Gitweb:
http://git.exim.org/exim.git/commitdiff/f5d786885721c374cc22a1f1311ca01408a496fd
Commit: f5d786885721c374cc22a1f1311ca01408a496fd
Parent: 26e72755c101f59e24735e9ca9a320d5f1ebc2b7
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Mar 24 21:49:12 2013 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Mon Mar 25 22:42:48 2013 +0000
OCSP-stapling enhancement and testing.
Server:
Honor environment variable as well as running_in_test_harness in permitting bogus staplings
Update server tests
Add "-ocsp" option to client-ssl.
Server side: add verification of stapled status.
First cut server-mode ocsp testing.
Fix some uninitialized ocsp-related data.
Client (new):
Verify stapling using only the chain that verified the server cert, not any acceptable chain.
Add check for multiple responses in a stapling, which is not handled
Refuse verification on expired and revoking staplings.
Handle OCSP client refusal on lack of stapling from server.
More fixing in client OCSP: use the server cert signing chain to verify the OCSP info.
Add transport hosts_require_ocsp option.
Log stapling responses.
Start on tests for client-side.
Testing support:
Add CRL generation code and documentation update
Initial CA & certificate set for testing.
BUGFIX:
Once a single OCSP response has been extracted the validation
routine return code is no longer about the structure, but the actual
returned OCSP status.
---
doc/doc-txt/experimental-spec.txt | 11 +-
src/src/functions.h | 5 +-
src/src/tls-gnu.c | 9 +-
src/src/tls-openssl.c | 358 ++++++++++++++++----
src/src/transports/smtp.c | 11 +-
src/src/transports/smtp.h | 3 +
src/src/verify.c | 8 +-
test/README | 8 +-
test/aux-fixed/exim-ca/README | 51 +++
test/aux-fixed/exim-ca/example.com/BLANK/CA.pem | 10 +
.../aux-fixed/exim-ca/example.com/BLANK/Signer.pem | 11 +
test/aux-fixed/exim-ca/example.com/BLANK/cert8.db | Bin 0 -> 65536 bytes
test/aux-fixed/exim-ca/example.com/BLANK/key3.db | Bin 0 -> 16384 bytes
test/aux-fixed/exim-ca/example.com/BLANK/pwdfile | 1 +
test/aux-fixed/exim-ca/example.com/BLANK/secmod.db | Bin 0 -> 16384 bytes
test/aux-fixed/exim-ca/example.com/CA/CA.pem | 10 +
test/aux-fixed/exim-ca/example.com/CA/OCSP.key | 14 +
test/aux-fixed/exim-ca/example.com/CA/OCSP.p12 | Bin 0 -> 2210 bytes
test/aux-fixed/exim-ca/example.com/CA/OCSP.pem | 11 +
test/aux-fixed/exim-ca/example.com/CA/Signer.pem | 11 +
test/aux-fixed/exim-ca/example.com/CA/ca.conf | 18 +
test/aux-fixed/exim-ca/example.com/CA/cert8.db | Bin 0 -> 65536 bytes
test/aux-fixed/exim-ca/example.com/CA/crl.empty | Bin 0 -> 175 bytes
.../exim-ca/example.com/CA/crl.empty.in.txt | 1 +
.../aux-fixed/exim-ca/example.com/CA/crl.empty.pem | 6 +
test/aux-fixed/exim-ca/example.com/CA/crl.v2 | Bin 0 -> 223 bytes
.../aux-fixed/exim-ca/example.com/CA/crl.v2.in.txt | 3 +
test/aux-fixed/exim-ca/example.com/CA/crl.v2.pem | 7 +
.../exim-ca/example.com/CA/index.revoked.txt | 6 +
.../exim-ca/example.com/CA/index.valid.txt | 6 +
test/aux-fixed/exim-ca/example.com/CA/key3.db | Bin 0 -> 16384 bytes
test/aux-fixed/exim-ca/example.com/CA/noise.file | 342 +++++++++++++++++++
test/aux-fixed/exim-ca/example.com/CA/pwdfile | 1 +
test/aux-fixed/exim-ca/example.com/CA/secmod.db | Bin 0 -> 16384 bytes
.../example.com/expired1.example.com/ca_chain.pem | 47 +++
.../example.com/expired1.example.com/cert8.db | Bin 0 -> 65536 bytes
.../expired1.example.com.chain.pem | 29 ++
.../expired1.example.com/expired1.example.com.key | 15 +
.../expired1.example.com.ocsp.dated.resp | Bin 0 -> 725 bytes
.../expired1.example.com.ocsp.good.resp | Bin 0 -> 706 bytes
.../expired1.example.com.ocsp.req | Bin 0 -> 105 bytes
.../expired1.example.com.ocsp.revoked.resp | Bin 0 -> 728 bytes
.../expired1.example.com/expired1.example.com.p12 | Bin 0 -> 2380 bytes
.../expired1.example.com/expired1.example.com.pem | 18 +
.../expired1.example.com.unlocked.key | 9 +
.../example.com/expired1.example.com/key3.db | Bin 0 -> 16384 bytes
.../example.com/expired1.example.com/pwdfile | 1 +
.../example.com/expired1.example.com/secmod.db | Bin 0 -> 16384 bytes
.../example.com/expired2.example.com/ca_chain.pem | 47 +++
.../example.com/expired2.example.com/cert8.db | Bin 0 -> 65536 bytes
.../expired2.example.com.chain.pem | 29 ++
.../expired2.example.com/expired2.example.com.key | 15 +
.../expired2.example.com.ocsp.dated.resp | Bin 0 -> 726 bytes
.../expired2.example.com.ocsp.good.resp | Bin 0 -> 707 bytes
.../expired2.example.com.ocsp.req | Bin 0 -> 106 bytes
.../expired2.example.com.ocsp.revoked.resp | Bin 0 -> 707 bytes
.../expired2.example.com/expired2.example.com.p12 | Bin 0 -> 2388 bytes
.../expired2.example.com/expired2.example.com.pem | 18 +
.../expired2.example.com.unlocked.key | 9 +
.../example.com/expired2.example.com/key3.db | Bin 0 -> 16384 bytes
.../example.com/expired2.example.com/pwdfile | 1 +
.../example.com/expired2.example.com/secmod.db | Bin 0 -> 16384 bytes
.../example.com/revoked1.example.com/ca_chain.pem | 47 +++
.../example.com/revoked1.example.com/cert8.db | Bin 0 -> 65536 bytes
.../example.com/revoked1.example.com/key3.db | Bin 0 -> 16384 bytes
.../example.com/revoked1.example.com/pwdfile | 1 +
.../revoked1.example.com.chain.pem | 29 ++
.../revoked1.example.com/revoked1.example.com.key | 15 +
.../revoked1.example.com.ocsp.dated.resp | Bin 0 -> 725 bytes
.../revoked1.example.com.ocsp.good.resp | Bin 0 -> 706 bytes
.../revoked1.example.com.ocsp.req | Bin 0 -> 105 bytes
.../revoked1.example.com.ocsp.revoked.resp | Bin 0 -> 728 bytes
.../revoked1.example.com/revoked1.example.com.p12 | Bin 0 -> 2380 bytes
.../revoked1.example.com/revoked1.example.com.pem | 18 +
.../revoked1.example.com.unlocked.key | 9 +
.../example.com/revoked1.example.com/secmod.db | Bin 0 -> 16384 bytes
.../example.com/revoked2.example.com/ca_chain.pem | 47 +++
.../example.com/revoked2.example.com/cert8.db | Bin 0 -> 65536 bytes
.../example.com/revoked2.example.com/key3.db | Bin 0 -> 16384 bytes
.../example.com/revoked2.example.com/pwdfile | 1 +
.../revoked2.example.com.chain.pem | 29 ++
.../revoked2.example.com/revoked2.example.com.key | 15 +
.../revoked2.example.com.ocsp.dated.resp | Bin 0 -> 726 bytes
.../revoked2.example.com.ocsp.good.resp | Bin 0 -> 707 bytes
.../revoked2.example.com.ocsp.req | Bin 0 -> 106 bytes
.../revoked2.example.com.ocsp.revoked.resp | Bin 0 -> 707 bytes
.../revoked2.example.com/revoked2.example.com.p12 | Bin 0 -> 2388 bytes
.../revoked2.example.com/revoked2.example.com.pem | 18 +
.../revoked2.example.com.unlocked.key | 9 +
.../example.com/revoked2.example.com/secmod.db | Bin 0 -> 16384 bytes
.../example.com/server1.example.com/ca_chain.pem | 47 +++
.../example.com/server1.example.com/cert8.db | Bin 0 -> 65536 bytes
.../example.com/server1.example.com/key3.db | Bin 0 -> 16384 bytes
.../example.com/server1.example.com/pwdfile | 1 +
.../example.com/server1.example.com/secmod.db | Bin 0 -> 16384 bytes
.../server1.example.com.chain.pem | 29 ++
.../server1.example.com/server1.example.com.key | 15 +
.../server1.example.com.ocsp.dated.resp | Bin 0 -> 725 bytes
.../server1.example.com.ocsp.good.resp | Bin 0 -> 706 bytes
.../server1.example.com.ocsp.req | Bin 0 -> 105 bytes
.../server1.example.com.ocsp.revoked.resp | Bin 0 -> 728 bytes
.../server1.example.com/server1.example.com.p12 | Bin 0 -> 2370 bytes
.../server1.example.com/server1.example.com.pem | 18 +
.../server1.example.com.unlocked.key | 9 +
.../example.com/server2.example.com/ca_chain.pem | 47 +++
.../example.com/server2.example.com/cert8.db | Bin 0 -> 65536 bytes
.../example.com/server2.example.com/key3.db | Bin 0 -> 16384 bytes
.../example.com/server2.example.com/pwdfile | 1 +
.../example.com/server2.example.com/secmod.db | Bin 0 -> 16384 bytes
.../server2.example.com.chain.pem | 29 ++
.../server2.example.com/server2.example.com.key | 15 +
.../server2.example.com.ocsp.dated.resp | Bin 0 -> 726 bytes
.../server2.example.com.ocsp.good.resp | Bin 0 -> 707 bytes
.../server2.example.com.ocsp.req | Bin 0 -> 106 bytes
.../server2.example.com.ocsp.revoked.resp | Bin 0 -> 707 bytes
.../server2.example.com/server2.example.com.p12 | Bin 0 -> 2378 bytes
.../server2.example.com/server2.example.com.pem | 18 +
.../server2.example.com.unlocked.key | 9 +
test/aux-fixed/exim-ca/example.net/BLANK/CA.pem | 10 +
.../aux-fixed/exim-ca/example.net/BLANK/Signer.pem | 11 +
test/aux-fixed/exim-ca/example.net/BLANK/cert8.db | Bin 0 -> 65536 bytes
test/aux-fixed/exim-ca/example.net/BLANK/key3.db | Bin 0 -> 16384 bytes
test/aux-fixed/exim-ca/example.net/BLANK/pwdfile | 1 +
test/aux-fixed/exim-ca/example.net/BLANK/secmod.db | Bin 0 -> 16384 bytes
test/aux-fixed/exim-ca/example.net/CA/CA.pem | 10 +
test/aux-fixed/exim-ca/example.net/CA/OCSP.key | 14 +
test/aux-fixed/exim-ca/example.net/CA/OCSP.p12 | Bin 0 -> 2218 bytes
test/aux-fixed/exim-ca/example.net/CA/OCSP.pem | 11 +
test/aux-fixed/exim-ca/example.net/CA/Signer.pem | 11 +
test/aux-fixed/exim-ca/example.net/CA/ca.conf | 18 +
test/aux-fixed/exim-ca/example.net/CA/cert8.db | Bin 0 -> 65536 bytes
test/aux-fixed/exim-ca/example.net/CA/crl.empty | Bin 0 -> 175 bytes
.../exim-ca/example.net/CA/crl.empty.in.txt | 1 +
.../aux-fixed/exim-ca/example.net/CA/crl.empty.pem | 6 +
test/aux-fixed/exim-ca/example.net/CA/crl.v2 | Bin 0 -> 223 bytes
.../aux-fixed/exim-ca/example.net/CA/crl.v2.in.txt | 3 +
test/aux-fixed/exim-ca/example.net/CA/crl.v2.pem | 7 +
.../exim-ca/example.net/CA/index.revoked.txt | 6 +
.../exim-ca/example.net/CA/index.valid.txt | 6 +
test/aux-fixed/exim-ca/example.net/CA/key3.db | Bin 0 -> 16384 bytes
test/aux-fixed/exim-ca/example.net/CA/noise.file | 342 +++++++++++++++++++
test/aux-fixed/exim-ca/example.net/CA/pwdfile | 1 +
test/aux-fixed/exim-ca/example.net/CA/secmod.db | Bin 0 -> 16384 bytes
.../example.net/expired1.example.net/ca_chain.pem | 47 +++
.../example.net/expired1.example.net/cert8.db | Bin 0 -> 65536 bytes
.../expired1.example.net.chain.pem | 29 ++
.../expired1.example.net/expired1.example.net.key | 15 +
.../expired1.example.net.ocsp.dated.resp | Bin 0 -> 725 bytes
.../expired1.example.net.ocsp.good.resp | Bin 0 -> 706 bytes
.../expired1.example.net.ocsp.req | Bin 0 -> 105 bytes
.../expired1.example.net.ocsp.revoked.resp | Bin 0 -> 728 bytes
.../expired1.example.net/expired1.example.net.p12 | Bin 0 -> 2388 bytes
.../expired1.example.net/expired1.example.net.pem | 18 +
.../expired1.example.net.unlocked.key | 9 +
.../example.net/expired1.example.net/key3.db | Bin 0 -> 16384 bytes
.../example.net/expired1.example.net/pwdfile | 1 +
.../example.net/expired1.example.net/secmod.db | Bin 0 -> 16384 bytes
.../example.net/expired2.example.net/ca_chain.pem | 47 +++
.../example.net/expired2.example.net/cert8.db | Bin 0 -> 65536 bytes
.../expired2.example.net.chain.pem | 29 ++
.../expired2.example.net/expired2.example.net.key | 15 +
.../expired2.example.net.ocsp.dated.resp | Bin 0 -> 726 bytes
.../expired2.example.net.ocsp.good.resp | Bin 0 -> 707 bytes
.../expired2.example.net.ocsp.req | Bin 0 -> 106 bytes
.../expired2.example.net.ocsp.revoked.resp | Bin 0 -> 707 bytes
.../expired2.example.net/expired2.example.net.p12 | Bin 0 -> 2388 bytes
.../expired2.example.net/expired2.example.net.pem | 18 +
.../expired2.example.net.unlocked.key | 9 +
.../example.net/expired2.example.net/key3.db | Bin 0 -> 16384 bytes
.../example.net/expired2.example.net/pwdfile | 1 +
.../example.net/expired2.example.net/secmod.db | Bin 0 -> 16384 bytes
.../example.net/revoked1.example.net/ca_chain.pem | 47 +++
.../example.net/revoked1.example.net/cert8.db | Bin 0 -> 65536 bytes
.../example.net/revoked1.example.net/key3.db | Bin 0 -> 16384 bytes
.../example.net/revoked1.example.net/pwdfile | 1 +
.../revoked1.example.net.chain.pem | 29 ++
.../revoked1.example.net/revoked1.example.net.key | 15 +
.../revoked1.example.net.ocsp.dated.resp | Bin 0 -> 725 bytes
.../revoked1.example.net.ocsp.good.resp | Bin 0 -> 706 bytes
.../revoked1.example.net.ocsp.req | Bin 0 -> 105 bytes
.../revoked1.example.net.ocsp.revoked.resp | Bin 0 -> 728 bytes
.../revoked1.example.net/revoked1.example.net.p12 | Bin 0 -> 2388 bytes
.../revoked1.example.net/revoked1.example.net.pem | 18 +
.../revoked1.example.net.unlocked.key | 9 +
.../example.net/revoked1.example.net/secmod.db | Bin 0 -> 16384 bytes
.../example.net/revoked2.example.net/ca_chain.pem | 47 +++
.../example.net/revoked2.example.net/cert8.db | Bin 0 -> 65536 bytes
.../example.net/revoked2.example.net/key3.db | Bin 0 -> 16384 bytes
.../example.net/revoked2.example.net/pwdfile | 1 +
.../revoked2.example.net.chain.pem | 29 ++
.../revoked2.example.net/revoked2.example.net.key | 15 +
.../revoked2.example.net.ocsp.dated.resp | Bin 0 -> 726 bytes
.../revoked2.example.net.ocsp.good.resp | Bin 0 -> 707 bytes
.../revoked2.example.net.ocsp.req | Bin 0 -> 106 bytes
.../revoked2.example.net.ocsp.revoked.resp | Bin 0 -> 707 bytes
.../revoked2.example.net/revoked2.example.net.p12 | Bin 0 -> 2388 bytes
.../revoked2.example.net/revoked2.example.net.pem | 18 +
.../revoked2.example.net.unlocked.key | 9 +
.../example.net/revoked2.example.net/secmod.db | Bin 0 -> 16384 bytes
.../example.net/server1.example.net/ca_chain.pem | 47 +++
.../example.net/server1.example.net/cert8.db | Bin 0 -> 65536 bytes
.../example.net/server1.example.net/key3.db | Bin 0 -> 16384 bytes
.../example.net/server1.example.net/pwdfile | 1 +
.../example.net/server1.example.net/secmod.db | Bin 0 -> 16384 bytes
.../server1.example.net.chain.pem | 29 ++
.../server1.example.net/server1.example.net.key | 15 +
.../server1.example.net.ocsp.dated.resp | Bin 0 -> 725 bytes
.../server1.example.net.ocsp.good.resp | Bin 0 -> 706 bytes
.../server1.example.net.ocsp.req | Bin 0 -> 105 bytes
.../server1.example.net.ocsp.revoked.resp | Bin 0 -> 728 bytes
.../server1.example.net/server1.example.net.p12 | Bin 0 -> 2378 bytes
.../server1.example.net/server1.example.net.pem | 18 +
.../server1.example.net.unlocked.key | 9 +
.../example.net/server2.example.net/ca_chain.pem | 47 +++
.../example.net/server2.example.net/cert8.db | Bin 0 -> 65536 bytes
.../example.net/server2.example.net/key3.db | Bin 0 -> 16384 bytes
.../example.net/server2.example.net/pwdfile | 1 +
.../example.net/server2.example.net/secmod.db | Bin 0 -> 16384 bytes
.../server2.example.net.chain.pem | 29 ++
.../server2.example.net/server2.example.net.key | 15 +
.../server2.example.net.ocsp.dated.resp | Bin 0 -> 726 bytes
.../server2.example.net.ocsp.good.resp | Bin 0 -> 707 bytes
.../server2.example.net.ocsp.req | Bin 0 -> 106 bytes
.../server2.example.net.ocsp.revoked.resp | Bin 0 -> 707 bytes
.../server2.example.net/server2.example.net.p12 | Bin 0 -> 2386 bytes
.../server2.example.net/server2.example.net.pem | 18 +
.../server2.example.net.unlocked.key | 9 +
test/aux-fixed/exim-ca/example.org/BLANK/CA.pem | 10 +
.../aux-fixed/exim-ca/example.org/BLANK/Signer.pem | 11 +
test/aux-fixed/exim-ca/example.org/BLANK/cert8.db | Bin 0 -> 65536 bytes
test/aux-fixed/exim-ca/example.org/BLANK/key3.db | Bin 0 -> 16384 bytes
test/aux-fixed/exim-ca/example.org/BLANK/pwdfile | 1 +
test/aux-fixed/exim-ca/example.org/BLANK/secmod.db | Bin 0 -> 16384 bytes
test/aux-fixed/exim-ca/example.org/CA/CA.pem | 10 +
test/aux-fixed/exim-ca/example.org/CA/OCSP.key | 14 +
test/aux-fixed/exim-ca/example.org/CA/OCSP.p12 | Bin 0 -> 2218 bytes
test/aux-fixed/exim-ca/example.org/CA/OCSP.pem | 11 +
test/aux-fixed/exim-ca/example.org/CA/Signer.pem | 11 +
test/aux-fixed/exim-ca/example.org/CA/ca.conf | 18 +
test/aux-fixed/exim-ca/example.org/CA/cert8.db | Bin 0 -> 65536 bytes
test/aux-fixed/exim-ca/example.org/CA/crl.empty | Bin 0 -> 175 bytes
.../exim-ca/example.org/CA/crl.empty.in.txt | 1 +
.../aux-fixed/exim-ca/example.org/CA/crl.empty.pem | 6 +
test/aux-fixed/exim-ca/example.org/CA/crl.v2 | Bin 0 -> 223 bytes
.../aux-fixed/exim-ca/example.org/CA/crl.v2.in.txt | 3 +
test/aux-fixed/exim-ca/example.org/CA/crl.v2.pem | 7 +
.../exim-ca/example.org/CA/index.revoked.txt | 6 +
.../exim-ca/example.org/CA/index.valid.txt | 6 +
test/aux-fixed/exim-ca/example.org/CA/key3.db | Bin 0 -> 16384 bytes
test/aux-fixed/exim-ca/example.org/CA/noise.file | 342 +++++++++++++++++++
test/aux-fixed/exim-ca/example.org/CA/pwdfile | 1 +
test/aux-fixed/exim-ca/example.org/CA/secmod.db | Bin 0 -> 16384 bytes
.../example.org/expired1.example.org/ca_chain.pem | 47 +++
.../example.org/expired1.example.org/cert8.db | Bin 0 -> 65536 bytes
.../expired1.example.org.chain.pem | 29 ++
.../expired1.example.org/expired1.example.org.key | 15 +
.../expired1.example.org.ocsp.dated.resp | Bin 0 -> 725 bytes
.../expired1.example.org.ocsp.good.resp | Bin 0 -> 706 bytes
.../expired1.example.org.ocsp.req | Bin 0 -> 105 bytes
.../expired1.example.org.ocsp.revoked.resp | Bin 0 -> 728 bytes
.../expired1.example.org/expired1.example.org.p12 | Bin 0 -> 2388 bytes
.../expired1.example.org/expired1.example.org.pem | 18 +
.../expired1.example.org.unlocked.key | 9 +
.../example.org/expired1.example.org/key3.db | Bin 0 -> 16384 bytes
.../example.org/expired1.example.org/pwdfile | 1 +
.../example.org/expired1.example.org/secmod.db | Bin 0 -> 16384 bytes
.../example.org/expired2.example.org/ca_chain.pem | 47 +++
.../example.org/expired2.example.org/cert8.db | Bin 0 -> 65536 bytes
.../expired2.example.org.chain.pem | 29 ++
.../expired2.example.org/expired2.example.org.key | 15 +
.../expired2.example.org.ocsp.dated.resp | Bin 0 -> 726 bytes
.../expired2.example.org.ocsp.good.resp | Bin 0 -> 707 bytes
.../expired2.example.org.ocsp.req | Bin 0 -> 106 bytes
.../expired2.example.org.ocsp.revoked.resp | Bin 0 -> 707 bytes
.../expired2.example.org/expired2.example.org.p12 | Bin 0 -> 2388 bytes
.../expired2.example.org/expired2.example.org.pem | 18 +
.../expired2.example.org.unlocked.key | 9 +
.../example.org/expired2.example.org/key3.db | Bin 0 -> 16384 bytes
.../example.org/expired2.example.org/pwdfile | 1 +
.../example.org/expired2.example.org/secmod.db | Bin 0 -> 16384 bytes
.../example.org/revoked1.example.org/ca_chain.pem | 47 +++
.../example.org/revoked1.example.org/cert8.db | Bin 0 -> 65536 bytes
.../example.org/revoked1.example.org/key3.db | Bin 0 -> 16384 bytes
.../example.org/revoked1.example.org/pwdfile | 1 +
.../revoked1.example.org.chain.pem | 29 ++
.../revoked1.example.org/revoked1.example.org.key | 15 +
.../revoked1.example.org.ocsp.dated.resp | Bin 0 -> 725 bytes
.../revoked1.example.org.ocsp.good.resp | Bin 0 -> 706 bytes
.../revoked1.example.org.ocsp.req | Bin 0 -> 105 bytes
.../revoked1.example.org.ocsp.revoked.resp | Bin 0 -> 728 bytes
.../revoked1.example.org/revoked1.example.org.p12 | Bin 0 -> 2380 bytes
.../revoked1.example.org/revoked1.example.org.pem | 18 +
.../revoked1.example.org.unlocked.key | 9 +
.../example.org/revoked1.example.org/secmod.db | Bin 0 -> 16384 bytes
.../example.org/revoked2.example.org/ca_chain.pem | 47 +++
.../example.org/revoked2.example.org/cert8.db | Bin 0 -> 65536 bytes
.../example.org/revoked2.example.org/key3.db | Bin 0 -> 16384 bytes
.../example.org/revoked2.example.org/pwdfile | 1 +
.../revoked2.example.org.chain.pem | 29 ++
.../revoked2.example.org/revoked2.example.org.key | 15 +
.../revoked2.example.org.ocsp.dated.resp | Bin 0 -> 726 bytes
.../revoked2.example.org.ocsp.good.resp | Bin 0 -> 707 bytes
.../revoked2.example.org.ocsp.req | Bin 0 -> 106 bytes
.../revoked2.example.org.ocsp.revoked.resp | Bin 0 -> 707 bytes
.../revoked2.example.org/revoked2.example.org.p12 | Bin 0 -> 2388 bytes
.../revoked2.example.org/revoked2.example.org.pem | 18 +
.../revoked2.example.org.unlocked.key | 9 +
.../example.org/revoked2.example.org/secmod.db | Bin 0 -> 16384 bytes
.../example.org/server1.example.org/ca_chain.pem | 47 +++
.../example.org/server1.example.org/cert8.db | Bin 0 -> 65536 bytes
.../example.org/server1.example.org/key3.db | Bin 0 -> 16384 bytes
.../example.org/server1.example.org/pwdfile | 1 +
.../example.org/server1.example.org/secmod.db | Bin 0 -> 16384 bytes
.../server1.example.org.chain.pem | 29 ++
.../server1.example.org/server1.example.org.key | 15 +
.../server1.example.org.ocsp.dated.resp | Bin 0 -> 725 bytes
.../server1.example.org.ocsp.good.resp | Bin 0 -> 706 bytes
.../server1.example.org.ocsp.req | Bin 0 -> 105 bytes
.../server1.example.org.ocsp.revoked.resp | Bin 0 -> 728 bytes
.../server1.example.org/server1.example.org.p12 | Bin 0 -> 2378 bytes
.../server1.example.org/server1.example.org.pem | 18 +
.../server1.example.org.unlocked.key | 9 +
.../example.org/server2.example.org/ca_chain.pem | 47 +++
.../example.org/server2.example.org/cert8.db | Bin 0 -> 65536 bytes
.../example.org/server2.example.org/key3.db | Bin 0 -> 16384 bytes
.../example.org/server2.example.org/pwdfile | 1 +
.../example.org/server2.example.org/secmod.db | Bin 0 -> 16384 bytes
.../server2.example.org.chain.pem | 29 ++
.../server2.example.org/server2.example.org.key | 15 +
.../server2.example.org.ocsp.dated.resp | Bin 0 -> 726 bytes
.../server2.example.org.ocsp.good.resp | Bin 0 -> 707 bytes
.../server2.example.org.ocsp.req | Bin 0 -> 106 bytes
.../server2.example.org.ocsp.revoked.resp | Bin 0 -> 707 bytes
.../server2.example.org/server2.example.org.p12 | Bin 0 -> 2386 bytes
.../server2.example.org/server2.example.org.pem | 18 +
.../server2.example.org.unlocked.key | 9 +
test/aux-fixed/exim-ca/genall | 101 ++++++
test/aux-fixed/ocsp_file.der | Bin 0 -> 1367 bytes
test/confs/5600 | 66 ++++
test/confs/5601 | 121 +++++++
test/log/5600 | 6 +
test/log/5601 | 41 +++
test/msglog/2145.10HmaX-0005vi-00 | 1 +
test/scripts/5600-OCSP-OpenSSL/5600 | 80 +++++
test/scripts/5600-OCSP-OpenSSL/5601 | 65 ++++
test/scripts/5600-OCSP-OpenSSL/REQUIRES | 3 +
test/src/client.c | 109 ++++++-
test/stderr/5600 | 2 +
test/stderr/5601 | 2 +
test/stdout/5600 | 142 ++++++++
test/trusted_configs | 1 +
351 files changed, 4631 insertions(+), 89 deletions(-)
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index 8d1ebef..385f052 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -69,7 +69,7 @@ starts retrying to fetch an OCSP proof some time before its current
proof expires. The downside is that it requires server support.
If Exim is built with EXPERIMENTAL_OCSP and it was built with OpenSSL,
-then it gains one new option: "tls_ocsp_file".
+then it gains a new global option: "tls_ocsp_file".
The file specified therein is expected to be in DER format, and contain
an OCSP proof. Exim will serve it as part of the TLS handshake. This
@@ -86,10 +86,15 @@ next connection.
Exim will check for a valid next update timestamp in the OCSP proof;
if not present, or if the proof has expired, it will be ignored.
+Also, given EXPERIMENTAL_OCSP and OpenSSL, the smtp transport gains
+a "hosts_require_ocsp" option; a host-list for which an OCSP Stapling
+is requested and required for the connection to proceed. The host(s)
+should also be in "hosts_require_tls", and "tls_verify_certificates"
+configured for the transport.
+
At this point in time, we're gathering feedback on use, to determine if
it's worth adding complexity to the Exim daemon to periodically re-fetch
-OCSP files and somehow handling multiple files. There is no client support
-for OCSP in Exim, this is feature expected to be used by mail clients.
+OCSP files and somehow handling multiple files.
diff --git a/src/src/functions.h b/src/src/functions.h
index 604dd4a..20fc9a0 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -25,8 +25,11 @@ extern const char *
std_dh_prime_default(void);
extern const char *
std_dh_prime_named(const uschar *);
-extern int tls_client_start(int, host_item *, address_item *, uschar *,
+extern int tls_client_start(int, host_item *, address_item *,
uschar *, uschar *, uschar *, uschar *, uschar *, uschar *,
+# ifdef EXPERIMENTAL_OCSP
+ uschar *,
+# endif
int, int);
extern void tls_close(BOOL, BOOL);
extern int tls_feof(void);
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 2399857..c357ba4 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1547,7 +1547,6 @@ Arguments:
fd the fd of the connection
host connected host (for messages)
addr the first address (not used)
- dhparam DH parameter file (ignored, we're a client)
certificate certificate file
privatekey private key file
sni TLS SNI to send to remote host
@@ -1563,10 +1562,14 @@ Returns: OK/DEFER/FAIL (because using common functions),
int
tls_client_start(int fd, host_item *host,
- address_item *addr ARG_UNUSED, uschar *dhparam ARG_UNUSED,
+ address_item *addr ARG_UNUSED,
uschar *certificate, uschar *privatekey, uschar *sni,
uschar *verify_certs, uschar *verify_crl,
- uschar *require_ciphers, int dh_min_bits, int timeout)
+ uschar *require_ciphers,
+#ifdef EXPERIMENTAL_OCSP
+ uschar *require_ocsp ARG_UNUSED,
+#endif
+ int dh_min_bits, int timeout)
{
int rc;
const char *error;
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 42afd39..93ee079 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -5,6 +5,8 @@
/* Copyright (c) University of Cambridge 1995 - 2012 */
/* See the file NOTICE for conditions of use and distribution. */
+/* Portions Copyright (c) The OpenSSL Project 1999 */
+
/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
library. It is #included into the tls.c file when that library is used. The
code herein is based on a patch that was originally contributed by Steve
@@ -80,16 +82,24 @@ static int ssl_session_timeout = 200;
static BOOL client_verify_optional = FALSE;
static BOOL server_verify_optional = FALSE;
-static BOOL reexpand_tls_files_for_sni = FALSE;
+static BOOL reexpand_tls_files_for_sni = FALSE;
typedef struct tls_ext_ctx_cb {
uschar *certificate;
uschar *privatekey;
#ifdef EXPERIMENTAL_OCSP
- uschar *ocsp_file;
- uschar *ocsp_file_expanded;
- OCSP_RESPONSE *ocsp_response;
+ BOOL is_server;
+ union {
+ struct {
+ uschar *file;
+ uschar *file_expanded;
+ OCSP_RESPONSE *response;
+ } server;
+ struct {
+ X509_STORE *verify_store;
+ } client;
+ } u_ocsp;
#endif
uschar *dhparam;
/* these are cached from first expand */
@@ -112,7 +122,7 @@ setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL opt
static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
#endif
#ifdef EXPERIMENTAL_OCSP
-static int tls_stapling_cb(SSL *s, void *arg);
+static int tls_server_stapling_cb(SSL *s, void *arg);
#endif
@@ -196,6 +206,29 @@ return rsa_key;
+/* Extreme debug
+#if defined(EXPERIMENTAL_OCSP)
+void
+x509_store_dump_cert_s_names(X509_STORE * store)
+{
+STACK_OF(X509_OBJECT) * roots= store->objs;
+int i;
+static uschar name[256];
+
+for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
+ {
+ X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
+ if(tmp_obj->type == X509_LU_X509)
+ {
+ X509 * current_cert= tmp_obj->data.x509;
+ X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
+ debug_printf(" %s\n", name);
+ }
+ }
+}
+#endif
+*/
+
/*************************************************
* Callback for verification *
@@ -227,25 +260,9 @@ Returns: 1 if verified, 0 if not
*/
static int
-verify_callback(int state, X509_STORE_CTX *x509ctx, BOOL client)
+verify_callback(int state, X509_STORE_CTX *x509ctx, tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
{
static uschar txt[256];
-tls_support * tlsp;
-BOOL * calledp;
-BOOL * optionalp;
-
-if (client)
- {
- tlsp= &tls_out;
- calledp= &client_verify_callback_called;
- optionalp= &client_verify_optional;
- }
-else
- {
- tlsp= &tls_in;
- calledp= &server_verify_callback_called;
- optionalp= &server_verify_optional;
- }
X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
CS txt, sizeof(txt));
@@ -268,6 +285,17 @@ if (x509ctx->error_depth != 0)
{
DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
x509ctx->error_depth, txt);
+#ifdef EXPERIMENTAL_OCSP
+ if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
+ { /* client, wanting stapling */
+ /* Add the server cert's signing chain as the one
+ for the verification of the OCSP stapled information. */
+
+ if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
+ x509ctx->current_cert))
+ ERR_clear_error();
+ }
+#endif
}
else
{
@@ -276,6 +304,10 @@ else
tlsp->peerdn = txt;
}
+/*XXX JGH: this looks bogus - we set "verified" first time through, which
+will be for the root CS cert (calls work down the chain). Why should it
+not be on the last call, where we're setting peerdn?
+*/
if (!*calledp) tlsp->certificate_verified = TRUE;
*calledp = TRUE;
@@ -285,13 +317,13 @@ return 1; /* accept */
static int
verify_callback_client(int state, X509_STORE_CTX *x509ctx)
{
-return verify_callback(state, x509ctx, TRUE);
+return verify_callback(state, x509ctx, &tls_out, &client_verify_callback_called, &client_verify_optional);
}
static int
verify_callback_server(int state, X509_STORE_CTX *x509ctx)
{
-return verify_callback(state, x509ctx, FALSE);
+return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called, &server_verify_optional);
}
@@ -418,7 +450,7 @@ return TRUE;
* Load OCSP information into state *
*************************************************/
-/* Called to load the OCSP response from the given file into memory, once
+/* Called to load the server OCSP response from the given file into memory, once
caller has determined this is needed. Checks validity. Debugs a message
if invalid.
@@ -432,9 +464,7 @@ Arguments:
*/
static void
-ocsp_load_response(SSL_CTX *sctx,
- tls_ext_ctx_cb *cbinfo,
- const uschar *expanded)
+ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
{
BIO *bio;
OCSP_RESPONSE *resp;
@@ -445,18 +475,18 @@ X509_STORE *store;
unsigned long verify_flags;
int status, reason, i;
-cbinfo->ocsp_file_expanded = string_copy(expanded);
-if (cbinfo->ocsp_response)
+cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
+if (cbinfo->u_ocsp.server.response)
{
- OCSP_RESPONSE_free(cbinfo->ocsp_response);
- cbinfo->ocsp_response = NULL;
+ OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
+ cbinfo->u_ocsp.server.response = NULL;
}
-bio = BIO_new_file(CS cbinfo->ocsp_file_expanded, "rb");
+bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb");
if (!bio)
{
DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
- cbinfo->ocsp_file_expanded);
+ cbinfo->u_ocsp.server.file_expanded);
return;
}
@@ -473,7 +503,7 @@ if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
{
DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
OCSP_response_status_str(status), status);
- return;
+ goto bad;
}
basic_response = OCSP_response_get1_basic(resp);
@@ -481,7 +511,7 @@ if (!basic_response)
{
DEBUG(D_tls)
debug_printf("OCSP response parse error: unable to extract basic response.\n");
- return;
+ goto bad;
}
store = SSL_CTX_get_cert_store(sctx);
@@ -497,8 +527,8 @@ if (i <= 0)
DEBUG(D_tls) {
ERR_error_string(ERR_get_error(), ssl_errstring);
debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
- }
- return;
+ }
+ goto bad;
}
/* Here's the simplifying assumption: there's only one response, for the
@@ -513,27 +543,43 @@ if (!single_response)
{
DEBUG(D_tls)
debug_printf("Unable to get first response from OCSP basic response.\n");
- return;
+ goto bad;
}
status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
-/* how does this status differ from the one above? */
-if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
+if (status != V_OCSP_CERTSTATUS_GOOD)
{
- DEBUG(D_tls) debug_printf("OCSP response not valid (take 2): %s (%d)\n",
- OCSP_response_status_str(status), status);
- return;
+ DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
+ OCSP_cert_status_str(status), status,
+ OCSP_crl_reason_str(reason), reason);
+ goto bad;
}
if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
{
DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
- return;
+ goto bad;
}
-cbinfo->ocsp_response = resp;
+supply_response:
+cbinfo->u_ocsp.server.response = resp;
+return;
+
+bad:
+if (running_in_test_harness)
+ {
+ extern char ** environ;
+ uschar ** p;
+ for (p = USS environ; *p != NULL; p++)
+ if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
+ {
+ DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
+ goto supply_response;
+ }
+ }
+return;
}
-#endif
+#endif /*EXPERIMENTAL_OCSP*/
@@ -542,7 +588,7 @@ cbinfo->ocsp_response = resp;
* Expand key and cert file specs *
*************************************************/
-/* Called once during tls_init and possibly againt during TLS setup, for a
+/* Called once during tls_init and possibly again during TLS setup, for a
new context, if Server Name Indication was used and tls_sni was seen in
the certificate string.
@@ -596,16 +642,16 @@ if (expanded != NULL && *expanded != 0)
}
#ifdef EXPERIMENTAL_OCSP
-if (cbinfo->ocsp_file != NULL)
+if (cbinfo->is_server && cbinfo->u_ocsp.server.file != NULL)
{
- if (!expand_check(cbinfo->ocsp_file, US"tls_ocsp_file", &expanded))
+ if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded))
return DEFER;
if (expanded != NULL && *expanded != 0)
{
DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
- if (cbinfo->ocsp_file_expanded &&
- (Ustrcmp(expanded, cbinfo->ocsp_file_expanded) == 0))
+ if (cbinfo->u_ocsp.server.file_expanded &&
+ (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
{
DEBUG(D_tls)
debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
@@ -686,9 +732,9 @@ SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
if (cbinfo->server_cipher_list)
SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
#ifdef EXPERIMENTAL_OCSP
-if (cbinfo->ocsp_file)
+if (cbinfo->u_ocsp.server.file)
{
- SSL_CTX_set_tlsext_status_cb(server_sni, tls_stapling_cb);
+ SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
}
#endif
@@ -715,6 +761,7 @@ return SSL_TLSEXT_ERR_OK;
#ifdef EXPERIMENTAL_OCSP
+
/*************************************************
* Callback to handle OCSP Stapling *
*************************************************/
@@ -728,19 +775,24 @@ project.
*/
static int
-tls_stapling_cb(SSL *s, void *arg)
+tls_server_stapling_cb(SSL *s, void *arg)
{
const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
uschar *response_der;
int response_der_len;
-DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.\n",
- cbinfo->ocsp_response ? "have" : "lack");
-if (!cbinfo->ocsp_response)
+if (log_extra_selector & LX_tls_cipher)
+ log_write(0, LOG_MAIN, "[%s] Recieved OCSP stapling req;%s responding",
+ sender_host_address, cbinfo->u_ocsp.server.response ? "":" not");
+else
+ DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.",
+ cbinfo->u_ocsp.server.response ? "have" : "lack");
+
+if (!cbinfo->u_ocsp.server.response)
return SSL_TLSEXT_ERR_NOACK;
response_der = NULL;
-response_der_len = i2d_OCSP_RESPONSE(cbinfo->ocsp_response, &response_der);
+response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, &response_der);
if (response_der_len <= 0)
return SSL_TLSEXT_ERR_NOACK;
@@ -748,8 +800,133 @@ SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
return SSL_TLSEXT_ERR_OK;
}
-#endif /* EXPERIMENTAL_OCSP */
+static void
+time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
+{
+BIO_printf(bp, "\t%s: ", str);
+ASN1_GENERALIZEDTIME_print(bp, time);
+BIO_puts(bp, "\n");
+}
+
+static int
+tls_client_stapling_cb(SSL *s, void *arg)
+{
+tls_ext_ctx_cb * cbinfo = arg;
+const unsigned char * p;
+int len;
+OCSP_RESPONSE * rsp;
+OCSP_BASICRESP * bs;
+int i;
+
+DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
+len = SSL_get_tlsext_status_ocsp_resp(s, &p);
+if(!p)
+ {
+ if (log_extra_selector & LX_tls_cipher)
+ log_write(0, LOG_MAIN, "Received TLS status response, null content");
+ else
+ DEBUG(D_tls) debug_printf(" null\n");
+ return 0; /* This is the fail case for require-ocsp; none from server */
+ }
+if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
+ {
+ if (log_extra_selector & LX_tls_cipher)
+ log_write(0, LOG_MAIN, "Received TLS status response, parse error");
+ else
+ DEBUG(D_tls) debug_printf(" parse error\n");
+ return 0;
+ }
+
+if(!(bs = OCSP_response_get1_basic(rsp)))
+ {
+ if (log_extra_selector & LX_tls_cipher)
+ log_write(0, LOG_MAIN, "Received TLS status response, error parsing response");
+ else
+ DEBUG(D_tls) debug_printf(" error parsing response\n");
+ OCSP_RESPONSE_free(rsp);
+ return 0;
+ }
+
+/* We'd check the nonce here if we'd put one in the request. */
+/* However that would defeat cacheability on the server so we don't. */
+
+
+/* This section of code reworked from OpenSSL apps source;
+ The OpenSSL Project retains copyright:
+ Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+*/
+ {
+ BIO * bp = NULL;
+ OCSP_CERTID *id;
+ int status, reason;
+ ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
+
+ DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+ /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
+
+ /* Use the chain that verified the server cert to verify the stapled info */
+ /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
+
+ if ((i = OCSP_basic_verify(bs, NULL, cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
+ {
+ BIO_printf(bp, "OCSP response verify failure\n");
+ ERR_print_errors(bp);
+ i = 0;
+ goto out;
+ }
+
+ BIO_printf(bp, "OCSP response well-formed and signed OK\n");
+
+ {
+ STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
+ OCSP_SINGLERESP * single;
+
+ if (sk_OCSP_SINGLERESP_num(sresp) != 1)
+ {
+ log_write(0, LOG_MAIN, "OCSP stapling with multiple responses not handled");
+ goto out;
+ }
+ single = OCSP_resp_get0(bs, 0);
+ status = OCSP_single_get0_status(single, &reason, &rev, &thisupd, &nextupd);
+ }
+
+ i = 0;
+ DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
+ DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
+ if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
+ {
+ DEBUG(D_tls) ERR_print_errors(bp);
+ log_write(0, LOG_MAIN, "Server OSCP dates invalid");
+ goto out;
+ }
+
+ DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n", OCSP_cert_status_str(status));
+ switch(status)
+ {
+ case V_OCSP_CERTSTATUS_GOOD:
+ i = 1;
+ break;
+ case V_OCSP_CERTSTATUS_REVOKED:
+ log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
+ reason != -1 ? "; reason: " : "", reason != -1 ? OCSP_crl_reason_str(reason) : "");
+ DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
+ i = 0;
+ break;
+ default:
+ log_write(0, LOG_MAIN, "Server certificate status unknown, in OCSP stapling");
+ i = 0;
+ break;
+ }
+ out:
+ BIO_free(bp);
+ }
+
+OCSP_RESPONSE_free(rsp);
+return i;
+}
+#endif /*EXPERIMENTAL_OCSP*/
@@ -765,6 +942,7 @@ Arguments:
dhparam DH parameter file
certificate certificate file
privatekey private key
+ ocsp_file file of stapling info (server); flag for require ocsp (client)
addr address if client; NULL if server (for some randomness)
Returns: OK/DEFER/FAIL
@@ -787,9 +965,14 @@ cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
cbinfo->certificate = certificate;
cbinfo->privatekey = privatekey;
#ifdef EXPERIMENTAL_OCSP
-cbinfo->ocsp_file = ocsp_file;
-cbinfo->ocsp_file_expanded = NULL;
-cbinfo->ocsp_response = NULL;
+if ((cbinfo->is_server = host==NULL))
+ {
+ cbinfo->u_ocsp.server.file = ocsp_file;
+ cbinfo->u_ocsp.server.file_expanded = NULL;
+ cbinfo->u_ocsp.server.response = NULL;
+ }
+else
+ cbinfo->u_ocsp.client.verify_store = NULL;
#endif
cbinfo->dhparam = dhparam;
cbinfo->host = host;
@@ -881,24 +1064,37 @@ if (rc != OK) return rc;
/* If we need to handle SNI, do so */
#ifdef EXIM_HAVE_OPENSSL_TLSEXT
-if (host == NULL)
+if (host == NULL) /* server */
{
-#ifdef EXPERIMENTAL_OCSP
- /* We check ocsp_file, not ocsp_response, because we care about if
+# ifdef EXPERIMENTAL_OCSP
+ /* We check u_ocsp.server.file, not server.response, because we care about if
the option exists, not what the current expansion might be, as SNI might
change the certificate and OCSP file in use between now and the time the
callback is invoked. */
- if (cbinfo->ocsp_file)
+ if (cbinfo->u_ocsp.server.file)
{
- SSL_CTX_set_tlsext_status_cb(server_ctx, tls_stapling_cb);
+ SSL_CTX_set_tlsext_status_cb(server_ctx, tls_server_stapling_cb);
SSL_CTX_set_tlsext_status_arg(server_ctx, cbinfo);
}
-#endif
+# endif
/* We always do this, so that $tls_sni is available even if not used in
tls_certificate */
SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
}
+# ifdef EXPERIMENTAL_OCSP
+else /* client */
+ if(ocsp_file) /* wanting stapling */
+ {
+ if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
+ {
+ DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
+ return FAIL;
+ }
+ SSL_CTX_set_tlsext_status_cb(*ctxp, tls_client_stapling_cb);
+ SSL_CTX_set_tlsext_status_arg(*ctxp, cbinfo);
+ }
+# endif
#endif
/* Set up the RSA callback */
@@ -1292,7 +1488,6 @@ Argument:
fd the fd of the connection
host connected host (for messages)
addr the first address
- dhparam DH parameter file
certificate certificate file
privatekey private key file
sni TLS SNI to send to remote host
@@ -1309,20 +1504,28 @@ Returns: OK on success
*/
int
-tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
+tls_client_start(int fd, host_item *host, address_item *addr,
uschar *certificate, uschar *privatekey, uschar *sni,
uschar *verify_certs, uschar *crl,
- uschar *require_ciphers, int dh_min_bits ARG_UNUSED, int timeout)
+ uschar *require_ciphers,
+#ifdef EXPERIMENTAL_OCSP
+ uschar *hosts_require_ocsp,
+#endif
+ int dh_min_bits ARG_UNUSED, int timeout)
{
static uschar txt[256];
uschar *expciphers;
X509* server_cert;
int rc;
static uschar cipherbuf[256];
+#ifdef EXPERIMENTAL_OCSP
+BOOL require_ocsp = verify_check_this_host(&hosts_require_ocsp,
+ NULL, host->name, host->address, NULL) == OK;
+#endif
-rc = tls_init(&client_ctx, host, dhparam, certificate, privatekey,
+rc = tls_init(&client_ctx, host, NULL, certificate, privatekey,
#ifdef EXPERIMENTAL_OCSP
- NULL,
+ require_ocsp ? US"" : NULL,
#endif
addr, &client_static_cbinfo);
if (rc != OK) return rc;
@@ -1377,6 +1580,13 @@ if (sni)
}
}
+#ifdef EXPERIMENTAL_OCSP
+/* Request certificate status at connection-time. If the server
+does OCSP stapling we will get the callback (set in tls_init()) */
+if (require_ocsp)
+ SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
+#endif
+
/* There doesn't seem to be a built-in timeout on connection. */
DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index ee260a1..4b5529f 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -101,6 +101,10 @@ optionlist smtp_transport_options[] = {
{ "hosts_require_auth", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_require_auth) },
#ifdef SUPPORT_TLS
+# if defined EXPERIMENTAL_OCSP
+ { "hosts_require_ocsp", opt_stringptr,
+ (void *)offsetof(smtp_transport_options_block, hosts_require_ocsp) },
+# endif
{ "hosts_require_tls", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_require_tls) },
#endif
@@ -179,6 +183,9 @@ smtp_transport_options_block smtp_transport_option_defaults = {
#ifdef EXPERIMENTAL_PRDR
NULL, /* hosts_try_prdr */
#endif
+#ifdef EXPERIMENTAL_OCSP
+ NULL, /* hosts_require_ocsp */
+#endif
NULL, /* hosts_require_tls */
NULL, /* hosts_avoid_tls */
US"*", /* hosts_verify_avoid_tls */
@@ -1147,13 +1154,15 @@ if (tls_offered && !suppress_tls &&
int rc = tls_client_start(inblock.sock,
host,
addrlist,
- NULL, /* No DH param */
ob->tls_certificate,
ob->tls_privatekey,
ob->tls_sni,
ob->tls_verify_certificates,
ob->tls_crl,
ob->tls_require_ciphers,
+#ifdef EXPERIMENTAL_OCSP
+ ob->hosts_require_ocsp,
+#endif
ob->tls_dh_min_bits,
ob->command_timeout);
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index ef53292..4bea203 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -24,6 +24,9 @@ typedef struct {
#ifdef EXPERIMENTAL_PRDR
uschar *hosts_try_prdr;
#endif
+#ifdef EXPERIMENTAL_OCSP
+ uschar *hosts_require_ocsp;
+#endif
uschar *hosts_require_tls;
uschar *hosts_avoid_tls;
uschar *hosts_verify_avoid_tls;
diff --git a/src/src/verify.c b/src/src/verify.c
index a1b8142..5240457 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -634,12 +634,14 @@ else
else
{
int rc = tls_client_start(inblock.sock, host, addr,
- NULL, /* No DH param */
ob->tls_certificate, ob->tls_privatekey,
ob->tls_sni,
ob->tls_verify_certificates, ob->tls_crl,
- ob->tls_require_ciphers, ob->tls_dh_min_bits,
- callout);
+ ob->tls_require_ciphers,
+#ifdef EXPERIMENTAL_OCSP
+ ob->hosts_require_ocsp,
+#endif
+ ob->tls_dh_min_bits, callout);
/* TLS negotiation failed; give an error. Try in clear on a new connection,
if the options permit it for this host. */
diff --git a/test/README b/test/README
index 7e778ee..c64b022 100644
--- a/test/README
+++ b/test/README
@@ -843,9 +843,11 @@ and port, using the specified interface, if one is given.
When OpenSSL is available on the host, an alternative version of the client
program is compiled, one that supports TLS using OpenSSL. The additional
-arguments specify a certificate and key file when required. There is one
-additional option, -tls-on-connect, that causes the client to initiate TLS
-negotiation immediately on connection.
+arguments specify a certificate and key file when required for the connection.
+There are two additional options: -tls-on-connect, that causes the client to
+initiate TLS negociation immediately on connection; -ocsp that causes the TLS
+negotiation to include a certificate-status request. The latter takes a
+filename argument, the CA info for verifying the stapled response.
client-gnutls [<options>] <ip address> <port> [<outgoing interface>] \
diff --git a/test/aux-fixed/exim-ca/README b/test/aux-fixed/exim-ca/README
new file mode 100644
index 0000000..b8d2a41
--- /dev/null
+++ b/test/aux-fixed/exim-ca/README
@@ -0,0 +1,51 @@
+
+The three directories each contain a complete CA with server signing
+certificate, OCSP signing certificate and a selection of server
+certificates under each domain.
+
+For each directory there are a number of subdirectories.
+
+ CA - The main certificate signing directory.
+
+ Within this directory the primary file sof interest
+ will be the two CRL files, crl.empty and crl.v2
+ These are valid CRLs; the "v2" containing the two
+ revoked certs.
+
+ BLANK - a template usable for client-only machines
+ for clients of this private CA.
+
+ *.example.* - individual server certificates.
+
+The six certificate subdirs each contain a cert for a machine
+by that name; those in the "expired" ones are out-of-date (the
+rest expire in 2038). The "1" and "2" systems/certs have
+equivalent properties.
+
+In each certicate subdir: the ".db" files are NSS version of the cert,
+the ".pem", ".key" and ".unlocked.key" are usable by OpenSSL (the
+ca_chain.pem being a copy of the CA public information and signer
+public information).
+
+The ".p12" file rolls up the CA, Signer and cert info. Both the ".p12"
+and NSS info are passworded using the "pwdfile".
+The ocsp request file is one a client would send to an OCSP responder.
+The ocsp response files are those gotten that way. in .der format;
+"good" being all well, "dated" meaning the response (not the cert)
+is out-of-date, and "revoked" meaning the cert has been revoked.
+
+
+The files were created using the genall script which utilises a
+combination of tools,
+
+ openssl
+ nss-tools
+ clica
+
+of these the only unfamiliar one is likely to be clica, a command
+line CA tool which can be found at
+
+ http://people.redhat.com/mpoole/clica/
+
+
+
diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/CA.pem b/test/aux-fixed/exim-ca/example.com/BLANK/CA.pem
new file mode 100644
index 0000000..d51c5d0
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/BLANK/CA.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
+MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
+mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
+ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/Signer.pem b/test/aux-fixed/exim-ca/example.com/BLANK/Signer.pem
new file mode 100644
index 0000000..fc29ebb
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/BLANK/Signer.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/cert8.db b/test/aux-fixed/exim-ca/example.com/BLANK/cert8.db
new file mode 100644
index 0000000..f82510f
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/BLANK/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/key3.db b/test/aux-fixed/exim-ca/example.com/BLANK/key3.db
new file mode 100644
index 0000000..cb031c0
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/BLANK/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/pwdfile b/test/aux-fixed/exim-ca/example.com/BLANK/pwdfile
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/BLANK/pwdfile
@@ -0,0 +1 @@
+
diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/secmod.db b/test/aux-fixed/exim-ca/example.com/BLANK/secmod.db
new file mode 100644
index 0000000..8a83193
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/BLANK/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/CA/CA.pem b/test/aux-fixed/exim-ca/example.com/CA/CA.pem
new file mode 100644
index 0000000..d51c5d0
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/CA.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
+MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
+mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
+ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/CA/OCSP.key b/test/aux-fixed/exim-ca/example.com/CA/OCSP.key
new file mode 100644
index 0000000..7a361dc
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/OCSP.key
@@ -0,0 +1,14 @@
+Bag Attributes
+ friendlyName: OCSP Signer
+ localKeyID: A6 E7 21 3B BE A3 47 BE 58 6F 34 77 E2 AA D5 22 91 AA 0F D6
+Key Attributes: <No Attributes>
+-----BEGIN PRIVATE KEY-----
+MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEAuGANFQATQUtX6l1r
+tDa/TimQ722a/2wGSmty/n9Va36t7O9S0Uxi7yQMN11I284FekjzP82THLWv4TJZ
+x7AvywIDAQABAkAhrko1f+IEl4Lj6VT3gtjHqogzdM5PwqgTiDVlkFVGYXp6a8o6
+ySmMofHeEjDgPFI7sz12eQOoofjhjTCnTcJhAiEA3Afe796M2vm5+V6t1ayFhgP0
+9QnSVde6mLvqHFHAKHUCIQDWhAVspNc3bw2PIBqlK2ibANwi9BFurBlATBHhKP3v
+PwIgTiwttKMpABOBU2uj7ypgNgDp4rUemYkPrnv07SLOVpECIAVXhEsQT8uxmETY
+J9G1IwW5H8I/EbAP2REg09EnlCtBAiBgZn9NxSr05na0P+NjyIPQ44Y9L5R9P3PL
+2PceGVDcQw==
+-----END PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/CA/OCSP.p12 b/test/aux-fixed/exim-ca/example.com/CA/OCSP.p12
new file mode 100644
index 0000000..208dc69
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/CA/OCSP.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/CA/OCSP.pem b/test/aux-fixed/exim-ca/example.com/CA/OCSP.pem
new file mode 100644
index 0000000..f78456d
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/OCSP.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBgDCCASqgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMVoXDTM4MDEwMTEyMzQwMVowMjEUMBIGA1UEChMLZXhhbXBsZS5jb20xGjAY
+BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJB
+ALhgDRUAE0FLV+pda7Q2v04pkO9tmv9sBkprcv5/VWt+rezvUtFMYu8kDDddSNvO
+BXpI8z/Nkxy1r+EyWcewL8sCAwEAAaMqMCgwDgYDVR0PAQH/BAQDAgeAMBYGA1Ud
+JQEB/wQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBBQUAA0EAQalK8cinGimBjryO
+q8scOPr7Zkv2RlhnUUTtpPfFKkTne9yXyXxBVDfy8wwPTz7ZTOzMVtPTgFT9g0Kf
+tXze7g==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/CA/Signer.pem b/test/aux-fixed/exim-ca/example.com/CA/Signer.pem
new file mode 100644
index 0000000..fc29ebb
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/Signer.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/CA/ca.conf b/test/aux-fixed/exim-ca/example.com/CA/ca.conf
new file mode 100644
index 0000000..9087589
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/ca.conf
@@ -0,0 +1,18 @@
+; Config::Simple 4.59
+; Thu Nov 1 12:34:00 2012
+
+[CLICA]
+crl_url=http://crl.example.com/latest.crl
+crl_signer=Signing Cert
+level=1
+signer=Signing Cert
+ocsp_signer=OCSP Signer
+ocsp_url=http://oscp/example.com/
+
+[CA]
+org=example.com
+subject=clica CA
+name=Certificate Authority
+bits=512
+
+
diff --git a/test/aux-fixed/exim-ca/example.com/CA/cert8.db b/test/aux-fixed/exim-ca/example.com/CA/cert8.db
new file mode 100644
index 0000000..5ae1201
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/CA/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.empty b/test/aux-fixed/exim-ca/example.com/CA/crl.empty
new file mode 100644
index 0000000..7814b80
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/CA/crl.empty differ
diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.empty.in.txt b/test/aux-fixed/exim-ca/example.com/CA/crl.empty.in.txt
new file mode 100644
index 0000000..250311c
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/crl.empty.in.txt
@@ -0,0 +1 @@
+update=20130127152434Z
diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.empty.pem b/test/aux-fixed/exim-ca/example.com/CA/crl.empty.pem
new file mode 100644
index 0000000..fdc506d
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/crl.empty.pem
@@ -0,0 +1,6 @@
+-----BEGIN X509 CRL-----
+MIGsMFgCAQEwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5jb20x
+GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxMzAxMjcxNTI0MzRaMA0G
+CSqGSIb3DQEBBQUAA0EAjClqFKe0w0T5ARNSMOSfuDtbOA0iN2yOrUwJfidgQdVQ
+YPW+5TwKhe+Vm6skgHSIWNcuMVzojsuDZcBZnNimPA==
+-----END X509 CRL-----
diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.v2 b/test/aux-fixed/exim-ca/example.com/CA/crl.v2
new file mode 100644
index 0000000..66fb34d
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/CA/crl.v2 differ
diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.v2.in.txt b/test/aux-fixed/exim-ca/example.com/CA/crl.v2.in.txt
new file mode 100644
index 0000000..434045f
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/crl.v2.in.txt
@@ -0,0 +1,3 @@
+update=20130127152437Z
+addcert 102 20130127152437Z
+addcert 202 20130127152437Z
diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.v2.pem b/test/aux-fixed/exim-ca/example.com/CA/crl.v2.pem
new file mode 100644
index 0000000..da781d7
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/crl.v2.pem
@@ -0,0 +1,7 @@
+-----BEGIN X509 CRL-----
+MIHcMIGHAgEBMA0GCSqGSIb3DQEBBQUAMDMxFDASBgNVBAoTC2V4YW1wbGUuY29t
+MRswGQYDVQQDExJjbGljYSBTaWduaW5nIENlcnQYDzIwMTMwMTI3MTUyNDM3WjAt
+MBQCAWYYDzIwMTMwMTI3MTUyNDM3WjAVAgIAyhgPMjAxMzAxMjcxNTI0MzdaMA0G
+CSqGSIb3DQEBBQUAA0EAS5A0/pStULkfIhBRMt+DfehLBbppc6FftG3TpBMvBW4k
+xGwMPKUN8lk3uMuQxk/cvbaFqPtiR/WnkAFc3i1bpA==
+-----END X509 CRL-----
diff --git a/test/aux-fixed/exim-ca/example.com/CA/index.revoked.txt b/test/aux-fixed/exim-ca/example.com/CA/index.revoked.txt
new file mode 100644
index 0000000..d69d74d
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/index.revoked.txt
@@ -0,0 +1,6 @@
+R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.example.com
+R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.example.com
+R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.example.com
+R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.example.com
+R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.example.com
+R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.example.com
diff --git a/test/aux-fixed/exim-ca/example.com/CA/index.valid.txt b/test/aux-fixed/exim-ca/example.com/CA/index.valid.txt
new file mode 100644
index 0000000..126acf7
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/index.valid.txt
@@ -0,0 +1,6 @@
+V 130110200751Z 65 unknown CN=server1.example.com
+V 130110200751Z 66 unknown CN=revoked1.example.com
+V 130110200751Z 67 unknown CN=expired1.example.com
+V 130110200751Z c9 unknown CN=server2.example.com
+V 130110200751Z ca unknown CN=revoked2.example.com
+V 130110200751Z cb unknown CN=expired2.example.com
diff --git a/test/aux-fixed/exim-ca/example.com/CA/key3.db b/test/aux-fixed/exim-ca/example.com/CA/key3.db
new file mode 100644
index 0000000..30718a9
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/CA/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/CA/noise.file b/test/aux-fixed/exim-ca/example.com/CA/noise.file
new file mode 100644
index 0000000..0003cbb
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/noise.file
@@ -0,0 +1,342 @@
+processor : 0
+vendor_id : GenuineIntel
+cpu family : 6
+model : 26
+model name : Intel(R) Xeon(R) CPU E5520 @ 2.27GHz
+stepping : 5
+cpu MHz : 2260.628
+cache size : 8192 KB
+fpu : yes
+fpu_exception : yes
+cpuid level : 11
+wp : yes
+flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts
+bogomips : 4521.25
+clflush size : 64
+cache_alignment : 64
+address sizes : 40 bits physical, 48 bits virtual
+power management:
+
+processor : 1
+vendor_id : GenuineIntel
+cpu family : 6
+model : 26
+model name : Intel(R) Xeon(R) CPU E5520 @ 2.27GHz
+stepping : 5
+cpu MHz : 2260.628
+cache size : 8192 KB
+fpu : yes
+fpu_exception : yes
+cpuid level : 11
+wp : yes
+flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts
+bogomips : 4521.25
+clflush size : 64
+cache_alignment : 64
+address sizes : 40 bits physical, 48 bits virtual
+power management:
+
+ CPU0 CPU1
+ 0: 2481 0 IO-APIC-edge timer
+ 1: 21441 346 IO-APIC-edge i8042
+ 3: 1 0 IO-APIC-edge
+ 4: 1 0 IO-APIC-edge
+ 7: 0 0 IO-APIC-edge parport0
+ 8: 1 0 IO-APIC-edge rtc0
+ 9: 0 0 IO-APIC-fasteoi acpi
+ 12: 78986 1718 IO-APIC-edge i8042
+ 14: 0 0 IO-APIC-edge ata_piix
+ 15: 2423330 1435 IO-APIC-edge ata_piix
+ 16: 1025 0 IO-APIC-fasteoi Ensoniq AudioPCI
+ 17: 239842 2559 IO-APIC-fasteoi ehci_hcd:usb1, ioc0
+ 18: 246 0 IO-APIC-fasteoi uhci_hcd:usb2
+ 19: 1868676 51479 IO-APIC-fasteoi eth0
+ 24: 0 0 PCI-MSI-edge pciehp
+ 25: 0 0 PCI-MSI-edge pciehp
+ 26: 0 0 PCI-MSI-edge pciehp
+ 27: 0 0 PCI-MSI-edge pciehp
+ 28: 0 0 PCI-MSI-edge pciehp
+ 29: 0 0 PCI-MSI-edge pciehp
+ 30: 0 0 PCI-MSI-edge pciehp
+ 31: 0 0 PCI-MSI-edge pciehp
+ 32: 0 0 PCI-MSI-edge pciehp
+ 33: 0 0 PCI-MSI-edge pciehp
+ 34: 0 0 PCI-MSI-edge pciehp
+ 35: 0 0 PCI-MSI-edge pciehp
+ 36: 0 0 PCI-MSI-edge pciehp
+ 37: 0 0 PCI-MSI-edge pciehp
+ 38: 0 0 PCI-MSI-edge pciehp
+ 39: 0 0 PCI-MSI-edge pciehp
+ 40: 0 0 PCI-MSI-edge pciehp
+ 41: 0 0 PCI-MSI-edge pciehp
+ 42: 0 0 PCI-MSI-edge pciehp
+ 43: 0 0 PCI-MSI-edge pciehp
+ 44: 0 0 PCI-MSI-edge pciehp
+ 45: 0 0 PCI-MSI-edge pciehp
+ 46: 0 0 PCI-MSI-edge pciehp
+ 47: 0 0 PCI-MSI-edge pciehp
+ 48: 0 0 PCI-MSI-edge pciehp
+ 49: 0 0 PCI-MSI-edge pciehp
+ 50: 0 0 PCI-MSI-edge pciehp
+ 51: 0 0 PCI-MSI-edge pciehp
+ 52: 0 0 PCI-MSI-edge pciehp
+ 53: 0 0 PCI-MSI-edge pciehp
+ 54: 0 0 PCI-MSI-edge pciehp
+ 55: 0 0 PCI-MSI-edge pciehp
+ 56: 1 0 PCI-MSI-edge vmci
+ 57: 0 0 PCI-MSI-edge vmci
+NMI: 0 0 Non-maskable interrupts
+LOC: 12397935 14240444 Local timer interrupts
+SPU: 0 0 Spurious interrupts
+PMI: 0 0 Performance monitoring interrupts
+IWI: 0 0 IRQ work interrupts
+RES: 282548 308972 Rescheduling interrupts
+CAL: 1955 163540 Function call interrupts
+TLB: 17884 15542 TLB shootdowns
+TRM: 0 0 Thermal event interrupts
+THR: 0 0 Threshold APIC interrupts
+MCE: 0 0 Machine check exceptions
+MCP: 2310 2310 Machine check polls
+ERR: 0
+MIS: 0
+MemTotal: 1914844 kB
+MemFree: 135496 kB
+Buffers: 142048 kB
+Cached: 951840 kB
+SwapCached: 108 kB
+Active: 980724 kB
+Inactive: 540136 kB
+Active(anon): 287056 kB
+Inactive(anon): 143480 kB
+Active(file): 693668 kB
+Inactive(file): 396656 kB
+Unevictable: 0 kB
+Mlocked: 0 kB
+SwapTotal: 4194296 kB
+SwapFree: 4193560 kB
+Dirty: 928 kB
+Writeback: 0 kB
+AnonPages: 427064 kB
+Mapped: 70976 kB
+Shmem: 3400 kB
+Slab: 190892 kB
+SReclaimable: 125404 kB
+SUnreclaim: 65488 kB
+KernelStack: 2304 kB
+PageTables: 23476 kB
+NFS_Unstable: 0 kB
+Bounce: 0 kB
+WritebackTmp: 0 kB
+CommitLimit: 5151716 kB
+Committed_AS: 973184 kB
+VmallocTotal: 34359738367 kB
+VmallocUsed: 280772 kB
+VmallocChunk: 34359441168 kB
+HardwareCorrupted: 0 kB
+AnonHugePages: 249856 kB
+HugePages_Total: 0
+HugePages_Free: 0
+HugePages_Rsvd: 0
+HugePages_Surp: 0
+Hugepagesize: 2048 kB
+DirectMap4k: 8192 kB
+DirectMap2M: 2088960 kB
+slabinfo - version: 2.1
+# name <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
+bridge_fdb_cache 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
+fuse_request 0 0 632 6 1 : tunables 54 27 8 : slabdata 0 0 0
+fuse_inode 0 0 768 5 1 : tunables 54 27 8 : slabdata 0 0 0
+rpc_buffers 8 8 2048 2 1 : tunables 24 12 8 : slabdata 4 4 0
+rpc_tasks 8 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
+rpc_inode_cache 8 8 832 4 1 : tunables 54 27 8 : slabdata 2 2 0
+hgfsInodeCache 1 6 640 6 1 : tunables 54 27 8 : slabdata 1 1 0
+AF_VMCI 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
+nf_conntrack_expect 0 0 240 16 1 : tunables 120 60 8 : slabdata 0 0 0
+nf_conntrack_ffffffff8200cec0 22 26 304 13 1 : tunables 54 27 8 : slabdata 2 2 0
+fib6_nodes 22 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0
+ip6_dst_cache 13 30 384 10 1 : tunables 54 27 8 : slabdata 3 3 0
+ndisc_cache 1 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
+ip6_mrt_cache 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
+RAWv6 67 68 1024 4 1 : tunables 54 27 8 : slabdata 17 17 0
+UDPLITEv6 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
+UDPv6 4 4 1024 4 1 : tunables 54 27 8 : slabdata 1 1 0
+tw_sock_TCPv6 0 0 320 12 1 : tunables 54 27 8 : slabdata 0 0 0
+request_sock_TCPv6 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
+TCPv6 9 10 1856 2 1 : tunables 24 12 8 : slabdata 5 5 0
+jbd2_1k 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
+avtab_node 502203 502416 24 144 1 : tunables 120 60 8 : slabdata 3489 3489 0
+ext4_inode_cache 74762 74820 1024 4 1 : tunables 54 27 8 : slabdata 18705 18705 0
+ext4_xattr 9 44 88 44 1 : tunables 120 60 8 : slabdata 1 1 0
+ext4_free_block_extents 32 67 56 67 1 : tunables 120 60 8 : slabdata 1 1 0
+ext4_alloc_context 28 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0
+ext4_prealloc_space 18 37 104 37 1 : tunables 120 60 8 : slabdata 1 1 0
+ext4_system_zone 0 0 40 92 1 : tunables 120 60 8 : slabdata 0 0 0
+jbd2_journal_handle 32 144 24 144 1 : tunables 120 60 8 : slabdata 1 1 0
+jbd2_journal_head 74 102 112 34 1 : tunables 120 60 8 : slabdata 3 3 0
+jbd2_revoke_table 4 202 16 202 1 : tunables 120 60 8 : slabdata 1 1 0
+jbd2_revoke_record 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
+dm_crypt_io 50 50 152 25 1 : tunables 120 60 8 : slabdata 2 2 0
+sd_ext_cdb 2 112 32 112 1 : tunables 120 60 8 : slabdata 1 1 0
+scsi_sense_cache 25 60 128 30 1 : tunables 120 60 8 : slabdata 2 2 0
+scsi_cmd_cache 28 45 256 15 1 : tunables 120 60 8 : slabdata 3 3 0
+dm_raid1_read_record 0 0 1064 7 2 : tunables 24 12 8 : slabdata 0 0 0
+kcopyd_job 0 0 3240 2 2 : tunables 24 12 8 : slabdata 0 0 0
+io 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
+dm_uevent 0 0 2608 3 2 : tunables 24 12 8 : slabdata 0 0 0
+dm_rq_clone_bio_info 0 0 16 202 1 : tunables 120 60 8 : slabdata 0 0 0
+dm_rq_target_io 0 0 392 10 1 : tunables 54 27 8 : slabdata 0 0 0
+dm_target_io 844 864 24 144 1 : tunables 120 60 8 : slabdata 6 6 0
+dm_io 828 828 40 92 1 : tunables 120 60 8 : slabdata 9 9 0
+flow_cache 0 0 96 40 1 : tunables 120 60 8 : slabdata 0 0 0
+uhci_urb_priv 6 67 56 67 1 : tunables 120 60 8 : slabdata 1 1 0
+cfq_io_context 4 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0
+cfq_queue 5 16 240 16 1 : tunables 120 60 8 : slabdata 1 1 0
+bsg_cmd 0 0 312 12 1 : tunables 54 27 8 : slabdata 0 0 0
+mqueue_inode_cache 1 4 896 4 1 : tunables 54 27 8 : slabdata 1 1 0
+isofs_inode_cache 0 0 640 6 1 : tunables 54 27 8 : slabdata 0 0 0
+hugetlbfs_inode_cache 1 6 608 6 1 : tunables 54 27 8 : slabdata 1 1 0
+dquot 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
+kioctx 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0
+kiocb 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
+inotify_event_private_data 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
+inotify_inode_mark_entry 186 204 112 34 1 : tunables 120 60 8 : slabdata 6 6 0
+dnotify_mark_entry 1 34 112 34 1 : tunables 120 60 8 : slabdata 1 1 0
+dnotify_struct 1 112 32 112 1 : tunables 120 60 8 : slabdata 1 1 0
+fasync_cache 6 144 24 144 1 : tunables 120 60 8 : slabdata 1 1 0
+khugepaged_mm_slot 83 92 40 92 1 : tunables 120 60 8 : slabdata 1 1 0
+ksm_mm_slot 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
+ksm_stable_node 0 0 40 92 1 : tunables 120 60 8 : slabdata 0 0 0
+ksm_rmap_item 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
+utrace_engine 0 0 56 67 1 : tunables 120 60 8 : slabdata 0 0 0
+utrace 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
+pid_namespace 0 0 2120 3 2 : tunables 24 12 8 : slabdata 0 0 0
+nsproxy 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
+posix_timers_cache 0 0 176 22 1 : tunables 120 60 8 : slabdata 0 0 0
+uid_cache 10 60 128 30 1 : tunables 120 60 8 : slabdata 2 2 0
+UNIX 459 480 768 5 1 : tunables 54 27 8 : slabdata 96 96 0
+ip_mrt_cache 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
+UDP-Lite 0 0 832 9 2 : tunables 54 27 8 : slabdata 0 0 0
+tcp_bind_bucket 15 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0
+inet_peer_cache 4 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0
+secpath_cache 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
+xfrm_dst_cache 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0
+ip_fib_alias 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
+ip_fib_hash 10 106 72 53 1 : tunables 120 60 8 : slabdata 2 2 0
+ip_dst_cache 29 50 384 10 1 : tunables 54 27 8 : slabdata 5 5 0
+arp_cache 4 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
+RAW 65 72 832 9 2 : tunables 54 27 8 : slabdata 8 8 0
+UDP 6 18 832 9 2 : tunables 54 27 8 : slabdata 2 2 0
+tw_sock_TCP 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
+request_sock_TCP 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
+TCP 20 24 1664 4 2 : tunables 24 12 8 : slabdata 6 6 0
+eventpoll_pwq 126 212 72 53 1 : tunables 120 60 8 : slabdata 4 4 0
+eventpoll_epi 126 180 128 30 1 : tunables 120 60 8 : slabdata 6 6 0
+sgpool-128 2 2 4096 1 1 : tunables 24 12 8 : slabdata 2 2 0
+sgpool-64 2 2 2048 2 1 : tunables 24 12 8 : slabdata 1 1 0
+sgpool-32 2 4 1024 4 1 : tunables 54 27 8 : slabdata 1 1 0
+sgpool-16 2 8 512 8 1 : tunables 54 27 8 : slabdata 1 1 0
+sgpool-8 15 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
+scsi_data_buffer 0 0 24 144 1 : tunables 120 60 8 : slabdata 0 0 0
+blkdev_integrity 0 0 112 34 1 : tunables 120 60 8 : slabdata 0 0 0
+blkdev_queue 29 30 2856 2 2 : tunables 24 12 8 : slabdata 15 15 0
+blkdev_requests 42 66 352 11 1 : tunables 54 27 8 : slabdata 5 6 0
+blkdev_ioc 5 48 80 48 1 : tunables 120 60 8 : slabdata 1 1 0
+fsnotify_event_holder 0 0 24 144 1 : tunables 120 60 8 : slabdata 0 0 0
+fsnotify_event 0 0 104 37 1 : tunables 120 60 8 : slabdata 0 0 0
+bio-0 180 180 192 20 1 : tunables 120 60 8 : slabdata 9 9 0
+biovec-256 66 66 4096 1 1 : tunables 24 12 8 : slabdata 66 66 0
+biovec-128 0 0 2048 2 1 : tunables 24 12 8 : slabdata 0 0 0
+biovec-64 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
+biovec-16 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
+bip-256 2 2 4224 1 2 : tunables 8 4 0 : slabdata 2 2 0
+bip-128 0 0 2176 3 2 : tunables 24 12 8 : slabdata 0 0 0
+bip-64 0 0 1152 7 2 : tunables 24 12 8 : slabdata 0 0 0
+bip-16 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0
+bip-4 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
+bip-1 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
+sock_inode_cache 667 685 704 5 1 : tunables 54 27 8 : slabdata 137 137 0
+skbuff_fclone_cache 7 7 512 7 1 : tunables 54 27 8 : slabdata 1 1 0
+skbuff_head_cache 302 450 256 15 1 : tunables 120 60 8 : slabdata 30 30 0
+file_lock_cache 38 44 176 22 1 : tunables 120 60 8 : slabdata 2 2 0
+net_namespace 0 0 2112 3 2 : tunables 24 12 8 : slabdata 0 0 0
+shmem_inode_cache 774 775 800 5 1 : tunables 54 27 8 : slabdata 155 155 0
+Acpi-Operand 4563 4664 72 53 1 : tunables 120 60 8 : slabdata 88 88 0
+Acpi-ParseExt 0 0 72 53 1 : tunables 120 60 8 : slabdata 0 0 0
+Acpi-Parse 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
+Acpi-State 0 0 80 48 1 : tunables 120 60 8 : slabdata 0 0 0
+Acpi-Namespace 3311 3312 40 92 1 : tunables 120 60 8 : slabdata 36 36 0
+task_delay_info 332 340 112 34 1 : tunables 120 60 8 : slabdata 10 10 0
+taskstats 5 12 328 12 1 : tunables 54 27 8 : slabdata 1 1 0
+proc_inode_cache 1008 1008 640 6 1 : tunables 54 27 8 : slabdata 168 168 0
+sigqueue 35 48 160 24 1 : tunables 120 60 8 : slabdata 2 2 0
+bdev_cache 32 36 832 4 1 : tunables 54 27 8 : slabdata 9 9 0
+sysfs_dir_cache 11356 11367 144 27 1 : tunables 120 60 8 : slabdata 421 421 0
+mnt_cache 37 45 256 15 1 : tunables 120 60 8 : slabdata 3 3 0
+filp 4614 4700 192 20 1 : tunables 120 60 8 : slabdata 235 235 60
+inode_cache 6883 7308 592 6 1 : tunables 54 27 8 : slabdata 1218 1218 0
+dentry 61000 63960 192 20 1 : tunables 120 60 8 : slabdata 3198 3198 0
+names_cache 26 26 4096 1 1 : tunables 24 12 8 : slabdata 26 26 0
+avc_node 518 1239 64 59 1 : tunables 120 60 8 : slabdata 21 21 0
+selinux_inode_security 84086 86072 72 53 1 : tunables 120 60 8 : slabdata 1624 1624 0
+radix_tree_node 11552 11781 560 7 1 : tunables 54 27 8 : slabdata 1683 1683 0
+key_jar 11 20 192 20 1 : tunables 120 60 8 : slabdata 1 1 0
+buffer_head 220986 230214 104 37 1 : tunables 120 60 8 : slabdata 6222 6222 0
+vm_area_struct 12932 13034 200 19 1 : tunables 120 60 8 : slabdata 686 686 60
+mm_struct 145 145 1408 5 2 : tunables 24 12 8 : slabdata 29 29 0
+fs_cache 137 177 64 59 1 : tunables 120 60 8 : slabdata 3 3 0
+files_cache 162 165 704 11 2 : tunables 54 27 8 : slabdata 15 15 0
+signal_cache 204 204 1024 4 1 : tunables 54 27 8 : slabdata 51 51 0
+sighand_cache 195 195 2112 3 2 : tunables 24 12 8 : slabdata 65 65 0
+task_xstate 232 232 512 8 1 : tunables 54 27 8 : slabdata 29 29 0
+task_struct 303 303 2656 3 2 : tunables 24 12 8 : slabdata 101 101 0
+cred_jar 580 580 192 20 1 : tunables 120 60 8 : slabdata 29 29 0
+anon_vma_chain 7844 8162 48 77 1 : tunables 120 60 8 : slabdata 106 106 60
+anon_vma 5773 5888 40 92 1 : tunables 120 60 8 : slabdata 64 64 60
+pid 322 330 128 30 1 : tunables 120 60 8 : slabdata 11 11 0
+shared_policy_node 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
+numa_policy 1 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0
+idr_layer_cache 428 434 544 7 1 : tunables 54 27 8 : slabdata 62 62 0
+size-4194304(DMA) 0 0 4194304 1 1024 : tunables 1 1 0 : slabdata 0 0 0
+size-4194304 0 0 4194304 1 1024 : tunables 1 1 0 : slabdata 0 0 0
+size-2097152(DMA) 0 0 2097152 1 512 : tunables 1 1 0 : slabdata 0 0 0
+size-2097152 0 0 2097152 1 512 : tunables 1 1 0 : slabdata 0 0 0
+size-1048576(DMA) 0 0 1048576 1 256 : tunables 1 1 0 : slabdata 0 0 0
+size-1048576 0 0 1048576 1 256 : tunables 1 1 0 : slabdata 0 0 0
+size-524288(DMA) 0 0 524288 1 128 : tunables 1 1 0 : slabdata 0 0 0
+size-524288 0 0 524288 1 128 : tunables 1 1 0 : slabdata 0 0 0
+size-262144(DMA) 0 0 262144 1 64 : tunables 1 1 0 : slabdata 0 0 0
+size-262144 0 0 262144 1 64 : tunables 1 1 0 : slabdata 0 0 0
+size-131072(DMA) 0 0 131072 1 32 : tunables 8 4 0 : slabdata 0 0 0
+size-131072 1 1 131072 1 32 : tunables 8 4 0 : slabdata 1 1 0
+size-65536(DMA) 0 0 65536 1 16 : tunables 8 4 0 : slabdata 0 0 0
+size-65536 2 2 65536 1 16 : tunables 8 4 0 : slabdata 2 2 0
+size-32768(DMA) 0 0 32768 1 8 : tunables 8 4 0 : slabdata 0 0 0
+size-32768 3 3 32768 1 8 : tunables 8 4 0 : slabdata 3 3 0
+size-16384(DMA) 0 0 16384 1 4 : tunables 8 4 0 : slabdata 0 0 0
+size-16384 11 11 16384 1 4 : tunables 8 4 0 : slabdata 11 11 0
+size-8192(DMA) 0 0 8192 1 2 : tunables 8 4 0 : slabdata 0 0 0
+size-8192 27 27 8192 1 2 : tunables 8 4 0 : slabdata 27 27 0
+size-4096(DMA) 0 0 4096 1 1 : tunables 24 12 8 : slabdata 0 0 0
+size-4096 425 425 4096 1 1 : tunables 24 12 8 : slabdata 425 425 0
+size-2048(DMA) 0 0 2048 2 1 : tunables 24 12 8 : slabdata 0 0 0
+size-2048 578 578 2048 2 1 : tunables 24 12 8 : slabdata 289 289 0
+size-1024(DMA) 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
+size-1024 1304 1304 1024 4 1 : tunables 54 27 8 : slabdata 326 326 0
+size-512(DMA) 0 0 512 8 1 : tunables 54 27 8 : slabdata 0 0 0
+size-512 1123 1176 512 8 1 : tunables 54 27 8 : slabdata 147 147 0
+size-256(DMA) 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
+size-256 870 870 256 15 1 : tunables 120 60 8 : slabdata 58 58 0
+size-192(DMA) 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
+size-192 2119 2160 192 20 1 : tunables 120 60 8 : slabdata 108 108 0
+size-128(DMA) 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
+size-64(DMA) 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
+size-64 33003 40887 64 59 1 : tunables 120 60 8 : slabdata 693 693 0
+size-32(DMA) 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
+size-128 3921 4800 128 30 1 : tunables 120 60 8 : slabdata 160 160 0
+size-32 332359 332976 32 112 1 : tunables 120 60 8 : slabdata 2973 2973 0
+kmem_cache 191 191 32896 1 16 : tunables 8 4 0 : slabdata 191 191 0
+Inter-| Receive | Transmit
+ face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
+ lo:267102759 105357 0 0 0 0 0 0 267102759 105357 0 0 0 0 0 0
+ eth0:1013756074 1354469 0 0 0 0 0 0 245526499 966773 0 0 0 0 0 0
+ pan0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
diff --git a/test/aux-fixed/exim-ca/example.com/CA/pwdfile b/test/aux-fixed/exim-ca/example.com/CA/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.com/CA/secmod.db b/test/aux-fixed/exim-ca/example.com/CA/secmod.db
new file mode 100644
index 0000000..c7f115b
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/CA/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/expired1.example.com/ca_chain.pem
new file mode 100644
index 0000000..f8f9275
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+ friendlyName: Signing Cert
+subject=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: Certificate Authority
+subject=/O=example.com/CN=clica CA
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
+MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
+mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
+ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: expired1.example.com
+ localKeyID: C3 70 0A 4C 75 DB 50 B7 1F 67 60 9C DC AD 17 A3 C0 65 5F FF
+subject=/CN=expired1.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMVoXDTEyMTIwMTEyMzQwMVowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
+ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuhbGp8Jqy4UZdYGiPLl+q1m4
+dBdrY6689kqn5x5FUZ4PNl9ty9+mnC2Dx5WiYbrOybQZViM9lAIvGRI1GKsHdwID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
+bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAkrXPLW+etluRGUilUcMsAWEZJ8Syu317
+kXvPuyjNVz3+lGo/4hzhehSusTzy4+22UgsBmgZpjG+uI8tNRmDnAQ==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/expired1.example.com/cert8.db
new file mode 100644
index 0000000..29784ae
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.chain.pem
new file mode 100644
index 0000000..fe5dcdf
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+ friendlyName: expired1.example.com
+ localKeyID: C3 70 0A 4C 75 DB 50 B7 1F 67 60 9C DC AD 17 A3 C0 65 5F FF
+subject=/CN=expired1.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMVoXDTEyMTIwMTEyMzQwMVowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
+ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuhbGp8Jqy4UZdYGiPLl+q1m4
+dBdrY6689kqn5x5FUZ4PNl9ty9+mnC2Dx5WiYbrOybQZViM9lAIvGRI1GKsHdwID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
+bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAkrXPLW+etluRGUilUcMsAWEZJ8Syu317
+kXvPuyjNVz3+lGo/4hzhehSusTzy4+22UgsBmgZpjG+uI8tNRmDnAQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.key b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.key
new file mode 100644
index 0000000..ecfb0cb
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.key
@@ -0,0 +1,15 @@
+Bag Attributes
+ friendlyName: expired1.example.com
+ localKeyID: C3 70 0A 4C 75 DB 50 B7 1F 67 60 9C DC AD 17 A3 C0 65 5F FF
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQINZM2aHxF3EcCAggA
+MBQGCCqGSIb3DQMHBAjc9XMhJPg/ZwSCAVicoTPaeGXGPJyPdhflErlI9EWbj0PH
+bv8AchovLDfYq1Q4EJzkUG1XyelHNha+BS/zFxCcmtpdQtXedL/SdXsOyM99wdJH
+tjpJyWxM3bysqDUdhv2g11KTG0M9L7RBtKmbQq0zcHf9oTZbABKSe4EzX6a9khJY
+5bRVBSQPNtj3/5aAr0BOQQnythh0880FcYmvbFmZQNR12Cexc0+X0/aTaQ/LhM1y
+8GlRBFXGACP+mrY4RfEk/EatcGmqn4JCVASF7Z7zu7JKsEskLDArF9nvVh2xN22n
+DugUfQDRPph4ug2MyUcKNSZzGs+khWmS2TgPgUV0gr1tqS4Sqo+59NuZInyGSMRn
+FeiFTSYcd+zmxinF20MCs+Y6fFasErs6/zdK5oeV8pMlTCX0/yky9Ye4kfth2oHl
+UV+Rfe2Bo40wn6QkxuptagYdoDTJrMUCH9WL/ODRn4IA1Q==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.dated.resp
new file mode 100644
index 0000000..d7ba631
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.good.resp
new file mode 100644
index 0000000..3714a90
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.req
new file mode 100644
index 0000000..37b83a6
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.revoked.resp
new file mode 100644
index 0000000..4a25940
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.p12 b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.p12
new file mode 100644
index 0000000..488e3e5
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.pem b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.pem
new file mode 100644
index 0000000..d30bbe0
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+ friendlyName: expired1.example.com
+ localKeyID: C3 70 0A 4C 75 DB 50 B7 1F 67 60 9C DC AD 17 A3 C0 65 5F FF
+subject=/CN=expired1.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMVoXDTEyMTIwMTEyMzQwMVowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
+ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuhbGp8Jqy4UZdYGiPLl+q1m4
+dBdrY6689kqn5x5FUZ4PNl9ty9+mnC2Dx5WiYbrOybQZViM9lAIvGRI1GKsHdwID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
+bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAkrXPLW+etluRGUilUcMsAWEZJ8Syu317
+kXvPuyjNVz3+lGo/4hzhehSusTzy4+22UgsBmgZpjG+uI8tNRmDnAQ==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.unlocked.key
new file mode 100644
index 0000000..9754e14
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOQIBAAJBALoWxqfCasuFGXWBojy5fqtZuHQXa2OuvPZKp+ceRVGeDzZfbcvf
+ppwtg8eVomG6zsm0GVYjPZQCLxkSNRirB3cCAwEAAQJAbb0wuY21XP/I27ru6dCa
+GoJ2fD+zXL2XQccU7P608kO6R9g73lx48QT21OGvLkKGA4J2U3qqvqJWKP580o3X
+gQIhAN8A4PM0w3cLBnibnQcr+5TfhSUye/4AQcaqUQBnjQW5AiEA1Z+eWtugFdR3
+D6ntc4UdyXsO1DMDn6QyuyEyrJqUDq8CIGGfrtqJVLB+gRy3cuy60m3/0/fOu/0b
++6+Oy9sTeebxAiBK7m5RWHBSt+/7YpOTzcGhBrUw4aQHv0S8Nuzbdm0wqQIgYW0B
+7KVyChX6OpKifrdrSK3Jp3iXP9pgNunxGNj1QbM=
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/expired1.example.com/key3.db
new file mode 100644
index 0000000..706f876
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/pwdfile b/test/aux-fixed/exim-ca/example.com/expired1.example.com/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/secmod.db b/test/aux-fixed/exim-ca/example.com/expired1.example.com/secmod.db
new file mode 100644
index 0000000..db5dae7
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/expired2.example.com/ca_chain.pem
new file mode 100644
index 0000000..cb3f975
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+ friendlyName: Signing Cert
+subject=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: Certificate Authority
+subject=/O=example.com/CN=clica CA
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
+MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
+mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
+ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: expired2.example.com
+ localKeyID: 00 5E 8C 89 32 69 66 73 D9 E7 D3 9C E8 6A 72 27 1D C2 65 87
+subject=/CN=expired2.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDJaFw0xMjEyMDExMjM0MDJaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
+bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANs6ryDCjUepqaS5l0ZmpJ3m
+bU0/nDE43cIfDCU+70Jjvf4rxfiQu1N1iiTO2IdRcxai/STBGxpaJRvo/G5l778C
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
+cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBABTJbEBMPo/NbiMz+shKPbN+T+oAoneT
+mb1n+3cM5I3RGkkzF8mYDyamimNn+T8GKWdVkiM/Jov1kv+KY5Twg+U=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/expired2.example.com/cert8.db
new file mode 100644
index 0000000..1f5daa2
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.chain.pem
new file mode 100644
index 0000000..153025b
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+ friendlyName: expired2.example.com
+ localKeyID: 00 5E 8C 89 32 69 66 73 D9 E7 D3 9C E8 6A 72 27 1D C2 65 87
+subject=/CN=expired2.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDJaFw0xMjEyMDExMjM0MDJaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
+bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANs6ryDCjUepqaS5l0ZmpJ3m
+bU0/nDE43cIfDCU+70Jjvf4rxfiQu1N1iiTO2IdRcxai/STBGxpaJRvo/G5l778C
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
+cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBABTJbEBMPo/NbiMz+shKPbN+T+oAoneT
+mb1n+3cM5I3RGkkzF8mYDyamimNn+T8GKWdVkiM/Jov1kv+KY5Twg+U=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.key b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.key
new file mode 100644
index 0000000..4390919
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.key
@@ -0,0 +1,15 @@
+Bag Attributes
+ friendlyName: expired2.example.com
+ localKeyID: 00 5E 8C 89 32 69 66 73 D9 E7 D3 9C E8 6A 72 27 1D C2 65 87
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI0nrN9i220lwCAggA
+MBQGCCqGSIb3DQMHBAjYbPQkuir8nQSCAWANYVbKcEW9iaRzdj6AmMMZw4wnklZI
+rR+R/Eaz92xDWHLv9Qo03JK2OoGgkhE3QvyNxP7Sm69hgErN202M1s7CW66HAt60
+T0XmvbZoXYkn3iPzi6Txi1GQnzo7gfd1S0phD/4q+Tq38nRzJjvHjsL1ebjiFZ2y
+t5cF+gW7+3LEKT/s0K/WpS6QKTgl/W5iV09Tix1eOPckv7z4Cs2fiurohPocUTFa
+B/hdKTun4MwmcchFrgjRda+jz/P42xtgaSmhIETD+C3jnbdEZWFY4xYijyffEUR0
+gUHKH6UPxqoJyeL8ziQmz2jc4j1glnedslHjS+fKlLCU1QKYbhgCcRB4tqILxd9M
+e3/QQksgTFZtGymqPuwPMngcR2Om+E3f0UJnCXcaINJp971l971H/yhieYjxQua4
+8NNKVdz6EzYa/46Gv77Nu7+OQ0zGhMowpjGS4kTE9qOQ3udrdL2kFYJm
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.dated.resp
new file mode 100644
index 0000000..5690dfa
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.good.resp
new file mode 100644
index 0000000..db5b8e0
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.req
new file mode 100644
index 0000000..0242fc4
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.revoked.resp
new file mode 100644
index 0000000..db5b8e0
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.p12 b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.p12
new file mode 100644
index 0000000..d8327d3
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.pem b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.pem
new file mode 100644
index 0000000..91a46f9
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+ friendlyName: expired2.example.com
+ localKeyID: 00 5E 8C 89 32 69 66 73 D9 E7 D3 9C E8 6A 72 27 1D C2 65 87
+subject=/CN=expired2.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDJaFw0xMjEyMDExMjM0MDJaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
+bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANs6ryDCjUepqaS5l0ZmpJ3m
+bU0/nDE43cIfDCU+70Jjvf4rxfiQu1N1iiTO2IdRcxai/STBGxpaJRvo/G5l778C
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
+cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBABTJbEBMPo/NbiMz+shKPbN+T+oAoneT
+mb1n+3cM5I3RGkkzF8mYDyamimNn+T8GKWdVkiM/Jov1kv+KY5Twg+U=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.unlocked.key
new file mode 100644
index 0000000..cc0620b
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBANs6ryDCjUepqaS5l0ZmpJ3mbU0/nDE43cIfDCU+70Jjvf4rxfiQ
+u1N1iiTO2IdRcxai/STBGxpaJRvo/G5l778CAwEAAQJAads7RulKSMkuxgBrgC39
+3NSwAHXvmIDp61sMhUuPQhF8kxF9IistHoa4TBW3tdSVepBSDoMk0Ote+0UgO3wK
+SQIhAPC8xBwjNC+gpnaxOvz2iLGbVwISPgM/TMaa+goBJ3o1AiEA6SDVyZi34Gia
+W0YYzmQaJv2VcmGYh0JQ+diJT7qaoKMCIQCfZy6nvvu4KbTv1MzNYWUDzWsgePnM
+5qYsv8OeykLcnQIgU4JDkrd2Bpjx0ghGEoihJZ5ozlRPgwQqZZU/eqPph+kCIBAd
+MOImezJcizVRRG9PuyxuSvwLlPqjvFKnw2ixRkuW
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/expired2.example.com/key3.db
new file mode 100644
index 0000000..9bce6fa
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/pwdfile b/test/aux-fixed/exim-ca/example.com/expired2.example.com/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/secmod.db b/test/aux-fixed/exim-ca/example.com/expired2.example.com/secmod.db
new file mode 100644
index 0000000..a21c55f
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/ca_chain.pem
new file mode 100644
index 0000000..ea68b96
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+ friendlyName: Signing Cert
+subject=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: Certificate Authority
+subject=/O=example.com/CN=clica CA
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
+MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
+mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
+ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: revoked1.example.com
+ localKeyID: 33 F8 A9 1F FC 62 68 49 CC C9 26 E0 24 22 40 40 B5 8E E6 07
+subject=/CN=revoked1.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMVoXDTM4MDEwMTEyMzQwMVowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
+ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtmfFkNpuJsl8xF0EINs9YniA
+h0NKsf8Tt61IVzDsR5ULJOSpA7rcqmbniYuWJ7H1q8Rm5WTqjLs5zIKG+cR/lwID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
+bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAXzFO3fDq0RRzNgmAa9aorYUQUx1f6ifG
+e9zS1V/Qua9HguY4FCm5NkLDSA46OA/NYEtnC3tDNF6PLSNi1Ww9NQ==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/cert8.db
new file mode 100644
index 0000000..d74575f
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/key3.db
new file mode 100644
index 0000000..a35bc26
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/pwdfile b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem
new file mode 100644
index 0000000..abb2b6c
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+ friendlyName: revoked1.example.com
+ localKeyID: 33 F8 A9 1F FC 62 68 49 CC C9 26 E0 24 22 40 40 B5 8E E6 07
+subject=/CN=revoked1.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMVoXDTM4MDEwMTEyMzQwMVowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
+ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtmfFkNpuJsl8xF0EINs9YniA
+h0NKsf8Tt61IVzDsR5ULJOSpA7rcqmbniYuWJ7H1q8Rm5WTqjLs5zIKG+cR/lwID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
+bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAXzFO3fDq0RRzNgmAa9aorYUQUx1f6ifG
+e9zS1V/Qua9HguY4FCm5NkLDSA46OA/NYEtnC3tDNF6PLSNi1Ww9NQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.key b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.key
new file mode 100644
index 0000000..0507231
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.key
@@ -0,0 +1,15 @@
+Bag Attributes
+ friendlyName: revoked1.example.com
+ localKeyID: 33 F8 A9 1F FC 62 68 49 CC C9 26 E0 24 22 40 40 B5 8E E6 07
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIxIBGy/hgXxwCAggA
+MBQGCCqGSIb3DQMHBAj96WZ8xRBC6QSCAVjQ7DTLCFeVW0ah1ECV+1bvGiQy9JwH
+fxHD3s2Wg7+McsAfF2oSx8R0Za7miR70Ke94xrraIuH0NeltyalI5iQOjbGe1W8V
+exnRfXI+87W9QHVI85TW2l6pXCR96cj6zrxQAhXFamDY/SfgwTbaQibrduD2eoct
+IvJ8QsaywSKwpnQAN/4XlQ6aus7w1ywtvFek+15oAfgACG/mXaZZa9sg/pRzHT3a
+8qJjMpJSDOd5QUxKIShidYPNKA88EIvdg9+0wNj42w9A4rAwaoqol4RzdLu8dXbG
+lGjiRdGwkMvlwnAWY68hPnAPOiH8ev7lNPkOkk+YsIVoJK7AoEGyvNk2N02kaBBf
+xfrHIt8jh8Suvfp0HJbdeBTTT1qu/acwNbeA2TVVXdXyoZTrSWiwmv4P0lBYXJIx
+raWLqaaImi5JvL1o5ATr3s8RtD+0iWH5LUuWdzI/agJKUw==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.dated.resp
new file mode 100644
index 0000000..6924826
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.good.resp
new file mode 100644
index 0000000..ed8cdb3
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.req
new file mode 100644
index 0000000..c16dc37
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.revoked.resp
new file mode 100644
index 0000000..76a2e14
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.p12 b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.p12
new file mode 100644
index 0000000..bcc39e5
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.pem b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.pem
new file mode 100644
index 0000000..ada2bfd
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+ friendlyName: revoked1.example.com
+ localKeyID: 33 F8 A9 1F FC 62 68 49 CC C9 26 E0 24 22 40 40 B5 8E E6 07
+subject=/CN=revoked1.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMVoXDTM4MDEwMTEyMzQwMVowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
+ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtmfFkNpuJsl8xF0EINs9YniA
+h0NKsf8Tt61IVzDsR5ULJOSpA7rcqmbniYuWJ7H1q8Rm5WTqjLs5zIKG+cR/lwID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
+bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAXzFO3fDq0RRzNgmAa9aorYUQUx1f6ifG
+e9zS1V/Qua9HguY4FCm5NkLDSA46OA/NYEtnC3tDNF6PLSNi1Ww9NQ==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
new file mode 100644
index 0000000..f124bcc
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOQIBAAJBALZnxZDabibJfMRdBCDbPWJ4gIdDSrH/E7etSFcw7EeVCyTkqQO6
+3Kpm54mLliex9avEZuVk6oy7OcyChvnEf5cCAwEAAQJALGjPfRjxQJhFvDk5TBaU
+t2jHQidsBDIqRsn1luTeYf7KVwL5p51LV27UBqIF+UPa3Wl04rc5IWSCp5CIpASa
+IQIhAN6Ekj/LESey/9nn85fDMUH45PgW/7J+NeqwgK6zoyulAiEA0doPRY/U2ano
+Hu94mggwB693XasYuRsSsGZWK1+nCYsCIF1BXjGSH0xt/kAKr9IoodouP3eh2+Oo
+dVw4QJX2/ylpAiAZUYjUKLVSiZhS2yue0ewRkU8CgxkZhDWuCLrOwtyhXwIgJr3H
+b3LNAipslDnHrNzBK2GB6MlM7/+foJ7Lu7pbK+o=
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/secmod.db b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/secmod.db
new file mode 100644
index 0000000..f95ff68
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/ca_chain.pem
new file mode 100644
index 0000000..d9830bc
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+ friendlyName: Signing Cert
+subject=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: Certificate Authority
+subject=/O=example.com/CN=clica CA
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
+MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
+mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
+ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: revoked2.example.com
+ localKeyID: 17 78 A2 B6 AD CE 30 23 61 D1 78 DA EF AD AC 2D 72 C6 16 34
+subject=/CN=revoked2.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDJaFw0zODAxMDExMjM0MDJaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
+bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALl7NO1x6uz5p6etz9g+bD4n
+/s5Wh/XGDL1IHD78fRFFX9B8dCyoMrzjFTIz8QkOr/sA4RD2B2uk83ZnqtNImY0C
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
+cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBAKtwWm1WtnL+jH97DwIutT6s4CkIY2uY
+JkpV4segUV03S1pN9Cnamy4prQYPCfOI1BQO4krsDNOoV/PtDvqxuso=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/cert8.db
new file mode 100644
index 0000000..45ca163
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/key3.db
new file mode 100644
index 0000000..4976f14
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/pwdfile b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.chain.pem
new file mode 100644
index 0000000..ecdf2a5
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+ friendlyName: revoked2.example.com
+ localKeyID: 17 78 A2 B6 AD CE 30 23 61 D1 78 DA EF AD AC 2D 72 C6 16 34
+subject=/CN=revoked2.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDJaFw0zODAxMDExMjM0MDJaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
+bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALl7NO1x6uz5p6etz9g+bD4n
+/s5Wh/XGDL1IHD78fRFFX9B8dCyoMrzjFTIz8QkOr/sA4RD2B2uk83ZnqtNImY0C
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
+cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBAKtwWm1WtnL+jH97DwIutT6s4CkIY2uY
+JkpV4segUV03S1pN9Cnamy4prQYPCfOI1BQO4krsDNOoV/PtDvqxuso=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.key b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.key
new file mode 100644
index 0000000..41e2717
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.key
@@ -0,0 +1,15 @@
+Bag Attributes
+ friendlyName: revoked2.example.com
+ localKeyID: 17 78 A2 B6 AD CE 30 23 61 D1 78 DA EF AD AC 2D 72 C6 16 34
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIFV1GIQOsrw4CAggA
+MBQGCCqGSIb3DQMHBAgtBn7nWaro7ASCAWArJ92GA0suBbeIF2CisKcYFfGP+KD5
+LUOKocnSVgVeEvjQmoLzb/YAnXQsh3HtfHjbsJg1Hix4XIRI6skZD33JhhQZha/0
+M8QsA3GBCPcskjQCIMg0FVltjZOVnR20JxlI0HtMybZrIlhNCcWrLkVhU8CRbzFc
+Pubs7P9xIxlfuWVAEBmlOb1LkctHKnWlvVDR4Bef7epwa/KttSmLbBHuayQiwvms
+axUke+NYJvzFWfKpTXP0OHOfz7cdb5dN/BcF642LIGu2f7nY7vGbSG9+iZ4Mb85k
+FBbuSFquqAdxho6IHL7p/xfsW3k8+o6jKhCqkFaY1O1TNLmNtyJSyULDEbJMBiBF
+Q0pLC3AF6EtPDvN7gIvlY6jERZb7j8DJrCnjbEJR1IF09DrH3EdfaYLnGd+0/SRn
+UPY0jNEmT8hwj1ANacuSlBaIXYSjtjDYwJTz4DJA36z+03TDo/ahxwaW
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.dated.resp
new file mode 100644
index 0000000..2d46e90
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.good.resp
new file mode 100644
index 0000000..4651403
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.req
new file mode 100644
index 0000000..78aa197
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.revoked.resp
new file mode 100644
index 0000000..4651403
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.p12 b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.p12
new file mode 100644
index 0000000..d94652e
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.pem b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.pem
new file mode 100644
index 0000000..529be66
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+ friendlyName: revoked2.example.com
+ localKeyID: 17 78 A2 B6 AD CE 30 23 61 D1 78 DA EF AD AC 2D 72 C6 16 34
+subject=/CN=revoked2.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDJaFw0zODAxMDExMjM0MDJaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
+bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALl7NO1x6uz5p6etz9g+bD4n
+/s5Wh/XGDL1IHD78fRFFX9B8dCyoMrzjFTIz8QkOr/sA4RD2B2uk83ZnqtNImY0C
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
+cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBAKtwWm1WtnL+jH97DwIutT6s4CkIY2uY
+JkpV4segUV03S1pN9Cnamy4prQYPCfOI1BQO4krsDNOoV/PtDvqxuso=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.unlocked.key
new file mode 100644
index 0000000..9c8a59b
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBPAIBAAJBALl7NO1x6uz5p6etz9g+bD4n/s5Wh/XGDL1IHD78fRFFX9B8dCyo
+MrzjFTIz8QkOr/sA4RD2B2uk83ZnqtNImY0CAwEAAQJBAKkeAI07YDOAEnCd1zPY
+/sLRns+uMDtUwArZs/9uIe7a3X4ussXCv60z9epuGre7StXrVyDGBnGqGexsKIiH
+uaECIQDzrY97z+Zcb1RZ/ncQfiep40jMGmpDX/un+wtfkeICWQIhAMLcSIgL/FTH
+t7ehuH5pClcJY0bX0tbOpfNgOWvMniJVAiEAyrYMkewOb8Dxg/gLJn48ErkP2zLy
+SWA0orZV7MgYIukCIBcGcIui3u4lq0/HjEVjpBUkxtZYKlG3mWRoumBCjW0BAiEA
+tqIijH5G06iofDnTIJzXFfetUPNl/wqJ1Xz6ECFh84s=
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/secmod.db b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/secmod.db
new file mode 100644
index 0000000..b7f2179
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
new file mode 100644
index 0000000..5bb0677
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+ friendlyName: Signing Cert
+subject=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: Certificate Authority
+subject=/O=example.com/CN=clica CA
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
+MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
+mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
+ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: server1.example.com
+ localKeyID: 7B 32 26 98 D0 B8 1E 75 99 29 DC F8 13 EE 29 B7 59 E3 DC DC
+subject=/CN=server1.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMVoXDTM4MDEwMTEyMzQwMVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+LmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC6EbKf3ZB2Zm+SVn7KzSofX5I+
+3KANkvS0aVxUS/mtnKJg6JLKc2dVav1OmPTF/M8J21F6tVd8EHWBrlsgS3QdAgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+Y29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLmNvbS8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+LmNvbTANBgkqhkiG9w0BAQUFAANBALDva+1Fm8VMNtBTzLmk0wd+rAGNry/HPB++
+vNngBR33/8N/529Zr4WPrL2BeOZkQeDO1qH/2giCAvYfZoBOIO4=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/server1.example.com/cert8.db
new file mode 100644
index 0000000..9d730fe
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server1.example.com/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/server1.example.com/key3.db
new file mode 100644
index 0000000..672b088
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server1.example.com/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/pwdfile b/test/aux-fixed/exim-ca/example.com/server1.example.com/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/secmod.db b/test/aux-fixed/exim-ca/example.com/server1.example.com/secmod.db
new file mode 100644
index 0000000..0883379
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server1.example.com/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem
new file mode 100644
index 0000000..6ea0a52
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+ friendlyName: server1.example.com
+ localKeyID: 7B 32 26 98 D0 B8 1E 75 99 29 DC F8 13 EE 29 B7 59 E3 DC DC
+subject=/CN=server1.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMVoXDTM4MDEwMTEyMzQwMVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+LmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC6EbKf3ZB2Zm+SVn7KzSofX5I+
+3KANkvS0aVxUS/mtnKJg6JLKc2dVav1OmPTF/M8J21F6tVd8EHWBrlsgS3QdAgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+Y29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLmNvbS8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+LmNvbTANBgkqhkiG9w0BAQUFAANBALDva+1Fm8VMNtBTzLmk0wd+rAGNry/HPB++
+vNngBR33/8N/529Zr4WPrL2BeOZkQeDO1qH/2giCAvYfZoBOIO4=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.key b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.key
new file mode 100644
index 0000000..02d5161
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.key
@@ -0,0 +1,15 @@
+Bag Attributes
+ friendlyName: server1.example.com
+ localKeyID: 7B 32 26 98 D0 B8 1E 75 99 29 DC F8 13 EE 29 B7 59 E3 DC DC
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIt+n3xYebFlACAggA
+MBQGCCqGSIb3DQMHBAi30QtCXj3kIQSCAVjO+WdU7jaPYN1v7ev2qNehi8MrvllJ
+Q03/xCaiGTI7fUQM55W4Tc5+b952ni6ZtCnYfCojIQ6Wr0uyrabRE9nCRTudKAGv
++RG/vO576Wv69XblZaKwPp1ru5Fb+TqMRDmHsJKzmjx4/iN3l/673w8QEW+opYjI
+i+azRCzMjUcFDkExEqXunJCDD4k0iWv/LTiXa/WfKoPncY6dmtjGt/ceGG7gn+sy
+IGTPbVyX85I4lfSb42mQjticlqpNWNv+BasZNGIAGkreGEIR1HqvoIeIjyze4j/k
+yAA/oAO7WucowZfX6Rcno9yO5Cjsbn60RPMe5aSnCKXH8OnaklegbzQCIXwlRapH
+VCE28ladQ1+7zwCBhCW60WwhRN0UDQz9aFTrbhZ0uUZ13t/EcRr17f43hXnjwCVg
++q6ixyRnx4zSncCTL6iOe2ybUV8IXCFdrWnd7CYJOz804w==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp
new file mode 100644
index 0000000..0e35bdf
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
new file mode 100644
index 0000000..c616136
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.req
new file mode 100644
index 0000000..fb9674a
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp
new file mode 100644
index 0000000..aa6d371
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.p12 b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.p12
new file mode 100644
index 0000000..e7f3cfb
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
new file mode 100644
index 0000000..5080ef8
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+ friendlyName: server1.example.com
+ localKeyID: 7B 32 26 98 D0 B8 1E 75 99 29 DC F8 13 EE 29 B7 59 E3 DC DC
+subject=/CN=server1.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMVoXDTM4MDEwMTEyMzQwMVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+LmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC6EbKf3ZB2Zm+SVn7KzSofX5I+
+3KANkvS0aVxUS/mtnKJg6JLKc2dVav1OmPTF/M8J21F6tVd8EHWBrlsgS3QdAgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+Y29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLmNvbS8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+LmNvbTANBgkqhkiG9w0BAQUFAANBALDva+1Fm8VMNtBTzLmk0wd+rAGNry/HPB++
+vNngBR33/8N/529Zr4WPrL2BeOZkQeDO1qH/2giCAvYfZoBOIO4=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
new file mode 100644
index 0000000..a616974
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOQIBAAJBALoRsp/dkHZmb5JWfsrNKh9fkj7coA2S9LRpXFRL+a2comDokspz
+Z1Vq/U6Y9MX8zwnbUXq1V3wQdYGuWyBLdB0CAwEAAQJAC7hRqAAsuUh6fp00H1IM
+9Szv6UW8Tx6Si0qXpjei4mx/reGBvQGTIUJuGdXmuBH5tQHLPskjEqXmgiccWydz
+gQIhAPCP3JccbCUpKELah84ikXuQs0PEnGfyg4oP22x0B5q3AiEAxgKV7eFrd5Qa
+FfjHsK/HfrL8YQYynm8yDqqHnSsJY8sCIFei4Sa/uPoUs1EfkWfcGgnc3iGrB5uq
+spbiTfqFjpujAiAcWvhvdU13dUz7AoJOKg3udeEwX7vV9mR7ty3ucuBIWwIgEy7b
+le8z7zokRTzIKSMpl5xr/0Vp6DWlS0KwuLNuJjc=
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem
new file mode 100644
index 0000000..dc1fbb7
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+ friendlyName: Signing Cert
+subject=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: Certificate Authority
+subject=/O=example.com/CN=clica CA
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
+MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
+mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
+ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: server2.example.com
+ localKeyID: 69 B2 C3 8A B6 1C C2 19 F4 1B 4E 74 28 AF 12 89 E8 2E D9 BE
+subject=/CN=server2.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDFaFw0zODAxMDExMjM0MDFaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA2TCJENbO0UK+Cjs2HSqq1OlM
+VIJQs/ctua3DEcPOphjNwLrUqVGv5qkWFDHbsJ00hpiW7uK9tDfawSWmcFis1wID
+AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5jb20vMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
+ZS5jb20wDQYJKoZIhvcNAQEFBQADQQCeF6NprEufUaSaqXhBk7hP7kX2NtTEkHmg
+hm1yvEzKL1/7gmqhMAGFapGV90k/8J6L4FiIEaxIHuTvm94KfKZi
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/server2.example.com/cert8.db
new file mode 100644
index 0000000..840f694
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server2.example.com/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/server2.example.com/key3.db
new file mode 100644
index 0000000..89bff13
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server2.example.com/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/pwdfile b/test/aux-fixed/exim-ca/example.com/server2.example.com/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/secmod.db b/test/aux-fixed/exim-ca/example.com/server2.example.com/secmod.db
new file mode 100644
index 0000000..8ea139c
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server2.example.com/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.chain.pem
new file mode 100644
index 0000000..52263a2
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+ friendlyName: server2.example.com
+ localKeyID: 69 B2 C3 8A B6 1C C2 19 F4 1B 4E 74 28 AF 12 89 E8 2E D9 BE
+subject=/CN=server2.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDFaFw0zODAxMDExMjM0MDFaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA2TCJENbO0UK+Cjs2HSqq1OlM
+VIJQs/ctua3DEcPOphjNwLrUqVGv5qkWFDHbsJ00hpiW7uK9tDfawSWmcFis1wID
+AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5jb20vMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
+ZS5jb20wDQYJKoZIhvcNAQEFBQADQQCeF6NprEufUaSaqXhBk7hP7kX2NtTEkHmg
+hm1yvEzKL1/7gmqhMAGFapGV90k/8J6L4FiIEaxIHuTvm94KfKZi
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.key b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.key
new file mode 100644
index 0000000..a4960f9
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.key
@@ -0,0 +1,15 @@
+Bag Attributes
+ friendlyName: server2.example.com
+ localKeyID: 69 B2 C3 8A B6 1C C2 19 F4 1B 4E 74 28 AF 12 89 E8 2E D9 BE
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIFmRnQVx4IM4CAggA
+MBQGCCqGSIb3DQMHBAj96PHFOGcW+gSCAVhUx92WT6m/52ZEGgqV+RyBKgHPv0Vk
+NCrmKEJJAvGRWGl+jnpU780hLNx+qWHxGV6r+wyPN9F81oDhqeYQtIRIYC8tWBeC
+9mouIU/iNXYUkun4ZaH6sIJSFfB/2l/pz5/GaiCqgQPPufGmRFsHcGcZlYpnLHkb
+PyRFagan7QYIwUouBTyJ0o/OKBU/r6QM+ZO1zB4YqUutpYMTUbcD9zkj3eAFpIDZ
+fuci+WK1imuUek9LdKifM8f5jdc4n/Ya5rFcpHg45CXz+pLntsprjQVzhFdQblZW
+60ZyiJm682h7ioHhcJYmYyEa5DMItEqzLasQncMi/s8+SUCqTE0QaWYWJ+ofv1cD
+GBYWoM7Ar47zaqgQYlKMKs9mDfUQ4FQy382yrnsPnyo+K8ra5ESUA++uIxMwouHo
+x3dD4wV51jP8VC9VN2GWprZWffnxwMP4PxZejmZVbSWvPw==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.dated.resp
new file mode 100644
index 0000000..baa2281
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.good.resp
new file mode 100644
index 0000000..80180be
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.req
new file mode 100644
index 0000000..fe4957e
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.revoked.resp
new file mode 100644
index 0000000..80180be
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.p12 b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.p12
new file mode 100644
index 0000000..c080a6a
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
new file mode 100644
index 0000000..eacf55c
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+ friendlyName: server2.example.com
+ localKeyID: 69 B2 C3 8A B6 1C C2 19 F4 1B 4E 74 28 AF 12 89 E8 2E D9 BE
+subject=/CN=server2.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDFaFw0zODAxMDExMjM0MDFaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA2TCJENbO0UK+Cjs2HSqq1OlM
+VIJQs/ctua3DEcPOphjNwLrUqVGv5qkWFDHbsJ00hpiW7uK9tDfawSWmcFis1wID
+AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5jb20vMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
+ZS5jb20wDQYJKoZIhvcNAQEFBQADQQCeF6NprEufUaSaqXhBk7hP7kX2NtTEkHmg
+hm1yvEzKL1/7gmqhMAGFapGV90k/8J6L4FiIEaxIHuTvm94KfKZi
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
new file mode 100644
index 0000000..6e0c41e
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOQIBAAJBANkwiRDWztFCvgo7Nh0qqtTpTFSCULP3LbmtwxHDzqYYzcC61KlR
+r+apFhQx27CdNIaYlu7ivbQ32sElpnBYrNcCAwEAAQJAAT7+ClKxLRIs9PISBWjR
+Qhd0kKeOvvmUEZSlodx1uw42qqDQ0vfYMSOWzn8dlGQ/XGJ4xVwvFFklNCfWva4M
+QQIhAPaoF/TqmR/dc2CLsQkWoZQqdu7w+uBnTnqqcQ1A2ci9AiEA4Wqw3SszsAwV
+ELV+DCDouyncyMmCzJkDjYA1WYNiVyMCIAc3AYRjfFknRCG11Fbct5s65sG0gNIh
+k3UZGTd3ByfNAiAbwAqt75eZYKNnPzCZRaPhBrJLdaNIlL2/Ob1Xm7kLiQIgWtVa
+weFGKWW86QXScrel5sjNDxFv+ZvMd+heAiPqkXs=
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/CA.pem b/test/aux-fixed/exim-ca/example.net/BLANK/CA.pem
new file mode 100644
index 0000000..bed3d2f
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/BLANK/CA.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
+SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
+iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/Signer.pem b/test/aux-fixed/exim-ca/example.net/BLANK/Signer.pem
new file mode 100644
index 0000000..5d2b2ea
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/BLANK/Signer.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/cert8.db b/test/aux-fixed/exim-ca/example.net/BLANK/cert8.db
new file mode 100644
index 0000000..0d794a0
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/BLANK/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/key3.db b/test/aux-fixed/exim-ca/example.net/BLANK/key3.db
new file mode 100644
index 0000000..31b9ac7
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/BLANK/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/pwdfile b/test/aux-fixed/exim-ca/example.net/BLANK/pwdfile
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/BLANK/pwdfile
@@ -0,0 +1 @@
+
diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/secmod.db b/test/aux-fixed/exim-ca/example.net/BLANK/secmod.db
new file mode 100644
index 0000000..8a83193
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/BLANK/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/CA/CA.pem b/test/aux-fixed/exim-ca/example.net/CA/CA.pem
new file mode 100644
index 0000000..bed3d2f
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/CA.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
+SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
+iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/CA/OCSP.key b/test/aux-fixed/exim-ca/example.net/CA/OCSP.key
new file mode 100644
index 0000000..5ab675c
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/OCSP.key
@@ -0,0 +1,14 @@
+Bag Attributes
+ friendlyName: OCSP Signer
+ localKeyID: 16 61 1B 08 43 C0 0E C4 AF 4D 7B E9 27 1D EB B0 D7 05 E9 75
+Key Attributes: <No Attributes>
+-----BEGIN PRIVATE KEY-----
+MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAsT/jRe87h2kyfvbt
+YbvgOPS3y6+BPP8pVdU2CefZAy4mYhuj4ZejZgOf8W9XoonCKTW0Y31feBcy0cM+
+2TNM3QIDAQABAkEApPyuBevggnP2T95zKfUiioGoD43HA8sTY9T53xCTnPOrNNCv
+Vn5+ZXao86JF3ly2jY8Eg0b1hFpfZsZMhG/PgQIhAOg/SgSXqPL8oON/Uot1IUHe
+xLfwqW4toMwTknwdWO39AiEAw2ClhCYw/YTDdbh8sstP7k9HDNBPynwAuURLqc6/
+oGECIBDxVQgCvFuFnIMcLbxovhVdGALHNsUH5RweLWiKh4tNAiBSgpVD6tETr6bQ
+J1paM6yM6uQJkEuyKo4vr5z4mHyq4QIhAMtfRG4+QspRY6aaAAebWBS4zwDiAZCH
+6bnyjSzbUHsm
+-----END PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/CA/OCSP.p12 b/test/aux-fixed/exim-ca/example.net/CA/OCSP.p12
new file mode 100644
index 0000000..4ebddda
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/CA/OCSP.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/CA/OCSP.pem b/test/aux-fixed/exim-ca/example.net/CA/OCSP.pem
new file mode 100644
index 0000000..2d71376
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/OCSP.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBgDCCASqgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwM1oXDTM4MDEwMTEyMzQwM1owMjEUMBIGA1UEChMLZXhhbXBsZS5uZXQxGjAY
+BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJB
+ALE/40XvO4dpMn727WG74Dj0t8uvgTz/KVXVNgnn2QMuJmIbo+GXo2YDn/FvV6KJ
+wik1tGN9X3gXMtHDPtkzTN0CAwEAAaMqMCgwDgYDVR0PAQH/BAQDAgeAMBYGA1Ud
+JQEB/wQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBBQUAA0EAjPHbFyZJZHxLSqn5
+i4i7+sWFAueHbbVXyDkzbspOeAbUeuc+lyZ7gMkRofbfIyXIMzSggVKiBetK5gf8
+OhXNJA==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/CA/Signer.pem b/test/aux-fixed/exim-ca/example.net/CA/Signer.pem
new file mode 100644
index 0000000..5d2b2ea
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/Signer.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/CA/ca.conf b/test/aux-fixed/exim-ca/example.net/CA/ca.conf
new file mode 100644
index 0000000..d162ea3
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/ca.conf
@@ -0,0 +1,18 @@
+; Config::Simple 4.59
+; Thu Nov 1 12:34:03 2012
+
+[CLICA]
+crl_url=http://crl.example.net/latest.crl
+crl_signer=Signing Cert
+level=1
+signer=Signing Cert
+ocsp_signer=OCSP Signer
+ocsp_url=http://oscp/example.net/
+
+[CA]
+org=example.net
+subject=clica CA
+name=Certificate Authority
+bits=512
+
+
diff --git a/test/aux-fixed/exim-ca/example.net/CA/cert8.db b/test/aux-fixed/exim-ca/example.net/CA/cert8.db
new file mode 100644
index 0000000..6a130c8
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/CA/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.empty b/test/aux-fixed/exim-ca/example.net/CA/crl.empty
new file mode 100644
index 0000000..364b43d
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/CA/crl.empty differ
diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.empty.in.txt b/test/aux-fixed/exim-ca/example.net/CA/crl.empty.in.txt
new file mode 100644
index 0000000..250311c
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/crl.empty.in.txt
@@ -0,0 +1 @@
+update=20130127152434Z
diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.empty.pem b/test/aux-fixed/exim-ca/example.net/CA/crl.empty.pem
new file mode 100644
index 0000000..8236f85
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/crl.empty.pem
@@ -0,0 +1,6 @@
+-----BEGIN X509 CRL-----
+MIGsMFgCAQEwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5uZXQx
+GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxMzAxMjcxNTI0MzRaMA0G
+CSqGSIb3DQEBBQUAA0EAnGNQN1GnKB2PGg9C+vguhNlTRLgf9j9lziLPBkPff4+k
+8JLTVhcuQYnYTdw1WKq/DeXJRyZwd7Z8vAMMdsW5ZA==
+-----END X509 CRL-----
diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.v2 b/test/aux-fixed/exim-ca/example.net/CA/crl.v2
new file mode 100644
index 0000000..7473ce8
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/CA/crl.v2 differ
diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.v2.in.txt b/test/aux-fixed/exim-ca/example.net/CA/crl.v2.in.txt
new file mode 100644
index 0000000..434045f
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/crl.v2.in.txt
@@ -0,0 +1,3 @@
+update=20130127152437Z
+addcert 102 20130127152437Z
+addcert 202 20130127152437Z
diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.v2.pem b/test/aux-fixed/exim-ca/example.net/CA/crl.v2.pem
new file mode 100644
index 0000000..dceb45c
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/crl.v2.pem
@@ -0,0 +1,7 @@
+-----BEGIN X509 CRL-----
+MIHcMIGHAgEBMA0GCSqGSIb3DQEBBQUAMDMxFDASBgNVBAoTC2V4YW1wbGUubmV0
+MRswGQYDVQQDExJjbGljYSBTaWduaW5nIENlcnQYDzIwMTMwMTI3MTUyNDM3WjAt
+MBQCAWYYDzIwMTMwMTI3MTUyNDM3WjAVAgIAyhgPMjAxMzAxMjcxNTI0MzdaMA0G
+CSqGSIb3DQEBBQUAA0EAL1D/ZMfKSVVozt/TtAPIR/PMLTvBCGrRDbH31tI3pGUJ
+l+FZTnkR48HXOkuaPCxMclubZ0ptQ6wXHP58iwKacA==
+-----END X509 CRL-----
diff --git a/test/aux-fixed/exim-ca/example.net/CA/index.revoked.txt b/test/aux-fixed/exim-ca/example.net/CA/index.revoked.txt
new file mode 100644
index 0000000..b141dca
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/index.revoked.txt
@@ -0,0 +1,6 @@
+R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.example.net
+R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.example.net
+R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.example.net
+R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.example.net
+R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.example.net
+R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.example.net
diff --git a/test/aux-fixed/exim-ca/example.net/CA/index.valid.txt b/test/aux-fixed/exim-ca/example.net/CA/index.valid.txt
new file mode 100644
index 0000000..ee52d83
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/index.valid.txt
@@ -0,0 +1,6 @@
+V 130110200751Z 65 unknown CN=server1.example.net
+V 130110200751Z 66 unknown CN=revoked1.example.net
+V 130110200751Z 67 unknown CN=expired1.example.net
+V 130110200751Z c9 unknown CN=server2.example.net
+V 130110200751Z ca unknown CN=revoked2.example.net
+V 130110200751Z cb unknown CN=expired2.example.net
diff --git a/test/aux-fixed/exim-ca/example.net/CA/key3.db b/test/aux-fixed/exim-ca/example.net/CA/key3.db
new file mode 100644
index 0000000..e17cadf
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/CA/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/CA/noise.file b/test/aux-fixed/exim-ca/example.net/CA/noise.file
new file mode 100644
index 0000000..c19c41f
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/noise.file
@@ -0,0 +1,342 @@
+processor : 0
+vendor_id : GenuineIntel
+cpu family : 6
+model : 26
+model name : Intel(R) Xeon(R) CPU E5520 @ 2.27GHz
+stepping : 5
+cpu MHz : 2260.628
+cache size : 8192 KB
+fpu : yes
+fpu_exception : yes
+cpuid level : 11
+wp : yes
+flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts
+bogomips : 4521.25
+clflush size : 64
+cache_alignment : 64
+address sizes : 40 bits physical, 48 bits virtual
+power management:
+
+processor : 1
+vendor_id : GenuineIntel
+cpu family : 6
+model : 26
+model name : Intel(R) Xeon(R) CPU E5520 @ 2.27GHz
+stepping : 5
+cpu MHz : 2260.628
+cache size : 8192 KB
+fpu : yes
+fpu_exception : yes
+cpuid level : 11
+wp : yes
+flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts
+bogomips : 4521.25
+clflush size : 64
+cache_alignment : 64
+address sizes : 40 bits physical, 48 bits virtual
+power management:
+
+ CPU0 CPU1
+ 0: 2481 0 IO-APIC-edge timer
+ 1: 21441 346 IO-APIC-edge i8042
+ 3: 1 0 IO-APIC-edge
+ 4: 1 0 IO-APIC-edge
+ 7: 0 0 IO-APIC-edge parport0
+ 8: 1 0 IO-APIC-edge rtc0
+ 9: 0 0 IO-APIC-fasteoi acpi
+ 12: 78986 1718 IO-APIC-edge i8042
+ 14: 0 0 IO-APIC-edge ata_piix
+ 15: 2423337 1435 IO-APIC-edge ata_piix
+ 16: 1025 0 IO-APIC-fasteoi Ensoniq AudioPCI
+ 17: 239858 2559 IO-APIC-fasteoi ehci_hcd:usb1, ioc0
+ 18: 246 0 IO-APIC-fasteoi uhci_hcd:usb2
+ 19: 1868825 51479 IO-APIC-fasteoi eth0
+ 24: 0 0 PCI-MSI-edge pciehp
+ 25: 0 0 PCI-MSI-edge pciehp
+ 26: 0 0 PCI-MSI-edge pciehp
+ 27: 0 0 PCI-MSI-edge pciehp
+ 28: 0 0 PCI-MSI-edge pciehp
+ 29: 0 0 PCI-MSI-edge pciehp
+ 30: 0 0 PCI-MSI-edge pciehp
+ 31: 0 0 PCI-MSI-edge pciehp
+ 32: 0 0 PCI-MSI-edge pciehp
+ 33: 0 0 PCI-MSI-edge pciehp
+ 34: 0 0 PCI-MSI-edge pciehp
+ 35: 0 0 PCI-MSI-edge pciehp
+ 36: 0 0 PCI-MSI-edge pciehp
+ 37: 0 0 PCI-MSI-edge pciehp
+ 38: 0 0 PCI-MSI-edge pciehp
+ 39: 0 0 PCI-MSI-edge pciehp
+ 40: 0 0 PCI-MSI-edge pciehp
+ 41: 0 0 PCI-MSI-edge pciehp
+ 42: 0 0 PCI-MSI-edge pciehp
+ 43: 0 0 PCI-MSI-edge pciehp
+ 44: 0 0 PCI-MSI-edge pciehp
+ 45: 0 0 PCI-MSI-edge pciehp
+ 46: 0 0 PCI-MSI-edge pciehp
+ 47: 0 0 PCI-MSI-edge pciehp
+ 48: 0 0 PCI-MSI-edge pciehp
+ 49: 0 0 PCI-MSI-edge pciehp
+ 50: 0 0 PCI-MSI-edge pciehp
+ 51: 0 0 PCI-MSI-edge pciehp
+ 52: 0 0 PCI-MSI-edge pciehp
+ 53: 0 0 PCI-MSI-edge pciehp
+ 54: 0 0 PCI-MSI-edge pciehp
+ 55: 0 0 PCI-MSI-edge pciehp
+ 56: 1 0 PCI-MSI-edge vmci
+ 57: 0 0 PCI-MSI-edge vmci
+NMI: 0 0 Non-maskable interrupts
+LOC: 12398590 14242910 Local timer interrupts
+SPU: 0 0 Spurious interrupts
+PMI: 0 0 Performance monitoring interrupts
+IWI: 0 0 IRQ work interrupts
+RES: 282808 309226 Rescheduling interrupts
+CAL: 1955 163556 Function call interrupts
+TLB: 18075 15578 TLB shootdowns
+TRM: 0 0 Thermal event interrupts
+THR: 0 0 Threshold APIC interrupts
+MCE: 0 0 Machine check exceptions
+MCP: 2310 2310 Machine check polls
+ERR: 0
+MIS: 0
+MemTotal: 1914844 kB
+MemFree: 133340 kB
+Buffers: 142048 kB
+Cached: 953728 kB
+SwapCached: 108 kB
+Active: 982140 kB
+Inactive: 540820 kB
+Active(anon): 287228 kB
+Inactive(anon): 143480 kB
+Active(file): 694912 kB
+Inactive(file): 397340 kB
+Unevictable: 0 kB
+Mlocked: 0 kB
+SwapTotal: 4194296 kB
+SwapFree: 4193560 kB
+Dirty: 2760 kB
+Writeback: 0 kB
+AnonPages: 427016 kB
+Mapped: 70844 kB
+Shmem: 3400 kB
+Slab: 191064 kB
+SReclaimable: 125460 kB
+SUnreclaim: 65604 kB
+KernelStack: 2312 kB
+PageTables: 23528 kB
+NFS_Unstable: 0 kB
+Bounce: 0 kB
+WritebackTmp: 0 kB
+CommitLimit: 5151716 kB
+Committed_AS: 973184 kB
+VmallocTotal: 34359738367 kB
+VmallocUsed: 280772 kB
+VmallocChunk: 34359441168 kB
+HardwareCorrupted: 0 kB
+AnonHugePages: 249856 kB
+HugePages_Total: 0
+HugePages_Free: 0
+HugePages_Rsvd: 0
+HugePages_Surp: 0
+Hugepagesize: 2048 kB
+DirectMap4k: 8192 kB
+DirectMap2M: 2088960 kB
+slabinfo - version: 2.1
+# name <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
+bridge_fdb_cache 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
+fuse_request 0 0 632 6 1 : tunables 54 27 8 : slabdata 0 0 0
+fuse_inode 0 0 768 5 1 : tunables 54 27 8 : slabdata 0 0 0
+rpc_buffers 8 8 2048 2 1 : tunables 24 12 8 : slabdata 4 4 0
+rpc_tasks 8 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
+rpc_inode_cache 8 8 832 4 1 : tunables 54 27 8 : slabdata 2 2 0
+hgfsInodeCache 1 6 640 6 1 : tunables 54 27 8 : slabdata 1 1 0
+AF_VMCI 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
+nf_conntrack_expect 0 0 240 16 1 : tunables 120 60 8 : slabdata 0 0 0
+nf_conntrack_ffffffff8200cec0 11 26 304 13 1 : tunables 54 27 8 : slabdata 2 2 0
+fib6_nodes 22 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0
+ip6_dst_cache 13 30 384 10 1 : tunables 54 27 8 : slabdata 3 3 0
+ndisc_cache 1 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
+ip6_mrt_cache 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
+RAWv6 67 68 1024 4 1 : tunables 54 27 8 : slabdata 17 17 0
+UDPLITEv6 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
+UDPv6 4 4 1024 4 1 : tunables 54 27 8 : slabdata 1 1 0
+tw_sock_TCPv6 0 0 320 12 1 : tunables 54 27 8 : slabdata 0 0 0
+request_sock_TCPv6 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
+TCPv6 9 10 1856 2 1 : tunables 24 12 8 : slabdata 5 5 0
+jbd2_1k 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
+avtab_node 502203 502416 24 144 1 : tunables 120 60 8 : slabdata 3489 3489 0
+ext4_inode_cache 74880 74880 1024 4 1 : tunables 54 27 8 : slabdata 18720 18720 0
+ext4_xattr 9 44 88 44 1 : tunables 120 60 8 : slabdata 1 1 0
+ext4_free_block_extents 32 67 56 67 1 : tunables 120 60 8 : slabdata 1 1 0
+ext4_alloc_context 28 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0
+ext4_prealloc_space 18 37 104 37 1 : tunables 120 60 8 : slabdata 1 1 0
+ext4_system_zone 0 0 40 92 1 : tunables 120 60 8 : slabdata 0 0 0
+jbd2_journal_handle 32 144 24 144 1 : tunables 120 60 8 : slabdata 1 1 0
+jbd2_journal_head 102 102 112 34 1 : tunables 120 60 8 : slabdata 3 3 0
+jbd2_revoke_table 4 202 16 202 1 : tunables 120 60 8 : slabdata 1 1 0
+jbd2_revoke_record 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
+dm_crypt_io 50 50 152 25 1 : tunables 120 60 8 : slabdata 2 2 0
+sd_ext_cdb 2 112 32 112 1 : tunables 120 60 8 : slabdata 1 1 0
+scsi_sense_cache 22 60 128 30 1 : tunables 120 60 8 : slabdata 2 2 0
+scsi_cmd_cache 23 45 256 15 1 : tunables 120 60 8 : slabdata 3 3 0
+dm_raid1_read_record 0 0 1064 7 2 : tunables 24 12 8 : slabdata 0 0 0
+kcopyd_job 0 0 3240 2 2 : tunables 24 12 8 : slabdata 0 0 0
+io 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
+dm_uevent 0 0 2608 3 2 : tunables 24 12 8 : slabdata 0 0 0
+dm_rq_clone_bio_info 0 0 16 202 1 : tunables 120 60 8 : slabdata 0 0 0
+dm_rq_target_io 0 0 392 10 1 : tunables 54 27 8 : slabdata 0 0 0
+dm_target_io 844 864 24 144 1 : tunables 120 60 8 : slabdata 6 6 0
+dm_io 828 828 40 92 1 : tunables 120 60 8 : slabdata 9 9 0
+flow_cache 0 0 96 40 1 : tunables 120 60 8 : slabdata 0 0 0
+uhci_urb_priv 6 67 56 67 1 : tunables 120 60 8 : slabdata 1 1 0
+cfq_io_context 4 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0
+cfq_queue 5 16 240 16 1 : tunables 120 60 8 : slabdata 1 1 0
+bsg_cmd 0 0 312 12 1 : tunables 54 27 8 : slabdata 0 0 0
+mqueue_inode_cache 1 4 896 4 1 : tunables 54 27 8 : slabdata 1 1 0
+isofs_inode_cache 0 0 640 6 1 : tunables 54 27 8 : slabdata 0 0 0
+hugetlbfs_inode_cache 1 6 608 6 1 : tunables 54 27 8 : slabdata 1 1 0
+dquot 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
+kioctx 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0
+kiocb 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
+inotify_event_private_data 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
+inotify_inode_mark_entry 186 204 112 34 1 : tunables 120 60 8 : slabdata 6 6 0
+dnotify_mark_entry 1 34 112 34 1 : tunables 120 60 8 : slabdata 1 1 0
+dnotify_struct 1 112 32 112 1 : tunables 120 60 8 : slabdata 1 1 0
+fasync_cache 6 144 24 144 1 : tunables 120 60 8 : slabdata 1 1 0
+khugepaged_mm_slot 83 92 40 92 1 : tunables 120 60 8 : slabdata 1 1 0
+ksm_mm_slot 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
+ksm_stable_node 0 0 40 92 1 : tunables 120 60 8 : slabdata 0 0 0
+ksm_rmap_item 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
+utrace_engine 0 0 56 67 1 : tunables 120 60 8 : slabdata 0 0 0
+utrace 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
+pid_namespace 0 0 2120 3 2 : tunables 24 12 8 : slabdata 0 0 0
+nsproxy 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
+posix_timers_cache 0 0 176 22 1 : tunables 120 60 8 : slabdata 0 0 0
+uid_cache 10 60 128 30 1 : tunables 120 60 8 : slabdata 2 2 0
+UNIX 459 480 768 5 1 : tunables 54 27 8 : slabdata 96 96 0
+ip_mrt_cache 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
+UDP-Lite 0 0 832 9 2 : tunables 54 27 8 : slabdata 0 0 0
+tcp_bind_bucket 15 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0
+inet_peer_cache 4 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0
+secpath_cache 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
+xfrm_dst_cache 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0
+ip_fib_alias 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
+ip_fib_hash 10 106 72 53 1 : tunables 120 60 8 : slabdata 2 2 0
+ip_dst_cache 29 50 384 10 1 : tunables 54 27 8 : slabdata 5 5 0
+arp_cache 4 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
+RAW 65 72 832 9 2 : tunables 54 27 8 : slabdata 8 8 0
+UDP 6 18 832 9 2 : tunables 54 27 8 : slabdata 2 2 0
+tw_sock_TCP 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
+request_sock_TCP 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
+TCP 20 24 1664 4 2 : tunables 24 12 8 : slabdata 6 6 0
+eventpoll_pwq 126 212 72 53 1 : tunables 120 60 8 : slabdata 4 4 0
+eventpoll_epi 126 180 128 30 1 : tunables 120 60 8 : slabdata 6 6 0
+sgpool-128 2 2 4096 1 1 : tunables 24 12 8 : slabdata 2 2 0
+sgpool-64 2 2 2048 2 1 : tunables 24 12 8 : slabdata 1 1 0
+sgpool-32 2 4 1024 4 1 : tunables 54 27 8 : slabdata 1 1 0
+sgpool-16 2 8 512 8 1 : tunables 54 27 8 : slabdata 1 1 0
+sgpool-8 15 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
+scsi_data_buffer 0 0 24 144 1 : tunables 120 60 8 : slabdata 0 0 0
+blkdev_integrity 0 0 112 34 1 : tunables 120 60 8 : slabdata 0 0 0
+blkdev_queue 29 30 2856 2 2 : tunables 24 12 8 : slabdata 15 15 0
+blkdev_requests 31 44 352 11 1 : tunables 54 27 8 : slabdata 4 4 0
+blkdev_ioc 5 48 80 48 1 : tunables 120 60 8 : slabdata 1 1 0
+fsnotify_event_holder 0 0 24 144 1 : tunables 120 60 8 : slabdata 0 0 0
+fsnotify_event 0 0 104 37 1 : tunables 120 60 8 : slabdata 0 0 0
+bio-0 180 180 192 20 1 : tunables 120 60 8 : slabdata 9 9 0
+biovec-256 66 66 4096 1 1 : tunables 24 12 8 : slabdata 66 66 0
+biovec-128 0 0 2048 2 1 : tunables 24 12 8 : slabdata 0 0 0
+biovec-64 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
+biovec-16 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
+bip-256 2 2 4224 1 2 : tunables 8 4 0 : slabdata 2 2 0
+bip-128 0 0 2176 3 2 : tunables 24 12 8 : slabdata 0 0 0
+bip-64 0 0 1152 7 2 : tunables 24 12 8 : slabdata 0 0 0
+bip-16 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0
+bip-4 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
+bip-1 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
+sock_inode_cache 666 685 704 5 1 : tunables 54 27 8 : slabdata 137 137 0
+skbuff_fclone_cache 42 42 512 7 1 : tunables 54 27 8 : slabdata 6 6 0
+skbuff_head_cache 302 450 256 15 1 : tunables 120 60 8 : slabdata 30 30 0
+file_lock_cache 38 44 176 22 1 : tunables 120 60 8 : slabdata 2 2 0
+net_namespace 0 0 2112 3 2 : tunables 24 12 8 : slabdata 0 0 0
+shmem_inode_cache 774 775 800 5 1 : tunables 54 27 8 : slabdata 155 155 0
+Acpi-Operand 4563 4664 72 53 1 : tunables 120 60 8 : slabdata 88 88 0
+Acpi-ParseExt 0 0 72 53 1 : tunables 120 60 8 : slabdata 0 0 0
+Acpi-Parse 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
+Acpi-State 0 0 80 48 1 : tunables 120 60 8 : slabdata 0 0 0
+Acpi-Namespace 3311 3312 40 92 1 : tunables 120 60 8 : slabdata 36 36 0
+task_delay_info 332 340 112 34 1 : tunables 120 60 8 : slabdata 10 10 0
+taskstats 5 12 328 12 1 : tunables 54 27 8 : slabdata 1 1 0
+proc_inode_cache 1008 1008 640 6 1 : tunables 54 27 8 : slabdata 168 168 0
+sigqueue 35 48 160 24 1 : tunables 120 60 8 : slabdata 2 2 0
+bdev_cache 32 36 832 4 1 : tunables 54 27 8 : slabdata 9 9 0
+sysfs_dir_cache 11356 11367 144 27 1 : tunables 120 60 8 : slabdata 421 421 0
+mnt_cache 37 45 256 15 1 : tunables 120 60 8 : slabdata 3 3 0
+filp 4644 4700 192 20 1 : tunables 120 60 8 : slabdata 235 235 120
+inode_cache 6883 7308 592 6 1 : tunables 54 27 8 : slabdata 1218 1218 0
+dentry 61240 63960 192 20 1 : tunables 120 60 8 : slabdata 3198 3198 0
+names_cache 26 26 4096 1 1 : tunables 24 12 8 : slabdata 26 26 0
+avc_node 510 1239 64 59 1 : tunables 120 60 8 : slabdata 21 21 0
+selinux_inode_security 84206 86072 72 53 1 : tunables 120 60 8 : slabdata 1624 1624 0
+radix_tree_node 11606 11781 560 7 1 : tunables 54 27 8 : slabdata 1683 1683 0
+key_jar 11 20 192 20 1 : tunables 120 60 8 : slabdata 1 1 0
+buffer_head 221526 230214 104 37 1 : tunables 120 60 8 : slabdata 6222 6222 0
+vm_area_struct 12962 13034 200 19 1 : tunables 120 60 8 : slabdata 686 686 0
+mm_struct 145 145 1408 5 2 : tunables 24 12 8 : slabdata 29 29 0
+fs_cache 177 177 64 59 1 : tunables 120 60 8 : slabdata 3 3 0
+files_cache 162 165 704 11 2 : tunables 54 27 8 : slabdata 15 15 0
+signal_cache 208 208 1024 4 1 : tunables 54 27 8 : slabdata 52 52 0
+sighand_cache 201 201 2112 3 2 : tunables 24 12 8 : slabdata 67 67 0
+task_xstate 240 240 512 8 1 : tunables 54 27 8 : slabdata 30 30 0
+task_struct 306 306 2656 3 2 : tunables 24 12 8 : slabdata 102 102 0
+cred_jar 580 580 192 20 1 : tunables 120 60 8 : slabdata 29 29 0
+anon_vma_chain 7874 8162 48 77 1 : tunables 120 60 8 : slabdata 106 106 0
+anon_vma 5773 5888 40 92 1 : tunables 120 60 8 : slabdata 64 64 0
+pid 322 330 128 30 1 : tunables 120 60 8 : slabdata 11 11 0
+shared_policy_node 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
+numa_policy 1 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0
+idr_layer_cache 428 434 544 7 1 : tunables 54 27 8 : slabdata 62 62 0
+size-4194304(DMA) 0 0 4194304 1 1024 : tunables 1 1 0 : slabdata 0 0 0
+size-4194304 0 0 4194304 1 1024 : tunables 1 1 0 : slabdata 0 0 0
+size-2097152(DMA) 0 0 2097152 1 512 : tunables 1 1 0 : slabdata 0 0 0
+size-2097152 0 0 2097152 1 512 : tunables 1 1 0 : slabdata 0 0 0
+size-1048576(DMA) 0 0 1048576 1 256 : tunables 1 1 0 : slabdata 0 0 0
+size-1048576 0 0 1048576 1 256 : tunables 1 1 0 : slabdata 0 0 0
+size-524288(DMA) 0 0 524288 1 128 : tunables 1 1 0 : slabdata 0 0 0
+size-524288 0 0 524288 1 128 : tunables 1 1 0 : slabdata 0 0 0
+size-262144(DMA) 0 0 262144 1 64 : tunables 1 1 0 : slabdata 0 0 0
+size-262144 0 0 262144 1 64 : tunables 1 1 0 : slabdata 0 0 0
+size-131072(DMA) 0 0 131072 1 32 : tunables 8 4 0 : slabdata 0 0 0
+size-131072 1 1 131072 1 32 : tunables 8 4 0 : slabdata 1 1 0
+size-65536(DMA) 0 0 65536 1 16 : tunables 8 4 0 : slabdata 0 0 0
+size-65536 2 2 65536 1 16 : tunables 8 4 0 : slabdata 2 2 0
+size-32768(DMA) 0 0 32768 1 8 : tunables 8 4 0 : slabdata 0 0 0
+size-32768 3 3 32768 1 8 : tunables 8 4 0 : slabdata 3 3 0
+size-16384(DMA) 0 0 16384 1 4 : tunables 8 4 0 : slabdata 0 0 0
+size-16384 12 12 16384 1 4 : tunables 8 4 0 : slabdata 12 12 0
+size-8192(DMA) 0 0 8192 1 2 : tunables 8 4 0 : slabdata 0 0 0
+size-8192 27 27 8192 1 2 : tunables 8 4 0 : slabdata 27 27 0
+size-4096(DMA) 0 0 4096 1 1 : tunables 24 12 8 : slabdata 0 0 0
+size-4096 425 425 4096 1 1 : tunables 24 12 8 : slabdata 425 425 0
+size-2048(DMA) 0 0 2048 2 1 : tunables 24 12 8 : slabdata 0 0 0
+size-2048 573 578 2048 2 1 : tunables 24 12 8 : slabdata 289 289 0
+size-1024(DMA) 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
+size-1024 1340 1340 1024 4 1 : tunables 54 27 8 : slabdata 335 335 0
+size-512(DMA) 0 0 512 8 1 : tunables 54 27 8 : slabdata 0 0 0
+size-512 1123 1176 512 8 1 : tunables 54 27 8 : slabdata 147 147 0
+size-256(DMA) 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
+size-256 930 930 256 15 1 : tunables 120 60 8 : slabdata 62 62 0
+size-192(DMA) 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
+size-192 2119 2160 192 20 1 : tunables 120 60 8 : slabdata 108 108 0
+size-128(DMA) 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
+size-64(DMA) 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
+size-64 33093 40887 64 59 1 : tunables 120 60 8 : slabdata 693 693 0
+size-32(DMA) 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
+size-128 3921 4800 128 30 1 : tunables 120 60 8 : slabdata 160 160 0
+size-32 332389 332976 32 112 1 : tunables 120 60 8 : slabdata 2973 2973 0
+kmem_cache 191 191 32896 1 16 : tunables 8 4 0 : slabdata 191 191 0
+Inter-| Receive | Transmit
+ face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
+ lo:267102759 105357 0 0 0 0 0 0 267102759 105357 0 0 0 0 0 0
+ eth0:1013761672 1354551 0 0 0 0 0 0 245537245 966850 0 0 0 0 0 0
+ pan0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
diff --git a/test/aux-fixed/exim-ca/example.net/CA/pwdfile b/test/aux-fixed/exim-ca/example.net/CA/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.net/CA/secmod.db b/test/aux-fixed/exim-ca/example.net/CA/secmod.db
new file mode 100644
index 0000000..c7f115b
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/CA/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/expired1.example.net/ca_chain.pem
new file mode 100644
index 0000000..d0ee061
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+ friendlyName: Signing Cert
+subject=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: Certificate Authority
+subject=/O=example.net/CN=clica CA
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
+SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
+iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: expired1.example.net
+ localKeyID: 1E 0D 7E 35 C6 DD 12 8A 56 2B C8 44 4B 60 A9 95 DC 68 6F 37
+subject=/CN=expired1.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwNFoXDTEyMTIwMTEyMzQwNFowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
+ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA+LXqjv5NnRW2OlKWyYYH8ZFb
+Fj4xAdg4qSa1WK/wlUUdpQldGzpDuq/BzuyQdJjp1vSnqhKjfxz0ef9xJievdwID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
+bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EA0dUUjXeu21xQo+AsptLSwmzhn+EV8ixI
+757XRkCnAN0mOZZHcv+imuiEXpf62J+wNyWKNCWu2iPttov/JAcYKA==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/expired1.example.net/cert8.db
new file mode 100644
index 0000000..85ea017
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.chain.pem
new file mode 100644
index 0000000..1550cf2
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+ friendlyName: expired1.example.net
+ localKeyID: 1E 0D 7E 35 C6 DD 12 8A 56 2B C8 44 4B 60 A9 95 DC 68 6F 37
+subject=/CN=expired1.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwNFoXDTEyMTIwMTEyMzQwNFowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
+ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA+LXqjv5NnRW2OlKWyYYH8ZFb
+Fj4xAdg4qSa1WK/wlUUdpQldGzpDuq/BzuyQdJjp1vSnqhKjfxz0ef9xJievdwID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
+bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EA0dUUjXeu21xQo+AsptLSwmzhn+EV8ixI
+757XRkCnAN0mOZZHcv+imuiEXpf62J+wNyWKNCWu2iPttov/JAcYKA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.key b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.key
new file mode 100644
index 0000000..00adfe8
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.key
@@ -0,0 +1,15 @@
+Bag Attributes
+ friendlyName: expired1.example.net
+ localKeyID: 1E 0D 7E 35 C6 DD 12 8A 56 2B C8 44 4B 60 A9 95 DC 68 6F 37
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIEobdAguY51UCAggA
+MBQGCCqGSIb3DQMHBAjyQJzMIkx+swSCAWBoW5JocLm3XvmW7cnK8Np23KqUs4ST
+MG68rJY6pLqdGkn8aK0yZfecdpuHoFCZRdxQy9ztdofB50tkr7evlTuM1u40/9b0
+ygZ9ajxESZmF5mS8r6dFGXOBq7UrMpEvod1lujpP3hwtkqJOlPFhacPUestqDjP4
+zDmEmKQYyRx4DQ3QM4T2Wuc1S8TSECcMLsOgZhOxGULIzmtxceftS/V9NYewZsne
+Q05TKH7ygWGvUyYEgDlFlBAk8CAiqIBBz3fU2bmWfR5p6hoSTqGeLlAL7fTid8Vf
+g4HEfthygRC28+s5r/MbMBJKwTdRHnQbmK4rOxFUhYCkV8Df28Ukx/RaA9CKjbQl
+2fnuTRAms72szZRoKsdS3xVgyaOdgdhVJKWP2QAUvzblX/wpKr9BwrbqIhXOqEiv
+9/yCVqUg20sjNvYyw/2Zv9t+g9u3d5CMyU37e8AT8X3DExmpleiOdX4J
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.dated.resp
new file mode 100644
index 0000000..8831013
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.good.resp
new file mode 100644
index 0000000..3b2606d
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.req
new file mode 100644
index 0000000..c67ed9c
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.revoked.resp
new file mode 100644
index 0000000..6b8b763
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.p12 b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.p12
new file mode 100644
index 0000000..84f4bf5
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.pem b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.pem
new file mode 100644
index 0000000..310db9b
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+ friendlyName: expired1.example.net
+ localKeyID: 1E 0D 7E 35 C6 DD 12 8A 56 2B C8 44 4B 60 A9 95 DC 68 6F 37
+subject=/CN=expired1.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwNFoXDTEyMTIwMTEyMzQwNFowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
+ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA+LXqjv5NnRW2OlKWyYYH8ZFb
+Fj4xAdg4qSa1WK/wlUUdpQldGzpDuq/BzuyQdJjp1vSnqhKjfxz0ef9xJievdwID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
+bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EA0dUUjXeu21xQo+AsptLSwmzhn+EV8ixI
+757XRkCnAN0mOZZHcv+imuiEXpf62J+wNyWKNCWu2iPttov/JAcYKA==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.unlocked.key
new file mode 100644
index 0000000..77c8dad
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAPi16o7+TZ0VtjpSlsmGB/GRWxY+MQHYOKkmtViv8JVFHaUJXRs6
+Q7qvwc7skHSY6db0p6oSo38c9Hn/cSYnr3cCAwEAAQJBAK1O9tgV1Te1PXp+upxL
+TZXD2FkzlSrX5QPZ+VyHnXolg8XNhx2pA1J4iJrnvooWQRZuWRhi/p8g2ygJ8B6I
+60ECIQD/cO5OrdRWg3EBgoCWN7WAZ53qMmSRxAnMt95W5yujGQIhAPlBNzbQr2Z7
+DVvwCc2ERxuaFGTcLZH/x+oRhZ9jr0kPAiB/79froDSRgBPBZdNxaUWGol79RXAJ
+cd5WomDBtdatQQIgAVyP1qbRLnghnIz1IMBGOypeTia9wPxqtSafWj2LKZUCID/d
+8buaLYm3yYYAQwbTBtb89+gpRg0I51DFS6fNIuU4
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/expired1.example.net/key3.db
new file mode 100644
index 0000000..9919dfa
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/pwdfile b/test/aux-fixed/exim-ca/example.net/expired1.example.net/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/secmod.db b/test/aux-fixed/exim-ca/example.net/expired1.example.net/secmod.db
new file mode 100644
index 0000000..4347c0d
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/expired2.example.net/ca_chain.pem
new file mode 100644
index 0000000..323ae16
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+ friendlyName: Signing Cert
+subject=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: Certificate Authority
+subject=/O=example.net/CN=clica CA
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
+SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
+iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: expired2.example.net
+ localKeyID: 1A 68 61 A3 03 A4 DC 65 19 7A 7E 5E 65 37 39 DB E3 CB 56 AC
+subject=/CN=expired2.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDVaFw0xMjEyMDExMjM0MDVaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
+bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMRPNIrjXhmHfWrc/c+K9esj
+3cXECi38lpKgZyhqN8CjRvifIaMoZaCPoXoppyC3MmtLhT5JnYe8+1vSApl9jPUC
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
+cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAMmrnrUFZRECJcDk4BGSMQp5vvC/uHi0
+1NSP3Ki4Yu+CbXUHtgZqwOB5abU8INeLbJoab2stMFsdevzRYuuqb7s=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/expired2.example.net/cert8.db
new file mode 100644
index 0000000..6df2cda
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.chain.pem
new file mode 100644
index 0000000..b8e34d0
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+ friendlyName: expired2.example.net
+ localKeyID: 1A 68 61 A3 03 A4 DC 65 19 7A 7E 5E 65 37 39 DB E3 CB 56 AC
+subject=/CN=expired2.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDVaFw0xMjEyMDExMjM0MDVaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
+bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMRPNIrjXhmHfWrc/c+K9esj
+3cXECi38lpKgZyhqN8CjRvifIaMoZaCPoXoppyC3MmtLhT5JnYe8+1vSApl9jPUC
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
+cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAMmrnrUFZRECJcDk4BGSMQp5vvC/uHi0
+1NSP3Ki4Yu+CbXUHtgZqwOB5abU8INeLbJoab2stMFsdevzRYuuqb7s=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.key b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.key
new file mode 100644
index 0000000..382ad41
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.key
@@ -0,0 +1,15 @@
+Bag Attributes
+ friendlyName: expired2.example.net
+ localKeyID: 1A 68 61 A3 03 A4 DC 65 19 7A 7E 5E 65 37 39 DB E3 CB 56 AC
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIU+oGNqBSHjcCAggA
+MBQGCCqGSIb3DQMHBAjYaI7Iob+lDASCAWDAZIbvl/AbphvMZhynrCFGzj6iN309
+N+U1mQPGWD6hisPfA4aTpIQyHtVah6KCE1fbzGFgiNULsfByVj4XBRbetiVKMuWA
+xs/EEcPhNRG0KOeRxzDtSpM0lG078XAC4p7wgqvhf4R9524Vq4PpYzt+tKfh0rPC
+leF7VFJ5vi7Tms7q1wqtL76Wgibq4m43XoFrYMbQL2qbXl98rRAP6R6u852f4L/D
+Cy1EGsgWIdGjCPQRxdwC0Vf1vIjaspXBmVhbFJR9Djp48DShbAO11cXRSIligH6t
+7p+aesQM/illunmCaMzMYFAjdrMYZEO1bqVdU5Nd7/tlQQLgHSdo+iD6XLnci7dw
+elQ9bRxYVMEDX16kTXd4NU6xP0Zpac5XHu4ji2PKlSOSxQh5GbPICXdEH7K/Oshv
+CUIZbYnlGsOT2uFgnChtUeIwc6OXcSv3LLXIwzg0ec7yN83j0r3jQRQx
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.dated.resp
new file mode 100644
index 0000000..7f6c27b
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.good.resp
new file mode 100644
index 0000000..a9ad370
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.req
new file mode 100644
index 0000000..4684f07
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.revoked.resp
new file mode 100644
index 0000000..a9ad370
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.p12 b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.p12
new file mode 100644
index 0000000..8f9ef94
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.pem b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.pem
new file mode 100644
index 0000000..8c10ace
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+ friendlyName: expired2.example.net
+ localKeyID: 1A 68 61 A3 03 A4 DC 65 19 7A 7E 5E 65 37 39 DB E3 CB 56 AC
+subject=/CN=expired2.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDVaFw0xMjEyMDExMjM0MDVaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
+bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMRPNIrjXhmHfWrc/c+K9esj
+3cXECi38lpKgZyhqN8CjRvifIaMoZaCPoXoppyC3MmtLhT5JnYe8+1vSApl9jPUC
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
+cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAMmrnrUFZRECJcDk4BGSMQp5vvC/uHi0
+1NSP3Ki4Yu+CbXUHtgZqwOB5abU8INeLbJoab2stMFsdevzRYuuqb7s=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.unlocked.key
new file mode 100644
index 0000000..12a48de
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAMRPNIrjXhmHfWrc/c+K9esj3cXECi38lpKgZyhqN8CjRvifIaMo
+ZaCPoXoppyC3MmtLhT5JnYe8+1vSApl9jPUCAwEAAQJAOCkksfs8B3ewlKrmXcK2
+ee/H2XUtKFzTwtzqxjAlBRHwxgSOZr4rn10t+R4j6cvLqhfbXGu0p+1oGgFCYAe6
+/QIhAOU/L1TRGgE1Q0gR+BSyWTlHNSXu1wmy0j/nVSk1fb2bAiEA2zgBX7vxRt1M
+d7AKLfqjpMKolmMUyWNQdGFI/+Ch0K8CIHsFMkAgygS18XoecnOg1bKgHMxTZEBH
+Hv6+BHxNwUFbAiBpXA98/Y1G69F2rMsXsiC4bT4tmU1CRVNDvAYjxMjAzQIhAOHO
+1ynQHqtSfjlkpZtcNqey2SlcqXz7xI/aEXVYj5Q4
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/expired2.example.net/key3.db
new file mode 100644
index 0000000..4489ac3
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/pwdfile b/test/aux-fixed/exim-ca/example.net/expired2.example.net/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/secmod.db b/test/aux-fixed/exim-ca/example.net/expired2.example.net/secmod.db
new file mode 100644
index 0000000..372213d
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/ca_chain.pem
new file mode 100644
index 0000000..cba5fac
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+ friendlyName: Signing Cert
+subject=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: Certificate Authority
+subject=/O=example.net/CN=clica CA
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
+SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
+iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: revoked1.example.net
+ localKeyID: 3A 08 2E BA 85 F0 DD 7E C5 FE 51 92 BD 0B C7 35 9D 56 6B A5
+subject=/CN=revoked1.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwNFoXDTM4MDEwMTEyMzQwNFowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
+ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAr20bGUprpXdQGlk/FW+RJ19l
+FZ//slFysFeG3PEVjVjCnvsoxBFZJFVyfHhyxTvVYdoC6BVZfs9HRAjgZuBImQID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
+bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EACw87yNDj6DBkvF+i1qUyw6vqijmPyOQZ
+4S+UOCyyNSsJrA1VMjRjAqGTgyU0OFtfcGuhvZ1ZnlFrvVog/icGcw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/cert8.db
new file mode 100644
index 0000000..e10dae1
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/key3.db
new file mode 100644
index 0000000..57ab103
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/pwdfile b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.chain.pem
new file mode 100644
index 0000000..6db7016
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+ friendlyName: revoked1.example.net
+ localKeyID: 3A 08 2E BA 85 F0 DD 7E C5 FE 51 92 BD 0B C7 35 9D 56 6B A5
+subject=/CN=revoked1.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwNFoXDTM4MDEwMTEyMzQwNFowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
+ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAr20bGUprpXdQGlk/FW+RJ19l
+FZ//slFysFeG3PEVjVjCnvsoxBFZJFVyfHhyxTvVYdoC6BVZfs9HRAjgZuBImQID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
+bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EACw87yNDj6DBkvF+i1qUyw6vqijmPyOQZ
+4S+UOCyyNSsJrA1VMjRjAqGTgyU0OFtfcGuhvZ1ZnlFrvVog/icGcw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.key b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.key
new file mode 100644
index 0000000..d67c105
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.key
@@ -0,0 +1,15 @@
+Bag Attributes
+ friendlyName: revoked1.example.net
+ localKeyID: 3A 08 2E BA 85 F0 DD 7E C5 FE 51 92 BD 0B C7 35 9D 56 6B A5
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQITLxrgeizo7ACAggA
+MBQGCCqGSIb3DQMHBAiR0pknm91lSASCAWAoe8AKx1R5elFbE1FAZaGyPjegmgc5
+qFLKuVzK43OMKRphZJPKRSa12rzz40qRozJItXiDNL1+qt+IbOirtUlvvKu+5cdC
+oHQgSjA58Is1DN6f+OqD7v7S1ZdXrtyMmtvaHLfjsgX7f9acq8Q7OrcdVcJksVRL
+7yCULtR0NRxG+elh5lF9SNY+1f8Hee/dfP3LmyE+leO5ECfOWcIFLBCjLbdmMQFf
+lIodgPiy1qjuGwuXZQy/3s1tZ4p2R6dQ7FrPWCyDAxkd/Vw5+BWZ/UJD8GDKtvLL
+E9lyYuUg7KUaWiSSdsHmXMyrs+xdW+1GHqAVkuJqjWR2nxtXBDQ7GIaDfZr7nosR
+OR5ABpVtZ0eAiJz7qX3WjxtoQJ/7RRPYOnINzyRVgHHHVekyFdYd1OiQDgVoh+08
+HOOA6ZbXLyOCGqh5Syp0RAn7d8qSfX/Z8l6wnxblNG16noDPRbNGf9rU
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.dated.resp
new file mode 100644
index 0000000..3c7ac69
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.good.resp
new file mode 100644
index 0000000..71c6b2d
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.req
new file mode 100644
index 0000000..829b621
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.revoked.resp
new file mode 100644
index 0000000..8549f0e
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.p12 b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.p12
new file mode 100644
index 0000000..91af59f
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.pem b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.pem
new file mode 100644
index 0000000..286a0ef
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+ friendlyName: revoked1.example.net
+ localKeyID: 3A 08 2E BA 85 F0 DD 7E C5 FE 51 92 BD 0B C7 35 9D 56 6B A5
+subject=/CN=revoked1.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwNFoXDTM4MDEwMTEyMzQwNFowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
+ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAr20bGUprpXdQGlk/FW+RJ19l
+FZ//slFysFeG3PEVjVjCnvsoxBFZJFVyfHhyxTvVYdoC6BVZfs9HRAjgZuBImQID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
+bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EACw87yNDj6DBkvF+i1qUyw6vqijmPyOQZ
+4S+UOCyyNSsJrA1VMjRjAqGTgyU0OFtfcGuhvZ1ZnlFrvVog/icGcw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.unlocked.key
new file mode 100644
index 0000000..412042f
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOwIBAAJBAK9tGxlKa6V3UBpZPxVvkSdfZRWf/7JRcrBXhtzxFY1Ywp77KMQR
+WSRVcnx4csU71WHaAugVWX7PR0QI4GbgSJkCAwEAAQJAMvRiFqqDMgDCB6U8qaFK
+bEFNP0bGIql9wrLpvWtZc0CFyhV6LSjMBQSQp92r1tMlB4NKQ7leLb7XXgrPRswY
+AQIhANW94AFeO6+yIhd1OQuizl8SBQwCi0gvlMqsrf3kyDrZAiEA0hv3G/VQWPKY
+n/wikupIE/8jbJvLWLRYYWn6eGg6Y8ECIQC7RN0a1cFdsqkD/IS6mS5PRa5+U0xN
+NsMawCjBps14IQIhAL24JLypGSEIBYrIl8uDIwxzYGBMmSQCzJ9Bm7onmznBAiAe
+YGSy1e3Vji/YwZGuEyGrVl+BEIQ1p0vUgRZ7aEpVpQ==
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/secmod.db b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/secmod.db
new file mode 100644
index 0000000..d38550f
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/ca_chain.pem
new file mode 100644
index 0000000..9bd3617
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+ friendlyName: Signing Cert
+subject=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: Certificate Authority
+subject=/O=example.net/CN=clica CA
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
+SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
+iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: revoked2.example.net
+ localKeyID: 60 8E D5 FB A7 97 B2 E8 F9 84 11 4F 91 1D 3C 91 B8 19 E8 97
+subject=/CN=revoked2.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDRaFw0zODAxMDExMjM0MDRaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
+bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMj2mEnZY8N38XJ5ZLTymH2J
+hBNiubBU4ddvVQ0y48E/b5fbYwJI458bKgyNhqQtO/MG15oIndFpbazcp1p8++8C
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
+cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAD46Iw05ofRAaw9+yeTDPIydjl1Pkb1/
+ma4/qSK7p8BU/pMN3SH4qxKW7z6nNregMW48d5KcSxUPBmWmDCM8u70=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/cert8.db
new file mode 100644
index 0000000..b05fa01
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/key3.db
new file mode 100644
index 0000000..5f70c4b
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/pwdfile b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.chain.pem
new file mode 100644
index 0000000..e872801
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+ friendlyName: revoked2.example.net
+ localKeyID: 60 8E D5 FB A7 97 B2 E8 F9 84 11 4F 91 1D 3C 91 B8 19 E8 97
+subject=/CN=revoked2.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDRaFw0zODAxMDExMjM0MDRaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
+bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMj2mEnZY8N38XJ5ZLTymH2J
+hBNiubBU4ddvVQ0y48E/b5fbYwJI458bKgyNhqQtO/MG15oIndFpbazcp1p8++8C
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
+cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAD46Iw05ofRAaw9+yeTDPIydjl1Pkb1/
+ma4/qSK7p8BU/pMN3SH4qxKW7z6nNregMW48d5KcSxUPBmWmDCM8u70=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.key b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.key
new file mode 100644
index 0000000..681886b
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.key
@@ -0,0 +1,15 @@
+Bag Attributes
+ friendlyName: revoked2.example.net
+ localKeyID: 60 8E D5 FB A7 97 B2 E8 F9 84 11 4F 91 1D 3C 91 B8 19 E8 97
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIfHUUKZHRP88CAggA
+MBQGCCqGSIb3DQMHBAiGHts1xOcjYASCAWA+TB8P6+MMx7kHWAIrO7eIwxXI/ivw
+gKWa/XVFtZeZcBYCdjR0Ubfsv3emeWtZ72badVNNOgbUqaMsTraqYePGS9fVIk8e
+Pn3PjKdd7rODvSTN647CrN6ng0x1yYW/RVo5v5CnoantSojUY5eNhO+iSGPFgbvj
+h8s0uKZ3+KxlySpIJX9RU/LJQUfrdCAGkdIuPEi4graL8Z9pjyORqppYNCI+u+VG
+m76zMJq9vxBcn6v3/DpVCFL7gokwD0GgMtWtTeXiP1Yn92dsn3DPVNI/ieE1ogJs
+8WVWmTNBm0UuN0GiUWqQUXv3cqFpNArL/BObHJGWyHObUz3FgDpkP4crmhrFN2Ao
+cT34tYaN9SGfoYA+MI2DqKQ0M8aGBvbL5CVGqJqWiVB71jG+JsdS0Q+7K5JQ5d/O
+xiynUVJ8FhZBQshqPXAkPD8lOeFQ2QZp53RUSlI3d04Cy8FAZr3HzqEZ
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.dated.resp
new file mode 100644
index 0000000..834df2a
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.good.resp
new file mode 100644
index 0000000..f110fab
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.req
new file mode 100644
index 0000000..0c271ad
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.revoked.resp
new file mode 100644
index 0000000..f110fab
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.p12 b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.p12
new file mode 100644
index 0000000..368429e
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.pem b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.pem
new file mode 100644
index 0000000..8862a6b
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+ friendlyName: revoked2.example.net
+ localKeyID: 60 8E D5 FB A7 97 B2 E8 F9 84 11 4F 91 1D 3C 91 B8 19 E8 97
+subject=/CN=revoked2.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDRaFw0zODAxMDExMjM0MDRaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
+bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMj2mEnZY8N38XJ5ZLTymH2J
+hBNiubBU4ddvVQ0y48E/b5fbYwJI458bKgyNhqQtO/MG15oIndFpbazcp1p8++8C
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
+cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAD46Iw05ofRAaw9+yeTDPIydjl1Pkb1/
+ma4/qSK7p8BU/pMN3SH4qxKW7z6nNregMW48d5KcSxUPBmWmDCM8u70=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.unlocked.key
new file mode 100644
index 0000000..4c90105
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOwIBAAJBAMj2mEnZY8N38XJ5ZLTymH2JhBNiubBU4ddvVQ0y48E/b5fbYwJI
+458bKgyNhqQtO/MG15oIndFpbazcp1p8++8CAwEAAQJAdkDE9A+7qLXXmejc3a0z
+FgvpcA7T/XK1QjP89DtR0dAbM0tLdWyhshLNcNSW6urwYKkPmw7jPmW1wC14/Ob3
+IQIhAOg4d+nA1BNR2+L2dDJhdTPWzVWERwsMaBVMsKYg8TbjAiEA3Yq7xYMK0aNU
+XTvzTnmr+y51Ce5BQK9U2q/B1kyIKIUCIDQZ902K5govo5YYlZl4JEOtPgSh2Q6x
+iei9fCTJ31ThAiEAg28IQYCiDYeJyJqFmZwjxSxlsVORkO+0Nt2o8RuMeAUCIQCj
+IPd5zjwu8dkolqvof1uMm3An3YhSLWSlJK1BSAk2Yw==
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/secmod.db b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/secmod.db
new file mode 100644
index 0000000..a2fa5b6
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/server1.example.net/ca_chain.pem
new file mode 100644
index 0000000..4696e4e
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+ friendlyName: Signing Cert
+subject=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: Certificate Authority
+subject=/O=example.net/CN=clica CA
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
+SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
+iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: server1.example.net
+ localKeyID: 4C 81 72 95 D9 D6 9C FD 7A B1 C0 66 9F 85 A7 01 93 A4 6E D7
+subject=/CN=server1.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwNFoXDTM4MDEwMTEyMzQwNFowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+Lm5ldDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDCtN2Y0S4oROnlfkTeUH2ULUVs
+RShAIKdxlXRo+F09rEBzNKKNC4ZWIr+pc8U+iQzGGTiiCTfeq9bI0Uef1493AgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+bmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLm5ldC8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+Lm5ldDANBgkqhkiG9w0BAQUFAANBAEMi4SnbMDOvnQk2UkvvNVGyBEXNsuskNzo9
+5wAY6x0bUZ6XWZ8+kM60gbmOqwfPA6pw/w7ui3XJ1Ac3BAUverQ=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/server1.example.net/cert8.db
new file mode 100644
index 0000000..3c1b67c
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server1.example.net/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/server1.example.net/key3.db
new file mode 100644
index 0000000..f9104cf
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server1.example.net/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/pwdfile b/test/aux-fixed/exim-ca/example.net/server1.example.net/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/secmod.db b/test/aux-fixed/exim-ca/example.net/server1.example.net/secmod.db
new file mode 100644
index 0000000..5353087
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server1.example.net/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem
new file mode 100644
index 0000000..4d4431b
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+ friendlyName: server1.example.net
+ localKeyID: 4C 81 72 95 D9 D6 9C FD 7A B1 C0 66 9F 85 A7 01 93 A4 6E D7
+subject=/CN=server1.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwNFoXDTM4MDEwMTEyMzQwNFowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+Lm5ldDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDCtN2Y0S4oROnlfkTeUH2ULUVs
+RShAIKdxlXRo+F09rEBzNKKNC4ZWIr+pc8U+iQzGGTiiCTfeq9bI0Uef1493AgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+bmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLm5ldC8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+Lm5ldDANBgkqhkiG9w0BAQUFAANBAEMi4SnbMDOvnQk2UkvvNVGyBEXNsuskNzo9
+5wAY6x0bUZ6XWZ8+kM60gbmOqwfPA6pw/w7ui3XJ1Ac3BAUverQ=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.key b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.key
new file mode 100644
index 0000000..d01d43b
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.key
@@ -0,0 +1,15 @@
+Bag Attributes
+ friendlyName: server1.example.net
+ localKeyID: 4C 81 72 95 D9 D6 9C FD 7A B1 C0 66 9F 85 A7 01 93 A4 6E D7
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQItqv8KkyfDOECAggA
+MBQGCCqGSIb3DQMHBAi+cLfRJYwdhASCAWDijpItKwM1N1Tk9po65/Et0DLcJt8h
+UNc26UWxg4uGMcbyHJv5+OZDhAjla1GwFLBZDQwCsnvwfjHfpwFpSx4Mxj4SMGrx
+YCwSB8smLl5cZNJpm2N3JVlrX/ZHR1plwtVccOf9Ry7MFoyj9YcXTs9N39zmpYDD
+Oi81eD2CzGEP2NqyycJK3Fu0OMUNT5RYHF7Nja6mGjzyul8rDPHPOcwQ0CCEHUmF
+3FaMqji+aCpJ+BeFwcVYZjiuQx4ajKXnu8g4KEa1S59KgSRiAdL8Ih1dN5qrDJB5
+dDTo37DneR1RkudMs2OcbMnbhyWQZ/AhfUqqFM7NLnDSVwhUtL9kPzjqIA1+l9V6
+27ANditdhs3fS6026sC3MMJRrPXmZGU3GuItxi1hU/CjiCb54VsK8MEhWpzU6QiS
++UXkPYKauZKsGtfn0sI8ZUCEyo2vF79KAIGK6DYQ6dIOmjvKqz2xgng/
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.dated.resp
new file mode 100644
index 0000000..8dc2a09
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.good.resp
new file mode 100644
index 0000000..b2cb446
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.req
new file mode 100644
index 0000000..0057816
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.revoked.resp
new file mode 100644
index 0000000..5e9cee6
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.p12 b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.p12
new file mode 100644
index 0000000..9596af0
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.pem b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.pem
new file mode 100644
index 0000000..4d14e20
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+ friendlyName: server1.example.net
+ localKeyID: 4C 81 72 95 D9 D6 9C FD 7A B1 C0 66 9F 85 A7 01 93 A4 6E D7
+subject=/CN=server1.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwNFoXDTM4MDEwMTEyMzQwNFowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+Lm5ldDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDCtN2Y0S4oROnlfkTeUH2ULUVs
+RShAIKdxlXRo+F09rEBzNKKNC4ZWIr+pc8U+iQzGGTiiCTfeq9bI0Uef1493AgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+bmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLm5ldC8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+Lm5ldDANBgkqhkiG9w0BAQUFAANBAEMi4SnbMDOvnQk2UkvvNVGyBEXNsuskNzo9
+5wAY6x0bUZ6XWZ8+kM60gbmOqwfPA6pw/w7ui3XJ1Ac3BAUverQ=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
new file mode 100644
index 0000000..4224283
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAMK03ZjRLihE6eV+RN5QfZQtRWxFKEAgp3GVdGj4XT2sQHM0oo0L
+hlYiv6lzxT6JDMYZOKIJN96r1sjRR5/Xj3cCAwEAAQJAYR333g6QeFOPWwH1dfIu
+ASfnlc6U+g+PlY8XhnhDgcu2le3IQuOaI0sw/X0vZdhEKJpDHJ1hKGxIQpOB2R/P
+EQIhAPUMh9+sUsZSnNbhEggO8h6F4TeLoAVJNzUtW5UvmBgvAiEAy2hlFkLXlP0t
+VYwmNqyCs8Jhf0SIrnhPw3ynJhxgYzkCIQDlHd48yAZs3/k9ABu35SGEYHD/WlE4
+IAi6c7pZdrKiiQIgEH48hBuTY29L973Pc2t1haHjSfCCrLLwtMcsvnhakHECIEuy
+0/MQz7IYZNJ7g36j3jjv8vFkAdDCGyKzuMGLoq9p
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/server2.example.net/ca_chain.pem
new file mode 100644
index 0000000..39e5eed
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+ friendlyName: Signing Cert
+subject=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: Certificate Authority
+subject=/O=example.net/CN=clica CA
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
+SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
+iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: server2.example.net
+ localKeyID: E6 14 E8 D3 C2 D6 33 C5 46 4A 62 47 B7 C2 BA D6 3B 26 F2 56
+subject=/CN=server2.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDRaFw0zODAxMDExMjM0MDRaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoXux6WdUK5xq7w+eMCFo2iEE
+GCUYpmqc4H6AmgxmglEfrndnKMv/fLRJpMUMe65a2fIPdMaZO6uX/fBDYSeUjwID
+AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5uZXQvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
+ZS5uZXQwDQYJKoZIhvcNAQEFBQADQQBhKq+CoKmxvdEJ4+AlNsJGpByKiwsDo0Cz
+mtgyGnn4a+3kkKYb2/KWosrBBLIzZbuzQ6sAjDKKioKJy7+ENuki
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/server2.example.net/cert8.db
new file mode 100644
index 0000000..0478b4b
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server2.example.net/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/server2.example.net/key3.db
new file mode 100644
index 0000000..11649e0
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server2.example.net/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/pwdfile b/test/aux-fixed/exim-ca/example.net/server2.example.net/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/secmod.db b/test/aux-fixed/exim-ca/example.net/server2.example.net/secmod.db
new file mode 100644
index 0000000..4bdbe54
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server2.example.net/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.chain.pem
new file mode 100644
index 0000000..8f2b6af
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+ friendlyName: server2.example.net
+ localKeyID: E6 14 E8 D3 C2 D6 33 C5 46 4A 62 47 B7 C2 BA D6 3B 26 F2 56
+subject=/CN=server2.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDRaFw0zODAxMDExMjM0MDRaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoXux6WdUK5xq7w+eMCFo2iEE
+GCUYpmqc4H6AmgxmglEfrndnKMv/fLRJpMUMe65a2fIPdMaZO6uX/fBDYSeUjwID
+AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5uZXQvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
+ZS5uZXQwDQYJKoZIhvcNAQEFBQADQQBhKq+CoKmxvdEJ4+AlNsJGpByKiwsDo0Cz
+mtgyGnn4a+3kkKYb2/KWosrBBLIzZbuzQ6sAjDKKioKJy7+ENuki
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.key b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.key
new file mode 100644
index 0000000..0375904
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.key
@@ -0,0 +1,15 @@
+Bag Attributes
+ friendlyName: server2.example.net
+ localKeyID: E6 14 E8 D3 C2 D6 33 C5 46 4A 62 47 B7 C2 BA D6 3B 26 F2 56
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQId2/8mqWfInACAggA
+MBQGCCqGSIb3DQMHBAgvDNlX6TpnZQSCAWD27NSWhbC88NONthVEEIHARSoUieXl
+Hsker9qC52voq+kSQf4sFmifD9SgestoXFoxBOWi4mnO2uwUqu/yC3Igrr0DE0VH
+zXapBoEbd7Yr4y5BN7M5+oQPGjxCUocP3Bp9dxvo5T3lFLtmaBvdBucVHvn6UqzX
+uUZw3O1LdoMm6PqZXBh8vzhapYq5I5oMOhWJsJrauSfXaBJObeo3MgFF6WfUQlnI
+fR/O7uJ00t+ArvdkQVIDT70FWWAFvt9DDtVIUcva8BfiGEjPjqso0tElTzPRqRrs
+WmS1jn1Lf/EVaVSOIIecjHodxeA7R/vMlG+5U/PcgfeYMEFyn0Aj/tUvdR6tTAUy
+1K5zFEGG5YCY2e0HmVyc/qvOoSPwi7f8eJEziTuv2nXlPrjd74OcGn1ffXyMeDZ6
+gDAQB9pe/7m9OZ9MAxuak4DEyFMdNJTFJ3il0ILAi8R2GOGA+TVSrGAT
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.dated.resp
new file mode 100644
index 0000000..edb418a
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.good.resp
new file mode 100644
index 0000000..dcb27f2
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.req
new file mode 100644
index 0000000..54d932e
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.revoked.resp
new file mode 100644
index 0000000..dda468d
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.p12 b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.p12
new file mode 100644
index 0000000..e54fff3
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.pem b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.pem
new file mode 100644
index 0000000..e973e00
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+ friendlyName: server2.example.net
+ localKeyID: E6 14 E8 D3 C2 D6 33 C5 46 4A 62 47 B7 C2 BA D6 3B 26 F2 56
+subject=/CN=server2.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDRaFw0zODAxMDExMjM0MDRaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoXux6WdUK5xq7w+eMCFo2iEE
+GCUYpmqc4H6AmgxmglEfrndnKMv/fLRJpMUMe65a2fIPdMaZO6uX/fBDYSeUjwID
+AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5uZXQvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
+ZS5uZXQwDQYJKoZIhvcNAQEFBQADQQBhKq+CoKmxvdEJ4+AlNsJGpByKiwsDo0Cz
+mtgyGnn4a+3kkKYb2/KWosrBBLIzZbuzQ6sAjDKKioKJy7+ENuki
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.unlocked.key
new file mode 100644
index 0000000..74b3501
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAKF7selnVCucau8PnjAhaNohBBglGKZqnOB+gJoMZoJRH653ZyjL
+/3y0SaTFDHuuWtnyD3TGmTurl/3wQ2EnlI8CAwEAAQJAGXXkRjWperrNzWV7/oC2
+BHZiK+Blc4+prmejpSZBX1hk5XFL8vMx3H1yYnYj3LLr2MzuZ7W410GXBvZkfOy5
+uQIhANSjR5qV2dgzdI7nTjPXZOVPHfh9S4RbgCa8nbm+Yg59AiEAwmnlkEP8BMHx
+8GeuItJyuIQYXU/TRFIAB5N9nDWO4PsCIFvZj/OJaUlHqMCVz6T7FL0suMB+tuEc
+eTXCYcs7HrYtAiEAi4ivv+xbbBq7B72SSOHcfrwoNIi/bBCifs2H4N67zpMCIBpU
+fl/bfvpZ2FtBsZ1yMTgTXzaZyOllhYkaZO3bvQYU
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/CA.pem b/test/aux-fixed/exim-ca/example.org/BLANK/CA.pem
new file mode 100644
index 0000000..bdb4c06
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/BLANK/CA.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
+x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
+LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/Signer.pem b/test/aux-fixed/exim-ca/example.org/BLANK/Signer.pem
new file mode 100644
index 0000000..bbcf3ac
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/BLANK/Signer.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/cert8.db b/test/aux-fixed/exim-ca/example.org/BLANK/cert8.db
new file mode 100644
index 0000000..173ac18
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/BLANK/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/key3.db b/test/aux-fixed/exim-ca/example.org/BLANK/key3.db
new file mode 100644
index 0000000..f4cc9de
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/BLANK/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/pwdfile b/test/aux-fixed/exim-ca/example.org/BLANK/pwdfile
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/BLANK/pwdfile
@@ -0,0 +1 @@
+
diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/secmod.db b/test/aux-fixed/exim-ca/example.org/BLANK/secmod.db
new file mode 100644
index 0000000..8a83193
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/BLANK/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/CA/CA.pem b/test/aux-fixed/exim-ca/example.org/CA/CA.pem
new file mode 100644
index 0000000..bdb4c06
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/CA.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
+x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
+LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/CA/OCSP.key b/test/aux-fixed/exim-ca/example.org/CA/OCSP.key
new file mode 100644
index 0000000..4248964
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/OCSP.key
@@ -0,0 +1,14 @@
+Bag Attributes
+ friendlyName: OCSP Signer
+ localKeyID: 89 7C 3C C4 3E 60 FD AA 47 69 0A 11 1B 17 C9 BD 6B D2 DA 1E
+Key Attributes: <No Attributes>
+-----BEGIN PRIVATE KEY-----
+MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAl1EzD7A3887Wit6D
+uE5WOuTdCD4RVQFBa85RFHZd/Q3Yiw5SXh7gQaykL/4mrFHzgbKNgj6WmjBp4tNI
+FQYqJQIDAQABAkBNigd/X46cef5IdRPMayAW19ZH9f5Nr/IFO1kjAjDRjfASDkBN
+V/rMV+78Rh5fOAj1S74VILvKTaaLWhvkDOF1AiEAxxhzyV1rOrdo/tp7W6uD5m0g
+OTxUZYn/6Ec/Kkb6SjsCIQDCkN8rSD+IkhJ3zQOvCi2Onxjon5mE4mkbhZLq84W3
+HwIhAJbbRlCbwnY5JwuEjNgG++iLY1E7D0/o4skjww7LvTalAiBCCbH1mtwVmp6y
+Et/BNY8o7U8jBaixtbc/JCMto+IquQIhAI6flaLC9nQbBh6BX6GVeGu3XS9M/jFe
+EK9fMWn71opJ
+-----END PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/CA/OCSP.p12 b/test/aux-fixed/exim-ca/example.org/CA/OCSP.p12
new file mode 100644
index 0000000..e247406
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/CA/OCSP.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/CA/OCSP.pem b/test/aux-fixed/exim-ca/example.org/CA/OCSP.pem
new file mode 100644
index 0000000..287e61e
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/OCSP.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBgDCCASqgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMloXDTM4MDEwMTEyMzQwMlowMjEUMBIGA1UEChMLZXhhbXBsZS5vcmcxGjAY
+BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJB
+AJdRMw+wN/PO1oreg7hOVjrk3Qg+EVUBQWvOURR2Xf0N2IsOUl4e4EGspC/+JqxR
+84GyjYI+lpowaeLTSBUGKiUCAwEAAaMqMCgwDgYDVR0PAQH/BAQDAgeAMBYGA1Ud
+JQEB/wQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBBQUAA0EAZe2NAm2FGEJuLkyZ
+AiGPi2pdu5ngE+vQhyTFR3EJ4L6HDkNGE5Mv7lrsSSWU47N3R+Oo+glEau6SyTb1
+zMIYxQ==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/CA/Signer.pem b/test/aux-fixed/exim-ca/example.org/CA/Signer.pem
new file mode 100644
index 0000000..bbcf3ac
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/Signer.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/CA/ca.conf b/test/aux-fixed/exim-ca/example.org/CA/ca.conf
new file mode 100644
index 0000000..9d6d2ed
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/ca.conf
@@ -0,0 +1,18 @@
+; Config::Simple 4.59
+; Thu Nov 1 12:34:02 2012
+
+[CLICA]
+crl_url=http://crl.example.org/latest.crl
+crl_signer=Signing Cert
+level=1
+signer=Signing Cert
+ocsp_signer=OCSP Signer
+ocsp_url=http://oscp/example.org/
+
+[CA]
+org=example.org
+subject=clica CA
+name=Certificate Authority
+bits=512
+
+
diff --git a/test/aux-fixed/exim-ca/example.org/CA/cert8.db b/test/aux-fixed/exim-ca/example.org/CA/cert8.db
new file mode 100644
index 0000000..7f25f8d
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/CA/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.empty b/test/aux-fixed/exim-ca/example.org/CA/crl.empty
new file mode 100644
index 0000000..f35edb0
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/CA/crl.empty differ
diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.empty.in.txt b/test/aux-fixed/exim-ca/example.org/CA/crl.empty.in.txt
new file mode 100644
index 0000000..250311c
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/crl.empty.in.txt
@@ -0,0 +1 @@
+update=20130127152434Z
diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.empty.pem b/test/aux-fixed/exim-ca/example.org/CA/crl.empty.pem
new file mode 100644
index 0000000..292e871
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/crl.empty.pem
@@ -0,0 +1,6 @@
+-----BEGIN X509 CRL-----
+MIGsMFgCAQEwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5vcmcx
+GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxMzAxMjcxNTI0MzRaMA0G
+CSqGSIb3DQEBBQUAA0EAL3N9NbP2jClLBlaFsAFB959JN6Hm7B6H5uYdGo55Rvt6
+1BZvz36DEQemcEmzrelVOR+bCBTTBkH8SC6jv9dsAQ==
+-----END X509 CRL-----
diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.v2 b/test/aux-fixed/exim-ca/example.org/CA/crl.v2
new file mode 100644
index 0000000..8c7f4d4
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/CA/crl.v2 differ
diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.v2.in.txt b/test/aux-fixed/exim-ca/example.org/CA/crl.v2.in.txt
new file mode 100644
index 0000000..434045f
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/crl.v2.in.txt
@@ -0,0 +1,3 @@
+update=20130127152437Z
+addcert 102 20130127152437Z
+addcert 202 20130127152437Z
diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.v2.pem b/test/aux-fixed/exim-ca/example.org/CA/crl.v2.pem
new file mode 100644
index 0000000..bff5953
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/crl.v2.pem
@@ -0,0 +1,7 @@
+-----BEGIN X509 CRL-----
+MIHcMIGHAgEBMA0GCSqGSIb3DQEBBQUAMDMxFDASBgNVBAoTC2V4YW1wbGUub3Jn
+MRswGQYDVQQDExJjbGljYSBTaWduaW5nIENlcnQYDzIwMTMwMTI3MTUyNDM3WjAt
+MBQCAWYYDzIwMTMwMTI3MTUyNDM3WjAVAgIAyhgPMjAxMzAxMjcxNTI0MzdaMA0G
+CSqGSIb3DQEBBQUAA0EAVWskomLMAt1QAPrpuIC7WsNrAmPRG1XL+Ggm8d4rESya
+WGQxA0p4ZM6THLfJ3ZWAxlMHEGVkqAUQpUnZhNHmEQ==
+-----END X509 CRL-----
diff --git a/test/aux-fixed/exim-ca/example.org/CA/index.revoked.txt b/test/aux-fixed/exim-ca/example.org/CA/index.revoked.txt
new file mode 100644
index 0000000..8c67708
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/index.revoked.txt
@@ -0,0 +1,6 @@
+R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.example.org
+R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.example.org
+R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.example.org
+R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.example.org
+R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.example.org
+R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.example.org
diff --git a/test/aux-fixed/exim-ca/example.org/CA/index.valid.txt b/test/aux-fixed/exim-ca/example.org/CA/index.valid.txt
new file mode 100644
index 0000000..c8fd76e
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/index.valid.txt
@@ -0,0 +1,6 @@
+V 130110200751Z 65 unknown CN=server1.example.org
+V 130110200751Z 66 unknown CN=revoked1.example.org
+V 130110200751Z 67 unknown CN=expired1.example.org
+V 130110200751Z c9 unknown CN=server2.example.org
+V 130110200751Z ca unknown CN=revoked2.example.org
+V 130110200751Z cb unknown CN=expired2.example.org
diff --git a/test/aux-fixed/exim-ca/example.org/CA/key3.db b/test/aux-fixed/exim-ca/example.org/CA/key3.db
new file mode 100644
index 0000000..e11319f
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/CA/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/CA/noise.file b/test/aux-fixed/exim-ca/example.org/CA/noise.file
new file mode 100644
index 0000000..8641648
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/noise.file
@@ -0,0 +1,342 @@
+processor : 0
+vendor_id : GenuineIntel
+cpu family : 6
+model : 26
+model name : Intel(R) Xeon(R) CPU E5520 @ 2.27GHz
+stepping : 5
+cpu MHz : 2260.628
+cache size : 8192 KB
+fpu : yes
+fpu_exception : yes
+cpuid level : 11
+wp : yes
+flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts
+bogomips : 4521.25
+clflush size : 64
+cache_alignment : 64
+address sizes : 40 bits physical, 48 bits virtual
+power management:
+
+processor : 1
+vendor_id : GenuineIntel
+cpu family : 6
+model : 26
+model name : Intel(R) Xeon(R) CPU E5520 @ 2.27GHz
+stepping : 5
+cpu MHz : 2260.628
+cache size : 8192 KB
+fpu : yes
+fpu_exception : yes
+cpuid level : 11
+wp : yes
+flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts
+bogomips : 4521.25
+clflush size : 64
+cache_alignment : 64
+address sizes : 40 bits physical, 48 bits virtual
+power management:
+
+ CPU0 CPU1
+ 0: 2481 0 IO-APIC-edge timer
+ 1: 21441 346 IO-APIC-edge i8042
+ 3: 1 0 IO-APIC-edge
+ 4: 1 0 IO-APIC-edge
+ 7: 0 0 IO-APIC-edge parport0
+ 8: 1 0 IO-APIC-edge rtc0
+ 9: 0 0 IO-APIC-fasteoi acpi
+ 12: 78986 1718 IO-APIC-edge i8042
+ 14: 0 0 IO-APIC-edge ata_piix
+ 15: 2423330 1435 IO-APIC-edge ata_piix
+ 16: 1025 0 IO-APIC-fasteoi Ensoniq AudioPCI
+ 17: 239850 2559 IO-APIC-fasteoi ehci_hcd:usb1, ioc0
+ 18: 246 0 IO-APIC-fasteoi uhci_hcd:usb2
+ 19: 1868741 51479 IO-APIC-fasteoi eth0
+ 24: 0 0 PCI-MSI-edge pciehp
+ 25: 0 0 PCI-MSI-edge pciehp
+ 26: 0 0 PCI-MSI-edge pciehp
+ 27: 0 0 PCI-MSI-edge pciehp
+ 28: 0 0 PCI-MSI-edge pciehp
+ 29: 0 0 PCI-MSI-edge pciehp
+ 30: 0 0 PCI-MSI-edge pciehp
+ 31: 0 0 PCI-MSI-edge pciehp
+ 32: 0 0 PCI-MSI-edge pciehp
+ 33: 0 0 PCI-MSI-edge pciehp
+ 34: 0 0 PCI-MSI-edge pciehp
+ 35: 0 0 PCI-MSI-edge pciehp
+ 36: 0 0 PCI-MSI-edge pciehp
+ 37: 0 0 PCI-MSI-edge pciehp
+ 38: 0 0 PCI-MSI-edge pciehp
+ 39: 0 0 PCI-MSI-edge pciehp
+ 40: 0 0 PCI-MSI-edge pciehp
+ 41: 0 0 PCI-MSI-edge pciehp
+ 42: 0 0 PCI-MSI-edge pciehp
+ 43: 0 0 PCI-MSI-edge pciehp
+ 44: 0 0 PCI-MSI-edge pciehp
+ 45: 0 0 PCI-MSI-edge pciehp
+ 46: 0 0 PCI-MSI-edge pciehp
+ 47: 0 0 PCI-MSI-edge pciehp
+ 48: 0 0 PCI-MSI-edge pciehp
+ 49: 0 0 PCI-MSI-edge pciehp
+ 50: 0 0 PCI-MSI-edge pciehp
+ 51: 0 0 PCI-MSI-edge pciehp
+ 52: 0 0 PCI-MSI-edge pciehp
+ 53: 0 0 PCI-MSI-edge pciehp
+ 54: 0 0 PCI-MSI-edge pciehp
+ 55: 0 0 PCI-MSI-edge pciehp
+ 56: 1 0 PCI-MSI-edge vmci
+ 57: 0 0 PCI-MSI-edge vmci
+NMI: 0 0 Non-maskable interrupts
+LOC: 12398298 14241637 Local timer interrupts
+SPU: 0 0 Spurious interrupts
+PMI: 0 0 Performance monitoring interrupts
+IWI: 0 0 IRQ work interrupts
+RES: 282673 309097 Rescheduling interrupts
+CAL: 1955 163548 Function call interrupts
+TLB: 17977 15562 TLB shootdowns
+TRM: 0 0 Thermal event interrupts
+THR: 0 0 Threshold APIC interrupts
+MCE: 0 0 Machine check exceptions
+MCP: 2310 2310 Machine check polls
+ERR: 0
+MIS: 0
+MemTotal: 1914844 kB
+MemFree: 134216 kB
+Buffers: 142048 kB
+Cached: 952796 kB
+SwapCached: 108 kB
+Active: 981384 kB
+Inactive: 540556 kB
+Active(anon): 287092 kB
+Inactive(anon): 143480 kB
+Active(file): 694292 kB
+Inactive(file): 397076 kB
+Unevictable: 0 kB
+Mlocked: 0 kB
+SwapTotal: 4194296 kB
+SwapFree: 4193560 kB
+Dirty: 1732 kB
+Writeback: 0 kB
+AnonPages: 427116 kB
+Mapped: 70924 kB
+Shmem: 3400 kB
+Slab: 190944 kB
+SReclaimable: 125404 kB
+SUnreclaim: 65540 kB
+KernelStack: 2312 kB
+PageTables: 23536 kB
+NFS_Unstable: 0 kB
+Bounce: 0 kB
+WritebackTmp: 0 kB
+CommitLimit: 5151716 kB
+Committed_AS: 973184 kB
+VmallocTotal: 34359738367 kB
+VmallocUsed: 280772 kB
+VmallocChunk: 34359441168 kB
+HardwareCorrupted: 0 kB
+AnonHugePages: 249856 kB
+HugePages_Total: 0
+HugePages_Free: 0
+HugePages_Rsvd: 0
+HugePages_Surp: 0
+Hugepagesize: 2048 kB
+DirectMap4k: 8192 kB
+DirectMap2M: 2088960 kB
+slabinfo - version: 2.1
+# name <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
+bridge_fdb_cache 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
+fuse_request 0 0 632 6 1 : tunables 54 27 8 : slabdata 0 0 0
+fuse_inode 0 0 768 5 1 : tunables 54 27 8 : slabdata 0 0 0
+rpc_buffers 8 8 2048 2 1 : tunables 24 12 8 : slabdata 4 4 0
+rpc_tasks 8 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
+rpc_inode_cache 8 8 832 4 1 : tunables 54 27 8 : slabdata 2 2 0
+hgfsInodeCache 1 6 640 6 1 : tunables 54 27 8 : slabdata 1 1 0
+AF_VMCI 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
+nf_conntrack_expect 0 0 240 16 1 : tunables 120 60 8 : slabdata 0 0 0
+nf_conntrack_ffffffff8200cec0 22 26 304 13 1 : tunables 54 27 8 : slabdata 2 2 0
+fib6_nodes 22 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0
+ip6_dst_cache 13 30 384 10 1 : tunables 54 27 8 : slabdata 3 3 0
+ndisc_cache 1 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
+ip6_mrt_cache 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
+RAWv6 67 68 1024 4 1 : tunables 54 27 8 : slabdata 17 17 0
+UDPLITEv6 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
+UDPv6 4 4 1024 4 1 : tunables 54 27 8 : slabdata 1 1 0
+tw_sock_TCPv6 0 0 320 12 1 : tunables 54 27 8 : slabdata 0 0 0
+request_sock_TCPv6 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
+TCPv6 9 10 1856 2 1 : tunables 24 12 8 : slabdata 5 5 0
+jbd2_1k 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
+avtab_node 502203 502416 24 144 1 : tunables 120 60 8 : slabdata 3489 3489 0
+ext4_inode_cache 74816 74820 1024 4 1 : tunables 54 27 8 : slabdata 18705 18705 0
+ext4_xattr 9 44 88 44 1 : tunables 120 60 8 : slabdata 1 1 0
+ext4_free_block_extents 32 67 56 67 1 : tunables 120 60 8 : slabdata 1 1 0
+ext4_alloc_context 28 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0
+ext4_prealloc_space 18 37 104 37 1 : tunables 120 60 8 : slabdata 1 1 0
+ext4_system_zone 0 0 40 92 1 : tunables 120 60 8 : slabdata 0 0 0
+jbd2_journal_handle 32 144 24 144 1 : tunables 120 60 8 : slabdata 1 1 0
+jbd2_journal_head 74 102 112 34 1 : tunables 120 60 8 : slabdata 3 3 0
+jbd2_revoke_table 4 202 16 202 1 : tunables 120 60 8 : slabdata 1 1 0
+jbd2_revoke_record 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
+dm_crypt_io 50 50 152 25 1 : tunables 120 60 8 : slabdata 2 2 0
+sd_ext_cdb 2 112 32 112 1 : tunables 120 60 8 : slabdata 1 1 0
+scsi_sense_cache 25 60 128 30 1 : tunables 120 60 8 : slabdata 2 2 0
+scsi_cmd_cache 28 45 256 15 1 : tunables 120 60 8 : slabdata 3 3 0
+dm_raid1_read_record 0 0 1064 7 2 : tunables 24 12 8 : slabdata 0 0 0
+kcopyd_job 0 0 3240 2 2 : tunables 24 12 8 : slabdata 0 0 0
+io 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
+dm_uevent 0 0 2608 3 2 : tunables 24 12 8 : slabdata 0 0 0
+dm_rq_clone_bio_info 0 0 16 202 1 : tunables 120 60 8 : slabdata 0 0 0
+dm_rq_target_io 0 0 392 10 1 : tunables 54 27 8 : slabdata 0 0 0
+dm_target_io 844 864 24 144 1 : tunables 120 60 8 : slabdata 6 6 0
+dm_io 828 828 40 92 1 : tunables 120 60 8 : slabdata 9 9 0
+flow_cache 0 0 96 40 1 : tunables 120 60 8 : slabdata 0 0 0
+uhci_urb_priv 6 67 56 67 1 : tunables 120 60 8 : slabdata 1 1 0
+cfq_io_context 4 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0
+cfq_queue 5 16 240 16 1 : tunables 120 60 8 : slabdata 1 1 0
+bsg_cmd 0 0 312 12 1 : tunables 54 27 8 : slabdata 0 0 0
+mqueue_inode_cache 1 4 896 4 1 : tunables 54 27 8 : slabdata 1 1 0
+isofs_inode_cache 0 0 640 6 1 : tunables 54 27 8 : slabdata 0 0 0
+hugetlbfs_inode_cache 1 6 608 6 1 : tunables 54 27 8 : slabdata 1 1 0
+dquot 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
+kioctx 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0
+kiocb 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
+inotify_event_private_data 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
+inotify_inode_mark_entry 186 204 112 34 1 : tunables 120 60 8 : slabdata 6 6 0
+dnotify_mark_entry 1 34 112 34 1 : tunables 120 60 8 : slabdata 1 1 0
+dnotify_struct 1 112 32 112 1 : tunables 120 60 8 : slabdata 1 1 0
+fasync_cache 6 144 24 144 1 : tunables 120 60 8 : slabdata 1 1 0
+khugepaged_mm_slot 83 92 40 92 1 : tunables 120 60 8 : slabdata 1 1 0
+ksm_mm_slot 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
+ksm_stable_node 0 0 40 92 1 : tunables 120 60 8 : slabdata 0 0 0
+ksm_rmap_item 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
+utrace_engine 0 0 56 67 1 : tunables 120 60 8 : slabdata 0 0 0
+utrace 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
+pid_namespace 0 0 2120 3 2 : tunables 24 12 8 : slabdata 0 0 0
+nsproxy 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
+posix_timers_cache 0 0 176 22 1 : tunables 120 60 8 : slabdata 0 0 0
+uid_cache 10 60 128 30 1 : tunables 120 60 8 : slabdata 2 2 0
+UNIX 459 480 768 5 1 : tunables 54 27 8 : slabdata 96 96 0
+ip_mrt_cache 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
+UDP-Lite 0 0 832 9 2 : tunables 54 27 8 : slabdata 0 0 0
+tcp_bind_bucket 15 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0
+inet_peer_cache 4 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0
+secpath_cache 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
+xfrm_dst_cache 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0
+ip_fib_alias 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
+ip_fib_hash 10 106 72 53 1 : tunables 120 60 8 : slabdata 2 2 0
+ip_dst_cache 29 50 384 10 1 : tunables 54 27 8 : slabdata 5 5 0
+arp_cache 4 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
+RAW 65 72 832 9 2 : tunables 54 27 8 : slabdata 8 8 0
+UDP 6 18 832 9 2 : tunables 54 27 8 : slabdata 2 2 0
+tw_sock_TCP 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
+request_sock_TCP 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
+TCP 20 24 1664 4 2 : tunables 24 12 8 : slabdata 6 6 0
+eventpoll_pwq 126 212 72 53 1 : tunables 120 60 8 : slabdata 4 4 0
+eventpoll_epi 126 180 128 30 1 : tunables 120 60 8 : slabdata 6 6 0
+sgpool-128 2 2 4096 1 1 : tunables 24 12 8 : slabdata 2 2 0
+sgpool-64 2 2 2048 2 1 : tunables 24 12 8 : slabdata 1 1 0
+sgpool-32 2 4 1024 4 1 : tunables 54 27 8 : slabdata 1 1 0
+sgpool-16 2 8 512 8 1 : tunables 54 27 8 : slabdata 1 1 0
+sgpool-8 15 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
+scsi_data_buffer 0 0 24 144 1 : tunables 120 60 8 : slabdata 0 0 0
+blkdev_integrity 0 0 112 34 1 : tunables 120 60 8 : slabdata 0 0 0
+blkdev_queue 29 30 2856 2 2 : tunables 24 12 8 : slabdata 15 15 0
+blkdev_requests 42 66 352 11 1 : tunables 54 27 8 : slabdata 5 6 0
+blkdev_ioc 5 48 80 48 1 : tunables 120 60 8 : slabdata 1 1 0
+fsnotify_event_holder 0 0 24 144 1 : tunables 120 60 8 : slabdata 0 0 0
+fsnotify_event 0 0 104 37 1 : tunables 120 60 8 : slabdata 0 0 0
+bio-0 180 180 192 20 1 : tunables 120 60 8 : slabdata 9 9 0
+biovec-256 66 66 4096 1 1 : tunables 24 12 8 : slabdata 66 66 0
+biovec-128 0 0 2048 2 1 : tunables 24 12 8 : slabdata 0 0 0
+biovec-64 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
+biovec-16 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
+bip-256 2 2 4224 1 2 : tunables 8 4 0 : slabdata 2 2 0
+bip-128 0 0 2176 3 2 : tunables 24 12 8 : slabdata 0 0 0
+bip-64 0 0 1152 7 2 : tunables 24 12 8 : slabdata 0 0 0
+bip-16 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0
+bip-4 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
+bip-1 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
+sock_inode_cache 667 685 704 5 1 : tunables 54 27 8 : slabdata 137 137 0
+skbuff_fclone_cache 35 35 512 7 1 : tunables 54 27 8 : slabdata 5 5 0
+skbuff_head_cache 302 450 256 15 1 : tunables 120 60 8 : slabdata 30 30 0
+file_lock_cache 38 44 176 22 1 : tunables 120 60 8 : slabdata 2 2 0
+net_namespace 0 0 2112 3 2 : tunables 24 12 8 : slabdata 0 0 0
+shmem_inode_cache 774 775 800 5 1 : tunables 54 27 8 : slabdata 155 155 0
+Acpi-Operand 4563 4664 72 53 1 : tunables 120 60 8 : slabdata 88 88 0
+Acpi-ParseExt 0 0 72 53 1 : tunables 120 60 8 : slabdata 0 0 0
+Acpi-Parse 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
+Acpi-State 0 0 80 48 1 : tunables 120 60 8 : slabdata 0 0 0
+Acpi-Namespace 3311 3312 40 92 1 : tunables 120 60 8 : slabdata 36 36 0
+task_delay_info 332 340 112 34 1 : tunables 120 60 8 : slabdata 10 10 0
+taskstats 5 12 328 12 1 : tunables 54 27 8 : slabdata 1 1 0
+proc_inode_cache 1008 1008 640 6 1 : tunables 54 27 8 : slabdata 168 168 0
+sigqueue 35 48 160 24 1 : tunables 120 60 8 : slabdata 2 2 0
+bdev_cache 32 36 832 4 1 : tunables 54 27 8 : slabdata 9 9 0
+sysfs_dir_cache 11356 11367 144 27 1 : tunables 120 60 8 : slabdata 421 421 0
+mnt_cache 37 45 256 15 1 : tunables 120 60 8 : slabdata 3 3 0
+filp 4614 4700 192 20 1 : tunables 120 60 8 : slabdata 235 235 0
+inode_cache 6883 7308 592 6 1 : tunables 54 27 8 : slabdata 1218 1218 0
+dentry 61120 63960 192 20 1 : tunables 120 60 8 : slabdata 3198 3198 0
+names_cache 26 26 4096 1 1 : tunables 24 12 8 : slabdata 26 26 0
+avc_node 518 1239 64 59 1 : tunables 120 60 8 : slabdata 21 21 0
+selinux_inode_security 84146 86072 72 53 1 : tunables 120 60 8 : slabdata 1624 1624 0
+radix_tree_node 11579 11781 560 7 1 : tunables 54 27 8 : slabdata 1683 1683 0
+key_jar 11 20 192 20 1 : tunables 120 60 8 : slabdata 1 1 0
+buffer_head 221286 230214 104 37 1 : tunables 120 60 8 : slabdata 6222 6222 0
+vm_area_struct 12992 13034 200 19 1 : tunables 120 60 8 : slabdata 686 686 60
+mm_struct 145 145 1408 5 2 : tunables 24 12 8 : slabdata 29 29 0
+fs_cache 177 177 64 59 1 : tunables 120 60 8 : slabdata 3 3 0
+files_cache 162 165 704 11 2 : tunables 54 27 8 : slabdata 15 15 0
+signal_cache 208 208 1024 4 1 : tunables 54 27 8 : slabdata 52 52 0
+sighand_cache 198 198 2112 3 2 : tunables 24 12 8 : slabdata 66 66 0
+task_xstate 232 232 512 8 1 : tunables 54 27 8 : slabdata 29 29 0
+task_struct 303 303 2656 3 2 : tunables 24 12 8 : slabdata 101 101 0
+cred_jar 580 580 192 20 1 : tunables 120 60 8 : slabdata 29 29 0
+anon_vma_chain 7904 8162 48 77 1 : tunables 120 60 8 : slabdata 106 106 60
+anon_vma 5773 5888 40 92 1 : tunables 120 60 8 : slabdata 64 64 0
+pid 322 330 128 30 1 : tunables 120 60 8 : slabdata 11 11 0
+shared_policy_node 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
+numa_policy 1 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0
+idr_layer_cache 428 434 544 7 1 : tunables 54 27 8 : slabdata 62 62 0
+size-4194304(DMA) 0 0 4194304 1 1024 : tunables 1 1 0 : slabdata 0 0 0
+size-4194304 0 0 4194304 1 1024 : tunables 1 1 0 : slabdata 0 0 0
+size-2097152(DMA) 0 0 2097152 1 512 : tunables 1 1 0 : slabdata 0 0 0
+size-2097152 0 0 2097152 1 512 : tunables 1 1 0 : slabdata 0 0 0
+size-1048576(DMA) 0 0 1048576 1 256 : tunables 1 1 0 : slabdata 0 0 0
+size-1048576 0 0 1048576 1 256 : tunables 1 1 0 : slabdata 0 0 0
+size-524288(DMA) 0 0 524288 1 128 : tunables 1 1 0 : slabdata 0 0 0
+size-524288 0 0 524288 1 128 : tunables 1 1 0 : slabdata 0 0 0
+size-262144(DMA) 0 0 262144 1 64 : tunables 1 1 0 : slabdata 0 0 0
+size-262144 0 0 262144 1 64 : tunables 1 1 0 : slabdata 0 0 0
+size-131072(DMA) 0 0 131072 1 32 : tunables 8 4 0 : slabdata 0 0 0
+size-131072 1 1 131072 1 32 : tunables 8 4 0 : slabdata 1 1 0
+size-65536(DMA) 0 0 65536 1 16 : tunables 8 4 0 : slabdata 0 0 0
+size-65536 2 2 65536 1 16 : tunables 8 4 0 : slabdata 2 2 0
+size-32768(DMA) 0 0 32768 1 8 : tunables 8 4 0 : slabdata 0 0 0
+size-32768 3 3 32768 1 8 : tunables 8 4 0 : slabdata 3 3 0
+size-16384(DMA) 0 0 16384 1 4 : tunables 8 4 0 : slabdata 0 0 0
+size-16384 12 12 16384 1 4 : tunables 8 4 0 : slabdata 12 12 0
+size-8192(DMA) 0 0 8192 1 2 : tunables 8 4 0 : slabdata 0 0 0
+size-8192 27 27 8192 1 2 : tunables 8 4 0 : slabdata 27 27 0
+size-4096(DMA) 0 0 4096 1 1 : tunables 24 12 8 : slabdata 0 0 0
+size-4096 425 425 4096 1 1 : tunables 24 12 8 : slabdata 425 425 0
+size-2048(DMA) 0 0 2048 2 1 : tunables 24 12 8 : slabdata 0 0 0
+size-2048 578 578 2048 2 1 : tunables 24 12 8 : slabdata 289 289 0
+size-1024(DMA) 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
+size-1024 1332 1332 1024 4 1 : tunables 54 27 8 : slabdata 333 333 0
+size-512(DMA) 0 0 512 8 1 : tunables 54 27 8 : slabdata 0 0 0
+size-512 1123 1176 512 8 1 : tunables 54 27 8 : slabdata 147 147 0
+size-256(DMA) 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
+size-256 930 930 256 15 1 : tunables 120 60 8 : slabdata 62 62 0
+size-192(DMA) 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
+size-192 2119 2160 192 20 1 : tunables 120 60 8 : slabdata 108 108 0
+size-128(DMA) 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
+size-64(DMA) 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
+size-64 33063 40887 64 59 1 : tunables 120 60 8 : slabdata 693 693 60
+size-32(DMA) 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
+size-128 3921 4800 128 30 1 : tunables 120 60 8 : slabdata 160 160 0
+size-32 332419 332976 32 112 1 : tunables 120 60 8 : slabdata 2973 2973 60
+kmem_cache 191 191 32896 1 16 : tunables 8 4 0 : slabdata 191 191 0
+Inter-| Receive | Transmit
+ face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
+ lo:267102759 105357 0 0 0 0 0 0 267102759 105357 0 0 0 0 0 0
+ eth0:1013758516 1354506 0 0 0 0 0 0 245531629 966810 0 0 0 0 0 0
+ pan0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
diff --git a/test/aux-fixed/exim-ca/example.org/CA/pwdfile b/test/aux-fixed/exim-ca/example.org/CA/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.org/CA/secmod.db b/test/aux-fixed/exim-ca/example.org/CA/secmod.db
new file mode 100644
index 0000000..c7f115b
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/CA/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/expired1.example.org/ca_chain.pem
new file mode 100644
index 0000000..45c5c63
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+ friendlyName: Signing Cert
+subject=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: Certificate Authority
+subject=/O=example.org/CN=clica CA
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
+x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
+LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: expired1.example.org
+ localKeyID: 0B 77 EA 83 E1 31 8B 71 88 DB 88 4E DE 08 91 19 A5 4A 4D A6
+subject=/CN=expired1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwM1oXDTEyMTIwMTEyMzQwM1owHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
+ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA4TTv655lwyf5lL4RkuLHqPdg
+mXI36dkjEL/864WoszwLRYYfnlOj4hmKfjq9VoslfDRnOoZSm0NebJJ9Y/ea2wID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
+bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EABG4yReI+VPyFc3kEejJr31rOi3BpgEfP
+FsN+9WoTa0B+VW125F47/FySYat+M6KBSW8fe6HFexU6FXQF+mCNvQ==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/expired1.example.org/cert8.db
new file mode 100644
index 0000000..133a82f
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.chain.pem
new file mode 100644
index 0000000..d4f9ee3
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+ friendlyName: expired1.example.org
+ localKeyID: 0B 77 EA 83 E1 31 8B 71 88 DB 88 4E DE 08 91 19 A5 4A 4D A6
+subject=/CN=expired1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwM1oXDTEyMTIwMTEyMzQwM1owHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
+ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA4TTv655lwyf5lL4RkuLHqPdg
+mXI36dkjEL/864WoszwLRYYfnlOj4hmKfjq9VoslfDRnOoZSm0NebJJ9Y/ea2wID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
+bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EABG4yReI+VPyFc3kEejJr31rOi3BpgEfP
+FsN+9WoTa0B+VW125F47/FySYat+M6KBSW8fe6HFexU6FXQF+mCNvQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.key b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.key
new file mode 100644
index 0000000..fab9097
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.key
@@ -0,0 +1,15 @@
+Bag Attributes
+ friendlyName: expired1.example.org
+ localKeyID: 0B 77 EA 83 E1 31 8B 71 88 DB 88 4E DE 08 91 19 A5 4A 4D A6
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIL+kummor3pQCAggA
+MBQGCCqGSIb3DQMHBAhpvl78t5As+QSCAWBlOt1XpYY+o5G0MSANfiL7BfKlwwYh
+MDpKzsNWfwxrNZNmeT293TKVlXEav4FsEnbU0yVJ0HSLC1peXM32mjdezDdMQAwq
+QPrIRj5r5m4mTTWhUPnDUrzdwrYbD4flg0H6eO7gX1w2gJw8E/LS8nhAy6ZOfEvL
+jlghGljcALDPVDvNEAtcx+Wd4p71vp6wm/3kl3SAl7WXO1HcKwYYIEEL9DFZ/P4n
+kqlgCu3pcgKbH9HHjImOkYRWP2Poy3OLJ7h+i/rIEaxiaJFt/1zTm+DxkkM6nbwR
+2C0VnX6/gSbpz58xBlJUMiZqvh9ciFhuLCYeiJx+HnKKzTEIfnSyKV7Y7GSzqkUE
+kKPVa6NTXq0nlH1fuecTGv3iUE4AXWJPmGNYS0caR8oTFd5pFlOQGazRjLDxTIb/
+N6zXiTCpQt4MWHi71a/GnfUrv0e/Bl24ARJnVWcP4brT8jA/oiPeQGEq
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.dated.resp
new file mode 100644
index 0000000..0825ec7
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.good.resp
new file mode 100644
index 0000000..e786da6
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.req
new file mode 100644
index 0000000..75ffacf
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.revoked.resp
new file mode 100644
index 0000000..f8709f4
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.p12 b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.p12
new file mode 100644
index 0000000..f7ef5e6
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.pem b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.pem
new file mode 100644
index 0000000..13da50b
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+ friendlyName: expired1.example.org
+ localKeyID: 0B 77 EA 83 E1 31 8B 71 88 DB 88 4E DE 08 91 19 A5 4A 4D A6
+subject=/CN=expired1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwM1oXDTEyMTIwMTEyMzQwM1owHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
+ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA4TTv655lwyf5lL4RkuLHqPdg
+mXI36dkjEL/864WoszwLRYYfnlOj4hmKfjq9VoslfDRnOoZSm0NebJJ9Y/ea2wID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
+bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EABG4yReI+VPyFc3kEejJr31rOi3BpgEfP
+FsN+9WoTa0B+VW125F47/FySYat+M6KBSW8fe6HFexU6FXQF+mCNvQ==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.unlocked.key
new file mode 100644
index 0000000..132d2da
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAOE07+ueZcMn+ZS+EZLix6j3YJlyN+nZIxC//OuFqLM8C0WGH55T
+o+IZin46vVaLJXw0ZzqGUptDXmySfWP3mtsCAwEAAQJAbjXB08TIeCDv+uKpJwDk
+RMQK+gzzX/VrO5843umiDVPBs3FoDJJMMI1YIxiqmj61BNvh6YdTeYMbgsqdvUT/
+AQIhAP2hXPtUNCfSMbDZujRe7weCDynq2SdT9v5GwCABKNRLAiEA40+XExCBf3zV
+Eibj6fEWBlJjQPjCEvFLkbeOi44UmbECIF8u9qkvkZ88J//ZxiKvWf80VSKDC1nS
+DgihXqrkJIF/AiAhsUBhUQcA0I38fMs3d8ad9URE8xpBGIbs+FomkU64YQIhALds
+zCAiNfSE9O4vQvnSlbPdKT5KSbux/uGuPIhK+RA0
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/expired1.example.org/key3.db
new file mode 100644
index 0000000..4122a84
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/pwdfile b/test/aux-fixed/exim-ca/example.org/expired1.example.org/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/secmod.db b/test/aux-fixed/exim-ca/example.org/expired1.example.org/secmod.db
new file mode 100644
index 0000000..fb95521
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/expired2.example.org/ca_chain.pem
new file mode 100644
index 0000000..1ca5e28
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+ friendlyName: Signing Cert
+subject=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: Certificate Authority
+subject=/O=example.org/CN=clica CA
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
+x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
+LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: expired2.example.org
+ localKeyID: C5 6F 48 06 54 0E B3 BB 1A BF 6D F3 86 B8 E6 D7 37 A4 65 F3
+subject=/CN=expired2.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDNaFw0xMjEyMDExMjM0MDNaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
+bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAK1KoNb3Cu3dTkQQssg1cXUb
+0Oo/o0v/BCm5A9JjE8eL0K694hJrk2pSmI+nF1ujtC+0Ilylzd2JyXvyu6jZqRUC
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
+cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAATDk4AOeRU7z4FPpjK6J2BvKeStcuon
+xoli6qipNnf95JXgo4ZOktbGD5eankcp4QRFEUMQ79DJuTCkOl/Zgs4=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/expired2.example.org/cert8.db
new file mode 100644
index 0000000..24ee82e
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.chain.pem
new file mode 100644
index 0000000..3bbfb4c
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+ friendlyName: expired2.example.org
+ localKeyID: C5 6F 48 06 54 0E B3 BB 1A BF 6D F3 86 B8 E6 D7 37 A4 65 F3
+subject=/CN=expired2.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDNaFw0xMjEyMDExMjM0MDNaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
+bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAK1KoNb3Cu3dTkQQssg1cXUb
+0Oo/o0v/BCm5A9JjE8eL0K694hJrk2pSmI+nF1ujtC+0Ilylzd2JyXvyu6jZqRUC
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
+cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAATDk4AOeRU7z4FPpjK6J2BvKeStcuon
+xoli6qipNnf95JXgo4ZOktbGD5eankcp4QRFEUMQ79DJuTCkOl/Zgs4=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.key b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.key
new file mode 100644
index 0000000..6bbf07e
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.key
@@ -0,0 +1,15 @@
+Bag Attributes
+ friendlyName: expired2.example.org
+ localKeyID: C5 6F 48 06 54 0E B3 BB 1A BF 6D F3 86 B8 E6 D7 37 A4 65 F3
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIqYRYZdwd4cwCAggA
+MBQGCCqGSIb3DQMHBAguS/XNjyFFMASCAWBxEYbvvuvMpVOunc6orT3lMpGxNbCV
+kNeLvBHH2LkW1lQfLoo0zgqzyvjF7hTbeNm9NS8dL3ZzMG7Xb3hiR22ypuP7gdaA
+NFxt7XfO7pCLsFScmOthYseIBvuxAGN8Qze2KDrXTVnOyrgPGk2q6XTIblUnGekt
+MuxJAJIIGW0le9Ci23Z+156zv7BAPWiAR7qL4Lm6V3T4ppfSeGkpBhGVpCmdjnT1
+IhR4rcrLjvqE+QhqEY/gA4chFcnkZsmcLNjMAMgHXdsGgpkrv8WrbS4nTsNY71p5
+d+qA6Z6ORVyUOrxzr34NpAM9tpsvHniMEvlJAq5DMz64qnG/iZymTKH8tOhgvD9d
+a7pENj+x1Eo+qb/2g6zut4+O5WnkWfXQXtuh+rnUOB09IteV33o8OYOlLR0eQxqJ
+BOLi5FgNVfoSJuCZrR9oqufOb4ue7x7lmOw0r3EQYUp0weYLvDyh0ih+
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.dated.resp
new file mode 100644
index 0000000..44f9d00
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.good.resp
new file mode 100644
index 0000000..0760bb3
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.req
new file mode 100644
index 0000000..96cb53d
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.revoked.resp
new file mode 100644
index 0000000..0760bb3
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.p12 b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.p12
new file mode 100644
index 0000000..5bd498b
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.pem b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.pem
new file mode 100644
index 0000000..a2cdafe
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+ friendlyName: expired2.example.org
+ localKeyID: C5 6F 48 06 54 0E B3 BB 1A BF 6D F3 86 B8 E6 D7 37 A4 65 F3
+subject=/CN=expired2.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDNaFw0xMjEyMDExMjM0MDNaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
+bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAK1KoNb3Cu3dTkQQssg1cXUb
+0Oo/o0v/BCm5A9JjE8eL0K694hJrk2pSmI+nF1ujtC+0Ilylzd2JyXvyu6jZqRUC
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
+cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAATDk4AOeRU7z4FPpjK6J2BvKeStcuon
+xoli6qipNnf95JXgo4ZOktbGD5eankcp4QRFEUMQ79DJuTCkOl/Zgs4=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.unlocked.key
new file mode 100644
index 0000000..873f59f
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBPAIBAAJBAK1KoNb3Cu3dTkQQssg1cXUb0Oo/o0v/BCm5A9JjE8eL0K694hJr
+k2pSmI+nF1ujtC+0Ilylzd2JyXvyu6jZqRUCAwEAAQJBAIKMYjcPzW/89OVaHxWt
+DVhIKE8Quhiaeaxk8Xgho9kDQXb9VUnY9uY+hQFL8jAlmr1xyqPL1ztA8Rx7b7DH
+toECIQDifcfwxsjaF2XMdkDdEtmoYlEow5sRoGzgNz29EQtUiQIhAMPedhNwRb2J
+0Vc6OgL4DCwu4oyjxcyGU3TywinwhCUtAiAnnYaGR87DzsngfGKWCIEHocK+VZBf
+AedpRGBJHJ0VuQIhALHy6Ylthh7WGBfMcaoC22RE0FR/8hOHskjcyGQ7/IKdAiEA
+lLVprJ0QmF5Z1+6RbIOcWwRWNOHEqAz4xY6HR65E2HE=
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/expired2.example.org/key3.db
new file mode 100644
index 0000000..22278dd
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/pwdfile b/test/aux-fixed/exim-ca/example.org/expired2.example.org/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/secmod.db b/test/aux-fixed/exim-ca/example.org/expired2.example.org/secmod.db
new file mode 100644
index 0000000..7201c72
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/ca_chain.pem
new file mode 100644
index 0000000..6e46899
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+ friendlyName: Signing Cert
+subject=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: Certificate Authority
+subject=/O=example.org/CN=clica CA
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
+x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
+LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: revoked1.example.org
+ localKeyID: CB 4F CF EE 43 43 65 BB 23 74 E0 40 65 36 FE 99 31 DF AB A8
+subject=/CN=revoked1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMloXDTM4MDEwMTEyMzQwMlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
+ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtH5k2k62LbnSi/B5Bgxk+zMn
+GiOYjeojLffbE73oSIws/sAwigOroZRxeDCK1Bvqlt3CsRlh1j7qGHTdf3JPEQID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
+bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EAh2MZRLrAaQlspQCSvzB8GauDjhyc1ZMz
+/YeE550dEXzC3YtnTK6PKmDfm0xw/eVcSnwlsYUdLFzB5xBGbkxQbg==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/cert8.db
new file mode 100644
index 0000000..276490b
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/key3.db
new file mode 100644
index 0000000..d0a1a89
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/pwdfile b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.chain.pem
new file mode 100644
index 0000000..44a69f4
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+ friendlyName: revoked1.example.org
+ localKeyID: CB 4F CF EE 43 43 65 BB 23 74 E0 40 65 36 FE 99 31 DF AB A8
+subject=/CN=revoked1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMloXDTM4MDEwMTEyMzQwMlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
+ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtH5k2k62LbnSi/B5Bgxk+zMn
+GiOYjeojLffbE73oSIws/sAwigOroZRxeDCK1Bvqlt3CsRlh1j7qGHTdf3JPEQID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
+bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EAh2MZRLrAaQlspQCSvzB8GauDjhyc1ZMz
+/YeE550dEXzC3YtnTK6PKmDfm0xw/eVcSnwlsYUdLFzB5xBGbkxQbg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.key b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.key
new file mode 100644
index 0000000..cd759c4
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.key
@@ -0,0 +1,15 @@
+Bag Attributes
+ friendlyName: revoked1.example.org
+ localKeyID: CB 4F CF EE 43 43 65 BB 23 74 E0 40 65 36 FE 99 31 DF AB A8
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIYvHqW0ndOlQCAggA
+MBQGCCqGSIb3DQMHBAgXAj3LlhSYaQSCAVhHtecAjwqd7AvQnGWaErxhdo/AMfio
+SWCovkatfN0ExC0Q43QX2P7HKcP6ysQDg+oLHWiIP+2N6lOkQLBxF4KCAfEa9hcR
+GJhbBDLiL5mNgfxdPzM+NUfxGainUfwiGFM5ZZg4vZgvP8hMoVeCRJ+sBP4rHzyw
+0AdAMzAeJym8MVONUMadr/D7ReMGgxQdGGl/GrrmwOAeJNCh8KJVfI7hQZE0Ell7
+XWWZPl1VafuzErUz0Lm4NdbstlfpVE/ZWWuXCxGgJ5cPyMu5oloHPpPm+x0oR4Ik
+NxPkXZ74OZtc58nTgh+SEVe/myWTujMdj9jCxfJknyAlMwZCv/wu/EwcRFopvo16
+zLCsb2x4+sW5Uhduv0mQYEIPBjl+9Eg5eHrX6z+E/AhikE3C7OmQ7MM/8PLPqoUo
+xoXYK2O5seWWA5IjCbm7I9mMQpmZi847H9WpHLEaoh8gew==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.dated.resp
new file mode 100644
index 0000000..5a12466
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.good.resp
new file mode 100644
index 0000000..30c30f6
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.req
new file mode 100644
index 0000000..90263fd
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.revoked.resp
new file mode 100644
index 0000000..6273c03
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.p12 b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.p12
new file mode 100644
index 0000000..c4392fc
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.pem b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.pem
new file mode 100644
index 0000000..70bea88
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+ friendlyName: revoked1.example.org
+ localKeyID: CB 4F CF EE 43 43 65 BB 23 74 E0 40 65 36 FE 99 31 DF AB A8
+subject=/CN=revoked1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMloXDTM4MDEwMTEyMzQwMlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
+ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtH5k2k62LbnSi/B5Bgxk+zMn
+GiOYjeojLffbE73oSIws/sAwigOroZRxeDCK1Bvqlt3CsRlh1j7qGHTdf3JPEQID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
+bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EAh2MZRLrAaQlspQCSvzB8GauDjhyc1ZMz
+/YeE550dEXzC3YtnTK6PKmDfm0xw/eVcSnwlsYUdLFzB5xBGbkxQbg==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.unlocked.key
new file mode 100644
index 0000000..47e917b
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOQIBAAJBALR+ZNpOti250ovweQYMZPszJxojmI3qIy332xO96EiMLP7AMIoD
+q6GUcXgwitQb6pbdwrEZYdY+6hh03X9yTxECAwEAAQJADLoAyHfWVqEMnHtnPSrw
+j9nKfwhVgGQq+NnKI7k3QK4rQX1Z+wfSw0rxpE5sFqDUVheeFY/IMolXD32zJwUM
+pQIhAOEb6HbVqVqYr5lgN7CoRSVRXJEm1PvxmI6RKewtAPGTAiEAzUMl+oAfRboT
+tywwc4N8MdvAAapLnP9u7NmhG7fP80sCIHkXgCdcrCs180/4ODzpZ7i5WagjUXLt
+9XjLkdegJd/NAiAweI7bXK4F1S8arkCyxnXpgC8TNZetd1RGcg3tcbaViQIgIDmb
+d9wZOnDeMg3BlC5X+zfOyiGk3+/Jnp7Msya+nfc=
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/secmod.db b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/secmod.db
new file mode 100644
index 0000000..7621830
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/ca_chain.pem
new file mode 100644
index 0000000..d36ac20
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+ friendlyName: Signing Cert
+subject=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: Certificate Authority
+subject=/O=example.org/CN=clica CA
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
+x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
+LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: revoked2.example.org
+ localKeyID: B9 99 5C A3 65 F8 67 93 A4 96 45 B2 7C B6 64 28 CB 71 1D 6C
+subject=/CN=revoked2.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDNaFw0zODAxMDExMjM0MDNaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
+bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLUlL/Fx0qhl0rhRZ3HTr+d
+wbKi0cDyZa97S5EDr3Dq1qurHmEs92C6P27df1r6ltVT7O1xH1+s40hTL5yzQ3sC
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
+cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAC0aZSfdH/PlvY+jfQnVAkmmYyawPdSu
+Osv4lwZYhBo2FSJdlufbwo3ElD4JK/BIHHTGiphM9++hpGLWaAcvT4k=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/cert8.db
new file mode 100644
index 0000000..e1c3dae
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/key3.db
new file mode 100644
index 0000000..52cfbc2
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/pwdfile b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.chain.pem
new file mode 100644
index 0000000..7bc3981
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+ friendlyName: revoked2.example.org
+ localKeyID: B9 99 5C A3 65 F8 67 93 A4 96 45 B2 7C B6 64 28 CB 71 1D 6C
+subject=/CN=revoked2.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDNaFw0zODAxMDExMjM0MDNaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
+bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLUlL/Fx0qhl0rhRZ3HTr+d
+wbKi0cDyZa97S5EDr3Dq1qurHmEs92C6P27df1r6ltVT7O1xH1+s40hTL5yzQ3sC
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
+cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAC0aZSfdH/PlvY+jfQnVAkmmYyawPdSu
+Osv4lwZYhBo2FSJdlufbwo3ElD4JK/BIHHTGiphM9++hpGLWaAcvT4k=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.key b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.key
new file mode 100644
index 0000000..3c2d612
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.key
@@ -0,0 +1,15 @@
+Bag Attributes
+ friendlyName: revoked2.example.org
+ localKeyID: B9 99 5C A3 65 F8 67 93 A4 96 45 B2 7C B6 64 28 CB 71 1D 6C
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIatK6XJ1l+7MCAggA
+MBQGCCqGSIb3DQMHBAjUZXz3pKENmgSCAWDbQs9Kd21OIstOoQdgYviX33loF2bH
+wpn0IP4P/2dFUmK07M146AEwPgXTI/mCewMgJ/cRQqnFAyoE1hjbZnk3WRi2SRXs
+dmIWAveseDuDsL7og72bHSvHIqsvcYs9SS8KBPCH6wY14a40QO1X26t7S8ZLTspu
+4V/YSNNiug6n8Z3N1Y2tuWPC8CQ9bBtL2jcqZT0WBJ8BXtn69jmVSWNm1DBaByET
+M4dqHGC//hFk1jnKBXaJ/VvBS5E6lOANwfUAr0gQT08NaJ7qJ6WUhpca7Rtky/KQ
+/passZZKeu7/R8VyQLvfk+vH2wW+5EX8+WtutWQJycW57+pnoXORrvIz3lc6B/6+
+Q91EJzABv5n93nynoZgEEr4vKiCCmLGYYJEciqQTERzCDNw3P73R+sd9PiTrku9g
+pKp12ieWWHZjeHcAMUZl8xWSytVT1fkeSPXcA43KoW93s78DegMh/HTr
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.dated.resp
new file mode 100644
index 0000000..00a0d1c
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.good.resp
new file mode 100644
index 0000000..3e2585a
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.req
new file mode 100644
index 0000000..0348f98
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.revoked.resp
new file mode 100644
index 0000000..3e2585a
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.p12 b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.p12
new file mode 100644
index 0000000..f71eda5
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.pem b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.pem
new file mode 100644
index 0000000..9e24c7c
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+ friendlyName: revoked2.example.org
+ localKeyID: B9 99 5C A3 65 F8 67 93 A4 96 45 B2 7C B6 64 28 CB 71 1D 6C
+subject=/CN=revoked2.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDNaFw0zODAxMDExMjM0MDNaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
+bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLUlL/Fx0qhl0rhRZ3HTr+d
+wbKi0cDyZa97S5EDr3Dq1qurHmEs92C6P27df1r6ltVT7O1xH1+s40hTL5yzQ3sC
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
+cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAC0aZSfdH/PlvY+jfQnVAkmmYyawPdSu
+Osv4lwZYhBo2FSJdlufbwo3ElD4JK/BIHHTGiphM9++hpGLWaAcvT4k=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.unlocked.key
new file mode 100644
index 0000000..c6895f7
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOwIBAAJBANLUlL/Fx0qhl0rhRZ3HTr+dwbKi0cDyZa97S5EDr3Dq1qurHmEs
+92C6P27df1r6ltVT7O1xH1+s40hTL5yzQ3sCAwEAAQJBALGnYBCY3+4LbCk02iyx
+nbHphSa5/HXRy82q32o66MMEGIfyMaluRfMoQHS9n3yieOn2i41s7+4w52ormZEx
+hEECIQDpSgUGrakvx2mqhAxIkfYTJgS3bMUINlRveYpYNvL65QIhAOda2XxChB3H
+TxTgJURPl1i4LOEm9ecMHlBNhzhadn7fAiEA0pp8BxdnkTaY8dLbs/fxCkBcKasM
+BOnnN+ulNRYGLPECIDrXJFEyKZ/ZPQe2KkRBaeCqlt98pTXqIxuRXD684z5JAiBi
+aAtGEXlUtwnseKyflSrEh0bAwnOsEEA7qEUCl/ExPw==
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/secmod.db b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/secmod.db
new file mode 100644
index 0000000..f7a91aa
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/server1.example.org/ca_chain.pem
new file mode 100644
index 0000000..6cdbee1
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+ friendlyName: Signing Cert
+subject=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: Certificate Authority
+subject=/O=example.org/CN=clica CA
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
+x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
+LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: server1.example.org
+ localKeyID: 5E 7F 83 85 31 F1 CA DC 88 07 2C 58 95 FA 36 16 65 F6 BB 8D
+subject=/CN=server1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMloXDTM4MDEwMTEyMzQwMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+Lm9yZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDFIpfEcK4d3IEq3F7B6AIpepZk
+mKln9pcCm0RbAxm77YlhHucDzyVu9rmW7XSW/c4Dv3clwzHLpaoF2KURKLZ7AgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+b3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLm9yZy8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+Lm9yZzANBgkqhkiG9w0BAQUFAANBACfk1MYCSbT2gbaT1Dv9FrMEybkFZtxUfz69
+Gnx/55Wfw936z2en+RImD3qF1qQxUwIMlWGm6SaitfmlQ5qVJ1A=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/server1.example.org/cert8.db
new file mode 100644
index 0000000..c9c908a
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server1.example.org/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/server1.example.org/key3.db
new file mode 100644
index 0000000..db816ef
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server1.example.org/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/pwdfile b/test/aux-fixed/exim-ca/example.org/server1.example.org/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/secmod.db b/test/aux-fixed/exim-ca/example.org/server1.example.org/secmod.db
new file mode 100644
index 0000000..ac46b48
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server1.example.org/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.chain.pem
new file mode 100644
index 0000000..da43040
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+ friendlyName: server1.example.org
+ localKeyID: 5E 7F 83 85 31 F1 CA DC 88 07 2C 58 95 FA 36 16 65 F6 BB 8D
+subject=/CN=server1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMloXDTM4MDEwMTEyMzQwMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+Lm9yZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDFIpfEcK4d3IEq3F7B6AIpepZk
+mKln9pcCm0RbAxm77YlhHucDzyVu9rmW7XSW/c4Dv3clwzHLpaoF2KURKLZ7AgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+b3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLm9yZy8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+Lm9yZzANBgkqhkiG9w0BAQUFAANBACfk1MYCSbT2gbaT1Dv9FrMEybkFZtxUfz69
+Gnx/55Wfw936z2en+RImD3qF1qQxUwIMlWGm6SaitfmlQ5qVJ1A=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.key b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.key
new file mode 100644
index 0000000..6e41e50
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.key
@@ -0,0 +1,15 @@
+Bag Attributes
+ friendlyName: server1.example.org
+ localKeyID: 5E 7F 83 85 31 F1 CA DC 88 07 2C 58 95 FA 36 16 65 F6 BB 8D
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIhfu7ElRn7TUCAggA
+MBQGCCqGSIb3DQMHBAggde7b8jzc2ASCAWCNar4Td+ZM5Elbb16QeDTfzMoKoScb
+jQo/GS7f5h4An9vh/aTaKBoWDQ8gLcvbTUlpGxRznGt9mmOk9AOWsd03rTJ3TUud
++Cm4GfyEslvF8zXSPgJOz4YMiMMNZF3sEGGxs+D6Dav7isMrAIE/Se4Uh3pBY3Fg
+kio9fZfJSWorb3XO6LY9wyg33sz0ZxfhLfhenpeuveQfGuwc9l/DtYuhorqa4xXv
++T5W6HQ7g7nB/GMQF0rkm7BUSqawuLPK7ippBjpNg07iGOYNvQ5GKPahuBTbKyDc
+7LYzGNjZ+mNyL8vDNkwcdnUUqIbYsdMqmEZX+cu2wugXF1GshI9krcDHBXGcZH4G
+sogntcL8qR5KpPfBQCcp9An7TfLJkJtZOH6IYVZVy3/wb+OEou3UNckMe7PF8PWa
+T6/N9/zs49U6RxiYn+Vz/x0hQmRbLvLEsbotT1WStJq8LkcI0Zu9cJab
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.dated.resp
new file mode 100644
index 0000000..43bb173
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.good.resp
new file mode 100644
index 0000000..7521479
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.req
new file mode 100644
index 0000000..6ec207d
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.revoked.resp
new file mode 100644
index 0000000..90cd6fa
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.p12 b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.p12
new file mode 100644
index 0000000..585738e
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.pem b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.pem
new file mode 100644
index 0000000..81679f8
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+ friendlyName: server1.example.org
+ localKeyID: 5E 7F 83 85 31 F1 CA DC 88 07 2C 58 95 FA 36 16 65 F6 BB 8D
+subject=/CN=server1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMloXDTM4MDEwMTEyMzQwMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+Lm9yZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDFIpfEcK4d3IEq3F7B6AIpepZk
+mKln9pcCm0RbAxm77YlhHucDzyVu9rmW7XSW/c4Dv3clwzHLpaoF2KURKLZ7AgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+b3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLm9yZy8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+Lm9yZzANBgkqhkiG9w0BAQUFAANBACfk1MYCSbT2gbaT1Dv9FrMEybkFZtxUfz69
+Gnx/55Wfw936z2en+RImD3qF1qQxUwIMlWGm6SaitfmlQ5qVJ1A=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.unlocked.key
new file mode 100644
index 0000000..1b83abc
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBPQIBAAJBAMUil8Rwrh3cgSrcXsHoAil6lmSYqWf2lwKbRFsDGbvtiWEe5wPP
+JW72uZbtdJb9zgO/dyXDMculqgXYpREotnsCAwEAAQJBAKDzsX4NkduHoV5hNmyT
+BNDg6dGQYyAi0QCrzI+SZHxt8ZYksM//or03aXE7xUUAeFmlSQYc9KfhADAB+mL8
+3YECIQDi4Q5nPCDr99odHTguDlTDi9vEEIiY2N7g8jsGAZH6KwIhAN5wME90eCX/
+oIzlAVqCbq9JuO8Zt3lxvqbasOGT3pzxAiEAwXcifhvDAxUGNF9vQa7Mzzca/vUO
+VjBQ1kcY18VNAqMCIQCxMe/aK67WnldYRcmZP1RLANB4cCUPcoPsyUOkvzXUEQIh
+AJEKAaavDZzn70+xnPw/8QPzHExNxIRtYrxBnc0Kv74r
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/server2.example.org/ca_chain.pem
new file mode 100644
index 0000000..35a92fb
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+ friendlyName: Signing Cert
+subject=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: Certificate Authority
+subject=/O=example.org/CN=clica CA
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
+x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
+LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: server2.example.org
+ localKeyID: 86 3E B2 BF BC 60 4F 3F C4 EA AA FE 97 44 A9 48 6B 4F C1 77
+subject=/CN=server2.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDNaFw0zODAxMDExMjM0MDNaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1bNd+LEj7UV8Riahrn/3TL1n
+NwaIvqkqCFscP5ae3dB5rJ8vdfIc0hOzh782zpXxJxYa7S340zjxfgdUzMAeWQID
+AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5vcmcvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
+ZS5vcmcwDQYJKoZIhvcNAQEFBQADQQBCORy4CO4MMENsEtYwU7xE0Ck5i8VefJ6D
+txODMnRUzsthdbfjgXm3BfVPrhOuT0/bIKfyJtoSdCtN1SRPTJxO
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/server2.example.org/cert8.db
new file mode 100644
index 0000000..2f8358e
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server2.example.org/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/server2.example.org/key3.db
new file mode 100644
index 0000000..df16257
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server2.example.org/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/pwdfile b/test/aux-fixed/exim-ca/example.org/server2.example.org/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/secmod.db b/test/aux-fixed/exim-ca/example.org/server2.example.org/secmod.db
new file mode 100644
index 0000000..92af259
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server2.example.org/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.chain.pem
new file mode 100644
index 0000000..5bcc299
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+ friendlyName: server2.example.org
+ localKeyID: 86 3E B2 BF BC 60 4F 3F C4 EA AA FE 97 44 A9 48 6B 4F C1 77
+subject=/CN=server2.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDNaFw0zODAxMDExMjM0MDNaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1bNd+LEj7UV8Riahrn/3TL1n
+NwaIvqkqCFscP5ae3dB5rJ8vdfIc0hOzh782zpXxJxYa7S340zjxfgdUzMAeWQID
+AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5vcmcvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
+ZS5vcmcwDQYJKoZIhvcNAQEFBQADQQBCORy4CO4MMENsEtYwU7xE0Ck5i8VefJ6D
+txODMnRUzsthdbfjgXm3BfVPrhOuT0/bIKfyJtoSdCtN1SRPTJxO
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.key b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.key
new file mode 100644
index 0000000..6f62ee0
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.key
@@ -0,0 +1,15 @@
+Bag Attributes
+ friendlyName: server2.example.org
+ localKeyID: 86 3E B2 BF BC 60 4F 3F C4 EA AA FE 97 44 A9 48 6B 4F C1 77
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIjfdds7UVEY0CAggA
+MBQGCCqGSIb3DQMHBAiY22+2lkjkEASCAWDm5MmTuUgMOkSWscoH1Qn/GVM2sawP
+TsknGm/HMV+bJlpGLCXwBrAKe6RDC+zlEmGVUSWJoxoPz1qQT9fcooyEFSCS8asN
+omSw+8wrxXTSB57b1OqpHoV8VlTT60/sdVV8l9B1Ef/vsdjKB0NDwqUwDVg4Xw32
+wV3Tv8pFRLg3CBCEDeykcJ+FkodSope9UL6E95Ukhae335bTmWsxbrR4IZCUhI2t
+/MOLyPnd6huPGlti2SH8PRRnei6TM/O8mH1uUzdSAqxoDA6wV+P6pIDI8GY1k61q
+53oeq9ocSJOQ+q3kIyBQlGgApME47hog3sVZ/WsU3r071g9VKhzlFUFPOOkbUR9+
+gl7MDV/r/6IjOAHEaLFBQrnRVKbs93sTtf8pNhIHJLJtTWjDV/nBbiHxsNFIWqGU
+ZlH0FU2DENHZqPiLxsfH1J9EmtTiHXgu/naD0m7RbmPm6ffIDPuYPVMw
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.dated.resp
new file mode 100644
index 0000000..b15606a
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.good.resp
new file mode 100644
index 0000000..8fc3f99
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.req
new file mode 100644
index 0000000..f8731d0
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.revoked.resp
new file mode 100644
index 0000000..8fc3f99
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.p12 b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.p12
new file mode 100644
index 0000000..f2f2fe8
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.pem b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.pem
new file mode 100644
index 0000000..ed55c33
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+ friendlyName: server2.example.org
+ localKeyID: 86 3E B2 BF BC 60 4F 3F C4 EA AA FE 97 44 A9 48 6B 4F C1 77
+subject=/CN=server2.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDNaFw0zODAxMDExMjM0MDNaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1bNd+LEj7UV8Riahrn/3TL1n
+NwaIvqkqCFscP5ae3dB5rJ8vdfIc0hOzh782zpXxJxYa7S340zjxfgdUzMAeWQID
+AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5vcmcvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
+ZS5vcmcwDQYJKoZIhvcNAQEFBQADQQBCORy4CO4MMENsEtYwU7xE0Ck5i8VefJ6D
+txODMnRUzsthdbfjgXm3BfVPrhOuT0/bIKfyJtoSdCtN1SRPTJxO
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.unlocked.key
new file mode 100644
index 0000000..38b2718
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOwIBAAJBANWzXfixI+1FfEYmoa5/90y9ZzcGiL6pKghbHD+Wnt3QeayfL3Xy
+HNITs4e/Ns6V8ScWGu0t+NM48X4HVMzAHlkCAwEAAQJATzDe2+/Y3m5ndR+PvriR
+DhEKFKwJNI4/k0UgHLhWOt/+y02ZfO5zhZaLvYG1BQbGKyhypdAGS8QP19xRVjI9
+uQIhAPs7Ql00hIvZvfRMmgh90otggbrWIrkW8Oh10BMFBdkTAiEA2cG+l36A5NAs
+PlA7sOlQyFs5F4XNXzEy76vPsGR/pGMCIBjo3UGkjWfYZQ8t8S/aWd/b58EArlyv
+u58w3zqjitrlAiEAsJeqlPkGVolsF+zBO6s61AEGv8jG0Ff50twmxgn6abkCIQDJ
+pUSYU/YF7bYj5QuHRyemhzDytTQcAB7A4IEWZsSL9A==
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/genall b/test/aux-fixed/exim-ca/genall
new file mode 100755
index 0000000..63a3618
--- /dev/null
+++ b/test/aux-fixed/exim-ca/genall
@@ -0,0 +1,101 @@
+#!/bin/bash
+#
+
+echo Ensure time is set to 2012/11/01 12:34
+echo use - date -u 110112342012
+echo hit return when ready
+read junk
+for tld in com org net
+do
+ clica -D example.$tld -p password -B 512 -I -N example.$tld -F -C http://crl.example.$tld/latest.crl -O http://oscp/example.$tld/
+ clica -D example.$tld -p password -s 101 -S server1.example.$tld
+ clica -D example.$tld -p password -s 102 -S revoked1.example.$tld
+ clica -D example.$tld -p password -s 103 -S expired1.example.$tld -m 1
+ clica -D example.$tld -p password -s 201 -S server2.example.$tld
+ clica -D example.$tld -p password -s 202 -S revoked2.example.$tld
+ clica -D example.$tld -p password -s 203 -S expired2.example.$tld -m 1
+done
+
+# and loop again
+for tld in com org net
+do
+ CADIR=example.$tld/CA
+ #give ourselves an OSCP key to work with
+ pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer' -d $CADIR -K password -W password
+ openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key
+
+
+ # create some index files for the ocsp responder to work with
+ cat >$CADIR/index.valid.txt <<EOF
+V 130110200751Z 65 unknown CN=server1.example.$tld
+V 130110200751Z 66 unknown CN=revoked1.example.$tld
+V 130110200751Z 67 unknown CN=expired1.example.$tld
+V 130110200751Z c9 unknown CN=server2.example.$tld
+V 130110200751Z ca unknown CN=revoked2.example.$tld
+V 130110200751Z cb unknown CN=expired2.example.$tld
+EOF
+ cat >$CADIR/index.revoked.txt <<EOF
+R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.example.$tld
+R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.example.$tld
+R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.example.$tld
+R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.example.$tld
+R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.example.$tld
+R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.example.$tld
+EOF
+
+ # Now create all the ocsp requests and responses
+ OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
+ for server in server1 revoked1 expired1 server2 revoked2 expired2
+ do
+ SPFX=example.$tld/$server.example.$tld/$server.example.$tld
+ openssl ocsp -issuer $CADIR/Signer.pem -cert $SPFX.pem -reqout $SPFX.ocsp.req
+ openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.good.resp
+ openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 30 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.dated.resp
+ openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.revoked.resp
+ done
+done
+
+# and loop again to generate unlocked keys and client cert bundles
+for tld in com org net
+do
+ for server in server1 revoked1 expired1 server2 revoked2 expired2 do
+ SDIR=example.$tld/$server.example.$tld
+ SPFX=$SDIR/$server.example.$tld
+ openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
+ cat $SPFX.pem example.$tld/CA/Signer.pem >$SPFX.chain.pem
+ done
+done
+
+echo Please to reset date to now.
+echo service ntpdate start
+echo
+echo Then hit return
+read junk
+
+# Create CRL files in .der and .pem
+# empty versions, and ones with the revoked servers
+for tld in com org net
+do
+ CADIR=example.$tld/CA
+ CRLIN=$CADIR/crl.empty.in.txt
+ DATENOW=`date -u +%Y%m%d%H%M%SZ`
+ echo "update=$DATENOW " >$CRLIN
+ crlutil -G -d $CADIR -f $CADIR/pwdfile \
+ -n 'Signing Cert' -c $CRLIN -o $CADIR/crl.empty
+ openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
+done
+sleep 2
+for tld in com org net
+do
+ CADIR=example.$tld/CA
+ CRLIN=$CADIR/crl.v2.in.txt
+ DATENOW=`date -u +%Y%m%d%H%M%SZ`
+ echo "update=$DATENOW " >$CRLIN
+ echo "addcert 102 $DATENOW" >>$CRLIN
+ echo "addcert 202 $DATENOW" >>$CRLIN
+ crlutil -G -d $CADIR -f $CADIR/pwdfile \
+ -n 'Signing Cert' -c $CRLIN -o $CADIR/crl.v2
+ openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
+done
+
+echo "CA, Certificate, CRL and OSCP Response generation complete"
diff --git a/test/aux-fixed/ocsp_file.der b/test/aux-fixed/ocsp_file.der
new file mode 100644
index 0000000..f629d53
Binary files /dev/null and b/test/aux-fixed/ocsp_file.der differ
diff --git a/test/confs/5600 b/test/confs/5600
new file mode 100644
index 0000000..8b26ee7
--- /dev/null
+++ b/test/confs/5600
@@ -0,0 +1,66 @@
+# Exim test configuration 5600
+# OCSP stapling, server
+
+CRL=
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = server1.example.com
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = check_recipient
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
+tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+
+tls_verify_hosts = HOSTIPV4
+tls_try_verify_hosts = *
+tls_verify_certificates = DIR/aux-fixed/cert2
+tls_crl = CRL
+tls_ocsp_file = OCSP
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+ deny message = certificate not verified: peerdn=$tls_peerdn
+ ! verify = certificate
+ accept
+
+
+# ----- Routers -----
+
+begin routers
+
+abc:
+ driver = accept
+ retry_use_local_part
+ transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+ driver = appendfile
+ file = DIR/test-mail/$local_part
+ headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+ user = CALLER
+
+# End
diff --git a/test/confs/5601 b/test/confs/5601
new file mode 100644
index 0000000..5172ff2
--- /dev/null
+++ b/test/confs/5601
@@ -0,0 +1,121 @@
+# Exim test configuration 5601
+# OCSP stapling, client
+
+SERVER =
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = server1.example.com
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = check_recipient
+log_selector = +tls_peerdn
+remote_max_parallel = 1
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server}\
+{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\
+fail\
+}
+
+#{DIR/aux-fixed/exim-ca/example.com/CA/CA.pem}\
+
+tls_privatekey = ${if eq {SERVER}{server}\
+{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\
+fail}
+
+tls_ocsp_file = OCSP
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+ accept domains = +local_domains
+ deny message = relay not permitted
+
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = accept
+ condition = ${if eq {SERVER}{server}{no}{yes}}
+ retry_use_local_part
+ transport = send_to_server${if eq{$local_part}{nostaple}{1} \
+ {${if eq{$local_part}{smtps} {3}{2}}} \
+ }
+
+server:
+ driver = redirect
+ data = :blackhole:
+ #retry_use_local_part
+ #transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+ driver = appendfile
+ file = DIR/test-mail/$local_part
+ headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+ user = CALLER
+
+send_to_server1:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+# note no ocsp here
+
+send_to_server2:
+ driver = smtp
+ allow_localhost
+ hosts = 127.0.0.1
+ port = PORT_D
+ helo_data = helo.data.changed
+ #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+ hosts_require_ocsp = *
+
+send_to_server3:
+ driver = smtp
+ allow_localhost
+ hosts = 127.0.0.1
+ port = PORT_D
+ helo_data = helo.data.changed
+ #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ protocol = smtps
+ hosts_require_tls = *
+ hosts_require_ocsp = *
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,1s
+
+
+# End
diff --git a/test/log/5600 b/test/log/5600
new file mode 100644
index 0000000..869883f
--- /dev/null
+++ b/test/log/5600
@@ -0,0 +1,6 @@
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; responding
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding
diff --git a/test/log/5601 b/test/log/5601
new file mode 100644
index 0000000..40caa0f
--- /dev/null
+++ b/test/log/5601
@@ -0,0 +1,41 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => nostaple@??? R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@??? R=client T=send_to_server2 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbB-0005vi-00 Received TLS status response, null content
+1999-03-02 09:44:33 10HmbB-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbB-0005vi-00 == CALLER@??? R=client T=send_to_server2 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbC-0005vi-00 Server certificate revoked; reason: superseded
+1999-03-02 09:44:33 10HmbC-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbC-0005vi-00 == CALLER@??? R=client T=send_to_server2 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbD-0005vi-00 Server OSCP dates invalid
+1999-03-02 09:44:33 10HmbD-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@??? R=client T=send_to_server2 defer (-37): failure while setting up TLS session
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaX-0005vi-00@???
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <nostaple@???> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@???
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@???> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; not responding
+1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding
+1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding
+1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
diff --git a/test/msglog/2145.10HmaX-0005vi-00 b/test/msglog/2145.10HmaX-0005vi-00
new file mode 100644
index 0000000..33692c6
--- /dev/null
+++ b/test/msglog/2145.10HmaX-0005vi-00
@@ -0,0 +1 @@
+1999-03-02 09:44:33 Received from CALLER@??? U=CALLER P=local S=sss
diff --git a/test/scripts/5600-OCSP-OpenSSL/5600 b/test/scripts/5600-OCSP-OpenSSL/5600
new file mode 100644
index 0000000..464da69
--- /dev/null
+++ b/test/scripts/5600-OCSP-OpenSSL/5600
@@ -0,0 +1,80 @@
+# TLS server: OCSP stapling
+#
+#
+#
+# 1: Server sends good staple on request
+exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
+****
+client-ssl \
+ -ocsp aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem \
+ HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<userx@???>
+??? 250
+rcpt to:<userx@???>
+??? 250
+quit
+??? 221
+****
+killdaemon
+#
+#
+#
+# 2: Server does not staple an outdated response
+exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp
+****
+# XXX test sequence might not be quite right; this is for a server refusal
+# and we're expecting a client refusal.
+client-ssl -ocsp aux-fixed/exim-ca/expired1.example.com/CA.pem HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+****
+killdaemon
+#
+#
+#
+#
+#
+# 3: Server does not staple a response for a revoked cert
+exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp
+****
+client-ssl \
+ -ocsp aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem \
+ HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+****
+killdaemon
+#
+#
+#
+#
+#
diff --git a/test/scripts/5600-OCSP-OpenSSL/5601 b/test/scripts/5600-OCSP-OpenSSL/5601
new file mode 100644
index 0000000..b2983eb
--- /dev/null
+++ b/test/scripts/5600-OCSP-OpenSSL/5601
@@ -0,0 +1,65 @@
+# OCSP stapling, client
+#
+#
+# Client works when we don't demand OCSP stapling
+exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null
+****
+exim nostaple@???
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
+# Client accepts good stapled info
+exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
+****
+exim CALLER@???
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+# Client fails on lack of requested stapled info
+exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null
+****
+exim CALLER@???
+test message.
+****
+sleep 1
+killdaemon
+no_msglog_check
+#
+#
+#
+# Client fails on revoked stapled info
+EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp
+****
+exim CALLER@???
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
+# Client fails on expired stapled info
+EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp
+****
+exim CALLER@???
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
diff --git a/test/scripts/5600-OCSP-OpenSSL/REQUIRES b/test/scripts/5600-OCSP-OpenSSL/REQUIRES
new file mode 100644
index 0000000..3d15ede
--- /dev/null
+++ b/test/scripts/5600-OCSP-OpenSSL/REQUIRES
@@ -0,0 +1,3 @@
+support OpenSSL
+support Experimental_OCSP
+running IPv4
diff --git a/test/src/client.c b/test/src/client.c
index 58ab56d..3b782f3 100644
--- a/test/src/client.c
+++ b/test/src/client.c
@@ -1,7 +1,8 @@
/* A little hacked up program that makes a TCP/IP call and reads a script to
drive it, for testing Exim server code running as a daemon. It's got a bit
messy with the addition of support for either OpenSSL or GnuTLS. The code for
-those was hacked out of Exim itself. */
+those was hacked out of Exim itself, then code for OCSP stapling was ripped
+from the openssl ocsp and s_client utilities. */
/* ANSI C standard includes */
@@ -66,6 +67,9 @@ latter needs a whole pile of tables. */
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rand.h>
+#include <openssl/ocsp.h>
+
+char * ocsp_stapling = NULL;
#endif
@@ -145,6 +149,91 @@ sigalrm_seen = 1;
/****************************************************************************/
#ifdef HAVE_OPENSSL
+
+X509_STORE *
+setup_verify(BIO *bp, char *CAfile, char *CApath)
+{
+ X509_STORE *store;
+ X509_LOOKUP *lookup;
+ if(!(store = X509_STORE_new())) goto end;
+ lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
+ if (lookup == NULL) goto end;
+ if (CAfile) {
+ if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {
+ BIO_printf(bp, "Error loading file %s\n", CAfile);
+ goto end;
+ }
+ } else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
+
+ lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
+ if (lookup == NULL) goto end;
+ if (CApath) {
+ if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) {
+ BIO_printf(bp, "Error loading directory %s\n", CApath);
+ goto end;
+ }
+ } else X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
+
+ ERR_clear_error();
+ return store;
+ end:
+ X509_STORE_free(store);
+ return NULL;
+}
+
+
+static int
+tls_client_stapling_cb(SSL *s, void *arg)
+{
+const unsigned char *p;
+int len;
+OCSP_RESPONSE *rsp;
+OCSP_BASICRESP *bs;
+char *CAfile = NULL;
+X509_STORE *store = NULL;
+int ret = 1;
+
+len = SSL_get_tlsext_status_ocsp_resp(s, &p);
+/*BIO_printf(arg, "OCSP response: ");*/
+if (!p)
+ {
+ BIO_printf(arg, "no response received\n");
+ return 1;
+ }
+if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
+ {
+ BIO_printf(arg, "response parse error\n");
+ BIO_dump_indent(arg, (char *)p, len, 4);
+ return 0;
+ }
+if(!(bs = OCSP_response_get1_basic(rsp)))
+ {
+ BIO_printf(arg, "error parsing response\n");
+ return 0;
+ }
+
+CAfile = ocsp_stapling;
+if(!(store = setup_verify(arg, CAfile, NULL)))
+ {
+ BIO_printf(arg, "error in cert setup\n");
+ return 0;
+ }
+
+/* No file of alternate certs, no options */
+if(OCSP_basic_verify(bs, NULL, store, 0) <= 0)
+ {
+ BIO_printf(arg, "Response Verify Failure\n");
+ ERR_print_errors(arg);
+ ret = 0;
+ }
+else
+ BIO_printf(arg, "Response verify OK\n");
+
+X509_STORE_free(store);
+return ret;
+}
+
+
/*************************************************
* Start an OpenSSL TLS session *
*************************************************/
@@ -161,6 +250,13 @@ SSL_set_session_id_context(*ssl, sid_ctx, strlen(sid_ctx));
SSL_set_fd (*ssl, sock);
SSL_set_connect_state(*ssl);
+if (ocsp_stapling)
+ {
+ SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
+ SSL_CTX_set_tlsext_status_arg(ctx, BIO_new_fp(stdout, BIO_NOCLOSE));
+ SSL_set_tlsext_status_type(*ssl, TLSEXT_STATUSTYPE_ocsp);
+ }
+
signal(SIGALRM, sigalrm_handler_flag);
sigalrm_seen = 0;
alarm(5);
@@ -418,6 +514,17 @@ while (argc >= argi + 1 && argv[argi][0] == '-')
tls_on_connect = 1;
argi++;
}
+#ifdef HAVE_OPENSSL
+ else if (strcmp(argv[argi], "-ocsp") == 0)
+ {
+ if (argc < ++argi + 1)
+ {
+ fprintf(stderr, "Missing required certificate file for ocsp option\n");
+ exit(1);
+ }
+ ocsp_stapling = argv[argi++];
+ }
+#endif
else if (argv[argi][1] == 't' && isdigit(argv[argi][2]))
{
tmplong = strtol(argv[argi]+2, &end, 10);
diff --git a/test/stderr/5600 b/test/stderr/5600
new file mode 100644
index 0000000..045fadc
--- /dev/null
+++ b/test/stderr/5600
@@ -0,0 +1,2 @@
+
+******** SERVER ********
diff --git a/test/stderr/5601 b/test/stderr/5601
new file mode 100644
index 0000000..045fadc
--- /dev/null
+++ b/test/stderr/5601
@@ -0,0 +1,2 @@
+
+******** SERVER ********
diff --git a/test/stdout/5600 b/test/stdout/5600
new file mode 100644
index 0000000..9020be1
--- /dev/null
+++ b/test/stdout/5600
@@ -0,0 +1,142 @@
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/cert2
+Key file = aux-fixed/cert2
+??? 220
+<<< 220 server1.example.com ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-server1.example.com Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+SSL info: SSLv2/v3 write client hello A
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+Response verify OK
+SSL info: unknown state
+SSL info: SSLv3 read server key exchange A
+SSL info: SSLv3 read server certificate request A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client certificate A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write certificate verify A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read finished A
+SSL info: SSL negotiation finished successfully
+SSL info: SSL negotiation finished successfully
+SSL connection using AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<userx@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@???>
+??? 250
+<<< 250 Accepted
+>>> quit
+??? 221
+<<< 221 server1.example.com closing connection
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/cert2
+Key file = aux-fixed/cert2
+??? 220
+<<< 220 server1.example.com ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-server1.example.com Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+SSL info: SSLv2/v3 write client hello A
+no response received
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+SSL info: SSLv3 read server key exchange A
+SSL info: SSLv3 read server certificate request A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client certificate A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write certificate verify A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read finished A
+SSL info: SSL negotiation finished successfully
+SSL info: SSL negotiation finished successfully
+SSL connection using AES256-SHA
+Succeeded in starting TLS
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/cert2
+Key file = aux-fixed/cert2
+??? 220
+<<< 220 server1.example.com ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-server1.example.com Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+SSL info: SSLv2/v3 write client hello A
+no response received
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+SSL info: SSLv3 read server key exchange A
+SSL info: SSLv3 read server certificate request A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client certificate A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write certificate verify A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read finished A
+SSL info: SSL negotiation finished successfully
+SSL info: SSL negotiation finished successfully
+SSL connection using AES256-SHA
+Succeeded in starting TLS
+End of script
diff --git a/test/trusted_configs b/test/trusted_configs
new file mode 100644
index 0000000..47a1ec9
--- /dev/null
+++ b/test/trusted_configs
@@ -0,0 +1 @@
+/root/git/exim/test/test-config