Remove all static minica keys (#7489)

Remove the redis-tls, wfe-tls, and mail-test-srv keys which were
generated by minica and then checked in to the repo. All three are
replaced by the dynamically-generated ipki directory.

Part of https://github.com/letsencrypt/boulder/issues/7476

README.md

@@ -229,8 +229,8 @@ the following URLs:
 
 To access the HTTPS versions of the endpoints you will need to configure your
 ACME client software to use a CA truststore that contains the
-`test/wfe-tls/minica.pem` CA certificate. See
+`test/certs/ipki/minica.pem` CA certificate. See
-[`test/PKI.md`](https://github.com/letsencrypt/boulder/blob/main/test/PKI.md)
+[`test/certs/README.md`](https://github.com/letsencrypt/boulder/blob/main/test/certs/README.md)
 for more information.
 
 Your local Boulder instance uses a fake DNS resolver that returns 127.0.0.1

cmd/rocsp-tool/client_test.go

@@ -24,9 +24,9 @@ import (
 )
 
 func makeClient() (*rocsp.RWClient, clock.Clock) {
-	CACertFile := "../../test/redis-tls/minica.pem"
+	CACertFile := "../../test/certs/ipki/minica.pem"
-	CertFile := "../../test/redis-tls/boulder/cert.pem"
+	CertFile := "../../test/certs/ipki/localhost/cert.pem"
-	KeyFile := "../../test/redis-tls/boulder/key.pem"
+	KeyFile := "../../test/certs/ipki/localhost/key.pem"
 	tlsConfig := cmd.TLSConfig{
 		CACertFile: CACertFile,
 		CertFile:   CertFile,

docs/redis.md

@@ -41,9 +41,9 @@ Redis protocol. Here's the command to do that (run from the Boulder root):
 
 ```shell
 openssl s_client -connect 10.33.33.2:4218 \
-  -CAfile test/redis-tls/minica.pem \
+  -CAfile test/certs/ipki/minica.pem \
-  -cert test/redis-tls/boulder/cert.pem \
+  -cert test/certs/ipki/localhost/cert.pem \
-  -key test/redis-tls/boulder/key.pem
+  -key test/certs/ipki/localhost/key.pem
 ```
 
 Then, first thing when you connect, run `AUTH <user> <password>`. You can get a

mail/mailer_test.go

@@ -2,6 +2,9 @@ package mail
 
 import (
 	"bufio"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
@@ -9,7 +12,6 @@ import (
 	"net"
 	"net/mail"
 	"net/textproto"
-	"os"
 	"strings"
 	"testing"
 	"time"
@@ -21,6 +23,42 @@ import (
 	"github.com/letsencrypt/boulder/test"
 )
 
+var (
+	// These variables are populated by init(), and then referenced by setup() and
+	// listenForever(). smtpCert is the TLS certificate which will be served by
+	// the fake SMTP server, and smtpRoot is the issuer of that certificate which
+	// will be trusted by the SMTP client under test.
+	smtpRoot *x509.CertPool
+	smtpCert *tls.Certificate
+)
+
+func init() {
+	// Populate the global smtpRoot and smtpCert variables. We use a single self
+	// signed cert for both, for ease of generation. It has to assert the name
+	// localhost to appease the mailer, which is connecting to localhost.
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	fmt.Println(err)
+	template := x509.Certificate{
+		DNSNames:     []string{"localhost"},
+		SerialNumber: big.NewInt(123),
+		NotBefore:    time.Now().Add(-24 * time.Hour),
+		NotAfter:     time.Now().Add(24 * time.Hour),
+	}
+	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, key.Public(), key)
+	fmt.Println(err)
+	cert, err := x509.ParseCertificate(certDER)
+	fmt.Println(err)
+
+	smtpRoot = x509.NewCertPool()
+	smtpRoot.AddCert(cert)
+
+	smtpCert = &tls.Certificate{
+		Certificate: [][]byte{certDER},
+		PrivateKey:  key,
+		Leaf:        cert,
+	}
+}
+
 type fakeSource struct{}
 
 func (f fakeSource) generate() *big.Int {
@@ -76,13 +114,8 @@ func expect(t *testing.T, buf *bufio.Reader, expected string) error {
 type connHandler func(int, *testing.T, net.Conn, *net.TCPConn)
 
 func listenForever(l *net.TCPListener, t *testing.T, handler connHandler) {
-	keyPair, err := tls.LoadX509KeyPair("../test/mail-test-srv/localhost/cert.pem", "../test/mail-test-srv/localhost/key.pem")
-	if err != nil {
-		t.Errorf("loading keypair: %s", err)
-
-	}
 	tlsConf := &tls.Config{
-		Certificates: []tls.Certificate{keyPair},
+		Certificates: []tls.Certificate{*smtpCert},
 	}
 	connID := 0
 	for {
@@ -285,16 +318,6 @@ func setup(t *testing.T) (*mailerImpl, *net.TCPListener, func()) {
 		}
 	}
 
-	pem, err := os.ReadFile("../test/mail-test-srv/minica.pem")
-	if err != nil {
-		t.Fatalf("loading smtp root: %s", err)
-	}
-	smtpRoots := x509.NewCertPool()
-	ok := smtpRoots.AppendCertsFromPEM(pem)
-	if !ok {
-		t.Fatal("failed parsing SMTP root")
-	}
-
 	// We can look at the listener Addr() to figure out which free port was
 	// assigned by the operating system
 
@@ -308,7 +331,7 @@ func setup(t *testing.T) (*mailerImpl, *net.TCPListener, func()) {
 		port,
 		"user@example.com",
 		"passwd",
-		smtpRoots,
+		smtpRoot,
 		*fromAddress,
 		log,
 		metrics.NoopRegisterer,

ra/ra_test.go

@@ -374,9 +374,9 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, sapb.StorageAutho
 		rc := bredis.Config{
 			Username: "unittest-rw",
 			TLS: cmd.TLSConfig{
-				CACertFile: "../test/redis-tls/minica.pem",
+				CACertFile: "../test/certs/ipki/minica.pem",
-				CertFile:   "../test/redis-tls/boulder/cert.pem",
+				CertFile:   "../test/certs/ipki/localhost/cert.pem",
-				KeyFile:    "../test/redis-tls/boulder/key.pem",
+				KeyFile:    "../test/certs/ipki/localhost/key.pem",
 			},
 			Lookups: []cmd.ServiceDomain{
 				{

ratelimits/source_redis_test.go

@@ -4,19 +4,20 @@ import (
 	"testing"
 	"time"
 
+	"golang.org/x/net/context"
+
 	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/metrics"
 	"github.com/letsencrypt/boulder/test"
-	"golang.org/x/net/context"
 
 	"github.com/jmhodges/clock"
 	"github.com/redis/go-redis/v9"
 )
 
 func newTestRedisSource(clk clock.FakeClock, addrs map[string]string) *RedisSource {
-	CACertFile := "../test/redis-tls/minica.pem"
+	CACertFile := "../test/certs/ipki/minica.pem"
-	CertFile := "../test/redis-tls/boulder/cert.pem"
+	CertFile := "../test/certs/ipki/localhost/cert.pem"
-	KeyFile := "../test/redis-tls/boulder/key.pem"
+	KeyFile := "../test/certs/ipki/localhost/key.pem"
 	tlsConfig := cmd.TLSConfig{
 		CACertFile: CACertFile,
 		CertFile:   CertFile,

redis/lookup_test.go

@@ -14,9 +14,9 @@ import (
 )
 
 func newTestRedisRing() *redis.Ring {
-	CACertFile := "../test/redis-tls/minica.pem"
+	CACertFile := "../test/certs/ipki/minica.pem"
-	CertFile := "../test/redis-tls/boulder/cert.pem"
+	CertFile := "../test/certs/ipki/localhost/cert.pem"
-	KeyFile := "../test/redis-tls/boulder/key.pem"
+	KeyFile := "../test/certs/ipki/localhost/key.pem"
 	tlsConfig := cmd.TLSConfig{
 		CACertFile: CACertFile,
 		CertFile:   CertFile,

rocsp/rocsp_test.go

@@ -9,16 +9,17 @@ import (
 	"time"
 
 	"github.com/jmhodges/clock"
-	"github.com/letsencrypt/boulder/cmd"
-	"github.com/letsencrypt/boulder/metrics"
 	"github.com/redis/go-redis/v9"
 	"golang.org/x/crypto/ocsp"
+
+	"github.com/letsencrypt/boulder/cmd"
+	"github.com/letsencrypt/boulder/metrics"
 )
 
 func makeClient() (*RWClient, clock.Clock) {
-	CACertFile := "../test/redis-tls/minica.pem"
+	CACertFile := "../test/certs/ipki/minica.pem"
-	CertFile := "../test/redis-tls/boulder/cert.pem"
+	CertFile := "../test/certs/ipki/localhost/cert.pem"
-	KeyFile := "../test/redis-tls/boulder/key.pem"
+	KeyFile := "../test/certs/ipki/localhost/key.pem"
 	tlsConfig := cmd.TLSConfig{
 		CACertFile: CACertFile,
 		CertFile:   CertFile,

test/certs/.gitignore

@@ -1,3 +1,4 @@
 /ipki
+/misc
 /webpki
 /.softhsm-tokens

test/certs/README.md

@@ -47,22 +47,37 @@ these certificates (for the services that we run multiple copies of) have
 multiple names, so the same certificate can be loaded by each copy of that
 service.
 
+It also contains some non-gRPC certificates which are nonetheless serving the
+role of internal authentication between Let's Encrypt components:
+
+- The IP-address certificate used by challtestsrv (which acts as the integration
+  test environment's recursive resolver) for DoH handshakes.
+- The certificate presented by mail-test-srv's SMTP endpoint.
+- The certificate presented by the test redis cluster.
+- The certificate presented by the WFE's API TLS handler (which is usually
+  behind some other load-balancer like nginx).
+
 This PKI is loaded by virtually every Boulder component.
 
+**Note:** the minica issuer certificate and the "localhost" end-entity
+certificate are also used by several rocsp and ratelimit unit tests. The tests
+use these certificates to authenticate to the docker-compose redis cluster, and
+therefore cannot succeed outside of the docker environment anyway, so a
+dependency on the ipki hierarchy having been generated does not break them
+further.
+
 ## Other Test PKIs
 
 A variety of other PKIs (collections of keys and certificates) exist in this
 repository for the sake of unit and integration testing. We list them here as a
 TODO-list of PKIs to remove and clean up:
 
-- challtestsrv DoH: Our fake DNS challenge test server (which fulfills DNS-01
+- unit test hierarchy: the //test/hierarchy/ directory holds a collection of
-  challenges during integration tests) can negotiate DoH handshakes. The key and
+  certificates used by unit tests which want access to realistic issuer certs
-  cert is uses for this are currently generated as part of the ipki directory,
+  but don't want to rely on the //test/certs/webpki directory being generated.
-  but are fundamentally different from that PKI and should be moved.
+  These should be replaced by certs which the unit tests dynamically generate
-- wfe-tls: The //test/wfe-tls/ directory holds the key and certificate which the
+  in-memory, rather than loading from disk.
-  WFE uses to negotiate TLS handshakes with API clients.
+- unit test mocks: //test/test-key-5.der and //wfe2/wfe_test.go contain keys and
-- redis: The //test/redis-tls/ directory holds the key and certificate used by
+  certificates which are used to elicit specific behavior from //mocks/mocks.go.
-  our test redis cluster. This should probably be moved into the ipki directory.
+  These should be replaced with dynamically-generated keys and more flexible
-- unit tests: the //test/hierarchy/ directory holds a variety of certificates
+  mocks.
-  used by unit tests. These should be replaced by certs which the unit tests
-  dynamically generate in-memory, rather than loading from disk.

test/certs/generate.sh

@@ -3,32 +3,50 @@ set -e
 
 cd "$(realpath -- $(dirname -- "$0"))"
 
-ipki() (
+# Check that `minica` is installed
-  # Check that `minica` is installed
+command -v minica >/dev/null 2>&1 || {
-  command -v minica >/dev/null 2>&1 || {
+  echo >&2 "No 'minica' command available.";
-    echo >&2 "No 'minica' command available.";
+  echo >&2 "Check your GOPATH and run: 'go install github.com/jsha/minica@latest'.";
-    echo >&2 "Check your GOPATH and run: 'go install github.com/jsha/minica@latest'.";
+  exit 1;
-    exit 1;
+}
-  }
 
+ipki() (
   # Minica generates everything in-place, so we need to cd into the subdirectory.
   # This function executes in a subshell, so this cd does not affect the parent
   # script.
   mkdir ipki
   cd ipki
 
-  # Used by challtestsrv to negotiate DoH handshakes.
+  # Create a generic cert which can be used by our test-only services (like
-  # TODO: Move this out of the ipki directory.
+  # mail-test-srv) that aren't sophisticated enough to present a different name.
-  # This also creates the issuer key, so the loops below can run in the
+  # This first invocation also creates the issuer key, so the loops below can
-  # background without competing over who gets to create it.
+  # run in the background without racing to create it.
+  minica -domains localhost
+
+  # Used by challtestsrv to negotiate DoH handshakes. Even though we think of
+  # challtestsrv as being external to our infrastructure (because it hosts the
+  # DNS records that the tests validate), it *also* takes the place of our
+  # recursive resolvers, so the DoH certificate that it presents to the VAs is
+  # part of our internal PKI.
   minica -ip-addresses 10.77.77.77,10.88.88.88
 
+  # Presented by the WFE's TLS server, when configured. Normally the WFE lives
+  # behind another TLS-terminating server like nginx or apache, so the cert that
+  # it presents to that layer is also part of the internal PKI.
+  minica -domains "boulder"
+
+  # Presented by the test redis cluster. Contains IP addresses because Boulder
+  # components find individual redis servers via SRV records.
+  minica -domains redis -ip-addresses 10.33.33.2,10.33.33.3,10.33.33.4,10.33.33.5,10.33.33.6,10.33.33.7,10.33.33.8,10.33.33.9
+
+  # Used by Boulder gRPC services as both server and client mTLS certificates.
   for SERVICE in admin-revoker expiration-mailer ocsp-responder consul \
     wfe akamai-purger bad-key-revoker crl-updater crl-storer \
-    health-checker; do
+    health-checker rocsp-tool; do
     minica -domains "${SERVICE}.boulder" &
   done
 
+  # Same as above, for services that we run multiple copies of.
   for SERVICE in publisher nonce ra ca sa va rva ; do
     minica -domains "${SERVICE}.boulder,${SERVICE}1.boulder,${SERVICE}2.boulder" &
   done

test/chisel2.py

@@ -39,7 +39,7 @@ DIRECTORY_V2 = os.getenv('DIRECTORY_V2', 'http://boulder.service.consul:4001/dir
 ACCEPTABLE_TOS = os.getenv('ACCEPTABLE_TOS',"https://boulder.service.consul:4431/terms/v7")
 PORT = os.getenv('PORT', '80')
 
-os.environ.setdefault('REQUESTS_CA_BUNDLE', 'test/wfe-tls/minica.pem')
+os.environ.setdefault('REQUESTS_CA_BUNDLE', 'test/certs/ipki/minica.pem')
 
 import challtestsrv
 challSrv = challtestsrv.ChallTestServer()

test/config-next/bad-key-revoker.json

@@ -25,7 +25,7 @@
 			"username": "cert-manager@example.com",
 			"from": "bad key revoker <bad-key-revoker@test.org>",
 			"passwordFile": "test/secrets/smtp_password",
-			"SMTPTrustedRootFile": "test/mail-test-srv/minica.pem",
+			"SMTPTrustedRootFile": "test/certs/ipki/minica.pem",
 			"emailSubject": "Certificates you've issued have been revoked due to key compromise",
 			"emailTemplate": "test/example-bad-key-revoker-template"
 		},

test/config-next/expiration-mailer.json

@@ -33,7 +33,7 @@
 			"noWaitForReady": true,
 			"hostOverride": "sa.boulder"
 		},
-		"SMTPTrustedRootFile": "test/mail-test-srv/minica.pem",
+		"SMTPTrustedRootFile": "test/certs/ipki/minica.pem",
 		"frequency": "1h",
 		"features": {
 			"ExpirationMailerUsesJoin": true

test/config-next/ocsp-responder.json

@@ -11,9 +11,9 @@
 			"poolSize": 100,
 			"routeRandomly": true,
 			"tls": {
-				"caCertFile": "test/redis-tls/minica.pem",
+				"caCertFile": "test/certs/ipki/minica.pem",
-				"certFile": "test/redis-tls/boulder/cert.pem",
+				"certFile": "test/certs/ipki/ocsp-responder.boulder/cert.pem",
-				"keyFile": "test/redis-tls/boulder/key.pem"
+				"keyFile": "test/certs/ipki/ocsp-responder.boulder/key.pem"
 			}
 		},
 		"tls": {

test/config-next/rocsp-tool.json

@@ -9,9 +9,9 @@
 			},
 			"timeout": "5s",
 			"tls": {
-				"caCertFile": "test/redis-tls/minica.pem",
+				"caCertFile": "test/certs/ipki/minica.pem",
-				"certFile": "test/redis-tls/boulder/cert.pem",
+				"certFile": "test/certs/ipki/rocsp-tool.boulder/cert.pem",
-				"keyFile": "test/redis-tls/boulder/key.pem"
+				"keyFile": "test/certs/ipki/rocsp-tool.boulder/key.pem"
 			}
 		}
 	},

test/config-next/wfe2.json

@@ -1,8 +1,8 @@
 {
 	"wfe": {
 		"timeout": "30s",
-		"serverCertificatePath": "test/wfe-tls/boulder/cert.pem",
+		"serverCertificatePath": "test/certs/ipki/boulder/cert.pem",
-		"serverKeyPath": "test/wfe-tls/boulder/key.pem",
+		"serverKeyPath": "test/certs/ipki/boulder/key.pem",
 		"allowOrigins": [
 			"*"
 		],
@@ -118,9 +118,9 @@
 				"poolSize": 100,
 				"routeRandomly": true,
 				"tls": {
-					"caCertFile": "test/redis-tls/minica.pem",
+					"caCertFile": "test/certs/ipki/minica.pem",
-					"certFile": "test/redis-tls/boulder/cert.pem",
+					"certFile": "test/certs/ipki/wfe.boulder/cert.pem",
-					"keyFile": "test/redis-tls/boulder/key.pem"
+					"keyFile": "test/certs/ipki/wfe.boulder/key.pem"
 				}
 			},
 			"Defaults": "test/config-next/wfe2-ratelimit-defaults.yml",

test/config/bad-key-revoker.json

@@ -26,7 +26,7 @@
 			"username": "cert-manager@example.com",
 			"from": "bad key revoker <bad-key-revoker@test.org>",
 			"passwordFile": "test/secrets/smtp_password",
-			"SMTPTrustedRootFile": "test/mail-test-srv/minica.pem",
+			"SMTPTrustedRootFile": "test/certs/ipki/minica.pem",
 			"emailSubject": "Certificates you've issued have been revoked due to key compromise",
 			"emailTemplate": "test/example-bad-key-revoker-template"
 		},

test/config/expiration-mailer.json

@@ -31,7 +31,7 @@
 			"noWaitForReady": true,
 			"hostOverride": "sa.boulder"
 		},
-		"SMTPTrustedRootFile": "test/mail-test-srv/minica.pem",
+		"SMTPTrustedRootFile": "test/certs/ipki/minica.pem",
 		"frequency": "1h"
 	},
 	"syslog": {

test/config/ocsp-responder.json

@@ -15,9 +15,9 @@
 			"poolSize": 100,
 			"routeRandomly": true,
 			"tls": {
-				"caCertFile": "test/redis-tls/minica.pem",
+				"caCertFile": "test/certs/ipki/minica.pem",
-				"certFile": "test/redis-tls/boulder/cert.pem",
+				"certFile": "test/certs/ipki/ocsp-responder.boulder/cert.pem",
-				"keyFile": "test/redis-tls/boulder/key.pem"
+				"keyFile": "test/certs/ipki/ocsp-responder.boulder/key.pem"
 			}
 		},
 		"tls": {

test/config/rocsp-tool.json

@@ -10,9 +10,9 @@
 			},
 			"timeout": "5s",
 			"tls": {
-				"caCertFile": "test/redis-tls/minica.pem",
+				"caCertFile": "test/certs/ipki/minica.pem",
-				"certFile": "test/redis-tls/boulder/cert.pem",
+				"certFile": "test/certs/ipki/rocsp-tool.boulder/cert.pem",
-				"keyFile": "test/redis-tls/boulder/key.pem"
+				"keyFile": "test/certs/ipki/rocsp-tool.boulder/key.pem"
 			}
 		}
 	},

test/config/wfe2.json

@@ -2,8 +2,8 @@
 	"wfe": {
 		"listenAddress": "0.0.0.0:4001",
 		"TLSListenAddress": "0.0.0.0:4431",
-		"serverCertificatePath": "test/wfe-tls/boulder/cert.pem",
+		"serverCertificatePath": "test/certs/ipki/boulder/cert.pem",
-		"serverKeyPath": "test/wfe-tls/boulder/key.pem",
+		"serverKeyPath": "test/certs/ipki/boulder/key.pem",
 		"allowOrigins": [
 			"*"
 		],

test/integration/ratelimit_test.go

@@ -9,6 +9,7 @@ import (
 	"testing"
 
 	"github.com/jmhodges/clock"
+
 	"github.com/letsencrypt/boulder/cmd"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
@@ -35,9 +36,9 @@ func TestDuplicateFQDNRateLimit(t *testing.T) {
 		rc := bredis.Config{
 			Username: "unittest-rw",
 			TLS: cmd.TLSConfig{
-				CACertFile: "test/redis-tls/minica.pem",
+				CACertFile: "test/certs/ipki/minica.pem",
-				CertFile:   "test/redis-tls/boulder/cert.pem",
+				CertFile:   "test/certs/ipki/localhost/cert.pem",
-				KeyFile:    "test/redis-tls/boulder/key.pem",
+				KeyFile:    "test/certs/ipki/localhost/key.pem",
 			},
 			Lookups: []cmd.ServiceDomain{
 				{

test/mail-test-srv/localhost/cert.pem

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIIQGSVDolhyP4wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
-AxMVbWluaWNhIHJvb3QgY2EgMGY1NmYxMCAXDTE3MTEwMjAxMzUyMVoYDzIxMDcx
-MTAyMDIzNTIxWjAUMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDUJMN6C6mqo/AYMKYUBnsxvsnyZYFSqeWraSZQlMWs
-THB2FYUUndTOOQIypQfDEHtSx+bA5VzvKfgUSYMcHeFqf5zm00+33G6Z/TlBS6a1
-UG1GQf5saKemKkujLS7zHBTn7OqANJefZtIlXOh4s6EwkbpzyYM2s89FxxQMvdnH
-eB6exiiOsG9OHlA9Y4sPOSt1myYcuGKaxzTeEHpBYQii/SPzNqVEikDAmzfXDkUZ
-Y7xnJO7B1JLkWz+/J/OoEPcjulPuyO1x71b8Wxlf7IGz4G1L0DwYWYWF9ihBAP7L
-nxCghb2J3wyh+NXRN67teIjL5Ata4i9QleoQVCO31GMNAgMBAAGjVTBTMA4GA1Ud
-DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0T
-AQH/BAIwADAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEB
-AHya9synKy5sBv+608s9stcDPOdT6neNtzOm2cY9mq9KEO58acRi7CTa/Fxa/cpm
-B/iYMHznqe/6dzgpdDUYgcr/gfMFKI7qjms7EyCUdIpC5qmiyZNjTNMOLm7SlM0F
-00FobsGScgK/D1AubqzbizgCzKO4QttlZd07i5mQHdFURGRg2CHCVawRVMUzMgA3
-ZslZh+wTa4AilXunA02aOkwDkQcPUQJXaUIx2NpIN3+aPSw3/8aTU3tiEEgCbblQ
-YfGC0H5gPF5OjZCknTp0RxdCMIfnWdgzh9mU3cmXwR7roLEec+Wp0S7PQ8ayo/c1
-ocNPAB9fZDHmqHaRYApI4BI=
------END CERTIFICATE-----

test/mail-test-srv/localhost/key.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA1CTDegupqqPwGDCmFAZ7Mb7J8mWBUqnlq2kmUJTFrExwdhWF
-FJ3UzjkCMqUHwxB7UsfmwOVc7yn4FEmDHB3han+c5tNPt9xumf05QUumtVBtRkH+
-bGinpipLoy0u8xwU5+zqgDSXn2bSJVzoeLOhMJG6c8mDNrPPRccUDL3Zx3gensYo
-jrBvTh5QPWOLDzkrdZsmHLhimsc03hB6QWEIov0j8zalRIpAwJs31w5FGWO8ZyTu
-wdSS5Fs/vyfzqBD3I7pT7sjtce9W/FsZX+yBs+BtS9A8GFmFhfYoQQD+y58QoIW9
-id8MofjV0Teu7XiIy+QLWuIvUJXqEFQjt9RjDQIDAQABAoIBAQCwQut3mAEcmqF+
-N82Fje0F4/N+xv+wYyFETlVbVoD3K3u1YSP1gT2zKoK8+Yl9dVBB832yf9+7hy9s
-C7g3wEvuZKFE2AXAShJLN64+plCZDX39hg+Sm1HQKgw2Q/BiZc6o9JvSceAYvSGV
-kaBFyVoANNSqJ6Ax7ywkWcg63fL4Wz2r0J+HhEI09OlazdKepbcteDu+3ohw1FkA
-LSMJ6UuBCyx2w5TY32YTArtrX41gVKYJ9CfJd/9Bp3xypBQ+GTDoYQfHSAJjhK/3
-yRS6xlg05v6WVccjAJv2depKEpRXTWrHLiPRW+Rdn70T65vd4Kkwa7m1KAPPdOzq
-p7MgyBAxAoGBAN0j17g/QjjHGVsw/58tbzC1Wk5rULmMbz4BPRMCv5KJN2iRbJiO
-hHkMX6AeMbQCkRhoMDSRfNbTnzEfwUepD40U4rlRdoMv7Ig0Aj88/bc4KzC4ihJ0
-FBtehGfGbGds5DvXj/tAOqQaZwIu6bazg35RlkEwVyU1KouCGa7+alYHAoGBAPWV
-3nUC0VQ3NnYcvHhWpSZO+K4PzE+Z27npTXlNbdosPuOZE86OeS0JLHYpwZPHZb7M
-53FA1hEiST1E7NEu6lNj0L077dD528BDMuZqywvfqclUH5EWXZp9HRXzO5eRa9td
-N/peQST93/hJohZ/EKuxUxoHe0HPx68e2+Sr5ZlLAoGAYbnPQSsjdrf16qjSrmOD
-ucDLMdCXEgiPuJUPinEye+2LwPhTR2/j9yKSt83gJS7lNCYG95Q72SwYM7tWzPZX
-Wv+Z2k+30e3B18c0HwIzFV8LJzLGQbVulVHFrZ6wlVw32IJArMYLpC3Oy9Yzjnvy
-ZkZj4lcci+Lc9F4AP6dLEs0CgYEAiwYoRL0vmykWX46s8sK6AxG5nW+8DWPgC0KT
-ZRP8GAHsKBPELq5g0qnazZmdx/adFoIQkwBNLq3mIBUgqtqQNFzREg8W9bI8QH7K
-Fb5m63XWO+6vYAb1PjuNd5uWJJtiH3CJ++XXowVFAN1OMMYFvexISvfpQrxJIk2p
-1a2p8DkCgYEAzniTsmTFI9WrOb6CKhPiPBvjhHApixQ9531tUHvXh43OGwc3z5Wi
-tQzdzo7QRPmerKFwI3o7H6Ei+39xbIDnCZtQkctzyxLFYZA18xx+zgkEhgxWZUT6
-aJ49/xHnzyQC0OV5IYpxxzbnBnj8RmjEnsvsqD0VI/jdAV40W3G6vVE=
------END RSA PRIVATE KEY-----

test/mail-test-srv/minica-key.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA1B7APkx8Eu5xL7ZogG2U12ag9XUGEGYdCLtsbbg54HTSmGwr
-8G6HZHBt4U2gkn0MieuE75UXyoCuTMYFgC5YKZgUo3Qb2pIey5FHhsFY+84swuq8
-vV/vPYiiG+Mf1UDTICKY+GeCmiHs07KyaVmnJyfx2R3/FEjL194b2u9rOeTNJrNg
-QdY2yRUG+x2Ml725w3RzXN/szdaVrSnmpSmVLGQhVnTy/je1CENcfvc/unixf02v
-Z0m8h1dCehDG/5It8d6EQT2FieuTLU7TKxzCR+6O1ZxXG74D5B6cOz1cpOi9v95J
-EKaspoW04LtBZbZODUk0TqIgxwCIT4ZJx3M9rQIDAQABAoIBAQDCf/Ps6/r07PiS
-NGL8J/7LyAodKBHIZamHwTu6G6vOObCFHOLpUqAJI+JNLf3ndIxTxsadXIt1Hqs0
-MHsIvvYOJan++s8zirp8FJmOYamzMqjujYlE6DuZo7hpc8hTpV4x4Cd91oP1yte6
-geeAHDnd+I2VdSDYu6tWJA5MoS4j5RHwbijaQa7YaLcKq4t5BEuktJjq0/H+i39Y
-/Qay5DprRadm2PYIAlMs14eCNTYTsKRvVseVlMXEW33+Abi2Qi0nBRI11Pk3JHjx
-sleaWtQr+fYQx2roMAPdaKqclrt0LD4FkIkEn6fMU8fEvwP+/HH0T70qIF4Ez2QS
-Qwzbed7NAoGBAOEbia+VosDN4PM7m9tnwhj05P7S3GkyxkksQhVd9ZneDGZnDQ/g
-817GYCsK1JMor5xDhlbsuHbi5qYvqSq3l2Jc94xs4aEd7VbKxv5SeqQNAKkWqG8l
-E27a9KyaAmOO/KvbSsHST5KtnPaMhGlZWLtn+EFmHibHQhPZI/p5eAaXAoGBAPE6
-8GU0MECqin6v0qQpepIrVtp2rYnKC7pusklwFlJgFeadoMoS5GUwLOY42FbLI9FI
-BFZXy5lu18mqrdsZo6DaNU9GuU1vqY//FjJ867ih/Pk/5PEckG8FfUekQf9mQn0c
-aRqmSYTBUBea2NV+BJN7Vad51As4wBmN3W8CkQpbAoGAOQZa2MoVUrZU2AkvsGMW
-fm/7Wrpb76JXLM4zZ2pH/1SK254bZvxbapTiY8T4mNbjtbg9XePVzvgn6c2FEzcy
-+E4Iv+ANQF1udGAmDOMkAk7w7eS5gn5n79szxE23cTUVuQtyYqs+US/95U8vc+iY
-W9E4yIhv9u7fRFvri1YeG70CgYBeiN16m7gpL2w094xR3xt0ut0/ofCiJfbwqb7e
-vrlQsO0EQlOnvT2aVgXSdwZ5BQTVWCay+5cDWwfftS6KxYJ1X+4yUiH+Mbs+fhXh
-1Ui/Q2QS/bIntyz3BSyybbGbeCSoSQD7e50mFGfhyEIfcFI0xcmsZzbs6uGFYi4b
-+eKDLwKBgQCeC7/V/PB3AIwpyxpu4D1/5+o7YSAY7Nz+qhqq1ar175/Zyg7KePmg
-i+cQdpIThu836NjEjl1NpSPoR2sAtF0wry1JdYw4iSbi9wppamCGcGrFEDUZnruG
-pGQgQS035iShZ7Fpll/rAosNXONYPxQEO55xSkqlSec4oxBDVjkO8w==
------END RSA PRIVATE KEY-----

test/mail-test-srv/minica.pem

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDCTCCAfGgAwIBAgIID1bxK97hADQwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
-AxMVbWluaWNhIHJvb3QgY2EgMGY1NmYxMCAXDTE3MTEwMjAxMzUyMVoYDzIxMTcx
-MTAyMDIzNTIxWjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSAwZjU2ZjEwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDUHsA+THwS7nEvtmiAbZTXZqD1
-dQYQZh0Iu2xtuDngdNKYbCvwbodkcG3hTaCSfQyJ64TvlRfKgK5MxgWALlgpmBSj
-dBvakh7LkUeGwVj7zizC6ry9X+89iKIb4x/VQNMgIpj4Z4KaIezTsrJpWacnJ/HZ
-Hf8USMvX3hva72s55M0ms2BB1jbJFQb7HYyXvbnDdHNc3+zN1pWtKealKZUsZCFW
-dPL+N7UIQ1x+9z+6eLF/Ta9nSbyHV0J6EMb/ki3x3oRBPYWJ65MtTtMrHMJH7o7V
-nFcbvgPkHpw7PVyk6L2/3kkQpqymhbTgu0Fltk4NSTROoiDHAIhPhknHcz2tAgMB
-AAGjRTBDMA4GA1UdDwEB/wQEAwIChDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
-BQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsFAAOCAQEAx4uu
-dfQYt+ptP1d+rrOxhA+g1eFH25icncf+ZUYCWVgJru9rvFQML1YfXVQ9HhRaIANA
-CogsogYob/3adaGXIMeC0ujA7YQOT6twe4APwHZwNElk9tcH/0SwHNimumvbz2F4
-QKkz43Ml1bomVlZH/RXXH9QGdIOb/WkPXyO1OrooEgSysduA2k6T2DJ3pZN68cz9
-GScL8xqe3oiJX/CEr20FxG1V8fYi8VWfh1+EIDDssT4RDnvoTOxuRonobCRKd5EV
-wrYm4SHoj1jU6PeZxFb+EesgTOcscgQORdmFdi873Qks1RVqRQPohzBsqW4/56gG
-imYVgFowC7JJ0DjBpg==
------END CERTIFICATE-----

test/redis-cli.sh

@@ -4,9 +4,9 @@ set -feuo pipefail
 
 ARGS="-p 4218 \
     --tls \
-    --cert /test/redis-tls/redis/cert.pem \
+    --cert /test/certs/ipki/redis/cert.pem \
-    --key /test/redis-tls/redis/key.pem \
+    --key /test/certs/ipki/redis/key.pem \
-    --cacert /test/redis-tls/minica.pem \
+    --cacert /test/certs/ipki/minica.pem \
     --user admin-user \
     --pass 435e9c4225f08813ef3af7c725f0d30d263b9cd3"
 

test/redis-ocsp.config

@@ -28,6 +28,6 @@ user unittest-rw       on +@all ~* >824968fa490f4ecec1e52d5e34916bdb60d45f8d
 masteruser admin-user
 masterauth 435e9c4225f08813ef3af7c725f0d30d263b9cd3
 tls-protocols "TLSv1.3"
-tls-cert-file /test/redis-tls/redis/cert.pem
+tls-cert-file /test/certs/ipki/redis/cert.pem
-tls-key-file /test/redis-tls/redis/key.pem
+tls-key-file /test/certs/ipki/redis/key.pem
-tls-ca-cert-file /test/redis-tls/minica.pem
+tls-ca-cert-file /test/certs/ipki/minica.pem

test/redis-ratelimits.config

@@ -25,6 +25,6 @@ user unittest-rw       on +@all ~* >824968fa490f4ecec1e52d5e34916bdb60d45f8d
 masteruser admin-user
 masterauth 435e9c4225f08813ef3af7c725f0d30d263b9cd3
 tls-protocols "TLSv1.3"
-tls-cert-file /test/redis-tls/redis/cert.pem
+tls-cert-file /test/certs/ipki/redis/cert.pem
-tls-key-file /test/redis-tls/redis/key.pem
+tls-key-file /test/certs/ipki/redis/key.pem
-tls-ca-cert-file /test/redis-tls/minica.pem
+tls-ca-cert-file /test/certs/ipki/minica.pem

test/redis-tls/boulder-redis/cert.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDNDCCAhygAwIBAgIIQHm/iT9HzJQwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
-AxMVbWluaWNhIHJvb3QgY2EgMDIwZGJhMB4XDTIzMTEyMjIxMjUzMVoXDTI1MTIy
-MjIxMjUzMVowGDEWMBQGA1UEAxMNYm91bGRlci1yZWRpczCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAJyiukCCpUBL7biyuwKIVHBQ8RhsRy2qlAo/LIgG
-yrUt6A25Hyl6NQ7Ay1/BjzyY7b0gu6O45WwnQBTlBjRFf26kzA1lr7ASaLMKx7gc
-dJfosz3EerAuY+jr3/Fckib9rLEdYv/60a47PNlmUQcK1TR2wKzmCecoRVZuvD36
-LxdD2Vhj90/9wEquKvHkV0TjaUUQ2+UTUUDp6KPJ+/caQq5o27FCC7Df0FRkU2TS
-S0RfqJwQ6zFDcMamOzQGnol8ijP++B/tGPhOrsHU3T5G91XjSAcB/KKpwoyQfPlo
-jgMF3n5n59xrVwvVq/pIerlv0zIraQkZNQGWcGyDl58YTEkCAwEAAaN6MHgwDgYD
-VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNV
-HRMBAf8EAjAAMB8GA1UdIwQYMBaAFA/oVvRrtcTNIZU9ljkaOO5YoxCtMBgGA1Ud
-EQQRMA+CDWJvdWxkZXItcmVkaXMwDQYJKoZIhvcNAQELBQADggEBAAS24MPzIZMA
-PCdQMCu0HLio2WKkG9mcfr9jrnBOqZL32ef9a+h6h363fHdfd78kbt9GE7NibY9B
-v5UKrFBrBFX3ddQ9eRMkRxsdcedjwAq2Do7wgiAaBHHAj5nxH4Q3tZEPX8Q4yhG+
-sXVvqcWF9CLD4V//uTEBQ8T4uPaZOgxLrGBs4fs0pz/8ULBgTHL+plOGay8KzwJa
-flBQUV29T5dPSransox/50YvX56V2UYW2fALJzbAuHjp/y2r9XVcVUSolVGt9di8
-fOYK7Lk462xVthN3PuiI97ZTkhnYgxGrBKWFotNg+BPuxNcx9hJdiBa7DOI3PU/D
-UCCjY21XRvw=
------END CERTIFICATE-----

test/redis-tls/boulder-redis/key.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAnKK6QIKlQEvtuLK7AohUcFDxGGxHLaqUCj8siAbKtS3oDbkf
-KXo1DsDLX8GPPJjtvSC7o7jlbCdAFOUGNEV/bqTMDWWvsBJoswrHuBx0l+izPcR6
-sC5j6Ovf8VySJv2ssR1i//rRrjs82WZRBwrVNHbArOYJ5yhFVm68PfovF0PZWGP3
-T/3ASq4q8eRXRONpRRDb5RNRQOnoo8n79xpCrmjbsUILsN/QVGRTZNJLRF+onBDr
-MUNwxqY7NAaeiXyKM/74H+0Y+E6uwdTdPkb3VeNIBwH8oqnCjJB8+WiOAwXefmfn
-3GtXC9Wr+kh6uW/TMitpCRk1AZZwbIOXnxhMSQIDAQABAoIBAQCA0ghSA+B6l7ej
-3kKVW5/uW3NdfbewZAiqwLgUC1ntVhryJlztlNdMEd1xHFR8Jt3nXKNVjDwLDeDT
-DmRi2wFp8tjq78VlDk7TaTtGPQja4oN/ejbY7N44cr1T2KlOrfS4GY4RLqwCGi/6
-L/7Vxt//7Oabi/l7BhC4fAwPANJ304jlqOMvZ+EhwVtdHecmNcthcaz2focMiFrd
-NJX8+lEpdt/KU2of+6vrtY29dyqHIiEv2F4ioTrIp34JnsQoL6W6v/tHdl39ahEh
-sgE7ay7BHX3ltp7f3NuWU0xFS067bTxHfK7iZD1SxwZAWBDJpevgN/Y1hNOnJ3Ur
-InxefrXxAoGBAMWiaAtpiezHu0/ALunrhpqNLSvppeHIBoTOvM65i9O7FrEGqNuI
-2RwPGBUYI8CXD2znLJgRcq0p4oiq0M1KMBfrJdeO615JYVzJL/uR/83SM4saKFB4
-OG0k1KQQbsk8Uhxo9tovcrHdPKHfV2SWCvOkmBXySCAyYdhtQucVz+OVAoGBAMrk
-ueSYCSz0E+ADRm1acOLXYkb4zakF6/Jolj/9Ql9L98BpXu6MQ2LGW2vIJ0qbn2hv
-FrpRwsPXRN1qQMt40UeRvfRYZwR/jdOPpyllIGstMdSD/sADHfm+/8mwf/gbTEKu
-X/x7TwEXiDALIixYF64MCi1YqRzFFV5AyiacrNjlAoGAdwFXU1/mrIyMjvYzianI
-MLJH/ARCXdVbj4cJjBWQTBuBC3HuJduemFXCc5lIlgSgRjxhzuPawMjS3ua0upks
-oop3C/jEY88d8Ig4+2wrs50aam2CzwnFOHuQC4bVnxlSfEb8Nd+SWeXVR8e70RbE
-W3fGGJj+s1yDLJaGTa4Fs40CgYBGACIOt1G7G77bs+WRhvmZmfwDRoYWQb/FE8Z6
-71L99ATXcsNZBDWfl5YlGppLyGN4MZOi1uCelt/gkG8ohFeYHLVv3ywzxhpVmqNu
-ycAkmiQuERhMgQbPitFPccDFBg4Kl4TwZE6+rrLC+KRirkYFO4wrVwKJtYmIyku0
-hKux7QKBgQC6NRzYWwRRSQnaXKvgNVKibenVRpp9gj9jZ1ZS2o2g0q32/4Xa6UwF
-2XTL4DmO91wXK08tZIa47dHQblV24R89gWrPz9/RLAPPIEYlLJZd77oNuCIrlmq3
-Ra27fPDn/a+x4CE9pkWIkaVNh6YnelaxVOg2HSb4vSHjualmrIQLOA==
------END RSA PRIVATE KEY-----

test/redis-tls/boulder/cert.pem

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDKDCCAhCgAwIBAgIIL2oIBmXMfVEwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
-AxMVbWluaWNhIHJvb3QgY2EgMDIwZGJhMB4XDTIzMTEyMjIxMzIwNFoXDTI1MTIy
-MjIxMzIwNFowEjEQMA4GA1UEAxMHYm91bGRlcjCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAKMk2GleTJ4ev+X3z20Z80SnalsAz5I+UODas8fYrM9caTze
-c+zNY/PPOsgBCWJlGEZj5eTEqoKp22+okzaa0wQ/FubZ/K05mZzME6dFxhRN1mmd
-/7oPctb/0LFaLU/QSqp+HEJwIwpTz8XrgfR//WguLmDyIFUrtaUQBluQEbANQIid
-LghcjNgZVZucrm12da9kh9pd5BD/apJp+qmhMJpDf1Q2yjUjiRpmVswzTSEIuHW8
-6GPc9Njb+pgi4PuXsT+cNA/CnsMUUiED84RBIwwNnTSsGcNg7ALUCUqg0+k5Os3M
-/gwZJ88Fa8QW0fDEn7zOYavKbEp371hFjVAQ9IkCAwEAAaN0MHIwDgYDVR0PAQH/
-BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8E
-AjAAMB8GA1UdIwQYMBaAFA/oVvRrtcTNIZU9ljkaOO5YoxCtMBIGA1UdEQQLMAmC
-B2JvdWxkZXIwDQYJKoZIhvcNAQELBQADggEBAI/IA1xC4k8Q15Dtpnr2uulIiGdn
-4kuS/4AjKsABkjaBU7bQyUm8A7hxIJLszWJoe1QuwgkXH9KIm6v3CQeCKxJB5YMp
-Q0009v1nwshFBTqacRX6ClQ/dt7pYaFX33wMYesPZc8r+i76IEbgQ+Fe9odHZUlc
-F+FsmrZg5cUBte7bAxe/5x4SGzT2Up1NT5tu1cLal6EwevH5dqB6IpkSNn2ixBh7
-G9M1/DsL3aFnqSxTzvwP7mG0e0mg8WGt3BzA6p3xtWeScFSPKOgIsLDSB48UTCOQ
-m6uJ1mxS103oqkFn8PovGOKymm5FyVIQc36WizioMPIDSFnKBfV+LRpdjsA=
------END CERTIFICATE-----

test/redis-tls/boulder/key.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAoyTYaV5Mnh6/5ffPbRnzRKdqWwDPkj5Q4Nqzx9isz1xpPN5z
-7M1j8886yAEJYmUYRmPl5MSqgqnbb6iTNprTBD8W5tn8rTmZnMwTp0XGFE3WaZ3/
-ug9y1v/QsVotT9BKqn4cQnAjClPPxeuB9H/9aC4uYPIgVSu1pRAGW5ARsA1AiJ0u
-CFyM2BlVm5yubXZ1r2SH2l3kEP9qkmn6qaEwmkN/VDbKNSOJGmZWzDNNIQi4dbzo
-Y9z02Nv6mCLg+5exP5w0D8KewxRSIQPzhEEjDA2dNKwZw2DsAtQJSqDT6Tk6zcz+
-DBknzwVrxBbR8MSfvM5hq8psSnfvWEWNUBD0iQIDAQABAoIBAFgj3OO4da5rsIN/
-CcrI3Vw3EsfNvVcmYa3Jmp2a22pAY/7ltD24jYq4Z+qMXNSTB7Vn3VlmQzTKreo6
-aiZzKRQ/PZFFLjUsTGig/PE/Sg/IKdHv8axFEmdD2C0pKhfX0a8g6QWf7d5zf2pP
-nWtKBs9VO+tWhM9fCQj/il/HizbQZNzs5H4Wl2vFoBMn9bYaWoXdb+XCtgviuqO4
-Ix3qvGvE0Q2CbWfI22IpexETMhnaH8fJsTOK5GpYZRh1bLW6XsjVobpHsBbMilOM
-bMD/cEGaAqYQ+XXfUk8hc+KS73pmB31UmSwIZLSwAw4mUhWMT6ANG01qrZxFofTM
-6nfGMjECgYEAwMRKYwXS/bwjyg9B/G2GCPjwju6XQlynZhA0+maBGCD/wS+hMy0X
-BHIoHqjCG5eSdpAGk7pZimwpoaistb4rRKFjyOpUIyTMnv9k77/z5l6NOrR2kjAr
-aO9FJlE0DOAx+kySEjQ6nzA46PYMvVWf1y5/hI9zbnfY1Js+y1fxIzUCgYEA2Kj1
-dmM/fTRgD8h6/l1hxKM/95iwbdhYOxCFVkluYcFkNwPix8EY0qKGYeG0BWOS8xTZ
-irpb6tpjNactbK/KV0twT6wMPk12ptxsMP71gPsyBZ758uiZcH3SfwYSZGuHbg9L
-v+LgdXPTFceD1746ocGHX1oV/7tcM6D9ExKeQoUCgYA1Fpop9VOrX6I3psYUgBFW
-7UBLDPiJZT0RBcuhXpOVEpl9GeH6VyOsrMfR0cZLlQ3YK0g0bTD1x14b0HloQCxo
-ZU426hor55mW/F1PDf1c55NbpJG3Jx79clAIAnskRKZe+bGM4+d1KfGybvkJN8ii
-mYKy/lLbDJSh0POVSu31NQKBgQCsgLoPbK4cLhtd9a2X4Rn6ylAf/v5aNyrovBqt
-vQGZ67Sy6PEjQmdVLfn47Q+8Sq+xwyQCBKcysnbTPSw5oS1lm7bseHu3D04tRMsP
-p7Ao5dfKCe3Qrcmde1Chul/ifIrz4lHZkfZNDc8/Q/+BQwDD0abLEJr7Zl3e7YsS
-KHzBUQKBgFPH4+87koCQkFPdzi2QshTqg1DZ5a6IfTbDljzf/zErk5PEDu3aXxYX
-mKRiXX5WtD2RZn6GUerkCRIpAJg0qOD86t9iTytZbeqh1r44bG3pkymGHBUTr6ra
-3QO6yTG1SBQP9vSeIY5ihqzXAus5VeTXpsRuRu4vwxhD9j6zo/R9
------END RSA PRIVATE KEY-----

test/redis-tls/generate.sh

@@ -1,19 +0,0 @@
-#!/bin/bash
-set -e
-set -o xtrace
-
-cd "$(realpath -- $(dirname -- "$0"))"
-
-# Check that `minica` is installed
-command -v minica >/dev/null 2>&1 || {
-  echo >&2 "No 'minica' command available.";
-  echo >&2 "Check your GOPATH and run: 'go get github.com/jsha/minica'.";
-  exit 1;
-}
-
-minica -domains boulder
-minica -domains boulder-redis
-minica -domains redis -ip-addresses 10.33.33.2,10.33.33.3,10.33.33.4,10.33.33.5,10.33.33.6,10.33.33.7,10.33.33.8,10.33.33.9
-
-# minica sets restrictive directory permissions, but we don't want that
-chmod -R go+rX .

test/redis-tls/minica-key.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAzJTME7rHyGhM+3gfEWbmupFvNdRuQ87zvF/RgIvJnZaqDrkp
-krxzc+fVZ9JVGex9TcMgF6j5uxYGKxswDwSifipMPXaySS6Hklj7RU/ZSEm5faka
-WIPfWls1n7hHSmCQ2ucKGS6EBGgEVvPE3AgeOMC7SsiaWpDCWSleYF6n6X0gEckD
-y7D/44q1YQ/mzRLN7AQccNljLQ3VUtdldbKA9oigOcE4ijY46W8nmukOc1nIxati
-vLqceuYS++bXZB2mAqi2Xnqv3IoJRr1wynp2TDEmPTs+KlA4cVk3G9ec8qJU/H0P
-UHWarwaDg+lgblkzV25098yEomRgAD0IHb/XewIDAQABAoIBAEJgxRZhtBDCRrgQ
-8YOj75j5NywwENbPfyXPsRoUQQZwrBy611JU8uDYh9V32UTgBogEl5UVrnGVY8r4
-t08oIdDtyG7o5E/6WOKTHHQQxF9ADH9JLtMpdn7KuUtpbzgivN1JuW0SOqNzXHUa
-AvWhbKzdW+eXzv0zmttzILwD+lc3PXEwk5mBe81wExOTSJYRN5jg2Ww+2RZBsc8S
-APWddtoK08sEwK+l1GRyWE8GERlz1+f0EvUEMzBIGTXvAopLz/fDp/qkcZWhYEXn
-cFtZmadlJyiuBh66BD42kcS7PtWs/HM0R/Q30lDG4ke/udZOAafzZDrGQGNKti/y
-8NfZJ4ECgYEA3tdfOscgPYA5cviBMOIJIlcfaXswsYKE8PTSmwIVopNeuDxAc2qS
-ay/UH+jeqXNA7qoIX4bMf53o5aCgxT0UcGP+uggZHfmUwG0FSksmWbyol6Da2EF6
-iAR3+AF3MZQ9teIs2xGt0Mo0NvVQh9PJaX1+VFiBlVCHs0KKg9sH2wUCgYEA6wXZ
-pK7JIoV2PMdAvkf1R64GktN27qrKSa3poVSec8ZYjDrZC2EN5FTH83QI2h9vhHCi
-HFXR4/wO+iRGvUj1PtKhIMOkpi8CgTPGhZ798o5kXFyOEJ2ELC9NT1cW/GewfZVk
-fPSfQi58iy1L+B8vw87lxYg+eO639jIgTc9ocH8CgYAgoq4hr5P7LdI8EkTpYdEw
-pE3HZvFErfbGSzSk2vNMMgUHOlu+C3eSFxkb60Dg1C5IRcKgKt+8OOYo6xNgj4d0
-xlBB8nmrOCge3liN/t+I+OY//qDOVxiY3v6q5ZwNOMao4ozrMHWiRFrNSbQXkF7J
-AkYEGEoyEe8tw6sBkIxf+QKBgBUyjuHKnfuOHA75Tb6b0OSpLpCZoBWAtAQXOoZB
-kpUQo7XqLN9Y3p7kgrBTm+TIhw9j9Usm9mpgtp0bHoI+DVigOMYyvyv5+3jZyaMN
-pwv0idrGwk1/V4eAsLFiQoF7fLCnA8w9aAvZE4SeDkcP0QgRJio90pyns1HyTXWX
-Km1TAoGAa7UyLJnaQIg7P+XnDpm/RdNyJPkXfUz4sW3tZNTSjBcmeIsf1REvnt0R
-+xR58ANZIAxNjhWzDkMq0bMFlWE3aMTVVwpWD3+fqi0b8uOIPH55hKdUgYW7fN9d
-lzXHeP37rzOFAdZCC1co5gCeqbodoJ4U802eKP75OAdEfj8BbQQ=
------END RSA PRIVATE KEY-----

test/redis-tls/minica.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDSzCCAjOgAwIBAgIIAg26dvKrbYkwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
-AxMVbWluaWNhIHJvb3QgY2EgMDIwZGJhMCAXDTIxMTAyMzAyMTUxOVoYDzIxMjEx
-MDIzMDMxNTE5WjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSAwMjBkYmEwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMlMwTusfIaEz7eB8RZua6kW81
-1G5DzvO8X9GAi8mdlqoOuSmSvHNz59Vn0lUZ7H1NwyAXqPm7FgYrGzAPBKJ+Kkw9
-drJJLoeSWPtFT9lISbl9qRpYg99aWzWfuEdKYJDa5woZLoQEaARW88TcCB44wLtK
-yJpakMJZKV5gXqfpfSARyQPLsP/jirVhD+bNEs3sBBxw2WMtDdVS12V1soD2iKA5
-wTiKNjjpbyea6Q5zWcjFq2K8upx65hL75tdkHaYCqLZeeq/ciglGvXDKenZMMSY9
-Oz4qUDhxWTcb15zyolT8fQ9QdZqvBoOD6WBuWTNXbnT3zISiZGAAPQgdv9d7AgMB
-AAGjgYYwgYMwDgYDVR0PAQH/BAQDAgKEMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
-BgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBQP6Fb0a7XEzSGV
-PZY5GjjuWKMQrTAfBgNVHSMEGDAWgBQP6Fb0a7XEzSGVPZY5GjjuWKMQrTANBgkq
-hkiG9w0BAQsFAAOCAQEASfe9zRlpIXHy4+mp1PIpjGjJjk0NhPOcoN8B2vCqYWsJ
-nnfl9zfORkWPL6PgiXWqS6nNC+iqRFBWphaRqtSle0j+4NLFnmmOMXI/NlCjAvTH
-6TNJ/H0nHlJ9p3Ui9a5MvZ8I/dOJLrFDX4/d9Lg76txKhFJBzXvxd9PSVKPJvnfx
-x3aare5fkXy+JlZwP8FhbzIwVTmHGPxKEUCbImhmailXTfLTmm+bS1CW2OrOnlSn
-ZPlEA8N1Y8ogNZQf2v65QCT7k64a1IuEA7XcH+W4+JhRAPPp1NujMTbeo855gMMm
-D6LXhbMEV2jO6Yfqgr2H+fmiWq3nILj/XBSTEYNBqQ==
------END CERTIFICATE-----

test/redis-tls/redis/cert.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDVjCCAj6gAwIBAgIIFK4th6FcU8AwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
-AxMVbWluaWNhIHJvb3QgY2EgMDIwZGJhMB4XDTIzMTEyMjIxMjUzMVoXDTI1MTIy
-MjIxMjUzMVowEDEOMAwGA1UEAxMFcmVkaXMwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQDoo5YMrAiUB2+It/4wC4Jb6UVnlZ3yA+3sGnrv4qzZpZKBZeC5
-NRZZin18+NiLxRdKTXvUpFL/2c4jXVE3w63aPQoqsCFVeU6PW3/WoCzmyG7h1TlQ
-7eVX5ifCuL7Or0TI+XqEBhkiI4CmhoOKKYmcEl5+7Xej9duPvK2+5BXJ7nqAlkFV
-35rlxcMsSinMfC54e2jbyXRmy8EHV5s6fgQ6d8BV/xle8uFiJs8iubEJQTKEhf5c
-t46Hg4czjluAiRaTqadjSisw8uczJG0FkW4vER1kBdbQMrHmqDdfC9PW86JT5dkv
-Yk6swzEv0qWbAsEhdQ38n268YbeloH6VlRLXAgMBAAGjgaMwgaAwDgYDVR0PAQH/
-BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8E
-AjAAMB8GA1UdIwQYMBaAFA/oVvRrtcTNIZU9ljkaOO5YoxCtMEAGA1UdEQQ5MDeC
-BXJlZGlzhwQKISEChwQKISEDhwQKISEEhwQKISEFhwQKISEGhwQKISEHhwQKISEI
-hwQKISEJMA0GCSqGSIb3DQEBCwUAA4IBAQCxN17tuodLpUjPNP4I2eJxHMNjTY+H
-b8av1W8L3HG2yHC5uCI/FESvPrDK0jfaD5IHu/XZp8p/7fvGnTX0B5+x1X2My2ow
-Uf/9WrMyj9nbikj/ZFCwpYdaKxitvHD3mXLBUmkRUhY1aC98kzcQpg+8OwdgVlYj
-3XMlgJjwdEERayaPsn9FDPW9B23W8jSC5hjTuz5+R4ZB5Y8TAvqmCJGnKpa/XCh0
-qr9By7B/kbnZmmMxszooJYwqRyDLLZOSCaA7u2Y+VqMTyOd1dk4sN5LJYHZdeB4L
-nQN60PTQhfM6JEMDc1iGCzEXh26ji0e8HQOE04vwMsDWGUi+3Jk9FZsY
------END CERTIFICATE-----

test/redis-tls/redis/key.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA6KOWDKwIlAdviLf+MAuCW+lFZ5Wd8gPt7Bp67+Ks2aWSgWXg
-uTUWWYp9fPjYi8UXSk171KRS/9nOI11RN8Ot2j0KKrAhVXlOj1t/1qAs5shu4dU5
-UO3lV+Ynwri+zq9EyPl6hAYZIiOApoaDiimJnBJefu13o/Xbj7ytvuQVye56gJZB
-Vd+a5cXDLEopzHwueHto28l0ZsvBB1ebOn4EOnfAVf8ZXvLhYibPIrmxCUEyhIX+
-XLeOh4OHM45bgIkWk6mnY0orMPLnMyRtBZFuLxEdZAXW0DKx5qg3XwvT1vOiU+XZ
-L2JOrMMxL9KlmwLBIXUN/J9uvGG3paB+lZUS1wIDAQABAoIBAQC36zxhYFCX1xkS
-WYQXr8GrsEwyjFKGVxzuIDE5HVfR6dhdfJGhWpsExzxWZNWuCm9TStavUgpcQ3F4
-+/mNwKHde4xiG0T/MhwtsgTrRU66VZNz7wKVPL6oM0kT5MLU3DPhP3rgjYGpP7Ah
-9w5fWF92h/81EcAYW/LtPBmQZPnk3acTWrhREh9ZI14ugA87lNUHdzHKo0mWi2HU
-Au9xbxV8wIqRe771cq62pXfP8D4eZMjxEoSXfBP0MFV9tuXSyCcw++jWRfZNGUgA
-fNWORakLu38gNM7soIhCIDHjVF1bbAHh/iiAFhuJ6YcNk8nIQ9Oaj0n8hDOiF/bU
-Jha2Q15hAoGBAPVcYFMFbyMHv+Lf7YaqAaLIND+uOicdOYsMoqAkvxxHZja7Ki5O
-ZuAcefRCbcXf9l0HeHPF+fDXE+hLO3a6BJrrRnW68d4bfYsH830AEwJSE+aGyS1w
-vKN3v9HINEXR8M2pOBVyHQns21ZVo5pOh9y/Ix+iuF6cQsqzQlfaX7MNAoGBAPK5
-/cigMZ4N9NfZlSctmvmX6Hx5IY14lZavuC9q5TGcHiFhaBO2ea7j5yprGODfAXlh
-U7bZifTOebtCJe7yDByq4dTG4shvIPGN4yMnnCY/lnzoj9oBIaQXUASme9j2/ecx
-+zTbI/ftg+KQh6sCatModQxuvheLmR7PZrHi3TRzAoGBAMndYYaMfv5EHvQqpcJY
-VpY1vv7xefi6S6CCGb5F3VIH0CmRXUfRy0PxScjTansVIx0wy0H9DQDAAynn05l/
-u9A1Z7fuwZWp6mUbepFKIVmUa7kLBbM0AI9BM3kGDTOwYTzjTzgdtZR34ZErTjnj
-CFZujxg1CRkV2MHqL9gV2wx1AoGAG4LBJPAjL4rdaWmb4ijlG8z/6LvB9crpCX85
-HQa8m3baY2Yq6bEQ8aWbGc+xrisYe61wU5UscbbFTVgd/IsqnEUx+2/fXGBcF4TB
-bcabiCpE4DtrsoXWTkbmJuDHwLud44pisobz+LHO9Or0tYk8mlpHifUzTm/gFwHi
-3d6cu8kCgYEAscvA6kNcDzt+toZMSy9TOKeZdy+fZdZlcUksaMgOhAToZ/qLCrPm
-6BWv0ek9x1QzcsUnS3sFdXrznFf794FYI6jWATbieq7WUnanu8dE5FLC9rrLEnAC
-+WhjSpg34ejr/fMRntJGWr+MnfGGydOJsZ7CEt8z5c6iUqiGHC4ZV64=
------END RSA PRIVATE KEY-----

test/startservers.py

@@ -56,7 +56,7 @@ SERVICES = (
         None),
     Service('mail-test-srv',
         9380, None, None,
-        ('./bin/mail-test-srv', '--closeFirst', '5', '--cert', 'test/mail-test-srv/localhost/cert.pem', '--key', 'test/mail-test-srv/localhost/key.pem'),
+        ('./bin/mail-test-srv', '--closeFirst', '5', '--cert', 'test/certs/ipki/localhost/cert.pem', '--key', 'test/certs/ipki/localhost/key.pem'),
         None),
     Service('ocsp-responder',
         8005, None, None,

test/wfe-tls/README

@@ -1,4 +0,0 @@
-This directory contains the minica hierarchy used to produce certificates for
-Redis to use in integration tests, and for boulder to authenticate to Redis.
-
-See boulder/test/PKI.md

test/wfe-tls/boulder/cert.pem

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDCTCCAfGgAwIBAgIIYFPZfdxpKUswDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
-AxMVbWluaWNhIHJvb3QgY2EgNWE1ZDYwMCAXDTE4MDEwMzIxNTQwMVoYDzIxMDgw
-MTAzMjE1NDAxWjASMRAwDgYDVQQDEwdib3VsZGVyMIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEAsHE8C5UYyHimY4cnVnEqB2RQ96H8WQhwNRAY5Wggg6PN
-7k6V+bamYfu3YJ27YvwERGsB7lZ5jsa8NqhnRpe0FaPb5h/o3MU8qigSK+Jzy1Cz
-/E37Jns1JXLoquog5wVDl5Q9kJAVIzInLBdlBIQ3KW0nQwpIXRAy37zjXu+TJp3d
-1gdXFuQ4I43dZxafV+CX5F/NFZmJKIRNmMDteNeukgyR/8Dh+pTuX5q+lf+rRecr
-KmKvnqYP55fzstnTK385pMXCLiBNC3XjumpEAh8Z2PFrDVnWeJYDjlWvT6VJ+5h8
-7eMLOR2Fr/EL1j8WdaaeXQBe+f9rKthdUtK5UkIHlwIDAQABo1MwUTAOBgNVHQ8B
-Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB
-/wQCMAAwEgYDVR0RBAswCYIHYm91bGRlcjANBgkqhkiG9w0BAQsFAAOCAQEAr8bY
-DWWWHjdH7sbGzei165sMHZK8PLFl9ns7/VI7KKIyIg3uUTwbDLf2ZvE0fSZgPDq6
-oPe3vE7kLUvJCQG7Dq0TcT5s1HOXwqdLijJMPxBEflmT+da3qAduL0AQ76TZEGxl
-6T57QywI9S2nwFx7IgL9VQ5iOKuuSL/i9xEKp9IMYVGvuT7uTt/CQyX/sgR2mcRN
-kem/ZwG9sLa9D94YWTwvLjsItyjb56THETu91o83M+4em981yngbtuuLd8hX5ini
-4Kl6pn8EAS75l0EfTUHlnXAwc9RMAG3TkjghCVUtuC8q4TgDLXLHRCRsojaKnK6H
-0xbgULqAjqRkJ0Cu9Q==
------END CERTIFICATE-----

test/wfe-tls/boulder/key.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAsHE8C5UYyHimY4cnVnEqB2RQ96H8WQhwNRAY5Wggg6PN7k6V
-+bamYfu3YJ27YvwERGsB7lZ5jsa8NqhnRpe0FaPb5h/o3MU8qigSK+Jzy1Cz/E37
-Jns1JXLoquog5wVDl5Q9kJAVIzInLBdlBIQ3KW0nQwpIXRAy37zjXu+TJp3d1gdX
-FuQ4I43dZxafV+CX5F/NFZmJKIRNmMDteNeukgyR/8Dh+pTuX5q+lf+rRecrKmKv
-nqYP55fzstnTK385pMXCLiBNC3XjumpEAh8Z2PFrDVnWeJYDjlWvT6VJ+5h87eML
-OR2Fr/EL1j8WdaaeXQBe+f9rKthdUtK5UkIHlwIDAQABAoIBABOzAMY2RkcTmVgh
-XdX72npqy9NqBXeXRpfWDUGHp6Gq5zIFGh+AMgFcjjO+SI6bnopY/CU1CGtVauwb
-TzSFeXi1C7cctu33I3fH84dsyAraHs47kp/QP7XHp4x1iWjhoJNK3LjILWP5lIAK
-uJ+Rd2sroaeNfVjOly99slEGJIK6C+ImFKWmfCwaXcxbl+PbpIcL0SiTF/5FmuXx
-Ri9vUJxxVv1+GZNTiEjXFKe9UfYNt3DoAolRTaL7ZdzEny0cXf31eIeA8LY9uQ8I
-pec0zheqdpfj+L3qfV7RDh0va4fEzXP92mBgrvFiJsRa2cvQoDFW2IXSR2chl8Tn
-r/qlEhkCgYEAyJ4JADnhmQvXVYa90oIYicJeJie3lLtjMFps7EvHCmKjTpzGG1s6
-r4EBQEConJQeR2YLVjgN45ureAkLJTswqt9UcXxJFBIHuCUF1QqtjtVIgG3v6REH
-jnr+o2XigHv4pQB2g1mlYh3LwhD94hyWIRxyzeW/oeENykfIZcDWud0CgYEA4Sa2
-EDLvCPFZMFk2m/FDOyMUORdeUFMLCA6igtAoL53v19eoe+kICiqCNbTj9ekcSA2N
-ojKBHkG9x+TrIDc036ZbpCO99FLOlX9uRFuEQCkcih27bMvSN5e3TFnOPOENNIKi
-A1WDbbS+mJQcf3EV8mzGdd7vlpPk2mYzVdSgogMCgYBRDkEWvUwgGP+sx58EYZnm
-dwixI9Txm/CMhcyCgG9wC8Btr7v/K5H/fQDzY+x8LwA42srzz/wUnT3fZtAA//Q+
-5bLpk0y3dj12Mkcz93d+QUBk24ZWRZInCBzAChdE0FH64MABfAPtK5q600Cwzdn+
-kM71z8Dod9SpiO03530aZQKBgQCB81ft7Zftr29s6nEMfKnzPgH0GbrD3cpmMhw2
-KHKpWR0PlVeXfR64z2QsH2Xbj1pVdA0lasT/c65X65aSF4sa8ue9yyteE1VNECnS
-poekiJYCWbrNxq5ki9qt5L+Wf8ahYiykg/zBmyrO4d246MpkC8hYS/45CM90Brzm
-czzrhQKBgAePfH2J5EKZUA064DwMytgyp3yj1ki+6/lH4nfDKhtili/CkLjkeOKl
-g/rG1ysU63TTn7IEdLDmLI8UhWNXc8i/leuTp9yufEpxZhfHjbKOQ5m9IUg6lixP
-YJZLI2ig3hxwPJi/tIKoYXVn2dk2LCYGmGiqZmGzKK3j0dvdYJxe
------END RSA PRIVATE KEY-----

test/wfe-tls/minica-key.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAuQbmziJB9NUIWtUeHsEdTDrWtEUuqQbX6Tz1/VhSEkTIyxze
-c7U62ytZ1MijAS/PPd1G6eIIv5NRKJycnzRFHClNKKzMnBPTNnp8DlWKaRsorp9q
-vdc0R1ep2eysaUDUNwJyHPygjdXD+ob846LUiSNWmZa0Fxxp4NOrLaJzBo1/uojN
-kafNhNgA4/17e5/N2GfFzLVYCRM/nFxRZ9NaxIRrJsWv40ZifXNOVyb1Po40uItR
-oC31ji1jYx4MWRoVAd/6VF11MK4wvrev7fIRVXsXI+LaJDk02qA+YwU9/EWncmN8
-JJz2g9cYUVfSQCNxVbQmWKT5SCWVaGTnObBCYQIDAQABAoIBACb8dkt+2mjtLlp9
-R2BxjmvOhgjr/t3srDff+XENWBWzWp+5kIHO8PzXUJFOSVJpsYA2jMehMfiz4Mju
-3u2IxPsfFLv6VQ6Z+soi2trmWUi2SUcqHgKsQr65kPdzMAzpdQ22PTcwX+Ai5611
-HfoVCDVxNcEdCQtJmGGgGBSAgz4g3MrT9yPsce3iJZOM+05cJxZ1kIUrRQ4mHd5m
-yztynYnTsr8l9hcg2EC+vUlYg7WfUS91rVxEdcYKA7rOXhYexWBu679XAGEYbafZ
-e4wsi9nhVTcPdatHPvuLp2BcIlxMdJxyNWx3RqAv6NLJvOsrw1rNMpzlCSe5DCR4
-uosfRMECgYEA1dliAX6TSI/0jzk8YWvt32Nf/IlKL+psDxUygjRwzVvJdUPAlKf2
-KBfrtn5r+vnD5J6gIPp4MCDpbWoDBsZv5N0EFGBmeC96vybdulUrNgLnolZPrjpt
-iS5ZVMFFMpW37vE7c8cEtIS0iQNFZe8E4mUK4V+kUO9KMxdfJvd470kCgYEA3X8t
-6qWUg0gzHVJjijt0zSHC5aHlNf9WkJEpcgVkuL6F0XFT8l7yIzGfIvo7vvYJpPmp
-/jRnvceW8azo827ejO0SGhQryqIoLUXtNrE6PaACKs7cLoN2wkHCwIzKw9obunPx
-EWsiLvxmX7jOmH8CJb3Mq6gNBZ6Tt1f1U1QSglkCgYABvhG0XWmpz7J4cEjzqkN3
-7IFdt2ipV0mmHdAZi3/XzIWptPGexHeXAArlo8YRd3OHK1u2qRPNoJcGUzTPG1LS
-FJLx748mL4zafeCUohkGCaQFiJqBmuxFj+EedaywqtOi2MhZOyfoqKQn8aThHb92
-cMhT6cmW9zwtimU2FhIgMQKBgC30PfWJ5vcZ2qkBt+8tCL2qfIIiBakfUblqtJuY
-bN47gQ4EIjON6VTN7cNXAWBMMZINzmwUOVXRfAqmIiqnXPsGEJRijPdcj1NdR6rq
-ODgi43A4PMxVsCT7eclzLHpX3RrhBSnk/VGcQi0n7Y0MBMkJyNXwZss8rE8Eq7xf
-G/v5AoGAE5N6SK387AEF9uhFBykJKyfiXMezDWBrOMvZLLJrOJXuwsyiKg7z37pu
-eb2SVPobBEGhWjrAzG+E3yl6b62Kl/hucXN4CGGJAFtlIwgNAGnu0Fu+h0Qd6BFj
-+wct5WyMCIpLMKJDxfmgCZt4KDoeai91oZNM9JLdSNRDjHG3eJ4=
------END RSA PRIVATE KEY-----

test/wfe-tls/minica.pem

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDCTCCAfGgAwIBAgIIWl1gPnP5KdIwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
-AxMVbWluaWNhIHJvb3QgY2EgNWE1ZDYwMCAXDTE4MDEwMzIxNTQwMFoYDzIxMTgw
-MTAzMjE1NDAwWjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSA1YTVkNjAwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5BubOIkH01Qha1R4ewR1MOta0
-RS6pBtfpPPX9WFISRMjLHN5ztTrbK1nUyKMBL8893Ubp4gi/k1EonJyfNEUcKU0o
-rMycE9M2enwOVYppGyiun2q91zRHV6nZ7KxpQNQ3AnIc/KCN1cP6hvzjotSJI1aZ
-lrQXHGng06stonMGjX+6iM2Rp82E2ADj/Xt7n83YZ8XMtVgJEz+cXFFn01rEhGsm
-xa/jRmJ9c05XJvU+jjS4i1GgLfWOLWNjHgxZGhUB3/pUXXUwrjC+t6/t8hFVexcj
-4tokOTTaoD5jBT38RadyY3wknPaD1xhRV9JAI3FVtCZYpPlIJZVoZOc5sEJhAgMB
-AAGjRTBDMA4GA1UdDwEB/wQEAwIChDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
-BQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsFAAOCAQEAJqPB
-eVGD4CpjlXBd+7XBSZBoy0r59sEtkNyireZuyyjJ/SOErfu3Y1eKJYaqe7RhZYBx
-TahSkpFGIHRMHYJicxVdVld2CotNGqkyv/54HeHu0o3FfTEkwX6dimZmVa3nMhzK
-nqc9CFL5MVPF+EQ6FdXHL5mMXR+rFWjASt2I3Fd+VWKwztkqTPOBvj9HHRyMb6jM
-KOME5Mh3PreRL0xx3cWA6yV4j0d1SxSKQyoC8DCCJs9/5oJLobFOB/fctCh8e2NR
-+RcgVreA0BiEjFKrJjtzV1ODafAfQKTvR/UjO5133HPHkbVXdt4H0NlGQvfRD0z0
-ZWTX1uJOxI1HyhHb5A==
------END CERTIFICATE-----

wfe2/wfe_test.go

@@ -370,9 +370,9 @@ func setupWFE(t *testing.T) (WebFrontEndImpl, clock.FakeClock, requestSigner) {
 		rc := bredis.Config{
 			Username: "unittest-rw",
 			TLS: cmd.TLSConfig{
-				CACertFile: "../test/redis-tls/minica.pem",
+				CACertFile: "../test/certs/ipki/minica.pem",
-				CertFile:   "../test/redis-tls/boulder/cert.pem",
+				CertFile:   "../test/certs/ipki/localhost/cert.pem",
-				KeyFile:    "../test/redis-tls/boulder/key.pem",
+				KeyFile:    "../test/certs/ipki/localhost/key.pem",
 			},
 			Lookups: []cmd.ServiceDomain{
 				{