From 4c38c6c10ebcd97929bdc97afacff6b349f7f744 Mon Sep 17 00:00:00 2001
From: dduck <nicolas.canovaz@protonmail.com>
Date: Fri, 24 Oct 2025 16:17:08 +0200
Subject: [PATCH] new pki

---
 ca/root-ca.crt                                |  82 ++++++++++++
 ca/root-ca.csr                                |  18 +++
 ...924BE5EB2B8BA5096D1DAF13A4B53D20830A2B.pem |  82 ++++++++++++
 ...665C1EDD2521B0A59089AF93F35E78E5D6848A.pem |  82 ++++++++++++
 ca/root-ca/db/root-ca.crl.srl                 |   1 +
 ca/root-ca/db/root-ca.crt.srl                 |   1 +
 ca/root-ca/db/root-ca.db                      |   2 +
 ca/root-ca/db/root-ca.db.attr                 |   1 +
 ca/root-ca/db/root-ca.db.attr.old             |   1 +
 ca/root-ca/db/root-ca.db.old                  |   1 +
 ca/root-ca/private/root-ca.key                |  30 +++++
 ca/signing-ca.crt                             |  82 ++++++++++++
 ca/signing-ca.csr                             |  18 +++
 ...3928739ADF6A4B59724A907A463AF46DE9C119.pem |  87 ++++++++++++
 ...0890E47F3A4BDA3113B7019392EC4EEC3C6FC5.pem |  88 +++++++++++++
 ca/signing-ca/db/signing-ca.crl.srl           |   1 +
 ca/signing-ca/db/signing-ca.crt.srl           |   1 +
 ca/signing-ca/db/signing-ca.db                |   2 +
 ca/signing-ca/db/signing-ca.db.attr           |   1 +
 ca/signing-ca/db/signing-ca.db.attr.old       |   1 +
 ca/signing-ca/db/signing-ca.db.old            |   1 +
 ca/signing-ca/private/signing-ca.key          |  30 +++++
 certs/barney.crt                              |  88 +++++++++++++
 certs/barney.csr                              |  19 +++
 certs/barney.key                              |  30 +++++
 certs/barney.p12                              | Bin 0 -> 3920 bytes
 certs/simple-org.crt                          |  87 ++++++++++++
 certs/simple-org.csr                          |  19 +++
 certs/simple-org.key                          |  28 ++++
 etc/client.conf                               |  29 ++++
 etc/email.conf                                |  31 +++++
 etc/root-ca.conf                              | 102 ++++++++++++++
 etc/server.conf                               |  32 +++++
 etc/signing-ca.conf                           | 124 ++++++++++++++++++
 34 files changed, 1202 insertions(+)
 create mode 100644 ca/root-ca.crt
 create mode 100644 ca/root-ca.csr
 create mode 100644 ca/root-ca/2A924BE5EB2B8BA5096D1DAF13A4B53D20830A2B.pem
 create mode 100644 ca/root-ca/70665C1EDD2521B0A59089AF93F35E78E5D6848A.pem
 create mode 100644 ca/root-ca/db/root-ca.crl.srl
 create mode 100644 ca/root-ca/db/root-ca.crt.srl
 create mode 100644 ca/root-ca/db/root-ca.db
 create mode 100644 ca/root-ca/db/root-ca.db.attr
 create mode 100644 ca/root-ca/db/root-ca.db.attr.old
 create mode 100644 ca/root-ca/db/root-ca.db.old
 create mode 100644 ca/root-ca/private/root-ca.key
 create mode 100644 ca/signing-ca.crt
 create mode 100644 ca/signing-ca.csr
 create mode 100644 ca/signing-ca/2C3928739ADF6A4B59724A907A463AF46DE9C119.pem
 create mode 100644 ca/signing-ca/4B0890E47F3A4BDA3113B7019392EC4EEC3C6FC5.pem
 create mode 100644 ca/signing-ca/db/signing-ca.crl.srl
 create mode 100644 ca/signing-ca/db/signing-ca.crt.srl
 create mode 100644 ca/signing-ca/db/signing-ca.db
 create mode 100644 ca/signing-ca/db/signing-ca.db.attr
 create mode 100644 ca/signing-ca/db/signing-ca.db.attr.old
 create mode 100644 ca/signing-ca/db/signing-ca.db.old
 create mode 100644 ca/signing-ca/private/signing-ca.key
 create mode 100644 certs/barney.crt
 create mode 100644 certs/barney.csr
 create mode 100644 certs/barney.key
 create mode 100644 certs/barney.p12
 create mode 100644 certs/simple-org.crt
 create mode 100644 certs/simple-org.csr
 create mode 100644 certs/simple-org.key
 create mode 100644 etc/client.conf
 create mode 100644 etc/email.conf
 create mode 100644 etc/root-ca.conf
 create mode 100644 etc/server.conf
 create mode 100644 etc/signing-ca.conf

diff --git a/ca/root-ca.crt b/ca/root-ca.crt
new file mode 100644
index 0000000..44174b2
--- /dev/null
+++ b/ca/root-ca.crt
@@ -0,0 +1,82 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            2a:92:4b:e5:eb:2b:8b:a5:09:6d:1d:af:13:a4:b5:3d:20:83:0a:2b
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: DC=org, DC=simple, O=Simple Inc, CN=Simple Root CA
+        Validity
+            Not Before: Oct 24 13:49:19 2025 GMT
+            Not After : Oct 24 13:49:19 2035 GMT
+        Subject: DC=org, DC=simple, O=Simple Inc, CN=Simple Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:97:70:47:fe:95:95:6d:f1:d3:fc:22:39:fe:db:
+                    9b:08:44:9f:98:e0:02:9d:9c:85:69:f9:b3:be:01:
+                    77:d6:aa:31:e1:b2:b7:82:1a:ba:7e:62:36:f4:df:
+                    be:26:13:26:1e:d0:c2:c3:00:61:1e:f5:e1:5d:02:
+                    c3:5a:04:08:7e:70:e8:5d:25:f8:94:35:45:b7:ee:
+                    91:cc:ef:41:41:2e:a4:71:7b:54:51:81:7e:e3:27:
+                    42:53:c2:ab:4c:e4:8a:ed:59:7a:a9:f8:91:f1:8a:
+                    69:83:0c:a7:83:f9:36:cc:af:9c:26:7e:b6:d5:10:
+                    03:24:be:7b:f2:5c:f8:a9:3c:01:96:c2:21:88:1d:
+                    e3:6f:46:c3:9d:d8:ea:8b:90:4c:c4:2b:90:7c:a3:
+                    5c:dc:68:c3:b5:01:a7:4c:99:97:d4:94:b0:69:3d:
+                    c9:50:4e:a4:5e:54:94:cc:c4:db:18:65:f7:6f:6c:
+                    74:b1:02:c4:5e:93:d1:92:1b:05:89:4d:a5:55:38:
+                    da:8e:2d:e7:60:9a:ee:be:60:6c:77:5a:12:c0:60:
+                    2d:b1:4b:8d:6b:04:ae:5c:38:c9:9e:0c:b4:4e:3a:
+                    df:5b:d6:43:60:98:bb:b1:04:25:41:c6:af:b8:8b:
+                    18:c7:a7:ae:29:11:b9:40:04:35:6b:f4:57:57:fa:
+                    d9:d3
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                DA:B2:3E:C6:6E:34:D2:0A:3C:FF:AC:A2:9D:17:24:A3:32:AB:DD:AB
+            X509v3 Authority Key Identifier: 
+                DA:B2:3E:C6:6E:34:D2:0A:3C:FF:AC:A2:9D:17:24:A3:32:AB:DD:AB
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        2c:da:9e:3c:bf:e8:ce:92:3f:33:66:0e:f0:53:0c:8b:d8:51:
+        a3:00:7f:3d:9c:df:dc:9b:a5:fb:f4:b4:d1:12:e4:0d:4a:a7:
+        02:3b:ce:4b:2e:8d:af:06:a8:a3:62:a8:71:ef:8d:60:08:4f:
+        e5:ff:fb:8d:e7:00:33:3b:c8:41:1b:be:61:03:ec:d5:b4:fe:
+        d1:29:06:eb:fb:1f:2c:70:47:4f:99:b8:cd:45:38:29:89:70:
+        cb:00:c2:db:73:f1:37:b6:84:e4:fc:38:38:1d:74:d9:07:14:
+        ba:47:d0:f1:fa:f3:97:c2:1f:90:79:de:bb:58:9e:69:67:b5:
+        12:93:87:c8:9f:c2:02:55:8a:d1:5b:c4:3c:2d:65:4d:6e:70:
+        c6:59:f3:52:d1:01:9b:37:b7:39:2d:32:00:cd:e4:27:f2:d9:
+        f8:4a:14:4d:4d:a7:8e:37:2b:6f:ab:aa:58:81:22:93:e9:cd:
+        8a:aa:4e:c3:11:74:1a:13:4a:ad:e7:db:dd:ac:d6:f4:90:cd:
+        76:b7:c1:cb:2d:da:6e:9e:ee:12:85:a2:a2:6c:be:62:6a:c2:
+        cf:3e:ac:40:0e:d4:0e:65:b7:2d:8f:22:3e:d5:0b:41:da:fa:
+        4a:eb:1b:a5:7f:d5:c9:86:21:a3:19:51:03:d1:a9:35:f1:5f:
+        7d:2a:b9:87
+-----BEGIN CERTIFICATE-----
+MIIDpzCCAo+gAwIBAgIUKpJL5esri6UJbR2vE6S1PSCDCiswDQYJKoZIhvcNAQEL
+BQAwWzETMBEGCgmSJomT8ixkARkWA29yZzEWMBQGCgmSJomT8ixkARkWBnNpbXBs
+ZTETMBEGA1UECgwKU2ltcGxlIEluYzEXMBUGA1UEAwwOU2ltcGxlIFJvb3QgQ0Ew
+HhcNMjUxMDI0MTM0OTE5WhcNMzUxMDI0MTM0OTE5WjBbMRMwEQYKCZImiZPyLGQB
+GRYDb3JnMRYwFAYKCZImiZPyLGQBGRYGc2ltcGxlMRMwEQYDVQQKDApTaW1wbGUg
+SW5jMRcwFQYDVQQDDA5TaW1wbGUgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAJdwR/6VlW3x0/wiOf7bmwhEn5jgAp2chWn5s74Bd9aqMeGy
+t4Iaun5iNvTfviYTJh7QwsMAYR714V0Cw1oECH5w6F0l+JQ1RbfukczvQUEupHF7
+VFGBfuMnQlPCq0zkiu1Zeqn4kfGKaYMMp4P5NsyvnCZ+ttUQAyS+e/Jc+Kk8AZbC
+IYgd429Gw53Y6ouQTMQrkHyjXNxow7UBp0yZl9SUsGk9yVBOpF5UlMzE2xhl929s
+dLECxF6T0ZIbBYlNpVU42o4t52Ca7r5gbHdaEsBgLbFLjWsErlw4yZ4MtE4631vW
+Q2CYu7EEJUHGr7iLGMenrikRuUAENWv0V1f62dMCAwEAAaNjMGEwDgYDVR0PAQH/
+BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNqyPsZuNNIKPP+sop0X
+JKMyq92rMB8GA1UdIwQYMBaAFNqyPsZuNNIKPP+sop0XJKMyq92rMA0GCSqGSIb3
+DQEBCwUAA4IBAQAs2p48v+jOkj8zZg7wUwyL2FGjAH89nN/cm6X79LTREuQNSqcC
+O85LLo2vBqijYqhx741gCE/l//uN5wAzO8hBG75hA+zVtP7RKQbr+x8scEdPmbjN
+RTgpiXDLAMLbc/E3toTk/Dg4HXTZBxS6R9Dx+vOXwh+Qed67WJ5pZ7USk4fIn8IC
+VYrRW8Q8LWVNbnDGWfNS0QGbN7c5LTIAzeQn8tn4ShRNTaeONytvq6pYgSKT6c2K
+qk7DEXQaE0qt59vdrNb0kM12t8HLLdpunu4ShaKibL5iasLPPqxADtQOZbctjyI+
+1QtB2vpK6xulf9XJhiGjGVED0ak18V99KrmH
+-----END CERTIFICATE-----
diff --git a/ca/root-ca.csr b/ca/root-ca.csr
new file mode 100644
index 0000000..fdc5cb3
--- /dev/null
+++ b/ca/root-ca.csr
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIC8TCCAdkCAQAwWzETMBEGCgmSJomT8ixkARkWA29yZzEWMBQGCgmSJomT8ixk
+ARkWBnNpbXBsZTETMBEGA1UECgwKU2ltcGxlIEluYzEXMBUGA1UEAwwOU2ltcGxl
+IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXcEf+lZVt
+8dP8Ijn+25sIRJ+Y4AKdnIVp+bO+AXfWqjHhsreCGrp+Yjb0374mEyYe0MLDAGEe
+9eFdAsNaBAh+cOhdJfiUNUW37pHM70FBLqRxe1RRgX7jJ0JTwqtM5IrtWXqp+JHx
+immDDKeD+TbMr5wmfrbVEAMkvnvyXPipPAGWwiGIHeNvRsOd2OqLkEzEK5B8o1zc
+aMO1AadMmZfUlLBpPclQTqReVJTMxNsYZfdvbHSxAsRek9GSGwWJTaVVONqOLedg
+mu6+YGx3WhLAYC2xS41rBK5cOMmeDLROOt9b1kNgmLuxBCVBxq+4ixjHp64pEblA
+BDVr9FdX+tnTAgMBAAGgUTBPBgkqhkiG9w0BCQ4xQjBAMA4GA1UdDwEB/wQEAwIB
+BjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTasj7GbjTSCjz/rKKdFySjMqvd
+qzANBgkqhkiG9w0BAQsFAAOCAQEAdWJ7rkL/OaaX6JYUeXuR0x3zQ0L1KAaLo/TU
+iqY1L2LV9RXdNCsqsV2i/zx5F+nb6qtr65l7r/J75nGsfAJOrwgXWxKRCNo/aYdY
+3PJ120BmrUHIRWZuQC2I5hyjiuSXYQduCjJYujRnV28dEgCHIs+luLWpBzKVE0yO
+NiPW4cfKuBNWrfYmO/BT79ygJBjnt/gXAILsHYIn2yg8cksjkXkoDhXisYYCUGYS
+uhC3ATn1zR4lNHsXQg8uwlBJSWYEbOqfEBHGWWVbZergxWsRyRY6fDy1tbqOP+TO
+QXAXCt4zB1PU8J6uufNID7LTa6LeKnTRj7P/9lGXpKNDIsEpeA==
+-----END CERTIFICATE REQUEST-----
diff --git a/ca/root-ca/2A924BE5EB2B8BA5096D1DAF13A4B53D20830A2B.pem b/ca/root-ca/2A924BE5EB2B8BA5096D1DAF13A4B53D20830A2B.pem
new file mode 100644
index 0000000..44174b2
--- /dev/null
+++ b/ca/root-ca/2A924BE5EB2B8BA5096D1DAF13A4B53D20830A2B.pem
@@ -0,0 +1,82 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            2a:92:4b:e5:eb:2b:8b:a5:09:6d:1d:af:13:a4:b5:3d:20:83:0a:2b
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: DC=org, DC=simple, O=Simple Inc, CN=Simple Root CA
+        Validity
+            Not Before: Oct 24 13:49:19 2025 GMT
+            Not After : Oct 24 13:49:19 2035 GMT
+        Subject: DC=org, DC=simple, O=Simple Inc, CN=Simple Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:97:70:47:fe:95:95:6d:f1:d3:fc:22:39:fe:db:
+                    9b:08:44:9f:98:e0:02:9d:9c:85:69:f9:b3:be:01:
+                    77:d6:aa:31:e1:b2:b7:82:1a:ba:7e:62:36:f4:df:
+                    be:26:13:26:1e:d0:c2:c3:00:61:1e:f5:e1:5d:02:
+                    c3:5a:04:08:7e:70:e8:5d:25:f8:94:35:45:b7:ee:
+                    91:cc:ef:41:41:2e:a4:71:7b:54:51:81:7e:e3:27:
+                    42:53:c2:ab:4c:e4:8a:ed:59:7a:a9:f8:91:f1:8a:
+                    69:83:0c:a7:83:f9:36:cc:af:9c:26:7e:b6:d5:10:
+                    03:24:be:7b:f2:5c:f8:a9:3c:01:96:c2:21:88:1d:
+                    e3:6f:46:c3:9d:d8:ea:8b:90:4c:c4:2b:90:7c:a3:
+                    5c:dc:68:c3:b5:01:a7:4c:99:97:d4:94:b0:69:3d:
+                    c9:50:4e:a4:5e:54:94:cc:c4:db:18:65:f7:6f:6c:
+                    74:b1:02:c4:5e:93:d1:92:1b:05:89:4d:a5:55:38:
+                    da:8e:2d:e7:60:9a:ee:be:60:6c:77:5a:12:c0:60:
+                    2d:b1:4b:8d:6b:04:ae:5c:38:c9:9e:0c:b4:4e:3a:
+                    df:5b:d6:43:60:98:bb:b1:04:25:41:c6:af:b8:8b:
+                    18:c7:a7:ae:29:11:b9:40:04:35:6b:f4:57:57:fa:
+                    d9:d3
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                DA:B2:3E:C6:6E:34:D2:0A:3C:FF:AC:A2:9D:17:24:A3:32:AB:DD:AB
+            X509v3 Authority Key Identifier: 
+                DA:B2:3E:C6:6E:34:D2:0A:3C:FF:AC:A2:9D:17:24:A3:32:AB:DD:AB
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        2c:da:9e:3c:bf:e8:ce:92:3f:33:66:0e:f0:53:0c:8b:d8:51:
+        a3:00:7f:3d:9c:df:dc:9b:a5:fb:f4:b4:d1:12:e4:0d:4a:a7:
+        02:3b:ce:4b:2e:8d:af:06:a8:a3:62:a8:71:ef:8d:60:08:4f:
+        e5:ff:fb:8d:e7:00:33:3b:c8:41:1b:be:61:03:ec:d5:b4:fe:
+        d1:29:06:eb:fb:1f:2c:70:47:4f:99:b8:cd:45:38:29:89:70:
+        cb:00:c2:db:73:f1:37:b6:84:e4:fc:38:38:1d:74:d9:07:14:
+        ba:47:d0:f1:fa:f3:97:c2:1f:90:79:de:bb:58:9e:69:67:b5:
+        12:93:87:c8:9f:c2:02:55:8a:d1:5b:c4:3c:2d:65:4d:6e:70:
+        c6:59:f3:52:d1:01:9b:37:b7:39:2d:32:00:cd:e4:27:f2:d9:
+        f8:4a:14:4d:4d:a7:8e:37:2b:6f:ab:aa:58:81:22:93:e9:cd:
+        8a:aa:4e:c3:11:74:1a:13:4a:ad:e7:db:dd:ac:d6:f4:90:cd:
+        76:b7:c1:cb:2d:da:6e:9e:ee:12:85:a2:a2:6c:be:62:6a:c2:
+        cf:3e:ac:40:0e:d4:0e:65:b7:2d:8f:22:3e:d5:0b:41:da:fa:
+        4a:eb:1b:a5:7f:d5:c9:86:21:a3:19:51:03:d1:a9:35:f1:5f:
+        7d:2a:b9:87
+-----BEGIN CERTIFICATE-----
+MIIDpzCCAo+gAwIBAgIUKpJL5esri6UJbR2vE6S1PSCDCiswDQYJKoZIhvcNAQEL
+BQAwWzETMBEGCgmSJomT8ixkARkWA29yZzEWMBQGCgmSJomT8ixkARkWBnNpbXBs
+ZTETMBEGA1UECgwKU2ltcGxlIEluYzEXMBUGA1UEAwwOU2ltcGxlIFJvb3QgQ0Ew
+HhcNMjUxMDI0MTM0OTE5WhcNMzUxMDI0MTM0OTE5WjBbMRMwEQYKCZImiZPyLGQB
+GRYDb3JnMRYwFAYKCZImiZPyLGQBGRYGc2ltcGxlMRMwEQYDVQQKDApTaW1wbGUg
+SW5jMRcwFQYDVQQDDA5TaW1wbGUgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAJdwR/6VlW3x0/wiOf7bmwhEn5jgAp2chWn5s74Bd9aqMeGy
+t4Iaun5iNvTfviYTJh7QwsMAYR714V0Cw1oECH5w6F0l+JQ1RbfukczvQUEupHF7
+VFGBfuMnQlPCq0zkiu1Zeqn4kfGKaYMMp4P5NsyvnCZ+ttUQAyS+e/Jc+Kk8AZbC
+IYgd429Gw53Y6ouQTMQrkHyjXNxow7UBp0yZl9SUsGk9yVBOpF5UlMzE2xhl929s
+dLECxF6T0ZIbBYlNpVU42o4t52Ca7r5gbHdaEsBgLbFLjWsErlw4yZ4MtE4631vW
+Q2CYu7EEJUHGr7iLGMenrikRuUAENWv0V1f62dMCAwEAAaNjMGEwDgYDVR0PAQH/
+BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNqyPsZuNNIKPP+sop0X
+JKMyq92rMB8GA1UdIwQYMBaAFNqyPsZuNNIKPP+sop0XJKMyq92rMA0GCSqGSIb3
+DQEBCwUAA4IBAQAs2p48v+jOkj8zZg7wUwyL2FGjAH89nN/cm6X79LTREuQNSqcC
+O85LLo2vBqijYqhx741gCE/l//uN5wAzO8hBG75hA+zVtP7RKQbr+x8scEdPmbjN
+RTgpiXDLAMLbc/E3toTk/Dg4HXTZBxS6R9Dx+vOXwh+Qed67WJ5pZ7USk4fIn8IC
+VYrRW8Q8LWVNbnDGWfNS0QGbN7c5LTIAzeQn8tn4ShRNTaeONytvq6pYgSKT6c2K
+qk7DEXQaE0qt59vdrNb0kM12t8HLLdpunu4ShaKibL5iasLPPqxADtQOZbctjyI+
+1QtB2vpK6xulf9XJhiGjGVED0ak18V99KrmH
+-----END CERTIFICATE-----
diff --git a/ca/root-ca/70665C1EDD2521B0A59089AF93F35E78E5D6848A.pem b/ca/root-ca/70665C1EDD2521B0A59089AF93F35E78E5D6848A.pem
new file mode 100644
index 0000000..15d6aa9
--- /dev/null
+++ b/ca/root-ca/70665C1EDD2521B0A59089AF93F35E78E5D6848A.pem
@@ -0,0 +1,82 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            70:66:5c:1e:dd:25:21:b0:a5:90:89:af:93:f3:5e:78:e5:d6:84:8a
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: DC=org, DC=simple, O=Simple Inc, CN=Simple Root CA
+        Validity
+            Not Before: Oct 24 13:50:25 2025 GMT
+            Not After : Oct 24 13:50:25 2035 GMT
+        Subject: DC=org, DC=simple, O=Simple Inc, CN=Simple Signing CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:cd:57:70:66:95:5b:9e:c7:e0:8e:92:3c:8c:a5:
+                    f2:c1:de:e5:2b:ed:96:f6:04:4c:62:1e:91:e8:b0:
+                    29:22:88:ff:7f:7f:af:25:92:f7:e9:ca:ce:3a:3a:
+                    59:7b:9a:68:ab:dd:27:87:15:8d:3c:e2:88:bf:28:
+                    68:14:d8:6a:9a:e0:60:1d:61:c4:c1:c4:1f:9b:10:
+                    ea:d5:ee:ff:7a:97:93:d8:9d:fc:a3:92:ca:30:3f:
+                    c8:fc:3f:6b:ac:db:ba:fd:22:70:3e:d0:38:14:b2:
+                    b2:c4:6c:61:74:a0:ed:c7:6c:cf:e6:9d:df:aa:d8:
+                    ef:3d:ac:5f:6b:93:a7:a7:4f:d4:28:b1:d5:e2:01:
+                    6e:e3:0f:34:39:58:6c:e7:e7:e8:68:92:da:5d:d1:
+                    ef:c5:e5:7c:a7:28:2c:51:cd:d9:9d:1d:43:20:ad:
+                    f1:76:20:94:20:e4:72:b4:ed:e4:77:c8:00:c1:19:
+                    86:be:50:95:01:97:40:58:dc:3b:f2:69:ac:d7:b3:
+                    4b:c2:39:31:bf:13:f9:a4:96:49:e8:dc:07:49:a4:
+                    ab:20:0f:08:d1:45:a6:0a:57:bb:59:22:14:d9:bb:
+                    bd:17:d2:3a:06:95:80:14:a4:69:cc:b3:84:65:3b:
+                    bc:33:72:d5:45:0f:f4:90:50:4f:ac:57:81:2b:b0:
+                    6d:05
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Subject Key Identifier: 
+                D7:7A:FE:65:8D:74:F3:F3:85:92:B5:F1:C3:55:3A:0B:6D:50:10:41
+            X509v3 Authority Key Identifier: 
+                DA:B2:3E:C6:6E:34:D2:0A:3C:FF:AC:A2:9D:17:24:A3:32:AB:DD:AB
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        59:0f:a8:fa:9b:a6:5b:34:8b:c4:ea:44:02:f8:3c:08:62:45:
+        d4:87:48:24:20:50:8f:40:ca:3a:64:0d:98:04:f7:3c:a9:4c:
+        ca:92:4a:56:40:9a:45:28:fd:7b:f3:6b:2b:f2:7d:a0:d6:24:
+        e1:51:24:e5:5b:f1:e1:c5:8f:f4:06:a8:4f:2b:c3:58:ad:a6:
+        f8:32:80:d6:de:ca:46:97:f2:0f:07:9b:06:55:7c:db:a2:bf:
+        5c:1f:be:41:09:a8:34:c3:68:71:d2:dc:94:1a:63:24:2c:73:
+        65:92:47:74:82:3e:ba:74:07:c3:06:14:13:25:81:de:8c:f7:
+        c5:61:ca:c4:90:93:14:9a:50:eb:a1:03:6b:b0:1d:ad:4f:9b:
+        b8:14:8e:ba:d0:4d:c2:71:bb:19:2a:c1:ed:0e:19:00:87:38:
+        fb:3f:df:53:bf:42:b5:1f:f6:3b:dc:82:b4:a2:40:37:b4:96:
+        21:66:4a:f0:86:6b:3a:37:90:f0:2a:f6:94:70:3f:65:73:3c:
+        30:0d:c1:41:5c:e1:33:cd:c1:1f:d6:16:8b:fe:34:01:af:05:
+        e6:df:fa:f3:55:31:ac:0d:5c:15:7e:a4:f9:0d:70:c6:d8:c2:
+        40:e3:01:e3:59:af:86:35:fd:22:ce:cc:85:bb:dd:93:e9:7c:
+        e4:64:b3:14
+-----BEGIN CERTIFICATE-----
+MIIDrTCCApWgAwIBAgIUcGZcHt0lIbClkImvk/NeeOXWhIowDQYJKoZIhvcNAQEL
+BQAwWzETMBEGCgmSJomT8ixkARkWA29yZzEWMBQGCgmSJomT8ixkARkWBnNpbXBs
+ZTETMBEGA1UECgwKU2ltcGxlIEluYzEXMBUGA1UEAwwOU2ltcGxlIFJvb3QgQ0Ew
+HhcNMjUxMDI0MTM1MDI1WhcNMzUxMDI0MTM1MDI1WjBeMRMwEQYKCZImiZPyLGQB
+GRYDb3JnMRYwFAYKCZImiZPyLGQBGRYGc2ltcGxlMRMwEQYDVQQKDApTaW1wbGUg
+SW5jMRowGAYDVQQDDBFTaW1wbGUgU2lnbmluZyBDQTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAM1XcGaVW57H4I6SPIyl8sHe5SvtlvYETGIekeiwKSKI
+/39/ryWS9+nKzjo6WXuaaKvdJ4cVjTziiL8oaBTYaprgYB1hxMHEH5sQ6tXu/3qX
+k9id/KOSyjA/yPw/a6zbuv0icD7QOBSyssRsYXSg7cdsz+ad36rY7z2sX2uTp6dP
+1Cix1eIBbuMPNDlYbOfn6GiS2l3R78XlfKcoLFHN2Z0dQyCt8XYglCDkcrTt5HfI
+AMEZhr5QlQGXQFjcO/JprNezS8I5Mb8T+aSWSejcB0mkqyAPCNFFpgpXu1kiFNm7
+vRfSOgaVgBSkacyzhGU7vDNy1UUP9JBQT6xXgSuwbQUCAwEAAaNmMGQwDgYDVR0P
+AQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFNd6/mWNdPPz
+hZK18cNVOgttUBBBMB8GA1UdIwQYMBaAFNqyPsZuNNIKPP+sop0XJKMyq92rMA0G
+CSqGSIb3DQEBCwUAA4IBAQBZD6j6m6ZbNIvE6kQC+DwIYkXUh0gkIFCPQMo6ZA2Y
+BPc8qUzKkkpWQJpFKP1782sr8n2g1iThUSTlW/HhxY/0BqhPK8NYrab4MoDW3spG
+l/IPB5sGVXzbor9cH75BCag0w2hx0tyUGmMkLHNlkkd0gj66dAfDBhQTJYHejPfF
+YcrEkJMUmlDroQNrsB2tT5u4FI660E3CcbsZKsHtDhkAhzj7P99Tv0K1H/Y73IK0
+okA3tJYhZkrwhms6N5DwKvaUcD9lczwwDcFBXOEzzcEf1haL/jQBrwXm3/rzVTGs
+DVwVfqT5DXDG2MJA4wHjWa+GNf0izsyFu92T6XzkZLMU
+-----END CERTIFICATE-----
diff --git a/ca/root-ca/db/root-ca.crl.srl b/ca/root-ca/db/root-ca.crl.srl
new file mode 100644
index 0000000..8a0f05e
--- /dev/null
+++ b/ca/root-ca/db/root-ca.crl.srl
@@ -0,0 +1 @@
+01
diff --git a/ca/root-ca/db/root-ca.crt.srl b/ca/root-ca/db/root-ca.crt.srl
new file mode 100644
index 0000000..8a0f05e
--- /dev/null
+++ b/ca/root-ca/db/root-ca.crt.srl
@@ -0,0 +1 @@
+01
diff --git a/ca/root-ca/db/root-ca.db b/ca/root-ca/db/root-ca.db
new file mode 100644
index 0000000..24033a5
--- /dev/null
+++ b/ca/root-ca/db/root-ca.db
@@ -0,0 +1,2 @@
+V	351024134919Z		2A924BE5EB2B8BA5096D1DAF13A4B53D20830A2B	unknown	/DC=org/DC=simple/O=Simple Inc/CN=Simple Root CA
+V	351024135025Z		70665C1EDD2521B0A59089AF93F35E78E5D6848A	unknown	/DC=org/DC=simple/O=Simple Inc/CN=Simple Signing CA
diff --git a/ca/root-ca/db/root-ca.db.attr b/ca/root-ca/db/root-ca.db.attr
new file mode 100644
index 0000000..3a7e39e
--- /dev/null
+++ b/ca/root-ca/db/root-ca.db.attr
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/ca/root-ca/db/root-ca.db.attr.old b/ca/root-ca/db/root-ca.db.attr.old
new file mode 100644
index 0000000..3a7e39e
--- /dev/null
+++ b/ca/root-ca/db/root-ca.db.attr.old
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/ca/root-ca/db/root-ca.db.old b/ca/root-ca/db/root-ca.db.old
new file mode 100644
index 0000000..4d02077
--- /dev/null
+++ b/ca/root-ca/db/root-ca.db.old
@@ -0,0 +1 @@
+V	351024134919Z		2A924BE5EB2B8BA5096D1DAF13A4B53D20830A2B	unknown	/DC=org/DC=simple/O=Simple Inc/CN=Simple Root CA
diff --git a/ca/root-ca/private/root-ca.key b/ca/root-ca/private/root-ca.key
new file mode 100644
index 0000000..cc4f66f
--- /dev/null
+++ b/ca/root-ca/private/root-ca.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQPz6DyCEMMiTsB8O8
+XBs3VQICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEKK5iLhWYyPvGkZZ
+uzBeGBsEggTQxjNhLLlc6fNUJUhO2A0xiWPtMefCEOcOKSq+n9EtmvzIEkgUptKG
+Z2cIJ054BVHBezOf4fF9jRqjKaOTkF0JUHAYjSGHL1UxgdNWSVTpaodDz4iKsXRC
+9BtOaEza2s3Z2Ffp6/h7cU5xig76L0dRRkEpOTi6e5Ta4vWnO0S/hfwUBs/Ymhf2
+qob5BL/8GWOdNdlgVcgZ7aEjsYg32MQbXQsjNuUMa8/P/GTv6xKUGV1H+9kDHg8e
+42Q84lNnVmFcNERwbH25ELvHyCBeZFMSHqeQ2NIP7LuPdLUHnMed86eQVBHWTvmd
+Kn8kU90cdqvCdHlyKEK7b2QXWz5mhoE6ijXmJxz7sqOXBRljpOIJBwBUoEb20huZ
+ajSDRAVqJbwHp9VRSx7bWwY11RcpBV8O8K0Z3axaQqJnZsunHqH7g7PbwMDxrZ17
+QCptadkDBE24HMOY2qi2/q9fzjTUC/O2fCO82dtiRDeyYm4hTX1E/BR99N17Btxm
++nSkhTSZYbk/7i1Rut3Oa/p36P93dYgXZUTSv0moduGcGYpiXyLSpnTY0vqmn77z
+hG7JaTlD7Zh0lM7LsEUTeKMyXGKs/zaY+ZOAzuLpkf/SaCfiZWiUnzPI+QEjz8Bi
+8POHYQvyCV6ojpn74+L/nw7zMGxMfJQ6gifG9dXg3rtttNs0DFbx4KtKdGPXMAiZ
+96s/odx2VhU7AAVs2NF4JQj0xmIbbZiTVG/PfUcU27goM6Q2YYM3CCqg4LXNRVIp
+Eam6iEWKyHD3QfRl4teKyt7OcQnHU6OH8usmUlLn9cSWmr503GTjrwUeyskzTndZ
+DYNPHNpcbHNp9y7Y9W208JFh4WseM60tP2Wv7owBj71DlIVe2OKUnYbcb3GgC0xH
+izFVoq5SdhoFsb+moQqOc0GXwXCW6ilUvy2W4ubZnWiZbI3rsj4P+6ZDFOUHeiu7
+nLkFNbxwoXQFr19Coi5+rqRQztgJVOTBd4nYd3lnBeZVk0goIN09giWk6LL55aG3
+usLDYX0uwT8PfRMj7BPZtVgZOxxhj17bORkhIkDxzvam0gX9oJsQFcqqKeulaJAT
+EneM9UGJJvHHC1h0e8A7CzHjZtqMxm81W2iSNfe4z4qiTFMEln5DU3jA5yz2g5C/
+yrPVyXiZ0XeJLxJtkanmeYphInwjARhaJNdridcYH+sWzs5gLgOGc+hKZf7Mszrq
+A7ZpHKA8cVxHeMLCW03wi4m3ENGPjvciZALMabu+2TSLSS6qGCD9zZJgKgNaf1BN
+sfj/tNx0+pJfJGmMPKV8thqGGyCEIVCj6zp3D0zhGWR3JqYrnOItqi8yOhJe1ArV
+KJQSMffByKkxyVYk1FTmJZ9/pxQDgc2lndfoqf75+aZ2RBr6f25j/vHvDzRsgIJy
+BAzZLO8FyPysudjbLgaHnOMAA+wZTqm8DReJ50kC4a3I/FOONWrk7NHVqpLRN25l
+OuysFQ2t/dysBmK0VOAJmK7WzO34mVN+qnvNymp4307UR03nL7N3YI5SSj86oS5/
+TVqZLXHsoK6fMwSqPv9pHSsjyohj6FdTo0zo9an5skfrThfltO7gArJ+GDxjEGxc
+TYliT6kENDeDZE7CZaR0+dN8SmSAwAX7g74z8UZsfi+ho+OUGGX/oq0=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/ca/signing-ca.crt b/ca/signing-ca.crt
new file mode 100644
index 0000000..15d6aa9
--- /dev/null
+++ b/ca/signing-ca.crt
@@ -0,0 +1,82 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            70:66:5c:1e:dd:25:21:b0:a5:90:89:af:93:f3:5e:78:e5:d6:84:8a
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: DC=org, DC=simple, O=Simple Inc, CN=Simple Root CA
+        Validity
+            Not Before: Oct 24 13:50:25 2025 GMT
+            Not After : Oct 24 13:50:25 2035 GMT
+        Subject: DC=org, DC=simple, O=Simple Inc, CN=Simple Signing CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:cd:57:70:66:95:5b:9e:c7:e0:8e:92:3c:8c:a5:
+                    f2:c1:de:e5:2b:ed:96:f6:04:4c:62:1e:91:e8:b0:
+                    29:22:88:ff:7f:7f:af:25:92:f7:e9:ca:ce:3a:3a:
+                    59:7b:9a:68:ab:dd:27:87:15:8d:3c:e2:88:bf:28:
+                    68:14:d8:6a:9a:e0:60:1d:61:c4:c1:c4:1f:9b:10:
+                    ea:d5:ee:ff:7a:97:93:d8:9d:fc:a3:92:ca:30:3f:
+                    c8:fc:3f:6b:ac:db:ba:fd:22:70:3e:d0:38:14:b2:
+                    b2:c4:6c:61:74:a0:ed:c7:6c:cf:e6:9d:df:aa:d8:
+                    ef:3d:ac:5f:6b:93:a7:a7:4f:d4:28:b1:d5:e2:01:
+                    6e:e3:0f:34:39:58:6c:e7:e7:e8:68:92:da:5d:d1:
+                    ef:c5:e5:7c:a7:28:2c:51:cd:d9:9d:1d:43:20:ad:
+                    f1:76:20:94:20:e4:72:b4:ed:e4:77:c8:00:c1:19:
+                    86:be:50:95:01:97:40:58:dc:3b:f2:69:ac:d7:b3:
+                    4b:c2:39:31:bf:13:f9:a4:96:49:e8:dc:07:49:a4:
+                    ab:20:0f:08:d1:45:a6:0a:57:bb:59:22:14:d9:bb:
+                    bd:17:d2:3a:06:95:80:14:a4:69:cc:b3:84:65:3b:
+                    bc:33:72:d5:45:0f:f4:90:50:4f:ac:57:81:2b:b0:
+                    6d:05
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Subject Key Identifier: 
+                D7:7A:FE:65:8D:74:F3:F3:85:92:B5:F1:C3:55:3A:0B:6D:50:10:41
+            X509v3 Authority Key Identifier: 
+                DA:B2:3E:C6:6E:34:D2:0A:3C:FF:AC:A2:9D:17:24:A3:32:AB:DD:AB
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        59:0f:a8:fa:9b:a6:5b:34:8b:c4:ea:44:02:f8:3c:08:62:45:
+        d4:87:48:24:20:50:8f:40:ca:3a:64:0d:98:04:f7:3c:a9:4c:
+        ca:92:4a:56:40:9a:45:28:fd:7b:f3:6b:2b:f2:7d:a0:d6:24:
+        e1:51:24:e5:5b:f1:e1:c5:8f:f4:06:a8:4f:2b:c3:58:ad:a6:
+        f8:32:80:d6:de:ca:46:97:f2:0f:07:9b:06:55:7c:db:a2:bf:
+        5c:1f:be:41:09:a8:34:c3:68:71:d2:dc:94:1a:63:24:2c:73:
+        65:92:47:74:82:3e:ba:74:07:c3:06:14:13:25:81:de:8c:f7:
+        c5:61:ca:c4:90:93:14:9a:50:eb:a1:03:6b:b0:1d:ad:4f:9b:
+        b8:14:8e:ba:d0:4d:c2:71:bb:19:2a:c1:ed:0e:19:00:87:38:
+        fb:3f:df:53:bf:42:b5:1f:f6:3b:dc:82:b4:a2:40:37:b4:96:
+        21:66:4a:f0:86:6b:3a:37:90:f0:2a:f6:94:70:3f:65:73:3c:
+        30:0d:c1:41:5c:e1:33:cd:c1:1f:d6:16:8b:fe:34:01:af:05:
+        e6:df:fa:f3:55:31:ac:0d:5c:15:7e:a4:f9:0d:70:c6:d8:c2:
+        40:e3:01:e3:59:af:86:35:fd:22:ce:cc:85:bb:dd:93:e9:7c:
+        e4:64:b3:14
+-----BEGIN CERTIFICATE-----
+MIIDrTCCApWgAwIBAgIUcGZcHt0lIbClkImvk/NeeOXWhIowDQYJKoZIhvcNAQEL
+BQAwWzETMBEGCgmSJomT8ixkARkWA29yZzEWMBQGCgmSJomT8ixkARkWBnNpbXBs
+ZTETMBEGA1UECgwKU2ltcGxlIEluYzEXMBUGA1UEAwwOU2ltcGxlIFJvb3QgQ0Ew
+HhcNMjUxMDI0MTM1MDI1WhcNMzUxMDI0MTM1MDI1WjBeMRMwEQYKCZImiZPyLGQB
+GRYDb3JnMRYwFAYKCZImiZPyLGQBGRYGc2ltcGxlMRMwEQYDVQQKDApTaW1wbGUg
+SW5jMRowGAYDVQQDDBFTaW1wbGUgU2lnbmluZyBDQTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAM1XcGaVW57H4I6SPIyl8sHe5SvtlvYETGIekeiwKSKI
+/39/ryWS9+nKzjo6WXuaaKvdJ4cVjTziiL8oaBTYaprgYB1hxMHEH5sQ6tXu/3qX
+k9id/KOSyjA/yPw/a6zbuv0icD7QOBSyssRsYXSg7cdsz+ad36rY7z2sX2uTp6dP
+1Cix1eIBbuMPNDlYbOfn6GiS2l3R78XlfKcoLFHN2Z0dQyCt8XYglCDkcrTt5HfI
+AMEZhr5QlQGXQFjcO/JprNezS8I5Mb8T+aSWSejcB0mkqyAPCNFFpgpXu1kiFNm7
+vRfSOgaVgBSkacyzhGU7vDNy1UUP9JBQT6xXgSuwbQUCAwEAAaNmMGQwDgYDVR0P
+AQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFNd6/mWNdPPz
+hZK18cNVOgttUBBBMB8GA1UdIwQYMBaAFNqyPsZuNNIKPP+sop0XJKMyq92rMA0G
+CSqGSIb3DQEBCwUAA4IBAQBZD6j6m6ZbNIvE6kQC+DwIYkXUh0gkIFCPQMo6ZA2Y
+BPc8qUzKkkpWQJpFKP1782sr8n2g1iThUSTlW/HhxY/0BqhPK8NYrab4MoDW3spG
+l/IPB5sGVXzbor9cH75BCag0w2hx0tyUGmMkLHNlkkd0gj66dAfDBhQTJYHejPfF
+YcrEkJMUmlDroQNrsB2tT5u4FI660E3CcbsZKsHtDhkAhzj7P99Tv0K1H/Y73IK0
+okA3tJYhZkrwhms6N5DwKvaUcD9lczwwDcFBXOEzzcEf1haL/jQBrwXm3/rzVTGs
+DVwVfqT5DXDG2MJA4wHjWa+GNf0izsyFu92T6XzkZLMU
+-----END CERTIFICATE-----
diff --git a/ca/signing-ca.csr b/ca/signing-ca.csr
new file mode 100644
index 0000000..f9286be
--- /dev/null
+++ b/ca/signing-ca.csr
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIC9zCCAd8CAQAwXjETMBEGCgmSJomT8ixkARkWA29yZzEWMBQGCgmSJomT8ixk
+ARkWBnNpbXBsZTETMBEGA1UECgwKU2ltcGxlIEluYzEaMBgGA1UEAwwRU2ltcGxl
+IFNpZ25pbmcgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNV3Bm
+lVuex+COkjyMpfLB3uUr7Zb2BExiHpHosCkiiP9/f68lkvfpys46Oll7mmir3SeH
+FY084oi/KGgU2Gqa4GAdYcTBxB+bEOrV7v96l5PYnfyjksowP8j8P2us27r9InA+
+0DgUsrLEbGF0oO3HbM/mnd+q2O89rF9rk6enT9QosdXiAW7jDzQ5WGzn5+hoktpd
+0e/F5XynKCxRzdmdHUMgrfF2IJQg5HK07eR3yADBGYa+UJUBl0BY3DvyaazXs0vC
+OTG/E/mklkno3AdJpKsgDwjRRaYKV7tZIhTZu70X0joGlYAUpGnMs4RlO7wzctVF
+D/SQUE+sV4ErsG0FAgMBAAGgVDBSBgkqhkiG9w0BCQ4xRTBDMA4GA1UdDwEB/wQE
+AwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBTXev5ljXTz84WStfHD
+VToLbVAQQTANBgkqhkiG9w0BAQsFAAOCAQEAei+n50sS+liBhNZlR2Vz9TwFpGm5
+qrqu8RYDQjqLMHD1wHglhvB692dr+dNzPbtmfY6CGYgglsSJ+UzBbJxNxCfhG3cZ
+Hkum9cj1u02KqDGtyk+HPyzXoaYtj8Cg3QOwiS80Jc143asjeDXGx3DL759A+ya9
+doZiG6qpm7jpje9MvX9WUJ0xJW58NLTROTc7EmyWA4Dg/UJOWGYzCU3zrJRhW1sl
+iQJlQoUFx2r1SkEQOKmWYpLByvTzxNI1MjOov4ri2L1WQpkPj0JnJhJWuqg9w/JU
+zhttK428M4Hccn58Ny0xlO1vx9+TBlKhTPscdJDiVPoOmHU3ikrZZPAfZA==
+-----END CERTIFICATE REQUEST-----
diff --git a/ca/signing-ca/2C3928739ADF6A4B59724A907A463AF46DE9C119.pem b/ca/signing-ca/2C3928739ADF6A4B59724A907A463AF46DE9C119.pem
new file mode 100644
index 0000000..4949aae
--- /dev/null
+++ b/ca/signing-ca/2C3928739ADF6A4B59724A907A463AF46DE9C119.pem
@@ -0,0 +1,87 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            2c:39:28:73:9a:df:6a:4b:59:72:4a:90:7a:46:3a:f4:6d:e9:c1:19
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: DC=org, DC=simple, O=Simple Inc, CN=Simple Signing CA
+        Validity
+            Not Before: Oct 24 13:52:07 2025 GMT
+            Not After : Oct 24 13:52:07 2027 GMT
+        Subject: DC=org, DC=simple, O=Simple Inc, CN=Simple
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:8f:16:6d:2c:43:29:37:e4:d8:a3:6e:0c:e9:11:
+                    63:f5:a5:b1:2c:bc:a1:2a:c8:43:66:04:0f:a0:c9:
+                    8e:d8:62:dd:29:33:2e:b8:35:21:1f:58:52:3b:f2:
+                    52:ad:87:de:7e:e5:e0:65:28:f5:8f:74:93:e2:bd:
+                    6c:59:4f:30:9f:27:f9:7a:9a:9b:f6:17:07:37:cf:
+                    79:d7:12:40:0a:3d:70:26:27:20:73:e9:a6:4e:98:
+                    e5:ff:d7:e1:69:ff:dd:79:50:79:b7:2b:d2:b7:7a:
+                    fb:18:0d:d5:c5:3a:20:3b:1e:f2:03:b3:8d:cf:7d:
+                    42:8d:86:cf:33:48:01:e2:0f:4e:4e:c1:d3:58:e0:
+                    d7:58:34:0e:a5:4f:3f:48:71:93:14:d0:70:9a:f0:
+                    7d:ff:ad:b0:25:a2:de:25:e4:4c:b0:0c:0e:a8:3c:
+                    c6:cb:52:20:e6:c8:3e:09:05:b9:8b:bf:03:0c:6f:
+                    c0:19:4e:6e:c1:13:1c:3b:1a:2e:9c:4a:c2:b7:10:
+                    b1:78:87:1b:31:11:3a:42:72:72:53:d2:7a:b9:74:
+                    54:0f:0d:32:eb:3e:a1:ee:4d:8e:61:aa:0c:8f:0e:
+                    bb:58:9f:f0:27:99:bc:d1:cb:13:14:0b:15:36:4e:
+                    97:d4:01:08:6c:05:55:ca:78:8d:90:f7:09:f1:6e:
+                    94:81
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Subject Key Identifier: 
+                83:0D:B5:A2:0F:97:28:E1:3E:78:9D:18:6F:1F:9F:BC:B9:FB:85:56
+            X509v3 Authority Key Identifier: 
+                D7:7A:FE:65:8D:74:F3:F3:85:92:B5:F1:C3:55:3A:0B:6D:50:10:41
+            X509v3 Subject Alternative Name: 
+                DNS:www.simple.org
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        86:70:a9:51:a3:52:d6:f5:8d:bb:c3:ef:40:a4:5d:42:9e:b7:
+        46:e4:ca:1a:4c:86:ec:20:25:5d:b5:52:ea:0f:63:f2:fd:77:
+        d5:8c:1d:9b:3d:c0:3f:a5:09:6c:b8:75:1d:f8:1c:47:2d:7a:
+        d6:4d:57:06:0d:8e:f4:c7:ef:07:59:5d:38:ed:e4:51:a1:c4:
+        30:9a:1f:7d:4a:87:ff:06:2f:98:fb:e2:cf:db:7f:f7:ec:bd:
+        b2:13:11:02:73:11:7a:89:f5:90:79:7f:03:df:01:7b:3e:af:
+        4e:92:d5:93:c6:8d:63:dd:3e:4f:ff:ca:6e:70:8c:4a:53:19:
+        52:75:22:1b:ab:37:a4:6a:03:aa:0f:48:a6:9c:6f:a3:47:cf:
+        0d:1a:ff:89:30:44:00:39:02:85:df:ef:4b:e5:64:64:5b:f4:
+        64:23:9e:d3:07:c0:00:3f:e4:18:f1:58:a6:52:a2:3d:ba:0f:
+        b6:39:6a:6a:fa:6b:50:4f:0f:79:1a:23:c2:03:df:66:8e:9e:
+        e7:e1:d9:97:51:b7:b2:ef:2d:25:27:6b:87:9e:ac:5b:4e:78:
+        bb:39:05:68:9a:7e:6e:66:82:b9:3e:30:be:dd:7a:34:9f:93:
+        2a:30:bc:bf:b2:44:e8:37:01:df:d4:c7:c9:a7:8d:19:f0:a1:
+        f1:a1:b0:42
+-----BEGIN CERTIFICATE-----
+MIID2DCCAsCgAwIBAgIULDkoc5rfaktZckqQekY69G3pwRkwDQYJKoZIhvcNAQEL
+BQAwXjETMBEGCgmSJomT8ixkARkWA29yZzEWMBQGCgmSJomT8ixkARkWBnNpbXBs
+ZTETMBEGA1UECgwKU2ltcGxlIEluYzEaMBgGA1UEAwwRU2ltcGxlIFNpZ25pbmcg
+Q0EwHhcNMjUxMDI0MTM1MjA3WhcNMjcxMDI0MTM1MjA3WjBTMRMwEQYKCZImiZPy
+LGQBGRYDb3JnMRYwFAYKCZImiZPyLGQBGRYGc2ltcGxlMRMwEQYDVQQKDApTaW1w
+bGUgSW5jMQ8wDQYDVQQDDAZTaW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCPFm0sQyk35NijbgzpEWP1pbEsvKEqyENmBA+gyY7YYt0pMy64NSEf
+WFI78lKth95+5eBlKPWPdJPivWxZTzCfJ/l6mpv2Fwc3z3nXEkAKPXAmJyBz6aZO
+mOX/1+Fp/915UHm3K9K3evsYDdXFOiA7HvIDs43PfUKNhs8zSAHiD05OwdNY4NdY
+NA6lTz9IcZMU0HCa8H3/rbAlot4l5EywDA6oPMbLUiDmyD4JBbmLvwMMb8AZTm7B
+Exw7Gi6cSsK3ELF4hxsxETpCcnJT0nq5dFQPDTLrPqHuTY5hqgyPDrtYn/AnmbzR
+yxMUCxU2TpfUAQhsBVXKeI2Q9wnxbpSBAgMBAAGjgZgwgZUwDgYDVR0PAQH/BAQD
+AgWgMAkGA1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0G
+A1UdDgQWBBSDDbWiD5co4T54nRhvH5+8ufuFVjAfBgNVHSMEGDAWgBTXev5ljXTz
+84WStfHDVToLbVAQQTAZBgNVHREEEjAQgg53d3cuc2ltcGxlLm9yZzANBgkqhkiG
+9w0BAQsFAAOCAQEAhnCpUaNS1vWNu8PvQKRdQp63RuTKGkyG7CAlXbVS6g9j8v13
+1Ywdmz3AP6UJbLh1HfgcRy161k1XBg2O9MfvB1ldOO3kUaHEMJoffUqH/wYvmPvi
+z9t/9+y9shMRAnMReon1kHl/A98Bez6vTpLVk8aNY90+T//KbnCMSlMZUnUiG6s3
+pGoDqg9Ippxvo0fPDRr/iTBEADkChd/vS+VkZFv0ZCOe0wfAAD/kGPFYplKiPboP
+tjlqavprUE8PeRojwgPfZo6e5+HZl1G3su8tJSdrh56sW054uzkFaJp+bmaCuT4w
+vt16NJ+TKjC8v7JE6DcB39THyaeNGfCh8aGwQg==
+-----END CERTIFICATE-----
diff --git a/ca/signing-ca/4B0890E47F3A4BDA3113B7019392EC4EEC3C6FC5.pem b/ca/signing-ca/4B0890E47F3A4BDA3113B7019392EC4EEC3C6FC5.pem
new file mode 100644
index 0000000..5aec4fd
--- /dev/null
+++ b/ca/signing-ca/4B0890E47F3A4BDA3113B7019392EC4EEC3C6FC5.pem
@@ -0,0 +1,88 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            4b:08:90:e4:7f:3a:4b:da:31:13:b7:01:93:92:ec:4e:ec:3c:6f:c5
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: DC=org, DC=simple, O=Simple Inc, CN=Simple Signing CA
+        Validity
+            Not Before: Oct 24 14:05:59 2025 GMT
+            Not After : Oct 24 14:05:59 2027 GMT
+        Subject: C=FR, ST=Paris, L=Paris, O=LoLiLoL, CN=Barney/emailAddress=Barney@lolilol.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c7:d5:79:79:f5:b3:d5:48:b1:bc:25:53:4c:6b:
+                    1e:21:d7:76:25:f5:9e:0d:c9:e6:9d:8b:2e:cf:e6:
+                    af:1d:92:34:72:5a:a3:bd:6c:4b:40:83:f3:3e:22:
+                    57:70:a1:23:47:ee:03:54:bf:50:e4:e2:fb:03:94:
+                    e6:2f:2a:50:28:10:9d:73:90:66:dc:bc:24:c6:96:
+                    44:2b:f7:b8:e0:e5:c0:40:10:9e:6a:fc:36:0e:ea:
+                    67:7f:7e:47:0a:d5:b4:e5:b7:64:ea:09:fd:fa:32:
+                    cc:c3:0e:1f:2a:1e:af:07:e5:03:32:49:43:ab:3d:
+                    d4:f5:58:e3:c7:59:76:70:04:9c:0a:ca:12:75:29:
+                    80:a8:7a:e5:3e:ed:99:34:de:24:53:69:15:e1:b4:
+                    72:11:0f:1f:c8:2d:fe:65:5d:85:31:5f:ed:d5:33:
+                    11:6d:28:e8:92:5b:c4:d4:90:43:b3:3f:9a:cf:28:
+                    3a:10:5e:8c:bc:92:fe:d2:79:dd:d3:2d:44:68:be:
+                    ff:98:81:07:d0:a8:2c:ad:f2:a8:14:5e:41:4b:f4:
+                    fb:08:e9:c4:b8:0f:e2:48:de:d3:f9:c9:b2:4d:e1:
+                    07:09:74:85:61:4f:8c:5b:9c:46:fb:43:7e:c1:35:
+                    7d:63:55:86:07:1e:c3:b7:12:7c:31:ff:ca:28:c6:
+                    13:5f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Subject Key Identifier: 
+                DD:19:55:95:C5:A8:26:A8:A5:BD:B1:26:2A:BE:F0:03:72:68:FB:89
+            X509v3 Authority Key Identifier: 
+                D7:7A:FE:65:8D:74:F3:F3:85:92:B5:F1:C3:55:3A:0B:6D:50:10:41
+            X509v3 Subject Alternative Name: 
+                email:Barney@lolilol.com
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        02:5b:88:3a:ef:ac:25:64:39:e4:30:62:62:b2:f6:70:66:75:
+        5e:7d:7c:c7:4f:a2:74:d1:f0:66:eb:b0:87:f3:59:d2:83:be:
+        66:f8:9a:bf:15:68:9f:ad:13:4d:db:a3:7d:09:e6:f8:2b:a0:
+        8a:e7:37:2c:b7:94:32:5c:4b:3b:98:2d:b4:aa:20:c1:64:34:
+        51:c3:3e:40:ab:b6:f2:d1:dd:fc:e3:a2:bd:40:2a:50:fc:e5:
+        68:28:4f:07:90:6e:d2:3d:65:0d:bc:db:01:dd:fb:0d:39:c8:
+        1d:a8:75:53:4c:7d:cc:0f:ea:68:f9:7b:cb:22:56:41:3a:37:
+        f2:5b:1d:54:8e:59:a8:62:dd:43:f6:33:78:c4:81:75:c4:74:
+        96:2f:dd:13:14:cb:d6:b6:18:3e:60:41:6c:af:56:e8:9b:15:
+        d1:87:83:94:56:21:f2:0d:c9:d1:67:7e:d8:01:a6:dd:a8:eb:
+        dd:5e:b2:38:dc:36:b6:0a:c4:bb:13:04:69:f4:59:55:1e:9c:
+        20:70:c9:aa:38:f1:a3:7f:a5:2b:f6:3d:f4:f4:05:ef:46:3d:
+        93:73:04:c3:4e:de:de:4c:4d:f9:92:ec:67:16:c3:04:8d:c1:
+        87:5d:a7:c7:25:40:7c:5e:93:76:97:74:b7:3f:1f:cd:78:fd:
+        4e:d2:bc:11
+-----BEGIN CERTIFICATE-----
+MIID8jCCAtqgAwIBAgIUSwiQ5H86S9oxE7cBk5LsTuw8b8UwDQYJKoZIhvcNAQEL
+BQAwXjETMBEGCgmSJomT8ixkARkWA29yZzEWMBQGCgmSJomT8ixkARkWBnNpbXBs
+ZTETMBEGA1UECgwKU2ltcGxlIEluYzEaMBgGA1UEAwwRU2ltcGxlIFNpZ25pbmcg
+Q0EwHhcNMjUxMDI0MTQwNTU5WhcNMjcxMDI0MTQwNTU5WjBzMQswCQYDVQQGEwJG
+UjEOMAwGA1UECAwFUGFyaXMxDjAMBgNVBAcMBVBhcmlzMRAwDgYDVQQKDAdMb0xp
+TG9MMQ8wDQYDVQQDDAZCYXJuZXkxITAfBgkqhkiG9w0BCQEWEkJhcm5leUBsb2xp
+bG9sLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMfVeXn1s9VI
+sbwlU0xrHiHXdiX1ng3J5p2LLs/mrx2SNHJao71sS0CD8z4iV3ChI0fuA1S/UOTi
++wOU5i8qUCgQnXOQZty8JMaWRCv3uODlwEAQnmr8Ng7qZ39+RwrVtOW3ZOoJ/foy
+zMMOHyoerwflAzJJQ6s91PVY48dZdnAEnArKEnUpgKh65T7tmTTeJFNpFeG0chEP
+H8gt/mVdhTFf7dUzEW0o6JJbxNSQQ7M/ms8oOhBejLyS/tJ53dMtRGi+/5iBB9Co
+LK3yqBReQUv0+wjpxLgP4kje0/nJsk3hBwl0hWFPjFucRvtDfsE1fWNVhgcew7cS
+fDH/yijGE18CAwEAAaOBkjCBjzAOBgNVHQ8BAf8EBAMCB4AwCQYDVR0TBAIwADAT
+BgNVHSUEDDAKBggrBgEFBQcDAjAdBgNVHQ4EFgQU3RlVlcWoJqilvbEmKr7wA3Jo
++4kwHwYDVR0jBBgwFoAU13r+ZY108/OFkrXxw1U6C21QEEEwHQYDVR0RBBYwFIES
+QmFybmV5QGxvbGlsb2wuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQACW4g676wlZDnk
+MGJisvZwZnVefXzHT6J00fBm67CH81nSg75m+Jq/FWifrRNN26N9Ceb4K6CK5zcs
+t5QyXEs7mC20qiDBZDRRwz5Aq7by0d3846K9QCpQ/OVoKE8HkG7SPWUNvNsB3fsN
+OcgdqHVTTH3MD+po+XvLIlZBOjfyWx1UjlmoYt1D9jN4xIF1xHSWL90TFMvWthg+
+YEFsr1bomxXRh4OUViHyDcnRZ37YAabdqOvdXrI43Da2CsS7EwRp9FlVHpwgcMmq
+OPGjf6Ur9j309AXvRj2TcwTDTt7eTE35kuxnFsMEjcGHXafHJUB8XpN2l3S3Px/N
+eP1O0rwR
+-----END CERTIFICATE-----
diff --git a/ca/signing-ca/db/signing-ca.crl.srl b/ca/signing-ca/db/signing-ca.crl.srl
new file mode 100644
index 0000000..8a0f05e
--- /dev/null
+++ b/ca/signing-ca/db/signing-ca.crl.srl
@@ -0,0 +1 @@
+01
diff --git a/ca/signing-ca/db/signing-ca.crt.srl b/ca/signing-ca/db/signing-ca.crt.srl
new file mode 100644
index 0000000..8a0f05e
--- /dev/null
+++ b/ca/signing-ca/db/signing-ca.crt.srl
@@ -0,0 +1 @@
+01
diff --git a/ca/signing-ca/db/signing-ca.db b/ca/signing-ca/db/signing-ca.db
new file mode 100644
index 0000000..42e45ad
--- /dev/null
+++ b/ca/signing-ca/db/signing-ca.db
@@ -0,0 +1,2 @@
+V	271024135207Z		2C3928739ADF6A4B59724A907A463AF46DE9C119	unknown	/DC=org/DC=simple/O=Simple Inc/CN=Simple
+V	271024140559Z		4B0890E47F3A4BDA3113B7019392EC4EEC3C6FC5	unknown	/C=FR/ST=Paris/L=Paris/O=LoLiLoL/CN=Barney/emailAddress=Barney@lolilol.com
diff --git a/ca/signing-ca/db/signing-ca.db.attr b/ca/signing-ca/db/signing-ca.db.attr
new file mode 100644
index 0000000..3a7e39e
--- /dev/null
+++ b/ca/signing-ca/db/signing-ca.db.attr
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/ca/signing-ca/db/signing-ca.db.attr.old b/ca/signing-ca/db/signing-ca.db.attr.old
new file mode 100644
index 0000000..3a7e39e
--- /dev/null
+++ b/ca/signing-ca/db/signing-ca.db.attr.old
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/ca/signing-ca/db/signing-ca.db.old b/ca/signing-ca/db/signing-ca.db.old
new file mode 100644
index 0000000..6be3050
--- /dev/null
+++ b/ca/signing-ca/db/signing-ca.db.old
@@ -0,0 +1 @@
+V	271024135207Z		2C3928739ADF6A4B59724A907A463AF46DE9C119	unknown	/DC=org/DC=simple/O=Simple Inc/CN=Simple
diff --git a/ca/signing-ca/private/signing-ca.key b/ca/signing-ca/private/signing-ca.key
new file mode 100644
index 0000000..c11a323
--- /dev/null
+++ b/ca/signing-ca/private/signing-ca.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQ1bbvoC4QJNqOKxCH
+oSXIQAICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEIoL3gD6+ksCQQMc
+mUKsCRUEggTQtzrwva2nTG9OFOpMgMnJn+95A4Px3iCgAH+PLb+xtwJ7NCWKhpAM
+2Gj7ezSTrhwf99CjYhhiYcuGUcigG6XkW8fcgjSSQ9vnywebG5GbmndV4FgY+cty
+lzhz1SWvV2IwW3M1XtGH6MOb8RI2s3bp9RgvUduN81VJKhISBl7o0K/X6CyhkiDq
+TTkaRAwTxej4ZZDxjJ2mo2HFnFX9FGFQUbnE/IAwsAb3+c0xKXo3Fj+y/RICexLD
+zMGKbsUhzw4k53oZEBeHKB+31XrrvN8Dzxj3KL8ywHliZnQaAZs61ELcPQuDYl4B
+XJwp2WyEV39VQmvTW2ECcMIP9fE5M3ivRDGvA1O4gGjmHAkotH3i6OvW56kYMCVQ
+zFZhelI6+aD97741Chio5x2gSPtvdfsvIr4avj7BxFOUscC2mrGvDhLWUOM78Xd9
+X2y9ZzdUrZ/NXdmnj3e4Fd/T9XH6INt3XU6Jdt49AoW+RUA3uKZAZhLiapoIAdeE
+FAIQMWlnBZFqZNql0hyJi5UJ4ccW+0+5I8AHg/eJbrHnDS39zZOKP+I3JIf/+2q+
+C4MmLKDa9nXvRYD7dpxOGyOwvDAtYmTLAZaYYHxX7qjT5E49eluzsR/lt880ROZY
+LPxb5eOV8IvJ9d/ONXHCIOAoDqGI/c38o8/qO0WH2+EFSdvKoTs7GX5Tni8YaUGy
+vlES9tOtU5kfCE4IzToFHWJkMTQVg5AkFxrpBZPelu4+ogCWyzCeoBfdywPGVHQk
+M/BX5JaI66PIBUuc6nVmpEDlCRNy1hipivgD9A3VkpKwLkqQlXHA91N8NrOdbESG
+2CQxltg1g93RxdQBhUcp+SJ0iliqTGFBxvdfjmDjd9TLSsYLOTHvVpCqDwvbJ7nN
+paSeYOxkZ1mGHYpCvavRY0dtXZyFliwQO8wPPccav4DtsbyDKMG57GSmW3PdNIUN
+hD6w4aM/VOgVdBjm+Euu6yTcTcR591mriVe9Y7Ph3pBB9a6CrASdvNPMaoSXCAT3
+Tjtgj+0xLksWS6GWgyTEOjw8xy5/yKF5bVJpd8ocj2Dm1bnWgzmqgC8ThRc8Hv7w
+ZWL9eVLUht3A+XKAiIKqOjGDK7tBOJAQ7bxfiyfLsovmRWb8aRfZpFOpRRG3Iw/V
+fxWjrx1khk4RXP+lt02zIugiW4N861s2HjiNzAiPLDpTxkjpcPYUZ11EFa8SH2IG
+acGcdQzkTf1ZVKaP9UeGdX7eSHWDb+xOvH1ADT++NAKM2WDYdCBGuTkB2Au1kV09
+nXOb/EgXwsDVJtBwxRTYiw7obIDIrUdXMH6DWrRFQKMWzwviimoJfwL2nfEhmoiM
+qe9FMHF/x7+wNuzsPOAtBpBqfovx5sqW4Ic78J3+anulRX3TaslVLvCDDc6LnDQv
+k9QhE3oYFlDdZTsSGcmvOwB8vVBErZGkDbirS34ex3N1FXmwtEk3yj18Clvus+ce
++B22sRbsdkbt9jw2vxKEhjmkB2xzuvYHgLVKOuGVXtBVO6CbKMcFCQyTd/0TMAPn
+SoD0QxqkvEcxCY/KUaGad+rs1H9e3dsPhlPYKvKa5E2FS1sKTSYoj9+t1Kzm0fw3
+BJsGozL1SDNBhzCDYdE2XG7B1nb1BZxz7snlus0WUb3IEMPGp53aCyk=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/certs/barney.crt b/certs/barney.crt
new file mode 100644
index 0000000..5aec4fd
--- /dev/null
+++ b/certs/barney.crt
@@ -0,0 +1,88 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            4b:08:90:e4:7f:3a:4b:da:31:13:b7:01:93:92:ec:4e:ec:3c:6f:c5
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: DC=org, DC=simple, O=Simple Inc, CN=Simple Signing CA
+        Validity
+            Not Before: Oct 24 14:05:59 2025 GMT
+            Not After : Oct 24 14:05:59 2027 GMT
+        Subject: C=FR, ST=Paris, L=Paris, O=LoLiLoL, CN=Barney/emailAddress=Barney@lolilol.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c7:d5:79:79:f5:b3:d5:48:b1:bc:25:53:4c:6b:
+                    1e:21:d7:76:25:f5:9e:0d:c9:e6:9d:8b:2e:cf:e6:
+                    af:1d:92:34:72:5a:a3:bd:6c:4b:40:83:f3:3e:22:
+                    57:70:a1:23:47:ee:03:54:bf:50:e4:e2:fb:03:94:
+                    e6:2f:2a:50:28:10:9d:73:90:66:dc:bc:24:c6:96:
+                    44:2b:f7:b8:e0:e5:c0:40:10:9e:6a:fc:36:0e:ea:
+                    67:7f:7e:47:0a:d5:b4:e5:b7:64:ea:09:fd:fa:32:
+                    cc:c3:0e:1f:2a:1e:af:07:e5:03:32:49:43:ab:3d:
+                    d4:f5:58:e3:c7:59:76:70:04:9c:0a:ca:12:75:29:
+                    80:a8:7a:e5:3e:ed:99:34:de:24:53:69:15:e1:b4:
+                    72:11:0f:1f:c8:2d:fe:65:5d:85:31:5f:ed:d5:33:
+                    11:6d:28:e8:92:5b:c4:d4:90:43:b3:3f:9a:cf:28:
+                    3a:10:5e:8c:bc:92:fe:d2:79:dd:d3:2d:44:68:be:
+                    ff:98:81:07:d0:a8:2c:ad:f2:a8:14:5e:41:4b:f4:
+                    fb:08:e9:c4:b8:0f:e2:48:de:d3:f9:c9:b2:4d:e1:
+                    07:09:74:85:61:4f:8c:5b:9c:46:fb:43:7e:c1:35:
+                    7d:63:55:86:07:1e:c3:b7:12:7c:31:ff:ca:28:c6:
+                    13:5f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Subject Key Identifier: 
+                DD:19:55:95:C5:A8:26:A8:A5:BD:B1:26:2A:BE:F0:03:72:68:FB:89
+            X509v3 Authority Key Identifier: 
+                D7:7A:FE:65:8D:74:F3:F3:85:92:B5:F1:C3:55:3A:0B:6D:50:10:41
+            X509v3 Subject Alternative Name: 
+                email:Barney@lolilol.com
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        02:5b:88:3a:ef:ac:25:64:39:e4:30:62:62:b2:f6:70:66:75:
+        5e:7d:7c:c7:4f:a2:74:d1:f0:66:eb:b0:87:f3:59:d2:83:be:
+        66:f8:9a:bf:15:68:9f:ad:13:4d:db:a3:7d:09:e6:f8:2b:a0:
+        8a:e7:37:2c:b7:94:32:5c:4b:3b:98:2d:b4:aa:20:c1:64:34:
+        51:c3:3e:40:ab:b6:f2:d1:dd:fc:e3:a2:bd:40:2a:50:fc:e5:
+        68:28:4f:07:90:6e:d2:3d:65:0d:bc:db:01:dd:fb:0d:39:c8:
+        1d:a8:75:53:4c:7d:cc:0f:ea:68:f9:7b:cb:22:56:41:3a:37:
+        f2:5b:1d:54:8e:59:a8:62:dd:43:f6:33:78:c4:81:75:c4:74:
+        96:2f:dd:13:14:cb:d6:b6:18:3e:60:41:6c:af:56:e8:9b:15:
+        d1:87:83:94:56:21:f2:0d:c9:d1:67:7e:d8:01:a6:dd:a8:eb:
+        dd:5e:b2:38:dc:36:b6:0a:c4:bb:13:04:69:f4:59:55:1e:9c:
+        20:70:c9:aa:38:f1:a3:7f:a5:2b:f6:3d:f4:f4:05:ef:46:3d:
+        93:73:04:c3:4e:de:de:4c:4d:f9:92:ec:67:16:c3:04:8d:c1:
+        87:5d:a7:c7:25:40:7c:5e:93:76:97:74:b7:3f:1f:cd:78:fd:
+        4e:d2:bc:11
+-----BEGIN CERTIFICATE-----
+MIID8jCCAtqgAwIBAgIUSwiQ5H86S9oxE7cBk5LsTuw8b8UwDQYJKoZIhvcNAQEL
+BQAwXjETMBEGCgmSJomT8ixkARkWA29yZzEWMBQGCgmSJomT8ixkARkWBnNpbXBs
+ZTETMBEGA1UECgwKU2ltcGxlIEluYzEaMBgGA1UEAwwRU2ltcGxlIFNpZ25pbmcg
+Q0EwHhcNMjUxMDI0MTQwNTU5WhcNMjcxMDI0MTQwNTU5WjBzMQswCQYDVQQGEwJG
+UjEOMAwGA1UECAwFUGFyaXMxDjAMBgNVBAcMBVBhcmlzMRAwDgYDVQQKDAdMb0xp
+TG9MMQ8wDQYDVQQDDAZCYXJuZXkxITAfBgkqhkiG9w0BCQEWEkJhcm5leUBsb2xp
+bG9sLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMfVeXn1s9VI
+sbwlU0xrHiHXdiX1ng3J5p2LLs/mrx2SNHJao71sS0CD8z4iV3ChI0fuA1S/UOTi
++wOU5i8qUCgQnXOQZty8JMaWRCv3uODlwEAQnmr8Ng7qZ39+RwrVtOW3ZOoJ/foy
+zMMOHyoerwflAzJJQ6s91PVY48dZdnAEnArKEnUpgKh65T7tmTTeJFNpFeG0chEP
+H8gt/mVdhTFf7dUzEW0o6JJbxNSQQ7M/ms8oOhBejLyS/tJ53dMtRGi+/5iBB9Co
+LK3yqBReQUv0+wjpxLgP4kje0/nJsk3hBwl0hWFPjFucRvtDfsE1fWNVhgcew7cS
+fDH/yijGE18CAwEAAaOBkjCBjzAOBgNVHQ8BAf8EBAMCB4AwCQYDVR0TBAIwADAT
+BgNVHSUEDDAKBggrBgEFBQcDAjAdBgNVHQ4EFgQU3RlVlcWoJqilvbEmKr7wA3Jo
++4kwHwYDVR0jBBgwFoAU13r+ZY108/OFkrXxw1U6C21QEEEwHQYDVR0RBBYwFIES
+QmFybmV5QGxvbGlsb2wuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQACW4g676wlZDnk
+MGJisvZwZnVefXzHT6J00fBm67CH81nSg75m+Jq/FWifrRNN26N9Ceb4K6CK5zcs
+t5QyXEs7mC20qiDBZDRRwz5Aq7by0d3846K9QCpQ/OVoKE8HkG7SPWUNvNsB3fsN
+OcgdqHVTTH3MD+po+XvLIlZBOjfyWx1UjlmoYt1D9jN4xIF1xHSWL90TFMvWthg+
+YEFsr1bomxXRh4OUViHyDcnRZ37YAabdqOvdXrI43Da2CsS7EwRp9FlVHpwgcMmq
+OPGjf6Ur9j309AXvRj2TcwTDTt7eTE35kuxnFsMEjcGHXafHJUB8XpN2l3S3Px/N
+eP1O0rwR
+-----END CERTIFICATE-----
diff --git a/certs/barney.csr b/certs/barney.csr
new file mode 100644
index 0000000..b00f289
--- /dev/null
+++ b/certs/barney.csr
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIDLDCCAhQCAQAwczELMAkGA1UEBhMCRlIxDjAMBgNVBAgMBVBhcmlzMQ4wDAYD
+VQQHDAVQYXJpczEQMA4GA1UECgwHTG9MaUxvTDEPMA0GA1UEAwwGQmFybmV5MSEw
+HwYJKoZIhvcNAQkBFhJCYXJuZXlAbG9saWxvbC5jb20wggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDH1Xl59bPVSLG8JVNMax4h13Yl9Z4Nyeadiy7P5q8d
+kjRyWqO9bEtAg/M+IldwoSNH7gNUv1Dk4vsDlOYvKlAoEJ1zkGbcvCTGlkQr97jg
+5cBAEJ5q/DYO6md/fkcK1bTlt2TqCf36MszDDh8qHq8H5QMySUOrPdT1WOPHWXZw
+BJwKyhJ1KYCoeuU+7Zk03iRTaRXhtHIRDx/ILf5lXYUxX+3VMxFtKOiSW8TUkEOz
+P5rPKDoQXoy8kv7Sed3TLURovv+YgQfQqCyt8qgUXkFL9PsI6cS4D+JI3tP5ybJN
+4QcJdIVhT4xbnEb7Q37BNX1jVYYHHsO3Enwx/8ooxhNfAgMBAAGgdDByBgkqhkiG
+9w0BCQ4xZTBjMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAd
+BgNVHQ4EFgQU3RlVlcWoJqilvbEmKr7wA3Jo+4kwHQYDVR0RBBYwFIESQmFybmV5
+QGxvbGlsb2wuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBQBNIWRsAYKFAOvyFeh3Sq
+Krc1rtJQzqHOiiqIKkLwm2rab2C5RooXA1jZ7CI/OLXSIN9eyb18uUza0E801xgK
+VLe8iOr0xojpO8oLYrBUUwj014aoLiNjwoLsfQ1FgcccSjMe1efGLYb08RpR/uvx
+1JL6pHAhg8/Jnt/2KU6VsVdEErHhu+EltJc0pzlHYCcOUDYlznPwAvCg0Z3/3xqu
+MpxPLI8KnkOnoJYAEVKc6qPTBqMpMuheYGzav1oHATQsTcrk17ELM4GA5eJuZPiH
+o4k4NCusK6VJsKh1L2puACe5OwrG1MRxEkwmEKM0mVluxXkbLYA/AB/90ni6ucZk
+-----END CERTIFICATE REQUEST-----
diff --git a/certs/barney.key b/certs/barney.key
new file mode 100644
index 0000000..4126374
--- /dev/null
+++ b/certs/barney.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQCJHGxV/mC+Fvab7F
+HrUx6wICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEHMd3ChJ90iMFT3y
+XL54LUIEggTQAfexKPo9zoz/+y7opfU7fKDEo53Qt8QK9zUagntv1ktOboNXwswU
+7qu/iKH9UPlgkmndCK8oMS8spywsvqYb2yKhjbxhm5f0njxKP7axb+O+RlCk8QoF
+fzbdnvcf9l5KTNz4XtzdK1bmt1Hopq9kO3ELJkvH7lhzSKYRf+WikaXrRecNsfqf
+xNIzsPQebCSCgGj460CiW2CEuKC6UXto98MTArIE3l7QjRjEINrlBNBUfJVhOaDK
+7RBbkbwC69ISsMH2WEJ04DmejSveo/jHkKU7rD7qlnCcCVBF6VhsBKQKJSeqAdNA
+781JYdokySQMNycAdlwXJE25Z5zgey9gdE2CpRfXvAgAUBN9JgJP48qInjfPvxqi
+kJwH4ykjVm75CnxcrD8DsF7+njr2Aiboeb96eXus/vtmUjXexIdlYSq6ZwcnBSq2
+9HW95y1DHh3zZYN1e/gm0hWWoRfF/44lMvcZ346jkT8atxJQJcTvTvTRix0HFh3l
+SatFPHn0Eu8kDvzUhuHWPkyZSErW1nmhHYiYL7SSM/iov1sgAAX7aunDZ+x+pSxe
+JlzCmxwZDI4pHmvuSTKR+JuXmbD3/0VMUstJGWXe91T1iHJQIlYH63IOQ9mhPD1v
+ox15KB2KMCEuPHa3ddc5kCxTlHKD4+eQLl1V5bGtHhC4L8fDtD4ZsLgVCaBJG0lH
+lSIdbJ0LWAAbD2W5R8+1jQFq5WcK9nb9ujyhQhCwBAI4pEQKPtGM0t/PqyaBV5mh
+VK61q9avYkeLX9+KW1YZGPW7Br9fmTGmqUODhDbnPqjDbpZKnbDTuiWkk3BIfKR7
+vdnG7d0OuFj3bePq/vsyoowRdJ7v2PvPWkZeuAEUANxWw0xX69VXYyIvotjMupQc
+O7v5zAVF/b60WhMpuIqH+VGkDisFlg0dq6XjqnNFqnOyO4NHfUv4vSyaQfYoDZ9L
++kHcWV9OtZYpQFxwfkRZRYhHH4FrcPoWJgoR+r0xZsnrRu46DDve4k6B3eqEwO+v
+rm7KiFrdU5WCM2yyfMf2OuMjrIu/Juk3IVGZYVfaMaMlHroLA8Jg9C/tsN13IeCy
+jT4Qjy6Y2of/mklKw/aGS466rXlLPevaULeNy6v+4aX+FJChWmznzRxMEKQVOHAb
+8MCBjTGzoP6XN+RpU9Gq0/Bwd2eLxrP8fsk6SjKYj+AK4POAvpBRJggYrAlvy5p7
+7QdD7K0dAlvUtcrbkEVJr3Co9MYZ2Z+zzjFeMZRvXeTzENjO5/+W3WdZFLjrgTu3
+tSBPdXNslywt7FHimLog6IUc/QYae7x+mirhUmFapAV0ZZM7px6Ar123GBhnPUsd
+ECor6oEVTOu/QqMlRkpyxPKOQxqRatTThB+x4kGLrxirim9yqUo8ZOeE0zBAf/0G
+IxsN/Q/woRBFSumOSmXA4kiy91K82rjPtzqyZunLDvdyOyLwKDCRgo8lvq95CSYJ
+GX6nXEtz7wZX7+PDmS9cPsDKB8M0mRhfGSDfL4mpzvBOA5hgraTJ8Awd8Caw8FnS
+iIvNmFTA2cQVdZDShxB3ZFUKc1T5Ca/OYgnfy012tPVR/R4nN42M0JICuvKN9fck
+uCytFJaEcrTYxLS2fHXOpgMmqkmU4pNNDs6D/BWgiJGdDD0gRWLvmRA=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/certs/barney.p12 b/certs/barney.p12
new file mode 100644
index 0000000000000000000000000000000000000000..6e6de43b8a65807b8e367e3a8358c972ba55fbd7
GIT binary patch
literal 3920
zcmai1c{CIb*PgM=nCwd-j1(c!jD6q6lARGnWZxM(jlviV*$P=h!XVpNXB0w3_C00a
zB8-%M&+9$kcYeP=-}9V%?s=Z)o^$`Z=eaN}qdo<Y5{6}@06}iy?&1#UfnZ=hmSKkq
z%kUe9Wgx?_kW2qspnNRN2@FefKmi0?v_JnkK$y)xgqj|Pgu(x%bTED@CR(9vvU&kO
zTC+r(SJ%>_pMru00HXuZ{NGjz2sHr41A^G%?gE`Csererm|7|8ZWqbC(MSO1mRUiQ
z&=@QY=H;WV7&id)(1ke;Bz!-YE5oso;nKY&%fJ<`2HIU($vwz*D=SYzrQ}QV&bz3s
z?t-T1I)npwp1ol^D=fEMGC62w>%RToMs`tnDhbfFb}h&s+Qu#`m+V3L>@<b_2Pta+
z8tjOQ^JR#FaW#!cAdSC<=EwpP_M?c38uJ7^kCySv1a==<k()r?vlXie#kn@fL6%-s
z)%5*}hWLB4%QaUftGj;t+n6r!1vm&+JB8s|?oik&1CZEhhe(%nu!DGWtV>p;Y=ylX
za_smQ`7L?t6-rl}D)FXYGk`BtP;_69N;2v7PB-(q^U;vm+WXsq<f5nfb5nz$c}SE0
zs()|>H{$ss+utH)sTcI06WulH86y_dK;DW|`7VxIRx+JR!`Qf4XQxFmT6swWBii9v
zc5{Xvr$_mQwYpboIXKMZop66#=3*ueRS^FB#cVEmyXA;UmAe#l9KW{)1o^Gr^zB30
zj1ztmGG1UvAGyOA_vLv&f63F`pAVD*lM91dDn8{NOw0JgV*+%Q2j4DpESAxv`LLb7
zL_e*#eq<)XPUXmU%yo~~vNJY>C5LGBW54lgYfHpX^Ce-cAG~=Ri%9%Lsc`Yx5w-Pq
zMoY!NQQJfALN-z)MQ0H>7RLmMrr~X3Oe((W8Hz?Dcg-#zblC8fnG*e6z3l}>j7yq5
zEL+PuulB7^;QM%(8Q1=Belvw)vQf_>mpB{hS{}x$PiInMuBV?y?9xLRSclNqDtV^5
zg2({IW`hLB^eja_HlH2@5r3bgZ2D(q1ngDi26E=N&2`v6?QYQzSE^wB#NBOLEF#HG
z;OAUtYn7)arLQRLq$sVcs>^s@W0ulY)iU^kBbucoagxC=617l)QAh}fOg_S;?@YDv
zT3q<f09P%9=J5-t<9N!E)QE~!j1~5Ba?vHN%o&AK`o%Oa<3r<IRue;!PvD=f%^^9i
z&x>rc4-$eQ(FxCoX4~E~?!=9SZ*okWHbN_QZr-5jv~tqFMa*;}SM7uklX^A{ex>mY
zBe;SJ_P1M7Lj{laaZMUC&rDX$KMJkye@q8j6-7L%F4hk|(i&lkaO$`*;798KPug>g
z+pH@kthV-w@v=Q)P(qysFTtk3rD*lVrHRhjyK<^AHe`5$g=d2Cw3OPxPbQuXJfbv7
zQuz9b#ybx<V(;f#(TyA(Mm;i-sArca?tDkD*mj2{*6vu{;bYFmlY2fLp%sy}1jENy
zU^;;>gK%3qrh<NP{U^-bm*^EdeYTh_wd6|I)a9Gp2omB^Rmj7>kmJ8Gb47ygMlrY7
zf-AEhWFJ_0H?NMrLY+MbpZkUn>0DfYqWioHs3_B*KnOEOCO3~sTU<AAX#ewQV9`+~
zx4Vdqlp#v>4on7TG*WT7eo&=PH5D2DYOc_l+nQq3UPx`J6yPeORIIH#Lgu=0*y5rQ
z8+aBSltcA1|6#(pXF&nib^vnw;8qf;US>4aCtfns`x2_d{YAHKd<NJRBlp(k1xcUX
zvo$%JqHxg+9pxteaQljaC7W%6Lvhyc=HcJ_+jv5V6O$p!BNjSYPESW8*xt>|O^KzM
z<L!p5-|vhpoH-;UR7==qArp6Ge3<aE_8bP<sgA2bE)Mf2sHQwO;1m1_D669>Z1zgG
zrRWVCSa@ojhs}|z{jJP~QGKxHsj!Fhe5g>?gfp1m_W_8rN+r%3GdY^{W$CG1^MbY4
zA;QN-o6BW72MINSPrXqq$bO@OS$fFYN67G3f(E5gyptKC7EQGi)|Nr*x&^c<yy&XU
z8t~kGPb+l!6{T{Dzz;Bz3PKyZKQ&&yr=Nk+CbLwqsQh(NRv(m-WOAphTPLl5Q!j7P
zjdklvB65sPHiA#UUnPI`@R^EQYHHyjIRUwy*`Y(7d#d2VQxYA}VR#SK?@_Igr?Wlj
zyMKx2`L4lr6aJNT+6KGKCU_1RQ&QgZH|0prXClv)8{jeKlFyAFI`976zG@vXu%b@&
z9MDGWe=Zs4mxl5jdr4x8eVT^f5<0Fu(wLi^K6jqUhEjlc=E2owUmiVu<|9H0M;dj6
zY;G&kuiUtMnsgT3MON>!I&$9#4tPH+zZDbZ4h~;c`q+T%-HH5;8MPH-enpfBHnY-y
z{}=KgI%Tk^YN;ml*f{_FWDvk*>W{U5>qP5^zS3GI**u-s8_3RB*XFfw*%hIB!TB>M
zt5g@jx%0f_voE7Fo6o2%CJP83*M)KBlICY}b;%(yN#3K{PG5fD=ENWLi<#Q3E6--N
z_}I8DRlZ+^EPS-){u)$y=<aC-uc?>jo^DHx6wudgvwOpFBFj|s)mK`@yLm^HTy|CK
zK)Z(VY0Jra>>br;zt6u?|5i4=DU|JN%Y4UTT%~&j$GgdhzNyDy9>JGn3tdWYJ;ZAI
za`NlfY(}F;IS;7Q`8E(020UIqPzQD87TR^yt(DPt<~w28%3$aVV!V1(!)10>Grm`0
z_hJG>Tr`bBvUSE6ffeShH$-Z*yz~S1&j-bh1vN&iiUeFsssTdzPK6J3zRNwno@h~q
zC@CZ*^SBL>fvgTJK~WyHyeCuPVs1iDR`g{2jhHJNcQV2-^~aG6+`#<vwm<M-oiQKN
zo|mYMqT_YyY@->m6z89f_{keNJt}W#ExBWY544i!wq?6=L=W9%GY4*=l*Z${>fXxS
z8FP~&(7YxJ_7KOONYRGDMwJHAhsBb->3#aHgZ8H6l$oou4LO<fdi|FNp1-ZYRGa$v
zhX$?WKk09YtfHibGk2FiL@>PFr6eE`M}F1g;OIXX?-ZNMOs>4&xT9#kOK#I`nm1&+
z$+x1H(?RG$?r#)g-YKbH*}L+g@ia}PIB_}fp?kJb`5x%2w!Pkpl-h|c&_1^WhNYhP
zC)fNpC{g!NVW~SW<c}Bi0Yv-%8H(-_kmACWyAY-RS1>|MDyH=s!WW)B_70;q)$IPC
z!N_+78?j*0PMEPS5VcC*RiVOC4fW|y1bHf!(SLp)-=QinT_r?1F)FmxnxuTSTDqPy
zjvjH3F}>q1VW8FRSJAL0Ha`X++s5Pdh3WP#M{oiSlLX?Ef_j(U7eu)FLg8$7vg#!$
z6>0jF`W3G%f)(S)&Wrump@g881Lf#)vG0#LnZ*v4Rf_XNc8O2;THa}92$8MrhxIMC
zDXc^RV=PjNG6k=gsQF4N^qSC?SmJZh+F>B%PQr3>JP(WH#}5i-V)n&-Ye*X{7Y5gJ
zNpF@+BollHGEr))R4#rEk$3fWgsGioFyEsVw9sZU+y|pHS4gc_GDoiT5lVNgd>Eq<
zEz&A3(jNNz+0W}H_DPws>gYSgg{+9nIPUqmES>j`nOla<0{dy<x@i$3b~{yuS+ktB
zq7EaK>!|6JZyF~`^v=B11BDevdMA;k2=wjO#=<dWcdT>!z{?dw*x8)$L&^>w=*jQ2
zNyg$fH!lU|EUWR}FL24FuD1f7+GlNrJaw4p&_OA~ST^?WNOD73IV*h7)@e7jUqb^O
zVxloP_GzSFJw*i;s(F0M;uDV&!pGe+Ei)@u8z0+z11zthtdE!_#leRoJuQgJjCrZJ
zS9&J=t9}a7F?{c+wbQ&YuzvR7<AW%|Uz1make%q4YPVa>qB{O^FSEG1UdbftM4K0S
z&8p_jg(P5pwSTebRLY<2c%q-b+WTv<?Qxa8OsW>|j6d!d!-r4iCnY+p<|fha3<riW
zk`p;YQ#vNepCxkdmYgi?THsOQ6xkB1#JkYOJ6)+ar27|S;IuaN#^!9J-WI*^6&A+i
zVms2^Z=dU54;;u`5}2Y@E_vM#G5lVaQZWbOX!kbb1n)>Ig9Vy7q2=!J;#cXG89L&R
z+c;PYf8Eu{r_YHgKBc^g+3oI7IY*sbMLSK7X<gfq9uIjd)uohJEL&&a&HpptiuN}F
z%loS?hnDw0EgKygK|matXz8&)g@wgnt#)?MLMNh35|?UNT?>4yS)E;iRE)Mk`VjFp
zucuWj@C_2&o<fAvjzt>3T!F=v-hkV<9Ss(m+r3QTZvDsRiB-nZ@nh1j=u9;clm0p4
zw!0n<B`dXoqBB|AtL|2*Pd8cS50rBiB*kDK7$3;zV)j0}JCDDiGeAsb4jc3|$gvL;
zG==cFt8VP2gl)uNNu^$V429@GiP|;nd2`Qw@xh91ugv&Q3sEEPk&%P(_opiz!Z5x*
zPkDY4ongdg?ev3FyRxA<g{$5s=Cb3@+s)4l6#)~DJ2<7seDooPDw>W?$M~<NKYSVZ
zaZg4z{s?XfuEgP8YL{Ha<Qw$Z3L_qV2dTByg!#I)Z$4!m#N0$oJ*piiXAM1KJMJ>~
zDv{4lgnl@Z{`Tv3j`qoB$!X)|(Z+Y73EtoEB4^e}bXSc-$~xG@!1+8(`#RD(fxQIB
zuy#MBfq}cbEPW9D$s@2)WXj37SM;G~E7SUeb5MNZXN@v~+nRJ5sWN1b$6Wj7EKT(p
zMz=3RZT>-ITm8N4?6}R)kF2ynPJVp1#*PJmm!PL&GHq1QERk1y%KucDb}nudbIlQ~
zRxik|ie&(qBqou#Vl=n2_S8wbwhq5eTNCv;J{(~KqetrG)|XR4N}IGeb@{86Jz`mp
zK6?(gLg0R|8~+?y$YuByDz=Snj5GN$v<6_Jou0_$@3@dNLl4vYcZdzH3{?cE1MC2P
z02IIpfCgLxAOV2@`wMtp@M{1efZ;_C00aZPFJ?S06g7au1)Ko>7Z8T2!Qe3Ze|}I3
zAT@yMT5Os^zvGC4K8lw4i-2#UoyX|!-hy^$ENPM<GzC8Rm5L@XzNH0pa(nZ?cl$qs
C;WYUG

literal 0
HcmV?d00001

diff --git a/certs/simple-org.crt b/certs/simple-org.crt
new file mode 100644
index 0000000..4949aae
--- /dev/null
+++ b/certs/simple-org.crt
@@ -0,0 +1,87 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            2c:39:28:73:9a:df:6a:4b:59:72:4a:90:7a:46:3a:f4:6d:e9:c1:19
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: DC=org, DC=simple, O=Simple Inc, CN=Simple Signing CA
+        Validity
+            Not Before: Oct 24 13:52:07 2025 GMT
+            Not After : Oct 24 13:52:07 2027 GMT
+        Subject: DC=org, DC=simple, O=Simple Inc, CN=Simple
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:8f:16:6d:2c:43:29:37:e4:d8:a3:6e:0c:e9:11:
+                    63:f5:a5:b1:2c:bc:a1:2a:c8:43:66:04:0f:a0:c9:
+                    8e:d8:62:dd:29:33:2e:b8:35:21:1f:58:52:3b:f2:
+                    52:ad:87:de:7e:e5:e0:65:28:f5:8f:74:93:e2:bd:
+                    6c:59:4f:30:9f:27:f9:7a:9a:9b:f6:17:07:37:cf:
+                    79:d7:12:40:0a:3d:70:26:27:20:73:e9:a6:4e:98:
+                    e5:ff:d7:e1:69:ff:dd:79:50:79:b7:2b:d2:b7:7a:
+                    fb:18:0d:d5:c5:3a:20:3b:1e:f2:03:b3:8d:cf:7d:
+                    42:8d:86:cf:33:48:01:e2:0f:4e:4e:c1:d3:58:e0:
+                    d7:58:34:0e:a5:4f:3f:48:71:93:14:d0:70:9a:f0:
+                    7d:ff:ad:b0:25:a2:de:25:e4:4c:b0:0c:0e:a8:3c:
+                    c6:cb:52:20:e6:c8:3e:09:05:b9:8b:bf:03:0c:6f:
+                    c0:19:4e:6e:c1:13:1c:3b:1a:2e:9c:4a:c2:b7:10:
+                    b1:78:87:1b:31:11:3a:42:72:72:53:d2:7a:b9:74:
+                    54:0f:0d:32:eb:3e:a1:ee:4d:8e:61:aa:0c:8f:0e:
+                    bb:58:9f:f0:27:99:bc:d1:cb:13:14:0b:15:36:4e:
+                    97:d4:01:08:6c:05:55:ca:78:8d:90:f7:09:f1:6e:
+                    94:81
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Subject Key Identifier: 
+                83:0D:B5:A2:0F:97:28:E1:3E:78:9D:18:6F:1F:9F:BC:B9:FB:85:56
+            X509v3 Authority Key Identifier: 
+                D7:7A:FE:65:8D:74:F3:F3:85:92:B5:F1:C3:55:3A:0B:6D:50:10:41
+            X509v3 Subject Alternative Name: 
+                DNS:www.simple.org
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        86:70:a9:51:a3:52:d6:f5:8d:bb:c3:ef:40:a4:5d:42:9e:b7:
+        46:e4:ca:1a:4c:86:ec:20:25:5d:b5:52:ea:0f:63:f2:fd:77:
+        d5:8c:1d:9b:3d:c0:3f:a5:09:6c:b8:75:1d:f8:1c:47:2d:7a:
+        d6:4d:57:06:0d:8e:f4:c7:ef:07:59:5d:38:ed:e4:51:a1:c4:
+        30:9a:1f:7d:4a:87:ff:06:2f:98:fb:e2:cf:db:7f:f7:ec:bd:
+        b2:13:11:02:73:11:7a:89:f5:90:79:7f:03:df:01:7b:3e:af:
+        4e:92:d5:93:c6:8d:63:dd:3e:4f:ff:ca:6e:70:8c:4a:53:19:
+        52:75:22:1b:ab:37:a4:6a:03:aa:0f:48:a6:9c:6f:a3:47:cf:
+        0d:1a:ff:89:30:44:00:39:02:85:df:ef:4b:e5:64:64:5b:f4:
+        64:23:9e:d3:07:c0:00:3f:e4:18:f1:58:a6:52:a2:3d:ba:0f:
+        b6:39:6a:6a:fa:6b:50:4f:0f:79:1a:23:c2:03:df:66:8e:9e:
+        e7:e1:d9:97:51:b7:b2:ef:2d:25:27:6b:87:9e:ac:5b:4e:78:
+        bb:39:05:68:9a:7e:6e:66:82:b9:3e:30:be:dd:7a:34:9f:93:
+        2a:30:bc:bf:b2:44:e8:37:01:df:d4:c7:c9:a7:8d:19:f0:a1:
+        f1:a1:b0:42
+-----BEGIN CERTIFICATE-----
+MIID2DCCAsCgAwIBAgIULDkoc5rfaktZckqQekY69G3pwRkwDQYJKoZIhvcNAQEL
+BQAwXjETMBEGCgmSJomT8ixkARkWA29yZzEWMBQGCgmSJomT8ixkARkWBnNpbXBs
+ZTETMBEGA1UECgwKU2ltcGxlIEluYzEaMBgGA1UEAwwRU2ltcGxlIFNpZ25pbmcg
+Q0EwHhcNMjUxMDI0MTM1MjA3WhcNMjcxMDI0MTM1MjA3WjBTMRMwEQYKCZImiZPy
+LGQBGRYDb3JnMRYwFAYKCZImiZPyLGQBGRYGc2ltcGxlMRMwEQYDVQQKDApTaW1w
+bGUgSW5jMQ8wDQYDVQQDDAZTaW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCPFm0sQyk35NijbgzpEWP1pbEsvKEqyENmBA+gyY7YYt0pMy64NSEf
+WFI78lKth95+5eBlKPWPdJPivWxZTzCfJ/l6mpv2Fwc3z3nXEkAKPXAmJyBz6aZO
+mOX/1+Fp/915UHm3K9K3evsYDdXFOiA7HvIDs43PfUKNhs8zSAHiD05OwdNY4NdY
+NA6lTz9IcZMU0HCa8H3/rbAlot4l5EywDA6oPMbLUiDmyD4JBbmLvwMMb8AZTm7B
+Exw7Gi6cSsK3ELF4hxsxETpCcnJT0nq5dFQPDTLrPqHuTY5hqgyPDrtYn/AnmbzR
+yxMUCxU2TpfUAQhsBVXKeI2Q9wnxbpSBAgMBAAGjgZgwgZUwDgYDVR0PAQH/BAQD
+AgWgMAkGA1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0G
+A1UdDgQWBBSDDbWiD5co4T54nRhvH5+8ufuFVjAfBgNVHSMEGDAWgBTXev5ljXTz
+84WStfHDVToLbVAQQTAZBgNVHREEEjAQgg53d3cuc2ltcGxlLm9yZzANBgkqhkiG
+9w0BAQsFAAOCAQEAhnCpUaNS1vWNu8PvQKRdQp63RuTKGkyG7CAlXbVS6g9j8v13
+1Ywdmz3AP6UJbLh1HfgcRy161k1XBg2O9MfvB1ldOO3kUaHEMJoffUqH/wYvmPvi
+z9t/9+y9shMRAnMReon1kHl/A98Bez6vTpLVk8aNY90+T//KbnCMSlMZUnUiG6s3
+pGoDqg9Ippxvo0fPDRr/iTBEADkChd/vS+VkZFv0ZCOe0wfAAD/kGPFYplKiPboP
+tjlqavprUE8PeRojwgPfZo6e5+HZl1G3su8tJSdrh56sW054uzkFaJp+bmaCuT4w
+vt16NJ+TKjC8v7JE6DcB39THyaeNGfCh8aGwQg==
+-----END CERTIFICATE-----
diff --git a/certs/simple-org.csr b/certs/simple-org.csr
new file mode 100644
index 0000000..fe294fb
--- /dev/null
+++ b/certs/simple-org.csr
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIDEjCCAfoCAQAwUzETMBEGCgmSJomT8ixkARkWA29yZzEWMBQGCgmSJomT8ixk
+ARkWBnNpbXBsZTETMBEGA1UECgwKU2ltcGxlIEluYzEPMA0GA1UEAwwGU2ltcGxl
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjxZtLEMpN+TYo24M6RFj
+9aWxLLyhKshDZgQPoMmO2GLdKTMuuDUhH1hSO/JSrYfefuXgZSj1j3ST4r1sWU8w
+nyf5epqb9hcHN8951xJACj1wJicgc+mmTpjl/9fhaf/deVB5tyvSt3r7GA3VxTog
+Ox7yA7ONz31CjYbPM0gB4g9OTsHTWODXWDQOpU8/SHGTFNBwmvB9/62wJaLeJeRM
+sAwOqDzGy1Ig5sg+CQW5i78DDG/AGU5uwRMcOxounErCtxCxeIcbMRE6QnJyU9J6
+uXRUDw0y6z6h7k2OYaoMjw67WJ/wJ5m80csTFAsVNk6X1AEIbAVVyniNkPcJ8W6U
+gQIDAQABoHoweAYJKoZIhvcNAQkOMWswaTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0l
+BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBSDDbWiD5co4T54nRhv
+H5+8ufuFVjAZBgNVHREEEjAQgg53d3cuc2ltcGxlLm9yZzANBgkqhkiG9w0BAQsF
+AAOCAQEAROxIUVaXvOfwYxYlgWAMsWGbt8l8FYRtr+nDf4jg1d1SJXgTqftYoJXI
+1aHjjVdDleM/p2Cd97EcQzO3Rk66RL7XMKCN6sENJBNyT4mUK1cQWHrq3LB3MJCM
+clf/qX8hh2spIeWLT9SHxvDGJUitXBlqPkI8HOsFSFD1zYGO1GexPRVbi7/jkCSU
+mmZiwRavJ0a8s02Ua940jC9LyDayck8pFJzaYxFJ2jNMYK4rfQsNxMBDKow3/ufb
+4Rr+2ESLvqx8Ndo4Zj1SnNTywIV4UUFS9y18B635LWvJenGAjsFE3oTzYqoknhzT
+cXz1bDY6dPJH68X6rupsCmG2uE7Wpg==
+-----END CERTIFICATE REQUEST-----
diff --git a/certs/simple-org.key b/certs/simple-org.key
new file mode 100644
index 0000000..f8e993f
--- /dev/null
+++ b/certs/simple-org.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCPFm0sQyk35Nij
+bgzpEWP1pbEsvKEqyENmBA+gyY7YYt0pMy64NSEfWFI78lKth95+5eBlKPWPdJPi
+vWxZTzCfJ/l6mpv2Fwc3z3nXEkAKPXAmJyBz6aZOmOX/1+Fp/915UHm3K9K3evsY
+DdXFOiA7HvIDs43PfUKNhs8zSAHiD05OwdNY4NdYNA6lTz9IcZMU0HCa8H3/rbAl
+ot4l5EywDA6oPMbLUiDmyD4JBbmLvwMMb8AZTm7BExw7Gi6cSsK3ELF4hxsxETpC
+cnJT0nq5dFQPDTLrPqHuTY5hqgyPDrtYn/AnmbzRyxMUCxU2TpfUAQhsBVXKeI2Q
+9wnxbpSBAgMBAAECggEAAfhul3HzUtw5aYK99cWyCTN3baTJWWP5naGHr5CnAW7X
+GdalGY9NvfdC5qVvIwmgdEHpJat7OjcCRFiUceRnyIFN67TOWgS2KjwWsvIC5ME0
+1qmqRj5c9m8fl7ba2VFXNPD5RB7731/3rjyeiYFD6VyDO67Q0J8qd/V3y/59XCYR
+ifYhQCp8AM9/rYaiYJ9YMjqJqMjFj4Q4NH5TAehlOTBDLcgSWeRrBXLnyFr4zhcO
+xmYLUFMiCxFWcI17fsGQlda2mBclLhHTcaFEMjO0UuA0gwZ+YrLnfP6fHTY2kwp7
+rywI0PWwzpyHCnZNcF1QxwgJOfei4hGkUqlOrUFnYQKBgQDBfpklHT6QgLmiblx+
+o5aFAwJ41wW9qQ4X3b7VxwhhPpoP+ygS8EUkxngPJahZ8rA5qWH+DJ4LDku3RQ64
+hE0O1P08NnlWg76XXrZmocRV5iu016PDMWEMySeelvRUQAYH8MFH+WDEMK51Mm6L
+RwURuXN6pTWzLHNdFo0dQF8e+QKBgQC9T1S6oUIRtttvwNvNwtw9s/1eyHmdytfW
+e6ZWT21l9X3N3+0YR8Gy1rmjQVMdxaF5sRxOWtn7ihujZYs8KP5QoXWfS30G2ZJQ
+N1qEZn0wJhpq9VF+I023NmuLJBxSi7hctGUdDHcoe0piUP24H5QV0bTEYSi+7LpV
+sWf8IhMbyQKBgQCCGj+bBvjkbMllAFPNCu3Qbd+hpOLFTgCd54nDcFqgGFm62SNu
+6IN1YMWlWarDID2B5/Rtv8ocoPYkOpjVVJADow7LB826cEccvKBkjezX3TYSGNSS
+EIey8yZiqhmK9KmZeTZc0L9R63HCd7CAkbZE3q9ZDfD3krHXK6yiuH+88QKBgQCV
+eGqcxLAmzmrqDKtABgfhDBkUWlNz2/GZHp4R7bqh0zgWciSAlD+C1flSxkQ68Izz
+SXzg/Oi5q6zw0T8jK/bIcQMu1+qKmwTkIyBsA4P6nUskgjdq0bMN4oD9JnDaWAkj
+4ScozWvT4ay0feAmHYDNzXrdxxzlyoHBIUbKE5lkyQKBgQC7ertazu8bxWMPFa48
+DZDL6oDvWWcSmUVyNAjlaZFUmF3gQeSB7U6BfxGa+k1BdbDeYSXVwCCC9G2XGPAx
+eMUnFYS6WjagxKNfls0yC19Gy1Jo4XNwdFKujW15uC8ogArwTrOSKEQBUGk4gmH6
+ZttsuVvMuTmZv9Kq9hinarLUWQ==
+-----END PRIVATE KEY-----
diff --git a/etc/client.conf b/etc/client.conf
new file mode 100644
index 0000000..f7cfa5a
--- /dev/null
+++ b/etc/client.conf
@@ -0,0 +1,29 @@
+# TLS client certificate request
+
+[ req ]
+default_bits            = 2048                  # RSA key size
+encrypt_key             = yes                   # Protect private key
+default_md              = sha256                # MD to use
+utf8                    = yes                   # Input is UTF-8
+string_mask             = utf8only              # Emit UTF-8 strings
+prompt                  = yes                   # Prompt for DN
+distinguished_name      = client_dn             # DN template
+req_extensions          = client_reqext         # Desired extensions
+
+[ client_dn ]
+countryName             = "1. Country Name (2 letters) (eg, US)       "
+countryName_max         = 2
+stateOrProvinceName     = "2. State or Province Name   (eg, region)   "
+localityName            = "3. Locality Name            (eg, city)     "
+organizationName        = "4. Organization Name        (eg, company)  "
+organizationalUnitName  = "5. Organizational Unit Name (eg, section)  "
+commonName              = "6. Common Name              (eg, full name)"
+commonName_max          = 64
+emailAddress            = "7. Email Address            (eg, name@fqdn)"
+emailAddress_max        = 40
+
+[ client_reqext ]
+keyUsage                = critical,digitalSignature
+extendedKeyUsage        = clientAuth
+subjectKeyIdentifier    = hash
+subjectAltName          = email:copy
diff --git a/etc/email.conf b/etc/email.conf
new file mode 100644
index 0000000..6206353
--- /dev/null
+++ b/etc/email.conf
@@ -0,0 +1,31 @@
+# Email certificate request
+
+# This file is used by the openssl req command. Since we cannot know the DN in
+# advance the user is prompted for DN information.
+
+[ req ]
+default_bits            = 2048                  # RSA key size
+encrypt_key             = yes                   # Protect private key
+default_md              = sha256                # MD to use
+utf8                    = yes                   # Input is UTF-8
+string_mask             = utf8only              # Emit UTF-8 strings
+prompt                  = yes                   # Prompt for DN
+distinguished_name      = email_dn              # DN template
+req_extensions          = email_reqext          # Desired extensions
+
+[ email_dn ]
+0.domainComponent       = "1. Domain Component         (eg, com)      "
+1.domainComponent       = "2. Domain Component         (eg, company)  "
+2.domainComponent       = "3. Domain Component         (eg, pki)      "
+organizationName        = "4. Organization Name        (eg, company)  "
+organizationalUnitName  = "5. Organizational Unit Name (eg, section)  "
+commonName              = "6. Common Name              (eg, full name)"
+commonName_max          = 64
+emailAddress            = "7. Email Address            (eg, name@fqdn)"
+emailAddress_max        = 40
+
+[ email_reqext ]
+keyUsage                = critical,digitalSignature,keyEncipherment
+extendedKeyUsage        = emailProtection,clientAuth
+subjectKeyIdentifier    = hash
+subjectAltName          = email:copy
diff --git a/etc/root-ca.conf b/etc/root-ca.conf
new file mode 100644
index 0000000..ccb452c
--- /dev/null
+++ b/etc/root-ca.conf
@@ -0,0 +1,102 @@
+# Simple Root CA
+
+# The [default] section contains global constants that can be referred to from
+# the entire configuration file. It may also hold settings pertaining to more
+# than one openssl command.
+
+[ default ]
+ca                      = root-ca               # CA name
+dir                     = .                     # Top dir
+
+# The next part of the configuration file is used by the openssl req command.
+# It defines the CA's key pair, its DN, and the desired extensions for the CA
+# certificate.
+
+[ req ]
+default_bits            = 2048                  # RSA key size
+encrypt_key             = yes                   # Protect private key
+default_md              = sha256                # MD to use
+utf8                    = yes                   # Input is UTF-8
+string_mask             = utf8only              # Emit UTF-8 strings
+prompt                  = no                    # Don't prompt for DN
+distinguished_name      = ca_dn                 # DN section
+req_extensions          = ca_reqext             # Desired extensions
+
+[ ca_dn ]
+0.domainComponent       = "org"
+1.domainComponent       = "simple"
+organizationName        = "Simple Inc"
+commonName              = "Simple Root CA"
+
+[ ca_reqext ]
+keyUsage                = critical,keyCertSign,cRLSign
+basicConstraints        = critical,CA:true
+subjectKeyIdentifier    = hash
+
+# The remainder of the configuration file is used by the openssl ca command.
+# The CA section defines the locations of CA assets, as well as the policies
+# applying to the CA.
+
+[ ca ]
+default_ca              = root_ca               # The default CA section
+
+[ root_ca ]
+certificate             = $dir/ca/$ca.crt       # The CA cert
+private_key             = $dir/ca/$ca/private/$ca.key # CA private key
+new_certs_dir           = $dir/ca/$ca           # Certificate archive
+serial                  = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
+crlnumber               = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
+database                = $dir/ca/$ca/db/$ca.db # Index file
+rand_serial             = yes                   # Use random serial numbers
+unique_subject          = no                    # Require unique subject
+default_days            = 3652                  # How long to certify for
+default_md              = sha256                # MD to use
+policy                  = match_pol             # Default naming policy
+email_in_dn             = no                    # Add email to cert DN
+preserve                = no                    # Keep passed DN ordering
+name_opt                = multiline,-esc_msb,utf8 # Subject DN display options
+cert_opt                = ca_default            # Certificate display options
+copy_extensions         = none                  # Copy extensions from CSR
+x509_extensions         = signing_ca_ext        # Default cert extensions
+default_crl_days        = 365                   # How long before next CRL
+crl_extensions          = crl_ext               # CRL extensions
+
+# Naming policies control which parts of a DN end up in the certificate and
+# under what circumstances certification should be denied.
+
+[ match_pol ]
+domainComponent         = match                 # Must match 'simple.org'
+organizationName        = match                 # Must match 'Simple Inc'
+organizationalUnitName  = optional              # Included if present
+commonName              = supplied              # Must be present
+
+[ any_pol ]
+domainComponent         = optional
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = optional
+emailAddress            = optional
+
+# Certificate extensions define what types of certificates the CA is able to
+# create.
+
+[ root_ca_ext ]
+keyUsage                = critical,keyCertSign,cRLSign
+basicConstraints        = critical,CA:true
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always
+
+[ signing_ca_ext ]
+keyUsage                = critical,keyCertSign,cRLSign
+basicConstraints        = critical,CA:true,pathlen:0
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always
+
+# CRL extensions exist solely to point to the CA certificate that has issued
+# the CRL.
+
+[ crl_ext ]
+authorityKeyIdentifier  = keyid:always
diff --git a/etc/server.conf b/etc/server.conf
new file mode 100644
index 0000000..b35f588
--- /dev/null
+++ b/etc/server.conf
@@ -0,0 +1,32 @@
+# TLS server certificate request
+
+# This file is used by the openssl req command. The subjectAltName cannot be
+# prompted for and must be specified in the SAN environment variable.
+
+[ default ]
+SAN                     = DNS:www.example.com   # Default SAN
+
+[ req ]
+default_bits            = 2048                  # RSA key size
+encrypt_key             = no                    # Protect private key
+default_md              = sha256                # MD to use
+utf8                    = yes                   # Input is UTF-8
+string_mask             = utf8only              # Emit UTF-8 strings
+prompt                  = yes                   # Prompt for DN
+distinguished_name      = server_dn             # DN template
+req_extensions          = server_reqext         # Desired extensions
+
+[ server_dn ]
+0.domainComponent       = "1. Domain Component         (eg, com)      "
+1.domainComponent       = "2. Domain Component         (eg, company)  "
+2.domainComponent       = "3. Domain Component         (eg, pki)      "
+organizationName        = "4. Organization Name        (eg, company)  "
+organizationalUnitName  = "5. Organizational Unit Name (eg, section)  "
+commonName              = "6. Common Name              (eg, FQDN)     "
+commonName_max          = 64
+
+[ server_reqext ]
+keyUsage                = critical,digitalSignature,keyEncipherment
+extendedKeyUsage        = serverAuth,clientAuth
+subjectKeyIdentifier    = hash
+subjectAltName          = $ENV::SAN
diff --git a/etc/signing-ca.conf b/etc/signing-ca.conf
new file mode 100644
index 0000000..c8ec1b2
--- /dev/null
+++ b/etc/signing-ca.conf
@@ -0,0 +1,124 @@
+# Simple Signing CA
+
+# The [default] section contains global constants that can be referred to from
+# the entire configuration file. It may also hold settings pertaining to more
+# than one openssl command.
+
+[ default ]
+ca                      = signing-ca            # CA name
+dir                     = .                     # Top dir
+
+# The next part of the configuration file is used by the openssl req command.
+# It defines the CA's key pair, its DN, and the desired extensions for the CA
+# certificate.
+
+[ req ]
+default_bits            = 2048                  # RSA key size
+encrypt_key             = yes                   # Protect private key
+default_md              = sha256                # MD to use
+utf8                    = yes                   # Input is UTF-8
+string_mask             = utf8only              # Emit UTF-8 strings
+prompt                  = no                    # Don't prompt for DN
+distinguished_name      = ca_dn                 # DN section
+req_extensions          = ca_reqext             # Desired extensions
+
+[ ca_dn ]
+0.domainComponent       = "org"
+1.domainComponent       = "simple"
+organizationName        = "Simple Inc"
+commonName              = "Simple Signing CA"
+
+[ ca_reqext ]
+keyUsage                = critical,keyCertSign,cRLSign
+basicConstraints        = critical,CA:true,pathlen:0
+subjectKeyIdentifier    = hash
+
+# The remainder of the configuration file is used by the openssl ca command.
+# The CA section defines the locations of CA assets, as well as the policies
+# applying to the CA.
+
+[ ca ]
+default_ca              = signing_ca            # The default CA section
+
+[ signing_ca ]
+certificate             = $dir/ca/$ca.crt       # The CA cert
+private_key             = $dir/ca/$ca/private/$ca.key # CA private key
+new_certs_dir           = $dir/ca/$ca           # Certificate archive
+serial                  = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
+crlnumber               = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
+database                = $dir/ca/$ca/db/$ca.db # Index file
+rand_serial             = yes                   # Use random serial numbers
+unique_subject          = no                    # Require unique subject
+default_days            = 730                   # How long to certify for
+default_md              = sha256                # MD to use
+policy                  = match_pol             # Default naming policy
+email_in_dn             = yes                   # Add email to cert DN
+preserve                = no                    # Keep passed DN ordering
+name_opt                = multiline,-esc_msb,utf8 # Subject DN display options
+cert_opt                = ca_default            # Certificate display options
+copy_extensions         = copy                  # Copy extensions from CSR
+x509_extensions         = email_ext             # Default cert extensions
+default_crl_days        = 7                     # How long before next CRL
+crl_extensions          = crl_ext               # CRL extensions
+
+# Naming policies control which parts of a DN end up in the certificate and
+# under what circumstances certification should be denied.
+
+[ match_pol ]
+domainComponent         = match                 # Must match 'simple.org'
+organizationName        = match                 # Must match 'Simple Inc'
+organizationalUnitName  = optional              # Included if present
+commonName              = supplied              # Must be present
+emailAddress            = optional              # Included if present
+
+[ any_pol ]
+domainComponent         = optional
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = optional
+emailAddress            = optional
+
+# Certificate extensions define what types of certificates the CA is able to
+# create.
+
+[ extern_pol ]
+countryName             = supplied              # Must be present
+stateOrProvinceName     = optional              # Included if present
+localityName            = optional              # Included if present
+organizationName        = supplied              # Must be present
+organizationalUnitName  = optional              # Included if present
+commonName              = supplied              # Must be present
+emailAddress            = optional              # Included if present
+
+
+[ email_ext ]
+keyUsage                = critical,digitalSignature,keyEncipherment
+basicConstraints        = CA:false
+extendedKeyUsage        = emailProtection,clientAuth
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always
+
+[ server_ext ]
+keyUsage                = critical,digitalSignature,keyEncipherment
+basicConstraints        = CA:false
+extendedKeyUsage        = serverAuth,clientAuth
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always
+
+[ client_ext ]
+keyUsage                = critical,digitalSignature
+basicConstraints        = CA:false
+extendedKeyUsage        = clientAuth
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always
+#authorityInfoAccess     = @issuer_info
+#crlDistributionPoints   = @crl_info
+
+# CRL extensions exist solely to point to the CA certificate that has issued
+# the CRL.
+
+[ crl_ext ]
+authorityKeyIdentifier  = keyid:always