From a6f7862ba728bcc2f8ac037dddfe84007a37e970 Mon Sep 17 00:00:00 2001
From: Andreas Metzler <ametzler@bebt.de>
Date: Sat, 28 Oct 2017 19:45:30 +0200
Subject: Make exim_monitor build reproducible.

Adapt changes to exim for SOURCE_DATE_EPOCH from exim
6e411084a29a7658f7bc88aa5a62ab9016c22c79 to exim_monitor.
---
 src/exim_monitor/em_version.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'src')

diff --git a/src/exim_monitor/em_version.c b/src/exim_monitor/em_version.c
index a2edbfe8a..8228f9467 100644
--- a/src/exim_monitor/em_version.c
+++ b/src/exim_monitor/em_version.c
@@ -10,6 +10,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "version.h"
+
 extern uschar *version_string;
 extern uschar *version_date;
 
@@ -21,6 +23,16 @@ uschar today[20];
 
 version_string = US"2.06";
 
+#ifdef EXIM_BUILD_DATE_OVERRIDE
+/* Reproducible build support; build tooling should have given us something looking like
+ * "25-Feb-2017 20:15:40" in EXIM_BUILD_DATE_OVERRIDE based on $SOURCE_DATE_EPOCH in environ
+ * per <https://reproducible-builds.org/specs/source-date-epoch/>
+ */
+version_date = US malloc(32);
+version_date[0] = 0;
+Ustrncat(version_date, EXIM_BUILD_DATE_OVERRIDE, 31);
+
+#else
 Ustrcpy(today, __DATE__);
 if (today[4] == ' ') i = 1;
 today[3] = today[6] = '-';
@@ -32,6 +44,7 @@ Ustrncat(version_date, today, 4);
 Ustrncat(version_date, today+7, 4);
 Ustrcat(version_date, " ");
 Ustrcat(version_date, __TIME__);
+#endif
 }
 
 /* End of em_version.c */
-- 
cgit v1.2.3


From 9650d98a07b2ad623c29fae2ff69ffd887ad4738 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Tue, 31 Oct 2017 15:31:50 +0000
Subject:     Add macro support to -be expansion test mode.  Bug 1623

---
 doc/doc-docbook/spec.xfpt            |   7 ++
 doc/doc-txt/NewStuff                 |   3 +
 src/src/exim.c                       |  73 +++++++----
 src/src/functions.h                  |   2 +
 src/src/readconf.c                   | 231 +++++++++++++++++++++--------------
 src/src/sieve.c                      |   1 +
 test/scripts/0000-Basic/0002         |  46 +++----
 test/scripts/0000-Basic/0542         |  10 +-
 test/scripts/3300-crypteq/3300       |  20 +--
 test/scripts/4200-International/4200 |   6 +-
 test/stderr/0002                     |  10 +-
 test/stderr/0236                     |   2 +-
 test/stderr/0387                     |   2 +-
 test/stderr/0484                     |   2 +-
 test/stderr/2200                     |   2 +-
 test/stderr/2600                     |   4 +-
 test/stderr/3000                     |   2 +-
 test/stderr/3212                     |   2 +-
 test/stdout/0002                     |  46 +++----
 test/stdout/0542                     |  10 +-
 test/stdout/3300                     |  20 +--
 test/stdout/4200                     |   6 +-
 22 files changed, 294 insertions(+), 213 deletions(-)

(limited to 'src')

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index a9a048ecb..13fcad724 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -2791,6 +2791,13 @@ files or databases you are using, you must exit and restart Exim before trying
 the same lookup again. Otherwise, because each Exim process caches the results
 of lookups, you will just get the same result as before.
 
+.new
+Macro processing is done on lines before string-expansion: new macros can be
+defined and macros will be expanded.
+Because macros in the config file are often used for secrets, those are only
+available to admin users.
+.wen
+
 .vitem &%-bem%&&~<&'filename'&>
 .oindex "&%-bem%&"
 .cindex "testing" "string expansion"
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 6d875d5f4..22af13554 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -61,6 +61,9 @@ Version 4.90
 15. TCP Fast Open used, with data-on-SYN, for client SMTP via SOCKS5 proxy,
     for ${readsocket } expansions, and for ClamAV.
 
+16. The "-be" expansion test mode now supports macros.  Macros are expanded
+    in test lines, and new macros can be defined.
+
 
 Version 4.89
 ------------
diff --git a/src/src/exim.c b/src/src/exim.c
index 7dd084534..d71af0ac4 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -1457,6 +1457,39 @@ return TRUE;
 }
 
 
+/*************************************************
+*          Expansion testing			 *
+*************************************************/
+
+/* Expand and print one item, doing macro-processing.
+
+Arguments:
+  item		line for expansion
+*/
+
+static void
+expansion_test_line(uschar * line)
+{
+int len;
+BOOL dummy_macexp;
+
+Ustrncpy(big_buffer, line, big_buffer_size);
+big_buffer[big_buffer_size-1] = '\0';
+len = Ustrlen(big_buffer);
+
+(void) macros_expand(0, &len, &dummy_macexp);
+
+if (isupper(big_buffer[0]))
+  {
+  if (macro_read_assignment(big_buffer))
+    printf("Defined macro '%s'\n", mlast->name);
+  }
+else
+  if ((line = expand_string(big_buffer))) printf("%s\n", CS line);
+  else printf("Failed: %s\n", expand_string_message);
+}
+
+
 /*************************************************
 *          Entry point and high-level code       *
 *************************************************/
@@ -4988,7 +5021,7 @@ if (expansion_test)
   /* Read a test message from a file. We fudge it up to be on stdin, saving
   stdin itself for later reading of expansion strings. */
 
-  else if (expansion_test_message != NULL)
+  else if (expansion_test_message)
     {
     int save_stdin = dup(0);
     int fd = Uopen(expansion_test_message, O_RDONLY, 0);
@@ -5008,6 +5041,10 @@ if (expansion_test)
     clearerr(stdin);               /* Required by Darwin */
     }
 
+  /* Only admin users may see config-file macros this way */
+
+  if (!admin_user) macros = mlast = NULL;
+
   /* Allow $recipients for this testing */
 
   enable_dollar_recipients = TRUE;
@@ -5015,15 +5052,8 @@ if (expansion_test)
   /* Expand command line items */
 
   if (recipients_arg < argc)
-    {
     while (recipients_arg < argc)
-      {
-      uschar *s = argv[recipients_arg++];
-      uschar *ss = expand_string(s);
-      if (ss == NULL) printf ("Failed: %s\n", expand_string_message);
-      else printf("%s\n", CS ss);
-      }
-    }
+      expansion_test_line(argv[recipients_arg++]);
 
   /* Read stdin */
 
@@ -5031,25 +5061,18 @@ if (expansion_test)
     {
     char *(*fn_readline)(const char *) = NULL;
     void (*fn_addhist)(const char *) = NULL;
+    uschar * s;
 
-    #ifdef USE_READLINE
+#ifdef USE_READLINE
     void *dlhandle = set_readline(&fn_readline, &fn_addhist);
-    #endif
+#endif
 
-    for (;;)
-      {
-      uschar *ss;
-      uschar *source = get_stdinput(fn_readline, fn_addhist);
-      if (source == NULL) break;
-      ss = expand_string(source);
-      if (ss == NULL)
-        printf ("Failed: %s\n", expand_string_message);
-      else printf("%s\n", CS ss);
-      }
+    while (s = get_stdinput(fn_readline, fn_addhist))
+      expansion_test_line(s);
 
-    #ifdef USE_READLINE
-    if (dlhandle != NULL) dlclose(dlhandle);
-    #endif
+#ifdef USE_READLINE
+    if (dlhandle) dlclose(dlhandle);
+#endif
     }
 
   /* The data file will be open after -Mset */
@@ -5060,7 +5083,7 @@ if (expansion_test)
     deliver_datafile = -1;
     }
 
-  exim_exit(EXIT_SUCCESS, US"main");
+  exim_exit(EXIT_SUCCESS, US"main: expansion test");
   }
 
 
diff --git a/src/src/functions.h b/src/src/functions.h
index 1fe561f56..e50fa6f92 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -257,6 +257,8 @@ extern int     log_create_as_exim(uschar *);
 extern void    log_close_all(void);
 
 extern macro_item * macro_create(const uschar *, const uschar *, BOOL);
+extern BOOL    macro_read_assignment(uschar *);
+extern uschar *macros_expand(int, int *, BOOL *);
 extern void    mainlog_close(void);
 #ifdef WITH_CONTENT_SCAN
 extern int     malware(const uschar *, int);
diff --git a/src/src/readconf.c b/src/src/readconf.c
index b34372c44..8d5f38c58 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -615,7 +615,10 @@ m->namelen = Ustrlen(name);
 m->replen = Ustrlen(val);
 m->name = name;
 m->replacement = val;
-mlast->next = m;
+if (mlast)
+  mlast->next = m;
+else
+  macros = m;
 mlast = m;
 return m;
 }
@@ -630,11 +633,11 @@ non-command line, macros is permitted using '==' instead of '='.
 Arguments:
   s            points to the start of the logical line
 
-Returns:       nothing
+Returns:       FALSE iff fatal error
 */
 
-static void
-read_macro_assignment(uschar *s)
+BOOL
+macro_read_assignment(uschar *s)
 {
 uschar name[64];
 int namelen = 0;
@@ -644,15 +647,21 @@ macro_item *m;
 while (isalnum(*s) || *s == '_')
   {
   if (namelen >= sizeof(name) - 1)
-    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+    {
+    log_write(0, LOG_PANIC|LOG_CONFIG_IN,
       "macro name too long (maximum is " SIZE_T_FMT " characters)", sizeof(name) - 1);
+    return FALSE;
+    }
   name[namelen++] = *s++;
   }
 name[namelen] = 0;
 
 while (isspace(*s)) s++;
 if (*s++ != '=')
-  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "malformed macro definition");
+  {
+  log_write(0, LOG_PANIC|LOG_CONFIG_IN, "malformed macro definition");
+  return FALSE;
+  }
 
 if (*s == '=')
   {
@@ -675,15 +684,21 @@ for (m = macros; m; m = m->next)
   if (Ustrcmp(m->name, name) == 0)
     {
     if (!m->command_line && !redef)
-      log_write(0, LOG_CONFIG|LOG_PANIC_DIE, "macro \"%s\" is already "
+      {
+      log_write(0, LOG_CONFIG|LOG_PANIC, "macro \"%s\" is already "
        "defined (use \"==\" if you want to redefine it", name);
+      return FALSE;
+      }
     break;
     }
 
   if (m->namelen < namelen && Ustrstr(name, m->name) != NULL)
-    log_write(0, LOG_CONFIG|LOG_PANIC_DIE, "\"%s\" cannot be defined as "
+    {
+    log_write(0, LOG_CONFIG|LOG_PANIC, "\"%s\" cannot be defined as "
       "a macro because previously defined macro \"%s\" is a substring",
       name, m->name);
+    return FALSE;
+    }
 
   /* We cannot have this test, because it is documented that a substring
   macro is permitted (there is even an example).
@@ -697,7 +712,7 @@ for (m = macros; m; m = m->next)
 
 /* Check for an overriding command-line definition. */
 
-if (m && m->command_line) return;
+if (m && m->command_line) return TRUE;
 
 /* Redefinition must refer to an existing macro. */
 
@@ -708,18 +723,119 @@ if (redef)
     m->replacement = string_copy(s);
     }
   else
-    log_write(0, LOG_CONFIG|LOG_PANIC_DIE, "can't redefine an undefined macro "
+    {
+    log_write(0, LOG_CONFIG|LOG_PANIC, "can't redefine an undefined macro "
       "\"%s\"", name);
+    return FALSE;
+    }
 
 /* We have a new definition. */
 else
   (void) macro_create(string_copy(name), string_copy(s), FALSE);
+return TRUE;
 }
 
 
 
 
 
+/* Process line for macros. The line is in big_buffer starting at offset len.
+Expand big_buffer if needed.  Handle definitions of new macros, and
+imacro expansions, rewriting the line in thw buffer.
+
+Arguments:
+ len		Offset in buffer of start of line
+ newlen		Pointer to offset of end of line, updated on return
+ macro_found	Pointer to return that a macro was expanded
+
+Return: pointer to first nonblank char in line
+*/
+
+uschar *
+macros_expand(int len, int * newlen, BOOL * macro_found)
+{
+uschar * ss = big_buffer + len;
+uschar * s;
+macro_item * m;
+
+/* Find the true start of the physical line - leading spaces are always
+ignored. */
+
+while (isspace(*ss)) ss++;
+
+/* Process the physical line for macros. If this is the start of the logical
+line, skip over initial text at the start of the line if it starts with an
+upper case character followed by a sequence of name characters and an equals
+sign, because that is the definition of a new macro, and we don't do
+replacement therein. */
+
+s = ss;
+if (len == 0 && isupper(*s))
+  {
+  while (isalnum(*s) || *s == '_') s++;
+  while (isspace(*s)) s++;
+  if (*s != '=') s = ss;          /* Not a macro definition */
+  }
+
+/* Skip leading chars which cannot start a macro name, to avoid multiple
+pointless rescans in Ustrstr calls. */
+
+while (*s && !isupper(*s) && *s != '_') s++;
+
+/* For each defined macro, scan the line (from after XXX= if present),
+replacing all occurrences of the macro. */
+
+*macro_found = FALSE;
+for (m = macros; m; m = m->next)
+  {
+  uschar * p, *pp;
+  uschar * t = s;
+
+  while ((p = Ustrstr(t, m->name)) != NULL)
+    {
+    int moveby;
+
+/* fprintf(stderr, "%s: matched '%s' in '%s'\n", __FUNCTION__, m->name, ss); */
+    /* Expand the buffer if necessary */
+
+    while (*newlen - m->namelen + m->replen + 1 > big_buffer_size)
+      {
+      int newsize = big_buffer_size + BIG_BUFFER_SIZE;
+      uschar *newbuffer = store_malloc(newsize);
+      memcpy(newbuffer, big_buffer, *newlen + 1);
+      p = newbuffer  + (p - big_buffer);
+      s = newbuffer  + (s - big_buffer);
+      ss = newbuffer + (ss - big_buffer);
+      t = newbuffer  + (t - big_buffer);
+      big_buffer_size = newsize;
+      store_free(big_buffer);
+      big_buffer = newbuffer;
+      }
+
+    /* Shuffle the remaining characters up or down in the buffer before
+    copying in the replacement text. Don't rescan the replacement for this
+    same macro. */
+
+    pp = p + m->namelen;
+    if ((moveby = m->replen - m->namelen) != 0)
+      {
+      memmove(p + m->replen, pp, (big_buffer + *newlen) - pp + 1);
+      *newlen += moveby;
+      }
+    Ustrncpy(p, m->replacement, m->replen);
+    t = p + m->replen;
+    while (*t && !isupper(*t) && *t != '_') t++;
+    *macro_found = TRUE;
+    }
+  }
+
+/* An empty macro replacement at the start of a line could mean that ss no
+longer points to the first non-blank character. */
+
+while (isspace(*ss)) ss++;
+return ss;
+}
+
 /*************************************************
 *            Read configuration line             *
 *************************************************/
@@ -749,7 +865,6 @@ int startoffset = 0;         /* To first non-blank char in logical line */
 int len = 0;                 /* Of logical line so far */
 int newlen;
 uschar *s, *ss;
-macro_item *m;
 BOOL macro_found;
 
 /* Loop for handling continuation lines, skipping comments, and dealing with
@@ -810,82 +925,7 @@ for (;;)
     newlen += Ustrlen(big_buffer + newlen);
     }
 
-  /* Find the true start of the physical line - leading spaces are always
-  ignored. */
-
-  ss = big_buffer + len;
-  while (isspace(*ss)) ss++;
-
-  /* Process the physical line for macros. If this is the start of the logical
-  line, skip over initial text at the start of the line if it starts with an
-  upper case character followed by a sequence of name characters and an equals
-  sign, because that is the definition of a new macro, and we don't do
-  replacement therein. */
-
-  s = ss;
-  if (len == 0 && isupper(*s))
-    {
-    while (isalnum(*s) || *s == '_') s++;
-    while (isspace(*s)) s++;
-    if (*s != '=') s = ss;          /* Not a macro definition */
-    }
-
-  /* Skip leading chars which cannot start a macro name, to avoid multiple
-  pointless rescans in Ustrstr calls. */
-
-  while (*s && !isupper(*s) && *s != '_') s++;
-
-  /* For each defined macro, scan the line (from after XXX= if present),
-  replacing all occurrences of the macro. */
-
-  macro_found = FALSE;
-  for (m = macros; m; m = m->next)
-    {
-    uschar * p, *pp;
-    uschar * t = s;
-
-    while ((p = Ustrstr(t, m->name)) != NULL)
-      {
-      int moveby;
-
-/* fprintf(stderr, "%s: matched '%s' in '%s'\n", __FUNCTION__, m->name, ss); */
-      /* Expand the buffer if necessary */
-
-      while (newlen - m->namelen + m->replen + 1 > big_buffer_size)
-        {
-        int newsize = big_buffer_size + BIG_BUFFER_SIZE;
-        uschar *newbuffer = store_malloc(newsize);
-        memcpy(newbuffer, big_buffer, newlen + 1);
-        p = newbuffer  + (p - big_buffer);
-        s = newbuffer  + (s - big_buffer);
-        ss = newbuffer + (ss - big_buffer);
-        t = newbuffer  + (t - big_buffer);
-        big_buffer_size = newsize;
-        store_free(big_buffer);
-        big_buffer = newbuffer;
-        }
-
-      /* Shuffle the remaining characters up or down in the buffer before
-      copying in the replacement text. Don't rescan the replacement for this
-      same macro. */
-
-      pp = p + m->namelen;
-      if ((moveby = m->replen - m->namelen) != 0)
-        {
-        memmove(p + m->replen, pp, (big_buffer + newlen) - pp + 1);
-        newlen += moveby;
-        }
-      Ustrncpy(p, m->replacement, m->replen);
-      t = p + m->replen;
-      while (*t && !isupper(*t) && *t != '_') t++;
-      macro_found = TRUE;
-      }
-    }
-
-  /* An empty macro replacement at the start of a line could mean that ss no
-  longer points to the first non-blank character. */
-
-  while (isspace(*ss)) ss++;
+  ss = macros_expand(len, &newlen, &macro_found);
 
   /* Check for comment lines - these are physical lines. */
 
@@ -3277,7 +3317,8 @@ while ((s = get_config_line()))
     log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
       "found unexpected BOM (Byte Order Mark)");
 
-  if (isupper(s[0])) read_macro_assignment(s);
+  if (isupper(s[0]))
+    { if (!macro_read_assignment(s)) exim_exit(EXIT_FAILURE, US""); }
 
   else if (Ustrncmp(s, "domainlist", 10) == 0)
     read_named_list(&domainlist_anchor, &domainlist_count,
@@ -3724,7 +3765,7 @@ while ((buffer = get_config_line()) != NULL)
       (d->info->init)(d);
       d = NULL;
       }
-    read_macro_assignment(buffer);
+    if (!macro_read_assignment(buffer)) exim_exit(EXIT_FAILURE, US"");
     continue;
     }
 
@@ -4225,7 +4266,7 @@ between ACLs. */
 
 acl_line = get_config_line();
 
-while(acl_line != NULL)
+while(acl_line)
   {
   uschar name[64];
   tree_node *node;
@@ -4234,7 +4275,7 @@ while(acl_line != NULL)
   p = readconf_readname(name, sizeof(name), acl_line);
   if (isupper(*name) && *p == '=')
     {
-    read_macro_assignment(acl_line);
+    if (!macro_read_assignment(acl_line)) exim_exit(EXIT_FAILURE, US"");
     acl_line = get_config_line();
     continue;
     }
@@ -4278,7 +4319,7 @@ log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "local_scan() options not supported: "
 #else
 
 uschar *p;
-while ((p = get_config_line()) != NULL)
+while ((p = get_config_line()))
   {
   (void) readconf_handle_option(p, local_scan_options, local_scan_options_count,
     NULL, US"local_scan option \"%s\" unknown");
@@ -4368,14 +4409,14 @@ while(next_section[0] != 0)
 void
 readconf_save_config(const uschar *s)
 {
-  save_config_line(string_sprintf("# Exim Configuration (%s)",
-    running_in_test_harness ? US"X" : s));
+save_config_line(string_sprintf("# Exim Configuration (%s)",
+  running_in_test_harness ? US"X" : s));
 }
 
 static void
 save_config_position(const uschar *file, int line)
 {
-  save_config_line(string_sprintf("# %d \"%s\"", line, file));
+save_config_line(string_sprintf("# %d \"%s\"", line, file));
 }
 
 /* Append a pre-parsed logical line to the config lines store,
diff --git a/src/src/sieve.c b/src/src/sieve.c
index f4ce58402..5d6b611c3 100644
--- a/src/src/sieve.c
+++ b/src/src/sieve.c
@@ -3381,6 +3381,7 @@ while (*filter->pc)
             {
             uschar *mime_body,*reason_end;
             static const uschar nlnl[]="\r\n\r\n";
+	    gstring * g;
 
             for
               (
diff --git a/test/scripts/0000-Basic/0002 b/test/scripts/0000-Basic/0002
index dd9cea255..27bf70806 100644
--- a/test/scripts/0000-Basic/0002
+++ b/test/scripts/0000-Basic/0002
@@ -198,7 +198,7 @@ base32d: 32 ${base32d:${base32:32}}
 base32d: 42 ${base32d:${base32:42}}
 base32d error: ABC ${base32d:ABC}
 
-The base62 operator is actually a base36 operator in the Darwin and Cygwin
+the base62 operator is actually a base36 operator in the Darwin and Cygwin
 environments. Write cunning tests that produce the same output in both cases,
 while doing a reasonable check.
 
@@ -531,8 +531,8 @@ abc:   ${lookup{abc}wildlsearch{DIR/aux-var/0002.wild}}
 a.b.c: ${lookup{a.b.c}wildlsearch{DIR/aux-var/0002.wild}}
 ab.c:  ${lookup{ab.c}wildlsearch{DIR/aux-var/0002.wild}}
 xyz:   ${lookup{xyz}wildlsearch{DIR/aux-var/0002.wild}}
-Xyz:   ${lookup{Xyz}wildlsearch{DIR/aux-var/0002.wild}}
-Zyz:   ${lookup{Zyz}wildlsearch{DIR/aux-var/0002.wild}}
+.Xyz:   ${lookup{Xyz}wildlsearch{DIR/aux-var/0002.wild}}
+.Zyz:   ${lookup{Zyz}wildlsearch{DIR/aux-var/0002.wild}}
 a b:   ${lookup{a b}wildlsearch{DIR/aux-var/0002.wild}}
 a  b:  ${lookup{a  b}wildlsearch{DIR/aux-var/0002.wild}}
 a:b:   ${lookup{a:b}wildlsearch{DIR/aux-var/0002.wild}}
@@ -547,8 +547,8 @@ abc:   ${lookup{abc}nwildlsearch{DIR/aux-var/0002.wild}}
 a.b.c: ${lookup{a.b.c}nwildlsearch{DIR/aux-var/0002.wild}}
 ab.c:  ${lookup{ab.c}nwildlsearch{DIR/aux-var/0002.wild}}
 xyz:   ${lookup{xyz}nwildlsearch{DIR/aux-var/0002.wild}}
-Xyz:   ${lookup{Xyz}nwildlsearch{DIR/aux-var/0002.wild}}
-Zyz:   ${lookup{Zyz}nwildlsearch{DIR/aux-var/0002.wild}}
+.Xyz:   ${lookup{Xyz}nwildlsearch{DIR/aux-var/0002.wild}}
+.Zyz:   ${lookup{Zyz}nwildlsearch{DIR/aux-var/0002.wild}}
 a b:   ${lookup{a b}nwildlsearch{DIR/aux-var/0002.wild}}
 a  b:  ${lookup{a  b}nwildlsearch{DIR/aux-var/0002.wild}}
 a:b:   ${lookup{a:b}nwildlsearch{DIR/aux-var/0002.wild}}
@@ -567,10 +567,10 @@ a\\:Xb: ${lookup{a\\:Xb}nwildlsearch{DIR/aux-var/0002.wild}}
 
 # Some tests of case-(in)dependence
 
-MiXeD-CD:  ${lookup{MiXeD-CD}nwildlsearch{DIR/aux-var/0002.wild}{$value}{NOT FOUND}}
-MixeD-CD:  ${lookup{MixeD-CD}nwildlsearch{DIR/aux-var/0002.wild}{$value}{NOT FOUND}}
-MiXeD-Ncd: ${lookup{MiXeD-Ncd}nwildlsearch{DIR/aux-var/0002.wild}{$value}{NOT FOUND}}
-MixeD-Ncd: ${lookup{MixeD-Ncd}nwildlsearch{DIR/aux-var/0002.wild}{$value}{NOT FOUND}}
+.MiXeD-CD:  ${lookup{MiXeD-CD}nwildlsearch{DIR/aux-var/0002.wild}{$value}{NOT FOUND}}
+.MixeD-CD:  ${lookup{MixeD-CD}nwildlsearch{DIR/aux-var/0002.wild}{$value}{NOT FOUND}}
+.MiXeD-Ncd: ${lookup{MiXeD-Ncd}nwildlsearch{DIR/aux-var/0002.wild}{$value}{NOT FOUND}}
+.MixeD-Ncd: ${lookup{MixeD-Ncd}nwildlsearch{DIR/aux-var/0002.wild}{$value}{NOT FOUND}}
 
 # IP address (CIDR) lookups
 
@@ -614,12 +614,12 @@ ${extract{B}{A=1 B=2 C=3}}
 ${extract{ B }{A=1 B=2 C=3}{$value}{NOT FOUND}}
 ${extract{2}{:}{1:2:3}}
 ${extract{ 2 }{:}{1:2:3}{$value}{NOT FOUND}}
-Empty:<${extract{D}{A=1 B=2 C=3}}>
-Empty:<${extract{4}{:}{1:2:3}}>
+empty:<${extract{D}{A=1 B=2 C=3}}>
+empty:<${extract{4}{:}{1:2:3}}>
 ${extract{C}{A=1 B=2 C=3}{<$value>}}
 ${extract{3}{:}{1:2:3}{<$value>}}
-Empty:<${extract{Z}{A=1 B=2 C=3}{<$value>}}>
-Empty:<${extract{4}{:}{1:2:3}{<$value>}}>
+empty:<${extract{Z}{A=1 B=2 C=3}{<$value>}}>
+empty:<${extract{4}{:}{1:2:3}{<$value>}}>
 ${extract{Z}{A=1 B=2 C=3}{<$value>}{no Z}}
 ${extract{4}{:}{1:2:3}{<$value>}{no 4}}
 ${extract{Z}{A=1 B=2 C=3}{<$value>}fail}
@@ -698,8 +698,8 @@ abcdea abc z   ${tr{abcdea}{abc}{z}}
 abcd      ${rfc2047:abcd}
 <:abcd:>  ${rfc2047:<:abcd:>}
 <:ab cd:> ${rfc2047:<:ab cd:>}
-Long:     ${rfc2047: here we go: a string that is going to be encoded: it will go over the 75-char limit}
-Long:     ${rfc2047: here we go: a string that is going to be encoded: it will go over the 75-char limit by a long way; in fact this one will go over the 150 character limit}
+long:     ${rfc2047: here we go: a string that is going to be encoded: it will go over the 75-char limit}
+long:     ${rfc2047: here we go: a string that is going to be encoded: it will go over the 75-char limit by a long way; in fact this one will go over the 150 character limit}
 
 # RFC 2047 decode
 
@@ -739,21 +739,21 @@ ${if exists{/non/exist/file}{${readfile{/non/exist/file}}}{non-exist}}
 # Calling a command
 
 ${run{DIR/aux-fixed/0002.runfile 0}}
-RC=$runrc
+rc=$runrc
 ${run{DIR/aux-fixed/0002.runfile 0}{1}{2}}
-RC=$runrc
+rc=$runrc
 ${run{DIR/aux-fixed/0002.runfile 0}{$value}{2}}
-RC=$runrc
+rc=$runrc
 ${run{DIR/aux-fixed/0002.runfile 1}{$value}{2}}
-RC=$runrc
+rc=$runrc
 ${run{DIR/aux-fixed/0002.runfile 1}{$value}{$value}}
-RC=$runrc
+rc=$runrc
 ${run{DIR/test-nonexist}{Y}{N}}
-RC=$runrc
+rc=$runrc
 >>${run{DIR/bin/iefbr14}}<<
-RC=$runrc
+rc=$runrc
 ${if eq{1}{2}{${run{/non/exist}}}{1!=2}}
-RC=$runrc
+rc=$runrc
 
 # PRVS
 
diff --git a/test/scripts/0000-Basic/0542 b/test/scripts/0000-Basic/0542
index 0c6362bde..1c8c03b5f 100644
--- a/test/scripts/0000-Basic/0542
+++ b/test/scripts/0000-Basic/0542
@@ -7,13 +7,15 @@ Subject: The subject is not the object
 This is the body of the message. Make the line longer than any header.
 ****
 sudo exim -be -Mset $msg1
-From: $h_from:
-Subject: $h_subject:
+from: $h_from:
+subject: $h_subject:
 message_body_size=$message_body_size
 message_id=$message_id
 message_exim_id=$message_exim_id
 max_received_linelength=$max_received_linelength
 recipients=$recipients
+TESTING_MACROS=$recipients
+(TESTING_MACROS)
 ****
 exim -bs
 mail from:<userz@test.ex>
@@ -29,8 +31,8 @@ This is the body of the message. Make the line much longer than any header.
 quit
 ****
 sudo exim -be -Mset $msg2
-From: $h_from:
-Subject: $h_subject:
+from: $h_from:
+subject: $h_subject:
 message_body_size=$message_body_size
 message_id=$message_id
 message_exim_id=$message_exim_id
diff --git a/test/scripts/3300-crypteq/3300 b/test/scripts/3300-crypteq/3300
index bd4dfccd2..2ca0fdd12 100644
--- a/test/scripts/3300-crypteq/3300
+++ b/test/scripts/3300-crypteq/3300
@@ -1,11 +1,11 @@
 # crypteq expansions
 
 exim -be
-BadCrypt: ${if crypteq{MySecret}{}{yes}{no}}
-MySecret: ${if crypteq{MySecret}{azrazPWCQJhyg}{yes}{no}}
-MySecret: ${if crypteq{MySecret}{aarazPWCQJhyg}{yes}{no}}
-MySecret: ${if crypteq{MySecret}{\{crypt\}azrazPWCQJhyg}{yes}{no}}
-MySecret: ${if crypteq{MySecret}{\{CRYPT\}zzrazPWCQJhyg}{yes}{no}}
+badCrypt: ${if crypteq{MySecret}{}{yes}{no}}
+mySecret: ${if crypteq{MySecret}{azrazPWCQJhyg}{yes}{no}}
+mySecret: ${if crypteq{MySecret}{aarazPWCQJhyg}{yes}{no}}
+mySecret: ${if crypteq{MySecret}{\{crypt\}azrazPWCQJhyg}{yes}{no}}
+mySecret: ${if crypteq{MySecret}{\{CRYPT\}zzrazPWCQJhyg}{yes}{no}}
 
 crypt16: ${if crypteq{MySecret}{\{crypt16\}azrazPWCQJhyg}{yes}{no}}
 crypt16: ${if crypteq{MySecretRhubarb}{\{crypt\}azrazPWCQJhyg}{yes}{no}}
@@ -26,9 +26,9 @@ abd:  ${if crypteq{abd}{\{sha1\}A9993E364706816ABA3E25717850C26C9CD0D89D}{yes}{n
 
 # Combinations
 
-Y:      ${if and {{crypteq{MySecret}{azrazPWCQJhyg}}{exists{/etc/passwd}}}{Y}{N}}
-Y:      ${if or  {{crypteq{MySecret}{azrazQWCQJhyg}}{exists{/etc/passwd}}}{Y}{N}}
-Y:      ${if or  {{crypteq{MySecret}{azrazPWCQJhyg}}{exists{/etc/pxsswd}}}{Y}{N}}
-N:      ${if or  {{crypteq{MySecret}{azrazQWCQJhyg}}{exists{/etc/pxsswd}}}{Y}{N}}
-N:      ${if and {{crypteq{MySecret}{azrazQWCQJhyg}}{exists{/etc/passwd}}}{Y}{N}}
+y:      ${if and {{crypteq{MySecret}{azrazPWCQJhyg}}{exists{/etc/passwd}}}{Y}{N}}
+y:      ${if or  {{crypteq{MySecret}{azrazQWCQJhyg}}{exists{/etc/passwd}}}{Y}{N}}
+y:      ${if or  {{crypteq{MySecret}{azrazPWCQJhyg}}{exists{/etc/pxsswd}}}{Y}{N}}
+n:      ${if or  {{crypteq{MySecret}{azrazQWCQJhyg}}{exists{/etc/pxsswd}}}{Y}{N}}
+n:      ${if and {{crypteq{MySecret}{azrazQWCQJhyg}}{exists{/etc/passwd}}}{Y}{N}}
 ****
diff --git a/test/scripts/4200-International/4200 b/test/scripts/4200-International/4200
index 81fbae865..b22094c08 100644
--- a/test/scripts/4200-International/4200
+++ b/test/scripts/4200-International/4200
@@ -124,13 +124,13 @@ conversion: ${utf8_domain_from_alabel:german.xn--strae-oqa.de}
 imapfolder conversions:
 
 ${imapfolder {Foo/Bar}}
-Foo.Bar
+.  Foo.Bar
 
 ${imapfolder {Foo/Bar} {.} {/}}
-Foo&AC8-Bar
+.  Foo&AC8-Bar
 
 ${imapfolder{Räksmörgås}}
-R&AOQ-ksm&APY-rg&AOU-s
+.  R&AOQ-ksm&APY-rg&AOU-s
 
 
 ****
diff --git a/test/stderr/0002 b/test/stderr/0002
index 8bf8f886f..7f9a50999 100644
--- a/test/stderr/0002
+++ b/test/stderr/0002
@@ -78,9 +78,9 @@ LOG: MAIN PANIC
   ┌considering: no}}
   ├──expanding: no
   └─────result: no
- ├──expanding: match_address:   ${if match_address{a.b.c}{a.b.c}{yes}{no}}
+ ├──expanding: a.b.c
  └─────result: match_address:   no
->>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
+>>>>>>>>>>>>>>>> Exim pid=pppp (main: expansion test) terminating with rc=0 >>>>>>>>>>>>>>>>
 Exim version x.yz ....
 configuration file is TESTSUITE/test-config
 admin user
@@ -111,7 +111,7 @@ admin user
  ┌considering: -oMt  sender_ident = $sender_ident
  ├──expanding: -oMt  sender_ident = $sender_ident
  └─────result: -oMt  sender_ident = me
->>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
+>>>>>>>>>>>>>>>> Exim pid=pppp (main: expansion test) terminating with rc=0 >>>>>>>>>>>>>>>>
 1999-03-02 09:44:33 no host name found for IP address V4NET.11.12.13
 Exim version x.yz ....
 configuration file is TESTSUITE/test-config
@@ -171,7 +171,7 @@ sender_rcvhost = ten-1.test.ex ([V4NET.0.0.1] ident=me)
  ┌considering: -oMt  sender_ident = $sender_ident
  ├──expanding: -oMt  sender_ident = $sender_ident
  └─────result: -oMt  sender_ident = me
->>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
+>>>>>>>>>>>>>>>> Exim pid=pppp (main: expansion test) terminating with rc=0 >>>>>>>>>>>>>>>>
 Exim version x.yz ....
 changed uid/gid: forcing real = effective
   uid=uuuu gid=CALLER_GID pid=pppp
@@ -425,4 +425,4 @@ sender address = CALLER@myhost.test.ex
 1.2.3.4 in "1.2.3"? no (malformed IPv4 address or address mask)
 1.2.3.4 in "1.2.3.4/abc"? no (malformed IPv4 address or address mask)
 search_tidyup called
->>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
+>>>>>>>>>>>>>>>> Exim pid=pppp (main: expansion test) terminating with rc=0 >>>>>>>>>>>>>>>>
diff --git a/test/stderr/0236 b/test/stderr/0236
index f51e4e8cf..996fa2a47 100644
--- a/test/stderr/0236
+++ b/test/stderr/0236
@@ -1,3 +1,3 @@
-LOG: PANIC DIE
+LOG: PANIC
   Exim configuration error in line 10 of TESTSUITE/test-config:
   macro name too long (maximum is 63 characters)
diff --git a/test/stderr/0387 b/test/stderr/0387
index 0d0d319ce..12d73e5a9 100644
--- a/test/stderr/0387
+++ b/test/stderr/0387
@@ -434,4 +434,4 @@ cached data used for lookup of *.b.c
   in TESTSUITE/aux-fixed/0387.1
 lookup yielded: [*.b.c]
 search_tidyup called
->>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
+>>>>>>>>>>>>>>>> Exim pid=pppp (main: expansion test) terminating with rc=0 >>>>>>>>>>>>>>>>
diff --git a/test/stderr/0484 b/test/stderr/0484
index dbf8f66bf..874ac06e2 100644
--- a/test/stderr/0484
+++ b/test/stderr/0484
@@ -129,4 +129,4 @@ cached data used for lookup of root
   in TESTSUITE/aux-fixed/0484.aliases
 lookup yielded: userx
 search_tidyup called
->>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
+>>>>>>>>>>>>>>>> Exim pid=pppp (main: expansion test) terminating with rc=0 >>>>>>>>>>>>>>>>
diff --git a/test/stderr/2200 b/test/stderr/2200
index 72aad3d26..4b9d87c16 100644
--- a/test/stderr/2200
+++ b/test/stderr/2200
@@ -20,7 +20,7 @@ internal_search_find: file="NULL"
 cached data used for lookup of a=localhost.test.ex
 lookup yielded: 127.0.0.1
 search_tidyup called
->>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
+>>>>>>>>>>>>>>>> Exim pid=pppp (main: expansion test) terminating with rc=0 >>>>>>>>>>>>>>>>
 Exim version x.yz ....
 configuration file is TESTSUITE/test-config
 admin user
diff --git a/test/stderr/2600 b/test/stderr/2600
index 1ea06926f..cdb2409b8 100644
--- a/test/stderr/2600
+++ b/test/stderr/2600
@@ -103,7 +103,7 @@ file lookup required for select * from them where name='it''s';
   in TESTSUITE/aux-fixed/sqlitedb
 lookup yielded: name=it's id=its 
 search_tidyup called
->>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
+>>>>>>>>>>>>>>>> Exim pid=pppp (main: expansion test) terminating with rc=0 >>>>>>>>>>>>>>>>
 Exim version x.yz ....
 changed uid/gid: forcing real = effective
   uid=uuuu gid=CALLER_GID pid=pppp
@@ -491,4 +491,4 @@ file lookup required for select name from them where id='userx';
   in TESTSUITE/aux-fixed/sqlitedb
 lookup yielded: Ayen Other
 search_tidyup called
->>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
+>>>>>>>>>>>>>>>> Exim pid=pppp (main: expansion test) terminating with rc=0 >>>>>>>>>>>>>>>>
diff --git a/test/stderr/3000 b/test/stderr/3000
index 17f48ab73..3f8338b67 100644
--- a/test/stderr/3000
+++ b/test/stderr/3000
@@ -41,7 +41,7 @@ LOG: MAIN
   log from Perl
  ├──expanding: ${perl{log_write}{log from Perl}}
  └─────result: Wrote log
->>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
+>>>>>>>>>>>>>>>> Exim pid=pppp (main: expansion test) terminating with rc=0 >>>>>>>>>>>>>>>>
 LOG: smtp_connection MAIN
   SMTP connection from CALLER
 LOG: MAIN
diff --git a/test/stderr/3212 b/test/stderr/3212
index 31c81e3b2..0b6c74464 100644
--- a/test/stderr/3212
+++ b/test/stderr/3212
@@ -133,4 +133,4 @@ cached data used for lookup of root
   in TESTSUITE/aux-fixed/3212.aliases
 lookup yielded: userx
 search_tidyup called
->>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
+>>>>>>>>>>>>>>>> Exim pid=pppp (main: expansion test) terminating with rc=0 >>>>>>>>>>>>>>>>
diff --git a/test/stdout/0002 b/test/stdout/0002
index 1422289a7..c7f8cce80 100644
--- a/test/stdout/0002
+++ b/test/stdout/0002
@@ -189,7 +189,7 @@ newline	tab\134backslash ~tilde\177DEL\200\201.
 > base32d: 42 42
 > Failed: argument for base32d operator is "ABC", which is not a base 32 number
 > 
-> The base62 operator is actually a base36 operator in the Darwin and Cygwin
+> the base62 operator is actually a base36 operator in the Darwin and Cygwin
 > environments. Write cunning tests that produce the same output in both cases,
 > while doing a reasonable check.
 > 
@@ -495,8 +495,8 @@ newline	tab\134backslash ~tilde\177DEL\200\201.
 > a.b.c: *.b.c
 > ab.c:  *b.c
 > xyz:   ^X
-> Xyz:   ^X
-> Zyz:   ^Z
+> .Xyz:   ^X
+> .Zyz:   ^Z
 > a b:   "^a +b"
 > a  b:  "^a +b"
 > a:b:   lookup succeeded
@@ -511,8 +511,8 @@ newline	tab\134backslash ~tilde\177DEL\200\201.
 > a.b.c: *.b.c
 > ab.c:  *b.c
 > xyz:   ^X
-> Xyz:   ^X
-> Zyz:   ^Z
+> .Xyz:   ^X
+> .Zyz:   ^Z
 > a b:   "^a +b"
 > a  b:  "^a +b"
 > a:b:   lookup succeeded
@@ -531,10 +531,10 @@ newline	tab\134backslash ~tilde\177DEL\200\201.
 > 
 > # Some tests of case-(in)dependence
 > 
-> MiXeD-CD:  Data found for case-dependent MiXeD-CD
-> MixeD-CD:  NOT FOUND
-> MiXeD-Ncd: Data found for case-independent MiXeD-nCD
-> MixeD-Ncd: Data found for case-independent MiXeD-nCD
+> .MiXeD-CD:  Data found for case-dependent MiXeD-CD
+> .MixeD-CD:  NOT FOUND
+> .MiXeD-Ncd: Data found for case-independent MiXeD-nCD
+> .MixeD-Ncd: Data found for case-independent MiXeD-nCD
 > 
 > # IP address (CIDR) lookups
 > 
@@ -578,12 +578,12 @@ newline	tab\134backslash ~tilde\177DEL\200\201.
 > 2
 > 2
 > 2
-> Empty:<>
-> Empty:<>
+> empty:<>
+> empty:<>
 > <3>
 > <3>
-> Empty:<>
-> Empty:<>
+> empty:<>
+> empty:<>
 > no Z
 > no 4
 > Failed: "extract" failed and "fail" requested
@@ -662,8 +662,8 @@ newline	tab\134backslash ~tilde\177DEL\200\201.
 > abcd      abcd
 > <:abcd:>  =?iso-8859-8?Q?=3C=3Aabcd=3A=3E?=
 > <:ab cd:> =?iso-8859-8?Q?=3C=3Aab_cd=3A=3E?=
-> Long:     =?iso-8859-8?Q?_here_we_go=3A_a_string_that_is_going_to_be_encoded=3A_?= =?iso-8859-8?Q?it_will_go_over_the_75-char_limit?=
-> Long:     =?iso-8859-8?Q?_here_we_go=3A_a_string_that_is_going_to_be_encoded=3A_?= =?iso-8859-8?Q?it_will_go_over_the_75-char_limit_by_a_long_way=3B_in?= =?iso-8859-8?Q?_fact_this_one_will_go_over_the_150_character_limit?=
+> long:     =?iso-8859-8?Q?_here_we_go=3A_a_string_that_is_going_to_be_encoded=3A_?= =?iso-8859-8?Q?it_will_go_over_the_75-char_limit?=
+> long:     =?iso-8859-8?Q?_here_we_go=3A_a_string_that_is_going_to_be_encoded=3A_?= =?iso-8859-8?Q?it_will_go_over_the_75-char_limit_by_a_long_way=3B_in?= =?iso-8859-8?Q?_fact_this_one_will_go_over_the_150_character_limit?=
 > 
 > # RFC 2047 decode
 > 
@@ -708,25 +708,25 @@ xyz
 > abcd
 1234
 
-> RC=0
+> rc=0
 > 1
-> RC=0
+> rc=0
 > abcd
 1234
 
-> RC=0
+> rc=0
 > 2
-> RC=1
+> rc=1
 > abcd
 1234
 
-> RC=1
+> rc=1
 > N
-> RC=127
+> rc=127
 > >><<
-> RC=0
+> rc=0
 > 1!=2
-> RC=0
+> rc=0
 > 
 > # PRVS
 > 
diff --git a/test/stdout/0542 b/test/stdout/0542
index ab29dc9c0..ce255a744 100644
--- a/test/stdout/0542
+++ b/test/stdout/0542
@@ -1,10 +1,12 @@
-> From: Himself <himself@there.tld>
-> Subject: The subject is not the object
+> from: Himself <himself@there.tld>
+> subject: The subject is not the object
 > message_body_size=71
 > message_id=10HmaX-0005vi-00
 > message_exim_id=10HmaX-0005vi-00
 > max_received_linelength=70
 > recipients=userx@test.x, usery@test.ex
+> Defined macro 'TESTING_MACROS'
+> (userx@test.x, usery@test.ex)
 > 
 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
 250 OK
@@ -13,8 +15,8 @@
 354 Enter message, ending with "." on a line by itself
 250 OK id=10HmaY-0005vi-00
 221 myhost.test.ex closing connection
-> From: Himself <himself@there.tld>
-> Subject: The subject is not the object
+> from: Himself <himself@there.tld>
+> subject: The subject is not the object
 > message_body_size=76
 > message_id=10HmaY-0005vi-00
 > message_exim_id=10HmaY-0005vi-00
diff --git a/test/stdout/3300 b/test/stdout/3300
index 1859bb184..e12e7c319 100644
--- a/test/stdout/3300
+++ b/test/stdout/3300
@@ -1,8 +1,8 @@
-> BadCrypt: no
-> MySecret: yes
-> MySecret: no
-> MySecret: yes
-> MySecret: no
+> badCrypt: no
+> mySecret: yes
+> mySecret: no
+> mySecret: yes
+> mySecret: no
 > 
 > crypt16: yes
 > crypt16: yes
@@ -23,9 +23,9 @@
 > 
 > # Combinations
 > 
-> Y:      Y
-> Y:      Y
-> Y:      Y
-> N:      N
-> N:      N
+> y:      Y
+> y:      Y
+> y:      Y
+> n:      N
+> n:      N
 > 
diff --git a/test/stdout/4200 b/test/stdout/4200
index af39676df..ac02d8f22 100644
--- a/test/stdout/4200
+++ b/test/stdout/4200
@@ -98,13 +98,13 @@
 > imapfolder conversions:
 > 
 > Foo.Bar
-> Foo.Bar
+> .  Foo.Bar
 > 
 > Foo&AC8-Bar
-> Foo&AC8-Bar
+> .  Foo&AC8-Bar
 > 
 > R&AOQ-ksm&APY-rg&AOU-s
-> R&AOQ-ksm&APY-rg&AOU-s
+> .  R&AOQ-ksm&APY-rg&AOU-s
 > 
 > 
 > 
-- 
cgit v1.2.3


From 3c4f5ec5cb933fa4f414ad5b11f7321c5e16fed6 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Tue, 31 Oct 2017 16:31:34 +0000
Subject: Lose extraneous line Broken-by: 9650d98a07

---
 src/src/sieve.c | 1 -
 1 file changed, 1 deletion(-)

(limited to 'src')

diff --git a/src/src/sieve.c b/src/src/sieve.c
index 5d6b611c3..f4ce58402 100644
--- a/src/src/sieve.c
+++ b/src/src/sieve.c
@@ -3381,7 +3381,6 @@ while (*filter->pc)
             {
             uschar *mime_body,*reason_end;
             static const uschar nlnl[]="\r\n\r\n";
-	    gstring * g;
 
             for
               (
-- 
cgit v1.2.3


From 983da87847289c7f5373e4d5933d379f211b7613 Mon Sep 17 00:00:00 2001
From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
Date: Wed, 1 Nov 2017 07:45:14 +0100
Subject: Add --version to all installed Perl and Shell scripts.

This option outputs the build info, and for Perl scripts it additionally
outputs the Perl version that is running the current script.
---
 src/OS/Makefile-Base         | 79 ++++++++++++++++++++++++++++++--------------
 src/src/convert4r3.src       | 12 +++++++
 src/src/convert4r4.src       | 12 +++++++
 src/src/exicyclog.src        |  5 +++
 src/src/exigrep.src          |  7 ++++
 src/src/exim_checkaccess.src |  8 +++++
 src/src/eximon.src           |  7 ++++
 src/src/eximstats.src        |  8 +++++
 src/src/exinext.src          |  7 ++++
 src/src/exipick.src          |  9 ++++-
 src/src/exiqgrep.src         |  9 +++++
 src/src/exiqsumm.src         |  8 +++++
 src/src/exiwhat.src          |  7 ++++
 src/src/transport-filter.src |  8 +++++
 14 files changed, 161 insertions(+), 25 deletions(-)

(limited to 'src')

diff --git a/src/OS/Makefile-Base b/src/OS/Makefile-Base
index d64ed549f..dcd87c29c 100644
--- a/src/OS/Makefile-Base
+++ b/src/OS/Makefile-Base
@@ -36,9 +36,9 @@ FE       = $(FULLECHO)
 # are set up, and finally it goes to the main Exim target.
 
 all:       utils exim
-config:    $(EDITME) checklocalmake Makefile os.c config.h version.h macro.c
+config:    $(EDITME) checklocalmake Makefile os.c config.h version.h version.sh macro.c
 
-checklocalmake: 
+checklocalmake:
 	@if $(SHELL) $(SCRIPTS)/newer $(EDITME)-$(OSTYPE) $(EDITME) || \
 	  $(SHELL) $(SCRIPTS)/newer $(EDITME)-$(ARCHTYPE) $(EDITME) || \
 	  $(SHELL) $(SCRIPTS)/newer $(EDITME)-$(OSTYPE)-$(ARCHTYPE) $(EDITME); \
@@ -260,7 +260,7 @@ buildconfig: buildconfig.c
 # Target for the exicyclog utility script
 exicyclog: config ../src/exicyclog.src
 	@rm -f exicyclog
-	@sed \
+	@. ./version.sh && sed \
 	  -e "s?PROCESSED_FLAG?This file has been so processed.?"\
 	  -e "/^# /p" \
 	  -e "/^# /d" \
@@ -277,6 +277,8 @@ exicyclog: config ../src/exicyclog.src
 	  -e "s?MV_COMMAND?$(MV_COMMAND)?" \
 	  -e "s?RM_COMMAND?$(RM_COMMAND)?" \
 	  -e "s?TOUCH_COMMAND?$(TOUCH_COMMAND)?" \
+	  -e "s?EXIM_RELEASE_VERSION?$${EXIM_RELEASE_VERSION}?" \
+	  -e "s?EXIM_VARIANT_VERSION?$${EXIM_VARIANT_VERSION}?" \
 	  ../src/exicyclog.src > exicyclog-t
 	@mv exicyclog-t exicyclog
 	@chmod a+x exicyclog
@@ -285,13 +287,15 @@ exicyclog: config ../src/exicyclog.src
 # Target for the exinext utility script
 exinext: config ../src/exinext.src
 	@rm -f exinext
-	@sed \
+	@. ./version.sh && sed \
 	  -e "s?PROCESSED_FLAG?This file has been so processed.?"\
 	  -e "/^# /p" \
 	  -e "/^# /d" \
 	  -e "s?CONFIGURE_FILE_USE_NODE?$(CONFIGURE_FILE_USE_NODE)?" \
 	  -e "s?CONFIGURE_FILE?$(CONFIGURE_FILE)?" \
 	  -e "s?BIN_DIRECTORY?$(BIN_DIRECTORY)?" \
+	  -e "s?EXIM_RELEASE_VERSION?$${EXIM_RELEASE_VERSION}?" \
+	  -e "s?EXIM_VARIANT_VERSION?$${EXIM_VARIANT_VERSION}?" \
 	  ../src/exinext.src > exinext-t
 	@mv exinext-t exinext
 	@chmod a+x exinext
@@ -300,7 +304,7 @@ exinext: config ../src/exinext.src
 # Target for the exiwhat utility script
 exiwhat: config ../src/exiwhat.src
 	@rm -f exiwhat
-	@sed \
+	@. ./version.sh && sed \
 	  -e "s?PROCESSED_FLAG?This file has been so processed.?"\
 	  -e "/^# /p" \
 	  -e "/^# /d" \
@@ -313,6 +317,8 @@ exiwhat: config ../src/exiwhat.src
 	  -e "s?EXIWHAT_EGREP_ARG?$(EXIWHAT_EGREP_ARG)?" \
 	  -e "s?EXIWHAT_MULTIKILL_CMD?$(EXIWHAT_MULTIKILL_CMD)?" \
 	  -e "s?EXIWHAT_MULTIKILL_ARG?$(EXIWHAT_MULTIKILL_ARG)?" \
+	  -e "s?EXIM_RELEASE_VERSION?$${EXIM_RELEASE_VERSION}?" \
+	  -e "s?EXIM_VARIANT_VERSION?$${EXIM_VARIANT_VERSION}?" \
 	  ../src/exiwhat.src > exiwhat-t
 	@mv exiwhat-t exiwhat
 	@chmod a+x exiwhat
@@ -321,7 +327,7 @@ exiwhat: config ../src/exiwhat.src
 # Target for the exim_checkaccess utility script
 exim_checkaccess: config ../src/exim_checkaccess.src
 	@rm -f exim_checkaccess
-	@sed \
+	@. ./version.sh && sed \
 	  -e "s?PROCESSED_FLAG?This file has been so processed.?"\
 	  -e "/^# /p" \
 	  -e "/^# /d" \
@@ -329,6 +335,8 @@ exim_checkaccess: config ../src/exim_checkaccess.src
 	  -e "s?CONFIGURE_FILE?$(CONFIGURE_FILE)?" \
 	  -e "s?BIN_DIRECTORY?$(BIN_DIRECTORY)?" \
 	  -e "s?PERL_COMMAND?$(PERL_COMMAND)?" \
+	  -e "s?EXIM_RELEASE_VERSION?$${EXIM_RELEASE_VERSION}?" \
+	  -e "s?EXIM_VARIANT_VERSION?$${EXIM_VARIANT_VERSION}?" \
 	  ../src/exim_checkaccess.src > exim_checkaccess-t
 	@mv exim_checkaccess-t exim_checkaccess
 	@chmod a+x exim_checkaccess
@@ -339,7 +347,7 @@ eximon: config ../src/eximon.src ../OS/eximon.conf-Default \
           ../Local/eximon.conf
 	@rm -f eximon
 	$(SHELL) $(SCRIPTS)/Configure-eximon
-	@sed \
+	@. ./version.sh && sed \
 	  -e "s?PROCESSED_FLAG?This file has been so processed.?"\
 	  -e "/^# /p" \
 	  -e "/^# /d" \
@@ -349,85 +357,108 @@ eximon: config ../src/eximon.src ../OS/eximon.conf-Default \
 	  -e "s?BASENAME_COMMAND?$(BASENAME_COMMAND)?" \
 	  -e "s?HOSTNAME_COMMAND?$(HOSTNAME_COMMAND)?" \
 	  -e "s?X11_LD_LIBRARY?$(X11_LD_LIB)?" \
+	  -e "s?EXIM_RELEASE_VERSION?$${EXIM_RELEASE_VERSION}?" \
+	  -e "s?EXIM_VARIANT_VERSION?$${EXIM_VARIANT_VERSION}?" \
 	  ../src/eximon.src >> eximon
 	@echo ">>> eximon script built"; echo ""
 
 # Targets for utilities; these are all Perl scripts that have to get the
 # location of Perl put in them. A few need other things as well.
 
-exigrep: Makefile ../src/exigrep.src
+exigrep: config ../src/exigrep.src
 	@rm -f exigrep
-	@sed \
+	@. ./version.sh && sed \
 	  -e "s?PROCESSED_FLAG?This file has been so processed.?"\
 	  -e "/^# /p" \
 	  -e "/^# /d" \
 	  -e "s?PERL_COMMAND?$(PERL_COMMAND)?" \
 	  -e "s?ZCAT_COMMAND?$(ZCAT_COMMAND)?" \
           -e "s?COMPRESS_SUFFIX?$(COMPRESS_SUFFIX)?" \
+	  -e "s?EXIM_RELEASE_VERSION?$${EXIM_RELEASE_VERSION}?" \
+	  -e "s?EXIM_VARIANT_VERSION?$${EXIM_VARIANT_VERSION}?" \
 	  ../src/exigrep.src > exigrep-t
 	@mv exigrep-t exigrep
 	@chmod a+x exigrep
 	@echo ">>> exigrep script built"
 
-eximstats: Makefile ../src/eximstats.src
+eximstats: config ../src/eximstats.src
 	@rm -f eximstats
-	@sed \
+	@. ./version.sh && sed \
 	  -e "s?PERL_COMMAND?$(PERL_COMMAND)?" \
+	  -e "s?EXIM_RELEASE_VERSION?$${EXIM_RELEASE_VERSION}?" \
+	  -e "s?EXIM_VARIANT_VERSION?$${EXIM_VARIANT_VERSION}?" \
 	  ../src/eximstats.src > eximstats-t
 	@mv eximstats-t eximstats
 	@chmod a+x eximstats
 	@echo ">>> eximstats script built"
 
-exiqgrep: Makefile ../src/exiqgrep.src
+exiqgrep: config ../src/exiqgrep.src
 	@rm -f exiqgrep
-	@sed \
+	@. ./version.sh && sed \
 	  -e "s?PROCESSED_FLAG?This file has been so processed.?"\
 	  -e "/^# /p" \
 	  -e "/^# /d" \
 	  -e "s?BIN_DIRECTORY?$(BIN_DIRECTORY)?" \
 	  -e "s?PERL_COMMAND?$(PERL_COMMAND)?" \
+	  -e "s?EXIM_RELEASE_VERSION?$${EXIM_RELEASE_VERSION}?" \
+	  -e "s?EXIM_VARIANT_VERSION?$${EXIM_VARIANT_VERSION}?" \
 	  ../src/exiqgrep.src > exiqgrep-t
 	@mv exiqgrep-t exiqgrep
 	@chmod a+x exiqgrep
 	@echo ">>> exiqgrep script built"
 
-exiqsumm: Makefile ../src/exiqsumm.src
+exiqsumm: config ../src/exiqsumm.src
 	@rm -f exiqsumm
-	@sed -e "s?PERL_COMMAND?$(PERL_COMMAND)?" \
+	@. ./version.sh && sed \
+	  -e "s?PERL_COMMAND?$(PERL_COMMAND)?" \
+	  -e "s?EXIM_RELEASE_VERSION?$${EXIM_RELEASE_VERSION}?" \
+	  -e "s?EXIM_VARIANT_VERSION?$${EXIM_VARIANT_VERSION}?" \
 	  ../src/exiqsumm.src > exiqsumm-t
 	@mv exiqsumm-t exiqsumm
 	@chmod a+x exiqsumm
 	@echo ">>> exiqsumm script built"
 
-exipick: Makefile ../src/exipick.src
+exipick: config ../src/exipick.src
 	@rm -f exipick
-	@sed -e "s?PERL_COMMAND?$(PERL_COMMAND)?" \
+	@. ./version.sh && sed \
+	  -e "s?PERL_COMMAND?$(PERL_COMMAND)?" \
 	  -e "s?SPOOL_DIRECTORY?$(SPOOL_DIRECTORY)?" \
 	  -e "s?BIN_DIRECTORY?$(BIN_DIRECTORY)?" \
+	  -e "s?EXIM_RELEASE_VERSION?$${EXIM_RELEASE_VERSION}?" \
+	  -e "s?EXIM_VARIANT_VERSION?$${EXIM_VARIANT_VERSION}?" \
 	  ../src/exipick.src > exipick-t
 	@mv exipick-t exipick
 	@chmod a+x exipick
 	@echo ">>> exipick script built"
 
-transport-filter.pl: Makefile ../src/transport-filter.src
+transport-filter.pl: config ../src/transport-filter.src
 	@rm -f transport-filter.pl
-	@sed -e "s?PERL_COMMAND?$(PERL_COMMAND)?" \
+	@. ./version.sh && sed \
+	  -e "s?PERL_COMMAND?$(PERL_COMMAND)?" \
+	  -e "s?EXIM_RELEASE_VERSION?$${EXIM_RELEASE_VERSION}?" \
+	  -e "s?EXIM_VARIANT_VERSION?$${EXIM_VARIANT_VERSION}?" \
 	  ../src/transport-filter.src > transport-filter.pl-t
 	@mv transport-filter.pl-t transport-filter.pl
 	@chmod a+x transport-filter.pl
 	@echo ">>> transport-filter.pl script built"
 
-convert4r3: Makefile ../src/convert4r3.src
+convert4r3: config ../src/convert4r3.src
 	@rm -f convert4r3
-	@sed -e "s?PERL_COMMAND?$(PERL_COMMAND)?" \
+	@. ./version.sh && sed \
+	  -e "s?PERL_COMMAND?$(PERL_COMMAND)?" \
+	  -e "s?EXIM_RELEASE_VERSION?$${EXIM_RELEASE_VERSION}?" \
+	  -e "s?EXIM_VARIANT_VERSION?$${EXIM_VARIANT_VERSION}?" \
 	  ../src/convert4r3.src > convert4r3-t
 	@mv convert4r3-t convert4r3
 	@chmod a+x convert4r3
 	@echo ">>> convert4r3 script built"
 
-convert4r4: Makefile ../src/convert4r4.src
+convert4r4: config ../src/convert4r4.src
 	@rm -f convert4r4
-	@sed -e "s?PERL_COMMAND?$(PERL_COMMAND)?" \
+	@. ./version.sh && sed \
+	  -e "s?PERL_COMMAND?$(PERL_COMMAND)?" \
+	  -e "s?EXIM_RELEASE_VERSION?$${EXIM_RELEASE_VERSION}?" \
+	  -e "s?EXIM_VARIANT_VERSION?$${EXIM_VARIANT_VERSION}?" \
 	  ../src/convert4r4.src > convert4r4-t
 	@mv convert4r4-t convert4r4
 	@chmod a+x convert4r4
@@ -635,7 +666,7 @@ PHDRS = ../config.h \
 
 # Update Exim's version information and build the version object.
 
-version.h::
+version.h version.sh::
 	@../scripts/reversion
 
 cnumber.h: version.h
diff --git a/src/src/convert4r3.src b/src/src/convert4r3.src
index 632eb70d7..d0b94d15e 100755
--- a/src/src/convert4r3.src
+++ b/src/src/convert4r3.src
@@ -10,6 +10,18 @@
 use warnings;
 BEGIN { pop @INC if $INC[-1] eq '.' };
 
+use Getopt::Long;
+use File::Basename;
+
+GetOptions(
+    'version' => sub {
+        print basename($0) . ": $0\n",
+            "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
+            "perl(runtime): $^V\n";
+            exit 0;
+    },
+);
+
 ##################################################
 #             Analyse one line                   #
 ##################################################
diff --git a/src/src/convert4r4.src b/src/src/convert4r4.src
index fff4e478b..47987fc8f 100755
--- a/src/src/convert4r4.src
+++ b/src/src/convert4r4.src
@@ -9,6 +9,18 @@
 use warnings;
 BEGIN { pop @INC if $INC[-1] eq '.' };
 
+use Getopt::Long;
+use File::Basename;
+
+GetOptions(
+    'version' => sub {
+        print basename($0) . ": $0\n",
+            "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
+            "perl(runtime): $^V\n";
+            exit 0;
+    },
+);
+
 # These are lists of main options which are abolished in Exim 4.
 # The first contains options that are used to construct new options.
 
diff --git a/src/src/exicyclog.src b/src/src/exicyclog.src
index 4fb160ac0..20bf9fcd4 100644
--- a/src/src/exicyclog.src
+++ b/src/src/exicyclog.src
@@ -72,6 +72,11 @@ while [ $# -gt 0 ] ; do
   -k) keep=$2
       shift
       ;;
+   --version)
+      echo "`basename $0`: $0"
+      echo "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION"
+      exit 0
+      ;;
    *) echo "** exicyclog: unknown option $1"
       exit 1
       ;;
diff --git a/src/src/exigrep.src b/src/src/exigrep.src
index bdeffae82..118cd91b9 100644
--- a/src/src/exigrep.src
+++ b/src/src/exigrep.src
@@ -6,6 +6,7 @@ BEGIN { pop @INC if $INC[-1] eq '.' };
 
 use Pod::Usage;
 use Getopt::Long;
+use File::Basename;
 
 # Copyright (c) 2007-2017 University of Cambridge.
 # See the file NOTICE for conditions of use and distribution.
@@ -229,6 +230,12 @@ GetOptions(
             -noperldoc => system('perldoc -V 2>/dev/null >&2')
         );
       },
+      'version'        => sub {
+            print basename($0) . ": $0\n",
+                "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
+                "perl(runtime): $^V\n";
+            exit 0;
+      },
 ) and @ARGV or pod2usage;
 
 $pattern = shift @ARGV;
diff --git a/src/src/exim_checkaccess.src b/src/src/exim_checkaccess.src
index a780a298a..81f6ebf70 100755
--- a/src/src/exim_checkaccess.src
+++ b/src/src/exim_checkaccess.src
@@ -65,8 +65,16 @@ PERL_COMMAND - $exim_path $args <<'End'
 
 BEGIN { pop @INC if $INC[-1] eq '.' };
 use FileHandle;
+use File::Basename;
 use IPC::Open2;
 
+if ($ARGV[0] eq '--version') {
+    print basename($0) . ": $0\n",
+          "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
+          "perl(runtime): $^V\n";
+          exit 0;
+}
+
 if (scalar(@ARGV) < 3)
   {
   print "Usage: exim_checkaccess <IP address> <email address> [exim options]\n";
diff --git a/src/src/eximon.src b/src/src/eximon.src
index d461ccffa..6293a7cc2 100644
--- a/src/src/eximon.src
+++ b/src/src/eximon.src
@@ -18,6 +18,13 @@
 # X11_LD_LIBRARY
 
 # PROCESSED_FLAG
+#
+if test "x$1" = x--version
+then
+    echo "`basename $0`: $0"
+    echo "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION"
+    exit 0
+fi
 
 # See if caller wants to invoke gdb
 
diff --git a/src/src/eximstats.src b/src/src/eximstats.src
index 80ac93372..99f4c195f 100644
--- a/src/src/eximstats.src
+++ b/src/src/eximstats.src
@@ -552,10 +552,18 @@ use integer;
 BEGIN { pop @INC if $INC[-1] eq '.' };
 use strict;
 use IO::File;
+use File::Basename;
 
 # use Time::Local;  # PH/FANF
 use POSIX;
 
+if ($ARGV[0] eq '--version') {
+    print basename($0) . ": $0\n",
+        "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
+        "perl(runtime): $^V\n";
+        exit 0;
+}
+
 use vars qw($HAVE_GD_Graph_pie $HAVE_GD_Graph_linespoints $HAVE_Spreadsheet_WriteExcel);
 eval { require GD::Graph::pie; };
 $HAVE_GD_Graph_pie = $@ ? 0 : 1;
diff --git a/src/src/exinext.src b/src/src/exinext.src
index 9c427350b..913801867 100644
--- a/src/src/exinext.src
+++ b/src/src/exinext.src
@@ -25,6 +25,13 @@ config=
 eximmacdef=
 exim_path=
 
+if test "x$1" = x--version
+then
+    echo "`basename $0`: $0"
+    echo "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION"
+    exit 0
+fi
+
 if expr -- $1 : '\-' >/dev/null ; then
   while expr -- $1 : '\-' >/dev/null ; do
     if [ "$1" = "-C" ]; then
diff --git a/src/src/exipick.src b/src/src/exipick.src
index a1aa79dc0..d486b4289 100644
--- a/src/src/exipick.src
+++ b/src/src/exipick.src
@@ -17,6 +17,7 @@ my $charset = 'ISO-8859-1';
 use strict;
 BEGIN { pop @INC if $INC[-1] eq '.' };
 use Getopt::Long;
+use File::Basename;
 
 my($p_name)   = $0 =~ m|/?([^/]+)$|;
 my $p_version = "20100323.0";
@@ -83,7 +84,13 @@ GetOptions(
   'show-vars=s' => \$G::show_vars,  # display the contents of these vars
   'just-vars'   => \$G::just_vars,  # only display vars, no other info
   'show-rules'  => \$G::show_rules, # display compiled match rules
-  'show-tests'  => \$G::show_tests  # display tests as applied to each message
+  'show-tests'  => \$G::show_tests, # display tests as applied to each message
+  'version'     => sub {
+        print basename($0) . ": $0\n",
+            "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
+            "perl(runtime): $^V\n";
+            exit 0;
+  },
 ) || exit(1);
 
 # if both freeze and thaw specified, only thaw as it is less destructive
diff --git a/src/src/exiqgrep.src b/src/src/exiqgrep.src
index d900e9933..c26da684b 100644
--- a/src/src/exiqgrep.src
+++ b/src/src/exiqgrep.src
@@ -19,7 +19,9 @@
 
 use strict;
 BEGIN { pop @INC if $INC[-1] eq '.' };
+
 use Getopt::Std;
+use File::Basename;
 
 # Have this variable point to your exim binary.
 my $exim = 'BIN_DIRECTORY/exim';
@@ -44,6 +46,13 @@ if ($^O eq 'darwin') { # aka MacOS X
   $base = 62;
 };
 
+if ($ARGV[0] eq '--version') {
+    print basename($0) . ": $0\n",
+        "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
+        "perl(runtime): $^V\n";
+        exit 0;
+}
+
 getopts('hf:r:y:o:s:C:zxlibRca',\%opt);
 if ($ARGV[0]) { &help; exit;}
 if ($opt{h}) { &help; exit;}
diff --git a/src/src/exiqsumm.src b/src/src/exiqsumm.src
index 99a304fef..97cacdd63 100644
--- a/src/src/exiqsumm.src
+++ b/src/src/exiqsumm.src
@@ -43,6 +43,14 @@
 
 use warnings;
 BEGIN { pop @INC if $INC[-1] eq '.' };
+use File::Basename;
+
+if ($ARGV[0] eq '--version') {
+    print basename($0) . ": $0\n",
+        "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
+        "perl(runtime): $^V\n";
+        exit 0;
+}
 
 sub print_volume_rounded {
 my($x) = pop @_;
diff --git a/src/src/exiwhat.src b/src/src/exiwhat.src
index 2542b0198..4fdc09f78 100644
--- a/src/src/exiwhat.src
+++ b/src/src/exiwhat.src
@@ -52,6 +52,13 @@ signal=EXIWHAT_KILL_SIGNAL
 # See if this installation is using the esoteric "USE_NODE" feature of Exim,
 # in which it uses the host's name as a suffix for the configuration file name.
 
+if test "x$1" = x--version
+then
+    echo "`basename $0`: $0"
+    echo "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION"
+    exit 0
+fi
+
 if [ "CONFIGURE_FILE_USE_NODE" = "yes" ]; then
   hostsuffix=.`uname -n`
 fi
diff --git a/src/src/transport-filter.src b/src/src/transport-filter.src
index 3f250e657..256bf7c39 100644
--- a/src/src/transport-filter.src
+++ b/src/src/transport-filter.src
@@ -13,6 +13,14 @@
 
 use warnings;
 BEGIN { pop @INC if $INC[-1] eq '.' };
+use File::Basename;
+
+if ($ARGV[0] eq '--version') {
+    print basename($0) . ": $0\n",
+        "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
+        "perl(runtime): $^V\n";
+        exit 0;
+}
 
 # If the filter is called with any arguments, insert them into the message
 # as X-Arg headers, just to verify what they are.
-- 
cgit v1.2.3


From 02721dcdf5dfcf96f62f6c657c9989b9ef991fa7 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Wed, 1 Nov 2017 12:32:13 +0000
Subject: Use back-compatible variable for perl version The modern $^V is not
 present in some buildfarm animals' perl versions.

---
 src/src/exigrep.src          | 2 +-
 src/src/exim_checkaccess.src | 2 +-
 src/src/eximstats.src        | 2 +-
 src/src/exipick.src          | 2 +-
 src/src/exiqgrep.src         | 2 +-
 src/src/exiqsumm.src         | 2 +-
 src/src/transport-filter.src | 2 +-
 test/runtest                 | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

(limited to 'src')

diff --git a/src/src/exigrep.src b/src/src/exigrep.src
index 118cd91b9..9e5c7d8b7 100644
--- a/src/src/exigrep.src
+++ b/src/src/exigrep.src
@@ -233,7 +233,7 @@ GetOptions(
       'version'        => sub {
             print basename($0) . ": $0\n",
                 "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
-                "perl(runtime): $^V\n";
+                "perl(runtime): $]\n";
             exit 0;
       },
 ) and @ARGV or pod2usage;
diff --git a/src/src/exim_checkaccess.src b/src/src/exim_checkaccess.src
index 81f6ebf70..360f307ba 100755
--- a/src/src/exim_checkaccess.src
+++ b/src/src/exim_checkaccess.src
@@ -71,7 +71,7 @@ use IPC::Open2;
 if ($ARGV[0] eq '--version') {
     print basename($0) . ": $0\n",
           "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
-          "perl(runtime): $^V\n";
+          "perl(runtime): $]\n";
           exit 0;
 }
 
diff --git a/src/src/eximstats.src b/src/src/eximstats.src
index 99f4c195f..76cfe7e97 100644
--- a/src/src/eximstats.src
+++ b/src/src/eximstats.src
@@ -560,7 +560,7 @@ use POSIX;
 if ($ARGV[0] eq '--version') {
     print basename($0) . ": $0\n",
         "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
-        "perl(runtime): $^V\n";
+        "perl(runtime): $]\n";
         exit 0;
 }
 
diff --git a/src/src/exipick.src b/src/src/exipick.src
index d486b4289..b6c28ef23 100644
--- a/src/src/exipick.src
+++ b/src/src/exipick.src
@@ -88,7 +88,7 @@ GetOptions(
   'version'     => sub {
         print basename($0) . ": $0\n",
             "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
-            "perl(runtime): $^V\n";
+            "perl(runtime): $]\n";
             exit 0;
   },
 ) || exit(1);
diff --git a/src/src/exiqgrep.src b/src/src/exiqgrep.src
index c26da684b..c4f7c4b58 100644
--- a/src/src/exiqgrep.src
+++ b/src/src/exiqgrep.src
@@ -49,7 +49,7 @@ if ($^O eq 'darwin') { # aka MacOS X
 if ($ARGV[0] eq '--version') {
     print basename($0) . ": $0\n",
         "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
-        "perl(runtime): $^V\n";
+        "perl(runtime): $]\n";
         exit 0;
 }
 
diff --git a/src/src/exiqsumm.src b/src/src/exiqsumm.src
index 97cacdd63..551ca97ca 100644
--- a/src/src/exiqsumm.src
+++ b/src/src/exiqsumm.src
@@ -48,7 +48,7 @@ use File::Basename;
 if ($ARGV[0] eq '--version') {
     print basename($0) . ": $0\n",
         "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
-        "perl(runtime): $^V\n";
+        "perl(runtime): $]\n";
         exit 0;
 }
 
diff --git a/src/src/transport-filter.src b/src/src/transport-filter.src
index 256bf7c39..db00d877f 100644
--- a/src/src/transport-filter.src
+++ b/src/src/transport-filter.src
@@ -18,7 +18,7 @@ use File::Basename;
 if ($ARGV[0] eq '--version') {
     print basename($0) . ": $0\n",
         "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
-        "perl(runtime): $^V\n";
+        "perl(runtime): $]\n";
         exit 0;
 }
 
diff --git a/test/runtest b/test/runtest
index b29be7fce..57e2d8a10 100755
--- a/test/runtest
+++ b/test/runtest
@@ -3364,7 +3364,7 @@ if (system("cp $parm_exim_dir/eximstats eximdir") != 0)
 
 # Collect some version information
 print '-' x 78, "\n";
-print "Perl version for runtest: $^V\n";
+print "Perl version for runtest: $]\n";
 foreach (map { "./eximdir/$_" } qw(exigrep exinext eximstats)) {
   # fold (or unfold?) multiline output into a one-liner
   print join(', ', map { chomp; $_ } `$_ --version`), "\n";
-- 
cgit v1.2.3


From b8d96756d873dab9685128f491399c535b652abe Mon Sep 17 00:00:00 2001
From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
Date: Wed, 1 Nov 2017 22:38:43 +0100
Subject: exigrep: we need to run with perl 5.8.x

The defined-or operator '//' does not exist yet.
---
 src/src/exigrep.src | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/src/exigrep.src b/src/src/exigrep.src
index 9e5c7d8b7..5db01fe08 100644
--- a/src/src/exigrep.src
+++ b/src/src/exigrep.src
@@ -244,7 +244,8 @@ $pattern = quotemeta $pattern if $literal;
 # Start a pager if output goes to a terminal
 if (-t 1 and $use_pager)
   {
-  foreach ($ENV{PAGER}//(), 'less', 'more')
+  # for perl >= v5.10.x: foreach ($ENV{PAGER}//(), 'less', 'more')
+  foreach (defined $ENV{PAGER} ? $ENV{PAGER} : (), 'less', 'more')
     {
     local $ENV{LESS} .= ' --no-init --quit-if-one-screen';
     open(my $pager, '|-', $_) or next;
-- 
cgit v1.2.3


From 484cc1a938bec2546c2475deecdd11d34866a257 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Fri, 3 Nov 2017 11:02:19 +0000
Subject: DKIM: better syntax for control of oversigning.  Bug 2180

---
 doc/doc-docbook/spec.xfpt   | 11 +++++++++
 doc/doc-txt/NewStuff        |  1 +
 src/src/pdkim/pdkim.c       | 54 ++++++++++++++++++++++++---------------------
 test/log/4520               | 54 +++++++++++++++++++++++++++++++++++++--------
 test/scripts/4500-DKIM/4520 | 33 +++++++++++++++++++++++++++
 test/stderr/4520            |  4 ++--
 6 files changed, 121 insertions(+), 36 deletions(-)

(limited to 'src')

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 13fcad724..a0eb53c58 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -38608,6 +38608,17 @@ When unspecified, the header names listed in RFC4871 will be used,
 whether or not each header is present in the message.
 The default list is available for the expansion in the macro
 "_DKIM_SIGN_HEADERS".
+
+If a name is repeated, multiple headers by that name (or the absence therof)
+will be signed.  The textually later headers in the headers part of the
+message are signed first, if there are multiples.
+
+A name can be prefixed with either an '=' or a '+' character.
+If an '=' prefix is used, all headers that are present with this name
+will be signed.
+If a '+' prefix if used, all headers that are present with this name
+will be signed, and one signtature added for a missing header with the
+name will be appended.
 .wen
 
 
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 22af13554..e77095c8d 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -54,6 +54,7 @@ Version 4.90
 13. DKIM support for multiple signing, by domain and/or key-selector.
     DKIM support for multiple hashes, and for alternate-identity tags.
     Builtin macro with default list of signed headers.
+    Better syntax for specifying oversigning.
 
 14. Exipick understands -C|--config for an alternative Exim
     configuration file.
diff --git a/src/src/pdkim/pdkim.c b/src/src/pdkim/pdkim.c
index 1420b1a79..138861815 100644
--- a/src/src/pdkim/pdkim.c
+++ b/src/src/pdkim/pdkim.c
@@ -250,16 +250,19 @@ pdkim_free_ctx(pdkim_ctx *ctx)
 /* -------------------------------------------------------------------------- */
 /* Matches the name of the passed raw "header" against
    the passed colon-separated "tick", and invalidates
-   the entry in tick. Returns OK or fail-code */
-/*XXX might be safer done using a pdkim_stringlist for "tick" */
+   the entry in tick.  Entries can be prefixed for multi- or over-signing,
+   in which case do not invalidate.
+
+   Returns OK for a match, or fail-code
+*/
 
 static int
 header_name_match(const uschar * header, uschar * tick)
 {
-uschar * hname;
-uschar * lcopy;
-uschar * p;
-uschar * q;
+const uschar * ticklist = tick;
+int sep = ':';
+BOOL multisign;
+uschar * hname, * p, * ele;
 uschar * hcolon = Ustrchr(header, ':');		/* Get header name */
 
 if (!hcolon)
@@ -268,27 +271,22 @@ if (!hcolon)
 /* if we had strncmpic() we wouldn't need this copy */
 hname = string_copyn(header, hcolon-header);
 
-/* Copy tick-off list locally, so we can punch zeroes into it */
-p = lcopy = string_copy(tick);
-
-for (q = Ustrchr(p, ':'); q; q = Ustrchr(p, ':'))
+while (p = US ticklist, ele = string_nextinlist(&ticklist, &sep, NULL, 0))
   {
-  *q = '\0';
-  if (strcmpic(p, hname) == 0)
-    goto found;
-
-  p = q+1;
+  switch (*ele)
+  {
+  case '=': case '+':	multisign = TRUE; ele++; break;
+  default:		multisign = FALSE; break;
   }
 
-if (strcmpic(p, hname) == 0)
-  goto found;
-
+  if (strcmpic(ele, hname) == 0)
+    {
+    if (!multisign)
+      *p = '_';	/* Invalidate this header name instance in tick-off list */
+    return PDKIM_OK;
+    }
+  }
 return PDKIM_FAIL;
-
-found:
-  /* Invalidate header name instance in tick-off list */
-  tick[p-lcopy] = '_';
-  return PDKIM_OK;
 }
 
 
@@ -1445,11 +1443,17 @@ for (sig = ctx->sig; sig; sig = sig->next)
 	}
       }
 
-    /* Any headers we wanted to sign but were not present must also be listed */
+    /* Any headers we wanted to sign but were not present must also be listed.
+    Ignore elements that have been ticked-off or are marked as never-oversign. */
+
     l = sig->sign_headers;
     while((s = string_nextinlist(&l, &sep, NULL, 0)))
-      if (*s != '_')
+      {
+      if (*s == '+')			/* skip oversigning marker */
+        s++;
+      if (*s != '_' && *s != '=')
 	g = string_append_listele(g, ':', s);
+      }
     sig->headernames = string_from_gstring(g);
 
     /* Create signature header with b= omitted */
diff --git a/test/log/4520 b/test/log/4520
index b0ddcd64e..7bee5d786 100644
--- a/test/log/4520
+++ b/test/log/4520
@@ -5,11 +5,23 @@
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => b@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbB-0005vi-00 => c@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 => b10@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbC-0005vi-00"
 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbD-0005vi-00 => d@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 => b12@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbE-0005vi-00"
 1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbF-0005vi-00 => b20@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbF-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbH-0005vi-00 => b22@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbI-0005vi-00"
+1999-03-02 09:44:33 10HmbH-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbJ-0005vi-00 => c@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbK-0005vi-00"
+1999-03-02 09:44:33 10HmbJ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbL-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbL-0005vi-00 => d@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbM-0005vi-00"
+1999-03-02 09:44:33 10HmbL-0005vi-00 Completed
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
@@ -26,15 +38,39 @@
 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <b@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
 1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbC-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 i=allheaders@test.ex [verification succeeded]
-1999-03-02 09:44:33 10HmbC-0005vi-00 signer: test.ex bits: 1024 h=Date:Sender:Message-Id:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbC-0005vi-00 signer: allheaders@test.ex bits: 1024 h=Date:Sender:Message-Id:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmbC-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmbC-0005vi-00 signer: test.ex bits: 1024 h=From
 1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbB-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <c@test.ex> R=server_dump
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <b10@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
 1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbE-0005vi-00 DKIM: d=test.ex s=sel_bad c=relaxed/relaxed a=rsa-sha256 b=1024 [invalid - syntax error in public key record]
-1999-03-02 09:44:33 10HmbE-0005vi-00 signer: test.ex bits: 1024 h=From
+1999-03-02 09:44:33 10HmbE-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmbE-0005vi-00 signer: test.ex bits: 1024 h=X-mine:X-mine:From
 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbD-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <d@test.ex> R=server_dump
+1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <b12@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
+1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmbG-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmbG-0005vi-00 signer: test.ex bits: 1024 h=X-Mine
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbF-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: <b20@test.ex> R=server_dump
+1999-03-02 09:44:33 10HmbG-0005vi-00 Completed
+1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmbI-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmbI-0005vi-00 signer: test.ex bits: 1024 h=X-mine:X-mine:X-Mine
+1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbH-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbI-0005vi-00 => :blackhole: <b22@test.ex> R=server_dump
+1999-03-02 09:44:33 10HmbI-0005vi-00 Completed
+1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmbK-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 i=allheaders@test.ex [verification succeeded]
+1999-03-02 09:44:33 10HmbK-0005vi-00 signer: test.ex bits: 1024 h=Date:Sender:Message-Id:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmbK-0005vi-00 signer: allheaders@test.ex bits: 1024 h=Date:Sender:Message-Id:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbJ-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbK-0005vi-00 => :blackhole: <c@test.ex> R=server_dump
+1999-03-02 09:44:33 10HmbK-0005vi-00 Completed
+1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmbM-0005vi-00 DKIM: d=test.ex s=sel_bad c=relaxed/relaxed a=rsa-sha256 b=1024 [invalid - syntax error in public key record]
+1999-03-02 09:44:33 10HmbM-0005vi-00 signer: test.ex bits: 1024 h=From
+1999-03-02 09:44:33 10HmbM-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbL-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbM-0005vi-00 => :blackhole: <d@test.ex> R=server_dump
+1999-03-02 09:44:33 10HmbM-0005vi-00 Completed
diff --git a/test/scripts/4500-DKIM/4520 b/test/scripts/4500-DKIM/4520
index 3e5879972..1bc4c6030 100644
--- a/test/scripts/4500-DKIM/4520
+++ b/test/scripts/4500-DKIM/4520
@@ -15,6 +15,39 @@ content
 exim -DOPT=From:From -odf b@test.ex
 From: nobody@example.com
 
+content
+****
+#
+# no header, multi-sign
+exim -DOPT=From:=X-Mine -odf b10@test.ex
+From: nobody@example.com
+
+content
+****
+#
+# double header, multi-sign
+exim -DOPT=From:=X-Mine -odf b12@test.ex
+From: nobody@example.com
+X-mine: one
+X-mine: two
+
+content
+****
+#
+#
+# no header, always-oversign
+exim -DOPT=+X-Mine -odf b20@test.ex
+From: nobody@example.com
+
+content
+****
+#
+# double header, always-oversign
+exim -DOPT=+X-Mine -odf b22@test.ex
+From: nobody@example.com
+X-mine: one
+X-mine: two
+
 content
 ****
 #
diff --git a/test/stderr/4520 b/test/stderr/4520
index 3d7957c03..499716fc1 100644
--- a/test/stderr/4520
+++ b/test/stderr/4520
@@ -45,12 +45,12 @@ DKIM-Signature:{SP}v=1;{SP}a=rsa-sha256;{SP}q=dns/txt;{SP}c=relaxed/relaxed;{SP}
 PDKIM >> Signed DKIM-Signature header, canonicalized >>>>>>>>>>>>>>>>>
 dkim-signature:v=1;{SP}a=rsa-sha256;{SP}q=dns/txt;{SP}c=relaxed/relaxed;{SP}d=test.ex;{SP}s=sel_bad;{SP}h=From;{SP}bh=/Ab0giHZitYQbDhFszoqQRUkgqueaX9zatJttIU/plc=;{SP}b=;
 PDKIM [test.ex] Header sha256 computed: 241e16230df5723d899cfae9474c6b376a2ab1f81d1094e358f50ffd0e0067b3
-  SMTP<< 250 OK id=10HmbE-0005vi-00
+  SMTP<< 250 OK id=10HmbM-0005vi-00
   SMTP>> QUIT
 cmd buf flush ddd bytes
   SMTP(close)>>
 LOG: MAIN
-  => d@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbE-0005vi-00"
+  => d@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbM-0005vi-00"
 LOG: MAIN
   Completed
 >>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
-- 
cgit v1.2.3


From ba86e143c7aeb0d70ea4c9d73a617a98f06f6baa Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Tue, 7 Nov 2017 16:09:28 +0000
Subject: TLS: support multiple certificate files in server.  Bug 2092

---
 doc/doc-docbook/spec.xfpt                          |  52 +++-
 doc/doc-txt/NewStuff                               |   2 +
 src/src/configure.default                          |   3 +
 src/src/tls-gnu.c                                  |  56 +++-
 src/src/tls-openssl.c                              |  69 ++++-
 test/aux-fixed/exim-ca/example.com/BLANK/CA.pem    |  22 +-
 .../aux-fixed/exim-ca/example.com/BLANK/Signer.pem |  24 +-
 test/aux-fixed/exim-ca/example.com/BLANK/cert8.db  | Bin 65536 -> 65536 bytes
 test/aux-fixed/exim-ca/example.com/BLANK/key3.db   | Bin 16384 -> 16384 bytes
 test/aux-fixed/exim-ca/example.com/CA/CA.pem       |  22 +-
 test/aux-fixed/exim-ca/example.com/CA/OCSP.key     |  32 +--
 test/aux-fixed/exim-ca/example.com/CA/OCSP.p12     | Bin 2906 -> 2962 bytes
 test/aux-fixed/exim-ca/example.com/CA/OCSP.pem     |  23 +-
 test/aux-fixed/exim-ca/example.com/CA/Signer.key   |  32 +--
 test/aux-fixed/exim-ca/example.com/CA/Signer.p12   | Bin 2300 -> 2340 bytes
 test/aux-fixed/exim-ca/example.com/CA/Signer.pem   |  24 +-
 test/aux-fixed/exim-ca/example.com/CA/ca.conf      |  17 +-
 test/aux-fixed/exim-ca/example.com/CA/cert8.db     | Bin 65536 -> 65536 bytes
 test/aux-fixed/exim-ca/example.com/CA/crl.empty    | Bin 240 -> 244 bytes
 .../exim-ca/example.com/CA/crl.empty.in.txt        |   2 +-
 .../aux-fixed/exim-ca/example.com/CA/crl.empty.pem |  11 +-
 test/aux-fixed/exim-ca/example.com/CA/crl.v2       | Bin 289 -> 293 bytes
 .../aux-fixed/exim-ca/example.com/CA/crl.v2.in.txt |   6 +-
 test/aux-fixed/exim-ca/example.com/CA/crl.v2.pem   |  14 +-
 test/aux-fixed/exim-ca/example.com/CA/key3.db      | Bin 24576 -> 24576 bytes
 test/aux-fixed/exim-ca/example.com/CA/noise.file   | 161 +++++------
 .../example.com/expired1.example.com/ca_chain.pem  |  58 ++--
 .../example.com/expired1.example.com/cert8.db      | Bin 65536 -> 65536 bytes
 .../expired1.example.com.chain.pem                 |  56 ++--
 .../expired1.example.com/expired1.example.com.key  |  32 +--
 .../expired1.example.com.ocsp.dated.resp           | Bin 886 -> 898 bytes
 .../expired1.example.com.ocsp.good.resp            | Bin 886 -> 898 bytes
 .../expired1.example.com.ocsp.req                  | Bin 68 -> 68 bytes
 .../expired1.example.com.ocsp.revoked.resp         | Bin 908 -> 920 bytes
 .../expired1.example.com.ocsp.signer.dated.resp    | Bin 926 -> 938 bytes
 .../expired1.example.com.ocsp.signer.good.resp     | Bin 926 -> 938 bytes
 .../expired1.example.com.ocsp.signer.revoked.resp  | Bin 948 -> 960 bytes
 ...pired1.example.com.ocsp.signernocert.dated.resp | Bin 358 -> 362 bytes
 ...xpired1.example.com.ocsp.signernocert.good.resp | Bin 358 -> 362 bytes
 ...red1.example.com.ocsp.signernocert.revoked.resp | Bin 380 -> 384 bytes
 .../expired1.example.com/expired1.example.com.p12  | Bin 3076 -> 3108 bytes
 .../expired1.example.com/expired1.example.com.pem  |  32 +--
 .../expired1.example.com.unlocked.key              |  26 +-
 .../example.com/expired1.example.com/key3.db       | Bin 16384 -> 16384 bytes
 .../example.com/expired2.example.com/ca_chain.pem  |  58 ++--
 .../example.com/expired2.example.com/cert8.db      | Bin 65536 -> 65536 bytes
 .../expired2.example.com.chain.pem                 |  56 ++--
 .../expired2.example.com/expired2.example.com.key  |  32 +--
 .../expired2.example.com.ocsp.dated.resp           | Bin 887 -> 899 bytes
 .../expired2.example.com.ocsp.good.resp            | Bin 887 -> 899 bytes
 .../expired2.example.com.ocsp.req                  | Bin 69 -> 69 bytes
 .../expired2.example.com.ocsp.revoked.resp         | Bin 887 -> 899 bytes
 .../expired2.example.com.ocsp.signer.dated.resp    | Bin 927 -> 939 bytes
 .../expired2.example.com.ocsp.signer.good.resp     | Bin 927 -> 939 bytes
 .../expired2.example.com.ocsp.signer.revoked.resp  | Bin 927 -> 939 bytes
 ...pired2.example.com.ocsp.signernocert.dated.resp | Bin 359 -> 363 bytes
 ...xpired2.example.com.ocsp.signernocert.good.resp | Bin 359 -> 363 bytes
 ...red2.example.com.ocsp.signernocert.revoked.resp | Bin 359 -> 363 bytes
 .../expired2.example.com/expired2.example.com.p12  | Bin 3076 -> 3108 bytes
 .../expired2.example.com/expired2.example.com.pem  |  32 +--
 .../expired2.example.com.unlocked.key              |  26 +-
 .../example.com/expired2.example.com/key3.db       | Bin 16384 -> 16384 bytes
 .../example.com/revoked1.example.com/ca_chain.pem  |  58 ++--
 .../example.com/revoked1.example.com/cert8.db      | Bin 65536 -> 65536 bytes
 .../example.com/revoked1.example.com/key3.db       | Bin 16384 -> 16384 bytes
 .../revoked1.example.com.chain.pem                 |  56 ++--
 .../revoked1.example.com/revoked1.example.com.key  |  32 +--
 .../revoked1.example.com.ocsp.dated.resp           | Bin 886 -> 898 bytes
 .../revoked1.example.com.ocsp.good.resp            | Bin 886 -> 898 bytes
 .../revoked1.example.com.ocsp.req                  | Bin 68 -> 68 bytes
 .../revoked1.example.com.ocsp.revoked.resp         | Bin 908 -> 920 bytes
 .../revoked1.example.com.ocsp.signer.dated.resp    | Bin 926 -> 938 bytes
 .../revoked1.example.com.ocsp.signer.good.resp     | Bin 926 -> 938 bytes
 .../revoked1.example.com.ocsp.signer.revoked.resp  | Bin 948 -> 960 bytes
 ...voked1.example.com.ocsp.signernocert.dated.resp | Bin 358 -> 362 bytes
 ...evoked1.example.com.ocsp.signernocert.good.resp | Bin 358 -> 362 bytes
 ...ked1.example.com.ocsp.signernocert.revoked.resp | Bin 380 -> 384 bytes
 .../revoked1.example.com/revoked1.example.com.p12  | Bin 3076 -> 3108 bytes
 .../revoked1.example.com/revoked1.example.com.pem  |  32 +--
 .../revoked1.example.com.unlocked.key              |  26 +-
 .../example.com/revoked2.example.com/ca_chain.pem  |  58 ++--
 .../example.com/revoked2.example.com/cert8.db      | Bin 65536 -> 65536 bytes
 .../example.com/revoked2.example.com/key3.db       | Bin 16384 -> 16384 bytes
 .../revoked2.example.com.chain.pem                 |  56 ++--
 .../revoked2.example.com/revoked2.example.com.key  |  32 +--
 .../revoked2.example.com.ocsp.dated.resp           | Bin 887 -> 899 bytes
 .../revoked2.example.com.ocsp.good.resp            | Bin 887 -> 899 bytes
 .../revoked2.example.com.ocsp.req                  | Bin 69 -> 69 bytes
 .../revoked2.example.com.ocsp.revoked.resp         | Bin 887 -> 899 bytes
 .../revoked2.example.com.ocsp.signer.dated.resp    | Bin 927 -> 939 bytes
 .../revoked2.example.com.ocsp.signer.good.resp     | Bin 927 -> 939 bytes
 .../revoked2.example.com.ocsp.signer.revoked.resp  | Bin 927 -> 939 bytes
 ...voked2.example.com.ocsp.signernocert.dated.resp | Bin 359 -> 363 bytes
 ...evoked2.example.com.ocsp.signernocert.good.resp | Bin 359 -> 363 bytes
 ...ked2.example.com.ocsp.signernocert.revoked.resp | Bin 359 -> 363 bytes
 .../revoked2.example.com/revoked2.example.com.p12  | Bin 3076 -> 3108 bytes
 .../revoked2.example.com/revoked2.example.com.pem  |  32 +--
 .../revoked2.example.com.unlocked.key              |  26 +-
 .../example.com/server1.example.com/ca_chain.pem   |  58 ++--
 .../example.com/server1.example.com/cert8.db       | Bin 65536 -> 65536 bytes
 .../server1.example.com/certdir/08c48a5f.0         |   1 -
 .../server1.example.com/certdir/61e813e6.0         |   1 -
 .../server1.example.com/certdir/9ec80de3.0         |   1 +
 .../server1.example.com/certdir/d89e5358.0         |   1 +
 .../example.com/server1.example.com/fullchain.pem  |  94 +++----
 .../example.com/server1.example.com/key3.db        | Bin 16384 -> 16384 bytes
 .../server1.example.com.chain.pem                  |  60 ++--
 .../server1.example.com/server1.example.com.key    |  32 +--
 .../server1.example.com.ocsp.dated.resp            | Bin 886 -> 898 bytes
 .../server1.example.com.ocsp.good.resp             | Bin 886 -> 898 bytes
 .../server1.example.com.ocsp.req                   | Bin 68 -> 68 bytes
 .../server1.example.com.ocsp.revoked.resp          | Bin 908 -> 920 bytes
 .../server1.example.com.ocsp.signer.dated.resp     | Bin 926 -> 938 bytes
 .../server1.example.com.ocsp.signer.good.resp      | Bin 926 -> 938 bytes
 .../server1.example.com.ocsp.signer.revoked.resp   | Bin 948 -> 960 bytes
 ...erver1.example.com.ocsp.signernocert.dated.resp | Bin 358 -> 362 bytes
 ...server1.example.com.ocsp.signernocert.good.resp | Bin 358 -> 362 bytes
 ...ver1.example.com.ocsp.signernocert.revoked.resp | Bin 380 -> 384 bytes
 .../server1.example.com/server1.example.com.p12    | Bin 3154 -> 3186 bytes
 .../server1.example.com/server1.example.com.pem    |  36 +--
 .../server1.example.com.unlocked.key               |  26 +-
 .../server1_ec.example.com/ca_chain.pem            |  35 +++
 .../example.com/server1_ec.example.com/cert8.db    | Bin 0 -> 65536 bytes
 .../example.com/server1_ec.example.com/key3.db     | Bin 0 -> 16384 bytes
 .../example.com/server1_ec.example.com/pwdfile     |   1 +
 .../example.com/server1_ec.example.com/secmod.db   | Bin 0 -> 16384 bytes
 .../server1_ec.example.com.chain.pem               |  36 +++
 .../server1_ec.example.com.key                     |  13 +
 .../server1_ec.example.com.p12                     | Bin 0 -> 2759 bytes
 .../server1_ec.example.com.pem                     |  22 ++
 .../server1_ec.example.com.unlocked.key            |   7 +
 .../example.com/server2.example.com/ca_chain.pem   |  58 ++--
 .../example.com/server2.example.com/cert8.db       | Bin 65536 -> 65536 bytes
 .../example.com/server2.example.com/key3.db        | Bin 16384 -> 16384 bytes
 .../server2.example.com.chain.pem                  |  56 ++--
 .../server2.example.com/server2.example.com.key    |  32 +--
 .../server2.example.com.ocsp.dated.resp            | Bin 887 -> 899 bytes
 .../server2.example.com.ocsp.good.resp             | Bin 887 -> 899 bytes
 .../server2.example.com.ocsp.req                   | Bin 69 -> 69 bytes
 .../server2.example.com.ocsp.revoked.resp          | Bin 887 -> 899 bytes
 .../server2.example.com.ocsp.signer.dated.resp     | Bin 927 -> 939 bytes
 .../server2.example.com.ocsp.signer.good.resp      | Bin 927 -> 939 bytes
 .../server2.example.com.ocsp.signer.revoked.resp   | Bin 927 -> 939 bytes
 ...erver2.example.com.ocsp.signernocert.dated.resp | Bin 359 -> 363 bytes
 ...server2.example.com.ocsp.signernocert.good.resp | Bin 359 -> 363 bytes
 ...ver2.example.com.ocsp.signernocert.revoked.resp | Bin 359 -> 363 bytes
 .../server2.example.com/server2.example.com.p12    | Bin 3066 -> 3106 bytes
 .../server2.example.com/server2.example.com.pem    |  32 +--
 .../server2.example.com.unlocked.key               |  26 +-
 test/aux-fixed/exim-ca/example.net/BLANK/CA.pem    |  22 +-
 .../aux-fixed/exim-ca/example.net/BLANK/Signer.pem |  24 +-
 test/aux-fixed/exim-ca/example.net/BLANK/cert8.db  | Bin 65536 -> 65536 bytes
 test/aux-fixed/exim-ca/example.net/BLANK/key3.db   | Bin 16384 -> 16384 bytes
 test/aux-fixed/exim-ca/example.net/CA/CA.pem       |  22 +-
 test/aux-fixed/exim-ca/example.net/CA/OCSP.key     |  32 +--
 test/aux-fixed/exim-ca/example.net/CA/OCSP.p12     | Bin 2906 -> 2962 bytes
 test/aux-fixed/exim-ca/example.net/CA/OCSP.pem     |  23 +-
 test/aux-fixed/exim-ca/example.net/CA/Signer.key   |  32 +--
 test/aux-fixed/exim-ca/example.net/CA/Signer.p12   | Bin 2300 -> 2340 bytes
 test/aux-fixed/exim-ca/example.net/CA/Signer.pem   |  24 +-
 test/aux-fixed/exim-ca/example.net/CA/ca.conf      |  21 +-
 test/aux-fixed/exim-ca/example.net/CA/cert8.db     | Bin 65536 -> 65536 bytes
 test/aux-fixed/exim-ca/example.net/CA/crl.empty    | Bin 240 -> 244 bytes
 .../exim-ca/example.net/CA/crl.empty.in.txt        |   2 +-
 .../aux-fixed/exim-ca/example.net/CA/crl.empty.pem |  11 +-
 test/aux-fixed/exim-ca/example.net/CA/crl.v2       | Bin 289 -> 293 bytes
 .../aux-fixed/exim-ca/example.net/CA/crl.v2.in.txt |   6 +-
 test/aux-fixed/exim-ca/example.net/CA/crl.v2.pem   |  14 +-
 test/aux-fixed/exim-ca/example.net/CA/key3.db      | Bin 24576 -> 24576 bytes
 test/aux-fixed/exim-ca/example.net/CA/noise.file   | 161 +++++------
 .../example.net/expired1.example.net/ca_chain.pem  |  58 ++--
 .../example.net/expired1.example.net/cert8.db      | Bin 65536 -> 65536 bytes
 .../expired1.example.net.chain.pem                 |  56 ++--
 .../expired1.example.net/expired1.example.net.key  |  32 +--
 .../expired1.example.net.ocsp.dated.resp           | Bin 886 -> 898 bytes
 .../expired1.example.net.ocsp.good.resp            | Bin 886 -> 898 bytes
 .../expired1.example.net.ocsp.req                  | Bin 68 -> 68 bytes
 .../expired1.example.net.ocsp.revoked.resp         | Bin 908 -> 920 bytes
 .../expired1.example.net.ocsp.signer.dated.resp    | Bin 926 -> 938 bytes
 .../expired1.example.net.ocsp.signer.good.resp     | Bin 926 -> 938 bytes
 .../expired1.example.net.ocsp.signer.revoked.resp  | Bin 948 -> 960 bytes
 ...pired1.example.net.ocsp.signernocert.dated.resp | Bin 358 -> 362 bytes
 ...xpired1.example.net.ocsp.signernocert.good.resp | Bin 358 -> 362 bytes
 ...red1.example.net.ocsp.signernocert.revoked.resp | Bin 380 -> 384 bytes
 .../expired1.example.net/expired1.example.net.p12  | Bin 3076 -> 3108 bytes
 .../expired1.example.net/expired1.example.net.pem  |  32 +--
 .../expired1.example.net.unlocked.key              |  26 +-
 .../example.net/expired1.example.net/key3.db       | Bin 16384 -> 16384 bytes
 .../example.net/expired2.example.net/ca_chain.pem  |  58 ++--
 .../example.net/expired2.example.net/cert8.db      | Bin 65536 -> 65536 bytes
 .../expired2.example.net.chain.pem                 |  56 ++--
 .../expired2.example.net/expired2.example.net.key  |  32 +--
 .../expired2.example.net.ocsp.dated.resp           | Bin 887 -> 899 bytes
 .../expired2.example.net.ocsp.good.resp            | Bin 887 -> 899 bytes
 .../expired2.example.net.ocsp.req                  | Bin 69 -> 69 bytes
 .../expired2.example.net.ocsp.revoked.resp         | Bin 887 -> 899 bytes
 .../expired2.example.net.ocsp.signer.dated.resp    | Bin 927 -> 939 bytes
 .../expired2.example.net.ocsp.signer.good.resp     | Bin 927 -> 939 bytes
 .../expired2.example.net.ocsp.signer.revoked.resp  | Bin 927 -> 939 bytes
 ...pired2.example.net.ocsp.signernocert.dated.resp | Bin 359 -> 363 bytes
 ...xpired2.example.net.ocsp.signernocert.good.resp | Bin 359 -> 363 bytes
 ...red2.example.net.ocsp.signernocert.revoked.resp | Bin 359 -> 363 bytes
 .../expired2.example.net/expired2.example.net.p12  | Bin 3076 -> 3108 bytes
 .../expired2.example.net/expired2.example.net.pem  |  32 +--
 .../expired2.example.net.unlocked.key              |  26 +-
 .../example.net/expired2.example.net/key3.db       | Bin 16384 -> 16384 bytes
 .../example.net/revoked1.example.net/ca_chain.pem  |  58 ++--
 .../example.net/revoked1.example.net/cert8.db      | Bin 65536 -> 65536 bytes
 .../example.net/revoked1.example.net/key3.db       | Bin 16384 -> 16384 bytes
 .../revoked1.example.net.chain.pem                 |  56 ++--
 .../revoked1.example.net/revoked1.example.net.key  |  32 +--
 .../revoked1.example.net.ocsp.dated.resp           | Bin 886 -> 898 bytes
 .../revoked1.example.net.ocsp.good.resp            | Bin 886 -> 898 bytes
 .../revoked1.example.net.ocsp.req                  | Bin 68 -> 68 bytes
 .../revoked1.example.net.ocsp.revoked.resp         | Bin 908 -> 920 bytes
 .../revoked1.example.net.ocsp.signer.dated.resp    | Bin 926 -> 938 bytes
 .../revoked1.example.net.ocsp.signer.good.resp     | Bin 926 -> 938 bytes
 .../revoked1.example.net.ocsp.signer.revoked.resp  | Bin 948 -> 960 bytes
 ...voked1.example.net.ocsp.signernocert.dated.resp | Bin 358 -> 362 bytes
 ...evoked1.example.net.ocsp.signernocert.good.resp | Bin 358 -> 362 bytes
 ...ked1.example.net.ocsp.signernocert.revoked.resp | Bin 380 -> 384 bytes
 .../revoked1.example.net/revoked1.example.net.p12  | Bin 3076 -> 3108 bytes
 .../revoked1.example.net/revoked1.example.net.pem  |  32 +--
 .../revoked1.example.net.unlocked.key              |  26 +-
 .../example.net/revoked2.example.net/ca_chain.pem  |  58 ++--
 .../example.net/revoked2.example.net/cert8.db      | Bin 65536 -> 65536 bytes
 .../example.net/revoked2.example.net/key3.db       | Bin 16384 -> 16384 bytes
 .../revoked2.example.net.chain.pem                 |  56 ++--
 .../revoked2.example.net/revoked2.example.net.key  |  32 +--
 .../revoked2.example.net.ocsp.dated.resp           | Bin 887 -> 899 bytes
 .../revoked2.example.net.ocsp.good.resp            | Bin 887 -> 899 bytes
 .../revoked2.example.net.ocsp.req                  | Bin 69 -> 69 bytes
 .../revoked2.example.net.ocsp.revoked.resp         | Bin 887 -> 899 bytes
 .../revoked2.example.net.ocsp.signer.dated.resp    | Bin 927 -> 939 bytes
 .../revoked2.example.net.ocsp.signer.good.resp     | Bin 927 -> 939 bytes
 .../revoked2.example.net.ocsp.signer.revoked.resp  | Bin 927 -> 939 bytes
 ...voked2.example.net.ocsp.signernocert.dated.resp | Bin 359 -> 363 bytes
 ...evoked2.example.net.ocsp.signernocert.good.resp | Bin 359 -> 363 bytes
 ...ked2.example.net.ocsp.signernocert.revoked.resp | Bin 359 -> 363 bytes
 .../revoked2.example.net/revoked2.example.net.p12  | Bin 3076 -> 3108 bytes
 .../revoked2.example.net/revoked2.example.net.pem  |  32 +--
 .../revoked2.example.net.unlocked.key              |  26 +-
 .../example.net/server1.example.net/ca_chain.pem   |  58 ++--
 .../example.net/server1.example.net/cert8.db       | Bin 65536 -> 65536 bytes
 .../example.net/server1.example.net/fullchain.pem  |  94 +++----
 .../example.net/server1.example.net/key3.db        | Bin 16384 -> 16384 bytes
 .../server1.example.net.chain.pem                  |  60 ++--
 .../server1.example.net/server1.example.net.key    |  32 +--
 .../server1.example.net.ocsp.dated.resp            | Bin 886 -> 898 bytes
 .../server1.example.net.ocsp.good.resp             | Bin 886 -> 898 bytes
 .../server1.example.net.ocsp.req                   | Bin 68 -> 68 bytes
 .../server1.example.net.ocsp.revoked.resp          | Bin 908 -> 920 bytes
 .../server1.example.net.ocsp.signer.dated.resp     | Bin 926 -> 938 bytes
 .../server1.example.net.ocsp.signer.good.resp      | Bin 926 -> 938 bytes
 .../server1.example.net.ocsp.signer.revoked.resp   | Bin 948 -> 960 bytes
 ...erver1.example.net.ocsp.signernocert.dated.resp | Bin 358 -> 362 bytes
 ...server1.example.net.ocsp.signernocert.good.resp | Bin 358 -> 362 bytes
 ...ver1.example.net.ocsp.signernocert.revoked.resp | Bin 380 -> 384 bytes
 .../server1.example.net/server1.example.net.p12    | Bin 3154 -> 3186 bytes
 .../server1.example.net/server1.example.net.pem    |  36 +--
 .../server1.example.net.unlocked.key               |  26 +-
 .../example.net/server2.example.net/ca_chain.pem   |  58 ++--
 .../example.net/server2.example.net/cert8.db       | Bin 65536 -> 65536 bytes
 .../example.net/server2.example.net/key3.db        | Bin 16384 -> 16384 bytes
 .../server2.example.net.chain.pem                  |  56 ++--
 .../server2.example.net/server2.example.net.key    |  32 +--
 .../server2.example.net.ocsp.dated.resp            | Bin 887 -> 899 bytes
 .../server2.example.net.ocsp.good.resp             | Bin 887 -> 899 bytes
 .../server2.example.net.ocsp.req                   | Bin 69 -> 69 bytes
 .../server2.example.net.ocsp.revoked.resp          | Bin 887 -> 899 bytes
 .../server2.example.net.ocsp.signer.dated.resp     | Bin 927 -> 939 bytes
 .../server2.example.net.ocsp.signer.good.resp      | Bin 927 -> 939 bytes
 .../server2.example.net.ocsp.signer.revoked.resp   | Bin 927 -> 939 bytes
 ...erver2.example.net.ocsp.signernocert.dated.resp | Bin 359 -> 363 bytes
 ...server2.example.net.ocsp.signernocert.good.resp | Bin 359 -> 363 bytes
 ...ver2.example.net.ocsp.signernocert.revoked.resp | Bin 359 -> 363 bytes
 .../server2.example.net/server2.example.net.p12    | Bin 3066 -> 3106 bytes
 .../server2.example.net/server2.example.net.pem    |  32 +--
 .../server2.example.net.unlocked.key               |  26 +-
 test/aux-fixed/exim-ca/example.org/BLANK/CA.pem    |  22 +-
 .../aux-fixed/exim-ca/example.org/BLANK/Signer.pem |  24 +-
 test/aux-fixed/exim-ca/example.org/BLANK/cert8.db  | Bin 65536 -> 65536 bytes
 test/aux-fixed/exim-ca/example.org/BLANK/key3.db   | Bin 16384 -> 16384 bytes
 test/aux-fixed/exim-ca/example.org/CA/CA.pem       |  22 +-
 test/aux-fixed/exim-ca/example.org/CA/OCSP.key     |  32 +--
 test/aux-fixed/exim-ca/example.org/CA/OCSP.p12     | Bin 2906 -> 2962 bytes
 test/aux-fixed/exim-ca/example.org/CA/OCSP.pem     |  23 +-
 test/aux-fixed/exim-ca/example.org/CA/Signer.key   |  32 +--
 test/aux-fixed/exim-ca/example.org/CA/Signer.p12   | Bin 2300 -> 2340 bytes
 test/aux-fixed/exim-ca/example.org/CA/Signer.pem   |  24 +-
 test/aux-fixed/exim-ca/example.org/CA/ca.conf      |  15 +-
 test/aux-fixed/exim-ca/example.org/CA/cert8.db     | Bin 65536 -> 65536 bytes
 test/aux-fixed/exim-ca/example.org/CA/crl.empty    | Bin 240 -> 244 bytes
 .../exim-ca/example.org/CA/crl.empty.in.txt        |   2 +-
 .../aux-fixed/exim-ca/example.org/CA/crl.empty.pem |  11 +-
 test/aux-fixed/exim-ca/example.org/CA/crl.v2       | Bin 289 -> 293 bytes
 .../aux-fixed/exim-ca/example.org/CA/crl.v2.in.txt |   6 +-
 test/aux-fixed/exim-ca/example.org/CA/crl.v2.pem   |  14 +-
 test/aux-fixed/exim-ca/example.org/CA/key3.db      | Bin 24576 -> 24576 bytes
 test/aux-fixed/exim-ca/example.org/CA/noise.file   | 161 +++++------
 .../example.org/expired1.example.org/ca_chain.pem  |  58 ++--
 .../example.org/expired1.example.org/cert8.db      | Bin 65536 -> 65536 bytes
 .../expired1.example.org.chain.pem                 |  56 ++--
 .../expired1.example.org/expired1.example.org.key  |  32 +--
 .../expired1.example.org.ocsp.dated.resp           | Bin 886 -> 898 bytes
 .../expired1.example.org.ocsp.good.resp            | Bin 886 -> 898 bytes
 .../expired1.example.org.ocsp.req                  | Bin 68 -> 68 bytes
 .../expired1.example.org.ocsp.revoked.resp         | Bin 908 -> 920 bytes
 .../expired1.example.org.ocsp.signer.dated.resp    | Bin 926 -> 938 bytes
 .../expired1.example.org.ocsp.signer.good.resp     | Bin 926 -> 938 bytes
 .../expired1.example.org.ocsp.signer.revoked.resp  | Bin 948 -> 960 bytes
 ...pired1.example.org.ocsp.signernocert.dated.resp | Bin 358 -> 362 bytes
 ...xpired1.example.org.ocsp.signernocert.good.resp | Bin 358 -> 362 bytes
 ...red1.example.org.ocsp.signernocert.revoked.resp | Bin 380 -> 384 bytes
 .../expired1.example.org/expired1.example.org.p12  | Bin 3076 -> 3108 bytes
 .../expired1.example.org/expired1.example.org.pem  |  32 +--
 .../expired1.example.org.unlocked.key              |  26 +-
 .../example.org/expired1.example.org/key3.db       | Bin 16384 -> 16384 bytes
 .../example.org/expired2.example.org/ca_chain.pem  |  58 ++--
 .../example.org/expired2.example.org/cert8.db      | Bin 65536 -> 65536 bytes
 .../expired2.example.org.chain.pem                 |  56 ++--
 .../expired2.example.org/expired2.example.org.key  |  32 +--
 .../expired2.example.org.ocsp.dated.resp           | Bin 887 -> 899 bytes
 .../expired2.example.org.ocsp.good.resp            | Bin 887 -> 899 bytes
 .../expired2.example.org.ocsp.req                  | Bin 69 -> 69 bytes
 .../expired2.example.org.ocsp.revoked.resp         | Bin 887 -> 899 bytes
 .../expired2.example.org.ocsp.signer.dated.resp    | Bin 927 -> 939 bytes
 .../expired2.example.org.ocsp.signer.good.resp     | Bin 927 -> 939 bytes
 .../expired2.example.org.ocsp.signer.revoked.resp  | Bin 927 -> 939 bytes
 ...pired2.example.org.ocsp.signernocert.dated.resp | Bin 359 -> 363 bytes
 ...xpired2.example.org.ocsp.signernocert.good.resp | Bin 359 -> 363 bytes
 ...red2.example.org.ocsp.signernocert.revoked.resp | Bin 359 -> 363 bytes
 .../expired2.example.org/expired2.example.org.p12  | Bin 3076 -> 3108 bytes
 .../expired2.example.org/expired2.example.org.pem  |  32 +--
 .../expired2.example.org.unlocked.key              |  26 +-
 .../example.org/expired2.example.org/key3.db       | Bin 16384 -> 16384 bytes
 .../example.org/revoked1.example.org/ca_chain.pem  |  58 ++--
 .../example.org/revoked1.example.org/cert8.db      | Bin 65536 -> 65536 bytes
 .../example.org/revoked1.example.org/key3.db       | Bin 16384 -> 16384 bytes
 .../revoked1.example.org.chain.pem                 |  56 ++--
 .../revoked1.example.org/revoked1.example.org.key  |  32 +--
 .../revoked1.example.org.ocsp.dated.resp           | Bin 886 -> 898 bytes
 .../revoked1.example.org.ocsp.good.resp            | Bin 886 -> 898 bytes
 .../revoked1.example.org.ocsp.req                  | Bin 68 -> 68 bytes
 .../revoked1.example.org.ocsp.revoked.resp         | Bin 908 -> 920 bytes
 .../revoked1.example.org.ocsp.signer.dated.resp    | Bin 926 -> 938 bytes
 .../revoked1.example.org.ocsp.signer.good.resp     | Bin 926 -> 938 bytes
 .../revoked1.example.org.ocsp.signer.revoked.resp  | Bin 948 -> 960 bytes
 ...voked1.example.org.ocsp.signernocert.dated.resp | Bin 358 -> 362 bytes
 ...evoked1.example.org.ocsp.signernocert.good.resp | Bin 358 -> 362 bytes
 ...ked1.example.org.ocsp.signernocert.revoked.resp | Bin 380 -> 384 bytes
 .../revoked1.example.org/revoked1.example.org.p12  | Bin 3076 -> 3108 bytes
 .../revoked1.example.org/revoked1.example.org.pem  |  32 +--
 .../revoked1.example.org.unlocked.key              |  26 +-
 .../example.org/revoked2.example.org/ca_chain.pem  |  58 ++--
 .../example.org/revoked2.example.org/cert8.db      | Bin 65536 -> 65536 bytes
 .../example.org/revoked2.example.org/key3.db       | Bin 16384 -> 16384 bytes
 .../revoked2.example.org.chain.pem                 |  56 ++--
 .../revoked2.example.org/revoked2.example.org.key  |  32 +--
 .../revoked2.example.org.ocsp.dated.resp           | Bin 887 -> 899 bytes
 .../revoked2.example.org.ocsp.good.resp            | Bin 887 -> 899 bytes
 .../revoked2.example.org.ocsp.req                  | Bin 69 -> 69 bytes
 .../revoked2.example.org.ocsp.revoked.resp         | Bin 887 -> 899 bytes
 .../revoked2.example.org.ocsp.signer.dated.resp    | Bin 927 -> 939 bytes
 .../revoked2.example.org.ocsp.signer.good.resp     | Bin 927 -> 939 bytes
 .../revoked2.example.org.ocsp.signer.revoked.resp  | Bin 927 -> 939 bytes
 ...voked2.example.org.ocsp.signernocert.dated.resp | Bin 359 -> 363 bytes
 ...evoked2.example.org.ocsp.signernocert.good.resp | Bin 359 -> 363 bytes
 ...ked2.example.org.ocsp.signernocert.revoked.resp | Bin 359 -> 363 bytes
 .../revoked2.example.org/revoked2.example.org.p12  | Bin 3076 -> 3108 bytes
 .../revoked2.example.org/revoked2.example.org.pem  |  32 +--
 .../revoked2.example.org.unlocked.key              |  26 +-
 .../example.org/server1.example.org/ca_chain.pem   |  58 ++--
 .../example.org/server1.example.org/cert8.db       | Bin 65536 -> 65536 bytes
 .../example.org/server1.example.org/fullchain.pem  |  94 +++----
 .../example.org/server1.example.org/key3.db        | Bin 16384 -> 16384 bytes
 .../server1.example.org.chain.pem                  |  60 ++--
 .../server1.example.org/server1.example.org.key    |  32 +--
 .../server1.example.org.ocsp.dated.resp            | Bin 886 -> 898 bytes
 .../server1.example.org.ocsp.good.resp             | Bin 886 -> 898 bytes
 .../server1.example.org.ocsp.req                   | Bin 68 -> 68 bytes
 .../server1.example.org.ocsp.revoked.resp          | Bin 908 -> 920 bytes
 .../server1.example.org.ocsp.signer.dated.resp     | Bin 926 -> 938 bytes
 .../server1.example.org.ocsp.signer.good.resp      | Bin 926 -> 938 bytes
 .../server1.example.org.ocsp.signer.revoked.resp   | Bin 948 -> 960 bytes
 ...erver1.example.org.ocsp.signernocert.dated.resp | Bin 358 -> 362 bytes
 ...server1.example.org.ocsp.signernocert.good.resp | Bin 358 -> 362 bytes
 ...ver1.example.org.ocsp.signernocert.revoked.resp | Bin 380 -> 384 bytes
 .../server1.example.org/server1.example.org.p12    | Bin 3154 -> 3186 bytes
 .../server1.example.org/server1.example.org.pem    |  36 +--
 .../server1.example.org.unlocked.key               |  26 +-
 .../example.org/server2.example.org/ca_chain.pem   |  58 ++--
 .../example.org/server2.example.org/cert8.db       | Bin 65536 -> 65536 bytes
 .../example.org/server2.example.org/key3.db        | Bin 16384 -> 16384 bytes
 .../server2.example.org.chain.pem                  |  56 ++--
 .../server2.example.org/server2.example.org.key    |  32 +--
 .../server2.example.org.ocsp.dated.resp            | Bin 887 -> 899 bytes
 .../server2.example.org.ocsp.good.resp             | Bin 887 -> 899 bytes
 .../server2.example.org.ocsp.req                   | Bin 69 -> 69 bytes
 .../server2.example.org.ocsp.revoked.resp          | Bin 887 -> 899 bytes
 .../server2.example.org.ocsp.signer.dated.resp     | Bin 927 -> 939 bytes
 .../server2.example.org.ocsp.signer.good.resp      | Bin 927 -> 939 bytes
 .../server2.example.org.ocsp.signer.revoked.resp   | Bin 927 -> 939 bytes
 ...erver2.example.org.ocsp.signernocert.dated.resp | Bin 359 -> 363 bytes
 ...server2.example.org.ocsp.signernocert.good.resp | Bin 359 -> 363 bytes
 ...ver2.example.org.ocsp.signernocert.revoked.resp | Bin 359 -> 363 bytes
 .../server2.example.org/server2.example.org.p12    | Bin 3066 -> 3106 bytes
 .../server2.example.org/server2.example.org.pem    |  32 +--
 .../server2.example.org.unlocked.key               |  26 +-
 test/aux-fixed/exim-ca/example_ec.com/BLANK/CA.pem |  13 +
 .../exim-ca/example_ec.com/BLANK/Signer.pem        |  14 +
 .../exim-ca/example_ec.com/BLANK/cert8.db          | Bin 0 -> 65536 bytes
 .../aux-fixed/exim-ca/example_ec.com/BLANK/key3.db | Bin 0 -> 16384 bytes
 .../aux-fixed/exim-ca/example_ec.com/BLANK/pwdfile |   1 +
 .../exim-ca/example_ec.com/BLANK/secmod.db         | Bin 0 -> 16384 bytes
 test/aux-fixed/exim-ca/example_ec.com/CA/CA.pem    |  13 +
 test/aux-fixed/exim-ca/example_ec.com/CA/OCSP.pem  |  14 +
 .../aux-fixed/exim-ca/example_ec.com/CA/Signer.pem |  14 +
 test/aux-fixed/exim-ca/example_ec.com/CA/ca.conf   |  18 ++
 test/aux-fixed/exim-ca/example_ec.com/CA/cert8.db  | Bin 0 -> 65536 bytes
 test/aux-fixed/exim-ca/example_ec.com/CA/key3.db   | Bin 0 -> 16384 bytes
 .../aux-fixed/exim-ca/example_ec.com/CA/noise.file | 310 +++++++++++++++++++++
 test/aux-fixed/exim-ca/example_ec.com/CA/pwdfile   |   1 +
 test/aux-fixed/exim-ca/example_ec.com/CA/secmod.db | Bin 0 -> 16384 bytes
 .../server1.example_ec.com/ca_chain.pem            |  35 +++
 .../example_ec.com/server1.example_ec.com/cert8.db | Bin 0 -> 65536 bytes
 .../server1.example_ec.com/fullchain.pem           |  59 ++++
 .../example_ec.com/server1.example_ec.com/key3.db  | Bin 0 -> 16384 bytes
 .../example_ec.com/server1.example_ec.com/pwdfile  |   1 +
 .../server1.example_ec.com/secmod.db               | Bin 0 -> 16384 bytes
 .../server1.example_ec.com.chain.pem               |  38 +++
 .../server1.example_ec.com.key                     |  13 +
 .../server1.example_ec.com.p12                     | Bin 0 -> 2847 bytes
 .../server1.example_ec.com.pem                     |  24 ++
 .../server1.example_ec.com.unlocked.key            |   7 +
 test/aux-fixed/exim-ca/fullchain.pem               |   0
 test/aux-fixed/exim-ca/genall                      | 185 ++++++++----
 test/confs/2002                                    |  21 +-
 test/confs/2102                                    |  30 +-
 test/log/2002                                      |  38 ++-
 test/log/2003                                      |   4 +-
 test/log/2007.FOO                                  |   9 +
 test/log/2008                                      |  14 +-
 test/log/2010                                      |   4 +-
 test/log/2012                                      |  16 +-
 test/log/2013                                      |  24 +-
 test/log/2014                                      |   6 +-
 test/log/2017                                      |   8 +-
 test/log/2018                                      |   2 +-
 test/log/2019                                      |   4 +-
 test/log/2020                                      |   4 +-
 test/log/2025                                      |   4 +-
 test/log/2026                                      |   2 +-
 test/log/2027                                      |   4 +-
 test/log/2030                                      |   4 +-
 test/log/2031                                      |   8 +-
 test/log/2033                                      |   8 +-
 test/log/2035                                      |   4 +-
 test/log/2037                                      |   4 +-
 test/log/2038                                      |  24 +-
 test/log/2090                                      |   4 +-
 test/log/2091                                      |   4 +-
 test/log/2100                                      |   4 +-
 test/log/2102                                      |  40 +--
 test/log/2103                                      |   4 +-
 test/log/2108                                      |  14 +-
 test/log/2110                                      |   4 +-
 test/log/2112                                      |  16 +-
 test/log/2113                                      |  24 +-
 test/log/2114                                      |   6 +-
 test/log/2117                                      |   8 +-
 test/log/2118                                      |   2 +-
 test/log/2119                                      |   4 +-
 test/log/2120                                      |   4 +-
 test/log/2126                                      |   4 +-
 test/log/2127                                      |   4 +-
 test/log/2130                                      |   4 +-
 test/log/2131                                      |   8 +-
 test/log/2132                                      |   6 +-
 test/log/2133                                      |   8 +-
 test/log/2135                                      |   4 +-
 test/log/2137                                      |   4 +-
 test/log/2138                                      |  24 +-
 test/log/2149                                      |   4 +-
 test/log/2190                                      |   4 +-
 test/log/2191                                      |   4 +-
 test/log/3451                                      |   8 +-
 test/log/3452                                      |   8 +-
 test/log/3454                                      |   4 +-
 test/log/3455                                      |   4 +-
 test/log/3461                                      |   8 +-
 test/log/3462                                      |   8 +-
 test/log/3464                                      |   4 +-
 test/log/3465                                      |   4 +-
 test/log/4211                                      |   4 +-
 test/log/4213                                      |   2 +-
 test/log/4214                                      |  10 +-
 test/log/4215                                      |   4 +-
 test/log/4216                                      |  10 +-
 test/log/4221                                      |   4 +-
 test/log/4223                                      |   2 +-
 test/log/4224                                      |  10 +-
 test/log/4225                                      |   4 +-
 test/log/4226                                      |  10 +-
 test/log/5410                                      |   4 +-
 test/log/5420                                      |   4 +-
 test/log/5601                                      |  12 +-
 test/log/5611                                      |  12 +-
 test/log/5651                                      |  12 +-
 test/log/5710                                      |  16 +-
 test/log/5720                                      |  28 +-
 test/log/5730                                      |  16 +-
 test/log/5740                                      |  16 +-
 test/log/5840                                      | 109 ++++----
 test/log/5860                                      |  23 +-
 test/mail/2002.CALLER                              |  38 ++-
 test/mail/2003.userx                               |   4 +-
 test/mail/2008.CALLER                              |   8 +-
 test/mail/2008.abcd                                |   4 +-
 test/mail/2008.xyz                                 |   4 +-
 test/mail/2013.usera                               |   4 +-
 test/mail/2013.userb                               |   4 +-
 test/mail/2013.userc                               |   4 +-
 test/mail/2013.userx                               |   4 +-
 test/mail/2013.usery                               |   4 +-
 test/mail/2013.userz                               |   4 +-
 test/mail/2017.userx                               |   8 +-
 test/mail/2019.userx                               |   8 +-
 test/mail/2027.userx                               |   4 +-
 test/mail/2038.userx0                              |   4 +-
 test/mail/2038.userx1                              |   4 +-
 test/mail/2038.usery0                              |   4 +-
 test/mail/2038.usery1                              |   4 +-
 test/mail/2038.userz0                              |   4 +-
 test/mail/2038.userz1                              |   4 +-
 test/mail/2102.CALLER                              |  25 +-
 test/mail/2103.userx                               |   4 +-
 test/mail/2108.CALLER                              |   8 +-
 test/mail/2108.abcd                                |   4 +-
 test/mail/2108.xyz                                 |   4 +-
 test/mail/2113.usera                               |   4 +-
 test/mail/2113.userb                               |   4 +-
 test/mail/2113.userc                               |   4 +-
 test/mail/2113.userx                               |   4 +-
 test/mail/2113.usery                               |   4 +-
 test/mail/2113.userz                               |   4 +-
 test/mail/2117.userx                               |   8 +-
 test/mail/2119.userx                               |   8 +-
 test/mail/2127.userx                               |   4 +-
 test/mail/2132.CALLER                              |  12 +-
 test/mail/2138.userx0                              |   4 +-
 test/mail/2138.userx1                              |   4 +-
 test/mail/2138.usery0                              |   4 +-
 test/mail/2138.usery1                              |   4 +-
 test/mail/2138.userz0                              |   4 +-
 test/mail/2138.userz1                              |   4 +-
 test/mail/2149.userx                               |   4 +-
 test/mail/3451.userx                               |   8 +-
 test/mail/3452.userx                               |   8 +-
 test/mail/3461.userx                               |   8 +-
 test/mail/3462.userx                               |   8 +-
 test/rejectlog/2003                                |   2 +-
 test/rejectlog/2014                                |   6 +-
 test/rejectlog/2037                                |   6 +-
 test/rejectlog/2103                                |   2 +-
 test/rejectlog/2114                                |   6 +-
 test/rejectlog/2137                                |   6 +-
 test/rejectlog/4214                                |   2 +-
 test/rejectlog/4216                                |   2 +-
 test/rejectlog/4224                                |   2 +-
 test/rejectlog/4226                                |   2 +-
 test/runtest                                       |   4 +-
 test/scripts/2000-GnuTLS/2002                      |  58 ++++
 test/scripts/2100-OpenSSL/2102                     |  30 ++
 test/src/client.c                                  |  37 ++-
 test/stderr/2008                                   |   8 +-
 test/stderr/2013                                   |  12 +-
 test/stderr/2035                                   |   2 +-
 test/stderr/2108                                   |   8 +-
 test/stderr/2113                                   |  12 +-
 test/stderr/2135                                   |   2 +-
 test/stderr/5410                                   |   2 +-
 test/stderr/5420                                   |   2 +-
 test/stdout/2002                                   |  78 ++++++
 test/stdout/2003                                   |   2 +-
 test/stdout/2102                                   |  46 ++-
 test/stdout/2103                                   |   6 +-
 test/stdout/2105                                   |   2 +-
 test/stdout/2106                                   |   2 +-
 test/stdout/2114                                   |  10 +-
 test/stdout/2118                                   |   2 +-
 test/stdout/2119                                   |   4 +-
 test/stdout/2122                                   |   2 +-
 test/stdout/2128                                   |   4 +-
 test/stdout/2132                                   |   6 +-
 test/stdout/2150                                   |   2 +-
 test/stdout/2190                                   |   4 +-
 test/stdout/3450                                   |   2 +-
 test/stdout/3454                                   |   4 +-
 test/stdout/3460                                   |   2 +-
 test/stdout/3463                                   |   4 +-
 test/stdout/3464                                   |   4 +-
 test/stdout/5600                                   |   8 +-
 test/stdout/5610                                   |   8 +-
 604 files changed, 4459 insertions(+), 3275 deletions(-)
 delete mode 120000 test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/08c48a5f.0
 delete mode 120000 test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/61e813e6.0
 create mode 120000 test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/9ec80de3.0
 create mode 120000 test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/d89e5358.0
 create mode 100644 test/aux-fixed/exim-ca/example.com/server1_ec.example.com/ca_chain.pem
 create mode 100644 test/aux-fixed/exim-ca/example.com/server1_ec.example.com/cert8.db
 create mode 100644 test/aux-fixed/exim-ca/example.com/server1_ec.example.com/key3.db
 create mode 100644 test/aux-fixed/exim-ca/example.com/server1_ec.example.com/pwdfile
 create mode 100644 test/aux-fixed/exim-ca/example.com/server1_ec.example.com/secmod.db
 create mode 100644 test/aux-fixed/exim-ca/example.com/server1_ec.example.com/server1_ec.example.com.chain.pem
 create mode 100644 test/aux-fixed/exim-ca/example.com/server1_ec.example.com/server1_ec.example.com.key
 create mode 100644 test/aux-fixed/exim-ca/example.com/server1_ec.example.com/server1_ec.example.com.p12
 create mode 100644 test/aux-fixed/exim-ca/example.com/server1_ec.example.com/server1_ec.example.com.pem
 create mode 100644 test/aux-fixed/exim-ca/example.com/server1_ec.example.com/server1_ec.example.com.unlocked.key
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/BLANK/CA.pem
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/BLANK/Signer.pem
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/BLANK/cert8.db
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/BLANK/key3.db
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/BLANK/pwdfile
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/BLANK/secmod.db
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/CA/CA.pem
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/CA/OCSP.pem
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/CA/Signer.pem
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/CA/ca.conf
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/CA/cert8.db
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/CA/key3.db
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/CA/noise.file
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/CA/pwdfile
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/CA/secmod.db
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/ca_chain.pem
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/cert8.db
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/fullchain.pem
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/key3.db
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/pwdfile
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/secmod.db
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.chain.pem
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.key
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.p12
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.pem
 create mode 100644 test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.unlocked.key
 delete mode 100644 test/aux-fixed/exim-ca/fullchain.pem
 create mode 100644 test/log/2007.FOO

(limited to 'src')

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 546a944b6..7a0841cb2 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -12906,6 +12906,11 @@ It is only useful as the argument of a
 &%certextract%& expansion item, &%md5%&, &%sha1%& or &%sha256%& operator,
 or a &%def%& condition.
 
+.new
+&*Note*&: Under current versions of OpenSSL, when a list of more than one
+file is used for &%tls_certificate%&, this variable is not reliable.
+.wen
+
 .vitem &$tls_in_peercert$&
 .vindex "&$tls_in_peercert$&"
 This variable refers to the certificate presented by the peer of an
@@ -17107,11 +17112,15 @@ using the &%tls_certificate%& option.  If TLS support for incoming connections
 is not required the &%tls_advertise_hosts%& option should be set empty.
 
 
-.option tls_certificate main string&!! unset
+.option tls_certificate main string list&!! unset
 .cindex "TLS" "server certificate; location of"
 .cindex "certificate" "server, location of"
-The value of this option is expanded, and must then be the absolute path to a
-file which contains the server's certificates. The server's private key is also
+.new
+The value of this option is expanded, and must then be a list of absolute paths to
+files which contains the server's certificates.  Commonly only one file is
+needed.
+.wen
+The server's private key is also
 assumed to be in this file if &%tls_privatekey%& is unset. See chapter
 &<<CHAPTLS>>& for further details.
 
@@ -17120,6 +17129,11 @@ receiving incoming messages as a server. If you want to supply certificates for
 use when sending messages as a client, you must set the &%tls_certificate%&
 option in the relevant &(smtp)& transport.
 
+.new
+&*Note*&: Under current versions of OpenSSL, when a list of more than one
+file is used, the &$tls_in_ourcert$& veriable is unreliable.
+.wen
+
 If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then
 if the OpenSSL build supports TLS extensions and the TLS client sends the
 Server Name Indication extension, then this option and others documented in
@@ -17270,10 +17284,13 @@ further details, see section &<<SECTsupobssmt>>&.
 
 
 
-.option tls_privatekey main string&!! unset
+.option tls_privatekey main string list&!! unset
 .cindex "TLS" "server private key; location of"
-The value of this option is expanded, and must then be the absolute path to a
-file which contains the server's private key. If this option is unset, or if
+.new
+The value of this option is expanded, and must then be a list of absolute paths to
+files which contains the server's private keys.
+.wen
+If this option is unset, or if
 the expansion is forced to fail, or the result is an empty string, the private
 key is assumed to be in the same file as the server's certificates. See chapter
 &<<CHAPTLS>>& for further details.
@@ -27115,6 +27132,11 @@ When using OpenSSL, this option is ignored.
 (If an API is found to let OpenSSL be configured in this way,
 let the Exim Maintainers know and we'll likely use it).
 .next
+.new
+With GnuTLS, if an explicit list is used for the &%tls_privatekey%& main option
+main option, it must be ordered to match the %&tls_certificate%& list.
+.wen
+.next
 Some other recently added features may only be available in one or the other.
 This should be documented with the feature.  If the documentation does not
 explicitly state that the feature is infeasible in the other TLS
@@ -27270,6 +27292,12 @@ tls_require_ciphers = ${if =={$received_port}{25}\
                            {HIGH:!MD5:!SHA1}}
 .endd
 
+.new
+This example will prefer ECDSA-authenticated ciphers over RSA ones:
+.code
+tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
+.endd
+.wen
 
 
 .section "Requiring specific ciphers or other parameters in GnuTLS" &&&
@@ -27358,8 +27386,7 @@ from someone able to intercept the communication.
 
 Further protection requires some further configuration at the server end.
 
-It is rumoured that all existing clients that support TLS/SSL use RSA
-encryption. To make this work you need to set, in the server,
+To make TLS work you need to set, in the server,
 .code
 tls_certificate = /some/file/name
 tls_privatekey = /some/file/name
@@ -27378,6 +27405,15 @@ is assumed to be the case. The certificate file may also contain intermediate
 certificates that need to be sent to the client to enable it to authenticate
 the server's certificate.
 
+.new
+For dual-stack (eg. RSA and ECDSA) configurations, these options can be
+colon-separated lists of file paths.  Ciphers using given authentication
+algorithms require the presence of a suitable certificate to supply the
+public-key.  The server selects among the certificates to present to the
+client depending on the selected cipher, hence the priority ordering for
+ciphers will affect which certificate is used.
+.wen
+
 If you do not understand about certificates and keys, please try to find a
 source of this background information, which is not Exim-specific. (There are a
 few comments below in section &<<SECTcerandall>>&.)
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index e77095c8d..7e6971dde 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -65,6 +65,8 @@ Version 4.90
 16. The "-be" expansion test mode now supports macros.  Macros are expanded
     in test lines, and new macros can be defined.
 
+17. Support for server-side dual-certificate-stacks (eg. RSA + ECDSA).
+
 
 Version 4.89
 ------------
diff --git a/src/src/configure.default b/src/src/configure.default
index a294dc3e6..b828ca20a 100644
--- a/src/src/configure.default
+++ b/src/src/configure.default
@@ -153,6 +153,9 @@ acl_smtp_data = acl_check_data
 # tls_certificate = /etc/ssl/exim.crt
 # tls_privatekey = /etc/ssl/exim.pem
 
+# For OpenSSL, prefer EC- over RSA-authenticated ciphers
+# tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAILT
+
 # In order to support roaming users who wish to send email from anywhere,
 # you may want to make Exim listen on other ports as well as port 25, in
 # case these users need to send email from a network that blocks port 25.
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 43094f30d..898e37cd6 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -804,6 +804,18 @@ err:
 
 
 
+static int
+tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
+  uschar * certfile, uschar * keyfile, uschar ** errstr)
+{
+int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
+    CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
+exim_gnutls_err_check(
+    string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile));
+return OK;
+}
+
+
 /*************************************************
 *       Variables re-expanded post-SNI           *
 *************************************************/
@@ -824,7 +836,7 @@ Returns:          OK/DEFER/FAIL
 */
 
 static int
-tls_expand_session_files(exim_gnutls_state_st *state, uschar ** errstr)
+tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
 {
 struct stat statbuf;
 int rc;
@@ -839,11 +851,11 @@ int cert_count;
 if (!host)	/* server */
   if (!state->received_sni)
     {
-    if (state->tls_certificate &&
-        (Ustrstr(state->tls_certificate, US"tls_sni") ||
-         Ustrstr(state->tls_certificate, US"tls_in_sni") ||
-         Ustrstr(state->tls_certificate, US"tls_out_sni")
-       ))
+    if (  state->tls_certificate
+       && (  Ustrstr(state->tls_certificate, US"tls_sni")
+	  || Ustrstr(state->tls_certificate, US"tls_in_sni")
+	  || Ustrstr(state->tls_certificate, US"tls_out_sni")
+       )  )
       {
       DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
       state->trigger_sni_changes = TRUE;
@@ -910,13 +922,29 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate)
       DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
       }
 
-  rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
-      CS state->exp_tls_certificate, CS state->exp_tls_privatekey,
-      GNUTLS_X509_FMT_PEM);
-  exim_gnutls_err_check(
-      string_sprintf("cert/key setup: cert=%s key=%s",
-        state->exp_tls_certificate, state->exp_tls_privatekey));
-  DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
+  if (!host)	/* server */
+    {
+    const uschar * clist = state->exp_tls_certificate;
+    const uschar * klist = state->exp_tls_privatekey;
+    int csep = 0, ksep = 0;
+    uschar * cfile, * kfile;
+
+    while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
+      if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
+	return tls_error(US"cert/key setup: out of keys", NULL, host, errstr);
+      else if ((rc = tls_add_certfile(state, host, cfile, kfile, errstr)))
+	return rc;
+      else
+	DEBUG(D_tls) debug_printf("TLS: cert/key %s registered\n", cfile);
+    }
+  else
+    {
+    if ((rc = tls_add_certfile(state, host,
+		state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
+      return rc;
+    DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
+    }
+
   } /* tls_certificate */
 
 
@@ -1276,7 +1304,7 @@ if (host)
   }
 else if (state->tls_sni)
   DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
-      "have an SNI set for a client [%s]\n", state->tls_sni);
+      "have an SNI set for a server [%s]\n", state->tls_sni);
 
 /* This is the priority string support,
 http://www.gnutls.org/manual/html_node/Priority-Strings.html
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 58401e932..f1176a63e 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1024,6 +1024,30 @@ err:
 
 
 
+static int
+tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
+  uschar ** errstr)
+{
+DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
+if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
+  return tls_error(string_sprintf(
+    "SSL_CTX_use_certificate_chain_file file=%s", file),
+      cbinfo->host, NULL, errstr);
+return 0;
+}
+
+static int
+tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
+  uschar ** errstr)
+{
+DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
+if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
+  return tls_error(string_sprintf(
+    "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
+return 0;
+}
+
+
 /*************************************************
 *        Expand key and cert file specs          *
 *************************************************/
@@ -1048,7 +1072,7 @@ uschar *expanded;
 
 if (!cbinfo->certificate)
   {
-  if (cbinfo->host)			/* client */
+  if (!cbinfo->is_server)		/* client */
     return OK;
   					/* server */
   if (tls_install_selfsign(sctx, errstr) != OK)
@@ -1056,6 +1080,8 @@ if (!cbinfo->certificate)
   }
 else
   {
+  int err;
+
   if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
       Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
       Ustrstr(cbinfo->certificate, US"tls_out_sni")
@@ -1065,14 +1091,20 @@ else
   if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
     return DEFER;
 
-  if (expanded != NULL)
-    {
-    DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
-    if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
-      return tls_error(string_sprintf(
-	"SSL_CTX_use_certificate_chain_file file=%s", expanded),
-	  cbinfo->host, NULL, errstr);
-    }
+  if (expanded)
+    if (cbinfo->is_server)
+      {
+      const uschar * file_list = expanded;
+      int sep = 0;
+      uschar * file;
+
+      while (file = string_nextinlist(&file_list, &sep, NULL, 0))
+	if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
+	  return err;
+      }
+    else	/* would there ever be a need for multiple client certs? */
+      if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
+	return err;
 
   if (cbinfo->privatekey != NULL &&
       !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
@@ -1083,12 +1115,19 @@ else
   key is in the same file as the certificate. */
 
   if (expanded && *expanded)
-    {
-    DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
-    if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
-      return tls_error(string_sprintf(
-	"SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL, errstr);
-    }
+    if (cbinfo->is_server)
+      {
+      const uschar * file_list = expanded;
+      int sep = 0;
+      uschar * file;
+
+      while (file = string_nextinlist(&file_list, &sep, NULL, 0))
+	if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
+	  return err;
+      }
+    else	/* would there ever be a need for multiple client certs? */
+      if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
+	return err;
   }
 
 #ifndef DISABLE_OCSP
diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/CA.pem b/test/aux-fixed/exim-ca/example.com/BLANK/CA.pem
index e54eb9ac1..8695b3696 100644
--- a/test/aux-fixed/exim-ca/example.com/BLANK/CA.pem
+++ b/test/aux-fixed/exim-ca/example.com/BLANK/CA.pem
@@ -1,13 +1,13 @@
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJmw215lURHtIlsmndGX
-4rn6AyPcReCzRClw8icPv5GzxDnXxqbjK8Ghvkil8RAV8mAkDXDzDi8J5NIsMKwk
-EF8LaGfnbhaeRkvfDXN4YGrGclMMCVN4zk810pDrfrz3KCGpokOKoaWUsRTTdftk
-xyfw2Ui1nPNfg9fO/cfAyr9FAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBABrTmR8+gtECLU7zsbrs
-RKIeE9YSXxsqzv3DPpUj9VN7l05ERe3db7/TNePBLH0KwpjWljuPDUhKWC5jQvkf
-gBEr0CKALQGWU0sQJDNhR3SDsPUGU0BFUQT7g1B94Dmp72ivHLjMrtxnLrOT32Uh
-iaEG3X51ApoqRRyXcSJZBcYN
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2N3YjbHA
+BEKAiUHwJ0VMAAe/KMOM8slXOAKni4v7Vf6BzbO5B6uaKhDV2n3V0vXwMdAoeBaq
+3s9CHOjDXwjF1qf/p4w3Z2aUIVt/Mb+uEcPUlq0Nr8OLlH11QKbkvFtLxU3sUAoi
+fcaydi1q3tszjPQ0tKlLo6kOzcgi8d47WccCAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAAzD/Zszo
+X4ieSQQxDOH53VkiAJDs32qso9YzGbQaenuRnVFCuo7rt68cjMcOjzf18/I+iMeH
+nEcdqkfoYB4Z3LXvDaRGZhg/ZOv58muzRnsW2oQI9yFqDwD0FZPtM6Vq0AWXjLuq
+IogOI5fShSo7H5hc3vrkvS7KUhzuv3FKnaQ=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/Signer.pem b/test/aux-fixed/exim-ca/example.com/BLANK/Signer.pem
index 7c7305548..46a83eb29 100644
--- a/test/aux-fixed/exim-ca/example.com/BLANK/Signer.pem
+++ b/test/aux-fixed/exim-ca/example.com/BLANK/Signer.pem
@@ -1,14 +1,14 @@
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC2Ph5
-2UMdD8CAW6mAoSUKgQbCEps6VYPBqa031JzDBzpHD8cmIJfRlmPg9V8K2LXP8VVe
-eG7LW2RBVlSx9082EZNC545NFKDg4Xu01jYP8BrNcJzzu8ip8osiqAzo993AZXoW
-eGZKJ7hYA1M5RCMkSIBhFxwoObjG9Bt1LQ/keQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-JV9x4BGPTibmtXmXJOR0tETUR4RKc+Cis07H55mGDweIWtDT0dmlisLFyFK/rNdO
-zSeOIw2xchD86uNckYZd28OMEoSDI/lVhIxlEXaWvrf+BiaFX3AaPB3oivAp5aF4
-iy9WlTtH1uoE7iNueRd+beg5BgpgV0hyZAnoePQojH0=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANlcwo5q84SEtVy5W/xqbYAzOiYUZ0Shp9+ry/Q/X5uhrDF9JSHNWJbXut+8
+ZJGICt0RYVIJCcaa7FUt5hTKEx4fgURr+Hz84ZgwesMxcECHJPq9ylrCqbPkbmFR
+1XUy2MvioMH2lyc/PbV62XXggJhHioStVLRfyVlkS1KvvR+HAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQBtPJwqu7DiDmFZd58L4xQ6JJhrJzJUDHmT7ikW2tOM58yisCgSnzrR
+xihW+49vUQ9lSGxBHaFwdehAuGTXydnf7/i9i6KA2RZ+Rq12FJFYOhjaIP7Sy1zq
+VXtb+P1eDBQQhz0WgysLVjgGdBiokRv86yY56ficoTQ6EyWzQLCU+A==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/cert8.db b/test/aux-fixed/exim-ca/example.com/BLANK/cert8.db
index 327af2a8a..5fc8c5baf 100644
Binary files a/test/aux-fixed/exim-ca/example.com/BLANK/cert8.db and b/test/aux-fixed/exim-ca/example.com/BLANK/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/key3.db b/test/aux-fixed/exim-ca/example.com/BLANK/key3.db
index f081060f9..7c95320c9 100644
Binary files a/test/aux-fixed/exim-ca/example.com/BLANK/key3.db and b/test/aux-fixed/exim-ca/example.com/BLANK/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/CA/CA.pem b/test/aux-fixed/exim-ca/example.com/CA/CA.pem
index e54eb9ac1..8695b3696 100644
--- a/test/aux-fixed/exim-ca/example.com/CA/CA.pem
+++ b/test/aux-fixed/exim-ca/example.com/CA/CA.pem
@@ -1,13 +1,13 @@
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJmw215lURHtIlsmndGX
-4rn6AyPcReCzRClw8icPv5GzxDnXxqbjK8Ghvkil8RAV8mAkDXDzDi8J5NIsMKwk
-EF8LaGfnbhaeRkvfDXN4YGrGclMMCVN4zk810pDrfrz3KCGpokOKoaWUsRTTdftk
-xyfw2Ui1nPNfg9fO/cfAyr9FAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBABrTmR8+gtECLU7zsbrs
-RKIeE9YSXxsqzv3DPpUj9VN7l05ERe3db7/TNePBLH0KwpjWljuPDUhKWC5jQvkf
-gBEr0CKALQGWU0sQJDNhR3SDsPUGU0BFUQT7g1B94Dmp72ivHLjMrtxnLrOT32Uh
-iaEG3X51ApoqRRyXcSJZBcYN
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2N3YjbHA
+BEKAiUHwJ0VMAAe/KMOM8slXOAKni4v7Vf6BzbO5B6uaKhDV2n3V0vXwMdAoeBaq
+3s9CHOjDXwjF1qf/p4w3Z2aUIVt/Mb+uEcPUlq0Nr8OLlH11QKbkvFtLxU3sUAoi
+fcaydi1q3tszjPQ0tKlLo6kOzcgi8d47WccCAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAAzD/Zszo
+X4ieSQQxDOH53VkiAJDs32qso9YzGbQaenuRnVFCuo7rt68cjMcOjzf18/I+iMeH
+nEcdqkfoYB4Z3LXvDaRGZhg/ZOv58muzRnsW2oQI9yFqDwD0FZPtM6Vq0AWXjLuq
+IogOI5fShSo7H5hc3vrkvS7KUhzuv3FKnaQ=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/CA/OCSP.key b/test/aux-fixed/exim-ca/example.com/CA/OCSP.key
index dd521595b..bc3ac3dd6 100644
--- a/test/aux-fixed/exim-ca/example.com/CA/OCSP.key
+++ b/test/aux-fixed/exim-ca/example.com/CA/OCSP.key
@@ -1,20 +1,20 @@
 Bag Attributes
-    friendlyName: OCSP Signer
-    localKeyID: 71 A9 2F 71 11 ED 33 7A 5A AC BD 8A E8 31 B5 F4 00 1A 96 7B 
+    friendlyName: OCSP Signer rsa
+    localKeyID: DF 7B 92 8A 30 65 84 F5 1F 40 C2 E3 04 B8 D5 94 4B 27 A3 0A 
 Key Attributes: <No Attributes>
 -----BEGIN PRIVATE KEY-----
-MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMWL5GdlufxkZH6j
-c2yV5cjRyUotDklCAjNi0lHUqcIddHDE3JYoOY+awfoK8p0uIbBuLYucYKoPJT9p
-k7Q5S3dGjMR83AMig36vaLqkUoDHGH1WVcwYzyFYyNn6xsV7lPqD+gdb3NdmhrPN
-XOUwZPVs47fprqRGqTuuqthmr3inAgMBAAECgYAFRZ951vAouTEpZAlPi4yPWHHr
-xdoMwHM4ldmRD4DcSlbyL37HjxlCKNomZyZkZXfGspoKkMjPoQnYcGPdum22HC2V
-kfiiVbT9+1JHfEQ52MJPf5DC38KSiJXigOwljN580baDNEcFuyqQY/+zv7iH1AeM
-kRXeUs8k4+SI4DNSGQJBAOT9gNbe/GfBUQHPWkB4RGYFcwJSZrRyBCKqYK6W38Fs
-Ii/8OKZ/WRxzEQQ5+AA9PR9EWXFVMq7wU9Zn1Ufzdj0CQQDc2OzFIpkyAG5T1iXo
-ptf41hzva2Z8mH9BeYCk8ChSq76vIYig1x//+Hndwsx8X2gCxcbijMJvjHQPrG6Y
-C7yzAkEApgt0e1qiKBIzzV4wEYOkBV56MPrTYpEyknh9NtxMUBM7DxSTd5fsZAbE
-Fg562KGPSrbjLJ0c7WFzSYttSokt+QJBAIcxiCfZ2TwhxWgvBP/Z+wYKVKY/8fo+
-BFDZh2Xw2k5Zcp6VAaWsa5tvyXJ2yGUupmZkGi8fifttWLMrlHwhWz8CQQDWKBtW
-NRAwS7yq8DNFEJs4zP8P4U3/7iQnlX1VPzU517m3x++VSwWcMSSy7pF3toXZJRF+
-eF94ASUz85rI54FT
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANfwT5lSrhpXixJb
+YhRazEgMSNNfUrJ5y1Qyh24hGpwyV6njExis/lSzce77xW/f+g1M9DKa9c971B5+
+bpSoH+b3psJEHQ2lx8I3tBnQMzjAaIJknLNoEyE47gqAT7KmLINS1hIFVgMObg8q
+LvXO1NN4pUKUPNaVb8bMe3hTSWl/AgMBAAECgYALabxN879CTX81ugETPKtQYYnV
+1ijGSHFVOBMitdA0vOUXlGoKzgCRPydrRKuuRThvodzER0ltAnP3JU04lobnssl9
+5hCLEA3YFJ+Xu1Rp3ZijJkUaPpBMxxvojceW/jn9SZYj76AiOVHcToLqmWcQylk7
+pQ9aC+tML8/WWO4I0QJBAP7no1XNczYeygGlVJUlwj+vJhGfkEBflDjcxZsQjzft
+wpoZcFxxmTMZPoesQPxiiLQioLR0sYkPpqXqDpB1K/ECQQDY3dC1flCrlJxV3JYV
+gneZL9oFfdHlFWovR61Mm03qdW4pkqag934WAcJhW5baoCYtisZcwhBu2u0C9KIb
+fRxvAkEAqst6XZtzfufSYpfsvKK4LQOmdlh7xyZDonYK0YOe8tKUebxh1Q8on1xi
+0XVRdcpv3oL1OvSVoEikWLcjWxengQJBAK4QS8aA3kr5ewnHhYc6Mrh3meyyclgG
++jV8uHI2bTF0k7k2hhvIyiDrxJLUKp7L0BjZvCETepEfkwC+Tab2om0CQHSaLUT8
+TtGDEOIJ+6jWoGOGaHXy2HOPPAP6BKmQ4zndbPM5DXo7DXOZF9Wv2JhCqvtCVXi/
+uTasfeGJOuOrp9U=
 -----END PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/CA/OCSP.p12 b/test/aux-fixed/exim-ca/example.com/CA/OCSP.p12
index d51806d3e..877a0865b 100644
Binary files a/test/aux-fixed/exim-ca/example.com/CA/OCSP.p12 and b/test/aux-fixed/exim-ca/example.com/CA/OCSP.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/CA/OCSP.pem b/test/aux-fixed/exim-ca/example.com/CA/OCSP.pem
index 6ca582bf4..4374c4892 100644
--- a/test/aux-fixed/exim-ca/example.com/CA/OCSP.pem
+++ b/test/aux-fixed/exim-ca/example.com/CA/OCSP.pem
@@ -1,13 +1,14 @@
 -----BEGIN CERTIFICATE-----
-MIICBTCCAW6gAwIBAgIBAzANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMVoXDTM4MDEwMTEyMzQwMVowMjEUMBIGA1UEChMLZXhhbXBsZS5jb20xGjAY
-BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
-iQKBgQDFi+RnZbn8ZGR+o3NsleXI0clKLQ5JQgIzYtJR1KnCHXRwxNyWKDmPmsH6
-CvKdLiGwbi2LnGCqDyU/aZO0OUt3RozEfNwDIoN+r2i6pFKAxxh9VlXMGM8hWMjZ
-+sbFe5T6g/oHW9zXZoazzVzlMGT1bOO36a6kRqk7rqrYZq94pwIDAQABoyowKDAO
-BgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcN
-AQELBQADgYEAVv4Md0Knp0gutMKCvPTb78cQbCrYJCZY/rD5bFrLdjb04/Vp6wxZ
-Zml5UeYlXDrlaAZ9pvv2JItNrkJdDgy4dfXnHYkEyf0VRXchy/ORnzOCIiq83lim
-Zng6m70reCwFJar9yaofPk7eMOOl2BoNJIMalmZH3Sn0PW+zLa98qi8=
+MIICDTCCAXagAwIBAgIBAzANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDFaFw0zODAxMDExMjM0MDFaMDYxFDASBgNVBAoTC2V4YW1wbGUuY29t
+MR4wHAYDVQQDExVjbGljYSBPQ1NQIFNpZ25lciByc2EwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBANfwT5lSrhpXixJbYhRazEgMSNNfUrJ5y1Qyh24hGpwyV6nj
+Exis/lSzce77xW/f+g1M9DKa9c971B5+bpSoH+b3psJEHQ2lx8I3tBnQMzjAaIJk
+nLNoEyE47gqAT7KmLINS1hIFVgMObg8qLvXO1NN4pUKUPNaVb8bMe3hTSWl/AgMB
+AAGjKjAoMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCTAN
+BgkqhkiG9w0BAQsFAAOBgQCJjBL0Q8ZmS1u+Ch1GQYctaj6ob+3qtYHYURCmXnZB
+dQIL9BIsZ8bPRjs1i7Og1EfsWp7INs2qTsThPa4OWFYLrI55AvI/9ztwjf5i2BKJ
+aS8yVTmxSb+K/6wUOo4frpHtq/xogNSVhuD0b99xk76cSEganrtEE6dClZMJu9o8
+Qg==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/CA/Signer.key b/test/aux-fixed/exim-ca/example.com/CA/Signer.key
index e70b1ff3b..76b414e25 100644
--- a/test/aux-fixed/exim-ca/example.com/CA/Signer.key
+++ b/test/aux-fixed/exim-ca/example.com/CA/Signer.key
@@ -1,20 +1,20 @@
 Bag Attributes
-    friendlyName: Signing Cert
-    localKeyID: 9E 3C E0 62 B3 A1 22 50 86 25 CD A7 F5 F1 59 CD A0 DC FE 07 
+    friendlyName: Signing Cert rsa
+    localKeyID: 99 41 8D A8 6D 6D BA 5B D5 FF CE 4A 2F 1F CE A0 88 4C 77 87 
 Key Attributes: <No Attributes>
 -----BEGIN PRIVATE KEY-----
-MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMLY+HnZQx0PwIBb
-qYChJQqBBsISmzpVg8GprTfUnMMHOkcPxyYgl9GWY+D1XwrYtc/xVV54bstbZEFW
-VLH3TzYRk0Lnjk0UoODhe7TWNg/wGs1wnPO7yKnyiyKoDOj33cBlehZ4ZkonuFgD
-UzlEIyRIgGEXHCg5uMb0G3UtD+R5AgMBAAECgYABeqTaab8XyIOBnMprpC2DY0rN
-nV1UOGa/RhCFR1IesowxgGbQjCvo9HelOTjAoVBWxCbTznwEibdWn31MsezSOFKs
-vIiXfyFJUhONnt88Yx4YmSfoRLNjSUsjXyxc5qnnk1zEXyrg8Ek2HzBmxEY1nuGA
-JTAF6q8c6y15PL4pdQJBAOaBfap41wGg2RjKRHgcop0xcLIw4+GIJM4FLw6H5LyB
-MuqiGi93otTgCWgNS1diV1D9PEjvxxXA5TJgx/u5m30CQQDYZdsvYF3qXI1wPLXk
-uATJDFEHpk3doHEXPoErvkGrEke9HC6spSkMk2yxj1Rdkd/U1PF4dqJi35BaDYgi
-p+WtAkB5D8FkaxrhLA1ZS8IyIzf0vyalL7A/nzVVTrusMgscRe7r9D80duz6SMAn
-+fN77ZZWXunulKBG+IxnrRTbTFwxAkEArRVTKmK225RpoMM+bZFuamyKh0bScxk4
-O3JIGPfVSIKXlL/s6TQ1UBS+1Iqi3TCnSnGELmkdW14b9JtsLuQCBQJBAOH9NRNW
-rCQRCy+zlEo1c5Aukm+q2JHkuZwyVbBx7EEqX9RXwQ74OMVUUfqk7XhspY3SOg5i
-+BfrMwWtyFCfgmg=
+MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBANlcwo5q84SEtVy5
+W/xqbYAzOiYUZ0Shp9+ry/Q/X5uhrDF9JSHNWJbXut+8ZJGICt0RYVIJCcaa7FUt
+5hTKEx4fgURr+Hz84ZgwesMxcECHJPq9ylrCqbPkbmFR1XUy2MvioMH2lyc/PbV6
+2XXggJhHioStVLRfyVlkS1KvvR+HAgMBAAECgYA8HZ0LgYXvMTrttbA8q/yz97cN
+4Be9kg4ZXOzQFRTuuLSkjU2PPzlQosKi7XpNC7ihcpSdeTV0cdWKK2MWfdryN4V4
+6PazAXU1scw8IaL1nsLY3B22cyc0I3FAN7KD/DitqHfGvIBxVHBVnY7nCnG5jtkA
+M6YlVsktAhv2PwAiWQJBAP2xKizmPHb5ivcxwBB0CyH5Za3WghPE9EIN4HyBw2m+
+ph3g66KY1DjN/bZWunB4f9DjVOGBQBcSmETjqwPJcv8CQQDbVvw7+9S+FnIuIrA9
+Bs/XovnFsFdN8itIjv1DpruDctUOa3WFHtGBRn816PVeS6ZAMri5TDvPqoThgD1I
++zt5AkBtSwgKc94Uu4kc2bgO3o91QYaGj+VWMwGv+159BUJ0qgfS03VwhTrYhhYJ
+me+USLV3/pgw1ogP6JjlBNhGN2FtAkBhuTSySPY1Ju0CTyQ0XGeXzJ36DSIosT/F
+mSePz6Z132C7hvcaM2vmbBFbZIqF07Cjo7WXoTZ4xKFlkuw7KuwJAkA1aQipz4g5
+7bRW+8/h0+k9ZlYZlJyaQlIA2lMLJLVu3WPd9e3+8AxIS49I1iJKEDlGwtigPt4x
+uJx/V9ryk+xn
 -----END PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/CA/Signer.p12 b/test/aux-fixed/exim-ca/example.com/CA/Signer.p12
index 6d58d5e8c..2d30fe16a 100644
Binary files a/test/aux-fixed/exim-ca/example.com/CA/Signer.p12 and b/test/aux-fixed/exim-ca/example.com/CA/Signer.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/CA/Signer.pem b/test/aux-fixed/exim-ca/example.com/CA/Signer.pem
index 7c7305548..46a83eb29 100644
--- a/test/aux-fixed/exim-ca/example.com/CA/Signer.pem
+++ b/test/aux-fixed/exim-ca/example.com/CA/Signer.pem
@@ -1,14 +1,14 @@
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC2Ph5
-2UMdD8CAW6mAoSUKgQbCEps6VYPBqa031JzDBzpHD8cmIJfRlmPg9V8K2LXP8VVe
-eG7LW2RBVlSx9082EZNC545NFKDg4Xu01jYP8BrNcJzzu8ip8osiqAzo993AZXoW
-eGZKJ7hYA1M5RCMkSIBhFxwoObjG9Bt1LQ/keQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-JV9x4BGPTibmtXmXJOR0tETUR4RKc+Cis07H55mGDweIWtDT0dmlisLFyFK/rNdO
-zSeOIw2xchD86uNckYZd28OMEoSDI/lVhIxlEXaWvrf+BiaFX3AaPB3oivAp5aF4
-iy9WlTtH1uoE7iNueRd+beg5BgpgV0hyZAnoePQojH0=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANlcwo5q84SEtVy5W/xqbYAzOiYUZ0Shp9+ry/Q/X5uhrDF9JSHNWJbXut+8
+ZJGICt0RYVIJCcaa7FUt5hTKEx4fgURr+Hz84ZgwesMxcECHJPq9ylrCqbPkbmFR
+1XUy2MvioMH2lyc/PbV62XXggJhHioStVLRfyVlkS1KvvR+HAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQBtPJwqu7DiDmFZd58L4xQ6JJhrJzJUDHmT7ikW2tOM58yisCgSnzrR
+xihW+49vUQ9lSGxBHaFwdehAuGTXydnf7/i9i6KA2RZ+Rq12FJFYOhjaIP7Sy1zq
+VXtb+P1eDBQQhz0WgysLVjgGdBiokRv86yY56ficoTQ6EyWzQLCU+A==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/CA/ca.conf b/test/aux-fixed/exim-ca/example.com/CA/ca.conf
index 915a72efc..ae7b6b644 100644
--- a/test/aux-fixed/exim-ca/example.com/CA/ca.conf
+++ b/test/aux-fixed/exim-ca/example.com/CA/ca.conf
@@ -2,18 +2,17 @@
 ; Thu Nov  1 12:34:01 2012
 
 [CA]
-bits=1024
-org=example.com
+name=Certificate Authority rsa
 subject=clica CA
-name=Certificate Authority
+org=example.com
+bits=1024
 
 [CLICA]
-crl_url=http://crl.example.com/latest.crl
-ocsp_url=http://oscp.example.com/
-signer=Signing Cert
-ocsp_signer=OCSP Signer
-sighash=SHA256
-crl_signer=Signing Cert
+ocsp_signer=OCSP Signer rsa
+signer=Signing Cert rsa
 level=1
+sighash=SHA256
+ocsp_url=http://oscp.example.com/
+crl_url=http://crl.example.com/latest.crl
 
 
diff --git a/test/aux-fixed/exim-ca/example.com/CA/cert8.db b/test/aux-fixed/exim-ca/example.com/CA/cert8.db
index f3eb5710d..9513a3b2d 100644
Binary files a/test/aux-fixed/exim-ca/example.com/CA/cert8.db and b/test/aux-fixed/exim-ca/example.com/CA/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.empty b/test/aux-fixed/exim-ca/example.com/CA/crl.empty
index f88dc832e..db811f4e8 100644
Binary files a/test/aux-fixed/exim-ca/example.com/CA/crl.empty and b/test/aux-fixed/exim-ca/example.com/CA/crl.empty differ
diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.empty.in.txt b/test/aux-fixed/exim-ca/example.com/CA/crl.empty.in.txt
index 94f20b071..5c3cda501 100644
--- a/test/aux-fixed/exim-ca/example.com/CA/crl.empty.in.txt
+++ b/test/aux-fixed/exim-ca/example.com/CA/crl.empty.in.txt
@@ -1 +1 @@
-update=20170131185506Z 
+update=20171105161901Z 
diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.empty.pem b/test/aux-fixed/exim-ca/example.com/CA/crl.empty.pem
index bbe01d70d..c77198919 100644
--- a/test/aux-fixed/exim-ca/example.com/CA/crl.empty.pem
+++ b/test/aux-fixed/exim-ca/example.com/CA/crl.empty.pem
@@ -1,7 +1,8 @@
 -----BEGIN X509 CRL-----
-MIHtMFgCAQEwDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5jb20x
-GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxNzAxMzExODU1MDZaMA0G
-CSqGSIb3DQEBCwUAA4GBALweRJiNR6xxBHSq8yJwCQ8QTPk20k3HZMqkiHJsXk2k
-7Bi8u084dWT6qusM0sX+EIijWaq0PeI62eMIxTypD8f+ug3ookeq1uTr5/oxitfp
-5Q2t5yFzk6fqmnozxyb2BhRGiEpwouLFngt9yz3WjJmOXVIQbz3JDpzHBx8kIhMm
+MIHxMFwCAQEwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhhbXBsZS5jb20x
+HzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EYDzIwMTcxMTA1MTYxOTAx
+WjANBgkqhkiG9w0BAQsFAAOBgQA3fw/iu8rnPn5It/R8IHmx+65u1PC851Y0N2QV
+AuKfYM9PsoCykxFXC3YVq7pL/PecqTZEsE/aoQx6HuBdfJnLWB5djArqSUua/ENY
+lYabOFfr8ueNQmC+mcqbuATx6pt33JzXNPD13uhTKwFjkx1A7DrlQX/jkqUZe8nH
+HCCDeA==
 -----END X509 CRL-----
diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.v2 b/test/aux-fixed/exim-ca/example.com/CA/crl.v2
index 7a4733b84..cc4c5d7c5 100644
Binary files a/test/aux-fixed/exim-ca/example.com/CA/crl.v2 and b/test/aux-fixed/exim-ca/example.com/CA/crl.v2 differ
diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.v2.in.txt b/test/aux-fixed/exim-ca/example.com/CA/crl.v2.in.txt
index 8384c35bd..20311aa93 100644
--- a/test/aux-fixed/exim-ca/example.com/CA/crl.v2.in.txt
+++ b/test/aux-fixed/exim-ca/example.com/CA/crl.v2.in.txt
@@ -1,3 +1,3 @@
-update=20170131185508Z 
-addcert 102 20170131185508Z
-addcert 202 20170131185508Z
+update=20171105161903Z 
+addcert 102 20171105161903Z
+addcert 202 20171105161903Z
diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.v2.pem b/test/aux-fixed/exim-ca/example.com/CA/crl.v2.pem
index fb08e4a12..7840f5d41 100644
--- a/test/aux-fixed/exim-ca/example.com/CA/crl.v2.pem
+++ b/test/aux-fixed/exim-ca/example.com/CA/crl.v2.pem
@@ -1,9 +1,9 @@
 -----BEGIN X509 CRL-----
-MIIBHTCBhwIBATANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFtcGxlLmNv
-bTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0GA8yMDE3MDEzMTE4NTUwOFow
-LTAUAgFmGA8yMDE3MDEzMTE4NTUwOFowFQICAMoYDzIwMTcwMTMxMTg1NTA4WjAN
-BgkqhkiG9w0BAQsFAAOBgQB+5VosBl1uvUXUQ17NdPZJSR0ZyJ9+jwTSauGwGjHa
-sKjpVCwT8Lzf0CL15/sv3mR4P67v3xLHKuxLpdzVhrgOFanoeplGUJFmXjIQ547H
-5Psyeg3C1+Ob6uIUZR0p7SVSeJJNiv8XlrIu78YsPrFigE8X/qUqEeXOXYyINlFh
-7w==
+MIIBITCBiwIBATANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFtcGxlLmNv
+bTEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYRgPMjAxNzExMDUxNjE5
+MDNaMC0wFAIBZhgPMjAxNzExMDUxNjE5MDNaMBUCAgDKGA8yMDE3MTEwNTE2MTkw
+M1owDQYJKoZIhvcNAQELBQADgYEAWSJk6909DsDkqmIg0ZPhJD9Wkvg93KI7xfzr
+P1Jl76DJBDYLfEeCG2tCP0BEK9qiiigLm+4yq03xpWFaNYo9LYwK+vcoqaBDkUy+
+96ODhpGM2+Sd/9X2RQAxKTBQKKv8/OkVrP9fV92Ee1PItdI3FC32Ca7+/HDMfmfV
+lQDNxU8=
 -----END X509 CRL-----
diff --git a/test/aux-fixed/exim-ca/example.com/CA/key3.db b/test/aux-fixed/exim-ca/example.com/CA/key3.db
index a39c46087..6565d0cd8 100644
Binary files a/test/aux-fixed/exim-ca/example.com/CA/key3.db and b/test/aux-fixed/exim-ca/example.com/CA/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/CA/noise.file b/test/aux-fixed/exim-ca/example.com/CA/noise.file
index 7aea9a551..bb707059d 100644
--- a/test/aux-fixed/exim-ca/example.com/CA/noise.file
+++ b/test/aux-fixed/exim-ca/example.com/CA/noise.file
@@ -4,7 +4,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -17,7 +17,7 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
 bogomips	: 5424.00
 clflush size	: 64
@@ -31,7 +31,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -44,9 +44,9 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5427.15
+bogomips	: 5431.34
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
@@ -58,7 +58,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -71,9 +71,9 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5427.09
+bogomips	: 5431.79
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
@@ -85,7 +85,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -98,9 +98,9 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5427.13
+bogomips	: 5431.63
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
@@ -112,7 +112,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -125,9 +125,9 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5428.40
+bogomips	: 5434.63
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
@@ -139,7 +139,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -152,9 +152,9 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5428.13
+bogomips	: 5432.00
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
@@ -166,7 +166,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -179,9 +179,9 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5427.27
+bogomips	: 5431.94
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
@@ -193,7 +193,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -206,87 +206,87 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5427.26
+bogomips	: 5431.94
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
 power management:
 
             CPU0       CPU1       CPU2       CPU3       CPU4       CPU5       CPU6       CPU7       
-   0:         52          0          0          0          0          0          0          0  IR-IO-APIC    2-edge      timer
-   1:         16        459         44         16         71         52         37         18  IR-IO-APIC    1-edge      i8042
-   8:          0          0          0          1          0          0          0          0  IR-IO-APIC    8-edge      rtc0
-   9:         89        154         83        105        355        114        136         53  IR-IO-APIC    9-fasteoi   acpi
-  12:        201      49375       1144       1233       5340       1378       1701        919  IR-IO-APIC   12-edge      i8042
+   0:         70          0          0          0          0          0          0          0  IR-IO-APIC    2-edge      timer
+   1:         39      16476       1416       1089       6857       1983       1674       1959  IR-IO-APIC    1-edge      i8042
+   8:          0          0          1          0          0          0          0          0  IR-IO-APIC    8-edge      rtc0
+   9:        284       4834       2265       1628       7027       2758       1632       1695  IR-IO-APIC    9-fasteoi   acpi
+  12:        273    1626151      37392      40715     288530      39254      36081      51183  IR-IO-APIC   12-edge      i8042
   16:          1          0          0          0          0          0          0          0  IR-IO-APIC   16-fasteoi   i801_smbus
-  19:          5          3          2          0          8          2          2          2  IR-IO-APIC   19-fasteoi 
  120:          0          0          0          0          0          0          0          0  DMAR-MSI    0-edge      dmar0
  121:          0          0          0          0          0          0          0          0  DMAR-MSI    1-edge      dmar1
- 124:       7929       1965       1951      91785       6129       4099       2324       2579  IR-PCI-MSI 376832-edge      ahci[0000:00:17.0]
- 125:        219         13          6         32         12          8          6         22  IR-PCI-MSI 327680-edge      xhci_hcd
- 126:         97         12         17         44         16          8          5          2  IR-PCI-MSI 2097152-edge      rtsx_pci
- 127:          0          0         87          0         58          0         61         36  IR-PCI-MSI 520192-edge      enp0s31f6
- 128:          0          0          0          2          2          0          1          8  IR-PCI-MSI 1048576-edge    
- 129:        725         32        125        185      13085        451       6925        254  IR-PCI-MSI 32768-edge      i915
- 130:         23          9          7          0         11          0          1          0  IR-PCI-MSI 360448-edge      mei_me
- 131:         21          6          4          2          7          4          3          0  IR-PCI-MSI 1572864-edge      iwlwifi
- 132:        713          0         63         42        106         45        129        120  IR-PCI-MSI 514048-edge      snd_hda_intel:card0
- NMI:          2          1          1          1          2          4          1          1   Non-maskable interrupts
- LOC:      33252      27470      28482      27041      44011      60675      27232      32342   Local timer interrupts
+ 122:       7136       3040       2312       1908       4546       3822      75945       2347  IR-PCI-MSI 376832-edge      ahci[0000:00:17.0]
+ 123:         22          7          1          0          7          3          4          1  IR-PCI-MSI 327680-edge      xhci_hcd
+ 124:         89         19         22         25         79         55         27         54  IR-PCI-MSI 2097152-edge      rtsx_pci
+ 125:         88         15     127570         11         48         25         19         21  IR-PCI-MSI 520192-edge      enp0s31f6
+ 126:          1          1          1          0          3          1          3          6  IR-PCI-MSI 1048576-edge    
+ 127:        561        174         98     789459        240        230        184        147  IR-PCI-MSI 32768-edge      i915
+ 128:         34         14          0          0          1          0          0          0  IR-PCI-MSI 360448-edge      mei_me
+ 129:         22         10          0          1         10          0          0          0  IR-PCI-MSI 1572864-edge      iwlwifi
+ 130:         92        103         30         22        194        115         10         45  IR-PCI-MSI 514048-edge      snd_hda_intel:card0
+ NMI:          9         12          9         14         10          9          9         10   Non-maskable interrupts
+ LOC:     567716     554896     727085    1034643     584080     592635     624369     549045   Local timer interrupts
  SPU:          0          0          0          0          0          0          0          0   Spurious interrupts
- PMI:          2          1          1          1          2          4          1          1   Performance monitoring interrupts
- IWI:          4          0          0          2          0          0          1          1   IRQ work interrupts
+ PMI:          9         12          9         14         10          9          9         10   Performance monitoring interrupts
+ IWI:          0          1          0          0          0          0          2          0   IRQ work interrupts
  RTR:          7          0          0          0          0          0          0          0   APIC ICR read retries
- RES:       9953       4152       2811       2503       2970       1497       2330       2606   Rescheduling interrupts
- CAL:      51614      26930      27696      38549      30005      38582      36536      38830   Function call interrupts
- TLB:      44868      21971      22151      33281      24454      32863      30173      34882   TLB shootdowns
+ RES:      85583      31067      11917       8325       7466       6913       6401       5898   Rescheduling interrupts
+ CAL:      73161      74171      68752      70655      80169      75209      61391      70903   Function call interrupts
+ TLB:      55150      56119      50377      53791      62195      57072      43366      55765   TLB shootdowns
  TRM:          0          0          0          0          0          0          0          0   Thermal event interrupts
  THR:          0          0          0          0          0          0          0          0   Threshold APIC interrupts
  DFR:          0          0          0          0          0          0          0          0   Deferred Error APIC interrupts
  MCE:          0          0          0          0          0          0          0          0   Machine check exceptions
- MCP:          3          3          3          3          3          3          3          3   Machine check polls
+ MCP:         49         49         49         49         49         49         49         49   Machine check polls
  ERR:          0
  MIS:          0
  PIN:          0          0          0          0          0          0          0          0   Posted-interrupt notification event
+ NPI:          0          0          0          0          0          0          0          0   Nested posted-interrupt event
  PIW:          0          0          0          0          0          0          0          0   Posted-interrupt wakeup event
-MemTotal:       15855100 kB
-MemFree:        11476980 kB
-MemAvailable:   12986624 kB
-Buffers:          385492 kB
-Cached:          1341284 kB
+MemTotal:       15852528 kB
+MemFree:        10535936 kB
+MemAvailable:   12484200 kB
+Buffers:          128136 kB
+Cached:          1542420 kB
 SwapCached:            0 kB
-Active:          2944176 kB
-Inactive:         986248 kB
-Active(anon):    2204748 kB
-Inactive(anon):    57096 kB
-Active(file):     739428 kB
-Inactive(file):   929152 kB
-Unevictable:           0 kB
-Mlocked:               0 kB
+Active:          3134176 kB
+Inactive:        1817128 kB
+Active(anon):    2706712 kB
+Inactive(anon):    79680 kB
+Active(file):     427464 kB
+Inactive(file):  1737448 kB
+Unevictable:          32 kB
+Mlocked:              32 kB
 SwapTotal:       7933948 kB
 SwapFree:        7933948 kB
-Dirty:               896 kB
-Writeback:            24 kB
-AnonPages:       1629712 kB
-Mapped:           243280 kB
-Shmem:             58204 kB
-Slab:             251984 kB
-SReclaimable:     179424 kB
-SUnreclaim:        72560 kB
-KernelStack:        6816 kB
-PageTables:        29640 kB
+Dirty:              3980 kB
+Writeback:             0 kB
+AnonPages:       2975780 kB
+Mapped:           495468 kB
+Shmem:             80740 kB
+Slab:             143672 kB
+SReclaimable:      74472 kB
+SUnreclaim:        69200 kB
+KernelStack:        9152 kB
+PageTables:        39092 kB
 NFS_Unstable:          0 kB
 Bounce:                0 kB
 WritebackTmp:          0 kB
-CommitLimit:    15861496 kB
-Committed_AS:    8757188 kB
+CommitLimit:    15860212 kB
+Committed_AS:   11673848 kB
 VmallocTotal:   34359738367 kB
 VmallocUsed:           0 kB
 VmallocChunk:          0 kB
 HardwareCorrupted:     0 kB
-AnonHugePages:    684032 kB
+AnonHugePages:    966656 kB
 ShmemHugePages:        0 kB
 ShmemPmdMapped:        0 kB
 CmaTotal:              0 kB
@@ -296,14 +296,15 @@ HugePages_Free:        0
 HugePages_Rsvd:        0
 HugePages_Surp:        0
 Hugepagesize:       2048 kB
-DirectMap4k:      147456 kB
-DirectMap2M:     6608896 kB
-DirectMap1G:    10485760 kB
+DirectMap4k:      202752 kB
+DirectMap2M:     7602176 kB
+DirectMap1G:     9437184 kB
 Inter-|   Receive                                                |  Transmit
  face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
-wlp3s0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
-enp0s31f6:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
- vnet0:   32675     319    0    0    0     0          0         0    42290     545    0    0    0     0       0          0
-virbr1:   28209     319    0    0    0     0          0         0    27394     284    0    0    0     0       0          0
+virbr1:  353867    2838    0    0    0     0          0         0  1474230    3810    0    0    0     0       0          0
+enp0s31f6: 43449731   65089    0    0    0     0          0      2075  6949500   57088    0    0    0     0       0          0
 virbr1-nic:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
-    lo:   92538    1136    0    0    0     0          0         0    92538    1136    0    0    0     0       0          0
+tun_wizint: 4130741    7381    0    0    0     0          0         0  1092175    8002    0    0    0     0       0          0
+    lo:    5706      74    0    0    0     0          0         0     5706      74    0    0    0     0       0          0
+ vnet0:  393599    2838    0    0    0     0          0         0  1609950    6362    0    0    0     0       0          0
+wlp3s0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/expired1.example.com/ca_chain.pem
index 93e18035b..cde036853 100644
--- a/test/aux-fixed/exim-ca/example.com/expired1.example.com/ca_chain.pem
+++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/ca_chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.com/CN=clica Signing Cert
-issuer=/O=example.com/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.com/CN=clica Signing Cert rsa
+issuer=/O=example.com/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC2Ph5
-2UMdD8CAW6mAoSUKgQbCEps6VYPBqa031JzDBzpHD8cmIJfRlmPg9V8K2LXP8VVe
-eG7LW2RBVlSx9082EZNC545NFKDg4Xu01jYP8BrNcJzzu8ip8osiqAzo993AZXoW
-eGZKJ7hYA1M5RCMkSIBhFxwoObjG9Bt1LQ/keQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-JV9x4BGPTibmtXmXJOR0tETUR4RKc+Cis07H55mGDweIWtDT0dmlisLFyFK/rNdO
-zSeOIw2xchD86uNckYZd28OMEoSDI/lVhIxlEXaWvrf+BiaFX3AaPB3oivAp5aF4
-iy9WlTtH1uoE7iNueRd+beg5BgpgV0hyZAnoePQojH0=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANlcwo5q84SEtVy5W/xqbYAzOiYUZ0Shp9+ry/Q/X5uhrDF9JSHNWJbXut+8
+ZJGICt0RYVIJCcaa7FUt5hTKEx4fgURr+Hz84ZgwesMxcECHJPq9ylrCqbPkbmFR
+1XUy2MvioMH2lyc/PbV62XXggJhHioStVLRfyVlkS1KvvR+HAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQBtPJwqu7DiDmFZd58L4xQ6JJhrJzJUDHmT7ikW2tOM58yisCgSnzrR
+xihW+49vUQ9lSGxBHaFwdehAuGTXydnf7/i9i6KA2RZ+Rq12FJFYOhjaIP7Sy1zq
+VXtb+P1eDBQQhz0WgysLVjgGdBiokRv86yY56ficoTQ6EyWzQLCU+A==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.com/CN=clica CA
-issuer=/O=example.com/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.com/CN=clica CA rsa
+issuer=/O=example.com/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJmw215lURHtIlsmndGX
-4rn6AyPcReCzRClw8icPv5GzxDnXxqbjK8Ghvkil8RAV8mAkDXDzDi8J5NIsMKwk
-EF8LaGfnbhaeRkvfDXN4YGrGclMMCVN4zk810pDrfrz3KCGpokOKoaWUsRTTdftk
-xyfw2Ui1nPNfg9fO/cfAyr9FAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBABrTmR8+gtECLU7zsbrs
-RKIeE9YSXxsqzv3DPpUj9VN7l05ERe3db7/TNePBLH0KwpjWljuPDUhKWC5jQvkf
-gBEr0CKALQGWU0sQJDNhR3SDsPUGU0BFUQT7g1B94Dmp72ivHLjMrtxnLrOT32Uh
-iaEG3X51ApoqRRyXcSJZBcYN
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2N3YjbHA
+BEKAiUHwJ0VMAAe/KMOM8slXOAKni4v7Vf6BzbO5B6uaKhDV2n3V0vXwMdAoeBaq
+3s9CHOjDXwjF1qf/p4w3Z2aUIVt/Mb+uEcPUlq0Nr8OLlH11QKbkvFtLxU3sUAoi
+fcaydi1q3tszjPQ0tKlLo6kOzcgi8d47WccCAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAAzD/Zszo
+X4ieSQQxDOH53VkiAJDs32qso9YzGbQaenuRnVFCuo7rt68cjMcOjzf18/I+iMeH
+nEcdqkfoYB4Z3LXvDaRGZhg/ZOv58muzRnsW2oQI9yFqDwD0FZPtM6Vq0AWXjLuq
+IogOI5fShSo7H5hc3vrkvS7KUhzuv3FKnaQ=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/expired1.example.com/cert8.db
index eb69671b3..5082e03ed 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/cert8.db and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.chain.pem
index 86c4cf923..f6cdd036b 100644
--- a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.chain.pem
+++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
     friendlyName: expired1.example.com
-    localKeyID: 99 F4 E5 1B DE CB 48 9B DF 6F 48 1E 2F F7 D0 45 87 BF E1 AA 
+    localKeyID: 2D F0 80 D5 36 FE D2 A2 89 8B 45 96 53 27 78 75 9A E2 AB 74 
 subject=/CN=expired1.example.com
-issuer=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMloXDTEyMTIwMTEyMzQwMlowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
-ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMTCvf315OK4Yr6gzhR/
-UgD+UArs0hNH2W2Uc+IJnRyrXrfqH3WYRV+tWsijqOoA9z6JcgXaImH5XSq35buY
-caS1IhHg7ubtIEG0QcY4qf1wZK0V1A48Yk9iwYU4eBlBaqe2hNjVnXZprYteZ9Ws
-VWfjH+H3/Xh3BGrxL6FjcE+pAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG
-A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
-hiFodHRwOi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
-KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLmNvbS8wHwYDVR0R
-BBgwFoIUZXhwaXJlZDEuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADgYEAnAU6
-0ELaqsG85xaBG0ygY7VPEZFvsO45F37Y/VXp3YmwMMKpyN3DT6B3vSl64XLHCBcb
-91Sl1A3kkTJS4lLxPt12PNuImc+lr+D3vJqgJ2uoKznYmgX7cHWLnXkL3fX8TmSc
-UW3WlWPM+DqP9rTX1Rpw0PLb02WgnkAzbDegeR8=
+MIICjTCCAfagAwIBAgIBZzANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDFaFw0xMjEyMDExMjM0MDFaMB8xHTAbBgNVBAMTFGV4cGlyZWQxLmV4
+YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtHBMZtGtODyg6
+OC4nWNIjICkgfR3e831qmWUhMR671zF0tcywM8yH74jRQJP30nHzvrvkIT11Z540
+yvZzK4mzoZXQm466fwivjUkUK6T5nT76zbc2+mN8pK6s+xG2oxF+w1aeMaldJ9nY
+D1jEPenQL/rq5Sb0kC52wkwSSDI/MQIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5jb20vMB8G
+A1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4GB
+AHBdui6MIhv8xE3jegdB+3d/UaC9iZJhrhxFfD3eirbvdA2IOfpglHoora5Ll/WB
+CgKC8NkwYf7kdTPM0T0hSjy9nlollFTxk0BaS7xKJdOjwDHVAIR1xpnw3wC/jIK6
+U42/WCIXJG1VsbpwI7zohfcfL+1OsJ4SvKYGMR9Tpbqb
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC2Ph5
-2UMdD8CAW6mAoSUKgQbCEps6VYPBqa031JzDBzpHD8cmIJfRlmPg9V8K2LXP8VVe
-eG7LW2RBVlSx9082EZNC545NFKDg4Xu01jYP8BrNcJzzu8ip8osiqAzo993AZXoW
-eGZKJ7hYA1M5RCMkSIBhFxwoObjG9Bt1LQ/keQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-JV9x4BGPTibmtXmXJOR0tETUR4RKc+Cis07H55mGDweIWtDT0dmlisLFyFK/rNdO
-zSeOIw2xchD86uNckYZd28OMEoSDI/lVhIxlEXaWvrf+BiaFX3AaPB3oivAp5aF4
-iy9WlTtH1uoE7iNueRd+beg5BgpgV0hyZAnoePQojH0=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANlcwo5q84SEtVy5W/xqbYAzOiYUZ0Shp9+ry/Q/X5uhrDF9JSHNWJbXut+8
+ZJGICt0RYVIJCcaa7FUt5hTKEx4fgURr+Hz84ZgwesMxcECHJPq9ylrCqbPkbmFR
+1XUy2MvioMH2lyc/PbV62XXggJhHioStVLRfyVlkS1KvvR+HAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQBtPJwqu7DiDmFZd58L4xQ6JJhrJzJUDHmT7ikW2tOM58yisCgSnzrR
+xihW+49vUQ9lSGxBHaFwdehAuGTXydnf7/i9i6KA2RZ+Rq12FJFYOhjaIP7Sy1zq
+VXtb+P1eDBQQhz0WgysLVjgGdBiokRv86yY56ficoTQ6EyWzQLCU+A==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.key b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.key
index a4d132e90..d770088a3 100644
--- a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.key
+++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.key
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: expired1.example.com
-    localKeyID: 99 F4 E5 1B DE CB 48 9B DF 6F 48 1E 2F F7 D0 45 87 BF E1 AA 
+    localKeyID: 2D F0 80 D5 36 FE D2 A2 89 8B 45 96 53 27 78 75 9A E2 AB 74 
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIF6bmOIjY8xECAggA
-MBQGCCqGSIb3DQMHBAi/0D3fDlzKwgSCAoBNavhFtNwnXQ+Um51KYksca5ul2XDp
-IIOweOixkUeOsPLlWEXE1FnD795WqWMcJHilFGtC01cTplsf0W042ECwBbAzr4Z2
-aniI+IyTDtSD9LbIqOHQEDzR0MfrtwyQ66A1OFxhi1yU5uYDCvLqzSQp485l3LHK
-/ZN2hloTgUYZMFQr9g+PTpzgyHwUls0jnOMN6BVVblwv1L4MqeS+15Z2AtnRWGtl
-rDmAbGLm/aeCe49IrFRIc0jHE3gDs+iRUTJ/bnSEgLUtRL2w7aNTA4XcvCQP631V
-+AYXH91FSRpq1braQZjlJSmZCK0whdqDuZDy+pHl9dTqOEqtrOeryY7hsmKpibZG
-t69G6A7fJGsWCxi/pVw92y1rfn3TNSxx6EiZMDwL+Y7A47+u7tGYitNtoN2s9gS+
-WQqHqgVd81zGxwi79VIH/K2kyaBc2fhIJspa7a9CUQW+nA5abrwCrDP5d+Y1OfaQ
-q6vT/eVto05T4LlcwrqIdhkvcWxk/lQG3oi6f/Wy80bOdk5CmfpwJc87J4mRTcwK
-6mK9b8nq1eX/aj4JXZPrbl/boz2KMP4lxbmw4H0kueC84JgZmqifCCGIVSHZFUDV
-tNpijNXLAwgnNBUxk0ffFI8LC6FvSHs46Ij+RS0Hth8D2+DA5b//N/Z18iIi8chQ
-11f/MzCuN4MsZ6f8yrvTYfsf9FlMpUCWFnrKMCMHikVh4usk1VAUjszyMp2wwujl
-mt531rN/eB8P9edh8+2Zg0FG8wZeiRaLzBmktEZmDXv3A4o/Ksr2bDqp8nAU5n8V
-wBEQ3q6AAHosVq5PyRAbm2KwOEJVMDdR8tF3QZuogvXW2GbyhNsthsjz
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI1UyiYnYKO9UCAggA
+MBQGCCqGSIb3DQMHBAjWD6vdWh3+PwSCAoByLQ9hJ+2ANh1Z88M4f7pVMVnGk0yr
+qxX/IjoB9H8KnweVCtXP38T6Wuhm5JEVXOK1HWA/5A37mfLyk7YHvvYWcH7CmLMa
+ssMOlDmCBXZWwnSseeZyvuJedsXIm6VDc8JNPeshVTkXEAmaA7wu5Vr3Tggg/tIh
+S2XBReFIZWa4+ibGGj7n3z5TsDQMIufZKAtl4WdrwDnUBGrQ5gt5TpXrtdHsYsHA
+cVrt5XFDMytSPVgiL3X46p5/b3MCUBivyKvvRzDz5LmcJ3iGERnfFoUKiASJPoPp
+YBx91ehwq2tC+ciQFGOcQ2yt8F45yiMwgHYQK3McDf3NbScylfuTzDU+BA19HPBC
+yE2taZAwYmqfihXiZQ3t20kT2n7CbdZBYJJsyKnc+K32AYofspKzZEU4ypqcTJ4+
+4HDAgCwzKuUrMvbKUFyQw+OkaD8e7Vl8q/X6yYtwPviWDO893cigFCYiPcPYaqBc
+snzL+T7zjw7x5rtQ2IPqx3jfjX7hDbQvvK3ZEWTxqkUrx4JeLGHIK5kNE5DHK6G7
+0jjuNzYN57BuzYKzO5Nd/N6vstyITTEpEWz2jTOXqWgr1lF3isy3yKcVETL/tUd8
+nDltQvN4kzqbvW9f1VtD+pKBhyuBv077FXw3RbHukIjaIDSg+fSjukm5vbEpx+ms
+JuB2Jx/VSOfUH303Q+lbz1Q2X1Ikn6d7oF7hTrvz6dts0bqtbXxB3+2RY+c3RPhE
+wfTzyqKQVCwifbEXC4aMKRZruhzWpw6H0GEvOfSXgc9O7ntm8B20pCka4tr58R+6
+iB5S+2vmsjCGC0PSUjpCj0jkPmnw1fDP7W9bg23w0CtMKQRw2xrxMIiG
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.dated.resp
index d5ac08077..76a1b88cf 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.good.resp
index d0b3a807a..9ef0b4f54 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.req
index 44c149549..9e192919d 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.req and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.revoked.resp
index 36fb0d1e6..fbcc60ed9 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signer.dated.resp b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signer.dated.resp
index b4a9aeba9..a1b7a417c 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signer.dated.resp and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signer.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signer.good.resp b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signer.good.resp
index 156b36b81..2dbb36d65 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signer.good.resp and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signer.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signer.revoked.resp b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signer.revoked.resp
index a9cb57832..d9f4b0110 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signer.revoked.resp and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signer.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signernocert.dated.resp b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signernocert.dated.resp
index 5b3670296..6524a9d08 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signernocert.dated.resp and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signernocert.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signernocert.good.resp b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signernocert.good.resp
index 51478aa06..acdbc9ee9 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signernocert.good.resp and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signernocert.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signernocert.revoked.resp b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signernocert.revoked.resp
index 03c8b7a26..7cab7b15b 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signernocert.revoked.resp and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.signernocert.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.p12 b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.p12
index 4ac3a7019..db7574a05 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.p12 and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.pem b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.pem
index a73389074..b74a2ff05 100644
--- a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.pem
+++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.pem
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: expired1.example.com
-    localKeyID: 99 F4 E5 1B DE CB 48 9B DF 6F 48 1E 2F F7 D0 45 87 BF E1 AA 
+    localKeyID: 2D F0 80 D5 36 FE D2 A2 89 8B 45 96 53 27 78 75 9A E2 AB 74 
 subject=/CN=expired1.example.com
-issuer=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMloXDTEyMTIwMTEyMzQwMlowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
-ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMTCvf315OK4Yr6gzhR/
-UgD+UArs0hNH2W2Uc+IJnRyrXrfqH3WYRV+tWsijqOoA9z6JcgXaImH5XSq35buY
-caS1IhHg7ubtIEG0QcY4qf1wZK0V1A48Yk9iwYU4eBlBaqe2hNjVnXZprYteZ9Ws
-VWfjH+H3/Xh3BGrxL6FjcE+pAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG
-A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
-hiFodHRwOi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
-KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLmNvbS8wHwYDVR0R
-BBgwFoIUZXhwaXJlZDEuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADgYEAnAU6
-0ELaqsG85xaBG0ygY7VPEZFvsO45F37Y/VXp3YmwMMKpyN3DT6B3vSl64XLHCBcb
-91Sl1A3kkTJS4lLxPt12PNuImc+lr+D3vJqgJ2uoKznYmgX7cHWLnXkL3fX8TmSc
-UW3WlWPM+DqP9rTX1Rpw0PLb02WgnkAzbDegeR8=
+MIICjTCCAfagAwIBAgIBZzANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDFaFw0xMjEyMDExMjM0MDFaMB8xHTAbBgNVBAMTFGV4cGlyZWQxLmV4
+YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtHBMZtGtODyg6
+OC4nWNIjICkgfR3e831qmWUhMR671zF0tcywM8yH74jRQJP30nHzvrvkIT11Z540
+yvZzK4mzoZXQm466fwivjUkUK6T5nT76zbc2+mN8pK6s+xG2oxF+w1aeMaldJ9nY
+D1jEPenQL/rq5Sb0kC52wkwSSDI/MQIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5jb20vMB8G
+A1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4GB
+AHBdui6MIhv8xE3jegdB+3d/UaC9iZJhrhxFfD3eirbvdA2IOfpglHoora5Ll/WB
+CgKC8NkwYf7kdTPM0T0hSjy9nlollFTxk0BaS7xKJdOjwDHVAIR1xpnw3wC/jIK6
+U42/WCIXJG1VsbpwI7zohfcfL+1OsJ4SvKYGMR9Tpbqb
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.unlocked.key
index 9856ea8a9..223bc5ce1 100644
--- a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.unlocked.key
+++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.unlocked.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDEwr399eTiuGK+oM4Uf1IA/lAK7NITR9ltlHPiCZ0cq1636h91
-mEVfrVrIo6jqAPc+iXIF2iJh+V0qt+W7mHGktSIR4O7m7SBBtEHGOKn9cGStFdQO
-PGJPYsGFOHgZQWqntoTY1Z12aa2LXmfVrFVn4x/h9/14dwRq8S+hY3BPqQIDAQAB
-AoGAAqXDgbHNKSHQWP6ilz2uqvXBD6HnzRDymNoJBHnFo+zzDX14e+VsdYudxO+y
-0PyUrGzpXFvMNPjygHsl+7QNlLg4i0dP762tHD4QE32qMBVhBPty1koAyM1cWi3P
-QttMl+/pGcVy4h/YtEA2MFnFqAG3oNpYwqolaVjm1qCqENsCQQDzgVgUKq++/y8D
-I7gqxSjoYapzGm7izJpHR4fXoSlYuSNiF1DXlwKSj0RgXcYueKYViycxt2zJnF2g
-UEOTiWr/AkEAztteDppqGJAW8qI5e0llnZwKe67osrw6s7I/ttXfcNxRCqGWiqH8
-aP9hShFx9urN4ytgi6XLWo0E84jAILINVwJAYlqhH+wp9mSOMZ9w2N2v60TfmwRX
-O4ZW3mmXBdKTp8GH+CvgvGPDZz006hOWY9jZhKQjHaKv7zMYYhNpaCM+MwJBALiy
-PeUkEp8j6Jl0J4bhHg4ACYwtvC/6yR8xhJonlH4c+W9YoCXgRJMrkx6jPPKO7I5t
-aKLHwi5zw3v/Gi0XTbkCQQC+2rPSR007V864RuUK2ze112YtiL50nAEywbbQVvtf
-56yQWG6eI0hVTWVJ5iRAdtUdyBgnAGHWKga1IVOqE+zc
+MIICXQIBAAKBgQCtHBMZtGtODyg6OC4nWNIjICkgfR3e831qmWUhMR671zF0tcyw
+M8yH74jRQJP30nHzvrvkIT11Z540yvZzK4mzoZXQm466fwivjUkUK6T5nT76zbc2
++mN8pK6s+xG2oxF+w1aeMaldJ9nYD1jEPenQL/rq5Sb0kC52wkwSSDI/MQIDAQAB
+AoGAAQboAucHG/ELFA1Xq/QWJKjNyNuOw2ikyqHn769GHc2RBYtukD0LOzAFZ8Uy
+TrrfSJe0SNr80/PhasuP2rvcMHbtM0ajvsnUPlF+wRezWlj8ibKMfH8vw5gW95G2
+3+ZI3wf5uoesaSGNb6ITEnHxcIfpR1SXOyhIf9OOmJGtoAECQQDZI1iwHZhZIxND
+LgnVyD7xLhv1aVIeR9ahOccaa7+AWySVkwK8udiw9NmbApbLAku4au9GC9jLBwWj
+KuZYNitBAkEAzBd4jUWGxiOreVViywiuVVwCNjU9CtEgUMhZUEpNSS8qNr7MDEiI
+90+rjOSVmnyJ5gqwHnkJIIH4dYBuIJTH8QJBAM1KPspbYLM9lzOXrlLBfMi3SFWw
+2qOoVcKehqBzKF3pTeBgWmEl8Dn1dFq6iuiqZf6Yk1oNT008eVb380mJBUECQH0x
+4Kd4gOZGt0dk04eMubRvDoRGQD3EbzhezjrseWBtaE3Q2MaoMCzVWHzDM+pifwz4
+fXUT9j9Uux8JO4UM/2ECQQDVOjqxjLlRoX67D3G3k8ObBOMT0tufK0ekfJvdgQzc
+rLsc9QZXGoeOSEoaf4AQxByy6J4QnjVW66G+UhItPxRB
 -----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/expired1.example.com/key3.db
index 1f6fb6eee..e3f1e846d 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/key3.db and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/expired2.example.com/ca_chain.pem
index 93e18035b..cde036853 100644
--- a/test/aux-fixed/exim-ca/example.com/expired2.example.com/ca_chain.pem
+++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/ca_chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.com/CN=clica Signing Cert
-issuer=/O=example.com/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.com/CN=clica Signing Cert rsa
+issuer=/O=example.com/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC2Ph5
-2UMdD8CAW6mAoSUKgQbCEps6VYPBqa031JzDBzpHD8cmIJfRlmPg9V8K2LXP8VVe
-eG7LW2RBVlSx9082EZNC545NFKDg4Xu01jYP8BrNcJzzu8ip8osiqAzo993AZXoW
-eGZKJ7hYA1M5RCMkSIBhFxwoObjG9Bt1LQ/keQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-JV9x4BGPTibmtXmXJOR0tETUR4RKc+Cis07H55mGDweIWtDT0dmlisLFyFK/rNdO
-zSeOIw2xchD86uNckYZd28OMEoSDI/lVhIxlEXaWvrf+BiaFX3AaPB3oivAp5aF4
-iy9WlTtH1uoE7iNueRd+beg5BgpgV0hyZAnoePQojH0=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANlcwo5q84SEtVy5W/xqbYAzOiYUZ0Shp9+ry/Q/X5uhrDF9JSHNWJbXut+8
+ZJGICt0RYVIJCcaa7FUt5hTKEx4fgURr+Hz84ZgwesMxcECHJPq9ylrCqbPkbmFR
+1XUy2MvioMH2lyc/PbV62XXggJhHioStVLRfyVlkS1KvvR+HAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQBtPJwqu7DiDmFZd58L4xQ6JJhrJzJUDHmT7ikW2tOM58yisCgSnzrR
+xihW+49vUQ9lSGxBHaFwdehAuGTXydnf7/i9i6KA2RZ+Rq12FJFYOhjaIP7Sy1zq
+VXtb+P1eDBQQhz0WgysLVjgGdBiokRv86yY56ficoTQ6EyWzQLCU+A==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.com/CN=clica CA
-issuer=/O=example.com/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.com/CN=clica CA rsa
+issuer=/O=example.com/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJmw215lURHtIlsmndGX
-4rn6AyPcReCzRClw8icPv5GzxDnXxqbjK8Ghvkil8RAV8mAkDXDzDi8J5NIsMKwk
-EF8LaGfnbhaeRkvfDXN4YGrGclMMCVN4zk810pDrfrz3KCGpokOKoaWUsRTTdftk
-xyfw2Ui1nPNfg9fO/cfAyr9FAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBABrTmR8+gtECLU7zsbrs
-RKIeE9YSXxsqzv3DPpUj9VN7l05ERe3db7/TNePBLH0KwpjWljuPDUhKWC5jQvkf
-gBEr0CKALQGWU0sQJDNhR3SDsPUGU0BFUQT7g1B94Dmp72ivHLjMrtxnLrOT32Uh
-iaEG3X51ApoqRRyXcSJZBcYN
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2N3YjbHA
+BEKAiUHwJ0VMAAe/KMOM8slXOAKni4v7Vf6BzbO5B6uaKhDV2n3V0vXwMdAoeBaq
+3s9CHOjDXwjF1qf/p4w3Z2aUIVt/Mb+uEcPUlq0Nr8OLlH11QKbkvFtLxU3sUAoi
+fcaydi1q3tszjPQ0tKlLo6kOzcgi8d47WccCAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAAzD/Zszo
+X4ieSQQxDOH53VkiAJDs32qso9YzGbQaenuRnVFCuo7rt68cjMcOjzf18/I+iMeH
+nEcdqkfoYB4Z3LXvDaRGZhg/ZOv58muzRnsW2oQI9yFqDwD0FZPtM6Vq0AWXjLuq
+IogOI5fShSo7H5hc3vrkvS7KUhzuv3FKnaQ=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/expired2.example.com/cert8.db
index e05e2b59e..b1949366c 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/cert8.db and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.chain.pem
index 219a4b87a..e1f627620 100644
--- a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.chain.pem
+++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
     friendlyName: expired2.example.com
-    localKeyID: 03 C3 7C BA 9F F2 B7 B8 7D 68 60 75 BE 3B 17 47 A0 02 67 B2 
+    localKeyID: D7 25 3D B0 CD 84 B6 A0 91 23 8D 39 0C 9F E3 D8 A0 D6 E6 35 
 subject=/CN=expired2.example.com
-issuer=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhh
-bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDJaFw0xMjEyMDExMjM0MDJaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
-bGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7gLu3gydH924Hw35f
-2W2KQeNCRRwrL1Urn3H9q7NnKccK3QSUizcx83byD4Csd/rkHnVSTm3VJdpCcmXN
-42Snj3D+F2+/IY3pLnWt49n3ivgQKk9pnnRfXMQO7rG/U8geumxXp6XC5Q3qeZqv
-EHa+i5pUt5Uz/TDC+u+AIxTwWwIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5jb20vMB8GA1Ud
-EQQYMBaCFGV4cGlyZWQyLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4GBAHhC
-cMpcjXZKmjzJJQm9VepmbPizYXxR2KMOVNC5G8JH0/0U6TfIkdu+qF4G0WXRJEVT
-44ePzwgjOK/7mmHMQvNxwtWAQhQzQ2JFxrQ7vjXGhqVFIm0fNU/Gf01300si1HUI
-nwRhyQxG9IxIE7/FbT01JsWUxtHBHOHCohaEYSyq
+MIICjjCCAfegAwIBAgICAMswDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIx
+MTAxMTIzNDAyWhcNMTIxMjAxMTIzNDAyWjAfMR0wGwYDVQQDExRleHBpcmVkMi5l
+eGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApen5xbyDM2wZ
+HlNaaYAjXzrDC/qwnlhffLVl0l+/+fMx83Yf9yn/MoB+RHxK2Zl8W3BHu+WmlJan
+MLK7q3Tv1X6hYQLR16CluTpLQswUK5Sxc/TdH0k8b+vR9uwDPQ7NVQ4LGnWwEMxN
+zGw1jWiGSg9fL13WKU9fCScIkQVe42cCAwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzAf
+BgNVHREEGDAWghRleHBpcmVkMi5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOB
+gQDGjEY07fjC0JYOYgwOhBXOMJkrTa8Hh4FvXMBB+Rt2VsRf5thkkcKl9Wi1BadE
+os+7qAhS2PHxtmM3aWilxC/esEe7w6bqSv5VT2qSAzOp/q+LGNOB/vDeR+tr04Jx
+o3AhBqpoy9FL3zue1VYYqZn2myvMsWQ0fqwRQAd/h7RQhQ==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC2Ph5
-2UMdD8CAW6mAoSUKgQbCEps6VYPBqa031JzDBzpHD8cmIJfRlmPg9V8K2LXP8VVe
-eG7LW2RBVlSx9082EZNC545NFKDg4Xu01jYP8BrNcJzzu8ip8osiqAzo993AZXoW
-eGZKJ7hYA1M5RCMkSIBhFxwoObjG9Bt1LQ/keQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-JV9x4BGPTibmtXmXJOR0tETUR4RKc+Cis07H55mGDweIWtDT0dmlisLFyFK/rNdO
-zSeOIw2xchD86uNckYZd28OMEoSDI/lVhIxlEXaWvrf+BiaFX3AaPB3oivAp5aF4
-iy9WlTtH1uoE7iNueRd+beg5BgpgV0hyZAnoePQojH0=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANlcwo5q84SEtVy5W/xqbYAzOiYUZ0Shp9+ry/Q/X5uhrDF9JSHNWJbXut+8
+ZJGICt0RYVIJCcaa7FUt5hTKEx4fgURr+Hz84ZgwesMxcECHJPq9ylrCqbPkbmFR
+1XUy2MvioMH2lyc/PbV62XXggJhHioStVLRfyVlkS1KvvR+HAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQBtPJwqu7DiDmFZd58L4xQ6JJhrJzJUDHmT7ikW2tOM58yisCgSnzrR
+xihW+49vUQ9lSGxBHaFwdehAuGTXydnf7/i9i6KA2RZ+Rq12FJFYOhjaIP7Sy1zq
+VXtb+P1eDBQQhz0WgysLVjgGdBiokRv86yY56ficoTQ6EyWzQLCU+A==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.key b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.key
index 3b31a57f7..29fd9aebc 100644
--- a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.key
+++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.key
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: expired2.example.com
-    localKeyID: 03 C3 7C BA 9F F2 B7 B8 7D 68 60 75 BE 3B 17 47 A0 02 67 B2 
+    localKeyID: D7 25 3D B0 CD 84 B6 A0 91 23 8D 39 0C 9F E3 D8 A0 D6 E6 35 
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI+1fTTnzZeCICAggA
-MBQGCCqGSIb3DQMHBAjtTHCBCPf9ngSCAoAVmQMk3hX9mk0xc4GhSQUW/ncAfK/N
-WxlMvcE+C85Liy+ZNFIn509+boPd1Di4DCTcM1Q88JDAqGkeS5uv38pPK+c4EpSQ
-Wn5UWx1ly0OYmebzGVgQMgF6pa2HBhbcEyAiWkvZX/9+ME0amR0glQj6N6G61TjG
-WmRGjUqkPkYkKBSg5+HqlGJRNOwYWLR2R/mAw9L+zsPOVzyalfeyNDHOEMjWF6MZ
-bWQRH79UWD7uC10652/VXpxua+myPQ4WWYBy3aYLKLAAxYfzEfZddnegrt+vK2zn
-oSST1nwEKXRKxs3s6CMrEoA1wy7u8MD+YCSBy1ciXqa3Lf51GjOKJJzdbAblVoEu
-5ST/OpX7ivqbsq6zHRulFqeeggN9Hoqc4CGKj+R4aia2EumMro3qNNCAJVrMHDIH
-/ncXvAW1zU6ZlpP8aOjc+ITHXtOGIhCFa5+XP5/D78To7Jz793NZAG3yxcVgSlUV
-rdJ2I4RqBEpOUdyAABbpHjocsey554gbv+0htleuwTTe+jXNuwMY1m0CCzPaMRno
-LL18EXndjsyuEhhOw78wLUTLF0ZKfhBTvoa/wHr1ahzWTjkgvp5z5h/2WWGiGT76
-8dP6ZX2WyX5smXHqKfnpncAXeAGFdDYz2VPiRcj5pAN8bgrZF5b10rREP6BluLxJ
-DmT719RyDcGLjR3vZzWk3yMXsnruJTvNE3bVufQ8uHeHJXLpO4tvxKQqJa4MbyhI
-ZIdZsRMopmoqh6ZZUFtjBcF7Rg8GmD5xgGmRUeGDDm9dhGlmtCGhqlkrS4p50hhE
-iZ1rYvts3vEjkGwrMyRBBDEKAmbNPX1SOF9IIaClV5MOvMEUrUuPDs18
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQImZNS2klCPs4CAggA
+MBQGCCqGSIb3DQMHBAhII6fkFNt8pwSCAoD0/XaFALLxjx8IJE5txE8nJBFbLuLi
+K1iL5ahVQ9UbPcDp+Ysjh4ME9b+tX/n0lZIc2Bhj7mUgLWQ2l5E8SjcZkWD4EkwF
+DzRm6/VvKIWZAx2Izc/fklbgBC4Ua8juXELF10sdJ9a9aixb6ur7a0c92VBdDiWb
+NKAJ38yeEuYKQbQuyC+HbI1wzOGWNzFAwlkOm/uHJr3+rA/l3KWGg/ok3yRLUoth
+q6HQ1f3T5ZRKzLE3oacjRgSsvo+1wNwpAtUcasUdQmqwmkoBbwfPJpNOFNxMWmz1
+z/eu8grSlVVmBhVOywAHhowzN4B+qRYWt19laYcUK9dQDdix6enCdf23loZIwF+M
+8bdajFdHcvpQ+7UW7Z94oa2/Lq/sGUxUMQtjO6Tr0sywoNCPIyS6YfvZ8TuAiazF
+xW/enLYQr2GbZ9abkKBtSxGBaPOzrcuNB82ja9TYS/f+Dn1q1fABUj1XzKuDJCWP
+PmdTdphnA/M9hie7ceDFkAKZZi1S/m3KZjQWg3mJYdgXBNlZSoL5lnEtoIAqdg6y
+6PS5aK7DOClEEGd2v/8I4awT4SxtQOlNdwGfgtsw8rdOwaUEZSeXJHPPMUu+6iPD
+if1xj5Pw1KBkcYePQRX5JBEOC0IZ0OtmxvWWbJ4uK5Ng7W+1mgf2PUCWwtOYtQvL
+Kxxgk/9/kolu3Txg0FcSYU8fZKoKaSJl+CP41fK7GONiduHc8Ok33jZShdcw5E2k
+k90hk3l6yp6hdUnAyzbY8DnSWPRHnoy/ZkHcwUvwr2u9p/PXKwK4cSyRKgKTsusP
+uAM4Ifxj+AKCRR75LxBy6BrSTLZzFtV5SmvdjDKGc3kPiSjulSjCm860
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.dated.resp
index 0363b8e87..48a7985f6 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.good.resp
index 2cccecfd6..0243f9dbe 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.req
index efd3ec215..63246620f 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.req and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.revoked.resp
index 2cccecfd6..0243f9dbe 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signer.dated.resp b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signer.dated.resp
index 25419ffdf..b6ec943ea 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signer.dated.resp and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signer.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signer.good.resp b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signer.good.resp
index 8bb7a2983..d151d8546 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signer.good.resp and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signer.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signer.revoked.resp b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signer.revoked.resp
index 8bb7a2983..d151d8546 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signer.revoked.resp and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signer.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signernocert.dated.resp b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signernocert.dated.resp
index 3991276a0..69f266075 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signernocert.dated.resp and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signernocert.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signernocert.good.resp b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signernocert.good.resp
index 70ff76ef7..5da2d5fb6 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signernocert.good.resp and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signernocert.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signernocert.revoked.resp b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signernocert.revoked.resp
index 70ff76ef7..5da2d5fb6 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signernocert.revoked.resp and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.signernocert.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.p12 b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.p12
index 88f517bab..c75c7daf6 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.p12 and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.pem b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.pem
index 2535405f0..edf8f941d 100644
--- a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.pem
+++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.pem
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: expired2.example.com
-    localKeyID: 03 C3 7C BA 9F F2 B7 B8 7D 68 60 75 BE 3B 17 47 A0 02 67 B2 
+    localKeyID: D7 25 3D B0 CD 84 B6 A0 91 23 8D 39 0C 9F E3 D8 A0 D6 E6 35 
 subject=/CN=expired2.example.com
-issuer=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhh
-bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDJaFw0xMjEyMDExMjM0MDJaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
-bGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7gLu3gydH924Hw35f
-2W2KQeNCRRwrL1Urn3H9q7NnKccK3QSUizcx83byD4Csd/rkHnVSTm3VJdpCcmXN
-42Snj3D+F2+/IY3pLnWt49n3ivgQKk9pnnRfXMQO7rG/U8geumxXp6XC5Q3qeZqv
-EHa+i5pUt5Uz/TDC+u+AIxTwWwIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5jb20vMB8GA1Ud
-EQQYMBaCFGV4cGlyZWQyLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4GBAHhC
-cMpcjXZKmjzJJQm9VepmbPizYXxR2KMOVNC5G8JH0/0U6TfIkdu+qF4G0WXRJEVT
-44ePzwgjOK/7mmHMQvNxwtWAQhQzQ2JFxrQ7vjXGhqVFIm0fNU/Gf01300si1HUI
-nwRhyQxG9IxIE7/FbT01JsWUxtHBHOHCohaEYSyq
+MIICjjCCAfegAwIBAgICAMswDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIx
+MTAxMTIzNDAyWhcNMTIxMjAxMTIzNDAyWjAfMR0wGwYDVQQDExRleHBpcmVkMi5l
+eGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApen5xbyDM2wZ
+HlNaaYAjXzrDC/qwnlhffLVl0l+/+fMx83Yf9yn/MoB+RHxK2Zl8W3BHu+WmlJan
+MLK7q3Tv1X6hYQLR16CluTpLQswUK5Sxc/TdH0k8b+vR9uwDPQ7NVQ4LGnWwEMxN
+zGw1jWiGSg9fL13WKU9fCScIkQVe42cCAwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzAf
+BgNVHREEGDAWghRleHBpcmVkMi5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOB
+gQDGjEY07fjC0JYOYgwOhBXOMJkrTa8Hh4FvXMBB+Rt2VsRf5thkkcKl9Wi1BadE
+os+7qAhS2PHxtmM3aWilxC/esEe7w6bqSv5VT2qSAzOp/q+LGNOB/vDeR+tr04Jx
+o3AhBqpoy9FL3zue1VYYqZn2myvMsWQ0fqwRQAd/h7RQhQ==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.unlocked.key
index b0af1ef1c..0509284ac 100644
--- a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.unlocked.key
+++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.unlocked.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQC7gLu3gydH924Hw35f2W2KQeNCRRwrL1Urn3H9q7NnKccK3QSU
-izcx83byD4Csd/rkHnVSTm3VJdpCcmXN42Snj3D+F2+/IY3pLnWt49n3ivgQKk9p
-nnRfXMQO7rG/U8geumxXp6XC5Q3qeZqvEHa+i5pUt5Uz/TDC+u+AIxTwWwIDAQAB
-AoGAAJl5xf7kikKj0MmhUnLFQHACChpLvTc+5DJcZ/HegfqSTv0JvbYHg8lH8/1F
-+Q0EbhLW245sGGOOUnYRLXH8aWXiLZHL/Y/RHZf/F2MCu+8nB1n2WRwzJAiJFlah
-heSPV7DzQdIdSl4CSBh69hLQKYYltbM+iihKfDDcn8nHKjkCQQDrIZIu3Sk8LW35
-xstQkNASR6u2IoMeNVZmvPwyCJGvqz6VXMGIxSGi7DWUpiXleFzFBUNCzZORhosX
-yufpGI9XAkEAzCT/UdesO59lhc+DfezRM/yFc1IhBzbdYCrg4XsdGjfj5XwnDE4a
-1vDSgXwFuRagQlqdAd6uZjcfsisFBWY4nQJAUIJmM3W2sMw9Y9EVvLhZBmlT+kFG
-9Aj/VJ5RHDCi8auI+kuQWOxm4ApRLlzVjQTxfuSWa0FIzgNrjPIFBmNKcQJAQPWM
-4QgV4CsKbRfpKYrPzxENjfKWW+tTaiR6xoUcb5lVRVLKQhogZEDhWx6R26GdgT/A
-MjYfnJrx1QnnYR5z6QJBAL/xT2kJ2qnd1HTnJN8Qnst0qyFtM7A6CAg4KbT+DXhz
-KQiPnjaJ90xM6ulBhFXgFxxZf17Il3D0oKgpIBD1hBk=
+MIICXQIBAAKBgQCl6fnFvIMzbBkeU1ppgCNfOsML+rCeWF98tWXSX7/58zHzdh/3
+Kf8ygH5EfErZmXxbcEe75aaUlqcwsrurdO/VfqFhAtHXoKW5OktCzBQrlLFz9N0f
+STxv69H27AM9Ds1VDgsadbAQzE3MbDWNaIZKD18vXdYpT18JJwiRBV7jZwIDAQAB
+AoGABY+IeAif6xbJ5rrLcnLBfL0W8W1XAw+aL69SuNDNud5dQ7gnTRziuToWQUxb
+I9zhjpz+Qn1pblx4QQkUgiQar6LLMgW4ZpJBCKQd7AGdzirSUqUgY2IwRUam+9Jr
+NkBLiUlPcQ9GbEDUBSZ/JQJCIMrtCUAc//uERHgNF3prJ3UCQQDUX3gedmnKvMQY
++YLRIYEfFo6ASUfTEs0Dt2A4p8ICLNXa2rVsE09dAqUyepUYa6geXXRxEPeEsLUg
+xYGK+ZAbAkEAx/9D3k45moQYt+S0NE/fPcd673mAGV8i8d0cr2QG9zTpoIszmHH6
+kqJkh0JmOuBLOP7pldqR8Vibqj1JsXMmpQJBALrLri+9H5g/KIx/Cl1ABv59LKIR
+0qcJJmJabLvocnDPVtrE/EYvReMdbIhV4cY1Cw6KTN0We1+uveIxVpwSnnkCQH9D
+gQVqE5+uZShHgSA0nyLp1+GhGBGNB2iOwh0dco1F/1Boo9li1gcPDRdA+lqGtXc8
+RplT70B7mPqYa1depf0CQQDT02pzQYCGet7u/NKyJi1Cc3UFx6FnielEL96zmtWT
+EbYXb7aoazRiRttYiYGauU8NebHaTWAHaTFf+EVzfJLz
 -----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/expired2.example.com/key3.db
index 73e05e43e..2768cbd5f 100644
Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/key3.db and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/ca_chain.pem
index 93e18035b..cde036853 100644
--- a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/ca_chain.pem
+++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/ca_chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.com/CN=clica Signing Cert
-issuer=/O=example.com/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.com/CN=clica Signing Cert rsa
+issuer=/O=example.com/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC2Ph5
-2UMdD8CAW6mAoSUKgQbCEps6VYPBqa031JzDBzpHD8cmIJfRlmPg9V8K2LXP8VVe
-eG7LW2RBVlSx9082EZNC545NFKDg4Xu01jYP8BrNcJzzu8ip8osiqAzo993AZXoW
-eGZKJ7hYA1M5RCMkSIBhFxwoObjG9Bt1LQ/keQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-JV9x4BGPTibmtXmXJOR0tETUR4RKc+Cis07H55mGDweIWtDT0dmlisLFyFK/rNdO
-zSeOIw2xchD86uNckYZd28OMEoSDI/lVhIxlEXaWvrf+BiaFX3AaPB3oivAp5aF4
-iy9WlTtH1uoE7iNueRd+beg5BgpgV0hyZAnoePQojH0=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANlcwo5q84SEtVy5W/xqbYAzOiYUZ0Shp9+ry/Q/X5uhrDF9JSHNWJbXut+8
+ZJGICt0RYVIJCcaa7FUt5hTKEx4fgURr+Hz84ZgwesMxcECHJPq9ylrCqbPkbmFR
+1XUy2MvioMH2lyc/PbV62XXggJhHioStVLRfyVlkS1KvvR+HAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQBtPJwqu7DiDmFZd58L4xQ6JJhrJzJUDHmT7ikW2tOM58yisCgSnzrR
+xihW+49vUQ9lSGxBHaFwdehAuGTXydnf7/i9i6KA2RZ+Rq12FJFYOhjaIP7Sy1zq
+VXtb+P1eDBQQhz0WgysLVjgGdBiokRv86yY56ficoTQ6EyWzQLCU+A==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.com/CN=clica CA
-issuer=/O=example.com/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.com/CN=clica CA rsa
+issuer=/O=example.com/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJmw215lURHtIlsmndGX
-4rn6AyPcReCzRClw8icPv5GzxDnXxqbjK8Ghvkil8RAV8mAkDXDzDi8J5NIsMKwk
-EF8LaGfnbhaeRkvfDXN4YGrGclMMCVN4zk810pDrfrz3KCGpokOKoaWUsRTTdftk
-xyfw2Ui1nPNfg9fO/cfAyr9FAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBABrTmR8+gtECLU7zsbrs
-RKIeE9YSXxsqzv3DPpUj9VN7l05ERe3db7/TNePBLH0KwpjWljuPDUhKWC5jQvkf
-gBEr0CKALQGWU0sQJDNhR3SDsPUGU0BFUQT7g1B94Dmp72ivHLjMrtxnLrOT32Uh
-iaEG3X51ApoqRRyXcSJZBcYN
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2N3YjbHA
+BEKAiUHwJ0VMAAe/KMOM8slXOAKni4v7Vf6BzbO5B6uaKhDV2n3V0vXwMdAoeBaq
+3s9CHOjDXwjF1qf/p4w3Z2aUIVt/Mb+uEcPUlq0Nr8OLlH11QKbkvFtLxU3sUAoi
+fcaydi1q3tszjPQ0tKlLo6kOzcgi8d47WccCAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAAzD/Zszo
+X4ieSQQxDOH53VkiAJDs32qso9YzGbQaenuRnVFCuo7rt68cjMcOjzf18/I+iMeH
+nEcdqkfoYB4Z3LXvDaRGZhg/ZOv58muzRnsW2oQI9yFqDwD0FZPtM6Vq0AWXjLuq
+IogOI5fShSo7H5hc3vrkvS7KUhzuv3FKnaQ=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/cert8.db
index e2220994d..90c6e822f 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/cert8.db and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/key3.db
index d2c6f319f..f4d6ffc16 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/key3.db and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem
index e08a47ed1..b25f19a6a 100644
--- a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem
+++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
     friendlyName: revoked1.example.com
-    localKeyID: A4 6E 43 75 F5 17 61 E2 7D E3 F3 6D D0 F8 F9 9C D7 EE AD 1A 
+    localKeyID: 4C C0 73 49 E2 6D E5 D1 73 F1 0A 72 4B 0F 9F 07 88 2E E2 A4 
 subject=/CN=revoked1.example.com
-issuer=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMVoXDTM3MTIwMTEyMzQwMVowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
-ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKWRE4+5vBjQ8HKVvG6A
-P63xO0tLcyJqfWDiQs+1dis0POIH5U3UJ3gTUxgwii0Lbmm+f9cjXITGTEjifTOt
-+jI4t7X2wOYNC4986xlj+OqtcwpkjByUoRiJUgZqkrjRqA3OLaXBoK6CJnz0Ar9W
-XR+xSPTfS0M9erQ4u4pUptVvAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG
-A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
-hiFodHRwOi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
-KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLmNvbS8wHwYDVR0R
-BBgwFoIUcmV2b2tlZDEuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADgYEAfMKs
-DF9N6RkX03DDgnHCSeWrGGTbkD+O2r8MutrHUGDVOkd0HNTH6q207Ro7PX5kqvhO
-lboY6ZEvQKVNSfAi01i5Y5s6wb1DDv7DxHhcLqHwtdFBieoSlyWZKP2wO63g79DF
-ApUPsvWWzYNNY00kw375TMgpKwWuT41Ku6su4eU=
+MIICjTCCAfagAwIBAgIBZjANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDFaFw0zNzEyMDExMjM0MDFaMB8xHTAbBgNVBAMTFHJldm9rZWQxLmV4
+YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWGeoiTtjQGgld
++qA53Ah8LKoHUUf68bUK2LApL/QX385PUGx4s5D9nWRrJcyUjWDa6Dcq5a2KzamD
+JNIrzknF0kvPgY0wNtWhuxHMKfKWL/1cPGqXe2tW1RQRWZ9+NnfQT1zJJGe7bhgm
+MxKc/u7bw5g3rS6mijIBTj0NIwLSxwIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5jb20vMB8G
+A1UdEQQYMBaCFHJldm9rZWQxLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4GB
+AMK62ueK6c1CLviNLweAAmUedPoDq+60UsXHgJdapLd3SPTbOnON90e252gkLBcF
+cx/HssJUysJic+r3qKrSPRDtT4KK1j2fx/KIEDgyr8/u4F5R7UcK+WyiA/IVX1y5
+8Z0iNPzOTKGTAAlnnF+nZTvoOQS0Y93N9IVNFWLjrqTV
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC2Ph5
-2UMdD8CAW6mAoSUKgQbCEps6VYPBqa031JzDBzpHD8cmIJfRlmPg9V8K2LXP8VVe
-eG7LW2RBVlSx9082EZNC545NFKDg4Xu01jYP8BrNcJzzu8ip8osiqAzo993AZXoW
-eGZKJ7hYA1M5RCMkSIBhFxwoObjG9Bt1LQ/keQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-JV9x4BGPTibmtXmXJOR0tETUR4RKc+Cis07H55mGDweIWtDT0dmlisLFyFK/rNdO
-zSeOIw2xchD86uNckYZd28OMEoSDI/lVhIxlEXaWvrf+BiaFX3AaPB3oivAp5aF4
-iy9WlTtH1uoE7iNueRd+beg5BgpgV0hyZAnoePQojH0=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANlcwo5q84SEtVy5W/xqbYAzOiYUZ0Shp9+ry/Q/X5uhrDF9JSHNWJbXut+8
+ZJGICt0RYVIJCcaa7FUt5hTKEx4fgURr+Hz84ZgwesMxcECHJPq9ylrCqbPkbmFR
+1XUy2MvioMH2lyc/PbV62XXggJhHioStVLRfyVlkS1KvvR+HAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQBtPJwqu7DiDmFZd58L4xQ6JJhrJzJUDHmT7ikW2tOM58yisCgSnzrR
+xihW+49vUQ9lSGxBHaFwdehAuGTXydnf7/i9i6KA2RZ+Rq12FJFYOhjaIP7Sy1zq
+VXtb+P1eDBQQhz0WgysLVjgGdBiokRv86yY56ficoTQ6EyWzQLCU+A==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.key b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.key
index 271ee628f..d1d3f0ea5 100644
--- a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.key
+++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.key
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: revoked1.example.com
-    localKeyID: A4 6E 43 75 F5 17 61 E2 7D E3 F3 6D D0 F8 F9 9C D7 EE AD 1A 
+    localKeyID: 4C C0 73 49 E2 6D E5 D1 73 F1 0A 72 4B 0F 9F 07 88 2E E2 A4 
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIxIoJd+wM7r8CAggA
-MBQGCCqGSIb3DQMHBAjniEOF/iAnggSCAoCGcL9tpCttSP5YygyMiWoJAGuIku9p
-VqA1arNd3rxsKTOWeBnl/c8+p/bbRCkQ/6/Ibf+53AHaNCazVdXWrZQqr8mUK+vu
-DtIUD9at2Ke+rKmSyZXxQ6R9USnU2XI3OQtRou1h1Ba9dSd8YmbTAs9eTuwxeI8/
-0k2lD46LhCIulQZRNzW5Balb8GnvCK+qeIbFzFti8R8ofqA9/mNNTCxHa1ZiXREe
-R1Wtd9GdRxagshp6VIm4huKaa7NPfDALaH6OHKtCh3ZmV4y+V/ZBpFRe8JHc1ppS
-ZM0viEW4+upIGdW1wO1LC5Ncf9B2T4nH0bx9Ic2WP3EntTISkPfDzirQxpkkjqOk
-6cn657OM2Yz8ueqsj/jFf+ah0+x+CeXQCMduZIVm6Us5KhjXW0uuliIegQzqv3bF
-wEEt+Qf6hno3VmDVLfS9G1P+FVEJh8yIpvxJt2wtV8w94HeaNHsE4EFpc9GBloY1
-XjlMm81rNFWxUQwRd7pN004IA/WnUpBg9ZdC2zxsoympCbe+GrLnlv9XG/aCLYpM
-0JneX5RjM4l+S46UgjpDgwsmkvtxdubYiu1O7b0btEV0pg0poz//PxR/MCPLFcrc
-vuuj03BJPEVJkHWq+LtszRI2WMqz1kfHcmDVoWC05IkpIUYjd8pSv4tFkGbdaczr
-3alR5o6UFRMiL7ziURnxwUlJvqxIy0533rTtdU42qUxX1fNfKTQXAABBhBAQME68
-vApjNrrTbr0FlEcZvGMRDedbxTWqvRSlM50FpiTLpm4+roSpKKOs150+TW6fXX7F
-CC0y0s+NCxFawyi2BZacLRWb95OuZoVOLw34nJcpaSOc9uVHOS34KzAa
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIde1ywCSD4GcCAggA
+MBQGCCqGSIb3DQMHBAg4DHTMV0XGBQSCAoC1KXNuYDr6cKKrifCTLM2Ig/tKxl5v
+dgxEKjzyyFu9elepe+DM/DJFzt3kK16SL257va54hubh1ics6GfHTmVVSKk7P2dg
+tG9ERb1/IU+S1Ybn3zyVF1yzLXS2+2eIsiA2YlqwI3HHs8QVbQA23ZTzSVoGjZJF
+xZHPIovabqk+8waN0aqGkySdy7DVMMpI0zmpZ+v+eTkox9hxZ35eekBO297qlL9G
++q9RXJxG0K32s33imDsz9laRlbU2o953Eto08YfiZr498L8ZIXlfGeaTBsZGiF3+
+R5vT9KgoImdg04gVqeP1I2t1oVEcqyljxxHzTlIdsNKXKVw7G3iX183HC1iyRc9O
+e3b3GzBrRsgu6lM/PphPKzOtzct+Pzv/RypMWEodbfRmGAibWXbNeFX0TjTCT/zt
+cpqD0m6oErjFvPmB4tDR+8BrDr1WbVUT60ZTPV/EFpcazY07/MvyjLbNX/v3lvrg
+fJnlh3E3P/m0CsopbdzaLcIBvLbdLnGxN1Q+pJjwJupsDO8PX/kbIg8nTaTP0ZK9
+XPG+whtccwaehBB1yC/21UJ/SQJa3eJwieaOEKkt6DXzsnOAUXaTNaWrGs7bDS58
+n/BioHG76HJVJorJ+nblE66kFsicxOdMAL6dP+l7bsup4RjwjlCGBpknwt2Vnhm2
+Kyn17WhZqsl01dyTGwy67qbQG5L7YEIckoRyl5pKS3l0z5xZV8q7qDMIuO63zre+
+j3yhSu2NROvYSkZAoDSIo+4hq7X9G4cqSx6CycR6xfo0vnFVu0Yu9nJKURzLKNdi
+xjxEYdjY/9R5R1ji+YB1rNALLdAQMHLIyFZuC54rqWA/Ta+V9E5047zO
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.dated.resp
index 3cb228176..486bc4fed 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.good.resp
index 3c06a8106..84739bc4f 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.req
index 2f76807ae..5eca96c9b 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.req and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.revoked.resp
index f5fe0ca4b..305958559 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signer.dated.resp b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signer.dated.resp
index 1422efe94..db49977dc 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signer.dated.resp and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signer.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signer.good.resp b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signer.good.resp
index efbb9da11..c2c5d68b6 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signer.good.resp and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signer.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signer.revoked.resp b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signer.revoked.resp
index b3fe7e7f0..f9b913e46 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signer.revoked.resp and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signer.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signernocert.dated.resp b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signernocert.dated.resp
index 752c3dcb3..3990794fc 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signernocert.dated.resp and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signernocert.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signernocert.good.resp b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signernocert.good.resp
index 6e2c784ea..6f2e84d1f 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signernocert.good.resp and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signernocert.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signernocert.revoked.resp b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signernocert.revoked.resp
index 54464e5ac..8e288b063 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signernocert.revoked.resp and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.signernocert.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.p12 b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.p12
index f2cb65b65..134885c8c 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.p12 and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.pem b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.pem
index 4ba3317de..835876efd 100644
--- a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.pem
+++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.pem
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: revoked1.example.com
-    localKeyID: A4 6E 43 75 F5 17 61 E2 7D E3 F3 6D D0 F8 F9 9C D7 EE AD 1A 
+    localKeyID: 4C C0 73 49 E2 6D E5 D1 73 F1 0A 72 4B 0F 9F 07 88 2E E2 A4 
 subject=/CN=revoked1.example.com
-issuer=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMVoXDTM3MTIwMTEyMzQwMVowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
-ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKWRE4+5vBjQ8HKVvG6A
-P63xO0tLcyJqfWDiQs+1dis0POIH5U3UJ3gTUxgwii0Lbmm+f9cjXITGTEjifTOt
-+jI4t7X2wOYNC4986xlj+OqtcwpkjByUoRiJUgZqkrjRqA3OLaXBoK6CJnz0Ar9W
-XR+xSPTfS0M9erQ4u4pUptVvAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG
-A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
-hiFodHRwOi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
-KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLmNvbS8wHwYDVR0R
-BBgwFoIUcmV2b2tlZDEuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADgYEAfMKs
-DF9N6RkX03DDgnHCSeWrGGTbkD+O2r8MutrHUGDVOkd0HNTH6q207Ro7PX5kqvhO
-lboY6ZEvQKVNSfAi01i5Y5s6wb1DDv7DxHhcLqHwtdFBieoSlyWZKP2wO63g79DF
-ApUPsvWWzYNNY00kw375TMgpKwWuT41Ku6su4eU=
+MIICjTCCAfagAwIBAgIBZjANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDFaFw0zNzEyMDExMjM0MDFaMB8xHTAbBgNVBAMTFHJldm9rZWQxLmV4
+YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWGeoiTtjQGgld
++qA53Ah8LKoHUUf68bUK2LApL/QX385PUGx4s5D9nWRrJcyUjWDa6Dcq5a2KzamD
+JNIrzknF0kvPgY0wNtWhuxHMKfKWL/1cPGqXe2tW1RQRWZ9+NnfQT1zJJGe7bhgm
+MxKc/u7bw5g3rS6mijIBTj0NIwLSxwIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5jb20vMB8G
+A1UdEQQYMBaCFHJldm9rZWQxLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4GB
+AMK62ueK6c1CLviNLweAAmUedPoDq+60UsXHgJdapLd3SPTbOnON90e252gkLBcF
+cx/HssJUysJic+r3qKrSPRDtT4KK1j2fx/KIEDgyr8/u4F5R7UcK+WyiA/IVX1y5
+8Z0iNPzOTKGTAAlnnF+nZTvoOQS0Y93N9IVNFWLjrqTV
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
index bc27cf915..f0fdba7ba 100644
--- a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
+++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQClkROPubwY0PBylbxugD+t8TtLS3Mian1g4kLPtXYrNDziB+VN
-1Cd4E1MYMIotC25pvn/XI1yExkxI4n0zrfoyOLe19sDmDQuPfOsZY/jqrXMKZIwc
-lKEYiVIGapK40agNzi2lwaCugiZ89AK/Vl0fsUj030tDPXq0OLuKVKbVbwIDAQAB
-AoGAT+DK+bwH0kc3wmiYdQ1964snar+3iAKtg8kVp8VqAhUdTIW3rRFui2FzZQfC
-GlJaDj1gyyhd0hcjpcRT2FOXEc4g489xkS/kOgeQPCFlwPN+I/PmZ1E3iDM7Qs4i
-2XUePg2Zb+el4QEuBNWkVpU3btOy+8gQmao0GnRX9Q0C0O0CQQDN8NjE7cLIZKBQ
-00yVtD7F40yGWnKl/DW0QzHbn+etWJ5xsZk17BiTHFXfEUtTzzYA79WsNFJX5j7+
-neGJhtONAkEAzc/bEQwF3KclOfGo5o8LGftbafME64QYhrp46R086jpuZR+mw3vv
-5deBNgYwyswomQklAR9z4DnXH16klmrv6wJBAMhQ5FkxOAz6LCJSVaUsbP7JaE8r
-PWeM2qQb1Cxf7tdjYsMOUAvuOb0mi7RtuwqrfEkPAJT/U7UiRdYethmypqUCQAW/
-NhjFwywkJq/1hYfamq7BDA5rUMnayGyKrHGl9Vt9AjQkrB1tSoeaeustRROEm+Wa
-EcR0QmISe2VO2T2yAr0CQQCznB4IUSbabutzmEavAlwu45Bart2lDTm+WVq1+Tn0
-/fcwC7q50lB5yfnlJPuhWGvEZmluFcr8HeMIAZ8mHuPZ
+MIICXQIBAAKBgQDWGeoiTtjQGgld+qA53Ah8LKoHUUf68bUK2LApL/QX385PUGx4
+s5D9nWRrJcyUjWDa6Dcq5a2KzamDJNIrzknF0kvPgY0wNtWhuxHMKfKWL/1cPGqX
+e2tW1RQRWZ9+NnfQT1zJJGe7bhgmMxKc/u7bw5g3rS6mijIBTj0NIwLSxwIDAQAB
+AoGAFPW/HT7qn98+QoQm/z/iWF6HaL77obGomSUi6qCGSd4M4WizFDmNr+s8KcP7
+qSFfTx7246a0XIdxmTEK630lbWAMc6uIpk1ylHQ+MrtIthhwXMN9Pe6SOoVYVrlD
+IjjW/xywRN2Bv4C7LO++vwijZC0y+LKPOZgGvgu+8JFPy+0CQQDulW422AGwE3dx
+brQ3DIVoue0JVGAqOoWXDbrRpFzMb/E0rXejI1dypjRhcE2ZCu9Q0cnNqE7sTRTK
+SgnY8NVVAkEA5br2wtUf+46W2VmW1I9zFYnkJ6m2egnuJsnA93pJiRrUkCJBMswt
+RFhIGouq0MWUE4aco8SxdqiD3CJ/kxMHqwJBAMAHnD8eWzVqZa/yJ7FLLbHePFBP
+DlvO4Kl1DpIgVeTikOUSXgH7ty37YpuutXZiG78UK/aQ6n09iWdMcmKfbUUCQD9w
+nAg9trFPNRUcimx0mMFP7POPCFc3Os73VBSDbp8wC5cp/ns6qx1+i5rZCvjQNw4V
+VFhdTuyHqLI3zKce0DUCQQDMd2vUyYNolhTjUOg+ojj0JGr1AmTpRqBbVd3Qu84r
+LjyF3YKaiD18Y4dtzQfCWNzyhkKd4k4nVaY1cygxSqEF
 -----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/ca_chain.pem
index 93e18035b..cde036853 100644
--- a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/ca_chain.pem
+++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/ca_chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.com/CN=clica Signing Cert
-issuer=/O=example.com/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.com/CN=clica Signing Cert rsa
+issuer=/O=example.com/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC2Ph5
-2UMdD8CAW6mAoSUKgQbCEps6VYPBqa031JzDBzpHD8cmIJfRlmPg9V8K2LXP8VVe
-eG7LW2RBVlSx9082EZNC545NFKDg4Xu01jYP8BrNcJzzu8ip8osiqAzo993AZXoW
-eGZKJ7hYA1M5RCMkSIBhFxwoObjG9Bt1LQ/keQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-JV9x4BGPTibmtXmXJOR0tETUR4RKc+Cis07H55mGDweIWtDT0dmlisLFyFK/rNdO
-zSeOIw2xchD86uNckYZd28OMEoSDI/lVhIxlEXaWvrf+BiaFX3AaPB3oivAp5aF4
-iy9WlTtH1uoE7iNueRd+beg5BgpgV0hyZAnoePQojH0=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANlcwo5q84SEtVy5W/xqbYAzOiYUZ0Shp9+ry/Q/X5uhrDF9JSHNWJbXut+8
+ZJGICt0RYVIJCcaa7FUt5hTKEx4fgURr+Hz84ZgwesMxcECHJPq9ylrCqbPkbmFR
+1XUy2MvioMH2lyc/PbV62XXggJhHioStVLRfyVlkS1KvvR+HAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQBtPJwqu7DiDmFZd58L4xQ6JJhrJzJUDHmT7ikW2tOM58yisCgSnzrR
+xihW+49vUQ9lSGxBHaFwdehAuGTXydnf7/i9i6KA2RZ+Rq12FJFYOhjaIP7Sy1zq
+VXtb+P1eDBQQhz0WgysLVjgGdBiokRv86yY56ficoTQ6EyWzQLCU+A==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.com/CN=clica CA
-issuer=/O=example.com/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.com/CN=clica CA rsa
+issuer=/O=example.com/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJmw215lURHtIlsmndGX
-4rn6AyPcReCzRClw8icPv5GzxDnXxqbjK8Ghvkil8RAV8mAkDXDzDi8J5NIsMKwk
-EF8LaGfnbhaeRkvfDXN4YGrGclMMCVN4zk810pDrfrz3KCGpokOKoaWUsRTTdftk
-xyfw2Ui1nPNfg9fO/cfAyr9FAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBABrTmR8+gtECLU7zsbrs
-RKIeE9YSXxsqzv3DPpUj9VN7l05ERe3db7/TNePBLH0KwpjWljuPDUhKWC5jQvkf
-gBEr0CKALQGWU0sQJDNhR3SDsPUGU0BFUQT7g1B94Dmp72ivHLjMrtxnLrOT32Uh
-iaEG3X51ApoqRRyXcSJZBcYN
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2N3YjbHA
+BEKAiUHwJ0VMAAe/KMOM8slXOAKni4v7Vf6BzbO5B6uaKhDV2n3V0vXwMdAoeBaq
+3s9CHOjDXwjF1qf/p4w3Z2aUIVt/Mb+uEcPUlq0Nr8OLlH11QKbkvFtLxU3sUAoi
+fcaydi1q3tszjPQ0tKlLo6kOzcgi8d47WccCAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAAzD/Zszo
+X4ieSQQxDOH53VkiAJDs32qso9YzGbQaenuRnVFCuo7rt68cjMcOjzf18/I+iMeH
+nEcdqkfoYB4Z3LXvDaRGZhg/ZOv58muzRnsW2oQI9yFqDwD0FZPtM6Vq0AWXjLuq
+IogOI5fShSo7H5hc3vrkvS7KUhzuv3FKnaQ=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/cert8.db
index f43b3af59..59574bcc2 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/cert8.db and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/key3.db
index 757fb3c0a..7ae7ae479 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/key3.db and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.chain.pem
index ca60c8119..e084d258f 100644
--- a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.chain.pem
+++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
     friendlyName: revoked2.example.com
-    localKeyID: 56 16 8A 9E 0B EB F6 31 A5 7D 38 3F 0D E9 67 70 05 98 7D 89 
+    localKeyID: 7E 85 5C 51 34 1E 3A D0 E3 21 36 59 EF 77 71 6C C2 DC D5 42 
 subject=/CN=revoked2.example.com
-issuer=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhh
-bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDJaFw0zNzEyMDExMjM0MDJaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
-bGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGe+/fQwDwwqWA0ysH
-eTLg7C1qmbgu39qxlggpYqfD9FmphJnhw9fDwndeCVxiAtYFThJ6MtJgTV1R/II9
-4oBftgWT2LlvCrUK+3j6PjVHlpFSoLtmOSj0I4NBTcxofXH6Vje6pYruEOnXLhxK
-Sn7vtx8Fzgo3aLTlgCQIRRs/fQIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5jb20vMB8GA1Ud
-EQQYMBaCFHJldm9rZWQyLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4GBABzS
-kAeaoXMuHHyYsrKY2nuzP2OWi65kgyL6TngE1rDGySkhrgkro+Am8/z1uHzpwR6c
-hfCMY/XA2LEfenVJ71gxTBHnIItIAcLN7ZJkLKhgOGMEupzPNZlUnqFwUpAhxtPy
-0tIlyeKHR4hlWb1hs2z6PEqqOLB2ovvfqAxdqf9h
+MIICjjCCAfegAwIBAgICAMowDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIx
+MTAxMTIzNDAyWhcNMzcxMjAxMTIzNDAyWjAfMR0wGwYDVQQDExRyZXZva2VkMi5l
+eGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAv457HTnG6tQp
+fQeayAQ6Coz7JiuYkLEqRanlL2R6qdvWENPIkr3LAeXjZBb3la0lEgg1ouwL4RL4
+yYEHMnwt99jXethIG+JZS6SYVTaopm9gOWk1HpacaMFTMZgwv52R1cgCUm/Uth50
+1Be7C8lWgPSR03KfkdmBxYLuSUyPfg8CAwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzAf
+BgNVHREEGDAWghRyZXZva2VkMi5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOB
+gQCEiOCabF5VLQs0vTdIV0JVYNZKYFDpOI8sLar23Xxhf0RN9fBTiAQnXPCw7ZHy
+Tcy8Sc63lYuXqOQos9GM3ejsAtevrol2xZoYcnWvigZUHRX+p5kwN9E4mGkVLO14
+raobs9XhLSIlPDcEXW15cuHa66Mq5xWuAZ9wUMvwCyoFRQ==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC2Ph5
-2UMdD8CAW6mAoSUKgQbCEps6VYPBqa031JzDBzpHD8cmIJfRlmPg9V8K2LXP8VVe
-eG7LW2RBVlSx9082EZNC545NFKDg4Xu01jYP8BrNcJzzu8ip8osiqAzo993AZXoW
-eGZKJ7hYA1M5RCMkSIBhFxwoObjG9Bt1LQ/keQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-JV9x4BGPTibmtXmXJOR0tETUR4RKc+Cis07H55mGDweIWtDT0dmlisLFyFK/rNdO
-zSeOIw2xchD86uNckYZd28OMEoSDI/lVhIxlEXaWvrf+BiaFX3AaPB3oivAp5aF4
-iy9WlTtH1uoE7iNueRd+beg5BgpgV0hyZAnoePQojH0=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANlcwo5q84SEtVy5W/xqbYAzOiYUZ0Shp9+ry/Q/X5uhrDF9JSHNWJbXut+8
+ZJGICt0RYVIJCcaa7FUt5hTKEx4fgURr+Hz84ZgwesMxcECHJPq9ylrCqbPkbmFR
+1XUy2MvioMH2lyc/PbV62XXggJhHioStVLRfyVlkS1KvvR+HAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQBtPJwqu7DiDmFZd58L4xQ6JJhrJzJUDHmT7ikW2tOM58yisCgSnzrR
+xihW+49vUQ9lSGxBHaFwdehAuGTXydnf7/i9i6KA2RZ+Rq12FJFYOhjaIP7Sy1zq
+VXtb+P1eDBQQhz0WgysLVjgGdBiokRv86yY56ficoTQ6EyWzQLCU+A==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.key b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.key
index ff49272f2..348d76186 100644
--- a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.key
+++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.key
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: revoked2.example.com
-    localKeyID: 56 16 8A 9E 0B EB F6 31 A5 7D 38 3F 0D E9 67 70 05 98 7D 89 
+    localKeyID: 7E 85 5C 51 34 1E 3A D0 E3 21 36 59 EF 77 71 6C C2 DC D5 42 
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIb0wALdeJZD8CAggA
-MBQGCCqGSIb3DQMHBAgKGxPM9mU8ZASCAoCTwlu6oehSYz24UqwHYgk5EjZzaGKC
-O2cedBNqLeuR2XONmnsELaFSlPgUpiPcV//AjuJapRy0Jizm8g+mKL95P6NNx61J
-ha/Tr7ACCJnnD0HaqVx/2lLyjCS781oXrB3hSM4M9lsgL8XR88yw9cVly5PA6vfE
-IICqsJWI7ZENYfmwJSx2Sbh0NhPt6S0Ps33l7i/0iPiXcIjJdDDdtZy6HSMz2eDH
-apZlEZcEeUsZ42esDOnyB3zAFIt1I27ex0D5Yj/LjcSdP6nuxn87lqfppwciKSRm
-8HfVFtpqb3b2M2Q70E/yNEND5BL00LZzuotEo7CMvTK37OQIJhindWE8Hk0Q8x3H
-5p7cEKKclqoPB0MiXHXtPiV9j8Amn8FtquRYsBqJn8VQDum/7BCpduiMNrHaj0hU
-6775q2qbC8A5JVbcplTerCuRHaX/DE3vjAIBnFmXm+AGwcu9j/Q6ZWSWW4mDO1UW
-p77EHLHBkluFI0P2rhccgyg7O/31d48Lf2csS/rUKGb9B0gR0eumzCgLw5UCtD6y
-2U2GWL3H2EGN1Ph3L5lOjG6PdS9o8u0omU23JtYVpRwEDwS/fvS4emFunMpH2X4O
-9cmPAvTh0RwQIwcbG81dxhNR8AEa2GENwYBIuh0S9ZWiWB3Z+a2eXNPtzt28wPfo
-sPeRnVuvooGbu29hzKuY9L8s+aqAYccqzrOn3Z6Qwl7VPml/yMxPjpyfTjvu5vxU
-1z8jzzuCZG7Pn9wqSvQjSImUoqE+c0NXkFU0jA0cvrTceODNcgylRvwy8l05YeOW
-uFmMzr+GCY2Fvk37BS+2yUetIU49EHLCXnzk+nsLkRG8pGgdnl1MTnJV
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIxsl/hF+kYl4CAggA
+MBQGCCqGSIb3DQMHBAiCbdpohZr9+ASCAoCzG+J1yg/PB+jphh1qXT84lTBK4G1m
+v46KcDdsWM12ZdTTZZVLFpgoux1diGwOJ0DEwbXudXVjc6pXfmJphgOvhfF2RWcl
+kN8VDPslm5AHDNyMzxK9gMkjsTItyBkpAn3KZeGrllnitJGrXb5oyUG5wC/8QrH2
+vfip7bZr0QpwdmHCy5dGrKFbhq1M5wHu3jtXeUlvvOoWCHJbg2BZx9VD/Xc6ytE6
+eJPe4J2seeYMzNI8t6MwSPvnwIzC8rEcO5nteWBJdWetucC4w3OWWU4/2iIV9SvP
+/YBT9wHpstWVYTxLYnIE/59vXUGZEJXsgHvLGaYH2VFziDuCk+N4oGko9FrTMYHV
+2LmdfamGLKq3qtfTbqemJ4XEehBghGiMDxHca8CqBX4EF0QI32AxZarhCGaUBGuF
+NWWD4Qyv2Q8J+C6amCCl1ht9sfIvjH9a+hOH/h7Cy2gvEHPNiwN8ppbfdIxxvdDO
+gF+8gA3RtcOMnEMHUi2mRgiT5cVG2+0D17X6rBwYvOBIjZQZB0CKBuNWzdcbWNeG
+jmwuMbEAnSN85pcxIf559VQ8151CxpZ4E166eEOXe3dQ0A2GGwS+Up7BgdYyFpub
+U7FRHwJTuGCZ1ecFAekPnDYGMloOg/adXmuDLpuFdYAy0rftfzY1NljEYx/77HsR
+mmZD7Hs0NqJNRaaC2WWfzc9SNG4ru9msOWCP8kKAEvVQDa9keel8qbkK/d/RDLvI
+b4chuUejqeZ0oOfw7FK24VIrmXRJnuDGfb/J7ryIJctDhSe1e4RIHoTnqUTWg09B
+c4nuMBSB85ghoP2aXX9aab/V19yhQ0UnCU3RqUJlfvpWGmhJYoMSwc0I
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.dated.resp
index 684fb7a9a..862739b47 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.good.resp
index dc454be8b..db6f0e980 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.req
index 3e2db6bec..2072ac479 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.req and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.revoked.resp
index dc454be8b..db6f0e980 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signer.dated.resp b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signer.dated.resp
index 838cf031b..77c7a2f78 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signer.dated.resp and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signer.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signer.good.resp b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signer.good.resp
index 39f3cd5fc..cb0de9731 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signer.good.resp and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signer.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signer.revoked.resp b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signer.revoked.resp
index 39f3cd5fc..cb0de9731 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signer.revoked.resp and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signer.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signernocert.dated.resp b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signernocert.dated.resp
index 50e526ae6..eced7fefd 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signernocert.dated.resp and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signernocert.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signernocert.good.resp b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signernocert.good.resp
index 9a394d8b4..843eb9130 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signernocert.good.resp and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signernocert.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signernocert.revoked.resp b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signernocert.revoked.resp
index 9a394d8b4..843eb9130 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signernocert.revoked.resp and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.signernocert.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.p12 b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.p12
index 910292602..2d32de43e 100644
Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.p12 and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.pem b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.pem
index dafaf5713..05cb86845 100644
--- a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.pem
+++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.pem
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: revoked2.example.com
-    localKeyID: 56 16 8A 9E 0B EB F6 31 A5 7D 38 3F 0D E9 67 70 05 98 7D 89 
+    localKeyID: 7E 85 5C 51 34 1E 3A D0 E3 21 36 59 EF 77 71 6C C2 DC D5 42 
 subject=/CN=revoked2.example.com
-issuer=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhh
-bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDJaFw0zNzEyMDExMjM0MDJaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
-bGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGe+/fQwDwwqWA0ysH
-eTLg7C1qmbgu39qxlggpYqfD9FmphJnhw9fDwndeCVxiAtYFThJ6MtJgTV1R/II9
-4oBftgWT2LlvCrUK+3j6PjVHlpFSoLtmOSj0I4NBTcxofXH6Vje6pYruEOnXLhxK
-Sn7vtx8Fzgo3aLTlgCQIRRs/fQIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5jb20vMB8GA1Ud
-EQQYMBaCFHJldm9rZWQyLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4GBABzS
-kAeaoXMuHHyYsrKY2nuzP2OWi65kgyL6TngE1rDGySkhrgkro+Am8/z1uHzpwR6c
-hfCMY/XA2LEfenVJ71gxTBHnIItIAcLN7ZJkLKhgOGMEupzPNZlUnqFwUpAhxtPy
-0tIlyeKHR4hlWb1hs2z6PEqqOLB2ovvfqAxdqf9h
+MIICjjCCAfegAwIBAgICAMowDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIx
+MTAxMTIzNDAyWhcNMzcxMjAxMTIzNDAyWjAfMR0wGwYDVQQDExRyZXZva2VkMi5l
+eGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAv457HTnG6tQp
+fQeayAQ6Coz7JiuYkLEqRanlL2R6qdvWENPIkr3LAeXjZBb3la0lEgg1ouwL4RL4
+yYEHMnwt99jXethIG+JZS6SYVTaopm9gOWk1HpacaMFTMZgwv52R1cgCUm/Uth50
+1Be7C8lWgPSR03KfkdmBxYLuSUyPfg8CAwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzAf
+BgNVHREEGDAWghRyZXZva2VkMi5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOB
+gQCEiOCabF5VLQs0vTdIV0JVYNZKYFDpOI8sLar23Xxhf0RN9fBTiAQnXPCw7ZHy
+Tcy8Sc63lYuXqOQos9GM3ejsAtevrol2xZoYcnWvigZUHRX+p5kwN9E4mGkVLO14
+raobs9XhLSIlPDcEXW15cuHa66Mq5xWuAZ9wUMvwCyoFRQ==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.unlocked.key
index e0cc51add..097ade916 100644
--- a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.unlocked.key
+++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.unlocked.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDGe+/fQwDwwqWA0ysHeTLg7C1qmbgu39qxlggpYqfD9FmphJnh
-w9fDwndeCVxiAtYFThJ6MtJgTV1R/II94oBftgWT2LlvCrUK+3j6PjVHlpFSoLtm
-OSj0I4NBTcxofXH6Vje6pYruEOnXLhxKSn7vtx8Fzgo3aLTlgCQIRRs/fQIDAQAB
-AoGAI6UXT2+PiC1Unp2NwTJVXkpb36SKjLR76F+KyK/kdA76WTSsk/xhT9EpMbSZ
-qCpdOCesrtBYsp3CMBqaYzW9muGko3LchOCXVxMTp0GUQDNg51qZSTCgDf7656TL
-mW1P39sqqPdabA6+SyjV1sKv2uvOPOvbK4Wipk+M7pqSjEsCQQDqoD8olMo7rdxb
-D/+3DuoeeZepoMNUsXK2goWzbYuy4DKCEkXsTjg7RM+MIk8t+RNXXQvA7j6aysvV
-dozFkpOHAkEA2JDR+X/idbwjGa23Qep01oBQzEMb38u+vdJFC0lKl8u2CQ471Uxt
-a+ILOs+V+pxAU/GCSZNP6TgiNebCu6ld2wJBAMY6QWI942bsi0H8kGXPGgpJXNOZ
-2a4ShgKg3+kqYl7sgH/YhG8T3vpkNp4E1rTWvXqQSD/micoqEHD3ShQatL0CQBV8
-WLiuLWOM5NaZW4MYpbraRCnfxpYvep8Oi3cRMGta9JZ1aQ5CZOC9LmwJSFHyypcJ
-cOmnydfTj+FVIaDIrt0CQQC/YwxvWaM9zTasK7xJqNabFF+nFb2mfi2xhmguqr6u
-TinTMeyhZR4q78Qg/xrYSQTilrZgwGaDp7ikVSwonkjZ
+MIICXAIBAAKBgQC/jnsdOcbq1Cl9B5rIBDoKjPsmK5iQsSpFqeUvZHqp29YQ08iS
+vcsB5eNkFveVrSUSCDWi7AvhEvjJgQcyfC332Nd62Egb4llLpJhVNqimb2A5aTUe
+lpxowVMxmDC/nZHVyAJSb9S2HnTUF7sLyVaA9JHTcp+R2YHFgu5JTI9+DwIDAQAB
+AoGADyC5zlQQG97c1pfxfFcBHRuHK2Yz//FN4lSJhKr4bk5YjdmmicLdXm1WU5g7
+aKGqP3il1mkH2Hg+wkMjW179OOZKHihJc9p4Pq+A9fOUuCGjuC/2kP22XjpEOlfa
+p11855B529/gu3ZzLutmquryKwq6N7KjwLdi0FuanN0ZzekCQQDjZDWReujtC8eF
+0SFsAxe4QhEnG2vQ8WO1J7s6UceroE7z8HgrCYCgtK15wfJ0yM0CuTcB9KWRqemR
+PEoZMcFFAkEA16gbbZD2ryCla7WareBAGiHPPey9Szb7+yYS5OLymJ4p62Uc+StD
+pRcvo8fRnNi4od6O+hnVKI6NZNhGJMZVQwJABiCfKOps+GZG3B5EjkqPCxIMsEcW
+4qx+iVUmwG2Pudo6BmzGcDJzWuFDg3JsfCUlERu4lb7n70Lq3lUHkiI7GQJAdMYb
+a/3GBdhYmnUwt5wpOb06+d4aNgMk+L6KFpRpJojmTAdpY+awb1GZw0as0xBrEYNw
+yi54xMhD+eo+OSWH/wJBALWEww0MZgdci3eje6m27lB4tNNOpTfHRGsO3ZHinj3W
+fOHlOvsB//6IEOHkrglt48Tm1C7h05svpOQTav/toDQ=
 -----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
index 93e18035b..cde036853 100644
--- a/test/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.com/CN=clica Signing Cert
-issuer=/O=example.com/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.com/CN=clica Signing Cert rsa
+issuer=/O=example.com/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC2Ph5
-2UMdD8CAW6mAoSUKgQbCEps6VYPBqa031JzDBzpHD8cmIJfRlmPg9V8K2LXP8VVe
-eG7LW2RBVlSx9082EZNC545NFKDg4Xu01jYP8BrNcJzzu8ip8osiqAzo993AZXoW
-eGZKJ7hYA1M5RCMkSIBhFxwoObjG9Bt1LQ/keQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-JV9x4BGPTibmtXmXJOR0tETUR4RKc+Cis07H55mGDweIWtDT0dmlisLFyFK/rNdO
-zSeOIw2xchD86uNckYZd28OMEoSDI/lVhIxlEXaWvrf+BiaFX3AaPB3oivAp5aF4
-iy9WlTtH1uoE7iNueRd+beg5BgpgV0hyZAnoePQojH0=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANlcwo5q84SEtVy5W/xqbYAzOiYUZ0Shp9+ry/Q/X5uhrDF9JSHNWJbXut+8
+ZJGICt0RYVIJCcaa7FUt5hTKEx4fgURr+Hz84ZgwesMxcECHJPq9ylrCqbPkbmFR
+1XUy2MvioMH2lyc/PbV62XXggJhHioStVLRfyVlkS1KvvR+HAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQBtPJwqu7DiDmFZd58L4xQ6JJhrJzJUDHmT7ikW2tOM58yisCgSnzrR
+xihW+49vUQ9lSGxBHaFwdehAuGTXydnf7/i9i6KA2RZ+Rq12FJFYOhjaIP7Sy1zq
+VXtb+P1eDBQQhz0WgysLVjgGdBiokRv86yY56ficoTQ6EyWzQLCU+A==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.com/CN=clica CA
-issuer=/O=example.com/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.com/CN=clica CA rsa
+issuer=/O=example.com/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJmw215lURHtIlsmndGX
-4rn6AyPcReCzRClw8icPv5GzxDnXxqbjK8Ghvkil8RAV8mAkDXDzDi8J5NIsMKwk
-EF8LaGfnbhaeRkvfDXN4YGrGclMMCVN4zk810pDrfrz3KCGpokOKoaWUsRTTdftk
-xyfw2Ui1nPNfg9fO/cfAyr9FAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBABrTmR8+gtECLU7zsbrs
-RKIeE9YSXxsqzv3DPpUj9VN7l05ERe3db7/TNePBLH0KwpjWljuPDUhKWC5jQvkf
-gBEr0CKALQGWU0sQJDNhR3SDsPUGU0BFUQT7g1B94Dmp72ivHLjMrtxnLrOT32Uh
-iaEG3X51ApoqRRyXcSJZBcYN
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2N3YjbHA
+BEKAiUHwJ0VMAAe/KMOM8slXOAKni4v7Vf6BzbO5B6uaKhDV2n3V0vXwMdAoeBaq
+3s9CHOjDXwjF1qf/p4w3Z2aUIVt/Mb+uEcPUlq0Nr8OLlH11QKbkvFtLxU3sUAoi
+fcaydi1q3tszjPQ0tKlLo6kOzcgi8d47WccCAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAAzD/Zszo
+X4ieSQQxDOH53VkiAJDs32qso9YzGbQaenuRnVFCuo7rt68cjMcOjzf18/I+iMeH
+nEcdqkfoYB4Z3LXvDaRGZhg/ZOv58muzRnsW2oQI9yFqDwD0FZPtM6Vq0AWXjLuq
+IogOI5fShSo7H5hc3vrkvS7KUhzuv3FKnaQ=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/server1.example.com/cert8.db
index d2fdfb3cd..8a9e724da 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/cert8.db and b/test/aux-fixed/exim-ca/example.com/server1.example.com/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/08c48a5f.0 b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/08c48a5f.0
deleted file mode 120000
index 0bc47166d..000000000
--- a/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/08c48a5f.0
+++ /dev/null
@@ -1 +0,0 @@
-../../CA/CA.pem
\ No newline at end of file
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/61e813e6.0 b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/61e813e6.0
deleted file mode 120000
index 890dffc23..000000000
--- a/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/61e813e6.0
+++ /dev/null
@@ -1 +0,0 @@
-../../CA/Signer.pem
\ No newline at end of file
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/9ec80de3.0 b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/9ec80de3.0
new file mode 120000
index 000000000..0bc47166d
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/9ec80de3.0
@@ -0,0 +1 @@
+../../CA/CA.pem
\ No newline at end of file
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/d89e5358.0 b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/d89e5358.0
new file mode 120000
index 000000000..890dffc23
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/d89e5358.0
@@ -0,0 +1 @@
+../../CA/Signer.pem
\ No newline at end of file
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/fullchain.pem b/test/aux-fixed/exim-ca/example.com/server1.example.com/fullchain.pem
index 8e63fba38..73a429b46 100644
--- a/test/aux-fixed/exim-ca/example.com/server1.example.com/fullchain.pem
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/fullchain.pem
@@ -1,58 +1,58 @@
 Bag Attributes
     friendlyName: server1.example.com
-    localKeyID: 7E BF 00 86 25 1D DE A8 18 31 F5 E2 4E E5 2B CD D1 6E 90 BD 
+    localKeyID: 68 38 70 91 66 B0 26 4D FC 76 CF 59 D5 A5 27 13 36 F5 B7 71 
 subject=/CN=server1.example.com
-issuer=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIIC2zCCAkSgAwIBAgIBZTANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMVoXDTM3MTIwMTEyMzQwMVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
-LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA9UMQX5gjkbMrFRq70L7d
-FF9ZZ+lMjEevQNUUKrMRwbDWLx2c343YCPalFGDSypcxsWchc4AnIpzKIAjfzb4r
-d+xmFyaUV/vFmGFCuN7A5vIC9YI/eKG5CpzY4H7lHmeWnPSVJpGO5/IfnlXHHXtE
-v7uRqn0xt+VzSSp0zlVCfNkCAwEAAaOCARIwggEOMA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5jb20vMHAGA1Ud
-EQRpMGeCImFsdGVybmF0ZW5hbWUyLnNlcnZlcjEuZXhhbXBsZS5jb22CIWFsdGVy
-bmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLmNvbYIJKi50ZXN0LmV4ghNzZXJ2ZXIx
-LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4GBAGfvLUOOQ1D1P0HuQs/0tDE9
-2Ii19yQfJoMyamz/ija3vssoSGicqTxuLy2l9PzSCZsdBAAmfaX5ORMG3Z1pePh7
-9TyCnY+5Txq28At/IIJugE44CdFDIyLdN12AbVqqIzPkeckNjcy47V9rAVYsSYmb
-yl7Vs7CTftVe8Jh9XwdL
+MIIC3zCCAkigAwIBAgIBZTANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDFaFw0zNzEyMDExMjM0MDFaMB4xHDAaBgNVBAMTE3NlcnZlcjEuZXhh
+bXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALlFAifASi7qE45T
+XoRxVVlxMIINSa5ZYyGBSoLbQKLv1RsPGvxrKrJqJz8ofI136t91H5nWhHF8Bf5s
+V+1sAdfj3jhz0Qz/HJDGXTmU/3562nyyFyTXqhV2n/NJLCwfHOs7vWk7rR3R2R/p
+lTjXvUKU91aSRy0luEDhvxq/PosZAgMBAAGjggESMIIBDjAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzBw
+BgNVHREEaTBngiJhbHRlcm5hdGVuYW1lMi5zZXJ2ZXIxLmV4YW1wbGUuY29tghNz
+ZXJ2ZXIxLmV4YW1wbGUuY29tgiFhbHRlcm5hdGVuYW1lLnNlcnZlcjEuZXhhbXBs
+ZS5jb22CCSoudGVzdC5leDANBgkqhkiG9w0BAQsFAAOBgQB6zTAn0nyd/scSF7rq
+9DiRwk5akqjirevjFh0RDKyiPtB0E3Eu3E3CNax+bqqsnVl8qJzFGfQFlqaj4wzg
+DEsFzjpQMqB+skObhcYaZNLB++T350AGUdvoUN4ToOzG77h1XNu9jlILwWZNReBx
+sth3GIF5TCnewLmrm6oUHmrdnw==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.com/CN=clica Signing Cert
-issuer=/O=example.com/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.com/CN=clica Signing Cert rsa
+issuer=/O=example.com/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC2Ph5
-2UMdD8CAW6mAoSUKgQbCEps6VYPBqa031JzDBzpHD8cmIJfRlmPg9V8K2LXP8VVe
-eG7LW2RBVlSx9082EZNC545NFKDg4Xu01jYP8BrNcJzzu8ip8osiqAzo993AZXoW
-eGZKJ7hYA1M5RCMkSIBhFxwoObjG9Bt1LQ/keQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-JV9x4BGPTibmtXmXJOR0tETUR4RKc+Cis07H55mGDweIWtDT0dmlisLFyFK/rNdO
-zSeOIw2xchD86uNckYZd28OMEoSDI/lVhIxlEXaWvrf+BiaFX3AaPB3oivAp5aF4
-iy9WlTtH1uoE7iNueRd+beg5BgpgV0hyZAnoePQojH0=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANlcwo5q84SEtVy5W/xqbYAzOiYUZ0Shp9+ry/Q/X5uhrDF9JSHNWJbXut+8
+ZJGICt0RYVIJCcaa7FUt5hTKEx4fgURr+Hz84ZgwesMxcECHJPq9ylrCqbPkbmFR
+1XUy2MvioMH2lyc/PbV62XXggJhHioStVLRfyVlkS1KvvR+HAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQBtPJwqu7DiDmFZd58L4xQ6JJhrJzJUDHmT7ikW2tOM58yisCgSnzrR
+xihW+49vUQ9lSGxBHaFwdehAuGTXydnf7/i9i6KA2RZ+Rq12FJFYOhjaIP7Sy1zq
+VXtb+P1eDBQQhz0WgysLVjgGdBiokRv86yY56ficoTQ6EyWzQLCU+A==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.com/CN=clica CA
-issuer=/O=example.com/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.com/CN=clica CA rsa
+issuer=/O=example.com/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJmw215lURHtIlsmndGX
-4rn6AyPcReCzRClw8icPv5GzxDnXxqbjK8Ghvkil8RAV8mAkDXDzDi8J5NIsMKwk
-EF8LaGfnbhaeRkvfDXN4YGrGclMMCVN4zk810pDrfrz3KCGpokOKoaWUsRTTdftk
-xyfw2Ui1nPNfg9fO/cfAyr9FAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBABrTmR8+gtECLU7zsbrs
-RKIeE9YSXxsqzv3DPpUj9VN7l05ERe3db7/TNePBLH0KwpjWljuPDUhKWC5jQvkf
-gBEr0CKALQGWU0sQJDNhR3SDsPUGU0BFUQT7g1B94Dmp72ivHLjMrtxnLrOT32Uh
-iaEG3X51ApoqRRyXcSJZBcYN
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2N3YjbHA
+BEKAiUHwJ0VMAAe/KMOM8slXOAKni4v7Vf6BzbO5B6uaKhDV2n3V0vXwMdAoeBaq
+3s9CHOjDXwjF1qf/p4w3Z2aUIVt/Mb+uEcPUlq0Nr8OLlH11QKbkvFtLxU3sUAoi
+fcaydi1q3tszjPQ0tKlLo6kOzcgi8d47WccCAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAAzD/Zszo
+X4ieSQQxDOH53VkiAJDs32qso9YzGbQaenuRnVFCuo7rt68cjMcOjzf18/I+iMeH
+nEcdqkfoYB4Z3LXvDaRGZhg/ZOv58muzRnsW2oQI9yFqDwD0FZPtM6Vq0AWXjLuq
+IogOI5fShSo7H5hc3vrkvS7KUhzuv3FKnaQ=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/server1.example.com/key3.db
index 1b5f36a4f..e2e3ace41 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/key3.db and b/test/aux-fixed/exim-ca/example.com/server1.example.com/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem
index 6783c7ca1..24f29d1a7 100644
--- a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem
@@ -1,37 +1,37 @@
 Bag Attributes
     friendlyName: server1.example.com
-    localKeyID: 7E BF 00 86 25 1D DE A8 18 31 F5 E2 4E E5 2B CD D1 6E 90 BD 
+    localKeyID: 68 38 70 91 66 B0 26 4D FC 76 CF 59 D5 A5 27 13 36 F5 B7 71 
 subject=/CN=server1.example.com
-issuer=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIIC2zCCAkSgAwIBAgIBZTANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMVoXDTM3MTIwMTEyMzQwMVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
-LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA9UMQX5gjkbMrFRq70L7d
-FF9ZZ+lMjEevQNUUKrMRwbDWLx2c343YCPalFGDSypcxsWchc4AnIpzKIAjfzb4r
-d+xmFyaUV/vFmGFCuN7A5vIC9YI/eKG5CpzY4H7lHmeWnPSVJpGO5/IfnlXHHXtE
-v7uRqn0xt+VzSSp0zlVCfNkCAwEAAaOCARIwggEOMA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5jb20vMHAGA1Ud
-EQRpMGeCImFsdGVybmF0ZW5hbWUyLnNlcnZlcjEuZXhhbXBsZS5jb22CIWFsdGVy
-bmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLmNvbYIJKi50ZXN0LmV4ghNzZXJ2ZXIx
-LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4GBAGfvLUOOQ1D1P0HuQs/0tDE9
-2Ii19yQfJoMyamz/ija3vssoSGicqTxuLy2l9PzSCZsdBAAmfaX5ORMG3Z1pePh7
-9TyCnY+5Txq28At/IIJugE44CdFDIyLdN12AbVqqIzPkeckNjcy47V9rAVYsSYmb
-yl7Vs7CTftVe8Jh9XwdL
+MIIC3zCCAkigAwIBAgIBZTANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDFaFw0zNzEyMDExMjM0MDFaMB4xHDAaBgNVBAMTE3NlcnZlcjEuZXhh
+bXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALlFAifASi7qE45T
+XoRxVVlxMIINSa5ZYyGBSoLbQKLv1RsPGvxrKrJqJz8ofI136t91H5nWhHF8Bf5s
+V+1sAdfj3jhz0Qz/HJDGXTmU/3562nyyFyTXqhV2n/NJLCwfHOs7vWk7rR3R2R/p
+lTjXvUKU91aSRy0luEDhvxq/PosZAgMBAAGjggESMIIBDjAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzBw
+BgNVHREEaTBngiJhbHRlcm5hdGVuYW1lMi5zZXJ2ZXIxLmV4YW1wbGUuY29tghNz
+ZXJ2ZXIxLmV4YW1wbGUuY29tgiFhbHRlcm5hdGVuYW1lLnNlcnZlcjEuZXhhbXBs
+ZS5jb22CCSoudGVzdC5leDANBgkqhkiG9w0BAQsFAAOBgQB6zTAn0nyd/scSF7rq
+9DiRwk5akqjirevjFh0RDKyiPtB0E3Eu3E3CNax+bqqsnVl8qJzFGfQFlqaj4wzg
+DEsFzjpQMqB+skObhcYaZNLB++T350AGUdvoUN4ToOzG77h1XNu9jlILwWZNReBx
+sth3GIF5TCnewLmrm6oUHmrdnw==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC2Ph5
-2UMdD8CAW6mAoSUKgQbCEps6VYPBqa031JzDBzpHD8cmIJfRlmPg9V8K2LXP8VVe
-eG7LW2RBVlSx9082EZNC545NFKDg4Xu01jYP8BrNcJzzu8ip8osiqAzo993AZXoW
-eGZKJ7hYA1M5RCMkSIBhFxwoObjG9Bt1LQ/keQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-JV9x4BGPTibmtXmXJOR0tETUR4RKc+Cis07H55mGDweIWtDT0dmlisLFyFK/rNdO
-zSeOIw2xchD86uNckYZd28OMEoSDI/lVhIxlEXaWvrf+BiaFX3AaPB3oivAp5aF4
-iy9WlTtH1uoE7iNueRd+beg5BgpgV0hyZAnoePQojH0=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANlcwo5q84SEtVy5W/xqbYAzOiYUZ0Shp9+ry/Q/X5uhrDF9JSHNWJbXut+8
+ZJGICt0RYVIJCcaa7FUt5hTKEx4fgURr+Hz84ZgwesMxcECHJPq9ylrCqbPkbmFR
+1XUy2MvioMH2lyc/PbV62XXggJhHioStVLRfyVlkS1KvvR+HAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQBtPJwqu7DiDmFZd58L4xQ6JJhrJzJUDHmT7ikW2tOM58yisCgSnzrR
+xihW+49vUQ9lSGxBHaFwdehAuGTXydnf7/i9i6KA2RZ+Rq12FJFYOhjaIP7Sy1zq
+VXtb+P1eDBQQhz0WgysLVjgGdBiokRv86yY56ficoTQ6EyWzQLCU+A==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.key b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.key
index 28b557938..92aaeef74 100644
--- a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.key
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.key
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: server1.example.com
-    localKeyID: 7E BF 00 86 25 1D DE A8 18 31 F5 E2 4E E5 2B CD D1 6E 90 BD 
+    localKeyID: 68 38 70 91 66 B0 26 4D FC 76 CF 59 D5 A5 27 13 36 F5 B7 71 
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIYGrq4Gcw4KoCAggA
-MBQGCCqGSIb3DQMHBAg+KGahXoie+ASCAoAri89FemSuJebVOZnSJM5inxBeqLLV
-FqWPjgIrpjlTnc2Vjus37RMwToxqo0E8u1oXFoeaDbn2S78JNuf04SdQ+sxBsFEi
-wur1n6HftSyokdVZeN7I60HEscpYpGgodU0RhxdnvrypHpVLbi8mqwVys36MkF/W
-e0achT07b5g7mOisy52cf7hVWnHVFuGWHGAdUL6UpUBhT2uv3C+0V0Pj+XqMDU7z
-OFSqE3ctFt+QzXQDPtxesVH06JVvLhTsS+2wpLPt+ATny3W140K4mg69eaeHHEMk
-VKcvnUDxr3ByuD6WoEyB4Co2oTJ7Zk0F4HvN/59uOo1z7Rq8Ex54ZW3FIjrV6xOS
-6idg5D8DsBXN1tTQ1EWF1KsVufiH2cPkm8t5rAB9kX4w7NPYeYgY/V62Z93uhe56
-iIrPcBm0/dnVObkQRhk1DcaBL8DsSBlTP+jmb55+RVGJR3kGWgPpeCIf1qF5dG+H
-qIluxf5BEZ+BE8mRcj6hKm99lB5bA8TG/MFFQdYC9i1z5rtcRpKp3HJhCXBWfhwf
-D3VPpLp9rPXKXK4Fr9G/1JmnrExI9+PGlGj9QuyNizoiBCBF33JnoGedorbV2nFc
-igh+LJf2Kc4GSRYGaxsTieYC4mvZ0OxUHcWkJ3u7kSDqqyvxqd9CruYDpj4s2iSg
-0i3DVwerMK39qZhWoMLDBdI8aq/BVSItQXjPESuZb1YH1V8N06gmF6qjcRHaXzC/
-gUH6m0WMyZM3hPFSfXzb89aaLIn1UsH7we+6RWpoDb2a6VJke4M7XtcfM1KuAMBF
-INmjVC6LoVQrA3zHydnmYImkHVz4n4KHCi31mrA+G/mj2vAB6pKQi/Re
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIHHll4kyNluoCAggA
+MBQGCCqGSIb3DQMHBAiqfjrDuLu0ngSCAoASeOAmvBbKOFWqco4j31ohBkskyIo1
+lHZiUJzeVc+6FVyrLgikBELx2/P4+xpVQD1eyEBSIE42aT9M1kZ18mxWwNIOIrzx
+40lP+AY5Pc1ATUdLSe9Zx1LR9tgMJFBDBvUYuH0dzkYzXdYntfk549dlyAaISSN2
+JEHcva3+DfMt39YHGjDCk59QMHbKJv0hBjhtZJ3Wy/Djys6pDnfPa7rXm+mE/xgP
+1T02A6g3b29BgHykpxwL1gqrrOVoWfDkRDUbQeDNha+B1hGvoioUg88ncTC414pq
+w5UkHUEPsU0rRWnEL6OOcGojNc5vFXNypD5lAsX9DBTyZ0IagJmpJwAb6eXkZm01
+yu3ZHFOakHeaumBbjGXpCyvyfYmMQ6ZEWhySZe6sdZANN11tDk276+i/qqCRSKnr
+XXFyNQn+8trT7v5Jwy9CXpFUviPgRd7xAjLrvItMWpzK+0heMJimsDORXNnHlkOs
+vPJQa+nIzQ2isr7ZF1noarbOcjNYJvkPK3yuoG/oZQXtFWz84/QxGLnRmryP2aTj
+GLgU/xBEBkm1GjhlWzkNQE8t7XVm47MX9i+MzuuManUMTDA7hRqAAzKc4m1Lx801
+ju7yJl9TKcVXVyx/n0/SV4u7DM0y5UotuunEwn2WB8mTOvIwX3Wqyc8kw4m2wEDG
+GcsuH6jvN3ATJ1sWwpnExNEzJiY50idzgSI6Oamf8fCKiJRyjJ5/LX5w9QpdH4G8
+yrypanaU6S/Sn7zBVASY8UGtWtV9J8HJFuZgtWhdm3F6cnAeQszDZHD5FPxYfv/E
+R/dp+6VuUDlnGAwW0ukNGdaNYm7ym3ZtkGknN7tn81cDCAf7f7XpFodI
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp
index e4a2994fc..fba3a5451 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
index 750fae3bf..5d1bde4ae 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.req
index 9a08c91b7..136f595ff 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.req and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp
index 2f51ebdd5..68738ea96 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signer.dated.resp b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signer.dated.resp
index 3c556b30a..a3c75feae 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signer.dated.resp and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signer.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signer.good.resp b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signer.good.resp
index 6183d248c..e2b192e16 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signer.good.resp and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signer.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signer.revoked.resp b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signer.revoked.resp
index e4d3bbdfb..8df84c747 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signer.revoked.resp and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signer.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.dated.resp b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.dated.resp
index e3c7cae6b..3563a96a7 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.dated.resp and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.good.resp b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.good.resp
index 23d726d2a..e10a9e747 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.good.resp and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.revoked.resp b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.revoked.resp
index 9969c2718..3914b9bc8 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.revoked.resp and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.p12 b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.p12
index 82a927baa..c445f0d1f 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.p12 and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
index 3f0fedf3d..9ba919c3c 100644
--- a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
@@ -1,23 +1,23 @@
 Bag Attributes
     friendlyName: server1.example.com
-    localKeyID: 7E BF 00 86 25 1D DE A8 18 31 F5 E2 4E E5 2B CD D1 6E 90 BD 
+    localKeyID: 68 38 70 91 66 B0 26 4D FC 76 CF 59 D5 A5 27 13 36 F5 B7 71 
 subject=/CN=server1.example.com
-issuer=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIIC2zCCAkSgAwIBAgIBZTANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMVoXDTM3MTIwMTEyMzQwMVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
-LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA9UMQX5gjkbMrFRq70L7d
-FF9ZZ+lMjEevQNUUKrMRwbDWLx2c343YCPalFGDSypcxsWchc4AnIpzKIAjfzb4r
-d+xmFyaUV/vFmGFCuN7A5vIC9YI/eKG5CpzY4H7lHmeWnPSVJpGO5/IfnlXHHXtE
-v7uRqn0xt+VzSSp0zlVCfNkCAwEAAaOCARIwggEOMA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5jb20vMHAGA1Ud
-EQRpMGeCImFsdGVybmF0ZW5hbWUyLnNlcnZlcjEuZXhhbXBsZS5jb22CIWFsdGVy
-bmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLmNvbYIJKi50ZXN0LmV4ghNzZXJ2ZXIx
-LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4GBAGfvLUOOQ1D1P0HuQs/0tDE9
-2Ii19yQfJoMyamz/ija3vssoSGicqTxuLy2l9PzSCZsdBAAmfaX5ORMG3Z1pePh7
-9TyCnY+5Txq28At/IIJugE44CdFDIyLdN12AbVqqIzPkeckNjcy47V9rAVYsSYmb
-yl7Vs7CTftVe8Jh9XwdL
+MIIC3zCCAkigAwIBAgIBZTANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDFaFw0zNzEyMDExMjM0MDFaMB4xHDAaBgNVBAMTE3NlcnZlcjEuZXhh
+bXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALlFAifASi7qE45T
+XoRxVVlxMIINSa5ZYyGBSoLbQKLv1RsPGvxrKrJqJz8ofI136t91H5nWhHF8Bf5s
+V+1sAdfj3jhz0Qz/HJDGXTmU/3562nyyFyTXqhV2n/NJLCwfHOs7vWk7rR3R2R/p
+lTjXvUKU91aSRy0luEDhvxq/PosZAgMBAAGjggESMIIBDjAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzBw
+BgNVHREEaTBngiJhbHRlcm5hdGVuYW1lMi5zZXJ2ZXIxLmV4YW1wbGUuY29tghNz
+ZXJ2ZXIxLmV4YW1wbGUuY29tgiFhbHRlcm5hdGVuYW1lLnNlcnZlcjEuZXhhbXBs
+ZS5jb22CCSoudGVzdC5leDANBgkqhkiG9w0BAQsFAAOBgQB6zTAn0nyd/scSF7rq
+9DiRwk5akqjirevjFh0RDKyiPtB0E3Eu3E3CNax+bqqsnVl8qJzFGfQFlqaj4wzg
+DEsFzjpQMqB+skObhcYaZNLB++T350AGUdvoUN4ToOzG77h1XNu9jlILwWZNReBx
+sth3GIF5TCnewLmrm6oUHmrdnw==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
index 4fa103a17..1aee1ff42 100644
--- a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQD1QxBfmCORsysVGrvQvt0UX1ln6UyMR69A1RQqsxHBsNYvHZzf
-jdgI9qUUYNLKlzGxZyFzgCcinMogCN/Nvit37GYXJpRX+8WYYUK43sDm8gL1gj94
-obkKnNjgfuUeZ5ac9JUmkY7n8h+eVccde0S/u5GqfTG35XNJKnTOVUJ82QIDAQAB
-AoGAXyp6EHWym4bXeTVp2gotM4n54ZGLc8Ue8fub+yOHiM4KlbaaV74srPGzRVB6
-ikSXchwvxSbdSJdo8HwxBx66s2fLKb/XfntFDdUij36qmZfJjPElBPMpjwU1PYlc
-mgIXIPGsicKTowjws5kX8SwB+dQFxDqO0LZEBlGq0bpl80cCQQD+Tm3LP4nIHjQM
-YTllT2pcPIFoG+qq3ff2AJkcw94UdLuerb4IkDC1G8l5tqIXz3fJ6nyMAUoRIA+d
-dDQmFq9rAkEA9uU3E1l0BLxtDYGtsJ6uGI9QYdtfc+NuhBIU1KLZyO43PVsKA7QJ
-i7Y0PzlyeYItttsB0zgY7uPAZFXKaxfpywJBAPwKTSTohyzQSnOOlG0FRXu+995v
-9Kd+MPgeZaGtulf5zc2ZksM37R5COO+pg4MnuyhifyffS0InzXIXLmwlhZsCQB+o
-/QsKKYqB7yoQOwmvD3wuxIwH6ZGe1IkzGGC8EVlm0saXag1XhPHZh5Gj+D4Ep4AP
-TYicZPYdVoqHRdG920kCQGVrR1boFcnMavhdlOUUIupDXldVsThol4jI0A82EgSy
-0HoqR7W9I23uGOtAMGLJsITVNr67FixHyxJ5g26oXv8=
+MIICXQIBAAKBgQC5RQInwEou6hOOU16EcVVZcTCCDUmuWWMhgUqC20Ci79UbDxr8
+ayqyaic/KHyNd+rfdR+Z1oRxfAX+bFftbAHX4944c9EM/xyQxl05lP9+etp8shck
+16oVdp/zSSwsHxzrO71pO60d0dkf6ZU4171ClPdWkkctJbhA4b8avz6LGQIDAQAB
+AoGADsP/C8+ppJCM9h293Ydcz9qTYky7JRVEWczAn/+SaLSoQtZS28WSFb3Gb/mt
+kjwkRiKYXf3jTgTI7iyQsMBCwIvM00VLAbQE3t3BjBhYNBztXHgCGOGD36kFCQJk
+nKLGC+TdEdhlqWpvVcdUzcHsY1n8o54IoBQaTnR6wJdcyyMCQQDkRoUO3ehedl8J
+h5dVn87qmKZAaKdCj+0zv1+fIEXn8DlBGzKxNkjdjZAEekuIcqqHODc8duFO2NlL
+fwE//nXDAkEAz8VcSyGTCO+STV5BSCP5c5P4ovoIRAXuWaJJ7bfwicrbtZfgpfOe
+U0Cppqayp75U2wsvP2MCaFbHmsQFbdUB8wJBAJ+qD4Ehh1ki9EBHHXufRmviD063
+pF2zK5bpQSmcuiiLZpB6RI+cx4RncpcfLtumUE457LCW+epbVEkw8R/gjF8CQQCU
+WN06A6HhKnTyas7/vDfazxci/pUyRG3Xb+mLIt9K8x2Gfgd3VgeAd9Xp2HINFPev
+Yj/86SuJ5hQkq7sYnZMDAkBgqwXIJ6N5W2jH+d06aBhi1ChZ+JmeUqhzZOV4eT+h
+ya+PwKiQrPJo6EOCciHq2wJiIw5ADShZXi7+IdA2g4yp
 -----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/ca_chain.pem
new file mode 100644
index 000000000..cde036853
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/ca_chain.pem
@@ -0,0 +1,35 @@
+Bag Attributes
+    friendlyName: Signing Cert rsa
+subject=/O=example.com/CN=clica Signing Cert rsa
+issuer=/O=example.com/CN=clica CA rsa
+-----BEGIN CERTIFICATE-----
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANlcwo5q84SEtVy5W/xqbYAzOiYUZ0Shp9+ry/Q/X5uhrDF9JSHNWJbXut+8
+ZJGICt0RYVIJCcaa7FUt5hTKEx4fgURr+Hz84ZgwesMxcECHJPq9ylrCqbPkbmFR
+1XUy2MvioMH2lyc/PbV62XXggJhHioStVLRfyVlkS1KvvR+HAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQBtPJwqu7DiDmFZd58L4xQ6JJhrJzJUDHmT7ikW2tOM58yisCgSnzrR
+xihW+49vUQ9lSGxBHaFwdehAuGTXydnf7/i9i6KA2RZ+Rq12FJFYOhjaIP7Sy1zq
+VXtb+P1eDBQQhz0WgysLVjgGdBiokRv86yY56ficoTQ6EyWzQLCU+A==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority rsa
+subject=/O=example.com/CN=clica CA rsa
+issuer=/O=example.com/CN=clica CA rsa
+-----BEGIN CERTIFICATE-----
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2N3YjbHA
+BEKAiUHwJ0VMAAe/KMOM8slXOAKni4v7Vf6BzbO5B6uaKhDV2n3V0vXwMdAoeBaq
+3s9CHOjDXwjF1qf/p4w3Z2aUIVt/Mb+uEcPUlq0Nr8OLlH11QKbkvFtLxU3sUAoi
+fcaydi1q3tszjPQ0tKlLo6kOzcgi8d47WccCAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAAzD/Zszo
+X4ieSQQxDOH53VkiAJDs32qso9YzGbQaenuRnVFCuo7rt68cjMcOjzf18/I+iMeH
+nEcdqkfoYB4Z3LXvDaRGZhg/ZOv58muzRnsW2oQI9yFqDwD0FZPtM6Vq0AWXjLuq
+IogOI5fShSo7H5hc3vrkvS7KUhzuv3FKnaQ=
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/cert8.db
new file mode 100644
index 000000000..9c31e2c70
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/key3.db
new file mode 100644
index 000000000..5a863771b
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/pwdfile b/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/pwdfile
new file mode 100644
index 000000000..f3097ab13
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/secmod.db b/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/secmod.db
new file mode 100644
index 000000000..bd782e8a1
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/server1_ec.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/server1_ec.example.com.chain.pem
new file mode 100644
index 000000000..5821da3a6
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/server1_ec.example.com.chain.pem
@@ -0,0 +1,36 @@
+Bag Attributes
+    friendlyName: server1_ec.example.com
+    localKeyID: F3 51 92 80 EE 0E 15 CF 66 DD 08 F5 3B 25 04 72 96 18 B5 3C 
+subject=/CN=server1_ec.example.com
+issuer=/O=example.com/CN=clica Signing Cert rsa
+-----BEGIN CERTIFICATE-----
+MIICrjCCAhegAwIBAgICBE0wDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIx
+MTAxMTIzNDA0WhcNMzcxMjAxMTIzNDA0WjAhMR8wHQYDVQQDDBZzZXJ2ZXIxX2Vj
+LmV4YW1wbGUuY29tMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBSrVQcxLe6HON
+7ZWl3ImT2edPxEqzGZYbZrEPsv+AjOdoFwlEeyW1otKLM8N0nAWDU7NukAA+Y+eV
+87AuYHs+sTMALjgmY+PxNrCy3eqe0FNxg+O4zN5fY+V2KLkuK9i2weChU6GKz6VI
+t6vW+joSxsew+P7lL96AOntFZ8xN3xl4StCjgeIwgd8wDgYDVR0PAQH/BAQDAgTw
+MCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCeg
+JaAjhiFodHRwOi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwNAYIKwYBBQUH
+AQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLmNvbS8wQQYD
+VR0RBDowOIIJKi50ZXN0LmV4ghNzZXJ2ZXIxLmV4YW1wbGUuY29tghZzZXJ2ZXIx
+X2VjLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4GBABnqbnB1EKQisMe/a1D7
+oHulTvJoHlg9HI3ROcvxCWn3gKKiZ8JpRyIXneDNNZpCz8B5MWJfwijONA+aL+oG
+5wjYL9IgnqsUzklUXD2rN6epWLaLICsNxQoPVGcq1xMt4FkKdvk3I/0ulLjCYTPo
+kBVn+I2iCYu9gm0l9U+p8bbw
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANlcwo5q84SEtVy5W/xqbYAzOiYUZ0Shp9+ry/Q/X5uhrDF9JSHNWJbXut+8
+ZJGICt0RYVIJCcaa7FUt5hTKEx4fgURr+Hz84ZgwesMxcECHJPq9ylrCqbPkbmFR
+1XUy2MvioMH2lyc/PbV62XXggJhHioStVLRfyVlkS1KvvR+HAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQBtPJwqu7DiDmFZd58L4xQ6JJhrJzJUDHmT7ikW2tOM58yisCgSnzrR
+xihW+49vUQ9lSGxBHaFwdehAuGTXydnf7/i9i6KA2RZ+Rq12FJFYOhjaIP7Sy1zq
+VXtb+P1eDBQQhz0WgysLVjgGdBiokRv86yY56ficoTQ6EyWzQLCU+A==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/server1_ec.example.com.key b/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/server1_ec.example.com.key
new file mode 100644
index 000000000..78989a870
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/server1_ec.example.com.key
@@ -0,0 +1,13 @@
+Bag Attributes
+    friendlyName: server1_ec.example.com
+    localKeyID: F3 51 92 80 EE 0E 15 CF 66 DD 08 F5 3B 25 04 72 96 18 B5 3C 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBPTBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIlcwjFE5MPHkCAggA
+MBQGCCqGSIb3DQMHBAi+ikbijJKLjASB+LizSd30D7Y5KjItwF/PHonzaf3/HhKV
+umjASvrpYlvy8U71q5CGYVyzGZZ01qZ9UibWCFBvD311nO/MU4gikRSCDCwGhFrH
+yLuGpOsp5pEN7aZACFvDChtyb+SAmINOxmeGtITaQrd39fK0jvbNJDPlc/NIpVPR
+BLddi8+Qr4L+qM3QZi93aZSfBJiPwEIwUKsfhxEEVVcKlF7Uh2uV8lHpwIP1KHAY
+07Acl/Z/k6yPL6/9a9+x92sSYM8ysMc2oOuIlv9bsjhOh1OvuNZ02DCSG4yE5PUt
+Uq1dOg/vqBGfBWoJ4PB+QnCcMf9avHV2C2uJJsNys8jx
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/server1_ec.example.com.p12 b/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/server1_ec.example.com.p12
new file mode 100644
index 000000000..47ada66bf
Binary files /dev/null and b/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/server1_ec.example.com.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/server1_ec.example.com.pem b/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/server1_ec.example.com.pem
new file mode 100644
index 000000000..97e86943a
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/server1_ec.example.com.pem
@@ -0,0 +1,22 @@
+Bag Attributes
+    friendlyName: server1_ec.example.com
+    localKeyID: F3 51 92 80 EE 0E 15 CF 66 DD 08 F5 3B 25 04 72 96 18 B5 3C 
+subject=/CN=server1_ec.example.com
+issuer=/O=example.com/CN=clica Signing Cert rsa
+-----BEGIN CERTIFICATE-----
+MIICrjCCAhegAwIBAgICBE0wDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIx
+MTAxMTIzNDA0WhcNMzcxMjAxMTIzNDA0WjAhMR8wHQYDVQQDDBZzZXJ2ZXIxX2Vj
+LmV4YW1wbGUuY29tMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBSrVQcxLe6HON
+7ZWl3ImT2edPxEqzGZYbZrEPsv+AjOdoFwlEeyW1otKLM8N0nAWDU7NukAA+Y+eV
+87AuYHs+sTMALjgmY+PxNrCy3eqe0FNxg+O4zN5fY+V2KLkuK9i2weChU6GKz6VI
+t6vW+joSxsew+P7lL96AOntFZ8xN3xl4StCjgeIwgd8wDgYDVR0PAQH/BAQDAgTw
+MCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCeg
+JaAjhiFodHRwOi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwNAYIKwYBBQUH
+AQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLmNvbS8wQQYD
+VR0RBDowOIIJKi50ZXN0LmV4ghNzZXJ2ZXIxLmV4YW1wbGUuY29tghZzZXJ2ZXIx
+X2VjLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4GBABnqbnB1EKQisMe/a1D7
+oHulTvJoHlg9HI3ROcvxCWn3gKKiZ8JpRyIXneDNNZpCz8B5MWJfwijONA+aL+oG
+5wjYL9IgnqsUzklUXD2rN6epWLaLICsNxQoPVGcq1xMt4FkKdvk3I/0ulLjCYTPo
+kBVn+I2iCYu9gm0l9U+p8bbw
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/server1_ec.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/server1_ec.example.com.unlocked.key
new file mode 100644
index 000000000..a0fd598b5
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1_ec.example.com/server1_ec.example.com.unlocked.key
@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBPUPiTROKyPZXKuNddLWl8ngGLh7mZnD37RZdNf5iGZn86fGM9tWT
+eCs+sA1FGbyLLVt+SXGOR0iS0V5zguTqpLigBwYFK4EEACOhgYkDgYYABAFKtVBz
+Et7oc43tlaXciZPZ50/ESrMZlhtmsQ+y/4CM52gXCUR7JbWi0oszw3ScBYNTs26Q
+AD5j55XzsC5gez6xMwAuOCZj4/E2sLLd6p7QU3GD47jM3l9j5XYouS4r2LbB4KFT
+oYrPpUi3q9b6OhLGx7D4/uUv3oA6e0VnzE3fGXhK0A==
+-----END EC PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem
index 93e18035b..cde036853 100644
--- a/test/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem
+++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.com/CN=clica Signing Cert
-issuer=/O=example.com/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.com/CN=clica Signing Cert rsa
+issuer=/O=example.com/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC2Ph5
-2UMdD8CAW6mAoSUKgQbCEps6VYPBqa031JzDBzpHD8cmIJfRlmPg9V8K2LXP8VVe
-eG7LW2RBVlSx9082EZNC545NFKDg4Xu01jYP8BrNcJzzu8ip8osiqAzo993AZXoW
-eGZKJ7hYA1M5RCMkSIBhFxwoObjG9Bt1LQ/keQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-JV9x4BGPTibmtXmXJOR0tETUR4RKc+Cis07H55mGDweIWtDT0dmlisLFyFK/rNdO
-zSeOIw2xchD86uNckYZd28OMEoSDI/lVhIxlEXaWvrf+BiaFX3AaPB3oivAp5aF4
-iy9WlTtH1uoE7iNueRd+beg5BgpgV0hyZAnoePQojH0=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANlcwo5q84SEtVy5W/xqbYAzOiYUZ0Shp9+ry/Q/X5uhrDF9JSHNWJbXut+8
+ZJGICt0RYVIJCcaa7FUt5hTKEx4fgURr+Hz84ZgwesMxcECHJPq9ylrCqbPkbmFR
+1XUy2MvioMH2lyc/PbV62XXggJhHioStVLRfyVlkS1KvvR+HAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQBtPJwqu7DiDmFZd58L4xQ6JJhrJzJUDHmT7ikW2tOM58yisCgSnzrR
+xihW+49vUQ9lSGxBHaFwdehAuGTXydnf7/i9i6KA2RZ+Rq12FJFYOhjaIP7Sy1zq
+VXtb+P1eDBQQhz0WgysLVjgGdBiokRv86yY56ficoTQ6EyWzQLCU+A==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.com/CN=clica CA
-issuer=/O=example.com/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.com/CN=clica CA rsa
+issuer=/O=example.com/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJmw215lURHtIlsmndGX
-4rn6AyPcReCzRClw8icPv5GzxDnXxqbjK8Ghvkil8RAV8mAkDXDzDi8J5NIsMKwk
-EF8LaGfnbhaeRkvfDXN4YGrGclMMCVN4zk810pDrfrz3KCGpokOKoaWUsRTTdftk
-xyfw2Ui1nPNfg9fO/cfAyr9FAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBABrTmR8+gtECLU7zsbrs
-RKIeE9YSXxsqzv3DPpUj9VN7l05ERe3db7/TNePBLH0KwpjWljuPDUhKWC5jQvkf
-gBEr0CKALQGWU0sQJDNhR3SDsPUGU0BFUQT7g1B94Dmp72ivHLjMrtxnLrOT32Uh
-iaEG3X51ApoqRRyXcSJZBcYN
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2N3YjbHA
+BEKAiUHwJ0VMAAe/KMOM8slXOAKni4v7Vf6BzbO5B6uaKhDV2n3V0vXwMdAoeBaq
+3s9CHOjDXwjF1qf/p4w3Z2aUIVt/Mb+uEcPUlq0Nr8OLlH11QKbkvFtLxU3sUAoi
+fcaydi1q3tszjPQ0tKlLo6kOzcgi8d47WccCAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAAzD/Zszo
+X4ieSQQxDOH53VkiAJDs32qso9YzGbQaenuRnVFCuo7rt68cjMcOjzf18/I+iMeH
+nEcdqkfoYB4Z3LXvDaRGZhg/ZOv58muzRnsW2oQI9yFqDwD0FZPtM6Vq0AWXjLuq
+IogOI5fShSo7H5hc3vrkvS7KUhzuv3FKnaQ=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/server2.example.com/cert8.db
index cc10d01bc..ff0d142d7 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/cert8.db and b/test/aux-fixed/exim-ca/example.com/server2.example.com/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/server2.example.com/key3.db
index 1b6a8c362..f038ea5c8 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/key3.db and b/test/aux-fixed/exim-ca/example.com/server2.example.com/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.chain.pem
index 6f9460635..82b640ff3 100644
--- a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.chain.pem
+++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
     friendlyName: server2.example.com
-    localKeyID: 3E 38 B3 52 20 A0 E1 80 39 74 EA 8D D9 D2 2C DA F6 53 CC BF 
+    localKeyID: 0D 9E 77 6B 02 AF DE FB 02 31 58 89 27 D3 05 CA 81 F0 03 66 
 subject=/CN=server2.example.com
-issuer=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhh
-bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDJaFw0zNzEyMDExMjM0MDJaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
-ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKpVDMWYm+sUgk2Suy9g
-bFS1QSurQJANa1I4+2yQhqK8r2KaNMODeTBPm8wjDaia3OUPUXx0dUwzF5oi6sr7
-ztThjz6vAvPyq7fCyIO5P19FdQ8Po1QefxoPWTvN7giWjh0n1FeoG/Ls+sROjchm
-TbVuxrbU9kGfSqmBIPF1R0qPAgMBAAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAG
-A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
-hiFodHRwOi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
-KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLmNvbS8wHgYDVR0R
-BBcwFYITc2VydmVyMi5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOBgQA64kuJ
-wKno+NK76n34V3qqJkKzlAQEJPcNbTPegpB1dro6pH3g5W06POZ0P7Stz9G5vWoG
-ROqpoxReNNdULu1as/vK31q2Itiw8DhoSKjNNGuy6X+WzexI+l0OL2bww7/59GUQ
-gLn0+tu+pCbDPSU6f7fprc3WBlXxmD7qtc92oQ==
+MIICjDCCAfWgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIx
+MTAxMTIzNDAxWhcNMzcxMjAxMTIzNDAxWjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4
+YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5xczcpFPcohZh
+Legf/wzSJvwj/dVkXg0MEyVulbMS+sgCwwSO6uGykJVc6ZKUnGqFyv5Icp1zG9Y9
+/joYefiXN5K1n/3NrtsET+6AJDWzZYz/AyRGd07xLwEw+Ip0/bqqNaxpc07L1qAA
+Bcwz2lcSeKsIDbYC9znSdEzuNUFmGQIDAQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5jb20vMB4G
+A1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADgYEA
+GQz0ggxKkEXx50eX/uWtlC7+JFwsJLBhU/nGBmOLxzHhptrRBLiqLYr8Chj92eZN
+nDr1HUY0jIC8PcPDjpgz1rs+6HOy3F++t7u+x1x89MQ2DUjCqqyjiM/PzuKsdU4V
+TVXsu8R4x8YSjCfXeKJAlOL4rPy2wU3wXRhzCf4Et4E=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC2Ph5
-2UMdD8CAW6mAoSUKgQbCEps6VYPBqa031JzDBzpHD8cmIJfRlmPg9V8K2LXP8VVe
-eG7LW2RBVlSx9082EZNC545NFKDg4Xu01jYP8BrNcJzzu8ip8osiqAzo993AZXoW
-eGZKJ7hYA1M5RCMkSIBhFxwoObjG9Bt1LQ/keQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-JV9x4BGPTibmtXmXJOR0tETUR4RKc+Cis07H55mGDweIWtDT0dmlisLFyFK/rNdO
-zSeOIw2xchD86uNckYZd28OMEoSDI/lVhIxlEXaWvrf+BiaFX3AaPB3oivAp5aF4
-iy9WlTtH1uoE7iNueRd+beg5BgpgV0hyZAnoePQojH0=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANlcwo5q84SEtVy5W/xqbYAzOiYUZ0Shp9+ry/Q/X5uhrDF9JSHNWJbXut+8
+ZJGICt0RYVIJCcaa7FUt5hTKEx4fgURr+Hz84ZgwesMxcECHJPq9ylrCqbPkbmFR
+1XUy2MvioMH2lyc/PbV62XXggJhHioStVLRfyVlkS1KvvR+HAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQBtPJwqu7DiDmFZd58L4xQ6JJhrJzJUDHmT7ikW2tOM58yisCgSnzrR
+xihW+49vUQ9lSGxBHaFwdehAuGTXydnf7/i9i6KA2RZ+Rq12FJFYOhjaIP7Sy1zq
+VXtb+P1eDBQQhz0WgysLVjgGdBiokRv86yY56ficoTQ6EyWzQLCU+A==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.key b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.key
index b412ecbc3..3b100bdbd 100644
--- a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.key
+++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.key
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: server2.example.com
-    localKeyID: 3E 38 B3 52 20 A0 E1 80 39 74 EA 8D D9 D2 2C DA F6 53 CC BF 
+    localKeyID: 0D 9E 77 6B 02 AF DE FB 02 31 58 89 27 D3 05 CA 81 F0 03 66 
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIA6708poqRaECAggA
-MBQGCCqGSIb3DQMHBAjxI7tR7pallgSCAoApDIMC+I4DyiyYAbZ0rp4FD4IrabLn
-Vnwa/QMJ3b8oXVOD57zgJtV3hqRWQ1vjMm+dhW2UegFaFwluutEKTuijw25Vu6CF
-CfiHf+3Lnf7l/3vjYJcLuP58BRMe6VcK3BWBbvJu/kCEyyYYqY8Z4bfR/CeCiNb1
-oOInQ2IallqhzJU4/DpSzTzSwP2gjMTRkmMtMhdiGV/OC4t1stXNuSTkvf6SrckH
-4/LcLWyl0zf+HKA/VXdyko05XEM226BFX1GfhDTgLHMVc4Z552XYIdsXCJfwhNQ6
-IGct946WRV2elrq7YwaVFI6dTKv2Gh+rs5K4excypcFSEt2fE3DYsnVlsDAs/Lut
-i8DOHktLNoULrqmSDu3G6bhQ9R2CAy46Jr/1qyN/PyLx7qdGQ0VDUlxLRbitjFJf
-v3bV8xcGjDhmv1qZbUcBBP2ugsSk29mAXyyRF/nemggetvIUWqVduZyYVT/BYAK1
-Nag8ZzDhL0GWWXLky6hinDnhp6Q9P1xDV2Uz7NIPMiRXkW+JRsIoRZ1an+mbDp74
-iIuNDIIoonF48Wgj6uV0UfZB03zOM5lY+YtIkPBD7BFViWPBP7h0tDUyQn6Li0X3
-GabS4rws5YwSBzgqTIEJli4FnCFMFrWKdtdT3eBsbPp/CR4WszDgKgtUdddYLu+P
-hfny8mEbftelyd66a0ufyKTGgvoC+Up9WVavnJEMaipIgOIQ33akNPrjJUOKBmUo
-NeEr9bKaazZmvNfFadaQBf5c68OK0VIsyS//9Px7d39NcmA7pM9Z4a5fmWbFn59D
-XymB042vK2hcuGBCx4B+Crc4kSVkGHah0LsmnfKBeMStKux+I1cX7FzB
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQISj8NfM4dQjsCAggA
+MBQGCCqGSIb3DQMHBAhAlCJYloV1gwSCAoCMamEc/QOzHYxmYK/+Qw9dFFXN52MT
+kpSO+pDm1MKb8lIm8IECdl4vth1uAcW9wj8g1u1sMPxXFlf95Pv2AyTGqQmG2lWU
+Z7yvrxBT/2KE1PuRQZOBkySuXQjZ8qOgw8tzr5bdunucDd7fyB3UXELIJd6bbLwY
+MwZ8X7lP/TWglgemfEYL06D7w6oZA22eM5lRuUfvhhdnM0E0SNO6T48lNtCXeFMG
+qU9wNgYpSlUoHaak/wITZC648NFablVtvxiQ9QVYblON+OPt1mOtFo3MTTTb7JQC
+NAITVl2OGcGJeDI6qTCDNRe6YKX80JkSNPkDsHzTchwpxPoIYA4rkxyAbVmPD2zd
+q0KmLZshoMeMXsh3GPqh3XB42lwK5GVVWUqD2d/RezMGsEO5GyxLsBnG+w9Bl8iz
+kDtIgy8eUgtWBRryb8QLaYbzpnV3TbGx9dRnoOWxivPe0VHNAvB63kSYIY2ja3yc
+iNX0B00x14Ec1dzfqG2k/xdewwuTyy0vfs6wkNKfBTloztop6LdInSzOJayc6B0L
+tRGA/l+IlR9MnKEYLE4v57kWc6Sdk/w4Ou+9EFyAy/IXFBDT8PXeJH4huYvuc6ZI
+2taUdSNoIf2OPvGoWp9x5g88lmLEMWCq3qa/UH9PpRApq77mCNfW+aiupmdhHEZF
+AE5kdzYZ4btAO3WhHNho1k3YZmbfa56lrCjKUusOjcrhRNwmkzQBX78FXUZd8hSh
+LnxKsVhIat4u4Ypa/XP+pdU6I2h+peeUF3wa0jqPZoNLTuA2aK0INxPVBmBEJY9u
+WTxYtjixUvAgegTgU0n3ck9LW3AjjjMi0rcZU6GyYV0sYxSvrJY3D06z
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.dated.resp
index 32ad1b5b2..3519ae5b0 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.good.resp
index 3df8a2cb5..d0693f144 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.req
index bad8c46dd..b47ce8b4d 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.req and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.revoked.resp
index 3df8a2cb5..d0693f144 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signer.dated.resp b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signer.dated.resp
index b3302cf5c..7724fda3f 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signer.dated.resp and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signer.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signer.good.resp b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signer.good.resp
index 1bc719448..8ade2db36 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signer.good.resp and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signer.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signer.revoked.resp b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signer.revoked.resp
index 1bc719448..8ade2db36 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signer.revoked.resp and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signer.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signernocert.dated.resp b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signernocert.dated.resp
index c7af3c3d3..5123b172b 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signernocert.dated.resp and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signernocert.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signernocert.good.resp b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signernocert.good.resp
index 4af21f954..6eabdffa4 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signernocert.good.resp and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signernocert.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signernocert.revoked.resp b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signernocert.revoked.resp
index 4af21f954..6eabdffa4 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signernocert.revoked.resp and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.signernocert.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.p12 b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.p12
index 4d7263d67..ce12e54fe 100644
Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.p12 and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
index a36f946df..b820bf8f5 100644
--- a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
+++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: server2.example.com
-    localKeyID: 3E 38 B3 52 20 A0 E1 80 39 74 EA 8D D9 D2 2C DA F6 53 CC BF 
+    localKeyID: 0D 9E 77 6B 02 AF DE FB 02 31 58 89 27 D3 05 CA 81 F0 03 66 
 subject=/CN=server2.example.com
-issuer=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhh
-bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDJaFw0zNzEyMDExMjM0MDJaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
-ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKpVDMWYm+sUgk2Suy9g
-bFS1QSurQJANa1I4+2yQhqK8r2KaNMODeTBPm8wjDaia3OUPUXx0dUwzF5oi6sr7
-ztThjz6vAvPyq7fCyIO5P19FdQ8Po1QefxoPWTvN7giWjh0n1FeoG/Ls+sROjchm
-TbVuxrbU9kGfSqmBIPF1R0qPAgMBAAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAG
-A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
-hiFodHRwOi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
-KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLmNvbS8wHgYDVR0R
-BBcwFYITc2VydmVyMi5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOBgQA64kuJ
-wKno+NK76n34V3qqJkKzlAQEJPcNbTPegpB1dro6pH3g5W06POZ0P7Stz9G5vWoG
-ROqpoxReNNdULu1as/vK31q2Itiw8DhoSKjNNGuy6X+WzexI+l0OL2bww7/59GUQ
-gLn0+tu+pCbDPSU6f7fprc3WBlXxmD7qtc92oQ==
+MIICjDCCAfWgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhh
+bXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIx
+MTAxMTIzNDAxWhcNMzcxMjAxMTIzNDAxWjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4
+YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5xczcpFPcohZh
+Legf/wzSJvwj/dVkXg0MEyVulbMS+sgCwwSO6uGykJVc6ZKUnGqFyv5Icp1zG9Y9
+/joYefiXN5K1n/3NrtsET+6AJDWzZYz/AyRGd07xLwEw+Ip0/bqqNaxpc07L1qAA
+Bcwz2lcSeKsIDbYC9znSdEzuNUFmGQIDAQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5jb20vMB4G
+A1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADgYEA
+GQz0ggxKkEXx50eX/uWtlC7+JFwsJLBhU/nGBmOLxzHhptrRBLiqLYr8Chj92eZN
+nDr1HUY0jIC8PcPDjpgz1rs+6HOy3F++t7u+x1x89MQ2DUjCqqyjiM/PzuKsdU4V
+TVXsu8R4x8YSjCfXeKJAlOL4rPy2wU3wXRhzCf4Et4E=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
index e1deb2de7..c16d834bd 100644
--- a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
+++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCqVQzFmJvrFIJNkrsvYGxUtUErq0CQDWtSOPtskIaivK9imjTD
-g3kwT5vMIw2omtzlD1F8dHVMMxeaIurK+87U4Y8+rwLz8qu3wsiDuT9fRXUPD6NU
-Hn8aD1k7ze4Ilo4dJ9RXqBvy7PrETo3IZk21bsa21PZBn0qpgSDxdUdKjwIDAQAB
-AoGAGoE9iYnjyULZu+R3SDoC4XOK/paZZ1EPQC4pwY0DxlMCH5/LUhklRIU+wxc5
-SuE+Ok6V6X3dusvAgnWof4mLd4erej11dbPL0o9m5oUT9RYmajOLDHsM6sPgwlpi
-FNMHi1iM0KRfwexu1pQ4jR8pXOlSF7VcXRPvHtmI+kTd25ECQQDhjCDtp8iCBVPE
-2uv0FMv3yow7X26xj/Ah08jrDwsq+eS6NxX+ZZcbbBR4pcbw7adQ+mXl6q+jqfk5
-3TbqDddbAkEAwVRzvAq17TkIfGkNGhpN91/lb0UM4ogYfIUKlHBBa973tdtH9YNk
-ZiXU3GeYb1adVjRRJff6msaGMHm0eQvz3QJBAJstsBIS2A8s3x+Xh7OdA2BuyOCo
-nh4obAy6C4g+B28AE3BTKhynhLlnOQZw+FkXCYDbZnQzbbhq34ACRR/vefUCQHj4
-jzKqwQufFGBEm54pt3+C0d2+J0HYRvojhWs8krMc4YM5ot1NShVgtsDzUb7ZQ7od
-ImnPsVAHyQ+sF/FmOUECQH/JRqucORx5ZrJUh3dkMmELYQXQ3n9J2hhbOvuv/7oe
-BXCWOE7DqDODFARgXbqA7uaZfWmVKT4s/6AO9aDvmSo=
+MIICXQIBAAKBgQC5xczcpFPcohZhLegf/wzSJvwj/dVkXg0MEyVulbMS+sgCwwSO
+6uGykJVc6ZKUnGqFyv5Icp1zG9Y9/joYefiXN5K1n/3NrtsET+6AJDWzZYz/AyRG
+d07xLwEw+Ip0/bqqNaxpc07L1qAABcwz2lcSeKsIDbYC9znSdEzuNUFmGQIDAQAB
+AoGAEXVcVlP/KZn1/nYA/ZjLjKhrQ7qkJkWMdlkKSIU7CgqVZ2UKdZ/vTAe4cb3l
+r5+vhxlXollbIKk6DiNpNEmqKerZKzH7n7VGnWRZsqeIQKVafO8+zchh6yKNmWWB
+Vpr0iyzPruv4bX5mnlMyzCBR/p6ThYqzGvwJIyCY1EupZoECQQDnGO3hnpDZeNW+
+goZ3rHYlZYVDbb4IUOg/sDFQ+AKUbeSU6Iz+XgpZt9dxqLBPha75jbqIAM/p9EhH
+BBqmACRxAkEAzcqKI0Ic/673dD1BfTJ8PP1bqrEg2Gn/7+jL/BXJz4tH1kPvQjdl
+uBdOCVj0A0TRVGEsgqWK34t8uIeYJHyQKQJAHOW2IUdVr4v3lln1/JL5NxXpwxO+
+9oU/dW9Py2Mn122ibqhhsRELVEqzywef/GGoDpaVY5pOZV/hhdfSiT1tUQJBAKNG
+SDVTNijSjDiohTYtAQ9uwPT71iB+cXbKUFWwf87wJc3lVoZF56mYq+yUq/2P8zms
+Y6FAcJ+OTyUlR9vjDIkCQQDPIe6ggdYsOjRZewUscxmGKEZCHiJcqWIzD2aURknx
+DHKbxu5n3tZlhBoaK0OxJCoNDWLF/cE5PYJpBhGatJLR
 -----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/CA.pem b/test/aux-fixed/exim-ca/example.net/BLANK/CA.pem
index a28c0b558..b48d20d40 100644
--- a/test/aux-fixed/exim-ca/example.net/BLANK/CA.pem
+++ b/test/aux-fixed/exim-ca/example.net/BLANK/CA.pem
@@ -1,13 +1,13 @@
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMTEbMTyGaBnI5WpLVtz
-wWIEzR2lJyq5MHV6t9cIw/M1VFc0a9Woq8IeEyEmlycNe1/HgJfr7jq2JCtFu4VZ
-ZFMJW6bD7KiUGp2DwPEeC5yN1q7T4Yuho8kIdzpRTYnWo4RgPhl7wxSYoier+8/V
-1Zy3PrsciWI7Avp2Uq8iNGl/AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBADczofjhb+kWLvYcdK+w
-jEMvqwiEsm947WXuWYtg0Wi2IWhyZId9KfVJtHs7b/720WX2VeewkafuV+QfwE5c
-/Q7N8M1tnFbKT/2Af7o3MVxDH9cYXPTYWgM5i0Yv5k73VBZ/dhT5HSj1Ri1sxv3C
-vAJ2oHvLkS1MOpYEUICjB6xe
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owLTEUMBIGA1UEChMLZXhhbXBsZS5uZXQxFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3kwC9CHz
+JH7sEDkHMdZRq8+XpV7l/hEqfv2gPvT3mak46dWrI/T3pJOqyNvUZV/LJ/gx/0uw
+9pmCg6Y5zNCN0qAGY4rSS/sbEOLYIw5wJbFnYfHtTwe3ZAdG+5WqKMBF2lHNBM3b
+PUB/kweoLhNLwserKHwMDC3sksfrwH29rpMCAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAzXt6KHIB
+qOJfZECgwhAWipxVR0BXek0hAfyTWl7q18+mWKYydQW0Z2VMN4Bq/ZUlOg+EM8NU
+1n9PJ4+I2QgAwVVXN4+cz7zgZ6XRZc1OkE98NyK504bVpJpan1gsx3I5GLJUgP2t
+B/WwqoFO+ANhT2margZSM6avJfaIh8gEass=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/Signer.pem b/test/aux-fixed/exim-ca/example.net/BLANK/Signer.pem
index 9d19239da..34c6c36f2 100644
--- a/test/aux-fixed/exim-ca/example.net/BLANK/Signer.pem
+++ b/test/aux-fixed/exim-ca/example.net/BLANK/Signer.pem
@@ -1,14 +1,14 @@
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCsZOv
-pjcv45hvkXmbkZLSoywwX94a3jFC993OxTL8ixpQ0KxY2bc8TLcOTA+p3hH0pi2N
-JwiiWVQjA9HXrf7s/RmytXFZiJ5sE/mtkBNCUjH2uoGz9x1uVuIwq2colRe7JdQ5
-aCnb3D77nFy9bOvE59sljCbjeU2NwI1LIaUgfQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-Xi2XyqKqdhCOdcNmhhaOaPc9M5/W/52Y4y8DNEveJdbn9ZOIjz7w2vnxJ8hhbJHF
-RDGz6jeTnYz7wIYwRxU6y8vUNtXbV+S6RcWL6Symek52O32tj+TTP99lSu/bC2+f
-7cNOqfsUzyMi4EagINLkPFT8p0ozjXeWu7/Cy17K75s=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owNzEUMBIGA1UEChMLZXhhbXBsZS5uZXQxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBALMuDick/uNCkK8zWtdko5eynjJq0y8NVNlhSFkbwfjbxOQycuyMhMlYNnvs
+ESWZTV5ckpsvoDrFQLFk6ZB7RVYHUoOHNfANm8JWC9GR5zqbquibA/MMQ4h2Xlkz
+zQz12AzPpouZUyYs1+SjwlgfBRVhtxApDR2bPEDzI6s9VUdXAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQDCXkPeCURjOJwCBgbLERuNghPiWLqHPopm1idM2A032jDgbRXD9/DP
+1xOPgSLEW59EiJac0RNae0D2KyhnG90NZLccXK0a9Uu1iaAmdcJ7s4a0x0ZH9Kza
+hqz0cr4oStUOHxG/AtPKuhZ9PkZ7GDSPDW0k/z64WYCm1fqSWkbVig==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/cert8.db b/test/aux-fixed/exim-ca/example.net/BLANK/cert8.db
index 2aa87e55c..f412e95da 100644
Binary files a/test/aux-fixed/exim-ca/example.net/BLANK/cert8.db and b/test/aux-fixed/exim-ca/example.net/BLANK/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/key3.db b/test/aux-fixed/exim-ca/example.net/BLANK/key3.db
index 9133b96b1..d1a9ad944 100644
Binary files a/test/aux-fixed/exim-ca/example.net/BLANK/key3.db and b/test/aux-fixed/exim-ca/example.net/BLANK/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/CA/CA.pem b/test/aux-fixed/exim-ca/example.net/CA/CA.pem
index a28c0b558..b48d20d40 100644
--- a/test/aux-fixed/exim-ca/example.net/CA/CA.pem
+++ b/test/aux-fixed/exim-ca/example.net/CA/CA.pem
@@ -1,13 +1,13 @@
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMTEbMTyGaBnI5WpLVtz
-wWIEzR2lJyq5MHV6t9cIw/M1VFc0a9Woq8IeEyEmlycNe1/HgJfr7jq2JCtFu4VZ
-ZFMJW6bD7KiUGp2DwPEeC5yN1q7T4Yuho8kIdzpRTYnWo4RgPhl7wxSYoier+8/V
-1Zy3PrsciWI7Avp2Uq8iNGl/AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBADczofjhb+kWLvYcdK+w
-jEMvqwiEsm947WXuWYtg0Wi2IWhyZId9KfVJtHs7b/720WX2VeewkafuV+QfwE5c
-/Q7N8M1tnFbKT/2Af7o3MVxDH9cYXPTYWgM5i0Yv5k73VBZ/dhT5HSj1Ri1sxv3C
-vAJ2oHvLkS1MOpYEUICjB6xe
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owLTEUMBIGA1UEChMLZXhhbXBsZS5uZXQxFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3kwC9CHz
+JH7sEDkHMdZRq8+XpV7l/hEqfv2gPvT3mak46dWrI/T3pJOqyNvUZV/LJ/gx/0uw
+9pmCg6Y5zNCN0qAGY4rSS/sbEOLYIw5wJbFnYfHtTwe3ZAdG+5WqKMBF2lHNBM3b
+PUB/kweoLhNLwserKHwMDC3sksfrwH29rpMCAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAzXt6KHIB
+qOJfZECgwhAWipxVR0BXek0hAfyTWl7q18+mWKYydQW0Z2VMN4Bq/ZUlOg+EM8NU
+1n9PJ4+I2QgAwVVXN4+cz7zgZ6XRZc1OkE98NyK504bVpJpan1gsx3I5GLJUgP2t
+B/WwqoFO+ANhT2margZSM6avJfaIh8gEass=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/CA/OCSP.key b/test/aux-fixed/exim-ca/example.net/CA/OCSP.key
index 38b9a202e..f7b826f74 100644
--- a/test/aux-fixed/exim-ca/example.net/CA/OCSP.key
+++ b/test/aux-fixed/exim-ca/example.net/CA/OCSP.key
@@ -1,20 +1,20 @@
 Bag Attributes
-    friendlyName: OCSP Signer
-    localKeyID: 78 F3 7C 5D 22 37 23 2E 25 E0 FB 04 7C 0C B4 05 54 05 99 6A 
+    friendlyName: OCSP Signer rsa
+    localKeyID: 53 BB 1F 68 6E BB 81 B7 1F CD FD 8C B0 08 7A D9 61 BC 81 79 
 Key Attributes: <No Attributes>
 -----BEGIN PRIVATE KEY-----
-MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBANomNfuqsa1ahnza
-wpXuvhr2NkfdzFXzZlL1NXZUcfQFV/h0gg0V/+OBfyvWiA7Gcx1g9nhREuHNaMDU
-0K0w5C+gUChtEflLiXVnsYPDpAtP+SqjmbnqxH8sI/GrZAB1Ssgd8eNQiYvv+PWl
-5BPNB2zocWfNwAs7SWWbeUtPeML7AgMBAAECgYAC86zC730fhVKF0IxsKfS1D/OI
-CblPb/7InZbDixMy4qcER7d8neMtrvwvp6aFXCPH+YheWIxpwG+8ofw6XXVeMEH6
-TF93OmZU8b1nt/hjDi/hO8BpP6uLgdAbBQwhP9GJwtKjXwwx2lbkXtlMhNDzAjF1
-wVoAWwsbJ5HjOPnWbQJBAPQW06A7K/dbv00sYPPUGfUnmM1nmGxbt15NgJLh8gWv
-9Dnk56vrluBVDEm08x69ymN543olGPRAY4USPqFBxdcCQQDky1d5BXtqLqqUaqVq
-5tj4uY0F5hVLswne2x19/cTtE9XwbIRFjEUfFs6hwaz7dIdi9lbjpmb789vX74wG
-xv99AkB6c9ErO0QtTfvEzZS9/hQfpwPDWEthYQm2546vIWb3b3RIbwvCdeg1FrWZ
-bIvjSjd0fDuglWfVcU/7/FErOQH1AkEAj18NFX1l9QgBRLf/qJm4ZUSBJq0jsygi
-i1BrjsQzXw0LB3o4+QwJVI4KNjsTlw9St6T+lfF0n3YU0Z/+81BIUQJALwXf4X5O
-yHXXoXEKDKoRzduu2jzY8NtorkVwdroNa/Ey38cU7Qfq8E+yP+RkBoZBkC0GFYYk
-uMDc6VSZR8FHGQ==
+MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAKmmzvfGqq47MB1y
+7DsxXEYhlmLV+i0IN96elKWG9f0aExsitasvaxErD0lBijwHk4efsajdadla5Chf
+0J8RZn0eBQL7k5e6jiXvmKcvFDA0M5gXRLuh7CUjJWh6hMRRoMWaCc5DcdalL0EF
+OEhkm5PlVH2UgOvJCC6anG8UTeDXAgMBAAECgYAf56wCsw0ESUNKNoOwuh61Xbmv
+irhK4cHIDyC7ZH88gzvWnZd2wysqhmOQjk/V7ELVfbXmoQU4CDziTuqoD5irXmUe
+T02zYAaFYvMEQkLW9QiiKmQHpuhf5GUsEvxYe8qmpuVtCoygWCl0SppUxGRDpStS
+KCx87FTvWSJDBE3H+QJBAOInRyeXjKaUl0eYUySOuiAXl23amZpxVN+7gvjn9ewr
+TcWYkAsQF3yyA6n6PEYYe+FugSf+XhLcSpMRuvcGjNMCQQDACpV/R/JIjEC26AWq
+yWXhRV+1Wo3PZebInYsxDf9PBgtaeYLY8mrf65XhXgGC1Zg5bOgERMzL1pzOE78B
+3YltAkAIW5c/mVQzW85zcOextCygvv5zqt5+XK3cTtu6QyhNgBQxtz+riP61Nwb3
+oy3TEViSrjjLt5TWcZm38bHNK0rNAkAK2Q400GWZP4LwUg7v5MyCex666dCU5Jay
+wmN4c+f2GMtPYwnHI3pyB6bBwkOnllUw+Tvp8dD3urnE0ky52D/JAkAbX1GzRGNj
+HPICsVvPLUiLHFQHTjmkItJzkLqfN5rT6WFpGnmuAWw/f0QbjWx53ob2bRBEN17P
+5aANr4UJMFMd
 -----END PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/CA/OCSP.p12 b/test/aux-fixed/exim-ca/example.net/CA/OCSP.p12
index cf83d60a9..7d604b43e 100644
Binary files a/test/aux-fixed/exim-ca/example.net/CA/OCSP.p12 and b/test/aux-fixed/exim-ca/example.net/CA/OCSP.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/CA/OCSP.pem b/test/aux-fixed/exim-ca/example.net/CA/OCSP.pem
index b010e6c4e..dd807941b 100644
--- a/test/aux-fixed/exim-ca/example.net/CA/OCSP.pem
+++ b/test/aux-fixed/exim-ca/example.net/CA/OCSP.pem
@@ -1,13 +1,14 @@
 -----BEGIN CERTIFICATE-----
-MIICBTCCAW6gAwIBAgIBAzANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwM1oXDTM4MDEwMTEyMzQwM1owMjEUMBIGA1UEChMLZXhhbXBsZS5uZXQxGjAY
-BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
-iQKBgQDaJjX7qrGtWoZ82sKV7r4a9jZH3cxV82ZS9TV2VHH0BVf4dIINFf/jgX8r
-1ogOxnMdYPZ4URLhzWjA1NCtMOQvoFAobRH5S4l1Z7GDw6QLT/kqo5m56sR/LCPx
-q2QAdUrIHfHjUImL7/j1peQTzQds6HFnzcALO0llm3lLT3jC+wIDAQABoyowKDAO
-BgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcN
-AQELBQADgYEAXPnZ7D7SoaGa8EcMXI5DgJwI7kH3Ww/9xa3/0aF0OD7dsw/qeW1W
-2r04MuiGb6MBfNxa1njL3kSnCmKs6G7Ronpb6icFZq3v+f9LabhLBI3uz6kgwrI/
-Js4k0c9VlR18yb2xYY89m32HkRefAsBMjEiCv/xl5PuBLQ4O0gjkr9s=
+MIICDTCCAXagAwIBAgIBAzANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDNaFw0zODAxMDExMjM0MDNaMDYxFDASBgNVBAoTC2V4YW1wbGUubmV0
+MR4wHAYDVQQDExVjbGljYSBPQ1NQIFNpZ25lciByc2EwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBAKmmzvfGqq47MB1y7DsxXEYhlmLV+i0IN96elKWG9f0aExsi
+tasvaxErD0lBijwHk4efsajdadla5Chf0J8RZn0eBQL7k5e6jiXvmKcvFDA0M5gX
+RLuh7CUjJWh6hMRRoMWaCc5DcdalL0EFOEhkm5PlVH2UgOvJCC6anG8UTeDXAgMB
+AAGjKjAoMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCTAN
+BgkqhkiG9w0BAQsFAAOBgQAlUlo3jGxtQ0d/SLb7UN1j73P6ZY0cDxkSHASza/6x
+4cnDXBiD3qdHugdYHKED/OOMxm8XK49wDj9c6s9GZy9hP9AOn/EPqTQxJge/IjXL
+P7B2fE9Zz+Dg5m3kMqyBzrB/oTXOD3t9CbRJCECawofQ+5/ANXFnVB8eWuPggw7R
+Jg==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/CA/Signer.key b/test/aux-fixed/exim-ca/example.net/CA/Signer.key
index 386f31090..ae0a3f706 100644
--- a/test/aux-fixed/exim-ca/example.net/CA/Signer.key
+++ b/test/aux-fixed/exim-ca/example.net/CA/Signer.key
@@ -1,20 +1,20 @@
 Bag Attributes
-    friendlyName: Signing Cert
-    localKeyID: FD CF A0 42 1B 5A 49 F7 CD E2 2C 14 DF 08 5F 77 54 CA 2E 9B 
+    friendlyName: Signing Cert rsa
+    localKeyID: 75 B1 07 68 61 48 3B 2E BF D9 57 2E 67 F1 ED 1E E4 00 97 1D 
 Key Attributes: <No Attributes>
 -----BEGIN PRIVATE KEY-----
-MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMKxk6+mNy/jmG+R
-eZuRktKjLDBf3hreMUL33c7FMvyLGlDQrFjZtzxMtw5MD6neEfSmLY0nCKJZVCMD
-0det/uz9GbK1cVmInmwT+a2QE0JSMfa6gbP3HW5W4jCrZyiVF7sl1DloKdvcPvuc
-XL1s68Tn2yWMJuN5TY3AjUshpSB9AgMBAAECgYAD3vH3wQ9B1X2XYkYPsMJBi9r6
-Dz3kPNyv3yu6y7Lq0H0ydCOpFJMPENtm3l5FW1PyEEfBkbAbQjlpBM9sQVpbJPUq
-bqMdEq2GR6/qNp/GOIS6oJe7uBzab8lxVrcUt0nYc1DFku1oTpI5MLlotStB/Ssl
-oQdBmkuCgIXh73lxAQJBAPalNgKdVJojCFw8keUNTPSpr/qDnIWheM9VbU+DsPPd
-bjEnBJNy32PNn5OZabAIsi3RqAMXSkMAX93NoYfCpkECQQDKE/GjAN8NzLx6/cQi
-Fhl1UKWU5RQiMcg3N6rE6tkz4VnkISUsJb/D+r0ZvPSIb7bkQFheQMnUC2bbAsPb
-oMM9AkEA249OeR1dBqlQ8+rnZSNl8hZsFXG7kCmhxc+iMzpj93KSeSbmp+uGeO2+
-tEHJF29mTetoyPeen+5haK14scXRAQJACTXNfptsjyl0sbpdNRyCvokVcurZ9xED
-yhh8bQszKR0tRquIETILQnhsI/8rugg1csPIA0u6pzJ51qOSn7D9FQJBANutlC47
-4MzmhDPsXKyNM4bSfqByIHf+LbRLj8zIug6cyxmZomy55wCQbpqXUcg/W+i58ydJ
-JNoOayt+2wuK4/M=
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALMuDick/uNCkK8z
+Wtdko5eynjJq0y8NVNlhSFkbwfjbxOQycuyMhMlYNnvsESWZTV5ckpsvoDrFQLFk
+6ZB7RVYHUoOHNfANm8JWC9GR5zqbquibA/MMQ4h2XlkzzQz12AzPpouZUyYs1+Sj
+wlgfBRVhtxApDR2bPEDzI6s9VUdXAgMBAAECgYAYIRAb2mIOxaSJS2+kyPM01wNx
+w6v7zp5KBc1B3riQ5DuQBXEvhL7PBHeV2ZT3jLz8A5hkmJXJxE1xdibz433THXTG
+71l+rNfZzNlmDjFpVI+Rwe8wqiNb5gi98jU5sSJHuW235el/TBps4yXgfMz4ZErN
+S7Lh7l6hhXOCVmzG6QJBAO6j9rnVC2heNzRnPz1o4j3a/8cvFanGzYkGTi89CbyP
+1ZVxgY855OyPiR7KwkIhHtnxB++42dMmrfKudpEuwgkCQQDANsxhsUynfNjG51Vp
+uj5giqzmMcGhUL1/URxorLt3Am3p6vmpSpMxS01NzYzwJvpO4rA3lWVZhdkyLLlH
+epZfAkEA11JQY3qsUV55Vyo1sHY7dO5uTU3ZsRe1CocK8qqTZ3UslSwWZ6IoQZ59
+bbArOTnjOWi27YEP4eqLl2X9i5/x6QJAB2cU3/5QEXNBdgeaxoOhu14b4pGv/2J4
+qdqZ2X4tihvR19xw2RBCMvfPdlugPe+CXF9mof1i9dutzbzjNdmGyQJBAOlnPy02
+myqvM9YoP6tbgwPJxN/9g5tne20Ji4F4u8gZC4vvk4oEbdV+OUkA07gIZL0KWkKi
+14t8FjtLaie2nk8=
 -----END PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/CA/Signer.p12 b/test/aux-fixed/exim-ca/example.net/CA/Signer.p12
index 1fb6ca85f..8bdf74131 100644
Binary files a/test/aux-fixed/exim-ca/example.net/CA/Signer.p12 and b/test/aux-fixed/exim-ca/example.net/CA/Signer.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/CA/Signer.pem b/test/aux-fixed/exim-ca/example.net/CA/Signer.pem
index 9d19239da..34c6c36f2 100644
--- a/test/aux-fixed/exim-ca/example.net/CA/Signer.pem
+++ b/test/aux-fixed/exim-ca/example.net/CA/Signer.pem
@@ -1,14 +1,14 @@
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCsZOv
-pjcv45hvkXmbkZLSoywwX94a3jFC993OxTL8ixpQ0KxY2bc8TLcOTA+p3hH0pi2N
-JwiiWVQjA9HXrf7s/RmytXFZiJ5sE/mtkBNCUjH2uoGz9x1uVuIwq2colRe7JdQ5
-aCnb3D77nFy9bOvE59sljCbjeU2NwI1LIaUgfQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-Xi2XyqKqdhCOdcNmhhaOaPc9M5/W/52Y4y8DNEveJdbn9ZOIjz7w2vnxJ8hhbJHF
-RDGz6jeTnYz7wIYwRxU6y8vUNtXbV+S6RcWL6Symek52O32tj+TTP99lSu/bC2+f
-7cNOqfsUzyMi4EagINLkPFT8p0ozjXeWu7/Cy17K75s=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owNzEUMBIGA1UEChMLZXhhbXBsZS5uZXQxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBALMuDick/uNCkK8zWtdko5eynjJq0y8NVNlhSFkbwfjbxOQycuyMhMlYNnvs
+ESWZTV5ckpsvoDrFQLFk6ZB7RVYHUoOHNfANm8JWC9GR5zqbquibA/MMQ4h2Xlkz
+zQz12AzPpouZUyYs1+SjwlgfBRVhtxApDR2bPEDzI6s9VUdXAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQDCXkPeCURjOJwCBgbLERuNghPiWLqHPopm1idM2A032jDgbRXD9/DP
+1xOPgSLEW59EiJac0RNae0D2KyhnG90NZLccXK0a9Uu1iaAmdcJ7s4a0x0ZH9Kza
+hqz0cr4oStUOHxG/AtPKuhZ9PkZ7GDSPDW0k/z64WYCm1fqSWkbVig==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/CA/ca.conf b/test/aux-fixed/exim-ca/example.net/CA/ca.conf
index f89e93d81..2ebcda676 100644
--- a/test/aux-fixed/exim-ca/example.net/CA/ca.conf
+++ b/test/aux-fixed/exim-ca/example.net/CA/ca.conf
@@ -1,19 +1,18 @@
 ; Config::Simple 4.59
 ; Thu Nov  1 12:34:03 2012
 
-[CA]
-org=example.net
-name=Certificate Authority
-subject=clica CA
-bits=1024
-
 [CLICA]
-crl_signer=Signing Cert
-ocsp_url=http://oscp.example.net/
-crl_url=http://crl.example.net/latest.crl
-signer=Signing Cert
 sighash=SHA256
-ocsp_signer=OCSP Signer
+crl_url=http://crl.example.net/latest.crl
 level=1
+ocsp_url=http://oscp.example.net/
+ocsp_signer=OCSP Signer rsa
+signer=Signing Cert rsa
+
+[CA]
+subject=clica CA
+name=Certificate Authority rsa
+bits=1024
+org=example.net
 
 
diff --git a/test/aux-fixed/exim-ca/example.net/CA/cert8.db b/test/aux-fixed/exim-ca/example.net/CA/cert8.db
index 1d6b1ded9..372f1132f 100644
Binary files a/test/aux-fixed/exim-ca/example.net/CA/cert8.db and b/test/aux-fixed/exim-ca/example.net/CA/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.empty b/test/aux-fixed/exim-ca/example.net/CA/crl.empty
index ac5cd63e9..bbca4d630 100644
Binary files a/test/aux-fixed/exim-ca/example.net/CA/crl.empty and b/test/aux-fixed/exim-ca/example.net/CA/crl.empty differ
diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.empty.in.txt b/test/aux-fixed/exim-ca/example.net/CA/crl.empty.in.txt
index 94f20b071..5c3cda501 100644
--- a/test/aux-fixed/exim-ca/example.net/CA/crl.empty.in.txt
+++ b/test/aux-fixed/exim-ca/example.net/CA/crl.empty.in.txt
@@ -1 +1 @@
-update=20170131185506Z 
+update=20171105161901Z 
diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.empty.pem b/test/aux-fixed/exim-ca/example.net/CA/crl.empty.pem
index bd2c5aba4..a71c9c797 100644
--- a/test/aux-fixed/exim-ca/example.net/CA/crl.empty.pem
+++ b/test/aux-fixed/exim-ca/example.net/CA/crl.empty.pem
@@ -1,7 +1,8 @@
 -----BEGIN X509 CRL-----
-MIHtMFgCAQEwDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5uZXQx
-GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxNzAxMzExODU1MDZaMA0G
-CSqGSIb3DQEBCwUAA4GBAHNFzPgtGmXUXcr29O60RAqo47rUjgMgna6Se3uI9DDh
-uKhuf23lrT8pEVtvedYFo3cuTO8t4LH6B/3b+giyboxkoAEbC1PA6aHGJC1W9DCc
-xJenmVm5JbqEjiI3ondpNyvyOiLYX9J7iVMl1/XoW/dFI4p1reA8z2Zc1iDOvgzP
+MIHxMFwCAQEwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhhbXBsZS5uZXQx
+HzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EYDzIwMTcxMTA1MTYxOTAx
+WjANBgkqhkiG9w0BAQsFAAOBgQA0kBwok3/EQWTCJ8zQRDz1Gjm1BL+E2cb/8DFg
+wIXTVWUkKqL8SsmufLrY8cb5qrCzFnhklOxaXC4vUB305qiMmfrECsXaGKn1udYQ
+90CLyLO5rJQzp6gpFp8Xe5W6Tx7ftfSQFaft63Knb+kT1BgzvWt4kZYeB36Om7v6
+fwtmXA==
 -----END X509 CRL-----
diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.v2 b/test/aux-fixed/exim-ca/example.net/CA/crl.v2
index 7d8dcfc0c..46ff265e0 100644
Binary files a/test/aux-fixed/exim-ca/example.net/CA/crl.v2 and b/test/aux-fixed/exim-ca/example.net/CA/crl.v2 differ
diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.v2.in.txt b/test/aux-fixed/exim-ca/example.net/CA/crl.v2.in.txt
index 8384c35bd..20311aa93 100644
--- a/test/aux-fixed/exim-ca/example.net/CA/crl.v2.in.txt
+++ b/test/aux-fixed/exim-ca/example.net/CA/crl.v2.in.txt
@@ -1,3 +1,3 @@
-update=20170131185508Z 
-addcert 102 20170131185508Z
-addcert 202 20170131185508Z
+update=20171105161903Z 
+addcert 102 20171105161903Z
+addcert 202 20171105161903Z
diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.v2.pem b/test/aux-fixed/exim-ca/example.net/CA/crl.v2.pem
index 4098c4ce2..555c14759 100644
--- a/test/aux-fixed/exim-ca/example.net/CA/crl.v2.pem
+++ b/test/aux-fixed/exim-ca/example.net/CA/crl.v2.pem
@@ -1,9 +1,9 @@
 -----BEGIN X509 CRL-----
-MIIBHTCBhwIBATANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFtcGxlLm5l
-dDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0GA8yMDE3MDEzMTE4NTUwOFow
-LTAUAgFmGA8yMDE3MDEzMTE4NTUwOFowFQICAMoYDzIwMTcwMTMxMTg1NTA4WjAN
-BgkqhkiG9w0BAQsFAAOBgQCzAPuByn/+gsqzO6hE8JPs6AIPSK98dA2x2R7rOMuf
-tAekmPym5wdfeEAISyxRSeDZbT9tbNcG3N7SBaZf/tAC6zdGP8lMqnYiSfkwq7ee
-iVwLdAUxyusgPW4jmEKk5n7ppFS8tlaY+lmSHfnE5dCbD9Ol4fnyRC2dobuD0pNe
-bg==
+MIIBITCBiwIBATANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFtcGxlLm5l
+dDEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYRgPMjAxNzExMDUxNjE5
+MDNaMC0wFAIBZhgPMjAxNzExMDUxNjE5MDNaMBUCAgDKGA8yMDE3MTEwNTE2MTkw
+M1owDQYJKoZIhvcNAQELBQADgYEAljNKSLoRFHBtaoS6FNgra+O+ssbZzFpWOtK4
+l30UXD5ZmDTb70XrOZ8mQ2LbhJxMQSHoKYiSJw7gFu48CwjcVCd6UPDzRs9DRIM+
+lHqWU8DrsADTYnSBJSD4kPxK+HX9iw7KX5UZVeFOdj++p6JEG4ijEOOOkPeJ6C/9
+NCu2bns=
 -----END X509 CRL-----
diff --git a/test/aux-fixed/exim-ca/example.net/CA/key3.db b/test/aux-fixed/exim-ca/example.net/CA/key3.db
index 69821ef1e..c392363b6 100644
Binary files a/test/aux-fixed/exim-ca/example.net/CA/key3.db and b/test/aux-fixed/exim-ca/example.net/CA/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/CA/noise.file b/test/aux-fixed/exim-ca/example.net/CA/noise.file
index b66651f29..bce75de82 100644
--- a/test/aux-fixed/exim-ca/example.net/CA/noise.file
+++ b/test/aux-fixed/exim-ca/example.net/CA/noise.file
@@ -4,7 +4,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -17,7 +17,7 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
 bogomips	: 5424.00
 clflush size	: 64
@@ -31,7 +31,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -44,9 +44,9 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5427.15
+bogomips	: 5431.34
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
@@ -58,8 +58,8 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
-cpu MHz		: 2700.164
+microcode	: 0xba
+cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
 siblings	: 8
@@ -71,9 +71,9 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5427.09
+bogomips	: 5431.79
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
@@ -85,7 +85,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -98,9 +98,9 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5427.13
+bogomips	: 5431.63
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
@@ -112,7 +112,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -125,9 +125,9 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5428.40
+bogomips	: 5434.63
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
@@ -139,7 +139,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -152,9 +152,9 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5428.13
+bogomips	: 5432.00
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
@@ -166,7 +166,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -179,9 +179,9 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5427.27
+bogomips	: 5431.94
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
@@ -193,7 +193,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -206,87 +206,87 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5427.26
+bogomips	: 5431.94
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
 power management:
 
             CPU0       CPU1       CPU2       CPU3       CPU4       CPU5       CPU6       CPU7       
-   0:         52          0          0          0          0          0          0          0  IR-IO-APIC    2-edge      timer
-   1:         16        459         44         16         71         52         37         18  IR-IO-APIC    1-edge      i8042
-   8:          0          0          0          1          0          0          0          0  IR-IO-APIC    8-edge      rtc0
-   9:         89        154         83        105        355        114        136         53  IR-IO-APIC    9-fasteoi   acpi
-  12:        201      49498       1295       1310       5642       1517       1861       1019  IR-IO-APIC   12-edge      i8042
+   0:         70          0          0          0          0          0          0          0  IR-IO-APIC    2-edge      timer
+   1:         39      16476       1416       1089       6857       1983       1674       1959  IR-IO-APIC    1-edge      i8042
+   8:          0          0          1          0          0          0          0          0  IR-IO-APIC    8-edge      rtc0
+   9:        284       4834       2265       1628       7027       2758       1632       1695  IR-IO-APIC    9-fasteoi   acpi
+  12:        273    1626151      37392      40715     288530      39254      36081      51183  IR-IO-APIC   12-edge      i8042
   16:          1          0          0          0          0          0          0          0  IR-IO-APIC   16-fasteoi   i801_smbus
-  19:          5          3          2          0          8          2          2          2  IR-IO-APIC   19-fasteoi 
  120:          0          0          0          0          0          0          0          0  DMAR-MSI    0-edge      dmar0
  121:          0          0          0          0          0          0          0          0  DMAR-MSI    1-edge      dmar1
- 124:       7929       1965       1951      91821       6129       4099       2324       2579  IR-PCI-MSI 376832-edge      ahci[0000:00:17.0]
- 125:        219         13          6         32         12          8          6         22  IR-PCI-MSI 327680-edge      xhci_hcd
- 126:         97         12         17         44         16          8          5          2  IR-PCI-MSI 2097152-edge      rtsx_pci
- 127:          0          0         88          0         58          0         61         36  IR-PCI-MSI 520192-edge      enp0s31f6
- 128:          0          0          0          2          2          0          1          8  IR-PCI-MSI 1048576-edge    
- 129:        725         32        125        185      13085        451       7280        254  IR-PCI-MSI 32768-edge      i915
- 130:         23          9          7          0         11          0          1          0  IR-PCI-MSI 360448-edge      mei_me
- 131:         21          6          4          2          7          4          3          0  IR-PCI-MSI 1572864-edge      iwlwifi
- 132:        713          0         63         42        106         45        129        120  IR-PCI-MSI 514048-edge      snd_hda_intel:card0
- NMI:          2          1          1          1          2          4          1          1   Non-maskable interrupts
- LOC:      33592      27812      28870      27337      44352      61045      27556      32668   Local timer interrupts
+ 122:       7136       3040       2312       1908       4546       3822      75943       2347  IR-PCI-MSI 376832-edge      ahci[0000:00:17.0]
+ 123:         22          7          1          0          7          3          4          1  IR-PCI-MSI 327680-edge      xhci_hcd
+ 124:         89         19         22         25         79         55         27         54  IR-PCI-MSI 2097152-edge      rtsx_pci
+ 125:         88         15     127558         11         48         25         19         21  IR-PCI-MSI 520192-edge      enp0s31f6
+ 126:          1          1          1          0          3          1          3          6  IR-PCI-MSI 1048576-edge    
+ 127:        561        174         98     789305        240        230        184        147  IR-PCI-MSI 32768-edge      i915
+ 128:         34         14          0          0          1          0          0          0  IR-PCI-MSI 360448-edge      mei_me
+ 129:         22         10          0          1         10          0          0          0  IR-PCI-MSI 1572864-edge      iwlwifi
+ 130:         92        103         30         22        194        115         10         45  IR-PCI-MSI 514048-edge      snd_hda_intel:card0
+ NMI:          9         12          9         14         10          9          9         10   Non-maskable interrupts
+ LOC:     567497     554673     726762    1034458     583903     592347     624108     548791   Local timer interrupts
  SPU:          0          0          0          0          0          0          0          0   Spurious interrupts
- PMI:          2          1          1          1          2          4          1          1   Performance monitoring interrupts
- IWI:          4          0          0          2          0          0          1          1   IRQ work interrupts
+ PMI:          9         12          9         14         10          9          9         10   Performance monitoring interrupts
+ IWI:          0          1          0          0          0          0          2          0   IRQ work interrupts
  RTR:          7          0          0          0          0          0          0          0   APIC ICR read retries
- RES:      10018       4170       2813       2504       2970       1497       2333       2607   Rescheduling interrupts
- CAL:      51614      26932      27696      38549      30005      38583      36538      38831   Function call interrupts
- TLB:      44868      21971      22151      33281      24454      32863      30173      34882   TLB shootdowns
+ RES:      85573      31055      11911       8316       7459       6910       6400       5898   Rescheduling interrupts
+ CAL:      73161      74171      68752      70655      80168      75208      61391      70903   Function call interrupts
+ TLB:      55150      56119      50377      53791      62195      57072      43366      55765   TLB shootdowns
  TRM:          0          0          0          0          0          0          0          0   Thermal event interrupts
  THR:          0          0          0          0          0          0          0          0   Threshold APIC interrupts
  DFR:          0          0          0          0          0          0          0          0   Deferred Error APIC interrupts
  MCE:          0          0          0          0          0          0          0          0   Machine check exceptions
- MCP:          3          3          3          3          3          3          3          3   Machine check polls
+ MCP:         49         49         49         49         49         49         49         49   Machine check polls
  ERR:          0
  MIS:          0
  PIN:          0          0          0          0          0          0          0          0   Posted-interrupt notification event
+ NPI:          0          0          0          0          0          0          0          0   Nested posted-interrupt event
  PIW:          0          0          0          0          0          0          0          0   Posted-interrupt wakeup event
-MemTotal:       15855100 kB
-MemFree:        11478688 kB
-MemAvailable:   12987704 kB
-Buffers:          385504 kB
-Cached:          1340144 kB
+MemTotal:       15852528 kB
+MemFree:        10535328 kB
+MemAvailable:   12483184 kB
+Buffers:          128136 kB
+Cached:          1542012 kB
 SwapCached:            0 kB
-Active:          2943928 kB
-Inactive:         985216 kB
-Active(anon):    2204596 kB
-Inactive(anon):    56576 kB
-Active(file):     739332 kB
-Inactive(file):   928640 kB
-Unevictable:           0 kB
-Mlocked:               0 kB
+Active:          3133856 kB
+Inactive:        1816836 kB
+Active(anon):    2706508 kB
+Inactive(anon):    79680 kB
+Active(file):     427348 kB
+Inactive(file):  1737156 kB
+Unevictable:          32 kB
+Mlocked:              32 kB
 SwapTotal:       7933948 kB
 SwapFree:        7933948 kB
-Dirty:              2456 kB
+Dirty:              3596 kB
 Writeback:             0 kB
-AnonPages:       1629696 kB
-Mapped:           242564 kB
-Shmem:             57684 kB
-Slab:             251912 kB
-SReclaimable:     179404 kB
-SUnreclaim:        72508 kB
-KernelStack:        6864 kB
-PageTables:        29584 kB
+AnonPages:       2975520 kB
+Mapped:           495452 kB
+Shmem:             80740 kB
+Slab:             143660 kB
+SReclaimable:      74472 kB
+SUnreclaim:        69188 kB
+KernelStack:        9188 kB
+PageTables:        38964 kB
 NFS_Unstable:          0 kB
 Bounce:                0 kB
 WritebackTmp:          0 kB
-CommitLimit:    15861496 kB
-Committed_AS:    8745148 kB
+CommitLimit:    15860212 kB
+Committed_AS:   11692028 kB
 VmallocTotal:   34359738367 kB
 VmallocUsed:           0 kB
 VmallocChunk:          0 kB
 HardwareCorrupted:     0 kB
-AnonHugePages:    684032 kB
+AnonHugePages:    966656 kB
 ShmemHugePages:        0 kB
 ShmemPmdMapped:        0 kB
 CmaTotal:              0 kB
@@ -296,14 +296,15 @@ HugePages_Free:        0
 HugePages_Rsvd:        0
 HugePages_Surp:        0
 Hugepagesize:       2048 kB
-DirectMap4k:      147456 kB
-DirectMap2M:     6608896 kB
-DirectMap1G:    10485760 kB
+DirectMap4k:      202752 kB
+DirectMap2M:     7602176 kB
+DirectMap1G:     9437184 kB
 Inter-|   Receive                                                |  Transmit
  face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
-wlp3s0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
-enp0s31f6:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
- vnet0:   32675     319    0    0    0     0          0         0    42342     546    0    0    0     0       0          0
-virbr1:   28209     319    0    0    0     0          0         0    27394     284    0    0    0     0       0          0
+virbr1:  353867    2838    0    0    0     0          0         0  1474230    3810    0    0    0     0       0          0
+enp0s31f6: 43448732   65083    0    0    0     0          0      2074  6948879   57082    0    0    0     0       0          0
 virbr1-nic:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
-    lo:   92538    1136    0    0    0     0          0         0    92538    1136    0    0    0     0       0          0
+tun_wizint: 4130741    7381    0    0    0     0          0         0  1092175    8002    0    0    0     0       0          0
+    lo:    5706      74    0    0    0     0          0         0     5706      74    0    0    0     0       0          0
+ vnet0:  393599    2838    0    0    0     0          0         0  1609950    6362    0    0    0     0       0          0
+wlp3s0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/expired1.example.net/ca_chain.pem
index 569dda104..fef1020ef 100644
--- a/test/aux-fixed/exim-ca/example.net/expired1.example.net/ca_chain.pem
+++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/ca_chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.net/CN=clica Signing Cert
-issuer=/O=example.net/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.net/CN=clica Signing Cert rsa
+issuer=/O=example.net/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCsZOv
-pjcv45hvkXmbkZLSoywwX94a3jFC993OxTL8ixpQ0KxY2bc8TLcOTA+p3hH0pi2N
-JwiiWVQjA9HXrf7s/RmytXFZiJ5sE/mtkBNCUjH2uoGz9x1uVuIwq2colRe7JdQ5
-aCnb3D77nFy9bOvE59sljCbjeU2NwI1LIaUgfQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-Xi2XyqKqdhCOdcNmhhaOaPc9M5/W/52Y4y8DNEveJdbn9ZOIjz7w2vnxJ8hhbJHF
-RDGz6jeTnYz7wIYwRxU6y8vUNtXbV+S6RcWL6Symek52O32tj+TTP99lSu/bC2+f
-7cNOqfsUzyMi4EagINLkPFT8p0ozjXeWu7/Cy17K75s=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owNzEUMBIGA1UEChMLZXhhbXBsZS5uZXQxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBALMuDick/uNCkK8zWtdko5eynjJq0y8NVNlhSFkbwfjbxOQycuyMhMlYNnvs
+ESWZTV5ckpsvoDrFQLFk6ZB7RVYHUoOHNfANm8JWC9GR5zqbquibA/MMQ4h2Xlkz
+zQz12AzPpouZUyYs1+SjwlgfBRVhtxApDR2bPEDzI6s9VUdXAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQDCXkPeCURjOJwCBgbLERuNghPiWLqHPopm1idM2A032jDgbRXD9/DP
+1xOPgSLEW59EiJac0RNae0D2KyhnG90NZLccXK0a9Uu1iaAmdcJ7s4a0x0ZH9Kza
+hqz0cr4oStUOHxG/AtPKuhZ9PkZ7GDSPDW0k/z64WYCm1fqSWkbVig==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.net/CN=clica CA
-issuer=/O=example.net/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.net/CN=clica CA rsa
+issuer=/O=example.net/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMTEbMTyGaBnI5WpLVtz
-wWIEzR2lJyq5MHV6t9cIw/M1VFc0a9Woq8IeEyEmlycNe1/HgJfr7jq2JCtFu4VZ
-ZFMJW6bD7KiUGp2DwPEeC5yN1q7T4Yuho8kIdzpRTYnWo4RgPhl7wxSYoier+8/V
-1Zy3PrsciWI7Avp2Uq8iNGl/AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBADczofjhb+kWLvYcdK+w
-jEMvqwiEsm947WXuWYtg0Wi2IWhyZId9KfVJtHs7b/720WX2VeewkafuV+QfwE5c
-/Q7N8M1tnFbKT/2Af7o3MVxDH9cYXPTYWgM5i0Yv5k73VBZ/dhT5HSj1Ri1sxv3C
-vAJ2oHvLkS1MOpYEUICjB6xe
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owLTEUMBIGA1UEChMLZXhhbXBsZS5uZXQxFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3kwC9CHz
+JH7sEDkHMdZRq8+XpV7l/hEqfv2gPvT3mak46dWrI/T3pJOqyNvUZV/LJ/gx/0uw
+9pmCg6Y5zNCN0qAGY4rSS/sbEOLYIw5wJbFnYfHtTwe3ZAdG+5WqKMBF2lHNBM3b
+PUB/kweoLhNLwserKHwMDC3sksfrwH29rpMCAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAzXt6KHIB
+qOJfZECgwhAWipxVR0BXek0hAfyTWl7q18+mWKYydQW0Z2VMN4Bq/ZUlOg+EM8NU
+1n9PJ4+I2QgAwVVXN4+cz7zgZ6XRZc1OkE98NyK504bVpJpan1gsx3I5GLJUgP2t
+B/WwqoFO+ANhT2margZSM6avJfaIh8gEass=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/expired1.example.net/cert8.db
index 70bb25cf0..9d88971c0 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/cert8.db and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.chain.pem
index 2510822e0..415238ac0 100644
--- a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.chain.pem
+++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
     friendlyName: expired1.example.net
-    localKeyID: 8C 4C 0B E5 B0 98 94 3A D9 D7 F9 9B 4C 08 90 41 D2 D2 81 BA 
+    localKeyID: F8 8C 05 1E F2 1C 44 26 76 14 77 28 6F 4B C8 10 A6 E5 E1 A0 
 subject=/CN=expired1.example.net
-issuer=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwM1oXDTEyMTIwMTEyMzQwM1owHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
-ZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALam9ms8TMqjajj0f4Lp
-kkzchktMmqxsekP+x7juWbpWHA2jcu5k3FQ8uk6haYR2L5azhTugyvKMmUhs22QM
-xLklebk+vJgsFDYD+Hp1P/KOljuohaIEemNf0S5KochyQnsVaRlYUGjnSnms3BTH
-VoiUsmVgfTx+Uc+nFHyud90VAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG
-A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
-hiFodHRwOi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
-KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLm5ldC8wHwYDVR0R
-BBgwFoIUZXhwaXJlZDEuZXhhbXBsZS5uZXQwDQYJKoZIhvcNAQELBQADgYEAiafH
-LUsttmpVmeexSBZLTDznG7cn+TnqwtXrzcxj0R4n3qwdN/JwySsxTGBtBRWYp2bj
-3GrEMxNZA05KtZ7dWWK2hib/Re8MqDoOEJmpgGxQAZ2i7qJdXGworodKU+dWPKDJ
-URTK97yW4e+l/krzF0ZquGYl9Lv1qeL75xB0FP0=
+MIICjTCCAfagAwIBAgIBZzANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDNaFw0xMjEyMDExMjM0MDNaMB8xHTAbBgNVBAMTFGV4cGlyZWQxLmV4
+YW1wbGUubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6sferp1lp0jW/
+rpTqM3glt5VEOHO3w5a4nvEplLqNbZSUNAqgMhw1nXsYA0xfCeS0zCaEvuK9U58Q
+jxddvQxGEbtF1wFWPHa0P3HuEuZpQxstgr+Dmjh2v2C8cu6gA/8/0AM/JEQ1pPMj
+wXAGaCRtkUhY7RW+X4t9sgjjrH68hwIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5uZXQvMB8G
+A1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1wbGUubmV0MA0GCSqGSIb3DQEBCwUAA4GB
+ACLOp0fuRcZP3yahPxZ0zOX73LmUCS3NAksjvmwBUMR0jvI+454qu9XkxfsKJ8pJ
+4bK+gJinpd2U6j+UXeU46aQ5x1ilJvMBE2EiOINRgQZB+5OC7ihn73uW4B0OLU1V
+DiEUk8LeYjWAks6AnxHJfbihkxoe8+aNdORFiSp3lmNd
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCsZOv
-pjcv45hvkXmbkZLSoywwX94a3jFC993OxTL8ixpQ0KxY2bc8TLcOTA+p3hH0pi2N
-JwiiWVQjA9HXrf7s/RmytXFZiJ5sE/mtkBNCUjH2uoGz9x1uVuIwq2colRe7JdQ5
-aCnb3D77nFy9bOvE59sljCbjeU2NwI1LIaUgfQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-Xi2XyqKqdhCOdcNmhhaOaPc9M5/W/52Y4y8DNEveJdbn9ZOIjz7w2vnxJ8hhbJHF
-RDGz6jeTnYz7wIYwRxU6y8vUNtXbV+S6RcWL6Symek52O32tj+TTP99lSu/bC2+f
-7cNOqfsUzyMi4EagINLkPFT8p0ozjXeWu7/Cy17K75s=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owNzEUMBIGA1UEChMLZXhhbXBsZS5uZXQxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBALMuDick/uNCkK8zWtdko5eynjJq0y8NVNlhSFkbwfjbxOQycuyMhMlYNnvs
+ESWZTV5ckpsvoDrFQLFk6ZB7RVYHUoOHNfANm8JWC9GR5zqbquibA/MMQ4h2Xlkz
+zQz12AzPpouZUyYs1+SjwlgfBRVhtxApDR2bPEDzI6s9VUdXAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQDCXkPeCURjOJwCBgbLERuNghPiWLqHPopm1idM2A032jDgbRXD9/DP
+1xOPgSLEW59EiJac0RNae0D2KyhnG90NZLccXK0a9Uu1iaAmdcJ7s4a0x0ZH9Kza
+hqz0cr4oStUOHxG/AtPKuhZ9PkZ7GDSPDW0k/z64WYCm1fqSWkbVig==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.key b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.key
index 5f3f8886f..9f728c279 100644
--- a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.key
+++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.key
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: expired1.example.net
-    localKeyID: 8C 4C 0B E5 B0 98 94 3A D9 D7 F9 9B 4C 08 90 41 D2 D2 81 BA 
+    localKeyID: F8 8C 05 1E F2 1C 44 26 76 14 77 28 6F 4B C8 10 A6 E5 E1 A0 
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI9iAVPu6cdvECAggA
-MBQGCCqGSIb3DQMHBAjfYK+uNUzfKwSCAoApd2yPxqavn4kI8V7+3bhs3VNKL+3N
-CvrQR3uHo+UQcRRhgE/mMzWvVxAL1YFwW8y5SQ/2qXyeT7Rfvqx6iOvWWpHg/yIp
-7FdwM83zCHgTEUGYTEzyhCbt4MZvvtf9SBhrqCT7LSg3oDklWj9xQ0BBBS1C5fY3
-g47WyXTButmUK0QTqENQrzCTm5QD1YJtZVD1zaWp6txUPCSv8zKb1HSZEFvetU6t
-P5LdIfja+2ntqipiU6X53tN3RphZXJtquQH8oNLxwmixgDfHQW7+cPrZGUJ4MfMy
-nJOWzjalg2/LT6P/LCxI4wL7nlVQvoT6e2DByHMnG+dvUN6DHTUzBTGabzVQN9KC
-HfiNWtmsQlb2clcd9WKmuVcGRiI944o5PKjn2kfrzZqWIa1R0Os0Y55sOg4981nK
-VsTsUNuc4ap3V8m+3MI3yTXD7nRwZaHw5GTdacGOWAS+7v+dm6z8sqB+fjDsgwED
-3t9b42N4LmMEX5GrmJ0lE/3PqF3emYmJfbkAD6Juf1Y+jBRzEhav24y6p7dBwlPo
-qrntYHRikiOlwMVJQ/qsLsJwz87VhYhslRpmERE/vp44uENGTu/1JomhGKDXpZDL
-P+Q9iuGVAJihFF2AsaOEQxHEKMxY7bOmHjSoiF8bzloi2PHkwF9tZqdfRjoRjLnH
-YEWTuJ1DvzWGskq+oy/3ywzZg3BjO7H5hD38ujdp/xNfsGre9yZYIr8VXXFSyPEe
-XfEqrgjnAeAiAQgXiHOJXQGr/cwRn1wS1bZPJfq4P0ubdymdtkwdTfR189fmfQGD
-AoUXyRdU+Ewg0ne40wON6LQjkAXMw7FPP6jJIC8fLfwhuXw3w1EBqD2p
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIpeL9csmvxjwCAggA
+MBQGCCqGSIb3DQMHBAjpXC1GIppx0gSCAoDrhHT1p1greqAUV6QPgJNPoPkAEXTY
+uslD8u6wtwZTcZBFumAfx1KXwVK/rNAVo74ZrDawvMsUDk+THtNRe8K7LS22NxUj
+VEAfsgvm5XmmT7TQjJQIcJZ6H8bBqSEFW353n4lkKaaIzQezTCsPsFdR4TmTDE6v
+LsqtTCCbe0l58JJhZpALkhFc3Bx/qitwQKHE/YzATAw1bokzq7S/TZFCqm5/Rkj7
+/yA/CpmKwOpD8hY8rgkzAY+AYLjC6/ID2d14xPVi6WMQa1pBufoWXFZcKI5eGzd7
+WgLPiiFhgJTtyucyxUUNJJ0lr0oV/J1LDurG70qcPiomkLFVda0pWW0oDIxDe39b
+nOREDh/uHFhSEvOk+izF8tS641iJWcRrcz6fjHu0Sp8heLGnEz8UpZsZ5aSgtPM8
+3VVRTYVWya/8N5EG0mUXdj1sB1augi0spAd9D1PxiKCE0LR9xZWQOm5ewq/ybUl7
+jWF7DS9pZYiTBhN3lzlmSQlm5RVxlCDwaZjdJwzhJgpg0RQgwQFhln0jYjD4jKKz
+dInjaz7NunXbhlrQQmYte2oWantUKWm5TgR526N5HHsrbbznci0r+Umq7d5PR70P
+xfbE6FFWCxZ1AuYCp4iGoUAr7xUo5SIh26OjnLHytDRPPXFSyZLsupMGfWtiy6Wc
+7cArmFIBeYj/B8IfCobTp+W7O5sAxRW/7UBiK1q2jr8/v3+Y1jSD9JbWRgk97AHw
+xI5v7I1L/1mmAHLuNEopvuyYSy0EdajW3VecoNHhTKyZURxlQ1M3oMGnn5gwRg2g
+YRECXyC/FzyyquWhaIJ2iTgdyBG6wZKVwkMpeP9IdcEi26pRE6vmLeIn
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.dated.resp
index 2d3a92c5e..0490e88db 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.good.resp
index f6f43cf5b..57bca6af0 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.req
index 8897daba2..3a4818c5e 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.req and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.revoked.resp
index ed32fc345..dfa138b8e 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signer.dated.resp b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signer.dated.resp
index edd7b7b08..8d12019c9 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signer.dated.resp and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signer.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signer.good.resp b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signer.good.resp
index fcf145ba2..8cb087fa8 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signer.good.resp and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signer.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signer.revoked.resp b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signer.revoked.resp
index 506d7bb42..a34cdc96f 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signer.revoked.resp and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signer.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signernocert.dated.resp b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signernocert.dated.resp
index bfa8543eb..36aac9603 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signernocert.dated.resp and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signernocert.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signernocert.good.resp b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signernocert.good.resp
index 9a2cdd0c9..ee8fe3bcd 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signernocert.good.resp and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signernocert.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signernocert.revoked.resp b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signernocert.revoked.resp
index a9949f332..44a9709c2 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signernocert.revoked.resp and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.signernocert.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.p12 b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.p12
index a386c0aee..8b22edc22 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.p12 and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.pem b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.pem
index 296dcca3e..a598ab08b 100644
--- a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.pem
+++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.pem
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: expired1.example.net
-    localKeyID: 8C 4C 0B E5 B0 98 94 3A D9 D7 F9 9B 4C 08 90 41 D2 D2 81 BA 
+    localKeyID: F8 8C 05 1E F2 1C 44 26 76 14 77 28 6F 4B C8 10 A6 E5 E1 A0 
 subject=/CN=expired1.example.net
-issuer=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwM1oXDTEyMTIwMTEyMzQwM1owHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
-ZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALam9ms8TMqjajj0f4Lp
-kkzchktMmqxsekP+x7juWbpWHA2jcu5k3FQ8uk6haYR2L5azhTugyvKMmUhs22QM
-xLklebk+vJgsFDYD+Hp1P/KOljuohaIEemNf0S5KochyQnsVaRlYUGjnSnms3BTH
-VoiUsmVgfTx+Uc+nFHyud90VAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG
-A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
-hiFodHRwOi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
-KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLm5ldC8wHwYDVR0R
-BBgwFoIUZXhwaXJlZDEuZXhhbXBsZS5uZXQwDQYJKoZIhvcNAQELBQADgYEAiafH
-LUsttmpVmeexSBZLTDznG7cn+TnqwtXrzcxj0R4n3qwdN/JwySsxTGBtBRWYp2bj
-3GrEMxNZA05KtZ7dWWK2hib/Re8MqDoOEJmpgGxQAZ2i7qJdXGworodKU+dWPKDJ
-URTK97yW4e+l/krzF0ZquGYl9Lv1qeL75xB0FP0=
+MIICjTCCAfagAwIBAgIBZzANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDNaFw0xMjEyMDExMjM0MDNaMB8xHTAbBgNVBAMTFGV4cGlyZWQxLmV4
+YW1wbGUubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6sferp1lp0jW/
+rpTqM3glt5VEOHO3w5a4nvEplLqNbZSUNAqgMhw1nXsYA0xfCeS0zCaEvuK9U58Q
+jxddvQxGEbtF1wFWPHa0P3HuEuZpQxstgr+Dmjh2v2C8cu6gA/8/0AM/JEQ1pPMj
+wXAGaCRtkUhY7RW+X4t9sgjjrH68hwIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5uZXQvMB8G
+A1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1wbGUubmV0MA0GCSqGSIb3DQEBCwUAA4GB
+ACLOp0fuRcZP3yahPxZ0zOX73LmUCS3NAksjvmwBUMR0jvI+454qu9XkxfsKJ8pJ
+4bK+gJinpd2U6j+UXeU46aQ5x1ilJvMBE2EiOINRgQZB+5OC7ihn73uW4B0OLU1V
+DiEUk8LeYjWAks6AnxHJfbihkxoe8+aNdORFiSp3lmNd
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.unlocked.key
index 399877118..5c3ed79d0 100644
--- a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.unlocked.key
+++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.unlocked.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQC2pvZrPEzKo2o49H+C6ZJM3IZLTJqsbHpD/se47lm6VhwNo3Lu
-ZNxUPLpOoWmEdi+Ws4U7oMryjJlIbNtkDMS5JXm5PryYLBQ2A/h6dT/yjpY7qIWi
-BHpjX9EuSqHIckJ7FWkZWFBo50p5rNwUx1aIlLJlYH08flHPpxR8rnfdFQIDAQAB
-AoGAB/2u/8sLf5iiO0c9ZlLBQwe7tvCkGkhWrC+XlJhxg8ytWM6MMAuyByUl3cnM
-wFvBVIa/HNOnaxVKDzPAAJUP2nYCVKUhHT5H1/ifG+sovO7K3KAvUSgthJMFIQwp
-urRAFAI8ItacZh5Gwf6VEIw2Ivpt0/YRBfT8q1wRzLKrVVMCQQDfI47B/sCROF7X
-PDpCVih1o9TYRQnB1n8UXZ91oYUd9/NNjM+qhcj+vvxDoXySWHTRHY2bZyY37qkc
-NNWCttubAkEA0Y0JgZ3Jk89p7LEHdawAkKvXd9vP7HvC1BjbcdGSggs0OfRCv/2r
-QelPlxCyBiieEUBbXdxzhq/ammhmwsBtDwJBANfWzEMoidqu3UZzMqNyNca9R6g+
-95YxRlFL0m/1Yg9ABW/RMhrvOCH6WYeN0DK7L5wLayuUFirqR1hKXvEGsdsCQQC0
-bBWyRxPnMx+FjorYsyataXeUmGr2tzxxd5GB9yqI03K9L2VFfvi0QFipvdM54EDw
-o5PHRecmIUU7ywYnSpzbAkEAvmoueUG/+ZtS0QFzAc5X4qdZBPhHXZqPzG7EodrP
-9JxPzbtd5ydroRoQIEv6t9zlpRVDinMzoeCA6fbFbsrdTw==
+MIICXAIBAAKBgQC6sferp1lp0jW/rpTqM3glt5VEOHO3w5a4nvEplLqNbZSUNAqg
+Mhw1nXsYA0xfCeS0zCaEvuK9U58QjxddvQxGEbtF1wFWPHa0P3HuEuZpQxstgr+D
+mjh2v2C8cu6gA/8/0AM/JEQ1pPMjwXAGaCRtkUhY7RW+X4t9sgjjrH68hwIDAQAB
+AoGAPpJZLPnYuOPQSd8sX9ZCRXnjGEtHVWbDRDtZHpOPdsksTAOpMAm7dKjEUccB
+OLUrJwFpQ4JqogO9wyICNdOfoeWqQijRwwibqpVD9lGgpDz2ERiw/WafF83BhmPz
+IfO7Pk811ZisMjKAW++GOCodnHzk3MzVVkHSWM/dvaHJrokCQQDk8mgCqWF1mOPj
+q3c4HeLKW8ch54/EL7c3F50SPsdQAT2rs7qggBLPoQs1HnZchjIKfXbdjZspcRDf
+tP1uCfP7AkEA0MF0v3h2oaflZXo5BLrSF+RPcbsDJLvnBVy8bwQuusLt3mEnXOBL
+u98desC7FUJihJjpDqH8sKXDhRuHzFDn5QJBALx0dP1L47djJKMxby84Goirx1y3
+OXYqOMwWmep81p+aheMiTIr1IYbbb1hIPPGoXOSZphB1EbWpJlSerMW5V6UCQCaj
+R9qQj1SIYNsRbjBD69LkPRgNxx0rciz55x6dJZEHt0MrtD9qfFn/h9NKjNX4fYeR
+TcGZlc2UQMYIPHBCoUkCQEE6JDrkpyFB8++TEO6fovwL1FYY6cvThB6dfHgsJNng
+zcmVCXyqZsp+UVWeCsn1gTYk58E6ABr9dFfE+kMnYXA=
 -----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/expired1.example.net/key3.db
index e6fdf8d56..5c5a91092 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/key3.db and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/expired2.example.net/ca_chain.pem
index 569dda104..fef1020ef 100644
--- a/test/aux-fixed/exim-ca/example.net/expired2.example.net/ca_chain.pem
+++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/ca_chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.net/CN=clica Signing Cert
-issuer=/O=example.net/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.net/CN=clica Signing Cert rsa
+issuer=/O=example.net/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCsZOv
-pjcv45hvkXmbkZLSoywwX94a3jFC993OxTL8ixpQ0KxY2bc8TLcOTA+p3hH0pi2N
-JwiiWVQjA9HXrf7s/RmytXFZiJ5sE/mtkBNCUjH2uoGz9x1uVuIwq2colRe7JdQ5
-aCnb3D77nFy9bOvE59sljCbjeU2NwI1LIaUgfQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-Xi2XyqKqdhCOdcNmhhaOaPc9M5/W/52Y4y8DNEveJdbn9ZOIjz7w2vnxJ8hhbJHF
-RDGz6jeTnYz7wIYwRxU6y8vUNtXbV+S6RcWL6Symek52O32tj+TTP99lSu/bC2+f
-7cNOqfsUzyMi4EagINLkPFT8p0ozjXeWu7/Cy17K75s=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owNzEUMBIGA1UEChMLZXhhbXBsZS5uZXQxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBALMuDick/uNCkK8zWtdko5eynjJq0y8NVNlhSFkbwfjbxOQycuyMhMlYNnvs
+ESWZTV5ckpsvoDrFQLFk6ZB7RVYHUoOHNfANm8JWC9GR5zqbquibA/MMQ4h2Xlkz
+zQz12AzPpouZUyYs1+SjwlgfBRVhtxApDR2bPEDzI6s9VUdXAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQDCXkPeCURjOJwCBgbLERuNghPiWLqHPopm1idM2A032jDgbRXD9/DP
+1xOPgSLEW59EiJac0RNae0D2KyhnG90NZLccXK0a9Uu1iaAmdcJ7s4a0x0ZH9Kza
+hqz0cr4oStUOHxG/AtPKuhZ9PkZ7GDSPDW0k/z64WYCm1fqSWkbVig==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.net/CN=clica CA
-issuer=/O=example.net/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.net/CN=clica CA rsa
+issuer=/O=example.net/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMTEbMTyGaBnI5WpLVtz
-wWIEzR2lJyq5MHV6t9cIw/M1VFc0a9Woq8IeEyEmlycNe1/HgJfr7jq2JCtFu4VZ
-ZFMJW6bD7KiUGp2DwPEeC5yN1q7T4Yuho8kIdzpRTYnWo4RgPhl7wxSYoier+8/V
-1Zy3PrsciWI7Avp2Uq8iNGl/AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBADczofjhb+kWLvYcdK+w
-jEMvqwiEsm947WXuWYtg0Wi2IWhyZId9KfVJtHs7b/720WX2VeewkafuV+QfwE5c
-/Q7N8M1tnFbKT/2Af7o3MVxDH9cYXPTYWgM5i0Yv5k73VBZ/dhT5HSj1Ri1sxv3C
-vAJ2oHvLkS1MOpYEUICjB6xe
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owLTEUMBIGA1UEChMLZXhhbXBsZS5uZXQxFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3kwC9CHz
+JH7sEDkHMdZRq8+XpV7l/hEqfv2gPvT3mak46dWrI/T3pJOqyNvUZV/LJ/gx/0uw
+9pmCg6Y5zNCN0qAGY4rSS/sbEOLYIw5wJbFnYfHtTwe3ZAdG+5WqKMBF2lHNBM3b
+PUB/kweoLhNLwserKHwMDC3sksfrwH29rpMCAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAzXt6KHIB
+qOJfZECgwhAWipxVR0BXek0hAfyTWl7q18+mWKYydQW0Z2VMN4Bq/ZUlOg+EM8NU
+1n9PJ4+I2QgAwVVXN4+cz7zgZ6XRZc1OkE98NyK504bVpJpan1gsx3I5GLJUgP2t
+B/WwqoFO+ANhT2margZSM6avJfaIh8gEass=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/expired2.example.net/cert8.db
index be6560fc6..065d431b1 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/cert8.db and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.chain.pem
index 2ae07e26d..5247d5038 100644
--- a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.chain.pem
+++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
     friendlyName: expired2.example.net
-    localKeyID: 09 05 6A 30 14 31 F8 40 DC EA 06 CA 52 BE 1D 22 3B DE D2 C6 
+    localKeyID: C6 68 7F 28 99 08 18 A8 DF E7 DA 8E D1 60 FC 31 84 CE 22 4B 
 subject=/CN=expired2.example.net
-issuer=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhh
-bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDRaFw0xMjEyMDExMjM0MDRaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
-bGUubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzNkxwec9ojJFsCyEr
-TAgCTdOF6iJTzJkyvZVJvhVoa9JRjlNL9tKmQl0TEI1iINQ46uhnQ8xtRuqgZyTa
-RgIsYMWT1o0PtFD0dDXpI3NkmWgkVMTmI+mBfS4DDBd5zG4r1qW2ZkWriGPd/Be7
-kjsIXvKfhzJT/X4Q3vnmgD2SLQIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5uZXQvMB8GA1Ud
-EQQYMBaCFGV4cGlyZWQyLmV4YW1wbGUubmV0MA0GCSqGSIb3DQEBCwUAA4GBAKli
-I2LORJdRj6SUnyA5wnuIIJ8hmCur9T+IfclLrsUOFixrGd7GYkOKkQgulErZth4e
-cz2IQvc4dsR/moJxiVJvcgRJ+bPSI+K1jTVuZo3RY7N+kAMcWmiWNWlvfx5sQy91
-jkCpTUy+4I2Uj3iRxuQK6iGKyx2t7RH495VfXn5J
+MIICjjCCAfegAwIBAgICAMswDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIx
+MTAxMTIzNDA0WhcNMTIxMjAxMTIzNDA0WjAfMR0wGwYDVQQDExRleHBpcmVkMi5l
+eGFtcGxlLm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlZdym0qw/GF7
+n4Vq0Mp/Mg+/OLcbQUczPFRqxebHkZMMYgFYg6GttP8NoAFdnQhfNeNKSE7cuNKa
+jvUw9H5kEkjsrxHmciNcjM18slFm0VoJRhNs9wJSyB47e0gJnC0FM7txUq+UdiLS
+R5PF8xU1OTymmgP+6Itd9f8kx85ipRsCAwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUubmV0LzAf
+BgNVHREEGDAWghRleHBpcmVkMi5leGFtcGxlLm5ldDANBgkqhkiG9w0BAQsFAAOB
+gQCpO1ztM/B+QWkJWCTaFrBLOJ44ZQEN0jhKb0JVZ9wlW3T6d9cN6a58ptjBvsc3
+EmbB1iBaKGLiPRlZKzfiPBMN6djS1/VGDxXiwiTklI41Atd4p7mnoWA5fRp+b4pN
+dgj+FC2LTfl0s03MMe1xhO8kAL1lU7ueJDkHhicOsHkEjg==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCsZOv
-pjcv45hvkXmbkZLSoywwX94a3jFC993OxTL8ixpQ0KxY2bc8TLcOTA+p3hH0pi2N
-JwiiWVQjA9HXrf7s/RmytXFZiJ5sE/mtkBNCUjH2uoGz9x1uVuIwq2colRe7JdQ5
-aCnb3D77nFy9bOvE59sljCbjeU2NwI1LIaUgfQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-Xi2XyqKqdhCOdcNmhhaOaPc9M5/W/52Y4y8DNEveJdbn9ZOIjz7w2vnxJ8hhbJHF
-RDGz6jeTnYz7wIYwRxU6y8vUNtXbV+S6RcWL6Symek52O32tj+TTP99lSu/bC2+f
-7cNOqfsUzyMi4EagINLkPFT8p0ozjXeWu7/Cy17K75s=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owNzEUMBIGA1UEChMLZXhhbXBsZS5uZXQxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBALMuDick/uNCkK8zWtdko5eynjJq0y8NVNlhSFkbwfjbxOQycuyMhMlYNnvs
+ESWZTV5ckpsvoDrFQLFk6ZB7RVYHUoOHNfANm8JWC9GR5zqbquibA/MMQ4h2Xlkz
+zQz12AzPpouZUyYs1+SjwlgfBRVhtxApDR2bPEDzI6s9VUdXAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQDCXkPeCURjOJwCBgbLERuNghPiWLqHPopm1idM2A032jDgbRXD9/DP
+1xOPgSLEW59EiJac0RNae0D2KyhnG90NZLccXK0a9Uu1iaAmdcJ7s4a0x0ZH9Kza
+hqz0cr4oStUOHxG/AtPKuhZ9PkZ7GDSPDW0k/z64WYCm1fqSWkbVig==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.key b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.key
index 3e122f97c..bda73e53b 100644
--- a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.key
+++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.key
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: expired2.example.net
-    localKeyID: 09 05 6A 30 14 31 F8 40 DC EA 06 CA 52 BE 1D 22 3B DE D2 C6 
+    localKeyID: C6 68 7F 28 99 08 18 A8 DF E7 DA 8E D1 60 FC 31 84 CE 22 4B 
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIX/6iAvJ+djQCAggA
-MBQGCCqGSIb3DQMHBAgCbjjMCQenvQSCAoBe+ruh68oZ5C59n0MZioRk71eDPokd
-vVl9WuJ5jC7h3Zo7ELDl0GRGUxunULkGPsUyj6za/64OALKIcrLbdWnqfVjssF60
-l8TansAcp0ZwWcK1BGSXopYFNSUdrZtW0l9NSLp/rBvtvVeT74LzZ3GY0QN/IA/o
-9ZcmYM11XKJU8dCTJ6AZ7xnBDnJWDrsG3imcBdWDKLORhBrRYyCDgUVwc5nT24gS
-uOhUV8PzsClUglGVSeXbnUDJRwETG/IraToPjxUi/YS/MJVXecHCeR0kDRb4dvMU
-BOQ1Gn7bbKpIfaCJgLBiCGzBm6AIJ0NTQnhovBm9N6w22DssGZ18P5EjDj0ppat+
-42YMgH6CJE6RPT4CU1NvIthe8mhYJVVzXEStFSStF2igxcj+4pTdx5+mz8EnzFch
-M99vzblIivfh2CnR0DJceQf+G1WFwMqu2on3VEqYEyKYlFTkan8QkbCz21eI4UsV
-IVqlLurlGbIoDYK9ttBN8YrKFVemoE1lrZVQj2aPHIoZCZ2QQxrQYxv9B/BnnUOF
-3IUMGgzdzvs1VwH2SBLHIZtb+8LrPkNb0gtEPuHJKA8yZUobARVWaeaOXaxz4BM9
-RUGM2AyFnhIhfrZjinT3RShVjCkVTTng3JaJDcqgmHIeLGR/J5ZRO/bTyXMHFAly
-ib7QjkgnxAo+Bv+UHO9rCBp8vVKg1Digq4PnNVosYRMOz8Ew9U4/gnbAK2qkrY8h
-yqSAc15kgEU3ezSkZnsKqoqXMA6CfmtXAUNWnPXsdCDfcFdr6+BlP+uT1n4Agacv
-inqxUoOHAn/nw4NQmdwAzpDtIlFCJjT18uTVhDknDRF1UACzR1tsCA3g
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIFKoStEDfs1gCAggA
+MBQGCCqGSIb3DQMHBAhNSq4RJSvU7wSCAoDRULMeVsx9fTuxmEvZaNIfTD8l5Osn
+ce+LR14anKy91ou8mY4JhngN48E5WGhxo2Uq3rxvyVAoqxb7mDoqTJvjUWpAR0Aw
+f3hAMmfXEwGyvm0ABbmAOnmkNT86djmKPfpwE/oKo1fVr+3Hl9SRkxPtVxVUj1Ue
+Ql2KhU44Abq8G2ExY909HZXrPo9Za2YOBtrDesmdfJkxKurd3F/1+UdfTSUAOOQH
+C9wst1SO5xdyCdx3w3PvDrzcLWeR8c1bva3HQopgnJdWUxlnU0G2dxj6sYfJrc6D
+tdr58jDzfqNRrDsVGw/nFXulSp1SmMDyhnjW7oROah5l26Uvsw9btOhZjmwdbTz4
+rzdz3eGk5hAV7mezZrIbFF8JdEzmIb5guDD5IOIzEEP/jP9hxe1ZvveV1a1s0jPy
+18CHn435wFilRLUdQT5U9x6vuy/hsp7CrSyFPZ9lD6dUpe5SZz1omvXPEy8lky6T
+bXGN5Ug1R+u4BQHzXO4uj1xnF+BKSUJCW9HdUzG4ASLeR+ZUhg65l1LCG++/2ZD1
+HjGU+mSmJ6ob8X9//W3cTyHPMLrTgtfrrTnPCVAwdLyW4oMdVnonIZlpysRA8tmK
+ATp2I1QiXrCGkgJeDFT3hQ0Is6Em+TNzWQrNsEak4qAtRcpvoW+zE9mUW7a3zCXn
+nXg9kfBYvY5GmpPpWkTPLqSUeHqoKnEg9361PZ4Zwpxa5eX79jLqHMDzrWdmbkG2
+6//wNVND0+eMhznyB2RRr9uUjEGmlU3piVmASvJ1Ahe88zIi/9VDl4/FGJFzUHoh
+OpIphHp1w9rkvgBtOa9rEObGL6KEbd+jgaWrt1evMiq5mnGJaApjiqul
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.dated.resp
index af61419ee..6d478aac1 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.good.resp
index af3e08231..fa196e54e 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.req
index 32e07d186..1ef5e1e01 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.req and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.revoked.resp
index af3e08231..fa196e54e 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signer.dated.resp b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signer.dated.resp
index 847c9cca4..21001bfa1 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signer.dated.resp and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signer.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signer.good.resp b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signer.good.resp
index fa2dfdbf1..c7b3e820e 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signer.good.resp and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signer.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signer.revoked.resp b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signer.revoked.resp
index fa2dfdbf1..c7b3e820e 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signer.revoked.resp and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signer.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signernocert.dated.resp b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signernocert.dated.resp
index e7ae2b9d0..6f4b6027c 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signernocert.dated.resp and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signernocert.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signernocert.good.resp b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signernocert.good.resp
index 37eca0e41..1708125dc 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signernocert.good.resp and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signernocert.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signernocert.revoked.resp b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signernocert.revoked.resp
index 37eca0e41..1708125dc 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signernocert.revoked.resp and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.signernocert.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.p12 b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.p12
index 0cdde0250..c38a9af5a 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.p12 and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.pem b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.pem
index ee3b22499..eb4f41bd2 100644
--- a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.pem
+++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.pem
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: expired2.example.net
-    localKeyID: 09 05 6A 30 14 31 F8 40 DC EA 06 CA 52 BE 1D 22 3B DE D2 C6 
+    localKeyID: C6 68 7F 28 99 08 18 A8 DF E7 DA 8E D1 60 FC 31 84 CE 22 4B 
 subject=/CN=expired2.example.net
-issuer=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhh
-bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDRaFw0xMjEyMDExMjM0MDRaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
-bGUubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzNkxwec9ojJFsCyEr
-TAgCTdOF6iJTzJkyvZVJvhVoa9JRjlNL9tKmQl0TEI1iINQ46uhnQ8xtRuqgZyTa
-RgIsYMWT1o0PtFD0dDXpI3NkmWgkVMTmI+mBfS4DDBd5zG4r1qW2ZkWriGPd/Be7
-kjsIXvKfhzJT/X4Q3vnmgD2SLQIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5uZXQvMB8GA1Ud
-EQQYMBaCFGV4cGlyZWQyLmV4YW1wbGUubmV0MA0GCSqGSIb3DQEBCwUAA4GBAKli
-I2LORJdRj6SUnyA5wnuIIJ8hmCur9T+IfclLrsUOFixrGd7GYkOKkQgulErZth4e
-cz2IQvc4dsR/moJxiVJvcgRJ+bPSI+K1jTVuZo3RY7N+kAMcWmiWNWlvfx5sQy91
-jkCpTUy+4I2Uj3iRxuQK6iGKyx2t7RH495VfXn5J
+MIICjjCCAfegAwIBAgICAMswDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIx
+MTAxMTIzNDA0WhcNMTIxMjAxMTIzNDA0WjAfMR0wGwYDVQQDExRleHBpcmVkMi5l
+eGFtcGxlLm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlZdym0qw/GF7
+n4Vq0Mp/Mg+/OLcbQUczPFRqxebHkZMMYgFYg6GttP8NoAFdnQhfNeNKSE7cuNKa
+jvUw9H5kEkjsrxHmciNcjM18slFm0VoJRhNs9wJSyB47e0gJnC0FM7txUq+UdiLS
+R5PF8xU1OTymmgP+6Itd9f8kx85ipRsCAwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUubmV0LzAf
+BgNVHREEGDAWghRleHBpcmVkMi5leGFtcGxlLm5ldDANBgkqhkiG9w0BAQsFAAOB
+gQCpO1ztM/B+QWkJWCTaFrBLOJ44ZQEN0jhKb0JVZ9wlW3T6d9cN6a58ptjBvsc3
+EmbB1iBaKGLiPRlZKzfiPBMN6djS1/VGDxXiwiTklI41Atd4p7mnoWA5fRp+b4pN
+dgj+FC2LTfl0s03MMe1xhO8kAL1lU7ueJDkHhicOsHkEjg==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.unlocked.key
index e6d853e8b..89d27555a 100644
--- a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.unlocked.key
+++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.unlocked.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQCzNkxwec9ojJFsCyErTAgCTdOF6iJTzJkyvZVJvhVoa9JRjlNL
-9tKmQl0TEI1iINQ46uhnQ8xtRuqgZyTaRgIsYMWT1o0PtFD0dDXpI3NkmWgkVMTm
-I+mBfS4DDBd5zG4r1qW2ZkWriGPd/Be7kjsIXvKfhzJT/X4Q3vnmgD2SLQIDAQAB
-AoGAImNPbJ+7EE001F4YWcYHnWWQqpggSSMv3GArhtBuLDDQVSzxx9hPWG7QjEl3
-T7aL8nYE7VfBoNBkUi4okKexX79JJM2+05EdYXIm3aYjA+lwgESIFFNr/TxFHC+E
-jFCRmhddUYPmUf5lbs+6ICvPyKTVmShfLb8R+j6gKeXcljMCQQDiMelc2eBM6waF
-3MVemNAqiPpgntpOKJPuHpSnugGDHMYO1Al+mmMLy9ru8G2htOy/RCzdGefhK9Yv
-N2pSEMbvAkEAytOLZHcDeX8j8AgPydkfkHE4sQjY0fiSHBY7O3FU4hQzeALXEfQ5
-f99uLVRBP4pndiXsbkJa/DvkIvEU9Z+YowJAcJeDn9JcEi2TC6L/I71RMTsJ1np8
-FBeiuw7B1FOEWS1DcTIen8RdtQt+KR3IlIuopPRcmJpCkBTwAoTFCaCMRQJBAL3w
-f2A05+cWflQhaI+xKhL9RIbdbxaq/kEZPJz9E+2n108y8a+Zk2NBnI8MkRHtDdih
-yRi0QTpm580lEWi37ZsCQQCki1fxtuErImwvdQhnuGyZWu/2v0AhRlr3w3QLgs8Q
-Gcwpvv56og8XdKqJ+ZHjuxfbnV2X9rXJ12ywNaQtxZ5I
+MIICXAIBAAKBgQCVl3KbSrD8YXufhWrQyn8yD784txtBRzM8VGrF5seRkwxiAViD
+oa20/w2gAV2dCF8140pITty40pqO9TD0fmQSSOyvEeZyI1yMzXyyUWbRWglGE2z3
+AlLIHjt7SAmcLQUzu3FSr5R2ItJHk8XzFTU5PKaaA/7oi131/yTHzmKlGwIDAQAB
+AoGABUU5t3jxNWMl3N/xfHu18YiWfyQMZMdiaby7qk9QNrPMmuNbQAABQ8A8tad2
+qeKyoA5q/pMwuZ5J7cF7wRF26xQ2WlladjWLSPgCYn1fHJTj7jtfYHeKMMmdbtOw
+ZBrBDQ4b2GvMGP59LHjuO4Ud5DTy3sopCQY5a1oYxiZTeSECQQDF1V3CUPHVTTy7
+I5fY+Rt1HL4fG5CkV3N5jkRAWnmElpstFF9KooWG7LZJBnU0v6R8Kw3fQp+kRsmh
+RFBYXFprAkEAwZL8o2xOTTqbNZDQ4SJvRP3sl1dLNozBpol3NeSZDTIxUWU1EbwU
+d0p2yElA+FyZbRl0vxYuJ3UESQTqbDLsEQJAUL4wsipPSXtomgiA5TFmn3nHrvKV
+Kj33B1mlSY6johXF57Q04EVMsjDShSN5mrnM7FC2LLUIawfpK0Sydh3bWQJBALpf
+hgTmk2FCCwwA2UvZ9p3LiY6RCqaD0TNB6VgnN8D/0YIX2oevuVi9hi4CcZ5usX3c
+Y45Tka6FuNGA/R+dy7ECQGYdoHCbptExaOs/ET7qwI6nHXkmbk8HcTrlKtFm39xd
++3MDN12RJLmWDpt2OS4mEzQiH7Cn70IbuBzKsObklNY=
 -----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/expired2.example.net/key3.db
index f0d8d1904..9447851c0 100644
Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/key3.db and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/ca_chain.pem
index 569dda104..fef1020ef 100644
--- a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/ca_chain.pem
+++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/ca_chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.net/CN=clica Signing Cert
-issuer=/O=example.net/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.net/CN=clica Signing Cert rsa
+issuer=/O=example.net/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCsZOv
-pjcv45hvkXmbkZLSoywwX94a3jFC993OxTL8ixpQ0KxY2bc8TLcOTA+p3hH0pi2N
-JwiiWVQjA9HXrf7s/RmytXFZiJ5sE/mtkBNCUjH2uoGz9x1uVuIwq2colRe7JdQ5
-aCnb3D77nFy9bOvE59sljCbjeU2NwI1LIaUgfQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-Xi2XyqKqdhCOdcNmhhaOaPc9M5/W/52Y4y8DNEveJdbn9ZOIjz7w2vnxJ8hhbJHF
-RDGz6jeTnYz7wIYwRxU6y8vUNtXbV+S6RcWL6Symek52O32tj+TTP99lSu/bC2+f
-7cNOqfsUzyMi4EagINLkPFT8p0ozjXeWu7/Cy17K75s=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owNzEUMBIGA1UEChMLZXhhbXBsZS5uZXQxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBALMuDick/uNCkK8zWtdko5eynjJq0y8NVNlhSFkbwfjbxOQycuyMhMlYNnvs
+ESWZTV5ckpsvoDrFQLFk6ZB7RVYHUoOHNfANm8JWC9GR5zqbquibA/MMQ4h2Xlkz
+zQz12AzPpouZUyYs1+SjwlgfBRVhtxApDR2bPEDzI6s9VUdXAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQDCXkPeCURjOJwCBgbLERuNghPiWLqHPopm1idM2A032jDgbRXD9/DP
+1xOPgSLEW59EiJac0RNae0D2KyhnG90NZLccXK0a9Uu1iaAmdcJ7s4a0x0ZH9Kza
+hqz0cr4oStUOHxG/AtPKuhZ9PkZ7GDSPDW0k/z64WYCm1fqSWkbVig==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.net/CN=clica CA
-issuer=/O=example.net/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.net/CN=clica CA rsa
+issuer=/O=example.net/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMTEbMTyGaBnI5WpLVtz
-wWIEzR2lJyq5MHV6t9cIw/M1VFc0a9Woq8IeEyEmlycNe1/HgJfr7jq2JCtFu4VZ
-ZFMJW6bD7KiUGp2DwPEeC5yN1q7T4Yuho8kIdzpRTYnWo4RgPhl7wxSYoier+8/V
-1Zy3PrsciWI7Avp2Uq8iNGl/AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBADczofjhb+kWLvYcdK+w
-jEMvqwiEsm947WXuWYtg0Wi2IWhyZId9KfVJtHs7b/720WX2VeewkafuV+QfwE5c
-/Q7N8M1tnFbKT/2Af7o3MVxDH9cYXPTYWgM5i0Yv5k73VBZ/dhT5HSj1Ri1sxv3C
-vAJ2oHvLkS1MOpYEUICjB6xe
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owLTEUMBIGA1UEChMLZXhhbXBsZS5uZXQxFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3kwC9CHz
+JH7sEDkHMdZRq8+XpV7l/hEqfv2gPvT3mak46dWrI/T3pJOqyNvUZV/LJ/gx/0uw
+9pmCg6Y5zNCN0qAGY4rSS/sbEOLYIw5wJbFnYfHtTwe3ZAdG+5WqKMBF2lHNBM3b
+PUB/kweoLhNLwserKHwMDC3sksfrwH29rpMCAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAzXt6KHIB
+qOJfZECgwhAWipxVR0BXek0hAfyTWl7q18+mWKYydQW0Z2VMN4Bq/ZUlOg+EM8NU
+1n9PJ4+I2QgAwVVXN4+cz7zgZ6XRZc1OkE98NyK504bVpJpan1gsx3I5GLJUgP2t
+B/WwqoFO+ANhT2margZSM6avJfaIh8gEass=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/cert8.db
index 9aec4e267..b5a81a847 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/cert8.db and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/key3.db
index 5bb055ca6..e6ebd8e85 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/key3.db and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.chain.pem
index cd6af40b2..4e5064d0f 100644
--- a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.chain.pem
+++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
     friendlyName: revoked1.example.net
-    localKeyID: B9 50 B8 D8 AC F9 E3 3F F6 C9 39 EF D2 03 54 FF 4C B7 04 F0 
+    localKeyID: 57 06 4E 14 FC DC 71 C6 63 79 23 6B 37 E6 62 C4 FC DE 8A 12 
 subject=/CN=revoked1.example.net
-issuer=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwM1oXDTM3MTIwMTEyMzQwM1owHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
-ZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOrqKjZH8h3OBLrGB30b
-KJNKeJq0+93l6ojTCdaCRY9/LaTrHMcz0b9STUJr40NtD8rrfrqHT+u8LyiBFGPP
-WXtau5oPn0nwfPCwnMCqRL0JHP8rcNjkJ2IrVMUaxf7ESt37gP9HtY107W/M65qM
-I4L8fQKSFAOE9S3mDOr5LwGrAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG
-A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
-hiFodHRwOi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
-KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLm5ldC8wHwYDVR0R
-BBgwFoIUcmV2b2tlZDEuZXhhbXBsZS5uZXQwDQYJKoZIhvcNAQELBQADgYEApfi5
-vZVllEdnt9Ak/2SGu7jNuKWegXJaO9L04B3Bjdr+KMM2lRUSEkWGHg/KIdIPsOC2
-rH0ThzwFBq628WXf+1eD2KdSMK2YMrAWXV9Xt+rIjz/NT8mvjsl0dKU13gwnptqs
-cgOCEUY8hm0LET0p/0NmyRwKqZsvqDgoNEnHzuw=
+MIICjTCCAfagAwIBAgIBZjANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDNaFw0zNzEyMDExMjM0MDNaMB8xHTAbBgNVBAMTFHJldm9rZWQxLmV4
+YW1wbGUubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQClVUp0vfMtcek7
+PsuUAGg48vVKkml3MA71SPxgfjTb3RZFrIaezkF4AJBeT3l4VHNMU7tDqSnvqOgT
+CH2+32Ezjqbod5KtRMLstKUk1h9YZyWZTvqGTHXb+uVzRe8TQZTs8XIcNdPjTXTe
+g0Pd4tQzioM7+Outj0M3V+dK+BYh8QIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5uZXQvMB8G
+A1UdEQQYMBaCFHJldm9rZWQxLmV4YW1wbGUubmV0MA0GCSqGSIb3DQEBCwUAA4GB
+AH9kBPA4F7u2PcjLNm+AYRWQv2bnOBLmrL/qBpfwFxJ0Ptt/bkPW8TpvQJwjxc+o
+gnCwZVL5RIUr+Q6UFar1UKPC+fPC0m5BuXDZNTXShlQdUrNoIvvqNjvBNFiKJVLj
+bALzz44mI44mpEAJiuiQcDdVFcD7s3o0knDxvy8ReBCr
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCsZOv
-pjcv45hvkXmbkZLSoywwX94a3jFC993OxTL8ixpQ0KxY2bc8TLcOTA+p3hH0pi2N
-JwiiWVQjA9HXrf7s/RmytXFZiJ5sE/mtkBNCUjH2uoGz9x1uVuIwq2colRe7JdQ5
-aCnb3D77nFy9bOvE59sljCbjeU2NwI1LIaUgfQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-Xi2XyqKqdhCOdcNmhhaOaPc9M5/W/52Y4y8DNEveJdbn9ZOIjz7w2vnxJ8hhbJHF
-RDGz6jeTnYz7wIYwRxU6y8vUNtXbV+S6RcWL6Symek52O32tj+TTP99lSu/bC2+f
-7cNOqfsUzyMi4EagINLkPFT8p0ozjXeWu7/Cy17K75s=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owNzEUMBIGA1UEChMLZXhhbXBsZS5uZXQxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBALMuDick/uNCkK8zWtdko5eynjJq0y8NVNlhSFkbwfjbxOQycuyMhMlYNnvs
+ESWZTV5ckpsvoDrFQLFk6ZB7RVYHUoOHNfANm8JWC9GR5zqbquibA/MMQ4h2Xlkz
+zQz12AzPpouZUyYs1+SjwlgfBRVhtxApDR2bPEDzI6s9VUdXAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQDCXkPeCURjOJwCBgbLERuNghPiWLqHPopm1idM2A032jDgbRXD9/DP
+1xOPgSLEW59EiJac0RNae0D2KyhnG90NZLccXK0a9Uu1iaAmdcJ7s4a0x0ZH9Kza
+hqz0cr4oStUOHxG/AtPKuhZ9PkZ7GDSPDW0k/z64WYCm1fqSWkbVig==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.key b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.key
index d941be809..c67310cb7 100644
--- a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.key
+++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.key
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: revoked1.example.net
-    localKeyID: B9 50 B8 D8 AC F9 E3 3F F6 C9 39 EF D2 03 54 FF 4C B7 04 F0 
+    localKeyID: 57 06 4E 14 FC DC 71 C6 63 79 23 6B 37 E6 62 C4 FC DE 8A 12 
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIWBK2hryEVlACAggA
-MBQGCCqGSIb3DQMHBAh9wEe6UUaoqgSCAoA7ZNT4mYD7fU9qRc7DECUXO5q+VmFm
-H3rmQOV0npaSJb9EVF1/ZCayzYpCAV7n0rXkXdnDY/j/jACCMa/EXnRAp5v0z1nC
-U3q48FwjBXyJpUiZsxq8py+8XdQrILFxNO6gELahmMU11ZC5Car1UunWYTZfVr+7
-MpP3PE9KqqTrrIWlUDj7b3UuMIvX04pq++4R01/ctA/SltzsjH0Rv1bbuvoLdTrZ
-MhBMLZG54Y8W1a+VaDdXsatiZn0TxZ6hCg3LszJ7eh0/xasXPfjfmqT3wnS6lzSE
-nsSYJM2jgcKQi/WCHqXIMl2ZQvvVTmja/0P5IZ94EFMzyItP4DPZY5pWv1wAk6wZ
-DTQTrxsBbZF8DuO+yTA/3iPTMHzYdsqLyZMTg5mEdE8dIEJu5B3Fx7bNRgvAcSU6
-GRnNdFaXKfb/LmZu0KDBpHF+BCqMRAFXqSsijwyvwy1Jt23QLFQUajZM7yms8rX1
-ev6tlSpSVxhlUnwEuCVNgbact8YfFSEeAv3hmFPTt8h3VmNp06Y2C/U8hBNJm+SR
-b4H6RdUFq6i50ygd52HEO5NCwQuDsQMLLysDau7plUOdwql8NO1ji0PzLYIbBowZ
-WhibSjWx6bKpmwNS+Dh//BY3XosvCNCHRRm+QnDqnK2IIFfPGuabw2YlmVTqSY0V
-ooOq3iaKuhuREakZ6XaW2l/bQel//9uVkb5aqo8/8Zg56xEfIVg+6XNiG+zIBtj6
-en0y6/fWLT9zonam2V8h7FUdsIGLsHMoGoWaW7ItZqrJF7Z9esgz4lU7gOtWl7YG
-Wd2KhJfciJcemystNsUxB5opNg37Xz54bwUcAKvceCmSaq9ZzAkklhFa
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIf9OSVB86sHICAggA
+MBQGCCqGSIb3DQMHBAiqIV68HjGNLwSCAoAdEXi9V8dcsC6EEfsQYOTicEAzPxhv
+lGIqP+vwr9q2By1bV/L4gZEHX7ok+ZVTaf5YsRQONNhxaiZzoKoyb3cfWMg9kaH/
+jOctkpCHzt5g6denofUtx2Qir9ktmu1bIy015yT2kNdEBR8RIgyWkYkbcuPqnfJU
+4g9c0t7Pa6yBkSau8ilLd+USV/BRLW9f2HxMtWmZTNWcK3mpsALamp7Wabka/S0G
+fhJawgdhqvDQXd/f5byKykQ7lqTR1s33eipa1EOEFmwDePHzS5SDnZ5wze+FfOsF
+9SZSdUjuRv85hV0jJg1XgeoV0Ax8Fo+35xRvIEQswkzV08/9i4A3cHskaya7jMGX
+l9bs+/rZWHsbIIp5SFrFIqbIvWreebH2rmgyKjk94GbioiijnY8xRHE98wG4lGB4
+51NPMKmnM1D+wXsqDgR5tkz9/U1V5bX7VvDr+4mfm9X9YbUiUy9VBfWa88bqou3T
+cRtPyEX7gx6dtgsAl4QUCycdsPpG+PjbtRwZq2Ox0MxS4bsmYpvowWCk+cZNzsXq
+FdSqiqG661AzEVqUlgU1MuPH10HCpy1mTICr638Gq7pQrHhR475QowZ+yvxL+VdU
+FuC3s+7RBebWzyswuALv5zOC41TqynAFVnoV8yKxFutdvi9DlvScyXKZ+0wb2hJe
+Je1GXLsGqZ1ArPrLtxrcA7MuSfM+IVHO3jL0qCOM76IV8Mbm874ubkyTnIL6FPon
+4G5ZZ10KAwRolBTrPwbyC058s+XxyumGLVgZ0FfVqF1MIU7G8hgreQ4vyXsiOT5p
+bkv01MyCdnUZQO4XlT2lndRnL9xrQIIsjLZYHjDkkmXmO6sVBu2bWiMT
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.dated.resp
index 7165ae429..df02cbb38 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.good.resp
index a5e322a6c..7d9b8a383 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.req
index 48faff2e9..0fdc79a07 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.req and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.revoked.resp
index f62b91fb8..ae516388e 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signer.dated.resp b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signer.dated.resp
index d3829c6f2..ef8dd3045 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signer.dated.resp and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signer.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signer.good.resp b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signer.good.resp
index 0d5b4ec42..af17e90e3 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signer.good.resp and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signer.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signer.revoked.resp b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signer.revoked.resp
index 4c36df01c..0f88626f6 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signer.revoked.resp and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signer.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signernocert.dated.resp b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signernocert.dated.resp
index 22fbeeb2f..2e5c57439 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signernocert.dated.resp and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signernocert.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signernocert.good.resp b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signernocert.good.resp
index e43caebb2..7fd640deb 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signernocert.good.resp and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signernocert.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signernocert.revoked.resp b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signernocert.revoked.resp
index 799cd4503..2aa919492 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signernocert.revoked.resp and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.signernocert.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.p12 b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.p12
index a077b23f1..86bcddae0 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.p12 and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.pem b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.pem
index 64fb3709d..f938b6878 100644
--- a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.pem
+++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.pem
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: revoked1.example.net
-    localKeyID: B9 50 B8 D8 AC F9 E3 3F F6 C9 39 EF D2 03 54 FF 4C B7 04 F0 
+    localKeyID: 57 06 4E 14 FC DC 71 C6 63 79 23 6B 37 E6 62 C4 FC DE 8A 12 
 subject=/CN=revoked1.example.net
-issuer=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwM1oXDTM3MTIwMTEyMzQwM1owHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
-ZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOrqKjZH8h3OBLrGB30b
-KJNKeJq0+93l6ojTCdaCRY9/LaTrHMcz0b9STUJr40NtD8rrfrqHT+u8LyiBFGPP
-WXtau5oPn0nwfPCwnMCqRL0JHP8rcNjkJ2IrVMUaxf7ESt37gP9HtY107W/M65qM
-I4L8fQKSFAOE9S3mDOr5LwGrAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG
-A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
-hiFodHRwOi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
-KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLm5ldC8wHwYDVR0R
-BBgwFoIUcmV2b2tlZDEuZXhhbXBsZS5uZXQwDQYJKoZIhvcNAQELBQADgYEApfi5
-vZVllEdnt9Ak/2SGu7jNuKWegXJaO9L04B3Bjdr+KMM2lRUSEkWGHg/KIdIPsOC2
-rH0ThzwFBq628WXf+1eD2KdSMK2YMrAWXV9Xt+rIjz/NT8mvjsl0dKU13gwnptqs
-cgOCEUY8hm0LET0p/0NmyRwKqZsvqDgoNEnHzuw=
+MIICjTCCAfagAwIBAgIBZjANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDNaFw0zNzEyMDExMjM0MDNaMB8xHTAbBgNVBAMTFHJldm9rZWQxLmV4
+YW1wbGUubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQClVUp0vfMtcek7
+PsuUAGg48vVKkml3MA71SPxgfjTb3RZFrIaezkF4AJBeT3l4VHNMU7tDqSnvqOgT
+CH2+32Ezjqbod5KtRMLstKUk1h9YZyWZTvqGTHXb+uVzRe8TQZTs8XIcNdPjTXTe
+g0Pd4tQzioM7+Outj0M3V+dK+BYh8QIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5uZXQvMB8G
+A1UdEQQYMBaCFHJldm9rZWQxLmV4YW1wbGUubmV0MA0GCSqGSIb3DQEBCwUAA4GB
+AH9kBPA4F7u2PcjLNm+AYRWQv2bnOBLmrL/qBpfwFxJ0Ptt/bkPW8TpvQJwjxc+o
+gnCwZVL5RIUr+Q6UFar1UKPC+fPC0m5BuXDZNTXShlQdUrNoIvvqNjvBNFiKJVLj
+bALzz44mI44mpEAJiuiQcDdVFcD7s3o0knDxvy8ReBCr
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.unlocked.key
index 58cae2c9d..fee960ce4 100644
--- a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.unlocked.key
+++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.unlocked.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDq6io2R/IdzgS6xgd9GyiTSniatPvd5eqI0wnWgkWPfy2k6xzH
-M9G/Uk1Ca+NDbQ/K6366h0/rvC8ogRRjz1l7WruaD59J8HzwsJzAqkS9CRz/K3DY
-5CdiK1TFGsX+xErd+4D/R7WNdO1vzOuajCOC/H0CkhQDhPUt5gzq+S8BqwIDAQAB
-AoGAFLdNVt4Y9t6zjt9ml6mTQwuLmTEIQqhDR4k80kLiUxltcznpa5O64nryjAuR
-muEwrFdm8WVI+5cfA+mZXIS59W1pXGeJ7+plhLEan97ja6bQKHUAzfJoF/iN3B0y
-oSC7DpO5jcI4s/iF4BgHFk6/CRGKqnmvHe3F+69IaRoeVKkCQQD1s4zslyBoCrvH
-2dESoKGRVgm/DgOL01ky1igkiMj8ICmOkjI+kciAKnGOcQEgUW48rgV8zYTA25mi
-3ZT6pjutAkEA9MLeym0eGVER5bMvhes9QTtIpaOvEIhgFGGq50mbcPfE8s4Uq8xL
-oVfDL2AEIsV7mpXxxbZrfBat/rxUEO7dtwJAQnHC63xXFCvK6lnaM1pjNwV4b0Vf
-6iFGnvvRMUgYai5cbqTUl50fBqHzwZyHvHCpChnZfA2sF+eLHcMkdcAcpQJBANfw
-xVaahp+XYs7hE+B29ogCoclhbCaN6xaQRJPh4P392wjMwHgBuggSweWeNIfo63Ar
-Mi9ZDeNgrwm7Zf+6fmkCQARjGSwgobjSXiABXj3t/psyoeEScKHk2vwjgUtjHWMS
-imyxwPsWyorJxFYLT6EWjkGd9OSJ3EXaBbNWFMAMbgM=
+MIICXAIBAAKBgQClVUp0vfMtcek7PsuUAGg48vVKkml3MA71SPxgfjTb3RZFrIae
+zkF4AJBeT3l4VHNMU7tDqSnvqOgTCH2+32Ezjqbod5KtRMLstKUk1h9YZyWZTvqG
+THXb+uVzRe8TQZTs8XIcNdPjTXTeg0Pd4tQzioM7+Outj0M3V+dK+BYh8QIDAQAB
+AoGAEaS5Mh2eMJSWJOQl4fisJp2o1wkqV5WJlxvvkNWPCwJ8MLnBUPumSWnX/jSB
+fDmY50WNN6J7DvAJuhQ/JQoeC3BN8tIAjbgxFEa3hDAnO7qPhire0R56qhnBbx97
+hBvc1w87mUb1qvTX3LZHMv3k7R+oYlA3ManFGfe+2XKY5/ECQQDOx9Ntet4jngjf
+MaXPC75Pe3fbqHzm6mU31Lecx57jYehlm7MLZfgOtwNjFLFAG2e4GXLdQnNKJNQF
+00NrXqC5AkEAzK/eEi2P57qQu0vEEzkNYB9PdOBvrQ8P2jmwN0O1p+T2XAbbIWiR
+kuIAIJltHEAhTHEgMdod6Ys4umpx2Zc++QJBAK1rwdJr3aoZfG9UAC+pNa8LafZ7
+VGWF5+XvLR77/DHPh0zQTFUe6+/LZbfPPuj5Ev+/uCoA9RgV0wwfpseB0WECQDID
+IqKUaV34ctagq5b60K7U16g6Em9Zh8kNYWYPcDpGsn9H2ZDvKOqXt+o/Mq69aKVx
+2qjzn21p7AF4crr0vpkCQGNfEwTDUbdYMv0nuVF1J/GBCAcaUwzF/LUAUU0HjCRl
+ANzfeChglO4b/4UZQWrtJr8Ut2GFFxad7ClzI/9xnqc=
 -----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/ca_chain.pem
index 569dda104..fef1020ef 100644
--- a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/ca_chain.pem
+++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/ca_chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.net/CN=clica Signing Cert
-issuer=/O=example.net/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.net/CN=clica Signing Cert rsa
+issuer=/O=example.net/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCsZOv
-pjcv45hvkXmbkZLSoywwX94a3jFC993OxTL8ixpQ0KxY2bc8TLcOTA+p3hH0pi2N
-JwiiWVQjA9HXrf7s/RmytXFZiJ5sE/mtkBNCUjH2uoGz9x1uVuIwq2colRe7JdQ5
-aCnb3D77nFy9bOvE59sljCbjeU2NwI1LIaUgfQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-Xi2XyqKqdhCOdcNmhhaOaPc9M5/W/52Y4y8DNEveJdbn9ZOIjz7w2vnxJ8hhbJHF
-RDGz6jeTnYz7wIYwRxU6y8vUNtXbV+S6RcWL6Symek52O32tj+TTP99lSu/bC2+f
-7cNOqfsUzyMi4EagINLkPFT8p0ozjXeWu7/Cy17K75s=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owNzEUMBIGA1UEChMLZXhhbXBsZS5uZXQxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBALMuDick/uNCkK8zWtdko5eynjJq0y8NVNlhSFkbwfjbxOQycuyMhMlYNnvs
+ESWZTV5ckpsvoDrFQLFk6ZB7RVYHUoOHNfANm8JWC9GR5zqbquibA/MMQ4h2Xlkz
+zQz12AzPpouZUyYs1+SjwlgfBRVhtxApDR2bPEDzI6s9VUdXAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQDCXkPeCURjOJwCBgbLERuNghPiWLqHPopm1idM2A032jDgbRXD9/DP
+1xOPgSLEW59EiJac0RNae0D2KyhnG90NZLccXK0a9Uu1iaAmdcJ7s4a0x0ZH9Kza
+hqz0cr4oStUOHxG/AtPKuhZ9PkZ7GDSPDW0k/z64WYCm1fqSWkbVig==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.net/CN=clica CA
-issuer=/O=example.net/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.net/CN=clica CA rsa
+issuer=/O=example.net/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMTEbMTyGaBnI5WpLVtz
-wWIEzR2lJyq5MHV6t9cIw/M1VFc0a9Woq8IeEyEmlycNe1/HgJfr7jq2JCtFu4VZ
-ZFMJW6bD7KiUGp2DwPEeC5yN1q7T4Yuho8kIdzpRTYnWo4RgPhl7wxSYoier+8/V
-1Zy3PrsciWI7Avp2Uq8iNGl/AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBADczofjhb+kWLvYcdK+w
-jEMvqwiEsm947WXuWYtg0Wi2IWhyZId9KfVJtHs7b/720WX2VeewkafuV+QfwE5c
-/Q7N8M1tnFbKT/2Af7o3MVxDH9cYXPTYWgM5i0Yv5k73VBZ/dhT5HSj1Ri1sxv3C
-vAJ2oHvLkS1MOpYEUICjB6xe
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owLTEUMBIGA1UEChMLZXhhbXBsZS5uZXQxFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3kwC9CHz
+JH7sEDkHMdZRq8+XpV7l/hEqfv2gPvT3mak46dWrI/T3pJOqyNvUZV/LJ/gx/0uw
+9pmCg6Y5zNCN0qAGY4rSS/sbEOLYIw5wJbFnYfHtTwe3ZAdG+5WqKMBF2lHNBM3b
+PUB/kweoLhNLwserKHwMDC3sksfrwH29rpMCAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAzXt6KHIB
+qOJfZECgwhAWipxVR0BXek0hAfyTWl7q18+mWKYydQW0Z2VMN4Bq/ZUlOg+EM8NU
+1n9PJ4+I2QgAwVVXN4+cz7zgZ6XRZc1OkE98NyK504bVpJpan1gsx3I5GLJUgP2t
+B/WwqoFO+ANhT2margZSM6avJfaIh8gEass=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/cert8.db
index 41044e5c9..ca5847ed9 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/cert8.db and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/key3.db
index 7ac296788..bed8d0958 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/key3.db and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.chain.pem
index da13c8cff..cd6072437 100644
--- a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.chain.pem
+++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
     friendlyName: revoked2.example.net
-    localKeyID: 7A 3D 99 D0 B9 57 D0 D1 D2 6F 5D C0 3F CA F3 A9 34 49 BC 45 
+    localKeyID: 9D 94 B3 78 78 92 F0 B8 83 21 D7 C0 CB 0E 1B 33 EF 39 B6 17 
 subject=/CN=revoked2.example.net
-issuer=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhh
-bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDRaFw0zNzEyMDExMjM0MDRaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
-bGUubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6mq2TPyXL30lDv6nm
-k6cDAfPw70OceffXFbBtGT0gVYo1uu3uwbgsXlVAWKbOVwB5eyANgjCu1cT8Ijmu
-Smver4PEI54NVT5LCMhaqZh//eh99KCeCL9bsRPFWNP6HLYDMJrLbEfcCTk+l0NQ
-1Qw9CX5d5YTQuIsJtad8I3bimQIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5uZXQvMB8GA1Ud
-EQQYMBaCFHJldm9rZWQyLmV4YW1wbGUubmV0MA0GCSqGSIb3DQEBCwUAA4GBALZH
-gmXhmLpZ7kqPoOiA/DU17X0wfouWx7wPSbzlNRnSuv255oLXnuYaFAadSr0V9fIq
-pwfS4SOSuvL9eil1hBSUDaFrYfLdmCgXNa+W3mskvDc8M589CnHEoR6QOrOZGzgB
-ffLYT2L+Z8A0K3XOGhA6JSrUKG46Ilmph3D17USQ
+MIICjjCCAfegAwIBAgICAMowDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIx
+MTAxMTIzNDA0WhcNMzcxMjAxMTIzNDA0WjAfMR0wGwYDVQQDExRyZXZva2VkMi5l
+eGFtcGxlLm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3Se+qbZkX/Fl
+i5PBS0yDe8c7so0Ze+yVeuM0NBZY0h0K6ahKb8NuFQ7jpL7BtQRlFGoU2foVLdLd
+/zSg5802qaTsuDISGnLxX0Fpr1gm+OvQkGdJt8eeVZEpNLph8zvp3eFtG8HE9l6R
+QbsEDTnJGHYlHNscnW1CMB3p6NyzMXkCAwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUubmV0LzAf
+BgNVHREEGDAWghRyZXZva2VkMi5leGFtcGxlLm5ldDANBgkqhkiG9w0BAQsFAAOB
+gQBomN+m0L4SwIi+CoZOyIQTjKiKZU2XuripqrazQflD4hJoWqFxod6gGrrLBhSS
+481+/zt26E0+49e9f6rU4FLnkjt6rr2hoJk8Sw9/MRUQ54HroEq3Gk6fPJjIlZd6
+DXp1rbYTRkJKLZcdDtDjUqENU750mQfLIl7zQ9CGweKZpA==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCsZOv
-pjcv45hvkXmbkZLSoywwX94a3jFC993OxTL8ixpQ0KxY2bc8TLcOTA+p3hH0pi2N
-JwiiWVQjA9HXrf7s/RmytXFZiJ5sE/mtkBNCUjH2uoGz9x1uVuIwq2colRe7JdQ5
-aCnb3D77nFy9bOvE59sljCbjeU2NwI1LIaUgfQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-Xi2XyqKqdhCOdcNmhhaOaPc9M5/W/52Y4y8DNEveJdbn9ZOIjz7w2vnxJ8hhbJHF
-RDGz6jeTnYz7wIYwRxU6y8vUNtXbV+S6RcWL6Symek52O32tj+TTP99lSu/bC2+f
-7cNOqfsUzyMi4EagINLkPFT8p0ozjXeWu7/Cy17K75s=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owNzEUMBIGA1UEChMLZXhhbXBsZS5uZXQxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBALMuDick/uNCkK8zWtdko5eynjJq0y8NVNlhSFkbwfjbxOQycuyMhMlYNnvs
+ESWZTV5ckpsvoDrFQLFk6ZB7RVYHUoOHNfANm8JWC9GR5zqbquibA/MMQ4h2Xlkz
+zQz12AzPpouZUyYs1+SjwlgfBRVhtxApDR2bPEDzI6s9VUdXAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQDCXkPeCURjOJwCBgbLERuNghPiWLqHPopm1idM2A032jDgbRXD9/DP
+1xOPgSLEW59EiJac0RNae0D2KyhnG90NZLccXK0a9Uu1iaAmdcJ7s4a0x0ZH9Kza
+hqz0cr4oStUOHxG/AtPKuhZ9PkZ7GDSPDW0k/z64WYCm1fqSWkbVig==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.key b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.key
index d6c969189..762dfd421 100644
--- a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.key
+++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.key
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: revoked2.example.net
-    localKeyID: 7A 3D 99 D0 B9 57 D0 D1 D2 6F 5D C0 3F CA F3 A9 34 49 BC 45 
+    localKeyID: 9D 94 B3 78 78 92 F0 B8 83 21 D7 C0 CB 0E 1B 33 EF 39 B6 17 
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIl8ORkiq1WgcCAggA
-MBQGCCqGSIb3DQMHBAhQynRXr7dKyASCAoCUInV8bnrIdALtUsJjSorOPDnKfo31
-jvT9nnowjwQGVDSB0spwjChqab2BanhimzPgPJatNsp3eoQ4Tqg+vCRa543PQMTv
-C3DNngH9mC2gv9utEnoOlg0bhT8WbgTsLTlbY8cg2bz2APRVvjyug46G3uZkbq4d
-vaHIZJtL6JeokSAaRnuHJHxZmbsxlbDj2A1kmt4kH7+PRrrs/VLESQ6gTATnb24R
-ChHPW/9nhCT4VJTkN2XgLGdnuja2HmFjOSlhOUU6gCh9oCQIbqOz/eJNQassbEub
-4AvFuOUTAG/O+1DxGe5ou61+i32WW3eOgAgobnrz0Ws/7EwME1mDUzQX0PxSiEVn
-kWqvg58LDcsi6Vl8Xm+LEDalh6xYRKtmM06dhfis9itxKQCWTj4uN2UDukQE2p7L
-epZjeoGAJ1YkaE8dRewM7VbaVRx037Qe93MUNhifngMWimni9uL2k5sgP4sfiks4
-x7jXbc5T1xNOkMRNpkjUyu2YbdnyKfdSg0iUV8+cFJ74oc8lwpXxkj2Uoq0Q3VhA
-TEMKlDeKvI0QIf7MXKhWRG025+44kLVzdloFIGZvg/3viBWaxbnSzMJS6nJWSbEq
-feXN03XpomrB2Cw3GkS5EcHSibuQ5ziXUnVbOnD+7wkKyA0NxPsavDt+0u9DqoWk
-0Upu2/Q8eVa6s6bFVLc0xeHCoxITIJXYNF421yE3D4PgXN3Jx10GJVo6LAk9eTjD
-GRZ73oLHnzEUkE/G7uuDt69nPPW+GEaskW8Mc8ZAedJ21/SSmkvLB1/cnUQsf9Sp
-fd2RKymIozWGXImbnEgMO/7pfhm7acgo+V1IUmY0mCTjWUAYWQj4Ba6a
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIsyCJhTC8O8oCAggA
+MBQGCCqGSIb3DQMHBAgbxjkbvtYrXwSCAoB4294psQBogCZpAG8qJhEpCNl7jtD7
+Y7dZTMcifXZUzJhuWk68qIOAoPdxswrszif/+mry+ebEVPIKFRSdXudYoghI44bM
+BKm8eX6zy1EMZDJk5u1A/+U3ny21xS7avh4jHzzBWgDc3qXuE2oaTms4BNg2L++L
+Xj/6UA0+t3ieXRbTaDRehofuSZN6yWbCBpf/xpjOPiy6O0hsGdzSv228ok3RJNcH
+j83dtsQrDQqRKhx1ElfVgE68QuR+6LGYtjaxXi28SEKVdIA1JDDvTQyxw9l+cyzm
+awbVmYX4kzTP49VBe8y0QhVlZ4qKIIfsXz8Z7lSJxnYgoRqgXtjaqZ02YkKZhBfe
+EHXkofxtgDpIHs/vHQRtFwkHI7hPnTrKYCUkQzAysVVGMbfcqtfqTB4Cg8onrJHt
+vOXyKhDePYEt7D2JK/hJM+Dr5SbAeBOFD31ZYOxp4/dgT3kKuy3f7SKebAw+wgTZ
+qiGYAN9VLyyjqGs+PB8AtuMlyUCyOELZEJpedTp3bqun1C4zamvgZezXNN+87mUT
+uLVmEfAQ97Wkr1HwFq5QQ17bgEM58gwgGjGHySaLrjfeGqOIxT4/3LXTLYwnbR7Y
+lF+2frBjGxWxgljxuKwimUr/OQ/2HnBB24i7A5N2IVzDkGarxd2v6bkgQElxsNAc
+XwDZvP7wIzp3vpb3beWPG37t70PR+eWAJYNyGMRupPDJnXvnY05o0Gn2dKYPeGsI
+s21+elEFUMYvv3CCf8q+AfF5yXVkJC9/DOKIQR8kTHOlOPRJdhdE0NDUU0/2f+nY
+83Uvgrppv+N7Y6ADFTf73KlOTnn5MQStavXoduJYL1s//+T/BAImh4oe
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.dated.resp
index 311ca3f8c..7a098d604 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.good.resp
index 720caf8aa..2e7255f88 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.req
index 4c541f56d..018d3b2e4 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.req and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.revoked.resp
index 720caf8aa..2e7255f88 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signer.dated.resp b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signer.dated.resp
index d9087df0c..6d4f33027 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signer.dated.resp and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signer.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signer.good.resp b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signer.good.resp
index 0aa2cd301..758da1405 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signer.good.resp and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signer.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signer.revoked.resp b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signer.revoked.resp
index 0aa2cd301..758da1405 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signer.revoked.resp and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signer.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signernocert.dated.resp b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signernocert.dated.resp
index 3714e9405..f41b3d2a5 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signernocert.dated.resp and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signernocert.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signernocert.good.resp b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signernocert.good.resp
index e4a7c38cf..9705c9547 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signernocert.good.resp and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signernocert.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signernocert.revoked.resp b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signernocert.revoked.resp
index e4a7c38cf..9705c9547 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signernocert.revoked.resp and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.signernocert.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.p12 b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.p12
index e91449ff3..2b6f862d1 100644
Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.p12 and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.pem b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.pem
index dfbb8f3e5..15393cf86 100644
--- a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.pem
+++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.pem
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: revoked2.example.net
-    localKeyID: 7A 3D 99 D0 B9 57 D0 D1 D2 6F 5D C0 3F CA F3 A9 34 49 BC 45 
+    localKeyID: 9D 94 B3 78 78 92 F0 B8 83 21 D7 C0 CB 0E 1B 33 EF 39 B6 17 
 subject=/CN=revoked2.example.net
-issuer=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhh
-bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDRaFw0zNzEyMDExMjM0MDRaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
-bGUubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6mq2TPyXL30lDv6nm
-k6cDAfPw70OceffXFbBtGT0gVYo1uu3uwbgsXlVAWKbOVwB5eyANgjCu1cT8Ijmu
-Smver4PEI54NVT5LCMhaqZh//eh99KCeCL9bsRPFWNP6HLYDMJrLbEfcCTk+l0NQ
-1Qw9CX5d5YTQuIsJtad8I3bimQIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5uZXQvMB8GA1Ud
-EQQYMBaCFHJldm9rZWQyLmV4YW1wbGUubmV0MA0GCSqGSIb3DQEBCwUAA4GBALZH
-gmXhmLpZ7kqPoOiA/DU17X0wfouWx7wPSbzlNRnSuv255oLXnuYaFAadSr0V9fIq
-pwfS4SOSuvL9eil1hBSUDaFrYfLdmCgXNa+W3mskvDc8M589CnHEoR6QOrOZGzgB
-ffLYT2L+Z8A0K3XOGhA6JSrUKG46Ilmph3D17USQ
+MIICjjCCAfegAwIBAgICAMowDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIx
+MTAxMTIzNDA0WhcNMzcxMjAxMTIzNDA0WjAfMR0wGwYDVQQDExRyZXZva2VkMi5l
+eGFtcGxlLm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3Se+qbZkX/Fl
+i5PBS0yDe8c7so0Ze+yVeuM0NBZY0h0K6ahKb8NuFQ7jpL7BtQRlFGoU2foVLdLd
+/zSg5802qaTsuDISGnLxX0Fpr1gm+OvQkGdJt8eeVZEpNLph8zvp3eFtG8HE9l6R
+QbsEDTnJGHYlHNscnW1CMB3p6NyzMXkCAwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUubmV0LzAf
+BgNVHREEGDAWghRyZXZva2VkMi5leGFtcGxlLm5ldDANBgkqhkiG9w0BAQsFAAOB
+gQBomN+m0L4SwIi+CoZOyIQTjKiKZU2XuripqrazQflD4hJoWqFxod6gGrrLBhSS
+481+/zt26E0+49e9f6rU4FLnkjt6rr2hoJk8Sw9/MRUQ54HroEq3Gk6fPJjIlZd6
+DXp1rbYTRkJKLZcdDtDjUqENU750mQfLIl7zQ9CGweKZpA==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.unlocked.key
index 22c52831b..adec37e32 100644
--- a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.unlocked.key
+++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.unlocked.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQC6mq2TPyXL30lDv6nmk6cDAfPw70OceffXFbBtGT0gVYo1uu3u
-wbgsXlVAWKbOVwB5eyANgjCu1cT8IjmuSmver4PEI54NVT5LCMhaqZh//eh99KCe
-CL9bsRPFWNP6HLYDMJrLbEfcCTk+l0NQ1Qw9CX5d5YTQuIsJtad8I3bimQIDAQAB
-AoGAHPmlrYaRrOLYB9q8BrSzVeaOEBcRouYsKMwSYBkaLRTQkt/wJYcTvQ1MzuK1
-IWHQY2H4q9WlD5DcDIvtSaCpYl+/XWf5LB+F7UQNOzqVCVADBgGIbf+kvncIHYud
-OAf+ifgEJrN4JJAmPpf+jIb4Z7THBl1nPzErxC1ZfRXzrT0CQQDhmHEtF3d4JpsZ
-Sg7AK9g9ZOLq775ufjRFt65nI49Iq/zg2NxUO4GVxd3LIKK91P+tdchenZSMa58b
-boHjI7c3AkEA08DyzF2lJk4HyEDssxJQGPSf4Qkb14ialSnYnQKcuY9uFaSq2qmD
-UqKCy2K07bWbxFST+SgbWXjuUYdppCJ8rwJBAJPnVPQiOYJ9lRwscKVPWZNOzHMJ
-QYnBllXLCj22k58qmz1zEGjtJpViR3qAaBIbTpGT8g0ONTEm8gaTGfcoGFsCQChK
-kGhecSwmsMhjwiYYl/EHqtww1YFfVrqHKdZGRvfv2Kx5lqDgnEI+9dApSe/pHGhx
-B27jOMD/h6kvsOQwQ7UCQFT6lidTnHgwDif41JCGxTE3HggKfhkPEz3ZOcQ+WOgf
-qsGi1sjzEl1pEwJwYm6xTp17AonJ6wnl6gNTbQIcGmU=
+MIICXAIBAAKBgQDdJ76ptmRf8WWLk8FLTIN7xzuyjRl77JV64zQ0FljSHQrpqEpv
+w24VDuOkvsG1BGUUahTZ+hUt0t3/NKDnzTappOy4MhIacvFfQWmvWCb469CQZ0m3
+x55VkSk0umHzO+nd4W0bwcT2XpFBuwQNOckYdiUc2xydbUIwHeno3LMxeQIDAQAB
+AoGAG5Ysm2DsDme/QfTxZKIruJH2qWQebK3rS4Px7BlphPQoe1MJzf0zyx6rWM6O
+vTTKIwzEgxhF8gxessnu1Ftt2OoPPBkSjEW96fK6U0zdyBQbCjLmHA2gGOeo7wLL
+mp1pVMAXZofrn2aJYC4rXrJ7EYrge3GoqoympofijIpOobECQQD6v4IEQgA8lytu
+Kv17vrRcgkSkEkofePe2+J/8L5QJPry/TPWeLG9KasZ1SppUZkM66CffAGAQEHvi
+C21RUXWdAkEA4cmP+w/5Ypg3P+4+5cyaTcKHEzd2Drqo7ANXV78Go3+AqX7beVzc
+0GxKn4S/94ZX6RkfYYE5WIWfXH8tgxPyjQJAO5kzNQHe/ofLydasAzKTuf04hWrX
+dV2SO0oi9JT2cbAYurt3Ec5r8Vspqo0921unFSRC/c0gCBFy8IpYxGBBPQJAMrr8
+C7fyG5IBz+5y2WUYQmJzwQCUGQkdjTHO/Rshnbi3Kt4i5+jSgE3kkmTcUPwxYmFP
+qLPFM7uKK9kzW6EuvQJBAIYFifaV0eG2nrhOoWW5Kgelqw3aXn3qvhnIRwXU/4xB
+gihTV/prnLLPWx/+AqlXFEeHGC/lOQmZSkClu56JIW0=
 -----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/server1.example.net/ca_chain.pem
index 569dda104..fef1020ef 100644
--- a/test/aux-fixed/exim-ca/example.net/server1.example.net/ca_chain.pem
+++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/ca_chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.net/CN=clica Signing Cert
-issuer=/O=example.net/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.net/CN=clica Signing Cert rsa
+issuer=/O=example.net/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCsZOv
-pjcv45hvkXmbkZLSoywwX94a3jFC993OxTL8ixpQ0KxY2bc8TLcOTA+p3hH0pi2N
-JwiiWVQjA9HXrf7s/RmytXFZiJ5sE/mtkBNCUjH2uoGz9x1uVuIwq2colRe7JdQ5
-aCnb3D77nFy9bOvE59sljCbjeU2NwI1LIaUgfQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-Xi2XyqKqdhCOdcNmhhaOaPc9M5/W/52Y4y8DNEveJdbn9ZOIjz7w2vnxJ8hhbJHF
-RDGz6jeTnYz7wIYwRxU6y8vUNtXbV+S6RcWL6Symek52O32tj+TTP99lSu/bC2+f
-7cNOqfsUzyMi4EagINLkPFT8p0ozjXeWu7/Cy17K75s=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owNzEUMBIGA1UEChMLZXhhbXBsZS5uZXQxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBALMuDick/uNCkK8zWtdko5eynjJq0y8NVNlhSFkbwfjbxOQycuyMhMlYNnvs
+ESWZTV5ckpsvoDrFQLFk6ZB7RVYHUoOHNfANm8JWC9GR5zqbquibA/MMQ4h2Xlkz
+zQz12AzPpouZUyYs1+SjwlgfBRVhtxApDR2bPEDzI6s9VUdXAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQDCXkPeCURjOJwCBgbLERuNghPiWLqHPopm1idM2A032jDgbRXD9/DP
+1xOPgSLEW59EiJac0RNae0D2KyhnG90NZLccXK0a9Uu1iaAmdcJ7s4a0x0ZH9Kza
+hqz0cr4oStUOHxG/AtPKuhZ9PkZ7GDSPDW0k/z64WYCm1fqSWkbVig==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.net/CN=clica CA
-issuer=/O=example.net/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.net/CN=clica CA rsa
+issuer=/O=example.net/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMTEbMTyGaBnI5WpLVtz
-wWIEzR2lJyq5MHV6t9cIw/M1VFc0a9Woq8IeEyEmlycNe1/HgJfr7jq2JCtFu4VZ
-ZFMJW6bD7KiUGp2DwPEeC5yN1q7T4Yuho8kIdzpRTYnWo4RgPhl7wxSYoier+8/V
-1Zy3PrsciWI7Avp2Uq8iNGl/AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBADczofjhb+kWLvYcdK+w
-jEMvqwiEsm947WXuWYtg0Wi2IWhyZId9KfVJtHs7b/720WX2VeewkafuV+QfwE5c
-/Q7N8M1tnFbKT/2Af7o3MVxDH9cYXPTYWgM5i0Yv5k73VBZ/dhT5HSj1Ri1sxv3C
-vAJ2oHvLkS1MOpYEUICjB6xe
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owLTEUMBIGA1UEChMLZXhhbXBsZS5uZXQxFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3kwC9CHz
+JH7sEDkHMdZRq8+XpV7l/hEqfv2gPvT3mak46dWrI/T3pJOqyNvUZV/LJ/gx/0uw
+9pmCg6Y5zNCN0qAGY4rSS/sbEOLYIw5wJbFnYfHtTwe3ZAdG+5WqKMBF2lHNBM3b
+PUB/kweoLhNLwserKHwMDC3sksfrwH29rpMCAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAzXt6KHIB
+qOJfZECgwhAWipxVR0BXek0hAfyTWl7q18+mWKYydQW0Z2VMN4Bq/ZUlOg+EM8NU
+1n9PJ4+I2QgAwVVXN4+cz7zgZ6XRZc1OkE98NyK504bVpJpan1gsx3I5GLJUgP2t
+B/WwqoFO+ANhT2margZSM6avJfaIh8gEass=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/server1.example.net/cert8.db
index c4d097941..4743f74b1 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/cert8.db and b/test/aux-fixed/exim-ca/example.net/server1.example.net/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/fullchain.pem b/test/aux-fixed/exim-ca/example.net/server1.example.net/fullchain.pem
index 8df23cc80..adefd178a 100644
--- a/test/aux-fixed/exim-ca/example.net/server1.example.net/fullchain.pem
+++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/fullchain.pem
@@ -1,58 +1,58 @@
 Bag Attributes
     friendlyName: server1.example.net
-    localKeyID: 9D 8E 88 6D C1 6C A7 AA FE CC D9 E9 36 E1 6B F2 AE 65 AC 4D 
+    localKeyID: 50 2F A4 71 29 E1 8A B0 EC 68 30 74 B4 8C 03 81 45 2F F7 17 
 subject=/CN=server1.example.net
-issuer=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIIC2zCCAkSgAwIBAgIBZTANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwM1oXDTM3MTIwMTEyMzQwM1owHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
-Lm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA9hrjHUQ00de8LbF1elKa
-Kjiz5UBYzmj8BWEH2Jy4Bz3lWfBVLx7YlLYRo7nwwlj7IAJ5bU6u9NSXLxDUI3w1
-B7iXZpbbGMOai2zpUOVKnhWonkr++9d8ed34eNv01HHQw5xqupXQh8MoVQ9MOnTr
-XsMkE8gkDpDT5piFzrYDLIUCAwEAAaOCARIwggEOMA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5uZXQvMHAGA1Ud
-EQRpMGeCImFsdGVybmF0ZW5hbWUyLnNlcnZlcjEuZXhhbXBsZS5uZXSCE3NlcnZl
-cjEuZXhhbXBsZS5uZXSCIWFsdGVybmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLm5l
-dIIJKi50ZXN0LmV4MA0GCSqGSIb3DQEBCwUAA4GBAJPC1iV+zpSU3ehQpNtQKe2Y
-qSPt5GUvpsbCr8aG53zJ6dLktcuTaE685cYfKZiX1stqIFSLKLFKiTQ9tWL1u3Yu
-MsqRDKXuMWqNL3i8d8A0ZcRTtpyKsHbJ2nhp1j9bUJnGsMMZ8XPb8oZqy/8EvXsk
-g0JdrloqoSXkK9aDIAD3
+MIIC3zCCAkigAwIBAgIBZTANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDNaFw0zNzEyMDExMjM0MDNaMB4xHDAaBgNVBAMTE3NlcnZlcjEuZXhh
+bXBsZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANp87d14zXozAbdw
+wD0AfnhqecV/D5GidUy4QnTVfSBMWjDkcjd7rajPnRHiM+NQFLkY5DKXuqpqZ0+W
+kH5dJrs2ZE5abmyfOzHUwai5IGVUIvOnBH4pXPLBcDQ6IAOEhpsaQaauHn/NpP7r
+X8n8WB/S3zmRk5Q92K/maQ8cgRt9AgMBAAGjggESMIIBDjAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUubmV0LzBw
+BgNVHREEaTBngiFhbHRlcm5hdGVuYW1lLnNlcnZlcjEuZXhhbXBsZS5uZXSCImFs
+dGVybmF0ZW5hbWUyLnNlcnZlcjEuZXhhbXBsZS5uZXSCE3NlcnZlcjEuZXhhbXBs
+ZS5uZXSCCSoudGVzdC5leDANBgkqhkiG9w0BAQsFAAOBgQCv5vsWzpkMj5OL+V3g
+bgXzhu0K05aOK5pv85sT4UGZpqrhLSTDjGvd5kFXLQwUH36CAzrqJOOV3vrWugrR
+/iR6VRcwqjq9Z2jT+XeSF6Immo5rnKjOl9Mor5mBwAHVW8Ojk2Ce3ww06AodpqaD
+yNB7Kmo3G2o63vGcVUg9gB+ohg==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.net/CN=clica Signing Cert
-issuer=/O=example.net/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.net/CN=clica Signing Cert rsa
+issuer=/O=example.net/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCsZOv
-pjcv45hvkXmbkZLSoywwX94a3jFC993OxTL8ixpQ0KxY2bc8TLcOTA+p3hH0pi2N
-JwiiWVQjA9HXrf7s/RmytXFZiJ5sE/mtkBNCUjH2uoGz9x1uVuIwq2colRe7JdQ5
-aCnb3D77nFy9bOvE59sljCbjeU2NwI1LIaUgfQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-Xi2XyqKqdhCOdcNmhhaOaPc9M5/W/52Y4y8DNEveJdbn9ZOIjz7w2vnxJ8hhbJHF
-RDGz6jeTnYz7wIYwRxU6y8vUNtXbV+S6RcWL6Symek52O32tj+TTP99lSu/bC2+f
-7cNOqfsUzyMi4EagINLkPFT8p0ozjXeWu7/Cy17K75s=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owNzEUMBIGA1UEChMLZXhhbXBsZS5uZXQxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBALMuDick/uNCkK8zWtdko5eynjJq0y8NVNlhSFkbwfjbxOQycuyMhMlYNnvs
+ESWZTV5ckpsvoDrFQLFk6ZB7RVYHUoOHNfANm8JWC9GR5zqbquibA/MMQ4h2Xlkz
+zQz12AzPpouZUyYs1+SjwlgfBRVhtxApDR2bPEDzI6s9VUdXAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQDCXkPeCURjOJwCBgbLERuNghPiWLqHPopm1idM2A032jDgbRXD9/DP
+1xOPgSLEW59EiJac0RNae0D2KyhnG90NZLccXK0a9Uu1iaAmdcJ7s4a0x0ZH9Kza
+hqz0cr4oStUOHxG/AtPKuhZ9PkZ7GDSPDW0k/z64WYCm1fqSWkbVig==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.net/CN=clica CA
-issuer=/O=example.net/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.net/CN=clica CA rsa
+issuer=/O=example.net/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMTEbMTyGaBnI5WpLVtz
-wWIEzR2lJyq5MHV6t9cIw/M1VFc0a9Woq8IeEyEmlycNe1/HgJfr7jq2JCtFu4VZ
-ZFMJW6bD7KiUGp2DwPEeC5yN1q7T4Yuho8kIdzpRTYnWo4RgPhl7wxSYoier+8/V
-1Zy3PrsciWI7Avp2Uq8iNGl/AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBADczofjhb+kWLvYcdK+w
-jEMvqwiEsm947WXuWYtg0Wi2IWhyZId9KfVJtHs7b/720WX2VeewkafuV+QfwE5c
-/Q7N8M1tnFbKT/2Af7o3MVxDH9cYXPTYWgM5i0Yv5k73VBZ/dhT5HSj1Ri1sxv3C
-vAJ2oHvLkS1MOpYEUICjB6xe
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owLTEUMBIGA1UEChMLZXhhbXBsZS5uZXQxFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3kwC9CHz
+JH7sEDkHMdZRq8+XpV7l/hEqfv2gPvT3mak46dWrI/T3pJOqyNvUZV/LJ/gx/0uw
+9pmCg6Y5zNCN0qAGY4rSS/sbEOLYIw5wJbFnYfHtTwe3ZAdG+5WqKMBF2lHNBM3b
+PUB/kweoLhNLwserKHwMDC3sksfrwH29rpMCAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAzXt6KHIB
+qOJfZECgwhAWipxVR0BXek0hAfyTWl7q18+mWKYydQW0Z2VMN4Bq/ZUlOg+EM8NU
+1n9PJ4+I2QgAwVVXN4+cz7zgZ6XRZc1OkE98NyK504bVpJpan1gsx3I5GLJUgP2t
+B/WwqoFO+ANhT2margZSM6avJfaIh8gEass=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/server1.example.net/key3.db
index fb072382e..2dcef1d2a 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/key3.db and b/test/aux-fixed/exim-ca/example.net/server1.example.net/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem
index fc08b865f..2321af905 100644
--- a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem
+++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem
@@ -1,37 +1,37 @@
 Bag Attributes
     friendlyName: server1.example.net
-    localKeyID: 9D 8E 88 6D C1 6C A7 AA FE CC D9 E9 36 E1 6B F2 AE 65 AC 4D 
+    localKeyID: 50 2F A4 71 29 E1 8A B0 EC 68 30 74 B4 8C 03 81 45 2F F7 17 
 subject=/CN=server1.example.net
-issuer=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIIC2zCCAkSgAwIBAgIBZTANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwM1oXDTM3MTIwMTEyMzQwM1owHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
-Lm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA9hrjHUQ00de8LbF1elKa
-Kjiz5UBYzmj8BWEH2Jy4Bz3lWfBVLx7YlLYRo7nwwlj7IAJ5bU6u9NSXLxDUI3w1
-B7iXZpbbGMOai2zpUOVKnhWonkr++9d8ed34eNv01HHQw5xqupXQh8MoVQ9MOnTr
-XsMkE8gkDpDT5piFzrYDLIUCAwEAAaOCARIwggEOMA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5uZXQvMHAGA1Ud
-EQRpMGeCImFsdGVybmF0ZW5hbWUyLnNlcnZlcjEuZXhhbXBsZS5uZXSCE3NlcnZl
-cjEuZXhhbXBsZS5uZXSCIWFsdGVybmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLm5l
-dIIJKi50ZXN0LmV4MA0GCSqGSIb3DQEBCwUAA4GBAJPC1iV+zpSU3ehQpNtQKe2Y
-qSPt5GUvpsbCr8aG53zJ6dLktcuTaE685cYfKZiX1stqIFSLKLFKiTQ9tWL1u3Yu
-MsqRDKXuMWqNL3i8d8A0ZcRTtpyKsHbJ2nhp1j9bUJnGsMMZ8XPb8oZqy/8EvXsk
-g0JdrloqoSXkK9aDIAD3
+MIIC3zCCAkigAwIBAgIBZTANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDNaFw0zNzEyMDExMjM0MDNaMB4xHDAaBgNVBAMTE3NlcnZlcjEuZXhh
+bXBsZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANp87d14zXozAbdw
+wD0AfnhqecV/D5GidUy4QnTVfSBMWjDkcjd7rajPnRHiM+NQFLkY5DKXuqpqZ0+W
+kH5dJrs2ZE5abmyfOzHUwai5IGVUIvOnBH4pXPLBcDQ6IAOEhpsaQaauHn/NpP7r
+X8n8WB/S3zmRk5Q92K/maQ8cgRt9AgMBAAGjggESMIIBDjAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUubmV0LzBw
+BgNVHREEaTBngiFhbHRlcm5hdGVuYW1lLnNlcnZlcjEuZXhhbXBsZS5uZXSCImFs
+dGVybmF0ZW5hbWUyLnNlcnZlcjEuZXhhbXBsZS5uZXSCE3NlcnZlcjEuZXhhbXBs
+ZS5uZXSCCSoudGVzdC5leDANBgkqhkiG9w0BAQsFAAOBgQCv5vsWzpkMj5OL+V3g
+bgXzhu0K05aOK5pv85sT4UGZpqrhLSTDjGvd5kFXLQwUH36CAzrqJOOV3vrWugrR
+/iR6VRcwqjq9Z2jT+XeSF6Immo5rnKjOl9Mor5mBwAHVW8Ojk2Ce3ww06AodpqaD
+yNB7Kmo3G2o63vGcVUg9gB+ohg==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCsZOv
-pjcv45hvkXmbkZLSoywwX94a3jFC993OxTL8ixpQ0KxY2bc8TLcOTA+p3hH0pi2N
-JwiiWVQjA9HXrf7s/RmytXFZiJ5sE/mtkBNCUjH2uoGz9x1uVuIwq2colRe7JdQ5
-aCnb3D77nFy9bOvE59sljCbjeU2NwI1LIaUgfQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-Xi2XyqKqdhCOdcNmhhaOaPc9M5/W/52Y4y8DNEveJdbn9ZOIjz7w2vnxJ8hhbJHF
-RDGz6jeTnYz7wIYwRxU6y8vUNtXbV+S6RcWL6Symek52O32tj+TTP99lSu/bC2+f
-7cNOqfsUzyMi4EagINLkPFT8p0ozjXeWu7/Cy17K75s=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owNzEUMBIGA1UEChMLZXhhbXBsZS5uZXQxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBALMuDick/uNCkK8zWtdko5eynjJq0y8NVNlhSFkbwfjbxOQycuyMhMlYNnvs
+ESWZTV5ckpsvoDrFQLFk6ZB7RVYHUoOHNfANm8JWC9GR5zqbquibA/MMQ4h2Xlkz
+zQz12AzPpouZUyYs1+SjwlgfBRVhtxApDR2bPEDzI6s9VUdXAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQDCXkPeCURjOJwCBgbLERuNghPiWLqHPopm1idM2A032jDgbRXD9/DP
+1xOPgSLEW59EiJac0RNae0D2KyhnG90NZLccXK0a9Uu1iaAmdcJ7s4a0x0ZH9Kza
+hqz0cr4oStUOHxG/AtPKuhZ9PkZ7GDSPDW0k/z64WYCm1fqSWkbVig==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.key b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.key
index 392037a4b..0e5f497dd 100644
--- a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.key
+++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.key
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: server1.example.net
-    localKeyID: 9D 8E 88 6D C1 6C A7 AA FE CC D9 E9 36 E1 6B F2 AE 65 AC 4D 
+    localKeyID: 50 2F A4 71 29 E1 8A B0 EC 68 30 74 B4 8C 03 81 45 2F F7 17 
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIOd+1INjFUxECAggA
-MBQGCCqGSIb3DQMHBAg9VZq9DU5CbwSCAoA7jHnjoTklLx5kS/0wLcjzd/+EmYuz
-X2jVsD6al33pBgKbvOdMt3Jss26llvNB5MSGev/HcXK6+U512zhnjhL5f0eBoVEM
-K+zkwO/D4j5wR9URRB3i6Z/H1qWf+lpvB4S8BGeFENM/aLEPUvf4JN4BhKmeAIyD
-367Q0nlkNhRNNPvFQ8UNTDBhfXYT25lDMtBUl6cyibbc+LmFX6MUAbfffjoqaBBX
-OF7sJ/AJmCZDKI+QFeeabf1hiroyio661Ip09ygz2xnaY7CxJLuEJySVzNA3NyNJ
-hOevn78Owerv57F9X6hkSRteKJ8drc+hbbV6BIglkkoFEMWwJXshy+q6raKaqzfy
-mZ6tY9ehgC/wzCIPWFZOQCFDGNpLvxrX0SncSFegr8utueHBf1Je4maxAXl+qVtr
-wmU6ybI8XY6CaRWgpCohed8xjR5hEokmhNV0BXDghChb5TORk2578a8AhsgdhB0t
-wthyCE1i7zS61ITP86E5LWOhOpThZmm4E01QHgnXzjr5f8pAkO/guXizAsD37W9W
-NmgfQYwKu6H64HbjPguLxXLP5FuVryYlyAYse/RtLOG9aiH+gUce2rGxkr6FQNKt
-dg82cctgMWDJ4STbrEr+D4yceCYErpDiXx7D3ZH7ZouunReEhZpG6E3o/T0jGuzv
-0G5WY5C989TH2p2OS7EL3Od8HtqtCuV16ECNUkaEVkOXI6fq9GuRBUPeRWd6V7iU
-DBn5NOtMoBY0qJ5rOgBY9t391VaZpTIQp5A0SilXuoKFM69d+3IQOzvnKAT8Ok/8
-l4pODZvzgHAwcXL+U7DzVcBswxaKukbv2yLag7Ebh19GzLEYWZJhUUUS
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIF5UpLi3LhbgCAggA
+MBQGCCqGSIb3DQMHBAia5QVJXajfbgSCAoAgeXf3jyr8o71Ul/fOMeq2Ye2cUkx6
+4ymZg/Pnjj/vkOPCMsByOADVDGf2NVza8pUqU2FFiGxetfMSM/VzimsANaLr5pdP
+eM4bitqaLCJEP7cJq+Zs+0cvkpPf4Mv9RpZKso7B/ChEhEdvU5YevfY2FVt7ZQIk
+Jna2XnNSI9uuAxQrC11rkbbaq3/5grv0bIB/5K8Ut4ViVNI7hPlK2nTPizyIhOkk
+vGdphf1Z3uvoW7uYuud5r6NJf0Cf2n41CTKQ6zNZ/HH8igysPrej/GGIO5a8FmSt
+cHraE6tSw5MbCNtcyGq43pWVvBDeHp4uCcghPpXAnfkR/svrgnxDrDVniZ6VMA78
+7QL8o6VnsuUJONjWh9GeVusM+qZH6/9s5rg7l6gNlPlMpIqZqiDOx6pDXhoOddHW
+yEiHysguCHZa04O8zqYkhx7cPE2VNgJm6sYC0CwyJFC0KgrxMGgjPGY+MEqMWX8v
+qrqPOrPURFlHmFEndFdInK9sA1LW1rDw1M1t4IdNliC90EPwauXSpWzzkNo3Ygt+
+3iTAPScE67z19DY4pbrRLs6uF7emI9pi84lCTDVbby2ZkB18e5vn6kHE8M5dfkdd
+8qcsFU9bBuI4wu1S9CJxXeT30JjFOu6Y2Jb2erimIQe+JS/D+CkNuYx9gGuCEedn
+Yn6CM+CxjuxxMQX1nu+Cap1vAbFYfETZcdxtbIwpqPVLHXi0/F5CJMj/XNwQ1rUD
+x8L76n7kaYMOiNfmgKwXWEOJ4Bx2bteRK0OdnsrhABmjc0ENmX4y/WNF4YVg2Yml
+wHn3xhuoJkNoMjCNWOFB8GYELc09aLzRnOXQChRqAmEZY9JBUAFE6xvi
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.dated.resp
index 5eb365022..6704e1343 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.good.resp
index 24d598ab7..db2cf4eae 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.req
index ffee1ffe2..6bbcfb8d4 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.req and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.revoked.resp
index c0cc4682a..17cd00182 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signer.dated.resp b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signer.dated.resp
index 68671e583..abbda91f9 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signer.dated.resp and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signer.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signer.good.resp b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signer.good.resp
index 9c1cbf83c..0e2c4c0ea 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signer.good.resp and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signer.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signer.revoked.resp b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signer.revoked.resp
index 5347205dc..48561ad02 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signer.revoked.resp and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signer.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signernocert.dated.resp b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signernocert.dated.resp
index 4a1e5040a..f03b4ff2f 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signernocert.dated.resp and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signernocert.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signernocert.good.resp b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signernocert.good.resp
index 3cacf4f91..b11114ea4 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signernocert.good.resp and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signernocert.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signernocert.revoked.resp b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signernocert.revoked.resp
index d3b83e123..a8cc12542 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signernocert.revoked.resp and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.signernocert.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.p12 b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.p12
index e138cb631..6b5c704a0 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.p12 and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.pem b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.pem
index b58dc977f..57c62b1a7 100644
--- a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.pem
+++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.pem
@@ -1,23 +1,23 @@
 Bag Attributes
     friendlyName: server1.example.net
-    localKeyID: 9D 8E 88 6D C1 6C A7 AA FE CC D9 E9 36 E1 6B F2 AE 65 AC 4D 
+    localKeyID: 50 2F A4 71 29 E1 8A B0 EC 68 30 74 B4 8C 03 81 45 2F F7 17 
 subject=/CN=server1.example.net
-issuer=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIIC2zCCAkSgAwIBAgIBZTANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwM1oXDTM3MTIwMTEyMzQwM1owHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
-Lm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA9hrjHUQ00de8LbF1elKa
-Kjiz5UBYzmj8BWEH2Jy4Bz3lWfBVLx7YlLYRo7nwwlj7IAJ5bU6u9NSXLxDUI3w1
-B7iXZpbbGMOai2zpUOVKnhWonkr++9d8ed34eNv01HHQw5xqupXQh8MoVQ9MOnTr
-XsMkE8gkDpDT5piFzrYDLIUCAwEAAaOCARIwggEOMA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5uZXQvMHAGA1Ud
-EQRpMGeCImFsdGVybmF0ZW5hbWUyLnNlcnZlcjEuZXhhbXBsZS5uZXSCE3NlcnZl
-cjEuZXhhbXBsZS5uZXSCIWFsdGVybmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLm5l
-dIIJKi50ZXN0LmV4MA0GCSqGSIb3DQEBCwUAA4GBAJPC1iV+zpSU3ehQpNtQKe2Y
-qSPt5GUvpsbCr8aG53zJ6dLktcuTaE685cYfKZiX1stqIFSLKLFKiTQ9tWL1u3Yu
-MsqRDKXuMWqNL3i8d8A0ZcRTtpyKsHbJ2nhp1j9bUJnGsMMZ8XPb8oZqy/8EvXsk
-g0JdrloqoSXkK9aDIAD3
+MIIC3zCCAkigAwIBAgIBZTANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDNaFw0zNzEyMDExMjM0MDNaMB4xHDAaBgNVBAMTE3NlcnZlcjEuZXhh
+bXBsZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANp87d14zXozAbdw
+wD0AfnhqecV/D5GidUy4QnTVfSBMWjDkcjd7rajPnRHiM+NQFLkY5DKXuqpqZ0+W
+kH5dJrs2ZE5abmyfOzHUwai5IGVUIvOnBH4pXPLBcDQ6IAOEhpsaQaauHn/NpP7r
+X8n8WB/S3zmRk5Q92K/maQ8cgRt9AgMBAAGjggESMIIBDjAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUubmV0LzBw
+BgNVHREEaTBngiFhbHRlcm5hdGVuYW1lLnNlcnZlcjEuZXhhbXBsZS5uZXSCImFs
+dGVybmF0ZW5hbWUyLnNlcnZlcjEuZXhhbXBsZS5uZXSCE3NlcnZlcjEuZXhhbXBs
+ZS5uZXSCCSoudGVzdC5leDANBgkqhkiG9w0BAQsFAAOBgQCv5vsWzpkMj5OL+V3g
+bgXzhu0K05aOK5pv85sT4UGZpqrhLSTDjGvd5kFXLQwUH36CAzrqJOOV3vrWugrR
+/iR6VRcwqjq9Z2jT+XeSF6Immo5rnKjOl9Mor5mBwAHVW8Ojk2Ce3ww06AodpqaD
+yNB7Kmo3G2o63vGcVUg9gB+ohg==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
index ee116a16f..1795c9aa2 100644
--- a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
+++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQD2GuMdRDTR17wtsXV6UpoqOLPlQFjOaPwFYQfYnLgHPeVZ8FUv
-HtiUthGjufDCWPsgAnltTq701JcvENQjfDUHuJdmltsYw5qLbOlQ5UqeFaieSv77
-13x53fh42/TUcdDDnGq6ldCHwyhVD0w6dOtewyQTyCQOkNPmmIXOtgMshQIDAQAB
-AoGABy2kQVXVS67vqGreAQIMOm/t2gUVIEHrN+zyYaP0IxO3Gb5AYV/p14V5xHYc
-2PkD5M475HaHgvvAbusB2l45+iNBW6wgTLCztPYbgMPiDVp47AcACRqIaC3SoDqC
-rUP8cUhlge1KTKjIlP7q8MVRl1ckPFaoTOM7hyNqyev6BHECQQD9HWO77AyIUcUC
-6gaPuvx2FZ6C7dnN+ojyVMu6lcd6CJekNhoN912AoKB8vsjoEuPejPsipGWuWso6
-ZwbFl3izAkEA+OkK3s5woOSd0NjP7BHRHEOAW337qMMcT3AI8CzJDg1YBZTMrX6r
-ixk77khw3FjWk4USTpJpBYjsansJslkx5wJAXBPx8S4IzRp6AfpikqziJI7u0BB4
-uG7YnNduGZ1dKK6xg4JO7h+7uwwz9c1txscAcDh3L34Ao3HRuXc7Rmw48wJABjS5
-QqjfAgPxM13UgUxIbG36a02O0rxanlhqwKI9OQ54HVuCZuj7mfI9HknMFpJYd0Eg
-HblkyPCLBHSg30N+DQJBALpMoB9ayQBQgTWUl9yJs1b4bu6/SUduAgVTdIU+0Af8
-yfzJkTVaCEH+Y0MS8uyuu6vdnhsQnbwk1eFVj6XMXlU=
+MIICXAIBAAKBgQDafO3deM16MwG3cMA9AH54annFfw+RonVMuEJ01X0gTFow5HI3
+e62oz50R4jPjUBS5GOQyl7qqamdPlpB+XSa7NmROWm5snzsx1MGouSBlVCLzpwR+
+KVzywXA0OiADhIabGkGmrh5/zaT+61/J/Fgf0t85kZOUPdiv5mkPHIEbfQIDAQAB
+AoGAWGGJ3PmFcQWaD6jp8qM1BaPYn2XvF9PWTFMK+vTzOTH5l+aJN11t2agmGvpc
+T/rwbxGdGcQby9zf7qdyytMGm5uS05HHkOtayKc8V2xSEsPpwY6xGnXklT9wHEl8
+IkCTHNtEBchIMSPvTMhY12JsHi4LXeerkwJt6VlhDwENchcCQQD/jhYZWSNChAic
+WBoEHCjeUPUae+6EI5AEzxjgHBczAaAGGxVUcBaNPVLdECPKVzkVLC8R8RL1SbVO
+3y0g18ibAkEA2t5R+TLPPwZB/AF9+b4Eig4t16jsb2wZvOkluga+0JOrRzS9ATBc
+L18TXrNieKzKsmLjJdQ9RbXpUYKbj8OxxwJAfWibvaq5m+2xUBAIDFZJU/gEoA+L
+V/sftMxwl6IRXG2CuxxVVk9/MaaTYHqIJcax84rwOmzEcezO9bqdqc1a2wJAKQmG
+VTMxqJ+Dv7yH4ku+jiQadFU3/6xFJyaP7FFXdcQ6WR+KUK7AmiE5gIgh7n53gvsH
+nBAvbOKu3JmgkVQgAQJBAN3Vx7RLrLr2BjJiCBNflSU1dUOaqa/IybkHX29or5kH
+IvATeI8ptmiphSil/uy79c6jzYuyiuRtrgnUh/WrKeM=
 -----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/server2.example.net/ca_chain.pem
index 569dda104..fef1020ef 100644
--- a/test/aux-fixed/exim-ca/example.net/server2.example.net/ca_chain.pem
+++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/ca_chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.net/CN=clica Signing Cert
-issuer=/O=example.net/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.net/CN=clica Signing Cert rsa
+issuer=/O=example.net/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCsZOv
-pjcv45hvkXmbkZLSoywwX94a3jFC993OxTL8ixpQ0KxY2bc8TLcOTA+p3hH0pi2N
-JwiiWVQjA9HXrf7s/RmytXFZiJ5sE/mtkBNCUjH2uoGz9x1uVuIwq2colRe7JdQ5
-aCnb3D77nFy9bOvE59sljCbjeU2NwI1LIaUgfQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-Xi2XyqKqdhCOdcNmhhaOaPc9M5/W/52Y4y8DNEveJdbn9ZOIjz7w2vnxJ8hhbJHF
-RDGz6jeTnYz7wIYwRxU6y8vUNtXbV+S6RcWL6Symek52O32tj+TTP99lSu/bC2+f
-7cNOqfsUzyMi4EagINLkPFT8p0ozjXeWu7/Cy17K75s=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owNzEUMBIGA1UEChMLZXhhbXBsZS5uZXQxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBALMuDick/uNCkK8zWtdko5eynjJq0y8NVNlhSFkbwfjbxOQycuyMhMlYNnvs
+ESWZTV5ckpsvoDrFQLFk6ZB7RVYHUoOHNfANm8JWC9GR5zqbquibA/MMQ4h2Xlkz
+zQz12AzPpouZUyYs1+SjwlgfBRVhtxApDR2bPEDzI6s9VUdXAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQDCXkPeCURjOJwCBgbLERuNghPiWLqHPopm1idM2A032jDgbRXD9/DP
+1xOPgSLEW59EiJac0RNae0D2KyhnG90NZLccXK0a9Uu1iaAmdcJ7s4a0x0ZH9Kza
+hqz0cr4oStUOHxG/AtPKuhZ9PkZ7GDSPDW0k/z64WYCm1fqSWkbVig==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.net/CN=clica CA
-issuer=/O=example.net/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.net/CN=clica CA rsa
+issuer=/O=example.net/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMTEbMTyGaBnI5WpLVtz
-wWIEzR2lJyq5MHV6t9cIw/M1VFc0a9Woq8IeEyEmlycNe1/HgJfr7jq2JCtFu4VZ
-ZFMJW6bD7KiUGp2DwPEeC5yN1q7T4Yuho8kIdzpRTYnWo4RgPhl7wxSYoier+8/V
-1Zy3PrsciWI7Avp2Uq8iNGl/AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBADczofjhb+kWLvYcdK+w
-jEMvqwiEsm947WXuWYtg0Wi2IWhyZId9KfVJtHs7b/720WX2VeewkafuV+QfwE5c
-/Q7N8M1tnFbKT/2Af7o3MVxDH9cYXPTYWgM5i0Yv5k73VBZ/dhT5HSj1Ri1sxv3C
-vAJ2oHvLkS1MOpYEUICjB6xe
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owLTEUMBIGA1UEChMLZXhhbXBsZS5uZXQxFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3kwC9CHz
+JH7sEDkHMdZRq8+XpV7l/hEqfv2gPvT3mak46dWrI/T3pJOqyNvUZV/LJ/gx/0uw
+9pmCg6Y5zNCN0qAGY4rSS/sbEOLYIw5wJbFnYfHtTwe3ZAdG+5WqKMBF2lHNBM3b
+PUB/kweoLhNLwserKHwMDC3sksfrwH29rpMCAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAzXt6KHIB
+qOJfZECgwhAWipxVR0BXek0hAfyTWl7q18+mWKYydQW0Z2VMN4Bq/ZUlOg+EM8NU
+1n9PJ4+I2QgAwVVXN4+cz7zgZ6XRZc1OkE98NyK504bVpJpan1gsx3I5GLJUgP2t
+B/WwqoFO+ANhT2margZSM6avJfaIh8gEass=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/server2.example.net/cert8.db
index ea2c6ab33..5ee0f8149 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/cert8.db and b/test/aux-fixed/exim-ca/example.net/server2.example.net/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/server2.example.net/key3.db
index 685a75715..8e7bc550b 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/key3.db and b/test/aux-fixed/exim-ca/example.net/server2.example.net/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.chain.pem
index 145287924..4fcf7ad88 100644
--- a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.chain.pem
+++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
     friendlyName: server2.example.net
-    localKeyID: 6A E8 46 7A BF C8 D0 A8 0B BF 99 5B 88 D4 21 1C F5 D1 29 B0 
+    localKeyID: D2 9B A9 F4 48 0F EB D4 1A CA 1B 29 7A 49 FB 09 0B AA 4D 02 
 subject=/CN=server2.example.net
-issuer=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhh
-bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDNaFw0zNzEyMDExMjM0MDNaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
-ZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJlsgV5oLe2Grkp1uZAu
-FPgYedF8iBTxWxeMwDYrv02zlMGYVvNpqu0rYFw9Z5AMTUt8nCTVWlo17KkWUkfl
-1jLL4+5VYVcSmQkh8Th7N9hjwks5dgoGttXODEIraagU0Q00K+3iWkHaUkJL/jOh
-xEeDfO83QB3xZL9WOgyFM0xvAgMBAAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAG
-A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
-hiFodHRwOi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
-KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLm5ldC8wHgYDVR0R
-BBcwFYITc2VydmVyMi5leGFtcGxlLm5ldDANBgkqhkiG9w0BAQsFAAOBgQBivwX4
-EgnDGiBc5peorNumyRuk5OBSiftJoy+CvV7tOqs/hU64PJZri103eEr49cgt3FC+
-YcuZWVJtzb6x5XN2YtEvwZY2WdGEdo7H4v0AVGfevguvIqtTxoBc8ZyYtXEflIVD
-tavL2kS8jbk82eIIVn6S2FvR/PBhH4wW6NK3XQ==
+MIICjDCCAfWgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIx
+MTAxMTIzNDA0WhcNMzcxMjAxMTIzNDA0WjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4
+YW1wbGUubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJyy5Qho3LBb3L
+EbQZgsrtkPAqRXRhTME03lUdXHmtEkhGGe4zCrZ7RemAJADhR8aguhAebrVYno5e
+nZ+KS8CvE8z6eBJqQ5VhaKkb3JvCb5PyoWyXm3tMPufYtJ/1C13VT5cupGW4rJg0
+BEsRqlWl3qbfHmhgyDd1VWgLn6+X9wIDAQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5uZXQvMB4G
+A1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBsZS5uZXQwDQYJKoZIhvcNAQELBQADgYEA
+YfsNBKmjTjfIZw0vSzK7pq+ouXe9KAlCDZU/mgKMp0be6RYd9BRvAn4R2J452W2h
+AtBVl6vRqaqpMzsUIfwPe1lOb3at/ESz7CwtERTAfHPj6STDXLDyAF2Eg0B7xf1W
+9ag0Vwa1/6UPAALHQ5juuKAFsZSDVms2uz0x1oh9y+I=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCsZOv
-pjcv45hvkXmbkZLSoywwX94a3jFC993OxTL8ixpQ0KxY2bc8TLcOTA+p3hH0pi2N
-JwiiWVQjA9HXrf7s/RmytXFZiJ5sE/mtkBNCUjH2uoGz9x1uVuIwq2colRe7JdQ5
-aCnb3D77nFy9bOvE59sljCbjeU2NwI1LIaUgfQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-Xi2XyqKqdhCOdcNmhhaOaPc9M5/W/52Y4y8DNEveJdbn9ZOIjz7w2vnxJ8hhbJHF
-RDGz6jeTnYz7wIYwRxU6y8vUNtXbV+S6RcWL6Symek52O32tj+TTP99lSu/bC2+f
-7cNOqfsUzyMi4EagINLkPFT8p0ozjXeWu7/Cy17K75s=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwM1oX
+DTM4MDEwMTEyMzQwM1owNzEUMBIGA1UEChMLZXhhbXBsZS5uZXQxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBALMuDick/uNCkK8zWtdko5eynjJq0y8NVNlhSFkbwfjbxOQycuyMhMlYNnvs
+ESWZTV5ckpsvoDrFQLFk6ZB7RVYHUoOHNfANm8JWC9GR5zqbquibA/MMQ4h2Xlkz
+zQz12AzPpouZUyYs1+SjwlgfBRVhtxApDR2bPEDzI6s9VUdXAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5uZXQvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQDCXkPeCURjOJwCBgbLERuNghPiWLqHPopm1idM2A032jDgbRXD9/DP
+1xOPgSLEW59EiJac0RNae0D2KyhnG90NZLccXK0a9Uu1iaAmdcJ7s4a0x0ZH9Kza
+hqz0cr4oStUOHxG/AtPKuhZ9PkZ7GDSPDW0k/z64WYCm1fqSWkbVig==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.key b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.key
index dfce3c7c2..94275d88d 100644
--- a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.key
+++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.key
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: server2.example.net
-    localKeyID: 6A E8 46 7A BF C8 D0 A8 0B BF 99 5B 88 D4 21 1C F5 D1 29 B0 
+    localKeyID: D2 9B A9 F4 48 0F EB D4 1A CA 1B 29 7A 49 FB 09 0B AA 4D 02 
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI2ZqeNNhoV1ICAggA
-MBQGCCqGSIb3DQMHBAiVpXY5TfQEiQSCAoAiD60iC1798cMn9RFq3fpWITpKISb6
-VX9n+SrWrNe14JeDXFAm1xoqCJtL1hi8lbpNXXwtzSk+s4ZTIa+VCegKFZ26lVfG
-uTPT8ivNLHNq1vEGP0Kl/PJvJW7aNJP9R0fYnbtQwXNbvPGfWfGzL/6y/5toLp+d
-FNBZCda5bZ5UTLXCUX3mFq9+y7bz4NjcyryAjOQ+mhTewo6XSZR48FNyZmql47Ca
-hwtkfkRCd0AMZTJFUv5uYavjP+qgpv1JOoM6DQPacWdqG6Bc7wUL4rlXCipzQCkc
-rKOw73T5wYgrHLc7kNMbIxOGfYt+rBkNGjlQ/RoJ/NJgq9EPswY13AglDZRXnCtC
-yd7HXrllM2+3tAjmipC1kXX9+V/cqmt4SuLWnXstpF9wuu9N0/hJtxC1sg5kinMt
-2K4M4XRTby5x/9FMCebCRPGJnCSUbCyV9Jsc9IK/9M9N2r5VSVHCHkjNOMJdALBm
-1OqaxDOIOy5/CaCCUTxM6WHqQPEEIz5bPkt+Pgbg5zmdTGMnM8HbJogFu/Tiyihz
-zVDgnsv8cXMHp16ZfFULbuDf1RLdfYGaJVu94MNXnsLJtKQ96QVxaXCtC4ywpkPO
-DWVne+Svu5YtrangHhUILbbMtivj1zgJmfZ35Qo8RVhCeNsV57k0GutYnto+Vcde
-iR8j94i2cE/V9q/b12i4+aMS7gfvcxEVIYEz81L51cm/lOCxPmhwQcV/ozHrqA15
-U/FDFYMEvQBNOjiiTQZvzwd+FDidFR/szYGVQ8nNiMcPLvmeLgRHKgAi6PSyrPi4
-MVK3EFCdQC0Otb6uKDbsD8yRKKB47V2ky4gi7xSKN8j1muf1kG4WS372
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIB9bHTJXCqmUCAggA
+MBQGCCqGSIb3DQMHBAi6w8GSieGl9QSCAoAZsxqDNKfVkeE7n0BKx6DmbVE1ZpS2
+bnVSmvRxkevnEmevvplRPzpVEt2zHCQ3kBaUFk+SFf3dZVJ97veK94knyKhQ+mFQ
+QUpa2D840yDIJHeXyYc5zNo6oPOMHI4khd2B8Wmfaht1N+EUY+He4rpdYFX4KHhR
+HGxhnPwT5F48AaDZ8LyG92Q9onffGcMFXnO1GC/8zYvsff89K9udmMn749plYXRE
+ISZpF1e73Mn3Cr/rPk6YUX39K+pg8SqcKd2cT8VqOVnkw6EB4XxmfEsXX796Zif1
+qDxKtYguVbOzE3vJKQP2WM1nRh0rPttNyB3O3MyCF5R6h2Gyw7EtPvFUquGqbw94
+SAUOCFAUbP965xQfhMvXKAO30p2dJxqRFZp4hKsrnpx0AnxgaXKN2EvRLtzCSolS
+/nphNhLCqcZZmFQliL/TbHN4r9xdCpvqTnsByVFCWsdVVrW+ThgO69OAx7j+rVG0
+JC9kJzVnl6WAYA68DiyRVxr5L+2bTQq9ehBmkUT4RikU1X2cTNgc7DdbWp+/gna5
+9LfBfZ6NwDXssbQJLDlE7YTgfLU423q/fDtODDZgqg3dVqayOGqLOZfQD45wIqzW
+9owGO1Ncbtp2duYWIHYzAJIlrWuwkBHlqfk2AZcmId+T5y9cgGHaWeB/4OWScFgq
+8ZAo7USCv8TSCvJB+zKiOzvT+oMzYs7gWAZZVlpaBbeCbnNpDtp2ItvKe+ScCBtc
+dGwLbDGwt9rC3GkUF7+IsCgpq6xQjIa4NU0o42MqjQw5z3qkxnEgO36Iy6xu96JA
+I1qQ8aOqaEaFnhxDWh5TTUb0nortQn7KmEsPpdg1lhoV3Q3Y3DQfzZ1J
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.dated.resp
index fb4b91a9d..d3f0f45b3 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.good.resp
index 750f63c0e..475f38e03 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.req
index 3eb1b603f..b0f894083 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.req and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.revoked.resp
index 750f63c0e..475f38e03 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signer.dated.resp b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signer.dated.resp
index 5e422d6ae..9b8ca8936 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signer.dated.resp and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signer.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signer.good.resp b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signer.good.resp
index 51de6e670..a6cb1068c 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signer.good.resp and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signer.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signer.revoked.resp b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signer.revoked.resp
index 51de6e670..a6cb1068c 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signer.revoked.resp and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signer.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signernocert.dated.resp b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signernocert.dated.resp
index 6083eeb0d..d5f1d2bd4 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signernocert.dated.resp and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signernocert.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signernocert.good.resp b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signernocert.good.resp
index e81863f0d..56825b59a 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signernocert.good.resp and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signernocert.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signernocert.revoked.resp b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signernocert.revoked.resp
index e81863f0d..56825b59a 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signernocert.revoked.resp and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.signernocert.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.p12 b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.p12
index 4c4b6aced..21aa30fbe 100644
Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.p12 and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.pem b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.pem
index 0a92703ad..f0cfdc467 100644
--- a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.pem
+++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.pem
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: server2.example.net
-    localKeyID: 6A E8 46 7A BF C8 D0 A8 0B BF 99 5B 88 D4 21 1C F5 D1 29 B0 
+    localKeyID: D2 9B A9 F4 48 0F EB D4 1A CA 1B 29 7A 49 FB 09 0B AA 4D 02 
 subject=/CN=server2.example.net
-issuer=/O=example.net/CN=clica Signing Cert
+issuer=/O=example.net/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhh
-bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDNaFw0zNzEyMDExMjM0MDNaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
-ZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJlsgV5oLe2Grkp1uZAu
-FPgYedF8iBTxWxeMwDYrv02zlMGYVvNpqu0rYFw9Z5AMTUt8nCTVWlo17KkWUkfl
-1jLL4+5VYVcSmQkh8Th7N9hjwks5dgoGttXODEIraagU0Q00K+3iWkHaUkJL/jOh
-xEeDfO83QB3xZL9WOgyFM0xvAgMBAAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAG
-A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
-hiFodHRwOi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
-KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLm5ldC8wHgYDVR0R
-BBcwFYITc2VydmVyMi5leGFtcGxlLm5ldDANBgkqhkiG9w0BAQsFAAOBgQBivwX4
-EgnDGiBc5peorNumyRuk5OBSiftJoy+CvV7tOqs/hU64PJZri103eEr49cgt3FC+
-YcuZWVJtzb6x5XN2YtEvwZY2WdGEdo7H4v0AVGfevguvIqtTxoBc8ZyYtXEflIVD
-tavL2kS8jbk82eIIVn6S2FvR/PBhH4wW6NK3XQ==
+MIICjDCCAfWgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhh
+bXBsZS5uZXQxHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIx
+MTAxMTIzNDA0WhcNMzcxMjAxMTIzNDA0WjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4
+YW1wbGUubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJyy5Qho3LBb3L
+EbQZgsrtkPAqRXRhTME03lUdXHmtEkhGGe4zCrZ7RemAJADhR8aguhAebrVYno5e
+nZ+KS8CvE8z6eBJqQ5VhaKkb3JvCb5PyoWyXm3tMPufYtJ/1C13VT5cupGW4rJg0
+BEsRqlWl3qbfHmhgyDd1VWgLn6+X9wIDAQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5uZXQvMB4G
+A1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBsZS5uZXQwDQYJKoZIhvcNAQELBQADgYEA
+YfsNBKmjTjfIZw0vSzK7pq+ouXe9KAlCDZU/mgKMp0be6RYd9BRvAn4R2J452W2h
+AtBVl6vRqaqpMzsUIfwPe1lOb3at/ESz7CwtERTAfHPj6STDXLDyAF2Eg0B7xf1W
+9ag0Vwa1/6UPAALHQ5juuKAFsZSDVms2uz0x1oh9y+I=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.unlocked.key
index 5e8472b67..6a6b032fb 100644
--- a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.unlocked.key
+++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.unlocked.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQCZbIFeaC3thq5KdbmQLhT4GHnRfIgU8VsXjMA2K79Ns5TBmFbz
-aartK2BcPWeQDE1LfJwk1VpaNeypFlJH5dYyy+PuVWFXEpkJIfE4ezfYY8JLOXYK
-BrbVzgxCK2moFNENNCvt4lpB2lJCS/4zocRHg3zvN0Ad8WS/VjoMhTNMbwIDAQAB
-AoGAArP+s4MdDApLbSnAfeHR920MTbyRSTfXZbAn0syChQPyTaw5cUsd+n/BJYmP
-bDegmlaKXxEYk8OkynXc4pdnZrFk0nFGjWISvXWe0ONd651UP4BBuMPP/K+H980D
-mWEe5UK5kbem0d5v8+i1UVx2Kf6TRnm0mCysqiqU2zqEtsECQQDKFWJNUXOQPIaF
-DLbK4dl5njJSSh5IqwEplnrzngokN55xc2aZgcpUnB0kXMPQikoeron0gbcvVe/d
-vZKwOttFAkEAwluXGGVShUpJLyjT+elvtY1yXI3Waez5/xFrEJys20EboUfNXpoN
-Hm9E7zE8k9gwXuh42WqfO/WlEdR2bFYqIwJBAIQqRCZpNPmKfDgcPpil6UPfMO4c
-x32jSZlXb4ZRQDS7o4ZzgRC4kAmSKIUVnoOPTjaO1G7zP0lYHQ6a44sakzkCQQCQ
-XcgV7u0k5NEHnqQV9jdr++z+orypYcUwmZeVd0tOcUY8vkDmDDfCa5Qgt8nvZ55G
-YRejJ3ev6f77B34PatFRAkBd4mWCQ7joLRU4x9cTJnZVtk7ZS/9AvGm2Exiu89Z0
-yuRHeHU4uLKy4cww8xgQHEUDk+qZf/4yuhL+CzeQMepx
+MIICXQIBAAKBgQDJyy5Qho3LBb3LEbQZgsrtkPAqRXRhTME03lUdXHmtEkhGGe4z
+CrZ7RemAJADhR8aguhAebrVYno5enZ+KS8CvE8z6eBJqQ5VhaKkb3JvCb5PyoWyX
+m3tMPufYtJ/1C13VT5cupGW4rJg0BEsRqlWl3qbfHmhgyDd1VWgLn6+X9wIDAQAB
+AoGAXpuZ3TsYY2UPtJNaQtOlXHglgUwK4ktgEe9jLF7c1R3LMMKbgOa241jFvsQi
+fXxvTY+uWvZAo4nC6e0wjWAyt42LG7zyxeB6U20MA1IXhsOP0kDcC8grqcJ7f6dB
+o3xXm3AElUKbNQC6s2KGPL18VXUjwD4JGN75Q6brvVnKOCECQQDkOC3tQXXgjX21
+AfchkpajQwCKHsg5o6/YbiahGEQradrZIy8wBV/KvQm6l7k766wpTHJl9moXVieb
+e8oFGP4fAkEA4luEI6YW5yuEQkvf+fuu6dbBINU6cVxJHYd1XXz4XGtsbUm+1zQC
+VUCxxJRoWOA6URzbyK5LVynEgGOhdKp7KQJAVKeaMaXUieUyOhBukV+EzS6vZoyg
+jPDw64GAhsUvlEMB0QXCHTgBHn0cvMBHD7kN9YvL65KKK/njW0OB3n401QJBAKX/
+URdHjRI4YoSv2fAcd3h7CiSG2pYZhHEITrShmg1Epj47T53IQVG94N/1qdRLk9i6
+Hh+8Wfnw4m75IYVKJIkCQQDdEuPXVKYWrzEkgmM1+gGjjGRrBgrrMQ39hza+jq7C
+vYZM+Ulld9tBSaCmn3g3BYw+RNGGgxb46IZCS25RWQKW
 -----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/CA.pem b/test/aux-fixed/exim-ca/example.org/BLANK/CA.pem
index df582786b..5336e837a 100644
--- a/test/aux-fixed/exim-ca/example.org/BLANK/CA.pem
+++ b/test/aux-fixed/exim-ca/example.org/BLANK/CA.pem
@@ -1,13 +1,13 @@
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKKaWSv0duLwJQQ6t18l
-yWSGmELgaflSPTidcPii6YYskJAQjnHH13P63PUwXj68knq9JdgeXwZLWszq04Uk
-esjSLJ/e9eIE+Uk9Y2zaes0vTiOIMnYe9u4S6VUNYBO6S+zX89+CHBicNr9tnEEd
-FAw56VTBKtMDA2oPWi5BQ+8/AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBAKGed/hvquJ9QctYRyCB
-uIYN1ogbfRj2bSYvKMrSvuW8bVyYAR0C8jj8LA9IEK33EZKBz+D0RHV7s13Cnom9
-tHjIX1ncfl5vPR/Hus0ZKqwauvSauo7hkWRO7isuUzmNBp7YjgLSPr2QYptlpBS5
-U9+lNhpF9AUWEAAo3FqHgShh
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowLTEUMBIGA1UEChMLZXhhbXBsZS5vcmcxFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsOI8xlyV
+2kpju6cf0E8/c0QwaOBvUGzkTdCau/DyQrwFPToVpVW8mzDQUOnoUXLl92EJa4Td
+a4uN/uyiyTcjUQWrlZKdFn9HaLB7+rLUox6fZF06jsWgC0Qfr3HHWsrMINn6bucC
+9/eZag5ADPyO5XYnCW4pIFnuFVQ+w3Qr060CAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEALAPJGCfj
+ldkldb3pxmUf8V2luI38AVKNZokjATe3tyv7ikhb2g20BRi92fMHOqfAMUfoJKAu
+lT5vLep0SUETmAXdr3+WfFeZu2KZ9t5lhxyUGnHhxDc3k8TzobZSpFS9+ZnR/4GY
+TwGhx36iRUIFRZ/PUQrkRniedLSkO+H+Xko=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/Signer.pem b/test/aux-fixed/exim-ca/example.org/BLANK/Signer.pem
index ad4e9f4db..0939297fe 100644
--- a/test/aux-fixed/exim-ca/example.org/BLANK/Signer.pem
+++ b/test/aux-fixed/exim-ca/example.org/BLANK/Signer.pem
@@ -1,14 +1,14 @@
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI0peZ
-vtd+Oo8OMPy/EIlcNiVSJQ6zb5awuAcPjb5gUE3dZ1+7PiB4BlLhT1wbUJiqC3s6
-Uo2jzzNScWmwIbMTwckUIjS6Q+3khgZHWh2uBAX9j9OrMaJ6DjtyjWitDXMUcrns
-tvQs4TMoFkvBvH94gsYtnbTC5DCmKKLRkWwQhQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-eqMhcknWmbpCS7ail+FEhRpiLgZU05d7jdf3yQLu1EmMS/fdDvY8R8G17FDcCoLQ
-mSgIvn73UqTgmDgErGZgZ2LqcgioBo7fgxS2knxFKIi/WlKHpiqOkSYtqtacIUnk
-1NkPYWjBwP3bUYauHu7EcTTHO6iWd0doLrMJvGUtm9c=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowNzEUMBIGA1UEChMLZXhhbXBsZS5vcmcxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAJXe07nxVSZPJ3rVBHQp+m5gWb5/JkzXwcWKEvcmMnJzo2ydVfHBBRmTpzpS
+ST3js2awNbhEdOU7AeBtAvyOtwlT/yp6SHhOlI8PlgLwL9/xedeC0Ex412VOeaV/
+LRbvj0j+WutuglAFXfD5IlwnRoDUB1Q51JFtYZxlxvOqbLb9AgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQCf9uWkJrIlu9DvKwiiRj6/vMFydd9kLq11COjAovfD6+VbRLeX1lpC
+XpHDhUlrAKOV/5Virl+iXao5YnfnCm1oud0jRGcG8x1JPqUKW3REch4vR0wkjaBS
+5eI7DiydPL1yts588Z6gLjHZBaR0cuXS4e1k9rcXuBC9tZjv7rYskQ==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/cert8.db b/test/aux-fixed/exim-ca/example.org/BLANK/cert8.db
index e93ba1bfc..85733eb3c 100644
Binary files a/test/aux-fixed/exim-ca/example.org/BLANK/cert8.db and b/test/aux-fixed/exim-ca/example.org/BLANK/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/key3.db b/test/aux-fixed/exim-ca/example.org/BLANK/key3.db
index c283f5f74..9211ef024 100644
Binary files a/test/aux-fixed/exim-ca/example.org/BLANK/key3.db and b/test/aux-fixed/exim-ca/example.org/BLANK/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/CA/CA.pem b/test/aux-fixed/exim-ca/example.org/CA/CA.pem
index df582786b..5336e837a 100644
--- a/test/aux-fixed/exim-ca/example.org/CA/CA.pem
+++ b/test/aux-fixed/exim-ca/example.org/CA/CA.pem
@@ -1,13 +1,13 @@
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKKaWSv0duLwJQQ6t18l
-yWSGmELgaflSPTidcPii6YYskJAQjnHH13P63PUwXj68knq9JdgeXwZLWszq04Uk
-esjSLJ/e9eIE+Uk9Y2zaes0vTiOIMnYe9u4S6VUNYBO6S+zX89+CHBicNr9tnEEd
-FAw56VTBKtMDA2oPWi5BQ+8/AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBAKGed/hvquJ9QctYRyCB
-uIYN1ogbfRj2bSYvKMrSvuW8bVyYAR0C8jj8LA9IEK33EZKBz+D0RHV7s13Cnom9
-tHjIX1ncfl5vPR/Hus0ZKqwauvSauo7hkWRO7isuUzmNBp7YjgLSPr2QYptlpBS5
-U9+lNhpF9AUWEAAo3FqHgShh
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowLTEUMBIGA1UEChMLZXhhbXBsZS5vcmcxFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsOI8xlyV
+2kpju6cf0E8/c0QwaOBvUGzkTdCau/DyQrwFPToVpVW8mzDQUOnoUXLl92EJa4Td
+a4uN/uyiyTcjUQWrlZKdFn9HaLB7+rLUox6fZF06jsWgC0Qfr3HHWsrMINn6bucC
+9/eZag5ADPyO5XYnCW4pIFnuFVQ+w3Qr060CAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEALAPJGCfj
+ldkldb3pxmUf8V2luI38AVKNZokjATe3tyv7ikhb2g20BRi92fMHOqfAMUfoJKAu
+lT5vLep0SUETmAXdr3+WfFeZu2KZ9t5lhxyUGnHhxDc3k8TzobZSpFS9+ZnR/4GY
+TwGhx36iRUIFRZ/PUQrkRniedLSkO+H+Xko=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/CA/OCSP.key b/test/aux-fixed/exim-ca/example.org/CA/OCSP.key
index ce5c4d450..e36360781 100644
--- a/test/aux-fixed/exim-ca/example.org/CA/OCSP.key
+++ b/test/aux-fixed/exim-ca/example.org/CA/OCSP.key
@@ -1,20 +1,20 @@
 Bag Attributes
-    friendlyName: OCSP Signer
-    localKeyID: 46 CA 70 9F 5E 12 ED DE C8 E5 3C 49 74 8F 24 5E E6 2A 3F C4 
+    friendlyName: OCSP Signer rsa
+    localKeyID: 40 A2 82 95 E6 C7 D6 28 0E 8F 21 64 5E DA 33 D4 7A 73 03 83 
 Key Attributes: <No Attributes>
 -----BEGIN PRIVATE KEY-----
-MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMvqTqy7scJ4os3C
-niym37cs2tEu4h1QQUPTb9KoZZwnnZzaiYb8jrx6PSCDAQK1IRCtTFi9vtSZWHlg
-B25y2Ul296C9ME/ajj9k4c/47oAypdbYzfagIblPzL47/AyAG94Fk//mAIfxWrBa
-MH8CyWh9vtnpih132yhg48wPMOZFAgMBAAECgYABNEIArR8QmevEMUkD1HxvtXkZ
-USCOscGg5+e6I7pt4KICohu7y1QAcuxXe86OuIkYcx2HTJ+K29j05odEtLLpxHIy
-J/rFhAD4D/cenUzAJG8LdN2AHCtLdzSwL5e9W9Fed7lO/hwzNWwxGTtYuf2qEo3r
-2MKsYt1FLw6qZsyIhQJBAOg9dmeo4SEaeFddg5WFdmsaYk604Mmp0yPfKOKybGzp
-mutxVf9wEbJ0wpoPxiKQIf9qdFBH2si/hcyxpwEavIMCQQDgxv84eI1NTrCa9Qf5
-/ZU72EL8kNU6v5UjOg7g8a2Y/8yh5AJDtUt/dcppLVF1dsC53mKAcHfo4rbeYiFw
-sWeXAkEAk+Be/o5YG34BVo/i81gyGOyJ4FfoMkCCgvrby82UoJz22igmfCnd+uXB
-69tTbDqei0Y7ncrDEsRw6+/KyTc/BQJAOFkKb/Cgk4mvchkM99lfCNKM8F2qZoDS
-dTM/uZo8R4eQl+DdxHV1SK2RoU4wBn9Pjwi1rrcDCEmVSChXc7W1XwJAJ9Dw+hxl
-YgQoz5SSsK+oLai8eKqKp03AH0xeqZGZS1uEkEaPRDVhsx36b6UTZVDnzmEnP73e
-0E2TXBv9glr6pg==
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALiViJBUHorb4RG/
+jrgpS3iOJlZ6ayVLd8IL+YslLSO4a5acRCSepJfkTrik3nzLe/ZXWz3VfbUd0AJr
+WDCL7rtYx0LsxiqZ1WVBGziil5wU7egskcXBpDVjGFBnYXqqRDrTDIvAvf5kCY8i
+JnI4YnAZTOI4mL1qYsGXtIAy6rjhAgMBAAECgYAIqGrpaiislret33BQTw+NLg26
+TK+t5iZN4cXosuu1Gzdgrx+7H/3Uag8PNhyBegHsghhzhAoLbsSM+IAAdu/RoWf7
+r1DaNji7IG+UX2xOtaGhyokF//pD2KDNc1cAFYQNTZUzoA9W9PNKr6SdCDjzQs3Z
+3IBF5S42MtZqwTOjKQJBAN9gHu646DjhsRX7eFvSa043wx5+choccbxA7Meq8yn3
+ss2b/qPYUTq5ih2TrIjnYXVQ7RHQHotZPB7K0KOcDmsCQQDTiwa8jLc2kVJ32TrH
+oTPyJ552Rep5Cdxk/zClLAA2gJiKekcNqPbsKj28gw88Dqu5tfKfsZpAzEeXgh7a
+OdDjAkEAkkm4+E5QhzAHcYYHBNuBOvB58HaO81q9gbRjXUAvj8SQbOdElLkOOY9Z
+TJVx4RbnVJVzLL9HwarnHKNmkD+bkQJAApKVQWPAsqQvyY9VvKnENPSwY6XUBSbO
+jFfiIpAXbJJByKVWCd99KUAWQh2h6MwQ4JBK5BBH3PPfBwOpFmRPmwJAP0qZl67D
+TCFly6SwuTmElJd2q9sVEXMNp6fp30MZlzndIY9jv9qu3EWVNYDAtbTkorTnF/Pw
+SMafmDVqhKEEjw==
 -----END PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/CA/OCSP.p12 b/test/aux-fixed/exim-ca/example.org/CA/OCSP.p12
index fbda1a4bd..fac3ec48e 100644
Binary files a/test/aux-fixed/exim-ca/example.org/CA/OCSP.p12 and b/test/aux-fixed/exim-ca/example.org/CA/OCSP.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/CA/OCSP.pem b/test/aux-fixed/exim-ca/example.org/CA/OCSP.pem
index 65549aa96..32d446240 100644
--- a/test/aux-fixed/exim-ca/example.org/CA/OCSP.pem
+++ b/test/aux-fixed/exim-ca/example.org/CA/OCSP.pem
@@ -1,13 +1,14 @@
 -----BEGIN CERTIFICATE-----
-MIICBTCCAW6gAwIBAgIBAzANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMloXDTM4MDEwMTEyMzQwMlowMjEUMBIGA1UEChMLZXhhbXBsZS5vcmcxGjAY
-BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
-iQKBgQDL6k6su7HCeKLNwp4spt+3LNrRLuIdUEFD02/SqGWcJ52c2omG/I68ej0g
-gwECtSEQrUxYvb7UmVh5YAductlJdvegvTBP2o4/ZOHP+O6AMqXW2M32oCG5T8y+
-O/wMgBveBZP/5gCH8VqwWjB/Aslofb7Z6Yodd9soYOPMDzDmRQIDAQABoyowKDAO
-BgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcN
-AQELBQADgYEADdWWEn+mEAo9wST4LfuXNT4gVs7xKDvGarvDmFHEQo+vK4MdBz/l
-kdDlN2gSJmKkJz/gDLTAA2pnJc/28fM/n/WLIcn2xW5QyMPJkpbLETRMQz7Dy0NH
-ZEJ/GefzAfetO9kPTYckCWxANRfOkBEs0Bq+me6khDH2ckLaNBMi+A0=
+MIICDTCCAXagAwIBAgIBAzANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDJaFw0zODAxMDExMjM0MDJaMDYxFDASBgNVBAoTC2V4YW1wbGUub3Jn
+MR4wHAYDVQQDExVjbGljYSBPQ1NQIFNpZ25lciByc2EwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBALiViJBUHorb4RG/jrgpS3iOJlZ6ayVLd8IL+YslLSO4a5ac
+RCSepJfkTrik3nzLe/ZXWz3VfbUd0AJrWDCL7rtYx0LsxiqZ1WVBGziil5wU7egs
+kcXBpDVjGFBnYXqqRDrTDIvAvf5kCY8iJnI4YnAZTOI4mL1qYsGXtIAy6rjhAgMB
+AAGjKjAoMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCTAN
+BgkqhkiG9w0BAQsFAAOBgQBJRBZ/AnWUjALF5lLFmikzKRZ/HYBL9NhNAFqiXfe5
+bJSUaPZQARdnAy/o7g01pSM4sDLQvvlkzntzxJTduXd0JvBcNKylexSg50hOSp1M
+XxFuJLAnP2b3N6qhAvGvwEgI/fwUK9jYKRYBbJnGWxJophW6uFaAYQnctSeqrew0
+/g==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/CA/Signer.key b/test/aux-fixed/exim-ca/example.org/CA/Signer.key
index 17c1099b2..45a71f094 100644
--- a/test/aux-fixed/exim-ca/example.org/CA/Signer.key
+++ b/test/aux-fixed/exim-ca/example.org/CA/Signer.key
@@ -1,20 +1,20 @@
 Bag Attributes
-    friendlyName: Signing Cert
-    localKeyID: 2C 93 44 07 DE 13 D0 4A 78 2F 06 D4 27 89 FB 9E 82 64 50 E8 
+    friendlyName: Signing Cert rsa
+    localKeyID: 57 22 42 CA 16 F3 3D D7 FE 71 12 9C 02 B5 FE A6 36 46 4F BC 
 Key Attributes: <No Attributes>
 -----BEGIN PRIVATE KEY-----
-MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMjSl5m+1346jw4w
-/L8QiVw2JVIlDrNvlrC4Bw+NvmBQTd1nX7s+IHgGUuFPXBtQmKoLezpSjaPPM1Jx
-abAhsxPByRQiNLpD7eSGBkdaHa4EBf2P06sxonoOO3KNaK0NcxRyuey29CzhMygW
-S8G8f3iCxi2dtMLkMKYootGRbBCFAgMBAAECgYAFJkVF53teHMFLU10/xvxGtYq6
-cwHP/xYFnQptTyypCpYcjciKJBswCLV6Wo8ZkjT/80BrK+++2hLOU+MqZYrSdLqH
-W2P3vBlaAhssaGu4dxa/X6og2fKrsn6Q9JBPNL4hvHNbUkQNCz7YAKgKdVaBbp98
-cRrWqV2Oz0inGl+k5wJBAO5zEhZIzKUUJZYdwP8q605+lTGua6hW1zf/OgvYaJxu
-V4KS8t4RGyK69ELp7fsGeZoXpgH+CZyYYcm9Z7ltvY8CQQDXmovFMDtNL36U7661
-uIJz1wI9eB3ISGo4EhuK5FDF0Wd3G4JlvZ+s99JoNRlkP60pSNX4mIVNWaFlTMpY
-JW6rAkAAyEHb7ts1A27oIira63IgLMwigJb702UbWuv+0/Pr53TECeVgEyBKqeBZ
-Q9kzBJ9rgP5bbVDswZc4iTWI5zJDAkAajHdFksjamkyV/mWfDtdReFpYQ2A3d2NN
-AD3P/olLsptw+Tw3VwBAhkusdU1pIMYr3UIr2GwhuDW9iZUpAYL9AkEA3QUuCDHa
-nUNJ7095aeaFIsRcKS8GDAiQS9+RMOadhvH9cWButRuoLEAZxxGkcnL1Pby3lGa/
-cLQpsTMExg5Log==
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAJXe07nxVSZPJ3rV
+BHQp+m5gWb5/JkzXwcWKEvcmMnJzo2ydVfHBBRmTpzpSST3js2awNbhEdOU7AeBt
+AvyOtwlT/yp6SHhOlI8PlgLwL9/xedeC0Ex412VOeaV/LRbvj0j+WutuglAFXfD5
+IlwnRoDUB1Q51JFtYZxlxvOqbLb9AgMBAAECgYAfeOAoe5QAi/3D7yjUxh33gNdH
+yEbAO0zPUVwDN6u/WiZXAEFUl86c3ONwvWfxDbiWV2mojQOpQbd2rB3E8KliA0/Z
+d2hi8jMNXCX0IHwgwo/rCNIQ86TeiyN/6gWUKIjH/+/ll0lgfma0Noe+Sab3Q1R5
+RS7TP+OauhdKWfJshwJBAMe0Cv3BXdbMsaUI+D5o/HvlVjmEsBhHBNldStRcuka9
+F+Tft59eTdXfl3RZxbtywctCbjEzaeqDu0JWYU+SLjsCQQDAHoCuvp8hbKJFDeM+
+BpfjWikL9xAhBn3KoRnlr+PcVqHY2mJyy5UJkjkXodEN6fUtU1YAS1tzhfx867tW
+oEQnAkBm/3P/xqBobbBdpw+p2KoIGJNtHQNZsh9NIHG8r4qfe118fOoOtyu72BMc
+PkTeVeSfucZtd8/z1TdakoSj7ogLAkEAljbDUt5EufOgpPGI3jR1ihQyx+IzQD89
+F7QC9a4jMWKjRVTraOp463TjIvEo7gIh64CfW7eQF7GJi3sdjUvePQJAWyeVm67R
+OGIjTsTgut0/fviuEB1nWtXg5sh8LsEymg1jVOxKMc8oN8TFOAGBVplHOjMUhxZI
+ngDQZEDpSs5+9A==
 -----END PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/CA/Signer.p12 b/test/aux-fixed/exim-ca/example.org/CA/Signer.p12
index 52bd39fc4..37f7f7e79 100644
Binary files a/test/aux-fixed/exim-ca/example.org/CA/Signer.p12 and b/test/aux-fixed/exim-ca/example.org/CA/Signer.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/CA/Signer.pem b/test/aux-fixed/exim-ca/example.org/CA/Signer.pem
index ad4e9f4db..0939297fe 100644
--- a/test/aux-fixed/exim-ca/example.org/CA/Signer.pem
+++ b/test/aux-fixed/exim-ca/example.org/CA/Signer.pem
@@ -1,14 +1,14 @@
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI0peZ
-vtd+Oo8OMPy/EIlcNiVSJQ6zb5awuAcPjb5gUE3dZ1+7PiB4BlLhT1wbUJiqC3s6
-Uo2jzzNScWmwIbMTwckUIjS6Q+3khgZHWh2uBAX9j9OrMaJ6DjtyjWitDXMUcrns
-tvQs4TMoFkvBvH94gsYtnbTC5DCmKKLRkWwQhQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-eqMhcknWmbpCS7ail+FEhRpiLgZU05d7jdf3yQLu1EmMS/fdDvY8R8G17FDcCoLQ
-mSgIvn73UqTgmDgErGZgZ2LqcgioBo7fgxS2knxFKIi/WlKHpiqOkSYtqtacIUnk
-1NkPYWjBwP3bUYauHu7EcTTHO6iWd0doLrMJvGUtm9c=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowNzEUMBIGA1UEChMLZXhhbXBsZS5vcmcxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAJXe07nxVSZPJ3rVBHQp+m5gWb5/JkzXwcWKEvcmMnJzo2ydVfHBBRmTpzpS
+ST3js2awNbhEdOU7AeBtAvyOtwlT/yp6SHhOlI8PlgLwL9/xedeC0Ex412VOeaV/
+LRbvj0j+WutuglAFXfD5IlwnRoDUB1Q51JFtYZxlxvOqbLb9AgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQCf9uWkJrIlu9DvKwiiRj6/vMFydd9kLq11COjAovfD6+VbRLeX1lpC
+XpHDhUlrAKOV/5Virl+iXao5YnfnCm1oud0jRGcG8x1JPqUKW3REch4vR0wkjaBS
+5eI7DiydPL1yts588Z6gLjHZBaR0cuXS4e1k9rcXuBC9tZjv7rYskQ==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/CA/ca.conf b/test/aux-fixed/exim-ca/example.org/CA/ca.conf
index cfc13019c..84a452b99 100644
--- a/test/aux-fixed/exim-ca/example.org/CA/ca.conf
+++ b/test/aux-fixed/exim-ca/example.org/CA/ca.conf
@@ -2,18 +2,17 @@
 ; Thu Nov  1 12:34:02 2012
 
 [CLICA]
+ocsp_signer=OCSP Signer rsa
+signer=Signing Cert rsa
 sighash=SHA256
-signer=Signing Cert
-level=1
-ocsp_url=http://oscp.example.org/
-crl_signer=Signing Cert
-ocsp_signer=OCSP Signer
 crl_url=http://crl.example.org/latest.crl
+ocsp_url=http://oscp.example.org/
+level=1
 
 [CA]
-name=Certificate Authority
-subject=clica CA
-bits=1024
 org=example.org
+bits=1024
+subject=clica CA
+name=Certificate Authority rsa
 
 
diff --git a/test/aux-fixed/exim-ca/example.org/CA/cert8.db b/test/aux-fixed/exim-ca/example.org/CA/cert8.db
index ce972c62b..0df961e63 100644
Binary files a/test/aux-fixed/exim-ca/example.org/CA/cert8.db and b/test/aux-fixed/exim-ca/example.org/CA/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.empty b/test/aux-fixed/exim-ca/example.org/CA/crl.empty
index fe8f07b90..96d946c0a 100644
Binary files a/test/aux-fixed/exim-ca/example.org/CA/crl.empty and b/test/aux-fixed/exim-ca/example.org/CA/crl.empty differ
diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.empty.in.txt b/test/aux-fixed/exim-ca/example.org/CA/crl.empty.in.txt
index 94f20b071..5c3cda501 100644
--- a/test/aux-fixed/exim-ca/example.org/CA/crl.empty.in.txt
+++ b/test/aux-fixed/exim-ca/example.org/CA/crl.empty.in.txt
@@ -1 +1 @@
-update=20170131185506Z 
+update=20171105161901Z 
diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.empty.pem b/test/aux-fixed/exim-ca/example.org/CA/crl.empty.pem
index 4f821e838..efa2cc268 100644
--- a/test/aux-fixed/exim-ca/example.org/CA/crl.empty.pem
+++ b/test/aux-fixed/exim-ca/example.org/CA/crl.empty.pem
@@ -1,7 +1,8 @@
 -----BEGIN X509 CRL-----
-MIHtMFgCAQEwDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5vcmcx
-GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxNzAxMzExODU1MDZaMA0G
-CSqGSIb3DQEBCwUAA4GBADLD6OroW8EWuq29VZY20bC+GRrfYYQVr6bnlFBeXci4
-9OeBuLSiuil3JJ6+dxudnY5EiuR5n0xCbrtXZl0Vo5vOG5715rHZJa1qClmuN/lg
-/1qEhrv07xM0Nr1KAolfY/AbCG/qfJQqYjfGE4PhYHoWCkorediQEZcCZttWNa1X
+MIHxMFwCAQEwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhhbXBsZS5vcmcx
+HzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EYDzIwMTcxMTA1MTYxOTAx
+WjANBgkqhkiG9w0BAQsFAAOBgQA8uBZdwLbNPmVSCrUO9zYyV1CW5pY/2qUKN0/A
+iJWf9MZj7dqGZ3itIG/APWCscJA4pEwPiV7sZEm6SzhLDfddEmcmfuu88etso945
+JXG/MC5SVf1RCih5e39Dp13PYwuDVbbGsrhc/K8GW4cZX7GUEa2Ce9O53TIfgP+D
+717JDQ==
 -----END X509 CRL-----
diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.v2 b/test/aux-fixed/exim-ca/example.org/CA/crl.v2
index 8bebdc182..b83c8b71a 100644
Binary files a/test/aux-fixed/exim-ca/example.org/CA/crl.v2 and b/test/aux-fixed/exim-ca/example.org/CA/crl.v2 differ
diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.v2.in.txt b/test/aux-fixed/exim-ca/example.org/CA/crl.v2.in.txt
index 8384c35bd..20311aa93 100644
--- a/test/aux-fixed/exim-ca/example.org/CA/crl.v2.in.txt
+++ b/test/aux-fixed/exim-ca/example.org/CA/crl.v2.in.txt
@@ -1,3 +1,3 @@
-update=20170131185508Z 
-addcert 102 20170131185508Z
-addcert 202 20170131185508Z
+update=20171105161903Z 
+addcert 102 20171105161903Z
+addcert 202 20171105161903Z
diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.v2.pem b/test/aux-fixed/exim-ca/example.org/CA/crl.v2.pem
index 921dcbe94..ab3ec93af 100644
--- a/test/aux-fixed/exim-ca/example.org/CA/crl.v2.pem
+++ b/test/aux-fixed/exim-ca/example.org/CA/crl.v2.pem
@@ -1,9 +1,9 @@
 -----BEGIN X509 CRL-----
-MIIBHTCBhwIBATANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFtcGxlLm9y
-ZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0GA8yMDE3MDEzMTE4NTUwOFow
-LTAUAgFmGA8yMDE3MDEzMTE4NTUwOFowFQICAMoYDzIwMTcwMTMxMTg1NTA4WjAN
-BgkqhkiG9w0BAQsFAAOBgQAJBbIgdSCMTdcUL0399zEfbd5c12WOIo+emgVrfNsr
-23prPL1ZoPm8l+49oPX+QEamoupbYNwAAKZ+pB1geKL/h7fOidLHunsee8Fh7D/L
-KTxHFe93JZzHl5+xiQM8WRGnsWrRVVebmcktKHG2oGglzY3e1m1xZrIJ6eXmzPXM
-zw==
+MIIBITCBiwIBATANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFtcGxlLm9y
+ZzEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYRgPMjAxNzExMDUxNjE5
+MDNaMC0wFAIBZhgPMjAxNzExMDUxNjE5MDNaMBUCAgDKGA8yMDE3MTEwNTE2MTkw
+M1owDQYJKoZIhvcNAQELBQADgYEAYXKPoFWC81FyBxDjPGFfHqAtAJT2fSiPFUWj
+Cqx2UVGi1xTbaFLGH48bdSgkAl5E6LK9fWRSlBXxSGJjOuB6LMs/WvNDdb+SPZd+
+vggXSPh4pOrWuImMczoyb1MCBvLcLrdA3/A/Z/U/sep6GKIj8llUuSxM9kjjokPy
+XIyXQwk=
 -----END X509 CRL-----
diff --git a/test/aux-fixed/exim-ca/example.org/CA/key3.db b/test/aux-fixed/exim-ca/example.org/CA/key3.db
index 1da610737..7e3d6b685 100644
Binary files a/test/aux-fixed/exim-ca/example.org/CA/key3.db and b/test/aux-fixed/exim-ca/example.org/CA/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/CA/noise.file b/test/aux-fixed/exim-ca/example.org/CA/noise.file
index f8678deb1..ffe9102b5 100644
--- a/test/aux-fixed/exim-ca/example.org/CA/noise.file
+++ b/test/aux-fixed/exim-ca/example.org/CA/noise.file
@@ -4,7 +4,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -17,7 +17,7 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
 bogomips	: 5424.00
 clflush size	: 64
@@ -31,7 +31,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -44,9 +44,9 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5427.15
+bogomips	: 5431.34
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
@@ -58,7 +58,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -71,9 +71,9 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5427.09
+bogomips	: 5431.79
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
@@ -85,7 +85,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -98,9 +98,9 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5427.13
+bogomips	: 5431.63
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
@@ -112,7 +112,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -125,9 +125,9 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5428.40
+bogomips	: 5434.63
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
@@ -139,7 +139,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -152,9 +152,9 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5428.13
+bogomips	: 5432.00
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
@@ -166,8 +166,8 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
-cpu MHz		: 2700.164
+microcode	: 0xba
+cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
 siblings	: 8
@@ -179,9 +179,9 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5427.27
+bogomips	: 5431.94
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
@@ -193,7 +193,7 @@ cpu family	: 6
 model		: 94
 model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
 stepping	: 3
-microcode	: 0x9e
+microcode	: 0xba
 cpu MHz		: 2700.000
 cache size	: 8192 KB
 physical id	: 0
@@ -206,87 +206,87 @@ fpu		: yes
 fpu_exception	: yes
 cpuid level	: 22
 wp		: yes
-flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
 bugs		:
-bogomips	: 5427.26
+bogomips	: 5431.94
 clflush size	: 64
 cache_alignment	: 64
 address sizes	: 39 bits physical, 48 bits virtual
 power management:
 
             CPU0       CPU1       CPU2       CPU3       CPU4       CPU5       CPU6       CPU7       
-   0:         52          0          0          0          0          0          0          0  IR-IO-APIC    2-edge      timer
-   1:         16        459         44         16         71         52         37         18  IR-IO-APIC    1-edge      i8042
-   8:          0          0          0          1          0          0          0          0  IR-IO-APIC    8-edge      rtc0
-   9:         89        154         83        105        355        114        136         53  IR-IO-APIC    9-fasteoi   acpi
-  12:        201      49438       1213       1262       5483       1423       1806        952  IR-IO-APIC   12-edge      i8042
+   0:         70          0          0          0          0          0          0          0  IR-IO-APIC    2-edge      timer
+   1:         39      16476       1416       1089       6857       1983       1674       1959  IR-IO-APIC    1-edge      i8042
+   8:          0          0          1          0          0          0          0          0  IR-IO-APIC    8-edge      rtc0
+   9:        284       4834       2265       1628       7027       2758       1632       1695  IR-IO-APIC    9-fasteoi   acpi
+  12:        273    1626151      37392      40715     288530      39254      36081      51183  IR-IO-APIC   12-edge      i8042
   16:          1          0          0          0          0          0          0          0  IR-IO-APIC   16-fasteoi   i801_smbus
-  19:          5          3          2          0          8          2          2          2  IR-IO-APIC   19-fasteoi 
  120:          0          0          0          0          0          0          0          0  DMAR-MSI    0-edge      dmar0
  121:          0          0          0          0          0          0          0          0  DMAR-MSI    1-edge      dmar1
- 124:       7929       1965       1951      91801       6129       4099       2324       2579  IR-PCI-MSI 376832-edge      ahci[0000:00:17.0]
- 125:        219         13          6         32         12          8          6         22  IR-PCI-MSI 327680-edge      xhci_hcd
- 126:         97         12         17         44         16          8          5          2  IR-PCI-MSI 2097152-edge      rtsx_pci
- 127:          0          0         88          0         58          0         61         36  IR-PCI-MSI 520192-edge      enp0s31f6
- 128:          0          0          0          2          2          0          1          8  IR-PCI-MSI 1048576-edge    
- 129:        725         32        125        185      13085        451       7136        254  IR-PCI-MSI 32768-edge      i915
- 130:         23          9          7          0         11          0          1          0  IR-PCI-MSI 360448-edge      mei_me
- 131:         21          6          4          2          7          4          3          0  IR-PCI-MSI 1572864-edge      iwlwifi
- 132:        713          0         63         42        106         45        129        120  IR-PCI-MSI 514048-edge      snd_hda_intel:card0
- NMI:          2          1          1          1          2          4          1          1   Non-maskable interrupts
- LOC:      33466      27621      28699      27181      44170      60850      27384      32510   Local timer interrupts
+ 122:       7136       3040       2312       1908       4546       3822      75927       2347  IR-PCI-MSI 376832-edge      ahci[0000:00:17.0]
+ 123:         22          7          1          0          7          3          4          1  IR-PCI-MSI 327680-edge      xhci_hcd
+ 124:         89         19         22         25         79         55         27         54  IR-PCI-MSI 2097152-edge      rtsx_pci
+ 125:         88         15     127557         11         48         25         19         21  IR-PCI-MSI 520192-edge      enp0s31f6
+ 126:          1          1          1          0          3          1          3          6  IR-PCI-MSI 1048576-edge    
+ 127:        561        174         98     789036        240        230        184        147  IR-PCI-MSI 32768-edge      i915
+ 128:         34         14          0          0          1          0          0          0  IR-PCI-MSI 360448-edge      mei_me
+ 129:         22         10          0          1         10          0          0          0  IR-PCI-MSI 1572864-edge      iwlwifi
+ 130:         92        103         30         22        194        115         10         45  IR-PCI-MSI 514048-edge      snd_hda_intel:card0
+ NMI:          9         12          9         14         10          9          9         10   Non-maskable interrupts
+ LOC:     567091     554090     726169    1033887     583159     591752     623530     548535   Local timer interrupts
  SPU:          0          0          0          0          0          0          0          0   Spurious interrupts
- PMI:          2          1          1          1          2          4          1          1   Performance monitoring interrupts
- IWI:          4          0          0          2          0          0          1          1   IRQ work interrupts
+ PMI:          9         12          9         14         10          9          9         10   Performance monitoring interrupts
+ IWI:          0          1          0          0          0          0          2          0   IRQ work interrupts
  RTR:          7          0          0          0          0          0          0          0   APIC ICR read retries
- RES:       9981       4165       2812       2504       2970       1497       2331       2607   Rescheduling interrupts
- CAL:      51614      26930      27696      38549      30005      38583      36536      38830   Function call interrupts
- TLB:      44868      21971      22151      33281      24454      32863      30173      34882   TLB shootdowns
+ RES:      85537      31040      11902       8295       7457       6904       6399       5894   Rescheduling interrupts
+ CAL:      73161      74171      68751      70654      80168      75208      61391      70903   Function call interrupts
+ TLB:      55150      56119      50377      53791      62195      57072      43366      55765   TLB shootdowns
  TRM:          0          0          0          0          0          0          0          0   Thermal event interrupts
  THR:          0          0          0          0          0          0          0          0   Threshold APIC interrupts
  DFR:          0          0          0          0          0          0          0          0   Deferred Error APIC interrupts
  MCE:          0          0          0          0          0          0          0          0   Machine check exceptions
- MCP:          3          3          3          3          3          3          3          3   Machine check polls
+ MCP:         49         49         49         49         49         49         49         49   Machine check polls
  ERR:          0
  MIS:          0
  PIN:          0          0          0          0          0          0          0          0   Posted-interrupt notification event
+ NPI:          0          0          0          0          0          0          0          0   Nested posted-interrupt event
  PIW:          0          0          0          0          0          0          0          0   Posted-interrupt wakeup event
-MemTotal:       15855100 kB
-MemFree:        11477720 kB
-MemAvailable:   12987088 kB
-Buffers:          385492 kB
-Cached:          1340976 kB
+MemTotal:       15852528 kB
+MemFree:        10535556 kB
+MemAvailable:   12483484 kB
+Buffers:          128136 kB
+Cached:          1542080 kB
 SwapCached:            0 kB
-Active:          2943984 kB
-Inactive:         985944 kB
-Active(anon):    2204564 kB
-Inactive(anon):    57088 kB
-Active(file):     739420 kB
-Inactive(file):   928856 kB
-Unevictable:           0 kB
-Mlocked:               0 kB
+Active:          3133764 kB
+Inactive:        1816968 kB
+Active(anon):    2706480 kB
+Inactive(anon):    79680 kB
+Active(file):     427284 kB
+Inactive(file):  1737288 kB
+Unevictable:          32 kB
+Mlocked:              32 kB
 SwapTotal:       7933948 kB
 SwapFree:        7933948 kB
-Dirty:              1696 kB
+Dirty:              2536 kB
 Writeback:             0 kB
-AnonPages:       1629620 kB
-Mapped:           242948 kB
-Shmem:             58196 kB
-Slab:             252040 kB
-SReclaimable:     179452 kB
-SUnreclaim:        72588 kB
-KernelStack:        6800 kB
-PageTables:        29632 kB
+AnonPages:       2975436 kB
+Mapped:           494980 kB
+Shmem:             80740 kB
+Slab:             143696 kB
+SReclaimable:      74480 kB
+SUnreclaim:        69216 kB
+KernelStack:        9184 kB
+PageTables:        38812 kB
 NFS_Unstable:          0 kB
 Bounce:                0 kB
 WritebackTmp:          0 kB
-CommitLimit:    15861496 kB
-Committed_AS:    8751488 kB
+CommitLimit:    15860212 kB
+Committed_AS:   11690812 kB
 VmallocTotal:   34359738367 kB
 VmallocUsed:           0 kB
 VmallocChunk:          0 kB
 HardwareCorrupted:     0 kB
-AnonHugePages:    684032 kB
+AnonHugePages:    966656 kB
 ShmemHugePages:        0 kB
 ShmemPmdMapped:        0 kB
 CmaTotal:              0 kB
@@ -296,14 +296,15 @@ HugePages_Free:        0
 HugePages_Rsvd:        0
 HugePages_Surp:        0
 Hugepagesize:       2048 kB
-DirectMap4k:      147456 kB
-DirectMap2M:     6608896 kB
-DirectMap1G:    10485760 kB
+DirectMap4k:      202752 kB
+DirectMap2M:     7602176 kB
+DirectMap1G:     9437184 kB
 Inter-|   Receive                                                |  Transmit
  face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
-wlp3s0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
-enp0s31f6:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
- vnet0:   32675     319    0    0    0     0          0         0    42290     545    0    0    0     0       0          0
-virbr1:   28209     319    0    0    0     0          0         0    27394     284    0    0    0     0       0          0
+virbr1:  353867    2838    0    0    0     0          0         0  1474230    3810    0    0    0     0       0          0
+enp0s31f6: 43448732   65083    0    0    0     0          0      2074  6948879   57082    0    0    0     0       0          0
 virbr1-nic:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
-    lo:   92538    1136    0    0    0     0          0         0    92538    1136    0    0    0     0       0          0
+tun_wizint: 4130741    7381    0    0    0     0          0         0  1092175    8002    0    0    0     0       0          0
+    lo:    5706      74    0    0    0     0          0         0     5706      74    0    0    0     0       0          0
+ vnet0:  393599    2838    0    0    0     0          0         0  1609950    6362    0    0    0     0       0          0
+wlp3s0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/expired1.example.org/ca_chain.pem
index e3165d194..f262d8f92 100644
--- a/test/aux-fixed/exim-ca/example.org/expired1.example.org/ca_chain.pem
+++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/ca_chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.org/CN=clica Signing Cert
-issuer=/O=example.org/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.org/CN=clica Signing Cert rsa
+issuer=/O=example.org/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI0peZ
-vtd+Oo8OMPy/EIlcNiVSJQ6zb5awuAcPjb5gUE3dZ1+7PiB4BlLhT1wbUJiqC3s6
-Uo2jzzNScWmwIbMTwckUIjS6Q+3khgZHWh2uBAX9j9OrMaJ6DjtyjWitDXMUcrns
-tvQs4TMoFkvBvH94gsYtnbTC5DCmKKLRkWwQhQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-eqMhcknWmbpCS7ail+FEhRpiLgZU05d7jdf3yQLu1EmMS/fdDvY8R8G17FDcCoLQ
-mSgIvn73UqTgmDgErGZgZ2LqcgioBo7fgxS2knxFKIi/WlKHpiqOkSYtqtacIUnk
-1NkPYWjBwP3bUYauHu7EcTTHO6iWd0doLrMJvGUtm9c=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowNzEUMBIGA1UEChMLZXhhbXBsZS5vcmcxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAJXe07nxVSZPJ3rVBHQp+m5gWb5/JkzXwcWKEvcmMnJzo2ydVfHBBRmTpzpS
+ST3js2awNbhEdOU7AeBtAvyOtwlT/yp6SHhOlI8PlgLwL9/xedeC0Ex412VOeaV/
+LRbvj0j+WutuglAFXfD5IlwnRoDUB1Q51JFtYZxlxvOqbLb9AgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQCf9uWkJrIlu9DvKwiiRj6/vMFydd9kLq11COjAovfD6+VbRLeX1lpC
+XpHDhUlrAKOV/5Virl+iXao5YnfnCm1oud0jRGcG8x1JPqUKW3REch4vR0wkjaBS
+5eI7DiydPL1yts588Z6gLjHZBaR0cuXS4e1k9rcXuBC9tZjv7rYskQ==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.org/CN=clica CA
-issuer=/O=example.org/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.org/CN=clica CA rsa
+issuer=/O=example.org/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKKaWSv0duLwJQQ6t18l
-yWSGmELgaflSPTidcPii6YYskJAQjnHH13P63PUwXj68knq9JdgeXwZLWszq04Uk
-esjSLJ/e9eIE+Uk9Y2zaes0vTiOIMnYe9u4S6VUNYBO6S+zX89+CHBicNr9tnEEd
-FAw56VTBKtMDA2oPWi5BQ+8/AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBAKGed/hvquJ9QctYRyCB
-uIYN1ogbfRj2bSYvKMrSvuW8bVyYAR0C8jj8LA9IEK33EZKBz+D0RHV7s13Cnom9
-tHjIX1ncfl5vPR/Hus0ZKqwauvSauo7hkWRO7isuUzmNBp7YjgLSPr2QYptlpBS5
-U9+lNhpF9AUWEAAo3FqHgShh
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowLTEUMBIGA1UEChMLZXhhbXBsZS5vcmcxFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsOI8xlyV
+2kpju6cf0E8/c0QwaOBvUGzkTdCau/DyQrwFPToVpVW8mzDQUOnoUXLl92EJa4Td
+a4uN/uyiyTcjUQWrlZKdFn9HaLB7+rLUox6fZF06jsWgC0Qfr3HHWsrMINn6bucC
+9/eZag5ADPyO5XYnCW4pIFnuFVQ+w3Qr060CAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEALAPJGCfj
+ldkldb3pxmUf8V2luI38AVKNZokjATe3tyv7ikhb2g20BRi92fMHOqfAMUfoJKAu
+lT5vLep0SUETmAXdr3+WfFeZu2KZ9t5lhxyUGnHhxDc3k8TzobZSpFS9+ZnR/4GY
+TwGhx36iRUIFRZ/PUQrkRniedLSkO+H+Xko=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/expired1.example.org/cert8.db
index 79273d121..21f26241e 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/cert8.db and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.chain.pem
index dec44d33a..6d101731c 100644
--- a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.chain.pem
+++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
     friendlyName: expired1.example.org
-    localKeyID: 56 97 A6 F6 EB 03 2D 8E E5 E1 57 7E 7B F0 BC F3 C9 BB F3 D1 
+    localKeyID: C0 42 EE F9 5E E5 53 45 FD 79 A4 AC 05 EC 40 D5 63 4D 07 CE 
 subject=/CN=expired1.example.org
-issuer=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMloXDTEyMTIwMTEyMzQwMlowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
-ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANImCjuDNWSYsLa2Kav2
-9Pu+dMrn+gXIUJ5WGNzjc0fZUf9u3W2is1Y/6XrNkHsMAELyadAD9DJCzNQxB7YL
-Gn0wlo/glr8Njxe4q3FmJq1AjCUB0lDXEeHbyP8HoVu1Y/aY5vAJsVwW5od+S77d
-ewSvg6vR8zhjTAZiscgHwzPnAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG
-A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
-hiFodHRwOi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
-KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLm9yZy8wHwYDVR0R
-BBgwFoIUZXhwaXJlZDEuZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQELBQADgYEAN3HU
-uSw4LZzflDXB6rtzOBrYU52GnZmBgwdKO851kHDIi5HJSe8KFk7thDtMQHQskh/R
-650WMAHy+S/k87OONlk4p9ZoM7yIoJgvJ2WFcGK66eM76o5vnm2dhy88s4MzNsks
-+H3xFAI2lPYBoKJKeKz3XZj0QuDli6KjlCte290=
+MIICjTCCAfagAwIBAgIBZzANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDJaFw0xMjEyMDExMjM0MDJaMB8xHTAbBgNVBAMTFGV4cGlyZWQxLmV4
+YW1wbGUub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCueZ0F7/IW0RMT
+3iSkesPfszC/A1LWajEbbJEWxRGME3LvwfMHuayw7WP5dIfi3SGD+mmc0awR2Iio
+bEgNsuba3x3H8J9np91boXmjSwyutq4KoqXEaS3sXvcj7FGTvskfNikIEJ4eFTKp
+XjiA+PwR2Ri2VFsnxuk7f/5aoHd8HwIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5vcmcvMB8G
+A1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4GB
+ADbKFUEs8pzPVlv1YaitfHIH3SXKUIxc2UfCB4y51Y1K6DCYMBUMG9vJjdhFaWj0
+ViMRJIlnYnCUXiEKyPvJNuAU1+C9W7/S349qF42X8+TdflF9fxLXjXms62tzezFh
+kJ2Ouwf+rNdj+5dQOLzlngRMSspVR1mf/4xmHepdqBZP
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI0peZ
-vtd+Oo8OMPy/EIlcNiVSJQ6zb5awuAcPjb5gUE3dZ1+7PiB4BlLhT1wbUJiqC3s6
-Uo2jzzNScWmwIbMTwckUIjS6Q+3khgZHWh2uBAX9j9OrMaJ6DjtyjWitDXMUcrns
-tvQs4TMoFkvBvH94gsYtnbTC5DCmKKLRkWwQhQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-eqMhcknWmbpCS7ail+FEhRpiLgZU05d7jdf3yQLu1EmMS/fdDvY8R8G17FDcCoLQ
-mSgIvn73UqTgmDgErGZgZ2LqcgioBo7fgxS2knxFKIi/WlKHpiqOkSYtqtacIUnk
-1NkPYWjBwP3bUYauHu7EcTTHO6iWd0doLrMJvGUtm9c=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowNzEUMBIGA1UEChMLZXhhbXBsZS5vcmcxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAJXe07nxVSZPJ3rVBHQp+m5gWb5/JkzXwcWKEvcmMnJzo2ydVfHBBRmTpzpS
+ST3js2awNbhEdOU7AeBtAvyOtwlT/yp6SHhOlI8PlgLwL9/xedeC0Ex412VOeaV/
+LRbvj0j+WutuglAFXfD5IlwnRoDUB1Q51JFtYZxlxvOqbLb9AgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQCf9uWkJrIlu9DvKwiiRj6/vMFydd9kLq11COjAovfD6+VbRLeX1lpC
+XpHDhUlrAKOV/5Virl+iXao5YnfnCm1oud0jRGcG8x1JPqUKW3REch4vR0wkjaBS
+5eI7DiydPL1yts588Z6gLjHZBaR0cuXS4e1k9rcXuBC9tZjv7rYskQ==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.key b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.key
index 5af649a8f..f233cea98 100644
--- a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.key
+++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.key
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: expired1.example.org
-    localKeyID: 56 97 A6 F6 EB 03 2D 8E E5 E1 57 7E 7B F0 BC F3 C9 BB F3 D1 
+    localKeyID: C0 42 EE F9 5E E5 53 45 FD 79 A4 AC 05 EC 40 D5 63 4D 07 CE 
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIYw5AHKHpvwACAggA
-MBQGCCqGSIb3DQMHBAjPjI96QuNFaASCAoAjCiOv8zLE19SudivjlvejgTBwUXXb
-RKTIijmHGXjP2WaW47vWcCZ8hSDI5TEuDF56khVea56GyWW86XFB/1P2Mcwg2HBP
-OfqrFG5ZZI1zQ/40U/jkYpQ79IUAvY1Xn3Af8hsbFGo0saIG2HpWdDQqWE+MM+fU
-rTliQVtCHaU2V5w4clcz+CkzUyHtRogc+gX+VMl/bKK0OkyT8R1tA1eRJIUiDTc9
-kpEFD9wQB+TpWH3UyMg8Vy+GBQVH9R6Q9mcoDMWvmYTnT9wkcb3DhHZ7Fb+vlzNK
-NssdtTjxguFpjDozvxbUH9niJUAZcC5owd0LO8q/0IVuNhJEZOAtP9aeCklMvs5n
-u+4e4/jDXWmU3LHIPVy4X3j8Rf1y5YTdu2DZQLZs707mplLtBqnf0DLY1va1Y4/E
-i2SDfRamfjvQKissZL1QywniMLXT66dXMSINSG+jPt8l8DkYNEgwcaSepJAERF1q
-3y3TCBXhj+juhN4aiZT0zbQiDA4NHzHI8+xs2yThpaqA71o5xh35l+dMcRNLcWuc
-3CpVQvsGeVyF6Rn9isMFa3TuzGMfeG+2GNWjL1/hy5i3ROiV3yuuGX10kSSbg0sn
-nbAhCFugRYEywE6+Rnv9tfTwU9zutQPK2VZrG6GNzT0cucLGLbsHIts20QOWjiI8
-5cV5fDKTZhzPld2K8OpkhGSnRkdWvay89RwAzebcsBwSNoPfuxX0pXgi98mnaXVY
-KDhpmGhUya+AcflPJyd3DY9Ys/Eldq8aPEj0JWUGhyJyy0K6waoFTuZ6lIZMMLWV
-vHfsQlgTEqHlaXvs4qg9yzLHJaa40ucaeIbPjDtHB82Rd4APCoSkYTFn
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQItFoLVVYqyWMCAggA
+MBQGCCqGSIb3DQMHBAh2qL3MfztfBASCAoBeZgesYzG4byPUr9CZhwVLl7dQR3J/
+ftFIzD67jpGmyXG8eHz4PvxYzq3767Vn0ZGdLkZGY8XfZ7nwJZxrCa7UAYFkLFIT
+6O3iVL+BEoHABASMS5lFzeEoK7wZW0OP4DzEiXDb+AG2GcPAPv6Dzp4ctflzhj4h
+p3RKDBI0xj76YlQFX9SKpFd/dOCIa5KTIVigp9R4IbnSmgw3THckGNH25GtVeEp3
+jdDxmQjMMDgwP13HQz2A3d7dTSU4TzS3y/1QZ53Fenj7T3B/nalNWeeBJh6J+A1F
+eAJeyBVVvulbN+3/ju881m2VTYTjluTL8oEMww8FrWb7Dje4moeKTDOfzVa0hR8r
+Q5hFlbudhAG/vqNZWxvsSi3JJ9sUJqaXvPWXeKg9kBB1m1UxsF/VuvEmi60U15JJ
+rpD8MFKEztaD7JsBhu7kEKmZ4fxokFF9pJCWqPSWuEvyi2dGxfupAu34kubJMXi5
+FPnq7p9KPHqVkZ8cc1vEwmgVLi9MnYQcARbKB56BlyiJAXWU5e6UYlka3pchEp+O
+fCGa61zdeTFvEVPhtyQa8Bx7/OB2pgAOJJ3Pa9lBaFTTsUQF9CL9kuXVl4ZBo0k4
+xMyYKpbN9goSe25QKtEDeZIhuBB9myf/FKwwo0SKO+K0392rEthTiUvjA6FJ3DhK
+iEO24YZc5rNNX3qYnqFcmPSdcx/+/UvTCY2M6Q7dU1dcrAvM3JYfiU0T2ympgUjd
+tfef74DRRmlCt5OWKT/9sIq++CWvrKE7Pz4UqvGxWP7VszVu16DRP9S8bYTAU1iX
+JhUErfXvfsC7A8GTEXVG+UpPdUs94+qvWUILscWZP6L0+4IqOTe5wsfy
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.dated.resp
index 78092bac6..e8206f793 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.good.resp
index 67705a989..cf8ae53c5 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.req
index e7cd35cba..d7bebd8cc 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.req and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.revoked.resp
index 6ecf45ecb..70e580919 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signer.dated.resp b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signer.dated.resp
index 3e16f3650..6eee696dc 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signer.dated.resp and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signer.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signer.good.resp b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signer.good.resp
index d7e27c332..feb1b3138 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signer.good.resp and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signer.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signer.revoked.resp b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signer.revoked.resp
index efa865b60..9c58b1936 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signer.revoked.resp and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signer.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signernocert.dated.resp b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signernocert.dated.resp
index e42697062..4ac3df37a 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signernocert.dated.resp and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signernocert.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signernocert.good.resp b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signernocert.good.resp
index 6a96d0a50..60260bfc7 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signernocert.good.resp and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signernocert.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signernocert.revoked.resp b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signernocert.revoked.resp
index 2e9ba797a..8287809c0 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signernocert.revoked.resp and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.signernocert.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.p12 b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.p12
index 103ccc9e5..3620be97d 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.p12 and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.pem b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.pem
index ed4ff4c2f..401056644 100644
--- a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.pem
+++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.pem
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: expired1.example.org
-    localKeyID: 56 97 A6 F6 EB 03 2D 8E E5 E1 57 7E 7B F0 BC F3 C9 BB F3 D1 
+    localKeyID: C0 42 EE F9 5E E5 53 45 FD 79 A4 AC 05 EC 40 D5 63 4D 07 CE 
 subject=/CN=expired1.example.org
-issuer=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMloXDTEyMTIwMTEyMzQwMlowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
-ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANImCjuDNWSYsLa2Kav2
-9Pu+dMrn+gXIUJ5WGNzjc0fZUf9u3W2is1Y/6XrNkHsMAELyadAD9DJCzNQxB7YL
-Gn0wlo/glr8Njxe4q3FmJq1AjCUB0lDXEeHbyP8HoVu1Y/aY5vAJsVwW5od+S77d
-ewSvg6vR8zhjTAZiscgHwzPnAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG
-A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
-hiFodHRwOi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
-KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLm9yZy8wHwYDVR0R
-BBgwFoIUZXhwaXJlZDEuZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQELBQADgYEAN3HU
-uSw4LZzflDXB6rtzOBrYU52GnZmBgwdKO851kHDIi5HJSe8KFk7thDtMQHQskh/R
-650WMAHy+S/k87OONlk4p9ZoM7yIoJgvJ2WFcGK66eM76o5vnm2dhy88s4MzNsks
-+H3xFAI2lPYBoKJKeKz3XZj0QuDli6KjlCte290=
+MIICjTCCAfagAwIBAgIBZzANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDJaFw0xMjEyMDExMjM0MDJaMB8xHTAbBgNVBAMTFGV4cGlyZWQxLmV4
+YW1wbGUub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCueZ0F7/IW0RMT
+3iSkesPfszC/A1LWajEbbJEWxRGME3LvwfMHuayw7WP5dIfi3SGD+mmc0awR2Iio
+bEgNsuba3x3H8J9np91boXmjSwyutq4KoqXEaS3sXvcj7FGTvskfNikIEJ4eFTKp
+XjiA+PwR2Ri2VFsnxuk7f/5aoHd8HwIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5vcmcvMB8G
+A1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4GB
+ADbKFUEs8pzPVlv1YaitfHIH3SXKUIxc2UfCB4y51Y1K6DCYMBUMG9vJjdhFaWj0
+ViMRJIlnYnCUXiEKyPvJNuAU1+C9W7/S349qF42X8+TdflF9fxLXjXms62tzezFh
+kJ2Ouwf+rNdj+5dQOLzlngRMSspVR1mf/4xmHepdqBZP
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.unlocked.key
index 1b00779ad..fe037ffb7 100644
--- a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.unlocked.key
+++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.unlocked.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDSJgo7gzVkmLC2timr9vT7vnTK5/oFyFCeVhjc43NH2VH/bt1t
-orNWP+l6zZB7DABC8mnQA/QyQszUMQe2Cxp9MJaP4Ja/DY8XuKtxZiatQIwlAdJQ
-1xHh28j/B6FbtWP2mObwCbFcFuaHfku+3XsEr4Or0fM4Y0wGYrHIB8Mz5wIDAQAB
-AoGAQNzE48GHxVjrkjl/ezhqPRl36vjWztoZKAXi/qqldlO5X2HUrnY9bC2l3uV7
-5r65hfBUgIP351t+5S+M9b9PmS0cMTQ9M6GHF8Ahvw5CKlttg1cHcU+5GMYUGPJ6
-NRI3V3RVJI8ew7SljN9dEoPjXThqAQwgDfxAbJCvr163rOECQQDuxqjJxMfvg3Yf
-RYvMPsAfaYfGymXXKoAUsEZdqcWFVk4OcMd+lpN2yWZ7+CSVok0XaLA3wObgRV1S
-Le5IhrSzAkEA4U68AOuu8fgTGwY62Z/ux6K0qYFomwhUxy/RVdezMHP/KSgjH5cT
-6L3jVr2vOfO8WwNst7IdUNQG9LhLkUhl/QJAXl/YsL79QzaThnKneZfHueKtDq5K
-qEudChBOD5Edh8D/4wdCYk9Dg6zAu/jtBNN8Yuc21yKAXl4sL2IGD1ZmrwJAD/nM
-POh5TDEB8c2cSKgdf0xbMRW6/Bs4H7OVTVfxHcNr2Vg+PVQyFjO4tgLXNO3CclWo
-1NGtYHjYUWvr985BZQJBAOD5MMnrWWpXW1b7GTQfw24zMfYbw5CNEYXUn3t8mwhL
-/wDBfNicDchags/kP7AhQ9xR5br29v41kJhk6DuoKbk=
+MIICXAIBAAKBgQCueZ0F7/IW0RMT3iSkesPfszC/A1LWajEbbJEWxRGME3LvwfMH
+uayw7WP5dIfi3SGD+mmc0awR2IiobEgNsuba3x3H8J9np91boXmjSwyutq4KoqXE
+aS3sXvcj7FGTvskfNikIEJ4eFTKpXjiA+PwR2Ri2VFsnxuk7f/5aoHd8HwIDAQAB
+AoGABY6WCQ8KtN3/2jgkY/YNBbOdWoLD6/8B2rprJ0CA6JHjV+44zAbb5d60ZR49
+sw9moTTOkadpRZWR9LCjiDF/LMKVkX+X17R8q3f9Jn54xeaJH0OOwJxMJ+RUTcDN
+Z18HE8UYCoptiSf5oEYHQ8cfGBj+C+G2uELoIJsvyuVsXLECQQDlkKQVN42pD3+X
+fFxRIkXtGrYmZEAA9ukiFnD9+pGxqfXx6JZdl9UkGi/+hCdz+VAfcM6q1Xt2XmWo
+ML0Uf4+dAkEAwpD5CMh/7w9GftWlDM+gjYSONV2Kkvb4DvwUVrDtESemBBdHx3S3
+TNHM5XGStNEj/mah8qBUteF7alr5N64T6wJBAMMPAbzddUr/VkTbcH2oB46OMdOx
+PwkSw8kpFF1Z+U3iwo4IOSvRhVOlxL4YgIV0g/YTHifeOYe8cdhVgXPXZ6kCQHUr
+bv2uGPUzYsXBDWtgohR3bliO44PLvOjxP6JRXALHuL+f8XcZP8XAVr8aHTpM9Hsg
+/Ygqq7j4eCU9cfXpHE8CQBbekvmT3gQ0SrbUHKNzW1/5OvvgaYx6Dm5VvkzhquRA
+FoLvXHuCAe+/rsPE2LF08ewSvAZOQcKUOSZjIHxYAdc=
 -----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/expired1.example.org/key3.db
index 77823254c..80d66e771 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/key3.db and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/expired2.example.org/ca_chain.pem
index e3165d194..f262d8f92 100644
--- a/test/aux-fixed/exim-ca/example.org/expired2.example.org/ca_chain.pem
+++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/ca_chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.org/CN=clica Signing Cert
-issuer=/O=example.org/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.org/CN=clica Signing Cert rsa
+issuer=/O=example.org/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI0peZ
-vtd+Oo8OMPy/EIlcNiVSJQ6zb5awuAcPjb5gUE3dZ1+7PiB4BlLhT1wbUJiqC3s6
-Uo2jzzNScWmwIbMTwckUIjS6Q+3khgZHWh2uBAX9j9OrMaJ6DjtyjWitDXMUcrns
-tvQs4TMoFkvBvH94gsYtnbTC5DCmKKLRkWwQhQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-eqMhcknWmbpCS7ail+FEhRpiLgZU05d7jdf3yQLu1EmMS/fdDvY8R8G17FDcCoLQ
-mSgIvn73UqTgmDgErGZgZ2LqcgioBo7fgxS2knxFKIi/WlKHpiqOkSYtqtacIUnk
-1NkPYWjBwP3bUYauHu7EcTTHO6iWd0doLrMJvGUtm9c=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowNzEUMBIGA1UEChMLZXhhbXBsZS5vcmcxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAJXe07nxVSZPJ3rVBHQp+m5gWb5/JkzXwcWKEvcmMnJzo2ydVfHBBRmTpzpS
+ST3js2awNbhEdOU7AeBtAvyOtwlT/yp6SHhOlI8PlgLwL9/xedeC0Ex412VOeaV/
+LRbvj0j+WutuglAFXfD5IlwnRoDUB1Q51JFtYZxlxvOqbLb9AgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQCf9uWkJrIlu9DvKwiiRj6/vMFydd9kLq11COjAovfD6+VbRLeX1lpC
+XpHDhUlrAKOV/5Virl+iXao5YnfnCm1oud0jRGcG8x1JPqUKW3REch4vR0wkjaBS
+5eI7DiydPL1yts588Z6gLjHZBaR0cuXS4e1k9rcXuBC9tZjv7rYskQ==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.org/CN=clica CA
-issuer=/O=example.org/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.org/CN=clica CA rsa
+issuer=/O=example.org/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKKaWSv0duLwJQQ6t18l
-yWSGmELgaflSPTidcPii6YYskJAQjnHH13P63PUwXj68knq9JdgeXwZLWszq04Uk
-esjSLJ/e9eIE+Uk9Y2zaes0vTiOIMnYe9u4S6VUNYBO6S+zX89+CHBicNr9tnEEd
-FAw56VTBKtMDA2oPWi5BQ+8/AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBAKGed/hvquJ9QctYRyCB
-uIYN1ogbfRj2bSYvKMrSvuW8bVyYAR0C8jj8LA9IEK33EZKBz+D0RHV7s13Cnom9
-tHjIX1ncfl5vPR/Hus0ZKqwauvSauo7hkWRO7isuUzmNBp7YjgLSPr2QYptlpBS5
-U9+lNhpF9AUWEAAo3FqHgShh
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowLTEUMBIGA1UEChMLZXhhbXBsZS5vcmcxFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsOI8xlyV
+2kpju6cf0E8/c0QwaOBvUGzkTdCau/DyQrwFPToVpVW8mzDQUOnoUXLl92EJa4Td
+a4uN/uyiyTcjUQWrlZKdFn9HaLB7+rLUox6fZF06jsWgC0Qfr3HHWsrMINn6bucC
+9/eZag5ADPyO5XYnCW4pIFnuFVQ+w3Qr060CAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEALAPJGCfj
+ldkldb3pxmUf8V2luI38AVKNZokjATe3tyv7ikhb2g20BRi92fMHOqfAMUfoJKAu
+lT5vLep0SUETmAXdr3+WfFeZu2KZ9t5lhxyUGnHhxDc3k8TzobZSpFS9+ZnR/4GY
+TwGhx36iRUIFRZ/PUQrkRniedLSkO+H+Xko=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/expired2.example.org/cert8.db
index 240836f84..df32fcc24 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/cert8.db and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.chain.pem
index 8d7c0244e..6f578b3e3 100644
--- a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.chain.pem
+++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
     friendlyName: expired2.example.org
-    localKeyID: 0D 1B DB 87 3F A0 82 FE 25 25 17 FB 02 8B 11 A0 C7 3B 3F 2D 
+    localKeyID: BB AD 3B 61 9B C1 5F B5 67 B4 E6 DC D0 B0 CD DA DF 58 AF 9A 
 subject=/CN=expired2.example.org
-issuer=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhh
-bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDNaFw0xMjEyMDExMjM0MDNaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
-bGUub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrcutPy6MwDf8v9KY+
-EmfD1UgqwzWDfExzOLltPoqYDe/925YdyR4APYZwMYKSz6aCqcr2RHXNlhaQxn28
-QXBEiqYN9oDxSUBGnMYpahG1kVChdwDOmB7xs6Qr8fyMQSQ6fxOSs8NpSiobBd5v
-JXvFsLyoqpWHF1hvRFpPAtjY9wIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5vcmcvMB8GA1Ud
-EQQYMBaCFGV4cGlyZWQyLmV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4GBAIlD
-3fGGN1764ZR0OBfhIcfR18putZkIlFQSQojhj4ZgCisqU/pXlkQ8FM2mUhDLZfi1
-dezo36i6x3tmNnnVVc0DUn8mmD0t0SlH7PBrIyhv10spu2wfitNqnuyknAIpEE5V
-v2FZRwnBxqhQkWoGjDb+vCOJxH3zYgXMEaN99Ifu
+MIICjjCCAfegAwIBAgICAMswDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIx
+MTAxMTIzNDAzWhcNMTIxMjAxMTIzNDAzWjAfMR0wGwYDVQQDExRleHBpcmVkMi5l
+eGFtcGxlLm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuC3gS3mRxtQs
+p4mpWah7L1G1/XIVVKxVRhfI2UGEOsSKZNOP5R0qZoknOR9aMKIlNLlG3N50yzbi
+1MnPpZspxORknzmixiLWk8JcB2sAHWkFeZiCzlEQRAfAc3ky1tPNq+SvYOKRtP4Q
+WmMioidONvkk6BXVoIkzK2UlH3xCmp0CAwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUub3JnLzAf
+BgNVHREEGDAWghRleHBpcmVkMi5leGFtcGxlLm9yZzANBgkqhkiG9w0BAQsFAAOB
+gQBNWz+6NypcliTvDdbksywD8VXNkGaK4FjJeb9nSqFWaAQdIT9sBeHQEusBWdJv
+cfX/Ik2JHtjCpuGCcfK0thQllovsY5dXrSW92F6VBuQvls+ETsNnRqJKz3CtJ9mO
+mC/FGMXIStcSIH931F7afUyw66QLJILUqXcot8HZtn/lUg==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI0peZ
-vtd+Oo8OMPy/EIlcNiVSJQ6zb5awuAcPjb5gUE3dZ1+7PiB4BlLhT1wbUJiqC3s6
-Uo2jzzNScWmwIbMTwckUIjS6Q+3khgZHWh2uBAX9j9OrMaJ6DjtyjWitDXMUcrns
-tvQs4TMoFkvBvH94gsYtnbTC5DCmKKLRkWwQhQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-eqMhcknWmbpCS7ail+FEhRpiLgZU05d7jdf3yQLu1EmMS/fdDvY8R8G17FDcCoLQ
-mSgIvn73UqTgmDgErGZgZ2LqcgioBo7fgxS2knxFKIi/WlKHpiqOkSYtqtacIUnk
-1NkPYWjBwP3bUYauHu7EcTTHO6iWd0doLrMJvGUtm9c=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowNzEUMBIGA1UEChMLZXhhbXBsZS5vcmcxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAJXe07nxVSZPJ3rVBHQp+m5gWb5/JkzXwcWKEvcmMnJzo2ydVfHBBRmTpzpS
+ST3js2awNbhEdOU7AeBtAvyOtwlT/yp6SHhOlI8PlgLwL9/xedeC0Ex412VOeaV/
+LRbvj0j+WutuglAFXfD5IlwnRoDUB1Q51JFtYZxlxvOqbLb9AgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQCf9uWkJrIlu9DvKwiiRj6/vMFydd9kLq11COjAovfD6+VbRLeX1lpC
+XpHDhUlrAKOV/5Virl+iXao5YnfnCm1oud0jRGcG8x1JPqUKW3REch4vR0wkjaBS
+5eI7DiydPL1yts588Z6gLjHZBaR0cuXS4e1k9rcXuBC9tZjv7rYskQ==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.key b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.key
index 9bb8a7902..7cf237255 100644
--- a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.key
+++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.key
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: expired2.example.org
-    localKeyID: 0D 1B DB 87 3F A0 82 FE 25 25 17 FB 02 8B 11 A0 C7 3B 3F 2D 
+    localKeyID: BB AD 3B 61 9B C1 5F B5 67 B4 E6 DC D0 B0 CD DA DF 58 AF 9A 
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIm43+EhADc5wCAggA
-MBQGCCqGSIb3DQMHBAhpt6/mtIXjNwSCAoDi0VXOiUz3lGJBbkvrD9woQ6e5w3gu
-VVIfze/89KJsBTlLo7Idg1/veb9I2swd8XuKMjo3uiJdt3Xtv5LyJysF8qMRlm4L
-WosNaJ5iTve6beJlLcy1KnPyrReq+CHGToALGoejewlaU4zRzW8yTY6J1Hg7xiKD
-QzgfbGeji+4W8fsWMVk1vhmj1edf1upNeFdTS8esmZOfk4LlP5WGV8KtE2ikZ/mj
-V8kHg0pJY3jNhcolpUSw1y4C4U4Sus00L3wiRFEG98ltZPPtp6wcVV1brU7XwzP8
-StKMCyCte6e/PoOklkcznZZZKABo+/yfrzrH7GI0ATwoyQATvObAZdmsF41Lw8Zx
-aY1YEYulFVcqjrGFP8b1vRllw//XvYm6xr3xcPgSnifJ0b4lGjqjW3peJW2n5fp7
-mwr6pmWEGFE5c//DjbvvswiIMa5xBbBkEaySbSnS2mzzTIHYP8ezEgyU8jDACEJD
-/F/evkvyTM3fYQMh+x9npD5dI3Ea7rd+6CikFhFGT2f4JT3HO9z5pB2VWR8i5E06
-c73VwLQGCkQKyPj+5M+ISooVgohKo9MhPpNPdG7lDLW6Z/PNhCS60TorQF7BbqhZ
-1r1sp9Cc+rFlV6fAJy0DB7lrVUKi7Sfk+uaqtNlHc4shPEs4uB4SLPBLXXgoYzBD
-mFi7OFQwLaSQVv4XV88ewxYTNkRJFowZzeRoxRZit8ReVC+28Tv8ISnKK6+ZAY1o
-N3CkI4CBdZtg6I9KS9ABt2BspcSEGuN3XEzkfVDk09POVaO2t/HQZIAyNVu4RAny
-afaGdLUyaGWNYNSqH436XeiNZyoIg/QfI041JQb4/fwcrYikZNlCo4i6
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIhR31sug2jNUCAggA
+MBQGCCqGSIb3DQMHBAjmdQ9DQshYOASCAoB/PWWnLSUdq0gZinlHkq5wBMm1yEwT
+xxYLoGurDsSDN6j7fbHW/ZDTfHAMrf9ecXfODIPn2wntOF8SDifq5YZDH4+zaHvR
+Rsz/2I5/xQ/+WlDOXrxpNPC2NqkK0N5R/VXfAWCSs1MaE19w56tYuPuzBtRtcw5x
+Ln2uJkjJl1SWh1TOiIfpc2Ld+7g6IpTR44JLz9k7GNtJWFUg/NDYGMy9vEDLQv4e
+lPPmol8ipjR1GXymv22abNi9aL6RND6olOnUZQk1Gr9ugMxAUEAOWFhsrtY6+Ul0
+dPAhgOsmXlUuwDIpewRw++gbkr4+rIKgWveHG8uZy+Z+sjlgqjqb85onnWCGU9xz
+HtarbkvVp2FKa8frAF6bCG7yRaImIFBnyNJQn1qYQtfJuu60RmrKYLhvM2rGTqKX
+V7BQ72GrJ4VeG77I1uvYKNwiSELYaWrKnTIZR/KhJJVCN1/XNSXJzb+zpZDIo2xW
+seyvfsoKIX+RXtOjtx9OhBT24DREiz1F7pV12e0q4z8VUMxpV16fmVA8SH+3v251
+5TTRksGSbFm43z45WWnylOhzJj+bkSOPoRGPBTDU9/Xvem8ni2ZCAoPxBewkLs99
+JsYHsjPGclynF9Lglsb3plN2unhPwH+kIsJ6hi4RMRJAzsWV0LWtRx49UBEinnDM
+1udwIzveVAaZzcM3qC4oQf7L1yHjBdj+eh6sj017uAPdptIDLjsCT789zJUj0qUq
+kEia++A+ks0qhhuBCPMUrkxEwF7V5x5aBCYwLLES5gtD9xn3ruYrZVnXGtIRAK4Z
+YZu3G+qVXwjBlbECSmnVSgR/dC31+c2s/F4TBjQ0pKlxt272agIdNjBE
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.dated.resp
index 441d6e14c..6db1fb1a0 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.good.resp
index 7ad2ba7f6..8d8d1d62f 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.req
index a73559a97..359deeb9f 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.req and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.revoked.resp
index 7ad2ba7f6..8d8d1d62f 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signer.dated.resp b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signer.dated.resp
index 449f9b8c0..297300c72 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signer.dated.resp and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signer.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signer.good.resp b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signer.good.resp
index 44a4f95f4..3e4d296fe 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signer.good.resp and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signer.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signer.revoked.resp b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signer.revoked.resp
index 44a4f95f4..3e4d296fe 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signer.revoked.resp and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signer.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signernocert.dated.resp b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signernocert.dated.resp
index 21a46a381..23c7542ec 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signernocert.dated.resp and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signernocert.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signernocert.good.resp b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signernocert.good.resp
index 138d7c7a2..089e56efa 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signernocert.good.resp and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signernocert.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signernocert.revoked.resp b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signernocert.revoked.resp
index 138d7c7a2..089e56efa 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signernocert.revoked.resp and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.signernocert.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.p12 b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.p12
index c960a7c9d..05237d5d0 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.p12 and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.pem b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.pem
index 244eb7543..b40e4a1fb 100644
--- a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.pem
+++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.pem
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: expired2.example.org
-    localKeyID: 0D 1B DB 87 3F A0 82 FE 25 25 17 FB 02 8B 11 A0 C7 3B 3F 2D 
+    localKeyID: BB AD 3B 61 9B C1 5F B5 67 B4 E6 DC D0 B0 CD DA DF 58 AF 9A 
 subject=/CN=expired2.example.org
-issuer=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhh
-bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDNaFw0xMjEyMDExMjM0MDNaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
-bGUub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrcutPy6MwDf8v9KY+
-EmfD1UgqwzWDfExzOLltPoqYDe/925YdyR4APYZwMYKSz6aCqcr2RHXNlhaQxn28
-QXBEiqYN9oDxSUBGnMYpahG1kVChdwDOmB7xs6Qr8fyMQSQ6fxOSs8NpSiobBd5v
-JXvFsLyoqpWHF1hvRFpPAtjY9wIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5vcmcvMB8GA1Ud
-EQQYMBaCFGV4cGlyZWQyLmV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4GBAIlD
-3fGGN1764ZR0OBfhIcfR18putZkIlFQSQojhj4ZgCisqU/pXlkQ8FM2mUhDLZfi1
-dezo36i6x3tmNnnVVc0DUn8mmD0t0SlH7PBrIyhv10spu2wfitNqnuyknAIpEE5V
-v2FZRwnBxqhQkWoGjDb+vCOJxH3zYgXMEaN99Ifu
+MIICjjCCAfegAwIBAgICAMswDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIx
+MTAxMTIzNDAzWhcNMTIxMjAxMTIzNDAzWjAfMR0wGwYDVQQDExRleHBpcmVkMi5l
+eGFtcGxlLm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuC3gS3mRxtQs
+p4mpWah7L1G1/XIVVKxVRhfI2UGEOsSKZNOP5R0qZoknOR9aMKIlNLlG3N50yzbi
+1MnPpZspxORknzmixiLWk8JcB2sAHWkFeZiCzlEQRAfAc3ky1tPNq+SvYOKRtP4Q
+WmMioidONvkk6BXVoIkzK2UlH3xCmp0CAwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUub3JnLzAf
+BgNVHREEGDAWghRleHBpcmVkMi5leGFtcGxlLm9yZzANBgkqhkiG9w0BAQsFAAOB
+gQBNWz+6NypcliTvDdbksywD8VXNkGaK4FjJeb9nSqFWaAQdIT9sBeHQEusBWdJv
+cfX/Ik2JHtjCpuGCcfK0thQllovsY5dXrSW92F6VBuQvls+ETsNnRqJKz3CtJ9mO
+mC/FGMXIStcSIH931F7afUyw66QLJILUqXcot8HZtn/lUg==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.unlocked.key
index a7bd3fb80..37f00cb47 100644
--- a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.unlocked.key
+++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.unlocked.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCrcutPy6MwDf8v9KY+EmfD1UgqwzWDfExzOLltPoqYDe/925Yd
-yR4APYZwMYKSz6aCqcr2RHXNlhaQxn28QXBEiqYN9oDxSUBGnMYpahG1kVChdwDO
-mB7xs6Qr8fyMQSQ6fxOSs8NpSiobBd5vJXvFsLyoqpWHF1hvRFpPAtjY9wIDAQAB
-AoGAJC0c+trgpaCmcnOAaoOOspM75Y4IKiTdqshS0/rI2rnCJIIjhEhuFKXmyqCf
-ySOYomR6Z4ldhBJB062WVVVHf05811usTNPaaKGsYlgN9h8VZkMXL6jGdUCuoKV7
-4RpMN5cXoLofZEiuqQgfoJRPksEPFkq4vIFwCtMylE+ecoECQQDY8MJYCFh6XO6R
-JtmDgT5x1nIPKXNx7b2JSFkKr2HDRwuc/U/RlTHZNIqJy0B0EOunurQf46aq4yHm
-luZ8KROBAkEAylFbyhfEbhT1Ky0zZtwHsgfyi8ZifXeY1XQPU4QGsckeH6VuU+Qt
-di5IX42xvn5fNiv7OnOwYWokwTIYJoTIdwJAOYBfUuwrX4ugZHLytoucXJols2Ue
-R3VnhqrZhx6DgDolluABtyCfjN4DVpC8LceKXvP66HTz6Vm406DtyL0ugQJAQ5Ee
-RYTgfh8TreK/mud6znMnBpUviVVqvkavY6XhEnjnTYxTJ0M6B5D3bKoGpWbQ52eS
-1HeUfUQUmEzhkeOgiwJBAIuSckRkCGwPz1lJMEXWGPnXIHX5m6xS7czZiXYEQjDI
-sc7ZX5ChkTH+xkG/kKCux3uzWZV9/Bze9Nf1HTJQlHY=
+MIICXAIBAAKBgQC4LeBLeZHG1CynialZqHsvUbX9chVUrFVGF8jZQYQ6xIpk04/l
+HSpmiSc5H1owoiU0uUbc3nTLNuLUyc+lmynE5GSfOaLGItaTwlwHawAdaQV5mILO
+URBEB8BzeTLW082r5K9g4pG0/hBaYyKiJ042+SToFdWgiTMrZSUffEKanQIDAQAB
+AoGABlqm01PFYLuvMrSAIDS80zwZcD4AWGR9qKZnan9lJXXkZGgcHcZs0Q7ISKM5
+RFZDvFbsB/CwzNX+62JvBIKe5ToSgpF2DxBeIiMCIqDYeD2RYEcozGaV1KIjxpMJ
+ZZlwTKcgx0f53QbNK0jpfJu/7kS4afFmjp3iPDVxqSIkMqECQQDgAd08lz5Jd61/
+X7OLK9HVYHD44WbgYnSQcg/oYoOxPw5Rr5VPc2ZSoemITs0uZtsbc+y2Qb2TDbJC
+zuHV5foVAkEA0nvSLsru8rXpanhZbKtMXXQjZaaphQh6cCBzxyonHABlQNzgNZQs
+ZpGk0MbAkK0o12MCMBSB4OCCV3QuDBzoaQJBANu22GIq0qxK14D8xGU4KMuKmaRz
+qW1jBIP9bL75icQbXhcfCmtwfCeGqkHJURU3S6gEr2Qg3SnUoElJFFeyB/UCQBtS
+XU8bona47EqYwqrbdXcwCyQ3xQtytUn2vHCe5SK6XmpUAXqS+Ex8HVPIaNie0Y1b
+2b3Z+53wJpsphoyl9/kCQExmOpZ5BaPGbzJ0MfJ+j9JBXs8mvQ/PEwNZc6COagvX
+WlV64tajDOtGMZt2l5Hy/0Y0gxbyINm5jEb3boG6NQw=
 -----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/expired2.example.org/key3.db
index 50a71ba19..72fa289f2 100644
Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/key3.db and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/ca_chain.pem
index e3165d194..f262d8f92 100644
--- a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/ca_chain.pem
+++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/ca_chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.org/CN=clica Signing Cert
-issuer=/O=example.org/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.org/CN=clica Signing Cert rsa
+issuer=/O=example.org/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI0peZ
-vtd+Oo8OMPy/EIlcNiVSJQ6zb5awuAcPjb5gUE3dZ1+7PiB4BlLhT1wbUJiqC3s6
-Uo2jzzNScWmwIbMTwckUIjS6Q+3khgZHWh2uBAX9j9OrMaJ6DjtyjWitDXMUcrns
-tvQs4TMoFkvBvH94gsYtnbTC5DCmKKLRkWwQhQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-eqMhcknWmbpCS7ail+FEhRpiLgZU05d7jdf3yQLu1EmMS/fdDvY8R8G17FDcCoLQ
-mSgIvn73UqTgmDgErGZgZ2LqcgioBo7fgxS2knxFKIi/WlKHpiqOkSYtqtacIUnk
-1NkPYWjBwP3bUYauHu7EcTTHO6iWd0doLrMJvGUtm9c=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowNzEUMBIGA1UEChMLZXhhbXBsZS5vcmcxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAJXe07nxVSZPJ3rVBHQp+m5gWb5/JkzXwcWKEvcmMnJzo2ydVfHBBRmTpzpS
+ST3js2awNbhEdOU7AeBtAvyOtwlT/yp6SHhOlI8PlgLwL9/xedeC0Ex412VOeaV/
+LRbvj0j+WutuglAFXfD5IlwnRoDUB1Q51JFtYZxlxvOqbLb9AgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQCf9uWkJrIlu9DvKwiiRj6/vMFydd9kLq11COjAovfD6+VbRLeX1lpC
+XpHDhUlrAKOV/5Virl+iXao5YnfnCm1oud0jRGcG8x1JPqUKW3REch4vR0wkjaBS
+5eI7DiydPL1yts588Z6gLjHZBaR0cuXS4e1k9rcXuBC9tZjv7rYskQ==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.org/CN=clica CA
-issuer=/O=example.org/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.org/CN=clica CA rsa
+issuer=/O=example.org/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKKaWSv0duLwJQQ6t18l
-yWSGmELgaflSPTidcPii6YYskJAQjnHH13P63PUwXj68knq9JdgeXwZLWszq04Uk
-esjSLJ/e9eIE+Uk9Y2zaes0vTiOIMnYe9u4S6VUNYBO6S+zX89+CHBicNr9tnEEd
-FAw56VTBKtMDA2oPWi5BQ+8/AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBAKGed/hvquJ9QctYRyCB
-uIYN1ogbfRj2bSYvKMrSvuW8bVyYAR0C8jj8LA9IEK33EZKBz+D0RHV7s13Cnom9
-tHjIX1ncfl5vPR/Hus0ZKqwauvSauo7hkWRO7isuUzmNBp7YjgLSPr2QYptlpBS5
-U9+lNhpF9AUWEAAo3FqHgShh
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowLTEUMBIGA1UEChMLZXhhbXBsZS5vcmcxFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsOI8xlyV
+2kpju6cf0E8/c0QwaOBvUGzkTdCau/DyQrwFPToVpVW8mzDQUOnoUXLl92EJa4Td
+a4uN/uyiyTcjUQWrlZKdFn9HaLB7+rLUox6fZF06jsWgC0Qfr3HHWsrMINn6bucC
+9/eZag5ADPyO5XYnCW4pIFnuFVQ+w3Qr060CAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEALAPJGCfj
+ldkldb3pxmUf8V2luI38AVKNZokjATe3tyv7ikhb2g20BRi92fMHOqfAMUfoJKAu
+lT5vLep0SUETmAXdr3+WfFeZu2KZ9t5lhxyUGnHhxDc3k8TzobZSpFS9+ZnR/4GY
+TwGhx36iRUIFRZ/PUQrkRniedLSkO+H+Xko=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/cert8.db
index 778894200..611eb8a73 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/cert8.db and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/key3.db
index 8716501f2..6525b877c 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/key3.db and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.chain.pem
index e7c28b9ce..fb82c3630 100644
--- a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.chain.pem
+++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
     friendlyName: revoked1.example.org
-    localKeyID: 16 B3 32 55 D8 A1 08 97 7C BC 6A 34 A8 E5 16 99 80 90 A9 65 
+    localKeyID: 27 6D 8F 54 63 7F A4 DA F5 52 64 C8 BB 3A 42 49 78 4F 50 38 
 subject=/CN=revoked1.example.org
-issuer=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMloXDTM3MTIwMTEyMzQwMlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
-ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANQ5TGY6CeRUAIwm8yIr
-LUEgx8w4fgM8aoZJ7e3rm4nyNHbokZKUz/ixjsfTmvp2HP64GGhfi7s2tV+4m4oe
-uklEvxjc5beTOOF2kLPAD85ycizzUtA2zYPp00F52FwDHC17/5wGwXmQ43ULuguJ
-xlWLAAnhtTLvlt4kizHeI9JxAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG
-A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
-hiFodHRwOi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
-KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLm9yZy8wHwYDVR0R
-BBgwFoIUcmV2b2tlZDEuZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQELBQADgYEAAFxO
-ibdqx4Poxsp/s48C8LnzVoudTMFqszwDTaUdiOQppBL9PMEgQKo2Ai/stxGfSl/s
-/QcBVjXt6fhGs6jojVWMuDbAmLGa8JUjSK9zwcvHvHef0lIw30nwI7OXK6pV1Nnk
-ShW5r683Zm3fWBPk/meEDUNuKH4fVC5hcbJPulQ=
+MIICjTCCAfagAwIBAgIBZjANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDJaFw0zNzEyMDExMjM0MDJaMB8xHTAbBgNVBAMTFHJldm9rZWQxLmV4
+YW1wbGUub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKeZLx6cvfgQqG
+2GCqCtIPzKd3WI/iZ5QLIbQCxVwx0R6O12kUPALt0c1cWNgYuTr6PZob7jshFAX0
+/L0i4mMLFA7yOY+ykCllZ5vUSqXm40RNoA3PNdYPBFCy3AUfPDdqtXkIm4CQVub+
+r2UC6lDNn+T/QGVNQC8/ddn+tUdi0QIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5vcmcvMB8G
+A1UdEQQYMBaCFHJldm9rZWQxLmV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4GB
+AIxvZgTdJEcdez/AsP/RrWPPW13ceqq82D/UGCWfiBynDwvlEObWB3ec0h2Mccza
+sRiVwtexp7ssNUH2GCNM6B6rUrEOHGwZ6SHAesOZZnOCiRC039G6gzCWfcOhKQ/N
+YJN3nAJXWR2sH0uYi5OSey/aifbL7PxbbjU70JOotDq+
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI0peZ
-vtd+Oo8OMPy/EIlcNiVSJQ6zb5awuAcPjb5gUE3dZ1+7PiB4BlLhT1wbUJiqC3s6
-Uo2jzzNScWmwIbMTwckUIjS6Q+3khgZHWh2uBAX9j9OrMaJ6DjtyjWitDXMUcrns
-tvQs4TMoFkvBvH94gsYtnbTC5DCmKKLRkWwQhQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-eqMhcknWmbpCS7ail+FEhRpiLgZU05d7jdf3yQLu1EmMS/fdDvY8R8G17FDcCoLQ
-mSgIvn73UqTgmDgErGZgZ2LqcgioBo7fgxS2knxFKIi/WlKHpiqOkSYtqtacIUnk
-1NkPYWjBwP3bUYauHu7EcTTHO6iWd0doLrMJvGUtm9c=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowNzEUMBIGA1UEChMLZXhhbXBsZS5vcmcxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAJXe07nxVSZPJ3rVBHQp+m5gWb5/JkzXwcWKEvcmMnJzo2ydVfHBBRmTpzpS
+ST3js2awNbhEdOU7AeBtAvyOtwlT/yp6SHhOlI8PlgLwL9/xedeC0Ex412VOeaV/
+LRbvj0j+WutuglAFXfD5IlwnRoDUB1Q51JFtYZxlxvOqbLb9AgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQCf9uWkJrIlu9DvKwiiRj6/vMFydd9kLq11COjAovfD6+VbRLeX1lpC
+XpHDhUlrAKOV/5Virl+iXao5YnfnCm1oud0jRGcG8x1JPqUKW3REch4vR0wkjaBS
+5eI7DiydPL1yts588Z6gLjHZBaR0cuXS4e1k9rcXuBC9tZjv7rYskQ==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.key b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.key
index 502671182..88b64d0ff 100644
--- a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.key
+++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.key
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: revoked1.example.org
-    localKeyID: 16 B3 32 55 D8 A1 08 97 7C BC 6A 34 A8 E5 16 99 80 90 A9 65 
+    localKeyID: 27 6D 8F 54 63 7F A4 DA F5 52 64 C8 BB 3A 42 49 78 4F 50 38 
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIRkXoekprbYgCAggA
-MBQGCCqGSIb3DQMHBAjhK23s2B87MgSCAoDQv3pazdLUvYbPkShsuco700PJRn0i
-Iu4o446zUSLfgrFRbMfGdMSQoCklSGtHfhEwqIwg9j7mkJ3Rh9BoA/tFcM7/eOsx
-2rbb9EFPGsNm4a6AXkI+1+umXJJizPORGZ2uYrqoQ/ACaLegS8VMeEOvp2RJXxBN
-MqeESk2OCxA21YHgrGH0Noiuhy9NjW9WWFzvis5lgCJd24gLiEXyNBY6oq1oIUd7
-Xi095aBC+KHsQRQngbGxNd/M/TYI6RkdxNhPpvibHN83fhza+y/EVWtkJ/UW9gcv
-WPeBFFLjFHfQg51R8Ra4xZvaVgR6PB8ULPi+fSLt7XtvextUuR65mbTk8a15fljB
-SkJnjGFS1zZABJD7rDj1WpqMEH+2QIqn3usRxYa5tGVbONI3wlqV49Z08eIjDPwT
-DDXTlUOGZg1VIYWN1qkAJuApuZS4Ax/ND0fK/Qm5UMPBjbXOG6FLX3R2EfXcOeXC
-HVhSRTlRay/7YTlByek1V9UQv5NCF2Urpvio4xaMs5K5DFMpXsnUyzgfIzv0101e
-nEjDrZjkDmWqIm0hMjJpgAzu6GC5dzBS8gu4tLFhmdxMnBnhd6xRscu4Tkqtl6oy
-pIWdgiCJZfQ6ydUnzbOl6qgI0RNDrV8kg0FSINFbQ+aDUts3P3TVL+DM5locJiRd
-zCz3Cs4YcEYrKeHi3NT2tIouDE3+wNSa1LfGCdUm+tv47sS+7zBuQ32cZn6fPLH+
-9C8SFlE1dMqf+DaBbF+EssQuwotl4c335I9WfYO5//zgBHkc9kuft9B9yJ8BRiN6
-o2NJu6dkC3rENWpaKA7t28Kfq0KHkrz1QWmaQf/3UeHnjXoEBVRY8bnf
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIoExh6ojG6u8CAggA
+MBQGCCqGSIb3DQMHBAgf4iFQHuI4XASCAoCPI1ItB5BFCIf5IyU1CTjbtm7bR79s
+70Q1bE0MTWMZlBhgBdqrNXfBklEBkq1xm2bv3h7TCblZd+VGvQyX45p1bYeTq3FO
+S0j+xt2YbLqKmYhKjix912ZOkpk84tWx6RYRz4uR178WHvfKBkxkOmCGIiHQteQj
+N9j7ZDfKJjm+eftEa1Wz+97sDowWNo4s8iNXuxfvLPwWVCKQtWrB2naoCnokhgFv
+SQNdNRTAPyDegMDR73DU4WEWou0Z7SaqV2/VDmQLtFGkl3kWMSH5eVYJoekyHR/A
+jjcTqz3ISNoMhjJk7u4ZMgImn2cvH7nYiRKO4UVqT/ln8DjUok39uw/l6CgdcLym
+2bEquC2MVMLSbltSgF1qMTciQEcXzD9mqCs3tkAby5posO4B1G5iIBRmY3xtiAVE
+LlK8mRi+0MosPSik+sQvVr0gAFxJYnXMM4x8Fso4iRDf0BY2KbaQ+RaCVgHN9iyl
+/QJu/OBtd7syFczUe7s8IClEna5cHfgiJOdb3DNVL76BOda9h4eHYDih4eiKLVx7
+HRbeHcNAOxYaz8xR1U/rMPCw8lVmqVXwrqPllYsmksfqbM5bDYv4+rOz0iVxjZqH
+kNtnjpsR0WWVXEi6pMXs5HJ2qHxczNvOsYJlxJjpcDOTnUKmV4HV0ML4GU287Vhy
+wJUBp7k4NacXKxsFKwF8BOZrqG4410iNpcpSu25oQ4upwb4tBwT6Xn4TKDAY63fx
+uK3MSfv07AH3mVyKmdmFvg76Hrjn7CvD0yi8/F/wSN+ori4ieJTZRo4UHrhcojjP
+aa4tUnoCdHPJIieBk4VJNqQpHVoXvQDRdQTcsrchrsYER3Fn12eXtUr8
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.dated.resp
index 66eb161d4..5d60d6bbc 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.good.resp
index e07271c4f..dcf4cb0fd 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.req
index de30e995c..f78d2f561 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.req and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.revoked.resp
index d1225b963..892d80b52 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signer.dated.resp b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signer.dated.resp
index b879412df..4c38f33a2 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signer.dated.resp and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signer.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signer.good.resp b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signer.good.resp
index b56a3fd9b..5790e5ee2 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signer.good.resp and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signer.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signer.revoked.resp b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signer.revoked.resp
index b94f5f907..143e1c864 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signer.revoked.resp and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signer.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signernocert.dated.resp b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signernocert.dated.resp
index ec08fcf97..3e1c4ca8d 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signernocert.dated.resp and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signernocert.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signernocert.good.resp b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signernocert.good.resp
index e6647785e..d39b0e6f6 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signernocert.good.resp and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signernocert.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signernocert.revoked.resp b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signernocert.revoked.resp
index e44178050..2f29f04ea 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signernocert.revoked.resp and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.signernocert.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.p12 b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.p12
index 83a353f8d..20a77d2c8 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.p12 and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.pem b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.pem
index 3387863d6..91b8ca3e6 100644
--- a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.pem
+++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.pem
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: revoked1.example.org
-    localKeyID: 16 B3 32 55 D8 A1 08 97 7C BC 6A 34 A8 E5 16 99 80 90 A9 65 
+    localKeyID: 27 6D 8F 54 63 7F A4 DA F5 52 64 C8 BB 3A 42 49 78 4F 50 38 
 subject=/CN=revoked1.example.org
-issuer=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMloXDTM3MTIwMTEyMzQwMlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
-ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANQ5TGY6CeRUAIwm8yIr
-LUEgx8w4fgM8aoZJ7e3rm4nyNHbokZKUz/ixjsfTmvp2HP64GGhfi7s2tV+4m4oe
-uklEvxjc5beTOOF2kLPAD85ycizzUtA2zYPp00F52FwDHC17/5wGwXmQ43ULuguJ
-xlWLAAnhtTLvlt4kizHeI9JxAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG
-A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
-hiFodHRwOi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
-KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLm9yZy8wHwYDVR0R
-BBgwFoIUcmV2b2tlZDEuZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQELBQADgYEAAFxO
-ibdqx4Poxsp/s48C8LnzVoudTMFqszwDTaUdiOQppBL9PMEgQKo2Ai/stxGfSl/s
-/QcBVjXt6fhGs6jojVWMuDbAmLGa8JUjSK9zwcvHvHef0lIw30nwI7OXK6pV1Nnk
-ShW5r683Zm3fWBPk/meEDUNuKH4fVC5hcbJPulQ=
+MIICjTCCAfagAwIBAgIBZjANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDJaFw0zNzEyMDExMjM0MDJaMB8xHTAbBgNVBAMTFHJldm9rZWQxLmV4
+YW1wbGUub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKeZLx6cvfgQqG
+2GCqCtIPzKd3WI/iZ5QLIbQCxVwx0R6O12kUPALt0c1cWNgYuTr6PZob7jshFAX0
+/L0i4mMLFA7yOY+ykCllZ5vUSqXm40RNoA3PNdYPBFCy3AUfPDdqtXkIm4CQVub+
+r2UC6lDNn+T/QGVNQC8/ddn+tUdi0QIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5vcmcvMB8G
+A1UdEQQYMBaCFHJldm9rZWQxLmV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4GB
+AIxvZgTdJEcdez/AsP/RrWPPW13ceqq82D/UGCWfiBynDwvlEObWB3ec0h2Mccza
+sRiVwtexp7ssNUH2GCNM6B6rUrEOHGwZ6SHAesOZZnOCiRC039G6gzCWfcOhKQ/N
+YJN3nAJXWR2sH0uYi5OSey/aifbL7PxbbjU70JOotDq+
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.unlocked.key
index cf58651d3..0db850532 100644
--- a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.unlocked.key
+++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.unlocked.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDUOUxmOgnkVACMJvMiKy1BIMfMOH4DPGqGSe3t65uJ8jR26JGS
-lM/4sY7H05r6dhz+uBhoX4u7NrVfuJuKHrpJRL8Y3OW3kzjhdpCzwA/OcnIs81LQ
-Ns2D6dNBedhcAxwte/+cBsF5kON1C7oLicZViwAJ4bUy75beJIsx3iPScQIDAQAB
-AoGAB7cGssYsHHhHIKaHVZqyeCuaBnpsw/nEU8Stq7snkhKYyz795hwMZJmcK6Ht
-ixVJYqNRuX9KB/36MWRCMkRBncM5AwgX/BOX29xSXtDW0F1A/5iao2mPiZBu/fOB
-XVouF9w/XJsIy+QmL+exux+0IF5gAezgGopMQ/5yyu6D/AkCQQDtV5AUoav7rk8S
-1xtk8L4mZGh5QWJCeEQsN7Xp1zde8QCTFd2hfvzHkncDPDWL9+m+NL46X2xeeD1C
-aNRDf0q5AkEA5Og9LtO3nB1ti6HMMms9HX4X5v6p96bJhQl5/EXyFbO6rJBXbWe+
-2AmwBbXFU1Me/na1G6c7vY75WNsY96EJeQJATNG2lLbvT3rPpS1ydG1nXk3JctWy
-1AjRJ+6wNouuJFCk+vZs0cSkVIQXeTiXrEIFqcawe3w/OyR3z3LWoTImIQJBAKfT
-QXBAl0BlLviNwnlAuIkT9pBMK+8/IEZioUX9PjT9FaMJHKBAzOH1kFFPaIHj0jh8
-beH9ZUZgOZ4U3KRJM/kCQEVAgKgZaulkv8IxPoTLuaimonyJPI0Ku8P5jzxuAdHw
-1sHXicVddvjPJtJ09ptt58X5qVbkrXX7IHxtcSZTSXM=
+MIICXAIBAAKBgQDKeZLx6cvfgQqG2GCqCtIPzKd3WI/iZ5QLIbQCxVwx0R6O12kU
+PALt0c1cWNgYuTr6PZob7jshFAX0/L0i4mMLFA7yOY+ykCllZ5vUSqXm40RNoA3P
+NdYPBFCy3AUfPDdqtXkIm4CQVub+r2UC6lDNn+T/QGVNQC8/ddn+tUdi0QIDAQAB
+AoGAAtRnTethI/RDJVEjAWAJ1q/a8PjN9/wlGPEQDuWFt+ou2xBedv/YtaH+lKlm
+3xTq+AIs5BzfUC4eCty5DaKsKijZ6TfIjJr3557uKieFxvDD4qhTvQYd8ActA8ry
+LKF/c/rQSAaG0AcAOGYzt8T3sDcmFK+J3rSs/wHDYtrEtQ0CQQDuMV48z9gYKNxn
+Hm4869hsGc1qUf319TPmX/YfKmcqwYOQwbL4HCWA2OvSfLjOJ38nYDHjNJzIUFDY
+wAFo21ylAkEA2ZyfCwu4+GIyK24SgA/frwuLWpZKFMaoop8nqG/Jyq06JpOOhhz3
+YmN9QhnK4pKUscfECYip+vhun2n8skJ5vQJAYiU9a1lI9UuA5YyIZ9nWJ1TKa1C1
+kC8k33wS8eyK7fcmuvLVR55xZZH8OZLioy9rGVJtu+zl3TQa2/Thn88jcQJAD0Rz
+zByYb6TEDFP+rElw0iEnN8XPkMGXV0F/UMv3Bmc86zPzDem+WYLNaPPSTi8mi4qO
+cHTMKDWB3WFcP012qQJBAJm1ylDMwcttP3b1yEKkW25uXGYJqLsYsLx+tPrgAsiP
+QleA68sgn/R26yQBichKZS6enLIsDK0QQVr/JTkjOyU=
 -----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/ca_chain.pem
index e3165d194..f262d8f92 100644
--- a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/ca_chain.pem
+++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/ca_chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.org/CN=clica Signing Cert
-issuer=/O=example.org/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.org/CN=clica Signing Cert rsa
+issuer=/O=example.org/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI0peZ
-vtd+Oo8OMPy/EIlcNiVSJQ6zb5awuAcPjb5gUE3dZ1+7PiB4BlLhT1wbUJiqC3s6
-Uo2jzzNScWmwIbMTwckUIjS6Q+3khgZHWh2uBAX9j9OrMaJ6DjtyjWitDXMUcrns
-tvQs4TMoFkvBvH94gsYtnbTC5DCmKKLRkWwQhQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-eqMhcknWmbpCS7ail+FEhRpiLgZU05d7jdf3yQLu1EmMS/fdDvY8R8G17FDcCoLQ
-mSgIvn73UqTgmDgErGZgZ2LqcgioBo7fgxS2knxFKIi/WlKHpiqOkSYtqtacIUnk
-1NkPYWjBwP3bUYauHu7EcTTHO6iWd0doLrMJvGUtm9c=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowNzEUMBIGA1UEChMLZXhhbXBsZS5vcmcxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAJXe07nxVSZPJ3rVBHQp+m5gWb5/JkzXwcWKEvcmMnJzo2ydVfHBBRmTpzpS
+ST3js2awNbhEdOU7AeBtAvyOtwlT/yp6SHhOlI8PlgLwL9/xedeC0Ex412VOeaV/
+LRbvj0j+WutuglAFXfD5IlwnRoDUB1Q51JFtYZxlxvOqbLb9AgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQCf9uWkJrIlu9DvKwiiRj6/vMFydd9kLq11COjAovfD6+VbRLeX1lpC
+XpHDhUlrAKOV/5Virl+iXao5YnfnCm1oud0jRGcG8x1JPqUKW3REch4vR0wkjaBS
+5eI7DiydPL1yts588Z6gLjHZBaR0cuXS4e1k9rcXuBC9tZjv7rYskQ==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.org/CN=clica CA
-issuer=/O=example.org/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.org/CN=clica CA rsa
+issuer=/O=example.org/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKKaWSv0duLwJQQ6t18l
-yWSGmELgaflSPTidcPii6YYskJAQjnHH13P63PUwXj68knq9JdgeXwZLWszq04Uk
-esjSLJ/e9eIE+Uk9Y2zaes0vTiOIMnYe9u4S6VUNYBO6S+zX89+CHBicNr9tnEEd
-FAw56VTBKtMDA2oPWi5BQ+8/AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBAKGed/hvquJ9QctYRyCB
-uIYN1ogbfRj2bSYvKMrSvuW8bVyYAR0C8jj8LA9IEK33EZKBz+D0RHV7s13Cnom9
-tHjIX1ncfl5vPR/Hus0ZKqwauvSauo7hkWRO7isuUzmNBp7YjgLSPr2QYptlpBS5
-U9+lNhpF9AUWEAAo3FqHgShh
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowLTEUMBIGA1UEChMLZXhhbXBsZS5vcmcxFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsOI8xlyV
+2kpju6cf0E8/c0QwaOBvUGzkTdCau/DyQrwFPToVpVW8mzDQUOnoUXLl92EJa4Td
+a4uN/uyiyTcjUQWrlZKdFn9HaLB7+rLUox6fZF06jsWgC0Qfr3HHWsrMINn6bucC
+9/eZag5ADPyO5XYnCW4pIFnuFVQ+w3Qr060CAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEALAPJGCfj
+ldkldb3pxmUf8V2luI38AVKNZokjATe3tyv7ikhb2g20BRi92fMHOqfAMUfoJKAu
+lT5vLep0SUETmAXdr3+WfFeZu2KZ9t5lhxyUGnHhxDc3k8TzobZSpFS9+ZnR/4GY
+TwGhx36iRUIFRZ/PUQrkRniedLSkO+H+Xko=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/cert8.db
index b7df35b8c..a536c9e54 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/cert8.db and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/key3.db
index 34a29287e..f0d8932d8 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/key3.db and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.chain.pem
index b6d2fef98..d624b4c39 100644
--- a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.chain.pem
+++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
     friendlyName: revoked2.example.org
-    localKeyID: 6A 36 1A 58 1C FF A8 9F 66 D1 B4 67 09 EB 27 63 A2 71 2E E8 
+    localKeyID: D0 14 76 0E D8 FB A2 5B 61 59 4C C9 F2 FC B4 9D 6D 80 46 6A 
 subject=/CN=revoked2.example.org
-issuer=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhh
-bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDNaFw0zNzEyMDExMjM0MDNaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
-bGUub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDh98fCkIQKwpKyfg2o
-fEYF9ZV7Lo9dQWnHtumygfIipzVtMzEEvQ0UKOwvaUdKqT81IrmEokjBo/phHjMN
-iQxunhO4i//CNk0qImDrR3/alvxMO1lquWB/l8kDOx9PjR8ntGb8vWB29GbMDpj9
-BLyMkg0EOZZHo46VW5J3EFA21wIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5vcmcvMB8GA1Ud
-EQQYMBaCFHJldm9rZWQyLmV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4GBAET9
-V8w/BEUzYzeBZlFLAsgfTQxc4OxqWfJDCfEA/fJ7TrTpBPRkqV3ndx4ML4TkP6qt
-dtAe6FMV2ZFhqe4X2uvHPXTcO44Zz3cLR7S1ykJcEK3S6w6cmjgOAIBwsSW1enrX
-G42IbhOW5XVRrASQSA4ylHbGvEsoz5yfnCTzaNfs
+MIICjjCCAfegAwIBAgICAMowDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIx
+MTAxMTIzNDAzWhcNMzcxMjAxMTIzNDAzWjAfMR0wGwYDVQQDExRyZXZva2VkMi5l
+eGFtcGxlLm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6eEsn9l+YWNJ
+57x5be0XgFrpjoYgjYodEWTkPXDfN3yARk8hS5aG+2gKrwo56O7HiZIU6k3Jd6VL
+WNeCsuMvSttiOe/SRHOZCs/WOEaeJq0Z6jMH5U/6n2sneLTrJ1FuYHg6rOAoRQgN
+R/Urz83nRgI87eM5Hwke9wUjX1FjqoUCAwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUub3JnLzAf
+BgNVHREEGDAWghRyZXZva2VkMi5leGFtcGxlLm9yZzANBgkqhkiG9w0BAQsFAAOB
+gQBhVWKH0uNU8a7ujHtLc//8YCFLpVFQJUln8FeXDdEEYpmb5VbFW8w0jmdz0nQI
+F5z3iaz51G+1JwWEpLen6ijCpr1ry1G8ZyDy/R+mHGyEU8uyYIfiOokL43trcobn
+YgRE9agT/hbkPhLu0SxXLsuGhjZPNDsIHDlwEwxROG+JCA==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI0peZ
-vtd+Oo8OMPy/EIlcNiVSJQ6zb5awuAcPjb5gUE3dZ1+7PiB4BlLhT1wbUJiqC3s6
-Uo2jzzNScWmwIbMTwckUIjS6Q+3khgZHWh2uBAX9j9OrMaJ6DjtyjWitDXMUcrns
-tvQs4TMoFkvBvH94gsYtnbTC5DCmKKLRkWwQhQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-eqMhcknWmbpCS7ail+FEhRpiLgZU05d7jdf3yQLu1EmMS/fdDvY8R8G17FDcCoLQ
-mSgIvn73UqTgmDgErGZgZ2LqcgioBo7fgxS2knxFKIi/WlKHpiqOkSYtqtacIUnk
-1NkPYWjBwP3bUYauHu7EcTTHO6iWd0doLrMJvGUtm9c=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowNzEUMBIGA1UEChMLZXhhbXBsZS5vcmcxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAJXe07nxVSZPJ3rVBHQp+m5gWb5/JkzXwcWKEvcmMnJzo2ydVfHBBRmTpzpS
+ST3js2awNbhEdOU7AeBtAvyOtwlT/yp6SHhOlI8PlgLwL9/xedeC0Ex412VOeaV/
+LRbvj0j+WutuglAFXfD5IlwnRoDUB1Q51JFtYZxlxvOqbLb9AgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQCf9uWkJrIlu9DvKwiiRj6/vMFydd9kLq11COjAovfD6+VbRLeX1lpC
+XpHDhUlrAKOV/5Virl+iXao5YnfnCm1oud0jRGcG8x1JPqUKW3REch4vR0wkjaBS
+5eI7DiydPL1yts588Z6gLjHZBaR0cuXS4e1k9rcXuBC9tZjv7rYskQ==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.key b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.key
index 17517724a..6120e5d72 100644
--- a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.key
+++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.key
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: revoked2.example.org
-    localKeyID: 6A 36 1A 58 1C FF A8 9F 66 D1 B4 67 09 EB 27 63 A2 71 2E E8 
+    localKeyID: D0 14 76 0E D8 FB A2 5B 61 59 4C C9 F2 FC B4 9D 6D 80 46 6A 
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIGHbR7WtopmoCAggA
-MBQGCCqGSIb3DQMHBAh0zlUUYCw0mQSCAoAfAQ9wwJjxeHg8cun5HROWb8uU0e1x
-8i70wELecOA0U34te0Ng3n9sjsGj/YHSiGJIHws9zO3pA9mGW5o9QpqV97MVA9ix
-E8JDU+4aI120s02p8y2PW9WUARJUKudp31TOxITv28HuXdsE3XPkevHqAD1TotUV
-nyVTib5efhqDkBMv1t7tPhPd6fwoxttgR6HL1tzEg48kb6pFAjp2Wijf3m5kt6DE
-xOoujA3b50aSkpkdlpDDoD+4QoPYs33KUuQ7ScFvXI5+u70DC30NBqqkghOrwTnM
-TK+5ralTXuWEn72PZPAAlvFFORyVySAbM5lMIwBukeUD1DwWKztVspg+3m9yd/2+
-4F4LcQiRnK61k0UBico+NxOzu8Nty0foRLXVQOmjGVMV40FLxTqV8zDAT3dxysij
-Mhy0lKWq7PIwUYUfue/MLe6bs48kK2tm5oEjhdR/j8JHi2dWje4iH3KyYqZzEtTH
-X8ezmSsIkx2w2CGTt4K5kFZv19kGEavzZ9JfG0PMnV90KGI1MvJvcQ1o/Mb0mQdq
-ZkzF9gAoLwGqMImDFXx7byaxGYcAdAFK6ZpmEE/+lFAVMo4/8z/i87xpEdPGtWbQ
-f7npJ80oK6G0nog+HOmY58n8iIf/2/oRrCuC+OMcl8/slA7/JwkXfaUQaiZyUvMf
-Csja31m7nL/OOmvsPUwlxlDRKP55egEmy5qCyJWKzfEPBK7CbzPbvGuTmfF5aGEq
-B/eLlr42JJV2vAAc3XnSCOwp5zyaZyKlTsnI5A+ywK6FAj/bQ2xe+tj6SeAD9k28
-Gt8cwWVyKGXsAv1JTXPzv1uzQPORU4pDqA4gZAKC4S0E1Q1VN8O9tMw3
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQItJ3O9PoZq0UCAggA
+MBQGCCqGSIb3DQMHBAjwM4/9qvXIHgSCAoAIOS9hz8tWX52arrf/7NlYPABpLsDQ
+PHFmvb1V1wMKfIFOqq4LZ28fbhckyTutznCZCyBae74ywxxCgGEpjK75RUyI/whm
+hyVnJ6oTXrTOn9OwD4O5ElGsR5x0UdDxKPBiMdwYyDbNvaYZ+alMA7FEH9WiKVmW
+0k2uxTcjGa+EC+s3XUrxdiB7d3tncAT/kS3BCt5Rer10iGtta+bKr8toWMd3v9NP
+MGJxwaHKDP+DxX8q1Jqw4Y2w4sK4ScY7tkPOTTr48hzGeJAhyiMqr0zqGvmzWucc
+CRDDyYxm8QQ69n/xVRFUHf1z81v1gJKxr4SHaD1nbuPVrT6ZFkcDT5aR4lJ7Lo2P
+LU4U1o24zzelNrJM5sEz5er1e9T2jFfOHe+3JF8wh4s7cgIee0IPwY28WFUmGQ6k
+ovlTHFF6fVmIj59zz3IvirJnx8oyAs5mPJJgrIZ/Ov7r8/+t2LGyy21toPHJ7356
+MnK62wM0Mbb8xzzcXYFDZeaN7Wcmu9sKnGWfplj8Qi1sBGBLGLL4BGhKEU6xzjvX
+VfckyYfmwMRIaql+UphIjNH1Ik5A3iGMDxe1m9cWYLbrHnNbIg2xxz7tsBv5v3Dl
+bCNRWCF8k/MRdMOBoMqdWNCxIKKJPLmh/v796sC9xW+rBMWphAYjFX2aeaXLa+iQ
+XfMH8nEQIXMKxUfgEjOnBySixGY2hJScpAhozJZN85W4yMW2uvqlSnI17C5cB5Sg
+mt+Au3UdaCqNDP89cAC59vokrdAl7vP1ikRWXlU3LZZMggfMaNLx4beoGazgbyP6
+FYiqBuG0INDlRyDuuL6qJB39Sj9N0C+b+29W1RQEUuEfgQ8z638P+y3s
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.dated.resp
index 7e4277842..be5dda167 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.good.resp
index d52907068..30b36d6a1 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.req
index 824205d9b..8dcb4ccba 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.req and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.revoked.resp
index d52907068..30b36d6a1 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signer.dated.resp b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signer.dated.resp
index 7d8416e13..73dc39004 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signer.dated.resp and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signer.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signer.good.resp b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signer.good.resp
index f0a5b99b2..2167187bf 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signer.good.resp and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signer.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signer.revoked.resp b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signer.revoked.resp
index f0a5b99b2..2167187bf 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signer.revoked.resp and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signer.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signernocert.dated.resp b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signernocert.dated.resp
index 85365674f..14d796979 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signernocert.dated.resp and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signernocert.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signernocert.good.resp b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signernocert.good.resp
index 604cfe4a9..1cdcd52a2 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signernocert.good.resp and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signernocert.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signernocert.revoked.resp b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signernocert.revoked.resp
index 604cfe4a9..1cdcd52a2 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signernocert.revoked.resp and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.signernocert.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.p12 b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.p12
index 9bf7bea0e..2a75bf424 100644
Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.p12 and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.pem b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.pem
index 4964312cb..1237215e9 100644
--- a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.pem
+++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.pem
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: revoked2.example.org
-    localKeyID: 6A 36 1A 58 1C FF A8 9F 66 D1 B4 67 09 EB 27 63 A2 71 2E E8 
+    localKeyID: D0 14 76 0E D8 FB A2 5B 61 59 4C C9 F2 FC B4 9D 6D 80 46 6A 
 subject=/CN=revoked2.example.org
-issuer=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhh
-bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDNaFw0zNzEyMDExMjM0MDNaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
-bGUub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDh98fCkIQKwpKyfg2o
-fEYF9ZV7Lo9dQWnHtumygfIipzVtMzEEvQ0UKOwvaUdKqT81IrmEokjBo/phHjMN
-iQxunhO4i//CNk0qImDrR3/alvxMO1lquWB/l8kDOx9PjR8ntGb8vWB29GbMDpj9
-BLyMkg0EOZZHo46VW5J3EFA21wIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5vcmcvMB8GA1Ud
-EQQYMBaCFHJldm9rZWQyLmV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4GBAET9
-V8w/BEUzYzeBZlFLAsgfTQxc4OxqWfJDCfEA/fJ7TrTpBPRkqV3ndx4ML4TkP6qt
-dtAe6FMV2ZFhqe4X2uvHPXTcO44Zz3cLR7S1ykJcEK3S6w6cmjgOAIBwsSW1enrX
-G42IbhOW5XVRrASQSA4ylHbGvEsoz5yfnCTzaNfs
+MIICjjCCAfegAwIBAgICAMowDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIx
+MTAxMTIzNDAzWhcNMzcxMjAxMTIzNDAzWjAfMR0wGwYDVQQDExRyZXZva2VkMi5l
+eGFtcGxlLm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6eEsn9l+YWNJ
+57x5be0XgFrpjoYgjYodEWTkPXDfN3yARk8hS5aG+2gKrwo56O7HiZIU6k3Jd6VL
+WNeCsuMvSttiOe/SRHOZCs/WOEaeJq0Z6jMH5U/6n2sneLTrJ1FuYHg6rOAoRQgN
+R/Urz83nRgI87eM5Hwke9wUjX1FjqoUCAwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUub3JnLzAf
+BgNVHREEGDAWghRyZXZva2VkMi5leGFtcGxlLm9yZzANBgkqhkiG9w0BAQsFAAOB
+gQBhVWKH0uNU8a7ujHtLc//8YCFLpVFQJUln8FeXDdEEYpmb5VbFW8w0jmdz0nQI
+F5z3iaz51G+1JwWEpLen6ijCpr1ry1G8ZyDy/R+mHGyEU8uyYIfiOokL43trcobn
+YgRE9agT/hbkPhLu0SxXLsuGhjZPNDsIHDlwEwxROG+JCA==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.unlocked.key
index 6e587259b..ed58c27aa 100644
--- a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.unlocked.key
+++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.unlocked.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDh98fCkIQKwpKyfg2ofEYF9ZV7Lo9dQWnHtumygfIipzVtMzEE
-vQ0UKOwvaUdKqT81IrmEokjBo/phHjMNiQxunhO4i//CNk0qImDrR3/alvxMO1lq
-uWB/l8kDOx9PjR8ntGb8vWB29GbMDpj9BLyMkg0EOZZHo46VW5J3EFA21wIDAQAB
-AoGAGDk5M1zNot+n3TWRHkIwOXxRqXJc0Qjtn4i2tbmjbN6S5iFqPFFN4R7f7tcw
-2sqY6YfO7m59MTD0asvTejx6Vf+4Ff/GGMXMTw2SNyQwk0U6bYJLuz6MqhHAd4N0
-BDntsPAvmPi4io8oenbodx0SJlAE4yPWIt/SJX2BawA9To0CQQD/c4cmjYP/ic9Z
-VFrrZpKKrRJXoBtw7hdhpd5oi9gIlOIZ1H2iJKK44qbnHTOm8b6J/OG4Z+Zdqu8L
-JI0dg3dVAkEA4nQKHtfCb37DpF0fQe2JymcjtV126wV8zWlCqzP0W9Kphe2tt9QY
-mjgOgwB6LwzMrVd1LQQVz18lssMyyJxdewJAM+lAP79mYZmZv2d7CndPtEqzfYcV
-zH811Swl5Ez229eVkvYxia+0OaoljLXMd1KNC/GN1TGYCNThuvv0iVjb+QJBAJiu
-emBfQuZfxtMcQkX2PXAtaEMRWGuPkJ0CeoPqDLiYado17WnDZC8e2pHzEW6Fp767
-9/I5Ded6lHVZ7PSbkN8CQQCZrZqk4elkEUH6mjnENehBxLYod03U01Ghyg/HH/e2
-on2c+26Cjj9Qd81SDU5Hy5yInEm28Htz5//R1wX7QVLK
+MIICXQIBAAKBgQDp4Syf2X5hY0nnvHlt7ReAWumOhiCNih0RZOQ9cN83fIBGTyFL
+lob7aAqvCjno7seJkhTqTcl3pUtY14Ky4y9K22I579JEc5kKz9Y4Rp4mrRnqMwfl
+T/qfayd4tOsnUW5geDqs4ChFCA1H9SvPzedGAjzt4zkfCR73BSNfUWOqhQIDAQAB
+AoGAKVwkld0y3BqgsH5UdBPsZsrNCGMgYR92XgPbWCE8nFWkYqquPu2PD+k5kHRs
+wsxtVZ8Tm07nzMSaw0qTZrrF+y6p8X12rXAz/C/nQ5iMAwF0/KJec2o8VeoVd2+Y
+2PxK1owBv25Ku/2gUosTvk/siwf+PWtBwIeGEVM0MBpjxwECQQD57xwU6WpPs2aN
+OJTSAQHfJhCNFrxtv0hbMU0sAlqnj7XlAeGnoABpuMkd6tZoDCrQkyDT8ksl49IC
+aXB8pHEBAkEA745QsDQMixLz/ExUr8fu+ygjG01BwyRqGVAstxLU/7Wj9/HAzLnO
+Z2wWdsPVmCHpbvEZW+AxV+q1CcLd0M/1hQJBALH5fvm1LSsMCR7PB8pzRS3uISMW
+6Z8M8y1c8iNAmeVwBIrKyDFhUmn2V+Ch9YOqBmL4IgxLIRAeJtHo210mjAECQHjX
+7dQ1LW6qrPHE/6N81A1Wff8zxczO/cavLx9bHJ+x3XkiNwQPZxO87sgSmhkYYk1Y
+ylYSjlGvUIwQBR1lCpECQQCA6JqiYrdNHbFHJcpgJ9BJRyVs1EPg8ra4Oa75qn1h
+xS/7/RGMsCeMXNVwzJyzo4gM+fDejI/OZQZXxFHUY6dE
 -----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/server1.example.org/ca_chain.pem
index e3165d194..f262d8f92 100644
--- a/test/aux-fixed/exim-ca/example.org/server1.example.org/ca_chain.pem
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/ca_chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.org/CN=clica Signing Cert
-issuer=/O=example.org/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.org/CN=clica Signing Cert rsa
+issuer=/O=example.org/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI0peZ
-vtd+Oo8OMPy/EIlcNiVSJQ6zb5awuAcPjb5gUE3dZ1+7PiB4BlLhT1wbUJiqC3s6
-Uo2jzzNScWmwIbMTwckUIjS6Q+3khgZHWh2uBAX9j9OrMaJ6DjtyjWitDXMUcrns
-tvQs4TMoFkvBvH94gsYtnbTC5DCmKKLRkWwQhQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-eqMhcknWmbpCS7ail+FEhRpiLgZU05d7jdf3yQLu1EmMS/fdDvY8R8G17FDcCoLQ
-mSgIvn73UqTgmDgErGZgZ2LqcgioBo7fgxS2knxFKIi/WlKHpiqOkSYtqtacIUnk
-1NkPYWjBwP3bUYauHu7EcTTHO6iWd0doLrMJvGUtm9c=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowNzEUMBIGA1UEChMLZXhhbXBsZS5vcmcxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAJXe07nxVSZPJ3rVBHQp+m5gWb5/JkzXwcWKEvcmMnJzo2ydVfHBBRmTpzpS
+ST3js2awNbhEdOU7AeBtAvyOtwlT/yp6SHhOlI8PlgLwL9/xedeC0Ex412VOeaV/
+LRbvj0j+WutuglAFXfD5IlwnRoDUB1Q51JFtYZxlxvOqbLb9AgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQCf9uWkJrIlu9DvKwiiRj6/vMFydd9kLq11COjAovfD6+VbRLeX1lpC
+XpHDhUlrAKOV/5Virl+iXao5YnfnCm1oud0jRGcG8x1JPqUKW3REch4vR0wkjaBS
+5eI7DiydPL1yts588Z6gLjHZBaR0cuXS4e1k9rcXuBC9tZjv7rYskQ==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.org/CN=clica CA
-issuer=/O=example.org/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.org/CN=clica CA rsa
+issuer=/O=example.org/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKKaWSv0duLwJQQ6t18l
-yWSGmELgaflSPTidcPii6YYskJAQjnHH13P63PUwXj68knq9JdgeXwZLWszq04Uk
-esjSLJ/e9eIE+Uk9Y2zaes0vTiOIMnYe9u4S6VUNYBO6S+zX89+CHBicNr9tnEEd
-FAw56VTBKtMDA2oPWi5BQ+8/AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBAKGed/hvquJ9QctYRyCB
-uIYN1ogbfRj2bSYvKMrSvuW8bVyYAR0C8jj8LA9IEK33EZKBz+D0RHV7s13Cnom9
-tHjIX1ncfl5vPR/Hus0ZKqwauvSauo7hkWRO7isuUzmNBp7YjgLSPr2QYptlpBS5
-U9+lNhpF9AUWEAAo3FqHgShh
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowLTEUMBIGA1UEChMLZXhhbXBsZS5vcmcxFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsOI8xlyV
+2kpju6cf0E8/c0QwaOBvUGzkTdCau/DyQrwFPToVpVW8mzDQUOnoUXLl92EJa4Td
+a4uN/uyiyTcjUQWrlZKdFn9HaLB7+rLUox6fZF06jsWgC0Qfr3HHWsrMINn6bucC
+9/eZag5ADPyO5XYnCW4pIFnuFVQ+w3Qr060CAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEALAPJGCfj
+ldkldb3pxmUf8V2luI38AVKNZokjATe3tyv7ikhb2g20BRi92fMHOqfAMUfoJKAu
+lT5vLep0SUETmAXdr3+WfFeZu2KZ9t5lhxyUGnHhxDc3k8TzobZSpFS9+ZnR/4GY
+TwGhx36iRUIFRZ/PUQrkRniedLSkO+H+Xko=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/server1.example.org/cert8.db
index 2cd26382e..3626f0b68 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/cert8.db and b/test/aux-fixed/exim-ca/example.org/server1.example.org/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/fullchain.pem b/test/aux-fixed/exim-ca/example.org/server1.example.org/fullchain.pem
index 324c7a6d9..b24f726e8 100644
--- a/test/aux-fixed/exim-ca/example.org/server1.example.org/fullchain.pem
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/fullchain.pem
@@ -1,58 +1,58 @@
 Bag Attributes
     friendlyName: server1.example.org
-    localKeyID: 31 14 69 34 8C 81 EC 6D 46 82 02 96 40 E3 D7 65 60 72 C1 47 
+    localKeyID: 3B 5C 4E 1E 72 62 AE 31 20 9A E4 E3 FF 16 93 6D 9B D7 95 39 
 subject=/CN=server1.example.org
-issuer=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIIC2zCCAkSgAwIBAgIBZTANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMloXDTM3MTIwMTEyMzQwMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
-Lm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtz5/dxB0WGrlSPBl2obN
-4UL+JhCslJJbTnd4oYpQNG7gsmPSaxf3W3+i1QA0ugfvdUP7zEOlU+H6YaoUIrPG
-/S0h6cGkwW1Z68HDvYRzUIdiVFJfIUuSKMckQHv1lkiX2GXOHfAE6VJM4iaTgeVW
-r//JrJ6qtVNen4aipdR0ChsCAwEAAaOCARIwggEOMA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5vcmcvMHAGA1Ud
-EQRpMGeCIWFsdGVybmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLm9yZ4IiYWx0ZXJu
-YXRlbmFtZTIuc2VydmVyMS5leGFtcGxlLm9yZ4ITc2VydmVyMS5leGFtcGxlLm9y
-Z4IJKi50ZXN0LmV4MA0GCSqGSIb3DQEBCwUAA4GBAFIri9zSly2pxUJqdgI+KGeQ
-Gu1Ipo7uN7psbST9aZf+BlJ/6vcebmYs8BR9kIwBwwDZ9nmUV8cX8iZOr7CrBQ/F
-IiAUrTzUEcFgiwGjTyG8m9QF/RJnHrehjCwTwhpF04SN/qpIPUl2l4+b9trTRexB
-7RhKtFMpHNW3cm2hITZf
+MIIC3zCCAkigAwIBAgIBZTANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDJaFw0zNzEyMDExMjM0MDJaMB4xHDAaBgNVBAMTE3NlcnZlcjEuZXhh
+bXBsZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALQR4qm/kntqDomp
+Xnl7DvuQ7Mx3KzXoyvtqncdQnZ2R0P5FECp5ou9UjX0twezyZtUmoHhPfpTUDkOe
+7GPz8jNhT8XQun2UHnUblfeDL96am9hr0iiSaB3tYxJ3hWZ78O/2J1GvVQNWmBXS
+kCoQUVJVmXN/yTVMR21qxFhGcmb7AgMBAAGjggESMIIBDjAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUub3JnLzBw
+BgNVHREEaTBnghNzZXJ2ZXIxLmV4YW1wbGUub3JngiFhbHRlcm5hdGVuYW1lLnNl
+cnZlcjEuZXhhbXBsZS5vcmeCCSoudGVzdC5leIIiYWx0ZXJuYXRlbmFtZTIuc2Vy
+dmVyMS5leGFtcGxlLm9yZzANBgkqhkiG9w0BAQsFAAOBgQAnF12Xe/y99pELMeNx
+JGTLm0HWhBydqfKBy0OhUoUrDl7jzMZFad7GkLDgtqR2WDF4p9/inE/ZDupw2jHI
+T4O9mtt5JsT0B4OuzPAF5iL3BgFh7xq3eWifOydk2HbXN4fdvFdi1k6sdV3OFfQe
+f04Khku2+5mfjEvZXT407FiV2w==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.org/CN=clica Signing Cert
-issuer=/O=example.org/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.org/CN=clica Signing Cert rsa
+issuer=/O=example.org/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI0peZ
-vtd+Oo8OMPy/EIlcNiVSJQ6zb5awuAcPjb5gUE3dZ1+7PiB4BlLhT1wbUJiqC3s6
-Uo2jzzNScWmwIbMTwckUIjS6Q+3khgZHWh2uBAX9j9OrMaJ6DjtyjWitDXMUcrns
-tvQs4TMoFkvBvH94gsYtnbTC5DCmKKLRkWwQhQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-eqMhcknWmbpCS7ail+FEhRpiLgZU05d7jdf3yQLu1EmMS/fdDvY8R8G17FDcCoLQ
-mSgIvn73UqTgmDgErGZgZ2LqcgioBo7fgxS2knxFKIi/WlKHpiqOkSYtqtacIUnk
-1NkPYWjBwP3bUYauHu7EcTTHO6iWd0doLrMJvGUtm9c=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowNzEUMBIGA1UEChMLZXhhbXBsZS5vcmcxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAJXe07nxVSZPJ3rVBHQp+m5gWb5/JkzXwcWKEvcmMnJzo2ydVfHBBRmTpzpS
+ST3js2awNbhEdOU7AeBtAvyOtwlT/yp6SHhOlI8PlgLwL9/xedeC0Ex412VOeaV/
+LRbvj0j+WutuglAFXfD5IlwnRoDUB1Q51JFtYZxlxvOqbLb9AgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQCf9uWkJrIlu9DvKwiiRj6/vMFydd9kLq11COjAovfD6+VbRLeX1lpC
+XpHDhUlrAKOV/5Virl+iXao5YnfnCm1oud0jRGcG8x1JPqUKW3REch4vR0wkjaBS
+5eI7DiydPL1yts588Z6gLjHZBaR0cuXS4e1k9rcXuBC9tZjv7rYskQ==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.org/CN=clica CA
-issuer=/O=example.org/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.org/CN=clica CA rsa
+issuer=/O=example.org/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKKaWSv0duLwJQQ6t18l
-yWSGmELgaflSPTidcPii6YYskJAQjnHH13P63PUwXj68knq9JdgeXwZLWszq04Uk
-esjSLJ/e9eIE+Uk9Y2zaes0vTiOIMnYe9u4S6VUNYBO6S+zX89+CHBicNr9tnEEd
-FAw56VTBKtMDA2oPWi5BQ+8/AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBAKGed/hvquJ9QctYRyCB
-uIYN1ogbfRj2bSYvKMrSvuW8bVyYAR0C8jj8LA9IEK33EZKBz+D0RHV7s13Cnom9
-tHjIX1ncfl5vPR/Hus0ZKqwauvSauo7hkWRO7isuUzmNBp7YjgLSPr2QYptlpBS5
-U9+lNhpF9AUWEAAo3FqHgShh
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowLTEUMBIGA1UEChMLZXhhbXBsZS5vcmcxFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsOI8xlyV
+2kpju6cf0E8/c0QwaOBvUGzkTdCau/DyQrwFPToVpVW8mzDQUOnoUXLl92EJa4Td
+a4uN/uyiyTcjUQWrlZKdFn9HaLB7+rLUox6fZF06jsWgC0Qfr3HHWsrMINn6bucC
+9/eZag5ADPyO5XYnCW4pIFnuFVQ+w3Qr060CAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEALAPJGCfj
+ldkldb3pxmUf8V2luI38AVKNZokjATe3tyv7ikhb2g20BRi92fMHOqfAMUfoJKAu
+lT5vLep0SUETmAXdr3+WfFeZu2KZ9t5lhxyUGnHhxDc3k8TzobZSpFS9+ZnR/4GY
+TwGhx36iRUIFRZ/PUQrkRniedLSkO+H+Xko=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/server1.example.org/key3.db
index 5d78385d2..75dc94562 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/key3.db and b/test/aux-fixed/exim-ca/example.org/server1.example.org/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.chain.pem
index d7861820a..64f599f2d 100644
--- a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.chain.pem
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.chain.pem
@@ -1,37 +1,37 @@
 Bag Attributes
     friendlyName: server1.example.org
-    localKeyID: 31 14 69 34 8C 81 EC 6D 46 82 02 96 40 E3 D7 65 60 72 C1 47 
+    localKeyID: 3B 5C 4E 1E 72 62 AE 31 20 9A E4 E3 FF 16 93 6D 9B D7 95 39 
 subject=/CN=server1.example.org
-issuer=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIIC2zCCAkSgAwIBAgIBZTANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMloXDTM3MTIwMTEyMzQwMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
-Lm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtz5/dxB0WGrlSPBl2obN
-4UL+JhCslJJbTnd4oYpQNG7gsmPSaxf3W3+i1QA0ugfvdUP7zEOlU+H6YaoUIrPG
-/S0h6cGkwW1Z68HDvYRzUIdiVFJfIUuSKMckQHv1lkiX2GXOHfAE6VJM4iaTgeVW
-r//JrJ6qtVNen4aipdR0ChsCAwEAAaOCARIwggEOMA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5vcmcvMHAGA1Ud
-EQRpMGeCIWFsdGVybmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLm9yZ4IiYWx0ZXJu
-YXRlbmFtZTIuc2VydmVyMS5leGFtcGxlLm9yZ4ITc2VydmVyMS5leGFtcGxlLm9y
-Z4IJKi50ZXN0LmV4MA0GCSqGSIb3DQEBCwUAA4GBAFIri9zSly2pxUJqdgI+KGeQ
-Gu1Ipo7uN7psbST9aZf+BlJ/6vcebmYs8BR9kIwBwwDZ9nmUV8cX8iZOr7CrBQ/F
-IiAUrTzUEcFgiwGjTyG8m9QF/RJnHrehjCwTwhpF04SN/qpIPUl2l4+b9trTRexB
-7RhKtFMpHNW3cm2hITZf
+MIIC3zCCAkigAwIBAgIBZTANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDJaFw0zNzEyMDExMjM0MDJaMB4xHDAaBgNVBAMTE3NlcnZlcjEuZXhh
+bXBsZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALQR4qm/kntqDomp
+Xnl7DvuQ7Mx3KzXoyvtqncdQnZ2R0P5FECp5ou9UjX0twezyZtUmoHhPfpTUDkOe
+7GPz8jNhT8XQun2UHnUblfeDL96am9hr0iiSaB3tYxJ3hWZ78O/2J1GvVQNWmBXS
+kCoQUVJVmXN/yTVMR21qxFhGcmb7AgMBAAGjggESMIIBDjAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUub3JnLzBw
+BgNVHREEaTBnghNzZXJ2ZXIxLmV4YW1wbGUub3JngiFhbHRlcm5hdGVuYW1lLnNl
+cnZlcjEuZXhhbXBsZS5vcmeCCSoudGVzdC5leIIiYWx0ZXJuYXRlbmFtZTIuc2Vy
+dmVyMS5leGFtcGxlLm9yZzANBgkqhkiG9w0BAQsFAAOBgQAnF12Xe/y99pELMeNx
+JGTLm0HWhBydqfKBy0OhUoUrDl7jzMZFad7GkLDgtqR2WDF4p9/inE/ZDupw2jHI
+T4O9mtt5JsT0B4OuzPAF5iL3BgFh7xq3eWifOydk2HbXN4fdvFdi1k6sdV3OFfQe
+f04Khku2+5mfjEvZXT407FiV2w==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI0peZ
-vtd+Oo8OMPy/EIlcNiVSJQ6zb5awuAcPjb5gUE3dZ1+7PiB4BlLhT1wbUJiqC3s6
-Uo2jzzNScWmwIbMTwckUIjS6Q+3khgZHWh2uBAX9j9OrMaJ6DjtyjWitDXMUcrns
-tvQs4TMoFkvBvH94gsYtnbTC5DCmKKLRkWwQhQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-eqMhcknWmbpCS7ail+FEhRpiLgZU05d7jdf3yQLu1EmMS/fdDvY8R8G17FDcCoLQ
-mSgIvn73UqTgmDgErGZgZ2LqcgioBo7fgxS2knxFKIi/WlKHpiqOkSYtqtacIUnk
-1NkPYWjBwP3bUYauHu7EcTTHO6iWd0doLrMJvGUtm9c=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowNzEUMBIGA1UEChMLZXhhbXBsZS5vcmcxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAJXe07nxVSZPJ3rVBHQp+m5gWb5/JkzXwcWKEvcmMnJzo2ydVfHBBRmTpzpS
+ST3js2awNbhEdOU7AeBtAvyOtwlT/yp6SHhOlI8PlgLwL9/xedeC0Ex412VOeaV/
+LRbvj0j+WutuglAFXfD5IlwnRoDUB1Q51JFtYZxlxvOqbLb9AgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQCf9uWkJrIlu9DvKwiiRj6/vMFydd9kLq11COjAovfD6+VbRLeX1lpC
+XpHDhUlrAKOV/5Virl+iXao5YnfnCm1oud0jRGcG8x1JPqUKW3REch4vR0wkjaBS
+5eI7DiydPL1yts588Z6gLjHZBaR0cuXS4e1k9rcXuBC9tZjv7rYskQ==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.key b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.key
index 0f11091db..a0dee8784 100644
--- a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.key
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.key
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: server1.example.org
-    localKeyID: 31 14 69 34 8C 81 EC 6D 46 82 02 96 40 E3 D7 65 60 72 C1 47 
+    localKeyID: 3B 5C 4E 1E 72 62 AE 31 20 9A E4 E3 FF 16 93 6D 9B D7 95 39 
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI0KA9siaIVP8CAggA
-MBQGCCqGSIb3DQMHBAg6Gg3j5UDUbQSCAoDUEoPxBLNYMXBTA+6k8MdrSurwRYSS
-VcYEV6au+lbp27F8VBgiBk0eQEo6AAAYsV2qyucZ+r4TfMuWgF3kHMqUqesTDePB
-0p2WNSB8Fy6/9vjwzhDwzKGNi8kksnUNmEgqZKEEn01H+TT1F3a0o7//teDJnNCg
-5avTCnnNkcXzZcKaMKQRos1cg1QIBdgrLdFIVzvAa+2Osd5v3UWI7lSSJT5sA9Od
-sU2bPYTDSQx2iK8+fMVCsGvUeTxae5DATYvo17ypBZEMW5eoUG+aHerueOtihdMU
-vvq0pPmP1dcKVSWxBYVepc/IMeoM7axyA+JJATTK7asBbnB4Biq813p/vKpRCqLF
-dAgMTeces6Kax/rxMIUJ+LbEPDY9umooJbwMxREz1tyrvc7gOoIPNss/9LdiFtzY
-lrKlL/gt1Xfp1NAHHtmD5znzpzJVXDaw7U8jWuy9ADb29LpOAaffdZy24hpCa/My
-qzJz4qhGtjXKvzXfqhy+ZMu91e+rRO1kqe7AVY58B7yvmm9kQBZeAaQOknjdWyS4
-ofylo2DpeIRgkt2zvt1KBEDXJMI/dZfbL52EoCdFGZ7mLSDsOh9A8/tMg1TZBUaZ
-BTo6igkcjeKXYd+poCD3pSftFvOz2APKJqxH/I74/jtf1g2l5TJa/mTxRllPSWRF
-embdxZetofkZ2w5HvRAt8xa8ePckd8dOqcOsQ2ZVHabyAylH0fara8mdzaD4NvWE
-meWtSdv5jkYa9MSqiQvgDGBAeBIRwi98vJcbdcTjdEkgWRNfEKDeEXj/TRd6KLp4
-RooJAzlvtUa7XrwYvvmJr1YYhkVUN/ZLe71Z8tsYzIVhEgux8Lm4P4wA
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIrIU9gOA7NeYCAggA
+MBQGCCqGSIb3DQMHBAiloTRVYesP1wSCAoAYe5MrxSpkot5DvFkMxEJBNPBcvm86
+vc3SW9WC4eoC7pQAWKMAmAb/wiT6h4KwSkYQa/b+3RviE1uSHNXIZBycc3y2rTJR
+77fLKwzQ2dx81CN+39csGEsp/vVHzQfRzPCjsaSIuba8+8CHFKOZn5kYZTCdzYFu
+6F/c+Ts3a06A8Ep9oRDX6KTHT5QaPQegAgSHNAs5fwaxYiJP476il1N9D2pN2iBG
+KjbSzzn8QyDqXvVDT6zYSrljzHXjcWteVDKURZFFfz0CIXLyNeB7nbJMYXueEO0+
+LBspE9LMCvapDhR8EebOCTXMoOrmzoKl550KDKVDGm+B2Da79owHrf2JTaAkK6xn
+46XhXG0BZQcvvz97LYiUjI9AJZytFy9V8hBCyTsL2Y3QDgfihndwnk5B+Dc57PHa
+rmF+/b9kO7DbTAiD2IDh5JszewLejS6aqycZKuJoV71c+t4jhvuZMvgtxNLIFxzQ
+u6uWbu7V2y0Moe9u7Ha1My1pv+/nQ6Y3s3gz9xXzb7kK/Rb9n50tsJhAKLQ1btUj
+3lU47PiL2hkRzH50eLKb81LW7+zCSC6u3B39BUKn2Xf86TN7r5AvRsF+A3dEisFT
++qvk202FduE9Js/jpaJH4qpxLYOdWikwmmxtQNRNzZzVKGs/uczcga0xqeQ1itlA
+BoNKg0QRT1yV6u2gF4w0alXH6nL1+quzqmFcoAiaQULqM0E3wSwoep43pQFC+cBY
++5wj3ASo79dTHiZcgjdWLBjtdFG/+PukQV9Cl+oIuD2SOBt4n/P90jSKqu3P1JJn
+UK8/1jeyY53ZGsNbfPZHBRIDQ0IV7x60/VX8z0P0h8FLzftRGGC+wotK
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.dated.resp
index d41465aed..071e6520b 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.good.resp
index 160d28a6b..689ed6aa7 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.req
index 8ba90699e..63596191a 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.req and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.revoked.resp
index 352e29e7d..f6fc0dcbf 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signer.dated.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signer.dated.resp
index 4db1e1546..4c5cba3c9 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signer.dated.resp and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signer.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signer.good.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signer.good.resp
index fede7d492..83cec5b92 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signer.good.resp and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signer.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signer.revoked.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signer.revoked.resp
index 635d4dcc7..45f9e3481 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signer.revoked.resp and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signer.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signernocert.dated.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signernocert.dated.resp
index 7663a5a01..92a200a47 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signernocert.dated.resp and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signernocert.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signernocert.good.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signernocert.good.resp
index 52200b461..9394d01dc 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signernocert.good.resp and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signernocert.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signernocert.revoked.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signernocert.revoked.resp
index edb77946d..0492e5e39 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signernocert.revoked.resp and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.signernocert.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.p12 b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.p12
index 53f965419..8a868135a 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.p12 and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.pem b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.pem
index 9169187a9..d95f41a7a 100644
--- a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.pem
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.pem
@@ -1,23 +1,23 @@
 Bag Attributes
     friendlyName: server1.example.org
-    localKeyID: 31 14 69 34 8C 81 EC 6D 46 82 02 96 40 E3 D7 65 60 72 C1 47 
+    localKeyID: 3B 5C 4E 1E 72 62 AE 31 20 9A E4 E3 FF 16 93 6D 9B D7 95 39 
 subject=/CN=server1.example.org
-issuer=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIIC2zCCAkSgAwIBAgIBZTANBgkqhkiG9w0BAQsFADAzMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMloXDTM3MTIwMTEyMzQwMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
-Lm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtz5/dxB0WGrlSPBl2obN
-4UL+JhCslJJbTnd4oYpQNG7gsmPSaxf3W3+i1QA0ugfvdUP7zEOlU+H6YaoUIrPG
-/S0h6cGkwW1Z68HDvYRzUIdiVFJfIUuSKMckQHv1lkiX2GXOHfAE6VJM4iaTgeVW
-r//JrJ6qtVNen4aipdR0ChsCAwEAAaOCARIwggEOMA4GA1UdDwEB/wQEAwIE8DAg
-BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
-BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5vcmcvMHAGA1Ud
-EQRpMGeCIWFsdGVybmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLm9yZ4IiYWx0ZXJu
-YXRlbmFtZTIuc2VydmVyMS5leGFtcGxlLm9yZ4ITc2VydmVyMS5leGFtcGxlLm9y
-Z4IJKi50ZXN0LmV4MA0GCSqGSIb3DQEBCwUAA4GBAFIri9zSly2pxUJqdgI+KGeQ
-Gu1Ipo7uN7psbST9aZf+BlJ/6vcebmYs8BR9kIwBwwDZ9nmUV8cX8iZOr7CrBQ/F
-IiAUrTzUEcFgiwGjTyG8m9QF/RJnHrehjCwTwhpF04SN/qpIPUl2l4+b9trTRexB
-7RhKtFMpHNW3cm2hITZf
+MIIC3zCCAkigAwIBAgIBZTANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEfMB0GA1UEAxMWY2xpY2EgU2lnbmluZyBDZXJ0IHJzYTAeFw0xMjEx
+MDExMjM0MDJaFw0zNzEyMDExMjM0MDJaMB4xHDAaBgNVBAMTE3NlcnZlcjEuZXhh
+bXBsZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALQR4qm/kntqDomp
+Xnl7DvuQ7Mx3KzXoyvtqncdQnZ2R0P5FECp5ou9UjX0twezyZtUmoHhPfpTUDkOe
+7GPz8jNhT8XQun2UHnUblfeDL96am9hr0iiSaB3tYxJ3hWZ78O/2J1GvVQNWmBXS
+kCoQUVJVmXN/yTVMR21qxFhGcmb7AgMBAAGjggESMIIBDjAOBgNVHQ8BAf8EBAMC
+BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUub3JnLzBw
+BgNVHREEaTBnghNzZXJ2ZXIxLmV4YW1wbGUub3JngiFhbHRlcm5hdGVuYW1lLnNl
+cnZlcjEuZXhhbXBsZS5vcmeCCSoudGVzdC5leIIiYWx0ZXJuYXRlbmFtZTIuc2Vy
+dmVyMS5leGFtcGxlLm9yZzANBgkqhkiG9w0BAQsFAAOBgQAnF12Xe/y99pELMeNx
+JGTLm0HWhBydqfKBy0OhUoUrDl7jzMZFad7GkLDgtqR2WDF4p9/inE/ZDupw2jHI
+T4O9mtt5JsT0B4OuzPAF5iL3BgFh7xq3eWifOydk2HbXN4fdvFdi1k6sdV3OFfQe
+f04Khku2+5mfjEvZXT407FiV2w==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.unlocked.key
index e30f94b37..e23439735 100644
--- a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.unlocked.key
+++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.unlocked.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICWwIBAAKBgQC3Pn93EHRYauVI8GXahs3hQv4mEKyUkltOd3ihilA0buCyY9Jr
-F/dbf6LVADS6B+91Q/vMQ6VT4fphqhQis8b9LSHpwaTBbVnrwcO9hHNQh2JUUl8h
-S5IoxyRAe/WWSJfYZc4d8ATpUkziJpOB5Vav/8msnqq1U16fhqKl1HQKGwIDAQAB
-AoGAEgIF08Udsey7YKojUFDsHaWQRVxhIW6qo3DxPWrSy/xTf6R4ssaVq/vEnEsb
-Y2bRPQRz09SYBEDSctOci/Z/6QntdIeuh+07EOQnjZpKHn60uat/cWUMvj53texv
-YKjsNGdavZHWlS7unI7dQBlCt6BzYX0WOHSmx4CQcBADQ1UCQQDjpVE0IIiXpRAo
-C2b8Wq0dBO1L6Y8lHQ5bkqbMteX4/PfIK7JjKfmdl0sU+scxlHzXEpfD/8qZudx5
-I+JpGJb3AkEAzhFlXwc6iJhBAon7J/nDKV4LGRjISbV207YnQ0espGTTjlhubckl
-5v/SHbUmo4I/wKxaDrrVn7LJenK266Ho/QJAE2HkBBgxCRhYw9AUuK/PxYTB35DH
-S1Wp/0oBQbTLG+QOBNETozXTtwNGtUaU5zfJWVaP7XQ9/9C/YOEZSfF6CQJATuWS
-LmQSISJKIbK6mn+iHUCIdz9pz+7OZBilx7i1fOutpB5viVEuVdc0l3M4K/o+doKG
-qIUYLWDCi0NIjccb8QJAJJcst+8d9yW6IX6/KeMJ2C1NConB6mtrjRbxHsGG1ViE
-jwEHoX0bhn5EhNZOpxOYVMdQTg7PoNGBCPh1BQ4nzQ==
+MIICXQIBAAKBgQC0EeKpv5J7ag6JqV55ew77kOzMdys16Mr7ap3HUJ2dkdD+RRAq
+eaLvVI19LcHs8mbVJqB4T36U1A5Dnuxj8/IzYU/F0Lp9lB51G5X3gy/empvYa9Io
+kmgd7WMSd4Vme/Dv9idRr1UDVpgV0pAqEFFSVZlzf8k1TEdtasRYRnJm+wIDAQAB
+AoGADNrMAg81f07ya7xmDKkOyEGvzebh9E7CktEpI03repCqyUQX49hcG9a+5QVL
+t0UUtzmzMfOG10wOGqCxQm9rRkYH7/xWevSdI7IkNkxK610YMHQ1FTf3TJlD7Q2N
+h7pyIEGmGluVsrc7kpqXksGLj3HlIH+H5RmparK+DhZaIxkCQQDgrYN69iSlE0wl
+jLmjKrCApuGpXF2vN50VBOWzmubIjKVuBgmEW9JAqnREdWwV1DgK2ZRm8g+q4YqY
+W/qOMJdTAkEAzSxeD+u6hNR6uOuyc81+3W95ydhYKuyfINdN0P05eJPUkju15TRT
+bNwoUUZ4bMcxI6035Xc37j/BRVRuOPFEuQJBAJ8F8NOtOE6mk/TX3+S/KGJGu94V
+hDGqWUIxTyuKbeJwuf5fw4itPOmMO/LgcXoZ1PjI+6LJnZFDRceFAph1iAUCQQCl
+99vnGRL6XD8h01e5oWOckI5+HsnDf0GB+WhzREP3K+5qlG6hiGBr0PO0O0MzCzbO
+21I6BuRxj5UyFghLe6/RAkBgiKuhaKsfeZ/k2SqNjDjDKgXCyKbRug4JRytjPBob
+yt2O8FZTdsUAQ/50mQAdh2Y6YA9xwkKS93/tg++hfL6h
 -----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/server2.example.org/ca_chain.pem
index e3165d194..f262d8f92 100644
--- a/test/aux-fixed/exim-ca/example.org/server2.example.org/ca_chain.pem
+++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/ca_chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
-    friendlyName: Signing Cert
-subject=/O=example.org/CN=clica Signing Cert
-issuer=/O=example.org/CN=clica CA
+    friendlyName: Signing Cert rsa
+subject=/O=example.org/CN=clica Signing Cert rsa
+issuer=/O=example.org/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI0peZ
-vtd+Oo8OMPy/EIlcNiVSJQ6zb5awuAcPjb5gUE3dZ1+7PiB4BlLhT1wbUJiqC3s6
-Uo2jzzNScWmwIbMTwckUIjS6Q+3khgZHWh2uBAX9j9OrMaJ6DjtyjWitDXMUcrns
-tvQs4TMoFkvBvH94gsYtnbTC5DCmKKLRkWwQhQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-eqMhcknWmbpCS7ail+FEhRpiLgZU05d7jdf3yQLu1EmMS/fdDvY8R8G17FDcCoLQ
-mSgIvn73UqTgmDgErGZgZ2LqcgioBo7fgxS2knxFKIi/WlKHpiqOkSYtqtacIUnk
-1NkPYWjBwP3bUYauHu7EcTTHO6iWd0doLrMJvGUtm9c=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowNzEUMBIGA1UEChMLZXhhbXBsZS5vcmcxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAJXe07nxVSZPJ3rVBHQp+m5gWb5/JkzXwcWKEvcmMnJzo2ydVfHBBRmTpzpS
+ST3js2awNbhEdOU7AeBtAvyOtwlT/yp6SHhOlI8PlgLwL9/xedeC0Ex412VOeaV/
+LRbvj0j+WutuglAFXfD5IlwnRoDUB1Q51JFtYZxlxvOqbLb9AgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQCf9uWkJrIlu9DvKwiiRj6/vMFydd9kLq11COjAovfD6+VbRLeX1lpC
+XpHDhUlrAKOV/5Virl+iXao5YnfnCm1oud0jRGcG8x1JPqUKW3REch4vR0wkjaBS
+5eI7DiydPL1yts588Z6gLjHZBaR0cuXS4e1k9rcXuBC9tZjv7rYskQ==
 -----END CERTIFICATE-----
 Bag Attributes
-    friendlyName: Certificate Authority
-subject=/O=example.org/CN=clica CA
-issuer=/O=example.org/CN=clica CA
+    friendlyName: Certificate Authority rsa
+subject=/O=example.org/CN=clica CA rsa
+issuer=/O=example.org/CN=clica CA rsa
 -----BEGIN CERTIFICATE-----
-MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
-Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKKaWSv0duLwJQQ6t18l
-yWSGmELgaflSPTidcPii6YYskJAQjnHH13P63PUwXj68knq9JdgeXwZLWszq04Uk
-esjSLJ/e9eIE+Uk9Y2zaes0vTiOIMnYe9u4S6VUNYBO6S+zX89+CHBicNr9tnEEd
-FAw56VTBKtMDA2oPWi5BQ+8/AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
-DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBAKGed/hvquJ9QctYRyCB
-uIYN1ogbfRj2bSYvKMrSvuW8bVyYAR0C8jj8LA9IEK33EZKBz+D0RHV7s13Cnom9
-tHjIX1ncfl5vPR/Hus0ZKqwauvSauo7hkWRO7isuUzmNBp7YjgLSPr2QYptlpBS5
-U9+lNhpF9AUWEAAo3FqHgShh
+MIIB9jCCAV+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowLTEUMBIGA1UEChMLZXhhbXBsZS5vcmcxFTATBgNVBAMT
+DGNsaWNhIENBIHJzYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsOI8xlyV
+2kpju6cf0E8/c0QwaOBvUGzkTdCau/DyQrwFPToVpVW8mzDQUOnoUXLl92EJa4Td
+a4uN/uyiyTcjUQWrlZKdFn9HaLB7+rLUox6fZF06jsWgC0Qfr3HHWsrMINn6bucC
+9/eZag5ADPyO5XYnCW4pIFnuFVQ+w3Qr060CAwEAAaMmMCQwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEALAPJGCfj
+ldkldb3pxmUf8V2luI38AVKNZokjATe3tyv7ikhb2g20BRi92fMHOqfAMUfoJKAu
+lT5vLep0SUETmAXdr3+WfFeZu2KZ9t5lhxyUGnHhxDc3k8TzobZSpFS9+ZnR/4GY
+TwGhx36iRUIFRZ/PUQrkRniedLSkO+H+Xko=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/server2.example.org/cert8.db
index 9c520f79c..4a75d00e1 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/cert8.db and b/test/aux-fixed/exim-ca/example.org/server2.example.org/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/server2.example.org/key3.db
index 7bcd71382..d791d5020 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/key3.db and b/test/aux-fixed/exim-ca/example.org/server2.example.org/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.chain.pem
index c844ed859..331a661a1 100644
--- a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.chain.pem
+++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.chain.pem
@@ -1,35 +1,35 @@
 Bag Attributes
     friendlyName: server2.example.org
-    localKeyID: E2 38 5B 24 CB CF B7 53 1B 69 87 7A EF 67 67 6C 88 CD 28 0E 
+    localKeyID: F2 22 5F 3C 18 C2 87 76 E0 B3 30 CE 6A 44 7B 4F 15 9B 58 3A 
 subject=/CN=server2.example.org
-issuer=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhh
-bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDNaFw0zNzEyMDExMjM0MDNaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
-ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPK/TJn4ZDN286XMhCLH
-ipnWbbNsFpqMotrAxdyA9thomMnYXU89uqPnQsyUyD5c7rUp+F2LWUGDPkd8v4q+
-EL3dUTRTnVY47ZMtVLz08nyucZTo/y+8ysaYDGmgioCQ8MME4C1lYe06bK33OYUe
-jYCM1DgDB/h04vkftlrQcOAbAgMBAAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAG
-A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
-hiFodHRwOi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
-KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLm9yZy8wHgYDVR0R
-BBcwFYITc2VydmVyMi5leGFtcGxlLm9yZzANBgkqhkiG9w0BAQsFAAOBgQCs5mI1
-W3xtz2hR/I2EWAAr415QJ43LRyzNQun0/b4k52BgubGDVAXKzkhes7RRNCW7+h6d
-wgJKFvBnHviThkmM00DGzSYJ2VCmHXsogJmWMl8zcEjOgC9E3LZKjp27dsjr4GlM
-jwf8XjoOCu3RUtdzuFOEmXviVYNbeiSlFsJSEQ==
+MIICjDCCAfWgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIx
+MTAxMTIzNDAyWhcNMzcxMjAxMTIzNDAyWjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4
+YW1wbGUub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5BlHN8UOr/LlK
+VpPJZWRtbucPRiAUWJJp5leYn+/zbAXYPNoRbV+eaUPUTkOaLbcEQk7GWw7qFPzD
+K3voal1kELERvlr4OONx6/sYuDpF64zFHW4PXhSgo+sYiM/tEkIC2cyxr82iVX4d
+S45OgYpBzGDvv9aiai871VJMd9O2kwIDAQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5vcmcvMB4G
+A1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQELBQADgYEA
+bTzC8dtmbbqFpn6huub316XONZIeRKPhGY9Rb1UsUCD7KtMvUkArGmz7p39VS0iE
++ffBvvtggteJGs8xZ79a3110Y7Bx0ASIt1wa4+vaVAu/Ujx3r1vLDZYwq+Dl3fAq
+1oaFvoD9ANg+FYcjiybT96eKTCT1IXuKs86aTj2jAeo=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI0peZ
-vtd+Oo8OMPy/EIlcNiVSJQ6zb5awuAcPjb5gUE3dZ1+7PiB4BlLhT1wbUJiqC3s6
-Uo2jzzNScWmwIbMTwckUIjS6Q+3khgZHWh2uBAX9j9OrMaJ6DjtyjWitDXMUcrns
-tvQs4TMoFkvBvH94gsYtnbTC5DCmKKLRkWwQhQIDAQABo1owWDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
-Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQELBQADgYEA
-eqMhcknWmbpCS7ail+FEhRpiLgZU05d7jdf3yQLu1EmMS/fdDvY8R8G17FDcCoLQ
-mSgIvn73UqTgmDgErGZgZ2LqcgioBo7fgxS2knxFKIi/WlKHpiqOkSYtqtacIUnk
-1NkPYWjBwP3bUYauHu7EcTTHO6iWd0doLrMJvGUtm9c=
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMloX
+DTM4MDEwMTEyMzQwMlowNzEUMBIGA1UEChMLZXhhbXBsZS5vcmcxHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAJXe07nxVSZPJ3rVBHQp+m5gWb5/JkzXwcWKEvcmMnJzo2ydVfHBBRmTpzpS
+ST3js2awNbhEdOU7AeBtAvyOtwlT/yp6SHhOlI8PlgLwL9/xedeC0Ex412VOeaV/
+LRbvj0j+WutuglAFXfD5IlwnRoDUB1Q51JFtYZxlxvOqbLb9AgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5vcmcvbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQCf9uWkJrIlu9DvKwiiRj6/vMFydd9kLq11COjAovfD6+VbRLeX1lpC
+XpHDhUlrAKOV/5Virl+iXao5YnfnCm1oud0jRGcG8x1JPqUKW3REch4vR0wkjaBS
+5eI7DiydPL1yts588Z6gLjHZBaR0cuXS4e1k9rcXuBC9tZjv7rYskQ==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.key b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.key
index 7de7196ba..176b96a29 100644
--- a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.key
+++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.key
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: server2.example.org
-    localKeyID: E2 38 5B 24 CB CF B7 53 1B 69 87 7A EF 67 67 6C 88 CD 28 0E 
+    localKeyID: F2 22 5F 3C 18 C2 87 76 E0 B3 30 CE 6A 44 7B 4F 15 9B 58 3A 
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIdTvmpL9IhJ8CAggA
-MBQGCCqGSIb3DQMHBAgW9kM3XgA1bASCAoB8x3/0XnKhZ+FysQyzoVMHHPf8834g
-pMx1U/2cIO+fvHH/3nQEiO/J5eOTbWdUoBKKujsGf7y+Y3fZ2jW5KRd4NAw708v0
-lCncRlEaTuQSAxMl/njeouj+VZPYth2KXewRMLwetvQN1r5ZnpE7DRdYvDggEzLA
-rAF2ss30BRpe1+pziIFxnBPaEZ8IaZmDBRLyhrVuvNRDQ0+9AzQGxX1AUchlTrNM
-1dtKZGgma/sV6RTKrHcsxswy9iY18bmsSOLlSf4Vmia8j5WUY48NyTqLYR1bm+2l
-MQxP2TrKw9DrnAcIFo13Xfz32bhYz7fCA6vheOxA7/j/n/Wab/0f1QCbVyGg6qj8
-Nle9bBQMyo/4A9jXKPJq9Ja3XpLBwuaPd4kNG/nC5qmpxYAkiJY2yoaF+eWUb/Bd
-VnaKTzyEHedKi2TkB3lnTwRhDNiP9e55L0BaCGrDy289X37FmNOqv1TZ8bbbl78m
-icGaQlKmdVIP8za7jjBuyt0FUxgMZ395SY0CcIBNT0g4wv1p08QNQKOR6ElLPumR
-n7419MxONeQlRKbN1ADKmhDUNSSW1r0RAaVx5nDVuVhzFybHAEiuoAdx9RR1/juC
-hey2ukbytqACDbfbkXp0k+xbNFtkFohdUfc1RgAXs7jKIxqw1Ump7CyGO7RpQEYi
-/HLjnRCbaGJSSrPXSDE52L+n1aCWLQ5iovh5/eRLqxzLpL8Wir+ye9m3c4y3ak6x
-vJr5tx3ECx3/9/EHh2H4xo0F3dNb+fNmC+JYVLcPoZLc+46xSh02ODAaKK3r1H9/
-2gvVLUpByG8hpAhCvvOoNunUu/0i1pEFPhuLj3nVB7IUb28a5MmatUSa
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIZ9OUsRRqLWsCAggA
+MBQGCCqGSIb3DQMHBAhLcG8uKTZ3cwSCAoCNCH+f1FjSvVfEsR3oPurIEmH2bJ0B
+O7qrhXO0E8twk3rvoJQjzqzmAy7DE/EwOo+iAybViX3PqzXkDMDIdHxvuv+oKZEI
+nH412oib3mv36wfLF2YFNQIz499gJi/O7GqAYQmYwnD9e+DafyI5zY/9HW30IL9C
+gKsPKY1T+kMVE45yzPx2mxAnxlxuGHTX6MJ+t7vIaUNG1X6m0uxvwIx+kSnN3EBW
+FWkXxZ8Dw6KfSDfFmL1YtL22VD9DxUx15Pp3jz/fCzP6JySRlysUGo9waWNDtXCy
+x6XVDxiIl9zxb8BQrvUniFegod5FIpIJLJkTLgarqgJLejizHJRzM5j/sw+IfNPo
+Cg+U6WZhGWDn1p+A5WJNXtJasycvxXNswtZsdkxSAC/0dHKuMQcwZfe2EAAsVLWc
+umU0XGUvOuh17gA70Rarr9WO1JMBaEuQFv1DxCbAha+jg0lXoA3bbfW9i2cUjSu0
+T7rtWVi7uXQCSMYcCDdMV4ICYGiCOru+EHIBsHgLtXFneUuVZoBGxy0lqrKI89Jl
+XtUmDRYZQ0wYwYcRptL0/rfC1N5TT+O6FfF54R/SggNwMPWJ1gRdJA5N78oKxBNT
+fbKUB5ZvX92zCbyuUwDnKdNHvcHKgU3DHLdaN3cIZv+g5XlPv8XaBIfpjiUT0adn
+NUexZ7FwfQo73Q4pgVzANDe2AfWn1hGPAfrtjQL4NipkiAs5Q5bMDXGWzJsz9GUl
+LQi65XBQDuwOG8j7boDXXYgLmBO6Q/u35Z+RQ4VscsnbN9IBiTAX5AYs42sup9sa
+X/OVtz5KlxL99BJYyq5MhoJyXfRudqN1hygTjwZL80sVpT9U+N89ylfY
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.dated.resp
index f0a9cdb85..5026d12bd 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.good.resp
index 759f541ba..9b13288ec 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.req
index cb97e6098..771fbc644 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.req and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.req differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.revoked.resp
index 759f541ba..9b13288ec 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signer.dated.resp b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signer.dated.resp
index b530829b0..b349d3d1c 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signer.dated.resp and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signer.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signer.good.resp b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signer.good.resp
index c242afcee..d1d340efd 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signer.good.resp and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signer.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signer.revoked.resp b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signer.revoked.resp
index c242afcee..d1d340efd 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signer.revoked.resp and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signer.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signernocert.dated.resp b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signernocert.dated.resp
index de2bcf556..ae782e40c 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signernocert.dated.resp and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signernocert.dated.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signernocert.good.resp b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signernocert.good.resp
index d0eaf3900..132bb9193 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signernocert.good.resp and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signernocert.good.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signernocert.revoked.resp b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signernocert.revoked.resp
index d0eaf3900..132bb9193 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signernocert.revoked.resp and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.signernocert.revoked.resp differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.p12 b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.p12
index 46c7e55e1..48264feec 100644
Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.p12 and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.p12 differ
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.pem b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.pem
index a4b7b9332..109ba95b7 100644
--- a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.pem
+++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.pem
@@ -1,21 +1,21 @@
 Bag Attributes
     friendlyName: server2.example.org
-    localKeyID: E2 38 5B 24 CB CF B7 53 1B 69 87 7A EF 67 67 6C 88 CD 28 0E 
+    localKeyID: F2 22 5F 3C 18 C2 87 76 E0 B3 30 CE 6A 44 7B 4F 15 9B 58 3A 
 subject=/CN=server2.example.org
-issuer=/O=example.org/CN=clica Signing Cert
+issuer=/O=example.org/CN=clica Signing Cert rsa
 -----BEGIN CERTIFICATE-----
-MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhh
-bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDNaFw0zNzEyMDExMjM0MDNaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
-ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPK/TJn4ZDN286XMhCLH
-ipnWbbNsFpqMotrAxdyA9thomMnYXU89uqPnQsyUyD5c7rUp+F2LWUGDPkd8v4q+
-EL3dUTRTnVY47ZMtVLz08nyucZTo/y+8ysaYDGmgioCQ8MME4C1lYe06bK33OYUe
-jYCM1DgDB/h04vkftlrQcOAbAgMBAAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAG
-A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
-hiFodHRwOi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
-KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLm9yZy8wHgYDVR0R
-BBcwFYITc2VydmVyMi5leGFtcGxlLm9yZzANBgkqhkiG9w0BAQsFAAOBgQCs5mI1
-W3xtz2hR/I2EWAAr415QJ43LRyzNQun0/b4k52BgubGDVAXKzkhes7RRNCW7+h6d
-wgJKFvBnHviThkmM00DGzSYJ2VCmHXsogJmWMl8zcEjOgC9E3LZKjp27dsjr4GlM
-jwf8XjoOCu3RUtdzuFOEmXviVYNbeiSlFsJSEQ==
+MIICjDCCAfWgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIx
+MTAxMTIzNDAyWhcNMzcxMjAxMTIzNDAyWjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4
+YW1wbGUub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5BlHN8UOr/LlK
+VpPJZWRtbucPRiAUWJJp5leYn+/zbAXYPNoRbV+eaUPUTkOaLbcEQk7GWw7qFPzD
+K3voal1kELERvlr4OONx6/sYuDpF64zFHW4PXhSgo+sYiM/tEkIC2cyxr82iVX4d
+S45OgYpBzGDvv9aiai871VJMd9O2kwIDAQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5vcmcvMB4G
+A1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQELBQADgYEA
+bTzC8dtmbbqFpn6huub316XONZIeRKPhGY9Rb1UsUCD7KtMvUkArGmz7p39VS0iE
++ffBvvtggteJGs8xZ79a3110Y7Bx0ASIt1wa4+vaVAu/Ujx3r1vLDZYwq+Dl3fAq
+1oaFvoD9ANg+FYcjiybT96eKTCT1IXuKs86aTj2jAeo=
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.unlocked.key
index c17253a81..d4fc65314 100644
--- a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.unlocked.key
+++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.unlocked.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICWwIBAAKBgQDyv0yZ+GQzdvOlzIQix4qZ1m2zbBaajKLawMXcgPbYaJjJ2F1P
-Pbqj50LMlMg+XO61Kfhdi1lBgz5HfL+KvhC93VE0U51WOO2TLVS89PJ8rnGU6P8v
-vMrGmAxpoIqAkPDDBOAtZWHtOmyt9zmFHo2AjNQ4Awf4dOL5H7Za0HDgGwIDAQAB
-AoGAKCTvJUbDmhKRxaQWYBgReafRWYrxDAW2XaiOsDeFsGalNJA7Ei06Y1EN+35J
-cALMw+9ucFiTXgxh2CRZxYycK4TsAc9pxDr5Kqicr1kJbcIvYVA+Ddv5amI7wnVB
-abXMwCkoiVx7Kx1NgOMNT2RxF5pRDwioirQ0tMgLTN+U1n0CQQD8Fvqj//LRiKh9
-ADcK/gW0pZlD+4JzWKgF2Mx3wUsYZOppzkYj4KhAEGGMvN1Gz7RcNUxUGr9Y3aqA
-lDYuCkEHAkEA9oM43HW+Bm1+4ykhNzHGoN0FZZfeKhNXuH2VgYnBAZ2K47OQTTA6
-6JdmU3fiutquH59JTgnis2eoepdIHmLnTQJAaFBd8OUlpn0FM4yWOk85LzJjRJVb
-ur1R8fFvUpLCr1p7AcNglNIO7UuaAjHY4sdqG8nWRus2iOBZAJHUBaMqmwJAMEYu
-Qm4EUnnq2U1apdZnkWT3A5gj95VmHkjpmD6Dv288na6yWYtSXe4YKcxWaEUeyC6H
-SnMBJCTuh2NMyjaQGQJAJlzGzxq5Vxqt+QKfXiCbsj1tMW+8S8UYQqZLET/+/4kF
-8HKKO6653D1kjcvonBI/OyuwaZESdOImNzdAAhfgxQ==
+MIICWwIBAAKBgQC5BlHN8UOr/LlKVpPJZWRtbucPRiAUWJJp5leYn+/zbAXYPNoR
+bV+eaUPUTkOaLbcEQk7GWw7qFPzDK3voal1kELERvlr4OONx6/sYuDpF64zFHW4P
+XhSgo+sYiM/tEkIC2cyxr82iVX4dS45OgYpBzGDvv9aiai871VJMd9O2kwIDAQAB
+AoGABBhWNispVsSkqzcIVVRHqT5jocxpCFo/f1WIScn8axRQes05/FnB3IUy6Z+D
+0oVBgDghezVnupmVUJKFTwsPnw40/yKkcBxKCJPNzs/WhQjdJs1a2HW3uQISFnQs
+kMe7cwW+nv5ku1iN7QlRTmW7hSTKptdwX8TusvHorwnqNVUCQQDjHjfF6gK2GnpI
+YwF5OIdcCHkfzok7UUb6ONA8HUfOYe3uly2cXKq8Ar67/Ae7v/PSz05KR+aHr3zj
+RMFShkhvAkEA0I3C012AGrffDBjSCTTy/7trwggKDTLw3SBojR0T31LBfhzD3/RS
+h7JUi837DRtsioEEXcgOhEIsFgjJmyeeHQJAGvRhJioJvFcUIDcv25Ur625OAcpf
+WxzgUZ4giKHo/cN9m41xqlcNJFcnD+Rvfobfhyt3XTV/VKctKUPltceeHQJADt4M
+RYUk3MK+493hG0brC9AQnoR0MvyurxTgXy7ze7gqkxL5471HJOVRoaXNf+G0mysX
+ZJgecM9G1UtLFAR/AQJARcXGcLgixR6dPcw7ZAB1uUaVx5YBmxa+gxqYdTYUEJou
+zUS2ot33BFwNLFJ8vBWCoFNVD8tm+8CxwbWLK9+rFA==
 -----END RSA PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example_ec.com/BLANK/CA.pem b/test/aux-fixed/exim-ca/example_ec.com/BLANK/CA.pem
new file mode 100644
index 000000000..515af39b6
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example_ec.com/BLANK/CA.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB+zCCAVygAwIBAgIBATAKBggqhkjOPQQDAjAvMRcwFQYDVQQKDA5leGFtcGxl
+X2VjLmNvbTEUMBIGA1UEAxMLY2xpY2EgQ0EgZWMwHhcNMTIxMTAxMTIzNDA0WhcN
+MzgwMTAxMTIzNDA0WjAvMRcwFQYDVQQKDA5leGFtcGxlX2VjLmNvbTEUMBIGA1UE
+AxMLY2xpY2EgQ0EgZWMwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAHm9U9VOWgT
+kXnFOEy1kfkVx0n/XZygNm1Z+WnyU3Nt/c7b8m/Xwv4/VZO9bYm9dENOjT5+FHZ6
+MyJVIZVsYIfmlgG7BGeHDUzgLkmm30rM+QKU8pMNIMUggwY3CtV7tdeX/T/dtayh
+uxB2oyHvv2jGLIi1P8d4k87/9JWjvhfIjS6ImqMmMCQwEgYDVR0TAQH/BAgwBgEB
+/wIBATAOBgNVHQ8BAf8EBAMCAQYwCgYIKoZIzj0EAwIDgYwAMIGIAkIBEFmSdl+a
+k48M4+Ntzzkt+U0CfFIsW86KpYe0BcYjrNUVOUGu7s7RmFgMjYmGrWNCCJ2PNL9x
+eXwyFQMITjEvYy0CQgGl5U/yWaqe/PGKEQmyvhlcXF6ylv4iJES2SFlyhdqEFqrT
+biYVM/zSvSn2K3B3c/JHA4L21LcUjAPi8cphpgVIEQ==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example_ec.com/BLANK/Signer.pem b/test/aux-fixed/exim-ca/example_ec.com/BLANK/Signer.pem
new file mode 100644
index 000000000..e5e865cbe
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example_ec.com/BLANK/Signer.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICOTCCAZqgAwIBAgIBAjAKBggqhkjOPQQDAjAvMRcwFQYDVQQKDA5leGFtcGxl
+X2VjLmNvbTEUMBIGA1UEAxMLY2xpY2EgQ0EgZWMwHhcNMTIxMTAxMTIzNDA0WhcN
+MzgwMTAxMTIzNDA0WjA5MRcwFQYDVQQKDA5leGFtcGxlX2VjLmNvbTEeMBwGA1UE
+AxMVY2xpY2EgU2lnbmluZyBDZXJ0IGVjMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
+AAQB3RMF5qTA8Mhf1/DtiauE272gyO6MJmiYGJn16gwbUU4J8PIXHXDKH5O5Y99z
+0xYrhX+eLTuNvTA0O8O1DkLGpeQAyo65/kRq+B6zWhCIXkl1/Tqqx6WM3kF0xHfb
+7xKeorKtz8cToLXFw5SscZNVv32S9rnKTxwif3+7dgaC1eVKWjyjWjBYMA4GA1Ud
+DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6AloCOG
+IWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDAKBggqhkjOPQQDAgOB
+jAAwgYgCQgC7QqFcSVRN5pZoaHw6Z1no0QjnpzcGHEO/kI7XNg2q+u41Xk96DE85
+jTs+ryef/GJ9scPeShvxOOaXlutP7RKL9wJCAaa6Un0wubdhy5djZ3Qv09kRt/XT
+jLkY6s1aiotpl5mX+puxLRutrLML1w3ZACe2Ippibv3Puvg2I3eaJyVjg76q
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example_ec.com/BLANK/cert8.db b/test/aux-fixed/exim-ca/example_ec.com/BLANK/cert8.db
new file mode 100644
index 000000000..4e07781d4
Binary files /dev/null and b/test/aux-fixed/exim-ca/example_ec.com/BLANK/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example_ec.com/BLANK/key3.db b/test/aux-fixed/exim-ca/example_ec.com/BLANK/key3.db
new file mode 100644
index 000000000..793190674
Binary files /dev/null and b/test/aux-fixed/exim-ca/example_ec.com/BLANK/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example_ec.com/BLANK/pwdfile b/test/aux-fixed/exim-ca/example_ec.com/BLANK/pwdfile
new file mode 100644
index 000000000..8b1378917
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example_ec.com/BLANK/pwdfile
@@ -0,0 +1 @@
+
diff --git a/test/aux-fixed/exim-ca/example_ec.com/BLANK/secmod.db b/test/aux-fixed/exim-ca/example_ec.com/BLANK/secmod.db
new file mode 100644
index 000000000..b709dd8a5
Binary files /dev/null and b/test/aux-fixed/exim-ca/example_ec.com/BLANK/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example_ec.com/CA/CA.pem b/test/aux-fixed/exim-ca/example_ec.com/CA/CA.pem
new file mode 100644
index 000000000..515af39b6
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example_ec.com/CA/CA.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB+zCCAVygAwIBAgIBATAKBggqhkjOPQQDAjAvMRcwFQYDVQQKDA5leGFtcGxl
+X2VjLmNvbTEUMBIGA1UEAxMLY2xpY2EgQ0EgZWMwHhcNMTIxMTAxMTIzNDA0WhcN
+MzgwMTAxMTIzNDA0WjAvMRcwFQYDVQQKDA5leGFtcGxlX2VjLmNvbTEUMBIGA1UE
+AxMLY2xpY2EgQ0EgZWMwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAHm9U9VOWgT
+kXnFOEy1kfkVx0n/XZygNm1Z+WnyU3Nt/c7b8m/Xwv4/VZO9bYm9dENOjT5+FHZ6
+MyJVIZVsYIfmlgG7BGeHDUzgLkmm30rM+QKU8pMNIMUggwY3CtV7tdeX/T/dtayh
+uxB2oyHvv2jGLIi1P8d4k87/9JWjvhfIjS6ImqMmMCQwEgYDVR0TAQH/BAgwBgEB
+/wIBATAOBgNVHQ8BAf8EBAMCAQYwCgYIKoZIzj0EAwIDgYwAMIGIAkIBEFmSdl+a
+k48M4+Ntzzkt+U0CfFIsW86KpYe0BcYjrNUVOUGu7s7RmFgMjYmGrWNCCJ2PNL9x
+eXwyFQMITjEvYy0CQgGl5U/yWaqe/PGKEQmyvhlcXF6ylv4iJES2SFlyhdqEFqrT
+biYVM/zSvSn2K3B3c/JHA4L21LcUjAPi8cphpgVIEQ==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example_ec.com/CA/OCSP.pem b/test/aux-fixed/exim-ca/example_ec.com/CA/OCSP.pem
new file mode 100644
index 000000000..7ec75d2e4
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example_ec.com/CA/OCSP.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICEjCCAXOgAwIBAgIBAzAKBggqhkjOPQQDAjA5MRcwFQYDVQQKDA5leGFtcGxl
+X2VjLmNvbTEeMBwGA1UEAxMVY2xpY2EgU2lnbmluZyBDZXJ0IGVjMB4XDTEyMTEw
+MTEyMzQwNFoXDTM4MDEwMTEyMzQwNFowODEXMBUGA1UECgwOZXhhbXBsZV9lYy5j
+b20xHTAbBgNVBAMTFGNsaWNhIE9DU1AgU2lnbmVyIGVjMIGbMBAGByqGSM49AgEG
+BSuBBAAjA4GGAAQAJynCmmornvQ63iMqF0W+P5TRPMw0O53ePt6N20Tl41dod1IK
+LQsK7x15ylstBH3yJZKxIRLasdASeUMBAqMvTqsB7Ltvh9GoIWQls/K4tu6gTjfc
+0i9maAEsXUx4MfK+tEcZe4Z7bhUqthxRUULbq9MRFsh3+dFr9SheK9zdbJCdmzCj
+KjAoMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCTAKBggq
+hkjOPQQDAgOBjAAwgYgCQgFCPxemEF+1AqOGRumb3Znk2x/xBMAQ1H3iqRwsaiCm
+Ai01OHvff7b6O15nQljA/RWoU60pZ3ugva1t5SIvkAuwTwJCAcIbZORgJ9Lt2Zj4
+BObSUFgEbsI1OM6rKrI85+ITFyy2lRk+VSuoQMctK3aw4xuMuerEp+1O6YuWNflF
+/SUBW7uU
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example_ec.com/CA/Signer.pem b/test/aux-fixed/exim-ca/example_ec.com/CA/Signer.pem
new file mode 100644
index 000000000..e5e865cbe
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example_ec.com/CA/Signer.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICOTCCAZqgAwIBAgIBAjAKBggqhkjOPQQDAjAvMRcwFQYDVQQKDA5leGFtcGxl
+X2VjLmNvbTEUMBIGA1UEAxMLY2xpY2EgQ0EgZWMwHhcNMTIxMTAxMTIzNDA0WhcN
+MzgwMTAxMTIzNDA0WjA5MRcwFQYDVQQKDA5leGFtcGxlX2VjLmNvbTEeMBwGA1UE
+AxMVY2xpY2EgU2lnbmluZyBDZXJ0IGVjMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
+AAQB3RMF5qTA8Mhf1/DtiauE272gyO6MJmiYGJn16gwbUU4J8PIXHXDKH5O5Y99z
+0xYrhX+eLTuNvTA0O8O1DkLGpeQAyo65/kRq+B6zWhCIXkl1/Tqqx6WM3kF0xHfb
+7xKeorKtz8cToLXFw5SscZNVv32S9rnKTxwif3+7dgaC1eVKWjyjWjBYMA4GA1Ud
+DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6AloCOG
+IWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDAKBggqhkjOPQQDAgOB
+jAAwgYgCQgC7QqFcSVRN5pZoaHw6Z1no0QjnpzcGHEO/kI7XNg2q+u41Xk96DE85
+jTs+ryef/GJ9scPeShvxOOaXlutP7RKL9wJCAaa6Un0wubdhy5djZ3Qv09kRt/XT
+jLkY6s1aiotpl5mX+puxLRutrLML1w3ZACe2Ippibv3Puvg2I3eaJyVjg76q
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example_ec.com/CA/ca.conf b/test/aux-fixed/exim-ca/example_ec.com/CA/ca.conf
new file mode 100644
index 000000000..b13709f72
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example_ec.com/CA/ca.conf
@@ -0,0 +1,18 @@
+; Config::Simple 4.59
+; Thu Nov  1 12:34:04 2012
+
+[CA]
+subject=clica CA
+org=example_ec.com
+name=Certificate Authority ec
+bits=1024
+
+[CLICA]
+ocsp_signer=OCSP Signer ec
+signer=Signing Cert ec
+crl_url=http://crl.example.com/latest.crl
+sighash=SHA256
+level=1
+ocsp_url=http://oscp.example.com/
+
+
diff --git a/test/aux-fixed/exim-ca/example_ec.com/CA/cert8.db b/test/aux-fixed/exim-ca/example_ec.com/CA/cert8.db
new file mode 100644
index 000000000..4b0f5a88f
Binary files /dev/null and b/test/aux-fixed/exim-ca/example_ec.com/CA/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example_ec.com/CA/key3.db b/test/aux-fixed/exim-ca/example_ec.com/CA/key3.db
new file mode 100644
index 000000000..0c53c21d8
Binary files /dev/null and b/test/aux-fixed/exim-ca/example_ec.com/CA/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example_ec.com/CA/noise.file b/test/aux-fixed/exim-ca/example_ec.com/CA/noise.file
new file mode 100644
index 000000000..0627cdd21
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example_ec.com/CA/noise.file
@@ -0,0 +1,310 @@
+processor	: 0
+vendor_id	: GenuineIntel
+cpu family	: 6
+model		: 94
+model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
+stepping	: 3
+microcode	: 0xba
+cpu MHz		: 2700.000
+cache size	: 8192 KB
+physical id	: 0
+siblings	: 8
+core id		: 0
+cpu cores	: 4
+apicid		: 0
+initial apicid	: 0
+fpu		: yes
+fpu_exception	: yes
+cpuid level	: 22
+wp		: yes
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+bugs		:
+bogomips	: 5424.00
+clflush size	: 64
+cache_alignment	: 64
+address sizes	: 39 bits physical, 48 bits virtual
+power management:
+
+processor	: 1
+vendor_id	: GenuineIntel
+cpu family	: 6
+model		: 94
+model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
+stepping	: 3
+microcode	: 0xba
+cpu MHz		: 2700.000
+cache size	: 8192 KB
+physical id	: 0
+siblings	: 8
+core id		: 1
+cpu cores	: 4
+apicid		: 2
+initial apicid	: 2
+fpu		: yes
+fpu_exception	: yes
+cpuid level	: 22
+wp		: yes
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+bugs		:
+bogomips	: 5431.34
+clflush size	: 64
+cache_alignment	: 64
+address sizes	: 39 bits physical, 48 bits virtual
+power management:
+
+processor	: 2
+vendor_id	: GenuineIntel
+cpu family	: 6
+model		: 94
+model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
+stepping	: 3
+microcode	: 0xba
+cpu MHz		: 2700.000
+cache size	: 8192 KB
+physical id	: 0
+siblings	: 8
+core id		: 2
+cpu cores	: 4
+apicid		: 4
+initial apicid	: 4
+fpu		: yes
+fpu_exception	: yes
+cpuid level	: 22
+wp		: yes
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+bugs		:
+bogomips	: 5431.79
+clflush size	: 64
+cache_alignment	: 64
+address sizes	: 39 bits physical, 48 bits virtual
+power management:
+
+processor	: 3
+vendor_id	: GenuineIntel
+cpu family	: 6
+model		: 94
+model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
+stepping	: 3
+microcode	: 0xba
+cpu MHz		: 2700.000
+cache size	: 8192 KB
+physical id	: 0
+siblings	: 8
+core id		: 3
+cpu cores	: 4
+apicid		: 6
+initial apicid	: 6
+fpu		: yes
+fpu_exception	: yes
+cpuid level	: 22
+wp		: yes
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+bugs		:
+bogomips	: 5431.63
+clflush size	: 64
+cache_alignment	: 64
+address sizes	: 39 bits physical, 48 bits virtual
+power management:
+
+processor	: 4
+vendor_id	: GenuineIntel
+cpu family	: 6
+model		: 94
+model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
+stepping	: 3
+microcode	: 0xba
+cpu MHz		: 2700.000
+cache size	: 8192 KB
+physical id	: 0
+siblings	: 8
+core id		: 0
+cpu cores	: 4
+apicid		: 1
+initial apicid	: 1
+fpu		: yes
+fpu_exception	: yes
+cpuid level	: 22
+wp		: yes
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+bugs		:
+bogomips	: 5434.63
+clflush size	: 64
+cache_alignment	: 64
+address sizes	: 39 bits physical, 48 bits virtual
+power management:
+
+processor	: 5
+vendor_id	: GenuineIntel
+cpu family	: 6
+model		: 94
+model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
+stepping	: 3
+microcode	: 0xba
+cpu MHz		: 2700.000
+cache size	: 8192 KB
+physical id	: 0
+siblings	: 8
+core id		: 1
+cpu cores	: 4
+apicid		: 3
+initial apicid	: 3
+fpu		: yes
+fpu_exception	: yes
+cpuid level	: 22
+wp		: yes
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+bugs		:
+bogomips	: 5432.00
+clflush size	: 64
+cache_alignment	: 64
+address sizes	: 39 bits physical, 48 bits virtual
+power management:
+
+processor	: 6
+vendor_id	: GenuineIntel
+cpu family	: 6
+model		: 94
+model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
+stepping	: 3
+microcode	: 0xba
+cpu MHz		: 2700.000
+cache size	: 8192 KB
+physical id	: 0
+siblings	: 8
+core id		: 2
+cpu cores	: 4
+apicid		: 5
+initial apicid	: 5
+fpu		: yes
+fpu_exception	: yes
+cpuid level	: 22
+wp		: yes
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+bugs		:
+bogomips	: 5431.94
+clflush size	: 64
+cache_alignment	: 64
+address sizes	: 39 bits physical, 48 bits virtual
+power management:
+
+processor	: 7
+vendor_id	: GenuineIntel
+cpu family	: 6
+model		: 94
+model name	: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
+stepping	: 3
+microcode	: 0xba
+cpu MHz		: 2700.000
+cache size	: 8192 KB
+physical id	: 0
+siblings	: 8
+core id		: 3
+cpu cores	: 4
+apicid		: 7
+initial apicid	: 7
+fpu		: yes
+fpu_exception	: yes
+cpuid level	: 22
+wp		: yes
+flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
+bugs		:
+bogomips	: 5431.94
+clflush size	: 64
+cache_alignment	: 64
+address sizes	: 39 bits physical, 48 bits virtual
+power management:
+
+            CPU0       CPU1       CPU2       CPU3       CPU4       CPU5       CPU6       CPU7       
+   0:         70          0          0          0          0          0          0          0  IR-IO-APIC    2-edge      timer
+   1:         39      16476       1416       1089       6857       1983       1674       1959  IR-IO-APIC    1-edge      i8042
+   8:          0          0          1          0          0          0          0          0  IR-IO-APIC    8-edge      rtc0
+   9:        284       4834       2265       1628       7027       2758       1632       1695  IR-IO-APIC    9-fasteoi   acpi
+  12:        273    1626151      37392      40715     288530      39254      36081      51183  IR-IO-APIC   12-edge      i8042
+  16:          1          0          0          0          0          0          0          0  IR-IO-APIC   16-fasteoi   i801_smbus
+ 120:          0          0          0          0          0          0          0          0  DMAR-MSI    0-edge      dmar0
+ 121:          0          0          0          0          0          0          0          0  DMAR-MSI    1-edge      dmar1
+ 122:       7136       3040       2312       1908       4546       3822      75951       2347  IR-PCI-MSI 376832-edge      ahci[0000:00:17.0]
+ 123:         22          7          1          0          7          3          4          1  IR-PCI-MSI 327680-edge      xhci_hcd
+ 124:         89         19         22         25         79         55         27         54  IR-PCI-MSI 2097152-edge      rtsx_pci
+ 125:         88         15     127583         11         48         25         19         21  IR-PCI-MSI 520192-edge      enp0s31f6
+ 126:          1          1          1          0          3          1          3          6  IR-PCI-MSI 1048576-edge    
+ 127:        561        174         98     789487        240        230        184        147  IR-PCI-MSI 32768-edge      i915
+ 128:         34         14          0          0          1          0          0          0  IR-PCI-MSI 360448-edge      mei_me
+ 129:         22         10          0          1         10          0          0          0  IR-PCI-MSI 1572864-edge      iwlwifi
+ 130:         92        103         30         22        194        115         10         45  IR-PCI-MSI 514048-edge      snd_hda_intel:card0
+ NMI:          9         12          9         14         10          9          9         10   Non-maskable interrupts
+ LOC:     567811     554960     727313    1034780     584239     592851     624459     549121   Local timer interrupts
+ SPU:          0          0          0          0          0          0          0          0   Spurious interrupts
+ PMI:          9         12          9         14         10          9          9         10   Performance monitoring interrupts
+ IWI:          0          1          0          0          0          0          2          0   IRQ work interrupts
+ RTR:          7          0          0          0          0          0          0          0   APIC ICR read retries
+ RES:      85589      31076      11918       8326       7466       6913       6401       5898   Rescheduling interrupts
+ CAL:      73161      74171      68752      70655      80169      75209      61391      70903   Function call interrupts
+ TLB:      55150      56119      50377      53791      62195      57072      43366      55765   TLB shootdowns
+ TRM:          0          0          0          0          0          0          0          0   Thermal event interrupts
+ THR:          0          0          0          0          0          0          0          0   Threshold APIC interrupts
+ DFR:          0          0          0          0          0          0          0          0   Deferred Error APIC interrupts
+ MCE:          0          0          0          0          0          0          0          0   Machine check exceptions
+ MCP:         49         49         49         49         49         49         49         49   Machine check polls
+ ERR:          0
+ MIS:          0
+ PIN:          0          0          0          0          0          0          0          0   Posted-interrupt notification event
+ NPI:          0          0          0          0          0          0          0          0   Nested posted-interrupt event
+ PIW:          0          0          0          0          0          0          0          0   Posted-interrupt wakeup event
+MemTotal:       15852528 kB
+MemFree:        10535240 kB
+MemAvailable:   12483528 kB
+Buffers:          128136 kB
+Cached:          1542444 kB
+SwapCached:            0 kB
+Active:          3134032 kB
+Inactive:        1817100 kB
+Active(anon):    2706516 kB
+Inactive(anon):    79680 kB
+Active(file):     427516 kB
+Inactive(file):  1737420 kB
+Unevictable:          32 kB
+Mlocked:              32 kB
+SwapTotal:       7933948 kB
+SwapFree:        7933948 kB
+Dirty:              4304 kB
+Writeback:             0 kB
+AnonPages:       2975608 kB
+Mapped:           495648 kB
+Shmem:             80740 kB
+Slab:             143688 kB
+SReclaimable:      74472 kB
+SUnreclaim:        69216 kB
+KernelStack:        9224 kB
+PageTables:        39488 kB
+NFS_Unstable:          0 kB
+Bounce:                0 kB
+WritebackTmp:          0 kB
+CommitLimit:    15860212 kB
+Committed_AS:   11681028 kB
+VmallocTotal:   34359738367 kB
+VmallocUsed:           0 kB
+VmallocChunk:          0 kB
+HardwareCorrupted:     0 kB
+AnonHugePages:    966656 kB
+ShmemHugePages:        0 kB
+ShmemPmdMapped:        0 kB
+CmaTotal:              0 kB
+CmaFree:               0 kB
+HugePages_Total:       0
+HugePages_Free:        0
+HugePages_Rsvd:        0
+HugePages_Surp:        0
+Hugepagesize:       2048 kB
+DirectMap4k:      202752 kB
+DirectMap2M:     7602176 kB
+DirectMap1G:     9437184 kB
+Inter-|   Receive                                                |  Transmit
+ face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
+virbr1:  353867    2838    0    0    0     0          0         0  1474230    3810    0    0    0     0       0          0
+enp0s31f6: 43450858   65096    0    0    0     0          0      2075  6950121   57094    0    0    0     0       0          0
+virbr1-nic:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
+tun_wizint: 4130741    7381    0    0    0     0          0         0  1092175    8002    0    0    0     0       0          0
+    lo:    5706      74    0    0    0     0          0         0     5706      74    0    0    0     0       0          0
+ vnet0:  393599    2838    0    0    0     0          0         0  1610002    6363    0    0    0     0       0          0
+wlp3s0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
diff --git a/test/aux-fixed/exim-ca/example_ec.com/CA/pwdfile b/test/aux-fixed/exim-ca/example_ec.com/CA/pwdfile
new file mode 100644
index 000000000..f3097ab13
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example_ec.com/CA/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example_ec.com/CA/secmod.db b/test/aux-fixed/exim-ca/example_ec.com/CA/secmod.db
new file mode 100644
index 000000000..f8cc0e78b
Binary files /dev/null and b/test/aux-fixed/exim-ca/example_ec.com/CA/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/ca_chain.pem b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/ca_chain.pem
new file mode 100644
index 000000000..6dc10caf8
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/ca_chain.pem
@@ -0,0 +1,35 @@
+Bag Attributes
+    friendlyName: Signing Cert ec
+subject=/O=example_ec.com/CN=clica Signing Cert ec
+issuer=/O=example_ec.com/CN=clica CA ec
+-----BEGIN CERTIFICATE-----
+MIICOTCCAZqgAwIBAgIBAjAKBggqhkjOPQQDAjAvMRcwFQYDVQQKDA5leGFtcGxl
+X2VjLmNvbTEUMBIGA1UEAxMLY2xpY2EgQ0EgZWMwHhcNMTIxMTAxMTIzNDA0WhcN
+MzgwMTAxMTIzNDA0WjA5MRcwFQYDVQQKDA5leGFtcGxlX2VjLmNvbTEeMBwGA1UE
+AxMVY2xpY2EgU2lnbmluZyBDZXJ0IGVjMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
+AAQB3RMF5qTA8Mhf1/DtiauE272gyO6MJmiYGJn16gwbUU4J8PIXHXDKH5O5Y99z
+0xYrhX+eLTuNvTA0O8O1DkLGpeQAyo65/kRq+B6zWhCIXkl1/Tqqx6WM3kF0xHfb
+7xKeorKtz8cToLXFw5SscZNVv32S9rnKTxwif3+7dgaC1eVKWjyjWjBYMA4GA1Ud
+DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6AloCOG
+IWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDAKBggqhkjOPQQDAgOB
+jAAwgYgCQgC7QqFcSVRN5pZoaHw6Z1no0QjnpzcGHEO/kI7XNg2q+u41Xk96DE85
+jTs+ryef/GJ9scPeShvxOOaXlutP7RKL9wJCAaa6Un0wubdhy5djZ3Qv09kRt/XT
+jLkY6s1aiotpl5mX+puxLRutrLML1w3ZACe2Ippibv3Puvg2I3eaJyVjg76q
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority ec
+subject=/O=example_ec.com/CN=clica CA ec
+issuer=/O=example_ec.com/CN=clica CA ec
+-----BEGIN CERTIFICATE-----
+MIIB+zCCAVygAwIBAgIBATAKBggqhkjOPQQDAjAvMRcwFQYDVQQKDA5leGFtcGxl
+X2VjLmNvbTEUMBIGA1UEAxMLY2xpY2EgQ0EgZWMwHhcNMTIxMTAxMTIzNDA0WhcN
+MzgwMTAxMTIzNDA0WjAvMRcwFQYDVQQKDA5leGFtcGxlX2VjLmNvbTEUMBIGA1UE
+AxMLY2xpY2EgQ0EgZWMwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAHm9U9VOWgT
+kXnFOEy1kfkVx0n/XZygNm1Z+WnyU3Nt/c7b8m/Xwv4/VZO9bYm9dENOjT5+FHZ6
+MyJVIZVsYIfmlgG7BGeHDUzgLkmm30rM+QKU8pMNIMUggwY3CtV7tdeX/T/dtayh
+uxB2oyHvv2jGLIi1P8d4k87/9JWjvhfIjS6ImqMmMCQwEgYDVR0TAQH/BAgwBgEB
+/wIBATAOBgNVHQ8BAf8EBAMCAQYwCgYIKoZIzj0EAwIDgYwAMIGIAkIBEFmSdl+a
+k48M4+Ntzzkt+U0CfFIsW86KpYe0BcYjrNUVOUGu7s7RmFgMjYmGrWNCCJ2PNL9x
+eXwyFQMITjEvYy0CQgGl5U/yWaqe/PGKEQmyvhlcXF6ylv4iJES2SFlyhdqEFqrT
+biYVM/zSvSn2K3B3c/JHA4L21LcUjAPi8cphpgVIEQ==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/cert8.db b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/cert8.db
new file mode 100644
index 000000000..62ecafcdb
Binary files /dev/null and b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/cert8.db differ
diff --git a/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/fullchain.pem b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/fullchain.pem
new file mode 100644
index 000000000..43648ad2a
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/fullchain.pem
@@ -0,0 +1,59 @@
+Bag Attributes
+    friendlyName: server1.example_ec.com
+    localKeyID: E8 57 D2 D2 59 FF E7 C8 FE 43 26 2F ED 44 08 9F 53 83 10 A4 
+subject=/CN=server1.example_ec.com
+issuer=/O=example_ec.com/CN=clica Signing Cert ec
+-----BEGIN CERTIFICATE-----
+MIIDADCCAmGgAwIBAgICCDUwCgYIKoZIzj0EAwIwOTEXMBUGA1UECgwOZXhhbXBs
+ZV9lYy5jb20xHjAcBgNVBAMTFWNsaWNhIFNpZ25pbmcgQ2VydCBlYzAeFw0xMjEx
+MDExMjM0MDRaFw0zNzEyMDExMjM0MDRaMCExHzAdBgNVBAMMFnNlcnZlcjEuZXhh
+bXBsZV9lYy5jb20wgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAC5lSGys4Q+gTlp
+k5mJq6PEBwhXhPCpK2tWOtjjpxFdLABLnmojns6MiGwSWDgzjQLt09XnLkxJz0+V
++2nDzdPB4gBeTmn1HP8P97jPuCwWRWPZdDV+xXlXlhFjMM/em0BS3k3Ub4M7hR9l
+SG8yUP7xTbbROb1ogXYcTVbWvBLLSUXdJaOCASwwggEoMA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5jb20vMIGJ
+BgNVHREEgYEwf4IWc2VydmVyMS5leGFtcGxlX2VjLmNvbYIhYWx0ZXJuYXRlbmFt
+ZS5zZXJ2ZXIxLmV4YW1wbGUuY29tgiJhbHRlcm5hdGVuYW1lMi5zZXJ2ZXIxLmV4
+YW1wbGUuY29tggkqLnRlc3QuZXiCE3NlcnZlcjEuZXhhbXBsZS5jb20wCgYIKoZI
+zj0EAwIDgYwAMIGIAkIAxsS/7bWclQDD4cR+PMtp0taiCGB9DZjOhqw2Z1hXUTXv
+Ak6FFdB9oNV+axXE8OzFE/xZwzI/7VKXb/TAHGN/lfkCQgDCI0B/b2OTUk5hfB+r
+4Vi/N/clg9lkJ6DlzoMcGV92dGsW1HQ4BYG7uABCaGCRwSmIs2VEy5jA0F5hAggQ
+8fjLQA==
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Signing Cert ec
+subject=/O=example_ec.com/CN=clica Signing Cert ec
+issuer=/O=example_ec.com/CN=clica CA ec
+-----BEGIN CERTIFICATE-----
+MIICOTCCAZqgAwIBAgIBAjAKBggqhkjOPQQDAjAvMRcwFQYDVQQKDA5leGFtcGxl
+X2VjLmNvbTEUMBIGA1UEAxMLY2xpY2EgQ0EgZWMwHhcNMTIxMTAxMTIzNDA0WhcN
+MzgwMTAxMTIzNDA0WjA5MRcwFQYDVQQKDA5leGFtcGxlX2VjLmNvbTEeMBwGA1UE
+AxMVY2xpY2EgU2lnbmluZyBDZXJ0IGVjMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
+AAQB3RMF5qTA8Mhf1/DtiauE272gyO6MJmiYGJn16gwbUU4J8PIXHXDKH5O5Y99z
+0xYrhX+eLTuNvTA0O8O1DkLGpeQAyo65/kRq+B6zWhCIXkl1/Tqqx6WM3kF0xHfb
+7xKeorKtz8cToLXFw5SscZNVv32S9rnKTxwif3+7dgaC1eVKWjyjWjBYMA4GA1Ud
+DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6AloCOG
+IWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDAKBggqhkjOPQQDAgOB
+jAAwgYgCQgC7QqFcSVRN5pZoaHw6Z1no0QjnpzcGHEO/kI7XNg2q+u41Xk96DE85
+jTs+ryef/GJ9scPeShvxOOaXlutP7RKL9wJCAaa6Un0wubdhy5djZ3Qv09kRt/XT
+jLkY6s1aiotpl5mX+puxLRutrLML1w3ZACe2Ippibv3Puvg2I3eaJyVjg76q
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: Certificate Authority ec
+subject=/O=example_ec.com/CN=clica CA ec
+issuer=/O=example_ec.com/CN=clica CA ec
+-----BEGIN CERTIFICATE-----
+MIIB+zCCAVygAwIBAgIBATAKBggqhkjOPQQDAjAvMRcwFQYDVQQKDA5leGFtcGxl
+X2VjLmNvbTEUMBIGA1UEAxMLY2xpY2EgQ0EgZWMwHhcNMTIxMTAxMTIzNDA0WhcN
+MzgwMTAxMTIzNDA0WjAvMRcwFQYDVQQKDA5leGFtcGxlX2VjLmNvbTEUMBIGA1UE
+AxMLY2xpY2EgQ0EgZWMwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAHm9U9VOWgT
+kXnFOEy1kfkVx0n/XZygNm1Z+WnyU3Nt/c7b8m/Xwv4/VZO9bYm9dENOjT5+FHZ6
+MyJVIZVsYIfmlgG7BGeHDUzgLkmm30rM+QKU8pMNIMUggwY3CtV7tdeX/T/dtayh
+uxB2oyHvv2jGLIi1P8d4k87/9JWjvhfIjS6ImqMmMCQwEgYDVR0TAQH/BAgwBgEB
+/wIBATAOBgNVHQ8BAf8EBAMCAQYwCgYIKoZIzj0EAwIDgYwAMIGIAkIBEFmSdl+a
+k48M4+Ntzzkt+U0CfFIsW86KpYe0BcYjrNUVOUGu7s7RmFgMjYmGrWNCCJ2PNL9x
+eXwyFQMITjEvYy0CQgGl5U/yWaqe/PGKEQmyvhlcXF6ylv4iJES2SFlyhdqEFqrT
+biYVM/zSvSn2K3B3c/JHA4L21LcUjAPi8cphpgVIEQ==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/key3.db b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/key3.db
new file mode 100644
index 000000000..69b354714
Binary files /dev/null and b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/key3.db differ
diff --git a/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/pwdfile b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/pwdfile
new file mode 100644
index 000000000..f3097ab13
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/pwdfile
@@ -0,0 +1 @@
+password
diff --git a/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/secmod.db b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/secmod.db
new file mode 100644
index 000000000..f85d8feef
Binary files /dev/null and b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/secmod.db differ
diff --git a/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.chain.pem b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.chain.pem
new file mode 100644
index 000000000..e167da08e
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.chain.pem
@@ -0,0 +1,38 @@
+Bag Attributes
+    friendlyName: server1.example_ec.com
+    localKeyID: E8 57 D2 D2 59 FF E7 C8 FE 43 26 2F ED 44 08 9F 53 83 10 A4 
+subject=/CN=server1.example_ec.com
+issuer=/O=example_ec.com/CN=clica Signing Cert ec
+-----BEGIN CERTIFICATE-----
+MIIDADCCAmGgAwIBAgICCDUwCgYIKoZIzj0EAwIwOTEXMBUGA1UECgwOZXhhbXBs
+ZV9lYy5jb20xHjAcBgNVBAMTFWNsaWNhIFNpZ25pbmcgQ2VydCBlYzAeFw0xMjEx
+MDExMjM0MDRaFw0zNzEyMDExMjM0MDRaMCExHzAdBgNVBAMMFnNlcnZlcjEuZXhh
+bXBsZV9lYy5jb20wgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAC5lSGys4Q+gTlp
+k5mJq6PEBwhXhPCpK2tWOtjjpxFdLABLnmojns6MiGwSWDgzjQLt09XnLkxJz0+V
++2nDzdPB4gBeTmn1HP8P97jPuCwWRWPZdDV+xXlXlhFjMM/em0BS3k3Ub4M7hR9l
+SG8yUP7xTbbROb1ogXYcTVbWvBLLSUXdJaOCASwwggEoMA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5jb20vMIGJ
+BgNVHREEgYEwf4IWc2VydmVyMS5leGFtcGxlX2VjLmNvbYIhYWx0ZXJuYXRlbmFt
+ZS5zZXJ2ZXIxLmV4YW1wbGUuY29tgiJhbHRlcm5hdGVuYW1lMi5zZXJ2ZXIxLmV4
+YW1wbGUuY29tggkqLnRlc3QuZXiCE3NlcnZlcjEuZXhhbXBsZS5jb20wCgYIKoZI
+zj0EAwIDgYwAMIGIAkIAxsS/7bWclQDD4cR+PMtp0taiCGB9DZjOhqw2Z1hXUTXv
+Ak6FFdB9oNV+axXE8OzFE/xZwzI/7VKXb/TAHGN/lfkCQgDCI0B/b2OTUk5hfB+r
+4Vi/N/clg9lkJ6DlzoMcGV92dGsW1HQ4BYG7uABCaGCRwSmIs2VEy5jA0F5hAggQ
+8fjLQA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICNDCCAZ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhMB4XDTEyMTEwMTEyMzQwMVoX
+DTM4MDEwMTEyMzQwMVowNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMT
+FmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANlcwo5q84SEtVy5W/xqbYAzOiYUZ0Shp9+ry/Q/X5uhrDF9JSHNWJbXut+8
+ZJGICt0RYVIJCcaa7FUt5hTKEx4fgURr+Hz84ZgwesMxcECHJPq9ylrCqbPkbmFR
+1XUy2MvioMH2lyc/PbV62XXggJhHioStVLRfyVlkS1KvvR+HAgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZXhhbXBsZS5jb20vbGF0ZXN0LmNybDANBgkqhkiG9w0B
+AQsFAAOBgQBtPJwqu7DiDmFZd58L4xQ6JJhrJzJUDHmT7ikW2tOM58yisCgSnzrR
+xihW+49vUQ9lSGxBHaFwdehAuGTXydnf7/i9i6KA2RZ+Rq12FJFYOhjaIP7Sy1zq
+VXtb+P1eDBQQhz0WgysLVjgGdBiokRv86yY56ficoTQ6EyWzQLCU+A==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.key b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.key
new file mode 100644
index 000000000..750aaa2c9
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.key
@@ -0,0 +1,13 @@
+Bag Attributes
+    friendlyName: server1.example_ec.com
+    localKeyID: E8 57 D2 D2 59 FF E7 C8 FE 43 26 2F ED 44 08 9F 53 83 10 A4 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBPTBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIKzAztvM6FmICAggA
+MBQGCCqGSIb3DQMHBAiIeJLKyMqpiASB+PtDhx67fl/D/0nYcutWx5s5Ue9g8f/V
+zvQyZmGku0pc/c1aDpOdJ5z//YyMMyMeMngcntIcjmexR+bp5sEYUPorUz2IFMRv
+gHBHPHq3L7W8sb9fKdSotFNA1N1fRl52zPBI1WTfYL4Oj69efkO4ohn3GLq5gd6M
+lWMjdFlFjGa/7uiN8HVji2VEMXC17f/tLiz0rMiE3yOHwUwoBv3WPx3FT5rQRnDO
+rr6NrebQ4MRyHP8c8yMhM2L0q24CRIorPB76VxGwzjmDudfHsjZ0bND7NWFstPGL
+Hms4MRqCk0FSjrNEcZAXUQxxNi7sIuU6D1AbwWLnakq/
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.p12 b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.p12
new file mode 100644
index 000000000..24e25a9aa
Binary files /dev/null and b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.p12 differ
diff --git a/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.pem b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.pem
new file mode 100644
index 000000000..662294f05
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.pem
@@ -0,0 +1,24 @@
+Bag Attributes
+    friendlyName: server1.example_ec.com
+    localKeyID: E8 57 D2 D2 59 FF E7 C8 FE 43 26 2F ED 44 08 9F 53 83 10 A4 
+subject=/CN=server1.example_ec.com
+issuer=/O=example_ec.com/CN=clica Signing Cert ec
+-----BEGIN CERTIFICATE-----
+MIIDADCCAmGgAwIBAgICCDUwCgYIKoZIzj0EAwIwOTEXMBUGA1UECgwOZXhhbXBs
+ZV9lYy5jb20xHjAcBgNVBAMTFWNsaWNhIFNpZ25pbmcgQ2VydCBlYzAeFw0xMjEx
+MDExMjM0MDRaFw0zNzEyMDExMjM0MDRaMCExHzAdBgNVBAMMFnNlcnZlcjEuZXhh
+bXBsZV9lYy5jb20wgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAC5lSGys4Q+gTlp
+k5mJq6PEBwhXhPCpK2tWOtjjpxFdLABLnmojns6MiGwSWDgzjQLt09XnLkxJz0+V
++2nDzdPB4gBeTmn1HP8P97jPuCwWRWPZdDV+xXlXlhFjMM/em0BS3k3Ub4M7hR9l
+SG8yUP7xTbbROb1ogXYcTVbWvBLLSUXdJaOCASwwggEoMA4GA1UdDwEB/wQEAwIE
+8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAn
+oCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUF
+BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5jb20vMIGJ
+BgNVHREEgYEwf4IWc2VydmVyMS5leGFtcGxlX2VjLmNvbYIhYWx0ZXJuYXRlbmFt
+ZS5zZXJ2ZXIxLmV4YW1wbGUuY29tgiJhbHRlcm5hdGVuYW1lMi5zZXJ2ZXIxLmV4
+YW1wbGUuY29tggkqLnRlc3QuZXiCE3NlcnZlcjEuZXhhbXBsZS5jb20wCgYIKoZI
+zj0EAwIDgYwAMIGIAkIAxsS/7bWclQDD4cR+PMtp0taiCGB9DZjOhqw2Z1hXUTXv
+Ak6FFdB9oNV+axXE8OzFE/xZwzI/7VKXb/TAHGN/lfkCQgDCI0B/b2OTUk5hfB+r
+4Vi/N/clg9lkJ6DlzoMcGV92dGsW1HQ4BYG7uABCaGCRwSmIs2VEy5jA0F5hAggQ
+8fjLQA==
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.unlocked.key b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.unlocked.key
new file mode 100644
index 000000000..31e377b8f
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.unlocked.key
@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIAzKUWe3GrwZUvhQ9/DJ2Fpek5/WH8LoZ5Z68VxoqcHJc8v7S0+VmZ
+wXG07OlzqaBLd17DwweW7wNXjY393zWGFHagBwYFK4EEACOhgYkDgYYABAC5lSGy
+s4Q+gTlpk5mJq6PEBwhXhPCpK2tWOtjjpxFdLABLnmojns6MiGwSWDgzjQLt09Xn
+LkxJz0+V+2nDzdPB4gBeTmn1HP8P97jPuCwWRWPZdDV+xXlXlhFjMM/em0BS3k3U
+b4M7hR9lSG8yUP7xTbbROb1ogXYcTVbWvBLLSUXdJQ==
+-----END EC PRIVATE KEY-----
diff --git a/test/aux-fixed/exim-ca/fullchain.pem b/test/aux-fixed/exim-ca/fullchain.pem
deleted file mode 100644
index e69de29bb..000000000
diff --git a/test/aux-fixed/exim-ca/genall b/test/aux-fixed/exim-ca/genall
index 899bb8069..09823704e 100755
--- a/test/aux-fixed/exim-ca/genall
+++ b/test/aux-fixed/exim-ca/genall
@@ -2,7 +2,11 @@
 #
 
 set -e
-set -x
+
+# Debugging.  Set V for clica verbosity.
+#set -x
+V=
+#V='-v'
 
 clica --help >/dev/null 2>&1
 
@@ -10,43 +14,62 @@ echo Ensure time is set to 2012/11/01 12:34
 echo use -  date -u 110112342012
 echo hit return when ready
 read junk
+
+# Main suite: RSA certs
 for tld in com org net
 do
-    idir="example.$tld"
+    iname="example.$tld"
+    idir=$iname
+
+####
+    # create CAs & server certs
     rm -fr "$idir"
-    clica -D "$idir" -p password -B 1024 -I -N example.$tld -F \
-	-C http://crl.example.$tld/latest.crl -O http://oscp.example.$tld/
 
+    # create CA cert + templates
+    clica $V -D "$idir" -p password -B 1024 -I -N $iname -F -C http://crl.$iname/latest.crl -O http://oscp.$iname/
+
+    # create server certs
     # -m <months>
-    clica -D example.$tld -p password -s 101 -S server1.example.$tld -m 301 \
+    clica $V -D $idir -p password -s 101 -S server1.$iname -m 301 \
 	-8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
-    clica -D example.$tld -p password -s 102 -S revoked1.example.$tld -m 301
-    clica -D example.$tld -p password -s 103 -S expired1.example.$tld -m 1
-    clica -D example.$tld -p password -s 201 -S  server2.example.$tld -m 301
-    clica -D example.$tld -p password -s 202 -S revoked2.example.$tld -m 301
-    clica -D example.$tld -p password -s 203 -S expired2.example.$tld -m 1
+    clica $V -D $idir -p password -s 102 -S revoked1.$iname -m 301
+    clica $V -D $idir -p password -s 103 -S expired1.$iname -m 1
+    clica $V -D $idir -p password -s 201 -S  server2.$iname -m 301
+    clica $V -D $idir -p password -s 202 -S revoked2.$iname -m 301
+    clica $V -D $idir -p password -s 203 -S expired2.$iname -m 1
 
+####
 
     # openssl seems to generate a file (ca_chain.pam) in an order it
     # cannot then use (the key applies to the first cert in the file?).
     # Generate a shuffled one.
-    cd example.$tld/server1.example.$tld
-    openssl pkcs12 -in server1.example.$tld.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
-    cat server1.example.$tld.pem cacerts.pem > fullchain.pem
-    rm cacerts.pem
+    cd $idir/server1.$iname
+        openssl pkcs12 -in server1.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
+        cat server1.$iname.pem cacerts.pem > fullchain.pem
+        rm cacerts.pem
     cd ../..
-done
 
-# and loop again
-for tld in com org net
-do
-    CADIR=example.$tld/CA
+####
+
+    # generate unlocked keys and client cert bundles
+    for server in server1 revoked1 expired1 server2 revoked2 expired2
+    do
+	SDIR=$idir/$server.$iname
+	SPFX=$SDIR/$server.$iname
+	openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
+	cat $SPFX.pem $iname/CA/Signer.pem >$SPFX.chain.pem
+    done
+
+####
+
+    # create OCSP reqs & resps
+    CADIR=$idir/CA
     #give ourselves an OSCP key to work with
-    pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer' -d $CADIR -K password -W password
+    pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer rsa' -d $CADIR -K password -W password
     openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key
 
     # also need variation from Signer
-    pk12util -o $CADIR/Signer.p12 -n 'Signing Cert' -d $CADIR -K password -W password
+    pk12util -o $CADIR/Signer.p12 -n 'Signing Cert rsa' -d $CADIR -K password -W password
     openssl pkcs12 -in $CADIR/Signer.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/Signer.key
 
     # create some index files for the ocsp responder to work with
@@ -59,63 +82,119 @@ do
 # 5: DN, index
 
     cat >$CADIR/index.valid.txt <<EOF
-V	130110200751Z		65	unknown	CN=server1.example.$tld
-V	130110200751Z		66	unknown	CN=revoked1.example.$tld
-V	130110200751Z		67	unknown	CN=expired1.example.$tld
-V	130110200751Z		c9	unknown	CN=server2.example.$tld
-V	130110200751Z		ca	unknown	CN=revoked2.example.$tld
-V	130110200751Z		cb	unknown	CN=expired2.example.$tld
+V	130110200751Z		65	unknown	CN=server1.$iname
+V	130110200751Z		66	unknown	CN=revoked1.$iname
+V	130110200751Z		67	unknown	CN=expired1.$iname
+V	130110200751Z		c9	unknown	CN=server2.$iname
+V	130110200751Z		ca	unknown	CN=revoked2.$iname
+V	130110200751Z		cb	unknown	CN=expired2.$iname
 EOF
     cat >$CADIR/index.revoked.txt <<EOF
-R	130110200751Z	100201142709Z,superseded	65	unknown	CN=server1.example.$tld
-R	130110200751Z	100201142709Z,superseded	66	unknown	CN=revoked1.example.$tld
-R	130110200751Z	100201142709Z,superseded	67	unknown	CN=expired1.example.$tld
-R	130110200751Z	100201142709Z,superseded	c9	unknown	CN=server2.example.$tld
-R	130110200751Z	100201142709Z,superseded	ca	unknown	CN=revoked2.example.$tld
-R	130110200751Z	100201142709Z,superseded	cb	unknown	CN=expired2.example.$tld
+R	130110200751Z	100201142709Z,superseded	65	unknown	CN=server1.$iname
+R	130110200751Z	100201142709Z,superseded	66	unknown	CN=revoked1.$iname
+R	130110200751Z	100201142709Z,superseded	67	unknown	CN=expired1.$iname
+R	130110200751Z	100201142709Z,superseded	c9	unknown	CN=server2.$iname
+R	130110200751Z	100201142709Z,superseded	ca	unknown	CN=revoked2.$iname
+R	130110200751Z	100201142709Z,superseded	cb	unknown	CN=expired2.$iname
 EOF
 
     # Now create all the ocsp requests and responses
+    IVALID="-index $CADIR/index.valid.txt"
+    IREVOKED="-index $CADIR/index.revoked.txt"
     for server in server1 revoked1 expired1 server2 revoked2 expired2
     do
-	SPFX=example.$tld/$server.example.$tld/$server.example.$tld
+	SPFX=$idir/$server.$iname/$server.$iname
 	openssl ocsp -issuer $CADIR/Signer.pem -cert $SPFX.pem -no_nonce -sha256 -reqout $SPFX.ocsp.req
+	REQIN="-reqin $SPFX.ocsp.req"
 
 	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
-	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.good.resp
-	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 30   -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.dated.resp
-	openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.revoked.resp
+	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 -sha256 $REQIN -respout $SPFX.ocsp.good.resp
+	openssl ocsp $IVALID   $OGENCOMMON -ndays 30   -sha256 $REQIN -respout $SPFX.ocsp.dated.resp
+	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 -sha256 $REQIN -respout $SPFX.ocsp.revoked.resp
 
 	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -noverify"
-	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signer.good.resp
-	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 30   -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signer.dated.resp
-	openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signer.revoked.resp
+	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 -sha256 $REQIN -respout $SPFX.ocsp.signer.good.resp
+	openssl ocsp $IVALID   $OGENCOMMON -ndays 30   -sha256 $REQIN -respout $SPFX.ocsp.signer.dated.resp
+	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 -sha256 $REQIN -respout $SPFX.ocsp.signer.revoked.resp
 
 	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -resp_no_certs -noverify"
-	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signernocert.good.resp
-	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 30   -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signernocert.dated.resp
-	openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signernocert.revoked.resp
+	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 -sha256 $REQIN -respout $SPFX.ocsp.signernocert.good.resp
+	openssl ocsp $IVALID   $OGENCOMMON -ndays 30   -sha256 $REQIN -respout $SPFX.ocsp.signernocert.dated.resp
+	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 -sha256 $REQIN -respout $SPFX.ocsp.signernocert.revoked.resp
     done
+####
 done
 
-# and loop again to generate unlocked keys and client cert bundles
-for tld in com org net
+# Create one EC leaf cert in the RSA cert tree.  It will have an EC pubkey but be signed using its parent
+# therefore its parent's algo, RSA.
+clica $V -D example.com -p password -k ec -q nistp521 -s 1101 -S server1_ec.example.com -m 301 -8 'server1.example.com,*.test.ex'
+SDIR=example.com/server1_ec.example.com
+SPFX=$SDIR/server1_ec.example.com
+openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
+cat $SPFX.pem example.com/CA/Signer.pem >$SPFX.chain.pem
+
+
+
+###############################################################################
+# Limited suite: EC certs
+# separate trust root & chain
+# .com only, server1 good only, no ocsp
+# with server1 in SAN of leaf
+
+for tld in com
 do
-    for server in server1 revoked1 expired1 server2 revoked2 expired2
+    iname="example_ec.$tld"
+    idir=$iname
+
+####
+    # create CAs & server certs
+    rm -fr "$idir"
+
+    # create CA cert + templates
+    clica $V -D "$idir" -p password -B 1024 -I -N $iname -F \
+	-k ec -q nistp521 \
+	-C http://crl.example.$tld/latest.crl -O http://oscp.example.$tld/
+
+    # create server certs
+    # -m <months>
+    clica $V -D $idir -p password -s 2101 -S server1.$iname -m 301 \
+	-k ec -q nistp521 \
+	-8 server1.example.$tld,alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
+
+####
+
+    # openssl seems to generate a file (ca_chain.pam) in an order it
+    # cannot then use (the key applies to the first cert in the file?).
+    # Generate a shuffled one.
+    cd $idir/server1.$iname
+        openssl pkcs12 -in server1.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
+        cat server1.$iname.pem cacerts.pem > fullchain.pem
+        rm cacerts.pem
+    cd ../..
+
+####
+
+    # generate unlocked keys and client cert bundles
+    for server in server1
     do
-	SDIR=example.$tld/$server.example.$tld
-	SPFX=$SDIR/$server.example.$tld
-	openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
+	SDIR=$idir/$server.$iname
+	SPFX=$SDIR/$server.$iname
+	openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
 	cat $SPFX.pem example.$tld/CA/Signer.pem >$SPFX.chain.pem
     done
+
 done
 
+###############################################################################
+
 echo Please to reset date to now.
 echo 'service ntpdate start (not on a systemd though...)'
 echo 
 echo Then hit return
 read junk
 
+
+
 # Create CRL files in .der and .pem
 # empty versions, and ones with the revoked servers
 for tld in com org net
@@ -125,7 +204,7 @@ do
     DATENOW=`date -u +%Y%m%d%H%M%SZ`
     echo "update=$DATENOW " >$CRLIN
     crlutil -G -d $CADIR -f $CADIR/pwdfile \
-	-n 'Signing Cert' -c $CRLIN -o $CADIR/crl.empty
+	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.empty
     openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
 done
 sleep 2
@@ -138,7 +217,7 @@ do
     echo "addcert 102 $DATENOW" >>$CRLIN
     echo "addcert 202 $DATENOW" >>$CRLIN
     crlutil -G -d $CADIR -f $CADIR/pwdfile \
-	-n 'Signing Cert' -c $CRLIN -o $CADIR/crl.v2
+	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.v2
     openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
 done
 
@@ -159,7 +238,7 @@ cd ../../..
 pwd
 ls -l
 
-find example.* -type d -print0 | xargs -0 chmod 755
-find example.* -type f -print0 | xargs -0 chmod 644
+find example* -type d -print0 | xargs -0 chmod 755
+find example* -type f -print0 | xargs -0 chmod 644
 
 echo "CA, Certificate, CRL and OSCP Response generation complete"
diff --git a/test/confs/2002 b/test/confs/2002
index ccbe6f192..dfeb172b1 100644
--- a/test/confs/2002
+++ b/test/confs/2002
@@ -16,11 +16,17 @@ queue_run_in_order
 
 tls_advertise_hosts = 127.0.0.1 : HOSTIPV4
 
-tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
-tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+CA = DIR/aux-fixed/exim-ca
+DRSA = CA/example.com
+DECDSA = CA/example_ec.com
+
+tls_certificate = DRSA/server1.example.com/server1.example.com.pem \
+		: DECDSA/server1.example_ec.com/server1.example_ec.com.pem
+tls_privatekey =  DRSA/server1.example.com/server1.example.com.unlocked.key \
+		: DECDSA/server1.example_ec.com/server1.example_ec.com.unlocked.key
 
 tls_verify_hosts = HOSTIPV4
-tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem
+tls_verify_certificates = DRSA/server2.example.com/ca_chain.pem
 
 
 # ------ ACL ------
@@ -30,14 +36,7 @@ begin acl
 check_recipient:
   accept  hosts = :
   deny    hosts = HOSTIPV4
-         !encrypted = AES256-SHA : \
-                      AES256-GCM-SHA384 : \
-                      IDEA-CBC-MD5 : \
-                      DES-CBC3-SHA : \
-                      DHE_RSA_AES_256_CBC_SHA1 : \
-                      DHE_RSA_3DES_EDE_CBC_SHA : \
-                      RSA_AES_256_CBC_SHA1 : \
-		      ECDHE_RSA_AES_256_GCM_SHA384
+         !encrypted = *
   warn    logwrite =  ${if def:tls_in_ourcert \
 		{Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \
 		{We did not present a cert}}
diff --git a/test/confs/2102 b/test/confs/2102
index 58ff6fbaa..0139a61c0 100644
--- a/test/confs/2102
+++ b/test/confs/2102
@@ -16,11 +16,21 @@ queue_run_in_order
 
 tls_advertise_hosts = 127.0.0.1 : HOSTIPV4
 
-tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
-tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+.ifdef ORDER
+tls_require_ciphers = ORDER
+.endif
+
+CA = DIR/aux-fixed/exim-ca
+DRSA = CA/example.com
+DECDSA = CA/example_ec.com
+
+tls_certificate = DRSA/server1.example.com/server1.example.com.pem \
+		: DECDSA/server1.example_ec.com/server1.example_ec.com.pem
+tls_privatekey =  DRSA/server1.example.com/server1.example.com.unlocked.key \
+		: DECDSA/server1.example_ec.com/server1.example_ec.com.unlocked.key
 
 tls_verify_hosts = HOSTIPV4
-tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem
+tls_verify_certificates = DRSA/server2.example.com/ca_chain.pem
 
 
 # ------ ACL ------
@@ -30,19 +40,9 @@ begin acl
 check_recipient:
   accept  hosts = :
   deny    hosts = HOSTIPV4
-         !encrypted = AES256-SHA : \
-                      AES256-GCM-SHA384 : \
-                      AES128-GCM-SHA256 : \
-                      IDEA-CBC-MD5 : \
-                      DES-CBC3-SHA : \
-		      DHE-RSA-AES256-SHA : \
-		      DHE-RSA-AES256-GCM-SHA384 : \
-                      DHE_RSA_AES_256_CBC_SHA1 : \
-                      DHE_RSA_3DES_EDE_CBC_SHA : \
-                      ECDHE-RSA-AES256-GCM-SHA384 : \
-                      ECDHE-RSA-AES128-GCM-SHA256 : \
-		      ECDHE-RSA-CHACHA20-POLY1305
+         !encrypted = *
 	  logwrite = cipher: $tls_in_cipher
+# This appears to lie. Despite what's on the wire, it returns the last cert loaded.
   warn    logwrite =  ${if def:tls_in_ourcert \
 		{Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \
 		{We did not present a cert}}
diff --git a/test/log/2002 b/test/log/2002
index 742897936..b5ed68f3d 100644
--- a/test/log/2002
+++ b/test/log/2002
@@ -5,35 +5,45 @@
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER <CALLER@test.ex> R=abc T=local_delivery
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbA-0005vi-00 => CALLER <CALLER@test.ex> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER <CALLER@test.ex> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
 1999-03-02 09:44:33 Peer did not present a cert
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss
 1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
 1999-03-02 09:44:33 Peer did not present a cert
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate.
 1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
 1999-03-02 09:44:33 Peer cert:
 1999-03-02 09:44:33 ver 3
 1999-03-02 09:44:33 SR  <c9>
 1999-03-02 09:44:33 SN  <CN=server2.example.com>
-1999-03-02 09:44:33 IN  <O=example.com,CN=clica Signing Cert>
+1999-03-02 09:44:33 IN  <O=example.com,CN=clica Signing Cert rsa>
 1999-03-02 09:44:33 IN/O <example.com>
-1999-03-02 09:44:33 NB/r <Nov  1 12:34:02 2012 GMT>
-1999-03-02 09:44:33 NB   <Nov  1 12:34:02 2012 GMT>
-1999-03-02 09:44:33 NB/i <1351773242>
-1999-03-02 09:44:33 NA/i <2143283642>
-1999-03-02 09:44:33 NA   <Dec  1 12:34:02 2037 GMT>
+1999-03-02 09:44:33 NB/r <Nov  1 12:34:01 2012 GMT>
+1999-03-02 09:44:33 NB   <Nov  1 12:34:01 2012 GMT>
+1999-03-02 09:44:33 NB/i <1351773241>
+1999-03-02 09:44:33 NA/i <2143283641>
+1999-03-02 09:44:33 NA   <Dec  1 12:34:01 2037 GMT>
 1999-03-02 09:44:33 SA  <RSA-SHA256>
-1999-03-02 09:44:33 SG  <3a e2 4b 89 c0 a9 e8 f8 d2 bb ea 7d f8 57 7a aa 26 42 b3 94 04 04 24 f7 0d 6d 33 de 82 90 75 76 ba 3a a4 7d e0 e5 6d 3a 3c e6 74 3f b4 ad cf d1 b9 bd 6a 06 44 ea a9 a3 14 5e 34 d7 54 2e ed 5a b3 fb ca df 5a b6 22 d8 b0 f0 38 68 48 a8 cd 34 6b b2 e9 7f 96 cd ec 48 fa 5d 0e 2f 66 f0 c3 bf f9 f4 65 10 80 b9 f4 fa db be a4 26 c3 3d 25 3a 7f b7 e9 ad cd d6 06 55 f1 98 3e ea b5 cf 76 a1>
+1999-03-02 09:44:33 SG  <19 0c f4 82 0c 4a 90 45 f1 e7 47 97 fe e5 ad 94 2e fe 24 5c 2c 24 b0 61 53 f9 c6 06 63 8b c7 31 e1 a6 da d1 04 b8 aa 2d 8a fc 0a 18 fd d9 e6 4d 9c 3a f5 1d 46 34 8c 80 bc 3d c3 c3 8e 98 33 d6 bb 3e e8 73 b2 dc 5f be b7 bb be c7 5c 7c f4 c4 36 0d 48 c2 aa ac a3 88 cf cf ce e2 ac 75 4e 15 4d 55 ec bb c4 78 c7 c6 12 8c 27 d7 78 a2 40 94 e2 f8 ac fc b6 c1 4d f0 5d 18 73 09 fe 04 b7 81>
 1999-03-02 09:44:33 SAN <DNS=server2.example.com>
 1999-03-02 09:44:33 CRU <http://crl.example.com/latest.crl>
-1999-03-02 09:44:33 md5    fingerprint 61F3EF662C9186FC1CA4F6FF1C22F0C9
-1999-03-02 09:44:33 sha1   fingerprint 3E38B35220A0E1803974EA8DD9D22CDAF653CCBF
-1999-03-02 09:44:33 sha256 fingerprint 33177BB2668D3D95E81B241F3C71AF36DF691818CB47B882B59F349D7416B025
-1999-03-02 09:44:33 der_b64 MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDExMjM0MDJaFw0zNzEyMDExMjM0MDJaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKpVDMWYm+sUgk2Suy9gbFS1QSurQJANa1I4+2yQhqK8r2KaNMODeTBPm8wjDaia3OUPUXx0dUwzF5oi6sr7ztThjz6vAvPyq7fCyIO5P19FdQ8Po1QefxoPWTvN7giWjh0n1FeoG/Ls+sROjchmTbVuxrbU9kGfSqmBIPF1R0qPAgMBAAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLmNvbS8wHgYDVR0RBBcwFYITc2VydmVyMi5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOBgQA64kuJwKno+NK76n34V3qqJkKzlAQEJPcNbTPegpB1dro6pH3g5W06POZ0P7Stz9G5vWoGROqpoxReNNdULu1as/vK31q2Itiw8DhoSKjNNGuy6X+WzexI+l0OL2bww7/59GUQgLn0+tu+pCbDPSU6f7fprc3WBlXxmD7qtc92oQ==
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server2.example.com" S=sss
+1999-03-02 09:44:33 md5    fingerprint 7A3C37D07696CADBC539AB02A8A0C82A
+1999-03-02 09:44:33 sha1   fingerprint 0D9E776B02AFDEFB0231588927D305CA81F00366
+1999-03-02 09:44:33 sha256 fingerprint 3B8118604CE886FD44668735B467D32CA1A03C9EBA610F6EF54BB8CCA223F12F
+1999-03-02 09:44:33 der_b64 MIICjDCCAfWgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIxMTAxMTIzNDAxWhcNMzcxMjAxMTIzNDAxWjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5xczcpFPcohZhLegf/wzSJvwj/dVkXg0MEyVulbMS+sgCwwSO6uGykJVc6ZKUnGqFyv5Icp1zG9Y9/joYefiXN5K1n/3NrtsET+6AJDWzZYz/AyRGd07xLwEw+Ip0/bqqNaxpc07L1qAABcwz2lcSeKsIDbYC9znSdEzuNUFmGQIDAQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5jb20vMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADgYEAGQz0ggxKkEXx50eX/uWtlC7+JFwsJLBhU/nGBmOLxzHhptrRBLiqLYr8Chj92eZNnDr1HUY0jIC8PcPDjpgz1rs+6HOy3F++t7u+x1x89MQ2DUjCqqyjiM/PzuKsdU4VTVXsu8R4x8YSjCfXeKJAlOL4rPy2wU3wXRhzCf4Et4E=
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server2.example.com" S=sss
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
+1999-03-02 09:44:33 Peer did not present a cert
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example_ec.com>
+1999-03-02 09:44:33 Peer did not present a cert
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLS1.x:ke_ECDSA_AES_256_CBC_SHAnnn:256 CV=no S=sss
diff --git a/test/log/2003 b/test/log/2003
index 1505af3f7..ea8e779a9 100644
--- a/test/log/2003
+++ b/test/log/2003
@@ -5,5 +5,5 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no F=<userx@test.ex> rejected RCPT <userx@test.ex>: unacceptable cipher TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= userx@test.ex H=(rhu.barb) [127.0.0.1] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss
+1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no F=<userx@test.ex> rejected RCPT <userx@test.ex>: unacceptable cipher TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= userx@test.ex H=(rhu.barb) [127.0.0.1] P=smtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss
diff --git a/test/log/2007.FOO b/test/log/2007.FOO
new file mode 100644
index 000000000..54e85fae8
--- /dev/null
+++ b/test/log/2007.FOO
@@ -0,0 +1,9 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
diff --git a/test/log/2008 b/test/log/2008
index c8eff5b11..2a476ea21 100644
--- a/test/log/2008
+++ b/test/log/2008
@@ -1,19 +1,19 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
-1999-03-02 09:44:33 10HmaY-0005vi-00 -> xyz@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
-1999-03-02 09:44:33 10HmaY-0005vi-00 => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 -> xyz@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER <CALLER@test.ex> R=server T=local_delivery
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
diff --git a/test/log/2010 b/test/log/2010
index f5cde396b..ea314ddee 100644
--- a/test/log/2010
+++ b/test/log/2010
@@ -1,7 +1,7 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1]:1111: a TLS session is required, but the server did not offer TLS support
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]:1225 X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]:1225 X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
@@ -14,4 +14,4 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
diff --git a/test/log/2012 b/test/log/2012
index 4d6699ab0..bb6f597db 100644
--- a/test/log/2012
+++ b/test/log/2012
@@ -9,18 +9,18 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 ** userx@test.ex: retry timeout exceeded
 1999-03-02 09:44:33 10HmaX-0005vi-00 userx@test.ex: error ignored
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session: (certificate verification failed): certificate invalid: delivering unencrypted to H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
 1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbF-0005vi-00"
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbB-0005vi-00 no IP address found for host server1.example.net
-1999-03-02 09:44:33 10HmbB-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbC-0005vi-00 no IP address found for host noway.example.com
-1999-03-02 09:44:33 10HmbC-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbH-0005vi-00"
+1999-03-02 09:44:33 10HmbC-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbH-0005vi-00"
 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
@@ -30,10 +30,10 @@
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
-1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmbB-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmbB-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@myhost.test.ex
diff --git a/test/log/2013 b/test/log/2013
index fc71b5f24..364e5af81 100644
--- a/test/log/2013
+++ b/test/log/2013
@@ -2,31 +2,31 @@
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for usery@test.ex
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for userz@test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qqf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbB-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbC-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qqf
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for usera@test.ex
 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for userb@test.ex
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for userc@test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qqf
-1999-03-02 09:44:33 10HmbD-0005vi-00 => usera@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 => usera@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbG-0005vi-00"
 1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbF-0005vi-00 => userc@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbH-0005vi-00"
+1999-03-02 09:44:33 10HmbF-0005vi-00 => userc@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbH-0005vi-00"
 1999-03-02 09:44:33 10HmbF-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbE-0005vi-00 => userb@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbI-0005vi-00"
+1999-03-02 09:44:33 10HmbE-0005vi-00 => userb@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbI-0005vi-00"
 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qqf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 SMTP connection from [127.0.0.1]:1111 (TCP/IP connection count = 1)
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for userx@test.ex
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for userz@test.ex
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for usery@test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for userx@test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for userz@test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for usery@test.ex
 1999-03-02 09:44:33 SMTP connection from localhost (myhost.test.ex) [127.0.0.1]:1111 closed by QUIT
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmbA-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
@@ -38,9 +38,9 @@
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 SMTP connection from [127.0.0.1]:1112 (TCP/IP connection count = 1)
-1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex for usera@test.ex
-1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex for userc@test.ex
-1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbE-0005vi-00@myhost.test.ex for userb@test.ex
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex for usera@test.ex
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex for userc@test.ex
+1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbE-0005vi-00@myhost.test.ex for userb@test.ex
 1999-03-02 09:44:33 SMTP connection from localhost (myhost.test.ex) [127.0.0.1]:1112 closed by QUIT
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmbG-0005vi-00 => usera <usera@test.ex> R=server T=local_delivery
diff --git a/test/log/2014 b/test/log/2014
index 8af6a484d..163507dea 100644
--- a/test/log/2014
+++ b/test/log/2014
@@ -2,9 +2,9 @@
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (rhu1.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate.
-1999-03-02 09:44:33 H=(rhu2tls.barb) [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=
+1999-03-02 09:44:33 H=(rhu2tls.barb) [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=
 1999-03-02 09:44:33 TLS error on connection from (rhu5.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid
-1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (rhu7.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): certificate revoked
-1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
diff --git a/test/log/2017 b/test/log/2017
index 1db2ecb14..83f6e8c91 100644
--- a/test/log/2017
+++ b/test/log/2017
@@ -1,16 +1,16 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qqf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qqf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
diff --git a/test/log/2018 b/test/log/2018
index 25c51a131..8116733c6 100644
--- a/test/log/2018
+++ b/test/log/2018
@@ -1,5 +1,5 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= userx@test.ex H=[127.0.0.1] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= userx@test.ex H=[127.0.0.1] P=smtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss
 1999-03-02 09:44:33 H=(rhu.barb) [127.0.0.1] F=<userx@test.ex> rejected RCPT <userx@test.ex>: "You must encrypt"
diff --git a/test/log/2019 b/test/log/2019
index 1e96ea105..032cbaee6 100644
--- a/test/log/2019
+++ b/test/log/2019
@@ -7,5 +7,5 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTPS on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= userx@test.ex H=(rhu.barb) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= userx@test.ex H=[ip4.ip4.ip4.ip4] P=smtp X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= userx@test.ex H=(rhu.barb) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= userx@test.ex H=[ip4.ip4.ip4.ip4] P=smtp X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss
diff --git a/test/log/2020 b/test/log/2020
index 2e4a0944b..865ff5953 100644
--- a/test/log/2020
+++ b/test/log/2020
@@ -4,7 +4,7 @@
 1999-03-02 09:44:33 Warning: No server certificate defined; will use a selfsigned one.
  Suggested action: either install a certificate or change tls_advertise_hosts option
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@thishost.test.ex R=abc T=t1 H=thishost.test.ex [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=Exim Developers,CN=thishost.test.ex" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@thishost.test.ex R=abc T=t1 H=thishost.test.ex [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=Exim Developers,CN=thishost.test.ex" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
@@ -12,4 +12,4 @@
 1999-03-02 09:44:33 Warning: No server certificate defined; will use a selfsigned one.
  Suggested action: either install a certificate or change tls_advertise_hosts option
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@thishost.test.ex H=localhost (thishost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@thishost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@thishost.test.ex H=localhost (thishost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@thishost.test.ex
diff --git a/test/log/2025 b/test/log/2025
index f8e891059..2b015d5cd 100644
--- a/test/log/2025
+++ b/test/log/2025
@@ -1,11 +1,11 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: a TLS session is required, but an attempt to start TLS failed
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (gnutls_handshake): Could not negotiate a supported cipher suite.
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
diff --git a/test/log/2026 b/test/log/2026
index 08255f8a1..3b8112860 100644
--- a/test/log/2026
+++ b/test/log/2026
@@ -2,5 +2,5 @@
 1999-03-02 09:44:33 H=localhost (myhost.test.ex) [127.0.0.1] F=<CALLER@myhost.test.ex> temporarily rejected RCPT <usery@myhost.test.ex>
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp K S=sss id=E10HmaY-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmaX-0005vi-00 no immediate delivery: queued by ACL
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no K S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no K S=sss id=E10HmaY-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmaZ-0005vi-00 no immediate delivery: queued by ACL
diff --git a/test/log/2027 b/test/log/2027
index 1c5a6a147..0bf44a63a 100644
--- a/test/log/2027
+++ b/test/log/2027
@@ -1,7 +1,7 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session: (gnutls_handshake): A TLS fatal alert has been received.: delivering unencrypted to H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
 1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
@@ -10,7 +10,7 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate.
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
diff --git a/test/log/2030 b/test/log/2030
index 30b1fdc64..c25f3286b 100644
--- a/test/log/2030
+++ b/test/log/2030
@@ -1,10 +1,10 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 SNI <fred>
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no SNI="fred" S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no SNI="fred" S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/2031 b/test/log/2031
index b4d0e0bf6..d0c5a6258 100644
--- a/test/log/2031
+++ b/test/log/2031
@@ -1,17 +1,17 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for abcd@test.ex
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 SNI <fred>
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no SNI="fred" S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no SNI="fred" S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@test.ex
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 SNI <bill>
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no SNI="bill" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for abcd@test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no SNI="bill" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for abcd@test.ex
 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <abcd@test.ex> R=server
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
diff --git a/test/log/2033 b/test/log/2033
index d6686d572..ec4fb4520 100644
--- a/test/log/2033
+++ b/test/log/2033
@@ -5,9 +5,9 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session: (certificate verification failed): delivering unencrypted to H=the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
 1999-03-02 09:44:33 10HmaX-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => usert@test.ex R=client_t T=send_to_server_req_failcarryon H=the.local.host.name [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => usert@test.ex R=client_t T=send_to_server_req_failcarryon H=the.local.host.name [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
@@ -16,5 +16,5 @@
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
diff --git a/test/log/2035 b/test/log/2035
index ea335213a..7eaf22630 100644
--- a/test/log/2035
+++ b/test/log/2035
@@ -1,5 +1,5 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-smtp S=sss for userb@test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userb@test.ex R=client T=t1 H=127.0.0.1 [127.0.0.1]:1225 X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userb@test.ex R=client T=t1 H=127.0.0.1 [127.0.0.1]:1225 X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 Start queue run: pid=pppp
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <userb@test.ex> R=target
@@ -8,4 +8,4 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= usera@ok.example H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for userb@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= usera@ok.example H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for userb@test.ex
diff --git a/test/log/2037 b/test/log/2037
index ac307f28d..769b6f693 100644
--- a/test/log/2037
+++ b/test/log/2037
@@ -4,5 +4,5 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 H=localhost (myhost.test.ex) [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no F=<> temporarily rejected RCPT <rcpt_defer@test.ex>
-1999-03-02 09:44:33 10HmaX-0005vi-00 H=localhost (myhost.test.ex) [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no F=<> temporarily rejected after DATA
+1999-03-02 09:44:33 H=localhost (myhost.test.ex) [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no F=<> temporarily rejected RCPT <rcpt_defer@test.ex>
+1999-03-02 09:44:33 10HmaX-0005vi-00 H=localhost (myhost.test.ex) [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no F=<> temporarily rejected after DATA
diff --git a/test/log/2038 b/test/log/2038
index 1ffc1aa92..bf061ff4f 100644
--- a/test/log/2038
+++ b/test/log/2038
@@ -2,28 +2,28 @@
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for usery0@test.ex usery1@test.ex
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for userz0@test.ex userz1@test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qqf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx0@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx1@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx0@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx1@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz0@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbC-0005vi-00"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz1@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz0@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz1@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbD-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery0@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbE-0005vi-00"
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery1@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbF-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery0@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery1@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbF-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qqf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 SMTP connection from [127.0.0.1]:1111 (TCP/IP connection count = 1)
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for userx0@test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for userx0@test.ex
 1999-03-02 09:44:33 SMTP connection from [127.0.0.1]:1112 (TCP/IP connection count = 2)
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for userx1@test.ex
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for userz0@test.ex
-1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for userz1@test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for userx1@test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for userz0@test.ex
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for userz1@test.ex
 1999-03-02 09:44:33 SMTP connection from localhost (myhost.test.ex) [127.0.0.1]:1111 closed by QUIT
-1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for usery0@test.ex
-1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for usery1@test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for usery0@test.ex
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for usery1@test.ex
 1999-03-02 09:44:33 SMTP connection from localhost (myhost.test.ex) [127.0.0.1]:1112 closed by QUIT
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmbA-0005vi-00 => userx0 <userx0@test.ex> R=server T=local_delivery
diff --git a/test/log/2090 b/test/log/2090
index d7415d972..559a074a5 100644
--- a/test/log/2090
+++ b/test/log/2090
@@ -1,5 +1,5 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= someone@some.domain H=(rhu.barb) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no K S=sss for CALLER@test.ex
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= someone@some.domain H=(rhu.barb) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no K S=sss for CALLER@test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= someone@some.domain H=(rhu.barb) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no K S=sss for CALLER@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= someone@some.domain H=(rhu.barb) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no K S=sss for CALLER@test.ex
diff --git a/test/log/2091 b/test/log/2091
index 1e8f6bb19..7f531d4c4 100644
--- a/test/log/2091
+++ b/test/log/2091
@@ -1,7 +1,7 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= this-user@testhost.test.ex U=this-user P=local S=sss for other-user@test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 => other-user@test.ex R=to_server T=remote_smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no K C="250- 3nn byte chunk, total 3nn\\n250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => other-user@test.ex R=to_server T=remote_smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no K C="250- 3nn byte chunk, total 3nn\\n250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1224
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (testhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no K S=sss id=E10HmaX-0005vi-00@testhost.test.ex for other-user@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (testhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no K S=sss id=E10HmaX-0005vi-00@testhost.test.ex for other-user@test.ex
diff --git a/test/log/2100 b/test/log/2100
index 1ed6351ff..1869398ba 100644
--- a/test/log/2100
+++ b/test/log/2100
@@ -1,9 +1,9 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaX-0005vi-00@myhost.test.ex
diff --git a/test/log/2102 b/test/log/2102
index 3d6de84d0..cfe0bd24e 100644
--- a/test/log/2102
+++ b/test/log/2102
@@ -5,36 +5,42 @@
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER <CALLER@test.ex> R=abc T=local_delivery
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbA-0005vi-00 => CALLER <CALLER@test.ex> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example_ec.com>
 1999-03-02 09:44:33 Peer did not present a cert
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 CV=no S=sss
-1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example_ec.com>
 1999-03-02 09:44:33 Peer did not present a cert
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 CV=no S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
-1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example_ec.com>
 1999-03-02 09:44:33 Peer cert:
 1999-03-02 09:44:33 ver 2
 1999-03-02 09:44:33 SR  <c9>
 1999-03-02 09:44:33 SN  <CN=server2.example.com>
-1999-03-02 09:44:33 IN  <CN=clica Signing Cert,O=example.com>
+1999-03-02 09:44:33 IN  <CN=clica Signing Cert rsa,O=example.com>
 1999-03-02 09:44:33 IN/O <example.com>
-1999-03-02 09:44:33 NB/r <Nov  1 12:34:02 2012 GMT>
-1999-03-02 09:44:33 NB   <Nov  1 12:34:02 2012 +0000>
-1999-03-02 09:44:33 NB/i <1351773242>
-1999-03-02 09:44:33 NA/i <2143283642>
-1999-03-02 09:44:33 NA   <Dec  1 12:34:02 2037 +0000>
+1999-03-02 09:44:33 NB/r <Nov  1 12:34:01 2012 GMT>
+1999-03-02 09:44:33 NB   <Nov  1 12:34:01 2012 +0000>
+1999-03-02 09:44:33 NB/i <1351773241>
+1999-03-02 09:44:33 NA/i <2143283641>
+1999-03-02 09:44:33 NA   <Dec  1 12:34:01 2037 +0000>
 1999-03-02 09:44:33 SA  <sha256WithRSAEncryption>
-1999-03-02 09:44:33 SG  <         3a:e2:4b:89:c0:a9:e8:f8:d2:bb:ea:7d:f8:57:7a:aa:26:42:\n         b3:94:04:04:24:f7:0d:6d:33:de:82:90:75:76:ba:3a:a4:7d:\n         e0:e5:6d:3a:3c:e6:74:3f:b4:ad:cf:d1:b9:bd:6a:06:44:ea:\n         a9:a3:14:5e:34:d7:54:2e:ed:5a:b3:fb:ca:df:5a:b6:22:d8:\n         b0:f0:38:68:48:a8:cd:34:6b:b2:e9:7f:96:cd:ec:48:fa:5d:\n         0e:2f:66:f0:c3:bf:f9:f4:65:10:80:b9:f4:fa:db:be:a4:26:\n         c3:3d:25:3a:7f:b7:e9:ad:cd:d6:06:55:f1:98:3e:ea:b5:cf:\n         76:a1\n>
+1999-03-02 09:44:33 SG  <         19:0c:f4:82:0c:4a:90:45:f1:e7:47:97:fe:e5:ad:94:2e:fe:\n         24:5c:2c:24:b0:61:53:f9:c6:06:63:8b:c7:31:e1:a6:da:d1:\n         04:b8:aa:2d:8a:fc:0a:18:fd:d9:e6:4d:9c:3a:f5:1d:46:34:\n         8c:80:bc:3d:c3:c3:8e:98:33:d6:bb:3e:e8:73:b2:dc:5f:be:\n         b7:bb:be:c7:5c:7c:f4:c4:36:0d:48:c2:aa:ac:a3:88:cf:cf:\n         ce:e2:ac:75:4e:15:4d:55:ec:bb:c4:78:c7:c6:12:8c:27:d7:\n         78:a2:40:94:e2:f8:ac:fc:b6:c1:4d:f0:5d:18:73:09:fe:04:\n         b7:81\n>
 1999-03-02 09:44:33 SAN <DNS=server2.example.com>
 1999-03-02 09:44:33 OCU <http://oscp.example.com/>
 1999-03-02 09:44:33 CRU <http://crl.example.com/latest.crl>
-1999-03-02 09:44:33 md5    fingerprint 61F3EF662C9186FC1CA4F6FF1C22F0C9
-1999-03-02 09:44:33 sha1   fingerprint 3E38B35220A0E1803974EA8DD9D22CDAF653CCBF
-1999-03-02 09:44:33 sha256 fingerprint 33177BB2668D3D95E81B241F3C71AF36DF691818CB47B882B59F349D7416B025
-1999-03-02 09:44:33 der_b64 MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDExMjM0MDJaFw0zNzEyMDExMjM0MDJaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKpVDMWYm+sUgk2Suy9gbFS1QSurQJANa1I4+2yQhqK8r2KaNMODeTBPm8wjDaia3OUPUXx0dUwzF5oi6sr7ztThjz6vAvPyq7fCyIO5P19FdQ8Po1QefxoPWTvN7giWjh0n1FeoG/Ls+sROjchmTbVuxrbU9kGfSqmBIPF1R0qPAgMBAAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC5leGFtcGxlLmNvbS8wHgYDVR0RBBcwFYITc2VydmVyMi5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOBgQA64kuJwKno+NK76n34V3qqJkKzlAQEJPcNbTPegpB1dro6pH3g5W06POZ0P7Stz9G5vWoGROqpoxReNNdULu1as/vK31q2Itiw8DhoSKjNNGuy6X+WzexI+l0OL2bww7/59GUQgLn0+tu+pCbDPSU6f7fprc3WBlXxmD7qtc92oQ==
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server2.example.com" S=sss
+1999-03-02 09:44:33 md5    fingerprint 7A3C37D07696CADBC539AB02A8A0C82A
+1999-03-02 09:44:33 sha1   fingerprint 0D9E776B02AFDEFB0231588927D305CA81F00366
+1999-03-02 09:44:33 sha256 fingerprint 3B8118604CE886FD44668735B467D32CA1A03C9EBA610F6EF54BB8CCA223F12F
+1999-03-02 09:44:33 der_b64 MIICjDCCAfWgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIxMTAxMTIzNDAxWhcNMzcxMjAxMTIzNDAxWjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5xczcpFPcohZhLegf/wzSJvwj/dVkXg0MEyVulbMS+sgCwwSO6uGykJVc6ZKUnGqFyv5Icp1zG9Y9/joYefiXN5K1n/3NrtsET+6AJDWzZYz/AyRGd07xLwEw+Ip0/bqqNaxpc07L1qAABcwz2lcSeKsIDbYC9znSdEzuNUFmGQIDAQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AuZXhhbXBsZS5jb20vMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADgYEAGQz0ggxKkEXx50eX/uWtlC7+JFwsJLBhU/nGBmOLxzHhptrRBLiqLYr8Chj92eZNnDr1HUY0jIC8PcPDjpgz1rs+6HOy3F++t7u+x1x89MQ2DUjCqqyjiM/PzuKsdU4VTVXsu8R4x8YSjCfXeKJAlOL4rPy2wU3wXRhzCf4Et4E=
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/CN=server2.example.com" S=sss
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example_ec.com>
+1999-03-02 09:44:33 Peer did not present a cert
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLSv1:ke-ECDSA-AES256-SHAxx:256 CV=no S=sss
diff --git a/test/log/2103 b/test/log/2103
index 9485414c6..1bd54536c 100644
--- a/test/log/2103
+++ b/test/log/2103
@@ -5,5 +5,5 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no F=<userx@test.ex> rejected RCPT <userx@test.ex>: unacceptable cipher TLSv1:AES256-SHA:256
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= userx@test.ex H=(rhu.barb) [127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 CV=no S=sss
+1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no F=<userx@test.ex> rejected RCPT <userx@test.ex>: unacceptable cipher TLSv1:ke-RSA-AES256-SHAxx:256
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= userx@test.ex H=(rhu.barb) [127.0.0.1] P=smtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss
diff --git a/test/log/2108 b/test/log/2108
index c72dde7f4..4bc95ffce 100644
--- a/test/log/2108
+++ b/test/log/2108
@@ -3,23 +3,23 @@
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="127.0.0.1"
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaY-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 10HmaY-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="127.0.0.1"
-1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
-1999-03-02 09:44:33 10HmaY-0005vi-00 -> xyz@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 -> xyz@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 10HmaY-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="ip4.ip4.ip4.ip4"
-1999-03-02 09:44:33 10HmaY-0005vi-00 => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER <CALLER@test.ex> R=server T=local_delivery
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
diff --git a/test/log/2110 b/test/log/2110
index 41cce7650..9688360a0 100644
--- a/test/log/2110
+++ b/test/log/2110
@@ -3,7 +3,7 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1]:1111: a TLS session is required, but the server did not offer TLS support
 1999-03-02 09:44:33 10HmaX-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 10HmaX-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="ip4.ip4.ip4.ip4"
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]:1225 X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]:1225 X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
@@ -16,4 +16,4 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
diff --git a/test/log/2112 b/test/log/2112
index 2e8211991..13306fbe7 100644
--- a/test/log/2112
+++ b/test/log/2112
@@ -17,21 +17,21 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 userx@test.ex: error ignored
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaY-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
 1999-03-02 09:44:33 10HmaZ-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=server1.example.com
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbA-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
 1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session: (SSL_connect): error: <<detail omitted>>
 1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbF-0005vi-00"
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbB-0005vi-00 no IP address found for host server1.example.net
-1999-03-02 09:44:33 10HmbB-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbC-0005vi-00 no IP address found for host noway.example.com
-1999-03-02 09:44:33 10HmbC-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbH-0005vi-00"
+1999-03-02 09:44:33 10HmbC-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbH-0005vi-00"
 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
@@ -39,9 +39,9 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex for usery@test.ex
-1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for userz@test.ex
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex for usery@test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for userz@test.ex
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex for userq@test.ex
-1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbB-0005vi-00@myhost.test.ex for userr@test.ex
-1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@myhost.test.ex for users@test.ex
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbB-0005vi-00@myhost.test.ex for userr@test.ex
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@myhost.test.ex for users@test.ex
diff --git a/test/log/2113 b/test/log/2113
index 1d3ca3332..5fb952a40 100644
--- a/test/log/2113
+++ b/test/log/2113
@@ -2,31 +2,31 @@
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for usery@test.ex
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for userz@test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qqf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmbB-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmbC-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qqf
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for usera@test.ex
 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for userb@test.ex
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for userc@test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qqf
-1999-03-02 09:44:33 10HmbD-0005vi-00 => usera@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 => usera@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbG-0005vi-00"
 1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbF-0005vi-00 => userc@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbH-0005vi-00"
+1999-03-02 09:44:33 10HmbF-0005vi-00 => userc@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmbH-0005vi-00"
 1999-03-02 09:44:33 10HmbF-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbE-0005vi-00 => userb@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbI-0005vi-00"
+1999-03-02 09:44:33 10HmbE-0005vi-00 => userb@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmbI-0005vi-00"
 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qqf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 SMTP connection from [127.0.0.1]:1111 (TCP/IP connection count = 1)
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for userx@test.ex
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for userz@test.ex
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for usery@test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for userx@test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for userz@test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for usery@test.ex
 1999-03-02 09:44:33 SMTP connection from localhost (myhost.test.ex) [127.0.0.1]:1111 closed by QUIT
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmbA-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
@@ -38,9 +38,9 @@
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 SMTP connection from [127.0.0.1]:1112 (TCP/IP connection count = 1)
-1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex for usera@test.ex
-1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex for userc@test.ex
-1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbE-0005vi-00@myhost.test.ex for userb@test.ex
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex for usera@test.ex
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex for userc@test.ex
+1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmbE-0005vi-00@myhost.test.ex for userb@test.ex
 1999-03-02 09:44:33 SMTP connection from localhost (myhost.test.ex) [127.0.0.1]:1112 closed by QUIT
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmbG-0005vi-00 => usera <usera@test.ex> R=server T=local_delivery
diff --git a/test/log/2114 b/test/log/2114
index b1afe484f..a7016dbd6 100644
--- a/test/log/2114
+++ b/test/log/2114
@@ -2,14 +2,14 @@
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
-1999-03-02 09:44:33 H=(rhu.barb) [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=
+1999-03-02 09:44:33 H=(rhu.barb) [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=
 1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
-1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=certificate revoked cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 [127.0.0.1] SSL verify error: depth=0 error=CRL signature failure cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
-1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
diff --git a/test/log/2117 b/test/log/2117
index 02b338951..e6aad6632 100644
--- a/test/log/2117
+++ b/test/log/2117
@@ -1,16 +1,16 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qqf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qqf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
diff --git a/test/log/2118 b/test/log/2118
index a797ddb2c..d513549c4 100644
--- a/test/log/2118
+++ b/test/log/2118
@@ -1,5 +1,5 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= userx@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 CV=no S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= userx@test.ex H=[127.0.0.1] P=smtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss
 1999-03-02 09:44:33 H=(rhu.barb) [127.0.0.1] F=<userx@test.ex> rejected RCPT <userx@test.ex>: "You must encrypt"
diff --git a/test/log/2119 b/test/log/2119
index 50ba0ab6b..c3b1394f8 100644
--- a/test/log/2119
+++ b/test/log/2119
@@ -7,5 +7,5 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTPS on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= userx@test.ex H=(rhu.barb) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= userx@test.ex H=[ip4.ip4.ip4.ip4] P=smtp X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= userx@test.ex H=(rhu.barb) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= userx@test.ex H=[ip4.ip4.ip4.ip4] P=smtp X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss
diff --git a/test/log/2120 b/test/log/2120
index c70f7d401..1216a1bbc 100644
--- a/test/log/2120
+++ b/test/log/2120
@@ -5,7 +5,7 @@
  Suggested action: either install a certificate or change tls_advertise_hosts option
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=Exim Developers/CN=thishost.test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@thishost.test.ex R=abc T=t1 H=thishost.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=Exim Developers/CN=thishost.test.ex" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@thishost.test.ex R=abc T=t1 H=thishost.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=Exim Developers/CN=thishost.test.ex" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
@@ -13,4 +13,4 @@
 1999-03-02 09:44:33 Warning: No server certificate defined; will use a selfsigned one.
  Suggested action: either install a certificate or change tls_advertise_hosts option
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@thishost.test.ex H=localhost (thishost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@thishost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@thishost.test.ex H=localhost (thishost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@thishost.test.ex
diff --git a/test/log/2126 b/test/log/2126
index 492d10de3..497ed15a1 100644
--- a/test/log/2126
+++ b/test/log/2126
@@ -1,7 +1,7 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1]: SMTP error from remote mail server after RCPT TO:<usery@myhost.test.ex>: 451 Temporary local problem - please try later
 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@myhost.test.ex R=r1 T=t1 H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 => usery@myhost.test.ex R=r1 T=t1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => usery@myhost.test.ex R=r1 T=t1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 
 ******** SERVER ********
@@ -10,6 +10,6 @@
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmaY-0005vi-00 => userx <userx@myhost.test.ex> R=r0 T=t2
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => usery <usery@myhost.test.ex> R=r0 T=t2
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
diff --git a/test/log/2127 b/test/log/2127
index 7bc71bbde..1ca135ebf 100644
--- a/test/log/2127
+++ b/test/log/2127
@@ -1,7 +1,7 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session: (SSL_connect): error: <<detail omitted>>
 1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
@@ -10,7 +10,7 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
diff --git a/test/log/2130 b/test/log/2130
index 365943dab..b7c8101d0 100644
--- a/test/log/2130
+++ b/test/log/2130
@@ -1,10 +1,10 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 SNI <fred>
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no SNI="fred" S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no SNI="fred" S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/2131 b/test/log/2131
index 0865c81ab..dde0a9724 100644
--- a/test/log/2131
+++ b/test/log/2131
@@ -1,17 +1,17 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for abcd@test.ex
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 SNI <fred>
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no SNI="fred" S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no SNI="fred" S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@test.ex
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 SNI <bill>
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no SNI="bill" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for abcd@test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no SNI="bill" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for abcd@test.ex
 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <abcd@test.ex> R=server
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
diff --git a/test/log/2132 b/test/log/2132
index 0ef458308..bb05a7781 100644
--- a/test/log/2132
+++ b/test/log/2132
@@ -11,11 +11,11 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 Our cert SN: <CN=server2.example.com>
 1999-03-02 09:44:33 Peer did not present a cert
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 CV=no S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss
 1999-03-02 09:44:33 Our cert SN: <CN=server2.example.com>
 1999-03-02 09:44:33 Peer did not present a cert
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 CV=no S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 Our cert SN: <CN=server2.example.com>
 1999-03-02 09:44:33 SN  <CN=server1.example.com>
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/CN=server1.example.com" S=sss
diff --git a/test/log/2133 b/test/log/2133
index d0f0a306f..973fd939a 100644
--- a/test/log/2133
+++ b/test/log/2133
@@ -11,10 +11,10 @@
 1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session: (SSL_connect): error: <<detail omitted>>
 1999-03-02 09:44:33 10HmaY-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbC-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbA-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: certificate name mismatch: DN="/CN=server1.example.com" H="the.local.host.name"
-1999-03-02 09:44:33 10HmbA-0005vi-00 => usert@test.ex R=client_t T=send_to_server_req_failcarryon H=the.local.host.name [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 => usert@test.ex R=client_t T=send_to_server_req_failcarryon H=the.local.host.name [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
@@ -24,5 +24,5 @@
 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbA-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbA-0005vi-00@myhost.test.ex
diff --git a/test/log/2135 b/test/log/2135
index 50a8dbc19..7d31c2c3b 100644
--- a/test/log/2135
+++ b/test/log/2135
@@ -1,5 +1,5 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-smtp S=sss for userb@test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userb@test.ex R=client T=t1 H=127.0.0.1 [127.0.0.1]:1225 X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userb@test.ex R=client T=t1 H=127.0.0.1 [127.0.0.1]:1225 X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 Start queue run: pid=pppp
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <userb@test.ex> R=target
@@ -8,4 +8,4 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= usera@ok.example H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for userb@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= usera@ok.example H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for userb@test.ex
diff --git a/test/log/2137 b/test/log/2137
index 360f31ed6..d16bea0c7 100644
--- a/test/log/2137
+++ b/test/log/2137
@@ -4,5 +4,5 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 H=localhost (myhost.test.ex) [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no F=<> temporarily rejected RCPT <rcpt_defer@test.ex>
-1999-03-02 09:44:33 10HmaX-0005vi-00 H=localhost (myhost.test.ex) [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no F=<> temporarily rejected after DATA
+1999-03-02 09:44:33 H=localhost (myhost.test.ex) [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no F=<> temporarily rejected RCPT <rcpt_defer@test.ex>
+1999-03-02 09:44:33 10HmaX-0005vi-00 H=localhost (myhost.test.ex) [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no F=<> temporarily rejected after DATA
diff --git a/test/log/2138 b/test/log/2138
index 6e82af290..e5eead3c5 100644
--- a/test/log/2138
+++ b/test/log/2138
@@ -2,28 +2,28 @@
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for usery0@test.ex usery1@test.ex
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for userz0@test.ex userz1@test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qqf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx0@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx1@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx0@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx1@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz0@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbC-0005vi-00"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz1@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz0@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz1@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmbD-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery0@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbE-0005vi-00"
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery1@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbF-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery0@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery1@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmbF-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qqf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 SMTP connection from [127.0.0.1]:1111 (TCP/IP connection count = 1)
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for userx0@test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for userx0@test.ex
 1999-03-02 09:44:33 SMTP connection from [127.0.0.1]:1112 (TCP/IP connection count = 2)
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for userx1@test.ex
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for userz0@test.ex
-1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for userz1@test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for userx1@test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for userz0@test.ex
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1111 P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for userz1@test.ex
 1999-03-02 09:44:33 SMTP connection from localhost (myhost.test.ex) [127.0.0.1]:1111 closed by QUIT
-1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for usery0@test.ex
-1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for usery1@test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for usery0@test.ex
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1]:1112 P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for usery1@test.ex
 1999-03-02 09:44:33 SMTP connection from localhost (myhost.test.ex) [127.0.0.1]:1112 closed by QUIT
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmbA-0005vi-00 => userx0 <userx0@test.ex> R=server T=local_delivery
diff --git a/test/log/2149 b/test/log/2149
index 21b51450b..db9448921 100644
--- a/test/log/2149
+++ b/test/log/2149
@@ -1,12 +1,12 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaY-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/2190 b/test/log/2190
index 11ff67ddb..5ca12c3d7 100644
--- a/test/log/2190
+++ b/test/log/2190
@@ -1,5 +1,5 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= someone@some.domain H=(rhu.barb) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no K S=sss for CALLER@test.ex
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= someone@some.domain H=(rhu.barb) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no K S=sss for CALLER@test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= someone@some.domain H=(rhu.barb) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no K S=sss for CALLER@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= someone@some.domain H=(rhu.barb) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no K S=sss for CALLER@test.ex
diff --git a/test/log/2191 b/test/log/2191
index c2c1f8742..a6fb26540 100644
--- a/test/log/2191
+++ b/test/log/2191
@@ -1,9 +1,9 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= this-user@testhost.test.ex U=this-user P=local S=sss for other-user@test.ex
 1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="127.0.0.1"
-1999-03-02 09:44:33 10HmaX-0005vi-00 => other-user@test.ex R=to_server T=remote_smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no K C="250- 3nn byte chunk, total 3nn\\n250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => other-user@test.ex R=to_server T=remote_smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no K C="250- 3nn byte chunk, total 3nn\\n250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1224
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (testhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no K S=sss id=E10HmaX-0005vi-00@testhost.test.ex for other-user@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (testhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no K S=sss id=E10HmaX-0005vi-00@testhost.test.ex for other-user@test.ex
diff --git a/test/log/3451 b/test/log/3451
index c081bf55c..b731392eb 100644
--- a/test/log/3451
+++ b/test/log/3451
@@ -1,16 +1,16 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qqf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" A=plain C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" A=plain C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" A=plain C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" A=plain C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qqf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no A=plain:userx S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no A=plain:userx S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no A=plain:userx S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no A=plain:userx S=sss id=E10HmaY-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
diff --git a/test/log/3452 b/test/log/3452
index c081bf55c..b731392eb 100644
--- a/test/log/3452
+++ b/test/log/3452
@@ -1,16 +1,16 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qqf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" A=plain C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" A=plain C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" A=plain C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" A=plain C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qqf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no A=plain:userx S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no A=plain:userx S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no A=plain:userx S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no A=plain:userx S=sss id=E10HmaY-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
diff --git a/test/log/3454 b/test/log/3454
index 7578fc090..dc002ff5a 100644
--- a/test/log/3454
+++ b/test/log/3454
@@ -3,5 +3,5 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated.
 1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason.
-1999-03-02 09:44:33 no MAIL in SMTP connection from [127.0.0.1] D=qqs X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C=EHLO,STARTTLS,AUTH
-1999-03-02 09:44:33 no MAIL in SMTP connection from (foobar) [127.0.0.1] D=qqs A=plain:userx X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C=EHLO,STARTTLS,EHLO,AUTH,QUIT
+1999-03-02 09:44:33 no MAIL in SMTP connection from [127.0.0.1] D=qqs X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C=EHLO,STARTTLS,AUTH
+1999-03-02 09:44:33 no MAIL in SMTP connection from (foobar) [127.0.0.1] D=qqs A=plain:userx X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C=EHLO,STARTTLS,EHLO,AUTH,QUIT
diff --git a/test/log/3455 b/test/log/3455
index 445ff3e93..8beaa41bf 100644
--- a/test/log/3455
+++ b/test/log/3455
@@ -1,6 +1,6 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userz@test.ex R=r1 T=t1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no A=plain C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userz@test.ex R=r1 T=t1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no A=plain C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
@@ -10,5 +10,5 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no A=plain:userx S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no A=plain:userx S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=login:usery S=sss id=E10HmaX-0005vi-00@myhost.test.ex
diff --git a/test/log/3461 b/test/log/3461
index d293f97fe..a487492bd 100644
--- a/test/log/3461
+++ b/test/log/3461
@@ -1,16 +1,16 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qqf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" A=plain C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" A=plain C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" A=plain C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" A=plain C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qqf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLSv1:AES256-SHA:256 CV=no A=plain:userx S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLSv1:AES256-SHA:256 CV=no A=plain:userx S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no A=plain:userx S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no A=plain:userx S=sss id=E10HmaY-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
diff --git a/test/log/3462 b/test/log/3462
index d293f97fe..a487492bd 100644
--- a/test/log/3462
+++ b/test/log/3462
@@ -1,16 +1,16 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qqf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" A=plain C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" A=plain C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" A=plain C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" A=plain C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qqf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLSv1:AES256-SHA:256 CV=no A=plain:userx S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLSv1:AES256-SHA:256 CV=no A=plain:userx S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no A=plain:userx S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no A=plain:userx S=sss id=E10HmaY-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
diff --git a/test/log/3464 b/test/log/3464
index 842c13ade..db386425e 100644
--- a/test/log/3464
+++ b/test/log/3464
@@ -1,5 +1,5 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 no MAIL in SMTP connection from [127.0.0.1] D=qqs X=TLSv1:AES256-SHA:256 CV=no C=EHLO,STARTTLS,AUTH
-1999-03-02 09:44:33 no MAIL in SMTP connection from (foobar) [127.0.0.1] D=qqs A=plain:userx X=TLSv1:AES256-SHA:256 CV=no C=EHLO,STARTTLS,EHLO,AUTH,QUIT
+1999-03-02 09:44:33 no MAIL in SMTP connection from [127.0.0.1] D=qqs X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C=EHLO,STARTTLS,AUTH
+1999-03-02 09:44:33 no MAIL in SMTP connection from (foobar) [127.0.0.1] D=qqs A=plain:userx X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C=EHLO,STARTTLS,EHLO,AUTH,QUIT
diff --git a/test/log/3465 b/test/log/3465
index bfa1f38cd..2a1fd2462 100644
--- a/test/log/3465
+++ b/test/log/3465
@@ -1,6 +1,6 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userz@test.ex R=r1 T=t1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no A=plain C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userz@test.ex R=r1 T=t1 H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no A=plain C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
@@ -10,5 +10,5 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLSv1:AES256-SHA:256 CV=no A=plain:userx S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no A=plain:userx S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=login:usery S=sss id=E10HmaX-0005vi-00@myhost.test.ex
diff --git a/test/log/4211 b/test/log/4211
index 6e475eeb5..db559c223 100644
--- a/test/log/4211
+++ b/test/log/4211
@@ -1,12 +1,12 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= 他们为什么不说中文@hebrew.למההםפשוטלאמדבריםעברית.com U=CALLER P=utf8local-esmtp S=sss for usery@test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 => usery@test.ex F=<他们为什么不说中文@hebrew.למההםפשוטלאמדבריםעברית.com> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => usery@test.ex F=<他们为什么不说中文@hebrew.למההםפשוטלאמדבריםעברית.com> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= someone@some.domain H=(client) [127.0.0.1] P=utf8esmtp S=sss for userx@test.ex
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= ليهمابتكلموشعربي؟@czech.Pročprostěnemluvíčesky.com H=(client) [127.0.0.1] P=utf8esmtp S=sss for userx@test.ex
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= 他们为什么不说中文@hebrew.למההםפשוטלאמדבריםעברית.com H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@the.local.host.name for usery@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= 他们为什么不说中文@hebrew.למההםפשוטלאמדבריםעברית.com H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@the.local.host.name for usery@test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qqff
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: <userx@test.ex> R=localuser
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
diff --git a/test/log/4213 b/test/log/4213
index 1a9aa5eae..ac1e3bcce 100644
--- a/test/log/4213
+++ b/test/log/4213
@@ -1,6 +1,6 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= यहलोगहिन्दीक्योंनहींबोलसकतेहैं@japanese.なぜみんな日本語を話してくれないのか.local U=CALLER P=utf8local-esmtp S=sss for userz@test.ex
 1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1]: utf8 support required but not offered for forwarding
-1999-03-02 09:44:33 10HmaX-0005vi-00 ** userz@test.ex F=<यहलोगहिन्दीक्योंनहींबोलसकतेहैं@japanese.なぜみんな日本語を話してくれないのか.local> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no: utf8 support required but not offered for forwarding
+1999-03-02 09:44:33 10HmaX-0005vi-00 ** userz@test.ex F=<यहलोगहिन्दीक्योंनहींबोलसकतेहैं@japanese.なぜみんな日本語を話してくれないのか.local> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no: utf8 support required but not offered for forwarding
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> R=10HmaX-0005vi-00 U=EXIMUSER P=local S=sss for यहलोगहिन्दीक्योंनहींबोलसकतेहैं@japanese.なぜみんな日本語を話してくれないのか.local
 1999-03-02 09:44:33 10HmaY-0005vi-00 no immediate delivery: queued by ACL
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
diff --git a/test/log/4214 b/test/log/4214
index df902db45..8ee3eaec2 100644
--- a/test/log/4214
+++ b/test/log/4214
@@ -1,17 +1,17 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= 세계의모든사람들이한국어를이해한다면얼마나좋을까@russian.почемужеонинеговорятпорусски.com U=CALLER P=utf8local-esmtp S=sss for userQ@test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@test.ex <userQ@test.ex> F=<세계의모든사람들이한국어를이해한다면얼마나좋을까@russian.почемужеонинеговорятпорусски.com> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@test.ex <userQ@test.ex> F=<세계의모든사람들이한국어를이해한다면얼마나좋을까@russian.почемужеонинеговорятпорусски.com> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= 세계의모든사람들이한국어를이해한다면얼마나좋을까@russian.почемужеонинеговорятпорусски.com U=CALLER P=utf8local-esmtp S=sss for userR@test.ex
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userr@test.ex <userR@test.ex> F=<세계의모든사람들이한국어를이해한다면얼마나좋을까@russian.почемужеонинеговорятпорусски.com> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userr@test.ex <userR@test.ex> F=<세계의모든사람들이한국어를이해한다면얼마나좋을까@russian.почемужеонинеговорятпорусски.com> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 U=CALLER F=<CALLER@spanish.PorquénopuedensimplementehablarenEspañol.local> rejected RCPT <userS@test.ex>: 127.0.0.1 [127.0.0.1] : response to "EHLO" did not include SMTPUTF8
 1999-03-02 09:44:33 U=CALLER F=<CALLER@vietnamese.TạisaohọkhôngthểchỉnóitiếngViệt.local> rejected RCPT <userT@test.ex>: 127.0.0.1 [127.0.0.1] : response to "EHLO" did not include SMTPUTF8
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= 세계의모든사람들이한국어를이해한다면얼마나좋을까@russian.почемужеонинеговорятпорусски.com H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@the.local.host.name for userQ@test.ex
-1999-03-02 09:44:33 H=localhost (the.local.host.name) [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no F=<> rejected RCPT <the.local.host.name-dddddddd-testing@test.ex>: relay not permitted
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= 세계의모든사람들이한국어를이해한다면얼마나좋을까@russian.почемужеонинеговорятпорусски.com H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@the.local.host.name for userR@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= 세계의모든사람들이한국어를이해한다면얼마나좋을까@russian.почемужеонинеговорятпорусски.com H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@the.local.host.name for userQ@test.ex
+1999-03-02 09:44:33 H=localhost (the.local.host.name) [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no F=<> rejected RCPT <the.local.host.name-dddddddd-testing@test.ex>: relay not permitted
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= 세계의모든사람들이한국어를이해한다면얼마나좋을까@russian.почемужеонинеговорятпорусски.com H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@the.local.host.name for userR@test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qqff
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <userQ@test.ex> R=localuser
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/4215 b/test/log/4215
index 155008e4a..2e5ad2f02 100644
--- a/test/log/4215
+++ b/test/log/4215
@@ -1,10 +1,10 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= userU@test.ex U=CALLER P=utf8local-esmtp S=sss for user.γλυκύρριζα@test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 => user.γλυκύρριζα@test.ex F=<userU@test.ex> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => user.γλυκύρριζα@test.ex F=<userU@test.ex> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= userU@test.ex H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@the.local.host.name for user.γλυκύρριζα@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= userU@test.ex H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@the.local.host.name for user.γλυκύρριζα@test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qqff
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <user.γλυκύρριζα@test.ex> R=localuser
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/4216 b/test/log/4216
index 511a74365..4596c0f4a 100644
--- a/test/log/4216
+++ b/test/log/4216
@@ -1,8 +1,8 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= userV.වැල්_මී@test.ex U=CALLER P=utf8local-esmtp S=sss for user.அதிமதுரம்@test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 => user.அதிமதுரம்@test.ex F=<userV.වැල්_මී@test.ex> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => user.அதிமதுரம்@test.ex F=<userV.වැල්_මී@test.ex> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= userW@test.ex U=CALLER P=utf8local-esmtp S=sss for user.ഇരട്ടിമധുരം@test.ex
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => user.ഇരട്ടിമധുരം@test.ex F=<userW@test.ex> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => user.ഇരട്ടിമധുരം@test.ex F=<userW@test.ex> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 U=CALLER sender verify fail for <userA@test.ex>: 127.0.0.1 [127.0.0.1] : response to "EHLO" did not include SMTPUTF8
 1999-03-02 09:44:33 U=CALLER F=<userA@test.ex> rejected RCPT <user.यष्टिमधु@test.ex>: Sender verify failed
@@ -11,9 +11,9 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= userV.වැල්_මී@test.ex H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@the.local.host.name for user.அதிமதுரம்@test.ex
-1999-03-02 09:44:33 H=localhost (the.local.host.name) [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no F=<> rejected RCPT <the.local.host.name-dddddddd-testing@test.ex>: relay not permitted
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= userW@test.ex H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@the.local.host.name for user.ഇരട്ടിമധുരം@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= userV.වැල්_මී@test.ex H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@the.local.host.name for user.அதிமதுரம்@test.ex
+1999-03-02 09:44:33 H=localhost (the.local.host.name) [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no F=<> rejected RCPT <the.local.host.name-dddddddd-testing@test.ex>: relay not permitted
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= userW@test.ex H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@the.local.host.name for user.ഇരട്ടിമധുരം@test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qqff
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <user.அதிமதுரம்@test.ex> R=localuser
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/4221 b/test/log/4221
index 9e7adca52..081079490 100644
--- a/test/log/4221
+++ b/test/log/4221
@@ -1,12 +1,12 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= 他们为什么不说中文@hebrew.למההםפשוטלאמדבריםעברית.com U=CALLER P=utf8local-esmtp S=sss for usery@test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 => usery@test.ex F=<他们为什么不说中文@hebrew.למההםפשוטלאמדבריםעברית.com> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => usery@test.ex F=<他们为什么不说中文@hebrew.למההםפשוטלאמדבריםעברית.com> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= someone@some.domain H=(client) [127.0.0.1] P=utf8esmtp S=sss for userx@test.ex
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= ليهمابتكلموشعربي؟@czech.Pročprostěnemluvíčesky.com H=(client) [127.0.0.1] P=utf8esmtp S=sss for userx@test.ex
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= 他们为什么不说中文@hebrew.למההםפשוטלאמדבריםעברית.com H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@the.local.host.name for usery@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= 他们为什么不说中文@hebrew.למההםפשוטלאמדבריםעברית.com H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@the.local.host.name for usery@test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qqff
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: <userx@test.ex> R=localuser
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
diff --git a/test/log/4223 b/test/log/4223
index f4d4efa3a..b2a929a9a 100644
--- a/test/log/4223
+++ b/test/log/4223
@@ -1,6 +1,6 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= यहलोगहिन्दीक्योंनहींबोलसकतेहैं@japanese.なぜみんな日本語を話してくれないのか.local U=CALLER P=utf8local-esmtp S=sss for userz@test.ex
 1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1]: utf8 support required but not offered for forwarding
-1999-03-02 09:44:33 10HmaX-0005vi-00 ** userz@test.ex F=<यहलोगहिन्दीक्योंनहींबोलसकतेहैं@japanese.なぜみんな日本語を話してくれないのか.local> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no: utf8 support required but not offered for forwarding
+1999-03-02 09:44:33 10HmaX-0005vi-00 ** userz@test.ex F=<यहलोगहिन्दीक्योंनहींबोलसकतेहैं@japanese.なぜみんな日本語を話してくれないのか.local> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no: utf8 support required but not offered for forwarding
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> R=10HmaX-0005vi-00 U=EXIMUSER P=local S=sss for यहलोगहिन्दीक्योंनहींबोलसकतेहैं@japanese.なぜみんな日本語を話してくれないのか.local
 1999-03-02 09:44:33 10HmaY-0005vi-00 no immediate delivery: queued by ACL
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
diff --git a/test/log/4224 b/test/log/4224
index d53c397a9..9e275c163 100644
--- a/test/log/4224
+++ b/test/log/4224
@@ -1,17 +1,17 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= 세계의모든사람들이한국어를이해한다면얼마나좋을까@russian.почемужеонинеговорятпорусски.com U=CALLER P=utf8local-esmtp S=sss for userQ@test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@test.ex <userQ@test.ex> F=<세계의모든사람들이한국어를이해한다면얼마나좋을까@russian.почемужеонинеговорятпорусски.com> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@test.ex <userQ@test.ex> F=<세계의모든사람들이한국어를이해한다면얼마나좋을까@russian.почемужеонинеговорятпорусски.com> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= 세계의모든사람들이한국어를이해한다면얼마나좋을까@russian.почемужеонинеговорятпорусски.com U=CALLER P=utf8local-esmtp S=sss for userR@test.ex
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userr@test.ex <userR@test.ex> F=<세계의모든사람들이한국어를이해한다면얼마나좋을까@russian.почемужеонинеговорятпорусски.com> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userr@test.ex <userR@test.ex> F=<세계의모든사람들이한국어를이해한다면얼마나좋을까@russian.почемужеонинеговорятпорусски.com> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 U=CALLER F=<CALLER@spanish.PorquénopuedensimplementehablarenEspañol.local> rejected RCPT <userS@test.ex>: 127.0.0.1 [127.0.0.1] : response to "EHLO" did not include SMTPUTF8
 1999-03-02 09:44:33 U=CALLER F=<CALLER@vietnamese.TạisaohọkhôngthểchỉnóitiếngViệt.local> rejected RCPT <userT@test.ex>: 127.0.0.1 [127.0.0.1] : response to "EHLO" did not include SMTPUTF8
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= 세계의모든사람들이한국어를이해한다면얼마나좋을까@russian.почемужеонинеговорятпорусски.com H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@the.local.host.name for userQ@test.ex
-1999-03-02 09:44:33 H=localhost (the.local.host.name) [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no F=<> rejected RCPT <the.local.host.name-dddddddd-testing@test.ex>: relay not permitted
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= 세계의모든사람들이한국어를이해한다면얼마나좋을까@russian.почемужеонинеговорятпорусски.com H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaZ-0005vi-00@the.local.host.name for userR@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= 세계의모든사람들이한국어를이해한다면얼마나좋을까@russian.почемужеонинеговорятпорусски.com H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@the.local.host.name for userQ@test.ex
+1999-03-02 09:44:33 H=localhost (the.local.host.name) [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no F=<> rejected RCPT <the.local.host.name-dddddddd-testing@test.ex>: relay not permitted
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= 세계의모든사람들이한국어를이해한다면얼마나좋을까@russian.почемужеонинеговорятпорусски.com H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaZ-0005vi-00@the.local.host.name for userR@test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qqff
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <userQ@test.ex> R=localuser
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/4225 b/test/log/4225
index 8723ea7ae..9b3ee0ff4 100644
--- a/test/log/4225
+++ b/test/log/4225
@@ -1,10 +1,10 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= userU@test.ex U=CALLER P=utf8local-esmtp S=sss for user.γλυκύρριζα@test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 => user.γλυκύρριζα@test.ex F=<userU@test.ex> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => user.γλυκύρριζα@test.ex F=<userU@test.ex> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= userU@test.ex H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@the.local.host.name for user.γλυκύρριζα@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= userU@test.ex H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@the.local.host.name for user.γλυκύρριζα@test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qqff
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <user.γλυκύρριζα@test.ex> R=localuser
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/4226 b/test/log/4226
index 71deed543..ad79e036e 100644
--- a/test/log/4226
+++ b/test/log/4226
@@ -1,8 +1,8 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= userV.වැල්_මී@test.ex U=CALLER P=utf8local-esmtp S=sss for user.அதிமதுரம்@test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 => user.அதிமதுரம்@test.ex F=<userV.වැල්_මී@test.ex> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => user.அதிமதுரம்@test.ex F=<userV.වැල්_මී@test.ex> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= userW@test.ex U=CALLER P=utf8local-esmtp S=sss for user.ഇരട്ടിമധുരം@test.ex
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => user.ഇരട്ടിമധുരം@test.ex F=<userW@test.ex> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => user.ഇരട്ടിമധുരം@test.ex F=<userW@test.ex> R=rmt T=rmt_smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 U=CALLER sender verify fail for <userA@test.ex>: 127.0.0.1 [127.0.0.1] : response to "EHLO" did not include SMTPUTF8
 1999-03-02 09:44:33 U=CALLER F=<userA@test.ex> rejected RCPT <user.यष्टिमधु@test.ex>: Sender verify failed
@@ -11,9 +11,9 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= userV.වැල්_මී@test.ex H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@the.local.host.name for user.அதிமதுரம்@test.ex
-1999-03-02 09:44:33 H=localhost (the.local.host.name) [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no F=<> rejected RCPT <the.local.host.name-dddddddd-testing@test.ex>: relay not permitted
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= userW@test.ex H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaZ-0005vi-00@the.local.host.name for user.ഇരട്ടിമധുരം@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= userV.වැල්_මී@test.ex H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@the.local.host.name for user.அதிமதுரம்@test.ex
+1999-03-02 09:44:33 H=localhost (the.local.host.name) [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no F=<> rejected RCPT <the.local.host.name-dddddddd-testing@test.ex>: relay not permitted
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= userW@test.ex H=localhost (the.local.host.name) [127.0.0.1] P=utf8esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaZ-0005vi-00@the.local.host.name for user.ഇരട്ടിമധുരം@test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qqff
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <user.அதிமதுரம்@test.ex> R=localuser
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/5410 b/test/log/5410
index 805f4d9a7..17706884b 100644
--- a/test/log/5410
+++ b/test/log/5410
@@ -1,4 +1,4 @@
-1999-03-02 09:44:33 10HmaX-0005vi-00 >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmbA-0005vi-00"
@@ -10,7 +10,7 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmaY-0005vi-00 no immediate delivery: queued by ACL
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbA-0005vi-00 no immediate delivery: queued by ACL
diff --git a/test/log/5420 b/test/log/5420
index a08d4b292..6258ccaea 100644
--- a/test/log/5420
+++ b/test/log/5420
@@ -1,4 +1,4 @@
-1999-03-02 09:44:33 10HmaX-0005vi-00 >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmbA-0005vi-00"
@@ -10,7 +10,7 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmaY-0005vi-00 no immediate delivery: queued by ACL
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbA-0005vi-00 no immediate delivery: queued by ACL
diff --git a/test/log/5601 b/test/log/5601
index 564369845..f5f5c9c68 100644
--- a/test/log/5601
+++ b/test/log/5601
@@ -1,11 +1,11 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for norequire@test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for nostaple@test.ex
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for CALLER@test.ex
-1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for CALLER@test.ex
 1999-03-02 09:44:33 10HmbD-0005vi-00 Received TLS status callback, null content
@@ -20,16 +20,16 @@
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: ocsp status 1 (notresp)
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com for norequire@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com for norequire@test.ex
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@test.ex> R=server
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: ocsp status 0 (notreq)
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com for nostaple@test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com for nostaple@test.ex
 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <nostaple@test.ex> R=server
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 4 (verified)
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbB-0005vi-00@server1.example.com for CALLER@test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmbB-0005vi-00@server1.example.com for CALLER@test.ex
 1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
diff --git a/test/log/5611 b/test/log/5611
index 2ddf7e2cd..918f7c429 100644
--- a/test/log/5611
+++ b/test/log/5611
@@ -1,11 +1,11 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbD-0005vi-00 Received TLS status callback, null content
@@ -20,16 +20,16 @@
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: ocsp status 1 (notresp)
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@test.ex> R=server
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: ocsp status 0 (notreq)
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com
 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <nostaple@test.ex> R=server
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 4 (verified)
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbB-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmbB-0005vi-00@server1.example.com
 1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
diff --git a/test/log/5651 b/test/log/5651
index 74d5a3343..56e50ca29 100644
--- a/test/log/5651
+++ b/test/log/5651
@@ -1,11 +1,11 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (certificate status check failed)
@@ -17,16 +17,16 @@
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1 (notresp)
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@test.ex> R=server
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: OCSP status 0 (notreq)
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com
 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <nostaple@test.ex> R=server
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: OCSP status 4 (verified)
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbB-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbB-0005vi-00@server1.example.com
 1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
diff --git a/test/log/5710 b/test/log/5710
index af98f686f..a9c5bb211 100644
--- a/test/log/5710
+++ b/test/log/5710
@@ -9,12 +9,12 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 SN  <CN=server1.example.com>
 1999-03-02 09:44:33 10HmaX-0005vi-00 SN; <CN=server1.example.com>
 1999-03-02 09:44:33 10HmaX-0005vi-00 SNCN<server1.example.com>
-1999-03-02 09:44:33 10HmaX-0005vi-00 IN  <O=example.com,CN=clica Signing Cert>
+1999-03-02 09:44:33 10HmaX-0005vi-00 IN  <O=example.com,CN=clica Signing Cert rsa>
 1999-03-02 09:44:33 10HmaX-0005vi-00 NB  <Nov  1 12:34:01 2012 GMT>
 1999-03-02 09:44:33 10HmaX-0005vi-00 NA  <Dec  1 12:34:01 2037 GMT>
 1999-03-02 09:44:33 10HmaX-0005vi-00 SA  <RSA-SHA256>
-1999-03-02 09:44:33 10HmaX-0005vi-00 SG  <67 ef 2d 43 8e 43 50 f5 3f 41 ee 42 cf f4 b4 31 3d d8 88 b5 f7 24 1f 26 83 32 6a 6c ff 8a 36 b7 be cb 28 48 68 9c a9 3c 6e 2f 2d a5 f4 fc d2 09 9b 1d 04 00 26 7d a5 f9 39 13 06 dd 9d 69 78 f8 7b f5 3c 82 9d 8f b9 4f 1a b6 f0 0b 7f 20 82 6e 80 4e 38 09 d1 43 23 22 dd 37 5d 80 6d 5a aa 23 33 e4 79 c9 0d 8d cc b8 ed 5f 6b 01 56 2c 49 89 9b ca 5e d5 b3 b0 93 7e d5 5e f0 98 7d 5f 07 4b>
-1999-03-02 09:44:33 10HmaX-0005vi-00 SAN <DNS=alternatename2.server1.example.com\nDNS=alternatename.server1.example.com\nDNS=*.test.ex\nDNS=server1.example.com>
+1999-03-02 09:44:33 10HmaX-0005vi-00 SG  <7a cd 30 27 d2 7c 9d fe c7 12 17 ba ea f4 38 91 c2 4e 5a 92 a8 e2 ad eb e3 16 1d 11 0c ac a2 3e d0 74 13 71 2e dc 4d c2 35 ac 7e 6e aa ac 9d 59 7c a8 9c c5 19 f4 05 96 a6 a3 e3 0c e0 0c 4b 05 ce 3a 50 32 a0 7e b2 43 9b 85 c6 1a 64 d2 c1 fb e4 f7 e7 40 06 51 db e8 50 de 13 a0 ec c6 ef b8 75 5c db bd 8e 52 0b c1 66 4d 45 e0 71 b2 d8 77 18 81 79 4c 29 de c0 b9 ab 9b aa 14 1e 6a dd 9f>
+1999-03-02 09:44:33 10HmaX-0005vi-00 SAN <DNS=alternatename2.server1.example.com\nDNS=server1.example.com\nDNS=alternatename.server1.example.com\nDNS=*.test.ex>
 1999-03-02 09:44:33 10HmaX-0005vi-00 CRU <http://crl.example.com/latest.crl>
 1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session: (certificate verification failed): certificate invalid: delivering unencrypted to H=127.0.0.1 [127.0.0.1] (not in hosts_require_tls)
 1999-03-02 09:44:33 10HmaX-0005vi-00 => bad@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00"
@@ -23,7 +23,7 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 No Peer cert
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth=0 <CN=server1.example.com>
-1999-03-02 09:44:33 10HmaY-0005vi-00 => good@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => good@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 msg:delivery good
 1999-03-02 09:44:33 10HmaY-0005vi-00 Our cert SN: CN=server2.example.com
 1999-03-02 09:44:33 10HmaY-0005vi-00 Peer cert:
@@ -31,12 +31,12 @@
 1999-03-02 09:44:33 10HmaY-0005vi-00 SN  <CN=server1.example.com>
 1999-03-02 09:44:33 10HmaY-0005vi-00 SN; <CN=server1.example.com>
 1999-03-02 09:44:33 10HmaY-0005vi-00 SNCN<server1.example.com>
-1999-03-02 09:44:33 10HmaY-0005vi-00 IN  <O=example.com,CN=clica Signing Cert>
+1999-03-02 09:44:33 10HmaY-0005vi-00 IN  <O=example.com,CN=clica Signing Cert rsa>
 1999-03-02 09:44:33 10HmaY-0005vi-00 NB  <Nov  1 12:34:01 2012 GMT>
 1999-03-02 09:44:33 10HmaY-0005vi-00 NA  <Dec  1 12:34:01 2037 GMT>
 1999-03-02 09:44:33 10HmaY-0005vi-00 SA  <RSA-SHA256>
-1999-03-02 09:44:33 10HmaY-0005vi-00 SG  <67 ef 2d 43 8e 43 50 f5 3f 41 ee 42 cf f4 b4 31 3d d8 88 b5 f7 24 1f 26 83 32 6a 6c ff 8a 36 b7 be cb 28 48 68 9c a9 3c 6e 2f 2d a5 f4 fc d2 09 9b 1d 04 00 26 7d a5 f9 39 13 06 dd 9d 69 78 f8 7b f5 3c 82 9d 8f b9 4f 1a b6 f0 0b 7f 20 82 6e 80 4e 38 09 d1 43 23 22 dd 37 5d 80 6d 5a aa 23 33 e4 79 c9 0d 8d cc b8 ed 5f 6b 01 56 2c 49 89 9b ca 5e d5 b3 b0 93 7e d5 5e f0 98 7d 5f 07 4b>
-1999-03-02 09:44:33 10HmaY-0005vi-00 SAN <DNS=alternatename2.server1.example.com\nDNS=alternatename.server1.example.com\nDNS=*.test.ex\nDNS=server1.example.com>
+1999-03-02 09:44:33 10HmaY-0005vi-00 SG  <7a cd 30 27 d2 7c 9d fe c7 12 17 ba ea f4 38 91 c2 4e 5a 92 a8 e2 ad eb e3 16 1d 11 0c ac a2 3e d0 74 13 71 2e dc 4d c2 35 ac 7e 6e aa ac 9d 59 7c a8 9c c5 19 f4 05 96 a6 a3 e3 0c e0 0c 4b 05 ce 3a 50 32 a0 7e b2 43 9b 85 c6 1a 64 d2 c1 fb e4 f7 e7 40 06 51 db e8 50 de 13 a0 ec c6 ef b8 75 5c db bd 8e 52 0b c1 66 4d 45 e0 71 b2 d8 77 18 81 79 4c 29 de c0 b9 ab 9b aa 14 1e 6a dd 9f>
+1999-03-02 09:44:33 10HmaY-0005vi-00 SAN <DNS=alternatename2.server1.example.com\nDNS=server1.example.com\nDNS=alternatename.server1.example.com\nDNS=*.test.ex>
 1999-03-02 09:44:33 10HmaY-0005vi-00 CRU <http://crl.example.com/latest.crl>
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
@@ -48,4 +48,4 @@
 1999-03-02 09:44:33 TLS error on connection from localhost [127.0.0.1] (send): The specified session has been invalidated for some reason.
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 [127.0.0.1] depth=0 CN=server2.example.com
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server2.example.com" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server2.example.com" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
diff --git a/test/log/5720 b/test/log/5720
index 55602874e..4afe4bfe3 100644
--- a/test/log/5720
+++ b/test/log/5720
@@ -1,19 +1,19 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: depth=2 error=self signed certificate in certificate chain cert=/O=example.com/CN=clica CA
+1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: depth=2 error=self signed certificate in certificate chain cert=/O=example.com/CN=clica CA rsa
 1999-03-02 09:44:33 10HmaX-0005vi-00 msg:host:defer bad
 1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented
 1999-03-02 09:44:33 10HmaX-0005vi-00 Peer cert:
 1999-03-02 09:44:33 10HmaX-0005vi-00 ver <2>
-1999-03-02 09:44:33 10HmaX-0005vi-00 SN  <CN=clica CA,O=example.com>
-1999-03-02 09:44:33 10HmaX-0005vi-00 SN; <CN=clica CA;O=example.com>
+1999-03-02 09:44:33 10HmaX-0005vi-00 SN  <CN=clica CA rsa,O=example.com>
+1999-03-02 09:44:33 10HmaX-0005vi-00 SN; <CN=clica CA rsa;O=example.com>
 1999-03-02 09:44:33 10HmaX-0005vi-00 SNO <example.com>
-1999-03-02 09:44:33 10HmaX-0005vi-00 IN  <CN=clica CA,O=example.com>
+1999-03-02 09:44:33 10HmaX-0005vi-00 IN  <CN=clica CA rsa,O=example.com>
 1999-03-02 09:44:33 10HmaX-0005vi-00 NB  <Nov  1 12:34:01 2012 +0000>
 1999-03-02 09:44:33 10HmaX-0005vi-00 NA  <Jan  1 12:34:01 2038 +0000>
 1999-03-02 09:44:33 10HmaX-0005vi-00 SA  <sha256WithRSAEncryption>
-1999-03-02 09:44:33 10HmaX-0005vi-00 SG  <         1a:d3:99:1f:3e:82:d1:02:2d:4e:f3:b1:ba:ec:44:a2:1e:13:\n         d6:12:5f:1b:2a:ce:fd:c3:3e:95:23:f5:53:7b:97:4e:44:45:\n         ed:dd:6f:bf:d3:35:e3:c1:2c:7d:0a:c2:98:d6:96:3b:8f:0d:\n         48:4a:58:2e:63:42:f9:1f:80:11:2b:d0:22:80:2d:01:96:53:\n         4b:10:24:33:61:47:74:83:b0:f5:06:53:40:45:51:04:fb:83:\n         50:7d:e0:39:a9:ef:68:af:1c:b8:cc:ae:dc:67:2e:b3:93:df:\n         65:21:89:a1:06:dd:7e:75:02:9a:2a:45:1c:97:71:22:59:05:\n         c6:0d\n>
+1999-03-02 09:44:33 10HmaX-0005vi-00 SG  <         03:30:ff:66:cc:e8:5f:88:9e:49:04:31:0c:e1:f9:dd:59:22:\n         00:90:ec:df:6a:ac:a3:d6:33:19:b4:1a:7a:7b:91:9d:51:42:\n         ba:8e:eb:b7:af:1c:8c:c7:0e:8f:37:f5:f3:f2:3e:88:c7:87:\n         9c:47:1d:aa:47:e8:60:1e:19:dc:b5:ef:0d:a4:46:66:18:3f:\n         64:eb:f9:f2:6b:b3:46:7b:16:da:84:08:f7:21:6a:0f:00:f4:\n         15:93:ed:33:a5:6a:d0:05:97:8c:bb:aa:22:88:0e:23:97:d2:\n         85:2a:3b:1f:98:5c:de:fa:e4:bd:2e:ca:52:1c:ee:bf:71:4a:\n         9d:a4\n>
 1999-03-02 09:44:33 10HmaX-0005vi-00 (no SAN)
 1999-03-02 09:44:33 10HmaX-0005vi-00 (no OCU)
 1999-03-02 09:44:33 10HmaX-0005vi-00 (no CRU)
@@ -23,10 +23,10 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented
 1999-03-02 09:44:33 10HmaX-0005vi-00 No Peer cert
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth=2 <CN=clica CA,O=example.com>
-1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth=1 <CN=clica Signing Cert,O=example.com>
+1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth=2 <CN=clica CA rsa,O=example.com>
+1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth=1 <CN=clica Signing Cert rsa,O=example.com>
 1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth=0 <CN=server1.example.com>
-1999-03-02 09:44:33 10HmaY-0005vi-00 => good@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => good@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 msg:delivery good
 1999-03-02 09:44:33 10HmaY-0005vi-00 Our cert SN: CN=server2.example.com
 1999-03-02 09:44:33 10HmaY-0005vi-00 Peer cert:
@@ -34,12 +34,12 @@
 1999-03-02 09:44:33 10HmaY-0005vi-00 SN  <CN=server1.example.com>
 1999-03-02 09:44:33 10HmaY-0005vi-00 SN; <CN=server1.example.com>
 1999-03-02 09:44:33 10HmaY-0005vi-00 SNO <>
-1999-03-02 09:44:33 10HmaY-0005vi-00 IN  <CN=clica Signing Cert,O=example.com>
+1999-03-02 09:44:33 10HmaY-0005vi-00 IN  <CN=clica Signing Cert rsa,O=example.com>
 1999-03-02 09:44:33 10HmaY-0005vi-00 NB  <Nov  1 12:34:01 2012 +0000>
 1999-03-02 09:44:33 10HmaY-0005vi-00 NA  <Dec  1 12:34:01 2037 +0000>
 1999-03-02 09:44:33 10HmaY-0005vi-00 SA  <sha256WithRSAEncryption>
-1999-03-02 09:44:33 10HmaY-0005vi-00 SG  <         67:ef:2d:43:8e:43:50:f5:3f:41:ee:42:cf:f4:b4:31:3d:d8:\n         88:b5:f7:24:1f:26:83:32:6a:6c:ff:8a:36:b7:be:cb:28:48:\n         68:9c:a9:3c:6e:2f:2d:a5:f4:fc:d2:09:9b:1d:04:00:26:7d:\n         a5:f9:39:13:06:dd:9d:69:78:f8:7b:f5:3c:82:9d:8f:b9:4f:\n         1a:b6:f0:0b:7f:20:82:6e:80:4e:38:09:d1:43:23:22:dd:37:\n         5d:80:6d:5a:aa:23:33:e4:79:c9:0d:8d:cc:b8:ed:5f:6b:01:\n         56:2c:49:89:9b:ca:5e:d5:b3:b0:93:7e:d5:5e:f0:98:7d:5f:\n         07:4b\n>
-1999-03-02 09:44:33 10HmaY-0005vi-00 SAN <DNS=server1.example.com;DNS=*.test.ex;DNS=alternatename.server1.example.com;DNS=alternatename2.server1.example.com>
+1999-03-02 09:44:33 10HmaY-0005vi-00 SG  <         7a:cd:30:27:d2:7c:9d:fe:c7:12:17:ba:ea:f4:38:91:c2:4e:\n         5a:92:a8:e2:ad:eb:e3:16:1d:11:0c:ac:a2:3e:d0:74:13:71:\n         2e:dc:4d:c2:35:ac:7e:6e:aa:ac:9d:59:7c:a8:9c:c5:19:f4:\n         05:96:a6:a3:e3:0c:e0:0c:4b:05:ce:3a:50:32:a0:7e:b2:43:\n         9b:85:c6:1a:64:d2:c1:fb:e4:f7:e7:40:06:51:db:e8:50:de:\n         13:a0:ec:c6:ef:b8:75:5c:db:bd:8e:52:0b:c1:66:4d:45:e0:\n         71:b2:d8:77:18:81:79:4c:29:de:c0:b9:ab:9b:aa:14:1e:6a:\n         dd:9f\n>
+1999-03-02 09:44:33 10HmaY-0005vi-00 SAN <DNS=*.test.ex;DNS=alternatename.server1.example.com;DNS=server1.example.com;DNS=alternatename2.server1.example.com>
 1999-03-02 09:44:33 10HmaY-0005vi-00 OCU <http://oscp.example.com/>
 1999-03-02 09:44:33 10HmaY-0005vi-00 CRU <http://crl.example.com/latest.crl>
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
@@ -49,7 +49,7 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 [127.0.0.1] depth=2 CN=clica CA,O=example.com
-1999-03-02 09:44:33 [127.0.0.1] depth=1 CN=clica Signing Cert,O=example.com
+1999-03-02 09:44:33 [127.0.0.1] depth=2 CN=clica CA rsa,O=example.com
+1999-03-02 09:44:33 [127.0.0.1] depth=1 CN=clica Signing Cert rsa,O=example.com
 1999-03-02 09:44:33 [127.0.0.1] depth=0 CN=server2.example.com
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server2.example.com" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/CN=server2.example.com" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
diff --git a/test/log/5730 b/test/log/5730
index f73bd20eb..d55498009 100644
--- a/test/log/5730
+++ b/test/log/5730
@@ -1,17 +1,17 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 client ocsp status: 1 (notresp)
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 client ocsp status: 1 (notresp)
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbB-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
 1999-03-02 09:44:33 10HmbB-0005vi-00 client ocsp status: 0 (notreq)
 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbD-0005vi-00 => good@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 => good@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
 1999-03-02 09:44:33 10HmbD-0005vi-00 client ocsp status: 4 (verified)
 1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
@@ -27,20 +27,20 @@
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1 (notresp)
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@test.ex> R=server
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: OCSP status 1 (notresp)
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com
 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <norequire@test.ex> R=server
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: OCSP status 0 (notreq)
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbB-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbB-0005vi-00@server1.example.com
 1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <nostaple@test.ex> R=server
 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbE-0005vi-00 client claims: OCSP status 4 (verified)
-1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbD-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbD-0005vi-00@server1.example.com
 1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <good@test.ex> R=server
 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
diff --git a/test/log/5740 b/test/log/5740
index 2b82395f9..d923fbda8 100644
--- a/test/log/5740
+++ b/test/log/5740
@@ -1,17 +1,17 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for norequire_1@test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire_1@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire_1@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 client ocsp status: 1 (notresp)
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for norequire_2@test.ex
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequire_2@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequire_2@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 client ocsp status: 4 (verified)
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for nostaple@test.ex
-1999-03-02 09:44:33 10HmbB-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
 1999-03-02 09:44:33 10HmbB-0005vi-00 client ocsp status: 0 (notreq)
 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for good@test.ex
-1999-03-02 09:44:33 10HmbD-0005vi-00 => good@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 => good@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
 1999-03-02 09:44:33 10HmbD-0005vi-00 client ocsp status: 4 (verified)
 1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for failrequire@test.ex
@@ -30,20 +30,20 @@
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: ocsp status 1
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com for norequire_1@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com for norequire_1@test.ex
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire_1@test.ex> R=server
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: ocsp status 4
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com for norequire_2@test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com for norequire_2@test.ex
 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <norequire_2@test.ex> R=server
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 0
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbB-0005vi-00@server1.example.com for nostaple@test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmbB-0005vi-00@server1.example.com for nostaple@test.ex
 1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <nostaple@test.ex> R=server
 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbE-0005vi-00 client claims: ocsp status 4
-1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbD-0005vi-00@server1.example.com for good@test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmbD-0005vi-00@server1.example.com for good@test.ex
 1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <good@test.ex> R=server
 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
diff --git a/test/log/5840 b/test/log/5840
index 9d134ca6d..c666b680a 100644
--- a/test/log/5840
+++ b/test/log/5840
@@ -1,80 +1,87 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane512ee.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256ta.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@mxdane256ta.test.ex R=client T=send_to_server H=dane256ta.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
-1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 DANE attempt failed; TLS connection to dane256ta.test.ex [ip4.ip4.ip4.ip4]: (SSL_connect): error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
+1999-03-02 09:44:33 10HmbB-0005vi-00 == CALLER@mxdane256ta.test.ex R=client T=send_to_server defer (-37) H=dane256ta.test.ex [ip4.ip4.ip4.ip4]: TLS session: (SSL_connect): error: <<detail omitted>>
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@thishost.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@thishost.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmbD-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
-1999-03-02 09:44:33 10HmbD-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="thishost.test.ex"
-1999-03-02 09:44:33 10HmbD-0005vi-00 => CALLER@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbE-0005vi-00"
-1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 DANE attempt failed; TLS connection to dane256ta.test.ex [ip4.ip4.ip4.ip4]: (SSL_connect): error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
+1999-03-02 09:44:33 10HmbB-0005vi-00 == CALLER@mxdane256ta.test.ex R=client T=send_to_server defer (-37) H=dane256ta.test.ex [ip4.ip4.ip4.ip4]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbC-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmbC-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="thishost.test.ex"
+1999-03-02 09:44:33 10HmbC-0005vi-00 => CALLER@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@thishost.test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@thishost.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmbF-0005vi-00 => CALLER@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
-1999-03-02 09:44:33 10HmbF-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 DANE attempt failed; TLS connection to dane256ta.test.ex [ip4.ip4.ip4.ip4]: (SSL_connect): error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
+1999-03-02 09:44:33 10HmbB-0005vi-00 == CALLER@mxdane256ta.test.ex R=client T=send_to_server defer (-37) H=dane256ta.test.ex [ip4.ip4.ip4.ip4]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbE-0005vi-00 => CALLER@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbF-0005vi-00"
+1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdanelazy.test.ex
-1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.1.test.ex
-1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.2.test.ex
-1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken1.test.ex
-1999-03-02 09:44:33 10HmbL-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.3.test.ex
-1999-03-02 09:44:33 10HmbM-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.4.test.ex
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdanelazy.test.ex
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.1.test.ex
+1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.2.test.ex
+1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken1.test.ex
+1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.3.test.ex
+1999-03-02 09:44:33 10HmbL-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.4.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy.test.ex [ip4.ip4.ip4.ip4]: DANE error: tlsa lookup DEFER
-1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy2.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER
-1999-03-02 09:44:33 10HmbH-0005vi-00 == CALLER@mxdanelazy.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER
-1999-03-02 09:44:33 10HmbI-0005vi-00 ** CALLER@dane.no.1.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL
-1999-03-02 09:44:33 10HmbI-0005vi-00 CALLER@dane.no.1.test.ex: error ignored
+1999-03-02 09:44:33 10HmbB-0005vi-00 DANE attempt failed; TLS connection to dane256ta.test.ex [ip4.ip4.ip4.ip4]: (SSL_connect): error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
+1999-03-02 09:44:33 10HmbB-0005vi-00 == CALLER@mxdane256ta.test.ex R=client T=send_to_server defer (-37) H=dane256ta.test.ex [ip4.ip4.ip4.ip4]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbG-0005vi-00 H=danelazy.test.ex [ip4.ip4.ip4.ip4]: DANE error: tlsa lookup DEFER
+1999-03-02 09:44:33 10HmbG-0005vi-00 H=danelazy2.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER
+1999-03-02 09:44:33 10HmbG-0005vi-00 == CALLER@mxdanelazy.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER
+1999-03-02 09:44:33 10HmbH-0005vi-00 ** CALLER@dane.no.1.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL
+1999-03-02 09:44:33 10HmbH-0005vi-00 CALLER@dane.no.1.test.ex: error ignored
+1999-03-02 09:44:33 10HmbH-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbI-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmbI-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="dane.no.2.test.ex"
+1999-03-02 09:44:33 10HmbI-0005vi-00 => CALLER@dane.no.2.test.ex R=client T=send_to_server H=dane.no.2.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbM-0005vi-00"
 1999-03-02 09:44:33 10HmbI-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbJ-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
-1999-03-02 09:44:33 10HmbJ-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="dane.no.2.test.ex"
-1999-03-02 09:44:33 10HmbJ-0005vi-00 => CALLER@dane.no.2.test.ex R=client T=send_to_server H=dane.no.2.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbN-0005vi-00"
-1999-03-02 09:44:33 10HmbJ-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbK-0005vi-00 H=danebroken1.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER
-1999-03-02 09:44:33 10HmbK-0005vi-00 == CALLER@danebroken1.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER
-1999-03-02 09:44:33 10HmbL-0005vi-00 ** CALLER@dane.no.3.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL
-1999-03-02 09:44:33 10HmbL-0005vi-00 CALLER@dane.no.3.test.ex: error ignored
+1999-03-02 09:44:33 10HmbJ-0005vi-00 H=danebroken1.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER
+1999-03-02 09:44:33 10HmbJ-0005vi-00 == CALLER@danebroken1.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER
+1999-03-02 09:44:33 10HmbK-0005vi-00 ** CALLER@dane.no.3.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL
+1999-03-02 09:44:33 10HmbK-0005vi-00 CALLER@dane.no.3.test.ex: error ignored
+1999-03-02 09:44:33 10HmbK-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbL-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmbL-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="dane.no.4.test.ex"
+1999-03-02 09:44:33 10HmbL-0005vi-00 => CALLER@dane.no.4.test.ex R=client T=send_to_server H=dane.no.4.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbN-0005vi-00"
 1999-03-02 09:44:33 10HmbL-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbM-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
-1999-03-02 09:44:33 10HmbM-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="dane.no.4.test.ex"
-1999-03-02 09:44:33 10HmbM-0005vi-00 => CALLER@dane.no.4.test.ex R=client T=send_to_server H=dane.no.4.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbO-0005vi-00"
-1999-03-02 09:44:33 10HmbM-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: <CALLER@dane256ee.test.ex> R=server
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for CALLER@mxdane512ee.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for CALLER@mxdane512ee.test.ex
 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@mxdane512ee.test.ex> R=server
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@mxdane256ta.test.ex
-1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@mxdane256ta.test.ex> R=server
-1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex for CALLER@thishost.test.ex
-1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <CALLER@thishost.test.ex> R=server
-1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmbC-0005vi-00@myhost.test.ex for CALLER@thishost.test.ex
+1999-03-02 09:44:33 10HmbD-0005vi-00 => :blackhole: <CALLER@thishost.test.ex> R=server
+1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmbG-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex for CALLER@thishost.test.ex
-1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: <CALLER@thishost.test.ex> R=server
-1999-03-02 09:44:33 10HmbG-0005vi-00 Completed
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmbE-0005vi-00@myhost.test.ex for CALLER@thishost.test.ex
+1999-03-02 09:44:33 10HmbF-0005vi-00 => :blackhole: <CALLER@thishost.test.ex> R=server
+1999-03-02 09:44:33 10HmbF-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmbN-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbJ-0005vi-00@myhost.test.ex for CALLER@dane.no.2.test.ex
-1999-03-02 09:44:33 10HmbN-0005vi-00 => :blackhole: <CALLER@dane.no.2.test.ex> R=server
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbM-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmbI-0005vi-00@myhost.test.ex for CALLER@dane.no.2.test.ex
+1999-03-02 09:44:33 10HmbM-0005vi-00 => :blackhole: <CALLER@dane.no.2.test.ex> R=server
+1999-03-02 09:44:33 10HmbM-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbN-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmbL-0005vi-00@myhost.test.ex for CALLER@dane.no.4.test.ex
+1999-03-02 09:44:33 10HmbN-0005vi-00 => :blackhole: <CALLER@dane.no.4.test.ex> R=server
 1999-03-02 09:44:33 10HmbN-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbO-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbM-0005vi-00@myhost.test.ex for CALLER@dane.no.4.test.ex
-1999-03-02 09:44:33 10HmbO-0005vi-00 => :blackhole: <CALLER@dane.no.4.test.ex> R=server
-1999-03-02 09:44:33 10HmbO-0005vi-00 Completed
diff --git a/test/log/5860 b/test/log/5860
index c41838020..1cfa7ba2d 100644
--- a/test/log/5860
+++ b/test/log/5860
@@ -2,28 +2,29 @@
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane512ee.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 tls:cert depth = 0 <CN=Phil Pennock,OU=Test Suite,O=The Exim Maintainers,C=UK>
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 msg:delivery dane=yes
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth = 0 <CN=Phil Pennock,OU=Test Suite,O=The Exim Maintainers,C=UK>
-1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 msg:delivery dane=yes
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256ta.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 2 <CN=clica CA,O=example.com>
-1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 1 <CN=clica Signing Cert,O=example.com>
-1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 0 <CN=server1.example.com>
-1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@mxdane256ta.test.ex R=client T=send_to_server H=dane256ta.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
-1999-03-02 09:44:33 10HmbB-0005vi-00 msg:delivery dane=yes
+1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 2 <CN=clica CA rsa,O=example.com>
+1999-03-02 09:44:33 10HmbB-0005vi-00 DANE attempt failed; TLS connection to dane256ta.test.ex [ip4.ip4.ip4.ip4]: (SSL_connect): error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
+1999-03-02 09:44:33 10HmbB-0005vi-00 msg:host:defer dane=no
+1999-03-02 09:44:33 10HmbB-0005vi-00 == CALLER@mxdane256ta.test.ex R=client T=send_to_server defer (-37) H=dane256ta.test.ex [ip4.ip4.ip4.ip4]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbB-0005vi-00 ** CALLER@mxdane256ta.test.ex: retry timeout exceeded
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> R=10HmbB-0005vi-00 U=EXIMUSER P=local S=sss for CALLER@myhost.test.ex
 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for CALLER@mxdane512ee.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for CALLER@mxdane512ee.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: <CALLER@dane256ee.test.ex> R=server
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
@@ -31,8 +32,8 @@
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@mxdane256ta.test.ex
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@mxdane256ta.test.ex> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@myhost.test.ex> R=server
 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/mail/2002.CALLER b/test/mail/2002.CALLER
index 23b5f61a5..766a8373c 100644
--- a/test/mail/2002.CALLER
+++ b/test/mail/2002.CALLER
@@ -1,36 +1,62 @@
 From CALLER@test.ex Tue Mar 02 09:44:33 1999
 Received: from [127.0.0.1]
-	by myhost.test.ex with smtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with smtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@test.ex>)
 	id 10HmaX-0005vi-00
 	for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
 tls-certificate-verified: 0
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 This is a test encrypted message.
 
 From "name with spaces"@test.ex Tue Mar 02 09:44:33 1999
 Received: from [127.0.0.1]
-	by myhost.test.ex with smtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with smtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <"name with spaces"@test.ex>)
 	id 10HmaY-0005vi-00
 	for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
 tls-certificate-verified: 0
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 This is a test encrypted message.
 
 From CALLER@test.ex Tue Mar 02 09:44:33 1999
 Received: from [ip4.ip4.ip4.ip4]
-	by myhost.test.ex with smtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with smtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@test.ex>)
 	id 10HmaZ-0005vi-00
 	for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
 tls-certificate-verified: 1
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=CN=server2.example.com
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=CN=server2.example.com
 
 This is a test encrypted message from a verified host.
 
+From CALLER@test.ex Tue Mar 02 09:44:33 1999
+Received: from [127.0.0.1]
+	by myhost.test.ex with smtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
+	(Exim x.yz)
+	(envelope-from <CALLER@test.ex>)
+	id 10HmbA-0005vi-00
+	for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
+tls-certificate-verified: 0
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
+
+This is a test encrypted message.
+It should be sent under the RSA server cert and with an RSA cipher.
+
+From CALLER@test.ex Tue Mar 02 09:44:33 1999
+Received: from [127.0.0.1]
+	by myhost.test.ex with smtps (TLS1.x:ke_ECDSA_AES_256_CBC_SHAnnn:256)
+	(Exim x.yz)
+	(envelope-from <CALLER@test.ex>)
+	id 10HmbB-0005vi-00
+	for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
+tls-certificate-verified: 0
+TLS: cipher=TLS1.x:ke_ECDSA_AES_256_CBC_SHAnnn:256 peerdn=
+
+This is a test encrypted message.
+It should be sent under the EC server cert and with an ECDSA cipher.
+
diff --git a/test/mail/2003.userx b/test/mail/2003.userx
index 2862ffa2a..960b4f2b2 100644
--- a/test/mail/2003.userx
+++ b/test/mail/2003.userx
@@ -1,11 +1,11 @@
 From userx@test.ex Tue Mar 02 09:44:33 1999
 Received: from [127.0.0.1] (helo=rhu.barb)
-	by myhost.test.ex with smtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with smtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <userx@test.ex>)
 	id 10HmaX-0005vi-00
 	for userx@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 This is a test encrypted message.
 
diff --git a/test/mail/2008.CALLER b/test/mail/2008.CALLER
index 213ed889a..4cabd4afa 100644
--- a/test/mail/2008.CALLER
+++ b/test/mail/2008.CALLER
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from [127.0.0.1] (helo=helo.data.changed)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmaZ-0005vi-00
@@ -12,13 +12,13 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message. Contains FF: �
 
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from [127.0.0.1] (helo=helo.data.changed)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbA-0005vi-00; Tue, 2 Mar 1999 09:44:33 +0000
@@ -28,7 +28,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message to two different hosts
 
diff --git a/test/mail/2008.abcd b/test/mail/2008.abcd
index edbb0b8c4..c92af5469 100644
--- a/test/mail/2008.abcd
+++ b/test/mail/2008.abcd
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from the.local.host.name ([ip4.ip4.ip4.ip4] helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbB-0005vi-00
@@ -11,7 +11,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message to two different hosts
 
diff --git a/test/mail/2008.xyz b/test/mail/2008.xyz
index c144d9726..daac14920 100644
--- a/test/mail/2008.xyz
+++ b/test/mail/2008.xyz
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from [127.0.0.1] (helo=helo.data.changed)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbA-0005vi-00; Tue, 2 Mar 1999 09:44:33 +0000
@@ -10,7 +10,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message to two different hosts
 
diff --git a/test/mail/2013.usera b/test/mail/2013.usera
index 8e17aeefc..3dda5a8dd 100644
--- a/test/mail/2013.usera
+++ b/test/mail/2013.usera
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1112 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbG-0005vi-00
@@ -12,7 +12,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmbD-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message 1
 
diff --git a/test/mail/2013.userb b/test/mail/2013.userb
index 556fb35e8..1d6476b93 100644
--- a/test/mail/2013.userb
+++ b/test/mail/2013.userb
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1112 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbI-0005vi-00
@@ -12,7 +12,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmbE-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message 2
 
diff --git a/test/mail/2013.userc b/test/mail/2013.userc
index 818aafb5e..a2f0e0c1e 100644
--- a/test/mail/2013.userc
+++ b/test/mail/2013.userc
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1112 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbH-0005vi-00
@@ -12,7 +12,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmbF-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message 3
 
diff --git a/test/mail/2013.userx b/test/mail/2013.userx
index 0d421f497..b6359a012 100644
--- a/test/mail/2013.userx
+++ b/test/mail/2013.userx
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1111 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbA-0005vi-00
@@ -12,7 +12,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message 1
 
diff --git a/test/mail/2013.usery b/test/mail/2013.usery
index 70e5f37fb..d3170ce10 100644
--- a/test/mail/2013.usery
+++ b/test/mail/2013.usery
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1111 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbC-0005vi-00
@@ -12,7 +12,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message 2
 
diff --git a/test/mail/2013.userz b/test/mail/2013.userz
index f7b8e9c1d..0c0a49ba0 100644
--- a/test/mail/2013.userz
+++ b/test/mail/2013.userz
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1111 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbB-0005vi-00
@@ -12,7 +12,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaZ-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message 3
 
diff --git a/test/mail/2017.userx b/test/mail/2017.userx
index 0e0d96571..885709a7a 100644
--- a/test/mail/2017.userx
+++ b/test/mail/2017.userx
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmaZ-0005vi-00
@@ -12,13 +12,13 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message 1
 
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbA-0005vi-00
@@ -30,7 +30,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message 2
 
diff --git a/test/mail/2019.userx b/test/mail/2019.userx
index 7408ad7f9..abb9e7c3c 100644
--- a/test/mail/2019.userx
+++ b/test/mail/2019.userx
@@ -1,22 +1,22 @@
 From userx@test.ex Tue Mar 02 09:44:33 1999
 Received: from [127.0.0.1] (helo=rhu.barb)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <userx@test.ex>)
 	id 10HmaX-0005vi-00
 	for userx@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 This is a test encrypted message.
 
 From userx@test.ex Tue Mar 02 09:44:33 1999
 Received: from [ip4.ip4.ip4.ip4]
-	by myhost.test.ex with smtp (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with smtp (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <userx@test.ex>)
 	id 10HmaY-0005vi-00
 	for userx@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
 
 This is a test encrypted message from a verified host.
 
diff --git a/test/mail/2027.userx b/test/mail/2027.userx
index 96b609820..e8a41a452 100644
--- a/test/mail/2027.userx
+++ b/test/mail/2027.userx
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmaZ-0005vi-00
@@ -12,7 +12,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message
 
diff --git a/test/mail/2038.userx0 b/test/mail/2038.userx0
index 4acc59105..3da6908c6 100644
--- a/test/mail/2038.userx0
+++ b/test/mail/2038.userx0
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1111 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbA-0005vi-00
@@ -11,7 +11,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message 1
 
diff --git a/test/mail/2038.userx1 b/test/mail/2038.userx1
index 2d4691e52..846e2f424 100644
--- a/test/mail/2038.userx1
+++ b/test/mail/2038.userx1
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1112 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbB-0005vi-00
@@ -11,7 +11,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message 1
 
diff --git a/test/mail/2038.usery0 b/test/mail/2038.usery0
index 0959b777b..7dcb5f643 100644
--- a/test/mail/2038.usery0
+++ b/test/mail/2038.usery0
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1112 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbE-0005vi-00
@@ -11,7 +11,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message 2
 
diff --git a/test/mail/2038.usery1 b/test/mail/2038.usery1
index 0aaf2a5ff..6c6e34d6e 100644
--- a/test/mail/2038.usery1
+++ b/test/mail/2038.usery1
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1112 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbF-0005vi-00
@@ -11,7 +11,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message 2
 
diff --git a/test/mail/2038.userz0 b/test/mail/2038.userz0
index dac74adae..c13d81d35 100644
--- a/test/mail/2038.userz0
+++ b/test/mail/2038.userz0
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1111 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbC-0005vi-00
@@ -11,7 +11,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaZ-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message 3
 
diff --git a/test/mail/2038.userz1 b/test/mail/2038.userz1
index 4797ffdf8..b90ad2c98 100644
--- a/test/mail/2038.userz1
+++ b/test/mail/2038.userz1
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1111 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbD-0005vi-00
@@ -11,7 +11,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaZ-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message 3
 
diff --git a/test/mail/2102.CALLER b/test/mail/2102.CALLER
index 42c189f78..a518a665c 100644
--- a/test/mail/2102.CALLER
+++ b/test/mail/2102.CALLER
@@ -1,36 +1,49 @@
 From CALLER@test.ex Tue Mar 02 09:44:33 1999
 Received: from [127.0.0.1]
-	by myhost.test.ex with smtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with smtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@test.ex>)
 	id 10HmaX-0005vi-00
 	for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
 tls-certificate-verified: 0
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 This is a test encrypted message.
 
 From "name with spaces"@test.ex Tue Mar 02 09:44:33 1999
 Received: from [127.0.0.1]
-	by myhost.test.ex with smtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with smtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <"name with spaces"@test.ex>)
 	id 10HmaY-0005vi-00
 	for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
 tls-certificate-verified: 0
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 This is a test encrypted message.
 
 From CALLER@test.ex Tue Mar 02 09:44:33 1999
 Received: from [ip4.ip4.ip4.ip4]
-	by myhost.test.ex with smtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with smtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@test.ex>)
 	id 10HmaZ-0005vi-00
 	for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
 tls-certificate-verified: 1
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=/CN=server2.example.com
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=/CN=server2.example.com
 
 This is a test encrypted message from a verified host.
 
+From CALLER@test.ex Tue Mar 02 09:44:33 1999
+Received: from [127.0.0.1]
+	by myhost.test.ex with smtps (TLSv1:ke-ECDSA-AES256-SHAxx:256)
+	(Exim x.yz)
+	(envelope-from <CALLER@test.ex>)
+	id 10HmbA-0005vi-00
+	for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
+tls-certificate-verified: 0
+TLS: cipher=TLSv1:ke-ECDSA-AES256-SHAxx:256 peerdn=
+
+This is a test encrypted message.
+It should be sent under the EC server cert and with an ECDSA cipher.
+
diff --git a/test/mail/2103.userx b/test/mail/2103.userx
index ac3b90ea3..01d0311f0 100644
--- a/test/mail/2103.userx
+++ b/test/mail/2103.userx
@@ -1,11 +1,11 @@
 From userx@test.ex Tue Mar 02 09:44:33 1999
 Received: from [127.0.0.1] (helo=rhu.barb)
-	by myhost.test.ex with smtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with smtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <userx@test.ex>)
 	id 10HmaX-0005vi-00
 	for userx@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 This is a test encrypted message.
 
diff --git a/test/mail/2108.CALLER b/test/mail/2108.CALLER
index 6c2f220b0..5c1d425ab 100644
--- a/test/mail/2108.CALLER
+++ b/test/mail/2108.CALLER
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from [127.0.0.1] (helo=helo.data.changed)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmaZ-0005vi-00
@@ -12,13 +12,13 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message. Contains FF: �
 
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from [127.0.0.1] (helo=helo.data.changed)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbA-0005vi-00; Tue, 2 Mar 1999 09:44:33 +0000
@@ -28,7 +28,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message to two different hosts
 
diff --git a/test/mail/2108.abcd b/test/mail/2108.abcd
index 5a6128532..ffb02d37a 100644
--- a/test/mail/2108.abcd
+++ b/test/mail/2108.abcd
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from the.local.host.name ([ip4.ip4.ip4.ip4] helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbB-0005vi-00
@@ -11,7 +11,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message to two different hosts
 
diff --git a/test/mail/2108.xyz b/test/mail/2108.xyz
index 4004e8dce..a72885aba 100644
--- a/test/mail/2108.xyz
+++ b/test/mail/2108.xyz
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from [127.0.0.1] (helo=helo.data.changed)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbA-0005vi-00; Tue, 2 Mar 1999 09:44:33 +0000
@@ -10,7 +10,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message to two different hosts
 
diff --git a/test/mail/2113.usera b/test/mail/2113.usera
index 43e950776..6e84f4699 100644
--- a/test/mail/2113.usera
+++ b/test/mail/2113.usera
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1112 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbG-0005vi-00
@@ -12,7 +12,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmbD-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message 1
 
diff --git a/test/mail/2113.userb b/test/mail/2113.userb
index d93f45f7c..805f6f732 100644
--- a/test/mail/2113.userb
+++ b/test/mail/2113.userb
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1112 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbI-0005vi-00
@@ -12,7 +12,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmbE-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message 2
 
diff --git a/test/mail/2113.userc b/test/mail/2113.userc
index 5bc9043fb..c20ed1a3f 100644
--- a/test/mail/2113.userc
+++ b/test/mail/2113.userc
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1112 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbH-0005vi-00
@@ -12,7 +12,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmbF-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message 3
 
diff --git a/test/mail/2113.userx b/test/mail/2113.userx
index 247218ae0..a49dbda78 100644
--- a/test/mail/2113.userx
+++ b/test/mail/2113.userx
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1111 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbA-0005vi-00
@@ -12,7 +12,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message 1
 
diff --git a/test/mail/2113.usery b/test/mail/2113.usery
index 78402a324..fa354c206 100644
--- a/test/mail/2113.usery
+++ b/test/mail/2113.usery
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1111 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbC-0005vi-00
@@ -12,7 +12,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message 2
 
diff --git a/test/mail/2113.userz b/test/mail/2113.userz
index 0d8210281..d73a6ab90 100644
--- a/test/mail/2113.userz
+++ b/test/mail/2113.userz
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1111 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbB-0005vi-00
@@ -12,7 +12,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaZ-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message 3
 
diff --git a/test/mail/2117.userx b/test/mail/2117.userx
index bc7668ef1..1bba267ae 100644
--- a/test/mail/2117.userx
+++ b/test/mail/2117.userx
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmaZ-0005vi-00
@@ -12,13 +12,13 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message 1
 
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbA-0005vi-00
@@ -30,7 +30,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message 2
 
diff --git a/test/mail/2119.userx b/test/mail/2119.userx
index 313fd6fa8..d0edb3545 100644
--- a/test/mail/2119.userx
+++ b/test/mail/2119.userx
@@ -1,22 +1,22 @@
 From userx@test.ex Tue Mar 02 09:44:33 1999
 Received: from [127.0.0.1] (helo=rhu.barb)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <userx@test.ex>)
 	id 10HmaX-0005vi-00
 	for userx@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 This is a test encrypted message.
 
 From userx@test.ex Tue Mar 02 09:44:33 1999
 Received: from [ip4.ip4.ip4.ip4]
-	by myhost.test.ex with smtp (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with smtp (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <userx@test.ex>)
 	id 10HmaY-0005vi-00
 	for userx@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 
 This is a test encrypted message from a verified host.
 
diff --git a/test/mail/2127.userx b/test/mail/2127.userx
index 5f0a48734..a2a47d5ef 100644
--- a/test/mail/2127.userx
+++ b/test/mail/2127.userx
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmaZ-0005vi-00
@@ -12,7 +12,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message
 
diff --git a/test/mail/2132.CALLER b/test/mail/2132.CALLER
index 21b5e2c66..5bc4c80da 100644
--- a/test/mail/2132.CALLER
+++ b/test/mail/2132.CALLER
@@ -1,36 +1,36 @@
 From CALLER@test.ex Tue Mar 02 09:44:33 1999
 Received: from [127.0.0.1]
-	by myhost.test.ex with smtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with smtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@test.ex>)
 	id 10HmaX-0005vi-00
 	for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
 tls-certificate-verified: 0
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 This is a test encrypted message.
 
 From "name with spaces"@test.ex Tue Mar 02 09:44:33 1999
 Received: from [127.0.0.1]
-	by myhost.test.ex with smtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with smtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <"name with spaces"@test.ex>)
 	id 10HmaY-0005vi-00
 	for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
 tls-certificate-verified: 0
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 This is a test encrypted message.
 
 From CALLER@test.ex Tue Mar 02 09:44:33 1999
 Received: from [ip4.ip4.ip4.ip4]
-	by myhost.test.ex with smtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with smtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@test.ex>)
 	id 10HmaZ-0005vi-00
 	for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
 tls-certificate-verified: 1
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=/CN=server1.example.com
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=/CN=server1.example.com
 
 This is a test encrypted message from a verified host.
 
diff --git a/test/mail/2138.userx0 b/test/mail/2138.userx0
index 952a4546f..5d9ddb542 100644
--- a/test/mail/2138.userx0
+++ b/test/mail/2138.userx0
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1111 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbA-0005vi-00
@@ -11,7 +11,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message 1
 
diff --git a/test/mail/2138.userx1 b/test/mail/2138.userx1
index a6f4b9762..3e7abf7da 100644
--- a/test/mail/2138.userx1
+++ b/test/mail/2138.userx1
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1112 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbB-0005vi-00
@@ -11,7 +11,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message 1
 
diff --git a/test/mail/2138.usery0 b/test/mail/2138.usery0
index d0c8c270f..6817ec2a8 100644
--- a/test/mail/2138.usery0
+++ b/test/mail/2138.usery0
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1112 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbE-0005vi-00
@@ -11,7 +11,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message 2
 
diff --git a/test/mail/2138.usery1 b/test/mail/2138.usery1
index b7d4c665e..455487912 100644
--- a/test/mail/2138.usery1
+++ b/test/mail/2138.usery1
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1112 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbF-0005vi-00
@@ -11,7 +11,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message 2
 
diff --git a/test/mail/2138.userz0 b/test/mail/2138.userz0
index 4a0f92398..86aaf4af6 100644
--- a/test/mail/2138.userz0
+++ b/test/mail/2138.userz0
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1111 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbC-0005vi-00
@@ -11,7 +11,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaZ-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message 3
 
diff --git a/test/mail/2138.userz1 b/test/mail/2138.userz1
index 5aca0f53a..47ac1370a 100644
--- a/test/mail/2138.userz1
+++ b/test/mail/2138.userz1
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1]:1111 helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbD-0005vi-00
@@ -11,7 +11,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaZ-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message 3
 
diff --git a/test/mail/2149.userx b/test/mail/2149.userx
index c74b8ded8..2f193f9fe 100644
--- a/test/mail/2149.userx
+++ b/test/mail/2149.userx
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmaY-0005vi-00
@@ -12,7 +12,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message
 
diff --git a/test/mail/3451.userx b/test/mail/3451.userx
index 17957a9a2..b2e058317 100644
--- a/test/mail/3451.userx
+++ b/test/mail/3451.userx
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtpsa (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtpsa (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmaZ-0005vi-00
@@ -12,13 +12,13 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message 1
 
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtpsa (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtpsa (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbA-0005vi-00
@@ -30,7 +30,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message 2
 
diff --git a/test/mail/3452.userx b/test/mail/3452.userx
index 17957a9a2..b2e058317 100644
--- a/test/mail/3452.userx
+++ b/test/mail/3452.userx
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtpsa (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtpsa (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmaZ-0005vi-00
@@ -12,13 +12,13 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message 1
 
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtpsa (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtpsa (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbA-0005vi-00
@@ -30,7 +30,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=
+TLS: cipher=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 peerdn=
 
 Test message 2
 
diff --git a/test/mail/3461.userx b/test/mail/3461.userx
index bab082ede..ec7ad309f 100644
--- a/test/mail/3461.userx
+++ b/test/mail/3461.userx
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtpsa (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtpsa (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmaZ-0005vi-00
@@ -12,13 +12,13 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message 1
 
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtpsa (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtpsa (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbA-0005vi-00
@@ -30,7 +30,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message 2
 
diff --git a/test/mail/3462.userx b/test/mail/3462.userx
index bab082ede..ec7ad309f 100644
--- a/test/mail/3462.userx
+++ b/test/mail/3462.userx
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtpsa (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtpsa (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmaZ-0005vi-00
@@ -12,13 +12,13 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message 1
 
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtpsa (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtpsa (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
 	id 10HmbA-0005vi-00
@@ -30,7 +30,7 @@ Received: from CALLER by myhost.test.ex with local (Exim x.yz)
 Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
 From: CALLER_NAME <CALLER@myhost.test.ex>
 Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+TLS: cipher=TLSv1:ke-RSA-AES256-SHAxx:256 peerdn=
 
 Test message 2
 
diff --git a/test/rejectlog/2003 b/test/rejectlog/2003
index f4945520b..c372ad907 100644
--- a/test/rejectlog/2003
+++ b/test/rejectlog/2003
@@ -1,3 +1,3 @@
 
 ******** SERVER ********
-1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no F=<userx@test.ex> rejected RCPT <userx@test.ex>: unacceptable cipher TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256
+1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no F=<userx@test.ex> rejected RCPT <userx@test.ex>: unacceptable cipher TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256
diff --git a/test/rejectlog/2014 b/test/rejectlog/2014
index 3a7e9a6a3..c0a340ea4 100644
--- a/test/rejectlog/2014
+++ b/test/rejectlog/2014
@@ -1,5 +1,5 @@
 
 ******** SERVER ********
-1999-03-02 09:44:33 H=(rhu2tls.barb) [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=
-1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
-1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
+1999-03-02 09:44:33 H=(rhu2tls.barb) [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
diff --git a/test/rejectlog/2037 b/test/rejectlog/2037
index 210641393..e0359a37a 100644
--- a/test/rejectlog/2037
+++ b/test/rejectlog/2037
@@ -1,12 +1,12 @@
 1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <rcpt_defer@test.ex>: Could not complete recipient verify callout: 127.0.0.1 [127.0.0.1] : SMTP error from remote mail server after RCPT TO:<rcpt_defer@test.ex>: 451 Temporary local problem - please try later
 
 ******** SERVER ********
-1999-03-02 09:44:33 H=localhost (myhost.test.ex) [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no F=<> temporarily rejected RCPT <rcpt_defer@test.ex>
-1999-03-02 09:44:33 10HmaX-0005vi-00 H=localhost (myhost.test.ex) [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no F=<> temporarily rejected after DATA
+1999-03-02 09:44:33 H=localhost (myhost.test.ex) [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no F=<> temporarily rejected RCPT <rcpt_defer@test.ex>
+1999-03-02 09:44:33 10HmaX-0005vi-00 H=localhost (myhost.test.ex) [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no F=<> temporarily rejected after DATA
 Envelope-from: <>
 Envelope-to: <data_defer@test.ex>
 P Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256)
+	by myhost.test.ex with esmtps (TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256)
 	(Exim x.yz)
 	id 10HmaX-0005vi-00
 	for data_defer@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
diff --git a/test/rejectlog/2103 b/test/rejectlog/2103
index dc9db1627..ad0307b46 100644
--- a/test/rejectlog/2103
+++ b/test/rejectlog/2103
@@ -1,3 +1,3 @@
 
 ******** SERVER ********
-1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no F=<userx@test.ex> rejected RCPT <userx@test.ex>: unacceptable cipher TLSv1:AES256-SHA:256
+1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no F=<userx@test.ex> rejected RCPT <userx@test.ex>: unacceptable cipher TLSv1:ke-RSA-AES256-SHAxx:256
diff --git a/test/rejectlog/2114 b/test/rejectlog/2114
index 895425c5a..a8e0b0b26 100644
--- a/test/rejectlog/2114
+++ b/test/rejectlog/2114
@@ -1,5 +1,5 @@
 
 ******** SERVER ********
-1999-03-02 09:44:33 H=(rhu.barb) [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=
-1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
-1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 H=(rhu.barb) [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
diff --git a/test/rejectlog/2137 b/test/rejectlog/2137
index 6ec734584..2ca91c31a 100644
--- a/test/rejectlog/2137
+++ b/test/rejectlog/2137
@@ -1,12 +1,12 @@
 1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <rcpt_defer@test.ex>: Could not complete recipient verify callout: 127.0.0.1 [127.0.0.1] : SMTP error from remote mail server after RCPT TO:<rcpt_defer@test.ex>: 451 Temporary local problem - please try later
 
 ******** SERVER ********
-1999-03-02 09:44:33 H=localhost (myhost.test.ex) [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no F=<> temporarily rejected RCPT <rcpt_defer@test.ex>
-1999-03-02 09:44:33 10HmaX-0005vi-00 H=localhost (myhost.test.ex) [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no F=<> temporarily rejected after DATA
+1999-03-02 09:44:33 H=localhost (myhost.test.ex) [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no F=<> temporarily rejected RCPT <rcpt_defer@test.ex>
+1999-03-02 09:44:33 10HmaX-0005vi-00 H=localhost (myhost.test.ex) [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no F=<> temporarily rejected after DATA
 Envelope-from: <>
 Envelope-to: <data_defer@test.ex>
 P Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLSv1:AES256-SHA:256)
+	by myhost.test.ex with esmtps (TLSv1:ke-RSA-AES256-SHAxx:256)
 	(Exim x.yz)
 	id 10HmaX-0005vi-00
 	for data_defer@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
diff --git a/test/rejectlog/4214 b/test/rejectlog/4214
index b7613eb45..7ec6099c0 100644
--- a/test/rejectlog/4214
+++ b/test/rejectlog/4214
@@ -2,4 +2,4 @@
 1999-03-02 09:44:33 U=CALLER F=<CALLER@vietnamese.TạisaohọkhôngthểchỉnóitiếngViệt.local> rejected RCPT <userT@test.ex>: 127.0.0.1 [127.0.0.1] : response to "EHLO" did not include SMTPUTF8
 
 ******** SERVER ********
-1999-03-02 09:44:33 H=localhost (the.local.host.name) [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no F=<> rejected RCPT <the.local.host.name-dddddddd-testing@test.ex>: relay not permitted
+1999-03-02 09:44:33 H=localhost (the.local.host.name) [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no F=<> rejected RCPT <the.local.host.name-dddddddd-testing@test.ex>: relay not permitted
diff --git a/test/rejectlog/4216 b/test/rejectlog/4216
index b100cfaca..caf4e22b6 100644
--- a/test/rejectlog/4216
+++ b/test/rejectlog/4216
@@ -4,4 +4,4 @@
 1999-03-02 09:44:33 U=CALLER F=<userB.જેઠીમધ@test.ex> rejected RCPT <user.ქართული@test.ex>: Sender verify failed
 
 ******** SERVER ********
-1999-03-02 09:44:33 H=localhost (the.local.host.name) [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no F=<> rejected RCPT <the.local.host.name-dddddddd-testing@test.ex>: relay not permitted
+1999-03-02 09:44:33 H=localhost (the.local.host.name) [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no F=<> rejected RCPT <the.local.host.name-dddddddd-testing@test.ex>: relay not permitted
diff --git a/test/rejectlog/4224 b/test/rejectlog/4224
index 05de432a4..7b4115874 100644
--- a/test/rejectlog/4224
+++ b/test/rejectlog/4224
@@ -2,4 +2,4 @@
 1999-03-02 09:44:33 U=CALLER F=<CALLER@vietnamese.TạisaohọkhôngthểchỉnóitiếngViệt.local> rejected RCPT <userT@test.ex>: 127.0.0.1 [127.0.0.1] : response to "EHLO" did not include SMTPUTF8
 
 ******** SERVER ********
-1999-03-02 09:44:33 H=localhost (the.local.host.name) [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no F=<> rejected RCPT <the.local.host.name-dddddddd-testing@test.ex>: relay not permitted
+1999-03-02 09:44:33 H=localhost (the.local.host.name) [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no F=<> rejected RCPT <the.local.host.name-dddddddd-testing@test.ex>: relay not permitted
diff --git a/test/rejectlog/4226 b/test/rejectlog/4226
index 6030c623d..12b503b52 100644
--- a/test/rejectlog/4226
+++ b/test/rejectlog/4226
@@ -4,4 +4,4 @@
 1999-03-02 09:44:33 U=CALLER F=<userB.જેઠીમધ@test.ex> rejected RCPT <user.ქართული@test.ex>: Sender verify failed
 
 ******** SERVER ********
-1999-03-02 09:44:33 H=localhost (the.local.host.name) [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no F=<> rejected RCPT <the.local.host.name-dddddddd-testing@test.ex>: relay not permitted
+1999-03-02 09:44:33 H=localhost (the.local.host.name) [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no F=<> rejected RCPT <the.local.host.name-dddddddd-testing@test.ex>: relay not permitted
diff --git a/test/runtest b/test/runtest
index 57e2d8a10..46c9871d0 100755
--- a/test/runtest
+++ b/test/runtest
@@ -572,8 +572,8 @@ RESET_AFTER_EXTRA_LINE_READ:
   #   DHE-RSA-AES256-SHA
   # picking latter as canonical simply because regex easier that way.
   s/\bDHE_RSA_AES_128_CBC_SHA1:128/RSA_AES_256_CBC_SHA1:256/g;
-  s/TLS1.[012]:((EC)?DHE_)?RSA_AES_(256|128)_(CBC|GCM)_SHA(1|256|384):(256|128)/TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256/g;
-  s/\b(ECDHE-RSA-AES256-SHA|DHE-RSA-AES256-SHA256)\b/AES256-SHA/g;
+  s/TLS1.[012]:((EC)?DHE_)?(RSA|ECDSA)_AES_(256|128)_(CBC|GCM)_SHA(1|256|384):(256|128)/TLS1.x:ke_$3_AES_256_CBC_SHAnnn:256/g;
+  s/\b(ECDHE-(RSA|ECDSA)-AES256-SHA|DHE-RSA-AES256-SHA256)\b/ke-$2-AES256-SHAxx/g;
 
   # GnuTLS library error message changes
   s/No certificate was found/The peer did not send any certificate/g;
diff --git a/test/scripts/2000-GnuTLS/2002 b/test/scripts/2000-GnuTLS/2002
index 49f841e56..4ecbf229b 100644
--- a/test/scripts/2000-GnuTLS/2002
+++ b/test/scripts/2000-GnuTLS/2002
@@ -83,6 +83,64 @@ This is a test encrypted message from a verified host.
 quit
 ??? 221
 ****
+#
+#
+# A client that only talks RSA.
+#
+# We have to specify the key-exchange as well as the authentication, otherwise,
+# the GnuTLS server side being foolish - it picks an ECDSA cipher-suite and then can't use it :(
+# Possibly fixed in 3.6.x ? 
+client-gnutls -p NONE:+SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<CALLER@test.ex>
+??? 250
+rcpt to:<CALLER@test.ex>
+??? 250
+DATA
+??? 3
+This is a test encrypted message.
+It should be sent under the RSA server cert and with an RSA cipher.
+.
+??? 250
+quit
+??? 221
+****
+#
+#
+# Make ECDSA authentication preferred (normally RSA is, it seems).
+client-gnutls -p NONE:+SIGN-ECDSA-SHA512:+VERS-TLS-ALL:+KX-ALL:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<CALLER@test.ex>
+??? 250
+rcpt to:<CALLER@test.ex>
+??? 250
+DATA
+??? 3
+This is a test encrypted message.
+It should be sent under the EC server cert and with an ECDSA cipher.
+.
+??? 250
+quit
+??? 221
+****
 killdaemon
 exim -qf
 ****
diff --git a/test/scripts/2100-OpenSSL/2102 b/test/scripts/2100-OpenSSL/2102
index bdf5496f6..e9fdbfdca 100644
--- a/test/scripts/2100-OpenSSL/2102
+++ b/test/scripts/2100-OpenSSL/2102
@@ -87,6 +87,36 @@ quit
 ??? 221
 ****
 killdaemon
+#
+# make ECDSA authentication preferred
+# DEFAULT:+RSA should work but does not seem to
+exim -DSERVER=server -DORDER=ECDSA:RSA:!COMPLEMENTOFDEFAULT -bd -oX PORT_D
+****
+client-ssl 127.0.0.1 PORT_D
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<CALLER@test.ex>
+??? 250
+rcpt to:<CALLER@test.ex>
+??? 250
+DATA
+??? 3
+This is a test encrypted message.
+It should be sent under the EC server cert and with an ECDSA cipher.
+.
+??? 250
+quit
+??? 221
+****
+killdaemon
 exim -qf
 ****
 exim -bh 10.0.0.1
diff --git a/test/src/client.c b/test/src/client.c
index 4ac130df2..be8b1cc0d 100644
--- a/test/src/client.c
+++ b/test/src/client.c
@@ -103,7 +103,7 @@ static int  ssl_session_timeout = 200;
 
 /* Priorities for TLS algorithms to use. */
 
-#if GNUTLS_VERSION_NUMBER < 0x030400
+# if GNUTLS_VERSION_NUMBER < 0x030400
 static const int protocol_priority[16] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
 
 static const int kx_priority[16] = {
@@ -125,7 +125,7 @@ static const int mac_priority[16] = {
   0 };
 
 static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 };
-#endif
+# endif
 
 #endif	/*HAVE_GNUTLS*/
 
@@ -133,6 +133,7 @@ static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 };
 
 #ifdef HAVE_TLS
 char * ocsp_stapling = NULL;
+char * pri_string = NULL;
 #endif
 
 
@@ -454,7 +455,7 @@ gnutls_session_t session;
 
 gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_NO_EXTENSIONS);
 
-#if GNUTLS_VERSION_NUMBER < 0x030400
+# if GNUTLS_VERSION_NUMBER < 0x030400
 gnutls_cipher_set_priority(session, default_cipher_priority);
 gnutls_compression_set_priority(session, comp_priority);
 gnutls_kx_set_priority(session, kx_priority);
@@ -462,10 +463,19 @@ gnutls_protocol_set_priority(session, protocol_priority);
 gnutls_mac_set_priority(session, mac_priority);
 
 gnutls_cred_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
-#else
-gnutls_set_default_priority(session);
+# else
+if (pri_string)
+  {
+  gnutls_priority_t priority_cache;
+  const char * errpos;
+
+  gnutls_priority_init(&priority_cache, pri_string, &errpos);
+  gnutls_priority_set(session, priority_cache);
+  }
+else
+  gnutls_set_default_priority(session);
 gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
-#endif
+# endif
 
 gnutls_dh_set_prime_bits(session, DH_BITS);
 gnutls_db_set_cache_expiration(session, ssl_session_timeout);
@@ -836,6 +846,10 @@ Usage: client\n"
 "\
           [-tls-on-connect]\n\
           [-ocsp]\n"
+# ifdef HAVE_GNUTLS
+"\
+          [-p priority-string]\n"
+# endif
 #endif
 "\
           [-tn] n seconds timeout\n\
@@ -901,6 +915,17 @@ while (argc >= argi + 1 && argv[argi][0] == '-')
       }
     ocsp_stapling = argv[argi++];
     }
+# ifdef HAVE_GNUTLS
+  else if (strcmp(argv[argi], "-p") == 0)
+    {
+    if (argc < ++argi + 1)
+      {
+      fprintf(stderr, "Missing priority string\n");
+      exit(96);
+      }
+    pri_string = argv[argi++];
+    }
+#endif
 
 #endif
   else if (argv[argi][1] == 't' && isdigit(argv[argi][2]))
diff --git a/test/stderr/2008 b/test/stderr/2008
index dd4abbe40..b8ff33fc6 100644
--- a/test/stderr/2008
+++ b/test/stderr/2008
@@ -29,7 +29,7 @@ Connecting to 127.0.0.1 [127.0.0.1]:1225 ... connected
   SMTP>> QUIT
   SMTP(close)>>
 LOG: MAIN
-  => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
+  => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
 LOG: MAIN
   Completed
 delivering 10HmaY-0005vi-00 (queue run pid ppppp)
@@ -63,9 +63,9 @@ Connecting to 127.0.0.1 [127.0.0.1]:1225 ... connected
   SMTP>> QUIT
   SMTP(close)>>
 LOG: MAIN
-  => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+  => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
 LOG: MAIN
-  -> xyz@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+  -> xyz@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
 Connecting to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]:1225 ... connected
   SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
   SMTP>> EHLO myhost.test.ex
@@ -94,7 +94,7 @@ Connecting to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]:1225 ... connected
   SMTP>> QUIT
   SMTP(close)>>
 LOG: MAIN
-  => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00"
+  => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00"
 LOG: MAIN
   Completed
 LOG: queue_run MAIN
diff --git a/test/stderr/2013 b/test/stderr/2013
index 9f96c99eb..d050ebd30 100644
--- a/test/stderr/2013
+++ b/test/stderr/2013
@@ -32,7 +32,7 @@ cmd buf flush ddd bytes
   SMTP<< 354 Enter message, ending with "." on a line by itself
   SMTP<< 250 OK id=10HmbA-0005vi-00
 LOG: MAIN
-  => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+  => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
 LOG: MAIN
   Completed
 Exim version x.yz ....
@@ -49,7 +49,7 @@ cmd buf flush ddd bytes
   SMTP<< 250 OK id=10HmbB-0005vi-00
   SMTP(close)>>
 LOG: MAIN
-  => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbB-0005vi-00"
+  => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbB-0005vi-00"
 LOG: MAIN
   Completed
 >>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
@@ -69,7 +69,7 @@ cmd buf flush ddd bytes
 cmd buf flush ddd bytes
   SMTP(close)>>
 LOG: MAIN
-  => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbC-0005vi-00"
+  => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbC-0005vi-00"
 LOG: MAIN
   Completed
 >>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
@@ -111,7 +111,7 @@ cmd buf flush ddd bytes
   SMTP<< 354 Enter message, ending with "." on a line by itself
   SMTP<< 250 OK id=10HmbG-0005vi-00
 LOG: MAIN
-  => usera@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbG-0005vi-00"
+  => usera@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbG-0005vi-00"
 LOG: MAIN
   Completed
 Exim version x.yz ....
@@ -128,7 +128,7 @@ cmd buf flush ddd bytes
   SMTP<< 250 OK id=10HmbH-0005vi-00
   SMTP(close)>>
 LOG: MAIN
-  => userc@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbH-0005vi-00"
+  => userc@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbH-0005vi-00"
 LOG: MAIN
   Completed
 >>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
@@ -148,7 +148,7 @@ cmd buf flush ddd bytes
 cmd buf flush ddd bytes
   SMTP(close)>>
 LOG: MAIN
-  => userb@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbI-0005vi-00"
+  => userb@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbI-0005vi-00"
 LOG: MAIN
   Completed
 >>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
diff --git a/test/stderr/2035 b/test/stderr/2035
index 80c2476d8..3b2031bae 100644
--- a/test/stderr/2035
+++ b/test/stderr/2035
@@ -67,7 +67,7 @@ cmd buf flush ddd bytes
   SMTP(close)>>
 Leaving t1 transport
 LOG: MAIN
-  => userb@test.ex R=client T=t1 H=127.0.0.1 [127.0.0.1]:1225 X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaY-0005vi-00"
+  => userb@test.ex R=client T=t1 H=127.0.0.1 [127.0.0.1]:1225 X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaY-0005vi-00"
 LOG: MAIN
   Completed
 >>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
diff --git a/test/stderr/2108 b/test/stderr/2108
index 84ae3536e..19e7b3621 100644
--- a/test/stderr/2108
+++ b/test/stderr/2108
@@ -33,7 +33,7 @@ LOG: MAIN
   SMTP>> QUIT
   SMTP(close)>>
 LOG: MAIN
-  => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
+  => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
 LOG: MAIN
   Completed
 delivering 10HmaY-0005vi-00 (queue run pid ppppp)
@@ -71,9 +71,9 @@ LOG: MAIN
   SMTP>> QUIT
   SMTP(close)>>
 LOG: MAIN
-  => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+  => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
 LOG: MAIN
-  -> xyz@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+  -> xyz@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
 Connecting to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]:1225 ... connected
   SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
   SMTP>> EHLO myhost.test.ex
@@ -106,7 +106,7 @@ LOG: MAIN
   SMTP>> QUIT
   SMTP(close)>>
 LOG: MAIN
-  => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00"
+  => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00"
 LOG: MAIN
   Completed
 LOG: queue_run MAIN
diff --git a/test/stderr/2113 b/test/stderr/2113
index fcb7691fb..369a800e7 100644
--- a/test/stderr/2113
+++ b/test/stderr/2113
@@ -32,7 +32,7 @@ cmd buf flush ddd bytes
   SMTP<< 354 Enter message, ending with "." on a line by itself
   SMTP<< 250 OK id=10HmbA-0005vi-00
 LOG: MAIN
-  => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+  => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
 LOG: MAIN
   Completed
 Exim version x.yz ....
@@ -49,7 +49,7 @@ cmd buf flush ddd bytes
   SMTP<< 250 OK id=10HmbB-0005vi-00
   SMTP(close)>>
 LOG: MAIN
-  => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbB-0005vi-00"
+  => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmbB-0005vi-00"
 LOG: MAIN
   Completed
 >>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
@@ -69,7 +69,7 @@ cmd buf flush ddd bytes
 cmd buf flush ddd bytes
   SMTP(close)>>
 LOG: MAIN
-  => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbC-0005vi-00"
+  => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmbC-0005vi-00"
 LOG: MAIN
   Completed
 >>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
@@ -111,7 +111,7 @@ cmd buf flush ddd bytes
   SMTP<< 354 Enter message, ending with "." on a line by itself
   SMTP<< 250 OK id=10HmbG-0005vi-00
 LOG: MAIN
-  => usera@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbG-0005vi-00"
+  => usera@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbG-0005vi-00"
 LOG: MAIN
   Completed
 Exim version x.yz ....
@@ -128,7 +128,7 @@ cmd buf flush ddd bytes
   SMTP<< 250 OK id=10HmbH-0005vi-00
   SMTP(close)>>
 LOG: MAIN
-  => userc@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbH-0005vi-00"
+  => userc@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmbH-0005vi-00"
 LOG: MAIN
   Completed
 >>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
@@ -148,7 +148,7 @@ cmd buf flush ddd bytes
 cmd buf flush ddd bytes
   SMTP(close)>>
 LOG: MAIN
-  => userb@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbI-0005vi-00"
+  => userb@test.ex R=cl_override T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmbI-0005vi-00"
 LOG: MAIN
   Completed
 >>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
diff --git a/test/stderr/2135 b/test/stderr/2135
index e7e1c3f65..baa08c005 100644
--- a/test/stderr/2135
+++ b/test/stderr/2135
@@ -67,7 +67,7 @@ cmd buf flush ddd bytes
   SMTP(close)>>
 Leaving t1 transport
 LOG: MAIN
-  => userb@test.ex R=client T=t1 H=127.0.0.1 [127.0.0.1]:1225 X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmaY-0005vi-00"
+  => userb@test.ex R=client T=t1 H=127.0.0.1 [127.0.0.1]:1225 X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmaY-0005vi-00"
 LOG: MAIN
   Completed
 >>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
diff --git a/test/stderr/5410 b/test/stderr/5410
index 515d05334..b6e0d06b0 100644
--- a/test/stderr/5410
+++ b/test/stderr/5410
@@ -233,7 +233,7 @@ end of inline ACL: ACCEPT
   SMTP>> .
   SMTP<< 250 OK id=10HmaY-0005vi-00
 LOG: MAIN
-  >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmaY-0005vi-00"
+  >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHAxx:256 CV=no C="250 OK id=10HmaY-0005vi-00"
   SMTP>> QUIT
   SMTP<< 221 myhost.test.ex closing connection
   SMTP(close)>>
diff --git a/test/stderr/5420 b/test/stderr/5420
index 430a82dd9..97af80b4f 100644
--- a/test/stderr/5420
+++ b/test/stderr/5420
@@ -232,7 +232,7 @@ end of inline ACL: ACCEPT
   SMTP>> .
   SMTP<< 250 OK id=10HmaY-0005vi-00
 LOG: MAIN
-  >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaY-0005vi-00"
+  >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaY-0005vi-00"
   SMTP>> QUIT
   SMTP<< 221 myhost.test.ex closing connection
   SMTP(close)>>
diff --git a/test/stdout/2002 b/test/stdout/2002
index 7fd17f029..7462793a3 100644
--- a/test/stdout/2002
+++ b/test/stdout/2002
@@ -137,6 +137,84 @@ Succeeded in starting TLS
 ??? 221
 <<< 221 myhost.test.ex closing connection
 End of script
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+Succeeded in starting TLS
+>>> mail from:<CALLER@test.ex>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@test.ex>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message.
+>>> It should be sent under the RSA server cert and with an RSA cipher.
+>>> .
+??? 250
+<<< 250 OK id=10HmbA-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+Succeeded in starting TLS
+>>> mail from:<CALLER@test.ex>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@test.ex>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message.
+>>> It should be sent under the EC server cert and with an ECDSA cipher.
+>>> .
+??? 250
+<<< 250 OK id=10HmbB-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
 
 **** SMTP testing session as if from host 10.0.0.1
 **** but without any ident (RFC 1413) callback.
diff --git a/test/stdout/2003 b/test/stdout/2003
index 3176f19e6..fbdbae47f 100644
--- a/test/stdout/2003
+++ b/test/stdout/2003
@@ -24,7 +24,7 @@ Succeeded in starting TLS
 <<< 250 OK
 >>> rcpt to:<userx@test.ex>
 ??? 550
-<<< 550 unacceptable cipher TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256
+<<< 550 unacceptable cipher TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256
 >>> quit
 ??? 221
 <<< 221 myhost.test.ex closing connection
diff --git a/test/stdout/2102 b/test/stdout/2102
index 2df808595..2a1ec1870 100644
--- a/test/stdout/2102
+++ b/test/stdout/2102
@@ -18,7 +18,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> mail from:<CALLER@test.ex>
 ??? 250
@@ -57,7 +57,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> mail from:<"name with spaces"@test.ex>
 ??? 250
@@ -125,7 +125,7 @@ Key file = TESTSUITE/aux-fixed/exim-ca/example.com/server2.example.com/server2.e
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> mail from:<CALLER@test.ex>
 ??? 250
@@ -144,6 +144,46 @@ Succeeded in starting TLS
 ??? 221
 <<< 221 myhost.test.ex closing connection
 End of script
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-ECDSA-AES256-SHAxx
+Succeeded in starting TLS
+>>> mail from:<CALLER@test.ex>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@test.ex>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message.
+>>> It should be sent under the EC server cert and with an ECDSA cipher.
+>>> .
+??? 250
+<<< 250 OK id=10HmbA-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
 
 **** SMTP testing session as if from host 10.0.0.1
 **** but without any ident (RFC 1413) callback.
diff --git a/test/stdout/2103 b/test/stdout/2103
index f987fe59c..deb4e87e7 100644
--- a/test/stdout/2103
+++ b/test/stdout/2103
@@ -18,14 +18,14 @@ Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> mail from:<userx@test.ex>
 ??? 250
 <<< 250 OK
 >>> rcpt to:<userx@test.ex>
 ??? 550
-<<< 550 unacceptable cipher TLSv1:AES256-SHA:256
+<<< 550 unacceptable cipher TLSv1:ke-RSA-AES256-SHAxx:256
 >>> quit
 ??? 221
 <<< 221 myhost.test.ex closing connection
@@ -50,7 +50,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> helo rhu.barb
 ??? 250
diff --git a/test/stdout/2105 b/test/stdout/2105
index 5395110c7..a9d15806b 100644
--- a/test/stdout/2105
+++ b/test/stdout/2105
@@ -24,7 +24,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> mail from:<userx@test.ex>
 ??? 250
diff --git a/test/stdout/2106 b/test/stdout/2106
index 3c6dc5d36..7552f9bfd 100644
--- a/test/stdout/2106
+++ b/test/stdout/2106
@@ -18,7 +18,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 +++ 3
 End of script
diff --git a/test/stdout/2114 b/test/stdout/2114
index 7020b0c57..84de023e8 100644
--- a/test/stdout/2114
+++ b/test/stdout/2114
@@ -41,7 +41,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> helo rhu.barb
 ??? 250
@@ -78,7 +78,7 @@ Key file = aux-fixed/cert2
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> mail from:<userx@test.ex>
 ??? 250
@@ -112,7 +112,7 @@ Key file = aux-fixed/cert2
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> mail from:<userx@test.ex>
 ??? 250
@@ -171,7 +171,7 @@ Key file = aux-fixed/cert1
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> mail from:<userx@test.ex>
 ??? 250
@@ -232,7 +232,7 @@ Key file = aux-fixed/cert1
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> mail from:<userx@test.ex>
 ??? 250
diff --git a/test/stdout/2118 b/test/stdout/2118
index c026a063b..897799791 100644
--- a/test/stdout/2118
+++ b/test/stdout/2118
@@ -18,7 +18,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> mail from:<userx@test.ex>
 ??? 250
diff --git a/test/stdout/2119 b/test/stdout/2119
index 5fffd603a..d5a9abd7b 100644
--- a/test/stdout/2119
+++ b/test/stdout/2119
@@ -1,6 +1,6 @@
 Connecting to 127.0.0.1 port 1225 ... connected
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 ??? 220
 <<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
@@ -36,7 +36,7 @@ Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
 Certificate file = aux-fixed/cert2
 Key file = aux-fixed/cert2
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 ??? 220
 <<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
diff --git a/test/stdout/2122 b/test/stdout/2122
index 8fe3d56a2..a6644b7a6 100644
--- a/test/stdout/2122
+++ b/test/stdout/2122
@@ -18,7 +18,7 @@ Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> help
 ??? 214-
diff --git a/test/stdout/2128 b/test/stdout/2128
index b251b4cc4..694d9e0e6 100644
--- a/test/stdout/2128
+++ b/test/stdout/2128
@@ -18,7 +18,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> quit
 ??? 221
@@ -26,7 +26,7 @@ Succeeded in starting TLS
 End of script
 Connecting to 127.0.0.1 port 1226 ... connected
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 ??? 220
 <<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
diff --git a/test/stdout/2132 b/test/stdout/2132
index 64915c1fb..ee38b360b 100644
--- a/test/stdout/2132
+++ b/test/stdout/2132
@@ -18,7 +18,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> mail from:<CALLER@test.ex>
 ??? 250
@@ -57,7 +57,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> mail from:<"name with spaces"@test.ex>
 ??? 250
@@ -125,7 +125,7 @@ Key file = TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.e
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> mail from:<CALLER@test.ex>
 ??? 250
diff --git a/test/stdout/2150 b/test/stdout/2150
index 75f7c5b54..8cfc68ae8 100644
--- a/test/stdout/2150
+++ b/test/stdout/2150
@@ -18,7 +18,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> mail from:<userx@test.ex>
 ??? 250
diff --git a/test/stdout/2190 b/test/stdout/2190
index e09556e69..47d2a3910 100644
--- a/test/stdout/2190
+++ b/test/stdout/2190
@@ -20,7 +20,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> EHLO rhu.barb
 ??? 250-
@@ -76,7 +76,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> EHLO rhu.barb
 ??? 250-
diff --git a/test/stdout/3450 b/test/stdout/3450
index 5efba0069..f9fbd1f5c 100644
--- a/test/stdout/3450
+++ b/test/stdout/3450
@@ -48,7 +48,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> ehlo foobar
 ??? 250-
diff --git a/test/stdout/3454 b/test/stdout/3454
index eec5221b5..d1586ffa3 100644
--- a/test/stdout/3454
+++ b/test/stdout/3454
@@ -20,7 +20,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220 TLS
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> auth plain AHVzZXJ4AHNlY3JldA==
 ??? 503
@@ -48,7 +48,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220 TLS
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> ehlo foobar
 ??? 250-myhost
diff --git a/test/stdout/3460 b/test/stdout/3460
index 5efba0069..f9fbd1f5c 100644
--- a/test/stdout/3460
+++ b/test/stdout/3460
@@ -48,7 +48,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> ehlo foobar
 ??? 250-
diff --git a/test/stdout/3463 b/test/stdout/3463
index 60ba9d3a9..6b9c189c8 100644
--- a/test/stdout/3463
+++ b/test/stdout/3463
@@ -20,7 +20,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> auth plain AHVzZXJ4AHNlY3JldA==
 ??? 503
@@ -54,7 +54,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> auth plain AHVzZXJ4AHNlY3JldA==
 ??? 235
diff --git a/test/stdout/3464 b/test/stdout/3464
index 3668f5e8a..3516b407b 100644
--- a/test/stdout/3464
+++ b/test/stdout/3464
@@ -20,7 +20,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> auth plain AHVzZXJ4AHNlY3JldA==
 ??? 503
@@ -48,7 +48,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> ehlo foobar
 ??? 250-
diff --git a/test/stdout/5600 b/test/stdout/5600
index 9af94384a..ace133c61 100644
--- a/test/stdout/5600
+++ b/test/stdout/5600
@@ -21,7 +21,7 @@ Key file = aux-fixed/cert2
 <<< 220 TLS go ahead
 Attempting to start TLS
 Response verify OK
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> mail from:<userx@test.ex>
 ??? 250
@@ -56,7 +56,7 @@ Key file = aux-fixed/cert2
 <<< 220 TLS go ahead
 Attempting to start TLS
 no response received
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 End of script
 Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
@@ -82,7 +82,7 @@ Key file = aux-fixed/cert2
 <<< 220 TLS go ahead
 Attempting to start TLS
 no response received
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 End of script
 Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
@@ -107,7 +107,7 @@ Key file = aux-fixed/cert2
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> ehlo rhu.barb.tls
 ??? 250-
diff --git a/test/stdout/5610 b/test/stdout/5610
index 9af94384a..ace133c61 100644
--- a/test/stdout/5610
+++ b/test/stdout/5610
@@ -21,7 +21,7 @@ Key file = aux-fixed/cert2
 <<< 220 TLS go ahead
 Attempting to start TLS
 Response verify OK
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> mail from:<userx@test.ex>
 ??? 250
@@ -56,7 +56,7 @@ Key file = aux-fixed/cert2
 <<< 220 TLS go ahead
 Attempting to start TLS
 no response received
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 End of script
 Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
@@ -82,7 +82,7 @@ Key file = aux-fixed/cert2
 <<< 220 TLS go ahead
 Attempting to start TLS
 no response received
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 End of script
 Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
@@ -107,7 +107,7 @@ Key file = aux-fixed/cert2
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using AES256-SHA
+SSL connection using ke-RSA-AES256-SHAxx
 Succeeded in starting TLS
 >>> ehlo rhu.barb.tls
 ??? 250-
-- 
cgit v1.2.3


From a79d883474c84fa2a286b7797a7664b599912fcd Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Tue, 7 Nov 2017 19:01:42 +0000
Subject: DKIM: Allow the DKIM ACL to override verification results.  Bug 2186

This provides generic support, though is covers the need introduced
by https://datatracker.ietf.org/doc/draft-ietf-dcrup-dkim-usage/?include_text=1
(deprecating sha-1 and RSA keys shorter than 1024 bits).
---
 doc/doc-docbook/spec.xfpt   |  17 ++++
 doc/doc-txt/NewStuff        |   1 +
 src/src/acl.c               |  51 ++++++++++--
 src/src/dkim.c              | 193 +++++++++++++++++++++++++-------------------
 src/src/dkim.h              |   2 +
 src/src/expand.c            |   4 +-
 src/src/globals.c           |   2 +
 src/src/globals.h           |   2 +
 src/src/receive.c           |   9 ++-
 test/confs/4500             |  16 +++-
 test/log/4500               |  13 ++-
 test/log/4501               |   4 +-
 test/log/4502               |   8 +-
 test/log/4503               |   2 +-
 test/log/4506               |   8 +-
 test/log/4520               |  17 ++--
 test/log/4523               |   3 +-
 test/log/4524               |   3 +-
 test/log/4550               |   2 +-
 test/scripts/4500-DKIM/4500 |  38 +++++++++
 test/stderr/4507            |  10 ++-
 21 files changed, 281 insertions(+), 124 deletions(-)

(limited to 'src')

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 7a0841cb2..98986e032 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -38731,6 +38731,19 @@ available in &%$dkim_verify_reason%&.
 &%pass%&: The signature passed verification. It is valid.
 .endlist
 
+.new
+This variable can be overwritten using an ACL 'set' modifier.
+This might, for instance, be done to enforce a policy restriction on
+hash-method or key-size:
+.code
+  warn	condition =	${if eq {$dkim_algo}{rsa-sha1}}
+	condition =	${if eq {$dkim_verify_status}{pass}}
+	logwrite =	NOTE: forcing dkim verify fail (was pass)
+	set dkim_verify_status = fail
+	set dkim_verify_reason = hash too weak
+.endd
+.wen
+
 .vitem &%$dkim_verify_reason%&
 A string giving a little bit more detail when &%$dkim_verify_status%& is either
 "fail" or "invalid". One of
@@ -38751,6 +38764,10 @@ re-written or otherwise changed in a way which is incompatible with
 DKIM verification. It may of course also mean that the signature is forged.
 .endlist
 
+.new
+This variable can be overwritten using an ACL 'set' modifier.
+.wen
+
 .vitem &%$dkim_domain%&
 The signing domain. IMPORTANT: This variable is only populated if there is
 an actual signature in the message for the current domain or identity (as
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 7e6971dde..aa2117e7e 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -55,6 +55,7 @@ Version 4.90
     DKIM support for multiple hashes, and for alternate-identity tags.
     Builtin macro with default list of signed headers.
     Better syntax for specifying oversigning.
+    The DKIM ACL can override verification results.
 
 14. Exipick understands -C|--config for an alternative Exim
     configuration file.
diff --git a/src/src/acl.c b/src/src/acl.c
index 640989997..739cd91ae 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -852,6 +852,26 @@ while ((s = (*func)()) != NULL)
   compatibility. */
 
   if (c == ACLC_SET)
+#ifndef DISABLE_DKIM
+    if (  Ustrncmp(s, "dkim_verify_status", 18) == 0
+       || Ustrncmp(s, "dkim_verify_reason", 18) == 0)
+      {
+      uschar * endptr = s+18;
+
+      if (isalnum(*endptr))
+	{
+	*error = string_sprintf("invalid variable name after \"set\" in ACL "
+	  "modifier \"set %s\" "
+	  "(only \"dkim_verify_status\" or \"dkim_verify_reason\" permitted)",
+	  s);
+	return NULL;
+	}
+      cond->u.varname = string_copyn(s, 18);
+      s = endptr;
+      while (isspace(*s)) s++;
+      }
+    else
+#endif
     {
     uschar *endptr;
 
@@ -2899,8 +2919,19 @@ for (; cb != NULL; cb = cb->next)
 
     if (cb->type == ACLC_SET)
       {
-      debug_printf("acl_%s ", cb->u.varname);
-      lhswidth += 5 + Ustrlen(cb->u.varname);
+#ifndef DISABLE_DKIM
+      if (  Ustrcmp(cb->u.varname, "dkim_verify_status") == 0
+	 || Ustrcmp(cb->u.varname, "dkim_verify_reason") == 0)
+	{
+	debug_printf("%s ", cb->u.varname);
+	lhswidth += 19;
+	}
+      else
+#endif
+	{
+	debug_printf("acl_%s ", cb->u.varname);
+	lhswidth += 5 + Ustrlen(cb->u.varname);
+	}
       }
 
     debug_printf("= %s\n", cb->arg);
@@ -3402,7 +3433,7 @@ for (; cb != NULL; cb = cb->next)
 
     #ifndef DISABLE_DKIM
     case ACLC_DKIM_SIGNER:
-    if (dkim_cur_signer != NULL)
+    if (dkim_cur_signer)
       rc = match_isinlist(dkim_cur_signer,
                           &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
     else
@@ -3410,7 +3441,7 @@ for (; cb != NULL; cb = cb->next)
     break;
 
     case ACLC_DKIM_STATUS:
-    rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
+    rc = match_isinlist(dkim_verify_status,
                         &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
     break;
     #endif
@@ -3609,12 +3640,22 @@ for (; cb != NULL; cb = cb->next)
       {
       int old_pool = store_pool;
       if (  cb->u.varname[0] == 'c'
+#ifndef DISABLE_DKIM
+         || cb->u.varname[0] == 'd'
+#endif
 #ifndef DISABLE_EVENT
 	 || event_name		/* An event is being delivered */
 #endif
 	 )
         store_pool = POOL_PERM;
-      acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
+#ifndef DISABLE_DKIM	/* Overwriteable dkim result variables */
+      if (Ustrcmp(cb->u.varname, "dkim_verify_status") == 0)
+	dkim_verify_status = string_copy(arg);
+      else if (Ustrcmp(cb->u.varname, "dkim_verify_reason") == 0)
+	dkim_verify_reason = string_copy(arg);
+      else
+#endif
+	acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
       store_pool = old_pool;
       }
     break;
diff --git a/src/src/dkim.c b/src/src/dkim.c
index d31cae9c7..9a13e2a80 100644
--- a/src/src/dkim.c
+++ b/src/src/dkim.c
@@ -134,67 +134,35 @@ store_pool = dkim_verify_oldpool;
 }
 
 
-void
-dkim_exim_verify_finish(void)
+/* Log the result for the given signature */
+static void
+dkim_exim_verify_log_sig(pdkim_signature * sig)
 {
-pdkim_signature * sig = NULL;
-int rc;
-gstring * g = NULL;
-const uschar * errstr;
-
-store_pool = POOL_PERM;
-
-/* Delete eventual previous signature chain */
-
-dkim_signers = NULL;
-dkim_signatures = NULL;
-
-if (dkim_collect_error)
-  {
-  log_write(0, LOG_MAIN,
-      "DKIM: Error during validation, disabling signature verification: %.100s",
-      dkim_collect_error);
-  dkim_disable_verify = TRUE;
-  goto out;
-  }
-
-dkim_collect_input = FALSE;
-
-/* Finish DKIM operation and fetch link to signatures chain */
-
-rc = pdkim_feed_finish(dkim_verify_ctx, &dkim_signatures, &errstr);
-if (rc != PDKIM_OK)
-  {
-  log_write(0, LOG_MAIN, "DKIM: validation error: %.100s%s%s", pdkim_errstr(rc),
-	    errstr ? ": " : "", errstr ? errstr : US"");
-  goto out;
-  }
-
-for (sig = dkim_signatures; sig; sig = sig->next)
-  {
-  uschar * s;
-  gstring * logmsg;
-
-  /* Log a line for each signature */
-
-  if (!(s = sig->domain)) s = US"<UNSET>";
-  logmsg = string_append(NULL, 2, "d=", s);
-  if (!(s = sig->selector)) s = US"<UNSET>";
-  logmsg = string_append(logmsg, 2, " s=", s);
-  logmsg = string_append(logmsg, 7, 
-	" c=", sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
-	"/",   sig->canon_body    == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
-	" a=", dkim_sig_to_a_tag(sig),
-	string_sprintf(" b=" SIZE_T_FMT,
-			(int)sig->sighash.len > -1 ? sig->sighash.len * 8 : 0));
-  if ((s= sig->identity)) logmsg = string_append(logmsg, 2, " i=", s);
-  if (sig->created > 0) logmsg = string_cat(logmsg,
-				      string_sprintf(" t=%lu", sig->created));
-  if (sig->expires > 0) logmsg = string_cat(logmsg,
-				      string_sprintf(" x=%lu", sig->expires));
-  if (sig->bodylength > -1) logmsg = string_cat(logmsg,
-				      string_sprintf(" l=%lu", sig->bodylength));
-
+gstring * logmsg = string_catn(NULL, "DKIM: ", 6);
+uschar * s;
+
+if (!(s = sig->domain)) s = US"<UNSET>";
+logmsg = string_append(logmsg, 2, "d=", s);
+if (!(s = sig->selector)) s = US"<UNSET>";
+logmsg = string_append(logmsg, 2, " s=", s);
+logmsg = string_append(logmsg, 7, 
+" c=", sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
+"/",   sig->canon_body    == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
+" a=", dkim_sig_to_a_tag(sig),
+string_sprintf(" b=" SIZE_T_FMT,
+		(int)sig->sighash.len > -1 ? sig->sighash.len * 8 : 0));
+if ((s= sig->identity)) logmsg = string_append(logmsg, 2, " i=", s);
+if (sig->created > 0) logmsg = string_cat(logmsg,
+			      string_sprintf(" t=%lu", sig->created));
+if (sig->expires > 0) logmsg = string_cat(logmsg,
+			      string_sprintf(" x=%lu", sig->expires));
+if (sig->bodylength > -1) logmsg = string_cat(logmsg,
+			      string_sprintf(" l=%lu", sig->bodylength));
+
+if (  !dkim_verify_status
+   || (  dkim_verify_status == dkim_exim_expand_query(DKIM_VERIFY_STATUS)
+      && dkim_verify_reason == dkim_exim_expand_query(DKIM_VERIFY_REASON)
+   )  )
   switch (sig->verify_status)
     {
     case PDKIM_VERIFY_NONE:
@@ -207,7 +175,7 @@ for (sig = dkim_signatures; sig; sig = sig->next)
 	{
 	case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
 	  logmsg = string_cat(logmsg,
-		        "public key record (currently?) unavailable]");
+			"public key record (currently?) unavailable]");
 	  break;
 
 	case PDKIM_VERIFY_INVALID_BUFFER_SIZE:
@@ -219,13 +187,13 @@ for (sig = dkim_signatures; sig; sig = sig->next)
 	  logmsg = string_cat(logmsg, "syntax error in public key record]");
 	  break;
 
-        case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR:
-          logmsg = string_cat(logmsg, "signature tag missing or invalid]");
-          break;
+	case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR:
+	  logmsg = string_cat(logmsg, "signature tag missing or invalid]");
+	  break;
 
-        case PDKIM_VERIFY_INVALID_DKIM_VERSION:
-          logmsg = string_cat(logmsg, "unsupported DKIM version]");
-          break;
+	case PDKIM_VERIFY_INVALID_DKIM_VERSION:
+	  logmsg = string_cat(logmsg, "unsupported DKIM version]");
+	  break;
 
 	default:
 	  logmsg = string_cat(logmsg, "unspecified problem]");
@@ -233,8 +201,7 @@ for (sig = dkim_signatures; sig; sig = sig->next)
       break;
 
     case PDKIM_VERIFY_FAIL:
-      logmsg =
-	string_cat(logmsg, " [verification failed - ");
+      logmsg = string_cat(logmsg, " [verification failed - ");
       switch (sig->verify_ext_status)
 	{
 	case PDKIM_VERIFY_FAIL_BODY:
@@ -256,18 +223,74 @@ for (sig = dkim_signatures; sig; sig = sig->next)
       logmsg = string_cat(logmsg, " [verification succeeded]");
       break;
     }
+else
+  logmsg = string_append(logmsg, 5,
+	    US" [", dkim_verify_status, US" - ", dkim_verify_reason, US"]");
+
+log_write(0, LOG_MAIN, string_from_gstring(logmsg));
+return;
+}
+
+
+/* Log a line for "the current" signature */
+void
+dkim_exim_verify_log_item(void)
+{
+dkim_exim_verify_log_sig(dkim_cur_sig);
+}
+
+
+/* Log a line for each signature */
+void
+dkim_exim_verify_log_all(void)
+{
+pdkim_signature * sig;
+for (sig = dkim_signatures; sig; sig = sig->next) dkim_exim_verify_log_sig(sig);
+}
 
-  log_write(0, LOG_MAIN, "DKIM: %s", string_from_gstring(logmsg));
 
-  /* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */
+void
+dkim_exim_verify_finish(void)
+{
+pdkim_signature * sig;
+int rc;
+gstring * g = NULL;
+const uschar * errstr;
 
-  if (sig->domain)
-    g = string_append_listele(g, ':', sig->domain);
+store_pool = POOL_PERM;
 
-  if (sig->identity)
-    g = string_append_listele(g, ':', sig->identity);
+/* Delete eventual previous signature chain */
 
-  /* Process next signature */
+dkim_signers = NULL;
+dkim_signatures = NULL;
+
+if (dkim_collect_error)
+  {
+  log_write(0, LOG_MAIN,
+      "DKIM: Error during validation, disabling signature verification: %.100s",
+      dkim_collect_error);
+  dkim_disable_verify = TRUE;
+  goto out;
+  }
+
+dkim_collect_input = FALSE;
+
+/* Finish DKIM operation and fetch link to signatures chain */
+
+rc = pdkim_feed_finish(dkim_verify_ctx, &dkim_signatures, &errstr);
+if (rc != PDKIM_OK)
+  {
+  log_write(0, LOG_MAIN, "DKIM: validation error: %.100s%s%s", pdkim_errstr(rc),
+	    errstr ? ": " : "", errstr ? errstr : US"");
+  goto out;
+  }
+
+/* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */
+
+for (sig = dkim_signatures; sig; sig = sig->next)
+  {
+  if (sig->domain)   g = string_append_listele(g, ':', sig->domain);
+  if (sig->identity) g = string_append_listele(g, ':', sig->identity);
   }
 
 if (g) dkim_signers = g->s;
@@ -309,6 +332,12 @@ for (sig = dkim_signatures; sig; sig = sig->next)
     dkim_signing_domain = US sig->domain;
     dkim_signing_selector = US sig->selector;
     dkim_key_length = sig->sighash.len * 8;
+
+    /* These two return static strings, so we can compare the addr
+    later to see if the ACL overwrote them.  Check that when logging */
+
+    dkim_verify_status = dkim_exim_expand_query(DKIM_VERIFY_STATUS);
+    dkim_verify_reason = dkim_exim_expand_query(DKIM_VERIFY_REASON);
     return;
     }
 }
@@ -365,12 +394,12 @@ switch (what)
       }
 
   case DKIM_CANON_HEADERS:
-  switch (dkim_cur_sig->canon_headers)
-    {
-    case PDKIM_CANON_RELAXED:	return US"relaxed";
-    case PDKIM_CANON_SIMPLE:
-    default:			return US"simple";
-    }
+    switch (dkim_cur_sig->canon_headers)
+      {
+      case PDKIM_CANON_RELAXED:	return US"relaxed";
+      case PDKIM_CANON_SIMPLE:
+      default:			return US"simple";
+      }
 
   case DKIM_COPIEDHEADERS:
     return dkim_cur_sig->copiedheaders
diff --git a/src/src/dkim.h b/src/src/dkim.h
index 735a1162a..f32aa6635 100644
--- a/src/src/dkim.h
+++ b/src/src/dkim.h
@@ -10,6 +10,8 @@ gstring * dkim_exim_sign(int, off_t, uschar *, struct ob_dkim *, const uschar **
 void    dkim_exim_verify_init(BOOL);
 void    dkim_exim_verify_feed(uschar *, int);
 void    dkim_exim_verify_finish(void);
+void    dkim_exim_verify_log_item(void);
+void    dkim_exim_verify_log_all(void);
 void    dkim_exim_acl_setup(uschar *);
 uschar *dkim_exim_expand_query(int);
 
diff --git a/src/src/expand.c b/src/src/expand.c
index 782467ff7..f44ddf8b8 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -508,8 +508,8 @@ static var_entry var_table[] = {
   { "dkim_key_testing",    vtype_dkim,        (void *)DKIM_KEY_TESTING },
   { "dkim_selector",       vtype_stringptr,   &dkim_signing_selector },
   { "dkim_signers",        vtype_stringptr,   &dkim_signers },
-  { "dkim_verify_reason",  vtype_dkim,        (void *)DKIM_VERIFY_REASON },
-  { "dkim_verify_status",  vtype_dkim,        (void *)DKIM_VERIFY_STATUS},
+  { "dkim_verify_reason",  vtype_stringptr,   &dkim_verify_reason },
+  { "dkim_verify_status",  vtype_stringptr,   &dkim_verify_status },
 #endif
 #ifdef EXPERIMENTAL_DMARC
   { "dmarc_ar_header",     vtype_stringptr,   &dmarc_ar_header },
diff --git a/src/src/globals.c b/src/src/globals.c
index 2a53835e9..5df84bd10 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -668,6 +668,8 @@ uschar *dkim_signers             = NULL;
 uschar *dkim_signing_domain      = NULL;
 uschar *dkim_signing_selector    = NULL;
 uschar *dkim_verify_signers      = US"$dkim_signers";
+uschar *dkim_verify_status	 = NULL;
+uschar *dkim_verify_reason	 = NULL;
 #endif
 #ifdef EXPERIMENTAL_DMARC
 BOOL    dmarc_has_been_checked  = FALSE;
diff --git a/src/src/globals.h b/src/src/globals.h
index 62336c275..37d4cada3 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -393,6 +393,8 @@ extern uschar *dkim_signers;           /* Expansion variable, holds colon-separa
 extern uschar *dkim_signing_domain;    /* Expansion variable, domain used for signing a message. */
 extern uschar *dkim_signing_selector;  /* Expansion variable, selector used for signing a message. */
 extern uschar *dkim_verify_signers;    /* Colon-separated list of domains for each of which we call the DKIM ACL */
+extern uschar *dkim_verify_status;     /* result for this signature */
+extern uschar *dkim_verify_reason;     /* result for this signature */
 #endif
 #ifdef EXPERIMENTAL_DMARC
 extern BOOL    dmarc_has_been_checked; /* Global variable to check if test has been called yet */
diff --git a/src/src/receive.c b/src/src/receive.c
index 31402925d..f181f1a51 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -3405,8 +3405,8 @@ else
         else
           {
           int sep = 0;
-          const uschar *ptr = dkim_verify_signers_expanded;
-          uschar *item = NULL;
+          const uschar * ptr = dkim_verify_signers_expanded;
+          uschar * item = NULL;
           gstring * seen_items = NULL;
 
           /* Default to OK when no items are present */
@@ -3452,6 +3452,7 @@ else
             dkim_exim_acl_setup(item);
             rc = acl_check(ACL_WHERE_DKIM, NULL, acl_smtp_dkim,
 		  &user_msg, &log_msg);
+	    dkim_exim_verify_log_item();
 
             if (rc != OK)
 	      {
@@ -3467,7 +3468,7 @@ else
             {
             recipients_count = 0;
             blackholed_by = US"DKIM ACL";
-            if (log_msg != NULL)
+            if (log_msg)
               blackhole_log_msg = string_sprintf(": %s", log_msg);
             }
           else if (rc != OK)
@@ -3481,6 +3482,8 @@ else
             }
           }
         }
+      else
+	dkim_exim_verify_log_all();
       }
 #endif /* DISABLE_DKIM */
 
diff --git a/test/confs/4500 b/test/confs/4500
index bf4f1f6ad..f2e44beff 100644
--- a/test/confs/4500
+++ b/test/confs/4500
@@ -9,9 +9,23 @@ primary_hostname = myhost.test.ex
 # ----- Main settings -----
 
 acl_smtp_rcpt = accept
-acl_smtp_dkim = accept logwrite = signer: $dkim_cur_signer bits: $dkim_key_length
+acl_smtp_dkim = check_dkim
 
 queue_only
 queue_run_in_order
 
+
+begin acl
+
+check_dkim:
+.ifdef OPTION
+  warn	condition =	${if eq {$dkim_algo}{rsa-sha1}}
+	condition =	${if eq {$dkim_verify_status}{pass}}
+	logwrite =	NOTE: forcing dkim verify fail (was pass)
+	set dkim_verify_status = fail
+	set dkim_verify_reason = hash too weak
+.endif
+  accept
+	logwrite = signer: $dkim_cur_signer bits: $dkim_key_length
+
 # End
diff --git a/test/log/4500 b/test/log/4500
index ec8ef088e..347e03683 100644
--- a/test/log/4500
+++ b/test/log/4500
@@ -1,15 +1,20 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaX-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
-1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=ses c=simple/simple a=rsa-sha1 b=512 [verification succeeded]
 1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 512
+1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=ses c=simple/simple a=rsa-sha1 b=512 [verification succeeded]
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
-1999-03-02 09:44:33 10HmaZ-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha256 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaZ-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaZ-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha256 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
-1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=ses_sha1 c=simple/simple a=rsa-sha1 b=512 [verification succeeded]
 1999-03-02 09:44:33 10HmbA-0005vi-00 signer: test.ex bits: 512
+1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=ses_sha1 c=simple/simple a=rsa-sha1 b=512 [verification succeeded]
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmbB-0005vi-00 NOTE: forcing dkim verify fail (was pass)
+1999-03-02 09:44:33 10HmbB-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmbB-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [fail - hash too weak]
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
diff --git a/test/log/4501 b/test/log/4501
index 153f6f242..654431459 100644
--- a/test/log/4501
+++ b/test/log/4501
@@ -1,9 +1,9 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaX-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= pass@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
-1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
 1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= fail@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
diff --git a/test/log/4502 b/test/log/4502
index b7e4a8ddd..9aef5cb30 100644
--- a/test/log/4502
+++ b/test/log/4502
@@ -1,15 +1,15 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha1 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaX-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha1 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=564CFC9B.1040905@yahoo.com
-1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/simple a=rsa-sha1 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/simple a=rsa-sha1 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/simple a=rsa-sha1 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaZ-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaZ-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/simple a=rsa-sha1 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss
-1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=sel_bad c=relaxed/relaxed a=rsa-sha1 b=1024 [invalid - syntax error in public key record]
 1999-03-02 09:44:33 10HmbA-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=sel_bad c=relaxed/relaxed a=rsa-sha1 b=1024 [invalid - syntax error in public key record]
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=564CFC9B.1040905@yahoo.com
diff --git a/test/log/4503 b/test/log/4503
index 7ec93a1f5..55374fa33 100644
--- a/test/log/4503
+++ b/test/log/4503
@@ -1,6 +1,6 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha512 b=1024 [verification failed - signature did not verify (headers probably modified in transit)]
 1999-03-02 09:44:33 10HmaX-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha512 b=1024 [verification failed - signature did not verify (headers probably modified in transit)]
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
diff --git a/test/log/4506 b/test/log/4506
index 027169df0..07b3ee8ce 100644
--- a/test/log/4506
+++ b/test/log/4506
@@ -1,18 +1,18 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=0 [invalid - signature tag missing or invalid]
 1999-03-02 09:44:33 10HmaX-0005vi-00 signer: test.ex bits: 0
+1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=0 [invalid - signature tag missing or invalid]
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
-1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [invalid - signature tag missing or invalid]
 1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [invalid - signature tag missing or invalid]
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
-1999-03-02 09:44:33 10HmaZ-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
 1999-03-02 09:44:33 10HmaZ-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaZ-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
 1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: validation error: RSA_LONG_LINE
 1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: Error during validation, disabling signature verification: RSA_LONG_LINE
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
-1999-03-02 09:44:33 10HmbB-0005vi-00 DKIM: d=test.ex s=ses_sha256 c=simple/simple a=rsa-sha1 b=512 [verification failed - unspecified reason]
 1999-03-02 09:44:33 10HmbB-0005vi-00 signer: test.ex bits: 512
+1999-03-02 09:44:33 10HmbB-0005vi-00 DKIM: d=test.ex s=ses_sha256 c=simple/simple a=rsa-sha1 b=512 [verification failed - unspecified reason]
 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
diff --git a/test/log/4520 b/test/log/4520
index 7bee5d786..4617326db 100644
--- a/test/log/4520
+++ b/test/log/4520
@@ -26,51 +26,52 @@
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 1024 h=From
+1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <a@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmbA-0005vi-00 signer: test.ex bits: 1024 h=From:From
+1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <b@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
 1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbC-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmbC-0005vi-00 signer: test.ex bits: 1024 h=From
+1999-03-02 09:44:33 10HmbC-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbB-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <b10@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
 1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbE-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmbE-0005vi-00 signer: test.ex bits: 1024 h=X-mine:X-mine:From
+1999-03-02 09:44:33 10HmbE-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbD-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <b12@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
 1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbG-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmbG-0005vi-00 signer: test.ex bits: 1024 h=X-Mine
+1999-03-02 09:44:33 10HmbG-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbF-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: <b20@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmbG-0005vi-00 Completed
 1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbI-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmbI-0005vi-00 signer: test.ex bits: 1024 h=X-mine:X-mine:X-Mine
+1999-03-02 09:44:33 10HmbI-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbH-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbI-0005vi-00 => :blackhole: <b22@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmbI-0005vi-00 Completed
 1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbK-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 i=allheaders@test.ex [verification succeeded]
 1999-03-02 09:44:33 10HmbK-0005vi-00 signer: test.ex bits: 1024 h=Date:Sender:Message-Id:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmbK-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 i=allheaders@test.ex [verification succeeded]
 1999-03-02 09:44:33 10HmbK-0005vi-00 signer: allheaders@test.ex bits: 1024 h=Date:Sender:Message-Id:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmbK-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 i=allheaders@test.ex [verification succeeded]
 1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbJ-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbK-0005vi-00 => :blackhole: <c@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmbK-0005vi-00 Completed
 1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbM-0005vi-00 DKIM: d=test.ex s=sel_bad c=relaxed/relaxed a=rsa-sha256 b=1024 [invalid - syntax error in public key record]
 1999-03-02 09:44:33 10HmbM-0005vi-00 signer: test.ex bits: 1024 h=From
+1999-03-02 09:44:33 10HmbM-0005vi-00 DKIM: d=test.ex s=sel_bad c=relaxed/relaxed a=rsa-sha256 b=1024 [invalid - syntax error in public key record]
 1999-03-02 09:44:33 10HmbM-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbL-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbM-0005vi-00 => :blackhole: <d@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmbM-0005vi-00 Completed
diff --git a/test/log/4523 b/test/log/4523
index 5c07fa5a2..92bf9478f 100644
--- a/test/log/4523
+++ b/test/log/4523
@@ -5,9 +5,10 @@
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha512 b=1024 i=allheaders@test.ex [verification succeeded]
 1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 1024 h=Date:Sender:Message-Id:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha512 b=1024 i=allheaders@test.ex [verification succeeded]
 1999-03-02 09:44:33 10HmaY-0005vi-00 signer: allheaders@test.ex bits: 1024 h=Date:Sender:Message-Id:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha512 b=1024 i=allheaders@test.ex [verification succeeded]
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <a@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/4524 b/test/log/4524
index e0dde322a..f6e75458f 100644
--- a/test/log/4524
+++ b/test/log/4524
@@ -5,9 +5,8 @@
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=ses c=relaxed/relaxed a=rsa-sha256 b=512 [verification succeeded]
-1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 512 h=From:To:Subject
+1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=ses c=relaxed/relaxed a=rsa-sha256 b=512 [verification succeeded]
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <c@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/4550 b/test/log/4550
index 0d826ab32..bbe9841c0 100644
--- a/test/log/4550
+++ b/test/log/4550
@@ -8,8 +8,8 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmbA-0005vi-00 signer: test.ex bits: 1024 h=From
+1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmbA-0005vi-00 PRDR R=<baduser@test.ex> refusal
 1999-03-02 09:44:33 10HmbA-0005vi-00 PRDR R=<okuser@test.ex> acceptance
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp PRDR S=sss id=E10HmaX-0005vi-00@myhost.test.ex
diff --git a/test/scripts/4500-DKIM/4500 b/test/scripts/4500-DKIM/4500
index 6b3ff5fcf..3999d4988 100644
--- a/test/scripts/4500-DKIM/4500
+++ b/test/scripts/4500-DKIM/4500
@@ -136,5 +136,43 @@ QUIT
 #
 #
 killdaemon
+#
+# A verifier that refuses sha1
+exim -DSERVER=server -DOPTION -bd -oX PORT_D
+****
+#
+# This should fail despite being a passing submission above (with the unlimited verifier).
+#  - sha1, 1024b
+# Mail original in aux-fixed/4500.msg1.txt
+# Sig generated by: perl aux-fixed/dkim/sign.pl --method=simple/simple < aux-fixed/4500.msg1.txt
+client 127.0.0.1 PORT_D
+??? 220
+HELO xxx
+??? 250
+MAIL FROM:<CALLER@bloggs.com>
+??? 250
+RCPT TO:<a@test.ex>
+??? 250
+DATA
+??? 354
+DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=test.ex; h=from:to
+	:date:message-id:subject; s=sel; bh=OB9dZVu7+5/ufs3TH9leIcEpXSo=; b=
+	PeUA8iBGfStWv+9/BBKkvCEYj/AVMl4e9k+AqWOXKyuEUfHxqAnV+sPnOejpmvT8
+	41kuM4u0bICvK371YvB/yO61vtliRhyqU76Y2e55p2uvMADb3UyDhLyzpco4+yBo
+	1w0AuIxu0VU4TK8UmOLyCw/1hxrh1DcEInbEMEKJ7kI=
+From: mrgus@text.ex
+To: bakawolf@yahoo.com
+Date: Thu, 19 Nov 2015 17:00:07 -0700
+Message-ID: <qwerty1234@disco-zombie.net>
+Subject: simple test
+
+This is a simple test.
+.
+??? 250
+QUIT
+??? 221
+****
+killdaemon
+#
 no_stdout_check
 no_msglog_check
diff --git a/test/stderr/4507 b/test/stderr/4507
index 1df9537ea..4a5d4d2fa 100644
--- a/test/stderr/4507
+++ b/test/stderr/4507
@@ -13,10 +13,12 @@
 >>> accept: condition test succeeded in inline ACL
 >>> end of inline ACL: ACCEPT
 >>> host in ignore_fromline_hosts? no (option unset)
-LOG: 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
+>>> using ACL "check_dkim"
 >>> processing "accept"
->>> check logwrite = signer: test.ex bits: 1024
+>>> check logwrite = signer: $dkim_cur_signer bits: $dkim_key_length
+>>>                = signer: test.ex bits: 1024
 LOG: 10HmaX-0005vi-00 signer: test.ex bits: 1024
->>> accept: condition test succeeded in inline ACL
->>> end of inline ACL: ACCEPT
+>>> accept: condition test succeeded in ACL "check_dkim"
+>>> end of ACL "check_dkim": ACCEPT
+LOG: 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
 LOG: 10HmaX-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
-- 
cgit v1.2.3


From cc55f4208e997ee8cdd87bf2a141be0c615488f9 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Tue, 7 Nov 2017 21:40:19 +0000
Subject: DKIM: make verification results visible in data ACL

---
 doc/doc-docbook/spec.xfpt   |  11 ++-
 doc/doc-txt/NewStuff        |   3 +-
 src/src/dkim.c              |   7 +-
 src/src/receive.c           | 164 +++++++++++++++++++++++---------------------
 test/confs/4520             |   9 ++-
 test/log/4520               |  42 +++++++-----
 test/log/4523               |   7 +-
 test/log/4524               |   6 +-
 test/scripts/4500-DKIM/4524 |   2 +-
 9 files changed, 142 insertions(+), 109 deletions(-)

(limited to 'src')

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 98986e032..1a7a7baa6 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -11665,8 +11665,11 @@ contain the trailing slash. If &$config_file$& does not contain a slash,
 .vindex "&$config_file$&"
 The name of the main configuration file Exim is using.
 
+.vitem &$dkim_verify_status$& &&&
+Results of DKIM verification.
+For details see chapter &<<CHAPdkim>>&.
+
 .vitem &$dkim_cur_signer$& &&&
-       &$dkim_verify_status$& &&&
        &$dkim_verify_reason$& &&&
        &$dkim_domain$& &&&
        &$dkim_identity$& &&&
@@ -38717,7 +38720,8 @@ an identity. This is one of the list items from the expanded main option
 &%dkim_verify_signers%& (see above).
 
 .vitem &%$dkim_verify_status%&
-A string describing the general status of the signature. One of
+Within the DKIM ACL,
+a string describing the general status of the signature. One of
 .ilist
 &%none%&: There is no signature in the message for the current domain or
 identity (as reflected by &%$dkim_cur_signer%&).
@@ -38742,6 +38746,9 @@ hash-method or key-size:
 	set dkim_verify_status = fail
 	set dkim_verify_reason = hash too weak
 .endd
+
+After all the DKIM ACL runs have completed, the value becomes a
+colon-separated list of the values after each run.
 .wen
 
 .vitem &%$dkim_verify_reason%&
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index aa2117e7e..4261beb76 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -55,7 +55,8 @@ Version 4.90
     DKIM support for multiple hashes, and for alternate-identity tags.
     Builtin macro with default list of signed headers.
     Better syntax for specifying oversigning.
-    The DKIM ACL can override verification results.
+    The DKIM ACL can override verification status, and status is visible in
+    the data ACL.
 
 14. Exipick understands -C|--config for an alternative Exim
     configuration file.
diff --git a/src/src/dkim.c b/src/src/dkim.c
index 9a13e2a80..528ce82c4 100644
--- a/src/src/dkim.c
+++ b/src/src/dkim.c
@@ -138,9 +138,12 @@ store_pool = dkim_verify_oldpool;
 static void
 dkim_exim_verify_log_sig(pdkim_signature * sig)
 {
-gstring * logmsg = string_catn(NULL, "DKIM: ", 6);
+gstring * logmsg;
 uschar * s;
 
+if (!sig) return;
+
+logmsg = string_catn(NULL, "DKIM: ", 6);
 if (!(s = sig->domain)) s = US"<UNSET>";
 logmsg = string_append(logmsg, 2, "d=", s);
 if (!(s = sig->selector)) s = US"<UNSET>";
@@ -306,6 +309,8 @@ dkim_exim_acl_setup(uschar * id)
 pdkim_signature * sig;
 uschar * cmp_val;
 
+dkim_verify_status = US"none";
+dkim_verify_reason = US"";
 dkim_cur_sig = NULL;
 dkim_cur_signer = id;
 
diff --git a/src/src/receive.c b/src/src/receive.c
index f181f1a51..8aa890bd0 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -3388,99 +3388,103 @@ else
 #ifndef DISABLE_DKIM
     if (!dkim_disable_verify)
       {
-      /* Finish verification, this will log individual signature results to
-         the mainlog */
+      /* Finish verification */
       dkim_exim_verify_finish();
 
       /* Check if we must run the DKIM ACL */
       if (acl_smtp_dkim && dkim_verify_signers && *dkim_verify_signers)
         {
-        uschar *dkim_verify_signers_expanded =
+        uschar * dkim_verify_signers_expanded =
           expand_string(dkim_verify_signers);
-        if (!dkim_verify_signers_expanded)
+	gstring * results = NULL;
+	int signer_sep = 0;
+	const uschar * ptr;
+	uschar * item;
+	gstring * seen_items = NULL;
+	int old_pool = store_pool;
+
+	store_pool = POOL_PERM;   /* Allow created variables to live to data ACL */
+
+        if (!(ptr = dkim_verify_signers_expanded))
           log_write(0, LOG_MAIN|LOG_PANIC,
             "expansion of dkim_verify_signers option failed: %s",
             expand_string_message);
 
-        else
-          {
-          int sep = 0;
-          const uschar * ptr = dkim_verify_signers_expanded;
-          uschar * item = NULL;
-          gstring * seen_items = NULL;
-
-          /* Default to OK when no items are present */
-          rc = OK;
-          while ((item = string_nextinlist(&ptr, &sep, NULL, 0)))
-            {
-            /* Prevent running ACL for an empty item */
-            if (!item || !*item) continue;
-
-            /* Only run ACL once for each domain or identity,
-	    no matter how often it appears in the expanded list. */
-            if (seen_items)
-              {
-              uschar *seen_item;
-              const uschar *seen_items_list = string_from_gstring(seen_items);
-              BOOL seen_this_item = FALSE;
-
-              while ((seen_item = string_nextinlist(&seen_items_list, &sep,
-                                                    NULL, 0)))
-		if (Ustrcmp(seen_item,item) == 0)
-		  {
-		  seen_this_item = TRUE;
-		  break;
-		  }
-
-              if (seen_this_item)
-                {
-                DEBUG(D_receive)
-                  debug_printf("acl_smtp_dkim: skipping signer %s, "
-		    "already seen\n", item);
-                continue;
-                }
-
-              seen_items = string_cat(seen_items, ":");
-              }
-
-            seen_items = string_cat(seen_items, item);
-
-            DEBUG(D_receive)
-              debug_printf("calling acl_smtp_dkim for dkim_cur_signer=%s\n",
-		item);
-
-            dkim_exim_acl_setup(item);
-            rc = acl_check(ACL_WHERE_DKIM, NULL, acl_smtp_dkim,
-		  &user_msg, &log_msg);
-	    dkim_exim_verify_log_item();
-
-            if (rc != OK)
+	/* Default to OK when no items are present */
+	rc = OK;
+	while ((item = string_nextinlist(&ptr, &signer_sep, NULL, 0)))
+	  {
+	  /* Prevent running ACL for an empty item */
+	  if (!item || !*item) continue;
+
+	  /* Only run ACL once for each domain or identity,
+	  no matter how often it appears in the expanded list. */
+	  if (seen_items)
+	    {
+	    uschar * seen_item;
+	    const uschar * seen_items_list = string_from_gstring(seen_items);
+	    int seen_sep = ':';
+	    BOOL seen_this_item = FALSE;
+
+	    while ((seen_item = string_nextinlist(&seen_items_list, &seen_sep,
+						  NULL, 0)))
+	      if (Ustrcmp(seen_item,item) == 0)
+		{
+		seen_this_item = TRUE;
+		break;
+		}
+
+	    if (seen_this_item)
 	      {
 	      DEBUG(D_receive)
-		debug_printf("acl_smtp_dkim: acl_check returned %d on %s, "
-		  "skipping remaining items\n", rc, item);
-	      cancel_cutthrough_connection(TRUE, US"dkim acl not ok");
-	      break;
+		debug_printf("acl_smtp_dkim: skipping signer %s, "
+		  "already seen\n", item);
+	      continue;
 	      }
-            }
-          add_acl_headers(ACL_WHERE_DKIM, US"DKIM");
-          if (rc == DISCARD)
-            {
-            recipients_count = 0;
-            blackholed_by = US"DKIM ACL";
-            if (log_msg)
-              blackhole_log_msg = string_sprintf(": %s", log_msg);
-            }
-          else if (rc != OK)
-            {
-            Uunlink(spool_name);
-            if (smtp_handle_acl_fail(ACL_WHERE_DKIM, rc, user_msg, log_msg) != 0)
-              smtp_yield = FALSE;    /* No more messages after dropped connection */
-            smtp_reply = US"";       /* Indicate reply already sent */
-            message_id[0] = 0;       /* Indicate no message accepted */
-            goto TIDYUP;             /* Skip to end of function */
-            }
-          }
+
+	    seen_items = string_catn(seen_items, ":", 1);
+	    }
+
+	  seen_items = string_cat(seen_items, item);
+
+	  dkim_exim_acl_setup(item);
+	  DEBUG(D_receive)
+	    debug_printf("calling acl_smtp_dkim for dkim_cur_signer='%s'\n",
+	      item);
+
+	  rc = acl_check(ACL_WHERE_DKIM, NULL, acl_smtp_dkim,
+		&user_msg, &log_msg);
+	  dkim_exim_verify_log_item();
+	  results = string_append_listele(results, ':', dkim_verify_status);
+
+	  if (rc != OK)
+	    {
+	    DEBUG(D_receive)
+	      debug_printf("acl_smtp_dkim: acl_check returned %d on %s, "
+		"skipping remaining items\n", rc, item);
+	    cancel_cutthrough_connection(TRUE, US"dkim acl not ok");
+	    break;
+	    }
+	  }
+	dkim_verify_status = string_from_gstring(results);
+	store_pool = old_pool;
+	add_acl_headers(ACL_WHERE_DKIM, US"DKIM");
+	if (rc == DISCARD)
+	  {
+	  recipients_count = 0;
+	  blackholed_by = US"DKIM ACL";
+	  if (log_msg)
+	    blackhole_log_msg = string_sprintf(": %s", log_msg);
+	  }
+	else if (rc != OK)
+	  {
+	  Uunlink(spool_name);
+	  if (smtp_handle_acl_fail(ACL_WHERE_DKIM, rc, user_msg, log_msg) != 0)
+	    smtp_yield = FALSE;    /* No more messages after dropped connection */
+	  smtp_reply = US"";       /* Indicate reply already sent */
+	  message_id[0] = 0;       /* Indicate no message accepted */
+	  goto TIDYUP;             /* Skip to end of function */
+	  }
         }
       else
 	dkim_exim_verify_log_all();
diff --git a/test/confs/4520 b/test/confs/4520
index 8fa3c38c8..3127d13b3 100644
--- a/test/confs/4520
+++ b/test/confs/4520
@@ -2,6 +2,7 @@
 
 SERVER=
 OPT=
+FAKE =
 
 .include DIR/aux-var/std_conf_prefix
 
@@ -9,11 +10,15 @@ primary_hostname = myhost.test.ex
 
 # ----- Main settings -----
 
-acl_smtp_rcpt = accept logwrite = macro: _DKIM_SIGN_HEADERS
-acl_smtp_dkim = accept logwrite = signer: $dkim_cur_signer bits: $dkim_key_length h=$dkim_headernames
+acl_smtp_rcpt = accept logwrite = rcpt acl: macro: _DKIM_SIGN_HEADERS
+acl_smtp_dkim = accept logwrite = dkim_acl: signer: $dkim_cur_signer bits: $dkim_key_length h=$dkim_headernames
+acl_smtp_data = accept logwrite = data acl: dkim status $dkim_verify_status
+
+dkim_verify_signers = $dkim_signers : FAKE
 
 DDIR=DIR/aux-fixed/dkim
 
+
 # ----- Routers
 
 begin routers
diff --git a/test/log/4520 b/test/log/4520
index 4617326db..4a6502bb6 100644
--- a/test/log/4520
+++ b/test/log/4520
@@ -25,53 +25,61 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 1024 h=From
+1999-03-02 09:44:33 rcpt acl: macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmaY-0005vi-00 dkim_acl: signer: test.ex bits: 1024 h=From
 1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmaY-0005vi-00 data acl: dkim status pass
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <a@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbA-0005vi-00 signer: test.ex bits: 1024 h=From:From
+1999-03-02 09:44:33 rcpt acl: macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmbA-0005vi-00 dkim_acl: signer: test.ex bits: 1024 h=From:From
 1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmbA-0005vi-00 data acl: dkim status pass
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <b@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
-1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbC-0005vi-00 signer: test.ex bits: 1024 h=From
+1999-03-02 09:44:33 rcpt acl: macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmbC-0005vi-00 dkim_acl: signer: test.ex bits: 1024 h=From
 1999-03-02 09:44:33 10HmbC-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmbC-0005vi-00 data acl: dkim status pass
 1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbB-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <b10@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
-1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbE-0005vi-00 signer: test.ex bits: 1024 h=X-mine:X-mine:From
+1999-03-02 09:44:33 rcpt acl: macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmbE-0005vi-00 dkim_acl: signer: test.ex bits: 1024 h=X-mine:X-mine:From
 1999-03-02 09:44:33 10HmbE-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmbE-0005vi-00 data acl: dkim status pass
 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbD-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <b12@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
-1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbG-0005vi-00 signer: test.ex bits: 1024 h=X-Mine
+1999-03-02 09:44:33 rcpt acl: macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmbG-0005vi-00 dkim_acl: signer: test.ex bits: 1024 h=X-Mine
 1999-03-02 09:44:33 10HmbG-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmbG-0005vi-00 data acl: dkim status pass
 1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbF-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: <b20@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmbG-0005vi-00 Completed
-1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbI-0005vi-00 signer: test.ex bits: 1024 h=X-mine:X-mine:X-Mine
+1999-03-02 09:44:33 rcpt acl: macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmbI-0005vi-00 dkim_acl: signer: test.ex bits: 1024 h=X-mine:X-mine:X-Mine
 1999-03-02 09:44:33 10HmbI-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmbI-0005vi-00 data acl: dkim status pass
 1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbH-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbI-0005vi-00 => :blackhole: <b22@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmbI-0005vi-00 Completed
-1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbK-0005vi-00 signer: test.ex bits: 1024 h=Date:Sender:Message-Id:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 rcpt acl: macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmbK-0005vi-00 dkim_acl: signer: test.ex bits: 1024 h=Date:Sender:Message-Id:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
 1999-03-02 09:44:33 10HmbK-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 i=allheaders@test.ex [verification succeeded]
-1999-03-02 09:44:33 10HmbK-0005vi-00 signer: allheaders@test.ex bits: 1024 h=Date:Sender:Message-Id:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmbK-0005vi-00 dkim_acl: signer: allheaders@test.ex bits: 1024 h=Date:Sender:Message-Id:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
 1999-03-02 09:44:33 10HmbK-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 i=allheaders@test.ex [verification succeeded]
+1999-03-02 09:44:33 10HmbK-0005vi-00 data acl: dkim status pass:pass
 1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbJ-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbK-0005vi-00 => :blackhole: <c@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmbK-0005vi-00 Completed
-1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbM-0005vi-00 signer: test.ex bits: 1024 h=From
+1999-03-02 09:44:33 rcpt acl: macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmbM-0005vi-00 dkim_acl: signer: test.ex bits: 1024 h=From
 1999-03-02 09:44:33 10HmbM-0005vi-00 DKIM: d=test.ex s=sel_bad c=relaxed/relaxed a=rsa-sha256 b=1024 [invalid - syntax error in public key record]
+1999-03-02 09:44:33 10HmbM-0005vi-00 data acl: dkim status invalid
 1999-03-02 09:44:33 10HmbM-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbL-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbM-0005vi-00 => :blackhole: <d@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmbM-0005vi-00 Completed
diff --git a/test/log/4523 b/test/log/4523
index 92bf9478f..dfba629ed 100644
--- a/test/log/4523
+++ b/test/log/4523
@@ -4,11 +4,12 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 1024 h=Date:Sender:Message-Id:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 rcpt acl: macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmaY-0005vi-00 dkim_acl: signer: test.ex bits: 1024 h=Date:Sender:Message-Id:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
 1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha512 b=1024 i=allheaders@test.ex [verification succeeded]
-1999-03-02 09:44:33 10HmaY-0005vi-00 signer: allheaders@test.ex bits: 1024 h=Date:Sender:Message-Id:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmaY-0005vi-00 dkim_acl: signer: allheaders@test.ex bits: 1024 h=Date:Sender:Message-Id:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
 1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha512 b=1024 i=allheaders@test.ex [verification succeeded]
+1999-03-02 09:44:33 10HmaY-0005vi-00 data acl: dkim status pass:pass
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <a@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/4524 b/test/log/4524
index f6e75458f..917646132 100644
--- a/test/log/4524
+++ b/test/log/4524
@@ -4,9 +4,11 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 512 h=From:To:Subject
+1999-03-02 09:44:33 rcpt acl: macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmaY-0005vi-00 dkim_acl: signer: test.ex bits: 512 h=From:To:Subject
 1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=ses c=relaxed/relaxed a=rsa-sha256 b=512 [verification succeeded]
+1999-03-02 09:44:33 10HmaY-0005vi-00 dkim_acl: signer: test.dkim.dom.ain bits: 512 h=
+1999-03-02 09:44:33 10HmaY-0005vi-00 data acl: dkim status pass:none
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <c@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/scripts/4500-DKIM/4524 b/test/scripts/4500-DKIM/4524
index 9737ad583..4076f10d5 100644
--- a/test/scripts/4500-DKIM/4524
+++ b/test/scripts/4500-DKIM/4524
@@ -1,6 +1,6 @@
 # DKIM signing, multiple
 #
-exim -bd -DSERVER=server -oX PORT_D
+exim -bd -DSERVER=server -DFAKE=test.dkim.dom.ain -oX PORT_D
 ****
 #
 exim -DSELECTOR=ses:sel -DOPT=From:To:Subject -odf c@test.ex
-- 
cgit v1.2.3


From 18067c75fc8494ce7968776cd61a1693d20d8380 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Wed, 8 Nov 2017 10:43:28 +0000
Subject: DKIM: call ACL once for each signature matching the identity from
 dkim_verify_signers.  Bug 2189

---
 doc/doc-docbook/spec.xfpt |  5 +++
 doc/doc-txt/ChangeLog     |  4 +++
 src/src/dkim.c            | 81 ++++++++++++++++++++++++++++++++++-------------
 src/src/dkim.h            |  3 +-
 src/src/receive.c         | 12 +------
 test/log/4524             |  6 ++--
 6 files changed, 74 insertions(+), 37 deletions(-)

(limited to 'src')

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 1a7a7baa6..cfee04ccd 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -38708,6 +38708,11 @@ dkim_verify_signers = $sender_address_domain:$dkim_signers
 If a domain or identity is listed several times in the (expanded) value of
 &%dkim_verify_signers%&, the ACL is only called once for that domain or identity.
 
+.new
+If multiple signatures match a domain (or identity), the ACL is called once
+for each matching signature.
+.wen
+
 
 Inside the &%acl_smtp_dkim%&, the following expansion variables are
 available (from most to least important):
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 4b3d64e0c..fd188a00a 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -182,6 +182,10 @@ JH/31 Fix CHUNKING code to properly flush the unwanted chunk after an error.
       Previously only that bufferd was discarded, resulting in SYMTP command
       desynchronisation.
 
+JH/32 DKIM: when a message has multiple signatures matching an identity given
+      in dkim_verify_signers, run the dkim acl once for each.  Previously only
+      one run was done.  Bug 2189.
+
 
 Exim version 4.89
 -----------------
diff --git a/src/src/dkim.c b/src/src/dkim.c
index 528ce82c4..396e5b905 100644
--- a/src/src/dkim.c
+++ b/src/src/dkim.c
@@ -235,14 +235,6 @@ return;
 }
 
 
-/* Log a line for "the current" signature */
-void
-dkim_exim_verify_log_item(void)
-{
-dkim_exim_verify_log_sig(dkim_cur_sig);
-}
-
-
 /* Log a line for each signature */
 void
 dkim_exim_verify_log_all(void)
@@ -303,37 +295,72 @@ store_pool = dkim_verify_oldpool;
 }
 
 
-void
-dkim_exim_acl_setup(uschar * id)
+
+/* Args as per dkim_exim_acl_run() below */
+static int
+dkim_acl_call(uschar * id, gstring ** res_ptr,
+  uschar ** user_msgptr, uschar ** log_msgptr)
+{
+int rc;
+DEBUG(D_receive)
+  debug_printf("calling acl_smtp_dkim for dkim_cur_signer='%s'\n", id);
+
+rc = acl_check(ACL_WHERE_DKIM, NULL, acl_smtp_dkim, user_msgptr, log_msgptr);
+dkim_exim_verify_log_sig(dkim_cur_sig);
+*res_ptr = string_append_listele(*res_ptr, ':', dkim_verify_status);
+return rc;
+}
+
+
+
+/* For the given identity, run the DKIM ACL once for each matching signature.
+
+Arguments
+ id		Identity to look for in dkim signatures
+ res_ptr	ptr to growable string-list of status results,
+		appended to per ACL run
+ user_msgptr	where to put a user error (for SMTP response)
+ log_msgptr	where to put a logging message (not for SMTP response)
+
+Returns:       OK         access is granted by an ACCEPT verb
+               DISCARD    access is granted by a DISCARD verb
+               FAIL       access is denied
+               FAIL_DROP  access is denied; drop the connection
+               DEFER      can't tell at the moment
+               ERROR      disaster
+*/
+
+int
+dkim_exim_acl_run(uschar * id, gstring ** res_ptr,
+  uschar ** user_msgptr, uschar ** log_msgptr)
 {
 pdkim_signature * sig;
 uschar * cmp_val;
+int rc = -1;
 
 dkim_verify_status = US"none";
 dkim_verify_reason = US"";
-dkim_cur_sig = NULL;
 dkim_cur_signer = id;
 
 if (dkim_disable_verify || !id || !dkim_verify_ctx)
-  return;
+  return OK;
 
-/* Find signature to run ACL on */
+/* Find signatures to run ACL on */
 
 for (sig = dkim_signatures; sig; sig = sig->next)
   if (  (cmp_val = Ustrchr(id, '@') != NULL ? US sig->identity : US sig->domain)
      && strcmpic(cmp_val, id) == 0
      )
     {
-    dkim_cur_sig = sig;
-
     /* The "dkim_domain" and "dkim_selector" expansion variables have
-       related globals, since they are used in the signing code too.
-       Instead of inventing separate names for verification, we set
-       them here. This is easy since a domain and selector is guaranteed
-       to be in a signature. The other dkim_* expansion items are
-       dynamically fetched from dkim_cur_sig at expansion time (see
-       function below). */
+    related globals, since they are used in the signing code too.
+    Instead of inventing separate names for verification, we set
+    them here. This is easy since a domain and selector is guaranteed
+    to be in a signature. The other dkim_* expansion items are
+    dynamically fetched from dkim_cur_sig at expansion time (see
+    function below). */
 
+    dkim_cur_sig = sig;
     dkim_signing_domain = US sig->domain;
     dkim_signing_selector = US sig->selector;
     dkim_key_length = sig->sighash.len * 8;
@@ -343,8 +370,18 @@ for (sig = dkim_signatures; sig; sig = sig->next)
 
     dkim_verify_status = dkim_exim_expand_query(DKIM_VERIFY_STATUS);
     dkim_verify_reason = dkim_exim_expand_query(DKIM_VERIFY_REASON);
-    return;
+    
+    if ((rc = dkim_acl_call(id, res_ptr, user_msgptr, log_msgptr)) != OK)
+      return rc;
     }
+
+if (rc != -1)
+  return rc;
+
+/* No matching sig found.  Call ACL once anyway. */
+
+dkim_cur_sig = NULL;
+return dkim_acl_call(id, res_ptr, user_msgptr, log_msgptr);
 }
 
 
diff --git a/src/src/dkim.h b/src/src/dkim.h
index f32aa6635..c48241ce2 100644
--- a/src/src/dkim.h
+++ b/src/src/dkim.h
@@ -10,9 +10,8 @@ gstring * dkim_exim_sign(int, off_t, uschar *, struct ob_dkim *, const uschar **
 void    dkim_exim_verify_init(BOOL);
 void    dkim_exim_verify_feed(uschar *, int);
 void    dkim_exim_verify_finish(void);
-void    dkim_exim_verify_log_item(void);
 void    dkim_exim_verify_log_all(void);
-void    dkim_exim_acl_setup(uschar *);
+int     dkim_exim_acl_run(uschar *, gstring **, uschar **, uschar **);
 uschar *dkim_exim_expand_query(int);
 
 #define DKIM_ALGO               1
diff --git a/src/src/receive.c b/src/src/receive.c
index 8aa890bd0..e7e518a92 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -3444,19 +3444,9 @@ else
 
 	    seen_items = string_catn(seen_items, ":", 1);
 	    }
-
 	  seen_items = string_cat(seen_items, item);
 
-	  dkim_exim_acl_setup(item);
-	  DEBUG(D_receive)
-	    debug_printf("calling acl_smtp_dkim for dkim_cur_signer='%s'\n",
-	      item);
-
-	  rc = acl_check(ACL_WHERE_DKIM, NULL, acl_smtp_dkim,
-		&user_msg, &log_msg);
-	  dkim_exim_verify_log_item();
-	  results = string_append_listele(results, ':', dkim_verify_status);
-
+	  rc = dkim_exim_acl_run(item, &results, &user_msg, &log_msg);
 	  if (rc != OK)
 	    {
 	    DEBUG(D_receive)
diff --git a/test/log/4524 b/test/log/4524
index 917646132..1eaac2f1b 100644
--- a/test/log/4524
+++ b/test/log/4524
@@ -7,8 +7,10 @@
 1999-03-02 09:44:33 rcpt acl: macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
 1999-03-02 09:44:33 10HmaY-0005vi-00 dkim_acl: signer: test.ex bits: 512 h=From:To:Subject
 1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=ses c=relaxed/relaxed a=rsa-sha256 b=512 [verification succeeded]
-1999-03-02 09:44:33 10HmaY-0005vi-00 dkim_acl: signer: test.dkim.dom.ain bits: 512 h=
-1999-03-02 09:44:33 10HmaY-0005vi-00 data acl: dkim status pass:none
+1999-03-02 09:44:33 10HmaY-0005vi-00 dkim_acl: signer: test.ex bits: 1024 h=From:To:Subject
+1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmaY-0005vi-00 dkim_acl: signer: test.dkim.dom.ain bits: 1024 h=
+1999-03-02 09:44:33 10HmaY-0005vi-00 data acl: dkim status pass:pass:none
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <c@test.ex> R=server_dump
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-- 
cgit v1.2.3


From aaaa94ea8e4e7f53aec90ba28b3f7f26f28b317f Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Wed, 8 Nov 2017 12:01:20 +0000
Subject: tidying

---
 src/src/dkim.c | 31 ++++++++++++++++---------------
 1 file changed, 16 insertions(+), 15 deletions(-)

(limited to 'src')

diff --git a/src/src/dkim.c b/src/src/dkim.c
index 396e5b905..6bc711ac1 100644
--- a/src/src/dkim.c
+++ b/src/src/dkim.c
@@ -143,7 +143,7 @@ uschar * s;
 
 if (!sig) return;
 
-logmsg = string_catn(NULL, "DKIM: ", 6);
+logmsg = string_catn(NULL, US"DKIM: ", 6);
 if (!(s = sig->domain)) s = US"<UNSET>";
 logmsg = string_append(logmsg, 2, "d=", s);
 if (!(s = sig->selector)) s = US"<UNSET>";
@@ -169,68 +169,69 @@ if (  !dkim_verify_status
   switch (sig->verify_status)
     {
     case PDKIM_VERIFY_NONE:
-      logmsg = string_cat(logmsg, " [not verified]");
+      logmsg = string_cat(logmsg, US" [not verified]");
       break;
 
     case PDKIM_VERIFY_INVALID:
-      logmsg = string_cat(logmsg, " [invalid - ");
+      logmsg = string_cat(logmsg, US" [invalid - ");
       switch (sig->verify_ext_status)
 	{
 	case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
 	  logmsg = string_cat(logmsg,
-			"public key record (currently?) unavailable]");
+			US"public key record (currently?) unavailable]");
 	  break;
 
 	case PDKIM_VERIFY_INVALID_BUFFER_SIZE:
-	  logmsg = string_cat(logmsg, "overlong public key record]");
+	  logmsg = string_cat(logmsg, US"overlong public key record]");
 	  break;
 
 	case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:
 	case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT:
-	  logmsg = string_cat(logmsg, "syntax error in public key record]");
+	  logmsg = string_cat(logmsg, US"syntax error in public key record]");
 	  break;
 
 	case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR:
-	  logmsg = string_cat(logmsg, "signature tag missing or invalid]");
+	  logmsg = string_cat(logmsg, US"signature tag missing or invalid]");
 	  break;
 
 	case PDKIM_VERIFY_INVALID_DKIM_VERSION:
-	  logmsg = string_cat(logmsg, "unsupported DKIM version]");
+	  logmsg = string_cat(logmsg, US"unsupported DKIM version]");
 	  break;
 
 	default:
-	  logmsg = string_cat(logmsg, "unspecified problem]");
+	  logmsg = string_cat(logmsg, US"unspecified problem]");
 	}
       break;
 
     case PDKIM_VERIFY_FAIL:
-      logmsg = string_cat(logmsg, " [verification failed - ");
+      logmsg = string_cat(logmsg, US" [verification failed - ");
       switch (sig->verify_ext_status)
 	{
 	case PDKIM_VERIFY_FAIL_BODY:
 	  logmsg = string_cat(logmsg,
-		       "body hash mismatch (body probably modified in transit)]");
+	       US"body hash mismatch (body probably modified in transit)]");
 	  break;
 
 	case PDKIM_VERIFY_FAIL_MESSAGE:
 	  logmsg = string_cat(logmsg,
-		       "signature did not verify (headers probably modified in transit)]");
+		US"signature did not verify "
+		"(headers probably modified in transit)]");
 	break;
 
 	default:
-	  logmsg = string_cat(logmsg, "unspecified reason]");
+	  logmsg = string_cat(logmsg, US"unspecified reason]");
 	}
       break;
 
     case PDKIM_VERIFY_PASS:
-      logmsg = string_cat(logmsg, " [verification succeeded]");
+      logmsg = string_cat(logmsg, US" [verification succeeded]");
       break;
     }
 else
   logmsg = string_append(logmsg, 5,
 	    US" [", dkim_verify_status, US" - ", dkim_verify_reason, US"]");
 
-log_write(0, LOG_MAIN, string_from_gstring(logmsg));
+log_write(0, LOG_MAIN, "%s", string_from_gstring(logmsg));
 return;
 }
 
-- 
cgit v1.2.3


From 72934ba73e5ac5fbd64b56dc684e3371a9651909 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Sat, 11 Nov 2017 16:11:06 +0000
Subject: Downgrade an unfound-list name from panic to DEFER.  Bug 1645

---
 doc/doc-txt/ChangeLog        |   7 ++
 src/src/match.c              | 238 +++++++++++++++++++++----------------------
 test/confs/0275              |  10 ++
 test/scripts/0000-Basic/0275 |   9 ++
 test/stderr/0275             |  78 ++++++++++++++
 test/stdout/0275             |  10 ++
 6 files changed, 230 insertions(+), 122 deletions(-)

(limited to 'src')

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index fd188a00a..00377b9ff 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -186,6 +186,13 @@ JH/32 DKIM: when a message has multiple signatures matching an identity given
       in dkim_verify_signers, run the dkim acl once for each.  Previously only
       one run was done.  Bug 2189.
 
+JH/33 Downgrade an unfound-list name (usually a typo in the config file) from
+      "panic the current process" to "deliberately defer".  The panic log is
+      still written with the problem list name; the mail and reject logs now
+      get a temp-reject line for the message that was being handled, saying
+      something like "domains check lookup or other defer".  The SMTP 451
+      message is still "Temporary local problem".
+
 
 Exim version 4.89
 -----------------
diff --git a/src/src/match.c b/src/src/match.c
index c21711410..08ec0eeab 100644
--- a/src/src/match.c
+++ b/src/src/match.c
@@ -461,12 +461,9 @@ HDEBUG(D_any)
 /* If the list is empty, the answer is no. Skip the debugging output for
 an unnamed list. */
 
-if (*listptr == NULL)
+if (!*listptr)
   {
-  HDEBUG(D_lists)
-    {
-    if (ot != NULL) debug_printf("%s no (option unset)\n", ot);
-    }
+  HDEBUG(D_lists) if (ot) debug_printf("%s no (option unset)\n", ot);
   return FAIL;
   }
 
@@ -485,17 +482,17 @@ else
   /* If we are searching a domain list, and $domain is not set, set it to the
   subject that is being sought for the duration of the expansion. */
 
-  if (type == MCL_DOMAIN && deliver_domain == NULL)
+  if (type == MCL_DOMAIN && !deliver_domain)
     {
     check_string_block *cb = (check_string_block *)arg;
     deliver_domain = string_copy(cb->subject);
     list = expand_cstring(*listptr);
     deliver_domain = NULL;
     }
+  else
+    list = expand_cstring(*listptr);
 
-  else list = expand_cstring(*listptr);
-
-  if (list == NULL)
+  if (!list)
     {
     if (expand_string_forcedfail)
       {
@@ -511,17 +508,14 @@ else
 
 /* For an unnamed list, use the expanded version in comments */
 
-HDEBUG(D_any)
-  {
-  if (ot == NULL) ot = string_sprintf("%s in \"%s\"?", name, list);
-  }
+HDEBUG(D_any) if (ot == NULL) ot = string_sprintf("%s in \"%s\"?", name, list);
 
 /* Now scan the list and process each item in turn, until one of them matches,
 or we hit an error. */
 
-while ((sss = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
+while ((sss = string_nextinlist(&list, &sep, buffer, sizeof(buffer))))
   {
-  uschar *ss = sss;
+  uschar * ss = sss;
 
   /* Address lists may contain +caseful, to restore caseful matching of the
   local part. We have to know the layout of the control block, unfortunately.
@@ -534,7 +528,8 @@ while ((sss = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
       {
       check_address_block *cb = (check_address_block *)arg;
       uschar *at = Ustrrchr(cb->origaddress, '@');
-      if (at != NULL)
+
+      if (at)
         Ustrncpy(cb->address, cb->origaddress, at - cb->origaddress);
       cb->caseless = FALSE;
       continue;
@@ -594,7 +589,8 @@ while ((sss = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
     yield = FAIL;
     while (isspace((*(++ss))));
     }
-  else yield = OK;
+  else
+    yield = OK;
 
   /* If the item does not begin with '/', it might be a + item for a named
   list. Otherwise, it is just a single list entry that has to be matched.
@@ -602,7 +598,7 @@ while ((sss = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
 
   if (*ss != '/')
     {
-    if (*ss == '+' && anchorptr != NULL)
+    if (*ss == '+' && anchorptr)
       {
       int bits = 0;
       int offset = 0;
@@ -610,15 +606,18 @@ while ((sss = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
       unsigned int *use_cache_bits = original_cache_bits;
       uschar *cached = US"";
       namedlist_block *nb;
-      tree_node *t = tree_search(*anchorptr, ss+1);
-
-      if (t == NULL)
-        log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unknown named%s list \"%s\"",
-          (type == MCL_DOMAIN)?    " domain" :
-          (type == MCL_HOST)?      " host" :
-          (type == MCL_ADDRESS)?   " address" :
-          (type == MCL_LOCALPART)? " local part" : "",
+      tree_node * t;
+
+      if (!(t = tree_search(*anchorptr, ss+1)))
+	{
+        log_write(0, LOG_MAIN|LOG_PANIC, "unknown named%s list \"%s\"",
+          type == MCL_DOMAIN ?    " domain" :
+          type == MCL_HOST ?      " host" :
+          type == MCL_ADDRESS ?   " address" :
+          type == MCL_LOCALPART ? " local part" : "",
           ss);
+	return DEFER;
+	}
       nb = t->data.ptr;
 
       /* If the list number is negative, it means that this list is not
@@ -630,7 +629,7 @@ while ((sss = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
       because the pointer may be NULL from the start if caching is not
       required. */
 
-      if (use_cache_bits != NULL)
+      if (use_cache_bits)
         {
         offset = (nb->number)/16;
         shift = ((nb->number)%16)*2;
@@ -654,15 +653,13 @@ while ((sss = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
         wasn't before. Ensure that this is passed up to the next level.
         Otherwise, remember the result of the search in the cache. */
 
-        if (use_cache_bits == NULL)
-          {
+        if (!use_cache_bits)
           *cache_ptr = NULL;
-          }
         else
           {
           use_cache_bits[offset] |= bits << shift;
 
-          if (valueptr != NULL)
+          if (valueptr)
             {
             int old_pool = store_pool;
             namedlist_cacheblock *p;
@@ -675,16 +672,14 @@ while ((sss = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
             p->key = string_copy(get_check_key(arg, type));
 
 
-            p->data = (*valueptr == NULL)? NULL : string_copy(*valueptr);
+            p->data = *valueptr ? string_copy(*valueptr) : NULL;
             store_pool = old_pool;
 
             p->next = nb->cache_data;
             nb->cache_data = p;
-            if (*valueptr != NULL)
-              {
+            if (*valueptr)
               DEBUG(D_lists) debug_printf("data from lookup saved for "
                 "cache for %s: %s\n", ss, *valueptr);
-              }
             }
           }
         }
@@ -697,19 +692,18 @@ while ((sss = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
         {
         DEBUG(D_lists) debug_printf("cached %s match for %s\n",
           ((bits & (-bits)) == bits)? "yes" : "no", ss);
+
         cached = US" - cached";
-        if (valueptr != NULL)
+        if (valueptr)
           {
           const uschar *key = get_check_key(arg, type);
           namedlist_cacheblock *p;
-          for (p = nb->cache_data; p != NULL; p = p->next)
-            {
+          for (p = nb->cache_data; p; p = p->next)
             if (Ustrcmp(key, p->key) == 0)
               {
               *valueptr = p->data;
               break;
               }
-            }
           DEBUG(D_lists) debug_printf("cached lookup data = %s\n", *valueptr);
           }
         }
@@ -729,30 +723,30 @@ while ((sss = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
 
     else
       {
-      uschar *error = NULL;
+      uschar * error = NULL;
       switch ((func)(arg, ss, valueptr, &error))
         {
         case OK:
-        HDEBUG(D_lists) debug_printf("%s %s (matched \"%s\")\n", ot,
-          (yield == OK)? "yes" : "no", sss);
-        return yield;
+	  HDEBUG(D_lists) debug_printf("%s %s (matched \"%s\")\n", ot,
+	    (yield == OK)? "yes" : "no", sss);
+	  return yield;
 
         case DEFER:
-        if (error == NULL)
-          error = string_sprintf("DNS lookup of \"%s\" deferred", ss);
-        if (ignore_defer)
-          {
-          HDEBUG(D_lists) debug_printf("%s: item ignored by +ignore_defer\n",
-            error);
-          break;
-          }
-        if (include_defer)
-          {
-          log_write(0, LOG_MAIN, "%s: accepted by +include_defer", error);
-          return OK;
-          }
-        if (!search_error_message) search_error_message = error;
-        goto DEFER_RETURN;
+	  if (!error)
+	    error = string_sprintf("DNS lookup of \"%s\" deferred", ss);
+	  if (ignore_defer)
+	    {
+	    HDEBUG(D_lists) debug_printf("%s: item ignored by +ignore_defer\n",
+	      error);
+	    break;
+	    }
+	  if (include_defer)
+	    {
+	    log_write(0, LOG_MAIN, "%s: accepted by +include_defer", error);
+	    return OK;
+	    }
+	  if (!search_error_message) search_error_message = error;
+	  goto DEFER_RETURN;
 
         /* The ERROR return occurs when checking hosts, when either a forward
         or reverse lookup has failed. It can also occur in a match_ip list if a
@@ -760,24 +754,24 @@ while ((sss = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
         which it was. */
 
         case ERROR:
-        if (ignore_unknown)
-          {
-          HDEBUG(D_lists) debug_printf("%s: item ignored by +ignore_unknown\n",
-            error);
-          }
-        else
-          {
-          HDEBUG(D_lists) debug_printf("%s %s (%s)\n", ot,
-            include_unknown? "yes":"no", error);
-          if (!include_unknown)
-            {
-            if (LOGGING(unknown_in_list))
-              log_write(0, LOG_MAIN, "list matching forced to fail: %s", error);
-            return FAIL;
-            }
-          log_write(0, LOG_MAIN, "%s: accepted by +include_unknown", error);
-          return OK;
-          }
+	  if (ignore_unknown)
+	    {
+	    HDEBUG(D_lists) debug_printf("%s: item ignored by +ignore_unknown\n",
+	      error);
+	    }
+	  else
+	    {
+	    HDEBUG(D_lists) debug_printf("%s %s (%s)\n", ot,
+	      include_unknown? "yes":"no", error);
+	    if (!include_unknown)
+	      {
+	      if (LOGGING(unknown_in_list))
+		log_write(0, LOG_MAIN, "list matching forced to fail: %s", error);
+	      return FAIL;
+	      }
+	    log_write(0, LOG_MAIN, "%s: accepted by +include_unknown", error);
+	    return OK;
+	    }
         }
       }
     }
@@ -788,16 +782,16 @@ while ((sss = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
   else
     {
     int file_yield = yield;       /* In case empty file */
-    uschar *filename = ss;
-    FILE *f = Ufopen(filename, "rb");
+    uschar * filename = ss;
+    FILE * f = Ufopen(filename, "rb");
     uschar filebuffer[1024];
 
     /* ot will be null in non-debugging cases, and anyway, we get better
     wording by reworking it. */
 
-    if (f == NULL)
+    if (!f)
       {
-      uschar *listname = readconf_find_option(listptr);
+      uschar * listname = readconf_find_option(listptr);
       if (listname[0] == 0)
         listname = string_sprintf("\"%s\"", *listptr);
       log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
@@ -845,48 +839,48 @@ while ((sss = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
       switch ((func)(arg, ss, valueptr, &error))
         {
         case OK:
-        (void)fclose(f);
-        HDEBUG(D_lists) debug_printf("%s %s (matched \"%s\" in %s)\n", ot,
-          (yield == OK)? "yes" : "no", sss, filename);
-        return file_yield;
+	  (void)fclose(f);
+	  HDEBUG(D_lists) debug_printf("%s %s (matched \"%s\" in %s)\n", ot,
+	    yield == OK ? "yes" : "no", sss, filename);
+	  return file_yield;
 
         case DEFER:
-        if (error == NULL)
-          error = string_sprintf("DNS lookup of %s deferred", ss);
-        if (ignore_defer)
-          {
-          HDEBUG(D_lists) debug_printf("%s: item ignored by +ignore_defer\n",
-            error);
-          break;
-          }
-        (void)fclose(f);
-        if (include_defer)
-          {
-          log_write(0, LOG_MAIN, "%s: accepted by +include_defer", error);
-          return OK;
-          }
-        goto DEFER_RETURN;
-
-        case ERROR:          /* host name lookup failed - this can only */
-        if (ignore_unknown)  /* be for an incoming host (not outgoing) */
-          {
-          HDEBUG(D_lists) debug_printf("%s: item ignored by +ignore_unknown\n",
-            error);
-          }
-        else
-         {
-          HDEBUG(D_lists) debug_printf("%s %s (%s)\n", ot,
-            include_unknown? "yes":"no", error);
-          (void)fclose(f);
-          if (!include_unknown)
-            {
-            if (LOGGING(unknown_in_list))
-              log_write(0, LOG_MAIN, "list matching forced to fail: %s", error);
-            return FAIL;
-            }
-          log_write(0, LOG_MAIN, "%s: accepted by +include_unknown", error);
-          return OK;
-          }
+	  if (!error)
+	    error = string_sprintf("DNS lookup of %s deferred", ss);
+	  if (ignore_defer)
+	    {
+	    HDEBUG(D_lists) debug_printf("%s: item ignored by +ignore_defer\n",
+	      error);
+	    break;
+	    }
+	  (void)fclose(f);
+	  if (include_defer)
+	    {
+	    log_write(0, LOG_MAIN, "%s: accepted by +include_defer", error);
+	    return OK;
+	    }
+	  goto DEFER_RETURN;
+
+        case ERROR:		/* host name lookup failed - this can only */
+	  if (ignore_unknown)	/* be for an incoming host (not outgoing) */
+	    {
+	    HDEBUG(D_lists) debug_printf("%s: item ignored by +ignore_unknown\n",
+	      error);
+	    }
+	  else
+	   {
+	    HDEBUG(D_lists) debug_printf("%s %s (%s)\n", ot,
+	      include_unknown? "yes":"no", error);
+	    (void)fclose(f);
+	    if (!include_unknown)
+	      {
+	      if (LOGGING(unknown_in_list))
+		log_write(0, LOG_MAIN, "list matching forced to fail: %s", error);
+	      return FAIL;
+	      }
+	    log_write(0, LOG_MAIN, "%s: accepted by +include_unknown", error);
+	    return OK;
+	    }
         }
       }
 
@@ -901,8 +895,8 @@ while ((sss = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
 /* End of list reached: if the last item was negated yield OK, else FAIL. */
 
 HDEBUG(D_lists)
-  debug_printf("%s %s (end of list)\n", ot, (yield == OK)? "no":"yes");
-return (yield == OK)? FAIL : OK;
+  debug_printf("%s %s (end of list)\n", ot, yield == OK ? "no":"yes");
+return yield == OK ? FAIL : OK;
 
 /* Something deferred */
 
diff --git a/test/confs/0275 b/test/confs/0275
index 3734e03ea..7117d517c 100644
--- a/test/confs/0275
+++ b/test/confs/0275
@@ -6,6 +6,8 @@ primary_hostname = myhost.test.ex
 
 # ----- Main settings -----
 
+acl_smtp_rcpt = accept verify = recipient
+
 domainlist nocache = $local_part
 domainlist nocache2 = +nocache
 domainlist local_domains = test.ex
@@ -36,6 +38,14 @@ t1:
 
 begin routers
 
+.ifdef FAKE
+r0f:
+  driver = accept
+  local_parts = error
+  domains = +no_such_list
+  transport = t1
+.endif
+
 r00:
   driver = accept
   domains = +nocache
diff --git a/test/scripts/0000-Basic/0275 b/test/scripts/0000-Basic/0275
index 410efa8d3..953ab7e8f 100644
--- a/test/scripts/0000-Basic/0275
+++ b/test/scripts/0000-Basic/0275
@@ -1,5 +1,14 @@
 # named domain lists
 exim -d -bt userx@test.ex
 ****
+#
 exim -d -odi userx@test.ex
 ****
+#
+exim -d -DFAKE -bh 127.0.0.1
+HELO test
+MAIL FROM:<test@test.ex>
+RCPT TO:<error@test.ex>
+QUIT
+****
+#
diff --git a/test/stderr/0275 b/test/stderr/0275
index b663ad4b8..f34132b55 100644
--- a/test/stderr/0275
+++ b/test/stderr/0275
@@ -357,3 +357,81 @@ search_tidyup called
 >>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
 search_tidyup called
 >>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
+Exim version x.yz ....
+changed uid/gid: forcing real = effective
+  uid=uuuu gid=CALLER_GID pid=pppp
+configuration file is TESTSUITE/test-config
+admin user
+changed uid/gid: privilege not needed
+  uid=EXIM_UID gid=EXIM_GID pid=pppp
+seeking password data for user "CALLER": cache not available
+getpwnam() succeeded uid=CALLER_UID gid=CALLER_GID
+DSN: r0f propagating DSN
+DSN: r00 propagating DSN
+DSN: r01 propagating DSN
+DSN: r02 propagating DSN
+DSN: r03 propagating DSN
+DSN: r04 propagating DSN
+DSN: r05 propagating DSN
+DSN: r1 propagating DSN
+DSN: r2 propagating DSN
+DSN: r3 propagating DSN
+originator: uid=CALLER_UID gid=CALLER_GID login=CALLER name=CALLER_NAME
+sender address = CALLER@test.ex
+sender_fullhost = [127.0.0.1]
+sender_rcvhost = [127.0.0.1]
+host in hosts_connection_nolog? no (option unset)
+LOG: smtp_connection MAIN
+  SMTP connection from [127.0.0.1]
+host in host_lookup? no (option unset)
+set_process_info: pppp handling incoming connection from [127.0.0.1]
+host in host_reject_connection? no (option unset)
+host in sender_unqualified_hosts? no (option unset)
+host in recipient_unqualified_hosts? no (option unset)
+host in helo_verify_hosts? no (option unset)
+host in helo_try_verify_hosts? no (option unset)
+host in helo_accept_junk_hosts? no (option unset)
+SMTP>> 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+smtp_setup_msg entered
+SMTP<< HELO test
+test in helo_lookup_domains? no (end of list)
+sender_fullhost = (test) [127.0.0.1]
+sender_rcvhost = [127.0.0.1] (helo=test)
+set_process_info: pppp handling incoming connection from (test) [127.0.0.1]
+SMTP>> 250 myhost.test.ex Hello test [127.0.0.1]
+SMTP<< MAIL FROM:<test@test.ex>
+spool directory space = nnnnnK inodes = nnnnn check_space = 10240K inodes = 100 msg_size = 0
+log directory space = nnnnnK inodes = nnnnn check_space = 10240K inodes = 100
+SMTP>> 250 OK
+SMTP<< RCPT TO:<error@test.ex>
+test.ex in "! *.ex"? no (matched "! *.ex")
+test.ex in "test.ex"? yes (matched "test.ex")
+test.ex in percent_hack_domains? yes (matched "+not_queue_domains")
+processing "accept"
+check verify = recipient
+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+Verifying error@test.ex
+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+Considering error@test.ex
+cached no match for +hold_domains
+cached yes match for +not_queue_domains
+test.ex in percent_hack_domains? yes (matched "+not_queue_domains" - cached)
+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+routing error@test.ex
+--------> r0f router <--------
+local_part=error domain=test.ex
+checking domains
+LOG: MAIN PANIC
+  unknown named domain list "+no_such_list"
+domains check lookup or other defer
+----------- end verify ------------
+accept: condition test deferred in inline ACL
+SMTP>> 451 Temporary local problem - please try later
+LOG: MAIN REJECT
+  H=(test) [127.0.0.1] F=<test@test.ex> temporarily rejected RCPT <error@test.ex>: domains check lookup or other defer
+SMTP<< QUIT
+SMTP>> 221 myhost.test.ex closing connection
+LOG: smtp_connection MAIN
+  SMTP connection from (test) [127.0.0.1] closed by QUIT
+search_tidyup called
+>>>>>>>>>>>>>>>> Exim pid=pppp (main) terminating with rc=0 >>>>>>>>>>>>>>>>
diff --git a/test/stdout/0275 b/test/stdout/0275
index fa02efa75..1642be115 100644
--- a/test/stdout/0275
+++ b/test/stdout/0275
@@ -1,2 +1,12 @@
 userx@test.ex
   router = r3, transport = t1
+
+**** SMTP testing session as if from host 127.0.0.1
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250 myhost.test.ex Hello test [127.0.0.1]
+250 OK
+451 Temporary local problem - please try later
+221 myhost.test.ex closing connection
-- 
cgit v1.2.3