Merge pull request #12705 from astromechza/bm_etcd_peer_server_cert

etcdmain: added peer-client-{client,key}-file parameters for supporting separate client and server certs when communicating between peers
etcd-io · Mar 2, 2021 · 102c198 · 102c198
2 parents 102096a + 3d44f5b
commit 102c198
Show file tree

Hide file tree

Showing 32 changed files with 556 additions and 374 deletions.
diff --git a/pkg/transport/listener.go b/pkg/transport/listener.go
@@ -64,8 +64,16 @@ func wrapTLS(scheme string, tlsinfo *TLSInfo, l net.Listener) (net.Listener, err
 }
 
 type TLSInfo struct {
-	CertFile            string
-	KeyFile             string
+	// CertFile is the _server_ cert, it will also be used as a _client_ certificate if ClientCertFile is empty
+	CertFile string
+	// KeyFile is the key for the CertFile
+	KeyFile string
+	// ClientCertFile is a _client_ cert for initiating connections when ClientCertAuth is defined. If ClientCertAuth
+	// is true but this value is empty, the CertFile will be used instead.
+	ClientCertFile string
+	// ClientKeyFile is the key for the ClientCertFile
+	ClientKeyFile string
+
 	TrustedCAFile       string
 	ClientCertAuth      bool
 	CRLFile             string
@@ -107,7 +115,7 @@ type TLSInfo struct {
 }
 
 func (info TLSInfo) String() string {
-	return fmt.Sprintf("cert = %s, key = %s, trusted-ca = %s, client-cert-auth = %v, crl-file = %s", info.CertFile, info.KeyFile, info.TrustedCAFile, info.ClientCertAuth, info.CRLFile)
+	return fmt.Sprintf("cert = %s, key = %s, client-cert=%s, client-key=%s, trusted-ca = %s, client-cert-auth = %v, crl-file = %s", info.CertFile, info.KeyFile, info.ClientCertFile, info.ClientKeyFile, info.TrustedCAFile, info.ClientCertAuth, info.CRLFile)
 }
 
 func (info TLSInfo) Empty() bool {
@@ -142,6 +150,8 @@ func SelfCert(lg *zap.Logger, dirpath string, hosts []string, selfSignedCertVali
 	if errcert == nil && errkey == nil {
 		info.CertFile = certPath
 		info.KeyFile = keyPath
+		info.ClientCertFile = certPath
+		info.ClientKeyFile = keyPath
 		info.selfCert = true
 		return
 	}
@@ -278,6 +288,17 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) {
 		return nil, err
 	}
 
+	// Perform prevalidation of client cert and key if either are provided. This makes sure we crash before accepting any connections.
+	if (info.ClientKeyFile == "") != (info.ClientCertFile == "") {
+		return nil, fmt.Errorf("ClientKeyFile and ClientCertFile must both be present or both absent: key: %v, cert: %v]", info.ClientKeyFile, info.ClientCertFile)
+	}
+	if info.ClientCertFile != "" {
+		_, err := tlsutil.NewCert(info.ClientCertFile, info.ClientKeyFile, info.parseFunc)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	cfg := &tls.Config{
 		MinVersion: tls.VersionTLS12,
 		ServerName: info.ServerName,
@@ -342,22 +363,26 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) {
 		return cert, err
 	}
 	cfg.GetClientCertificate = func(unused *tls.CertificateRequestInfo) (cert *tls.Certificate, err error) {
-		cert, err = tlsutil.NewCert(info.CertFile, info.KeyFile, info.parseFunc)
+		certfile, keyfile := info.CertFile, info.KeyFile
+		if info.ClientCertFile != "" {
+			certfile, keyfile = info.ClientCertFile, info.ClientKeyFile
+		}
+		cert, err = tlsutil.NewCert(certfile, keyfile, info.parseFunc)
 		if os.IsNotExist(err) {
 			if info.Logger != nil {
 				info.Logger.Warn(
 					"failed to find client cert files",
-					zap.String("cert-file", info.CertFile),
-					zap.String("key-file", info.KeyFile),
+					zap.String("cert-file", certfile),
+					zap.String("key-file", keyfile),
 					zap.Error(err),
 				)
 			}
 		} else if err != nil {
 			if info.Logger != nil {
 				info.Logger.Warn(
 					"failed to create client certificate",
-					zap.String("cert-file", info.CertFile),
-					zap.String("key-file", info.KeyFile),
+					zap.String("cert-file", certfile),
+					zap.String("key-file", keyfile),
 					zap.Error(err),
 				)
 			}

diff --git a/server/embed/config.go b/server/embed/config.go
@@ -368,11 +368,13 @@ type configJSON struct {
 }
 
 type securityConfig struct {
-	CertFile      string `json:"cert-file"`
-	KeyFile       string `json:"key-file"`
-	CertAuth      bool   `json:"client-cert-auth"`
-	TrustedCAFile string `json:"trusted-ca-file"`
-	AutoTLS       bool   `json:"auto-tls"`
+	CertFile       string `json:"cert-file"`
+	KeyFile        string `json:"key-file"`
+	ClientCertFile string `json:"client-cert-file"`
+	ClientKeyFile  string `json:"client-key-file"`
+	CertAuth       bool   `json:"client-cert-auth"`
+	TrustedCAFile  string `json:"trusted-ca-file"`
+	AutoTLS        bool   `json:"auto-tls"`
 }
 
 // NewConfig creates a new Config populated with default values.
@@ -523,6 +525,8 @@ func (cfg *configYAML) configFromFile(path string) error {
 	copySecurityDetails := func(tls *transport.TLSInfo, ysc *securityConfig) {
 		tls.CertFile = ysc.CertFile
 		tls.KeyFile = ysc.KeyFile
+		tls.ClientCertFile = ysc.ClientCertFile
+		tls.ClientKeyFile = ysc.ClientKeyFile
 		tls.ClientCertAuth = ysc.CertAuth
 		tls.TrustedCAFile = ysc.TrustedCAFile
 	}

diff --git a/server/etcdmain/config.go b/server/etcdmain/config.go
@@ -202,13 +202,17 @@ func newConfig() *config {
 	// security
 	fs.StringVar(&cfg.ec.ClientTLSInfo.CertFile, "cert-file", "", "Path to the client server TLS cert file.")
 	fs.StringVar(&cfg.ec.ClientTLSInfo.KeyFile, "key-file", "", "Path to the client server TLS key file.")
+	fs.StringVar(&cfg.ec.ClientTLSInfo.ClientCertFile, "client-cert-file", "", "Path to an explicit peer client TLS cert file otherwise cert file will be used when client auth is required.")
+	fs.StringVar(&cfg.ec.ClientTLSInfo.ClientKeyFile, "client-key-file", "", "Path to an explicit peer client TLS key file otherwise key file will be used when client auth is required.")
 	fs.BoolVar(&cfg.ec.ClientTLSInfo.ClientCertAuth, "client-cert-auth", false, "Enable client cert authentication.")
 	fs.StringVar(&cfg.ec.ClientTLSInfo.CRLFile, "client-crl-file", "", "Path to the client certificate revocation list file.")
 	fs.StringVar(&cfg.ec.ClientTLSInfo.AllowedHostname, "client-cert-allowed-hostname", "", "Allowed TLS hostname for client cert authentication.")
 	fs.StringVar(&cfg.ec.ClientTLSInfo.TrustedCAFile, "trusted-ca-file", "", "Path to the client server TLS trusted CA cert file.")
 	fs.BoolVar(&cfg.ec.ClientAutoTLS, "auto-tls", false, "Client TLS using generated certificates")
 	fs.StringVar(&cfg.ec.PeerTLSInfo.CertFile, "peer-cert-file", "", "Path to the peer server TLS cert file.")
 	fs.StringVar(&cfg.ec.PeerTLSInfo.KeyFile, "peer-key-file", "", "Path to the peer server TLS key file.")
+	fs.StringVar(&cfg.ec.PeerTLSInfo.ClientCertFile, "peer-client-cert-file", "", "Path to an explicit peer client TLS cert file otherwise peer cert file will be used when client auth is required.")
+	fs.StringVar(&cfg.ec.PeerTLSInfo.ClientKeyFile, "peer-client-key-file", "", "Path to an explicit peer client TLS key file otherwise peer key file will be used when client auth is required.")
 	fs.BoolVar(&cfg.ec.PeerTLSInfo.ClientCertAuth, "peer-client-cert-auth", false, "Enable peer client cert authentication.")
 	fs.StringVar(&cfg.ec.PeerTLSInfo.TrustedCAFile, "peer-trusted-ca-file", "", "Path to the peer server TLS trusted CA file.")
 	fs.BoolVar(&cfg.ec.PeerAutoTLS, "peer-auto-tls", false, "Peer TLS using generated certificates")

diff --git a/tests/e2e/etcd_config_test.go b/tests/e2e/etcd_config_test.go
@@ -163,6 +163,8 @@ func TestEtcdPeerCNAuth(t *testing.T) {
 			args = []string{
 				"--peer-cert-file", certPath,
 				"--peer-key-file", privateKeyPath,
+				"--peer-client-cert-file", certPath,
+				"--peer-client-key-file", privateKeyPath,
 				"--peer-trusted-ca-file", caPath,
 				"--peer-client-cert-auth",
 				"--peer-cert-allowed-cn", "example.com",
@@ -171,6 +173,8 @@ func TestEtcdPeerCNAuth(t *testing.T) {
 			args = []string{
 				"--peer-cert-file", certPath2,
 				"--peer-key-file", privateKeyPath2,
+				"--peer-client-cert-file", certPath2,
+				"--peer-client-key-file", privateKeyPath2,
 				"--peer-trusted-ca-file", caPath,
 				"--peer-client-cert-auth",
 				"--peer-cert-allowed-cn", "example2.com",

diff --git a/tests/fixtures/ca.crt b/tests/fixtures/ca.crt
@@ -1,22 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIDrjCCApagAwIBAgIUb9uSXkXCq2x822QXvNdvkf/3ClkwDQYJKoZIhvcNAQEL
+MIIDrjCCApagAwIBAgIUNkN+TZ3hgHno+H9j56nWkmb4dBEwDQYJKoZIhvcNAQEL
 BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
 Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl
-Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0yMDA5MDcwOTQzMDBaFw0zMDA5MDUwOTQz
+Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0yMTAyMjgxMDQ4MDBaFw0zMTAyMjYxMDQ4
 MDBaMG8xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
 BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT
 ZWN1cml0eTELMAkGA1UEAxMCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQCQfDHia502Omwu1BkWB6yO4tQ2pMUkJccU6NWV1jhEJotXr6Nl84u4Z5Mf
-EUUKNJ9frS928RXnL9bWepk1iyILHECOTZbQvolEy4u9xkuddovDvYr3Id7AopkX
-z08OKPdclxTrcRPP5MUtYJ2Z7nwAYBamRMIl/oTXiDNf406V0dP9fk3MHs5DcDa5
-FpFXUII5fM3rHCv6UtwYJ++H1imy1LfpYyOd+/71Mk082/5EtHr35O/LG/ySTozp
-bi6pkNVhy6aylNdsGml03dQNzam8G19KW+W01c9EOI00SgZxanK2JxUQisAbXUba
-fseHa7eKMTdlr7wZe6Cw2s1x2ROBAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP
-BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTRTZxGpVyNLLwH02fkOEb3hsqgEzAN
-BgkqhkiG9w0BAQsFAAOCAQEAa7LXcHHXKRSxNv3+InYyi5/5pMjHO+v22s8/+3cJ
-qIIdUgCDrtoxLalyhpRbMYOGWfIjM3bUGW+I03AGzMwQDlmz01vP5UDv6toMswFE
-5F32sDbJw08qIngFOUmz629fi4/D5XOVzDBBh8Nw6ZAd5RJLbutNb+R/dnZYh+Cf
-Uwv4iY3qksXlNXLoGUc41Fi8rNBwVsx2R2dF3qKGoKoQV+8aMiCvYObHptIS5DZe
-T0pgg6RRTH3QeVEFUKNn4L0TDTm4NrqdSXysOFG6YhSI+Yp3gXLSWmH9XJLOKS64
-KgAUhYSWjzQ2TAiZD7cKzSvaWg29j9QlA4Bx6DnAvJLNrg==
+AoIBAQDZwQPFZB+Kt6RIzYvTgbNlRIX/cLVknIy4ZqhLYDQNOdosJn04jjkCfS3k
+F5JZuabkUs6d6JcLTbLWV5hCrwZVlCFf3PDn6DvK12GZpybhuqMPZ2T8P2U17AFP
+mUj/Rm+25t8Er5r+8ijZmqVi1X1Ef041CFGESr3KjaMjec2kYf38cfEOp2Yq1JWO
+0wpVfLElnyDQY9XILdnBepCRZYPq1eW1OSkRk+dZQnJP6BO95IoyREDuBUeTrteR
+7dHHTF9AAgR5tnyZ+eLuVUZ2kskcWLxH3y9RyjvVJ+1uCzbdydVPf0H1pBoqWcuA
+PYjYkLKMOKBWfYJhSzykhf+QMC7xAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP
+BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQpJiv07dkY9WB0zgB6wOb/HMi8oDAN
+BgkqhkiG9w0BAQsFAAOCAQEA0TQ8rRmLt4wYjz0BKh+jElMIg6LBPsCPpfmGDLmK
+fdj4Jp7QFlLmXlQSmm8zKz3ftKoOFPYGQYHUkIirIrQB/tdHoXJLgxCzI0SrdCiM
+m/DPVjfOTa9Mm5rPcUR79rGDLj2BgzDB+NTETVDXo8mAL5MjFdUyh6jOGBctkCG/
+TWdUaN33ZLwUl488NLaw98fIZ/F4d/dsyCJvHEaoo++dgjduoQxmH9Scr2Frmd8G
+zYxOoZHG3ARBDp2mpr+I3UCR1/KTITF/NXL6gDcNY3wyZzoaGua7Bd/ysMSi1w3j
+CyvClSvRPJRLQemGUP7B/Y8FUkbJ2i/7tz6ozn8sLi3V2Q==
 -----END CERTIFICATE-----
diff --git a/tests/fixtures/client-clientusage.crt b/tests/fixtures/client-clientusage.crt
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIECDCCAvCgAwIBAgIULbzkAv8zbkJzZIRDPnBwXl0/BH0wDQYJKoZIhvcNAQEL
+BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
+Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl
+Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0yMTAyMjgxMDQ4MDBaFw0zMTAyMjYxMDQ4
+MDBaMHgxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
+BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT
+ZWN1cml0eTEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQDWBNo9tYRoQKv76xabz0EPXGJKHIrUjf0NbXz3d9jbP2sH
+3hutXr/A221pULfZYIZdaUtmEuEr1905nYwJ2gnO9Y/iSc6fQ/4EjoT+VZLdINQw
+I1dG2rtv2ZuYL5oYfgCjLkV1LzYuyfY/zJ93WoJW0YA0t50MEQNGEqD7pYlhsPej
+iGyjagSi7zsoAkAagNprULH6RyAqDG7db+MfJOUzHUv4PWGBXPb0PHY3xA+WayFB
+nP5AZO16oDh/UnzvfEAJULXeIOLs4eOmtzKMwZwrWzgCB+jBeVlc1FOwXQcmBamN
+eYUs75GoO9aSSLROvnQiw2P0z0xVNmDokDXGsSRxAgMBAAGjgZIwgY8wDgYDVR0P
+AQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYD
+VR0OBBYEFCB4ysDF81d6lkKIvebj08BcRWNoMB8GA1UdIwQYMBaAFCkmK/Tt2Rj1
+YHTOAHrA5v8cyLygMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG
+9w0BAQsFAAOCAQEAo2B+piCBTjdpCLFj/kc+A0alZTbNdr0+BTsN+5aBE9k4JlZS
+smkIQL0vyzjKw/W/o2EyPVcVKJX52/GQsC3bQrBb2lH1jRYgt5pRo24kKHy4Nlc3
+IaYg++ssfT2ZdpYiL3lzLyOHEumcynz3nI5M81e5CCIdEennxaM8FuiYN5OXDOR3
+j+bCYHLYPaWYZopfiSrnq+Z4gRUS2sMI1yqtiPSUdIJLnTfyEEdexvs/KUtFWvFO
+4AcecKvT6HA8oNDiWfE6e854uDLTkbXW1rK+FWPU9pv5NR50+GBCvxvmDGtGXxQu
+yu+kOsx2gfgNc4idIv1pjZF/1YzrrKGAhChN2A==
+-----END CERTIFICATE-----
diff --git a/tests/fixtures/client-clientusage.key.insecure b/tests/fixtures/client-clientusage.key.insecure
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEA1gTaPbWEaECr++sWm89BD1xiShyK1I39DW1893fY2z9rB94b
+rV6/wNttaVC32WCGXWlLZhLhK9fdOZ2MCdoJzvWP4knOn0P+BI6E/lWS3SDUMCNX
+Rtq7b9mbmC+aGH4Aoy5FdS82Lsn2P8yfd1qCVtGANLedDBEDRhKg+6WJYbD3o4hs
+o2oEou87KAJAGoDaa1Cx+kcgKgxu3W/jHyTlMx1L+D1hgVz29Dx2N8QPlmshQZz+
+QGTteqA4f1J873xACVC13iDi7OHjprcyjMGcK1s4AgfowXlZXNRTsF0HJgWpjXmF
+LO+RqDvWkki0Tr50IsNj9M9MVTZg6JA1xrEkcQIDAQABAoIBAAGBZTub5EOLeOo7
+vBv6eD2wa6yTyNI38Xi/tWpUOH1KU+lpQY6VpQmpQXrFK5Xm3OsZS4N7TIQvb4nx
+NsP2+aywA4QW+tIZ+1Zy3jKfzXmqunNgPEPuU/U0dai7ZP0ZHc4IDEsHuvzXRNks
+Ck8fnt0XeixkwkEMeZZrmSBMCMxcHAWxiv+oXF+olN3vTD2aDC8T6YwahMyQUQfW
+IA9fuO8Dzzmk2I7mDHa29cbB+PW4E5tkJmHVZqEu8jPgMjCJGc2IR1YpLAXF8YBB
+vgh6ZgI6JOg1OiNETuQekamAMOblFVOdPUjPSxuyJzEE8VpIdD3Z9UMNq+FDQh/F
+j1lEEEECgYEA9nYwUh+e0H9c9IRBLNYAbq2PV4SpFKvFrHOTQpylMPisUTgdHKLT
+CvO1wbNprElBAulOWobCyKshWGd5ECFsCvsWS6xmGi442q3ov5xtAMmvSmtW8s+8
+tUeVRQGS/Yn5Uxj2msUPe6vJEniLgsxmbFbDYqvr65COrAsCDEY3DkkCgYEA3k09
+EGhiO1joDtJPI21vUzzecBuep32oKiwip3OgS/mct04/QR+6lp1x4sPMYlyxbyk9
+jPdkzU07d8r+mES9RweE5lc1aCaF5eA8y6qtL9vBgsXRiEXlpYLxb0TOQaYNU0qM
+aYumYPWjsjwYDvRKaVzThFUkYwapKFqtMV98BOkCgYAkIOkucLIwMCtpMKX5M5m2
+n7yegLTkcdW1VO/mWN4iUqG3+jjSRNAZD+a58VnxRn/ANIEm5hBRqDxoICrwAWY8
+Kdh32VrSRapR7CJtTDnyXp5Sk2+YgnlQPaEVD4kDn6Er3EHyKCb/4wvDqGYTE3GE
+OifEJB2eV3+Cms5/DB/v+QKBgFzV8r9saEGSkm7GI2iPJiOj0t0Mm8gksNrTzbES
+l4nC91CR69adkoWdwNbLoAof3bWnil3ZXw5hx4jyjDo40rbcDANJvjL9i4OBjsIb
+R/Ipmvmq9SMs1Ye2VG98U4qU9xGmm1bkjBoH21HuyLlOCdlQe8DS8bwtJu2EWLm6
+v4cpAoGAP3pqi6iIZAbJVqw6p5Xd/BLzn3iS+lwQjwF/IWp5UnFCGovnVSJG2wqP
+kxL9jy4asMDDuMKzEzO3+UT6WBRI+idV8PgDNEYkXcnVAA5lZ+2kCJwRICsC6MYH
+1nIHJtPngUrwT3TUhMp/WfpYUjTdiOC3aJmKq/NGZxE8/Sb3G6U=
+-----END RSA PRIVATE KEY-----
diff --git a/tests/fixtures/client-nocn.crt b/tests/fixtures/client-nocn.crt
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIID/DCCAuSgAwIBAgIUWFc9bqAgLYdNGvkVaddwlCvrGskwDQYJKoZIhvcNAQEL
+MIID/DCCAuSgAwIBAgIUCzIuVb3586z5C2rQ65jeo4wfbfowDQYJKoZIhvcNAQEL
 BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
 Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl
-Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0yMDA5MDcwOTQzMDBaFw0zMDA5MDUwOTQz
+Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0yMTAyMjgxMDQ4MDBaFw0zMTAyMjYxMDQ4
 MDBaMGIxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
 BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT
-ZWN1cml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKtllzAymU7Q
-/TVdZwqP84zXC2btrq8I0nXRQ3dx5MyATb8/RGRgIYLUc3k9w5OvS3Eo6Tloxz2L
-BzZ2Y/aJibfzVl/mKbGrQYYGD/iGKDLv+iJ7+uOLf/eqERDe4K41OIJRfGD/a9Y8
-XXBIxYrtayfjv1gbonWjgwdcrEX3vsDWZ5cWK7BBoaBuL0lUPJgU0QCSBQqKC8EO
-2KXVjnSZglywRDDPa4vZrmSdpGeci9b1jj3CeBjcVjbEmgQxLZ83W1ASe74+IBtH
-fHtNSGNF5/joxqeF0X3Ve+luzhRyHUd3k2bfVXZJ+vEAymabY680Hvp5mfYPKUIu
-NL5gF6bfZ68CAwEAAaOBnDCBmTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI
-KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFLtGYQh2
-/fZo6O14SmcaAIiTVgHOMB8GA1UdIwQYMBaAFNFNnEalXI0svAfTZ+Q4RveGyqAT
+ZWN1cml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKmOrIfZ9mH9
+O3wLgGinUXDAG+XAP6P6NG9VkWaCUfOkY8x8RKSeuOri31EgYGmFYmQXCtS/WlHD
+GCLrUhTnIrC1/WqvuPJIoMMTw7JLh59IuIWdlxds7FWjyuLmi4oUHvCG6aXiT/Z3
+ylp4r/HBL+R6KKqQpRjFfwhb1bIWpxZe5ghUtx4AuAW7ayQgpC7FJ3aVW/SS5p0m
+IxyKqGvl45IsZuZY59Sa/X2AWSRpr+qe0tM4n1R+1bDhjcV6EuhyfubdSkZHfUJp
+PaoUdynHT/VuI5xMF4OXbiwXP36XvHiHd9LIrPOyubrRYvn8dKweBJkvNCnlQo09
+zVH5zb9p0DsCAwEAAaOBnDCBmTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI
+KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFG5evtY/
+UIPMBcah3B/1BWDI14nUMB8GA1UdIwQYMBaAFCkmK/Tt2Rj1YHTOAHrA5v8cyLyg
 MBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA
-EYaGSg5EaDBNte90AkjcP/NPbK22mE4aOUDMoNXMCmjmT4LVUhxV9MnwPmfAIvzz
-GHLZsVTZPt91ex3lzf/mKV5CPbAnpn29U7tTHkgGaUhXuVN1/U7SEIEygApuvPTX
-tYdY5vCTIRdlylNjYm29tQFIY/+L4og5lxFnfbjVyr3QPxHPB/9T7j0Tl5ppDjoL
-zOhWe6PSUI0hVDpEwL70JH6CvqdS/5VjcToPwUw6YtUXNc2SvgJZK1biaSiJMnLf
-k+ao0d/33BfZMzY2TTzX3UUNhcRk6plv1ljtyQiXsIOeUpNptQ/SdPVZlOI0biMW
-Lo+BNaBpRERregCuiuuVnw==
+VBjy5UtSe/f66d7dKgZVVfKDiOeSb1knATSy7/JyubxVgq64yTN6fqIYRQg4gyVW
+IPf8W4BbhEXeA7VumVuTTKjILoufGecjrjA1Skb4lWGfV21A51Fs9TcMLPiQYZ1b
+e2J2Trtd0CsteQj4BDrbgiSxahJBaj+4PfXM1tef51DJs+gEg16DGxdzFBtlY+ih
+SwOX6YcUyxYzYX2szafPpVRuQqU0B63FkvBbsNMX1KamtAsLtvf/JxYpPY9eg5t/
+b5L6pXQkp6bK3q8Gv1WApjD8tcwqBkcJrbjgJ6gfW9h3zEbLmxkAv46sJodVLInL
+SYrHgrQ7TRd29DybB6cPAQ==
 -----END CERTIFICATE-----
diff --git a/tests/fixtures/client-nocn.key.insecure b/tests/fixtures/client-nocn.key.insecure
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAq2WXMDKZTtD9NV1nCo/zjNcLZu2urwjSddFDd3HkzIBNvz9E
-ZGAhgtRzeT3Dk69LcSjpOWjHPYsHNnZj9omJt/NWX+YpsatBhgYP+IYoMu/6Inv6
-44t/96oREN7grjU4glF8YP9r1jxdcEjFiu1rJ+O/WBuidaODB1ysRfe+wNZnlxYr
-sEGhoG4vSVQ8mBTRAJIFCooLwQ7YpdWOdJmCXLBEMM9ri9muZJ2kZ5yL1vWOPcJ4
-GNxWNsSaBDEtnzdbUBJ7vj4gG0d8e01IY0Xn+OjGp4XRfdV76W7OFHIdR3eTZt9V
-dkn68QDKZptjrzQe+nmZ9g8pQi40vmAXpt9nrwIDAQABAoIBAAZjRmO29wy/cDht
-bzovDEIq/5NJ93ExkHpwnqWUepT+kSc4Cen9xTH1jgouOZxG87ZXcn2/wHE0PcQT
-XH1jOd0/te/kCZjEC7CdiDnYciYX2Igxe7PATrghv/oTfGcxt5XvyIVq749v94GI
-TMh1OcGmVMrJWOAuhGMhWpBO/+5634pt/GwbE8xAimMpOLtk5G/wHM9yWEPu3fVK
-fhz57gvlZXwWtSAsNgvGnRYw5FABJ+TxskM8TJmnWkeea6kmg7IhRQpXIPoxYyGJ
-P9d6xGNBoPzLoXcZfQUL/E3m93gN51P4bCQ7O2sIX9WKbnuFQ5B27zQtitnT0JCZ
-TwHyD+ECgYEA1hJE5x5LuNRS5Tq8miGmo2YPg+zYQ+5gQNwAbdae8s1G+HnKbdS0
-U3RUcLa/RD/F0cvNpUC8FIQNTBFX9+vfek3kB37AiGDgRJHmRD+yudhympbj9RvM
-iw2zQzr56V8nHBY3gS7Gq6EgZqN+9JCtHof2cBa6EnBGPVfpZ6UtMKECgYEAzPeV
-EdUKGHOcZsEFYfCFkY7sSOD+KlDcMmuCEzRgpNrhhqwmxSFWEbrQ11+Il5/WL58e
-x1J8ZwQAarjeAHMGCbZaxWmN6Owz08XvwSQWasHeRqR0jiuJywSbsg94lUY87mSl
-7k8FJ4+fhp7fAzjBr9LwM448TGRPKe2T6yVFpk8CgYBtNMqzwM/OTXqweCNo2cvh
-xZoaqgO1u/Cchd8uKXPS14fiEHeFSiJoBItjKMcwMPxgx4B0Ui7gpHEIIjznPAw4
-n225qR7dM9aVBH0cygYKKvJkDJ/kFbdmJKoTnQ2K0UDpYigUneE6Ayu9UKDecMPw
-NFoy2lU4PNCIUMXAWxJPoQKBgA8aSxymQvksQ6D6pgfibiUcj+KK2Y+Kp777VvlN
-SbW7/xQqSS0LWMkzp8HG40yw1Vpq8hyjwlDg5Zr3hjwoPZCnpCaZsYAxL1xyYEkt
-/IzfPh6cbY4wPRX9f+9t3me5ZjH2rpdRsUKJ/aowuKQHIZZwB4z09RJ37bFcNSMF
-ew1XAoGBAM9lh717yxLq7my60R68AKpvACOz3fyhGDDJdQT8h3b4UcO9C8luOtIS
-LRVZHkv9O4uCLh+XHik87qc9ntxDIGElikjymey19xWjuk8HQSYAyWbw5SHdDsth
-1W8QacI9KLlHAujZwi1VB9HuUnGhtlLt6IW5sZxFItiV0OxJZX79
+MIIEowIBAAKCAQEAqY6sh9n2Yf07fAuAaKdRcMAb5cA/o/o0b1WRZoJR86RjzHxE
+pJ646uLfUSBgaYViZBcK1L9aUcMYIutSFOcisLX9aq+48kigwxPDskuHn0i4hZ2X
+F2zsVaPK4uaLihQe8IbppeJP9nfKWniv8cEv5HooqpClGMV/CFvVshanFl7mCFS3
+HgC4BbtrJCCkLsUndpVb9JLmnSYjHIqoa+Xjkixm5ljn1Jr9fYBZJGmv6p7S0zif
+VH7VsOGNxXoS6HJ+5t1KRkd9Qmk9qhR3KcdP9W4jnEwXg5duLBc/fpe8eId30sis
+87K5utFi+fx0rB4EmS80KeVCjT3NUfnNv2nQOwIDAQABAoIBAECPnM4VhiUFgTLY
+RkqS+wWNgJHYw+KyEGkcEcMQeBfnTkC8SH7OGOcG/7UqOMu1CCPISk17lu5u9K/H
+HnfrEmBqy1VmF2vZj6z3x5oJ/FgAHpJx0OgQh2SMe2IuGo+23ZkEJc8N/xh/wEL2
+lTfeMVgz02wuq05lVNtf7FxlF7YCSaxxxDtQQTDR3BSq6l12tB81TQvAD+yh35Gs
+1jGhPeKHWc1jny309vczpJq4eIK2xhE+MT8YZAiuHCLGOHUlBBpleo5knyMueVE/
+/Ezbz6eFiIFYpoHA3d3pv3Dy+5WVnhD0YDQPe+jCQrzxyFGDiN488JQ2tVeRM85b
+q0naaZECgYEA1T8XWPqRkhjMy0vJxTVux+wdD3u9DIvgBfHxjBUS2xlZdOiLLmBD
+CDVLKe+Twn0KiTb0eU+zNn4g1qnxLXmAH7xYWPLtqoI4mM0O89SWxr06ExplamHp
+w5k5O3eJr0veKyCUqVbZRZsOQLi1zqEbaOqpA7TrsQOOT5io+0vVoV0CgYEAy407
+JRaGBTBNOPayBVFY+7PRsSRPtcjzbOHriCe4rDn8aIPPmzHyWEIL0pXk5I1eW978
+veC/2oZMsxO2vaKta1bSSOrNA8UJQ+t5Ipp6Fj6yAI5dMDcgOIctE8ctxDUfccQM
+kS5DDw0W3zYMI7ixyOe6ydX4OAlcpZgqFpNIJncCgYEAuB1pAyIUXZeb+krNQsAH
+jgWGcb/cUeDS408pxlDLnvAcFJxSzw+90HBzHRoE8X8UgbQ5ECSIDxyHLdA8s46b
+2Mq9XM8h9H3Kb+NcbZm3NJBce/Hmbhtrwb2hdH6ZGgjfIU1YDX02yqo9fBP+pRDk
+oYk5tEGY3ZS8YmzkOVQYduECgYACgnNAOc7dMYNCOIhpWF9oewcS0AfLjfayWPa2
+bwbv2KcsArQEjdEXFXlf10lDKBsJtu4WyTaUUyOO8adHH0JUGHXvQDXW3g8HL1gG
+/TCUJaG8MAUmGwfiqof7vnDqAl2o4WnmQFPDU738coYjypsmhvTemCy/RB5ITF/4
+d0hkcQKBgAWpzCnPAh4tPWw1OGE2QSsbRR15hR+67BltiZ+nxJnDcXXS2i08QBkA
+3VR0ywWsos+Sox6jm8LpH8RiKqZ5laUjHHUUuX1Tgfxn4EmHo6bBffw7k9vkY7xr
+w5Nw/gMRevkRrDQ4Z66z2HspyCHfmdPzWX9zsaSc4nzNs7fw2/uf
 -----END RSA PRIVATE KEY-----
diff --git a/tests/fixtures/gencert.json b/tests/fixtures/gencert.json
@@ -8,6 +8,24 @@
           "client auth"
         ],
         "expiry": "87600h"
+    },
+    "profiles": {
+      "client-only": {
+        "usages": [
+          "signing",
+          "key encipherment",
+          "client auth"
+        ],
+        "expiry": "87600h"
+      },
+      "server-only": {
+        "usages": [
+          "signing",
+          "key encipherment",
+          "server auth"
+        ],
+        "expiry": "87600h"
+      }
     }
   }
 }
diff --git a/tests/fixtures/gencerts.sh b/tests/fixtures/gencerts.sh
@@ -31,9 +31,15 @@ function gencert {
   mv $2-key.pem $2.key.insecure
 }
 
-# generate DNS: localhost, IP: 127.0.0.1, CN: example.com certificates
+# generate DNS: localhost, IP: 127.0.0.1, CN: example.com certificates, with dual usage
 gencert ./server-ca-csr.json server
 
+#generates certificate that only has the 'server auth' usage
+gencert "--profile=server-only ./server-ca-csr.json" server-serverusage
+
+#generates certificate that only has the 'client auth' usage
+gencert "--profile=client-only ./server-ca-csr.json" client-clientusage
+
 #generates certificate that does not contain CN, to be used for proxy -> server connections.
 gencert ./client-ca-csr-nocn.json client-nocn
 

diff --git a/tests/fixtures/revoke.crl b/tests/fixtures/revoke.crl