE | VIS_TAB | VIS_NL, "");
+ break;
+ case choice_DisplayText_visibleString:
+ r = rk_strasvis(out, dt->u.visibleString,
+ VIS_CSTYLE | VIS_TAB | VIS_NL, "");
+ break;
+ case choice_DisplayText_bmpString:
+ errno = ENOTSUP; /* XXX Need a UTF-16 -> UTF-8 conversion */
+ break;
+ case choice_DisplayText_utf8String:
+ r = rk_strasvis(out, dt->u.visibleString,
+ VIS_CSTYLE | VIS_TAB | VIS_NL, "");
+ break;
+ default:
+ errno = EINVAL;
+ }
+ return r < 0 ? errno : 0;
+}
+
+static int
+check_certificatePolicies(hx509_validate_ctx ctx,
+ struct cert_status *status,
+ enum critical_flag cf,
+ const Extension *e)
+{
+ CertificatePolicies cp;
+ size_t i, size;
+ int ret = 0;
+
+ check_Null(ctx, status, cf, e);
+
+ if (e->extnValue.length == 0) {
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "CertificatePolicies empty, not allowed");
+ return 1;
+ }
+ ret = decode_CertificatePolicies(e->extnValue.data, e->extnValue.length,
+ &cp, &size);
+ if (ret) {
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "\tret = %d while decoding CertificatePolicies\n", ret);
+ return 1;
+ }
+ if (cp.len == 0) {
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "CertificatePolicies empty, not allowed\n");
+ return 1;
+ }
+
+ for (i = 0; ret == 0 && i < cp.len; i++) {
+ size_t k;
+ char *poid = NULL;
+ char *qoid = NULL;
+ char *dt = NULL;
+
+ ret = der_print_heim_oid(&cp.val[i].policyIdentifier, '.', &poid);
+ if (ret == 0)
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tPolicy: %s", poid);
+
+ for (k = 0;
+ ret == 0 && cp.val[i].policyQualifiers &&
+ k < cp.val[i].policyQualifiers->len;
+ k++) {
+ PolicyQualifierInfo *pi = &cp.val[i].policyQualifiers->val[k];
+
+ if (der_heim_oid_cmp(&pi->policyQualifierId,
+ &asn1_oid_id_pkix_qt_cps) == 0) {
+ CPSuri cps;
+
+ ret = decode_CPSuri(pi->qualifier.data, pi->qualifier.length,
+ &cps, &size);
+ if (ret == 0) {
+ if (cps.length > 4096)
+ cps.length = 4096;
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+ ":CPSuri:%.*s",
+ (int)cps.length, (char *)cps.data);
+ free_CPSuri(&cps);
+ }
+ } else if (der_heim_oid_cmp(&pi->policyQualifierId,
+ &asn1_oid_id_pkix_qt_unotice) == 0) {
+ UserNotice un;
+
+ ret = decode_UserNotice(pi->qualifier.data,
+ pi->qualifier.length, &un, &size);
+ if (ret == 0) {
+ if (un.explicitText) {
+ /*
+ * get_display_text() will strvis to make it safer to
+ * print.
+ */
+ ret = get_display_text(un.explicitText, &dt);
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+ " UserNotice:DistplayText:%s", dt);
+ } else if (un.noticeRef) {
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+ " UserNotice:NoticeRef:<noticeRef-not-supported>",
+ qoid);
+ } else {
+ ret = der_print_heim_oid(&pi->policyQualifierId, '.',
+ &qoid);
+ if (ret)
+ break;
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+ " Unknown:%s", qoid);
+ }
+ free_UserNotice(&un);
+ }
+ } else {
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+ ", qualifier %s:<unknown>", qoid);
+ }
+ free(qoid);
+ free(dt);
+ qoid = dt = 0;
+ }
+ if (ret == 0) {
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\n");
+ } else {
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "\nOut of memory formatting certificate policy");
+ ret = ENOMEM;
+ }
+ free(poid);
+ free(qoid);
+ free(dt);
+ poid = qoid = dt = 0;
+ }
+
+ free_CertificatePolicies(&cp);
+
+ return ret ? 1 : 0;
+}
+
+static int
+check_policyMappings(hx509_validate_ctx ctx,
+ struct cert_status *status,
+ enum critical_flag cf,
+ const Extension *e)
+{
+ PolicyMappings pm;
+ size_t i, size;
+ int ret = 0;
+
+ check_Null(ctx, status, cf, e);
+
+ if (e->extnValue.length == 0) {
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "PolicyMappings empty, not allowed");
+ return 1;
+ }
+ ret = decode_PolicyMappings(e->extnValue.data, e->extnValue.length,
+ &pm, &size);
+ if (ret) {
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "\tret = %d while decoding PolicyMappings\n", ret);
+ return 1;
+ }
+ if (pm.len == 0) {
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "PolicyMappings empty, not allowed\n");
+ return 1;
+ }
+
+ for (i = 0; ret == 0 && i < pm.len; i++) {
+ char *idpoid = NULL;
+ char *sdpoid = NULL;
+
+ ret = der_print_heim_oid(&pm.val[i].issuerDomainPolicy, '.', &idpoid);
+ if (ret == 0)
+ ret = der_print_heim_oid(&pm.val[i].subjectDomainPolicy, '.',
+ &sdpoid);
+ if (ret == 0)
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+ "\tPolicy mapping %s -> %s\n", idpoid, sdpoid);
+ else
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "ret=%d while decoding PolicyMappings\n", ret);
+ free(sdpoid);
+ free(idpoid);
+ }
+
+ free_PolicyMappings(&pm);
return 0;
}
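Review bot: In `check_certificatePolicies` two `%s` arguments can be NULL: `dt` is printed right after `get_display_text()` even when that call failed (it sets `*out = NULL` and returns ENOTSUP for bmpString), and `qoid` in the `", qualifier %s:<unknown>"` branch is never assigned before it is printed. The fix is to print the display text only when `ret == 0` and to format `pi->policyQualifierId` into `qoid` before the unknown-qualifier message, as below; with `qoid` set there the existing `free(qoid)` at the end of the iteration releases it. `get_display_text` also reads `dt->u.visibleString` in the `choice_DisplayText_utf8String` case where `dt->u.utf8String` is meant, which works only while the two union members share a type. Minor: "DistplayText" in the UserNotice format string is a typo in output, and the extra `qoid` argument on the NoticeRef message has no conversion to consume it. `check_authorityInfoAccess` now ends with `return ret;`, an hx509 error code, while the other `check_*` routines return 0/1; its start is outside the hunk, so I cannot see whether the caller treats the value as a boolean.
```c
                    ret = get_display_text(un.explicitText, &dt);
                    if (ret == 0)
                        validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
                                       " UserNotice:DisplayText:%s", dt);
                } else if (un.noticeRef) {
                    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
                                   " UserNotice:NoticeRef:<noticeRef-not-supported>");
                /* … unchanged: final else branch, free_UserNotice … */
            } else {
                ret = der_print_heim_oid(&pi->policyQualifierId, '.', &qoid);
                if (ret == 0)
                    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
                                   ", qualifier %s:<unknown>", qoid);
            }
```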
@@ -776,8 +881,8 @@ struct {
{ ext(certificateIssuer, Null), M_C },
{ ext(nameConstraints, Null), M_C },
{ ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C },
- { ext(certificatePolicies, Null), 0 },
- { ext(policyMappings, Null), M_N_C },
+ { ext(certificatePolicies, certificatePolicies), 0 },
+ { ext(policyMappings, policyMappings), M_N_C },
{ ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C },
{ ext(policyConstraints, Null), D_C },
{ ext(extKeyUsage, extKeyUsage), D_C },
@@ -807,13 +912,13 @@ struct {
* @ingroup hx509_print
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_validate_ctx_init(hx509_context context, hx509_validate_ctx *ctx)
{
- *ctx = malloc(sizeof(**ctx));
+ *ctx = calloc(1, sizeof(**ctx));
if (*ctx == NULL)
- return ENOMEM;
- memset(*ctx, 0, sizeof(**ctx));
+ return hx509_enomem(context);
+ (*ctx)->context = context;
return 0;
}
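Review bot: `(*ctx)->context = context;` makes the validate context keep a borrowed pointer to the hx509_context for its whole lifetime (it is read later through `ctx->context` in the check routines), and nothing in the Doxygen block above says so. Add `@param context hx509 context; must outlive the returned validate ctx, which stores it for error reporting.` so callers do not free the context first. The Doxygen block starts outside the hunk.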
@@ -829,7 +934,7 @@ hx509_validate_ctx_init(hx509_context context, hx509_validate_ctx *ctx)
* @ingroup hx509_print
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_validate_ctx_set_print(hx509_validate_ctx ctx,
hx509_vprint_func func,
void *c)
@@ -850,7 +955,7 @@ hx509_validate_ctx_set_print(hx509_validate_ctx ctx,
* @ingroup hx509_print
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_validate_ctx_add_flags(hx509_validate_ctx ctx, int flags)
{
ctx->flags |= flags;
@@ -864,7 +969,7 @@ hx509_validate_ctx_add_flags(hx509_validate_ctx ctx, int flags)
* @ingroup hx509_print
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_validate_ctx_free(hx509_validate_ctx ctx)
{
free(ctx);
@@ -882,7 +987,7 @@ hx509_validate_ctx_free(hx509_validate_ctx ctx)
* @ingroup hx509_print
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_validate_cert(hx509_context context,
hx509_validate_ctx ctx,
hx509_cert cert)
diff --git a/lib/hx509/req.c b/lib/hx509/req.c
index e70ab4b6cce5..d0bfe91a948b 100644
--- a/lib/hx509/req.c
+++ b/lib/hx509/req.c
@@ -34,41 +34,85 @@
#include "hx_locl.h"
#include <pkcs10_asn1.h>
+typedef struct abitstring_s {
+ unsigned char *feats;
+ size_t feat_bytes;
+} *abitstring;
+
struct hx509_request_data {
+ hx509_context context;
hx509_name name;
SubjectPublicKeyInfo key;
+ KeyUsage ku;
ExtKeyUsage eku;
GeneralNames san;
+ struct abitstring_s authorized_EKUs;
+ struct abitstring_s authorized_SANs;
+ uint32_t nunsupported; /* Count of unsupported features requested */
+ uint32_t nauthorized; /* Count of supported features authorized */
+ uint32_t ku_are_authorized:1;
};
-/*
+/**
+ * Allocate and initialize an hx509_request structure representing a PKCS#10
+ * certificate signing request.
+ *
+ * @param context An hx509 context.
+ * @param req Where to put the new hx509_request object.
*
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
*/
-
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_request_init(hx509_context context, hx509_request *req)
{
*req = calloc(1, sizeof(**req));
if (*req == NULL)
return ENOMEM;
+ (*req)->context = context;
return 0;
}
-void
-hx509_request_free(hx509_request *req)
+/**
+ * Free a certificate signing request object.
+ *
+ * @param req A pointer to the hx509_request to free.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION void HX509_LIB_CALL
+hx509_request_free(hx509_request *reqp)
{
- if ((*req)->name)
- hx509_name_free(&(*req)->name);
- free_SubjectPublicKeyInfo(&(*req)->key);
- free_ExtKeyUsage(&(*req)->eku);
- free_GeneralNames(&(*req)->san);
- memset(*req, 0, sizeof(**req));
- free(*req);
- *req = NULL;
+ hx509_request req = *reqp;
+
+ *reqp = NULL;
+ if (req == NULL)
+ return;
+ if (req->name)
+ hx509_name_free(&req->name);
+ free(req->authorized_EKUs.feats);
+ free(req->authorized_SANs.feats);
+ free_SubjectPublicKeyInfo(&req->key);
+ free_ExtKeyUsage(&req->eku);
+ free_GeneralNames(&req->san);
+ memset(req, 0, sizeof(*req));
+ free(req);
}
-int
+/**
+ * Set the subjectName of the CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request to alter.
+ * @param name The subjectName.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_request_set_name(hx509_context context,
hx509_request req,
hx509_name name)
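Review bot: The doc comment on hx509_request_free still names the parameter `req` while the new signature takes `reqp`, so the generated documentation no longer matches the code; `@param reqp A pointer to the hx509_request to free; *reqp is set to NULL on return.` would describe what the body does (it nulls `*reqp` before freeing and tolerates an already-NULL request). Separately, hx509_request_init now records `context` in the request but on allocation failure still returns a bare `ENOMEM` with no error string, whereas hx509_validate_ctx_init in this same commit switches to `return hx509_enomem(context);`; using the same call here would keep the two init paths consistent for callers that read hx509_get_error_string().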
@@ -83,7 +127,18 @@ hx509_request_set_name(hx509_context context,
return 0;
}
-int
+/**
+ * Get the subject name requested by a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param name Where to put the name.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_request_get_name(hx509_context context,
hx509_request req,
hx509_name *name)
@@ -95,7 +150,18 @@ hx509_request_get_name(hx509_context context,
return hx509_name_copy(context, req->name, name);
}
-int
+/**
+ * Set the subject public key requested by a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param key The public key.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_request_set_SubjectPublicKeyInfo(hx509_context context,
hx509_request req,
const SubjectPublicKeyInfo *key)
@@ -104,7 +170,18 @@ hx509_request_set_SubjectPublicKeyInfo(hx509_context context,
return copy_SubjectPublicKeyInfo(key, &req->key);
}
-int
+/**
+ * Get the subject public key requested by a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param key Where to put the key.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_request_get_SubjectPublicKeyInfo(hx509_context context,
hx509_request req,
SubjectPublicKeyInfo *key)
@@ -112,10 +189,61 @@ hx509_request_get_SubjectPublicKeyInfo(hx509_context context,
return copy_SubjectPublicKeyInfo(&req->key, key);
}
-int
-_hx509_request_add_eku(hx509_context context,
- hx509_request req,
- const heim_oid *oid)
+/**
+ * Set the key usage requested by a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param ku The key usage.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_set_ku(hx509_context context, hx509_request req, KeyUsage ku)
+{
+ uint64_t n = KeyUsage2int(ku);
+
+ if ((KeyUsage2int(req->ku) & n) != n)
+ req->ku_are_authorized = 0;
+ req->ku = ku;
+ return 0;
+}
+
+/**
+ * Get the key usage requested by a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param ku Where to put the key usage.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_get_ku(hx509_context context, hx509_request req, KeyUsage *ku)
+{
+ *ku = req->ku;
+ return 0;
+}
+
+/**
+ * Add an extended key usage OID to a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param oid The EKU OID.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_add_eku(hx509_context context,
+ hx509_request req,
+ const heim_oid *oid)
{
void *val;
int ret;
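Review bot: hx509_request_set_ku silently clears `ku_are_authorized` when the new KeyUsage requests bits the request did not already carry, but the doc comment does not mention this side effect, and a caller that sets the KU after hx509_request_authorize_ku() will not expect the authorization to be dropped. A line such as `* Requesting KU bits not already present clears the request's authorized-KU state.` in the comment would make the contract visible. Note also that the function can never return anything but 0, so the `@return An hx509 error code` text is broader than the code; that is fine as an interface reservation but worth a word. hx509_request_add_eku's body continues outside this hunk.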
@@ -134,10 +262,112 @@ _hx509_request_add_eku(hx509_context context,
return 0;
}
-int
-_hx509_request_add_dns_name(hx509_context context,
- hx509_request req,
- const char *hostname)
+/**
+ * Add a GeneralName (Jabber ID) subject alternative name to a CSR.
+ *
+ * XXX Make this take a heim_octet_string, not a GeneralName*.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param gn The GeneralName object.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_add_GeneralName(hx509_context context,
+ hx509_request req,
+ const GeneralName *gn)
+{
+ return add_GeneralNames(&req->san, gn);
+}
+
+static int
+add_utf8_other_san(hx509_context context,
+ GeneralNames *gns,
+ const heim_oid *oid,
+ const char *s)
+{
+ const PKIXXmppAddr us = (const PKIXXmppAddr)(uintptr_t)s;
+ GeneralName gn;
+ size_t size;
+ int ret;
+
+ gn.element = choice_GeneralName_otherName;
+ gn.u.otherName.type_id.length = 0;
+ gn.u.otherName.type_id.components = 0;
+ gn.u.otherName.value.data = NULL;
+ gn.u.otherName.value.length = 0;
+ ret = der_copy_oid(oid, &gn.u.otherName.type_id);
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(PKIXXmppAddr, gn.u.otherName.value.data,
+ gn.u.otherName.value.length, &us, &size, ret);
+ if (ret == 0 && size != gn.u.otherName.value.length)
+ _hx509_abort("internal ASN.1 encoder error");
+ if (ret == 0)
+ ret = add_GeneralNames(gns, &gn);
+ free_GeneralName(&gn);
+ if (ret)
+ hx509_set_error_string(context, 0, ret, "Out of memory");
+ return ret;
+}
+
+/**
+ * Add an xmppAddr (Jabber ID) subject alternative name to a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param jid The XMPP address.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_add_xmpp_name(hx509_context context,
+ hx509_request req,
+ const char *jid)
+{
+ return add_utf8_other_san(context, &req->san,
+ &asn1_oid_id_pkix_on_xmppAddr, jid);
+}
+
+/**
+ * Add a Microsoft UPN subject alternative name to a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param hostname The XMPP address.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_add_ms_upn_name(hx509_context context,
+ hx509_request req,
+ const char *upn)
+{
+ return add_utf8_other_san(context, &req->san, &asn1_oid_id_pkinit_ms_san,
+ upn);
+}
+
+/**
+ * Add a dNSName (hostname) subject alternative name to a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param hostname The fully-qualified hostname.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_add_dns_name(hx509_context context,
+ hx509_request req,
+ const char *hostname)
{
GeneralName name;
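Review bot: Two doc comments in this hunk were copy-pasted and do not match their functions: hx509_request_add_GeneralName is described as adding a "GeneralName (Jabber ID)" although it takes an arbitrary GeneralName, and hx509_request_add_ms_upn_name documents `@param hostname The XMPP address.` while its parameter is `upn`; `* Add a GeneralName subject alternative name to a CSR.` and `@param upn The Microsoft User Principal Name (user@REALM).` would fix both. In add_utf8_other_san every non-zero `ret` is reported as "Out of memory", but `ret` can also come from the ASN.1 encoder or add_GeneralNames, so an encoding failure is misreported to the caller; setting the string only when `ret == ENOMEM`, or using a neutral message, would be more accurate. hx509_request_add_dns_name's body continues outside this hunk.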
@@ -149,33 +379,271 @@ _hx509_request_add_dns_name(hx509_context context,
return add_GeneralNames(&req->san, &name);
}
-int
-_hx509_request_add_email(hx509_context context,
- hx509_request req,
- const char *email)
+/**
+ * Add a dnsSRV (_service.hostname) subject alternative name to a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param dnssrv The DNS SRV name.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_add_dns_srv(hx509_context context,
+ hx509_request req,
+ const char *dnssrv)
+{
+ GeneralName gn;
+ SRVName n;
+ size_t size;
+ int ret;
+
+ memset(&n, 0, sizeof(n));
+ memset(&gn, 0, sizeof(gn));
+ gn.element = choice_GeneralName_otherName;
+ gn.u.otherName.type_id.length = 0;
+ gn.u.otherName.type_id.components = 0;
+ gn.u.otherName.value.data = NULL;
+ gn.u.otherName.value.length = 0;
+ n.length = strlen(dnssrv);
+ n.data = (void *)(uintptr_t)dnssrv;
+ ASN1_MALLOC_ENCODE(SRVName,
+ gn.u.otherName.value.data,
+ gn.u.otherName.value.length, &n, &size, ret);
+ if (ret == 0)
+ ret = der_copy_oid(&asn1_oid_id_pkix_on_dnsSRV, &gn.u.otherName.type_id);
+ if (ret == 0)
+ ret = add_GeneralNames(&req->san, &gn);
+ free_GeneralName(&gn);
+ return ret;
+}
+
+/**
+ * Add an rfc822Name (e-mail address) subject alternative name to a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param email The e-mail address.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_add_email(hx509_context context,
+ hx509_request req,
+ const char *email)
{
GeneralName name;
memset(&name, 0, sizeof(name));
name.element = choice_GeneralName_rfc822Name;
- name.u.dNSName.data = rk_UNCONST(email);
- name.u.dNSName.length = strlen(email);
+ name.u.rfc822Name.data = rk_UNCONST(email);
+ name.u.rfc822Name.length = strlen(email);
return add_GeneralNames(&req->san, &name);
}
+/**
+ * Add a registeredID (OID) subject alternative name to a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param oid The OID.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_add_registered(hx509_context context,
+ hx509_request req,
+ heim_oid *oid)
+{
+ GeneralName name;
+ int ret;
+ memset(&name, 0, sizeof(name));
+ name.element = choice_GeneralName_registeredID;
+ ret = der_copy_oid(oid, &name.u.registeredID);
+ if (ret)
+ return ret;
+ ret = add_GeneralNames(&req->san, &name);
+ free_GeneralName(&name);
+ return ret;
+}
-int
-_hx509_request_to_pkcs10(hx509_context context,
- const hx509_request req,
- const hx509_private_key signer,
- heim_octet_string *request)
+/**
+ * Add a Kerberos V5 principal subject alternative name to a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param princ The Kerberos principal name.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_add_pkinit(hx509_context context,
+ hx509_request req,
+ const char *princ)
{
- CertificationRequest r;
- heim_octet_string data, os;
+ KRB5PrincipalName kn;
+ GeneralName gn;
int ret;
+
+ memset(&kn, 0, sizeof(kn));
+ memset(&gn, 0, sizeof(gn));
+ gn.element = choice_GeneralName_otherName;
+ gn.u.otherName.type_id.length = 0;
+ gn.u.otherName.type_id.components = 0;
+ gn.u.otherName.value.data = NULL;
+ gn.u.otherName.value.length = 0;
+ ret = der_copy_oid(&asn1_oid_id_pkinit_san, &gn.u.otherName.type_id);
+ if (ret == 0)
+ ret = _hx509_make_pkinit_san(context, princ, &gn.u.otherName.value);
+ if (ret == 0)
+ ret = add_GeneralNames(&req->san, &gn);
+ free_GeneralName(&gn);
+ return ret;
+}
+
+/* XXX Add DNSSRV and other SANs */
+
+static int
+get_exts(hx509_context context,
+ const hx509_request req,
+ Extensions *exts)
+{
size_t size;
+ int ret = 0;
+
+ exts->val = NULL;
+ exts->len = 0;
+
+ if (KeyUsage2int(req->ku)) {
+ Extension e;
+
+ memset(&e, 0, sizeof(e));
+ /* The critical field needs to be made DEFAULT FALSE... */
+ e.critical = 1;
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(KeyUsage, e.extnValue.data, e.extnValue.length,
+ &req->ku, &size, ret);
+ if (ret == 0)
+ ret = der_copy_oid(&asn1_oid_id_x509_ce_keyUsage, &e.extnID);
+ if (ret == 0)
+ ret = add_Extensions(exts, &e);
+ free_Extension(&e);
+ }
+ if (ret == 0 && req->eku.len) {
+ Extension e;
+
+ memset(&e, 0, sizeof(e));
+ e.critical = 1;
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(ExtKeyUsage,
+ e.extnValue.data, e.extnValue.length,
+ &req->eku, &size, ret);
+ if (ret == 0)
+ ret = der_copy_oid(&asn1_oid_id_x509_ce_extKeyUsage, &e.extnID);
+ if (ret == 0)
+ ret = add_Extensions(exts, &e);
+ free_Extension(&e);
+ }
+ if (ret == 0 && req->san.len) {
+ Extension e;
+
+ memset(&e, 0, sizeof(e));
+ /*
+ * SANs are critical when the subject Name is empty.
+ *
+ * The empty DN check could probably stand to be a function we export.
+ */
+ e.critical = FALSE;
+ if (req->name &&
+ req->name->der_name.element == choice_Name_rdnSequence &&
+ req->name->der_name.u.rdnSequence.len == 0)
+ e.critical = 1;
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(GeneralNames,
+ e.extnValue.data, e.extnValue.length,
+ &req->san,
+ &size, ret);
+ if (ret == 0)
+ ret = der_copy_oid(&asn1_oid_id_x509_ce_subjectAltName, &e.extnID);
+ if (ret == 0)
+ ret = add_Extensions(exts, &e);
+ free_Extension(&e);
+ }
+
+ return ret;
+}
+
+/**
+ * Get the KU/EKUs/SANs set on a request as a DER-encoding of Extensions.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param exts_der Where to put the DER-encoded Extensions.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_get_exts(hx509_context context,
+ const hx509_request req,
+ heim_octet_string *exts_der)
+{
+ Extensions exts;
+ size_t size;
+ int ret;
+
+ exts_der->data = NULL;
+ exts_der->length = 0;
+ ret = get_exts(context, req, &exts);
+ if (ret == 0 && exts.len /* Extensions has a min size constraint of 1 */)
+ ASN1_MALLOC_ENCODE(Extensions, exts_der->data, exts_der->length,
+ &exts, &size, ret);
+ free_Extensions(&exts);
+ return ret;
+}
+
+/* XXX Add PEM */
+
+/**
+ * Encode a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param signer The private key corresponding to the CSR's subject public key.
+ * @param request Where to put the DER-encoded CSR.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_to_pkcs10(hx509_context context,
+ const hx509_request req,
+ const hx509_private_key signer,
+ heim_octet_string *request)
+{
+ CertificationRequest r;
+ Extensions exts;
+ heim_octet_string data;
+ size_t size;
+ int ret;
+
+ request->data = NULL;
+ request->length = 0;
+
+ data.length = 0;
+ data.data = NULL;
if (req->name == NULL) {
hx509_set_error_string(context, 0, EINVAL,
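Review bot: In hx509_request_to_pkcs10 the local `Extensions exts;` is declared without initialization, but get_exts() (which is what sets `exts.val`/`exts.len`) only runs when copy_Name() and copy_SubjectPublicKeyInfo() succeeded, while the function's cleanup path, outside this hunk, calls free_Extensions(&exts) unconditionally, so an early failure frees an uninitialized structure; adding `memset(&exts, 0, sizeof(exts));` next to the existing zeroing of `data` closes that path. A smaller point of style: hx509_request_add_registered takes `heim_oid *oid` although der_copy_oid() only reads it and the sibling hx509_request_add_eku takes `const heim_oid *`; `const heim_oid *oid` would let callers pass the library's constant OIDs without a cast. In get_exts the `if (ret == 0)` guard before the first ASN1_MALLOC_ENCODE is always true and the critical flag is written as both `1` and `FALSE`; picking one spelling would read more cleanly. hx509_request_to_pkcs10's body continues outside this hunk.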
@@ -184,131 +652,790 @@ _hx509_request_to_pkcs10(hx509_context context,
}
memset(&r, 0, sizeof(r));
- memset(request, 0, sizeof(*request));
+ /* Setup CSR */
r.certificationRequestInfo.version = pkcs10_v1;
-
ret = copy_Name(&req->name->der_name,
&r.certificationRequestInfo.subject);
- if (ret)
- goto out;
- ret = copy_SubjectPublicKeyInfo(&req->key,
- &r.certificationRequestInfo.subjectPKInfo);
- if (ret)
- goto out;
- r.certificationRequestInfo.attributes =
- calloc(1, sizeof(*r.certificationRequestInfo.attributes));
- if (r.certificationRequestInfo.attributes == NULL) {
- ret = ENOMEM;
- goto out;
+ if (ret == 0)
+ ret = copy_SubjectPublicKeyInfo(&req->key,
+ &r.certificationRequestInfo.subjectPKInfo);
+
+ /* Encode extReq attribute with requested Certificate Extensions */
+
+ if (ret == 0)
+ ret = get_exts(context, req, &exts);
+ if (ret == 0 && exts.len) {
+ Attribute *a = NULL; /* Quiet VC */
+ heim_any extns;
+
+ extns.data = NULL;
+ extns.length = 0;
+ r.certificationRequestInfo.attributes =
+ calloc(1, sizeof(r.certificationRequestInfo.attributes[0]));
+ if (r.certificationRequestInfo.attributes == NULL)
+ ret = ENOMEM;
+ if (ret == 0) {
+ r.certificationRequestInfo.attributes[0].len = 1;
+ r.certificationRequestInfo.attributes[0].val =
+ calloc(1, sizeof(r.certificationRequestInfo.attributes[0].val[0]));
+ if (r.certificationRequestInfo.attributes[0].val == NULL)
+ ret = ENOMEM;
+ if (ret == 0)
+ a = r.certificationRequestInfo.attributes[0].val;
+ }
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(Extensions, extns.data, extns.length,
+ &exts, &size, ret);
+ if (ret == 0 && a)
+ ret = der_copy_oid(&asn1_oid_id_pkcs9_extReq, &a->type);
+ if (ret == 0)
+ ret = add_AttributeValues(&a->value, &extns);
+ free_heim_any(&extns);
}
- ASN1_MALLOC_ENCODE(CertificationRequestInfo, data.data, data.length,
- &r.certificationRequestInfo, &size, ret);
- if (ret)
- goto out;
- if (data.length != size)
+ /* Encode CSR body for signing */
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(CertificationRequestInfo, data.data, data.length,
+ &r.certificationRequestInfo, &size, ret);
+ if (ret == 0 && data.length != size)
abort();
- ret = _hx509_create_signature(context,
- signer,
- _hx509_crypto_default_sig_alg,
- &data,
- &r.signatureAlgorithm,
- &os);
+ /* Self-sign CSR body */
+ if (ret == 0) {
+ ret = _hx509_create_signature_bitstring(context, signer,
+ _hx509_crypto_default_sig_alg,
+ &data,
+ &r.signatureAlgorithm,
+ &r.signature);
+ }
free(data.data);
+
+ /* Encode CSR */
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(CertificationRequest, request->data, request->length,
+ &r, &size, ret);
+ if (ret == 0 && request->length != size)
+ abort();
+
+ free_CertificationRequest(&r);
+ free_Extensions(&exts);
+ return ret;
+}
+
+/**
+ * Parse an encoded CSR and verify its self-signature.
+ *
+ * @param context An hx509 context.
+ * @param der The DER-encoded CSR.
+ * @param req Where to put request object.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_parse_der(hx509_context context,
+ heim_octet_string *der,
+ hx509_request *req)
+{
+ CertificationRequestInfo *rinfo = NULL;
+ CertificationRequest r;
+ hx509_cert signer = NULL;
+ Extensions exts;
+ size_t i, size;
+ int ret;
+
+ memset(&exts, 0, sizeof(exts));
+
+ /* Initial setup and decoding of CSR */
+ ret = hx509_request_init(context, req);
if (ret)
- goto out;
- r.signature.data = os.data;
- r.signature.length = os.length * 8;
+ return ret;
+ ret = decode_CertificationRequest(der->data, der->length, &r, &size);
+ if (ret) {
+ hx509_set_error_string(context, 0, ret, "Failed to decode CSR");
+ free(*req);
+ *req = NULL;
+ return ret;
+ }
+ rinfo = &r.certificationRequestInfo;
- ASN1_MALLOC_ENCODE(CertificationRequest, data.data, data.length,
- &r, &size, ret);
+ /*
+ * Setup a 'signer' for verifying the self-signature for proof of
+ * possession.
+ *
+ * Sadly we need a "certificate" here because _hx509_verify_signature_*()
+ * functions want one as a signer even though all the verification
+ * functions that use the signer argument only ever use the spki of the
+ * signer certificate.
+ *
+ * FIXME Change struct signature_alg's verify_signature's prototype to use
+ * an spki instead of an hx509_cert as the signer! The we won't have
+ * to do this.
+ */
+ if (ret == 0) {
+ Certificate c;
+ memset(&c, 0, sizeof(c));
+ c.tbsCertificate.subjectPublicKeyInfo = rinfo->subjectPKInfo;
+ if ((signer = hx509_cert_init(context, &c, NULL)) == NULL)
+ ret = ENOMEM;
+ }
+
+ /* Verify the signature */
+ if (ret == 0)
+ ret = _hx509_verify_signature_bitstring(context, signer,
+ &r.signatureAlgorithm,
+ &rinfo->_save,
+ &r.signature);
if (ret)
- goto out;
- if (data.length != size)
- abort();
+ hx509_set_error_string(context, 0, ret,
+ "CSR signature verification failed");
+ hx509_cert_free(signer);
- *request = data;
+ /* Populate the hx509_request */
+ if (ret == 0)
+ ret = hx509_request_set_SubjectPublicKeyInfo(context, *req,
+ &rinfo->subjectPKInfo);
+ if (ret == 0)
+ ret = _hx509_name_from_Name(&rinfo->subject, &(*req)->name);
+
+ /* Extract KUs, EKUs, and SANs from the CSR's attributes */
+ if (ret || !rinfo->attributes || !rinfo->attributes[0].len)
+ goto out;
+
+ for (i = 0; ret == 0 && i < rinfo->attributes[0].len; i++) {
+ Attribute *a = &rinfo->attributes[0].val[i];
+ heim_any *av = NULL;
+
+ /* We only support Extensions request attributes */
+ if (der_heim_oid_cmp(&a->type, &asn1_oid_id_pkcs9_extReq) != 0) {
+ char *oidstr = NULL;
+
+ /*
+ * We need an HX509_TRACE facility for this sort of warning.
+ *
+ * We'd put the warning in the context and then allow the caller to
+ * extract and reset the warning.
+ *
+ * FIXME
+ */
+ der_print_heim_oid(&a->type, '.', &oidstr);
+ warnx("Unknown or unsupported CSR attribute %s",
+ oidstr ? oidstr : "<error decoding OID>");
+ free(oidstr);
+ continue;
+ }
+ if (!a->value.val)
+ continue;
+
+ av = a->value.val;
+ ret = decode_Extensions(av->data, av->length, &exts, NULL);
+ if (ret) {
+ hx509_set_error_string(context, 0, ret,
+ "CSR signature verification failed "
+ "due to invalid extReq attribute");
+ goto out;
+ }
+ }
+ for (i = 0; ret == 0 && i < exts.len; i++) {
+ const char *what = "";
+ Extension *e = &exts.val[i];
+
+ if (der_heim_oid_cmp(&e->extnID,
+ &asn1_oid_id_x509_ce_keyUsage) == 0) {
+ ret = decode_KeyUsage(e->extnValue.data, e->extnValue.length,
+ &(*req)->ku, NULL);
+ what = "keyUsage";
+ /*
+ * Count all KUs as one requested extension to be authorized,
+ * though the caller will have to check the KU values individually.
+ */
+ if (KeyUsage2int((*req)->ku) & ~KeyUsage2int(int2KeyUsage(~0)))
+ (*req)->nunsupported++;
+ } else if (der_heim_oid_cmp(&e->extnID,
+ &asn1_oid_id_x509_ce_extKeyUsage) == 0) {
+ ret = decode_ExtKeyUsage(e->extnValue.data, e->extnValue.length,
+ &(*req)->eku, NULL);
+ what = "extKeyUsage";
+
+ /*
+ * Count each EKU as a separate requested extension to be
+ * authorized.
+ */
+ } else if (der_heim_oid_cmp(&e->extnID,
+ &asn1_oid_id_x509_ce_subjectAltName) == 0) {
+ ret = decode_GeneralNames(e->extnValue.data, e->extnValue.length,
+ &(*req)->san, NULL);
+ what = "subjectAlternativeName";
+
+ /*
+ * Count each SAN as a separate requested extension to be
+ * authorized.
+ */
+ } else {
+ char *oidstr = NULL;
+
+ (*req)->nunsupported++;
+
+ /*
+ * We need an HX509_TRACE facility for this sort of warning.
+ *
+ * We'd put the warning in the context and then allow the caller to
+ * extract and reset the warning.
+ *
+ * FIXME
+ */
+ der_print_heim_oid(&e->extnID, '.', &oidstr);
+ warnx("Unknown or unsupported CSR extension request %s",
+ oidstr ? oidstr : "<error decoding OID>");
+ free(oidstr);
+ }
+ if (ret) {
+ hx509_set_error_string(context, 0, ret,
+ "CSR signature verification failed "
+ "due to invalid %s extension", what);
+ break;
+ }
+ }
out:
free_CertificationRequest(&r);
-
+ free_Extensions(&exts);
+ if (ret)
+ hx509_request_free(req);
return ret;
}
-int
-_hx509_request_parse(hx509_context context,
- const char *path,
- hx509_request *req)
+/**
+ * Parse an encoded CSR and verify its self-signature.
+ *
+ * @param context An hx509 context.
+ * @param csr The name of a store containing the CSR ("PKCS10:/path/to/file")
+ * @param req Where to put request object.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_parse(hx509_context context,
+ const char *csr,
+ hx509_request *req)
{
- CertificationRequest r;
- CertificationRequestInfo *rinfo;
- hx509_name subject;
- size_t len, size;
- void *p;
+ heim_octet_string d;
int ret;
- if (strncmp(path, "PKCS10:", 7) != 0) {
+ /* XXX Add support for PEM */
+ if (strncmp(csr, "PKCS10:", 7) != 0) {
hx509_set_error_string(context, 0, HX509_UNSUPPORTED_OPERATION,
- "unsupport type in %s", path);
+ "CSR location does not start with \"PKCS10:\": %s",
+ csr);
return HX509_UNSUPPORTED_OPERATION;
}
- path += 7;
-
- /* XXX PEM request */
- ret = rk_undumpdata(path, &p, &len);
+ ret = rk_undumpdata(csr + 7, &d.data, &d.length);
if (ret) {
- hx509_set_error_string(context, 0, ret, "Failed to map file %s", path);
+ hx509_set_error_string(context, 0, ret, "Could not read %s", csr);
return ret;
}
- ret = decode_CertificationRequest(p, len, &r, &size);
- rk_xfree(p);
- if (ret) {
- hx509_set_error_string(context, 0, ret, "Failed to decode %s", path);
- return ret;
+ ret = hx509_request_parse_der(context, &d, req);
+ free(d.data);
+ if (ret)
+ hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
+ " (while parsing CSR from %s)", csr);
+ return ret;
+}
+
+/**
+ * Get some EKU from a CSR. Usable as an iterator.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param idx The index of the EKU (0 for the first) to return
+ * @param out A pointer to a char * variable where the OID will be placed
+ * (caller must free with free())
+ *
+ * @return Zero on success, HX509_NO_ITEM if no such item exists (denoting
+ * iteration end), or an error.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_get_eku(hx509_request req,
+ size_t idx,
+ char **out)
+{
+ *out = NULL;
+ if (idx >= req->eku.len)
+ return HX509_NO_ITEM;
+ return der_print_heim_oid(&req->eku.val[idx], '.', out);
+}
+
+static int
+abitstring_check(abitstring a, size_t n, int idx)
+{
+ size_t bytes;
+
+ if (idx >= n)
+ return HX509_NO_ITEM;
+
+ bytes = (idx + 1) / CHAR_BIT + (((idx + 1) % CHAR_BIT) ? 1 : 0);
+ if (a->feat_bytes < bytes)
+ return 0;
+
+ return !!(a->feats[idx / CHAR_BIT] & (1UL<<(idx % CHAR_BIT)));
+}
+
+/*
+ * Sets and returns 0 if not already set, -1 if already set. Positive return
+ * values are system errors.
+ */
+static int
+abitstring_set(abitstring a, size_t n, int idx)
+{
+ size_t bytes;
+
+ if (idx >= n)
+ return HX509_NO_ITEM;
+
+ bytes = n / CHAR_BIT + ((n % CHAR_BIT) ? 1 : 0);
+ if (a->feat_bytes < bytes) {
+ unsigned char *tmp;
+
+ if ((tmp = realloc(a->feats, bytes)) == NULL)
+ return ENOMEM;
+ memset(tmp + a->feat_bytes, 0, bytes - a->feat_bytes);
+ a->feats = tmp;
+ a->feat_bytes = bytes;
}
- ret = hx509_request_init(context, req);
- if (ret) {
- free_CertificationRequest(&r);
- return ret;
+ if (!(a->feats[idx / CHAR_BIT] & (1UL<<(idx % CHAR_BIT)))) {
+ a->feats[idx / CHAR_BIT] |= 1UL<<(idx % CHAR_BIT);
+ return 0;
}
+ return -1;
+}
- rinfo = &r.certificationRequestInfo;
+/*
+ * Resets and returns 0 if not already reset, -1 if already reset. Positive
+ * return values are system errors.
+ */
+static int
+abitstring_reset(abitstring a, size_t n, int idx)
+{
+ size_t bytes;
- ret = hx509_request_set_SubjectPublicKeyInfo(context, *req,
- &rinfo->subjectPKInfo);
- if (ret) {
- free_CertificationRequest(&r);
- hx509_request_free(req);
- return ret;
+ if (idx >= n)
+ return HX509_NO_ITEM;
+
+ bytes = (idx + 1) / CHAR_BIT + (((idx + 1) % CHAR_BIT) ? 1 : 0);
+ if (a->feat_bytes >= bytes &&
+ (a->feats[idx / CHAR_BIT] & (1UL<<(idx % CHAR_BIT)))) {
+ a->feats[idx / CHAR_BIT] &= ~(1UL<<(idx % CHAR_BIT));
+ return 0;
}
+ return -1;
+}
- ret = _hx509_name_from_Name(&rinfo->subject, &subject);
- if (ret) {
- free_CertificationRequest(&r);
- hx509_request_free(req);
- return ret;
+static int
+authorize_feat(hx509_request req, abitstring a, size_t n, int idx)
+{
+ int ret;
+
+ ret = abitstring_set(a, n, idx);
+ switch (ret) {
+ case 0:
+ req->nauthorized++;
+ HEIM_FALLTHROUGH;
+ case -1:
+ return 0;
+ default:
+ return ret;
}
- ret = hx509_request_set_name(context, *req, subject);
- hx509_name_free(&subject);
- free_CertificationRequest(&r);
- if (ret) {
- hx509_request_free(req);
- return ret;
+}
+
+static int
+reject_feat(hx509_request req, abitstring a, size_t n, int idx)
+{
+ int ret;
+
+ ret = abitstring_reset(a, n, idx);
+ switch (ret) {
+ case 0:
+ req->nauthorized--;
+ HEIM_FALLTHROUGH;
+ case -1:
+ return 0;
+ default:
+ return ret;
}
+}
- return 0;
+/**
+ * Filter the requested KeyUsage and mark it authorized.
+ *
+ * @param req The hx509_request object.
+ * @param ku Permitted KeyUsage
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION void HX509_LIB_CALL
+hx509_request_authorize_ku(hx509_request req, KeyUsage ku)
+{
+ (void) hx509_request_set_ku(NULL, req, ku);
+ req->ku = int2KeyUsage(KeyUsage2int(req->ku) & KeyUsage2int(ku));
+ if (KeyUsage2int(ku))
+ req->ku_are_authorized = 1;
+}
+
+/**
+ * Mark a requested EKU as authorized.
+ *
+ * @param req The hx509_request object.
+ * @param idx The index of an EKU that can be fetched with
+ * hx509_request_get_eku()
+ *
+ * @return Zero on success, an error otherwise.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_authorize_eku(hx509_request req, size_t idx)
+{
+ return authorize_feat(req, &req->authorized_EKUs, req->eku.len, idx);
}
+/**
+ * Mark a requested EKU as not authorized.
+ *
+ * @param req The hx509_request object.
+ * @param idx The index of an EKU that can be fetched with
+ * hx509_request_get_eku()
+ *
+ * @return Zero on success, an error otherwise.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_reject_eku(hx509_request req, size_t idx)
+{
+ return reject_feat(req, &req->authorized_EKUs, req->eku.len, idx);
+}
-int
-_hx509_request_print(hx509_context context, hx509_request req, FILE *f)
+/**
+ * Check if an EKU has been marked authorized.
+ *
+ * @param req The hx509_request object.
+ * @param idx The index of an EKU that can be fetched with
+ * hx509_request_get_eku()
+ *
+ * @return Non-zero if authorized, zero if not.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_eku_authorized_p(hx509_request req, size_t idx)
{
- int ret;
+ return abitstring_check(&req->authorized_EKUs, req->eku.len, idx);
+}
+
+/**
+ * Mark a requested SAN as authorized.
+ *
+ * @param req The hx509_request object.
+ * @param idx The cursor as modified by a SAN iterator.
+ *
+ * @return Zero on success, an error otherwise.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_authorize_san(hx509_request req, size_t idx)
+{
+ return authorize_feat(req, &req->authorized_SANs, req->san.len, idx);
+}
+
+/**
+ * Mark a requested SAN as not authorized.
+ *
+ * @param req The hx509_request object.
+ * @param idx The cursor as modified by a SAN iterator.
+ *
+ * @return Zero on success, an error otherwise.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_reject_san(hx509_request req, size_t idx)
+{
+ return reject_feat(req, &req->authorized_SANs, req->san.len, idx);
+}
+
+/**
+ * Check if a SAN has been marked authorized.
+ *
+ * @param req The hx509_request object.
+ * @param idx The index of a SAN that can be fetched with
+ * hx509_request_get_san()
+ *
+ * @return Non-zero if authorized, zero if not.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_san_authorized_p(hx509_request req, size_t idx)
+{
+ return abitstring_check(&req->authorized_SANs, req->san.len, idx);
+}
+
+/**
+ * Return the count of unsupported requested certificate extensions.
+ *
+ * @param req The hx509_request object.
+ * @return The number of unsupported certificate extensions requested.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION size_t HX509_LIB_CALL
+hx509_request_count_unsupported(hx509_request req)
+{
+ return req->nunsupported;
+}
+
+/**
+ * Return the count of as-yet unauthorized certificate extensions requested.
+ *
+ * @param req The hx509_request object.
+ * @return The number of as-yet unauthorized certificate extensions requested.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION size_t HX509_LIB_CALL
+hx509_request_count_unauthorized(hx509_request req)
+{
+ size_t nrequested = req->eku.len + req->san.len +
+ (KeyUsage2int(req->ku) ? 1 : 0) + req->nunsupported;
+
+ return nrequested - (req->nauthorized + req->ku_are_authorized);
+}
+
+static hx509_san_type
+san_map_type(GeneralName *san)
+{
+ static const struct {
+ const heim_oid *oid;
+ hx509_san_type type;
+ } map[] = {
+ { &asn1_oid_id_pkix_on_dnsSRV, HX509_SAN_TYPE_DNSSRV },
+ { &asn1_oid_id_pkinit_san, HX509_SAN_TYPE_PKINIT },
+ { &asn1_oid_id_pkix_on_xmppAddr, HX509_SAN_TYPE_XMPP },
+ { &asn1_oid_id_pkinit_ms_san, HX509_SAN_TYPE_MS_UPN },
+ { &asn1_oid_id_pkix_on_permanentIdentifier, HX509_SAN_TYPE_PERMANENT_ID },
+ { &asn1_oid_id_on_hardwareModuleName, HX509_SAN_TYPE_HW_MODULE },
+ };
+ size_t i;
+
+ switch (san->element) {
+ case choice_GeneralName_rfc822Name: return HX509_SAN_TYPE_EMAIL;
+ case choice_GeneralName_dNSName: return HX509_SAN_TYPE_DNSNAME;
+ case choice_GeneralName_directoryName: return HX509_SAN_TYPE_DN;
+ case choice_GeneralName_registeredID: return HX509_SAN_TYPE_REGISTERED_ID;
+ case choice_GeneralName_otherName: {
+ for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
+ if (der_heim_oid_cmp(&san->u.otherName.type_id, map[i].oid) == 0)
+ return map[i].type;
+ }
+ HEIM_FALLTHROUGH;
+ default: return HX509_SAN_TYPE_UNSUPPORTED;
+ }
+}
+
+/**
+ * Return the count of as-yet unauthorized certificate extensions requested.
+ *
+ * @param req The hx509_request object.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION size_t HX509_LIB_CALL
+hx509_request_get_san(hx509_request req,
+ size_t idx,
+ hx509_san_type *type,
+ char **out)
+{
+ struct rk_strpool *pool = NULL;
+ GeneralName *san;
+
+ *out = NULL;
+ if (idx >= req->san.len)
+ return HX509_NO_ITEM;
+
+ san = &req->san.val[idx];
+ switch ((*type = san_map_type(san))) {
+ case HX509_SAN_TYPE_UNSUPPORTED: return 0;
+ case HX509_SAN_TYPE_EMAIL:
+ *out = strndup(san->u.rfc822Name.data,
+ san->u.rfc822Name.length);
+ break;
+ case HX509_SAN_TYPE_DNSNAME:
+ *out = strndup(san->u.dNSName.data,
+ san->u.dNSName.length);
+ break;
+ case HX509_SAN_TYPE_DNSSRV: {
+ SRVName name;
+ size_t size;
+ int ret;
+
+ ret = decode_SRVName(san->u.otherName.value.data,
+ san->u.otherName.value.length, &name, &size);
+ if (ret)
+ return ret;
+ *out = strndup(name.data, name.length);
+ break;
+ }
+ case HX509_SAN_TYPE_PERMANENT_ID: {
+ PermanentIdentifier pi;
+ size_t size;
+ char *s = NULL;
+ int ret;
+
+ ret = decode_PermanentIdentifier(san->u.otherName.value.data,
+ san->u.otherName.value.length,
+ &pi, &size);
+ if (ret == 0 && pi.assigner) {
+ ret = der_print_heim_oid(pi.assigner, '.', &s);
+ if (ret == 0 &&
+ (pool = rk_strpoolprintf(NULL, "%s", s)) == NULL)
+ ret = ENOMEM;
+ } else if (ret == 0) {
+ pool = rk_strpoolprintf(NULL, "-");
+ }
+ if (ret == 0 &&
+ (pool = rk_strpoolprintf(pool, "%s%s",
+ *pi.identifierValue ? " " : "",
+ *pi.identifierValue ? *pi.identifierValue : "")) == NULL)
+ ret = ENOMEM;
+ if (ret == 0 && (*out = rk_strpoolcollect(pool)) == NULL)
+ ret = ENOMEM;
+ free_PermanentIdentifier(&pi);
+ free(s);
+ return ret;
+ }
+ case HX509_SAN_TYPE_HW_MODULE: {
+ HardwareModuleName hn;
+ size_t size;
+ char *s = NULL;
+ int ret;
+
+ ret = decode_HardwareModuleName(san->u.otherName.value.data,
+ san->u.otherName.value.length,
+ &hn, &size);
+ if (ret == 0 && hn.hwSerialNum.length > 256)
+ hn.hwSerialNum.length = 256;
+ if (ret == 0)
+ ret = der_print_heim_oid(&hn.hwType, '.', &s);
+ if (ret == 0)
+ pool = rk_strpoolprintf(NULL, "%s", s);
+ if (ret == 0 && pool)
+ pool = rk_strpoolprintf(pool, " %.*s",
+ (int)hn.hwSerialNum.length,
+ (char *)hn.hwSerialNum.data);
+ if (ret == 0 &&
+ (pool == NULL || (*out = rk_strpoolcollect(pool)) == NULL))
+ ret = ENOMEM;
+ free_HardwareModuleName(&hn);
+ return ret;
+ }
+ case HX509_SAN_TYPE_DN: {
+ Name name;
+
+ if (san->u.directoryName.element == choice_Name_rdnSequence) {
+ name.element = choice_Name_rdnSequence;
+ name.u.rdnSequence = san->u.directoryName.u.rdnSequence;
+ return _hx509_Name_to_string(&name, out);
+ }
+ *type = HX509_SAN_TYPE_UNSUPPORTED;
+ return 0;
+ }
+ case HX509_SAN_TYPE_REGISTERED_ID:
+ return der_print_heim_oid(&san->u.registeredID, '.', out);
+ case HX509_SAN_TYPE_XMPP:
+ HEIM_FALLTHROUGH;
+ case HX509_SAN_TYPE_MS_UPN: {
+ int ret;
+
+ ret = _hx509_unparse_utf8_string_name(req->context, &pool,
+ &san->u.otherName.value);
+ if ((*out = rk_strpoolcollect(pool)) == NULL)
+ return hx509_enomem(req->context);
+ return ret;
+ }
+ case HX509_SAN_TYPE_PKINIT: {
+ int ret;
+
+ ret = _hx509_unparse_KRB5PrincipalName(req->context, &pool,
+ &san->u.otherName.value);
+ if ((*out = rk_strpoolcollect(pool)) == NULL)
+ return hx509_enomem(req->context);
+ return ret;
+ }
+ default:
+ *type = HX509_SAN_TYPE_UNSUPPORTED;
+ return 0;
+ }
+ if (*out == NULL)
+ return ENOMEM;
+ return 0;
+}
+
+/**
+ * Display a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param f A FILE * to print the CSR to.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_print(hx509_context context, hx509_request req, FILE *f)
+{
+ uint64_t ku_num;
+ size_t i;
+ char *s = NULL;
+ int ret = 0;
+
+ /*
+ * It's really unformatunate that we can't reuse more of the
+ * lib/hx509/print.c infrastructure here, as it's too focused on
+ * Certificates.
+ *
+ * For that matter, it's really annoying that CSRs don't more resemble
+ * Certificates. Indeed, an ideal CSR would look like this:
+ *
+ * CSRInfo ::= {
+ * desiredTbsCertificate TBSCertificate,
+ * attributes [1] SEQUENCE OF Attribute OPTIONAL,
+ * }
+ * CSR :: = {
+ * csrInfo CSRInfo,
+ * sigAlg AlgorithmIdentifier,
+ * signature BIT STRING
+ * }
+ *
+ * with everything related to the desired certificate in
+ * desiredTbsCertificate and anything not related to the CSR's contents in
+ * the 'attributes' field.
+ *
+ * That wouldn't allow one to have optional desired TBSCertificate
+ * features, but hey. One could express "gimme all or gimme nothing" as an
+ * attribute, or "gimme what you can", then check what one got.
+ */
+ fprintf(f, "PKCS#10 CertificationRequest:\n");
if (req->name) {
char *subject;
@@ -317,10 +1444,79 @@ _hx509_request_print(hx509_context context, hx509_request req, FILE *f)
hx509_set_error_string(context, 0, ret, "Failed to print name");
return ret;
}
- fprintf(f, "name: %s\n", subject);
+ fprintf(f, " name: %s\n", subject);
free(subject);
}
+ /* XXX Use hx509_request_get_ku() accessor */
+ if ((ku_num = KeyUsage2int(req->ku))) {
+ const struct units *u;
+ const char *first = " ";
- return 0;
-}
+ fprintf(f, " key usage:");
+ for (u = asn1_KeyUsage_units(); u->name; ++u) {
+ if ((ku_num & u->mult)) {
+ fprintf(f, "%s%s", first, u->name);
+ first = ", ";
+ ku_num &= ~u->mult;
+ }
+ }
+ if (ku_num)
+ fprintf(f, "%s<unknown-KeyUsage-value(s)>", first);
+ fprintf(f, "\n");
+ }
+ if (req->eku.len) {
+ const char *first = " ";
+ fprintf(f, " eku:");
+ for (i = 0; ret == 0; i++) {
+ free(s); s = NULL;
+ ret = hx509_request_get_eku(req, i, &s);
+ if (ret)
+ break;
+ fprintf(f, "%s{%s}", first, s);
+ first = ", ";
+ }
+ fprintf(f, "\n");
+ }
+ free(s); s = NULL;
+ if (ret == HX509_NO_ITEM)
+ ret = 0;
+ for (i = 0; ret == 0; i++) {
+ hx509_san_type san_type;
+
+ free(s); s = NULL;
+ ret = hx509_request_get_san(req, i, &san_type, &s);
+ if (ret)
+ break;
+ switch (san_type) {
+ case HX509_SAN_TYPE_EMAIL:
+ fprintf(f, " san: rfc822Name: %s\n", s);
+ break;
+ case HX509_SAN_TYPE_DNSNAME:
+ fprintf(f, " san: dNSName: %s\n", s);
+ break;
+ case HX509_SAN_TYPE_DN:
+ fprintf(f, " san: dn: %s\n", s);
+ break;
+ case HX509_SAN_TYPE_REGISTERED_ID:
+ fprintf(f, " san: registeredID: %s\n", s);
+ break;
+ case HX509_SAN_TYPE_XMPP:
+ fprintf(f, " san: xmpp: %s\n", s);
+ break;
+ case HX509_SAN_TYPE_PKINIT:
+ fprintf(f, " san: pkinit: %s\n", s);
+ break;
+ case HX509_SAN_TYPE_MS_UPN:
+ fprintf(f, " san: ms-upn: %s\n", s);
+ break;
+ default:
+ fprintf(f, " san: <SAN type not supported>\n");
+ break;
+ }
+ }
+ free(s); s = NULL;
+ if (ret == HX509_NO_ITEM)
+ ret = 0;
+ return ret;
+}
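Review bot: The SAN switch at the end of this hunk has no cases for `HX509_SAN_TYPE_DNSSRV`, `HX509_SAN_TYPE_PERMANENT_ID` and `HX509_SAN_TYPE_HW_MODULE`, although hx509_request_get_san() returns a decoded string for all three, so a CSR carrying one of those SANs is displayed as `<SAN type not supported>` and the decoded value is silently dropped. Because this listing is what an operator reads before authorizing the request, hiding a decoded SAN is more than a cosmetic gap; the three cases should be printed alongside the others. hx509_request_print's body starts before this hunk (ret and s are declared there).
```c
        switch (san_type) {
        /* … unchanged: EMAIL, DNSNAME, DN, REGISTERED_ID, XMPP, PKINIT, MS_UPN cases … */
        case HX509_SAN_TYPE_DNSSRV:
            fprintf(f, "  san: dnsSRV: %s\n", s);
            break;
        case HX509_SAN_TYPE_PERMANENT_ID:
            fprintf(f, "  san: permanentIdentifier: %s\n", s);
            break;
        case HX509_SAN_TYPE_HW_MODULE:
            fprintf(f, "  san: hardwareModuleName: %s\n", s);
            break;
        default:
            fprintf(f, "  san: <SAN type not supported>\n");
            break;
        }
```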
diff --git a/lib/hx509/revoke.c b/lib/hx509/revoke.c
index a777226db29e..4cfdaaee48c4 100644
--- a/lib/hx509/revoke.c
+++ b/lib/hx509/revoke.c
@@ -40,7 +40,7 @@
* revocation for destroyed private keys too (smartcard broken), but
* that should not be a problem.
*
- * CRL is a list of certifiates that have expired.
+ * CRL is a list of certificates that have expired.
*
* OCSP is an online checking method where the requestor sends a list
* of certificates to the OCSP server to return a signed reply if they
@@ -91,7 +91,7 @@ struct hx509_revoke_ctx_data {
* @ingroup hx509_revoke
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_revoke_init(hx509_context context, hx509_revoke_ctx *ctx)
{
*ctx = calloc(1, sizeof(**ctx));
@@ -107,7 +107,7 @@ hx509_revoke_init(hx509_context context, hx509_revoke_ctx *ctx)
return 0;
}
-hx509_revoke_ctx
+HX509_LIB_FUNCTION hx509_revoke_ctx HX509_LIB_CALL
_hx509_revoke_ref(hx509_revoke_ctx ctx)
{
if (ctx == NULL)
@@ -137,7 +137,7 @@ free_ocsp(struct revoke_ocsp *ocsp)
* @ingroup hx509_revoke
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_revoke_free(hx509_revoke_ctx *ctx)
{
size_t i ;
@@ -202,6 +202,8 @@ verify_ocsp(hx509_context context,
ret = hx509_certs_find(context, certs, &q, &signer);
if (ret && ocsp->certs)
ret = hx509_certs_find(context, ocsp->certs, &q, &signer);
+ if (ret == 0 && signer == NULL)
+ ret = HX509_CERT_NOT_FOUND;
if (ret)
goto out;
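Review bot: The new `HX509_CERT_NOT_FOUND` result is returned without an error string, whereas the parallel check added to verify_crl (the hunk at -500) is immediately followed by `hx509_set_error_string(context, HX509_ERROR_APPEND, ret, "Failed to find certificate for CRL")`, so a caller of hx509_get_error_string() on this path gets whatever message was set earlier, unless the out: label (not visible here) sets one. Adding `hx509_set_error_string(context, 0, ret, "Failed to find OCSP signer certificate");` before the `goto out` would make the two paths consistent. The guard itself is the right fix: a zero return with a NULL signer would otherwise have reached the signer checks below with no certificate to verify against. verify_ocsp's body continues on both sides of this hunk.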
@@ -217,7 +219,7 @@ verify_ocsp(hx509_context context,
ret = _hx509_cert_is_parent_cmp(s, p, 0);
if (ret != 0) {
ret = HX509_PARENT_NOT_CA;
- hx509_set_error_string(context, 0, ret, "Revoke OCSP signer is "
+ hx509_set_error_string(context, 0, ret, "Revoke OCSP signer "
"doesn't have CA as signer certificate");
goto out;
}
@@ -399,7 +401,7 @@ load_ocsp(hx509_context context, struct revoke_ocsp *ocsp)
* @ingroup hx509_revoke
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_revoke_add_ocsp(hx509_context context,
hx509_revoke_ctx ctx,
const char *path)
@@ -500,6 +502,8 @@ verify_crl(hx509_context context,
q.subject_name = &crl->tbsCertList.issuer;
ret = hx509_certs_find(context, certs, &q, &signer);
+ if (ret == 0 && signer == NULL)
+ ret = HX509_CERT_NOT_FOUND;
if (ret) {
hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
"Failed to find certificate for CRL");
@@ -550,7 +554,7 @@ verify_crl(hx509_context context,
signer = crl_parent;
if (ret) {
hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
- "Failed to verify revoke "
+ "Failed to verify revocation "
"status of CRL signer");
goto out;
}
@@ -596,18 +600,15 @@ load_crl(hx509_context context, const char *path, time_t *t, CRLCertificateList
FILE *f;
int ret;
+ *t = 0;
memset(crl, 0, sizeof(*crl));
-
- ret = stat(path, &sb);
- if (ret)
- return errno;
-
- *t = sb.st_mtime;
if ((f = fopen(path, "r")) == NULL)
return errno;
rk_cloexec_file(f);
+ if (fstat(fileno(f), &sb) == 0)
+ *t = sb.st_mtime;
ret = hx509_pem_read(context, f, crl_parser, crl);
fclose(f);
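Review bot: Moving the mtime lookup to `fstat(fileno(f), &sb)` after the open closes the stat/fopen race, but an fstat failure is now silently ignored and the function reports success with `*t == 0`. If the caller compares `*t` against the file's mtime to decide when to re-read the CRL (not visible in this hunk), an unknown timestamp should be an error rather than a zero that looks like a valid epoch time; e.g. `if (fstat(fileno(f), &sb) != 0) { ret = errno; fclose(f); return ret; }` followed by `*t = sb.st_mtime;`. If a zero is intended to mean "mtime unknown", the function comment should say so. load_crl's body starts and ends outside this hunk.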
@@ -636,7 +637,7 @@ load_crl(hx509_context context, const char *path, time_t *t, CRLCertificateList
* @ingroup hx509_revoke
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_revoke_add_crl(hx509_context context,
hx509_revoke_ctx ctx,
const char *path)
@@ -647,7 +648,7 @@ hx509_revoke_add_crl(hx509_context context,
if (strncmp(path, "FILE:", 5) != 0) {
hx509_set_error_string(context, 0, HX509_UNSUPPORTED_OPERATION,
- "unsupport type in %s", path);
+ "unsupported type in %s", path);
return HX509_UNSUPPORTED_OPERATION;
}
@@ -706,7 +707,7 @@ hx509_revoke_add_crl(hx509_context context,
* @ingroup hx509_revoke
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_revoke_verify(hx509_context context,
hx509_revoke_ctx ctx,
hx509_certs certs,
@@ -879,8 +880,7 @@ hx509_revoke_verify(hx509_context context,
return 0;
hx509_set_error_string(context, HX509_ERROR_APPEND,
HX509_REVOKE_STATUS_MISSING,
- "No revoke status found for "
- "certificates");
+ "No revocation status found for certificates");
return HX509_REVOKE_STATUS_MISSING;
}
@@ -891,7 +891,7 @@ struct ocsp_add_ctx {
hx509_cert parent;
};
-static int
+static int HX509_LIB_CALL
add_to_req(hx509_context context, void *ptr, hx509_cert cert)
{
struct ocsp_add_ctx *ctx = ptr;
@@ -994,7 +994,7 @@ out:
* @ingroup hx509_revoke
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ocsp_request(hx509_context context,
hx509_certs reqcerts,
hx509_certs pool,
@@ -1194,7 +1194,7 @@ print_crl(hx509_context context, struct revoke_crl *crl, FILE *out)
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_revoke_print(hx509_context context,
hx509_revoke_ctx ctx,
FILE *out)
@@ -1241,7 +1241,7 @@ hx509_revoke_print(hx509_context context,
* @ingroup hx509_revoke
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
{
struct revoke_ocsp ocsp;
@@ -1287,7 +1287,7 @@ hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
* @ingroup hx509_verify
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ocsp_verify(hx509_context context,
time_t now,
hx509_cert cert,
@@ -1396,7 +1396,7 @@ struct hx509_crl {
* @ingroup hx509_verify
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crl_alloc(hx509_context context, hx509_crl *crl)
{
int ret;
@@ -1429,7 +1429,7 @@ hx509_crl_alloc(hx509_context context, hx509_crl *crl)
* @ingroup hx509_verify
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crl_add_revoked_certs(hx509_context context,
hx509_crl crl,
hx509_certs certs)
@@ -1450,7 +1450,7 @@ hx509_crl_add_revoked_certs(hx509_context context,
* @ingroup hx509_verify
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crl_lifetime(hx509_context context, hx509_crl crl, int delta)
{
crl->expire = time(NULL) + delta;
@@ -1466,7 +1466,7 @@ hx509_crl_lifetime(hx509_context context, hx509_crl crl, int delta)
* @ingroup hx509_verify
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_crl_free(hx509_context context, hx509_crl *crl)
{
if (*crl == NULL)
@@ -1477,7 +1477,7 @@ hx509_crl_free(hx509_context context, hx509_crl *crl)
*crl = NULL;
}
-static int
+static int HX509_LIB_CALL
add_revoked(hx509_context context, void *ctx, hx509_cert cert)
{
TBSCRLCertList *c = ctx;
@@ -1525,7 +1525,7 @@ add_revoked(hx509_context context, void *ctx, hx509_cert cert)
* @ingroup hx509_verify
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crl_sign(hx509_context context,
hx509_cert signer,
hx509_crl crl,
diff --git a/lib/hx509/sel-gram.c b/lib/hx509/sel-gram.c
deleted file mode 100644
index c09d1c188bd7..000000000000
--- a/lib/hx509/sel-gram.c
+++ /dev/null
@@ -1,1546 +0,0 @@
-/* A Bison parser, made by GNU Bison 3.8.2. */
-
-/* Bison implementation for Yacc-like parsers in C
-
- Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2021 Free Software Foundation,
- Inc.
-
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <https://www.gnu.org/licenses/>. */
-
-/* As a special exception, you may create a larger work that contains
- part or all of the Bison parser skeleton and distribute that work
- under terms of your choice, so long as that work isn't itself a
- parser generator using the skeleton or a modified version thereof
- as a parser skeleton. Alternatively, if you modify or redistribute
- the parser skeleton itself, you may (at your option) remove this
- special exception, which will cause the skeleton and the resulting
- Bison output files to be licensed under the GNU General Public
- License without this special exception.
-
- This special exception was added by the Free Software Foundation in
- version 2.2 of Bison. */
-
-/* C LALR(1) parser skeleton written by Richard Stallman, by
- simplifying the original so-called "semantic" parser. */
-
-/* DO NOT RELY ON FEATURES THAT ARE NOT DOCUMENTED in the manual,
- especially those whose name start with YY_ or yy_. They are
- private implementation details that can be changed or removed. */
-
-/* All symbols defined below should begin with yy or YY, to avoid
- infringing on user name space. This should be done even for local
- variables, as they might otherwise be expanded by user macros.
- There are some unavoidable exceptions within include files to
- define necessary library symbols; they are noted "INFRINGES ON
- USER NAME SPACE" below. */
-
-/* Identify Bison output, and Bison version. */
-#define YYBISON 30802
-
-/* Bison version string. */
-#define YYBISON_VERSION "3.8.2"
-
-/* Skeleton name. */
-#define YYSKELETON_NAME "yacc.c"
-
-/* Pure parsers. */
-#define YYPURE 0
-
-/* Push parsers. */
-#define YYPUSH 0
-
-/* Pull parsers. */
-#define YYPULL 1
-
-
-
-
-/* First part of user prologue. */
-#line 34 "sel-gram.y"
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-#include <stdio.h>
-#include <stdlib.h>
-#include <hx_locl.h>
-
-#if !defined(yylex)
-#define yylex _hx509_sel_yylex
-#define yywrap _hx509_sel_yywrap
-#endif
-#if !defined(yyparse)
-#define yyparse _hx509_sel_yyparse
-#define yyerror _hx509_sel_yyerror
-#define yylval _hx509_sel_yylval
-#define yychar _hx509_sel_yychar
-#define yydebug _hx509_sel_yydebug
-#define yynerrs _hx509_sel_yynerrs
-#endif
-
-
-#line 94 "sel-gram.c"
-
-# ifndef YY_CAST
-# ifdef __cplusplus
-# define YY_CAST(Type, Val) static_cast<Type> (Val)
-# define YY_REINTERPRET_CAST(Type, Val) reinterpret_cast<Type> (Val)
-# else
-# define YY_CAST(Type, Val) ((Type) (Val))
-# define YY_REINTERPRET_CAST(Type, Val) ((Type) (Val))
-# endif
-# endif
-# ifndef YY_NULLPTR
-# if defined __cplusplus
-# if 201103L <= __cplusplus
-# define YY_NULLPTR nullptr
-# else
-# define YY_NULLPTR 0
-# endif
-# else
-# define YY_NULLPTR ((void*)0)
-# endif
-# endif
-
-/* Use api.header.include to #include this header
- instead of duplicating it here. */
-#ifndef YY_YY_SEL_GRAM_H_INCLUDED
-# define YY_YY_SEL_GRAM_H_INCLUDED
-/* Debug traces. */
-#ifndef YYDEBUG
-# define YYDEBUG 0
-#endif
-#if YYDEBUG
-extern int yydebug;
-#endif
-
-/* Token kinds. */
-#ifndef YYTOKENTYPE
-# define YYTOKENTYPE
- enum yytokentype
- {
- YYEMPTY = -2,
- YYEOF = 0, /* "end of file" */
- YYerror = 256, /* error */
- YYUNDEF = 257, /* "invalid token" */
- kw_TRUE = 258, /* kw_TRUE */
- kw_FALSE = 259, /* kw_FALSE */
- kw_AND = 260, /* kw_AND */
- kw_OR = 261, /* kw_OR */
- kw_IN = 262, /* kw_IN */
- kw_TAILMATCH = 263, /* kw_TAILMATCH */
- NUMBER = 264, /* NUMBER */
- STRING = 265, /* STRING */
- IDENTIFIER = 266 /* IDENTIFIER */
- };
- typedef enum yytokentype yytoken_kind_t;
-#endif
-/* Token kinds. */
-#define YYEMPTY -2
-#define YYEOF 0
-#define YYerror 256
-#define YYUNDEF 257
-#define kw_TRUE 258
-#define kw_FALSE 259
-#define kw_AND 260
-#define kw_OR 261
-#define kw_IN 262
-#define kw_TAILMATCH 263
-#define NUMBER 264
-#define STRING 265
-#define IDENTIFIER 266
-
-/* Value type. */
-#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
-union YYSTYPE
-{
-#line 57 "sel-gram.y"
-
- char *string;
- struct hx_expr *expr;
-
-#line 174 "sel-gram.c"
-
-};
-typedef union YYSTYPE YYSTYPE;
-# define YYSTYPE_IS_TRIVIAL 1
-# define YYSTYPE_IS_DECLARED 1
-#endif
-
-
-extern YYSTYPE yylval;
-
-
-int yyparse (void);
-
-
-#endif /* !YY_YY_SEL_GRAM_H_INCLUDED */
-/* Symbol kind. */
-enum yysymbol_kind_t
-{
- YYSYMBOL_YYEMPTY = -2,
- YYSYMBOL_YYEOF = 0, /* "end of file" */
- YYSYMBOL_YYerror = 1, /* error */
- YYSYMBOL_YYUNDEF = 2, /* "invalid token" */
- YYSYMBOL_kw_TRUE = 3, /* kw_TRUE */
- YYSYMBOL_kw_FALSE = 4, /* kw_FALSE */
- YYSYMBOL_kw_AND = 5, /* kw_AND */
- YYSYMBOL_kw_OR = 6, /* kw_OR */
- YYSYMBOL_kw_IN = 7, /* kw_IN */
- YYSYMBOL_kw_TAILMATCH = 8, /* kw_TAILMATCH */
- YYSYMBOL_NUMBER = 9, /* NUMBER */
- YYSYMBOL_STRING = 10, /* STRING */
- YYSYMBOL_IDENTIFIER = 11, /* IDENTIFIER */
- YYSYMBOL_12_ = 12, /* '!' */
- YYSYMBOL_13_ = 13, /* '(' */
- YYSYMBOL_14_ = 14, /* ')' */
- YYSYMBOL_15_ = 15, /* ',' */
- YYSYMBOL_16_ = 16, /* '=' */
- YYSYMBOL_17_ = 17, /* '%' */
- YYSYMBOL_18_ = 18, /* '{' */
- YYSYMBOL_19_ = 19, /* '}' */
- YYSYMBOL_20_ = 20, /* '.' */
- YYSYMBOL_YYACCEPT = 21, /* $accept */
- YYSYMBOL_start = 22, /* start */
- YYSYMBOL_expr = 23, /* expr */
- YYSYMBOL_words = 24, /* words */
- YYSYMBOL_comp = 25, /* comp */
- YYSYMBOL_word = 26, /* word */
- YYSYMBOL_number = 27, /* number */
- YYSYMBOL_string = 28, /* string */
- YYSYMBOL_function = 29, /* function */
- YYSYMBOL_variable = 30, /* variable */
- YYSYMBOL_variables = 31 /* variables */
-};
-typedef enum yysymbol_kind_t yysymbol_kind_t;
-
-
-
-
-#ifdef short
-# undef short
-#endif
-
-/* On compilers that do not define __PTRDIFF_MAX__ etc., make sure
- <limits.h> and (if available) <stdint.h> are included
- so that the code can choose integer types of a good width. */
-
-#ifndef __PTRDIFF_MAX__
-# include <limits.h> /* INFRINGES ON USER NAME SPACE */
-# if defined __STDC_VERSION__ && 199901 <= __STDC_VERSION__
-# include <stdint.h> /* INFRINGES ON USER NAME SPACE */
-# define YY_STDINT_H
-# endif
-#endif
-
-/* Narrow types that promote to a signed type and that can represent a
- signed or unsigned integer of at least N bits. In tables they can
- save space and decrease cache pressure. Promoting to a signed type
- helps avoid bugs in integer arithmetic. */
-
-#ifdef __INT_LEAST8_MAX__
-typedef __INT_LEAST8_TYPE__ yytype_int8;
-#elif defined YY_STDINT_H
-typedef int_least8_t yytype_int8;
-#else
-typedef signed char yytype_int8;
-#endif
-
-#ifdef __INT_LEAST16_MAX__
-typedef __INT_LEAST16_TYPE__ yytype_int16;
-#elif defined YY_STDINT_H
-typedef int_least16_t yytype_int16;
-#else
-typedef short yytype_int16;
-#endif
-
-/* Work around bug in HP-UX 11.23, which defines these macros
- incorrectly for preprocessor constants. This workaround can likely
- be removed in 2023, as HPE has promised support for HP-UX 11.23
- (aka HP-UX 11i v2) only through the end of 2022; see Table 2 of
- <https://h20195.www2.hpe.com/V2/getpdf.aspx/4AA4-7673ENW.pdf>. */
-#ifdef __hpux
-# undef UINT_LEAST8_MAX
-# undef UINT_LEAST16_MAX
-# define UINT_LEAST8_MAX 255
-# define UINT_LEAST16_MAX 65535
-#endif
-
-#if defined __UINT_LEAST8_MAX__ && __UINT_LEAST8_MAX__ <= __INT_MAX__
-typedef __UINT_LEAST8_TYPE__ yytype_uint8;
-#elif (!defined __UINT_LEAST8_MAX__ && defined YY_STDINT_H \
- && UINT_LEAST8_MAX <= INT_MAX)
-typedef uint_least8_t yytype_uint8;
-#elif !defined __UINT_LEAST8_MAX__ && UCHAR_MAX <= INT_MAX
-typedef unsigned char yytype_uint8;
-#else
-typedef short yytype_uint8;
-#endif
-
-#if defined __UINT_LEAST16_MAX__ && __UINT_LEAST16_MAX__ <= __INT_MAX__
-typedef __UINT_LEAST16_TYPE__ yytype_uint16;
-#elif (!defined __UINT_LEAST16_MAX__ && defined YY_STDINT_H \
- && UINT_LEAST16_MAX <= INT_MAX)
-typedef uint_least16_t yytype_uint16;
-#elif !defined __UINT_LEAST16_MAX__ && USHRT_MAX <= INT_MAX
-typedef unsigned short yytype_uint16;
-#else
-typedef int yytype_uint16;
-#endif
-
-#ifndef YYPTRDIFF_T
-# if defined __PTRDIFF_TYPE__ && defined __PTRDIFF_MAX__
-# define YYPTRDIFF_T __PTRDIFF_TYPE__
-# define YYPTRDIFF_MAXIMUM __PTRDIFF_MAX__
-# elif defined PTRDIFF_MAX
-# ifndef ptrdiff_t
-# include <stddef.h> /* INFRINGES ON USER NAME SPACE */
-# endif
-# define YYPTRDIFF_T ptrdiff_t
-# define YYPTRDIFF_MAXIMUM PTRDIFF_MAX
-# else
-# define YYPTRDIFF_T long
-# define YYPTRDIFF_MAXIMUM LONG_MAX
-# endif
-#endif
-
-#ifndef YYSIZE_T
-# ifdef __SIZE_TYPE__
-# define YYSIZE_T __SIZE_TYPE__
-# elif defined size_t
-# define YYSIZE_T size_t
-# elif defined __STDC_VERSION__ && 199901 <= __STDC_VERSION__
-# include <stddef.h> /* INFRINGES ON USER NAME SPACE */
-# define YYSIZE_T size_t
-# else
-# define YYSIZE_T unsigned
-# endif
-#endif
-
-#define YYSIZE_MAXIMUM \
- YY_CAST (YYPTRDIFF_T, \
- (YYPTRDIFF_MAXIMUM < YY_CAST (YYSIZE_T, -1) \
- ? YYPTRDIFF_MAXIMUM \
- : YY_CAST (YYSIZE_T, -1)))
-
-#define YYSIZEOF(X) YY_CAST (YYPTRDIFF_T, sizeof (X))
-
-
-/* Stored state numbers (used for stacks). */
-typedef yytype_int8 yy_state_t;
-
-/* State numbers in computations. */
-typedef int yy_state_fast_t;
-
-#ifndef YY_
-# if defined YYENABLE_NLS && YYENABLE_NLS
-# if ENABLE_NLS
-# include <libintl.h> /* INFRINGES ON USER NAME SPACE */
-# define YY_(Msgid) dgettext ("bison-runtime", Msgid)
-# endif
-# endif
-# ifndef YY_
-# define YY_(Msgid) Msgid
-# endif
-#endif
-
-
-#ifndef YY_ATTRIBUTE_PURE
-# if defined __GNUC__ && 2 < __GNUC__ + (96 <= __GNUC_MINOR__)
-# define YY_ATTRIBUTE_PURE __attribute__ ((__pure__))
-# else
-# define YY_ATTRIBUTE_PURE
-# endif
-#endif
-
-#ifndef YY_ATTRIBUTE_UNUSED
-# if defined __GNUC__ && 2 < __GNUC__ + (7 <= __GNUC_MINOR__)
-# define YY_ATTRIBUTE_UNUSED __attribute__ ((__unused__))
-# else
-# define YY_ATTRIBUTE_UNUSED
-# endif
-#endif
-
-/* Suppress unused-variable warnings by "using" E. */
-#if ! defined lint || defined __GNUC__
-# define YY_USE(E) ((void) (E))
-#else
-# define YY_USE(E) /* empty */
-#endif
-
-/* Suppress an incorrect diagnostic about yylval being uninitialized. */
-#if defined __GNUC__ && ! defined __ICC && 406 <= __GNUC__ * 100 + __GNUC_MINOR__
-# if __GNUC__ * 100 + __GNUC_MINOR__ < 407
-# define YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN \
- _Pragma ("GCC diagnostic push") \
- _Pragma ("GCC diagnostic ignored \"-Wuninitialized\"")
-# else
-# define YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN \
- _Pragma ("GCC diagnostic push") \
- _Pragma ("GCC diagnostic ignored \"-Wuninitialized\"") \
- _Pragma ("GCC diagnostic ignored \"-Wmaybe-uninitialized\"")
-# endif
-# define YY_IGNORE_MAYBE_UNINITIALIZED_END \
- _Pragma ("GCC diagnostic pop")
-#else
-# define YY_INITIAL_VALUE(Value) Value
-#endif
-#ifndef YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
-# define YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
-# define YY_IGNORE_MAYBE_UNINITIALIZED_END
-#endif
-#ifndef YY_INITIAL_VALUE
-# define YY_INITIAL_VALUE(Value) /* Nothing. */
-#endif
-
-#if defined __cplusplus && defined __GNUC__ && ! defined __ICC && 6 <= __GNUC__
-# define YY_IGNORE_USELESS_CAST_BEGIN \
- _Pragma ("GCC diagnostic push") \
- _Pragma ("GCC diagnostic ignored \"-Wuseless-cast\"")
-# define YY_IGNORE_USELESS_CAST_END \
- _Pragma ("GCC diagnostic pop")
-#endif
-#ifndef YY_IGNORE_USELESS_CAST_BEGIN
-# define YY_IGNORE_USELESS_CAST_BEGIN
-# define YY_IGNORE_USELESS_CAST_END
-#endif
-
-
-#define YY_ASSERT(E) ((void) (0 && (E)))
-
-#if !defined yyoverflow
-
-/* The parser invokes alloca or malloc; define the necessary symbols. */
-
-# ifdef YYSTACK_USE_ALLOCA
-# if YYSTACK_USE_ALLOCA
-# ifdef __GNUC__
-# define YYSTACK_ALLOC __builtin_alloca
-# elif defined __BUILTIN_VA_ARG_INCR
-# include <alloca.h> /* INFRINGES ON USER NAME SPACE */
-# elif defined _AIX
-# define YYSTACK_ALLOC __alloca
-# elif defined _MSC_VER
-# include <malloc.h> /* INFRINGES ON USER NAME SPACE */
-# define alloca _alloca
-# else
-# define YYSTACK_ALLOC alloca
-# if ! defined _ALLOCA_H && ! defined EXIT_SUCCESS
-# include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
- /* Use EXIT_SUCCESS as a witness for stdlib.h. */
-# ifndef EXIT_SUCCESS
-# define EXIT_SUCCESS 0
-# endif
-# endif
-# endif
-# endif
-# endif
-
-# ifdef YYSTACK_ALLOC
- /* Pacify GCC's 'empty if-body' warning. */
-# define YYSTACK_FREE(Ptr) do { /* empty */; } while (0)
-# ifndef YYSTACK_ALLOC_MAXIMUM
- /* The OS might guarantee only one guard page at the bottom of the stack,
- and a page size can be as small as 4096 bytes. So we cannot safely
- invoke alloca (N) if N exceeds 4096. Use a slightly smaller number
- to allow for a few compiler-allocated temporary stack slots. */
-# define YYSTACK_ALLOC_MAXIMUM 4032 /* reasonable circa 2006 */
-# endif
-# else
-# define YYSTACK_ALLOC YYMALLOC
-# define YYSTACK_FREE YYFREE
-# ifndef YYSTACK_ALLOC_MAXIMUM
-# define YYSTACK_ALLOC_MAXIMUM YYSIZE_MAXIMUM
-# endif
-# if (defined __cplusplus && ! defined EXIT_SUCCESS \
- && ! ((defined YYMALLOC || defined malloc) \
- && (defined YYFREE || defined free)))
-# include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
-# ifndef EXIT_SUCCESS
-# define EXIT_SUCCESS 0
-# endif
-# endif
-# ifndef YYMALLOC
-# define YYMALLOC malloc
-# if ! defined malloc && ! defined EXIT_SUCCESS
-void *malloc (YYSIZE_T); /* INFRINGES ON USER NAME SPACE */
-# endif
-# endif
-# ifndef YYFREE
-# define YYFREE free
-# if ! defined free && ! defined EXIT_SUCCESS
-void free (void *); /* INFRINGES ON USER NAME SPACE */
-# endif
-# endif
-# endif
-#endif /* !defined yyoverflow */
-
-#if (! defined yyoverflow \
- && (! defined __cplusplus \
- || (defined YYSTYPE_IS_TRIVIAL && YYSTYPE_IS_TRIVIAL)))
-
-/* A type that is properly aligned for any stack member. */
-union yyalloc
-{
- yy_state_t yyss_alloc;
- YYSTYPE yyvs_alloc;
-};
-
-/* The size of the maximum gap between one aligned stack and the next. */
-# define YYSTACK_GAP_MAXIMUM (YYSIZEOF (union yyalloc) - 1)
-
-/* The size of an array large to enough to hold all stacks, each with
- N elements. */
-# define YYSTACK_BYTES(N) \
- ((N) * (YYSIZEOF (yy_state_t) + YYSIZEOF (YYSTYPE)) \
- + YYSTACK_GAP_MAXIMUM)
-
-# define YYCOPY_NEEDED 1
-
-/* Relocate STACK from its old location to the new one. The
- local variables YYSIZE and YYSTACKSIZE give the old and new number of
- elements in the stack, and YYPTR gives the new location of the
- stack. Advance YYPTR to a properly aligned location for the next
- stack. */
-# define YYSTACK_RELOCATE(Stack_alloc, Stack) \
- do \
- { \
- YYPTRDIFF_T yynewbytes; \
- YYCOPY (&yyptr->Stack_alloc, Stack, yysize); \
- Stack = &yyptr->Stack_alloc; \
- yynewbytes = yystacksize * YYSIZEOF (*Stack) + YYSTACK_GAP_MAXIMUM; \
- yyptr += yynewbytes / YYSIZEOF (*yyptr); \
- } \
- while (0)
-
-#endif
-
-#if defined YYCOPY_NEEDED && YYCOPY_NEEDED
-/* Copy COUNT objects from SRC to DST. The source and destination do
- not overlap. */
-# ifndef YYCOPY
-# if defined __GNUC__ && 1 < __GNUC__
-# define YYCOPY(Dst, Src, Count) \
- __builtin_memcpy (Dst, Src, YY_CAST (YYSIZE_T, (Count)) * sizeof (*(Src)))
-# else
-# define YYCOPY(Dst, Src, Count) \
- do \
- { \
- YYPTRDIFF_T yyi; \
- for (yyi = 0; yyi < (Count); yyi++) \
- (Dst)[yyi] = (Src)[yyi]; \
- } \
- while (0)
-# endif
-# endif
-#endif /* !YYCOPY_NEEDED */
-
-/* YYFINAL -- State number of the termination state. */
-#define YYFINAL 21
-/* YYLAST -- Last index in YYTABLE. */
-#define YYLAST 50
-
-/* YYNTOKENS -- Number of terminals. */
-#define YYNTOKENS 21
-/* YYNNTS -- Number of nonterminals. */
-#define YYNNTS 11
-/* YYNRULES -- Number of rules. */
-#define YYNRULES 26
-/* YYNSTATES -- Number of states. */
-#define YYNSTATES 50
-
-/* YYMAXUTOK -- Last valid token kind. */
-#define YYMAXUTOK 266
-
-
-/* YYTRANSLATE(TOKEN-NUM) -- Symbol number corresponding to TOKEN-NUM
- as returned by yylex, with out-of-bounds checking. */
-#define YYTRANSLATE(YYX) \
- (0 <= (YYX) && (YYX) <= YYMAXUTOK \
- ? YY_CAST (yysymbol_kind_t, yytranslate[YYX]) \
- : YYSYMBOL_YYUNDEF)
-
-/* YYTRANSLATE[TOKEN-NUM] -- Symbol number corresponding to TOKEN-NUM
- as returned by yylex. */
-static const yytype_int8 yytranslate[] =
-{
- 0, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 12, 2, 2, 2, 17, 2, 2,
- 13, 14, 2, 2, 15, 2, 20, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 16, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 18, 2, 19, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 1, 2, 3, 4,
- 5, 6, 7, 8, 9, 10, 11
-};
-
-#if YYDEBUG
-/* YYRLINE[YYN] -- Source line where rule number YYN was defined. */
-static const yytype_int8 yyrline[] =
-{
- 0, 85, 85, 87, 88, 89, 90, 91, 92, 93,
- 96, 97, 100, 101, 102, 103, 104, 107, 108, 109,
- 110, 113, 114, 116, 119, 122, 124
-};
-#endif
-
-/** Accessing symbol of state STATE. */
-#define YY_ACCESSING_SYMBOL(State) YY_CAST (yysymbol_kind_t, yystos[State])
-
-#if YYDEBUG || 0
-/* The user-facing name of the symbol whose (internal) number is
- YYSYMBOL. No bounds checking. */
-static const char *yysymbol_name (yysymbol_kind_t yysymbol) YY_ATTRIBUTE_UNUSED;
-
-/* YYTNAME[SYMBOL-NUM] -- String name of the symbol SYMBOL-NUM.
- First, the terminals, then, starting at YYNTOKENS, nonterminals. */
-static const char *const yytname[] =
-{
- "\"end of file\"", "error", "\"invalid token\"", "kw_TRUE", "kw_FALSE",
- "kw_AND", "kw_OR", "kw_IN", "kw_TAILMATCH", "NUMBER", "STRING",
- "IDENTIFIER", "'!'", "'('", "')'", "','", "'='", "'%'", "'{'", "'}'",
- "'.'", "$accept", "start", "expr", "words", "comp", "word", "number",
- "string", "function", "variable", "variables", YY_NULLPTR
-};
-
-static const char *
-yysymbol_name (yysymbol_kind_t yysymbol)
-{
- return yytname[yysymbol];
-}
-#endif
-
-#define YYPACT_NINF (-31)
-
-#define yypact_value_is_default(Yyn) \
- ((Yyn) == YYPACT_NINF)
-
-#define YYTABLE_NINF (-1)
-
-#define yytable_value_is_error(Yyn) \
- 0
-
-/* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing
- STATE-NUM. */
-static const yytype_int8 yypact[] =
-{
- 22, -31, -31, -31, -31, -1, 22, 22, -11, 27,
- 11, -31, -6, -31, -31, -31, -31, 19, 11, 9,
- 26, -31, 22, 22, -4, 19, 24, 25, 28, 23,
- -31, 29, 31, 11, 11, 19, -31, -31, 19, 19,
- -31, 19, 26, -31, 30, -31, -31, -31, -31, -31
-};
-
-/* YYDEFACT[STATE-NUM] -- Default reduction number in state STATE-NUM.
- Performed when YYTABLE does not specify something else to do. Zero
- means the default is an error. */
-static const yytype_int8 yydefact[] =
-{
- 0, 3, 4, 21, 22, 0, 0, 0, 0, 0,
- 2, 9, 0, 17, 18, 19, 20, 0, 5, 0,
- 0, 1, 0, 0, 0, 0, 0, 0, 0, 10,
- 8, 26, 0, 6, 7, 0, 16, 14, 0, 0,
- 23, 0, 0, 24, 0, 13, 12, 11, 25, 15
-};
-
-/* YYPGOTO[NTERM-NUM]. */
-static const yytype_int8 yypgoto[] =
-{
- -31, -31, -3, -30, -31, -17, -31, -31, -31, 21,
- 1
-};
-
-/* YYDEFGOTO[NTERM-NUM]. */
-static const yytype_int8 yydefgoto[] =
-{
- 0, 9, 10, 28, 11, 12, 13, 14, 15, 16,
- 32
-};
-
-/* YYTABLE[YYPACT[STATE-NUM]] -- What to do in state STATE-NUM. If
- positive, shift that token. If negative, reduce the rule whose
- number is the opposite. If YYTABLE_NINF, syntax error. */
-static const yytype_int8 yytable[] =
-{
- 29, 24, 25, 18, 19, 44, 26, 20, 37, 35,
- 27, 47, 17, 8, 22, 23, 22, 23, 29, 33,
- 34, 45, 46, 30, 29, 1, 2, 21, 3, 4,
- 5, 3, 4, 5, 6, 7, 8, 31, 41, 8,
- 38, 39, 40, 48, 49, 36, 0, 0, 0, 42,
- 43
-};
-
-static const yytype_int8 yycheck[] =
-{
- 17, 7, 8, 6, 7, 35, 12, 18, 25, 13,
- 16, 41, 13, 17, 5, 6, 5, 6, 35, 22,
- 23, 38, 39, 14, 41, 3, 4, 0, 9, 10,
- 11, 9, 10, 11, 12, 13, 17, 11, 15, 17,
- 16, 16, 14, 42, 14, 24, -1, -1, -1, 20,
- 19
-};
-
-/* YYSTOS[STATE-NUM] -- The symbol kind of the accessing symbol of
- state STATE-NUM. */
-static const yytype_int8 yystos[] =
-{
- 0, 3, 4, 9, 10, 11, 12, 13, 17, 22,
- 23, 25, 26, 27, 28, 29, 30, 13, 23, 23,
- 18, 0, 5, 6, 7, 8, 12, 16, 24, 26,
- 14, 11, 31, 23, 23, 13, 30, 26, 16, 16,
- 14, 15, 20, 19, 24, 26, 26, 24, 31, 14
-};
-
-/* YYR1[RULE-NUM] -- Symbol kind of the left-hand side of rule RULE-NUM. */
-static const yytype_int8 yyr1[] =
-{
- 0, 21, 22, 23, 23, 23, 23, 23, 23, 23,
- 24, 24, 25, 25, 25, 25, 25, 26, 26, 26,
- 26, 27, 28, 29, 30, 31, 31
-};
-
-/* YYR2[RULE-NUM] -- Number of symbols on the right-hand side of rule RULE-NUM. */
-static const yytype_int8 yyr2[] =
-{
- 0, 2, 1, 1, 1, 2, 3, 3, 3, 1,
- 1, 3, 4, 4, 3, 5, 3, 1, 1, 1,
- 1, 1, 1, 4, 4, 3, 1
-};
-
-
-enum { YYENOMEM = -2 };
-
-#define yyerrok (yyerrstatus = 0)
-#define yyclearin (yychar = YYEMPTY)
-
-#define YYACCEPT goto yyacceptlab
-#define YYABORT goto yyabortlab
-#define YYERROR goto yyerrorlab
-#define YYNOMEM goto yyexhaustedlab
-
-
-#define YYRECOVERING() (!!yyerrstatus)
-
-#define YYBACKUP(Token, Value) \
- do \
- if (yychar == YYEMPTY) \
- { \
- yychar = (Token); \
- yylval = (Value); \
- YYPOPSTACK (yylen); \
- yystate = *yyssp; \
- goto yybackup; \
- } \
- else \
- { \
- yyerror (YY_("syntax error: cannot back up")); \
- YYERROR; \
- } \
- while (0)
-
-/* Backward compatibility with an undocumented macro.
- Use YYerror or YYUNDEF. */
-#define YYERRCODE YYUNDEF
-
-
-/* Enable debugging if requested. */
-#if YYDEBUG
-
-# ifndef YYFPRINTF
-# include <stdio.h> /* INFRINGES ON USER NAME SPACE */
-# define YYFPRINTF fprintf
-# endif
-
-# define YYDPRINTF(Args) \
-do { \
- if (yydebug) \
- YYFPRINTF Args; \
-} while (0)
-
-
-
-
-# define YY_SYMBOL_PRINT(Title, Kind, Value, Location) \
-do { \
- if (yydebug) \
- { \
- YYFPRINTF (stderr, "%s ", Title); \
- yy_symbol_print (stderr, \
- Kind, Value); \
- YYFPRINTF (stderr, "\n"); \
- } \
-} while (0)
-
-
-/*-----------------------------------.
-| Print this symbol's value on YYO. |
-`-----------------------------------*/
-
-static void
-yy_symbol_value_print (FILE *yyo,
- yysymbol_kind_t yykind, YYSTYPE const * const yyvaluep)
-{
- FILE *yyoutput = yyo;
- YY_USE (yyoutput);
- if (!yyvaluep)
- return;
- YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
- YY_USE (yykind);
- YY_IGNORE_MAYBE_UNINITIALIZED_END
-}
-
-
-/*---------------------------.
-| Print this symbol on YYO. |
-`---------------------------*/
-
-static void
-yy_symbol_print (FILE *yyo,
- yysymbol_kind_t yykind, YYSTYPE const * const yyvaluep)
-{
- YYFPRINTF (yyo, "%s %s (",
- yykind < YYNTOKENS ? "token" : "nterm", yysymbol_name (yykind));
-
- yy_symbol_value_print (yyo, yykind, yyvaluep);
- YYFPRINTF (yyo, ")");
-}
-
-/*------------------------------------------------------------------.
-| yy_stack_print -- Print the state stack from its BOTTOM up to its |
-| TOP (included). |
-`------------------------------------------------------------------*/
-
-static void
-yy_stack_print (yy_state_t *yybottom, yy_state_t *yytop)
-{
- YYFPRINTF (stderr, "Stack now");
- for (; yybottom <= yytop; yybottom++)
- {
- int yybot = *yybottom;
- YYFPRINTF (stderr, " %d", yybot);
- }
- YYFPRINTF (stderr, "\n");
-}
-
-# define YY_STACK_PRINT(Bottom, Top) \
-do { \
- if (yydebug) \
- yy_stack_print ((Bottom), (Top)); \
-} while (0)
-
-
-/*------------------------------------------------.
-| Report that the YYRULE is going to be reduced. |
-`------------------------------------------------*/
-
-static void
-yy_reduce_print (yy_state_t *yyssp, YYSTYPE *yyvsp,
- int yyrule)
-{
- int yylno = yyrline[yyrule];
- int yynrhs = yyr2[yyrule];
- int yyi;
- YYFPRINTF (stderr, "Reducing stack by rule %d (line %d):\n",
- yyrule - 1, yylno);
- /* The symbols being reduced. */
- for (yyi = 0; yyi < yynrhs; yyi++)
- {
- YYFPRINTF (stderr, " $%d = ", yyi + 1);
- yy_symbol_print (stderr,
- YY_ACCESSING_SYMBOL (+yyssp[yyi + 1 - yynrhs]),
- &yyvsp[(yyi + 1) - (yynrhs)]);
- YYFPRINTF (stderr, "\n");
- }
-}
-
-# define YY_REDUCE_PRINT(Rule) \
-do { \
- if (yydebug) \
- yy_reduce_print (yyssp, yyvsp, Rule); \
-} while (0)
-
-/* Nonzero means print parse trace. It is left uninitialized so that
- multiple parsers can coexist. */
-int yydebug;
-#else /* !YYDEBUG */
-# define YYDPRINTF(Args) ((void) 0)
-# define YY_SYMBOL_PRINT(Title, Kind, Value, Location)
-# define YY_STACK_PRINT(Bottom, Top)
-# define YY_REDUCE_PRINT(Rule)
-#endif /* !YYDEBUG */
-
-
-/* YYINITDEPTH -- initial size of the parser's stacks. */
-#ifndef YYINITDEPTH
-# define YYINITDEPTH 200
-#endif
-
-/* YYMAXDEPTH -- maximum size the stacks can grow to (effective only
- if the built-in stack extension method is used).
-
- Do not make this value too large; the results are undefined if
- YYSTACK_ALLOC_MAXIMUM < YYSTACK_BYTES (YYMAXDEPTH)
- evaluated with infinite-precision integer arithmetic. */
-
-#ifndef YYMAXDEPTH
-# define YYMAXDEPTH 10000
-#endif
-
-
-
-
-
-
-/*-----------------------------------------------.
-| Release the memory associated to this symbol. |
-`-----------------------------------------------*/
-
-static void
-yydestruct (const char *yymsg,
- yysymbol_kind_t yykind, YYSTYPE *yyvaluep)
-{
- YY_USE (yyvaluep);
- if (!yymsg)
- yymsg = "Deleting";
- YY_SYMBOL_PRINT (yymsg, yykind, yyvaluep, yylocationp);
-
- YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
- YY_USE (yykind);
- YY_IGNORE_MAYBE_UNINITIALIZED_END
-}
-
-
-/* Lookahead token kind. */
-int yychar;
-
-/* The semantic value of the lookahead symbol. */
-YYSTYPE yylval;
-/* Number of syntax errors so far. */
-int yynerrs;
-
-
-
-
-/*----------.
-| yyparse. |
-`----------*/
-
-int
-yyparse (void)
-{
- yy_state_fast_t yystate = 0;
- /* Number of tokens to shift before error messages enabled. */
- int yyerrstatus = 0;
-
- /* Refer to the stacks through separate pointers, to allow yyoverflow
- to reallocate them elsewhere. */
-
- /* Their size. */
- YYPTRDIFF_T yystacksize = YYINITDEPTH;
-
- /* The state stack: array, bottom, top. */
- yy_state_t yyssa[YYINITDEPTH];
- yy_state_t *yyss = yyssa;
- yy_state_t *yyssp = yyss;
-
- /* The semantic value stack: array, bottom, top. */
- YYSTYPE yyvsa[YYINITDEPTH];
- YYSTYPE *yyvs = yyvsa;
- YYSTYPE *yyvsp = yyvs;
-
- int yyn;
- /* The return value of yyparse. */
- int yyresult;
- /* Lookahead symbol kind. */
- yysymbol_kind_t yytoken = YYSYMBOL_YYEMPTY;
- /* The variables used to return semantic value and location from the
- action routines. */
- YYSTYPE yyval;
-
-
-
-#define YYPOPSTACK(N) (yyvsp -= (N), yyssp -= (N))
-
- /* The number of symbols on the RHS of the reduced rule.
- Keep to zero when no symbol should be popped. */
- int yylen = 0;
-
- YYDPRINTF ((stderr, "Starting parse\n"));
-
- yychar = YYEMPTY; /* Cause a token to be read. */
-
- goto yysetstate;
-
-
-/*------------------------------------------------------------.
-| yynewstate -- push a new state, which is found in yystate. |
-`------------------------------------------------------------*/
-yynewstate:
- /* In all cases, when you get here, the value and location stacks
- have just been pushed. So pushing a state here evens the stacks. */
- yyssp++;
-
-
-/*--------------------------------------------------------------------.
-| yysetstate -- set current state (the top of the stack) to yystate. |
-`--------------------------------------------------------------------*/
-yysetstate:
- YYDPRINTF ((stderr, "Entering state %d\n", yystate));
- YY_ASSERT (0 <= yystate && yystate < YYNSTATES);
- YY_IGNORE_USELESS_CAST_BEGIN
- *yyssp = YY_CAST (yy_state_t, yystate);
- YY_IGNORE_USELESS_CAST_END
- YY_STACK_PRINT (yyss, yyssp);
-
- if (yyss + yystacksize - 1 <= yyssp)
-#if !defined yyoverflow && !defined YYSTACK_RELOCATE
- YYNOMEM;
-#else
- {
- /* Get the current used size of the three stacks, in elements. */
- YYPTRDIFF_T yysize = yyssp - yyss + 1;
-
-# if defined yyoverflow
- {
- /* Give user a chance to reallocate the stack. Use copies of
- these so that the &'s don't force the real ones into
- memory. */
- yy_state_t *yyss1 = yyss;
- YYSTYPE *yyvs1 = yyvs;
-
- /* Each stack pointer address is followed by the size of the
- data in use in that stack, in bytes. This used to be a
- conditional around just the two extra args, but that might
- be undefined if yyoverflow is a macro. */
- yyoverflow (YY_("memory exhausted"),
- &yyss1, yysize * YYSIZEOF (*yyssp),
- &yyvs1, yysize * YYSIZEOF (*yyvsp),
- &yystacksize);
- yyss = yyss1;
- yyvs = yyvs1;
- }
-# else /* defined YYSTACK_RELOCATE */
- /* Extend the stack our own way. */
- if (YYMAXDEPTH <= yystacksize)
- YYNOMEM;
- yystacksize *= 2;
- if (YYMAXDEPTH < yystacksize)
- yystacksize = YYMAXDEPTH;
-
- {
- yy_state_t *yyss1 = yyss;
- union yyalloc *yyptr =
- YY_CAST (union yyalloc *,
- YYSTACK_ALLOC (YY_CAST (YYSIZE_T, YYSTACK_BYTES (yystacksize))));
- if (! yyptr)
- YYNOMEM;
- YYSTACK_RELOCATE (yyss_alloc, yyss);
- YYSTACK_RELOCATE (yyvs_alloc, yyvs);
-# undef YYSTACK_RELOCATE
- if (yyss1 != yyssa)
- YYSTACK_FREE (yyss1);
- }
-# endif
-
- yyssp = yyss + yysize - 1;
- yyvsp = yyvs + yysize - 1;
-
- YY_IGNORE_USELESS_CAST_BEGIN
- YYDPRINTF ((stderr, "Stack size increased to %ld\n",
- YY_CAST (long, yystacksize)));
- YY_IGNORE_USELESS_CAST_END
-
- if (yyss + yystacksize - 1 <= yyssp)
- YYABORT;
- }
-#endif /* !defined yyoverflow && !defined YYSTACK_RELOCATE */
-
-
- if (yystate == YYFINAL)
- YYACCEPT;
-
- goto yybackup;
-
-
-/*-----------.
-| yybackup. |
-`-----------*/
-yybackup:
- /* Do appropriate processing given the current state. Read a
- lookahead token if we need one and don't already have one. */
-
- /* First try to decide what to do without reference to lookahead token. */
- yyn = yypact[yystate];
- if (yypact_value_is_default (yyn))
- goto yydefault;
-
- /* Not known => get a lookahead token if don't already have one. */
-
- /* YYCHAR is either empty, or end-of-input, or a valid lookahead. */
- if (yychar == YYEMPTY)
- {
- YYDPRINTF ((stderr, "Reading a token\n"));
- yychar = yylex ();
- }
-
- if (yychar <= YYEOF)
- {
- yychar = YYEOF;
- yytoken = YYSYMBOL_YYEOF;
- YYDPRINTF ((stderr, "Now at end of input.\n"));
- }
- else if (yychar == YYerror)
- {
- /* The scanner already issued an error message, process directly
- to error recovery. But do not keep the error token as
- lookahead, it is too special and may lead us to an endless
- loop in error recovery. */
- yychar = YYUNDEF;
- yytoken = YYSYMBOL_YYerror;
- goto yyerrlab1;
- }
- else
- {
- yytoken = YYTRANSLATE (yychar);
- YY_SYMBOL_PRINT ("Next token is", yytoken, &yylval, &yylloc);
- }
-
- /* If the proper action on seeing token YYTOKEN is to reduce or to
- detect an error, take that action. */
- yyn += yytoken;
- if (yyn < 0 || YYLAST < yyn || yycheck[yyn] != yytoken)
- goto yydefault;
- yyn = yytable[yyn];
- if (yyn <= 0)
- {
- if (yytable_value_is_error (yyn))
- goto yyerrlab;
- yyn = -yyn;
- goto yyreduce;
- }
-
- /* Count tokens shifted since error; after three, turn off error
- status. */
- if (yyerrstatus)
- yyerrstatus--;
-
- /* Shift the lookahead token. */
- YY_SYMBOL_PRINT ("Shifting", yytoken, &yylval, &yylloc);
- yystate = yyn;
- YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
- *++yyvsp = yylval;
- YY_IGNORE_MAYBE_UNINITIALIZED_END
-
- /* Discard the shifted token. */
- yychar = YYEMPTY;
- goto yynewstate;
-
-
-/*-----------------------------------------------------------.
-| yydefault -- do the default action for the current state. |
-`-----------------------------------------------------------*/
-yydefault:
- yyn = yydefact[yystate];
- if (yyn == 0)
- goto yyerrlab;
- goto yyreduce;
-
-
-/*-----------------------------.
-| yyreduce -- do a reduction. |
-`-----------------------------*/
-yyreduce:
- /* yyn is the number of a rule to reduce with. */
- yylen = yyr2[yyn];
-
- /* If YYLEN is nonzero, implement the default value of the action:
- '$$ = $1'.
-
- Otherwise, the following line sets YYVAL to garbage.
- This behavior is undocumented and Bison
- users should not rely upon it. Assigning to YYVAL
- unconditionally makes the parser a bit smaller, and it avoids a
- GCC warning that YYVAL may be used uninitialized. */
- yyval = yyvsp[1-yylen];
-
-
- YY_REDUCE_PRINT (yyn);
- switch (yyn)
- {
- case 2: /* start: expr */
-#line 85 "sel-gram.y"
- { _hx509_expr_input.expr = (yyvsp[0].expr); }
-#line 1204 "sel-gram.c"
- break;
-
- case 3: /* expr: kw_TRUE */
-#line 87 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(op_TRUE, NULL, NULL); }
-#line 1210 "sel-gram.c"
- break;
-
- case 4: /* expr: kw_FALSE */
-#line 88 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(op_FALSE, NULL, NULL); }
-#line 1216 "sel-gram.c"
- break;
-
- case 5: /* expr: '!' expr */
-#line 89 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(op_NOT, (yyvsp[0].expr), NULL); }
-#line 1222 "sel-gram.c"
- break;
-
- case 6: /* expr: expr kw_AND expr */
-#line 90 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(op_AND, (yyvsp[-2].expr), (yyvsp[0].expr)); }
-#line 1228 "sel-gram.c"
- break;
-
- case 7: /* expr: expr kw_OR expr */
-#line 91 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(op_OR, (yyvsp[-2].expr), (yyvsp[0].expr)); }
-#line 1234 "sel-gram.c"
- break;
-
- case 8: /* expr: '(' expr ')' */
-#line 92 "sel-gram.y"
- { (yyval.expr) = (yyvsp[-1].expr); }
-#line 1240 "sel-gram.c"
- break;
-
- case 9: /* expr: comp */
-#line 93 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(op_COMP, (yyvsp[0].expr), NULL); }
-#line 1246 "sel-gram.c"
- break;
-
- case 10: /* words: word */
-#line 96 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(expr_WORDS, (yyvsp[0].expr), NULL); }
-#line 1252 "sel-gram.c"
- break;
-
- case 11: /* words: word ',' words */
-#line 97 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(expr_WORDS, (yyvsp[-2].expr), (yyvsp[0].expr)); }
-#line 1258 "sel-gram.c"
- break;
-
- case 12: /* comp: word '=' '=' word */
-#line 100 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(comp_EQ, (yyvsp[-3].expr), (yyvsp[0].expr)); }
-#line 1264 "sel-gram.c"
- break;
-
- case 13: /* comp: word '!' '=' word */
-#line 101 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(comp_NE, (yyvsp[-3].expr), (yyvsp[0].expr)); }
-#line 1270 "sel-gram.c"
- break;
-
- case 14: /* comp: word kw_TAILMATCH word */
-#line 102 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(comp_TAILEQ, (yyvsp[-2].expr), (yyvsp[0].expr)); }
-#line 1276 "sel-gram.c"
- break;
-
- case 15: /* comp: word kw_IN '(' words ')' */
-#line 103 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(comp_IN, (yyvsp[-4].expr), (yyvsp[-1].expr)); }
-#line 1282 "sel-gram.c"
- break;
-
- case 16: /* comp: word kw_IN variable */
-#line 104 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(comp_IN, (yyvsp[-2].expr), (yyvsp[0].expr)); }
-#line 1288 "sel-gram.c"
- break;
-
- case 17: /* word: number */
-#line 107 "sel-gram.y"
- { (yyval.expr) = (yyvsp[0].expr); }
-#line 1294 "sel-gram.c"
- break;
-
- case 18: /* word: string */
-#line 108 "sel-gram.y"
- { (yyval.expr) = (yyvsp[0].expr); }
-#line 1300 "sel-gram.c"
- break;
-
- case 19: /* word: function */
-#line 109 "sel-gram.y"
- { (yyval.expr) = (yyvsp[0].expr); }
-#line 1306 "sel-gram.c"
- break;
-
- case 20: /* word: variable */
-#line 110 "sel-gram.y"
- { (yyval.expr) = (yyvsp[0].expr); }
-#line 1312 "sel-gram.c"
- break;
-
- case 21: /* number: NUMBER */
-#line 113 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(expr_NUMBER, (yyvsp[0].string), NULL); }
-#line 1318 "sel-gram.c"
- break;
-
- case 22: /* string: STRING */
-#line 114 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(expr_STRING, (yyvsp[0].string), NULL); }
-#line 1324 "sel-gram.c"
- break;
-
- case 23: /* function: IDENTIFIER '(' words ')' */
-#line 116 "sel-gram.y"
- {
- (yyval.expr) = _hx509_make_expr(expr_FUNCTION, (yyvsp[-3].string), (yyvsp[-1].expr)); }
-#line 1331 "sel-gram.c"
- break;
-
- case 24: /* variable: '%' '{' variables '}' */
-#line 119 "sel-gram.y"
- { (yyval.expr) = (yyvsp[-1].expr); }
-#line 1337 "sel-gram.c"
- break;
-
- case 25: /* variables: IDENTIFIER '.' variables */
-#line 122 "sel-gram.y"
- {
- (yyval.expr) = _hx509_make_expr(expr_VAR, (yyvsp[-2].string), (yyvsp[0].expr)); }
-#line 1344 "sel-gram.c"
- break;
-
- case 26: /* variables: IDENTIFIER */
-#line 124 "sel-gram.y"
- {
- (yyval.expr) = _hx509_make_expr(expr_VAR, (yyvsp[0].string), NULL); }
-#line 1351 "sel-gram.c"
- break;
-
-
-#line 1355 "sel-gram.c"
-
- default: break;
- }
- /* User semantic actions sometimes alter yychar, and that requires
- that yytoken be updated with the new translation. We take the
- approach of translating immediately before every use of yytoken.
- One alternative is translating here after every semantic action,
- but that translation would be missed if the semantic action invokes
- YYABORT, YYACCEPT, or YYERROR immediately after altering yychar or
- if it invokes YYBACKUP. In the case of YYABORT or YYACCEPT, an
- incorrect destructor might then be invoked immediately. In the
- case of YYERROR or YYBACKUP, subsequent parser actions might lead
- to an incorrect destructor call or verbose syntax error message
- before the lookahead is translated. */
- YY_SYMBOL_PRINT ("-> $$ =", YY_CAST (yysymbol_kind_t, yyr1[yyn]), &yyval, &yyloc);
-
- YYPOPSTACK (yylen);
- yylen = 0;
-
- *++yyvsp = yyval;
-
- /* Now 'shift' the result of the reduction. Determine what state
- that goes to, based on the state we popped back to and the rule
- number reduced by. */
- {
- const int yylhs = yyr1[yyn] - YYNTOKENS;
- const int yyi = yypgoto[yylhs] + *yyssp;
- yystate = (0 <= yyi && yyi <= YYLAST && yycheck[yyi] == *yyssp
- ? yytable[yyi]
- : yydefgoto[yylhs]);
- }
-
- goto yynewstate;
-
-
-/*--------------------------------------.
-| yyerrlab -- here on detecting error. |
-`--------------------------------------*/
-yyerrlab:
- /* Make sure we have latest lookahead translation. See comments at
- user semantic actions for why this is necessary. */
- yytoken = yychar == YYEMPTY ? YYSYMBOL_YYEMPTY : YYTRANSLATE (yychar);
- /* If not already recovering from an error, report this error. */
- if (!yyerrstatus)
- {
- ++yynerrs;
- yyerror (YY_("syntax error"));
- }
-
- if (yyerrstatus == 3)
- {
- /* If just tried and failed to reuse lookahead token after an
- error, discard it. */
-
- if (yychar <= YYEOF)
- {
- /* Return failure if at end of input. */
- if (yychar == YYEOF)
- YYABORT;
- }
- else
- {
- yydestruct ("Error: discarding",
- yytoken, &yylval);
- yychar = YYEMPTY;
- }
- }
-
- /* Else will try to reuse lookahead token after shifting the error
- token. */
- goto yyerrlab1;
-
-
-/*---------------------------------------------------.
-| yyerrorlab -- error raised explicitly by YYERROR. |
-`---------------------------------------------------*/
-yyerrorlab:
- /* Pacify compilers when the user code never invokes YYERROR and the
- label yyerrorlab therefore never appears in user code. */
- if (0)
- YYERROR;
- ++yynerrs;
-
- /* Do not reclaim the symbols of the rule whose action triggered
- this YYERROR. */
- YYPOPSTACK (yylen);
- yylen = 0;
- YY_STACK_PRINT (yyss, yyssp);
- yystate = *yyssp;
- goto yyerrlab1;
-
-
-/*-------------------------------------------------------------.
-| yyerrlab1 -- common code for both syntax error and YYERROR. |
-`-------------------------------------------------------------*/
-yyerrlab1:
- yyerrstatus = 3; /* Each real token shifted decrements this. */
-
- /* Pop stack until we find a state that shifts the error token. */
- for (;;)
- {
- yyn = yypact[yystate];
- if (!yypact_value_is_default (yyn))
- {
- yyn += YYSYMBOL_YYerror;
- if (0 <= yyn && yyn <= YYLAST && yycheck[yyn] == YYSYMBOL_YYerror)
- {
- yyn = yytable[yyn];
- if (0 < yyn)
- break;
- }
- }
-
- /* Pop the current state because it cannot handle the error token. */
- if (yyssp == yyss)
- YYABORT;
-
-
- yydestruct ("Error: popping",
- YY_ACCESSING_SYMBOL (yystate), yyvsp);
- YYPOPSTACK (1);
- yystate = *yyssp;
- YY_STACK_PRINT (yyss, yyssp);
- }
-
- YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
- *++yyvsp = yylval;
- YY_IGNORE_MAYBE_UNINITIALIZED_END
-
-
- /* Shift the error token. */
- YY_SYMBOL_PRINT ("Shifting", YY_ACCESSING_SYMBOL (yyn), yyvsp, yylsp);
-
- yystate = yyn;
- goto yynewstate;
-
-
-/*-------------------------------------.
-| yyacceptlab -- YYACCEPT comes here. |
-`-------------------------------------*/
-yyacceptlab:
- yyresult = 0;
- goto yyreturnlab;
-
-
-/*-----------------------------------.
-| yyabortlab -- YYABORT comes here. |
-`-----------------------------------*/
-yyabortlab:
- yyresult = 1;
- goto yyreturnlab;
-
-
-/*-----------------------------------------------------------.
-| yyexhaustedlab -- YYNOMEM (memory exhaustion) comes here. |
-`-----------------------------------------------------------*/
-yyexhaustedlab:
- yyerror (YY_("memory exhausted"));
- yyresult = 2;
- goto yyreturnlab;
-
-
-/*----------------------------------------------------------.
-| yyreturnlab -- parsing is finished, clean up and return. |
-`----------------------------------------------------------*/
-yyreturnlab:
- if (yychar != YYEMPTY)
- {
- /* Make sure we have latest lookahead translation. See comments at
- user semantic actions for why this is necessary. */
- yytoken = YYTRANSLATE (yychar);
- yydestruct ("Cleanup: discarding lookahead",
- yytoken, &yylval);
- }
- /* Do not reclaim the symbols of the rule whose action triggered
- this YYABORT or YYACCEPT. */
- YYPOPSTACK (yylen);
- YY_STACK_PRINT (yyss, yyssp);
- while (yyssp != yyss)
- {
- yydestruct ("Cleanup: popping",
- YY_ACCESSING_SYMBOL (+*yyssp), yyvsp);
- YYPOPSTACK (1);
- }
-#ifndef yyoverflow
- if (yyss != yyssa)
- YYSTACK_FREE (yyss);
-#endif
-
- return yyresult;
-}
-
diff --git a/lib/hx509/sel-gram.h b/lib/hx509/sel-gram.h
deleted file mode 100644
index 04880d2492ff..000000000000
--- a/lib/hx509/sel-gram.h
+++ /dev/null
@@ -1,108 +0,0 @@
-/* A Bison parser, made by GNU Bison 3.8.2. */
-
-/* Bison interface for Yacc-like parsers in C
-
- Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2021 Free Software Foundation,
- Inc.
-
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <https://www.gnu.org/licenses/>. */
-
-/* As a special exception, you may create a larger work that contains
- part or all of the Bison parser skeleton and distribute that work
- under terms of your choice, so long as that work isn't itself a
- parser generator using the skeleton or a modified version thereof
- as a parser skeleton. Alternatively, if you modify or redistribute
- the parser skeleton itself, you may (at your option) remove this
- special exception, which will cause the skeleton and the resulting
- Bison output files to be licensed under the GNU General Public
- License without this special exception.
-
- This special exception was added by the Free Software Foundation in
- version 2.2 of Bison. */
-
-/* DO NOT RELY ON FEATURES THAT ARE NOT DOCUMENTED in the manual,
- especially those whose name start with YY_ or yy_. They are
- private implementation details that can be changed or removed. */
-
-#ifndef YY_YY_SEL_GRAM_H_INCLUDED
-# define YY_YY_SEL_GRAM_H_INCLUDED
-/* Debug traces. */
-#ifndef YYDEBUG
-# define YYDEBUG 0
-#endif
-#if YYDEBUG
-extern int yydebug;
-#endif
-
-/* Token kinds. */
-#ifndef YYTOKENTYPE
-# define YYTOKENTYPE
- enum yytokentype
- {
- YYEMPTY = -2,
- YYEOF = 0, /* "end of file" */
- YYerror = 256, /* error */
- YYUNDEF = 257, /* "invalid token" */
- kw_TRUE = 258, /* kw_TRUE */
- kw_FALSE = 259, /* kw_FALSE */
- kw_AND = 260, /* kw_AND */
- kw_OR = 261, /* kw_OR */
- kw_IN = 262, /* kw_IN */
- kw_TAILMATCH = 263, /* kw_TAILMATCH */
- NUMBER = 264, /* NUMBER */
- STRING = 265, /* STRING */
- IDENTIFIER = 266 /* IDENTIFIER */
- };
- typedef enum yytokentype yytoken_kind_t;
-#endif
-/* Token kinds. */
-#define YYEMPTY -2
-#define YYEOF 0
-#define YYerror 256
-#define YYUNDEF 257
-#define kw_TRUE 258
-#define kw_FALSE 259
-#define kw_AND 260
-#define kw_OR 261
-#define kw_IN 262
-#define kw_TAILMATCH 263
-#define NUMBER 264
-#define STRING 265
-#define IDENTIFIER 266
-
-/* Value type. */
-#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
-union YYSTYPE
-{
-#line 57 "sel-gram.y"
-
- char *string;
- struct hx_expr *expr;
-
-#line 94 "sel-gram.h"
-
-};
-typedef union YYSTYPE YYSTYPE;
-# define YYSTYPE_IS_TRIVIAL 1
-# define YYSTYPE_IS_DECLARED 1
-#endif
-
-
-extern YYSTYPE yylval;
-
-
-int yyparse (void);
-
-
-#endif /* !YY_YY_SEL_GRAM_H_INCLUDED */
diff --git a/lib/hx509/sel-gram.y b/lib/hx509/sel-gram.y
index 7e9d4f26d9c2..09f641d7c051 100644
--- a/lib/hx509/sel-gram.y
+++ b/lib/hx509/sel-gram.y
@@ -78,6 +78,10 @@
%token <string> STRING
%token <string> IDENTIFIER
+%left '!'
+%left kw_AND
+%left kw_OR
+
%start start
%%
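Review bot: The order of the three new `%left` lines gives `kw_OR` the highest precedence and `'!'` the lowest, because Bison ranks later precedence declarations tighter than earlier ones; with this order `a AND b OR c` reduces as `a AND (b OR c)` and `!a AND b` as `!(a AND b)`, the reverse of the usual NOT > AND > OR binding. If the conventional binding is intended, the lines should read `%left kw_OR`, `%left kw_AND`, `%left '!'` in that order (and `%precedence '!'` would state that the prefix operator only needs a rank, not an associativity). Since this grammar appears to be hx509's certificate-selector expression language, a silently reversed precedence would change which inputs a selector matches without any parse error, so a grammar test with a mixed `AND`/`OR`/`!` expression is worth adding alongside this change.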
diff --git a/lib/hx509/sel-lex.c b/lib/hx509/sel-lex.c
deleted file mode 100644
index 44bd8d3f5213..000000000000
--- a/lib/hx509/sel-lex.c
+++ /dev/null
@@ -1,1941 +0,0 @@
-
-#line 2 "sel-lex.c"
-
-#define YY_INT_ALIGNED short int
-
-/* A lexical scanner generated by flex */
-
-#define FLEX_SCANNER
-#define YY_FLEX_MAJOR_VERSION 2
-#define YY_FLEX_MINOR_VERSION 6
-#define YY_FLEX_SUBMINOR_VERSION 4
-#if YY_FLEX_SUBMINOR_VERSION > 0
-#define FLEX_BETA
-#endif
-
-/* First, we deal with platform-specific or compiler-specific issues. */
-
-/* begin standard C headers. */
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#include <stdlib.h>
-
-/* end standard C headers. */
-
-/* flex integer type definitions */
-
-#ifndef FLEXINT_H
-#define FLEXINT_H
-
-/* C99 systems have <inttypes.h>. Non-C99 systems may or may not. */
-
-#if defined (__STDC_VERSION__) && __STDC_VERSION__ >= 199901L
-
-/* C99 says to define __STDC_LIMIT_MACROS before including stdint.h,
- * if you want the limit (max/min) macros for int types.
- */
-#ifndef __STDC_LIMIT_MACROS
-#define __STDC_LIMIT_MACROS 1
-#endif
-
-#include <inttypes.h>
-typedef int8_t flex_int8_t;
-typedef uint8_t flex_uint8_t;
-typedef int16_t flex_int16_t;
-typedef uint16_t flex_uint16_t;
-typedef int32_t flex_int32_t;
-typedef uint32_t flex_uint32_t;
-#else
-typedef signed char flex_int8_t;
-typedef short int flex_int16_t;
-typedef int flex_int32_t;
-typedef unsigned char flex_uint8_t;
-typedef unsigned short int flex_uint16_t;
-typedef unsigned int flex_uint32_t;
-
-/* Limits of integral types. */
-#ifndef INT8_MIN
-#define INT8_MIN (-128)
-#endif
-#ifndef INT16_MIN
-#define INT16_MIN (-32767-1)
-#endif
-#ifndef INT32_MIN
-#define INT32_MIN (-2147483647-1)
-#endif
-#ifndef INT8_MAX
-#define INT8_MAX (127)
-#endif
-#ifndef INT16_MAX
-#define INT16_MAX (32767)
-#endif
-#ifndef INT32_MAX
-#define INT32_MAX (2147483647)
-#endif
-#ifndef UINT8_MAX
-#define UINT8_MAX (255U)
-#endif
-#ifndef UINT16_MAX
-#define UINT16_MAX (65535U)
-#endif
-#ifndef UINT32_MAX
-#define UINT32_MAX (4294967295U)
-#endif
-
-#ifndef SIZE_MAX
-#define SIZE_MAX (~(size_t)0)
-#endif
-
-#endif /* ! C99 */
-
-#endif /* ! FLEXINT_H */
-
-/* begin standard C++ headers. */
-
-/* TODO: this is always defined, so inline it */
-#define yyconst const
-
-#if defined(__GNUC__) && __GNUC__ >= 3
-#define yynoreturn __attribute__((__noreturn__))
-#else
-#define yynoreturn
-#endif
-
-/* Returned upon end-of-file. */
-#define YY_NULL 0
-
-/* Promotes a possibly negative, possibly signed char to an
- * integer in range [0..255] for use as an array index.
- */
-#define YY_SC_TO_UI(c) ((YY_CHAR) (c))
-
-/* Enter a start condition. This macro really ought to take a parameter,
- * but we do it the disgusting crufty way forced on us by the ()-less
- * definition of BEGIN.
- */
-#define BEGIN (yy_start) = 1 + 2 *
-/* Translate the current start state into a value that can be later handed
- * to BEGIN to return to the state. The YYSTATE alias is for lex
- * compatibility.
- */
-#define YY_START (((yy_start) - 1) / 2)
-#define YYSTATE YY_START
-/* Action number for EOF rule of a given start state. */
-#define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1)
-/* Special action meaning "start processing a new file". */
-#define YY_NEW_FILE yyrestart( yyin )
-#define YY_END_OF_BUFFER_CHAR 0
-
-/* Size of default input buffer. */
-#ifndef YY_BUF_SIZE
-#ifdef __ia64__
-/* On IA-64, the buffer size is 16k, not 8k.
- * Moreover, YY_BUF_SIZE is 2*YY_READ_BUF_SIZE in the general case.
- * Ditto for the __ia64__ case accordingly.
- */
-#define YY_BUF_SIZE 32768
-#else
-#define YY_BUF_SIZE 16384
-#endif /* __ia64__ */
-#endif
-
-/* The state buf must be large enough to hold one state per character in the main buffer.
- */
-#define YY_STATE_BUF_SIZE ((YY_BUF_SIZE + 2) * sizeof(yy_state_type))
-
-#ifndef YY_TYPEDEF_YY_BUFFER_STATE
-#define YY_TYPEDEF_YY_BUFFER_STATE
-typedef struct yy_buffer_state *YY_BUFFER_STATE;
-#endif
-
-#ifndef YY_TYPEDEF_YY_SIZE_T
-#define YY_TYPEDEF_YY_SIZE_T
-typedef size_t yy_size_t;
-#endif
-
-extern int yyleng;
-
-extern FILE *yyin, *yyout;
-
-#define EOB_ACT_CONTINUE_SCAN 0
-#define EOB_ACT_END_OF_FILE 1
-#define EOB_ACT_LAST_MATCH 2
-
- #define YY_LESS_LINENO(n)
- #define YY_LINENO_REWIND_TO(ptr)
-
-/* Return all but the first "n" matched characters back to the input stream. */
-#define yyless(n) \
- do \
- { \
- /* Undo effects of setting up yytext. */ \
- int yyless_macro_arg = (n); \
- YY_LESS_LINENO(yyless_macro_arg);\
- *yy_cp = (yy_hold_char); \
- YY_RESTORE_YY_MORE_OFFSET \
- (yy_c_buf_p) = yy_cp = yy_bp + yyless_macro_arg - YY_MORE_ADJ; \
- YY_DO_BEFORE_ACTION; /* set up yytext again */ \
- } \
- while ( 0 )
-#define unput(c) yyunput( c, (yytext_ptr) )
-
-#ifndef YY_STRUCT_YY_BUFFER_STATE
-#define YY_STRUCT_YY_BUFFER_STATE
-struct yy_buffer_state
- {
- FILE *yy_input_file;
-
- char *yy_ch_buf; /* input buffer */
- char *yy_buf_pos; /* current position in input buffer */
-
- /* Size of input buffer in bytes, not including room for EOB
- * characters.
- */
- int yy_buf_size;
-
- /* Number of characters read into yy_ch_buf, not including EOB
- * characters.
- */
- int yy_n_chars;
-
- /* Whether we "own" the buffer - i.e., we know we created it,
- * and can realloc() it to grow it, and should free() it to
- * delete it.
- */
- int yy_is_our_buffer;
-
- /* Whether this is an "interactive" input source; if so, and
- * if we're using stdio for input, then we want to use getc()
- * instead of fread(), to make sure we stop fetching input after
- * each newline.
- */
- int yy_is_interactive;
-
- /* Whether we're considered to be at the beginning of a line.
- * If so, '^' rules will be active on the next match, otherwise
- * not.
- */
- int yy_at_bol;
-
- int yy_bs_lineno; /**< The line count. */
- int yy_bs_column; /**< The column count. */
-
- /* Whether to try to fill the input buffer when we reach the
- * end of it.
- */
- int yy_fill_buffer;
-
- int yy_buffer_status;
-
-#define YY_BUFFER_NEW 0
-#define YY_BUFFER_NORMAL 1
- /* When an EOF's been seen but there's still some text to process
- * then we mark the buffer as YY_EOF_PENDING, to indicate that we
- * shouldn't try reading from the input source any more. We might
- * still have a bunch of tokens to match, though, because of
- * possible backing-up.
- *
- * When we actually see the EOF, we change the status to "new"
- * (via yyrestart()), so that the user can continue scanning by
- * just pointing yyin at a new input file.
- */
-#define YY_BUFFER_EOF_PENDING 2
-
- };
-#endif /* !YY_STRUCT_YY_BUFFER_STATE */
-
-/* Stack of input buffers. */
-static size_t yy_buffer_stack_top = 0; /**< index of top of stack. */
-static size_t yy_buffer_stack_max = 0; /**< capacity of stack. */
-static YY_BUFFER_STATE * yy_buffer_stack = NULL; /**< Stack as an array. */
-
-/* We provide macros for accessing buffer states in case in the
- * future we want to put the buffer states in a more general
- * "scanner state".
- *
- * Returns the top of the stack, or NULL.
- */
-#define YY_CURRENT_BUFFER ( (yy_buffer_stack) \
- ? (yy_buffer_stack)[(yy_buffer_stack_top)] \
- : NULL)
-/* Same as previous macro, but useful when we know that the buffer stack is not
- * NULL or when we need an lvalue. For internal use only.
- */
-#define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)]
-
-/* yy_hold_char holds the character lost when yytext is formed. */
-static char yy_hold_char;
-static int yy_n_chars; /* number of characters read into yy_ch_buf */
-int yyleng;
-
-/* Points to current character in buffer. */
-static char *yy_c_buf_p = NULL;
-static int yy_init = 0; /* whether we need to initialize */
-static int yy_start = 0; /* start state number */
-
-/* Flag which is used to allow yywrap()'s to do buffer switches
- * instead of setting up a fresh yyin. A bit of a hack ...
- */
-static int yy_did_buffer_switch_on_eof;
-
-void yyrestart ( FILE *input_file );
-void yy_switch_to_buffer ( YY_BUFFER_STATE new_buffer );
-YY_BUFFER_STATE yy_create_buffer ( FILE *file, int size );
-void yy_delete_buffer ( YY_BUFFER_STATE b );
-void yy_flush_buffer ( YY_BUFFER_STATE b );
-void yypush_buffer_state ( YY_BUFFER_STATE new_buffer );
-void yypop_buffer_state ( void );
-
-static void yyensure_buffer_stack ( void );
-static void yy_load_buffer_state ( void );
-static void yy_init_buffer ( YY_BUFFER_STATE b, FILE *file );
-#define YY_FLUSH_BUFFER yy_flush_buffer( YY_CURRENT_BUFFER )
-
-YY_BUFFER_STATE yy_scan_buffer ( char *base, yy_size_t size );
-YY_BUFFER_STATE yy_scan_string ( const char *yy_str );
-YY_BUFFER_STATE yy_scan_bytes ( const char *bytes, int len );
-
-void *yyalloc ( yy_size_t );
-void *yyrealloc ( void *, yy_size_t );
-void yyfree ( void * );
-
-#define yy_new_buffer yy_create_buffer
-#define yy_set_interactive(is_interactive) \
- { \
- if ( ! YY_CURRENT_BUFFER ){ \
- yyensure_buffer_stack (); \
- YY_CURRENT_BUFFER_LVALUE = \
- yy_create_buffer( yyin, YY_BUF_SIZE ); \
- } \
- YY_CURRENT_BUFFER_LVALUE->yy_is_interactive = is_interactive; \
- }
-#define yy_set_bol(at_bol) \
- { \
- if ( ! YY_CURRENT_BUFFER ){\
- yyensure_buffer_stack (); \
- YY_CURRENT_BUFFER_LVALUE = \
- yy_create_buffer( yyin, YY_BUF_SIZE ); \
- } \
- YY_CURRENT_BUFFER_LVALUE->yy_at_bol = at_bol; \
- }
-#define YY_AT_BOL() (YY_CURRENT_BUFFER_LVALUE->yy_at_bol)
-
-/* Begin user sect3 */
-typedef flex_uint8_t YY_CHAR;
-
-FILE *yyin = NULL, *yyout = NULL;
-
-typedef int yy_state_type;
-
-extern int yylineno;
-int yylineno = 1;
-
-extern char *yytext;
-#ifdef yytext_ptr
-#undef yytext_ptr
-#endif
-#define yytext_ptr yytext
-
-static yy_state_type yy_get_previous_state ( void );
-static yy_state_type yy_try_NUL_trans ( yy_state_type current_state );
-static int yy_get_next_buffer ( void );
-static void yynoreturn yy_fatal_error ( const char* msg );
-
-/* Done after the current pattern has been matched and before the
- * corresponding action - sets up yytext.
- */
-#define YY_DO_BEFORE_ACTION \
- (yytext_ptr) = yy_bp; \
- yyleng = (int) (yy_cp - yy_bp); \
- (yy_hold_char) = *yy_cp; \
- *yy_cp = '\0'; \
- (yy_c_buf_p) = yy_cp;
-#define YY_NUM_RULES 12
-#define YY_END_OF_BUFFER 13
-/* This struct is not used in this scanner,
- but its presence is necessary. */
-struct yy_trans_info
- {
- flex_int32_t yy_verify;
- flex_int32_t yy_nxt;
- };
-static const flex_int16_t yy_accept[36] =
- { 0,
- 0, 0, 13, 12, 11, 9, 10, 8, 7, 7,
- 7, 7, 7, 7, 7, 7, 7, 5, 4, 7,
- 7, 3, 7, 7, 7, 7, 7, 1, 2, 7,
- 7, 7, 7, 6, 0
- } ;
-
-static const YY_CHAR yy_ec[256] =
- { 0,
- 1, 1, 1, 1, 1, 1, 1, 1, 2, 3,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 2, 4, 5, 1, 1, 4, 1, 1, 4,
- 4, 1, 1, 4, 6, 4, 1, 6, 6, 6,
- 6, 6, 6, 6, 6, 6, 6, 1, 1, 1,
- 4, 1, 1, 1, 7, 8, 9, 10, 11, 12,
- 8, 13, 14, 8, 8, 15, 16, 17, 18, 8,
- 8, 19, 20, 21, 22, 8, 8, 8, 8, 8,
- 1, 1, 1, 1, 6, 1, 8, 8, 8, 8,
-
- 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
- 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
- 8, 8, 4, 1, 4, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
-
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1
- } ;
-
-static const YY_CHAR yy_meta[23] =
- { 0,
- 1, 1, 1, 1, 1, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2
- } ;
-
-static const flex_int16_t yy_base[37] =
- { 0,
- 0, 0, 43, 44, 44, 44, 44, 44, 25, 0,
- 34, 23, 20, 16, 0, 28, 22, 0, 0, 22,
- 12, 0, 13, 17, 20, 19, 13, 0, 0, 21,
- 6, 17, 12, 0, 44, 22
- } ;
-
-static const flex_int16_t yy_def[37] =
- { 0,
- 35, 1, 35, 35, 35, 35, 35, 35, 36, 36,
- 36, 36, 36, 36, 36, 36, 36, 36, 36, 36,
- 36, 36, 36, 36, 36, 36, 36, 36, 36, 36,
- 36, 36, 36, 36, 0, 35
- } ;
-
-static const flex_int16_t yy_nxt[67] =
- { 0,
- 4, 5, 6, 7, 8, 4, 9, 10, 10, 10,
- 10, 11, 10, 12, 10, 10, 10, 13, 10, 10,
- 14, 10, 20, 15, 34, 33, 32, 31, 30, 29,
- 28, 27, 26, 25, 21, 24, 23, 22, 19, 18,
- 17, 16, 35, 3, 35, 35, 35, 35, 35, 35,
- 35, 35, 35, 35, 35, 35, 35, 35, 35, 35,
- 35, 35, 35, 35, 35, 35
- } ;
-
-static const flex_int16_t yy_chk[67] =
- { 0,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 14, 36, 33, 32, 31, 30, 27, 26,
- 25, 24, 23, 21, 14, 20, 17, 16, 13, 12,
- 11, 9, 3, 35, 35, 35, 35, 35, 35, 35,
- 35, 35, 35, 35, 35, 35, 35, 35, 35, 35,
- 35, 35, 35, 35, 35, 35
- } ;
-
-static yy_state_type yy_last_accepting_state;
-static char *yy_last_accepting_cpos;
-
-extern int yy_flex_debug;
-int yy_flex_debug = 0;
-
-/* The intent behind this definition is that it'll catch
- * any uses of REJECT which flex missed.
- */
-#define REJECT reject_used_but_not_detected
-#define yymore() yymore_used_but_not_detected
-#define YY_MORE_ADJ 0
-#define YY_RESTORE_YY_MORE_OFFSET
-char *yytext;
-#line 1 "sel-lex.l"
-#line 2 "sel-lex.l"
-/*
- * Copyright (c) 2004 - 2017 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id$ */
-
-#ifdef __GNUC__
-#pragma GCC diagnostic ignored "-Wunused-function"
-#endif
-
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#undef ECHO
-
-#include <stdio.h>
-#include <string.h>
-#include <stdarg.h>
-#include <stdlib.h>
-#include "sel.h"
-#include "sel-gram.h"
-unsigned lineno = 1;
-
-static char * handle_string(void);
-static int lex_input(char *, int);
-
-struct hx_expr_input _hx509_expr_input;
-
-#ifndef YY_NULL
-#define YY_NULL 0
-#endif
-
-#define YY_NO_UNPUT 1
-
-#undef YY_INPUT
-#define YY_INPUT(buf,res,maxsize) (res = lex_input(buf, maxsize))
-
-#undef ECHO
-
-#line 534 "sel-lex.c"
-#line 535 "sel-lex.c"
-
-#define INITIAL 0
-
-#ifndef YY_NO_UNISTD_H
-/* Special case for "unistd.h", since it is non-ANSI. We include it way
- * down here because we want the user's section 1 to have been scanned first.
- * The user has a chance to override it with an option.
- */
-#include <unistd.h>
-#endif
-
-#ifndef YY_EXTRA_TYPE
-#define YY_EXTRA_TYPE void *
-#endif
-
-static int yy_init_globals ( void );
-
-/* Accessor methods to globals.
- These are made visible to non-reentrant scanners for convenience. */
-
-int yylex_destroy ( void );
-
-int yyget_debug ( void );
-
-void yyset_debug ( int debug_flag );
-
-YY_EXTRA_TYPE yyget_extra ( void );
-
-void yyset_extra ( YY_EXTRA_TYPE user_defined );
-
-FILE *yyget_in ( void );
-
-void yyset_in ( FILE * _in_str );
-
-FILE *yyget_out ( void );
-
-void yyset_out ( FILE * _out_str );
-
- int yyget_leng ( void );
-
-char *yyget_text ( void );
-
-int yyget_lineno ( void );
-
-void yyset_lineno ( int _line_number );
-
-/* Macros after this point can all be overridden by user definitions in
- * section 1.
- */
-
-#ifndef YY_SKIP_YYWRAP
-#ifdef __cplusplus
-extern "C" int yywrap ( void );
-#else
-extern int yywrap ( void );
-#endif
-#endif
-
-#ifndef YY_NO_UNPUT
-
- static void yyunput ( int c, char *buf_ptr );
-
-#endif
-
-#ifndef yytext_ptr
-static void yy_flex_strncpy ( char *, const char *, int );
-#endif
-
-#ifdef YY_NEED_STRLEN
-static int yy_flex_strlen ( const char * );
-#endif
-
-#ifndef YY_NO_INPUT
-#ifdef __cplusplus
-static int yyinput ( void );
-#else
-static int input ( void );
-#endif
-
-#endif
-
-/* Amount of stuff to slurp up with each read. */
-#ifndef YY_READ_BUF_SIZE
-#ifdef __ia64__
-/* On IA-64, the buffer size is 16k, not 8k */
-#define YY_READ_BUF_SIZE 16384
-#else
-#define YY_READ_BUF_SIZE 8192
-#endif /* __ia64__ */
-#endif
-
-/* Copy whatever the last rule matched to the standard output. */
-#ifndef ECHO
-/* This used to be an fputs(), but since the string might contain NUL's,
- * we now use fwrite().
- */
-#define ECHO do { if (fwrite( yytext, (size_t) yyleng, 1, yyout )) {} } while (0)
-#endif
-
-/* Gets input and stuffs it into "buf". number of characters read, or YY_NULL,
- * is returned in "result".
- */
-#ifndef YY_INPUT
-#define YY_INPUT(buf,result,max_size) \
- if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
- { \
- int c = '*'; \
- int n; \
- for ( n = 0; n < max_size && \
- (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
- buf[n] = (char) c; \
- if ( c == '\n' ) \
- buf[n++] = (char) c; \
- if ( c == EOF && ferror( yyin ) ) \
- YY_FATAL_ERROR( "input in flex scanner failed" ); \
- result = n; \
- } \
- else \
- { \
- errno=0; \
- while ( (result = (int) fread(buf, 1, (yy_size_t) max_size, yyin)) == 0 && ferror(yyin)) \
- { \
- if( errno != EINTR) \
- { \
- YY_FATAL_ERROR( "input in flex scanner failed" ); \
- break; \
- } \
- errno=0; \
- clearerr(yyin); \
- } \
- }\
-\
-
-#endif
-
-/* No semi-colon after return; correct usage is to write "yyterminate();" -
- * we don't want an extra ';' after the "return" because that will cause
- * some compilers to complain about unreachable statements.
- */
-#ifndef yyterminate
-#define yyterminate() return YY_NULL
-#endif
-
-/* Number of entries by which start-condition stack grows. */
-#ifndef YY_START_STACK_INCR
-#define YY_START_STACK_INCR 25
-#endif
-
-/* Report a fatal error. */
-#ifndef YY_FATAL_ERROR
-#define YY_FATAL_ERROR(msg) yy_fatal_error( msg )
-#endif
-
-/* end tables serialization structures and prototypes */
-
-/* Default declaration of generated scanner - a define so the user can
- * easily add parameters.
- */
-#ifndef YY_DECL
-#define YY_DECL_IS_OURS 1
-
-extern int yylex (void);
-
-#define YY_DECL int yylex (void)
-#endif /* !YY_DECL */
-
-/* Code executed at the beginning of each rule, after yytext and yyleng
- * have been set up.
- */
-#ifndef YY_USER_ACTION
-#define YY_USER_ACTION
-#endif
-
-/* Code executed at the end of each rule. */
-#ifndef YY_BREAK
-#define YY_BREAK /*LINTED*/break;
-#endif
-
-#define YY_RULE_SETUP \
- YY_USER_ACTION
-
-/** The main scanner function which does all the work.
- */
-YY_DECL
-{
- yy_state_type yy_current_state;
- char *yy_cp, *yy_bp;
- int yy_act;
-
- if ( !(yy_init) )
- {
- (yy_init) = 1;
-
-#ifdef YY_USER_INIT
- YY_USER_INIT;
-#endif
-
- if ( ! (yy_start) )
- (yy_start) = 1; /* first start state */
-
- if ( ! yyin )
- yyin = stdin;
-
- if ( ! yyout )
- yyout = stdout;
-
- if ( ! YY_CURRENT_BUFFER ) {
- yyensure_buffer_stack ();
- YY_CURRENT_BUFFER_LVALUE =
- yy_create_buffer( yyin, YY_BUF_SIZE );
- }
-
- yy_load_buffer_state( );
- }
-
- {
-#line 73 "sel-lex.l"
-
-
-#line 755 "sel-lex.c"
-
- while ( /*CONSTCOND*/1 ) /* loops until end-of-file is reached */
- {
- yy_cp = (yy_c_buf_p);
-
- /* Support of yytext. */
- *yy_cp = (yy_hold_char);
-
- /* yy_bp points to the position in yy_ch_buf of the start of
- * the current run.
- */
- yy_bp = yy_cp;
-
- yy_current_state = (yy_start);
-yy_match:
- do
- {
- YY_CHAR yy_c = yy_ec[YY_SC_TO_UI(*yy_cp)] ;
- if ( yy_accept[yy_current_state] )
- {
- (yy_last_accepting_state) = yy_current_state;
- (yy_last_accepting_cpos) = yy_cp;
- }
- while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
- {
- yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 36 )
- yy_c = yy_meta[yy_c];
- }
- yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
- ++yy_cp;
- }
- while ( yy_base[yy_current_state] != 44 );
-
-yy_find_action:
- yy_act = yy_accept[yy_current_state];
- if ( yy_act == 0 )
- { /* have to back up */
- yy_cp = (yy_last_accepting_cpos);
- yy_current_state = (yy_last_accepting_state);
- yy_act = yy_accept[yy_current_state];
- }
-
- YY_DO_BEFORE_ACTION;
-
-do_action: /* This label is used only to access EOF actions. */
-
- switch ( yy_act )
- { /* beginning of action switch */
- case 0: /* must back up */
- /* undo the effects of YY_DO_BEFORE_ACTION */
- *yy_cp = (yy_hold_char);
- yy_cp = (yy_last_accepting_cpos);
- yy_current_state = (yy_last_accepting_state);
- goto yy_find_action;
-
-case 1:
-YY_RULE_SETUP
-#line 75 "sel-lex.l"
-{ return kw_TRUE; }
- YY_BREAK
-case 2:
-YY_RULE_SETUP
-#line 76 "sel-lex.l"
-{ return kw_FALSE; }
- YY_BREAK
-case 3:
-YY_RULE_SETUP
-#line 77 "sel-lex.l"
-{ return kw_AND; }
- YY_BREAK
-case 4:
-YY_RULE_SETUP
-#line 78 "sel-lex.l"
-{ return kw_OR; }
- YY_BREAK
-case 5:
-YY_RULE_SETUP
-#line 79 "sel-lex.l"
-{ return kw_IN; }
- YY_BREAK
-case 6:
-YY_RULE_SETUP
-#line 80 "sel-lex.l"
-{ return kw_TAILMATCH; }
- YY_BREAK
-case 7:
-YY_RULE_SETUP
-#line 82 "sel-lex.l"
-{
- yylval.string = strdup ((const char *)yytext);
- return IDENTIFIER;
- }
- YY_BREAK
-case 8:
-YY_RULE_SETUP
-#line 86 "sel-lex.l"
-{ yylval.string = handle_string(); return STRING; }
- YY_BREAK
-case 9:
-/* rule 9 can match eol */
-YY_RULE_SETUP
-#line 87 "sel-lex.l"
-{ ++lineno; }
- YY_BREAK
-case 10:
-YY_RULE_SETUP
-#line 88 "sel-lex.l"
-{ return *yytext; }
- YY_BREAK
-case 11:
-YY_RULE_SETUP
-#line 89 "sel-lex.l"
-;
- YY_BREAK
-case 12:
-YY_RULE_SETUP
-#line 90 "sel-lex.l"
-ECHO;
- YY_BREAK
-#line 876 "sel-lex.c"
-case YY_STATE_EOF(INITIAL):
- yyterminate();
-
- case YY_END_OF_BUFFER:
- {
- /* Amount of text matched not including the EOB char. */
- int yy_amount_of_matched_text = (int) (yy_cp - (yytext_ptr)) - 1;
-
- /* Undo the effects of YY_DO_BEFORE_ACTION. */
- *yy_cp = (yy_hold_char);
- YY_RESTORE_YY_MORE_OFFSET
-
- if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_NEW )
- {
- /* We're scanning a new file or input source. It's
- * possible that this happened because the user
- * just pointed yyin at a new source and called
- * yylex(). If so, then we have to assure
- * consistency between YY_CURRENT_BUFFER and our
- * globals. Here is the right place to do so, because
- * this is the first action (other than possibly a
- * back-up) that will match for the new input source.
- */
- (yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_n_chars;
- YY_CURRENT_BUFFER_LVALUE->yy_input_file = yyin;
- YY_CURRENT_BUFFER_LVALUE->yy_buffer_status = YY_BUFFER_NORMAL;
- }
-
- /* Note that here we test for yy_c_buf_p "<=" to the position
- * of the first EOB in the buffer, since yy_c_buf_p will
- * already have been incremented past the NUL character
- * (since all states make transitions on EOB to the
- * end-of-buffer state). Contrast this with the test
- * in input().
- */
- if ( (yy_c_buf_p) <= &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] )
- { /* This was really a NUL. */
- yy_state_type yy_next_state;
-
- (yy_c_buf_p) = (yytext_ptr) + yy_amount_of_matched_text;
-
- yy_current_state = yy_get_previous_state( );
-
- /* Okay, we're now positioned to make the NUL
- * transition. We couldn't have
- * yy_get_previous_state() go ahead and do it
- * for us because it doesn't know how to deal
- * with the possibility of jamming (and we don't
- * want to build jamming into it because then it
- * will run more slowly).
- */
-
- yy_next_state = yy_try_NUL_trans( yy_current_state );
-
- yy_bp = (yytext_ptr) + YY_MORE_ADJ;
-
- if ( yy_next_state )
- {
- /* Consume the NUL. */
- yy_cp = ++(yy_c_buf_p);
- yy_current_state = yy_next_state;
- goto yy_match;
- }
-
- else
- {
- yy_cp = (yy_c_buf_p);
- goto yy_find_action;
- }
- }
-
- else switch ( yy_get_next_buffer( ) )
- {
- case EOB_ACT_END_OF_FILE:
- {
- (yy_did_buffer_switch_on_eof) = 0;
-
- if ( yywrap( ) )
- {
- /* Note: because we've taken care in
- * yy_get_next_buffer() to have set up
- * yytext, we can now set up
- * yy_c_buf_p so that if some total
- * hoser (like flex itself) wants to
- * call the scanner after we return the
- * YY_NULL, it'll still work - another
- * YY_NULL will get returned.
- */
- (yy_c_buf_p) = (yytext_ptr) + YY_MORE_ADJ;
-
- yy_act = YY_STATE_EOF(YY_START);
- goto do_action;
- }
-
- else
- {
- if ( ! (yy_did_buffer_switch_on_eof) )
- YY_NEW_FILE;
- }
- break;
- }
-
- case EOB_ACT_CONTINUE_SCAN:
- (yy_c_buf_p) =
- (yytext_ptr) + yy_amount_of_matched_text;
-
- yy_current_state = yy_get_previous_state( );
-
- yy_cp = (yy_c_buf_p);
- yy_bp = (yytext_ptr) + YY_MORE_ADJ;
- goto yy_match;
-
- case EOB_ACT_LAST_MATCH:
- (yy_c_buf_p) =
- &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)];
-
- yy_current_state = yy_get_previous_state( );
-
- yy_cp = (yy_c_buf_p);
- yy_bp = (yytext_ptr) + YY_MORE_ADJ;
- goto yy_find_action;
- }
- break;
- }
-
- default:
- YY_FATAL_ERROR(
- "fatal flex scanner internal error--no action found" );
- } /* end of action switch */
- } /* end of scanning one token */
- } /* end of user's declarations */
-} /* end of yylex */
-
-/* yy_get_next_buffer - try to read in a new buffer
- *
- * Returns a code representing an action:
- * EOB_ACT_LAST_MATCH -
- * EOB_ACT_CONTINUE_SCAN - continue scanning from current position
- * EOB_ACT_END_OF_FILE - end of file
- */
-static int yy_get_next_buffer (void)
-{
- char *dest = YY_CURRENT_BUFFER_LVALUE->yy_ch_buf;
- char *source = (yytext_ptr);
- int number_to_move, i;
- int ret_val;
-
- if ( (yy_c_buf_p) > &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] )
- YY_FATAL_ERROR(
- "fatal flex scanner internal error--end of buffer missed" );
-
- if ( YY_CURRENT_BUFFER_LVALUE->yy_fill_buffer == 0 )
- { /* Don't try to fill the buffer, so this is an EOF. */
- if ( (yy_c_buf_p) - (yytext_ptr) - YY_MORE_ADJ == 1 )
- {
- /* We matched a single character, the EOB, so
- * treat this as a final EOF.
- */
- return EOB_ACT_END_OF_FILE;
- }
-
- else
- {
- /* We matched some text prior to the EOB, first
- * process it.
- */
- return EOB_ACT_LAST_MATCH;
- }
- }
-
- /* Try to read more data. */
-
- /* First move last chars to start of buffer. */
- number_to_move = (int) ((yy_c_buf_p) - (yytext_ptr) - 1);
-
- for ( i = 0; i < number_to_move; ++i )
- *(dest++) = *(source++);
-
- if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
- /* don't do the read, it's not guaranteed to return an EOF,
- * just force an EOF
- */
- YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars) = 0;
-
- else
- {
- int num_to_read =
- YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
-
- while ( num_to_read <= 0 )
- { /* Not enough room in the buffer - grow it. */
-
- /* just a shorter name for the current buffer */
- YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
-
- int yy_c_buf_p_offset =
- (int) ((yy_c_buf_p) - b->yy_ch_buf);
-
- if ( b->yy_is_our_buffer )
- {
- int new_size = b->yy_buf_size * 2;
-
- if ( new_size <= 0 )
- b->yy_buf_size += b->yy_buf_size / 8;
- else
- b->yy_buf_size *= 2;
-
- b->yy_ch_buf = (char *)
- /* Include room in for 2 EOB chars. */
- yyrealloc( (void *) b->yy_ch_buf,
- (yy_size_t) (b->yy_buf_size + 2) );
- }
- else
- /* Can't grow it, we don't own it. */
- b->yy_ch_buf = NULL;
-
- if ( ! b->yy_ch_buf )
- YY_FATAL_ERROR(
- "fatal error - scanner input buffer overflow" );
-
- (yy_c_buf_p) = &b->yy_ch_buf[yy_c_buf_p_offset];
-
- num_to_read = YY_CURRENT_BUFFER_LVALUE->yy_buf_size -
- number_to_move - 1;
-
- }
-
- if ( num_to_read > YY_READ_BUF_SIZE )
- num_to_read = YY_READ_BUF_SIZE;
-
- /* Read in more data. */
- YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]),
- (yy_n_chars), num_to_read );
-
- YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
- }
-
- if ( (yy_n_chars) == 0 )
- {
- if ( number_to_move == YY_MORE_ADJ )
- {
- ret_val = EOB_ACT_END_OF_FILE;
- yyrestart( yyin );
- }
-
- else
- {
- ret_val = EOB_ACT_LAST_MATCH;
- YY_CURRENT_BUFFER_LVALUE->yy_buffer_status =
- YY_BUFFER_EOF_PENDING;
- }
- }
-
- else
- ret_val = EOB_ACT_CONTINUE_SCAN;
-
- if (((yy_n_chars) + number_to_move) > YY_CURRENT_BUFFER_LVALUE->yy_buf_size) {
- /* Extend the array by 50%, plus the number we really need. */
- int new_size = (yy_n_chars) + number_to_move + ((yy_n_chars) >> 1);
- YY_CURRENT_BUFFER_LVALUE->yy_ch_buf = (char *) yyrealloc(
- (void *) YY_CURRENT_BUFFER_LVALUE->yy_ch_buf, (yy_size_t) new_size );
- if ( ! YY_CURRENT_BUFFER_LVALUE->yy_ch_buf )
- YY_FATAL_ERROR( "out of dynamic memory in yy_get_next_buffer()" );
- /* "- 2" to take care of EOB's */
- YY_CURRENT_BUFFER_LVALUE->yy_buf_size = (int) (new_size - 2);
- }
-
- (yy_n_chars) += number_to_move;
- YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] = YY_END_OF_BUFFER_CHAR;
- YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] = YY_END_OF_BUFFER_CHAR;
-
- (yytext_ptr) = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[0];
-
- return ret_val;
-}
-
-/* yy_get_previous_state - get the state just before the EOB char was reached */
-
- static yy_state_type yy_get_previous_state (void)
-{
- yy_state_type yy_current_state;
- char *yy_cp;
-
- yy_current_state = (yy_start);
-
- for ( yy_cp = (yytext_ptr) + YY_MORE_ADJ; yy_cp < (yy_c_buf_p); ++yy_cp )
- {
- YY_CHAR yy_c = (*yy_cp ? yy_ec[YY_SC_TO_UI(*yy_cp)] : 1);
- if ( yy_accept[yy_current_state] )
- {
- (yy_last_accepting_state) = yy_current_state;
- (yy_last_accepting_cpos) = yy_cp;
- }
- while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
- {
- yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 36 )
- yy_c = yy_meta[yy_c];
- }
- yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
- }
-
- return yy_current_state;
-}
-
-/* yy_try_NUL_trans - try to make a transition on the NUL character
- *
- * synopsis
- * next_state = yy_try_NUL_trans( current_state );
- */
- static yy_state_type yy_try_NUL_trans (yy_state_type yy_current_state )
-{
- int yy_is_jam;
- char *yy_cp = (yy_c_buf_p);
-
- YY_CHAR yy_c = 1;
- if ( yy_accept[yy_current_state] )
- {
- (yy_last_accepting_state) = yy_current_state;
- (yy_last_accepting_cpos) = yy_cp;
- }
- while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
- {
- yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 36 )
- yy_c = yy_meta[yy_c];
- }
- yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
- yy_is_jam = (yy_current_state == 35);
-
- return yy_is_jam ? 0 : yy_current_state;
-}
-
-#ifndef YY_NO_UNPUT
-
- static void yyunput (int c, char * yy_bp )
-{
- char *yy_cp;
-
- yy_cp = (yy_c_buf_p);
-
- /* undo effects of setting up yytext */
- *yy_cp = (yy_hold_char);
-
- if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
- { /* need to shift things up to make room */
- /* +2 for EOB chars. */
- int number_to_move = (yy_n_chars) + 2;
- char *dest = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[
- YY_CURRENT_BUFFER_LVALUE->yy_buf_size + 2];
- char *source =
- &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move];
-
- while ( source > YY_CURRENT_BUFFER_LVALUE->yy_ch_buf )
- *--dest = *--source;
-
- yy_cp += (int) (dest - source);
- yy_bp += (int) (dest - source);
- YY_CURRENT_BUFFER_LVALUE->yy_n_chars =
- (yy_n_chars) = (int) YY_CURRENT_BUFFER_LVALUE->yy_buf_size;
-
- if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
- YY_FATAL_ERROR( "flex scanner push-back overflow" );
- }
-
- *--yy_cp = (char) c;
-
- (yytext_ptr) = yy_bp;
- (yy_hold_char) = *yy_cp;
- (yy_c_buf_p) = yy_cp;
-}
-
-#endif
-
-#ifndef YY_NO_INPUT
-#ifdef __cplusplus
- static int yyinput (void)
-#else
- static int input (void)
-#endif
-
-{
- int c;
-
- *(yy_c_buf_p) = (yy_hold_char);
-
- if ( *(yy_c_buf_p) == YY_END_OF_BUFFER_CHAR )
- {
- /* yy_c_buf_p now points to the character we want to return.
- * If this occurs *before* the EOB characters, then it's a
- * valid NUL; if not, then we've hit the end of the buffer.
- */
- if ( (yy_c_buf_p) < &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] )
- /* This was really a NUL. */
- *(yy_c_buf_p) = '\0';
-
- else
- { /* need more input */
- int offset = (int) ((yy_c_buf_p) - (yytext_ptr));
- ++(yy_c_buf_p);
-
- switch ( yy_get_next_buffer( ) )
- {
- case EOB_ACT_LAST_MATCH:
- /* This happens because yy_g_n_b()
- * sees that we've accumulated a
- * token and flags that we need to
- * try matching the token before
- * proceeding. But for input(),
- * there's no matching to consider.
- * So convert the EOB_ACT_LAST_MATCH
- * to EOB_ACT_END_OF_FILE.
- */
-
- /* Reset buffer status. */
- yyrestart( yyin );
-
- /*FALLTHROUGH*/
-
- case EOB_ACT_END_OF_FILE:
- {
- if ( yywrap( ) )
- return 0;
-
- if ( ! (yy_did_buffer_switch_on_eof) )
- YY_NEW_FILE;
-#ifdef __cplusplus
- return yyinput();
-#else
- return input();
-#endif
- }
-
- case EOB_ACT_CONTINUE_SCAN:
- (yy_c_buf_p) = (yytext_ptr) + offset;
- break;
- }
- }
- }
-
- c = *(unsigned char *) (yy_c_buf_p); /* cast for 8-bit char's */
- *(yy_c_buf_p) = '\0'; /* preserve yytext */
- (yy_hold_char) = *++(yy_c_buf_p);
-
- return c;
-}
-#endif /* ifndef YY_NO_INPUT */
-
-/** Immediately switch to a different input stream.
- * @param input_file A readable stream.
- *
- * @note This function does not reset the start condition to @c INITIAL .
- */
- void yyrestart (FILE * input_file )
-{
-
- if ( ! YY_CURRENT_BUFFER ){
- yyensure_buffer_stack ();
- YY_CURRENT_BUFFER_LVALUE =
- yy_create_buffer( yyin, YY_BUF_SIZE );
- }
-
- yy_init_buffer( YY_CURRENT_BUFFER, input_file );
- yy_load_buffer_state( );
-}
-
-/** Switch to a different input buffer.
- * @param new_buffer The new input buffer.
- *
- */
- void yy_switch_to_buffer (YY_BUFFER_STATE new_buffer )
-{
-
- /* TODO. We should be able to replace this entire function body
- * with
- * yypop_buffer_state();
- * yypush_buffer_state(new_buffer);
- */
- yyensure_buffer_stack ();
- if ( YY_CURRENT_BUFFER == new_buffer )
- return;
-
- if ( YY_CURRENT_BUFFER )
- {
- /* Flush out information for old buffer. */
- *(yy_c_buf_p) = (yy_hold_char);
- YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p);
- YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
- }
-
- YY_CURRENT_BUFFER_LVALUE = new_buffer;
- yy_load_buffer_state( );
-
- /* We don't actually know whether we did this switch during
- * EOF (yywrap()) processing, but the only time this flag
- * is looked at is after yywrap() is called, so it's safe
- * to go ahead and always set it.
- */
- (yy_did_buffer_switch_on_eof) = 1;
-}
-
-static void yy_load_buffer_state (void)
-{
- (yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_n_chars;
- (yytext_ptr) = (yy_c_buf_p) = YY_CURRENT_BUFFER_LVALUE->yy_buf_pos;
- yyin = YY_CURRENT_BUFFER_LVALUE->yy_input_file;
- (yy_hold_char) = *(yy_c_buf_p);
-}
-
-/** Allocate and initialize an input buffer state.
- * @param file A readable stream.
- * @param size The character buffer size in bytes. When in doubt, use @c YY_BUF_SIZE.
- *
- * @return the allocated buffer state.
- */
- YY_BUFFER_STATE yy_create_buffer (FILE * file, int size )
-{
- YY_BUFFER_STATE b;
-
- b = (YY_BUFFER_STATE) yyalloc( sizeof( struct yy_buffer_state ) );
- if ( ! b )
- YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
-
- b->yy_buf_size = size;
-
- /* yy_ch_buf has to be 2 characters longer than the size given because
- * we need to put in 2 end-of-buffer characters.
- */
- b->yy_ch_buf = (char *) yyalloc( (yy_size_t) (b->yy_buf_size + 2) );
- if ( ! b->yy_ch_buf )
- YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
-
- b->yy_is_our_buffer = 1;
-
- yy_init_buffer( b, file );
-
- return b;
-}
-
-/** Destroy the buffer.
- * @param b a buffer created with yy_create_buffer()
- *
- */
- void yy_delete_buffer (YY_BUFFER_STATE b )
-{
-
- if ( ! b )
- return;
-
- if ( b == YY_CURRENT_BUFFER ) /* Not sure if we should pop here. */
- YY_CURRENT_BUFFER_LVALUE = (YY_BUFFER_STATE) 0;
-
- if ( b->yy_is_our_buffer )
- yyfree( (void *) b->yy_ch_buf );
-
- yyfree( (void *) b );
-}
-
-/* Initializes or reinitializes a buffer.
- * This function is sometimes called more than once on the same buffer,
- * such as during a yyrestart() or at EOF.
- */
- static void yy_init_buffer (YY_BUFFER_STATE b, FILE * file )
-
-{
- int oerrno = errno;
-
- yy_flush_buffer( b );
-
- b->yy_input_file = file;
- b->yy_fill_buffer = 1;
-
- /* If b is the current buffer, then yy_init_buffer was _probably_
- * called from yyrestart() or through yy_get_next_buffer.
- * In that case, we don't want to reset the lineno or column.
- */
- if (b != YY_CURRENT_BUFFER){
- b->yy_bs_lineno = 1;
- b->yy_bs_column = 0;
- }
-
- b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0;
-
- errno = oerrno;
-}
-
-/** Discard all buffered characters. On the next scan, YY_INPUT will be called.
- * @param b the buffer state to be flushed, usually @c YY_CURRENT_BUFFER.
- *
- */
- void yy_flush_buffer (YY_BUFFER_STATE b )
-{
- if ( ! b )
- return;
-
- b->yy_n_chars = 0;
-
- /* We always need two end-of-buffer characters. The first causes
- * a transition to the end-of-buffer state. The second causes
- * a jam in that state.
- */
- b->yy_ch_buf[0] = YY_END_OF_BUFFER_CHAR;
- b->yy_ch_buf[1] = YY_END_OF_BUFFER_CHAR;
-
- b->yy_buf_pos = &b->yy_ch_buf[0];
-
- b->yy_at_bol = 1;
- b->yy_buffer_status = YY_BUFFER_NEW;
-
- if ( b == YY_CURRENT_BUFFER )
- yy_load_buffer_state( );
-}
-
-/** Pushes the new state onto the stack. The new state becomes
- * the current state. This function will allocate the stack
- * if necessary.
- * @param new_buffer The new state.
- *
- */
-void yypush_buffer_state (YY_BUFFER_STATE new_buffer )
-{
- if (new_buffer == NULL)
- return;
-
- yyensure_buffer_stack();
-
- /* This block is copied from yy_switch_to_buffer. */
- if ( YY_CURRENT_BUFFER )
- {
- /* Flush out information for old buffer. */
- *(yy_c_buf_p) = (yy_hold_char);
- YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p);
- YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
- }
-
- /* Only push if top exists. Otherwise, replace top. */
- if (YY_CURRENT_BUFFER)
- (yy_buffer_stack_top)++;
- YY_CURRENT_BUFFER_LVALUE = new_buffer;
-
- /* copied from yy_switch_to_buffer. */
- yy_load_buffer_state( );
- (yy_did_buffer_switch_on_eof) = 1;
-}
-
-/** Removes and deletes the top of the stack, if present.
- * The next element becomes the new top.
- *
- */
-void yypop_buffer_state (void)
-{
- if (!YY_CURRENT_BUFFER)
- return;
-
- yy_delete_buffer(YY_CURRENT_BUFFER );
- YY_CURRENT_BUFFER_LVALUE = NULL;
- if ((yy_buffer_stack_top) > 0)
- --(yy_buffer_stack_top);
-
- if (YY_CURRENT_BUFFER) {
- yy_load_buffer_state( );
- (yy_did_buffer_switch_on_eof) = 1;
- }
-}
-
-/* Allocates the stack if it does not exist.
- * Guarantees space for at least one push.
- */
-static void yyensure_buffer_stack (void)
-{
- yy_size_t num_to_alloc;
-
- if (!(yy_buffer_stack)) {
-
- /* First allocation is just for 2 elements, since we don't know if this
- * scanner will even need a stack. We use 2 instead of 1 to avoid an
- * immediate realloc on the next call.
- */
- num_to_alloc = 1; /* After all that talk, this was set to 1 anyways... */
- (yy_buffer_stack) = (struct yy_buffer_state**)yyalloc
- (num_to_alloc * sizeof(struct yy_buffer_state*)
- );
- if ( ! (yy_buffer_stack) )
- YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
-
- memset((yy_buffer_stack), 0, num_to_alloc * sizeof(struct yy_buffer_state*));
-
- (yy_buffer_stack_max) = num_to_alloc;
- (yy_buffer_stack_top) = 0;
- return;
- }
-
- if ((yy_buffer_stack_top) >= ((yy_buffer_stack_max)) - 1){
-
- /* Increase the buffer to prepare for a possible push. */
- yy_size_t grow_size = 8 /* arbitrary grow size */;
-
- num_to_alloc = (yy_buffer_stack_max) + grow_size;
- (yy_buffer_stack) = (struct yy_buffer_state**)yyrealloc
- ((yy_buffer_stack),
- num_to_alloc * sizeof(struct yy_buffer_state*)
- );
- if ( ! (yy_buffer_stack) )
- YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
-
- /* zero only the new slots.*/
- memset((yy_buffer_stack) + (yy_buffer_stack_max), 0, grow_size * sizeof(struct yy_buffer_state*));
- (yy_buffer_stack_max) = num_to_alloc;
- }
-}
-
-/** Setup the input buffer state to scan directly from a user-specified character buffer.
- * @param base the character buffer
- * @param size the size in bytes of the character buffer
- *
- * @return the newly allocated buffer state object.
- */
-YY_BUFFER_STATE yy_scan_buffer (char * base, yy_size_t size )
-{
- YY_BUFFER_STATE b;
-
- if ( size < 2 ||
- base[size-2] != YY_END_OF_BUFFER_CHAR ||
- base[size-1] != YY_END_OF_BUFFER_CHAR )
- /* They forgot to leave room for the EOB's. */
- return NULL;
-
- b = (YY_BUFFER_STATE) yyalloc( sizeof( struct yy_buffer_state ) );
- if ( ! b )
- YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" );
-
- b->yy_buf_size = (int) (size - 2); /* "- 2" to take care of EOB's */
- b->yy_buf_pos = b->yy_ch_buf = base;
- b->yy_is_our_buffer = 0;
- b->yy_input_file = NULL;
- b->yy_n_chars = b->yy_buf_size;
- b->yy_is_interactive = 0;
- b->yy_at_bol = 1;
- b->yy_fill_buffer = 0;
- b->yy_buffer_status = YY_BUFFER_NEW;
-
- yy_switch_to_buffer( b );
-
- return b;
-}
-
-/** Setup the input buffer state to scan a string. The next call to yylex() will
- * scan from a @e copy of @a str.
- * @param yystr a NUL-terminated string to scan
- *
- * @return the newly allocated buffer state object.
- * @note If you want to scan bytes that may contain NUL values, then use
- * yy_scan_bytes() instead.
- */
-YY_BUFFER_STATE yy_scan_string (const char * yystr )
-{
-
- return yy_scan_bytes( yystr, (int) strlen(yystr) );
-}
-
-/** Setup the input buffer state to scan the given bytes. The next call to yylex() will
- * scan from a @e copy of @a bytes.
- * @param yybytes the byte buffer to scan
- * @param _yybytes_len the number of bytes in the buffer pointed to by @a bytes.
- *
- * @return the newly allocated buffer state object.
- */
-YY_BUFFER_STATE yy_scan_bytes (const char * yybytes, int _yybytes_len )
-{
- YY_BUFFER_STATE b;
- char *buf;
- yy_size_t n;
- int i;
-
- /* Get memory for full buffer, including space for trailing EOB's. */
- n = (yy_size_t) (_yybytes_len + 2);
- buf = (char *) yyalloc( n );
- if ( ! buf )
- YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" );
-
- for ( i = 0; i < _yybytes_len; ++i )
- buf[i] = yybytes[i];
-
- buf[_yybytes_len] = buf[_yybytes_len+1] = YY_END_OF_BUFFER_CHAR;
-
- b = yy_scan_buffer( buf, n );
- if ( ! b )
- YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" );
-
- /* It's okay to grow etc. this buffer, and we should throw it
- * away when we're done.
- */
- b->yy_is_our_buffer = 1;
-
- return b;
-}
-
-#ifndef YY_EXIT_FAILURE
-#define YY_EXIT_FAILURE 2
-#endif
-
-static void yynoreturn yy_fatal_error (const char* msg )
-{
- fprintf( stderr, "%s\n", msg );
- exit( YY_EXIT_FAILURE );
-}
-
-/* Redefine yyless() so it works in section 3 code. */
-
-#undef yyless
-#define yyless(n) \
- do \
- { \
- /* Undo effects of setting up yytext. */ \
- int yyless_macro_arg = (n); \
- YY_LESS_LINENO(yyless_macro_arg);\
- yytext[yyleng] = (yy_hold_char); \
- (yy_c_buf_p) = yytext + yyless_macro_arg; \
- (yy_hold_char) = *(yy_c_buf_p); \
- *(yy_c_buf_p) = '\0'; \
- yyleng = yyless_macro_arg; \
- } \
- while ( 0 )
-
-/* Accessor methods (get/set functions) to struct members. */
-
-/** Get the current line number.
- *
- */
-int yyget_lineno (void)
-{
-
- return yylineno;
-}
-
-/** Get the input stream.
- *
- */
-FILE *yyget_in (void)
-{
- return yyin;
-}
-
-/** Get the output stream.
- *
- */
-FILE *yyget_out (void)
-{
- return yyout;
-}
-
-/** Get the length of the current token.
- *
- */
-int yyget_leng (void)
-{
- return yyleng;
-}
-
-/** Get the current token.
- *
- */
-
-char *yyget_text (void)
-{
- return yytext;
-}
-
-/** Set the current line number.
- * @param _line_number line number
- *
- */
-void yyset_lineno (int _line_number )
-{
-
- yylineno = _line_number;
-}
-
-/** Set the input stream. This does not discard the current
- * input buffer.
- * @param _in_str A readable stream.
- *
- * @see yy_switch_to_buffer
- */
-void yyset_in (FILE * _in_str )
-{
- yyin = _in_str ;
-}
-
-void yyset_out (FILE * _out_str )
-{
- yyout = _out_str ;
-}
-
-int yyget_debug (void)
-{
- return yy_flex_debug;
-}
-
-void yyset_debug (int _bdebug )
-{
- yy_flex_debug = _bdebug ;
-}
-
-static int yy_init_globals (void)
-{
- /* Initialization is the same as for the non-reentrant scanner.
- * This function is called from yylex_destroy(), so don't allocate here.
- */
-
- (yy_buffer_stack) = NULL;
- (yy_buffer_stack_top) = 0;
- (yy_buffer_stack_max) = 0;
- (yy_c_buf_p) = NULL;
- (yy_init) = 0;
- (yy_start) = 0;
-
-/* Defined in main.c */
-#ifdef YY_STDINIT
- yyin = stdin;
- yyout = stdout;
-#else
- yyin = NULL;
- yyout = NULL;
-#endif
-
- /* For future reference: Set errno on error, since we are called by
- * yylex_init()
- */
- return 0;
-}
-
-/* yylex_destroy is for both reentrant and non-reentrant scanners. */
-int yylex_destroy (void)
-{
-
- /* Pop the buffer stack, destroying each element. */
- while(YY_CURRENT_BUFFER){
- yy_delete_buffer( YY_CURRENT_BUFFER );
- YY_CURRENT_BUFFER_LVALUE = NULL;
- yypop_buffer_state();
- }
-
- /* Destroy the stack itself. */
- yyfree((yy_buffer_stack) );
- (yy_buffer_stack) = NULL;
-
- /* Reset the globals. This is important in a non-reentrant scanner so the next time
- * yylex() is called, initialization will occur. */
- yy_init_globals( );
-
- return 0;
-}
-
-/*
- * Internal utility routines.
- */
-
-#ifndef yytext_ptr
-static void yy_flex_strncpy (char* s1, const char * s2, int n )
-{
-
- int i;
- for ( i = 0; i < n; ++i )
- s1[i] = s2[i];
-}
-#endif
-
-#ifdef YY_NEED_STRLEN
-static int yy_flex_strlen (const char * s )
-{
- int n;
- for ( n = 0; s[n]; ++n )
- ;
-
- return n;
-}
-#endif
-
-void *yyalloc (yy_size_t size )
-{
- return malloc(size);
-}
-
-void *yyrealloc (void * ptr, yy_size_t size )
-{
-
- /* The cast to (char *) in the following accommodates both
- * implementations that use char* generic pointers, and those
- * that use void* generic pointers. It works with the latter
- * because both ANSI C and C++ allow castless assignment from
- * any pointer type to void*, and deal with argument conversions
- * as though doing an assignment.
- */
- return realloc(ptr, size);
-}
-
-void yyfree (void * ptr )
-{
- free( (char *) ptr ); /* see yyrealloc() for (char *) cast */
-}
-
-#define YYTABLES_NAME "yytables"
-
-#line 90 "sel-lex.l"
-
-
-static char *
-handle_string(void)
-{
- char x[1024];
- int i = 0;
- int c;
- int quote = 0;
- while((c = input()) != EOF){
- if(quote) {
- x[i++] = '\\';
- x[i++] = c;
- quote = 0;
- continue;
- }
- if(c == '\n'){
- _hx509_sel_yyerror("unterminated string");
- lineno++;
- break;
- }
- if(c == '\\'){
- quote++;
- continue;
- }
- if(c == '\"')
- break;
- x[i++] = c;
- }
- x[i] = '\0';
- return strdup(x);
-}
-
-#if !defined(yywrap)
-#define yywrap _hx509_sel_yywrap
-#endif
-
-int
-yywrap ()
-{
- return 1;
-}
-
-static int
-lex_input(char *buf, int max_size)
-{
- int n;
-
- n = _hx509_expr_input.length - _hx509_expr_input.offset;
- if (max_size < n)
- n = max_size;
- if (n <= 0)
- return YY_NULL;
-
- memcpy(buf, _hx509_expr_input.buf + _hx509_expr_input.offset, n);
- _hx509_expr_input.offset += n;
-
- return n;
-}
-
diff --git a/lib/hx509/sel.c b/lib/hx509/sel.c
index 6930b50f7cda..bfd55e938fc0 100644
--- a/lib/hx509/sel.c
+++ b/lib/hx509/sel.c
@@ -33,7 +33,7 @@
#include "hx_locl.h"
-struct hx_expr *
+HX509_LIB_FUNCTION struct hx_expr * HX509_LIB_CALL
_hx509_make_expr(enum hx_expr_op op, void *arg1, void *arg2)
{
struct hx_expr *expr;
@@ -155,7 +155,7 @@ eval_comp(hx509_context context, hx509_env env, struct hx_expr *expr)
return FALSE;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_expr_eval(hx509_context context, hx509_env env, struct hx_expr *expr)
{
switch (expr->op) {
@@ -179,7 +179,7 @@ _hx509_expr_eval(hx509_context context, hx509_env env, struct hx_expr *expr)
}
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_expr_free(struct hx_expr *expr)
{
switch (expr->op) {
@@ -204,7 +204,8 @@ _hx509_expr_free(struct hx_expr *expr)
free(expr);
}
-struct hx_expr *
+/* XXX Horrible, no good cause not thread-safe */
+HX509_LIB_FUNCTION struct hx_expr * HX509_LIB_CALL
_hx509_expr_parse(const char *buf)
{
_hx509_expr_input.buf = buf;
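Review bot: The new `/* XXX Horrible, no good cause not thread-safe */` comment does not say what makes `_hx509_expr_parse` unsafe, so the next reader has to rediscover it; the visible body writes the input into the file-scope `_hx509_expr_input` (`_hx509_expr_input.buf = buf;`), which is the shared state. Suggest replacing the XXX line with `/* Not thread-safe: lexer/parser state lives in the global _hx509_expr_input, so concurrent callers must serialize calls to this function. */`. The function body continues past the end of the hunk.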
@@ -222,6 +223,12 @@ _hx509_expr_parse(const char *buf)
return _hx509_expr_input.expr;
}
+const char *
+_hx509_expr_parse_error(void)
+{
+ return _hx509_expr_input.error;
+}
+
void
_hx509_sel_yyerror (const char *s)
{
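Review bot: `_hx509_expr_parse_error` hands out a pointer into the global `_hx509_expr_input`, so the returned string is only meaningful for the most recent `_hx509_expr_parse` call and may be replaced or invalidated by the next parse; that contract is not documented. Suggest a header comment above it: `/* Returns the error message recorded by the last _hx509_expr_parse(), or NULL; the pointer is owned by the parser state and is valid only until the next parse. */` (whether `error` is static or heap-owned is not visible here, so word it to match). Unlike the other functions in this file section it is also added without the `HX509_LIB_FUNCTION` / `HX509_LIB_CALL` decoration; if it is meant to be reachable from outside the library that presumably needs fixing.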
diff --git a/lib/hx509/sel.h b/lib/hx509/sel.h
index 52a84d31c5ae..daa471e25ec8 100644
--- a/lib/hx509/sel.h
+++ b/lib/hx509/sel.h
@@ -67,6 +67,20 @@ struct hx_expr_input {
extern struct hx_expr_input _hx509_expr_input;
+/*
+ * With bison/flex, the more modern way to allow multiple yacc/lex grammars to
+ * be linked into a single executable is to use the
+ *
+ * bison: -p, --name-prefix=,PREFIX/, -Dapi.prefix=PREFIX
+ * flex: -Pprefix, --prefix=STRING
+ *
+ * options, these take care of renaming all the machine-generated global entry
+ * points, some of which are new. When these options are used "yylex",
+ * "yyparse", ... are already defined and our (potentially incomplete) attempt
+ * to do the same conflicts with the "right" new way to handle this. The below
+ * logic gets us out of the way when the job has already been taken care of by
+ * the parser-generator.
+ */
#if !defined(yylex)
#define yylex _hx509_sel_yylex
#define yywrap _hx509_sel_yywrap
diff --git a/lib/hx509/softp11.c b/lib/hx509/softp11.c
index eeb9ae373425..75f675579c77 100644
--- a/lib/hx509/softp11.c
+++ b/lib/hx509/softp11.c
@@ -311,7 +311,7 @@ add_st_object(void)
return NULL;
for (i = 0; i < soft_token.object.num_objs; i++) {
- if (soft_token.object.objs == NULL) {
+ if (soft_token.object.objs[i] == NULL) {
soft_token.object.objs[i] = o;
break;
}
@@ -422,7 +422,7 @@ struct foo {
char *id;
};
-static int
+static int HX509_LIB_CALL
add_cert(hx509_context hxctx, void *ctx, hx509_cert cert)
{
static char empty[] = "";
@@ -822,48 +822,26 @@ func_not_supported(void)
static char *
get_config_file_for_user(void)
{
- char *fn = NULL;
-
-#ifndef _WIN32
- char *home = NULL;
+ char *fn;
int ret;
- if (!issuid()) {
- fn = getenv("SOFTPKCS11RC");
- if (fn)
- fn = strdup(fn);
- home = getenv("HOME");
- }
- if (fn == NULL && home == NULL) {
- struct passwd *pw = getpwuid(getuid());
- if(pw != NULL)
- home = pw->pw_dir;
- }
+ fn = secure_getenv("SOFTPKCS11RC");
+ if (fn)
+ fn = strdup(fn);
if (fn == NULL) {
+ char homebuf[MAX_PATH];
+ const char *home = roken_get_appdatadir(homebuf, sizeof(homebuf));
+
if (home) {
ret = asprintf(&fn, "%s/.soft-token.rc", home);
if (ret == -1)
fn = NULL;
- } else
+ } else {
+#ifndef WIN32
fn = strdup("/etc/soft-token.rc");
+#endif
+ }
}
-#else /* Windows */
-
- char appdatafolder[MAX_PATH];
-
- fn = getenv("SOFTPKCS11RC");
-
- /* Retrieve the roaming AppData folder for the current user. The
- current user is the user account represented by the current
- thread token. */
-
- if (fn == NULL &&
- SUCCEEDED(SHGetFolderPath(NULL, CSIDL_APPDATA, NULL, SHGFP_TYPE_CURRENT, appdatafolder))) {
-
- asprintf(&fn, "%s\\.soft-token.rc", appdatafolder);
- }
-
-#endif /* _WIN32 */
return fn;
}
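Review bot: The Unix-only fallback in the `else` branch is guarded with `#ifndef WIN32`, whereas the code this hunk removes used the compiler-defined `_WIN32`; if the build does not define the unprefixed `WIN32`, `fn = strdup("/etc/soft-token.rc");` is compiled on Windows too. Suggest `#ifndef _WIN32` for consistency with the rest of the file. Separately, the old code skipped both `SOFTPKCS11RC` and `HOME` when `issuid()`; `secure_getenv` preserves that for the first, but whether `roken_get_appdatadir` also avoids environment-derived paths in a set-id process is not visible here and is worth confirming, since the result selects a config file that is then read with the process's privileges.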
diff --git a/lib/hx509/test_ca.in b/lib/hx509/test_ca.in
index 0264116bbe69..cf739a1f90e9 100644
--- a/lib/hx509/test_ca.in
+++ b/lib/hx509/test_ca.in
@@ -89,6 +89,8 @@ ${hxtool} verify \
crl:FILE:crl.crl \
anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
+# XXX Check that the certs issued below have the requested content
+
echo "issue crl (with cert)"
${hxtool} crl-sign \
--crl-file=crl.crl \
@@ -108,7 +110,14 @@ ${hxtool} issue-certificate \
--subject="cn=foo" \
--lifetime="10years 1 month" \
--req="PKCS10:pkcs10-request.der" \
+ --permanent-id=1.2.3.4.5.6.6:SomeVendor:A0B1C2D3 \
+ --hardware-module-name=tcg-tpm20:SomeVendor:Z0Y1X2W3 \
+ --policy="1.2.3.4.5.6:data:foo this is a warning" \
+ --policy="id-x509-ce-certificatePolicies-anyPolicy" \
+ --policy-mapping="1.2.3.4.5.6:1.2.3.4.5.6" \
+ --policy-mapping="1.2.3.4.5.6:1.2.3.4.5.7" \
--certificate="FILE:cert-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue certificate (with https ekus)"
${hxtool} issue-certificate \
@@ -118,6 +127,7 @@ ${hxtool} issue-certificate \
--type="https-client" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue certificate (pkinit KDC)"
${hxtool} issue-certificate \
@@ -127,6 +137,7 @@ ${hxtool} issue-certificate \
--pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue certificate (pkinit client)"
${hxtool} issue-certificate \
@@ -136,6 +147,7 @@ ${hxtool} issue-certificate \
--pk-init-principal="lha@TEST.H5L.SE" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue certificate (hostnames)"
${hxtool} issue-certificate \
@@ -146,6 +158,7 @@ ${hxtool} issue-certificate \
--hostname="ftp.test.h5l.se" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "verify certificate hostname (ok)"
${hxtool} verify --missing-revoke \
@@ -172,6 +185,7 @@ ${hxtool} issue-certificate \
--type="https-server" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "verify certificate hostname (ok)"
${hxtool} verify --missing-revoke \
@@ -193,6 +207,7 @@ ${hxtool} issue-certificate \
--email="test@test.h5l.se" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue certificate (email, null subject DN)"
${hxtool} issue-certificate \
@@ -201,6 +216,7 @@ ${hxtool} issue-certificate \
--email="lha@test.h5l.se" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-null.pem" || exit 1
+${hxtool} print --content FILE:cert-null.pem || exit 1
echo "issue certificate (jabber)"
${hxtool} issue-certificate \
@@ -209,6 +225,7 @@ ${hxtool} issue-certificate \
--jid="lha@test.h5l.se" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue self-signed cert"
${hxtool} issue-certificate \
@@ -216,6 +233,7 @@ ${hxtool} issue-certificate \
--ca-private-key=FILE:$srcdir/data/key.der \
--subject="cn=test" \
--certificate="FILE:cert-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue ca cert"
${hxtool} issue-certificate \
@@ -224,6 +242,7 @@ ${hxtool} issue-certificate \
--subject="cn=ca-cert" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ca.der" || exit 1
+${hxtool} print --content FILE:cert-ca.der || exit 1
echo "issue self-signed ca cert"
${hxtool} issue-certificate \
@@ -232,6 +251,7 @@ ${hxtool} issue-certificate \
--ca-private-key=FILE:$srcdir/data/key.der \
--subject="cn=ca-root" \
--certificate="FILE:cert-ca.der" || exit 1
+${hxtool} print --content FILE:cert-ca.der || exit 1
echo "issue proxy certificate"
${hxtool} issue-certificate \
@@ -239,6 +259,7 @@ ${hxtool} issue-certificate \
--issue-proxy \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-proxy.der" || exit 1
+${hxtool} print --content FILE:cert-proxy.der || exit 1
echo "verify proxy cert"
${hxtool} verify --missing-revoke \
@@ -256,6 +277,7 @@ ${hxtool} issue-certificate \
--path-length=-1 \
--subject="cn=ca2-cert" \
--certificate="FILE:cert-ca.pem" || exit 1
+${hxtool} print --content FILE:cert-ca.pem || exit 1
echo "issue sub-ca cert (generate rsa key)"
${hxtool} issue-certificate \
@@ -265,6 +287,7 @@ ${hxtool} issue-certificate \
--generate-key=rsa \
--subject="cn=sub-ca2-cert" \
--certificate="FILE:cert-sub-ca.pem" || exit 1
+${hxtool} print --content FILE:cert-sub-ca.pem || exit 1
echo "issue ee cert (generate rsa key)"
${hxtool} issue-certificate \
@@ -272,6 +295,7 @@ ${hxtool} issue-certificate \
--generate-key=rsa \
--subject="cn=cert-ee2" \
--certificate="FILE:cert-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue sub-ca ee cert (generate rsa key)"
${hxtool} issue-certificate \
@@ -279,6 +303,7 @@ ${hxtool} issue-certificate \
--generate-key=rsa \
--subject="cn=cert-sub-ee2" \
--certificate="FILE:cert-sub-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-sub-ee.pem || exit 1
echo "verify certificate (ee)"
${hxtool} verify --missing-revoke \
@@ -313,6 +338,7 @@ ${hxtool} issue-certificate \
--ca-private-key=FILE:cert-ca.pem \
--subject="cn=ca2-cert" \
--certificate="FILE:cert-ca.pem" || exit 1
+${hxtool} print --content FILE:cert-ca.pem || exit 1
echo "verify certificate generated by previous ca"
${hxtool} verify --missing-revoke \
@@ -329,6 +355,7 @@ ${hxtool} issue-certificate \
--path-length=-1 \
--ca-private-key=FILE:cert-ca.pem \
--certificate="FILE:cert-ca.pem" || exit 1
+${hxtool} print --content FILE:cert-ca.pem || exit 1
echo "verify certificate generated by previous ca"
${hxtool} verify --missing-revoke \
@@ -343,6 +370,7 @@ ${hxtool} issue-certificate \
--template-certificate="FILE:cert-sub-ca.pem" \
--template-fields="serialNumber,notBefore,subject,SPKI" \
--certificate="FILE:cert-sub-ca2.pem" || exit 1
+${hxtool} print --content FILE:cert-sub-ca2.pem || exit 1
echo "verify certificate (sub-ee) with extended chain"
${hxtool} verify --missing-revoke \
diff --git a/lib/hx509/test_name.c b/lib/hx509/test_name.c
index 9d21a7f65b03..ba4cbaac85d8 100644
--- a/lib/hx509/test_name.c
+++ b/lib/hx509/test_name.c
@@ -349,6 +349,74 @@ test_compare(hx509_context context)
return 0;
}
+static int
+test_pkinit_san(hx509_context context, const char *p, const char *realm, ...)
+{
+ KRB5PrincipalName kn;
+ GeneralName gn;
+ va_list ap;
+ size_t i, sz;
+ char *round_trip;
+ int ret;
+
+ memset(&kn, 0, sizeof(kn));
+ memset(&gn, 0, sizeof(gn));
+
+ ret = _hx509_make_pkinit_san(context, p, &gn.u.otherName.value);
+ if (ret == 0)
+ ret = decode_KRB5PrincipalName(gn.u.otherName.value.data,
+ gn.u.otherName.value.length, &kn, &sz);
+ if (ret)
+ return 1;
+ if (strcmp(realm, kn.realm) != 0)
+ return 1;
+
+ va_start(ap, realm);
+ for (i = 0; i < kn.principalName.name_string.len; i++) {
+ const char *s = va_arg(ap, const char *);
+
+ if (s == NULL || strcmp(kn.principalName.name_string.val[i], s) != 0)
+ return 1;
+ }
+ if (va_arg(ap, const char *) != NULL)
+ return 1;
+ va_end(ap);
+
+ gn.element = choice_GeneralName_otherName;
+ gn.u.otherName.type_id.length = 0;
+ gn.u.otherName.type_id.components = 0;
+ ret = der_copy_oid(&asn1_oid_id_pkinit_san, &gn.u.otherName.type_id);
+ if (ret == 0)
+ ret = hx509_general_name_unparse(&gn, &round_trip);
+ if (ret)
+ return 1;
+ if (strncmp(round_trip, "otherName: 1.3.6.1.5.2.2 KerberosPrincipalName ",
+ sizeof("otherName: 1.3.6.1.5.2.2 KerberosPrincipalName ") - 1))
+ return 1;
+ if (ret || strcmp(round_trip + sizeof("otherName: 1.3.6.1.5.2.2 KerberosPrincipalName ") - 1, p) != 0)
+ return 1;
+ free_KRB5PrincipalName(&kn);
+ free_GeneralName(&gn);
+ free(round_trip);
+ return 0;
+}
+
+static int
+test_pkinit_san_fail(hx509_context context, const char *p)
+{
+ heim_octet_string os;
+ KRB5PrincipalName kn;
+ int ret;
+
+ memset(&kn, 0, sizeof(kn));
+ ret = _hx509_make_pkinit_san(context, p, &os);
+ if (ret == 0) {
+ free(os.data);
+ return 1;
+ }
+ return 0;
+}
+
int
main(int argc, char **argv)
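Review bot: In `test_pkinit_san`, the early returns inside the `va_arg` loop and right after it return before `va_end(ap)` is reached, and every failure path also leaks the decoded `kn`, the copied OID in `gn`, and `round_trip`; as test code this is minor, but it does make a failing run noisy under leak detection and the missing `va_end` is undefined behaviour per the C standard. A single `goto out` cleanup that calls `va_end`, `free_KRB5PrincipalName`, `free_GeneralName` and `free(round_trip)` (with `round_trip` initialised to NULL) would fix both. Two smaller nits: at the second `strcmp` check `ret` is already known to be 0, so `if (ret || strcmp(...))` can drop the `ret ||`; and `test_pkinit_san_fail` declares and zeroes `kn` without ever using it.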
@@ -376,7 +444,25 @@ main(int argc, char **argv)
ret += test_compare(context);
+ ret += test_pkinit_san(context, "foo@BAR.H5L.SE",
+ "BAR.H5L.SE", "foo", NULL);
+ ret += test_pkinit_san(context, "foo\\ bar@BAR.H5L.SE",
+ "BAR.H5L.SE", "foo bar", NULL);
+ ret += test_pkinit_san(context, "foo\\/bar@BAR.H5L.SE",
+ "BAR.H5L.SE", "foo/bar", NULL);
+ ret += test_pkinit_san(context, "foo/bar@BAR.H5L.SE",
+ "BAR.H5L.SE", "foo", "bar", NULL);
+ ret += test_pkinit_san(context, "foo\\tbar@BAR.H5L.SE",
+ "BAR.H5L.SE", "foo\tbar", NULL);
+ ret += test_pkinit_san(context, "foo\\nbar@BAR.H5L.SE",
+ "BAR.H5L.SE", "foo\nbar", NULL);
+ ret += test_pkinit_san(context, "foo@\\ BAR.H5L.SE",
+ " BAR.H5L.SE", "foo", NULL);
+ ret += test_pkinit_san(context, "foo@\\nBAR.H5L.SE",
+ "\nBAR.H5L.SE", "foo", NULL);
+ ret += test_pkinit_san_fail(context, "foo\\0bar@BAR.H5L.SE");
+
hx509_context_free(&context);
- return ret;
+ return !!ret;
}
diff --git a/lib/hx509/test_nist.in b/lib/hx509/test_nist.in
index 9dffbe69177c..09034fe629b5 100644
--- a/lib/hx509/test_nist.in
+++ b/lib/hx509/test_nist.in
@@ -60,6 +60,7 @@ if [ ! -d "$nistdir" ] ; then
{ rm -rf "$nistdir" ; exit 1; }
fi
+ec=0
while read id verify cert arg1 arg2 arg3 arg4 arg5 ; do
expr "$id" : "#" > /dev/null && continue
@@ -98,14 +99,14 @@ while read id verify cert arg1 arg2 arg3 arg4 arg5 ; do
if ${hxtool} verify --time=2008-05-20 $args > /dev/null; then
if test "$verify" = "f"; then
+ echo ${hxtool} verify --time=2008-05-20 $args
echo "verify passed on fail: $id $cert"
- exit 1
- fi
- else
- if test "$verify" = "p"; then
- echo "verify failed on pass: $id $cert"
- exit 1
+ ec=1
fi
+ elif test "$verify" = "p"; then
+ echo ${hxtool} verify --time=2008-05-20 $args
+ echo "verify failed on pass: $id $cert"
+ ec=1
fi
done < $srcdir/data/nist-data
@@ -113,4 +114,4 @@ done < $srcdir/data/nist-data
echo "done!"
-exit 0
+exit $ec
diff --git a/lib/hx509/test_req.in b/lib/hx509/test_req.in
index 49919d918fa3..9288df6738f3 100644
--- a/lib/hx509/test_req.in
+++ b/lib/hx509/test_req.in
@@ -50,14 +50,114 @@ fi
${hxtool} request-create \
--subject="CN=Love,DC=it,DC=su,DC=se" \
- --key=FILE:$srcdir/data/key.der \
- request.out || exit 1
+ --key="FILE:$srcdir/data/key.der" \
+ "${objdir}/request.out" || exit 1
${hxtool} request-print \
PKCS10:request.out > /dev/null || exit 1
${hxtool} request-create \
--subject="CN=Love,DC=it,DC=su,DC=se" \
- --dnsname=nutcracker.it.su.se \
- --key=FILE:$srcdir/data/key.der \
- request.out || exit 1
+ --eku=1.2.3.4.5.6.7 --eku=1.2.3.4.5.6.8 \
+ --registered=1.2.3.4.5.6.9 --eku=1.2.3.4.5.6.10 \
+ --dnsname=nutcracker.test.h5l.se \
+ --dnsname=foo.nutcracker.test.h5l.se \
+ --kerberos=HTTP/foo.nutcracker.it.su.se@TEST.H5L.SE \
+ --kerberos=host/foo.nutcracker.it.su.se@TEST.H5L.SE \
+ --email=foo@test.h5l.se \
+ --key="FILE:$srcdir/data/key.der" \
+ "${objdir}/request.out" || exit 1
+
+cat > "$objdir/expected" <<EOF
+request print
+PKCS#10 CertificationRequest:
+ name: CN=Love,DC=it,DC=su,DC=se
+ eku: {1.2.3.4.5.6.7}, {1.2.3.4.5.6.8}, {1.2.3.4.5.6.10}
+ san: rfc822Name: foo@test.h5l.se
+ san: dNSName: nutcracker.test.h5l.se
+ san: dNSName: foo.nutcracker.test.h5l.se
+ san: pkinit: HTTP/foo.nutcracker.it.su.se@TEST.H5L.SE
+ san: pkinit: host/foo.nutcracker.it.su.se@TEST.H5L.SE
+ san: registeredID: 1.2.3.4.5.6.9
+EOF
+
+# Check that we got what we wanted:
+${hxtool} request-print \
+ PKCS10:request.out > "${objdir}/actual" || exit 1
+
+diff "$objdir/expected" "${objdir}/actual" || exit 1
+
+# Check that OpenSSL can parse our request:
+if openssl version > /dev/null; then
+ openssl req -inform DER -in "${objdir}/request.out" -text | head -25 > "${objdir}/actual"
+
+ # Various versions of openssl differ slightly in their text output for our
+ # CSR. Figure out what to expect:
+ if grep "Version: 0" "${objdir}/actual" > /dev/null; then
+ v=0
+ else
+ v=1
+ fi
+ if grep "RSA Public-Key:" "${objdir}/actual" > /dev/null; then
+ k="RSA "
+ else
+ k=""
+ fi
+ # Note interpolation of $v and $k in the here doc below:
+ cat > "$objdir/expected" <<EOF
+Certificate Request:
+ Data:
+ Version: $v (0x0)
+ Subject: DC = se, DC = su, DC = it, CN = Love
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ ${k}Public-Key: (1024 bit)
+ Modulus:
+ 00:c2:aa:a2:42:b7:5b:99:a3:fd:ba:f0:9b:75:db:
+ ef:3c:9b:8c:cf:63:5f:46:d8:95:be:09:4a:a7:76:
+ 79:77:61:30:ef:0b:98:d2:47:ea:9c:09:b9:b9:b7:
+ 15:ac:4b:9c:2d:3f:f0:d9:99:9d:4d:5a:68:67:24:
+ 58:5e:65:60:13:9f:4d:dc:2f:03:1d:cd:e9:b6:33:
+ c2:5c:c6:de:c9:93:6c:ec:8d:9a:67:0e:dd:31:20:
+ ac:91:39:7a:c1:8f:39:65:ff:b3:1f:cf:7a:aa:79:
+ 8b:ed:eb:ad:a0:be:01:10:4c:5a:a7:47:1d:c6:ee:
+ 79:39:5c:c7:11:6c:b9:e7:2b
+ Exponent: 65537 (0x10001)
+ Attributes:
+ Requested Extensions:
+ X509v3 Extended Key Usage: critical
+ 1.2.3.4.5.6.7, 1.2.3.4.5.6.8, 1.2.3.4.5.6.10
+ X509v3 Subject Alternative Name:
+ email:foo@test.h5l.se, DNS:nutcracker.test.h5l.se, DNS:foo.nutcracker.test.h5l.se, othername:<unsupported>, othername:<unsupported>, Registered ID:1.2.3.4.5.6.9
+ Signature Algorithm: sha256WithRSAEncryption
+EOF
+ if ! diff -u -w "${objdir}/expected" "${objdir}/actual"; then
+ cat > "$objdir/expected" <<EOF
+Certificate Request:
+ Data:
+ Version: $v (0x0)
+ Subject: DC = se, DC = su, DC = it, CN = Love
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ ${k}Public-Key: (1024 bit)
+ Modulus:
+ 00:c2:aa:a2:42:b7:5b:99:a3:fd:ba:f0:9b:75:db:
+ ef:3c:9b:8c:cf:63:5f:46:d8:95:be:09:4a:a7:76:
+ 79:77:61:30:ef:0b:98:d2:47:ea:9c:09:b9:b9:b7:
+ 15:ac:4b:9c:2d:3f:f0:d9:99:9d:4d:5a:68:67:24:
+ 58:5e:65:60:13:9f:4d:dc:2f:03:1d:cd:e9:b6:33:
+ c2:5c:c6:de:c9:93:6c:ec:8d:9a:67:0e:dd:31:20:
+ ac:91:39:7a:c1:8f:39:65:ff:b3:1f:cf:7a:aa:79:
+ 8b:ed:eb:ad:a0:be:01:10:4c:5a:a7:47:1d:c6:ee:
+ 79:39:5c:c7:11:6c:b9:e7:2b
+ Exponent: 65537 (0x10001)
+ Attributes:
+ Requested Extensions:
+ X509v3 Extended Key Usage: critical
+ 1.2.3.4.5.6.7, 1.2.3.4.5.6.8, 1.2.3.4.5.6.10
+ X509v3 Subject Alternative Name:
+ email:foo@test.h5l.se, DNS:nutcracker.test.h5l.se, DNS:foo.nutcracker.test.h5l.se, othername: 1.3.6.1.5.2.2::<unsupported>, othername: 1.3.6.1.5.2.2::<unsupported>, Registered ID:1.2.3.4.5.6.9
+ Signature Algorithm: sha256WithRSAEncryption
+EOF
+ fi
+fi
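Review bot: The OpenSSL cross-check under `# Check that OpenSSL can parse our request:` can never fail the test: when the first `diff -u -w` mismatches, the alternative expected output is written into `$objdir/expected` but is never compared and no `exit 1` follows, so a CSR that OpenSSL cannot parse or parses differently is accepted silently, and since `openssl req ... | head -25` discards openssl's exit status the diff is the only check there is. Add `diff -u -w "${objdir}/expected" "${objdir}/actual" || exit 1` after the second `EOF`, and send the first diff's output to `/dev/null` so a legitimate newer-format mismatch does not print a spurious diff. Separately, `request-create` now writes `"${objdir}/request.out"` while both `request-print PKCS10:request.out` calls still read `request.out` from the working directory, which only works when `objdir` is the cwd; use `PKCS10:${objdir}/request.out` in both places.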
diff --git a/lib/hx509/version-script.map b/lib/hx509/version-script.map
index f040cd834496..8f46b0ac051a 100644
--- a/lib/hx509/version-script.map
+++ b/lib/hx509/version-script.map
@@ -3,6 +3,8 @@
HEIMDAL_X509_1.2 {
global:
_hx509_cert_assign_key;
+ _hx509_cert_get_keyusage;
+ _hx509_cert_get_version;
_hx509_cert_private_key;
_hx509_certs_keys_free;
_hx509_certs_keys_get;
@@ -14,35 +16,70 @@ HEIMDAL_X509_1.2 {
_hx509_generate_private_key_free;
_hx509_generate_private_key_init;
_hx509_generate_private_key_is_ca;
+ _hx509_get_cert;
+ _hx509_ks_type;
+ _hx509_make_pkinit_san;
_hx509_map_file_os;
_hx509_name_from_Name;
+ _hx509_ossl_oid2nid;
+ _hx509_private_key_export;
+ _hx509_private_key_exportable;
+ _hx509_private_key_get_internal;
+ _hx509_private_key_oid;
_hx509_private_key_ref;
- _hx509_request_add_dns_name;
- _hx509_request_add_email;
- _hx509_request_parse;
- _hx509_request_print;
- _hx509_request_set_email;
- _hx509_request_to_pkcs10;
+ hx509_request_add_GeneralName;
+ hx509_request_add_dns_name;
+ hx509_request_add_dns_srv;
+ hx509_request_add_eku;
+ hx509_request_add_email;
+ hx509_request_add_ms_upn_name;
+ hx509_request_add_pkinit;
+ hx509_request_add_registered;
+ hx509_request_add_xmpp_name;
+ hx509_request_authorize_ku;
+ hx509_request_authorize_eku;
+ hx509_request_authorize_san;
+ hx509_request_count_unsupported;
+ hx509_request_count_unauthorized;
+ hx509_request_eku_authorized_p;
+ hx509_request_print;
+ hx509_request_reject_eku;
+ hx509_request_reject_san;
+ hx509_request_san_authorized_p;
+ hx509_request_to_pkcs10;
_hx509_unmap_file_os;
_hx509_write_file;
hx509_bitstring_print;
+ _hx509_ca_issue_certificate;
hx509_ca_sign;
hx509_ca_sign_self;
hx509_ca_tbs_add_crl_dp_uri;
hx509_ca_tbs_add_eku;
+ hx509_ca_tbs_add_ku;
+ hx509_ca_tbs_add_pol;
+ hx509_ca_tbs_add_pol_mapping;
+ hx509_ca_tbs_add_san;
+ hx509_ca_tbs_add_san_dnssrv;
+ hx509_ca_tbs_add_san_hardwareModuleName;
+ hx509_ca_tbs_add_san_hardwareModuleName_string;
hx509_ca_tbs_add_san_hostname;
hx509_ca_tbs_add_san_jid;
hx509_ca_tbs_add_san_ms_upn;
hx509_ca_tbs_add_san_otherName;
+ hx509_ca_tbs_add_san_permanentIdentifier;
+ hx509_ca_tbs_add_san_permanentIdentifier_string;
hx509_ca_tbs_add_san_pkinit;
hx509_ca_tbs_add_san_rfc822name;
hx509_ca_tbs_free;
+ hx509_ca_tbs_get_name;
hx509_ca_tbs_init;
hx509_ca_tbs_set_ca;
hx509_ca_tbs_set_domaincontroller;
+ hx509_ca_tbs_set_from_csr;
hx509_ca_tbs_set_notAfter;
hx509_ca_tbs_set_notAfter_lifetime;
hx509_ca_tbs_set_notBefore;
+ hx509_ca_tbs_set_pkinit_max_life;
hx509_ca_tbs_set_proxy;
hx509_ca_tbs_set_serialnumber;
hx509_ca_tbs_set_spki;
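Review bot: All of the new exports in this hunk — the `hx509_request_*` and `hx509_ca_tbs_*` additions as well as the new `_hx509_*` names — are added to the existing `HEIMDAL_X509_1.2` version node, and six `_hx509_request_*` symbols are removed from it. Removing a symbol from a node that has already shipped breaks any binary bound to it, and adding new symbols to a shipped node means the dynamic linker cannot distinguish a consumer built against this library from one built against the old 1.2, so a stale libhx509 fails at first call rather than at load time. The leading-underscore names are private by convention and their removal is presumably intended, but the new public `hx509_*` symbols would conventionally go into a fresh node, e.g. `HEIMDAL_X509_1.3 { global: hx509_request_add_GeneralName; ...; } HEIMDAL_X509_1.2;`. I cannot see from the hunk whether the rest of the file already defines such a node.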
@@ -66,12 +103,19 @@ HEIMDAL_X509_1.2 {
hx509_cert_get_issuer;
hx509_cert_get_notAfter;
hx509_cert_get_notBefore;
+ hx509_cert_get_pkinit_max_life;
hx509_cert_get_serialnumber;
hx509_cert_get_subject;
hx509_cert_get_issuer_unique_id;
hx509_cert_get_subject_unique_id;
+ hx509_cert_have_private_key;
+ hx509_cert_have_private_key_only;
hx509_cert_init;
hx509_cert_init_data;
+ hx509_cert_init_private_key;
+ hx509_cert_is_ca;
+ hx509_cert_is_root;
+ hx509_cert_is_self_signed;
hx509_cert_keyusage_print;
hx509_cert_public_encrypt;
hx509_cert_ref;
@@ -79,6 +123,7 @@ HEIMDAL_X509_1.2 {
hx509_certs_add;
hx509_certs_append;
hx509_certs_end_seq;
+ hx509_certs_destroy;
hx509_certs_ref;
hx509_certs_filter;
hx509_certs_find;
@@ -100,6 +145,7 @@ HEIMDAL_X509_1.2 {
hx509_cms_unenvelope;
hx509_cms_unwrap_ContentInfo;
hx509_cms_verify_signed;
+ hx509_cms_verify_signed_ext;
hx509_cms_wrap_ContentInfo;
hx509_context_free;
hx509_context_init;
@@ -128,6 +174,7 @@ HEIMDAL_X509_1.2 {
hx509_crypto_set_padding;
hx509_crypto_set_params;
hx509_crypto_set_random_key;
+ hx509_empty_name;
hx509_env_add;
hx509_env_add_binding;
hx509_env_find;
@@ -141,6 +188,7 @@ HEIMDAL_X509_1.2 {
hx509_find_private_alg;
hx509_general_name_unparse;
hx509_get_error_string;
+ hx509_get_instance;
hx509_get_one_cert;
hx509_lock_add_cert;
hx509_lock_add_certs;
@@ -196,10 +244,17 @@ HEIMDAL_X509_1.2 {
hx509_query_match_option;
hx509_query_statistic_file;
hx509_query_unparse_stats;
+ hx509_request_get_eku;
+ hx509_request_get_exts;
+ hx509_request_get_ku;
hx509_request_get_name;
+ hx509_request_get_san;
hx509_request_get_SubjectPublicKeyInfo;
hx509_request_free;
hx509_request_init;
+ hx509_request_parse;
+ hx509_request_parse_der;
+ hx509_request_set_ku;
hx509_request_set_name;
hx509_request_set_SubjectPublicKeyInfo;
hx509_revoke_add_crl;