Update test certificates to support SNI (#716)

go 1.15 mandates certificates use SNI. Update test certificates with new certs supporting this. Additionally, add a script and light tooling to regenerate
kolide · Feb 22, 2021 · cd1c48b · cd1c48b
1 parent 5ec27e6
commit cd1c48b
Show file tree

Hide file tree

Showing 20 changed files with 459 additions and 237 deletions.
diff --git a/pkg/service/dial_test.go b/pkg/service/dial_test.go
@@ -2,9 +2,12 @@ package service
 
 import (
 	"context"
+	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/hex"
+	"encoding/pem"
+	"fmt"
 	"io/ioutil"
 	"net"
 	"strings"
@@ -53,18 +56,37 @@ const (
 	badCert = "testdata/bad-cert.pem"
 	badKey  = "testdata/bad-key.pem"
 
-	goodCert = "testdata/good-cert.pem"
-	goodKey  = "testdata/good-key.pem"
+	goodCert = "testdata/good.crt"
+	goodKey  = "testdata/good.key"
 
 	leafCert = "testdata/certchain/leaf.crt"
 	leafKey  = "testdata/certchain/leaf.key"
 
+	intermediateCert = "testdata/certchain/intermediate.crt"
+	intermediateKey  = "testdata/certchain/intermediate.key"
+
 	rootCert = "testdata/certchain/root.crt"
 	rootKey  = "testdata/certchain/root.key"
 
 	chainPem = "testdata/certchain/chain.pem"
 )
 
+func calcCertFingerprint(t *testing.T, certpath string) string {
+	// openssl rsa -in certchain-old/leaf.key -outform der -pubout | openssl dgst -sha256
+	certcontents, err := ioutil.ReadFile(certpath)
+	require.NoError(t, err, "reading", certpath)
+
+	block, _ := pem.Decode(certcontents)
+	require.NotNil(t, block, "pem decoding", certpath)
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	require.NoError(t, err, "x509.ParseCertificate", certpath)
+
+	digest := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
+
+	return fmt.Sprintf("%x", digest)
+}
+
 func TestSwappingCert(t *testing.T) {
 	cert, err := tls.LoadX509KeyPair(badCert, badKey)
 	require.Nil(t, err)
@@ -82,7 +104,7 @@ func TestSwappingCert(t *testing.T) {
 	conn, err := DialGRPC("localhost:8443", false, false, nil, nil, log.NewNopLogger(),
 		grpc.WithTransportCredentials(&tlsCreds{credentials.NewTLS(&tls.Config{RootCAs: pool})}),
 	)
-	require.Nil(t, err)
+	require.NoError(t, err)
 	defer conn.Close()
 
 	client := NewGRPCClient(conn, log.NewNopLogger())
@@ -116,23 +138,23 @@ func TestCertRemainsBad(t *testing.T) {
 	<-timer.C
 
 	pem1, err := ioutil.ReadFile(badCert)
-	require.Nil(t, err)
+	require.NoError(t, err)
 	pem2, err := ioutil.ReadFile(goodCert)
-	require.Nil(t, err)
+	require.NoError(t, err)
 	pool := x509.NewCertPool()
 	pool.AppendCertsFromPEM(pem1)
 	pool.AppendCertsFromPEM(pem2)
 
 	conn, err := DialGRPC("localhost:8443", false, false, nil, nil, log.NewNopLogger(),
 		grpc.WithTransportCredentials(&tlsCreds{credentials.NewTLS(&tls.Config{RootCAs: pool})}),
 	)
-	require.Nil(t, err)
+	require.NoError(t, err)
 	defer conn.Close()
 
 	client := NewGRPCClient(conn, log.NewNopLogger())
 
 	_, _, err = client.RequestEnrollment(context.Background(), "", "", EnrollmentDetails{})
-	require.NotNil(t, err)
+	require.Error(t, err)
 
 	stop()
 
@@ -143,7 +165,7 @@ func TestCertRemainsBad(t *testing.T) {
 
 	// Should still fail with bad cert
 	_, _, err = client.RequestEnrollment(context.Background(), "", "", EnrollmentDetails{})
-	require.NotNil(t, err)
+	require.Error(t, err)
 
 	stop()
 }
@@ -162,25 +184,29 @@ func TestCertPinning(t *testing.T) {
 	require.True(t, ok)
 
 	testCases := []struct {
-		pins    string
+		pins    []string
 		success bool
 	}{
 		// Success cases
 		// pin leaf
-		{"eb46067da68f80b5d9f0b027985182aa875bcda6c0d8713dbdb8d1523993bd92", true},
+		{[]string{calcCertFingerprint(t, leafCert)}, true},
 		// pin leaf + extra garbage
-		{"deadb33f,eb46067da68f80b5d9f0b027985182aa875bcda6c0d8713dbdb8d1523993bd92", true},
+		{[]string{"deadb33f", calcCertFingerprint(t, leafCert)}, true},
 		// pin intermediate
-		{"73db41a73c5ede78709fc926a2b93e7ad044a40333ce4ce5ae0fb7424620646e", true},
+		{[]string{calcCertFingerprint(t, intermediateCert)}, true},
 		// pin root
-		{"b48364002b8ac4dd3794d41c204a0282f8cd4f7dc80b26274659512c9619ac1b", true},
+		{[]string{calcCertFingerprint(t, rootCert)}, true},
 		// pin all three
-		{"b48364002b8ac4dd3794d41c204a0282f8cd4f7dc80b26274659512c9619ac1b,73db41a73c5ede78709fc926a2b93e7ad044a40333ce4ce5ae0fb7424620646e,b48364002b8ac4dd3794d41c204a0282f8cd4f7dc80b26274659512c9619ac1b", true},
+		{[]string{
+			calcCertFingerprint(t, rootCert),
+			calcCertFingerprint(t, intermediateCert),
+			calcCertFingerprint(t, leafCert),
+		}, true},
 
 		// Failure cases
-		{"deadb33f", false},
-		{"deadb33f,34567fff", false},
-		{"5dc4d2318f1ffabb80d94ad67a6f05ab9f77591ffc131498ed03eef3b5075281", false},
+		{[]string{"deadb33f"}, false},
+		{[]string{"deadb33f", "34567fff"}, false},
+		{[]string{"5dc4d2318f1ffabb80d94ad67a6f05ab9f77591ffc131498ed03eef3b5075281"}, false},
 	}
 
 	for _, tt := range testCases {
@@ -194,7 +220,7 @@ func TestCertPinning(t *testing.T) {
 			conn, err := DialGRPC("localhost:8443", false, false, nil, nil, log.NewNopLogger(),
 				grpc.WithTransportCredentials(&tlsCreds{credentials.NewTLS(tlsconf)}),
 			)
-			require.Nil(t, err)
+			require.NoError(t, err)
 			defer conn.Close()
 
 			client := NewGRPCClient(conn, log.NewNopLogger())
@@ -211,15 +237,15 @@ func TestCertPinning(t *testing.T) {
 
 func TestRootCAs(t *testing.T) {
 	cert, err := tls.LoadX509KeyPair(chainPem, leafKey)
-	require.Nil(t, err)
+	require.NoError(t, err)
 	stop := startServer(t, &tls.Config{Certificates: []tls.Certificate{cert}})
 	defer stop()
 	time.Sleep(1 * time.Second)
 
 	rootPEM, err := ioutil.ReadFile(rootCert)
-	require.Nil(t, err)
+	require.NoError(t, err)
 	otherPEM, err := ioutil.ReadFile(goodCert)
-	require.Nil(t, err)
+	require.NoError(t, err)
 
 	emptyPool := x509.NewCertPool()
 
@@ -253,7 +279,7 @@ func TestRootCAs(t *testing.T) {
 	for _, tt := range testCases {
 		t.Run("", func(t *testing.T) {
 			conn, err := DialGRPC("localhost:8443", false, false, nil, tt.pool, log.NewNopLogger())
-			require.Nil(t, err)
+			require.NoError(t, err)
 			defer conn.Close()
 
 			client := NewGRPCClient(conn, log.NewNopLogger())
@@ -268,10 +294,10 @@ func TestRootCAs(t *testing.T) {
 	}
 }
 
-func parseCertPins(pins string) ([][]byte, error) {
+func parseCertPins(pins []string) ([][]byte, error) {
 	var certPins [][]byte
-	if pins != "" {
-		for _, hexPin := range strings.Split(pins, ",") {
+	if len(pins) > 0 {
+		for _, hexPin := range pins {
 			pin, err := hex.DecodeString(hexPin)
 			if err != nil {
 				return nil, errors.Wrap(err, "decoding cert pin")

diff --git a/pkg/service/testdata/certchain/chain.pem b/pkg/service/testdata/certchain/chain.pem
@@ -1,67 +1,62 @@
 -----BEGIN CERTIFICATE-----
-MIIEFzCCAv+gAwIBAgIBEjANBgkqhkiG9w0BAQsFADBBMRQwEgYDVQQKDAtLb2xp
-ZGUgVGVzdDEVMBMGA1UECwwMSW50ZXJtZWRpYXRlMRIwEAYDVQQDDAlsb2NhbGhv
-c3QwIBcNMTgwMzIwMjIxNzU0WhgPMjI5MjAxMDIyMjE3NTRaMDkxFDASBgNVBAoM
-C0tvbGlkZSBUZXN0MQ0wCwYDVQQLDARMZWFmMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBmAZ1ZXtNh8eyZTmDRv/p
-hPxZmSvbynw4rIhtfo9vxkSB2NZ2KjFehIradV+v84B+18PaJiNxzewR4zNGs/LY
-eg/CVFzDI+UQeYSHYPFy3HgpXvOz3P0KPeD6AYah0im5J+wb9bwWawVqX64s4ee9
-i94P19Na3AiBuCo+v0CMMyrl0hwoLkrkrI0ng9mmXdktLeq/j5VN1ADsJcNs5cnS
-7PfOoGBll5toViisipUvCg+k1pg8Fj3SbQ9fLtpiR83GKGBFH6GbnM3QsNooqjFF
-Mfq+Eo3CfCI49CQ27fzg9FpnpqQbV9fZPVt72p4eAfBd6h515I9e2hvLKuX9Ej/B
-AgMBAAGjggEeMIIBGjAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglg
-hkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRl
-MB0GA1UdDgQWBBRymF6oK8bmdjLansuGiPBWU72dOzCBgAYDVR0jBHkwd4AUh+pK
-Cb7//2FGHdAz2Ht2YFEgj52hXKRaMFgxCzAJBgNVBAYTAkdCMRAwDgYDVQQIDAdF
-bmdsYW5kMRQwEgYDVQQKDAtLb2xpZGUgVGVzdDENMAsGA1UECwwEVGVzdDESMBAG
-A1UEAwwJbG9jYWxob3N0ggERMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr
-BgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAYVF8B9HyLAbtLfz7oDDh8SG5I38K
-wwwYgTnH1hPTe6jDl1tSj1io1wLL9USHFO8Y5RVKwzZc4L9b1bBiZOByXADPNLlJ
-QJZVHfGDKP+6blWIxJyj1tFP33N0DhIITOArqNDWVJ2YYTIp3vDcYdOTl+gNE0Dy
-sbah5K06zjNdqJBjU19J7OuwS7HHlRW5azw+3dItB/YTH6yYtrUC0l8IifUe5zrY
-kQCUplNTzScS79bjLnKsyq7SHFofAzNnK7lgD+fypedIcI74ImNZkyxMG7ox0kz+
-YnYe5nOLneCMwSSlXckcA4oKnHOINVHvBLPJapXmpWXsh6yL4G+uuiJbig==
+MIIDYTCCAkmgAwIBAgIJAKfnjRYUIlLEMA0GCSqGSIb3DQEBCwUAMEExFDASBgNV
+BAoMC0tvbGlkZSBUZXN0MRUwEwYDVQQLDAxJbnRlcm1lZGlhdGUxEjAQBgNVBAMM
+CWxvY2FsaG9zdDAeFw0yMTAyMjEwNDExNDFaFw00ODA3MDgwNDExNDFaMDkxFDAS
+BgNVBAoMC0tvbGlkZSBUZXN0MQ0wCwYDVQQLDARMZWFmMRIwEAYDVQQDDAlsb2Nh
+bGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4dCu1dG14MoU2
+yfhpJEhcu3P5EnK37FuTJ2MR+Lg1yrFXEi1f2SAZQX9hz4MvuV3V/UXN/lUOWfPE
+HiABlnH3ni/6p81Y14uzOT/+3kCzrQ6uj8YN9hPw1uCuo+msxSMxnmVtWSuKAie5
+r8popcUJkzS5c2e8A0M1M7/L8DkLopiJxZShc85duzRUSkuOTwOI1mFJ0JHL4odk
+HVn3y0pXJlLUsyoSIXIH6yEQZJ4K8sdf4h4lpl16NKKXzJisRUeqUf17ex3T1y7R
+EIvTDDiVZ3zTaOh49y/qXHKwqNafIPnTaC0h4GQfXN83mp2TLrMuNhzbGDIEqLDt
+KzKtxlvfAgMBAAGjZDBiMAkGA1UdEwQCMAAwHQYDVR0OBBYEFLIPzaBkDozRWgi7
+u43t5xfGEER7MAsGA1UdDwQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAUBgNV
+HREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEBALWKDlF6m+AN7m91
+TQnTIolRrpXNjZ5avS0yRu8LYUu5BofeMhcz0TBmvMxPjurGaDZqATNKEhFzNibf
+SxWlMijBaKiX3jSn2xAhESviqrLFQvR73j8Aqq25Ynmynw3AXYMxyNle+sHnOhli
+lOF0FJoatQEoXqa6ECNvdnt8Q3imGJsUqGhpD4GFr6qn6fuidfNwhLgIllvMBmXT
+LgEQkVv4gN1tc4gy1la+FAYM7F2WO5AMvmWTOID2NUYLCitQ7Z/dr+GJjiSvnH7F
+WuMQWc8i9DV52btgJLJw8Pg1IerbRNhacBTDoqMz4TQtisG6HQZtyV+QyXaF+k2o
+zLBZhB8=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIDfDCCAmSgAwIBAgIBETANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJHQjEQ
-MA4GA1UECAwHRW5nbGFuZDEUMBIGA1UECgwLS29saWRlIFRlc3QxDTALBgNVBAsM
-BFRlc3QxEjAQBgNVBAMMCWxvY2FsaG9zdDAgFw0xODAzMjAyMjExMDVaGA8yMjky
-MDEwMjIyMTEwNVowQTEUMBIGA1UECgwLS29saWRlIFRlc3QxFTATBgNVBAsMDElu
-dGVybWVkaWF0ZTESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEA4/E0D1GTnwpUBebbpEL+xuuxFIfWD86R/Hot9IM/872a
-AICCarQ4wzUyOK6lGnew+dNXV8q0cxqfbsUIJTfMIZLk9xc4haOHrVEkGxhh8cZn
-z+cvK9nV+w1nE489GqeFhcRMT4aMTYkok30HPGhwPu1OAOae0wx8rI+xp/YQHutM
-amU63P2nY0Y3fScTra+NagGBRj1CSPx9aTQFNw2DgjM+HGR4lVdvoLbRfEwihgdA
-zN3ZF+JstmlUcBar8EecS55Rs9qag6MJSY2EqybaYNvyzJ9cF6qcBeocu9OmANFW
-kCO/vh/CyzX6IiLfujA9+EYBSDg6qMNThdr+54zbuwIDAQABo2YwZDAdBgNVHQ4E
-FgQUh+pKCb7//2FGHdAz2Ht2YFEgj50wHwYDVR0jBBgwFoAUgQtceKkR61mCgzJA
-MxTaGvDanwMwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwDQYJ
-KoZIhvcNAQELBQADggEBALGluU5Vq4GBBoxIGXruHXBq0YObaqE+jWyhmeTdqOWc
-jl+2nppQHClwfnI7wSZ6vlEEfE+7fQwMZdIvke47vmRDx+O/p3Kcvb0q1DiiiBsY
-hs+/tiCCkRML/amELVbkOQ+FOZ1X465e6C3FkFzelNost7R2kOXpNIUQgs3BdF+g
-Ef0szhjKBRhgIahtMERMaymTaO9pV7HRoet0BnGsMNvzp+F+bVo/DlkT/DXMwyRA
-4IQdpH4yMp49+G7RC0E8bAkd9Btr3tuufnonyN1DWWQ+UJ/zGMot2N8h03o2i4IZ
-G5lZeWClTClEIRKdaIA++fX0qxjSU43gdp5vUEthEdA=
+MIIDXDCCAkSgAwIBAgIJAP6ZXtailWKdMA0GCSqGSIb3DQEBCwUAMEQxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJNQTEUMBIGA1UECgwLS29saWRlIFRlc3QxEjAQBgNV
+BAMMCWxvY2FsaG9zdDAeFw0yMTAyMjEwNDExNDBaFw00ODA3MDgwNDExNDBaMEEx
+FDASBgNVBAoMC0tvbGlkZSBUZXN0MRUwEwYDVQQLDAxJbnRlcm1lZGlhdGUxEjAQ
+BgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AMCBUokGb/JOJRFmK7k1cnk5ClQfCuAZspwyS3IvZa9DSbG3pv/5b/UT6KS1/JFQ
+Hqdc0NcD1M8gQKV2M3YP+flKVXafr2jEv87loc/RAjcusRJPh79H6T/iUJ5hbQ2g
+iiBinsFgwKkQRjl2ywQ/NPluCOW0L/4NDWA6P6CzupAFSBefDx9nzTR330awDA5k
+xiatuem2sK+S60m58O7HHck1yaz/Y+nkD5bBzOhrimTUYF8xgCIMMpPkNabwYm6z
+h54dGaJRhoyh4Hoddefi2+myTquwBSlD86yMcfo+ComILwi/LPg+ywYmp9YM6zwg
+CjgabC0QQ9Brj4kv+oXPCKkCAwEAAaNUMFIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4E
+FgQUD5HnwQKP+zng0LwGtrbBRHUh4RAwDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQAPpqmE3Bl7AQnK3bCosIcj
+wLwQ+4bAX14oQPdo0+3iqeNbY0fB6Qb4fk4GCHmJk0MzD03veSj8SRWWOlm0oqtd
+5kfCMseykVXFk2IC/2Ngza2Mbu4tetUYKB7CNleC3GT0S8UAxTvcSTcY8V9EUbd4
+9z7zqfNP7gJXzu6FA1oCeDPVdhGwiRX2jm3kYXzvClHMArxEgUEnUEgZwQG8Fq3g
+zjAYOyhW9j9SBooFtJR25RLEEdvGuCZz30YA3W/uiqixsqqPpuKhk8vuH6pTmfC1
+1FIArAbZnFarn3rpmYvrG2Bkknd3yShgBfK+wleUg6Ps8a6mnwMqZJFKk+ZctaRD
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIDmDCCAoCgAwIBAgIJALt10fPSwjhiMA0GCSqGSIb3DQEBCwUAMFgxCzAJBgNV
-BAYTAkdCMRAwDgYDVQQIDAdFbmdsYW5kMRQwEgYDVQQKDAtLb2xpZGUgVGVzdDEN
-MAsGA1UECwwEVGVzdDESMBAGA1UEAwwJbG9jYWxob3N0MCAXDTE4MDMyMDIyMDIx
-MloYDzIyOTIwMTAyMjIwMjEyWjBYMQswCQYDVQQGEwJHQjEQMA4GA1UECAwHRW5n
-bGFuZDEUMBIGA1UECgwLS29saWRlIFRlc3QxDTALBgNVBAsMBFRlc3QxEjAQBgNV
-BAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMmR
-LRTYn9W9kB1QAXmY/W6g6uvKzldXFEMT+BuEtVDSCxDOgbTzdaP/BQyFBHeVKPEI
-mSM04y0Jstae+sWqC+VE8cWskLDqQhmnkifxe9cm3YUb9tx0IxtnBDgcrui+E3tc
-xMUD2kMti+38vESzfQ3NTuY8ojELtu5Uy17FapN4LTsxBBOHHp65+f/VBeudvXwr
-SbnhtQMokNyguGZeKBgkO0eAcAnpWRA6rv5+pJIZvkqoOKOjs0Q6MjRWBFbd+kAz
-89TY/f9uBlKGncxG56h/PD8XpFNIDi6nr3juSt1MIyVrFn8Jl94G/9aFlboWyy9r
-a7D8yFOK9xtx9LnqNC0CAwEAAaNjMGEwHQYDVR0OBBYEFIELXHipEetZgoMyQDMU
-2hrw2p8DMB8GA1UdIwQYMBaAFIELXHipEetZgoMyQDMU2hrw2p8DMA8GA1UdEwEB
-/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQB4MGMp
-TRT1+Z6/Dtf1XoxTat+WxMrwtOPQAZkCHIL4xP1ppMTcst5RdI5fxs82RGDBkrXr
-zbsMrfF840B23nE9uphZp5G4vpJdjSZt8wsZeaf6DsHq9f0mYgexdRT8TTP14qzq
-166tDUFmz28TMnsnSE/NGFnb05CyTCB5lqjSxi2TMOwzYYWT6k62M99GRM7LeqXB
-qr/tTva2CJQnzYFlXTVtZnbRqknNVHgh4FLe4yIeV2R5UN8qlOXkqVi/LCy4Fmq6
-tNh2DqQmAsY1NZF2YrLSsSz8XM7awPVtRKLeC7wvvkrp4Iwt/NVkHm+3FZlChThT
-mhB7KKl0jotfmwfP
+MIIDazCCAlOgAwIBAgIJAJmGusbxUQbSMA0GCSqGSIb3DQEBCwUAMEQxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJNQTEUMBIGA1UECgwLS29saWRlIFRlc3QxEjAQBgNV
+BAMMCWxvY2FsaG9zdDAgFw0yMTAyMjEwNDExNDBaGA8yMjk0MTIwNjA0MTE0MFow
+RDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1BMRQwEgYDVQQKDAtLb2xpZGUgVGVz
+dDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAvYfAZDk5tyovy0DnWCywwJSH8VhT+YHPCnQEjhSKZNIrRtXe2krMSfjE
+gqqnZwjRmf3tK9Dm14sYQRwSBKIR/1xnyL5BJVVTcFW+Z61vFa819QC7CFgsvy9k
+AHSCG6Z+KUD0I+oU9p60tI4L3bj9XEwiZCbFeOEQYHk+wlxqXQ21g/rK7W7/dKQW
+riCHev0IWmo6UagLnZ1NALWFCAor2LKTuLQit6KXQcEaYP9WkokU72/f6tRRPvvJ
+ylAf9XArmW/IQhqAF19pnJ9/t+CUTHEMYCgvE4c9Y3RwnKCPNwoo3PI024DEuE7C
+KiFAWAIOXkHDs3oM0WBqA7caX0QjuwIDAQABo14wXDAMBgNVHRMEBTADAQH/MB0G
+A1UdDgQWBBSt50BM32eQAwHgzQD5yUYBH4yRuDAOBgNVHQ8BAf8EBAMCAgQwHQYD
+VR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQBT
+ELjX4krOkBBm4DruulgkDURyXdWUA6bwDbC6jcY9c39+VNRo0WSr7o7A1GvEP0vj
+weE0uuYvnYnxBCC39n3PDn48RyIIbzWKRuyKENVnKf/RuqJr8KN4slJ8+6nHijY6
+lvnkvHxXzQPj/O2wbcAXXZaXS1SsPqk45nJM1eXRqXgmI+DKP9ZxaU/28p0TOGxS
+akTgpKBGGUiJdf8V1Ghla6vMddy8yka+0wcRYtI9VY/0iBO8RUw2PJSrOWAQy8wS
+EPrKN6HvUQ5DZvPEV99EhQOAJAtIMPUlzOeZdtcA93qeos4QuPOgmYm0/Z3DTtcr
+BizsRCryXoQ2+82aEEsh
 -----END CERTIFICATE-----
diff --git a/pkg/service/testdata/certchain/intermediate.cnf b/pkg/service/testdata/certchain/intermediate.cnf
@@ -0,0 +1,21 @@
+[req]
+default_bits = 2048
+encrypt_key  = no
+default_md   = sha256
+prompt       = no
+utf8         = yes
+distinguished_name = req_distinguished_name
+
+# Extensions for SAN IP and SAN DNS
+req_extensions = v3_req
+
+[req_distinguished_name]
+O  = Kolide Test
+OU = Intermediate
+CN = localhost
+
+[v3_req]
+basicConstraints     = CA:TRUE
+subjectKeyIdentifier = hash
+keyUsage             = critical, keyCertSign
+extendedKeyUsage     = serverAuth
diff --git a/pkg/service/testdata/certchain/intermediate.crt b/pkg/service/testdata/certchain/intermediate.crt
@@ -1,21 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDfDCCAmSgAwIBAgIBETANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJHQjEQ
-MA4GA1UECAwHRW5nbGFuZDEUMBIGA1UECgwLS29saWRlIFRlc3QxDTALBgNVBAsM
-BFRlc3QxEjAQBgNVBAMMCWxvY2FsaG9zdDAgFw0xODAzMjAyMjExMDVaGA8yMjky
-MDEwMjIyMTEwNVowQTEUMBIGA1UECgwLS29saWRlIFRlc3QxFTATBgNVBAsMDElu
-dGVybWVkaWF0ZTESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEA4/E0D1GTnwpUBebbpEL+xuuxFIfWD86R/Hot9IM/872a
-AICCarQ4wzUyOK6lGnew+dNXV8q0cxqfbsUIJTfMIZLk9xc4haOHrVEkGxhh8cZn
-z+cvK9nV+w1nE489GqeFhcRMT4aMTYkok30HPGhwPu1OAOae0wx8rI+xp/YQHutM
-amU63P2nY0Y3fScTra+NagGBRj1CSPx9aTQFNw2DgjM+HGR4lVdvoLbRfEwihgdA
-zN3ZF+JstmlUcBar8EecS55Rs9qag6MJSY2EqybaYNvyzJ9cF6qcBeocu9OmANFW
-kCO/vh/CyzX6IiLfujA9+EYBSDg6qMNThdr+54zbuwIDAQABo2YwZDAdBgNVHQ4E
-FgQUh+pKCb7//2FGHdAz2Ht2YFEgj50wHwYDVR0jBBgwFoAUgQtceKkR61mCgzJA
-MxTaGvDanwMwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwDQYJ
-KoZIhvcNAQELBQADggEBALGluU5Vq4GBBoxIGXruHXBq0YObaqE+jWyhmeTdqOWc
-jl+2nppQHClwfnI7wSZ6vlEEfE+7fQwMZdIvke47vmRDx+O/p3Kcvb0q1DiiiBsY
-hs+/tiCCkRML/amELVbkOQ+FOZ1X465e6C3FkFzelNost7R2kOXpNIUQgs3BdF+g
-Ef0szhjKBRhgIahtMERMaymTaO9pV7HRoet0BnGsMNvzp+F+bVo/DlkT/DXMwyRA
-4IQdpH4yMp49+G7RC0E8bAkd9Btr3tuufnonyN1DWWQ+UJ/zGMot2N8h03o2i4IZ
-G5lZeWClTClEIRKdaIA++fX0qxjSU43gdp5vUEthEdA=
+MIIDXDCCAkSgAwIBAgIJAP6ZXtailWKdMA0GCSqGSIb3DQEBCwUAMEQxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJNQTEUMBIGA1UECgwLS29saWRlIFRlc3QxEjAQBgNV
+BAMMCWxvY2FsaG9zdDAeFw0yMTAyMjEwNDExNDBaFw00ODA3MDgwNDExNDBaMEEx
+FDASBgNVBAoMC0tvbGlkZSBUZXN0MRUwEwYDVQQLDAxJbnRlcm1lZGlhdGUxEjAQ
+BgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AMCBUokGb/JOJRFmK7k1cnk5ClQfCuAZspwyS3IvZa9DSbG3pv/5b/UT6KS1/JFQ
+Hqdc0NcD1M8gQKV2M3YP+flKVXafr2jEv87loc/RAjcusRJPh79H6T/iUJ5hbQ2g
+iiBinsFgwKkQRjl2ywQ/NPluCOW0L/4NDWA6P6CzupAFSBefDx9nzTR330awDA5k
+xiatuem2sK+S60m58O7HHck1yaz/Y+nkD5bBzOhrimTUYF8xgCIMMpPkNabwYm6z
+h54dGaJRhoyh4Hoddefi2+myTquwBSlD86yMcfo+ComILwi/LPg+ywYmp9YM6zwg
+CjgabC0QQ9Brj4kv+oXPCKkCAwEAAaNUMFIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4E
+FgQUD5HnwQKP+zng0LwGtrbBRHUh4RAwDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQAPpqmE3Bl7AQnK3bCosIcj
+wLwQ+4bAX14oQPdo0+3iqeNbY0fB6Qb4fk4GCHmJk0MzD03veSj8SRWWOlm0oqtd
+5kfCMseykVXFk2IC/2Ngza2Mbu4tetUYKB7CNleC3GT0S8UAxTvcSTcY8V9EUbd4
+9z7zqfNP7gJXzu6FA1oCeDPVdhGwiRX2jm3kYXzvClHMArxEgUEnUEgZwQG8Fq3g
+zjAYOyhW9j9SBooFtJR25RLEEdvGuCZz30YA3W/uiqixsqqPpuKhk8vuH6pTmfC1
+1FIArAbZnFarn3rpmYvrG2Bkknd3yShgBfK+wleUg6Ps8a6mnwMqZJFKk+ZctaRD
 -----END CERTIFICATE-----
diff --git a/pkg/service/testdata/certchain/intermediate.csr b/pkg/service/testdata/certchain/intermediate.csr
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIC6TCCAdECAQAwQTEUMBIGA1UECgwLS29saWRlIFRlc3QxFTATBgNVBAsMDElu
+dGVybWVkaWF0ZTESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAwIFSiQZv8k4lEWYruTVyeTkKVB8K4BmynDJLci9lr0NJ
+sbem//lv9RPopLX8kVAep1zQ1wPUzyBApXYzdg/5+UpVdp+vaMS/zuWhz9ECNy6x
+Ek+Hv0fpP+JQnmFtDaCKIGKewWDAqRBGOXbLBD80+W4I5bQv/g0NYDo/oLO6kAVI
+F58PH2fNNHffRrAMDmTGJq256bawr5LrSbnw7scdyTXJrP9j6eQPlsHM6GuKZNRg
+XzGAIgwyk+Q1pvBibrOHnh0ZolGGjKHgeh115+Lb6bJOq7AFKUPzrIxx+j4KiYgv
+CL8s+D7LBian1gzrPCAKOBpsLRBD0GuPiS/6hc8IqQIDAQABoGMwYQYJKoZIhvcN
+AQkOMVQwUjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBQPkefBAo/7OeDQvAa2tsFE
+dSHhEDAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZI
+hvcNAQELBQADggEBAEOf3zT6vyDtbJotvC0XaYVBhMe++nGIR92zcmqPnpp9pphn
+5R7UMirXDO3OVvOx/4DTex8FbBwsnbnBlg65ywBQFKYaOVOfBCwccahnxK/I9nwH
+UbfDTql/36JRrNIhvmLfGHDdrKvMTfax6+Xj6dERo9SLHKOaB+XC/AF5VfsKBlXw
+/C/wOqUaCkDwiVxF7o7Ry+J6msK5V+qPKhpZ6muyM2qDnyEfGazOiErd0VUzWIdD
+Qh3EaDWCRcnm/9s7032eTEM8pPaRDAudAXVZgjrWvIw6s+V753tFElZb3eRbP8Kw
+E2WSBKRTZC3pgcsv+saVxbos//Nzz8YqZbFTU9s=
+-----END CERTIFICATE REQUEST-----