[exim-cvs] OCSP-stapling enhancement and testing.

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Exim Git Commits Mailing List
Date:  
À: exim-cvs
Sujet: [exim-cvs] OCSP-stapling enhancement and testing.
Gitweb: http://git.exim.org/exim.git/commitdiff/f5d786885721c374cc22a1f1311ca01408a496fd
Commit:     f5d786885721c374cc22a1f1311ca01408a496fd
Parent:     26e72755c101f59e24735e9ca9a320d5f1ebc2b7
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Mar 24 21:49:12 2013 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Mon Mar 25 22:42:48 2013 +0000


    OCSP-stapling enhancement and testing.


    Server:
      Honor environment variable as well as running_in_test_harness in permitting bogus staplings
      Update server tests
      Add "-ocsp" option to client-ssl.
      Server side: add verification of stapled status.
      First cut server-mode ocsp testing.
      Fix some uninitialized ocsp-related data.


    Client (new):
      Verify stapling using only the chain that verified the server cert, not any acceptable chain.
      Add check for multiple responses in a stapling, which is not handled
      Refuse verification on expired and revoking staplings.
      Handle OCSP client refusal on lack of stapling from server.
      More fixing in client OCSP: use the server cert signing chain to verify the OCSP info.
      Add transport hosts_require_ocsp option.
      Log stapling responses.
      Start on tests for client-side.


    Testing support:
        Add CRL generation code and documentation update
        Initial CA & certificate set for testing.


    BUGFIX:
        Once a single OCSP response has been extracted the validation
        routine return code is no longer about the structure, but the actual
        returned OCSP status.
---
 doc/doc-txt/experimental-spec.txt                  |   11 +-
 src/src/functions.h                                |    5 +-
 src/src/tls-gnu.c                                  |    9 +-
 src/src/tls-openssl.c                              |  358 ++++++++++++++++----
 src/src/transports/smtp.c                          |   11 +-
 src/src/transports/smtp.h                          |    3 +
 src/src/verify.c                                   |    8 +-
 test/README                                        |    8 +-
 test/aux-fixed/exim-ca/README                      |   51 +++
 test/aux-fixed/exim-ca/example.com/BLANK/CA.pem    |   10 +
 .../aux-fixed/exim-ca/example.com/BLANK/Signer.pem |   11 +
 test/aux-fixed/exim-ca/example.com/BLANK/cert8.db  |  Bin 0 -> 65536 bytes
 test/aux-fixed/exim-ca/example.com/BLANK/key3.db   |  Bin 0 -> 16384 bytes
 test/aux-fixed/exim-ca/example.com/BLANK/pwdfile   |    1 +
 test/aux-fixed/exim-ca/example.com/BLANK/secmod.db |  Bin 0 -> 16384 bytes
 test/aux-fixed/exim-ca/example.com/CA/CA.pem       |   10 +
 test/aux-fixed/exim-ca/example.com/CA/OCSP.key     |   14 +
 test/aux-fixed/exim-ca/example.com/CA/OCSP.p12     |  Bin 0 -> 2210 bytes
 test/aux-fixed/exim-ca/example.com/CA/OCSP.pem     |   11 +
 test/aux-fixed/exim-ca/example.com/CA/Signer.pem   |   11 +
 test/aux-fixed/exim-ca/example.com/CA/ca.conf      |   18 +
 test/aux-fixed/exim-ca/example.com/CA/cert8.db     |  Bin 0 -> 65536 bytes
 test/aux-fixed/exim-ca/example.com/CA/crl.empty    |  Bin 0 -> 175 bytes
 .../exim-ca/example.com/CA/crl.empty.in.txt        |    1 +
 .../aux-fixed/exim-ca/example.com/CA/crl.empty.pem |    6 +
 test/aux-fixed/exim-ca/example.com/CA/crl.v2       |  Bin 0 -> 223 bytes
 .../aux-fixed/exim-ca/example.com/CA/crl.v2.in.txt |    3 +
 test/aux-fixed/exim-ca/example.com/CA/crl.v2.pem   |    7 +
 .../exim-ca/example.com/CA/index.revoked.txt       |    6 +
 .../exim-ca/example.com/CA/index.valid.txt         |    6 +
 test/aux-fixed/exim-ca/example.com/CA/key3.db      |  Bin 0 -> 16384 bytes
 test/aux-fixed/exim-ca/example.com/CA/noise.file   |  342 +++++++++++++++++++
 test/aux-fixed/exim-ca/example.com/CA/pwdfile      |    1 +
 test/aux-fixed/exim-ca/example.com/CA/secmod.db    |  Bin 0 -> 16384 bytes
 .../example.com/expired1.example.com/ca_chain.pem  |   47 +++
 .../example.com/expired1.example.com/cert8.db      |  Bin 0 -> 65536 bytes
 .../expired1.example.com.chain.pem                 |   29 ++
 .../expired1.example.com/expired1.example.com.key  |   15 +
 .../expired1.example.com.ocsp.dated.resp           |  Bin 0 -> 725 bytes
 .../expired1.example.com.ocsp.good.resp            |  Bin 0 -> 706 bytes
 .../expired1.example.com.ocsp.req                  |  Bin 0 -> 105 bytes
 .../expired1.example.com.ocsp.revoked.resp         |  Bin 0 -> 728 bytes
 .../expired1.example.com/expired1.example.com.p12  |  Bin 0 -> 2380 bytes
 .../expired1.example.com/expired1.example.com.pem  |   18 +
 .../expired1.example.com.unlocked.key              |    9 +
 .../example.com/expired1.example.com/key3.db       |  Bin 0 -> 16384 bytes
 .../example.com/expired1.example.com/pwdfile       |    1 +
 .../example.com/expired1.example.com/secmod.db     |  Bin 0 -> 16384 bytes
 .../example.com/expired2.example.com/ca_chain.pem  |   47 +++
 .../example.com/expired2.example.com/cert8.db      |  Bin 0 -> 65536 bytes
 .../expired2.example.com.chain.pem                 |   29 ++
 .../expired2.example.com/expired2.example.com.key  |   15 +
 .../expired2.example.com.ocsp.dated.resp           |  Bin 0 -> 726 bytes
 .../expired2.example.com.ocsp.good.resp            |  Bin 0 -> 707 bytes
 .../expired2.example.com.ocsp.req                  |  Bin 0 -> 106 bytes
 .../expired2.example.com.ocsp.revoked.resp         |  Bin 0 -> 707 bytes
 .../expired2.example.com/expired2.example.com.p12  |  Bin 0 -> 2388 bytes
 .../expired2.example.com/expired2.example.com.pem  |   18 +
 .../expired2.example.com.unlocked.key              |    9 +
 .../example.com/expired2.example.com/key3.db       |  Bin 0 -> 16384 bytes
 .../example.com/expired2.example.com/pwdfile       |    1 +
 .../example.com/expired2.example.com/secmod.db     |  Bin 0 -> 16384 bytes
 .../example.com/revoked1.example.com/ca_chain.pem  |   47 +++
 .../example.com/revoked1.example.com/cert8.db      |  Bin 0 -> 65536 bytes
 .../example.com/revoked1.example.com/key3.db       |  Bin 0 -> 16384 bytes
 .../example.com/revoked1.example.com/pwdfile       |    1 +
 .../revoked1.example.com.chain.pem                 |   29 ++
 .../revoked1.example.com/revoked1.example.com.key  |   15 +
 .../revoked1.example.com.ocsp.dated.resp           |  Bin 0 -> 725 bytes
 .../revoked1.example.com.ocsp.good.resp            |  Bin 0 -> 706 bytes
 .../revoked1.example.com.ocsp.req                  |  Bin 0 -> 105 bytes
 .../revoked1.example.com.ocsp.revoked.resp         |  Bin 0 -> 728 bytes
 .../revoked1.example.com/revoked1.example.com.p12  |  Bin 0 -> 2380 bytes
 .../revoked1.example.com/revoked1.example.com.pem  |   18 +
 .../revoked1.example.com.unlocked.key              |    9 +
 .../example.com/revoked1.example.com/secmod.db     |  Bin 0 -> 16384 bytes
 .../example.com/revoked2.example.com/ca_chain.pem  |   47 +++
 .../example.com/revoked2.example.com/cert8.db      |  Bin 0 -> 65536 bytes
 .../example.com/revoked2.example.com/key3.db       |  Bin 0 -> 16384 bytes
 .../example.com/revoked2.example.com/pwdfile       |    1 +
 .../revoked2.example.com.chain.pem                 |   29 ++
 .../revoked2.example.com/revoked2.example.com.key  |   15 +
 .../revoked2.example.com.ocsp.dated.resp           |  Bin 0 -> 726 bytes
 .../revoked2.example.com.ocsp.good.resp            |  Bin 0 -> 707 bytes
 .../revoked2.example.com.ocsp.req                  |  Bin 0 -> 106 bytes
 .../revoked2.example.com.ocsp.revoked.resp         |  Bin 0 -> 707 bytes
 .../revoked2.example.com/revoked2.example.com.p12  |  Bin 0 -> 2388 bytes
 .../revoked2.example.com/revoked2.example.com.pem  |   18 +
 .../revoked2.example.com.unlocked.key              |    9 +
 .../example.com/revoked2.example.com/secmod.db     |  Bin 0 -> 16384 bytes
 .../example.com/server1.example.com/ca_chain.pem   |   47 +++
 .../example.com/server1.example.com/cert8.db       |  Bin 0 -> 65536 bytes
 .../example.com/server1.example.com/key3.db        |  Bin 0 -> 16384 bytes
 .../example.com/server1.example.com/pwdfile        |    1 +
 .../example.com/server1.example.com/secmod.db      |  Bin 0 -> 16384 bytes
 .../server1.example.com.chain.pem                  |   29 ++
 .../server1.example.com/server1.example.com.key    |   15 +
 .../server1.example.com.ocsp.dated.resp            |  Bin 0 -> 725 bytes
 .../server1.example.com.ocsp.good.resp             |  Bin 0 -> 706 bytes
 .../server1.example.com.ocsp.req                   |  Bin 0 -> 105 bytes
 .../server1.example.com.ocsp.revoked.resp          |  Bin 0 -> 728 bytes
 .../server1.example.com/server1.example.com.p12    |  Bin 0 -> 2370 bytes
 .../server1.example.com/server1.example.com.pem    |   18 +
 .../server1.example.com.unlocked.key               |    9 +
 .../example.com/server2.example.com/ca_chain.pem   |   47 +++
 .../example.com/server2.example.com/cert8.db       |  Bin 0 -> 65536 bytes
 .../example.com/server2.example.com/key3.db        |  Bin 0 -> 16384 bytes
 .../example.com/server2.example.com/pwdfile        |    1 +
 .../example.com/server2.example.com/secmod.db      |  Bin 0 -> 16384 bytes
 .../server2.example.com.chain.pem                  |   29 ++
 .../server2.example.com/server2.example.com.key    |   15 +
 .../server2.example.com.ocsp.dated.resp            |  Bin 0 -> 726 bytes
 .../server2.example.com.ocsp.good.resp             |  Bin 0 -> 707 bytes
 .../server2.example.com.ocsp.req                   |  Bin 0 -> 106 bytes
 .../server2.example.com.ocsp.revoked.resp          |  Bin 0 -> 707 bytes
 .../server2.example.com/server2.example.com.p12    |  Bin 0 -> 2378 bytes
 .../server2.example.com/server2.example.com.pem    |   18 +
 .../server2.example.com.unlocked.key               |    9 +
 test/aux-fixed/exim-ca/example.net/BLANK/CA.pem    |   10 +
 .../aux-fixed/exim-ca/example.net/BLANK/Signer.pem |   11 +
 test/aux-fixed/exim-ca/example.net/BLANK/cert8.db  |  Bin 0 -> 65536 bytes
 test/aux-fixed/exim-ca/example.net/BLANK/key3.db   |  Bin 0 -> 16384 bytes
 test/aux-fixed/exim-ca/example.net/BLANK/pwdfile   |    1 +
 test/aux-fixed/exim-ca/example.net/BLANK/secmod.db |  Bin 0 -> 16384 bytes
 test/aux-fixed/exim-ca/example.net/CA/CA.pem       |   10 +
 test/aux-fixed/exim-ca/example.net/CA/OCSP.key     |   14 +
 test/aux-fixed/exim-ca/example.net/CA/OCSP.p12     |  Bin 0 -> 2218 bytes
 test/aux-fixed/exim-ca/example.net/CA/OCSP.pem     |   11 +
 test/aux-fixed/exim-ca/example.net/CA/Signer.pem   |   11 +
 test/aux-fixed/exim-ca/example.net/CA/ca.conf      |   18 +
 test/aux-fixed/exim-ca/example.net/CA/cert8.db     |  Bin 0 -> 65536 bytes
 test/aux-fixed/exim-ca/example.net/CA/crl.empty    |  Bin 0 -> 175 bytes
 .../exim-ca/example.net/CA/crl.empty.in.txt        |    1 +
 .../aux-fixed/exim-ca/example.net/CA/crl.empty.pem |    6 +
 test/aux-fixed/exim-ca/example.net/CA/crl.v2       |  Bin 0 -> 223 bytes
 .../aux-fixed/exim-ca/example.net/CA/crl.v2.in.txt |    3 +
 test/aux-fixed/exim-ca/example.net/CA/crl.v2.pem   |    7 +
 .../exim-ca/example.net/CA/index.revoked.txt       |    6 +
 .../exim-ca/example.net/CA/index.valid.txt         |    6 +
 test/aux-fixed/exim-ca/example.net/CA/key3.db      |  Bin 0 -> 16384 bytes
 test/aux-fixed/exim-ca/example.net/CA/noise.file   |  342 +++++++++++++++++++
 test/aux-fixed/exim-ca/example.net/CA/pwdfile      |    1 +
 test/aux-fixed/exim-ca/example.net/CA/secmod.db    |  Bin 0 -> 16384 bytes
 .../example.net/expired1.example.net/ca_chain.pem  |   47 +++
 .../example.net/expired1.example.net/cert8.db      |  Bin 0 -> 65536 bytes
 .../expired1.example.net.chain.pem                 |   29 ++
 .../expired1.example.net/expired1.example.net.key  |   15 +
 .../expired1.example.net.ocsp.dated.resp           |  Bin 0 -> 725 bytes
 .../expired1.example.net.ocsp.good.resp            |  Bin 0 -> 706 bytes
 .../expired1.example.net.ocsp.req                  |  Bin 0 -> 105 bytes
 .../expired1.example.net.ocsp.revoked.resp         |  Bin 0 -> 728 bytes
 .../expired1.example.net/expired1.example.net.p12  |  Bin 0 -> 2388 bytes
 .../expired1.example.net/expired1.example.net.pem  |   18 +
 .../expired1.example.net.unlocked.key              |    9 +
 .../example.net/expired1.example.net/key3.db       |  Bin 0 -> 16384 bytes
 .../example.net/expired1.example.net/pwdfile       |    1 +
 .../example.net/expired1.example.net/secmod.db     |  Bin 0 -> 16384 bytes
 .../example.net/expired2.example.net/ca_chain.pem  |   47 +++
 .../example.net/expired2.example.net/cert8.db      |  Bin 0 -> 65536 bytes
 .../expired2.example.net.chain.pem                 |   29 ++
 .../expired2.example.net/expired2.example.net.key  |   15 +
 .../expired2.example.net.ocsp.dated.resp           |  Bin 0 -> 726 bytes
 .../expired2.example.net.ocsp.good.resp            |  Bin 0 -> 707 bytes
 .../expired2.example.net.ocsp.req                  |  Bin 0 -> 106 bytes
 .../expired2.example.net.ocsp.revoked.resp         |  Bin 0 -> 707 bytes
 .../expired2.example.net/expired2.example.net.p12  |  Bin 0 -> 2388 bytes
 .../expired2.example.net/expired2.example.net.pem  |   18 +
 .../expired2.example.net.unlocked.key              |    9 +
 .../example.net/expired2.example.net/key3.db       |  Bin 0 -> 16384 bytes
 .../example.net/expired2.example.net/pwdfile       |    1 +
 .../example.net/expired2.example.net/secmod.db     |  Bin 0 -> 16384 bytes
 .../example.net/revoked1.example.net/ca_chain.pem  |   47 +++
 .../example.net/revoked1.example.net/cert8.db      |  Bin 0 -> 65536 bytes
 .../example.net/revoked1.example.net/key3.db       |  Bin 0 -> 16384 bytes
 .../example.net/revoked1.example.net/pwdfile       |    1 +
 .../revoked1.example.net.chain.pem                 |   29 ++
 .../revoked1.example.net/revoked1.example.net.key  |   15 +
 .../revoked1.example.net.ocsp.dated.resp           |  Bin 0 -> 725 bytes
 .../revoked1.example.net.ocsp.good.resp            |  Bin 0 -> 706 bytes
 .../revoked1.example.net.ocsp.req                  |  Bin 0 -> 105 bytes
 .../revoked1.example.net.ocsp.revoked.resp         |  Bin 0 -> 728 bytes
 .../revoked1.example.net/revoked1.example.net.p12  |  Bin 0 -> 2388 bytes
 .../revoked1.example.net/revoked1.example.net.pem  |   18 +
 .../revoked1.example.net.unlocked.key              |    9 +
 .../example.net/revoked1.example.net/secmod.db     |  Bin 0 -> 16384 bytes
 .../example.net/revoked2.example.net/ca_chain.pem  |   47 +++
 .../example.net/revoked2.example.net/cert8.db      |  Bin 0 -> 65536 bytes
 .../example.net/revoked2.example.net/key3.db       |  Bin 0 -> 16384 bytes
 .../example.net/revoked2.example.net/pwdfile       |    1 +
 .../revoked2.example.net.chain.pem                 |   29 ++
 .../revoked2.example.net/revoked2.example.net.key  |   15 +
 .../revoked2.example.net.ocsp.dated.resp           |  Bin 0 -> 726 bytes
 .../revoked2.example.net.ocsp.good.resp            |  Bin 0 -> 707 bytes
 .../revoked2.example.net.ocsp.req                  |  Bin 0 -> 106 bytes
 .../revoked2.example.net.ocsp.revoked.resp         |  Bin 0 -> 707 bytes
 .../revoked2.example.net/revoked2.example.net.p12  |  Bin 0 -> 2388 bytes
 .../revoked2.example.net/revoked2.example.net.pem  |   18 +
 .../revoked2.example.net.unlocked.key              |    9 +
 .../example.net/revoked2.example.net/secmod.db     |  Bin 0 -> 16384 bytes
 .../example.net/server1.example.net/ca_chain.pem   |   47 +++
 .../example.net/server1.example.net/cert8.db       |  Bin 0 -> 65536 bytes
 .../example.net/server1.example.net/key3.db        |  Bin 0 -> 16384 bytes
 .../example.net/server1.example.net/pwdfile        |    1 +
 .../example.net/server1.example.net/secmod.db      |  Bin 0 -> 16384 bytes
 .../server1.example.net.chain.pem                  |   29 ++
 .../server1.example.net/server1.example.net.key    |   15 +
 .../server1.example.net.ocsp.dated.resp            |  Bin 0 -> 725 bytes
 .../server1.example.net.ocsp.good.resp             |  Bin 0 -> 706 bytes
 .../server1.example.net.ocsp.req                   |  Bin 0 -> 105 bytes
 .../server1.example.net.ocsp.revoked.resp          |  Bin 0 -> 728 bytes
 .../server1.example.net/server1.example.net.p12    |  Bin 0 -> 2378 bytes
 .../server1.example.net/server1.example.net.pem    |   18 +
 .../server1.example.net.unlocked.key               |    9 +
 .../example.net/server2.example.net/ca_chain.pem   |   47 +++
 .../example.net/server2.example.net/cert8.db       |  Bin 0 -> 65536 bytes
 .../example.net/server2.example.net/key3.db        |  Bin 0 -> 16384 bytes
 .../example.net/server2.example.net/pwdfile        |    1 +
 .../example.net/server2.example.net/secmod.db      |  Bin 0 -> 16384 bytes
 .../server2.example.net.chain.pem                  |   29 ++
 .../server2.example.net/server2.example.net.key    |   15 +
 .../server2.example.net.ocsp.dated.resp            |  Bin 0 -> 726 bytes
 .../server2.example.net.ocsp.good.resp             |  Bin 0 -> 707 bytes
 .../server2.example.net.ocsp.req                   |  Bin 0 -> 106 bytes
 .../server2.example.net.ocsp.revoked.resp          |  Bin 0 -> 707 bytes
 .../server2.example.net/server2.example.net.p12    |  Bin 0 -> 2386 bytes
 .../server2.example.net/server2.example.net.pem    |   18 +
 .../server2.example.net.unlocked.key               |    9 +
 test/aux-fixed/exim-ca/example.org/BLANK/CA.pem    |   10 +
 .../aux-fixed/exim-ca/example.org/BLANK/Signer.pem |   11 +
 test/aux-fixed/exim-ca/example.org/BLANK/cert8.db  |  Bin 0 -> 65536 bytes
 test/aux-fixed/exim-ca/example.org/BLANK/key3.db   |  Bin 0 -> 16384 bytes
 test/aux-fixed/exim-ca/example.org/BLANK/pwdfile   |    1 +
 test/aux-fixed/exim-ca/example.org/BLANK/secmod.db |  Bin 0 -> 16384 bytes
 test/aux-fixed/exim-ca/example.org/CA/CA.pem       |   10 +
 test/aux-fixed/exim-ca/example.org/CA/OCSP.key     |   14 +
 test/aux-fixed/exim-ca/example.org/CA/OCSP.p12     |  Bin 0 -> 2218 bytes
 test/aux-fixed/exim-ca/example.org/CA/OCSP.pem     |   11 +
 test/aux-fixed/exim-ca/example.org/CA/Signer.pem   |   11 +
 test/aux-fixed/exim-ca/example.org/CA/ca.conf      |   18 +
 test/aux-fixed/exim-ca/example.org/CA/cert8.db     |  Bin 0 -> 65536 bytes
 test/aux-fixed/exim-ca/example.org/CA/crl.empty    |  Bin 0 -> 175 bytes
 .../exim-ca/example.org/CA/crl.empty.in.txt        |    1 +
 .../aux-fixed/exim-ca/example.org/CA/crl.empty.pem |    6 +
 test/aux-fixed/exim-ca/example.org/CA/crl.v2       |  Bin 0 -> 223 bytes
 .../aux-fixed/exim-ca/example.org/CA/crl.v2.in.txt |    3 +
 test/aux-fixed/exim-ca/example.org/CA/crl.v2.pem   |    7 +
 .../exim-ca/example.org/CA/index.revoked.txt       |    6 +
 .../exim-ca/example.org/CA/index.valid.txt         |    6 +
 test/aux-fixed/exim-ca/example.org/CA/key3.db      |  Bin 0 -> 16384 bytes
 test/aux-fixed/exim-ca/example.org/CA/noise.file   |  342 +++++++++++++++++++
 test/aux-fixed/exim-ca/example.org/CA/pwdfile      |    1 +
 test/aux-fixed/exim-ca/example.org/CA/secmod.db    |  Bin 0 -> 16384 bytes
 .../example.org/expired1.example.org/ca_chain.pem  |   47 +++
 .../example.org/expired1.example.org/cert8.db      |  Bin 0 -> 65536 bytes
 .../expired1.example.org.chain.pem                 |   29 ++
 .../expired1.example.org/expired1.example.org.key  |   15 +
 .../expired1.example.org.ocsp.dated.resp           |  Bin 0 -> 725 bytes
 .../expired1.example.org.ocsp.good.resp            |  Bin 0 -> 706 bytes
 .../expired1.example.org.ocsp.req                  |  Bin 0 -> 105 bytes
 .../expired1.example.org.ocsp.revoked.resp         |  Bin 0 -> 728 bytes
 .../expired1.example.org/expired1.example.org.p12  |  Bin 0 -> 2388 bytes
 .../expired1.example.org/expired1.example.org.pem  |   18 +
 .../expired1.example.org.unlocked.key              |    9 +
 .../example.org/expired1.example.org/key3.db       |  Bin 0 -> 16384 bytes
 .../example.org/expired1.example.org/pwdfile       |    1 +
 .../example.org/expired1.example.org/secmod.db     |  Bin 0 -> 16384 bytes
 .../example.org/expired2.example.org/ca_chain.pem  |   47 +++
 .../example.org/expired2.example.org/cert8.db      |  Bin 0 -> 65536 bytes
 .../expired2.example.org.chain.pem                 |   29 ++
 .../expired2.example.org/expired2.example.org.key  |   15 +
 .../expired2.example.org.ocsp.dated.resp           |  Bin 0 -> 726 bytes
 .../expired2.example.org.ocsp.good.resp            |  Bin 0 -> 707 bytes
 .../expired2.example.org.ocsp.req                  |  Bin 0 -> 106 bytes
 .../expired2.example.org.ocsp.revoked.resp         |  Bin 0 -> 707 bytes
 .../expired2.example.org/expired2.example.org.p12  |  Bin 0 -> 2388 bytes
 .../expired2.example.org/expired2.example.org.pem  |   18 +
 .../expired2.example.org.unlocked.key              |    9 +
 .../example.org/expired2.example.org/key3.db       |  Bin 0 -> 16384 bytes
 .../example.org/expired2.example.org/pwdfile       |    1 +
 .../example.org/expired2.example.org/secmod.db     |  Bin 0 -> 16384 bytes
 .../example.org/revoked1.example.org/ca_chain.pem  |   47 +++
 .../example.org/revoked1.example.org/cert8.db      |  Bin 0 -> 65536 bytes
 .../example.org/revoked1.example.org/key3.db       |  Bin 0 -> 16384 bytes
 .../example.org/revoked1.example.org/pwdfile       |    1 +
 .../revoked1.example.org.chain.pem                 |   29 ++
 .../revoked1.example.org/revoked1.example.org.key  |   15 +
 .../revoked1.example.org.ocsp.dated.resp           |  Bin 0 -> 725 bytes
 .../revoked1.example.org.ocsp.good.resp            |  Bin 0 -> 706 bytes
 .../revoked1.example.org.ocsp.req                  |  Bin 0 -> 105 bytes
 .../revoked1.example.org.ocsp.revoked.resp         |  Bin 0 -> 728 bytes
 .../revoked1.example.org/revoked1.example.org.p12  |  Bin 0 -> 2380 bytes
 .../revoked1.example.org/revoked1.example.org.pem  |   18 +
 .../revoked1.example.org.unlocked.key              |    9 +
 .../example.org/revoked1.example.org/secmod.db     |  Bin 0 -> 16384 bytes
 .../example.org/revoked2.example.org/ca_chain.pem  |   47 +++
 .../example.org/revoked2.example.org/cert8.db      |  Bin 0 -> 65536 bytes
 .../example.org/revoked2.example.org/key3.db       |  Bin 0 -> 16384 bytes
 .../example.org/revoked2.example.org/pwdfile       |    1 +
 .../revoked2.example.org.chain.pem                 |   29 ++
 .../revoked2.example.org/revoked2.example.org.key  |   15 +
 .../revoked2.example.org.ocsp.dated.resp           |  Bin 0 -> 726 bytes
 .../revoked2.example.org.ocsp.good.resp            |  Bin 0 -> 707 bytes
 .../revoked2.example.org.ocsp.req                  |  Bin 0 -> 106 bytes
 .../revoked2.example.org.ocsp.revoked.resp         |  Bin 0 -> 707 bytes
 .../revoked2.example.org/revoked2.example.org.p12  |  Bin 0 -> 2388 bytes
 .../revoked2.example.org/revoked2.example.org.pem  |   18 +
 .../revoked2.example.org.unlocked.key              |    9 +
 .../example.org/revoked2.example.org/secmod.db     |  Bin 0 -> 16384 bytes
 .../example.org/server1.example.org/ca_chain.pem   |   47 +++
 .../example.org/server1.example.org/cert8.db       |  Bin 0 -> 65536 bytes
 .../example.org/server1.example.org/key3.db        |  Bin 0 -> 16384 bytes
 .../example.org/server1.example.org/pwdfile        |    1 +
 .../example.org/server1.example.org/secmod.db      |  Bin 0 -> 16384 bytes
 .../server1.example.org.chain.pem                  |   29 ++
 .../server1.example.org/server1.example.org.key    |   15 +
 .../server1.example.org.ocsp.dated.resp            |  Bin 0 -> 725 bytes
 .../server1.example.org.ocsp.good.resp             |  Bin 0 -> 706 bytes
 .../server1.example.org.ocsp.req                   |  Bin 0 -> 105 bytes
 .../server1.example.org.ocsp.revoked.resp          |  Bin 0 -> 728 bytes
 .../server1.example.org/server1.example.org.p12    |  Bin 0 -> 2378 bytes
 .../server1.example.org/server1.example.org.pem    |   18 +
 .../server1.example.org.unlocked.key               |    9 +
 .../example.org/server2.example.org/ca_chain.pem   |   47 +++
 .../example.org/server2.example.org/cert8.db       |  Bin 0 -> 65536 bytes
 .../example.org/server2.example.org/key3.db        |  Bin 0 -> 16384 bytes
 .../example.org/server2.example.org/pwdfile        |    1 +
 .../example.org/server2.example.org/secmod.db      |  Bin 0 -> 16384 bytes
 .../server2.example.org.chain.pem                  |   29 ++
 .../server2.example.org/server2.example.org.key    |   15 +
 .../server2.example.org.ocsp.dated.resp            |  Bin 0 -> 726 bytes
 .../server2.example.org.ocsp.good.resp             |  Bin 0 -> 707 bytes
 .../server2.example.org.ocsp.req                   |  Bin 0 -> 106 bytes
 .../server2.example.org.ocsp.revoked.resp          |  Bin 0 -> 707 bytes
 .../server2.example.org/server2.example.org.p12    |  Bin 0 -> 2386 bytes
 .../server2.example.org/server2.example.org.pem    |   18 +
 .../server2.example.org.unlocked.key               |    9 +
 test/aux-fixed/exim-ca/genall                      |  101 ++++++
 test/aux-fixed/ocsp_file.der                       |  Bin 0 -> 1367 bytes
 test/confs/5600                                    |   66 ++++
 test/confs/5601                                    |  121 +++++++
 test/log/5600                                      |    6 +
 test/log/5601                                      |   41 +++
 test/msglog/2145.10HmaX-0005vi-00                  |    1 +
 test/scripts/5600-OCSP-OpenSSL/5600                |   80 +++++
 test/scripts/5600-OCSP-OpenSSL/5601                |   65 ++++
 test/scripts/5600-OCSP-OpenSSL/REQUIRES            |    3 +
 test/src/client.c                                  |  109 ++++++-
 test/stderr/5600                                   |    2 +
 test/stderr/5601                                   |    2 +
 test/stdout/5600                                   |  142 ++++++++
 test/trusted_configs                               |    1 +
 351 files changed, 4631 insertions(+), 89 deletions(-)


diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index 8d1ebef..385f052 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -69,7 +69,7 @@ starts retrying to fetch an OCSP proof some time before its current
proof expires. The downside is that it requires server support.

If Exim is built with EXPERIMENTAL_OCSP and it was built with OpenSSL,
-then it gains one new option: "tls_ocsp_file".
+then it gains a new global option: "tls_ocsp_file".

The file specified therein is expected to be in DER format, and contain
an OCSP proof. Exim will serve it as part of the TLS handshake. This
@@ -86,10 +86,15 @@ next connection.
Exim will check for a valid next update timestamp in the OCSP proof;
if not present, or if the proof has expired, it will be ignored.

+Also, given EXPERIMENTAL_OCSP and OpenSSL, the smtp transport gains
+a "hosts_require_ocsp" option; a host-list for which an OCSP Stapling
+is requested and required for the connection to proceed. The host(s)
+should also be in "hosts_require_tls", and "tls_verify_certificates"
+configured for the transport.
+
At this point in time, we're gathering feedback on use, to determine if
it's worth adding complexity to the Exim daemon to periodically re-fetch
-OCSP files and somehow handling multiple files. There is no client support
-for OCSP in Exim, this is feature expected to be used by mail clients.
+OCSP files and somehow handling multiple files.



diff --git a/src/src/functions.h b/src/src/functions.h
index 604dd4a..20fc9a0 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -25,8 +25,11 @@ extern const char *
                std_dh_prime_default(void);
 extern const char *
                std_dh_prime_named(const uschar *);
-extern int     tls_client_start(int, host_item *, address_item *, uschar *,
+extern int     tls_client_start(int, host_item *, address_item *,
                  uschar *, uschar *, uschar *, uschar *, uschar *, uschar *,
+# ifdef EXPERIMENTAL_OCSP
+                 uschar *,
+# endif
                  int, int);
 extern void    tls_close(BOOL, BOOL);
 extern int     tls_feof(void);
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 2399857..c357ba4 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1547,7 +1547,6 @@ Arguments:
   fd                the fd of the connection
   host              connected host (for messages)
   addr              the first address (not used)
-  dhparam           DH parameter file (ignored, we're a client)
   certificate       certificate file
   privatekey        private key file
   sni               TLS SNI to send to remote host
@@ -1563,10 +1562,14 @@ Returns:            OK/DEFER/FAIL (because using common functions),


 int
 tls_client_start(int fd, host_item *host,
-    address_item *addr ARG_UNUSED, uschar *dhparam ARG_UNUSED,
+    address_item *addr ARG_UNUSED,
     uschar *certificate, uschar *privatekey, uschar *sni,
     uschar *verify_certs, uschar *verify_crl,
-    uschar *require_ciphers, int dh_min_bits, int timeout)
+    uschar *require_ciphers,
+#ifdef EXPERIMENTAL_OCSP
+    uschar *require_ocsp ARG_UNUSED,
+#endif
+    int dh_min_bits, int timeout)
 {
 int rc;
 const char *error;
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 42afd39..93ee079 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -5,6 +5,8 @@
 /* Copyright (c) University of Cambridge 1995 - 2012 */
 /* See the file NOTICE for conditions of use and distribution. */


+/* Portions Copyright (c) The OpenSSL Project 1999 */
+
/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
library. It is #included into the tls.c file when that library is used. The
code herein is based on a patch that was originally contributed by Steve
@@ -80,16 +82,24 @@ static int ssl_session_timeout = 200;
static BOOL client_verify_optional = FALSE;
static BOOL server_verify_optional = FALSE;

-static BOOL    reexpand_tls_files_for_sni = FALSE;
+static BOOL reexpand_tls_files_for_sni = FALSE;



 typedef struct tls_ext_ctx_cb {
   uschar *certificate;
   uschar *privatekey;
 #ifdef EXPERIMENTAL_OCSP
-  uschar *ocsp_file;
-  uschar *ocsp_file_expanded;
-  OCSP_RESPONSE *ocsp_response;
+  BOOL is_server;
+  union {
+    struct {
+      uschar        *file;
+      uschar        *file_expanded;
+      OCSP_RESPONSE *response;
+    } server;
+    struct {
+      X509_STORE    *verify_store;
+    } client;
+  } u_ocsp;
 #endif
   uschar *dhparam;
   /* these are cached from first expand */
@@ -112,7 +122,7 @@ setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL opt
 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
 #endif
 #ifdef EXPERIMENTAL_OCSP
-static int tls_stapling_cb(SSL *s, void *arg);
+static int tls_server_stapling_cb(SSL *s, void *arg);
 #endif



@@ -196,6 +206,29 @@ return rsa_key;



+/* Extreme debug
+#if defined(EXPERIMENTAL_OCSP)
+void
+x509_store_dump_cert_s_names(X509_STORE * store)
+{
+STACK_OF(X509_OBJECT) * roots= store->objs;
+int i;
+static uschar name[256];
+
+for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
+  {
+  X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
+  if(tmp_obj->type == X509_LU_X509)
+    {
+    X509 * current_cert= tmp_obj->data.x509;
+    X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
+    debug_printf(" %s\n", name);
+    }
+  }
+}
+#endif
+*/
+


 /*************************************************
 *        Callback for verification               *
@@ -227,25 +260,9 @@ Returns:     1 if verified, 0 if not
 */


static int
-verify_callback(int state, X509_STORE_CTX *x509ctx, BOOL client)
+verify_callback(int state, X509_STORE_CTX *x509ctx, tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
{
static uschar txt[256];
-tls_support * tlsp;
-BOOL * calledp;
-BOOL * optionalp;
-
-if (client)
- {
- tlsp= &tls_out;
- calledp= &client_verify_callback_called;
- optionalp= &client_verify_optional;
- }
-else
- {
- tlsp= &tls_in;
- calledp= &server_verify_callback_called;
- optionalp= &server_verify_optional;
- }

 X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
   CS txt, sizeof(txt));
@@ -268,6 +285,17 @@ if (x509ctx->error_depth != 0)
   {
   DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
      x509ctx->error_depth, txt);
+#ifdef EXPERIMENTAL_OCSP
+  if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
+    {    /* client, wanting stapling  */
+    /* Add the server cert's signing chain as the one
+    for the verification of the OCSP stapled information. */
+  
+    if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
+                             x509ctx->current_cert))
+      ERR_clear_error();
+    }
+#endif
   }
 else
   {
@@ -276,6 +304,10 @@ else
   tlsp->peerdn = txt;
   }


+/*XXX JGH: this looks bogus - we set "verified" first time through, which
+will be for the root CS cert (calls work down the chain). Why should it
+not be on the last call, where we're setting peerdn?
+*/
if (!*calledp) tlsp->certificate_verified = TRUE;
*calledp = TRUE;

@@ -285,13 +317,13 @@ return 1; /* accept */
static int
verify_callback_client(int state, X509_STORE_CTX *x509ctx)
{
-return verify_callback(state, x509ctx, TRUE);
+return verify_callback(state, x509ctx, &tls_out, &client_verify_callback_called, &client_verify_optional);
}

static int
verify_callback_server(int state, X509_STORE_CTX *x509ctx)
{
-return verify_callback(state, x509ctx, FALSE);
+return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called, &server_verify_optional);
}


@@ -418,7 +450,7 @@ return TRUE;
 *       Load OCSP information into state         *
 *************************************************/


-/* Called to load the OCSP response from the given file into memory, once
+/* Called to load the server OCSP response from the given file into memory, once
caller has determined this is needed. Checks validity. Debugs a message
if invalid.

@@ -432,9 +464,7 @@ Arguments:
*/

 static void
-ocsp_load_response(SSL_CTX *sctx,
-    tls_ext_ctx_cb *cbinfo,
-    const uschar *expanded)
+ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
 {
 BIO *bio;
 OCSP_RESPONSE *resp;
@@ -445,18 +475,18 @@ X509_STORE *store;
 unsigned long verify_flags;
 int status, reason, i;


-cbinfo->ocsp_file_expanded = string_copy(expanded);
-if (cbinfo->ocsp_response)
+cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
+if (cbinfo->u_ocsp.server.response)
{
- OCSP_RESPONSE_free(cbinfo->ocsp_response);
- cbinfo->ocsp_response = NULL;
+ OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
+ cbinfo->u_ocsp.server.response = NULL;
}

-bio = BIO_new_file(CS cbinfo->ocsp_file_expanded, "rb");
+bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb");
 if (!bio)
   {
   DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
-      cbinfo->ocsp_file_expanded);
+      cbinfo->u_ocsp.server.file_expanded);
   return;
   }


@@ -473,7 +503,7 @@ if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
   {
   DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
       OCSP_response_status_str(status), status);
-  return;
+  goto bad;
   }


 basic_response = OCSP_response_get1_basic(resp);
@@ -481,7 +511,7 @@ if (!basic_response)
   {
   DEBUG(D_tls)
     debug_printf("OCSP response parse error: unable to extract basic response.\n");
-  return;
+  goto bad;
   }


 store = SSL_CTX_get_cert_store(sctx);
@@ -497,8 +527,8 @@ if (i <= 0)
   DEBUG(D_tls) {
     ERR_error_string(ERR_get_error(), ssl_errstring);
     debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
-  }
-  return;
+    }
+  goto bad;
   }


 /* Here's the simplifying assumption: there's only one response, for the
@@ -513,27 +543,43 @@ if (!single_response)
   {
   DEBUG(D_tls)
     debug_printf("Unable to get first response from OCSP basic response.\n");
-  return;
+  goto bad;
   }


 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
-/* how does this status differ from the one above? */
-if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
+if (status != V_OCSP_CERTSTATUS_GOOD)
   {
-  DEBUG(D_tls) debug_printf("OCSP response not valid (take 2): %s (%d)\n",
-      OCSP_response_status_str(status), status);
-  return;
+  DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
+      OCSP_cert_status_str(status), status,
+      OCSP_crl_reason_str(reason), reason);
+  goto bad;
   }


if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
{
DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
- return;
+ goto bad;
}

-cbinfo->ocsp_response = resp;
+supply_response:
+cbinfo->u_ocsp.server.response = resp;
+return;
+
+bad:
+if (running_in_test_harness)
+  {
+  extern char ** environ;
+  uschar ** p;
+  for (p = USS environ; *p != NULL; p++)
+    if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
+      {
+      DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
+      goto supply_response;
+      }
+  }
+return;
 }
-#endif
+#endif    /*EXPERIMENTAL_OCSP*/




@@ -542,7 +588,7 @@ cbinfo->ocsp_response = resp;
 *        Expand key and cert file specs          *
 *************************************************/


-/* Called once during tls_init and possibly againt during TLS setup, for a
+/* Called once during tls_init and possibly again during TLS setup, for a
new context, if Server Name Indication was used and tls_sni was seen in
the certificate string.

@@ -596,16 +642,16 @@ if (expanded != NULL && *expanded != 0)
}

 #ifdef EXPERIMENTAL_OCSP
-if (cbinfo->ocsp_file != NULL)
+if (cbinfo->is_server &&  cbinfo->u_ocsp.server.file != NULL)
   {
-  if (!expand_check(cbinfo->ocsp_file, US"tls_ocsp_file", &expanded))
+  if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded))
     return DEFER;


   if (expanded != NULL && *expanded != 0)
     {
     DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
-    if (cbinfo->ocsp_file_expanded &&
-        (Ustrcmp(expanded, cbinfo->ocsp_file_expanded) == 0))
+    if (cbinfo->u_ocsp.server.file_expanded &&
+        (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
       {
       DEBUG(D_tls)
         debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
@@ -686,9 +732,9 @@ SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
 if (cbinfo->server_cipher_list)
   SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
 #ifdef EXPERIMENTAL_OCSP
-if (cbinfo->ocsp_file)
+if (cbinfo->u_ocsp.server.file)
   {
-  SSL_CTX_set_tlsext_status_cb(server_sni, tls_stapling_cb);
+  SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
   SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
   }
 #endif
@@ -715,6 +761,7 @@ return SSL_TLSEXT_ERR_OK;



 #ifdef EXPERIMENTAL_OCSP
+
 /*************************************************
 *        Callback to handle OCSP Stapling        *
 *************************************************/
@@ -728,19 +775,24 @@ project.
 */


static int
-tls_stapling_cb(SSL *s, void *arg)
+tls_server_stapling_cb(SSL *s, void *arg)
{
const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
uschar *response_der;
int response_der_len;

-DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.\n",
-    cbinfo->ocsp_response ? "have" : "lack");
-if (!cbinfo->ocsp_response)
+if (log_extra_selector & LX_tls_cipher)
+  log_write(0, LOG_MAIN, "[%s] Recieved OCSP stapling req;%s responding",
+    sender_host_address, cbinfo->u_ocsp.server.response ? "":" not");
+else
+  DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.",
+    cbinfo->u_ocsp.server.response ? "have" : "lack");
+
+if (!cbinfo->u_ocsp.server.response)
   return SSL_TLSEXT_ERR_NOACK;


response_der = NULL;
-response_der_len = i2d_OCSP_RESPONSE(cbinfo->ocsp_response, &response_der);
+response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, &response_der);
if (response_der_len <= 0)
return SSL_TLSEXT_ERR_NOACK;

@@ -748,8 +800,133 @@ SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
return SSL_TLSEXT_ERR_OK;
}

-#endif /* EXPERIMENTAL_OCSP */

+static void
+time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
+{
+BIO_printf(bp, "\t%s: ", str);
+ASN1_GENERALIZEDTIME_print(bp, time);
+BIO_puts(bp, "\n");
+}
+
+static int
+tls_client_stapling_cb(SSL *s, void *arg)
+{
+tls_ext_ctx_cb * cbinfo = arg;
+const unsigned char * p;
+int len;
+OCSP_RESPONSE * rsp;
+OCSP_BASICRESP * bs;
+int i;
+
+DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
+len = SSL_get_tlsext_status_ocsp_resp(s, &p);
+if(!p)
+ {
+  if (log_extra_selector & LX_tls_cipher)
+    log_write(0, LOG_MAIN, "Received TLS status response, null content");
+  else
+    DEBUG(D_tls) debug_printf(" null\n");
+  return 0;    /* This is the fail case for require-ocsp; none from server */
+ }
+if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
+ {
+  if (log_extra_selector & LX_tls_cipher)
+    log_write(0, LOG_MAIN, "Received TLS status response, parse error");
+  else
+    DEBUG(D_tls) debug_printf(" parse error\n");
+  return 0;
+ }
+
+if(!(bs = OCSP_response_get1_basic(rsp)))
+  {
+  if (log_extra_selector & LX_tls_cipher)
+    log_write(0, LOG_MAIN, "Received TLS status response, error parsing response");
+  else
+    DEBUG(D_tls) debug_printf(" error parsing response\n");
+  OCSP_RESPONSE_free(rsp);
+  return 0;
+  }
+
+/* We'd check the nonce here if we'd put one in the request. */
+/* However that would defeat cacheability on the server so we don't. */
+
+
+/* This section of code reworked from OpenSSL apps source;
+   The OpenSSL Project retains copyright:
+   Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+*/
+  {
+    BIO * bp = NULL;
+    OCSP_CERTID *id;
+    int status, reason;
+    ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
+
+    DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+    /*OCSP_RESPONSE_print(bp, rsp, 0);   extreme debug: stapling content */
+
+    /* Use the chain that verified the server cert to verify the stapled info */
+    /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
+
+    if ((i = OCSP_basic_verify(bs, NULL, cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
+      {
+      BIO_printf(bp, "OCSP response verify failure\n");
+      ERR_print_errors(bp);
+      i = 0;
+      goto out;
+      }
+
+    BIO_printf(bp, "OCSP response well-formed and signed OK\n");
+
+      {
+      STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
+      OCSP_SINGLERESP * single;
+
+      if (sk_OCSP_SINGLERESP_num(sresp) != 1)
+        {
+        log_write(0, LOG_MAIN, "OCSP stapling with multiple responses not handled");
+        goto out;
+        }
+      single = OCSP_resp_get0(bs, 0);
+      status = OCSP_single_get0_status(single, &reason, &rev, &thisupd, &nextupd);
+      }
+
+    i = 0;
+    DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
+    DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
+    if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
+      {
+      DEBUG(D_tls) ERR_print_errors(bp);
+      log_write(0, LOG_MAIN, "Server OSCP dates invalid");
+      goto out;
+      }
+
+    DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n", OCSP_cert_status_str(status));
+    switch(status)
+      {
+      case V_OCSP_CERTSTATUS_GOOD:
+        i = 1;
+        break;
+      case V_OCSP_CERTSTATUS_REVOKED:
+        log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
+            reason != -1 ? "; reason: " : "", reason != -1 ? OCSP_crl_reason_str(reason) : "");
+        DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
+        i = 0;
+        break;
+      default:
+        log_write(0, LOG_MAIN, "Server certificate status unknown, in OCSP stapling");
+        i = 0;
+        break;
+      }
+  out:
+    BIO_free(bp);
+  }
+
+OCSP_RESPONSE_free(rsp);
+return i;
+}
+#endif    /*EXPERIMENTAL_OCSP*/




@@ -765,6 +942,7 @@ Arguments:
   dhparam         DH parameter file
   certificate     certificate file
   privatekey      private key
+  ocsp_file       file of stapling info (server); flag for require ocsp (client)
   addr            address if client; NULL if server (for some randomness)


 Returns:          OK/DEFER/FAIL
@@ -787,9 +965,14 @@ cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
 cbinfo->certificate = certificate;
 cbinfo->privatekey = privatekey;
 #ifdef EXPERIMENTAL_OCSP
-cbinfo->ocsp_file = ocsp_file;
-cbinfo->ocsp_file_expanded = NULL;
-cbinfo->ocsp_response = NULL;
+if ((cbinfo->is_server = host==NULL))
+  {
+  cbinfo->u_ocsp.server.file = ocsp_file;
+  cbinfo->u_ocsp.server.file_expanded = NULL;
+  cbinfo->u_ocsp.server.response = NULL;
+  }
+else
+  cbinfo->u_ocsp.client.verify_store = NULL;
 #endif
 cbinfo->dhparam = dhparam;
 cbinfo->host = host;
@@ -881,24 +1064,37 @@ if (rc != OK) return rc;


 /* If we need to handle SNI, do so */
 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
-if (host == NULL)
+if (host == NULL)        /* server */
   {
-#ifdef EXPERIMENTAL_OCSP
-  /* We check ocsp_file, not ocsp_response, because we care about if
+# ifdef EXPERIMENTAL_OCSP
+  /* We check u_ocsp.server.file, not server.response, because we care about if
   the option exists, not what the current expansion might be, as SNI might
   change the certificate and OCSP file in use between now and the time the
   callback is invoked. */
-  if (cbinfo->ocsp_file)
+  if (cbinfo->u_ocsp.server.file)
     {
-    SSL_CTX_set_tlsext_status_cb(server_ctx, tls_stapling_cb);
+    SSL_CTX_set_tlsext_status_cb(server_ctx, tls_server_stapling_cb);
     SSL_CTX_set_tlsext_status_arg(server_ctx, cbinfo);
     }
-#endif
+# endif
   /* We always do this, so that $tls_sni is available even if not used in
   tls_certificate */
   SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
   SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
   }
+# ifdef EXPERIMENTAL_OCSP
+else            /* client */
+  if(ocsp_file)        /* wanting stapling */
+    {
+    if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
+      {
+      DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
+      return FAIL;
+      }
+    SSL_CTX_set_tlsext_status_cb(*ctxp, tls_client_stapling_cb);
+    SSL_CTX_set_tlsext_status_arg(*ctxp, cbinfo);
+    }
+# endif
 #endif


 /* Set up the RSA callback */
@@ -1292,7 +1488,6 @@ Argument:
   fd               the fd of the connection
   host             connected host (for messages)
   addr             the first address
-  dhparam          DH parameter file
   certificate      certificate file
   privatekey       private key file
   sni              TLS SNI to send to remote host
@@ -1309,20 +1504,28 @@ Returns:           OK on success
 */


int
-tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
+tls_client_start(int fd, host_item *host, address_item *addr,
uschar *certificate, uschar *privatekey, uschar *sni,
uschar *verify_certs, uschar *crl,
- uschar *require_ciphers, int dh_min_bits ARG_UNUSED, int timeout)
+ uschar *require_ciphers,
+#ifdef EXPERIMENTAL_OCSP
+ uschar *hosts_require_ocsp,
+#endif
+ int dh_min_bits ARG_UNUSED, int timeout)
{
static uschar txt[256];
uschar *expciphers;
X509* server_cert;
int rc;
static uschar cipherbuf[256];
+#ifdef EXPERIMENTAL_OCSP
+BOOL require_ocsp = verify_check_this_host(&hosts_require_ocsp,
+ NULL, host->name, host->address, NULL) == OK;
+#endif

-rc = tls_init(&client_ctx, host, dhparam, certificate, privatekey,
+rc = tls_init(&client_ctx, host, NULL, certificate, privatekey,
 #ifdef EXPERIMENTAL_OCSP
-    NULL,
+    require_ocsp ? US"" : NULL,
 #endif
     addr, &client_static_cbinfo);
 if (rc != OK) return rc;
@@ -1377,6 +1580,13 @@ if (sni)
     }
   }


+#ifdef EXPERIMENTAL_OCSP
+/* Request certificate status at connection-time. If the server
+does OCSP stapling we will get the callback (set in tls_init()) */
+if (require_ocsp)
+ SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
+#endif
+
/* There doesn't seem to be a built-in timeout on connection. */

 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index ee260a1..4b5529f 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -101,6 +101,10 @@ optionlist smtp_transport_options[] = {
   { "hosts_require_auth",   opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_require_auth) },
 #ifdef SUPPORT_TLS
+# if defined EXPERIMENTAL_OCSP
+  { "hosts_require_ocsp",   opt_stringptr,
+      (void *)offsetof(smtp_transport_options_block, hosts_require_ocsp) },
+# endif
   { "hosts_require_tls",    opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_require_tls) },
 #endif
@@ -179,6 +183,9 @@ smtp_transport_options_block smtp_transport_option_defaults = {
 #ifdef EXPERIMENTAL_PRDR
   NULL,                /* hosts_try_prdr */
 #endif
+#ifdef EXPERIMENTAL_OCSP
+  NULL,                /* hosts_require_ocsp */
+#endif
   NULL,                /* hosts_require_tls */
   NULL,                /* hosts_avoid_tls */
   US"*",               /* hosts_verify_avoid_tls */
@@ -1147,13 +1154,15 @@ if (tls_offered && !suppress_tls &&
     int rc = tls_client_start(inblock.sock,
       host,
       addrlist,
-      NULL,                    /* No DH param */
       ob->tls_certificate,
       ob->tls_privatekey,
       ob->tls_sni,
       ob->tls_verify_certificates,
       ob->tls_crl,
       ob->tls_require_ciphers,
+#ifdef EXPERIMENTAL_OCSP
+      ob->hosts_require_ocsp,
+#endif
       ob->tls_dh_min_bits,
       ob->command_timeout);


diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index ef53292..4bea203 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -24,6 +24,9 @@ typedef struct {
 #ifdef EXPERIMENTAL_PRDR
   uschar *hosts_try_prdr;
 #endif
+#ifdef EXPERIMENTAL_OCSP
+  uschar *hosts_require_ocsp;
+#endif
   uschar *hosts_require_tls;
   uschar *hosts_avoid_tls;
   uschar *hosts_verify_avoid_tls;
diff --git a/src/src/verify.c b/src/src/verify.c
index a1b8142..5240457 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -634,12 +634,14 @@ else
       else
         {
         int rc = tls_client_start(inblock.sock, host, addr,
-       NULL,                    /* No DH param */
        ob->tls_certificate, ob->tls_privatekey,
        ob->tls_sni,
        ob->tls_verify_certificates, ob->tls_crl,
-       ob->tls_require_ciphers,     ob->tls_dh_min_bits,
-       callout);
+       ob->tls_require_ciphers,
+#ifdef EXPERIMENTAL_OCSP
+       ob->hosts_require_ocsp,
+#endif
+     ob->tls_dh_min_bits,         callout);


         /* TLS negotiation failed; give an error.  Try in clear on a new connection,
            if the options permit it for this host. */
diff --git a/test/README b/test/README
index 7e778ee..c64b022 100644
--- a/test/README
+++ b/test/README
@@ -843,9 +843,11 @@ and port, using the specified interface, if one is given.


When OpenSSL is available on the host, an alternative version of the client
program is compiled, one that supports TLS using OpenSSL. The additional
-arguments specify a certificate and key file when required. There is one
-additional option, -tls-on-connect, that causes the client to initiate TLS
-negotiation immediately on connection.
+arguments specify a certificate and key file when required for the connection.
+There are two additional options: -tls-on-connect, that causes the client to
+initiate TLS negociation immediately on connection; -ocsp that causes the TLS
+negotiation to include a certificate-status request. The latter takes a
+filename argument, the CA info for verifying the stapled response.


   client-gnutls [<options>] <ip address> <port> [<outgoing interface>] \
diff --git a/test/aux-fixed/exim-ca/README b/test/aux-fixed/exim-ca/README
new file mode 100644
index 0000000..b8d2a41
--- /dev/null
+++ b/test/aux-fixed/exim-ca/README
@@ -0,0 +1,51 @@
+
+The three directories each contain a complete CA with server signing
+certificate, OCSP signing certificate and a selection of server
+certificates under each domain.
+
+For each directory there are a number of subdirectories.
+
+    CA    - The main certificate signing directory.
+
+        Within this directory the primary file sof interest
+        will be the two CRL files,  crl.empty and crl.v2
+        These are valid CRLs; the "v2" containing the two
+        revoked certs.
+
+    BLANK - a template usable for client-only machines
+        for clients of this private CA.
+
+    *.example.* - individual server certificates.
+
+The six certificate subdirs each contain a cert for a machine
+by that name; those in the "expired" ones are out-of-date (the
+rest expire in 2038).  The "1" and "2" systems/certs have
+equivalent properties.
+
+In each certicate subdir: the ".db" files are NSS version of the cert,
+the ".pem", ".key" and ".unlocked.key" are usable by OpenSSL (the
+ca_chain.pem being a copy of the CA public information and signer
+public information).
+
+The ".p12" file rolls up the CA, Signer and cert info. Both the ".p12"
+and NSS info are passworded using the "pwdfile".
+The ocsp request file is one a client would send to an OCSP responder.
+The ocsp response files are those gotten that way. in .der format;
+"good" being all well, "dated" meaning the response (not the cert)
+is out-of-date, and "revoked" meaning the cert has been revoked.
+
+
+The files were created using the genall script which utilises a
+combination of tools,
+
+    openssl
+    nss-tools
+    clica
+
+of these the only unfamiliar one is likely to be clica, a command
+line CA tool which can be found at
+
+    http://people.redhat.com/mpoole/clica/
+
+
+
diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/CA.pem b/test/aux-fixed/exim-ca/example.com/BLANK/CA.pem
new file mode 100644
index 0000000..d51c5d0
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/BLANK/CA.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
+MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
+mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
+ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/Signer.pem b/test/aux-fixed/exim-ca/example.com/BLANK/Signer.pem
new file mode 100644
index 0000000..fc29ebb
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/BLANK/Signer.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/cert8.db b/test/aux-fixed/exim-ca/example.com/BLANK/cert8.db
new file mode 100644
index 0000000..f82510f
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/BLANK/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/key3.db b/test/aux-fixed/exim-ca/example.com/BLANK/key3.db
new file mode 100644
index 0000000..cb031c0
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/BLANK/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/pwdfile b/test/aux-fixed/exim-ca/example.com/BLANK/pwdfile
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/BLANK/pwdfile
@@ -0,0 +1 @@
+
diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/secmod.db b/test/aux-fixed/exim-ca/example.com/BLANK/secmod.db
new file mode 100644
index 0000000..8a83193
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/BLANK/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/CA/CA.pem b/test/aux-fixed/exim-ca/example.com/CA/CA.pem
new file mode 100644
index 0000000..d51c5d0
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/CA.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
+MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
+mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
+ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/CA/OCSP.key b/test/aux-fixed/exim-ca/example.com/CA/OCSP.key
new file mode 100644
index 0000000..7a361dc
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/OCSP.key
@@ -0,0 +1,14 @@
+Bag Attributes
+    friendlyName: OCSP Signer
+    localKeyID: A6 E7 21 3B BE A3 47 BE 58 6F 34 77 E2 AA D5 22 91 AA 0F D6 
+Key Attributes: <No Attributes>
+-----BEGIN PRIVATE KEY-----
+MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEAuGANFQATQUtX6l1r
+tDa/TimQ722a/2wGSmty/n9Va36t7O9S0Uxi7yQMN11I284FekjzP82THLWv4TJZ
+x7AvywIDAQABAkAhrko1f+IEl4Lj6VT3gtjHqogzdM5PwqgTiDVlkFVGYXp6a8o6
+ySmMofHeEjDgPFI7sz12eQOoofjhjTCnTcJhAiEA3Afe796M2vm5+V6t1ayFhgP0
+9QnSVde6mLvqHFHAKHUCIQDWhAVspNc3bw2PIBqlK2ibANwi9BFurBlATBHhKP3v
+PwIgTiwttKMpABOBU2uj7ypgNgDp4rUemYkPrnv07SLOVpECIAVXhEsQT8uxmETY
+J9G1IwW5H8I/EbAP2REg09EnlCtBAiBgZn9NxSr05na0P+NjyIPQ44Y9L5R9P3PL
+2PceGVDcQw==
+-----END PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/CA/OCSP.p12 b/test/aux-fixed/exim-ca/example.com/CA/OCSP.p12
new file mode 100644
index 0000000..208dc69
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/CA/OCSP.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/CA/OCSP.pem b/test/aux-fixed/exim-ca/example.com/CA/OCSP.pem
new file mode 100644
index 0000000..f78456d
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/OCSP.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBgDCCASqgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMVoXDTM4MDEwMTEyMzQwMVowMjEUMBIGA1UEChMLZXhhbXBsZS5jb20xGjAY
+BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJB
+ALhgDRUAE0FLV+pda7Q2v04pkO9tmv9sBkprcv5/VWt+rezvUtFMYu8kDDddSNvO
+BXpI8z/Nkxy1r+EyWcewL8sCAwEAAaMqMCgwDgYDVR0PAQH/BAQDAgeAMBYGA1Ud
+JQEB/wQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBBQUAA0EAQalK8cinGimBjryO
+q8scOPr7Zkv2RlhnUUTtpPfFKkTne9yXyXxBVDfy8wwPTz7ZTOzMVtPTgFT9g0Kf
+tXze7g==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/CA/Signer.pem b/test/aux-fixed/exim-ca/example.com/CA/Signer.pem
new file mode 100644
index 0000000..fc29ebb
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/Signer.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/CA/ca.conf b/test/aux-fixed/exim-ca/example.com/CA/ca.conf
new file mode 100644
index 0000000..9087589
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/ca.conf
@@ -0,0 +1,18 @@
+; Config::Simple 4.59
+; Thu Nov  1 12:34:00 2012
+
+[CLICA]
+crl_url=http://crl.example.com/latest.crl
+crl_signer=Signing Cert
+level=1
+signer=Signing Cert
+ocsp_signer=OCSP Signer
+ocsp_url=http://oscp/example.com/
+
+[CA]
+org=example.com
+subject=clica CA
+name=Certificate Authority
+bits=512
+
+
diff --git a/test/aux-fixed/exim-ca/example.com/CA/cert8.db b/test/aux-fixed/exim-ca/example.com/CA/cert8.db
new file mode 100644
index 0000000..5ae1201
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/CA/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.empty b/test/aux-fixed/exim-ca/example.com/CA/crl.empty
new file mode 100644
index 0000000..7814b80
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/CA/crl.empty differ
diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.empty.in.txt b/test/aux-fixed/exim-ca/example.com/CA/crl.empty.in.txt
new file mode 100644
index 0000000..250311c
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/crl.empty.in.txt
@@ -0,0 +1 @@
+update=20130127152434Z 
diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.empty.pem b/test/aux-fixed/exim-ca/example.com/CA/crl.empty.pem
new file mode 100644
index 0000000..fdc506d
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/crl.empty.pem
@@ -0,0 +1,6 @@
+-----BEGIN X509 CRL-----
+MIGsMFgCAQEwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5jb20x
+GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxMzAxMjcxNTI0MzRaMA0G
+CSqGSIb3DQEBBQUAA0EAjClqFKe0w0T5ARNSMOSfuDtbOA0iN2yOrUwJfidgQdVQ
+YPW+5TwKhe+Vm6skgHSIWNcuMVzojsuDZcBZnNimPA==
+-----END X509 CRL-----
diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.v2 b/test/aux-fixed/exim-ca/example.com/CA/crl.v2
new file mode 100644
index 0000000..66fb34d
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/CA/crl.v2 differ
diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.v2.in.txt b/test/aux-fixed/exim-ca/example.com/CA/crl.v2.in.txt
new file mode 100644
index 0000000..434045f
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/crl.v2.in.txt
@@ -0,0 +1,3 @@
+update=20130127152437Z 
+addcert 102 20130127152437Z
+addcert 202 20130127152437Z
diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.v2.pem b/test/aux-fixed/exim-ca/example.com/CA/crl.v2.pem
new file mode 100644
index 0000000..da781d7
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/crl.v2.pem
@@ -0,0 +1,7 @@
+-----BEGIN X509 CRL-----
+MIHcMIGHAgEBMA0GCSqGSIb3DQEBBQUAMDMxFDASBgNVBAoTC2V4YW1wbGUuY29t
+MRswGQYDVQQDExJjbGljYSBTaWduaW5nIENlcnQYDzIwMTMwMTI3MTUyNDM3WjAt
+MBQCAWYYDzIwMTMwMTI3MTUyNDM3WjAVAgIAyhgPMjAxMzAxMjcxNTI0MzdaMA0G
+CSqGSIb3DQEBBQUAA0EAS5A0/pStULkfIhBRMt+DfehLBbppc6FftG3TpBMvBW4k
+xGwMPKUN8lk3uMuQxk/cvbaFqPtiR/WnkAFc3i1bpA==
+-----END X509 CRL-----
diff --git a/test/aux-fixed/exim-ca/example.com/CA/index.revoked.txt b/test/aux-fixed/exim-ca/example.com/CA/index.revoked.txt
new file mode 100644
index 0000000..d69d74d
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/index.revoked.txt
@@ -0,0 +1,6 @@
+R    130110200751Z    100201142709Z,superseded    65    unknown    CN=server1.example.com
+R    130110200751Z    100201142709Z,superseded    66    unknown    CN=revoked1.example.com
+R    130110200751Z    100201142709Z,superseded    67    unknown    CN=expired1.example.com
+R    130110200751Z    100201142709Z,superseded    c9    unknown    CN=server2.example.com
+R    130110200751Z    100201142709Z,superseded    ca    unknown    CN=revoked2.example.com
+R    130110200751Z    100201142709Z,superseded    cb    unknown    CN=expired2.example.com
diff --git a/test/aux-fixed/exim-ca/example.com/CA/index.valid.txt b/test/aux-fixed/exim-ca/example.com/CA/index.valid.txt
new file mode 100644
index 0000000..126acf7
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/index.valid.txt
@@ -0,0 +1,6 @@
+V    130110200751Z        65    unknown    CN=server1.example.com
+V    130110200751Z        66    unknown    CN=revoked1.example.com
+V    130110200751Z        67    unknown    CN=expired1.example.com
+V    130110200751Z        c9    unknown    CN=server2.example.com
+V    130110200751Z        ca    unknown    CN=revoked2.example.com
+V    130110200751Z        cb    unknown    CN=expired2.example.com
diff --git a/test/aux-fixed/exim-ca/example.com/CA/key3.db b/test/aux-fixed/exim-ca/example.com/CA/key3.db
new file mode 100644
index 0000000..30718a9
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/CA/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/CA/noise.file b/test/aux-fixed/exim-ca/example.com/CA/noise.file
new file mode 100644
index 0000000..0003cbb
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/noise.file
@@ -0,0 +1,342 @@
+processor    : 0
+vendor_id    : GenuineIntel
+cpu family    : 6
+model        : 26
+model name    : Intel(R) Xeon(R) CPU           E5520  @ 2.27GHz
+stepping    : 5
+cpu MHz        : 2260.628
+cache size    : 8192 KB
+fpu        : yes
+fpu_exception    : yes
+cpuid level    : 11
+wp        : yes
+flags        : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts
+bogomips    : 4521.25
+clflush size    : 64
+cache_alignment    : 64
+address sizes    : 40 bits physical, 48 bits virtual
+power management:
+
+processor    : 1
+vendor_id    : GenuineIntel
+cpu family    : 6
+model        : 26
+model name    : Intel(R) Xeon(R) CPU           E5520  @ 2.27GHz
+stepping    : 5
+cpu MHz        : 2260.628
+cache size    : 8192 KB
+fpu        : yes
+fpu_exception    : yes
+cpuid level    : 11
+wp        : yes
+flags        : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts
+bogomips    : 4521.25
+clflush size    : 64
+cache_alignment    : 64
+address sizes    : 40 bits physical, 48 bits virtual
+power management:
+
+           CPU0       CPU1       
+  0:       2481          0   IO-APIC-edge      timer
+  1:      21441        346   IO-APIC-edge      i8042
+  3:          1          0   IO-APIC-edge    
+  4:          1          0   IO-APIC-edge    
+  7:          0          0   IO-APIC-edge      parport0
+  8:          1          0   IO-APIC-edge      rtc0
+  9:          0          0   IO-APIC-fasteoi   acpi
+ 12:      78986       1718   IO-APIC-edge      i8042
+ 14:          0          0   IO-APIC-edge      ata_piix
+ 15:    2423330       1435   IO-APIC-edge      ata_piix
+ 16:       1025          0   IO-APIC-fasteoi   Ensoniq AudioPCI
+ 17:     239842       2559   IO-APIC-fasteoi   ehci_hcd:usb1, ioc0
+ 18:        246          0   IO-APIC-fasteoi   uhci_hcd:usb2
+ 19:    1868676      51479   IO-APIC-fasteoi   eth0
+ 24:          0          0   PCI-MSI-edge      pciehp
+ 25:          0          0   PCI-MSI-edge      pciehp
+ 26:          0          0   PCI-MSI-edge      pciehp
+ 27:          0          0   PCI-MSI-edge      pciehp
+ 28:          0          0   PCI-MSI-edge      pciehp
+ 29:          0          0   PCI-MSI-edge      pciehp
+ 30:          0          0   PCI-MSI-edge      pciehp
+ 31:          0          0   PCI-MSI-edge      pciehp
+ 32:          0          0   PCI-MSI-edge      pciehp
+ 33:          0          0   PCI-MSI-edge      pciehp
+ 34:          0          0   PCI-MSI-edge      pciehp
+ 35:          0          0   PCI-MSI-edge      pciehp
+ 36:          0          0   PCI-MSI-edge      pciehp
+ 37:          0          0   PCI-MSI-edge      pciehp
+ 38:          0          0   PCI-MSI-edge      pciehp
+ 39:          0          0   PCI-MSI-edge      pciehp
+ 40:          0          0   PCI-MSI-edge      pciehp
+ 41:          0          0   PCI-MSI-edge      pciehp
+ 42:          0          0   PCI-MSI-edge      pciehp
+ 43:          0          0   PCI-MSI-edge      pciehp
+ 44:          0          0   PCI-MSI-edge      pciehp
+ 45:          0          0   PCI-MSI-edge      pciehp
+ 46:          0          0   PCI-MSI-edge      pciehp
+ 47:          0          0   PCI-MSI-edge      pciehp
+ 48:          0          0   PCI-MSI-edge      pciehp
+ 49:          0          0   PCI-MSI-edge      pciehp
+ 50:          0          0   PCI-MSI-edge      pciehp
+ 51:          0          0   PCI-MSI-edge      pciehp
+ 52:          0          0   PCI-MSI-edge      pciehp
+ 53:          0          0   PCI-MSI-edge      pciehp
+ 54:          0          0   PCI-MSI-edge      pciehp
+ 55:          0          0   PCI-MSI-edge      pciehp
+ 56:          1          0   PCI-MSI-edge      vmci
+ 57:          0          0   PCI-MSI-edge      vmci
+NMI:          0          0   Non-maskable interrupts
+LOC:   12397935   14240444   Local timer interrupts
+SPU:          0          0   Spurious interrupts
+PMI:          0          0   Performance monitoring interrupts
+IWI:          0          0   IRQ work interrupts
+RES:     282548     308972   Rescheduling interrupts
+CAL:       1955     163540   Function call interrupts
+TLB:      17884      15542   TLB shootdowns
+TRM:          0          0   Thermal event interrupts
+THR:          0          0   Threshold APIC interrupts
+MCE:          0          0   Machine check exceptions
+MCP:       2310       2310   Machine check polls
+ERR:          0
+MIS:          0
+MemTotal:        1914844 kB
+MemFree:          135496 kB
+Buffers:          142048 kB
+Cached:           951840 kB
+SwapCached:          108 kB
+Active:           980724 kB
+Inactive:         540136 kB
+Active(anon):     287056 kB
+Inactive(anon):   143480 kB
+Active(file):     693668 kB
+Inactive(file):   396656 kB
+Unevictable:           0 kB
+Mlocked:               0 kB
+SwapTotal:       4194296 kB
+SwapFree:        4193560 kB
+Dirty:               928 kB
+Writeback:             0 kB
+AnonPages:        427064 kB
+Mapped:            70976 kB
+Shmem:              3400 kB
+Slab:             190892 kB
+SReclaimable:     125404 kB
+SUnreclaim:        65488 kB
+KernelStack:        2304 kB
+PageTables:        23476 kB
+NFS_Unstable:          0 kB
+Bounce:                0 kB
+WritebackTmp:          0 kB
+CommitLimit:     5151716 kB
+Committed_AS:     973184 kB
+VmallocTotal:   34359738367 kB
+VmallocUsed:      280772 kB
+VmallocChunk:   34359441168 kB
+HardwareCorrupted:     0 kB
+AnonHugePages:    249856 kB
+HugePages_Total:       0
+HugePages_Free:        0
+HugePages_Rsvd:        0
+HugePages_Surp:        0
+Hugepagesize:       2048 kB
+DirectMap4k:        8192 kB
+DirectMap2M:     2088960 kB
+slabinfo - version: 2.1
+# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
+bridge_fdb_cache       0      0     64   59    1 : tunables  120   60    8 : slabdata      0      0      0
+fuse_request           0      0    632    6    1 : tunables   54   27    8 : slabdata      0      0      0
+fuse_inode             0      0    768    5    1 : tunables   54   27    8 : slabdata      0      0      0
+rpc_buffers            8      8   2048    2    1 : tunables   24   12    8 : slabdata      4      4      0
+rpc_tasks              8     15    256   15    1 : tunables  120   60    8 : slabdata      1      1      0
+rpc_inode_cache        8      8    832    4    1 : tunables   54   27    8 : slabdata      2      2      0
+hgfsInodeCache         1      6    640    6    1 : tunables   54   27    8 : slabdata      1      1      0
+AF_VMCI                0      0   1024    4    1 : tunables   54   27    8 : slabdata      0      0      0
+nf_conntrack_expect      0      0    240   16    1 : tunables  120   60    8 : slabdata      0      0      0
+nf_conntrack_ffffffff8200cec0     22     26    304   13    1 : tunables   54   27    8 : slabdata      2      2      0
+fib6_nodes            22     59     64   59    1 : tunables  120   60    8 : slabdata      1      1      0
+ip6_dst_cache         13     30    384   10    1 : tunables   54   27    8 : slabdata      3      3      0
+ndisc_cache            1     15    256   15    1 : tunables  120   60    8 : slabdata      1      1      0
+ip6_mrt_cache          0      0    128   30    1 : tunables  120   60    8 : slabdata      0      0      0
+RAWv6                 67     68   1024    4    1 : tunables   54   27    8 : slabdata     17     17      0
+UDPLITEv6              0      0   1024    4    1 : tunables   54   27    8 : slabdata      0      0      0
+UDPv6                  4      4   1024    4    1 : tunables   54   27    8 : slabdata      1      1      0
+tw_sock_TCPv6          0      0    320   12    1 : tunables   54   27    8 : slabdata      0      0      0
+request_sock_TCPv6      0      0    192   20    1 : tunables  120   60    8 : slabdata      0      0      0
+TCPv6                  9     10   1856    2    1 : tunables   24   12    8 : slabdata      5      5      0
+jbd2_1k                0      0   1024    4    1 : tunables   54   27    8 : slabdata      0      0      0
+avtab_node        502203 502416     24  144    1 : tunables  120   60    8 : slabdata   3489   3489      0
+ext4_inode_cache   74762  74820   1024    4    1 : tunables   54   27    8 : slabdata  18705  18705      0
+ext4_xattr             9     44     88   44    1 : tunables  120   60    8 : slabdata      1      1      0
+ext4_free_block_extents     32     67     56   67    1 : tunables  120   60    8 : slabdata      1      1      0
+ext4_alloc_context     28     28    136   28    1 : tunables  120   60    8 : slabdata      1      1      0
+ext4_prealloc_space     18     37    104   37    1 : tunables  120   60    8 : slabdata      1      1      0
+ext4_system_zone       0      0     40   92    1 : tunables  120   60    8 : slabdata      0      0      0
+jbd2_journal_handle     32    144     24  144    1 : tunables  120   60    8 : slabdata      1      1      0
+jbd2_journal_head     74    102    112   34    1 : tunables  120   60    8 : slabdata      3      3      0
+jbd2_revoke_table      4    202     16  202    1 : tunables  120   60    8 : slabdata      1      1      0
+jbd2_revoke_record      0      0     32  112    1 : tunables  120   60    8 : slabdata      0      0      0
+dm_crypt_io           50     50    152   25    1 : tunables  120   60    8 : slabdata      2      2      0
+sd_ext_cdb             2    112     32  112    1 : tunables  120   60    8 : slabdata      1      1      0
+scsi_sense_cache      25     60    128   30    1 : tunables  120   60    8 : slabdata      2      2      0
+scsi_cmd_cache        28     45    256   15    1 : tunables  120   60    8 : slabdata      3      3      0
+dm_raid1_read_record      0      0   1064    7    2 : tunables   24   12    8 : slabdata      0      0      0
+kcopyd_job             0      0   3240    2    2 : tunables   24   12    8 : slabdata      0      0      0
+io                     0      0     64   59    1 : tunables  120   60    8 : slabdata      0      0      0
+dm_uevent              0      0   2608    3    2 : tunables   24   12    8 : slabdata      0      0      0
+dm_rq_clone_bio_info      0      0     16  202    1 : tunables  120   60    8 : slabdata      0      0      0
+dm_rq_target_io        0      0    392   10    1 : tunables   54   27    8 : slabdata      0      0      0
+dm_target_io         844    864     24  144    1 : tunables  120   60    8 : slabdata      6      6      0
+dm_io                828    828     40   92    1 : tunables  120   60    8 : slabdata      9      9      0
+flow_cache             0      0     96   40    1 : tunables  120   60    8 : slabdata      0      0      0
+uhci_urb_priv          6     67     56   67    1 : tunables  120   60    8 : slabdata      1      1      0
+cfq_io_context         4     28    136   28    1 : tunables  120   60    8 : slabdata      1      1      0
+cfq_queue              5     16    240   16    1 : tunables  120   60    8 : slabdata      1      1      0
+bsg_cmd                0      0    312   12    1 : tunables   54   27    8 : slabdata      0      0      0
+mqueue_inode_cache      1      4    896    4    1 : tunables   54   27    8 : slabdata      1      1      0
+isofs_inode_cache      0      0    640    6    1 : tunables   54   27    8 : slabdata      0      0      0
+hugetlbfs_inode_cache      1      6    608    6    1 : tunables   54   27    8 : slabdata      1      1      0
+dquot                  0      0    256   15    1 : tunables  120   60    8 : slabdata      0      0      0
+kioctx                 0      0    384   10    1 : tunables   54   27    8 : slabdata      0      0      0
+kiocb                  0      0    256   15    1 : tunables  120   60    8 : slabdata      0      0      0
+inotify_event_private_data      0      0     32  112    1 : tunables  120   60    8 : slabdata      0      0      0
+inotify_inode_mark_entry    186    204    112   34    1 : tunables  120   60    8 : slabdata      6      6      0
+dnotify_mark_entry      1     34    112   34    1 : tunables  120   60    8 : slabdata      1      1      0
+dnotify_struct         1    112     32  112    1 : tunables  120   60    8 : slabdata      1      1      0
+fasync_cache           6    144     24  144    1 : tunables  120   60    8 : slabdata      1      1      0
+khugepaged_mm_slot     83     92     40   92    1 : tunables  120   60    8 : slabdata      1      1      0
+ksm_mm_slot            0      0     48   77    1 : tunables  120   60    8 : slabdata      0      0      0
+ksm_stable_node        0      0     40   92    1 : tunables  120   60    8 : slabdata      0      0      0
+ksm_rmap_item          0      0     64   59    1 : tunables  120   60    8 : slabdata      0      0      0
+utrace_engine          0      0     56   67    1 : tunables  120   60    8 : slabdata      0      0      0
+utrace                 0      0     64   59    1 : tunables  120   60    8 : slabdata      0      0      0
+pid_namespace          0      0   2120    3    2 : tunables   24   12    8 : slabdata      0      0      0
+nsproxy                0      0     48   77    1 : tunables  120   60    8 : slabdata      0      0      0
+posix_timers_cache      0      0    176   22    1 : tunables  120   60    8 : slabdata      0      0      0
+uid_cache             10     60    128   30    1 : tunables  120   60    8 : slabdata      2      2      0
+UNIX                 459    480    768    5    1 : tunables   54   27    8 : slabdata     96     96      0
+ip_mrt_cache           0      0    128   30    1 : tunables  120   60    8 : slabdata      0      0      0
+UDP-Lite               0      0    832    9    2 : tunables   54   27    8 : slabdata      0      0      0
+tcp_bind_bucket       15     59     64   59    1 : tunables  120   60    8 : slabdata      1      1      0
+inet_peer_cache        4     59     64   59    1 : tunables  120   60    8 : slabdata      1      1      0
+secpath_cache          0      0     64   59    1 : tunables  120   60    8 : slabdata      0      0      0
+xfrm_dst_cache         0      0    384   10    1 : tunables   54   27    8 : slabdata      0      0      0
+ip_fib_alias           0      0     32  112    1 : tunables  120   60    8 : slabdata      0      0      0
+ip_fib_hash           10    106     72   53    1 : tunables  120   60    8 : slabdata      2      2      0
+ip_dst_cache          29     50    384   10    1 : tunables   54   27    8 : slabdata      5      5      0
+arp_cache              4     15    256   15    1 : tunables  120   60    8 : slabdata      1      1      0
+RAW                   65     72    832    9    2 : tunables   54   27    8 : slabdata      8      8      0
+UDP                    6     18    832    9    2 : tunables   54   27    8 : slabdata      2      2      0
+tw_sock_TCP            0      0    256   15    1 : tunables  120   60    8 : slabdata      0      0      0
+request_sock_TCP       0      0    192   20    1 : tunables  120   60    8 : slabdata      0      0      0
+TCP                   20     24   1664    4    2 : tunables   24   12    8 : slabdata      6      6      0
+eventpoll_pwq        126    212     72   53    1 : tunables  120   60    8 : slabdata      4      4      0
+eventpoll_epi        126    180    128   30    1 : tunables  120   60    8 : slabdata      6      6      0
+sgpool-128             2      2   4096    1    1 : tunables   24   12    8 : slabdata      2      2      0
+sgpool-64              2      2   2048    2    1 : tunables   24   12    8 : slabdata      1      1      0
+sgpool-32              2      4   1024    4    1 : tunables   54   27    8 : slabdata      1      1      0
+sgpool-16              2      8    512    8    1 : tunables   54   27    8 : slabdata      1      1      0
+sgpool-8              15     15    256   15    1 : tunables  120   60    8 : slabdata      1      1      0
+scsi_data_buffer       0      0     24  144    1 : tunables  120   60    8 : slabdata      0      0      0
+blkdev_integrity       0      0    112   34    1 : tunables  120   60    8 : slabdata      0      0      0
+blkdev_queue          29     30   2856    2    2 : tunables   24   12    8 : slabdata     15     15      0
+blkdev_requests       42     66    352   11    1 : tunables   54   27    8 : slabdata      5      6      0
+blkdev_ioc             5     48     80   48    1 : tunables  120   60    8 : slabdata      1      1      0
+fsnotify_event_holder      0      0     24  144    1 : tunables  120   60    8 : slabdata      0      0      0
+fsnotify_event         0      0    104   37    1 : tunables  120   60    8 : slabdata      0      0      0
+bio-0                180    180    192   20    1 : tunables  120   60    8 : slabdata      9      9      0
+biovec-256            66     66   4096    1    1 : tunables   24   12    8 : slabdata     66     66      0
+biovec-128             0      0   2048    2    1 : tunables   24   12    8 : slabdata      0      0      0
+biovec-64              0      0   1024    4    1 : tunables   54   27    8 : slabdata      0      0      0
+biovec-16              0      0    256   15    1 : tunables  120   60    8 : slabdata      0      0      0
+bip-256                2      2   4224    1    2 : tunables    8    4    0 : slabdata      2      2      0
+bip-128                0      0   2176    3    2 : tunables   24   12    8 : slabdata      0      0      0
+bip-64                 0      0   1152    7    2 : tunables   24   12    8 : slabdata      0      0      0
+bip-16                 0      0    384   10    1 : tunables   54   27    8 : slabdata      0      0      0
+bip-4                  0      0    192   20    1 : tunables  120   60    8 : slabdata      0      0      0
+bip-1                  0      0    128   30    1 : tunables  120   60    8 : slabdata      0      0      0
+sock_inode_cache     667    685    704    5    1 : tunables   54   27    8 : slabdata    137    137      0
+skbuff_fclone_cache      7      7    512    7    1 : tunables   54   27    8 : slabdata      1      1      0
+skbuff_head_cache    302    450    256   15    1 : tunables  120   60    8 : slabdata     30     30      0
+file_lock_cache       38     44    176   22    1 : tunables  120   60    8 : slabdata      2      2      0
+net_namespace          0      0   2112    3    2 : tunables   24   12    8 : slabdata      0      0      0
+shmem_inode_cache    774    775    800    5    1 : tunables   54   27    8 : slabdata    155    155      0
+Acpi-Operand        4563   4664     72   53    1 : tunables  120   60    8 : slabdata     88     88      0
+Acpi-ParseExt          0      0     72   53    1 : tunables  120   60    8 : slabdata      0      0      0
+Acpi-Parse             0      0     48   77    1 : tunables  120   60    8 : slabdata      0      0      0
+Acpi-State             0      0     80   48    1 : tunables  120   60    8 : slabdata      0      0      0
+Acpi-Namespace      3311   3312     40   92    1 : tunables  120   60    8 : slabdata     36     36      0
+task_delay_info      332    340    112   34    1 : tunables  120   60    8 : slabdata     10     10      0
+taskstats              5     12    328   12    1 : tunables   54   27    8 : slabdata      1      1      0
+proc_inode_cache    1008   1008    640    6    1 : tunables   54   27    8 : slabdata    168    168      0
+sigqueue              35     48    160   24    1 : tunables  120   60    8 : slabdata      2      2      0
+bdev_cache            32     36    832    4    1 : tunables   54   27    8 : slabdata      9      9      0
+sysfs_dir_cache    11356  11367    144   27    1 : tunables  120   60    8 : slabdata    421    421      0
+mnt_cache             37     45    256   15    1 : tunables  120   60    8 : slabdata      3      3      0
+filp                4614   4700    192   20    1 : tunables  120   60    8 : slabdata    235    235     60
+inode_cache         6883   7308    592    6    1 : tunables   54   27    8 : slabdata   1218   1218      0
+dentry             61000  63960    192   20    1 : tunables  120   60    8 : slabdata   3198   3198      0
+names_cache           26     26   4096    1    1 : tunables   24   12    8 : slabdata     26     26      0
+avc_node             518   1239     64   59    1 : tunables  120   60    8 : slabdata     21     21      0
+selinux_inode_security  84086  86072     72   53    1 : tunables  120   60    8 : slabdata   1624   1624      0
+radix_tree_node    11552  11781    560    7    1 : tunables   54   27    8 : slabdata   1683   1683      0
+key_jar               11     20    192   20    1 : tunables  120   60    8 : slabdata      1      1      0
+buffer_head       220986 230214    104   37    1 : tunables  120   60    8 : slabdata   6222   6222      0
+vm_area_struct     12932  13034    200   19    1 : tunables  120   60    8 : slabdata    686    686     60
+mm_struct            145    145   1408    5    2 : tunables   24   12    8 : slabdata     29     29      0
+fs_cache             137    177     64   59    1 : tunables  120   60    8 : slabdata      3      3      0
+files_cache          162    165    704   11    2 : tunables   54   27    8 : slabdata     15     15      0
+signal_cache         204    204   1024    4    1 : tunables   54   27    8 : slabdata     51     51      0
+sighand_cache        195    195   2112    3    2 : tunables   24   12    8 : slabdata     65     65      0
+task_xstate          232    232    512    8    1 : tunables   54   27    8 : slabdata     29     29      0
+task_struct          303    303   2656    3    2 : tunables   24   12    8 : slabdata    101    101      0
+cred_jar             580    580    192   20    1 : tunables  120   60    8 : slabdata     29     29      0
+anon_vma_chain      7844   8162     48   77    1 : tunables  120   60    8 : slabdata    106    106     60
+anon_vma            5773   5888     40   92    1 : tunables  120   60    8 : slabdata     64     64     60
+pid                  322    330    128   30    1 : tunables  120   60    8 : slabdata     11     11      0
+shared_policy_node      0      0     48   77    1 : tunables  120   60    8 : slabdata      0      0      0
+numa_policy            1     28    136   28    1 : tunables  120   60    8 : slabdata      1      1      0
+idr_layer_cache      428    434    544    7    1 : tunables   54   27    8 : slabdata     62     62      0
+size-4194304(DMA)      0      0 4194304    1 1024 : tunables    1    1    0 : slabdata      0      0      0
+size-4194304           0      0 4194304    1 1024 : tunables    1    1    0 : slabdata      0      0      0
+size-2097152(DMA)      0      0 2097152    1  512 : tunables    1    1    0 : slabdata      0      0      0
+size-2097152           0      0 2097152    1  512 : tunables    1    1    0 : slabdata      0      0      0
+size-1048576(DMA)      0      0 1048576    1  256 : tunables    1    1    0 : slabdata      0      0      0
+size-1048576           0      0 1048576    1  256 : tunables    1    1    0 : slabdata      0      0      0
+size-524288(DMA)       0      0 524288    1  128 : tunables    1    1    0 : slabdata      0      0      0
+size-524288            0      0 524288    1  128 : tunables    1    1    0 : slabdata      0      0      0
+size-262144(DMA)       0      0 262144    1   64 : tunables    1    1    0 : slabdata      0      0      0
+size-262144            0      0 262144    1   64 : tunables    1    1    0 : slabdata      0      0      0
+size-131072(DMA)       0      0 131072    1   32 : tunables    8    4    0 : slabdata      0      0      0
+size-131072            1      1 131072    1   32 : tunables    8    4    0 : slabdata      1      1      0
+size-65536(DMA)        0      0  65536    1   16 : tunables    8    4    0 : slabdata      0      0      0
+size-65536             2      2  65536    1   16 : tunables    8    4    0 : slabdata      2      2      0
+size-32768(DMA)        0      0  32768    1    8 : tunables    8    4    0 : slabdata      0      0      0
+size-32768             3      3  32768    1    8 : tunables    8    4    0 : slabdata      3      3      0
+size-16384(DMA)        0      0  16384    1    4 : tunables    8    4    0 : slabdata      0      0      0
+size-16384            11     11  16384    1    4 : tunables    8    4    0 : slabdata     11     11      0
+size-8192(DMA)         0      0   8192    1    2 : tunables    8    4    0 : slabdata      0      0      0
+size-8192             27     27   8192    1    2 : tunables    8    4    0 : slabdata     27     27      0
+size-4096(DMA)         0      0   4096    1    1 : tunables   24   12    8 : slabdata      0      0      0
+size-4096            425    425   4096    1    1 : tunables   24   12    8 : slabdata    425    425      0
+size-2048(DMA)         0      0   2048    2    1 : tunables   24   12    8 : slabdata      0      0      0
+size-2048            578    578   2048    2    1 : tunables   24   12    8 : slabdata    289    289      0
+size-1024(DMA)         0      0   1024    4    1 : tunables   54   27    8 : slabdata      0      0      0
+size-1024           1304   1304   1024    4    1 : tunables   54   27    8 : slabdata    326    326      0
+size-512(DMA)          0      0    512    8    1 : tunables   54   27    8 : slabdata      0      0      0
+size-512            1123   1176    512    8    1 : tunables   54   27    8 : slabdata    147    147      0
+size-256(DMA)          0      0    256   15    1 : tunables  120   60    8 : slabdata      0      0      0
+size-256             870    870    256   15    1 : tunables  120   60    8 : slabdata     58     58      0
+size-192(DMA)          0      0    192   20    1 : tunables  120   60    8 : slabdata      0      0      0
+size-192            2119   2160    192   20    1 : tunables  120   60    8 : slabdata    108    108      0
+size-128(DMA)          0      0    128   30    1 : tunables  120   60    8 : slabdata      0      0      0
+size-64(DMA)           0      0     64   59    1 : tunables  120   60    8 : slabdata      0      0      0
+size-64            33003  40887     64   59    1 : tunables  120   60    8 : slabdata    693    693      0
+size-32(DMA)           0      0     32  112    1 : tunables  120   60    8 : slabdata      0      0      0
+size-128            3921   4800    128   30    1 : tunables  120   60    8 : slabdata    160    160      0
+size-32           332359 332976     32  112    1 : tunables  120   60    8 : slabdata   2973   2973      0
+kmem_cache           191    191  32896    1   16 : tunables    8    4    0 : slabdata    191    191      0
+Inter-|   Receive                                                |  Transmit
+ face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
+    lo:267102759  105357    0    0    0     0          0         0 267102759  105357    0    0    0     0       0          0
+  eth0:1013756074 1354469    0    0    0     0          0         0 245526499  966773    0    0    0     0       0          0
+  pan0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
diff --git a/test/aux-fixed/exim-ca/example.com/CA/pwdfile b/test/aux-fixed/exim-ca/example.com/CA/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/CA/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.com/CA/secmod.db b/test/aux-fixed/exim-ca/example.com/CA/secmod.db
new file mode 100644
index 0000000..c7f115b
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/CA/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/expired1.example.com/ca_chain.pem
new file mode 100644
index 0000000..f8f9275
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+    friendlyName: Signing Cert
+subject=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority
+subject=/O=example.com/CN=clica CA
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
+MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
+mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
+ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: expired1.example.com
+    localKeyID: C3 70 0A 4C 75 DB 50 B7 1F 67 60 9C DC AD 17 A3 C0 65 5F FF 
+subject=/CN=expired1.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMVoXDTEyMTIwMTEyMzQwMVowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
+ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuhbGp8Jqy4UZdYGiPLl+q1m4
+dBdrY6689kqn5x5FUZ4PNl9ty9+mnC2Dx5WiYbrOybQZViM9lAIvGRI1GKsHdwID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
+bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAkrXPLW+etluRGUilUcMsAWEZJ8Syu317
+kXvPuyjNVz3+lGo/4hzhehSusTzy4+22UgsBmgZpjG+uI8tNRmDnAQ==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/expired1.example.com/cert8.db
new file mode 100644
index 0000000..29784ae
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.chain.pem
new file mode 100644
index 0000000..fe5dcdf
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+    friendlyName: expired1.example.com
+    localKeyID: C3 70 0A 4C 75 DB 50 B7 1F 67 60 9C DC AD 17 A3 C0 65 5F FF 
+subject=/CN=expired1.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMVoXDTEyMTIwMTEyMzQwMVowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
+ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuhbGp8Jqy4UZdYGiPLl+q1m4
+dBdrY6689kqn5x5FUZ4PNl9ty9+mnC2Dx5WiYbrOybQZViM9lAIvGRI1GKsHdwID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
+bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAkrXPLW+etluRGUilUcMsAWEZJ8Syu317
+kXvPuyjNVz3+lGo/4hzhehSusTzy4+22UgsBmgZpjG+uI8tNRmDnAQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.key b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.key
new file mode 100644
index 0000000..ecfb0cb
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.key
@@ -0,0 +1,15 @@
+Bag Attributes
+    friendlyName: expired1.example.com
+    localKeyID: C3 70 0A 4C 75 DB 50 B7 1F 67 60 9C DC AD 17 A3 C0 65 5F FF 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQINZM2aHxF3EcCAggA
+MBQGCCqGSIb3DQMHBAjc9XMhJPg/ZwSCAVicoTPaeGXGPJyPdhflErlI9EWbj0PH
+bv8AchovLDfYq1Q4EJzkUG1XyelHNha+BS/zFxCcmtpdQtXedL/SdXsOyM99wdJH
+tjpJyWxM3bysqDUdhv2g11KTG0M9L7RBtKmbQq0zcHf9oTZbABKSe4EzX6a9khJY
+5bRVBSQPNtj3/5aAr0BOQQnythh0880FcYmvbFmZQNR12Cexc0+X0/aTaQ/LhM1y
+8GlRBFXGACP+mrY4RfEk/EatcGmqn4JCVASF7Z7zu7JKsEskLDArF9nvVh2xN22n
+DugUfQDRPph4ug2MyUcKNSZzGs+khWmS2TgPgUV0gr1tqS4Sqo+59NuZInyGSMRn
+FeiFTSYcd+zmxinF20MCs+Y6fFasErs6/zdK5oeV8pMlTCX0/yky9Ye4kfth2oHl
+UV+Rfe2Bo40wn6QkxuptagYdoDTJrMUCH9WL/ODRn4IA1Q==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.dated.resp
new file mode 100644
index 0000000..d7ba631
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.good.resp
new file mode 100644
index 0000000..3714a90
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.req
new file mode 100644
index 0000000..37b83a6
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.revoked.resp
new file mode 100644
index 0000000..4a25940
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.p12 b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.p12
new file mode 100644
index 0000000..488e3e5
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.pem b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.pem
new file mode 100644
index 0000000..d30bbe0
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+    friendlyName: expired1.example.com
+    localKeyID: C3 70 0A 4C 75 DB 50 B7 1F 67 60 9C DC AD 17 A3 C0 65 5F FF 
+subject=/CN=expired1.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMVoXDTEyMTIwMTEyMzQwMVowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
+ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuhbGp8Jqy4UZdYGiPLl+q1m4
+dBdrY6689kqn5x5FUZ4PNl9ty9+mnC2Dx5WiYbrOybQZViM9lAIvGRI1GKsHdwID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
+bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAkrXPLW+etluRGUilUcMsAWEZJ8Syu317
+kXvPuyjNVz3+lGo/4hzhehSusTzy4+22UgsBmgZpjG+uI8tNRmDnAQ==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.unlocked.key
new file mode 100644
index 0000000..9754e14
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOQIBAAJBALoWxqfCasuFGXWBojy5fqtZuHQXa2OuvPZKp+ceRVGeDzZfbcvf
+ppwtg8eVomG6zsm0GVYjPZQCLxkSNRirB3cCAwEAAQJAbb0wuY21XP/I27ru6dCa
+GoJ2fD+zXL2XQccU7P608kO6R9g73lx48QT21OGvLkKGA4J2U3qqvqJWKP580o3X
+gQIhAN8A4PM0w3cLBnibnQcr+5TfhSUye/4AQcaqUQBnjQW5AiEA1Z+eWtugFdR3
+D6ntc4UdyXsO1DMDn6QyuyEyrJqUDq8CIGGfrtqJVLB+gRy3cuy60m3/0/fOu/0b
++6+Oy9sTeebxAiBK7m5RWHBSt+/7YpOTzcGhBrUw4aQHv0S8Nuzbdm0wqQIgYW0B
+7KVyChX6OpKifrdrSK3Jp3iXP9pgNunxGNj1QbM=
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/expired1.example.com/key3.db
new file mode 100644
index 0000000..706f876
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/pwdfile b/test/aux-fixed/exim-ca/example.com/expired1.example.com/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/secmod.db b/test/aux-fixed/exim-ca/example.com/expired1.example.com/secmod.db
new file mode 100644
index 0000000..db5dae7
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/expired2.example.com/ca_chain.pem
new file mode 100644
index 0000000..cb3f975
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+    friendlyName: Signing Cert
+subject=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority
+subject=/O=example.com/CN=clica CA
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
+MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
+mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
+ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: expired2.example.com
+    localKeyID: 00 5E 8C 89 32 69 66 73 D9 E7 D3 9C E8 6A 72 27 1D C2 65 87 
+subject=/CN=expired2.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDJaFw0xMjEyMDExMjM0MDJaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
+bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANs6ryDCjUepqaS5l0ZmpJ3m
+bU0/nDE43cIfDCU+70Jjvf4rxfiQu1N1iiTO2IdRcxai/STBGxpaJRvo/G5l778C
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
+cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBABTJbEBMPo/NbiMz+shKPbN+T+oAoneT
+mb1n+3cM5I3RGkkzF8mYDyamimNn+T8GKWdVkiM/Jov1kv+KY5Twg+U=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/expired2.example.com/cert8.db
new file mode 100644
index 0000000..1f5daa2
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.chain.pem
new file mode 100644
index 0000000..153025b
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+    friendlyName: expired2.example.com
+    localKeyID: 00 5E 8C 89 32 69 66 73 D9 E7 D3 9C E8 6A 72 27 1D C2 65 87 
+subject=/CN=expired2.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDJaFw0xMjEyMDExMjM0MDJaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
+bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANs6ryDCjUepqaS5l0ZmpJ3m
+bU0/nDE43cIfDCU+70Jjvf4rxfiQu1N1iiTO2IdRcxai/STBGxpaJRvo/G5l778C
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
+cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBABTJbEBMPo/NbiMz+shKPbN+T+oAoneT
+mb1n+3cM5I3RGkkzF8mYDyamimNn+T8GKWdVkiM/Jov1kv+KY5Twg+U=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.key b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.key
new file mode 100644
index 0000000..4390919
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.key
@@ -0,0 +1,15 @@
+Bag Attributes
+    friendlyName: expired2.example.com
+    localKeyID: 00 5E 8C 89 32 69 66 73 D9 E7 D3 9C E8 6A 72 27 1D C2 65 87 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI0nrN9i220lwCAggA
+MBQGCCqGSIb3DQMHBAjYbPQkuir8nQSCAWANYVbKcEW9iaRzdj6AmMMZw4wnklZI
+rR+R/Eaz92xDWHLv9Qo03JK2OoGgkhE3QvyNxP7Sm69hgErN202M1s7CW66HAt60
+T0XmvbZoXYkn3iPzi6Txi1GQnzo7gfd1S0phD/4q+Tq38nRzJjvHjsL1ebjiFZ2y
+t5cF+gW7+3LEKT/s0K/WpS6QKTgl/W5iV09Tix1eOPckv7z4Cs2fiurohPocUTFa
+B/hdKTun4MwmcchFrgjRda+jz/P42xtgaSmhIETD+C3jnbdEZWFY4xYijyffEUR0
+gUHKH6UPxqoJyeL8ziQmz2jc4j1glnedslHjS+fKlLCU1QKYbhgCcRB4tqILxd9M
+e3/QQksgTFZtGymqPuwPMngcR2Om+E3f0UJnCXcaINJp971l971H/yhieYjxQua4
+8NNKVdz6EzYa/46Gv77Nu7+OQ0zGhMowpjGS4kTE9qOQ3udrdL2kFYJm
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.dated.resp
new file mode 100644
index 0000000..5690dfa
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.good.resp
new file mode 100644
index 0000000..db5b8e0
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.req
new file mode 100644
index 0000000..0242fc4
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.revoked.resp
new file mode 100644
index 0000000..db5b8e0
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.p12 b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.p12
new file mode 100644
index 0000000..d8327d3
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.pem b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.pem
new file mode 100644
index 0000000..91a46f9
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+    friendlyName: expired2.example.com
+    localKeyID: 00 5E 8C 89 32 69 66 73 D9 E7 D3 9C E8 6A 72 27 1D C2 65 87 
+subject=/CN=expired2.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDJaFw0xMjEyMDExMjM0MDJaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
+bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANs6ryDCjUepqaS5l0ZmpJ3m
+bU0/nDE43cIfDCU+70Jjvf4rxfiQu1N1iiTO2IdRcxai/STBGxpaJRvo/G5l778C
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
+cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBABTJbEBMPo/NbiMz+shKPbN+T+oAoneT
+mb1n+3cM5I3RGkkzF8mYDyamimNn+T8GKWdVkiM/Jov1kv+KY5Twg+U=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.unlocked.key
new file mode 100644
index 0000000..cc0620b
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBANs6ryDCjUepqaS5l0ZmpJ3mbU0/nDE43cIfDCU+70Jjvf4rxfiQ
+u1N1iiTO2IdRcxai/STBGxpaJRvo/G5l778CAwEAAQJAads7RulKSMkuxgBrgC39
+3NSwAHXvmIDp61sMhUuPQhF8kxF9IistHoa4TBW3tdSVepBSDoMk0Ote+0UgO3wK
+SQIhAPC8xBwjNC+gpnaxOvz2iLGbVwISPgM/TMaa+goBJ3o1AiEA6SDVyZi34Gia
+W0YYzmQaJv2VcmGYh0JQ+diJT7qaoKMCIQCfZy6nvvu4KbTv1MzNYWUDzWsgePnM
+5qYsv8OeykLcnQIgU4JDkrd2Bpjx0ghGEoihJZ5ozlRPgwQqZZU/eqPph+kCIBAd
+MOImezJcizVRRG9PuyxuSvwLlPqjvFKnw2ixRkuW
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/expired2.example.com/key3.db
new file mode 100644
index 0000000..9bce6fa
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/pwdfile b/test/aux-fixed/exim-ca/example.com/expired2.example.com/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/secmod.db b/test/aux-fixed/exim-ca/example.com/expired2.example.com/secmod.db
new file mode 100644
index 0000000..a21c55f
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/ca_chain.pem
new file mode 100644
index 0000000..ea68b96
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+    friendlyName: Signing Cert
+subject=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority
+subject=/O=example.com/CN=clica CA
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
+MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
+mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
+ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: revoked1.example.com
+    localKeyID: 33 F8 A9 1F FC 62 68 49 CC C9 26 E0 24 22 40 40 B5 8E E6 07 
+subject=/CN=revoked1.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMVoXDTM4MDEwMTEyMzQwMVowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
+ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtmfFkNpuJsl8xF0EINs9YniA
+h0NKsf8Tt61IVzDsR5ULJOSpA7rcqmbniYuWJ7H1q8Rm5WTqjLs5zIKG+cR/lwID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
+bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAXzFO3fDq0RRzNgmAa9aorYUQUx1f6ifG
+e9zS1V/Qua9HguY4FCm5NkLDSA46OA/NYEtnC3tDNF6PLSNi1Ww9NQ==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/cert8.db
new file mode 100644
index 0000000..d74575f
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/key3.db
new file mode 100644
index 0000000..a35bc26
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/pwdfile b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem
new file mode 100644
index 0000000..abb2b6c
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+    friendlyName: revoked1.example.com
+    localKeyID: 33 F8 A9 1F FC 62 68 49 CC C9 26 E0 24 22 40 40 B5 8E E6 07 
+subject=/CN=revoked1.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMVoXDTM4MDEwMTEyMzQwMVowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
+ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtmfFkNpuJsl8xF0EINs9YniA
+h0NKsf8Tt61IVzDsR5ULJOSpA7rcqmbniYuWJ7H1q8Rm5WTqjLs5zIKG+cR/lwID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
+bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAXzFO3fDq0RRzNgmAa9aorYUQUx1f6ifG
+e9zS1V/Qua9HguY4FCm5NkLDSA46OA/NYEtnC3tDNF6PLSNi1Ww9NQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.key b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.key
new file mode 100644
index 0000000..0507231
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.key
@@ -0,0 +1,15 @@
+Bag Attributes
+    friendlyName: revoked1.example.com
+    localKeyID: 33 F8 A9 1F FC 62 68 49 CC C9 26 E0 24 22 40 40 B5 8E E6 07 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIxIBGy/hgXxwCAggA
+MBQGCCqGSIb3DQMHBAj96WZ8xRBC6QSCAVjQ7DTLCFeVW0ah1ECV+1bvGiQy9JwH
+fxHD3s2Wg7+McsAfF2oSx8R0Za7miR70Ke94xrraIuH0NeltyalI5iQOjbGe1W8V
+exnRfXI+87W9QHVI85TW2l6pXCR96cj6zrxQAhXFamDY/SfgwTbaQibrduD2eoct
+IvJ8QsaywSKwpnQAN/4XlQ6aus7w1ywtvFek+15oAfgACG/mXaZZa9sg/pRzHT3a
+8qJjMpJSDOd5QUxKIShidYPNKA88EIvdg9+0wNj42w9A4rAwaoqol4RzdLu8dXbG
+lGjiRdGwkMvlwnAWY68hPnAPOiH8ev7lNPkOkk+YsIVoJK7AoEGyvNk2N02kaBBf
+xfrHIt8jh8Suvfp0HJbdeBTTT1qu/acwNbeA2TVVXdXyoZTrSWiwmv4P0lBYXJIx
+raWLqaaImi5JvL1o5ATr3s8RtD+0iWH5LUuWdzI/agJKUw==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.dated.resp
new file mode 100644
index 0000000..6924826
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.good.resp
new file mode 100644
index 0000000..ed8cdb3
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.req
new file mode 100644
index 0000000..c16dc37
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.revoked.resp
new file mode 100644
index 0000000..76a2e14
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.p12 b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.p12
new file mode 100644
index 0000000..bcc39e5
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.pem b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.pem
new file mode 100644
index 0000000..ada2bfd
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+    friendlyName: revoked1.example.com
+    localKeyID: 33 F8 A9 1F FC 62 68 49 CC C9 26 E0 24 22 40 40 B5 8E E6 07 
+subject=/CN=revoked1.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMVoXDTM4MDEwMTEyMzQwMVowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
+ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtmfFkNpuJsl8xF0EINs9YniA
+h0NKsf8Tt61IVzDsR5ULJOSpA7rcqmbniYuWJ7H1q8Rm5WTqjLs5zIKG+cR/lwID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
+bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAXzFO3fDq0RRzNgmAa9aorYUQUx1f6ifG
+e9zS1V/Qua9HguY4FCm5NkLDSA46OA/NYEtnC3tDNF6PLSNi1Ww9NQ==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
new file mode 100644
index 0000000..f124bcc
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOQIBAAJBALZnxZDabibJfMRdBCDbPWJ4gIdDSrH/E7etSFcw7EeVCyTkqQO6
+3Kpm54mLliex9avEZuVk6oy7OcyChvnEf5cCAwEAAQJALGjPfRjxQJhFvDk5TBaU
+t2jHQidsBDIqRsn1luTeYf7KVwL5p51LV27UBqIF+UPa3Wl04rc5IWSCp5CIpASa
+IQIhAN6Ekj/LESey/9nn85fDMUH45PgW/7J+NeqwgK6zoyulAiEA0doPRY/U2ano
+Hu94mggwB693XasYuRsSsGZWK1+nCYsCIF1BXjGSH0xt/kAKr9IoodouP3eh2+Oo
+dVw4QJX2/ylpAiAZUYjUKLVSiZhS2yue0ewRkU8CgxkZhDWuCLrOwtyhXwIgJr3H
+b3LNAipslDnHrNzBK2GB6MlM7/+foJ7Lu7pbK+o=
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/secmod.db b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/secmod.db
new file mode 100644
index 0000000..f95ff68
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/ca_chain.pem
new file mode 100644
index 0000000..d9830bc
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+    friendlyName: Signing Cert
+subject=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority
+subject=/O=example.com/CN=clica CA
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
+MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
+mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
+ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: revoked2.example.com
+    localKeyID: 17 78 A2 B6 AD CE 30 23 61 D1 78 DA EF AD AC 2D 72 C6 16 34 
+subject=/CN=revoked2.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDJaFw0zODAxMDExMjM0MDJaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
+bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALl7NO1x6uz5p6etz9g+bD4n
+/s5Wh/XGDL1IHD78fRFFX9B8dCyoMrzjFTIz8QkOr/sA4RD2B2uk83ZnqtNImY0C
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
+cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBAKtwWm1WtnL+jH97DwIutT6s4CkIY2uY
+JkpV4segUV03S1pN9Cnamy4prQYPCfOI1BQO4krsDNOoV/PtDvqxuso=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/cert8.db
new file mode 100644
index 0000000..45ca163
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/key3.db
new file mode 100644
index 0000000..4976f14
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/pwdfile b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.chain.pem
new file mode 100644
index 0000000..ecdf2a5
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+    friendlyName: revoked2.example.com
+    localKeyID: 17 78 A2 B6 AD CE 30 23 61 D1 78 DA EF AD AC 2D 72 C6 16 34 
+subject=/CN=revoked2.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDJaFw0zODAxMDExMjM0MDJaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
+bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALl7NO1x6uz5p6etz9g+bD4n
+/s5Wh/XGDL1IHD78fRFFX9B8dCyoMrzjFTIz8QkOr/sA4RD2B2uk83ZnqtNImY0C
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
+cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBAKtwWm1WtnL+jH97DwIutT6s4CkIY2uY
+JkpV4segUV03S1pN9Cnamy4prQYPCfOI1BQO4krsDNOoV/PtDvqxuso=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.key b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.key
new file mode 100644
index 0000000..41e2717
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.key
@@ -0,0 +1,15 @@
+Bag Attributes
+    friendlyName: revoked2.example.com
+    localKeyID: 17 78 A2 B6 AD CE 30 23 61 D1 78 DA EF AD AC 2D 72 C6 16 34 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIFV1GIQOsrw4CAggA
+MBQGCCqGSIb3DQMHBAgtBn7nWaro7ASCAWArJ92GA0suBbeIF2CisKcYFfGP+KD5
+LUOKocnSVgVeEvjQmoLzb/YAnXQsh3HtfHjbsJg1Hix4XIRI6skZD33JhhQZha/0
+M8QsA3GBCPcskjQCIMg0FVltjZOVnR20JxlI0HtMybZrIlhNCcWrLkVhU8CRbzFc
+Pubs7P9xIxlfuWVAEBmlOb1LkctHKnWlvVDR4Bef7epwa/KttSmLbBHuayQiwvms
+axUke+NYJvzFWfKpTXP0OHOfz7cdb5dN/BcF642LIGu2f7nY7vGbSG9+iZ4Mb85k
+FBbuSFquqAdxho6IHL7p/xfsW3k8+o6jKhCqkFaY1O1TNLmNtyJSyULDEbJMBiBF
+Q0pLC3AF6EtPDvN7gIvlY6jERZb7j8DJrCnjbEJR1IF09DrH3EdfaYLnGd+0/SRn
+UPY0jNEmT8hwj1ANacuSlBaIXYSjtjDYwJTz4DJA36z+03TDo/ahxwaW
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.dated.resp
new file mode 100644
index 0000000..2d46e90
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.good.resp
new file mode 100644
index 0000000..4651403
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.req
new file mode 100644
index 0000000..78aa197
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.revoked.resp
new file mode 100644
index 0000000..4651403
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.p12 b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.p12
new file mode 100644
index 0000000..d94652e
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.pem b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.pem
new file mode 100644
index 0000000..529be66
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+    friendlyName: revoked2.example.com
+    localKeyID: 17 78 A2 B6 AD CE 30 23 61 D1 78 DA EF AD AC 2D 72 C6 16 34 
+subject=/CN=revoked2.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDJaFw0zODAxMDExMjM0MDJaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
+bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALl7NO1x6uz5p6etz9g+bD4n
+/s5Wh/XGDL1IHD78fRFFX9B8dCyoMrzjFTIz8QkOr/sA4RD2B2uk83ZnqtNImY0C
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
+cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBAKtwWm1WtnL+jH97DwIutT6s4CkIY2uY
+JkpV4segUV03S1pN9Cnamy4prQYPCfOI1BQO4krsDNOoV/PtDvqxuso=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.unlocked.key
new file mode 100644
index 0000000..9c8a59b
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBPAIBAAJBALl7NO1x6uz5p6etz9g+bD4n/s5Wh/XGDL1IHD78fRFFX9B8dCyo
+MrzjFTIz8QkOr/sA4RD2B2uk83ZnqtNImY0CAwEAAQJBAKkeAI07YDOAEnCd1zPY
+/sLRns+uMDtUwArZs/9uIe7a3X4ussXCv60z9epuGre7StXrVyDGBnGqGexsKIiH
+uaECIQDzrY97z+Zcb1RZ/ncQfiep40jMGmpDX/un+wtfkeICWQIhAMLcSIgL/FTH
+t7ehuH5pClcJY0bX0tbOpfNgOWvMniJVAiEAyrYMkewOb8Dxg/gLJn48ErkP2zLy
+SWA0orZV7MgYIukCIBcGcIui3u4lq0/HjEVjpBUkxtZYKlG3mWRoumBCjW0BAiEA
+tqIijH5G06iofDnTIJzXFfetUPNl/wqJ1Xz6ECFh84s=
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/secmod.db b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/secmod.db
new file mode 100644
index 0000000..b7f2179
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
new file mode 100644
index 0000000..5bb0677
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+    friendlyName: Signing Cert
+subject=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority
+subject=/O=example.com/CN=clica CA
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
+MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
+mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
+ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: server1.example.com
+    localKeyID: 7B 32 26 98 D0 B8 1E 75 99 29 DC F8 13 EE 29 B7 59 E3 DC DC 
+subject=/CN=server1.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMVoXDTM4MDEwMTEyMzQwMVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+LmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC6EbKf3ZB2Zm+SVn7KzSofX5I+
+3KANkvS0aVxUS/mtnKJg6JLKc2dVav1OmPTF/M8J21F6tVd8EHWBrlsgS3QdAgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+Y29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLmNvbS8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+LmNvbTANBgkqhkiG9w0BAQUFAANBALDva+1Fm8VMNtBTzLmk0wd+rAGNry/HPB++
+vNngBR33/8N/529Zr4WPrL2BeOZkQeDO1qH/2giCAvYfZoBOIO4=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/server1.example.com/cert8.db
new file mode 100644
index 0000000..9d730fe
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server1.example.com/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/server1.example.com/key3.db
new file mode 100644
index 0000000..672b088
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server1.example.com/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/pwdfile b/test/aux-fixed/exim-ca/example.com/server1.example.com/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/secmod.db b/test/aux-fixed/exim-ca/example.com/server1.example.com/secmod.db
new file mode 100644
index 0000000..0883379
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server1.example.com/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem
new file mode 100644
index 0000000..6ea0a52
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+    friendlyName: server1.example.com
+    localKeyID: 7B 32 26 98 D0 B8 1E 75 99 29 DC F8 13 EE 29 B7 59 E3 DC DC 
+subject=/CN=server1.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMVoXDTM4MDEwMTEyMzQwMVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+LmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC6EbKf3ZB2Zm+SVn7KzSofX5I+
+3KANkvS0aVxUS/mtnKJg6JLKc2dVav1OmPTF/M8J21F6tVd8EHWBrlsgS3QdAgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+Y29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLmNvbS8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+LmNvbTANBgkqhkiG9w0BAQUFAANBALDva+1Fm8VMNtBTzLmk0wd+rAGNry/HPB++
+vNngBR33/8N/529Zr4WPrL2BeOZkQeDO1qH/2giCAvYfZoBOIO4=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.key b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.key
new file mode 100644
index 0000000..02d5161
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.key
@@ -0,0 +1,15 @@
+Bag Attributes
+    friendlyName: server1.example.com
+    localKeyID: 7B 32 26 98 D0 B8 1E 75 99 29 DC F8 13 EE 29 B7 59 E3 DC DC 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIt+n3xYebFlACAggA
+MBQGCCqGSIb3DQMHBAi30QtCXj3kIQSCAVjO+WdU7jaPYN1v7ev2qNehi8MrvllJ
+Q03/xCaiGTI7fUQM55W4Tc5+b952ni6ZtCnYfCojIQ6Wr0uyrabRE9nCRTudKAGv
++RG/vO576Wv69XblZaKwPp1ru5Fb+TqMRDmHsJKzmjx4/iN3l/673w8QEW+opYjI
+i+azRCzMjUcFDkExEqXunJCDD4k0iWv/LTiXa/WfKoPncY6dmtjGt/ceGG7gn+sy
+IGTPbVyX85I4lfSb42mQjticlqpNWNv+BasZNGIAGkreGEIR1HqvoIeIjyze4j/k
+yAA/oAO7WucowZfX6Rcno9yO5Cjsbn60RPMe5aSnCKXH8OnaklegbzQCIXwlRapH
+VCE28ladQ1+7zwCBhCW60WwhRN0UDQz9aFTrbhZ0uUZ13t/EcRr17f43hXnjwCVg
++q6ixyRnx4zSncCTL6iOe2ybUV8IXCFdrWnd7CYJOz804w==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp
new file mode 100644
index 0000000..0e35bdf
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
new file mode 100644
index 0000000..c616136
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.req
new file mode 100644
index 0000000..fb9674a
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp
new file mode 100644
index 0000000..aa6d371
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.p12 b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.p12
new file mode 100644
index 0000000..e7f3cfb
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
new file mode 100644
index 0000000..5080ef8
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+    friendlyName: server1.example.com
+    localKeyID: 7B 32 26 98 D0 B8 1E 75 99 29 DC F8 13 EE 29 B7 59 E3 DC DC 
+subject=/CN=server1.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMVoXDTM4MDEwMTEyMzQwMVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+LmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC6EbKf3ZB2Zm+SVn7KzSofX5I+
+3KANkvS0aVxUS/mtnKJg6JLKc2dVav1OmPTF/M8J21F6tVd8EHWBrlsgS3QdAgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+Y29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLmNvbS8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+LmNvbTANBgkqhkiG9w0BAQUFAANBALDva+1Fm8VMNtBTzLmk0wd+rAGNry/HPB++
+vNngBR33/8N/529Zr4WPrL2BeOZkQeDO1qH/2giCAvYfZoBOIO4=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
new file mode 100644
index 0000000..a616974
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOQIBAAJBALoRsp/dkHZmb5JWfsrNKh9fkj7coA2S9LRpXFRL+a2comDokspz
+Z1Vq/U6Y9MX8zwnbUXq1V3wQdYGuWyBLdB0CAwEAAQJAC7hRqAAsuUh6fp00H1IM
+9Szv6UW8Tx6Si0qXpjei4mx/reGBvQGTIUJuGdXmuBH5tQHLPskjEqXmgiccWydz
+gQIhAPCP3JccbCUpKELah84ikXuQs0PEnGfyg4oP22x0B5q3AiEAxgKV7eFrd5Qa
+FfjHsK/HfrL8YQYynm8yDqqHnSsJY8sCIFei4Sa/uPoUs1EfkWfcGgnc3iGrB5uq
+spbiTfqFjpujAiAcWvhvdU13dUz7AoJOKg3udeEwX7vV9mR7ty3ucuBIWwIgEy7b
+le8z7zokRTzIKSMpl5xr/0Vp6DWlS0KwuLNuJjc=
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem
new file mode 100644
index 0000000..dc1fbb7
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+    friendlyName: Signing Cert
+subject=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority
+subject=/O=example.com/CN=clica CA
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
+MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
+mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
+ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: server2.example.com
+    localKeyID: 69 B2 C3 8A B6 1C C2 19 F4 1B 4E 74 28 AF 12 89 E8 2E D9 BE 
+subject=/CN=server2.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDFaFw0zODAxMDExMjM0MDFaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA2TCJENbO0UK+Cjs2HSqq1OlM
+VIJQs/ctua3DEcPOphjNwLrUqVGv5qkWFDHbsJ00hpiW7uK9tDfawSWmcFis1wID
+AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5jb20vMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
+ZS5jb20wDQYJKoZIhvcNAQEFBQADQQCeF6NprEufUaSaqXhBk7hP7kX2NtTEkHmg
+hm1yvEzKL1/7gmqhMAGFapGV90k/8J6L4FiIEaxIHuTvm94KfKZi
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/server2.example.com/cert8.db
new file mode 100644
index 0000000..840f694
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server2.example.com/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/server2.example.com/key3.db
new file mode 100644
index 0000000..89bff13
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server2.example.com/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/pwdfile b/test/aux-fixed/exim-ca/example.com/server2.example.com/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/secmod.db b/test/aux-fixed/exim-ca/example.com/server2.example.com/secmod.db
new file mode 100644
index 0000000..8ea139c
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server2.example.com/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.chain.pem
new file mode 100644
index 0000000..52263a2
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+    friendlyName: server2.example.com
+    localKeyID: 69 B2 C3 8A B6 1C C2 19 F4 1B 4E 74 28 AF 12 89 E8 2E D9 BE 
+subject=/CN=server2.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDFaFw0zODAxMDExMjM0MDFaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA2TCJENbO0UK+Cjs2HSqq1OlM
+VIJQs/ctua3DEcPOphjNwLrUqVGv5qkWFDHbsJ00hpiW7uK9tDfawSWmcFis1wID
+AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5jb20vMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
+ZS5jb20wDQYJKoZIhvcNAQEFBQADQQCeF6NprEufUaSaqXhBk7hP7kX2NtTEkHmg
+hm1yvEzKL1/7gmqhMAGFapGV90k/8J6L4FiIEaxIHuTvm94KfKZi
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
+MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
+7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
+u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
+ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.key b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.key
new file mode 100644
index 0000000..a4960f9
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.key
@@ -0,0 +1,15 @@
+Bag Attributes
+    friendlyName: server2.example.com
+    localKeyID: 69 B2 C3 8A B6 1C C2 19 F4 1B 4E 74 28 AF 12 89 E8 2E D9 BE 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIFmRnQVx4IM4CAggA
+MBQGCCqGSIb3DQMHBAj96PHFOGcW+gSCAVhUx92WT6m/52ZEGgqV+RyBKgHPv0Vk
+NCrmKEJJAvGRWGl+jnpU780hLNx+qWHxGV6r+wyPN9F81oDhqeYQtIRIYC8tWBeC
+9mouIU/iNXYUkun4ZaH6sIJSFfB/2l/pz5/GaiCqgQPPufGmRFsHcGcZlYpnLHkb
+PyRFagan7QYIwUouBTyJ0o/OKBU/r6QM+ZO1zB4YqUutpYMTUbcD9zkj3eAFpIDZ
+fuci+WK1imuUek9LdKifM8f5jdc4n/Ya5rFcpHg45CXz+pLntsprjQVzhFdQblZW
+60ZyiJm682h7ioHhcJYmYyEa5DMItEqzLasQncMi/s8+SUCqTE0QaWYWJ+ofv1cD
+GBYWoM7Ar47zaqgQYlKMKs9mDfUQ4FQy382yrnsPnyo+K8ra5ESUA++uIxMwouHo
+x3dD4wV51jP8VC9VN2GWprZWffnxwMP4PxZejmZVbSWvPw==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.dated.resp
new file mode 100644
index 0000000..baa2281
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.good.resp
new file mode 100644
index 0000000..80180be
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.req
new file mode 100644
index 0000000..fe4957e
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.revoked.resp
new file mode 100644
index 0000000..80180be
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.p12 b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.p12
new file mode 100644
index 0000000..c080a6a
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
new file mode 100644
index 0000000..eacf55c
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+    friendlyName: server2.example.com
+    localKeyID: 69 B2 C3 8A B6 1C C2 19 F4 1B 4E 74 28 AF 12 89 E8 2E D9 BE 
+subject=/CN=server2.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDFaFw0zODAxMDExMjM0MDFaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA2TCJENbO0UK+Cjs2HSqq1OlM
+VIJQs/ctua3DEcPOphjNwLrUqVGv5qkWFDHbsJ00hpiW7uK9tDfawSWmcFis1wID
+AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5jb20vMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
+ZS5jb20wDQYJKoZIhvcNAQEFBQADQQCeF6NprEufUaSaqXhBk7hP7kX2NtTEkHmg
+hm1yvEzKL1/7gmqhMAGFapGV90k/8J6L4FiIEaxIHuTvm94KfKZi
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
new file mode 100644
index 0000000..6e0c41e
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOQIBAAJBANkwiRDWztFCvgo7Nh0qqtTpTFSCULP3LbmtwxHDzqYYzcC61KlR
+r+apFhQx27CdNIaYlu7ivbQ32sElpnBYrNcCAwEAAQJAAT7+ClKxLRIs9PISBWjR
+Qhd0kKeOvvmUEZSlodx1uw42qqDQ0vfYMSOWzn8dlGQ/XGJ4xVwvFFklNCfWva4M
+QQIhAPaoF/TqmR/dc2CLsQkWoZQqdu7w+uBnTnqqcQ1A2ci9AiEA4Wqw3SszsAwV
+ELV+DCDouyncyMmCzJkDjYA1WYNiVyMCIAc3AYRjfFknRCG11Fbct5s65sG0gNIh
+k3UZGTd3ByfNAiAbwAqt75eZYKNnPzCZRaPhBrJLdaNIlL2/Ob1Xm7kLiQIgWtVa
+weFGKWW86QXScrel5sjNDxFv+ZvMd+heAiPqkXs=
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/CA.pem b/test/aux-fixed/exim-ca/example.net/BLANK/CA.pem
new file mode 100644
index 0000000..bed3d2f
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/BLANK/CA.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
+SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
+iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/Signer.pem b/test/aux-fixed/exim-ca/example.net/BLANK/Signer.pem
new file mode 100644
index 0000000..5d2b2ea
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/BLANK/Signer.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/cert8.db b/test/aux-fixed/exim-ca/example.net/BLANK/cert8.db
new file mode 100644
index 0000000..0d794a0
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/BLANK/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/key3.db b/test/aux-fixed/exim-ca/example.net/BLANK/key3.db
new file mode 100644
index 0000000..31b9ac7
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/BLANK/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/pwdfile b/test/aux-fixed/exim-ca/example.net/BLANK/pwdfile
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/BLANK/pwdfile
@@ -0,0 +1 @@
+
diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/secmod.db b/test/aux-fixed/exim-ca/example.net/BLANK/secmod.db
new file mode 100644
index 0000000..8a83193
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/BLANK/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/CA/CA.pem b/test/aux-fixed/exim-ca/example.net/CA/CA.pem
new file mode 100644
index 0000000..bed3d2f
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/CA.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
+SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
+iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/CA/OCSP.key b/test/aux-fixed/exim-ca/example.net/CA/OCSP.key
new file mode 100644
index 0000000..5ab675c
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/OCSP.key
@@ -0,0 +1,14 @@
+Bag Attributes
+    friendlyName: OCSP Signer
+    localKeyID: 16 61 1B 08 43 C0 0E C4 AF 4D 7B E9 27 1D EB B0 D7 05 E9 75 
+Key Attributes: <No Attributes>
+-----BEGIN PRIVATE KEY-----
+MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAsT/jRe87h2kyfvbt
+YbvgOPS3y6+BPP8pVdU2CefZAy4mYhuj4ZejZgOf8W9XoonCKTW0Y31feBcy0cM+
+2TNM3QIDAQABAkEApPyuBevggnP2T95zKfUiioGoD43HA8sTY9T53xCTnPOrNNCv
+Vn5+ZXao86JF3ly2jY8Eg0b1hFpfZsZMhG/PgQIhAOg/SgSXqPL8oON/Uot1IUHe
+xLfwqW4toMwTknwdWO39AiEAw2ClhCYw/YTDdbh8sstP7k9HDNBPynwAuURLqc6/
+oGECIBDxVQgCvFuFnIMcLbxovhVdGALHNsUH5RweLWiKh4tNAiBSgpVD6tETr6bQ
+J1paM6yM6uQJkEuyKo4vr5z4mHyq4QIhAMtfRG4+QspRY6aaAAebWBS4zwDiAZCH
+6bnyjSzbUHsm
+-----END PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/CA/OCSP.p12 b/test/aux-fixed/exim-ca/example.net/CA/OCSP.p12
new file mode 100644
index 0000000..4ebddda
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/CA/OCSP.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/CA/OCSP.pem b/test/aux-fixed/exim-ca/example.net/CA/OCSP.pem
new file mode 100644
index 0000000..2d71376
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/OCSP.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBgDCCASqgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwM1oXDTM4MDEwMTEyMzQwM1owMjEUMBIGA1UEChMLZXhhbXBsZS5uZXQxGjAY
+BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJB
+ALE/40XvO4dpMn727WG74Dj0t8uvgTz/KVXVNgnn2QMuJmIbo+GXo2YDn/FvV6KJ
+wik1tGN9X3gXMtHDPtkzTN0CAwEAAaMqMCgwDgYDVR0PAQH/BAQDAgeAMBYGA1Ud
+JQEB/wQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBBQUAA0EAjPHbFyZJZHxLSqn5
+i4i7+sWFAueHbbVXyDkzbspOeAbUeuc+lyZ7gMkRofbfIyXIMzSggVKiBetK5gf8
+OhXNJA==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/CA/Signer.pem b/test/aux-fixed/exim-ca/example.net/CA/Signer.pem
new file mode 100644
index 0000000..5d2b2ea
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/Signer.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/CA/ca.conf b/test/aux-fixed/exim-ca/example.net/CA/ca.conf
new file mode 100644
index 0000000..d162ea3
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/ca.conf
@@ -0,0 +1,18 @@
+; Config::Simple 4.59
+; Thu Nov  1 12:34:03 2012
+
+[CLICA]
+crl_url=http://crl.example.net/latest.crl
+crl_signer=Signing Cert
+level=1
+signer=Signing Cert
+ocsp_signer=OCSP Signer
+ocsp_url=http://oscp/example.net/
+
+[CA]
+org=example.net
+subject=clica CA
+name=Certificate Authority
+bits=512
+
+
diff --git a/test/aux-fixed/exim-ca/example.net/CA/cert8.db b/test/aux-fixed/exim-ca/example.net/CA/cert8.db
new file mode 100644
index 0000000..6a130c8
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/CA/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.empty b/test/aux-fixed/exim-ca/example.net/CA/crl.empty
new file mode 100644
index 0000000..364b43d
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/CA/crl.empty differ
diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.empty.in.txt b/test/aux-fixed/exim-ca/example.net/CA/crl.empty.in.txt
new file mode 100644
index 0000000..250311c
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/crl.empty.in.txt
@@ -0,0 +1 @@
+update=20130127152434Z 
diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.empty.pem b/test/aux-fixed/exim-ca/example.net/CA/crl.empty.pem
new file mode 100644
index 0000000..8236f85
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/crl.empty.pem
@@ -0,0 +1,6 @@
+-----BEGIN X509 CRL-----
+MIGsMFgCAQEwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5uZXQx
+GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxMzAxMjcxNTI0MzRaMA0G
+CSqGSIb3DQEBBQUAA0EAnGNQN1GnKB2PGg9C+vguhNlTRLgf9j9lziLPBkPff4+k
+8JLTVhcuQYnYTdw1WKq/DeXJRyZwd7Z8vAMMdsW5ZA==
+-----END X509 CRL-----
diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.v2 b/test/aux-fixed/exim-ca/example.net/CA/crl.v2
new file mode 100644
index 0000000..7473ce8
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/CA/crl.v2 differ
diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.v2.in.txt b/test/aux-fixed/exim-ca/example.net/CA/crl.v2.in.txt
new file mode 100644
index 0000000..434045f
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/crl.v2.in.txt
@@ -0,0 +1,3 @@
+update=20130127152437Z 
+addcert 102 20130127152437Z
+addcert 202 20130127152437Z
diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.v2.pem b/test/aux-fixed/exim-ca/example.net/CA/crl.v2.pem
new file mode 100644
index 0000000..dceb45c
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/crl.v2.pem
@@ -0,0 +1,7 @@
+-----BEGIN X509 CRL-----
+MIHcMIGHAgEBMA0GCSqGSIb3DQEBBQUAMDMxFDASBgNVBAoTC2V4YW1wbGUubmV0
+MRswGQYDVQQDExJjbGljYSBTaWduaW5nIENlcnQYDzIwMTMwMTI3MTUyNDM3WjAt
+MBQCAWYYDzIwMTMwMTI3MTUyNDM3WjAVAgIAyhgPMjAxMzAxMjcxNTI0MzdaMA0G
+CSqGSIb3DQEBBQUAA0EAL1D/ZMfKSVVozt/TtAPIR/PMLTvBCGrRDbH31tI3pGUJ
+l+FZTnkR48HXOkuaPCxMclubZ0ptQ6wXHP58iwKacA==
+-----END X509 CRL-----
diff --git a/test/aux-fixed/exim-ca/example.net/CA/index.revoked.txt b/test/aux-fixed/exim-ca/example.net/CA/index.revoked.txt
new file mode 100644
index 0000000..b141dca
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/index.revoked.txt
@@ -0,0 +1,6 @@
+R    130110200751Z    100201142709Z,superseded    65    unknown    CN=server1.example.net
+R    130110200751Z    100201142709Z,superseded    66    unknown    CN=revoked1.example.net
+R    130110200751Z    100201142709Z,superseded    67    unknown    CN=expired1.example.net
+R    130110200751Z    100201142709Z,superseded    c9    unknown    CN=server2.example.net
+R    130110200751Z    100201142709Z,superseded    ca    unknown    CN=revoked2.example.net
+R    130110200751Z    100201142709Z,superseded    cb    unknown    CN=expired2.example.net
diff --git a/test/aux-fixed/exim-ca/example.net/CA/index.valid.txt b/test/aux-fixed/exim-ca/example.net/CA/index.valid.txt
new file mode 100644
index 0000000..ee52d83
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/index.valid.txt
@@ -0,0 +1,6 @@
+V    130110200751Z        65    unknown    CN=server1.example.net
+V    130110200751Z        66    unknown    CN=revoked1.example.net
+V    130110200751Z        67    unknown    CN=expired1.example.net
+V    130110200751Z        c9    unknown    CN=server2.example.net
+V    130110200751Z        ca    unknown    CN=revoked2.example.net
+V    130110200751Z        cb    unknown    CN=expired2.example.net
diff --git a/test/aux-fixed/exim-ca/example.net/CA/key3.db b/test/aux-fixed/exim-ca/example.net/CA/key3.db
new file mode 100644
index 0000000..e17cadf
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/CA/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/CA/noise.file b/test/aux-fixed/exim-ca/example.net/CA/noise.file
new file mode 100644
index 0000000..c19c41f
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/noise.file
@@ -0,0 +1,342 @@
+processor    : 0
+vendor_id    : GenuineIntel
+cpu family    : 6
+model        : 26
+model name    : Intel(R) Xeon(R) CPU           E5520  @ 2.27GHz
+stepping    : 5
+cpu MHz        : 2260.628
+cache size    : 8192 KB
+fpu        : yes
+fpu_exception    : yes
+cpuid level    : 11
+wp        : yes
+flags        : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts
+bogomips    : 4521.25
+clflush size    : 64
+cache_alignment    : 64
+address sizes    : 40 bits physical, 48 bits virtual
+power management:
+
+processor    : 1
+vendor_id    : GenuineIntel
+cpu family    : 6
+model        : 26
+model name    : Intel(R) Xeon(R) CPU           E5520  @ 2.27GHz
+stepping    : 5
+cpu MHz        : 2260.628
+cache size    : 8192 KB
+fpu        : yes
+fpu_exception    : yes
+cpuid level    : 11
+wp        : yes
+flags        : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts
+bogomips    : 4521.25
+clflush size    : 64
+cache_alignment    : 64
+address sizes    : 40 bits physical, 48 bits virtual
+power management:
+
+           CPU0       CPU1       
+  0:       2481          0   IO-APIC-edge      timer
+  1:      21441        346   IO-APIC-edge      i8042
+  3:          1          0   IO-APIC-edge    
+  4:          1          0   IO-APIC-edge    
+  7:          0          0   IO-APIC-edge      parport0
+  8:          1          0   IO-APIC-edge      rtc0
+  9:          0          0   IO-APIC-fasteoi   acpi
+ 12:      78986       1718   IO-APIC-edge      i8042
+ 14:          0          0   IO-APIC-edge      ata_piix
+ 15:    2423337       1435   IO-APIC-edge      ata_piix
+ 16:       1025          0   IO-APIC-fasteoi   Ensoniq AudioPCI
+ 17:     239858       2559   IO-APIC-fasteoi   ehci_hcd:usb1, ioc0
+ 18:        246          0   IO-APIC-fasteoi   uhci_hcd:usb2
+ 19:    1868825      51479   IO-APIC-fasteoi   eth0
+ 24:          0          0   PCI-MSI-edge      pciehp
+ 25:          0          0   PCI-MSI-edge      pciehp
+ 26:          0          0   PCI-MSI-edge      pciehp
+ 27:          0          0   PCI-MSI-edge      pciehp
+ 28:          0          0   PCI-MSI-edge      pciehp
+ 29:          0          0   PCI-MSI-edge      pciehp
+ 30:          0          0   PCI-MSI-edge      pciehp
+ 31:          0          0   PCI-MSI-edge      pciehp
+ 32:          0          0   PCI-MSI-edge      pciehp
+ 33:          0          0   PCI-MSI-edge      pciehp
+ 34:          0          0   PCI-MSI-edge      pciehp
+ 35:          0          0   PCI-MSI-edge      pciehp
+ 36:          0          0   PCI-MSI-edge      pciehp
+ 37:          0          0   PCI-MSI-edge      pciehp
+ 38:          0          0   PCI-MSI-edge      pciehp
+ 39:          0          0   PCI-MSI-edge      pciehp
+ 40:          0          0   PCI-MSI-edge      pciehp
+ 41:          0          0   PCI-MSI-edge      pciehp
+ 42:          0          0   PCI-MSI-edge      pciehp
+ 43:          0          0   PCI-MSI-edge      pciehp
+ 44:          0          0   PCI-MSI-edge      pciehp
+ 45:          0          0   PCI-MSI-edge      pciehp
+ 46:          0          0   PCI-MSI-edge      pciehp
+ 47:          0          0   PCI-MSI-edge      pciehp
+ 48:          0          0   PCI-MSI-edge      pciehp
+ 49:          0          0   PCI-MSI-edge      pciehp
+ 50:          0          0   PCI-MSI-edge      pciehp
+ 51:          0          0   PCI-MSI-edge      pciehp
+ 52:          0          0   PCI-MSI-edge      pciehp
+ 53:          0          0   PCI-MSI-edge      pciehp
+ 54:          0          0   PCI-MSI-edge      pciehp
+ 55:          0          0   PCI-MSI-edge      pciehp
+ 56:          1          0   PCI-MSI-edge      vmci
+ 57:          0          0   PCI-MSI-edge      vmci
+NMI:          0          0   Non-maskable interrupts
+LOC:   12398590   14242910   Local timer interrupts
+SPU:          0          0   Spurious interrupts
+PMI:          0          0   Performance monitoring interrupts
+IWI:          0          0   IRQ work interrupts
+RES:     282808     309226   Rescheduling interrupts
+CAL:       1955     163556   Function call interrupts
+TLB:      18075      15578   TLB shootdowns
+TRM:          0          0   Thermal event interrupts
+THR:          0          0   Threshold APIC interrupts
+MCE:          0          0   Machine check exceptions
+MCP:       2310       2310   Machine check polls
+ERR:          0
+MIS:          0
+MemTotal:        1914844 kB
+MemFree:          133340 kB
+Buffers:          142048 kB
+Cached:           953728 kB
+SwapCached:          108 kB
+Active:           982140 kB
+Inactive:         540820 kB
+Active(anon):     287228 kB
+Inactive(anon):   143480 kB
+Active(file):     694912 kB
+Inactive(file):   397340 kB
+Unevictable:           0 kB
+Mlocked:               0 kB
+SwapTotal:       4194296 kB
+SwapFree:        4193560 kB
+Dirty:              2760 kB
+Writeback:             0 kB
+AnonPages:        427016 kB
+Mapped:            70844 kB
+Shmem:              3400 kB
+Slab:             191064 kB
+SReclaimable:     125460 kB
+SUnreclaim:        65604 kB
+KernelStack:        2312 kB
+PageTables:        23528 kB
+NFS_Unstable:          0 kB
+Bounce:                0 kB
+WritebackTmp:          0 kB
+CommitLimit:     5151716 kB
+Committed_AS:     973184 kB
+VmallocTotal:   34359738367 kB
+VmallocUsed:      280772 kB
+VmallocChunk:   34359441168 kB
+HardwareCorrupted:     0 kB
+AnonHugePages:    249856 kB
+HugePages_Total:       0
+HugePages_Free:        0
+HugePages_Rsvd:        0
+HugePages_Surp:        0
+Hugepagesize:       2048 kB
+DirectMap4k:        8192 kB
+DirectMap2M:     2088960 kB
+slabinfo - version: 2.1
+# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
+bridge_fdb_cache       0      0     64   59    1 : tunables  120   60    8 : slabdata      0      0      0
+fuse_request           0      0    632    6    1 : tunables   54   27    8 : slabdata      0      0      0
+fuse_inode             0      0    768    5    1 : tunables   54   27    8 : slabdata      0      0      0
+rpc_buffers            8      8   2048    2    1 : tunables   24   12    8 : slabdata      4      4      0
+rpc_tasks              8     15    256   15    1 : tunables  120   60    8 : slabdata      1      1      0
+rpc_inode_cache        8      8    832    4    1 : tunables   54   27    8 : slabdata      2      2      0
+hgfsInodeCache         1      6    640    6    1 : tunables   54   27    8 : slabdata      1      1      0
+AF_VMCI                0      0   1024    4    1 : tunables   54   27    8 : slabdata      0      0      0
+nf_conntrack_expect      0      0    240   16    1 : tunables  120   60    8 : slabdata      0      0      0
+nf_conntrack_ffffffff8200cec0     11     26    304   13    1 : tunables   54   27    8 : slabdata      2      2      0
+fib6_nodes            22     59     64   59    1 : tunables  120   60    8 : slabdata      1      1      0
+ip6_dst_cache         13     30    384   10    1 : tunables   54   27    8 : slabdata      3      3      0
+ndisc_cache            1     15    256   15    1 : tunables  120   60    8 : slabdata      1      1      0
+ip6_mrt_cache          0      0    128   30    1 : tunables  120   60    8 : slabdata      0      0      0
+RAWv6                 67     68   1024    4    1 : tunables   54   27    8 : slabdata     17     17      0
+UDPLITEv6              0      0   1024    4    1 : tunables   54   27    8 : slabdata      0      0      0
+UDPv6                  4      4   1024    4    1 : tunables   54   27    8 : slabdata      1      1      0
+tw_sock_TCPv6          0      0    320   12    1 : tunables   54   27    8 : slabdata      0      0      0
+request_sock_TCPv6      0      0    192   20    1 : tunables  120   60    8 : slabdata      0      0      0
+TCPv6                  9     10   1856    2    1 : tunables   24   12    8 : slabdata      5      5      0
+jbd2_1k                0      0   1024    4    1 : tunables   54   27    8 : slabdata      0      0      0
+avtab_node        502203 502416     24  144    1 : tunables  120   60    8 : slabdata   3489   3489      0
+ext4_inode_cache   74880  74880   1024    4    1 : tunables   54   27    8 : slabdata  18720  18720      0
+ext4_xattr             9     44     88   44    1 : tunables  120   60    8 : slabdata      1      1      0
+ext4_free_block_extents     32     67     56   67    1 : tunables  120   60    8 : slabdata      1      1      0
+ext4_alloc_context     28     28    136   28    1 : tunables  120   60    8 : slabdata      1      1      0
+ext4_prealloc_space     18     37    104   37    1 : tunables  120   60    8 : slabdata      1      1      0
+ext4_system_zone       0      0     40   92    1 : tunables  120   60    8 : slabdata      0      0      0
+jbd2_journal_handle     32    144     24  144    1 : tunables  120   60    8 : slabdata      1      1      0
+jbd2_journal_head    102    102    112   34    1 : tunables  120   60    8 : slabdata      3      3      0
+jbd2_revoke_table      4    202     16  202    1 : tunables  120   60    8 : slabdata      1      1      0
+jbd2_revoke_record      0      0     32  112    1 : tunables  120   60    8 : slabdata      0      0      0
+dm_crypt_io           50     50    152   25    1 : tunables  120   60    8 : slabdata      2      2      0
+sd_ext_cdb             2    112     32  112    1 : tunables  120   60    8 : slabdata      1      1      0
+scsi_sense_cache      22     60    128   30    1 : tunables  120   60    8 : slabdata      2      2      0
+scsi_cmd_cache        23     45    256   15    1 : tunables  120   60    8 : slabdata      3      3      0
+dm_raid1_read_record      0      0   1064    7    2 : tunables   24   12    8 : slabdata      0      0      0
+kcopyd_job             0      0   3240    2    2 : tunables   24   12    8 : slabdata      0      0      0
+io                     0      0     64   59    1 : tunables  120   60    8 : slabdata      0      0      0
+dm_uevent              0      0   2608    3    2 : tunables   24   12    8 : slabdata      0      0      0
+dm_rq_clone_bio_info      0      0     16  202    1 : tunables  120   60    8 : slabdata      0      0      0
+dm_rq_target_io        0      0    392   10    1 : tunables   54   27    8 : slabdata      0      0      0
+dm_target_io         844    864     24  144    1 : tunables  120   60    8 : slabdata      6      6      0
+dm_io                828    828     40   92    1 : tunables  120   60    8 : slabdata      9      9      0
+flow_cache             0      0     96   40    1 : tunables  120   60    8 : slabdata      0      0      0
+uhci_urb_priv          6     67     56   67    1 : tunables  120   60    8 : slabdata      1      1      0
+cfq_io_context         4     28    136   28    1 : tunables  120   60    8 : slabdata      1      1      0
+cfq_queue              5     16    240   16    1 : tunables  120   60    8 : slabdata      1      1      0
+bsg_cmd                0      0    312   12    1 : tunables   54   27    8 : slabdata      0      0      0
+mqueue_inode_cache      1      4    896    4    1 : tunables   54   27    8 : slabdata      1      1      0
+isofs_inode_cache      0      0    640    6    1 : tunables   54   27    8 : slabdata      0      0      0
+hugetlbfs_inode_cache      1      6    608    6    1 : tunables   54   27    8 : slabdata      1      1      0
+dquot                  0      0    256   15    1 : tunables  120   60    8 : slabdata      0      0      0
+kioctx                 0      0    384   10    1 : tunables   54   27    8 : slabdata      0      0      0
+kiocb                  0      0    256   15    1 : tunables  120   60    8 : slabdata      0      0      0
+inotify_event_private_data      0      0     32  112    1 : tunables  120   60    8 : slabdata      0      0      0
+inotify_inode_mark_entry    186    204    112   34    1 : tunables  120   60    8 : slabdata      6      6      0
+dnotify_mark_entry      1     34    112   34    1 : tunables  120   60    8 : slabdata      1      1      0
+dnotify_struct         1    112     32  112    1 : tunables  120   60    8 : slabdata      1      1      0
+fasync_cache           6    144     24  144    1 : tunables  120   60    8 : slabdata      1      1      0
+khugepaged_mm_slot     83     92     40   92    1 : tunables  120   60    8 : slabdata      1      1      0
+ksm_mm_slot            0      0     48   77    1 : tunables  120   60    8 : slabdata      0      0      0
+ksm_stable_node        0      0     40   92    1 : tunables  120   60    8 : slabdata      0      0      0
+ksm_rmap_item          0      0     64   59    1 : tunables  120   60    8 : slabdata      0      0      0
+utrace_engine          0      0     56   67    1 : tunables  120   60    8 : slabdata      0      0      0
+utrace                 0      0     64   59    1 : tunables  120   60    8 : slabdata      0      0      0
+pid_namespace          0      0   2120    3    2 : tunables   24   12    8 : slabdata      0      0      0
+nsproxy                0      0     48   77    1 : tunables  120   60    8 : slabdata      0      0      0
+posix_timers_cache      0      0    176   22    1 : tunables  120   60    8 : slabdata      0      0      0
+uid_cache             10     60    128   30    1 : tunables  120   60    8 : slabdata      2      2      0
+UNIX                 459    480    768    5    1 : tunables   54   27    8 : slabdata     96     96      0
+ip_mrt_cache           0      0    128   30    1 : tunables  120   60    8 : slabdata      0      0      0
+UDP-Lite               0      0    832    9    2 : tunables   54   27    8 : slabdata      0      0      0
+tcp_bind_bucket       15     59     64   59    1 : tunables  120   60    8 : slabdata      1      1      0
+inet_peer_cache        4     59     64   59    1 : tunables  120   60    8 : slabdata      1      1      0
+secpath_cache          0      0     64   59    1 : tunables  120   60    8 : slabdata      0      0      0
+xfrm_dst_cache         0      0    384   10    1 : tunables   54   27    8 : slabdata      0      0      0
+ip_fib_alias           0      0     32  112    1 : tunables  120   60    8 : slabdata      0      0      0
+ip_fib_hash           10    106     72   53    1 : tunables  120   60    8 : slabdata      2      2      0
+ip_dst_cache          29     50    384   10    1 : tunables   54   27    8 : slabdata      5      5      0
+arp_cache              4     15    256   15    1 : tunables  120   60    8 : slabdata      1      1      0
+RAW                   65     72    832    9    2 : tunables   54   27    8 : slabdata      8      8      0
+UDP                    6     18    832    9    2 : tunables   54   27    8 : slabdata      2      2      0
+tw_sock_TCP            0      0    256   15    1 : tunables  120   60    8 : slabdata      0      0      0
+request_sock_TCP       0      0    192   20    1 : tunables  120   60    8 : slabdata      0      0      0
+TCP                   20     24   1664    4    2 : tunables   24   12    8 : slabdata      6      6      0
+eventpoll_pwq        126    212     72   53    1 : tunables  120   60    8 : slabdata      4      4      0
+eventpoll_epi        126    180    128   30    1 : tunables  120   60    8 : slabdata      6      6      0
+sgpool-128             2      2   4096    1    1 : tunables   24   12    8 : slabdata      2      2      0
+sgpool-64              2      2   2048    2    1 : tunables   24   12    8 : slabdata      1      1      0
+sgpool-32              2      4   1024    4    1 : tunables   54   27    8 : slabdata      1      1      0
+sgpool-16              2      8    512    8    1 : tunables   54   27    8 : slabdata      1      1      0
+sgpool-8              15     15    256   15    1 : tunables  120   60    8 : slabdata      1      1      0
+scsi_data_buffer       0      0     24  144    1 : tunables  120   60    8 : slabdata      0      0      0
+blkdev_integrity       0      0    112   34    1 : tunables  120   60    8 : slabdata      0      0      0
+blkdev_queue          29     30   2856    2    2 : tunables   24   12    8 : slabdata     15     15      0
+blkdev_requests       31     44    352   11    1 : tunables   54   27    8 : slabdata      4      4      0
+blkdev_ioc             5     48     80   48    1 : tunables  120   60    8 : slabdata      1      1      0
+fsnotify_event_holder      0      0     24  144    1 : tunables  120   60    8 : slabdata      0      0      0
+fsnotify_event         0      0    104   37    1 : tunables  120   60    8 : slabdata      0      0      0
+bio-0                180    180    192   20    1 : tunables  120   60    8 : slabdata      9      9      0
+biovec-256            66     66   4096    1    1 : tunables   24   12    8 : slabdata     66     66      0
+biovec-128             0      0   2048    2    1 : tunables   24   12    8 : slabdata      0      0      0
+biovec-64              0      0   1024    4    1 : tunables   54   27    8 : slabdata      0      0      0
+biovec-16              0      0    256   15    1 : tunables  120   60    8 : slabdata      0      0      0
+bip-256                2      2   4224    1    2 : tunables    8    4    0 : slabdata      2      2      0
+bip-128                0      0   2176    3    2 : tunables   24   12    8 : slabdata      0      0      0
+bip-64                 0      0   1152    7    2 : tunables   24   12    8 : slabdata      0      0      0
+bip-16                 0      0    384   10    1 : tunables   54   27    8 : slabdata      0      0      0
+bip-4                  0      0    192   20    1 : tunables  120   60    8 : slabdata      0      0      0
+bip-1                  0      0    128   30    1 : tunables  120   60    8 : slabdata      0      0      0
+sock_inode_cache     666    685    704    5    1 : tunables   54   27    8 : slabdata    137    137      0
+skbuff_fclone_cache     42     42    512    7    1 : tunables   54   27    8 : slabdata      6      6      0
+skbuff_head_cache    302    450    256   15    1 : tunables  120   60    8 : slabdata     30     30      0
+file_lock_cache       38     44    176   22    1 : tunables  120   60    8 : slabdata      2      2      0
+net_namespace          0      0   2112    3    2 : tunables   24   12    8 : slabdata      0      0      0
+shmem_inode_cache    774    775    800    5    1 : tunables   54   27    8 : slabdata    155    155      0
+Acpi-Operand        4563   4664     72   53    1 : tunables  120   60    8 : slabdata     88     88      0
+Acpi-ParseExt          0      0     72   53    1 : tunables  120   60    8 : slabdata      0      0      0
+Acpi-Parse             0      0     48   77    1 : tunables  120   60    8 : slabdata      0      0      0
+Acpi-State             0      0     80   48    1 : tunables  120   60    8 : slabdata      0      0      0
+Acpi-Namespace      3311   3312     40   92    1 : tunables  120   60    8 : slabdata     36     36      0
+task_delay_info      332    340    112   34    1 : tunables  120   60    8 : slabdata     10     10      0
+taskstats              5     12    328   12    1 : tunables   54   27    8 : slabdata      1      1      0
+proc_inode_cache    1008   1008    640    6    1 : tunables   54   27    8 : slabdata    168    168      0
+sigqueue              35     48    160   24    1 : tunables  120   60    8 : slabdata      2      2      0
+bdev_cache            32     36    832    4    1 : tunables   54   27    8 : slabdata      9      9      0
+sysfs_dir_cache    11356  11367    144   27    1 : tunables  120   60    8 : slabdata    421    421      0
+mnt_cache             37     45    256   15    1 : tunables  120   60    8 : slabdata      3      3      0
+filp                4644   4700    192   20    1 : tunables  120   60    8 : slabdata    235    235    120
+inode_cache         6883   7308    592    6    1 : tunables   54   27    8 : slabdata   1218   1218      0
+dentry             61240  63960    192   20    1 : tunables  120   60    8 : slabdata   3198   3198      0
+names_cache           26     26   4096    1    1 : tunables   24   12    8 : slabdata     26     26      0
+avc_node             510   1239     64   59    1 : tunables  120   60    8 : slabdata     21     21      0
+selinux_inode_security  84206  86072     72   53    1 : tunables  120   60    8 : slabdata   1624   1624      0
+radix_tree_node    11606  11781    560    7    1 : tunables   54   27    8 : slabdata   1683   1683      0
+key_jar               11     20    192   20    1 : tunables  120   60    8 : slabdata      1      1      0
+buffer_head       221526 230214    104   37    1 : tunables  120   60    8 : slabdata   6222   6222      0
+vm_area_struct     12962  13034    200   19    1 : tunables  120   60    8 : slabdata    686    686      0
+mm_struct            145    145   1408    5    2 : tunables   24   12    8 : slabdata     29     29      0
+fs_cache             177    177     64   59    1 : tunables  120   60    8 : slabdata      3      3      0
+files_cache          162    165    704   11    2 : tunables   54   27    8 : slabdata     15     15      0
+signal_cache         208    208   1024    4    1 : tunables   54   27    8 : slabdata     52     52      0
+sighand_cache        201    201   2112    3    2 : tunables   24   12    8 : slabdata     67     67      0
+task_xstate          240    240    512    8    1 : tunables   54   27    8 : slabdata     30     30      0
+task_struct          306    306   2656    3    2 : tunables   24   12    8 : slabdata    102    102      0
+cred_jar             580    580    192   20    1 : tunables  120   60    8 : slabdata     29     29      0
+anon_vma_chain      7874   8162     48   77    1 : tunables  120   60    8 : slabdata    106    106      0
+anon_vma            5773   5888     40   92    1 : tunables  120   60    8 : slabdata     64     64      0
+pid                  322    330    128   30    1 : tunables  120   60    8 : slabdata     11     11      0
+shared_policy_node      0      0     48   77    1 : tunables  120   60    8 : slabdata      0      0      0
+numa_policy            1     28    136   28    1 : tunables  120   60    8 : slabdata      1      1      0
+idr_layer_cache      428    434    544    7    1 : tunables   54   27    8 : slabdata     62     62      0
+size-4194304(DMA)      0      0 4194304    1 1024 : tunables    1    1    0 : slabdata      0      0      0
+size-4194304           0      0 4194304    1 1024 : tunables    1    1    0 : slabdata      0      0      0
+size-2097152(DMA)      0      0 2097152    1  512 : tunables    1    1    0 : slabdata      0      0      0
+size-2097152           0      0 2097152    1  512 : tunables    1    1    0 : slabdata      0      0      0
+size-1048576(DMA)      0      0 1048576    1  256 : tunables    1    1    0 : slabdata      0      0      0
+size-1048576           0      0 1048576    1  256 : tunables    1    1    0 : slabdata      0      0      0
+size-524288(DMA)       0      0 524288    1  128 : tunables    1    1    0 : slabdata      0      0      0
+size-524288            0      0 524288    1  128 : tunables    1    1    0 : slabdata      0      0      0
+size-262144(DMA)       0      0 262144    1   64 : tunables    1    1    0 : slabdata      0      0      0
+size-262144            0      0 262144    1   64 : tunables    1    1    0 : slabdata      0      0      0
+size-131072(DMA)       0      0 131072    1   32 : tunables    8    4    0 : slabdata      0      0      0
+size-131072            1      1 131072    1   32 : tunables    8    4    0 : slabdata      1      1      0
+size-65536(DMA)        0      0  65536    1   16 : tunables    8    4    0 : slabdata      0      0      0
+size-65536             2      2  65536    1   16 : tunables    8    4    0 : slabdata      2      2      0
+size-32768(DMA)        0      0  32768    1    8 : tunables    8    4    0 : slabdata      0      0      0
+size-32768             3      3  32768    1    8 : tunables    8    4    0 : slabdata      3      3      0
+size-16384(DMA)        0      0  16384    1    4 : tunables    8    4    0 : slabdata      0      0      0
+size-16384            12     12  16384    1    4 : tunables    8    4    0 : slabdata     12     12      0
+size-8192(DMA)         0      0   8192    1    2 : tunables    8    4    0 : slabdata      0      0      0
+size-8192             27     27   8192    1    2 : tunables    8    4    0 : slabdata     27     27      0
+size-4096(DMA)         0      0   4096    1    1 : tunables   24   12    8 : slabdata      0      0      0
+size-4096            425    425   4096    1    1 : tunables   24   12    8 : slabdata    425    425      0
+size-2048(DMA)         0      0   2048    2    1 : tunables   24   12    8 : slabdata      0      0      0
+size-2048            573    578   2048    2    1 : tunables   24   12    8 : slabdata    289    289      0
+size-1024(DMA)         0      0   1024    4    1 : tunables   54   27    8 : slabdata      0      0      0
+size-1024           1340   1340   1024    4    1 : tunables   54   27    8 : slabdata    335    335      0
+size-512(DMA)          0      0    512    8    1 : tunables   54   27    8 : slabdata      0      0      0
+size-512            1123   1176    512    8    1 : tunables   54   27    8 : slabdata    147    147      0
+size-256(DMA)          0      0    256   15    1 : tunables  120   60    8 : slabdata      0      0      0
+size-256             930    930    256   15    1 : tunables  120   60    8 : slabdata     62     62      0
+size-192(DMA)          0      0    192   20    1 : tunables  120   60    8 : slabdata      0      0      0
+size-192            2119   2160    192   20    1 : tunables  120   60    8 : slabdata    108    108      0
+size-128(DMA)          0      0    128   30    1 : tunables  120   60    8 : slabdata      0      0      0
+size-64(DMA)           0      0     64   59    1 : tunables  120   60    8 : slabdata      0      0      0
+size-64            33093  40887     64   59    1 : tunables  120   60    8 : slabdata    693    693      0
+size-32(DMA)           0      0     32  112    1 : tunables  120   60    8 : slabdata      0      0      0
+size-128            3921   4800    128   30    1 : tunables  120   60    8 : slabdata    160    160      0
+size-32           332389 332976     32  112    1 : tunables  120   60    8 : slabdata   2973   2973      0
+kmem_cache           191    191  32896    1   16 : tunables    8    4    0 : slabdata    191    191      0
+Inter-|   Receive                                                |  Transmit
+ face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
+    lo:267102759  105357    0    0    0     0          0         0 267102759  105357    0    0    0     0       0          0
+  eth0:1013761672 1354551    0    0    0     0          0         0 245537245  966850    0    0    0     0       0          0
+  pan0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
diff --git a/test/aux-fixed/exim-ca/example.net/CA/pwdfile b/test/aux-fixed/exim-ca/example.net/CA/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/CA/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.net/CA/secmod.db b/test/aux-fixed/exim-ca/example.net/CA/secmod.db
new file mode 100644
index 0000000..c7f115b
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/CA/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/expired1.example.net/ca_chain.pem
new file mode 100644
index 0000000..d0ee061
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+    friendlyName: Signing Cert
+subject=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority
+subject=/O=example.net/CN=clica CA
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
+SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
+iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: expired1.example.net
+    localKeyID: 1E 0D 7E 35 C6 DD 12 8A 56 2B C8 44 4B 60 A9 95 DC 68 6F 37 
+subject=/CN=expired1.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwNFoXDTEyMTIwMTEyMzQwNFowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
+ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA+LXqjv5NnRW2OlKWyYYH8ZFb
+Fj4xAdg4qSa1WK/wlUUdpQldGzpDuq/BzuyQdJjp1vSnqhKjfxz0ef9xJievdwID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
+bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EA0dUUjXeu21xQo+AsptLSwmzhn+EV8ixI
+757XRkCnAN0mOZZHcv+imuiEXpf62J+wNyWKNCWu2iPttov/JAcYKA==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/expired1.example.net/cert8.db
new file mode 100644
index 0000000..85ea017
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.chain.pem
new file mode 100644
index 0000000..1550cf2
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+    friendlyName: expired1.example.net
+    localKeyID: 1E 0D 7E 35 C6 DD 12 8A 56 2B C8 44 4B 60 A9 95 DC 68 6F 37 
+subject=/CN=expired1.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwNFoXDTEyMTIwMTEyMzQwNFowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
+ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA+LXqjv5NnRW2OlKWyYYH8ZFb
+Fj4xAdg4qSa1WK/wlUUdpQldGzpDuq/BzuyQdJjp1vSnqhKjfxz0ef9xJievdwID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
+bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EA0dUUjXeu21xQo+AsptLSwmzhn+EV8ixI
+757XRkCnAN0mOZZHcv+imuiEXpf62J+wNyWKNCWu2iPttov/JAcYKA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.key b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.key
new file mode 100644
index 0000000..00adfe8
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.key
@@ -0,0 +1,15 @@
+Bag Attributes
+    friendlyName: expired1.example.net
+    localKeyID: 1E 0D 7E 35 C6 DD 12 8A 56 2B C8 44 4B 60 A9 95 DC 68 6F 37 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIEobdAguY51UCAggA
+MBQGCCqGSIb3DQMHBAjyQJzMIkx+swSCAWBoW5JocLm3XvmW7cnK8Np23KqUs4ST
+MG68rJY6pLqdGkn8aK0yZfecdpuHoFCZRdxQy9ztdofB50tkr7evlTuM1u40/9b0
+ygZ9ajxESZmF5mS8r6dFGXOBq7UrMpEvod1lujpP3hwtkqJOlPFhacPUestqDjP4
+zDmEmKQYyRx4DQ3QM4T2Wuc1S8TSECcMLsOgZhOxGULIzmtxceftS/V9NYewZsne
+Q05TKH7ygWGvUyYEgDlFlBAk8CAiqIBBz3fU2bmWfR5p6hoSTqGeLlAL7fTid8Vf
+g4HEfthygRC28+s5r/MbMBJKwTdRHnQbmK4rOxFUhYCkV8Df28Ukx/RaA9CKjbQl
+2fnuTRAms72szZRoKsdS3xVgyaOdgdhVJKWP2QAUvzblX/wpKr9BwrbqIhXOqEiv
+9/yCVqUg20sjNvYyw/2Zv9t+g9u3d5CMyU37e8AT8X3DExmpleiOdX4J
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.dated.resp
new file mode 100644
index 0000000..8831013
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.good.resp
new file mode 100644
index 0000000..3b2606d
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.req
new file mode 100644
index 0000000..c67ed9c
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.revoked.resp
new file mode 100644
index 0000000..6b8b763
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.p12 b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.p12
new file mode 100644
index 0000000..84f4bf5
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.pem b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.pem
new file mode 100644
index 0000000..310db9b
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+    friendlyName: expired1.example.net
+    localKeyID: 1E 0D 7E 35 C6 DD 12 8A 56 2B C8 44 4B 60 A9 95 DC 68 6F 37 
+subject=/CN=expired1.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwNFoXDTEyMTIwMTEyMzQwNFowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
+ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA+LXqjv5NnRW2OlKWyYYH8ZFb
+Fj4xAdg4qSa1WK/wlUUdpQldGzpDuq/BzuyQdJjp1vSnqhKjfxz0ef9xJievdwID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
+bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EA0dUUjXeu21xQo+AsptLSwmzhn+EV8ixI
+757XRkCnAN0mOZZHcv+imuiEXpf62J+wNyWKNCWu2iPttov/JAcYKA==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.unlocked.key
new file mode 100644
index 0000000..77c8dad
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAPi16o7+TZ0VtjpSlsmGB/GRWxY+MQHYOKkmtViv8JVFHaUJXRs6
+Q7qvwc7skHSY6db0p6oSo38c9Hn/cSYnr3cCAwEAAQJBAK1O9tgV1Te1PXp+upxL
+TZXD2FkzlSrX5QPZ+VyHnXolg8XNhx2pA1J4iJrnvooWQRZuWRhi/p8g2ygJ8B6I
+60ECIQD/cO5OrdRWg3EBgoCWN7WAZ53qMmSRxAnMt95W5yujGQIhAPlBNzbQr2Z7
+DVvwCc2ERxuaFGTcLZH/x+oRhZ9jr0kPAiB/79froDSRgBPBZdNxaUWGol79RXAJ
+cd5WomDBtdatQQIgAVyP1qbRLnghnIz1IMBGOypeTia9wPxqtSafWj2LKZUCID/d
+8buaLYm3yYYAQwbTBtb89+gpRg0I51DFS6fNIuU4
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/expired1.example.net/key3.db
new file mode 100644
index 0000000..9919dfa
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/pwdfile b/test/aux-fixed/exim-ca/example.net/expired1.example.net/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/secmod.db b/test/aux-fixed/exim-ca/example.net/expired1.example.net/secmod.db
new file mode 100644
index 0000000..4347c0d
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/expired2.example.net/ca_chain.pem
new file mode 100644
index 0000000..323ae16
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+    friendlyName: Signing Cert
+subject=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority
+subject=/O=example.net/CN=clica CA
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
+SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
+iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: expired2.example.net
+    localKeyID: 1A 68 61 A3 03 A4 DC 65 19 7A 7E 5E 65 37 39 DB E3 CB 56 AC 
+subject=/CN=expired2.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDVaFw0xMjEyMDExMjM0MDVaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
+bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMRPNIrjXhmHfWrc/c+K9esj
+3cXECi38lpKgZyhqN8CjRvifIaMoZaCPoXoppyC3MmtLhT5JnYe8+1vSApl9jPUC
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
+cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAMmrnrUFZRECJcDk4BGSMQp5vvC/uHi0
+1NSP3Ki4Yu+CbXUHtgZqwOB5abU8INeLbJoab2stMFsdevzRYuuqb7s=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/expired2.example.net/cert8.db
new file mode 100644
index 0000000..6df2cda
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.chain.pem
new file mode 100644
index 0000000..b8e34d0
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+    friendlyName: expired2.example.net
+    localKeyID: 1A 68 61 A3 03 A4 DC 65 19 7A 7E 5E 65 37 39 DB E3 CB 56 AC 
+subject=/CN=expired2.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDVaFw0xMjEyMDExMjM0MDVaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
+bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMRPNIrjXhmHfWrc/c+K9esj
+3cXECi38lpKgZyhqN8CjRvifIaMoZaCPoXoppyC3MmtLhT5JnYe8+1vSApl9jPUC
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
+cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAMmrnrUFZRECJcDk4BGSMQp5vvC/uHi0
+1NSP3Ki4Yu+CbXUHtgZqwOB5abU8INeLbJoab2stMFsdevzRYuuqb7s=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.key b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.key
new file mode 100644
index 0000000..382ad41
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.key
@@ -0,0 +1,15 @@
+Bag Attributes
+    friendlyName: expired2.example.net
+    localKeyID: 1A 68 61 A3 03 A4 DC 65 19 7A 7E 5E 65 37 39 DB E3 CB 56 AC 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIU+oGNqBSHjcCAggA
+MBQGCCqGSIb3DQMHBAjYaI7Iob+lDASCAWDAZIbvl/AbphvMZhynrCFGzj6iN309
+N+U1mQPGWD6hisPfA4aTpIQyHtVah6KCE1fbzGFgiNULsfByVj4XBRbetiVKMuWA
+xs/EEcPhNRG0KOeRxzDtSpM0lG078XAC4p7wgqvhf4R9524Vq4PpYzt+tKfh0rPC
+leF7VFJ5vi7Tms7q1wqtL76Wgibq4m43XoFrYMbQL2qbXl98rRAP6R6u852f4L/D
+Cy1EGsgWIdGjCPQRxdwC0Vf1vIjaspXBmVhbFJR9Djp48DShbAO11cXRSIligH6t
+7p+aesQM/illunmCaMzMYFAjdrMYZEO1bqVdU5Nd7/tlQQLgHSdo+iD6XLnci7dw
+elQ9bRxYVMEDX16kTXd4NU6xP0Zpac5XHu4ji2PKlSOSxQh5GbPICXdEH7K/Oshv
+CUIZbYnlGsOT2uFgnChtUeIwc6OXcSv3LLXIwzg0ec7yN83j0r3jQRQx
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.dated.resp
new file mode 100644
index 0000000..7f6c27b
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.good.resp
new file mode 100644
index 0000000..a9ad370
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.req
new file mode 100644
index 0000000..4684f07
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.revoked.resp
new file mode 100644
index 0000000..a9ad370
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.p12 b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.p12
new file mode 100644
index 0000000..8f9ef94
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.pem b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.pem
new file mode 100644
index 0000000..8c10ace
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+    friendlyName: expired2.example.net
+    localKeyID: 1A 68 61 A3 03 A4 DC 65 19 7A 7E 5E 65 37 39 DB E3 CB 56 AC 
+subject=/CN=expired2.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDVaFw0xMjEyMDExMjM0MDVaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
+bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMRPNIrjXhmHfWrc/c+K9esj
+3cXECi38lpKgZyhqN8CjRvifIaMoZaCPoXoppyC3MmtLhT5JnYe8+1vSApl9jPUC
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
+cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAMmrnrUFZRECJcDk4BGSMQp5vvC/uHi0
+1NSP3Ki4Yu+CbXUHtgZqwOB5abU8INeLbJoab2stMFsdevzRYuuqb7s=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.unlocked.key
new file mode 100644
index 0000000..12a48de
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAMRPNIrjXhmHfWrc/c+K9esj3cXECi38lpKgZyhqN8CjRvifIaMo
+ZaCPoXoppyC3MmtLhT5JnYe8+1vSApl9jPUCAwEAAQJAOCkksfs8B3ewlKrmXcK2
+ee/H2XUtKFzTwtzqxjAlBRHwxgSOZr4rn10t+R4j6cvLqhfbXGu0p+1oGgFCYAe6
+/QIhAOU/L1TRGgE1Q0gR+BSyWTlHNSXu1wmy0j/nVSk1fb2bAiEA2zgBX7vxRt1M
+d7AKLfqjpMKolmMUyWNQdGFI/+Ch0K8CIHsFMkAgygS18XoecnOg1bKgHMxTZEBH
+Hv6+BHxNwUFbAiBpXA98/Y1G69F2rMsXsiC4bT4tmU1CRVNDvAYjxMjAzQIhAOHO
+1ynQHqtSfjlkpZtcNqey2SlcqXz7xI/aEXVYj5Q4
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/expired2.example.net/key3.db
new file mode 100644
index 0000000..4489ac3
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/pwdfile b/test/aux-fixed/exim-ca/example.net/expired2.example.net/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/secmod.db b/test/aux-fixed/exim-ca/example.net/expired2.example.net/secmod.db
new file mode 100644
index 0000000..372213d
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/ca_chain.pem
new file mode 100644
index 0000000..cba5fac
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+    friendlyName: Signing Cert
+subject=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority
+subject=/O=example.net/CN=clica CA
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
+SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
+iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: revoked1.example.net
+    localKeyID: 3A 08 2E BA 85 F0 DD 7E C5 FE 51 92 BD 0B C7 35 9D 56 6B A5 
+subject=/CN=revoked1.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwNFoXDTM4MDEwMTEyMzQwNFowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
+ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAr20bGUprpXdQGlk/FW+RJ19l
+FZ//slFysFeG3PEVjVjCnvsoxBFZJFVyfHhyxTvVYdoC6BVZfs9HRAjgZuBImQID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
+bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EACw87yNDj6DBkvF+i1qUyw6vqijmPyOQZ
+4S+UOCyyNSsJrA1VMjRjAqGTgyU0OFtfcGuhvZ1ZnlFrvVog/icGcw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/cert8.db
new file mode 100644
index 0000000..e10dae1
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/key3.db
new file mode 100644
index 0000000..57ab103
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/pwdfile b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.chain.pem
new file mode 100644
index 0000000..6db7016
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+    friendlyName: revoked1.example.net
+    localKeyID: 3A 08 2E BA 85 F0 DD 7E C5 FE 51 92 BD 0B C7 35 9D 56 6B A5 
+subject=/CN=revoked1.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwNFoXDTM4MDEwMTEyMzQwNFowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
+ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAr20bGUprpXdQGlk/FW+RJ19l
+FZ//slFysFeG3PEVjVjCnvsoxBFZJFVyfHhyxTvVYdoC6BVZfs9HRAjgZuBImQID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
+bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EACw87yNDj6DBkvF+i1qUyw6vqijmPyOQZ
+4S+UOCyyNSsJrA1VMjRjAqGTgyU0OFtfcGuhvZ1ZnlFrvVog/icGcw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.key b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.key
new file mode 100644
index 0000000..d67c105
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.key
@@ -0,0 +1,15 @@
+Bag Attributes
+    friendlyName: revoked1.example.net
+    localKeyID: 3A 08 2E BA 85 F0 DD 7E C5 FE 51 92 BD 0B C7 35 9D 56 6B A5 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQITLxrgeizo7ACAggA
+MBQGCCqGSIb3DQMHBAiR0pknm91lSASCAWAoe8AKx1R5elFbE1FAZaGyPjegmgc5
+qFLKuVzK43OMKRphZJPKRSa12rzz40qRozJItXiDNL1+qt+IbOirtUlvvKu+5cdC
+oHQgSjA58Is1DN6f+OqD7v7S1ZdXrtyMmtvaHLfjsgX7f9acq8Q7OrcdVcJksVRL
+7yCULtR0NRxG+elh5lF9SNY+1f8Hee/dfP3LmyE+leO5ECfOWcIFLBCjLbdmMQFf
+lIodgPiy1qjuGwuXZQy/3s1tZ4p2R6dQ7FrPWCyDAxkd/Vw5+BWZ/UJD8GDKtvLL
+E9lyYuUg7KUaWiSSdsHmXMyrs+xdW+1GHqAVkuJqjWR2nxtXBDQ7GIaDfZr7nosR
+OR5ABpVtZ0eAiJz7qX3WjxtoQJ/7RRPYOnINzyRVgHHHVekyFdYd1OiQDgVoh+08
+HOOA6ZbXLyOCGqh5Syp0RAn7d8qSfX/Z8l6wnxblNG16noDPRbNGf9rU
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.dated.resp
new file mode 100644
index 0000000..3c7ac69
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.good.resp
new file mode 100644
index 0000000..71c6b2d
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.req
new file mode 100644
index 0000000..829b621
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.revoked.resp
new file mode 100644
index 0000000..8549f0e
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.p12 b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.p12
new file mode 100644
index 0000000..91af59f
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.pem b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.pem
new file mode 100644
index 0000000..286a0ef
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+    friendlyName: revoked1.example.net
+    localKeyID: 3A 08 2E BA 85 F0 DD 7E C5 FE 51 92 BD 0B C7 35 9D 56 6B A5 
+subject=/CN=revoked1.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwNFoXDTM4MDEwMTEyMzQwNFowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
+ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAr20bGUprpXdQGlk/FW+RJ19l
+FZ//slFysFeG3PEVjVjCnvsoxBFZJFVyfHhyxTvVYdoC6BVZfs9HRAjgZuBImQID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
+bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EACw87yNDj6DBkvF+i1qUyw6vqijmPyOQZ
+4S+UOCyyNSsJrA1VMjRjAqGTgyU0OFtfcGuhvZ1ZnlFrvVog/icGcw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.unlocked.key
new file mode 100644
index 0000000..412042f
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOwIBAAJBAK9tGxlKa6V3UBpZPxVvkSdfZRWf/7JRcrBXhtzxFY1Ywp77KMQR
+WSRVcnx4csU71WHaAugVWX7PR0QI4GbgSJkCAwEAAQJAMvRiFqqDMgDCB6U8qaFK
+bEFNP0bGIql9wrLpvWtZc0CFyhV6LSjMBQSQp92r1tMlB4NKQ7leLb7XXgrPRswY
+AQIhANW94AFeO6+yIhd1OQuizl8SBQwCi0gvlMqsrf3kyDrZAiEA0hv3G/VQWPKY
+n/wikupIE/8jbJvLWLRYYWn6eGg6Y8ECIQC7RN0a1cFdsqkD/IS6mS5PRa5+U0xN
+NsMawCjBps14IQIhAL24JLypGSEIBYrIl8uDIwxzYGBMmSQCzJ9Bm7onmznBAiAe
+YGSy1e3Vji/YwZGuEyGrVl+BEIQ1p0vUgRZ7aEpVpQ==
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/secmod.db b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/secmod.db
new file mode 100644
index 0000000..d38550f
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/ca_chain.pem
new file mode 100644
index 0000000..9bd3617
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+    friendlyName: Signing Cert
+subject=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority
+subject=/O=example.net/CN=clica CA
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
+SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
+iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: revoked2.example.net
+    localKeyID: 60 8E D5 FB A7 97 B2 E8 F9 84 11 4F 91 1D 3C 91 B8 19 E8 97 
+subject=/CN=revoked2.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDRaFw0zODAxMDExMjM0MDRaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
+bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMj2mEnZY8N38XJ5ZLTymH2J
+hBNiubBU4ddvVQ0y48E/b5fbYwJI458bKgyNhqQtO/MG15oIndFpbazcp1p8++8C
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
+cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAD46Iw05ofRAaw9+yeTDPIydjl1Pkb1/
+ma4/qSK7p8BU/pMN3SH4qxKW7z6nNregMW48d5KcSxUPBmWmDCM8u70=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/cert8.db
new file mode 100644
index 0000000..b05fa01
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/key3.db
new file mode 100644
index 0000000..5f70c4b
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/pwdfile b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.chain.pem
new file mode 100644
index 0000000..e872801
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+    friendlyName: revoked2.example.net
+    localKeyID: 60 8E D5 FB A7 97 B2 E8 F9 84 11 4F 91 1D 3C 91 B8 19 E8 97 
+subject=/CN=revoked2.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDRaFw0zODAxMDExMjM0MDRaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
+bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMj2mEnZY8N38XJ5ZLTymH2J
+hBNiubBU4ddvVQ0y48E/b5fbYwJI458bKgyNhqQtO/MG15oIndFpbazcp1p8++8C
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
+cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAD46Iw05ofRAaw9+yeTDPIydjl1Pkb1/
+ma4/qSK7p8BU/pMN3SH4qxKW7z6nNregMW48d5KcSxUPBmWmDCM8u70=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.key b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.key
new file mode 100644
index 0000000..681886b
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.key
@@ -0,0 +1,15 @@
+Bag Attributes
+    friendlyName: revoked2.example.net
+    localKeyID: 60 8E D5 FB A7 97 B2 E8 F9 84 11 4F 91 1D 3C 91 B8 19 E8 97 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIfHUUKZHRP88CAggA
+MBQGCCqGSIb3DQMHBAiGHts1xOcjYASCAWA+TB8P6+MMx7kHWAIrO7eIwxXI/ivw
+gKWa/XVFtZeZcBYCdjR0Ubfsv3emeWtZ72badVNNOgbUqaMsTraqYePGS9fVIk8e
+Pn3PjKdd7rODvSTN647CrN6ng0x1yYW/RVo5v5CnoantSojUY5eNhO+iSGPFgbvj
+h8s0uKZ3+KxlySpIJX9RU/LJQUfrdCAGkdIuPEi4graL8Z9pjyORqppYNCI+u+VG
+m76zMJq9vxBcn6v3/DpVCFL7gokwD0GgMtWtTeXiP1Yn92dsn3DPVNI/ieE1ogJs
+8WVWmTNBm0UuN0GiUWqQUXv3cqFpNArL/BObHJGWyHObUz3FgDpkP4crmhrFN2Ao
+cT34tYaN9SGfoYA+MI2DqKQ0M8aGBvbL5CVGqJqWiVB71jG+JsdS0Q+7K5JQ5d/O
+xiynUVJ8FhZBQshqPXAkPD8lOeFQ2QZp53RUSlI3d04Cy8FAZr3HzqEZ
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.dated.resp
new file mode 100644
index 0000000..834df2a
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.good.resp
new file mode 100644
index 0000000..f110fab
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.req
new file mode 100644
index 0000000..0c271ad
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.revoked.resp
new file mode 100644
index 0000000..f110fab
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.p12 b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.p12
new file mode 100644
index 0000000..368429e
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.pem b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.pem
new file mode 100644
index 0000000..8862a6b
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+    friendlyName: revoked2.example.net
+    localKeyID: 60 8E D5 FB A7 97 B2 E8 F9 84 11 4F 91 1D 3C 91 B8 19 E8 97 
+subject=/CN=revoked2.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDRaFw0zODAxMDExMjM0MDRaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
+bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMj2mEnZY8N38XJ5ZLTymH2J
+hBNiubBU4ddvVQ0y48E/b5fbYwJI458bKgyNhqQtO/MG15oIndFpbazcp1p8++8C
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
+cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAD46Iw05ofRAaw9+yeTDPIydjl1Pkb1/
+ma4/qSK7p8BU/pMN3SH4qxKW7z6nNregMW48d5KcSxUPBmWmDCM8u70=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.unlocked.key
new file mode 100644
index 0000000..4c90105
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOwIBAAJBAMj2mEnZY8N38XJ5ZLTymH2JhBNiubBU4ddvVQ0y48E/b5fbYwJI
+458bKgyNhqQtO/MG15oIndFpbazcp1p8++8CAwEAAQJAdkDE9A+7qLXXmejc3a0z
+FgvpcA7T/XK1QjP89DtR0dAbM0tLdWyhshLNcNSW6urwYKkPmw7jPmW1wC14/Ob3
+IQIhAOg4d+nA1BNR2+L2dDJhdTPWzVWERwsMaBVMsKYg8TbjAiEA3Yq7xYMK0aNU
+XTvzTnmr+y51Ce5BQK9U2q/B1kyIKIUCIDQZ902K5govo5YYlZl4JEOtPgSh2Q6x
+iei9fCTJ31ThAiEAg28IQYCiDYeJyJqFmZwjxSxlsVORkO+0Nt2o8RuMeAUCIQCj
+IPd5zjwu8dkolqvof1uMm3An3YhSLWSlJK1BSAk2Yw==
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/secmod.db b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/secmod.db
new file mode 100644
index 0000000..a2fa5b6
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/server1.example.net/ca_chain.pem
new file mode 100644
index 0000000..4696e4e
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+    friendlyName: Signing Cert
+subject=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority
+subject=/O=example.net/CN=clica CA
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
+SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
+iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: server1.example.net
+    localKeyID: 4C 81 72 95 D9 D6 9C FD 7A B1 C0 66 9F 85 A7 01 93 A4 6E D7 
+subject=/CN=server1.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwNFoXDTM4MDEwMTEyMzQwNFowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+Lm5ldDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDCtN2Y0S4oROnlfkTeUH2ULUVs
+RShAIKdxlXRo+F09rEBzNKKNC4ZWIr+pc8U+iQzGGTiiCTfeq9bI0Uef1493AgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+bmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLm5ldC8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+Lm5ldDANBgkqhkiG9w0BAQUFAANBAEMi4SnbMDOvnQk2UkvvNVGyBEXNsuskNzo9
+5wAY6x0bUZ6XWZ8+kM60gbmOqwfPA6pw/w7ui3XJ1Ac3BAUverQ=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/server1.example.net/cert8.db
new file mode 100644
index 0000000..3c1b67c
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server1.example.net/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/server1.example.net/key3.db
new file mode 100644
index 0000000..f9104cf
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server1.example.net/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/pwdfile b/test/aux-fixed/exim-ca/example.net/server1.example.net/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/secmod.db b/test/aux-fixed/exim-ca/example.net/server1.example.net/secmod.db
new file mode 100644
index 0000000..5353087
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server1.example.net/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem
new file mode 100644
index 0000000..4d4431b
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+    friendlyName: server1.example.net
+    localKeyID: 4C 81 72 95 D9 D6 9C FD 7A B1 C0 66 9F 85 A7 01 93 A4 6E D7 
+subject=/CN=server1.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwNFoXDTM4MDEwMTEyMzQwNFowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+Lm5ldDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDCtN2Y0S4oROnlfkTeUH2ULUVs
+RShAIKdxlXRo+F09rEBzNKKNC4ZWIr+pc8U+iQzGGTiiCTfeq9bI0Uef1493AgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+bmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLm5ldC8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+Lm5ldDANBgkqhkiG9w0BAQUFAANBAEMi4SnbMDOvnQk2UkvvNVGyBEXNsuskNzo9
+5wAY6x0bUZ6XWZ8+kM60gbmOqwfPA6pw/w7ui3XJ1Ac3BAUverQ=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.key b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.key
new file mode 100644
index 0000000..d01d43b
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.key
@@ -0,0 +1,15 @@
+Bag Attributes
+    friendlyName: server1.example.net
+    localKeyID: 4C 81 72 95 D9 D6 9C FD 7A B1 C0 66 9F 85 A7 01 93 A4 6E D7 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQItqv8KkyfDOECAggA
+MBQGCCqGSIb3DQMHBAi+cLfRJYwdhASCAWDijpItKwM1N1Tk9po65/Et0DLcJt8h
+UNc26UWxg4uGMcbyHJv5+OZDhAjla1GwFLBZDQwCsnvwfjHfpwFpSx4Mxj4SMGrx
+YCwSB8smLl5cZNJpm2N3JVlrX/ZHR1plwtVccOf9Ry7MFoyj9YcXTs9N39zmpYDD
+Oi81eD2CzGEP2NqyycJK3Fu0OMUNT5RYHF7Nja6mGjzyul8rDPHPOcwQ0CCEHUmF
+3FaMqji+aCpJ+BeFwcVYZjiuQx4ajKXnu8g4KEa1S59KgSRiAdL8Ih1dN5qrDJB5
+dDTo37DneR1RkudMs2OcbMnbhyWQZ/AhfUqqFM7NLnDSVwhUtL9kPzjqIA1+l9V6
+27ANditdhs3fS6026sC3MMJRrPXmZGU3GuItxi1hU/CjiCb54VsK8MEhWpzU6QiS
++UXkPYKauZKsGtfn0sI8ZUCEyo2vF79KAIGK6DYQ6dIOmjvKqz2xgng/
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.dated.resp
new file mode 100644
index 0000000..8dc2a09
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.good.resp
new file mode 100644
index 0000000..b2cb446
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.req
new file mode 100644
index 0000000..0057816
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.revoked.resp
new file mode 100644
index 0000000..5e9cee6
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.p12 b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.p12
new file mode 100644
index 0000000..9596af0
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.pem b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.pem
new file mode 100644
index 0000000..4d14e20
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+    friendlyName: server1.example.net
+    localKeyID: 4C 81 72 95 D9 D6 9C FD 7A B1 C0 66 9F 85 A7 01 93 A4 6E D7 
+subject=/CN=server1.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwNFoXDTM4MDEwMTEyMzQwNFowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+Lm5ldDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDCtN2Y0S4oROnlfkTeUH2ULUVs
+RShAIKdxlXRo+F09rEBzNKKNC4ZWIr+pc8U+iQzGGTiiCTfeq9bI0Uef1493AgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+bmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLm5ldC8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+Lm5ldDANBgkqhkiG9w0BAQUFAANBAEMi4SnbMDOvnQk2UkvvNVGyBEXNsuskNzo9
+5wAY6x0bUZ6XWZ8+kM60gbmOqwfPA6pw/w7ui3XJ1Ac3BAUverQ=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
new file mode 100644
index 0000000..4224283
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAMK03ZjRLihE6eV+RN5QfZQtRWxFKEAgp3GVdGj4XT2sQHM0oo0L
+hlYiv6lzxT6JDMYZOKIJN96r1sjRR5/Xj3cCAwEAAQJAYR333g6QeFOPWwH1dfIu
+ASfnlc6U+g+PlY8XhnhDgcu2le3IQuOaI0sw/X0vZdhEKJpDHJ1hKGxIQpOB2R/P
+EQIhAPUMh9+sUsZSnNbhEggO8h6F4TeLoAVJNzUtW5UvmBgvAiEAy2hlFkLXlP0t
+VYwmNqyCs8Jhf0SIrnhPw3ynJhxgYzkCIQDlHd48yAZs3/k9ABu35SGEYHD/WlE4
+IAi6c7pZdrKiiQIgEH48hBuTY29L973Pc2t1haHjSfCCrLLwtMcsvnhakHECIEuy
+0/MQz7IYZNJ7g36j3jjv8vFkAdDCGyKzuMGLoq9p
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/server2.example.net/ca_chain.pem
new file mode 100644
index 0000000..39e5eed
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+    friendlyName: Signing Cert
+subject=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority
+subject=/O=example.net/CN=clica CA
+issuer=/O=example.net/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
+SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
+iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: server2.example.net
+    localKeyID: E6 14 E8 D3 C2 D6 33 C5 46 4A 62 47 B7 C2 BA D6 3B 26 F2 56 
+subject=/CN=server2.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDRaFw0zODAxMDExMjM0MDRaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoXux6WdUK5xq7w+eMCFo2iEE
+GCUYpmqc4H6AmgxmglEfrndnKMv/fLRJpMUMe65a2fIPdMaZO6uX/fBDYSeUjwID
+AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5uZXQvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
+ZS5uZXQwDQYJKoZIhvcNAQEFBQADQQBhKq+CoKmxvdEJ4+AlNsJGpByKiwsDo0Cz
+mtgyGnn4a+3kkKYb2/KWosrBBLIzZbuzQ6sAjDKKioKJy7+ENuki
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/server2.example.net/cert8.db
new file mode 100644
index 0000000..0478b4b
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server2.example.net/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/server2.example.net/key3.db
new file mode 100644
index 0000000..11649e0
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server2.example.net/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/pwdfile b/test/aux-fixed/exim-ca/example.net/server2.example.net/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/secmod.db b/test/aux-fixed/exim-ca/example.net/server2.example.net/secmod.db
new file mode 100644
index 0000000..4bdbe54
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server2.example.net/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.chain.pem
new file mode 100644
index 0000000..8f2b6af
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+    friendlyName: server2.example.net
+    localKeyID: E6 14 E8 D3 C2 D6 33 C5 46 4A 62 47 B7 C2 BA D6 3B 26 F2 56 
+subject=/CN=server2.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDRaFw0zODAxMDExMjM0MDRaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoXux6WdUK5xq7w+eMCFo2iEE
+GCUYpmqc4H6AmgxmglEfrndnKMv/fLRJpMUMe65a2fIPdMaZO6uX/fBDYSeUjwID
+AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5uZXQvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
+ZS5uZXQwDQYJKoZIhvcNAQEFBQADQQBhKq+CoKmxvdEJ4+AlNsJGpByKiwsDo0Cz
+mtgyGnn4a+3kkKYb2/KWosrBBLIzZbuzQ6sAjDKKioKJy7+ENuki
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
+MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
+392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
+d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
+Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.key b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.key
new file mode 100644
index 0000000..0375904
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.key
@@ -0,0 +1,15 @@
+Bag Attributes
+    friendlyName: server2.example.net
+    localKeyID: E6 14 E8 D3 C2 D6 33 C5 46 4A 62 47 B7 C2 BA D6 3B 26 F2 56 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQId2/8mqWfInACAggA
+MBQGCCqGSIb3DQMHBAgvDNlX6TpnZQSCAWD27NSWhbC88NONthVEEIHARSoUieXl
+Hsker9qC52voq+kSQf4sFmifD9SgestoXFoxBOWi4mnO2uwUqu/yC3Igrr0DE0VH
+zXapBoEbd7Yr4y5BN7M5+oQPGjxCUocP3Bp9dxvo5T3lFLtmaBvdBucVHvn6UqzX
+uUZw3O1LdoMm6PqZXBh8vzhapYq5I5oMOhWJsJrauSfXaBJObeo3MgFF6WfUQlnI
+fR/O7uJ00t+ArvdkQVIDT70FWWAFvt9DDtVIUcva8BfiGEjPjqso0tElTzPRqRrs
+WmS1jn1Lf/EVaVSOIIecjHodxeA7R/vMlG+5U/PcgfeYMEFyn0Aj/tUvdR6tTAUy
+1K5zFEGG5YCY2e0HmVyc/qvOoSPwi7f8eJEziTuv2nXlPrjd74OcGn1ffXyMeDZ6
+gDAQB9pe/7m9OZ9MAxuak4DEyFMdNJTFJ3il0ILAi8R2GOGA+TVSrGAT
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.dated.resp
new file mode 100644
index 0000000..edb418a
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.good.resp
new file mode 100644
index 0000000..dcb27f2
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.req
new file mode 100644
index 0000000..54d932e
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.revoked.resp
new file mode 100644
index 0000000..dda468d
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.p12 b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.p12
new file mode 100644
index 0000000..e54fff3
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.pem b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.pem
new file mode 100644
index 0000000..e973e00
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+    friendlyName: server2.example.net
+    localKeyID: E6 14 E8 D3 C2 D6 33 C5 46 4A 62 47 B7 C2 BA D6 3B 26 F2 56 
+subject=/CN=server2.example.net
+issuer=/O=example.net/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDRaFw0zODAxMDExMjM0MDRaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoXux6WdUK5xq7w+eMCFo2iEE
+GCUYpmqc4H6AmgxmglEfrndnKMv/fLRJpMUMe65a2fIPdMaZO6uX/fBDYSeUjwID
+AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5uZXQvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
+ZS5uZXQwDQYJKoZIhvcNAQEFBQADQQBhKq+CoKmxvdEJ4+AlNsJGpByKiwsDo0Cz
+mtgyGnn4a+3kkKYb2/KWosrBBLIzZbuzQ6sAjDKKioKJy7+ENuki
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.unlocked.key
new file mode 100644
index 0000000..74b3501
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAKF7selnVCucau8PnjAhaNohBBglGKZqnOB+gJoMZoJRH653ZyjL
+/3y0SaTFDHuuWtnyD3TGmTurl/3wQ2EnlI8CAwEAAQJAGXXkRjWperrNzWV7/oC2
+BHZiK+Blc4+prmejpSZBX1hk5XFL8vMx3H1yYnYj3LLr2MzuZ7W410GXBvZkfOy5
+uQIhANSjR5qV2dgzdI7nTjPXZOVPHfh9S4RbgCa8nbm+Yg59AiEAwmnlkEP8BMHx
+8GeuItJyuIQYXU/TRFIAB5N9nDWO4PsCIFvZj/OJaUlHqMCVz6T7FL0suMB+tuEc
+eTXCYcs7HrYtAiEAi4ivv+xbbBq7B72SSOHcfrwoNIi/bBCifs2H4N67zpMCIBpU
+fl/bfvpZ2FtBsZ1yMTgTXzaZyOllhYkaZO3bvQYU
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/CA.pem b/test/aux-fixed/exim-ca/example.org/BLANK/CA.pem
new file mode 100644
index 0000000..bdb4c06
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/BLANK/CA.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
+x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
+LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/Signer.pem b/test/aux-fixed/exim-ca/example.org/BLANK/Signer.pem
new file mode 100644
index 0000000..bbcf3ac
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/BLANK/Signer.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/cert8.db b/test/aux-fixed/exim-ca/example.org/BLANK/cert8.db
new file mode 100644
index 0000000..173ac18
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/BLANK/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/key3.db b/test/aux-fixed/exim-ca/example.org/BLANK/key3.db
new file mode 100644
index 0000000..f4cc9de
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/BLANK/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/pwdfile b/test/aux-fixed/exim-ca/example.org/BLANK/pwdfile
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/BLANK/pwdfile
@@ -0,0 +1 @@
+
diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/secmod.db b/test/aux-fixed/exim-ca/example.org/BLANK/secmod.db
new file mode 100644
index 0000000..8a83193
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/BLANK/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/CA/CA.pem b/test/aux-fixed/exim-ca/example.org/CA/CA.pem
new file mode 100644
index 0000000..bdb4c06
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/CA.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
+x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
+LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/CA/OCSP.key b/test/aux-fixed/exim-ca/example.org/CA/OCSP.key
new file mode 100644
index 0000000..4248964
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/OCSP.key
@@ -0,0 +1,14 @@
+Bag Attributes
+    friendlyName: OCSP Signer
+    localKeyID: 89 7C 3C C4 3E 60 FD AA 47 69 0A 11 1B 17 C9 BD 6B D2 DA 1E 
+Key Attributes: <No Attributes>
+-----BEGIN PRIVATE KEY-----
+MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAl1EzD7A3887Wit6D
+uE5WOuTdCD4RVQFBa85RFHZd/Q3Yiw5SXh7gQaykL/4mrFHzgbKNgj6WmjBp4tNI
+FQYqJQIDAQABAkBNigd/X46cef5IdRPMayAW19ZH9f5Nr/IFO1kjAjDRjfASDkBN
+V/rMV+78Rh5fOAj1S74VILvKTaaLWhvkDOF1AiEAxxhzyV1rOrdo/tp7W6uD5m0g
+OTxUZYn/6Ec/Kkb6SjsCIQDCkN8rSD+IkhJ3zQOvCi2Onxjon5mE4mkbhZLq84W3
+HwIhAJbbRlCbwnY5JwuEjNgG++iLY1E7D0/o4skjww7LvTalAiBCCbH1mtwVmp6y
+Et/BNY8o7U8jBaixtbc/JCMto+IquQIhAI6flaLC9nQbBh6BX6GVeGu3XS9M/jFe
+EK9fMWn71opJ
+-----END PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/CA/OCSP.p12 b/test/aux-fixed/exim-ca/example.org/CA/OCSP.p12
new file mode 100644
index 0000000..e247406
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/CA/OCSP.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/CA/OCSP.pem b/test/aux-fixed/exim-ca/example.org/CA/OCSP.pem
new file mode 100644
index 0000000..287e61e
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/OCSP.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBgDCCASqgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMloXDTM4MDEwMTEyMzQwMlowMjEUMBIGA1UEChMLZXhhbXBsZS5vcmcxGjAY
+BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJB
+AJdRMw+wN/PO1oreg7hOVjrk3Qg+EVUBQWvOURR2Xf0N2IsOUl4e4EGspC/+JqxR
+84GyjYI+lpowaeLTSBUGKiUCAwEAAaMqMCgwDgYDVR0PAQH/BAQDAgeAMBYGA1Ud
+JQEB/wQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBBQUAA0EAZe2NAm2FGEJuLkyZ
+AiGPi2pdu5ngE+vQhyTFR3EJ4L6HDkNGE5Mv7lrsSSWU47N3R+Oo+glEau6SyTb1
+zMIYxQ==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/CA/Signer.pem b/test/aux-fixed/exim-ca/example.org/CA/Signer.pem
new file mode 100644
index 0000000..bbcf3ac
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/Signer.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/CA/ca.conf b/test/aux-fixed/exim-ca/example.org/CA/ca.conf
new file mode 100644
index 0000000..9d6d2ed
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/ca.conf
@@ -0,0 +1,18 @@
+; Config::Simple 4.59
+; Thu Nov  1 12:34:02 2012
+
+[CLICA]
+crl_url=http://crl.example.org/latest.crl
+crl_signer=Signing Cert
+level=1
+signer=Signing Cert
+ocsp_signer=OCSP Signer
+ocsp_url=http://oscp/example.org/
+
+[CA]
+org=example.org
+subject=clica CA
+name=Certificate Authority
+bits=512
+
+
diff --git a/test/aux-fixed/exim-ca/example.org/CA/cert8.db b/test/aux-fixed/exim-ca/example.org/CA/cert8.db
new file mode 100644
index 0000000..7f25f8d
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/CA/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.empty b/test/aux-fixed/exim-ca/example.org/CA/crl.empty
new file mode 100644
index 0000000..f35edb0
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/CA/crl.empty differ
diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.empty.in.txt b/test/aux-fixed/exim-ca/example.org/CA/crl.empty.in.txt
new file mode 100644
index 0000000..250311c
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/crl.empty.in.txt
@@ -0,0 +1 @@
+update=20130127152434Z 
diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.empty.pem b/test/aux-fixed/exim-ca/example.org/CA/crl.empty.pem
new file mode 100644
index 0000000..292e871
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/crl.empty.pem
@@ -0,0 +1,6 @@
+-----BEGIN X509 CRL-----
+MIGsMFgCAQEwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5vcmcx
+GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxMzAxMjcxNTI0MzRaMA0G
+CSqGSIb3DQEBBQUAA0EAL3N9NbP2jClLBlaFsAFB959JN6Hm7B6H5uYdGo55Rvt6
+1BZvz36DEQemcEmzrelVOR+bCBTTBkH8SC6jv9dsAQ==
+-----END X509 CRL-----
diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.v2 b/test/aux-fixed/exim-ca/example.org/CA/crl.v2
new file mode 100644
index 0000000..8c7f4d4
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/CA/crl.v2 differ
diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.v2.in.txt b/test/aux-fixed/exim-ca/example.org/CA/crl.v2.in.txt
new file mode 100644
index 0000000..434045f
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/crl.v2.in.txt
@@ -0,0 +1,3 @@
+update=20130127152437Z 
+addcert 102 20130127152437Z
+addcert 202 20130127152437Z
diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.v2.pem b/test/aux-fixed/exim-ca/example.org/CA/crl.v2.pem
new file mode 100644
index 0000000..bff5953
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/crl.v2.pem
@@ -0,0 +1,7 @@
+-----BEGIN X509 CRL-----
+MIHcMIGHAgEBMA0GCSqGSIb3DQEBBQUAMDMxFDASBgNVBAoTC2V4YW1wbGUub3Jn
+MRswGQYDVQQDExJjbGljYSBTaWduaW5nIENlcnQYDzIwMTMwMTI3MTUyNDM3WjAt
+MBQCAWYYDzIwMTMwMTI3MTUyNDM3WjAVAgIAyhgPMjAxMzAxMjcxNTI0MzdaMA0G
+CSqGSIb3DQEBBQUAA0EAVWskomLMAt1QAPrpuIC7WsNrAmPRG1XL+Ggm8d4rESya
+WGQxA0p4ZM6THLfJ3ZWAxlMHEGVkqAUQpUnZhNHmEQ==
+-----END X509 CRL-----
diff --git a/test/aux-fixed/exim-ca/example.org/CA/index.revoked.txt b/test/aux-fixed/exim-ca/example.org/CA/index.revoked.txt
new file mode 100644
index 0000000..8c67708
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/index.revoked.txt
@@ -0,0 +1,6 @@
+R    130110200751Z    100201142709Z,superseded    65    unknown    CN=server1.example.org
+R    130110200751Z    100201142709Z,superseded    66    unknown    CN=revoked1.example.org
+R    130110200751Z    100201142709Z,superseded    67    unknown    CN=expired1.example.org
+R    130110200751Z    100201142709Z,superseded    c9    unknown    CN=server2.example.org
+R    130110200751Z    100201142709Z,superseded    ca    unknown    CN=revoked2.example.org
+R    130110200751Z    100201142709Z,superseded    cb    unknown    CN=expired2.example.org
diff --git a/test/aux-fixed/exim-ca/example.org/CA/index.valid.txt b/test/aux-fixed/exim-ca/example.org/CA/index.valid.txt
new file mode 100644
index 0000000..c8fd76e
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/index.valid.txt
@@ -0,0 +1,6 @@
+V    130110200751Z        65    unknown    CN=server1.example.org
+V    130110200751Z        66    unknown    CN=revoked1.example.org
+V    130110200751Z        67    unknown    CN=expired1.example.org
+V    130110200751Z        c9    unknown    CN=server2.example.org
+V    130110200751Z        ca    unknown    CN=revoked2.example.org
+V    130110200751Z        cb    unknown    CN=expired2.example.org
diff --git a/test/aux-fixed/exim-ca/example.org/CA/key3.db b/test/aux-fixed/exim-ca/example.org/CA/key3.db
new file mode 100644
index 0000000..e11319f
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/CA/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/CA/noise.file b/test/aux-fixed/exim-ca/example.org/CA/noise.file
new file mode 100644
index 0000000..8641648
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/noise.file
@@ -0,0 +1,342 @@
+processor    : 0
+vendor_id    : GenuineIntel
+cpu family    : 6
+model        : 26
+model name    : Intel(R) Xeon(R) CPU           E5520  @ 2.27GHz
+stepping    : 5
+cpu MHz        : 2260.628
+cache size    : 8192 KB
+fpu        : yes
+fpu_exception    : yes
+cpuid level    : 11
+wp        : yes
+flags        : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts
+bogomips    : 4521.25
+clflush size    : 64
+cache_alignment    : 64
+address sizes    : 40 bits physical, 48 bits virtual
+power management:
+
+processor    : 1
+vendor_id    : GenuineIntel
+cpu family    : 6
+model        : 26
+model name    : Intel(R) Xeon(R) CPU           E5520  @ 2.27GHz
+stepping    : 5
+cpu MHz        : 2260.628
+cache size    : 8192 KB
+fpu        : yes
+fpu_exception    : yes
+cpuid level    : 11
+wp        : yes
+flags        : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts
+bogomips    : 4521.25
+clflush size    : 64
+cache_alignment    : 64
+address sizes    : 40 bits physical, 48 bits virtual
+power management:
+
+           CPU0       CPU1       
+  0:       2481          0   IO-APIC-edge      timer
+  1:      21441        346   IO-APIC-edge      i8042
+  3:          1          0   IO-APIC-edge    
+  4:          1          0   IO-APIC-edge    
+  7:          0          0   IO-APIC-edge      parport0
+  8:          1          0   IO-APIC-edge      rtc0
+  9:          0          0   IO-APIC-fasteoi   acpi
+ 12:      78986       1718   IO-APIC-edge      i8042
+ 14:          0          0   IO-APIC-edge      ata_piix
+ 15:    2423330       1435   IO-APIC-edge      ata_piix
+ 16:       1025          0   IO-APIC-fasteoi   Ensoniq AudioPCI
+ 17:     239850       2559   IO-APIC-fasteoi   ehci_hcd:usb1, ioc0
+ 18:        246          0   IO-APIC-fasteoi   uhci_hcd:usb2
+ 19:    1868741      51479   IO-APIC-fasteoi   eth0
+ 24:          0          0   PCI-MSI-edge      pciehp
+ 25:          0          0   PCI-MSI-edge      pciehp
+ 26:          0          0   PCI-MSI-edge      pciehp
+ 27:          0          0   PCI-MSI-edge      pciehp
+ 28:          0          0   PCI-MSI-edge      pciehp
+ 29:          0          0   PCI-MSI-edge      pciehp
+ 30:          0          0   PCI-MSI-edge      pciehp
+ 31:          0          0   PCI-MSI-edge      pciehp
+ 32:          0          0   PCI-MSI-edge      pciehp
+ 33:          0          0   PCI-MSI-edge      pciehp
+ 34:          0          0   PCI-MSI-edge      pciehp
+ 35:          0          0   PCI-MSI-edge      pciehp
+ 36:          0          0   PCI-MSI-edge      pciehp
+ 37:          0          0   PCI-MSI-edge      pciehp
+ 38:          0          0   PCI-MSI-edge      pciehp
+ 39:          0          0   PCI-MSI-edge      pciehp
+ 40:          0          0   PCI-MSI-edge      pciehp
+ 41:          0          0   PCI-MSI-edge      pciehp
+ 42:          0          0   PCI-MSI-edge      pciehp
+ 43:          0          0   PCI-MSI-edge      pciehp
+ 44:          0          0   PCI-MSI-edge      pciehp
+ 45:          0          0   PCI-MSI-edge      pciehp
+ 46:          0          0   PCI-MSI-edge      pciehp
+ 47:          0          0   PCI-MSI-edge      pciehp
+ 48:          0          0   PCI-MSI-edge      pciehp
+ 49:          0          0   PCI-MSI-edge      pciehp
+ 50:          0          0   PCI-MSI-edge      pciehp
+ 51:          0          0   PCI-MSI-edge      pciehp
+ 52:          0          0   PCI-MSI-edge      pciehp
+ 53:          0          0   PCI-MSI-edge      pciehp
+ 54:          0          0   PCI-MSI-edge      pciehp
+ 55:          0          0   PCI-MSI-edge      pciehp
+ 56:          1          0   PCI-MSI-edge      vmci
+ 57:          0          0   PCI-MSI-edge      vmci
+NMI:          0          0   Non-maskable interrupts
+LOC:   12398298   14241637   Local timer interrupts
+SPU:          0          0   Spurious interrupts
+PMI:          0          0   Performance monitoring interrupts
+IWI:          0          0   IRQ work interrupts
+RES:     282673     309097   Rescheduling interrupts
+CAL:       1955     163548   Function call interrupts
+TLB:      17977      15562   TLB shootdowns
+TRM:          0          0   Thermal event interrupts
+THR:          0          0   Threshold APIC interrupts
+MCE:          0          0   Machine check exceptions
+MCP:       2310       2310   Machine check polls
+ERR:          0
+MIS:          0
+MemTotal:        1914844 kB
+MemFree:          134216 kB
+Buffers:          142048 kB
+Cached:           952796 kB
+SwapCached:          108 kB
+Active:           981384 kB
+Inactive:         540556 kB
+Active(anon):     287092 kB
+Inactive(anon):   143480 kB
+Active(file):     694292 kB
+Inactive(file):   397076 kB
+Unevictable:           0 kB
+Mlocked:               0 kB
+SwapTotal:       4194296 kB
+SwapFree:        4193560 kB
+Dirty:              1732 kB
+Writeback:             0 kB
+AnonPages:        427116 kB
+Mapped:            70924 kB
+Shmem:              3400 kB
+Slab:             190944 kB
+SReclaimable:     125404 kB
+SUnreclaim:        65540 kB
+KernelStack:        2312 kB
+PageTables:        23536 kB
+NFS_Unstable:          0 kB
+Bounce:                0 kB
+WritebackTmp:          0 kB
+CommitLimit:     5151716 kB
+Committed_AS:     973184 kB
+VmallocTotal:   34359738367 kB
+VmallocUsed:      280772 kB
+VmallocChunk:   34359441168 kB
+HardwareCorrupted:     0 kB
+AnonHugePages:    249856 kB
+HugePages_Total:       0
+HugePages_Free:        0
+HugePages_Rsvd:        0
+HugePages_Surp:        0
+Hugepagesize:       2048 kB
+DirectMap4k:        8192 kB
+DirectMap2M:     2088960 kB
+slabinfo - version: 2.1
+# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
+bridge_fdb_cache       0      0     64   59    1 : tunables  120   60    8 : slabdata      0      0      0
+fuse_request           0      0    632    6    1 : tunables   54   27    8 : slabdata      0      0      0
+fuse_inode             0      0    768    5    1 : tunables   54   27    8 : slabdata      0      0      0
+rpc_buffers            8      8   2048    2    1 : tunables   24   12    8 : slabdata      4      4      0
+rpc_tasks              8     15    256   15    1 : tunables  120   60    8 : slabdata      1      1      0
+rpc_inode_cache        8      8    832    4    1 : tunables   54   27    8 : slabdata      2      2      0
+hgfsInodeCache         1      6    640    6    1 : tunables   54   27    8 : slabdata      1      1      0
+AF_VMCI                0      0   1024    4    1 : tunables   54   27    8 : slabdata      0      0      0
+nf_conntrack_expect      0      0    240   16    1 : tunables  120   60    8 : slabdata      0      0      0
+nf_conntrack_ffffffff8200cec0     22     26    304   13    1 : tunables   54   27    8 : slabdata      2      2      0
+fib6_nodes            22     59     64   59    1 : tunables  120   60    8 : slabdata      1      1      0
+ip6_dst_cache         13     30    384   10    1 : tunables   54   27    8 : slabdata      3      3      0
+ndisc_cache            1     15    256   15    1 : tunables  120   60    8 : slabdata      1      1      0
+ip6_mrt_cache          0      0    128   30    1 : tunables  120   60    8 : slabdata      0      0      0
+RAWv6                 67     68   1024    4    1 : tunables   54   27    8 : slabdata     17     17      0
+UDPLITEv6              0      0   1024    4    1 : tunables   54   27    8 : slabdata      0      0      0
+UDPv6                  4      4   1024    4    1 : tunables   54   27    8 : slabdata      1      1      0
+tw_sock_TCPv6          0      0    320   12    1 : tunables   54   27    8 : slabdata      0      0      0
+request_sock_TCPv6      0      0    192   20    1 : tunables  120   60    8 : slabdata      0      0      0
+TCPv6                  9     10   1856    2    1 : tunables   24   12    8 : slabdata      5      5      0
+jbd2_1k                0      0   1024    4    1 : tunables   54   27    8 : slabdata      0      0      0
+avtab_node        502203 502416     24  144    1 : tunables  120   60    8 : slabdata   3489   3489      0
+ext4_inode_cache   74816  74820   1024    4    1 : tunables   54   27    8 : slabdata  18705  18705      0
+ext4_xattr             9     44     88   44    1 : tunables  120   60    8 : slabdata      1      1      0
+ext4_free_block_extents     32     67     56   67    1 : tunables  120   60    8 : slabdata      1      1      0
+ext4_alloc_context     28     28    136   28    1 : tunables  120   60    8 : slabdata      1      1      0
+ext4_prealloc_space     18     37    104   37    1 : tunables  120   60    8 : slabdata      1      1      0
+ext4_system_zone       0      0     40   92    1 : tunables  120   60    8 : slabdata      0      0      0
+jbd2_journal_handle     32    144     24  144    1 : tunables  120   60    8 : slabdata      1      1      0
+jbd2_journal_head     74    102    112   34    1 : tunables  120   60    8 : slabdata      3      3      0
+jbd2_revoke_table      4    202     16  202    1 : tunables  120   60    8 : slabdata      1      1      0
+jbd2_revoke_record      0      0     32  112    1 : tunables  120   60    8 : slabdata      0      0      0
+dm_crypt_io           50     50    152   25    1 : tunables  120   60    8 : slabdata      2      2      0
+sd_ext_cdb             2    112     32  112    1 : tunables  120   60    8 : slabdata      1      1      0
+scsi_sense_cache      25     60    128   30    1 : tunables  120   60    8 : slabdata      2      2      0
+scsi_cmd_cache        28     45    256   15    1 : tunables  120   60    8 : slabdata      3      3      0
+dm_raid1_read_record      0      0   1064    7    2 : tunables   24   12    8 : slabdata      0      0      0
+kcopyd_job             0      0   3240    2    2 : tunables   24   12    8 : slabdata      0      0      0
+io                     0      0     64   59    1 : tunables  120   60    8 : slabdata      0      0      0
+dm_uevent              0      0   2608    3    2 : tunables   24   12    8 : slabdata      0      0      0
+dm_rq_clone_bio_info      0      0     16  202    1 : tunables  120   60    8 : slabdata      0      0      0
+dm_rq_target_io        0      0    392   10    1 : tunables   54   27    8 : slabdata      0      0      0
+dm_target_io         844    864     24  144    1 : tunables  120   60    8 : slabdata      6      6      0
+dm_io                828    828     40   92    1 : tunables  120   60    8 : slabdata      9      9      0
+flow_cache             0      0     96   40    1 : tunables  120   60    8 : slabdata      0      0      0
+uhci_urb_priv          6     67     56   67    1 : tunables  120   60    8 : slabdata      1      1      0
+cfq_io_context         4     28    136   28    1 : tunables  120   60    8 : slabdata      1      1      0
+cfq_queue              5     16    240   16    1 : tunables  120   60    8 : slabdata      1      1      0
+bsg_cmd                0      0    312   12    1 : tunables   54   27    8 : slabdata      0      0      0
+mqueue_inode_cache      1      4    896    4    1 : tunables   54   27    8 : slabdata      1      1      0
+isofs_inode_cache      0      0    640    6    1 : tunables   54   27    8 : slabdata      0      0      0
+hugetlbfs_inode_cache      1      6    608    6    1 : tunables   54   27    8 : slabdata      1      1      0
+dquot                  0      0    256   15    1 : tunables  120   60    8 : slabdata      0      0      0
+kioctx                 0      0    384   10    1 : tunables   54   27    8 : slabdata      0      0      0
+kiocb                  0      0    256   15    1 : tunables  120   60    8 : slabdata      0      0      0
+inotify_event_private_data      0      0     32  112    1 : tunables  120   60    8 : slabdata      0      0      0
+inotify_inode_mark_entry    186    204    112   34    1 : tunables  120   60    8 : slabdata      6      6      0
+dnotify_mark_entry      1     34    112   34    1 : tunables  120   60    8 : slabdata      1      1      0
+dnotify_struct         1    112     32  112    1 : tunables  120   60    8 : slabdata      1      1      0
+fasync_cache           6    144     24  144    1 : tunables  120   60    8 : slabdata      1      1      0
+khugepaged_mm_slot     83     92     40   92    1 : tunables  120   60    8 : slabdata      1      1      0
+ksm_mm_slot            0      0     48   77    1 : tunables  120   60    8 : slabdata      0      0      0
+ksm_stable_node        0      0     40   92    1 : tunables  120   60    8 : slabdata      0      0      0
+ksm_rmap_item          0      0     64   59    1 : tunables  120   60    8 : slabdata      0      0      0
+utrace_engine          0      0     56   67    1 : tunables  120   60    8 : slabdata      0      0      0
+utrace                 0      0     64   59    1 : tunables  120   60    8 : slabdata      0      0      0
+pid_namespace          0      0   2120    3    2 : tunables   24   12    8 : slabdata      0      0      0
+nsproxy                0      0     48   77    1 : tunables  120   60    8 : slabdata      0      0      0
+posix_timers_cache      0      0    176   22    1 : tunables  120   60    8 : slabdata      0      0      0
+uid_cache             10     60    128   30    1 : tunables  120   60    8 : slabdata      2      2      0
+UNIX                 459    480    768    5    1 : tunables   54   27    8 : slabdata     96     96      0
+ip_mrt_cache           0      0    128   30    1 : tunables  120   60    8 : slabdata      0      0      0
+UDP-Lite               0      0    832    9    2 : tunables   54   27    8 : slabdata      0      0      0
+tcp_bind_bucket       15     59     64   59    1 : tunables  120   60    8 : slabdata      1      1      0
+inet_peer_cache        4     59     64   59    1 : tunables  120   60    8 : slabdata      1      1      0
+secpath_cache          0      0     64   59    1 : tunables  120   60    8 : slabdata      0      0      0
+xfrm_dst_cache         0      0    384   10    1 : tunables   54   27    8 : slabdata      0      0      0
+ip_fib_alias           0      0     32  112    1 : tunables  120   60    8 : slabdata      0      0      0
+ip_fib_hash           10    106     72   53    1 : tunables  120   60    8 : slabdata      2      2      0
+ip_dst_cache          29     50    384   10    1 : tunables   54   27    8 : slabdata      5      5      0
+arp_cache              4     15    256   15    1 : tunables  120   60    8 : slabdata      1      1      0
+RAW                   65     72    832    9    2 : tunables   54   27    8 : slabdata      8      8      0
+UDP                    6     18    832    9    2 : tunables   54   27    8 : slabdata      2      2      0
+tw_sock_TCP            0      0    256   15    1 : tunables  120   60    8 : slabdata      0      0      0
+request_sock_TCP       0      0    192   20    1 : tunables  120   60    8 : slabdata      0      0      0
+TCP                   20     24   1664    4    2 : tunables   24   12    8 : slabdata      6      6      0
+eventpoll_pwq        126    212     72   53    1 : tunables  120   60    8 : slabdata      4      4      0
+eventpoll_epi        126    180    128   30    1 : tunables  120   60    8 : slabdata      6      6      0
+sgpool-128             2      2   4096    1    1 : tunables   24   12    8 : slabdata      2      2      0
+sgpool-64              2      2   2048    2    1 : tunables   24   12    8 : slabdata      1      1      0
+sgpool-32              2      4   1024    4    1 : tunables   54   27    8 : slabdata      1      1      0
+sgpool-16              2      8    512    8    1 : tunables   54   27    8 : slabdata      1      1      0
+sgpool-8              15     15    256   15    1 : tunables  120   60    8 : slabdata      1      1      0
+scsi_data_buffer       0      0     24  144    1 : tunables  120   60    8 : slabdata      0      0      0
+blkdev_integrity       0      0    112   34    1 : tunables  120   60    8 : slabdata      0      0      0
+blkdev_queue          29     30   2856    2    2 : tunables   24   12    8 : slabdata     15     15      0
+blkdev_requests       42     66    352   11    1 : tunables   54   27    8 : slabdata      5      6      0
+blkdev_ioc             5     48     80   48    1 : tunables  120   60    8 : slabdata      1      1      0
+fsnotify_event_holder      0      0     24  144    1 : tunables  120   60    8 : slabdata      0      0      0
+fsnotify_event         0      0    104   37    1 : tunables  120   60    8 : slabdata      0      0      0
+bio-0                180    180    192   20    1 : tunables  120   60    8 : slabdata      9      9      0
+biovec-256            66     66   4096    1    1 : tunables   24   12    8 : slabdata     66     66      0
+biovec-128             0      0   2048    2    1 : tunables   24   12    8 : slabdata      0      0      0
+biovec-64              0      0   1024    4    1 : tunables   54   27    8 : slabdata      0      0      0
+biovec-16              0      0    256   15    1 : tunables  120   60    8 : slabdata      0      0      0
+bip-256                2      2   4224    1    2 : tunables    8    4    0 : slabdata      2      2      0
+bip-128                0      0   2176    3    2 : tunables   24   12    8 : slabdata      0      0      0
+bip-64                 0      0   1152    7    2 : tunables   24   12    8 : slabdata      0      0      0
+bip-16                 0      0    384   10    1 : tunables   54   27    8 : slabdata      0      0      0
+bip-4                  0      0    192   20    1 : tunables  120   60    8 : slabdata      0      0      0
+bip-1                  0      0    128   30    1 : tunables  120   60    8 : slabdata      0      0      0
+sock_inode_cache     667    685    704    5    1 : tunables   54   27    8 : slabdata    137    137      0
+skbuff_fclone_cache     35     35    512    7    1 : tunables   54   27    8 : slabdata      5      5      0
+skbuff_head_cache    302    450    256   15    1 : tunables  120   60    8 : slabdata     30     30      0
+file_lock_cache       38     44    176   22    1 : tunables  120   60    8 : slabdata      2      2      0
+net_namespace          0      0   2112    3    2 : tunables   24   12    8 : slabdata      0      0      0
+shmem_inode_cache    774    775    800    5    1 : tunables   54   27    8 : slabdata    155    155      0
+Acpi-Operand        4563   4664     72   53    1 : tunables  120   60    8 : slabdata     88     88      0
+Acpi-ParseExt          0      0     72   53    1 : tunables  120   60    8 : slabdata      0      0      0
+Acpi-Parse             0      0     48   77    1 : tunables  120   60    8 : slabdata      0      0      0
+Acpi-State             0      0     80   48    1 : tunables  120   60    8 : slabdata      0      0      0
+Acpi-Namespace      3311   3312     40   92    1 : tunables  120   60    8 : slabdata     36     36      0
+task_delay_info      332    340    112   34    1 : tunables  120   60    8 : slabdata     10     10      0
+taskstats              5     12    328   12    1 : tunables   54   27    8 : slabdata      1      1      0
+proc_inode_cache    1008   1008    640    6    1 : tunables   54   27    8 : slabdata    168    168      0
+sigqueue              35     48    160   24    1 : tunables  120   60    8 : slabdata      2      2      0
+bdev_cache            32     36    832    4    1 : tunables   54   27    8 : slabdata      9      9      0
+sysfs_dir_cache    11356  11367    144   27    1 : tunables  120   60    8 : slabdata    421    421      0
+mnt_cache             37     45    256   15    1 : tunables  120   60    8 : slabdata      3      3      0
+filp                4614   4700    192   20    1 : tunables  120   60    8 : slabdata    235    235      0
+inode_cache         6883   7308    592    6    1 : tunables   54   27    8 : slabdata   1218   1218      0
+dentry             61120  63960    192   20    1 : tunables  120   60    8 : slabdata   3198   3198      0
+names_cache           26     26   4096    1    1 : tunables   24   12    8 : slabdata     26     26      0
+avc_node             518   1239     64   59    1 : tunables  120   60    8 : slabdata     21     21      0
+selinux_inode_security  84146  86072     72   53    1 : tunables  120   60    8 : slabdata   1624   1624      0
+radix_tree_node    11579  11781    560    7    1 : tunables   54   27    8 : slabdata   1683   1683      0
+key_jar               11     20    192   20    1 : tunables  120   60    8 : slabdata      1      1      0
+buffer_head       221286 230214    104   37    1 : tunables  120   60    8 : slabdata   6222   6222      0
+vm_area_struct     12992  13034    200   19    1 : tunables  120   60    8 : slabdata    686    686     60
+mm_struct            145    145   1408    5    2 : tunables   24   12    8 : slabdata     29     29      0
+fs_cache             177    177     64   59    1 : tunables  120   60    8 : slabdata      3      3      0
+files_cache          162    165    704   11    2 : tunables   54   27    8 : slabdata     15     15      0
+signal_cache         208    208   1024    4    1 : tunables   54   27    8 : slabdata     52     52      0
+sighand_cache        198    198   2112    3    2 : tunables   24   12    8 : slabdata     66     66      0
+task_xstate          232    232    512    8    1 : tunables   54   27    8 : slabdata     29     29      0
+task_struct          303    303   2656    3    2 : tunables   24   12    8 : slabdata    101    101      0
+cred_jar             580    580    192   20    1 : tunables  120   60    8 : slabdata     29     29      0
+anon_vma_chain      7904   8162     48   77    1 : tunables  120   60    8 : slabdata    106    106     60
+anon_vma            5773   5888     40   92    1 : tunables  120   60    8 : slabdata     64     64      0
+pid                  322    330    128   30    1 : tunables  120   60    8 : slabdata     11     11      0
+shared_policy_node      0      0     48   77    1 : tunables  120   60    8 : slabdata      0      0      0
+numa_policy            1     28    136   28    1 : tunables  120   60    8 : slabdata      1      1      0
+idr_layer_cache      428    434    544    7    1 : tunables   54   27    8 : slabdata     62     62      0
+size-4194304(DMA)      0      0 4194304    1 1024 : tunables    1    1    0 : slabdata      0      0      0
+size-4194304           0      0 4194304    1 1024 : tunables    1    1    0 : slabdata      0      0      0
+size-2097152(DMA)      0      0 2097152    1  512 : tunables    1    1    0 : slabdata      0      0      0
+size-2097152           0      0 2097152    1  512 : tunables    1    1    0 : slabdata      0      0      0
+size-1048576(DMA)      0      0 1048576    1  256 : tunables    1    1    0 : slabdata      0      0      0
+size-1048576           0      0 1048576    1  256 : tunables    1    1    0 : slabdata      0      0      0
+size-524288(DMA)       0      0 524288    1  128 : tunables    1    1    0 : slabdata      0      0      0
+size-524288            0      0 524288    1  128 : tunables    1    1    0 : slabdata      0      0      0
+size-262144(DMA)       0      0 262144    1   64 : tunables    1    1    0 : slabdata      0      0      0
+size-262144            0      0 262144    1   64 : tunables    1    1    0 : slabdata      0      0      0
+size-131072(DMA)       0      0 131072    1   32 : tunables    8    4    0 : slabdata      0      0      0
+size-131072            1      1 131072    1   32 : tunables    8    4    0 : slabdata      1      1      0
+size-65536(DMA)        0      0  65536    1   16 : tunables    8    4    0 : slabdata      0      0      0
+size-65536             2      2  65536    1   16 : tunables    8    4    0 : slabdata      2      2      0
+size-32768(DMA)        0      0  32768    1    8 : tunables    8    4    0 : slabdata      0      0      0
+size-32768             3      3  32768    1    8 : tunables    8    4    0 : slabdata      3      3      0
+size-16384(DMA)        0      0  16384    1    4 : tunables    8    4    0 : slabdata      0      0      0
+size-16384            12     12  16384    1    4 : tunables    8    4    0 : slabdata     12     12      0
+size-8192(DMA)         0      0   8192    1    2 : tunables    8    4    0 : slabdata      0      0      0
+size-8192             27     27   8192    1    2 : tunables    8    4    0 : slabdata     27     27      0
+size-4096(DMA)         0      0   4096    1    1 : tunables   24   12    8 : slabdata      0      0      0
+size-4096            425    425   4096    1    1 : tunables   24   12    8 : slabdata    425    425      0
+size-2048(DMA)         0      0   2048    2    1 : tunables   24   12    8 : slabdata      0      0      0
+size-2048            578    578   2048    2    1 : tunables   24   12    8 : slabdata    289    289      0
+size-1024(DMA)         0      0   1024    4    1 : tunables   54   27    8 : slabdata      0      0      0
+size-1024           1332   1332   1024    4    1 : tunables   54   27    8 : slabdata    333    333      0
+size-512(DMA)          0      0    512    8    1 : tunables   54   27    8 : slabdata      0      0      0
+size-512            1123   1176    512    8    1 : tunables   54   27    8 : slabdata    147    147      0
+size-256(DMA)          0      0    256   15    1 : tunables  120   60    8 : slabdata      0      0      0
+size-256             930    930    256   15    1 : tunables  120   60    8 : slabdata     62     62      0
+size-192(DMA)          0      0    192   20    1 : tunables  120   60    8 : slabdata      0      0      0
+size-192            2119   2160    192   20    1 : tunables  120   60    8 : slabdata    108    108      0
+size-128(DMA)          0      0    128   30    1 : tunables  120   60    8 : slabdata      0      0      0
+size-64(DMA)           0      0     64   59    1 : tunables  120   60    8 : slabdata      0      0      0
+size-64            33063  40887     64   59    1 : tunables  120   60    8 : slabdata    693    693     60
+size-32(DMA)           0      0     32  112    1 : tunables  120   60    8 : slabdata      0      0      0
+size-128            3921   4800    128   30    1 : tunables  120   60    8 : slabdata    160    160      0
+size-32           332419 332976     32  112    1 : tunables  120   60    8 : slabdata   2973   2973     60
+kmem_cache           191    191  32896    1   16 : tunables    8    4    0 : slabdata    191    191      0
+Inter-|   Receive                                                |  Transmit
+ face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
+    lo:267102759  105357    0    0    0     0          0         0 267102759  105357    0    0    0     0       0          0
+  eth0:1013758516 1354506    0    0    0     0          0         0 245531629  966810    0    0    0     0       0          0
+  pan0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
diff --git a/test/aux-fixed/exim-ca/example.org/CA/pwdfile b/test/aux-fixed/exim-ca/example.org/CA/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/CA/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.org/CA/secmod.db b/test/aux-fixed/exim-ca/example.org/CA/secmod.db
new file mode 100644
index 0000000..c7f115b
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/CA/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/expired1.example.org/ca_chain.pem
new file mode 100644
index 0000000..45c5c63
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+    friendlyName: Signing Cert
+subject=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority
+subject=/O=example.org/CN=clica CA
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
+x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
+LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: expired1.example.org
+    localKeyID: 0B 77 EA 83 E1 31 8B 71 88 DB 88 4E DE 08 91 19 A5 4A 4D A6 
+subject=/CN=expired1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwM1oXDTEyMTIwMTEyMzQwM1owHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
+ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA4TTv655lwyf5lL4RkuLHqPdg
+mXI36dkjEL/864WoszwLRYYfnlOj4hmKfjq9VoslfDRnOoZSm0NebJJ9Y/ea2wID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
+bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EABG4yReI+VPyFc3kEejJr31rOi3BpgEfP
+FsN+9WoTa0B+VW125F47/FySYat+M6KBSW8fe6HFexU6FXQF+mCNvQ==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/expired1.example.org/cert8.db
new file mode 100644
index 0000000..133a82f
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.chain.pem
new file mode 100644
index 0000000..d4f9ee3
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+    friendlyName: expired1.example.org
+    localKeyID: 0B 77 EA 83 E1 31 8B 71 88 DB 88 4E DE 08 91 19 A5 4A 4D A6 
+subject=/CN=expired1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwM1oXDTEyMTIwMTEyMzQwM1owHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
+ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA4TTv655lwyf5lL4RkuLHqPdg
+mXI36dkjEL/864WoszwLRYYfnlOj4hmKfjq9VoslfDRnOoZSm0NebJJ9Y/ea2wID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
+bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EABG4yReI+VPyFc3kEejJr31rOi3BpgEfP
+FsN+9WoTa0B+VW125F47/FySYat+M6KBSW8fe6HFexU6FXQF+mCNvQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.key b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.key
new file mode 100644
index 0000000..fab9097
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.key
@@ -0,0 +1,15 @@
+Bag Attributes
+    friendlyName: expired1.example.org
+    localKeyID: 0B 77 EA 83 E1 31 8B 71 88 DB 88 4E DE 08 91 19 A5 4A 4D A6 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIL+kummor3pQCAggA
+MBQGCCqGSIb3DQMHBAhpvl78t5As+QSCAWBlOt1XpYY+o5G0MSANfiL7BfKlwwYh
+MDpKzsNWfwxrNZNmeT293TKVlXEav4FsEnbU0yVJ0HSLC1peXM32mjdezDdMQAwq
+QPrIRj5r5m4mTTWhUPnDUrzdwrYbD4flg0H6eO7gX1w2gJw8E/LS8nhAy6ZOfEvL
+jlghGljcALDPVDvNEAtcx+Wd4p71vp6wm/3kl3SAl7WXO1HcKwYYIEEL9DFZ/P4n
+kqlgCu3pcgKbH9HHjImOkYRWP2Poy3OLJ7h+i/rIEaxiaJFt/1zTm+DxkkM6nbwR
+2C0VnX6/gSbpz58xBlJUMiZqvh9ciFhuLCYeiJx+HnKKzTEIfnSyKV7Y7GSzqkUE
+kKPVa6NTXq0nlH1fuecTGv3iUE4AXWJPmGNYS0caR8oTFd5pFlOQGazRjLDxTIb/
+N6zXiTCpQt4MWHi71a/GnfUrv0e/Bl24ARJnVWcP4brT8jA/oiPeQGEq
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.dated.resp
new file mode 100644
index 0000000..0825ec7
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.good.resp
new file mode 100644
index 0000000..e786da6
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.req
new file mode 100644
index 0000000..75ffacf
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.revoked.resp
new file mode 100644
index 0000000..f8709f4
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.p12 b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.p12
new file mode 100644
index 0000000..f7ef5e6
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.pem b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.pem
new file mode 100644
index 0000000..13da50b
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+    friendlyName: expired1.example.org
+    localKeyID: 0B 77 EA 83 E1 31 8B 71 88 DB 88 4E DE 08 91 19 A5 4A 4D A6 
+subject=/CN=expired1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwM1oXDTEyMTIwMTEyMzQwM1owHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
+ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA4TTv655lwyf5lL4RkuLHqPdg
+mXI36dkjEL/864WoszwLRYYfnlOj4hmKfjq9VoslfDRnOoZSm0NebJJ9Y/ea2wID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
+bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EABG4yReI+VPyFc3kEejJr31rOi3BpgEfP
+FsN+9WoTa0B+VW125F47/FySYat+M6KBSW8fe6HFexU6FXQF+mCNvQ==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.unlocked.key
new file mode 100644
index 0000000..132d2da
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAOE07+ueZcMn+ZS+EZLix6j3YJlyN+nZIxC//OuFqLM8C0WGH55T
+o+IZin46vVaLJXw0ZzqGUptDXmySfWP3mtsCAwEAAQJAbjXB08TIeCDv+uKpJwDk
+RMQK+gzzX/VrO5843umiDVPBs3FoDJJMMI1YIxiqmj61BNvh6YdTeYMbgsqdvUT/
+AQIhAP2hXPtUNCfSMbDZujRe7weCDynq2SdT9v5GwCABKNRLAiEA40+XExCBf3zV
+Eibj6fEWBlJjQPjCEvFLkbeOi44UmbECIF8u9qkvkZ88J//ZxiKvWf80VSKDC1nS
+DgihXqrkJIF/AiAhsUBhUQcA0I38fMs3d8ad9URE8xpBGIbs+FomkU64YQIhALds
+zCAiNfSE9O4vQvnSlbPdKT5KSbux/uGuPIhK+RA0
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/expired1.example.org/key3.db
new file mode 100644
index 0000000..4122a84
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/pwdfile b/test/aux-fixed/exim-ca/example.org/expired1.example.org/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/secmod.db b/test/aux-fixed/exim-ca/example.org/expired1.example.org/secmod.db
new file mode 100644
index 0000000..fb95521
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/expired2.example.org/ca_chain.pem
new file mode 100644
index 0000000..1ca5e28
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+    friendlyName: Signing Cert
+subject=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority
+subject=/O=example.org/CN=clica CA
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
+x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
+LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: expired2.example.org
+    localKeyID: C5 6F 48 06 54 0E B3 BB 1A BF 6D F3 86 B8 E6 D7 37 A4 65 F3 
+subject=/CN=expired2.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDNaFw0xMjEyMDExMjM0MDNaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
+bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAK1KoNb3Cu3dTkQQssg1cXUb
+0Oo/o0v/BCm5A9JjE8eL0K694hJrk2pSmI+nF1ujtC+0Ilylzd2JyXvyu6jZqRUC
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
+cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAATDk4AOeRU7z4FPpjK6J2BvKeStcuon
+xoli6qipNnf95JXgo4ZOktbGD5eankcp4QRFEUMQ79DJuTCkOl/Zgs4=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/expired2.example.org/cert8.db
new file mode 100644
index 0000000..24ee82e
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.chain.pem
new file mode 100644
index 0000000..3bbfb4c
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+    friendlyName: expired2.example.org
+    localKeyID: C5 6F 48 06 54 0E B3 BB 1A BF 6D F3 86 B8 E6 D7 37 A4 65 F3 
+subject=/CN=expired2.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDNaFw0xMjEyMDExMjM0MDNaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
+bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAK1KoNb3Cu3dTkQQssg1cXUb
+0Oo/o0v/BCm5A9JjE8eL0K694hJrk2pSmI+nF1ujtC+0Ilylzd2JyXvyu6jZqRUC
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
+cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAATDk4AOeRU7z4FPpjK6J2BvKeStcuon
+xoli6qipNnf95JXgo4ZOktbGD5eankcp4QRFEUMQ79DJuTCkOl/Zgs4=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.key b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.key
new file mode 100644
index 0000000..6bbf07e
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.key
@@ -0,0 +1,15 @@
+Bag Attributes
+    friendlyName: expired2.example.org
+    localKeyID: C5 6F 48 06 54 0E B3 BB 1A BF 6D F3 86 B8 E6 D7 37 A4 65 F3 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIqYRYZdwd4cwCAggA
+MBQGCCqGSIb3DQMHBAguS/XNjyFFMASCAWBxEYbvvuvMpVOunc6orT3lMpGxNbCV
+kNeLvBHH2LkW1lQfLoo0zgqzyvjF7hTbeNm9NS8dL3ZzMG7Xb3hiR22ypuP7gdaA
+NFxt7XfO7pCLsFScmOthYseIBvuxAGN8Qze2KDrXTVnOyrgPGk2q6XTIblUnGekt
+MuxJAJIIGW0le9Ci23Z+156zv7BAPWiAR7qL4Lm6V3T4ppfSeGkpBhGVpCmdjnT1
+IhR4rcrLjvqE+QhqEY/gA4chFcnkZsmcLNjMAMgHXdsGgpkrv8WrbS4nTsNY71p5
+d+qA6Z6ORVyUOrxzr34NpAM9tpsvHniMEvlJAq5DMz64qnG/iZymTKH8tOhgvD9d
+a7pENj+x1Eo+qb/2g6zut4+O5WnkWfXQXtuh+rnUOB09IteV33o8OYOlLR0eQxqJ
+BOLi5FgNVfoSJuCZrR9oqufOb4ue7x7lmOw0r3EQYUp0weYLvDyh0ih+
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.dated.resp
new file mode 100644
index 0000000..44f9d00
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.good.resp
new file mode 100644
index 0000000..0760bb3
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.req
new file mode 100644
index 0000000..96cb53d
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.revoked.resp
new file mode 100644
index 0000000..0760bb3
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.p12 b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.p12
new file mode 100644
index 0000000..5bd498b
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.pem b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.pem
new file mode 100644
index 0000000..a2cdafe
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+    friendlyName: expired2.example.org
+    localKeyID: C5 6F 48 06 54 0E B3 BB 1A BF 6D F3 86 B8 E6 D7 37 A4 65 F3 
+subject=/CN=expired2.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDNaFw0xMjEyMDExMjM0MDNaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
+bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAK1KoNb3Cu3dTkQQssg1cXUb
+0Oo/o0v/BCm5A9JjE8eL0K694hJrk2pSmI+nF1ujtC+0Ilylzd2JyXvyu6jZqRUC
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
+cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAATDk4AOeRU7z4FPpjK6J2BvKeStcuon
+xoli6qipNnf95JXgo4ZOktbGD5eankcp4QRFEUMQ79DJuTCkOl/Zgs4=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.unlocked.key
new file mode 100644
index 0000000..873f59f
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBPAIBAAJBAK1KoNb3Cu3dTkQQssg1cXUb0Oo/o0v/BCm5A9JjE8eL0K694hJr
+k2pSmI+nF1ujtC+0Ilylzd2JyXvyu6jZqRUCAwEAAQJBAIKMYjcPzW/89OVaHxWt
+DVhIKE8Quhiaeaxk8Xgho9kDQXb9VUnY9uY+hQFL8jAlmr1xyqPL1ztA8Rx7b7DH
+toECIQDifcfwxsjaF2XMdkDdEtmoYlEow5sRoGzgNz29EQtUiQIhAMPedhNwRb2J
+0Vc6OgL4DCwu4oyjxcyGU3TywinwhCUtAiAnnYaGR87DzsngfGKWCIEHocK+VZBf
+AedpRGBJHJ0VuQIhALHy6Ylthh7WGBfMcaoC22RE0FR/8hOHskjcyGQ7/IKdAiEA
+lLVprJ0QmF5Z1+6RbIOcWwRWNOHEqAz4xY6HR65E2HE=
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/expired2.example.org/key3.db
new file mode 100644
index 0000000..22278dd
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/pwdfile b/test/aux-fixed/exim-ca/example.org/expired2.example.org/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/secmod.db b/test/aux-fixed/exim-ca/example.org/expired2.example.org/secmod.db
new file mode 100644
index 0000000..7201c72
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/ca_chain.pem
new file mode 100644
index 0000000..6e46899
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+    friendlyName: Signing Cert
+subject=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority
+subject=/O=example.org/CN=clica CA
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
+x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
+LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: revoked1.example.org
+    localKeyID: CB 4F CF EE 43 43 65 BB 23 74 E0 40 65 36 FE 99 31 DF AB A8 
+subject=/CN=revoked1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMloXDTM4MDEwMTEyMzQwMlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
+ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtH5k2k62LbnSi/B5Bgxk+zMn
+GiOYjeojLffbE73oSIws/sAwigOroZRxeDCK1Bvqlt3CsRlh1j7qGHTdf3JPEQID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
+bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EAh2MZRLrAaQlspQCSvzB8GauDjhyc1ZMz
+/YeE550dEXzC3YtnTK6PKmDfm0xw/eVcSnwlsYUdLFzB5xBGbkxQbg==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/cert8.db
new file mode 100644
index 0000000..276490b
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/key3.db
new file mode 100644
index 0000000..d0a1a89
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/pwdfile b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.chain.pem
new file mode 100644
index 0000000..44a69f4
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+    friendlyName: revoked1.example.org
+    localKeyID: CB 4F CF EE 43 43 65 BB 23 74 E0 40 65 36 FE 99 31 DF AB A8 
+subject=/CN=revoked1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMloXDTM4MDEwMTEyMzQwMlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
+ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtH5k2k62LbnSi/B5Bgxk+zMn
+GiOYjeojLffbE73oSIws/sAwigOroZRxeDCK1Bvqlt3CsRlh1j7qGHTdf3JPEQID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
+bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EAh2MZRLrAaQlspQCSvzB8GauDjhyc1ZMz
+/YeE550dEXzC3YtnTK6PKmDfm0xw/eVcSnwlsYUdLFzB5xBGbkxQbg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.key b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.key
new file mode 100644
index 0000000..cd759c4
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.key
@@ -0,0 +1,15 @@
+Bag Attributes
+    friendlyName: revoked1.example.org
+    localKeyID: CB 4F CF EE 43 43 65 BB 23 74 E0 40 65 36 FE 99 31 DF AB A8 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIYvHqW0ndOlQCAggA
+MBQGCCqGSIb3DQMHBAgXAj3LlhSYaQSCAVhHtecAjwqd7AvQnGWaErxhdo/AMfio
+SWCovkatfN0ExC0Q43QX2P7HKcP6ysQDg+oLHWiIP+2N6lOkQLBxF4KCAfEa9hcR
+GJhbBDLiL5mNgfxdPzM+NUfxGainUfwiGFM5ZZg4vZgvP8hMoVeCRJ+sBP4rHzyw
+0AdAMzAeJym8MVONUMadr/D7ReMGgxQdGGl/GrrmwOAeJNCh8KJVfI7hQZE0Ell7
+XWWZPl1VafuzErUz0Lm4NdbstlfpVE/ZWWuXCxGgJ5cPyMu5oloHPpPm+x0oR4Ik
+NxPkXZ74OZtc58nTgh+SEVe/myWTujMdj9jCxfJknyAlMwZCv/wu/EwcRFopvo16
+zLCsb2x4+sW5Uhduv0mQYEIPBjl+9Eg5eHrX6z+E/AhikE3C7OmQ7MM/8PLPqoUo
+xoXYK2O5seWWA5IjCbm7I9mMQpmZi847H9WpHLEaoh8gew==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.dated.resp
new file mode 100644
index 0000000..5a12466
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.good.resp
new file mode 100644
index 0000000..30c30f6
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.req
new file mode 100644
index 0000000..90263fd
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.revoked.resp
new file mode 100644
index 0000000..6273c03
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.p12 b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.p12
new file mode 100644
index 0000000..c4392fc
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.pem b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.pem
new file mode 100644
index 0000000..70bea88
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+    friendlyName: revoked1.example.org
+    localKeyID: CB 4F CF EE 43 43 65 BB 23 74 E0 40 65 36 FE 99 31 DF AB A8 
+subject=/CN=revoked1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMloXDTM4MDEwMTEyMzQwMlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
+ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtH5k2k62LbnSi/B5Bgxk+zMn
+GiOYjeojLffbE73oSIws/sAwigOroZRxeDCK1Bvqlt3CsRlh1j7qGHTdf3JPEQID
+AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
+bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EAh2MZRLrAaQlspQCSvzB8GauDjhyc1ZMz
+/YeE550dEXzC3YtnTK6PKmDfm0xw/eVcSnwlsYUdLFzB5xBGbkxQbg==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.unlocked.key
new file mode 100644
index 0000000..47e917b
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOQIBAAJBALR+ZNpOti250ovweQYMZPszJxojmI3qIy332xO96EiMLP7AMIoD
+q6GUcXgwitQb6pbdwrEZYdY+6hh03X9yTxECAwEAAQJADLoAyHfWVqEMnHtnPSrw
+j9nKfwhVgGQq+NnKI7k3QK4rQX1Z+wfSw0rxpE5sFqDUVheeFY/IMolXD32zJwUM
+pQIhAOEb6HbVqVqYr5lgN7CoRSVRXJEm1PvxmI6RKewtAPGTAiEAzUMl+oAfRboT
+tywwc4N8MdvAAapLnP9u7NmhG7fP80sCIHkXgCdcrCs180/4ODzpZ7i5WagjUXLt
+9XjLkdegJd/NAiAweI7bXK4F1S8arkCyxnXpgC8TNZetd1RGcg3tcbaViQIgIDmb
+d9wZOnDeMg3BlC5X+zfOyiGk3+/Jnp7Msya+nfc=
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/secmod.db b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/secmod.db
new file mode 100644
index 0000000..7621830
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/ca_chain.pem
new file mode 100644
index 0000000..d36ac20
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+    friendlyName: Signing Cert
+subject=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority
+subject=/O=example.org/CN=clica CA
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
+x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
+LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: revoked2.example.org
+    localKeyID: B9 99 5C A3 65 F8 67 93 A4 96 45 B2 7C B6 64 28 CB 71 1D 6C 
+subject=/CN=revoked2.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDNaFw0zODAxMDExMjM0MDNaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
+bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLUlL/Fx0qhl0rhRZ3HTr+d
+wbKi0cDyZa97S5EDr3Dq1qurHmEs92C6P27df1r6ltVT7O1xH1+s40hTL5yzQ3sC
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
+cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAC0aZSfdH/PlvY+jfQnVAkmmYyawPdSu
+Osv4lwZYhBo2FSJdlufbwo3ElD4JK/BIHHTGiphM9++hpGLWaAcvT4k=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/cert8.db
new file mode 100644
index 0000000..e1c3dae
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/key3.db
new file mode 100644
index 0000000..52cfbc2
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/pwdfile b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.chain.pem
new file mode 100644
index 0000000..7bc3981
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+    friendlyName: revoked2.example.org
+    localKeyID: B9 99 5C A3 65 F8 67 93 A4 96 45 B2 7C B6 64 28 CB 71 1D 6C 
+subject=/CN=revoked2.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDNaFw0zODAxMDExMjM0MDNaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
+bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLUlL/Fx0qhl0rhRZ3HTr+d
+wbKi0cDyZa97S5EDr3Dq1qurHmEs92C6P27df1r6ltVT7O1xH1+s40hTL5yzQ3sC
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
+cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAC0aZSfdH/PlvY+jfQnVAkmmYyawPdSu
+Osv4lwZYhBo2FSJdlufbwo3ElD4JK/BIHHTGiphM9++hpGLWaAcvT4k=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.key b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.key
new file mode 100644
index 0000000..3c2d612
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.key
@@ -0,0 +1,15 @@
+Bag Attributes
+    friendlyName: revoked2.example.org
+    localKeyID: B9 99 5C A3 65 F8 67 93 A4 96 45 B2 7C B6 64 28 CB 71 1D 6C 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIatK6XJ1l+7MCAggA
+MBQGCCqGSIb3DQMHBAjUZXz3pKENmgSCAWDbQs9Kd21OIstOoQdgYviX33loF2bH
+wpn0IP4P/2dFUmK07M146AEwPgXTI/mCewMgJ/cRQqnFAyoE1hjbZnk3WRi2SRXs
+dmIWAveseDuDsL7og72bHSvHIqsvcYs9SS8KBPCH6wY14a40QO1X26t7S8ZLTspu
+4V/YSNNiug6n8Z3N1Y2tuWPC8CQ9bBtL2jcqZT0WBJ8BXtn69jmVSWNm1DBaByET
+M4dqHGC//hFk1jnKBXaJ/VvBS5E6lOANwfUAr0gQT08NaJ7qJ6WUhpca7Rtky/KQ
+/passZZKeu7/R8VyQLvfk+vH2wW+5EX8+WtutWQJycW57+pnoXORrvIz3lc6B/6+
+Q91EJzABv5n93nynoZgEEr4vKiCCmLGYYJEciqQTERzCDNw3P73R+sd9PiTrku9g
+pKp12ieWWHZjeHcAMUZl8xWSytVT1fkeSPXcA43KoW93s78DegMh/HTr
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.dated.resp
new file mode 100644
index 0000000..00a0d1c
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.good.resp
new file mode 100644
index 0000000..3e2585a
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.req
new file mode 100644
index 0000000..0348f98
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.revoked.resp
new file mode 100644
index 0000000..3e2585a
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.p12 b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.p12
new file mode 100644
index 0000000..f71eda5
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.pem b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.pem
new file mode 100644
index 0000000..9e24c7c
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+    friendlyName: revoked2.example.org
+    localKeyID: B9 99 5C A3 65 F8 67 93 A4 96 45 B2 7C B6 64 28 CB 71 1D 6C 
+subject=/CN=revoked2.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDNaFw0zODAxMDExMjM0MDNaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
+bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLUlL/Fx0qhl0rhRZ3HTr+d
+wbKi0cDyZa97S5EDr3Dq1qurHmEs92C6P27df1r6ltVT7O1xH1+s40hTL5yzQ3sC
+AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
+ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
+cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAC0aZSfdH/PlvY+jfQnVAkmmYyawPdSu
+Osv4lwZYhBo2FSJdlufbwo3ElD4JK/BIHHTGiphM9++hpGLWaAcvT4k=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.unlocked.key
new file mode 100644
index 0000000..c6895f7
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOwIBAAJBANLUlL/Fx0qhl0rhRZ3HTr+dwbKi0cDyZa97S5EDr3Dq1qurHmEs
+92C6P27df1r6ltVT7O1xH1+s40hTL5yzQ3sCAwEAAQJBALGnYBCY3+4LbCk02iyx
+nbHphSa5/HXRy82q32o66MMEGIfyMaluRfMoQHS9n3yieOn2i41s7+4w52ormZEx
+hEECIQDpSgUGrakvx2mqhAxIkfYTJgS3bMUINlRveYpYNvL65QIhAOda2XxChB3H
+TxTgJURPl1i4LOEm9ecMHlBNhzhadn7fAiEA0pp8BxdnkTaY8dLbs/fxCkBcKasM
+BOnnN+ulNRYGLPECIDrXJFEyKZ/ZPQe2KkRBaeCqlt98pTXqIxuRXD684z5JAiBi
+aAtGEXlUtwnseKyflSrEh0bAwnOsEEA7qEUCl/ExPw==
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/secmod.db b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/secmod.db
new file mode 100644
index 0000000..f7a91aa
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/server1.example.org/ca_chain.pem
new file mode 100644
index 0000000..6cdbee1
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+    friendlyName: Signing Cert
+subject=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority
+subject=/O=example.org/CN=clica CA
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
+x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
+LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: server1.example.org
+    localKeyID: 5E 7F 83 85 31 F1 CA DC 88 07 2C 58 95 FA 36 16 65 F6 BB 8D 
+subject=/CN=server1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMloXDTM4MDEwMTEyMzQwMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+Lm9yZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDFIpfEcK4d3IEq3F7B6AIpepZk
+mKln9pcCm0RbAxm77YlhHucDzyVu9rmW7XSW/c4Dv3clwzHLpaoF2KURKLZ7AgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+b3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLm9yZy8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+Lm9yZzANBgkqhkiG9w0BAQUFAANBACfk1MYCSbT2gbaT1Dv9FrMEybkFZtxUfz69
+Gnx/55Wfw936z2en+RImD3qF1qQxUwIMlWGm6SaitfmlQ5qVJ1A=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/server1.example.org/cert8.db
new file mode 100644
index 0000000..c9c908a
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server1.example.org/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/server1.example.org/key3.db
new file mode 100644
index 0000000..db816ef
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server1.example.org/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/pwdfile b/test/aux-fixed/exim-ca/example.org/server1.example.org/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/secmod.db b/test/aux-fixed/exim-ca/example.org/server1.example.org/secmod.db
new file mode 100644
index 0000000..ac46b48
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server1.example.org/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.chain.pem
new file mode 100644
index 0000000..da43040
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+    friendlyName: server1.example.org
+    localKeyID: 5E 7F 83 85 31 F1 CA DC 88 07 2C 58 95 FA 36 16 65 F6 BB 8D 
+subject=/CN=server1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMloXDTM4MDEwMTEyMzQwMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+Lm9yZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDFIpfEcK4d3IEq3F7B6AIpepZk
+mKln9pcCm0RbAxm77YlhHucDzyVu9rmW7XSW/c4Dv3clwzHLpaoF2KURKLZ7AgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+b3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLm9yZy8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+Lm9yZzANBgkqhkiG9w0BAQUFAANBACfk1MYCSbT2gbaT1Dv9FrMEybkFZtxUfz69
+Gnx/55Wfw936z2en+RImD3qF1qQxUwIMlWGm6SaitfmlQ5qVJ1A=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.key b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.key
new file mode 100644
index 0000000..6e41e50
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.key
@@ -0,0 +1,15 @@
+Bag Attributes
+    friendlyName: server1.example.org
+    localKeyID: 5E 7F 83 85 31 F1 CA DC 88 07 2C 58 95 FA 36 16 65 F6 BB 8D 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIhfu7ElRn7TUCAggA
+MBQGCCqGSIb3DQMHBAggde7b8jzc2ASCAWCNar4Td+ZM5Elbb16QeDTfzMoKoScb
+jQo/GS7f5h4An9vh/aTaKBoWDQ8gLcvbTUlpGxRznGt9mmOk9AOWsd03rTJ3TUud
++Cm4GfyEslvF8zXSPgJOz4YMiMMNZF3sEGGxs+D6Dav7isMrAIE/Se4Uh3pBY3Fg
+kio9fZfJSWorb3XO6LY9wyg33sz0ZxfhLfhenpeuveQfGuwc9l/DtYuhorqa4xXv
++T5W6HQ7g7nB/GMQF0rkm7BUSqawuLPK7ippBjpNg07iGOYNvQ5GKPahuBTbKyDc
+7LYzGNjZ+mNyL8vDNkwcdnUUqIbYsdMqmEZX+cu2wugXF1GshI9krcDHBXGcZH4G
+sogntcL8qR5KpPfBQCcp9An7TfLJkJtZOH6IYVZVy3/wb+OEou3UNckMe7PF8PWa
+T6/N9/zs49U6RxiYn+Vz/x0hQmRbLvLEsbotT1WStJq8LkcI0Zu9cJab
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.dated.resp
new file mode 100644
index 0000000..43bb173
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.good.resp
new file mode 100644
index 0000000..7521479
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.req
new file mode 100644
index 0000000..6ec207d
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.revoked.resp
new file mode 100644
index 0000000..90cd6fa
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.p12 b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.p12
new file mode 100644
index 0000000..585738e
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.pem b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.pem
new file mode 100644
index 0000000..81679f8
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+    friendlyName: server1.example.org
+    localKeyID: 5E 7F 83 85 31 F1 CA DC 88 07 2C 58 95 FA 36 16 65 F6 BB 8D 
+subject=/CN=server1.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwMloXDTM4MDEwMTEyMzQwMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+Lm9yZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDFIpfEcK4d3IEq3F7B6AIpepZk
+mKln9pcCm0RbAxm77YlhHucDzyVu9rmW7XSW/c4Dv3clwzHLpaoF2KURKLZ7AgMB
+AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
+b3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb3NjcC9leGFtcGxlLm9yZy8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
+Lm9yZzANBgkqhkiG9w0BAQUFAANBACfk1MYCSbT2gbaT1Dv9FrMEybkFZtxUfz69
+Gnx/55Wfw936z2en+RImD3qF1qQxUwIMlWGm6SaitfmlQ5qVJ1A=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.unlocked.key
new file mode 100644
index 0000000..1b83abc
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBPQIBAAJBAMUil8Rwrh3cgSrcXsHoAil6lmSYqWf2lwKbRFsDGbvtiWEe5wPP
+JW72uZbtdJb9zgO/dyXDMculqgXYpREotnsCAwEAAQJBAKDzsX4NkduHoV5hNmyT
+BNDg6dGQYyAi0QCrzI+SZHxt8ZYksM//or03aXE7xUUAeFmlSQYc9KfhADAB+mL8
+3YECIQDi4Q5nPCDr99odHTguDlTDi9vEEIiY2N7g8jsGAZH6KwIhAN5wME90eCX/
+oIzlAVqCbq9JuO8Zt3lxvqbasOGT3pzxAiEAwXcifhvDAxUGNF9vQa7Mzzca/vUO
+VjBQ1kcY18VNAqMCIQCxMe/aK67WnldYRcmZP1RLANB4cCUPcoPsyUOkvzXUEQIh
+AJEKAaavDZzn70+xnPw/8QPzHExNxIRtYrxBnc0Kv74r
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/server2.example.org/ca_chain.pem
new file mode 100644
index 0000000..35a92fb
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/ca_chain.pem
@@ -0,0 +1,47 @@
+Bag Attributes
+    friendlyName: Signing Cert
+subject=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority
+subject=/O=example.org/CN=clica CA
+issuer=/O=example.org/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
+Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
+x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
+AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
+LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: server2.example.org
+    localKeyID: 86 3E B2 BF BC 60 4F 3F C4 EA AA FE 97 44 A9 48 6B 4F C1 77 
+subject=/CN=server2.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDNaFw0zODAxMDExMjM0MDNaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1bNd+LEj7UV8Riahrn/3TL1n
+NwaIvqkqCFscP5ae3dB5rJ8vdfIc0hOzh782zpXxJxYa7S340zjxfgdUzMAeWQID
+AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5vcmcvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
+ZS5vcmcwDQYJKoZIhvcNAQEFBQADQQBCORy4CO4MMENsEtYwU7xE0Ck5i8VefJ6D
+txODMnRUzsthdbfjgXm3BfVPrhOuT0/bIKfyJtoSdCtN1SRPTJxO
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/server2.example.org/cert8.db
new file mode 100644
index 0000000..2f8358e
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server2.example.org/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/server2.example.org/key3.db
new file mode 100644
index 0000000..df16257
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server2.example.org/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/pwdfile b/test/aux-fixed/exim-ca/example.org/server2.example.org/pwdfile
new file mode 100644
index 0000000..f3097ab
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/secmod.db b/test/aux-fixed/exim-ca/example.org/server2.example.org/secmod.db
new file mode 100644
index 0000000..92af259
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server2.example.org/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.chain.pem
new file mode 100644
index 0000000..5bcc299
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.chain.pem
@@ -0,0 +1,29 @@
+Bag Attributes
+    friendlyName: server2.example.org
+    localKeyID: 86 3E B2 BF BC 60 4F 3F C4 EA AA FE 97 44 A9 48 6B 4F C1 77 
+subject=/CN=server2.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDNaFw0zODAxMDExMjM0MDNaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1bNd+LEj7UV8Riahrn/3TL1n
+NwaIvqkqCFscP5ae3dB5rJ8vdfIc0hOzh782zpXxJxYa7S340zjxfgdUzMAeWQID
+AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5vcmcvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
+ZS5vcmcwDQYJKoZIhvcNAQEFBQADQQBCORy4CO4MMENsEtYwU7xE0Ck5i8VefJ6D
+txODMnRUzsthdbfjgXm3BfVPrhOuT0/bIKfyJtoSdCtN1SRPTJxO
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
+MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
+zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
+F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
+YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
+PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.key b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.key
new file mode 100644
index 0000000..6f62ee0
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.key
@@ -0,0 +1,15 @@
+Bag Attributes
+    friendlyName: server2.example.org
+    localKeyID: 86 3E B2 BF BC 60 4F 3F C4 EA AA FE 97 44 A9 48 6B 4F C1 77 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIjfdds7UVEY0CAggA
+MBQGCCqGSIb3DQMHBAiY22+2lkjkEASCAWDm5MmTuUgMOkSWscoH1Qn/GVM2sawP
+TsknGm/HMV+bJlpGLCXwBrAKe6RDC+zlEmGVUSWJoxoPz1qQT9fcooyEFSCS8asN
+omSw+8wrxXTSB57b1OqpHoV8VlTT60/sdVV8l9B1Ef/vsdjKB0NDwqUwDVg4Xw32
+wV3Tv8pFRLg3CBCEDeykcJ+FkodSope9UL6E95Ukhae335bTmWsxbrR4IZCUhI2t
+/MOLyPnd6huPGlti2SH8PRRnei6TM/O8mH1uUzdSAqxoDA6wV+P6pIDI8GY1k61q
+53oeq9ocSJOQ+q3kIyBQlGgApME47hog3sVZ/WsU3r071g9VKhzlFUFPOOkbUR9+
+gl7MDV/r/6IjOAHEaLFBQrnRVKbs93sTtf8pNhIHJLJtTWjDV/nBbiHxsNFIWqGU
+ZlH0FU2DENHZqPiLxsfH1J9EmtTiHXgu/naD0m7RbmPm6ffIDPuYPVMw
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.dated.resp
new file mode 100644
index 0000000..b15606a
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.good.resp
new file mode 100644
index 0000000..8fc3f99
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.req
new file mode 100644
index 0000000..f8731d0
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.revoked.resp
new file mode 100644
index 0000000..8fc3f99
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.p12 b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.p12
new file mode 100644
index 0000000..f2f2fe8
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.pem b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.pem
new file mode 100644
index 0000000..ed55c33
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.pem
@@ -0,0 +1,18 @@
+Bag Attributes
+    friendlyName: server2.example.org
+    localKeyID: 86 3E B2 BF BC 60 4F 3F C4 EA AA FE 97 44 A9 48 6B 4F C1 77 
+subject=/CN=server2.example.org
+issuer=/O=example.org/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
+MjM0MDNaFw0zODAxMDExMjM0MDNaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1bNd+LEj7UV8Riahrn/3TL1n
+NwaIvqkqCFscP5ae3dB5rJ8vdfIc0hOzh782zpXxJxYa7S340zjxfgdUzMAeWQID
+AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
+Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
+cDovL29zY3AvZXhhbXBsZS5vcmcvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
+ZS5vcmcwDQYJKoZIhvcNAQEFBQADQQBCORy4CO4MMENsEtYwU7xE0Ck5i8VefJ6D
+txODMnRUzsthdbfjgXm3BfVPrhOuT0/bIKfyJtoSdCtN1SRPTJxO
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.unlocked.key
new file mode 100644
index 0000000..38b2718
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.unlocked.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOwIBAAJBANWzXfixI+1FfEYmoa5/90y9ZzcGiL6pKghbHD+Wnt3QeayfL3Xy
+HNITs4e/Ns6V8ScWGu0t+NM48X4HVMzAHlkCAwEAAQJATzDe2+/Y3m5ndR+PvriR
+DhEKFKwJNI4/k0UgHLhWOt/+y02ZfO5zhZaLvYG1BQbGKyhypdAGS8QP19xRVjI9
+uQIhAPs7Ql00hIvZvfRMmgh90otggbrWIrkW8Oh10BMFBdkTAiEA2cG+l36A5NAs
+PlA7sOlQyFs5F4XNXzEy76vPsGR/pGMCIBjo3UGkjWfYZQ8t8S/aWd/b58EArlyv
+u58w3zqjitrlAiEAsJeqlPkGVolsF+zBO6s61AEGv8jG0Ff50twmxgn6abkCIQDJ
+pUSYU/YF7bYj5QuHRyemhzDytTQcAB7A4IEWZsSL9A==
+-----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/genall b/test/aux-fixed/exim-ca/genall
new file mode 100755
index 0000000..63a3618
--- /dev/null
+++ b/test/aux-fixed/exim-ca/genall
@@ -0,0 +1,101 @@
+#!/bin/bash
+#
+
+echo Ensure time is set to 2012/11/01 12:34
+echo use -  date -u 110112342012
+echo hit return when ready
+read junk
+for tld in com org net
+do
+    clica -D example.$tld -p password -B 512 -I -N example.$tld -F -C http://crl.example.$tld/latest.crl -O http://oscp/example.$tld/
+    clica -D example.$tld -p password -s 101 -S server1.example.$tld
+    clica -D example.$tld -p password -s 102 -S revoked1.example.$tld
+    clica -D example.$tld -p password -s 103 -S expired1.example.$tld -m 1
+    clica -D example.$tld -p password -s 201 -S server2.example.$tld
+    clica -D example.$tld -p password -s 202 -S revoked2.example.$tld
+    clica -D example.$tld -p password -s 203 -S expired2.example.$tld -m 1
+done
+
+# and loop again
+for tld in com org net
+do
+    CADIR=example.$tld/CA
+    #give ourselves an OSCP key to work with
+    pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer' -d $CADIR -K password -W password
+    openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key
+
+
+    # create some index files for the ocsp responder to work with
+    cat >$CADIR/index.valid.txt <<EOF
+V    130110200751Z        65    unknown    CN=server1.example.$tld
+V    130110200751Z        66    unknown    CN=revoked1.example.$tld
+V    130110200751Z        67    unknown    CN=expired1.example.$tld
+V    130110200751Z        c9    unknown    CN=server2.example.$tld
+V    130110200751Z        ca    unknown    CN=revoked2.example.$tld
+V    130110200751Z        cb    unknown    CN=expired2.example.$tld
+EOF
+    cat >$CADIR/index.revoked.txt <<EOF
+R    130110200751Z    100201142709Z,superseded    65    unknown    CN=server1.example.$tld
+R    130110200751Z    100201142709Z,superseded    66    unknown    CN=revoked1.example.$tld
+R    130110200751Z    100201142709Z,superseded    67    unknown    CN=expired1.example.$tld
+R    130110200751Z    100201142709Z,superseded    c9    unknown    CN=server2.example.$tld
+R    130110200751Z    100201142709Z,superseded    ca    unknown    CN=revoked2.example.$tld
+R    130110200751Z    100201142709Z,superseded    cb    unknown    CN=expired2.example.$tld
+EOF
+
+    # Now create all the ocsp requests and responses
+    OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
+    for server in server1 revoked1 expired1 server2 revoked2 expired2
+    do
+    SPFX=example.$tld/$server.example.$tld/$server.example.$tld
+    openssl ocsp -issuer $CADIR/Signer.pem -cert $SPFX.pem -reqout $SPFX.ocsp.req
+    openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.good.resp
+    openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 30 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.dated.resp
+    openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.revoked.resp
+    done
+done
+
+# and loop again to generate unlocked keys and client cert bundles
+for tld in com org net
+do
+    for server in server1 revoked1 expired1 server2 revoked2 expired2 do
+    SDIR=example.$tld/$server.example.$tld
+    SPFX=$SDIR/$server.example.$tld
+    openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
+    cat $SPFX.pem example.$tld/CA/Signer.pem >$SPFX.chain.pem
+    done
+done
+
+echo Please to reset date to now.
+echo service ntpdate start
+echo 
+echo Then hit return
+read junk
+
+# Create CRL files in .der and .pem
+# empty versions, and ones with the revoked servers
+for tld in com org net
+do
+    CADIR=example.$tld/CA
+    CRLIN=$CADIR/crl.empty.in.txt
+    DATENOW=`date -u +%Y%m%d%H%M%SZ`
+    echo "update=$DATENOW " >$CRLIN
+    crlutil -G -d $CADIR -f $CADIR/pwdfile \
+    -n 'Signing Cert' -c $CRLIN -o $CADIR/crl.empty
+    openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
+done
+sleep 2
+for tld in com org net
+do
+    CADIR=example.$tld/CA
+    CRLIN=$CADIR/crl.v2.in.txt
+    DATENOW=`date -u +%Y%m%d%H%M%SZ`
+    echo "update=$DATENOW " >$CRLIN
+    echo "addcert 102 $DATENOW" >>$CRLIN
+    echo "addcert 202 $DATENOW" >>$CRLIN
+    crlutil -G -d $CADIR -f $CADIR/pwdfile \
+    -n 'Signing Cert' -c $CRLIN -o $CADIR/crl.v2
+    openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
+done
+
+echo "CA, Certificate, CRL and OSCP Response generation complete"
diff --git a/test/aux-fixed/ocsp_file.der b/test/aux-fixed/ocsp_file.der
new file mode 100644
index 0000000..f629d53
Binary files /dev/null and b/test/aux-fixed/ocsp_file.der differ
diff --git a/test/confs/5600 b/test/confs/5600
new file mode 100644
index 0000000..8b26ee7
--- /dev/null
+++ b/test/confs/5600
@@ -0,0 +1,66 @@
+# Exim test configuration 5600
+# OCSP stapling, server
+
+CRL=
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = server1.example.com
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = check_recipient
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
+tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+
+tls_verify_hosts = HOSTIPV4
+tls_try_verify_hosts = *
+tls_verify_certificates = DIR/aux-fixed/cert2
+tls_crl = CRL
+tls_ocsp_file = OCSP
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+  deny     message = certificate not verified: peerdn=$tls_peerdn
+         ! verify = certificate
+  accept
+
+
+# ----- Routers -----
+
+begin routers
+
+abc:
+  driver = accept
+  retry_use_local_part
+  transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+  driver = appendfile
+  file = DIR/test-mail/$local_part
+  headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+  user = CALLER
+
+# End
diff --git a/test/confs/5601 b/test/confs/5601
new file mode 100644
index 0000000..5172ff2
--- /dev/null
+++ b/test/confs/5601
@@ -0,0 +1,121 @@
+# Exim test configuration 5601
+# OCSP stapling, client
+
+SERVER =
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = server1.example.com
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = check_recipient
+log_selector = +tls_peerdn
+remote_max_parallel = 1
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server}\
+{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\
+fail\
+}
+
+#{DIR/aux-fixed/exim-ca/example.com/CA/CA.pem}\
+
+tls_privatekey = ${if eq {SERVER}{server}\
+{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\
+fail}
+
+tls_ocsp_file = OCSP
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+  accept  domains = +local_domains
+  deny    message = relay not permitted
+
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver = accept
+  condition = ${if eq {SERVER}{server}{no}{yes}}
+  retry_use_local_part
+  transport = send_to_server${if eq{$local_part}{nostaple}{1} \
+                {${if eq{$local_part}{smtps} {3}{2}}} \
+                 }
+
+server:
+  driver = redirect
+  data = :blackhole:
+  #retry_use_local_part
+  #transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+  driver = appendfile
+  file = DIR/test-mail/$local_part
+  headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+  user = CALLER
+
+send_to_server1:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  hosts_require_tls = *
+# note no ocsp here
+
+send_to_server2:
+  driver = smtp
+  allow_localhost
+  hosts = 127.0.0.1
+  port = PORT_D
+  helo_data = helo.data.changed
+  #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
+  tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  hosts_require_tls =  *
+  hosts_require_ocsp = *
+
+send_to_server3:
+  driver = smtp
+  allow_localhost
+  hosts = 127.0.0.1
+  port = PORT_D
+  helo_data = helo.data.changed
+  #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
+  tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  protocol =           smtps
+  hosts_require_tls =  *
+  hosts_require_ocsp = *
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,1s
+
+
+# End
diff --git a/test/log/5600 b/test/log/5600
new file mode 100644
index 0000000..869883f
--- /dev/null
+++ b/test/log/5600
@@ -0,0 +1,6 @@
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; responding
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding
diff --git a/test/log/5601 b/test/log/5601
new file mode 100644
index 0000000..40caa0f
--- /dev/null
+++ b/test/log/5601
@@ -0,0 +1,41 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => nostaple@??? R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@??? R=client T=send_to_server2 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbB-0005vi-00 Received TLS status response, null content
+1999-03-02 09:44:33 10HmbB-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbB-0005vi-00 == CALLER@??? R=client T=send_to_server2 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbC-0005vi-00 Server certificate revoked; reason: superseded
+1999-03-02 09:44:33 10HmbC-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbC-0005vi-00 == CALLER@??? R=client T=send_to_server2 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbD-0005vi-00 Server OSCP dates invalid
+1999-03-02 09:44:33 10HmbD-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@??? R=client T=send_to_server2 defer (-37): failure while setting up TLS session
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaX-0005vi-00@???
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <nostaple@???> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@???
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@???> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; not responding
+1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding
+1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding
+1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
diff --git a/test/msglog/2145.10HmaX-0005vi-00 b/test/msglog/2145.10HmaX-0005vi-00
new file mode 100644
index 0000000..33692c6
--- /dev/null
+++ b/test/msglog/2145.10HmaX-0005vi-00
@@ -0,0 +1 @@
+1999-03-02 09:44:33 Received from CALLER@??? U=CALLER P=local S=sss
diff --git a/test/scripts/5600-OCSP-OpenSSL/5600 b/test/scripts/5600-OCSP-OpenSSL/5600
new file mode 100644
index 0000000..464da69
--- /dev/null
+++ b/test/scripts/5600-OCSP-OpenSSL/5600
@@ -0,0 +1,80 @@
+# TLS server: OCSP stapling
+#
+#
+#
+# 1: Server sends good staple on request
+exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
+****
+client-ssl \
+ -ocsp aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem \
+ HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<userx@???>
+??? 250
+rcpt to:<userx@???>
+??? 250
+quit
+??? 221
+****
+killdaemon
+#
+#
+#
+# 2: Server does not staple an outdated response
+exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp
+****
+# XXX test sequence might not be quite right; this is for a server refusal
+# and we're expecting a client refusal.
+client-ssl -ocsp aux-fixed/exim-ca/expired1.example.com/CA.pem HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+****
+killdaemon
+#
+#
+#
+#
+#
+# 3: Server does not staple a response for a revoked cert
+exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp
+****
+client-ssl \
+ -ocsp aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem \
+ HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+****
+killdaemon
+#
+#
+#
+#
+#
diff --git a/test/scripts/5600-OCSP-OpenSSL/5601 b/test/scripts/5600-OCSP-OpenSSL/5601
new file mode 100644
index 0000000..b2983eb
--- /dev/null
+++ b/test/scripts/5600-OCSP-OpenSSL/5601
@@ -0,0 +1,65 @@
+# OCSP stapling, client
+#
+#
+# Client works when we don't demand OCSP stapling
+exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null
+****
+exim nostaple@???
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
+# Client accepts good stapled info
+exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
+****
+exim CALLER@???
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+# Client fails on lack of requested stapled info
+exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null
+****
+exim CALLER@???
+test message.
+****
+sleep 1
+killdaemon
+no_msglog_check
+#
+#
+#
+# Client fails on revoked stapled info
+EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp
+****
+exim CALLER@???
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
+# Client fails on expired stapled info
+EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp
+****
+exim CALLER@???
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
diff --git a/test/scripts/5600-OCSP-OpenSSL/REQUIRES b/test/scripts/5600-OCSP-OpenSSL/REQUIRES
new file mode 100644
index 0000000..3d15ede
--- /dev/null
+++ b/test/scripts/5600-OCSP-OpenSSL/REQUIRES
@@ -0,0 +1,3 @@
+support OpenSSL
+support Experimental_OCSP
+running IPv4
diff --git a/test/src/client.c b/test/src/client.c
index 58ab56d..3b782f3 100644
--- a/test/src/client.c
+++ b/test/src/client.c
@@ -1,7 +1,8 @@
 /* A little hacked up program that makes a TCP/IP call and reads a script to
 drive it, for testing Exim server code running as a daemon. It's got a bit
 messy with the addition of support for either OpenSSL or GnuTLS. The code for
-those was hacked out of Exim itself. */
+those was hacked out of Exim itself, then code for OCSP stapling was ripped
+from the openssl ocsp and s_client utilities. */


/* ANSI C standard includes */

@@ -66,6 +67,9 @@ latter needs a whole pile of tables. */
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rand.h>
+#include <openssl/ocsp.h>
+
+char * ocsp_stapling = NULL;
#endif


@@ -145,6 +149,91 @@ sigalrm_seen = 1;
/****************************************************************************/

 #ifdef HAVE_OPENSSL
+
+X509_STORE *
+setup_verify(BIO *bp, char *CAfile, char *CApath)
+{
+        X509_STORE *store;
+        X509_LOOKUP *lookup;
+        if(!(store = X509_STORE_new())) goto end;
+        lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
+        if (lookup == NULL) goto end;
+        if (CAfile) {
+                if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {
+                        BIO_printf(bp, "Error loading file %s\n", CAfile);
+                        goto end;
+                }
+        } else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
+
+        lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
+        if (lookup == NULL) goto end;
+        if (CApath) {
+                if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) {
+                        BIO_printf(bp, "Error loading directory %s\n", CApath);
+                        goto end;
+                }
+        } else X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
+
+        ERR_clear_error();
+        return store;
+        end:
+        X509_STORE_free(store);
+        return NULL;
+}
+
+
+static int
+tls_client_stapling_cb(SSL *s, void *arg)
+{
+const unsigned char *p;
+int len;
+OCSP_RESPONSE *rsp;
+OCSP_BASICRESP *bs;
+char *CAfile = NULL;
+X509_STORE *store = NULL;
+int ret = 1;
+
+len = SSL_get_tlsext_status_ocsp_resp(s, &p);
+/*BIO_printf(arg, "OCSP response: ");*/
+if (!p)
+    {
+    BIO_printf(arg, "no response received\n");
+    return 1;
+    }
+if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
+    {
+    BIO_printf(arg, "response parse error\n");
+    BIO_dump_indent(arg, (char *)p, len, 4);
+    return 0;
+    }
+if(!(bs = OCSP_response_get1_basic(rsp)))
+  {
+  BIO_printf(arg, "error parsing response\n");
+  return 0;
+  }
+
+CAfile = ocsp_stapling;
+if(!(store = setup_verify(arg, CAfile, NULL)))
+  {
+  BIO_printf(arg, "error in cert setup\n");
+  return 0;
+  }
+
+/* No file of alternate certs, no options */
+if(OCSP_basic_verify(bs, NULL, store, 0) <= 0)
+  {
+  BIO_printf(arg, "Response Verify Failure\n");
+  ERR_print_errors(arg);
+  ret = 0;
+  }
+else
+  BIO_printf(arg, "Response verify OK\n");
+
+X509_STORE_free(store);
+return ret;
+}
+
+
 /*************************************************
 *         Start an OpenSSL TLS session           *
 *************************************************/
@@ -161,6 +250,13 @@ SSL_set_session_id_context(*ssl, sid_ctx, strlen(sid_ctx));
 SSL_set_fd (*ssl, sock);
 SSL_set_connect_state(*ssl);


+if (ocsp_stapling)
+  {
+  SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
+  SSL_CTX_set_tlsext_status_arg(ctx, BIO_new_fp(stdout, BIO_NOCLOSE));
+  SSL_set_tlsext_status_type(*ssl, TLSEXT_STATUSTYPE_ocsp);
+  }
+
 signal(SIGALRM, sigalrm_handler_flag);
 sigalrm_seen = 0;
 alarm(5);
@@ -418,6 +514,17 @@ while (argc >= argi + 1 && argv[argi][0] == '-')
     tls_on_connect = 1;
     argi++;
     }
+#ifdef HAVE_OPENSSL
+  else if (strcmp(argv[argi], "-ocsp") == 0)
+    {
+    if (argc < ++argi + 1)
+      {
+      fprintf(stderr, "Missing required certificate file for ocsp option\n");
+      exit(1);
+      }
+    ocsp_stapling = argv[argi++];
+    }
+#endif
   else if (argv[argi][1] == 't' && isdigit(argv[argi][2]))
     {
     tmplong = strtol(argv[argi]+2, &end, 10);
diff --git a/test/stderr/5600 b/test/stderr/5600
new file mode 100644
index 0000000..045fadc
--- /dev/null
+++ b/test/stderr/5600
@@ -0,0 +1,2 @@
+
+******** SERVER ********
diff --git a/test/stderr/5601 b/test/stderr/5601
new file mode 100644
index 0000000..045fadc
--- /dev/null
+++ b/test/stderr/5601
@@ -0,0 +1,2 @@
+
+******** SERVER ********
diff --git a/test/stdout/5600 b/test/stdout/5600
new file mode 100644
index 0000000..9020be1
--- /dev/null
+++ b/test/stdout/5600
@@ -0,0 +1,142 @@
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/cert2
+Key file = aux-fixed/cert2
+??? 220
+<<< 220 server1.example.com ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-server1.example.com Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+SSL info: SSLv2/v3 write client hello A
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+Response verify OK
+SSL info: unknown state
+SSL info: SSLv3 read server key exchange A
+SSL info: SSLv3 read server certificate request A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client certificate A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write certificate verify A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read finished A
+SSL info: SSL negotiation finished successfully
+SSL info: SSL negotiation finished successfully
+SSL connection using AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<userx@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@???>
+??? 250
+<<< 250 Accepted
+>>> quit
+??? 221
+<<< 221 server1.example.com closing connection
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/cert2
+Key file = aux-fixed/cert2
+??? 220
+<<< 220 server1.example.com ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-server1.example.com Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+SSL info: SSLv2/v3 write client hello A
+no response received
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+SSL info: SSLv3 read server key exchange A
+SSL info: SSLv3 read server certificate request A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client certificate A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write certificate verify A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read finished A
+SSL info: SSL negotiation finished successfully
+SSL info: SSL negotiation finished successfully
+SSL connection using AES256-SHA
+Succeeded in starting TLS
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/cert2
+Key file = aux-fixed/cert2
+??? 220
+<<< 220 server1.example.com ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-server1.example.com Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+SSL info: SSLv2/v3 write client hello A
+no response received
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+SSL info: SSLv3 read server key exchange A
+SSL info: SSLv3 read server certificate request A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client certificate A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write certificate verify A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read finished A
+SSL info: SSL negotiation finished successfully
+SSL info: SSL negotiation finished successfully
+SSL connection using AES256-SHA
+Succeeded in starting TLS
+End of script
diff --git a/test/trusted_configs b/test/trusted_configs
new file mode 100644
index 0000000..47a1ec9
--- /dev/null
+++ b/test/trusted_configs
@@ -0,0 +1 @@
+/root/git/exim/test/test-config