authorStefan Metzmacher <metze@samba.org>2016-06-03 21:32:04 +0200
committerAndrew Bartlett <abartlet@samba.org>2016-07-22 23:34:21 +0200
commit0860b1379895909b413f11cc72c615199c71bd0c (patch)
tree4ccb6c308d75f11cf896851ee16e5ec5e75e8f49 /selftest/manage-ca
parent763baa632af08da5181b3454d502add5226494c8 (diff)
selftest/manage-ca: add certificates for pkinit@[addom.]samba.example.com
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'selftest/manage-ca')
-rw-r--r--selftest/manage-ca/CA-samba.example.com/NewCerts/04.pem168
-rw-r--r--selftest/manage-ca/CA-samba.example.com/NewCerts/05.pem168
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt2
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old2
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt2
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old2
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.cerbin0 -> 2300 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.pem168
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-key.pem30
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-openssl.cnf242
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private-key.pem27
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private.p12bin0 -> 3901 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-req.pem19
l---------selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-cert.pem1
l---------selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-private-key.pem1
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.cerbin0 -> 2270 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.pem168
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-key.pem30
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-openssl.cnf242
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private-key.pem27
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private.p12bin0 -> 3869 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-req.pem18
l---------selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-cert.pem1
l---------selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-private-key.pem1
24 files changed, 1317 insertions, 2 deletions
diff --git a/selftest/manage-ca/CA-samba.example.com/NewCerts/04.pem b/selftest/manage-ca/CA-samba.example.com/NewCerts/04.pem
new file mode 100644
index 00000000000..730b8243d2d
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/NewCerts/04.pem
@@ -0,0 +1,168 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4 (0x4)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Jun 3 19:30:29 2016 GMT
+ Not After : May 29 19:30:29 2036 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=pkinit@samba.example.com/emailAddress=pkinit@samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:dd:c4:48:44:a5:e9:6b:b4:41:03:6a:dc:34:1f:
+ d6:41:ce:f7:cb:b2:44:a7:a3:0e:89:16:ff:0d:62:
+ 23:e0:8b:24:db:82:82:68:29:22:1b:57:44:12:c6:
+ ea:10:2d:6f:3a:4b:75:b1:2e:76:62:01:62:ff:ba:
+ 3d:67:e1:39:0d:12:38:b0:fc:b3:e5:0e:dd:77:73:
+ 2b:99:25:86:d5:15:84:08:be:b0:8b:38:d7:64:9d:
+ d6:e7:dc:4d:9a:fb:ea:17:41:bb:d1:cf:1a:b9:5b:
+ 0b:8a:e5:8c:5a:b7:2d:ab:bd:f7:c3:91:ae:26:c2:
+ e3:97:27:ea:3f:be:c9:22:af:d6:76:35:45:b0:72:
+ 86:f2:bd:bf:e2:d3:e3:e3:68:52:26:db:f0:a6:6a:
+ 0e:63:05:9b:17:6d:13:ee:c4:15:41:96:27:06:90:
+ fd:10:b5:f9:6c:74:be:b0:a8:bb:70:f7:a2:25:da:
+ f7:f1:91:c2:69:6c:40:c4:63:e8:06:83:e0:1d:b7:
+ 2b:29:d3:75:d1:df:c1:d2:90:af:b9:81:47:78:f3:
+ f1:1a:c9:20:e3:1b:6f:e4:fd:2e:0b:65:a7:6f:b1:
+ b2:a0:d3:e3:d2:2f:2b:ef:fd:01:5b:27:e7:1b:c1:
+ 0e:bc:bd:f0:7b:b2:34:a9:9b:4d:2c:c8:65:33:c8:
+ 33:17
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Client, S/MIME
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Smart Card Login Certificate for pkinit@samba.example.com
+ X509v3 Subject Key Identifier:
+ E9:67:66:B8:3D:F1:39:AB:1A:4D:00:9D:EC:CE:FF:4B:50:D8:5D:A2
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ email:pkinit@samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, scardLogin
+ Signature Algorithm: sha256WithRSAEncryption
+ 88:3e:f3:98:08:ef:cd:53:3a:07:d5:1c:fd:26:7c:f1:96:2e:
+ b9:06:87:f2:5b:e2:be:d1:04:6e:38:59:14:49:9d:46:ef:7e:
+ 6c:08:02:3e:18:09:09:61:a8:1d:a9:da:59:40:58:5f:d2:ca:
+ 4f:76:0e:7e:01:db:05:03:fb:78:c7:89:86:aa:1b:dc:02:bb:
+ 86:a5:02:7c:01:54:dd:ad:e0:43:c5:d9:ec:86:c2:47:b5:5a:
+ 1c:8c:06:0e:fe:11:ad:a5:57:37:f5:0a:35:65:a4:f2:27:14:
+ 2f:bf:53:48:66:e1:da:b9:58:95:a2:d1:95:9c:ae:0a:ca:29:
+ a6:ef:7a:58:74:86:40:ea:2a:c6:18:9f:1a:d9:70:e2:a8:aa:
+ 8d:f1:22:bf:b6:e4:61:d4:21:ee:bf:17:e1:aa:d1:cf:0b:35:
+ 82:c7:3f:a1:be:d1:a5:bd:4e:04:0d:cf:11:2d:d6:0c:7e:47:
+ 5c:5e:84:d2:10:60:7e:97:d7:52:be:a1:cd:2d:85:da:b2:dd:
+ 68:88:12:a4:88:5f:16:0c:ae:6f:60:7f:da:58:5f:91:bd:8d:
+ 15:20:c2:74:94:0b:93:65:80:7c:77:15:a2:70:bb:98:be:41:
+ 1a:2e:c5:78:52:64:e7:44:03:3f:64:97:10:a9:1b:17:f3:79:
+ f9:51:0c:4c:58:e7:03:e7:bb:fd:34:ff:c0:4a:ad:b1:7a:ba:
+ 97:3c:f8:e0:9e:30:3d:e7:5f:be:ac:6a:b3:c1:1e:50:7c:cd:
+ ce:18:bd:96:73:fb:9c:90:e7:ae:e0:be:c5:65:29:9a:1c:da:
+ c3:64:2a:99:dc:93:61:32:9a:70:1a:45:83:72:38:0f:57:de:
+ 0d:f5:64:71:97:de:b5:64:99:43:30:6d:3f:25:82:b5:3e:a1:
+ ba:39:d2:fc:b8:df:7e:57:da:fc:be:c2:84:2e:99:41:52:a2:
+ 18:f4:99:c7:e2:b9:af:2a:84:32:5c:cb:ba:26:86:6b:8e:58:
+ 30:d8:4f:5b:60:34:fd:30:de:c5:a0:7a:8c:e7:34:2b:bc:81:
+ 6d:4c:a8:b5:ba:b5:52:b9:42:e5:d8:7e:be:31:a3:8e:b0:c3:
+ f6:16:28:92:e7:9d:3f:c8:cf:a0:4a:b0:3a:ae:75:59:ab:19:
+ 91:e4:2e:76:57:3f:58:88:5f:2e:7b:c5:8f:11:25:0f:cd:8f:
+ e3:91:80:2f:d4:7b:5a:80:c3:c9:7c:0a:aa:01:bf:5c:8c:0e:
+ 57:84:bf:72:ad:7b:0a:b9:95:27:0f:aa:9b:96:08:8e:bb:63:
+ 56:5a:1d:ad:0c:5b:1c:04:38:ae:2b:88:d4:d1:68:20:f2:a0:
+ 9b:77:9c:95:db:17:cb:cf:79:4a:13:66:c9:34:36:f6:c6:f9:
+ 8b:4b:92:5e:59:a3:5d:75:4e:fa:f2:fa:d5:d9:66:80:82:a4:
+ 8d:e2:d8:b6:ed:c5:a3:ca:a2:70:64:9c:b9:1c:49:b2:2f:46:
+ b3:13:3b:88:a7:5a:8e:22:b7:90:f5:74:27:21:06:a4:94:bb:
+ b1:cb:e7:e4:92:f0:e9:80:15:94:82:1a:97:34:d0:cf:aa:37:
+ b1:27:a5:38:39:7c:8d:ba:a1:12:dd:30:48:44:90:0c:35:0f:
+ cc:e6:13:e7:c9:06:36:1d:b0:c9:be:28:0f:47:1c:b0:47:a3:
+ 20:d1:bb:a1:85:1a:80:c2:9b:70:61:9f:a7:82:46:3c:80:28:
+ 0c:17:f6:fc:75:83:be:ff:5c:da:bc:be:2c:65:a6:c0:fc:c1:
+ 32:ae:9a:bf:d1:7c:fb:b3:26:3b:77:03:fe:a9:e9:ae:4c:72:
+ 58:a9:6e:ce:ad:c0:1f:30:b2:06:32:65:af:5f:db:3d:2b:ab:
+ c5:46:5c:0a:df:50:b5:7e:31:c8:b0:7e:50:e2:aa:d8:01:8e:
+ ea:e7:3c:8b:90:73:de:77:9f:47:ea:af:16:0d:a5:c0:89:6f:
+ 86:a4:84:f7:1f:03:fd:7d:f8:a8:7d:9c:9a:f1:13:c8:d5:5b:
+ 9c:2f:71:c1:c0:c2:17:89:39:6d:28:2d:20:31:ca:60:cf:7f:
+ 78:42:5c:a3:28:76:19:a8:ca:e6:07:22:6d:7f:04:b1:20:ab:
+ 70:40:33:e9:a3:fa:da:b5:7c:ee:70:0b:c6:a2:6a:90:1a:10:
+ fe:8a:9b:56:5c:44:85:f1:b4:41:67:0b:c1:a3:68:2f:ff:b1:
+ 48:f3:38:4b:28:4e:52:36:0c:9b:37:aa:7e:82:63:c3:61:33:
+ a9:05:b3:af:13:07:b3:9e:4d:4c:3c:c4:47:34:ce:f3:6e:55:
+ 69:d7:af:dc:e4:82:34:9b:fe:cc:d9:db:1f:08:3e:3c:3a:9b:
+ ac:a7:7e:61:3f:5f:01:0c:d8:f3:63:31:31:07:e2:05:84:30:
+ 65:f4:b0:a6:cc:ad:63:fe:06:db:d7:e9:2f:9d:db:2c:64:af:
+ d6:d1:cc:9e:c3:11:09:ad:7d:e2:06:6d:21:ad:a5:4f:a6:87:
+ 9b:ee:db:6c:e9:69:a7:6a:eb:93:67:e2:e9:6f:23:f8:2e:95:
+ 78:5f:a8:66:ae:7e:2c:5e:6b:07:3e:02:ad:20:af:61:9c:0e:
+ 1d:c6:7a:31:5a:33:bd:61:1a:67:5b:a9:42:3c:17:67:f8:dd:
+ 80:e3:ab:62:a0:42:53:33:1f:f7:79:ea:32:d1:26:dd:bb:c6:
+ 26:aa:2c:ac:16:7e:24:b4:ae:7d:ce:77:e8:5f:2d:97
+-----BEGIN CERTIFICATE-----
+MIII2jCCBMKgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjA2
+MDMxOTMwMjlaFw0zNjA1MjkxOTMwMjlaMIGZMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE
+CwwFVXNlcnMxITAfBgNVBAMMGHBraW5pdEBzYW1iYS5leGFtcGxlLmNvbTEnMCUG
+CSqGSIb3DQEJARYYcGtpbml0QHNhbWJhLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3cRIRKXpa7RBA2rcNB/WQc73y7JEp6MOiRb/
+DWIj4Isk24KCaCkiG1dEEsbqEC1vOkt1sS52YgFi/7o9Z+E5DRI4sPyz5Q7dd3Mr
+mSWG1RWECL6wizjXZJ3W59xNmvvqF0G70c8auVsLiuWMWrctq733w5GuJsLjlyfq
+P77JIq/WdjVFsHKG8r2/4tPj42hSJtvwpmoOYwWbF20T7sQVQZYnBpD9ELX5bHS+
+sKi7cPeiJdr38ZHCaWxAxGPoBoPgHbcrKdN10d/B0pCvuYFHePPxGskg4xtv5P0u
+C2Wnb7GyoNPj0i8r7/0BWyfnG8EOvL3we7I0qZtNLMhlM8gzFwIDAQABo4IB/DCC
+AfgwCQYDVR0TBAIwADBPBgNVHR8ESDBGMESgQqBAhj5odHRwOi8vd3d3LnNhbWJh
+LmV4YW1wbGUuY29tL2NybHMvQ0Etc2FtYmEuZXhhbXBsZS5jb20tY3JsLmNybDAR
+BglghkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgXgMEgGCWCGSAGG+EIBDQQ7FjlT
+bWFydCBDYXJkIExvZ2luIENlcnRpZmljYXRlIGZvciBwa2luaXRAc2FtYmEuZXhh
+bXBsZS5jb20wHQYDVR0OBBYEFOlnZrg98TmrGk0AnezO/0tQ2F2iMB8GA1UdIwQY
+MBaAFKI+Aiqjp005tAhNmcwMdTbqJ8M+ME0GA1UdEQRGMESBGHBraW5pdEBzYW1i
+YS5leGFtcGxlLmNvbaAoBgorBgEEAYI3FAIDoBoMGHBraW5pdEBzYW1iYS5leGFt
+cGxlLmNvbTAxBgNVHRIEKjAogSZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5l
+eGFtcGxlLmNvbTBNBglghkgBhvhCAQQEQBY+aHR0cDovL3d3dy5zYW1iYS5leGFt
+cGxlLmNvbS9jcmxzL0NBLXNhbWJhLmV4YW1wbGUuY29tLWNybC5jcmwwHwYDVR0l
+BBgwFgYIKwYBBQUHAwIGCisGAQQBgjcUAgIwDQYJKoZIhvcNAQELBQADggQBAIg+
+85gI781TOgfVHP0mfPGWLrkGh/Jb4r7RBG44WRRJnUbvfmwIAj4YCQlhqB2p2llA
+WF/Syk92Dn4B2wUD+3jHiYaqG9wCu4alAnwBVN2t4EPF2eyGwke1WhyMBg7+Ea2l
+Vzf1CjVlpPInFC+/U0hm4dq5WJWi0ZWcrgrKKabvelh0hkDqKsYYnxrZcOKoqo3x
+Ir+25GHUIe6/F+Gq0c8LNYLHP6G+0aW9TgQNzxEt1gx+R1xehNIQYH6X11K+oc0t
+hdqy3WiIEqSIXxYMrm9gf9pYX5G9jRUgwnSUC5NlgHx3FaJwu5i+QRouxXhSZOdE
+Az9klxCpGxfzeflRDExY5wPnu/00/8BKrbF6upc8+OCeMD3nX76sarPBHlB8zc4Y
+vZZz+5yQ567gvsVlKZoc2sNkKpnck2EymnAaRYNyOA9X3g31ZHGX3rVkmUMwbT8l
+grU+obo50vy4335X2vy+woQumUFSohj0mcfiua8qhDJcy7omhmuOWDDYT1tgNP0w
+3sWgeoznNCu8gW1MqLW6tVK5QuXYfr4xo46ww/YWKJLnnT/Iz6BKsDqudVmrGZHk
+LnZXP1iIXy57xY8RJQ/Nj+ORgC/Ue1qAw8l8CqoBv1yMDleEv3Ktewq5lScPqpuW
+CI67Y1ZaHa0MWxwEOK4riNTRaCDyoJt3nJXbF8vPeUoTZsk0NvbG+YtLkl5Zo111
+Tvry+tXZZoCCpI3i2LbtxaPKonBknLkcSbIvRrMTO4inWo4it5D1dCchBqSUu7HL
+5+SS8OmAFZSCGpc00M+qN7EnpTg5fI26oRLdMEhEkAw1D8zmE+fJBjYdsMm+KA9H
+HLBHoyDRu6GFGoDCm3Bhn6eCRjyAKAwX9vx1g77/XNq8vixlpsD8wTKumr/RfPuz
+Jjt3A/6p6a5Mclipbs6twB8wsgYyZa9f2z0rq8VGXArfULV+MciwflDiqtgBjurn
+PIuQc953n0fqrxYNpcCJb4akhPcfA/19+Kh9nJrxE8jVW5wvccHAwheJOW0oLSAx
+ymDPf3hCXKModhmoyuYHIm1/BLEgq3BAM+mj+tq1fO5wC8aiapAaEP6Km1ZcRIXx
+tEFnC8GjaC//sUjzOEsoTlI2DJs3qn6CY8NhM6kFs68TB7OeTUw8xEc0zvNuVWnX
+r9zkgjSb/szZ2x8IPjw6m6ynfmE/XwEM2PNjMTEH4gWEMGX0sKbMrWP+BtvX6S+d
+2yxkr9bRzJ7DEQmtfeIGbSGtpU+mh5vu22zpaadq65Nn4ulvI/gulXhfqGaufixe
+awc+Aq0gr2GcDh3GejFaM71hGmdbqUI8F2f43YDjq2KgQlMzH/d56jLRJt27xiaq
+LKwWfiS0rn3Od+hfLZc=
+-----END CERTIFICATE-----
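Review bot: The SAN entry that binds this certificate to a Kerberos principal is printed only as `othername:<unsupported>`, so the text dump cannot be used to review the identity mapping. Decoding the DER shows a Microsoft UPN othername (OID 1.3.6.1.4.1.311.20.2.3) with value pkinit@samba.example.com and no RFC 4556 id-pkinit-san entry, and the EKU list has scardLogin but not id-pkinit-KPClientAuth, so tests built on this fixture will presumably exercise only the UPN / smart-card mapping path. It would help to record that next to the generating template, with a comment such as `# SAN otherName = msUPN only; no id-pkinit-san, KDC must accept UPN mapping`. The same holds for NewCerts/05.pem and the USER-pkinit@addom.samba.example.com-S05-cert.pem copy, which share blob id 997dfd3e53e and are therefore identical to each other.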
diff --git a/selftest/manage-ca/CA-samba.example.com/NewCerts/05.pem b/selftest/manage-ca/CA-samba.example.com/NewCerts/05.pem
new file mode 100644
index 00000000000..997dfd3e53e
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/NewCerts/05.pem
@@ -0,0 +1,168 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 5 (0x5)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Jun 3 19:30:47 2016 GMT
+ Not After : May 29 19:30:47 2036 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=pkinit@addom.samba.example.com/emailAddress=pkinit@addom.samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:b3:a4:e8:bd:c8:4f:6a:71:c6:15:a8:dd:00:d6:
+ 61:74:00:e4:8f:b5:c4:0e:98:d9:51:aa:aa:4f:c7:
+ 8c:f9:6c:37:5c:60:55:da:7c:55:9c:d3:cd:e2:f1:
+ ed:51:39:25:d5:fa:69:7e:a7:67:9c:a9:61:1b:5c:
+ 73:50:d0:6f:ba:ce:3a:df:fe:ae:95:95:8e:97:ab:
+ c6:bb:6a:c3:60:0b:ca:c2:9c:31:ff:c6:2f:52:bb:
+ cb:2f:f6:2c:4d:be:20:e1:16:49:d3:22:36:66:4f:
+ 5c:c4:30:12:07:34:8b:00:4e:5b:51:7d:40:35:81:
+ dc:5c:0e:af:be:78:63:80:69:67:87:53:97:d0:3f:
+ d7:66:8d:26:8a:0a:24:95:f9:db:dd:93:0e:48:54:
+ c8:30:e4:77:0d:65:ef:a4:6a:de:29:91:77:97:40:
+ 5c:2e:ed:35:5e:b9:0f:37:ad:d9:70:76:99:77:45:
+ 8c:4a:65:63:13:72:d5:c4:53:37:57:85:0a:6d:74:
+ 30:8c:69:7f:83:f0:7f:f5:67:05:79:80:27:d4:38:
+ 6d:49:2f:8d:2a:97:2e:33:1f:d0:e0:c1:76:1b:bf:
+ bf:b1:75:8a:c9:b1:3f:3f:f2:4e:c5:b0:68:5e:76:
+ 8a:7e:9c:57:b2:ec:3d:18:83:e2:65:d5:30:5e:b5:
+ f4:c7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Client, S/MIME
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Smart Card Login Certificate for pkinit@addom.samba.example.com
+ X509v3 Subject Key Identifier:
+ 3E:81:65:A1:E3:7E:18:BE:80:FE:15:93:CC:20:15:FD:08:D4:A4:3D
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ email:pkinit@addom.samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, scardLogin
+ Signature Algorithm: sha256WithRSAEncryption
+ 7b:47:4c:55:7c:77:8b:8f:ca:23:3e:51:6a:51:c1:49:44:0d:
+ 72:56:27:79:f7:54:48:ef:74:37:5e:2a:33:68:dc:04:8a:de:
+ b2:8e:7b:26:6f:67:f5:bc:0a:e1:ec:74:12:86:5a:6b:56:7d:
+ 75:24:d0:df:c7:1e:c4:28:e8:a5:c0:e5:3a:a0:74:f8:95:70:
+ 61:44:a1:9c:e3:54:d8:cf:1b:e2:2f:35:d3:ca:1a:5f:07:e9:
+ ce:fe:79:e1:20:ac:9e:94:74:a5:80:2e:38:75:bc:bc:d7:2d:
+ e0:54:c1:17:9a:8e:07:42:7e:5f:2e:17:93:63:ab:ae:ed:c6:
+ 29:0f:91:c8:8a:99:ad:21:5b:52:a7:dd:0c:2f:32:dc:0d:36:
+ 9c:98:02:aa:eb:8f:2d:3a:86:1a:cf:f8:f5:da:0b:70:7e:14:
+ 9c:79:bc:8a:6c:c7:06:8d:3e:3b:26:2a:50:a1:05:ca:47:79:
+ d1:ba:55:06:cd:d2:3a:10:27:8d:cb:ee:b4:f7:90:ff:f2:fb:
+ 67:f0:73:0b:4f:51:5e:0b:8d:e4:94:cb:da:56:2d:18:91:b8:
+ 51:0f:ee:48:99:cc:ae:8b:6b:ac:d8:38:1e:5e:5e:d9:1a:29:
+ 52:04:52:49:49:30:60:3b:fa:4e:c9:0c:a0:67:20:e1:4a:9f:
+ 84:44:c8:ca:35:d5:28:a6:06:7e:dc:c3:81:8d:40:12:3d:ae:
+ 0d:51:42:5a:16:92:78:2e:70:0b:ba:7f:8e:52:b7:2e:a8:f1:
+ 72:32:ba:6f:30:92:1e:40:0f:bf:09:14:5b:63:c6:1d:b3:ac:
+ eb:e7:69:f0:1b:3c:b8:4a:ec:a2:22:e2:58:ad:ef:22:77:9c:
+ e2:51:ec:38:bf:47:d8:1e:43:77:61:3d:60:54:c7:ba:6a:be:
+ 87:ea:f7:9e:46:74:90:70:c3:d9:74:21:be:90:78:12:2f:30:
+ d2:56:3b:9a:24:27:17:1b:d0:8c:49:e7:65:a8:d2:d9:0f:f8:
+ e9:5e:51:8c:97:cf:90:37:e5:ad:dc:88:ac:c1:54:57:7a:9a:
+ f4:5a:80:25:85:7c:d0:b7:17:03:8c:b3:43:20:59:c7:f3:68:
+ 72:f5:53:75:df:a0:00:12:f0:28:d5:dc:70:ec:9e:c2:33:bd:
+ 73:e9:8c:62:b8:2f:0d:55:a3:3d:d2:21:59:4f:3a:d7:50:aa:
+ 43:72:25:05:a0:2f:e0:f1:79:59:2a:57:e6:b9:91:21:b9:9f:
+ 07:f9:49:fc:d7:97:f7:be:a7:81:69:ac:6c:9a:7c:25:5e:6b:
+ 48:37:90:89:ac:37:02:b5:be:41:01:56:93:71:f4:e9:75:3c:
+ aa:0a:9b:d6:a3:09:64:51:30:d7:2c:1a:dd:bc:83:2e:45:b5:
+ 90:a5:ad:16:ba:18:56:1c:88:73:b5:ee:77:6d:65:3e:11:dc:
+ 36:45:6a:08:99:5d:24:86:93:da:45:95:2a:de:80:96:2e:db:
+ d7:87:b3:f1:70:3c:b5:56:eb:ca:62:dc:3c:49:84:3c:f8:6d:
+ d9:44:e0:81:33:5e:f7:22:27:8b:09:05:12:a6:c1:79:56:c7:
+ 7f:e2:80:d6:ab:4d:e5:1a:ff:ae:9a:fd:3b:7b:aa:15:ca:10:
+ c2:6a:98:c4:70:63:6e:7d:94:8e:87:0a:24:bd:b1:59:85:67:
+ 5b:e8:2e:ff:d7:43:8c:46:06:1a:a8:ba:72:e7:0d:ef:5f:6c:
+ 2d:5c:14:56:ad:5d:56:a5:21:09:7b:16:44:4a:74:9d:1a:03:
+ aa:1a:41:29:e5:78:e4:7c:9e:53:18:61:d8:5a:d1:e8:a8:0e:
+ f4:d3:40:d6:6b:cd:c9:e4:a3:3d:51:54:c3:d6:09:4c:48:9e:
+ 34:2a:23:ad:83:ab:9a:99:c2:bf:7b:85:98:d7:b6:21:fc:c4:
+ 17:6c:56:46:95:98:da:e8:6c:f3:67:4e:33:fc:68:b8:af:86:
+ 07:8b:8e:f3:16:2c:ec:82:e7:b8:47:64:5c:f5:bd:37:75:b5:
+ 94:d3:09:3c:3d:6a:6d:47:81:e0:1b:df:5e:d7:6c:92:7d:23:
+ 91:3e:29:06:21:5b:52:62:47:87:e8:7e:20:ab:fa:cb:3f:9e:
+ ab:7e:55:7e:d2:76:7d:3e:ce:49:f5:ad:a1:f8:13:ba:9a:d6:
+ 54:bb:e9:f0:e0:a6:77:27:95:33:84:48:ff:29:87:fc:65:94:
+ d4:56:44:88:fc:40:0a:64:32:15:13:36:bf:fb:10:65:35:94:
+ 66:ad:d7:e4:16:08:c5:8b:2f:c7:a1:14:99:60:69:66:39:3f:
+ 8d:f3:d3:46:ae:c9:ad:85:94:9b:06:6f:7e:f9:84:b4:e7:fb:
+ 7c:79:1b:75:00:f7:10:19:86:57:48:ea:d5:24:eb:f5:d6:42:
+ 43:73:36:db:9a:15:73:01:75:db:e5:4f:d0:68:3a:3b:35:ce:
+ 19:ab:08:e8:75:c4:7d:b0:d8:c9:64:f9:de:e4:ae:df:a5:24:
+ 19:dd:b8:d1:88:40:48:2a:13:6c:ad:72:23:46:45:2c:78:0c:
+ d4:68:15:11:7f:e2:47:2d:ce:d0:ce:ae:43:8b:08:af:42:12:
+ 85:6f:4d:8b:39:e0:a1:d9:65:08:b1:dc:00:e2:e8:f0:e1:f6:
+ 8f:21:8e:81:cd:de:8a:d0:92:58:22:d0:b0:29:fa:f8:98:6f:
+ c6:e0:68:37:b4:57:90:c2:c4:7c:38:64:51:d7:61:5a
+-----BEGIN CERTIFICATE-----
+MIII+DCCBOCgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjA2
+MDMxOTMwNDdaFw0zNjA1MjkxOTMwNDdaMIGlMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE
+CwwFVXNlcnMxJzAlBgNVBAMMHnBraW5pdEBhZGRvbS5zYW1iYS5leGFtcGxlLmNv
+bTEtMCsGCSqGSIb3DQEJARYecGtpbml0QGFkZG9tLnNhbWJhLmV4YW1wbGUuY29t
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs6TovchPanHGFajdANZh
+dADkj7XEDpjZUaqqT8eM+Ww3XGBV2nxVnNPN4vHtUTkl1fppfqdnnKlhG1xzUNBv
+us463/6ulZWOl6vGu2rDYAvKwpwx/8YvUrvLL/YsTb4g4RZJ0yI2Zk9cxDASBzSL
+AE5bUX1ANYHcXA6vvnhjgGlnh1OX0D/XZo0migoklfnb3ZMOSFTIMOR3DWXvpGre
+KZF3l0BcLu01XrkPN63ZcHaZd0WMSmVjE3LVxFM3V4UKbXQwjGl/g/B/9WcFeYAn
+1DhtSS+NKpcuMx/Q4MF2G7+/sXWKybE/P/JOxbBoXnaKfpxXsuw9GIPiZdUwXrX0
+xwIDAQABo4ICDjCCAgowCQYDVR0TBAIwADBPBgNVHR8ESDBGMESgQqBAhj5odHRw
+Oi8vd3d3LnNhbWJhLmV4YW1wbGUuY29tL2NybHMvQ0Etc2FtYmEuZXhhbXBsZS5j
+b20tY3JsLmNybDARBglghkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgXgME4GCWCG
+SAGG+EIBDQRBFj9TbWFydCBDYXJkIExvZ2luIENlcnRpZmljYXRlIGZvciBwa2lu
+aXRAYWRkb20uc2FtYmEuZXhhbXBsZS5jb20wHQYDVR0OBBYEFD6BZaHjfhi+gP4V
+k8wgFf0I1KQ9MB8GA1UdIwQYMBaAFKI+Aiqjp005tAhNmcwMdTbqJ8M+MFkGA1Ud
+EQRSMFCBHnBraW5pdEBhZGRvbS5zYW1iYS5leGFtcGxlLmNvbaAuBgorBgEEAYI3
+FAIDoCAMHnBraW5pdEBhZGRvbS5zYW1iYS5leGFtcGxlLmNvbTAxBgNVHRIEKjAo
+gSZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTBNBglghkgB
+hvhCAQQEQBY+aHR0cDovL3d3dy5zYW1iYS5leGFtcGxlLmNvbS9jcmxzL0NBLXNh
+bWJhLmV4YW1wbGUuY29tLWNybC5jcmwwHwYDVR0lBBgwFgYIKwYBBQUHAwIGCisG
+AQQBgjcUAgIwDQYJKoZIhvcNAQELBQADggQBAHtHTFV8d4uPyiM+UWpRwUlEDXJW
+J3n3VEjvdDdeKjNo3ASK3rKOeyZvZ/W8CuHsdBKGWmtWfXUk0N/HHsQo6KXA5Tqg
+dPiVcGFEoZzjVNjPG+IvNdPKGl8H6c7+eeEgrJ6UdKWALjh1vLzXLeBUwReajgdC
+fl8uF5Njq67txikPkciKma0hW1Kn3QwvMtwNNpyYAqrrjy06hhrP+PXaC3B+FJx5
+vIpsxwaNPjsmKlChBcpHedG6VQbN0joQJ43L7rT3kP/y+2fwcwtPUV4LjeSUy9pW
+LRiRuFEP7kiZzK6La6zYOB5eXtkaKVIEUklJMGA7+k7JDKBnIOFKn4REyMo11Sim
+Bn7cw4GNQBI9rg1RQloWkngucAu6f45Sty6o8XIyum8wkh5AD78JFFtjxh2zrOvn
+afAbPLhK7KIi4lit7yJ3nOJR7Di/R9geQ3dhPWBUx7pqvofq955GdJBww9l0Ib6Q
+eBIvMNJWO5okJxcb0IxJ52Wo0tkP+OleUYyXz5A35a3ciKzBVFd6mvRagCWFfNC3
+FwOMs0MgWcfzaHL1U3XfoAAS8CjV3HDsnsIzvXPpjGK4Lw1Voz3SIVlPOtdQqkNy
+JQWgL+DxeVkqV+a5kSG5nwf5SfzXl/e+p4FprGyafCVea0g3kImsNwK1vkEBVpNx
+9Ol1PKoKm9ajCWRRMNcsGt28gy5FtZClrRa6GFYciHO17ndtZT4R3DZFagiZXSSG
+k9pFlSregJYu29eHs/FwPLVW68pi3DxJhDz4bdlE4IEzXvciJ4sJBRKmwXlWx3/i
+gNarTeUa/66a/Tt7qhXKEMJqmMRwY259lI6HCiS9sVmFZ1voLv/XQ4xGBhqounLn
+De9fbC1cFFatXValIQl7FkRKdJ0aA6oaQSnleOR8nlMYYdha0eioDvTTQNZrzcnk
+oz1RVMPWCUxInjQqI62Dq5qZwr97hZjXtiH8xBdsVkaVmNrobPNnTjP8aLivhgeL
+jvMWLOyC57hHZFz1vTd1tZTTCTw9am1HgeAb317XbJJ9I5E+KQYhW1JiR4fofiCr
++ss/nqt+VX7Sdn0+zkn1raH4E7qa1lS76fDgpncnlTOESP8ph/xllNRWRIj8QApk
+MhUTNr/7EGU1lGat1+QWCMWLL8ehFJlgaWY5P43z00auya2FlJsGb375hLTn+3x5
+G3UA9xAZhldI6tUk6/XWQkNzNtuaFXMBddvlT9BoOjs1zhmrCOh1xH2w2Mlk+d7k
+rt+lJBnduNGIQEgqE2ytciNGRSx4DNRoFRF/4kctztDOrkOLCK9CEoVvTYs54KHZ
+ZQix3ADi6PDh9o8hjoHN3orQklgi0LAp+viYb8bgaDe0V5DCxHw4ZFHXYVo=
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt
index fb3c34a5445..8f7f1cfba2b 100644
--- a/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt
+++ b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt
@@ -2,3 +2,5 @@ V 360311232844Z 00 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Domain Con
V 360311232904Z 01 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=administrator@samba.example.com/emailAddress=administrator@samba.example.com
V 360311232925Z 02 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Domain Controllers/CN=addc.addom.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
V 360311232941Z 03 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=administrator@addom.samba.example.com/emailAddress=administrator@addom.samba.example.com
+V 360529193029Z 04 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=pkinit@samba.example.com/emailAddress=pkinit@samba.example.com
+V 360529193047Z 05 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=pkinit@addom.samba.example.com/emailAddress=pkinit@addom.samba.example.com
diff --git a/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old
index 9b973d4b045..756e7ba1a0e 100644
--- a/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old
+++ b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old
@@ -1,3 +1,5 @@
V 360311232844Z 00 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Domain Controllers/CN=localdc.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
V 360311232904Z 01 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=administrator@samba.example.com/emailAddress=administrator@samba.example.com
V 360311232925Z 02 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Domain Controllers/CN=addc.addom.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+V 360311232941Z 03 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=administrator@addom.samba.example.com/emailAddress=administrator@addom.samba.example.com
+V 360529193029Z 04 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=pkinit@samba.example.com/emailAddress=pkinit@samba.example.com
diff --git a/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt
index 64969239d5f..cd672a533b7 100644
--- a/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt
+++ b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt
@@ -1 +1 @@
-04
+06
diff --git a/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old
index 75016ea3625..eeee65ec419 100644
--- a/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old
+++ b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old
@@ -1 +1 @@
-03
+05
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.cer b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.cer
new file mode 100644
index 00000000000..85773b01c7c
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.cer
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.pem
new file mode 100644
index 00000000000..997dfd3e53e
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.pem
@@ -0,0 +1,168 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 5 (0x5)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Jun 3 19:30:47 2016 GMT
+ Not After : May 29 19:30:47 2036 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=pkinit@addom.samba.example.com/emailAddress=pkinit@addom.samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:b3:a4:e8:bd:c8:4f:6a:71:c6:15:a8:dd:00:d6:
+ 61:74:00:e4:8f:b5:c4:0e:98:d9:51:aa:aa:4f:c7:
+ 8c:f9:6c:37:5c:60:55:da:7c:55:9c:d3:cd:e2:f1:
+ ed:51:39:25:d5:fa:69:7e:a7:67:9c:a9:61:1b:5c:
+ 73:50:d0:6f:ba:ce:3a:df:fe:ae:95:95:8e:97:ab:
+ c6:bb:6a:c3:60:0b:ca:c2:9c:31:ff:c6:2f:52:bb:
+ cb:2f:f6:2c:4d:be:20:e1:16:49:d3:22:36:66:4f:
+ 5c:c4:30:12:07:34:8b:00:4e:5b:51:7d:40:35:81:
+ dc:5c:0e:af:be:78:63:80:69:67:87:53:97:d0:3f:
+ d7:66:8d:26:8a:0a:24:95:f9:db:dd:93:0e:48:54:
+ c8:30:e4:77:0d:65:ef:a4:6a:de:29:91:77:97:40:
+ 5c:2e:ed:35:5e:b9:0f:37:ad:d9:70:76:99:77:45:
+ 8c:4a:65:63:13:72:d5:c4:53:37:57:85:0a:6d:74:
+ 30:8c:69:7f:83:f0:7f:f5:67:05:79:80:27:d4:38:
+ 6d:49:2f:8d:2a:97:2e:33:1f:d0:e0:c1:76:1b:bf:
+ bf:b1:75:8a:c9:b1:3f:3f:f2:4e:c5:b0:68:5e:76:
+ 8a:7e:9c:57:b2:ec:3d:18:83:e2:65:d5:30:5e:b5:
+ f4:c7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Client, S/MIME
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Smart Card Login Certificate for pkinit@addom.samba.example.com
+ X509v3 Subject Key Identifier:
+ 3E:81:65:A1:E3:7E:18:BE:80:FE:15:93:CC:20:15:FD:08:D4:A4:3D
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ email:pkinit@addom.samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, scardLogin
+ Signature Algorithm: sha256WithRSAEncryption
+ 7b:47:4c:55:7c:77:8b:8f:ca:23:3e:51:6a:51:c1:49:44:0d:
+ 72:56:27:79:f7:54:48:ef:74:37:5e:2a:33:68:dc:04:8a:de:
+ b2:8e:7b:26:6f:67:f5:bc:0a:e1:ec:74:12:86:5a:6b:56:7d:
+ 75:24:d0:df:c7:1e:c4:28:e8:a5:c0:e5:3a:a0:74:f8:95:70:
+ 61:44:a1:9c:e3:54:d8:cf:1b:e2:2f:35:d3:ca:1a:5f:07:e9:
+ ce:fe:79:e1:20:ac:9e:94:74:a5:80:2e:38:75:bc:bc:d7:2d:
+ e0:54:c1:17:9a:8e:07:42:7e:5f:2e:17:93:63:ab:ae:ed:c6:
+ 29:0f:91:c8:8a:99:ad:21:5b:52:a7:dd:0c:2f:32:dc:0d:36:
+ 9c:98:02:aa:eb:8f:2d:3a:86:1a:cf:f8:f5:da:0b:70:7e:14:
+ 9c:79:bc:8a:6c:c7:06:8d:3e:3b:26:2a:50:a1:05:ca:47:79:
+ d1:ba:55:06:cd:d2:3a:10:27:8d:cb:ee:b4:f7:90:ff:f2:fb:
+ 67:f0:73:0b:4f:51:5e:0b:8d:e4:94:cb:da:56:2d:18:91:b8:
+ 51:0f:ee:48:99:cc:ae:8b:6b:ac:d8:38:1e:5e:5e:d9:1a:29:
+ 52:04:52:49:49:30:60:3b:fa:4e:c9:0c:a0:67:20:e1:4a:9f:
+ 84:44:c8:ca:35:d5:28:a6:06:7e:dc:c3:81:8d:40:12:3d:ae:
+ 0d:51:42:5a:16:92:78:2e:70:0b:ba:7f:8e:52:b7:2e:a8:f1:
+ 72:32:ba:6f:30:92:1e:40:0f:bf:09:14:5b:63:c6:1d:b3:ac:
+ eb:e7:69:f0:1b:3c:b8:4a:ec:a2:22:e2:58:ad:ef:22:77:9c:
+ e2:51:ec:38:bf:47:d8:1e:43:77:61:3d:60:54:c7:ba:6a:be:
+ 87:ea:f7:9e:46:74:90:70:c3:d9:74:21:be:90:78:12:2f:30:
+ d2:56:3b:9a:24:27:17:1b:d0:8c:49:e7:65:a8:d2:d9:0f:f8:
+ e9:5e:51:8c:97:cf:90:37:e5:ad:dc:88:ac:c1:54:57:7a:9a:
+ f4:5a:80:25:85:7c:d0:b7:17:03:8c:b3:43:20:59:c7:f3:68:
+ 72:f5:53:75:df:a0:00:12:f0:28:d5:dc:70:ec:9e:c2:33:bd:
+ 73:e9:8c:62:b8:2f:0d:55:a3:3d:d2:21:59:4f:3a:d7:50:aa:
+ 43:72:25:05:a0:2f:e0:f1:79:59:2a:57:e6:b9:91:21:b9:9f:
+ 07:f9:49:fc:d7:97:f7:be:a7:81:69:ac:6c:9a:7c:25:5e:6b:
+ 48:37:90:89:ac:37:02:b5:be:41:01:56:93:71:f4:e9:75:3c:
+ aa:0a:9b:d6:a3:09:64:51:30:d7:2c:1a:dd:bc:83:2e:45:b5:
+ 90:a5:ad:16:ba:18:56:1c:88:73:b5:ee:77:6d:65:3e:11:dc:
+ 36:45:6a:08:99:5d:24:86:93:da:45:95:2a:de:80:96:2e:db:
+ d7:87:b3:f1:70:3c:b5:56:eb:ca:62:dc:3c:49:84:3c:f8:6d:
+ d9:44:e0:81:33:5e:f7:22:27:8b:09:05:12:a6:c1:79:56:c7:
+ 7f:e2:80:d6:ab:4d:e5:1a:ff:ae:9a:fd:3b:7b:aa:15:ca:10:
+ c2:6a:98:c4:70:63:6e:7d:94:8e:87:0a:24:bd:b1:59:85:67:
+ 5b:e8:2e:ff:d7:43:8c:46:06:1a:a8:ba:72:e7:0d:ef:5f:6c:
+ 2d:5c:14:56:ad:5d:56:a5:21:09:7b:16:44:4a:74:9d:1a:03:
+ aa:1a:41:29:e5:78:e4:7c:9e:53:18:61:d8:5a:d1:e8:a8:0e:
+ f4:d3:40:d6:6b:cd:c9:e4:a3:3d:51:54:c3:d6:09:4c:48:9e:
+ 34:2a:23:ad:83:ab:9a:99:c2:bf:7b:85:98:d7:b6:21:fc:c4:
+ 17:6c:56:46:95:98:da:e8:6c:f3:67:4e:33:fc:68:b8:af:86:
+ 07:8b:8e:f3:16:2c:ec:82:e7:b8:47:64:5c:f5:bd:37:75:b5:
+ 94:d3:09:3c:3d:6a:6d:47:81:e0:1b:df:5e:d7:6c:92:7d:23:
+ 91:3e:29:06:21:5b:52:62:47:87:e8:7e:20:ab:fa:cb:3f:9e:
+ ab:7e:55:7e:d2:76:7d:3e:ce:49:f5:ad:a1:f8:13:ba:9a:d6:
+ 54:bb:e9:f0:e0:a6:77:27:95:33:84:48:ff:29:87:fc:65:94:
+ d4:56:44:88:fc:40:0a:64:32:15:13:36:bf:fb:10:65:35:94:
+ 66:ad:d7:e4:16:08:c5:8b:2f:c7:a1:14:99:60:69:66:39:3f:
+ 8d:f3:d3:46:ae:c9:ad:85:94:9b:06:6f:7e:f9:84:b4:e7:fb:
+ 7c:79:1b:75:00:f7:10:19:86:57:48:ea:d5:24:eb:f5:d6:42:
+ 43:73:36:db:9a:15:73:01:75:db:e5:4f:d0:68:3a:3b:35:ce:
+ 19:ab:08:e8:75:c4:7d:b0:d8:c9:64:f9:de:e4:ae:df:a5:24:
+ 19:dd:b8:d1:88:40:48:2a:13:6c:ad:72:23:46:45:2c:78:0c:
+ d4:68:15:11:7f:e2:47:2d:ce:d0:ce:ae:43:8b:08:af:42:12:
+ 85:6f:4d:8b:39:e0:a1:d9:65:08:b1:dc:00:e2:e8:f0:e1:f6:
+ 8f:21:8e:81:cd:de:8a:d0:92:58:22:d0:b0:29:fa:f8:98:6f:
+ c6:e0:68:37:b4:57:90:c2:c4:7c:38:64:51:d7:61:5a
+-----BEGIN CERTIFICATE-----
+MIII+DCCBOCgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjA2
+MDMxOTMwNDdaFw0zNjA1MjkxOTMwNDdaMIGlMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE
+CwwFVXNlcnMxJzAlBgNVBAMMHnBraW5pdEBhZGRvbS5zYW1iYS5leGFtcGxlLmNv
+bTEtMCsGCSqGSIb3DQEJARYecGtpbml0QGFkZG9tLnNhbWJhLmV4YW1wbGUuY29t
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs6TovchPanHGFajdANZh
+dADkj7XEDpjZUaqqT8eM+Ww3XGBV2nxVnNPN4vHtUTkl1fppfqdnnKlhG1xzUNBv
+us463/6ulZWOl6vGu2rDYAvKwpwx/8YvUrvLL/YsTb4g4RZJ0yI2Zk9cxDASBzSL
+AE5bUX1ANYHcXA6vvnhjgGlnh1OX0D/XZo0migoklfnb3ZMOSFTIMOR3DWXvpGre
+KZF3l0BcLu01XrkPN63ZcHaZd0WMSmVjE3LVxFM3V4UKbXQwjGl/g/B/9WcFeYAn
+1DhtSS+NKpcuMx/Q4MF2G7+/sXWKybE/P/JOxbBoXnaKfpxXsuw9GIPiZdUwXrX0
+xwIDAQABo4ICDjCCAgowCQYDVR0TBAIwADBPBgNVHR8ESDBGMESgQqBAhj5odHRw
+Oi8vd3d3LnNhbWJhLmV4YW1wbGUuY29tL2NybHMvQ0Etc2FtYmEuZXhhbXBsZS5j
+b20tY3JsLmNybDARBglghkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgXgME4GCWCG
+SAGG+EIBDQRBFj9TbWFydCBDYXJkIExvZ2luIENlcnRpZmljYXRlIGZvciBwa2lu
+aXRAYWRkb20uc2FtYmEuZXhhbXBsZS5jb20wHQYDVR0OBBYEFD6BZaHjfhi+gP4V
+k8wgFf0I1KQ9MB8GA1UdIwQYMBaAFKI+Aiqjp005tAhNmcwMdTbqJ8M+MFkGA1Ud
+EQRSMFCBHnBraW5pdEBhZGRvbS5zYW1iYS5leGFtcGxlLmNvbaAuBgorBgEEAYI3
+FAIDoCAMHnBraW5pdEBhZGRvbS5zYW1iYS5leGFtcGxlLmNvbTAxBgNVHRIEKjAo
+gSZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTBNBglghkgB
+hvhCAQQEQBY+aHR0cDovL3d3dy5zYW1iYS5leGFtcGxlLmNvbS9jcmxzL0NBLXNh
+bWJhLmV4YW1wbGUuY29tLWNybC5jcmwwHwYDVR0lBBgwFgYIKwYBBQUHAwIGCisG
+AQQBgjcUAgIwDQYJKoZIhvcNAQELBQADggQBAHtHTFV8d4uPyiM+UWpRwUlEDXJW
+J3n3VEjvdDdeKjNo3ASK3rKOeyZvZ/W8CuHsdBKGWmtWfXUk0N/HHsQo6KXA5Tqg
+dPiVcGFEoZzjVNjPG+IvNdPKGl8H6c7+eeEgrJ6UdKWALjh1vLzXLeBUwReajgdC
+fl8uF5Njq67txikPkciKma0hW1Kn3QwvMtwNNpyYAqrrjy06hhrP+PXaC3B+FJx5
+vIpsxwaNPjsmKlChBcpHedG6VQbN0joQJ43L7rT3kP/y+2fwcwtPUV4LjeSUy9pW
+LRiRuFEP7kiZzK6La6zYOB5eXtkaKVIEUklJMGA7+k7JDKBnIOFKn4REyMo11Sim
+Bn7cw4GNQBI9rg1RQloWkngucAu6f45Sty6o8XIyum8wkh5AD78JFFtjxh2zrOvn
+afAbPLhK7KIi4lit7yJ3nOJR7Di/R9geQ3dhPWBUx7pqvofq955GdJBww9l0Ib6Q
+eBIvMNJWO5okJxcb0IxJ52Wo0tkP+OleUYyXz5A35a3ciKzBVFd6mvRagCWFfNC3
+FwOMs0MgWcfzaHL1U3XfoAAS8CjV3HDsnsIzvXPpjGK4Lw1Voz3SIVlPOtdQqkNy
+JQWgL+DxeVkqV+a5kSG5nwf5SfzXl/e+p4FprGyafCVea0g3kImsNwK1vkEBVpNx
+9Ol1PKoKm9ajCWRRMNcsGt28gy5FtZClrRa6GFYciHO17ndtZT4R3DZFagiZXSSG
+k9pFlSregJYu29eHs/FwPLVW68pi3DxJhDz4bdlE4IEzXvciJ4sJBRKmwXlWx3/i
+gNarTeUa/66a/Tt7qhXKEMJqmMRwY259lI6HCiS9sVmFZ1voLv/XQ4xGBhqounLn
+De9fbC1cFFatXValIQl7FkRKdJ0aA6oaQSnleOR8nlMYYdha0eioDvTTQNZrzcnk
+oz1RVMPWCUxInjQqI62Dq5qZwr97hZjXtiH8xBdsVkaVmNrobPNnTjP8aLivhgeL
+jvMWLOyC57hHZFz1vTd1tZTTCTw9am1HgeAb317XbJJ9I5E+KQYhW1JiR4fofiCr
++ss/nqt+VX7Sdn0+zkn1raH4E7qa1lS76fDgpncnlTOESP8ph/xllNRWRIj8QApk
+MhUTNr/7EGU1lGat1+QWCMWLL8ehFJlgaWY5P43z00auya2FlJsGb375hLTn+3x5
+G3UA9xAZhldI6tUk6/XWQkNzNtuaFXMBddvlT9BoOjs1zhmrCOh1xH2w2Mlk+d7k
+rt+lJBnduNGIQEgqE2ytciNGRSx4DNRoFRF/4kctztDOrkOLCK9CEoVvTYs54KHZ
+ZQix3ADi6PDh9o8hjoHN3orQklgi0LAp+viYb8bgaDe0V5DCxHw4ZFHXYVo=
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-key.pem
new file mode 100644
index 00000000000..542cd3d1715
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-key.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIEaGZ7BvOYu4CAggA
+MBQGCCqGSIb3DQMHBAhSIfRjeKrXNgSCBMh+g3dZyu/ZZ1DgB1U3qiUMIIA/hurX
+2FjSuDIrn5+g7uPIxtBjQgz2+2f4kUsiqx/UBOodAwtSzjpP3HX91zyRoMke4jA1
+cx3PlsaSCwXXBmbLhI8+IAiQZ7zo4r5C91nNXVBUC+Z4bDydjXRnZHBAiGo674mB
+ZbpixlAjDQWiJCZJvqDy7uqjIK9un12fU/hBWc6mLJZ8MSTWaJ9/ONGTImhbI7f7
+jtM04HihoDsh8ExeVSSWYt+vM3VIjXlbZqTi0d2ijgb4MnGsIuVVZtnvLbMSe7Ow
+lGLNsbkUq3y8JsF2rkZWHE+7J33Ko9fgUr9kVaIVJpChWnOSsxVUuRydrCUS4g3L
+1wmVPEW59t0jFwMt7qcQS7K1ivkjmNplyld5pBssLX4BuzKMxEsGG6c8MwSLGqcJ
+g70xbraCWzn0ggKCROGvbFmIn9o7GXCnYLj3e4LfHbV0XgINiw7ufCUgRTTHEn+L
+PAaGd13BxdYlquIzbSLhdijDzU+41tXI/g1bw4tAlxcKHPh9XmKRYf8DusVWRKB1
+uyouHQxEVYyJw5atQJZLlzTUWpZ0V4q2UVckN2LSFMtwTu8ZL9iNSL4l75iRaMdI
++V9a+QaAifd7qF8eujvfVgpzuiMuEonQ9iRJOErJ6/BaCO9WaZ+jE0ojZtllWjLQ
+rXGRcxkROFcE36GC7YSWzKDq9WlgQKne9EDp0WevcSNTc698cz09D1/z8N1pkk1K
+Ako3BKs9FUSmynSuTz52CEJ+XOd9FESsJkcu8FqUfmXM5Ubq9jhSU91skmuJHG8r
+BlzkuO2va91T1Muu/RHaFhBYmaomkw2kvJ57oay7wZ/9Fm+j6PjdgAH81w3RfS+G
+m+Vivp6wRmE438yy2QDgywjvk7anjZMX1R2PhXWgmKTSL1EosAFx6AZytd+xTDFa
+tEIkfwVkr6fKLI1FFq2artDZAYqSpkFCmRFOMNoqc6UAzuET88y5oPDjY9RS3Ikd
+Ru9VvuT2LcaWjCj3ofqV0ATYgkbGSsj6n66kZFoPBEv7dpD33mN9A0R7U8nzeXUT
+0ImG4xsXv4vfumrfgG6sr17Ylsm/ntmUtcFy+ZbJCLypL2UnZya1+EC6a20kVt7X
+DDpFH/qct3iBeRJnTdoTxWGbQKHRQ5Ro/GnZ02fCN0DBEyb4WHbP6T+Gy3DHF6TA
+rBlC5nVNQD49d5brbPyBnBG4585mzPZI57npo3MpgEHv9+LC48LfJZaX5w7uevg+
+RnkjjIwrEIUZMrUvFxeNYKtdp9IggRGjDCPz8Y8TNBnvWuet0xRODhZTVs6zFeQw
+s+NZirzyN6XSu9Wpc+CGbFx55eMOGog8t2e2HjBbeNCvri9wKP1t1CdCD+CTqJ6E
+BaoP0Wippj8VGOB87djnT+7X2bJLjnYkmspk/Mhlz1EKh+j6SXh5VFCSoO3o1JbW
+iyAI2vpT3+Bt4RXrUDTYV9OHpWSQXM/TYhHnVBdeq53h5UkBYsK+vSjHyjF9Jspt
+ORWsCUBiaVBy3X9AMEubsITKCVAjlCacFDOraO6h7Y6LkOyuNvJ2aDo02L3sfDPY
+sa43P1ERP5C4OOUzhLmavkwhJnzAHVAVCfNMCDzYe7UsSrweQ+OVfcp70uAdKfK5
+jzQ=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-openssl.cnf b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-openssl.cnf
new file mode 100644
index 00000000000..8bb8714616b
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-openssl.cnf
@@ -0,0 +1,242 @@
+#
+# Based on the OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
+CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
+scardLogin=1.3.6.1.4.1.311.20.2.2
+# Used in a smart card login certificate's subject alternative name
+msUPN=1.3.6.1.4.1.311.20.2.3
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
+msKDC=1.3.6.1.5.2.3.5
+# Identifies the AD GUID
+msADGUID=1.3.6.1.4.1.311.25.1
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = CA-samba.example.com # Where everything is kept
+certs = $dir/_none_certs # Where the issued certs are kept
+crl_dir = $dir/_none_crl # Where the issued crl are kept
+database = $dir/Private/CA-samba.example.com-index.txt # database index file.
+unique_subject = yes # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/NewCerts # default place for new certs.
+
+certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate
+serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number
+crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number
+ # must be commented out to leave a V1 CRL
+
+#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL
+crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL
+private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key
+RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file
+
+#x509_extensions = # The extensions to add to the cert
+x509_extensions = template_x509_extensions
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+crl_extensions = crl_ext
+
+default_days = 7300 # how long to certify for
+default_crl_days= 7300 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = match
+stateOrProvinceName = match
+localityName = match
+organizationName = match
+organizationalUnitName = match
+commonName = supplied
+emailAddress = supplied
+
+####################################################################
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = SambaState
+
+localityName = Locality Name (eg, city)
+localityName_default = SambaCity
+
+organizationName = Organization Name (eg, company)
+organizationName_default = SambaSelfTesting
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = Users
+
+commonName = Common Name (eg, YOUR name)
+commonName_default = pkinit@addom.samba.example.com
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_default = pkinit@addom.samba.example.com
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+#challengePassword = A challenge password
+#challengePassword_min = 4
+#challengePassword_max = 20
+#
+#unstructuredName = An optional company name
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate.
+keyUsage = cRLSign, keyCertSign
+
+crlDistributionPoints=URI:$CRLDISTPT
+
+# Some might want this also
+nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+subjectAltName=email:copy
+# Copy issuer details
+issuerAltName=issuer:copy
+
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+#[ usr_cert_scarduser ]
+[ template_x509_extensions ]
+
+# These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+crlDistributionPoints=URI:$CRLDISTPT
+
+# For normal client use this is typical
+nsCertType = client, email
+
+# This is typical in keyUsage for a client certificate.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "Smart Card Login Certificate for pkinit@addom.samba.example.com"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+
+subjectAltName=email:copy,otherName:msUPN;UTF8:pkinit@addom.samba.example.com
+
+# Copy subject details
+issuerAltName=issuer:copy
+
+nsCaRevocationUrl = $CRLDISTPT
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+#Extended Key requirements for client certs
+extendedKeyUsage = clientAuth,scardLogin
+
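Review bot: `default_crl_days= 7300` in `[ CA_default ]` gives every CRL a next-update about twenty years out, so a relying party that caches one has no reason to fetch a newer CRL and a later revocation would go unseen; `default_days = 7300` does the same for certificate lifetime. This is presumably deliberate so the selftest fixtures do not expire, but the stock OpenSSL comments beside the values do not say so; I would record it on both lines, e.g. `# 20 years: selftest fixture only, do not reuse for a real CA`. Two inherited comments no longer match their values: `default_md = sha256 # use public key default MD` names a default that is not used, and `# Copy subject details` sits above `issuerAltName=issuer:copy`. The file looks generated per user (the S04 copy for pkinit@samba.example.com later in this commit begins identically), so the fix likely belongs in whatever template produces it.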
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private-key.pem
new file mode 100644
index 00000000000..8ab86837094
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAs6TovchPanHGFajdANZhdADkj7XEDpjZUaqqT8eM+Ww3XGBV
+2nxVnNPN4vHtUTkl1fppfqdnnKlhG1xzUNBvus463/6ulZWOl6vGu2rDYAvKwpwx
+/8YvUrvLL/YsTb4g4RZJ0yI2Zk9cxDASBzSLAE5bUX1ANYHcXA6vvnhjgGlnh1OX
+0D/XZo0migoklfnb3ZMOSFTIMOR3DWXvpGreKZF3l0BcLu01XrkPN63ZcHaZd0WM
+SmVjE3LVxFM3V4UKbXQwjGl/g/B/9WcFeYAn1DhtSS+NKpcuMx/Q4MF2G7+/sXWK
+ybE/P/JOxbBoXnaKfpxXsuw9GIPiZdUwXrX0xwIDAQABAoIBAB3OjPeAVvz4Z7+M
+Ry8uYvkWdNYLeL5bSiOsx5l5KMDx3bWsHlKkMqhU1GKFdbT2YHrCk+J58E0kJYKe
+sluEWiWKtmYYIeub5w7vZ4gNTOGQ01G7DOi9f3igxDPvCqbTly0Bv7oSgSg0ntXG
+jBc59p5UYf6BY7f9Fg0IOszFuOzDSSHoX8Ld/8rO+2d7k0cvS2xG3FViqMifqAN+
+b1GVm9MtPB5B4iM9dAsgy7NK8kKoY3xUFeYwC8yzBCeG35F+Bq6x+vTUoNfESwwg
+/qvJwRNgChlJgLVbrcR/F0wDuvINwELUeDipP1Ca8dmaQgYLlYqrbYJlJEfsHX9w
+IkuW1CECgYEA5Sn1mTKK4RnHGWE84kqAayiCEifap/FcPpA5M5AZ8t0HxDUGZ/aO
+glhFOsA0bKpmK+U7Hv+uZtD7YDI2syzwk3RnLn3sHaNSMKYkogGOds4U8wYalLYe
+AhTGPhukip+6SAZEJicRZDYxy4xczOLmwmGeTMFPQ7mWljbYTVvo7dkCgYEAyK5p
+ZZu8Jor0VKuUjQwtzsr0P7AP8h84uf38+Llfn51/sDGihR7oHA7ER0HgaOwL238f
+a990+QpShlH1LLik8LeWXNEl6A9MvWJH1OCahGh48ui8T1ptI6OgcNfIDOt0ZE2e
+RoV90FpzABR057SvSog6iuCZqYl7ddEoEd3oM58CgYBqrJSJ4rApRqGam9wGjp2m
+xC2AHBM5uC2zZdlqujqKBf+2guRfgrMl08cuKQh+SPfUmRljPavGaqOJTPaPg2zd
+hwL87lr6FOuOf9hvnX/ep+GymvXGodvoJhl+EcoPSXkiS+BvTiJXXq7hTI5qRXkb
+pOtWWWn3Ya3KcO9RW2ZbSQKBgFnRVfLYJPnLL1fGA5KtZMMtKuxmTHy9ZJI6D0Lz
+FM1HnKKrVGXoU1JbeZW68kmDfDsdRl7tgFkGObFMdUMy0P+761xXb3PRhTMuDaBF
+dmLUr21opP+PJVHSJjjbGvpNV6ac5r4BeTILiXT7sucRg3METc9ifuPWWJ9+oUR9
+4TNZAoGBAMH9sFqsXKXgLjnPEtdy2GJV51oytQRBxWtB/E2minj+U1b8F336vnUp
+JEmY08KXj8weSSs+BUXKqxRWxLo2aWKXcvtpyHttdvJvHroG4Rb5xuvZWNtOFyhV
+IHA/pdwvhgvUWoM12U2DZfznKHTDrUNpo6bs7lkPqVOSemlDucpU
+-----END RSA PRIVATE KEY-----
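Review bot: Nothing in this commit marks the unencrypted RSA key added here as a throwaway test credential; only the selftest/ path and the samba.example.com names suggest it. The matching certificate config sets `extendedKeyUsage = clientAuth,scardLogin` with an msUPN subjectAltName, so any KDC or domain controller that trusted this CA outside selftest would accept the key as a login for that principal. The `-S05-key.pem` and `.p12` files added alongside presumably wrap the same key, in which case their encryption protects nothing in this tree. I would add a short README under selftest/manage-ca stating `Test-only CA, keys and certificates; never add this CA to a trust store outside selftest`, and give secret scanners an allowlist entry scoped to that directory rather than a blanket exception.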
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private.p12 b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private.p12
new file mode 100644
index 00000000000..4b77b584fc6
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private.p12
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-req.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-req.pem
new file mode 100644
index 00000000000..dc60d63daba
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-req.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIC/zCCAecCAQAwgbkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTYW1iYVN0YXRl
+MRIwEAYDVQQHDAlTYW1iYUNpdHkxGTAXBgNVBAoMEFNhbWJhU2VsZlRlc3Rpbmcx
+DjAMBgNVBAsMBVVzZXJzMScwJQYDVQQDDB5wa2luaXRAYWRkb20uc2FtYmEuZXhh
+bXBsZS5jb20xLTArBgkqhkiG9w0BCQEWHnBraW5pdEBhZGRvbS5zYW1iYS5leGFt
+cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALOk6L3IT2px
+xhWo3QDWYXQA5I+1xA6Y2VGqqk/HjPlsN1xgVdp8VZzTzeLx7VE5JdX6aX6nZ5yp
+YRtcc1DQb7rOOt/+rpWVjperxrtqw2ALysKcMf/GL1K7yy/2LE2+IOEWSdMiNmZP
+XMQwEgc0iwBOW1F9QDWB3FwOr754Y4BpZ4dTl9A/12aNJooKJJX5292TDkhUyDDk
+dw1l76Rq3imRd5dAXC7tNV65Dzet2XB2mXdFjEplYxNy1cRTN1eFCm10MIxpf4Pw
+f/VnBXmAJ9Q4bUkvjSqXLjMf0ODBdhu/v7F1ismxPz/yTsWwaF52in6cV7LsPRiD
+4mXVMF619McCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBQjwN3+bsWLHsr7k9K
+bfranU8U1dKD05siA3w+Dop43G1eLzBjBrQvSUB4AMzd8a0KKD8dt0xm2s504wxU
+SAyGgUcE+a1nPazZUPw5tJVRt41S808Gzd7zU+12UZiUjpE0Y8NayAyn+n/IhNPN
+UHOFnZfgBJqWUOEO6+JyJXxYuqaXzmrYg5Kr4vr2tr9d6+hLsp3g3nJKoefPR1RS
+2PMk1zubbbjsi9VF/yK6W4QNkfcZN74tMm+kNPAhid422L4FdZSupmfGts45uFWw
+zHOOyKOGLkZ4pxNlMRKIL1aYtoyR4UetudX2CUkQsBs/w04DLehk6rjbtQPO4nTI
+QYxm
+-----END CERTIFICATE REQUEST-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-cert.pem
new file mode 120000
index 00000000000..e8d6f501c70
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-cert.pem
@@ -0,0 +1 @@
+USER-pkinit@addom.samba.example.com-S05-cert.pem
\ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-private-key.pem
new file mode 120000
index 00000000000..aac9cfc3288
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-private-key.pem
@@ -0,0 +1 @@
+USER-pkinit@addom.samba.example.com-S05-private-key.pem
\ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.cer b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.cer
new file mode 100644
index 00000000000..9a8d7ae40d5
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.cer
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.pem
new file mode 100644
index 00000000000..730b8243d2d
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.pem
@@ -0,0 +1,168 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4 (0x4)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Jun 3 19:30:29 2016 GMT
+ Not After : May 29 19:30:29 2036 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=pkinit@samba.example.com/emailAddress=pkinit@samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:dd:c4:48:44:a5:e9:6b:b4:41:03:6a:dc:34:1f:
+ d6:41:ce:f7:cb:b2:44:a7:a3:0e:89:16:ff:0d:62:
+ 23:e0:8b:24:db:82:82:68:29:22:1b:57:44:12:c6:
+ ea:10:2d:6f:3a:4b:75:b1:2e:76:62:01:62:ff:ba:
+ 3d:67:e1:39:0d:12:38:b0:fc:b3:e5:0e:dd:77:73:
+ 2b:99:25:86:d5:15:84:08:be:b0:8b:38:d7:64:9d:
+ d6:e7:dc:4d:9a:fb:ea:17:41:bb:d1:cf:1a:b9:5b:
+ 0b:8a:e5:8c:5a:b7:2d:ab:bd:f7:c3:91:ae:26:c2:
+ e3:97:27:ea:3f:be:c9:22:af:d6:76:35:45:b0:72:
+ 86:f2:bd:bf:e2:d3:e3:e3:68:52:26:db:f0:a6:6a:
+ 0e:63:05:9b:17:6d:13:ee:c4:15:41:96:27:06:90:
+ fd:10:b5:f9:6c:74:be:b0:a8:bb:70:f7:a2:25:da:
+ f7:f1:91:c2:69:6c:40:c4:63:e8:06:83:e0:1d:b7:
+ 2b:29:d3:75:d1:df:c1:d2:90:af:b9:81:47:78:f3:
+ f1:1a:c9:20:e3:1b:6f:e4:fd:2e:0b:65:a7:6f:b1:
+ b2:a0:d3:e3:d2:2f:2b:ef:fd:01:5b:27:e7:1b:c1:
+ 0e:bc:bd:f0:7b:b2:34:a9:9b:4d:2c:c8:65:33:c8:
+ 33:17
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Client, S/MIME
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Smart Card Login Certificate for pkinit@samba.example.com
+ X509v3 Subject Key Identifier:
+ E9:67:66:B8:3D:F1:39:AB:1A:4D:00:9D:EC:CE:FF:4B:50:D8:5D:A2
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ email:pkinit@samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, scardLogin
+ Signature Algorithm: sha256WithRSAEncryption
+ 88:3e:f3:98:08:ef:cd:53:3a:07:d5:1c:fd:26:7c:f1:96:2e:
+ b9:06:87:f2:5b:e2:be:d1:04:6e:38:59:14:49:9d:46:ef:7e:
+ 6c:08:02:3e:18:09:09:61:a8:1d:a9:da:59:40:58:5f:d2:ca:
+ 4f:76:0e:7e:01:db:05:03:fb:78:c7:89:86:aa:1b:dc:02:bb:
+ 86:a5:02:7c:01:54:dd:ad:e0:43:c5:d9:ec:86:c2:47:b5:5a:
+ 1c:8c:06:0e:fe:11:ad:a5:57:37:f5:0a:35:65:a4:f2:27:14:
+ 2f:bf:53:48:66:e1:da:b9:58:95:a2:d1:95:9c:ae:0a:ca:29:
+ a6:ef:7a:58:74:86:40:ea:2a:c6:18:9f:1a:d9:70:e2:a8:aa:
+ 8d:f1:22:bf:b6:e4:61:d4:21:ee:bf:17:e1:aa:d1:cf:0b:35:
+ 82:c7:3f:a1:be:d1:a5:bd:4e:04:0d:cf:11:2d:d6:0c:7e:47:
+ 5c:5e:84:d2:10:60:7e:97:d7:52:be:a1:cd:2d:85:da:b2:dd:
+ 68:88:12:a4:88:5f:16:0c:ae:6f:60:7f:da:58:5f:91:bd:8d:
+ 15:20:c2:74:94:0b:93:65:80:7c:77:15:a2:70:bb:98:be:41:
+ 1a:2e:c5:78:52:64:e7:44:03:3f:64:97:10:a9:1b:17:f3:79:
+ f9:51:0c:4c:58:e7:03:e7:bb:fd:34:ff:c0:4a:ad:b1:7a:ba:
+ 97:3c:f8:e0:9e:30:3d:e7:5f:be:ac:6a:b3:c1:1e:50:7c:cd:
+ ce:18:bd:96:73:fb:9c:90:e7:ae:e0:be:c5:65:29:9a:1c:da:
+ c3:64:2a:99:dc:93:61:32:9a:70:1a:45:83:72:38:0f:57:de:
+ 0d:f5:64:71:97:de:b5:64:99:43:30:6d:3f:25:82:b5:3e:a1:
+ ba:39:d2:fc:b8:df:7e:57:da:fc:be:c2:84:2e:99:41:52:a2:
+ 18:f4:99:c7:e2:b9:af:2a:84:32:5c:cb:ba:26:86:6b:8e:58:
+ 30:d8:4f:5b:60:34:fd:30:de:c5:a0:7a:8c:e7:34:2b:bc:81:
+ 6d:4c:a8:b5:ba:b5:52:b9:42:e5:d8:7e:be:31:a3:8e:b0:c3:
+ f6:16:28:92:e7:9d:3f:c8:cf:a0:4a:b0:3a:ae:75:59:ab:19:
+ 91:e4:2e:76:57:3f:58:88:5f:2e:7b:c5:8f:11:25:0f:cd:8f:
+ e3:91:80:2f:d4:7b:5a:80:c3:c9:7c:0a:aa:01:bf:5c:8c:0e:
+ 57:84:bf:72:ad:7b:0a:b9:95:27:0f:aa:9b:96:08:8e:bb:63:
+ 56:5a:1d:ad:0c:5b:1c:04:38:ae:2b:88:d4:d1:68:20:f2:a0:
+ 9b:77:9c:95:db:17:cb:cf:79:4a:13:66:c9:34:36:f6:c6:f9:
+ 8b:4b:92:5e:59:a3:5d:75:4e:fa:f2:fa:d5:d9:66:80:82:a4:
+ 8d:e2:d8:b6:ed:c5:a3:ca:a2:70:64:9c:b9:1c:49:b2:2f:46:
+ b3:13:3b:88:a7:5a:8e:22:b7:90:f5:74:27:21:06:a4:94:bb:
+ b1:cb:e7:e4:92:f0:e9:80:15:94:82:1a:97:34:d0:cf:aa:37:
+ b1:27:a5:38:39:7c:8d:ba:a1:12:dd:30:48:44:90:0c:35:0f:
+ cc:e6:13:e7:c9:06:36:1d:b0:c9:be:28:0f:47:1c:b0:47:a3:
+ 20:d1:bb:a1:85:1a:80:c2:9b:70:61:9f:a7:82:46:3c:80:28:
+ 0c:17:f6:fc:75:83:be:ff:5c:da:bc:be:2c:65:a6:c0:fc:c1:
+ 32:ae:9a:bf:d1:7c:fb:b3:26:3b:77:03:fe:a9:e9:ae:4c:72:
+ 58:a9:6e:ce:ad:c0:1f:30:b2:06:32:65:af:5f:db:3d:2b:ab:
+ c5:46:5c:0a:df:50:b5:7e:31:c8:b0:7e:50:e2:aa:d8:01:8e:
+ ea:e7:3c:8b:90:73:de:77:9f:47:ea:af:16:0d:a5:c0:89:6f:
+ 86:a4:84:f7:1f:03:fd:7d:f8:a8:7d:9c:9a:f1:13:c8:d5:5b:
+ 9c:2f:71:c1:c0:c2:17:89:39:6d:28:2d:20:31:ca:60:cf:7f:
+ 78:42:5c:a3:28:76:19:a8:ca:e6:07:22:6d:7f:04:b1:20:ab:
+ 70:40:33:e9:a3:fa:da:b5:7c:ee:70:0b:c6:a2:6a:90:1a:10:
+ fe:8a:9b:56:5c:44:85:f1:b4:41:67:0b:c1:a3:68:2f:ff:b1:
+ 48:f3:38:4b:28:4e:52:36:0c:9b:37:aa:7e:82:63:c3:61:33:
+ a9:05:b3:af:13:07:b3:9e:4d:4c:3c:c4:47:34:ce:f3:6e:55:
+ 69:d7:af:dc:e4:82:34:9b:fe:cc:d9:db:1f:08:3e:3c:3a:9b:
+ ac:a7:7e:61:3f:5f:01:0c:d8:f3:63:31:31:07:e2:05:84:30:
+ 65:f4:b0:a6:cc:ad:63:fe:06:db:d7:e9:2f:9d:db:2c:64:af:
+ d6:d1:cc:9e:c3:11:09:ad:7d:e2:06:6d:21:ad:a5:4f:a6:87:
+ 9b:ee:db:6c:e9:69:a7:6a:eb:93:67:e2:e9:6f:23:f8:2e:95:
+ 78:5f:a8:66:ae:7e:2c:5e:6b:07:3e:02:ad:20:af:61:9c:0e:
+ 1d:c6:7a:31:5a:33:bd:61:1a:67:5b:a9:42:3c:17:67:f8:dd:
+ 80:e3:ab:62:a0:42:53:33:1f:f7:79:ea:32:d1:26:dd:bb:c6:
+ 26:aa:2c:ac:16:7e:24:b4:ae:7d:ce:77:e8:5f:2d:97
+-----BEGIN CERTIFICATE-----
+MIII2jCCBMKgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjA2
+MDMxOTMwMjlaFw0zNjA1MjkxOTMwMjlaMIGZMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE
+CwwFVXNlcnMxITAfBgNVBAMMGHBraW5pdEBzYW1iYS5leGFtcGxlLmNvbTEnMCUG
+CSqGSIb3DQEJARYYcGtpbml0QHNhbWJhLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3cRIRKXpa7RBA2rcNB/WQc73y7JEp6MOiRb/
+DWIj4Isk24KCaCkiG1dEEsbqEC1vOkt1sS52YgFi/7o9Z+E5DRI4sPyz5Q7dd3Mr
+mSWG1RWECL6wizjXZJ3W59xNmvvqF0G70c8auVsLiuWMWrctq733w5GuJsLjlyfq
+P77JIq/WdjVFsHKG8r2/4tPj42hSJtvwpmoOYwWbF20T7sQVQZYnBpD9ELX5bHS+
+sKi7cPeiJdr38ZHCaWxAxGPoBoPgHbcrKdN10d/B0pCvuYFHePPxGskg4xtv5P0u
+C2Wnb7GyoNPj0i8r7/0BWyfnG8EOvL3we7I0qZtNLMhlM8gzFwIDAQABo4IB/DCC
+AfgwCQYDVR0TBAIwADBPBgNVHR8ESDBGMESgQqBAhj5odHRwOi8vd3d3LnNhbWJh
+LmV4YW1wbGUuY29tL2NybHMvQ0Etc2FtYmEuZXhhbXBsZS5jb20tY3JsLmNybDAR
+BglghkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgXgMEgGCWCGSAGG+EIBDQQ7FjlT
+bWFydCBDYXJkIExvZ2luIENlcnRpZmljYXRlIGZvciBwa2luaXRAc2FtYmEuZXhh
+bXBsZS5jb20wHQYDVR0OBBYEFOlnZrg98TmrGk0AnezO/0tQ2F2iMB8GA1UdIwQY
+MBaAFKI+Aiqjp005tAhNmcwMdTbqJ8M+ME0GA1UdEQRGMESBGHBraW5pdEBzYW1i
+YS5leGFtcGxlLmNvbaAoBgorBgEEAYI3FAIDoBoMGHBraW5pdEBzYW1iYS5leGFt
+cGxlLmNvbTAxBgNVHRIEKjAogSZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5l
+eGFtcGxlLmNvbTBNBglghkgBhvhCAQQEQBY+aHR0cDovL3d3dy5zYW1iYS5leGFt
+cGxlLmNvbS9jcmxzL0NBLXNhbWJhLmV4YW1wbGUuY29tLWNybC5jcmwwHwYDVR0l
+BBgwFgYIKwYBBQUHAwIGCisGAQQBgjcUAgIwDQYJKoZIhvcNAQELBQADggQBAIg+
+85gI781TOgfVHP0mfPGWLrkGh/Jb4r7RBG44WRRJnUbvfmwIAj4YCQlhqB2p2llA
+WF/Syk92Dn4B2wUD+3jHiYaqG9wCu4alAnwBVN2t4EPF2eyGwke1WhyMBg7+Ea2l
+Vzf1CjVlpPInFC+/U0hm4dq5WJWi0ZWcrgrKKabvelh0hkDqKsYYnxrZcOKoqo3x
+Ir+25GHUIe6/F+Gq0c8LNYLHP6G+0aW9TgQNzxEt1gx+R1xehNIQYH6X11K+oc0t
+hdqy3WiIEqSIXxYMrm9gf9pYX5G9jRUgwnSUC5NlgHx3FaJwu5i+QRouxXhSZOdE
+Az9klxCpGxfzeflRDExY5wPnu/00/8BKrbF6upc8+OCeMD3nX76sarPBHlB8zc4Y
+vZZz+5yQ567gvsVlKZoc2sNkKpnck2EymnAaRYNyOA9X3g31ZHGX3rVkmUMwbT8l
+grU+obo50vy4335X2vy+woQumUFSohj0mcfiua8qhDJcy7omhmuOWDDYT1tgNP0w
+3sWgeoznNCu8gW1MqLW6tVK5QuXYfr4xo46ww/YWKJLnnT/Iz6BKsDqudVmrGZHk
+LnZXP1iIXy57xY8RJQ/Nj+ORgC/Ue1qAw8l8CqoBv1yMDleEv3Ktewq5lScPqpuW
+CI67Y1ZaHa0MWxwEOK4riNTRaCDyoJt3nJXbF8vPeUoTZsk0NvbG+YtLkl5Zo111
+Tvry+tXZZoCCpI3i2LbtxaPKonBknLkcSbIvRrMTO4inWo4it5D1dCchBqSUu7HL
+5+SS8OmAFZSCGpc00M+qN7EnpTg5fI26oRLdMEhEkAw1D8zmE+fJBjYdsMm+KA9H
+HLBHoyDRu6GFGoDCm3Bhn6eCRjyAKAwX9vx1g77/XNq8vixlpsD8wTKumr/RfPuz
+Jjt3A/6p6a5Mclipbs6twB8wsgYyZa9f2z0rq8VGXArfULV+MciwflDiqtgBjurn
+PIuQc953n0fqrxYNpcCJb4akhPcfA/19+Kh9nJrxE8jVW5wvccHAwheJOW0oLSAx
+ymDPf3hCXKModhmoyuYHIm1/BLEgq3BAM+mj+tq1fO5wC8aiapAaEP6Km1ZcRIXx
+tEFnC8GjaC//sUjzOEsoTlI2DJs3qn6CY8NhM6kFs68TB7OeTUw8xEc0zvNuVWnX
+r9zkgjSb/szZ2x8IPjw6m6ynfmE/XwEM2PNjMTEH4gWEMGX0sKbMrWP+BtvX6S+d
+2yxkr9bRzJ7DEQmtfeIGbSGtpU+mh5vu22zpaadq65Nn4ulvI/gulXhfqGaufixe
+awc+Aq0gr2GcDh3GejFaM71hGmdbqUI8F2f43YDjq2KgQlMzH/d56jLRJt27xiaq
+LKwWfiS0rn3Od+hfLZc=
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-key.pem
new file mode 100644
index 00000000000..44f2dca0b3c
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-key.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI3lMKoRxwFl4CAggA
+MBQGCCqGSIb3DQMHBAh3N+m1jtZvYgSCBMjc0ubJOkfSna22cqDmoGRkN/3T/nfk
+zjaeXgq95J/FKJjrDL8t+ywAM/Xrs5CIRraaiJQ2ddYy6ViaKsoK00lVxx1zelFA
+7HZke3gXQnmJEXxnb2cCJhYwX5ElT/QoSgxh9cLuLnw/4HVp4K0wCAjmCkYtCc32
+HvqCJJU2Gj97rVMr43jz/GISBKdFtzBSP059SRNgutczONs4zBV3YZNYMOO+GZWF
+Gt46vy0rzEgEku9PdNSBG48j2VCidj6VzJSDzrS8gMcNVd65quzCoCLoaUZ+Xgf0
+T28rwElhRe0Khji1fW2KyeyMNwtivKZPVOzOkS4gdmRZq64WdZBSC0yL4VepXXML
+wUtPORgYZ0VkkLZHJ5exLQJESQz68CX9kiryoZgDbZMcYzDBI4lkFwtqRTKRbmM+
+K4VPVxqWREAmnMPBfdDBRKi0yml2Y53Eq5PAhCqkhbFe5JiZ5OGlwGY+zPiFZ+65
+EYHTcjCW1NIY1GTKYp7AYQ0JX4tNqFQon+9GLmowODQeW0DkcCKabHNTNUnCwW0d
+qxyzC+gUEMCas1ZjVlkxeTEzYm7820DierzEc2pdvWRm6p8EHlFOboD65HpxpG4h
+wYbe2ctNoB0gpaFDgaEsECxJ6ZxkMk2x39UPlAawkVshGs9W8StIxHgSUv4H9T/S
+9SAiQKQOGOpyj0V+zfq6IW/XXK+lbV5CRSYwSAmC1JuEeR8Hy6guPmjNC4Otp/5j
+NjiYDHWtQKvnYJDZOZraW1QqHlrwB6SNt3EAWYHR+d/OOPedeUh/WvtT7brnPu1Z
+fQPkQLJtKyvG6rkNvAJl3Zl67cz3D3G1J/MSpFXc4dUcTKfldR5uSQSpVqFEWqmw
+hgBxsv7OI0c/NMFt1JmUpQTMxhFqLKCjwVI9LZgJfl+EFPI5PCJY7mHBMfhDgZek
+epAS7V+zaVOXZw41unk8HGgTx+u64g5cM8QEfs23RSu8t2122p7q4n1qgZ9pWtQZ
+hwxhqvI4I4fnFVqgBRih9xQ3Vg/jCCtRLEPtrtlYYHGhejZ+6oSNN11aacOoVoBj
+15rdwA45ch/W62ktHwvjoE8welXUOmjLLYh3zZH0tqdwOMDv0MRAjC0k4tACYClC
+TqHipCjqead5vZRM40hCzE70AB4pLm6utAseJb8C/EweqlbhBaYqqPFZo/GdqD8s
+9hQ3NU29ynrtIeuj359y9gLQU4Tc+dU8f6bxTE5IKrTwk552695lODKb5R4J1rN9
+weY1fcXWCHPiVJhmFnWo11nNPt7vS+m0eUCVdAAOdPoZwBLswTD6wCxquXXLi7wR
+1a4vA8inf/nV+8kHebyhrQdS3uekqQZbPbfE545csLXnJdb+N418q/Vxw9lIH+N0
+90GeOdWGM34fXRzrPFlDSW5IhKDSR8+4tU71Fq4kwI1Z1AFN4oJUgcRRNm/fdd3w
+V1PLnYYpTIFpunuerCDqYtHiIh2uwtWUWzPgIK7mm/UV5VSDsWTYktPlkTxEAwzm
+ktuharKIvzLA13p5PXBHpjv27wJjgs6kPuWgBpG1IosC4nDq2355lBLqFSgK1pUt
+Px6tls4RkaOTk8+t6J6W2ZeaF4Nu7kG6qnTqUuBkshcqcS3A53i2m0O/ug7n3vfU
+QHM=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-openssl.cnf b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-openssl.cnf
new file mode 100644
index 00000000000..3ece25fb9cf
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-openssl.cnf
@@ -0,0 +1,242 @@
+#
+# Based on the OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
+CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
+scardLogin=1.3.6.1.4.1.311.20.2.2
+# Used in a smart card login certificate's subject alternative name
+msUPN=1.3.6.1.4.1.311.20.2.3
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
+msKDC=1.3.6.1.5.2.3.5
+# Identifies the AD GUID
+msADGUID=1.3.6.1.4.1.311.25.1
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = CA-samba.example.com # Where everything is kept
+certs = $dir/_none_certs # Where the issued certs are kept
+crl_dir = $dir/_none_crl # Where the issued crl are kept
+database = $dir/Private/CA-samba.example.com-index.txt # database index file.
+unique_subject = yes # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/NewCerts # default place for new certs.
+
+certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate
+serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number
+crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number
+ # must be commented out to leave a V1 CRL
+
+#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL
+crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL
+private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key
+RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file
+
+#x509_extensions = # The extensions to add to the cert
+x509_extensions = template_x509_extensions
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+crl_extensions = crl_ext
+
+default_days = 7300 # how long to certify for
+default_crl_days= 7300 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = match
+stateOrProvinceName = match
+localityName = match
+organizationName = match
+organizationalUnitName = match
+commonName = supplied
+emailAddress = supplied
+
+####################################################################
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = SambaState
+
+localityName = Locality Name (eg, city)
+localityName_default = SambaCity
+
+organizationName = Organization Name (eg, company)
+organizationName_default = SambaSelfTesting
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = Users
+
+commonName = Common Name (eg, YOUR name)
+commonName_default = pkinit@samba.example.com
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_default = pkinit@samba.example.com
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+#challengePassword = A challenge password
+#challengePassword_min = 4
+#challengePassword_max = 20
+#
+#unstructuredName = An optional company name
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate.
+keyUsage = cRLSign, keyCertSign
+
+crlDistributionPoints=URI:$CRLDISTPT
+
+# Some might want this also
+nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+subjectAltName=email:copy
+# Copy issuer details
+issuerAltName=issuer:copy
+
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+#[ usr_cert_scarduser ]
+[ template_x509_extensions ]
+
+# These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+crlDistributionPoints=URI:$CRLDISTPT
+
+# For normal client use this is typical
+nsCertType = client, email
+
+# This is typical in keyUsage for a client certificate.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "Smart Card Login Certificate for pkinit@samba.example.com"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+
+subjectAltName=email:copy,otherName:msUPN;UTF8:pkinit@samba.example.com
+
+# Copy subject details
+issuerAltName=issuer:copy
+
+nsCaRevocationUrl = $CRLDISTPT
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+#Extended Key requirements for client certs
+extendedKeyUsage = clientAuth,scardLogin
+
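Review bot: The header comment of this file never says that the CA and the user credential it describes are selftest fixtures. `[ template_x509_extensions ]` issues a logon-capable certificate (`extendedKeyUsage = clientAuth,scardLogin`, msUPN `pkinit@samba.example.com`) under `default_days = 7300`, and the matching RSA key is added unencrypted in `USER-pkinit@samba.example.com-S04-private-key.pem` later in this commit. Anyone who copies this CA into a real trust store would accept a login identity whose private key is public for roughly twenty years, so I would add to the header: `# selftest fixture: the private keys for this CA are published in the source tree; never trust it outside the test environment`. If the file is generated from a template (it looks templated, but the generator is not visible here), the comment belongs in the template instead. Separately, the trailing comment on `default_md = sha256` still reads `use public key default MD`, which contradicts the explicit value and could become `# digest used when signing certificates and CRLs`.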
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private-key.pem
new file mode 100644
index 00000000000..5492ba3f5e6
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA3cRIRKXpa7RBA2rcNB/WQc73y7JEp6MOiRb/DWIj4Isk24KC
+aCkiG1dEEsbqEC1vOkt1sS52YgFi/7o9Z+E5DRI4sPyz5Q7dd3MrmSWG1RWECL6w
+izjXZJ3W59xNmvvqF0G70c8auVsLiuWMWrctq733w5GuJsLjlyfqP77JIq/WdjVF
+sHKG8r2/4tPj42hSJtvwpmoOYwWbF20T7sQVQZYnBpD9ELX5bHS+sKi7cPeiJdr3
+8ZHCaWxAxGPoBoPgHbcrKdN10d/B0pCvuYFHePPxGskg4xtv5P0uC2Wnb7GyoNPj
+0i8r7/0BWyfnG8EOvL3we7I0qZtNLMhlM8gzFwIDAQABAoIBAQCgUBQuDAIBafzV
+i5pD0//+8q8PAX+/74/Cam1WL2vgFrY+OMosog+V1C/RoxnxN+cALSyXOQ87KeV3
+GBrrzVSArnts9kDVhTlz8D3EJ+ygfT1FVRQqkJykj7WbRxaSwykmRs6PjTe0Zqyh
+a+9aZLEPRfSl29oZCymbS697BWBBQaKT/KKbVct9ViJhr8LjXjRYu1HGJuBY/kl4
+NFJFnmgL9KDlbkh9kNxVdLU1P4Ln9Yur13aV2OnVKkbgeTxFSsQrQbnyRjjtEtpE
+ePTimmtbE8Epvd8BM8Pq1geD7NlBH1+Nmi+1mD3r0YNqnvRcqCpEWDS9dL/Mgs4B
+/OgjX90BAoGBAP1VQLWZBgy1aSu7AIUtdAFsxmU6ecjh4ISczoHOe7b6xITEWYtB
+S3ai7gA0+g/iPiKzIAVmyI5/pWBa/h8UnMFm5UoZYSBtI2o8nRAxMnlXJ3Ny7OM5
+QBluT0uEKtj7N/KEpbe61hNH7sVoyq+RJgGCGq9bbxZjAdlqgdkN0w7ZAoGBAOAZ
+9N+Aru0f1vU0b9U6Dh/XTvtgOFd9AJbrXyQZRqbYQguYgWB0aZfDH3TarGDRbIf/
+/Alhoo7gatIstDgjDxk8GuhOFvlimNrf8RC6oTXDvPLnwekdAL7/fMOyFsTegxWL
+1J305SNa8FL3G0Fr2HxCUa0UoCk/wVau78atpvtvAoGAEYmqXigG1DBm5IEgqxeX
+dVXLckyXC8IfYe7dGP1rcSJxImPZcxuFFuR2p4sDWMAn3w0ZhWY1MjBCCaai+xHZ
+PEZcT0HsiGslzX/+u5U8UkwnTgXBwoU/G8OYN7khoj3aBK8MLekAUvti20XC6l6Z
+C/eu0z74NMuL4DpQXO9pEhkCgYBNtfKKRo9iPvZFlWdqY3VeaUVEOjuPaxN3Qit9
+0x4C4V8Vsk666eNr8wfHd8Tq1fRyvLvjbO336a5hL4tXJCEqOQODpwCkfiJPU/S+
+PlmE0VmGSgOeGKaXlPToz6rBnf+KyzBxjeifd/t6aaIT75fkjwLPqCVZ6Hfc3VDc
+bn9HFQKBgF8+kghkOG15fchOAaqRq+nqmfJNKQPf9VxGBF+LPaXJdK1XOjnfUIxd
+wVkPpic5HfAbZfYCChSPYWV07s3V7Muqz5mJ/TxijMVjLwRZQqcXNqA9rufoaz7i
+3lHgGTaPLBVnz06lPMHTuyXid+QK3xHsFeT+NQ2NSfRucTCTnSJ3
+-----END RSA PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private.p12 b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private.p12
new file mode 100644
index 00000000000..f83f831868b
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private.p12
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-req.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-req.pem
new file mode 100644
index 00000000000..72e7383e4b4
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-req.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIC8zCCAdsCAQAwga0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTYW1iYVN0YXRl
+MRIwEAYDVQQHDAlTYW1iYUNpdHkxGTAXBgNVBAoMEFNhbWJhU2VsZlRlc3Rpbmcx
+DjAMBgNVBAsMBVVzZXJzMSEwHwYDVQQDDBhwa2luaXRAc2FtYmEuZXhhbXBsZS5j
+b20xJzAlBgkqhkiG9w0BCQEWGHBraW5pdEBzYW1iYS5leGFtcGxlLmNvbTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3ESESl6Wu0QQNq3DQf1kHO98uy
+RKejDokW/w1iI+CLJNuCgmgpIhtXRBLG6hAtbzpLdbEudmIBYv+6PWfhOQ0SOLD8
+s+UO3XdzK5klhtUVhAi+sIs412Sd1ufcTZr76hdBu9HPGrlbC4rljFq3Lau998OR
+ribC45cn6j++ySKv1nY1RbByhvK9v+LT4+NoUibb8KZqDmMFmxdtE+7EFUGWJwaQ
+/RC1+Wx0vrCou3D3oiXa9/GRwmlsQMRj6AaD4B23KynTddHfwdKQr7mBR3jz8RrJ
+IOMbb+T9Lgtlp2+xsqDT49IvK+/9AVsn5xvBDry98HuyNKmbTSzIZTPIMxcCAwEA
+AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAS1xXnu2962UGX+uGRd546a81d3UBr6fbe
+0fFemBBdXqLcOS7dIksjrn0Nuf+L9RFBFX8J+j5W769GvbctoVriuyC6BUU6UmKd
+WMUgg6DpqhqOUW9Ze7bnHJc7JKwsgUQCmK1lEveS2ZyA9eUMOB4Wt6w+Fa4aJ51u
+vm590qbs5gmeWHMTE7svG0oxwoT0bhT95sKSlfbuMM5v9XS72ZNkkcmmg/i0/Kpw
+XXevmng9bVtZS4ajyGyFMQ45u5OauJwYJDFOjOqzo+YyglCyyrj5XJBYy7aajRPz
+Bre7Pub8WwLFJyw6Chc++8VSgqBXN57RS64eSY58ChNyQYcj8vB2
+-----END CERTIFICATE REQUEST-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-cert.pem
new file mode 120000
index 00000000000..e8fe413a274
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-cert.pem
@@ -0,0 +1 @@
+USER-pkinit@samba.example.com-S04-cert.pem \ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-private-key.pem
new file mode 120000
index 00000000000..53e9e41bd70
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-private-key.pem
@@ -0,0 +1 @@
+USER-pkinit@samba.example.com-S04-private-key.pem \ No newline at end of file