summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLinus Nordberg <linus@nordberg.se>2015-03-25 09:53:34 +0100
committerLinus Nordberg <linus@nordberg.se>2015-03-25 09:53:34 +0100
commitcbf3f563074e4f9a9024db0c0393aa4e6ba97087 (patch)
tree52f63e83bc31936204f59a89d4aa89914c0ed4e9
parent999bffa05d2f99cb33e14f50ed17b2da331b887b (diff)
Store rejected certificates.
Not storing the full chain, which would be even more useful. No rate limiting, which would be good. Also, reorganise some in x509.erl and add tests.
-rw-r--r--src/x509.erl146
-rw-r--r--test/testdata/chains/001.9ed5072acb40d74aa5034b4525e4db56e2733ed0.pem52
-rw-r--r--test/testdata/chains/002.8094ee90e2725c8ebde18bb83dd3cabe246ecb2b.pem62
-rw-r--r--test/testdata/chains/003.842456568ed7904347aa89ab777da4943ba1a7d5.pem213
-rw-r--r--test/testdata/chains/004.3ee62cb678014c14d22ebf96f44cc899adea72f1.pem50
-rw-r--r--test/testdata/chains/005.6969562e4080f424a1e7199f14baf3ee58ab6abb.pem13
-rw-r--r--test/testdata/chains/006.96974cd6b663a7184526b1d648ad815cf51e801a.pem (renamed from test/testdata/chains/5.96974cd6b663a7184526b1d648ad815cf51e801a.pem)0
-rw-r--r--test/testdata/chains/007.cb0d9182ec62dfef2f233441335f32667a5ce85b.pem89
-rw-r--r--test/testdata/chains/008.97eea3ff4bc293adb9de14a8fcf915804b4f026a.pem87
-rw-r--r--test/testdata/chains/009.29dcb4c215b563e71d615cae5f5a57dbfc2c2871.pem35
-rw-r--r--test/testdata/chains/010.2cf11ca183130b3ea882cbe2b620cc83bc8e4a6a.pem38
-rw-r--r--test/testdata/chains/011.7c2d41564b256f4115e646f71387aa9e1aaa0f56.pem80
-rw-r--r--test/testdata/chains/012.41b4b3980ab6389afe5647353b5abe882870b032.pem73
-rw-r--r--test/testdata/chains/013.9e862686af81aa013267c2b5fd098720734bc93b.pem69
14 files changed, 955 insertions, 52 deletions
diff --git a/src/x509.erl b/src/x509.erl
index c3a829f..1b0db5e 100644
--- a/src/x509.erl
+++ b/src/x509.erl
@@ -127,37 +127,55 @@ encoded_tbs_cert(DerCert) ->
PKIXCert,
EncodedTBSCert.
--spec extract_verify_data(#'Certificate'{}, binary()) -> {ok, tuple()} | error.
-%% @doc Return DER encoded TBScertificate, digest type and signature.
-%% Code from pubkey_cert:extract_verify_data/2.
-extract_verify_data(Cert, DerCert) ->
- PlainText = encoded_tbs_cert(DerCert),
- {_, Sig} = Cert#'Certificate'.signature,
- SigAlgRecord = Cert#'Certificate'.signatureAlgorithm,
- SigAlg = SigAlgRecord#'AlgorithmIdentifier'.algorithm,
- try
- {DigestType, _} = public_key:pkix_sign_types(SigAlg),
- {ok, {PlainText, DigestType, Sig}}
- catch
- error:function_clause ->
- lager:debug("signature algorithm not supported: ~p", [SigAlg]),
+-spec decode_cert(binary()) -> #'Certificate'{} | error.
+decode_cert(Der) ->
+ case (catch public_key:pkix_decode_cert(Der, plain)) of
+ #'Certificate'{} = Cert ->
+ Cert;
+ {'EXIT', Reason} ->
+ lager:info("invalid certificate: ~p: ~p", [cert_string(Der), Reason]),
+ dump_unparsable_cert(Der),
+ error;
+ Unknown ->
+ lager:info("unknown error decoding cert: ~p: ~p",
+ [cert_string(Der), Unknown]),
error
end.
-%% @doc Verify that Cert/DerCert is signed by Issuer.
--spec verify_sig(#'Certificate'{}, binary(), #'Certificate'{}) -> boolean().
-verify_sig(Cert, DerCert, % Certificate to verify.
- #'Certificate'{ % Issuer.
- tbsCertificate = #'TBSCertificate'{
- subjectPublicKeyInfo = IssuerSPKI}}) ->
- %% Dig out digest, digest type and signature from Cert/DerCert.
- case extract_verify_data(Cert, DerCert) of
- error -> false;
- {ok, Tuple} -> verify_sig2(IssuerSPKI, Tuple)
+parsable_cert_p(Der) ->
+ case decode_cert(Der) of
+ error ->
+ false;
+ _ ->
+ true
end.
-verify_sig2(IssuerSPKI, {DigestOrPlainText, DigestType, Signature}) ->
- %% Dig out issuer key from issuer cert.
+%% @doc Is Cert signed by Issuer? Only verify that the signature
+%% matches and don't check things like Cert.issuer == Issuer.subject.
+-spec signed_by_p(binary(), binary()) -> boolean().
+signed_by_p(SubjectDer, IssuerDer) ->
+ SubjectCert = decode_cert(SubjectDer),
+ IssuerCert = decode_cert(IssuerDer),
+
+ case {SubjectCert, IssuerCert} of
+ {#'Certificate'{},
+ #'Certificate'{tbsCertificate =
+ #'TBSCertificate'{subjectPublicKeyInfo =
+ IssuerSPKI}}} ->
+ %% Dig out digest, digest type and signature from subject cert and
+ %% verify signature.
+ case extract_verify_data(decode_cert(SubjectDer), SubjectDer) of
+ error ->
+ false;
+ {ok, SubjectData} ->
+ verify_sig(IssuerSPKI, SubjectData)
+ end;
+ _ ->
+ false
+ end.
+
+verify_sig(IssuerSPKI, {DigestOrPlainText, DigestType, Signature}) ->
+ %% Dig out alg, params and key from issuer.
#'SubjectPublicKeyInfo'{
algorithm = #'AlgorithmIdentifier'{algorithm = Alg, parameters = Params},
subjectPublicKey = {0, Key0}} = IssuerSPKI,
@@ -170,33 +188,29 @@ verify_sig2(IssuerSPKI, {DigestOrPlainText, DigestType, Signature}) ->
Point = #'ECPoint'{point = Key0},
ECParams = public_key:der_decode('EcpkParameters', Params),
{Point, ECParams};
- _ -> % FIXME: 'DSAPublicKey'
+ _ -> % FIXME: 'DSAPublicKey'
lager:error("NIY: Issuer key type ~p", [KeyType]),
false
end,
%% Verify the signature.
public_key:verify(DigestOrPlainText, DigestType, Signature, IssuerKey).
-%% @doc Is Cert signed by Issuer? Only verify that the signature
-%% matches and don't check things like Cert.issuer == Issuer.subject.
--spec signed_by_p(binary(), binary()) -> boolean().
-signed_by_p(DerCert, IssuerDerCert) when is_binary(DerCert),
- is_binary(IssuerDerCert) ->
- verify_sig(public_key:pkix_decode_cert(DerCert, plain),
- DerCert,
- public_key:pkix_decode_cert(IssuerDerCert, plain)).
-
-parsable_cert_p(Der) ->
- case (catch public_key:pkix_decode_cert(Der, plain)) of
- #'Certificate'{} ->
- true;
- {'EXIT', Reason} ->
- lager:info("invalid certificate: ~p: ~p", [cert_string(Der), Reason]),
- false;
- Unknown ->
- lager:info("unknown error decoding cert: ~p: ~p",
- [cert_string(Der), Unknown]),
- false
+-spec extract_verify_data(#'Certificate'{}, binary()) -> {ok, tuple()} | error.
+%% @doc Return DER encoded TBScertificate, digest type and signature.
+%% Code from pubkey_cert:extract_verify_data/2.
+extract_verify_data(Cert, DerCert) ->
+ PlainText = encoded_tbs_cert(DerCert),
+ {_, Sig} = Cert#'Certificate'.signature,
+ SigAlgRecord = Cert#'Certificate'.signatureAlgorithm,
+ SigAlg = SigAlgRecord#'AlgorithmIdentifier'.algorithm,
+ try
+ {DigestType, _} = public_key:pkix_sign_types(SigAlg),
+ {ok, {PlainText, DigestType, Sig}}
+ catch
+ error:function_clause ->
+ lager:debug("~p: signature algorithm not supported: ~p",
+ [cert_string(DerCert), SigAlg]),
+ error
end.
%% Precerts according to RFC6962.
@@ -367,18 +381,18 @@ pems_from_file(Filename) ->
Pems.
-spec dump_unparsable_cert(binary()) -> ok | {error, atom()} | not_logged.
-dump_unparsable_cert(CertDer) ->
+dump_unparsable_cert(Der) ->
case application:get_env(catlfish, rejected_certs_path) of
{ok, Directory} ->
{NowMegaSec, NowSec, NowMicroSec} = now(),
Filename =
filename:join(Directory,
io_lib:format("~p:~p.~p",
- [cert_string(CertDer),
+ [cert_string(Der),
NowMegaSec * 1000 * 1000 + NowSec,
NowMicroSec])),
- lager:debug("dumping cert to ~p~n", [Filename]),
- file:write_file(Filename, CertDer);
+ lager:info("dumping cert to ~p~n", [Filename]),
+ file:write_file(Filename, Der);
_ ->
not_logged
end.
@@ -429,7 +443,35 @@ valid_cert_test_() ->
%% Signature Algorithm: md2WithRSAEncryption
%% CA cert with sha1 96974cd6b663a7184526b1d648ad815cf51e801a
?_assertMatch(false, signed_by_p(hd(nth(6, Chains)),
- hd(nth(6, Chains))))
+ hd(nth(6, Chains)))),
+
+ %% Supposedly problematic chains from Google Aviator, fatal.
+ %% 00459972: asn1: syntax error: sequence truncated
+ ?_assertMatch({true, _}, normalise_chain(nth(7, Chains),
+ nth(7, Chains), 10)),
+ %% 1402673: x509: RSA modulus is not a positive number
+ ?_assertMatch({true, _}, normalise_chain(nth(8, Chains),
+ nth(8, Chains), 10)),
+ %% 1345105: asn1: syntax error: IA5String contains invalid character
+ ?_assertMatch({true, _}, normalise_chain(nth(9, Chains),
+ nth(9, Chains), 10)),
+ %% 1557693: asn1: structure error: integer too large
+ ?_assertMatch({true, _}, normalise_chain(nth(10, Chains),
+ nth(10, Chains), 10)),
+
+ %% Supposedly problematic chains from Google Aviator, non-fatal.
+ %% 16800: x509: negative serial number
+ %% a.pem
+ ?_assertMatch({true, _}, normalise_chain(nth(11, Chains),
+ nth(11, Chains), 10)),
+ %% 22487: x509: unhandled critical extension ([2 5 29 32])
+ %% b.pem
+ ?_assertMatch({true, _}, normalise_chain(nth(12, Chains),
+ nth(12, Chains), 10)),
+ %% 5198: x509: certificate contained IP address of length 8
+ %% c.pem
+ ?_assertMatch({true, _}, normalise_chain(nth(13, Chains),
+ nth(13, Chains), 10))
] end}.
chain_test_() ->
diff --git a/test/testdata/chains/001.9ed5072acb40d74aa5034b4525e4db56e2733ed0.pem b/test/testdata/chains/001.9ed5072acb40d74aa5034b4525e4db56e2733ed0.pem
new file mode 100644
index 0000000..0c8847b
--- /dev/null
+++ b/test/testdata/chains/001.9ed5072acb40d74aa5034b4525e4db56e2733ed0.pem
@@ -0,0 +1,52 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 1167666620 (0x45992dbc)
+ Signature Algorithm: md5WithRSAEncryption
+ Issuer: C=US, ST=California, L=Sunnyvale, O=HTTPS Management Certificate for SonicWALL (self-signed), OU=HTTPS Management Certificate for SonicWALL (self-signed), CN=192.168.168.168
+ Validity
+ Not Before: Jan 1 00:00:01 1970 GMT
+ Not After : Jan 19 03:14:07 2038 GMT
+ Subject: C=US, ST=California, L=Sunnyvale, O=HTTPS Management Certificate for SonicWALL (self-signed), OU=HTTPS Management Certificate for SonicWALL (self-signed), CN=192.168.168.168
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (1024 bit)
+ Modulus:
+ 00:d0:e3:96:0a:8c:4c:c6:86:72:99:f6:c4:3d:d9:
+ 87:56:12:65:1b:5b:ab:a7:fc:23:0f:d7:d3:66:a8:
+ eb:ff:04:6b:53:6a:e3:75:5e:c4:bd:f7:41:10:2c:
+ 4e:47:f6:ab:4a:99:79:f0:30:8a:9d:71:a2:5f:a5:
+ 11:79:5e:c9:85:28:1e:dd:17:c6:41:e9:94:60:ac:
+ 2f:cd:1b:7f:10:60:0c:9c:4a:be:11:00:10:83:70:
+ 44:df:b6:b3:81:ff:64:26:83:63:b1:30:7e:60:9f:
+ 15:26:41:f6:7b:23:aa:0a:54:4f:ad:9c:6f:25:d6:
+ 3a:e3:f1:7d:3f:28:22:c5:d9
+ Exponent: 65537 (0x10001)
+ Signature Algorithm: md5WithRSAEncryption
+ cd:2a:0b:e6:e9:f6:cb:cd:5f:8c:cd:7d:21:25:21:69:33:dd:
+ a3:a2:e9:25:4b:c4:56:51:c9:00:26:57:53:42:f2:27:50:d0:
+ 71:61:a8:c1:56:40:1e:5a:65:b1:79:35:b0:44:50:57:5f:87:
+ e9:c4:14:8d:5e:8f:3e:b9:11:9b:4f:91:99:06:82:68:17:53:
+ 5e:88:3c:4c:e7:2e:46:80:88:fc:6c:a9:b2:23:65:71:d0:f7:
+ df:22:53:0e:0c:4b:90:d2:ee:49:b8:c8:c3:e9:66:5d:72:a5:
+ 91:21:f0:c1:9d:b9:2f:38:14:da:d5:15:0f:fc:f4:0b:64:29:
+ b1:6f
+-----BEGIN CERTIFICATE-----
+MIIDJTCCAo6gAwIBAgIERZktvDANBgkqhkiG9w0BAQQFADCB1jELMAkGA1UEBhYC
+VVMxEzARBgNVBAgWCkNhbGlmb3JuaWExEjAQBgNVBAcWCVN1bm55dmFsZTFBMD8G
+A1UEChY4SFRUUFMgTWFuYWdlbWVudCBDZXJ0aWZpY2F0ZSBmb3IgU29uaWNXQUxM
+IChzZWxmLXNpZ25lZCkxQTA/BgNVBAsWOEhUVFBTIE1hbmFnZW1lbnQgQ2VydGlm
+aWNhdGUgZm9yIFNvbmljV0FMTCAoc2VsZi1zaWduZWQpMRgwFgYDVQQDFg8xOTIu
+MTY4LjE2OC4xNjgwHhcNNzAwMTAxMDAwMDAxWhcNMzgwMTE5MDMxNDA3WjCB1jEL
+MAkGA1UEBhYCVVMxEzARBgNVBAgWCkNhbGlmb3JuaWExEjAQBgNVBAcWCVN1bm55
+dmFsZTFBMD8GA1UEChY4SFRUUFMgTWFuYWdlbWVudCBDZXJ0aWZpY2F0ZSBmb3Ig
+U29uaWNXQUxMIChzZWxmLXNpZ25lZCkxQTA/BgNVBAsWOEhUVFBTIE1hbmFnZW1l
+bnQgQ2VydGlmaWNhdGUgZm9yIFNvbmljV0FMTCAoc2VsZi1zaWduZWQpMRgwFgYD
+VQQDFg8xOTIuMTY4LjE2OC4xNjgwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+ANDjlgqMTMaGcpn2xD3Zh1YSZRtbq6f8Iw/X02ao6/8Ea1Nq43VexL33QRAsTkf2
+q0qZefAwip1xol+lEXleyYUoHt0XxkHplGCsL80bfxBgDJxKvhEAEINwRN+2s4H/
+ZCaDY7EwfmCfFSZB9nsjqgpUT62cbyXWOuPxfT8oIsXZAgMBAAEwDQYJKoZIhvcN
+AQEEBQADgYEAzSoL5un2y81fjM19ISUhaTPdo6LpJUvEVlHJACZXU0LyJ1DQcWGo
+wVZAHlplsXk1sERQV1+H6cQUjV6PPrkRm0+RmQaCaBdTXog8TOcuRoCI/GypsiNl
+cdD33yJTDgxLkNLuSbjIw+lmXXKlkSHwwZ25LzgU2tUVD/z0C2QpsW8=
+-----END CERTIFICATE-----
diff --git a/test/testdata/chains/002.8094ee90e2725c8ebde18bb83dd3cabe246ecb2b.pem b/test/testdata/chains/002.8094ee90e2725c8ebde18bb83dd3cabe246ecb2b.pem
new file mode 100644
index 0000000..36ea7fd
--- /dev/null
+++ b/test/testdata/chains/002.8094ee90e2725c8ebde18bb83dd3cabe246ecb2b.pem
@@ -0,0 +1,62 @@
+% Self-signed.
+
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 0 (0x0)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=flimsytest
+ Validity
+ Not Before: May 4 10:17:19 2014 GMT
+ Not After : May 4 10:17:19 2015 GMT
+ Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=flimsytest
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (1024 bit)
+ Modulus:
+ 00:c5:1e:c3:c1:9a:26:e8:64:7f:dd:1c:05:5a:e0:
+ 9a:87:cc:d1:d4:f5:30:95:62:73:79:56:a8:8e:8e:
+ eb:12:7b:cb:8d:5e:5f:eb:3b:12:c9:c4:7d:fe:ad:
+ 85:c5:89:81:63:2f:3c:dc:a1:b6:ee:7c:7b:42:9d:
+ 6d:69:81:a4:c7:34:0e:85:f0:f3:ee:5f:34:92:a1:
+ 01:bb:f6:f6:c1:6a:e8:c6:cf:7f:44:8d:b7:9d:62:
+ d5:9a:7a:22:bc:f2:d4:e3:fa:03:e9:b1:ca:01:f0:
+ db:84:33:9f:64:60:f3:f8:7a:5b:f0:e3:9d:4e:b2:
+ 21:a1:49:a8:d9:e5:e8:7f:f5
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ Netscape Comment:
+ OpenSSL Generated Certificate
+ X509v3 Subject Key Identifier:
+ 7C:05:0C:BA:09:58:C2:DE:46:7F:ED:39:5B:87:B2:28:8B:99:D7:28
+ X509v3 Authority Key Identifier:
+ keyid:7C:05:0C:BA:09:58:C2:DE:46:7F:ED:39:5B:87:B2:28:8B:99:D7:28
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 59:47:3b:91:85:21:40:31:af:82:bf:57:21:c3:46:07:eb:14:
+ bf:be:ec:f8:98:d1:0e:51:0b:eb:2c:44:8a:95:d0:e9:43:04:
+ 56:43:c5:10:41:76:2e:6c:f3:0a:9b:e4:5f:15:f5:2e:38:17:
+ dd:f6:f7:9e:5f:ed:f7:b2:76:b2:c2:55:da:48:73:e4:54:dc:
+ 3b:7e:b8:88:33:27:83:67:34:c8:a4:e7:b2:c7:20:51:0e:9f:
+ f6:b8:f3:a5:73:e2:b2:fc:5e:cf:82:43:6b:0e:73:fa:ef:ce:
+ 5d:46:f8:de:54:6c:b1:96:17:be:1c:f9:c4:49:cb:8d:ee:0a:
+ da:32
+-----BEGIN CERTIFICATE-----
+MIICpTCCAg6gAwIBAgIBADANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJBVTET
+MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRMwEQYDVQQDDApmbGltc3l0ZXN0MB4XDTE0MDUwNDEwMTcxOVoXDTE1
+MDUwNDEwMTcxOVowWjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDETMBEGA1UEAwwKZmxp
+bXN5dGVzdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxR7DwZom6GR/3RwF
+WuCah8zR1PUwlWJzeVaojo7rEnvLjV5f6zsSycR9/q2FxYmBYy883KG27nx7Qp1t
+aYGkxzQOhfDz7l80kqEBu/b2wWroxs9/RI23nWLVmnoivPLU4/oD6bHKAfDbhDOf
+ZGDz+Hpb8OOdTrIhoUmo2eXof/UCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB
+hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
+FHwFDLoJWMLeRn/tOVuHsiiLmdcoMB8GA1UdIwQYMBaAFHwFDLoJWMLeRn/tOVuH
+siiLmdcoMA0GCSqGSIb3DQEBCwUAA4GBAFlHO5GFIUAxr4K/VyHDRgfrFL++7PiY
+0Q5RC+ssRIqV0OlDBFZDxRBBdi5s8wqb5F8V9S44F932955f7feydrLCVdpIc+RU
+3Dt+uIgzJ4NnNMik57LHIFEOn/a486Vz4rL8Xs+CQ2sOc/rvzl1G+N5UbLGWF74c
++cRJy43uCtoy
+-----END CERTIFICATE-----
diff --git a/test/testdata/chains/003.842456568ed7904347aa89ab777da4943ba1a7d5.pem b/test/testdata/chains/003.842456568ed7904347aa89ab777da4943ba1a7d5.pem
new file mode 100644
index 0000000..7d86862
--- /dev/null
+++ b/test/testdata/chains/003.842456568ed7904347aa89ab777da4943ba1a7d5.pem
@@ -0,0 +1,213 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 09:48:b1:a9:3b:25:1d:0d:b1:05:10:59:e2:c2:68:0a
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
+ Validity
+ Not Before: Oct 22 12:00:01 2013 GMT
+ Not After : May 3 12:00:00 2016 GMT
+ Subject: C=US, ST=Massachusetts, L=Walpole, O=The Tor Project, Inc., CN=*.torproject.org
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:b7:23:39:ed:c8:68:85:27:e5:81:0e:9c:00:0c:
+ fa:e2:25:2a:6d:07:c8:75:1a:47:aa:f0:53:49:b9:
+ 62:17:52:57:c0:d1:19:40:7c:d1:0e:bb:ce:42:1b:
+ ba:d4:cc:6c:49:5a:f0:aa:4f:4a:ab:0a:fc:54:a1:
+ 49:78:4b:58:1e:87:bf:95:15:da:34:7a:fc:fc:f1:
+ 8b:c4:1a:2c:c3:00:b8:b4:f9:a0:70:a4:47:a2:67:
+ 2c:56:6b:52:d3:ea:e7:44:66:85:87:e0:d7:99:30:
+ a2:c9:84:cc:fa:8b:6b:73:43:70:ae:6d:a5:35:f9:
+ 17:8f:03:bc:14:fe:d1:a0:99:40:b9:dd:28:6c:d5:
+ 86:22:48:a4:42:5d:7d:37:3a:f5:bd:62:e3:11:b2:
+ 87:3a:78:0a:15:05:0e:d9:8a:f4:c4:59:15:1b:c3:
+ 16:5e:19:69:50:5e:da:16:b0:ff:ed:64:7a:61:b0:
+ 87:95:2e:68:3f:8f:0e:a4:c9:97:ec:70:41:d5:02:
+ ac:a5:81:83:09:ce:54:b2:4a:aa:ba:76:fd:87:34:
+ 9a:49:13:15:7a:9d:50:3d:41:4b:ec:20:bc:20:e2:
+ eb:87:fb:9d:dc:b2:4d:08:1b:f0:85:a8:58:47:85:
+ e8:a1:db:88:56:4b:55:1f:e9:b8:7e:b8:71:bc:91:
+ 17:c7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Authority Key Identifier:
+ keyid:51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B
+
+ X509v3 Subject Key Identifier:
+ 82:26:08:F1:13:29:55:34:14:B4:8F:80:1D:71:B8:60:DA:4B:41:CC
+ X509v3 Subject Alternative Name:
+ DNS:*.torproject.org, DNS:torproject.org
+ X509v3 Key Usage: critical
+ Digital Signature, Key Encipherment
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication, TLS Web Client Authentication
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://crl3.digicert.com/sha2-ha-server-g1.crl
+
+ Full Name:
+ URI:http://crl4.digicert.com/sha2-ha-server-g1.crl
+
+ X509v3 Certificate Policies:
+ Policy: 2.16.840.1.114412.1.1
+ CPS: https://www.digicert.com/CPS
+
+ Authority Information Access:
+ OCSP - URI:http://ocsp.digicert.com
+ CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
+
+ X509v3 Basic Constraints: critical
+ CA:FALSE
+ Signature Algorithm: sha256WithRSAEncryption
+ 6f:70:71:7e:80:11:d0:aa:60:09:61:3a:e9:a9:4b:42:34:8f:
+ ab:74:63:d0:d6:8b:58:83:1e:04:d7:aa:99:85:df:64:52:0c:
+ 2e:83:d7:3e:ca:0a:3d:2e:c4:6a:6a:9f:5a:04:c4:8e:29:82:
+ 9c:e4:c6:c7:5f:56:bd:aa:41:18:14:ec:25:0c:dd:b8:23:20:
+ a5:01:5f:8c:3e:40:95:50:ab:cd:95:9f:59:23:40:b4:6f:5b:
+ db:b2:5e:8b:e8:cb:5b:d0:60:35:e5:e8:c5:e7:f0:53:e9:0d:
+ fc:b0:df:38:3e:67:96:a7:99:db:60:9d:19:00:ab:2b:93:2f:
+ dc:4c:e4:bf:5f:12:b7:13:b1:66:1e:ca:fa:8b:f3:87:88:68:
+ 4a:d5:e5:9b:1c:a3:c0:77:aa:53:83:b4:d3:dd:50:e5:ab:2b:
+ 2c:f0:4f:ad:ed:d7:24:b8:0a:c4:7a:45:63:9b:2f:28:a7:2e:
+ f9:37:8c:64:cc:48:6e:44:c7:4f:ab:bd:b6:b8:e9:c7:b1:8c:
+ 57:bc:f3:80:f7:a4:4a:b9:f4:e4:17:02:63:7b:fc:55:9b:f8:
+ 3b:be:53:76:dc:81:01:78:a9:bb:50:ea:7a:92:c2:11:19:3a:
+ 3a:6f:ec:98:af:67:f3:54:e5:71:a5:79:cc:36:46:c9:ed:63:
+ 52:fd:9b:52
+-----BEGIN CERTIFICATE-----
+MIIFXTCCBEWgAwIBAgIQCUixqTslHQ2xBRBZ4sJoCjANBgkqhkiG9w0BAQsFADBw
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
+dXJhbmNlIFNlcnZlciBDQTAeFw0xMzEwMjIxMjAwMDFaFw0xNjA1MDMxMjAwMDBa
+MHIxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMRAwDgYDVQQH
+EwdXYWxwb2xlMR4wHAYDVQQKExVUaGUgVG9yIFByb2plY3QsIEluYy4xGTAXBgNV
+BAMMECoudG9ycHJvamVjdC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC3IzntyGiFJ+WBDpwADPriJSptB8h1Gkeq8FNJuWIXUlfA0RlAfNEOu85C
+G7rUzGxJWvCqT0qrCvxUoUl4S1geh7+VFdo0evz88YvEGizDALi0+aBwpEeiZyxW
+a1LT6udEZoWH4NeZMKLJhMz6i2tzQ3CubaU1+RePA7wU/tGgmUC53Shs1YYiSKRC
+XX03OvW9YuMRsoc6eAoVBQ7ZivTEWRUbwxZeGWlQXtoWsP/tZHphsIeVLmg/jw6k
+yZfscEHVAqylgYMJzlSySqq6dv2HNJpJExV6nVA9QUvsILwg4uuH+53csk0IG/CF
+qFhHheih24hWS1Uf6bh+uHG8kRfHAgMBAAGjggHvMIIB6zAfBgNVHSMEGDAWgBRR
+aP+QrwIHdTzM2WVkYqISuFlyOzAdBgNVHQ4EFgQUgiYI8RMpVTQUtI+AHXG4YNpL
+QcwwKwYDVR0RBCQwIoIQKi50b3Jwcm9qZWN0Lm9yZ4IOdG9ycHJvamVjdC5vcmcw
+DgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB1
+BgNVHR8EbjBsMDSgMqAwhi5odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1o
+YS1zZXJ2ZXItZzEuY3JsMDSgMqAwhi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20v
+c2hhMi1oYS1zZXJ2ZXItZzEuY3JsMEIGA1UdIAQ7MDkwNwYJYIZIAYb9bAEBMCow
+KAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwgYMGCCsG
+AQUFBwEBBHcwdTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t
+ME0GCCsGAQUFBzAChkFodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl
+cnRTSEEySGlnaEFzc3VyYW5jZVNlcnZlckNBLmNydDAMBgNVHRMBAf8EAjAAMA0G
+CSqGSIb3DQEBCwUAA4IBAQBvcHF+gBHQqmAJYTrpqUtCNI+rdGPQ1otYgx4E16qZ
+hd9kUgwug9c+ygo9LsRqap9aBMSOKYKc5MbHX1a9qkEYFOwlDN24IyClAV+MPkCV
+UKvNlZ9ZI0C0b1vbsl6L6Mtb0GA15ejF5/BT6Q38sN84PmeWp5nbYJ0ZAKsrky/c
+TOS/XxK3E7FmHsr6i/OHiGhK1eWbHKPAd6pTg7TT3VDlqyss8E+t7dckuArEekVj
+my8opy75N4xkzEhuRMdPq722uOnHsYxXvPOA96RKufTkFwJje/xVm/g7vlN23IEB
+eKm7UOp6ksIRGTo6b+yYr2fzVOVxpXnMNkbJ7WNS/ZtS
+-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
+ Validity
+ Not Before: Oct 22 12:00:00 2013 GMT
+ Not After : Oct 22 12:00:00 2028 GMT
+ Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:b6:e0:2f:c2:24:06:c8:6d:04:5f:d7:ef:0a:64:
+ 06:b2:7d:22:26:65:16:ae:42:40:9b:ce:dc:9f:9f:
+ 76:07:3e:c3:30:55:87:19:b9:4f:94:0e:5a:94:1f:
+ 55:56:b4:c2:02:2a:af:d0:98:ee:0b:40:d7:c4:d0:
+ 3b:72:c8:14:9e:ef:90:b1:11:a9:ae:d2:c8:b8:43:
+ 3a:d9:0b:0b:d5:d5:95:f5:40:af:c8:1d:ed:4d:9c:
+ 5f:57:b7:86:50:68:99:f5:8a:da:d2:c7:05:1f:a8:
+ 97:c9:dc:a4:b1:82:84:2d:c6:ad:a5:9c:c7:19:82:
+ a6:85:0f:5e:44:58:2a:37:8f:fd:35:f1:0b:08:27:
+ 32:5a:f5:bb:8b:9e:a4:bd:51:d0:27:e2:dd:3b:42:
+ 33:a3:05:28:c4:bb:28:cc:9a:ac:2b:23:0d:78:c6:
+ 7b:e6:5e:71:b7:4a:3e:08:fb:81:b7:16:16:a1:9d:
+ 23:12:4d:e5:d7:92:08:ac:75:a4:9c:ba:cd:17:b2:
+ 1e:44:35:65:7f:53:25:39:d1:1c:0a:9a:63:1b:19:
+ 92:74:68:0a:37:c2:c2:52:48:cb:39:5a:a2:b6:e1:
+ 5d:c1:dd:a0:20:b8:21:a2:93:26:6f:14:4a:21:41:
+ c7:ed:6d:9b:f2:48:2f:f3:03:f5:a2:68:92:53:2f:
+ 5e:e3
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE, pathlen:0
+ X509v3 Key Usage: critical
+ Digital Signature, Certificate Sign, CRL Sign
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication, TLS Web Client Authentication
+ Authority Information Access:
+ OCSP - URI:http://ocsp.digicert.com
+
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
+
+ X509v3 Certificate Policies:
+ Policy: X509v3 Any Policy
+ CPS: https://www.digicert.com/CPS
+
+ X509v3 Subject Key Identifier:
+ 51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B
+ X509v3 Authority Key Identifier:
+ keyid:B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 18:8a:95:89:03:e6:6d:df:5c:fc:1d:68:ea:4a:8f:83:d6:51:
+ 2f:8d:6b:44:16:9e:ac:63:f5:d2:6e:6c:84:99:8b:aa:81:71:
+ 84:5b:ed:34:4e:b0:b7:79:92:29:cc:2d:80:6a:f0:8e:20:e1:
+ 79:a4:fe:03:47:13:ea:f5:86:ca:59:71:7d:f4:04:96:6b:d3:
+ 59:58:3d:fe:d3:31:25:5c:18:38:84:a3:e6:9f:82:fd:8c:5b:
+ 98:31:4e:cd:78:9e:1a:fd:85:cb:49:aa:f2:27:8b:99:72:fc:
+ 3e:aa:d5:41:0b:da:d5:36:a1:bf:1c:6e:47:49:7f:5e:d9:48:
+ 7c:03:d9:fd:8b:49:a0:98:26:42:40:eb:d6:92:11:a4:64:0a:
+ 57:54:c4:f5:1d:d6:02:5e:6b:ac:ee:c4:80:9a:12:72:fa:56:
+ 93:d7:ff:bf:30:85:06:30:bf:0b:7f:4e:ff:57:05:9d:24:ed:
+ 85:c3:2b:fb:a6:75:a8:ac:2d:16:ef:7d:79:27:b2:eb:c2:9d:
+ 0b:07:ea:aa:85:d3:01:a3:20:28:41:59:43:28:d2:81:e3:aa:
+ f6:ec:7b:3b:77:b6:40:62:80:05:41:45:01:ef:17:06:3e:de:
+ c0:33:9b:67:d3:61:2e:72:87:e4:69:fc:12:00:57:40:1e:70:
+ f5:1e:c9:b4
+-----BEGIN CERTIFICATE-----
+MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
+ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowcDEL
+MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
+LmRpZ2ljZXJ0LmNvbTEvMC0GA1UEAxMmRGlnaUNlcnQgU0hBMiBIaWdoIEFzc3Vy
+YW5jZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2
+4C/CJAbIbQRf1+8KZAayfSImZRauQkCbztyfn3YHPsMwVYcZuU+UDlqUH1VWtMIC
+Kq/QmO4LQNfE0DtyyBSe75CxEamu0si4QzrZCwvV1ZX1QK/IHe1NnF9Xt4ZQaJn1
+itrSxwUfqJfJ3KSxgoQtxq2lnMcZgqaFD15EWCo3j/018QsIJzJa9buLnqS9UdAn
+4t07QjOjBSjEuyjMmqwrIw14xnvmXnG3Sj4I+4G3FhahnSMSTeXXkgisdaScus0X
+sh5ENWV/UyU50RwKmmMbGZJ0aAo3wsJSSMs5WqK24V3B3aAguCGikyZvFEohQcft
+bZvySC/zA/WiaJJTL17jAgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEA
+MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
+NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
+dC5jb20wSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t
+L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDA9BgNVHSAENjA0MDIG
+BFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ
+UzAdBgNVHQ4EFgQUUWj/kK8CB3U8zNllZGKiErhZcjswHwYDVR0jBBgwFoAUsT7D
+aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQELBQADggEBABiKlYkD5m3fXPwd
+aOpKj4PWUS+Na0QWnqxj9dJubISZi6qBcYRb7TROsLd5kinMLYBq8I4g4Xmk/gNH
+E+r1hspZcX30BJZr01lYPf7TMSVcGDiEo+afgv2MW5gxTs14nhr9hctJqvIni5ly
+/D6q1UEL2tU2ob8cbkdJf17ZSHwD2f2LSaCYJkJA69aSEaRkCldUxPUd1gJea6zu
+xICaEnL6VpPX/78whQYwvwt/Tv9XBZ0k7YXDK/umdaisLRbvfXknsuvCnQsH6qqF
+0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae
+cPUeybQ=
+-----END CERTIFICATE-----
diff --git a/test/testdata/chains/004.3ee62cb678014c14d22ebf96f44cc899adea72f1.pem b/test/testdata/chains/004.3ee62cb678014c14d22ebf96f44cc899adea72f1.pem
new file mode 100644
index 0000000..2affd7a
--- /dev/null
+++ b/test/testdata/chains/004.3ee62cb678014c14d22ebf96f44cc899adea72f1.pem
@@ -0,0 +1,50 @@
+SHA1 Fingerprint=3E:E6:2C:B6:78:01:4C:14:D2:2E:BF:96:F4:4C:C8:99:AD:EA:72:F1
+Timestamp: 1364288520513
+Leafhash: F1BB1CD704EDFE2A37AB1FFD4EFB9E523F9F7227E945B06C18F52BF270729314
+-----BEGIN CERTIFICATE-----
+MIIE0jCCA7qgAwIBAgIEAP3y5DANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJLUjEcMBoGA1UE
+CgwTR292ZXJubWVudCBvZiBLb3JlYTENMAsGA1UECwwER1BLSTEUMBIGA1UEAwwLQ0ExMzQwNDAw
+MDEwHhcNMTExMTAxMDQ1ODAwWhcNMTQwMjAxMDQ1NzU5WjCBmjELMAkGA1UEBhMCS1IxHDAaBgNV
+BAoME0dvdmVybm1lbnQgb2YgS29yZWExGDAWBgNVBAsMD0dyb3VwIG9mIFNlcnZlcjEeMBwGA1UE
+CwwV6rWQ7Jyh6rO87ZWZ6riw7Iig67aAMRgwFgYDVQQDDA93d3cuYmVyZWEuYWMua3IxGTAXBgNV
+BAMMEGhha3NhLmJpdHMuYWMua3IwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALLf+nRKv05O
+fUAfobmxtuMuh+ZLXZeBM141nN0K8H3KN3BiqYqOONe7bbAreiz0p42Ul4rhL1FOwwNcvVf4nXBo
+wfu+Hiwp3WrD8ef8CJc3LywzJyq5fQ4MT0xYQYu1J4icv1SXacvXbSPwHK3Brt2JHxOpfzeVnh4T
+TAYRV3ZfAgMBAAGjggHrMIIB5zBnBggrBgEFBQcBAQRbMFkwVwYIKwYBBQUHMAKGS2xkYXA6Ly9s
+ZGFwLmVwa2kuZ28ua3I6Mzg5L2NuPUdQS0lSb290Q0Esb3U9R1BLSSxvPUdvdmVybm1lbnQgb2Yg
+S29yZWEsYz1LUjCBhgYDVR0jBH8wfYAU+nIEA5n96tt8UN2+5XKk0nclFcihU6RRME8xCzAJBgNV
+BAYTAktSMRwwGgYDVQQKDBNHb3Zlcm5tZW50IG9mIEtvcmVhMQ0wCwYDVQQLDARHUEtJMRMwEQYD
+VQQDDApHUEtJUm9vdENBghBH/vYAAgeG2AGSNf+eSiACMB0GA1UdDgQWBBSM7j+3kdc2M6QCR5H+
+xdNdfh2cEzALBgNVHQ8EBAMCBaAwDAYDVR0TBAUwAwEB/zAoBgNVHSUEITAfBggrBgEFBQcDAQYI
+KwYBBQUHAwIGCWCGSAGG+EIEATB8BgNVHR8EdTBzMHGgb6BthmtsZGFwOi8vbGRhcC5lcGtpLmdv
+LmtyOjM4OS9vdT1kcDFwMjA1NTYsb3U9Q1JMLG91PUdQS0ksbz1Hb3Zlcm5tZW50IG9mIEtvcmVh
+LGM9a3I/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDARBglghkgBhvhCAQEEBAMCBsAwDQYJKoZI
+hvcNAQEFBQADggEBAC14Ht+BTjUGTgeG0Q5C5Bdj2RqewI4asd8UPTkXf0N+Tg7VhR3f1bfyHnsX
+Zx8Dbdzij0dMD7NlMur5I1LKYTKMYruAxEPULLMhp9qsQX2i91t8s+uRYxcPWqK96DoRoeLJCpmQ
+D338GwoUsy+vy43K4urJnCLnEe/ZtWFD+XMIux89T7DglieBA4+PkUhsD3QA0Pd+l15Kx2RFh4os
+fX3IfKundxzJ0jQ4OzyeV/2NjyRb2GZQlJUuA9On+8EobU4nwDKJCv3MmsjlFFUa3TQk/n3JusRl
+Iwu3vNPWc3mqoWbF61oF/0aNPmsf17vLRCDOfDsEcufz1ZPQa02dpDY=
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIEXjCCA0agAwIBAgIQR/72AAIHhtgBkjX/nkogAjANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQG
+EwJLUjEcMBoGA1UECgwTR292ZXJubWVudCBvZiBLb3JlYTENMAsGA1UECwwER1BLSTETMBEGA1UE
+AwwKR1BLSVJvb3RDQTAeFw0wODA2MDkxNDA5MjFaFw0xODA2MDkxNDA5MjFaMFAxCzAJBgNVBAYT
+AktSMRwwGgYDVQQKDBNHb3Zlcm5tZW50IG9mIEtvcmVhMQ0wCwYDVQQLDARHUEtJMRQwEgYDVQQD
+DAtDQTEzNDA0MDAwMTCCASEwDQYJKoZIhvcNAQEBBQADggEOADCCAQkCggEAZvDlMT1PwNhEkeB5
+WvvyCrQXf10ah2jWNDq3A86IEHOVRB3sNoABgkCHue70jIa/EI9PRpdoouPYdR+DJPkFS9QLizlg
+krPCNQhJqr7vuXQd/JV2OFhKhsrlIrKZaB1FU0ndJmzezZUZZxBfsBz6LAjRZn4EVPPqQY+DR7fS
+rgh8h6yGPMhMtV8aADTpMkLmnfSjYJKsY4NTYheBsXQ7kr2d3CK5a7Sn3Nze4TvC05DyctpTWPJN
+yFOx8Ahyi0dVg77mNNx4uPXQhlip4n4pV4ibLlVw+O9E9/7lUDG31yH/wgSl4ukwcQjHHXI2dadv
+P2M63tjdHXfZVHBHY3IgKwIDAQABo4IBNDCCATAwHwYDVR0jBBgwFoAUFmcy9GheaDFH2+3szmEu
+miRGxH0wHQYDVR0OBBYEFPpyBAOZ/erbfFDdvuVypNJ3JRXIMA4GA1UdDwEB/wQEAwIBBjBPBgNV
+HSAESDBGMAwGCiqDGoaNIQUDAQMwDAYKKoMaho0hBQMBATAMBgoqgxqGjSEFAwEHMAwGCiqDGoaN
+IQUDAQkwDAYKKoMaho0hBQMBBTASBgNVHRMBAf8ECDAGAQH/AgEAMHkGA1UdHwRyMHAwbqBsoGqG
+aGxkYXA6Ly9jZW4uZGlyLmdvLmtyOjM4OS9jbj1HUEtJUm9vdENBLG91PUdQS0ksbz1Hb3Zlcm5t
+ZW50IG9mIEtvcmVhLGM9S1I/YXV0aG9yaXR5UmV2b2NhdGlvbmxpc3Q7YmluYXJ5MA0GCSqGSIb3
+DQEBBQUAA4IBAQAhagazxtMY+p+i1F/OyJJ0kwZU8PrKISJUZMpBxMaZpfCzUWSnaO9Ha6SPnqm8
+gE71ZJV+KUj6ll6YL3VExaGU2YPpNUzbo4mFuTP5QBo+d18sEZAIsKPAG2ZXw1wUBx51jduMBWGY
+o43JFS+XPlrxrYULPobprudrqTt+EffG++hey18VBk/mPubyovFlMZ74esV96IenJvGxMNhsS+U+
+RIE1QoLDscJrlenmjctbowNZ8pq91MJw6V8OG0w9ELVQMt98uidzU2fzF4W0XxHiIlZBtp6imOZx
+Q+xtCiJd0/S/jpEoHBU9ZEJrBRolRMdvf5Oh2qTLeowZU17RtC8T
+-----END CERTIFICATE-----
diff --git a/test/testdata/chains/005.6969562e4080f424a1e7199f14baf3ee58ab6abb.pem b/test/testdata/chains/005.6969562e4080f424a1e7199f14baf3ee58ab6abb.pem
new file mode 100644
index 0000000..e9d0c33
--- /dev/null
+++ b/test/testdata/chains/005.6969562e4080f424a1e7199f14baf3ee58ab6abb.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB4TCCAYegAwIBAgIRKjikHJYKBN5CsiilC+g0mAIwCgYIKoZIzj0EAwIwUDEk
+MCIGA1UECxMbR2xvYmFsU2lnbiBFQ0MgUm9vdCBDQSAtIFI0MRMwEQYDVQQKEwpH
+bG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWduMB4XDTEyMTExMzAwMDAwMFoX
+DTM4MDExOTAzMTQwN1owUDEkMCIGA1UECxMbR2xvYmFsU2lnbiBFQ0MgUm9vdCBD
+QSAtIFI0MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWdu
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuMZ5049sJQ6fLjkZHAOkrprlOQcJ
+FspjsbmG+IpXwVfOQvpzofdlQv8ewQCybnMO/8ch5RikqtlxP6jUuc6MHaNCMEAw
+DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFSwe61F
+uOJAf/sKbvu+M8k8o4TVMAoGCCqGSM49BAMCA0gAMEUCIQDckqGgE6bPA7DmxCGX
+kPoUVy0D7O48027KqGx2vKLeuwIgJ6iFJzWbVsaj8kfSt24bAgAXqmemFZHe+pTs
+ewv4n4Q=
+-----END CERTIFICATE-----
diff --git a/test/testdata/chains/5.96974cd6b663a7184526b1d648ad815cf51e801a.pem b/test/testdata/chains/006.96974cd6b663a7184526b1d648ad815cf51e801a.pem
index 4b0bcf5..4b0bcf5 100644
--- a/test/testdata/chains/5.96974cd6b663a7184526b1d648ad815cf51e801a.pem
+++ b/test/testdata/chains/006.96974cd6b663a7184526b1d648ad815cf51e801a.pem
diff --git a/test/testdata/chains/007.cb0d9182ec62dfef2f233441335f32667a5ce85b.pem b/test/testdata/chains/007.cb0d9182ec62dfef2f233441335f32667a5ce85b.pem
new file mode 100644
index 0000000..2fca29e
--- /dev/null
+++ b/test/testdata/chains/007.cb0d9182ec62dfef2f233441335f32667a5ce85b.pem
@@ -0,0 +1,89 @@
+-----BEGIN CERTIFICATE-----
+MIIFXjCCBEagAwIBAgICBx0wDQYJKoZIhvcNAQEFBQAwUDELMAkGA1UEBhMCREUxDzANBgNVBAoM
+BkdBRCBFRzERMA8GA1UECwwIVlIgSURFTlQxHTAbBgNVBAMMFFZSIElERU5UIFNTTCBDQSAyMDA5
+MB4XDTEzMDQwNDA4NDcxNFoXDTE0MDUwNDIxNTk1OVowgZUxCzAJBgNVBAYTAkRFMQ8wDQYDVQQI
+DAZCQVlFUk4xETAPBgNVBAcMCE1VRU5DSEVOMSwwKgYDVQQKDCNERVVUU0NIRVIgR0VOT1NTRU5T
+Q0hBRlRTLVZFUkxBRyBFRzEYMBYGA1UECwwPRElBTE9HTUFSS0VUSU5HMRowGAYDVQQDDBFXV1cu
+R0VOTy1MT0dJTi5ERTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbXt0nKG39wuCkg
+XkxtxNnvsAFxlLjJdbp9JpXJOtPSGqTK2c8x5jGCgsD4krDAcbBzVSWTMCkpwyL4Wq+pwhgTcZX2
+Ozuipsj5vGNNtSWgx46y8qOKaaQZAaJhXkuIH3uSXOqYz7iUymDyXUrw08itQJLCvMkY0Sici5sZ
+XNX7tZS91ltLjq/oOFE945Do6DmDrMqIkqf1aQJ+Z2eXoEvoeoZf6dEFxWK39M0fmLhEsyf1K7Nu
+6f4Eea/UUDdnNOV7Szs1O8zPzpb53rXvbyfWLWZ1sOsZkUo6tItGuQFWqj8x2Z+m8GjVpgh/hHsd
+HY0wGUXzjpChLcV2S/84Kz0CAwEAAaOCAfowggH2MGYGCCsGAQUFBwEBBFowWDBWBggrBgEFBQcw
+AYZKaHR0cDovL29jc3AudnItaWRlbnQuZGUvZ3Rub2NzcC9PQ1NQUmVzcG9uZGVyL1ZSJTIwSWRl
+bnQlMjBTU0wlMjBDQSUyMDIwMDkwgZIGA1UdIwSBijCBh4AiUFJPRC5HVE4uRVhTU0xDQS5TSUdH
+RU5SUy4wMDAwMTYwMKFepFwwWjELMAkGA1UEBhMCREUxDzANBgNVBAoTBkdBRCBlRzERMA8GA1UE
+CxMIVlIgSURFTlQxJzAlBgNVBAMTHlZSIElERU5UIEVYVEVSTkFMIFJPT1QgQ0EgMjAwOYIBAjCB
+sgYDVR0fBIGqMIGnME2gS6BJhkdodHRwOi8vd3d3LnZyLWlkZW50LmRlL2d0bmNybC9DUkxSZXNw
+b25kZXIvVlIlMjBJZGVudCUyMFNTTCUyMENBJTIwMjAwOTBWolSkUjBQMQswCQYDVQQGEwJERTEP
+MA0GA1UECgwGR0FEIEVHMREwDwYDVQQLDAhWUiBJREVOVDEdMBsGA1UEAwwUVlIgSURFTlQgU1NM
+IENBIDIwMDkwDgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBQygVXLjfIZAVbUPQH/WYD7yYA+0TAT
+BgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUFAAOCAQEAJdYUSflPqF47cCpCb3E7TKhQ
+YAouGo3/0nEecjgaCBkV3Z5O0KkNqKctpxH+1JO6rrT8O8+qZph+MCxYl3YVXDyrqXVdq2bMbN/h
+rUx2WCJYyz0g71rSJyBFALwSDSTh6fLEBQmuG45MOcvCe/rwwM8qI/C/PAmSzuxwCQ53mdpmiNP5
+5IJzhHjzGTB0hLM1VCGhDWhz4gCcR0gOok3dT1S4wxln5TUTSC2r97oe6olmLWtwG5g+svKtov/b
+7YDRSY4bwuIpY95GHMArmsIc3ceNQe5QKsBsEYgZPAh6yti2mcPIoVQltKJrQk4YcXAhOI+eeX5e
+e6zSirwDBbDMsQ==
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIEZzCCA1GgAwIBAgIBAjALBgkqhkiG9w0BAQUwWjELMAkGA1UEBhMCREUxDzANBgNVBAoTBkdB
+RCBlRzERMA8GA1UECxMIVlIgSURFTlQxJzAlBgNVBAMTHlZSIElERU5UIEVYVEVSTkFMIFJPT1Qg
+Q0EgMjAwOTAeFw0wOTA5MDExMzQzNThaFw0xNjA4MDUxNzMwNDNaMFAxCzAJBgNVBAYTAkRFMQ8w
+DQYDVQQKDAZHQUQgRUcxETAPBgNVBAsMCFZSIElERU5UMR0wGwYDVQQDDBRWUiBJREVOVCBTU0wg
+Q0EgMjAwOTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMkkUOLwvOHMwNf7OCp9V688
+5K+YHKD74mswf3p0y8QcmA5g/6jbExXbfLH8X2iuKDbFJGJ6lEoFnyK+ZEE4aHIIlsZXjBWVqSuT
+mA2QXTMCX4lQB0uTEMbkp8l9VJZOcwnp56/422+B+V/PQE4IWTbbIa46MVpiS0LpYU5dyzdlwScF
+yV8uH1IRhJkC05/7o4MrsqxsN9ZU9KI2ezo6oyJwEEfpbsqsGm50f8wwHtIzuNMnOkg6ZLIp1+bw
+ezclGnpwaYAcAUUbJLjD1BjXDlopVR7trlgrrCH/ZJ5/x1z/Dxq4wXXeY6SY7MAAECg6o4fmSeK+
+hE2pdY7qNzDJWJMCAwEAAaOCAUQwggFAMGYGCCsGAQUFBwEBBFowWDBWBggrBgEFBQcwAYZKaHR0
+cDovL29jc3AudnItaWRlbnQuZGUvZ3Rub2NzcC9PQ1NQUmVzcG9uZGVyL1ZSJTIwSWRlbnQlMjBT
+U0wlMjBDQSUyMDIwMDkwLgYDVR0jBCcwJYAjUFJPRC5HVE4uRVhST09UQ0EuU0lHR0VOUlMuMDAw
+MDE2MDAwDwYDVR0TAQH/BAUwAwEB/zBYBgNVHR8EUTBPME2gS6BJhkdodHRwOi8vd3d3LnZyLWlk
+ZW50LmRlL2d0bmNybC9DUkxSZXNwb25kZXIvVlIlMjBJZGVudCUyMFNTTCUyMENBJTIwMjAwOTAO
+BgNVHQ8BAf8EBAMCAYYwKwYDVR0OBCQEIlBST0QuR1ROLkVYU1NMQ0EuU0lHR0VOUlMuMDAwMDE2
+MDAwCwYJKoZIhvcNAQEFA4IBAQARXS47O/pO2QPLWV5bBey+x8Qc6EnkdzNyZRbniAa4ZRwoNFWH
+ZUuBO9BpyJ5Ej2MLpERrVdD62N8r1HCBWDI53dotZz2CrfLTxHWhpXE11G/f48aTi57pIS/Wi1iX
+IJNF67jf5q6WJrIcDkFJaOP/Sv4k3AGNdYBGtVHqOQf/zm/VEmCOsSLxndd8ql+1WDL0eNXXbQRM
+l7HgOy7UH9xU/uzd2cg2peTKs6IhUy/Xmt3+ogJm8dxP8r4Cr7EqQGvMV7qclkrLqaVa1LOPBa3j
+XWO4s7U1YXmdUIGAW/BAf6PRh/mjX9AEX5RpvrIJ8rjqzTgn1tQl+tyW6g8wrHlE
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIETDCCA7WgAwIBAgIEBydInjANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzEYMBYGA1UE
+ChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJUcnVzdCBTb2x1dGlvbnMsIElu
+Yy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEdsb2JhbCBSb290MB4XDTA5MDgwNTE3MzEzMVoX
+DTE2MDgwNTE3MzA0M1owWjELMAkGA1UEBhMCREUxDzANBgNVBAoTBkdBRCBlRzERMA8GA1UECxMI
+VlIgSURFTlQxJzAlBgNVBAMTHlZSIElERU5UIEVYVEVSTkFMIFJPT1QgQ0EgMjAwOTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKeQvkjveaO0Rz7TBwrFMa/4zNg8spAAZA1dJy9vjbee
+BK1jB8+wUD7/N2MMGmTM4wsot9962nyYsoss3OcJAHjpU2gfgtYydz+qEheA4P1SxUuyY9l2AT/S
+HKkLOB7uKrR9nMWYau9e8Z/rbniwDuN0RO3qwThS1xy5glViyWZZH7N8kMuqsWrlesq6Gg5q06yt
+3xFzt0+zFyAKjcbBnHxMZ97Ll56lhsZ1e4frbuT5uH/AsB8zq6moqXGgfrKOGgrX40xwDSBP6pDM
+EEQhMFBpuvsn8zqaGzy4zDyq2sODe88f0UF97Svt8SE6lS2TmbrJzILGgYt88QCEQZNh70UCAwEA
+AaOCAX4wggF6MBIGA1UdEwEB/wQIMAYBAf8CAQEwUwYDVR0gBEwwSjBIBgkrBgEEAbE+AQAwOzA5
+BggrBgEFBQcCARYtaHR0cDovL2N5YmVydHJ1c3Qub21uaXJvb3QuY29tL3JlcG9zaXRvcnkuY2Zt
+MA4GA1UdDwEB/wQEAwIBhjCBiQYDVR0jBIGBMH+heaR3MHUxCzAJBgNVBAYTAlVTMRgwFgYDVQQK
+Ew9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNvbHV0aW9ucywgSW5j
+LjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJvb3SCAgGlMEUGA1UdHwQ+MDwwOqA4
+oDaGNGh0dHA6Ly93d3cucHVibGljLXRydXN0LmNvbS9jZ2ktYmluL0NSTC8yMDE4L2NkcC5jcmww
+LAYDVR0OBCUEI1BST0QuR1ROLkVYUk9PVENBLlNJR0dFTlJTLjAwMDAxNjAwMA0GCSqGSIb3DQEB
+BQUAA4GBAIBqVFa9Y7EtnJTRyiLS5ShQM+3BBSJIOz+mxxv3ir7/AAK66yop5aKcUVlvx9kJQ+O5
+nbqhSQlyqsYCJLyH1Ay2LOV/Jjc1vHDbpGEhsup+24tPM9+kubQazh+8xgHgZN2JxCFHpqYurwPI
+JTJ0IpQNX3EiqFgfd4IuiY4u+Y3j
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIICWjCCAcMCAgGlMA0GCSqGSIb3DQEBBAUAMHUxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9HVEUg
+Q29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNvbHV0aW9ucywgSW5jLjEjMCEG
+A1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJvb3QwHhcNOTgwODEzMDAyOTAwWhcNMTgwODEz
+MjM1OTAwWjB1MQswCQYDVQQGEwJVUzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQL
+Ex5HVEUgQ3liZXJUcnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0
+IEdsb2JhbCBSb290MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVD6C28FCc6HrHiM3dFw4u
+sJTQGz0O9pTAipTHBsiQl8i4ZBp6fmw8U+E3KHNgf7KXUwefU/ltWJTSr41tiGeA5u2ylc9yMcql
+HHK6XALnZELn+aks1joNrI1CqiQBOeacPwGFVw1Yh0X404Wqk2kmhXBIgD8SFcd5tB8FLztimQID
+AQABMA0GCSqGSIb3DQEBBAUAA4GBAG3rGwnpXtlR22ciYaQqPEh346B8pt5zohQDhT37qw4wxYMW
+M4ETCJ57NE7fQMh017l93PR2VX2bY1QY6fDq81yx2YtCHrnAlU66+tXifPVoYb+O7AWXX1uw16OF
+NMQkpw0PlZPvy5TYnh+dXIVtx6quTx8itc2VrbqnzPmrC3p/
+-----END CERTIFICATE-----
+
+
diff --git a/test/testdata/chains/008.97eea3ff4bc293adb9de14a8fcf915804b4f026a.pem b/test/testdata/chains/008.97eea3ff4bc293adb9de14a8fcf915804b4f026a.pem
new file mode 100644
index 0000000..6b88b0c
--- /dev/null
+++ b/test/testdata/chains/008.97eea3ff4bc293adb9de14a8fcf915804b4f026a.pem
@@ -0,0 +1,87 @@
+-----BEGIN CERTIFICATE-----
+MIIGxTCCBa2gAwIBAgIQCxFta0HqQmeJFiuJSXo7gDANBgkqhkiG9w0BAQUFADBmMQswCQYDVQQG
+EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSUw
+IwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5jZSBDQS0zMB4XDTEzMDkxMzAwMDAwMFoXDTE0
+MDkxODEyMDAwMFowgYExCzAJBgNVBAYTAlVTMRIwEAYDVQQIEwlXaXNjb25zaW4xDzANBgNVBAcT
+BlJhY2luZTEgMB4GA1UEChMXVHdpbiBEaXNjLCBJbmNvcnBvcmF0ZWQxEjAQBgNVBAsTCUNvcnBv
+cmF0ZTEXMBUGA1UEAwwOKi50d2luZGlzYy5jb20wggEhMA0GCSqGSIb3DQEBAQUAA4IBDgAwggEJ
+AoIBALVeexMOuUpRrjhs9hfQm7zHVr30YUPmm1aa/LWjC795NwdTdhUYQzEqBjUagD5WaqBcrJET
+1oZ3ygeTVuxj3CYbsDd1ysgtR0Dku0FCKbpQylZQY/6Ez3VH/0cSMb0kr53sY9ftd+n+h3e8lEvR
+KDUEYKfALY8rmCdqTSNIIXSJpWHjfL9IHsCvzrOjwHukPnpKmVMXfCAqptiHBUzdihddnM0LhnLb
+vQott6KqcLXm84TxoC0ORdbulfpKAMwG1xNUD6DBONEVS7KjIGxJrNqHFongvSCSDsYQU271scen
+eVoESGxMFDzJr2QYe0CCq6COF/Q4hRwHZPpxiNBQv/cCAwEAAaOCA1IwggNOMB8GA1UdIwQYMBaA
+FFDqc4nbKfsQj57lASDU3nmZSIP3MB0GA1UdDgQWBBT8YtDCALtftoQt43QQ7Qoj2fMPRjAnBgNV
+HREEIDAegg4qLnR3aW5kaXNjLmNvbYIMdHdpbmRpc2MuY29tMA4GA1UdDwEB/wQEAwIFoDAdBgNV
+HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwYQYDVR0fBFowWDAqoCigJoYkaHR0cDovL2NybDMu
+ZGlnaWNlcnQuY29tL2NhMy1nMjQuY3JsMCqgKKAmhiRodHRwOi8vY3JsNC5kaWdpY2VydC5jb20v
+Y2EzLWcyNC5jcmwwggHEBgNVHSAEggG7MIIBtzCCAbMGCWCGSAGG/WwBATCCAaQwOgYIKwYBBQUH
+AgEWLmh0dHA6Ly93d3cuZGlnaWNlcnQuY29tL3NzbC1jcHMtcmVwb3NpdG9yeS5odG0wggFkBggr
+BgEFBQcCAjCCAVYeggFSAEEAbgB5ACAAdQBzAGUAIABvAGYAIAB0AGgAaQBzACAAQwBlAHIAdABp
+AGYAaQBjAGEAdABlACAAYwBvAG4AcwB0AGkAdAB1AHQAZQBzACAAYQBjAGMAZQBwAHQAYQBuAGMA
+ZQAgAG8AZgAgAHQAaABlACAARABpAGcAaQBDAGUAcgB0ACAAQwBQAC8AQwBQAFMAIABhAG4AZAAg
+AHQAaABlACAAUgBlAGwAeQBpAG4AZwAgAFAAYQByAHQAeQAgAEEAZwByAGUAZQBtAGUAbgB0ACAA
+dwBoAGkAYwBoACAAbABpAG0AaQB0ACAAbABpAGEAYgBpAGwAaQB0AHkAIABhAG4AZAAgAGEAcgBl
+ACAAaQBuAGMAbwByAHAAbwByAGEAdABlAGQAIABoAGUAcgBlAGkAbgAgAGIAeQAgAHIAZQBmAGUA
+cgBlAG4AYwBlAC4wewYIKwYBBQUHAQEEbzBtMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdp
+Y2VydC5jb20wRQYIKwYBBQUHMAKGOWh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2Vy
+dEhpZ2hBc3N1cmFuY2VDQS0zLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBQUAA4IBAQA1
+qAE+6nL92rvilZrGKwgPPl8AHzxAg8Ghlex5FTIUfqj+1GvCHpK3g1RhgNiZ8PTqKDeQlt8D9smr
+HXhq9Tzc4KbWuXhPojsEZuWc0mX2zhRJEB8MpJq0cmgtoeq/oPIhICY+5DcyUhVzUSusd24068Ps
+QUbBTeBq5taXRKKoI2M6fPONWLJaLwapConAzx5VSr8avcoWF35H0Xt+9LuZIioktmlqD+0cd0np
+JBacoVkM6MSyLHxXGZymF9BbQkWlrnD/mGBufUZuP5XHynSG2iRA9EGS2X/5i+3/4qOE9S8vmoA6
+DEXE2FCEteD9gJRi5BBFCmEIUSzFTl1Efhk5
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIGWDCCBUCgAwIBAgIQCl8RTQNbF5EX0u/UA4w/OzANBgkqhkiG9w0BAQUFADBsMQswCQYDVQQG
+EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSsw
+KQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5jZSBFViBSb290IENBMB4XDTA4MDQwMjEyMDAw
+MFoXDTIyMDQwMzAwMDAwMFowZjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZ
+MBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTElMCMGA1UEAxMcRGlnaUNlcnQgSGlnaCBBc3N1cmFu
+Y2UgQ0EtMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9hCikQH17+NDdRCPge+yLt
+Yb4LDXBMUGMmdRW5QYiXtvCgFbsIYOBC6AUpEIc2iihlqO8xB3RtNpcvKEZmBMcqeSZ6mdWOw21P
+oF6tvD2Rwll7XjZswFPPAAgyPhBkWBATaccM7pxCUQD5BUTuJM56H+2MEb0SqPMV9Bx6MWkBG6fm
+XcCabH4JnudSREoQOiPkm7YDr6ictFuf1EutkozOtREqqjcYjbTCuNhcBoz4/yO9NV7UfD5+gw6R
+lgWYw7If48hl66l7XaAszPw82W3tzPpLQ4zJ1LilYRyyQLYoEt+5+F/+07LJ7z20Hkt8HEyZNp49
+6+ynaF4d32duXvsCAwEAAaOCAvowggL2MA4GA1UdDwEB/wQEAwIBhjCCAcYGA1UdIASCAb0wggG5
+MIIBtQYLYIZIAYb9bAEDAAIwggGkMDoGCCsGAQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0LmNv
+bS9zc2wtY3BzLXJlcG9zaXRvcnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4AeQAgAHUA
+cwBlACAAbwBmACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABp
+AHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAgAEQAaQBnAGkA
+QwBlAHIAdAAgAEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAgAFIAZQBsAHkAaQBuAGcAIABQ
+AGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAgAHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwA
+aQBhAGIAaQBsAGkAdAB5ACAAYQBuAGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQAZQBk
+ACAAaABlAHIAZQBpAG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j
+b20wgY8GA1UdHwSBhzCBhDBAoD6gPIY6aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0
+SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t
+L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDAfBgNVHSMEGDAWgBSxPsNpA/i/RwHU
+mCYaCALvY2QrwzAdBgNVHQ4EFgQUUOpzidsp+xCPnuUBINTeeZlIg/cwDQYJKoZIhvcNAQEFBQAD
+ggEBAB7ipUiebNtTOA/vphoqrOIDQ+2avD6OdRvw/S4iWawTwGHi5/rpmc2HCXVUKL9GYNy+USyS
+8xuRfDEIcOI3ucFbqL2jCwD7GhX9A61YasXHJJlIR0YxHpLvtF9ONMeQvzHB+LGEhtCcAarfilYG
+zjrpDq6XdF3XcZpCdF/ejUN83ulV7WkAywXgemFhM9EZTfkI7qA5xSU1tyvED7Ld8aW3DiTEJiiN
+eXf1L/BXunwH1OH8zVowV36GEEfdMR/X/KLCvzB8XSSq6PmuX2p0ws5rs0bYIb4p1I5eFdZCSucy
+b6Sxa1GDWL4/bcf72gMhy2oWGU4K8K2Eyl2Us1p292E=
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBsMQswCQYDVQQG
+EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSsw
+KQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5jZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAw
+MFoXDTMxMTExMDAwMDAwMFowbDELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZ
+MBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFu
+Y2UgRVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm+9S75S0t
+Mqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTWPNt0OKRKzE0lgvdKpVMS
+OO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEMxChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3
+MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFBIk5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQ
+NAQTXKFx01p8VdteZOE3hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUe
+h10aUAsgEsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMB
+Af8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaAFLE+w2kD+L9HAdSY
+JhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3NecnzyIZgYIVyHbIUf4KmeqvxgydkAQ
+V8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6zeM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFp
+myPInngiK3BD41VHMWEZ71jFhS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkK
+mNEVX58Svnw2Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe
+vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep+OkuE6N36B9K
+-----END CERTIFICATE-----
+
+
diff --git a/test/testdata/chains/009.29dcb4c215b563e71d615cae5f5a57dbfc2c2871.pem b/test/testdata/chains/009.29dcb4c215b563e71d615cae5f5a57dbfc2c2871.pem
new file mode 100644
index 0000000..5da5ef8
--- /dev/null
+++ b/test/testdata/chains/009.29dcb4c215b563e71d615cae5f5a57dbfc2c2871.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIDBTCCAm6gAwIBAgIDCIjoMA0GCSqGSIb3DQEBBAUAMIHEMQswCQYDVQQGEwJaQTEVMBMGA1UE
+CBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAbBgNVBAoTFFRoYXd0ZSBDb25z
+dWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMRkwFwYD
+VQQDExBUaGF3dGUgU2VydmVyIENBMSYwJAYJKoZIhvcNAQkBFhdzZXJ2ZXItY2VydHNAdGhhd3Rl
+LmNvbTAeFw0wMjAxMjUxMzQ2MjFaFw0wMzAxMjUxMzQ2MjFaMIGiMQswCQYDVQQGEwJERTEMMAoG
+A1UECBMDTlJXMQ8wDQYDVQQHEwZBYWNoZW4xRzBFBgNVBAoWPnRlYW0gaW4gbWVkaWFzIGdlc2Vs
+bHNjaGFmdCBm/HIgbXVsdGltZWRpYWxlIGtvbW11bmlrYXRpb24gbWJIMQ8wDQYDVQQLEwZBYWNo
+ZW4xGjAYBgNVBAMTEWltYWlsLmlubWVkaWFzLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQC73OnDMoVrurUCrgOmbBnGZKoNLRV++LPbSlxH1joI0WlheRr/bkxf3oyfgJWWFSiltkAaj5M2
+ODWQbZ9sJSUW/54A3r90oHVuu4RxjMU66GwuiZXr8zNMzkpBhSAtrCJPCHJ0tYh7PLvjHSAugvu2
+9DDLrjXoHtu33EATi1ny9wIDAQABoyUwIzATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8E
+AjAAMA0GCSqGSIb3DQEBBAUAA4GBAJcYvfKP2JNdn3m4wRg+uWxGgXc1vgcDNNtRLlFTo7zvXMTa
+FZQ3Wx6KPRkdZFCWIm29mVlUJ7r9EaaPlEuJAh0FLmWGlTsxYB0jtOKBC3WwEOa5ZAwrz965rAxD
+P98UK9+WZ/jqynERXcQvJcxn0lcMFr1d9fnQTXLNtQueM6BJ
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIDEzCCAnygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBxDELMAkGA1UEBhMCWkExFTATBgNVBAgT
+DFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3Vs
+dGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEZMBcGA1UE
+AxMQVGhhd3RlIFNlcnZlciBDQTEmMCQGCSqGSIb3DQEJARYXc2VydmVyLWNlcnRzQHRoYXd0ZS5j
+b20wHhcNOTYwODAxMDAwMDAwWhcNMjAxMjMxMjM1OTU5WjCBxDELMAkGA1UEBhMCWkExFTATBgNV
+BAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29u
+c3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEZMBcG
+A1UEAxMQVGhhd3RlIFNlcnZlciBDQTEmMCQGCSqGSIb3DQEJARYXc2VydmVyLWNlcnRzQHRoYXd0
+ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANOkUG7I/1Zr5s9dtuoMaHVHoqrC2oQl
+/Kj0R1HahbUgdJSGHg91yekIYfUGbTBuFRkC6VLAYttNmZ7iagxEOM3+vuNkCXDF/rFrKbYvScg7
+1CcEJRCXL+eQbcAoQpnXTEPew/UhbVSfXcNY4cDk2VuwuNy0e982OsK1ZiIS1ocNAgMBAAGjEzAR
+MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAB/pMaVz7lcxG7oWDTSEwjsrZqG9J
+GubaUeNgcGyEYRGhGshIPllDfU+VPaGLtwtimHp1it2ITk6eQNuozDJ0uW8NxuOzRAvZim+aKZuZ
+GCg70eNAKJpaPNW15yAbi8qkq43pUdniTCxZqdq5snUb9kLy78fyGPmJvKP/iiMucEc=
+-----END CERTIFICATE-----
+
+
diff --git a/test/testdata/chains/010.2cf11ca183130b3ea882cbe2b620cc83bc8e4a6a.pem b/test/testdata/chains/010.2cf11ca183130b3ea882cbe2b620cc83bc8e4a6a.pem
new file mode 100644
index 0000000..4200803
--- /dev/null
+++ b/test/testdata/chains/010.2cf11ca183130b3ea882cbe2b620cc83bc8e4a6a.pem
@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----
+MIIDgTCCAuqgAwIBAgIQIsWFzBD0GDkG+p8oIxaD6DANBgkqhkiG9w0BAQUFADCBzjELMAkGA1UE
+BhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYDVQQK
+ExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBE
+aXZpc2lvbjEhMB8GA1UEAxMYVGhhd3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkB
+FhlwcmVtaXVtLXNlcnZlckB0aGF3dGUuY29tMB4XDTA5MDgwNjAwMDAwMFoXDTEyMDgyMzIzNTk1
+OVowgYQxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhLZW50dWNreTETMBEGA1UEBxMKTG91aXN2aWxs
+ZTEWMBQGA1UEChMNSEVQQXJ0cywgSW5jLjEbMBkGA1UECxMSV2ViIEFkbWluaXN0cmF0aW9uMRgw
+FgYDVQQDEw93d3cuSEVQQXJ0cy5jb20wgaAwDQYJKoZIhvcNAQEBBQADgY4AMIGKAoGAVk8R3cq8
+FFr39vPzHBRM7vffaz/XHSZu9prSRkzw8u99qsby9gDPVWougR6a0osPf4t9HwNVPirJohX2IXz/
+Tka8I4Ba7fcWWOImQQXvMF756Qsg0iDkFdPo7jgWYFrcxtHMzgRAQSUKE6gZRNx6xJ4W/B1djQS7
+JT3VVtTpvmUCBQCkj/mHo4GmMIGjMAwGA1UdEwEB/wQCMAAwQAYDVR0fBDkwNzA1oDOgMYYvaHR0
+cDovL2NybC50aGF3dGUuY29tL1RoYXd0ZVNlcnZlclByZW1pdW1DQS5jcmwwHQYDVR0lBBYwFAYI
+KwYBBQUHAwEGCCsGAQUFBwMCMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29j
+c3AudGhhd3RlLmNvbTANBgkqhkiG9w0BAQUFAAOBgQDMJdmHnzSMrQ/zDpgwelwk4E1vwieSxGJW
+3ELtaA5uU15CaVNKvu9Zk0aPXVD+JEWNjXO2ZXs0xLBgKyeMMUZUL4CCASCQsaAKyvsi0wMi2l2K
+5v6VzfOnwKLevRDlLV7t++r0QWutXtbU85/Hq5ba2orUYiNauv5v9CK6s4IaAg==
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIDJzCCApCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMCWkExFTATBgNVBAgT
+DFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3Vs
+dGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UE
+AxMYVGhhd3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNlcnZl
+ckB0aGF3dGUuY29tMB4XDTk2MDgwMTAwMDAwMFoXDTIwMTIzMTIzNTk1OVowgc4xCzAJBgNVBAYT
+AlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMU
+VGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2
+aXNpb24xITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNlcnZlciBDQTEoMCYGCSqGSIb3DQEJARYZ
+cHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0jY2
+aovXwlue2oFBYo847kkEVdbQ7xwblRZH7xhINTpS9CtqBo87L+pW46+GjZ4X9560ZXUCTe/LCaIh
+Udib0GfQug2SBhRz1JPLlyoAnFxODLz6FVL88kRu2hFKbgifLy3j+ao6hnO2RlNYyIkFvYMRuHM/
+qgeN9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQAm
+SCwWwlj66BZ0DKqqX1Q/8tfJeGBeXm43YyJ3Nn6yF8Q0ufUIhfzJATj/Tb7yFkJD57taRvvBxhEf
+8UqwKEbJw8RCfbz6q1lu1bdRiBHjpIUZa4JMpAwSremkrj/xw0llmozFyD4lt5SZu5IycQfwhl7t
+UCemDaYj+bvLpgcUQg==
+-----END CERTIFICATE-----
+
+
diff --git a/test/testdata/chains/011.7c2d41564b256f4115e646f71387aa9e1aaa0f56.pem b/test/testdata/chains/011.7c2d41564b256f4115e646f71387aa9e1aaa0f56.pem
new file mode 100644
index 0000000..9bc2446
--- /dev/null
+++ b/test/testdata/chains/011.7c2d41564b256f4115e646f71387aa9e1aaa0f56.pem
@@ -0,0 +1,80 @@
+-----BEGIN CERTIFICATE-----
+MIIFpjCCBI6gAwIBAgIIjK0t3AAANcYwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCS1IxEjAQ
+BgNVBAoMCUNyb3NzQ2VydDEVMBMGA1UECwwMQWNjcmVkaXRlZENBMSQwIgYDVQQDDBtDcm9zc0Nl
+cnQgQ2xhc3MgMSBTZXJ2ZXIgQ0EwHhcNMTIxMTA5MDc0NjAwWhcNMTMxMTExMTQ1OTU5WjBwMQsw
+CQYDVQQGEwJLUjESMBAGA1UECgwJQ3Jvc3NDZXJ0MRUwEwYDVQQLDAxBY2NyZWRpdGVkQ0ExDDAK
+BgNVBAsMA1NTTDEMMAoGA1UECwwDMDAxMRowGAYDVQQDDBF3d3cuZ2V0ZmlsZS5jby5rcjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ6VG9Dvx5t1iL1rjyfX36/yqj2+xfpxtDaXueoD
+qRoMSJBmVZiio2VX/mfcbSTUJH3XoEjBkPzjKDMouvCBF8AhGPUX6HnaeTRtxejTdoqYP4SaxT7Q
+2CUJFtqQ4PI+QOyA4DMTUNMNFv3ZRemrJKk0YluL+sNcy12su58QNmAmsVjjTVmQtPs+mE28E2vP
+yJ2Ze472wYnJOs2giWo16ewahd0swoeowcVRFOnRMXCXIsgiMn0Bv97As7eS4xv1dFmKfEmNCQPm
++X4qmLZFlIw9SGO1TPS/wDblXvsqb6VH2JnL7qv+j2cn3frv/T57UFnSLTXGIKrb13Lo6nmjah0C
+AwEAAaOCAlQwggJQMIGPBgNVHSMEgYcwgYSAFG24/5Jcsb/pSXgxfIB1wGIQS704oWikZjBkMQsw
+CQYDVQQGEwJLUjENMAsGA1UECgwES0lTQTEuMCwGA1UECwwlS29yZWEgQ2VydGlmaWNhdGlvbiBB
+dXRob3JpdHkgQ2VudHJhbDEWMBQGA1UEAwwNS0lTQSBSb290Q0EgMYICJ4cwHQYDVR0OBBYEFLCn
+RDny9eLbgtg6lumkKmesw5TzMA4GA1UdDwEB/wQEAwIFoDB7BgNVHSAEdDByMHAGCSqDGoyaRAUE
+BjBjMC0GCCsGAQUFBwIBFiFodHRwOi8vZ2NhLmNyb3NzY2VydC5jb20vY3BzLmh0bWwwMgYIKwYB
+BQUHAgIwJh4kx3QAIMd4yZ3BHLKUACDG+cEcvIQAIMd4yZ3BHMeFssiy5AAuMH8GA1UdHwR4MHYw
+dKByoHCGbmxkYXA6Ly9zc2xkaXIuY3Jvc3NjZXJ0LmNvbTozODkvY249czFkcDZwMSxvdT1jcmxk
+cCxvdT1BY2NyZWRpdGVkQ0Esbz1Dcm9zc0NlcnQsYz1LUj9jZXJ0aWZpY2F0ZVJldm9jYXRpb25M
+aXN0MIGOBggrBgEFBQcBAQSBgTB/MH0GCCsGAQUFBzAChnFsZGFwOi8vc3NsLmNyb3NzY2VydC5j
+b206Mzg5L2NuPUNyb3NzQ2VydCBDbGFzcyAxIFNlcnZlciBDQSxvdT1BY2NyZWRpdGVkQ0Esbz1D
+cm9zc0NlcnQsYz1LUj9jQUNlcnRpZmljYXRlO2JpbmFyeTANBgkqhkiG9w0BAQUFAAOCAQEA1t7F
+EWpwXWm4TULUIHbV1HhDLXqjav1ybE7KzTye3/bTGpvzzy7DdMs0ppgLSXOT2ADhE4bWabh1VVAE
+eqniqsg0iui5IpFquA6lKHOmqyh+IoCOza83ovx7f+Ku8M6enYcDgaWindw88eWl0dYsukp5p2F9
+GSFnk+b3SAdAZ5gDvp0BFZ0dBEV0Bn8rQFFiju740WEaEobGFBTfhXDE+Znk2x5UErwyxqEO2R3i
+I7Og79SXTy9Pygmin+A5KD+2yiJqxhDKuck2nmLmNSja81tO3CyLagfiNewCefg05dUExXTwFncY
+eiRkIBn8s1lL9zhzY55XoduTw40BR7rn4w==
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIGHjCCBQagAwIBAgICJ4cwDQYJKoZIhvcNAQEFBQAwZDELMAkGA1UEBhMCS1IxDTALBgNVBAoM
+BEtJU0ExLjAsBgNVBAsMJUtvcmVhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IENlbnRyYWwxFjAU
+BgNVBAMMDUtJU0EgUm9vdENBIDEwHhcNMTAwNzMwMDcxMTM0WhcNMjAwNzMwMDcxMTM0WjBeMQsw
+CQYDVQQGEwJLUjESMBAGA1UECgwJQ3Jvc3NDZXJ0MRUwEwYDVQQLDAxBY2NyZWRpdGVkQ0ExJDAi
+BgNVBAMMG0Nyb3NzQ2VydCBDbGFzcyAxIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAODF0o/q0AUTtbuc2AL8q4SZ2PP0MPfYGs8sWCnIOnQGdY4BOfK85CKgZGaiE14W
+E/AZvxYuSSIkuy4lH4k6+MPbiKTk1UGLLdM5Xi0NYLR9/zs2OrfwFKEpjH0mSBXjoZk8ioqDRED6
+kkkzt9WOHIRqz7RqmJP9typp7NQVRKwQWP77Ny2yJlevlz0l2rhdd+4F2HNgDNjXxuda2Ivis1Ws
+O6LlrS/KFbz9o9QJ0yy7k7nCVISwPABPWZTz/Zzxd2fNGhPQF4dV9uOnIfi1sKbvWabTPJctPB54
+3mtH3tpEnlpOsaGxegEGsUqYBFHx6IvvfDDbE4pm+pg4AeZ6nRMCAwEAAaOCAt4wggLaMIGOBgNV
+HSMEgYYwgYOAFL+2J9gDWnZlTGEBQVYx5Yt7OtnMoWikZjBkMQswCQYDVQQGEwJLUjENMAsGA1UE
+CgwES0lTQTEuMCwGA1UECwwlS29yZWEgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgQ2VudHJhbDEW
+MBQGA1UEAwwNS0lTQSBSb290Q0EgMYIBBDAdBgNVHQ4EFgQUbbj/klyxv+lJeDF8gHXAYhBLvTgw
+DgYDVR0PAQH/BAQDAgEGMIIBLgYDVR0gBIIBJTCCASEwggEdBgRVHSAAMIIBEzAwBggrBgEFBQcC
+ARYkaHR0cDovL3d3dy5yb290Y2Eub3Iua3IvcmNhL2Nwcy5odG1sMIHeBggrBgEFBQcCAjCB0R6B
+zsd0ACDHeMmdwRyylAAgrPXHeMd4yZ3BHMeFssiy5AAoAFQAaABpAHMAIABjAGUAcgB0AGkAZgBp
+AGMAYQB0AGUAIABpAHMAIABhAGMAYwByAGUAZABpAHQAZQBkACAAdQBuAGQAZQByACAARQBsAGUA
+YwB0AHIAbwBuAGkAYwAgAFMAaQBnAG4AYQB0AHUAcgBlACAAQQBjAHQAIABvAGYAIAB0AGgAZQAg
+AFIAZQBwAHUAYgBsAGkAYwAgAG8AZgAgAEsAbwByAGUAYQApMDMGA1UdEQQsMCqgKAYJKoMajJpE
+CgEBoBswGQwX7ZWc6rWt7KCE7J6Q7J247KadKOyjvCkwEgYDVR0TAQH/BAgwBgEB/wIBADAMBgNV
+HSQEBTADgAEAMIGOBgNVHR8EgYYwgYMwgYCgfqB8hnpsZGFwOi8vZGlyLmNyb3NzY2VydC5jb206
+Mzg5L0NOPUtJU0EtUm9vdENBLTEsT1U9S29yZWEtQ2VydGlmaWNhdGlvbi1BdXRob3JpdHktQ2Vu
+dHJhbCxPPUtJU0EsQz1LUj9hdXRob3JpdHlSZXZvY2F0aW9uTGlzdDANBgkqhkiG9w0BAQUFAAOC
+AQEAfAovYTiiuBdEs42+wvBYT/+aVm6C2G4/Udk1Uo3JcMbCtpvHH+7cUvRXjNH6nCYXBcjnFCD1
+Zv17WL6hEfVa3WYJhQWSQXyadOp9pmpRFf1APuCtYq/JnV/uevkxoYmYXXzvT8teTK7BacEqg8/w
+DzsHkk+xw6eXCgB5ul6fOBRHJEKPmWKHSgp0o5C+3pTi5siicEL+rHPQUzb/cPBBlhfOXrkMc5Vt
+14oM8N5xfBZBgxX3fEFrj2vXhR8dYPsrqm7D+87YDUqN4kP637k7wWm74RtXAAcIp/m0iQ00OjDh
+cBAEMLT/e9ObEcEK6l5nGfzZK/duSvq3PnAjWFznzw==
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIDczCCAlugAwIBAgIBBDANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJLUjENMAsGA1UECgwE
+S0lTQTEuMCwGA1UECwwlS29yZWEgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgQ2VudHJhbDEWMBQG
+A1UEAwwNS0lTQSBSb290Q0EgMTAeFw0wNTA4MjQwODA1NDZaFw0yNTA4MjQwODA1NDZaMGQxCzAJ
+BgNVBAYTAktSMQ0wCwYDVQQKDARLSVNBMS4wLAYDVQQLDCVLb3JlYSBDZXJ0aWZpY2F0aW9uIEF1
+dGhvcml0eSBDZW50cmFsMRYwFAYDVQQDDA1LSVNBIFJvb3RDQSAxMIIBIDANBgkqhkiG9w0BAQEF
+AAOCAQ0AMIIBCAKCAQEAvATk+hM58DSWIGtsaLv623f/J/es7C/n/fB/bW+MKs0lCVsk9KFo/Cjs
+ySXirO3eyDOE9bClCTqnsUdIxcxPjHmc+QZXfd3uOPbPFLKc6tPAXXdi8EcNuRpAU1xkcK8IWsD3
+z3X5bI1kKB4g/rcbGdNaZoNy4rCbvdMlFQ0yb2Q3lIVGyHK+d9VuHygvx2nt54OJM1jT3qC/QOhD
+UO7cTWu8peqmyGGO9cNkrwYV3CmLP3WMvHFE2/yttRcdbYmDz8Yzvb9Fov4Kn6MRXw+5H5wawkbM
+nChmn3AmPC7fqoD+jMUECSVPzZNHPDfqAmeS/vwiJFys0izgXAEzisEZ2wIBA6MyMDAwHQYDVR0O
+BBYEFL+2J9gDWnZlTGEBQVYx5Yt7OtnMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
+ggEBABOvUQveimpb5poKyLGQSk6hAp3MiNKrZr097LuxQpVqslxa/6FjZJapaBV/JV6K+KRzwYCK
+hQoOUugy50X4TmWAkZl0Q+VFnUkq8JSV3enhMNITbslOsXflBM+tWh6UCVrXPAgcrnrpFDLBRa3S
+JkhyrKhB2vAhhzle3/xk/2F0KpzZm4tfwjeT2KM3LzuTa7IbB6d/CVDv0zq+IWuKkDsnSlFOa56c
+h534eJAx7REnxqhZvvwYC/uOfi5C4e3nCSG9uRPFVmf0JqZCQ5BEVLRxm3bkGhKsGigA35vB1fjb
+XKP4krG9tNT5UNkAAk/bg9ART6RCVmE6fhMy04Qfybo=
+-----END CERTIFICATE-----
+
+
diff --git a/test/testdata/chains/012.41b4b3980ab6389afe5647353b5abe882870b032.pem b/test/testdata/chains/012.41b4b3980ab6389afe5647353b5abe882870b032.pem
new file mode 100644
index 0000000..c72fd6e
--- /dev/null
+++ b/test/testdata/chains/012.41b4b3980ab6389afe5647353b5abe882870b032.pem
@@ -0,0 +1,73 @@
+-----BEGIN CERTIFICATE-----
+MIIFVTCCBD2gAwIBAgIUKt2G2CQP6ZyX6+/O9gHZcFqZRikwDQYJKoZIhvcNAQEFBQAwUDELMAkG
+A1UEBhMCS1IxHDAaBgNVBAoME0dvdmVybm1lbnQgb2YgS29yZWExDTALBgNVBAsMBEdQS0kxFDAS
+BgNVBAMMC0NBMTM0MTAwMDMxMB4XDTEyMDEzMTAzMDIzOFoXDTE0MDUwMTE0NTk1OVowgYAxCzAJ
+BgNVBAYTAktSMRwwGgYDVQQKDBNHb3Zlcm5tZW50IG9mIEtvcmVhMRgwFgYDVQQLDA9Hcm91cCBv
+ZiBTZXJ2ZXIxHjAcBgNVBAsMFeq1kOycoeqzvO2Vmeq4sOyIoOu2gDEZMBcGA1UEAwwQYm1yaS5r
+b3JlYS5hYy5rcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKuV73B+Gx1+DsUtIF5o
+pF0B8vcMD1WibgWMRlgw0GG4zWhKxTIztNQ9pTctUdN4mrKvtf/rDCqDGXT9sagyipJY8OUukykA
+hwqFVmfrceLbxZEGnF34HqAZrCOV/rH7S1qD0AZqnzfM7R8unXor43GPzdu5Uhf4NbUwYOpjeYm/
+vm48cx467kUjpLAAPsvg9E4Pgx7dvnwLuuDfnhcCKXTj3I2PrA1MDc32rpi8SNm/bbtO8Ze5Zb6H
+o/dAiiLYd3rn/gyvvHKoZfCO/CeKI4u7MONyh8HWMxlpfPG3XOcINo61RMPq6d/hzKnwAh3zRy11
+J+EBJZO/SHhHnmVV3YcCAwEAAaOCAfQwggHwMHkGA1UdIwRyMHCAFI5G+A2eeHaizBrkD1F/UtdN
+nFsboVSkUjBQMQswCQYDVQQGEwJLUjEcMBoGA1UECgwTR292ZXJubWVudCBvZiBLb3JlYTENMAsG
+A1UECwwER1BLSTEUMBIGA1UEAwwLR1BLSVJvb3RDQTGCAicZMB0GA1UdDgQWBBRavyyJ3U49seIB
+OfL702AETmd9ljAOBgNVHQ8BAf8EBAMCBaAwbQYDVR0gAQH/BGMwYTBfBgoqgxqGjSEFAwEJMFEw
+KgYIKwYBBQUHAgEWHmh0dHA6Ly93d3cuZXBraS5nby5rci9jcHMuaHRtbDAjBggrBgEFBQcCAjAX
+GhVFZHVjYXRpb24gQ2VydGlmaWNhdGUwGwYDVR0RBBQwEoIQYm1yaS5rb3JlYS5hYy5rcjAxBgNV
+HRIEKjAooCYGCSqDGoyaRAoBAaAZMBcMFeq1kOycoeqzvO2Vmeq4sOyIoOu2gDCBhAYDVR0fBH0w
+ezB5oHegdYZzbGRhcDovL2xkYXAuZXBraS5nby5rcjozODkvY249Y3JsMXAxZHAxMSxvdT1DUkws
+b3U9R1BLSSxvPUdvdmVybm1lbnQgb2YgS29yZWEsYz1rcj9jZXJ0aWZpY2F0ZVJldm9jYXRpb25M
+aXN0O2JpbmFyeTANBgkqhkiG9w0BAQUFAAOCAQEAr5A5ISBwFUftV3M2/0T7FR77+Zli/wMtHjVd
+i2KkvDtv3jotmtDLKNqsyhYTVtas7y8HtRdH/GGFNdG2wY+EKGZjI2tsHtMgZ0jb5xCCh8DMONsy
+ACSTOlGp3eR1Y/1ER8yolR7jm67nFyNSAp0vjSCprXExQ9Q8UIqrm/6iYG6N08W7Or0l9qAT4Q5N
+VNx068Jx+UF6Wj10gYCsbCG7YvEunPTLkldLxL3MeDoyFU3wx23MDnWYEr/EeLPZo7DyrOg++9Oq
+ixNY1wuJr+WgfjGQjotiSGB6Bgy8pBZRSihGKGNbi6pp+r4UZWu+W53LL4qXoRbDBqRiXZ44C4Z0
+Ng==
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIEvTCCA6WgAwIBAgICJxkwDQYJKoZIhvcNAQELBQAwUDELMAkGA1UEBhMCS1IxHDAaBgNVBAoM
+E0dvdmVybm1lbnQgb2YgS29yZWExDTALBgNVBAsMBEdQS0kxFDASBgNVBAMMC0dQS0lSb290Q0Ex
+MB4XDTExMTIxNTA2MDAxM1oXDTIxMTIxNTA2MDAxM1owUDELMAkGA1UEBhMCS1IxHDAaBgNVBAoM
+E0dvdmVybm1lbnQgb2YgS29yZWExDTALBgNVBAsMBEdQS0kxFDASBgNVBAMMC0NBMTM0MTAwMDMx
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwxGkCUA8iQHQdsTjMpV7zYjb3sBAvF/Q
+K7OhhCfMGcUZVfh4z1A7X94Lxfu6CeyFn2KF2wy+AsCUs1xG+AqXB/y/zB9QPp1lZAEJotSyKbhQ
+cJUNG+YwsdeEV8PIy2TvKmGjT6J+8G/RtRVA2I/lpOYcuFxS7ipu8kx78FHS9NyXiYGWPKxjemWs
+VgYrfwjkcIt1mAt30nZEvcO9LuFSlldtGSEir6lZjLv9Igb/K2ayHmmnSB5i7y2DOzYKF6o1GnNF
+c0fdK5VCuoyX4puQeDcSv3rVR6kwIL9c5HuC1czrD86cVY9kqe5qQUPeuvNd0gfG75mDv26yAMbm
+Sx+LeQIDAQABo4IBnzCCAZsweAYDVR0jBHEwb4AUeAPrDIym01V1pIe069GaZg9Mc4uhVKRSMFAx
+CzAJBgNVBAYTAktSMRwwGgYDVQQKDBNHb3Zlcm5tZW50IG9mIEtvcmVhMQ0wCwYDVQQLDARHUEtJ
+MRQwEgYDVQQDDAtHUEtJUm9vdENBMYIBATAdBgNVHQ4EFgQUjkb4DZ54dqLMGuQPUX9S102cWxsw
+DgYDVR0PAQH/BAQDAgEGME8GA1UdIARIMEYwDAYKKoMaho0hBQMBAzAMBgoqgxqGjSEFAwEBMAwG
+CiqDGoaNIQUDAQcwDAYKKoMaho0hBQMBCTAMBgoqgxqGjSEFAwEFMBIGA1UdEwEB/wQIMAYBAf8C
+AQAwDwYDVR0kAQH/BAUwA4ABADB6BgNVHR8EczBxMG+gbaBrhmlsZGFwOi8vY2VuLmRpci5nby5r
+cjozODkvY249R1BLSVJvb3RDQTEsb3U9R1BLSSxvPUdvdmVybm1lbnQgb2YgS29yZWEsYz1LUj9h
+dXRob3JpdHlSZXZvY2F0aW9ubGlzdDtiaW5hcnkwDQYJKoZIhvcNAQELBQADggEBAH22zMoINn+l
+mZeGtxjvbSIzT8xvKH8VNw0KifIjqBbRS48duCctrCS5YGXkksNcDyAofKc1I0YyteeFJQtVGYXB
+05NN10i/IwklDdOSCfsWGBprYoFG/dBaEt4cSh/cgTQYxQWYmPhxYPUDF24yIVJSUvt1heZnSBP8
+vHayUa5Cvyyh8NibORHyGRZ0183cJrpqjDgw80Y/YgD7CMxw6P/rRw9vx1c0pbhhp68uc1jrYvKN
+xlfJrt/aGCm/sSxAPnbTUOtgBG22ghWnzamTtQingsgJiKF7GCDXeTRkt2GQgkHarm7vbZykMHmq
+8w1dYdrwkPFb8E5ejajxn30Uyyo=
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIDXTCCAkWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBQMQswCQYDVQQGEwJLUjEcMBoGA1UECgwT
+R292ZXJubWVudCBvZiBLb3JlYTENMAsGA1UECwwER1BLSTEUMBIGA1UEAwwLR1BLSVJvb3RDQTEw
+HhcNMTEwODAzMDY1MjMwWhcNMzEwODAzMDY1MjMwWjBQMQswCQYDVQQGEwJLUjEcMBoGA1UECgwT
+R292ZXJubWVudCBvZiBLb3JlYTENMAsGA1UECwwER1BLSTEUMBIGA1UEAwwLR1BLSVJvb3RDQTEw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCh/m8EBbDJhGQyN2+g5dTlsgjtaRKqhgj3
+gkYKBgtuXsXkaTVxbf99AvbN3QE8+WCIaPJUd0091UGmLzaBVyW4ct+iUNrX/FXyzjafbNbbl1nf
+HhaZhkiOTVQhmY5zuj96evEtJMevnxe6iRADOPWnqp+CxT2IzcSFkQCq7L2qn8hU2/LpXUvnAYgl
+JZi8t6Ef+r03P1r8dA5OzZ8yV3qhD1R1wsNQtCzMgwcErFRZhFZYuxpfmS5y0fZW0seeTjcdxHiR
+3whYI5U6AI7DjdWIrT9Cd9ByV4aevkBhqkePPIYGmUPXnnqCkdHdnzkMH0WP9TBhD2jTXZKdcFtT
+yEJrAgMBAAGjQjBAMB0GA1UdDgQWBBR4A+sMjKbTVXWkh7Tr0ZpmD0xzizAOBgNVHQ8BAf8EBAMC
+AQYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEARGJWATwo81x7UEQugNbicL8I
+WXoV51SZVH3kz49fNUjVoq1n2yzfaMddlblbflDNObp/68DxTlSXCeqFHkgi/WvyVHERRECXnF0W
+eeelI+Q8XdF3IJZLT3u5Ss0VAB2loCuC+4hBWSRQu2WZu2Yks9eBN0x6NmtopRmnf2d6VrcFA+WO
+gUeTjXiDkG52IaPw0w1uTfmRw5epky5idyY2bfJ1JeVUINMJnOWpgLkOH3xxakoD8F1Fbi6C3t7M
+mKupojUq/toUDms6zTk3DIkcwd7PALNWL5U8TxNLoroTHSf/lzaOv3o9KDRa0FQo58bPI7MdbRWE
+4F3mS/ZIrnv7jQ==
+-----END CERTIFICATE-----
+
+
diff --git a/test/testdata/chains/013.9e862686af81aa013267c2b5fd098720734bc93b.pem b/test/testdata/chains/013.9e862686af81aa013267c2b5fd098720734bc93b.pem
new file mode 100644
index 0000000..08b7b4e
--- /dev/null
+++ b/test/testdata/chains/013.9e862686af81aa013267c2b5fd098720734bc93b.pem
@@ -0,0 +1,69 @@
+-----BEGIN CERTIFICATE-----
+MIIGFTCCBP2gAwIBAgIDAuH+MA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNVBAYTAlVTMRcwFQYDVQQK
+Ew5DeWJlcnRydXN0IEluYzERMA8GA1UECxMIU2VydmljZXMxDDAKBgNVBAsTA1BLSTEnMCUGA1UE
+AxMeQ3liZXJ0cnVzdCBQdWJsaWMgSXNzdWluZyBDQSAxMB4XDTEzMDkwMzE3NDkwMloXDTE0MDkw
+MzE3NDkwMlowgdMxEzARBgoJkiaJk/IsZAEZFgNnb3YxEjAQBgoJkiaJk/IsZAEZFgJ2YTElMCMG
+A1UECAwcV2VzdCBWaXJnaW5pYSxEQ1w9dmEsRENcPWdvdjEXMBUGA1UEBxMORmFsbGluZyBXYXRl
+cnMxKjAoBgNVBAoTIVVTIERlcGFydG1lbnQgb2YgVmV0ZXJhbnMgQWZmYWlyczEjMCEGA1UECxMa
+Q2FwaXRvbCBSZWdpb24gRGF0YSBDZW50ZXIxFzAVBgNVBAMTDnd3dy5wYXkudmEuZ292MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm1g8bd2bmPCPClPcM85qxhvGKKt/k2FxsipOyGec
+imRM4V3weC3mKvUBOEJmQuLm2B81NTVJmEFBgxIlho09HGDxpMj8B+JGDe0VHkjvJgf6xod4a5gC
+jHaKSkCv/DsIWeyi/9SIJlTUgc8MdAXU5PMCYUvOD8IEq6Q9L6g28g9FDeFGboDKCgtRSsLaEGoX
+QV4VqTu6aBT1Ecrhy0IdcvE9O+LRCAvZh/z3+k0tpkA/C6gdH5mBiALjGbpqRbwCmXC04RkJG9r2
+WBA+cMXK1vhM7PrsdcJhqLvDTM3aqGhYxkR/8ixuYsHn7QML/AKXeEXrXD6phi4Foik8gO1Q8QID
+AQABo4ICUjCCAk4wEwYDVR0RBAwwCocIAAAAAP///wAwgdMGCCsGAQUFBwEBBIHGMIHDMEAGCCsG
+AQUFBzAChjRodHRwOi8vYWlhMS5jb20tc3Ryb25nLWlkLm5ldC9DQS9DVC1QVUJMSUMtSUNBLTEu
+cDdjMH8GCCsGAQUFBzAChnNsZGFwOi8vZGlyMS5jb20tc3Ryb25nLWlkLm5ldC9jbj1DeWJlcnRy
+dXN0IFB1YmxpYyBJc3N1aW5nIENBIDEsb3U9UEtJLG91PVNlcnZpY2VzLG89Q3liZXJ0cnVzdCwg
+Yz1VUz9jQUNlcnRpZmljYXRlMA4GA1UdDwEB/wQEAwIFoDAjBgNVHSUEHDAaBgRVHSUABggrBgEF
+BQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUVJyBRgoWyv9g+eqKRQp1XE6y3oowgesGA1UdHwSB
+4zCB4DA8oDqgOIY2aHR0cDovL2NkcDEuY29tLXN0cm9uZy1pZC5uZXQvQ0RQL0NULVBVQkxJQy1J
+LUNBLTEuY3JsMIGfoIGcoIGZhoGWbGRhcDovL2RpcjEuc3NwLXN0cm9uZy1pZC5uZXQvY24lM2RD
+eWJlcnRydXN0JTIwUHVibGljJTIwSXNzdWluZyUyMENBJTIwMSxvdSUzZFBLSSxvdSUzZFNlcnZp
+Y2VzLG8lM2RDeWJlcnRydXN0JTIwSW5jLGMlM2RVUz9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0
+MB0GA1UdDgQWBBSgzZLv1sNwrXLn8if9Dk6qpxQUFjANBgkqhkiG9w0BAQUFAAOCAQEAn5xdVJ99
+9WnC+NPfnb7TAobQzKKnsuQu0AfHXFLaLkgVGePG7uBo+W3dtWWLk45YO8ae5hOAcPhhnarYIQir
+5TaPYpSoZvzOu/bRw8ZajPQsuGNv0PbGPhqLP8MzGJxlCHeWkG44MPSvRpbuh5IrWsI7eqpInUPq
+azJMUyC+D+HhqW9GHyAfWsZyR/NlNFN2R3mx2EbTkflfD1vGWPhyqW7i33nh2MKMiuQMe2rUO5iL
+ZsLA/JaIshWp4vjFQLo/a8lrcUNan5gs45sO6ibTK6Vpr03KpVg3GVa4PsfdGiY6PLPtyK0WIF2O
+ETUkNcR0xhFmuK850LNDorhyzUdCiw==
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIEUzCCA7ygAwIBAgIEBycUnzANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJVUzEYMBYGA1UE
+ChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJUcnVzdCBTb2x1dGlvbnMsIElu
+Yy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEdsb2JhbCBSb290MB4XDTA3MDcxMTE4MTYxMFoX
+DTE3MDcxMTE4MTUyMFowcDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkN5YmVydHJ1c3QgSW5jMREw
+DwYDVQQLEwhTZXJ2aWNlczEMMAoGA1UECxMDUEtJMScwJQYDVQQDEx5DeWJlcnRydXN0IFB1Ymxp
+YyBJc3N1aW5nIENBIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCybxFtLjT4sEpg
+TGaXge5SLQp13Uq5uznggVhoT0+deGB550ttPPeGAC4hSEnGjeMhvKszR+r1/biw0NpGCxMR7wAM
+nwFW0cBZIgjWNdoHfooFyGweAqB+SQMvJUNibbHKw1RQH2CpQoGwDk8wNfpP04My+xwnYKaqZ3FR
+IexAUNzeoCVBzIIDruXgmEmmF2eUtWy9VhWFvNxHLJjVGYDL3Ai9AciKntwV71YwR1XZqga6/Fxq
+fdWDzltCANQhBE/yoI+PQTemTJ0bnsHmL0XszBdKE5CFZgVebQu9ssVomVu8SEnnDJFx0fj1EhT8
+9+mDTzae6Zd7Npe1B3BB1XllAgMBAAGjggFvMIIBazASBgNVHRMBAf8ECDAGAQH/AgEAMFMGA1Ud
+IARMMEowSAYJKwYBBAGxPgEAMDswOQYIKwYBBQUHAgEWLWh0dHA6Ly9jeWJlcnRydXN0Lm9tbmly
+b290LmNvbS9yZXBvc2l0b3J5LmNmbTAOBgNVHQ8BAf8EBAMCAcYwgYkGA1UdIwSBgTB/oXmkdzB1
+MQswCQYDVQQGEwJVUzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3li
+ZXJUcnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEdsb2JhbCBS
+b290ggIBpTBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vd3d3LnB1YmxpYy10cnVzdC5jb20vY2dp
+LWJpbi9DUkwvMjAxOC9jZHAuY3JsMB0GA1UdDgQWBBRUnIFGChbK/2D56opFCnVcTrLeijANBgkq
+hkiG9w0BAQUFAAOBgQAPZ5XZrnS2sqq3+uErzpLVkpRbQRWUUdCxMtN7RLL3HKc8xmXRJ3lhMslE
+AgDk+xr5QxLOuUa2EqTnMFlwvh9J81O3+uZACBZqWkb1db2ThW49WnlO7Nok78Rmb6ZQvTTNjsCx
+GYKcu9v6m4Z6AK2Y6vyc+jTx/WL+jlTJMkOahg==
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIICWjCCAcMCAgGlMA0GCSqGSIb3DQEBBAUAMHUxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9HVEUg
+Q29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNvbHV0aW9ucywgSW5jLjEjMCEG
+A1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJvb3QwHhcNOTgwODEzMDAyOTAwWhcNMTgwODEz
+MjM1OTAwWjB1MQswCQYDVQQGEwJVUzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQL
+Ex5HVEUgQ3liZXJUcnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0
+IEdsb2JhbCBSb290MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVD6C28FCc6HrHiM3dFw4u
+sJTQGz0O9pTAipTHBsiQl8i4ZBp6fmw8U+E3KHNgf7KXUwefU/ltWJTSr41tiGeA5u2ylc9yMcql
+HHK6XALnZELn+aks1joNrI1CqiQBOeacPwGFVw1Yh0X404Wqk2kmhXBIgD8SFcd5tB8FLztimQID
+AQABMA0GCSqGSIb3DQEBBAUAA4GBAG3rGwnpXtlR22ciYaQqPEh346B8pt5zohQDhT37qw4wxYMW
+M4ETCJ57NE7fQMh017l93PR2VX2bY1QY6fDq81yx2YtCHrnAlU66+tXifPVoYb+O7AWXX1uw16OF
+NMQkpw0PlZPvy5TYnh+dXIVtx6quTx8itc2VrbqnzPmrC3p/
+-----END CERTIFICATE-----
+
+