Network Working Group                                        C. Jennings
Internet-Draft                                             Cisco Systems
Intended status: Informational                                    K. Ono
Expires: July 18, August 13, 2011                             Columbia University
                                                               R. Sparks
                                                         B. Hibbard, Ed.
                                                                 Tekelec
                                                        January 14,
                                                        February 9, 2011

  Example call flows using Session Initiation Protocol (SIP) security
                               mechanisms
                    draft-ietf-sipcore-sec-flows-08
                    draft-ietf-sipcore-sec-flows-09

Abstract

   This document shows example call flows demonstrating the use of
   Transport Layer Security (TLS), and Secure/Multipurpose Internet Mail
   Extensions (S/MIME) in Session Initiation Protocol (SIP).  It also
   provides information that helps implementers build interoperable SIP
   software.  To help facilitate interoperability testing, it includes
   certificates used in the example call flows and processes to create
   certificates for testing.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 18, August 13, 2011.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Certificates . . . . . . . . . . . . . . . . . . . . . . . . .  4
     2.1.  CA Certificates  . . . . . . . . . . . . . . . . . . . . .  4
     2.2.  Host Certificates  . . . . . . . . . . . . . . . . . . . .  8
     2.3.  User Certificates  . . . . . . . . . . . . . . . . . . . . 10
   3.  Callflow with Message Over TLS . . . . . . . . . . . . . . . . 12
     3.1.  TLS with Server Authentication . . . . . . . . . . . . . . 12
     3.2.  MESSAGE Transaction Over TLS . . . . . . . . . . . . . . . 13
   4.  Callflow with S/MIME-secured Message . . . . . . . . . . . . . 15
     4.1.  MESSAGE Request with Signed Body . . . . . . . . . . . . . 15
     4.2.  MESSAGE Request with Encrypted Body  . . . . . . . . . . . 20
     4.3.  MESSAGE Request with Encrypted and Signed Body . . . . . . 22
   5.  Observed Interoperability Issues . . . . . . . . . . . . . . . 29
   6.  Additional Test Scenarios  . . . . . . . . . . . . . . . . . . 31
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 34
   8.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 35
   9.  Security Considerations  . . . . . . . . . . . . . . . . . . . 36
   10. Changelog  . . . . . . . . . . . . . . . . . . . . . . . . . . 37
   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 40
     11.1. Normative References . . . . . . . . . . . . . . . . . . . 40
     11.2. Informative References . . . . . . . . . . . . . . . . . . 41
   Appendix A.  Making Test Certificates  . . . . . . . . . . . . . . 43
     A.1.  makeCA script  . . . . . . . . . . . . . . . . . . . . . . 44
     A.2.  makeCert script  . . . . . . . . . . . . . . . . . . . . . 48
   Appendix B.  Certificates for Testing  . . . . . . . . . . . . . . 51
     B.1.  Certificates Using EKU . . . . . . . . . . . . . . . . . . 51
     B.2.  Certificates NOT Using EKU . . . . . . . . . . . . . . . . 58
     B.3.  Certificate Chaining with a Non-Root CA  . . . . . . . . . 66
   Appendix C.  Message Dumps . . . . . . . . . . . . . . . . . . . . 73
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 76

1.  Introduction

   This document is informational and is not normative on any aspect of
   SIP.

   SIP with TLS ([RFC5246]) implementations are becoming very common.
   Several implementations of the S/MIME ([RFC5751]) portion of SIP
   ([RFC3261]) are also becoming available.  After several
   interoperability events, it is clear that it is difficult to write
   these systems without any test vectors or examples of "known good"
   messages to test against.  Furthermore, testing at the events is
   often hindered due to the lack of a commonly trusted certificate
   authority to sign the certificates used in the events.  This document
   addresses both of these issues by providing messages that give
   detailed examples that implementers can use for comparison and that
   can also be used for testing.  In addition, this document provides a
   common certificate and private key that can be used to set up a mock
   Certificate Authority (CA) that can be used during the SIP
   interoperability events.  Certificate requests from the users will be
   signed by the private key of the mock CA.  The document also provides
   some hints and clarifications for implementers.

   A simple SIP call flow using SIPS URIs and TLS is shown in Section 3.
   The certificates for the hosts used are shown in Section 2.2, and the
   CA certificates used to sign these are shown in Section 2.1.

   The text from Section 4.1 through Section 4.3 shows some simple SIP
   call flows using S/MIME to sign and encrypt the body of the message.
   The user certificates used in these examples are shown in
   Section 2.3.  These host certificates are signed with the same mock
   CA private key.

   Section 5 presents a partial list of items that implementers should
   consider in order to implement systems that will interoperate.

   Scripts and instructions to make certificates that can be used for
   interoperability testing are presented in Appendix A, along with
   methods for converting these to various formats.  The certificates
   used while creating the examples and test messages in this document
   are made available in Appendix B.

   Binary copies of various messages in this document that can be used
   for testing appear in Appendix C.

2.  Certificates

2.1.  CA Certificates

   The certificate used by the CA to sign the other certificates is
   shown below.  This is a X509v3 certificate.  Note that the X.509v3
   Basic Constraints in the certificate allows it to be used as a CA,
   certificate authority.  This certificate is not used directly in the
   TLS call flow; it is used only to verify user and host certificates.

   Version: 3 (0x2)
   Serial Number:
       96:a3:84:17:4e:ef:8a:4c
   Signature Algorithm: sha1WithRSAEncryption
   Issuer: C=US, ST=California, L=San Jose, O=sipit,
           OU=Sipit Test Certificate Authority
   Validity
       Not Before: Dec  6 22:36:29 2010 Jan 27 18:36:05 2011 GMT
       Not After : Nov 12 22:36:29 2110 Jan  3 18:36:05 2111 GMT
   Subject: C=US, ST=California, L=San Jose, O=sipit,
           OU=Sipit Test Certificate Authority
   Subject Public Key Info:
       Public Key Algorithm: rsaEncryption
       RSA Public Key: (2048 bit)
           Modulus (2048 bit):
               00:ec:c0:ad:ec:3b:0d:7b:6a:95:24:96:dc:33:c2:
               1d:f6:b3:0d:af:ed:5f:73:9c:b5:5f:dc:3a:21:95:
               20:81:c1:29:63:a0:34:86:ed:f1:4c:8a:66:90:37:
               95:ab:0f:8c:b2:da:55:a9:ca:ca:ae:50:10:eb:34:
               28:d7:d8:98:5b:14:ec:fc:c4:55:d4:c6:63:5a:ee:
               e8:ec:41:08:d3:be:28:9e:b1:89:4d:d2:6b:57:f6:
               aa:77:c9:08:fc:f9:25:a0:a3:e3:cc:bf:f0:c0:f2:
               99:59:e5:ef:cf:0a:3a:d7:38:bc:6b:f9:6c:ff:6e:
               a0:d0:b2:62:4f:98:72:f0:f0:1d:1d:40:84:50:05:
               9b:6e:15:3c:49:b6:9d:58:05:a1:0d:cf:91:ee:ed:
               28:0f:0f:e1:0f:71:8a:a6:6e:7c:2a:ad:ae:ae:c4:
               8d:8e:2a:2e:8a:a2:ac:67:85:2e:aa:82:0e:4b:38:
               b1:e9:f2:84:23:0c:98:e0:57:b8:38:70:f4:89:a9:
               94:cb:9a:5e:15:52:ba:45:0a:80:9f:33:82:cf:e2:
               f2:eb:8f:f9:61:3c:8a:eb:74:b1:7c:87:f9:0c:2f:
               20:ce:0d:be:69:8f:d1:bc:5d:c5:8a:e5:1a:0b:5d:
               70:65:c8:02:f3:46:85:25:d3:88:8c:dd:80:55:d9:
               69:9b
               00:ab:1f:91:61:f1:1c:c5:cd:a6:7b:16:9b:b7:14:
               79:e4:30:9e:98:d0:ec:07:b7:bd:77:d7:d1:f5:5b:
               2c:e2:ee:e6:b1:b0:f0:85:fa:a5:bc:cb:cc:cf:69:
               2c:4f:fc:50:ef:9d:31:2b:c0:59:ea:fb:64:6f:1f:
               55:a7:3d:fd:70:d2:56:db:14:99:17:92:70:ac:26:
               f8:34:41:70:d9:c0:03:91:6a:ba:d1:11:8f:ac:12:
               31:de:b9:19:70:8d:5d:a7:7d:8b:19:cc:40:3f:ae:
               ff:de:1f:db:94:b3:46:77:6c:ae:ae:ff:3e:d6:84:
               5b:c2:de:0b:26:65:d0:91:c7:70:4b:c7:0a:4a:bf:
               c7:97:04:dd:ba:58:47:cb:e0:2b:23:76:87:65:c5:
               55:34:10:ab:27:1f:1c:f8:30:3d:b0:9b:ca:a2:81:
               72:4c:bd:60:fe:f7:21:fe:0b:db:0b:db:e9:5b:01:
               36:d4:28:15:6b:79:eb:d0:91:1b:21:59:b8:0e:aa:
               bf:d5:b1:6c:70:37:a3:3f:a5:7d:0e:95:46:f6:f6:
               58:67:83:75:42:37:18:0b:a4:41:39:b2:2f:6c:80:
               2c:78:ec:a5:0f:be:9c:10:f8:c0:0b:0d:73:99:9e:
               0d:d7:97:50:cb:cc:45:34:23:49:41:85:22:24:ad:
               29:c3
           Exponent: 65537 (0x10001)
   X509v3 extensions:
       X509v3 Subject Key Identifier:
           BB:37:8E:47:C7:5A:34:DB:7A:D9:F8:76:B6:75:8E:D0:E4:13:17:45
           95:45:7E:5F:2B:EA:65:98:12:91:04:F3:63:C7:68:9A:58:16:77:27
       X509v3 Authority Key Identifier:

           BB:37:8E:47:C7:5A:34:DB:7A:D9:F8:76:B6:75:8E:D0:E4:13:17:45
           DirName:/C=US/ST=California/L=San Jose/O=sipit/
           OU=Sipit Test Certificate Authority
           serial:96:A3:84:17:4E:EF:8A:4C

           95:45:7E:5F:2B:EA:65:98:12:91:04:F3:63:C7:68:9A:58:16:77:27

       X509v3 Basic Constraints:
           CA:TRUE
       Signature Algorithm: sha1WithRSAEncryption
   b1:75:d4:56:ab:70:14:a0:ee:67:a3:ec:07:0c:1d:8b:2c:5f:
   d7:1c:f3:e3:01:ba:3d:9d:da:47:49:31:d5:81:f5:2d:d2:66:
   a5:2c:1f:db:c3:2d:8a:32:6a:ec:22:8b:b1:58:63:57:23:88:
   34:9f:6c:df:8c:7b:73:8c:2a:7c:d3:23:02:97:54:76:f3:34:
   25:7f:d1:ad:25:87:17:56:30:61:43:f4:16:63:77:0f:7b:a7:
   b0:0b:97:1b:05:f2:5c:86:2c:a9:d5:3b:cb:73:92:a2:3c:dc:
   7e:12:30:86:9e:f8:57:6c:a2:a4:28:51:e4:f7:f0:ce:29:9c:
   82:34:f2:02:3c:43:62:36:94:44:c1:ad:b4:79:f7:6e:f9:e2:
   bd:f9:15:cc:e8:de:b0:9d:9c:2f:18:30:a9:eb:3f:d4:56:c9:
   61:8d:78:b2:fb:4e:e5:22:1d:00:c4:cf:ce:9c:fe:d6:f1:4f:
   01:9d:92:58:e0:78:2a:cb:69:36:18:ac:1b:53:0d:86:b1:91:
   34:8b:de:05:5d:22:18:2a:67:e5:ea:f2:77:01:d6:9c:60:17:
   06:84:83:6f:b6:88:7e:ce:c8:63:d4:30:6d:90:72:fe:59:f4:
   32:04:e6:af:d4:be:99:44:c8:de:3d:01:88:d7:8a:35:30:c2:
   2d:77:e9:70
   06:5f:9e:ae:a0:9a:bc:b5:b9:5b:7e:97:33:cc:df:63:98:98:
   94:cb:0d:66:a9:83:e8:aa:58:2a:59:a1:9e:47:31:a6:af:5c:
   3f:a2:25:86:f8:df:05:92:b7:db:69:a1:69:72:87:66:c5:ab:
   35:89:01:37:19:c9:74:eb:09:d1:3f:88:7b:24:13:42:ca:2d:
   fb:45:e6:cc:4b:f8:21:78:f3:f5:97:ec:09:92:24:a2:f0:e6:
   94:8d:97:4a:00:94:00:bd:25:b8:17:2c:52:53:5d:cc:5c:48:
   a4:a1:1d:2d:f6:50:55:13:a4:d3:b2:a2:f4:f1:b9:6d:48:5e:
   5c:f3:de:e0:fc:59:09:a1:d9:14:61:65:bf:d8:3f:b9:ba:2e:
   7c:ed:5c:24:9b:6b:ca:aa:5f:f1:c1:1e:b0:a8:da:82:0f:fb:
   4c:71:3b:4d:7b:38:c8:e3:8a:2a:19:34:44:26:0b:ea:f0:47:
   38:46:28:65:04:e2:01:52:dd:ec:3d:e5:f5:53:74:77:74:75:
   6d:c6:d9:c2:0a:ac:3b:b8:98:5c:55:53:34:74:52:a8:26:b1:
   2f:30:22:d0:8b:b7:f3:a0:dd:68:07:33:d5:ae:b7:81:b2:94:
   58:72:4e:7c:c6:72:2f:bd:6c:69:fb:b5:17:a8:2a:8d:d7:2c:
   91:06:c8:0c

   The certificate content shown above and throughout this document was
   rendered by the OpenSSL "x509" tool.  These dumps are included only
   as informative examples.  Output may vary among future revisions of
   the tool.  At the time of this document's publication, there were
   some irregularities in the output shown above that are worth noting.
   First, the presentation of Distinguished Names (DN) is inconsistent,
   e.g. (DN).
   In particular, note that in the "Issuer" field and "Subject" fields, it
   appears the intent is to be present DNs in Lightweight Directory Access
   Protocol (LDAP) format, while the "DirName" field in the "X509v3
   extensions" portion appears to be in Distributed Computing
   Environment (DCE) format.  Second, if LDAP format  If this was intended, the spaces should have
   been omitted after the delimiting commas, and the elements should
   have been presented in order of most-specific to least-specific.
   Please refer to Appendix A of [RFC4514].  Using the "Issuer" DN from
   above as an example and following guidelines in [RFC4514], it should
   have instead appeared as:

   Issuer: OU=Sipit Test Certificate Authority,O=sipit,L=San Jose,
           ST=California,C=US

   The ASN.1 parse of the CA certificate is shown below.

  0:l=1083

  0:l= 949 cons: SEQUENCE
  4:l= 803 669 cons:  SEQUENCE
  8:l=   3 cons:   cont [ 0 ]
 10:l=   1 prim:    INTEGER           :02
 13:l=   9 prim:   INTEGER           :96A384174EEF8A4C
 24:l=  13 cons:   SEQUENCE
 26:l=   9 prim:    OBJECT            :sha1WithRSAEncryption
 37:l=   0 prim:    NULL
 39:l= 112 cons:   SEQUENCE
 41:l=  11 cons:    SET
 43:l=   9 cons:     SEQUENCE
 45:l=   3 prim:      OBJECT            :countryName
 50:l=   2 prim:      PRINTABLESTRING   :US
 54:l=  19 cons:    SET
 56:l=  17 cons:     SEQUENCE
 58:l=   3 prim:      OBJECT            :stateOrProvinceName
 63:l=  10 prim:      PRINTABLESTRING   :California      UTF8STRING
  43 61 6c 69 66 6f 72 6e-69 61                     California
 75:l=  17 cons:    SET
 77:l=  15 cons:     SEQUENCE
 79:l=   3 prim:      OBJECT            :localityName
 84:l=   8 prim:      PRINTABLESTRING   :San      UTF8STRING
  53 61 6e 20 4a 6f 73 65-                          San Jose
 94:l=  14 cons:    SET
 96:l=  12 cons:     SEQUENCE
 98:l=   3 prim:      OBJECT            :organizationName
103:l=   5 prim:      PRINTABLESTRING   :sipit      UTF8STRING
  73 69 70 69 74                                    sipit
110:l=  41 cons:    SET
112:l=  39 cons:     SEQUENCE
114:l=   3 prim:      OBJECT            :organizationalUnitName
119:l=  32 prim:      PRINTABLESTRING  :Sipit      UTF8STRING
  53 69 70 69 74 20 54 65-73 74 20 43 65 72 74 69   Sipit Test Certificate Certi
  66 69 63 61 74 65 20 41-75 74 68 6f 72 69 74 79   ficate Authority
153:l=  32 cons:   SEQUENCE
155:l=  13 prim:    UTCTIME           :101206223629Z           :110127183605Z
170:l=  15 prim:    GENERALIZEDTIME   :21101112223629Z   :21110103183605Z
187:l= 112 cons:   SEQUENCE
189:l=  11 cons:    SET
191:l=   9 cons:     SEQUENCE
193:l=   3 prim:      OBJECT            :countryName
198:l=   2 prim:      PRINTABLESTRING   :US
202:l=  19 cons:    SET
204:l=  17 cons:     SEQUENCE
206:l=   3 prim:      OBJECT            :stateOrProvinceName
211:l=  10 prim:      PRINTABLESTRING   :California      UTF8STRING
  43 61 6c 69 66 6f 72 6e-69 61                     California
223:l=  17 cons:    SET
225:l=  15 cons:     SEQUENCE
227:l=   3 prim:      OBJECT            :localityName
232:l=   8 prim:      PRINTABLESTRING   :San      UTF8STRING
  53 61 6e 20 4a 6f 73 65-                          San Jose
242:l=  14 cons:    SET
244:l=  12 cons:     SEQUENCE
246:l=   3 prim:      OBJECT            :organizationName
251:l=   5 prim:      PRINTABLESTRING   :sipit      UTF8STRING
  73 69 70 69 74                                    sipit
258:l=  41 cons:    SET
260:l=  39 cons:     SEQUENCE
262:l=   3 prim:      OBJECT            :organizationalUnitName
267:l=  32 prim:      PRINTABLESTRING  :Sipit      UTF8STRING
  53 69 70 69 74 20 54 65-73 74 20 43 65 72 74 69   Sipit Test Certificate Certi
  66 69 63 61 74 65 20 41-75 74 68 6f 72 69 74 79   ficate Authority
301:l= 290 cons:   SEQUENCE
305:l=  13 cons:    SEQUENCE
307:l=   9 prim:     OBJECT            :rsaEncryption
318:l=   0 prim:     NULL
320:l= 271 prim:    BIT STRING
  00 30 82 01 0a 02 82 01-01 00 ec c0 ad ec 3b 0d   .0............;.
  7b 6a 95 24 96 dc 33 c2-1d f6 b3 0d af ed 5f 73   {j.$..3......._s
  9c b5 5f dc 3a 21 95 20-81 c1 29 63 a0 34 86 ed   .._.:!. ..)c.4.. ab 1f 91 61 f1 4c 8a 66 90 37 95 ab-0f 8c b2 da 55 a9 ca ca   .L.f.7......U...
  ae 50 10 eb 34 28 1c   .0...........a..
  c5 cd a6 7b 16 9b b7 14-79 e4 30 9e 98 d0 ec 07   ...{....y.0.....
  b7 bd 77 d7 d8-98 d1 f5 5b 14 ec fc c4 55 d4   .P..4(...[....U.
  c6 63 5a 2c-e2 ee e8 ec 41 08-d3 be 28 9e e6 b1 89 4d d2   .cZ...A...(...M.
  6b 57 f6 aa 77 c9 08 fc-f9 25 a0 a3 e3 cc bf b0 f0   kW..w....%......
  c0 f2 99 59 e5 ef cf 0a-3a d7 38 85 fa   ..w...[,........
  a5 bc 6b f9 6c ff   ...Y....:.8.k.l.
  6e a0 d0 b2 62 4f 98 72-f0 f0 1d 1d 40 84 cb cc cf 69 2c 4f-fc 50 05   n...bO.r....@.P.
  9b 6e 15 3c 49 b6 ef 9d 58-05 a1 0d cf 31 2b c0 59   .....i,O.P..1+.Y
  ea fb 64 6f 1f 55 a7 3d-fd 70 d2 56 db 14 99 17   ..do.U.=.p.V....
  92 70 ac 26 f8 34 41 70-d9 c0 03 91 ee ed 28   .n.<I..X.......(
  0f 0f e1 0f 71 8a a6 6e-7c 2a ad 6a ba d1 11   .p.&.4Ap....j...
  8f ac 12 31 de b9 19 70-8d 5d a7 7d 8b 19 cc 40   ...1...p.].}...@
  3f ae ff de 1f db 94 b3-46 77 6c ae c4 8d 8e   ....q..n|*......
  2a 2e 8a a2 ac 67 85 2e-aa 82 0e 4b 38 b1 e9 f2   *....g.....K8... ae ff 3e d6   ?.......Fwl...>.
  84 5b c2 de 0b 26 65 d0-91 c7 70 4b c7 0a 4a bf   .[...&e...pK..J.
  c7 97 04 dd ba 58 47 cb-e0 2b 23 0c 98 e0 57 b8 38-70 f4 89 a9 94 cb 9a 5e   .#...W.8p......^ 76 87 65 c5 55   .....XG..+#v.e.U
  34 10 ab 27 1f 1c f8 30-3d b0 9b ca a2 81 72 4c   4..'...0=.....rL
  bd 60 fe f7 21 fe 0b db-0b db e9 5b 01 36 d4 28   .`..!......[.6.(
  15 52 ba 45 0a 80 9f 33-82 cf e2 f2 eb 8f f9 61   .R.E...3.......a
  3c 8a 6b 79 eb 74 d0 91 1b 21-59 b8 0e aa bf d5 b1 7c 87 f9-0c 2f 20 ce 0d be 69 8f   <..t.|.../ ...i.
  d1 bc 5d c5 8a e5 1a 0b-5d 6c   .ky....!Y......l
  70 65 c8 02 f3 46 85   ..].....]pe...F.
  25 d3 88 8c dd 37 a3 3f a5 7d 0e 95-46 f6 f6 58 67 83 75 42   p7.?.}..F..Xg.uB
  37 18 0b a4 41 39 b2 2f-6c 80 55 d9-69 9b 2c 78 ec a5 0f be   7...A9./l.,x....
  9c 10 f8 c0 0b 0d 73 99-9e 0d d7 97 50 cb cc 45   ......s.....P..E
  34 23 49 41 85 22 24 ad-29 c3 02 03 01 00 01      %.....U.i......      4#IA."$.)......
595:l= 213  80 cons:   cont [ 3 ]
598:l= 210
597:l=  78 cons:    SEQUENCE
601:l=
599:l=  29 cons:     SEQUENCE
603:l=
601:l=   3 prim:      OBJECT            :X509v3 Subject Key Identifier
608:l=
606:l=  22 prim:      OCTET STRING
  04 14 bb 37 8e 47 c7 5a-34 db 7a d9 f8 76 b6 75   ...7.G.Z4.z..v.u
  8e d0 e4 13 17 95 45                                 .....E
632:l= 162 7e 5f 2b ea-65 98 12 91 04 f3 63 c7   ...E~_+.e.....c.
  68 9a 58 16 77 27                                 h.X.w'
630:l=  31 cons:     SEQUENCE
635:l=
632:l=   3 prim:      OBJECT            :X509v3 Authority Key Identifier
640:l= 154 prim:      OCTET STRING
  30 81 97 80 14 bb 37 8e-47 c7 5a 34 db 7a d9 f8   0.....7.G.Z4.z..
  76 b6 75 8e d0 e4 13 17-45 a1 74 a4 72 30 70 31   v.u.....E.t.r0p1
  0b 30 09 06 03 55 04 06-13 02 55 53 31 13 30 11   .0...U....US1.0.
  06 03 55 04 08 13 0a 43-61 6c 69 66 6f 72 6e 69   ..U....Californi
  61 31 11 30 0f 06 03 55-04 07 13 08 53 61 6e 20   a1.0...U....San
  4a 6f 73 65 31 0e 30 0c-06 03 55 04 0a 13 05 73   Jose1.0...U....s
  69 70 69 74 31 29 Authority Key Identifier
637:l=  24 prim:      OCTET STRING
  30 27-06 03 55 04 0b 13 20 53   ipit1)0'..U... S
  69 70 69 74 20 54 65 73-74 20 43 16 80 14 95 45 7e 5f-2b ea 65 72 74 69 66   ipit Test Certif
  69 98 12 91 04 f3   0....E~_+.e.....
  63 61 74 65 20 41 75-74 c7 68 6f 72 69 74 79 82   icate Authority.
  09 00 96 a3 84 17 4e ef-8a 4c                     ......N..L
797:l= 9a 58 16 77 27-                          c.h.X.w'
663:l=  12 cons:     SEQUENCE
799:l=
665:l=   3 prim:      OBJECT            :X509v3 Basic Constraints
804:l=
670:l=   5 prim:      OCTET STRING
  30 03 01 01 ff                                    0....
811:l=
677:l=  13 cons:  SEQUENCE
813:l=
679:l=   9 prim:   OBJECT            :sha1WithRSAEncryption
824:l=
690:l=   0 prim:   NULL
826:l=
692:l= 257 prim:  BIT STRING
  00 b1 75 d4 56 ab 70 14-a0 ee 67 a3 ec 07 0c 1d   ..u.V.p...g.....
  8b 2c 06 5f d7 1c f3 e3 01-ba 3d 9d da 47 49 31 d5   .,_......=..GI1.
  81 f5 2d d2 9e ae a0 9a bc-b5 b9 5b 7e 97 33 cc df   .._.......[~.3..
  63 98 98 94 cb 0d 66 a5 2c 1f-db c3 2d 8a 32 6a ec 22   ..-.f.,...-.2j."
  8b b1 a9-83 e8 aa 58 63 57 23 88 34-9f 6c df 8c 7b 73 8c 2a   ..XcW#.4.l..{s.*
  7c d3 23 02 97 54 76 f3-34 25 7f d1 ad 25 87 17   |.#..Tv.4%...%..
  56 30 61 43 f4 16 63 77-0f 7b a7 b0 0b 97 1b 05   V0aC..cw.{......
  f2 59 a1 9e   c.....f....X*Y..
  47 31 a6 af 5c 86 2c a9 d5 3b cb-73 92 3f a2 3c dc 7e 12 30   .\.,..;.s..<.~.0
  86 9e 25-86 f8 57 6c a2 a4 28-51 e4 f7 f0 ce 29 9c 82   ...Wl..(Q....)..
  34 f2 02 3c 43 62 36 94-44 c1 ad b4 79 f7 6e f9   4..<Cb6.D...y.n.
  e2 bd f9 15 cc e8 de b0-9d 9c 2f 18 30 a9 df 05 92 b7 db 69   G1..\?.%.......i
  a1 69 72 87 66 c5 ab 35-89 01 37 19 c9 74 eb 09   .ir.f..5..7..t..
  d1 3f   ........../.0..?
  d4 56 c9 61 8d 88 7b 24 13 42 ca-2d fb 45 e6 cc 4b f8 21   .?.{$.B.-.E..K.!
  78 b2 fb-4e e5 22 1d f3 f5 97 ec 09 92 24-a2 f0 e6 94 8d 97 4a 00 c4 cf ce   .V.a.x..N.".....
  9c fe d6   x......$......J.
  94 00 bd 25 b8 17 2c 52-53 5d cc 5c 48 a4 a1 1d   ...%..,RS].\H...
  2d f6 50 55 13 a4 d3 b2-a2 f4 f1 4f 01 9d 92-58 b9 6d 48 5e 5c   -.PU........mH^\
  f3 de e0 78 fc 59 09 a1 d9-14 61 65 bf d8 3f b9 ba   ....Y....ae..?..
  2e 7c ed 5c 24 9b 6b ca-aa 5f f1 c1 1e b0 a8 da   .|.\$.k.._......
  82 0f fb 4c 71 3b 4d 7b-38 c8 e3 8a 2a cb 69 36 18   ....O...X.x*.i6. 19 34 44   ...Lq;M{8...*.4D
  26 0b ea f0 47 38 46 28-65 04 e2 01 52 dd ec 3d   &...G8F(e...R..=
  e5 f5 53 74 77 74 75 6d-c6 d9 c2 0a ac 1b 3b b8 98   ..Stwtum.....;..
  5c 55 53 0d 86 b1 91 34-8b de 05 5d 34 74 52 a8 26-b1 2f 30 22 18 d0 8b b7 f3   \US4tR.&./0"....
  a0 dd 68 07 33 d5 ae b7-81 b2 94 58 72 4e 7c c6   ..h.3......XrN|.
  72 2f bd 6c 69 fb b5 17-a8 2a 67   ..S....4...]".*g
  e5 ea f2 77 01 d6 9c 60-17 8d d7 2c 91 06 84 83 6f b6 88 7e   ...w...`....o..~
  ce c8 63 d4 30 6d 90 72-fe 59 f4 32 04 e6 af d4   ..c.0m.r.Y.2....
  be 99 44 c8 de 3d 01 88-d7 8a 35 30 c2 2d 77 e9   ..D..=....50.-w.
  70                                                p   r/.li....*..,...
  0c                                                .

2.2.  Host Certificates

   The certificate for the host example.com is shown below.  Note that
   the Subject Alternative Name is set to example.com and is a DNS type.
   The certificates for the other hosts are shown in Appendix B.

   Version: 3 (0x2)
   Serial Number:
       96:a3:84:17:4e:ef:8a:4f
   Signature Algorithm: sha1WithRSAEncryption
   Issuer: C=US, ST=California, L=San Jose, O=sipit,
           OU=Sipit Test Certificate Authority
   Validity
       Not Before: Dec  6 22:43:50 2010 Feb  7 19:32:17 2011 GMT
       Not After : Nov 12 22:43:50 2110 Jan 14 19:32:17 2111 GMT
   Subject: C=US, ST=California, L=San Jose, O=sipit, CN=example.com
   Subject Public Key Info:
       Public Key Algorithm: rsaEncryption
       RSA Public Key: (2048 bit)
           Modulus (2048 bit):
               00:9d:26:25:9d:f2:f8:00:ce:3a:8e:e5:11:f8:6a:
               3b:0e:ca:0b:7c:ac:74:cb:5a:79:c7:52:1c:ea:cc:
               07:86:b7:93:37:6a:0e:2a:00:e6:47:f9:7a:92:b8:
               07:c9:2c:1a:9a:34:a0:e0:63:ad:46:6e:d2:82:cc:

               c4:a2:cd:ce:a6:e2:51:d7:9b:ce:39:a8:55:3d:b1:
               4a:df:27:d8:8f:02:33:0a:84:5a:a2:ec:d1:b4:c1:
               e0:09:79:9f:05:6a:b8:08:38:82:6b:c2:0e:5d:c7:
               4f:c5:21:a2:4f:35:4a:5a:96:3a:d6:f2:a0:53:c8:
               fe:d7:ee:ef:1b:27:06:08:fe:24:96:04:23:19:7f:
               65:4d:81:43:b0:79:47:43:b7:a3:1f:13:58:8e:c0:
               e4:92:a7:3d:44:93:4d:74:df:21:13:94:73:48:f0:
               6f:cf:8d:a0:6d:2a:67:8e:82:c7:c7:56:af:15:cc:
               2d:c0:0e:bf:49:27:0a:bd:a7:7f:71:d4:5e:2b:6e:
               f2:c1:37:16:0b:e4:b9:44:29:91:fa:48:0b:48:e8:
               e7:32:d4:96:17:56:b9:9a:ba:1b:c1:0e:5f:78:12:
               26:06:b4:1f:73:0d:aa:8d:17:dc:29:89:83:fe:08:
               71:88:3d:a1:cd:35:49:01:fe:26:df:c7:2c:a8:44:
               d9:e3
               00:dd:74:06:02:10:c2:e7:04:1f:bc:8c:b6:24:e7:
               9b:94:a3:48:37:85:9e:6d:83:12:84:50:1a:8e:48:
               b1:fa:86:8c:a7:80:b9:be:52:ec:a6:ca:63:47:84:
               ad:f6:74:85:82:16:7e:4e:36:40:0a:74:2c:20:a9:
               6a:0e:6a:7f:35:cf:70:71:63:7d:e9:43:67:81:4c:
               ea:b5:1e:b7:4c:a3:35:08:7b:21:0d:2a:73:07:63:
               9d:8d:75:bf:1f:d4:8e:e6:67:60:75:f7:ea:0a:7a:

               6c:90:af:92:45:e0:62:05:9a:8a:10:98:dc:7c:54:
               8b:e4:61:95:3b:04:fc:10:50:ef:80:45:ba:5e:84:
               97:76:c1:20:25:c1:92:1d:89:0a:f7:55:62:64:fa:
               e8:69:a2:62:4c:67:d3:08:d9:61:b5:3d:16:54:b6:
               b7:44:8d:59:2b:90:d4:e9:fb:c7:7d:87:58:c3:12:
               ac:33:78:00:50:ba:07:05:b3:b9:01:1a:63:55:6c:
               e1:7a:ec:a3:07:ae:3b:02:83:a1:69:e0:c3:dc:2d:
               61:e9:b2:e3:b3:71:c8:a6:cf:da:fb:3e:99:c7:e5:
               71:b9:c9:17:d4:ed:bc:a0:47:54:09:8c:6e:6d:53:
               9a:2c:c9:68:c6:6f:f1:3d:91:1a:24:43:77:7d:91:
               69:4b
           Exponent: 65537 (0x10001)
   X509v3 extensions:
       X509v3 Subject Alternative Name:
           DNS:example.com, URI:sip:example.com
       X509v3 Basic Constraints:
           CA:FALSE
       X509v3 Subject Key Identifier:
           AB:E9:BC:0D:37:A2:45:90:F2:BB:CB:B1:DB:A1:49:28:81:3C:1A:D2
           CC:06:59:5B:8B:5E:D6:0D:F2:05:4D:1B:68:54:1E:FC:F9:43:19:17
       X509v3 Authority Key Identifier:
           BB:37:8E:47:C7:5A:34:DB:7A:D9:F8:76:B6:75:8E:D0:E4:13:17:45
           DirName:/C=US/ST=California/L=San Jose/O=sipit/
           OU=Sipit Test Certificate Authority
           serial:96:A3:84:17:4E:EF:8A:4C
           95:45:7E:5F:2B:EA:65:98:12:91:04:F3:63:C7:68:9A:58:16:77:27

       X509v3 Key Usage:
           Digital Signature, Non Repudiation, Key Encipherment
       X509v3 Extended Key Usage:
           TLS Web Server Authentication, 1.3.6.1.5.5.7.3.20
       Signature Algorithm: sha1WithRSAEncryption
   8e:d9:1f:18:52:53:28:77:b9:0a:26:0b:0d:94:d8:3f:fa:01:
   a9:72:f2:02:80:3c:f9:01:5c:0a:84:3b:f3:6d:86:b3:ad:7f:
   d3:91:e8:0c:b4:76:2f:ec:f6:5a:9a:16:d5:5e:0e:77:e6:e5:
   3b:bb:68:51:2b:d8:bf:68:5c:63:4a:d8:2d:84:6b:af:f5:e2:
   ea:8c:75:0b:e5:55:bf:5d:f5:bc:bb:ee:f0:62:bc:de:9a:aa:
   c5:ae:53:d4:bd:aa:a5:3b:6f:f3:8d:00:2e:2b:c8:ec:ce:2a:
   fc:0d:8e:54:8e:4d:01:ea:c0:0a:44:93:03:2d:8f:95:45:2f:
   dd:df:33:df:db:96:1f:26:12:2f:b1:17:d2:f0:ab:31:b9:cb:
   c4:c1:ae:e6:53:c1:a0:15:79:5b:a2:9d:af:17:b4:ec:72:c2:
   9d:38:79:43:c5:58:6e:b6:8e:44:ba:87:03:24:d8:24:ac:12:
   1c:be:16:42:32:4e:1b:a8:c3:7f:a9:70:0b:12:c1:8f:98:2c:
   b9:23:03:ee:aa:98:5a:48:8f:c8:34:f9:be:73:e5:5c:ae:6b:
   a2:b5:8c:04:0f:7c:b1:d2:86:96:e4:c0:d1:f4:11:73:55:df:
   e6:3c:7e:17:c6:95:87:b1:a2:87:50:91:d7:ce:68:24:86:c1:
   3d:35:c0:d0
   6a:9a:d1:db:00:4b:90:86:b0:53:ea:6f:30:31:89:1e:9b:09:
   14:bd:6f:b9:02:aa:6f:58:ee:30:03:b8:a1:fd:b3:41:72:ff:
   b3:0d:cb:76:a7:17:c6:57:38:06:13:e5:f3:e4:30:17:4d:f7:
   97:b5:f3:74:e9:81:f8:f4:55:a3:0d:f5:82:38:c3:98:43:52:
   1f:84:cd:1a:b4:a3:45:9f:3d:e2:31:fd:cb:a2:ad:ed:60:7d:
   fa:d2:aa:49:2f:41:a9:80:01:bb:ed:b6:75:c9:97:69:7f:0c:
   91:60:f1:c4:5a:36:e8:5c:ac:e1:a8:e7:9a:55:e5:e0:cd:01:
   f4:de:93:f4:38:6c:c1:71:d2:fd:cd:1b:5d:25:eb:90:7b:31:
   41:e7:37:0e:e5:c0:01:48:91:f7:34:dd:c6:1f:74:e6:34:34:
   e6:cd:93:0f:3f:ce:94:ad:91:d9:e2:72:b1:9f:1d:d3:a5:7d:
   5e:e2:a4:56:c5:b1:71:4d:10:0a:5d:a6:56:e6:57:1f:48:a5:
   5c:75:67:ea:ab:35:3e:f6:b6:fa:c1:f3:8a:c1:80:71:32:18:
   6c:33:b5:fa:16:5a:16:e1:a1:6c:19:67:f5:45:68:64:6f:b2:
   31:dc:e3:5a:1a:b2:d4:87:89:96:fd:87:ba:38:4e:0a:19:07:
   03:4b:9b:b1

   The example host certificate above, as well as all the others
   presented in this document, are signed directly by a root CA.  These
   certificate chains have a length equal to two: the root CA and the
   host certificate.  Non-root CAs exist and may also sign certificates.

   The certificate chains presented by hosts with certificates signed by
   non-root CAs will have a length greater than two.  For more details
   on how certificate chains are validated, see Sections 6.1 and 6.2 of
   [RFC5280].

2.3.  User Certificates

   User certificates are used by many applications to establish user
   identity.  The user certificate for fluffy@example.com is shown
   below.  Note that the Subject Alternative Name has a list of names
   with different URL types such as a sip, im, or pres URL.  This is
   necessary for interoperating with a Common Profile for Instant
   Messaging (CPIM) gateway.  In this example, example.com is the domain
   for fluffy.  The message could be coming from any host in
   *.example.com, and the AOR in the user certificate would still be the
   same.  The others are shown in Appendix B.1.  These certificates make
   use of the Extended Key Usage (EKU) extension discussed in [RFC5924].
   Note that the X509v3 Extended Key Usage attribute refers to the SIP
   OID introduced in [RFC5924], which is 1.3.6.1.5.5.7.3.20

   Version: 3 (0x2)
   Serial Number:
       96:a3:84:17:4e:ef:8a:4d
   Signature Algorithm: sha1WithRSAEncryption
   Issuer: C=US, ST=California, L=San Jose, O=sipit,
           OU=Sipit Test Certificate Authority
   Validity
       Not Before: Dec  6 22:43:49 2010 Feb  7 19:32:17 2011 GMT
       Not After : Nov 12 22:43:49 2110 Jan 14 19:32:17 2111 GMT
   Subject: C=US, ST=California, L=San Jose, O=sipit,
            CN=fluffy@example.com
            CN=fluffy
   Subject Public Key Info:
       Public Key Algorithm: rsaEncryption
       RSA Public Key: (2048 bit)
           Modulus (2048 bit):
               00:c6:a9:ff:b2:e0:63:18:7a:05:b9:9a:31:c0:33:
               bb:d4:05:db:a4:df:32:68:41:7e:e5:6c:13:cd:f2:
               18:d3:9b:fa:7f:45:92:66:10:a3:f2:4d:ce:40:dd:
               1e:df:13:43:b6:d9:f2:cb:44:a0:85:11:51:d2:b0:
               f7:9f:d2:3e:af:cd:7d:cb:ab:c0:f0:00:d0:7e:e0:
               45:d5:91:45:7a:25:73:d6:08:80:e6:ca:73:61:e1:
               04:d3:11:f5:6f:10:00:a9:5d:a7:ac:da:d9:75:92:
               14:07:bd:81:26:79:90:4b:99:aa:d8:54:e5:34:6a:
               4f:61:e5:e8:22:47:96:f1:e2:5c:e5:a3:09:43:22:

               7b:a5:46:d8:8f:df:c4:18:ed:75:17:00:68:6e:95:
               16:e8:ca:15:4c:25:f6:2c:33:86:0e:7a:0f:9d:9a:
               a5:e3:8c:3e:ff:c5:32:08:25:bb:52:08:20:8b:95:
               46:c9:52:da:7a:15:46:eb:8b:8e:a2:22:b8:e7:ef:
               a0:e5:c2:59:83:c8:8b:f7:33:0e:f7:80:b7:11:27:
               ac:3e:2c:37:a2:67:2c:22:3b:55:90:a6:ff:c0:df:
               63:d1:20:ec:6c:7c:61:2e:b5:d0:28:d7:09:ed:33:
               a6:22:9d:00:de:21:bb:7c:53:d1:9f:af:20:23:f4:
               dd:51
               00:a3:2c:59:0c:e9:bc:e4:ec:d3:9e:fb:99:02:ec:
               b1:36:3a:b7:d3:1d:4d:c3:3a:b6:ae:50:bd:5f:55:
               08:77:8c:7e:a4:e9:f0:68:31:28:8f:23:32:56:19:
               c3:22:97:a7:6d:fd:a7:22:2a:01:b5:af:61:bd:5f:
               7e:c1:14:e5:98:29:b4:34:4e:38:8a:26:ee:0d:da:
               db:27:b9:78:d6:ac:ac:04:78:32:98:c2:75:e7:6a:
               b7:2d:b3:3c:e3:eb:97:a5:ef:8b:59:42:50:17:7b:
               fe:a7:81:af:37:a7:e7:e3:1f:b0:8d:d0:72:2f:6c:
               14:42:c6:01:68:e1:8f:fd:56:4d:7d:cf:16:dc:aa:
               05:61:0b:0a:ca:ca:ec:51:ec:53:6e:3d:2b:00:80:
               fe:35:1b:06:0a:61:13:88:0b:44:f3:cc:fd:2b:0e:
               b4:a2:0b:a0:97:84:14:2e:ee:2b:e3:2f:c1:1a:9e:
               86:9a:78:6a:a2:4c:57:93:e7:01:26:d3:56:0d:bd:

               b0:2f:f8:da:c7:3c:01:dc:cb:2d:31:8c:6c:c6:5c:
               b4:63:e8:b2:a2:40:11:bf:ad:f8:6d:12:01:97:1d:
               47:f8:6a:15:8b:fb:27:96:73:44:46:34:d7:24:1c:
               cf:56:8d:d4:be:d6:94:5b:f0:a6:67:e3:dd:cf:b4:
               f2:d5
           Exponent: 65537 (0x10001)
   X509v3 extensions:
       X509v3 Subject Alternative Name:
           URI:sip:fluffy@example.com, URI:im:fluffy@example.com,
              URI:pres:fluffy@example.com
       X509v3 Basic Constraints:
           CA:FALSE
       X509v3 Subject Key Identifier:
           13:C1:2F:28:AF:EB:53:7F:1D:4D:66:27:1E:D7:F7:99:56:31:C8:A0
           85:97:09:B8:D3:55:37:24:8A:DC:DE:E3:91:72:E4:22:CF:98:87:52
       X509v3 Authority Key Identifier:
           BB:37:8E:47:C7:5A:34:DB:7A:D9:F8:76:B6:75:8E:D0:E4:13:17:45
           DirName:/C=US/ST=California/L=San Jose/O=sipit/
           OU=Sipit Test Certificate Authority
           serial:96:A3:84:17:4E:EF:8A:4C
           95:45:7E:5F:2B:EA:65:98:12:91:04:F3:63:C7:68:9A:58:16:77:27

       X509v3 Key Usage:
           Digital Signature, Non Repudiation, Key Encipherment
       X509v3 Extended Key Usage:
           E-mail Protection, 1.3.6.1.5.5.7.3.20
       Signature Algorithm: sha1WithRSAEncryption
   5d:d6:f9:23:45:da:7a:51:8b:c6:fe:4b:89:99:81:37:ef:27:
   03:aa:e0:ed:8d:ec:d0:bf:6e:4c:0c:63:6a:bb:db:be:9d:6d:
   f8:d0:d9:7d:89:78:e3:1f:c6:3b:db:ae:1e:f6:f4:56:00:dd:
   f3:0e:2b:f8:70:91:f1:ec:f8:02:06:c1:f3:90:92:b3:25:8d:
   54:22:b8:07:4b:a1:ee:5c:5c:17:ac:62:37:28:5f:70:02:b5:
   80:09:94:42:cf:e6:f0:70:db:df:d1:94:e1:7d:d5:70:41:1a:
   4b:b5:73:ec:4c:78:71:bd:9b:d4:63:d7:57:30:fc:eb:d2:bb:
   7d:9c:4e:b9:c2:ea:b6:9b:46:47:46:d0:8d:8e:51:f9:dd:ed:
   88:75:2d:18:3b:79:4b:ce:f6:76:7b:f5:2f:71:4b:a4:1d:06:
   f8:37:5e:d9:8a:42:5c:76:a3:95:36:f0:9b:ee:5a:55:62:12:
   2a:94:4e:fe:37:8b:2e:45:5a:21:1c:47:fd:de:2f:01:3e:77:
   b9:24:a6:66:44:95:32:37:2c:4d:90:93:bb:6a:b3:1d:5b:9c:
   0c:3b:d6:70:d3:7a:39:46:48:2b:ba:5d:6e:d8:3b:83:cb:cf:
   67:5b:0c:2d:2e:4c:ff:12:1e:df:72:75:b3:cf:9d:83:ce:e9:
   f4:f4:3c:02
   a8:a9:8f:d8:8a:0b:88:ed:ff:4f:bf:e5:cd:8f:9e:7b:b8:e6:
   f2:2c:aa:e3:23:5b:9a:71:5e:fd:20:a3:dd:d9:d3:c1:f2:e8:
   f0:be:77:db:33:cc:8a:7b:4f:91:2b:8d:d6:f7:14:c3:8d:e0:
   60:d3:34:50:bc:be:67:22:cd:f5:74:7b:f4:9a:68:a2:52:2b:
   81:2f:46:d3:09:9f:25:c3:20:e8:10:d5:ef:38:7b:d1:17:d4:
   f1:d7:54:67:56:f1:13:cf:2f:fc:8b:83:fc:14:e7:01:82:59:
   83:cc:b1:8d:f0:c7:da:4e:b1:dc:cc:54:cf:6c:3b:47:47:59:
   87:d9:16:ec:af:af:e1:12:13:23:1e:0a:db:f5:b5:ff:5d:ab:
   15:0e:e3:25:91:00:0e:90:db:d8:07:11:90:81:01:3a:48:a8:
   aa:9e:b0:62:d3:36:f0:0c:b7:2f:a7:17:92:52:36:29:14:0a:
   d6:65:86:67:73:74:6e:aa:3c:ee:47:38:1e:c8:6e:06:81:85:
   1c:2e:f0:b6:04:7d:6c:38:db:81:9c:b8:07:e3:07:be:f5:2f:
   09:68:63:04:6b:87:0e:36:b9:a1:a3:fb:c8:30:0c:a0:63:8d:
   6d:ab:0a:f8:44:b0:78:19:1a:38:7e:fa:6a:a1:d4:4b:4b:75:
   75:bf:6f:09

   Versions of these certificates that do not make use of EKU are also
   included in Appendix B.2

3.  Callflow with Message Over TLS

3.1.  TLS with Server Authentication

   The flow below shows the edited SSLDump output of the host
   example.com forming a TLS [RFC5246] connection to example.net.  In
   this example mutual authentication is not used.  Note that the client
   proposed three protocol suites including TLS_RSA_WITH_AES_128_CBC_SHA
   defined in [RFC5246].  The certificate returned by the server
   contains a Subject Alternative Name that is set to example.net.  A
   detailed discussion of TLS can be found in SSL and TLS [EKR-TLS].
   For more details on the SSLDump tool, see the SSLDump Manual
   [ssldump-manpage].

   This example does not use the Server Extended Hello (see [RFC5246]).

   New TCP connection #1: example.com(58315) example.com(50738) <-> example.net(5061)
   1 1  0.0004 (0.0004)  C>SV3.1(101)  Handshake
         ClientHello
           Version 3.1
           random[32]=
             4c 09 5b a7 66 77 eb 43 52 30 dd 98 4d 09 23 d3
             ff 81 74 ab 04 69 bb 79 8c dc 59 cd c2 1f b7 ec
           cipher suites
           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
           TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
           TLS_DHE_RSA_WITH_AES_256_SHA
           TLS_RSA_WITH_AES_256_CBC_SHA
           TLS_DSS_RSA_WITH_AES_256_SHA
           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
           TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
           TLS_DHE_RSA_WITH_AES_128_CBC_SHA
           TLS_RSA_WITH_AES_128_CBC_SHA
           TLS_DHE_DSS_WITH_AES_128_CBC_SHA
           TLS_ECDHE_RSA_WITH_DES_192_CBC3_SHA
           TLS_ECDH_RSA_WITH_DES_192_CBC3_SHA
           TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
           TLS_RSA_WITH_3DES_EDE_CBC_SHA
           TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
           TLS_ECDHE_RSA_WITH_RC4_128_SHA
           TLS_ECDH_RSA_WITH_RC4_128_SHA
           TLS_RSA_WITH_RC4_128_SHA
           TLS_RSA_WITH_RC4_128_MD5
           TLS_DHE_RSA_WITH_DES_CBC_SHA
           TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
           TLS_RSA_WITH_DES_CBC_SHA
           TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
           TLS_DHE_DSS_WITH_DES_CBC_SHA
           TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
           TLS_RSA_EXPORT_WITH_RC4_40_MD5
           compression methods
                     NULL
   1 2  0.0012 (0.0007)  S>CV3.1(48)  Handshake
         ServerHello
           Version 3.1
           random[32]=
             4c 09 5b a7 30 87 74 c7 16 98 24 d5 af 35 17 a7
             ef c3 78 0c 94 d4 94 d2 7b a6 3f 40 04 25 f6 e0
           session_id[0]=

           cipherSuite         TLS_RSA_WITH_AES_256_CBC_SHA
           compressionMethod                   NULL
   1 3  0.0012 (0.0000)  S>CV3.1(1858)  Handshake
         Certificate
   1 4  0.0012 (0.0000)  S>CV3.1(14)  Handshake
         CertificateRequest
           certificate_types                   rsa_sign
           certificate_types                   dss_sign
           certificate_types                 unknown value
         ServerHelloDone
   1 5  0.0043 (0.0031)  C>SV3.1(7)  Handshake
         Certificate
   1 6  0.0043 (0.0000)  C>SV3.1(262)  Handshake
         ClientKeyExchange
   1 7  0.0043 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
   1 8  0.0043 (0.0000)  C>SV3.1(48)  Handshake
   1 9  0.0129 (0.0085)  S>CV3.1(170)  Handshake
   1 10 0.0129 (0.0000)  S>CV3.1(1)  ChangeCipherSpec
   1 11 0.0129 (0.0000)  S>CV3.1(48)  Handshake
   1 12 0.0134 (0.0005)  C>SV3.1(32)  application_data
   1 13 0.0134 (0.0000)  C>SV3.1(496)  application_data
   1 14 0.2150 (0.2016)  S>CV3.1(32)  application_data
   1 15 0.2150 (0.0000)  S>CV3.1(336)  application_data
   1 16 12.2304 (12.0154)  S>CV3.1(32)  Alert
   1    12.2310 (0.0005)  S>C  TCP FIN
   1 17 12.2321 (0.0011)  C>SV3.1(32)  Alert

3.2.  MESSAGE Transaction Over TLS

   Once the TLS session is set up, the following MESSAGE request (as
   defined in [RFC3428] is sent from fluffy@example.com to
   kumiko@example.net.  Note that the URI has a SIPS URL and that the
   VIA indicates that TLS was used.  In order to format this document,
   the <allOneLine> convention from [RFC4475] is used to break long
   lines.  The actual message does not contain the linebreaks line breaks contained
   within those tags.

   MESSAGE sips:kumiko@example.net:5061 SIP/2.0
   <allOneLine>
   Via: SIP/2.0/TLS 192.0.2.2:15001;
        branch=z9hG4bK-d8754z-3bcb7c685f585679-1---d8754z-;
        rport=58315
        branch=z9hG4bK-d8754z-c785a077a9a8451b-1---d8754z-;
        rport=50738
   </allOneLine>
   Max-Forwards: 70
   To: <sips:kumiko@example.net:5061>
   From: <sips:fluffy@example.com:15001>;tag=b5220b64 <sips:fluffy@example.com:15001>;tag=1a93430b
   Call-ID: ZDQ1ZjNhMjQxZjZlYjNkZjUyYjJhMDA5MTAxYjRhMmE. OTZmMDE2OWNlYTVjNDkzYzBhMWRlMDU4NDExZmU4ZTQ.
   CSeq: 4308 MESSAGE
   <allOneLine>
   Accept: multipart/signed, text/plain, application/pkcs7-mime,
           application/sdp, multipart/alternative
   </allOneLine>
   Content-Type: text/plain
   Content-Length: 6

   Hello!

   When a User Agent (UA) goes to send a message to example.com, the UA
   can see if it already has a TLS connection to example.com and if it
   does, it may send the message over this connection.  A UA should have
   some scheme for reusing connections as opening a new TLS connection
   for every message results in awful performance.  Implementers are
   encouraged to read [RFC5923] and [RFC3263].

   The response is sent from example.net to example.com over the same
   TLS connection.  It is shown below.

   SIP/2.0 200 OK
   <allOneLine>
   Via: SIP/2.0/TLS 192.0.2.2:15001;
        branch=z9hG4bK-d8754z-3bcb7c685f585679-1---d8754z-;
        rport=58315
        branch=z9hG4bK-d8754z-c785a077a9a8451b-1---d8754z-;
        rport=50738
   </allOneLine>
   To: <sips:kumiko@example.net:5061>;tag=35b8014f <sips:kumiko@example.net:5061>;tag=0d075510
   From: <sips:fluffy@example.com:15001>;tag=b5220b64 <sips:fluffy@example.com:15001>;tag=1a93430b
   Call-ID: ZDQ1ZjNhMjQxZjZlYjNkZjUyYjJhMDA5MTAxYjRhMmE. OTZmMDE2OWNlYTVjNDkzYzBhMWRlMDU4NDExZmU4ZTQ.
   CSeq: 4308 MESSAGE
   Content-Length: 0

4.  Callflow with S/MIME-secured Message

4.1.  MESSAGE Request with Signed Body

   Below is an example of a signed message.  The values on the Content-
   Type line (multipart/signed) and on the Content-Disposition line have
   been broken across lines to fit on the page, but they are not broken
   across lines in actual implementations.

   MESSAGE sip:kumiko@example.net SIP/2.0
   <allOneLine>
   Via: SIP/2.0/TCP 192.0.2.2:15001;
        branch=z9hG4bK-d8754z-81e4f73858c3585d-1---d8754z-;
        rport=58316
        branch=z9hG4bK-d8754z-3a922b6dc0f0ff37-1---d8754z-;
        rport=50739
   </allOneLine>
   Max-Forwards: 70
   To: <sip:kumiko@example.net>
   From: <sip:fluffy@example.com>;tag=74a11610 <sip:fluffy@example.com>;tag=ef6bad5e
   Call-ID: MzBlOGM0NzkwOTExM2MyMGMyMzU3OWMzZGU0Y2Y1MTg. N2NiZjI0NjRjNDQ0MTY1NDRjNWNmMGU1MDA2MDRhYmI.
   CSeq: 8473 MESSAGE
   <allOneLine>
   Accept: multipart/signed, text/plain, application/pkcs7-mime,
           application/sdp, multipart/alternative
   </allOneLine>
   <allOneLine>
   Content-Type: multipart/signed;boundary=7fbf310bbfc8c71c; multipart/signed;boundary=3b515e121b43a911;
                 micalg=sha1;protocol="application/pkcs7-signature"
   </allOneLine>
   Content-Length: 774

   --7fbf310bbfc8c71c

   --3b515e121b43a911
   Content-Type: text/plain
   Content-Transfer-Encoding: binary

   Hello!
   --7fbf310bbfc8c71c
   --3b515e121b43a911
   Content-Type: application/pkcs7-signature;name=smime.p7s
   <allOneLine>
   Content-Disposition: attachment;handling=required;
                        filename=smime.p7s
   </allOneLine>
   Content-Transfer-Encoding: binary

   *****************
   * BINARY BLOB 1 *
   *****************
   --7fbf310bbfc8c71c--
   --3b515e121b43a911--
   It is important to note that the signature ("BINARY BLOB 1") is
   computed over the MIME headers and body, but excludes the multipart
   boundary lines.  The value on the Message-body line ends with CRLF.
   The CRLF is included in the boundary and is not part of the signature
   computation.  To be clear, the signature is computed over data
   starting with the "C" in the "Content-Type" and ending with the "!"
   in the "Hello!".

   Content-Type: text/plain
   Content-Transfer-Encoding: binary

   Hello!

   Following is the ASN.1 parsing of encrypted contents referred to
   above as "BINARY BLOB 1".  Note that at address 30, the hash for the
   signature is specified as SHA-1.  Also note that the sender's
   certificate is not attached as it is optional in [RFC5652].

    0  472: SEQUENCE {
    4    9:   OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
   15  457:   [0] {
   19  453:     SEQUENCE {
   23    1:       INTEGER 1
   26   11:       SET {
   28    9:         SEQUENCE {
   30    5:           OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
   37    0:           NULL
          :           }
          :         }
   39   11:       SEQUENCE {
   41    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
          :         }
   52  420:       SET {
   56  416:         SEQUENCE {
   60    1:           INTEGER 1
   63  125:           SEQUENCE {
   65  112:             SEQUENCE {
   67   11:               SET {
   69    9:                 SEQUENCE {
   71    3:                   OBJECT IDENTIFIER countryName (2 5 4 6)
   76    2:                   PrintableString 'US'
          :                   }
          :                 }
   80   19:               SET {
   82   17:                 SEQUENCE {
   84    3:                   OBJECT IDENTIFIER
          :                     stateOrProvinceName (2 5 4 8)
   89   10:                   PrintableString                   UTF8String 'California'
          :                   }
          :                 }
    101   17:               SET {
    103   15:                 SEQUENCE {
    105    3:                   OBJECT IDENTIFIER localityName (2 5 4 7)
    110    8:                   PrintableString                   UTF8String 'San Jose'
          :                   }
          :                 }
    120   14:               SET {
    122   12:                 SEQUENCE {
    124    3:                   OBJECT IDENTIFIER
          :                     organizationName (2 5 4 10)
    129    5:                   PrintableString                   UTF8String 'sipit'
          :                   }
          :                 }
    136   41:               SET {
    138   39:                 SEQUENCE {
    140    3:                   OBJECT IDENTIFIER
          :                     organizationalUnitName (2 5 4 11)
    145   32:                   PrintableString                   UTF8String 'Sipit Test Certificate Aut
hority'
                                            Authority'
          :                   }
          :                 }
          :               }
    179    9:             INTEGER 00 96 A3 84 17 4E EF 8A 4D
          :             }
    190    9:           SEQUENCE {
    192    5:             OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
    199    0:             NULL
          :             }
    201   13:           SEQUENCE {
    203    9:             OBJECT IDENTIFIER
          :               rsaEncryption (1 2 840 113549 1 1 1)
 214    0:             NULL
       :             }
 216  256:           OCTET STRING
       :             0F 8A 9A BE F0 A8 9B 91 3D C1 4A E5 62 C1 FB 5D
       :             69 70 4E 36 F8 3C C5 7A D5 06 6A 62 1E 6C 2E 17
    214    0:             NULL
          :             0D 3C 91 B5             }
    216  256:           OCTET STRING
          :             74 4D 21 39 C7 81 CF 77 B7 61 3B 2E 97 76 C0 D6 E2 E2 2C 30 5A AA BC 4E 60 8D 69
          :             3A 97 15             A7 32 3B 3E E5 79 AB FD 50 1A B1 7D 4A D3 C1 03 9F 19 7D A2 76
          :             97 E0 2E 41 E7 8B B3 CE 30 CD 62 4B 96 20 35 DB C1 64 D9 33 92
          :             96 CD 28 03 98 6E 2C 0C F6 20 19 E1 8D 93 40 F2 88 DA 29
          :             AD 0B C2 0E F9 D3 6A 95 2C 79 6E C2 3D 62 E6 54
          :             A9 1B B7 73 E2 AC 66 DB 16 F8 B7 44 01 6C 03 1B 71 9C EE C9 EC
          :             4D 59 6E DB 93 B1 CF F5 17 79 C5 C8 BA 2F A7 6C 4B DC CF
          :             62 A3 F3 1A 1B 49 FA 48 7E BE 96 32 24 E4 40 66 3C 4F 92 3E 2B 36 D1 26 2B
       :             37 9B 01 CD C7 39 FA A5 29 41 A5 ED BD F3 71 DB
       :             82 5A 2D E9 3A D2 E6 87 86 BF 10 F3 41 AF 09 6A 20 82 D4
          :             69 50 FB 70 DA 88 A3 C3 91 C5 10 CE             7A 43 60 2B FC D8 3D 80 55 AE
       :             8C 99 1E 54 B6 06 3E CA 64 90 FA E2 4F A6 B0 40 2B 57 17 CB 81 03 2A 56 69
          :             3E A1 9D             81 82 FA 78 DE D2 3A 2F FA A3 C5 EA 8B E8 7C BF 40 69 6E 80 0C 36
          :             1B BC DC FD 1B 8C 2E 0F 01 AF 73 6E 2C 7F D9 E1 04 0E 4E 50
          :             94 75 7C BD D9 0B DD A3 08 FF 52 F1 41 51 4D 86 34 5A 1C D6 92 3C
       :             87 C8 0A 52 32 8D AA F6 45 1B 5C A0 6A E7 64 1E FA 36 E3 EC E4 A5 35 46
          :             29 12 84 53 4B 2E 0B 72 0E 5E 5B 9A 4B             BE A2 97 1D AD BA 44 54 3A ED 94 DA 76 4A FE F6 51 BA
          :             64 3E 78 8A 5B 9C 45 C0             A4 7D 7A 62 FF BF 2A 2F F2 5C 5A FE CA E6 F6 89 25 00 73 B9 DC 5D
          :             EA 26 F2 35 17 19 4B E0 08 D2 F5 FE 32 D2 47 EC F1 4D 74 20 CE 97 96 4E 72 9C 72 FD 1F
          :             68 C1 6A 5C 86 42 F2 ED F2 70 65 4C C7 44 C5 7C 26
          :           }
          :         }
          :       }
          :     }
          :   }

   SHA-1 parameters may be omitted entirely, instead of being set to
   NULL, as mentioned in [RFC3370].  The above dump of Blob 1 has SHA-1
   parameters set to NULL.  Below are the same contents signed with the
   same key, but omitting the NULL according to [RFC3370].  This is the
   preferred encoding.  This is covered in greater detail in Section 5.

    0  468: SEQUENCE {
    4    9:   OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
   15  453:   [0] {
   19  449:     SEQUENCE {
   23    1:       INTEGER 1
   26    9:       SET {
   28    7:         SEQUENCE {
   30    5:           OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
          :           }
          :         }
   37   11:       SEQUENCE {
   39    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
          :         }
   50  418:       SET {
   54  414:         SEQUENCE {
   58    1:           INTEGER 1
   61  125:           SEQUENCE {
   63  112:             SEQUENCE {
   65   11:               SET {
   67    9:                 SEQUENCE {
   69    3:                   OBJECT IDENTIFIER countryName (2 5 4 6)
   74    2:                   PrintableString 'US'
          :                   }
          :                 }
   78   19:               SET {
   80   17:                 SEQUENCE {
   82    3:                   OBJECT IDENTIFIER
          :                     stateOrProvinceName (2 5 4 8)
   87   10:                   PrintableString                   UTF8String 'California'
          :                   }
          :                 }

   99   17:               SET {
    101   15:                 SEQUENCE {
    103    3:                   OBJECT IDENTIFIER localityName (2 5 4 7)
    108    8:                   PrintableString                   UTF8String 'San Jose'
          :                   }
          :                 }
    118   14:               SET {
    120   12:                 SEQUENCE {
    122    3:                   OBJECT IDENTIFIER
          :                     organizationName (2 5 4 10)
    127    5:                   PrintableString                   UTF8String 'sipit'
          :                   }
          :                 }
    134   41:               SET {
    136   39:                 SEQUENCE {
    138    3:                   OBJECT IDENTIFIER
          :                     organizationalUnitName (2 5 4 11)
    143   32:                   PrintableString                   UTF8String 'Sipit Test Certificate Aut
hority'
                                            Authority'
          :                   }
          :                 }
          :               }
    177    9:             INTEGER 00 96 A3 84 17 4E EF 8A 4D
          :             }
    188    7:           SEQUENCE {
    190    5:             OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
          :             }
    197   13:           SEQUENCE {
    199    9:             OBJECT IDENTIFIER
          :               rsaEncryption (1 2 840 113549 1 1 1)
    210    0:             NULL
          :             }
    212  256:           OCTET STRING
          :             0F 8A 9A BE F0 A8 9B 91 3D C1 4A E5 62 C1 FB 5D
       :             69 70 4E 36 F8 3C C5 7A D5 06 6A 62 1E 6C 2E 17
       :             0D 3C 91 B5             74 4D 21 39 C7 81 CF 77 B7 61 3B 2E 97 76 C0 D6 E2 E2 2C 30 5A AA BC 4E 60 8D 69
          :             3A 97 15             A7 32 3B 3E E5 79 AB FD 50 1A B1 7D 4A D3 C1 03 9F 19 7D A2 76
          :             97 E0 2E 41 E7 8B B3 CE 30 CD 62 4B 96 20 35 DB C1 64 D9 33 92
          :             96 CD 28 03 98 6E 2C 0C F6 20 19 E1 8D 93 40 F2 88 DA 29
          :             AD 0B C2 0E F9 D3 6A 95 2C 79 6E C2 3D 62 E6 54
          :             A9 1B B7 73 E2 AC 66 DB 16 F8 B7 44 01 6C 03 1B 71 9C EE C9 EC
          :             4D 59 6E DB 93 B1 CF F5 17 79 C5 C8 BA 2F A7 6C 4B DC CF
          :             62 A3 F3 1A 1B 49 FA 48 7E BE 96 32 24 E4 40 66 3C 4F 92 3E 87 86 BF 09 6A
          :             7A 43 60 2B 36 D1 26 FC D8 3D 2B 57 17 CB 81 03 2A 56 69
          :             37 9B 01 CD C7 39 FA A5 29 41 A5 ED BD F3 71 DB
       :             81 82 5A 2D E9 3A FA 78 DE D2 E6 BF 10 F3 41 AF 6A 20 82 D4
       :             69 50 FB 70 DA 88 3A 2F FA A3 C3 91 C5 10 CE 3D 80 55 AE EA 8B E8 0C 36
          :             1B BC DC FD 1B 8C 99 1E 54 B6 06 3E CA 64 90 FA E2 4F A6 B0 40
       :             3E A1 9D D2 E8 7C BF 40 69 6E 80 2E 0F 01 AF 73 6E 2C 7F D9 E1 04 0E 4E 50
          :             94 75 7C BD D9 0B DD A3 08 FF 52 F1 41 51 4D 86 34 5A 1C D6 92 3C
       :             87 C8 0A 52 32 8D AA F6 45 1B 5C A0 6A E7 64 1E FA 36 E3 EC E4 A5 35 46
          :             29 12 84 53 4B 2E 0B 72 0E 5E 5B 9A 4B             BE A2 97 1D AD BA 44 54 3A ED 94 DA 76 4A FE F6 51 BA
          :             64 3E 78 8A 5B 9C 45 C0             A4 7D 7A 62 FF BF 2A 2F F2 5C 5A FE CA E6 F6 89 25 00 73 B9 DC 5D
          :             EA 26 F2 35 17 19 4B E0 08 D2 F5 FE 32 D2 47 EC F1 4D 74 20 CE 97 96 4E 72 9C 72 FD 1F
          :             68 C1 6A 5C 86 42 F2 ED F2 70 65 4C C7 44 C5 7C 26
          :           }
          :         }
          :       }
          :     }
          :   }

4.2.  MESSAGE Request with Encrypted Body

   Below is an example of an encrypted text/plain message that says
   "Hello!".  The binary encrypted contents have been replaced with the
   block "BINARY BLOB 2".

   MESSAGE sip:kumiko@example.net SIP/2.0
   <allOneLine>
   Via: SIP/2.0/TCP 192.0.2.2:15001;
        branch=z9hG4bK-d8754z-609333791d00044c-1---d8754z-;
        rport=58318
        branch=z9hG4bK-d8754z-c276232b541dd527-1---d8754z-;
        rport=50741
   </allOneLine>
   Max-Forwards: 70
   To: <sip:kumiko@example.net>
   From: <sip:fluffy@example.com>;tag=625ceb5b <sip:fluffy@example.com>;tag=7a2e3025
   Call-ID: NDY4ZjJjMDllZTA4OTNlYjNhYjQ3NmE1YjIzODk5NGM. MDYyMDhhODA3NWE2ZjEyYzAwOTZlMjExNWI2ZWQwZGM.
   CSeq: 3260 MESSAGE
   <allOneLine>
   Accept: multipart/signed, text/plain, application/pkcs7-mime,
           application/sdp, multipart/alternative
   </allOneLine>
   <allOneLine>
   Content-Disposition: attachment;handling=required;
                        filename=smime.p7
   </allOneLine>
   Content-Transfer-Encoding: binary
   <allOneLine>
   Content-Type: application/pkcs7-mime;smime-type=enveloped-data;
                 name=smime.p7m
   </allOneLine>
   Content-Length: 565

   *****************
   * BINARY BLOB 2 *
   *****************

   Following is the ASN.1 parsing of "BINARY BLOB 2".  Note that at
   address 454, the encryption is set to aes128-CBC.

    0  561: SEQUENCE {
    4    9:   OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3)
   15  546:   [0] {
   19  542:     SEQUENCE {
   23    1:       INTEGER 0
   26  409:       SET {
   30  405:         SEQUENCE {
   34    1:           INTEGER 0
   37  125:           SEQUENCE {
   39  112:             SEQUENCE {
   41   11:               SET {
   43    9:                 SEQUENCE {
   45    3:                   OBJECT IDENTIFIER countryName (2 5 4 6)
   50    2:                   PrintableString 'US'
          :                   }
          :                 }
   54   19:               SET {
   56   17:                 SEQUENCE {
   58    3:                   OBJECT IDENTIFIER
          :                     stateOrProvinceName (2 5 4 8)
   63   10:                   PrintableString                   UTF8String 'California'
          :                   }
          :                 }
   75   17:               SET {
   77   15:                 SEQUENCE {
   79    3:                   OBJECT IDENTIFIER localityName (2 5 4 7)
   84    8:                   PrintableString                   UTF8String 'San Jose'
          :                   }
          :                 }
   94   14:               SET {
   96   12:                 SEQUENCE {
   98    3:                   OBJECT IDENTIFIER
          :                     organizationName (2 5 4 10)
    103    5:                   PrintableString                   UTF8String 'sipit'
          :                   }
          :                 }
    110   41:               SET {
    112   39:                 SEQUENCE {
    114    3:                   OBJECT IDENTIFIER
          :                     organizationalUnitName (2 5 4 11)
    119   32:                   PrintableString                   UTF8String 'Sipit Test Certificate Aut
hority'
                                            Authority'
          :                   }
          :                 }
          :               }
    153    9:             INTEGER 00 96 A3 84 17 4E EF 8A 4E
          :             }
    164   13:           SEQUENCE {
    166    9:             OBJECT IDENTIFIER
          :               rsaEncryption (1 2 840 113549 1 1 1)
    177    0:             NULL
          :             }
    179  256:           OCTET STRING
          :             13 04 66 18 17 D5 24 A6 2C 67 91 92             B9 12 8F 32 AB 4A E2 38 C1 E0 53 69 88 D6 25 E7
          :             40 03 B1 DE 79 21 A3 E8 23 5A 1B CB FB 58 F4 97
          :             48 A7 C8 F0 3D DF 41 A3 5A 90 32 70 82 FA B0 DE
          :             D8 94 7C 6C 2E 01 FE 33 BD 62 CB 07 4F 58 DE 6F
          :             EA 3F EF B4 FB 46 72 58 9A 88 A0 1F FC B6 85 BC 23 D7 C8
          :             22 71             09 E7 C0 D9 B3 FB 0D C0 27 CC E4 E0 A1 FF 0B 90 8D 4A 5F 3F 96 7C AC D4 E2 19 E8 02 B6
          :             FC CC AF B4 81 16 B2             0E F3 0D F2 91 4A 67 A9 EE 51 6A 97 D7 C3 53 78 49 59 DD DD 84 86 6D EC
          :             DB BC E4 D5             78 6E C6 E0 D9 D0 C0 E5 83 7C E1 5E 98 3C 2E 20 7B
       :             BC 3A 00 3B AC 88 71 91 46 F2 94 47 D0 D9 05 F6 1F 5A 40 59 60 0C D7 EB
          :             1B F3 EA             A3 FB 04 B3 C9 A5 EB 79 B7 69 21 97 DD E0 64 5D A8 30 ED B3 56 BE F8 F6 51 B2 5E
          :             BF 40 97 73             58 67 65 BE F6 53 C9 C0 D2 B3 61 07 E2 D8 17 28 33 A6 B8 35 8C 0E 14 7F 90 D0 7B
          :             97 42 CB 68 37 97 E4 C3 AB 10 09 66 53 E9 72 C7             03 00 6C 3D 81 29 F5 D7 E5 AC 75 5E E0 F0 DD E3
          :             A4 66 0C 09             3E B2 06 12 E1 49 67 B9 40 97 D6 0B BA 52 7D
       :             C3 9E B7 30 51 4B 41 49 A9 CB 5F AF EC A8 A0 AA 69 FF 38 08 F1 84 05 F5 C0 BC
          :             30 06 8B             55 A6 D4 C9 D8 FD A4 23 E5 AC 40 9F 9D 51 5B F7 05 05 86 F5 CE AD 7B FF BA 3A C3
          :             5D 46 4C 2E FE             C3 CD 3A E7 6D 7C E2 21 7A 75 37 10 7E 0D 4D
       :             82 9E 44 B1 34 AB 05 D0 59 A8 F8 50 75 4F 14 6A BD 3D 65 3E D8 77 76 C6
          :             6B 37 2E F8 54 7B 47 49 2F 55             13 A6 48 12 7B E8 76 2E 25 CC 22 5D 73 BD 8E 40 E4 15 02 A2
          :             3F 1E             39 4A CB D9 86 95 1A 05 EC 1A 62 96 0F 56 95 9B 26
       :             CD E2 55 08 A4 EE 4E 8A D6 81 EF 1C 92 D1 F2 81 34 83 8C 3F EF 5E BA C4 4A 46 9C
          :           }
          :         }
    439  124:       SEQUENCE {
    441    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
    452   29:         SEQUENCE {
    454    9:           OBJECT IDENTIFIER
          :             aes128-CBC (2 16 840 1 101 3 4 1 2)
    465   16:           OCTET STRING
          :             F9 4F C2 92 49 32 EB A9 E0 A5 AC AB EF 01 5D A5             CA 35 CA BD 1E 78 83 D9 20 6C 47 B9 9F DC 91 88
          :           }
    483   80:         [0]
          :           95 F0 53 3D 18 09 77 30           1B AE 12 C4 0E 55 96 AB 99 CC 1C 7F B5 98 A4 BF
          :           D2 AC 2B 1E 0A 51 E9 EB D8 7F 94 BB B5 38 05 59 F2 38 A1 CD 29 75 17
          :           E4 32 8B CA 69 8D BA E5 46           1D 63 9C 99 35 20 70 D3
       :           EE 7A 21 4B C3 E9 53 E5 1B 0B B0 7D 26 9A 6A 5C 11 6F
       :           59 72 B3 91 2D 88 06 7F 78 80 F3 5A 3E DC 35
          :           BF 22 1E 03 32 59 98 95 F6 69 89 DA FD 81 5F D9 41 E6 22 5B 2F EB 63 3A 18
          :           F5 9C 71 29 BB 1E           FD B5 84 14 01 97 9E 96 46 0B 40 EB 39 8A A2 C6 FC 56 29 86 47 8B D1 EE
          :         }
          :       }
          :     }
          :   }

4.3.  MESSAGE Request with Encrypted and Signed Body

   In the example below, some of the header values have been split
   across mutliple multiple lines.  Where the lines have been broken, the
   <allOneLine> convention has been used.  This was only done to make it
   fit in the RFC format.  Specifically, the application/pkcs7-mime
   Content-Type line is one line with no whitespace between the "mime;"
   and the "smime-type".  The values are split across lines for
   formatting, but are not split in the real message.  The binary
   encrypted content has been replaced with "BINARY BLOB 3", and the
   binary signed content has been replaced with "BINARY BLOB 4".

   MESSAGE sip:kumiko@example.net SIP/2.0
   <allOneLine>
   Via: SIP/2.0/TCP 192.0.2.2:15001;
        branch=z9hG4bK-d8754z-69c41c074ef38f70-1---d8754z-;
        rport=58319
        branch=z9hG4bK-d8754z-97a26e59b7262b34-1---d8754z-;
        rport=50742
   </allOneLine>
   Max-Forwards: 70
   To: <sip:kumiko@example.net>
   From: <sip:fluffy@example.com>;tag=85475653 <sip:fluffy@example.com>;tag=379f5b27
   Call-ID: NmVjYjE0NzNhNjczMDEyZGM3YWM5NmRjYWQxY2JlYTI. MjYwMzdjYTY3YWRkYzgzMjU0MGI4Mzc2Njk1YzJlNzE.
   CSeq: 5449 MESSAGE
   <allOneLine>
   Accept: multipart/signed, text/plain, application/pkcs7-mime,
           application/sdp, multipart/alternative
   </allOneLine>
   <allOneLine>
   Content-Type: multipart/signed;boundary=30145b1e6548046b; multipart/signed;boundary=e8df6e1ce5d1e864;
                 micalg=sha1;protocol="application/pkcs7-signature"
   </allOneLine>
   Content-Length: 1455

   --30145b1e6548046b

   --e8df6e1ce5d1e864
   <allOneLine>
   Content-Type: application/pkcs7-mime;smime-type=enveloped-data;
                 name=smime.p7m
   </allOneLine>
   <allOneLine>
   Content-Disposition: attachment;handling=required;
                        filename=smime.p7
   </allOneLine>
   Content-Transfer-Encoding: binary

   *****************
   * BINARY BLOB 3 *
   *****************
   --30145b1e6548046b
   --e8df6e1ce5d1e864
   Content-Type: application/pkcs7-signature;name=smime.p7s
   <allOneLine>
   Content-Disposition: attachment;handling=required;
                        filename=smime.p7s
   </allOneLine>
   Content-Transfer-Encoding: binary

   *****************
   * BINARY BLOB 4 *
   *****************
   --30145b1e6548046b--
   --e8df6e1ce5d1e864--
   Below is the ASN.1 parsing of "BINARY BLOB 3".

    0  561: SEQUENCE {
    4    9:   OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3)
   15  546:   [0] {
   19  542:     SEQUENCE {
   23    1:       INTEGER 0
   26  409:       SET {
   30  405:         SEQUENCE {
   34    1:           INTEGER 0
   37  125:           SEQUENCE {
   39  112:             SEQUENCE {
   41   11:               SET {
   43    9:                 SEQUENCE {
   45    3:                   OBJECT IDENTIFIER countryName (2 5 4 6)
   50    2:                   PrintableString 'US'
          :                   }
          :                 }
   54   19:               SET {
   56   17:                 SEQUENCE {
   58    3:                   OBJECT IDENTIFIER
          :                     stateOrProvinceName (2 5 4 8)
   63   10:                   PrintableString                   UTF8String 'California'
          :                   }
          :                 }
   75   17:               SET {
   77   15:                 SEQUENCE {
   79    3:                   OBJECT IDENTIFIER localityName (2 5 4 7)
   84    8:                   PrintableString                   UTF8String 'San Jose'
          :                   }
          :                 }
   94   14:               SET {
   96   12:                 SEQUENCE {
   98    3:                   OBJECT IDENTIFIER
          :                     organizationName (2 5 4 10)
    103    5:                   PrintableString                   UTF8String 'sipit'
          :                   }
          :                 }
    110   41:               SET {
    112   39:                 SEQUENCE {
    114    3:                   OBJECT IDENTIFIER
          :                     organizationalUnitName (2 5 4 11)
    119   32:                   PrintableString                   UTF8String 'Sipit Test Certificate Aut
hority'
                                            Authority'
          :                   }
          :                 }
          :               }
    153    9:             INTEGER 00 96 A3 84 17 4E EF 8A 4E
          :             }
    164   13:           SEQUENCE {
    166    9:             OBJECT IDENTIFIER
          :               rsaEncryption (1 2 840 113549 1 1 1)
    177    0:             NULL
          :             }
    179  256:           OCTET STRING
          :             74 D6 C9 2B 48 63 97 2B 56 C2 76 FF 0C D1 C4 EB
       :             D9 F1 DE 46 F5 0E 37 81 60 F8 03             49 11 39 99 60 F5
       :             9F 20 F8 41 53 96 C7 50 4C FF 6D 99 A0 E8 B6 B8
       :             AB 97 CD 6F A7 19 58 0B 11 52 A9 D0 2C F2 C4 B9 89 29 C0 9D E3 AA FB 86 CB EB 12 CC 8E
          :             66 F5 FF             96 9D 85 3E 80 51 CC 24 75 60 A8 D4 5D D2 7C C4 9B B7 81 4B B5 4C 6D 2B
       :             DE C5 A5 A8 A5 FA 7D 21 10 A5 E7 0C 98 67 66 48 13 80
          :             07 EF             6A 6A B2 34 72 D8 C0 82 60 DA B3 43 F8 51 8C 32
          :             8B DD 8F 68 2A 11 D0 76 6D 9C 46 4E B6 A1 73 C1 44 A0 68 EE 51
       :             6D 81 57 E9 27 98 75 B3 E5 08 CC A6 DA 7C 77 D4
       :             DC 10 FF 16 78 61 C7 A6 B1 CF 96 36 C9 D8 27 AC 1F D3 A4 83
          :             74 85 21 74 7D E0 FD 42 C0 97 00 82 A2 80 81 22
          :             A0 AF 1F B1 65 1B C8 EF BA             9C C8 AD 4B E6 AA FC
       :             53 03 8C C2 02 1F BF 20 AE 6F E7 3B 37 A2 82 0A 85 F0 68 EF 9A D7 6D 98 A3 1D 24 2B A9 5E
          :             13 D1 F4 A3 F4             B3 9A BE E0 B6 75 F5 B6 5B 86 A0 E1 3E A7 D9 1D 1C D7 42 CB 6F A5 81 66 23
          :             28 00 7C 99 6A B6 03 3F 7E F6 8E 93 4B 48 EA 91 49 01 62 35 F1
          :             FD 40 54 5D AC F7 84 EA 3F 27 43 FD DE E2 10 DD
          :             63 C4 35 4A 13 63 0B 6D 0D 9A D5 AB 72 39 69 8C
          :             65 4C 44 C4 A3 31 60 79 B9 A8 A3 A1 03 FD 41 87 7B 25
          :             12 B1 45 83 C6 61 E5 F3 F8 47 CE 8C 42 D9 26 77 A5 57 AF 1A 95
          :             44             BF 05 A5 E8 E9 47 F2 D1 CD A6 2B 17 B5 C8 25 D3 9C C2 B8 8B AE DC 13 7E 1B 83 5C 8C C4
          :             62 16 2C F4 50 72 F6 C3 4F 2B 33 30             1F 31 BC 59 97 BF 22 E6 FD 6E 9A B0 91 EC 71 A6 7F 28 3E
          :             54 36             23 4F 10 06 61 D0 B6 F8 6F 20 BF 88 1B 40 E2 C0 60 CF 5E 5B 86 08 0B 06 82 B4 B7 DB
          :             00 DD AC 3A 39 27 E2 7C 96 AD 8A E9 C3 B8 06 5E
          :           }
          :         }
    439  124:       SEQUENCE {
    441    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
    452   29:         SEQUENCE {
    454    9:           OBJECT IDENTIFIER
          :             aes128-CBC (2 16 840 1 101 3 4 1 2)
    465   16:           OCTET STRING
          :             71 3B EA E0             88 9B 13 75 A7 66 14 C3 CF CD C6 FF D2 91 5D FE D0 5E 6D EA AC 0B B9 6B 3A 99 A0
          :           }
    483   80:         [0]
          :           41 E7 5A B1 AC F0 A6 BC 9F 52 4F 83 D5 C5 6C 23           80 0B A3 B7 57 89 B4 F4 70 AE 1D 14 A9 35 DD F9
          :           49 17 20 78 9D C9 73 CB CC 48 8A 61 EB           1D 66 29 46 2D D4
       :           4A 03 6A 4A 31 E9 F7 52 5B 01 40 13 E1 3B 4A 23 E5 EC AB F9 35
          :           A6 34 38 B9 67 DD B6 A4 BE C0 02 31 06 19 C4 39 22 7D 10 4C 0D
          :           BD           F4 96 04 78 53 59 63 5A 45 2E 02 51 18 B0 F2 43 77 4F 11 85 4E 7E E3 C3 BC B2 DF 55 17 79
          :           89           5F F2 4E EA 21 E7 FC FF 7C FD 82 41 26 C6 D5 35 29 E5 25 42 37 45 39 5D F6 DA 57 9A 4E 0B
          :         }
          :       }
          :     }
          :   }

   Below is the ASN.1 parsing of "BINARY BLOB 4".

    0  472: SEQUENCE {
    4    9:   OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
   15  457:   [0] {
   19  453:     SEQUENCE {
   23    1:       INTEGER 1
   26   11:       SET {
   28    9:         SEQUENCE {
   30    5:           OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
   37    0:           NULL
          :           }
          :         }
   39   11:       SEQUENCE {
   41    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
          :         }
   52  420:       SET {
   56  416:         SEQUENCE {
   60    1:           INTEGER 1
   63  125:           SEQUENCE {
   65  112:             SEQUENCE {
   67   11:               SET {
   69    9:                 SEQUENCE {
   71    3:                   OBJECT IDENTIFIER countryName (2 5 4 6)
   76    2:                   PrintableString 'US'
          :                   }
          :                 }
   80   19:               SET {
   82   17:                 SEQUENCE {
   84    3:                   OBJECT IDENTIFIER
          :                     stateOrProvinceName (2 5 4 8)
   89   10:                   PrintableString                   UTF8String 'California'
          :                   }
          :                 }
    101   17:               SET {
    103   15:                 SEQUENCE {
    105    3:                   OBJECT IDENTIFIER localityName (2 5 4 7)
    110    8:                   PrintableString                   UTF8String 'San Jose'
          :                   }
          :                 }
    120   14:               SET {
    122   12:                 SEQUENCE {
    124    3:                   OBJECT IDENTIFIER
          :                     organizationName (2 5 4 10)
    129    5:                   PrintableString                   UTF8String 'sipit'
          :                   }
          :                 }
    136   41:               SET {
    138   39:                 SEQUENCE {
    140    3:                   OBJECT IDENTIFIER
          :                     organizationalUnitName (2 5 4 11)

    145   32:                   PrintableString                   UTF8String 'Sipit Test Certificate Aut
hority'
                                            Authority'
          :                   }
          :                 }
          :               }
    179    9:             INTEGER 00 96 A3 84 17 4E EF 8A 4D
          :             }
    190    9:           SEQUENCE {
    192    5:             OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
    199    0:             NULL
          :             }
    201   13:           SEQUENCE {
    203    9:             OBJECT IDENTIFIER
          :               rsaEncryption (1 2 840 113549 1 1 1)
 214    0:             NULL
       :             }
 216  256:           OCTET STRING
       :             7E A7 3D FD 62 05 89 BD 84 04 E7 6C E1 9C 12 90
       :             D5 23 55 65 54 D8 57 30 60 93 14 8A F0 99 E5 B7 113549 1 1 1)
    214    0:             NULL
          :             81 2B 99 14 4A B0 05 A4 DB 5A FD F2 2B E2 F3 43             }
    216  256:           OCTET STRING
          :             7E             6E 51 AC 24 2E BA 7C A1 EE 80 A8 55 BC D4 64 5D
          :             E5 29 37 F3 08 76 95 1C 43 B0 98 E6 09 81 28 95
       :             FB DF FD CD 5F B2 AF 70 DA 07 21 AA 6F 91 D2 97 79 32 5B AF CA
          :             FE A1 73 FC E5 57 4E C6 3B 67 99 11 C4 B9 D6 01 35 AA E4 78 1E 59
          :             9A 6C CC 58 9F 2D             93 EE 67 63 77 1E 7A 82 BC 1E 26 0F 39 75 0C A6 44 D3 72 D3 5C 96 3B E1 E2
          :             F4 90 31 66 A3             26 92 01 6A B7 66 1B 5D F0 C0 2C 51 46 FB A7 36 44 E3
          :             64 C6 11 CB 0B 6B FD F3 6D 7C FD 3E AE 2E 29 58 1D 18 15 BA 91 BB
          :             ED 26 D4 B1 A5 F8 67             78 9E F4 34 32 45 EA 1B A1 20 68 B9 DE D3 E3 0C FC F7 14 9A
          :             2C 64 AB 22 AD B7 27 52 BD 52 EC 27 88 14 BD DB C3 54 C7
          :             66 BC 3D 2A             EA 48 DB 07 E9 9B 2E C8 BE 62 A2 76 83 53 37 E8
          :             02 4B D1 86 E9 DF 2E BD 93 39 EC 2F 01 53 A0 7F
          :             1A B9 A6 31 FC E7 91 1C EF 83 DB 22 4A 67 83 94 B3 DE A5 FA F5 51
       :             FD 8B C5 F0 86 06 C4 ED FB FB E1 32 F3 4B C2 41 B2 4E
          :             FC 8F FD             28 A9 CD 9E FF 9B 1D 09 8C E4 F9 45 0F 65 DC DE 4A 04 6A E0 86 90 7B 58 5F DB 7A 96
          :             C6 83 A3             96 8E 8B 68 E4 A0 25 61 C2 58 A2 28 E5 B3 3F 33 EC 1C B2 F1 6D 51 06 EB 36 9C
          :             21 23 4C 47 AB 2C A1 EB 1A 37 01             78 9E 97 5D A8 61 0D D8 3A A7 9F A3 B5 87 0B 80 11 C2 A9 1A
          :             FF 7F B6 B2 33 A8 02 01 E3 C5 ED E8 28 0C 6A             E5 17 1C EB 82 55 AB CD 04 E7 D9
       :             A0 7B EA 5B 11 E8 B7 47 56 3E 9B 24 9C 14 71 40 8F A4 5C 6A
          :             34             FE FD CC B7 DB 47 28 DE C4 6B 7C F1 05 5D 2E 31 29 4C 67 6F 77 85 9E 24 D8 11 E1 E4 7D
          :           }
          :         }
          :       }
          :     }
          :   }

5.  Observed Interoperability Issues

   This section describes some common interoperability problems.  These
   were observed by the authors at SIPit interoperability events.
   Implementers should be careful to verify that their systems do not
   introduce these common problems, and, when possible, make their
   clients forgiving in what they receive.  Implementations should take
   extra care to produce reasonable error messages when interacting with
   software that has these problems.

   Some SIP clients incorrectly only do SSLv3 and do not support TLS.
   See Section 26.2.1 of [RFC3261].

   Many SIP clients were found to accept expired certificates with no
   warning or error.  See Section 4.1.2.5 of [RFC5280].

   When used with SIP, TLS and S/MIME provide the identity of the peer
   that a client is communicating with in the Subject Alternative Name
   in the certificate.  The software checks that this name corresponds
   to the identity the server is trying to contact.  Normative text
   describing path validation can be found in Section 7 of [RFC5922] and
   Section 6 of [RFC5280].  If a client is trying to set up a TLS
   connection to good.example.com and it gets a TLS connection set up
   with a server that presents a valid certificate but with the name
   evil.example.com, it will typically generate an error or warning of
   some type.  Similarly with S/MIME, if a user is trying to communicate
   with sip:fluffy@example.com, one of the items in the Subject
   Alternate Name set in the certificate will need to match according to
   the certificate validation rules in Section 23 of [RFC3261] and
   Section 6 of [RFC5280].

   Some implementations used binary MIME encodings while others used
   base64.  It is advisable that implementations send only binary and
   are prepared to receive either.  See Section 3.2 of [RFC5621].

   In several places in this document, the messages contain the encoding
   for the SHA-1 digest algorithm identifier.  The preferred form for
   encoding as set out in Section 2 of [RFC3370] is the form in which
   the optional AlgorithmIdentifier parameter field is omitted.
   However, [RFC3370] also says the recipients need to be able to
   receive the form in which the AlgorithmIdentifier parameter field is
   present and set to NULL.  Examples of the form using NULL can be
   found in Section 4.2 of [RFC4134].  Receivers really do need to be
   able to receive the form that includes the NULL because the NULL
   form, while not preferred, is what was observed as being generated by
   most implementations.  Implementers should also note that if the
   algorithm is MD5 instead of SHA-1, then the form that omits the
   AlgorithmIdentifier parameters field is not allowed and the sender
   has to use the form where the NULL is included.

   The preferred encryption algorithm for S/MIME in SIP is AES as
   defined in [RFC3853].

   Observed S/MIME interoperability has been better when UAs did not
   attach the senders' certificates.  Attaching the certificates
   significantly increases the size of the messages, which should be
   considered when sending over UDP.  Furthermore, the receiver cannot
   rely on the sender to always send the certificate, so it does not
   turn out to be useful in most situations.

   Please note that the certificate path validation algorithm described
   in Section 6 of [RFC5280] is a complex algorithm for which all of the
   details matter.  There are numerous ways in which failing to
   precisely implement the algorithm as specified in Section 6 of
   [RFC5280] can create a security flaw, a simple example of which is
   the failure to check the expiration date that is already mentioned
   above.  It is important for developers to ensure that this validation
   is performed and that the results are verified by their applications
   or any libraries that they use.

6.  Additional Test Scenarios

   This section provides a non-exhaustive list of tests that
   implementations should perform while developing systems that use
   S/MIME and TLS for SIP.

   Much of the required behavior for inspecting certificates when using
   S/MIME and TLS with SIP is currently underspecified.  The non-
   normative recommendations in this document capture the current
   folklore around that required behavior, guided by both related
   normative works such as [RFC4474] (particulary, (particularly, Section 13.4 Domain
   Names and Subordination) and informative works such as [RFC2818]
   Section 3.1.  To summarize, test plans should:

   o  For S/MIME secured bodies, assure that the peer's URI (address-of-
      record, as per [RFC3261] Section 23.3) appears in the
      subjectAltName of the peer's certifcate certificate as a
      uniformResourceIdentifier field.

   o  For TLS, assure that the peer's hostname appears as described in
      [RFC5922].  Also:

      *  assure an exact match in a dNSName entry in the subjectAltName
         if there are any dNSNames in the subjectAltName.  Wildcard
         matching is not allowed against these dNSName entries.  See
         Section 7.1 of [RFC5922].

      *  assure that the most specific CommonName in the Subject field
         matches if there are no dNSName entries in the subjectAltName
         at all (which is not the same as there being no matching
         dNSName entries).  This match can be either exact, or against
         an entry that uses the wildcard matching character '*'

      The peer's hostname is discovered from the initial DNS query in
      the server location process [RFC3263].

   o  IP addresses can appear in subjectAltName ([RFC5280]) of the
      peer's certificate, e.g.  "IP:192.168.0.1".  Note that if IP
      addresses are used in subjectAltName, there are important
      ramifications regarding the use of Record-Route headers that also
      need to be considered.  See Section 7.5 of [RFC5922].  Use of IP
      addresses instead of domain names is inadvisable.

   For each of these tests, an implementation will proceed past the
   verification point only if the certificate is "good".  S/MIME
   protected requests presenting bad certificate data will be rejected.
   S/MIME protected responses presenting bad certificate information
   will be ignored.  TLS connections involving bad certificate data will
   not be completed.

   1.   S/MIME : Good peer certificate

   2.   S/MIME : Bad peer certificate (peer URI does not appear in
        subjAltName)
        subjectAltName)

   3.   S/MIME : Bad peer certificate (valid authority chain does not
        end at a trusted CA)

   4.   S/MIME : Bad peer certificate (incomplete authority chain)

   5.   S/MIME : Bad peer certificate (the current time does not fall
        within the period of validity)

   6.   S/MIME : Bad peer certificate (certificate (certificate, or cert certificate in
        authority
        chain chain, has been revoked)

   7.   S/MIME : Bad peer certificate ("Digital Signature" is not
        specified as an X509v3 Key Usage)

   8.   TLS : Good peer certificate (hostname appears in dNSName in
        subjAltName)
        subjectAltName)

   9.   TLS : Good peer certificate (no dNSNames in subjAltName, subjectAltName,
        hostname appears in CN of Subject)

   10.  TLS : Good peer certificate (CN of Subject empty, and
        subjectAltName extension contains an iPAddress stored in the
        octet string in network byte order form as specified in RFC 791
        [RFC0791])

   11.  TLS : Bad peer certificate (no match in dNSNames or in the
        Subject CN)

   12.  TLS : Bad peer certificate (valid authority chain does not end
        at a trusted CA)

   13.  TLS : Bad peer certificate (incomplete authority chain)

   14.  TLS : Bad peer certificate (the current time does not fall
        within the period of validity)

   15.  TLS : Bad peer certificate (certificate (certificate, or cert certificate in
        authority
        chain chain, has been revoked)

   16.  TLS : Bad peer certificate ("TLS Web Server Authentication" is
        not specified as an X509v3 Key Usage)

   17.  TLS : Bad peer certificate (Neither "SIP Domain" nor "Any
        Extended Key Usage" specified as an X509v3 Extended Key Usage,
        and X509v3 Extended Key Usage is present)

7.  IANA Considerations

   No IANA actions are required.

8.  Acknowledgments

   Many thanks to the developers of all the open source software used to
   create these call flows.  This includes the underlying crypto and TLS
   software used from openssl.org, the SIP stack from
   www.resiprocate.org, and the SIMPLE IMPP agent from www.sipimp.org.
   The TLS flow dumps were done with SSLDump from
   http://www.rtfm.com/ssldump.  The book "SSL and TLS" [EKR-TLS] was a
   huge help in developing the code for these flows.  It's sad there is
   no second edition.

   Thanks to Jim Schaad, Russ Housley, Eric Rescorla, Dan Wing, Tat
   Chan, and Lyndsay Campbell who all helped find and correct mistakes
   in this document.

   Vijay Gurbani and Alan Jeffrey contributed much of the additional
   test scenario content.

9.  Security Considerations

   Implementers must never use any of the certificates provided in this
   document in anything but a test environment.  Installing the CA root
   certificates used in this document as a trusted root in operational
   software would completely destroy the security of the system while
   giving the user the impression that the system was operating
   securely.

   This document recommends some things that implementers might test or
   verify to improve the security of their implementations.  It is
   impossible to make a comprehensive list of these, and this document
   only suggests some of the most common mistakes that have been seen at
   the SIPit interoperability events.  Just because an implementation
   does everything this document recommends does not make it secure.

   This document does not show any messages to check certificate
   revocation status (see Sections 3.3 and 6.3 of [RFC5280]) as that is
   not part of the SIP call flow.  The expectation is that revocation
   status is checked regularly to protect against the possibility of
   certificate compromise or repudiation.  For more information on how
   certificate revocation status can be checked, see [RFC2560] (Online
   Certificate Status Protocol) and [RFC5055] (Server-Based Certificate
   Validation Protocol).

10.  Changelog

   (RFC Editor: remove this section)

   -02 to -03

      *  Re-worded "should" and "must" so that the document doesn't
         sound like it is making normative statements.  Actual normative
         behavior is referred to in the respective RFCs.

      *  Section 5: re-worded paragraphs 4 and 5 regarding
         subjectAltName, and added references.

      *  Section 6: added references, clarified use of IP addresses, and
         clarified which From/To URI is used for comparison (from
         section 23.2).  Added an EKU test case.

      *  Section 9: added text about certificate revocation checking.

      *  Appendix B.3: new section to present certificate chains longer
         than 2 (non-root CA).

      *  Made examples consistently use <allOneLine> convention.

      *  CSeq looks more random.

      *  Serial numbers in certs certificates are non-zero.

      *  All flows re-generated using new certs. certificates.  IP addresses
         conform to RFC 5737.

      *  Updated references.

   -01 to -02

      *  Draft is now informational, not standards track.  Normative-
         sounding language and references to RFC 2119 removed.

      *  Add TODO: change "hello" to "Hello!" in example flows for
         consistency.

      *  Add TODO: Fix subjectAltName DNS:com to DNS:example.com and
         DNS:net to DNS:example.net.

      *  Add TODO: use allOneLine convention from RFC4475.

      *  Section 3: updated open issue regarding contact headers in
         MESSAGE.

      *  Section 3.2: added some text about RFC 3263 and connection
         reuse and closed open issue.

      *  Section 5: clarified text about sender attaching certs, closed
         issue.

      *  Section 5: clarified text about observed problems, closed
         issue.

      *  Section 5: closed issue about clients vs. servers vs. proxies.

      *  Section 6: updated section text and open issue where IP address
         is in subjectAltName.

      *  Section 6: added normative references and closed "folklore"
         issue.

      *  Section 6: added cases about cert usage and broken chains,
         updated OPEN ISSUE: we need a SIP EKU example.

      *  References: updated references to drafts and re-categorized
         informative vs. normative.

      *  Section 9: added some text about revocation status and closed
         issue.

      *  Appendix B: open issue: do we need non-root-CA certs and host
         certs signed by them for help in testing cases in Section 6?

      *  Miscellaneous minor editorial changes.

   -00 to -01

      *  Addition of OPEN ISSUES.

      *  Numerous minor edits from mailing list feedback.

   to -00

      *  Changed RFC 3369 references to RFC 3852.

      *  Changed draft-ietf-sip-identity references to RFC 4474.

      *  Added an ASN.1 dump of CMS signed content where SHA-1
         parameters are omitted instead of being set to ASN.1 NULL.

      *  Accept headers added to messages.

      *  User and domain certificates are generated with EKU as
         specified in Draft SIP EKU.

      *  Message content that is shown is computed using certificates
         generated with EKU.

      *  Message dump archive returned.

      *  Message archive contains messages formed with and without EKU
         certificates.

   prior to -00

      *  Incorporated the Test cases from Vijay Gurbani's and Alan
         Jeffrey's Use of TLS in SIP draft

      *  Began to capture the folklore around where identities are
         carried in certificates for use with SIP

      *  Removed the message dump archive pending verification (will
         return in -02)

11.  References

11.1.  Normative References

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
              September 1981.

   [RFC2560]  Myers, M., Ankney, R., Malpani, A., Galperin, S., and C.
              Adams, "X.509 Internet Public Key Infrastructure Online
              Certificate Status Protocol - OCSP", RFC 2560, June 1999.

   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
              A., Peterson, J., Sparks, R., Handley, M., and E.
              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
              June 2002.

   [RFC3263]  Rosenberg, J. and H. Schulzrinne, "Session Initiation
              Protocol (SIP): Locating SIP Servers", RFC 3263,
              June 2002.

   [RFC3370]  Housley, R., "Cryptographic Message Syntax (CMS)
              Algorithms", RFC 3370, August 2002.

   [RFC3428]  Campbell, B., Rosenberg, J., Schulzrinne, H., Huitema, C.,
              and D. Gurle, "Session Initiation Protocol (SIP) Extension
              for Instant Messaging", RFC 3428, December 2002.

   [RFC3853]  Peterson, J., "S/MIME Advanced Encryption Standard (AES)
              Requirement for the Session Initiation Protocol (SIP)",
              RFC 3853, July 2004.

   [RFC4474]  Peterson, J. and C. Jennings, "Enhancements for
              Authenticated Identity Management in the Session
              Initiation Protocol (SIP)", RFC 4474, August 2006.

   [RFC5055]  Freeman, T., Housley, R., Malpani, A., Cooper, D., and W.
              Polk, "Server-Based Certificate Validation Protocol
              (SCVP)", RFC 5055, December 2007.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

   [RFC5621]  Camarillo, G., "Message Body Handling in the Session
              Initiation Protocol (SIP)", RFC 5621, September 2009.

   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              RFC 5652, September 2009.

   [RFC5751]  Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet
              Mail Extensions (S/MIME) Version 3.2 Message
              Specification", RFC 5751, January 2010.

   [RFC5922]  Gurbani, V., Lawrence, S., and A. Jeffrey, "Domain
              Certificates in the Session Initiation Protocol (SIP)",
              RFC 5922, June 2010.

   [RFC5923]  Gurbani, V., Mahy, R., and B. Tate, "Connection Reuse in
              the Session Initiation Protocol (SIP)", RFC 5923,
              June 2010.

   [RFC5924]  Lawrence, S. and V. Gurbani, "Extended Key Usage (EKU) for
              Session Initiation Protocol (SIP) X.509 Certificates",
              RFC 5924, June 2010.

   [X.509]    International Telecommunications Union, "Information
              technology - Open Systems Interconnection - The Directory:
              Public-key and attribute certificate frameworks", ITU-
              T Recommendation X.509 (2005), ISO/IEC 9594-8:2005.

   [X.683]    International Telecommunications Union, "Information
              technology - Abstract Syntax Notation One (ASN.1):
              Parameterization of ASN.1 specifications", ITU-
              T Recommendation X.683 (2002), ISO/IEC 8824-4:2002, 2002.

11.2.  Informative References

   [EKR-TLS]  Rescorla, E., "SSL and TLS - Designing and Building Secure
              Systems", 2001.

   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

   [RFC4134]  Hoffman, P., "Examples of S/MIME Messages", RFC 4134,
              July 2005.

   [RFC4475]  Sparks, R., Hawrylyshen, A., Johnston, A., Rosenberg, J.,
              and H. Schulzrinne, "Session Initiation Protocol (SIP)
              Torture Test Messages", RFC 4475, May 2006.

   [RFC4514]  Zeilenga, K., "Lightweight Directory Access Protocol
              (LDAP): String Representation of Distinguished Names",
              RFC 4514, June 2006.

   [ssldump-manpage]
              Rescorla, E., "SSLDump manpage".

Appendix A.  Making Test Certificates

   These scripts allow you to make certificates for test purposes.  The
   certificates will all share a common CA root so that everyone running
   these scripts can have interoperable certificates.  WARNING - these
   certificates are totally insecure and are for test purposes only.
   All the CA created by this script share the same private key to
   facilitate interoperability testing, but this totally breaks the
   security since the private key of the CA is well known.

   The instructions assume a Unix-like environment with openssl
   installed, but openssl does work in Windows too.  OpenSSL version
   0.9.8j was used to generate the certificates used in this document.
   Make sure you have openssl installed by trying to run "openssl".  Run
   the makeCA script found in Appendix A.1; this creates a subdirectory
   called demoCA.  If the makeCA script cannot find where your openssl
   is installed you will have to set an environment variable called
   OPENSSLDIR to whatever directory contains the file openssl.cnf.  You
   can find this with a "locate openssl.cnf".  You are now ready to make
   certificates.

   To create certs certificates for use with TLS, run the makeCert script
   found in Appendix A.2 with the fully qualified domain name of the
   proxy you are making the certificate for.  For example, "makeCert
   host.example.net".
   host.example.net domain eku".  This will generate a private key and a
   certificate.  The private key will be left in a file named
   domain_key_example.net.pem in pem Privacy Enhanced Mail (PEM) format.
   The certificate will be in domain_cert_example.net.pem.  Some
   programs expect both the certificate and private key combined
   together in a PKCS12 Public-key Cryptography Standards (PKCS) #12 format
   file.  This is created by the script and left in a file named
   example.net.p12.  Some programs expect this file to have a .pfx
   extension instead of .p12 - just rename the file if needed.  A file
   with a certificate signing request, called example.net.csr, is also
   created and can be used to get the certificate signed by another CA.

   A second argument indicating the number of days for which the
   certificate should be valid can be passed to the makeCert script.  It
   is possible to make an expired certificate using the command
   "makeCert host.example.net 0".

   Anywhere that a password is used to protect a certificate, the
   password is set to the string "password".

   The root certificate for the CA is in the file
   root_cert_fluffyCA.pem.

   For things that need DER format certificates, a certificate can be
   converted from PEM to DER with "openssl x509 -in cert.pem -inform PEM
   -out cert.der -outform DER".

   Some programs expect certificates in PKCS#7 PKCS #7 format (with a file
   extension of .p7c).  You can convert these from PEM format to PKCS#7 PKCS #7
   with "openssl crl2pkcs7 -nocrl -certfile cert.pem -certfile demoCA/
   cacert.pem -outform DER -out cert.p7c"

   IE (version 8), Outlook Express (version 6), and Firefox (version
   3.5) can import and export .p12 files and .p7c files.  You can
   convert a pkcs7 PKCS #7 certificate to PEM format with "openssl pkcs7 -in
   cert.p7c -inform DER -outform PEM -out cert.pem".

   The private key can be converted to pkcs8 PKCS #8 format with "openssl
   pkcs8 -in a_key.pem -topk8 -outform DER -out a_key.p8c"

   In general, a TLS client will just need the root certificate of the
   CA.  A TLS server will need its private key and its certificate.
   These could be in two PEM files, a single file with both certificate
   and private key PEM sections, or a single .p12 file.  An S/MIME
   program will need its private key and certificate, the root
   certificate of the CA, and the certificate for every other user it
   communicates with.

A.1.  makeCA script

   #!/bin/sh
   set -x

   rm -rf demoCA

   mkdir demoCA
   mkdir demoCA/certs
   mkdir demoCA/crl
   mkdir demoCA/newcerts
   mkdir demoCA/private
   # This is done to generate the exact serial number used for the RFC
   echo "4902110184015C" > demoCA/serial
   touch demoCA/index.txt

   # You may need to modify this for where your default file is
   # you can find where yours in by typing "openssl ca"
   for D in /etc/ssl /usr/local/ssl /sw/etc/ssl /sw/share/ssl; do
     CONF=${OPENSSLDIR:=$D}/openssl.cnf
     [ -f ${CONF} ] && break
   done

   CONF=${OPENSSLDIR}/openssl.cnf
   if [ ! -f $CONF  ]; then
       echo "Can not find file $CONF - set your OPENSSLDIR variable"
       exit
   fi

   cp $CONF openssl.cnf

   cat >> openssl.cnf  <<EOF
   [ sipdomain_cert ]
   subjectAltName=\${ENV::ALTNAME}
   basicConstraints=CA:FALSE
   subjectKeyIdentifier=hash
   authorityKeyIdentifier=keyid,issuer:always
   authorityKeyIdentifier=keyid,issuer
   keyUsage = nonRepudiation,digitalSignature,keyEncipherment
   extendedKeyUsage=serverAuth,1.3.6.1.5.5.7.3.20

   [ sipdomain_req ]
   basicConstraints = CA:FALSE
   subjectAltName=\${ENV::ALTNAME}
   subjectKeyIdentifier=hash

   [ sipuser_cert ]
   subjectAltName=\${ENV::ALTNAME}
   basicConstraints=CA:FALSE
   subjectKeyIdentifier=hash
   authorityKeyIdentifier=keyid,issuer:always
   authorityKeyIdentifier=keyid,issuer
   keyUsage = nonRepudiation,digitalSignature,keyEncipherment
   extendedKeyUsage=emailProtection,1.3.6.1.5.5.7.3.20

   [ sipuser_req ]
   basicConstraints = CA:FALSE
   subjectAltName=\${ENV::ALTNAME}
   subjectKeyIdentifier=hash

   [ sipdomain_noeku_cert ]
   subjectAltName=\${ENV::ALTNAME}
   basicConstraints=CA:FALSE
   subjectKeyIdentifier=hash
   authorityKeyIdentifier=keyid,issuer:always
   authorityKeyIdentifier=keyid,issuer
   keyUsage = nonRepudiation,digitalSignature,keyEncipherment

   [ sipdomain_noeku_req ]
   basicConstraints = CA:FALSE
   subjectAltName=\${ENV::ALTNAME}
   subjectKeyIdentifier=hash

   [ sipuser_noeku_cert ]
   subjectAltName=\${ENV::ALTNAME}
   basicConstraints=CA:FALSE
   subjectKeyIdentifier=hash
   authorityKeyIdentifier=keyid,issuer:always
   authorityKeyIdentifier=keyid,issuer
   keyUsage = nonRepudiation,digitalSignature,keyEncipherment

   [ sipuser_noeku_req ]
   basicConstraints = CA:FALSE
   subjectAltName=\${ENV::ALTNAME}
   subjectKeyIdentifier=hash

   EOF

   cat > demoCA/private/cakey.pem <<EOF
   -----BEGIN ENCRYPTED PRIVATE KEY-----
   MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIiJYqQKtuiS0CAggA
   MBQGCCqGSIb3DQMHBAiNK9djStGRcgSCBMhyfVjcNeZk9J4Mi/aWvy//9v/Htx9q
   V0F6S2qdXhuSHzcJPAAoCKAvXuySszn1GSdeMcRy927nFoAf2EROawpJ5bVMe5YQ
   /lkmfo/+whlsizpX9yF84NeJ71vCOXIvvhUhD9vTUzhdmV/pM3Mtb/W4f35iEgoO
   y8EnSO3zs4+b2A07eoPspudj7exYgB7BFkUCnPaPF92O8GAFkcCnNRm43Dy+T22p
   m1inp5QLi5ODTbIKy+5Uaki7OP9bRmrxotDOWbXlHulYH9NOMQN1BbozJ3/PJe3U
   Zn2g3KHYlEUlPoYV/GLBI064dYirMCG1uKTZpCGunGOQjj5EWzWbDYIUpAnxDboN
   yKBpnMQxjsBz8/lP36HcPuVw2prTbTOCyaVjOip7p11Oq2XPHkqhWHJ6ZMypDG/3
   Y/qbkROZAB3FemkfPBwjisJMQSlVIUW/PoU9Jtl2sOQ45KB3ZLEzUuOM94hc1Zmd
   6VP1Iaj8irQ5Jsn8MrmIXy3566It/MX/hl395I2T0misVxoqpY5KpRsVGoj0D4bx
   fcitKQrReWOU1+rNGCpHoRNj+1Iv3cTn2QiBMHGB7QI17qKlTmITCRa7SdpdWvE7
   ZCM1IaNuK5PgiVQymuodvWygA4oX/mmcWKRBze6rl5sUGHzHKijdp+276ochDrzZ
   goyB5zqK3epF4NWeKYkm/pOOa8htzQ2rl8Fyly0jE4Diw9XciPe5KW5qjr1tOJfF
   ryborU1L1pLKvgt0nsKuXIDdqmD6xhCkssE6fcC+svS/91Q5cZB8Aiu9lmB6DRuy
   gtUDjafgeLXuZviyh9GyMtlVRKL61zzlpAkav84p27q1XmpmMkN7V5fbDQE+xl7k
   RLXKw5lWTgj/435YM4anAPJaF/cl8EdxgK2r6sy5FBqE2uM6d2N9ghbnAPF1HlSa
   wg7s+vm54MHTdIj3LWYq3hnuVU0dn5/IJvKBbadj9DdXUAio2d3GrNVkUZLNSQtm
   cCGVEIvzSO2DcDZhmBM0Ub6uWPmxfXShNWJ5L7ZrW41o19ejEUcVnP7arEIdvxsZ
   fBqSXMZXw2WW+nU18qlXexkI77A4sLZIOHjRKzsS2QpV6OTzMfP/EHLluLYK+C3t
   8cds9cBfd2PNyv9PlZySjSBCOCkzN7udmcldyeyflBmbNoBvbu1ti7fv3/ZQWelX
   K45EW+FbnSCUfrmeanrWFSs2wgxHeB0IqKvWAqraY0qYFMfiPp8d4lgK5wJqM5bk
   1HRlwnUIEnXRTEe8MPW9/HNgyPeu7LlSe5D/zCjSs2qlfIsfjAi0tekITYHD19oy
   vpjIkHGQeXq9N3NucuDAQ9RlZWvw9RKLkzzzY7VFT+3Zx5FaDgSM9+igGlPbAE/8
   p3h+MW18StyG9DsQ0DTurhL/fhFYtjiSCksAsmjjX4lVwWaLGEk949vKISCdAlab
   BS7YUMBHrsvywTDdwygENzNlDQ1OK5d2zTjcdpSe8z+yrWj3dKLVCO9QPSkuECo6
   Izm6JmZXCjn4+PhPmChZGIoB8E3cTyuLd64AzyhSAY0J0myNYVE9Po90yPp+J/86
   D6dpNldxJTWm5/myrbdT2dvc2glV0XUIdMKMc16aaD7AX56fCfYt7sWyAZ6nAgwm
   t4U=
   MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIlwtc771DlNUCAggA
   MBQGCCqGSIb3DQMHBAhRD3Z1i2TavwSCBMgXoXo0H/dTplHwnqfW7Uh1dr776z7B
   lsNxlenMA6lYmALF/4E1tqOE2/aEbr8W3wTVjNpew9r5TBsbA1I9/FMMe+USc1ra
   5pIdDLx7ynzHvxcUWJ1xbWGeLcEmXGOvzkwW/oOg49Yq1ce1GtlLSV2L7Wi93TUQ
   Q8i5l0X0xjx7cB7kaHTOTyaN0sxUE3qlQ2sXTbbHWUfIaNpEZUI5ITrDUflfMnxb
   RogQGv+5owsM7zwzfyGz3QocM9WaZwKFOEOqBvEfGaaZ9ml+cn1Rz/1Id7tSBlRH
   3ucN2mGdEVIUvzSACZ9LPuIO7WBGM56enDRsqZji4WfqDHdXa4gkJKqPEJeBnLVA
   jxCmLJSyikM25kHDm8LWuOckO/Rk+7999h13Qv1Ynm7yCincorqdlTrAdmq1Z8Tj
   QPgXioTlx6++6yxiDCV7Mwkydox31K9y/Tf2cZ//dWuf/lfMaaq8HfpSNl4RKqsz
   ufL41K5sCzPRIugUdooUQSGPC0JgcskPcifT6zvrI62KLPFVrwG5HT9PdevQvC6O
   VgglxbEGJ7I4vllzmY62/0LtQKIA6bh8pszvvmHjGo9s+f+p7KJVYygEHNEmRTm+
   8M2owk67033sV6IClDOAdRL8siTHmcmM+r1x9VVIppsDrzjqQqYVGYBbjEJW8eQp
   t7kAjuN48tDD1mS8E6DstPv/6S0AjzAqCbjkuPJ0WU5fD1cY+iTpo9vcunohcj+i
   KVXsM34wOsBpMBjFQ+Aww5bsIkEV1liOYLav1F7/BvP2s0gc3puM5W35y1cbKLu2
   ThJV7mIWoV770aQYpJba0UAk9OzBVEvPNahrDI1NucbEkFrhN2pfnOs7k4UvrjiK
   uknKrm3gocDOdstyMZX81Beyj06NhpcJH+bOSvROk/d68aAsapy6qS9hLijNNbcd
   itQ/fo+1o9MDujT/huj7ZFqdzNM3KA6vxf0kmmVM+GJbYke+cjXk6WB80lF9lYcB
   0pWPd+fgwFL252FUoFcjvUWFXkvbR1+IMkv6sNdKcXHHazAE6nl6yPl9bVwCaS1I
   WNqEfHntblNZbeW+3qH8ov1ZXVCqEmaHkajSAhFJKXCgpSXaIx2FSntzpVFbRpnw
   Yd9eml9xwgE3l9aRuvR6p61fd051LzCh7KjvorV1CemPUT6YRBamFNCBoT7cqjhE
   kqMQfowKkMEY0p2dzMnGzsSPKk10nI53RgPyD/8FT5dPuq073SyjxTKhAbvl+kVl
   lrfZ6b7P/UKwLBCT3bLG6uU/Es84euWN+U2JXIADPoCcVeWrUqkf4j368c2Z8Zdd
   A27X4ZJ+q+YfsFNiOA7vshHi3Am3gBzQhEEGsRdzgkf8qmtlRGhq/823GEexoUfu
   8SiOOjoU08HGAkTtPWjV5+0C6Q6RW9SmNMwz7msZHoKTQ8kz2LKXUwb6DBwWcw6/
   UTUgzVXqhA8HmjsnVe9ftDKL66v9zlp4RVRdDzm4TYUybYh5uigFbjJFLlnJnJho
   TcnusHO80Cxgs64khLRzM46Oi+JSEPv7o7zHcfWNOVtNW908EKCubtEDZtnQn9VC
   0Sky9R/WzunaLlG3LZ3BRUhWpyyvdNxlNq3ie4tcRMlXIEe14UZN0sPCKZY//NEn
   BEc=
   -----END ENCRYPTED PRIVATE KEY-----
   EOF

   cat > demoCA/cacert.pem <<EOF
   -----BEGIN CERTIFICATE-----
   MIIEOzCCAyOgAwIBAgIJAJajhBdO74pMMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
   MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
   QXV0aG9yaXR5MCAXDTEwMTIwNjIyMzYyOVoYDzIxMTAxMTEyMjIzNjI5WjBwMQsw
   CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
   c2UxDjAMBgNVBAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmlj
   YXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOzA
   rew7DXtqlSSW3DPCHfazDa/tX3OctV/cOiGVIIHBKWOgNIbt8UyKZpA3lasPjLLa
   VanKyq5QEOs0KNfYmFsU7PzEVdTGY1ru6OxBCNO+KJ6xiU3Sa1f2qnfJCPz5JaCj
   48y/8MDymVnl788KOtc4vGv5bP9uoNCyYk+YcvDwHR1AhFAFm24VPEm2nVgFoQ3P
   ke7tKA8P4Q9xiqZufCqtrq7EjY4qLoqirGeFLqqCDks4senyhCMMmOBXuDhw9Imp
   lMuaXhVSukUKgJ8zgs/i8uuP+WE8iut0sXyH+QwvIM4NvmmP0bxdxYrlGgtdcGXI
   AvNGhSXTiIzdgFXZaZsCAwEAAaOB1TCB0jAdBgNVHQ4EFgQUuzeOR8daNNt62fh2
   tnWO0OQTF0UwgaIGA1UdIwSBmjCBl4AUuzeOR8daNNt62fh2tnWO0OQTF0WhdKRy
   MHAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhT
   YW4gSm9zZTEOMAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2Vy
   dGlmaWNhdGUgQXV0aG9yaXR5ggkAlqOEF07vikwwDAYDVR0TBAUwAwEB/zANBgkq
   hkiG9w0BAQUFAAOCAQEAsXXUVqtwFKDuZ6PsBwwdiyxf1xzz4wG6PZ3aR0kx1YH1
   LdJmpSwf28MtijJq7CKLsVhjVyOINJ9s34x7c4wqfNMjApdUdvM0JX/RrSWHF1Yw
   YUP0FmN3D3unsAuXGwXyXIYsqdU7y3OSojzcfhIwhp74V2yipChR5PfwzimcgjTy
   AjxDYjaURMGttHn3bvnivfkVzOjesJ2cLxgwqes/1FbJYY14svtO5SIdAMTPzpz+
   1vFPAZ2SWOB4KstpNhisG1MNhrGRNIveBV0iGCpn5erydwHWnGAXBoSDb7aIfs7I
   Y9QwbZBy/ln0MgTmr9S+mUTI3j0BiNeKNTDCLXfpcA==
   MIIDtTCCAp2gAwIBAgIJAJajhBdO74pMMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMREwDwYDVQQHDAhTYW4gSm9zZTEO
   MAwGA1UECgwFc2lwaXQxKTAnBgNVBAsMIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
   QXV0aG9yaXR5MCAXDTExMDEyNzE4MzYwNVoYDzIxMTEwMTAzMTgzNjA1WjBwMQsw
   CQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTERMA8GA1UEBwwIU2FuIEpv
   c2UxDjAMBgNVBAoMBXNpcGl0MSkwJwYDVQQLDCBTaXBpdCBUZXN0IENlcnRpZmlj
   YXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKsf
   kWHxHMXNpnsWm7cUeeQwnpjQ7Ae3vXfX0fVbLOLu5rGw8IX6pbzLzM9pLE/8UO+d
   MSvAWer7ZG8fVac9/XDSVtsUmReScKwm+DRBcNnAA5FqutERj6wSMd65GXCNXad9
   ixnMQD+u/94f25SzRndsrq7/PtaEW8LeCyZl0JHHcEvHCkq/x5cE3bpYR8vgKyN2
   h2XFVTQQqycfHPgwPbCbyqKBcky9YP73If4L2wvb6VsBNtQoFWt569CRGyFZuA6q
   v9WxbHA3oz+lfQ6VRvb2WGeDdUI3GAukQTmyL2yALHjspQ++nBD4wAsNc5meDdeX
   UMvMRTQjSUGFIiStKcMCAwEAAaNQME4wHQYDVR0OBBYEFJVFfl8r6mWYEpEE82PH
   aJpYFncnMB8GA1UdIwQYMBaAFJVFfl8r6mWYEpEE82PHaJpYFncnMAwGA1UdEwQF
   MAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAZfnq6gmry1uVt+lzPM32OYmJTLDWap
   g+iqWCpZoZ5HMaavXD+iJYb43wWSt9tpoWlyh2bFqzWJATcZyXTrCdE/iHskE0LK
   LftF5sxL+CF48/WX7AmSJKLw5pSNl0oAlAC9JbgXLFJTXcxcSKShHS32UFUTpNOy
   ovTxuW1IXlzz3uD8WQmh2RRhZb/YP7m6LnztXCSba8qqX/HBHrCo2oIP+0xxO017
   OMjjiioZNEQmC+rwRzhGKGUE4gFS3ew95fVTdHd0dW3G2cIKrDu4mFxVUzR0Uqgm
   sS8wItCLt/Og3WgHM9Wut4GylFhyTnzGci+9bGn7tReoKo3XLJEGyAw=
   -----END CERTIFICATE-----

   EOF

   # uncomment the following lines to generate your own key pair

   # openssl req -newkey rsa:2048 -passin pass:password \
   #     -passout pass:password -set_serial 0x96a384174eef8a4c \
   #     -sha1 -x509 -keyout demoCA/private/cakey.pem \
   #     -out demoCA/cacert.pem -days 36500 -config ${CONF} <<EOF
   # US
   # California
   # San Jose
   # sipit
   # Sipit Test Certificate Authority
   #
   #
   # EOF

   # either randomly generate a serial number, or set it manually
   # hexdump -n 4 -e '4/1 "%04u"' /dev/random > demoCA/serial
   echo 96a384174eef8a4d > demoCA/serial

   openssl crl2pkcs7 -nocrl -certfile demoCA/cacert.pem \
           -outform DER -out demoCA/cacert.p7c

   cp demoCA/cacert.pem root_cert_fluffyCA.pem

A.2.  makeCert script

  #!/bin/sh
  set -x

  # Make a symbolic link to this file called "makeUserCert"
  # if you wish to use it to make certs for users.

  # ExecName=$(basename $0)
  #
  # if [ ${ExecName} == "makeUserCert" ]; then
  #   ExtPrefix="sipuser"
  # elif [ ${ExecName} == "makeEkuUserCert" ]; then
  #   ExtPrefix="sipuser_eku"
  # elif [ ${ExecName} == "makeEkuCert" ]; then
  #   ExtPrefix="sipdomain_eku"
  # else
  #   ExtPrefix="sipdomain"
  # fi

  if [  $# == 3  ]; then
    DAYS=36500
  elif [ $# == 4 ]; then
    DAYS=$4
  else
    echo "Usage: makeCert test.example.org user|domain eku|noeku [days]"
    echo "       makeCert alice@example.org [days]"
    echo "days is how long the certificate is valid"
    echo "days set to 0 generates an invalid certificate"
    exit 0
  fi

  ExtPrefix="sip"${2}

  if [ $3 == "noeku" ]; then
    ExtPrefix=${ExtPrefix}"_noeku"
  fi

  DOMAIN=`echo $1 | perl -ne '{print "$1\n" if (/(\w+\..*)$/)}'   `
  USER=`echo $1 | perl -ne '{print "$1\n" if (/(\w+)\@(\w+\..*)$/)}'   `
  ADDR=$1
  echo "making cert for $DOMAIN ${ADDR}"

  if [ $2 == "user" ]; then
    CNVALUE=$USER
  else
    CNVALUE=$DOMAIN
  fi

  rm -f ${ADDR}_*.pem
  rm -f ${ADDR}.p12

  case ${ADDR} in
  *:*) ALTNAME="URI:${ADDR}" ;;
  *@*) ALTNAME="URI:sip:${ADDR},URI:im:${ADDR},URI:pres:${ADDR}" ;;
  *)   ALTNAME="DNS:${DOMAIN},URI:sip:${ADDR}" ;;
  esac

  rm -f demoCA/index.txt
  touch demoCA/index.txt
  rm -f demoCA/newcerts/*

  export ALTNAME

  openssl genrsa  -out ${ADDR}_key.pem 2048
  openssl req -new  -config openssl.cnf -reqexts ${ExtPrefix}_req \
          -sha1 -key ${ADDR}_key.pem \
          -out ${ADDR}.csr -days ${DAYS} <<EOF
  US
  California
  San Jose
  sipit

  ${ADDR}

  ${CNVALUE}

  EOF

  if [ $DAYS == 0 ]; then
  openssl ca -extensions ${ExtPrefix}_cert -config openssl.cnf \
      -passin pass:password -policy policy_anything \
      -md sha1 -batch -notext -out ${ADDR}_cert.pem \
      -startdate 990101000000Z \
      -enddate 000101000000Z \
       -infiles ${ADDR}.csr
  else
  openssl ca -extensions ${ExtPrefix}_cert -config openssl.cnf \
      -passin pass:password -policy policy_anything \
      -md sha1 -days ${DAYS} -batch -notext -out ${ADDR}_cert.pem \
       -infiles ${ADDR}.csr
  fi

  openssl pkcs12 -passin pass:password \
      -passout pass:password -export \
      -out ${ADDR}.p12 -in ${ADDR}_cert.pem \
      -inkey ${ADDR}_key.pem -name ${ADDR} -certfile demoCA/cacert.pem

  openssl x509 -in ${ADDR}_cert.pem -noout -text

  case ${ADDR} in
  *@*) mv ${ADDR}_key.pem user_key_${ADDR}.pem; \
       mv ${ADDR}_cert.pem user_cert_${ADDR}.pem ;;
  *)   mv ${ADDR}_key.pem domain_key_${ADDR}.pem; \
       mv ${ADDR}_cert.pem domain_cert_${ADDR}.pem ;;
  esac

Appendix B.  Certificates for Testing

   This section contains various certificates used for testing in PEM
   format.

B.1.  Certificates Using EKU

   These certificates make use of the EKU specification described in
   [RFC5924].

   Fluffy's user certificate for example.com:

   -----BEGIN CERTIFICATE-----
   MIIEqzCCA5OgAwIBAgIJAJajhBdO74pNMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
   MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
   QXV0aG9yaXR5MCAXDTEwMTIwNjIyNDM0OVoYDzIxMTAxMTEyMjI0MzQ5WjBiMQsw
   MIIEGTCCAwGgAwIBAgIJAJajhBdO74pNMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMREwDwYDVQQHDAhTYW4gSm9zZTEO
   MAwGA1UECgwFc2lwaXQxKTAnBgNVBAsMIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
   QXV0aG9yaXR5MCAXDTExMDIwNzE5MzIxN1oYDzIxMTEwMTE0MTkzMjE3WjBWMQsw
   CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
   c2UxDjAMBgNVBAoTBXNpcGl0MRswGQYDVQQDFBJmbHVmZnlAZXhhbXBsZS5jb20w
   ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGqf+y4GMYegW5mjHAM7vU
   Bduk3zJoQX7lbBPN8hjTm/p/RZJmEKPyTc5A3R7fE0O22fLLRKCFEVHSsPef0j6v
   zX3Lq8DwANB+4EXVkUV6JXPWCIDmynNh4QTTEfVvEACpXaes2tl1khQHvYEmeZBL
   marYVOU0ak9h5egiR5bx4lzlowlDInulRtiP38QY7XUXAGhulRboyhVMJfYsM4YO
   eg+dmqXjjD7/xTIIJbtSCCCLlUbJUtp6FUbri46iIrjn76DlwlmDyIv3Mw73gLcR
   J6w+LDeiZywiO1WQpv/A32PRIOxsfGEutdAo1wntM6YinQDeIbt8U9GfryAj9N1R
   AgMBAAGjggFSMIIBTjBRBgNVHREESjBIhhZzaXA6Zmx1ZmZ5QGV4YW1wbGUuY29t
   hhVpbTpmbHVmZnlAZXhhbXBsZS5jb22GF3ByZXM6Zmx1ZmZ5QGV4YW1wbGUuY29t
   MAkGA1UdEwQCMAAwHQYDVR0OBBYEFBPBLyiv61N/HU1mJx7X95lWMcigMIGiBgNV
   HSMEgZowgZeAFLs3jkfHWjTbetn4drZ1jtDkExdFoXSkcjBwMQswCQYDVQQGEwJV
   UzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNV
   BAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhv
   cml0eYIJAJajhBdO74pMMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcD
   BAYIKwYBBQUHAxQwDQYJKoZIhvcNAQEFBQADggEBAF3W+SNF2npRi8b+S4mZgTfv
   JwOq4O2N7NC/bkwMY2q7276dbfjQ2X2JeOMfxjvbrh729FYA3fMOK/hwkfHs+AIG
   wfOQkrMljVQiuAdLoe5cXBesYjcoX3ACtYAJlELP5vBw29/RlOF91XBBGku1c+xM
   eHG9m9Rj11cw/OvSu32cTrnC6rabRkdG0I2OUfnd7Yh1LRg7eUvO9nZ79S9xS6Qd
   Bvg3XtmKQlx2o5U28JvuWlViEiqUTv43iy5FWiEcR/3eLwE+d7kkpmZElTI3LE2Q
   k7tqsx1bnAw71nDTejlGSCu6XW7YO4PLz2dbDC0uTP8SHt9ydbPPnYPO6fT0PAI=
   c2UxDjAMBgNVBAoTBXNpcGl0MQ8wDQYDVQQDEwZmbHVmZnkwggEiMA0GCSqGSIb3
   DQEBAQUAA4IBDwAwggEKAoIBAQCjLFkM6bzk7NOe+5kC7LE2OrfTHU3DOrauUL1f
   VQh3jH6k6fBoMSiPIzJWGcMil6dt/aciKgG1r2G9X37BFOWYKbQ0TjiKJu4N2tsn
   uXjWrKwEeDKYwnXnarctszzj65el74tZQlAXe/6nga83p+fjH7CN0HIvbBRCxgFo
   4Y/9Vk19zxbcqgVhCwrKyuxR7FNuPSsAgP41GwYKYROIC0TzzP0rDrSiC6CXhBQu
   7ivjL8EanoaaeGqiTFeT5wEm01YNvbAv+NrHPAHcyy0xjGzGXLRj6LKiQBG/rfht
   EgGXHUf4ahWL+yeWc0RGNNckHM9WjdS+1pRb8KZn493PtPLVAgMBAAGjgc0wgcow
   UQYDVR0RBEowSIYWc2lwOmZsdWZmeUBleGFtcGxlLmNvbYYVaW06Zmx1ZmZ5QGV4
   YW1wbGUuY29thhdwcmVzOmZsdWZmeUBleGFtcGxlLmNvbTAJBgNVHRMEAjAAMB0G
   A1UdDgQWBBSFlwm401U3JIrc3uORcuQiz5iHUjAfBgNVHSMEGDAWgBSVRX5fK+pl
   mBKRBPNjx2iaWBZ3JzALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwQG
   CCsGAQUFBwMUMA0GCSqGSIb3DQEBBQUAA4IBAQCoqY/YiguI7f9Pv+XNj557uOby
   LKrjI1uacV79IKPd2dPB8ujwvnfbM8yKe0+RK43W9xTDjeBg0zRQvL5nIs31dHv0
   mmiiUiuBL0bTCZ8lwyDoENXvOHvRF9Tx11RnVvETzy/8i4P8FOcBglmDzLGN8Mfa
   TrHczFTPbDtHR1mH2Rbsr6/hEhMjHgrb9bX/XasVDuMlkQAOkNvYBxGQgQE6SKiq
   nrBi0zbwDLcvpxeSUjYpFArWZYZnc3RuqjzuRzgeyG4GgYUcLvC2BH1sONuBnLgH
   4we+9S8JaGMEa4cONrmho/vIMAygY41tqwr4RLB4GRo4fvpqodRLS3V1v28J
   -----END CERTIFICATE-----

   Fluffy's private key for user certificate for example.com:

   -----BEGIN RSA PRIVATE KEY-----
   MIIEowIBAAKCAQEAxqn/suBjGHoFuZoxwDO71AXbpN8yaEF+5WwTzfIY05v6f0WS
   ZhCj8k3OQN0e3xNDttnyy0SghRFR0rD3n9I+r819y6vA8ADQfuBF1ZFFeiVz1giA
   5spzYeEE0xH1bxAAqV2nrNrZdZIUB72BJnmQS5mq2FTlNGpPYeXoIkeW8eJc5aMJ
   QyJ7pUbYj9/EGO11FwBobpUW6MoVTCX2LDOGDnoPnZql44w+/8UyCCW7Ugggi5VG
   yVLaehVG64uOoiK45++g5cJZg8iL9zMO94C3ESesPiw3omcsIjtVkKb/wN9j0SDs
   bHxhLrXQKNcJ7TOmIp0A3iG7fFPRn68gI/TdUQIDAQABAoIBAEwk1lOaO4EjK9SS
   rCTt7zz5rdEIl0psaBXJEeIqu6dHroBfixhBooT5m2czGWUI/jg0WyHbwOaf18u4
   doC0VcCOM3v/7ahPt5oZncqYrpd9iWNsyPMsf4LxeybnSDn0WTyRH/ZZv2WXwsOg
   t8Kmb076rAfUqjEn2hs8wnd5FvrISfWG2yYuht06+Tu/0OEk/DJpP9AsEcoHbWpy
   tsHaPfqGiD2HEViOTXqBQ2GGJE6p/WpJvqQXDJTRkkXjuQCuNiah+p3DsUbtKkYe
   YdAWhC4T/Lmq9QQiWEiEjRcFYQ45LU0jGbtqOIPOlPpq+cxlXHUVwgE6XDSC090B
   YgyEL8ECgYEA8HsDj/aj28rBbiMduhAOLgVaiPrR4d9Lp5N22S2R1OXqS65cDGnU
   zMjRlSBak/aLwxcFv/lGpHwoJxr13GHTid2/7h7/R8pN+USjtvC8qVAOPYujAsX6
   gcl53WGo8mSciIEN5L6TpwMknP3F/FYANalyuUpkKr6dIGbVCrrbGskCgYEA03wi
   QRpA/vvB21GbeneyIDcGmRX7TTCd5TfH4GFOPFNZtkw35RHOyMh6f5jN4Gf828lC
   rvqhgmYaI58n9Jf8CHoOlWrXgLQadxszD4T2s+PPUmjLKKkwLLe2JpWtUxrUVbg0
   9XOid8MdFybeQapUJ9BKPTufBGAAqIUvAj3LakkCgYBjWi9Klxdzgv0PR6rMaD2z
   fbq9xQJZUyuqfB4p883AK4z034BgEIk+YelUtx007DMp0qUpfw9UfYcJQPY6qp/+
   4YKeGmhVfJtiVJ1ew27udIitnLcoOisY2+hhMivemPqi2s6mpqXR5laGFcJqUg2c
   Hfmr27QuhLnd3R4/ZJuJIQKBgAg0xeN+0EzUmgYXmY/b+yZy3CeuiazKGSZezruv
   Kuj+VvnS5UxXL43s8Yvn8v0lK9OfcJ33jbLQoW0GbPd5ukbd7Zjwp2IQGwLKJGYS
   w7vhOBc7h76RKhRiIIhIwIv7+4dD+ZIYpZI+GO/gCznDETbmRysvGBGEZCIl4NgW
   a8E5AoGBAIzBmJ4ILr6D5ap2hXPX97FGjatcs8jl7UHOOBIKEiPJBKIwsw/n/07W
   +JWtSwMAUKepSVMBJZRSugfmryO3O4dgIy4eGIIGtkzzVW/CJ+/P6f8uBOrpBr0z
   woMp543+fuBjpu5B1YLP/9EmZuQf+98BCkk6uUmYekIuVNS4sbUl
   MIIEpQIBAAKCAQEAoyxZDOm85OzTnvuZAuyxNjq30x1Nwzq2rlC9X1UId4x+pOnw
   aDEojyMyVhnDIpenbf2nIioBta9hvV9+wRTlmCm0NE44iibuDdrbJ7l41qysBHgy
   mMJ152q3LbM84+uXpe+LWUJQF3v+p4GvN6fn4x+wjdByL2wUQsYBaOGP/VZNfc8W
   3KoFYQsKysrsUexTbj0rAID+NRsGCmETiAtE88z9Kw60ogugl4QULu4r4y/BGp6G
   mnhqokxXk+cBJtNWDb2wL/jaxzwB3MstMYxsxly0Y+iyokARv634bRIBlx1H+GoV
   i/snlnNERjTXJBzPVo3UvtaUW/CmZ+Pdz7Ty1QIDAQABAoIBAH+bSvjiQir1WnnW
   YM78s4mpWeDr5chrvjmMQsyu/zQe11u4551T9FgcOl1DQGtpFjLaTz5Ug4nGYjVq
   3QG6ieL5mkfddDH2R+zl3sWuMmYQG2ZTaZ41VWdo+V/v8Ap+T9YhA2UGiwQSoA/3
   R0PLN3lTaws8nE+hwiaGGsweujBvcaIJu4RQrGHRHaeEplU+tfjcHHElfzUAmKyM
   cMgF8IpdUcA1pyHe3Pyc0oGnLyEVnv291xGWQfWT7nqf7K0QDLA6+TvbG3fGEYIw
   WK4DMraUbZ66Jlnj1XfADoxWOTsygV+KYhZcbwjBWAUSOSduAtfwa6b72OnWd28J
   8KYvrXECgYEA1eCJZZSavxhlfxqsWC/WdQ8S3SimI62KSLrN3bI0RO/60KiU2ap3
   16ZhNLq8t3DjpkWiZrukixs2odsU7k3z6q+qm++P0TUwL7z3Bri0FimqUeVSYgAf
   ZmFgGz7wLAM29zhv0hTZjGrrwMlNSyJ2tjyqpiO1XqkbdBpPBxKPrdcCgYEAw09f
   4M2QKQBFzjecPeQpwJqnh8cuoHS+2CNLYGjlmjd/zAUgVF2+WPA1R1DmjAqJ9iwh
   15Yx3CbknpKbfhfilmHkcGyA+fjQaisq/NzN3Ya0FP9Waht0FoBsAHt9X5xFwXH6
   YBKUrqoPF5DAy427EL1nsIRa+LtoPaTdqpphFzMCgYEAlgSOO0s2FA43uyTpeF3t
   rmQpVilaB7KFSaiGGBgUY7p0koF9DwRsVT4l9sd48a7kb09ur2K08sHe2z8BenoB
   Oj+HiyNJHHSTXRjNqNBLuTP2fMU+uPDfFX/92n6WFjkXB+d1P8VSJxUkUjCg36/H
   1uHMzQZFBKXXVOPTROG3GDcCgYEAoPFmq8QZOIA+BbnzqVi8QzfuN8geFyE9JrSm
   55JpKdT0HbZXts3tDjMbZGI5KUuB9nbViGb/PVBbcoSTV6vtD0kpyq7O9a5gaCyc
   ZvS5PARFn0vt9NAcsHIxDZC1drU7EjaPQN3u4aPHff7NsK9haGD78gyPPoqIUsvp
   0i0XNtsCgYEAxIUikI+5wXIrnC1FUt0gt6+4T0zc7qEO0EpQRtktZ/1saNXEhA6N
   EUqWLJMOnClhp72V5IvXsKgjxU8VpgIZeHIIt5jZb8XMmBiSQxiVTf6rp3s8PqlM
   EtXfh7TdJzKuRP7d0g2uG4boJMFf590nqNjrxj9VeSxEWUrSK3YG/h8=
   -----END RSA PRIVATE KEY-----

   Kumiko's user certificate for example.net:

   -----BEGIN CERTIFICATE-----
   MIIEqzCCA5OgAwIBAgIJAJajhBdO74pOMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
   MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
   QXV0aG9yaXR5MCAXDTEwMTIwNjIyNDM0OVoYDzIxMTAxMTEyMjI0MzQ5WjBiMQsw
   MIIEGTCCAwGgAwIBAgIJAJajhBdO74pOMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMREwDwYDVQQHDAhTYW4gSm9zZTEO
   MAwGA1UECgwFc2lwaXQxKTAnBgNVBAsMIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
   QXV0aG9yaXR5MCAXDTExMDIwNzE5MzIxN1oYDzIxMTEwMTE0MTkzMjE3WjBWMQsw
   CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
   c2UxDjAMBgNVBAoTBXNpcGl0MRswGQYDVQQDFBJrdW1pa29AZXhhbXBsZS5uZXQw
   ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCkdtivi2PlG4flNHykpe5V
   BNZiM+syZv0FInCzH0E1eWYfD34esCKXZaalQJqLzxPudFZ18uwdJ8+H7ToHQM2O
   nsdfY6rBh1/51ee2Au9L2qxy2kHoRPXARmWWh4Wa1oSzBWBmWJIuof9NQbkoVnER
   ikFRzDiaMvG1uh4gOTpXhxch18BCUgopUkksYheHHDDcV0CcZXmH49mo+VbOs55S
   S4kWkamP3R35hOWGIBYhRa7/XnBU8Xq+7Qg4SYjy41ZTSE3l8oaayfqf8SHWOQO+
   hFlHm6BlYOEnGMX4Fjn+XWllJ3GinsGmrXXJvDj8Y4ux5SxYQvzAxssF0ZeMFDPt
   AgMBAAGjggFSMIIBTjBRBgNVHREESjBIhhZzaXA6a3VtaWtvQGV4YW1wbGUubmV0
   hhVpbTprdW1pa29AZXhhbXBsZS5uZXSGF3ByZXM6a3VtaWtvQGV4YW1wbGUubmV0
   MAkGA1UdEwQCMAAwHQYDVR0OBBYEFKSdwO/x+f3jTWmnSXlr2GWtXYgkMIGiBgNV
   HSMEgZowgZeAFLs3jkfHWjTbetn4drZ1jtDkExdFoXSkcjBwMQswCQYDVQQGEwJV
   UzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNV
   BAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhv
   cml0eYIJAJajhBdO74pMMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcD
   BAYIKwYBBQUHAxQwDQYJKoZIhvcNAQEFBQADggEBAJFQco7QyfgyrK8+fUpsI5PH
   zgey97huhCIN07H0XI7wUbGgXpBwv/IU5MT5rCk4nRpQUcCzGcKumeSqAkjdmHjP
   FgyTBTlpx3+21vr9+980sw7HBNWV3tC8wzg1M8HJe8Fg9O1ESESwy0dLFcspAcRh
   QNnA9C90ukcZjyObl44blQ9z9eUGlFePwirXF/g3zAf1CLiww6a6T4i0mqxFdQ4q
   Kwy0iNpfU1MdRfOIr9Pv9dOLcaoijEFH9kugRBhNSVoVK2mzctJB1+XPDQqO2uwa
   3FARkYFFxdNi+TktvaXxxO1S6bq1hurStsYOfHrgunPiLdRsF+JO44xYAxHPrwU=
   c2UxDjAMBgNVBAoTBXNpcGl0MQ8wDQYDVQQDEwZrdW1pa28wggEiMA0GCSqGSIb3
   DQEBAQUAA4IBDwAwggEKAoIBAQDL5odVdA3gFf/MuGIqbMY8Kl7g7kUfexWkpXbT
   ptxlxf2D8hzUX8/PUn2XXcTbP019DqA+MkMiX4NNGpDZyeoIrcquKUXK7UQlRoKy
   Q6Va11DijHTqdPTWFIrRhbRUhPjj0WvG1AFPYRRG/IZfRQcH8Aw1w8XSp614m1mY
   9XwL5LuHNimAgjADHMrSk1obmHws0thU9nV0t1UG1SA1lA32JZX81bqKDg3Tq1Ho
   fsKU3GwoBZG507lVG5bcV2ByA5HnCFpFeDTDYE23197USLhqRtIqrxxr64SFo9Dn
   P0mYH6e3lRveAZhdKIbCHgGaKqIr7+SZDnLdCyKDrFSPC/lbAgMBAAGjgc0wgcow
   UQYDVR0RBEowSIYWc2lwOmt1bWlrb0BleGFtcGxlLm5ldIYVaW06a3VtaWtvQGV4
   YW1wbGUubmV0hhdwcmVzOmt1bWlrb0BleGFtcGxlLm5ldDAJBgNVHRMEAjAAMB0G
   A1UdDgQWBBQ02bNX/rnbbYoEy6wU7oyst63WbDAfBgNVHSMEGDAWgBSVRX5fK+pl
   mBKRBPNjx2iaWBZ3JzALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwQG
   CCsGAQUFBwMUMA0GCSqGSIb3DQEBBQUAA4IBAQCTN2SNTLUcvgtVnBi3RBRtD0+p
   aiFPtWQ+YWbyCG/+NetesegCwi7xBOgSK+GxUWpTVuDW5smyTTZyvrMQhpkckcyO
   KvuUVz0/yK67oSume1vo75KY8BvgfeZXZG4PjqqelJ3czB0XLfeb6KFmtoiHQ/R7
   4i/O9+MhB3Zoeg5bm5f2g9ljYwRbD1Uav/aH9WeGEX992d9XJ/bpGGPrAdgmV3jo
   KDFKh8ys1yfmM3xVdU0qPtos2nlzGNaqoceeFZoYaMf8uTzoaan6KZkQDTiMDRpt
   YKxyS721re/840FwDvt67w+GIfFf7ISrAlkHwroYt0NMnLv610rka8qnVvaQ
   -----END CERTIFICATE-----

   Kumiko's private key for user certificate for example.net:

   -----BEGIN RSA PRIVATE KEY-----
   MIIEowIBAAKCAQEApHbYr4tj5RuH5TR8pKXuVQTWYjPrMmb9BSJwsx9BNXlmHw9+
   HrAil2WmpUCai88T7nRWdfLsHSfPh+06B0DNjp7HX2OqwYdf+dXntgLvS9qsctpB
   6ET1wEZlloeFmtaEswVgZliSLqH/TUG5KFZxEYpBUcw4mjLxtboeIDk6V4cXIdfA
   QlIKKVJJLGIXhxww3FdAnGV5h+PZqPlWzrOeUkuJFpGpj90d+YTlhiAWIUWu/15w
   VPF6vu0IOEmI8uNWU0hN5fKGmsn6n/Eh1jkDvoRZR5ugZWDhJxjF+BY5/l1pZSdx
   op7Bpq11ybw4/GOLseUsWEL8wMbLBdGXjBQz7QIDAQABAoIBAQCUD0pT/zEXeQmG
   lxH/SEKf15MJJaR/46e1j6PWHjUeZwRAwjnQdtEtax3zd42qf+p5qdKMrP1T4hs7
   S54KGZT06Iykm52GTNFioefQPCQiLeNCIqti53I2fynFsovdMXKVmCmI+gPgZ4bn
   jluarPdtywGzGh968pIYAE5OxDZ5xHrdP8VfgcClx31qxHSMtr3EMWiYBOfb2P77
   sQW1mox7JzNjdpw2KNjMg+gBPW7J0dslG084MtDR5qMzLXtSsxYQsJjwjySXLrB4
   d2o6ZpH7UTzvkxu6zzGfeX+wmDES7Gio/AuNrWMuTR+cZcs76g10nkHkPPPRj32v
   /e6YRIsBAoGBAM98U6ln2C15SjjMuEn8x/xR000BPVBH650fQoJwuORqORWFqFTH
   3aQZTHupmLojabBvlCx9vlpdbC9OfKW9Le+pW1F8T9o2MyEs4U82DmkLuNNd6x5U
   7TRPMieQfTzbDdEMynR1Gf5D1wl95ZcuaGbSfIoJ64c/Eyh0G5WSMJdpAoGBAMrr
   WEWCYZAmZfr7O9ay/zhG+EAR86SCKVdrV12okvagp18k2EEdFuk+Mx4h7cs/FIS6
   P9mbasPjU/o6kmeQuuHW/M66D/5R+C7YJKxC24L7ZfSAVrqVjyXR6rfoqCaSBJoX
   kgsxpS4tsUF0iC9RRehOZrJVAuaR1A8mb4OZGUvlAoGAEiQKpIshyYgLR0AO9NkX
   GyaEVP1AwR4oqYosJH96iu4Go60V9KOs60YS+9TuN4gVG4oF6IXt+LSmWtR/7XXG
   6GdkRpGZ4bhPbB0ibeyKAgE2XbSec/505tftyKvHZ2S3pol5wgjjBuojiP7q7fbu
   xd6taNxJLYAESsssBj3L5dECgYBLwMQ5Xs0xVURpB/V012n0BnqS4KDGX1kzq3z4
   GACVVbBmEokw9b0h4fiPXTc60xfD3QwNHroi2vD0z3zscNlziiDixA9IcC1ov4Qh
   UuxD37pWJrs5+K9x/QXVFmP/0i8pn3cD+sqhjKlJuElG8N5aNTqdhKMKlJJH/Z9P
   z43kCQKBgEpEVv4D7MDLxXMoEaPckayeGGSswbPgeb/u5Wy1PsqiaP992KrP62hq
   K5uTFjRHJMuGKJfMFM/2HETJfllXSHWIMgnFz9ZRqcZ4AbLSreK2muzIKsHnusKg
   DEMZo+gSRZbZrINJnxFhCgF0ttpVZ56LC2ftMmFzARzuP7e1Wu05
   MIIEpAIBAAKCAQEAy+aHVXQN4BX/zLhiKmzGPCpe4O5FH3sVpKV206bcZcX9g/Ic
   1F/Pz1J9l13E2z9NfQ6gPjJDIl+DTRqQ2cnqCK3KrilFyu1EJUaCskOlWtdQ4ox0
   6nT01hSK0YW0VIT449FrxtQBT2EURvyGX0UHB/AMNcPF0qeteJtZmPV8C+S7hzYp
   gIIwAxzK0pNaG5h8LNLYVPZ1dLdVBtUgNZQN9iWV/NW6ig4N06tR6H7ClNxsKAWR
   udO5VRuW3FdgcgOR5whaRXg0w2BNt9fe1Ei4akbSKq8ca+uEhaPQ5z9JmB+nt5Ub
   3gGYXSiGwh4BmiqiK+/kmQ5y3Qsig6xUjwv5WwIDAQABAoIBAHCXmrGgRS0xWLBW
   PLbKm+iLSRsR14+bqwbg663SHTAB1Yzvu+W2Bo2oMnvMJrEe0o407l2J6bJoZZvF
   CKmKqrYiKaJkXgrBW/jtZ6xCWGPCNAL1pnX1IWG5tDIgj8SALOO4N7hyR0rrA4Rz
   W0vuVQSYFFX4BhvdxZesyRwCqn3x0pPSff95Ad+vuJd5CYuFZCuyGkszQ3fi+Nia
   Gqs01EuyolEv72rsw2E5+wtx3qXB8Z4HXr+Yq9NbE8lp2CWd1Uh1qIHl8kwWmnIG
   V3oLKiIowV+M6Zx/uzwAMF0Rdn5kET+b5DOlIksUAAa8LZsf95rOvkLgw7aZaj5e
   sXhAdGECgYEA8930YqU2+AcEkjC5hygw1M/X5k/IcvZp0a8/in2hJW7iZgGh0AFE
   jjxuoIVXbxSf9cZ+M6g76Svww9ecmovLArqbhFaLfbZCsrLeEAhQtGcu3wv7o6px
   N0EbbF5FmOK7qaQ1Sgqj0NF5zP2JsrxGNoRmgFFwVdcpP/3Jp/IlZEsCgYEA1guI
   /7I8h9og1dmTPzMpvpnANdRF/iuMX9AE4LNRp09Hjx0B7Vuat1ABtx09/ZN1hLhZ
   BTZ5R2R2RjbzSHXZ3FdoMgSx9Q3qa+xuPel4RcppHNjdYkPDhPLnOUwQBqFL6kyU
   nTEF+k6VIZvNsmGbB6wpHU1cjDAZUx71p6W49TECgYAMHpa7pExUDT076rH9tpCe
   sume544lsHtX0WbOAipVCuqzeRdKmBWJIBW7YoUS3yqH82JoPM8lamqfwQJmZ9Yh
   /5YlAIwUJk+wQ9VnZJJmNM6OhTDvVFQmE9VCEHlS/Mmox6FiWZ8EjLSJ7HvAZzzy
   Dqhtbh6wFW5WYM15zD3xewKBgQCRmIkY/QGFm0+Ih5ZMgB3eI7GGLB1sNe0nY1Ve
   Dzv0pc3UQHQGI7CLDuYLy91V9o8St17+V76JXIHDYy97U4bdBau/kkgGm++gd9PJ
   U11Xg8aaM73rUJLXhW7ZH68rA16jQnI4tpcNW5S/pr51n0UYI/hXkT7psPIZA08w
   OV8lkQKBgQDaGzCYC/6WumGJUerVCzZd/H6+E3ntZmtz273c8+wV89oRtZzUoJY4
   bVNrYFs9iKFxLtNGRECEU2VzDXHUAguqe05rbzPudAZ4wSsrNchUyw8LkIXHDckt
   pVLs0vhRK2gW/W2I+p2exSPQPt3Uy8tT6IsB9ZbNg/H4D160heHkuQ==
   -----END RSA PRIVATE KEY-----

   Domain certificate for example.com:

   -----BEGIN CERTIFICATE-----
   MIIEejCCA2KgAwIBAgIJAJajhBdO74pPMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
   MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
   QXV0aG9yaXR5MCAXDTEwMTIwNjIyNDM1MFoYDzIxMTAxMTEyMjI0MzUwWjBbMQsw
   MIID9DCCAtygAwIBAgIJAJajhBdO74pPMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMREwDwYDVQQHDAhTYW4gSm9zZTEO
   MAwGA1UECgwFc2lwaXQxKTAnBgNVBAsMIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
   QXV0aG9yaXR5MCAXDTExMDIwNzE5MzIxN1oYDzIxMTEwMTE0MTkzMjE3WjBbMQsw
   CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
   c2UxDjAMBgNVBAoTBXNpcGl0MRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJ
   KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ0mJZ3y+ADOOo7lEfhqOw7KC3ysdMta
   ecdSHOrMB4a3kzdqDioA5kf5epK4B8ksGpo0oOBjrUZu0oLMxKLNzqbiUdebzjmo
   VT2xSt8n2I8CMwqEWqLs0bTB4Al5nwVquAg4gmvCDl3HT8Uhok81SlqWOtbyoFPI
   /tfu7xsnBgj+JJYEIxl/ZU2BQ7B5R0O3ox8TWI7A5JKnPUSTTXTfIROUc0jwb8+N
   oG0qZ46Cx8dWrxXMLcAOv0knCr2nf3HUXitu8sE3FgvkuUQpkfpIC0jo5zLUlhdW
   uZq6G8EOX3gSJga0H3MNqo0X3CmJg/4IcYg9oc01SQH+Jt/HLKhE2eMCAwEAAaOC
   ASgwggEkMCcGA1UdEQQgMB6CC2V4YW1wbGUuY29thg9zaXA6ZXhhbXBsZS5jb20w
   CQYDVR0TBAIwADAdBgNVHQ4EFgQUq+m8DTeiRZDyu8ux26FJKIE8GtIwgaIGA1Ud
   IwSBmjCBl4AUuzeOR8daNNt62fh2tnWO0OQTF0WhdKRyMHAxCzAJBgNVBAYTAlVT
   MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE
   ChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9y
   aXR5ggkAlqOEF07vikwwCwYDVR0PBAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
   BggrBgEFBQcDFDANBgkqhkiG9w0BAQUFAAOCAQEAjtkfGFJTKHe5CiYLDZTYP/oB
   qXLyAoA8+QFcCoQ7822Gs61/05HoDLR2L+z2WpoW1V4Od+blO7toUSvYv2hcY0rY
   LYRrr/Xi6ox1C+VVv131vLvu8GK83pqqxa5T1L2qpTtv840ALivI7M4q/A2OVI5N
   AerACkSTAy2PlUUv3d8z39uWHyYSL7EX0vCrMbnLxMGu5lPBoBV5W6Kdrxe07HLC
   nTh5Q8VYbraORLqHAyTYJKwSHL4WQjJOG6jDf6lwCxLBj5gsuSMD7qqYWkiPyDT5
   vnPlXK5rorWMBA98sdKGluTA0fQRc1Xf5jx+F8aVh7Gih1CR185oJIbBPTXA0A==
   KoZIhvcNAQEBBQADggEPADCCAQoCggEBAN10BgIQwucEH7yMtiTnm5SjSDeFnm2D
   EoRQGo5IsfqGjKeAub5S7KbKY0eErfZ0hYIWfk42QAp0LCCpag5qfzXPcHFjfelD
   Z4FM6rUet0yjNQh7IQ0qcwdjnY11vx/UjuZnYHX36gp6bJCvkkXgYgWaihCY3HxU
   i+RhlTsE/BBQ74BFul6El3bBICXBkh2JCvdVYmT66GmiYkxn0wjZYbU9FlS2t0SN
   WSuQ1On7x32HWMMSrDN4AFC6BwWzuQEaY1Vs4XrsoweuOwKDoWngw9wtYemy47Nx
   yKbP2vs+mcflcbnJF9TtvKBHVAmMbm1TmizJaMZv8T2RGiRDd32RaUsCAwEAAaOB
   ozCBoDAnBgNVHREEIDAeggtleGFtcGxlLmNvbYYPc2lwOmV4YW1wbGUuY29tMAkG
   A1UdEwQCMAAwHQYDVR0OBBYEFMwGWVuLXtYN8gVNG2hUHvz5QxkXMB8GA1UdIwQY
   MBaAFJVFfl8r6mWYEpEE82PHaJpYFncnMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAU
   BggrBgEFBQcDAQYIKwYBBQUHAxQwDQYJKoZIhvcNAQEFBQADggEBAGqa0dsAS5CG
   sFPqbzAxiR6bCRS9b7kCqm9Y7jADuKH9s0Fy/7MNy3anF8ZXOAYT5fPkMBdN95e1
   83Tpgfj0VaMN9YI4w5hDUh+EzRq0o0WfPeIx/cuire1gffrSqkkvQamAAbvttnXJ
   l2l/DJFg8cRaNuhcrOGo55pV5eDNAfTek/Q4bMFx0v3NG10l65B7MUHnNw7lwAFI
   kfc03cYfdOY0NObNkw8/zpStkdnicrGfHdOlfV7ipFbFsXFNEApdplbmVx9IpVx1
   Z+qrNT72tvrB84rBgHEyGGwztfoWWhbhoWwZZ/VFaGRvsjHc41oastSHiZb9h7o4
   TgoZBwNLm7E=
   -----END CERTIFICATE-----

   Private key for domain certificate for example.com:

   -----BEGIN RSA PRIVATE KEY-----
   MIIEogIBAAKCAQEAnSYlnfL4AM46juUR+Go7DsoLfKx0y1p5x1Ic6swHhreTN2oO
   KgDmR/l6krgHySwamjSg4GOtRm7SgszEos3OpuJR15vOOahVPbFK3yfYjwIzCoRa
   ouzRtMHgCXmfBWq4CDiCa8IOXcdPxSGiTzVKWpY61vKgU8j+1+7vGycGCP4klgQj
   GX9lTYFDsHlHQ7ejHxNYjsDkkqc9RJNNdN8hE5RzSPBvz42gbSpnjoLHx1avFcwt
   wA6/SScKvad/cdReK27ywTcWC+S5RCmR+kgLSOjnMtSWF1a5mrobwQ5feBImBrQf
   cw2qjRfcKYmD/ghxiD2hzTVJAf4m38csqETZ4wIDAQABAoIBAHyobQCdYxOohBUk
   KxwmkJCLv473cnJ5Y860GVI75OB9sN8tVu0E56dChHPsXei7/qJCizdUeng7ouu1
   KWqH3ZzOPOPOqUldebjFccIRZp0SvpBiK0/Akh1UCbcabgWrAS8sPHDkb+b+Gw4i
   PxGcEU5Ii4ZE0t+DunxqAexFCWmJigAqn+FfRP765ijjI/GOzw02xEemR5GblyMI
   3P8dir9btXbevic3dBS4p9IkDfSQdgJc1MvscEa4RE76J8cpuRJx5/TT1YdBqn53
   Yuit1vJ44ep/tDtSbOPshmqS2nZAgZZ7IhPnmkn803r9ZlOHMRomScnrNq+kLeRl
   frEjgdECgYEAzi2vY7eqY+Ok+KVVR2ZqD8uxQXwiOep2n9mdNYXAtOBPEvekFGmD
   oPO6NNY2sc+mbuPYNRsjkNBwvs2Amuc7sGar9vJ3KCGdA4J5WQfC2JO4QrSAw8xH
   x3uQHA5nukYqZdFQzpQ87SyOPyQrg5lIsEdj8EWOjMspr7dhkfoqQpsCgYEAwx95
   C1/EnZi4gy6CrNAEuinjDOborEhWY/pEvU1h2NI3L20a1UkG522Yu3vVDhIhRUmo
   z46XOJmdGAjhJ+jGuEvC/I/1/dhH43QZ/+nnbNKq8hgAjsLYB2NalJLv5Oo7bOn3
   99k6Ve3jpai7UMxKN+mmF4p0BtFy7pbRUrGFNlkCgYBi8CdfCa7ZWk87BlPC/JFe
   3RdFXmUqN6oPESVQnsuXwKARcQaqyOtiXDL50eXTM9shEXMaINjTUEMaPJE/REEv
   aEWTLk0h0+d93KmQoJnOxixAzk+QJcI4JsJDxGHgUHVeALDvQNFv2taz1A6RiwgH
   l2qMzUQXqhJqAOzwWQTYiwKBgFHRq7cqRE71UEGpyh/e5myNzeiGFwDPIHKx6gsb
   HLGHjJ51eLAA/EUk/st3JKLO1WaxeXj3SM/yEh6W8psCj/mNw0iWsUbtX0+wSoq2
   MVW/jPERQYKbj2yhq8TrTG7IDX0hKtqiG0UXCMNZWpqJ34FMl1n9s6N8Rl5nnYS4
   bayZAoGAbDehMmO3vOUa/XdDAwxXoSB1KuONGF0u+V8tbYLrPpRQRBm1hwnQgsRC
   FWE1NvNEj8nku19CP9/iuOHSCaBEsZ0jKzGr5wTRa3XO19qmBjotDcby6q11VkUM
   GrbwRHncPk3H6tNED+sAaeNcmEBiBvX1HW7iVN1SAM2jj1xv79E=
   MIIEpQIBAAKCAQEA3XQGAhDC5wQfvIy2JOeblKNIN4WebYMShFAajkix+oaMp4C5
   vlLspspjR4St9nSFghZ+TjZACnQsIKlqDmp/Nc9wcWN96UNngUzqtR63TKM1CHsh
   DSpzB2OdjXW/H9SO5mdgdffqCnpskK+SReBiBZqKEJjcfFSL5GGVOwT8EFDvgEW6
   XoSXdsEgJcGSHYkK91ViZProaaJiTGfTCNlhtT0WVLa3RI1ZK5DU6fvHfYdYwxKs
   M3gAULoHBbO5ARpjVWzheuyjB647AoOhaeDD3C1h6bLjs3HIps/a+z6Zx+VxuckX
   1O28oEdUCYxubVOaLMloxm/xPZEaJEN3fZFpSwIDAQABAoIBAB9s231ni4Dk4OwM
   u7w48acCFLlsSLMZqoMEKwCN6FO4zDTo23LaqaJxje0UMuuKVXfEYWAP6r6RBcIM
   yHQLQMoOCdLNX4y+d+2tUJErLq+9aUUu093ebDxcMntkfh6yNyUS/mk/KQMbpFRT
   1dn8oWxSJc19I6yxArkB7/9UEcDut6vzdbz+agXpHZH4Tje5OWZQXkHzsYobM8Y8
   c2XwudP1zdQtvOrrOeirexxpOQf4CBQnBxoGmbae9Wf27Kw2bBm5+blZFgdqNxoh
   6Q3rJ9EDyWkrVMAq9a67a59wST1ymyC0c6FmfToCMGlgoMPHcEdvuNYPWd2322oK
   ZdfsawECgYEA+AewMiTdhAE+9TId2qilLQV+y8bdTHQ9rSqW9SF+q5ShOpZa79ER
   asuDuqxU+TiewS0ircrkIyzQmCc1fnfBJh5y6GukpUk8HdLLkA29fV3ZJe+Y4ZbL
   b4TEy/RxEECQREgtnQiaw08yOlT1dobNwxzVsi3mrhtOpfbPBERZUSsCgYEA5JG2
   aGRCkyzASGAnZmqqXCP/pImU+tJb2OCgQ6/3gsxi/l91LwtRhFgx/ptYCgZWlpbz
   +mpnDqexKtowldbjorrUADw84zG4u9d+uWOCXEpCVIEu4DZsRURdy3OzpK1vJaUm
   NLgBiDj8JkUFrXTi4Rzx1Xysf6ndWAxDPDdI+GECgYEAoyFrYY+dohSvs9UijY4e
   FV5n5t8E7iQF7L72SoOdLHy1DjOV2+VF71erbDusJ751q9hj1qp7Iid3ips/M87P
   2qJsMTGbOJrST0s1V6mx16LCD5Fmm/jyFIbeaMZ9FpNgT4ipd38RSyPrhTIbv7kp
   3Ao7AtXtwtVzBPUvcz8A/8ECgYEAw2ps2F13qdql3nsO1Ho3gqVoaGUUUUlOK2MI
   wjYM1/AkZrR4PKthm1PIEpT/tTpsBz2yBBO6XoYya5+10DWz0yoGHNljeR7GgRqh
   hqC0EHGQuizkRd9hu+rSgiI+oXmCQF4tBv+Wl7+YnKOAUidP3gTgIZUA6fjxe9io
   FzBxG6ECgYEAyAHvSeqqwmdotdpWgR3Fk1CmtH7ZPnF2rsuRBaBoYnWtU619ote+
   +Bmd4fBUB9tQOzUC9desRtoK3+wlJKHEPjm/0FxtQQi9ogHEn4e6P9jOwXJNkSsa
   GjGUfzQ3Vm2baeNMg7sH8C5mQ9nskDuCzdlVAB2bMp23oPl6cvPIb0E=
   -----END RSA PRIVATE KEY-----

   Domain certificate for example.net:

   -----BEGIN CERTIFICATE-----
   MIIEejCCA2KgAwIBAgIJAJajhBdO74pQMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
   MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
   QXV0aG9yaXR5MCAXDTEwMTIwNjIyNDM1MVoYDzIxMTAxMTEyMjI0MzUxWjBbMQsw
   MIID9DCCAtygAwIBAgIJAJajhBdO74pQMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMREwDwYDVQQHDAhTYW4gSm9zZTEO
   MAwGA1UECgwFc2lwaXQxKTAnBgNVBAsMIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
   QXV0aG9yaXR5MCAXDTExMDIwNzE5MzIxOFoYDzIxMTEwMTE0MTkzMjE4WjBbMQsw
   CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
   c2UxDjAMBgNVBAoTBXNpcGl0MRQwEgYDVQQDEwtleGFtcGxlLm5ldDCCASIwDQYJ
   KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKbPap6TpwWUVOamXmS8f0LCVAKz0F/7
   kIb5ec82bNlDMBvAsdFU3NXDqjEToP7qFNSKC15NvspLKVke9qVrXh6C2HzGzU+E
   YQZ/A+Z7ZThevlGHlDuIAjcwjF/Fl289B/grw944cjfEVEg1rj3x3mzyC3EQdNOO
   7rUlAlQxq6ddWXtfTgvDItZUOiKBkj0Atj0cJLKzdHzB+hrKDgnX72sDHIpO5M59
   QFjeKaanYnjZ8GoazJ6ZWLf4tQUZpwVM1ZkoVmVY/P34GCSm+AredDseL0o2591w
   3OvKv7HSNtILyoXNaN3Of1WZlHbVG3ttVAV3mFc1BlrsE2mbgHl0ExsCAwEAAaOC
   ASgwggEkMCcGA1UdEQQgMB6CC2V4YW1wbGUubmV0hg9zaXA6ZXhhbXBsZS5uZXQw
   CQYDVR0TBAIwADAdBgNVHQ4EFgQUipA3w0Xx3/5B9qPT6PBlak3th6IwgaIGA1Ud
   IwSBmjCBl4AUuzeOR8daNNt62fh2tnWO0OQTF0WhdKRyMHAxCzAJBgNVBAYTAlVT
   MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE
   ChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9y
   aXR5ggkAlqOEF07vikwwCwYDVR0PBAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
   BggrBgEFBQcDFDANBgkqhkiG9w0BAQUFAAOCAQEAxOpZXrdpZMLbA1GgFI4Sj4a5
   9qtrweqFKFY1X+mUWvuBVpcClUgTC/sbE1kngtY7p8icF7NSbQhT5+UYwwUI0d1U
   +J0K2JFF+5t5db54CMVGniMIfw/NAqA5u1kX4+N90FF4DpoG9TKwxu8Q+zfWVCag
   VDMg9uYx90eM1v+Qk6LWbnYzG+ZA+VuDq+ilRw4eTqX4urTmprudxzpI7FZZLJDs
   1KNBGGza1anbrdD0X7NoKaY7i0Pu2Vz7JmNFa2xC5xrswOJTho8eL00g+UXCVu4M
   d8aD/tpKbGVHgjwfoorD+lDLogtnDcqTXkEnw4MM77AYScc9UQtIcODm8Y65Lw==
   KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOwsdgPVSPMweLWsBDHUSXJS6Vk6pu6K
   sVg8IWMf1g0TWTPc5jUAQlWlLNtmN4gcSzq5z1ecvf3rLMomJPZaWbektTTg1KZl
   2wQgyP+vx/Hf1BByj3s2DE/KZoLnQjFQawHHMc+kCtSa6dCFTmD9nA5cYDVxNmKG
   Kz/+5HYxe6ByI6NZGNlSB8ADPULcFg6UchO06JvrGFt1n9tAtMf5C31+YYGpqXBl
   qZOV8Wo0Gp6Vlnd4LrvDZkwjpQ/o7EuFbiK34Gvh3cuh9EkMbk+IPgVv7ohjWPDl
   6WygTkE2VXHDhhdN4MXPKyenXX35sB52fNytN+2qM8bo4QPfTZlGrx0CAwEAAaOB
   ozCBoDAnBgNVHREEIDAeggtleGFtcGxlLm5ldIYPc2lwOmV4YW1wbGUubmV0MAkG
   A1UdEwQCMAAwHQYDVR0OBBYEFNiNYjKOu6f046JHy28GDRVMeR7sMB8GA1UdIwQY
   MBaAFJVFfl8r6mWYEpEE82PHaJpYFncnMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAU
   BggrBgEFBQcDAQYIKwYBBQUHAxQwDQYJKoZIhvcNAQEFBQADggEBAHUzR2H2IWrQ
   ls3iqNlG7815mOjm9mgQX6WP2ILwBOTOqtPJ9uE2XZU9qw6d9vdcbAgLpp4Em4T7
   Whcs0zVTrgKpWjDlho/boRS1gP2Qu9I86zJzf2R3mhTHUsbpxIwMCcHQg/fdIIeP
   5Ar8R5DZXx/Q9zdQLE+cjMSjxo7q7uOV8DRkgMpYtp7BURg5ZXhnkAhEHxa3/SbU
   YGfy3PzRoAMQmRZieAXArsIxEfkaC4Dtox/D4XLvY7njBFv8H6wqlvQyDsKXWlUH
   8dS9i/3wFEpQtymUUeXwk8gzf2ytT6hgrX70s6BLy/IeRU+wLJ3k5YZpopQZjDm1
   fNQG/O8TJlQ=
   -----END CERTIFICATE-----

   Private key for domain certificate for example.net:

   -----BEGIN RSA PRIVATE KEY-----
   MIIEowIBAAKCAQEAps9qnpOnBZRU5qZeZLx/QsJUArPQX/uQhvl5zzZs2UMwG8Cx
   0VTc1cOqMROg/uoU1IoLXk2+ykspWR72pWteHoLYfMbNT4RhBn8D5ntlOF6+UYeU
   O4gCNzCMX8WXbz0H+CvD3jhyN8RUSDWuPfHebPILcRB0047utSUCVDGrp11Ze19O
   C8Mi1lQ6IoGSPQC2PRwksrN0fMH6GsoOCdfvawMcik7kzn1AWN4ppqdieNnwahrM
   nplYt/i1BRmnBUzVmShWZVj8/fgYJKb4Ct50Ox4vSjbn3XDc68q/sdI20gvKhc1o
   3c5/VZmUdtUbe21UBXeYVzUGWuwTaZuAeXQTGwIDAQABAoIBACdfe+4UMe86NNQA
   XvVuHKe4ULYWlU+ihFmnlx3W3dhmaHuUfyRG4J1AQvK0jGK/A82rC8XlmewL06Wq
   jlM7RYr0HX9OOXXUbEZpQpVreNfWXRvHYbCviL5YIjoU3IqwICpuwhu4vRT2rWIh
   8Y/DgFm8xACa/shUy3lMVAFle/vTxlAuLA8eU7StYCsw8a7ZBqSWwWhbRQXAH6j0
   KYo7g37SP+3GnxvvLmEARpsK11ymQLWfIqtO4lF1I/ODW0Jc1YPzF/i/wcfy1VLd
   IySx84qqOKmwA8aRvnjeiLnyii0Qo99Dc3nQH34uK8YyBeq1/00JNBKwI1kO+W0l
   oUTindkCgYEA01mNxZeU5KhZy9n4jHkJCoO4YxXRJeVtq0HUO3Ht7NP7LtRtbmnZ
   L+ha7vtftJo/H8Mklj0xMBaHw3W6J0NTtYB6fcViEVvRpohis13ol/LcpP57/y+L
   yEW6E9q811mta8hUhhmjhjQdytv5IT9taze+7y6I1HGN17xlW9JOmOUCgYEAyg0G
   TfbMG9974aN86RsN56OFhEvMUscawnFMf9L+c/JWV8pkhIiUvATVHwsLAMXnM0mk
   q2jHVunFMF6/Dt0QDE6els+p9S/qz/qn5P2i5TEse/L7YITk0K/6Xp0Ot9VDMoFx
   XDd5FJj1PjikmhZ3qM6jxhrzKE9OVnv+P+JpO/8CgYBIWbjZsnlrCWKsETMvy2NX
   8R2W9eoCIhc38DIaI3dCgpLTRi8sBBowd0dh1jW+GquPUPteXxZOkvfo5o1SUY7/
   bDsCgSaAMMGFU90N8BDmq2HzLZb/FaSxa4U2tMO+qNlgM1UUDwTWtVKZllIjmpX3
   hT7cnD6FE1ZuSvUbyNPVLQKBgQCMmbWqaTQtrT3CjYbtm5L4fzT5E9nyPHUlm7v1
   Mzk4LAnje4apJ3YAxIgd2wxkFFNHwFZjpT0aAQDkIPpo+HIjbk4zefy2DwsigTV2
   Rv2k6awf8Lz2tGOZyOu8DSThzfi924+r8TpDmBEIpFf+leXcxTb4M2bDxTQpQI1z
   nTVHtwKBgGQPfSeoeegQEg4JwWA4gcxc7IFn0zppj+LZMI98Teyga5S0P7ju4SC9
   mPD0N9TriE6nW6+Zvf/9JDC+gjwXs2m/ueq50HKYxHaeG4NGknuJg09HpgD1f37R
   UVhWNjxpG4iU18Rm5UCRP3HwEJ06DWFFty+7ZKJtSkTZFOH7NdUf
   MIIEogIBAAKCAQEA7Cx2A9VI8zB4tawEMdRJclLpWTqm7oqxWDwhYx/WDRNZM9zm
   NQBCVaUs22Y3iBxLOrnPV5y9/essyiYk9lpZt6S1NODUpmXbBCDI/6/H8d/UEHKP
   ezYMT8pmgudCMVBrAccxz6QK1Jrp0IVOYP2cDlxgNXE2YoYrP/7kdjF7oHIjo1kY
   2VIHwAM9QtwWDpRyE7Tom+sYW3Wf20C0x/kLfX5hgampcGWpk5XxajQanpWWd3gu
   u8NmTCOlD+jsS4VuIrfga+Hdy6H0SQxuT4g+BW/uiGNY8OXpbKBOQTZVccOGF03g
   xc8rJ6ddffmwHnZ83K037aozxujhA99NmUavHQIDAQABAoIBABfBYR2BlpTfi0S6
   yLE6aSjWriILhD76NFxrr/AIg79M8uwEjCNIo2N5+ckXvv4x2l9N0U0+tt2Tii3L
   KGyfKecO6isncjxKgn0nzw/o3nO1z97Xpxb9mL9t3GHOYRoUvK6xGpGILo60BlCz
   F+8pk0jegc7eVFoUpMULHm/FCmpY30N5cvCHcAE/ncW49bZmH3gQ+cmr5UcKKDUY
   baJyLd8Q1f+uSmtrfYZzRT5c+4wmrBUjv3w9poMJuEo4slRaDnyeKJPSNR/6/LJk
   tqnqgNif9cj9wqF6hWA23dDmmU/kSRtn1KOz5XmV9Jbo4Fu64Fvn/m/hj5Og4CP9
   hZUWIQECgYEA+nV2pzspCfS7jSebVnvjChvqJ0nJAilSqCmrSQIT5PRmO+GQs6UT
   PVN4GE0Ms8TTJyvxVkpoagQ36VLw/Wr0jUm+Z+dv1TIlFWTas8RNmdZHMv0LvfEe
   Qu2fTI68l2d/L9GBMUCYa/sucX5E9q+3LC+Qo9jw8ehWjQZsWYER4dsCgYEA8WYX
   AqDdKjHRqu2h248gZsuogiZq05iuzXhk2VTQoiM92mu8m1Htak+eov3/3wojqxuw
   TAQbf/t8EfQ7LIGjaKqAua7mgG/aNB6MGGwdpBAPUZDL+DuKfbDbzTOL/IuaW0Fp
   40RC0Up5nTU9wzIKB7a6n5S5R0KXxiGUIphfcGcCgYA6IYdPmziUOfxJ79ZrBUgV
   8ZKwWbzQxpyLsVgzEsthSaRs45a9S2QiyLvIECIRm25S2i0ilRSU/rOncPvEJc3q
   +SG7Zgkb146p34WvUbGdMhHGcNsH0+3tJM/jagG1tmzbwWmV7+MwtNT7vI3vH6uJ
   EuUkUlbiHsXv53zAbWekHwKBgBy5HwfLCEXbA62o9NdhImPY28YQuClRQ4tjReyu
   MNz6AIQayahZiTxbGO8f9fAeDrxvYPzKiFMkI1EnlFrpWf48O3DcpMSninklIVpO
   kwBQgOIdrods3j+yaZTzCzcTjVxKXkUSfDjW+b2A9kZhj9v3HCGc2qbl/5Utraio
   JMMFAoGAHb+k+C4e8WrW+jXbbG/DgAkSokK5vZwZLHeWBig9bEi626xN/oFEQVXp
   zqwyNo6zQaofmS6anT6P2M7NClSGJxh27eBTiTLp1NCXlGTWAQEtXmYtvnAZNzXC
   5Ur0wvS5bLx0nbhJwN8ZBwzJhYup0kU3pn99GcF+vkj5Eg7Zftg=
   -----END RSA PRIVATE KEY-----

B.2.  Certificates NOT Using EKU

   These certificates do not make use of the EKU specification described
   in [RFC5924].  Most existing certificates fall in this category.

   Fluffy's user certificate for example.com:

   -----BEGIN CERTIFICATE-----
   MIIEjDCCA3SgAwIBAgIJAJajhBdO74pRMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
   MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
   QXV0aG9yaXR5MCAXDTEwMTIwNjIyNDM1MVoYDzIxMTAxMTEyMjI0MzUxWjBiMQsw
   MIID+jCCAuKgAwIBAgIJAJajhBdO74pRMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMREwDwYDVQQHDAhTYW4gSm9zZTEO
   MAwGA1UECgwFc2lwaXQxKTAnBgNVBAsMIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
   QXV0aG9yaXR5MCAXDTExMDIwNzE5MzIxOFoYDzIxMTEwMTE0MTkzMjE4WjBWMQsw
   CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
   c2UxDjAMBgNVBAoTBXNpcGl0MRswGQYDVQQDFBJmbHVmZnlAZXhhbXBsZS5jb20w
   ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnWAqXQ7NkLPjAssXP8c3o
   zMed3haJ8gwH4r+N1Pm+3LuWk8LJ63Vq/+gjlel2RxP39rkU/HXa+nqHqiH+M1E1
   ic7hpmEHM6Gm0Tg43aVQBx5qGzneMMfdXJ9UARSg/Vb+U0AlvyWbwXDh3UZvIl1E
   EVOJ80h8F8B34PcUbzZ5koaYcBV/GMWkihT6++mgTT+U1b0icP3+Jz//upaOYQiI
   pGKo79p0b1yESS6jFkPEbiFJEQssroWIZWIYkY4qkbFQCw60pN+S+zwI/vBDFCea
   9sUpwkCLdsVwMpqjDSseJHtzfqBAD5bEjLPJ8vGaqmPcYwFamsZ6ylJqxGizO1il
   AgMBAAGjggEzMIIBLzBRBgNVHREESjBIhhZzaXA6Zmx1ZmZ5QGV4YW1wbGUuY29t
   hhVpbTpmbHVmZnlAZXhhbXBsZS5jb22GF3ByZXM6Zmx1ZmZ5QGV4YW1wbGUuY29t
   MAkGA1UdEwQCMAAwHQYDVR0OBBYEFI0hoK+Qsya+/kfcfP+YSiT654kjMIGiBgNV
   HSMEgZowgZeAFLs3jkfHWjTbetn4drZ1jtDkExdFoXSkcjBwMQswCQYDVQQGEwJV
   UzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNV
   BAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhv
   cml0eYIJAJajhBdO74pMMAsGA1UdDwQEAwIF4DANBgkqhkiG9w0BAQUFAAOCAQEA
   PlzFnchNCY8HE21bWZxYX20lENZqv4Cnmwcgdlq1iHCW/r+aUty6f4PvYEBULPxv
   70HAW5v2KTyK4p9JOk+/59+60piLp4Fq6P0/T8D9oIJUPm2W0xqvsyBzcQEI8fq3
   GZCc+P/4J2B9T58sD4wROMkThhSiCsIkqWMGxV2RZBUQZkgPkAWBHmueEFO3p/9m
   7de94Cw7I8Wusip2YIbMzekraVC2soAjL9v5BV5sjflU6g94mBQ4LrfPGHIQLXL0
   i84PwSuLJRtHLxfbF6Rv13t3s3aRyi3rOz9CA7cqf4ZhKdknek34WmDAFh0nRfZS
   B4J1D+Ky/GluG6T4vqKHPA==
   c2UxDjAMBgNVBAoTBXNpcGl0MQ8wDQYDVQQDEwZmbHVmZnkwggEiMA0GCSqGSIb3
   DQEBAQUAA4IBDwAwggEKAoIBAQC6VyOIP6UANXy766KHiYDxyOpYEFboLJv6SEtw
   UWQoZS3hQurFidOu4gkCspblzaMoty7lnUexbFxUKdbJOWGMcB2hrezJ+6rwJPK/
   bF5YDijVtVqMRd5lv/Ni5yzteHfrMszWnz3t+ojgak4XTjBJmP2RO0T67GUpEbFV
   sDeYtWi+G1ebDAR6bf6Jdba2K6DnmkxT5Rr6oYJHIApYbubk28asBQN6EGBBgPEO
   RReJYrjoJR/rBDDe1bxK+ONdFXPlwjI/TRPMpvUYraWgTjJ18tXISgF1htaa/Y1K
   YP79Yun2Nl/3UQcPIc/C6CXBs3yAUK3qQO1G6C5pXH9KMMlNAgMBAAGjga4wgasw
   UQYDVR0RBEowSIYWc2lwOmZsdWZmeUBleGFtcGxlLmNvbYYVaW06Zmx1ZmZ5QGV4
   YW1wbGUuY29thhdwcmVzOmZsdWZmeUBleGFtcGxlLmNvbTAJBgNVHRMEAjAAMB0G
   A1UdDgQWBBT7CTXlQ5GKWvxGZNY24mmmVuEnRDAfBgNVHSMEGDAWgBSVRX5fK+pl
   mBKRBPNjx2iaWBZ3JzALBgNVHQ8EBAMCBeAwDQYJKoZIhvcNAQEFBQADggEBAKL9
   wUWGRhCQdhjzY4bx0R5Kwz+NHvsb8rjlPqfdcbNujBCw+rD+/uux0G3HwW+Mraj5
   U2tUehwz87k6SgdqADzL/CP2mjzCJo5uDhi+tzjeg6ZklTSZYQrL3FSv/AgcUfFI
   9HuCGkix/htaoEMy2zNZnZOjdtFME9w7wb3GxxqWTUzl9TToloCXYmLeQo/jwuad
   40ybun1P5CWkO5Md2Y5zuNfCsRRz5lLYtAVfANtLBfeFV+S87AwrrdeITT+iyB7H
   Jj+t24U4IMC8MttcHBlPPBuRVc2kmhNEQuTzelCsldXgY2+kn8ItnLdv1mvLpXA2
   2Y41CPLCSj9AlqqZL9I=
   -----END CERTIFICATE-----

   Fluffy's private key for user certificate for example.com:

   -----BEGIN RSA PRIVATE KEY-----
   MIIEogIBAAKCAQEAp1gKl0OzZCz4wLLFz/HN6MzHnd4WifIMB+K/jdT5vty7lpPC
   yet1av/oI5XpdkcT9/a5FPx12vp6h6oh/jNRNYnO4aZhBzOhptE4ON2lUAceahs5
   3jDH3VyfVAEUoP1W/lNAJb8lm8Fw4d1GbyJdRBFTifNIfBfAd+D3FG82eZKGmHAV
   fxjFpIoU+vvpoE0/lNW9InD9/ic//7qWjmEIiKRiqO/adG9chEkuoxZDxG4hSREL
   LK6FiGViGJGOKpGxUAsOtKTfkvs8CP7wQxQnmvbFKcJAi3bFcDKaow0rHiR7c36g
   QA+WxIyzyfLxmqpj3GMBWprGespSasRosztYpQIDAQABAoIBAE4NmqMDSOEouL3o
   pKthNZGoMlNIC2s8IrBq6r3U4MhNXJHXSbu0v4ew5S3z9njcnkvCIIHRX4dL3Wr5
   x/ExLmeyZ3SIjik1w+hzHa4oc7roFx+Wo18nkZGGaipcdqrAf5sQaZMxnPERQP2Y
   oAmmFapyCm0FtIFs8rD3lUdKuDXriPj+p8adcXeJrKixlJSjK1ct+KIEP+GK53x8
   0c5+v2mUopfY4bFxJtQx0CwXQj0DQtn7y9gtKP53pyUDwE6/MBx3IxssIaBIz4ke
   DgSZACdYCmCnyWCjsfLhkhvapm6+8nM3RxtFAdo3OA5EUte4+YpGHGCrHOkumdu/
   QuJ1MQECgYEA1lCm83NUJPyh+QvmKNMT2gLcNJGkMUlLr1izBn0es6y7e0VRCgOR
   wcC1KKx2IlW0OqO4yHGKGH0+9zSd+3ZE+9SjsYrL0p0zmgl3jtevhKm1KHiVHj5f
   opgIOF6+SEED2QoeLWyQHzYATtQLXRjIL+rihDdct//IvY3ii4QJ37kCgYEAx+SQ
   g1mkqzMraDmaB8SEO+CvxSHPZYw7xAuOx4OeznU8FKRyC+pxiMOBfsdUXqIRVa9W
   vOcEhmfNmRSAOYJBmMa3S9vNJtn0hejnVEQBo/HKaG19cqDc03anXFNXxx1mkgvE
   Dixv4WuiJladAHl6E8HNWNW609I1WHpRj7hWfk0CgYARyiARlUEm0NGhGpvAR8Ue
   E56zvmMitDLUG0jBASHLSEtHsDlJ24H900E2XxpvPy32sCBmgwYzgjH30yZJ+UdA
   oCX2Vs8UbHgcES0bbkvjdzLSaS/3krXdiUElbLfex4bKPUzD+H7+GD1uTaujzqrP
   T2/+CZpoq5K+KUjky9EGAQKBgEpa0Q6q97/fBtR8KLme9fk3+OoBS55gbZLdIb1B
   Tn9JyJF9IhcgnB7danv4NYAGFSCkWkVmQZ6lWisJHzFFLJVhxajoGAXNqVFucy47
   JckQFdSGddV/1OSsDFEhh1M/snm8+q6zBOL7IJPWQAx/I1PaEUJsLlTAqqtAxLoL
   PdE5AoGALjb+pyL6ZZzpawX3BbM6AKUYr3nITsatHkRFdko4JYQ27Wv17//947BL
   NJxJrw411nv8O32O/A2PEd3tSOZAAl4XWgzDN2SSBIllIjkbQG02gdd6EalFZ4jL
   LkjFYQOJdaurKaTZaOqcb6QQWlrplz9zbZhsXBJmNm+MO7IJWXE=
   MIIEogIBAAKCAQEAulcjiD+lADV8u+uih4mA8cjqWBBW6Cyb+khLcFFkKGUt4ULq
   xYnTruIJArKW5c2jKLcu5Z1HsWxcVCnWyTlhjHAdoa3syfuq8CTyv2xeWA4o1bVa
   jEXeZb/zYucs7Xh36zLM1p897fqI4GpOF04wSZj9kTtE+uxlKRGxVbA3mLVovhtX
   mwwEem3+iXW2tiug55pMU+Ua+qGCRyAKWG7m5NvGrAUDehBgQYDxDkUXiWK46CUf
   6wQw3tW8SvjjXRVz5cIyP00TzKb1GK2loE4ydfLVyEoBdYbWmv2NSmD+/WLp9jZf
   91EHDyHPwuglwbN8gFCt6kDtRuguaVx/SjDJTQIDAQABAoIBABtIBLi+8K5eJlvw
   /MOxOwKrMrwf8ElftppnGTxhfjN31MbFIFA5hJd3GnCdqwAMIlYks6YEZ+mu/rmH
   wp2FXCXOiFgSebd8tCMilbO27v0fXZUkTxR4aj4lY0HYrLg7yfrSXjER8WQ1KPMK
   PVKmLOWpk34+2jOOhqUDpR3xhcJClQ81fC1hKe2JoixNDoPdfM3azTq8QUPLQD2I
   mjww1IH1677G5o/6qMloOM0Feqv/3cUWiRmvPv4eyGHdNtuFXKFpB4DQQMQL7TD8
   FoOHBymHIOzSSF+gYgBFOb0YNgu2CqZrfED9cf0rRotrbXf6tM+akclxfHhkfKaa
   JPZosbUCgYEA4MaetKsa7azhEYMc4TK0xhhV5Hi6lj1xR/6h++uYF0OIOBjM9yU3
   5n6vLpyghNbW2bK08OIWPO0F4syvyKYR2elmUDraH29DKAtRLEkU9K82RG4AmXmk
   G6ZsWOfx6Jf35OnAKVj/7aN9jc4K1v6EFyQGYEXbp4I0fhFfbJBAe28CgYEA1Dmx
   iKJD+jWW9ypHk51YJ3r+a5qPPNVmjGKQQje3Y6+rSlxmW0hMwXoCBOYRwhHBRA//
   SxH93PZ8rECjNkhxp6Ao87X2Gcol5U6kH+rwfd/3+SsHqPrugaDIwNlgkcu8VRrP
   8uP2CgJoDBi5UY2UR97GVK98x8k2Sf6kDT32mQMCgYB/KH3R8VY7jOiKcqTc1UWl
   J1E3/gB4S+wQ8YELth0FVCP0sDsLuZdlItfRw7OfUraa01k/SHeSIfiJdIghN6mz
   oDFMQ+7vh47zUWurZPCg95n4nk5ihIkNR1nV9elJTudjLcWS3pFyC2JU3XIObE+n
   k66zufFoUuWFSCi2juibqwKBgCT6RHe1JjkDe2FniX8r7D88y/W9wXVtDWgqiE4x
   XQ/OfP8A6IjBKTaQ5qcp2zBAXbdZPjc7VEta21A8FvQPXVZCrsAAFXha4413zVsO
   WYblLlTI7ZXA2yvU8wW/Gnds00zU1iTRGX6W+sAY0rll/M8k/tOknA5HfeEYsEbq
   Y/w3AoGASjoC9Fjy2aBvH8SQaimn/Rx3hOFR4myOGWtHxrXmezoO2YdcMO1d8rlz
   A/sQRvVofHRwyoaIkZkALprEGyxEqCdMmEs1h9xYAcxfW23RfqC39DYb9RTrRkwa
   ArJmcEdRESOsIYhhXGfE1QMGiwj1UXMWeYcLtqQKWiLLDTYYfQE=
   -----END RSA PRIVATE KEY-----

   Kumiko's user certificate for example.net:

   -----BEGIN CERTIFICATE-----
   MIIEjDCCA3SgAwIBAgIJAJajhBdO74pSMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
   MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
   QXV0aG9yaXR5MCAXDTEwMTIwNjIyNDM1MloYDzIxMTAxMTEyMjI0MzUyWjBiMQsw
   MIID+jCCAuKgAwIBAgIJAJajhBdO74pSMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMREwDwYDVQQHDAhTYW4gSm9zZTEO
   MAwGA1UECgwFc2lwaXQxKTAnBgNVBAsMIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
   QXV0aG9yaXR5MCAXDTExMDIwNzE5MzIxOFoYDzIxMTEwMTE0MTkzMjE4WjBWMQsw
   CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
   c2UxDjAMBgNVBAoTBXNpcGl0MRswGQYDVQQDFBJrdW1pa29AZXhhbXBsZS5uZXQw
   ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRSzOOvy+ileQ+vlg50lmj
   LG2ZtCBwMwzoxV61qi4GYW7Ycj1Po4rGZj6SbPXBl1kOEVWLeUk6kcdw1VCx0Qy6
   DhMNfdOBC/iEKGClhTs+hsV9TYl8S9gyPWPPkny6C2LSsnZlN2CAlftvj7YzMOiT
   bcHejcvsA3Wa0HyJbUlj80v/iqf5e+6x2qlvEsCBfHmBQcybJlJLhIUcMTRsEo6o
   pEC8ZGNzHLfyH+MFZeGkte7+n1M7PSLCywQ0ZHy5hZQd5G3xoM5FRB/MzZumLCEn
   NbVi2K9tBSbcEExKPwgiANwoBG5r9fPoSUibZk/DbH4f79L+wbI8z3EjiAEqib+Z
   AgMBAAGjggEzMIIBLzBRBgNVHREESjBIhhZzaXA6a3VtaWtvQGV4YW1wbGUubmV0
   hhVpbTprdW1pa29AZXhhbXBsZS5uZXSGF3ByZXM6a3VtaWtvQGV4YW1wbGUubmV0
   MAkGA1UdEwQCMAAwHQYDVR0OBBYEFEDMGZkS331DpFqfPXUoAIYcVUKVMIGiBgNV
   HSMEgZowgZeAFLs3jkfHWjTbetn4drZ1jtDkExdFoXSkcjBwMQswCQYDVQQGEwJV
   UzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNV
   BAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhv
   cml0eYIJAJajhBdO74pMMAsGA1UdDwQEAwIF4DANBgkqhkiG9w0BAQUFAAOCAQEA
   E7CDtfPvcTa8bcfnkqQ9+26qTuiL1uCEyo3QnnrZl1+miN3DZvsmckgUn64vkKQ5
   w9bPrckyhtJrY2WGLnQ7UGvUItK3asv22cgN9JaAMZfJeeH0jOJRtH6oDeWuDcgV
   2hanLeJYeZU3p2scV5r1ph3xpRG2mOCgaFKhT1zxP7j8Teya2m/k1IKjZyV/khPI
   nn/RMK1H56zoeqhQt3Xx//xxyxnZcqbyDOdRsnwGolm0V6s1qFy7BHq/1uRCAbyn
   fHcPfciTr+DR7GC/HkgVrIcZdy0gxsc2Vnbx8JQ8KqQl1gNIHo+QmYbBv+MhSqcA
   dhkXD+SMLv6W+eO16uneCA==
   c2UxDjAMBgNVBAoTBXNpcGl0MQ8wDQYDVQQDEwZrdW1pa28wggEiMA0GCSqGSIb3
   DQEBAQUAA4IBDwAwggEKAoIBAQDE/QVN7nxDDu5ov6b0cmHIFH93KhNbTEyCisir
   i4OeUBiCv9dgRgPBXffrIIVQdIlCoDeLDusHdsC9EfFWvg+pRlKVEDgwccO0F5AV
   bq3MK2Njma5I0lwpIa0RXYQ0K//oX/+jZeakhFty/R9yer0KaXWdLRd6KtncISui
   z9rFhlTB9lHg6vNJUN9+Xonbcs7siXbj3qZdhb7oipI4PoQlXVetyu+SzAVe6MsU
   5lwLmpQpIzQdSsJyxaAsW+AsyxunhWWiPZ888UM4vXjacZuj8GvJ8w2XjgJilQvV
   s8ojWMKnAGLaR7grTBmGQ90e6+cg7hWuoGBlQA0R0h8zWQz5AgMBAAGjga4wgasw
   UQYDVR0RBEowSIYWc2lwOmt1bWlrb0BleGFtcGxlLm5ldIYVaW06a3VtaWtvQGV4
   YW1wbGUubmV0hhdwcmVzOmt1bWlrb0BleGFtcGxlLm5ldDAJBgNVHRMEAjAAMB0G
   A1UdDgQWBBR6WwH61Ul7BIWeiKM35fMAiE9xazAfBgNVHSMEGDAWgBSVRX5fK+pl
   mBKRBPNjx2iaWBZ3JzALBgNVHQ8EBAMCBeAwDQYJKoZIhvcNAQEFBQADggEBAKE8
   y9YyoZlkFw4WxPalK087sSEveKBfzh4TuYQf5YcSIPw0coZGj/gNxn1juiYhE93G
   F+Si/hJM0M6cc7SLB5Spq06Tt3PyPBIOZOWk9koh92kDI3axSr6II9Plsvp+Xsrl
   bz5Zy8njy/YZrk/qOaHqQ5J6nPNp5qwF+ns2t+5Zl88Lli5nkBgOXFOuE0RIkcdF
   CUFRUj026GxAILR6wUThOzfq55Azwl5Y9Y9QmEjFhkbYLls00HxcJdnt+6Sdm/vN
   MeMJZdTzp1x+8pfPhJgHoyz7nkAxhgzC9RT33ra33BNkMQ6esRlQONJ+ZRsRLhHP
   O7+kvXvmj9AAsA291wY=
   -----END CERTIFICATE-----

   Kumiko's private key for user certificate for example.net:

   -----BEGIN RSA PRIVATE KEY-----
   MIIEpAIBAAKCAQEA0Uszjr8vopXkPr5YOdJZoyxtmbQgcDMM6MVetaouBmFu2HI9
   T6OKxmY+kmz1wZdZDhFVi3lJOpHHcNVQsdEMug4TDX3TgQv4hChgpYU7PobFfU2J
   fEvYMj1jz5J8ugti0rJ2ZTdggJX7b4+2MzDok23B3o3L7AN1mtB8iW1JY/NL/4qn
   +XvusdqpbxLAgXx5gUHMmyZSS4SFHDE0bBKOqKRAvGRjcxy38h/jBWXhpLXu/p9T
   Oz0iwssENGR8uYWUHeRt8aDORUQfzM2bpiwhJzW1YtivbQUm3BBMSj8IIgDcKARu
   a/Xz6ElIm2ZPw2x+H+/S/sGyPM9xI4gBKom/mQIDAQABAoIBAG9e7w6U2gpQbOae
   b2BFeQGFkMTrvx81azcqX92Xs2odythO4iVQx3YPzlgotxXPLcp4mubfIYKTNGfs
   e0ZEEdunxae2Pyg6cIIS4mrx3LbHDKxC6FhGG8OQO16nesudZ3brFGmD8Ew8g1G4
   TaIr8ncRPsro9YyfwqMhMkQG7bjLNcArDV8QiFduJFDKHSTfQjMS3V9p0SUFwGFy
   /t/1IsEWNvcTO5H3flNOgergiPNx30prMD+vhgWJXPKDuKW0mIfmogFheDZXOMvZ
   XvKJoNHzhSmB4mToADbTFXRXCTxeGgE7ZKqldPlHNBw0TdBpFdu0vrxkJV+t9CT+
   RQPYdCkCgYEA+D6SGuR7LPMHa/6wGHRXaIZXDTTRbbTA9M54/+aByvSgSdUgTkyV
   c76GLjal3X2eNGHHi75fJtpTugrMZ4EnRrqGS8U3Tip081zUy2m+sfT4eHUDACDT
   kFOzJA+brPz9VLpZZYL1boNtDicMp9qN1RhDw8arqcRj9bUdPK9Fh4sCgYEA19Ub
   oN8quH8TKi9QbDAc7Mm59T/IvW1qGXacpU/noRUvSfnhazCExLeFhmd2gfF8GbeA
   Nt6LWCxMdd62wi+uubQ9N+qkp6SoRi5FdZQ0F+sTaslI8wgr+LOITcYQYibpnRLe
   L4WjIqQuESy3bQ+uTDVMK/yAm3ZLxYWCBdelWesCgYEAzT6me/eWY8aXx1Fu9PkT
   38baqH+X/BVrR7yCTEmf3Fa/Q+wjZrlpA6ZtuD3Uizk2GWcSndaLQ0tV2EbfU2B0
   QcUsDe+D12vBAAkrovbOBMJewPE1xuBdK0IYpeMFulP9fBUKnqRVGcct3nqouws3
   Iw2J0Y8sFRPb9aWGA8uCOBsCgYEA0M7QB/dgMVZfiDR2LfTuRvdy/R5Ua09rkm76
   ZcTEZ0dDlOI3f6hVCqwydjGqqVSjp42scWkkjo1s+6wYTA4tkGQbxfkwiy/1zM//
   Sx2yuGEpS+qotNd3Ewk+GWBBgXP8F4alhnxXs6/7EYqdetns2rXFl9iV49GyxMnB
   XT2gLzkCgYBfcLwsNYCw5YChZSexQgP/VYDIFm5PAITnGYCVMDLMaPdeCV/IKVWN
   UKqlc97IyKCmLy0RYzXpYiY1sw5Vdb63mb243AjIOxZiaHMjfG2Ke6+Iz5CfuIoD
   3uxlgFG/hCv5HAjOPkYopkB/eOtHbvKh1Ud+zhyCjnnxiQKawYtL4Q==
   MIIEpAIBAAKCAQEAxP0FTe58Qw7uaL+m9HJhyBR/dyoTW0xMgorIq4uDnlAYgr/X
   YEYDwV336yCFUHSJQqA3iw7rB3bAvRHxVr4PqUZSlRA4MHHDtBeQFW6tzCtjY5mu
   SNJcKSGtEV2ENCv/6F//o2XmpIRbcv0fcnq9Cml1nS0XeirZ3CEros/axYZUwfZR
   4OrzSVDffl6J23LO7Il2496mXYW+6IqSOD6EJV1XrcrvkswFXujLFOZcC5qUKSM0
   HUrCcsWgLFvgLMsbp4Vloj2fPPFDOL142nGbo/BryfMNl44CYpUL1bPKI1jCpwBi
   2ke4K0wZhkPdHuvnIO4VrqBgZUANEdIfM1kM+QIDAQABAoIBADuLR+kwp3sVrlcX
   Z34IfSofmBALNeKpA4+KJ/JCr7xQ9bfACXhecZAnuWLnZ6TUNRFgoKl2DvEookYE
   gHD57n36dcf9KR7rpH5xiOoRlJNcoiRfNeFpRNZiCZBwNiAXFLnHGtznVnpwT7xI
   axMNqsrU6epi0O/quAPkOu5x6e0+j+j3ZauI4EfD1w2R6moBMUtATauZEEyLuC9A
   6bFz2AFDchPVLwSjNMu0tAJc8Fss8xKls9HUXGS22eUfHxWfkCGwChuW60obGmas
   E7GS7h4g9QvvQ4hGSVy9/MmQ88GmT0LynOyzFBCpuwjOQTHwsD674ldMSL4kXYVK
   jcnTAkkCgYEA4bjN2ILis3uWTjvTNnrmWn1QoZBZDhg1LuNs5o1XtOJ7CdkckUvs
   nqqQYOzNk/9N8vUs12ds3csXHypuuGrJwAVf648RSPDUUQ2XOoPSL9NeuZt5V1fT
   1VyVWanKCBZ5sztISNVPt7Pu8DtGLHch4S/7M+gEUQB1Ogz7fyJHvFsCgYEA32mE
   6lN67aHkqMLa06ZI9JIk/3SsFIPpjwZ4tk+sQCqEzawPvkT7qF2+U8lVt0XXKJZL
   aexsopsULCGS86TEAPoYtjjk91p6ZZj8mgRZLU55g+gRdTpAFhXMgIctU7U6cDIw
   SPa6UxJp9XCa/Gf6YLfas9VBhc/8OC7I4ygjLDsCgYEAgAG7yuM/CSY3MRrARw8f
   f4W9qkIgHtwfnP2gjobtjEk8GXOkvcle4QQ9aJoiY6HPZM8hpO6kUIuSCzyXGcKF
   s33Yzc+Or9zTqzuX3blQA4tNFtlS0POf0En28KhXSIrmbXxbG+LMmJNUF6yluSW+
   cuQxA1i6ye0Gjes63Phl0i0CgYEAuEcILGQpTGMyAYWgC93n5Vu6ir+IxO89sgyL
   ew1irhakLiWTYsTxsyGHwQKb4i0IWOEHWVp7DPDPhcs3tCIezhN8WKm7KtAFj1HO
   YZfemsFU99lutPwUKmNWqFlXqOkeR7cOHtDsRWM15Q45uKJnYmmkSptHjYFNsGXe
   q4fK40sCgYBoAYtsLfMlqt7s3htx4hZSMFbLP/iMGW2DMMAzDW+Xxsvw86ibrcWY
   8c3hbohuJBpyAzba4QoR2G+gtRmodLca+tQFMrObETHFglNCY+WoHRSNRImbCS8w
   dsszPgHWf1nrxBLBiDFlHZwSqbZtLyBjPlHJ+fTiPNo6UTx8aDQ4Pw==
   -----END RSA PRIVATE KEY-----

   Domain certificate for example.com:

   -----BEGIN CERTIFICATE-----
   MIIEWzCCA0OgAwIBAgIJAJajhBdO74pTMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
   MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
   QXV0aG9yaXR5MCAXDTEwMTIwNjIyNDM1M1oYDzIxMTAxMTEyMjI0MzUzWjBbMQsw
   MIID1TCCAr2gAwIBAgIJAJajhBdO74pTMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMREwDwYDVQQHDAhTYW4gSm9zZTEO
   MAwGA1UECgwFc2lwaXQxKTAnBgNVBAsMIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
   QXV0aG9yaXR5MCAXDTExMDIwNzE5MzIxOVoYDzIxMTEwMTE0MTkzMjE5WjBbMQsw
   CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
   c2UxDjAMBgNVBAoTBXNpcGl0MRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJ
   KoZIhvcNAQEBBQADggEPADCCAQoCggEBAPXQypMGzF6lwEjhD96RuJBYfc/pw98Y
   cR1IVQhNBqzHQYvq+Q4FO+MdpNk/AFv6IRNTMr+v5NN6TK47CWeUqA9XuXiACFw2
   ozotPePHCEqvtUaxtUvxqmhkkUB/QiZcTKk/eEDQsDSgcsY5HJ+iE7VEFhu5J6dF
   gKdhn8RsNngTPTMwF/3yYuir1SjPCKTGBgikG0ZBqob5dmZ2SMovaCq22vkvO0x8
   ZyitT+nmvAC3ojlhXohzjAjzhmW/okAy835eDFT720jrf0TMoPUXSj/NXXJNEBZP
   V7rIB9WVb9I4FP3tSsq18pZAEarCxaunMHk6iI5p84m7c/4x9pliaKUCAwEAAaOC
   AQkwggEFMCcGA1UdEQQgMB6CC2V4YW1wbGUuY29thg9zaXA6ZXhhbXBsZS5jb20w
   CQYDVR0TBAIwADAdBgNVHQ4EFgQUagjcipLzTuQKrLLsrLLfkHFwfekwgaIGA1Ud
   IwSBmjCBl4AUuzeOR8daNNt62fh2tnWO0OQTF0WhdKRyMHAxCzAJBgNVBAYTAlVT
   MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE
   ChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9y
   aXR5ggkAlqOEF07vikwwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBBQUAA4IBAQBi
   FmTqO1oubNqemX+2FuF3YhkXMIzDEH668rel+NP2B4ypYJhA4tz+v2CWOAX3ZZQB
   Nwkw0QcH4Fj0Ux1U9AtggSCcX7hSQ2r2k2EWM45wfzI6Nfrm+eWntGSTj9CQMSwK
   XrhLhQB1o/7E05zuMmbmslZE+Nb1/W7HkDexwh1r0hzYLh+dUUAjbd5tGXo3tRgB
   nU9EGfdMgbIMEP2iTc8rZoIcGIvDgd+2GrOLVL/1ZAGCZTu9ZKD0SHSmQkiY0hBk
   sWDOjCnj2BFumv5e0cG3ny79ow93aHkbF5nSDpk1Os3dodkaPJ3oimtiB1J5r2Se
   quV9K7j+tItHd7bapwBt
   KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKEVuYyZlaqfqks9u9yWQRp9WfI+VsQg
   GpJH3vAfastElCdxlBV7+R2CaQ/GnXDnE0lAC5SiKRcvPHq5OLx1VnDADMWmcXBv
   wK5n1zN+7MUCy/MISMr7E2Nd+py8Ft3XhjWDIuUljAh4HDO4fxS/BFy8zozADxvP
   OfpE40EABF5aj7e+xjtkErdkMybAcSYyo53IHP3wDPxmMzCsOw/fi8bfy9j1GiUD
   uz01F9qT/Opz9K1snxgT1IK6GRlktG4JawSiohW1QbARfj9//hR7ZgeB0gO6LLGX
   cGXdl87JdA4ZHMZNinN4Cv8ctZYSQZ3dbt1pRRbGtq7elPskiinDuUkCAwEAAaOB
   hDCBgTAnBgNVHREEIDAeggtleGFtcGxlLmNvbYYPc2lwOmV4YW1wbGUuY29tMAkG
   A1UdEwQCMAAwHQYDVR0OBBYEFFNu6jHPsItA+vy/Jqv81MW7wLJpMB8GA1UdIwQY
   MBaAFJVFfl8r6mWYEpEE82PHaJpYFncnMAsGA1UdDwQEAwIF4DANBgkqhkiG9w0B
   AQUFAAOCAQEANH+wX56VJd0vVB9+Mef1xItWrSQUyNYZZCBq+y/5vIoOp6Chaupn
   xjTjWf50zg6CK8yKBWq8pGlG45GTUx+uCx+nVIbHpyTT5+YDDUzlIhhAUzIOOB33
   Fd/XI/1PK5p5ftuJIYXU0rGuaoH8ud/p2nhIf9mwicUHxViTX3PUwlFC7eMbevBo
   8/dMYnHb2i40ug6hsiYggsmQDbhHLVLo/yqkpvgzPLSSlkXS4sv2oIoJ/ISuSjhP
   QkQ7mh7h01ct/LOa53qWfbCVogQDhMEqPTVdPm+JzTrMlWeZdrk4KbnXGp64Jtpu
   xTVI4GcVAGWUT0cmpspDmHbPOKm5kcltkg==
   -----END CERTIFICATE-----

   Private key for domain certificate for example.com:

   -----BEGIN RSA PRIVATE KEY-----
   MIIEowIBAAKCAQEA9dDKkwbMXqXASOEP3pG4kFh9z+nD3xhxHUhVCE0GrMdBi+r5
   DgU74x2k2T8AW/ohE1Myv6/k03pMrjsJZ5SoD1e5eIAIXDajOi0948cISq+1RrG1
   S/GqaGSRQH9CJlxMqT94QNCwNKByxjkcn6ITtUQWG7knp0WAp2GfxGw2eBM9MzAX
   /fJi6KvVKM8IpMYGCKQbRkGqhvl2ZnZIyi9oKrba+S87THxnKK1P6ea8ALeiOWFe
   iHOMCPOGZb+iQDLzfl4MVPvbSOt/RMyg9RdKP81dck0QFk9XusgH1ZVv0jgU/e1K
   yrXylkARqsLFq6cweTqIjmnzibtz/jH2mWJopQIDAQABAoIBAClI8uz0pFh1IDFd
   U2v/L29W3XKRAWuz0DOp1VY6kZdtM84LHd9D88X2UZyHH0lTXkC/pXNaWGVIUh6l
   HbQ+3GcPRcA+SKksKAf6Vz2tTPA2SIziBeAGa6dy1I5vkS2eLOX0Gf9QzXdZR02R
   hAQvlX3JPKlVVJqcaroyBEJaJl/ODyKEEWn5s13sjV1OUjsTtWJp56sbkQ/6tHaq
   T/q3jLviNUyJJWnbXNMSMTo+L+kg9ezLngJp7QHjemk+/GcrZHMZGEiydFlVkE8R
   egBanpVFve7OB0zeYRFI+2dSnt9/M7OwEp2abBj4iGCOlrNvvrJ0cp4US3cTc6U0
   z2kvMGECgYEA+6+fw6RNCmrJRXE/cMqMq0d/gzlDeZ8iQ7Esx3yvMprI6nhYR/CI
   gsYAEz4SkRYeUggMLRF2VEHzM3jIp0ClucpxN9gPXk/rgew+wdzDUHxchuSdYUYO
   W0c6ji7TksrCFckYRqOyEQ1MYcQHUYSSt4FdXI1lHVSosv/DGOGtxfkCgYEA+gdo
   g3hAKm0wDNMg/T9rsnsDeQY+H4TuGMpLU9Uy0dJ4wwRIeUc8L2fLBgFEzV2cwRGw
   fDEZvt0btvzXN+JGUiKwoS+S8a+To6YN+Xk0w9SwyulqmriVsWfmNiBlStO7yhCI
   HlM6Q9ZLCSnDK1rRiHoDDq/N44x6fZ+lfA7E8w0CgYEAuRA5HIUqNNeyaUJNUKVO
   6/5lr1qi18IAUt/rOj/fHwmbZHTbDQK7jdUDZyLESjSGVPEf6t+lL21S420TtY+e
   jE9kEpjnLAT9+Yl519h5MSxQaMufQVBe7BUi5DtgTNaUAardE8v3+fvaRyT58KHX
   s+EGgjBhwkBmzz+q+BexTBkCgYBIbOzxaFvt7kME9AOSWFSyFsAixpQoPTFbLP41
   AoT+EqG4m/0CZIgik0ZULvnnIz7NDnq4/uAeUZ49m3AcWAdWs4XGqyk9qUZzGR7j
   LSEDuRCdNpAS0XVLNnWRKEEvM7YqCi/j2Of/zotd1CMc4+neRrmr/3D8gSzaRuyA
   yyZx4QKBgEsfARDm5ldHF4Eatn0P7p+KpIKaaRELwklUKWpkc7Q4XTEkshzBZ7bn
   66QPgU2JHCd4gKnTZDs1qhz7G+ZkRFk9bupiqEmGE1Tcv1cKgSXacYQJHvki+/9E
   1r6h5F002P6KeKEwzliN2b3Bsu5fhZrxWQOm82+D1vcrkgmZ0UtY
   MIIEpAIBAAKCAQEAoRW5jJmVqp+qSz273JZBGn1Z8j5WxCAakkfe8B9qy0SUJ3GU
   FXv5HYJpD8adcOcTSUALlKIpFy88erk4vHVWcMAMxaZxcG/ArmfXM37sxQLL8whI
   yvsTY136nLwW3deGNYMi5SWMCHgcM7h/FL8EXLzOjMAPG885+kTjQQAEXlqPt77G
   O2QSt2QzJsBxJjKjncgc/fAM/GYzMKw7D9+Lxt/L2PUaJQO7PTUX2pP86nP0rWyf
   GBPUgroZGWS0bglrBKKiFbVBsBF+P3/+FHtmB4HSA7ossZdwZd2Xzsl0Dhkcxk2K
   c3gK/xy1lhJBnd1u3WlFFsa2rt6U+ySKKcO5SQIDAQABAoIBABI9gIZAOedZLxJY
   Cja/ON4EBbRdhLuumvOnecIc/J3JxTD2Nnt8T0gdJUJpDhjjwZZQzz7kYdzDN4j6
   Akeszb30sT2MTFob/WiCT6cAH1VrrKZ3cK6zYY2l7aPj1H8IUaUrlT73UnT/DMp6
   gMFbo+XQZ18evFc8zubc+BK7KsN4Nb6/zMhw+PXEiyg2EGDN1Fo4TMhxPD4wBIMU
   8oLlE8A6GKimxAk3gMuIiS6Ruau2HpGkjkkHkAx/yzU1s8BCMoLDJjyyH19PRISr
   n0VFfe0gM0aZpdZ/94ynFPdMnBXTq8BabT09eiycuLKlL0g/ERmj6jIImGSYRWED
   GzlzX0UCgYEA0FDUek2uLhyltXwlzhDTldyuItiYZq/MeXaq2eA96zhJlD6aX+55
   PQIxEEfhgTNf4e4cKjXQSD7aixy7jp/kFGowFRlB4pwbLDuhlniYSxa8Kv0OpJM4
   DTAGue4QFZId5Z43KH755Ub7tjrCEIdQnij44DA3gPnjqXk973pdyVcCgYEAxfUx
   /zMXgTp7HxW+QHZD7xXEs4Fp1xjzL5BaHoJnM7WbmkWvUvcMaEE/i9RqpyGlXRiN
   jX6KBZ9UVgh/B0/AcYMa3DImTa0+Uie9kN7jTi5pzvIUAdFh+RyQ4tULWr5cgrzv
   PjGG9tXMthuIbILSumVEwvC+P6Ksi1r4xp1ezl8CgYEArF51sk2clqM1qpnzXjMm
   IJbdsA+w6ycD9m1uqaGXGo8UswmqCz70KrspheM0gQfVisjPnU2x7lWz1/AKcdVz
   kEDdUFf54FxzT4J4Dl3zBg7l3FxQRXVbp+3ZYvfNb0vcWSc1VNjcRg8aMIsmES8m
   UfhtFnRPOPWMn6qmyQVjnTkCgYB/3zlinkBKq9ooZEU3Iq4TXL5pLemOloFQcjCk
   kJvVnTRcXTM5pngPSEaiLp6OQ3+sOVYG1nyV0SwLPwW/VVb8fDH3lzWC66vcKeuc
   Dz5JnFWg5mLiIbzly/wTaochIOJlWWI5jIigHc9Uu0hOv9sbqJrYSea6+Hv4sNUO
   h01chQKBgQCKLEH7vWQX8fkw+yKnmvAFoZ5H3IHUQw/WYsoCOVnWoY+vowcuuTTt
   cbW1VkrtEjJPuYeEPa5NI2kmsNUZGrKCpx/3uq2JfMVopJzJN9biFM4ulcKqf9ie
   hiVIFVVmxq+dVmXBgXCknhYK1Mnt9b3BK6mDqerQjK1TKryqAJ2QpQ==
   -----END RSA PRIVATE KEY-----

   Domain certificate for example.net:

   -----BEGIN CERTIFICATE-----
   MIIEWzCCA0OgAwIBAgIJAJajhBdO74pUMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
   MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
   QXV0aG9yaXR5MCAXDTEwMTIwNjIyNDM1M1oYDzIxMTAxMTEyMjI0MzUzWjBbMQsw
   MIID1TCCAr2gAwIBAgIJAJajhBdO74pUMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMREwDwYDVQQHDAhTYW4gSm9zZTEO
   MAwGA1UECgwFc2lwaXQxKTAnBgNVBAsMIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
   QXV0aG9yaXR5MCAXDTExMDIwNzE5MzIxOVoYDzIxMTEwMTE0MTkzMjE5WjBbMQsw
   CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
   c2UxDjAMBgNVBAoTBXNpcGl0MRQwEgYDVQQDEwtleGFtcGxlLm5ldDCCASIwDQYJ
   KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKLxMPl07wMbp/bSkuEbZEWv9qP/GBID
   pfthXzRVzFDnVFH7dpO/jMZKBH2iNT4b9wdkfsS6c1DmgU8AqJtegvtmTgOVol/r
   EJn2J8VGOWJVN/TynBbJ2niNnSvxdhFV4xRq2BCebH9ef5sDUj8cWdTAq2/rHzYj
   XQkaLXQB3Gv1IO4DwmKsh+TwZaTa8IsTPR2oUXp7+91NY6Su71j81vE5YWlyCceJ
   ABQS21h8tRlTujsdcimMahzYk0h1YW5eIQL0nu8ntuRUJbSB1ggOIBWBfiwfrC+s
   lddcoi2BmwLAjVA2jFJSX6VKPeGx/SBJzGLSchBhbYhqxLTdEZHl9hsCAwEAAaOC
   AQkwggEFMCcGA1UdEQQgMB6CC2V4YW1wbGUubmV0hg9zaXA6ZXhhbXBsZS5uZXQw
   CQYDVR0TBAIwADAdBgNVHQ4EFgQUtqDdd06cJYC0MbTmS+guXze7o8wwgaIGA1Ud
   IwSBmjCBl4AUuzeOR8daNNt62fh2tnWO0OQTF0WhdKRyMHAxCzAJBgNVBAYTAlVT
   MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE
   ChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9y
   aXR5ggkAlqOEF07vikwwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBBQUAA4IBAQBE
   fQlW/9q+ne3nOldC1mJtzLYKBqSUUiI+FCmMvcIYACx0wzLl7CyAWmh2xn2gcVRL
   7H7kFzdhRYHUzAMG88NzQ4V8RaXb3KKOv6X5yBMfaTJh4nQSkdVGZ6JkJaQpvrd3
   fvAWlT1rJc19vIymXrtYhqoYcgnm0bk1ewwBmxh7SpIRIpX6W/4dP/AWryXBphYm
   Ha3eghCol5H+g9wRtsA08CKPak/LRTupULY0embxqpZhHTyA++8Vp3W6dfegZVRx
   tBigKs6tXY7tkvkbKq4X6zBNEF9A9verJ7u/K5fwkpxHy5QqBS5cK1i1cwlHPveU
   qg7Qj2kcWHF55LrBaWFh
   KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKoWx8g1KbnGX2YEOXrbod2pbR0fpkYW
   V7O/tIWHddl+ACLlqqNPKSmIqwAFbZ2uf7S95OkXhkgRJGw3BugftUJS7zDhqVqi
   dgPLMUPrdzpFazeh/AwBjc0wNBz/6tkUXrm7y/FwwzaCoKw+8Qm4Ibn2E3bNqWlm
   iyKOXnYt4LGmy6J5e64hfQ3Vqe0ze5cfLKcpBbjF/TF75utbnH25zE0C/o1b+x1f
   dwyDjsH0NN+A1ZFrI2NdleVAuH6F2vx4ctwZUzUJXyXezFmw5SRzhtWkb0iHO0ER
   Ne7hCHLCv2Z6/GfIuHirCsGtNKSQIC6k74MyD7D75nltnLVgJ7Oxt28CAwEAAaOB
   hDCBgTAnBgNVHREEIDAeggtleGFtcGxlLm5ldIYPc2lwOmV4YW1wbGUubmV0MAkG
   A1UdEwQCMAAwHQYDVR0OBBYEFC1TKpLjuKa/dPumVbeFXEW4UR6EMB8GA1UdIwQY
   MBaAFJVFfl8r6mWYEpEE82PHaJpYFncnMAsGA1UdDwQEAwIF4DANBgkqhkiG9w0B
   AQUFAAOCAQEAJry8LukecUv4DUs5u/s6IymyqDLpeNvm94yrIIk/eRW72Jtr9rf5
   6zF0Pd/+NzDXRYPe99HQgF3EKYndKIfnRUStJzIqiba2UszypDVRTQ6W9cH9e/1q
   FdCjjeoVkRvnGo91S8DkgWM4boNRUgZtYwP+1I8hR+0717tp0f4fKjYX+NxPe30r
   WzbLYXFDEiPndEgcxHc84Eeupit7VBQm7jxtF+XbaVGiLPGKCiYqdVS08h2ZakRK
   8T3xL8Ecs4/rQn7PNPyEfS52R8hC70r66aAxZqLbKNpth/SZ3/hdeAyJ/NnFMW1J
   uq3kB5YAJSwMYAUXaQhB1BvxKzXqstzJHQ==
   -----END CERTIFICATE-----

   Private key for domain certificate for example.net:

   -----BEGIN RSA PRIVATE KEY-----
   MIIEpAIBAAKCAQEAovEw+XTvAxun9tKS4RtkRa/2o/8YEgOl+2FfNFXMUOdUUft2
   k7+MxkoEfaI1Phv3B2R+xLpzUOaBTwCom16C+2ZOA5WiX+sQmfYnxUY5YlU39PKc
   FsnaeI2dK/F2EVXjFGrYEJ5sf15/mwNSPxxZ1MCrb+sfNiNdCRotdAHca/Ug7gPC
   YqyH5PBlpNrwixM9HahRenv73U1jpK7vWPzW8TlhaXIJx4kAFBLbWHy1GVO6Ox1y
   KYxqHNiTSHVhbl4hAvSe7ye25FQltIHWCA4gFYF+LB+sL6yV11yiLYGbAsCNUDaM
   UlJfpUo94bH9IEnMYtJyEGFtiGrEtN0RkeX2GwIDAQABAoIBAQCE4NaEiHSl/zbB
   lUXMp67lGbO0V8KEZk9Eqkqefl2JmKzt0nkH0kz2I8R3xAFRbjLM54pt2nNSBThs
   eegGFFQSuoJib/Oj7ylxtQkH2tXPOBnS+sqJ1wEAENSc0mPrjTQLIXqkSt3GHQVJ
   H7NB3lfvpVPpiD/CwaIMWzm4AhCERGza2t6wpAy5gFhylKpVKooHz7kOrEYdRml1
   nS/kCzPEhUoWMQR7vbvwFuSGXM92xzmI1/5cBAVE+C10jVc/rdWaZ62DYudx/g5i
   hIZNlwhP3XipkO3BsbiECJxRTWL4QkkTOGaz36UouP9ZYO5QMSr7XiJMhSrInc4n
   ieU4E9qZAoGBANKD1ZZ70tHaQEL8cejQNfV1fId+RPOQ0aENlAarpoyoldJll3zN
   E1Hgi80Evs7Zh7hlunXmW3MpOEUgkJutv+ZpAo5blSdqQGtLiBDItPPrjYAh+HPZ
   MvbCIRyh5ABxW37JaDPPiBplDGtonj37S+ZZw3FZgdgRs/BvIsUV1rqlAoGBAMYl
   +PUEDSThCLseQeRKLRbnJV7+mUpEtipeoNWFWZYpupwgsFfQzN568SpN2nLO3rrL
   DCC88ODWH2QJp9D1+luc2NE0b9fzGlTsFRfl2dTkHwNp8LG8k2jclLbKnpqEV0KR
   M+mkEu8otmA01n51y9ok5H+JB/d1PuE8t7G2ENG/AoGBAIil9QYquE1qG56f2Z0j
   UnNT4RLenwlvrvOZKcYus/zIDgC122CyieDzHixl8Sm6QIQs3J1de21Ei3crzVKQ
   tWluLq+TuT0NlmVPcTJb5kITXBWZd3pTueY9W1sHp0W2T4r8V/yRsSpY/3fVQCrB
   raIIEHrKfCNyUlg2+93s8CbVAoGAbEIG2ObTv5hrSsBnQ7D7HY5ALrxvR9JurIty
   1/W5Un+OAwshDXl41PzakkBi32MC8Y9KGwDfoheaou9bjqE1naP+GZ7KlHOvqUIq
   7Bmaf+P6xcS1yoW7DAmn/o6JROaVPjtS343TAnN94OY9Ym49Z/vME5nsjliyeCDS
   Q/ezDMUCgYA9OJnERsdz8Eh7oFRYo5e2lGRb7PrhEXvWGtQTRGkciCZi+qoOUpnm
   NIo24QE08RksQBHUvPQva9bX19lNcoC0mhnRtqR4I7CUug9pb/jOEU9KtDJWwqem
   PYfdA6oLGdAKQrlatklXiotbPhxtW6uyXM6szyDZrlqmMz37UZ3mIw==
   MIIEowIBAAKCAQEAqhbHyDUpucZfZgQ5etuh3altHR+mRhZXs7+0hYd12X4AIuWq
   o08pKYirAAVtna5/tL3k6ReGSBEkbDcG6B+1QlLvMOGpWqJ2A8sxQ+t3OkVrN6H8
   DAGNzTA0HP/q2RReubvL8XDDNoKgrD7xCbghufYTds2paWaLIo5edi3gsabLonl7
   riF9DdWp7TN7lx8spykFuMX9MXvm61ucfbnMTQL+jVv7HV93DIOOwfQ034DVkWsj
   Y12V5UC4foXa/Hhy3BlTNQlfJd7MWbDlJHOG1aRvSIc7QRE17uEIcsK/Znr8Z8i4
   eKsKwa00pJAgLqTvgzIPsPvmeW2ctWAns7G3bwIDAQABAoIBAHIjpV+B5YVITL59
   +UCr4JyKVLGlioQf/CygafjtZTVVa6v/aRn8Rkgb8XyrJ9sXvZVBlTqiUbdM4Z9I
   8faVSKLAWsj3thkfSojTMzU77x+IdCG6LxSzekAGqAIJ7sRL+iEzl/Fm1WlgEYhl
   GIWILgHH01n3O0eCy72dwmAV+2Hazn8eBggkWxMp0fblRC9pVh0FCo+jy1lHasjL
   oOBkH51lbmZ4PUuUY072j2665gPm7i0nr25igef842JkbqAV8rAoNlQ26Y7tYLEw
   6QyLv0odeb0rHZ8IEzahWAdmIPGCIUcFM7RmyInOatGA0dVEU3uYnkUQQVOi/JTx
   46CCMbECgYEA4c1Dv/IVz9pdW1o/0MaJ94zfeg7Pgn5DRXnNMjCsSxVHSMINwlUl
   BcYozs77vWbIuXiXO2xQe9mGA2ss3+vNxB0eu6EBQ/fK16cQQQH52nXdrV1sqnkN
   5B5elFKcZKPfNVWrg0BC6csDndTcHp9STIKsxWkesLzC3Vz5UXZMsocCgYEAwNYV
   +SsCIQGLT8ZZfKyE2nHqRUFknKc/tWQJop5gnE4ws3Lql3SNyCUQr/sDYelxQDE3
   6COm197JcZ7jggDq7grigIxMznRxLMeG7bb7FfwPE/SKV0H5uagEB7ktFl8xIJKt
   yOCK1ulillQjToSs4uetHLRXKCDSEpRiSw7wRdkCgYEAkDKBXYa/nykYDUqpDi57
   1PbFkDD9G5x+YVPTUoX6wUgpabFjEANHzVQqo0dTRDTrYmY8Tdpx22WiS3SaB7WS
   hfcCtVewczM++lDZ9GnKoVQ76IaM6qC72j36sEXBUhPEa072ZK8ZDCx1dsmEeJnN
   +MZKhxcGXl9tIehJ31foyukCgYB9AUs1PwAeTVX13OrduyhUQ0xOoNmMA491Euh8
   FpciPD2t1mzkyZWvjPeIXPwQWLglmMJZJeNeRPnpQcrR165zqXKzSj/wBePn12BM
   cTXLRp6vnPKhJg+wno4eQ5hKzGKYbv1hHs5iCuDx+pD4sWExpmW+Gdn2FXCYwsAF
   UCXJ4QKBgAKSrm8Y5xQhd8RAMg9JZLGUpPnmTKNU98f3fUFnX7jZEZETasnn18vd
   65x04h58cohJJkNxqeL6k3lc3Mw0pzZrvsIha3ZMEoJPCgwBa8zLzrR13YQin6yf
   +bAmfTDmhigpORB36ODY4B1kcwxKzQ0n3XAtlrL7NRV5wHr2ejkY
   -----END RSA PRIVATE KEY-----

B.3.  Certificate Chaining with a Non-Root CA

   Following is a certificate for a non-root CA in example.net.  The
   certificate was signed by the root CA shown in Section 2.1.  As
   indicated in Sections 4.2.1.9 and 4.2.1.3 [RFC5280], "cA" is set in
   Basic Constraints, and "keyCertSign" is set in Key Usage.  This
   identifies the certificate holder as a signing authority.

   Version: 3 (0x2)
   Serial Number:
       49:02:11:01:84:01:5c
       96:a3:84:17:4e:ef:8a:52
   Signature Algorithm: sha1WithRSAEncryption
   Issuer: C=US, ST=California, L=San Jose, O=sipit,
            OU=Sipit Test Certificate Authority
   Validity
       Not Before: Dec Feb  7 01:58:47 2010 20:21:13 2011 GMT
       Not After : Nov 13 01:58:47 2110 Jan 14 20:21:13 2111 GMT
   Subject: C=US, ST=California, L=San Jose, O=sipit,
            OU=Test CA for example.net, CN=example.net
   Subject Public Key Info:

       Public Key Algorithm: rsaEncryption
       RSA Public Key: (2048 bit)
           Modulus (2048 bit):
               00:c0:a8:7e:1a:37:6a:40:3d:f6:a4:18:be:27:bd:
               c6:20:63:af:9e:42:b6:09:13:85:6d:c1:0d:17:9a:
               5b:98:5c:9a:d8:dc:55:b1:a0:b8:b5:51:0f:6c:98:
               19:86:7f:46:24:2f:54:b1:b1:c3:75:4d:13:8a:1c:
               03:83:ce:e7:3d:2b:a4:a9:8f:74:7d:9e:7e:2c:42:
               2d:a9:df:84:56:ea:78:74:81:af:74:4d:c0:95:2c:
               c4:c2:8b:55:a6:4e:7c:d6:f2:54:7c:10:c5:b1:ae:
               88:82:38:53:97:1e:16:1a:85:db:da:9c:d5:31:7c:
               df:b7:22:df:5f:2a:df:78:36:b3:98:0a:b7:d9:2a:
               5f:9c:39:0e:95:23:98:cc:4d:f5:d0:63:39:83:04:
               40:96:1c:3c:73:8e:78:59:09:bf:e9:45:7a:f5:76:
               48:3c:86:c0:94:3b:1c:d8:d7:d1:40:7c:d2:cf:47:
               c8:e4:ea:f9:d4:36:a8:1d:77:e1:25:9c:69:5d:a8:
               cf:09:1a:04:78:71:95:97:99:7f:1b:51:3c:0a:25:
               2e:d3:a3:20:d4:72:b9:55:80:10:a6:3e:56:2e:82:
               5c:b2:77:c8:0d:40:4f:e3:65:f5:97:7a:8e:12:e9:
               8a:31:42:00:5a:99:46:5e:a2:7d:b4:e2:24:d6:a7:
               5e:b9
               00:d4:46:65:51:f8:84:1c:b5:93:47:a5:15:14:06:
               ec:dc:2a:77:93:11:5e:75:14:d2:88:54:bd:16:50:
               dd:41:3f:7e:2a:e4:26:d5:a3:33:b0:5e:37:1d:e5:
               96:37:1c:1c:69:80:a4:ef:fd:22:78:d7:ce:d3:c3:
               de:96:fb:87:30:88:bc:06:14:80:5d:f3:ab:d7:64:
               3e:07:31:dc:97:c5:d6:19:26:bc:7d:0b:f8:de:5e:
               f9:0f:dc:9a:45:0f:28:8d:dd:fa:15:56:d5:35:17:
               28:80:d2:fc:1f:d6:95:95:42:0e:2c:47:38:53:ad:
               fd:0e:24:fd:a3:43:33:83:52:65:54:da:48:d8:dc:
               86:42:d5:26:ac:1d:52:54:08:52:e5:3f:4a:76:95:
               77:8d:c6:f2:33:f0:18:87:c8:fc:5b:54:5d:dd:65:
               f1:5c:f5:c8:f4:36:54:8a:b6:7b:6f:f8:55:f8:d8:
               d8:df:a9:7b:40:45:4c:92:0f:aa:b2:2c:a1:a8:64:
               d5:99:22:1e:28:78:a0:d8:e5:51:64:3f:03:14:a9:
               12:47:61:84:d6:b0:69:1a:6b:a3:6e:d8:ca:ce:43:
               50:ad:57:96:2b:87:15:d9:c2:11:03:b0:82:d4:f0:
               80:bf:dd:44:f4:f6:39:0a:2b:e3:4d:d3:f5:e7:aa:
               34:e5
           Exponent: 65537 (0x10001)
   X509v3 extensions:
       X509v3 Basic Constraints:
           CA:TRUE
       X509v3 Subject Key Identifier:
           8F:65:F4:D6:05:98:B2:0F:34:5F:48:89:CC:81:DE:A5:C1:E8:A4:B2
           72:70:CF:66:1E:23:A5:38:FC:6F:40:8F:86:8A:AF:E0:B9:6F:E9:C3
       X509v3 Authority Key Identifier:
           BB:37:8E:47:C7:5A:34:DB:7A:D9:F8:76:B6:75:8E:D0:E4:13:17:45
           95:45:7E:5F:2B:EA:65:98:12:91:04:F3:63:C7:68:9A:58:16:77:27

       X509v3 Key Usage:
           Certificate Sign
       Signature Algorithm: sha1WithRSAEncryption
   c1:80:06:29:01:35:68:dc:67:ab:1c:c5:de:ad:d5:24:29:24:
   12:4b:5f:67:51:a4:85:e0:70:92:d7:4b:5b:2c:17:5e:42:a1:
   56:b6:89:a5:92:64:d4:30:0a:df:24:8a:88:06:ee:5c:4e:51:
   3a:a1:7c:70:f4:4b:ff:18:3b:8f:6d:a8:6a:ec:84:73:b5:4c:
   ef:6f:a3:f3:ac:63:46:aa:72:0c:cb:4c:ac:99:5c:ca:0f:ba:
   73:c3:1f:57:e9:05:a8:57:3b:5f:dd:66:2a:a7:a8:9b:e5:99:
   3f:6a:2e:48:5a:86:38:bd:5a:5d:2d:12:d1:43:6a:7a:34:d5:
   9b:3e:64:d8:2f:40:0e:67:2f:34:ee:83:9a:f1:e4:99:84:66:
   4d:3d:6e:99:6b:74:0b:13:28:75:7b:ee:55:e8:48:15:9e:fe:
   e6:bb:de:48:f7:53:59:37:85:52:a0:72:80:35:0d:24:14:ae:
   9b:87:32:da:25:16:7f:01:84:aa:c9:0b:2d:ec:21:c1:51:35:
   37:80:e8:ae:eb:0c:e7:c2:7e:5d:a4:61:eb:b1:19:d0:4a:2b:
   2b:42:3a:95:7c:5a:49:a8:7b:27:f3:af:b6:15:94:f4:8b:a6:
   11:80:80:2f:ff:9d:9a:cd:c4:de:20:48:c0:f9:f3:0e:e4:8f:
   07:a2:13:17
   70:73:c0:65:9c:2f:09:39:39:d6:a4:5b:95:e7:7b:43:34:b5:
   b9:b2:5d:76:eb:ef:87:e0:25:b6:68:ab:ee:f8:f7:85:c4:21:
   47:bb:6c:68:62:ff:f8:84:1e:44:5a:30:4e:ce:97:91:cc:3d:
   43:4a:8b:b7:25:26:08:63:c6:71:4a:c1:94:35:81:66:de:23:
   9d:e3:37:de:31:80:ed:58:b7:07:a7:ea:87:d3:cc:da:1b:62:
   c9:82:c2:17:e6:2d:20:e4:b2:69:14:cb:05:43:34:6f:b5:2c:
   60:d8:44:43:f9:e6:e9:3d:7c:54:a2:b9:d9:1e:7d:67:bb:3f:
   32:31:0d:c1:88:78:a8:67:39:f5:d2:3e:08:f7:38:84:a6:8f:
   c2:3e:00:ce:5f:b4:c8:da:a1:b5:2f:c2:89:60:a4:3a:2b:be:
   98:e0:44:34:af:ec:7f:73:26:f1:94:5b:39:09:b9:9f:93:c2:
   9d:7a:96:2f:82:66:c8:4d:f6:db:87:00:8e:bc:2a:b9:51:73:
   6c:cc:ff:e5:31:25:b1:4a:d0:9a:a9:c3:65:35:21:89:76:3d:
   39:f8:84:42:a6:03:0e:b5:c9:2f:5d:18:bc:9d:b9:82:f6:83:
   dd:2b:29:6c:8d:2c:8c:47:d4:7d:be:de:32:13:85:92:32:bc:
   61:62:6b:e5
   Robert's certificate was signed by the non-root CA in example.net:

   Version: 3 (0x2)
   Serial Number:
    49:02:11:01:84:01:5d
       96:a3:84:17:4e:ef:8a:53
   Signature Algorithm: sha1WithRSAEncryption
   Issuer: C=US, ST=California, L=San Jose, O=sipit,
            OU=Test CA for example.net,
            CN=example.net
   Validity
       Not Before: Dec Feb  7 01:58:48 2010 20:21:13 2011 GMT
       Not After : Nov 13 01:58:48 2110 Jan 14 20:21:13 2111 GMT
   Subject: C=US, ST=California, L=San Jose, O=sipit, CN=robert@example.net CN=robert
   Subject Public Key Info:
       Public Key Algorithm: rsaEncryption
       RSA Public Key: (2048 bit)
           Modulus (2048 bit):
            00:c9:74:33:f2:e2:2e:ba:0d:0f:c9:08:17:56:9b:
            50:c2:9f:e9:68:af:bf:be:13:f4:d7:68:ef:67:d5:
            77:53:d9:f8:64:92:08:6b:64:4e:a0:ea:ff:16:56:
            96:dd:e1:94:9d:75:a9:35:e9:82:27:90:42:80:1f:
            75:27:90:c2:6f:45:3d:3d:59:da:2f:12:16:ef:e5:
            1f:e3:7f:f8:20:ea:2b:1b:5a:08:fd:53:a1:ed:29:
            8a:13:fe:27:77:14:d6:14:f9:8e:e3:e3:da:49:b0:
            e6:f1:84:d3:b0:82:58:79:9d:8d:a5:44:52:19:92:
            de:da:1d:a9:cd:d6:39:01:29:02:d9:51:31:d5:c1:
            d2:90:dc:58:11:c3:fb:da:21:fb:8a:71:18:a6:86:
            7a:7d:21:29:83:bc:47:89:e3:7e:0c:a9:f0:dc:4d:
            52:fd:6b:97:69:ec:72:1c:f7:db:8f:42:c8:54:17:
            6e:12:09:e2:96:cd:c7:e6:43:7d:65:50:7d:06:17:
            4e:cf:60:81:54:2d:07:b5:1f:71:ae:7a:ee:55:2f:
            c9:e6:e4:62:eb:89:a5:15:ee:62:31:ad:c8:c0:48:
            d6:de:04:81:88:72:ae:60:7d:6d:a4:95:00:aa:17:
            3f:cc:e0:ff:c2:59:8c:2c:40:1b:8b:3d:1e:e2:39:
            2a:97
               00:d3:dc:14:69:6b:71:09:2c:0b:0f:9d:95:08:c1:
               64:20:66:ef:9f:9c:30:06:30:39:eb:14:16:da:19:
               cc:41:4d:b1:cf:f8:53:5b:a5:0d:76:ec:97:ba:16:
               10:9f:ed:57:b5:fb:6d:4b:9f:8f:d0:9f:0e:15:a7:
               3e:88:c4:e4:ef:35:d1:63:91:20:68:18:f4:8e:3b:
               b4:0f:03:3e:a0:00:d6:c3:26:e7:57:8e:21:92:a3:
               7a:2d:21:44:48:db:01:b9:54:e8:dc:d6:e3:d1:b3:
               f2:4b:26:0f:3f:d4:99:63:e4:7e:14:0a:b2:73:1c:
               5f:3b:41:36:e9:9a:70:be:f7:4f:08:6b:4a:db:44:
               02:e8:bb:50:66:2c:98:94:45:9e:7e:01:0e:9d:c3:
               a9:03:b7:28:15:28:c3:cd:a2:ad:ab:07:f6:ff:69:
               f4:ec:ba:7f:4b:bd:9b:28:8c:0d:87:e2:66:d1:24:
               34:e5:77:be:89:f1:c9:76:4c:37:34:3a:bc:d9:9c:
               36:f5:28:60:01:29:5c:f4:1e:7a:15:19:34:81:1c:
               cf:1a:06:5c:0f:f9:81:67:dc:50:09:e2:a8:d7:9d:
               9f:35:6e:ff:a6:a8:80:74:6c:f8:a1:0a:f3:bb:2b:
               b6:51:8c:21:bc:06:72:59:d0:95:42:d3:02:2c:ce:
               f9:23
           Exponent: 65537 (0x10001)
   X509v3 extensions:
       X509v3 Subject Alternative Name:
           URI:sip:robert@example.net, URI:im:robert@example.net,
              URI:pres:robert@example.net
       X509v3 Basic Constraints:
           CA:FALSE
       X509v3 Subject Key Identifier:
        1F:9D:AA:DA:A2:0C:D2:DF:D8:A0:5C:CF:CD:CA:E4:2F:31:0C:4F:D3
           A6:42:BD:62:0D:6B:BF:EE:67:D4:C7:BC:09:3F:0B:3A:12:AB:19:CE
       X509v3 Authority Key Identifier:
        8F:65:F4:D6:05:98:B2:0F:34:5F:48:89:CC:81:DE:A5:C1:E8:A4:B2
           72:70:CF:66:1E:23:A5:38:FC:6F:40:8F:86:8A:AF:E0:B9:6F:E9:C3

       X509v3 Key Usage:

           Digital Signature, Non Repudiation, Key Encipherment
       X509v3 Extended Key Usage:
           E-mail Protection, 1.3.6.1.5.5.7.3.20
       Signature Algorithm: sha1WithRSAEncryption
46:f4:fa:a0:78:ea:66:da:87:3f:b7:c5:f4:4d:38:5a:fc:05:
78:6f:6a:0b:81:b1:09:b5:79:9e:a1:05:d1:2b:b0:4b:9b:f4:
ff:b9:1a:c3:15:e5:8b:83:8d:00:59:b1:bc:a4:1a:3f:e1:6c:
3b:78:66:aa:b8:73:60:4d:a6:6b:22:4c:26:19:a9:71:fc:c0:
04:0b:d2:42:02:12:ed:3f:29:74:4e:88:e6:46:e0:c0:46:61:
27:e9:66:a3:e5:e6:e4:55:0e:03:4c:9a:55:f9:49:f6:ae:0f:
8d:91:1e:fc:e4:5d:8d:51:8f:c8:07:7a:ec:04:38:8f:53:14:
3d:71:ff:0c:b6:9e:c1:a4:3a:7f:2f:d3:84:e0:6a:f1:82:21:
23:20:10:e7:90:94:4a:47:b3:5a:a0:9e:66:9a:97:3b:73:8f:
18:43:37:8c:c2:73:cb:a4:be:86:d6:77:0c:51:65:03:41:cb:
03:98:f0:2b:2f:5d:eb:64:e4:52:37:ec:5f:ff:a9:16:bf:d7:
a3:43:ca:ac:86:ce:56:7e:35:f0:9f:f4:f4:77:78:ce:04:15:
7b:b8:95:0c:04:52:f5:9c:98:20:9d:18:04:95:f2:15:e5:f6:
31:6e:b9:1b:64:a9:c4:ac:3b:e9:f2:a7:24:1b:4e:30:fc:67:
cc:97:65:5d
   25:99:ea:1a:1e:96:6d:4e:b1:9c:5a:43:77:ea:3a:a7:a1:b7:
   22:db:b9:d4:9a:1e:17:f7:13:2e:b2:ca:80:dd:c9:a5:db:61:
   41:c6:8b:65:ae:0e:fc:9a:46:77:16:e0:e2:3d:1d:20:3c:e5:
   d5:e0:b8:03:41:4f:e7:69:bf:e0:4c:dd:cc:c4:51:b1:da:2f:
   ad:58:e1:ed:c6:5b:04:ea:1e:af:9a:89:cd:be:60:3c:9a:30:
   51:7f:99:5a:6b:5c:8f:5a:d4:b8:ce:b5:8b:31:74:70:b3:cc:
   5c:04:90:d8:8d:b6:75:55:fb:c1:d8:e8:db:cf:3d:80:e4:8d:
   2f:7e:b9:2b:a2:9e:9f:1e:6f:d0:4e:6e:f7:f0:a6:61:3b:9e:
   9b:4b:78:6b:84:37:ad:93:19:0d:7f:46:5a:18:74:89:8b:a8:
   1a:75:bf:db:df:25:43:4b:57:ab:a1:19:2e:7c:7b:b9:b5:50:
   ef:2c:1f:5c:18:8f:6c:66:83:61:eb:25:a3:21:81:2c:61:3b:
   ee:8c:18:1a:89:9a:29:0d:5c:5b:38:f3:71:3d:61:f0:3f:80:
   33:90:f2:60:53:48:fb:7a:65:c9:5f:1f:a3:e8:75:42:42:f5:
   ad:db:60:29:c6:0f:3c:68:00:7a:2b:38:db:c7:17:b9:4e:d8:
   90:d8:52:bc

   Certificate for CA for example.net in PEM format:

   -----BEGIN CERTIFICATE-----
   MIIDzTCCArWgAwIBAgIHSQIRAYQBXDANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQG
   EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAM
   BgNVBAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1
   dGhvcml0eTAgFw0xMDEyMDcwMTU4NDdaGA8yMTEwMTExMzAxNTg0N1owfTELMAkG
   A1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3Nl
   MQ4wDAYDVQQKEwVzaXBpdDEgMB4GA1UECxMXVGVzdCBDQSBmb3IgZXhhbXBsZS5u
   ZXQxFDASBgNVBAMTC2V4YW1wbGUubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
   MIIBCgKCAQEAwKh+GjdqQD32pBi+J73GIGOvnkK2CROFbcENF5pbmFya2NxVsaC4
   tVEPbJgZhn9GJC9UsbHDdU0TihwDg87nPSukqY90fZ5+LEItqd+EVup4dIGvdE3A
   lSzEwotVpk581vJUfBDFsa6IgjhTlx4WGoXb2pzVMXzftyLfXyrfeDazmAq32Spf
   nDkOlSOYzE310GM5gwRAlhw8c454WQm/6UV69XZIPIbAlDsc2NfRQHzSz0fI5Or5
   1DaoHXfhJZxpXajPCRoEeHGVl5l/G1E8CiUu06Mg1HK5VYAQpj5WLoJcsnfIDUBP
   42X1l3qOEumKMUIAWplGXqJ9tOIk1qdeuQIDAQABo10wWzAMBgNVHRMEBTADAQH/
   MB0GA1UdDgQWBBSPZfTWBZiyDzRfSInMgd6lweiksjAfBgNVHSMEGDAWgBS7N45H
   x1o023rZ+Ha2dY7Q5BMXRTALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEFBQADggEB
   AMGABikBNWjcZ6scxd6t1SQpJBJLX2dRpIXgcJLXS1ssF15CoVa2iaWSZNQwCt8k
   iogG7lxOUTqhfHD0S/8YO49tqGrshHO1TO9vo/OsY0aqcgzLTKyZXMoPunPDH1fp
   BahXO1/dZiqnqJvlmT9qLkhahji9Wl0tEtFDano01Zs+ZNgvQA5nLzTug5rx5JmE
   Zk09bplrdAsTKHV77lXoSBWe/ua73kj3U1k3hVKgcoA1DSQUrpuHMtolFn8BhKrJ
   Cy3sIcFRNTeA6K7rDOfCfl2kYeuxGdBKKytCOpV8Wkmoeyfzr7YVlPSLphGAgC//
   nZrNxN4gSMD58w7kjweiExc=
   MIIDzzCCAregAwIBAgIJAJajhBdO74pSMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMREwDwYDVQQHDAhTYW4gSm9zZTEO
   MAwGA1UECgwFc2lwaXQxKTAnBgNVBAsMIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
   QXV0aG9yaXR5MCAXDTExMDIwNzIwMjExM1oYDzIxMTEwMTE0MjAyMTEzWjB9MQsw
   CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
   c2UxDjAMBgNVBAoTBXNpcGl0MSAwHgYDVQQLExdUZXN0IENBIGZvciBleGFtcGxl
   Lm5ldDEUMBIGA1UEAxMLZXhhbXBsZS5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
   DwAwggEKAoIBAQDURmVR+IQctZNHpRUUBuzcKneTEV51FNKIVL0WUN1BP34q5CbV
   ozOwXjcd5ZY3HBxpgKTv/SJ4187Tw96W+4cwiLwGFIBd86vXZD4HMdyXxdYZJrx9
   C/jeXvkP3JpFDyiN3foVVtU1FyiA0vwf1pWVQg4sRzhTrf0OJP2jQzODUmVU2kjY
   3IZC1SasHVJUCFLlP0p2lXeNxvIz8BiHyPxbVF3dZfFc9cj0NlSKtntv+FX42Njf
   qXtARUySD6qyLKGoZNWZIh4oeKDY5VFkPwMUqRJHYYTWsGkaa6Nu2MrOQ1CtV5Yr
   hxXZwhEDsILU8IC/3UT09jkKK+NN0/XnqjTlAgMBAAGjXTBbMAwGA1UdEwQFMAMB
   Af8wHQYDVR0OBBYEFHJwz2YeI6U4/G9Aj4aKr+C5b+nDMB8GA1UdIwQYMBaAFJVF
   fl8r6mWYEpEE82PHaJpYFncnMAsGA1UdDwQEAwICBDANBgkqhkiG9w0BAQUFAAOC
   AQEAcHPAZZwvCTk51qRbled7QzS1ubJdduvvh+Altmir7vj3hcQhR7tsaGL/+IQe
   RFowTs6Xkcw9Q0qLtyUmCGPGcUrBlDWBZt4jneM33jGA7Vi3B6fqh9PM2htiyYLC
   F+YtIOSyaRTLBUM0b7UsYNhEQ/nm6T18VKK52R59Z7s/MjENwYh4qGc59dI+CPc4
   hKaPwj4Azl+0yNqhtS/CiWCkOiu+mOBENK/sf3Mm8ZRbOQm5n5PCnXqWL4JmyE32
   24cAjrwquVFzbMz/5TElsUrQmqnDZTUhiXY9OfiEQqYDDrXJL10YvJ25gvaD3Ssp
   bI0sjEfUfb7eMhOFkjK8YWJr5Q==
   -----END CERTIFICATE-----

   Private key for CA for example.net:

   -----BEGIN RSA PRIVATE KEY-----
   MIIEowIBAAKCAQEAwKh+GjdqQD32pBi+J73GIGOvnkK2CROFbcENF5pbmFya2NxV
   saC4tVEPbJgZhn9GJC9UsbHDdU0TihwDg87nPSukqY90fZ5+LEItqd+EVup4dIGv
   dE3AlSzEwotVpk581vJUfBDFsa6IgjhTlx4WGoXb2pzVMXzftyLfXyrfeDazmAq3
   2SpfnDkOlSOYzE310GM5gwRAlhw8c454WQm/6UV69XZIPIbAlDsc2NfRQHzSz0fI
   5Or51DaoHXfhJZxpXajPCRoEeHGVl5l/G1E8CiUu06Mg1HK5VYAQpj5WLoJcsnfI
   DUBP42X1l3qOEumKMUIAWplGXqJ9tOIk1qdeuQIDAQABAoIBAFuG8LnFv92bUnRt
   KNG6j8jNcx5ttQuk0Yvt3ilrdL5yqEIEk1Wa9IV3aCuAKwhBqPIB5muw9xngLzs6
   ydSx1Bu0gzrm40HWrTybiBQfE0EzjVxUTCWl1qtIJIYEKgGjYh2/7LEwSqt6LnIn
   DldJvNiG5Yb7YTFskN/xWktdE+OIzJ3emJW9JwAMHbT4HZkhMg4YAqMa0xi48/s4
   eq/oBRs6Ukn1YSi9Mae9f3ZQ4wGnWbpDbBVE/ViLKrd6jCWEK+D8LMxWoHBbfF4F
   cmG52ByEjYYaNhpYbjV3ScjFOfs1OcGB/AWIpmxXhys+P7aaeTyRJeIRGMRzBXE3
   yu91Kp0CgYEA/BLVqM4nhjsZgjQRBHrLViQXYldzro3L+oI9nFe6vxjZhqZeNfHc
   lYD7KkdknCf8wknpmMuC+zsQdfiCytwSOFa0Pm/5MaPmL8UzgtCfg6tQovKxtBUm
   a12+tpRgK1zvKivz9Vhbaa0QANW6ZEwORk00dIY09E+3MAsrFpP0IOsCgYEAw6i7
   4Blxf4qWTfBMK+9QQsinfwjrqcYbg6Uwvne0C+EXyXwyIpIc/SVtjgLwYWJyxBkn
   T0fUGICPeLXwMqloohtJ3UQ4wI1jxMsCEtPbJ0s/YtYEkp9kLWzJbI2OICi2eJ06
   GROgHtSuL1eheEi7106vKMIGBVT3X+GqZGUVtesCgYEAmkY0ueGiUwbsr8GKAMHe
   nNPt8+QuCtEB3EnFx1/yDW76AuzjkAR8yotsLQ4Qx3m5undeHoO/oF8fzfPQqLNT
   +2MlYWlKjFURVn9M7W0dk4pQCcqbc+nV37Q6OqhIy4FPZvILl0cCe4TN3JTyRNw/
   iEtMJVzWIAiBx0eukVzv9w0CgYBu8wDOfD8TDthai9f11ffSVww8CifwlslFZmf0
   qdZsIhEmDQo09lv/5LhyHhKHdpcTwhu7ZkTMPCKfVbRGVjBiNE03bpcsAUFA98lO
   Odp9NrtT5X6kUkQxSg4SQ1cDv3JxhN7MF4fl076OVAfZOI1j81d6KkPVxC+erE2+
   LmAYTwKBgAZtrPmLR6jW1PsNDrRW4krw2oXZoM6sBehL0ZUwsKUkbn+ksvWgDAP1
   NjxUvJ77VlCkUG5ftfl4RD+Ttd6bC8zLEqZBCV9owyCerQ5dwfU+4mAdRaY7nsry
   Jx+kwbiQpcFImLnrXtO/J47UzivrAc52M5u5wAw009j0YngCPT5R
   MIIEpAIBAAKCAQEA1EZlUfiEHLWTR6UVFAbs3Cp3kxFedRTSiFS9FlDdQT9+KuQm
   1aMzsF43HeWWNxwcaYCk7/0ieNfO08PelvuHMIi8BhSAXfOr12Q+BzHcl8XWGSa8
   fQv43l75D9yaRQ8ojd36FVbVNRcogNL8H9aVlUIOLEc4U639DiT9o0Mzg1JlVNpI
   2NyGQtUmrB1SVAhS5T9KdpV3jcbyM/AYh8j8W1Rd3WXxXPXI9DZUirZ7b/hV+NjY
   36l7QEVMkg+qsiyhqGTVmSIeKHig2OVRZD8DFKkSR2GE1rBpGmujbtjKzkNQrVeW
   K4cV2cIRA7CC1PCAv91E9PY5CivjTdP156o05QIDAQABAoIBADp/7/pIH7h9vcn3
   z7hGNE50kaGBHuPrSh3yJG4a+O67XbzaRW2I3XzUaiIeHGixoY7duha9Txu4dbJc
   f2JijR4uAIs4aSv7NDdW09VNw3o8NkWWLEnV288Eo2Tgqc8wXz/BleL9nCJWcH4Y
   Jw1rKKwKmTdQpVBCWcPlI9UzduXQdZfBbrsL6+OZ+F3kbvUwYAVhhUuBS9sf4Xib
   5GA2CDLPm433giOS3yr9KigpcLvbhAhMiPTXJ6i65m9xGGCcjhxP/drOH0cNczRD
   yW0FCbaNRJUg9kEVu+n3uG1aVfOnU7RqcblFXgO7ea7G+mfp3Cfm744kvFEXz04k
   8WLW6gECgYEA9lK9mKhMUeB1+xPJB4Za5QvrFc7nLt8ee7/aTNcyMI0l3uXyPDPj
   TNEfgaRobptmwd2HVtXjlQ54fE+pE+qS8dOORh2VFoWi91zI4C8WnM/6j5P+QiXY
   tcZDPF22bmsSW7uaQyaOhUfIMhzox1BbUH5q5YrcA5DmmQtaxcIZ+IECgYEA3J07
   6DamIgy0eJO2GKHU/Hy8RvQZgauzCtmqmLQrWZeOmx9hORe1a71QU5F6Y3HQRcTD
   RDDdJua9Y8BJ0WTkasbRgxjmHQlf4pUdT6ycfWgISbcCNFTosgPH+/OZPEh4DKlO
   rbldUzHPuZdo2Q72KtSPMk+ikny2lCZ9cm2mKmUCgYEAsGoX4fJ/HpDMzrKf4qTG
   Co8bojXZ+wbPVT/Vf/0LtBwTCG3VrGpZG5YWo4n1RWpFEQmwuW9cnE+N2TJQXLQ+
   47Vpiyv6r/OsAM9SCsWOw2ZtBFGw4v0qFR3W37AaTUCgGFTnKbq+jhQX/FQaH02c
   6KxxsM5fvqoTjX7FVycp5IECgYA4Tq1WpHQcpq99Qv4sJUnuM4v+dBj6fq9Q6qNf
   HEUgNc2BDC5NWx7D4+rXmX7qWMc2t3S7N9mKL0RRbGeq2RxvoFUjJ7y71oOxmiuE
   BWNfoqjS37HhV3aY0Nw/EzqeJ0T0vlXFg1Utgb4p+VoaZHYyElSGG8s7pjcXcwd7
   qD7L/QKBgQCeDLKx5T1d/EqwW8KNK5qD/5lG/T0zu3MCDlzCjfs2BHMasv5RALd+
   unMMANDElPHOFs7fSmCfspN8Y7+W15/k9WugpwQfST2Y8dSRVdPFp1FRt8u25yX2
   mdRbU3vJSiAqPEEpKpBolXPxLOeLGvoTHFWSazgmCPIKKxq0wL+0+w==
   -----END RSA PRIVATE KEY-----

   Robert's certificate:

   -----BEGIN CERTIFICATE-----
   MIIEMDCCAxigAwIBAgIHSQIRAYQBXTANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQG
   EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAM
   BgNVBAoTBXNpcGl0MSAwHgYDVQQLExdUZXN0IENBIGZvciBleGFtcGxlLm5ldDEU
   MBIGA1UEAxMLZXhhbXBsZS5uZXQwIBcNMTAxMjA3MDE1ODQ4WhgPMjExMDExMTMw
   MTU4NDhaMGIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYD
   VQQHEwhTYW4gSm9zZTEOMAwGA1UEChMFc2lwaXQxGzAZBgNVBAMUEnJvYmVydEBl
   eGFtcGxlLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMl0M/Li
   LroND8kIF1abUMKf6Wivv74T9Ndo72fVd1PZ+GSSCGtkTqDq/xZWlt3hlJ11qTXp
   gieQQoAfdSeQwm9FPT1Z2i8SFu/lH+N/+CDqKxtaCP1Toe0pihP+J3cU1hT5juPj
   2kmw5vGE07CCWHmdjaVEUhmS3todqc3WOQEpAtlRMdXB0pDcWBHD+9oh+4pxGKaG
   en0hKYO8R4njfgyp8NxNUv1rl2nschz3249CyFQXbhIJ4pbNx+ZDfWVQfQYXTs9g
   gVQtB7Ufca567lUvyebkYuuJpRXuYjGtyMBI1t4EgYhyrmB9baSVAKoXP8zg/8JZ
   jCxAG4s9HuI5KpcCAwEAAaOBzTCByjBRBgNVHREESjBIhhZzaXA6cm9iZXJ0QGV4
   YW1wbGUubmV0hhVpbTpyb2JlcnRAZXhhbXBsZS5uZXSGF3ByZXM6cm9iZXJ0QGV4
   YW1wbGUubmV0MAkGA1UdEwQCMAAwHQYDVR0OBBYEFB+dqtqiDNLf2KBcz83K5C8x
   DE/TMB8GA1UdIwQYMBaAFI9l9NYFmLIPNF9IicyB3qXB6KSyMAsGA1UdDwQEAwIF
   4DAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAxQwDQYJKoZIhvcNAQEFBQAD
   ggEBAEb0+qB46mbahz+3xfRNOFr8BXhvaguBsQm1eZ6hBdErsEub9P+5GsMV5YuD
   jQBZsbykGj/hbDt4Zqq4c2BNpmsiTCYZqXH8wAQL0kICEu0/KXROiOZG4MBGYSfp
   ZqPl5uRVDgNMmlX5SfauD42RHvzkXY1Rj8gHeuwEOI9TFD1x/wy2nsGkOn8v04Tg
   avGCISMgEOeQlEpHs1qgnmaalztzjxhDN4zCc8ukvobWdwxRZQNBywOY8CsvXetk
   5FI37F//qRa/16NDyqyGzlZ+NfCf9PR3eM4EFXu4lQwEUvWcmCCdGASV8hXl9jFu
   uRtkqcSsO+nypyQbTjD8Z8yXZV0=
   MIIEJjCCAw6gAwIBAgIJAJajhBdO74pTMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
   MAwGA1UEChMFc2lwaXQxIDAeBgNVBAsTF1Rlc3QgQ0EgZm9yIGV4YW1wbGUubmV0
   MRQwEgYDVQQDEwtleGFtcGxlLm5ldDAgFw0xMTAyMDcyMDIxMTNaGA8yMTExMDEx
   NDIwMjExM1owVjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAP
   BgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEPMA0GA1UEAxMGcm9iZXJ0
   MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA09wUaWtxCSwLD52VCMFk
   IGbvn5wwBjA56xQW2hnMQU2xz/hTW6UNduyXuhYQn+1XtfttS5+P0J8OFac+iMTk
   7zXRY5EgaBj0jju0DwM+oADWwybnV44hkqN6LSFESNsBuVTo3Nbj0bPySyYPP9SZ
   Y+R+FAqycxxfO0E26ZpwvvdPCGtK20QC6LtQZiyYlEWefgEOncOpA7coFSjDzaKt
   qwf2/2n07Lp/S72bKIwNh+Jm0SQ05Xe+ifHJdkw3NDq82Zw29ShgASlc9B56FRk0
   gRzPGgZcD/mBZ9xQCeKo152fNW7/pqiAdGz4oQrzuyu2UYwhvAZyWdCVQtMCLM75
   IwIDAQABo4HNMIHKMFEGA1UdEQRKMEiGFnNpcDpyb2JlcnRAZXhhbXBsZS5uZXSG
   FWltOnJvYmVydEBleGFtcGxlLm5ldIYXcHJlczpyb2JlcnRAZXhhbXBsZS5uZXQw
   CQYDVR0TBAIwADAdBgNVHQ4EFgQUpkK9Yg1rv+5n1Me8CT8LOhKrGc4wHwYDVR0j
   BBgwFoAUcnDPZh4jpTj8b0CPhoqv4Llv6cMwCwYDVR0PBAQDAgXgMB0GA1UdJQQW
   MBQGCCsGAQUFBwMEBggrBgEFBQcDFDANBgkqhkiG9w0BAQUFAAOCAQEAJZnqGh6W
   bU6xnFpDd+o6p6G3Itu51JoeF/cTLrLKgN3JpdthQcaLZa4O/JpGdxbg4j0dIDzl
   1eC4A0FP52m/4EzdzMRRsdovrVjh7cZbBOoer5qJzb5gPJowUX+ZWmtcj1rUuM61
   izF0cLPMXASQ2I22dVX7wdjo2889gOSNL365K6Kenx5v0E5u9/CmYTuem0t4a4Q3
   rZMZDX9GWhh0iYuoGnW/298lQ0tXq6EZLnx7ubVQ7ywfXBiPbGaDYesloyGBLGE7
   7owYGomaKQ1cWzjzcT1h8D+AM5DyYFNI+3plyV8fo+h1QkL1rdtgKcYPPGgAeis4
   28cXuU7YkNhSvA==
   -----END CERTIFICATE-----

   Robert's private key:

   -----BEGIN RSA PRIVATE KEY-----
   MIIEpAIBAAKCAQEAyXQz8uIuug0PyQgXVptQwp/paK+/vhP012jvZ9V3U9n4ZJII
   a2ROoOr/FlaW3eGUnXWpNemCJ5BCgB91J5DCb0U9PVnaLxIW7+Uf43/4IOorG1oI
   /VOh7SmKE/4ndxTWFPmO4+PaSbDm8YTTsIJYeZ2NpURSGZLe2h2pzdY5ASkC2VEx
   1cHSkNxYEcP72iH7inEYpoZ6fSEpg7xHieN+DKnw3E1S/WuXaexyHPfbj0LIVBdu
   Egnils3H5kN9ZVB9BhdOz2CBVC0HtR9xrnruVS/J5uRi64mlFe5iMa3IwEjW3gSB
   iHKuYH1tpJUAqhc/zOD/wlmMLEAbiz0e4jkqlwIDAQABAoIBACcWcO3zjPV0i1eK
   Rlz7jdP1iyhQ0XdkD+Gr7qfK93hBlryMyS1tLQR0FEKVUniCyH800TwwrpxWlVCe
   yfB/WfqVCKjawkbXz7OEVYei0NYyGWMZOR1OGOEXaj8u1SF53X/8XAlDsJsTw/ug
   tiJNaDVQqKckdnmX0b2oe8YAhtb+cdpAQeILHzn5Zbi/6pE1dSFRYA7krVK3Llv8
   oLUJtlHJIXXdyajsBFxpT+i34PonkUDM8Gv51Or95L3z2nrBKG6IK/QvAdDnbcnK
   s2IPmxaE4Dmql3+NbqOYkyaYpaPl5jot0fYuzE8WiUbnLklsPiZhnpUqOm9UOMof
   RWDa76ECgYEA75U44AL7amX/yuUAugXp642I8UI05MzWE1r+uc49MqsPikr1emr2
   MWq+2jejUl7hA8B1UwaND6YQxJ7IsN/Gw9e1uo/hUM0BXAmj8wvLfC7U2F2RoelV
   xCxtJm8ltWv1mT7wzphYbddE3MF/WEYGMeQBPp8ZGsi5YthqCFBW2t0CgYEA10Ie
   rb2TaCU2RCw/H6mJ1RDT1T9XYN/LggDmNOBnAxOpor4h0ifiuvIZSzEcnXD0bBGJ
   HgGJh4yVuGQOKEWGcCXp3R6ARtYQPJi1nNF+I6wdH3eM3z5/7xB/FZsoPesA0Tp+
   9cbGsaP6yxSFFdEhu3npE4r0wRSiqZevbJJcYgMCgYEAkeYHmrN2M9clrINErAQJ
   7b5lVLaCy4rKG0Ngt/oWXpK5hfgcAY69ml5tFyqmtPS+hrBfQk5M/OiecX5YrQ25
   V243ZwNTrQcK+ueMBeh65IcIazKgCz+zUSHU3oD1L8Qs7kPcFZPE1i8v6leTm0gZ
   Yax97YqpmRv/eWhdOe7i1akCgYEAzJEvqpmBHvZOThdmneZ28J+fUQdzOMM2GgRU
   wmeIPipPijP63Ee/dz5gv06bDRytjI5Vqsh3NPRrzOJ5edgo3SeKyvMToT4KDCxs
   W+3TXH9S5fatT/OLjVw2Cgh8A+vzyOM4iMYxSdy2mIyVtZgb4JkI4eOqmlvMAjP/
   KMUnOpUCgYA7Ah+UVDuxnW1znWnYcvo/CnSkpAFf9XPQzr/fFY8oAXTsEJdRzS1A
   eXPplLGDPQLAR426MLBbGXgSgMp3SqEPHH5nn8hH6WUsnNvQDOeEIJKmGXhU/xQ3
   QEA9FUXAvpAO1iSPESE/oPvwWv2DWieiUwDoX9F8scoF1j8ChBX33A==
   MIIEowIBAAKCAQEA09wUaWtxCSwLD52VCMFkIGbvn5wwBjA56xQW2hnMQU2xz/hT
   W6UNduyXuhYQn+1XtfttS5+P0J8OFac+iMTk7zXRY5EgaBj0jju0DwM+oADWwybn
   V44hkqN6LSFESNsBuVTo3Nbj0bPySyYPP9SZY+R+FAqycxxfO0E26ZpwvvdPCGtK
   20QC6LtQZiyYlEWefgEOncOpA7coFSjDzaKtqwf2/2n07Lp/S72bKIwNh+Jm0SQ0
   5Xe+ifHJdkw3NDq82Zw29ShgASlc9B56FRk0gRzPGgZcD/mBZ9xQCeKo152fNW7/
   pqiAdGz4oQrzuyu2UYwhvAZyWdCVQtMCLM75IwIDAQABAoIBAAv+Q3GMUYPRaHbj
   1tH+EKr86MfCUb2n8T9rjbefCj8QJOa/CgkAGPkIf7ZbFWnYR8TXjOJhEAUhW+zB
   4PphGwynoUjfqFP8RavfmVvYNS1dnsrBYwtD0oa4lmwDnBf7vec99Ui7KX5vj2HN
   r8NPR7et8a00xdFaY9G46WDkC0nkH8AqMMymY/Vu2KpH0f01hTpFLmxS7We+d3Uq
   mva15GUc8+EL079uphokchr4E0036Ce4luCnqQfOUAKcXCMYK27lG5uue620IXLE
   CqeevZPEn8eqWhSNGl981CF15AEb0tApMcMwrfcbpnQMHQuyQHm2XVewgF0gQGLn
   UA0i6NECgYEA9TrFg3Kuw1Vfi+kztX6IMjW07YgN443NtB/9+sXKoc0Iz6LoPbOT
   VHSVqHHpjicicBUyUa77Kr61HAv7AV0s2FRHAb3M7wOVYGkT52+12o4FH6EMU42G
   ISAcsS4vCfHhYq1T0hC91bIY1XXxuBrpo0yb1RkEaSALHN6arAEgWccCgYEA3Sod
   gEcahQEnu5P8UY5j9yFaBRqVxdQKWnO2trkfLkyVgtvn7ES31EGojVHg23nr5IsK
   IpwFgBiQvEGUgV3dR0Jc5sZTETOweWBLebC/CtZfnhBcCNx8jwX5m/CtTzMHuxVs
   VJ1WpUDn+K7+G8KIK0+Kp5QdOCxXptHRLkGPBcUCgYAVgCulFL8B3VBdQfsIpKlo
   TZEpak5dbydj7ZIlFIZpnUJyggP+tOnr87TTafliP0gjr5gT1VWsL8BNTzeYrQSr
   iugW3P9EzXmhVFUsa3z0RpNobIRaJwRljx0046m4I37xWeUJe/JI9C59OLQSwjlN
   2f+ntWPPm8GdrF6/SfH+LQKBgQCyDaf2kEf/cHCmiXuHxVUhrs4kccTGofE75RDi
   hqNdyPZNhfFvu9srnTivnY2j5MJPGsksF+Qtvpk3lqySghkVt43HlT9nB/A5p5bb
   /7muZexQ+ua9k5UMKElOjDNbIcBFk/fFH26UWG7pPSkC/FhYVg9Q3uOvR7PBcAYy
   cUFN6QKBgBw2k5SDvun41wNV4wxGEli9ia+i4lzg8pwJ1DUxnOcDvlDGzAzCNtW9
   wPoR+jvhK6V6X1mI0tqqcYZ07pC3CJBEtAckHj2Ik+ZAEjQMf+eH62Rcv6Sbozq0
   5dFCBZwzIe2IQomg3J8+OyILSs/uzFkjGjloJIrP+OtPKSrfR+/Y
   -----END RSA PRIVATE KEY-----

Appendix C.  Message Dumps

   This section contains a base64 encoded gzipped, compressed tar file
   of various CMS Cryptographic Message Syntax (CMS) messages used in this
   document.  Saving the data in a file foo.tgz.b64 then running a
   command like "openssl base64 -d -in foo.tgz.b64 | tar xfz -" would
   recover the CMS messages and allow them to be used as test vectors.

   -- BEGIN MESSAGE ARCHIVE --
   H4sIAOaV/UwCA+ycCVgTV9fHCQgIQl1wRYsBrZUlODOZJQFRg2E3CUsAEwXN
   MiEJ2UyCLK6AoqLVqmVTK1DBomjFDZWq4IJbQRHRun9IUXErVoG6Ud5QW0UK
   4vd+0FY+Lg/PJHdmztwM99zf/5wzQSDXkDRyiRwnyTVhjkKeVq/zGwAAKAwT
   m7cYiryzbW4QDENEEIQxjAxCGIwQARBGAESPCOj9DS1Co+WpdUPhqyU8xXuO
   62j/689CfLP9SBrDLSCA5uFG1EhUTuERckm4chIexZOrZLijAtcSA7x8x0GO
   gLlpkITn9Oe7cezJvkSQqnvlCDlCTiACAKAzX81TCMQuMVSxB8z3IQkpGALH
   kMggzgchhIoJyFQeCCAkkET6c5+zWqVUa10QChnEzE0ZvCiSu1IdyVMLNU5E
   THdJttKJOL7tcU0wN3VXK+V/7BfJIkSi6Df7BUr5BGctL8wFFeh+ABQ0N53M
   k8lIXnQnIovNAFgeQTIW3YvMgbxABuQv5Ur9wxlSsYThwYhkSjkQ18NdzPLw
   ctSdFoDPciJSYIxM/OM+mZvSBAJcpXUiyiNkWomKp9aO00jCFLjQgajFo7Tj
   VDKeROFA5KlUMomAp5UoFeNU4QINRmr2sXf7NUKVQwszPJkWVyt0u2bjuisr
   FVpcoSWxo1X4X6/lzFdGKIQ8dbQLovMkmE9GBCJQJAQAgbNcZ10W5qIR80Bn
   lVqpVQqUMhebvw6n2RBPG6HGbd5ebAquCNOKdTe/+e6bm5JIra23HtfbT9xi
   j24eaES4muSmECiFEkWYE5EvUejG2mzSE5fJlNYfYvo9I3ZW8OS4y++LlqMK
   07w9ky7RqJQaSfM5OgNaLU8gluv6ncU8hVCmG4mLGp8VIVHr7p9IIsPbs/Le
   DwDEESqMTOwSPBN+NScY62fEEYp1XUf0CQTQBDA2MrT/xEDfEujz9hACGEf4
   RnfIRt0hwDxABfYBTIwMAnsZWegHBoAWQP/mN70tfp+iEpFSrZDwwP5A3+Ze
   Y4veATwF0VupwcFPALPmLnNTC0PdjJdoQVvg8+aOPhbEgOb3RDau0RIn42qt
   RNR823AiLUIrVqol2mh9E73kTYuGMGsTGW9HaP5mhASCoV6vOIJe38R1hx/n
   rF/tcsT7Nv/IyxCJiok+G18cc9FIyreSOQ4xH796L/Vk7LnIfTxnx5TZRU4p
   g76FnCdE5zamVDrS7i5vIA67NXyfpmrwMzqBwVFcG+71wnP+4WSItWaCPXp+
   jD22nlB6kvoi25aW/ejQ01nX4rike07ldwr7PaXtkBLjKiS+L1VXl246trq4
   31mXhYHfrUizYucbTTgj/PJFFWtz3qQJmV+X18wtnCRRLNyhUTgsuLGpd5P/
   LzQ/RgLMHXFpzfglp8xN/aEvtja4DZ+eIb0rtLIdsCjAx7GP+pPQaet8vH9r
   EE6ISpy2wa2I33SnYdlnepphPpW9y+t/g8o9Hv7C0M4d09asJJHMTfW6dZPj
   Gg0vDCdpZRqSGteoukICdMB/AMaAVvxHIAjs4f/f0f5AOhHSjZnl05rzUwI+
   lPN8AR8ToBREhFAQFKO2w3nkLdU1bWDdCdHR+jW7yQifotOBopag17RB+tej
   en0OXzdtAD4Kt+A9l+4HcqVMMUPqF8WVcmUcKTOcKw2M5ki9xQw6DWGwaVEc
   qb+YIXd7w3uYDFDe8r41HH9HY/dZFVr4fxep/479H4PB1vofQsg9/v836/92
   PbK9KKALVof2o4D214t/fIn4J0KCtqT3n0sU2lJqd/D3Vyjx8AiSoEuzAB3H
   /+TW/Eehnvi/O8T/IEWAoEIyiCIQhuoUddueD4FdEv8LEQDEqAivZfxP50As
   Oi2KyxbEcOliMVPqLmZ6uJFZdAHMifHXxf1BUoZUEMNh0z6K+B8HACoAQlQ+
   hAkpQqiT4//W1jsx/u/IdE/83/nxv9/74v+hkrLyb58ZL+XjMxZed517Y0+8
   Pt9sBnlB4Cj6Ot+zE8uC2J+FVni65m/+PCbB3NTM4LnKy+7eyIOlg1hfSkbj
   /rbQiJB+B441kg6NsM7nrd8T8mIVTfDDjQR6PsAKMuaGF94R2vMezPspZbf3
   uN3MfffoU71W5pqb4nXq/vU3E2sGF5y8k7l28/75qU94WRL+6a2DPGrmXJq+
   JR5mzS0J4Cv3L00zSSkZC9yOUxkcrHmwetStCXqjVlCqFdkSjeW8PargIell
   M65eOWjTKK/eXrGrYVD6LpunQy2SDHwZEtJGopy4c4f+hbW5524GX/s0L3WY
   wtX1K8lQcLYlarX26fywnJWpm4HItqZlt08AvOb/a/bjCoE6WqXFhZ2sADri
   P0RGW/Ffh3+4h//dgP8oWQRjVDKG8UUiRASL2uE/1DX5fxFMxagwtQX/GWwd
   53WCnikPhDhQkJQrZ0BMdpBO9AciDJ024Ehp0Qw2B2HGhL/hPxlCgX+K//8H
   pH0Q0TqCbrMt59erg1Z3iAuumI3LlCpcSNItEbx3SSz/q5JAUOQ1NfXBt0g0
   yIjTt9F1WekT9HR0TNPRMUn38p+mo38bUDy4av78suFHK5KS0JtrC79KFy1O
   P5d5pzEtfYvj1Spzrb9BYqVeZCFnwznrTwe6ThSrf7W3cixRGHDmHY2XTRY3
   ns98+tztyOPHnOgXuN4sxgnPvqXWtw4eGjTswb4EKMry0XIRYpE/NepQYeUW
   m8NoL/7IHXF2sphLD2kUO9ES0k+/1d1eYrcjtH8tbLOcNuPU0HqakfeR8m0N
   6DerZl+/tmf6tMW+0dt9FTNig2cbTh2cHM34PqAGq/r6sSWn7uqtIoddBQn8
   ELPRd40NFl6Mf75o+5Fdl0YifVieoRULZq148PMjpzkyi/M0n+JeFw+cGU0t
   uH//QsYaa2iC1a57lpnz6/SfA4K1wNwWSgb41MhkZoInATfoRdDv1W9P3eIL
   zuq6VxuzlxJv9ho7eqFv9qnhx6/3HmhduzeN51VZX1tUUtWXEFww9Mx0rcrk
   +U7XWdXjwlz2vQhW6/VLnjltZupsrzlnnm6NOer58nam8ZLl876/lodmeQ2K
   V4aHld/YtaK8u+fe/23876onADqO/7HW8T+A9OT/uwP/EQpO0YX9uEhIEQlE
   ELkd/gNdwn+yCAOE8DvxP1cqlnE93KVMtqsu9mcgXDZXypF7RTGDGTBXzonh
   0jkgR+qm0wh+H0n9H4cpFERI0bkOyIOhTor/4T/r/+9a79T6//tN/3vj/8vv
   xv+ndV3FzfF/s3R5HV0b6rXOAGTpDsr4V2QAWoyxJwfQdg6g9dTs1jmAlvxv
   9rA/kwCdKQQ64D8Zg1rn/1EM6Kn/dQf+A6BQAFIRKi5CKRQIFrTDf3KX8J8P
   omSUh6It+M+k+0VxpH6RXDYnkkHnyrh0GsSgM2AO5B7OlLpFcj38ZVwpM5wh
   Z7zhPwLD1H8r/1EBINT5FhlFQSoFQTon/w/CCPJaALQ232UJg67Oc3wkOQhm
   G1COBgfVLUktHvOwait08vbc6Id213+JWr/nleu0OHrpd8RFX9soVHBlwMmz
   MaFZ349ztc0cOl277zDxsTh0/hivmkFU4s/JcgnqicQbpv14OWLPEiZd2ZsR
   Vro3p9FzovLMLeWkgmoDr/Qsl7yJg+J3HbPNnfokEDxrJlxQEToRfRVOf9jk
   Y/ci5Gpj8dizgl0JkRHr9heX1R/9bciJH8sWVOTt+SqrTJV+6dCK4TkuWzd4
   lU+Mbai5OSV3SNDMPnyz/IPDEzUy1HvUnfqfcgbXxAXjdvkVqz6zXZMxccPT
   UVtme5tXr1xSe2rReDBEcfyu5STj+tq6qQsRh9q63WMsqNNz4zML7tAWvC8H
   0bs+cLrsofqiu9R8o3CIr91CXwj+xXGAkeryuG/K+Ul5Tg3TjE8JI4ITbVzL
   113mqDycnl3CLHv7SM8uJVVPNeGmlvibzTu9LXPP2szPjI+VK03SCaqjW8/v
   vVarm/1nr6V+/1j737lBj1jtjMdV3ytWl8nEpymPrTY0fteXfZFDoVxdgyaZ
   2O9H9u6ckEH6Ar0+D158d/+veWPt4sj0iCxKU/B5D58Fa5ZJl24sceu/anhs
   nicxoGSNw9BPSo4VlabSpxdCA7T9hw0JG5g82Td24YKx/mPOhKw5MnKm3iiH
   AxHVP66bH2oFnG+0p6wHCB7f5c4+Z+AgbRx2/0CyGpz8fLlSWySo+PqQ/5lS
   Qnia3sRMV0lohuXNmUlTHmGJoYVmKueLX4aNDGi6lLITc/UbVPRNFHRzXuDW
   rIEmO7ZUrLx+FCxm2S2GBrDvqh0epzw7tKXK3LSm6KDs2goe41HBiKxn5XGM
   9FcHfoRDvXc1zFxfdXz9HYvFL9uamf9rrdq1lZ8Prf+0zP+gzfkfkIz16L/u
   UP8BqGQyGaOCwubnfNvTfyCla+o/ECLA+Qj/Hf3HgblSbymDLpNx2TSYxWY2
   P/Al1mlCMlPuBnKkXjEsejjC9GD01H/+f9V/2tJeFr1EQ4dcHL3ZIWz1moyR
   r/JtZpncLbqy+6V50ecl1ZWZTa9KduyJHbzrx2MBUV6cGzcWXTtYfbHySlnR
   7VuhqeMdiXMOOuk5b1s6a7X7k688yq4YNgx/ej96n8Q65UalMCQHCDpcOClF
   MzUMP9wQcLqofDfPOMX1BzGWUn0st5+JKOCe+mSWyMzEaMAtr7ADky71KfCf
   d2zjPsDPh/bDjB0PczK2SpoAo+VZo27/amiYUH92+5ymghD3KY6/yedWWcdE
   YP3mmzPiNtJ3wrllnJxnA6WHXPAJ4ZjjM/YcD69xgXNqZjseWjnR6kpCkqXh
   Q0t+ct+gpPVjSqsSL8XWjlhz/kksHL9iYu37tNdz1tE1XtCDLZXZ23JrCSHZ
   C32THge4DDWJBMq32VuZm/rde1ANLT8j+aLgtrtgQxpCVF34Ocba59i9gNt5
   88ask07vr+Sod6+2Sk1qkCyj3bGZNu5B/YZZtt9bEVI2Jj+gJn5z4lVPAajL
   25vKDylSzNOSwpRa0uv1rBOVQEfPf4MA0or/KAb28P9vaZ2S0O9xo4/f/7vs
   2x8fUv9FW/k/GSNDPf7fDfQ/BcRhEUamIBQBGaEgwnb0P9ol+h+DeSCIgkDL
   579iXGUsDwbAjAmPZLHdohgQI5rhofuNCSSzghkxXI9AgANxQAY77KOo/2Ii
   vogMAny+SEARYKCgc+u/ra13Yv23I9M9KbV/IKXW8x3wNmZm934EvGsrvx9a
   /wVb5/8QtKf+2y3yf1QBDAoADMZFZIoIa+f7XyC1S/hPQWAMQRFyy/yfPEjK
   kbrp+M8UM6WCGAbdLZrrwSBzghkIU+4v5QT7RXEgbxmH7fVR1H/Jzf8riQ/i
   KAJTABjld3L9t7X5nvrv35+D1F46be8pSLEPOjq7yez88QdXfrnpXv8JFjvz
   mUF/atrM+nTiM1pA8knfKU3ytIya/P25KaXKb4dN3VLm8OT4gWW2RaL6poV+
   JaMjZuZUhOydIre/WZydk/1innW/7LtmqWEiT+PaG6vEdv3l7sz8zAzxz37y
   2OB7n6dG7L7du2Tz1bmRFdcHR/FObt55Lhk9ffnzbSMvZOwYuRMffqq2YMOp
   7T53tr4KMFhxVH9kIfE75V1nTJ66yeJ83aa6dYcr8yPq86clZNxqWLnWx4vA
   py2ZM2CnW/wJHj275nzpZvshe099dmHD0f3L+YMd6nzVDcdY9mSAk1Jow0ZH
   sfoZ8crynymJhUt793lfDnKW8/3KkN/KQuX3t/U5EO6UttCXdpe7c9vjzQfT
   /VnxF4tlo7yGEKO+Pq35ocQzkffAnVThbSD1Bu/96j+NsBmmHAi7cSgqgCPg
   ujnq+w3NezI5krWMed/67qumuY1xtDEnLiK2/50X9GjVLteq8791aeQbLju0
   qNdd2a0NA768OCoQZ18OBmauHZj4OO32vlj7tIHeeYZZ17iNT+yrnk6eb4s9
   7T07acTkvNQ7JrFjk17+T2PpDtVVY+uwtP7HD1wirJOVTE0nbaZfUF+Ynux8
   q6ruS1C0aZ9oeKOj7dRPhw4qeDSmYmf2s7A6GHK7n2uzfZ/ooIud8Yja+LCv
   dt/MflHv17i8+HGC0fFHL1/egp76HKW9WtVYurFp/acmK6qfu/XFr5+I35S8
   crm4evdE8sMRRg9Q61FTPHIdMh9YYoSojSkhOU0L8neRc/QJPxU/qhlrJr2S
   Mee+R9B/2rljG4CgAICClQ2MoKCRSNSi0xiBWvJVejsYgNIo5lBZwAYMYAK5
   m+HVr1qTLZ7qZe9C2aTnMc531OdF1g7XV5j/3xUBAAAAAAAAAAAArwcJE6fh
   AHgAAA==
   H4sIAIpaUE0CA+ybeUATxx7HCSCIHIpoqSIQvFECu5tsDhAEDATQhCsQExTZ
   JBtIyGUSIEREREU8i1ZRqVYERVHUCqKiUBWP1vusXCJeeIv3LfpCaRUpSF8f
   tJXH/JPdmd3fTjYz8/n+fr8JT6LEKSVCCYqTKCMd+YhKp/0LAABEAgHb8Eki
   wp98NhSIQACxIAhDBACGIRDCAiCBQCTqYAGdv6HEKFWIQtsVrkKISD9zXVvt
   jd8F++HzCyl0r+BgD5oXVimUO0fHSITRMndUjUjkYtRRiqqwwb4BTpAjYNoj
   VIg4/37mxBwTgAUp2iNHyBFyBmEAAF24CkTKi3LVUKJoBO5YHJ9MggkaHAUi
   CxASgSvAc3kwgQDgQBzu9zYXhVymULnCAImgfQAdUeO8ZYo4RMFXOmNJ2hqm
   zBk7quV+uZn28FbIJL+1C8QxAkH8h3aeTOLmokIiXXkIWSAgEHimPcYgYjHO
   l+qMZYui49gsdpw/ky9mM33V2mOAwWTDdCpPQ6eFSugsuppOjYbZIraj9rZg
   dLIzlkwg4bG/vSfTHh48HipXOWMlMWKVUI4oVE5KYaQU5TtgVaha5SQXI0Kp
   AxaRy8VCHqISyqRO8miekoRrmGOf1iv5cocmZhCxClVItU2xqPbJMqkKlapw
   zHg5+sdnuXBlMVI+ooh3JQkAIoULAhRAwKMIINBForUujnRVRiGgi1whU8l4
   MrHrwD92p8EQoopRoAM/PmwcKo1URWlffsPbN+2BwzW33rxfH79xkxbtOFAK
   UAXOS8qT8YXSSGcsVyjV9rXBpA8qFsvs/ozpz/TYRYpIUNdfFy1HOUn58U6q
   UCmXKYUN92gNqFQIL0qirXeJQqR8sbYnrgp0coxQoX1/AqEYbc3KZ78AkIw5
   b2A0IsUn5YUpxlA3MxlzSFu1XxeDAY0AQ4NuI830dPsDxh8vwYDJmCztJd9r
   LwGmAnLQGDAy0AvRN7DQDQkGLQDzhpPuJr8OUaFAppAKEdAc6NlQa2jSPRiR
   Yv1kShQ0A0waqkx7mHTTjnihCrQHhjVUGJtggxvOsUxUqcKOQRUqoaDhtaFY
   jxhVlEwhVMXrGumkZ8+0ZDyYS//YQ9MPPcRguunoJ2N0VHQ7yoWrVx0AzsZi
   RsQC4fra+ID+26b6nduvt7rf1KzYZQUngRPcselYuGo/vwK/OP3EcL3lUgeT
   5wu+dX+cWmm/2bjU7NU50VKHeGmpK/cGM9cqT1D11U6qWM9q8sq6I/fo3247
   9cwy/tDPu53Wi8dePMXNftLfavB1d8Eo/9kpe41EmjERI9+Wu45kWR6brjci
   VDg9+bX60llnp9fZh+7Mu2VCtCq+WG8137EnZmvFFX0zRsCSmISSCuPqja+J
   1+5dXwd7/5i1zHrzbirT+f6Syli/wN1rp2q4e0c4PZ7AeXf0RtHFiXeGPoYt
   +2FPLktnKFYq6m2j9osmpHg+vv9Yjo77iXoooaVBicOZ9tDp3EWCKpVIJIpT
   iZU4BaqUd4QEaIP/AIEENOM/DAH4Lv7/HeU3pGMhbZ/9xzbn/LjgP8l5HokM
   IwCJhFAQMgEGuS1zHk/+SHVlC1h3hgEi2MhugA+QYBgEmoJe2QLpG3vVeA+I
   UPAEPMBtwnt/JkdCp3pB/iyGlvehIgY1WsPWeEbRWUFiOjWEwKB6qTmSEAKH
   GfiB91oT5I+8bw7HX9HYeZaFJvO/g9R/2/Of9Ef9D+Hhrvn/N+v/Vmdka15A
   B6wOrXsBra8X//gS8U+4BC1J79+XKGJTqd3G7y+VodExOF6HRgH+e/8fJgJd
   878z+P8CroDHhfFkMiSABDwC2Ir/T+gQ/59PQUEKD0aaTHYG1VviT/OF2CJe
   PFvjAdJpgXEMUWA8ncUmMCSh0QzIW0RniiUMmu8X4f8L8ESUC8E8MsCDiBCR
   0L7+f3Pr7ej/t2W6y/9vf/8/8HP+v9NPV5eaR6TYVRfWLfhu+1lh9PEH1Yl7
   3jz7fs3BmbkOBuG3w2pqtwGq9cbhC6OdH96zemPjG4apsSHkbVgcoUcehTFK
   OWy7cOCpAU/puqGxdgMgZPODtBLNnvfvJ/vNw+utn/rowmayYapSsrV8Dykr
   oeeNqsQnR8adKxop2bOKs3FLYdEZeeaIqUusqmMYP5nVzdYPybwytua2/eLE
   H1KtuBdqepaMG+w9Fn8y8krfg0ZDhjr1PcK2W385634htWhFRL3aEne7xP2b
   u4b1ewyC5s1GzZ/Pt/LaHLkhZNaNd2YF9k604RuOKkWaQTtOVP5UOGTKnAvB
   MxPUO5e9HvBypdFIe7tcIT/uSkuD8v/A/2/kfyP7USlPES9Xofx2VgBt8R/C
   k5rxn6it6uJ/J+A/SsaDFDJERPB8PpEIEFvhP9wh/Af5EB8gkD7hv8gXr5X7
   AIMZDdI1gQCbFaLVAtEgg+YXxWCFxPmz6ABd5B3F0PA+8B8PEYF/iv//A9L+
   FNHagm6DLZfG1UGlvcQVlcaiYpkc5eO0SwTyKYklf1QSMBFupKYu+BGJepnJ
   ugO1VTa6GB0tHVdo6bhUe/hP0zGoBSjuo1ZeP9XrMm7+knrDUIfaOajutiR+
   1V3a4n2njLBOoePccHmXneaWvBeZ59noD3vlpzFMfBpaqZd229hH1D1sCMOD
   o7vxgaEUfRl33svcUzD95IYZc0PDjqzPej56ZblXwcnKhcJdgUOTVdhizi77
   bUfNr48KjZ0gsN+jCs1aBizgpe9Q7xy1et+m11+dHXyROEVgrS80Of1457vt
   tW/N3Q5gfpyvd9ku0U6j/7Vmh5GqICyaIApP8JwVysod4jd9p/skL/eTD49W
   SZ2KU4vU5iWxo75POZTx3bDM5IlOg3fnw7OKlDdWzJb1DU3LNfd5GRYb/dB6
   q+y8dkzcwoTffGNyxsvum+OjgIQmUgawNjCKSPHBoHr6GF39XrzBx9SKM6eD
   a4oSrqXTD71KCoistLQITlMeYfRj+XKQKK/oVeHiy2nwiITFQZutH/DpQeqc
   vbIj9dH1R+Zd35uQs2ZJfI11vQnV+q7sweLwNN7g0irbvoHyN18Pm7tpV/GI
   rJudnr7/Lv531A6Atv1/uLn/D+DBLv53Av5rf08eAIJ8PAUPCAQAoRX+4zuE
   /xREO6i4hE/9fzaBzvJV+7NC8P5MD5AhiobpLHocR8KOY0C+eAbkpWEwfWF/
   Ju+L8P/xRATSyis+Hw8QBGSY3E7+P6HR/29uvR39/7ZM/3v9//JP/f8j2qpD
   Df5/g3Rp9K676TSPAKzVXpT5r4gANOljVwygpRhA84HZyWMATfnfMMN+DwK0
   pxBog/94EoRv7v8TiV3x/87AfxKfCwoIJBIIk0ABv9X4P7Fj+E+GIJBEIjXh
   Px3yBTlMLzydGtWw/w/mMDlCjihKxKD6SdgSLzWHqm1j8sX+tI/7/2ACgfJv
   5T+fCBJhlEQgg1wuiof57cJ/kADDjQKgufkOCxh0dJzjC4lBMFqAcvKdjFmr
   L0ziPSuQYdfIDmX9vIJ7ro5zN3koOb1nZXDiqzQj2PxgRPfvt3692MPesDw3
   H0mRFak32LoZXSW5mZVmmHEWzc6t9900ZeP9gYbHTscbvXB5Yuk6d7DnTupR
   zS97Jtkejg3IeTE3/yvh5Ko6cXzQpnFhIJ9SYbN5dIplpR4F7337BfKy5v0I
   zDy7YUxd/zmPbLdcnxc0VVBa+1w1Y0BGVC/r8WGZ5CdzcoQFugTSlKP97Yfd
   t2TaztDc2oZRG848pK4SbVjCjb1sEjbbgDNGrCPKC/ZZ914Usqo/bXj/+OUX
   PHUP6r6ca1RTeHPQnKiHZy3STN8T7+wvs31XNpGZbuJJ+1wIYgGsMP1lVUJ3
   sWn+UVD3lmNSwPnbj/Z7mvZ4ek1i49fPd4PGduPzY/cLy0eNLY9VYZLKAiTB
   K7aM74m3GMg/XX3D/RnboCgzWqWesPS0xb7C07Dt2bQhY0r5C48vzDPpttsi
   gMka8temQZdYbY/tqp8Vq0rvxIKvIg7nF71/PmnMyyzd0mn6eVzNU+dvH2w4
   c8XBuLdN0YSMHBfhvHnjYjg78aylKLrrTOlyN1qF+PRFl1SrGZNnmU+Wjk05
   G+saWZdicn8BeVBe0g/IrbKKiVnCUFr2IltxryU+mccj+kgCvMfeHSVh95o2
   ab7u01UQ5f4O5wr9Q1XXhsfVDPUoM4ms3lTHcGaUbinanG12t/ervoYlR5Kr
   h0tLLdPDfYcrZxUnxkwetmuDXt7+3WXblV6S9L2mPfpaTl2+Zxt31HGR5UNe
   6rSg8xWj7tNcsne/vbDVlTToHJmT3+v2pl599bIm6Cfu3mzn8F4Ve2XiNp9J
   uum46AWJRNo1C3J9SyPzv1arHZv5+bP5H2Lz+A8IduV/OoP+40EkIoSHuDAB
   5PNhiNSK/gM7RP+REAjFAxDcVP9R2fFa7RflT/XAM1heEEfk1bAPJM6fyRHT
   RV5qBssX4rAC4zg0elf+5/8r/9OS9irq/Q20ye8qef/lYGHqhSE33fW2XYq3
   y741iGN17M34p8t81v/80LXGI5uTBsmTX/9wqXxJgtgR8w5fwj1m6D/+kuzO
   6Afb33grxmekZs4qHlT2s5Fx2gK/SaPTE/LOX+13S3eH2RPTx4v8InPrAkXL
   ylIk99TSw5dnJFzRseW4syNMyu5mv9EvOLLubvz9gtCXzwPzw8dfLbccjs/Z
   Bc836zMt7fQUPR2x63T7Z2W1eTHhlx9WX3PLN1h2wTf3GLn7o5ndnu0rDsk5
   f6S8fm2e++pVgWEvnA8cOOF8U2LX7XRAjH+f8rjYwxY5Pr2nDDk+cKKyxP16
   X90sit+xipDua+sYc8N3H/TzXvk57XUUPlpio55RgRXTilZfXJSaFGC1pfdB
   s5D0TSuOD5hWuHzt3rPl05bsKSR3Yz8mrzlhH2NpzbMy/gGXajBNnfSE43YR
   3jvQRg9iL6+snz6pwoPn/HV94cw+GG9j97uh9im0eWfqutI/HV8+ZH5wcVGI
   ChcpU+Ea17N2VAJt7f8Ggeb5HyIJALr4/3eUdgnod02jL3/+d9i/P/5K/hdP
   AqGu+d8J9D8eoUAQl8jnAQJAIMC3ov/xlA7R/6iAyEX4MNo0/wsxhByRL8AQ
   BYkY1ECAzmSDDKr2mMWQ0GkhIJ3qAdGpQVFsyZex/xvPhUEYBSGQS9C+ahBs
   5/xvM+vtmf9tw3RXSO0fCKl1/Qf8jwOzk+d/Ozbz+2fzv1Dz+B9M6Mr/dgb+
   U0gIRERhCpcEESEuvrX9X1CH8B9PoghgLvRJ/lfEjqNr+CI2k41ns4Ki2ZpI
   DV0UAtBpvgS6hgcxRNEgW+MnZmi8voj8L0rmC4goyENhPoiS2+n/Xx/zv83N
   d+V///4YpK+5sXlQ7qprG9+kHLvb+/jC9FWz3JLOJhz8buf0sYWvLZJEonyC
   onxfckRlwZiXgfOhedWnYyUrvZX7qZm93n+1doZqlp1q6uV6z33LdJKzkqYP
   XJmVbNpj1sOoBxllEuvBI3PDCzIy3dZXWA8o8zwmWzddMGi4TsIK0Q690YnP
   fe4s8oUf1bszJ+a9mHln9LAx9Zeu9qrmHYT9LHjGEtOMXzYpKML56DjqwWww
   Ir5oQ/YavXqPIb1rn7yknZzvWTE0bh1ra/+le7utu017fGbLRYtEqxkT5h+0
   BYvZN+qlGT8sujc5Z9pwt0FW7lf3RZwKD0vpbpC8fWeVTnWeM2XY1YT0zXNv
   H9hlEP65IGTqdxYx6wV9Dpw6cfj92UUTM5MCkoyzd7LmbH8q32LdJxeufmUt
   sPcOcre44uI3qPbepldwzo61P+7TDoV+BykDp/YaZ/o0XV9tPouReO1AcX5N
   iGX8pMeM2iGeJC/KxOeVrAyG8V+bBl1itcPFqjQwb7Dj7oQ1dUkbQorP8yfW
   2htNyt+6Ubbo7LJ4KGzr0XdrlG9rWYzDLpHwxutqG/a3dZG8OBtNcrHN0J6U
   GJOcoYsxop0TH+5zCPR+s55IvcY/bH7MOLr+iSSh3m2L46I96u+fWq3BRhVd
   OnfN5O2LPhkO/E3DgkqC7g1L7VNSdYD50x2fKsPb3zn+/CM3K3ZGMOmW7tgz
   KbdrHEu+pdxzwgRnTutflAO+vbloQNVAv8gZS/IZw3NPXPLTF11OSZsyflKV
   Jj09cwhSOj5reG1B/iNJoMFKNWJa7rx+dXbhbOMk89Lc/7RvxzQMAgEARRkw
   wNSEMOLlFDBVBGMnFhJsYAABZ4LuJUwkJZCgoQQDdcB7Gv768/VRHG01vNNt
   emZ7DOdvjHOoX11ffrLl2/wL8wbDIgAAAAAAAAAAAJBchjiJbgB4AAA=
   -- END MESSAGE ARCHIVE --

Authors' Addresses

   Cullen Jennings
   Cisco Systems
   170 West Tasman Drive
   Mailstop SJC-21/2
   San Jose, CA  95134
   USA

   Phone: +1 408 421 9990
   Email: fluffy@cisco.com

   Kumiko Ono
   Columbia University

   Email: kumiko@cs.columbia.edu

   Robert Sparks
   Tekelec
   17210 Campbell Road
   Suite 250
   Dallas, TX  75252
   USA

   Email: rjsparks@estacado.net

   Brian Hibbard (editor)
   Tekelec
   17210 Campbell Road
   Suite 250
   Dallas, TX  75252
   USA

   Email: brian@estacado.net