ocs init

2025-03-03 11:01:26 +08:00
parent 5f1710dc22
commit dae6fc93f7
1057 changed files with 519829 additions and 0 deletions
--- a/plat/diameter/doc/single_host/CAGenerate/ca.chain.crt
+++ b/plat/diameter/doc/single_host/CAGenerate/ca.chain.crt
@@ -0,0 +1,87 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 17253258667433909647 (0xef6fe358aa53dd8f)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: DC=com, DC=example, CN=Test Certifying CA
+        Validity
+            Not Before: Jun 18 16:54:51 2016 GMT
+            Not After : Jun 18 16:54:51 2017 GMT
+        Subject: DC=com, DC=example, CN=Test Certifying CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e9:29:6f:b7:08:85:18:17:c4:7a:4c:de:89:29:
+                    28:01:07:ef:60:c9:f5:71:b2:40:51:b2:c5:be:dc:
+                    41:9c:e1:0f:ba:62:9e:5a:d2:58:1f:7b:71:aa:c3:
+                    e8:d7:b6:49:78:b8:1d:21:96:98:c6:8b:c3:95:47:
+                    45:58:c8:6c:e4:32:4c:53:a7:0f:97:e5:91:8b:66:
+                    a8:a6:17:89:1b:f3:33:05:40:34:1c:8d:f3:66:0c:
+                    0c:a7:cb:98:01:35:78:5d:bd:8d:d7:ee:62:bd:78:
+                    9b:14:69:2f:03:fd:99:b3:45:9e:a6:11:cf:e7:6f:
+                    9d:a2:ea:34:59:c2:57:82:0b:70:5f:f2:1d:a2:de:
+                    36:90:34:2a:81:0b:14:f2:c2:42:c0:19:44:05:11:
+                    d6:c4:e7:48:a6:64:1e:b5:87:ea:ce:d0:cc:1c:bb:
+                    37:71:30:a8:47:87:38:90:ae:4f:c6:3a:cb:32:a8:
+                    26:e4:01:cf:69:2c:e5:36:35:9c:52:15:08:ca:b9:
+                    2a:eb:d6:76:00:c2:6c:70:c4:10:23:12:43:9b:a9:
+                    31:6f:84:51:ef:1e:a7:e9:7d:20:3a:c6:34:f5:35:
+                    6c:36:b9:b6:e1:8c:2d:77:af:b1:d0:d0:e2:28:c7:
+                    93:f2:84:f5:8f:b1:5d:0d:05:e8:4a:5d:c7:b3:69:
+                    a3:73
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                5B:09:09:8C:18:28:52:5C:5B:39:E9:07:62:07:54:43:73:81:F1:33
+            X509v3 Authority Key Identifier: 
+                keyid:5B:09:09:8C:18:28:52:5C:5B:39:E9:07:62:07:54:43:73:81:F1:33
+                DirName:/DC=com/DC=example/CN=Test Certifying CA
+                serial:EF:6F:E3:58:AA:53:DD:8F
+
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            Netscape Comment: 
+                Testing CA Certificate
+    Signature Algorithm: sha1WithRSAEncryption
+         34:24:3a:34:f7:8d:58:de:dc:b5:34:6e:06:ea:53:77:c9:9a:
+         fe:7f:29:7f:3e:74:d1:f9:97:c4:7b:b5:0e:82:99:ac:89:03:
+         a6:48:9e:17:f9:6f:06:eb:c2:93:33:de:45:82:8a:2d:4b:1a:
+         4b:3c:30:36:6f:a2:b9:f9:d0:24:97:65:5c:82:19:0c:83:5e:
+         ae:16:09:25:fa:83:5c:59:5c:18:83:8b:c8:e6:c2:77:c5:d0:
+         1a:8c:95:6e:ba:18:a6:29:86:92:e7:8b:71:26:12:1b:1e:c7:
+         3f:0a:de:28:95:0b:4e:02:2f:8f:56:83:f2:0d:0f:d0:54:f1:
+         25:15:e8:3f:02:c1:2a:f7:cd:0a:07:51:85:c9:9a:3a:64:66:
+         1e:25:4a:b0:ac:38:96:3e:db:36:04:e4:23:06:e5:93:f0:24:
+         db:ff:60:1d:ce:eb:a2:37:f1:86:9f:a7:d2:23:f7:c7:9e:72:
+         a8:20:87:2d:ca:37:7a:15:d7:d6:47:13:ce:58:0f:d8:6b:f3:
+         34:2c:7d:42:01:bf:32:8d:65:62:af:e0:1f:6c:9f:04:07:6c:
+         0d:f0:93:c3:67:f1:9a:73:a7:4f:82:8f:c8:05:7d:63:b3:48:
+         a0:e2:3b:2e:da:c7:cb:05:91:32:59:1a:54:94:22:7b:01:92:
+         9a:c4:c2:e7
+-----BEGIN CERTIFICATE-----
+MIID/jCCAuagAwIBAgIJAO9v41iqU92PMA0GCSqGSIb3DQEBBQUAMEsxEzARBgoJ
+kiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFtcGxlMRswGQYDVQQD
+ExJUZXN0IENlcnRpZnlpbmcgQ0EwHhcNMTYwNjE4MTY1NDUxWhcNMTcwNjE4MTY1
+NDUxWjBLMRMwEQYKCZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhh
+bXBsZTEbMBkGA1UEAxMSVGVzdCBDZXJ0aWZ5aW5nIENBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA6SlvtwiFGBfEekzeiSkoAQfvYMn1cbJAUbLFvtxB
+nOEPumKeWtJYH3txqsPo17ZJeLgdIZaYxovDlUdFWMhs5DJMU6cPl+WRi2aopheJ
+G/MzBUA0HI3zZgwMp8uYATV4Xb2N1+5ivXibFGkvA/2Zs0WephHP52+douo0WcJX
+ggtwX/Idot42kDQqgQsU8sJCwBlEBRHWxOdIpmQetYfqztDMHLs3cTCoR4c4kK5P
+xjrLMqgm5AHPaSzlNjWcUhUIyrkq69Z2AMJscMQQIxJDm6kxb4RR7x6n6X0gOsY0
+9TVsNrm24Ywtd6+x0NDiKMeT8oT1j7FdDQXoSl3Hs2mjcwIDAQABo4HkMIHhMB0G
+A1UdDgQWBBRbCQmMGChSXFs56QdiB1RDc4HxMzB7BgNVHSMEdDBygBRbCQmMGChS
+XFs56QdiB1RDc4HxM6FPpE0wSzETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmS
+JomT8ixkARkWB2V4YW1wbGUxGzAZBgNVBAMTElRlc3QgQ2VydGlmeWluZyBDQYIJ
+AO9v41iqU92PMAsGA1UdDwQEAwIB/jAPBgNVHRMBAf8EBTADAQH/MCUGCWCGSAGG
+EIBDQQYFhZUZXN0aW5nIENBIENlcnRpZmljYXRlMA0GCSqGSIb3DQEBBQUAA4IB
+AQA0JDo0941Y3ty1NG4G6lN3yZr+fyl/PnTR+ZfEe7UOgpmsiQOmSJ4X+W8G68KT
+M95FgootSxpLPDA2b6K5+dAkl2VcghkMg16uFgkl+oNcWVwYg4vI5sJ3xdAajJVu
+uhimKYaS54txJhIbHsc/Ct4olQtOAi+PVoPyDQ/QVPElFeg/AsEq980KB1GFyZo6
+ZGYeJUqwrDiWPts2BOQjBuWT8CTb/2AdzuuiN/GGn6fSI/fHnnKoIIctyjd6FdfW
+RxPOWA/Ya/M0LH1CAb8yjWVir+AfbJ8EB2wN8JPDZ/Gac6dPgo/IBX1js0ig4jsu
+2sfLBZEyWRpUlCJ7AZKaxMLn
+-----END CERTIFICATE-----
--- a/plat/diameter/doc/single_host/CAGenerate/ca.crl
+++ b/plat/diameter/doc/single_host/CAGenerate/ca.crl
--- a/plat/diameter/doc/single_host/CAGenerate/ca.crt
+++ b/plat/diameter/doc/single_host/CAGenerate/ca.crt
@@ -0,0 +1,87 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 17253258667433909647 (0xef6fe358aa53dd8f)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: DC=com, DC=example, CN=Test Certifying CA
+        Validity
+            Not Before: Jun 18 16:54:51 2016 GMT
+            Not After : Jun 18 16:54:51 2017 GMT
+        Subject: DC=com, DC=example, CN=Test Certifying CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e9:29:6f:b7:08:85:18:17:c4:7a:4c:de:89:29:
+                    28:01:07:ef:60:c9:f5:71:b2:40:51:b2:c5:be:dc:
+                    41:9c:e1:0f:ba:62:9e:5a:d2:58:1f:7b:71:aa:c3:
+                    e8:d7:b6:49:78:b8:1d:21:96:98:c6:8b:c3:95:47:
+                    45:58:c8:6c:e4:32:4c:53:a7:0f:97:e5:91:8b:66:
+                    a8:a6:17:89:1b:f3:33:05:40:34:1c:8d:f3:66:0c:
+                    0c:a7:cb:98:01:35:78:5d:bd:8d:d7:ee:62:bd:78:
+                    9b:14:69:2f:03:fd:99:b3:45:9e:a6:11:cf:e7:6f:
+                    9d:a2:ea:34:59:c2:57:82:0b:70:5f:f2:1d:a2:de:
+                    36:90:34:2a:81:0b:14:f2:c2:42:c0:19:44:05:11:
+                    d6:c4:e7:48:a6:64:1e:b5:87:ea:ce:d0:cc:1c:bb:
+                    37:71:30:a8:47:87:38:90:ae:4f:c6:3a:cb:32:a8:
+                    26:e4:01:cf:69:2c:e5:36:35:9c:52:15:08:ca:b9:
+                    2a:eb:d6:76:00:c2:6c:70:c4:10:23:12:43:9b:a9:
+                    31:6f:84:51:ef:1e:a7:e9:7d:20:3a:c6:34:f5:35:
+                    6c:36:b9:b6:e1:8c:2d:77:af:b1:d0:d0:e2:28:c7:
+                    93:f2:84:f5:8f:b1:5d:0d:05:e8:4a:5d:c7:b3:69:
+                    a3:73
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                5B:09:09:8C:18:28:52:5C:5B:39:E9:07:62:07:54:43:73:81:F1:33
+            X509v3 Authority Key Identifier: 
+                keyid:5B:09:09:8C:18:28:52:5C:5B:39:E9:07:62:07:54:43:73:81:F1:33
+                DirName:/DC=com/DC=example/CN=Test Certifying CA
+                serial:EF:6F:E3:58:AA:53:DD:8F
+
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            Netscape Comment: 
+                Testing CA Certificate
+    Signature Algorithm: sha1WithRSAEncryption
+         34:24:3a:34:f7:8d:58:de:dc:b5:34:6e:06:ea:53:77:c9:9a:
+         fe:7f:29:7f:3e:74:d1:f9:97:c4:7b:b5:0e:82:99:ac:89:03:
+         a6:48:9e:17:f9:6f:06:eb:c2:93:33:de:45:82:8a:2d:4b:1a:
+         4b:3c:30:36:6f:a2:b9:f9:d0:24:97:65:5c:82:19:0c:83:5e:
+         ae:16:09:25:fa:83:5c:59:5c:18:83:8b:c8:e6:c2:77:c5:d0:
+         1a:8c:95:6e:ba:18:a6:29:86:92:e7:8b:71:26:12:1b:1e:c7:
+         3f:0a:de:28:95:0b:4e:02:2f:8f:56:83:f2:0d:0f:d0:54:f1:
+         25:15:e8:3f:02:c1:2a:f7:cd:0a:07:51:85:c9:9a:3a:64:66:
+         1e:25:4a:b0:ac:38:96:3e:db:36:04:e4:23:06:e5:93:f0:24:
+         db:ff:60:1d:ce:eb:a2:37:f1:86:9f:a7:d2:23:f7:c7:9e:72:
+         a8:20:87:2d:ca:37:7a:15:d7:d6:47:13:ce:58:0f:d8:6b:f3:
+         34:2c:7d:42:01:bf:32:8d:65:62:af:e0:1f:6c:9f:04:07:6c:
+         0d:f0:93:c3:67:f1:9a:73:a7:4f:82:8f:c8:05:7d:63:b3:48:
+         a0:e2:3b:2e:da:c7:cb:05:91:32:59:1a:54:94:22:7b:01:92:
+         9a:c4:c2:e7
+-----BEGIN CERTIFICATE-----
+MIID/jCCAuagAwIBAgIJAO9v41iqU92PMA0GCSqGSIb3DQEBBQUAMEsxEzARBgoJ
+kiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFtcGxlMRswGQYDVQQD
+ExJUZXN0IENlcnRpZnlpbmcgQ0EwHhcNMTYwNjE4MTY1NDUxWhcNMTcwNjE4MTY1
+NDUxWjBLMRMwEQYKCZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhh
+bXBsZTEbMBkGA1UEAxMSVGVzdCBDZXJ0aWZ5aW5nIENBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA6SlvtwiFGBfEekzeiSkoAQfvYMn1cbJAUbLFvtxB
+nOEPumKeWtJYH3txqsPo17ZJeLgdIZaYxovDlUdFWMhs5DJMU6cPl+WRi2aopheJ
+G/MzBUA0HI3zZgwMp8uYATV4Xb2N1+5ivXibFGkvA/2Zs0WephHP52+douo0WcJX
+ggtwX/Idot42kDQqgQsU8sJCwBlEBRHWxOdIpmQetYfqztDMHLs3cTCoR4c4kK5P
+xjrLMqgm5AHPaSzlNjWcUhUIyrkq69Z2AMJscMQQIxJDm6kxb4RR7x6n6X0gOsY0
+9TVsNrm24Ywtd6+x0NDiKMeT8oT1j7FdDQXoSl3Hs2mjcwIDAQABo4HkMIHhMB0G
+A1UdDgQWBBRbCQmMGChSXFs56QdiB1RDc4HxMzB7BgNVHSMEdDBygBRbCQmMGChS
+XFs56QdiB1RDc4HxM6FPpE0wSzETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmS
+JomT8ixkARkWB2V4YW1wbGUxGzAZBgNVBAMTElRlc3QgQ2VydGlmeWluZyBDQYIJ
+AO9v41iqU92PMAsGA1UdDwQEAwIB/jAPBgNVHRMBAf8EBTADAQH/MCUGCWCGSAGG
+EIBDQQYFhZUZXN0aW5nIENBIENlcnRpZmljYXRlMA0GCSqGSIb3DQEBBQUAA4IB
+AQA0JDo0941Y3ty1NG4G6lN3yZr+fyl/PnTR+ZfEe7UOgpmsiQOmSJ4X+W8G68KT
+M95FgootSxpLPDA2b6K5+dAkl2VcghkMg16uFgkl+oNcWVwYg4vI5sJ3xdAajJVu
+uhimKYaS54txJhIbHsc/Ct4olQtOAi+PVoPyDQ/QVPElFeg/AsEq980KB1GFyZo6
+ZGYeJUqwrDiWPts2BOQjBuWT8CTb/2AdzuuiN/GGn6fSI/fHnnKoIIctyjd6FdfW
+RxPOWA/Ya/M0LH1CAb8yjWVir+AfbJ8EB2wN8JPDZ/Gac6dPgo/IBX1js0ig4jsu
+2sfLBZEyWRpUlCJ7AZKaxMLn
+-----END CERTIFICATE-----
--- a/plat/diameter/doc/single_host/CAGenerate/ca.csr
+++ b/plat/diameter/doc/single_host/CAGenerate/ca.csr
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICkDCCAXgCAQAwSzETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmSJomT8ixk
+ARkWB2V4YW1wbGUxGzAZBgNVBAMTElRlc3QgQ2VydGlmeWluZyBDQTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOkpb7cIhRgXxHpM3okpKAEH72DJ9XGy
+QFGyxb7cQZzhD7pinlrSWB97carD6Ne2SXi4HSGWmMaLw5VHRVjIbOQyTFOnD5fl
+kYtmqKYXiRvzMwVANByN82YMDKfLmAE1eF29jdfuYr14mxRpLwP9mbNFnqYRz+dv
+naLqNFnCV4ILcF/yHaLeNpA0KoELFPLCQsAZRAUR1sTnSKZkHrWH6s7QzBy7N3Ew
+qEeHOJCuT8Y6yzKoJuQBz2ks5TY1nFIVCMq5KuvWdgDCbHDEECMSQ5upMW+EUe8e
+p+l9IDrGNPU1bDa5tuGMLXevsdDQ4ijHk/KE9Y+xXQ0F6Epdx7Npo3MCAwEAAaAA
+MA0GCSqGSIb3DQEBBQUAA4IBAQCvHeXfLukUAajL7H52zH8cSbojf+r/Y3z1Gc6R
+sZ+tVTI/FVskjvhQ/tyHxktXVU8A5iXHD1aOE78dfNM9OTv9ys0k0/rD6lSAdWfE
+L9HgWll4hYm9a1DKEqPOuEIkj/p1sQkNgZUmUWyELvyp4safgD+h2ugmPBzis/hF
+je3q29+lhTe38GG91mGxhnHTJcsLF0Te0y4yv1JScryZ7uqnzjyrLxiJLRYGc2di
+7db1WmjtxDQUxclLkt6BBhVIi87K04S1hglY8mxlLiVdF0tEY4a/a1hLGs1Q4U8Z
+2BtSYR+OYLHNnCU5iDlaI5Z207f0ErTpYWw/PlgCF0G7dMLa
+-----END CERTIFICATE REQUEST-----
--- a/plat/diameter/doc/single_host/CAGenerate/ca.db
+++ b/plat/diameter/doc/single_host/CAGenerate/ca.db
@@ -0,0 +1,2 @@
+V	170618165451Z		00	unknown	/DC=com/DC=example/CN=OCSP Signer for Test Certifying CA
+V	170618165451Z		01	unknown	/DC=com/DC=example/mail=root@example.com/CN=localhost
--- a/plat/diameter/doc/single_host/CAGenerate/ca.db.attr
+++ b/plat/diameter/doc/single_host/CAGenerate/ca.db.attr
@@ -0,0 +1 @@
+unique_subject = yes
--- a/plat/diameter/doc/single_host/CAGenerate/ca.db.attr.old
+++ b/plat/diameter/doc/single_host/CAGenerate/ca.db.attr.old
@@ -0,0 +1 @@
+unique_subject = yes
--- a/plat/diameter/doc/single_host/CAGenerate/ca.db.old
+++ b/plat/diameter/doc/single_host/CAGenerate/ca.db.old
@@ -0,0 +1 @@
+V	170618165451Z		00	unknown	/DC=com/DC=example/CN=OCSP Signer for Test Certifying CA
--- a/plat/diameter/doc/single_host/CAGenerate/ca.srl
+++ b/plat/diameter/doc/single_host/CAGenerate/ca.srl
@@ -0,0 +1 @@
+02
--- a/plat/diameter/doc/single_host/CAGenerate/ca.srl.old
+++ b/plat/diameter/doc/single_host/CAGenerate/ca.srl.old
@@ -0,0 +1 @@
+01
--- a/plat/diameter/doc/single_host/CAGenerate/fdTestExt
+++ b/plat/diameter/doc/single_host/CAGenerate/fdTestExt
--- a/plat/diameter/doc/single_host/CAGenerate/freeDiameter-1.conf
+++ b/plat/diameter/doc/single_host/CAGenerate/freeDiameter-1.conf
@@ -0,0 +1,16 @@
+
+# -------- Test configuration ---------
+
+Identity = "peer1.localdomain";
+Realm = "localdomain";
+# Port = 3868;
+# SecPort = 3869;
+
+TLS_Cred = "./ca.crt",
+	   "./ca.key";
+TLS_CA = "./ca.pem";
+
+#LoadExtension = "extensions/test_app.fdx" : "test_app1.conf";
+
+ConnectPeer = "peer2.localdomain" { ConnectTo = "127.0.0.1"; No_TLS; port = 30868; };
+
--- a/plat/diameter/doc/single_host/CAGenerate/localhost.crt
+++ b/plat/diameter/doc/single_host/CAGenerate/localhost.crt
@@ -0,0 +1,152 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: DC=com, DC=example, CN=Test Certifying CA
+        Validity
+            Not Before: Jun 18 16:54:51 2016 GMT
+            Not After : Jun 18 16:54:51 2017 GMT
+        Subject: DC=com, DC=example/mail=root@example.com, CN=localhost
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b7:cf:a3:84:a5:55:ae:d8:6f:a6:e9:4f:33:2c:
+                    b1:b6:5f:b2:b2:ac:e8:dc:ee:94:ba:55:15:ff:06:
+                    63:1b:48:c4:24:c1:d0:44:86:1b:52:a4:75:25:97:
+                    67:30:e2:6e:6f:13:f9:6c:ac:58:d7:55:1c:71:48:
+                    12:d6:06:1f:b5:1e:98:10:2a:73:74:19:5b:a0:22:
+                    9f:28:96:06:b1:e0:8a:40:ee:2d:2a:ab:01:2a:8d:
+                    d7:96:c6:1f:a3:d4:2c:af:fb:31:f4:a3:26:c8:39:
+                    d6:ee:fa:1f:06:b4:35:82:6e:5e:de:79:89:38:c9:
+                    02:7f:a9:56:cb:be:24:fd:c2:d5:6a:86:6b:d9:4e:
+                    90:08:01:e1:32:80:dc:2d:ae:40:9e:da:ad:ba:69:
+                    ea:31:e2:94:f1:1b:41:07:f1:fa:a8:a6:6e:b9:03:
+                    1f:1a:3e:64:18:4f:20:79:0f:49:de:df:f9:5a:b2:
+                    52:ad:72:9b:29:39:13:f1:0f:5f:cd:e2:a1:ef:54:
+                    1d:2b:63:d0:09:f1:08:c3:a8:0e:e1:46:be:29:d9:
+                    7e:93:06:da:98:4f:f6:49:f4:31:9d:2c:29:35:36:
+                    51:65:98:84:b7:87:03:ea:ba:61:94:ba:f3:00:17:
+                    43:10:9d:18:c6:58:7f:73:ff:6b:36:7c:ed:f4:66:
+                    ef:15
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Certificate Policies: 
+                Policy: X509v3 Any Policy
+
+            X509v3 Subject Key Identifier: 
+                B8:31:DB:64:96:F7:F9:88:99:4B:A3:D3:D9:98:2F:06:AF:AB:84:A7
+            X509v3 Authority Key Identifier: 
+                keyid:5B:09:09:8C:18:28:52:5C:5B:39:E9:07:62:07:54:43:73:81:F1:33
+                DirName:/DC=com/DC=example/CN=Test Certifying CA
+                serial:EF:6F:E3:58:AA:53:DD:8F
+
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Testing Certificate for localhost
+    Signature Algorithm: sha1WithRSAEncryption
+         24:a1:20:db:9b:c2:87:81:84:64:d7:ce:de:81:29:63:63:19:
+         2b:b9:21:4f:c1:82:79:02:fa:c4:b4:2e:5e:2c:cb:a4:86:f6:
+         4f:02:f9:cb:a5:bb:ad:00:58:fd:4a:0a:45:19:74:5e:d5:80:
+         18:fd:96:0a:05:22:33:ae:8b:65:41:47:07:3a:5f:5b:ab:c1:
+         8d:92:1d:22:b1:74:8a:d6:db:81:c8:8c:d1:d3:d3:52:36:ec:
+         a3:e4:64:c1:23:7c:0a:9c:36:ec:e4:cf:a2:f5:9b:1b:39:a4:
+         94:0f:12:18:0a:f4:91:a1:71:89:13:c1:86:24:b5:46:d1:c9:
+         de:8e:bc:c3:a9:90:c4:99:d3:99:36:de:47:10:89:b9:c7:e8:
+         d4:2b:a4:65:3a:a9:9d:ea:d0:16:08:20:0c:c0:ec:b5:b1:2d:
+         17:9e:45:32:ee:91:ee:9e:6f:59:03:2c:8f:dd:36:6d:d3:29:
+         d0:4b:b0:f4:d5:76:dd:92:1b:89:d7:5b:e6:bb:90:61:0b:5f:
+         55:84:f3:1c:cc:61:01:e5:3f:5c:08:0d:a5:41:51:00:6e:a8:
+         e6:9b:f1:76:bd:f8:96:62:22:42:37:db:3e:29:a7:2c:70:2b:
+         22:82:60:b8:9c:83:83:3c:d9:02:c7:0d:9f:b4:a6:a1:8f:81:
+         76:41:48:53
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: DC=com, DC=example, CN=Test Certifying CA
+        Validity
+            Not Before: Jun 18 16:54:51 2016 GMT
+            Not After : Jun 18 16:54:51 2017 GMT
+        Subject: DC=com, DC=example/mail=root@example.com, CN=localhost
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b7:cf:a3:84:a5:55:ae:d8:6f:a6:e9:4f:33:2c:
+                    b1:b6:5f:b2:b2:ac:e8:dc:ee:94:ba:55:15:ff:06:
+                    63:1b:48:c4:24:c1:d0:44:86:1b:52:a4:75:25:97:
+                    67:30:e2:6e:6f:13:f9:6c:ac:58:d7:55:1c:71:48:
+                    12:d6:06:1f:b5:1e:98:10:2a:73:74:19:5b:a0:22:
+                    9f:28:96:06:b1:e0:8a:40:ee:2d:2a:ab:01:2a:8d:
+                    d7:96:c6:1f:a3:d4:2c:af:fb:31:f4:a3:26:c8:39:
+                    d6:ee:fa:1f:06:b4:35:82:6e:5e:de:79:89:38:c9:
+                    02:7f:a9:56:cb:be:24:fd:c2:d5:6a:86:6b:d9:4e:
+                    90:08:01:e1:32:80:dc:2d:ae:40:9e:da:ad:ba:69:
+                    ea:31:e2:94:f1:1b:41:07:f1:fa:a8:a6:6e:b9:03:
+                    1f:1a:3e:64:18:4f:20:79:0f:49:de:df:f9:5a:b2:
+                    52:ad:72:9b:29:39:13:f1:0f:5f:cd:e2:a1:ef:54:
+                    1d:2b:63:d0:09:f1:08:c3:a8:0e:e1:46:be:29:d9:
+                    7e:93:06:da:98:4f:f6:49:f4:31:9d:2c:29:35:36:
+                    51:65:98:84:b7:87:03:ea:ba:61:94:ba:f3:00:17:
+                    43:10:9d:18:c6:58:7f:73:ff:6b:36:7c:ed:f4:66:
+                    ef:15
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Certificate Policies: 
+                Policy: X509v3 Any Policy
+
+            X509v3 Subject Key Identifier: 
+                B8:31:DB:64:96:F7:F9:88:99:4B:A3:D3:D9:98:2F:06:AF:AB:84:A7
+            X509v3 Authority Key Identifier: 
+                keyid:5B:09:09:8C:18:28:52:5C:5B:39:E9:07:62:07:54:43:73:81:F1:33
+                DirName:/DC=com/DC=example/CN=Test Certifying CA
+                serial:EF:6F:E3:58:AA:53:DD:8F
+
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Testing Certificate for localhost
+    Signature Algorithm: sha1WithRSAEncryption
+         24:a1:20:db:9b:c2:87:81:84:64:d7:ce:de:81:29:63:63:19:
+         2b:b9:21:4f:c1:82:79:02:fa:c4:b4:2e:5e:2c:cb:a4:86:f6:
+         4f:02:f9:cb:a5:bb:ad:00:58:fd:4a:0a:45:19:74:5e:d5:80:
+         18:fd:96:0a:05:22:33:ae:8b:65:41:47:07:3a:5f:5b:ab:c1:
+         8d:92:1d:22:b1:74:8a:d6:db:81:c8:8c:d1:d3:d3:52:36:ec:
+         a3:e4:64:c1:23:7c:0a:9c:36:ec:e4:cf:a2:f5:9b:1b:39:a4:
+         94:0f:12:18:0a:f4:91:a1:71:89:13:c1:86:24:b5:46:d1:c9:
+         de:8e:bc:c3:a9:90:c4:99:d3:99:36:de:47:10:89:b9:c7:e8:
+         d4:2b:a4:65:3a:a9:9d:ea:d0:16:08:20:0c:c0:ec:b5:b1:2d:
+         17:9e:45:32:ee:91:ee:9e:6f:59:03:2c:8f:dd:36:6d:d3:29:
+         d0:4b:b0:f4:d5:76:dd:92:1b:89:d7:5b:e6:bb:90:61:0b:5f:
+         55:84:f3:1c:cc:61:01:e5:3f:5c:08:0d:a5:41:51:00:6e:a8:
+         e6:9b:f1:76:bd:f8:96:62:22:42:37:db:3e:29:a7:2c:70:2b:
+         22:82:60:b8:9c:83:83:3c:d9:02:c7:0d:9f:b4:a6:a1:8f:81:
+         76:41:48:53
+-----BEGIN CERTIFICATE-----
+MIIEGjCCAwKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMRMwEQYKCZImiZPyLGQB
+GRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEbMBkGA1UEAxMSVGVzdCBD
+ZXJ0aWZ5aW5nIENBMB4XDTE2MDYxODE2NTQ1MVoXDTE3MDYxODE2NTQ1MVowZDET
+MBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxIDAe
+BgoJkiaJk/IsZAEDFBByb290QGV4YW1wbGUuY29tMRIwEAYDVQQDEwlsb2NhbGhv
+c3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3z6OEpVWu2G+m6U8z
+LLG2X7KyrOjc7pS6VRX/BmMbSMQkwdBEhhtSpHUll2cw4m5vE/lsrFjXVRxxSBLW
+Bh+1HpgQKnN0GVugIp8olgax4IpA7i0qqwEqjdeWxh+j1Cyv+zH0oybIOdbu+h8G
+tDWCbl7eeYk4yQJ/qVbLviT9wtVqhmvZTpAIAeEygNwtrkCe2q26aeox4pTxG0EH
+8fqopm65Ax8aPmQYTyB5D0ne3/laslKtcpspORPxD1/N4qHvVB0rY9AJ8QjDqA7h
+Rr4p2X6TBtqYT/ZJ9DGdLCk1NlFlmIS3hwPqumGUuvMAF0MQnRjGWH9z/2s2fO30
+Zu8VAgMBAAGjge8wgewwEQYDVR0gBAowCDAGBgRVHSAAMB0GA1UdDgQWBBS4Mdtk
+lvf5iJlLo9PZmC8Gr6uEpzB7BgNVHSMEdDBygBRbCQmMGChSXFs56QdiB1RDc4Hx
+M6FPpE0wSzETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4
+YW1wbGUxGzAZBgNVBAMTElRlc3QgQ2VydGlmeWluZyBDQYIJAO9v41iqU92PMAkG
+A1UdEwQCMAAwMAYJYIZIAYb4QgENBCMWIVRlc3RpbmcgQ2VydGlmaWNhdGUgZm9y
+IGxvY2FsaG9zdDANBgkqhkiG9w0BAQUFAAOCAQEAJKEg25vCh4GEZNfO3oEpY2MZ
+K7khT8GCeQL6xLQuXizLpIb2TwL5y6W7rQBY/UoKRRl0XtWAGP2WCgUiM66LZUFH
+BzpfW6vBjZIdIrF0itbbgciM0dPTUjbso+RkwSN8Cpw27OTPovWbGzmklA8SGAr0
+kaFxiRPBhiS1RtHJ3o68w6mQxJnTmTbeRxCJucfo1CukZTqpnerQFgggDMDstbEt
+F55FMu6R7p5vWQMsj902bdMp0Euw9NV23ZIbiddb5ruQYQtfVYTzHMxhAeU/XAgN
+pUFRAG6o5pvxdr34lmIiQjfbPimnLHArIoJguJyDgzzZAscNn7SmoY+BdkFIUw==
+-----END CERTIFICATE-----
--- a/plat/diameter/doc/single_host/CAGenerate/localhost.csr
+++ b/plat/diameter/doc/single_host/CAGenerate/localhost.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICqTCCAZECAQAwZDETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmSJomT8ixk
+ARkWB2V4YW1wbGUxIDAeBgoJkiaJk/IsZAEDFBByb290QGV4YW1wbGUuY29tMRIw
+EAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC3z6OEpVWu2G+m6U8zLLG2X7KyrOjc7pS6VRX/BmMbSMQkwdBEhhtSpHUll2cw
+4m5vE/lsrFjXVRxxSBLWBh+1HpgQKnN0GVugIp8olgax4IpA7i0qqwEqjdeWxh+j
+1Cyv+zH0oybIOdbu+h8GtDWCbl7eeYk4yQJ/qVbLviT9wtVqhmvZTpAIAeEygNwt
+rkCe2q26aeox4pTxG0EH8fqopm65Ax8aPmQYTyB5D0ne3/laslKtcpspORPxD1/N
+4qHvVB0rY9AJ8QjDqA7hRr4p2X6TBtqYT/ZJ9DGdLCk1NlFlmIS3hwPqumGUuvMA
+F0MQnRjGWH9z/2s2fO30Zu8VAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEACe/8
+eLWyhbHx6YZzliLGQsOZDqZrV+7rLCD7eYOt09DcxfHGqWuXYJfL6LCTAEkZtd2Z
+BYWVxmqNqeWvqlZUq7EMsYsAtAnQEnGE7mBoY0dEMMiRuirYmOblt1y1k3paDAY7
+HBt3hGiCxwZq8hlUQDmyB19GyoAogyaneqCWyMObisBeyFEjoYssXD+0KKGcZ/kt
+qKNK+8S/X2HBBB76chO0gJ3cTOpDVi5YjHOOk3Ovx4D2igN1C7xysecvXIrLVSj/
+9xSpzK0i1W5gWn1c6P5y4kxF/prmfwrJB8LyqP7x7VLqhlwDA6bkk17D4y/ogQM+
+0dIWUwwfxJdiEdjL4w==
+-----END CERTIFICATE REQUEST-----
--- a/plat/diameter/doc/single_host/CAGenerate/ocsp.crt
+++ b/plat/diameter/doc/single_host/CAGenerate/ocsp.crt
@@ -0,0 +1,159 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 0 (0x0)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: DC=com, DC=example, CN=Test Certifying CA
+        Validity
+            Not Before: Jun 18 16:54:51 2016 GMT
+            Not After : Jun 18 16:54:51 2017 GMT
+        Subject: DC=com, DC=example, CN=OCSP Signer for Test Certifying CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b3:36:dc:c6:0e:a5:f3:e1:2f:0e:9c:94:19:10:
+                    00:fb:40:2b:6f:d0:1c:c6:de:64:32:fd:ac:d0:45:
+                    55:38:d8:77:11:46:8f:22:1f:93:c3:e9:fd:64:c8:
+                    1d:8d:21:65:8e:83:ae:91:53:bc:b9:a3:4d:b2:0e:
+                    ef:16:f8:52:9f:7b:69:dc:9c:73:cb:06:66:27:23:
+                    8d:6f:ba:11:e4:d6:0d:6f:25:9c:8e:d3:d8:1a:d5:
+                    2f:9d:00:06:b9:47:0c:24:00:87:e2:77:46:d0:6e:
+                    57:cd:f8:47:6e:50:cb:e7:71:d1:c5:50:bb:a5:2a:
+                    15:be:b4:cb:ea:d7:03:12:1b:d3:67:3c:76:12:df:
+                    e0:01:0d:69:36:16:1b:93:99:db:c2:5d:68:a4:f3:
+                    1f:56:24:4d:0c:da:1f:e4:81:04:bd:2c:d2:ec:8b:
+                    05:ff:eb:fb:2c:f9:92:93:e0:99:11:fa:64:aa:6b:
+                    83:ce:34:20:59:4b:b2:fa:d7:f7:6a:cd:b1:9d:90:
+                    56:43:ae:f2:ab:2e:e3:66:84:15:f5:ad:aa:6e:ce:
+                    c5:f5:3b:7b:bc:83:0c:7f:8f:f6:95:2c:b8:71:1a:
+                    d3:34:39:07:2e:2c:76:1c:6a:01:f2:1b:dd:59:ab:
+                    8c:4b:c9:bf:a7:54:bf:d4:3a:9f:13:fe:3d:7f:77:
+                    ce:89
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                30:46:BF:06:40:30:42:09:BE:75:D8:AC:C3:AC:7B:D3:4C:92:75:71
+            X509v3 Authority Key Identifier: 
+                keyid:5B:09:09:8C:18:28:52:5C:5B:39:E9:07:62:07:54:43:73:81:F1:33
+                DirName:/DC=com/DC=example/CN=Test Certifying CA
+                serial:EF:6F:E3:58:AA:53:DD:8F
+
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Extended Key Usage: 
+                OCSP Signing
+            Netscape Comment: 
+                Testing OCSP Certificate
+            OCSP No Check: 
+
+    Signature Algorithm: sha1WithRSAEncryption
+         e0:4d:17:4c:a4:ff:57:a1:db:d5:d2:77:7a:2d:70:51:8b:11:
+         96:31:9f:fd:7e:d5:a7:a0:bb:d4:0d:ab:c2:5e:56:70:aa:84:
+         47:f4:e9:28:51:c9:62:ca:3b:ad:5c:da:8c:60:37:72:d9:06:
+         27:a1:60:cc:58:33:de:f1:85:3b:72:28:57:61:d6:8f:ce:46:
+         84:53:bb:ad:61:2c:b8:c0:c0:db:88:9d:1c:a4:09:b8:8c:ca:
+         49:d1:13:32:4b:b0:10:e9:65:b3:0b:68:30:65:e6:a0:6f:db:
+         7c:ce:7b:52:c0:eb:7a:11:50:eb:2f:0e:2f:36:83:95:15:09:
+         5f:f2:f8:2c:7d:a8:b2:c1:5e:f5:61:72:b7:a8:38:de:22:b7:
+         a7:1c:43:03:c5:d4:01:ef:f0:fd:4e:9c:28:c7:b2:29:89:23:
+         ff:c4:75:28:d2:c3:d8:e1:68:b1:08:9f:af:60:60:2a:ed:a0:
+         96:b1:6c:f4:cc:61:bb:9d:af:5b:69:1f:3d:81:6c:ba:e2:e2:
+         d6:38:aa:77:6b:a6:3f:e0:8a:8d:55:6d:df:06:cb:5b:1d:53:
+         f7:96:4f:6f:98:8b:b3:0c:c3:2b:52:51:99:2d:09:fa:d0:a7:
+         d5:1f:be:8b:43:21:0c:60:e0:bc:e3:42:f1:8a:d3:85:d1:cb:
+         02:58:5a:98
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 0 (0x0)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: DC=com, DC=example, CN=Test Certifying CA
+        Validity
+            Not Before: Jun 18 16:54:51 2016 GMT
+            Not After : Jun 18 16:54:51 2017 GMT
+        Subject: DC=com, DC=example, CN=OCSP Signer for Test Certifying CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b3:36:dc:c6:0e:a5:f3:e1:2f:0e:9c:94:19:10:
+                    00:fb:40:2b:6f:d0:1c:c6:de:64:32:fd:ac:d0:45:
+                    55:38:d8:77:11:46:8f:22:1f:93:c3:e9:fd:64:c8:
+                    1d:8d:21:65:8e:83:ae:91:53:bc:b9:a3:4d:b2:0e:
+                    ef:16:f8:52:9f:7b:69:dc:9c:73:cb:06:66:27:23:
+                    8d:6f:ba:11:e4:d6:0d:6f:25:9c:8e:d3:d8:1a:d5:
+                    2f:9d:00:06:b9:47:0c:24:00:87:e2:77:46:d0:6e:
+                    57:cd:f8:47:6e:50:cb:e7:71:d1:c5:50:bb:a5:2a:
+                    15:be:b4:cb:ea:d7:03:12:1b:d3:67:3c:76:12:df:
+                    e0:01:0d:69:36:16:1b:93:99:db:c2:5d:68:a4:f3:
+                    1f:56:24:4d:0c:da:1f:e4:81:04:bd:2c:d2:ec:8b:
+                    05:ff:eb:fb:2c:f9:92:93:e0:99:11:fa:64:aa:6b:
+                    83:ce:34:20:59:4b:b2:fa:d7:f7:6a:cd:b1:9d:90:
+                    56:43:ae:f2:ab:2e:e3:66:84:15:f5:ad:aa:6e:ce:
+                    c5:f5:3b:7b:bc:83:0c:7f:8f:f6:95:2c:b8:71:1a:
+                    d3:34:39:07:2e:2c:76:1c:6a:01:f2:1b:dd:59:ab:
+                    8c:4b:c9:bf:a7:54:bf:d4:3a:9f:13:fe:3d:7f:77:
+                    ce:89
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                30:46:BF:06:40:30:42:09:BE:75:D8:AC:C3:AC:7B:D3:4C:92:75:71
+            X509v3 Authority Key Identifier: 
+                keyid:5B:09:09:8C:18:28:52:5C:5B:39:E9:07:62:07:54:43:73:81:F1:33
+                DirName:/DC=com/DC=example/CN=Test Certifying CA
+                serial:EF:6F:E3:58:AA:53:DD:8F
+
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Extended Key Usage: 
+                OCSP Signing
+            Netscape Comment: 
+                Testing OCSP Certificate
+            OCSP No Check: 
+
+    Signature Algorithm: sha1WithRSAEncryption
+         e0:4d:17:4c:a4:ff:57:a1:db:d5:d2:77:7a:2d:70:51:8b:11:
+         96:31:9f:fd:7e:d5:a7:a0:bb:d4:0d:ab:c2:5e:56:70:aa:84:
+         47:f4:e9:28:51:c9:62:ca:3b:ad:5c:da:8c:60:37:72:d9:06:
+         27:a1:60:cc:58:33:de:f1:85:3b:72:28:57:61:d6:8f:ce:46:
+         84:53:bb:ad:61:2c:b8:c0:c0:db:88:9d:1c:a4:09:b8:8c:ca:
+         49:d1:13:32:4b:b0:10:e9:65:b3:0b:68:30:65:e6:a0:6f:db:
+         7c:ce:7b:52:c0:eb:7a:11:50:eb:2f:0e:2f:36:83:95:15:09:
+         5f:f2:f8:2c:7d:a8:b2:c1:5e:f5:61:72:b7:a8:38:de:22:b7:
+         a7:1c:43:03:c5:d4:01:ef:f0:fd:4e:9c:28:c7:b2:29:89:23:
+         ff:c4:75:28:d2:c3:d8:e1:68:b1:08:9f:af:60:60:2a:ed:a0:
+         96:b1:6c:f4:cc:61:bb:9d:af:5b:69:1f:3d:81:6c:ba:e2:e2:
+         d6:38:aa:77:6b:a6:3f:e0:8a:8d:55:6d:df:06:cb:5b:1d:53:
+         f7:96:4f:6f:98:8b:b3:0c:c3:2b:52:51:99:2d:09:fa:d0:a7:
+         d5:1f:be:8b:43:21:0c:60:e0:bc:e3:42:f1:8a:d3:85:d1:cb:
+         02:58:5a:98
+-----BEGIN CERTIFICATE-----
+MIIEKjCCAxKgAwIBAgIBADANBgkqhkiG9w0BAQUFADBLMRMwEQYKCZImiZPyLGQB
+GRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEbMBkGA1UEAxMSVGVzdCBD
+ZXJ0aWZ5aW5nIENBMB4XDTE2MDYxODE2NTQ1MVoXDTE3MDYxODE2NTQ1MVowWzET
+MBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxKzAp
+BgNVBAMTIk9DU1AgU2lnbmVyIGZvciBUZXN0IENlcnRpZnlpbmcgQ0EwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzNtzGDqXz4S8OnJQZEAD7QCtv0BzG
+3mQy/azQRVU42HcRRo8iH5PD6f1kyB2NIWWOg66RU7y5o02yDu8W+FKfe2ncnHPL
+BmYnI41vuhHk1g1vJZyO09ga1S+dAAa5RwwkAIfid0bQblfN+EduUMvncdHFULul
+KhW+tMvq1wMSG9NnPHYS3+ABDWk2FhuTmdvCXWik8x9WJE0M2h/kgQS9LNLsiwX/
+6/ss+ZKT4JkR+mSqa4PONCBZS7L61/dqzbGdkFZDrvKrLuNmhBX1rapuzsX1O3u8
+gwx/j/aVLLhxGtM0OQcuLHYcagHyG91Zq4xLyb+nVL/UOp8T/j1/d86JAgMBAAGj
+ggEHMIIBAzAdBgNVHQ4EFgQUMEa/BkAwQgm+ddisw6x700ySdXEwewYDVR0jBHQw
+coAUWwkJjBgoUlxbOekHYgdUQ3OB8TOhT6RNMEsxEzARBgoJkiaJk/IsZAEZFgNj
+b20xFzAVBgoJkiaJk/IsZAEZFgdleGFtcGxlMRswGQYDVQQDExJUZXN0IENlcnRp
+ZnlpbmcgQ0GCCQDvb+NYqlPdjzALBgNVHQ8EBAMCAf4wCQYDVR0TBAIwADATBgNV
+HSUEDDAKBggrBgEFBQcDCTAnBglghkgBhvhCAQ0EGhYYVGVzdGluZyBPQ1NQIENl
+cnRpZmljYXRlMA8GCSsGAQUFBzABBQQCBQAwDQYJKoZIhvcNAQEFBQADggEBAOBN
+F0yk/1eh29XSd3otcFGLEZYxn/1+1aegu9QNq8JeVnCqhEf06ShRyWLKO61c2oxg
+N3LZBiehYMxYM97xhTtyKFdh1o/ORoRTu61hLLjAwNuInRykCbiMyknREzJLsBDp
+ZbMLaDBl5qBv23zOe1LA63oRUOsvDi82g5UVCV/y+Cx9qLLBXvVhcreoON4it6cc
+QwPF1AHv8P1OnCjHsimJI//EdSjSw9jhaLEIn69gYCrtoJaxbPTMYbudr1tpHz2B
+bLri4tY4qndrpj/gio1Vbd8Gy1sdU/eWT2+Yi7MMwytSUZktCfrQp9UfvotDIQxg
+4LzjQvGK04XRywJYWpg=
+-----END CERTIFICATE-----
--- a/plat/diameter/doc/single_host/CAGenerate/ocsp.csr
+++ b/plat/diameter/doc/single_host/CAGenerate/ocsp.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICoDCCAYgCAQAwWzETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmSJomT8ixk
+ARkWB2V4YW1wbGUxKzApBgNVBAMTIk9DU1AgU2lnbmVyIGZvciBUZXN0IENlcnRp
+ZnlpbmcgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzNtzGDqXz
+4S8OnJQZEAD7QCtv0BzG3mQy/azQRVU42HcRRo8iH5PD6f1kyB2NIWWOg66RU7y5
+o02yDu8W+FKfe2ncnHPLBmYnI41vuhHk1g1vJZyO09ga1S+dAAa5RwwkAIfid0bQ
+blfN+EduUMvncdHFULulKhW+tMvq1wMSG9NnPHYS3+ABDWk2FhuTmdvCXWik8x9W
+JE0M2h/kgQS9LNLsiwX/6/ss+ZKT4JkR+mSqa4PONCBZS7L61/dqzbGdkFZDrvKr
+LuNmhBX1rapuzsX1O3u8gwx/j/aVLLhxGtM0OQcuLHYcagHyG91Zq4xLyb+nVL/U
+Op8T/j1/d86JAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEArFHItPRlHAT2Bfgk
+5eerQ0NJYRmo6Rz5R57rGjf92eZfH855KUy43tPdc+EFtp+RgBumpQi7RpeZyqmZ
+wtwQIev66I+Ls9/hXE8+VxtBlFAl99gFyzj5kRdfkjb0uOxWN6MSfxPcNE4J7oWm
+f8PBeIIcUCZEmFGvo1G2hoPyD2xUNYpMw0+XAPIsuqnqS/eY7SbYs+vByt9jPzTx
+cOZ0jpXRfHrf2gsvcQSmO6MLRwKiF3P62BUMp+UcTRtpznxSpwl9GdQN5E0H4pQh
+4HUYPmFRSkwFa8FkJGorMTcsR8U2/NiVGZnJgRz2ElSxLL4epBT7M/+MvURgH0Py
+4/ab4Q==
+-----END CERTIFICATE REQUEST-----
--- a/plat/diameter/doc/single_host/CAGenerate/ssl_make_certs.sh
+++ b/plat/diameter/doc/single_host/CAGenerate/ssl_make_certs.sh
@@ -0,0 +1,545 @@
+#!/bin/bash -e
+#
+#  Generate a root CA cert for signing, and then a subject cert.
+#  Usage: make-certs.sh hostname [user[@domain]] [more ...]
+#  For testing only, probably still has some bugs in it.
+#
+
+DOMAIN=example.com
+DAYS=365
+KEYTYPE=RSA
+KEYSIZE=2048
+CURVE=prime256v1
+DIGEST=SHA1
+CRLHOURS=24
+CRLDAYS=
+
+# Cleanup temporary files at exit.
+touch openssl.cnf
+newcertdir=`mktemp -d`
+cleanup() {
+	test -f openssl.cnf   && rm -f openssl.cnf
+	test -f ca.txt        && rm -f ca.txt
+	test -f ocsp.txt      && rm -f ocsp.txt
+	test -n "$newcertdir" && rm -fr "$newcertdir"
+}
+trap cleanup EXIT
+
+# The first argument is either a common name value or a flag indicating that
+# we're doing something other than issuing a cert.
+commonname="$1"
+refresh_crl=false
+revoke_cert=false
+ocsp_serve=false
+if test "x$commonname" = "x-refresh-crl" ; then
+	refresh_crl=true
+	commonname="$1"
+fi
+if test "x$commonname" = "x-refresh_crl" ; then
+	refresh_crl=true
+	commonname="$1"
+fi
+if test "x$commonname" = "x-revoke" ; then
+	revoke_cert=true
+	shift
+	commonname="$1"
+fi
+if test "x$commonname" = "x-ocsp" ; then
+	ocsp_serve=true
+	commonname="$1"
+fi
+if test "x$commonname" = x ; then
+	echo Usage: `basename $0` 'commonname' user'[@domain]' '[more [...]]'
+	echo Usage: `basename $0` -revoke 'commonname'
+	echo Usage: `basename $0` -ocsp
+	echo Usage: `basename $0` -refresh-crl
+	echo More:
+	echo -e \\tKey type: "[RSA|DSA|EC]"
+	echo -e \\tElliptic curve: "[prime256v1|secp384r1|secp521r1]"
+	echo -e \\tKey usage: "[sign|signing|encrypt|encryption|agree|agreement|all]"
+	echo -e \\tAuthority Access Info OCSP responder: "ocsp:URI"
+	echo -e \\tCRL distribution point: "crl:URI"
+	echo -e \\tSubject Alternative Name:
+	echo -e \\t\\tHostname: "*"
+	echo -e \\t\\tIP address: w.x.y.z
+	echo -e \\t\\tEmail address: "*@*.com/edu/net/org/local"
+	echo -e \\t\\tKerberos principal name: "*@*.COM/EDU/NET/ORG/LOCAL"
+	echo -e \\tExtended key usage:
+	echo -e \\t\\t1....
+	echo -e \\t\\t2....
+	echo -e \\t\\tid-kp-server-auth \| tls-server
+	echo -e \\t\\tid-kp-client-auth \| tls-client
+	echo -e \\t\\tid-kp-email-protection \| email
+	echo -e \\t\\tid-ms-kp-sc-logon \| id-ms-sc-logon
+	echo -e \\t\\tid-pkinit-kp-client-auth \| id-pkinit-client
+	echo -e \\t\\tid-pkinit-kp-kdc \| id-pkinit-kdc
+	echo -e \\t\\tca \| CA
+	exit 1
+fi
+
+# Choose a user name part for email attributes.
+GIVENUSER=$2
+test x"$GIVENUSER" = x && GIVENUSER=$USER
+echo "$GIVENUSER" | grep -q @ || GIVENUSER="$GIVENUSER"@$DOMAIN
+DOMAIN=`echo "$GIVENUSER" | cut -f2- -d@`
+
+shift || true
+shift || true
+
+# Done already?
+done=:
+
+keygen() {
+	case "$KEYTYPE" in
+	DSA)
+		openssl dsaparam $KEYSIZE -genkey
+		;;
+	EC)
+		openssl ecparam -name $CURVE -noout -param_enc named_curve -genkey
+		;;
+	RSA|*)
+		openssl genrsa $KEYSIZE -nodes
+		;;
+	esac
+}
+
+# Set some defaults.
+CA=FALSE
+if test -s ca.crldp.uri.txt ; then
+	crlval="`cat ca.crldp.uri.txt`"
+	crl="URI:$crlval"
+fi
+if test -s ca.ocsp.uri.txt ; then
+	aiaval="`cat ca.ocsp.uri.txt`"
+	aia="OCSP;URI:$aiaval"
+fi
+if test -s ca.domain.txt ; then
+	domval="`cat ca.domain.txt`"
+	if test -n "$domval" ; then
+		DOMAIN="$domval"
+	fi
+fi
+
+# Parse the arguments which indicate what sort of information we want.
+while test $# -gt 0 ; do
+	type=
+	value="$1"
+	case "$value" in
+	RSA|rsa)
+		KEYTYPE=RSA
+		;;
+	DSA|dsa)
+		KEYTYPE=DSA
+		;;
+	EC|ec)
+		KEYTYPE=EC
+		;;
+	prime256v1|secp384r1|secp521r1)
+		CURVE=$1
+		;;
+	OCSP:*|ocsp:*)
+		aiaval=`echo "$value" | cut -f2- -d:`
+		aia="OCSP;URI:$aiaval"
+		;;
+	CRL:*|crl:*)
+		crlval=`echo "$value" | cut -f2- -d:`
+		crl="URI:$crlval"
+		;;
+	signing|sign)
+		keyusage="${keyusage:+${keyusage},}nonRepudiation,digitalSignature"
+		;;
+	encryption|encrypt)
+		keyusage="${keyusage:+${keyusage},}keyEncipherment,dataEncipherment"
+		;;
+	agreement|agree)
+		keyusage="${keyusage:+${keyusage},}keyAgreement"
+		;;
+	all)
+		keyusage="digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign,encipherOnly,decipherOnly"
+		;;
+	ca|CA)
+		CA=TRUE
+		keyusage="${keyusage:+${keyusage},}nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign"
+		;;
+	1.*|2.*|id-*|tls-*|email|mail)
+		ekuval=`echo "$value" | tr '[A-Z]' '[a-z]' | sed 's,\-,,g'`
+		case "$ekuval" in
+		idkpserverauth|tlsserver) ekuval=1.3.6.1.5.5.7.3.1;;
+		idkpclientauth|tlsclient) ekuval=1.3.6.1.5.5.7.3.2;;
+		idkpemailprotection|email|mail) ekuval=1.3.6.1.5.5.7.3.4;;
+		idmskpsclogon|idmssclogon) ekuval=1.3.6.1.4.1.311.20.2.2;;
+		idpkinitkpclientauth|idpkinitclient) ekuval=1.3.6.1.5.2.3.4;;
+		idpkinitkpkdc|idpkinitkdc) ekuval=1.3.6.1.5.2.3.5;;
+		esac
+		if test -z "$eku" ; then
+			eku="$ekuval"
+		else
+			eku="$eku,$ekuval"
+		fi
+		;;
+	*@*.COM|*@*.EDU|*@*.NET|*@*.ORG|*@*.LOCAL)
+		luser=`echo "$value" | tr '[A-Z]' '[a-z]'`
+		if test "$luser" = "$value" ; then
+			luser=
+		fi
+		type="otherName:1.3.6.1.5.2.2;SEQUENCE:$value,${luser:+otherName:1.3.6.1.4.1.311.20.2.3;UTF8:${luser},}otherName:1.3.6.1.4.1.311.20.2.3;UTF8"
+		unset luser
+		principals="$principals $value"
+		;;
+	*@*.com|*@*.edu|*@*.net|*@*.org|*@*.local)            type=email;;
+	[0-9]*.[0-9]*.[0-9]*.[0-9]*)                          type=IP;;
+	*)                                                    type=DNS;;
+	esac
+	if test -n "$type" ; then
+		newvalue="${type}:$value"
+		if test -z "$altnames" ; then
+			altnames="${newvalue}"
+		else
+			altnames="${altnames},${newvalue}"
+		fi
+	fi
+	shift
+done
+
+# Build the configuration file, including bits on how to construct the CA
+# certificate, an OCSP responder certificate, and the issued certificate.
+cat > openssl.cnf <<- EOF
+[ca]
+default_ca = issuer
+
+[issuer]
+private_key = `pwd`/ca.key
+certificate = `pwd`/ca.crt
+database = `pwd`/ca.db
+serial = `pwd`/ca.srl
+default_md = $DIGEST
+new_certs_dir = $newcertdir
+policy = no_policy
+
+[no_policy]
+
+[req_oids]
+domainComponent = 0.9.2342.19200300.100.1.25
+
+[req_ca]
+prompt = no
+oid_section = req_oids
+distinguished_name = req_ca_name
+default_md = $DIGEST
+
+[req_ca_name]
+EOF
+echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf
+cat >> openssl.cnf <<- EOF
+commonName = Test Certifying CA
+
+[v3_ca]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+keyUsage=nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
+basicConstraints=critical,CA:TRUE
+nsComment="Testing CA Certificate"
+EOF
+if test -n "$aia" ; then
+	echo "authorityInfoAccess = ${aia}" >> openssl.cnf
+	echo -n "$aiaval" > ca.ocsp.uri.txt
+fi
+if test -n "$crl" ; then
+	echo "crlDistributionPoints = ${crl}" >> openssl.cnf
+	echo -n "$crlval" > ca.crldp.uri.txt
+fi
+echo "$DOMAIN" > ca.domain.txt
+cat >> openssl.cnf <<- EOF
+
+[req_ocsp]
+prompt = no
+oid_section = req_oids
+distinguished_name = req_ocsp_name
+default_md = $DIGEST
+
+[req_ocsp_name]
+EOF
+echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf
+cat >> openssl.cnf <<- EOF
+commonName = OCSP Signer for Test Certifying CA
+
+[v3_ocsp]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
+basicConstraints=CA:FALSE
+extendedKeyUsage=1.3.6.1.5.5.7.3.9
+nsComment="Testing OCSP Certificate"
+1.3.6.1.5.5.7.48.1.5=ASN1:NULL
+EOF
+if test -n "$aia" ; then
+	echo "authorityInfoAccess = ${aia}" >> openssl.cnf
+fi
+if test -n "$crl" ; then
+	echo "crlDistributionPoints = ${crl}" >> openssl.cnf
+fi
+cat >> openssl.cnf <<- EOF
+
+[req_issued]
+prompt = no
+oid_section = req_oids
+distinguished_name = req_issued_name
+default_md = $DIGEST
+
+[req_issued_name]
+EOF
+echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf
+cat >> openssl.cnf <<- EOF
+mail = $GIVENUSER
+commonName = $commonname
+
+[v3_issued]
+certificatePolicies=2.5.29.32.0${eku:+,${eku}}
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+EOF
+if test -n "$aia" ; then
+	echo "authorityInfoAccess = ${aia}" >> openssl.cnf
+fi
+if test -n "$crl" ; then
+	echo "crlDistributionPoints = ${crl}" >> openssl.cnf
+fi
+if test -n "$keyusage" ; then
+	echo "keyUsage = critical,${keyusage}" >> openssl.cnf
+fi
+if test -n "$altnames" ; then
+	echo "subjectAltName = ${altnames}" >> openssl.cnf
+fi
+if test -n "$eku" ; then
+	echo "extendedKeyUsage = ${eku}" >> openssl.cnf
+fi
+if test "x$CA" = xTRUE ; then
+	echo "basicConstraints=critical,CA:TRUE" >> openssl.cnf
+	echo 'nsComment="Testing CA Certificate for '"$commonname"'"' >> openssl.cnf
+else
+	echo "basicConstraints=CA:FALSE" >> openssl.cnf
+	echo 'nsComment="Testing Certificate for '"$commonname"'"' >> openssl.cnf
+fi
+for value in $principals; do
+	user=`echo "$value" | cut -f1 -d@`
+	realm=`echo "$value" | cut -f2- -d@`
+	echo "" >> openssl.cnf
+	echo "[$value]" >> openssl.cnf
+	echo "realm=EXPLICIT:0,GeneralString:$realm" >> openssl.cnf
+	echo "kerberosname=EXPLICIT:1,SEQUENCE:krb5$user" >> openssl.cnf
+
+	echo "" >> openssl.cnf
+	echo "[krb5$user]" >> openssl.cnf
+	echo "nametype=EXPLICIT:0,INTEGER:1" >> openssl.cnf
+	echo "namelist=EXPLICIT:1,SEQUENCE:krb5basic$user" >> openssl.cnf
+
+	echo "[krb5basic$user]" >> openssl.cnf
+	count=0
+	for part in `echo "$user" | sed 's,/, ,g'` ; do
+		echo "$count.part=GeneralString:$part" >> openssl.cnf
+		count=`expr "$count" + 1`
+	done
+done
+
+# Create the data files for a new CA.
+if ! test -s ca.srl ; then
+	(dd if=/dev/urandom bs=8 count=1 2> /dev/null) | od -t x1c | head -n 1 | awk '{$1="00";OFS="";print}' > ca.srl
+else
+	echo "You already have a ca.srl file; not replacing."
+fi
+if ! test -s ca.db ; then
+	touch ca.db
+else
+	echo "You already have a ca.db file; not replacing."
+fi
+if ! test -s ca.db.attr ; then
+	touch ca.db.attr
+else
+	echo "You already have a ca.db.attr file; not replacing."
+fi
+
+# If we need a CA key, generate one.
+if ! test -s ca.key ; then
+	umask=`umask -p`
+	umask 077
+	keygen ca > ca.key 2> /dev/null
+	$umask
+else
+	echo "You already have a ca.key file; not replacing."
+	done=echo
+fi
+
+# If we need a CA certificate, generate one.
+if ! test -s ca.crt ; then
+	sed -i -e 's,^\[req_ca\]$,\[req\],g' `pwd`/openssl.cnf
+	openssl req -config `pwd`/openssl.cnf -new -key ca.key > ca.csr 2> /dev/null
+	sed -i -e 's,^\[req\]$,\[req_ca\],g' `pwd`/openssl.cnf
+	openssl x509 -extfile `pwd`/openssl.cnf -CAserial ca.srl -signkey ca.key -extensions v3_ca -req -in ca.csr -days $DAYS -out ca.crt ; : 2> /dev/null
+	openssl x509 -noout -text -in ca.crt > ca.txt
+	cat ca.crt >> ca.txt
+	cat ca.txt > ca.crt
+	rm ca.txt
+	cat ca.crt > ca.chain.crt
+else
+	echo "You already have a ca.crt file; not replacing."
+	done=echo
+fi
+
+# If we need an OCSP key, generate one.
+if ! test -s ocsp.key ; then
+	umask=`umask -p`
+	umask 077
+	keygen ocsp > ocsp.key 2> /dev/null
+	$umask
+else
+	echo "You already have an ocsp.key file; not replacing."
+	done=echo
+fi
+
+# Generate the OCSP signing cert.  Set the X.509v3 basic constraints and EKU.
+if ! test -s ocsp.crt ; then
+	sed -i -e 's,^\[req_ocsp\]$,\[req\],g' `pwd`/openssl.cnf
+	openssl req -config `pwd`/openssl.cnf -new -key ocsp.key > ocsp.csr 2> /dev/null
+	sed -i -e 's,^\[req\]$,\[req_ocsp\],g' `pwd`/openssl.cnf
+	openssl ca -batch -config `pwd`/openssl.cnf -extensions v3_ocsp -preserveDN -in ocsp.csr -days $DAYS -out ocsp.crt 2> /dev/null
+	openssl x509 -noout -text -in ocsp.crt > ocsp.txt
+	cat ocsp.crt >> ocsp.txt
+	cat ocsp.txt >  ocsp.crt
+	rm ocsp.txt
+else
+	echo "You already have an ocsp.crt file; not replacing."
+	done=echo
+fi
+
+# If we were told to revoke the certificate with the specified common name,
+# do so.
+if $revoke_cert ; then
+	openssl ca -config `pwd`/openssl.cnf -revoke "$commonname".crt
+fi
+
+# Always refresh the CRL.
+openssl ca -config `pwd`/openssl.cnf -gencrl ${CRLHOURS:+-crlhours ${CRLHOURS}} ${CRLDAYS:+-crldays ${CRLDAYS}} -out ca.crl.pem
+openssl crl -in ca.crl.pem -outform der -out ca.crl
+openssl crl -in ca.crl -inform der -noout -text > ca.crl.pem
+openssl crl -in ca.crl -inform der >> ca.crl.pem
+
+# If we were told to start up the mini OCSP server, do so.
+if $ocsp_serve ; then
+	openssl ocsp -text -index `pwd`/ca.db -CA `pwd`/ca.crt -rsigner `pwd`/ocsp.crt -rkey `pwd`/ocsp.key -rother `pwd`/ocsp.crt -port "`cut -f3 -d/ ca.ocsp.uri.txt | sed -r 's,(^[^:]*),0.0.0.0,g'`"
+	exit 0
+fi
+
+# If we're just here to do a revocation or refresh the CRL, we're done.
+if $revoke_cert || $refresh_crl ; then
+	exit 0
+fi
+
+# Create a new serial number and whatnot if this is a new sub-CA.
+if test "x$CA" = xTRUE ; then
+	if ! test -d "$commonname" ; then
+		mkdir "$commonname"
+	fi
+	if ! test -s "$commonname/ca.srl" ; then
+		(dd if=/dev/urandom bs=8 count=1 2> /dev/null) | od -t x1c | head -n 1 | awk '{$1="00";OFS="";print}' > "$commonname/ca.srl"
+	else
+		echo "You already have a $commonname/ca.srl file; not replacing."
+	fi
+	if test -n "$aia" ; then
+		echo -n "$aiaval" > "$commonname/ca.ocsp.uri.txt"
+	fi
+	if test -n "$crl" ; then
+		echo -n "$crlval" > "$commonname/ca.crldp.uri.txt"
+	fi
+	echo "$DOMAIN" > "$commonname/ca.domain.txt"
+	touch "$commonname/ca.db" "$commonname/ca.db.attr"
+	cert="$commonname/ca.crt"
+	csr="$commonname/ca.csr"
+	key="$commonname/ca.key"
+	pem="$commonname/ca.pem"
+	pfx="$commonname/ca.p12"
+	ln -s ../`basename $0` "$commonname"/
+else
+	cert="$commonname.crt"
+	csr="$commonname.csr"
+	key="$commonname.key"
+	pem="$commonname.pem"
+	pfx="$commonname.p12"
+fi
+
+# Generate the subject's certificate.  Set the X.509v3 basic constraints.
+if ! test -s "$cert" ; then
+	# Generate another key, unless we have a key or CSR.
+	if ! test -s "$key" && ! test -s "$csr" ; then
+		umask=`umask -p`
+		umask 077
+		keygen "$commonname" > "$key" 2> /dev/null
+		$umask
+	else
+		echo "You already have a $key or $csr file; not replacing."
+		done=echo
+	fi
+
+	if ! test -s "$csr" ; then
+		sed -i -e 's,^\[req_issued\]$,\[req\],g' `pwd`/openssl.cnf
+		openssl req -config `pwd`/openssl.cnf -new -key "$key" > "$csr" 2> /dev/null
+		sed -i -e 's,^\[req\]$,\[req_issued\],g' `pwd`/openssl.cnf
+	fi
+	openssl ca -batch -config `pwd`/openssl.cnf -extensions v3_issued -preserveDN -in "$csr" -days $DAYS -out "$cert" 2> /dev/null
+	openssl x509 -noout -text -in "$cert" > "$cert.txt"
+	cat "$cert" >> "$cert.txt"
+	cat "$cert.txt" > "$cert"
+	rm -f "$cert.txt"
+else
+	echo "You already have a $cert file; not replacing."
+	done=echo
+fi
+
+if test -s ca.chain.crt ; then
+	chain=ca.chain.crt
+else
+	chain=ca.crt
+fi
+if test "x$CA" = xTRUE ; then
+	cat "$chain" "$cert" > "$commonname/ca.chain.crt"
+fi
+
+# Create ca.pem and the subject's name.pem for the benefit of applications
+# which expect both the private key and the certificate in one file.
+umask=`umask -p`
+umask 077
+if ! test -s ca.pem ; then
+	cat ca.key ca.crt > ca.pem
+else
+	echo "You already have a ca.pem file; not replacing."
+	done=echo
+fi
+if ! test -s "$pem" ; then
+	cat "$key" "$cert" > "$pem"
+else
+	echo "You already have a $pem file; not replacing."
+	done=echo
+fi
+if ! test -s "$pfx" ; then
+	openssl pkcs12 -export -inkey "$key" -in "$cert" -name "$commonname" -out "$pfx" -nodes -passout pass:
+else
+	echo "You already have a $pfx file; not replacing."
+	done=echo
+fi
+$umask
+$done
+
+echo CA certificate:
+openssl x509 -noout -issuer  -in ca.crt | sed s,=\ ,\ ,g
+openssl x509 -noout -subject -in ca.crt | sed s,=\ ,\ ,g
+echo
+echo End entity certificate:
+openssl x509 -noout -issuer  -in "$cert" | sed s,=\ ,\ ,g
+openssl x509 -noout -subject -in "$cert" | sed s,=\ ,\ ,g
+openssl x509 -noout -serial  -in "$cert" | sed s,=,\ ,g
+echo
+echo PKCS12 bag:
+openssl pkcs12 -in "$pfx" -nodes -nokeys -nocerts -info -passin pass:
+echo
+echo Verifying:
+echo + openssl verify -CAfile "$chain" "$cert"
+openssl verify -CAfile "$chain" "$cert"
				`@@ -0,0 +1 @@`
				`V 170618165451Z 00 unknown /DC=com/DC=example/CN=OCSP Signer for Test Certifying CA`