authorNikos Mavrogiannopoulos <nmav@gnutls.org>2019-05-21 03:48:38 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2019-05-21 03:48:38 +0000
commit9c58968badea83f9a099f6b58fe225d825d489c2 (patch)
treecbe2ed5d3f8e81cacbd6d8431d1f121abf3ed394
parent13cc2e983446f578fa7aee7ef00231c35ddbf6e7 (diff)
parente5475d73b0a2395b0ecd875959d47910bb97dc33 (diff)
downloadgnutls-9c58968badea83f9a099f6b58fe225d825d489c2.tar.gz
Merge branch 'tmp-minor-fixes' into 'master'
A few minor bug fixes for the next release. Closes #770 and #767. See merge request gnutls/gnutls!1003
-rw-r--r--doc/cha-gtls-app.texi2
-rw-r--r--lib/Makefile.am2
-rw-r--r--lib/algorithms/secparams.c3
-rw-r--r--lib/includes/gnutls/x509.h9
-rw-r--r--lib/libgnutls.map3
-rw-r--r--lib/priority.c47
-rw-r--r--lib/priority_options.gperf1
-rw-r--r--lib/profiles.c74
-rw-r--r--lib/profiles.h32
-rw-r--r--lib/x509/time.c6
-rw-r--r--lib/x509/verify.c6
-rw-r--r--src/certtool.c6
-rw-r--r--src/serv.c2
-rw-r--r--tests/Makefile.am4
-rw-r--r--tests/cert-tests/Makefile.am2
-rwxr-xr-xtests/cert-tests/certtool-subca108
-rw-r--r--tests/cert-tests/data/inhibit-anypolicy.pem10
-rw-r--r--tests/cert-tests/data/long-serial.pem10
-rw-r--r--tests/cert-tests/data/template-crq.pem8
-rw-r--r--tests/cert-tests/data/template-date.pem8
-rw-r--r--tests/cert-tests/data/template-dates-after2038.pem8
-rw-r--r--tests/cert-tests/data/template-dn.pem8
-rw-r--r--tests/cert-tests/data/template-generalized.pem8
-rw-r--r--tests/cert-tests/data/template-krb5name.pem8
-rw-r--r--tests/cert-tests/data/template-nc.pem10
-rw-r--r--tests/cert-tests/data/template-othername-xmpp.pem24
-rw-r--r--tests/cert-tests/data/template-othername.pem8
-rw-r--r--tests/cert-tests/data/template-overflow.pem8
-rw-r--r--tests/cert-tests/data/template-overflow2.pem8
-rw-r--r--tests/cert-tests/data/template-rsa-sha3-224.pem10
-rw-r--r--tests/cert-tests/data/template-rsa-sha3-256.pem10
-rw-r--r--tests/cert-tests/data/template-rsa-sha3-384.pem10
-rw-r--r--tests/cert-tests/data/template-rsa-sha3-512.pem10
-rw-r--r--tests/cert-tests/data/template-test.pem10
-rw-r--r--tests/cert-tests/data/template-tlsfeature.csr21
-rw-r--r--tests/cert-tests/data/template-tlsfeature.pem24
-rw-r--r--tests/cert-tests/data/template-unique.pem10
-rwxr-xr-xtests/cert-tests/sha3-test4
-rwxr-xr-xtests/cert-tests/template-test1
-rw-r--r--tests/cert-tests/templates/template-othername-xmpp.tmpl3
-rw-r--r--tests/cert-tests/templates/template-tlsfeature.tmpl3
-rwxr-xr-xtests/profile-tests.sh243
-rwxr-xr-xtests/suite/certs/create-chain.sh11
-rw-r--r--tests/time.c94
44 files changed, 730 insertions, 167 deletions
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 6f605dfa1c..b304d67fb9 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -1610,7 +1610,7 @@ will disable CRL or OCSP checks in the verification of the certificate chain.
@item %VERIFY_ALLOW_X509_V1_CA_CRT @tab
will allow V1 CAs in chains.
-@item %PROFILE_(LOW|LEGACY|MEDIUM|HIGH|ULTRA) @tab
+@item %PROFILE_(LOW|LEGACY|MEDIUM|HIGH|ULTRA|FUTURE) @tab
require a certificate verification profile the corresponds to the specified
security level, see @ref{tab:key-sizes} for the mappings to values.
diff --git a/lib/Makefile.am b/lib/Makefile.am
index fe9cf63a2f..83b328e89a 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -72,7 +72,7 @@ COBJECTS = range.c record.c compress.c debug.c cipher.c gthreads.h handshake-tls
pk.c cert-cred.c global.c constate.c anon_cred.c pkix_asn1_tab.c gnutls_asn1_tab.c \
mem.c fingerprint.c tls-sig.c ecc.c alert.c privkey_raw.c atomic.h \
system/certs.c system/threads.c system/fastopen.c system/sockets.c \
- str-iconv.c system.c \
+ str-iconv.c system.c profiles.c profiles.h \
str.c str-unicode.c str-idna.c state.c cert-cred-x509.c file.c supplemental.c \
random.c crypto-api.c crypto-api.h privkey.c pcert.c pubkey.c locks.c dtls.c \
system_override.c crypto-backend.c verify-tofu.c pin.c tpm.c fips.c \
diff --git a/lib/algorithms/secparams.c b/lib/algorithms/secparams.c
index 9041ecab74..efd1f47530 100644
--- a/lib/algorithms/secparams.c
+++ b/lib/algorithms/secparams.c
@@ -91,7 +91,8 @@ gnutls_sec_param_to_pk_bits(gnutls_pk_algorithm_t algo,
else if (IS_EC(algo)||IS_GOSTEC(algo))
ret = p->ecc_bits;
else
- ret = p->pk_bits; break;
+ ret = p->pk_bits;
+ break;
}
);
return ret;
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index a153f7fac9..5c5f6ca506 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -988,6 +988,7 @@ typedef enum gnutls_certificate_verify_flags {
/**
* gnutls_certificate_verification_profiles_t:
+ * @GNUTLS_PROFILE_UNKNOWN: An invalid/unknown profile.
* @GNUTLS_PROFILE_VERY_WEAK: A verification profile that
* corresponds to @GNUTLS_SEC_PARAM_VERY_WEAK (64 bits)
* @GNUTLS_PROFILE_LOW: A verification profile that
@@ -999,8 +1000,10 @@ typedef enum gnutls_certificate_verify_flags {
* @GNUTLS_PROFILE_HIGH: A verification profile that
* corresponds to @GNUTLS_SEC_PARAM_HIGH (128 bits)
* @GNUTLS_PROFILE_ULTRA: A verification profile that
- * corresponds to @GNUTLS_SEC_PARAM_ULTRA (256 bits)
-% * @GNUTLS_PROFILE_SUITEB128: A verification profile that
+ * corresponds to @GNUTLS_SEC_PARAM_ULTRA (192 bits)
+ * @GNUTLS_PROFILE_FUTURE: A verification profile that
+ * corresponds to @GNUTLS_SEC_PARAM_FUTURE (256 bits)
+ * @GNUTLS_PROFILE_SUITEB128: A verification profile that
* applies the SUITEB128 rules
* @GNUTLS_PROFILE_SUITEB192: A verification profile that
* applies the SUITEB192 rules
@@ -1008,12 +1011,14 @@ typedef enum gnutls_certificate_verify_flags {
* Enumeration of different certificate verification profiles.
*/
typedef enum gnutls_certificate_verification_profiles_t {
+ GNUTLS_PROFILE_UNKNOWN = 0,
GNUTLS_PROFILE_VERY_WEAK = 1,
GNUTLS_PROFILE_LOW = 2,
GNUTLS_PROFILE_LEGACY = 4,
GNUTLS_PROFILE_MEDIUM = 5,
GNUTLS_PROFILE_HIGH = 6,
GNUTLS_PROFILE_ULTRA = 7,
+ GNUTLS_PROFILE_FUTURE = 9,
GNUTLS_PROFILE_SUITEB128=32,
GNUTLS_PROFILE_SUITEB192=33
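Review bot: `GNUTLS_PROFILE_FUTURE = 9` skips 8 with no explanation, while the rest of the sequence is dense apart from the pre-existing gap at 3. If 8 is deliberately reserved (or was once consumed by an ABI user), a comment such as `GNUTLS_PROFILE_FUTURE = 9, /* 8 intentionally unused */` would stop the next addition from reusing it; if not, 8 would be the natural value. I can't tell from this hunk which applies.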
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index ec8aadf558..2ed202e279 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1336,6 +1336,9 @@ GNUTLS_PRIVATE_3_4 {
_gnutls_mpi_ops;
_gnutls_mpi_log;
_gnutls_mpi_release;
+ # tests/time.c
+ _gnutls_utcTime2gtime;
+ _gnutls_x509_generalTime2gtime;
# Internal symbols needed by tests/:
_gnutls_default_priority_string;
diff --git a/lib/priority.c b/lib/priority.c
index 900bbf7783..1ed5d84927 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2004-2015 Free Software Foundation, Inc.
- * Copyright (C) 2015-2017 Red Hat, Inc.
+ * Copyright (C) 2015-2019 Red Hat, Inc.
*
* Author: Nikos Mavrogiannopoulos
*
@@ -36,10 +36,17 @@
#include "errno.h"
#include "ext/srp.h"
#include <gnutls/gnutls.h>
+#include "profiles.h"
#include "c-strcase.h"
#define MAX_ELEMENTS 64
+#define ENABLE_PROFILE(c, profile) do { \
+ c->additional_verify_flags &= 0x00ffffff; \
+ c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(profile); \
+ c->level = _gnutls_profile_to_sec_level(profile); \
+ } while(0)
+
/* This function is used by the test suite */
char *_gnutls_resolve_priorities(const char* priorities);
const char *_gnutls_default_priority_string = DEFAULT_PRIORITY_STRING;
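Review bot: The macro parameter `c` is expanded unparenthesized three times in ENABLE_PROFILE, and the profile-byte mask is still the bare literal `0x00ffffff` that the old per-profile bodies carried. Writing `(c)->additional_verify_flags &= 0x00ffffff; \` (and likewise for the other two uses of `c`) follows the usual macro hygiene, and if x509.h already defines a mask constant for the profile byte of the verify flags, `~` of that constant would document what the literal means — that definition is not visible here. A short comment above the macro, e.g. `/* select a verification profile: replace the profile byte of the verify flags and set the matching security level */`, would also help now that the profile-to-level mapping lives in profiles.c instead of next to each enable_profile_* function.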
@@ -839,51 +846,39 @@ static void disable_wildcards(gnutls_priority_t c)
}
static void enable_profile_very_weak(gnutls_priority_t c)
{
- c->additional_verify_flags &= 0x00ffffff;
- c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_VERY_WEAK);
- c->level = GNUTLS_SEC_PARAM_VERY_WEAK;
+ ENABLE_PROFILE(c, GNUTLS_PROFILE_VERY_WEAK);
}
static void enable_profile_low(gnutls_priority_t c)
{
- c->additional_verify_flags &= 0x00ffffff;
- c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LOW);
- c->level = GNUTLS_SEC_PARAM_LOW;
+ ENABLE_PROFILE(c, GNUTLS_PROFILE_LOW);
}
static void enable_profile_legacy(gnutls_priority_t c)
{
- c->additional_verify_flags &= 0x00ffffff;
- c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LEGACY);
- c->level = GNUTLS_SEC_PARAM_LEGACY;
+ ENABLE_PROFILE(c, GNUTLS_PROFILE_LEGACY);
+}
+static void enable_profile_medium(gnutls_priority_t c)
+{
+ ENABLE_PROFILE(c, GNUTLS_PROFILE_MEDIUM);
}
static void enable_profile_high(gnutls_priority_t c)
{
- c->additional_verify_flags &= 0x00ffffff;
- c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_HIGH);
- c->level = GNUTLS_SEC_PARAM_HIGH;
+ ENABLE_PROFILE(c, GNUTLS_PROFILE_HIGH);
}
static void enable_profile_ultra(gnutls_priority_t c)
{
- c->additional_verify_flags &= 0x00ffffff;
- c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA);
- c->level = GNUTLS_SEC_PARAM_ULTRA;
+ ENABLE_PROFILE(c, GNUTLS_PROFILE_ULTRA);
}
-static void enable_profile_medium(gnutls_priority_t c)
+static void enable_profile_future(gnutls_priority_t c)
{
- c->additional_verify_flags &= 0x00ffffff;
- c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM);
- c->level = GNUTLS_SEC_PARAM_MEDIUM;
+ ENABLE_PROFILE(c, GNUTLS_PROFILE_FUTURE);
}
static void enable_profile_suiteb128(gnutls_priority_t c)
{
- c->additional_verify_flags &= 0x00ffffff;
- c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB128);
- c->level = GNUTLS_SEC_PARAM_HIGH;
+ ENABLE_PROFILE(c, GNUTLS_PROFILE_SUITEB128);
}
static void enable_profile_suiteb192(gnutls_priority_t c)
{
- c->additional_verify_flags &= 0x00ffffff;
- c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB192);
- c->level = GNUTLS_SEC_PARAM_ULTRA;
+ ENABLE_PROFILE(c, GNUTLS_PROFILE_SUITEB128);
}
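Review bot: `enable_profile_suiteb192` now calls `ENABLE_PROFILE(c, GNUTLS_PROFILE_SUITEB128);` (L238), whereas the three lines it replaces selected GNUTLS_PROFILE_SUITEB192 with GNUTLS_SEC_PARAM_ULTRA. With this change a priority string requesting %PROFILE_SUITEB192 silently ends up with the SuiteB128 profile byte and, through the profiles table, the HIGH level, so chains that SuiteB192 is meant to reject on curve or key size would be accepted — a security downgrade rather than a refactor. The fix is one line: `ENABLE_PROFILE(c, GNUTLS_PROFILE_SUITEB192);`. It would be worth having tests/profile-tests.sh (added in this merge but not shown here) assert the level each PROFILE_* keyword produces, so a copy-paste slip like this is caught mechanically.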
static void enable_safe_renegotiation(gnutls_priority_t c)
{
diff --git a/lib/priority_options.gperf b/lib/priority_options.gperf
index a955ec85e6..c0524e5a09 100644
--- a/lib/priority_options.gperf
+++ b/lib/priority_options.gperf
@@ -33,6 +33,7 @@ PROFILE_LEGACY, enable_profile_legacy
PROFILE_MEDIUM, enable_profile_medium
PROFILE_HIGH, enable_profile_high
PROFILE_ULTRA, enable_profile_ultra
+PROFILE_FUTURE, enable_profile_future
PROFILE_SUITEB128, enable_profile_suiteb128
PROFILE_SUITEB192, enable_profile_suiteb192
NEW_PADDING, dummy_func
diff --git a/lib/profiles.c b/lib/profiles.c
new file mode 100644
index 0000000000..729ae51a0d
--- /dev/null
+++ b/lib/profiles.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ *
+ */
+
+#include "gnutls_int.h"
+#include <algorithms.h>
+#include "errors.h"
+#include <x509/common.h>
+#include "c-strcase.h"
+#include "profiles.h"
+
+typedef struct {
+ const char *name;
+ gnutls_certificate_verification_profiles_t profile;
+ gnutls_sec_param_t sec_param;
+} gnutls_profile_entry;
+
+static const gnutls_profile_entry profiles[] = {
+ {"Very weak", GNUTLS_PROFILE_VERY_WEAK, GNUTLS_SEC_PARAM_VERY_WEAK},
+ {"Low", GNUTLS_PROFILE_LOW, GNUTLS_SEC_PARAM_LOW},
+ {"Legacy", GNUTLS_PROFILE_LEGACY, GNUTLS_SEC_PARAM_LEGACY},
+ {"Medium", GNUTLS_PROFILE_MEDIUM, GNUTLS_SEC_PARAM_MEDIUM},
+ {"High", GNUTLS_PROFILE_HIGH, GNUTLS_SEC_PARAM_HIGH},
+ {"Ultra", GNUTLS_PROFILE_ULTRA, GNUTLS_SEC_PARAM_ULTRA},
+ {"Future", GNUTLS_PROFILE_FUTURE, GNUTLS_SEC_PARAM_FUTURE},
+ {"SuiteB128", GNUTLS_PROFILE_SUITEB128, GNUTLS_SEC_PARAM_HIGH},
+ {"SuiteB192", GNUTLS_PROFILE_SUITEB192, GNUTLS_SEC_PARAM_ULTRA},
+ {NULL, 0, 0}
+};
+
+gnutls_sec_param_t _gnutls_profile_to_sec_level(gnutls_certificate_verification_profiles_t profile)
+{
+ const gnutls_profile_entry *p;
+
+ for(p = profiles; p->name != NULL; p++) {
+ if (profile == p->profile)
+ return p->sec_param;
+ }
+
+ return GNUTLS_SEC_PARAM_UNKNOWN;
+}
+
+gnutls_certificate_verification_profiles_t _gnutls_profile_get_id(const char *name)
+{
+ const gnutls_profile_entry *p;
+
+ if (name == NULL)
+ return GNUTLS_PROFILE_UNKNOWN;
+
+ for(p = profiles; p->name != NULL; p++) {
+ if (c_strcasecmp(p->name, name) == 0)
+ return p->profile;
+ }
+
+ return GNUTLS_PROFILE_UNKNOWN;
+}
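Review bot: Neither `_gnutls_profile_to_sec_level` nor `_gnutls_profile_get_id` carries a comment, and the latter's lookup key is easy to misread: it compares case-insensitively against the display names in the table (`"Very weak"`, `"SuiteB128"`), not against the PROFILE_* keywords used in priority strings (priority_options.gperf). I would add above the table `/* Maps each verification profile to its display name and to the security level used for its key-size checks; the SuiteB profiles map to HIGH/ULTRA. */` and above the lookup `/* Resolve a display name (case-insensitive) to a profile id; GNUTLS_PROFILE_UNKNOWN if NULL or unmatched. */`. `_gnutls_profile_get_id` has no caller in the hunks of this merge; if it is intended for a later feature, a one-line note would stop someone removing it as dead code. The `<algorithms.h>` and `<x509/common.h>` includes appear unused in this file, though I can't rule out a transitive need from here.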
diff --git a/lib/profiles.h b/lib/profiles.h
new file mode 100644
index 0000000000..a2aae2a687
--- /dev/null
+++ b/lib/profiles.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ *
+ */
+
+#ifndef GNUTLS_LIB_PROFILES_H
+#define GNUTLS_LIB_PROFILES_H
+
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+
+gnutls_certificate_verification_profiles_t _gnutls_profile_get_id(const char *name) __GNUTLS_PURE__;
+gnutls_sec_param_t _gnutls_profile_to_sec_level(gnutls_certificate_verification_profiles_t profile) __GNUTLS_PURE__;
+
+#endif /* GNUTLS_LIB_PROFILES_H */
diff --git a/lib/x509/time.c b/lib/x509/time.c
index 0b3e78b090..daaac7687b 100644
--- a/lib/x509/time.c
+++ b/lib/x509/time.c
@@ -34,6 +34,8 @@
#include "extras/hex.h"
#include <common.h>
+time_t _gnutls_utcTime2gtime(const char *ttime);
+
/* TIME functions
* Conversions between generalized or UTC time to time_t
*
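Review bot: The prototype for `_gnutls_utcTime2gtime` is added to time.c itself (L379) rather than to a header, so the declaration the test in tests/time.c must carry cannot be checked against this one by the compiler and the two can drift silently. Since `<common.h>` is already included here (L378) and `_gnutls_x509_generalTime2gtime` is exported next to it in libgnutls.map, declaring both in the header that already declares the generalTime variant (not visible in this hunk) would keep one source of truth: `time_t _gnutls_utcTime2gtime(const char *ttime);`. A comment saying the symbol is made non-static only for the test suite would also explain the `_gnutls_` prefix and the map entry.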
@@ -171,7 +173,7 @@ static time_t time2gtime(const char *ttime, int year)
*
* (seconds are optional)
*/
-static time_t utcTime2gtime(const char *ttime)
+time_t _gnutls_utcTime2gtime(const char *ttime)
{
char xx[3];
int year;
@@ -345,7 +347,7 @@ time_t _gnutls_x509_get_time(ASN1_TYPE c2, const char *where, int force_general)
len = sizeof(ttime) - 1;
result = asn1_read_value(c2, name, ttime, &len);
if (result == ASN1_SUCCESS)
- c_time = utcTime2gtime(ttime);
+ c_time = _gnutls_utcTime2gtime(ttime);
}
/* We cannot handle dates after 2031 in 32 bit machines.
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 17404022f8..e6577cad03 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -461,7 +461,7 @@ static unsigned is_level_acceptable(
gnutls_sec_param_t sp;
int hash;
- if (profile == 0)
+ if (profile == GNUTLS_PROFILE_UNKNOWN)
return 1;
pkalg = gnutls_x509_crt_get_pk_algorithm(crt, &bits);
@@ -481,6 +481,7 @@ static unsigned is_level_acceptable(
CASE_SEC_PARAM(GNUTLS_PROFILE_MEDIUM, GNUTLS_SEC_PARAM_MEDIUM);
CASE_SEC_PARAM(GNUTLS_PROFILE_HIGH, GNUTLS_SEC_PARAM_HIGH);
CASE_SEC_PARAM(GNUTLS_PROFILE_ULTRA, GNUTLS_SEC_PARAM_ULTRA);
+ CASE_SEC_PARAM(GNUTLS_PROFILE_FUTURE, GNUTLS_SEC_PARAM_FUTURE);
case GNUTLS_PROFILE_SUITEB128:
case GNUTLS_PROFILE_SUITEB192: {
unsigned curve, issuer_curve;
@@ -563,6 +564,9 @@ static unsigned is_level_acceptable(
}
break;
+ case GNUTLS_PROFILE_UNKNOWN: /* already checked; avoid compiler warnings */
+ _gnutls_debug_log("An unknown profile (%d) was encountered\n", (int)profile);
+ return gnutls_assert_val(0);
}
}
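Review bot: The new `case GNUTLS_PROFILE_UNKNOWN` only names the enum constant; `profile` appears to be a small integer taken from the profile byte of the verify flags, so any value with no enum member (3, 8, anything above SUITEB192) matches no case and leaves the switch without being rejected. What happens next depends on the code after the switch, which is outside this hunk — if it accepts by default, as the SuiteB branch ending in `break` suggests, an unregistered profile number passes with no key-size check at all. Adding a `default:` label to the new case, i.e. `case GNUTLS_PROFILE_UNKNOWN: /* rejected above; anything else is unregistered */` followed by `default:` before the debug log and `return gnutls_assert_val(0);`, keeps the -Wswitch coverage the comment is after while making out-of-range values fail closed. is_level_acceptable begins before this hunk.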
diff --git a/src/certtool.c b/src/certtool.c
index f34f7d4573..2e4ab86e93 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2003-2016 Free Software Foundation, Inc.
- * Copyright (C) 2015-2017 Red Hat, Inc.
+ * Copyright (C) 2015-2019 Red Hat, Inc.
*
* This file is part of GnuTLS.
*
@@ -579,6 +579,10 @@ generate_certificate(gnutls_privkey_t * ret_key,
app_exit(1);
}
}
+ } else if (ca_status) {
+ /* CAs always sign */
+ if (get_sign_status(server))
+ usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
}
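Review bot: The comment `/* CAs always sign */` contradicts the code beneath it, which sets GNUTLS_KEY_DIGITAL_SIGNATURE only when `get_sign_status(server)` is true; the certtool-subca test in this merge even checks that a root CA template without `signing_key` does not get the bit. A comment that matches the code would be `/* a CA cert may additionally carry digitalSignature; honour the template's signing_key (or prompt answer) */` — get_sign_status is not visible here, so adjust to what it actually consults. The if/else chain this branch joins begins before the hunk.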
result = get_key_agreement_status();
diff --git a/src/serv.c b/src/serv.c
index fbb40258a5..6043fed7fe 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -99,7 +99,7 @@ static void tcp_server(const char *name, int port);
#define SMALL_READ_TEST (2147483647)
-#define GERR(ret) fprintf(stdout, "Error: %s\n", safe_strerror(ret))
+#define GERR(ret) fprintf(stderr, "Error: %s\n", safe_strerror(ret))
#define HTTP_END "</BODY></HTML>\n\n"
diff --git a/tests/Makefile.am b/tests/Makefile.am
index eb65e94858..f3602e7009 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -150,7 +150,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
mini-termination mini-x509-cas mini-x509-2 pkcs12_simple tls-pthread \
mini-emsgsize-dtls chainverify-unsorted mini-overhead tls12-ffdhe \
mini-dtls-heartbeat mini-x509-callbacks key-openssl priorities priorities-groups \
- gnutls_x509_privkey_import gnutls_x509_crt_list_import \
+ gnutls_x509_privkey_import gnutls_x509_crt_list_import time \
sign-verify-ext4 tls-neg-ext4-key resume-lifetime memset0 memset1 \
mini-dtls-srtp rsa-encrypt-decrypt mini-loss-time gnutls-strcodes \
mini-record mini-dtls-record handshake-timeout mini-record-range \
@@ -481,7 +481,7 @@ dist_check_SCRIPTS += fastopen.sh pkgconfig.sh starttls.sh starttls-ftp.sh start
ocsp-tests/ocsp-test cipher-listings.sh sni-hostname.sh server-multi-keys.sh \
psktool.sh ocsp-tests/ocsp-load-chain gnutls-cli-save-data.sh gnutls-cli-debug.sh \
sni-resume.sh ocsp-tests/ocsptool cert-reencoding.sh pkcs7-cat.sh long-crl.sh \
- serv-udp.sh logfile-option.sh gnutls-cli-resume.sh
+ serv-udp.sh logfile-option.sh gnutls-cli-resume.sh profile-tests.sh
dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 0d13aeaa75..06bdf42950 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -107,7 +107,7 @@ dist_check_SCRIPTS = pathlen aki invalid-sig email \
pkcs12 certtool-crl-decoding pkcs12-encode pkcs12-corner-cases inhibit-anypolicy \
smime cert-time alt-chain pkcs7-list-sign pkcs7-eddsa certtool-ecdsa \
key-id pkcs8 pkcs8-decode ecdsa illegal-rsa pkcs8-invalid key-invalid \
- pkcs8-eddsa
+ pkcs8-eddsa certtool-subca
dist_check_SCRIPTS += key-id ecdsa pkcs8-invalid key-invalid pkcs8-decode pkcs8 pkcs8-eddsa \
certtool-utf8 crq
diff --git a/tests/cert-tests/certtool-subca b/tests/cert-tests/certtool-subca
new file mode 100755
index 0000000000..6bd5d94def
--- /dev/null
+++ b/tests/cert-tests/certtool-subca
@@ -0,0 +1,108 @@
+#!/bin/sh
+
+# Copyright (C) 2019 Red Hat, Inc.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+# This is a reproducer for #767
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+DIFF="${DIFF:-diff}"
+
+if ! test -x "${CERTTOOL}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
+fi
+
+ROOT_CA_TMPL=root.ca.$$.tmp
+SUB_CA_TMPL=sub.ca.$$.tmp
+ROOT_PRIVKEY=root.key.$$.tmp
+ROOT_CA_CERT=root.ca.cert.$$.tmp
+CSR_FILE=csr.$$.tmp
+OUTFILE=out3.$$.tmp
+
+. ${srcdir}/../scripts/common.sh
+
+cat >${ROOT_CA_TMPL} <<_EOF_
+organization = "Example"
+cn = "Root CA"
+expiration_days = 700
+ca
+cert_signing_key
+crl_signing_key
+_EOF_
+
+cat >${SUB_CA_TMPL} <<_EOF_
+organization = "Example"
+cn = "Example CA"
+expiration_days = 350
+crl_dist_points = "http://crl.example.com/Root_CA.crl"
+ca
+signing_key
+cert_signing_key
+crl_signing_key
+path_len = 0
+_EOF_
+
+${CERTTOOL} --generate-privkey --key-type ecdsa --outfile ${ROOT_PRIVKEY} >/dev/null
+if test $? != 0;then
+ echo "Error generating privkey"
+ exit 1
+fi
+
+${CERTTOOL} --generate-self-signed --load-privkey ${ROOT_PRIVKEY} --template ${ROOT_CA_TMPL} > ${ROOT_CA_CERT} 2>&1
+if test $? != 0;then
+ echo "Error generating root CA"
+ exit 1
+fi
+
+grep "Digital signature" ${ROOT_CA_CERT} >/dev/null
+if test $? = 0;then
+ echo "root CA: found the digital signature flag although not specified!"
+ exit 1
+fi
+
+${CERTTOOL} --generate-request --load-privkey ${ROOT_PRIVKEY} --template ${SUB_CA_TMPL} --outfile ${CSR_FILE}
+if test $? != 0;then
+ cat ${SUB_CA_TMPL}
+ echo "Error generating csr"
+ exit 1
+fi
+
+${CERTTOOL} --generate-certificate --load-ca-privkey ${ROOT_PRIVKEY} --load-ca-certificate ${ROOT_CA_CERT} --load-request ${CSR_FILE} --template ${SUB_CA_TMPL} >${OUTFILE} 2>&1
+if test $? != 0;then
+ echo "Error generating sub CA"
+ exit 1
+fi
+
+grep "Digital signature" ${OUTFILE} >/dev/null
+if test $? != 0;then
+ echo "Cannot find the digital signature flag!"
+ exit 1
+fi
+
+rm -f "${ROOT_PRIVKEY}" "${ROOT_CA_CERT}" "${CSR_FILE}" "${ROOT_CA_TMPL}" "${SUB_CA_TMPL}" "${OUTFILE}"
+
+exit 0
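Review bot: The valgrind wrapper built near the top of the script is never applied — every certtool call runs `${CERTTOOL}` directly, so the `--error-exitcode=15` setup is dead and memory errors in certtool go unnoticed in a valgrind run; each invocation should be `${VALGRIND} ${CERTTOOL} ...`. On the failure paths the script exits 1 without removing the `*.$$.tmp` files it created, which a `trap 'rm -f "${ROOT_PRIVKEY}" "${ROOT_CA_CERT}" "${CSR_FILE}" "${ROOT_CA_TMPL}" "${SUB_CA_TMPL}" "${OUTFILE}"' EXIT` after the variable definitions would fix (and make the final rm redundant). Redirecting `2>&1` into ${ROOT_CA_CERT} at the self-signed step also mixes any warnings into the file later passed to --load-ca-certificate; capturing stderr separately would be safer if the PEM loader is less tolerant than it appears.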
diff --git a/tests/cert-tests/data/inhibit-anypolicy.pem b/tests/cert-tests/data/inhibit-anypolicy.pem
index 4291cdf9a8..d643afd005 100644
--- a/tests/cert-tests/data/inhibit-anypolicy.pem
+++ b/tests/cert-tests/data/inhibit-anypolicy.pem
@@ -15,11 +15,11 @@ LL7L+JnX+yvGuzn1R8ZV5YR7AgMBAAGjggFGMIIBQjAPBgNVHRMBAf8EBTADAQH/
MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX
d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo
ZXJlQG5vbmUub3JnMA0GA1UdNgEB/wQDAgEDMBMGA1UdJQQMMAoGCCsGAQUFBwMJ
-MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYEFHU6t/xzZCkUSWER/c6Qy/Y9HIoT
+MA8GA1UdDwEB/wQFAwMHhAAwHQYDVR0OBBYEFHU6t/xzZCkUSWER/c6Qy/Y9HIoT
MG8GA1UdHwRoMGYwZKBioGCGHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwx
L4YeaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybDIvhh5odHRwOi8vd3d3Lmdl
-dGNybC5jcmwvZ2V0Y3JsMy8wDQYJKoZIhvcNAQELBQADgYEAe+eZiFD221AO6yOk
-DUmizGBiFhG169EgOToWHboZ1E/LzeljhQbOMcQgPlMLsifiUGpi3Qn7aj/zYv86
-ppO+0jmQZHjsALyPk/kEQkloIXi9Ibo0nwAH+BNkeaOIHl9m5ms/8xaaYi2GdyQO
-hzSspr1AGSQtA6ZMTs1mqEXyyFk=
+dGNybC5jcmwvZ2V0Y3JsMy8wDQYJKoZIhvcNAQELBQADgYEAhmQB01JYW2WVvkNe
+hjyKLjoKc5ME9VrjpckT4BEXcGibgrjOcABH00DNDqiS6b1NAslxtuVp9eYlZNw1
+4Na7FBkGHIt5+T8sNnTuVV7X4S7/1uE3qHtfVdXTkL2foYjkihQet+DY9PnLbduM
+CAnd9OWhyE2r4jwQGaJU9vZ3rJY=
-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/long-serial.pem b/tests/cert-tests/data/long-serial.pem
index 289b3f31c0..e7e96e831b 100644
--- a/tests/cert-tests/data/long-serial.pem
+++ b/tests/cert-tests/data/long-serial.pem
@@ -15,11 +15,11 @@ Gnodaa9HAmB6H7noz9vINDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABo4IBNzCC
ATMwDwYDVR0TAQH/BAUwAwEB/zBqBgNVHREEYzBhggx3d3cubm9uZS5vcmeCE3d3
dy5tb3JldGhhbm9uZS5vcmeCF3d3dy5ldmVubW9yZXRoYW5vbmUub3JnhwTAqAEB
gQ1ub25lQG5vbmUub3JngQ53aGVyZUBub25lLm9yZzATBgNVHSUEDDAKBggrBgEF
-BQcDCTAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQdklQi
+BQcDCTAPBgNVHQ8BAf8EBQMDB4QAMB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQdklQi
ynI2XzBvBgNVHR8EaDBmMGSgYqBghh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0
Y3JsMS+GHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwyL4YeaHR0cDovL3d3
-dy5nZXRjcmwuY3JsL2dldGNybDMvMA0GCSqGSIb3DQEBCwUAA4GBAB9UxZeBoXQ7
-LChiAWCRxfw7eDkQzprXArfFMcUHQlmX/rOmgmNRtvPOvrdTaECMWV87bhZjm5OY
-x3vFgNLgwEIOd50rPwFlR0imNafpbgwQD35vJ5CEnIt6gFDfViJ+cjsyl0tnV8x+
-mrab87Cjzb0a1Uwdk0P2k7QOhrQVBx1q
+dy5nZXRjcmwuY3JsL2dldGNybDMvMA0GCSqGSIb3DQEBCwUAA4GBAHkjOKCpVUDK
+zobnWDx5zl0XSe1P+mF576BoSBN6Qs6M5Vt2r8+annglcn6ovd+uk89jRmy/lrkn
+7wWc+xIrgG97CWNIJ23WZg2b5+ervdIdMUDs/Kf9ZVZwOnBhO9tMHyU5ZmWKEpD4
+nmgDQNFBHFx5LQU9RthnskMBT034eJtV
-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-crq.pem b/tests/cert-tests/data/template-crq.pem
index 4a0dfd8ea7..03ad32c484 100644
--- a/tests/cert-tests/data/template-crq.pem
+++ b/tests/cert-tests/data/template-crq.pem
@@ -11,12 +11,12 @@ BAwTA0RyLjEPMA0GA1UEQRMGamFja2FsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQClxs51Q4S/ZJ4CJxPxA1n3eS2S7XwvUKQD8S15uYaLBX46u0Sqr4TPE5ge
HEo49zMtep9y1GttJrAxN3AQ+0Lp2J0YZX4ZSfwFlgRogx53hr/t9eUSOxP+Mxic
Gnodaa9HAmB6H7noz9vINDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABo4HrMIHo
-MA8GA1UdDwEB/wQFAwMHhAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwkwDAYDVR0T
+MA8GA1UdDwEB/wQFAwMHgAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwkwDAYDVR0T
AQH/BAIwADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wHwYDVR0jBBgw
FoAUXUCt8M6UQJWLfpmUHZJUIspyNl8wbwYDVR0fBGgwZjBkoGKgYIYeaHR0cDov
L3d3dy5nZXRjcmwuY3JsL2dldGNybDEvhh5odHRwOi8vd3d3LmdldGNybC5jcmwv
Z2V0Y3JsMi+GHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwzLzANBgkqhkiG
-9w0BAQsFAAOBgQBntg42qQ31Jk0RZ8zET4GBx4WMcWM/vv5DRFrJ2r3veFgcclrB
-C88k0HerP2c6siAAOeXSLOuZ+W6du+5E7537y2lC87PW/cmanoY7Pkjhz9VjzJlh
-bEQLFHHq5TMSKvnsn5IUSJefiOzJZ45saN0uGMYAfN0NWJPum+ofcyXZWQ==
+9w0BAQsFAAOBgQCOk24K2VFpVFj/V4UHHk2U385GP2Q7+Eoh+2B83Vabf44NxRiA
+XGfPmTvgYjislNavehaItPd1wQV8E+/I2s4wZWxgl0+jDWL9iR9S08wSqahKhbp1
+TeO3Hy5BLghvYDqTciOnyARxlZCtfAQslkUQ32q6ivSOxNQ3leLY92Myew==
-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-date.pem b/tests/cert-tests/data/template-date.pem
index c1613ca680..3db9239cd0 100644
--- a/tests/cert-tests/data/template-date.pem
+++ b/tests/cert-tests/data/template-date.pem
@@ -14,10 +14,10 @@ QunYnRhlfhlJ/AWWBGiDHneGv+315RI7E/4zGJwaeh1pr0cCYHofuejP28g0MFGW
PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjgfUwgfIwDwYDVR0TAQH/BAUwAwEB/zBq
BgNVHREEYzBhggx3d3cubm9uZS5vcmeCE3d3dy5tb3JldGhhbm9uZS5vcmeCF3d3
dy5ldmVubW9yZXRoYW5vbmUub3JnhwTAqAEBgQ1ub25lQG5vbmUub3JngQ53aGVy
-ZUBub25lLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDBwQA
+ZUBub25lLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDB4QA
MB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQdklQiynI2XzAuBgNVHR8EJzAlMCOgIaAf
hh1odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3JsLzANBgkqhkiG9w0BAQsFAAOB
-gQCDciVqhKW/vwPxoMJ1Ch6CAtKoPCTj2Anie1AxogSpNFZuzzUHoiKq9XxnUGaU
-4wEsmHU9JuDBbjpR8rmTs2zsRTnDk2yqMjXa8j1iUhRxWwoIYbJLBblMene7aVbV
-cTdJSs4Y73J6cDqvumU/rhdYw48PQbaIwhABqqiPiM3vGw==
+gQCXDjCtllqexMxEBrKpt5POz7mQfWT5lhFk4GFY1V5u5s/ipuGRVZb4BMLIsCHR
+O7dGbyY/TonCjFdHhvCrmzsfstlHnA+bt9/1GrDP7vFIi+3hx2OnHLd3TvDR8WJ7
+84upUqvWAqXUZ/UXiVrvnS4bJ5jN5pa+k8t4G8GGDA1JlA==
-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-dates-after2038.pem b/tests/cert-tests/data/template-dates-after2038.pem
index 865ddc901a..0cf9f8fd8e 100644
--- a/tests/cert-tests/data/template-dates-after2038.pem
+++ b/tests/cert-tests/data/template-dates-after2038.pem
@@ -14,10 +14,10 @@ QunYnRhlfhlJ/AWWBGiDHneGv+315RI7E/4zGJwaeh1pr0cCYHofuejP28g0MFGW
PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjgfUwgfIwDwYDVR0TAQH/BAUwAwEB/zBq
BgNVHREEYzBhggx3d3cubm9uZS5vcmeCE3d3dy5tb3JldGhhbm9uZS5vcmeCF3d3
dy5ldmVubW9yZXRoYW5vbmUub3JnhwTAqAEBgQ1ub25lQG5vbmUub3JngQ53aGVy
-ZUBub25lLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDBwQA
+ZUBub25lLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDB4QA
MB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQdklQiynI2XzAuBgNVHR8EJzAlMCOgIaAf
hh1odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3JsLzANBgkqhkiG9w0BAQsFAAOB
-gQCTELknONiixbQdjpBVaelZZfymC4ixUfw/IqeWMK7bYoPWi3JQyY8McQOtijna
-RZwSVga9nthtBhHYjxuW3w8kPYQCoyK3ugw7aI8WYmlGeEAT+BiVualE3ZMm7Lf0
-CwmtHA8I0CHKEzfsMCN3wu9EJ3C+9nq5qRtm2lfQSbSsvw==
+gQBBZKTdpnE+SG7bxPJ3yWUa3/H2fXYTJFzP2g5sKsW9y439SJBvbNuerczRsvNB
+QfokkinVQB3LKSC1jZ5Py5rzaDS0PJxpz0u9DrzstpPWjfzOv0cmCr7dcpxFL2JC
+ItOU/OLb2SYTfo8PwWs3/G3e4yYsGrR/kwfWA0nj6Sms3Q==
-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-dn.pem b/tests/cert-tests/data/template-dn.pem
index 5ebc8eb9a0..9c37d823a5 100644
--- a/tests/cert-tests/data/template-dn.pem
+++ b/tests/cert-tests/data/template-dn.pem
@@ -11,9 +11,9 @@ NDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABo4H1MIHyMA8GA1UdEwEB/wQFMAMB
Af8wagYDVR0RBGMwYYIMd3d3Lm5vbmUub3JnghN3d3cubW9yZXRoYW5vbmUub3Jn
ghd3d3cuZXZlbm1vcmV0aGFub25lLm9yZ4cEwKgBAYENbm9uZUBub25lLm9yZ4EO
d2hlcmVAbm9uZS5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDwYDVR0PAQH/BAUD
-AwcEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcwJTAj
+AweEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcwJTAj
oCGgH4YdaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybC8wDQYJKoZIhvcNAQEL
-BQADgYEAjhN+oIDCWn6jdXIJMfd3co3SeVd/HY8Hu6TUnXs/fmkJY6Hglq6f8YYE
-M74eH5HF+ixUOSDvXLGVhR5uZoP9CGBSPJdINOIRyDzUYv6TVydAe1TvKLjacZm0
-jq8Pe2CXpQAaHhHKt84mSQx1jnYYYmfupyNwqq7XFTSjLAZyyPA=
+BQADgYEAh/QtfeAkHwXad7u+sSiD2uAmal1eJPagxC/kqq8AnI8Fa3QCIawMYi+V
+/WerX8qk7xY4LPma6VW/uC89TvISMR4DqrubKy4ELt4tvDcVIi+n8pInxdNBMX/u
+3lygdVTLLDWBMernpeZWGauaxdEWlSMyyucYQyDm14iSBfhyj9M=
-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-generalized.pem b/tests/cert-tests/data/template-generalized.pem
index f7e9c4aaeb..cbbcdd0ae9 100644
--- a/tests/cert-tests/data/template-generalized.pem
+++ b/tests/cert-tests/data/template-generalized.pem
@@ -15,9 +15,9 @@ NDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABo4H1MIHyMA8GA1UdEwEB/wQFMAMB
Af8wagYDVR0RBGMwYYIMd3d3Lm5vbmUub3JnghN3d3cubW9yZXRoYW5vbmUub3Jn
ghd3d3cuZXZlbm1vcmV0aGFub25lLm9yZ4cEwKgBAYENbm9uZUBub25lLm9yZ4EO
d2hlcmVAbm9uZS5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDwYDVR0PAQH/BAUD
-AwcEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcwJTAj
+AweEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcwJTAj
oCGgH4YdaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybC8wDQYJKoZIhvcNAQEL
-BQADgYEAimJGv9nzp+fiQL6JR2iN5XCr2I8Omtd+qiDwdkrBUJ5QOjgYrO27pIQb
-hLG+gg1V3VVwk3JzJQkBsvX2+8jGKDpytHul+tfrhZO32BlEwgAviDz54LpEgPsQ
-w2mqTIswGzS+5ZH7kCpAmEYc7bkO3Qs9JMLXY17QKnsyiV0rOVM=
+BQADgYEAdwNEsT9EnaXSHaR8r1/jUw7cEQWNN/gUHpy917Ha5brc633LJopAhfR4
+i6CAZrAA46GAxTNvLaah5OXGDbHxGcEwcOwFT6/RJ3a+52U8LKa3DjAeaWoxlARL
+1xfKBMbORS0+7lY0D7Oh9BYVgqL2FUet4Cohf2qgDsMM9siz204=
-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-krb5name.pem b/tests/cert-tests/data/template-krb5name.pem
index d69e86f30b..038bb7722e 100644
--- a/tests/cert-tests/data/template-krb5name.pem
+++ b/tests/cert-tests/data/template-krb5name.pem
@@ -15,9 +15,9 @@ ETAPoAMCAQGhCDAGGwR1c2VyoDIGBisGAQUCAqAoMCagCxsJUkVBTE0uQ09NoRcw
FaADAgEBoQ4wDBsESFRUUBsEdXNlcqA6BgYrBgEFAgKgMDAuoAsbCVJFQUxNLkNP
TaEfMB2gAwIBAaEWMBQbBWNvbXAxGwVjb21wMhsEdXNlcoENbm9uZUBub25lLm9y
Z4EOd2hlcmVAbm9uZS5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDwYDVR0PAQH/
-BAUDAwcEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcw
+BAUDAweEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcw
JTAjoCGgH4YdaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybC8wDQYJKoZIhvcN
-AQELBQADgYEAiidPcCe/oD+6FKl81oTtd1m7T7mq6PTat2YQMlVG0zqEICkhULXx
-Z8UqatZZLjSYSye1pOGrwqU/nXzXZbvogTnfYriaE0wgLviYKjX3EucAX2XqC2ED
-qbyao1Ia+vL+ugK7z+UBm/xIAurC5b9B4cOQ6ULq+k7c+miyyrxCWow=
+AQELBQADgYEAMM+b9XNFH/cn9WQCMZMr12izyBl69S3M1D4MQvA2XIGFR1h10+VS
+cYKIfTICbYuV/s44bVpQJ8Nj9cumMu6SqURpfKmnr8gDFvadY8Q1PPbtmKn/iahI
+hb5Ro4Li5R6DZtKfdYEfsljUinSWnUnBwAtGJgbhSrGwN5di1NPV1Nw=
-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-nc.pem b/tests/cert-tests/data/template-nc.pem
index 680fce1642..9cba2bd15b 100644
--- a/tests/cert-tests/data/template-nc.pem
+++ b/tests/cert-tests/data/template-nc.pem
@@ -15,10 +15,10 @@ oGswCocIwKgFAP///wAwCocICgoAAP//AAAwCocIrBd6AP///gAwIocg/Ez+j3/6
GL0AAAAAAAAAAP//////////AAAAAAAAAAAwDYILZXhhbXBsZS5jb20wEoEQbm1h
dkBleGFtcGxlLmNvbaFrMAqHCAoKZAD///8AMAqHCAoKZQD///8AMCKHIPxM/o9/
+hi9cshkuQAAAAD///////////////8AAAAAMAWCA25ldDAFggNvcmcwAoIAMA2B
-C2V4YW1wbGUubmV0MAyBCmV4YW1wbGUubGkwDwYDVR0PAQH/BAUDAwcEADAdBgNV
+C2V4YW1wbGUubmV0MAyBCmV4YW1wbGUubGkwDwYDVR0PAQH/BAUDAweEADAdBgNV
HQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcwJTAjoCGgH4YdaHR0
-cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybC8wDQYJKoZIhvcNAQELBQADgYEAEIi1
-EPKT1uwVZvy99QuUGTxC/sMrF/k9M9+uV6+C4f8ikqQOhgSl4t5BdalgVLZzUeGr
-oBGhbdjGrIq6kQiVgdeRZG+HlzVvr3+K69TTA15B86IdDg6dS8YCOVsoZvNcT8xw
-2knOQmqXE7GqEPO3VCfOVTTl1u+69cU2X41MMhM=
+cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybC8wDQYJKoZIhvcNAQELBQADgYEApURg
+xJuSGg3iogTI7x9HjgCi6ohSVKnX31i63ommreoKiy9sz5oPfsEuDcP0KaQMgK2V
+xPMcBZbaCJHkRmWsjkEx3XcxWwtMnP1oj54N067C/mhamgUfR4KPdmorcgk9vZz9
+jI0FbegyqTQzRD40p4OQsCzVlqgixif4gRDhQWI=
-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-othername-xmpp.pem b/tests/cert-tests/data/template-othername-xmpp.pem
index b81716b774..3d06423147 100644
--- a/tests/cert-tests/data/template-othername-xmpp.pem
+++ b/tests/cert-tests/data/template-othername-xmpp.pem
@@ -1,5 +1,5 @@
-----BEGIN CERTIFICATE-----
-MIIDazCCAtSgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBbMQwwCgYDVQQDEwNOaWsx
+MIIDaDCCAtGgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBbMQwwCgYDVQQDEwNOaWsx
DzANBgNVBAgTBkF0dGlraTELMAkGA1UEBhMCR1IxGjAYBgNVBAQTEU1hdnJvZ2lh
bm5vcG91bG9zMREwDwYDVQQJEwhBcmthZGlhczAeFw0wNzA0MjIwMDAwMDBaFw0x
NDA1MjUwMDAwMDBaMFsxDDAKBgNVBAMTA05pazEPMA0GA1UECBMGQXR0aWtpMQsw
@@ -7,15 +7,15 @@ CQYDVQQGEwJHUjEaMBgGA1UEBBMRTWF2cm9naWFubm9wb3Vsb3MxETAPBgNVBAkT
CEFya2FkaWFzMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQClxs51Q4S/ZJ4C
JxPxA1n3eS2S7XwvUKQD8S15uYaLBX46u0Sqr4TPE5geHEo49zMtep9y1GttJrAx
N3AQ+0Lp2J0YZX4ZSfwFlgRogx53hr/t9eUSOxP+MxicGnodaa9HAmB6H7noz9vI
-NDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABo4IBPTCCATkwDwYDVR0TAQH/BAUw
-AwEB/zCBsAYDVR0RBIGoMIGlggx3d3cubm9uZS5vcmeCE3d3dy5tb3JldGhhbm9u
-ZS5vcmeCF3d3dy5ldmVubW9yZXRoYW5vbmUub3JnhwTAqAEBoCMGCCsGAQUFBwgF
-oBcMFWp1bGlldEBpbS5leGFtcGxlLmNvbaAdBggrBgEFBQcIBaARDA9oZWxsb0Bo
-ZWxsby5vcmeBDW5vbmVAbm9uZS5vcmeBDndoZXJlQG5vbmUub3JnMBMGA1UdJQQM
-MAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYEFF1ArfDOlECV
-i36ZlB2SVCLKcjZfMC4GA1UdHwQnMCUwI6AhoB+GHWh0dHA6Ly93d3cuZ2V0Y3Js
-LmNybC9nZXRjcmwvMA0GCSqGSIb3DQEBCwUAA4GBAA9/JPNTkMZUlpZ39qrSm2Oa
-r9lAeDOnMbEYHcXnmmAjjPNL0DePjRD6xfayqPvrE6F5/Og4I9+UbHlSw8470qYr
-RBOHjqp+vn0+k9AKeoO0tB692XZEs/AqqQCVvizCOlrhpdrYRDIhf7pWIC0VUz+o
-+9bYIjtqHhWAO1mM5016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-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-othername.pem b/tests/cert-tests/data/template-othername.pem
index 540bd81547..6bb3227099 100644
--- a/tests/cert-tests/data/template-othername.pem
+++ b/tests/cert-tests/data/template-othername.pem
@@ -14,9 +14,9 @@ MCygDRsLVkFOUkVJTi5PUkehGzAZoAYCBAAAAAKhDzANGwRyaWNrGwVhZG1pbqAX
BgQqBAUGoA8EDWEgdGVzdCBzdHJpbmegHQYIKwYBBQUHCAegEQwPbm1hdkBnbnV0
bHMub3JnoB0GCCsGAQUFBwgFoBEMD25tYXZAZ251dGxzLm9yZ4ENbm9uZUBub25l
Lm9yZ4EOd2hlcmVAbm9uZS5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDwYDVR0P
-AQH/BAUDAwcEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0f
+AQH/BAUDAweEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0f
BCcwJTAjoCGgH4YdaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybC8wDQYJKoZI
-hvcNAQELBQADgYEAavwEUhW+tvs0qcj09ZchA4AYTmhq8Wx3EzhDHpPA6xlERWxs
-NB07bA7dJ1XzbCn4Q2DIT6AVQARQuQdT5S6kbnk2LjAPgMLNS90MaNBhV5Qiea+f
-yL/FTC/chuDBR6pGUOW5c8oPP85WAHVBQXX2GLN0esCnTtLX18Jinfl06hU=
+hvcNAQELBQADgYEANTKeCgs/Cv8N3nn7f4v3h+X5m5GSzNcdpdQ/joEv1Lkb8Sl4
+soXQqoBFHcbj8AQEeRSXSZAD1cBoAwVsVfzkdXxGZ+7T3s50ogKSSITfp91783e1
+VO4VaeA5Wsi46x3CE8Uzry8a4bP7GhzH6rRW846oSqH07J4L2QAVilN5SF0=
-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-overflow.pem b/tests/cert-tests/data/template-overflow.pem
index c0b025070c..c9bf31e9c3 100644
--- a/tests/cert-tests/data/template-overflow.pem
+++ b/tests/cert-tests/data/template-overflow.pem
@@ -15,9 +15,9 @@ UZY9jJZcALxh3ggPsTYhf6kA4wUCAwEAAaOB9TCB8jAPBgNVHRMBAf8EBTADAQH/
MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX
d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo
ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH
-BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMC4GA1UdHwQnMCUwI6Ah
+hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMC4GA1UdHwQnMCUwI6Ah
oB+GHWh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwvMA0GCSqGSIb3DQEBCwUA
-A4GBABVMpMML6zxcl5ww9Mshd8c15oobslbMFRWtoCigFDtxL0QjXBLdqDvcnDEd
-TRCqJSBtZRyXRby6OcYppKLKgM+fO3JS1SHKgs44jabShdrEoR1HLQqMh57sM1Oq
-OTA4++PhC1+dEAknkRqNxGQU1gqxx/iDVst45s/XLzwQYF+N
+A4GBAAjokEJilLen8WR+iXKNgsnS6nJNobQaH0PXqekrbsMcd/z+S2gAmXsZjpZm
+QfVl8w8a0hxFgE9AfdJu79pHBtdrSczCfUY1VfvlMU46iZBmSMFFbKV7B8THn0QK
+Bj7A6XUC1uTjlYeujSi06LhC7CzykjoxYjjEc96552k8Sxsp
-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-overflow2.pem b/tests/cert-tests/data/template-overflow2.pem
index 43e8efadc6..2de2af0282 100644
--- a/tests/cert-tests/data/template-overflow2.pem
+++ b/tests/cert-tests/data/template-overflow2.pem
@@ -15,9 +15,9 @@ UZY9jJZcALxh3ggPsTYhf6kA4wUCAwEAAaOB9TCB8jAPBgNVHRMBAf8EBTADAQH/
MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX
d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo
ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH
-BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMC4GA1UdHwQnMCUwI6Ah
+hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMC4GA1UdHwQnMCUwI6Ah
oB+GHWh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwvMA0GCSqGSIb3DQEBCwUA
-A4GBAHUypGH/Jaxkyd3DdX5OCJ54+Qvre3/abi3fT1vBR28zQBYH7RdbAJobNsro
-vKoa4Bugc43llXjxztpxB078pj0nsn9yE1OSsOryBWP6yZ/OfoxD5uZrUuXwkx0Q
-HfijaNBnIn/xBO7No7VqvUK0QrNy11HqWi7KrxjcaWcBwZ7D
+A4GBAJxCy6TeatkbCtKlTS76T5pPPkNX0w654BOFOvbOjJ/Qd0QjI+bCRDvjLKN4
+s3KVjhWaX/IhR4kql1FSrIfD9Cs+/JN91hlNhH5eK2p8NfRXSeAZby2d1UzYZDV/
+qFbnBROQbuH08KfoGU7dYwsOcEZpQ38SpVwHUJJSDSzkKx88
-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-rsa-sha3-224.pem b/tests/cert-tests/data/template-rsa-sha3-224.pem
index 8b2a0fb903..f20544c747 100644
--- a/tests/cert-tests/data/template-rsa-sha3-224.pem
+++ b/tests/cert-tests/data/template-rsa-sha3-224.pem
@@ -15,11 +15,11 @@ PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggE3MIIBMzAPBgNVHRMBAf8EBTADAQH/
MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX
d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo
ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH
-BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi
+hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi
oGCGHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwxL4YeaHR0cDovL3d3dy5n
ZXRjcmwuY3JsL2dldGNybDIvhh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3Js
-My8wDQYJYIZIAWUDBAMNBQADgYEABZpsvNQi0mtwO88lqAsN/iTB1BvXlaCNVPiB
-f52WMSgJskJV+Gxhx0zwnSvqC7Iiq8SpF20ROC+3ROq1IuGIlO9/Q8aXfW/cK3Nn
-qfVEMmdNkmUO2bTy1yhs6xpuoQmvDTA/kYo0DsZhIZdWOzuvUEZ48oztkiFsXjmo
-NkjpuP4=
+My8wDQYJYIZIAWUDBAMNBQADgYEAiA3TxnYSzSnqDbf9QEV5hFeyq1z7u2fW6pKL
++BkmwDm5mX7Lb5tZ2wBFkF9rx/OrxH5d/yXXy5FAvTIALLtYy6z1M5SHn9ygpQQu
+H8fAnT7kou6eqdi1wWZUUcANUR8qUGyqGfWZvckoUBaleQG1x6g35bDuDu2zPcVW
+II7WDzo=
-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-rsa-sha3-256.pem b/tests/cert-tests/data/template-rsa-sha3-256.pem
index 35a083ac3c..ff6dcfcb4c 100644
--- a/tests/cert-tests/data/template-rsa-sha3-256.pem
+++ b/tests/cert-tests/data/template-rsa-sha3-256.pem
@@ -15,11 +15,11 @@ PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggE3MIIBMzAPBgNVHRMBAf8EBTADAQH/
MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX
d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo
ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH
-BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi
+hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi
oGCGHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwxL4YeaHR0cDovL3d3dy5n
ZXRjcmwuY3JsL2dldGNybDIvhh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3Js
-My8wDQYJYIZIAWUDBAMOBQADgYEApWQSGVKFbbUOZVsgXfx978CNxewsZGsNdrAU
-X98wxysQGe8tQNvftPRB+NijWo5f49HjAfVhWxCr51f8pat+IPK8U7iRY3Uxxz+G
-xRO0qfP0AyAQIYOvWkKi6RqvoVReh+69n2fSTgdhvKJrKITRlPL+kNbYlA2i3v2G
-j1AK27Y=
+My8wDQYJYIZIAWUDBAMOBQADgYEASyYQIkWmWNRwjHnLCFZmwAVdE833hh0gf8ne
+3HbW2splDnfDUoKxqpMd7ViLCoWwoh6Y24d0yvZc1RGy83Z0Q0QuA8kAtYnMZ3j/
+ZtXZGq6010ZqkcHP43MZgLFru27diymDbgGxzsP9rOc1GnIi0OKo5EpJI1KHaG+k
+0ObmT5U=
-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-rsa-sha3-384.pem b/tests/cert-tests/data/template-rsa-sha3-384.pem
index b6de699f96..33c4b31ab4 100644
--- a/tests/cert-tests/data/template-rsa-sha3-384.pem
+++ b/tests/cert-tests/data/template-rsa-sha3-384.pem
@@ -15,11 +15,11 @@ PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggE3MIIBMzAPBgNVHRMBAf8EBTADAQH/
MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX
d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo
ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH
-BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi
+hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi
oGCGHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwxL4YeaHR0cDovL3d3dy5n
ZXRjcmwuY3JsL2dldGNybDIvhh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3Js
-My8wDQYJYIZIAWUDBAMPBQADgYEAI2ltSzA62kJqSBTWBmwot8d7go5NXNcM8vsE
-XFdnFiT86ne33o58fXIA/TBr/f2rurIPKH3EbDQb00sr0ULrHYAF3KK1QkwOBMX6
-kWejpBlptV58liwBYhA3+ONp6K7yaiRGJzxA2xI4EZuUvsHy5F+oIpMb1ZlTmGMg
-ib2amD4=
+My8wDQYJYIZIAWUDBAMPBQADgYEAXFYGBk+qE52LESjshhK+jIXr3Tp7yZqV7oN8
+E/BBzXI+TelNmo1Rf/l7uOfQGsCDmBmP23F75UFNYk/1dYe1Sz6ODITLVRjy+upC
+YkKTj/EcPeoeHvATe6bn3ohJcBEmbNAVu2IgGzHvewytKKlBk9EcR9uSENIuTY6A
+bdXq6Sw=
-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-rsa-sha3-512.pem b/tests/cert-tests/data/template-rsa-sha3-512.pem
index 05a24766a0..ab773ef1ad 100644
--- a/tests/cert-tests/data/template-rsa-sha3-512.pem
+++ b/tests/cert-tests/data/template-rsa-sha3-512.pem
@@ -15,11 +15,11 @@ PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggE3MIIBMzAPBgNVHRMBAf8EBTADAQH/
MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX
d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo
ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH
-BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi
+hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi
oGCGHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwxL4YeaHR0cDovL3d3dy5n
ZXRjcmwuY3JsL2dldGNybDIvhh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3Js
-My8wDQYJYIZIAWUDBAMQBQADgYEADQwUNzbut+lsgGPm1ELQ+yIzKKUDpiGyUmVY
-4DHFKVHKAAM4p6eRY4CQhrGcQIAF/cv7BMlMtXwVPCMGmUiws3RpT5IR5PBU3ppM
-CB7kDZ93BwHwXOoURU9wlYcUiRKmbN6rZ5YOUBYwYPZhyPcgnZPO8S7+2fbIo07i
-TFELtZ0=
+My8wDQYJYIZIAWUDBAMQBQADgYEAiBWEi/IhCQ6qpxX7KlClo6Xdwfbn2Zg5iftl
+hNV1nZ23hLvG8YhqqKVOU0kk1jhnyjQeJN8Hj9wrEJTNmwhmFie/ftC0amYjFZMv
+/iWOqRwTjaSkGSetq0yTaZ05NUEbvL6KdorNuJslts42zmShjNWDIYtpW4o+p7c1
+IfKnPj0=
-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-test.pem b/tests/cert-tests/data/template-test.pem
index 1acd2fe0ae..a9e23b2ea7 100644
--- a/tests/cert-tests/data/template-test.pem
+++ b/tests/cert-tests/data/template-test.pem
@@ -15,11 +15,11 @@ PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggE3MIIBMzAPBgNVHRMBAf8EBTADAQH/
MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX
d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo
ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH
-BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi
+hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi
oGCGHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwxL4YeaHR0cDovL3d3dy5n
ZXRjcmwuY3JsL2dldGNybDIvhh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3Js
-My8wDQYJKoZIhvcNAQELBQADgYEANoDHZVtHbnn3dqVR0BEl6OYe8jIpVAP75prg
-D1YB1+WutTKvdhs+2BMDty5wpHH5HBTbjBIZ8gvAv9696YSruOKQDPAbd3ideC1g
-GLGFgndio377X8IKw9J9pDhyaHUcKbn6GgnerDvnxiAdPboFO9/zBi+0EQN/fndh
-wRsuQhk=
+My8wDQYJKoZIhvcNAQELBQADgYEAY/wOee5PsT1eZiuE2SOF2y+Qlf7GeRNhqJ2V
+KRtS7wdLJXjxL+Tp0TJTyAfGCgxg3cFRbeSGg+gffo9wO4y/cP6hzVeBtYD+RNSK
+ATUrYVtniKQulLOeNu/VyCYeLfD+8gQK0s44MIKuzCKUa01QO97slLa0qEG5qqxO
+IXPMNFM=
-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-tlsfeature.csr b/tests/cert-tests/data/template-tlsfeature.csr
index 2db290c3f1..191fac319b 100644
--- a/tests/cert-tests/data/template-tlsfeature.csr
+++ b/tests/cert-tests/data/template-tlsfeature.csr
@@ -26,12 +26,11 @@ PKCS #10 Certificate Request Information:
RFC822Name: none@none.org
RFC822Name: where@none.org
Basic Constraints (critical):
- Certificate Authority (CA): TRUE
+ Certificate Authority (CA): FALSE
Key Purpose (critical):
OCSP signing.
Key Usage (critical):
Digital signature.
- Certificate signing.
TLS Features (not critical):
OCSP Status Request(5)
17
@@ -45,19 +44,19 @@ Other Information:
Self signature: verified
-----BEGIN NEW CERTIFICATE REQUEST-----
-MIICrDCCAhUCAQAwgZoxFTATBgNVBAMTDENpbmR5IExhdXBlcjEXMBUGA1UECxMO
+MIICqTCCAhICAQAwgZoxFTATBgNVBAMTDENpbmR5IExhdXBlcjEXMBUGA1UECxMO
c2xlZXBpbmcgZGVwdC4xEjAQBgNVBAoTCUtva28gaW5jLjEPMA0GA1UECBMGQXR0
aWtpMQswCQYDVQQGEwJHUjEXMBUGCgmSJomT8ixkAQETB2NsYXVwZXIxDDAKBgNV
BAwTA0RyLjEPMA0GA1UEQRMGamFja2FsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQClxs51Q4S/ZJ4CJxPxA1n3eS2S7XwvUKQD8S15uYaLBX46u0Sqr4TPE5ge
HEo49zMtep9y1GttJrAxN3AQ+0Lp2J0YZX4ZSfwFlgRogx53hr/t9eUSOxP+Mxic
-Gnodaa9HAmB6H7noz9vINDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABoIHQMIHN
-BgkqhkiG9w0BCQ4xgb8wgbwwagYDVR0RBGMwYYIMd3d3Lm5vbmUub3JnghN3d3cu
+Gnodaa9HAmB6H7noz9vINDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABoIHNMIHK
+BgkqhkiG9w0BCQ4xgbwwgbkwagYDVR0RBGMwYYIMd3d3Lm5vbmUub3JnghN3d3cu
bW9yZXRoYW5vbmUub3Jnghd3d3cuZXZlbm1vcmV0aGFub25lLm9yZ4cEwKgBAYEN
-bm9uZUBub25lLm9yZ4EOd2hlcmVAbm9uZS5vcmcwDwYDVR0TAQH/BAUwAwEB/zAW
-BgNVHSUBAf8EDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDB4QAMBQGCCsGAQUF
-BwEYBAgwBgIBBQIBETANBgkqhkiG9w0BAQsFAAOBgQBp5DB6ksTU78tli6cYkxB4
-DRPIGOhL87o4gpsOQNSS61ECYTf2wxGqPA1sM/8syNn0hU1hGVqZG2ydYmR6PxkO
-/FfKNmxI5+cRA8oKk6zNhu42tll3NLFbYZV9cp8+JpBQMLBIXxU23UggnsxoVrks
-C1I6oDxIq5kDixlWKnaMGA==
+bm9uZUBub25lLm9yZ4EOd2hlcmVAbm9uZS5vcmcwDAYDVR0TAQH/BAIwADAWBgNV
+HSUBAf8EDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDB4AAMBQGCCsGAQUFBwEY
+BAgwBgIBBQIBETANBgkqhkiG9w0BAQsFAAOBgQAIayiRbitKkrg0YAtj/cqij5xx
+6ictys5F3XvdsTgTINPpW41TqFJltPFfFJXRCwJI/aitPXH4so+xS6sFYHKHYXnu
+DGGwNRE0bmW9+/MhgkMLdLNw22MRiyDK1TM5CWAe9CCX8jzyRnnKXIvpPXv0yLhY
+kT9W7Sjw72lPTehtsg==
-----END NEW CERTIFICATE REQUEST-----
diff --git a/tests/cert-tests/data/template-tlsfeature.pem b/tests/cert-tests/data/template-tlsfeature.pem
index 23ba2886a1..a412a42c13 100644
--- a/tests/cert-tests/data/template-tlsfeature.pem
+++ b/tests/cert-tests/data/template-tlsfeature.pem
@@ -1,5 +1,5 @@
-----BEGIN CERTIFICATE-----
-MIIENzCCA6CgAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBuDEVMBMGA1UEAxMMQ2lu
+MIIENDCCA52gAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBuDEVMBMGA1UEAxMMQ2lu
ZHkgTGF1cGVyMRcwFQYKCZImiZPyLGQBARMHY2xhdXBlcjEXMBUGA1UECxMOc2xl
ZXBpbmcgZGVwdC4xEjAQBgNVBAoTCUtva28gaW5jLjEPMA0GA1UECBMGQXR0aWtp
MQswCQYDVQQGEwJHUjEMMAoGA1UEDBMDRHIuMQ8wDQYDVQRBEwZqYWNrYWwxHDAa
@@ -11,15 +11,15 @@ DBMDRHIuMQ8wDQYDVQRBEwZqYWNrYWwxHDAaBgkqhkiG9w0BCQEWDW5vbmVAbm9u
ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKXGznVDhL9kngInE/ED
Wfd5LZLtfC9QpAPxLXm5hosFfjq7RKqvhM8TmB4cSjj3My16n3LUa20msDE3cBD7
QunYnRhlfhlJ/AWWBGiDHneGv+315RI7E/4zGJwaeh1pr0cCYHofuejP28g0MFGW
-PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggFNMIIBSTAUBggrBgEFBQcBGAQIMAYC
-AQUCAREwDwYDVR0TAQH/BAUwAwEB/zBqBgNVHREEYzBhggx3d3cubm9uZS5vcmeC
-E3d3dy5tb3JldGhhbm9uZS5vcmeCF3d3dy5ldmVubW9yZXRoYW5vbmUub3JnhwTA
-qAEBgQ1ub25lQG5vbmUub3JngQ53aGVyZUBub25lLm9yZzATBgNVHSUEDDAKBggr
-BgEFBQcDCTAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQd
-klQiynI2XzBvBgNVHR8EaDBmMGSgYqBghh5odHRwOi8vd3d3LmdldGNybC5jcmwv
-Z2V0Y3JsMS+GHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwyL4YeaHR0cDov
-L3d3dy5nZXRjcmwuY3JsL2dldGNybDMvMA0GCSqGSIb3DQEBCwUAA4GBAG4dVgPt
-cB2JnNlNacL+MnggU4TyYTnpEvBWUnjiZxvsKMAk+XcqeW61hjl0u0wQGWBOsSeS
-yLcnXHKApdI0LUkWhkKGqZaUSktd9v5sBzP1IXsXHMRsa1ZPazsSYbQ+EQggOnEP
-s6Zw/bt1SYHBdqk8+yBXq54AYT4EK+6Me/pX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-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-unique.pem b/tests/cert-tests/data/template-unique.pem
index e08e5b53ec..538c0a28a8 100644
--- a/tests/cert-tests/data/template-unique.pem
+++ b/tests/cert-tests/data/template-unique.pem
@@ -11,10 +11,10 @@ NDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABgQgAERQjJCUSJIIGAAAVIyQlo4H1
MIHyMA8GA1UdEwEB/wQFMAMBAf8wagYDVR0RBGMwYYIMd3d3Lm5vbmUub3JnghN3
d3cubW9yZXRoYW5vbmUub3Jnghd3d3cuZXZlbm1vcmV0aGFub25lLm9yZ4cEwKgB
AYENbm9uZUBub25lLm9yZ4EOd2hlcmVAbm9uZS5vcmcwEwYDVR0lBAwwCgYIKwYB
-BQUHAwkwDwYDVR0PAQH/BAUDAwcEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJU
+BQUHAwkwDwYDVR0PAQH/BAUDAweEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJU
IspyNl8wLgYDVR0fBCcwJTAjoCGgH4YdaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dl
-dGNybC8wDQYJKoZIhvcNAQELBQADgYEAlJcMko5hA7LLxZWylww49HrmiKCRMjH/
-FMPi5WW54n8YfRQuOD8wvHUl3EcJHCXBu0nlWQJfIfGiPIBTTX7EJCS3KQpX296p
-q1xClFdGqXCNOzy0Ld64Qh7qgt5TlvV+uzGgfkzaPqksBhhVLXlUNS2cCSiyi075
-wxR6TEOsjqE=
+dGNybC8wDQYJKoZIhvcNAQELBQADgYEAR0YLJcy/QThClfMri0ULVGRRl8YlxGc8
+HSl+TtabcK2Ei3bl0G1yMz02/jaIqi87DWssKL42bmT1qieyOFik3a+jXY377P7G
+ssW54WKXQvhpR1b3JZ2RADaj8g9+E9zrUsSlVNaDC33f3DoTzU/tryw25V7U1quj
+ALQTc/0hW1k=
-----END CERTIFICATE-----
diff --git a/tests/cert-tests/sha3-test b/tests/cert-tests/sha3-test
index abb20bca04..dc3cf8f6ba 100755
--- a/tests/cert-tests/sha3-test
+++ b/tests/cert-tests/sha3-test
@@ -50,8 +50,8 @@ datefudge -s "2007-04-22" \
rc=$?
if test -f "${srcdir}/data/template-rsa-$i.pem";then
-${DIFF} "${srcdir}/data/template-rsa-$i.pem" "${TMPFILE}" >/dev/null 2>&1
-rc=$?
+ ${DIFF} "${srcdir}/data/template-rsa-$i.pem" "${TMPFILE}" >/dev/null 2>&1
+ rc=$?
fi
# We're done.
diff --git a/tests/cert-tests/template-test b/tests/cert-tests/template-test
index fe954e528a..43e28fe15d 100755
--- a/tests/cert-tests/template-test
+++ b/tests/cert-tests/template-test
@@ -149,7 +149,6 @@ else
# We're done.
if test "${rc}" != "0"; then
- echo $TMPFILE
echo "Test 5-2 (overflow2) failed"
exit ${rc}
fi
diff --git a/tests/cert-tests/templates/template-othername-xmpp.tmpl b/tests/cert-tests/templates/template-othername-xmpp.tmpl
index 1e9a85f846..017dfbaa83 100644
--- a/tests/cert-tests/templates/template-othername-xmpp.tmpl
+++ b/tests/cert-tests/templates/template-othername-xmpp.tmpl
@@ -33,9 +33,6 @@ crl_dist_points = "http://www.getcrl.crl/getcrl/"
email = "where@none.org"
-# Whether this is a CA certificate or not
-ca
-
# Whether this certificate will be used for a TLS client
#tls_www_client
diff --git a/tests/cert-tests/templates/template-tlsfeature.tmpl b/tests/cert-tests/templates/template-tlsfeature.tmpl
index 7a03b49afb..f4d3f69abb 100644
--- a/tests/cert-tests/templates/template-tlsfeature.tmpl
+++ b/tests/cert-tests/templates/template-tlsfeature.tmpl
@@ -65,9 +65,6 @@ crl_dist_points = "http://www.getcrl.crl/getcrl3/"
email = "where@none.org"
-# Whether this is a CA certificate or not
-ca
-
# Whether this certificate will be used for a TLS client
#tls_www_client
diff --git a/tests/profile-tests.sh b/tests/profile-tests.sh
new file mode 100755
index 0000000000..71295fd5a6
--- /dev/null
+++ b/tests/profile-tests.sh
@@ -0,0 +1,243 @@
+#!/bin/sh
+
+# Copyright (C) 2019 Red Hat, Inc.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>
+#
+
+# This program tests whether the profile keywords work as expected
+
+srcdir="${srcdir:-.}"
+SERV="${SERV:-../src/gnutls-serv${EXEEXT}}"
+CLI="${CLI:-../src/gnutls-cli${EXEEXT}}"
+TMPFILE=config.$$.tmp
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+if ! test -x "${SERV}"; then
+ exit 77
+fi
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+. "${srcdir}/scripts/common.sh"
+
+CAFILE="./profile-ca.$$.tmp"
+CERT="./profile-cert.$$.tmp"
+
+
+echo "Testing with a 256 bit ECDSA key"
+
+cat >${CAFILE} <<_EOF_
+-----BEGIN CERTIFICATE-----
+MIIBZjCCAQugAwIBAgIUT/9x+s6cBhBHWoZH5fBi9c0aBPswCgYIKoZIzj0EAwIw
+DzENMAsGA1UEAxMEQ0EtMDAgFw0xOTA1MjAxMzAxNTdaGA85OTk5MTIzMTIzNTk1
+OVowDzENMAsGA1UEAxMEQ0EtMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABI7d
+qggkXNbYfXi5rMqdvvX26GJ02A63B5sueaS0w1LITLeMb0mhx4trpXMkJ3lr05lY
+JCfr6sUTAlYLMBLZJ+ajQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUD
+AwcGADAdBgNVHQ4EFgQUUkk7xPS5Uf53q8YLEhz5KGqeZH0wCgYIKoZIzj0EAwID
+SQAwRgIhAKL/lPu6hOTwA/FfB+dMkkVeeZA+6CeXgbnxeA6HXy3bAiEAvO3+1VhR
+RIHc3JBuIsLlrwaovXAZHgXNGV2WalixDHI=
+-----END CERTIFICATE-----
+_EOF_
+cat >${CERT} <<_EOF_
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIG5Gt+KTDxw5cevzwL0Sfo2AJZNeVtu3GHSnpICvsSiBoAoGCCqGSM49
+AwEHoUQDQgAEnB4EDGQpuRi4xrOuLTfIZivipgzkwVNH8qnPU5Xulo4BRQcz3h7/
+Ly3K6eR0yJjbShTQmize96/YfMZN6htqZw==
+-----END EC PRIVATE KEY-----
+_EOF_
+KEY="${CERT}"
+
+eval "${GETPORT}"
+launch_server $$ --echo --priority "NORMAL" --x509keyfile ${KEY} --x509certfile ${CERT}
+PID=$!
+wait_server ${PID}
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_VERY_WEAK --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null ||
+ fail ${PID} "expected connection to succeed (1)"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LOW --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null ||
+ fail ${PID} "expected connection to succeed (2)"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LEGACY --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null ||
+ fail ${PID} "expected connection to succeed (3)"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_HIGH --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null ||
+ fail ${PID} "expected connection to succeed (4)"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_ULTRA --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null &&
+ fail ${PID} "expected connection to fail (1)"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_FUTURE --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null &&
+ fail ${PID} "expected connection to fail (2)"
+
+kill ${PID}
+wait
+
+
+echo "Testing with a 384 bit ECDSA key"
+
+cat >${CAFILE} <<_EOF_
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+_EOF_
+cat >${CERT} <<_EOF_
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----
+-----BEGIN EC PRIVATE KEY-----
+MIGlAgEBBDEAtrbWqGFyxd+qLlU0VHGvS5CpuAg0fPvODXzu8qHGREvxMYJL5d0I
+YfU7emquAuq/oAcGBSuBBAAioWQDYgAEz2oLCyk+jCxhbMVsgYw5sq33AK3gWbRg
+3vbUvI2CLWzPMv7pb4wp8Fv3cJlQXulCl5+1iCe58b6f49JOfU8KTMX6Up+dTYYm
+lYjEOGcQN+Kpvh94FJfK9RgvSPxD02Ht
+-----END EC PRIVATE KEY-----
+_EOF_
+KEY="${CERT}"
+
+eval "${GETPORT}"
+launch_server $$ --echo --priority "NORMAL" --x509keyfile ${KEY} --x509certfile ${CERT}
+PID=$!
+wait_server ${PID}
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_VERY_WEAK --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null ||
+ fail ${PID} "expected connection to succeed (1)"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LOW --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null ||
+ fail ${PID} "expected connection to succeed (2)"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LEGACY --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null ||
+ fail ${PID} "expected connection to succeed (3)"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_HIGH --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null ||
+ fail ${PID} "expected connection to succeed (4)"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_ULTRA --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null ||
+ fail ${PID} "expected connection to succeed (5)"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_FUTURE --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null &&
+ fail ${PID} "expected connection to fail (1)"
+
+kill ${PID}
+wait
+
+echo "Testing with a 521 bit ECDSA key"
+
+cat >${CAFILE} <<_EOF_
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+_EOF_
+cat >${CERT} <<_EOF_
+-----BEGIN CERTIFICATE-----
+MIICJDCCAYagAwIBAgIUTNrzhsX4+TV92p8tYrrUclDsYsUwCgYIKoZIzj0EAwQw
+DzENMAsGA1UEAxMEQ0EtMDAgFw0xOTA1MjAxMzE4MDVaGA85OTk5MTIzMTIzNTk1
+OVowEzERMA8GA1UEAxMIc2VydmVyLTEwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAGAb9ToCqbQ8wImyiIN3Zf3T8WrwB/R28f0w8wq0W5a71FGayY0VU5exSBV7nnj
+X8xFwUb+BpIVRQ4ZsryQCDDANACxXE3hwae59mqO9JhrTUQL7KyDaZ8W6KbACn8h
+fYsOay/3ub0wdNdG8aJIcZzmrX1DNM0Jt/rW1d2nzuv6lZqCfqN3MHUwDAYDVR0T
+AQH/BAIwADAUBgNVHREEDTALgglsb2NhbGhvc3QwDwYDVR0PAQH/BAUDAweAADAd
+BgNVHQ4EFgQUv46ZnyF9oFn6yVCPl8WJ2InprhowHwYDVR0jBBgwFoAUjZJ5ECbJ
+WQAARpspZ/JJER8mol8wCgYIKoZIzj0EAwQDgYsAMIGHAkIAh0/UdYPTSWmtTRNZ
+d1VGCBW+Pw9aMkSTd8byWgle8+z1aQdZYQF46MHDuRC3zkooAYXPjbYCbLba5W/x
+K1MVvfoCQThH3TCLj/Qci1788SNJ2bvN4bGe9m71cRhJWOXx5GRUHjvRJ5dttllq
+dPzh992Fym1fGoyKne2xm172IG2LvTI0
+-----END CERTIFICATE-----
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBZEu+h1ouDy17i0vGtm39PIrwWCGmjiQkCp1HnPSGod6SM2O3j4Mf
+PH5pp8dPYx0LmHXTe+/P/oiIf128sSlsIGCgBwYFK4EEACOhgYkDgYYABAGAb9To
+CqbQ8wImyiIN3Zf3T8WrwB/R28f0w8wq0W5a71FGayY0VU5exSBV7nnjX8xFwUb+
+BpIVRQ4ZsryQCDDANACxXE3hwae59mqO9JhrTUQL7KyDaZ8W6KbACn8hfYsOay/3
+ub0wdNdG8aJIcZzmrX1DNM0Jt/rW1d2nzuv6lZqCfg==
+-----END EC PRIVATE KEY-----
+_EOF_
+KEY="${CERT}"
+
+eval "${GETPORT}"
+launch_server $$ --echo --priority "NORMAL" --x509keyfile ${KEY} --x509certfile ${CERT}
+PID=$!
+wait_server ${PID}
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_VERY_WEAK --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null ||
+ fail ${PID} "expected connection to succeed (1)"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LOW --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null ||
+ fail ${PID} "expected connection to succeed (2)"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LEGACY --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null ||
+ fail ${PID} "expected connection to succeed (3)"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_HIGH --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null ||
+ fail ${PID} "expected connection to succeed (4)"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_ULTRA --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null ||
+ fail ${PID} "expected connection to succeed (5)"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_FUTURE --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null ||
+ fail ${PID} "expected connection to succeed (6)"
+
+kill ${PID}
+wait
+
+rm -f ${TMPFILE} ${CAFILE} ${CERT}
+
+exit 0
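Review bot: The temporary files holding the test CA and the server certificate together with its private key (`${CAFILE}`, `${CERT}`) are removed only on the success path by the final `rm -f ${TMPFILE} ${CAFILE} ${CERT}`; every `fail ${PID} ...` call exits earlier, so a failing run leaves the key material behind in the working directory under a predictable `profile-*.$$.tmp` name. Installing `trap 'rm -f "${TMPFILE}" "${CAFILE}" "${CERT}"' EXIT` right after the three names are assigned would cover both paths, assuming `fail` in scripts/common.sh terminates the shell rather than returning (common.sh is not visible here). `TMPFILE=config.$$.tmp` is assigned but never written to anywhere in this script, so it could simply be dropped along with its entry in the `rm -f` line. The unquoted `${KEY}`/`${CERT}` in the `launch_server` lines would also be better quoted like the `"${CAFILE}"` uses below them.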
diff --git a/tests/suite/certs/create-chain.sh b/tests/suite/certs/create-chain.sh
index 494a5d92e5..c616189e63 100755
--- a/tests/suite/certs/create-chain.sh
+++ b/tests/suite/certs/create-chain.sh
@@ -16,6 +16,11 @@ LAST=`expr ${NUM} - 1`
rm -rf "${OUTPUT}"
mkdir -p "${OUTPUT}"
+#KEY_TYPE_ROOT="--key-type rsa-pss --bits 2048 --hash sha384 --salt-size 64"
+KEY_TYPE_ROOT="--key-type ecdsa --curve secp521r1"
+KEY_TYPE_SUBCA="--key-type rsa-pss --bits 2048 --hash sha256 --salt-size 64"
+KEY_TYPE="--key-type ecdsa --curve secp521r1"
+
counter=0
while test ${counter} -lt ${NUM}; do
if test ${counter} = ${LAST}; then
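Review bot: `KEY_TYPE_ROOT` is introduced at the top of this hunk but never used: the root-CA branch in the following hunk (the `if test ${counter} = 0` block) generates its key with `${KEY_TYPE}`, so only the sub-CA branch actually honours its per-role variable. Today both variables hold `--key-type ecdsa --curve secp521r1`, so the generated chain is the same, but the first edit of `KEY_TYPE_ROOT` will silently have no effect; the root-CA line should read `"${CERTTOOL}" ${KEY_TYPE_ROOT} --generate-privkey >"${OUTPUT}/${name}.key" 2>/dev/null`. The commented-out `#KEY_TYPE_ROOT="--key-type rsa-pss ..."` line is leftover and would be clearer as a short comment naming the rsa-pss alternative, or removed. The `while` loop that consumes these variables begins at the end of this hunk and continues outside it.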
@@ -25,7 +30,7 @@ while test ${counter} -lt ${NUM}; do
fi
if test ${counter} = 0; then
- "${CERTTOOL}" --key-type rsa-pss --bits 2048 --hash sha256 --salt-size 64 --generate-privkey >"${OUTPUT}/${name}.key" 2>/dev/null
+ "${CERTTOOL}" ${KEY_TYPE} --generate-privkey >"${OUTPUT}/${name}.key" 2>/dev/null
# ROOT CA
echo "cn = ${name}" >"${TEMPLATE}"
echo "ca" >>"${TEMPLATE}"
@@ -40,7 +45,7 @@ while test ${counter} -lt ${NUM}; do
"${OUTPUT}/${name}.crl" --template "${TEMPLATE}" 2>/dev/null
else
if test ${counter} = ${LAST}; then
- "${CERTTOOL}" --key-type rsa --bits 2048 --generate-privkey >"${OUTPUT}/${name}.key" 2>/dev/null
+ "${CERTTOOL}" ${KEY_TYPE} --generate-privkey >"${OUTPUT}/${name}.key" 2>/dev/null
# END certificate
echo "cn = ${name}" >"${TEMPLATE}"
echo "dns_name = localhost" >>"${TEMPLATE}"
@@ -52,7 +57,7 @@ while test ${counter} -lt ${NUM}; do
--load-ca-privkey "${OUTPUT}/${prev_name}.key" \
--outfile "${OUTPUT}/${name}.crt" --template "${TEMPLATE}" -d 4 #2>/dev/null
else
- "${CERTTOOL}" --key-type rsa-pss --bits 2048 --hash sha384 --salt-size 48 --generate-privkey >"${OUTPUT}/${name}.key" -d 4 #2>/dev/null
+ "${CERTTOOL}" ${KEY_TYPE_SUBCA} --generate-privkey >"${OUTPUT}/${name}.key" -d 4 #2>/dev/null
# intermediate CA
echo "cn = ${name}" >"${TEMPLATE}"
echo "ca" >>"${TEMPLATE}"
diff --git a/tests/time.c b/tests/time.c
new file mode 100644
index 0000000000..7f5240d026
--- /dev/null
+++ b/tests/time.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ *
+ */
+
+/* That's a unit test of _gnutls_utcTime2gtime() and _gnutls_x509_generalTime2gtime()
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <string.h>
+#include <gnutls/gnutls.h>
+
+#include "utils.h"
+
+time_t _gnutls_utcTime2gtime(const char *ttime);
+time_t _gnutls_x509_generalTime2gtime(const char *ttime);
+
+struct time_tests_st {
+ const char *time_str;
+ time_t utime;
+};
+
+struct time_tests_st general_time_tests[] = {
+ {
+ .time_str = "20190520133237Z",
+ .utime = 1558359157
+ },
+ {
+ .time_str = "20170101000000Z",
+ .utime = 1483228800
+ },
+ {
+ .time_str = "19700101000000Z",
+ .utime = 0
+ },
+};
+
+struct time_tests_st utc_time_tests[] = {
+ {
+ .time_str = "190520133237",
+ .utime = 1558359157
+ },
+ {
+ .time_str = "170101000000Z",
+ .utime = 1483228800
+ },
+};
+
+
+void doit(void)
+{
+ time_t t;
+ unsigned i;
+
+ for (i=0;i<sizeof(general_time_tests)/sizeof(general_time_tests[0]);i++) {
+ t = _gnutls_x509_generalTime2gtime(general_time_tests[i].time_str);
+ if (t != general_time_tests[i].utime) {
+ fprintf(stderr, "%s: Error in GeneralTime conversion\n", general_time_tests[i].time_str);
+ fprintf(stderr, "got: %lu, expected: %lu\n", (unsigned long)t, general_time_tests[i].utime);
+ }
+ }
+
+ for (i=0;i<sizeof(utc_time_tests)/sizeof(utc_time_tests[0]);i++) {
+ t = _gnutls_utcTime2gtime(utc_time_tests[i].time_str);
+ if (t != utc_time_tests[i].utime) {
+ fprintf(stderr, "%s: Error in utcTime conversion\n", utc_time_tests[i].time_str);
+ fprintf(stderr, "got: %lu, expected: %lu\n", (unsigned long)t, utc_time_tests[i].utime);
+ }
+ }
+}
+
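Review bot: doit() never fails the test: a mismatch in either loop is only printed to stderr, so the program still exits 0 and the harness cannot tell a broken conversion from a passing one. Each mismatch branch should abort, e.g. with the `fail()` helper utils.h provides to the other GnuTLS tests (or `exit(1)`, since stdlib.h is already included): `fail("%s: Error in GeneralTime conversion\n", general_time_tests[i].time_str);` and likewise `fail("%s: Error in utcTime conversion\n", utc_time_tests[i].time_str);` in the second loop. The `%lu` conversions on the "got/expected" lines also receive a bare `time_t` as the second argument, which is undefined behaviour unless time_t happens to be unsigned long; cast it as the first argument already is, `(unsigned long)general_time_tests[i].utime` and `(unsigned long)utc_time_tests[i].utime`. The utcTime table mixes an entry without a trailing `Z` and one with it; if both forms are meant to be accepted, a one-line comment saying so would stop a reader from taking the missing `Z` for a typo. The license header cites the GPL in one paragraph and the LGPL in the closing one; this should be aligned with the other test files.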