testing: Add wrapper script to build certificates in root image
authorTobias Brunner <tobias@strongswan.org>
Thu, 18 Apr 2019 13:10:10 +0000 (15:10 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 8 May 2019 12:56:48 +0000 (14:56 +0200)
This does not modify the root image but uses the strongSwan version
installed there (avoids build dependencies on version installed on the
host to use pki to generate all the keys and certificates).

testing/scripts/build-certs
testing/scripts/build-certs-chroot [new file with mode: 0755]

index 2bf717d..d473cdc 100755 (executable)
 #!/bin/bash
 
-echo "Building certificates"
-
-# Disable leak detective when using pki as it produces warnings in tzset
-export LEAK_DETECTIVE_DISABLE=1
-
-# Determine testing directory
 DIR="$(dirname `readlink -f $0`)/.."
+. $DIR/testing.conf
+. $DIR/scripts/function.sh
 
-# Define some global variables
-PROJECT="strongSwan Project"
-CA_DIR="${DIR}/hosts/winnetou/etc/ca"
-CA_KEY="${CA_DIR}/strongswanKey.pem"
-CA_CERT="${CA_DIR}/strongswanCert.pem"
-CA_CERT_DER="${CA_DIR}/strongswanCert.der"
-CA_CRL="${CA_DIR}/strongswan.crl"
-CA_LAST_CRL="${CA_DIR}/strongswan_last.crl"
-CA_CDP="http://crl.strongswan.org/strongswan.crl"
-CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
-CA_OCSP="http://ocsp.strongswan.org:8880"
-#
-START=`date  -d "-2 day"    "+%d.%m.%y %T"`
-SH_END=`date -d "-1 day"    "+%d.%m.%y %T"`    #  1 day
-CA_END=`date -d "+3651 day" "+%d.%m.%y %T"`    # 10 years
-IM_END=`date -d "+3286 day" "+%d.%m.%y %T"`    #  9 years
-EE_END=`date -d "+2920 day" "+%d.%m.%y %T"`    #  8 years
-SH_EXP=`date -d "-1 day"    "+%y%m%d%H%M%SZ"`  #  1 day
-IM_EXP=`date -d "+3286 day" "+%y%m%d%H%M%SZ"`  #  9 years
-EE_EXP=`date -d "+2920 day" "+%y%m%d%H%M%SZ"`  #  8 years
-NOW=`date "+%y%m%d%H%M%SZ"`
-#
-RESEARCH_DIR="${CA_DIR}/research"
-RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem"
-RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem"
-RESEARCH_CERT_DER="${RESEARCH_DIR}/researchCert.der"
-RESEARCH_CDP="http://crl.strongswan.org/research.crl"
-#
-SALES_DIR="${CA_DIR}/sales"
-SALES_KEY="${SALES_DIR}/salesKey.pem"
-SALES_CERT="${SALES_DIR}/salesCert.pem"
-SALES_CERT_DER="${SALES_DIR}/salesCert.der"
-SALES_CDP="http://crl.strongswan.org/sales.crl"
-#
-DUCK_DIR="${CA_DIR}/duck"
-DUCK_KEY="${DUCK_DIR}/duckKey.pem"
-DUCK_CERT="${DUCK_DIR}/duckCert.pem"
-#
-ECDSA_DIR="${CA_DIR}/ecdsa"
-ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem"
-ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem"
-ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"
-#
-RFC3779_DIR="${CA_DIR}/rfc3779"
-RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem"
-RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem"
-RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"
-#
-SHA3_RSA_DIR="${CA_DIR}/sha3-rsa"
-SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem"
-SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem"
-SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"
-#
-ED25519_DIR="${CA_DIR}/ed25519"
-ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
-ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
-ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"
-#
-MONSTER_DIR="${CA_DIR}/monster"
-MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
-MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
-MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
-MONSTER_CA_RSA_SIZE="8192"
-MONSTER_EE_RSA_SIZE="4096"
-#
-BLISS_DIR="${CA_DIR}/bliss"
-BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der"
-BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der"
-BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"
-#
-RSA_SIZE="3072"
-IPSEC_DIR="etc/ipsec.d"
-SWANCTL_DIR="etc/swanctl"
-TKM_DIR="etc/tkm"
-HOSTS="carol dave moon sun alice venus bob"
-TEST_DIR="${DIR}/tests"
-
-# Create directories
-mkdir -p ${CA_DIR}/certs
-mkdir -p ${CA_DIR}/keys
-mkdir -p ${RESEARCH_DIR}/certs
-mkdir -p ${RESEARCH_DIR}/keys
-mkdir -p ${SALES_DIR}/certs
-mkdir -p ${SALES_DIR}/keys
-mkdir -p ${DUCK_DIR}/certs
-mkdir -p ${ECDSA_DIR}/certs
-mkdir -p ${RFC3779_DIR}/certs
-mkdir -p ${SHA3_RSA_DIR}/certs
-mkdir -p ${ED25519_DIR}/certs
-mkdir -p ${MONSTER_DIR}/certs
-mkdir -p ${BLISS_DIR}/certs
-
-################################################################################
-# strongSwan Root CA                                                           #
-################################################################################
-
-# Generate strongSwan Root CA
-pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${CA_KEY}
-pki --self --type rsa --in ${CA_KEY} --not-before "${START}" --not-after "${CA_END}" \
-    --ca --pathlen 1 --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \
-    --outform pem > ${CA_CERT}
-
-# Distribute strongSwan Root CA certificate
-for h in ${HOSTS}
-do
-  HOST_DIR="${DIR}/hosts/${h}"
-  mkdir -p ${HOST_DIR}/${IPSEC_DIR}/cacerts
-  mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/x509ca
-  cp ${CA_CERT} ${HOST_DIR}/${IPSEC_DIR}/cacerts
-  cp ${CA_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509ca
-done
-
-# Put a copy onto the alice FreeRADIUS server
-mkdir -p ${DIR}/hosts/alice/etc/raddb/certs
-cp ${CA_CERT} ${DIR}/hosts/alice/etc/raddb/certs
-
-# Convert strongSwan Root CA certificate into DER format
-openssl x509 -in ${CA_CERT} -outform der -out ${CA_CERT_DER}
-
-# Gernerate a stale CRL
-pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} \
-    --this-update "${START}" --lifetime 1 > ${CA_LAST_CRL}
-
-# Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl
-TEST="${TEST_DIR}/ikev2/crl-ldap"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/crls
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/crls
-cp ${CA_LAST_CRL} ${TEST}/hosts/carol/${IPSEC_DIR}/crls/stale.crl
-cp ${CA_LAST_CRL} ${TEST}/hosts/moon/${IPSEC_DIR}/crls/stale.crl
-
-# Generate host keys
-for h in ${HOSTS}
-do
-  HOST_DIR="${DIR}/hosts/${h}"
-  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem"
-  mkdir -p ${HOST_DIR}/${IPSEC_DIR}/private
-  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
-
-  # Put a copy into swanctl directory tree
-  mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/rsa
-  cp ${HOST_KEY} ${HOST_DIR}/${SWANCTL_DIR}/rsa
-
-  # Convert host key into DER format
-  openssl rsa -in ${HOST_KEY} -outform der -out ${CA_DIR}/keys/${h}Key.der \
-          2> /dev/null
-done
-
-# Put DER-encoded moon private key and Root CA certificate into tkm scenarios
-for t in host2host-initiator host2host-responder host2host-xfrmproxy \
-         net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
-do
-  TEST="${TEST_DIR}/tkm/${t}"
-  mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
-  cp ${CA_DIR}/keys/moonKey.der ${CA_CERT_DER} ${TEST}/hosts/moon/${TKM_DIR}
-done
-
-# Put DER_encoded sun private key and Root CA certificate into tkm scenarios
-TEST="${TEST_DIR}/tkm/multiple-clients"
-mkdir -p ${TEST}/hosts/sun/${TKM_DIR}
-cp ${CA_DIR}/keys/sunKey.der ${CA_CERT_DER} ${TEST}/hosts/sun/${TKM_DIR}
-
-# Convert moon private key into unencrypted PKCS#8 format
-TEST="${TEST_DIR}/ikev2/rw-pkcs8"
-HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
-TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -out ${TEST_KEY}
-
-# Convert carol private key into v1.5 DES encrypted PKCS#8 format
-HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
-TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
-              -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
-
-# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
-HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
-TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
-openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8  -v2 aes128 \
-              -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
-
-################################################################################
-# Public Key Extraction                                                        #
-################################################################################
-
-# Extract the raw moon public key for the swanctl/net2net-pubkey scenario
-TEST="${TEST_DIR}/swanctl/net2net-pubkey"
-TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
-HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
-mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
-pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
-cp ${TEST_PUB} ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
-
-# Put a copy into the  following ikev2 scenarios
-for t in net2net-dnssec net2net-pubkey rw-dnssec
-do
-  TEST="${TEST_DIR}/ikev2/${t}"
-  mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
-  cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs
-done
-
-# Put a copy into the ikev2/net2net-pubkey scenario
-TEST="${TEST_DIR}/ikev2/net2net-pubkey"
-mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
-cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
-
-# Put a copy into the swanctl/rw-dnssec scenario
-TEST="${TEST_DIR}/swanctl/rw-dnssec"
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
-cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
-
-# Put a copy into the following swanctl scenarios
-for t in rw-pubkey-anon rw-pubkey-keyid
-do
-  TEST="${TEST_DIR}/swanctl/${t}"
-  for h in moon carol dave
-  do
-    mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
-    cp ${TEST_PUB} ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
-  done
-done
-
-# Extract the raw sun public key for the swanctl/net2net-pubkey scenario
-TEST="${TEST_DIR}/swanctl/net2net-pubkey"
-TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
-HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
-pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
-cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
-
-# Put a copy into the ikev2/net2net-dnssec scenario
-TEST="${TEST_DIR}/ikev2/net2net-dnssec"
-mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
-cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
-
-# Put a copy into the ikev2/net2net-pubkey scenario
-TEST="${TEST_DIR}/ikev2/net2net-pubkey"
-cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs
-cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
-
-# Put a copy into the swanctl/rw-pubkey-anon scenario
-TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
-cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
-
-# Extract the raw carol public key for the swanctl/rw-dnssec scenario
-TEST="${TEST_DIR}/swanctl/rw-dnssec"
-TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
-HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
-mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
-pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
-
-# Put a copy into the swanctl/rw-pubkey-anon scenario
-TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
-cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
-cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
-
-# Put a copy into the swanctl/rw-pubkey-keyid scenario
-TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
-cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
-cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
-
-# Extract the raw dave public key for the swanctl/rw-dnssec scenario
-TEST="${TEST_DIR}/swanctl/rw-dnssec"
-TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
-HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
-mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
-pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
-
-# Put a copy into the swanctl/rw-pubkey-anon scenario
-TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
-cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
-cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
-
-# Put a copy into the swanctl/rw-pubkey-keyid scenario
-TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
-cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
-cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
-
-################################################################################
-# Host Certificate Generation                                                  #
-################################################################################
-
-# function issue_cert: serial host cn [ou]
-issue_cert()
-{
-  # does optional OU argument exist?
-  if [ -z "${4}" ]
-  then
-    OU=""
-  else
-    OU=" OU=${4},"
-  fi
-
-  HOST_DIR="${DIR}/hosts/${2}"
-  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${2}Key.pem"
-  HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${2}Cert.pem"
-  mkdir -p ${HOST_DIR}/${IPSEC_DIR}/certs
-  pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
-      --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${3} \
-      --serial ${1} --dn "C=CH, O=${PROJECT},${OU} CN=${3}" \
-      --outform pem > ${HOST_CERT}
-  cp ${HOST_CERT} ${CA_DIR}/certs/${1}.pem
-
-  # Put a certificate copy into swanctl directory tree
-  mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/x509
-  cp ${HOST_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509
-}
-
-# Generate host certificates
-issue_cert 01 carol carol@strongswan.org Research
-issue_cert 02 dave dave@strongswan.org Accounting
-issue_cert 03 moon moon.strongswan.org
-issue_cert 04 sun sun.strongswan.org
-issue_cert 05 alice alice@strongswan.org Sales
-issue_cert 06 venus venus.strongswan.org
-issue_cert 07 bob bob@strongswan.org Research
-
-# Create PKCS#12 file for moon
-TEST="${TEST_DIR}/ikev2/net2net-pkcs12"
-HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
-HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
-MOON_PKCS12="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonCert.p12"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "moon" \
-        -certfile ${CA_CERT} -caname "strongSwan Root CA" \
-        -aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > ${MOON_PKCS12} 2> /dev/null
-
-# Create PKCS#12 file for sun
-HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
-HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
-SUN_PKCS12="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunCert.p12"
-mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
-openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "sun" \
-        -certfile ${CA_CERT} -caname "strongSwan Root CA" \
-        -aes128 -passout "pass:IxjQVCF3JGI+MoPi" > ${SUN_PKCS12} 2> /dev/null
-
-# Put a PKCS#12 copy into the botan/net2net-pkcs12 scenario
-for t in botan/net2net-pkcs12 openssl-ikev2/net2net-pkcs12
-do
-  TEST="${TEST_DIR}/${t}"
-  mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
-  mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
-  cp ${MOON_PKCS12} ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
-  cp ${SUN_PKCS12}  ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
-done
-
-################################################################################
-# DNSSEC Zone Files                                                            #
-################################################################################
-
-# Store moon and sun certificates in strongswan.org zone
-ZONE_FILE="${CA_DIR}/db.strongswan.org.certs-and-keys"
-echo "; Automatically generated for inclusion in zone file" > ${ZONE_FILE}
-for h in moon sun
-do
-  HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
-  cert=$(grep --invert-match ^----- ${HOST_CERT}| sed -e 's/^/\t\t\t\t/')
-  echo -e "${h}\tIN\tCERT\t( 1 0 0\n${cert}\n\t\t\t\t)" >> ${ZONE_FILE}
-done
-
-# Store public keys in strongswan.org zone
-echo ";" >> ${ZONE_FILE}
-for h in moon sun carol dave
-do
-  HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
-  pubkey=$(pki --pub --type x509 --in ${HOST_CERT} --outform dnskey | sed 's/\(.\{0,64\}\)/\t\t\t\t\1\n/g')
-  echo -e "${h}\tIN\tIPSECKEY\t( 10 3 2 ${h}.strongswan.org.\n${pubkey}\n\t\t\t\t)" >> ${ZONE_FILE}
-done
-
-# Generate a carol certificate for the swanctl/crl-to-cache scenario with base CDP
-TEST="${TEST_DIR}/swanctl/crl-to-cache"
-TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
-HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
-CN="carol@strongswan.org"
-mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
-pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
-    --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
-    --outform pem > ${TEST_CERT}
-
-# Generate a moon certificate for the swanctl/crl-to-cache scenario with base CDP
-TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
-HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
-CN="moon.strongswan.org"
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
-pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
-    --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \
-    --outform pem > ${TEST_CERT}
-
-# Encrypt carolKey.pem
-HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
-KEY_PWD="nH5ZQEWtku0RJEZ6"
-openssl rsa -in ${HOST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${HOST_KEY} \
-        2> /dev/null
-
-# Put a copy into the ikev2/dynamic-initiator scenario
-for t in ikev2/dynamic-initiator ikev1/dynamic-initiator ikev1/dynamic-responder
-do
-  TEST="${TEST_DIR}/${t}"
-  mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
-  mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
-  cp ${HOST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
-  cp ${CA_DIR}/certs/01.pem ${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem
-done
-
-# Put a copy into the swanctl/rw-cert scenario
-TEST="${TEST_DIR}/swanctl/rw-cert"
-mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
-cp ${HOST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
-
-# Generate another carol certificate and revoke it
-TEST="${TEST_DIR}/ikev2/crl-revoked"
-TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
-TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
-CN="carol@strongswan.org"
-SERIAL="08"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
-    --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
-pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "key-compromise" \
-    --serial ${SERIAL} > ${CA_CRL}
-cp ${CA_CRL} ${CA_LAST_CRL}
-
-# Put a copy into the ikev2/ocsp-revoked scenario
-TEST="${TEST_DIR}/ikev2/ocsp-revoked"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-cp ${TEST_KEY}  ${TEST}/hosts/carol/${IPSEC_DIR}/private
-cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-
-# Generate another carol certificate with SN=002
-TEST="${TEST_DIR}/ikev2/two-certs"
-TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
-TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
-SERIAL="09"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
-    --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
-
-################################################################################
-# Research CA Certificate Generation                                           #
-################################################################################
-
-# Generate a Research CA certificate signed by the Root CA and revoke it
-TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
-SERIAL="0A"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${RESEARCH_KEY}
-pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
-    --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
-    --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
-pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "ca-compromise" \
-    --serial ${SERIAL} --lastcrl ${CA_LAST_CRL} > ${CA_CRL}
-rm ${CA_LAST_CRL}
-
-# Generate Research CA with the same private key as above signed by Root CA
-SERIAL="0B"
-pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
-    --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
-    --outform pem > ${RESEARCH_CERT}
-cp ${RESEARCH_CERT} ${CA_DIR}/certs/${SERIAL}.pem
-
-# Put a certificate copy into the following scenarios
-for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
-         ikev2/multi-level-ca-pathlen ikev2/multi-level-ca-strict \
-         ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
-do
-  TEST="${TEST_DIR}/${t}"
-  mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
-  cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
-done
-
-for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
-         ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
-do
-  TEST="${TEST_DIR}/${t}"
-  mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
-  cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
-done
-
-for t in multi-level-ca ocsp-multi-level
-do
-  TEST="${TEST_DIR}/swanctl/${t}"
-  mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
-  cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
-done
-
-# Convert Research CA certificate into DER format
-openssl x509 -in ${RESEARCH_CERT} -outform der -out ${RESEARCH_CERT_DER}
-
-# Generate Research CA with the same private key as above but invalid CDP
-TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
-pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --type rsa \
-    --crl "http://crl.strongswan.org/not-available.crl" \
-    --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
-    --outform pem > ${TEST_CERT}
-
-################################################################################
-# Sales CA Certificate Generation                                              #
-################################################################################
-
-# Generate Sales CA signed by Root CA
-SERIAL="0C"
-pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${SALES_KEY}
-pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
-    --in ${SALES_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
-    --outform pem > ${SALES_CERT}
-cp ${SALES_CERT} ${CA_DIR}/certs/${SERIAL}.pem
-
-# Put a certificate copy into the following scenarios
-for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
-         ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
-         ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
-do
-  TEST="${TEST_DIR}/${t}"
-  cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
-done
-
-for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
-         ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
-do
-  TEST="${TEST_DIR}/${t}"
-  mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
-  cp ${SALES_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
-done
-
-for t in multi-level-ca ocsp-multi-level
-do
-  TEST="${TEST_DIR}/swanctl/${t}"
-  cp ${SALES_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
-done
-
-# Convert Sales CA certificate into DER format
-openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER}
-
-# Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
-TEST="${TEST_DIR}/ikev2/strong-keys-certs"
-TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert-sha224.pem"
-KEY_PWD="gOQHdrSWeFuiZtYPetWuyzHW"
-CN="moon.strongswan.org"
-SERIAL="0D"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-224, CN=${CN}" \
-    --digest sha224 --outform pem > ${TEST_CERT}
-openssl rsa -in ${TEST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
-        2> /dev/null
-cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
-
-# Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
-TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-aes192.pem"
-TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-sha384.pem"
-KEY_PWD="ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
-CN="carol@strongswan.org"
-SERIAL="0E"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-384, CN=${CN}" \
-    --digest sha384 --outform pem > ${TEST_CERT}
-openssl rsa -in ${TEST_KEY} -aes192 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
-        2> /dev/null
-cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
-
-# Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
-TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey-aes256.pem"
-TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert-sha512.pem"
-KEY_PWD="MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
-CN="dave@strongswan.org"
-SERIAL="0F"
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-512, CN=${CN}" \
-    --digest sha512 --outform pem > ${TEST_CERT}
-openssl rsa -in ${TEST_KEY} -aes256 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
-        2> /dev/null
-cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
-
-# Generate another carol certificate with an OCSP URI
-TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
-TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
-TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
-CN="carol@strongswan.org"
-SERIAL="10"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
-    --ocsp ${CA_OCSP} --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
-
-# Put a copy into the ikev2/ocsp-timeouts-good scenario
-TEST="${TEST_DIR}/ikev2/ocsp-timeouts-good"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-cp ${TEST_KEY}  ${TEST}/hosts/carol/${IPSEC_DIR}/private
-cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-
-# Put a copy into the swanctl/ocsp-signer-cert scenario
-for t in ocsp-signer-cert ocsp-disabled
-do
-  cd "${TEST_DIR}/swanctl/${t}/hosts/carol/${SWANCTL_DIR}"
-  mkdir -p rsa x509
-  cp ${TEST_KEY} rsa
-  cp ${TEST_CERT} x509
-done
-
-# Generate an OCSP Signing certificate for the strongSwan Root CA
-TEST_KEY="${CA_DIR}/ocspKey.pem"
-TEST_CERT="${CA_DIR}/ocspCert.pem"
-CN="ocsp.strongswan.org"
-OU="OCSP Signing Authority"
-SERIAL="11"
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
-    --flag ocspSigning --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
-
-# Generate a self-signed OCSP Signing certificate
-TEST_KEY="${CA_DIR}/ocspKey-self.pem"
-TEST_CERT="${CA_DIR}/ocspCert-self.pem"
-OU="OCSP Self-Signed Authority"
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --self --type rsa --in ${TEST_KEY} --flag ocspSigning \
-    --not-before "${START}" --not-after "${CA_END}" --san ${CN} \
-    --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
-    --outform pem > ${TEST_CERT}
-
-# Copy self-signed OCSP Signing certificate to ikev2/ocsp-local-cert scenario
-TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
-cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
-cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
-
-# Generate mars virtual server certificate
-TEST="${TEST_DIR}/ha/both-active"
-TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/marsKey.pem"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/marsCert.pem"
-CN="mars.strongswan.org"
-OU="Virtual VPN Gateway"
-SERIAL="12"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
-    --flag serverAuth --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
-
-# Put a copy into the mirrored gateway
-mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/certs
-cp ${TEST_KEY}  ${TEST}/hosts/alice/${IPSEC_DIR}/private
-cp ${TEST_CERT} ${TEST}/hosts/alice/${IPSEC_DIR}/certs
-
-# Put a copy into the ha/active-passive and ikev2-redirect-active scenarios
-for t in "ha/active-passive" "ikev2/redirect-active"
-do
-  TEST="${TEST_DIR}/${t}"
-  for h in alice moon
-  do
-    mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/private
-    mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
-    cp ${TEST_KEY}  ${TEST}/hosts/${h}/${IPSEC_DIR}/private
-    cp ${TEST_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
-  done
-done
-
-# Generate moon certificate with an unsupported critical X.509 extension
-TEST="${TEST_DIR}/ikev2/critical-extension"
-TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
-CN="moon.strongswan.org"
-SERIAL="13"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
-    --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
-    --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
-
-# Put a copy in the openssl-ikev2/critical extension scenario
-TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
-cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
-cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
-
-# Generate sun certificate with an unsupported critical X.509 extension
-TEST="${TEST_DIR}/ikev2/critical-extension"
-TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
-TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
-CN="sun.strongswan.org"
-SERIAL="14"
-mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
-    --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
-    --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
-
-# Put a copy in the openssl-ikev2/critical extension scenario
-TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
-mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
-mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
-cp ${TEST_KEY} ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
-cp ${TEST_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
-
-# Generate winnetou server certificate
-HOST_KEY="${CA_DIR}/winnetouKey.pem"
-HOST_CERT="${CA_DIR}/winnetouCert.pem"
-CN="winnetou.strongswan.org"
-SERIAL="15"
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
-pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
-    --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
-    --flag serverAuth --outform pem > ${HOST_CERT}
-cp ${HOST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
-
-# Generate AAA server certificate
-TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
-TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
-TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
-CN="aaa.strongswan.org"
-SERIAL="16"
-cd "${TEST}/hosts/alice/${SWANCTL_DIR}"
-mkdir -p rsa x509
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
---in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
-    --flag serverAuth --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
-
-# Put a copy into various tnc scenarios
-for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap
-do
-  cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}"
-  mkdir -p rsa x509
-  cp ${TEST_KEY}  rsa
-  cp ${TEST_CERT} x509
-done
-
-# Put a copy into the alice FreeRADIUS server
-cp ${TEST_KEY} ${TEST_CERT} ${DIR}/hosts/alice/etc/raddb/certs
-
-################################################################################
-# strongSwan Attribute Authority                                               #
-################################################################################
-
-# Generate Attritbute Authority certificate
-TEST="${TEST_DIR}/ikev2/acert-cached"
-TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
-CN="strongSwan Attribute Authority"
-SERIAL="17"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/acerts
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${IM_END}" \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
-    --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
-
-# Generate carol's attribute certificate for sales and finance
-ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/carol-sales-finance.pem"
-pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
-    --in ${CA_DIR}/certs/01.pem --group sales --group finance \
-    --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
-
-# Generate dave's expired attribute certificate for sales
-ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-sales-expired.pem"
-pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
-    --in ${CA_DIR}/certs/02.pem --group sales \
-    --not-before "${START}" --not-after "${SH_END}" --outform pem  > ${ACERT}
-
-# Generate dave's attribute certificate for marketing
-ACERT_DM="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-marketing.pem"
-pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
-    --in ${CA_DIR}/certs/02.pem --group marketing \
-    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_DM}
-
-# Put a copy into the ikev2/acert-fallback scenario
-TEST="${TEST_DIR}/ikev2/acert-fallback"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/acerts
-cp ${TEST_KEY}  ${TEST}/hosts/moon/${IPSEC_DIR}/private
-cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
-
-# Generate carol's expired attribute certificate for finance
-ACERT=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
-pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
-    --in ${CA_DIR}/certs/01.pem --group finance \
-    --not-before "${START}" --not-after "${SH_END}" --outform pem  > ${ACERT}
-
-# Generate carol's valid attribute certificate for sales
-ACERT_CS=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem
-pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
-    --in ${CA_DIR}/certs/01.pem --group sales \
-    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_CS}
-
-# Put a copy into the ikev2/acert-inline scenarion
-TEST="${TEST_DIR}/ikev2/acert-inline"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
-cp ${TEST_KEY}  ${TEST}/hosts/moon/${IPSEC_DIR}/private
-cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
-cp ${ACERT_CS}  ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
-cp ${ACERT_DM}  ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
-
-# Generate a short-lived Attritbute Authority certificate
-CN="strongSwan Legacy AA"
-TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
-SERIAL="18"
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${SH_END}" \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
-    --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
-
-# Genrate dave's attribute certificate for sales from expired AA
-ACERT=${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
-pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
-    --in ${CA_DIR}/certs/02.pem --group sales \
-    --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
-
-################################################################################
-# strongSwan Root CA index for OCSP server                                     #
-################################################################################
-
-# generate index.txt file for Root OCSP server
-cp ${CA_DIR}/index.txt.template ${CA_DIR}/index.txt
-sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${CA_DIR}/index.txt
-sed -i -e "s/IM_EXPIRATION/${IM_EXP}/g" ${CA_DIR}/index.txt
-sed -i -e "s/SH_EXPIRATION/${SH_EXP}/g" ${CA_DIR}/index.txt
-sed -i -e "s/REVOCATION/${NOW}/g" ${CA_DIR}/index.txt
-
-################################################################################
-# Research CA                                                                  #
-################################################################################
-
-# Generate a carol research certificate
-TEST="${TEST_DIR}/ikev2/multi-level-ca"
-TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
-TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
-CN="carol@strongswan.org"
-SERIAL="01"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
-    --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
-
-# Save a copy of the private key in DER format
-openssl rsa -in ${TEST_KEY} -outform der \
-            -out ${RESEARCH_DIR}/keys/${SERIAL}.der 2> /dev/null
-
-# Put a copy in the following scenarios
-for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
-         ikev2/multi-level-ca-ldap ikev2/multi-level-ca-loop \
-         ikev2/multi-level-ca-revoked ikev2/multi-level-ca-skipped \
-         ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
-         ikev1/multi-level-ca ikev1/multi-level-ca-cr-init \
-         ikev1/multi-level-ca-cr-resp
-do
-  TEST="${TEST_DIR}/${t}"
-  mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-  mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-  cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
-  cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-done
-
-for t in multi-level-ca ocsp-multi-level
-do
-  TEST="${TEST_DIR}/swanctl/${t}"
-  mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
-  mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
-  cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
-  cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
-done
-
-# Generate a carol research certificate without a CDP
-TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
-TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
-    --outform pem > ${TEST_CERT}
-cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
-
-# Generate an OCSP Signing certificate for the Research CA
-TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
-TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
-OU="Research OCSP Signing Authority"
-CN="ocsp.research.strongswan.org"
-SERIAL="02"
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
-    --crl ${RESEARCH_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
-
-# Generate a Sales CA certificate signed by the Research CA
-TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
-SERIAL="03"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
-pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
-    --in ${SALES_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
-    --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
-
-################################################################################
-# Duck Research CA                                                                     #
-################################################################################
-
-# Generate a Duck Research CA certificate signed by the Research CA
-SERIAL="04"
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${DUCK_KEY}
-pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
-    --in ${DUCK_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
-    --crl ${RESEARCH_CDP} --outform pem > ${DUCK_CERT}
-cp ${DUCK_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
-
-# Put a certificate copy in the ikev2/multilevel-ca-pathlen scenario
-TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
-cp ${DUCK_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
-
-# Generate a carol certificate signed by the Duck Research CA
-TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
-TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
-CN="carol@strongswan.org"
-SERIAL="01"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${DUCK_KEY} --cacert ${DUCK_CERT} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
-    --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${DUCK_DIR}/certs/${SERIAL}.pem
-
-# Generate index.txt file for Research OCSP server
-cp ${RESEARCH_DIR}/index.txt.template ${RESEARCH_DIR}/index.txt
-sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${RESEARCH_DIR}/index.txt
-
-################################################################################
-# Sales CA                                                                     #
-################################################################################
-
-# Generate a dave sales certificate
-TEST="${TEST_DIR}/ikev2/multi-level-ca"
-TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
-TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
-CN="dave@strongswan.org"
-SERIAL="01"
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
-    --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
-
-# Save a copy of the private key in DER format
-openssl rsa -in ${TEST_KEY} -outform der \
-            -out ${SALES_DIR}/keys/${SERIAL}.der 2> /dev/null
-
-# Put a copy in the following scenarios
-for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
-         ikev2/multi-level-ca-ldap ikev2/multi-level-ca-strict \
-         ikev2/ocsp-multi-level ikev1/multi-level-ca \
-         ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp
-do
-  TEST="${TEST_DIR}/${t}"
-  mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
-  mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
-  cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
-  cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
-done
-
-for t in multi-level-ca ocsp-multi-level
-do
-  TEST="${TEST_DIR}/swanctl/${t}"
-  mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
-  mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
-  cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
-  cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
-done
-
-# Generate a dave sales certificate with an inactive OCSP URI and no CDP
-TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
-TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
-pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
-    --ocsp "http://ocsp2.strongswan.org:8882" --outform pem > ${TEST_CERT}
-cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
-
-# Generate an OCSP Signing certificate for the Sales CA
-TEST_KEY="${SALES_DIR}/ocspKey.pem"
-TEST_CERT="${SALES_DIR}/ocspCert.pem"
-OU="Sales OCSP Signing Authority"
-CN="ocsp.sales.strongswan.org"
-SERIAL="02"
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
-    --crl ${SALES_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
-
-# Generate a Research CA certificate signed by the Sales CA
-TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
-SERIAL="03"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
-pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
-    --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
-    --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
-
-# generate index.txt file for Sales OCSP server
-cp ${SALES_DIR}/index.txt.template ${SALES_DIR}/index.txt
-sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${SALES_DIR}/index.txt
-
-################################################################################
-# strongSwan EC Root CA                                                        #
-################################################################################
-
-# Generate strongSwan EC Root CA
-pki --gen  --type ecdsa --size 521 --outform pem > ${ECDSA_KEY}
-pki --self --type ecdsa --in ${ECDSA_KEY} \
-    --not-before "${START}" --not-after "${CA_END}" --ca \
-    --dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
-    --outform pem > ${ECDSA_CERT}
-
-# Put a copy in the openssl-ikev2/ecdsa-certs scenario
-for t in ecdsa-certs ecdsa-pkcs8
-do
-  TEST="${TEST_DIR}/openssl-ikev2/${t}"
-  for h in moon carol dave
-  do
-    mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
-    cp ${ECDSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
-  done
-done
-
-# Generate a moon ECDSA 521 bit certificate
-TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
-MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
-MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
-CN="moon.strongswan.org"
-SERIAL="01"
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
-pki --gen --type ecdsa --size 521 --outform pem > ${MOON_KEY}
-pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
-    --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
-    --crl ${ECDSA_CDP} --outform pem > ${MOON_CERT}
-cp ${MOON_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
-
-# Generate a carol ECDSA 256 bit certificate
-CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
-CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
-CN="carol@strongswan.org"
-SERIAL="02"
-mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa
-mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
-pki --gen --type ecdsa --size 256 --outform pem > ${CAROL_KEY}
-pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
-    --in ${CAROL_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
-    --crl ${ECDSA_CDP} --outform pem > ${CAROL_CERT}
-cp ${CAROL_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
-
-# Generate a dave ECDSA 384 bit certificate
-DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
-DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
-CN="dave@strongswan.org"
-SERIAL="03"
-mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa
-mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
-pki --gen --type ecdsa --size 384 --outform pem > ${DAVE_KEY}
-pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
-    --in ${DAVE_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
-    --crl ${ECDSA_CDP} --outform pem > ${DAVE_CERT}
-cp ${DAVE_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
-
-# Put CA and EE certificate copies in the openssl-ikev2/ecdsa-pkcs8 scenario
-TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
-mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
-mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
-cp ${MOON_CERT}  ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
-cp ${CAROL_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
-cp ${DAVE_CERT}  ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
-
-# Convert moon private key into unencrypted PKCS#8 format
-TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
-openssl pkcs8 -in ${MOON_KEY} -nocrypt -topk8 -out ${TEST_KEY}
-
-# Convert carol private key into v1.5 DES encrypted PKCS#8 format
-TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
-mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
-openssl pkcs8 -in ${CAROL_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
-              -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
-
-# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
-TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
-mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
-openssl pkcs8 -in ${DAVE_KEY} -nocrypt -topk8  -v2 aes128 \
-              -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
-
-# Put CA and EE certificate copies in the openssl-ikev1/ecdsa-certs scenario
-TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"
-cd ${TEST}/hosts/moon/${SWANCTL_DIR}
-mkdir -p ecdsa x509 x509ca
-cp ${MOON_KEY}   ecdsa
-cp ${MOON_CERT}  x509
-cp ${ECDSA_CERT} x509ca
-cd ${TEST}/hosts/carol/${SWANCTL_DIR}
-mkdir -p ecdsa x509 x509ca
-cp ${CAROL_KEY}  ecdsa
-cp ${CAROL_CERT} x509
-cp ${ECDSA_CERT} x509ca
-cd ${TEST}/hosts/dave/${SWANCTL_DIR}
-mkdir -p ecdsa x509 x509ca
-cp ${DAVE_KEY}   ecdsa
-cp ${DAVE_CERT}  x509
-cp ${ECDSA_CERT} x509ca
-
-################################################################################
-# strongSwan RFC3779 Root CA                                                   #
-################################################################################
-
-# Generate strongSwan RFC3779 Root CA
-pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${RFC3779_KEY}
-pki --self --type rsa --in ${RFC3779_KEY} \
-    --not-before "${START}" --not-after "${CA_END}" --ca \
-    --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
-    --addrblock "10.1.0.0-10.2.255.255" \
-    --addrblock "10.3.0.1-10.3.3.232" \
-    --addrblock "192.168.0.0/24" \
-    --addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
-    --outform pem > ${RFC3779_CERT}
-
-# Put a copy in the ikev2/net2net-rfc3779 scenario
-TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
-mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
-cp ${RFC3779_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
-cp ${RFC3779_CERT} ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
-
-# Put a copy in the ipv6/rw-rfc3779-ikev2 scenario
-TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
-mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
-mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
-cp ${RFC3779_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
-cp ${RFC3779_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
-
-# Generate a moon RFC3779 certificate
-TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
-TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
-CN="moon.strongswan.org"
-SERIAL="01"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
-    --addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
-    --addrblock "fec0::1/128" --addrblock "fec1::/16" \
-    --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
-
-# Put a copy in the ipv6 scenarios
-for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2
-do
-  cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}"
-  mkdir -p rsa x509 x509ca
-  cp ${TEST_KEY}  rsa
-  cp ${TEST_CERT} x509
-  cp ${RFC3779_CERT} x509ca
-done
-
-# Generate a sun RFC3779 certificate
-TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
-TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
-TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
-CN="sun.strongswan.org"
-SERIAL="02"
-mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
-    --addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
-    --addrblock "fec0::2/128" --addrblock "fec2::/16" \
-    --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
-
-# Put a copy in the ipv6/net2net-rfc3779-ikev2 scenario
-cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}"
-mkdir -p rsa x509 x509ca
-cp ${TEST_KEY} rsa
-cp ${TEST_CERT} x509
-cp ${RFC3779_CERT} x509ca
-
-# Generate a carol RFC3779 certificate
-TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
-TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
-TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
-CN="carol@strongswan.org"
-SERIAL="03"
-mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
-mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
-    --addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
-    --addrblock "fec0::10/128" \
-    --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
-
-# Generate a carol RFC3779 certificate
-TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
-TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
-TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
-CN="dave@strongswan.org"
-SERIAL="04"
-mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
-mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
-    --addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
-    --addrblock "fec0::20/128" \
-    --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
-
-################################################################################
-# strongSwan SHA3-RSA Root CA                                                  #
-################################################################################
-
-# Generate strongSwan SHA3-RSA Root CA
-pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${SHA3_RSA_KEY}
-pki --self --type rsa --in ${SHA3_RSA_KEY} --digest sha3_256 \
-    --not-before "${START}" --not-after "${CA_END}" --ca \
-    --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
-    --outform pem > ${SHA3_RSA_CERT}
-
-# Put a copy in the swanctl/net2net-sha3-rsa-cert scenario
-TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert"
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
-mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
-cp ${SHA3_RSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
-cp ${SHA3_RSA_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
-
-# Generate a sun SHA3-RSA certificate
-SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
-SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
-CN="sun.strongswan.org"
-SERIAL="01"
-mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
-mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SUN_KEY}
-pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
-    --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
-    --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${SUN_CERT}
-cp ${SUN_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
-
-# Generate a moon SHA3-RSA certificate
-MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
-MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
-CN="moon.strongswan.org"
-SERIAL="02"
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${MOON_KEY}
-pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
-    --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
-    --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${MOON_CERT}
-cp ${MOON_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
-
-# Put a copy in the botan/net2net-sha3-rsa-cert scenario
-TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert"
-cd ${TEST}/hosts/moon/${SWANCTL_DIR}
-mkdir -p rsa x509 x509ca
-cp ${MOON_KEY}      rsa
-cp ${MOON_CERT}     x509
-cp ${SHA3_RSA_CERT} x509ca
-cd ${TEST}/hosts/sun/${SWANCTL_DIR}
-mkdir -p rsa x509 x509ca
-cp ${SUN_KEY}       rsa
-cp ${SUN_CERT}      x509
-cp ${SHA3_RSA_CERT} x509ca
-
-# Put a copy in the swanctl/rw-eap-tls-sha3-rsa scenario
-TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa"
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
-cp ${MOON_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
-cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
-
-# Generate a carol SHA3-RSA certificate
-TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
-TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
-CN="carol@strongswan.org"
-SERIAL="03"
-mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
-mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
-    --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
-
-# Generate a dave SHA3-RSA certificate
-TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
-TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
-CN="dave@strongswan.org"
-SERIAL="04"
-mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
-mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
-pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
-    --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
-
-for h in moon carol dave
-do
-  mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
-  cp ${SHA3_RSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
-done
-
-################################################################################
-# strongSwan Ed25519 Root CA                                                   #
-################################################################################
-
-# Generate strongSwan Ed25519 Root CA
-pki --gen  --type ed25519 --outform pem > ${ED25519_KEY}
-pki --self --type ed25519 --in ${ED25519_KEY} \
-    --not-before "${START}" --not-after "${CA_END}" --ca \
-    --dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
-    --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
-    --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
-    --outform pem > ${ED25519_CERT}
-
-# Put a copy in the swanctl/net2net-ed25519 scenario
-TEST="${TEST_DIR}/swanctl/net2net-ed25519"
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
-mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
-cp ${ED25519_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
-cp ${ED25519_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
-
-# Generate a sun Ed25519 certificate
-SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
-SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
-CN="sun.strongswan.org"
-SERIAL="01"
-mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8
-mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
-pki --gen --type ed25519 --outform pem > ${SUN_KEY}
-pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
-    --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
-    --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "serverAuth" \
-    --crl ${ED25519_CDP} --outform pem > ${SUN_CERT}
-cp ${SUN_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
-
-# Generate a moon Ed25519 certificate
-MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
-MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
-CN="moon.strongswan.org"
-SERIAL="02"
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
-pki --gen --type ed25519 --outform pem > ${MOON_KEY}
-pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
-    --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
-    --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "serverAuth" \
-    --crl ${ED25519_CDP} --outform pem > ${MOON_CERT}
-cp ${MOON_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
-
-# Put a copy in the botan/net2net-ed25519 scenario
-TEST="${TEST_DIR}/botan/net2net-ed25519"
-cd ${TEST}/hosts/moon/${SWANCTL_DIR}
-mkdir -p pkcs8 x509 x509ca
-cp ${MOON_KEY}     pkcs8
-cp ${MOON_CERT}    x509
-cp ${ED25519_CERT} x509ca
-cd ${TEST}/hosts/sun/${SWANCTL_DIR}
-mkdir -p pkcs8 x509 x509ca
-cp ${SUN_KEY}      pkcs8
-cp ${SUN_CERT}     x509
-cp ${ED25519_CERT} x509ca
-
-# Put a copy in the ikev2/net2net-ed25519 scenario
-TEST="${TEST_DIR}/ikev2/net2net-ed25519"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}
-cd ${TEST}/hosts/moon/${IPSEC_DIR}
-mkdir -p cacerts certs private
-cp ${MOON_KEY}     private
-cp ${MOON_CERT}    certs
-cp ${ED25519_CERT} cacerts
-mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}
-cd ${TEST}/hosts/sun/${IPSEC_DIR}
-mkdir -p cacerts certs private
-cp ${SUN_KEY}      private
-cp ${SUN_CERT}     certs
-cp ${ED25519_CERT} cacerts
-
-# Put a copy in the swanctl/rw-ed25519-certpol scenario
-TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol"
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
-cp ${MOON_KEY}  ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
-cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
-
-for h in moon carol dave
-do
-  mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
-  cp ${ED25519_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
-done
-
-# Generate a carol Ed25519 certificate
-TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
-TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
-CN="carol@strongswan.org"
-SERIAL="03"
-mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
-mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
-pki --gen --type ed25519 --outform pem > ${TEST_KEY}
-pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
-    --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "clientAuth" \
-    --crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
-
-# Generate a dave Ed25519 certificate
-TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
-TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
-CN="dave@strongswan.org"
-SERIAL="04"
-mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
-mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
-pki --gen --type ed25519 --outform pem > ${TEST_KEY}
-pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
-    --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "clientAuth" \
-    --crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
-
-################################################################################
-# strongSwan Monster Root CA                                                   #
-################################################################################
-
-# Generate strongSwan Monster Root CA
-pki --gen  --type rsa --size ${MONSTER_CA_RSA_SIZE} --outform pem > ${MONSTER_KEY}
-pki --self --type rsa --in ${MONSTER_KEY} \
-    --not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" --ca \
-    --dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
-    --outform pem > ${MONSTER_CERT}
-
-# Put a copy in the ikev2/after-2038-certs scenario
-TEST="${TEST_DIR}/ikev2/after-2038-certs"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
-cp ${MONSTER_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
-cp ${MONSTER_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
-
-# Generate a moon Monster certificate
-TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
-CN="moon.strongswan.org"
-SERIAL="01"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
-pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
-    --in ${TEST_KEY} --san ${CN} \
-    --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
-    --crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
-
-# Generate a carol Monster certificate
-TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
-TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
-CN="carol@strongswan.org"
-SERIAL="02"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
-pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
-    --in ${TEST_KEY} --san ${CN} \
-    --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
-    --crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
-cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
-
-################################################################################
-# Bliss CA                                                                     #
-################################################################################
-
-# Generate BLISS Root CA with 192 bit security strength
-pki --gen  --type bliss --size 4 > ${BLISS_KEY}
-pki --self --type bliss --in ${BLISS_KEY} --digest sha3_512 \
-    --not-before "${START}" --not-after "${CA_END}" --ca \
-    --dn "C=CH, O=${PROJECT}, CN=strongSwan BLISS Root CA" > ${BLISS_CERT}
-
-# Put a copy in the following scenarios
-for t in rw-newhope-bliss rw-ntru-bliss
-do
-  TEST="${TEST_DIR}/ikev2/${t}"
-  for h in moon carol dave
-  do
-    mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts
-    cp ${BLISS_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts
-  done
-done
-
-TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
-for h in moon carol dave
-do
-   mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
-   cp ${BLISS_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
-done
-
-# Generate a carol BLISS certificate with 128 bit security strength
-TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
-TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.der"
-TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.der"
-CN="carol@strongswan.org"
-SERIAL="01"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-pki --gen --type bliss --size 1 > ${TEST_KEY}
-pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS I, CN=${CN}" \
-    --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
-cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
-
-# Put a copy in the ikev2/rw-ntru-bliss scenario
-TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
-cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+[ `id -u` -eq 0 ] || die "You must be root to run $0"
+[ -f "$BASEIMG" ] || die "Base image $BASEIMG not found"
+[ -f "$ROOTIMG" ] || die "Root image $ROOTIMG not found"
+running_any $STRONGSWANHOSTS && die "Please stop test environment before running $0"
 
-# Put a copy in the swanctl/rw-ntru-bliss scenario
-TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
-mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
-mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
-cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
-cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+SRCUID=${SUDO_UID:-$(id -u)}
+SRCGID=${SUDO_GID:-$(id -g)}
 
-# Generate a dave BLISS certificate with 160 bit security strength
-TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
-TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.der"
-TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.der"
-CN="dave@strongswan.org"
-SERIAL="02"
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
-pki --gen --type bliss --size 3 > ${TEST_KEY}
-pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS III, CN=${CN}" \
-    --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
-cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
+check_commands partprobe qemu-img qemu-nbd bindfs
 
-# Put a copy in the ikev2/rw-ntru-bliss scenario
-TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
-cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private/
-cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs/
+load_qemu_nbd
 
-# Put a copy in the swanctl/rw-ntru-bliss scenario
-TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
-mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss
-mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
-cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss/
-cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509/
+mkdir -p $LOOPDIR
+mkdir -p $IMGDIR
 
-# Generate a moon BLISS certificate with 192 bit security strength
-TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
-TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.der"
-TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.der"
-CN="moon.strongswan.org"
-SERIAL="03"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
-pki --gen --type bliss --size 4 > ${TEST_KEY}
-pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
-    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
-    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS IV, CN=${CN}" \
-    --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
-cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
+log_action "Connecting root image to NBD device $NBDEV"
+execute "qemu-nbd -c $NBDEV $ROOTIMG"
+do_on_exit qemu-nbd -d $NBDEV
+partprobe $NBDEV
 
-# Put a copy in the ikev2/rw-ntru-bliss scenario
-TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
-mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
-cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private/
-cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/certs/
+log_action "Mounting $NBDPARTITION to $LOOPDIR"
+execute "mount $NBDPARTITION $LOOPDIR"
+do_on_exit umount $LOOPDIR
 
-# Put a copy in the swanctl/rw-ntru-bliss scenario
-TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss
-mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
-cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss/
-cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509/
+log_action "Mounting proc filesystem to $LOOPDIR/proc"
+execute "mount -t proc none $LOOPDIR/proc"
+do_on_exit umount $LOOPDIR/proc
 
-################################################################################
-# SQL Data                                                                     #
-################################################################################
+mkdir -p $LOOPDIR/root/testing
+log_action "Mounting ${DIR} as /root/testing"
+execute "bindfs -u $SRCUID -g $SRCGID --create-for-user=$SRCUID --create-for-group=$SRCGID ${DIR} $LOOPDIR/root/testing"
+do_on_exit umount $LOOPDIR/root/testing
 
-CA_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CA_KEY}`
-CA_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${CA_KEY}`
-CA_CERT_HEX=`cat ${CA_CERT_DER} | hexdump -v -e '/1 "%02x"'`
-CA_CERT_PEM_HEX=`cat ${CA_CERT} | hexdump -v -e '/1 "%02x"'`
-#
-MOON_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
-MOON_KEY="${CA_DIR}/keys/moonKey.der"
-MOON_KEY_PEM="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
-MOON_KEY_PEM_HEX=`cat ${MOON_KEY_PEM} | hexdump -v -e '/1 "%02x"'`
-MOON_KEY_HEX=`cat ${MOON_KEY} | hexdump -v -e '/1 "%02x"'`
-MOON_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${MOON_KEY}`
-MOON_PUB_HEX=`pki --pub --type rsa --in ${MOON_KEY} | hexdump -v -e '/1 "%02x"'`
-MOON_CERT_HEX=`openssl x509 -in ${MOON_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
-MOON_CERT_PEM_HEX=`cat ${MOON_CERT} | hexdump -v -e '/1 "%02x"'`
-#
-SUN_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
-SUN_KEY="${CA_DIR}/keys/sunKey.der"
-SUN_KEY_PEM="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
-SUN_KEY_PEM_HEX=`cat ${SUN_KEY_PEM} | hexdump -v -e '/1 "%02x"'`
-SUN_KEY_HEX=`cat ${SUN_KEY} | hexdump -v -e '/1 "%02x"'`
-SUN_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${SUN_KEY}`
-SUN_CERT_HEX=`openssl x509 -in ${SUN_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
-SUN_CERT_PEM_HEX=`cat ${SUN_CERT} | hexdump -v -e '/1 "%02x"'`
-#
-CAROL_CERT="${DIR}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
-CAROL_KEY="${CA_DIR}/keys/carolKey.der"
-CAROL_KEY_HEX=`cat ${CAROL_KEY} | hexdump -v -e '/1 "%02x"'`
-CAROL_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CAROL_KEY}`
-CAROL_PUB_HEX=`pki --pub --type rsa --in ${CAROL_KEY} | hexdump -v -e '/1 "%02x"'`
-CAROL_CERT_HEX=`openssl x509 -in ${CAROL_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
-#
-DAVE_CERT="${DIR}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
-DAVE_KEY="${CA_DIR}/keys/daveKey.der"
-DAVE_KEY_HEX=`cat ${DAVE_KEY} | hexdump -v -e '/1 "%02x"'`
-DAVE_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${DAVE_KEY}`
-DAVE_PUB_HEX=`pki --pub --type rsa --in ${DAVE_KEY} | hexdump -v -e '/1 "%02x"'`
-DAVE_CERT_HEX=`openssl x509 -in ${DAVE_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
-#
-ALICE_CERT="${DIR}/hosts/alice/${SWANCTL_DIR}/x509/aliceCert.pem"
-ALICE_KEY="${CA_DIR}/keys/aliceKey.der"
-ALICE_KEY_HEX=`cat ${ALICE_KEY} | hexdump -v -e '/1 "%02x"'`
-ALICE_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${ALICE_KEY}`
-ALICE_CERT_HEX=`openssl x509 -in ${ALICE_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
-#
-VENUS_CERT="${DIR}/hosts/venus/${SWANCTL_DIR}/x509/venusCert.pem"
-VENUS_KEY="${CA_DIR}/keys/venusKey.der"
-VENUS_KEY_HEX=`cat ${VENUS_KEY} | hexdump -v -e '/1 "%02x"'`
-VENUS_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${VENUS_KEY}`
-VENUS_CERT_HEX=`openssl x509 -in ${VENUS_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
-#
-RESEARCH_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${RESEARCH_KEY}`
-RESEARCH_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${RESEARCH_KEY}`
-RESEARCH_CERT_HEX=`cat ${RESEARCH_CERT_DER} | hexdump -v -e '/1 "%02x"'`
-#
-CAROL_R_CERT="${RESEARCH_DIR}/certs/01.pem"
-CAROL_R_KEY="${RESEARCH_DIR}/keys/01.der"
-CAROL_R_KEY_HEX=`cat ${CAROL_R_KEY} | hexdump -v -e '/1 "%02x"'`
-CAROL_R_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CAROL_R_KEY}`
-CAROL_R_CERT_HEX=`openssl x509 -in ${CAROL_R_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
-#
-SALES_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${SALES_KEY}`
-SALES_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${SALES_KEY}`
-SALES_CERT_HEX=`cat ${SALES_CERT_DER} | hexdump -v -e '/1 "%02x"'`
-#
-DAVE_S_CERT="${SALES_DIR}/certs/01.pem"
-DAVE_S_KEY="${SALES_DIR}/keys/01.der"
-DAVE_S_KEY_HEX=`cat ${DAVE_S_KEY} | hexdump -v -e '/1 "%02x"'`
-DAVE_S_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${DAVE_S_KEY}`
-DAVE_S_CERT_HEX=`openssl x509 -in ${DAVE_S_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
-#
-for t in ip-pool-db ip-pool-db-expired ip-pool-db-restart ip-split-pools-db \
-         ip-split-pools-db-restart multi-level-ca rw-cert rw-psk-rsa-split \
-         rw-psk-ipv4 rw-psk-ipv6 rw-rsa rw-rsa-keyid
-do
-  for h in carol dave moon
-  do
-    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
-    sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
-        -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
-        -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
-        -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
-        -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
-        -e "s/MOON_PUB_HEX/${MOON_PUB_HEX}/g" \
-        -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
-        -e "s/CAROL_KEY_HEX/${CAROL_KEY_HEX}/g" \
-        -e "s/CAROL_SPK_HEX/${CAROL_SPK_HEX}/g" \
-        -e "s/CAROL_PUB_HEX/${CAROL_PUB_HEX}/g" \
-        -e "s/CAROL_CERT_HEX/${CAROL_CERT_HEX}/g" \
-        -e "s/DAVE_KEY_HEX/${DAVE_KEY_HEX}/g" \
-        -e "s/DAVE_SPK_HEX/${DAVE_SPK_HEX}/g" \
-        -e "s/DAVE_PUB_HEX/${DAVE_PUB_HEX}/g" \
-        -e "s/DAVE_CERT_HEX/${DAVE_CERT_HEX}/g" \
-        -e "s/RESEARCH_SPK_HEX/${RESEARCH_SPK_HEX}/g" \
-        -e "s/RESEARCH_SPKI_HEX/${RESEARCH_SPKI_HEX}/g" \
-        -e "s/RESEARCH_CERT_HEX/${RESEARCH_CERT_HEX}/g" \
-        -e "s/CAROL_R_KEY_HEX/${CAROL_R_KEY_HEX}/g" \
-        -e "s/CAROL_R_SPK_HEX/${CAROL_R_SPK_HEX}/g" \
-        -e "s/CAROL_R_CERT_HEX/${CAROL_R_CERT_HEX}/g" \
-        -e "s/SALES_SPK_HEX/${SALES_SPK_HEX}/g" \
-        -e "s/SALES_SPKI_HEX/${SALES_SPKI_HEX}/g" \
-        -e "s/SALES_CERT_HEX/${SALES_CERT_HEX}/g" \
-        -e "s/DAVE_S_KEY_HEX/${DAVE_S_KEY_HEX}/g" \
-        -e "s/DAVE_S_SPK_HEX/${DAVE_S_SPK_HEX}/g" \
-        -e "s/DAVE_S_CERT_HEX/${DAVE_S_CERT_HEX}/g" \
-        ${TEST_DATA}.in > ${TEST_DATA}
-  done
-done
-#
-for t in rw-eap-aka-rsa
-do
-  for h in carol moon
-  do
-    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
-    sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
-        -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
-        -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
-        -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
-        -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
-        -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
-        ${TEST_DATA}.in > ${TEST_DATA}
-  done
-done
-#
-for t in net2net-cert net2net-psk net2net-route-pem net2net-start-pem
-do
-  for h in moon sun
-  do
-    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
-    sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
-        -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
-        -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
-        -e "s/CA_CERT_PEM_HEX/${CA_CERT_PEM_HEX}/g" \
-        -e "s/MOON_KEY_PEM_HEX/${MOON_KEY_PEM_HEX}/g" \
-        -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
-        -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
-        -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
-        -e "s/MOON_CERT_PEM_HEX/${MOON_CERT_PEM_HEX}/g" \
-        -e "s/SUN_KEY_PEM_HEX/${SUN_KEY_PEM_HEX}/g" \
-        -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
-        -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
-        -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
-        -e "s/SUN_CERT_PEM_HEX/${SUN_CERT_PEM_HEX}/g" \
-               ${TEST_DATA}.in > ${TEST_DATA}
-  done
-done
-#
-for t in shunt-policies-nat-rw
-do
-  for h in alice venus sun
-  do
-    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
-    sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
-        -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
-        -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
-        -e "s/ALICE_KEY_HEX/${ALICE_KEY_HEX}/g" \
-        -e "s/ALICE_SPK_HEX/${ALICE_SPK_HEX}/g" \
-        -e "s/ALICE_CERT_HEX/${ALICE_CERT_HEX}/g" \
-        -e "s/VENUS_KEY_HEX/${VENUS_KEY_HEX}/g" \
-        -e "s/VENUS_SPK_HEX/${VENUS_SPK_HEX}/g" \
-        -e "s/VENUS_CERT_HEX/${VENUS_CERT_HEX}/g" \
-        -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
-        -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
-        -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
-        ${TEST_DATA}.in > ${TEST_DATA}
-  done
-done
+log_action "Building certificates"
+execute_chroot "/root/testing/scripts/build-certs-chroot"
diff --git a/testing/scripts/build-certs-chroot b/testing/scripts/build-certs-chroot
new file mode 100755 (executable)
index 0000000..2bf717d
--- /dev/null
@@ -0,0 +1,1876 @@
+#!/bin/bash
+
+echo "Building certificates"
+
+# Disable leak detective when using pki as it produces warnings in tzset
+export LEAK_DETECTIVE_DISABLE=1
+
+# Determine testing directory
+DIR="$(dirname `readlink -f $0`)/.."
+
+# Define some global variables
+PROJECT="strongSwan Project"
+CA_DIR="${DIR}/hosts/winnetou/etc/ca"
+CA_KEY="${CA_DIR}/strongswanKey.pem"
+CA_CERT="${CA_DIR}/strongswanCert.pem"
+CA_CERT_DER="${CA_DIR}/strongswanCert.der"
+CA_CRL="${CA_DIR}/strongswan.crl"
+CA_LAST_CRL="${CA_DIR}/strongswan_last.crl"
+CA_CDP="http://crl.strongswan.org/strongswan.crl"
+CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
+CA_OCSP="http://ocsp.strongswan.org:8880"
+#
+START=`date  -d "-2 day"    "+%d.%m.%y %T"`
+SH_END=`date -d "-1 day"    "+%d.%m.%y %T"`    #  1 day
+CA_END=`date -d "+3651 day" "+%d.%m.%y %T"`    # 10 years
+IM_END=`date -d "+3286 day" "+%d.%m.%y %T"`    #  9 years
+EE_END=`date -d "+2920 day" "+%d.%m.%y %T"`    #  8 years
+SH_EXP=`date -d "-1 day"    "+%y%m%d%H%M%SZ"`  #  1 day
+IM_EXP=`date -d "+3286 day" "+%y%m%d%H%M%SZ"`  #  9 years
+EE_EXP=`date -d "+2920 day" "+%y%m%d%H%M%SZ"`  #  8 years
+NOW=`date "+%y%m%d%H%M%SZ"`
+#
+RESEARCH_DIR="${CA_DIR}/research"
+RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem"
+RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem"
+RESEARCH_CERT_DER="${RESEARCH_DIR}/researchCert.der"
+RESEARCH_CDP="http://crl.strongswan.org/research.crl"
+#
+SALES_DIR="${CA_DIR}/sales"
+SALES_KEY="${SALES_DIR}/salesKey.pem"
+SALES_CERT="${SALES_DIR}/salesCert.pem"
+SALES_CERT_DER="${SALES_DIR}/salesCert.der"
+SALES_CDP="http://crl.strongswan.org/sales.crl"
+#
+DUCK_DIR="${CA_DIR}/duck"
+DUCK_KEY="${DUCK_DIR}/duckKey.pem"
+DUCK_CERT="${DUCK_DIR}/duckCert.pem"
+#
+ECDSA_DIR="${CA_DIR}/ecdsa"
+ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem"
+ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem"
+ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"
+#
+RFC3779_DIR="${CA_DIR}/rfc3779"
+RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem"
+RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem"
+RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"
+#
+SHA3_RSA_DIR="${CA_DIR}/sha3-rsa"
+SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem"
+SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem"
+SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"
+#
+ED25519_DIR="${CA_DIR}/ed25519"
+ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
+ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
+ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"
+#
+MONSTER_DIR="${CA_DIR}/monster"
+MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
+MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
+MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
+MONSTER_CA_RSA_SIZE="8192"
+MONSTER_EE_RSA_SIZE="4096"
+#
+BLISS_DIR="${CA_DIR}/bliss"
+BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der"
+BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der"
+BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"
+#
+RSA_SIZE="3072"
+IPSEC_DIR="etc/ipsec.d"
+SWANCTL_DIR="etc/swanctl"
+TKM_DIR="etc/tkm"
+HOSTS="carol dave moon sun alice venus bob"
+TEST_DIR="${DIR}/tests"
+
+# Create directories
+mkdir -p ${CA_DIR}/certs
+mkdir -p ${CA_DIR}/keys
+mkdir -p ${RESEARCH_DIR}/certs
+mkdir -p ${RESEARCH_DIR}/keys
+mkdir -p ${SALES_DIR}/certs
+mkdir -p ${SALES_DIR}/keys
+mkdir -p ${DUCK_DIR}/certs
+mkdir -p ${ECDSA_DIR}/certs
+mkdir -p ${RFC3779_DIR}/certs
+mkdir -p ${SHA3_RSA_DIR}/certs
+mkdir -p ${ED25519_DIR}/certs
+mkdir -p ${MONSTER_DIR}/certs
+mkdir -p ${BLISS_DIR}/certs
+
+################################################################################
+# strongSwan Root CA                                                           #
+################################################################################
+
+# Generate strongSwan Root CA
+pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${CA_KEY}
+pki --self --type rsa --in ${CA_KEY} --not-before "${START}" --not-after "${CA_END}" \
+    --ca --pathlen 1 --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \
+    --outform pem > ${CA_CERT}
+
+# Distribute strongSwan Root CA certificate
+for h in ${HOSTS}
+do
+  HOST_DIR="${DIR}/hosts/${h}"
+  mkdir -p ${HOST_DIR}/${IPSEC_DIR}/cacerts
+  mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/x509ca
+  cp ${CA_CERT} ${HOST_DIR}/${IPSEC_DIR}/cacerts
+  cp ${CA_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509ca
+done
+
+# Put a copy onto the alice FreeRADIUS server
+mkdir -p ${DIR}/hosts/alice/etc/raddb/certs
+cp ${CA_CERT} ${DIR}/hosts/alice/etc/raddb/certs
+
+# Convert strongSwan Root CA certificate into DER format
+openssl x509 -in ${CA_CERT} -outform der -out ${CA_CERT_DER}
+
+# Gernerate a stale CRL
+pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} \
+    --this-update "${START}" --lifetime 1 > ${CA_LAST_CRL}
+
+# Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl
+TEST="${TEST_DIR}/ikev2/crl-ldap"
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/crls
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/crls
+cp ${CA_LAST_CRL} ${TEST}/hosts/carol/${IPSEC_DIR}/crls/stale.crl
+cp ${CA_LAST_CRL} ${TEST}/hosts/moon/${IPSEC_DIR}/crls/stale.crl
+
+# Generate host keys
+for h in ${HOSTS}
+do
+  HOST_DIR="${DIR}/hosts/${h}"
+  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem"
+  mkdir -p ${HOST_DIR}/${IPSEC_DIR}/private
+  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
+
+  # Put a copy into swanctl directory tree
+  mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/rsa
+  cp ${HOST_KEY} ${HOST_DIR}/${SWANCTL_DIR}/rsa
+
+  # Convert host key into DER format
+  openssl rsa -in ${HOST_KEY} -outform der -out ${CA_DIR}/keys/${h}Key.der \
+          2> /dev/null
+done
+
+# Put DER-encoded moon private key and Root CA certificate into tkm scenarios
+for t in host2host-initiator host2host-responder host2host-xfrmproxy \
+         net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
+do
+  TEST="${TEST_DIR}/tkm/${t}"
+  mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
+  cp ${CA_DIR}/keys/moonKey.der ${CA_CERT_DER} ${TEST}/hosts/moon/${TKM_DIR}
+done
+
+# Put DER_encoded sun private key and Root CA certificate into tkm scenarios
+TEST="${TEST_DIR}/tkm/multiple-clients"
+mkdir -p ${TEST}/hosts/sun/${TKM_DIR}
+cp ${CA_DIR}/keys/sunKey.der ${CA_CERT_DER} ${TEST}/hosts/sun/${TKM_DIR}
+
+# Convert moon private key into unencrypted PKCS#8 format
+TEST="${TEST_DIR}/ikev2/rw-pkcs8"
+HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
+openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -out ${TEST_KEY}
+
+# Convert carol private key into v1.5 DES encrypted PKCS#8 format
+HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
+openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
+              -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
+
+# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
+HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
+TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
+mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
+openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8  -v2 aes128 \
+              -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
+
+################################################################################
+# Public Key Extraction                                                        #
+################################################################################
+
+# Extract the raw moon public key for the swanctl/net2net-pubkey scenario
+TEST="${TEST_DIR}/swanctl/net2net-pubkey"
+TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
+HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
+mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
+pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
+cp ${TEST_PUB} ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
+
+# Put a copy into the  following ikev2 scenarios
+for t in net2net-dnssec net2net-pubkey rw-dnssec
+do
+  TEST="${TEST_DIR}/ikev2/${t}"
+  mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+  cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+done
+
+# Put a copy into the ikev2/net2net-pubkey scenario
+TEST="${TEST_DIR}/ikev2/net2net-pubkey"
+mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
+cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
+
+# Put a copy into the swanctl/rw-dnssec scenario
+TEST="${TEST_DIR}/swanctl/rw-dnssec"
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
+cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
+
+# Put a copy into the following swanctl scenarios
+for t in rw-pubkey-anon rw-pubkey-keyid
+do
+  TEST="${TEST_DIR}/swanctl/${t}"
+  for h in moon carol dave
+  do
+    mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
+    cp ${TEST_PUB} ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
+  done
+done
+
+# Extract the raw sun public key for the swanctl/net2net-pubkey scenario
+TEST="${TEST_DIR}/swanctl/net2net-pubkey"
+TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
+HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
+pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
+cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
+
+# Put a copy into the ikev2/net2net-dnssec scenario
+TEST="${TEST_DIR}/ikev2/net2net-dnssec"
+mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
+cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
+
+# Put a copy into the ikev2/net2net-pubkey scenario
+TEST="${TEST_DIR}/ikev2/net2net-pubkey"
+cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
+
+# Put a copy into the swanctl/rw-pubkey-anon scenario
+TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
+cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
+
+# Extract the raw carol public key for the swanctl/rw-dnssec scenario
+TEST="${TEST_DIR}/swanctl/rw-dnssec"
+TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
+HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
+pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
+
+# Put a copy into the swanctl/rw-pubkey-anon scenario
+TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
+cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
+cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
+
+# Put a copy into the swanctl/rw-pubkey-keyid scenario
+TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
+cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
+cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
+
+# Extract the raw dave public key for the swanctl/rw-dnssec scenario
+TEST="${TEST_DIR}/swanctl/rw-dnssec"
+TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
+HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
+pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
+
+# Put a copy into the swanctl/rw-pubkey-anon scenario
+TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
+cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
+cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
+
+# Put a copy into the swanctl/rw-pubkey-keyid scenario
+TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
+cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
+cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
+
+################################################################################
+# Host Certificate Generation                                                  #
+################################################################################
+
+# function issue_cert: serial host cn [ou]
+issue_cert()
+{
+  # does optional OU argument exist?
+  if [ -z "${4}" ]
+  then
+    OU=""
+  else
+    OU=" OU=${4},"
+  fi
+
+  HOST_DIR="${DIR}/hosts/${2}"
+  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${2}Key.pem"
+  HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${2}Cert.pem"
+  mkdir -p ${HOST_DIR}/${IPSEC_DIR}/certs
+  pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+      --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${3} \
+      --serial ${1} --dn "C=CH, O=${PROJECT},${OU} CN=${3}" \
+      --outform pem > ${HOST_CERT}
+  cp ${HOST_CERT} ${CA_DIR}/certs/${1}.pem
+
+  # Put a certificate copy into swanctl directory tree
+  mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/x509
+  cp ${HOST_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509
+}
+
+# Generate host certificates
+issue_cert 01 carol carol@strongswan.org Research
+issue_cert 02 dave dave@strongswan.org Accounting
+issue_cert 03 moon moon.strongswan.org
+issue_cert 04 sun sun.strongswan.org
+issue_cert 05 alice alice@strongswan.org Sales
+issue_cert 06 venus venus.strongswan.org
+issue_cert 07 bob bob@strongswan.org Research
+
+# Create PKCS#12 file for moon
+TEST="${TEST_DIR}/ikev2/net2net-pkcs12"
+HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
+HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
+MOON_PKCS12="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonCert.p12"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
+openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "moon" \
+        -certfile ${CA_CERT} -caname "strongSwan Root CA" \
+        -aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > ${MOON_PKCS12} 2> /dev/null
+
+# Create PKCS#12 file for sun
+HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
+HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
+SUN_PKCS12="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunCert.p12"
+mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
+openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "sun" \
+        -certfile ${CA_CERT} -caname "strongSwan Root CA" \
+        -aes128 -passout "pass:IxjQVCF3JGI+MoPi" > ${SUN_PKCS12} 2> /dev/null
+
+# Put a PKCS#12 copy into the botan/net2net-pkcs12 scenario
+for t in botan/net2net-pkcs12 openssl-ikev2/net2net-pkcs12
+do
+  TEST="${TEST_DIR}/${t}"
+  mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
+  mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
+  cp ${MOON_PKCS12} ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
+  cp ${SUN_PKCS12}  ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
+done
+
+################################################################################
+# DNSSEC Zone Files                                                            #
+################################################################################
+
+# Store moon and sun certificates in strongswan.org zone
+ZONE_FILE="${CA_DIR}/db.strongswan.org.certs-and-keys"
+echo "; Automatically generated for inclusion in zone file" > ${ZONE_FILE}
+for h in moon sun
+do
+  HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
+  cert=$(grep --invert-match ^----- ${HOST_CERT}| sed -e 's/^/\t\t\t\t/')
+  echo -e "${h}\tIN\tCERT\t( 1 0 0\n${cert}\n\t\t\t\t)" >> ${ZONE_FILE}
+done
+
+# Store public keys in strongswan.org zone
+echo ";" >> ${ZONE_FILE}
+for h in moon sun carol dave
+do
+  HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
+  pubkey=$(pki --pub --type x509 --in ${HOST_CERT} --outform dnskey | sed 's/\(.\{0,64\}\)/\t\t\t\t\1\n/g')
+  echo -e "${h}\tIN\tIPSECKEY\t( 10 3 2 ${h}.strongswan.org.\n${pubkey}\n\t\t\t\t)" >> ${ZONE_FILE}
+done
+
+# Generate a carol certificate for the swanctl/crl-to-cache scenario with base CDP
+TEST="${TEST_DIR}/swanctl/crl-to-cache"
+TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
+HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
+CN="carol@strongswan.org"
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
+    --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
+    --outform pem > ${TEST_CERT}
+
+# Generate a moon certificate for the swanctl/crl-to-cache scenario with base CDP
+TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
+HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
+CN="moon.strongswan.org"
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
+    --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \
+    --outform pem > ${TEST_CERT}
+
+# Encrypt carolKey.pem
+HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
+KEY_PWD="nH5ZQEWtku0RJEZ6"
+openssl rsa -in ${HOST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${HOST_KEY} \
+        2> /dev/null
+
+# Put a copy into the ikev2/dynamic-initiator scenario
+for t in ikev2/dynamic-initiator ikev1/dynamic-initiator ikev1/dynamic-responder
+do
+  TEST="${TEST_DIR}/${t}"
+  mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
+  mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+  cp ${HOST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+  cp ${CA_DIR}/certs/01.pem ${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem
+done
+
+# Put a copy into the swanctl/rw-cert scenario
+TEST="${TEST_DIR}/swanctl/rw-cert"
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+cp ${HOST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+
+# Generate another carol certificate and revoke it
+TEST="${TEST_DIR}/ikev2/crl-revoked"
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="08"
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
+    --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "key-compromise" \
+    --serial ${SERIAL} > ${CA_CRL}
+cp ${CA_CRL} ${CA_LAST_CRL}
+
+# Put a copy into the ikev2/ocsp-revoked scenario
+TEST="${TEST_DIR}/ikev2/ocsp-revoked"
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+cp ${TEST_KEY}  ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Generate another carol certificate with SN=002
+TEST="${TEST_DIR}/ikev2/two-certs"
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
+SERIAL="09"
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
+    --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+################################################################################
+# Research CA Certificate Generation                                           #
+################################################################################
+
+# Generate a Research CA certificate signed by the Root CA and revoke it
+TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
+SERIAL="0A"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${RESEARCH_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
+    --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "ca-compromise" \
+    --serial ${SERIAL} --lastcrl ${CA_LAST_CRL} > ${CA_CRL}
+rm ${CA_LAST_CRL}
+
+# Generate Research CA with the same private key as above signed by Root CA
+SERIAL="0B"
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
+    --outform pem > ${RESEARCH_CERT}
+cp ${RESEARCH_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Put a certificate copy into the following scenarios
+for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
+         ikev2/multi-level-ca-pathlen ikev2/multi-level-ca-strict \
+         ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
+do
+  TEST="${TEST_DIR}/${t}"
+  mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+  cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+done
+
+for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
+         ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
+do
+  TEST="${TEST_DIR}/${t}"
+  mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
+  cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
+done
+
+for t in multi-level-ca ocsp-multi-level
+do
+  TEST="${TEST_DIR}/swanctl/${t}"
+  mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+  cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+done
+
+# Convert Research CA certificate into DER format
+openssl x509 -in ${RESEARCH_CERT} -outform der -out ${RESEARCH_CERT_DER}
+
+# Generate Research CA with the same private key as above but invalid CDP
+TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --type rsa \
+    --crl "http://crl.strongswan.org/not-available.crl" \
+    --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
+    --outform pem > ${TEST_CERT}
+
+################################################################################
+# Sales CA Certificate Generation                                              #
+################################################################################
+
+# Generate Sales CA signed by Root CA
+SERIAL="0C"
+pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${SALES_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${SALES_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
+    --outform pem > ${SALES_CERT}
+cp ${SALES_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Put a certificate copy into the following scenarios
+for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
+         ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
+         ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
+do
+  TEST="${TEST_DIR}/${t}"
+  cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+done
+
+for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
+         ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
+do
+  TEST="${TEST_DIR}/${t}"
+  mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
+  cp ${SALES_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
+done
+
+for t in multi-level-ca ocsp-multi-level
+do
+  TEST="${TEST_DIR}/swanctl/${t}"
+  cp ${SALES_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+done
+
+# Convert Sales CA certificate into DER format
+openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER}
+
+# Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
+TEST="${TEST_DIR}/ikev2/strong-keys-certs"
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert-sha224.pem"
+KEY_PWD="gOQHdrSWeFuiZtYPetWuyzHW"
+CN="moon.strongswan.org"
+SERIAL="0D"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-224, CN=${CN}" \
+    --digest sha224 --outform pem > ${TEST_CERT}
+openssl rsa -in ${TEST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
+        2> /dev/null
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-aes192.pem"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-sha384.pem"
+KEY_PWD="ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
+CN="carol@strongswan.org"
+SERIAL="0E"
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-384, CN=${CN}" \
+    --digest sha384 --outform pem > ${TEST_CERT}
+openssl rsa -in ${TEST_KEY} -aes192 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
+        2> /dev/null
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
+TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey-aes256.pem"
+TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert-sha512.pem"
+KEY_PWD="MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
+CN="dave@strongswan.org"
+SERIAL="0F"
+mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-512, CN=${CN}" \
+    --digest sha512 --outform pem > ${TEST_CERT}
+openssl rsa -in ${TEST_KEY} -aes256 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
+        2> /dev/null
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Generate another carol certificate with an OCSP URI
+TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="10"
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
+    --ocsp ${CA_OCSP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Put a copy into the ikev2/ocsp-timeouts-good scenario
+TEST="${TEST_DIR}/ikev2/ocsp-timeouts-good"
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+cp ${TEST_KEY}  ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy into the swanctl/ocsp-signer-cert scenario
+for t in ocsp-signer-cert ocsp-disabled
+do
+  cd "${TEST_DIR}/swanctl/${t}/hosts/carol/${SWANCTL_DIR}"
+  mkdir -p rsa x509
+  cp ${TEST_KEY} rsa
+  cp ${TEST_CERT} x509
+done
+
+# Generate an OCSP Signing certificate for the strongSwan Root CA
+TEST_KEY="${CA_DIR}/ocspKey.pem"
+TEST_CERT="${CA_DIR}/ocspCert.pem"
+CN="ocsp.strongswan.org"
+OU="OCSP Signing Authority"
+SERIAL="11"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
+    --flag ocspSigning --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Generate a self-signed OCSP Signing certificate
+TEST_KEY="${CA_DIR}/ocspKey-self.pem"
+TEST_CERT="${CA_DIR}/ocspCert-self.pem"
+OU="OCSP Self-Signed Authority"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --self --type rsa --in ${TEST_KEY} --flag ocspSigning \
+    --not-before "${START}" --not-after "${CA_END}" --san ${CN} \
+    --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
+    --outform pem > ${TEST_CERT}
+
+# Copy self-signed OCSP Signing certificate to ikev2/ocsp-local-cert scenario
+TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
+cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
+
+# Generate mars virtual server certificate
+TEST="${TEST_DIR}/ha/both-active"
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/marsKey.pem"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/marsCert.pem"
+CN="mars.strongswan.org"
+OU="Virtual VPN Gateway"
+SERIAL="12"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
+    --flag serverAuth --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Put a copy into the mirrored gateway
+mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/certs
+cp ${TEST_KEY}  ${TEST}/hosts/alice/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/alice/${IPSEC_DIR}/certs
+
+# Put a copy into the ha/active-passive and ikev2-redirect-active scenarios
+for t in "ha/active-passive" "ikev2/redirect-active"
+do
+  TEST="${TEST_DIR}/${t}"
+  for h in alice moon
+  do
+    mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/private
+    mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
+    cp ${TEST_KEY}  ${TEST}/hosts/${h}/${IPSEC_DIR}/private
+    cp ${TEST_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
+  done
+done
+
+# Generate moon certificate with an unsupported critical X.509 extension
+TEST="${TEST_DIR}/ikev2/critical-extension"
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
+CN="moon.strongswan.org"
+SERIAL="13"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
+    --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
+    --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Put a copy in the openssl-ikev2/critical extension scenario
+TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
+cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
+cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
+
+# Generate sun certificate with an unsupported critical X.509 extension
+TEST="${TEST_DIR}/ikev2/critical-extension"
+TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
+TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
+CN="sun.strongswan.org"
+SERIAL="14"
+mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
+    --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
+    --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Put a copy in the openssl-ikev2/critical extension scenario
+TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
+mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
+cp ${TEST_KEY} ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
+cp ${TEST_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
+
+# Generate winnetou server certificate
+HOST_KEY="${CA_DIR}/winnetouKey.pem"
+HOST_CERT="${CA_DIR}/winnetouCert.pem"
+CN="winnetou.strongswan.org"
+SERIAL="15"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
+    --flag serverAuth --outform pem > ${HOST_CERT}
+cp ${HOST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Generate AAA server certificate
+TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
+TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
+TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
+CN="aaa.strongswan.org"
+SERIAL="16"
+cd "${TEST}/hosts/alice/${SWANCTL_DIR}"
+mkdir -p rsa x509
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
+    --flag serverAuth --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Put a copy into various tnc scenarios
+for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap
+do
+  cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}"
+  mkdir -p rsa x509
+  cp ${TEST_KEY}  rsa
+  cp ${TEST_CERT} x509
+done
+
+# Put a copy into the alice FreeRADIUS server
+cp ${TEST_KEY} ${TEST_CERT} ${DIR}/hosts/alice/etc/raddb/certs
+
+################################################################################
+# strongSwan Attribute Authority                                               #
+################################################################################
+
+# Generate Attritbute Authority certificate
+TEST="${TEST_DIR}/ikev2/acert-cached"
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
+CN="strongSwan Attribute Authority"
+SERIAL="17"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/acerts
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${IM_END}" \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
+    --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Generate carol's attribute certificate for sales and finance
+ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/carol-sales-finance.pem"
+pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
+    --in ${CA_DIR}/certs/01.pem --group sales --group finance \
+    --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
+
+# Generate dave's expired attribute certificate for sales
+ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-sales-expired.pem"
+pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
+    --in ${CA_DIR}/certs/02.pem --group sales \
+    --not-before "${START}" --not-after "${SH_END}" --outform pem  > ${ACERT}
+
+# Generate dave's attribute certificate for marketing
+ACERT_DM="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-marketing.pem"
+pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
+    --in ${CA_DIR}/certs/02.pem --group marketing \
+    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_DM}
+
+# Put a copy into the ikev2/acert-fallback scenario
+TEST="${TEST_DIR}/ikev2/acert-fallback"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/acerts
+cp ${TEST_KEY}  ${TEST}/hosts/moon/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
+
+# Generate carol's expired attribute certificate for finance
+ACERT=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
+pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
+    --in ${CA_DIR}/certs/01.pem --group finance \
+    --not-before "${START}" --not-after "${SH_END}" --outform pem  > ${ACERT}
+
+# Generate carol's valid attribute certificate for sales
+ACERT_CS=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem
+pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
+    --in ${CA_DIR}/certs/01.pem --group sales \
+    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_CS}
+
+# Put a copy into the ikev2/acert-inline scenarion
+TEST="${TEST_DIR}/ikev2/acert-inline"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
+mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
+cp ${TEST_KEY}  ${TEST}/hosts/moon/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
+cp ${ACERT_CS}  ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
+cp ${ACERT_DM}  ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
+
+# Generate a short-lived Attritbute Authority certificate
+CN="strongSwan Legacy AA"
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
+SERIAL="18"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${SH_END}" \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
+    --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Genrate dave's attribute certificate for sales from expired AA
+ACERT=${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem
+mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
+pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
+    --in ${CA_DIR}/certs/02.pem --group sales \
+    --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
+
+################################################################################
+# strongSwan Root CA index for OCSP server                                     #
+################################################################################
+
+# generate index.txt file for Root OCSP server
+cp ${CA_DIR}/index.txt.template ${CA_DIR}/index.txt
+sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${CA_DIR}/index.txt
+sed -i -e "s/IM_EXPIRATION/${IM_EXP}/g" ${CA_DIR}/index.txt
+sed -i -e "s/SH_EXPIRATION/${SH_EXP}/g" ${CA_DIR}/index.txt
+sed -i -e "s/REVOCATION/${NOW}/g" ${CA_DIR}/index.txt
+
+################################################################################
+# Research CA                                                                  #
+################################################################################
+
+# Generate a carol research certificate
+TEST="${TEST_DIR}/ikev2/multi-level-ca"
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="01"
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
+    --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
+
+# Save a copy of the private key in DER format
+openssl rsa -in ${TEST_KEY} -outform der \
+            -out ${RESEARCH_DIR}/keys/${SERIAL}.der 2> /dev/null
+
+# Put a copy in the following scenarios
+for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
+         ikev2/multi-level-ca-ldap ikev2/multi-level-ca-loop \
+         ikev2/multi-level-ca-revoked ikev2/multi-level-ca-skipped \
+         ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
+         ikev1/multi-level-ca ikev1/multi-level-ca-cr-init \
+         ikev1/multi-level-ca-cr-resp
+do
+  TEST="${TEST_DIR}/${t}"
+  mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
+  mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+  cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+  cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+done
+
+for t in multi-level-ca ocsp-multi-level
+do
+  TEST="${TEST_DIR}/swanctl/${t}"
+  mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+  mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+  cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+  cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+done
+
+# Generate a carol research certificate without a CDP
+TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
+pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
+    --outform pem > ${TEST_CERT}
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+
+# Generate an OCSP Signing certificate for the Research CA
+TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
+TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
+OU="Research OCSP Signing Authority"
+CN="ocsp.research.strongswan.org"
+SERIAL="02"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
+    --crl ${RESEARCH_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
+
+# Generate a Sales CA certificate signed by the Research CA
+TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
+SERIAL="03"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
+    --in ${SALES_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
+    --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
+
+################################################################################
+# Duck Research CA                                                                     #
+################################################################################
+
+# Generate a Duck Research CA certificate signed by the Research CA
+SERIAL="04"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${DUCK_KEY}
+pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
+    --in ${DUCK_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
+    --crl ${RESEARCH_CDP} --outform pem > ${DUCK_CERT}
+cp ${DUCK_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
+
+# Put a certificate copy in the ikev2/multilevel-ca-pathlen scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
+cp ${DUCK_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Generate a carol certificate signed by the Duck Research CA
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="01"
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${DUCK_KEY} --cacert ${DUCK_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
+    --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${DUCK_DIR}/certs/${SERIAL}.pem
+
+# Generate index.txt file for Research OCSP server
+cp ${RESEARCH_DIR}/index.txt.template ${RESEARCH_DIR}/index.txt
+sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${RESEARCH_DIR}/index.txt
+
+################################################################################
+# Sales CA                                                                     #
+################################################################################
+
+# Generate a dave sales certificate
+TEST="${TEST_DIR}/ikev2/multi-level-ca"
+TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
+TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
+CN="dave@strongswan.org"
+SERIAL="01"
+mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
+    --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
+
+# Save a copy of the private key in DER format
+openssl rsa -in ${TEST_KEY} -outform der \
+            -out ${SALES_DIR}/keys/${SERIAL}.der 2> /dev/null
+
+# Put a copy in the following scenarios
+for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
+         ikev2/multi-level-ca-ldap ikev2/multi-level-ca-strict \
+         ikev2/ocsp-multi-level ikev1/multi-level-ca \
+         ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp
+do
+  TEST="${TEST_DIR}/${t}"
+  mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
+  mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+  cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+  cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+done
+
+for t in multi-level-ca ocsp-multi-level
+do
+  TEST="${TEST_DIR}/swanctl/${t}"
+  mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
+  mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+  cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
+  cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+done
+
+# Generate a dave sales certificate with an inactive OCSP URI and no CDP
+TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
+TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
+mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
+pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
+    --ocsp "http://ocsp2.strongswan.org:8882" --outform pem > ${TEST_CERT}
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+
+# Generate an OCSP Signing certificate for the Sales CA
+TEST_KEY="${SALES_DIR}/ocspKey.pem"
+TEST_CERT="${SALES_DIR}/ocspCert.pem"
+OU="Sales OCSP Signing Authority"
+CN="ocsp.sales.strongswan.org"
+SERIAL="02"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
+    --crl ${SALES_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
+
+# Generate a Research CA certificate signed by the Sales CA
+TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
+SERIAL="03"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
+    --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
+    --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
+
+# generate index.txt file for Sales OCSP server
+cp ${SALES_DIR}/index.txt.template ${SALES_DIR}/index.txt
+sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${SALES_DIR}/index.txt
+
+################################################################################
+# strongSwan EC Root CA                                                        #
+################################################################################
+
+# Generate strongSwan EC Root CA
+pki --gen  --type ecdsa --size 521 --outform pem > ${ECDSA_KEY}
+pki --self --type ecdsa --in ${ECDSA_KEY} \
+    --not-before "${START}" --not-after "${CA_END}" --ca \
+    --dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
+    --outform pem > ${ECDSA_CERT}
+
+# Put a copy in the openssl-ikev2/ecdsa-certs scenario
+for t in ecdsa-certs ecdsa-pkcs8
+do
+  TEST="${TEST_DIR}/openssl-ikev2/${t}"
+  for h in moon carol dave
+  do
+    mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
+    cp ${ECDSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
+  done
+done
+
+# Generate a moon ECDSA 521 bit certificate
+TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
+MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
+MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
+CN="moon.strongswan.org"
+SERIAL="01"
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
+pki --gen --type ecdsa --size 521 --outform pem > ${MOON_KEY}
+pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
+    --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
+    --crl ${ECDSA_CDP} --outform pem > ${MOON_CERT}
+cp ${MOON_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
+
+# Generate a carol ECDSA 256 bit certificate
+CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
+CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="02"
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+pki --gen --type ecdsa --size 256 --outform pem > ${CAROL_KEY}
+pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
+    --in ${CAROL_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
+    --crl ${ECDSA_CDP} --outform pem > ${CAROL_CERT}
+cp ${CAROL_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
+
+# Generate a dave ECDSA 384 bit certificate
+DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
+DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
+CN="dave@strongswan.org"
+SERIAL="03"
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+pki --gen --type ecdsa --size 384 --outform pem > ${DAVE_KEY}
+pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
+    --in ${DAVE_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
+    --crl ${ECDSA_CDP} --outform pem > ${DAVE_CERT}
+cp ${DAVE_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
+
+# Put CA and EE certificate copies in the openssl-ikev2/ecdsa-pkcs8 scenario
+TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+cp ${MOON_CERT}  ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
+cp ${CAROL_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+cp ${DAVE_CERT}  ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+
+# Convert moon private key into unencrypted PKCS#8 format
+TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
+openssl pkcs8 -in ${MOON_KEY} -nocrypt -topk8 -out ${TEST_KEY}
+
+# Convert carol private key into v1.5 DES encrypted PKCS#8 format
+TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
+openssl pkcs8 -in ${CAROL_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
+              -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
+
+# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
+TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
+openssl pkcs8 -in ${DAVE_KEY} -nocrypt -topk8  -v2 aes128 \
+              -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
+
+# Put CA and EE certificate copies in the openssl-ikev1/ecdsa-certs scenario
+TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"
+cd ${TEST}/hosts/moon/${SWANCTL_DIR}
+mkdir -p ecdsa x509 x509ca
+cp ${MOON_KEY}   ecdsa
+cp ${MOON_CERT}  x509
+cp ${ECDSA_CERT} x509ca
+cd ${TEST}/hosts/carol/${SWANCTL_DIR}
+mkdir -p ecdsa x509 x509ca
+cp ${CAROL_KEY}  ecdsa
+cp ${CAROL_CERT} x509
+cp ${ECDSA_CERT} x509ca
+cd ${TEST}/hosts/dave/${SWANCTL_DIR}
+mkdir -p ecdsa x509 x509ca
+cp ${DAVE_KEY}   ecdsa
+cp ${DAVE_CERT}  x509
+cp ${ECDSA_CERT} x509ca
+
+################################################################################
+# strongSwan RFC3779 Root CA                                                   #
+################################################################################
+
+# Generate strongSwan RFC3779 Root CA
+pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${RFC3779_KEY}
+pki --self --type rsa --in ${RFC3779_KEY} \
+    --not-before "${START}" --not-after "${CA_END}" --ca \
+    --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
+    --addrblock "10.1.0.0-10.2.255.255" \
+    --addrblock "10.3.0.1-10.3.3.232" \
+    --addrblock "192.168.0.0/24" \
+    --addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
+    --outform pem > ${RFC3779_CERT}
+
+# Put a copy in the ikev2/net2net-rfc3779 scenario
+TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
+cp ${RFC3779_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+cp ${RFC3779_CERT} ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
+
+# Put a copy in the ipv6/rw-rfc3779-ikev2 scenario
+TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
+cp ${RFC3779_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+cp ${RFC3779_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
+
+# Generate a moon RFC3779 certificate
+TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
+CN="moon.strongswan.org"
+SERIAL="01"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
+    --addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
+    --addrblock "fec0::1/128" --addrblock "fec1::/16" \
+    --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
+
+# Put a copy in the ipv6 scenarios
+for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2
+do
+  cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}"
+  mkdir -p rsa x509 x509ca
+  cp ${TEST_KEY}  rsa
+  cp ${TEST_CERT} x509
+  cp ${RFC3779_CERT} x509ca
+done
+
+# Generate a sun RFC3779 certificate
+TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
+TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
+TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
+CN="sun.strongswan.org"
+SERIAL="02"
+mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
+    --addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
+    --addrblock "fec0::2/128" --addrblock "fec2::/16" \
+    --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
+
+# Put a copy in the ipv6/net2net-rfc3779-ikev2 scenario
+cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}"
+mkdir -p rsa x509 x509ca
+cp ${TEST_KEY} rsa
+cp ${TEST_CERT} x509
+cp ${RFC3779_CERT} x509ca
+
+# Generate a carol RFC3779 certificate
+TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
+TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="03"
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
+    --addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
+    --addrblock "fec0::10/128" \
+    --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
+
+# Generate a carol RFC3779 certificate
+TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
+TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
+TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
+CN="dave@strongswan.org"
+SERIAL="04"
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
+    --addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
+    --addrblock "fec0::20/128" \
+    --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
+
+################################################################################
+# strongSwan SHA3-RSA Root CA                                                  #
+################################################################################
+
+# Generate strongSwan SHA3-RSA Root CA
+pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${SHA3_RSA_KEY}
+pki --self --type rsa --in ${SHA3_RSA_KEY} --digest sha3_256 \
+    --not-before "${START}" --not-after "${CA_END}" --ca \
+    --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
+    --outform pem > ${SHA3_RSA_CERT}
+
+# Put a copy in the swanctl/net2net-sha3-rsa-cert scenario
+TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert"
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
+cp ${SHA3_RSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+cp ${SHA3_RSA_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
+
+# Generate a sun SHA3-RSA certificate
+SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
+SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
+CN="sun.strongswan.org"
+SERIAL="01"
+mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SUN_KEY}
+pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
+    --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
+    --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${SUN_CERT}
+cp ${SUN_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
+
+# Generate a moon SHA3-RSA certificate
+MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
+MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
+CN="moon.strongswan.org"
+SERIAL="02"
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${MOON_KEY}
+pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
+    --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
+    --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${MOON_CERT}
+cp ${MOON_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
+
+# Put a copy in the botan/net2net-sha3-rsa-cert scenario
+TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert"
+cd ${TEST}/hosts/moon/${SWANCTL_DIR}
+mkdir -p rsa x509 x509ca
+cp ${MOON_KEY}      rsa
+cp ${MOON_CERT}     x509
+cp ${SHA3_RSA_CERT} x509ca
+cd ${TEST}/hosts/sun/${SWANCTL_DIR}
+mkdir -p rsa x509 x509ca
+cp ${SUN_KEY}       rsa
+cp ${SUN_CERT}      x509
+cp ${SHA3_RSA_CERT} x509ca
+
+# Put a copy in the swanctl/rw-eap-tls-sha3-rsa scenario
+TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa"
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
+cp ${MOON_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
+cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
+
+# Generate a carol SHA3-RSA certificate
+TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="03"
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
+    --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
+
+# Generate a dave SHA3-RSA certificate
+TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
+TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
+CN="dave@strongswan.org"
+SERIAL="04"
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
+    --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
+
+for h in moon carol dave
+do
+  mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
+  cp ${SHA3_RSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
+done
+
+################################################################################
+# strongSwan Ed25519 Root CA                                                   #
+################################################################################
+
+# Generate strongSwan Ed25519 Root CA
+pki --gen  --type ed25519 --outform pem > ${ED25519_KEY}
+pki --self --type ed25519 --in ${ED25519_KEY} \
+    --not-before "${START}" --not-after "${CA_END}" --ca \
+    --dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
+    --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
+    --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
+    --outform pem > ${ED25519_CERT}
+
+# Put a copy in the swanctl/net2net-ed25519 scenario
+TEST="${TEST_DIR}/swanctl/net2net-ed25519"
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
+cp ${ED25519_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+cp ${ED25519_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
+
+# Generate a sun Ed25519 certificate
+SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
+SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
+CN="sun.strongswan.org"
+SERIAL="01"
+mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8
+mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
+pki --gen --type ed25519 --outform pem > ${SUN_KEY}
+pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
+    --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
+    --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "serverAuth" \
+    --crl ${ED25519_CDP} --outform pem > ${SUN_CERT}
+cp ${SUN_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
+
+# Generate a moon Ed25519 certificate
+MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
+MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
+CN="moon.strongswan.org"
+SERIAL="02"
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
+pki --gen --type ed25519 --outform pem > ${MOON_KEY}
+pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
+    --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
+    --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "serverAuth" \
+    --crl ${ED25519_CDP} --outform pem > ${MOON_CERT}
+cp ${MOON_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
+
+# Put a copy in the botan/net2net-ed25519 scenario
+TEST="${TEST_DIR}/botan/net2net-ed25519"
+cd ${TEST}/hosts/moon/${SWANCTL_DIR}
+mkdir -p pkcs8 x509 x509ca
+cp ${MOON_KEY}     pkcs8
+cp ${MOON_CERT}    x509
+cp ${ED25519_CERT} x509ca
+cd ${TEST}/hosts/sun/${SWANCTL_DIR}
+mkdir -p pkcs8 x509 x509ca
+cp ${SUN_KEY}      pkcs8
+cp ${SUN_CERT}     x509
+cp ${ED25519_CERT} x509ca
+
+# Put a copy in the ikev2/net2net-ed25519 scenario
+TEST="${TEST_DIR}/ikev2/net2net-ed25519"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}
+cd ${TEST}/hosts/moon/${IPSEC_DIR}
+mkdir -p cacerts certs private
+cp ${MOON_KEY}     private
+cp ${MOON_CERT}    certs
+cp ${ED25519_CERT} cacerts
+mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}
+cd ${TEST}/hosts/sun/${IPSEC_DIR}
+mkdir -p cacerts certs private
+cp ${SUN_KEY}      private
+cp ${SUN_CERT}     certs
+cp ${ED25519_CERT} cacerts
+
+# Put a copy in the swanctl/rw-ed25519-certpol scenario
+TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol"
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
+cp ${MOON_KEY}  ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
+cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
+
+for h in moon carol dave
+do
+  mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
+  cp ${ED25519_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
+done
+
+# Generate a carol Ed25519 certificate
+TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="03"
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+pki --gen --type ed25519 --outform pem > ${TEST_KEY}
+pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
+    --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "clientAuth" \
+    --crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
+
+# Generate a dave Ed25519 certificate
+TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
+TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
+CN="dave@strongswan.org"
+SERIAL="04"
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+pki --gen --type ed25519 --outform pem > ${TEST_KEY}
+pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
+    --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "clientAuth" \
+    --crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
+
+################################################################################
+# strongSwan Monster Root CA                                                   #
+################################################################################
+
+# Generate strongSwan Monster Root CA
+pki --gen  --type rsa --size ${MONSTER_CA_RSA_SIZE} --outform pem > ${MONSTER_KEY}
+pki --self --type rsa --in ${MONSTER_KEY} \
+    --not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" --ca \
+    --dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
+    --outform pem > ${MONSTER_CERT}
+
+# Put a copy in the ikev2/after-2038-certs scenario
+TEST="${TEST_DIR}/ikev2/after-2038-certs"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
+cp ${MONSTER_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+cp ${MONSTER_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
+
+# Generate a moon Monster certificate
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
+CN="moon.strongswan.org"
+SERIAL="01"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
+    --in ${TEST_KEY} --san ${CN} \
+    --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
+    --crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
+
+# Generate a carol Monster certificate
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="02"
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
+    --in ${TEST_KEY} --san ${CN} \
+    --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
+    --crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
+
+################################################################################
+# Bliss CA                                                                     #
+################################################################################
+
+# Generate BLISS Root CA with 192 bit security strength
+pki --gen  --type bliss --size 4 > ${BLISS_KEY}
+pki --self --type bliss --in ${BLISS_KEY} --digest sha3_512 \
+    --not-before "${START}" --not-after "${CA_END}" --ca \
+    --dn "C=CH, O=${PROJECT}, CN=strongSwan BLISS Root CA" > ${BLISS_CERT}
+
+# Put a copy in the following scenarios
+for t in rw-newhope-bliss rw-ntru-bliss
+do
+  TEST="${TEST_DIR}/ikev2/${t}"
+  for h in moon carol dave
+  do
+    mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts
+    cp ${BLISS_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts
+  done
+done
+
+TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
+for h in moon carol dave
+do
+   mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
+   cp ${BLISS_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
+done
+
+# Generate a carol BLISS certificate with 128 bit security strength
+TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.der"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.der"
+CN="carol@strongswan.org"
+SERIAL="01"
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+pki --gen --type bliss --size 1 > ${TEST_KEY}
+pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS I, CN=${CN}" \
+    --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
+cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
+
+# Put a copy in the ikev2/rw-ntru-bliss scenario
+TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the swanctl/rw-ntru-bliss scenario
+TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
+cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+
+# Generate a dave BLISS certificate with 160 bit security strength
+TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
+TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.der"
+TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.der"
+CN="dave@strongswan.org"
+SERIAL="02"
+mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+pki --gen --type bliss --size 3 > ${TEST_KEY}
+pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS III, CN=${CN}" \
+    --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
+cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
+
+# Put a copy in the ikev2/rw-ntru-bliss scenario
+TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
+mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private/
+cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs/
+
+# Put a copy in the swanctl/rw-ntru-bliss scenario
+TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss/
+cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509/
+
+# Generate a moon BLISS certificate with 192 bit security strength
+TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.der"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.der"
+CN="moon.strongswan.org"
+SERIAL="03"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+pki --gen --type bliss --size 4 > ${TEST_KEY}
+pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS IV, CN=${CN}" \
+    --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
+cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
+
+# Put a copy in the ikev2/rw-ntru-bliss scenario
+TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private/
+cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/certs/
+
+# Put a copy in the swanctl/rw-ntru-bliss scenario
+TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
+cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss/
+cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509/
+
+################################################################################
+# SQL Data                                                                     #
+################################################################################
+
+CA_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CA_KEY}`
+CA_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${CA_KEY}`
+CA_CERT_HEX=`cat ${CA_CERT_DER} | hexdump -v -e '/1 "%02x"'`
+CA_CERT_PEM_HEX=`cat ${CA_CERT} | hexdump -v -e '/1 "%02x"'`
+#
+MOON_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
+MOON_KEY="${CA_DIR}/keys/moonKey.der"
+MOON_KEY_PEM="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
+MOON_KEY_PEM_HEX=`cat ${MOON_KEY_PEM} | hexdump -v -e '/1 "%02x"'`
+MOON_KEY_HEX=`cat ${MOON_KEY} | hexdump -v -e '/1 "%02x"'`
+MOON_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${MOON_KEY}`
+MOON_PUB_HEX=`pki --pub --type rsa --in ${MOON_KEY} | hexdump -v -e '/1 "%02x"'`
+MOON_CERT_HEX=`openssl x509 -in ${MOON_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
+MOON_CERT_PEM_HEX=`cat ${MOON_CERT} | hexdump -v -e '/1 "%02x"'`
+#
+SUN_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
+SUN_KEY="${CA_DIR}/keys/sunKey.der"
+SUN_KEY_PEM="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
+SUN_KEY_PEM_HEX=`cat ${SUN_KEY_PEM} | hexdump -v -e '/1 "%02x"'`
+SUN_KEY_HEX=`cat ${SUN_KEY} | hexdump -v -e '/1 "%02x"'`
+SUN_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${SUN_KEY}`
+SUN_CERT_HEX=`openssl x509 -in ${SUN_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
+SUN_CERT_PEM_HEX=`cat ${SUN_CERT} | hexdump -v -e '/1 "%02x"'`
+#
+CAROL_CERT="${DIR}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
+CAROL_KEY="${CA_DIR}/keys/carolKey.der"
+CAROL_KEY_HEX=`cat ${CAROL_KEY} | hexdump -v -e '/1 "%02x"'`
+CAROL_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CAROL_KEY}`
+CAROL_PUB_HEX=`pki --pub --type rsa --in ${CAROL_KEY} | hexdump -v -e '/1 "%02x"'`
+CAROL_CERT_HEX=`openssl x509 -in ${CAROL_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
+#
+DAVE_CERT="${DIR}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
+DAVE_KEY="${CA_DIR}/keys/daveKey.der"
+DAVE_KEY_HEX=`cat ${DAVE_KEY} | hexdump -v -e '/1 "%02x"'`
+DAVE_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${DAVE_KEY}`
+DAVE_PUB_HEX=`pki --pub --type rsa --in ${DAVE_KEY} | hexdump -v -e '/1 "%02x"'`
+DAVE_CERT_HEX=`openssl x509 -in ${DAVE_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
+#
+ALICE_CERT="${DIR}/hosts/alice/${SWANCTL_DIR}/x509/aliceCert.pem"
+ALICE_KEY="${CA_DIR}/keys/aliceKey.der"
+ALICE_KEY_HEX=`cat ${ALICE_KEY} | hexdump -v -e '/1 "%02x"'`
+ALICE_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${ALICE_KEY}`
+ALICE_CERT_HEX=`openssl x509 -in ${ALICE_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
+#
+VENUS_CERT="${DIR}/hosts/venus/${SWANCTL_DIR}/x509/venusCert.pem"
+VENUS_KEY="${CA_DIR}/keys/venusKey.der"
+VENUS_KEY_HEX=`cat ${VENUS_KEY} | hexdump -v -e '/1 "%02x"'`
+VENUS_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${VENUS_KEY}`
+VENUS_CERT_HEX=`openssl x509 -in ${VENUS_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
+#
+RESEARCH_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${RESEARCH_KEY}`
+RESEARCH_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${RESEARCH_KEY}`
+RESEARCH_CERT_HEX=`cat ${RESEARCH_CERT_DER} | hexdump -v -e '/1 "%02x"'`
+#
+CAROL_R_CERT="${RESEARCH_DIR}/certs/01.pem"
+CAROL_R_KEY="${RESEARCH_DIR}/keys/01.der"
+CAROL_R_KEY_HEX=`cat ${CAROL_R_KEY} | hexdump -v -e '/1 "%02x"'`
+CAROL_R_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CAROL_R_KEY}`
+CAROL_R_CERT_HEX=`openssl x509 -in ${CAROL_R_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
+#
+SALES_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${SALES_KEY}`
+SALES_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${SALES_KEY}`
+SALES_CERT_HEX=`cat ${SALES_CERT_DER} | hexdump -v -e '/1 "%02x"'`
+#
+DAVE_S_CERT="${SALES_DIR}/certs/01.pem"
+DAVE_S_KEY="${SALES_DIR}/keys/01.der"
+DAVE_S_KEY_HEX=`cat ${DAVE_S_KEY} | hexdump -v -e '/1 "%02x"'`
+DAVE_S_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${DAVE_S_KEY}`
+DAVE_S_CERT_HEX=`openssl x509 -in ${DAVE_S_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
+#
+for t in ip-pool-db ip-pool-db-expired ip-pool-db-restart ip-split-pools-db \
+         ip-split-pools-db-restart multi-level-ca rw-cert rw-psk-rsa-split \
+         rw-psk-ipv4 rw-psk-ipv6 rw-rsa rw-rsa-keyid
+do
+  for h in carol dave moon
+  do
+    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
+    sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
+        -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
+        -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
+        -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
+        -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
+        -e "s/MOON_PUB_HEX/${MOON_PUB_HEX}/g" \
+        -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
+        -e "s/CAROL_KEY_HEX/${CAROL_KEY_HEX}/g" \
+        -e "s/CAROL_SPK_HEX/${CAROL_SPK_HEX}/g" \
+        -e "s/CAROL_PUB_HEX/${CAROL_PUB_HEX}/g" \
+        -e "s/CAROL_CERT_HEX/${CAROL_CERT_HEX}/g" \
+        -e "s/DAVE_KEY_HEX/${DAVE_KEY_HEX}/g" \
+        -e "s/DAVE_SPK_HEX/${DAVE_SPK_HEX}/g" \
+        -e "s/DAVE_PUB_HEX/${DAVE_PUB_HEX}/g" \
+        -e "s/DAVE_CERT_HEX/${DAVE_CERT_HEX}/g" \
+        -e "s/RESEARCH_SPK_HEX/${RESEARCH_SPK_HEX}/g" \
+        -e "s/RESEARCH_SPKI_HEX/${RESEARCH_SPKI_HEX}/g" \
+        -e "s/RESEARCH_CERT_HEX/${RESEARCH_CERT_HEX}/g" \
+        -e "s/CAROL_R_KEY_HEX/${CAROL_R_KEY_HEX}/g" \
+        -e "s/CAROL_R_SPK_HEX/${CAROL_R_SPK_HEX}/g" \
+        -e "s/CAROL_R_CERT_HEX/${CAROL_R_CERT_HEX}/g" \
+        -e "s/SALES_SPK_HEX/${SALES_SPK_HEX}/g" \
+        -e "s/SALES_SPKI_HEX/${SALES_SPKI_HEX}/g" \
+        -e "s/SALES_CERT_HEX/${SALES_CERT_HEX}/g" \
+        -e "s/DAVE_S_KEY_HEX/${DAVE_S_KEY_HEX}/g" \
+        -e "s/DAVE_S_SPK_HEX/${DAVE_S_SPK_HEX}/g" \
+        -e "s/DAVE_S_CERT_HEX/${DAVE_S_CERT_HEX}/g" \
+        ${TEST_DATA}.in > ${TEST_DATA}
+  done
+done
+#
+for t in rw-eap-aka-rsa
+do
+  for h in carol moon
+  do
+    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
+    sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
+        -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
+        -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
+        -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
+        -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
+        -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
+        ${TEST_DATA}.in > ${TEST_DATA}
+  done
+done
+#
+for t in net2net-cert net2net-psk net2net-route-pem net2net-start-pem
+do
+  for h in moon sun
+  do
+    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
+    sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
+        -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
+        -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
+        -e "s/CA_CERT_PEM_HEX/${CA_CERT_PEM_HEX}/g" \
+        -e "s/MOON_KEY_PEM_HEX/${MOON_KEY_PEM_HEX}/g" \
+        -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
+        -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
+        -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
+        -e "s/MOON_CERT_PEM_HEX/${MOON_CERT_PEM_HEX}/g" \
+        -e "s/SUN_KEY_PEM_HEX/${SUN_KEY_PEM_HEX}/g" \
+        -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
+        -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
+        -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
+        -e "s/SUN_CERT_PEM_HEX/${SUN_CERT_PEM_HEX}/g" \
+               ${TEST_DATA}.in > ${TEST_DATA}
+  done
+done
+#
+for t in shunt-policies-nat-rw
+do
+  for h in alice venus sun
+  do
+    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
+    sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
+        -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
+        -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
+        -e "s/ALICE_KEY_HEX/${ALICE_KEY_HEX}/g" \
+        -e "s/ALICE_SPK_HEX/${ALICE_SPK_HEX}/g" \
+        -e "s/ALICE_CERT_HEX/${ALICE_CERT_HEX}/g" \
+        -e "s/VENUS_KEY_HEX/${VENUS_KEY_HEX}/g" \
+        -e "s/VENUS_SPK_HEX/${VENUS_SPK_HEX}/g" \
+        -e "s/VENUS_CERT_HEX/${VENUS_CERT_HEX}/g" \
+        -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
+        -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
+        -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
+        ${TEST_DATA}.in > ${TEST_DATA}
+  done
+done