17377205 IPS should not use M2Crypto
authorYiteng Zhang <yiteng.zhang@oracle.com>
Wed, 09 Mar 2016 11:27:23 -0800
changeset 3321 52e8eec3014c
parent 3320 f727edff50bd
child 3322 a0e75b0ba097
17377205 IPS should not use M2Crypto 22332625 test suite should test signing certs with unsupported extensions 16718631 pkg verify traceback "AttributeError: 'int' object has no attribute 'check__ca'"
.hgignore
src/Makefile
src/modules/actions/signature.py
src/modules/client/api_errors.py
src/modules/client/image.py
src/modules/client/publisher.py
src/modules/misc.py
src/modules/server/repository.py
src/pkg/external_deps.txt
src/pkg/manifests/developer:opensolaris:pkg5.p5m
src/pkg/manifests/package:pkg.p5m
src/sign.py
src/tests/certgenerator.py
src/tests/cli/t_pkg_temp_sources.py
src/tests/cli/t_pkgsign.py
src/tests/pkg5unittest.py
src/tests/ro_data/signing_certs/generate_certs.py
src/tests/ro_data/signing_certs/produced/chain_certs/01.pem
src/tests/ro_data/signing_certs/produced/chain_certs/02.pem
src/tests/ro_data/signing_certs/produced/chain_certs/03.pem
src/tests/ro_data/signing_certs/produced/chain_certs/04.pem
src/tests/ro_data/signing_certs/produced/chain_certs/05.pem
src/tests/ro_data/signing_certs/produced/chain_certs/08.pem
src/tests/ro_data/signing_certs/produced/chain_certs/0A.pem
src/tests/ro_data/signing_certs/produced/chain_certs/0C.pem
src/tests/ro_data/signing_certs/produced/chain_certs/0D.pem
src/tests/ro_data/signing_certs/produced/chain_certs/10.pem
src/tests/ro_data/signing_certs/produced/chain_certs/1A.pem
src/tests/ro_data/signing_certs/produced/chain_certs/1B.pem
src/tests/ro_data/signing_certs/produced/chain_certs/1C.pem
src/tests/ro_data/signing_certs/produced/chain_certs/1D.pem
src/tests/ro_data/signing_certs/produced/chain_certs/1E.pem
src/tests/ro_data/signing_certs/produced/chain_certs/1F.pem
src/tests/ro_data/signing_certs/produced/chain_certs/20.pem
src/tests/ro_data/signing_certs/produced/chain_certs/21.pem
src/tests/ro_data/signing_certs/produced/chain_certs/22.pem
src/tests/ro_data/signing_certs/produced/chain_certs/23.pem
src/tests/ro_data/signing_certs/produced/chain_certs/26.pem
src/tests/ro_data/signing_certs/produced/chain_certs/27.pem
src/tests/ro_data/signing_certs/produced/chain_certs/28.pem
src/tests/ro_data/signing_certs/produced/chain_certs/29.pem
src/tests/ro_data/signing_certs/produced/chain_certs/ch1.1_ta3_cert.pem
src/tests/ro_data/signing_certs/produced/chain_certs/ch1.1_ta4_cert.pem
src/tests/ro_data/signing_certs/produced/chain_certs/ch1.2_ta3_cert.pem
src/tests/ro_data/signing_certs/produced/chain_certs/ch1.3_ta3_cert.pem
src/tests/ro_data/signing_certs/produced/chain_certs/ch1.4_ta3_cert.pem
src/tests/ro_data/signing_certs/produced/chain_certs/ch1_ta1_cert.pem
src/tests/ro_data/signing_certs/produced/chain_certs/ch1_ta3_cert.pem
src/tests/ro_data/signing_certs/produced/chain_certs/ch1_ta4_cert.pem
src/tests/ro_data/signing_certs/produced/chain_certs/ch1_ta5_cert.pem
src/tests/ro_data/signing_certs/produced/chain_certs/ch2_ta1_cert.pem
src/tests/ro_data/signing_certs/produced/chain_certs/ch3_ta1_cert.pem
src/tests/ro_data/signing_certs/produced/chain_certs/ch4.3_ta1_cert.pem
src/tests/ro_data/signing_certs/produced/chain_certs/ch4_ta1_cert.pem
src/tests/ro_data/signing_certs/produced/chain_certs/ch5.1_ta1_cert.pem
src/tests/ro_data/signing_certs/produced/chain_certs/ch5.2_ta1_cert.pem
src/tests/ro_data/signing_certs/produced/chain_certs/ch5.3_ta1_cert.pem
src/tests/ro_data/signing_certs/produced/chain_certs/ch5_ta1_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/06.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/07.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/09.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/0B.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/0E.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/0F.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/11.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/12.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/13.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/14.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/15.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/16.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/17.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/18.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/19.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/1A.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/1B.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/1C.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/1D.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/1E.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/1F.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/20.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/21.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/22.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/23.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/24.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/25.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/26.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/27.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/28.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/29.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/2A.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/2B.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/2C.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/2D.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/2E.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/2F.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/30.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs1_ch1.1_ta3_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs1_ch1.1_ta4_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs1_ch1.2_ta3_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs1_ch1.3_ta3_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs1_ch1.4_ta3_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs1_ch1_ta3_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs1_ch1_ta4_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs1_ch1_ta5_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs1_ch5.1_ta1_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs1_ch5.2_ta1_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs1_ch5.3_ta1_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs1_ch5_ta1_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs1_cs8_ch1_ta3_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs1_ta10_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs1_ta11_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs1_ta2_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs1_ta6_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs1_ta7_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs1_ta8_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs1_ta9_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs2_ch1_ta3_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs2_ch1_ta4_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs2_ch5_ta1_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs3_ch1_ta3_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs3_ch1_ta4_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs4_ch1_ta3_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs5_ch1_ta3_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs6_ch1_ta3_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs7_ch1_ta3_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs8_ch1_ta3_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cs9_ch1_ta3_cert.pem
src/tests/ro_data/signing_certs/produced/code_signing_certs/cust_cert.pem
src/tests/ro_data/signing_certs/produced/combined_cas.pem
src/tests/ro_data/signing_certs/produced/crl/ch1.1_ta4_crl.pem
src/tests/ro_data/signing_certs/produced/crl/ch1_ta4_crl.pem
src/tests/ro_data/signing_certs/produced/crl/ch5_ta1_crl.pem
src/tests/ro_data/signing_certs/produced/crl/ta5_crl.pem
src/tests/ro_data/signing_certs/produced/index
src/tests/ro_data/signing_certs/produced/keys/ch1.1_ta3_key.pem
src/tests/ro_data/signing_certs/produced/keys/ch1.1_ta4_key.pem
src/tests/ro_data/signing_certs/produced/keys/ch1.2_ta3_key.pem
src/tests/ro_data/signing_certs/produced/keys/ch1.3_ta3_key.pem
src/tests/ro_data/signing_certs/produced/keys/ch1.4_ta3_key.pem
src/tests/ro_data/signing_certs/produced/keys/ch1_ta1_key.pem
src/tests/ro_data/signing_certs/produced/keys/ch1_ta3_key.pem
src/tests/ro_data/signing_certs/produced/keys/ch1_ta4_key.pem
src/tests/ro_data/signing_certs/produced/keys/ch1_ta5_key.pem
src/tests/ro_data/signing_certs/produced/keys/ch2_ta1_key.pem
src/tests/ro_data/signing_certs/produced/keys/ch3_ta1_key.pem
src/tests/ro_data/signing_certs/produced/keys/ch4.3_ta1_key.pem
src/tests/ro_data/signing_certs/produced/keys/ch4_ta1_key.pem
src/tests/ro_data/signing_certs/produced/keys/ch5.1_ta1_key.pem
src/tests/ro_data/signing_certs/produced/keys/ch5.2_ta1_key.pem
src/tests/ro_data/signing_certs/produced/keys/ch5.3_ta1_key.pem
src/tests/ro_data/signing_certs/produced/keys/ch5_ta1_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_ch1.1_ta3_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_ch1.1_ta4_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_ch1.2_ta3_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_ch1.3_ta3_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_ch1.4_ta3_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_ch1_ta3_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_ch1_ta4_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_ch1_ta5_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_ch5.1_ta1_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_ch5.2_ta1_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_ch5.3_ta1_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_ch5_ta1_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_cs8_ch1_ta3_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_ta10_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_ta11_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_ta2_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_ta6_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_ta7_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_ta7_reqpass_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_ta8_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs1_ta9_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs2_ch1_ta3_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs2_ch1_ta4_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs2_ch5_ta1_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs3_ch1_ta3_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs3_ch1_ta4_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs4_ch1_ta3_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs5_ch1_ta3_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs6_ch1_ta3_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs7_ch1_ta3_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs8_ch1_ta3_key.pem
src/tests/ro_data/signing_certs/produced/keys/cs9_ch1_ta3_key.pem
src/tests/ro_data/signing_certs/produced/keys/cust_key.pem
src/tests/ro_data/signing_certs/produced/keys/ta10_key.pem
src/tests/ro_data/signing_certs/produced/keys/ta11_key.pem
src/tests/ro_data/signing_certs/produced/keys/ta1_key.pem
src/tests/ro_data/signing_certs/produced/keys/ta2_key.pem
src/tests/ro_data/signing_certs/produced/keys/ta3_key.pem
src/tests/ro_data/signing_certs/produced/keys/ta4_key.pem
src/tests/ro_data/signing_certs/produced/keys/ta5_key.pem
src/tests/ro_data/signing_certs/produced/keys/ta6_key.pem
src/tests/ro_data/signing_certs/produced/keys/ta7_key.pem
src/tests/ro_data/signing_certs/produced/keys/ta8_key.pem
src/tests/ro_data/signing_certs/produced/keys/ta9_key.pem
src/tests/ro_data/signing_certs/produced/serial
src/tests/ro_data/signing_certs/produced/ta1/ta1_cert.pem
src/tests/ro_data/signing_certs/produced/ta10/ta10_cert.pem
src/tests/ro_data/signing_certs/produced/ta11/ta11_cert.pem
src/tests/ro_data/signing_certs/produced/ta2/ta2_cert.pem
src/tests/ro_data/signing_certs/produced/ta3/ta3_cert.pem
src/tests/ro_data/signing_certs/produced/ta4/ta4_cert.pem
src/tests/ro_data/signing_certs/produced/ta5/ta5_cert.pem
src/tests/ro_data/signing_certs/produced/ta6/ta6_cert.pem
src/tests/ro_data/signing_certs/produced/ta7/ta7_cert.pem
src/tests/ro_data/signing_certs/produced/ta8/ta8_cert.pem
src/tests/ro_data/signing_certs/produced/ta9/ta9_cert.pem
src/tests/ro_data/signing_certs/produced/trust_anchors/cust_cert.pem
src/tests/ro_data/signing_certs/produced/trust_anchors/ta10_cert.pem
src/tests/ro_data/signing_certs/produced/trust_anchors/ta11_cert.pem
src/tests/ro_data/signing_certs/produced/trust_anchors/ta1_cert.pem
src/tests/ro_data/signing_certs/produced/trust_anchors/ta2_cert.pem
src/tests/ro_data/signing_certs/produced/trust_anchors/ta3_cert.pem
src/tests/ro_data/signing_certs/produced/trust_anchors/ta4_cert.pem
src/tests/ro_data/signing_certs/produced/trust_anchors/ta5_cert.pem
src/tests/ro_data/signing_certs/produced/trust_anchors/ta6_cert.pem
src/tests/ro_data/signing_certs/produced/trust_anchors/ta7_cert.pem
src/tests/ro_data/signing_certs/produced/trust_anchors/ta8_cert.pem
src/tests/ro_data/signing_certs/produced/trust_anchors/ta9_cert.pem
src/tests/run.py
src/util/mkcert/Makefile
src/util/mkcert/mkcert.c
--- a/.hgignore	Tue Mar 08 11:12:06 2016 -0800
+++ b/.hgignore	Wed Mar 09 11:27:23 2016 -0800
@@ -42,4 +42,5 @@
 ^src/zoneproxy/zoneproxy-adm/zoneproxy-adm$
 ^src/zoneproxy/zoneproxy-client/zoneproxy-client$
 ^src/zoneproxy/zoneproxyd/zoneproxyd$
+^src/util/mkcert/certgen$
 ^webrev
--- a/src/Makefile	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/Makefile	Wed Mar 09 11:27:23 2016 -0800
@@ -20,7 +20,7 @@
 #
 
 #
-# Copyright (c) 2007, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2007, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 
 PYTHON27 = /usr/bin/python2.7
@@ -50,7 +50,7 @@
 
 PEP8 = /usr/bin/pep8
 
-SUBDIRS=zoneproxy
+SUBDIRS=zoneproxy util/mkcert
 
 all: $(SUBDIRS)
 	$(PYTHON27) setup.py build
--- a/src/modules/actions/signature.py	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/modules/actions/signature.py	Wed Mar 09 11:27:23 2016 -0800
@@ -21,19 +21,24 @@
 #
 
 #
-# Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 
+import hashlib
 import os
 import shutil
 import tempfile
 
+from cryptography.exceptions import InvalidSignature
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization, hashes
+from cryptography.hazmat.primitives.asymmetric import padding
+
 import generic
 import pkg.actions
 import pkg.client.api_errors as apx
 import pkg.digest as digest
 import pkg.misc as misc
-import M2Crypto as m2
 
 valid_hash_algs = ("sha256", "sha384", "sha512")
 valid_sig_algs = ("rsa",)
@@ -171,6 +176,14 @@
                         for attr in digest.DEFAULT_CHAIN_CHASH_ATTRS:
                                 self.attrs[attr] = " ".join(chain_chshes[attr])
 
+        def __get_hash_by_name(self, name):
+                """Get the cryptopgraphy Hash() class based on the OpenSSL
+                algorithm name."""
+
+                for h in hashes.HashAlgorithm._abc_registry:
+                        if h.name == name:
+                                return h
+
         def get_size(self):
                 res = generic.Action.get_size(self)
                 for s in self.attrs.get("chain.sizes", "").split():
@@ -418,11 +431,10 @@
                 # of the actions, not a signed value.
                 if self.hash is None:
                         assert self.sig_alg is None
-                        dgst = m2.EVP.MessageDigest(self.hash_alg)
-                        res = dgst.update(self.actions_to_str(acts, ver))
-                        assert res == 1, \
-                            "Res was expected to be 1, but was {0}".format(res)
-                        computed_hash = dgst.final()
+                        h = hashlib.new(self.hash_alg)
+                        h.update(misc.force_bytes(self.actions_to_str(
+                            acts, ver)))
+                        computed_hash = h.digest()
                         # The attrs value is stored in hex so that it's easy
                         # to read.
                         if misc.hex_to_binary(self.attrs["value"]) != \
@@ -456,15 +468,19 @@
                         e.act = self
                         raise
                 # Check that the certificate verifies against this signature.
-                pub_key = cert.get_pubkey(md=self.hash_alg)
-                pub_key.verify_init()
-                pub_key.verify_update(self.actions_to_str(acts, ver))
-                res = pub_key.verify_final(
-                    misc.hex_to_binary(self.attrs["value"]))
-                if not res:
+                pub_key = cert.public_key()
+                hhash = self.__get_hash_by_name(self.hash_alg)
+                verifier = pub_key.verifier(
+                    misc.hex_to_binary(self.attrs["value"]), padding.PKCS1v15(),
+                    hhash())
+                verifier.update(self.actions_to_str(acts, ver))
+                try:
+                        verifier.verify()
+                except InvalidSignature:
                         raise apx.UnverifiedSignature(self,
                             _("The signature value did not match the expected "
-                            "value. Res: {0}").format(res))
+                            "value."))
+
                 return True
 
         def set_signature(self, acts, key_path=None, chain_paths=misc.EmptyI,
@@ -495,13 +511,10 @@
                         # If no private key is set, then no certificate should
                         # have been given.
                         assert self.data is None
-                        dgst = m2.EVP.MessageDigest(self.hash_alg)
-                        res = dgst.update(self.actions_to_str(acts,
-                            generic.Action.sig_version))
-                        assert res == 1, \
-                            "Res was expected to be 1, it was {0}".format(res)
-                        self.attrs["value"] = \
-                            misc.binary_to_hex(dgst.final())
+                        h = hashlib.new(self.hash_alg)
+                        h.update(misc.force_bytes(self.actions_to_str(acts,
+                            generic.Action.sig_version)))
+                        self.attrs["value"] = h.hexdigest()
                 else:
                         # If a private key is used, then the certificate it's
                         # paired with must be provided.
@@ -509,20 +522,21 @@
                         self.__set_chain_certs_data(chain_paths, chash_dir)
 
                         try:
-                                priv_key = m2.RSA.load_key(key_path)
-                        except m2.RSA.RSAError:
+                                with open(key_path, "rb") as f:
+                                        priv_key = serialization.load_pem_private_key(
+                                            f.read(), password=None,
+                                            backend=default_backend())
+                        except ValueError:
                                 raise apx.BadFileFormat(_("{0} was expected to "
                                     "be a RSA key but could not be read "
                                     "correctly.").format(key_path))
-                        signer = m2.EVP.PKey(md=self.hash_alg)
-                        signer.assign_rsa(priv_key, 1)
-                        del priv_key
-                        signer.sign_init()
-                        signer.sign_update(self.actions_to_str(acts,
-                            generic.Action.sig_version))
 
+                        hhash = self.__get_hash_by_name(self.hash_alg)
+                        signer = priv_key.signer(padding.PKCS1v15(), hhash())
+                        signer.update(misc.force_bytes(self.actions_to_str(acts,
+                            generic.Action.sig_version)))
                         self.attrs["value"] = \
-                            misc.binary_to_hex(signer.sign_final())
+                            misc.binary_to_hex(signer.finalize())
 
         def generate_indices(self):
                 """Generates the indices needed by the search dictionary.  See
--- a/src/modules/client/api_errors.py	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/modules/client/api_errors.py	Wed Mar 09 11:27:23 2016 -0800
@@ -21,7 +21,7 @@
 #
 
 #
-# Copyright (c) 2008, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2008, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 
 import errno
@@ -2299,8 +2299,10 @@
                         "\n".join([str(e) for e in self.ext_exs])
                 return _("The certificate which issued this "
                     "certificate: {subj} could not be found. The issuer "
-                    "is: {issuer}\n").format(subj=self.cert.get_subject(),
-                    issuer=self.cert.get_issuer()) + s + \
+                    "is: {issuer}\n").format(subj="/".join("{0}={1}".format(
+                    sub.oid._name, sub.value) for sub in self.cert.subject),
+                    issuer="/".join("{0}={1}".format(i.oid._name, i.value)
+                    for i in self.cert.issuer)) + s + "\n" + \
                     CertificateException.__str__(self)
 
 
@@ -2314,7 +2316,8 @@
 
         def __str__(self):
                 return _("This certificate was revoked:{cert} for this "
-                    "reason:\n{reason}").format(cert=self.cert.get_subject(),
+                    "reason:\n{reason}\n").format(cert="/".join("{0}={1}".format(
+                    s.oid._name, s.value) for s in self.cert.subject),
                     reason=self.reason) + CertificateException.__str__(self)
 
 
@@ -2385,7 +2388,7 @@
 
 class UnsupportedCriticalExtension(SigningException):
         """Exception used when a certificate in the chain of trust uses a
-        critical extension pkg5 doesn't understand."""
+        critical extension pkg doesn't understand."""
 
         def __init__(self, cert, ext):
                 SigningException.__init__(self)
@@ -2394,31 +2397,50 @@
 
         def __str__(self):
                 return _("The certificate whose subject is {cert} could not "
-                    "be verified "
-                    "because it uses a critical extension that pkg5 cannot "
-                    "handle yet.\nExtension name:{name}\nExtension "
-                    "value:{val}").format(cert=self.cert.get_subject(),
-                    name=self.ext.get_name(), val=self.ext.get_value())
+                    "be verified because it uses an unsupported critical "
+                    "extension.\nExtension name: {name}\nExtension "
+                    "value: {val}").format(cert="/".join("{0}={1}".format(
+                    s.oid._name, s.value) for s in self.cert.subject),
+                    name=self.ext.oid._name, val=self.ext.value)
 
 class UnsupportedExtensionValue(SigningException):
         """Exception used when a certificate in the chain of trust has an
-        extension with a value pkg5 doesn't understand."""
-
-        def __init__(self, cert, ext, bad_val=None):
+        extension with a value pkg doesn't understand."""
+
+        def __init__(self, cert, ext, val, bad_val=None):
                 SigningException.__init__(self)
                 self.cert = cert
                 self.ext = ext
+                self.val = val
                 self.bad_val = bad_val
 
         def __str__(self):
                 s = _("The certificate whose subject is {cert} could not be "
                     "verified because it has an extension with a value that "
                     "pkg(5) does not understand."
-                    "\nExtension name:{name}\nExtension value:{val}").format(
-                    cert=self.cert.get_subject(),
-                    name=self.ext.get_name(), val=self.ext.get_value())
+                    "\nExtension name: {name}\nExtension value: {val}").format(
+                    cert="/".join("{0}={1}".format(
+                    s.oid._name, s.value) for s in self.cert.subject),
+                    name=self.ext.oid._name, val=self.val)
                 if self.bad_val:
-                        s += _("\nProblematic Value:{0}").format(self.bad_val)
+                        s += _("\nProblematic value: {0}").format(self.bad_val)
+                return s
+
+class InvalidCertificateExtensions(SigningException):
+        """Exception used when a certificate in the chain of trust has
+        invalid extensions."""
+
+        def __init__(self, cert, error):
+                SigningException.__init__(self)
+                self.cert = cert
+                self.error = error
+
+        def __str__(self):
+                s = _("The certificate whose subject is {cert} could not be "
+                    "verified because it has invalid extensions:\n{error}"
+                    ).format(cert="/".join("{0}={1}".format(
+                    s.oid._name, s.value) for s in self.cert.subject),
+                    error=self.error)
                 return s
 
 class InappropriateCertificateUse(SigningException):
@@ -2427,20 +2449,22 @@
         supposed to be used to sign code being used to sign other certificates.
         """
 
-        def __init__(self, cert, ext, use):
+        def __init__(self, cert, ext, use, val):
                 SigningException.__init__(self)
                 self.cert = cert
                 self.ext = ext
                 self.use = use
+                self.val = val
 
         def __str__(self):
                 return _("The certificate whose subject is {cert} could not "
                     "be verified because it has been used inappropriately.  "
                     "The way it is used means that the value for extension "
                     "{name} must include '{use}' but the value was "
-                    "'{val}'.").format(cert=self.cert.get_subject(),
-                    use=self.use, name=self.ext.get_name(),
-                    val=self.ext.get_value())
+                    "'{val}'.").format(cert="/".join("{0}={1}".format(
+                    s.oid._name, s.value) for s in self.cert.subject),
+                    use=self.use, name=self.ext.oid._name,
+                    val=self.val)
 
 class PathlenTooShort(InappropriateCertificateUse):
         """Exception used when a certificate in the chain of trust has been used
@@ -2461,7 +2485,8 @@
                     "certificate and the leaf certificate.  There are {al} "
                     "certificates between this certificate and the leaf in "
                     "this chain.").format(
-                        cert=self.cert.get_subject(),
+                        cert="/".join("{0}={1}".format(
+                        s.oid._name, s.value) for s in self.cert.subject),
                         al=self.al,
                         cl=self.cl
                    )
--- a/src/modules/client/image.py	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/modules/client/image.py	Wed Mar 09 11:27:23 2016 -0800
@@ -24,7 +24,6 @@
 # Copyright (c) 2007, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 
-import M2Crypto as m2
 import atexit
 import calendar
 import collections
@@ -43,6 +42,8 @@
 import time
 
 from contextlib import contextmanager
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
 from six.moves.urllib.parse import quote, unquote
 
 import pkg.actions
@@ -340,16 +341,19 @@
                                 if os.path.islink(pth):
                                         continue
                                 try:
-                                        trusted_ca = m2.X509.load_cert(pth)
-                                except m2.X509.X509Error as e:
+                                        with open(pth, "rb") as f:
+                                                raw = f.read()
+                                        trusted_ca = \
+                                            x509.load_pem_x509_certificate(
+                                            raw, default_backend())
+                                except (ValueError, IOError) as e:
                                         self.__bad_trust_anchors.append(
                                             (pth, str(e)))
                                 else:
-                                        # M2Crypto's subject hash doesn't match
-                                        # openssl's subject hash so recompute it
-                                        # so all hashes are in the same
-                                        # universe.
-                                        s = trusted_ca.get_subject().as_hash()
+                                        # We store certificates internally by
+                                        # the SHA-1 hash of its subject.
+                                        s = hashlib.sha1(misc.force_bytes(
+                                            trusted_ca.subject)).hexdigest()
                                         self.__trust_anchors.setdefault(s, [])
                                         self.__trust_anchors[s].append(
                                             trusted_ca)
--- a/src/modules/client/publisher.py	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/modules/client/publisher.py	Wed Mar 09 11:27:23 2016 -0800
@@ -49,6 +49,10 @@
 import time
 import uuid
 
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import padding
 from six.moves.urllib.parse import quote, urlsplit, urlparse, urlunparse, \
     ParseResult
 from six.moves.urllib.request import url2pathname
@@ -61,7 +65,6 @@
 import pkg.misc as misc
 import pkg.portable as portable
 import pkg.server.catalog as old_catalog
-import M2Crypto as m2
 
 from pkg.client import global_settings
 from pkg.client.debugvalues import DebugValues
@@ -101,24 +104,37 @@
     URI_SORT_PRIORITY: lambda obj: (obj.priority, obj.uri),
 }
 
-# This dictionary records the recognized values of extensions.
+# The strings in the value field refer to the boolean properties of the
+# Cryptography extension classes. If a property has a value True set, it means
+# this property is added as an extension value in the certificate generation,
+# and vice versa.
+EXTENSIONS_VALUES = {
+    x509.BasicConstraints: ["ca", "path_length"],
+    x509.KeyUsage: ["digital_signature", "content_commitment",
+    "key_encipherment", "data_encipherment", "key_agreement", "key_cert_sign",
+    "crl_sign", "encipher_only", "decipher_only"]
+}
+
+# Only listed extension values (properties) here can have a value True set in a
+# certificate extension; any other properties with a value True set will be
+# treated as unsupported.
 SUPPORTED_EXTENSION_VALUES = {
-    "basicConstraints": ("CA:TRUE", "CA:FALSE", "PATHLEN:"),
-    "keyUsage": ("DIGITAL SIGNATURE", "CERTIFICATE SIGN", "CRL SIGN")
+    x509.BasicConstraints: ("ca", "path_length"),
+    x509.KeyUsage: ("digital_signature", "key_cert_sign", "crl_sign")
 }
 
 # These dictionaries map uses into their extensions.
 CODE_SIGNING_USE = {
-    "keyUsage": ["DIGITAL SIGNATURE"]
+    x509.KeyUsage: ["digital_signature"],
 }
 
 CERT_SIGNING_USE = {
-    "basicConstraints": ["CA:TRUE"],
-    "keyUsage": ["CERTIFICATE SIGN"]
+    x509.BasicConstraints: ["ca"],
+    x509.KeyUsage: ["key_cert_sign"],
 }
 
 CRL_SIGNING_USE = {
-    "keyUsage": ["CRL SIGN"]
+    x509.KeyUsage: ["crl_sign"],
 }
 
 POSSIBLE_USES = [CODE_SIGNING_USE, CERT_SIGNING_USE, CRL_SIGNING_USE]
@@ -2444,15 +2460,17 @@
         def __hash_cert(c):
                 # In order to interoperate with older images, we must use SHA-1
                 # here.
-                return hashlib.sha1(c.as_pem()).hexdigest()
+                return hashlib.sha1(
+                    c.public_bytes(serialization.Encoding.PEM)).hexdigest()
 
         @staticmethod
         def __string_to_cert(s, pkg_hash=None):
                 """Convert a string to a X509 cert."""
 
                 try:
-                        return m2.X509.load_cert_string(s)
-                except m2.X509.X509Error as e:
+                        return x509.load_pem_x509_certificate(
+                            misc.force_bytes(s), default_backend())
+                except ValueError:
                         if pkg_hash is not None:
                                 raise api_errors.BadFileFormat(_("The file "
                                     "with hash {0} was expected to be a PEM "
@@ -2473,14 +2491,20 @@
                 file_problem = False
                 try:
                         with open(pkg_hash_pth, "wb") as fh:
-                                fh.write(cert.as_pem())
+                                fh.write(cert.public_bytes(
+                                    serialization.Encoding.PEM))
                 except EnvironmentError as e:
+                        if e.errno == errno.EACCES:
+                                raise api_errors.PermissionsException(
+                                    e.filename)
                         file_problem = True
 
                 # Note that while we store certs by their subject hashes,
-                # M2Crypto's subject hashes differ from what openssl reports
-                # the subject hash to be.
-                subj_hsh = cert.get_subject().as_hash()
+                # we use our own hashing since cryptography has no interface
+                # for the subject hash and other crypto frameworks have been
+                # inconsistent with OpenSSL.
+                subj_hsh = hashlib.sha1(misc.force_bytes(
+                    cert.subject)).hexdigest()
                 c = 0
                 made_link = False
                 while not made_link:
@@ -2544,21 +2568,59 @@
                                     pth)
                 return c
 
+        def __rebuild_subj_root(self):
+                """Rebuild subject hash metadata."""
+
+                # clean up the old subject hash files to prevent
+                # junk files residing in the directory
+                try:
+                        shutil.rmtree(self.__subj_root)
+                except EnvironmentError:
+                        # if unprivileged user, we can't add
+                        # certs to it
+                        pass
+                else:
+                        for p in os.listdir(self.cert_root):
+                                path = os.path.join(self.cert_root, p)
+                                if not os.path.isfile(path):
+                                        continue
+                                with open(path, "rb") as fh:
+                                        s = fh.read()
+                                cert = self.__string_to_cert(s)
+                                self.__add_cert(cert)
+
         def __get_certs_by_name(self, name):
-                """Given 'name', a M2Crypto X509_Name, return the certs with
-                that name as a subject."""
+                """Given 'name', a Cryptograhy 'Name' object, return the certs
+                with that name as a subject."""
 
                 res = []
-                c = 0
-                name_hsh = name.as_hash()
+                count = 0
+                name_hsh = hashlib.sha1(misc.force_bytes(name)).hexdigest()
+
+                def load_cert(pth):
+                        with open(pth, "rb") as f:
+                                return x509.load_pem_x509_certificate(
+                                    f.read(), default_backend())
+
                 try:
                         while True:
                                 pth = os.path.join(self.__subj_root,
-                                    "{0}.{1}".format(name_hsh, c))
-                                cert = m2.X509.load_cert(pth)
-                                res.append(cert)
-                                c += 1
+                                    "{0}.{1}".format(name_hsh, count))
+                                res.append(load_cert(pth))
+                                count += 1
                 except EnvironmentError as e:
+                        # When switching to a different hash algorithm, the hash
+                        # name of file changes so that we couldn't find the
+                        # file. We try harder to rebuild the subject's metadata
+                        # if it's the first time we fail (count == 0).
+                        if count == 0 and e.errno == errno.ENOENT:
+                                self.__rebuild_subj_root()
+                                try:
+                                        res.append(load_cert(pth))
+                                except EnvironmentError as e:
+                                        if e.errno != errno.ENOENT:
+                                                raise
+
                         t = api_errors._convert_error(e,
                             [errno.ENOENT])
                         if t:
@@ -2578,7 +2640,8 @@
                 # have or have not been approved.
                 for h in set(self.approved_ca_certs):
                         c = self.get_cert_by_hash(h, verify_hash=True)
-                        s = c.get_subject().as_hash()
+                        s = hashlib.sha1(misc.force_bytes(
+                            c.subject)).hexdigest()
                         self.ca_dict.setdefault(s, [])
                         self.ca_dict[s].append(c)
                 return self.ca_dict
@@ -2652,13 +2715,16 @@
                 """CRLs seem to frequently come in DER format, so try reading
                 the CRL using both of the formats before giving up."""
 
+                with open(pth, "rb") as f:
+                        raw = f.read()
+
                 try:
-                        return m2.X509.load_crl(pth)
-                except m2.X509.X509Error:
+                        return x509.load_pem_x509_crl(raw, default_backend())
+                except ValueError:
                         try:
-                                return m2.X509.load_crl(pth,
-                                    format=m2.X509.FORMAT_DER)
-                        except m2.X509.X509Error:
+                                return x509.load_der_x509_crl(raw,
+                                    default_backend())
+                        except ValueError:
                                 raise api_errors.BadFileFormat(_("The CRL file "
                                     "{0} is not in a recognized "
                                     "format.").format(pth))
@@ -2703,14 +2769,9 @@
                         except EnvironmentError:
                                 pass
                         else:
-                                nu = crl.get_next_update().get_datetime()
-                                # get_datetime is supposed to return a UTC time,
-                                # so assert that's the case.
-                                assert nu.tzinfo.utcoffset(nu) == \
-                                    dt.timedelta(0)
-                                # Add timezone info to cur_time so that cur_time
-                                # and nu can be compared.
-                                cur_time = dt.datetime.now(nu.tzinfo)
+                                nu = crl.next_update
+                                cur_time = dt.datetime.utcnow()
+
                                 if cur_time < nu:
                                         self.__tmp_crls[uri] = crl
                                         return crl
@@ -2765,23 +2826,41 @@
                                 pass
                 return ncrl
 
-        def __check_crls(self, cert, ca_dict):
-                """Determines whether the certificate has been revoked by its
-                CRL.
+
+        def __verify_x509_signature(self, c, key):
+                """Verify the signature of a certificate or CRL 'c' against a
+                provided public key 'key'."""
+
+                verifier = key.verifier(
+                    c.signature, padding.PKCS1v15(),
+                    c.signature_hash_algorithm)
+
+                if isinstance(c, x509.Certificate):
+                        data = c.tbs_certificate_bytes
+                elif isinstance(c, x509.CertificateRevocationList):
+                        data = c.tbs_certlist_bytes
+                else:
+                        raise AssertionError("Invalid x509 object for "
+                            "signature verification: {0}".format(type(c)))
+
+                verifier.update(data)
+                try:
+                        verifier.verify()
+                        return True
+                except Exception:
+                        return False
+
+        def __check_crl(self, cert, ca_dict, crl_uri):
+                """Determines whether the certificate has been revoked by the
+                CRL located at 'crl_uri'.
 
                 The 'cert' parameter is the certificate to check for revocation.
 
                 The 'ca_dict' is a dictionary which maps subject hashes to
                 certs treated as trust anchors."""
 
-                # If the certificate doesn't have a CRL location listed, treat
-                # it as valid.
-                try:
-                        ext = cert.get_ext("crlDistributionPoints")
-                except LookupError as e:
-                        return True
-                uri = ext.get_value()
-                crl = self.__get_crl(uri)
+                crl = self.__get_crl(crl_uri)
+
                 # If we couldn't retrieve a CRL from the distribution point
                 # and no CRL is cached on disk, assume the cert has not been
                 # revoked.  It's possible that this should be an image or
@@ -2792,11 +2871,13 @@
                 # A CRL has been found, now it needs to be validated like
                 # a certificate is.
                 verified_crl = False
-                crl_issuer = crl.get_issuer()
-                tas = ca_dict.get(crl_issuer.as_hash(), [])
+                crl_issuer = crl.issuer
+                tas = ca_dict.get(hashlib.sha1(misc.force_bytes(
+                    crl_issuer)).hexdigest(), [])
                 for t in tas:
                         try:
-                                if crl.verify(t.get_pubkey()):
+                                if self.__verify_x509_signature(crl,
+                                    t.public_key()):
                                         # If t isn't approved for signing crls,
                                         # the exception __check_extensions
                                         # raises will take the code to the
@@ -2809,7 +2890,8 @@
                 if not verified_crl:
                         crl_cas = self.__get_certs_by_name(crl_issuer)
                         for c in crl_cas:
-                                if crl.verify(c.get_pubkey()):
+                                if self.__verify_x509_signature(crl,
+                                    c.public_key()):
                                         try:
                                                 self.verify_chain(c, ca_dict, 0,
                                                     True,
@@ -2821,11 +2903,69 @@
                                                 break
                 if not verified_crl:
                         return True
+
                 # For a certificate to be revoked, its CRL must be validated
                 # and revoked the certificate.
-                rev = crl.is_revoked(cert)
-                if rev:
-                        raise api_errors.RevokedCertificate(cert, rev[1])
+
+                assert crl.issuer == cert.issuer
+                for rev in crl:
+                        if rev.serial_number != cert.serial:
+                                continue
+                        try:
+                                reason = rev.extensions.get_extension_for_oid(
+                                    x509.OID_CRL_REASON).value
+                        except x509.ExtensionNotFound:
+                                reason = None
+                        raise api_errors.RevokedCertificate(cert, reason)
+
+        def __check_crls(self, cert, ca_dict):
+                """Determines whether the certificate has been revoked by one of
+                its CRLs.
+
+                The 'cert' parameter is the certificate to check for revocation.
+
+                The 'ca_dict' is a dictionary which maps subject hashes to
+                certs treated as trust anchors."""
+
+                # If the certificate doesn't have a CRL location listed, treat
+                # it as valid.
+
+                # The CRLs to be retrieved are stored in the
+                # CRLDistributionPoints extensions which is structured like
+                # this:
+                #
+                # CRLDitsributionPoints = [
+                #     CRLDistributionPoint = [
+                #         union  {
+                #             full_name     = [ GeneralName, ... ]
+                #             relative_name = [ GeneralName, ... ]
+                #         }, ... ]
+                #     , ... ]
+                # 
+                # Relative names are a feature in X509 certs which allow to
+                # specify a location relative to another certificate. We are not
+                # supporting this and I'm not sure anybody is using this for
+                # CRLs.
+                # Full names are absolute locations but can be in different
+                # formats (refer to RFC5280) but in general only the URI type is
+                # used for CRLs. So this is the only thing we support here.
+
+                try:
+                        dps = cert.extensions.get_extension_for_oid(
+                            x509.oid.ExtensionOID.CRL_DISTRIBUTION_POINTS).value
+                except x509.ExtensionNotFound:
+                        return
+
+                for dp in dps:
+                        if not dp.full_name:
+                                # we don't support relative names
+                                continue
+                        for uri in dp.full_name:
+                                if not isinstance(uri,
+                                    x509.UniformResourceIdentifier):
+                                        # we only support URIs
+                                        continue
+                                self.__check_crl(cert, ca_dict, str(uri.value))
 
         def __check_revocation(self, cert, ca_dict, use_crls):
                 hsh = self.__hash_cert(cert)
@@ -2839,51 +2979,67 @@
                 """Check whether the critical extensions in this certificate
                 are supported and allow the provided use(s)."""
 
+                try:
+                        exts = cert.extensions
+                except (ValueError, x509.UnsupportedExtension) as e:
+                        raise api_errors.InvalidCertificateExtensions(
+                            cert, e)
+
                 def check_values(vs):
                         for v in vs:
                                 if v in supported_vs:
                                         continue
-                                if v.startswith("PATHLEN:") and \
-                                    "PATHLEN:" in supported_vs:
-                                        try:
-                                                cert_pathlen = int(v[len("PATHLEN:"):])
-                                        except ValueError as e:
-                                                raise api_errors.UnsupportedExtensionValue(cert, ext, v)
-                                        if cur_pathlen > cert_pathlen:
-                                                raise api_errors.PathlenTooShort(cert, cur_pathlen, cert_pathlen)
-                                        continue
+                                # If there is only one extension value, it must
+                                # be the problematic one. Otherwise, we also
+                                # output the first unsupported value as the
+                                # problematic value following extension value.
                                 if len(vs) < 2:
-                                        raise api_errors.UnsupportedExtensionValue(cert, ext)
-                                else:
-                                        raise api_errors.UnsupportedExtensionValue(cert, ext, v)
-
-
-                for i in range(0, cert.get_ext_count()):
-                        ext = cert.get_ext_at(i)
-                        name = ext.get_name()
-                        if name == "UNDEF":
-                                continue
-                        v = ext.get_value().upper()
-                        # Check whether the extension name is recognized.
-                        if name in SUPPORTED_EXTENSION_VALUES:
-                                supported_vs = \
-                                    SUPPORTED_EXTENSION_VALUES[name]
-                                vs = [s.strip() for s in v.split(",")]
+                                        raise api_errors.UnsupportedExtensionValue(
+                                            cert, ext, ", ".join(vs))
+                                raise api_errors.UnsupportedExtensionValue(
+                                    cert, ext, ", ".join(vs), v)
+
+                for ext in exts:
+                        etype = type(ext.value)
+                        if etype in SUPPORTED_EXTENSION_VALUES:
+                                supported_vs = SUPPORTED_EXTENSION_VALUES[etype]
+                                keys = EXTENSIONS_VALUES[etype]
+                                if etype == x509.BasicConstraints:
+                                        pathlen = ext.value.path_length
+                                        if pathlen is not None and \
+                                            cur_pathlen > pathlen:
+                                                raise api_errors.PathlenTooShort(cert,
+                                                    cur_pathlen, pathlen)
+                                elif etype == x509.KeyUsage:
+                                        keys = list(EXTENSIONS_VALUES[etype])
+                                        if not getattr(ext.value,
+                                            "key_agreement"):
+                                                # Cryptography error:
+                                                # encipher_only/decipher_only is
+                                                # undefined unless key_agreement
+                                                # is true
+                                                keys.remove("encipher_only")
+                                                keys.remove("decipher_only")
+                                vs = [
+                                    key
+                                    for key in keys
+                                    if getattr(ext.value, key)
+                                ]
                                 # Check whether the values for the extension are
                                 # recognized.
                                 check_values(vs)
-                                uses = usages.get(name, [])
-                                if isinstance(uses, six.string_types):
-                                        uses = [uses]
                                 # For each use, check to see whether it's
                                 # permitted by the certificate's extension
                                 # values.
-                                for u in uses:
+                                if etype not in usages:
+                                        continue
+                                for u in usages[etype]:
                                         if u not in vs:
-                                                raise api_errors.InappropriateCertificateUse(cert, ext, u)
+                                                raise api_errors.InappropriateCertificateUse(
+                                                    cert, ext, u, ", ".join(vs))
                         # If the extension name is unrecognized and critical,
                         # then the chain cannot be verified.
-                        elif ext.get_critical():
+                        elif ext.critical:
                                 raise api_errors.UnsupportedCriticalExtension(
                                     cert, ext)
 
@@ -2930,10 +3086,10 @@
 
                 def discard_names(cert, required_names):
                         for cert_cn in [
-                            str(c.get_data())
+                            str(c.value)
                             for c
-                            in cert.get_subject().get_entries_by_nid(
-                                m2.X509.X509_Name.nid["CN"])
+                            in cert.subject.get_attributes_for_oid(
+                                x509.oid.NameOID.COMMON_NAME)
                         ]:
                                 required_names.discard(cert_cn)
 
@@ -2954,13 +3110,15 @@
                         discard_names(cert, required_names)
 
                         # Find the certificate that issued this certificate.
-                        issuer = cert.get_issuer()
-                        issuer_hash = issuer.as_hash()
+                        issuer = cert.issuer
+                        issuer_hash = hashlib.sha1(misc.force_bytes(
+                            issuer)).hexdigest()
 
                         # See whether this certificate was issued by any of the
                         # given trust anchors.
                         for c in ca_dict.get(issuer_hash, []):
-                                if cert.verify(c.get_pubkey()):
+                                if self.__verify_x509_signature(cert,
+                                    c.public_key()):
                                         verified = True
                                         # Remove any required names found in the
                                         # trust anchor.
@@ -2976,7 +3134,8 @@
                         # identical and the certificate hasn't been verified
                         # then this is an untrusted self-signed cert and should
                         # be rejected.
-                        if cert.get_subject().as_hash() == issuer_hash:
+                        if hashlib.sha1(misc.force_bytes(
+                            cert.subject)).hexdigest() == issuer_hash:
                                 if not verified:
                                         raise \
                                             api_errors.UntrustedSelfSignedCert(
@@ -3002,8 +3161,9 @@
                                         # next link in the chain.  check_ca
                                         # checks both the basicConstraints
                                         # extension and the keyUsage extension.
-                                        if c.check_ca() and \
-                                            cert.verify(c.get_pubkey()):
+                                        if misc.check_ca(c) and \
+                                            self.__verify_x509_signature(cert,
+                                            c.public_key()):
                                                 problem = False
                                                 # Check whether this certificate
                                                 # has a critical extension we
--- a/src/modules/misc.py	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/modules/misc.py	Wed Mar 09 11:27:23 2016 -0800
@@ -2964,3 +2964,23 @@
         # 'path' as relative to 'root', that is, 'root' will be prepended to
         # 'path', so we need to call os.path.relpath here.
         return os.fdopen(ar_open(root, os.path.relpath(path, root), flag, mode))
+
+
+def check_ca(cert):
+        """Check if 'cert' is a proper CA. For this the BasicConstraints need to
+        identify it as a CA cert and it needs to have the CertSign
+        (key_cert_sign in Cryptography) KeyUsage flag. Based loosely on
+        OpenSSL's check_ca()"""
+
+        from cryptography import x509
+
+        bconst_ca = None
+        kuse_sign = None
+
+        for e in cert.extensions:
+                if isinstance(e.value, x509.BasicConstraints):
+                        bconst_ca = e.value.ca
+                elif isinstance(e.value, x509.KeyUsage):
+                        kuse_sign = e.value.key_cert_sign
+
+        return kuse_sign is not False and bconst_ca
--- a/src/modules/server/repository.py	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/modules/server/repository.py	Wed Mar 09 11:27:23 2016 -0800
@@ -19,12 +19,13 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2008, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2008, 2016, Oracle and/or its affiliates. All rights reserved.
 
 import cStringIO
 import codecs
 import datetime
 import errno
+import hashlib
 import logging
 import os
 import os.path
@@ -34,8 +35,9 @@
 import sys
 import tempfile
 import zlib
-import M2Crypto as m2
-
+
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
 from six.moves.urllib.parse import unquote
 
 import pkg.actions as actions
@@ -2439,11 +2441,16 @@
                         pth = os.path.join(trust_anchor_dir, fn)
                         if os.path.islink(pth):
                                 continue
-                        trusted_ca = m2.X509.load_cert(pth)
-                        # M2Crypto's subject hash doesn't match
-                        # openssl's subject hash so recompute it so all
-                        # hashes are in the same universe.
-                        s = trusted_ca.get_subject().as_hash()
+                        with open(pth, "rb") as f:
+                                trusted_ca = x509.load_pem_x509_certificate(
+                                    f.read(), default_backend())
+
+                        # Note that while we store certs by their subject
+                        # hashes, we use our own hashing since cryptography has
+                        # no interface for the subject hash and other crypto
+                        # frameworks have been inconsistent with OpenSSL.
+                        s = hashlib.sha1(misc.force_bytes(
+                            trusted_ca.subject)).hexdigest()
                         trust_anchors.setdefault(s, [])
                         trust_anchors[s].append(trusted_ca)
 
--- a/src/pkg/external_deps.txt	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/pkg/external_deps.txt	Wed Mar 09 11:27:23 2016 -0800
@@ -10,11 +10,11 @@
     pkg:/developer/versioning/mercurial
     pkg:/library/python/cffi-27
     pkg:/library/python/cherrypy-27
+    pkg:/library/python/cryptography-27
     pkg:/library/python/coverage-27
     pkg:/library/python/jsonrpclib-27
     pkg:/library/python/jsonschema-27
     pkg:/library/python/locale-services
-    pkg:/library/python/m2crypto-27
     pkg:/library/python/mako-27
     pkg:/library/python/pep8
     pkg:/library/python/ply-27
--- a/src/pkg/manifests/developer:opensolaris:pkg5.p5m	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/pkg/manifests/developer:opensolaris:pkg5.p5m	Wed Mar 09 11:27:23 2016 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 
 set name=pkg.fmri value=pkg:/developer/opensolaris/[email protected]$(PKGVERS)
@@ -36,8 +36,9 @@
 depend type=require fmri=pkg:/developer/gnome/gnome-doc-utils
 depend type=require fmri=pkg:/developer/python/pylint
 depend type=require fmri=pkg:/developer/versioning/mercurial
-depend type=require fmri=pkg:/library/python/[email protected]
+depend type=require fmri=pkg:/library/python/[email protected]
 depend type=require fmri=pkg:/library/python/coverage-27
+depend type=require fmri=pkg:/library/python/cryptography-27
 depend type=require fmri=pkg:/library/python/jsonrpclib-27
 depend type=require fmri=pkg:/library/python/jsonschema-27
 depend type=require fmri=pkg:/library/python/locale-services
--- a/src/pkg/manifests/package:pkg.p5m	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/pkg/manifests/package:pkg.p5m	Wed Mar 09 11:27:23 2016 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 
 set name=pkg.fmri value=pkg:/package/[email protected]$(PKGVERS)
@@ -487,4 +487,4 @@
     variant.opensolaris.zone=nonglobal
 depend type=require fmri=crypto/ca-certificates
 # CFFI import is done in C code, so it isn't picked up by pkgdepend
-depend type=require fmri=library/python/[email protected]
+depend type=require fmri=library/python/[email protected]
--- a/src/sign.py	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/sign.py	Wed Mar 09 11:27:23 2016 -0800
@@ -21,7 +21,7 @@
 #
 
 #
-# Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 
 import getopt
@@ -33,6 +33,10 @@
 import sys
 import tempfile
 import traceback
+
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
 from imp import reload
 
 import pkg
@@ -47,7 +51,6 @@
 from pkg.client import global_settings
 from pkg.client.debugvalues import DebugValues
 from pkg.misc import emsg, msg, PipeError
-import M2Crypto as m2
 
 PKG_CLIENT_NAME = "pkgsign"
 
@@ -107,14 +110,16 @@
 
 def __make_tmp_cert(d, pth):
         try:
-                cert = m2.X509.load_cert(pth)
-        except m2.X509.X509Error as e:
+                with open(pth, "rb") as f:
+                        cert = x509.load_pem_x509_certificate(f.read(),
+                            default_backend())
+        except (ValueError, IOError) as e:
                 raise api_errors.BadFileFormat(_("The file {0} was expected to "
                     "be a PEM certificate but it could not be read.").format(
                     pth))
         fd, fp = tempfile.mkstemp(dir=d)
         with os.fdopen(fd, "wb") as fh:
-                fh.write(cert.as_pem())
+                fh.write(cert.public_bytes(serialization.Encoding.PEM))
         return fp
 
 def main_func():
--- a/src/tests/certgenerator.py	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/certgenerator.py	Wed Mar 09 11:27:23 2016 -0800
@@ -21,7 +21,7 @@
 #
 
 #
-# Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 
 import os
@@ -435,14 +435,24 @@
 # Used to test a recognized non-critical extension with an unrecognized value.
 
 basicConstraints = critical,CA:FALSE
-keyUsage = encipherOnly
+keyUsage = keyAgreement
 
 [ issuer_ext_bad_val ]
 
 # Used to test a recognized critical extension with an unrecognized value.
+# keyAgreement needs to be set because otherwise Cryptography complains that
+# encipherOnly requires keyAgreement.
 
 basicConstraints = critical,CA:FALSE
-keyUsage = critical, encipherOnly
+keyUsage = critical, encipherOnly, keyAgreement
+
+[ invalid_ext ]
+
+# Used to test an invalid extension. Cryptography complains that enciperOnly
+# requires keyAgreement, so this is an invalid extension.
+
+basicConstraints = critical,CA:FALSE
+keyUsage = encipherOnly
 
 [ crl_ext ]
 
--- a/src/tests/cli/t_pkg_temp_sources.py	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/cli/t_pkg_temp_sources.py	Wed Mar 09 11:27:23 2016 -0800
@@ -21,7 +21,7 @@
 #
 
 #
-# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 
 import testutils
@@ -519,7 +519,7 @@
        Version: 1.0
         Branch: None
 Packaging Date: {signed10_pkg_date}
-          Size: 7.81 kB
+          Size: 10.05 kB
           FMRI: {signed10_pkg_fmri}
 """.format(**{"foo10_pkg_date": pd(self.foo10), "foo10_pkg_fmri": \
         self.foo10.get_fmri(include_build=False),
--- a/src/tests/cli/t_pkgsign.py	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/cli/t_pkgsign.py	Wed Mar 09 11:27:23 2016 -0800
@@ -21,7 +21,7 @@
 #
 
 #
-# Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 
 import testutils
@@ -36,6 +36,10 @@
 import tempfile
 import unittest
 
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
+
 import pkg.actions as action
 import pkg.actions.signature as signature
 import pkg.client.api_errors as apx
@@ -44,7 +48,6 @@
 import pkg.fmri as fmri
 import pkg.misc as misc
 import pkg.portable as portable
-import M2Crypto as m2
 
 from pkg.client.debugvalues import DebugValues
 from pkg.pkggzip import PkgGzipFile
@@ -1287,15 +1290,13 @@
                         i1=os.path.join(self.chain_certs_dir,
                             "ch1_ta3_cert.pem"))
                 self.pkgsign(self.rurl1, sign_args)
-
                 self.pkg_image_create(self.rurl1)
                 self.seed_ta_dir("ta3")
-
                 self.pkg("set-property signature-policy verify")
                 api_obj = self.get_img_api_obj()
                 self.assertRaises(apx.UnsupportedExtensionValue,
                     self._api_install, api_obj, ["example_pkg"])
-                # Tests that the cli can handle an UnsupportedCriticalExtension.
+                # Tests that the cli can handle an UnsupportedExtensionValue.
                 self.pkg("install example_pkg", exit=1)
                 self.pkg("set-property signature-policy ignore")
                 self.pkg("set-publisher --set-property signature-policy=ignore "
@@ -1308,7 +1309,7 @@
                 extension causes an exception to be raised."""
 
                 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
-                sign_args = "-k {key} -c {cert} {name}".format(
+                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                         name=plist[0],
                         key=os.path.join(self.keys_dir,
                             "cs6_ch1_ta3_key.pem"),
@@ -1325,6 +1326,66 @@
                 api_obj = self.get_img_api_obj()
                 self.assertRaises(apx.UnsupportedExtensionValue,
                     self._api_install, api_obj, ["example_pkg"])
+                # Tests that the cli can handle an UnsupportedExtensionValue.
+                self.pkg("install example_pkg", exit=1)
+                self.pkg("set-property signature-policy ignore")
+                self.pkg("set-publisher --set-property signature-policy=ignore "
+                    "test")
+                api_obj = self.get_img_api_obj()
+                self._api_install(api_obj, ["example_pkg"])
+
+        def test_invalid_extension_1(self):
+                """Test that an invalid value in the extension causes an
+                exception to be raised."""
+
+                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
+                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
+                        name=plist[0],
+                        key=os.path.join(self.keys_dir,
+                            "cs9_ch1_ta3_key.pem"),
+                        cert=os.path.join(self.cs_dir,
+                            "cs9_ch1_ta3_cert.pem"),
+                        i1=os.path.join(self.chain_certs_dir,
+                            "ch1_ta3_cert.pem"))
+                self.pkgsign(self.rurl1, sign_args)
+
+                self.pkg_image_create(self.rurl1)
+                self.seed_ta_dir("ta3")
+
+                self.pkg("set-property signature-policy verify")
+                api_obj = self.get_img_api_obj()
+                self.assertRaises(apx.InvalidCertificateExtensions,
+                    self._api_install, api_obj, ["example_pkg"])
+                # Tests that the cli can handle an InvalidCertificateExtensions.
+                self.pkg("install example_pkg", exit=1)
+                self.pkg("set-property signature-policy ignore")
+                self.pkg("set-publisher --set-property signature-policy=ignore "
+                    "test")
+                api_obj = self.get_img_api_obj()
+                self._api_install(api_obj, ["example_pkg"])
+
+        def test_invalid_extension_2(self):
+                """Test that a critical extension that Cryptography can't
+                understand causes an exception to be raised."""
+
+                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
+                sign_args = "-k {key} -c {cert} {name}".format(
+                        name=plist[0],
+                        key=os.path.join(self.keys_dir,
+                            "cust_key.pem"),
+                        cert=os.path.join(self.cs_dir,
+                            "cust_cert.pem"))
+                self.pkgsign(self.rurl1, sign_args)
+
+                self.pkg_image_create(self.rurl1)
+                self.seed_ta_dir("cust")
+
+                self.pkg("set-property signature-policy verify")
+                api_obj = self.get_img_api_obj()
+                self.assertRaises(apx.InvalidCertificateExtensions,
+                    self._api_install, api_obj, ["example_pkg"])
+                # Tests that the cli can handle an InvalidCertificateExtensions.
+                self.pkg("install example_pkg", exit=1)
                 self.pkg("set-property signature-policy ignore")
                 self.pkg("set-publisher --set-property signature-policy=ignore "
                     "test")
@@ -1472,11 +1533,23 @@
         def test_crl_0(self):
                 """Test that the X509 CRL revocation works correctly."""
 
-                crl = m2.X509.load_crl(os.path.join(self.crl_dir,
-                    "ch1_ta4_crl.pem"))
-                revoked_cert = m2.X509.load_cert(os.path.join(self.cs_dir,
-                    "cs1_ch1_ta4_cert.pem"))
-                assert crl.is_revoked(revoked_cert)[0]
+                with open(os.path.join(self.crl_dir, "ch1_ta4_crl.pem"),
+                    "rb") as f:
+                        crl = x509.load_pem_x509_crl(
+                            f.read(), default_backend())
+
+                with open(os.path.join(self.cs_dir,
+                    "cs1_ch1_ta4_cert.pem"), "rb") as f:
+                        cert = x509.load_pem_x509_certificate(
+                            f.read(), default_backend())
+
+                self.assertTrue(crl.issuer == cert.issuer)
+                for rev in crl:
+                        if rev.serial_number == cert.serial:
+                                break
+                else:
+                        self.assertTrue(False, "Can not find revoked "
+                            "certificate in CRL!")
 
         def test_bogus_inter_certs(self):
                 """Test that if SignatureAction.set_signature is given invalid
@@ -2266,7 +2339,7 @@
 
         def test_small_pathlen(self):
                 """Test that a chain cert which has a smaller pathlen value than
-                is needed is allowed."""
+                is needed is disallowed."""
 
                 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                 sign_args = "-k {key} -c {cert} -i {i1} -i {i2} " \
@@ -2934,10 +3007,15 @@
                 repo_location = self.dcs[1].get_repodir()
                 cache_dir = os.path.join(self.test_root, "cache")
                 os.mkdir(cache_dir)
-                cert = m2.X509.load_cert(cert_path)
+
+                with open(cert_path, "rb") as f:
+                        cert = x509.load_pem_x509_certificate(
+                            f.read(), default_backend())
+
                 fd, new_cert = tempfile.mkstemp(dir=self.test_root)
                 with os.fdopen(fd, "wb") as fh:
-                        fh.write(cert.as_pem())
+                        fh.write(cert.public_bytes(
+                            serialization.Encoding.PEM))
 
                 # the file-store uses the least-preferred hash when storing
                 # content
@@ -2948,7 +3026,7 @@
                 os.mkdir(subdir)
                 fp = os.path.join(subdir, file_name)
                 fh = PkgGzipFile(fp, "wb")
-                fh.write(cert.as_pem())
+                fh.write(cert.public_bytes(serialization.Encoding.PEM))
                 fh.close()
 
                 self.pkgrecv(self.rurl2, "-c {0} -d {1} '*'".format(
@@ -2982,10 +3060,16 @@
                 repo_location = self.dcs[1].get_repodir()
                 cache_dir = os.path.join(self.test_root, "cache")
                 os.mkdir(cache_dir)
-                cert = m2.X509.load_cert(ta_path)
+
+                with open(ta_path, "rb") as f:
+                        cert = x509.load_pem_x509_certificate(
+                            f.read(), default_backend())
+
                 fd, new_cert = tempfile.mkstemp(dir=self.test_root)
                 with os.fdopen(fd, "wb") as fh:
-                        fh.write(cert.as_pem())
+                        fh.write(cert.public_bytes(
+                            serialization.Encoding.PEM))
+
                 for attr in digest.DEFAULT_HASH_ATTRS:
                         alg = digest.HASH_ALGS[attr]
                         file_name = misc.get_data_digest(new_cert,
@@ -2994,7 +3078,8 @@
                         os.mkdir(subdir)
                         fp = os.path.join(subdir, file_name)
                         fh = PkgGzipFile(fp, "wb")
-                        fh.write(cert.as_pem())
+                        fh.write(cert.public_bytes(
+                            serialization.Encoding.PEM))
                         fh.close()
 
                 self.pkgrecv(self.rurl2, "-c {0} -d {1} '*'".format(
--- a/src/tests/pkg5unittest.py	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/pkg5unittest.py	Wed Mar 09 11:27:23 2016 -0800
@@ -67,6 +67,9 @@
 import traceback
 import types
 
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
 from imp import reload
 from six.moves import configparser, http_client
 from six.moves.urllib.error import HTTPError, URLError
@@ -79,7 +82,6 @@
 import pkg.client.publisher as publisher
 import pkg.portable as portable
 import pkg.server.repository as sr
-import M2Crypto as m2
 
 from pkg.client.debugvalues import DebugValues
 
@@ -922,9 +924,12 @@
 
         @staticmethod
         def calc_pem_hash(pth):
-                # Find the hash of pem representation the file.
-                cert = m2.X509.load_cert(pth)
-                return hashlib.sha1(cert.as_pem()).hexdigest()
+                """Find the hash of pem representation the file."""
+                with open(pth) as f:
+                        cert = x509.load_pem_x509_certificate(
+                            f.read(), default_backend())
+                return hashlib.sha1(
+                    cert.public_bytes(serialization.Encoding.PEM)).hexdigest()
 
         def reduceSpaces(self, string):
                 """Reduce runs of spaces down to a single space."""
--- a/src/tests/ro_data/signing_certs/generate_certs.py	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/generate_certs.py	Wed Mar 09 11:27:23 2016 -0800
@@ -21,12 +21,13 @@
 #
 
 #
-# Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 
+from __future__ import print_function
 import os
+import pkg.pkgsubprocess as subprocess
 import shutil
-import subprocess
 import sys
 
 sys.path.append("../../")
@@ -109,6 +110,9 @@
             ext="v3_confused_cs")
         cg.make_cs_cert("cs1_cs8_ch1_ta3", "cs8_ch1_ta3",
             parent_loc="code_signing_certs")
+        # Add a certificate to the length 3 chain that has an invalid extension.
+        cg.make_cs_cert("cs9_ch1_ta3", "ch1_ta3", parent_loc="chain_certs",
+            ext="invalid_ext")
         # Make a chain where the CA has an unsupported critical extension.
         cg.make_ca_cert("ch1.1_ta3", "ta3", ext="issuer_ext_ca")
         cg.make_cs_cert("cs1_ch1.1_ta3", "ch1.1_ta3", parent_loc="chain_certs")
@@ -164,7 +168,7 @@
         fhw = open(os.path.join(output_dir, "combined_cas.pem"), "w")
         for x in range(6,12):
                 if x == 7:
-                        # ta requires a password to unlock cert, don't use 
+                        # ta requires a password to unlock cert, don't use
                         continue
                 fn = "{0}/ta{1:d}/ta{2:d}_cert.pem".format(output_dir, x, x)
                 fhr = open(fn, "r")
@@ -172,3 +176,28 @@
                 fhr.close()
         fhw.close()
 
+        # Create a certificate with an extension that Cryptography can't
+        # understand. We can't do it by the OpenSSL CLI, but we can use a C
+        # program that calls OpenSSL libraries to do it.
+        os.chdir("../../../util/mkcert")
+        cmdline = "./certgen"
+        p = subprocess.Popen(cmdline, stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE, shell=True)
+        p.wait()
+
+        output, error = p.communicate()
+        if p.returncode == 127:
+                print("certgen not found; execute 'make' in the mkcert "
+                    "directory first")
+                sys.exit(p.returncode)
+        elif p.returncode != 0:
+                print("failed: {0} {1}".format(output, error))
+                sys.exit(p.returncode)
+
+        # copy the generated cert files from util/mkcert to the ro_data area
+        shutil.copy("cust_key.pem",
+            "../../tests/ro_data/signing_certs/produced/keys/")
+        shutil.copy("cust_cert.pem",
+            "../../tests/ro_data/signing_certs/produced/code_signing_certs/")
+        shutil.copy("cust_cert.pem",
+            "../../tests/ro_data/signing_certs/produced/trust_anchors/")
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/01.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/01.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,61 +5,82 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta1/emailAddress=ta1
         Validity
-            Not Before: Dec 13 00:13:34 2013 GMT
-            Not After : Sep  8 00:13:34 2016 GMT
+            Not Before: Jan 22 01:57:53 2016 GMT
+            Not After : Oct 18 01:57:53 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1_ta1/emailAddress=ch1_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:da:3a:b2:74:16:5c:38:7c:93:3a:48:cb:9f:71:
-                    7c:aa:b9:ff:d7:25:5f:cd:90:6c:e6:87:6d:ed:34:
-                    0f:12:19:00:a8:36:fe:51:4b:b2:38:76:55:2a:d1:
-                    ce:3b:a3:78:75:db:c8:ba:85:8b:ad:80:0e:84:ab:
-                    1f:4b:80:90:20:56:49:7b:71:a0:16:f8:15:8a:cd:
-                    70:ee:45:1f:53:34:3c:85:df:10:75:e2:b1:68:97:
-                    c5:0d:66:7f:bf:e7:b3:d1:09:03:1b:50:14:dc:e3:
-                    3e:a9:b6:6a:63:e6:0f:51:3e:06:59:50:43:da:10:
-                    99:0d:79:a3:b4:76:89:a2:01
+                    00:ef:e4:87:59:74:82:97:b8:fa:7e:12:4a:e8:48:
+                    fe:95:28:15:6a:c7:07:ac:10:27:fb:58:9e:2c:9a:
+                    43:84:2b:1d:e4:04:68:e1:64:cd:3d:be:97:4a:f1:
+                    c0:e5:3f:b9:04:70:eb:02:7f:e2:f4:3c:23:44:80:
+                    b0:9f:ab:02:09:37:10:c6:25:53:f2:9b:24:d8:7e:
+                    c6:0a:71:56:95:72:71:e9:97:d6:70:5f:76:2b:bf:
+                    f4:c4:43:93:9c:62:ad:60:3c:27:3a:19:e6:64:db:
+                    1d:56:60:a5:32:8c:91:61:15:b9:9a:ef:89:4e:bf:
+                    4b:ca:90:7b:01:05:1c:1f:51:ec:33:43:66:f2:eb:
+                    45:17:e9:dc:fa:f3:d3:73:82:ae:9b:cc:fb:c8:44:
+                    29:3a:c8:24:5c:b7:52:d2:fa:30:0d:42:7a:8c:e1:
+                    0a:4c:5a:0c:6e:57:7b:0f:9f:e3:ae:84:bd:1b:10:
+                    ee:63:f2:5e:0d:91:bd:9a:b6:e4:f6:a6:85:92:e8:
+                    bc:3c:b4:da:13:6e:0b:9b:f9:6f:4b:1d:61:57:44:
+                    23:a7:78:35:72:ef:51:a8:98:14:2a:78:d0:55:da:
+                    fe:f1:93:e0:fd:6c:e6:42:6b:3b:eb:4f:f8:b1:ac:
+                    dd:78:9b:9f:f8:c1:51:28:fe:04:aa:8b:c8:40:f7:
+                    f6:73
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                36:46:2D:8A:1B:8B:CE:C1:1D:02:37:B9:EC:A5:FF:BA:73:AE:E5:48
+                2E:B3:14:E2:95:4C:93:07:05:A4:87:64:EA:C4:57:2D:52:3B:8C:F9
             X509v3 Authority Key Identifier: 
-                keyid:81:54:6B:06:08:DD:44:4F:08:81:21:7A:7C:D5:96:EA:53:2B:E3:0A
+                keyid:D6:A2:C9:8F:BE:AC:C1:F3:E7:8A:8D:01:1C:0A:7D:C1:EE:88:E5:A6
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta1/emailAddress=ta1
-                serial:F6:A8:B6:5C:10:8D:04:4F
+                serial:B8:ED:CE:51:42:C8:90:81
 
             X509v3 Basic Constraints: critical
                 CA:TRUE, pathlen:4
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         38:4a:69:9d:14:fa:51:b9:35:9c:c8:ae:e5:c0:e2:2e:4c:d4:
-         57:ad:64:05:99:e4:94:b3:d3:97:e0:0e:bd:1c:b4:64:c8:2b:
-         07:18:26:7f:99:ef:9c:48:e6:23:b3:96:37:92:54:85:8b:29:
-         19:60:12:11:fc:d8:62:84:5c:75:73:76:9e:0f:f8:a7:95:79:
-         c8:3c:75:f7:13:73:1f:be:fa:60:79:5c:6c:12:8d:ca:f9:58:
-         4b:1f:ed:0a:52:4c:61:95:6f:9a:a7:57:0c:20:9a:19:73:dc:
-         3d:42:aa:47:29:ac:92:a9:cc:4a:eb:85:6d:ab:cd:ed:2b:9a:
-         e5:c1
+         32:8d:c5:57:e8:49:29:70:35:e7:5a:4f:c7:78:70:ad:9e:6e:
+         2d:27:e2:a6:95:eb:30:a8:b5:71:6b:0e:5b:de:ca:9b:3e:be:
+         8d:34:d4:98:68:67:2f:8a:63:50:66:71:5b:3b:5b:1e:b4:37:
+         6b:6b:df:7c:1e:9e:24:01:8d:0a:ea:b0:e5:1f:31:1e:d1:ed:
+         68:cf:73:00:56:36:cc:e5:83:3f:c4:c0:00:d5:3f:3c:f8:2f:
+         dd:4e:c6:68:08:b5:80:ef:d0:ab:4c:55:a1:7b:4a:1e:67:02:
+         5d:fb:56:68:88:f2:49:2f:e5:f5:4c:3a:2d:54:b7:9a:79:38:
+         f1:87:b4:d9:8d:b6:0c:88:ec:a1:ce:00:e0:9a:13:3b:57:d6:
+         80:17:a0:e8:1b:3e:e6:25:d8:bd:8e:1d:bb:45:36:9f:4b:a7:
+         4e:3e:f5:fb:60:73:85:2e:4e:35:10:9a:a8:44:ea:22:8f:6f:
+         27:84:3f:e8:02:05:7c:fd:57:61:76:1b:6b:52:6b:b9:c4:6c:
+         9b:84:e3:c5:91:16:14:03:a0:80:e8:80:35:bc:92:97:35:13:
+         e5:d9:1b:4e:4b:0c:ba:15:cf:d8:5f:c9:86:fd:44:74:88:34:
+         76:12:85:90:a1:d9:3a:cf:d3:63:3f:be:91:d1:66:04:fc:5b:
+         84:8d:f8:a7
 -----BEGIN CERTIFICATE-----
-MIIDNTCCAp6gAwIBAgIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
+MIIEOjCCAyKgAwIBAgIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
-BAoMBHBrZzUxDDAKBgNVBAMMA3RhMTESMBAGCSqGSIb3DQEJARYDdGExMB4XDTEz
-MTIxMzAwMTMzNFoXDTE2MDkwODAwMTMzNFowcTELMAkGA1UEBhMCVVMxEzARBgNV
+BAoMBHBrZzUxDDAKBgNVBAMMA3RhMTESMBAGCSqGSIb3DQEJARYDdGExMB4XDTE2
+MDEyMjAxNTc1M1oXDTE4MTAxODAxNTc1M1owcTELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
-a2c1MRAwDgYDVQQDDAdjaDFfdGExMRYwFAYJKoZIhvcNAQkBFgdjaDFfdGExMIGf
-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaOrJ0Flw4fJM6SMufcXyquf/XJV/N
-kGzmh23tNA8SGQCoNv5RS7I4dlUq0c47o3h128i6hYutgA6Eqx9LgJAgVkl7caAW
-+BWKzXDuRR9TNDyF3xB14rFol8UNZn+/57PRCQMbUBTc4z6ptmpj5g9RPgZZUEPa
-EJkNeaO0domiAQIDAQABo4HkMIHhMB0GA1UdDgQWBBQ2Ri2KG4vOwR0CN7nspf+6
-c67lSDCBmwYDVR0jBIGTMIGQgBSBVGsGCN1ETwiBIXp81ZbqUyvjCqFtpGswaTEL
-MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRh
-IENsYXJhMQ0wCwYDVQQKDARwa2c1MQwwCgYDVQQDDAN0YTExEjAQBgkqhkiG9w0B
-CQEWA3RhMYIJAPaotlwQjQRPMBIGA1UdEwEB/wQIMAYBAf8CAQQwDgYDVR0PAQH/
-BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBADhKaZ0U+lG5NZzIruXA4i5M1FetZAWZ
-5JSz05fgDr0ctGTIKwcYJn+Z75xI5iOzljeSVIWLKRlgEhH82GKEXHVzdp4P+KeV
-ecg8dfcTcx+++mB5XGwSjcr5WEsf7QpSTGGVb5qnVwwgmhlz3D1CqkcprJKpzErr
-hW2rze0rmuXB
+a2c1MRAwDgYDVQQDDAdjaDFfdGExMRYwFAYJKoZIhvcNAQkBFgdjaDFfdGExMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7+SHWXSCl7j6fhJK6Ej+lSgV
+ascHrBAn+1ieLJpDhCsd5ARo4WTNPb6XSvHA5T+5BHDrAn/i9DwjRICwn6sCCTcQ
+xiVT8psk2H7GCnFWlXJx6ZfWcF92K7/0xEOTnGKtYDwnOhnmZNsdVmClMoyRYRW5
+mu+JTr9LypB7AQUcH1HsM0Nm8utFF+nc+vPTc4Kum8z7yEQpOsgkXLdS0vowDUJ6
+jOEKTFoMbld7D5/jroS9GxDuY/JeDZG9mrbk9qaFkui8PLTaE24Lm/lvSx1hV0Qj
+p3g1cu9RqJgUKnjQVdr+8ZPg/WzmQms760/4sazdeJuf+MFRKP4EqovIQPf2cwID
+AQABo4HkMIHhMB0GA1UdDgQWBBQusxTilUyTBwWkh2TqxFctUjuM+TCBmwYDVR0j
+BIGTMIGQgBTWosmPvqzB8+eKjQEcCn3B7ojlpqFtpGswaTELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYD
+VQQKDARwa2c1MQwwCgYDVQQDDAN0YTExEjAQBgkqhkiG9w0BCQEWA3RhMYIJALjt
+zlFCyJCBMBIGA1UdEwEB/wQIMAYBAf8CAQQwDgYDVR0PAQH/BAQDAgEGMA0GCSqG
+SIb3DQEBCwUAA4IBAQAyjcVX6EkpcDXnWk/HeHCtnm4tJ+KmleswqLVxaw5b3sqb
+Pr6NNNSYaGcvimNQZnFbO1setDdra998Hp4kAY0K6rDlHzEe0e1oz3MAVjbM5YM/
+xMAA1T88+C/dTsZoCLWA79CrTFWhe0oeZwJd+1ZoiPJJL+X1TDotVLeaeTjxh7TZ
+jbYMiOyhzgDgmhM7V9aAF6DoGz7mJdi9jh27RTafS6dOPvX7YHOFLk41EJqoROoi
+j28nhD/oAgV8/VdhdhtrUmu5xGybhOPFkRYUA6CA6IA1vJKXNRPl2RtOSwy6Fc/Y
+X8mG/UR0iDR2EoWQodk6z9NjP76R0WYE/FuEjfin
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/02.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/02.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,28 +5,37 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1_ta1/emailAddress=ch1_ta1
         Validity
-            Not Before: Dec 13 00:13:34 2013 GMT
-            Not After : Sep  8 00:13:34 2016 GMT
+            Not Before: Jan 22 01:57:53 2016 GMT
+            Not After : Oct 18 01:57:53 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch2_ta1/emailAddress=ch2_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:be:c1:86:30:d2:a3:02:f4:00:33:fc:54:f3:6f:
-                    d7:27:99:7b:57:e2:f1:93:f8:58:1c:eb:9a:cc:6b:
-                    23:9b:b8:a9:11:27:50:9b:d7:a7:c2:fe:8b:ee:54:
-                    d0:5d:e2:24:04:47:1c:cc:54:b5:89:bb:a6:26:de:
-                    b9:3b:73:19:67:5e:9a:88:12:de:87:de:0e:26:c9:
-                    0c:44:13:65:23:cd:7f:34:d6:bb:45:20:87:7e:ba:
-                    48:d5:2f:3f:fc:d6:8d:d7:b7:b2:9f:42:ef:76:9a:
-                    cf:c3:01:ae:b9:8f:00:33:ea:28:15:ca:30:da:8f:
-                    25:76:a4:55:2a:2c:7a:b8:eb
+                    00:ac:2b:63:c0:6d:3e:96:73:cf:d9:f6:76:40:27:
+                    72:6b:c9:d4:10:27:d9:b1:b5:7b:f1:98:aa:d3:39:
+                    78:eb:98:40:95:81:6c:0b:d8:b7:ea:14:76:4b:36:
+                    f9:d6:c2:d2:2a:d7:01:2b:f6:1a:77:6f:dd:b8:01:
+                    0b:f5:89:cd:3b:94:5a:76:43:94:79:b5:62:a0:f7:
+                    b1:4e:3e:8a:9a:41:38:cf:ff:b4:e2:b8:97:ae:1f:
+                    55:5a:2c:bf:4b:c0:ba:25:66:4f:d3:c1:06:62:f8:
+                    b9:3f:a8:52:c0:55:a8:cc:8a:7e:ee:4a:1a:70:60:
+                    20:ee:66:88:9d:af:c9:58:13:bd:1b:59:cc:23:b4:
+                    94:56:88:ef:02:e1:da:45:28:7e:ba:6b:90:65:1b:
+                    b8:79:e8:6f:2e:92:5b:7f:e1:d2:f3:f0:26:64:64:
+                    b6:01:3f:78:73:6f:52:b3:26:e2:c9:be:0a:b8:13:
+                    72:e5:05:cc:bb:b8:68:93:2d:63:0b:f8:66:44:68:
+                    98:60:eb:a4:36:52:11:0d:eb:db:cf:a5:2d:dc:1d:
+                    ab:ff:cc:99:fc:1d:e8:82:3a:d6:a5:55:37:a3:96:
+                    12:e4:44:a3:bd:ec:4a:48:11:f6:95:17:31:1f:fc:
+                    00:ac:32:33:86:97:7e:8c:2f:09:8e:9e:08:22:56:
+                    9a:3d
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                12:30:0A:74:FD:DE:71:CF:4A:77:1E:1E:57:5E:F8:76:71:D7:5B:9E
+                36:30:72:96:D2:F9:D4:7A:AE:CF:C2:4B:3F:EE:52:AA:DF:9B:F3:12
             X509v3 Authority Key Identifier: 
-                keyid:36:46:2D:8A:1B:8B:CE:C1:1D:02:37:B9:EC:A5:FF:BA:73:AE:E5:48
+                keyid:2E:B3:14:E2:95:4C:93:07:05:A4:87:64:EA:C4:57:2D:52:3B:8C:F9
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta1/emailAddress=ta1
                 serial:01
 
@@ -35,31 +44,43 @@
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         8e:a5:2a:c9:3f:e0:1f:a9:8c:a3:45:b8:0d:0e:35:43:c3:d6:
-         fe:f6:bc:0d:76:f0:26:d6:ab:e7:39:30:92:6f:cc:8e:0e:5f:
-         b0:92:29:41:39:41:14:2a:43:b1:bb:e5:d4:8c:b3:6e:b7:7b:
-         89:ab:3d:a4:e1:98:45:40:b9:1e:86:7b:b6:3f:55:e3:46:ab:
-         ed:41:45:6a:cc:af:a4:63:54:c8:ab:27:3f:59:67:8a:f5:60:
-         1b:63:b7:bb:27:94:00:8f:ee:f9:31:53:59:98:85:76:77:db:
-         dd:39:6f:1a:61:fe:0d:68:88:20:a8:d5:2b:c7:6a:08:5b:f1:
-         ac:9a
+         66:4a:2f:69:a3:d8:4f:31:e6:3b:89:bd:3e:9e:5a:b9:e7:f1:
+         a8:ba:dd:ef:e3:f5:73:b8:50:05:aa:65:50:01:db:14:47:d2:
+         03:f8:83:a0:ae:79:53:00:89:da:46:00:c7:31:b7:54:6d:17:
+         98:01:60:34:12:c0:df:1b:fb:c2:8e:74:34:74:76:1a:48:cf:
+         01:8f:45:ea:91:bb:39:73:9d:cb:3f:21:46:60:00:e8:5c:08:
+         cf:16:40:00:4b:b3:37:54:92:38:6f:bf:77:eb:78:71:3f:5f:
+         85:81:12:57:77:17:69:fc:5a:0e:ea:ca:50:29:0b:e2:b5:de:
+         20:bd:9c:bd:24:e4:c8:13:d4:04:de:f2:91:c5:ce:3a:7a:26:
+         a0:70:e0:d7:1b:60:43:61:c2:51:76:5a:4a:c4:9f:31:71:68:
+         55:9f:95:61:7b:bd:e2:bf:1f:b0:bb:4a:e7:01:48:10:3e:ea:
+         33:a5:75:0a:d6:96:c2:3b:fc:77:64:e4:79:fd:29:4d:00:24:
+         bb:57:41:ec:7f:69:e5:f5:92:ff:2c:1d:7a:43:06:04:7a:60:
+         e0:c0:65:f6:d5:cd:21:8d:3a:38:55:da:7f:5b:04:f2:5c:ab:
+         68:ba:9d:83:ef:71:21:6f:3b:60:e2:d4:50:40:0b:81:9b:4e:
+         1c:7b:c4:57
 -----BEGIN CERTIFICATE-----
-MIIDNTCCAp6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIEOjCCAyKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoMV90YTExFjAUBgkqhkiG9w0BCQEWB2NoMV90
-YTEwHhcNMTMxMjEzMDAxMzM0WhcNMTYwOTA4MDAxMzM0WjBxMQswCQYDVQQGEwJV
+YTEwHhcNMTYwMTIyMDE1NzUzWhcNMTgxMDE4MDE1NzUzWjBxMQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxEDAOBgNVBAMMB2NoMl90YTExFjAUBgkqhkiG9w0BCQEWB2No
-Ml90YTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL7BhjDSowL0ADP8VPNv
-1yeZe1fi8ZP4WBzrmsxrI5u4qREnUJvXp8L+i+5U0F3iJARHHMxUtYm7pibeuTtz
-GWdemogS3ofeDibJDEQTZSPNfzTWu0Ugh366SNUvP/zWjde3sp9C73aaz8MBrrmP
-ADPqKBXKMNqPJXakVSoserjrAgMBAAGjgdwwgdkwHQYDVR0OBBYEFBIwCnT93nHP
-SnceHlde+HZx11ueMIGTBgNVHSMEgYswgYiAFDZGLYobi87BHQI3ueyl/7pzruVI
-oW2kazBpMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UE
-BwwLU2FudGEgQ2xhcmExDTALBgNVBAoMBHBrZzUxDDAKBgNVBAMMA3RhMTESMBAG
-CSqGSIb3DQEJARYDdGExggEBMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/
-BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBAI6lKsk/4B+pjKNFuA0ONUPD1v72vA12
-8CbWq+c5MJJvzI4OX7CSKUE5QRQqQ7G75dSMs263e4mrPaThmEVAuR6Ge7Y/VeNG
-q+1BRWrMr6RjVMirJz9ZZ4r1YBtjt7snlACP7vkxU1mYhXZ32905bxph/g1oiCCo
-1SvHaghb8aya
+Ml90YTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsK2PAbT6Wc8/Z
+9nZAJ3JrydQQJ9mxtXvxmKrTOXjrmECVgWwL2LfqFHZLNvnWwtIq1wEr9hp3b924
+AQv1ic07lFp2Q5R5tWKg97FOPoqaQTjP/7TiuJeuH1VaLL9LwLolZk/TwQZi+Lk/
+qFLAVajMin7uShpwYCDuZoidr8lYE70bWcwjtJRWiO8C4dpFKH66a5BlG7h56G8u
+klt/4dLz8CZkZLYBP3hzb1KzJuLJvgq4E3LlBcy7uGiTLWML+GZEaJhg66Q2UhEN
+69vPpS3cHav/zJn8HeiCOtalVTejlhLkRKO97EpIEfaVFzEf/ACsMjOGl36MLwmO
+nggiVpo9AgMBAAGjgdwwgdkwHQYDVR0OBBYEFDYwcpbS+dR6rs/CSz/uUqrfm/MS
+MIGTBgNVHSMEgYswgYiAFC6zFOKVTJMHBaSHZOrEVy1SO4z5oW2kazBpMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xh
+cmExDTALBgNVBAoMBHBrZzUxDDAKBgNVBAMMA3RhMTESMBAGCSqGSIb3DQEJARYD
+dGExggEBMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqG
+SIb3DQEBCwUAA4IBAQBmSi9po9hPMeY7ib0+nlq55/Gout3v4/VzuFAFqmVQAdsU
+R9ID+IOgrnlTAInaRgDHMbdUbReYAWA0EsDfG/vCjnQ0dHYaSM8Bj0Xqkbs5c53L
+PyFGYADoXAjPFkAAS7M3VJI4b79363hxP1+FgRJXdxdp/FoO6spQKQvitd4gvZy9
+JOTIE9QE3vKRxc46eiagcODXG2BDYcJRdlpKxJ8xcWhVn5Vhe73ivx+wu0rnAUgQ
+PuozpXUK1pbCO/x3ZOR5/SlNACS7V0Hsf2nl9ZL/LB16QwYEemDgwGX21c0hjTo4
+Vdp/WwTyXKtoup2D73Ehbztg4tRQQAuBm04ce8RX
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/03.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/03.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,28 +5,37 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch2_ta1/emailAddress=ch2_ta1
         Validity
-            Not Before: Dec 13 00:13:34 2013 GMT
-            Not After : Sep  8 00:13:34 2016 GMT
+            Not Before: Jan 22 01:57:54 2016 GMT
+            Not After : Oct 18 01:57:54 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch3_ta1/emailAddress=ch3_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:d3:5b:f1:93:8f:01:0f:c0:25:d9:07:f1:70:29:
-                    1e:56:0b:ff:93:70:1d:45:02:ef:52:22:8a:04:c9:
-                    08:85:33:db:77:c3:33:d9:5c:fe:30:2a:a8:ac:9d:
-                    d8:97:dc:b4:69:51:5e:d1:c9:86:68:a7:e3:ab:35:
-                    e2:8f:d0:36:1b:67:be:50:88:66:7c:4b:4f:d3:86:
-                    78:92:d9:c5:62:c7:04:a3:d7:9e:8c:c3:ca:48:41:
-                    52:3f:a1:82:dc:f2:bb:d2:9c:a9:58:25:3a:0b:73:
-                    b6:41:ab:6a:c3:6a:70:ce:a1:20:0f:b6:db:e0:91:
-                    0b:0a:1f:dc:02:f4:ed:32:0f
+                    00:b6:d0:0d:56:d4:83:c8:22:08:fd:38:bd:e2:34:
+                    1e:1a:4e:8a:ca:b8:97:9b:69:75:be:78:1b:45:ae:
+                    aa:60:19:86:eb:4b:9a:9f:4b:76:4b:0e:20:e3:bf:
+                    31:89:b0:36:9e:b2:7f:70:17:50:d5:f3:5a:84:ee:
+                    57:3d:86:83:6e:34:47:bf:9a:3a:cb:a3:f1:e9:00:
+                    5a:82:cd:b9:61:63:ac:fa:dd:1a:23:9e:79:a0:13:
+                    1c:5b:9c:20:8f:a4:73:09:0b:6e:40:82:e1:13:98:
+                    8c:71:27:8b:4b:f9:20:a2:14:17:69:3c:ef:ba:68:
+                    8e:4d:61:b8:f4:fd:92:fc:5c:10:9c:12:5f:91:63:
+                    ae:57:a4:31:a2:67:46:60:c8:d9:10:ba:86:33:6f:
+                    99:a7:14:3a:42:5d:b2:77:f5:e5:52:9e:e9:f6:f5:
+                    01:ea:63:b1:71:97:cd:83:18:5c:07:40:44:b3:43:
+                    c7:af:f7:ad:d7:61:0f:7c:c7:60:5e:df:d4:06:f5:
+                    1d:ee:c1:19:0e:4b:13:e3:51:b6:b7:cc:3f:35:8f:
+                    6c:99:56:42:eb:86:8a:42:fa:4a:5c:60:06:75:a4:
+                    b1:6b:ea:eb:0c:eb:21:5d:2d:0f:0c:a0:fd:3e:67:
+                    42:b4:a1:da:57:3c:a6:50:a4:df:0a:8e:ca:fc:10:
+                    2c:bd
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                8F:2A:82:4C:1E:39:97:C3:4A:6A:52:FC:D4:CB:E6:37:CE:12:91:59
+                EE:A0:C0:54:B5:84:89:28:80:79:49:CE:D0:A9:C6:8B:B9:8E:85:20
             X509v3 Authority Key Identifier: 
-                keyid:12:30:0A:74:FD:DE:71:CF:4A:77:1E:1E:57:5E:F8:76:71:D7:5B:9E
+                keyid:36:30:72:96:D2:F9:D4:7A:AE:CF:C2:4B:3F:EE:52:AA:DF:9B:F3:12
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ch1_ta1/emailAddress=ch1_ta1
                 serial:02
 
@@ -35,31 +44,43 @@
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         94:2a:c9:c9:21:b7:bd:3a:72:31:65:89:16:11:00:e1:46:38:
-         16:b6:cd:d4:04:b3:18:71:3d:8d:4a:0a:ec:02:4e:ee:58:2c:
-         7d:d2:0b:6f:c6:d2:be:a6:f9:1c:e7:c2:76:2a:09:87:d2:06:
-         8e:0d:aa:66:70:e8:8f:ff:7d:1d:e4:4e:9b:58:71:f7:40:46:
-         a8:79:9d:86:6c:bf:64:3b:76:66:6c:08:21:62:09:6d:7b:f4:
-         5d:e2:8e:1c:e6:e3:56:71:de:b7:fe:92:07:f0:7e:13:e0:ad:
-         62:b3:08:9f:06:7e:9b:f6:8b:76:96:df:86:30:0e:bb:ef:9b:
-         b3:07
+         a6:cf:99:19:6d:0e:6c:46:8b:9a:79:e7:12:d9:3b:13:6f:c9:
+         98:05:09:5c:a4:14:42:de:2d:bf:cc:85:39:a7:ec:e3:fb:1c:
+         73:76:0c:8f:ab:1a:e7:f3:4a:cb:44:8e:33:a0:3c:3d:6a:21:
+         88:87:e2:52:d7:27:23:05:c9:f5:59:a8:b7:c3:e6:00:01:6c:
+         85:98:cd:37:30:f9:f9:d7:6f:07:56:5d:f0:c6:a6:d7:aa:ec:
+         a6:f4:40:97:aa:45:f3:3e:25:22:fa:fb:4a:04:42:3c:77:36:
+         96:91:2d:49:8a:ba:07:cb:70:69:71:6d:4f:5e:9c:f0:1d:8f:
+         ed:22:fd:5b:c6:c6:87:b0:e9:0c:20:51:17:09:a3:2f:fd:da:
+         e9:84:5e:5e:d4:9a:39:b9:e4:75:e2:4f:8e:35:71:97:46:2d:
+         3c:6e:30:dd:92:5a:86:29:b4:7a:27:aa:cf:1e:d2:31:6e:f7:
+         d7:7f:f3:d6:17:e3:dd:4d:13:d3:d4:3e:d4:3a:ab:46:f7:68:
+         e7:b9:9f:28:26:f2:ec:f4:f1:96:ea:09:d0:fe:ed:08:8c:52:
+         98:ff:ad:47:0d:2f:c5:24:9b:58:17:5c:4e:a2:bb:11:29:84:
+         03:91:d8:a6:31:a7:cf:b3:f7:3b:e0:f1:6e:4b:90:13:77:ba:
+         7f:0b:cc:ea
 -----BEGIN CERTIFICATE-----
-MIIDPTCCAqagAwIBAgIBAzANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIEQjCCAyqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoMl90YTExFjAUBgkqhkiG9w0BCQEWB2NoMl90
-YTEwHhcNMTMxMjEzMDAxMzM0WhcNMTYwOTA4MDAxMzM0WjBxMQswCQYDVQQGEwJV
+YTEwHhcNMTYwMTIyMDE1NzU0WhcNMTgxMDE4MDE1NzU0WjBxMQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxEDAOBgNVBAMMB2NoM190YTExFjAUBgkqhkiG9w0BCQEWB2No
-M190YTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANNb8ZOPAQ/AJdkH8XAp
-HlYL/5NwHUUC71IiigTJCIUz23fDM9lc/jAqqKyd2JfctGlRXtHJhmin46s14o/Q
-NhtnvlCIZnxLT9OGeJLZxWLHBKPXnozDykhBUj+hgtzyu9KcqVglOgtztkGrasNq
-cM6hIA+22+CRCwof3AL07TIPAgMBAAGjgeQwgeEwHQYDVR0OBBYEFI8qgkweOZfD
-SmpS/NTL5jfOEpFZMIGbBgNVHSMEgZMwgZCAFBIwCnT93nHPSnceHlde+HZx11ue
-oXWkczBxMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UE
-BwwLU2FudGEgQ2xhcmExDTALBgNVBAoMBHBrZzUxEDAOBgNVBAMMB2NoMV90YTEx
-FjAUBgkqhkiG9w0BCQEWB2NoMV90YTGCAQIwEgYDVR0TAQH/BAgwBgEB/wIBAjAO
-BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAlCrJySG3vTpyMWWJFhEA
-4UY4FrbN1ASzGHE9jUoK7AJO7lgsfdILb8bSvqb5HOfCdioJh9IGjg2qZnDoj/99
-HeROm1hx90BGqHmdhmy/ZDt2ZmwIIWIJbXv0XeKOHObjVnHet/6SB/B+E+CtYrMI
-nwZ+m/aLdpbfhjAOu++bswc=
+M190YTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC20A1W1IPIIgj9
+OL3iNB4aTorKuJebaXW+eBtFrqpgGYbrS5qfS3ZLDiDjvzGJsDaesn9wF1DV81qE
+7lc9hoNuNEe/mjrLo/HpAFqCzblhY6z63RojnnmgExxbnCCPpHMJC25AguETmIxx
+J4tL+SCiFBdpPO+6aI5NYbj0/ZL8XBCcEl+RY65XpDGiZ0ZgyNkQuoYzb5mnFDpC
+XbJ39eVSnun29QHqY7Fxl82DGFwHQESzQ8ev963XYQ98x2Be39QG9R3uwRkOSxPj
+Uba3zD81j2yZVkLrhopC+kpcYAZ1pLFr6usM6yFdLQ8MoP0+Z0K0odpXPKZQpN8K
+jsr8ECy9AgMBAAGjgeQwgeEwHQYDVR0OBBYEFO6gwFS1hIkogHlJztCpxou5joUg
+MIGbBgNVHSMEgZMwgZCAFDYwcpbS+dR6rs/CSz/uUqrfm/MSoXWkczBxMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xh
+cmExDTALBgNVBAoMBHBrZzUxEDAOBgNVBAMMB2NoMV90YTExFjAUBgkqhkiG9w0B
+CQEWB2NoMV90YTGCAQIwEgYDVR0TAQH/BAgwBgEB/wIBAjAOBgNVHQ8BAf8EBAMC
+AQYwDQYJKoZIhvcNAQELBQADggEBAKbPmRltDmxGi5p55xLZOxNvyZgFCVykFELe
+Lb/MhTmn7OP7HHN2DI+rGufzSstEjjOgPD1qIYiH4lLXJyMFyfVZqLfD5gABbIWY
+zTcw+fnXbwdWXfDGpteq7Kb0QJeqRfM+JSL6+0oEQjx3NpaRLUmKugfLcGlxbU9e
+nPAdj+0i/VvGxoew6QwgURcJoy/92umEXl7Umjm55HXiT441cZdGLTxuMN2SWoYp
+tHonqs8e0jFu99d/89YX491NE9PUPtQ6q0b3aOe5nygm8uz08ZbqCdD+7QiMUpj/
+rUcNL8Ukm1gXXE6iuxEphAOR2KYxp8+z9zvg8W5LkBN3un8LzOo=
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/04.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/04.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,28 +5,37 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch3_ta1/emailAddress=ch3_ta1
         Validity
-            Not Before: Dec 13 00:13:34 2013 GMT
-            Not After : Sep  8 00:13:34 2016 GMT
+            Not Before: Jan 22 01:57:54 2016 GMT
+            Not After : Oct 18 01:57:54 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch4_ta1/emailAddress=ch4_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:af:c3:8b:39:3e:21:56:8a:d6:97:1b:c7:aa:c7:
-                    51:9e:e9:cf:15:1f:24:e6:91:92:81:b3:7d:30:eb:
-                    ea:12:30:13:03:d0:b9:60:41:8b:eb:88:f4:1f:e5:
-                    43:cf:b5:ae:47:7a:4d:46:6e:f8:16:42:67:db:20:
-                    e4:0d:1f:96:4f:21:59:95:f6:70:33:32:45:81:18:
-                    5e:a5:5b:fd:4a:e6:d7:97:cf:45:65:e7:74:79:5f:
-                    a5:9f:e1:c7:a5:d0:5d:24:a7:32:18:68:13:57:4c:
-                    cf:78:12:6f:9f:5c:e6:4d:be:89:24:4b:29:d8:02:
-                    b2:f9:f9:13:cf:92:43:0f:e5
+                    00:f0:be:9f:7c:fb:8e:9a:93:80:30:b8:43:a6:70:
+                    13:a9:0b:fb:0c:f7:02:6d:4e:75:db:4a:19:9c:4a:
+                    29:c3:e8:58:ba:7b:39:66:4e:d0:04:d6:e4:4c:73:
+                    0b:9b:c1:e2:c5:fa:e7:4d:19:c6:e3:ec:ae:13:23:
+                    54:ab:12:42:d0:fc:ef:10:5c:8b:2c:c7:00:b8:35:
+                    ad:d8:f6:af:cc:9d:6f:19:1c:20:f9:14:f3:1e:69:
+                    ce:85:c0:3d:2d:25:6d:79:01:1c:89:fb:2b:f6:2a:
+                    c7:ea:89:3f:b8:6a:c5:20:60:79:cd:c5:3d:2f:d4:
+                    57:54:63:04:69:fc:fa:0c:a6:23:ee:e4:6e:e3:e2:
+                    60:ac:91:01:a2:64:a4:f5:44:8a:7c:90:f3:b7:69:
+                    31:14:0e:53:f5:81:08:0b:50:0d:1c:43:f6:92:59:
+                    a5:fa:3a:98:72:38:c7:5f:e1:4e:a8:54:64:a9:d4:
+                    93:0e:e9:27:88:4a:b9:98:ba:aa:c8:31:0d:dc:fb:
+                    70:0d:06:63:1b:d0:ee:61:2f:9b:cf:18:d5:74:bc:
+                    53:63:b9:0d:0d:b9:f2:bc:6d:b2:c3:3d:0b:4c:84:
+                    09:28:9e:80:94:74:58:b7:af:97:9b:55:ed:a5:c7:
+                    c5:79:f9:df:a0:6d:ca:40:c0:a5:dc:09:c4:cd:ed:
+                    39:1b
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                54:8A:14:10:0B:AF:89:DC:1E:65:8A:17:37:6A:AC:D2:2B:6C:27:5C
+                44:81:49:A3:5B:7C:85:F2:A7:56:19:FF:64:98:AB:61:89:3E:E1:B7
             X509v3 Authority Key Identifier: 
-                keyid:8F:2A:82:4C:1E:39:97:C3:4A:6A:52:FC:D4:CB:E6:37:CE:12:91:59
+                keyid:EE:A0:C0:54:B5:84:89:28:80:79:49:CE:D0:A9:C6:8B:B9:8E:85:20
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ch2_ta1/emailAddress=ch2_ta1
                 serial:03
 
@@ -35,31 +44,43 @@
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         6a:17:96:16:a6:3f:96:b7:8e:fb:e5:d7:14:f9:a8:8e:52:16:
-         04:0d:58:4b:f7:c6:70:c4:3f:d3:2b:13:24:7b:47:2d:cf:89:
-         59:bf:5c:6c:17:31:46:c4:17:e5:41:fe:5e:3f:ec:44:2e:92:
-         94:eb:3b:c9:ff:d1:5e:c0:ad:d3:51:2b:12:11:87:b2:17:2f:
-         40:5a:ac:76:f0:0f:ed:cd:ca:be:b6:b2:ef:bf:d4:79:04:e0:
-         ed:88:33:96:b0:a4:27:41:a7:31:0b:c4:d9:6a:ad:7d:82:bb:
-         63:15:2a:00:8e:60:af:ee:a6:8a:d3:65:6a:b8:f9:7e:0e:cd:
-         bf:d5
+         36:66:82:04:35:26:cc:ce:07:00:e7:19:db:4e:05:22:af:98:
+         9f:8f:88:84:1b:75:57:3b:f7:0f:2a:da:ae:fe:36:e4:35:a9:
+         ff:57:7a:3f:4a:ec:71:ba:c6:4a:b5:6a:c7:e3:46:27:52:5b:
+         d0:dd:a3:c4:3a:78:8b:ac:21:5c:2a:68:71:ec:d8:cb:0f:f3:
+         35:07:82:53:3c:01:1b:69:34:cb:2a:85:3b:da:f1:b7:11:fe:
+         ec:12:3a:a2:c8:b1:80:fd:bd:40:b1:f2:b2:ed:1b:b3:83:87:
+         60:12:21:b9:e1:3a:ff:4a:3c:d0:6e:b5:07:4c:a8:db:e8:f4:
+         81:50:14:3c:4b:09:3a:fe:85:88:1a:72:d6:3c:2a:e2:67:c4:
+         51:cb:21:7e:22:78:30:34:dc:e9:41:fe:15:f5:cc:fc:85:64:
+         de:8f:89:c3:de:de:56:bb:a8:7f:4f:8c:98:27:e5:de:d0:4c:
+         13:f5:56:d9:7b:18:d4:09:21:99:6e:cd:27:c2:0f:e2:45:58:
+         a9:b1:b9:89:92:58:dd:94:a6:be:c5:3f:99:86:ca:15:74:00:
+         63:85:3f:ce:2a:d6:6d:04:03:91:c8:1f:de:dd:cc:0b:49:c3:
+         ea:76:e3:2f:87:4d:2e:75:86:ea:19:49:0f:a2:78:e5:7d:bb:
+         ef:bf:1c:b2
 -----BEGIN CERTIFICATE-----
-MIIDPTCCAqagAwIBAgIBBDANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIEQjCCAyqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoM190YTExFjAUBgkqhkiG9w0BCQEWB2NoM190
-YTEwHhcNMTMxMjEzMDAxMzM0WhcNMTYwOTA4MDAxMzM0WjBxMQswCQYDVQQGEwJV
+YTEwHhcNMTYwMTIyMDE1NzU0WhcNMTgxMDE4MDE1NzU0WjBxMQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxEDAOBgNVBAMMB2NoNF90YTExFjAUBgkqhkiG9w0BCQEWB2No
-NF90YTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK/Dizk+IVaK1pcbx6rH
-UZ7pzxUfJOaRkoGzfTDr6hIwEwPQuWBBi+uI9B/lQ8+1rkd6TUZu+BZCZ9sg5A0f
-lk8hWZX2cDMyRYEYXqVb/Urm15fPRWXndHlfpZ/hx6XQXSSnMhhoE1dMz3gSb59c
-5k2+iSRLKdgCsvn5E8+SQw/lAgMBAAGjgeQwgeEwHQYDVR0OBBYEFFSKFBALr4nc
-HmWKFzdqrNIrbCdcMIGbBgNVHSMEgZMwgZCAFI8qgkweOZfDSmpS/NTL5jfOEpFZ
-oXWkczBxMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UE
-BwwLU2FudGEgQ2xhcmExDTALBgNVBAoMBHBrZzUxEDAOBgNVBAMMB2NoMl90YTEx
-FjAUBgkqhkiG9w0BCQEWB2NoMl90YTGCAQMwEgYDVR0TAQH/BAgwBgEB/wIBATAO
-BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAaheWFqY/lreO++XXFPmo
-jlIWBA1YS/fGcMQ/0ysTJHtHLc+JWb9cbBcxRsQX5UH+Xj/sRC6SlOs7yf/RXsCt
-01ErEhGHshcvQFqsdvAP7c3Kvray77/UeQTg7YgzlrCkJ0GnMQvE2WqtfYK7YxUq
-AI5gr+6mitNlarj5fg7Nv9U=
+NF90YTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDwvp98+46ak4Aw
+uEOmcBOpC/sM9wJtTnXbShmcSinD6Fi6ezlmTtAE1uRMcwubweLF+udNGcbj7K4T
+I1SrEkLQ/O8QXIssxwC4Na3Y9q/MnW8ZHCD5FPMeac6FwD0tJW15ARyJ+yv2Ksfq
+iT+4asUgYHnNxT0v1FdUYwRp/PoMpiPu5G7j4mCskQGiZKT1RIp8kPO3aTEUDlP1
+gQgLUA0cQ/aSWaX6OphyOMdf4U6oVGSp1JMO6SeISrmYuqrIMQ3c+3ANBmMb0O5h
+L5vPGNV0vFNjuQ0NufK8bbLDPQtMhAkonoCUdFi3r5ebVe2lx8V5+d+gbcpAwKXc
+CcTN7TkbAgMBAAGjgeQwgeEwHQYDVR0OBBYEFESBSaNbfIXyp1YZ/2SYq2GJPuG3
+MIGbBgNVHSMEgZMwgZCAFO6gwFS1hIkogHlJztCpxou5joUgoXWkczBxMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xh
+cmExDTALBgNVBAoMBHBrZzUxEDAOBgNVBAMMB2NoMl90YTExFjAUBgkqhkiG9w0B
+CQEWB2NoMl90YTGCAQMwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMC
+AQYwDQYJKoZIhvcNAQELBQADggEBADZmggQ1JszOBwDnGdtOBSKvmJ+PiIQbdVc7
+9w8q2q7+NuQ1qf9Xej9K7HG6xkq1asfjRidSW9Ddo8Q6eIusIVwqaHHs2MsP8zUH
+glM8ARtpNMsqhTva8bcR/uwSOqLIsYD9vUCx8rLtG7ODh2ASIbnhOv9KPNButQdM
+qNvo9IFQFDxLCTr+hYgactY8KuJnxFHLIX4ieDA03OlB/hX1zPyFZN6PicPe3la7
+qH9PjJgn5d7QTBP1Vtl7GNQJIZluzSfCD+JFWKmxuYmSWN2Upr7FP5mGyhV0AGOF
+P84q1m0EA5HIH97dzAtJw+p24y+HTS51huoZSQ+ieOV9u++/HLI=
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/05.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/05.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,28 +5,37 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch4_ta1/emailAddress=ch4_ta1
         Validity
-            Not Before: Dec 13 00:13:34 2013 GMT
-            Not After : Sep  8 00:13:34 2016 GMT
+            Not Before: Jan 22 01:57:54 2016 GMT
+            Not After : Oct 18 01:57:54 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch5_ta1/emailAddress=ch5_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:df:c0:ed:cc:df:82:ab:d3:9b:54:8d:56:f7:0d:
-                    e4:d8:b4:ba:03:ef:a3:82:f6:b6:e6:4d:0f:b4:e5:
-                    61:98:88:bd:32:b3:47:21:4b:2c:e8:c3:9a:22:9c:
-                    35:63:a8:4f:2a:c1:47:1a:3a:b2:46:d6:61:4e:87:
-                    2a:13:3a:d8:35:3e:3c:ae:67:43:b8:3d:a9:95:df:
-                    7b:ba:e9:71:ec:31:99:b3:fa:00:96:8c:80:4b:1d:
-                    d9:77:e5:d2:14:9d:95:a2:ce:32:21:d5:2e:67:ae:
-                    b1:08:04:fb:9d:fb:70:16:74:5f:1a:d1:36:77:e8:
-                    4b:68:c3:d8:d4:fb:18:20:31
+                    00:a8:92:25:84:36:2c:16:5b:7e:99:d4:a8:ac:bf:
+                    2b:63:99:2c:65:69:ec:f3:13:3f:fb:b3:c9:33:0c:
+                    43:1a:e9:04:a3:8c:27:5e:e5:f8:47:a5:4d:5f:39:
+                    2f:9b:b9:5f:3e:2e:9c:18:8b:16:d4:4c:0c:f7:02:
+                    35:37:a1:81:c6:d1:0d:43:eb:7d:1c:e4:d4:81:73:
+                    58:fc:b2:94:a2:4e:04:a5:bb:b2:f4:64:d0:c6:54:
+                    91:71:33:45:8e:22:a4:f2:35:1e:b3:69:e4:fc:5e:
+                    a9:5b:7a:8c:7c:6a:e2:7b:2d:d0:ad:d8:d1:76:47:
+                    c6:99:a6:2e:8d:1b:56:f8:8c:f7:04:2f:99:c5:3d:
+                    81:67:cc:73:ec:c1:d6:97:41:73:04:1c:8b:45:eb:
+                    60:f9:60:d6:11:f6:c6:5c:19:5d:d2:18:a8:2e:53:
+                    78:33:46:3b:5c:43:b0:54:7d:e4:57:5a:36:08:84:
+                    50:a5:c0:1e:1d:21:11:6d:63:c4:df:fc:ee:0f:a8:
+                    8f:ca:7c:2a:5c:0a:2d:ad:17:64:c8:5d:e2:9b:e1:
+                    d4:57:a3:8e:0f:1d:4f:60:1e:79:bf:9f:39:94:6a:
+                    73:e6:19:0d:ef:74:c2:a3:fc:85:a2:03:a4:99:13:
+                    9e:85:5e:f3:8c:31:f1:7d:91:50:98:6f:18:ec:fc:
+                    98:2f
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                B7:43:D6:5A:46:C2:2F:15:50:05:D5:FB:5E:BE:EC:F8:33:9E:EC:EC
+                64:B3:47:B8:70:CE:F3:CD:0F:95:A6:B0:0F:5F:D5:66:E1:1B:30:E7
             X509v3 Authority Key Identifier: 
-                keyid:54:8A:14:10:0B:AF:89:DC:1E:65:8A:17:37:6A:AC:D2:2B:6C:27:5C
+                keyid:44:81:49:A3:5B:7C:85:F2:A7:56:19:FF:64:98:AB:61:89:3E:E1:B7
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ch3_ta1/emailAddress=ch3_ta1
                 serial:04
 
@@ -35,31 +44,43 @@
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         96:fb:63:43:cf:70:0a:14:7b:47:4e:37:4b:2f:7c:7f:8c:75:
-         85:bb:e3:44:af:9c:2c:08:c5:9c:4d:c7:59:f1:70:3a:67:82:
-         1c:4c:3c:f7:8b:e7:00:f0:05:db:af:29:79:53:6f:09:a2:ac:
-         ae:4d:e2:df:4a:7d:4e:56:79:8c:85:97:47:14:4e:2f:7e:bd:
-         07:2c:70:01:85:43:3c:18:32:ed:24:36:24:1c:29:e0:0b:ce:
-         86:4d:a7:a9:88:b8:de:f1:0e:a3:13:c1:5c:d7:1b:76:81:c2:
-         3f:63:c3:76:1d:60:f7:e5:43:1f:25:3b:ae:d2:a5:1f:02:fa:
-         8c:a3
+         b6:f5:d5:78:23:16:4f:ca:8f:3a:a7:fd:a8:91:2a:c5:3e:e2:
+         bf:32:ca:b3:38:6b:2f:64:9c:1d:99:d8:d2:b5:a8:2c:a4:db:
+         8e:9d:31:5c:40:b9:05:32:a0:1c:b6:21:72:46:69:d1:eb:49:
+         50:20:f9:e8:95:6f:e7:91:34:f9:e1:bb:3f:e7:b6:a4:f9:d3:
+         12:36:3a:40:c6:76:35:a5:c9:b7:71:70:50:55:19:b4:ff:51:
+         ef:40:3e:41:4f:f3:1a:70:f5:fd:3b:0a:4d:d9:43:a6:57:e4:
+         42:9c:77:3d:26:7a:c2:e2:54:7f:76:6f:fd:af:52:31:29:07:
+         ac:ae:78:4c:76:d9:f9:80:b5:4c:79:60:a0:e9:59:5f:bf:fe:
+         cd:6a:fe:ee:92:ca:79:0e:5c:e6:1d:8f:59:a9:62:51:a1:2e:
+         d9:b2:37:fa:e1:ef:7c:88:b5:29:d2:5f:13:74:76:ef:ed:fe:
+         7f:e9:81:5d:9c:62:91:8f:21:ef:45:95:7c:12:a6:d5:46:45:
+         8e:9e:d1:a8:9a:aa:a8:5e:fd:65:55:d2:f9:08:d0:3c:66:f9:
+         69:ee:c1:0f:a9:15:06:a9:8e:ac:e0:08:06:13:0c:7e:9c:81:
+         94:60:1b:ad:3a:7d:3e:ed:b4:79:d2:51:0c:80:8c:42:69:fe:
+         f3:99:56:1c
 -----BEGIN CERTIFICATE-----
-MIIDPTCCAqagAwIBAgIBBTANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIEQjCCAyqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoNF90YTExFjAUBgkqhkiG9w0BCQEWB2NoNF90
-YTEwHhcNMTMxMjEzMDAxMzM0WhcNMTYwOTA4MDAxMzM0WjBxMQswCQYDVQQGEwJV
+YTEwHhcNMTYwMTIyMDE1NzU0WhcNMTgxMDE4MDE1NzU0WjBxMQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxEDAOBgNVBAMMB2NoNV90YTExFjAUBgkqhkiG9w0BCQEWB2No
-NV90YTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN/A7czfgqvTm1SNVvcN
-5Ni0ugPvo4L2tuZND7TlYZiIvTKzRyFLLOjDmiKcNWOoTyrBRxo6skbWYU6HKhM6
-2DU+PK5nQ7g9qZXfe7rpcewxmbP6AJaMgEsd2Xfl0hSdlaLOMiHVLmeusQgE+537
-cBZ0XxrRNnfoS2jD2NT7GCAxAgMBAAGjgeQwgeEwHQYDVR0OBBYEFLdD1lpGwi8V
-UAXV+16+7PgznuzsMIGbBgNVHSMEgZMwgZCAFFSKFBALr4ncHmWKFzdqrNIrbCdc
-oXWkczBxMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UE
-BwwLU2FudGEgQ2xhcmExDTALBgNVBAoMBHBrZzUxEDAOBgNVBAMMB2NoM190YTEx
-FjAUBgkqhkiG9w0BCQEWB2NoM190YTGCAQQwEgYDVR0TAQH/BAgwBgEB/wIBADAO
-BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAlvtjQ89wChR7R043Sy98
-f4x1hbvjRK+cLAjFnE3HWfFwOmeCHEw894vnAPAF268peVNvCaKsrk3i30p9TlZ5
-jIWXRxROL369ByxwAYVDPBgy7SQ2JBwp4AvOhk2nqYi43vEOoxPBXNcbdoHCP2PD
-dh1g9+VDHyU7rtKlHwL6jKM=
+NV90YTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCokiWENiwWW36Z
+1KisvytjmSxlaezzEz/7s8kzDEMa6QSjjCde5fhHpU1fOS+buV8+LpwYixbUTAz3
+AjU3oYHG0Q1D630c5NSBc1j8spSiTgSlu7L0ZNDGVJFxM0WOIqTyNR6zaeT8Xqlb
+eox8auJ7LdCt2NF2R8aZpi6NG1b4jPcEL5nFPYFnzHPswdaXQXMEHItF62D5YNYR
+9sZcGV3SGKguU3gzRjtcQ7BUfeRXWjYIhFClwB4dIRFtY8Tf/O4PqI/KfCpcCi2t
+F2TIXeKb4dRXo44PHU9gHnm/nzmUanPmGQ3vdMKj/IWiA6SZE56FXvOMMfF9kVCY
+bxjs/JgvAgMBAAGjgeQwgeEwHQYDVR0OBBYEFGSzR7hwzvPND5WmsA9f1WbhGzDn
+MIGbBgNVHSMEgZMwgZCAFESBSaNbfIXyp1YZ/2SYq2GJPuG3oXWkczBxMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xh
+cmExDTALBgNVBAoMBHBrZzUxEDAOBgNVBAMMB2NoM190YTExFjAUBgkqhkiG9w0B
+CQEWB2NoM190YTGCAQQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMC
+AQYwDQYJKoZIhvcNAQELBQADggEBALb11XgjFk/Kjzqn/aiRKsU+4r8yyrM4ay9k
+nB2Z2NK1qCyk246dMVxAuQUyoBy2IXJGadHrSVAg+eiVb+eRNPnhuz/ntqT50xI2
+OkDGdjWlybdxcFBVGbT/Ue9APkFP8xpw9f07Ck3ZQ6ZX5EKcdz0mesLiVH92b/2v
+UjEpB6yueEx22fmAtUx5YKDpWV+//s1q/u6SynkOXOYdj1mpYlGhLtmyN/rh73yI
+tSnSXxN0du/t/n/pgV2cYpGPIe9FlXwSptVGRY6e0aiaqqhe/WVV0vkI0Dxm+Wnu
+wQ+pFQapjqzgCAYTDH6cgZRgG606fT7ttHnSUQyAjEJp/vOZVhw=
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/08.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/08.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,22 +5,31 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch4_ta1/emailAddress=ch4_ta1
         Validity
-            Not Before: Dec 13 00:13:34 2013 GMT
-            Not After : Sep  8 00:13:34 2016 GMT
+            Not Before: Jan 22 01:57:54 2016 GMT
+            Not After : Oct 18 01:57:54 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch5.1_ta1/emailAddress=ch5.1_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:9d:91:87:82:56:78:7f:64:32:62:7e:ee:6c:38:
-                    f2:a2:f6:34:ba:a9:ec:bb:6e:0f:87:ab:46:a4:37:
-                    ce:80:f1:b5:8b:9b:0a:4b:2a:b6:46:9b:f1:47:c0:
-                    6b:85:7f:64:08:61:ac:53:d4:3b:ce:54:2a:6d:a4:
-                    65:cd:a7:dc:a5:3a:33:bf:86:2b:f6:d0:fb:24:80:
-                    56:8f:4f:d4:f9:96:71:f3:86:74:4b:47:38:da:18:
-                    79:ae:d9:5b:9d:09:9e:f7:cb:b4:a7:85:33:85:20:
-                    d3:2a:fc:72:c1:37:62:01:d6:b1:cb:4a:a0:09:c2:
-                    72:ea:fd:b8:5d:03:68:33:7d
+                    00:f8:99:82:00:c1:73:68:ee:ab:3e:93:5c:b8:fa:
+                    1c:2d:94:58:4a:a7:ab:b7:0b:d5:6e:02:b5:2f:b0:
+                    e1:6c:c7:6f:aa:63:2d:1a:30:a3:2f:88:6d:21:be:
+                    e1:36:23:e4:22:19:99:3a:1d:2a:9e:ec:a6:2c:a2:
+                    5c:a1:26:96:70:22:80:04:0a:6b:c6:3f:b2:8c:ce:
+                    6a:32:e0:ae:4f:43:73:9a:db:0e:9e:b7:e5:92:a0:
+                    06:ac:48:a0:c8:fe:16:27:96:14:27:64:38:8a:78:
+                    a3:20:60:d4:9b:ed:47:14:b9:08:6b:7a:4f:ba:dc:
+                    db:c9:1c:c9:92:df:0a:37:01:7e:8e:1f:30:b0:fb:
+                    35:32:41:2d:65:c9:3f:65:b1:20:e7:e4:8a:1d:e1:
+                    10:b5:e8:57:14:59:bd:b8:2d:2b:d6:e8:7f:3c:c3:
+                    e2:7c:c6:f7:d3:08:d6:75:06:c7:56:32:fe:80:8e:
+                    f6:fd:c5:25:ac:49:c7:ad:1b:eb:de:aa:67:50:92:
+                    a3:2c:e5:09:81:07:44:b5:cf:9b:16:10:29:f8:98:
+                    05:3e:49:fc:e6:58:1f:93:b1:dd:82:67:e5:6b:dd:
+                    50:2f:0f:a1:ec:5a:34:83:b9:33:9d:65:37:c3:a7:
+                    03:e1:2a:56:48:3d:0f:d5:06:88:60:e6:3e:cb:ef:
+                    98:27
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
@@ -29,27 +38,39 @@
                 <EMPTY>
 
     Signature Algorithm: sha256WithRSAEncryption
-         11:3c:6b:22:14:f6:1a:18:8b:59:a4:8d:38:d6:6f:48:8a:01:
-         e2:d3:9d:6a:26:40:61:d3:9b:ce:8a:ab:b9:25:c4:89:c4:f9:
-         98:1e:6c:f5:1c:d7:f7:6a:c9:7b:48:ba:d7:e0:03:59:41:4d:
-         29:28:7d:2d:61:c5:7f:7f:8c:2f:30:2b:c6:6e:16:31:7d:45:
-         d2:2a:83:ea:fc:25:92:1f:cb:85:28:0a:f4:2c:a0:c4:c2:fc:
-         52:43:53:d1:46:e7:fd:3c:0a:9b:11:45:0f:09:2e:c6:93:26:
-         72:c9:20:28:7a:db:18:55:1b:15:70:1f:bc:0e:ab:18:c1:f8:
-         64:03
+         ed:1f:86:cd:a6:67:a8:48:fa:9a:c4:ad:a8:de:08:14:96:f5:
+         16:44:e3:a1:b2:d5:06:6b:bb:0e:9d:f3:59:84:84:f1:a5:0d:
+         f3:38:50:af:43:fe:91:c5:08:54:1d:2d:59:fd:1d:1b:bd:18:
+         71:97:b3:d7:ba:21:f8:90:05:4d:9e:79:13:7a:12:40:0b:3d:
+         97:00:ac:b1:fd:70:9b:e3:80:89:e6:8d:0f:07:56:15:e4:ed:
+         99:9a:8b:85:27:a1:9c:c4:f9:19:8e:f1:d3:c3:76:0a:5d:51:
+         a5:f9:2c:81:ef:76:c1:75:b9:50:96:2a:f0:65:9d:7e:aa:2f:
+         16:30:8c:e6:82:83:67:cf:2d:53:89:f8:82:f1:c6:0d:a9:77:
+         fe:3a:50:6b:34:1a:b4:f8:16:94:8b:59:4d:e1:d8:da:a9:5c:
+         06:84:6b:23:0d:d0:d5:41:5d:02:ec:5a:c2:5a:a8:41:3e:fb:
+         cf:42:76:c9:96:ed:c9:c6:16:50:5a:dc:ef:be:4c:a8:5b:f5:
+         9f:fe:31:9c:c7:55:38:ac:a1:72:3b:4b:55:92:16:40:10:86:
+         fe:40:99:ba:ee:b1:65:48:6f:34:75:bc:f0:af:c0:b6:be:81:
+         8f:0f:41:7d:ba:b7:26:e7:9f:75:55:8b:94:95:b0:ef:23:fb:
+         9b:5a:14:6b
 -----BEGIN CERTIFICATE-----
-MIICfTCCAeagAwIBAgIBCDANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIDgjCCAmqgAwIBAgIBCDANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoNF90YTExFjAUBgkqhkiG9w0BCQEWB2NoNF90
-YTEwHhcNMTMxMjEzMDAxMzM0WhcNMTYwOTA4MDAxMzM0WjB1MQswCQYDVQQGEwJV
+YTEwHhcNMTYwMTIyMDE1NzU0WhcNMTgxMDE4MDE1NzU0WjB1MQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxEjAQBgNVBAMMCWNoNS4xX3RhMTEYMBYGCSqGSIb3DQEJARYJ
-Y2g1LjFfdGExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdkYeCVnh/ZDJi
-fu5sOPKi9jS6qey7bg+Hq0akN86A8bWLmwpLKrZGm/FHwGuFf2QIYaxT1DvOVCpt
-pGXNp9ylOjO/hiv20PskgFaPT9T5lnHzhnRLRzjaGHmu2VudCZ73y7SnhTOFINMq
-/HLBN2IB1rHLSqAJwnLq/bhdA2gzfQIDAQABoyEwHzAPBgNVHRMBAf8EBTADAQH/
-MAwGA1UdEgEB/wQCMAAwDQYJKoZIhvcNAQELBQADgYEAETxrIhT2GhiLWaSNONZv
-SIoB4tOdaiZAYdObzoqruSXEicT5mB5s9RzX92rJe0i61+ADWUFNKSh9LWHFf3+M
-LzArxm4WMX1F0iqD6vwlkh/LhSgK9CygxML8UkNT0Ubn/TwKmxFFDwkuxpMmcskg
-KHrbGFUbFXAfvA6rGMH4ZAM=
+Y2g1LjFfdGExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+JmCAMFz
+aO6rPpNcuPocLZRYSqertwvVbgK1L7DhbMdvqmMtGjCjL4htIb7hNiPkIhmZOh0q
+nuymLKJcoSaWcCKABAprxj+yjM5qMuCuT0NzmtsOnrflkqAGrEigyP4WJ5YUJ2Q4
+inijIGDUm+1HFLkIa3pPutzbyRzJkt8KNwF+jh8wsPs1MkEtZck/ZbEg5+SKHeEQ
+tehXFFm9uC0r1uh/PMPifMb30wjWdQbHVjL+gI72/cUlrEnHrRvr3qpnUJKjLOUJ
+gQdEtc+bFhAp+JgFPkn85lgfk7Hdgmfla91QLw+h7Fo0g7kznWU3w6cD4SpWSD0P
+1QaIYOY+y++YJwIDAQABoyEwHzAPBgNVHRMBAf8EBTADAQH/MAwGA1UdEgEB/wQC
+MAAwDQYJKoZIhvcNAQELBQADggEBAO0fhs2mZ6hI+prErajeCBSW9RZE46Gy1QZr
+uw6d81mEhPGlDfM4UK9D/pHFCFQdLVn9HRu9GHGXs9e6IfiQBU2eeRN6EkALPZcA
+rLH9cJvjgInmjQ8HVhXk7Zmai4UnoZzE+RmO8dPDdgpdUaX5LIHvdsF1uVCWKvBl
+nX6qLxYwjOaCg2fPLVOJ+ILxxg2pd/46UGs0GrT4FpSLWU3h2NqpXAaEayMN0NVB
+XQLsWsJaqEE++89CdsmW7cnGFlBa3O++TKhb9Z/+MZzHVTisoXI7S1WSFkAQhv5A
+mbrusWVIbzR1vPCvwLa+gY8PQX26tybnn3VVi5SVsO8j+5taFGs=
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/0A.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/0A.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,28 +5,37 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch4_ta1/emailAddress=ch4_ta1
         Validity
-            Not Before: Dec 13 00:13:34 2013 GMT
-            Not After : Sep  8 00:13:34 2016 GMT
+            Not Before: Jan 22 01:57:55 2016 GMT
+            Not After : Oct 18 01:57:55 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch5.2_ta1/emailAddress=ch5.2_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:a0:b5:e8:50:6e:0b:2e:be:8a:39:95:a1:f3:8f:
-                    03:1c:da:d3:74:5c:9d:ed:34:54:5e:3f:ac:e2:91:
-                    40:50:5e:d7:e3:bc:b1:8e:a6:62:d1:0b:33:e2:59:
-                    d7:67:f1:b7:af:f9:61:37:b1:24:aa:6f:67:e0:4f:
-                    ef:5d:a2:72:42:70:41:1e:32:e5:1a:94:4f:de:60:
-                    6c:e7:e1:96:99:82:d0:35:f2:40:03:de:92:10:f3:
-                    4f:91:e8:78:24:a1:ef:92:da:7b:49:4b:57:03:80:
-                    57:d8:fc:41:60:8a:f0:e6:55:fe:67:55:5e:68:bf:
-                    fe:fd:23:2b:ab:94:cb:12:c3
+                    00:9e:9d:c2:a0:df:34:68:63:c6:f3:28:8b:68:8d:
+                    0e:9c:04:a3:31:bf:95:37:9b:00:49:81:7f:35:8d:
+                    a3:7d:4a:6c:0f:35:14:1d:2a:f9:99:eb:8b:84:6e:
+                    65:5d:b9:d9:66:c6:11:57:bf:83:49:04:f1:35:d3:
+                    75:22:30:bc:22:b1:a7:91:af:25:b9:f3:5e:6f:7b:
+                    74:c2:25:f4:a7:1a:a6:c2:88:3c:db:31:fd:42:79:
+                    53:87:10:d4:ad:bf:a7:23:55:4d:b6:9f:9c:e5:31:
+                    0f:72:d6:fc:0e:b8:2c:46:7a:4f:cf:de:61:3e:39:
+                    0e:fc:0e:fd:a4:08:05:e8:aa:c8:7c:a5:33:a9:c9:
+                    9e:ae:35:51:10:85:06:cc:c1:ae:41:d3:0f:c9:2f:
+                    8f:01:0a:6d:a2:06:bb:7c:40:96:ff:a4:cb:3f:5e:
+                    11:2f:aa:2b:59:f9:8d:d0:ff:b4:0f:3f:a5:58:f5:
+                    cf:a9:20:aa:e6:fe:f4:6b:5d:09:24:9f:26:00:18:
+                    a5:f2:9c:e8:79:de:4d:f9:fb:d1:e5:89:6b:d8:de:
+                    27:de:f8:0b:28:6f:b3:d1:2e:01:9e:e1:ba:00:0f:
+                    21:b2:43:b1:96:b0:46:d9:a3:14:08:a1:6d:1c:e7:
+                    a0:9e:84:74:45:91:a8:d9:24:14:f7:a9:3f:8f:95:
+                    cb:35
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                A4:07:01:64:2E:FC:65:F5:BC:44:82:AB:87:E5:17:5F:91:F5:8A:DD
+                29:4E:31:FF:45:35:28:B4:BE:69:AE:55:E5:CE:F3:89:B2:BF:DA:2F
             X509v3 Authority Key Identifier: 
-                keyid:54:8A:14:10:0B:AF:89:DC:1E:65:8A:17:37:6A:AC:D2:2B:6C:27:5C
+                keyid:44:81:49:A3:5B:7C:85:F2:A7:56:19:FF:64:98:AB:61:89:3E:E1:B7
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ch3_ta1/emailAddress=ch3_ta1
                 serial:04
 
@@ -35,31 +44,43 @@
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         04:21:55:e4:d4:f9:07:b1:55:dd:d3:6c:5e:17:f5:84:36:49:
-         08:3f:96:1b:79:f6:1f:c8:aa:0a:e2:64:bd:90:e1:00:89:23:
-         94:1c:d9:c8:7d:a6:5e:48:4f:e4:6a:9d:c1:2a:b9:6c:6b:ed:
-         24:14:54:9f:87:bf:a1:d3:fd:73:39:eb:c4:88:85:7e:f5:35:
-         91:3d:85:ad:9e:c5:1f:fc:f6:06:71:ce:3f:dc:12:e8:6c:a6:
-         61:07:b8:d0:78:03:de:e6:be:e9:67:59:2f:70:24:c3:54:4e:
-         b3:5c:6e:54:8e:04:c3:b6:f1:83:1b:8d:7f:e8:b7:5b:3d:b2:
-         26:fe
+         1b:01:5a:d2:0c:c2:a9:cf:84:c1:9e:42:98:bb:fc:3f:b7:b3:
+         33:c9:c1:4b:1b:5c:02:86:4b:d9:37:0e:1b:26:10:68:84:68:
+         ed:54:94:69:5d:b8:01:5d:f7:1f:d8:57:ec:e1:f3:b4:7e:81:
+         ae:71:f0:79:8a:52:60:81:55:77:c8:a7:20:1a:48:bb:cb:b4:
+         cb:26:a9:0b:1a:45:62:0c:b5:d2:0d:ec:75:8c:50:3d:2d:25:
+         6c:96:a6:6e:b0:f3:8b:27:7c:ed:ac:44:6e:5b:ef:01:49:6d:
+         b4:7a:30:26:cf:73:2a:79:91:60:1a:5e:a1:ba:50:e3:cc:93:
+         68:53:6f:8e:fe:d0:48:4a:41:db:6a:15:cc:59:dc:a5:a7:79:
+         fc:e5:f9:d1:0e:2b:f4:45:6b:2b:56:e7:69:2a:b2:a1:e2:16:
+         79:74:45:7c:ab:3a:49:40:52:1b:5b:ef:29:f9:1f:48:16:31:
+         61:aa:17:a2:6f:36:a4:49:d8:d6:c5:ff:4a:33:2e:be:cd:3e:
+         9a:38:c6:12:42:9c:1f:08:53:7a:c2:61:88:43:86:17:95:8c:
+         f2:4f:dd:b4:b3:66:fa:ef:ac:51:a4:70:f6:4c:a4:6d:70:6f:
+         dc:5a:a5:c7:da:94:4f:d6:71:2a:5b:fe:0f:f2:25:72:3d:e4:
+         62:c5:3d:87
 -----BEGIN CERTIFICATE-----
-MIIDQTCCAqqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIERjCCAy6gAwIBAgIBCjANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoNF90YTExFjAUBgkqhkiG9w0BCQEWB2NoNF90
-YTEwHhcNMTMxMjEzMDAxMzM0WhcNMTYwOTA4MDAxMzM0WjB1MQswCQYDVQQGEwJV
+YTEwHhcNMTYwMTIyMDE1NzU1WhcNMTgxMDE4MDE1NzU1WjB1MQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxEjAQBgNVBAMMCWNoNS4yX3RhMTEYMBYGCSqGSIb3DQEJARYJ
-Y2g1LjJfdGExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgtehQbgsuvoo5
-laHzjwMc2tN0XJ3tNFReP6zikUBQXtfjvLGOpmLRCzPiWddn8bev+WE3sSSqb2fg
-T+9donJCcEEeMuUalE/eYGzn4ZaZgtA18kAD3pIQ80+R6Hgkoe+S2ntJS1cDgFfY
-/EFgivDmVf5nVV5ov/79IyurlMsSwwIDAQABo4HkMIHhMB0GA1UdDgQWBBSkBwFk
-Lvxl9bxEgquH5RdfkfWK3TCBmwYDVR0jBIGTMIGQgBRUihQQC6+J3B5lihc3aqzS
-K2wnXKF1pHMwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDAS
-BgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARwa2c1MRAwDgYDVQQDDAdjaDNf
-dGExMRYwFAYJKoZIhvcNAQkBFgdjaDNfdGExggEEMBIGA1UdEwEB/wQIMAYBAf8C
-AQEwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBAAQhVeTU+QexVd3T
-bF4X9YQ2SQg/lht59h/IqgriZL2Q4QCJI5Qc2ch9pl5IT+RqncEquWxr7SQUVJ+H
-v6HT/XM568SIhX71NZE9ha2exR/89gZxzj/cEuhspmEHuNB4A97mvulnWS9wJMNU
-TrNcblSOBMO28YMbjX/ot1s9sib+
+Y2g1LjJfdGExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnp3CoN80
+aGPG8yiLaI0OnASjMb+VN5sASYF/NY2jfUpsDzUUHSr5meuLhG5lXbnZZsYRV7+D
+SQTxNdN1IjC8IrGnka8lufNeb3t0wiX0pxqmwog82zH9QnlThxDUrb+nI1VNtp+c
+5TEPctb8DrgsRnpPz95hPjkO/A79pAgF6KrIfKUzqcmerjVREIUGzMGuQdMPyS+P
+AQptoga7fECW/6TLP14RL6orWfmN0P+0Dz+lWPXPqSCq5v70a10JJJ8mABil8pzo
+ed5N+fvR5Ylr2N4n3vgLKG+z0S4BnuG6AA8hskOxlrBG2aMUCKFtHOegnoR0RZGo
+2SQU96k/j5XLNQIDAQABo4HkMIHhMB0GA1UdDgQWBBQpTjH/RTUotL5prlXlzvOJ
+sr/aLzCBmwYDVR0jBIGTMIGQgBREgUmjW3yF8qdWGf9kmKthiT7ht6F1pHMwcTEL
+MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRh
+IENsYXJhMQ0wCwYDVQQKDARwa2c1MRAwDgYDVQQDDAdjaDNfdGExMRYwFAYJKoZI
+hvcNAQkBFgdjaDNfdGExggEEMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/
+BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAbAVrSDMKpz4TBnkKYu/w/t7MzycFL
+G1wChkvZNw4bJhBohGjtVJRpXbgBXfcf2Ffs4fO0foGucfB5ilJggVV3yKcgGki7
+y7TLJqkLGkViDLXSDex1jFA9LSVslqZusPOLJ3ztrERuW+8BSW20ejAmz3MqeZFg
+Gl6hulDjzJNoU2+O/tBISkHbahXMWdylp3n85fnRDiv0RWsrVudpKrKh4hZ5dEV8
+qzpJQFIbW+8p+R9IFjFhqheibzakSdjWxf9KMy6+zT6aOMYSQpwfCFN6wmGIQ4YX
+lYzyT920s2b676xRpHD2TKRtcG/cWqXH2pRP1nEqW/4P8iVyPeRixT2H
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/0C.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/0C.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,28 +5,37 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch3_ta1/emailAddress=ch3_ta1
         Validity
-            Not Before: Dec 13 00:13:35 2013 GMT
-            Not After : Sep  8 00:13:35 2016 GMT
+            Not Before: Jan 22 01:57:55 2016 GMT
+            Not After : Oct 18 01:57:55 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch4.3_ta1/emailAddress=ch4.3_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:dd:ec:30:ee:2a:39:ec:cf:6d:c0:b9:04:f2:e0:
-                    0f:04:7a:e9:ab:f0:27:28:d9:6b:70:e5:c4:9b:c6:
-                    1b:bb:71:16:42:d5:47:80:60:2c:f6:26:90:9d:0b:
-                    cc:1b:18:bf:54:98:c7:e8:ba:bf:a2:5d:60:c9:b3:
-                    09:79:de:ee:02:d9:b9:70:22:c3:cd:60:04:5f:1e:
-                    df:a3:8f:43:73:ea:68:5e:df:70:86:aa:67:75:5a:
-                    59:ef:cd:0d:e4:f1:6d:ee:d3:bb:04:c7:52:e5:72:
-                    53:2a:e2:f3:02:65:7f:53:46:c3:15:e4:cb:8d:1b:
-                    cf:8f:1e:8d:6d:04:07:09:77
+                    00:b1:69:ee:17:3e:0a:15:50:23:89:d7:d7:87:ee:
+                    b7:6d:ec:73:ba:42:9f:ea:ba:f5:89:74:b7:be:8d:
+                    4b:42:9b:7b:30:37:1a:62:fa:39:05:38:95:c2:72:
+                    3f:99:ed:73:6f:f0:e9:4a:20:7b:6c:e8:bf:b3:7a:
+                    78:95:50:3e:95:25:6d:fb:ac:90:7d:48:82:87:1f:
+                    9f:37:7b:58:51:19:3e:1f:a7:14:42:04:84:12:06:
+                    4e:29:c9:25:45:8c:fc:08:c9:c9:8a:16:0d:55:ec:
+                    45:b5:80:6e:aa:82:a3:4d:fd:d1:cf:80:d3:b6:e6:
+                    01:7a:17:3a:fa:51:90:de:05:02:44:ba:c5:c2:4d:
+                    ba:d1:25:1a:7c:2e:ad:d1:84:c2:ce:0e:78:c2:8f:
+                    d8:42:ce:52:b1:3e:7f:b1:e4:14:bc:95:7d:16:b9:
+                    4a:a8:1d:b5:bd:15:b8:7e:89:5d:11:f9:b6:3a:c0:
+                    f2:ec:01:6e:8a:79:a6:5c:ac:c1:bb:d8:1c:b3:c7:
+                    2a:ed:4a:1d:83:9f:94:da:ac:f8:c7:29:ce:23:5b:
+                    e5:17:62:ec:14:86:a2:a1:22:81:55:b7:22:ef:a2:
+                    a7:e0:77:be:a9:c8:b0:e5:fe:87:93:fe:47:68:dc:
+                    eb:bc:57:b0:b4:cb:5c:d8:97:0d:49:01:d6:71:fe:
+                    7a:d7
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                16:06:DB:79:36:82:5D:96:BA:FD:0F:C3:3D:E2:64:BA:E6:03:E6:3A
+                CA:50:20:B6:70:62:DE:6B:28:77:63:00:64:FE:D0:58:9E:50:16:24
             X509v3 Authority Key Identifier: 
-                keyid:8F:2A:82:4C:1E:39:97:C3:4A:6A:52:FC:D4:CB:E6:37:CE:12:91:59
+                keyid:EE:A0:C0:54:B5:84:89:28:80:79:49:CE:D0:A9:C6:8B:B9:8E:85:20
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ch2_ta1/emailAddress=ch2_ta1
                 serial:03
 
@@ -35,31 +44,43 @@
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         26:70:cc:69:5b:26:cf:cc:1d:19:b6:61:20:59:22:d7:fa:a3:
-         d9:fa:e2:e3:87:07:24:5a:41:5b:7e:21:4c:f5:32:d2:d8:fd:
-         a5:17:b5:c4:0f:9a:d2:a6:dd:45:9f:13:2a:30:8a:75:5b:69:
-         9b:dd:06:85:3e:19:06:7d:5d:0f:3f:15:64:76:41:e9:a8:30:
-         bd:d7:26:66:07:60:da:e2:ec:80:44:6d:a5:8b:fd:9a:3a:0b:
-         92:b9:6c:f8:72:cc:7e:24:78:a2:a3:f7:ef:47:7a:aa:8b:89:
-         45:33:ff:01:bd:a0:d0:18:ea:a1:46:98:b5:7f:00:e1:00:8e:
-         7e:68
+         25:89:18:a4:a1:6c:3e:e3:f0:0f:a9:9c:3e:4e:15:a6:42:34:
+         22:b6:27:35:b0:d1:88:96:c3:3e:05:4a:26:dc:3f:65:a1:09:
+         64:b1:60:d8:af:2f:5c:4b:fe:d1:48:d5:b7:84:83:30:f8:e6:
+         42:7f:d2:a0:e4:a7:77:5c:92:87:64:20:b7:48:df:0b:ef:de:
+         eb:84:83:4b:5c:60:0e:89:85:1e:5e:9a:65:bc:c5:ac:96:85:
+         83:17:85:dd:2f:0a:e8:f5:80:89:a6:4a:55:c6:1a:69:0f:1b:
+         3f:25:da:42:31:91:92:87:c7:07:40:9f:20:5a:ac:c5:c5:5d:
+         9c:fc:82:4b:2e:ea:8e:b3:fd:94:85:dd:0b:10:09:de:16:4d:
+         47:af:59:86:ca:e8:84:c0:75:ac:2a:9c:9e:c7:16:c9:64:75:
+         04:87:35:a9:89:b3:a8:92:01:c8:11:fd:79:27:69:16:52:bf:
+         23:ff:2f:91:31:e6:b0:e8:66:54:fe:99:c4:7c:bd:d2:53:bf:
+         22:14:e2:4e:15:f3:f1:c6:f7:2e:6d:07:95:09:69:66:01:d7:
+         89:ce:f9:92:3c:25:fb:84:9a:16:fd:c0:b8:bf:65:6d:b2:34:
+         a4:61:79:21:13:62:c6:72:97:aa:64:42:ab:8f:ce:83:84:2a:
+         1e:b0:4f:bc
 -----BEGIN CERTIFICATE-----
-MIIDQTCCAqqgAwIBAgIBDDANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIERjCCAy6gAwIBAgIBDDANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoM190YTExFjAUBgkqhkiG9w0BCQEWB2NoM190
-YTEwHhcNMTMxMjEzMDAxMzM1WhcNMTYwOTA4MDAxMzM1WjB1MQswCQYDVQQGEwJV
+YTEwHhcNMTYwMTIyMDE1NzU1WhcNMTgxMDE4MDE1NzU1WjB1MQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxEjAQBgNVBAMMCWNoNC4zX3RhMTEYMBYGCSqGSIb3DQEJARYJ
-Y2g0LjNfdGExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDd7DDuKjnsz23A
-uQTy4A8Eeumr8Cco2Wtw5cSbxhu7cRZC1UeAYCz2JpCdC8wbGL9UmMfour+iXWDJ
-swl53u4C2blwIsPNYARfHt+jj0Nz6mhe33CGqmd1WlnvzQ3k8W3u07sEx1LlclMq
-4vMCZX9TRsMV5MuNG8+PHo1tBAcJdwIDAQABo4HkMIHhMB0GA1UdDgQWBBQWBtt5
-NoJdlrr9D8M94mS65gPmOjCBmwYDVR0jBIGTMIGQgBSPKoJMHjmXw0pqUvzUy+Y3
-zhKRWaF1pHMwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDAS
-BgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARwa2c1MRAwDgYDVQQDDAdjaDJf
-dGExMRYwFAYJKoZIhvcNAQkBFgdjaDJfdGExggEDMBIGA1UdEwEB/wQIMAYBAf8C
-AQAwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBACZwzGlbJs/MHRm2
-YSBZItf6o9n64uOHByRaQVt+IUz1MtLY/aUXtcQPmtKm3UWfEyowinVbaZvdBoU+
-GQZ9XQ8/FWR2QemoML3XJmYHYNri7IBEbaWL/Zo6C5K5bPhyzH4keKKj9+9HeqqL
-iUUz/wG9oNAY6qFGmLV/AOEAjn5o
+Y2g0LjNfdGExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsWnuFz4K
+FVAjidfXh+63bexzukKf6rr1iXS3vo1LQpt7MDcaYvo5BTiVwnI/me1zb/DpSiB7
+bOi/s3p4lVA+lSVt+6yQfUiChx+fN3tYURk+H6cUQgSEEgZOKcklRYz8CMnJihYN
+VexFtYBuqoKjTf3Rz4DTtuYBehc6+lGQ3gUCRLrFwk260SUafC6t0YTCzg54wo/Y
+Qs5SsT5/seQUvJV9FrlKqB21vRW4foldEfm2OsDy7AFuinmmXKzBu9gcs8cq7Uod
+g5+U2qz4xynOI1vlF2LsFIaioSKBVbci76Kn4He+qciw5f6Hk/5HaNzrvFewtMtc
+2JcNSQHWcf561wIDAQABo4HkMIHhMB0GA1UdDgQWBBTKUCC2cGLeayh3YwBk/tBY
+nlAWJDCBmwYDVR0jBIGTMIGQgBTuoMBUtYSJKIB5Sc7QqcaLuY6FIKF1pHMwcTEL
+MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRh
+IENsYXJhMQ0wCwYDVQQKDARwa2c1MRAwDgYDVQQDDAdjaDJfdGExMRYwFAYJKoZI
+hvcNAQkBFgdjaDJfdGExggEDMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/
+BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAliRikoWw+4/APqZw+ThWmQjQitic1
+sNGIlsM+BUom3D9loQlksWDYry9cS/7RSNW3hIMw+OZCf9Kg5Kd3XJKHZCC3SN8L
+797rhINLXGAOiYUeXpplvMWsloWDF4XdLwro9YCJpkpVxhppDxs/JdpCMZGSh8cH
+QJ8gWqzFxV2c/IJLLuqOs/2Uhd0LEAneFk1Hr1mGyuiEwHWsKpyexxbJZHUEhzWp
+ibOokgHIEf15J2kWUr8j/y+RMeaw6GZU/pnEfL3SU78iFOJOFfPxxvcubQeVCWlm
+AdeJzvmSPCX7hJoW/cC4v2VtsjSkYXkhE2LGcpeqZEKrj86DhCoesE+8
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/0D.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/0D.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,28 +5,37 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch4.3_ta1/emailAddress=ch4.3_ta1
         Validity
-            Not Before: Dec 13 00:13:35 2013 GMT
-            Not After : Sep  8 00:13:35 2016 GMT
+            Not Before: Jan 22 01:57:55 2016 GMT
+            Not After : Oct 18 01:57:55 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch5.3_ta1/emailAddress=ch5.3_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:9a:0b:35:00:7e:06:fd:e2:50:97:7e:d2:c2:b8:
-                    20:2a:d9:bb:b8:3f:14:f9:aa:e3:98:dc:b9:49:62:
-                    32:9e:e7:51:16:ef:6b:69:59:7e:0f:c3:50:08:3d:
-                    dc:23:18:37:fa:70:cc:45:b8:47:1e:49:ef:18:15:
-                    47:8e:e6:c9:65:64:02:a8:f5:2a:d1:ef:3a:91:8f:
-                    5a:52:21:46:8f:61:87:55:c9:61:ea:e8:98:18:c5:
-                    99:1f:bd:43:02:13:a6:bf:c0:cd:d9:a5:ee:40:a3:
-                    05:bf:18:28:57:f6:4e:21:d0:89:a1:21:1c:39:ed:
-                    2d:ed:45:f0:da:75:37:da:7b
+                    00:c1:91:a3:1f:3a:14:29:24:3c:d6:fa:ad:16:b9:
+                    a4:c4:df:4a:04:c9:d6:01:16:03:54:de:36:4a:db:
+                    69:1c:b1:c0:f9:ee:64:3d:f3:63:5f:de:fd:4f:91:
+                    95:c4:86:99:07:d6:f3:3d:80:7e:5a:ef:16:84:05:
+                    d5:66:f7:ee:f8:e1:6b:d9:eb:78:1d:10:5e:85:28:
+                    6f:80:97:90:1f:cb:52:36:1d:c6:2a:30:f6:64:63:
+                    4f:3a:9f:b1:e3:36:98:92:62:df:d3:ec:6e:99:dd:
+                    37:16:e1:92:24:18:e2:53:e9:8c:38:84:50:c7:8d:
+                    3c:ae:21:b0:79:69:3b:f4:17:46:78:1b:d6:00:16:
+                    9a:46:61:e6:78:2d:75:2d:eb:d9:e0:93:c7:50:b1:
+                    43:a6:76:32:97:24:ea:98:8e:f0:08:31:9d:c7:81:
+                    be:66:65:eb:30:fd:c2:98:f8:6d:64:e6:6b:7b:19:
+                    e4:97:c3:31:20:8d:1a:f4:0c:4f:96:14:8b:64:cb:
+                    f4:75:31:3b:cd:b8:27:d5:25:3e:a3:f7:73:db:b9:
+                    ac:dd:e8:be:14:dc:2f:ca:e5:f6:f6:8d:c1:83:60:
+                    72:45:1d:e9:cd:e9:d5:a4:67:1c:df:56:3b:00:3b:
+                    fd:7a:3f:fc:78:ad:47:b0:53:ca:7d:17:57:fe:4c:
+                    de:cb
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                A5:4B:BC:BC:6C:A7:1D:7E:CB:31:E5:DF:BE:24:BE:B9:86:28:DE:68
+                E3:AC:5A:33:E4:E3:9B:18:66:7B:0F:13:2A:89:91:5E:64:42:D3:05
             X509v3 Authority Key Identifier: 
-                keyid:16:06:DB:79:36:82:5D:96:BA:FD:0F:C3:3D:E2:64:BA:E6:03:E6:3A
+                keyid:CA:50:20:B6:70:62:DE:6B:28:77:63:00:64:FE:D0:58:9E:50:16:24
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ch3_ta1/emailAddress=ch3_ta1
                 serial:0C
 
@@ -35,31 +44,43 @@
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         4b:1b:27:81:60:e8:9c:ca:e9:2b:c6:94:9e:64:d5:1a:44:18:
-         e7:fb:98:cf:a0:10:e3:ae:ad:b3:fa:a6:21:9d:be:35:46:17:
-         e6:42:3f:8c:79:81:c5:46:f4:f8:04:72:02:a5:5c:6a:1f:cf:
-         62:e1:f9:6f:3a:26:5c:7b:13:27:bd:27:e7:8d:e4:75:b0:04:
-         05:84:44:8b:cf:2c:8b:8b:44:35:c7:60:79:91:04:69:cc:35:
-         90:5b:e5:9a:71:cb:6d:65:dd:a1:09:2c:d0:35:69:cc:cf:0a:
-         62:41:8f:18:ac:9e:8f:52:4c:fa:77:14:98:45:ce:06:c5:f9:
-         5d:6a
+         1c:ac:db:1d:7e:66:ab:bd:02:09:67:5b:cf:c3:d4:2f:04:48:
+         63:3f:80:02:74:80:d9:77:a5:25:eb:c3:08:74:10:48:2d:8d:
+         b4:7b:1a:fb:66:ea:fe:bf:4d:19:7c:42:54:e2:6e:65:19:59:
+         60:3d:bf:ea:79:d3:c3:cd:3a:f7:4b:ac:31:fc:6f:40:25:2e:
+         41:eb:7b:54:36:78:f4:73:cb:7b:73:fa:d0:28:ca:65:a1:be:
+         b4:7c:c6:17:8b:d9:b1:5e:e5:ab:00:29:fc:78:bf:32:09:51:
+         41:fe:4c:ec:df:50:76:73:9e:b6:b3:9a:8a:ca:4d:0c:59:7c:
+         41:76:7b:5b:77:cd:71:74:ca:88:1a:0f:dc:20:62:be:dc:6a:
+         f9:d5:5f:26:7b:f5:6a:ed:22:9f:01:66:04:9e:45:71:37:da:
+         53:3a:4a:76:93:86:49:3b:6e:8e:87:dd:6a:28:0f:cc:fe:ce:
+         7f:1d:91:8b:20:94:8f:4a:66:5a:ab:e2:e8:1e:41:f3:d6:6e:
+         a1:4d:9c:c8:e6:57:cf:61:67:ab:bd:c7:39:f9:58:9a:18:05:
+         44:80:49:44:ff:3e:4f:ca:e3:09:1c:d3:cb:4f:7a:8b:78:72:
+         76:23:02:79:ef:70:8e:5f:f8:c2:ae:08:b0:b8:ba:84:39:37:
+         73:30:90:e8
 -----BEGIN CERTIFICATE-----
-MIIDRTCCAq6gAwIBAgIBDTANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJVUzET
+MIIESjCCAzKgAwIBAgIBDTANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEjAQBgNVBAMMCWNoNC4zX3RhMTEYMBYGCSqGSIb3DQEJARYJY2g0
-LjNfdGExMB4XDTEzMTIxMzAwMTMzNVoXDTE2MDkwODAwMTMzNVowdTELMAkGA1UE
+LjNfdGExMB4XDTE2MDEyMjAxNTc1NVoXDTE4MTAxODAxNTc1NVowdTELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJh
 MQ0wCwYDVQQKDARwa2c1MRIwEAYDVQQDDAljaDUuM190YTExGDAWBgkqhkiG9w0B
-CQEWCWNoNS4zX3RhMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmgs1AH4G
-/eJQl37SwrggKtm7uD8U+arjmNy5SWIynudRFu9raVl+D8NQCD3cIxg3+nDMRbhH
-HknvGBVHjubJZWQCqPUq0e86kY9aUiFGj2GHVclh6uiYGMWZH71DAhOmv8DN2aXu
-QKMFvxgoV/ZOIdCJoSEcOe0t7UXw2nU32nsCAwEAAaOB5DCB4TAdBgNVHQ4EFgQU
-pUu8vGynHX7LMeXfviS+uYYo3mgwgZsGA1UdIwSBkzCBkIAUFgbbeTaCXZa6/Q/D
-PeJkuuYD5jqhdaRzMHExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
-MRQwEgYDVQQHDAtTYW50YSBDbGFyYTENMAsGA1UECgwEcGtnNTEQMA4GA1UEAwwH
-Y2gzX3RhMTEWMBQGCSqGSIb3DQEJARYHY2gzX3RhMYIBDDASBgNVHRMBAf8ECDAG
-AQH/AgEAMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOBgQBLGyeBYOic
-yukrxpSeZNUaRBjn+5jPoBDjrq2z+qYhnb41RhfmQj+MeYHFRvT4BHICpVxqH89i
-4flvOiZcexMnvSfnjeR1sAQFhESLzyyLi0Q1x2B5kQRpzDWQW+WaccttZd2hCSzQ
-NWnMzwpiQY8YrJ6PUkz6dxSYRc4Gxfldag==
+CQEWCWNoNS4zX3RhMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMGR
+ox86FCkkPNb6rRa5pMTfSgTJ1gEWA1TeNkrbaRyxwPnuZD3zY1/e/U+RlcSGmQfW
+8z2AflrvFoQF1Wb37vjha9nreB0QXoUob4CXkB/LUjYdxiow9mRjTzqfseM2mJJi
+39PsbpndNxbhkiQY4lPpjDiEUMeNPK4hsHlpO/QXRngb1gAWmkZh5ngtdS3r2eCT
+x1CxQ6Z2Mpck6piO8AgxnceBvmZl6zD9wpj4bWTma3sZ5JfDMSCNGvQMT5YUi2TL
+9HUxO824J9UlPqP3c9u5rN3ovhTcL8rl9vaNwYNgckUd6c3p1aRnHN9WOwA7/Xo/
+/HitR7BTyn0XV/5M3ssCAwEAAaOB5DCB4TAdBgNVHQ4EFgQU46xaM+Tjmxhmew8T
+KomRXmRC0wUwgZsGA1UdIwSBkzCBkIAUylAgtnBi3msod2MAZP7QWJ5QFiShdaRz
+MHExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQHDAtT
+YW50YSBDbGFyYTENMAsGA1UECgwEcGtnNTEQMA4GA1UEAwwHY2gzX3RhMTEWMBQG
+CSqGSIb3DQEJARYHY2gzX3RhMYIBDDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1Ud
+DwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAHKzbHX5mq70CCWdbz8PULwRI
+Yz+AAnSA2XelJevDCHQQSC2NtHsa+2bq/r9NGXxCVOJuZRlZYD2/6nnTw80690us
+MfxvQCUuQet7VDZ49HPLe3P60CjKZaG+tHzGF4vZsV7lqwAp/Hi/MglRQf5M7N9Q
+dnOetrOaispNDFl8QXZ7W3fNcXTKiBoP3CBivtxq+dVfJnv1au0inwFmBJ5FcTfa
+UzpKdpOGSTtujofdaigPzP7Ofx2RiyCUj0pmWqvi6B5B89ZuoU2cyOZXz2Fnq73H
+OflYmhgFRIBJRP8+T8rjCRzTy096i3hydiMCee9wjl/4wq4IsLi6hDk3czCQ6A==
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/10.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/10.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,61 +5,82 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta3/emailAddress=ta3
         Validity
-            Not Before: Dec 13 00:13:35 2013 GMT
-            Not After : Sep  8 00:13:35 2016 GMT
+            Not Before: Jan 22 01:57:56 2016 GMT
+            Not After : Oct 18 01:57:56 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1_ta3/emailAddress=ch1_ta3
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:ba:0e:36:90:a0:6b:75:19:6b:30:76:54:9e:20:
-                    b0:81:70:21:47:97:9c:c1:15:7c:9e:2d:50:3c:db:
-                    dc:8c:d0:31:9c:b9:78:c6:2a:5c:53:ca:ed:d3:44:
-                    e2:f9:93:d8:b5:b6:a6:8a:c2:bd:be:4f:8b:f5:a0:
-                    28:68:cf:ec:f9:e3:e9:57:a8:ab:cd:a5:45:0d:82:
-                    eb:f0:5b:aa:2d:1b:88:65:30:9f:a1:74:59:1f:e5:
-                    d2:25:f9:d6:31:3f:0a:a2:4a:92:5d:2a:30:2e:3f:
-                    2f:72:48:93:f8:8d:7c:bf:79:21:e3:e1:91:9a:a7:
-                    03:01:ba:20:95:a6:da:56:35
+                    00:ad:c4:ce:08:be:18:a7:5c:74:34:46:19:29:0b:
+                    0e:09:7e:42:b2:ac:a4:40:2e:ee:2e:c8:0a:11:a8:
+                    88:85:73:a5:d8:15:65:9a:d6:4e:d4:8b:49:c1:32:
+                    dc:c3:f9:3d:99:87:d6:df:98:be:f6:71:db:f9:3d:
+                    63:98:65:7f:b9:a8:99:3c:f4:28:39:59:bf:e1:ff:
+                    7a:ef:a6:54:6e:43:31:33:95:72:d9:7d:11:24:e0:
+                    e0:47:24:df:84:27:a4:ee:19:6f:e8:f9:61:42:82:
+                    45:78:10:22:29:d5:b2:b8:1a:e6:7a:db:6d:d7:76:
+                    aa:27:bb:e7:cc:2b:60:39:8e:ac:3a:1c:b3:62:20:
+                    c4:db:10:5c:1d:22:fe:3d:36:ae:14:10:1f:81:d9:
+                    ce:bb:bc:93:4a:5f:1c:fc:1a:08:55:a6:4a:84:3b:
+                    0b:ca:89:8f:1e:f1:00:fe:6e:5b:9e:a3:57:dd:97:
+                    7c:fa:90:e7:ca:8d:9e:f2:b6:24:3e:f5:85:e8:77:
+                    53:1e:f5:c8:ba:37:53:05:43:dc:d8:56:c4:f9:cd:
+                    56:d3:3b:1a:16:c7:3d:e9:09:26:ef:6a:6a:b1:6b:
+                    28:77:14:69:d8:f5:67:a3:2e:04:d2:98:39:91:aa:
+                    c8:63:8f:55:56:f4:49:c9:67:84:82:a4:dd:d5:37:
+                    b9:8f
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                A7:11:90:E6:5F:5F:79:74:A3:1D:B5:9E:0C:15:F1:16:C5:D4:FB:6B
+                2B:95:76:FC:68:FE:EC:2A:19:A1:FC:D3:30:D9:C8:26:24:79:BE:9B
             X509v3 Authority Key Identifier: 
-                keyid:B4:D4:36:9F:F8:CB:A2:5F:50:89:DA:21:E3:27:C4:91:F7:84:88:45
+                keyid:29:6E:FA:0C:C3:3A:D4:13:5F:93:39:0F:10:08:27:C7:BF:62:56:E5
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta3/emailAddress=ta3
-                serial:C0:C4:B4:7D:88:D6:E3:3E
+                serial:8A:15:23:60:8D:FB:3E:84
 
             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         5f:db:a1:d4:03:bc:a0:f9:d7:80:88:ac:94:2b:22:cc:1c:88:
-         56:65:bd:0d:57:d6:d4:ae:5c:a2:27:44:7c:5e:4d:23:8c:ba:
-         fe:1c:a6:49:96:20:c2:f5:45:cf:52:0e:0a:80:40:5b:1c:e7:
-         83:2b:d4:72:6c:95:10:c6:a7:44:27:85:6b:e5:37:f5:a4:25:
-         70:e4:e0:0e:de:1d:c1:72:1f:05:be:0f:4b:23:61:38:e3:52:
-         cb:05:c3:f4:41:26:80:58:ea:02:c6:6b:7d:f8:9f:41:40:76:
-         94:44:59:2e:da:bc:a8:54:11:22:bc:58:ff:61:85:3c:60:e7:
-         67:e6
+         82:73:57:62:96:05:6f:f0:f1:22:b0:e7:f7:4f:c8:a7:20:9e:
+         94:cc:80:fa:9f:4f:98:24:75:49:5d:e7:cf:51:11:de:0d:64:
+         3c:24:8c:2b:5d:84:7c:40:6a:d2:27:81:2e:19:f4:16:c0:d3:
+         e1:d3:fa:23:e9:25:cc:f8:e2:f5:e8:b7:2b:ae:c5:70:19:f7:
+         0e:d4:ac:35:16:56:ad:7c:dc:f6:39:f2:80:b4:d3:d3:67:f7:
+         d9:cd:58:bf:17:01:94:50:af:a4:17:b9:49:50:1a:73:d7:f9:
+         1e:f4:6b:43:01:53:cf:a1:da:66:9d:e4:1c:fc:48:41:24:83:
+         ae:ce:18:d2:a7:95:5f:70:c6:24:e0:72:ec:08:c4:49:67:ac:
+         73:dc:f0:ad:2c:1c:f6:6c:e2:e9:44:2f:38:d4:80:03:71:41:
+         be:7c:04:b9:07:3e:a5:9d:6a:3c:b1:46:d9:d2:4d:76:28:ee:
+         37:da:5b:53:30:30:31:23:0b:95:47:c3:41:d3:45:1b:08:47:
+         22:14:e7:84:11:da:b2:95:c8:ea:98:94:d0:d1:33:8a:36:71:
+         a1:2f:fe:65:2e:91:39:16:6e:5e:1c:ff:0a:57:d5:eb:88:50:
+         b3:f2:89:68:c2:ff:a9:bd:af:de:c6:0f:57:af:15:4e:c1:31:
+         1e:67:16:2c
 -----BEGIN CERTIFICATE-----
-MIIDMjCCApugAwIBAgIBEDANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
+MIIENzCCAx+gAwIBAgIBEDANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
-BAoMBHBrZzUxDDAKBgNVBAMMA3RhMzESMBAGCSqGSIb3DQEJARYDdGEzMB4XDTEz
-MTIxMzAwMTMzNVoXDTE2MDkwODAwMTMzNVowcTELMAkGA1UEBhMCVVMxEzARBgNV
+BAoMBHBrZzUxDDAKBgNVBAMMA3RhMzESMBAGCSqGSIb3DQEJARYDdGEzMB4XDTE2
+MDEyMjAxNTc1NloXDTE4MTAxODAxNTc1NlowcTELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
-a2c1MRAwDgYDVQQDDAdjaDFfdGEzMRYwFAYJKoZIhvcNAQkBFgdjaDFfdGEzMIGf
-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6DjaQoGt1GWswdlSeILCBcCFHl5zB
-FXyeLVA829yM0DGcuXjGKlxTyu3TROL5k9i1tqaKwr2+T4v1oChoz+z54+lXqKvN
-pUUNguvwW6otG4hlMJ+hdFkf5dIl+dYxPwqiSpJdKjAuPy9ySJP4jXy/eSHj4ZGa
-pwMBuiCVptpWNQIDAQABo4HhMIHeMB0GA1UdDgQWBBSnEZDmX195dKMdtZ4MFfEW
-xdT7azCBmwYDVR0jBIGTMIGQgBS01Daf+MuiX1CJ2iHjJ8SR94SIRaFtpGswaTEL
-MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRh
-IENsYXJhMQ0wCwYDVQQKDARwa2c1MQwwCgYDVQQDDAN0YTMxEjAQBgkqhkiG9w0B
-CQEWA3RhM4IJAMDEtH2I1uM+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD
-AgEGMA0GCSqGSIb3DQEBCwUAA4GBAF/bodQDvKD514CIrJQrIswciFZlvQ1X1tSu
-XKInRHxeTSOMuv4cpkmWIML1Rc9SDgqAQFsc54Mr1HJslRDGp0QnhWvlN/WkJXDk
-4A7eHcFyHwW+D0sjYTjjUssFw/RBJoBY6gLGa334n0FAdpREWS7avKhUESK8WP9h
-hTxg52fm
+a2c1MRAwDgYDVQQDDAdjaDFfdGEzMRYwFAYJKoZIhvcNAQkBFgdjaDFfdGEzMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArcTOCL4Yp1x0NEYZKQsOCX5C
+sqykQC7uLsgKEaiIhXOl2BVlmtZO1ItJwTLcw/k9mYfW35i+9nHb+T1jmGV/uaiZ
+PPQoOVm/4f9676ZUbkMxM5Vy2X0RJODgRyTfhCek7hlv6PlhQoJFeBAiKdWyuBrm
+ettt13aqJ7vnzCtgOY6sOhyzYiDE2xBcHSL+PTauFBAfgdnOu7yTSl8c/BoIVaZK
+hDsLyomPHvEA/m5bnqNX3Zd8+pDnyo2e8rYkPvWF6HdTHvXIujdTBUPc2FbE+c1W
+0zsaFsc96Qkm72pqsWsodxRp2PVnoy4E0pg5karIY49VVvRJyWeEgqTd1Te5jwID
+AQABo4HhMIHeMB0GA1UdDgQWBBQrlXb8aP7sKhmh/NMw2cgmJHm+mzCBmwYDVR0j
+BIGTMIGQgBQpbvoMwzrUE1+TOQ8QCCfHv2JW5aFtpGswaTELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYD
+VQQKDARwa2c1MQwwCgYDVQQDDAN0YTMxEjAQBgkqhkiG9w0BCQEWA3RhM4IJAIoV
+I2CN+z6EMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
+DQEBCwUAA4IBAQCCc1dilgVv8PEisOf3T8inIJ6UzID6n0+YJHVJXefPURHeDWQ8
+JIwrXYR8QGrSJ4EuGfQWwNPh0/oj6SXM+OL16LcrrsVwGfcO1Kw1FlatfNz2OfKA
+tNPTZ/fZzVi/FwGUUK+kF7lJUBpz1/ke9GtDAVPPodpmneQc/EhBJIOuzhjSp5Vf
+cMYk4HLsCMRJZ6xz3PCtLBz2bOLpRC841IADcUG+fAS5Bz6lnWo8sUbZ0k12KO43
+2ltTMDAxIwuVR8NB00UbCEciFOeEEdqylcjqmJTQ0TOKNnGhL/5lLpE5Fm5eHP8K
+V9XriFCz8olowv+pva/exg9XrxVOwTEeZxYs
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/1A.pem	Tue Mar 08 11:12:06 2016 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,55 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 26 (0x1a)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta3/emailAddress=ta3
-        Validity
-            Not Before: Dec 13 00:13:36 2013 GMT
-            Not After : Sep  8 00:13:36 2016 GMT
-        Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1.1_ta3/emailAddress=ch1.1_ta3
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
-                Modulus:
-                    00:df:da:60:8b:c6:d6:55:f7:d0:5b:a7:5a:87:d2:
-                    90:7b:9c:46:31:96:5e:15:a0:c7:44:b3:79:ce:ae:
-                    d7:af:99:a9:fe:6d:c6:69:23:09:45:68:64:01:dc:
-                    a0:7e:8c:ed:c9:bc:14:d3:84:62:2a:8a:21:30:48:
-                    30:97:94:99:84:69:f0:c0:46:a4:72:82:51:30:fe:
-                    f0:fc:60:6c:ea:b8:7d:52:ce:fd:e5:20:b7:9f:4b:
-                    03:21:74:f3:58:35:3a:ef:f7:e0:84:64:06:84:36:
-                    62:e8:82:65:82:1e:56:c7:ea:1e:eb:65:7d:b3:83:
-                    9c:fc:e6:ba:65:c4:82:e3:5f
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Issuer Alternative Name: critical
-                <EMPTY>
-
-    Signature Algorithm: sha256WithRSAEncryption
-         ae:2b:af:4b:e6:7b:a1:28:27:46:1e:10:55:c2:2c:e4:6b:e9:
-         f2:6c:38:87:ed:f1:da:d5:92:39:89:22:53:3e:b4:da:3d:ae:
-         8d:ea:42:15:bb:4d:c6:ef:50:9c:1d:8b:93:92:7d:33:31:bd:
-         48:79:76:15:d4:8a:fd:bd:ae:1d:61:43:8d:88:ec:83:8d:15:
-         c9:50:73:e0:07:1a:41:e7:b2:a0:ac:9b:33:ed:bd:73:c5:32:
-         25:dd:ad:01:4b:90:62:25:e8:75:8e:19:e8:f5:4b:b8:89:2a:
-         c6:eb:d6:9c:31:f5:83:dd:1d:f9:71:11:ce:3b:0c:f5:e3:e4:
-         89:0a
------BEGIN CERTIFICATE-----
-MIICdTCCAd6gAwIBAgIBGjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
-MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
-BAoMBHBrZzUxDDAKBgNVBAMMA3RhMzESMBAGCSqGSIb3DQEJARYDdGEzMB4XDTEz
-MTIxMzAwMTMzNloXDTE2MDkwODAwMTMzNlowdTELMAkGA1UEBhMCVVMxEzARBgNV
-BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
-a2c1MRIwEAYDVQQDDAljaDEuMV90YTMxGDAWBgkqhkiG9w0BCQEWCWNoMS4xX3Rh
-MzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA39pgi8bWVffQW6dah9KQe5xG
-MZZeFaDHRLN5zq7Xr5mp/m3GaSMJRWhkAdygfoztybwU04RiKoohMEgwl5SZhGnw
-wEakcoJRMP7w/GBs6rh9Us795SC3n0sDIXTzWDU67/fghGQGhDZi6IJlgh5Wx+oe
-62V9s4Oc/Oa6ZcSC418CAwEAAaMhMB8wDwYDVR0TAQH/BAUwAwEB/zAMBgNVHRIB
-Af8EAjAAMA0GCSqGSIb3DQEBCwUAA4GBAK4rr0vme6EoJ0YeEFXCLORr6fJsOIft
-8drVkjmJIlM+tNo9ro3qQhW7TcbvUJwdi5OSfTMxvUh5dhXUiv29rh1hQ42I7ION
-FclQc+AHGkHnsqCsmzPtvXPFMiXdrQFLkGIl6HWOGej1S7iJKsbr1pwx9YPdHflx
-Ec47DPXj5IkK
------END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/1B.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -0,0 +1,76 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 27 (0x1b)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta3/emailAddress=ta3
+        Validity
+            Not Before: Jan 22 01:57:57 2016 GMT
+            Not After : Oct 18 01:57:57 2018 GMT
+        Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1.1_ta3/emailAddress=ch1.1_ta3
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:9f:68:52:eb:ed:18:33:43:ef:ec:5d:7a:a7:a7:
+                    06:d7:86:ce:0d:52:d6:da:ab:34:ad:9f:cd:0a:79:
+                    20:47:a9:3d:8f:f8:6b:e3:1a:9d:df:88:5c:c4:ad:
+                    06:66:22:d9:d7:f0:c2:ca:b3:ae:9c:78:e6:2d:18:
+                    20:c9:cc:e1:1a:27:12:32:b3:0b:eb:ba:e2:0e:ce:
+                    dd:fa:22:0b:ae:00:03:ee:89:1e:03:14:d4:86:80:
+                    b9:a2:98:be:60:25:63:2a:16:b4:63:1a:3f:0b:53:
+                    13:c6:53:77:1c:ed:b2:11:e6:f4:d5:1a:51:c0:f5:
+                    0f:3c:f7:b7:85:cf:66:f4:88:b0:e3:ea:35:fd:bc:
+                    35:e0:82:16:a8:08:b0:9b:c9:2e:88:94:bb:ac:5d:
+                    76:2f:b5:cf:da:e7:4e:72:d3:dc:8e:df:aa:0b:ed:
+                    55:ac:41:01:4f:fd:68:87:ee:ee:32:90:d6:95:b0:
+                    f7:78:1c:82:34:31:46:44:fa:f4:1a:63:88:ee:14:
+                    96:b1:bf:bd:41:82:77:4e:bb:5f:06:2b:dc:2f:4c:
+                    d3:42:96:0c:c2:82:a8:fb:3b:9f:4b:9f:d5:0a:74:
+                    44:62:4f:9f:55:ce:ed:72:7e:26:ee:22:12:6f:69:
+                    87:53:b8:79:aa:ee:21:e2:5f:bc:dd:c1:2a:2a:75:
+                    86:45
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Issuer Alternative Name: critical
+                <EMPTY>
+
+    Signature Algorithm: sha256WithRSAEncryption
+         0e:01:13:03:6b:ee:cc:3f:ef:73:4b:8e:5e:a9:4d:67:34:05:
+         a7:58:5e:58:cf:09:25:77:74:82:da:76:03:79:cf:65:83:c5:
+         97:2c:dc:37:b8:d6:c9:bb:a9:5d:57:17:5b:da:c3:8d:18:11:
+         e4:47:d4:e5:a2:72:0d:15:eb:1c:de:82:ff:cc:30:98:0b:4c:
+         46:96:63:f0:00:87:db:ac:1d:88:b3:c4:3b:ea:ac:20:4b:b1:
+         e3:71:28:8f:a6:bb:b4:0d:b8:6f:8d:eb:e9:9a:0f:53:03:1a:
+         ab:a0:c7:db:0c:e8:6e:05:a3:90:26:00:68:65:67:b7:a1:8e:
+         0c:08:96:2e:27:03:4b:df:b6:c8:a1:53:ce:3c:83:b0:7b:d8:
+         5f:8f:cf:61:d9:7c:8a:79:e4:a6:3a:79:0a:a7:82:c1:d3:d4:
+         a4:01:a2:82:08:f0:01:77:0f:2c:dc:40:73:81:35:83:ff:56:
+         4e:70:65:89:4e:17:9a:ff:7d:c4:9f:eb:62:f3:d3:44:87:c2:
+         d5:41:28:2d:72:69:d9:f9:94:9a:c9:0a:f1:02:9a:47:04:3e:
+         80:d6:c8:14:ab:e2:c7:3a:24:86:01:77:58:af:2b:e4:6a:73:
+         81:96:7f:5d:0b:34:ff:ef:98:88:f9:ea:2b:43:a4:2c:56:65:
+         c1:2c:f5:48
+-----BEGIN CERTIFICATE-----
+MIIDejCCAmKgAwIBAgIBGzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
+BAoMBHBrZzUxDDAKBgNVBAMMA3RhMzESMBAGCSqGSIb3DQEJARYDdGEzMB4XDTE2
+MDEyMjAxNTc1N1oXDTE4MTAxODAxNTc1N1owdTELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
+a2c1MRIwEAYDVQQDDAljaDEuMV90YTMxGDAWBgkqhkiG9w0BCQEWCWNoMS4xX3Rh
+MzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ9oUuvtGDND7+xdeqen
+BteGzg1S1tqrNK2fzQp5IEepPY/4a+Mand+IXMStBmYi2dfwwsqzrpx45i0YIMnM
+4RonEjKzC+u64g7O3foiC64AA+6JHgMU1IaAuaKYvmAlYyoWtGMaPwtTE8ZTdxzt
+shHm9NUaUcD1Dzz3t4XPZvSIsOPqNf28NeCCFqgIsJvJLoiUu6xddi+1z9rnTnLT
+3I7fqgvtVaxBAU/9aIfu7jKQ1pWw93gcgjQxRkT69BpjiO4UlrG/vUGCd067XwYr
+3C9M00KWDMKCqPs7n0uf1Qp0RGJPn1XO7XJ+Ju4iEm9ph1O4earuIeJfvN3BKip1
+hkUCAwEAAaMhMB8wDwYDVR0TAQH/BAUwAwEB/zAMBgNVHRIBAf8EAjAAMA0GCSqG
+SIb3DQEBCwUAA4IBAQAOARMDa+7MP+9zS45eqU1nNAWnWF5Yzwkld3SC2nYDec9l
+g8WXLNw3uNbJu6ldVxdb2sONGBHkR9TlonINFesc3oL/zDCYC0xGlmPwAIfbrB2I
+s8Q76qwgS7HjcSiPpru0Dbhvjevpmg9TAxqroMfbDOhuBaOQJgBoZWe3oY4MCJYu
+JwNL37bIoVPOPIOwe9hfj89h2XyKeeSmOnkKp4LB09SkAaKCCPABdw8s3EBzgTWD
+/1ZOcGWJThea/33En+ti89NEh8LVQSgtcmnZ+ZSayQrxAppHBD6A1sgUq+LHOiSG
+AXdYryvkanOBln9dCzT/75iI+eorQ6QsVmXBLPVI
+-----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/1C.pem	Tue Mar 08 11:12:06 2016 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,65 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 28 (0x1c)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta3/emailAddress=ta3
-        Validity
-            Not Before: Jan  1 01:01:01 2009 GMT
-            Not After : Jan  2 01:01:01 2009 GMT
-        Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1.2_ta3/emailAddress=ch1.2_ta3
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
-                Modulus:
-                    00:db:7e:41:d8:93:1f:35:e5:6b:38:25:93:e5:99:
-                    cf:fe:c7:b8:ab:0b:14:47:23:66:52:c7:d4:18:58:
-                    ff:39:a6:c4:a3:44:2e:46:be:24:7b:9d:71:26:12:
-                    6a:99:bd:92:01:5a:dc:a9:36:3c:2d:f8:42:b8:5f:
-                    db:87:8f:09:9a:83:32:5c:b6:1d:c5:e4:aa:47:6d:
-                    46:11:16:72:44:d7:49:ea:d3:4a:a4:52:9a:f4:8a:
-                    b5:e4:ef:32:7b:71:a0:d7:8e:71:86:22:34:44:4a:
-                    95:5a:37:ef:c4:7f:57:1f:99:32:39:ef:ab:94:05:
-                    1b:9a:88:de:39:85:56:4c:f7
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                91:8B:82:B9:57:2C:1B:DB:4B:F6:16:04:D7:3F:04:10:DD:8B:3B:05
-            X509v3 Authority Key Identifier: 
-                keyid:B4:D4:36:9F:F8:CB:A2:5F:50:89:DA:21:E3:27:C4:91:F7:84:88:45
-                DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta3/emailAddress=ta3
-                serial:C0:C4:B4:7D:88:D6:E3:3E
-
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-    Signature Algorithm: sha256WithRSAEncryption
-         8a:bc:bf:7b:28:d4:bd:a2:a9:91:e8:24:cf:1e:1b:05:7c:32:
-         68:71:40:9a:ef:48:3c:58:43:6c:ae:90:7a:50:a3:49:86:12:
-         57:21:00:0c:49:28:ec:31:fb:04:58:a4:24:c6:7e:14:9d:5a:
-         96:bd:ba:cd:c1:31:cd:c8:f0:77:de:3f:81:0a:d0:31:65:f2:
-         d5:11:c9:6f:cc:5a:f8:f3:c1:8f:31:37:75:3a:c6:6d:6d:6e:
-         d7:16:0a:9b:b0:ce:07:d7:97:36:61:37:5e:4a:16:df:8d:97:
-         f4:71:fe:9b:32:4b:b6:d2:27:f4:9a:7c:b8:83:b3:92:48:2c:
-         ec:0c
------BEGIN CERTIFICATE-----
-MIIDNjCCAp+gAwIBAgIBHDANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
-MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
-BAoMBHBrZzUxDDAKBgNVBAMMA3RhMzESMBAGCSqGSIb3DQEJARYDdGEzMB4XDTA5
-MDEwMTAxMDEwMVoXDTA5MDEwMjAxMDEwMVowdTELMAkGA1UEBhMCVVMxEzARBgNV
-BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
-a2c1MRIwEAYDVQQDDAljaDEuMl90YTMxGDAWBgkqhkiG9w0BCQEWCWNoMS4yX3Rh
-MzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA235B2JMfNeVrOCWT5ZnP/se4
-qwsURyNmUsfUGFj/OabEo0QuRr4ke51xJhJqmb2SAVrcqTY8LfhCuF/bh48JmoMy
-XLYdxeSqR21GERZyRNdJ6tNKpFKa9Iq15O8ye3Gg145xhiI0REqVWjfvxH9XH5ky
-Oe+rlAUbmojeOYVWTPcCAwEAAaOB4TCB3jAdBgNVHQ4EFgQUkYuCuVcsG9tL9hYE
-1z8EEN2LOwUwgZsGA1UdIwSBkzCBkIAUtNQ2n/jLol9Qidoh4yfEkfeEiEWhbaRr
-MGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQHDAtT
-YW50YSBDbGFyYTENMAsGA1UECgwEcGtnNTEMMAoGA1UEAwwDdGEzMRIwEAYJKoZI
-hvcNAQkBFgN0YTOCCQDAxLR9iNbjPjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
-/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOBgQCKvL97KNS9oqmR6CTPHhsFfDJocUCa
-70g8WENsrpB6UKNJhhJXIQAMSSjsMfsEWKQkxn4UnVqWvbrNwTHNyPB33j+BCtAx
-ZfLVEclvzFr488GPMTd1OsZtbW7XFgqbsM4H15c2YTdeShbfjZf0cf6bMku20if0
-mny4g7OSSCzsDA==
------END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/1D.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -0,0 +1,86 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 29 (0x1d)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta3/emailAddress=ta3
+        Validity
+            Not Before: Jan  1 01:01:01 2009 GMT
+            Not After : Jan  2 01:01:01 2009 GMT
+        Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1.2_ta3/emailAddress=ch1.2_ta3
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:d6:9f:34:ff:2a:8c:3f:a8:9d:6a:bf:0b:d9:66:
+                    57:2b:ba:9d:bd:88:b8:60:57:c9:b1:a8:2d:f1:74:
+                    e6:84:29:6c:93:9d:ed:12:03:f9:48:ee:8c:f0:5d:
+                    b0:da:9c:a6:2e:4b:64:f1:38:b8:cb:b9:d3:24:57:
+                    e1:57:b6:f1:79:4b:ee:d7:30:5c:89:67:43:1a:e1:
+                    aa:a2:b3:fb:f5:63:69:5b:55:98:3c:f9:2a:5f:56:
+                    f1:b9:6d:a6:4b:8b:9e:c4:2d:30:a2:0e:98:92:0d:
+                    c3:f7:80:69:d3:4b:a6:0a:5b:e8:d8:3d:0e:16:1b:
+                    09:12:b3:95:55:1b:b3:c8:5a:71:45:4d:05:30:ba:
+                    34:8d:86:a0:4a:0f:c3:e5:aa:19:3b:4c:5b:e6:20:
+                    03:7b:d5:c4:90:ec:b4:06:8b:55:ec:37:81:f7:f6:
+                    6d:f8:1e:01:7c:8f:45:08:25:2f:ab:eb:bb:c6:da:
+                    91:6a:f3:c2:21:6c:33:be:ce:56:2e:36:6c:bb:8c:
+                    12:3c:fc:1d:8b:33:14:d4:a0:4b:8e:0d:5b:3a:7c:
+                    47:32:93:03:48:66:6a:a4:1b:a4:b5:43:19:b9:79:
+                    cd:b5:f7:63:a9:5c:8f:ca:99:94:e3:d1:eb:15:a9:
+                    16:3b:92:73:a0:fb:2b:16:8b:31:42:28:6f:0a:6d:
+                    90:3f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                41:31:30:65:46:6B:1C:63:B9:C8:23:8E:02:37:E2:FF:FF:7C:C4:53
+            X509v3 Authority Key Identifier: 
+                keyid:29:6E:FA:0C:C3:3A:D4:13:5F:93:39:0F:10:08:27:C7:BF:62:56:E5
+                DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta3/emailAddress=ta3
+                serial:8A:15:23:60:8D:FB:3E:84
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+    Signature Algorithm: sha256WithRSAEncryption
+         8c:b9:ed:07:b3:f1:6f:53:7a:1d:62:ef:57:ba:ab:a5:46:93:
+         d0:af:3a:67:2d:50:b0:5a:3b:b0:90:e2:f6:71:5e:fd:d6:fc:
+         70:ce:6c:bf:51:ba:94:db:84:5d:c6:0b:d9:87:79:ea:bf:40:
+         fd:a9:0b:c3:dd:81:ba:7a:40:7e:71:54:89:8b:e4:b2:85:e4:
+         d6:93:d2:a4:9a:02:66:f9:7e:aa:48:e3:0c:ad:3c:f7:2e:55:
+         fa:a1:10:f9:17:d0:2b:36:8a:36:57:f4:6c:42:2f:cf:4a:dc:
+         f2:73:de:8b:08:e7:54:d6:8c:cf:83:ac:de:e0:b4:b5:f3:26:
+         9f:9c:a0:6e:1e:29:77:bf:7e:d4:1d:1a:51:77:e1:82:e4:6d:
+         fe:04:b4:23:8d:26:2b:9f:3f:f1:d9:98:35:b0:fe:b6:61:3c:
+         21:2d:54:e4:2d:f1:3f:88:3d:cb:7d:57:11:98:4b:01:68:0b:
+         af:79:a3:f4:8a:5d:11:c7:63:78:ac:94:e7:82:f0:4c:90:b1:
+         89:49:f0:8c:50:a3:38:04:98:38:14:49:cc:1d:69:57:84:5a:
+         4e:2d:10:f7:0c:88:73:48:de:83:90:0f:a0:53:b9:03:f6:f0:
+         bf:cc:d6:91:73:b3:9c:13:0a:dc:24:52:d9:d0:ac:6d:cf:11:
+         53:bc:d2:75
+-----BEGIN CERTIFICATE-----
+MIIEOzCCAyOgAwIBAgIBHTANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
+BAoMBHBrZzUxDDAKBgNVBAMMA3RhMzESMBAGCSqGSIb3DQEJARYDdGEzMB4XDTA5
+MDEwMTAxMDEwMVoXDTA5MDEwMjAxMDEwMVowdTELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
+a2c1MRIwEAYDVQQDDAljaDEuMl90YTMxGDAWBgkqhkiG9w0BCQEWCWNoMS4yX3Rh
+MzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANafNP8qjD+onWq/C9lm
+Vyu6nb2IuGBXybGoLfF05oQpbJOd7RID+UjujPBdsNqcpi5LZPE4uMu50yRX4Ve2
+8XlL7tcwXIlnQxrhqqKz+/VjaVtVmDz5Kl9W8bltpkuLnsQtMKIOmJINw/eAadNL
+pgpb6Ng9DhYbCRKzlVUbs8hacUVNBTC6NI2GoEoPw+WqGTtMW+YgA3vVxJDstAaL
+Vew3gff2bfgeAXyPRQglL6vru8bakWrzwiFsM77OVi42bLuMEjz8HYszFNSgS44N
+Wzp8RzKTA0hmaqQbpLVDGbl5zbX3Y6lcj8qZlOPR6xWpFjuSc6D7KxaLMUIobwpt
+kD8CAwEAAaOB4TCB3jAdBgNVHQ4EFgQUQTEwZUZrHGO5yCOOAjfi//98xFMwgZsG
+A1UdIwSBkzCBkIAUKW76DMM61BNfkzkPEAgnx79iVuWhbaRrMGkxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQHDAtTYW50YSBDbGFyYTEN
+MAsGA1UECgwEcGtnNTEMMAoGA1UEAwwDdGEzMRIwEAYJKoZIhvcNAQkBFgN0YTOC
+CQCKFSNgjfs+hDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQsFAAOCAQEAjLntB7Pxb1N6HWLvV7qrpUaT0K86Zy1QsFo7sJDi9nFe
+/db8cM5sv1G6lNuEXcYL2Yd56r9A/akLw92BunpAfnFUiYvksoXk1pPSpJoCZvl+
+qkjjDK089y5V+qEQ+RfQKzaKNlf0bEIvz0rc8nPeiwjnVNaMz4Os3uC0tfMmn5yg
+bh4pd79+1B0aUXfhguRt/gS0I40mK58/8dmYNbD+tmE8IS1U5C3xP4g9y31XEZhL
+AWgLr3mj9IpdEcdjeKyU54LwTJCxiUnwjFCjOASYOBRJzB1pV4RaTi0Q9wyIc0je
+g5APoFO5A/bwv8zWkXOznBMK3CRS2dCsbc8RU7zSdQ==
+-----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/1E.pem	Tue Mar 08 11:12:06 2016 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,65 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 30 (0x1e)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta3/emailAddress=ta3
-        Validity
-            Not Before: Jan  1 01:01:01 2035 GMT
-            Not After : Jan  2 01:01:01 2035 GMT
-        Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1.3_ta3/emailAddress=ch1.3_ta3
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
-                Modulus:
-                    00:ce:58:8a:05:67:47:a9:62:99:37:13:35:4c:74:
-                    75:9b:2f:d7:4c:23:7a:cd:60:35:0c:95:4b:58:b3:
-                    dd:c8:2d:69:ad:3c:8d:d3:27:0d:02:06:d0:4b:6c:
-                    6e:57:e9:1f:3c:dc:f3:88:22:25:86:35:13:91:3c:
-                    9f:76:67:a4:ae:98:63:d2:73:4d:2f:07:d5:7f:80:
-                    7e:27:92:25:16:aa:32:fe:7a:17:65:d5:9f:ee:39:
-                    9f:c8:a1:57:6a:9b:2d:e3:61:d9:35:d5:94:fb:fa:
-                    95:21:c3:31:33:50:d6:2f:e5:c0:7a:bb:a7:61:a4:
-                    e0:9b:5e:ca:99:2a:5d:6a:db
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                28:44:43:26:57:0F:45:87:1A:A5:36:FB:0F:49:91:4B:A1:38:F3:ED
-            X509v3 Authority Key Identifier: 
-                keyid:B4:D4:36:9F:F8:CB:A2:5F:50:89:DA:21:E3:27:C4:91:F7:84:88:45
-                DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta3/emailAddress=ta3
-                serial:C0:C4:B4:7D:88:D6:E3:3E
-
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-    Signature Algorithm: sha256WithRSAEncryption
-         b8:a1:7b:ba:b7:10:91:c0:21:86:fe:4d:01:f7:14:34:d9:aa:
-         dc:f3:04:56:c2:08:e6:66:f5:77:55:7e:dd:ea:b5:49:ff:d9:
-         32:39:2c:c9:9f:2f:9c:b3:cc:68:25:3e:d4:92:ef:be:b7:a1:
-         a5:d6:8c:31:3d:3a:7f:f4:5d:e8:ca:a3:30:29:ff:89:82:63:
-         cb:46:47:34:e8:ce:25:dd:a4:09:61:0b:08:7b:fd:24:1b:2b:
-         2d:9b:b9:84:ba:9e:fe:c1:2a:bd:df:e5:86:08:9c:74:ca:51:
-         c8:2e:b8:24:13:49:8c:a4:3e:c1:48:44:bd:30:18:40:88:43:
-         c1:a6
------BEGIN CERTIFICATE-----
-MIIDNjCCAp+gAwIBAgIBHjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
-MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
-BAoMBHBrZzUxDDAKBgNVBAMMA3RhMzESMBAGCSqGSIb3DQEJARYDdGEzMB4XDTM1
-MDEwMTAxMDEwMVoXDTM1MDEwMjAxMDEwMVowdTELMAkGA1UEBhMCVVMxEzARBgNV
-BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
-a2c1MRIwEAYDVQQDDAljaDEuM190YTMxGDAWBgkqhkiG9w0BCQEWCWNoMS4zX3Rh
-MzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzliKBWdHqWKZNxM1THR1my/X
-TCN6zWA1DJVLWLPdyC1prTyN0ycNAgbQS2xuV+kfPNzziCIlhjUTkTyfdmekrphj
-0nNNLwfVf4B+J5IlFqoy/noXZdWf7jmfyKFXapst42HZNdWU+/qVIcMxM1DWL+XA
-erunYaTgm17KmSpdatsCAwEAAaOB4TCB3jAdBgNVHQ4EFgQUKERDJlcPRYcapTb7
-D0mRS6E48+0wgZsGA1UdIwSBkzCBkIAUtNQ2n/jLol9Qidoh4yfEkfeEiEWhbaRr
-MGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQHDAtT
-YW50YSBDbGFyYTENMAsGA1UECgwEcGtnNTEMMAoGA1UEAwwDdGEzMRIwEAYJKoZI
-hvcNAQkBFgN0YTOCCQDAxLR9iNbjPjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
-/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOBgQC4oXu6txCRwCGG/k0B9xQ02arc8wRW
-wgjmZvV3VX7d6rVJ/9kyOSzJny+cs8xoJT7Uku++t6Gl1owxPTp/9F3oyqMwKf+J
-gmPLRkc06M4l3aQJYQsIe/0kGystm7mEup7+wSq93+WGCJx0ylHILrgkE0mMpD7B
-SES9MBhAiEPBpg==
------END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/1F.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -0,0 +1,86 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 31 (0x1f)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta3/emailAddress=ta3
+        Validity
+            Not Before: Jan  1 01:01:01 2035 GMT
+            Not After : Jan  2 01:01:01 2035 GMT
+        Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1.3_ta3/emailAddress=ch1.3_ta3
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:a5:a2:9a:58:4a:0e:d7:07:3b:38:52:04:65:eb:
+                    e5:9e:7c:eb:2e:d6:22:89:1e:a8:b2:5c:d2:8b:6e:
+                    76:3b:7c:66:dd:ec:d9:ee:2a:6e:d0:b8:47:e2:cf:
+                    30:c8:13:9c:60:2b:6a:e1:9e:62:65:71:77:fb:50:
+                    8f:08:95:55:05:86:93:ed:38:f6:b8:5d:bf:07:a1:
+                    d9:66:7d:da:80:7b:09:c3:02:74:9c:33:44:6d:cd:
+                    7a:0e:be:46:54:14:65:f8:11:75:1f:d7:f4:6c:c8:
+                    97:76:fb:20:0c:86:ff:31:bd:c4:7b:86:38:4c:ee:
+                    96:c6:c2:b4:c1:ca:ce:9f:43:16:ef:86:d4:fe:fd:
+                    04:06:a6:a7:99:30:8e:aa:a8:d3:93:b2:b2:cd:0f:
+                    56:50:1a:02:8d:71:c9:2d:b5:97:b7:d2:ca:c8:b1:
+                    9d:9b:bd:a6:9c:5a:da:7d:22:2c:41:34:2d:b9:5f:
+                    06:d8:ad:26:20:98:f2:d7:48:71:5f:c7:9f:bb:02:
+                    6a:64:65:7b:ec:d6:80:ab:a3:c6:45:55:8a:e6:b2:
+                    1d:f6:d0:b9:c4:26:85:88:7b:ea:84:3a:3c:f1:c7:
+                    e6:b0:47:f6:5f:99:85:b1:cd:5c:20:6a:cc:e4:2c:
+                    7d:72:23:92:21:85:37:c5:20:e5:ff:07:36:35:d5:
+                    b7:2f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                8B:2B:21:B0:6C:71:E6:F0:68:6D:FC:32:0C:DB:53:38:EC:B3:43:A6
+            X509v3 Authority Key Identifier: 
+                keyid:29:6E:FA:0C:C3:3A:D4:13:5F:93:39:0F:10:08:27:C7:BF:62:56:E5
+                DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta3/emailAddress=ta3
+                serial:8A:15:23:60:8D:FB:3E:84
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+    Signature Algorithm: sha256WithRSAEncryption
+         84:66:26:74:86:86:ab:62:33:c4:6e:69:75:7c:54:be:52:f6:
+         0a:4e:3a:36:9c:11:a9:f0:7c:65:0d:eb:c5:f4:f7:bf:28:64:
+         9f:de:ac:f7:cb:cd:3b:eb:57:a1:2b:3f:d4:e9:d1:f9:2c:7b:
+         75:c8:5b:9c:a6:22:cc:fd:04:5e:48:f3:0f:22:a0:f7:75:a8:
+         56:b7:4a:95:ee:a0:be:29:c4:8b:9d:ef:d9:65:f6:ac:a8:37:
+         41:cc:79:cd:ea:b2:dd:d0:e8:b3:2d:80:36:dd:eb:31:62:7f:
+         7e:1a:15:ae:3b:14:cf:ae:aa:1d:8d:42:1e:aa:b7:28:4c:ae:
+         30:b2:ab:ac:b4:48:50:e6:ec:35:94:fb:7f:94:de:f8:ea:f9:
+         e5:7d:d4:3e:db:58:79:49:59:25:85:33:20:f0:b1:e0:7c:44:
+         79:4a:61:e3:39:d4:06:c8:87:05:a5:ce:ff:13:4d:ba:3a:2e:
+         9e:78:15:f3:d3:85:9c:41:e1:2d:6d:e2:ce:d1:1d:cc:4f:ee:
+         6e:3f:3d:d1:16:df:e2:fe:2a:fc:6b:1f:cc:e1:45:57:0b:b7:
+         26:3d:ca:14:ee:5d:81:cd:69:28:4b:d6:25:30:6f:68:39:ea:
+         b6:5c:e7:37:05:55:a6:c4:9b:72:42:f8:f1:46:fe:a0:56:27:
+         e1:c6:85:e8
+-----BEGIN CERTIFICATE-----
+MIIEOzCCAyOgAwIBAgIBHzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
+BAoMBHBrZzUxDDAKBgNVBAMMA3RhMzESMBAGCSqGSIb3DQEJARYDdGEzMB4XDTM1
+MDEwMTAxMDEwMVoXDTM1MDEwMjAxMDEwMVowdTELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
+a2c1MRIwEAYDVQQDDAljaDEuM190YTMxGDAWBgkqhkiG9w0BCQEWCWNoMS4zX3Rh
+MzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKWimlhKDtcHOzhSBGXr
+5Z586y7WIokeqLJc0otudjt8Zt3s2e4qbtC4R+LPMMgTnGArauGeYmVxd/tQjwiV
+VQWGk+049rhdvweh2WZ92oB7CcMCdJwzRG3Neg6+RlQUZfgRdR/X9GzIl3b7IAyG
+/zG9xHuGOEzulsbCtMHKzp9DFu+G1P79BAamp5kwjqqo05Oyss0PVlAaAo1xyS21
+l7fSysixnZu9ppxa2n0iLEE0LblfBtitJiCY8tdIcV/Hn7sCamRle+zWgKujxkVV
+iuayHfbQucQmhYh76oQ6PPHH5rBH9l+ZhbHNXCBqzOQsfXIjkiGFN8Ug5f8HNjXV
+ty8CAwEAAaOB4TCB3jAdBgNVHQ4EFgQUiyshsGxx5vBobfwyDNtTOOyzQ6YwgZsG
+A1UdIwSBkzCBkIAUKW76DMM61BNfkzkPEAgnx79iVuWhbaRrMGkxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQHDAtTYW50YSBDbGFyYTEN
+MAsGA1UECgwEcGtnNTEMMAoGA1UEAwwDdGEzMRIwEAYJKoZIhvcNAQkBFgN0YTOC
+CQCKFSNgjfs+hDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQsFAAOCAQEAhGYmdIaGq2IzxG5pdXxUvlL2Ck46NpwRqfB8ZQ3rxfT3
+vyhkn96s98vNO+tXoSs/1OnR+Sx7dchbnKYizP0EXkjzDyKg93WoVrdKle6gvinE
+i53v2WX2rKg3Qcx5zeqy3dDosy2ANt3rMWJ/fhoVrjsUz66qHY1CHqq3KEyuMLKr
+rLRIUObsNZT7f5Te+Or55X3UPttYeUlZJYUzIPCx4HxEeUph4znUBsiHBaXO/xNN
+ujounngV89OFnEHhLW3iztEdzE/ubj890Rbf4v4q/GsfzOFFVwu3Jj3KFO5dgc1p
+KEvWJTBvaDnqtlznNwVVpsSbckL48Ub+oFYn4caF6A==
+-----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/20.pem	Tue Mar 08 11:12:06 2016 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,62 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 32 (0x20)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta3/emailAddress=ta3
-        Validity
-            Not Before: Jan  1 01:01:01 2035 GMT
-            Not After : Jan  2 01:01:01 2035 GMT
-        Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1.4_ta3/emailAddress=ch1.4_ta3
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
-                Modulus:
-                    00:e9:3c:28:6e:b8:7a:e3:7a:f2:ee:5e:69:7a:71:
-                    b8:bb:97:d5:d3:c4:77:3e:90:f3:29:69:b8:51:ba:
-                    8b:27:4d:3f:b2:10:76:86:6e:38:4a:49:be:ce:01:
-                    c5:d2:0e:6e:0e:a9:51:e9:94:57:ce:67:4b:99:ca:
-                    84:93:a9:f9:e6:35:1c:0f:d6:3d:b1:c1:c7:00:d7:
-                    fa:2c:05:a0:20:0d:86:6d:32:c0:54:0f:e8:b9:6e:
-                    b5:dd:1a:00:4c:89:bf:d4:6d:79:0e:e7:4e:10:d2:
-                    fb:75:2c:03:da:75:c8:e1:b7:dc:2e:42:c5:9b:ec:
-                    b2:f1:15:6d:db:56:f9:20:a3
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                33:65:69:5E:6D:D8:12:02:E9:68:A2:6C:7D:77:F1:38:D8:7B:97:E6
-            X509v3 Authority Key Identifier: 
-                keyid:B4:D4:36:9F:F8:CB:A2:5F:50:89:DA:21:E3:27:C4:91:F7:84:88:45
-                DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta3/emailAddress=ta3
-                serial:C0:C4:B4:7D:88:D6:E3:3E
-
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-    Signature Algorithm: sha256WithRSAEncryption
-         5c:06:87:8e:6c:26:b3:5d:7c:94:c0:e3:7d:9e:8c:7c:bf:86:
-         e0:07:8a:65:95:af:8f:93:0c:a6:72:e5:cb:36:a5:69:03:95:
-         03:7f:e0:18:c8:f2:da:ce:99:b8:54:7a:49:75:f2:61:00:d4:
-         f4:63:e1:5c:cc:f0:91:e7:85:92:0d:7e:91:4b:3a:8b:76:e6:
-         a0:c8:51:28:06:44:d2:c8:a8:4c:da:be:7e:78:88:45:d3:f7:
-         07:92:90:fc:96:4d:7d:ce:5a:c9:9a:21:d9:66:98:3e:9b:5d:
-         18:9a:0c:b8:c4:10:86:4d:06:15:d9:ea:19:9b:e7:f7:e2:74:
-         25:eb
------BEGIN CERTIFICATE-----
-MIIDJjCCAo+gAwIBAgIBIDANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
-MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
-BAoMBHBrZzUxDDAKBgNVBAMMA3RhMzESMBAGCSqGSIb3DQEJARYDdGEzMB4XDTM1
-MDEwMTAxMDEwMVoXDTM1MDEwMjAxMDEwMVowdTELMAkGA1UEBhMCVVMxEzARBgNV
-BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
-a2c1MRIwEAYDVQQDDAljaDEuNF90YTMxGDAWBgkqhkiG9w0BCQEWCWNoMS40X3Rh
-MzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6Twobrh643ry7l5penG4u5fV
-08R3PpDzKWm4UbqLJ00/shB2hm44Skm+zgHF0g5uDqlR6ZRXzmdLmcqEk6n55jUc
-D9Y9scHHANf6LAWgIA2GbTLAVA/ouW613RoATIm/1G15DudOENL7dSwD2nXI4bfc
-LkLFm+yy8RVt21b5IKMCAwEAAaOB0TCBzjAdBgNVHQ4EFgQUM2VpXm3YEgLpaKJs
-fXfxONh7l+YwgZsGA1UdIwSBkzCBkIAUtNQ2n/jLol9Qidoh4yfEkfeEiEWhbaRr
-MGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQHDAtT
-YW50YSBDbGFyYTENMAsGA1UECgwEcGtnNTEMMAoGA1UEAwwDdGEzMRIwEAYJKoZI
-hvcNAQkBFgN0YTOCCQDAxLR9iNbjPjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
-DQEBCwUAA4GBAFwGh45sJrNdfJTA432ejHy/huAHimWVr4+TDKZy5cs2pWkDlQN/
-4BjI8trOmbhUekl18mEA1PRj4VzM8JHnhZINfpFLOot25qDIUSgGRNLIqEzavn54
-iEXT9weSkPyWTX3OWsmaIdlmmD6bXRiaDLjEEIZNBhXZ6hmb5/fidCXr
------END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/21.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -0,0 +1,84 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 33 (0x21)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta3/emailAddress=ta3
+        Validity
+            Not Before: Jan  1 01:01:01 2035 GMT
+            Not After : Jan  2 01:01:01 2035 GMT
+        Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1.4_ta3/emailAddress=ch1.4_ta3
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c1:a0:1e:ec:bd:27:9e:d7:47:3d:4d:78:63:df:
+                    b7:54:05:09:1b:22:65:15:de:2a:98:ef:b4:28:f0:
+                    2a:92:87:2e:93:7f:0f:3d:ca:ce:d1:b5:23:26:8e:
+                    65:4c:c2:57:82:3a:45:8c:5e:77:ac:68:ef:ce:e5:
+                    1b:ba:b5:ba:f2:7d:73:04:d0:28:d8:27:74:bb:93:
+                    ec:9d:2a:8c:a3:52:95:c0:4b:1a:76:e9:c1:6a:d4:
+                    11:84:57:f2:9c:e9:4c:90:ba:7b:ac:cd:8b:a5:7f:
+                    ed:43:d7:c3:a0:9e:7b:c6:07:f9:e2:10:46:b9:1e:
+                    d6:87:aa:1c:e0:92:89:76:2c:ca:ab:5b:99:92:35:
+                    b0:28:88:2d:08:76:99:ed:27:1b:e9:5f:ba:3a:ef:
+                    fd:c5:09:43:74:ec:9d:7c:01:cf:db:37:43:3f:c8:
+                    6b:9c:8f:f9:c9:04:cb:28:5a:70:ee:19:da:b0:f8:
+                    65:5f:c1:d8:09:d0:9e:5e:94:e5:93:79:ad:25:ec:
+                    73:1e:4c:43:30:e8:62:bf:a1:f5:ba:3a:21:10:d0:
+                    5d:38:a8:fd:a0:4e:e8:b2:13:da:d3:da:b0:85:86:
+                    94:36:be:13:4a:66:ad:89:ac:41:0e:e5:47:dc:d4:
+                    bd:19:b2:9d:8b:58:27:e4:90:8c:77:09:62:c5:a9:
+                    55:c9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                5F:F9:18:9C:13:FA:0C:6D:68:90:7F:A8:63:2E:5F:68:8D:27:9D:A5
+            X509v3 Authority Key Identifier: 
+                keyid:29:6E:FA:0C:C3:3A:D4:13:5F:93:39:0F:10:08:27:C7:BF:62:56:E5
+                DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta3/emailAddress=ta3
+                serial:8A:15:23:60:8D:FB:3E:84
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         24:b0:07:7a:c9:05:ad:8b:61:44:b4:79:c6:5e:3f:af:82:d8:
+         ee:71:fb:a2:78:c8:40:aa:69:c0:66:76:31:20:62:e4:22:1e:
+         7f:db:47:50:76:f5:0c:09:c2:ef:c7:5f:18:7d:2f:a8:37:4f:
+         a8:aa:07:2c:5f:f1:e4:7d:6e:02:de:ae:6a:29:22:e5:d9:4e:
+         b7:5b:5f:fa:9c:e2:86:f3:4e:89:46:95:8a:70:3a:a3:da:a7:
+         5c:ad:c2:d0:35:cf:6b:8a:eb:8b:55:78:29:fe:c5:a8:71:fd:
+         96:e2:7f:05:8f:1e:eb:7c:c2:dd:cb:4c:94:05:a2:76:11:fe:
+         ed:d7:7a:df:92:13:7e:12:bb:e4:ff:11:19:b9:04:54:19:6f:
+         f0:e3:42:f1:d4:48:d2:5c:0d:83:b8:7d:04:49:ec:c1:6f:a0:
+         a7:41:68:8a:e8:78:2d:42:ad:58:b9:0e:0c:a9:14:5a:ce:2e:
+         2c:ba:4a:18:98:87:65:d3:8f:cd:23:11:22:35:ea:76:7a:a3:
+         33:74:a7:03:aa:84:df:6f:26:d5:e1:4a:e5:91:76:f8:79:2d:
+         e0:4d:18:f3:8c:95:5c:6f:c8:f8:03:3a:ab:d6:59:55:17:2b:
+         f8:6d:6d:1b:cd:e8:08:92:4c:ea:0d:98:f8:3f:e8:a8:12:fa:
+         bb:cb:13:de
+-----BEGIN CERTIFICATE-----
+MIIEKzCCAxOgAwIBAgIBITANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
+BAoMBHBrZzUxDDAKBgNVBAMMA3RhMzESMBAGCSqGSIb3DQEJARYDdGEzMB4XDTM1
+MDEwMTAxMDEwMVoXDTM1MDEwMjAxMDEwMVowdTELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
+a2c1MRIwEAYDVQQDDAljaDEuNF90YTMxGDAWBgkqhkiG9w0BCQEWCWNoMS40X3Rh
+MzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMGgHuy9J57XRz1NeGPf
+t1QFCRsiZRXeKpjvtCjwKpKHLpN/Dz3KztG1IyaOZUzCV4I6RYxed6xo787lG7q1
+uvJ9cwTQKNgndLuT7J0qjKNSlcBLGnbpwWrUEYRX8pzpTJC6e6zNi6V/7UPXw6Ce
+e8YH+eIQRrke1oeqHOCSiXYsyqtbmZI1sCiILQh2me0nG+lfujrv/cUJQ3TsnXwB
+z9s3Qz/Ia5yP+ckEyyhacO4Z2rD4ZV/B2AnQnl6U5ZN5rSXscx5MQzDoYr+h9bo6
+IRDQXTio/aBO6LIT2tPasIWGlDa+E0pmrYmsQQ7lR9zUvRmynYtYJ+SQjHcJYsWp
+VckCAwEAAaOB0TCBzjAdBgNVHQ4EFgQUX/kYnBP6DG1okH+oYy5faI0nnaUwgZsG
+A1UdIwSBkzCBkIAUKW76DMM61BNfkzkPEAgnx79iVuWhbaRrMGkxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQHDAtTYW50YSBDbGFyYTEN
+MAsGA1UECgwEcGtnNTEMMAoGA1UEAwwDdGEzMRIwEAYJKoZIhvcNAQkBFgN0YTOC
+CQCKFSNgjfs+hDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAk
+sAd6yQWti2FEtHnGXj+vgtjucfuieMhAqmnAZnYxIGLkIh5/20dQdvUMCcLvx18Y
+fS+oN0+oqgcsX/HkfW4C3q5qKSLl2U63W1/6nOKG806JRpWKcDqj2qdcrcLQNc9r
+iuuLVXgp/sWocf2W4n8Fjx7rfMLdy0yUBaJ2Ef7t13rfkhN+Ervk/xEZuQRUGW/w
+40Lx1EjSXA2DuH0ESezBb6CnQWiK6HgtQq1YuQ4MqRRazi4sukoYmIdl04/NIxEi
+Nep2eqMzdKcDqoTfbybV4UrlkXb4eS3gTRjzjJVcb8j4Azqr1llVFyv4bW0bzegI
+kkzqDZj4P+ioEvq7yxPe
+-----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/22.pem	Tue Mar 08 11:12:06 2016 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,65 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 34 (0x22)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta4/emailAddress=ta4
-        Validity
-            Not Before: Dec 13 00:13:37 2013 GMT
-            Not After : Sep  8 00:13:37 2016 GMT
-        Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1_ta4/emailAddress=ch1_ta4
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
-                Modulus:
-                    00:b4:25:1c:3a:c2:26:af:8d:82:4d:29:e3:e0:78:
-                    6f:2b:7f:3c:b1:8c:c0:37:96:71:d2:42:21:df:2e:
-                    c4:c0:5a:60:e4:71:6f:05:df:88:a8:4b:ec:87:54:
-                    8d:08:c9:f7:19:84:a5:d0:cc:cb:43:c3:70:69:67:
-                    2e:4c:be:e6:2d:93:90:f9:02:30:a7:43:d2:1f:e5:
-                    d4:cf:5b:5c:74:88:06:0e:ee:cd:78:2c:2f:27:4c:
-                    99:2f:be:9a:73:5b:9b:1c:e3:67:54:b6:74:a7:c9:
-                    31:d3:63:6a:c5:4a:50:22:eb:af:e2:cd:7a:de:59:
-                    68:6a:a6:0e:26:d6:52:b6:a1
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                29:7A:F9:B4:E3:1B:8F:19:63:52:FA:19:A0:AB:DA:37:E4:70:A9:71
-            X509v3 Authority Key Identifier: 
-                keyid:84:46:29:88:74:31:EF:A6:CC:3C:E3:58:29:DE:BE:FD:1B:F4:59:98
-                DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta4/emailAddress=ta4
-                serial:E8:F7:8D:38:FA:4B:55:DD
-
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-    Signature Algorithm: sha256WithRSAEncryption
-         91:d2:2e:6f:55:ce:c6:39:d8:b4:1f:7a:df:7f:bd:8f:4e:66:
-         ec:10:3d:35:f1:36:22:90:ae:b7:16:e4:48:f5:ec:63:27:e8:
-         88:32:78:ac:21:cc:71:f9:46:6a:73:b7:09:24:a7:44:68:41:
-         a5:07:f9:a3:ec:c7:53:ca:68:e4:09:68:b7:ee:11:f2:8c:08:
-         80:3c:a5:56:e2:f3:a8:aa:1e:34:99:49:26:8a:1f:50:36:d2:
-         0e:ee:b6:a0:a6:e6:b0:94:41:a6:bc:de:93:6f:af:b3:fa:f4:
-         a3:c3:46:83:f8:27:67:8e:9e:40:ec:79:08:0b:e2:46:73:61:
-         0d:c6
------BEGIN CERTIFICATE-----
-MIIDMjCCApugAwIBAgIBIjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
-MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
-BAoMBHBrZzUxDDAKBgNVBAMMA3RhNDESMBAGCSqGSIb3DQEJARYDdGE0MB4XDTEz
-MTIxMzAwMTMzN1oXDTE2MDkwODAwMTMzN1owcTELMAkGA1UEBhMCVVMxEzARBgNV
-BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
-a2c1MRAwDgYDVQQDDAdjaDFfdGE0MRYwFAYJKoZIhvcNAQkBFgdjaDFfdGE0MIGf
-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0JRw6wiavjYJNKePgeG8rfzyxjMA3
-lnHSQiHfLsTAWmDkcW8F34ioS+yHVI0IyfcZhKXQzMtDw3BpZy5MvuYtk5D5AjCn
-Q9If5dTPW1x0iAYO7s14LC8nTJkvvppzW5sc42dUtnSnyTHTY2rFSlAi66/izXre
-WWhqpg4m1lK2oQIDAQABo4HhMIHeMB0GA1UdDgQWBBQpevm04xuPGWNS+hmgq9o3
-5HCpcTCBmwYDVR0jBIGTMIGQgBSERimIdDHvpsw841gp3r79G/RZmKFtpGswaTEL
-MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRh
-IENsYXJhMQ0wCwYDVQQKDARwa2c1MQwwCgYDVQQDDAN0YTQxEjAQBgkqhkiG9w0B
-CQEWA3RhNIIJAOj3jTj6S1XdMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD
-AgEGMA0GCSqGSIb3DQEBCwUAA4GBAJHSLm9VzsY52LQfet9/vY9OZuwQPTXxNiKQ
-rrcW5Ej17GMn6IgyeKwhzHH5Rmpztwkkp0RoQaUH+aPsx1PKaOQJaLfuEfKMCIA8
-pVbi86iqHjSZSSaKH1A20g7utqCm5rCUQaa83pNvr7P69KPDRoP4J2eOnkDseQgL
-4kZzYQ3G
------END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/23.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -0,0 +1,86 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 35 (0x23)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta4/emailAddress=ta4
+        Validity
+            Not Before: Jan 22 01:57:59 2016 GMT
+            Not After : Oct 18 01:57:59 2018 GMT
+        Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1_ta4/emailAddress=ch1_ta4
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bb:fd:5f:54:54:fb:49:01:62:e3:f9:cb:c6:a1:
+                    e4:26:2c:7d:8e:44:0c:d3:2a:de:7c:6d:c0:e3:7e:
+                    52:ac:7c:19:8e:6d:18:bd:76:2f:2c:89:d1:5b:e6:
+                    e4:cb:58:b4:19:8d:d4:16:c9:23:83:f7:48:7f:dd:
+                    4e:0f:8d:56:21:43:7b:69:3f:ec:13:dc:34:6e:f0:
+                    28:e5:21:eb:45:2c:0f:50:c1:17:0d:f7:81:ee:bb:
+                    6c:ee:f8:e7:3d:b9:62:d9:45:92:f1:52:f8:d3:e0:
+                    0c:fc:cc:db:98:6a:21:15:71:7e:a4:11:45:e2:bb:
+                    d5:bb:2a:6c:d2:ec:81:e0:92:59:e6:db:d9:c4:c2:
+                    36:e1:55:73:73:94:cb:c3:b5:1f:a4:27:2e:a3:60:
+                    a5:aa:52:3b:55:89:04:f8:f2:c8:4a:a0:04:c1:d1:
+                    4b:cb:ea:d9:d0:78:b4:48:db:47:24:bb:45:5b:17:
+                    6c:bd:70:0a:88:d7:0b:85:c0:3a:96:3d:ae:ac:da:
+                    c7:95:4a:8b:02:1a:42:bf:b1:8d:0d:67:96:75:74:
+                    d7:ea:58:4a:d7:f7:74:c2:38:19:94:18:95:a6:04:
+                    38:d9:38:24:81:91:d2:07:e1:3e:51:f4:57:83:b0:
+                    45:e2:34:e7:67:8e:0e:bd:d9:71:41:40:52:3b:7e:
+                    6e:91
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                59:7F:0E:5C:5B:04:78:41:DB:55:AC:9E:07:50:E4:FB:9E:26:28:C8
+            X509v3 Authority Key Identifier: 
+                keyid:B1:21:EA:DF:EB:EB:ED:BB:BE:BE:0F:FA:69:1D:B6:28:E9:6F:8F:45
+                DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta4/emailAddress=ta4
+                serial:98:F5:DE:E5:E8:5C:CD:26
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+    Signature Algorithm: sha256WithRSAEncryption
+         4b:d5:d6:af:df:60:18:e2:66:8c:5e:87:2c:bb:50:8d:4b:c0:
+         85:63:c3:c4:6f:00:fb:3c:fa:5e:3f:8e:a6:b0:4c:91:ef:29:
+         c7:30:82:e6:25:68:44:b5:a8:d0:8a:37:e1:50:e2:2a:ce:37:
+         8d:d9:70:84:f0:90:c6:8f:2e:eb:09:f5:5a:5f:e6:4c:1c:24:
+         8a:32:17:50:51:47:e5:23:bb:c0:47:47:71:58:36:3a:4e:91:
+         79:06:0d:c8:00:e7:20:15:12:bb:28:e3:85:bd:55:dc:78:d5:
+         10:79:f8:f0:fb:62:af:81:50:0f:3d:fe:d4:36:4c:60:92:54:
+         3a:31:d0:6d:62:b4:29:dd:bd:33:c2:82:ba:00:5b:7a:b4:6d:
+         12:d0:0b:fc:dc:65:68:98:d1:73:2a:f1:c0:36:cd:16:b2:e6:
+         f5:8e:fc:b9:35:66:43:cb:2e:01:c7:73:4b:75:95:b8:4f:b4:
+         58:8c:f7:44:7e:cc:3b:26:39:8f:ad:10:e5:ad:16:f1:8b:1b:
+         17:bb:79:16:e6:c7:53:f5:7c:6b:4c:a8:fb:95:63:8f:69:ff:
+         67:39:7a:a0:33:67:00:e3:8f:49:77:e5:90:61:1f:da:7d:d8:
+         7f:f3:95:b6:74:fc:a0:36:5c:4d:99:39:d2:5f:62:2e:7b:78:
+         46:89:76:1a
+-----BEGIN CERTIFICATE-----
+MIIENzCCAx+gAwIBAgIBIzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
+BAoMBHBrZzUxDDAKBgNVBAMMA3RhNDESMBAGCSqGSIb3DQEJARYDdGE0MB4XDTE2
+MDEyMjAxNTc1OVoXDTE4MTAxODAxNTc1OVowcTELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
+a2c1MRAwDgYDVQQDDAdjaDFfdGE0MRYwFAYJKoZIhvcNAQkBFgdjaDFfdGE0MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu/1fVFT7SQFi4/nLxqHkJix9
+jkQM0yrefG3A435SrHwZjm0YvXYvLInRW+bky1i0GY3UFskjg/dIf91OD41WIUN7
+aT/sE9w0bvAo5SHrRSwPUMEXDfeB7rts7vjnPbli2UWS8VL40+AM/MzbmGohFXF+
+pBFF4rvVuyps0uyB4JJZ5tvZxMI24VVzc5TLw7UfpCcuo2ClqlI7VYkE+PLISqAE
+wdFLy+rZ0Hi0SNtHJLtFWxdsvXAKiNcLhcA6lj2urNrHlUqLAhpCv7GNDWeWdXTX
+6lhK1/d0wjgZlBiVpgQ42TgkgZHSB+E+UfRXg7BF4jTnZ44OvdlxQUBSO35ukQID
+AQABo4HhMIHeMB0GA1UdDgQWBBRZfw5cWwR4QdtVrJ4HUOT7niYoyDCBmwYDVR0j
+BIGTMIGQgBSxIerf6+vtu76+D/ppHbYo6W+PRaFtpGswaTELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYD
+VQQKDARwa2c1MQwwCgYDVQQDDAN0YTQxEjAQBgkqhkiG9w0BCQEWA3RhNIIJAJj1
+3uXoXM0mMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
+DQEBCwUAA4IBAQBL1dav32AY4maMXocsu1CNS8CFY8PEbwD7PPpeP46msEyR7ynH
+MILmJWhEtajQijfhUOIqzjeN2XCE8JDGjy7rCfVaX+ZMHCSKMhdQUUflI7vAR0dx
+WDY6TpF5Bg3IAOcgFRK7KOOFvVXceNUQefjw+2KvgVAPPf7UNkxgklQ6MdBtYrQp
+3b0zwoK6AFt6tG0S0Av83GVomNFzKvHANs0Wsub1jvy5NWZDyy4Bx3NLdZW4T7RY
+jPdEfsw7JjmPrRDlrRbxixsXu3kW5sdT9XxrTKj7lWOPaf9nOXqgM2cA449Jd+WQ
+YR/afdh/85W2dPygNlxNmTnSX2Iue3hGiXYa
+-----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/26.pem	Tue Mar 08 11:12:06 2016 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,65 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 38 (0x26)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta4/emailAddress=ta4
-        Validity
-            Not Before: Dec 13 00:13:37 2013 GMT
-            Not After : Sep  8 00:13:37 2016 GMT
-        Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1.1_ta4/emailAddress=ch1.1_ta4
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
-                Modulus:
-                    00:ba:40:be:7e:1b:2f:92:11:cc:dc:44:14:76:87:
-                    8a:6a:94:b6:28:4e:87:5b:bc:57:46:75:63:38:4d:
-                    90:3e:7a:46:0e:87:e9:a9:04:1a:7d:e5:20:dc:81:
-                    9a:79:7e:1b:ab:ce:50:ce:47:54:04:98:16:d5:a6:
-                    6d:16:3c:52:ef:ed:43:c5:9b:d3:c8:48:cb:47:5d:
-                    08:1d:d1:44:fd:7c:c7:54:41:11:3b:3e:ae:bb:7f:
-                    94:a6:13:8f:89:6c:24:b3:a8:5e:e2:5d:20:40:85:
-                    2b:a0:ac:ed:a3:a8:b2:15:59:fc:ad:e8:5d:72:ee:
-                    64:eb:9c:30:8c:0a:97:32:f9
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                D1:74:80:71:CE:2E:24:57:71:C0:CA:50:42:8B:B3:99:0C:C7:6B:AD
-            X509v3 Authority Key Identifier: 
-                keyid:84:46:29:88:74:31:EF:A6:CC:3C:E3:58:29:DE:BE:FD:1B:F4:59:98
-                DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta4/emailAddress=ta4
-                serial:E8:F7:8D:38:FA:4B:55:DD
-
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign
-    Signature Algorithm: sha256WithRSAEncryption
-         25:f7:af:7c:b8:de:50:02:c2:31:ed:50:89:5e:85:bc:e5:f4:
-         a0:03:7e:35:85:d5:2c:4c:bb:62:39:45:e9:50:9b:db:7a:4b:
-         91:e1:dd:e7:dc:b6:da:36:69:d7:2d:68:5c:96:a9:7b:e8:33:
-         17:4c:28:75:c2:6c:53:a8:11:8f:8f:23:89:59:25:8b:26:75:
-         4c:ee:9a:13:eb:78:28:52:dc:b2:fd:96:04:73:a8:78:9e:24:
-         b2:b2:85:88:84:10:ec:83:42:65:22:f1:b5:15:76:14:db:5c:
-         28:43:a4:62:df:27:4a:c5:4b:00:d5:44:83:24:37:f5:c5:4d:
-         b0:4a
------BEGIN CERTIFICATE-----
-MIIDNjCCAp+gAwIBAgIBJjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
-MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
-BAoMBHBrZzUxDDAKBgNVBAMMA3RhNDESMBAGCSqGSIb3DQEJARYDdGE0MB4XDTEz
-MTIxMzAwMTMzN1oXDTE2MDkwODAwMTMzN1owdTELMAkGA1UEBhMCVVMxEzARBgNV
-BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
-a2c1MRIwEAYDVQQDDAljaDEuMV90YTQxGDAWBgkqhkiG9w0BCQEWCWNoMS4xX3Rh
-NDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAukC+fhsvkhHM3EQUdoeKapS2
-KE6HW7xXRnVjOE2QPnpGDofpqQQafeUg3IGaeX4bq85QzkdUBJgW1aZtFjxS7+1D
-xZvTyEjLR10IHdFE/XzHVEEROz6uu3+UphOPiWwks6he4l0gQIUroKzto6iyFVn8
-rehdcu5k65wwjAqXMvkCAwEAAaOB4TCB3jAdBgNVHQ4EFgQU0XSAcc4uJFdxwMpQ
-QouzmQzHa60wgZsGA1UdIwSBkzCBkIAUhEYpiHQx76bMPONYKd6+/Rv0WZihbaRr
-MGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQHDAtT
-YW50YSBDbGFyYTENMAsGA1UECgwEcGtnNTEMMAoGA1UEAwwDdGE0MRIwEAYJKoZI
-hvcNAQkBFgN0YTSCCQDo9404+ktV3TAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
-/wQEAwICBDANBgkqhkiG9w0BAQsFAAOBgQAl9698uN5QAsIx7VCJXoW85fSgA341
-hdUsTLtiOUXpUJvbekuR4d3n3LbaNmnXLWhclql76DMXTCh1wmxTqBGPjyOJWSWL
-JnVM7poT63goUtyy/ZYEc6h4niSysoWIhBDsg0JlIvG1FXYU21woQ6Ri3ydKxUsA
-1USDJDf1xU2wSg==
------END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/27.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -0,0 +1,86 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 39 (0x27)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta4/emailAddress=ta4
+        Validity
+            Not Before: Jan 22 01:57:59 2016 GMT
+            Not After : Oct 18 01:57:59 2018 GMT
+        Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1.1_ta4/emailAddress=ch1.1_ta4
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c7:65:56:1d:48:8d:ff:08:42:35:57:38:6b:5a:
+                    12:0f:c8:73:a8:13:df:96:ce:9e:7c:bc:d7:09:1f:
+                    3e:31:7d:56:4b:0b:e8:51:5c:69:64:a2:43:96:6d:
+                    6a:96:d9:2c:6c:68:73:2e:40:5a:f6:51:5a:6b:e6:
+                    e4:78:4d:fd:5e:82:53:b8:98:0b:ce:66:37:14:8e:
+                    6b:6d:8d:53:a9:9b:cc:88:08:b5:77:c9:48:d9:b5:
+                    9d:9f:05:b9:2e:97:77:96:c5:f3:c5:a1:65:d0:f1:
+                    77:b2:98:d1:ee:6b:56:16:ab:23:65:11:ad:2c:16:
+                    6a:cb:eb:d8:87:5e:8e:f2:37:27:f0:9f:1f:ae:73:
+                    9b:0f:b0:06:1c:cf:da:9d:ac:c7:76:dd:30:94:69:
+                    7d:27:ce:62:d8:18:64:30:59:8c:1c:54:aa:74:c9:
+                    8c:a3:11:b0:04:3c:50:c5:27:1a:eb:51:fa:b8:92:
+                    10:ed:51:4a:65:e6:73:c7:97:4e:5a:6e:76:e2:61:
+                    cc:26:61:f1:c9:d6:4f:db:81:cb:69:6a:d0:91:16:
+                    c3:dd:70:9c:6a:8d:75:ea:a1:39:65:9f:86:16:ed:
+                    fa:c8:f1:f9:58:79:1e:4d:27:51:29:68:90:af:0a:
+                    08:54:1b:3c:4b:96:21:33:6f:a1:80:ed:b0:01:ff:
+                    92:19
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                74:B1:C8:A0:9B:91:9E:DB:63:C3:A6:D4:AC:15:76:3A:16:50:A7:AF
+            X509v3 Authority Key Identifier: 
+                keyid:B1:21:EA:DF:EB:EB:ED:BB:BE:BE:0F:FA:69:1D:B6:28:E9:6F:8F:45
+                DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta4/emailAddress=ta4
+                serial:98:F5:DE:E5:E8:5C:CD:26
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Certificate Sign
+    Signature Algorithm: sha256WithRSAEncryption
+         8c:be:94:6b:34:4c:b7:a7:c0:a6:33:3e:44:ea:88:43:16:71:
+         80:af:85:38:5f:5d:89:f0:bb:ca:3b:1a:48:75:ec:86:48:7b:
+         e7:c6:18:01:87:43:ee:26:22:a9:66:1a:af:d0:c5:4e:c3:f9:
+         b8:b6:30:34:c4:47:5c:75:fd:b4:b1:0a:95:52:87:3a:9c:bf:
+         7f:8e:94:b7:52:69:d5:cc:20:cd:0f:ab:fb:39:8a:5b:c0:94:
+         43:08:e1:ff:57:43:f1:73:82:2c:66:e5:8d:18:0d:69:1f:d4:
+         f8:04:40:df:46:81:58:e3:1f:8d:e1:ee:9b:35:39:89:16:ca:
+         d3:41:f6:6d:91:a5:18:bb:c3:59:a0:c2:58:e6:a5:d5:ca:3b:
+         8e:25:f2:ca:4d:81:7e:e3:0e:9b:98:22:ec:8f:15:19:fa:36:
+         66:76:52:b0:f3:37:87:0b:17:45:5a:0f:ad:40:63:4a:4c:59:
+         0d:3e:44:16:50:8f:42:ed:5d:16:be:41:c3:75:cc:bb:73:f3:
+         18:ad:25:37:c1:58:2f:53:b0:aa:14:f7:d9:e1:8d:ba:a5:f9:
+         28:fb:04:57:4a:41:13:7f:cb:bc:d6:f5:69:85:d9:f4:ed:8c:
+         95:ff:57:24:d5:3e:4b:84:7e:40:05:c1:1d:53:fa:ce:6b:5e:
+         05:e5:f1:10
+-----BEGIN CERTIFICATE-----
+MIIEOzCCAyOgAwIBAgIBJzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
+BAoMBHBrZzUxDDAKBgNVBAMMA3RhNDESMBAGCSqGSIb3DQEJARYDdGE0MB4XDTE2
+MDEyMjAxNTc1OVoXDTE4MTAxODAxNTc1OVowdTELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
+a2c1MRIwEAYDVQQDDAljaDEuMV90YTQxGDAWBgkqhkiG9w0BCQEWCWNoMS4xX3Rh
+NDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMdlVh1Ijf8IQjVXOGta
+Eg/Ic6gT35bOnny81wkfPjF9VksL6FFcaWSiQ5ZtapbZLGxocy5AWvZRWmvm5HhN
+/V6CU7iYC85mNxSOa22NU6mbzIgItXfJSNm1nZ8FuS6Xd5bF88WhZdDxd7KY0e5r
+VharI2URrSwWasvr2IdejvI3J/CfH65zmw+wBhzP2p2sx3bdMJRpfSfOYtgYZDBZ
+jBxUqnTJjKMRsAQ8UMUnGutR+riSEO1RSmXmc8eXTlpuduJhzCZh8cnWT9uBy2lq
+0JEWw91wnGqNdeqhOWWfhhbt+sjx+Vh5Hk0nUSlokK8KCFQbPEuWITNvoYDtsAH/
+khkCAwEAAaOB4TCB3jAdBgNVHQ4EFgQUdLHIoJuRnttjw6bUrBV2OhZQp68wgZsG
+A1UdIwSBkzCBkIAUsSHq3+vr7bu+vg/6aR22KOlvj0WhbaRrMGkxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQHDAtTYW50YSBDbGFyYTEN
+MAsGA1UECgwEcGtnNTEMMAoGA1UEAwwDdGE0MRIwEAYJKoZIhvcNAQkBFgN0YTSC
+CQCY9d7l6FzNJjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkq
+hkiG9w0BAQsFAAOCAQEAjL6UazRMt6fApjM+ROqIQxZxgK+FOF9difC7yjsaSHXs
+hkh758YYAYdD7iYiqWYar9DFTsP5uLYwNMRHXHX9tLEKlVKHOpy/f46Ut1Jp1cwg
+zQ+r+zmKW8CUQwjh/1dD8XOCLGbljRgNaR/U+ARA30aBWOMfjeHumzU5iRbK00H2
+bZGlGLvDWaDCWOal1co7jiXyyk2BfuMOm5gi7I8VGfo2ZnZSsPM3hwsXRVoPrUBj
+SkxZDT5EFlCPQu1dFr5Bw3XMu3PzGK0lN8FYL1OwqhT32eGNuqX5KPsEV0pBE3/L
+vNb1aYXZ9O2Mlf9XJNU+S4R+QAXBHVP6zmteBeXxEA==
+-----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/28.pem	Tue Mar 08 11:12:06 2016 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,71 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 40 (0x28)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta5/emailAddress=ta5
-        Validity
-            Not Before: Dec 13 00:13:38 2013 GMT
-            Not After : Sep  8 00:13:38 2016 GMT
-        Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1_ta5/emailAddress=ch1_ta5
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
-                Modulus:
-                    00:c6:67:76:93:23:82:9f:2f:70:27:4f:64:9e:c3:
-                    80:4d:e3:9d:bb:f9:ea:2e:f1:02:e1:e1:a8:5b:f6:
-                    dc:c9:7b:ef:be:5a:41:11:bd:c4:51:e1:d8:74:6a:
-                    16:89:83:f7:3a:fd:0b:cc:9b:e6:96:d8:13:e3:ef:
-                    78:65:97:ff:81:90:97:e8:77:fd:ed:9c:56:2e:c7:
-                    a4:ec:f7:2c:fc:a0:f6:de:ab:ec:d6:e7:9e:35:e6:
-                    b7:dc:65:1b:c8:e4:5a:a2:9d:d8:5b:b9:fa:26:8c:
-                    8d:00:66:c4:05:28:9c:a8:3c:b1:81:c7:75:0a:51:
-                    ed:4f:49:d7:96:b5:8b:34:f9
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                8E:29:B3:96:C1:67:FE:34:F3:55:99:68:C4:DA:2A:C0:24:8A:19:C6
-            X509v3 Authority Key Identifier: 
-                keyid:29:DA:B1:46:E3:61:51:AC:3C:3E:F6:78:5B:95:7B:6D:B2:F9:17:21
-                DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta5/emailAddress=ta5
-                serial:A7:8F:F0:5E:6B:64:C2:46
-
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://localhost:12001/file/0/ta5_crl.pem
-
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-    Signature Algorithm: sha256WithRSAEncryption
-         9d:32:27:d7:4e:4e:8b:e4:9f:d0:0d:11:f3:e5:be:5f:7f:7e:
-         cf:ef:98:41:33:ba:04:ba:d9:7a:11:88:b8:13:66:74:44:1c:
-         fb:1e:f3:fa:d4:18:85:cd:ed:f0:f8:c2:be:ab:75:cf:65:da:
-         1a:77:01:0e:aa:49:ea:af:a7:db:39:84:f2:01:1d:28:e7:df:
-         22:a9:59:5a:21:f9:f9:30:84:64:52:50:01:9b:b2:bf:ca:8a:
-         b4:8b:36:96:e3:1a:ea:51:53:36:82:ba:88:8f:15:8c:e6:79:
-         59:aa:71:9b:4c:58:a2:68:f0:43:36:15:af:69:af:32:ed:49:
-         c8:9c
------BEGIN CERTIFICATE-----
-MIIDcDCCAtmgAwIBAgIBKDANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
-MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
-BAoMBHBrZzUxDDAKBgNVBAMMA3RhNTESMBAGCSqGSIb3DQEJARYDdGE1MB4XDTEz
-MTIxMzAwMTMzOFoXDTE2MDkwODAwMTMzOFowcTELMAkGA1UEBhMCVVMxEzARBgNV
-BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
-a2c1MRAwDgYDVQQDDAdjaDFfdGE1MRYwFAYJKoZIhvcNAQkBFgdjaDFfdGE1MIGf
-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGZ3aTI4KfL3AnT2Sew4BN4527+eou
-8QLh4ahb9tzJe+++WkERvcRR4dh0ahaJg/c6/QvMm+aW2BPj73hll/+BkJfod/3t
-nFYux6Ts9yz8oPbeq+zW55415rfcZRvI5FqindhbufomjI0AZsQFKJyoPLGBx3UK
-Ue1PSdeWtYs0+QIDAQABo4IBHjCCARowHQYDVR0OBBYEFI4ps5bBZ/4081WZaMTa
-KsAkihnGMIGbBgNVHSMEgZMwgZCAFCnasUbjYVGsPD72eFuVe22y+RchoW2kazBp
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2Fu
-dGEgQ2xhcmExDTALBgNVBAoMBHBrZzUxDDAKBgNVBAMMA3RhNTESMBAGCSqGSIb3
-DQEJARYDdGE1ggkAp4/wXmtkwkYwDwYDVR0TAQH/BAUwAwEB/zA6BgNVHR8EMzAx
-MC+gLaArhilodHRwOi8vbG9jYWxob3N0OjEyMDAxL2ZpbGUvMC90YTVfY3JsLnBl
-bTAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAnTIn105Oi+Sf0A0R
-8+W+X39+z++YQTO6BLrZehGIuBNmdEQc+x7z+tQYhc3t8PjCvqt1z2XaGncBDqpJ
-6q+n2zmE8gEdKOffIqlZWiH5+TCEZFJQAZuyv8qKtIs2luMa6lFTNoK6iI8VjOZ5
-Wapxm0xYomjwQzYVr2mvMu1JyJw=
------END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/29.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -0,0 +1,92 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 41 (0x29)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta5/emailAddress=ta5
+        Validity
+            Not Before: Jan 22 01:57:59 2016 GMT
+            Not After : Oct 18 01:57:59 2018 GMT
+        Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1_ta5/emailAddress=ch1_ta5
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c4:30:ef:b0:77:4e:44:58:ca:72:ac:ea:37:5e:
+                    8d:4e:a1:89:7b:b1:ff:ee:da:e1:fb:3a:3c:b7:44:
+                    37:af:79:c9:ae:21:c6:d2:6d:27:68:a8:ac:b3:77:
+                    4f:9a:b9:51:af:f9:47:bf:49:6c:f6:21:f9:b9:78:
+                    2e:b4:a5:29:db:96:06:6a:2c:c6:25:6e:e9:eb:59:
+                    01:c1:c6:34:ef:1d:61:8f:5f:55:d8:fc:42:ac:12:
+                    5f:8c:b1:51:da:f6:82:7a:49:f4:2a:72:15:b0:1a:
+                    2c:7e:e5:4a:33:64:ca:ad:a2:7b:37:aa:7e:9a:ab:
+                    ce:e6:18:de:93:58:47:33:be:e7:48:da:c5:95:aa:
+                    fc:ff:83:b9:00:74:39:dd:21:b8:d3:5b:3d:e3:28:
+                    ef:11:59:65:9b:96:59:a5:fe:08:ab:8e:80:ba:32:
+                    09:38:1c:a1:b1:99:db:3e:90:0e:e6:cd:51:d4:4f:
+                    75:98:67:c3:42:71:76:0a:b4:e1:fb:44:c0:8a:35:
+                    d9:a2:d3:7b:e0:0c:4d:4b:67:06:ee:5c:06:72:81:
+                    25:bd:b1:5c:db:19:55:e3:9a:ee:ae:58:46:60:5c:
+                    a2:df:f5:89:09:48:3f:cd:7f:9b:20:0e:84:ef:8c:
+                    5a:ea:5e:99:59:4b:91:af:18:5d:0a:08:c3:0c:38:
+                    87:6f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                AB:85:31:3F:5E:AA:BD:C0:59:AC:A2:04:AA:D7:29:E8:19:AE:FB:F4
+            X509v3 Authority Key Identifier: 
+                keyid:DC:66:15:EE:AB:F6:53:B7:63:E5:B0:CB:B8:F0:D4:61:B5:27:94:3F
+                DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta5/emailAddress=ta5
+                serial:A9:DD:14:32:D5:19:7A:EA
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://localhost:12001/file/0/ta5_crl.pem
+
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+    Signature Algorithm: sha256WithRSAEncryption
+         13:bc:5b:b0:af:1c:17:88:8d:4f:2b:ee:1c:3b:b2:fd:2f:b9:
+         c3:18:d6:08:1d:3f:46:31:56:ca:97:ec:d6:96:18:b4:f0:9e:
+         9a:c6:c9:52:bc:b3:e9:f2:6c:27:a9:29:54:33:fa:15:59:16:
+         b7:e8:0c:d7:4a:a9:34:02:19:72:43:56:c0:ad:d2:b4:c0:61:
+         be:22:e5:e5:cf:68:8a:5c:50:b1:ee:5d:38:3d:83:65:27:58:
+         a6:10:ee:46:17:54:94:85:da:5e:da:1c:a4:0c:5a:31:78:47:
+         07:37:c1:c7:fa:49:84:84:5e:a5:e3:67:83:66:55:b1:9b:06:
+         c2:4f:75:83:19:4a:1f:86:33:14:08:10:90:fa:6a:5d:a8:d0:
+         69:8c:8b:9b:36:9a:80:2e:bc:f8:ec:8f:12:22:75:78:b9:eb:
+         ff:02:90:d3:77:32:16:ab:78:c8:62:46:22:78:c6:c1:22:30:
+         8e:a0:7a:78:1d:9f:14:fe:bf:39:f3:d2:d3:4f:65:32:5d:26:
+         8c:02:c1:9d:55:94:dd:ec:e1:b8:ab:0a:08:ff:7f:9f:ba:55:
+         88:23:72:d5:79:1d:e7:b0:54:9c:a6:bf:fa:7f:73:bc:19:ac:
+         b3:38:ab:d0:00:33:c2:dd:cb:30:69:98:4b:d5:5b:a6:f8:cd:
+         00:19:9c:dd
+-----BEGIN CERTIFICATE-----
+MIIEdTCCA12gAwIBAgIBKTANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
+BAoMBHBrZzUxDDAKBgNVBAMMA3RhNTESMBAGCSqGSIb3DQEJARYDdGE1MB4XDTE2
+MDEyMjAxNTc1OVoXDTE4MTAxODAxNTc1OVowcTELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
+a2c1MRAwDgYDVQQDDAdjaDFfdGE1MRYwFAYJKoZIhvcNAQkBFgdjaDFfdGE1MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxDDvsHdORFjKcqzqN16NTqGJ
+e7H/7trh+zo8t0Q3r3nJriHG0m0naKiss3dPmrlRr/lHv0ls9iH5uXgutKUp25YG
+aizGJW7p61kBwcY07x1hj19V2PxCrBJfjLFR2vaCekn0KnIVsBosfuVKM2TKraJ7
+N6p+mqvO5hjek1hHM77nSNrFlar8/4O5AHQ53SG401s94yjvEVllm5ZZpf4Iq46A
+ujIJOByhsZnbPpAO5s1R1E91mGfDQnF2CrTh+0TAijXZotN74AxNS2cG7lwGcoEl
+vbFc2xlV45rurlhGYFyi3/WJCUg/zX+bIA6E74xa6l6ZWUuRrxhdCgjDDDiHbwID
+AQABo4IBHjCCARowHQYDVR0OBBYEFKuFMT9eqr3AWayiBKrXKegZrvv0MIGbBgNV
+HSMEgZMwgZCAFNxmFe6r9lO3Y+Wwy7jw1GG1J5Q/oW2kazBpMQswCQYDVQQGEwJV
+UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
+BgNVBAoMBHBrZzUxDDAKBgNVBAMMA3RhNTESMBAGCSqGSIb3DQEJARYDdGE1ggkA
+qd0UMtUZeuowDwYDVR0TAQH/BAUwAwEB/zA6BgNVHR8EMzAxMC+gLaArhilodHRw
+Oi8vbG9jYWxob3N0OjEyMDAxL2ZpbGUvMC90YTVfY3JsLnBlbTAOBgNVHQ8BAf8E
+BAMCAQYwDQYJKoZIhvcNAQELBQADggEBABO8W7CvHBeIjU8r7hw7sv0vucMY1ggd
+P0YxVsqX7NaWGLTwnprGyVK8s+nybCepKVQz+hVZFrfoDNdKqTQCGXJDVsCt0rTA
+Yb4i5eXPaIpcULHuXTg9g2UnWKYQ7kYXVJSF2l7aHKQMWjF4Rwc3wcf6SYSEXqXj
+Z4NmVbGbBsJPdYMZSh+GMxQIEJD6al2o0GmMi5s2moAuvPjsjxIidXi56/8CkNN3
+MhareMhiRiJ4xsEiMI6gengdnxT+vznz0tNPZTJdJowCwZ1VlN3s4birCgj/f5+6
+VYgjctV5HeewVJymv/p/c7wZrLM4q9AAM8LdyzBpmEvVW6b4zQAZnN0=
+-----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/ch1.1_ta3_cert.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/ch1.1_ta3_cert.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -1,26 +1,35 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 26 (0x1a)
+        Serial Number: 27 (0x1b)
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta3/emailAddress=ta3
         Validity
-            Not Before: Dec 13 00:13:36 2013 GMT
-            Not After : Sep  8 00:13:36 2016 GMT
+            Not Before: Jan 22 01:57:57 2016 GMT
+            Not After : Oct 18 01:57:57 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1.1_ta3/emailAddress=ch1.1_ta3
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:df:da:60:8b:c6:d6:55:f7:d0:5b:a7:5a:87:d2:
-                    90:7b:9c:46:31:96:5e:15:a0:c7:44:b3:79:ce:ae:
-                    d7:af:99:a9:fe:6d:c6:69:23:09:45:68:64:01:dc:
-                    a0:7e:8c:ed:c9:bc:14:d3:84:62:2a:8a:21:30:48:
-                    30:97:94:99:84:69:f0:c0:46:a4:72:82:51:30:fe:
-                    f0:fc:60:6c:ea:b8:7d:52:ce:fd:e5:20:b7:9f:4b:
-                    03:21:74:f3:58:35:3a:ef:f7:e0:84:64:06:84:36:
-                    62:e8:82:65:82:1e:56:c7:ea:1e:eb:65:7d:b3:83:
-                    9c:fc:e6:ba:65:c4:82:e3:5f
+                    00:9f:68:52:eb:ed:18:33:43:ef:ec:5d:7a:a7:a7:
+                    06:d7:86:ce:0d:52:d6:da:ab:34:ad:9f:cd:0a:79:
+                    20:47:a9:3d:8f:f8:6b:e3:1a:9d:df:88:5c:c4:ad:
+                    06:66:22:d9:d7:f0:c2:ca:b3:ae:9c:78:e6:2d:18:
+                    20:c9:cc:e1:1a:27:12:32:b3:0b:eb:ba:e2:0e:ce:
+                    dd:fa:22:0b:ae:00:03:ee:89:1e:03:14:d4:86:80:
+                    b9:a2:98:be:60:25:63:2a:16:b4:63:1a:3f:0b:53:
+                    13:c6:53:77:1c:ed:b2:11:e6:f4:d5:1a:51:c0:f5:
+                    0f:3c:f7:b7:85:cf:66:f4:88:b0:e3:ea:35:fd:bc:
+                    35:e0:82:16:a8:08:b0:9b:c9:2e:88:94:bb:ac:5d:
+                    76:2f:b5:cf:da:e7:4e:72:d3:dc:8e:df:aa:0b:ed:
+                    55:ac:41:01:4f:fd:68:87:ee:ee:32:90:d6:95:b0:
+                    f7:78:1c:82:34:31:46:44:fa:f4:1a:63:88:ee:14:
+                    96:b1:bf:bd:41:82:77:4e:bb:5f:06:2b:dc:2f:4c:
+                    d3:42:96:0c:c2:82:a8:fb:3b:9f:4b:9f:d5:0a:74:
+                    44:62:4f:9f:55:ce:ed:72:7e:26:ee:22:12:6f:69:
+                    87:53:b8:79:aa:ee:21:e2:5f:bc:dd:c1:2a:2a:75:
+                    86:45
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
@@ -29,27 +38,39 @@
                 <EMPTY>
 
     Signature Algorithm: sha256WithRSAEncryption
-         ae:2b:af:4b:e6:7b:a1:28:27:46:1e:10:55:c2:2c:e4:6b:e9:
-         f2:6c:38:87:ed:f1:da:d5:92:39:89:22:53:3e:b4:da:3d:ae:
-         8d:ea:42:15:bb:4d:c6:ef:50:9c:1d:8b:93:92:7d:33:31:bd:
-         48:79:76:15:d4:8a:fd:bd:ae:1d:61:43:8d:88:ec:83:8d:15:
-         c9:50:73:e0:07:1a:41:e7:b2:a0:ac:9b:33:ed:bd:73:c5:32:
-         25:dd:ad:01:4b:90:62:25:e8:75:8e:19:e8:f5:4b:b8:89:2a:
-         c6:eb:d6:9c:31:f5:83:dd:1d:f9:71:11:ce:3b:0c:f5:e3:e4:
-         89:0a
+         0e:01:13:03:6b:ee:cc:3f:ef:73:4b:8e:5e:a9:4d:67:34:05:
+         a7:58:5e:58:cf:09:25:77:74:82:da:76:03:79:cf:65:83:c5:
+         97:2c:dc:37:b8:d6:c9:bb:a9:5d:57:17:5b:da:c3:8d:18:11:
+         e4:47:d4:e5:a2:72:0d:15:eb:1c:de:82:ff:cc:30:98:0b:4c:
+         46:96:63:f0:00:87:db:ac:1d:88:b3:c4:3b:ea:ac:20:4b:b1:
+         e3:71:28:8f:a6:bb:b4:0d:b8:6f:8d:eb:e9:9a:0f:53:03:1a:
+         ab:a0:c7:db:0c:e8:6e:05:a3:90:26:00:68:65:67:b7:a1:8e:
+         0c:08:96:2e:27:03:4b:df:b6:c8:a1:53:ce:3c:83:b0:7b:d8:
+         5f:8f:cf:61:d9:7c:8a:79:e4:a6:3a:79:0a:a7:82:c1:d3:d4:
+         a4:01:a2:82:08:f0:01:77:0f:2c:dc:40:73:81:35:83:ff:56:
+         4e:70:65:89:4e:17:9a:ff:7d:c4:9f:eb:62:f3:d3:44:87:c2:
+         d5:41:28:2d:72:69:d9:f9:94:9a:c9:0a:f1:02:9a:47:04:3e:
+         80:d6:c8:14:ab:e2:c7:3a:24:86:01:77:58:af:2b:e4:6a:73:
+         81:96:7f:5d:0b:34:ff:ef:98:88:f9:ea:2b:43:a4:2c:56:65:
+         c1:2c:f5:48
 -----BEGIN CERTIFICATE-----
-MIICdTCCAd6gAwIBAgIBGjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
+MIIDejCCAmKgAwIBAgIBGzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
-BAoMBHBrZzUxDDAKBgNVBAMMA3RhMzESMBAGCSqGSIb3DQEJARYDdGEzMB4XDTEz
-MTIxMzAwMTMzNloXDTE2MDkwODAwMTMzNlowdTELMAkGA1UEBhMCVVMxEzARBgNV
+BAoMBHBrZzUxDDAKBgNVBAMMA3RhMzESMBAGCSqGSIb3DQEJARYDdGEzMB4XDTE2
+MDEyMjAxNTc1N1oXDTE4MTAxODAxNTc1N1owdTELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
 a2c1MRIwEAYDVQQDDAljaDEuMV90YTMxGDAWBgkqhkiG9w0BCQEWCWNoMS4xX3Rh
-MzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA39pgi8bWVffQW6dah9KQe5xG
-MZZeFaDHRLN5zq7Xr5mp/m3GaSMJRWhkAdygfoztybwU04RiKoohMEgwl5SZhGnw
-wEakcoJRMP7w/GBs6rh9Us795SC3n0sDIXTzWDU67/fghGQGhDZi6IJlgh5Wx+oe
-62V9s4Oc/Oa6ZcSC418CAwEAAaMhMB8wDwYDVR0TAQH/BAUwAwEB/zAMBgNVHRIB
-Af8EAjAAMA0GCSqGSIb3DQEBCwUAA4GBAK4rr0vme6EoJ0YeEFXCLORr6fJsOIft
-8drVkjmJIlM+tNo9ro3qQhW7TcbvUJwdi5OSfTMxvUh5dhXUiv29rh1hQ42I7ION
-FclQc+AHGkHnsqCsmzPtvXPFMiXdrQFLkGIl6HWOGej1S7iJKsbr1pwx9YPdHflx
-Ec47DPXj5IkK
+MzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ9oUuvtGDND7+xdeqen
+BteGzg1S1tqrNK2fzQp5IEepPY/4a+Mand+IXMStBmYi2dfwwsqzrpx45i0YIMnM
+4RonEjKzC+u64g7O3foiC64AA+6JHgMU1IaAuaKYvmAlYyoWtGMaPwtTE8ZTdxzt
+shHm9NUaUcD1Dzz3t4XPZvSIsOPqNf28NeCCFqgIsJvJLoiUu6xddi+1z9rnTnLT
+3I7fqgvtVaxBAU/9aIfu7jKQ1pWw93gcgjQxRkT69BpjiO4UlrG/vUGCd067XwYr
+3C9M00KWDMKCqPs7n0uf1Qp0RGJPn1XO7XJ+Ju4iEm9ph1O4earuIeJfvN3BKip1
+hkUCAwEAAaMhMB8wDwYDVR0TAQH/BAUwAwEB/zAMBgNVHRIBAf8EAjAAMA0GCSqG
+SIb3DQEBCwUAA4IBAQAOARMDa+7MP+9zS45eqU1nNAWnWF5Yzwkld3SC2nYDec9l
+g8WXLNw3uNbJu6ldVxdb2sONGBHkR9TlonINFesc3oL/zDCYC0xGlmPwAIfbrB2I
+s8Q76qwgS7HjcSiPpru0Dbhvjevpmg9TAxqroMfbDOhuBaOQJgBoZWe3oY4MCJYu
+JwNL37bIoVPOPIOwe9hfj89h2XyKeeSmOnkKp4LB09SkAaKCCPABdw8s3EBzgTWD
+/1ZOcGWJThea/33En+ti89NEh8LVQSgtcmnZ+ZSayQrxAppHBD6A1sgUq+LHOiSG
+AXdYryvkanOBln9dCzT/75iI+eorQ6QsVmXBLPVI
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/ch1.1_ta4_cert.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/ch1.1_ta4_cert.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -1,65 +1,86 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 38 (0x26)
+        Serial Number: 39 (0x27)
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta4/emailAddress=ta4
         Validity
-            Not Before: Dec 13 00:13:37 2013 GMT
-            Not After : Sep  8 00:13:37 2016 GMT
+            Not Before: Jan 22 01:57:59 2016 GMT
+            Not After : Oct 18 01:57:59 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1.1_ta4/emailAddress=ch1.1_ta4
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:ba:40:be:7e:1b:2f:92:11:cc:dc:44:14:76:87:
-                    8a:6a:94:b6:28:4e:87:5b:bc:57:46:75:63:38:4d:
-                    90:3e:7a:46:0e:87:e9:a9:04:1a:7d:e5:20:dc:81:
-                    9a:79:7e:1b:ab:ce:50:ce:47:54:04:98:16:d5:a6:
-                    6d:16:3c:52:ef:ed:43:c5:9b:d3:c8:48:cb:47:5d:
-                    08:1d:d1:44:fd:7c:c7:54:41:11:3b:3e:ae:bb:7f:
-                    94:a6:13:8f:89:6c:24:b3:a8:5e:e2:5d:20:40:85:
-                    2b:a0:ac:ed:a3:a8:b2:15:59:fc:ad:e8:5d:72:ee:
-                    64:eb:9c:30:8c:0a:97:32:f9
+                    00:c7:65:56:1d:48:8d:ff:08:42:35:57:38:6b:5a:
+                    12:0f:c8:73:a8:13:df:96:ce:9e:7c:bc:d7:09:1f:
+                    3e:31:7d:56:4b:0b:e8:51:5c:69:64:a2:43:96:6d:
+                    6a:96:d9:2c:6c:68:73:2e:40:5a:f6:51:5a:6b:e6:
+                    e4:78:4d:fd:5e:82:53:b8:98:0b:ce:66:37:14:8e:
+                    6b:6d:8d:53:a9:9b:cc:88:08:b5:77:c9:48:d9:b5:
+                    9d:9f:05:b9:2e:97:77:96:c5:f3:c5:a1:65:d0:f1:
+                    77:b2:98:d1:ee:6b:56:16:ab:23:65:11:ad:2c:16:
+                    6a:cb:eb:d8:87:5e:8e:f2:37:27:f0:9f:1f:ae:73:
+                    9b:0f:b0:06:1c:cf:da:9d:ac:c7:76:dd:30:94:69:
+                    7d:27:ce:62:d8:18:64:30:59:8c:1c:54:aa:74:c9:
+                    8c:a3:11:b0:04:3c:50:c5:27:1a:eb:51:fa:b8:92:
+                    10:ed:51:4a:65:e6:73:c7:97:4e:5a:6e:76:e2:61:
+                    cc:26:61:f1:c9:d6:4f:db:81:cb:69:6a:d0:91:16:
+                    c3:dd:70:9c:6a:8d:75:ea:a1:39:65:9f:86:16:ed:
+                    fa:c8:f1:f9:58:79:1e:4d:27:51:29:68:90:af:0a:
+                    08:54:1b:3c:4b:96:21:33:6f:a1:80:ed:b0:01:ff:
+                    92:19
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                D1:74:80:71:CE:2E:24:57:71:C0:CA:50:42:8B:B3:99:0C:C7:6B:AD
+                74:B1:C8:A0:9B:91:9E:DB:63:C3:A6:D4:AC:15:76:3A:16:50:A7:AF
             X509v3 Authority Key Identifier: 
-                keyid:84:46:29:88:74:31:EF:A6:CC:3C:E3:58:29:DE:BE:FD:1B:F4:59:98
+                keyid:B1:21:EA:DF:EB:EB:ED:BB:BE:BE:0F:FA:69:1D:B6:28:E9:6F:8F:45
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta4/emailAddress=ta4
-                serial:E8:F7:8D:38:FA:4B:55:DD
+                serial:98:F5:DE:E5:E8:5C:CD:26
 
             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Key Usage: critical
                 Certificate Sign
     Signature Algorithm: sha256WithRSAEncryption
-         25:f7:af:7c:b8:de:50:02:c2:31:ed:50:89:5e:85:bc:e5:f4:
-         a0:03:7e:35:85:d5:2c:4c:bb:62:39:45:e9:50:9b:db:7a:4b:
-         91:e1:dd:e7:dc:b6:da:36:69:d7:2d:68:5c:96:a9:7b:e8:33:
-         17:4c:28:75:c2:6c:53:a8:11:8f:8f:23:89:59:25:8b:26:75:
-         4c:ee:9a:13:eb:78:28:52:dc:b2:fd:96:04:73:a8:78:9e:24:
-         b2:b2:85:88:84:10:ec:83:42:65:22:f1:b5:15:76:14:db:5c:
-         28:43:a4:62:df:27:4a:c5:4b:00:d5:44:83:24:37:f5:c5:4d:
-         b0:4a
+         8c:be:94:6b:34:4c:b7:a7:c0:a6:33:3e:44:ea:88:43:16:71:
+         80:af:85:38:5f:5d:89:f0:bb:ca:3b:1a:48:75:ec:86:48:7b:
+         e7:c6:18:01:87:43:ee:26:22:a9:66:1a:af:d0:c5:4e:c3:f9:
+         b8:b6:30:34:c4:47:5c:75:fd:b4:b1:0a:95:52:87:3a:9c:bf:
+         7f:8e:94:b7:52:69:d5:cc:20:cd:0f:ab:fb:39:8a:5b:c0:94:
+         43:08:e1:ff:57:43:f1:73:82:2c:66:e5:8d:18:0d:69:1f:d4:
+         f8:04:40:df:46:81:58:e3:1f:8d:e1:ee:9b:35:39:89:16:ca:
+         d3:41:f6:6d:91:a5:18:bb:c3:59:a0:c2:58:e6:a5:d5:ca:3b:
+         8e:25:f2:ca:4d:81:7e:e3:0e:9b:98:22:ec:8f:15:19:fa:36:
+         66:76:52:b0:f3:37:87:0b:17:45:5a:0f:ad:40:63:4a:4c:59:
+         0d:3e:44:16:50:8f:42:ed:5d:16:be:41:c3:75:cc:bb:73:f3:
+         18:ad:25:37:c1:58:2f:53:b0:aa:14:f7:d9:e1:8d:ba:a5:f9:
+         28:fb:04:57:4a:41:13:7f:cb:bc:d6:f5:69:85:d9:f4:ed:8c:
+         95:ff:57:24:d5:3e:4b:84:7e:40:05:c1:1d:53:fa:ce:6b:5e:
+         05:e5:f1:10
 -----BEGIN CERTIFICATE-----
-MIIDNjCCAp+gAwIBAgIBJjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
+MIIEOzCCAyOgAwIBAgIBJzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
-BAoMBHBrZzUxDDAKBgNVBAMMA3RhNDESMBAGCSqGSIb3DQEJARYDdGE0MB4XDTEz
-MTIxMzAwMTMzN1oXDTE2MDkwODAwMTMzN1owdTELMAkGA1UEBhMCVVMxEzARBgNV
+BAoMBHBrZzUxDDAKBgNVBAMMA3RhNDESMBAGCSqGSIb3DQEJARYDdGE0MB4XDTE2
+MDEyMjAxNTc1OVoXDTE4MTAxODAxNTc1OVowdTELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
 a2c1MRIwEAYDVQQDDAljaDEuMV90YTQxGDAWBgkqhkiG9w0BCQEWCWNoMS4xX3Rh
-NDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAukC+fhsvkhHM3EQUdoeKapS2
-KE6HW7xXRnVjOE2QPnpGDofpqQQafeUg3IGaeX4bq85QzkdUBJgW1aZtFjxS7+1D
-xZvTyEjLR10IHdFE/XzHVEEROz6uu3+UphOPiWwks6he4l0gQIUroKzto6iyFVn8
-rehdcu5k65wwjAqXMvkCAwEAAaOB4TCB3jAdBgNVHQ4EFgQU0XSAcc4uJFdxwMpQ
-QouzmQzHa60wgZsGA1UdIwSBkzCBkIAUhEYpiHQx76bMPONYKd6+/Rv0WZihbaRr
-MGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQHDAtT
-YW50YSBDbGFyYTENMAsGA1UECgwEcGtnNTEMMAoGA1UEAwwDdGE0MRIwEAYJKoZI
-hvcNAQkBFgN0YTSCCQDo9404+ktV3TAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
-/wQEAwICBDANBgkqhkiG9w0BAQsFAAOBgQAl9698uN5QAsIx7VCJXoW85fSgA341
-hdUsTLtiOUXpUJvbekuR4d3n3LbaNmnXLWhclql76DMXTCh1wmxTqBGPjyOJWSWL
-JnVM7poT63goUtyy/ZYEc6h4niSysoWIhBDsg0JlIvG1FXYU21woQ6Ri3ydKxUsA
-1USDJDf1xU2wSg==
+NDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMdlVh1Ijf8IQjVXOGta
+Eg/Ic6gT35bOnny81wkfPjF9VksL6FFcaWSiQ5ZtapbZLGxocy5AWvZRWmvm5HhN
+/V6CU7iYC85mNxSOa22NU6mbzIgItXfJSNm1nZ8FuS6Xd5bF88WhZdDxd7KY0e5r
+VharI2URrSwWasvr2IdejvI3J/CfH65zmw+wBhzP2p2sx3bdMJRpfSfOYtgYZDBZ
+jBxUqnTJjKMRsAQ8UMUnGutR+riSEO1RSmXmc8eXTlpuduJhzCZh8cnWT9uBy2lq
+0JEWw91wnGqNdeqhOWWfhhbt+sjx+Vh5Hk0nUSlokK8KCFQbPEuWITNvoYDtsAH/
+khkCAwEAAaOB4TCB3jAdBgNVHQ4EFgQUdLHIoJuRnttjw6bUrBV2OhZQp68wgZsG
+A1UdIwSBkzCBkIAUsSHq3+vr7bu+vg/6aR22KOlvj0WhbaRrMGkxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQHDAtTYW50YSBDbGFyYTEN
+MAsGA1UECgwEcGtnNTEMMAoGA1UEAwwDdGE0MRIwEAYJKoZIhvcNAQkBFgN0YTSC
+CQCY9d7l6FzNJjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkq
+hkiG9w0BAQsFAAOCAQEAjL6UazRMt6fApjM+ROqIQxZxgK+FOF9difC7yjsaSHXs
+hkh758YYAYdD7iYiqWYar9DFTsP5uLYwNMRHXHX9tLEKlVKHOpy/f46Ut1Jp1cwg
+zQ+r+zmKW8CUQwjh/1dD8XOCLGbljRgNaR/U+ARA30aBWOMfjeHumzU5iRbK00H2
+bZGlGLvDWaDCWOal1co7jiXyyk2BfuMOm5gi7I8VGfo2ZnZSsPM3hwsXRVoPrUBj
+SkxZDT5EFlCPQu1dFr5Bw3XMu3PzGK0lN8FYL1OwqhT32eGNuqX5KPsEV0pBE3/L
+vNb1aYXZ9O2Mlf9XJNU+S4R+QAXBHVP6zmteBeXxEA==
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/ch1.2_ta3_cert.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/ch1.2_ta3_cert.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -1,7 +1,7 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 28 (0x1c)
+        Serial Number: 29 (0x1d)
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta3/emailAddress=ta3
         Validity
@@ -10,56 +10,77 @@
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1.2_ta3/emailAddress=ch1.2_ta3
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:db:7e:41:d8:93:1f:35:e5:6b:38:25:93:e5:99:
-                    cf:fe:c7:b8:ab:0b:14:47:23:66:52:c7:d4:18:58:
-                    ff:39:a6:c4:a3:44:2e:46:be:24:7b:9d:71:26:12:
-                    6a:99:bd:92:01:5a:dc:a9:36:3c:2d:f8:42:b8:5f:
-                    db:87:8f:09:9a:83:32:5c:b6:1d:c5:e4:aa:47:6d:
-                    46:11:16:72:44:d7:49:ea:d3:4a:a4:52:9a:f4:8a:
-                    b5:e4:ef:32:7b:71:a0:d7:8e:71:86:22:34:44:4a:
-                    95:5a:37:ef:c4:7f:57:1f:99:32:39:ef:ab:94:05:
-                    1b:9a:88:de:39:85:56:4c:f7
+                    00:d6:9f:34:ff:2a:8c:3f:a8:9d:6a:bf:0b:d9:66:
+                    57:2b:ba:9d:bd:88:b8:60:57:c9:b1:a8:2d:f1:74:
+                    e6:84:29:6c:93:9d:ed:12:03:f9:48:ee:8c:f0:5d:
+                    b0:da:9c:a6:2e:4b:64:f1:38:b8:cb:b9:d3:24:57:
+                    e1:57:b6:f1:79:4b:ee:d7:30:5c:89:67:43:1a:e1:
+                    aa:a2:b3:fb:f5:63:69:5b:55:98:3c:f9:2a:5f:56:
+                    f1:b9:6d:a6:4b:8b:9e:c4:2d:30:a2:0e:98:92:0d:
+                    c3:f7:80:69:d3:4b:a6:0a:5b:e8:d8:3d:0e:16:1b:
+                    09:12:b3:95:55:1b:b3:c8:5a:71:45:4d:05:30:ba:
+                    34:8d:86:a0:4a:0f:c3:e5:aa:19:3b:4c:5b:e6:20:
+                    03:7b:d5:c4:90:ec:b4:06:8b:55:ec:37:81:f7:f6:
+                    6d:f8:1e:01:7c:8f:45:08:25:2f:ab:eb:bb:c6:da:
+                    91:6a:f3:c2:21:6c:33:be:ce:56:2e:36:6c:bb:8c:
+                    12:3c:fc:1d:8b:33:14:d4:a0:4b:8e:0d:5b:3a:7c:
+                    47:32:93:03:48:66:6a:a4:1b:a4:b5:43:19:b9:79:
+                    cd:b5:f7:63:a9:5c:8f:ca:99:94:e3:d1:eb:15:a9:
+                    16:3b:92:73:a0:fb:2b:16:8b:31:42:28:6f:0a:6d:
+                    90:3f
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                91:8B:82:B9:57:2C:1B:DB:4B:F6:16:04:D7:3F:04:10:DD:8B:3B:05
+                41:31:30:65:46:6B:1C:63:B9:C8:23:8E:02:37:E2:FF:FF:7C:C4:53
             X509v3 Authority Key Identifier: 
-                keyid:B4:D4:36:9F:F8:CB:A2:5F:50:89:DA:21:E3:27:C4:91:F7:84:88:45
+                keyid:29:6E:FA:0C:C3:3A:D4:13:5F:93:39:0F:10:08:27:C7:BF:62:56:E5
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta3/emailAddress=ta3
-                serial:C0:C4:B4:7D:88:D6:E3:3E
+                serial:8A:15:23:60:8D:FB:3E:84
 
             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         8a:bc:bf:7b:28:d4:bd:a2:a9:91:e8:24:cf:1e:1b:05:7c:32:
-         68:71:40:9a:ef:48:3c:58:43:6c:ae:90:7a:50:a3:49:86:12:
-         57:21:00:0c:49:28:ec:31:fb:04:58:a4:24:c6:7e:14:9d:5a:
-         96:bd:ba:cd:c1:31:cd:c8:f0:77:de:3f:81:0a:d0:31:65:f2:
-         d5:11:c9:6f:cc:5a:f8:f3:c1:8f:31:37:75:3a:c6:6d:6d:6e:
-         d7:16:0a:9b:b0:ce:07:d7:97:36:61:37:5e:4a:16:df:8d:97:
-         f4:71:fe:9b:32:4b:b6:d2:27:f4:9a:7c:b8:83:b3:92:48:2c:
-         ec:0c
+         8c:b9:ed:07:b3:f1:6f:53:7a:1d:62:ef:57:ba:ab:a5:46:93:
+         d0:af:3a:67:2d:50:b0:5a:3b:b0:90:e2:f6:71:5e:fd:d6:fc:
+         70:ce:6c:bf:51:ba:94:db:84:5d:c6:0b:d9:87:79:ea:bf:40:
+         fd:a9:0b:c3:dd:81:ba:7a:40:7e:71:54:89:8b:e4:b2:85:e4:
+         d6:93:d2:a4:9a:02:66:f9:7e:aa:48:e3:0c:ad:3c:f7:2e:55:
+         fa:a1:10:f9:17:d0:2b:36:8a:36:57:f4:6c:42:2f:cf:4a:dc:
+         f2:73:de:8b:08:e7:54:d6:8c:cf:83:ac:de:e0:b4:b5:f3:26:
+         9f:9c:a0:6e:1e:29:77:bf:7e:d4:1d:1a:51:77:e1:82:e4:6d:
+         fe:04:b4:23:8d:26:2b:9f:3f:f1:d9:98:35:b0:fe:b6:61:3c:
+         21:2d:54:e4:2d:f1:3f:88:3d:cb:7d:57:11:98:4b:01:68:0b:
+         af:79:a3:f4:8a:5d:11:c7:63:78:ac:94:e7:82:f0:4c:90:b1:
+         89:49:f0:8c:50:a3:38:04:98:38:14:49:cc:1d:69:57:84:5a:
+         4e:2d:10:f7:0c:88:73:48:de:83:90:0f:a0:53:b9:03:f6:f0:
+         bf:cc:d6:91:73:b3:9c:13:0a:dc:24:52:d9:d0:ac:6d:cf:11:
+         53:bc:d2:75
 -----BEGIN CERTIFICATE-----
-MIIDNjCCAp+gAwIBAgIBHDANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
+MIIEOzCCAyOgAwIBAgIBHTANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxDDAKBgNVBAMMA3RhMzESMBAGCSqGSIb3DQEJARYDdGEzMB4XDTA5
 MDEwMTAxMDEwMVoXDTA5MDEwMjAxMDEwMVowdTELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
 a2c1MRIwEAYDVQQDDAljaDEuMl90YTMxGDAWBgkqhkiG9w0BCQEWCWNoMS4yX3Rh
-MzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA235B2JMfNeVrOCWT5ZnP/se4
-qwsURyNmUsfUGFj/OabEo0QuRr4ke51xJhJqmb2SAVrcqTY8LfhCuF/bh48JmoMy
-XLYdxeSqR21GERZyRNdJ6tNKpFKa9Iq15O8ye3Gg145xhiI0REqVWjfvxH9XH5ky
-Oe+rlAUbmojeOYVWTPcCAwEAAaOB4TCB3jAdBgNVHQ4EFgQUkYuCuVcsG9tL9hYE
-1z8EEN2LOwUwgZsGA1UdIwSBkzCBkIAUtNQ2n/jLol9Qidoh4yfEkfeEiEWhbaRr
-MGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQHDAtT
-YW50YSBDbGFyYTENMAsGA1UECgwEcGtnNTEMMAoGA1UEAwwDdGEzMRIwEAYJKoZI
-hvcNAQkBFgN0YTOCCQDAxLR9iNbjPjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
-/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOBgQCKvL97KNS9oqmR6CTPHhsFfDJocUCa
-70g8WENsrpB6UKNJhhJXIQAMSSjsMfsEWKQkxn4UnVqWvbrNwTHNyPB33j+BCtAx
-ZfLVEclvzFr488GPMTd1OsZtbW7XFgqbsM4H15c2YTdeShbfjZf0cf6bMku20if0
-mny4g7OSSCzsDA==
+MzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANafNP8qjD+onWq/C9lm
+Vyu6nb2IuGBXybGoLfF05oQpbJOd7RID+UjujPBdsNqcpi5LZPE4uMu50yRX4Ve2
+8XlL7tcwXIlnQxrhqqKz+/VjaVtVmDz5Kl9W8bltpkuLnsQtMKIOmJINw/eAadNL
+pgpb6Ng9DhYbCRKzlVUbs8hacUVNBTC6NI2GoEoPw+WqGTtMW+YgA3vVxJDstAaL
+Vew3gff2bfgeAXyPRQglL6vru8bakWrzwiFsM77OVi42bLuMEjz8HYszFNSgS44N
+Wzp8RzKTA0hmaqQbpLVDGbl5zbX3Y6lcj8qZlOPR6xWpFjuSc6D7KxaLMUIobwpt
+kD8CAwEAAaOB4TCB3jAdBgNVHQ4EFgQUQTEwZUZrHGO5yCOOAjfi//98xFMwgZsG
+A1UdIwSBkzCBkIAUKW76DMM61BNfkzkPEAgnx79iVuWhbaRrMGkxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQHDAtTYW50YSBDbGFyYTEN
+MAsGA1UECgwEcGtnNTEMMAoGA1UEAwwDdGEzMRIwEAYJKoZIhvcNAQkBFgN0YTOC
+CQCKFSNgjfs+hDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQsFAAOCAQEAjLntB7Pxb1N6HWLvV7qrpUaT0K86Zy1QsFo7sJDi9nFe
+/db8cM5sv1G6lNuEXcYL2Yd56r9A/akLw92BunpAfnFUiYvksoXk1pPSpJoCZvl+
+qkjjDK089y5V+qEQ+RfQKzaKNlf0bEIvz0rc8nPeiwjnVNaMz4Os3uC0tfMmn5yg
+bh4pd79+1B0aUXfhguRt/gS0I40mK58/8dmYNbD+tmE8IS1U5C3xP4g9y31XEZhL
+AWgLr3mj9IpdEcdjeKyU54LwTJCxiUnwjFCjOASYOBRJzB1pV4RaTi0Q9wyIc0je
+g5APoFO5A/bwv8zWkXOznBMK3CRS2dCsbc8RU7zSdQ==
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/ch1.3_ta3_cert.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/ch1.3_ta3_cert.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -1,7 +1,7 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 30 (0x1e)
+        Serial Number: 31 (0x1f)
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta3/emailAddress=ta3
         Validity
@@ -10,56 +10,77 @@
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1.3_ta3/emailAddress=ch1.3_ta3
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:ce:58:8a:05:67:47:a9:62:99:37:13:35:4c:74:
-                    75:9b:2f:d7:4c:23:7a:cd:60:35:0c:95:4b:58:b3:
-                    dd:c8:2d:69:ad:3c:8d:d3:27:0d:02:06:d0:4b:6c:
-                    6e:57:e9:1f:3c:dc:f3:88:22:25:86:35:13:91:3c:
-                    9f:76:67:a4:ae:98:63:d2:73:4d:2f:07:d5:7f:80:
-                    7e:27:92:25:16:aa:32:fe:7a:17:65:d5:9f:ee:39:
-                    9f:c8:a1:57:6a:9b:2d:e3:61:d9:35:d5:94:fb:fa:
-                    95:21:c3:31:33:50:d6:2f:e5:c0:7a:bb:a7:61:a4:
-                    e0:9b:5e:ca:99:2a:5d:6a:db
+                    00:a5:a2:9a:58:4a:0e:d7:07:3b:38:52:04:65:eb:
+                    e5:9e:7c:eb:2e:d6:22:89:1e:a8:b2:5c:d2:8b:6e:
+                    76:3b:7c:66:dd:ec:d9:ee:2a:6e:d0:b8:47:e2:cf:
+                    30:c8:13:9c:60:2b:6a:e1:9e:62:65:71:77:fb:50:
+                    8f:08:95:55:05:86:93:ed:38:f6:b8:5d:bf:07:a1:
+                    d9:66:7d:da:80:7b:09:c3:02:74:9c:33:44:6d:cd:
+                    7a:0e:be:46:54:14:65:f8:11:75:1f:d7:f4:6c:c8:
+                    97:76:fb:20:0c:86:ff:31:bd:c4:7b:86:38:4c:ee:
+                    96:c6:c2:b4:c1:ca:ce:9f:43:16:ef:86:d4:fe:fd:
+                    04:06:a6:a7:99:30:8e:aa:a8:d3:93:b2:b2:cd:0f:
+                    56:50:1a:02:8d:71:c9:2d:b5:97:b7:d2:ca:c8:b1:
+                    9d:9b:bd:a6:9c:5a:da:7d:22:2c:41:34:2d:b9:5f:
+                    06:d8:ad:26:20:98:f2:d7:48:71:5f:c7:9f:bb:02:
+                    6a:64:65:7b:ec:d6:80:ab:a3:c6:45:55:8a:e6:b2:
+                    1d:f6:d0:b9:c4:26:85:88:7b:ea:84:3a:3c:f1:c7:
+                    e6:b0:47:f6:5f:99:85:b1:cd:5c:20:6a:cc:e4:2c:
+                    7d:72:23:92:21:85:37:c5:20:e5:ff:07:36:35:d5:
+                    b7:2f
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                28:44:43:26:57:0F:45:87:1A:A5:36:FB:0F:49:91:4B:A1:38:F3:ED
+                8B:2B:21:B0:6C:71:E6:F0:68:6D:FC:32:0C:DB:53:38:EC:B3:43:A6
             X509v3 Authority Key Identifier: 
-                keyid:B4:D4:36:9F:F8:CB:A2:5F:50:89:DA:21:E3:27:C4:91:F7:84:88:45
+                keyid:29:6E:FA:0C:C3:3A:D4:13:5F:93:39:0F:10:08:27:C7:BF:62:56:E5
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta3/emailAddress=ta3
-                serial:C0:C4:B4:7D:88:D6:E3:3E
+                serial:8A:15:23:60:8D:FB:3E:84
 
             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         b8:a1:7b:ba:b7:10:91:c0:21:86:fe:4d:01:f7:14:34:d9:aa:
-         dc:f3:04:56:c2:08:e6:66:f5:77:55:7e:dd:ea:b5:49:ff:d9:
-         32:39:2c:c9:9f:2f:9c:b3:cc:68:25:3e:d4:92:ef:be:b7:a1:
-         a5:d6:8c:31:3d:3a:7f:f4:5d:e8:ca:a3:30:29:ff:89:82:63:
-         cb:46:47:34:e8:ce:25:dd:a4:09:61:0b:08:7b:fd:24:1b:2b:
-         2d:9b:b9:84:ba:9e:fe:c1:2a:bd:df:e5:86:08:9c:74:ca:51:
-         c8:2e:b8:24:13:49:8c:a4:3e:c1:48:44:bd:30:18:40:88:43:
-         c1:a6
+         84:66:26:74:86:86:ab:62:33:c4:6e:69:75:7c:54:be:52:f6:
+         0a:4e:3a:36:9c:11:a9:f0:7c:65:0d:eb:c5:f4:f7:bf:28:64:
+         9f:de:ac:f7:cb:cd:3b:eb:57:a1:2b:3f:d4:e9:d1:f9:2c:7b:
+         75:c8:5b:9c:a6:22:cc:fd:04:5e:48:f3:0f:22:a0:f7:75:a8:
+         56:b7:4a:95:ee:a0:be:29:c4:8b:9d:ef:d9:65:f6:ac:a8:37:
+         41:cc:79:cd:ea:b2:dd:d0:e8:b3:2d:80:36:dd:eb:31:62:7f:
+         7e:1a:15:ae:3b:14:cf:ae:aa:1d:8d:42:1e:aa:b7:28:4c:ae:
+         30:b2:ab:ac:b4:48:50:e6:ec:35:94:fb:7f:94:de:f8:ea:f9:
+         e5:7d:d4:3e:db:58:79:49:59:25:85:33:20:f0:b1:e0:7c:44:
+         79:4a:61:e3:39:d4:06:c8:87:05:a5:ce:ff:13:4d:ba:3a:2e:
+         9e:78:15:f3:d3:85:9c:41:e1:2d:6d:e2:ce:d1:1d:cc:4f:ee:
+         6e:3f:3d:d1:16:df:e2:fe:2a:fc:6b:1f:cc:e1:45:57:0b:b7:
+         26:3d:ca:14:ee:5d:81:cd:69:28:4b:d6:25:30:6f:68:39:ea:
+         b6:5c:e7:37:05:55:a6:c4:9b:72:42:f8:f1:46:fe:a0:56:27:
+         e1:c6:85:e8
 -----BEGIN CERTIFICATE-----
-MIIDNjCCAp+gAwIBAgIBHjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
+MIIEOzCCAyOgAwIBAgIBHzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxDDAKBgNVBAMMA3RhMzESMBAGCSqGSIb3DQEJARYDdGEzMB4XDTM1
 MDEwMTAxMDEwMVoXDTM1MDEwMjAxMDEwMVowdTELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
 a2c1MRIwEAYDVQQDDAljaDEuM190YTMxGDAWBgkqhkiG9w0BCQEWCWNoMS4zX3Rh
-MzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzliKBWdHqWKZNxM1THR1my/X
-TCN6zWA1DJVLWLPdyC1prTyN0ycNAgbQS2xuV+kfPNzziCIlhjUTkTyfdmekrphj
-0nNNLwfVf4B+J5IlFqoy/noXZdWf7jmfyKFXapst42HZNdWU+/qVIcMxM1DWL+XA
-erunYaTgm17KmSpdatsCAwEAAaOB4TCB3jAdBgNVHQ4EFgQUKERDJlcPRYcapTb7
-D0mRS6E48+0wgZsGA1UdIwSBkzCBkIAUtNQ2n/jLol9Qidoh4yfEkfeEiEWhbaRr
-MGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQHDAtT
-YW50YSBDbGFyYTENMAsGA1UECgwEcGtnNTEMMAoGA1UEAwwDdGEzMRIwEAYJKoZI
-hvcNAQkBFgN0YTOCCQDAxLR9iNbjPjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
-/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOBgQC4oXu6txCRwCGG/k0B9xQ02arc8wRW
-wgjmZvV3VX7d6rVJ/9kyOSzJny+cs8xoJT7Uku++t6Gl1owxPTp/9F3oyqMwKf+J
-gmPLRkc06M4l3aQJYQsIe/0kGystm7mEup7+wSq93+WGCJx0ylHILrgkE0mMpD7B
-SES9MBhAiEPBpg==
+MzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKWimlhKDtcHOzhSBGXr
+5Z586y7WIokeqLJc0otudjt8Zt3s2e4qbtC4R+LPMMgTnGArauGeYmVxd/tQjwiV
+VQWGk+049rhdvweh2WZ92oB7CcMCdJwzRG3Neg6+RlQUZfgRdR/X9GzIl3b7IAyG
+/zG9xHuGOEzulsbCtMHKzp9DFu+G1P79BAamp5kwjqqo05Oyss0PVlAaAo1xyS21
+l7fSysixnZu9ppxa2n0iLEE0LblfBtitJiCY8tdIcV/Hn7sCamRle+zWgKujxkVV
+iuayHfbQucQmhYh76oQ6PPHH5rBH9l+ZhbHNXCBqzOQsfXIjkiGFN8Ug5f8HNjXV
+ty8CAwEAAaOB4TCB3jAdBgNVHQ4EFgQUiyshsGxx5vBobfwyDNtTOOyzQ6YwgZsG
+A1UdIwSBkzCBkIAUKW76DMM61BNfkzkPEAgnx79iVuWhbaRrMGkxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQHDAtTYW50YSBDbGFyYTEN
+MAsGA1UECgwEcGtnNTEMMAoGA1UEAwwDdGEzMRIwEAYJKoZIhvcNAQkBFgN0YTOC
+CQCKFSNgjfs+hDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQsFAAOCAQEAhGYmdIaGq2IzxG5pdXxUvlL2Ck46NpwRqfB8ZQ3rxfT3
+vyhkn96s98vNO+tXoSs/1OnR+Sx7dchbnKYizP0EXkjzDyKg93WoVrdKle6gvinE
+i53v2WX2rKg3Qcx5zeqy3dDosy2ANt3rMWJ/fhoVrjsUz66qHY1CHqq3KEyuMLKr
+rLRIUObsNZT7f5Te+Or55X3UPttYeUlZJYUzIPCx4HxEeUph4znUBsiHBaXO/xNN
+ujounngV89OFnEHhLW3iztEdzE/ubj890Rbf4v4q/GsfzOFFVwu3Jj3KFO5dgc1p
+KEvWJTBvaDnqtlznNwVVpsSbckL48Ub+oFYn4caF6A==
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/ch1.4_ta3_cert.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/ch1.4_ta3_cert.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -1,7 +1,7 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 32 (0x20)
+        Serial Number: 33 (0x21)
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta3/emailAddress=ta3
         Validity
@@ -10,53 +10,75 @@
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1.4_ta3/emailAddress=ch1.4_ta3
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:e9:3c:28:6e:b8:7a:e3:7a:f2:ee:5e:69:7a:71:
-                    b8:bb:97:d5:d3:c4:77:3e:90:f3:29:69:b8:51:ba:
-                    8b:27:4d:3f:b2:10:76:86:6e:38:4a:49:be:ce:01:
-                    c5:d2:0e:6e:0e:a9:51:e9:94:57:ce:67:4b:99:ca:
-                    84:93:a9:f9:e6:35:1c:0f:d6:3d:b1:c1:c7:00:d7:
-                    fa:2c:05:a0:20:0d:86:6d:32:c0:54:0f:e8:b9:6e:
-                    b5:dd:1a:00:4c:89:bf:d4:6d:79:0e:e7:4e:10:d2:
-                    fb:75:2c:03:da:75:c8:e1:b7:dc:2e:42:c5:9b:ec:
-                    b2:f1:15:6d:db:56:f9:20:a3
+                    00:c1:a0:1e:ec:bd:27:9e:d7:47:3d:4d:78:63:df:
+                    b7:54:05:09:1b:22:65:15:de:2a:98:ef:b4:28:f0:
+                    2a:92:87:2e:93:7f:0f:3d:ca:ce:d1:b5:23:26:8e:
+                    65:4c:c2:57:82:3a:45:8c:5e:77:ac:68:ef:ce:e5:
+                    1b:ba:b5:ba:f2:7d:73:04:d0:28:d8:27:74:bb:93:
+                    ec:9d:2a:8c:a3:52:95:c0:4b:1a:76:e9:c1:6a:d4:
+                    11:84:57:f2:9c:e9:4c:90:ba:7b:ac:cd:8b:a5:7f:
+                    ed:43:d7:c3:a0:9e:7b:c6:07:f9:e2:10:46:b9:1e:
+                    d6:87:aa:1c:e0:92:89:76:2c:ca:ab:5b:99:92:35:
+                    b0:28:88:2d:08:76:99:ed:27:1b:e9:5f:ba:3a:ef:
+                    fd:c5:09:43:74:ec:9d:7c:01:cf:db:37:43:3f:c8:
+                    6b:9c:8f:f9:c9:04:cb:28:5a:70:ee:19:da:b0:f8:
+                    65:5f:c1:d8:09:d0:9e:5e:94:e5:93:79:ad:25:ec:
+                    73:1e:4c:43:30:e8:62:bf:a1:f5:ba:3a:21:10:d0:
+                    5d:38:a8:fd:a0:4e:e8:b2:13:da:d3:da:b0:85:86:
+                    94:36:be:13:4a:66:ad:89:ac:41:0e:e5:47:dc:d4:
+                    bd:19:b2:9d:8b:58:27:e4:90:8c:77:09:62:c5:a9:
+                    55:c9
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                33:65:69:5E:6D:D8:12:02:E9:68:A2:6C:7D:77:F1:38:D8:7B:97:E6
+                5F:F9:18:9C:13:FA:0C:6D:68:90:7F:A8:63:2E:5F:68:8D:27:9D:A5
             X509v3 Authority Key Identifier: 
-                keyid:B4:D4:36:9F:F8:CB:A2:5F:50:89:DA:21:E3:27:C4:91:F7:84:88:45
+                keyid:29:6E:FA:0C:C3:3A:D4:13:5F:93:39:0F:10:08:27:C7:BF:62:56:E5
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta3/emailAddress=ta3
-                serial:C0:C4:B4:7D:88:D6:E3:3E
+                serial:8A:15:23:60:8D:FB:3E:84
 
             X509v3 Basic Constraints: critical
                 CA:TRUE
     Signature Algorithm: sha256WithRSAEncryption
-         5c:06:87:8e:6c:26:b3:5d:7c:94:c0:e3:7d:9e:8c:7c:bf:86:
-         e0:07:8a:65:95:af:8f:93:0c:a6:72:e5:cb:36:a5:69:03:95:
-         03:7f:e0:18:c8:f2:da:ce:99:b8:54:7a:49:75:f2:61:00:d4:
-         f4:63:e1:5c:cc:f0:91:e7:85:92:0d:7e:91:4b:3a:8b:76:e6:
-         a0:c8:51:28:06:44:d2:c8:a8:4c:da:be:7e:78:88:45:d3:f7:
-         07:92:90:fc:96:4d:7d:ce:5a:c9:9a:21:d9:66:98:3e:9b:5d:
-         18:9a:0c:b8:c4:10:86:4d:06:15:d9:ea:19:9b:e7:f7:e2:74:
-         25:eb
+         24:b0:07:7a:c9:05:ad:8b:61:44:b4:79:c6:5e:3f:af:82:d8:
+         ee:71:fb:a2:78:c8:40:aa:69:c0:66:76:31:20:62:e4:22:1e:
+         7f:db:47:50:76:f5:0c:09:c2:ef:c7:5f:18:7d:2f:a8:37:4f:
+         a8:aa:07:2c:5f:f1:e4:7d:6e:02:de:ae:6a:29:22:e5:d9:4e:
+         b7:5b:5f:fa:9c:e2:86:f3:4e:89:46:95:8a:70:3a:a3:da:a7:
+         5c:ad:c2:d0:35:cf:6b:8a:eb:8b:55:78:29:fe:c5:a8:71:fd:
+         96:e2:7f:05:8f:1e:eb:7c:c2:dd:cb:4c:94:05:a2:76:11:fe:
+         ed:d7:7a:df:92:13:7e:12:bb:e4:ff:11:19:b9:04:54:19:6f:
+         f0:e3:42:f1:d4:48:d2:5c:0d:83:b8:7d:04:49:ec:c1:6f:a0:
+         a7:41:68:8a:e8:78:2d:42:ad:58:b9:0e:0c:a9:14:5a:ce:2e:
+         2c:ba:4a:18:98:87:65:d3:8f:cd:23:11:22:35:ea:76:7a:a3:
+         33:74:a7:03:aa:84:df:6f:26:d5:e1:4a:e5:91:76:f8:79:2d:
+         e0:4d:18:f3:8c:95:5c:6f:c8:f8:03:3a:ab:d6:59:55:17:2b:
+         f8:6d:6d:1b:cd:e8:08:92:4c:ea:0d:98:f8:3f:e8:a8:12:fa:
+         bb:cb:13:de
 -----BEGIN CERTIFICATE-----
-MIIDJjCCAo+gAwIBAgIBIDANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
+MIIEKzCCAxOgAwIBAgIBITANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxDDAKBgNVBAMMA3RhMzESMBAGCSqGSIb3DQEJARYDdGEzMB4XDTM1
 MDEwMTAxMDEwMVoXDTM1MDEwMjAxMDEwMVowdTELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
 a2c1MRIwEAYDVQQDDAljaDEuNF90YTMxGDAWBgkqhkiG9w0BCQEWCWNoMS40X3Rh
-MzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6Twobrh643ry7l5penG4u5fV
-08R3PpDzKWm4UbqLJ00/shB2hm44Skm+zgHF0g5uDqlR6ZRXzmdLmcqEk6n55jUc
-D9Y9scHHANf6LAWgIA2GbTLAVA/ouW613RoATIm/1G15DudOENL7dSwD2nXI4bfc
-LkLFm+yy8RVt21b5IKMCAwEAAaOB0TCBzjAdBgNVHQ4EFgQUM2VpXm3YEgLpaKJs
-fXfxONh7l+YwgZsGA1UdIwSBkzCBkIAUtNQ2n/jLol9Qidoh4yfEkfeEiEWhbaRr
-MGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQHDAtT
-YW50YSBDbGFyYTENMAsGA1UECgwEcGtnNTEMMAoGA1UEAwwDdGEzMRIwEAYJKoZI
-hvcNAQkBFgN0YTOCCQDAxLR9iNbjPjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
-DQEBCwUAA4GBAFwGh45sJrNdfJTA432ejHy/huAHimWVr4+TDKZy5cs2pWkDlQN/
-4BjI8trOmbhUekl18mEA1PRj4VzM8JHnhZINfpFLOot25qDIUSgGRNLIqEzavn54
-iEXT9weSkPyWTX3OWsmaIdlmmD6bXRiaDLjEEIZNBhXZ6hmb5/fidCXr
+MzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMGgHuy9J57XRz1NeGPf
+t1QFCRsiZRXeKpjvtCjwKpKHLpN/Dz3KztG1IyaOZUzCV4I6RYxed6xo787lG7q1
+uvJ9cwTQKNgndLuT7J0qjKNSlcBLGnbpwWrUEYRX8pzpTJC6e6zNi6V/7UPXw6Ce
+e8YH+eIQRrke1oeqHOCSiXYsyqtbmZI1sCiILQh2me0nG+lfujrv/cUJQ3TsnXwB
+z9s3Qz/Ia5yP+ckEyyhacO4Z2rD4ZV/B2AnQnl6U5ZN5rSXscx5MQzDoYr+h9bo6
+IRDQXTio/aBO6LIT2tPasIWGlDa+E0pmrYmsQQ7lR9zUvRmynYtYJ+SQjHcJYsWp
+VckCAwEAAaOB0TCBzjAdBgNVHQ4EFgQUX/kYnBP6DG1okH+oYy5faI0nnaUwgZsG
+A1UdIwSBkzCBkIAUKW76DMM61BNfkzkPEAgnx79iVuWhbaRrMGkxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQHDAtTYW50YSBDbGFyYTEN
+MAsGA1UECgwEcGtnNTEMMAoGA1UEAwwDdGEzMRIwEAYJKoZIhvcNAQkBFgN0YTOC
+CQCKFSNgjfs+hDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAk
+sAd6yQWti2FEtHnGXj+vgtjucfuieMhAqmnAZnYxIGLkIh5/20dQdvUMCcLvx18Y
+fS+oN0+oqgcsX/HkfW4C3q5qKSLl2U63W1/6nOKG806JRpWKcDqj2qdcrcLQNc9r
+iuuLVXgp/sWocf2W4n8Fjx7rfMLdy0yUBaJ2Ef7t13rfkhN+Ervk/xEZuQRUGW/w
+40Lx1EjSXA2DuH0ESezBb6CnQWiK6HgtQq1YuQ4MqRRazi4sukoYmIdl04/NIxEi
+Nep2eqMzdKcDqoTfbybV4UrlkXb4eS3gTRjzjJVcb8j4Azqr1llVFyv4bW0bzegI
+kkzqDZj4P+ioEvq7yxPe
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/ch1_ta1_cert.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/ch1_ta1_cert.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,61 +5,82 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta1/emailAddress=ta1
         Validity
-            Not Before: Dec 13 00:13:34 2013 GMT
-            Not After : Sep  8 00:13:34 2016 GMT
+            Not Before: Jan 22 01:57:53 2016 GMT
+            Not After : Oct 18 01:57:53 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1_ta1/emailAddress=ch1_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:da:3a:b2:74:16:5c:38:7c:93:3a:48:cb:9f:71:
-                    7c:aa:b9:ff:d7:25:5f:cd:90:6c:e6:87:6d:ed:34:
-                    0f:12:19:00:a8:36:fe:51:4b:b2:38:76:55:2a:d1:
-                    ce:3b:a3:78:75:db:c8:ba:85:8b:ad:80:0e:84:ab:
-                    1f:4b:80:90:20:56:49:7b:71:a0:16:f8:15:8a:cd:
-                    70:ee:45:1f:53:34:3c:85:df:10:75:e2:b1:68:97:
-                    c5:0d:66:7f:bf:e7:b3:d1:09:03:1b:50:14:dc:e3:
-                    3e:a9:b6:6a:63:e6:0f:51:3e:06:59:50:43:da:10:
-                    99:0d:79:a3:b4:76:89:a2:01
+                    00:ef:e4:87:59:74:82:97:b8:fa:7e:12:4a:e8:48:
+                    fe:95:28:15:6a:c7:07:ac:10:27:fb:58:9e:2c:9a:
+                    43:84:2b:1d:e4:04:68:e1:64:cd:3d:be:97:4a:f1:
+                    c0:e5:3f:b9:04:70:eb:02:7f:e2:f4:3c:23:44:80:
+                    b0:9f:ab:02:09:37:10:c6:25:53:f2:9b:24:d8:7e:
+                    c6:0a:71:56:95:72:71:e9:97:d6:70:5f:76:2b:bf:
+                    f4:c4:43:93:9c:62:ad:60:3c:27:3a:19:e6:64:db:
+                    1d:56:60:a5:32:8c:91:61:15:b9:9a:ef:89:4e:bf:
+                    4b:ca:90:7b:01:05:1c:1f:51:ec:33:43:66:f2:eb:
+                    45:17:e9:dc:fa:f3:d3:73:82:ae:9b:cc:fb:c8:44:
+                    29:3a:c8:24:5c:b7:52:d2:fa:30:0d:42:7a:8c:e1:
+                    0a:4c:5a:0c:6e:57:7b:0f:9f:e3:ae:84:bd:1b:10:
+                    ee:63:f2:5e:0d:91:bd:9a:b6:e4:f6:a6:85:92:e8:
+                    bc:3c:b4:da:13:6e:0b:9b:f9:6f:4b:1d:61:57:44:
+                    23:a7:78:35:72:ef:51:a8:98:14:2a:78:d0:55:da:
+                    fe:f1:93:e0:fd:6c:e6:42:6b:3b:eb:4f:f8:b1:ac:
+                    dd:78:9b:9f:f8:c1:51:28:fe:04:aa:8b:c8:40:f7:
+                    f6:73
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                36:46:2D:8A:1B:8B:CE:C1:1D:02:37:B9:EC:A5:FF:BA:73:AE:E5:48
+                2E:B3:14:E2:95:4C:93:07:05:A4:87:64:EA:C4:57:2D:52:3B:8C:F9
             X509v3 Authority Key Identifier: 
-                keyid:81:54:6B:06:08:DD:44:4F:08:81:21:7A:7C:D5:96:EA:53:2B:E3:0A
+                keyid:D6:A2:C9:8F:BE:AC:C1:F3:E7:8A:8D:01:1C:0A:7D:C1:EE:88:E5:A6
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta1/emailAddress=ta1
-                serial:F6:A8:B6:5C:10:8D:04:4F
+                serial:B8:ED:CE:51:42:C8:90:81
 
             X509v3 Basic Constraints: critical
                 CA:TRUE, pathlen:4
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         38:4a:69:9d:14:fa:51:b9:35:9c:c8:ae:e5:c0:e2:2e:4c:d4:
-         57:ad:64:05:99:e4:94:b3:d3:97:e0:0e:bd:1c:b4:64:c8:2b:
-         07:18:26:7f:99:ef:9c:48:e6:23:b3:96:37:92:54:85:8b:29:
-         19:60:12:11:fc:d8:62:84:5c:75:73:76:9e:0f:f8:a7:95:79:
-         c8:3c:75:f7:13:73:1f:be:fa:60:79:5c:6c:12:8d:ca:f9:58:
-         4b:1f:ed:0a:52:4c:61:95:6f:9a:a7:57:0c:20:9a:19:73:dc:
-         3d:42:aa:47:29:ac:92:a9:cc:4a:eb:85:6d:ab:cd:ed:2b:9a:
-         e5:c1
+         32:8d:c5:57:e8:49:29:70:35:e7:5a:4f:c7:78:70:ad:9e:6e:
+         2d:27:e2:a6:95:eb:30:a8:b5:71:6b:0e:5b:de:ca:9b:3e:be:
+         8d:34:d4:98:68:67:2f:8a:63:50:66:71:5b:3b:5b:1e:b4:37:
+         6b:6b:df:7c:1e:9e:24:01:8d:0a:ea:b0:e5:1f:31:1e:d1:ed:
+         68:cf:73:00:56:36:cc:e5:83:3f:c4:c0:00:d5:3f:3c:f8:2f:
+         dd:4e:c6:68:08:b5:80:ef:d0:ab:4c:55:a1:7b:4a:1e:67:02:
+         5d:fb:56:68:88:f2:49:2f:e5:f5:4c:3a:2d:54:b7:9a:79:38:
+         f1:87:b4:d9:8d:b6:0c:88:ec:a1:ce:00:e0:9a:13:3b:57:d6:
+         80:17:a0:e8:1b:3e:e6:25:d8:bd:8e:1d:bb:45:36:9f:4b:a7:
+         4e:3e:f5:fb:60:73:85:2e:4e:35:10:9a:a8:44:ea:22:8f:6f:
+         27:84:3f:e8:02:05:7c:fd:57:61:76:1b:6b:52:6b:b9:c4:6c:
+         9b:84:e3:c5:91:16:14:03:a0:80:e8:80:35:bc:92:97:35:13:
+         e5:d9:1b:4e:4b:0c:ba:15:cf:d8:5f:c9:86:fd:44:74:88:34:
+         76:12:85:90:a1:d9:3a:cf:d3:63:3f:be:91:d1:66:04:fc:5b:
+         84:8d:f8:a7
 -----BEGIN CERTIFICATE-----
-MIIDNTCCAp6gAwIBAgIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
+MIIEOjCCAyKgAwIBAgIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
-BAoMBHBrZzUxDDAKBgNVBAMMA3RhMTESMBAGCSqGSIb3DQEJARYDdGExMB4XDTEz
-MTIxMzAwMTMzNFoXDTE2MDkwODAwMTMzNFowcTELMAkGA1UEBhMCVVMxEzARBgNV
+BAoMBHBrZzUxDDAKBgNVBAMMA3RhMTESMBAGCSqGSIb3DQEJARYDdGExMB4XDTE2
+MDEyMjAxNTc1M1oXDTE4MTAxODAxNTc1M1owcTELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
-a2c1MRAwDgYDVQQDDAdjaDFfdGExMRYwFAYJKoZIhvcNAQkBFgdjaDFfdGExMIGf
-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaOrJ0Flw4fJM6SMufcXyquf/XJV/N
-kGzmh23tNA8SGQCoNv5RS7I4dlUq0c47o3h128i6hYutgA6Eqx9LgJAgVkl7caAW
-+BWKzXDuRR9TNDyF3xB14rFol8UNZn+/57PRCQMbUBTc4z6ptmpj5g9RPgZZUEPa
-EJkNeaO0domiAQIDAQABo4HkMIHhMB0GA1UdDgQWBBQ2Ri2KG4vOwR0CN7nspf+6
-c67lSDCBmwYDVR0jBIGTMIGQgBSBVGsGCN1ETwiBIXp81ZbqUyvjCqFtpGswaTEL
-MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRh
-IENsYXJhMQ0wCwYDVQQKDARwa2c1MQwwCgYDVQQDDAN0YTExEjAQBgkqhkiG9w0B
-CQEWA3RhMYIJAPaotlwQjQRPMBIGA1UdEwEB/wQIMAYBAf8CAQQwDgYDVR0PAQH/
-BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBADhKaZ0U+lG5NZzIruXA4i5M1FetZAWZ
-5JSz05fgDr0ctGTIKwcYJn+Z75xI5iOzljeSVIWLKRlgEhH82GKEXHVzdp4P+KeV
-ecg8dfcTcx+++mB5XGwSjcr5WEsf7QpSTGGVb5qnVwwgmhlz3D1CqkcprJKpzErr
-hW2rze0rmuXB
+a2c1MRAwDgYDVQQDDAdjaDFfdGExMRYwFAYJKoZIhvcNAQkBFgdjaDFfdGExMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7+SHWXSCl7j6fhJK6Ej+lSgV
+ascHrBAn+1ieLJpDhCsd5ARo4WTNPb6XSvHA5T+5BHDrAn/i9DwjRICwn6sCCTcQ
+xiVT8psk2H7GCnFWlXJx6ZfWcF92K7/0xEOTnGKtYDwnOhnmZNsdVmClMoyRYRW5
+mu+JTr9LypB7AQUcH1HsM0Nm8utFF+nc+vPTc4Kum8z7yEQpOsgkXLdS0vowDUJ6
+jOEKTFoMbld7D5/jroS9GxDuY/JeDZG9mrbk9qaFkui8PLTaE24Lm/lvSx1hV0Qj
+p3g1cu9RqJgUKnjQVdr+8ZPg/WzmQms760/4sazdeJuf+MFRKP4EqovIQPf2cwID
+AQABo4HkMIHhMB0GA1UdDgQWBBQusxTilUyTBwWkh2TqxFctUjuM+TCBmwYDVR0j
+BIGTMIGQgBTWosmPvqzB8+eKjQEcCn3B7ojlpqFtpGswaTELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYD
+VQQKDARwa2c1MQwwCgYDVQQDDAN0YTExEjAQBgkqhkiG9w0BCQEWA3RhMYIJALjt
+zlFCyJCBMBIGA1UdEwEB/wQIMAYBAf8CAQQwDgYDVR0PAQH/BAQDAgEGMA0GCSqG
+SIb3DQEBCwUAA4IBAQAyjcVX6EkpcDXnWk/HeHCtnm4tJ+KmleswqLVxaw5b3sqb
+Pr6NNNSYaGcvimNQZnFbO1setDdra998Hp4kAY0K6rDlHzEe0e1oz3MAVjbM5YM/
+xMAA1T88+C/dTsZoCLWA79CrTFWhe0oeZwJd+1ZoiPJJL+X1TDotVLeaeTjxh7TZ
+jbYMiOyhzgDgmhM7V9aAF6DoGz7mJdi9jh27RTafS6dOPvX7YHOFLk41EJqoROoi
+j28nhD/oAgV8/VdhdhtrUmu5xGybhOPFkRYUA6CA6IA1vJKXNRPl2RtOSwy6Fc/Y
+X8mG/UR0iDR2EoWQodk6z9NjP76R0WYE/FuEjfin
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/ch1_ta3_cert.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/ch1_ta3_cert.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,61 +5,82 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta3/emailAddress=ta3
         Validity
-            Not Before: Dec 13 00:13:35 2013 GMT
-            Not After : Sep  8 00:13:35 2016 GMT
+            Not Before: Jan 22 01:57:56 2016 GMT
+            Not After : Oct 18 01:57:56 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1_ta3/emailAddress=ch1_ta3
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:ba:0e:36:90:a0:6b:75:19:6b:30:76:54:9e:20:
-                    b0:81:70:21:47:97:9c:c1:15:7c:9e:2d:50:3c:db:
-                    dc:8c:d0:31:9c:b9:78:c6:2a:5c:53:ca:ed:d3:44:
-                    e2:f9:93:d8:b5:b6:a6:8a:c2:bd:be:4f:8b:f5:a0:
-                    28:68:cf:ec:f9:e3:e9:57:a8:ab:cd:a5:45:0d:82:
-                    eb:f0:5b:aa:2d:1b:88:65:30:9f:a1:74:59:1f:e5:
-                    d2:25:f9:d6:31:3f:0a:a2:4a:92:5d:2a:30:2e:3f:
-                    2f:72:48:93:f8:8d:7c:bf:79:21:e3:e1:91:9a:a7:
-                    03:01:ba:20:95:a6:da:56:35
+                    00:ad:c4:ce:08:be:18:a7:5c:74:34:46:19:29:0b:
+                    0e:09:7e:42:b2:ac:a4:40:2e:ee:2e:c8:0a:11:a8:
+                    88:85:73:a5:d8:15:65:9a:d6:4e:d4:8b:49:c1:32:
+                    dc:c3:f9:3d:99:87:d6:df:98:be:f6:71:db:f9:3d:
+                    63:98:65:7f:b9:a8:99:3c:f4:28:39:59:bf:e1:ff:
+                    7a:ef:a6:54:6e:43:31:33:95:72:d9:7d:11:24:e0:
+                    e0:47:24:df:84:27:a4:ee:19:6f:e8:f9:61:42:82:
+                    45:78:10:22:29:d5:b2:b8:1a:e6:7a:db:6d:d7:76:
+                    aa:27:bb:e7:cc:2b:60:39:8e:ac:3a:1c:b3:62:20:
+                    c4:db:10:5c:1d:22:fe:3d:36:ae:14:10:1f:81:d9:
+                    ce:bb:bc:93:4a:5f:1c:fc:1a:08:55:a6:4a:84:3b:
+                    0b:ca:89:8f:1e:f1:00:fe:6e:5b:9e:a3:57:dd:97:
+                    7c:fa:90:e7:ca:8d:9e:f2:b6:24:3e:f5:85:e8:77:
+                    53:1e:f5:c8:ba:37:53:05:43:dc:d8:56:c4:f9:cd:
+                    56:d3:3b:1a:16:c7:3d:e9:09:26:ef:6a:6a:b1:6b:
+                    28:77:14:69:d8:f5:67:a3:2e:04:d2:98:39:91:aa:
+                    c8:63:8f:55:56:f4:49:c9:67:84:82:a4:dd:d5:37:
+                    b9:8f
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                A7:11:90:E6:5F:5F:79:74:A3:1D:B5:9E:0C:15:F1:16:C5:D4:FB:6B
+                2B:95:76:FC:68:FE:EC:2A:19:A1:FC:D3:30:D9:C8:26:24:79:BE:9B
             X509v3 Authority Key Identifier: 
-                keyid:B4:D4:36:9F:F8:CB:A2:5F:50:89:DA:21:E3:27:C4:91:F7:84:88:45
+                keyid:29:6E:FA:0C:C3:3A:D4:13:5F:93:39:0F:10:08:27:C7:BF:62:56:E5
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta3/emailAddress=ta3
-                serial:C0:C4:B4:7D:88:D6:E3:3E
+                serial:8A:15:23:60:8D:FB:3E:84
 
             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         5f:db:a1:d4:03:bc:a0:f9:d7:80:88:ac:94:2b:22:cc:1c:88:
-         56:65:bd:0d:57:d6:d4:ae:5c:a2:27:44:7c:5e:4d:23:8c:ba:
-         fe:1c:a6:49:96:20:c2:f5:45:cf:52:0e:0a:80:40:5b:1c:e7:
-         83:2b:d4:72:6c:95:10:c6:a7:44:27:85:6b:e5:37:f5:a4:25:
-         70:e4:e0:0e:de:1d:c1:72:1f:05:be:0f:4b:23:61:38:e3:52:
-         cb:05:c3:f4:41:26:80:58:ea:02:c6:6b:7d:f8:9f:41:40:76:
-         94:44:59:2e:da:bc:a8:54:11:22:bc:58:ff:61:85:3c:60:e7:
-         67:e6
+         82:73:57:62:96:05:6f:f0:f1:22:b0:e7:f7:4f:c8:a7:20:9e:
+         94:cc:80:fa:9f:4f:98:24:75:49:5d:e7:cf:51:11:de:0d:64:
+         3c:24:8c:2b:5d:84:7c:40:6a:d2:27:81:2e:19:f4:16:c0:d3:
+         e1:d3:fa:23:e9:25:cc:f8:e2:f5:e8:b7:2b:ae:c5:70:19:f7:
+         0e:d4:ac:35:16:56:ad:7c:dc:f6:39:f2:80:b4:d3:d3:67:f7:
+         d9:cd:58:bf:17:01:94:50:af:a4:17:b9:49:50:1a:73:d7:f9:
+         1e:f4:6b:43:01:53:cf:a1:da:66:9d:e4:1c:fc:48:41:24:83:
+         ae:ce:18:d2:a7:95:5f:70:c6:24:e0:72:ec:08:c4:49:67:ac:
+         73:dc:f0:ad:2c:1c:f6:6c:e2:e9:44:2f:38:d4:80:03:71:41:
+         be:7c:04:b9:07:3e:a5:9d:6a:3c:b1:46:d9:d2:4d:76:28:ee:
+         37:da:5b:53:30:30:31:23:0b:95:47:c3:41:d3:45:1b:08:47:
+         22:14:e7:84:11:da:b2:95:c8:ea:98:94:d0:d1:33:8a:36:71:
+         a1:2f:fe:65:2e:91:39:16:6e:5e:1c:ff:0a:57:d5:eb:88:50:
+         b3:f2:89:68:c2:ff:a9:bd:af:de:c6:0f:57:af:15:4e:c1:31:
+         1e:67:16:2c
 -----BEGIN CERTIFICATE-----
-MIIDMjCCApugAwIBAgIBEDANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
+MIIENzCCAx+gAwIBAgIBEDANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
-BAoMBHBrZzUxDDAKBgNVBAMMA3RhMzESMBAGCSqGSIb3DQEJARYDdGEzMB4XDTEz
-MTIxMzAwMTMzNVoXDTE2MDkwODAwMTMzNVowcTELMAkGA1UEBhMCVVMxEzARBgNV
+BAoMBHBrZzUxDDAKBgNVBAMMA3RhMzESMBAGCSqGSIb3DQEJARYDdGEzMB4XDTE2
+MDEyMjAxNTc1NloXDTE4MTAxODAxNTc1NlowcTELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
-a2c1MRAwDgYDVQQDDAdjaDFfdGEzMRYwFAYJKoZIhvcNAQkBFgdjaDFfdGEzMIGf
-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6DjaQoGt1GWswdlSeILCBcCFHl5zB
-FXyeLVA829yM0DGcuXjGKlxTyu3TROL5k9i1tqaKwr2+T4v1oChoz+z54+lXqKvN
-pUUNguvwW6otG4hlMJ+hdFkf5dIl+dYxPwqiSpJdKjAuPy9ySJP4jXy/eSHj4ZGa
-pwMBuiCVptpWNQIDAQABo4HhMIHeMB0GA1UdDgQWBBSnEZDmX195dKMdtZ4MFfEW
-xdT7azCBmwYDVR0jBIGTMIGQgBS01Daf+MuiX1CJ2iHjJ8SR94SIRaFtpGswaTEL
-MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRh
-IENsYXJhMQ0wCwYDVQQKDARwa2c1MQwwCgYDVQQDDAN0YTMxEjAQBgkqhkiG9w0B
-CQEWA3RhM4IJAMDEtH2I1uM+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD
-AgEGMA0GCSqGSIb3DQEBCwUAA4GBAF/bodQDvKD514CIrJQrIswciFZlvQ1X1tSu
-XKInRHxeTSOMuv4cpkmWIML1Rc9SDgqAQFsc54Mr1HJslRDGp0QnhWvlN/WkJXDk
-4A7eHcFyHwW+D0sjYTjjUssFw/RBJoBY6gLGa334n0FAdpREWS7avKhUESK8WP9h
-hTxg52fm
+a2c1MRAwDgYDVQQDDAdjaDFfdGEzMRYwFAYJKoZIhvcNAQkBFgdjaDFfdGEzMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArcTOCL4Yp1x0NEYZKQsOCX5C
+sqykQC7uLsgKEaiIhXOl2BVlmtZO1ItJwTLcw/k9mYfW35i+9nHb+T1jmGV/uaiZ
+PPQoOVm/4f9676ZUbkMxM5Vy2X0RJODgRyTfhCek7hlv6PlhQoJFeBAiKdWyuBrm
+ettt13aqJ7vnzCtgOY6sOhyzYiDE2xBcHSL+PTauFBAfgdnOu7yTSl8c/BoIVaZK
+hDsLyomPHvEA/m5bnqNX3Zd8+pDnyo2e8rYkPvWF6HdTHvXIujdTBUPc2FbE+c1W
+0zsaFsc96Qkm72pqsWsodxRp2PVnoy4E0pg5karIY49VVvRJyWeEgqTd1Te5jwID
+AQABo4HhMIHeMB0GA1UdDgQWBBQrlXb8aP7sKhmh/NMw2cgmJHm+mzCBmwYDVR0j
+BIGTMIGQgBQpbvoMwzrUE1+TOQ8QCCfHv2JW5aFtpGswaTELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYD
+VQQKDARwa2c1MQwwCgYDVQQDDAN0YTMxEjAQBgkqhkiG9w0BCQEWA3RhM4IJAIoV
+I2CN+z6EMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
+DQEBCwUAA4IBAQCCc1dilgVv8PEisOf3T8inIJ6UzID6n0+YJHVJXefPURHeDWQ8
+JIwrXYR8QGrSJ4EuGfQWwNPh0/oj6SXM+OL16LcrrsVwGfcO1Kw1FlatfNz2OfKA
+tNPTZ/fZzVi/FwGUUK+kF7lJUBpz1/ke9GtDAVPPodpmneQc/EhBJIOuzhjSp5Vf
+cMYk4HLsCMRJZ6xz3PCtLBz2bOLpRC841IADcUG+fAS5Bz6lnWo8sUbZ0k12KO43
+2ltTMDAxIwuVR8NB00UbCEciFOeEEdqylcjqmJTQ0TOKNnGhL/5lLpE5Fm5eHP8K
+V9XriFCz8olowv+pva/exg9XrxVOwTEeZxYs
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/ch1_ta4_cert.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/ch1_ta4_cert.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -1,65 +1,86 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 34 (0x22)
+        Serial Number: 35 (0x23)
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta4/emailAddress=ta4
         Validity
-            Not Before: Dec 13 00:13:37 2013 GMT
-            Not After : Sep  8 00:13:37 2016 GMT
+            Not Before: Jan 22 01:57:59 2016 GMT
+            Not After : Oct 18 01:57:59 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1_ta4/emailAddress=ch1_ta4
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:b4:25:1c:3a:c2:26:af:8d:82:4d:29:e3:e0:78:
-                    6f:2b:7f:3c:b1:8c:c0:37:96:71:d2:42:21:df:2e:
-                    c4:c0:5a:60:e4:71:6f:05:df:88:a8:4b:ec:87:54:
-                    8d:08:c9:f7:19:84:a5:d0:cc:cb:43:c3:70:69:67:
-                    2e:4c:be:e6:2d:93:90:f9:02:30:a7:43:d2:1f:e5:
-                    d4:cf:5b:5c:74:88:06:0e:ee:cd:78:2c:2f:27:4c:
-                    99:2f:be:9a:73:5b:9b:1c:e3:67:54:b6:74:a7:c9:
-                    31:d3:63:6a:c5:4a:50:22:eb:af:e2:cd:7a:de:59:
-                    68:6a:a6:0e:26:d6:52:b6:a1
+                    00:bb:fd:5f:54:54:fb:49:01:62:e3:f9:cb:c6:a1:
+                    e4:26:2c:7d:8e:44:0c:d3:2a:de:7c:6d:c0:e3:7e:
+                    52:ac:7c:19:8e:6d:18:bd:76:2f:2c:89:d1:5b:e6:
+                    e4:cb:58:b4:19:8d:d4:16:c9:23:83:f7:48:7f:dd:
+                    4e:0f:8d:56:21:43:7b:69:3f:ec:13:dc:34:6e:f0:
+                    28:e5:21:eb:45:2c:0f:50:c1:17:0d:f7:81:ee:bb:
+                    6c:ee:f8:e7:3d:b9:62:d9:45:92:f1:52:f8:d3:e0:
+                    0c:fc:cc:db:98:6a:21:15:71:7e:a4:11:45:e2:bb:
+                    d5:bb:2a:6c:d2:ec:81:e0:92:59:e6:db:d9:c4:c2:
+                    36:e1:55:73:73:94:cb:c3:b5:1f:a4:27:2e:a3:60:
+                    a5:aa:52:3b:55:89:04:f8:f2:c8:4a:a0:04:c1:d1:
+                    4b:cb:ea:d9:d0:78:b4:48:db:47:24:bb:45:5b:17:
+                    6c:bd:70:0a:88:d7:0b:85:c0:3a:96:3d:ae:ac:da:
+                    c7:95:4a:8b:02:1a:42:bf:b1:8d:0d:67:96:75:74:
+                    d7:ea:58:4a:d7:f7:74:c2:38:19:94:18:95:a6:04:
+                    38:d9:38:24:81:91:d2:07:e1:3e:51:f4:57:83:b0:
+                    45:e2:34:e7:67:8e:0e:bd:d9:71:41:40:52:3b:7e:
+                    6e:91
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                29:7A:F9:B4:E3:1B:8F:19:63:52:FA:19:A0:AB:DA:37:E4:70:A9:71
+                59:7F:0E:5C:5B:04:78:41:DB:55:AC:9E:07:50:E4:FB:9E:26:28:C8
             X509v3 Authority Key Identifier: 
-                keyid:84:46:29:88:74:31:EF:A6:CC:3C:E3:58:29:DE:BE:FD:1B:F4:59:98
+                keyid:B1:21:EA:DF:EB:EB:ED:BB:BE:BE:0F:FA:69:1D:B6:28:E9:6F:8F:45
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta4/emailAddress=ta4
-                serial:E8:F7:8D:38:FA:4B:55:DD
+                serial:98:F5:DE:E5:E8:5C:CD:26
 
             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         91:d2:2e:6f:55:ce:c6:39:d8:b4:1f:7a:df:7f:bd:8f:4e:66:
-         ec:10:3d:35:f1:36:22:90:ae:b7:16:e4:48:f5:ec:63:27:e8:
-         88:32:78:ac:21:cc:71:f9:46:6a:73:b7:09:24:a7:44:68:41:
-         a5:07:f9:a3:ec:c7:53:ca:68:e4:09:68:b7:ee:11:f2:8c:08:
-         80:3c:a5:56:e2:f3:a8:aa:1e:34:99:49:26:8a:1f:50:36:d2:
-         0e:ee:b6:a0:a6:e6:b0:94:41:a6:bc:de:93:6f:af:b3:fa:f4:
-         a3:c3:46:83:f8:27:67:8e:9e:40:ec:79:08:0b:e2:46:73:61:
-         0d:c6
+         4b:d5:d6:af:df:60:18:e2:66:8c:5e:87:2c:bb:50:8d:4b:c0:
+         85:63:c3:c4:6f:00:fb:3c:fa:5e:3f:8e:a6:b0:4c:91:ef:29:
+         c7:30:82:e6:25:68:44:b5:a8:d0:8a:37:e1:50:e2:2a:ce:37:
+         8d:d9:70:84:f0:90:c6:8f:2e:eb:09:f5:5a:5f:e6:4c:1c:24:
+         8a:32:17:50:51:47:e5:23:bb:c0:47:47:71:58:36:3a:4e:91:
+         79:06:0d:c8:00:e7:20:15:12:bb:28:e3:85:bd:55:dc:78:d5:
+         10:79:f8:f0:fb:62:af:81:50:0f:3d:fe:d4:36:4c:60:92:54:
+         3a:31:d0:6d:62:b4:29:dd:bd:33:c2:82:ba:00:5b:7a:b4:6d:
+         12:d0:0b:fc:dc:65:68:98:d1:73:2a:f1:c0:36:cd:16:b2:e6:
+         f5:8e:fc:b9:35:66:43:cb:2e:01:c7:73:4b:75:95:b8:4f:b4:
+         58:8c:f7:44:7e:cc:3b:26:39:8f:ad:10:e5:ad:16:f1:8b:1b:
+         17:bb:79:16:e6:c7:53:f5:7c:6b:4c:a8:fb:95:63:8f:69:ff:
+         67:39:7a:a0:33:67:00:e3:8f:49:77:e5:90:61:1f:da:7d:d8:
+         7f:f3:95:b6:74:fc:a0:36:5c:4d:99:39:d2:5f:62:2e:7b:78:
+         46:89:76:1a
 -----BEGIN CERTIFICATE-----
-MIIDMjCCApugAwIBAgIBIjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
+MIIENzCCAx+gAwIBAgIBIzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
-BAoMBHBrZzUxDDAKBgNVBAMMA3RhNDESMBAGCSqGSIb3DQEJARYDdGE0MB4XDTEz
-MTIxMzAwMTMzN1oXDTE2MDkwODAwMTMzN1owcTELMAkGA1UEBhMCVVMxEzARBgNV
+BAoMBHBrZzUxDDAKBgNVBAMMA3RhNDESMBAGCSqGSIb3DQEJARYDdGE0MB4XDTE2
+MDEyMjAxNTc1OVoXDTE4MTAxODAxNTc1OVowcTELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
-a2c1MRAwDgYDVQQDDAdjaDFfdGE0MRYwFAYJKoZIhvcNAQkBFgdjaDFfdGE0MIGf
-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0JRw6wiavjYJNKePgeG8rfzyxjMA3
-lnHSQiHfLsTAWmDkcW8F34ioS+yHVI0IyfcZhKXQzMtDw3BpZy5MvuYtk5D5AjCn
-Q9If5dTPW1x0iAYO7s14LC8nTJkvvppzW5sc42dUtnSnyTHTY2rFSlAi66/izXre
-WWhqpg4m1lK2oQIDAQABo4HhMIHeMB0GA1UdDgQWBBQpevm04xuPGWNS+hmgq9o3
-5HCpcTCBmwYDVR0jBIGTMIGQgBSERimIdDHvpsw841gp3r79G/RZmKFtpGswaTEL
-MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRh
-IENsYXJhMQ0wCwYDVQQKDARwa2c1MQwwCgYDVQQDDAN0YTQxEjAQBgkqhkiG9w0B
-CQEWA3RhNIIJAOj3jTj6S1XdMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD
-AgEGMA0GCSqGSIb3DQEBCwUAA4GBAJHSLm9VzsY52LQfet9/vY9OZuwQPTXxNiKQ
-rrcW5Ej17GMn6IgyeKwhzHH5Rmpztwkkp0RoQaUH+aPsx1PKaOQJaLfuEfKMCIA8
-pVbi86iqHjSZSSaKH1A20g7utqCm5rCUQaa83pNvr7P69KPDRoP4J2eOnkDseQgL
-4kZzYQ3G
+a2c1MRAwDgYDVQQDDAdjaDFfdGE0MRYwFAYJKoZIhvcNAQkBFgdjaDFfdGE0MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu/1fVFT7SQFi4/nLxqHkJix9
+jkQM0yrefG3A435SrHwZjm0YvXYvLInRW+bky1i0GY3UFskjg/dIf91OD41WIUN7
+aT/sE9w0bvAo5SHrRSwPUMEXDfeB7rts7vjnPbli2UWS8VL40+AM/MzbmGohFXF+
+pBFF4rvVuyps0uyB4JJZ5tvZxMI24VVzc5TLw7UfpCcuo2ClqlI7VYkE+PLISqAE
+wdFLy+rZ0Hi0SNtHJLtFWxdsvXAKiNcLhcA6lj2urNrHlUqLAhpCv7GNDWeWdXTX
+6lhK1/d0wjgZlBiVpgQ42TgkgZHSB+E+UfRXg7BF4jTnZ44OvdlxQUBSO35ukQID
+AQABo4HhMIHeMB0GA1UdDgQWBBRZfw5cWwR4QdtVrJ4HUOT7niYoyDCBmwYDVR0j
+BIGTMIGQgBSxIerf6+vtu76+D/ppHbYo6W+PRaFtpGswaTELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYD
+VQQKDARwa2c1MQwwCgYDVQQDDAN0YTQxEjAQBgkqhkiG9w0BCQEWA3RhNIIJAJj1
+3uXoXM0mMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
+DQEBCwUAA4IBAQBL1dav32AY4maMXocsu1CNS8CFY8PEbwD7PPpeP46msEyR7ynH
+MILmJWhEtajQijfhUOIqzjeN2XCE8JDGjy7rCfVaX+ZMHCSKMhdQUUflI7vAR0dx
+WDY6TpF5Bg3IAOcgFRK7KOOFvVXceNUQefjw+2KvgVAPPf7UNkxgklQ6MdBtYrQp
+3b0zwoK6AFt6tG0S0Av83GVomNFzKvHANs0Wsub1jvy5NWZDyy4Bx3NLdZW4T7RY
+jPdEfsw7JjmPrRDlrRbxixsXu3kW5sdT9XxrTKj7lWOPaf9nOXqgM2cA449Jd+WQ
+YR/afdh/85W2dPygNlxNmTnSX2Iue3hGiXYa
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/ch1_ta5_cert.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/ch1_ta5_cert.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -1,34 +1,43 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 40 (0x28)
+        Serial Number: 41 (0x29)
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta5/emailAddress=ta5
         Validity
-            Not Before: Dec 13 00:13:38 2013 GMT
-            Not After : Sep  8 00:13:38 2016 GMT
+            Not Before: Jan 22 01:57:59 2016 GMT
+            Not After : Oct 18 01:57:59 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1_ta5/emailAddress=ch1_ta5
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:c6:67:76:93:23:82:9f:2f:70:27:4f:64:9e:c3:
-                    80:4d:e3:9d:bb:f9:ea:2e:f1:02:e1:e1:a8:5b:f6:
-                    dc:c9:7b:ef:be:5a:41:11:bd:c4:51:e1:d8:74:6a:
-                    16:89:83:f7:3a:fd:0b:cc:9b:e6:96:d8:13:e3:ef:
-                    78:65:97:ff:81:90:97:e8:77:fd:ed:9c:56:2e:c7:
-                    a4:ec:f7:2c:fc:a0:f6:de:ab:ec:d6:e7:9e:35:e6:
-                    b7:dc:65:1b:c8:e4:5a:a2:9d:d8:5b:b9:fa:26:8c:
-                    8d:00:66:c4:05:28:9c:a8:3c:b1:81:c7:75:0a:51:
-                    ed:4f:49:d7:96:b5:8b:34:f9
+                    00:c4:30:ef:b0:77:4e:44:58:ca:72:ac:ea:37:5e:
+                    8d:4e:a1:89:7b:b1:ff:ee:da:e1:fb:3a:3c:b7:44:
+                    37:af:79:c9:ae:21:c6:d2:6d:27:68:a8:ac:b3:77:
+                    4f:9a:b9:51:af:f9:47:bf:49:6c:f6:21:f9:b9:78:
+                    2e:b4:a5:29:db:96:06:6a:2c:c6:25:6e:e9:eb:59:
+                    01:c1:c6:34:ef:1d:61:8f:5f:55:d8:fc:42:ac:12:
+                    5f:8c:b1:51:da:f6:82:7a:49:f4:2a:72:15:b0:1a:
+                    2c:7e:e5:4a:33:64:ca:ad:a2:7b:37:aa:7e:9a:ab:
+                    ce:e6:18:de:93:58:47:33:be:e7:48:da:c5:95:aa:
+                    fc:ff:83:b9:00:74:39:dd:21:b8:d3:5b:3d:e3:28:
+                    ef:11:59:65:9b:96:59:a5:fe:08:ab:8e:80:ba:32:
+                    09:38:1c:a1:b1:99:db:3e:90:0e:e6:cd:51:d4:4f:
+                    75:98:67:c3:42:71:76:0a:b4:e1:fb:44:c0:8a:35:
+                    d9:a2:d3:7b:e0:0c:4d:4b:67:06:ee:5c:06:72:81:
+                    25:bd:b1:5c:db:19:55:e3:9a:ee:ae:58:46:60:5c:
+                    a2:df:f5:89:09:48:3f:cd:7f:9b:20:0e:84:ef:8c:
+                    5a:ea:5e:99:59:4b:91:af:18:5d:0a:08:c3:0c:38:
+                    87:6f
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                8E:29:B3:96:C1:67:FE:34:F3:55:99:68:C4:DA:2A:C0:24:8A:19:C6
+                AB:85:31:3F:5E:AA:BD:C0:59:AC:A2:04:AA:D7:29:E8:19:AE:FB:F4
             X509v3 Authority Key Identifier: 
-                keyid:29:DA:B1:46:E3:61:51:AC:3C:3E:F6:78:5B:95:7B:6D:B2:F9:17:21
+                keyid:DC:66:15:EE:AB:F6:53:B7:63:E5:B0:CB:B8:F0:D4:61:B5:27:94:3F
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta5/emailAddress=ta5
-                serial:A7:8F:F0:5E:6B:64:C2:46
+                serial:A9:DD:14:32:D5:19:7A:EA
 
             X509v3 Basic Constraints: critical
                 CA:TRUE
@@ -40,32 +49,44 @@
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         9d:32:27:d7:4e:4e:8b:e4:9f:d0:0d:11:f3:e5:be:5f:7f:7e:
-         cf:ef:98:41:33:ba:04:ba:d9:7a:11:88:b8:13:66:74:44:1c:
-         fb:1e:f3:fa:d4:18:85:cd:ed:f0:f8:c2:be:ab:75:cf:65:da:
-         1a:77:01:0e:aa:49:ea:af:a7:db:39:84:f2:01:1d:28:e7:df:
-         22:a9:59:5a:21:f9:f9:30:84:64:52:50:01:9b:b2:bf:ca:8a:
-         b4:8b:36:96:e3:1a:ea:51:53:36:82:ba:88:8f:15:8c:e6:79:
-         59:aa:71:9b:4c:58:a2:68:f0:43:36:15:af:69:af:32:ed:49:
-         c8:9c
+         13:bc:5b:b0:af:1c:17:88:8d:4f:2b:ee:1c:3b:b2:fd:2f:b9:
+         c3:18:d6:08:1d:3f:46:31:56:ca:97:ec:d6:96:18:b4:f0:9e:
+         9a:c6:c9:52:bc:b3:e9:f2:6c:27:a9:29:54:33:fa:15:59:16:
+         b7:e8:0c:d7:4a:a9:34:02:19:72:43:56:c0:ad:d2:b4:c0:61:
+         be:22:e5:e5:cf:68:8a:5c:50:b1:ee:5d:38:3d:83:65:27:58:
+         a6:10:ee:46:17:54:94:85:da:5e:da:1c:a4:0c:5a:31:78:47:
+         07:37:c1:c7:fa:49:84:84:5e:a5:e3:67:83:66:55:b1:9b:06:
+         c2:4f:75:83:19:4a:1f:86:33:14:08:10:90:fa:6a:5d:a8:d0:
+         69:8c:8b:9b:36:9a:80:2e:bc:f8:ec:8f:12:22:75:78:b9:eb:
+         ff:02:90:d3:77:32:16:ab:78:c8:62:46:22:78:c6:c1:22:30:
+         8e:a0:7a:78:1d:9f:14:fe:bf:39:f3:d2:d3:4f:65:32:5d:26:
+         8c:02:c1:9d:55:94:dd:ec:e1:b8:ab:0a:08:ff:7f:9f:ba:55:
+         88:23:72:d5:79:1d:e7:b0:54:9c:a6:bf:fa:7f:73:bc:19:ac:
+         b3:38:ab:d0:00:33:c2:dd:cb:30:69:98:4b:d5:5b:a6:f8:cd:
+         00:19:9c:dd
 -----BEGIN CERTIFICATE-----
-MIIDcDCCAtmgAwIBAgIBKDANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
+MIIEdTCCA12gAwIBAgIBKTANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
-BAoMBHBrZzUxDDAKBgNVBAMMA3RhNTESMBAGCSqGSIb3DQEJARYDdGE1MB4XDTEz
-MTIxMzAwMTMzOFoXDTE2MDkwODAwMTMzOFowcTELMAkGA1UEBhMCVVMxEzARBgNV
+BAoMBHBrZzUxDDAKBgNVBAMMA3RhNTESMBAGCSqGSIb3DQEJARYDdGE1MB4XDTE2
+MDEyMjAxNTc1OVoXDTE4MTAxODAxNTc1OVowcTELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
-a2c1MRAwDgYDVQQDDAdjaDFfdGE1MRYwFAYJKoZIhvcNAQkBFgdjaDFfdGE1MIGf
-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGZ3aTI4KfL3AnT2Sew4BN4527+eou
-8QLh4ahb9tzJe+++WkERvcRR4dh0ahaJg/c6/QvMm+aW2BPj73hll/+BkJfod/3t
-nFYux6Ts9yz8oPbeq+zW55415rfcZRvI5FqindhbufomjI0AZsQFKJyoPLGBx3UK
-Ue1PSdeWtYs0+QIDAQABo4IBHjCCARowHQYDVR0OBBYEFI4ps5bBZ/4081WZaMTa
-KsAkihnGMIGbBgNVHSMEgZMwgZCAFCnasUbjYVGsPD72eFuVe22y+RchoW2kazBp
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2Fu
-dGEgQ2xhcmExDTALBgNVBAoMBHBrZzUxDDAKBgNVBAMMA3RhNTESMBAGCSqGSIb3
-DQEJARYDdGE1ggkAp4/wXmtkwkYwDwYDVR0TAQH/BAUwAwEB/zA6BgNVHR8EMzAx
-MC+gLaArhilodHRwOi8vbG9jYWxob3N0OjEyMDAxL2ZpbGUvMC90YTVfY3JsLnBl
-bTAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAnTIn105Oi+Sf0A0R
-8+W+X39+z++YQTO6BLrZehGIuBNmdEQc+x7z+tQYhc3t8PjCvqt1z2XaGncBDqpJ
-6q+n2zmE8gEdKOffIqlZWiH5+TCEZFJQAZuyv8qKtIs2luMa6lFTNoK6iI8VjOZ5
-Wapxm0xYomjwQzYVr2mvMu1JyJw=
+a2c1MRAwDgYDVQQDDAdjaDFfdGE1MRYwFAYJKoZIhvcNAQkBFgdjaDFfdGE1MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxDDvsHdORFjKcqzqN16NTqGJ
+e7H/7trh+zo8t0Q3r3nJriHG0m0naKiss3dPmrlRr/lHv0ls9iH5uXgutKUp25YG
+aizGJW7p61kBwcY07x1hj19V2PxCrBJfjLFR2vaCekn0KnIVsBosfuVKM2TKraJ7
+N6p+mqvO5hjek1hHM77nSNrFlar8/4O5AHQ53SG401s94yjvEVllm5ZZpf4Iq46A
+ujIJOByhsZnbPpAO5s1R1E91mGfDQnF2CrTh+0TAijXZotN74AxNS2cG7lwGcoEl
+vbFc2xlV45rurlhGYFyi3/WJCUg/zX+bIA6E74xa6l6ZWUuRrxhdCgjDDDiHbwID
+AQABo4IBHjCCARowHQYDVR0OBBYEFKuFMT9eqr3AWayiBKrXKegZrvv0MIGbBgNV
+HSMEgZMwgZCAFNxmFe6r9lO3Y+Wwy7jw1GG1J5Q/oW2kazBpMQswCQYDVQQGEwJV
+UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
+BgNVBAoMBHBrZzUxDDAKBgNVBAMMA3RhNTESMBAGCSqGSIb3DQEJARYDdGE1ggkA
+qd0UMtUZeuowDwYDVR0TAQH/BAUwAwEB/zA6BgNVHR8EMzAxMC+gLaArhilodHRw
+Oi8vbG9jYWxob3N0OjEyMDAxL2ZpbGUvMC90YTVfY3JsLnBlbTAOBgNVHQ8BAf8E
+BAMCAQYwDQYJKoZIhvcNAQELBQADggEBABO8W7CvHBeIjU8r7hw7sv0vucMY1ggd
+P0YxVsqX7NaWGLTwnprGyVK8s+nybCepKVQz+hVZFrfoDNdKqTQCGXJDVsCt0rTA
+Yb4i5eXPaIpcULHuXTg9g2UnWKYQ7kYXVJSF2l7aHKQMWjF4Rwc3wcf6SYSEXqXj
+Z4NmVbGbBsJPdYMZSh+GMxQIEJD6al2o0GmMi5s2moAuvPjsjxIidXi56/8CkNN3
+MhareMhiRiJ4xsEiMI6gengdnxT+vznz0tNPZTJdJowCwZ1VlN3s4birCgj/f5+6
+VYgjctV5HeewVJymv/p/c7wZrLM4q9AAM8LdyzBpmEvVW6b4zQAZnN0=
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/ch2_ta1_cert.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/ch2_ta1_cert.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,28 +5,37 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1_ta1/emailAddress=ch1_ta1
         Validity
-            Not Before: Dec 13 00:13:34 2013 GMT
-            Not After : Sep  8 00:13:34 2016 GMT
+            Not Before: Jan 22 01:57:53 2016 GMT
+            Not After : Oct 18 01:57:53 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch2_ta1/emailAddress=ch2_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:be:c1:86:30:d2:a3:02:f4:00:33:fc:54:f3:6f:
-                    d7:27:99:7b:57:e2:f1:93:f8:58:1c:eb:9a:cc:6b:
-                    23:9b:b8:a9:11:27:50:9b:d7:a7:c2:fe:8b:ee:54:
-                    d0:5d:e2:24:04:47:1c:cc:54:b5:89:bb:a6:26:de:
-                    b9:3b:73:19:67:5e:9a:88:12:de:87:de:0e:26:c9:
-                    0c:44:13:65:23:cd:7f:34:d6:bb:45:20:87:7e:ba:
-                    48:d5:2f:3f:fc:d6:8d:d7:b7:b2:9f:42:ef:76:9a:
-                    cf:c3:01:ae:b9:8f:00:33:ea:28:15:ca:30:da:8f:
-                    25:76:a4:55:2a:2c:7a:b8:eb
+                    00:ac:2b:63:c0:6d:3e:96:73:cf:d9:f6:76:40:27:
+                    72:6b:c9:d4:10:27:d9:b1:b5:7b:f1:98:aa:d3:39:
+                    78:eb:98:40:95:81:6c:0b:d8:b7:ea:14:76:4b:36:
+                    f9:d6:c2:d2:2a:d7:01:2b:f6:1a:77:6f:dd:b8:01:
+                    0b:f5:89:cd:3b:94:5a:76:43:94:79:b5:62:a0:f7:
+                    b1:4e:3e:8a:9a:41:38:cf:ff:b4:e2:b8:97:ae:1f:
+                    55:5a:2c:bf:4b:c0:ba:25:66:4f:d3:c1:06:62:f8:
+                    b9:3f:a8:52:c0:55:a8:cc:8a:7e:ee:4a:1a:70:60:
+                    20:ee:66:88:9d:af:c9:58:13:bd:1b:59:cc:23:b4:
+                    94:56:88:ef:02:e1:da:45:28:7e:ba:6b:90:65:1b:
+                    b8:79:e8:6f:2e:92:5b:7f:e1:d2:f3:f0:26:64:64:
+                    b6:01:3f:78:73:6f:52:b3:26:e2:c9:be:0a:b8:13:
+                    72:e5:05:cc:bb:b8:68:93:2d:63:0b:f8:66:44:68:
+                    98:60:eb:a4:36:52:11:0d:eb:db:cf:a5:2d:dc:1d:
+                    ab:ff:cc:99:fc:1d:e8:82:3a:d6:a5:55:37:a3:96:
+                    12:e4:44:a3:bd:ec:4a:48:11:f6:95:17:31:1f:fc:
+                    00:ac:32:33:86:97:7e:8c:2f:09:8e:9e:08:22:56:
+                    9a:3d
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                12:30:0A:74:FD:DE:71:CF:4A:77:1E:1E:57:5E:F8:76:71:D7:5B:9E
+                36:30:72:96:D2:F9:D4:7A:AE:CF:C2:4B:3F:EE:52:AA:DF:9B:F3:12
             X509v3 Authority Key Identifier: 
-                keyid:36:46:2D:8A:1B:8B:CE:C1:1D:02:37:B9:EC:A5:FF:BA:73:AE:E5:48
+                keyid:2E:B3:14:E2:95:4C:93:07:05:A4:87:64:EA:C4:57:2D:52:3B:8C:F9
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ta1/emailAddress=ta1
                 serial:01
 
@@ -35,31 +44,43 @@
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         8e:a5:2a:c9:3f:e0:1f:a9:8c:a3:45:b8:0d:0e:35:43:c3:d6:
-         fe:f6:bc:0d:76:f0:26:d6:ab:e7:39:30:92:6f:cc:8e:0e:5f:
-         b0:92:29:41:39:41:14:2a:43:b1:bb:e5:d4:8c:b3:6e:b7:7b:
-         89:ab:3d:a4:e1:98:45:40:b9:1e:86:7b:b6:3f:55:e3:46:ab:
-         ed:41:45:6a:cc:af:a4:63:54:c8:ab:27:3f:59:67:8a:f5:60:
-         1b:63:b7:bb:27:94:00:8f:ee:f9:31:53:59:98:85:76:77:db:
-         dd:39:6f:1a:61:fe:0d:68:88:20:a8:d5:2b:c7:6a:08:5b:f1:
-         ac:9a
+         66:4a:2f:69:a3:d8:4f:31:e6:3b:89:bd:3e:9e:5a:b9:e7:f1:
+         a8:ba:dd:ef:e3:f5:73:b8:50:05:aa:65:50:01:db:14:47:d2:
+         03:f8:83:a0:ae:79:53:00:89:da:46:00:c7:31:b7:54:6d:17:
+         98:01:60:34:12:c0:df:1b:fb:c2:8e:74:34:74:76:1a:48:cf:
+         01:8f:45:ea:91:bb:39:73:9d:cb:3f:21:46:60:00:e8:5c:08:
+         cf:16:40:00:4b:b3:37:54:92:38:6f:bf:77:eb:78:71:3f:5f:
+         85:81:12:57:77:17:69:fc:5a:0e:ea:ca:50:29:0b:e2:b5:de:
+         20:bd:9c:bd:24:e4:c8:13:d4:04:de:f2:91:c5:ce:3a:7a:26:
+         a0:70:e0:d7:1b:60:43:61:c2:51:76:5a:4a:c4:9f:31:71:68:
+         55:9f:95:61:7b:bd:e2:bf:1f:b0:bb:4a:e7:01:48:10:3e:ea:
+         33:a5:75:0a:d6:96:c2:3b:fc:77:64:e4:79:fd:29:4d:00:24:
+         bb:57:41:ec:7f:69:e5:f5:92:ff:2c:1d:7a:43:06:04:7a:60:
+         e0:c0:65:f6:d5:cd:21:8d:3a:38:55:da:7f:5b:04:f2:5c:ab:
+         68:ba:9d:83:ef:71:21:6f:3b:60:e2:d4:50:40:0b:81:9b:4e:
+         1c:7b:c4:57
 -----BEGIN CERTIFICATE-----
-MIIDNTCCAp6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIEOjCCAyKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoMV90YTExFjAUBgkqhkiG9w0BCQEWB2NoMV90
-YTEwHhcNMTMxMjEzMDAxMzM0WhcNMTYwOTA4MDAxMzM0WjBxMQswCQYDVQQGEwJV
+YTEwHhcNMTYwMTIyMDE1NzUzWhcNMTgxMDE4MDE1NzUzWjBxMQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxEDAOBgNVBAMMB2NoMl90YTExFjAUBgkqhkiG9w0BCQEWB2No
-Ml90YTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL7BhjDSowL0ADP8VPNv
-1yeZe1fi8ZP4WBzrmsxrI5u4qREnUJvXp8L+i+5U0F3iJARHHMxUtYm7pibeuTtz
-GWdemogS3ofeDibJDEQTZSPNfzTWu0Ugh366SNUvP/zWjde3sp9C73aaz8MBrrmP
-ADPqKBXKMNqPJXakVSoserjrAgMBAAGjgdwwgdkwHQYDVR0OBBYEFBIwCnT93nHP
-SnceHlde+HZx11ueMIGTBgNVHSMEgYswgYiAFDZGLYobi87BHQI3ueyl/7pzruVI
-oW2kazBpMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UE
-BwwLU2FudGEgQ2xhcmExDTALBgNVBAoMBHBrZzUxDDAKBgNVBAMMA3RhMTESMBAG
-CSqGSIb3DQEJARYDdGExggEBMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/
-BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBAI6lKsk/4B+pjKNFuA0ONUPD1v72vA12
-8CbWq+c5MJJvzI4OX7CSKUE5QRQqQ7G75dSMs263e4mrPaThmEVAuR6Ge7Y/VeNG
-q+1BRWrMr6RjVMirJz9ZZ4r1YBtjt7snlACP7vkxU1mYhXZ32905bxph/g1oiCCo
-1SvHaghb8aya
+Ml90YTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsK2PAbT6Wc8/Z
+9nZAJ3JrydQQJ9mxtXvxmKrTOXjrmECVgWwL2LfqFHZLNvnWwtIq1wEr9hp3b924
+AQv1ic07lFp2Q5R5tWKg97FOPoqaQTjP/7TiuJeuH1VaLL9LwLolZk/TwQZi+Lk/
+qFLAVajMin7uShpwYCDuZoidr8lYE70bWcwjtJRWiO8C4dpFKH66a5BlG7h56G8u
+klt/4dLz8CZkZLYBP3hzb1KzJuLJvgq4E3LlBcy7uGiTLWML+GZEaJhg66Q2UhEN
+69vPpS3cHav/zJn8HeiCOtalVTejlhLkRKO97EpIEfaVFzEf/ACsMjOGl36MLwmO
+nggiVpo9AgMBAAGjgdwwgdkwHQYDVR0OBBYEFDYwcpbS+dR6rs/CSz/uUqrfm/MS
+MIGTBgNVHSMEgYswgYiAFC6zFOKVTJMHBaSHZOrEVy1SO4z5oW2kazBpMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xh
+cmExDTALBgNVBAoMBHBrZzUxDDAKBgNVBAMMA3RhMTESMBAGCSqGSIb3DQEJARYD
+dGExggEBMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqG
+SIb3DQEBCwUAA4IBAQBmSi9po9hPMeY7ib0+nlq55/Gout3v4/VzuFAFqmVQAdsU
+R9ID+IOgrnlTAInaRgDHMbdUbReYAWA0EsDfG/vCjnQ0dHYaSM8Bj0Xqkbs5c53L
+PyFGYADoXAjPFkAAS7M3VJI4b79363hxP1+FgRJXdxdp/FoO6spQKQvitd4gvZy9
+JOTIE9QE3vKRxc46eiagcODXG2BDYcJRdlpKxJ8xcWhVn5Vhe73ivx+wu0rnAUgQ
+PuozpXUK1pbCO/x3ZOR5/SlNACS7V0Hsf2nl9ZL/LB16QwYEemDgwGX21c0hjTo4
+Vdp/WwTyXKtoup2D73Ehbztg4tRQQAuBm04ce8RX
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/ch3_ta1_cert.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/ch3_ta1_cert.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,28 +5,37 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch2_ta1/emailAddress=ch2_ta1
         Validity
-            Not Before: Dec 13 00:13:34 2013 GMT
-            Not After : Sep  8 00:13:34 2016 GMT
+            Not Before: Jan 22 01:57:54 2016 GMT
+            Not After : Oct 18 01:57:54 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch3_ta1/emailAddress=ch3_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:d3:5b:f1:93:8f:01:0f:c0:25:d9:07:f1:70:29:
-                    1e:56:0b:ff:93:70:1d:45:02:ef:52:22:8a:04:c9:
-                    08:85:33:db:77:c3:33:d9:5c:fe:30:2a:a8:ac:9d:
-                    d8:97:dc:b4:69:51:5e:d1:c9:86:68:a7:e3:ab:35:
-                    e2:8f:d0:36:1b:67:be:50:88:66:7c:4b:4f:d3:86:
-                    78:92:d9:c5:62:c7:04:a3:d7:9e:8c:c3:ca:48:41:
-                    52:3f:a1:82:dc:f2:bb:d2:9c:a9:58:25:3a:0b:73:
-                    b6:41:ab:6a:c3:6a:70:ce:a1:20:0f:b6:db:e0:91:
-                    0b:0a:1f:dc:02:f4:ed:32:0f
+                    00:b6:d0:0d:56:d4:83:c8:22:08:fd:38:bd:e2:34:
+                    1e:1a:4e:8a:ca:b8:97:9b:69:75:be:78:1b:45:ae:
+                    aa:60:19:86:eb:4b:9a:9f:4b:76:4b:0e:20:e3:bf:
+                    31:89:b0:36:9e:b2:7f:70:17:50:d5:f3:5a:84:ee:
+                    57:3d:86:83:6e:34:47:bf:9a:3a:cb:a3:f1:e9:00:
+                    5a:82:cd:b9:61:63:ac:fa:dd:1a:23:9e:79:a0:13:
+                    1c:5b:9c:20:8f:a4:73:09:0b:6e:40:82:e1:13:98:
+                    8c:71:27:8b:4b:f9:20:a2:14:17:69:3c:ef:ba:68:
+                    8e:4d:61:b8:f4:fd:92:fc:5c:10:9c:12:5f:91:63:
+                    ae:57:a4:31:a2:67:46:60:c8:d9:10:ba:86:33:6f:
+                    99:a7:14:3a:42:5d:b2:77:f5:e5:52:9e:e9:f6:f5:
+                    01:ea:63:b1:71:97:cd:83:18:5c:07:40:44:b3:43:
+                    c7:af:f7:ad:d7:61:0f:7c:c7:60:5e:df:d4:06:f5:
+                    1d:ee:c1:19:0e:4b:13:e3:51:b6:b7:cc:3f:35:8f:
+                    6c:99:56:42:eb:86:8a:42:fa:4a:5c:60:06:75:a4:
+                    b1:6b:ea:eb:0c:eb:21:5d:2d:0f:0c:a0:fd:3e:67:
+                    42:b4:a1:da:57:3c:a6:50:a4:df:0a:8e:ca:fc:10:
+                    2c:bd
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                8F:2A:82:4C:1E:39:97:C3:4A:6A:52:FC:D4:CB:E6:37:CE:12:91:59
+                EE:A0:C0:54:B5:84:89:28:80:79:49:CE:D0:A9:C6:8B:B9:8E:85:20
             X509v3 Authority Key Identifier: 
-                keyid:12:30:0A:74:FD:DE:71:CF:4A:77:1E:1E:57:5E:F8:76:71:D7:5B:9E
+                keyid:36:30:72:96:D2:F9:D4:7A:AE:CF:C2:4B:3F:EE:52:AA:DF:9B:F3:12
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ch1_ta1/emailAddress=ch1_ta1
                 serial:02
 
@@ -35,31 +44,43 @@
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         94:2a:c9:c9:21:b7:bd:3a:72:31:65:89:16:11:00:e1:46:38:
-         16:b6:cd:d4:04:b3:18:71:3d:8d:4a:0a:ec:02:4e:ee:58:2c:
-         7d:d2:0b:6f:c6:d2:be:a6:f9:1c:e7:c2:76:2a:09:87:d2:06:
-         8e:0d:aa:66:70:e8:8f:ff:7d:1d:e4:4e:9b:58:71:f7:40:46:
-         a8:79:9d:86:6c:bf:64:3b:76:66:6c:08:21:62:09:6d:7b:f4:
-         5d:e2:8e:1c:e6:e3:56:71:de:b7:fe:92:07:f0:7e:13:e0:ad:
-         62:b3:08:9f:06:7e:9b:f6:8b:76:96:df:86:30:0e:bb:ef:9b:
-         b3:07
+         a6:cf:99:19:6d:0e:6c:46:8b:9a:79:e7:12:d9:3b:13:6f:c9:
+         98:05:09:5c:a4:14:42:de:2d:bf:cc:85:39:a7:ec:e3:fb:1c:
+         73:76:0c:8f:ab:1a:e7:f3:4a:cb:44:8e:33:a0:3c:3d:6a:21:
+         88:87:e2:52:d7:27:23:05:c9:f5:59:a8:b7:c3:e6:00:01:6c:
+         85:98:cd:37:30:f9:f9:d7:6f:07:56:5d:f0:c6:a6:d7:aa:ec:
+         a6:f4:40:97:aa:45:f3:3e:25:22:fa:fb:4a:04:42:3c:77:36:
+         96:91:2d:49:8a:ba:07:cb:70:69:71:6d:4f:5e:9c:f0:1d:8f:
+         ed:22:fd:5b:c6:c6:87:b0:e9:0c:20:51:17:09:a3:2f:fd:da:
+         e9:84:5e:5e:d4:9a:39:b9:e4:75:e2:4f:8e:35:71:97:46:2d:
+         3c:6e:30:dd:92:5a:86:29:b4:7a:27:aa:cf:1e:d2:31:6e:f7:
+         d7:7f:f3:d6:17:e3:dd:4d:13:d3:d4:3e:d4:3a:ab:46:f7:68:
+         e7:b9:9f:28:26:f2:ec:f4:f1:96:ea:09:d0:fe:ed:08:8c:52:
+         98:ff:ad:47:0d:2f:c5:24:9b:58:17:5c:4e:a2:bb:11:29:84:
+         03:91:d8:a6:31:a7:cf:b3:f7:3b:e0:f1:6e:4b:90:13:77:ba:
+         7f:0b:cc:ea
 -----BEGIN CERTIFICATE-----
-MIIDPTCCAqagAwIBAgIBAzANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIEQjCCAyqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoMl90YTExFjAUBgkqhkiG9w0BCQEWB2NoMl90
-YTEwHhcNMTMxMjEzMDAxMzM0WhcNMTYwOTA4MDAxMzM0WjBxMQswCQYDVQQGEwJV
+YTEwHhcNMTYwMTIyMDE1NzU0WhcNMTgxMDE4MDE1NzU0WjBxMQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxEDAOBgNVBAMMB2NoM190YTExFjAUBgkqhkiG9w0BCQEWB2No
-M190YTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANNb8ZOPAQ/AJdkH8XAp
-HlYL/5NwHUUC71IiigTJCIUz23fDM9lc/jAqqKyd2JfctGlRXtHJhmin46s14o/Q
-NhtnvlCIZnxLT9OGeJLZxWLHBKPXnozDykhBUj+hgtzyu9KcqVglOgtztkGrasNq
-cM6hIA+22+CRCwof3AL07TIPAgMBAAGjgeQwgeEwHQYDVR0OBBYEFI8qgkweOZfD
-SmpS/NTL5jfOEpFZMIGbBgNVHSMEgZMwgZCAFBIwCnT93nHPSnceHlde+HZx11ue
-oXWkczBxMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UE
-BwwLU2FudGEgQ2xhcmExDTALBgNVBAoMBHBrZzUxEDAOBgNVBAMMB2NoMV90YTEx
-FjAUBgkqhkiG9w0BCQEWB2NoMV90YTGCAQIwEgYDVR0TAQH/BAgwBgEB/wIBAjAO
-BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAlCrJySG3vTpyMWWJFhEA
-4UY4FrbN1ASzGHE9jUoK7AJO7lgsfdILb8bSvqb5HOfCdioJh9IGjg2qZnDoj/99
-HeROm1hx90BGqHmdhmy/ZDt2ZmwIIWIJbXv0XeKOHObjVnHet/6SB/B+E+CtYrMI
-nwZ+m/aLdpbfhjAOu++bswc=
+M190YTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC20A1W1IPIIgj9
+OL3iNB4aTorKuJebaXW+eBtFrqpgGYbrS5qfS3ZLDiDjvzGJsDaesn9wF1DV81qE
+7lc9hoNuNEe/mjrLo/HpAFqCzblhY6z63RojnnmgExxbnCCPpHMJC25AguETmIxx
+J4tL+SCiFBdpPO+6aI5NYbj0/ZL8XBCcEl+RY65XpDGiZ0ZgyNkQuoYzb5mnFDpC
+XbJ39eVSnun29QHqY7Fxl82DGFwHQESzQ8ev963XYQ98x2Be39QG9R3uwRkOSxPj
+Uba3zD81j2yZVkLrhopC+kpcYAZ1pLFr6usM6yFdLQ8MoP0+Z0K0odpXPKZQpN8K
+jsr8ECy9AgMBAAGjgeQwgeEwHQYDVR0OBBYEFO6gwFS1hIkogHlJztCpxou5joUg
+MIGbBgNVHSMEgZMwgZCAFDYwcpbS+dR6rs/CSz/uUqrfm/MSoXWkczBxMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xh
+cmExDTALBgNVBAoMBHBrZzUxEDAOBgNVBAMMB2NoMV90YTExFjAUBgkqhkiG9w0B
+CQEWB2NoMV90YTGCAQIwEgYDVR0TAQH/BAgwBgEB/wIBAjAOBgNVHQ8BAf8EBAMC
+AQYwDQYJKoZIhvcNAQELBQADggEBAKbPmRltDmxGi5p55xLZOxNvyZgFCVykFELe
+Lb/MhTmn7OP7HHN2DI+rGufzSstEjjOgPD1qIYiH4lLXJyMFyfVZqLfD5gABbIWY
+zTcw+fnXbwdWXfDGpteq7Kb0QJeqRfM+JSL6+0oEQjx3NpaRLUmKugfLcGlxbU9e
+nPAdj+0i/VvGxoew6QwgURcJoy/92umEXl7Umjm55HXiT441cZdGLTxuMN2SWoYp
+tHonqs8e0jFu99d/89YX491NE9PUPtQ6q0b3aOe5nygm8uz08ZbqCdD+7QiMUpj/
+rUcNL8Ukm1gXXE6iuxEphAOR2KYxp8+z9zvg8W5LkBN3un8LzOo=
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/ch4.3_ta1_cert.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/ch4.3_ta1_cert.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,28 +5,37 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch3_ta1/emailAddress=ch3_ta1
         Validity
-            Not Before: Dec 13 00:13:35 2013 GMT
-            Not After : Sep  8 00:13:35 2016 GMT
+            Not Before: Jan 22 01:57:55 2016 GMT
+            Not After : Oct 18 01:57:55 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch4.3_ta1/emailAddress=ch4.3_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:dd:ec:30:ee:2a:39:ec:cf:6d:c0:b9:04:f2:e0:
-                    0f:04:7a:e9:ab:f0:27:28:d9:6b:70:e5:c4:9b:c6:
-                    1b:bb:71:16:42:d5:47:80:60:2c:f6:26:90:9d:0b:
-                    cc:1b:18:bf:54:98:c7:e8:ba:bf:a2:5d:60:c9:b3:
-                    09:79:de:ee:02:d9:b9:70:22:c3:cd:60:04:5f:1e:
-                    df:a3:8f:43:73:ea:68:5e:df:70:86:aa:67:75:5a:
-                    59:ef:cd:0d:e4:f1:6d:ee:d3:bb:04:c7:52:e5:72:
-                    53:2a:e2:f3:02:65:7f:53:46:c3:15:e4:cb:8d:1b:
-                    cf:8f:1e:8d:6d:04:07:09:77
+                    00:b1:69:ee:17:3e:0a:15:50:23:89:d7:d7:87:ee:
+                    b7:6d:ec:73:ba:42:9f:ea:ba:f5:89:74:b7:be:8d:
+                    4b:42:9b:7b:30:37:1a:62:fa:39:05:38:95:c2:72:
+                    3f:99:ed:73:6f:f0:e9:4a:20:7b:6c:e8:bf:b3:7a:
+                    78:95:50:3e:95:25:6d:fb:ac:90:7d:48:82:87:1f:
+                    9f:37:7b:58:51:19:3e:1f:a7:14:42:04:84:12:06:
+                    4e:29:c9:25:45:8c:fc:08:c9:c9:8a:16:0d:55:ec:
+                    45:b5:80:6e:aa:82:a3:4d:fd:d1:cf:80:d3:b6:e6:
+                    01:7a:17:3a:fa:51:90:de:05:02:44:ba:c5:c2:4d:
+                    ba:d1:25:1a:7c:2e:ad:d1:84:c2:ce:0e:78:c2:8f:
+                    d8:42:ce:52:b1:3e:7f:b1:e4:14:bc:95:7d:16:b9:
+                    4a:a8:1d:b5:bd:15:b8:7e:89:5d:11:f9:b6:3a:c0:
+                    f2:ec:01:6e:8a:79:a6:5c:ac:c1:bb:d8:1c:b3:c7:
+                    2a:ed:4a:1d:83:9f:94:da:ac:f8:c7:29:ce:23:5b:
+                    e5:17:62:ec:14:86:a2:a1:22:81:55:b7:22:ef:a2:
+                    a7:e0:77:be:a9:c8:b0:e5:fe:87:93:fe:47:68:dc:
+                    eb:bc:57:b0:b4:cb:5c:d8:97:0d:49:01:d6:71:fe:
+                    7a:d7
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                16:06:DB:79:36:82:5D:96:BA:FD:0F:C3:3D:E2:64:BA:E6:03:E6:3A
+                CA:50:20:B6:70:62:DE:6B:28:77:63:00:64:FE:D0:58:9E:50:16:24
             X509v3 Authority Key Identifier: 
-                keyid:8F:2A:82:4C:1E:39:97:C3:4A:6A:52:FC:D4:CB:E6:37:CE:12:91:59
+                keyid:EE:A0:C0:54:B5:84:89:28:80:79:49:CE:D0:A9:C6:8B:B9:8E:85:20
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ch2_ta1/emailAddress=ch2_ta1
                 serial:03
 
@@ -35,31 +44,43 @@
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         26:70:cc:69:5b:26:cf:cc:1d:19:b6:61:20:59:22:d7:fa:a3:
-         d9:fa:e2:e3:87:07:24:5a:41:5b:7e:21:4c:f5:32:d2:d8:fd:
-         a5:17:b5:c4:0f:9a:d2:a6:dd:45:9f:13:2a:30:8a:75:5b:69:
-         9b:dd:06:85:3e:19:06:7d:5d:0f:3f:15:64:76:41:e9:a8:30:
-         bd:d7:26:66:07:60:da:e2:ec:80:44:6d:a5:8b:fd:9a:3a:0b:
-         92:b9:6c:f8:72:cc:7e:24:78:a2:a3:f7:ef:47:7a:aa:8b:89:
-         45:33:ff:01:bd:a0:d0:18:ea:a1:46:98:b5:7f:00:e1:00:8e:
-         7e:68
+         25:89:18:a4:a1:6c:3e:e3:f0:0f:a9:9c:3e:4e:15:a6:42:34:
+         22:b6:27:35:b0:d1:88:96:c3:3e:05:4a:26:dc:3f:65:a1:09:
+         64:b1:60:d8:af:2f:5c:4b:fe:d1:48:d5:b7:84:83:30:f8:e6:
+         42:7f:d2:a0:e4:a7:77:5c:92:87:64:20:b7:48:df:0b:ef:de:
+         eb:84:83:4b:5c:60:0e:89:85:1e:5e:9a:65:bc:c5:ac:96:85:
+         83:17:85:dd:2f:0a:e8:f5:80:89:a6:4a:55:c6:1a:69:0f:1b:
+         3f:25:da:42:31:91:92:87:c7:07:40:9f:20:5a:ac:c5:c5:5d:
+         9c:fc:82:4b:2e:ea:8e:b3:fd:94:85:dd:0b:10:09:de:16:4d:
+         47:af:59:86:ca:e8:84:c0:75:ac:2a:9c:9e:c7:16:c9:64:75:
+         04:87:35:a9:89:b3:a8:92:01:c8:11:fd:79:27:69:16:52:bf:
+         23:ff:2f:91:31:e6:b0:e8:66:54:fe:99:c4:7c:bd:d2:53:bf:
+         22:14:e2:4e:15:f3:f1:c6:f7:2e:6d:07:95:09:69:66:01:d7:
+         89:ce:f9:92:3c:25:fb:84:9a:16:fd:c0:b8:bf:65:6d:b2:34:
+         a4:61:79:21:13:62:c6:72:97:aa:64:42:ab:8f:ce:83:84:2a:
+         1e:b0:4f:bc
 -----BEGIN CERTIFICATE-----
-MIIDQTCCAqqgAwIBAgIBDDANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIERjCCAy6gAwIBAgIBDDANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoM190YTExFjAUBgkqhkiG9w0BCQEWB2NoM190
-YTEwHhcNMTMxMjEzMDAxMzM1WhcNMTYwOTA4MDAxMzM1WjB1MQswCQYDVQQGEwJV
+YTEwHhcNMTYwMTIyMDE1NzU1WhcNMTgxMDE4MDE1NzU1WjB1MQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxEjAQBgNVBAMMCWNoNC4zX3RhMTEYMBYGCSqGSIb3DQEJARYJ
-Y2g0LjNfdGExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDd7DDuKjnsz23A
-uQTy4A8Eeumr8Cco2Wtw5cSbxhu7cRZC1UeAYCz2JpCdC8wbGL9UmMfour+iXWDJ
-swl53u4C2blwIsPNYARfHt+jj0Nz6mhe33CGqmd1WlnvzQ3k8W3u07sEx1LlclMq
-4vMCZX9TRsMV5MuNG8+PHo1tBAcJdwIDAQABo4HkMIHhMB0GA1UdDgQWBBQWBtt5
-NoJdlrr9D8M94mS65gPmOjCBmwYDVR0jBIGTMIGQgBSPKoJMHjmXw0pqUvzUy+Y3
-zhKRWaF1pHMwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDAS
-BgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARwa2c1MRAwDgYDVQQDDAdjaDJf
-dGExMRYwFAYJKoZIhvcNAQkBFgdjaDJfdGExggEDMBIGA1UdEwEB/wQIMAYBAf8C
-AQAwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBACZwzGlbJs/MHRm2
-YSBZItf6o9n64uOHByRaQVt+IUz1MtLY/aUXtcQPmtKm3UWfEyowinVbaZvdBoU+
-GQZ9XQ8/FWR2QemoML3XJmYHYNri7IBEbaWL/Zo6C5K5bPhyzH4keKKj9+9HeqqL
-iUUz/wG9oNAY6qFGmLV/AOEAjn5o
+Y2g0LjNfdGExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsWnuFz4K
+FVAjidfXh+63bexzukKf6rr1iXS3vo1LQpt7MDcaYvo5BTiVwnI/me1zb/DpSiB7
+bOi/s3p4lVA+lSVt+6yQfUiChx+fN3tYURk+H6cUQgSEEgZOKcklRYz8CMnJihYN
+VexFtYBuqoKjTf3Rz4DTtuYBehc6+lGQ3gUCRLrFwk260SUafC6t0YTCzg54wo/Y
+Qs5SsT5/seQUvJV9FrlKqB21vRW4foldEfm2OsDy7AFuinmmXKzBu9gcs8cq7Uod
+g5+U2qz4xynOI1vlF2LsFIaioSKBVbci76Kn4He+qciw5f6Hk/5HaNzrvFewtMtc
+2JcNSQHWcf561wIDAQABo4HkMIHhMB0GA1UdDgQWBBTKUCC2cGLeayh3YwBk/tBY
+nlAWJDCBmwYDVR0jBIGTMIGQgBTuoMBUtYSJKIB5Sc7QqcaLuY6FIKF1pHMwcTEL
+MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRh
+IENsYXJhMQ0wCwYDVQQKDARwa2c1MRAwDgYDVQQDDAdjaDJfdGExMRYwFAYJKoZI
+hvcNAQkBFgdjaDJfdGExggEDMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/
+BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAliRikoWw+4/APqZw+ThWmQjQitic1
+sNGIlsM+BUom3D9loQlksWDYry9cS/7RSNW3hIMw+OZCf9Kg5Kd3XJKHZCC3SN8L
+797rhINLXGAOiYUeXpplvMWsloWDF4XdLwro9YCJpkpVxhppDxs/JdpCMZGSh8cH
+QJ8gWqzFxV2c/IJLLuqOs/2Uhd0LEAneFk1Hr1mGyuiEwHWsKpyexxbJZHUEhzWp
+ibOokgHIEf15J2kWUr8j/y+RMeaw6GZU/pnEfL3SU78iFOJOFfPxxvcubQeVCWlm
+AdeJzvmSPCX7hJoW/cC4v2VtsjSkYXkhE2LGcpeqZEKrj86DhCoesE+8
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/ch4_ta1_cert.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/ch4_ta1_cert.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,28 +5,37 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch3_ta1/emailAddress=ch3_ta1
         Validity
-            Not Before: Dec 13 00:13:34 2013 GMT
-            Not After : Sep  8 00:13:34 2016 GMT
+            Not Before: Jan 22 01:57:54 2016 GMT
+            Not After : Oct 18 01:57:54 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch4_ta1/emailAddress=ch4_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:af:c3:8b:39:3e:21:56:8a:d6:97:1b:c7:aa:c7:
-                    51:9e:e9:cf:15:1f:24:e6:91:92:81:b3:7d:30:eb:
-                    ea:12:30:13:03:d0:b9:60:41:8b:eb:88:f4:1f:e5:
-                    43:cf:b5:ae:47:7a:4d:46:6e:f8:16:42:67:db:20:
-                    e4:0d:1f:96:4f:21:59:95:f6:70:33:32:45:81:18:
-                    5e:a5:5b:fd:4a:e6:d7:97:cf:45:65:e7:74:79:5f:
-                    a5:9f:e1:c7:a5:d0:5d:24:a7:32:18:68:13:57:4c:
-                    cf:78:12:6f:9f:5c:e6:4d:be:89:24:4b:29:d8:02:
-                    b2:f9:f9:13:cf:92:43:0f:e5
+                    00:f0:be:9f:7c:fb:8e:9a:93:80:30:b8:43:a6:70:
+                    13:a9:0b:fb:0c:f7:02:6d:4e:75:db:4a:19:9c:4a:
+                    29:c3:e8:58:ba:7b:39:66:4e:d0:04:d6:e4:4c:73:
+                    0b:9b:c1:e2:c5:fa:e7:4d:19:c6:e3:ec:ae:13:23:
+                    54:ab:12:42:d0:fc:ef:10:5c:8b:2c:c7:00:b8:35:
+                    ad:d8:f6:af:cc:9d:6f:19:1c:20:f9:14:f3:1e:69:
+                    ce:85:c0:3d:2d:25:6d:79:01:1c:89:fb:2b:f6:2a:
+                    c7:ea:89:3f:b8:6a:c5:20:60:79:cd:c5:3d:2f:d4:
+                    57:54:63:04:69:fc:fa:0c:a6:23:ee:e4:6e:e3:e2:
+                    60:ac:91:01:a2:64:a4:f5:44:8a:7c:90:f3:b7:69:
+                    31:14:0e:53:f5:81:08:0b:50:0d:1c:43:f6:92:59:
+                    a5:fa:3a:98:72:38:c7:5f:e1:4e:a8:54:64:a9:d4:
+                    93:0e:e9:27:88:4a:b9:98:ba:aa:c8:31:0d:dc:fb:
+                    70:0d:06:63:1b:d0:ee:61:2f:9b:cf:18:d5:74:bc:
+                    53:63:b9:0d:0d:b9:f2:bc:6d:b2:c3:3d:0b:4c:84:
+                    09:28:9e:80:94:74:58:b7:af:97:9b:55:ed:a5:c7:
+                    c5:79:f9:df:a0:6d:ca:40:c0:a5:dc:09:c4:cd:ed:
+                    39:1b
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                54:8A:14:10:0B:AF:89:DC:1E:65:8A:17:37:6A:AC:D2:2B:6C:27:5C
+                44:81:49:A3:5B:7C:85:F2:A7:56:19:FF:64:98:AB:61:89:3E:E1:B7
             X509v3 Authority Key Identifier: 
-                keyid:8F:2A:82:4C:1E:39:97:C3:4A:6A:52:FC:D4:CB:E6:37:CE:12:91:59
+                keyid:EE:A0:C0:54:B5:84:89:28:80:79:49:CE:D0:A9:C6:8B:B9:8E:85:20
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ch2_ta1/emailAddress=ch2_ta1
                 serial:03
 
@@ -35,31 +44,43 @@
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         6a:17:96:16:a6:3f:96:b7:8e:fb:e5:d7:14:f9:a8:8e:52:16:
-         04:0d:58:4b:f7:c6:70:c4:3f:d3:2b:13:24:7b:47:2d:cf:89:
-         59:bf:5c:6c:17:31:46:c4:17:e5:41:fe:5e:3f:ec:44:2e:92:
-         94:eb:3b:c9:ff:d1:5e:c0:ad:d3:51:2b:12:11:87:b2:17:2f:
-         40:5a:ac:76:f0:0f:ed:cd:ca:be:b6:b2:ef:bf:d4:79:04:e0:
-         ed:88:33:96:b0:a4:27:41:a7:31:0b:c4:d9:6a:ad:7d:82:bb:
-         63:15:2a:00:8e:60:af:ee:a6:8a:d3:65:6a:b8:f9:7e:0e:cd:
-         bf:d5
+         36:66:82:04:35:26:cc:ce:07:00:e7:19:db:4e:05:22:af:98:
+         9f:8f:88:84:1b:75:57:3b:f7:0f:2a:da:ae:fe:36:e4:35:a9:
+         ff:57:7a:3f:4a:ec:71:ba:c6:4a:b5:6a:c7:e3:46:27:52:5b:
+         d0:dd:a3:c4:3a:78:8b:ac:21:5c:2a:68:71:ec:d8:cb:0f:f3:
+         35:07:82:53:3c:01:1b:69:34:cb:2a:85:3b:da:f1:b7:11:fe:
+         ec:12:3a:a2:c8:b1:80:fd:bd:40:b1:f2:b2:ed:1b:b3:83:87:
+         60:12:21:b9:e1:3a:ff:4a:3c:d0:6e:b5:07:4c:a8:db:e8:f4:
+         81:50:14:3c:4b:09:3a:fe:85:88:1a:72:d6:3c:2a:e2:67:c4:
+         51:cb:21:7e:22:78:30:34:dc:e9:41:fe:15:f5:cc:fc:85:64:
+         de:8f:89:c3:de:de:56:bb:a8:7f:4f:8c:98:27:e5:de:d0:4c:
+         13:f5:56:d9:7b:18:d4:09:21:99:6e:cd:27:c2:0f:e2:45:58:
+         a9:b1:b9:89:92:58:dd:94:a6:be:c5:3f:99:86:ca:15:74:00:
+         63:85:3f:ce:2a:d6:6d:04:03:91:c8:1f:de:dd:cc:0b:49:c3:
+         ea:76:e3:2f:87:4d:2e:75:86:ea:19:49:0f:a2:78:e5:7d:bb:
+         ef:bf:1c:b2
 -----BEGIN CERTIFICATE-----
-MIIDPTCCAqagAwIBAgIBBDANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIEQjCCAyqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoM190YTExFjAUBgkqhkiG9w0BCQEWB2NoM190
-YTEwHhcNMTMxMjEzMDAxMzM0WhcNMTYwOTA4MDAxMzM0WjBxMQswCQYDVQQGEwJV
+YTEwHhcNMTYwMTIyMDE1NzU0WhcNMTgxMDE4MDE1NzU0WjBxMQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxEDAOBgNVBAMMB2NoNF90YTExFjAUBgkqhkiG9w0BCQEWB2No
-NF90YTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK/Dizk+IVaK1pcbx6rH
-UZ7pzxUfJOaRkoGzfTDr6hIwEwPQuWBBi+uI9B/lQ8+1rkd6TUZu+BZCZ9sg5A0f
-lk8hWZX2cDMyRYEYXqVb/Urm15fPRWXndHlfpZ/hx6XQXSSnMhhoE1dMz3gSb59c
-5k2+iSRLKdgCsvn5E8+SQw/lAgMBAAGjgeQwgeEwHQYDVR0OBBYEFFSKFBALr4nc
-HmWKFzdqrNIrbCdcMIGbBgNVHSMEgZMwgZCAFI8qgkweOZfDSmpS/NTL5jfOEpFZ
-oXWkczBxMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UE
-BwwLU2FudGEgQ2xhcmExDTALBgNVBAoMBHBrZzUxEDAOBgNVBAMMB2NoMl90YTEx
-FjAUBgkqhkiG9w0BCQEWB2NoMl90YTGCAQMwEgYDVR0TAQH/BAgwBgEB/wIBATAO
-BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAaheWFqY/lreO++XXFPmo
-jlIWBA1YS/fGcMQ/0ysTJHtHLc+JWb9cbBcxRsQX5UH+Xj/sRC6SlOs7yf/RXsCt
-01ErEhGHshcvQFqsdvAP7c3Kvray77/UeQTg7YgzlrCkJ0GnMQvE2WqtfYK7YxUq
-AI5gr+6mitNlarj5fg7Nv9U=
+NF90YTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDwvp98+46ak4Aw
+uEOmcBOpC/sM9wJtTnXbShmcSinD6Fi6ezlmTtAE1uRMcwubweLF+udNGcbj7K4T
+I1SrEkLQ/O8QXIssxwC4Na3Y9q/MnW8ZHCD5FPMeac6FwD0tJW15ARyJ+yv2Ksfq
+iT+4asUgYHnNxT0v1FdUYwRp/PoMpiPu5G7j4mCskQGiZKT1RIp8kPO3aTEUDlP1
+gQgLUA0cQ/aSWaX6OphyOMdf4U6oVGSp1JMO6SeISrmYuqrIMQ3c+3ANBmMb0O5h
+L5vPGNV0vFNjuQ0NufK8bbLDPQtMhAkonoCUdFi3r5ebVe2lx8V5+d+gbcpAwKXc
+CcTN7TkbAgMBAAGjgeQwgeEwHQYDVR0OBBYEFESBSaNbfIXyp1YZ/2SYq2GJPuG3
+MIGbBgNVHSMEgZMwgZCAFO6gwFS1hIkogHlJztCpxou5joUgoXWkczBxMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xh
+cmExDTALBgNVBAoMBHBrZzUxEDAOBgNVBAMMB2NoMl90YTExFjAUBgkqhkiG9w0B
+CQEWB2NoMl90YTGCAQMwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMC
+AQYwDQYJKoZIhvcNAQELBQADggEBADZmggQ1JszOBwDnGdtOBSKvmJ+PiIQbdVc7
+9w8q2q7+NuQ1qf9Xej9K7HG6xkq1asfjRidSW9Ddo8Q6eIusIVwqaHHs2MsP8zUH
+glM8ARtpNMsqhTva8bcR/uwSOqLIsYD9vUCx8rLtG7ODh2ASIbnhOv9KPNButQdM
+qNvo9IFQFDxLCTr+hYgactY8KuJnxFHLIX4ieDA03OlB/hX1zPyFZN6PicPe3la7
+qH9PjJgn5d7QTBP1Vtl7GNQJIZluzSfCD+JFWKmxuYmSWN2Upr7FP5mGyhV0AGOF
+P84q1m0EA5HIH97dzAtJw+p24y+HTS51huoZSQ+ieOV9u++/HLI=
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/ch5.1_ta1_cert.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/ch5.1_ta1_cert.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,22 +5,31 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch4_ta1/emailAddress=ch4_ta1
         Validity
-            Not Before: Dec 13 00:13:34 2013 GMT
-            Not After : Sep  8 00:13:34 2016 GMT
+            Not Before: Jan 22 01:57:54 2016 GMT
+            Not After : Oct 18 01:57:54 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch5.1_ta1/emailAddress=ch5.1_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:9d:91:87:82:56:78:7f:64:32:62:7e:ee:6c:38:
-                    f2:a2:f6:34:ba:a9:ec:bb:6e:0f:87:ab:46:a4:37:
-                    ce:80:f1:b5:8b:9b:0a:4b:2a:b6:46:9b:f1:47:c0:
-                    6b:85:7f:64:08:61:ac:53:d4:3b:ce:54:2a:6d:a4:
-                    65:cd:a7:dc:a5:3a:33:bf:86:2b:f6:d0:fb:24:80:
-                    56:8f:4f:d4:f9:96:71:f3:86:74:4b:47:38:da:18:
-                    79:ae:d9:5b:9d:09:9e:f7:cb:b4:a7:85:33:85:20:
-                    d3:2a:fc:72:c1:37:62:01:d6:b1:cb:4a:a0:09:c2:
-                    72:ea:fd:b8:5d:03:68:33:7d
+                    00:f8:99:82:00:c1:73:68:ee:ab:3e:93:5c:b8:fa:
+                    1c:2d:94:58:4a:a7:ab:b7:0b:d5:6e:02:b5:2f:b0:
+                    e1:6c:c7:6f:aa:63:2d:1a:30:a3:2f:88:6d:21:be:
+                    e1:36:23:e4:22:19:99:3a:1d:2a:9e:ec:a6:2c:a2:
+                    5c:a1:26:96:70:22:80:04:0a:6b:c6:3f:b2:8c:ce:
+                    6a:32:e0:ae:4f:43:73:9a:db:0e:9e:b7:e5:92:a0:
+                    06:ac:48:a0:c8:fe:16:27:96:14:27:64:38:8a:78:
+                    a3:20:60:d4:9b:ed:47:14:b9:08:6b:7a:4f:ba:dc:
+                    db:c9:1c:c9:92:df:0a:37:01:7e:8e:1f:30:b0:fb:
+                    35:32:41:2d:65:c9:3f:65:b1:20:e7:e4:8a:1d:e1:
+                    10:b5:e8:57:14:59:bd:b8:2d:2b:d6:e8:7f:3c:c3:
+                    e2:7c:c6:f7:d3:08:d6:75:06:c7:56:32:fe:80:8e:
+                    f6:fd:c5:25:ac:49:c7:ad:1b:eb:de:aa:67:50:92:
+                    a3:2c:e5:09:81:07:44:b5:cf:9b:16:10:29:f8:98:
+                    05:3e:49:fc:e6:58:1f:93:b1:dd:82:67:e5:6b:dd:
+                    50:2f:0f:a1:ec:5a:34:83:b9:33:9d:65:37:c3:a7:
+                    03:e1:2a:56:48:3d:0f:d5:06:88:60:e6:3e:cb:ef:
+                    98:27
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
@@ -29,27 +38,39 @@
                 <EMPTY>
 
     Signature Algorithm: sha256WithRSAEncryption
-         11:3c:6b:22:14:f6:1a:18:8b:59:a4:8d:38:d6:6f:48:8a:01:
-         e2:d3:9d:6a:26:40:61:d3:9b:ce:8a:ab:b9:25:c4:89:c4:f9:
-         98:1e:6c:f5:1c:d7:f7:6a:c9:7b:48:ba:d7:e0:03:59:41:4d:
-         29:28:7d:2d:61:c5:7f:7f:8c:2f:30:2b:c6:6e:16:31:7d:45:
-         d2:2a:83:ea:fc:25:92:1f:cb:85:28:0a:f4:2c:a0:c4:c2:fc:
-         52:43:53:d1:46:e7:fd:3c:0a:9b:11:45:0f:09:2e:c6:93:26:
-         72:c9:20:28:7a:db:18:55:1b:15:70:1f:bc:0e:ab:18:c1:f8:
-         64:03
+         ed:1f:86:cd:a6:67:a8:48:fa:9a:c4:ad:a8:de:08:14:96:f5:
+         16:44:e3:a1:b2:d5:06:6b:bb:0e:9d:f3:59:84:84:f1:a5:0d:
+         f3:38:50:af:43:fe:91:c5:08:54:1d:2d:59:fd:1d:1b:bd:18:
+         71:97:b3:d7:ba:21:f8:90:05:4d:9e:79:13:7a:12:40:0b:3d:
+         97:00:ac:b1:fd:70:9b:e3:80:89:e6:8d:0f:07:56:15:e4:ed:
+         99:9a:8b:85:27:a1:9c:c4:f9:19:8e:f1:d3:c3:76:0a:5d:51:
+         a5:f9:2c:81:ef:76:c1:75:b9:50:96:2a:f0:65:9d:7e:aa:2f:
+         16:30:8c:e6:82:83:67:cf:2d:53:89:f8:82:f1:c6:0d:a9:77:
+         fe:3a:50:6b:34:1a:b4:f8:16:94:8b:59:4d:e1:d8:da:a9:5c:
+         06:84:6b:23:0d:d0:d5:41:5d:02:ec:5a:c2:5a:a8:41:3e:fb:
+         cf:42:76:c9:96:ed:c9:c6:16:50:5a:dc:ef:be:4c:a8:5b:f5:
+         9f:fe:31:9c:c7:55:38:ac:a1:72:3b:4b:55:92:16:40:10:86:
+         fe:40:99:ba:ee:b1:65:48:6f:34:75:bc:f0:af:c0:b6:be:81:
+         8f:0f:41:7d:ba:b7:26:e7:9f:75:55:8b:94:95:b0:ef:23:fb:
+         9b:5a:14:6b
 -----BEGIN CERTIFICATE-----
-MIICfTCCAeagAwIBAgIBCDANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIDgjCCAmqgAwIBAgIBCDANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoNF90YTExFjAUBgkqhkiG9w0BCQEWB2NoNF90
-YTEwHhcNMTMxMjEzMDAxMzM0WhcNMTYwOTA4MDAxMzM0WjB1MQswCQYDVQQGEwJV
+YTEwHhcNMTYwMTIyMDE1NzU0WhcNMTgxMDE4MDE1NzU0WjB1MQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxEjAQBgNVBAMMCWNoNS4xX3RhMTEYMBYGCSqGSIb3DQEJARYJ
-Y2g1LjFfdGExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdkYeCVnh/ZDJi
-fu5sOPKi9jS6qey7bg+Hq0akN86A8bWLmwpLKrZGm/FHwGuFf2QIYaxT1DvOVCpt
-pGXNp9ylOjO/hiv20PskgFaPT9T5lnHzhnRLRzjaGHmu2VudCZ73y7SnhTOFINMq
-/HLBN2IB1rHLSqAJwnLq/bhdA2gzfQIDAQABoyEwHzAPBgNVHRMBAf8EBTADAQH/
-MAwGA1UdEgEB/wQCMAAwDQYJKoZIhvcNAQELBQADgYEAETxrIhT2GhiLWaSNONZv
-SIoB4tOdaiZAYdObzoqruSXEicT5mB5s9RzX92rJe0i61+ADWUFNKSh9LWHFf3+M
-LzArxm4WMX1F0iqD6vwlkh/LhSgK9CygxML8UkNT0Ubn/TwKmxFFDwkuxpMmcskg
-KHrbGFUbFXAfvA6rGMH4ZAM=
+Y2g1LjFfdGExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+JmCAMFz
+aO6rPpNcuPocLZRYSqertwvVbgK1L7DhbMdvqmMtGjCjL4htIb7hNiPkIhmZOh0q
+nuymLKJcoSaWcCKABAprxj+yjM5qMuCuT0NzmtsOnrflkqAGrEigyP4WJ5YUJ2Q4
+inijIGDUm+1HFLkIa3pPutzbyRzJkt8KNwF+jh8wsPs1MkEtZck/ZbEg5+SKHeEQ
+tehXFFm9uC0r1uh/PMPifMb30wjWdQbHVjL+gI72/cUlrEnHrRvr3qpnUJKjLOUJ
+gQdEtc+bFhAp+JgFPkn85lgfk7Hdgmfla91QLw+h7Fo0g7kznWU3w6cD4SpWSD0P
+1QaIYOY+y++YJwIDAQABoyEwHzAPBgNVHRMBAf8EBTADAQH/MAwGA1UdEgEB/wQC
+MAAwDQYJKoZIhvcNAQELBQADggEBAO0fhs2mZ6hI+prErajeCBSW9RZE46Gy1QZr
+uw6d81mEhPGlDfM4UK9D/pHFCFQdLVn9HRu9GHGXs9e6IfiQBU2eeRN6EkALPZcA
+rLH9cJvjgInmjQ8HVhXk7Zmai4UnoZzE+RmO8dPDdgpdUaX5LIHvdsF1uVCWKvBl
+nX6qLxYwjOaCg2fPLVOJ+ILxxg2pd/46UGs0GrT4FpSLWU3h2NqpXAaEayMN0NVB
+XQLsWsJaqEE++89CdsmW7cnGFlBa3O++TKhb9Z/+MZzHVTisoXI7S1WSFkAQhv5A
+mbrusWVIbzR1vPCvwLa+gY8PQX26tybnn3VVi5SVsO8j+5taFGs=
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/ch5.2_ta1_cert.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/ch5.2_ta1_cert.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,28 +5,37 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch4_ta1/emailAddress=ch4_ta1
         Validity
-            Not Before: Dec 13 00:13:34 2013 GMT
-            Not After : Sep  8 00:13:34 2016 GMT
+            Not Before: Jan 22 01:57:55 2016 GMT
+            Not After : Oct 18 01:57:55 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch5.2_ta1/emailAddress=ch5.2_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:a0:b5:e8:50:6e:0b:2e:be:8a:39:95:a1:f3:8f:
-                    03:1c:da:d3:74:5c:9d:ed:34:54:5e:3f:ac:e2:91:
-                    40:50:5e:d7:e3:bc:b1:8e:a6:62:d1:0b:33:e2:59:
-                    d7:67:f1:b7:af:f9:61:37:b1:24:aa:6f:67:e0:4f:
-                    ef:5d:a2:72:42:70:41:1e:32:e5:1a:94:4f:de:60:
-                    6c:e7:e1:96:99:82:d0:35:f2:40:03:de:92:10:f3:
-                    4f:91:e8:78:24:a1:ef:92:da:7b:49:4b:57:03:80:
-                    57:d8:fc:41:60:8a:f0:e6:55:fe:67:55:5e:68:bf:
-                    fe:fd:23:2b:ab:94:cb:12:c3
+                    00:9e:9d:c2:a0:df:34:68:63:c6:f3:28:8b:68:8d:
+                    0e:9c:04:a3:31:bf:95:37:9b:00:49:81:7f:35:8d:
+                    a3:7d:4a:6c:0f:35:14:1d:2a:f9:99:eb:8b:84:6e:
+                    65:5d:b9:d9:66:c6:11:57:bf:83:49:04:f1:35:d3:
+                    75:22:30:bc:22:b1:a7:91:af:25:b9:f3:5e:6f:7b:
+                    74:c2:25:f4:a7:1a:a6:c2:88:3c:db:31:fd:42:79:
+                    53:87:10:d4:ad:bf:a7:23:55:4d:b6:9f:9c:e5:31:
+                    0f:72:d6:fc:0e:b8:2c:46:7a:4f:cf:de:61:3e:39:
+                    0e:fc:0e:fd:a4:08:05:e8:aa:c8:7c:a5:33:a9:c9:
+                    9e:ae:35:51:10:85:06:cc:c1:ae:41:d3:0f:c9:2f:
+                    8f:01:0a:6d:a2:06:bb:7c:40:96:ff:a4:cb:3f:5e:
+                    11:2f:aa:2b:59:f9:8d:d0:ff:b4:0f:3f:a5:58:f5:
+                    cf:a9:20:aa:e6:fe:f4:6b:5d:09:24:9f:26:00:18:
+                    a5:f2:9c:e8:79:de:4d:f9:fb:d1:e5:89:6b:d8:de:
+                    27:de:f8:0b:28:6f:b3:d1:2e:01:9e:e1:ba:00:0f:
+                    21:b2:43:b1:96:b0:46:d9:a3:14:08:a1:6d:1c:e7:
+                    a0:9e:84:74:45:91:a8:d9:24:14:f7:a9:3f:8f:95:
+                    cb:35
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                A4:07:01:64:2E:FC:65:F5:BC:44:82:AB:87:E5:17:5F:91:F5:8A:DD
+                29:4E:31:FF:45:35:28:B4:BE:69:AE:55:E5:CE:F3:89:B2:BF:DA:2F
             X509v3 Authority Key Identifier: 
-                keyid:54:8A:14:10:0B:AF:89:DC:1E:65:8A:17:37:6A:AC:D2:2B:6C:27:5C
+                keyid:44:81:49:A3:5B:7C:85:F2:A7:56:19:FF:64:98:AB:61:89:3E:E1:B7
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ch3_ta1/emailAddress=ch3_ta1
                 serial:04
 
@@ -35,31 +44,43 @@
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         04:21:55:e4:d4:f9:07:b1:55:dd:d3:6c:5e:17:f5:84:36:49:
-         08:3f:96:1b:79:f6:1f:c8:aa:0a:e2:64:bd:90:e1:00:89:23:
-         94:1c:d9:c8:7d:a6:5e:48:4f:e4:6a:9d:c1:2a:b9:6c:6b:ed:
-         24:14:54:9f:87:bf:a1:d3:fd:73:39:eb:c4:88:85:7e:f5:35:
-         91:3d:85:ad:9e:c5:1f:fc:f6:06:71:ce:3f:dc:12:e8:6c:a6:
-         61:07:b8:d0:78:03:de:e6:be:e9:67:59:2f:70:24:c3:54:4e:
-         b3:5c:6e:54:8e:04:c3:b6:f1:83:1b:8d:7f:e8:b7:5b:3d:b2:
-         26:fe
+         1b:01:5a:d2:0c:c2:a9:cf:84:c1:9e:42:98:bb:fc:3f:b7:b3:
+         33:c9:c1:4b:1b:5c:02:86:4b:d9:37:0e:1b:26:10:68:84:68:
+         ed:54:94:69:5d:b8:01:5d:f7:1f:d8:57:ec:e1:f3:b4:7e:81:
+         ae:71:f0:79:8a:52:60:81:55:77:c8:a7:20:1a:48:bb:cb:b4:
+         cb:26:a9:0b:1a:45:62:0c:b5:d2:0d:ec:75:8c:50:3d:2d:25:
+         6c:96:a6:6e:b0:f3:8b:27:7c:ed:ac:44:6e:5b:ef:01:49:6d:
+         b4:7a:30:26:cf:73:2a:79:91:60:1a:5e:a1:ba:50:e3:cc:93:
+         68:53:6f:8e:fe:d0:48:4a:41:db:6a:15:cc:59:dc:a5:a7:79:
+         fc:e5:f9:d1:0e:2b:f4:45:6b:2b:56:e7:69:2a:b2:a1:e2:16:
+         79:74:45:7c:ab:3a:49:40:52:1b:5b:ef:29:f9:1f:48:16:31:
+         61:aa:17:a2:6f:36:a4:49:d8:d6:c5:ff:4a:33:2e:be:cd:3e:
+         9a:38:c6:12:42:9c:1f:08:53:7a:c2:61:88:43:86:17:95:8c:
+         f2:4f:dd:b4:b3:66:fa:ef:ac:51:a4:70:f6:4c:a4:6d:70:6f:
+         dc:5a:a5:c7:da:94:4f:d6:71:2a:5b:fe:0f:f2:25:72:3d:e4:
+         62:c5:3d:87
 -----BEGIN CERTIFICATE-----
-MIIDQTCCAqqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIERjCCAy6gAwIBAgIBCjANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoNF90YTExFjAUBgkqhkiG9w0BCQEWB2NoNF90
-YTEwHhcNMTMxMjEzMDAxMzM0WhcNMTYwOTA4MDAxMzM0WjB1MQswCQYDVQQGEwJV
+YTEwHhcNMTYwMTIyMDE1NzU1WhcNMTgxMDE4MDE1NzU1WjB1MQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxEjAQBgNVBAMMCWNoNS4yX3RhMTEYMBYGCSqGSIb3DQEJARYJ
-Y2g1LjJfdGExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgtehQbgsuvoo5
-laHzjwMc2tN0XJ3tNFReP6zikUBQXtfjvLGOpmLRCzPiWddn8bev+WE3sSSqb2fg
-T+9donJCcEEeMuUalE/eYGzn4ZaZgtA18kAD3pIQ80+R6Hgkoe+S2ntJS1cDgFfY
-/EFgivDmVf5nVV5ov/79IyurlMsSwwIDAQABo4HkMIHhMB0GA1UdDgQWBBSkBwFk
-Lvxl9bxEgquH5RdfkfWK3TCBmwYDVR0jBIGTMIGQgBRUihQQC6+J3B5lihc3aqzS
-K2wnXKF1pHMwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDAS
-BgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARwa2c1MRAwDgYDVQQDDAdjaDNf
-dGExMRYwFAYJKoZIhvcNAQkBFgdjaDNfdGExggEEMBIGA1UdEwEB/wQIMAYBAf8C
-AQEwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBAAQhVeTU+QexVd3T
-bF4X9YQ2SQg/lht59h/IqgriZL2Q4QCJI5Qc2ch9pl5IT+RqncEquWxr7SQUVJ+H
-v6HT/XM568SIhX71NZE9ha2exR/89gZxzj/cEuhspmEHuNB4A97mvulnWS9wJMNU
-TrNcblSOBMO28YMbjX/ot1s9sib+
+Y2g1LjJfdGExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnp3CoN80
+aGPG8yiLaI0OnASjMb+VN5sASYF/NY2jfUpsDzUUHSr5meuLhG5lXbnZZsYRV7+D
+SQTxNdN1IjC8IrGnka8lufNeb3t0wiX0pxqmwog82zH9QnlThxDUrb+nI1VNtp+c
+5TEPctb8DrgsRnpPz95hPjkO/A79pAgF6KrIfKUzqcmerjVREIUGzMGuQdMPyS+P
+AQptoga7fECW/6TLP14RL6orWfmN0P+0Dz+lWPXPqSCq5v70a10JJJ8mABil8pzo
+ed5N+fvR5Ylr2N4n3vgLKG+z0S4BnuG6AA8hskOxlrBG2aMUCKFtHOegnoR0RZGo
+2SQU96k/j5XLNQIDAQABo4HkMIHhMB0GA1UdDgQWBBQpTjH/RTUotL5prlXlzvOJ
+sr/aLzCBmwYDVR0jBIGTMIGQgBREgUmjW3yF8qdWGf9kmKthiT7ht6F1pHMwcTEL
+MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRh
+IENsYXJhMQ0wCwYDVQQKDARwa2c1MRAwDgYDVQQDDAdjaDNfdGExMRYwFAYJKoZI
+hvcNAQkBFgdjaDNfdGExggEEMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/
+BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAbAVrSDMKpz4TBnkKYu/w/t7MzycFL
+G1wChkvZNw4bJhBohGjtVJRpXbgBXfcf2Ffs4fO0foGucfB5ilJggVV3yKcgGki7
+y7TLJqkLGkViDLXSDex1jFA9LSVslqZusPOLJ3ztrERuW+8BSW20ejAmz3MqeZFg
+Gl6hulDjzJNoU2+O/tBISkHbahXMWdylp3n85fnRDiv0RWsrVudpKrKh4hZ5dEV8
+qzpJQFIbW+8p+R9IFjFhqheibzakSdjWxf9KMy6+zT6aOMYSQpwfCFN6wmGIQ4YX
+lYzyT920s2b676xRpHD2TKRtcG/cWqXH2pRP1nEqW/4P8iVyPeRixT2H
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/ch5.3_ta1_cert.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/ch5.3_ta1_cert.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,28 +5,37 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch4.3_ta1/emailAddress=ch4.3_ta1
         Validity
-            Not Before: Dec 13 00:13:35 2013 GMT
-            Not After : Sep  8 00:13:35 2016 GMT
+            Not Before: Jan 22 01:57:55 2016 GMT
+            Not After : Oct 18 01:57:55 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch5.3_ta1/emailAddress=ch5.3_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:9a:0b:35:00:7e:06:fd:e2:50:97:7e:d2:c2:b8:
-                    20:2a:d9:bb:b8:3f:14:f9:aa:e3:98:dc:b9:49:62:
-                    32:9e:e7:51:16:ef:6b:69:59:7e:0f:c3:50:08:3d:
-                    dc:23:18:37:fa:70:cc:45:b8:47:1e:49:ef:18:15:
-                    47:8e:e6:c9:65:64:02:a8:f5:2a:d1:ef:3a:91:8f:
-                    5a:52:21:46:8f:61:87:55:c9:61:ea:e8:98:18:c5:
-                    99:1f:bd:43:02:13:a6:bf:c0:cd:d9:a5:ee:40:a3:
-                    05:bf:18:28:57:f6:4e:21:d0:89:a1:21:1c:39:ed:
-                    2d:ed:45:f0:da:75:37:da:7b
+                    00:c1:91:a3:1f:3a:14:29:24:3c:d6:fa:ad:16:b9:
+                    a4:c4:df:4a:04:c9:d6:01:16:03:54:de:36:4a:db:
+                    69:1c:b1:c0:f9:ee:64:3d:f3:63:5f:de:fd:4f:91:
+                    95:c4:86:99:07:d6:f3:3d:80:7e:5a:ef:16:84:05:
+                    d5:66:f7:ee:f8:e1:6b:d9:eb:78:1d:10:5e:85:28:
+                    6f:80:97:90:1f:cb:52:36:1d:c6:2a:30:f6:64:63:
+                    4f:3a:9f:b1:e3:36:98:92:62:df:d3:ec:6e:99:dd:
+                    37:16:e1:92:24:18:e2:53:e9:8c:38:84:50:c7:8d:
+                    3c:ae:21:b0:79:69:3b:f4:17:46:78:1b:d6:00:16:
+                    9a:46:61:e6:78:2d:75:2d:eb:d9:e0:93:c7:50:b1:
+                    43:a6:76:32:97:24:ea:98:8e:f0:08:31:9d:c7:81:
+                    be:66:65:eb:30:fd:c2:98:f8:6d:64:e6:6b:7b:19:
+                    e4:97:c3:31:20:8d:1a:f4:0c:4f:96:14:8b:64:cb:
+                    f4:75:31:3b:cd:b8:27:d5:25:3e:a3:f7:73:db:b9:
+                    ac:dd:e8:be:14:dc:2f:ca:e5:f6:f6:8d:c1:83:60:
+                    72:45:1d:e9:cd:e9:d5:a4:67:1c:df:56:3b:00:3b:
+                    fd:7a:3f:fc:78:ad:47:b0:53:ca:7d:17:57:fe:4c:
+                    de:cb
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                A5:4B:BC:BC:6C:A7:1D:7E:CB:31:E5:DF:BE:24:BE:B9:86:28:DE:68
+                E3:AC:5A:33:E4:E3:9B:18:66:7B:0F:13:2A:89:91:5E:64:42:D3:05
             X509v3 Authority Key Identifier: 
-                keyid:16:06:DB:79:36:82:5D:96:BA:FD:0F:C3:3D:E2:64:BA:E6:03:E6:3A
+                keyid:CA:50:20:B6:70:62:DE:6B:28:77:63:00:64:FE:D0:58:9E:50:16:24
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ch3_ta1/emailAddress=ch3_ta1
                 serial:0C
 
@@ -35,31 +44,43 @@
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         4b:1b:27:81:60:e8:9c:ca:e9:2b:c6:94:9e:64:d5:1a:44:18:
-         e7:fb:98:cf:a0:10:e3:ae:ad:b3:fa:a6:21:9d:be:35:46:17:
-         e6:42:3f:8c:79:81:c5:46:f4:f8:04:72:02:a5:5c:6a:1f:cf:
-         62:e1:f9:6f:3a:26:5c:7b:13:27:bd:27:e7:8d:e4:75:b0:04:
-         05:84:44:8b:cf:2c:8b:8b:44:35:c7:60:79:91:04:69:cc:35:
-         90:5b:e5:9a:71:cb:6d:65:dd:a1:09:2c:d0:35:69:cc:cf:0a:
-         62:41:8f:18:ac:9e:8f:52:4c:fa:77:14:98:45:ce:06:c5:f9:
-         5d:6a
+         1c:ac:db:1d:7e:66:ab:bd:02:09:67:5b:cf:c3:d4:2f:04:48:
+         63:3f:80:02:74:80:d9:77:a5:25:eb:c3:08:74:10:48:2d:8d:
+         b4:7b:1a:fb:66:ea:fe:bf:4d:19:7c:42:54:e2:6e:65:19:59:
+         60:3d:bf:ea:79:d3:c3:cd:3a:f7:4b:ac:31:fc:6f:40:25:2e:
+         41:eb:7b:54:36:78:f4:73:cb:7b:73:fa:d0:28:ca:65:a1:be:
+         b4:7c:c6:17:8b:d9:b1:5e:e5:ab:00:29:fc:78:bf:32:09:51:
+         41:fe:4c:ec:df:50:76:73:9e:b6:b3:9a:8a:ca:4d:0c:59:7c:
+         41:76:7b:5b:77:cd:71:74:ca:88:1a:0f:dc:20:62:be:dc:6a:
+         f9:d5:5f:26:7b:f5:6a:ed:22:9f:01:66:04:9e:45:71:37:da:
+         53:3a:4a:76:93:86:49:3b:6e:8e:87:dd:6a:28:0f:cc:fe:ce:
+         7f:1d:91:8b:20:94:8f:4a:66:5a:ab:e2:e8:1e:41:f3:d6:6e:
+         a1:4d:9c:c8:e6:57:cf:61:67:ab:bd:c7:39:f9:58:9a:18:05:
+         44:80:49:44:ff:3e:4f:ca:e3:09:1c:d3:cb:4f:7a:8b:78:72:
+         76:23:02:79:ef:70:8e:5f:f8:c2:ae:08:b0:b8:ba:84:39:37:
+         73:30:90:e8
 -----BEGIN CERTIFICATE-----
-MIIDRTCCAq6gAwIBAgIBDTANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJVUzET
+MIIESjCCAzKgAwIBAgIBDTANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEjAQBgNVBAMMCWNoNC4zX3RhMTEYMBYGCSqGSIb3DQEJARYJY2g0
-LjNfdGExMB4XDTEzMTIxMzAwMTMzNVoXDTE2MDkwODAwMTMzNVowdTELMAkGA1UE
+LjNfdGExMB4XDTE2MDEyMjAxNTc1NVoXDTE4MTAxODAxNTc1NVowdTELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJh
 MQ0wCwYDVQQKDARwa2c1MRIwEAYDVQQDDAljaDUuM190YTExGDAWBgkqhkiG9w0B
-CQEWCWNoNS4zX3RhMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmgs1AH4G
-/eJQl37SwrggKtm7uD8U+arjmNy5SWIynudRFu9raVl+D8NQCD3cIxg3+nDMRbhH
-HknvGBVHjubJZWQCqPUq0e86kY9aUiFGj2GHVclh6uiYGMWZH71DAhOmv8DN2aXu
-QKMFvxgoV/ZOIdCJoSEcOe0t7UXw2nU32nsCAwEAAaOB5DCB4TAdBgNVHQ4EFgQU
-pUu8vGynHX7LMeXfviS+uYYo3mgwgZsGA1UdIwSBkzCBkIAUFgbbeTaCXZa6/Q/D
-PeJkuuYD5jqhdaRzMHExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
-MRQwEgYDVQQHDAtTYW50YSBDbGFyYTENMAsGA1UECgwEcGtnNTEQMA4GA1UEAwwH
-Y2gzX3RhMTEWMBQGCSqGSIb3DQEJARYHY2gzX3RhMYIBDDASBgNVHRMBAf8ECDAG
-AQH/AgEAMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOBgQBLGyeBYOic
-yukrxpSeZNUaRBjn+5jPoBDjrq2z+qYhnb41RhfmQj+MeYHFRvT4BHICpVxqH89i
-4flvOiZcexMnvSfnjeR1sAQFhESLzyyLi0Q1x2B5kQRpzDWQW+WaccttZd2hCSzQ
-NWnMzwpiQY8YrJ6PUkz6dxSYRc4Gxfldag==
+CQEWCWNoNS4zX3RhMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMGR
+ox86FCkkPNb6rRa5pMTfSgTJ1gEWA1TeNkrbaRyxwPnuZD3zY1/e/U+RlcSGmQfW
+8z2AflrvFoQF1Wb37vjha9nreB0QXoUob4CXkB/LUjYdxiow9mRjTzqfseM2mJJi
+39PsbpndNxbhkiQY4lPpjDiEUMeNPK4hsHlpO/QXRngb1gAWmkZh5ngtdS3r2eCT
+x1CxQ6Z2Mpck6piO8AgxnceBvmZl6zD9wpj4bWTma3sZ5JfDMSCNGvQMT5YUi2TL
+9HUxO824J9UlPqP3c9u5rN3ovhTcL8rl9vaNwYNgckUd6c3p1aRnHN9WOwA7/Xo/
+/HitR7BTyn0XV/5M3ssCAwEAAaOB5DCB4TAdBgNVHQ4EFgQU46xaM+Tjmxhmew8T
+KomRXmRC0wUwgZsGA1UdIwSBkzCBkIAUylAgtnBi3msod2MAZP7QWJ5QFiShdaRz
+MHExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQHDAtT
+YW50YSBDbGFyYTENMAsGA1UECgwEcGtnNTEQMA4GA1UEAwwHY2gzX3RhMTEWMBQG
+CSqGSIb3DQEJARYHY2gzX3RhMYIBDDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1Ud
+DwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAHKzbHX5mq70CCWdbz8PULwRI
+Yz+AAnSA2XelJevDCHQQSC2NtHsa+2bq/r9NGXxCVOJuZRlZYD2/6nnTw80690us
+MfxvQCUuQet7VDZ49HPLe3P60CjKZaG+tHzGF4vZsV7lqwAp/Hi/MglRQf5M7N9Q
+dnOetrOaispNDFl8QXZ7W3fNcXTKiBoP3CBivtxq+dVfJnv1au0inwFmBJ5FcTfa
+UzpKdpOGSTtujofdaigPzP7Ofx2RiyCUj0pmWqvi6B5B89ZuoU2cyOZXz2Fnq73H
+OflYmhgFRIBJRP8+T8rjCRzTy096i3hydiMCee9wjl/4wq4IsLi6hDk3czCQ6A==
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/chain_certs/ch5_ta1_cert.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/chain_certs/ch5_ta1_cert.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,28 +5,37 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch4_ta1/emailAddress=ch4_ta1
         Validity
-            Not Before: Dec 13 00:13:34 2013 GMT
-            Not After : Sep  8 00:13:34 2016 GMT
+            Not Before: Jan 22 01:57:54 2016 GMT
+            Not After : Oct 18 01:57:54 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch5_ta1/emailAddress=ch5_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:df:c0:ed:cc:df:82:ab:d3:9b:54:8d:56:f7:0d:
-                    e4:d8:b4:ba:03:ef:a3:82:f6:b6:e6:4d:0f:b4:e5:
-                    61:98:88:bd:32:b3:47:21:4b:2c:e8:c3:9a:22:9c:
-                    35:63:a8:4f:2a:c1:47:1a:3a:b2:46:d6:61:4e:87:
-                    2a:13:3a:d8:35:3e:3c:ae:67:43:b8:3d:a9:95:df:
-                    7b:ba:e9:71:ec:31:99:b3:fa:00:96:8c:80:4b:1d:
-                    d9:77:e5:d2:14:9d:95:a2:ce:32:21:d5:2e:67:ae:
-                    b1:08:04:fb:9d:fb:70:16:74:5f:1a:d1:36:77:e8:
-                    4b:68:c3:d8:d4:fb:18:20:31
+                    00:a8:92:25:84:36:2c:16:5b:7e:99:d4:a8:ac:bf:
+                    2b:63:99:2c:65:69:ec:f3:13:3f:fb:b3:c9:33:0c:
+                    43:1a:e9:04:a3:8c:27:5e:e5:f8:47:a5:4d:5f:39:
+                    2f:9b:b9:5f:3e:2e:9c:18:8b:16:d4:4c:0c:f7:02:
+                    35:37:a1:81:c6:d1:0d:43:eb:7d:1c:e4:d4:81:73:
+                    58:fc:b2:94:a2:4e:04:a5:bb:b2:f4:64:d0:c6:54:
+                    91:71:33:45:8e:22:a4:f2:35:1e:b3:69:e4:fc:5e:
+                    a9:5b:7a:8c:7c:6a:e2:7b:2d:d0:ad:d8:d1:76:47:
+                    c6:99:a6:2e:8d:1b:56:f8:8c:f7:04:2f:99:c5:3d:
+                    81:67:cc:73:ec:c1:d6:97:41:73:04:1c:8b:45:eb:
+                    60:f9:60:d6:11:f6:c6:5c:19:5d:d2:18:a8:2e:53:
+                    78:33:46:3b:5c:43:b0:54:7d:e4:57:5a:36:08:84:
+                    50:a5:c0:1e:1d:21:11:6d:63:c4:df:fc:ee:0f:a8:
+                    8f:ca:7c:2a:5c:0a:2d:ad:17:64:c8:5d:e2:9b:e1:
+                    d4:57:a3:8e:0f:1d:4f:60:1e:79:bf:9f:39:94:6a:
+                    73:e6:19:0d:ef:74:c2:a3:fc:85:a2:03:a4:99:13:
+                    9e:85:5e:f3:8c:31:f1:7d:91:50:98:6f:18:ec:fc:
+                    98:2f
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                B7:43:D6:5A:46:C2:2F:15:50:05:D5:FB:5E:BE:EC:F8:33:9E:EC:EC
+                64:B3:47:B8:70:CE:F3:CD:0F:95:A6:B0:0F:5F:D5:66:E1:1B:30:E7
             X509v3 Authority Key Identifier: 
-                keyid:54:8A:14:10:0B:AF:89:DC:1E:65:8A:17:37:6A:AC:D2:2B:6C:27:5C
+                keyid:44:81:49:A3:5B:7C:85:F2:A7:56:19:FF:64:98:AB:61:89:3E:E1:B7
                 DirName:/C=US/ST=California/L=Santa Clara/O=pkg5/CN=ch3_ta1/emailAddress=ch3_ta1
                 serial:04
 
@@ -35,31 +44,43 @@
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         96:fb:63:43:cf:70:0a:14:7b:47:4e:37:4b:2f:7c:7f:8c:75:
-         85:bb:e3:44:af:9c:2c:08:c5:9c:4d:c7:59:f1:70:3a:67:82:
-         1c:4c:3c:f7:8b:e7:00:f0:05:db:af:29:79:53:6f:09:a2:ac:
-         ae:4d:e2:df:4a:7d:4e:56:79:8c:85:97:47:14:4e:2f:7e:bd:
-         07:2c:70:01:85:43:3c:18:32:ed:24:36:24:1c:29:e0:0b:ce:
-         86:4d:a7:a9:88:b8:de:f1:0e:a3:13:c1:5c:d7:1b:76:81:c2:
-         3f:63:c3:76:1d:60:f7:e5:43:1f:25:3b:ae:d2:a5:1f:02:fa:
-         8c:a3
+         b6:f5:d5:78:23:16:4f:ca:8f:3a:a7:fd:a8:91:2a:c5:3e:e2:
+         bf:32:ca:b3:38:6b:2f:64:9c:1d:99:d8:d2:b5:a8:2c:a4:db:
+         8e:9d:31:5c:40:b9:05:32:a0:1c:b6:21:72:46:69:d1:eb:49:
+         50:20:f9:e8:95:6f:e7:91:34:f9:e1:bb:3f:e7:b6:a4:f9:d3:
+         12:36:3a:40:c6:76:35:a5:c9:b7:71:70:50:55:19:b4:ff:51:
+         ef:40:3e:41:4f:f3:1a:70:f5:fd:3b:0a:4d:d9:43:a6:57:e4:
+         42:9c:77:3d:26:7a:c2:e2:54:7f:76:6f:fd:af:52:31:29:07:
+         ac:ae:78:4c:76:d9:f9:80:b5:4c:79:60:a0:e9:59:5f:bf:fe:
+         cd:6a:fe:ee:92:ca:79:0e:5c:e6:1d:8f:59:a9:62:51:a1:2e:
+         d9:b2:37:fa:e1:ef:7c:88:b5:29:d2:5f:13:74:76:ef:ed:fe:
+         7f:e9:81:5d:9c:62:91:8f:21:ef:45:95:7c:12:a6:d5:46:45:
+         8e:9e:d1:a8:9a:aa:a8:5e:fd:65:55:d2:f9:08:d0:3c:66:f9:
+         69:ee:c1:0f:a9:15:06:a9:8e:ac:e0:08:06:13:0c:7e:9c:81:
+         94:60:1b:ad:3a:7d:3e:ed:b4:79:d2:51:0c:80:8c:42:69:fe:
+         f3:99:56:1c
 -----BEGIN CERTIFICATE-----
-MIIDPTCCAqagAwIBAgIBBTANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIEQjCCAyqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoNF90YTExFjAUBgkqhkiG9w0BCQEWB2NoNF90
-YTEwHhcNMTMxMjEzMDAxMzM0WhcNMTYwOTA4MDAxMzM0WjBxMQswCQYDVQQGEwJV
+YTEwHhcNMTYwMTIyMDE1NzU0WhcNMTgxMDE4MDE1NzU0WjBxMQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxEDAOBgNVBAMMB2NoNV90YTExFjAUBgkqhkiG9w0BCQEWB2No
-NV90YTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN/A7czfgqvTm1SNVvcN
-5Ni0ugPvo4L2tuZND7TlYZiIvTKzRyFLLOjDmiKcNWOoTyrBRxo6skbWYU6HKhM6
-2DU+PK5nQ7g9qZXfe7rpcewxmbP6AJaMgEsd2Xfl0hSdlaLOMiHVLmeusQgE+537
-cBZ0XxrRNnfoS2jD2NT7GCAxAgMBAAGjgeQwgeEwHQYDVR0OBBYEFLdD1lpGwi8V
-UAXV+16+7PgznuzsMIGbBgNVHSMEgZMwgZCAFFSKFBALr4ncHmWKFzdqrNIrbCdc
-oXWkczBxMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UE
-BwwLU2FudGEgQ2xhcmExDTALBgNVBAoMBHBrZzUxEDAOBgNVBAMMB2NoM190YTEx
-FjAUBgkqhkiG9w0BCQEWB2NoM190YTGCAQQwEgYDVR0TAQH/BAgwBgEB/wIBADAO
-BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAlvtjQ89wChR7R043Sy98
-f4x1hbvjRK+cLAjFnE3HWfFwOmeCHEw894vnAPAF268peVNvCaKsrk3i30p9TlZ5
-jIWXRxROL369ByxwAYVDPBgy7SQ2JBwp4AvOhk2nqYi43vEOoxPBXNcbdoHCP2PD
-dh1g9+VDHyU7rtKlHwL6jKM=
+NV90YTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCokiWENiwWW36Z
+1KisvytjmSxlaezzEz/7s8kzDEMa6QSjjCde5fhHpU1fOS+buV8+LpwYixbUTAz3
+AjU3oYHG0Q1D630c5NSBc1j8spSiTgSlu7L0ZNDGVJFxM0WOIqTyNR6zaeT8Xqlb
+eox8auJ7LdCt2NF2R8aZpi6NG1b4jPcEL5nFPYFnzHPswdaXQXMEHItF62D5YNYR
+9sZcGV3SGKguU3gzRjtcQ7BUfeRXWjYIhFClwB4dIRFtY8Tf/O4PqI/KfCpcCi2t
+F2TIXeKb4dRXo44PHU9gHnm/nzmUanPmGQ3vdMKj/IWiA6SZE56FXvOMMfF9kVCY
+bxjs/JgvAgMBAAGjgeQwgeEwHQYDVR0OBBYEFGSzR7hwzvPND5WmsA9f1WbhGzDn
+MIGbBgNVHSMEgZMwgZCAFESBSaNbfIXyp1YZ/2SYq2GJPuG3oXWkczBxMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xh
+cmExDTALBgNVBAoMBHBrZzUxEDAOBgNVBAMMB2NoM190YTExFjAUBgkqhkiG9w0B
+CQEWB2NoM190YTGCAQQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMC
+AQYwDQYJKoZIhvcNAQELBQADggEBALb11XgjFk/Kjzqn/aiRKsU+4r8yyrM4ay9k
+nB2Z2NK1qCyk246dMVxAuQUyoBy2IXJGadHrSVAg+eiVb+eRNPnhuz/ntqT50xI2
+OkDGdjWlybdxcFBVGbT/Ue9APkFP8xpw9f07Ck3ZQ6ZX5EKcdz0mesLiVH92b/2v
+UjEpB6yueEx22fmAtUx5YKDpWV+//s1q/u6SynkOXOYdj1mpYlGhLtmyN/rh73yI
+tSnSXxN0du/t/n/pgV2cYpGPIe9FlXwSptVGRY6e0aiaqqhe/WVV0vkI0Dxm+Wnu
+wQ+pFQapjqzgCAYTDH6cgZRgG606fT7ttHnSUQyAjEJp/vOZVhw=
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/code_signing_certs/06.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/code_signing_certs/06.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,22 +5,22 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch5_ta1/emailAddress=ch5_ta1
         Validity
-            Not Before: Dec 13 00:13:34 2013 GMT
-            Not After : Sep  8 00:13:34 2016 GMT
+            Not Before: Jan 22 01:57:54 2016 GMT
+            Not After : Oct 18 01:57:54 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=cs1_ch5_ta1/emailAddress=cs1_ch5_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:ba:a7:a1:60:33:eb:59:84:e6:2f:b0:30:38:b8:
-                    49:97:86:3b:82:4e:51:6a:28:bf:2a:6d:d3:46:77:
-                    67:ec:10:70:69:22:7f:e1:5d:7a:45:b5:81:2b:d2:
-                    ea:7d:41:5c:e2:4d:e8:2d:06:89:1c:4c:17:aa:3c:
-                    f5:2f:32:12:04:80:69:52:80:4a:ce:a1:4f:dc:76:
-                    a1:5a:d2:53:43:8f:7c:fb:82:eb:96:06:cd:05:89:
-                    74:34:7d:99:62:bc:09:67:e9:27:80:5b:78:65:05:
-                    57:c8:b6:b4:b7:83:5a:46:b2:80:6c:3f:05:3c:c6:
-                    49:2d:75:7c:48:2e:22:35:b7
+                    00:cf:e4:e6:a1:10:93:8b:7b:2a:9e:01:bb:ce:24:
+                    a4:42:74:51:7d:d9:c2:f5:4b:5c:9b:5b:c0:4c:a2:
+                    e2:e2:bf:9f:64:24:e9:bd:22:56:62:3b:f1:f2:49:
+                    c0:91:63:0a:48:a6:68:cb:36:b9:b1:9c:57:b1:5e:
+                    12:80:f8:26:c3:6e:c8:74:39:4a:23:39:bc:47:63:
+                    e5:ab:18:b7:22:be:d7:5c:00:f5:a6:ec:0d:fb:0d:
+                    cb:bd:fd:ae:b0:f2:e1:4c:c7:33:3b:50:1c:01:86:
+                    e7:1d:34:5e:d8:72:19:c5:87:78:06:f2:f5:af:d7:
+                    93:33:12:3a:4a:8a:4b:43:23
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
@@ -28,27 +28,37 @@
             X509v3 Key Usage: critical
                 Digital Signature
     Signature Algorithm: sha256WithRSAEncryption
-         c2:d0:56:dd:4a:bb:8f:f9:de:49:4c:0c:41:af:29:73:07:f5:
-         da:44:4a:aa:0b:9c:80:33:56:cc:eb:c5:58:14:f9:c2:c9:cc:
-         93:2f:75:eb:6c:fd:b8:79:de:0d:35:db:46:8b:a6:d7:0b:59:
-         3d:35:c9:ac:68:76:63:85:bd:b1:03:21:c7:53:a5:f5:22:9f:
-         f0:c2:23:7e:de:32:6f:4a:7b:d8:d5:2d:b1:ee:db:ad:5a:f9:
-         35:46:55:11:5a:bb:6b:53:21:1d:ea:c4:4d:16:5c:01:f5:af:
-         91:47:bb:16:c1:9b:71:4e:5b:52:b5:ea:f9:d8:7a:53:c0:ef:
-         e7:f4
+         7a:3f:1c:dd:05:05:04:00:12:66:28:10:1f:df:70:2b:5a:31:
+         1e:a4:c7:59:59:45:45:0e:f7:1e:99:2f:a2:fe:c5:a9:93:c6:
+         a8:a1:2b:b2:1d:56:a8:47:87:e7:46:25:f9:4c:bf:c2:65:cf:
+         62:d9:e9:cc:91:11:98:43:81:e1:45:de:49:03:06:d0:b3:60:
+         5a:d7:07:06:2e:fa:7b:32:24:b0:b2:6a:49:b1:aa:86:75:cf:
+         9a:91:d7:b2:8b:ce:7a:22:6c:18:d7:87:51:2b:1d:86:fb:28:
+         d4:64:37:59:68:70:73:07:8b:61:b9:74:fc:1a:cc:16:4b:5a:
+         e8:98:7e:f7:0a:d7:6c:28:7a:06:3e:9f:55:d7:19:d9:03:b4:
+         f2:a5:60:b0:34:c1:53:7b:0d:1c:fa:1c:80:7b:f1:9d:fd:38:
+         33:2b:c9:cc:ec:b8:73:24:db:22:81:34:f5:e7:ca:73:eb:e2:
+         ed:16:52:87:cc:92:e4:25:cb:19:9c:3f:2d:ec:2d:63:9d:24:
+         35:0e:09:eb:9e:eb:22:10:df:98:b4:62:2f:3e:bd:d2:0d:7f:
+         a4:d6:19:f2:80:64:7e:bf:e5:33:70:b1:d7:22:5e:b6:b2:f5:
+         33:3a:3a:b6:e7:e4:c0:03:5e:b0:2f:1b:5b:fc:6b:37:d0:68:
+         13:9d:ca:6f
 -----BEGIN CERTIFICATE-----
-MIICgDCCAemgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIDATCCAemgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoNV90YTExFjAUBgkqhkiG9w0BCQEWB2NoNV90
-YTEwHhcNMTMxMjEzMDAxMzM0WhcNMTYwOTA4MDAxMzM0WjB5MQswCQYDVQQGEwJV
+YTEwHhcNMTYwMTIyMDE1NzU0WhcNMTgxMDE4MDE1NzU0WjB5MQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxFDASBgNVBAMMC2NzMV9jaDVfdGExMRowGAYJKoZIhvcNAQkB
-FgtjczFfY2g1X3RhMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuqehYDPr
-WYTmL7AwOLhJl4Y7gk5Raii/Km3TRndn7BBwaSJ/4V16RbWBK9LqfUFc4k3oLQaJ
-HEwXqjz1LzISBIBpUoBKzqFP3HahWtJTQ498+4LrlgbNBYl0NH2ZYrwJZ+kngFt4
-ZQVXyLa0t4NaRrKAbD8FPMZJLXV8SC4iNbcCAwEAAaMgMB4wDAYDVR0TAQH/BAIw
-ADAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADgYEAwtBW3Uq7j/neSUwM
-Qa8pcwf12kRKqgucgDNWzOvFWBT5wsnMky9162z9uHneDTXbRoum1wtZPTXJrGh2
-Y4W9sQMhx1Ol9SKf8MIjft4yb0p72NUtse7brVr5NUZVEVq7a1MhHerETRZcAfWv
-kUe7FsGbcU5bUrXq+dh6U8Dv5/Q=
+FgtjczFfY2g1X3RhMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAz+TmoRCT
+i3sqngG7ziSkQnRRfdnC9Utcm1vATKLi4r+fZCTpvSJWYjvx8knAkWMKSKZoyza5
+sZxXsV4SgPgmw27IdDlKIzm8R2Plqxi3Ir7XXAD1puwN+w3Lvf2usPLhTMczO1Ac
+AYbnHTRe2HIZxYd4BvL1r9eTMxI6SopLQyMCAwEAAaMgMB4wDAYDVR0TAQH/BAIw
+ADAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAHo/HN0FBQQAEmYo
+EB/fcCtaMR6kx1lZRUUO9x6ZL6L+xamTxqihK7IdVqhHh+dGJflMv8Jlz2LZ6cyR
+EZhDgeFF3kkDBtCzYFrXBwYu+nsyJLCyakmxqoZ1z5qR17KLznoibBjXh1ErHYb7
+KNRkN1locHMHi2G5dPwazBZLWuiYfvcK12woegY+n1XXGdkDtPKlYLA0wVN7DRz6
+HIB78Z39ODMryczsuHMk2yKBNPXnynPr4u0WUofMkuQlyxmcPy3sLWOdJDUOCeue
+6yIQ35i0Yi8+vdINf6TWGfKAZH6/5TNwsdciXray9TM6Orbn5MADXrAvG1v8azfQ
+aBOdym8=
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/code_signing_certs/07.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/code_signing_certs/07.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,22 +5,22 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch5_ta1/emailAddress=ch5_ta1
         Validity
-            Not Before: Dec 13 00:13:34 2013 GMT
-            Not After : Sep  8 00:13:34 2016 GMT
+            Not Before: Jan 22 01:57:54 2016 GMT
+            Not After : Oct 18 01:57:54 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=cs2_ch5_ta1/emailAddress=cs2_ch5_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:cc:51:a3:86:48:a6:81:11:01:ba:be:40:6d:dc:
-                    f7:b6:0a:f8:9a:11:71:ea:09:42:3a:ed:ee:4e:0f:
-                    87:10:99:6f:c8:ef:41:bd:f6:d0:17:a7:db:7b:fe:
-                    51:dd:de:3a:f2:3b:d7:de:7d:96:71:4e:7f:4e:d0:
-                    cf:dd:3b:d8:6b:ce:ca:83:3a:7d:6e:65:cd:b5:fb:
-                    4b:32:9a:e6:20:f8:ed:8e:4c:99:f4:02:de:c5:d4:
-                    3b:6e:35:a8:3c:b4:9f:3f:5e:3b:85:33:4a:4d:b3:
-                    35:a3:d0:76:78:74:d2:72:99:9e:c1:69:1f:d1:8f:
-                    2a:11:eb:35:32:7b:ba:8f:99
+                    00:d3:d4:82:0b:9b:af:f0:23:6b:b4:ad:ca:d8:b1:
+                    56:19:16:d9:49:67:f7:e5:cc:c1:d4:68:6a:75:30:
+                    f5:3f:02:02:31:3f:65:da:c3:f4:89:f1:d7:b8:17:
+                    39:d0:5f:83:a1:08:07:bf:61:42:96:e6:c8:a7:06:
+                    e8:22:cb:61:b3:73:87:6d:c6:f0:b6:1c:12:f7:7b:
+                    d2:4f:2f:25:03:ef:27:50:c2:15:b9:5c:36:c2:43:
+                    80:74:95:c6:be:9c:3e:83:72:11:d7:6a:1c:ea:71:
+                    32:b8:13:d2:75:3c:9b:df:f8:59:5c:1e:a6:c8:51:
+                    8b:87:e7:c7:3b:0e:d1:65:15
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
@@ -31,28 +31,38 @@
                   URI:http://localhost:12001/file/0/ch5_ta1_crl.pem
 
     Signature Algorithm: sha256WithRSAEncryption
-         2c:76:2d:19:cd:d6:f0:88:16:6c:99:6c:19:1b:5e:d3:ca:b1:
-         6d:3c:f1:5b:2c:3b:52:cd:7f:f5:1b:4f:e0:49:9e:48:5c:5e:
-         16:55:57:a3:0d:c6:eb:f5:a7:13:8d:57:c4:ff:df:3d:66:00:
-         a3:b9:18:c3:19:5c:ba:1c:ae:83:bd:90:a6:c8:6e:5a:c6:b5:
-         51:b5:33:69:59:7a:5a:00:24:61:02:41:c5:c2:ff:cc:12:a1:
-         d7:d4:d5:29:b9:22:94:e0:5c:5c:29:ec:82:ba:ff:1a:40:50:
-         88:58:98:a8:b3:2b:86:3c:a2:21:8b:b4:b2:fc:3a:b0:c7:f1:
-         03:e8
+         58:fb:c7:b9:31:27:7a:ac:c0:0d:82:11:6f:d9:8f:7c:0f:90:
+         b6:2b:13:bb:77:52:95:45:61:51:07:02:32:c6:01:19:15:47:
+         43:60:99:e8:49:1b:10:e3:ee:d3:4f:45:4a:86:2e:74:53:cb:
+         01:bb:7e:bf:7c:f2:b6:a3:d7:b0:5c:3c:56:fc:ea:01:ae:28:
+         7a:3c:68:01:b1:10:de:af:08:76:1c:46:78:62:40:44:5f:25:
+         17:c4:f9:ac:7b:d7:21:ea:86:f9:b1:0c:1b:97:1b:fe:9b:12:
+         b3:75:50:95:ca:8f:c4:07:a0:13:a0:f5:b5:7e:00:05:43:5d:
+         72:e5:aa:57:80:49:b7:cc:3f:5c:d1:5b:87:8e:58:5e:35:12:
+         10:60:e1:1b:69:fd:50:21:fc:29:00:01:3b:b0:64:43:eb:62:
+         02:56:e9:26:37:28:70:52:18:43:b9:49:e3:6e:bb:d6:3b:f5:
+         9c:2c:d7:e9:ab:d4:a9:1a:e7:af:35:a4:d6:d9:be:60:eb:80:
+         8d:bc:b8:63:5a:44:0b:0f:6a:5b:b4:04:5a:24:cd:0e:c3:b7:
+         45:03:fd:62:d1:0d:b8:d1:2c:76:67:a8:00:22:20:55:29:d2:
+         77:4f:36:af:81:60:24:22:8d:de:e4:b8:e4:e3:d0:44:52:39:
+         fa:33:98:b7
 -----BEGIN CERTIFICATE-----
-MIICsDCCAhmgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIDMTCCAhmgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoNV90YTExFjAUBgkqhkiG9w0BCQEWB2NoNV90
-YTEwHhcNMTMxMjEzMDAxMzM0WhcNMTYwOTA4MDAxMzM0WjB5MQswCQYDVQQGEwJV
+YTEwHhcNMTYwMTIyMDE1NzU0WhcNMTgxMDE4MDE1NzU0WjB5MQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxFDASBgNVBAMMC2NzMl9jaDVfdGExMRowGAYJKoZIhvcNAQkB
-FgtjczJfY2g1X3RhMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzFGjhkim
-gREBur5Abdz3tgr4mhFx6glCOu3uTg+HEJlvyO9BvfbQF6fbe/5R3d468jvX3n2W
-cU5/TtDP3TvYa87Kgzp9bmXNtftLMprmIPjtjkyZ9ALexdQ7bjWoPLSfP147hTNK
-TbM1o9B2eHTScpmewWkf0Y8qEes1Mnu6j5kCAwEAAaNQME4wDAYDVR0TAQH/BAIw
+FgtjczJfY2g1X3RhMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA09SCC5uv
+8CNrtK3K2LFWGRbZSWf35czB1GhqdTD1PwICMT9l2sP0ifHXuBc50F+DoQgHv2FC
+lubIpwboIsths3OHbcbwthwS93vSTy8lA+8nUMIVuVw2wkOAdJXGvpw+g3IR12oc
+6nEyuBPSdTyb3/hZXB6myFGLh+fHOw7RZRUCAwEAAaNQME4wDAYDVR0TAQH/BAIw
 ADA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vbG9jYWxob3N0OjEyMDAxL2ZpbGUv
-MC9jaDVfdGExX2NybC5wZW0wDQYJKoZIhvcNAQELBQADgYEALHYtGc3W8IgWbJls
-GRte08qxbTzxWyw7Us1/9RtP4EmeSFxeFlVXow3G6/WnE41XxP/fPWYAo7kYwxlc
-uhyug72QpshuWsa1UbUzaVl6WgAkYQJBxcL/zBKh19TVKbkilOBcXCnsgrr/GkBQ
-iFiYqLMrhjyiIYu0svw6sMfxA+g=
+MC9jaDVfdGExX2NybC5wZW0wDQYJKoZIhvcNAQELBQADggEBAFj7x7kxJ3qswA2C
+EW/Zj3wPkLYrE7t3UpVFYVEHAjLGARkVR0NgmehJGxDj7tNPRUqGLnRTywG7fr98
+8raj17BcPFb86gGuKHo8aAGxEN6vCHYcRnhiQERfJRfE+ax71yHqhvmxDBuXG/6b
+ErN1UJXKj8QHoBOg9bV+AAVDXXLlqleASbfMP1zRW4eOWF41EhBg4Rtp/VAh/CkA
+ATuwZEPrYgJW6SY3KHBSGEO5SeNuu9Y79Zws1+mr1Kka5681pNbZvmDrgI28uGNa
+RAsPalu0BFokzQ7Dt0UD/WLRDbjRLHZnqAAiIFUp0ndPNq+BYCQijd7kuOTj0ERS
+OfozmLc=
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/code_signing_certs/09.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/code_signing_certs/09.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,22 +5,22 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch5.1_ta1/emailAddress=ch5.1_ta1
         Validity
-            Not Before: Dec 13 00:13:34 2013 GMT
-            Not After : Sep  8 00:13:34 2016 GMT
+            Not Before: Jan 22 01:57:55 2016 GMT
+            Not After : Oct 18 01:57:55 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=cs1_ch5.1_ta1/emailAddress=cs1_ch5.1_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:d5:b5:6f:9a:de:79:48:1e:9e:7c:61:b5:05:3f:
-                    f1:ef:a2:74:ac:83:92:f7:fa:6f:bc:ea:bf:7d:ac:
-                    d8:c9:ef:a3:50:01:2c:db:17:7c:68:6c:34:04:77:
-                    89:f6:77:db:63:08:2b:e7:59:6a:7a:d9:13:ef:d0:
-                    b1:1c:13:e0:3a:ee:0f:b6:e9:74:98:ce:30:25:dd:
-                    57:05:ed:55:f8:d2:5e:7a:c9:37:9d:29:87:a4:c8:
-                    55:f2:e7:a4:d8:cf:19:ee:af:d9:0d:35:e7:67:ae:
-                    87:70:f6:d2:98:1d:62:c6:aa:b6:ed:d0:50:77:79:
-                    ad:2e:5f:ef:a7:22:81:b3:2f
+                    00:a6:e7:4d:9e:5e:83:9a:ff:3d:49:f8:2f:68:50:
+                    a6:fb:5b:cd:53:53:02:25:34:3b:5c:26:f5:68:b4:
+                    c6:97:3c:69:1c:d6:b1:42:67:61:68:ad:f9:17:5e:
+                    4b:28:24:54:9d:de:05:9b:97:e1:22:d4:dc:cf:63:
+                    29:f6:0d:40:f4:de:7c:1a:81:e3:37:d8:26:ac:74:
+                    94:cc:a7:cb:e8:83:74:b7:23:9d:9f:2c:08:01:52:
+                    12:a1:99:79:df:a7:a5:00:c8:01:8e:d2:46:26:40:
+                    1f:79:0d:92:2d:c9:49:8e:26:17:59:34:3c:80:92:
+                    1b:43:80:96:89:a2:94:d0:81
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
@@ -28,27 +28,37 @@
             X509v3 Key Usage: critical
                 Digital Signature
     Signature Algorithm: sha256WithRSAEncryption
-         75:2d:87:c6:b6:d7:5c:e7:bd:77:6f:d7:63:e4:f4:04:d1:df:
-         37:6f:80:99:9d:fe:b3:81:30:b4:1d:0b:3b:c7:f6:6c:15:a5:
-         ad:c2:2e:dc:5a:87:88:e0:b0:c9:81:99:33:c3:6a:f1:8d:4b:
-         8f:8c:cd:99:d4:ff:86:fe:3e:6e:b1:00:f0:15:16:d7:01:16:
-         13:8e:0e:31:35:ca:00:3c:88:7e:ca:8f:e3:32:6e:74:02:35:
-         66:3a:db:c8:83:37:b7:8c:7b:ba:bf:0d:aa:b8:d4:d8:28:03:
-         f5:f7:6f:c9:aa:d0:3c:03:cf:3d:da:aa:ae:1a:04:c6:7e:58:
-         ff:fe
+         2e:6c:ea:2c:69:5e:54:16:4f:ad:8c:48:af:e0:60:0d:4f:2d:
+         9f:4c:4e:07:b1:90:1e:5c:48:da:3e:5c:f9:e9:c4:79:97:57:
+         45:c3:e4:27:70:c4:d5:ea:ea:db:cc:c7:5e:62:d5:0c:b6:2e:
+         68:88:df:de:ab:a8:08:73:75:c6:4c:72:d9:ef:3b:f8:2c:5c:
+         e9:8d:71:b4:82:5f:51:26:f5:b6:5e:5d:5d:18:ba:5b:ec:51:
+         b0:d2:2d:f6:f5:cc:9b:a2:62:67:77:0c:cc:9a:a8:b9:87:c9:
+         5b:85:bb:dd:1c:30:a9:03:77:6b:c8:ec:74:31:56:f0:eb:dd:
+         e9:b8:de:3b:79:22:34:e4:3c:1a:13:33:0e:3a:b3:ee:7c:b9:
+         5c:ba:a4:51:a4:a3:b1:1f:b7:f1:71:b2:1a:60:66:c1:70:9c:
+         cb:fc:36:03:eb:bc:cf:13:99:e8:41:92:ba:4b:91:55:51:e8:
+         8d:0e:28:40:17:e7:aa:07:ae:b0:ab:22:86:ee:7d:5f:0a:37:
+         f3:cf:9e:d7:b0:f9:11:80:ee:0c:3e:00:7d:1f:0e:19:0f:b0:
+         6e:af:08:20:b8:98:99:a0:5f:38:b0:6b:fd:f9:a0:ba:09:07:
+         15:cd:19:d0:6c:53:c1:b1:6c:5e:06:10:e4:e7:f6:f9:fa:44:
+         92:e8:da:3b
 -----BEGIN CERTIFICATE-----
-MIICiDCCAfGgAwIBAgIBCTANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJVUzET
+MIIDCTCCAfGgAwIBAgIBCTANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEjAQBgNVBAMMCWNoNS4xX3RhMTEYMBYGCSqGSIb3DQEJARYJY2g1
-LjFfdGExMB4XDTEzMTIxMzAwMTMzNFoXDTE2MDkwODAwMTMzNFowfTELMAkGA1UE
+LjFfdGExMB4XDTE2MDEyMjAxNTc1NVoXDTE4MTAxODAxNTc1NVowfTELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJh
 MQ0wCwYDVQQKDARwa2c1MRYwFAYDVQQDDA1jczFfY2g1LjFfdGExMRwwGgYJKoZI
 hvcNAQkBFg1jczFfY2g1LjFfdGExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
-gQDVtW+a3nlIHp58YbUFP/HvonSsg5L3+m+86r99rNjJ76NQASzbF3xobDQEd4n2
-d9tjCCvnWWp62RPv0LEcE+A67g+26XSYzjAl3VcF7VX40l56yTedKYekyFXy56TY
-zxnur9kNNednrodw9tKYHWLGqrbt0FB3ea0uX++nIoGzLwIDAQABoyAwHjAMBgNV
-HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOBgQB1LYfG
-ttdc5713b9dj5PQE0d83b4CZnf6zgTC0HQs7x/ZsFaWtwi7cWoeI4LDJgZkzw2rx
-jUuPjM2Z1P+G/j5usQDwFRbXARYTjg4xNcoAPIh+yo/jMm50AjVmOtvIgze3jHu6
-vw2quNTYKAP192/JqtA8A8892qquGgTGflj//g==
+gQCm502eXoOa/z1J+C9oUKb7W81TUwIlNDtcJvVotMaXPGkc1rFCZ2ForfkXXkso
+JFSd3gWbl+Ei1NzPYyn2DUD03nwageM32CasdJTMp8vog3S3I52fLAgBUhKhmXnf
+p6UAyAGO0kYmQB95DZItyUmOJhdZNDyAkhtDgJaJopTQgQIDAQABoyAwHjAMBgNV
+HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEALmzq
+LGleVBZPrYxIr+BgDU8tn0xOB7GQHlxI2j5c+enEeZdXRcPkJ3DE1erq28zHXmLV
+DLYuaIjf3quoCHN1xkxy2e87+Cxc6Y1xtIJfUSb1tl5dXRi6W+xRsNIt9vXMm6Ji
+Z3cMzJqouYfJW4W73RwwqQN3a8jsdDFW8Ovd6bjeO3kiNOQ8GhMzDjqz7ny5XLqk
+UaSjsR+38XGyGmBmwXCcy/w2A+u8zxOZ6EGSukuRVVHojQ4oQBfnqgeusKsihu59
+Xwo388+e17D5EYDuDD4AfR8OGQ+wbq8IILiYmaBfOLBr/fmgugkHFc0Z0GxTwbFs
+XgYQ5Of2+fpEkujaOw==
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/code_signing_certs/0B.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/code_signing_certs/0B.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,22 +5,22 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch5.2_ta1/emailAddress=ch5.2_ta1
         Validity
-            Not Before: Dec 13 00:13:35 2013 GMT
-            Not After : Sep  8 00:13:35 2016 GMT
+            Not Before: Jan 22 01:57:55 2016 GMT
+            Not After : Oct 18 01:57:55 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=cs1_ch5.2_ta1/emailAddress=cs1_ch5.2_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:b5:6f:3b:c4:aa:e3:6b:1a:e2:26:41:f2:49:f1:
-                    40:85:73:dc:ec:ef:04:d4:c9:fa:05:29:fc:bb:b9:
-                    83:5f:f1:05:d2:06:9c:e2:52:09:91:d7:d5:3c:45:
-                    ef:3f:77:2b:c8:fc:69:78:19:96:e5:14:c3:7e:8a:
-                    af:56:c0:44:ca:5c:49:bc:3c:71:0a:b9:05:6e:2a:
-                    b7:3f:02:8a:80:da:e7:ab:47:eb:18:40:18:4a:80:
-                    54:2c:dd:97:09:df:7d:ae:0f:f2:3a:9a:51:11:af:
-                    86:bb:f1:ec:5d:45:4d:64:11:d5:0f:2f:bd:79:eb:
-                    91:c1:5e:23:2e:18:aa:6e:89
+                    00:c7:15:71:1b:af:97:bf:7d:72:5c:0a:cb:58:b5:
+                    29:e5:72:e2:b4:35:c8:7b:b8:2f:c8:7d:99:de:4c:
+                    ce:d0:8b:7d:bc:ac:e9:1e:3e:c7:ea:8d:d1:56:4c:
+                    3c:7e:05:d8:8b:8e:d9:57:b2:1e:89:82:a7:e4:45:
+                    8c:c6:b8:57:17:32:6a:4a:d1:24:29:6c:fa:66:ff:
+                    eb:8b:9e:c5:97:99:8b:bf:d7:de:ec:32:20:9b:59:
+                    66:fc:91:88:f9:2e:9f:9a:69:87:e4:3a:91:51:98:
+                    ee:55:8a:1d:b3:27:56:85:36:da:2e:a9:13:3f:a5:
+                    77:b8:1c:9d:a9:33:af:c5:c9
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
@@ -28,27 +28,37 @@
             X509v3 Key Usage: critical
                 Digital Signature
     Signature Algorithm: sha256WithRSAEncryption
-         30:93:85:ec:3e:1b:11:03:97:84:c4:63:bf:5c:02:32:b6:56:
-         af:42:a5:28:24:7d:63:6c:a5:9c:9a:f5:52:7b:cf:c0:22:91:
-         47:7a:92:10:19:c4:51:08:1a:68:5e:50:a2:f1:fc:ac:23:8c:
-         dd:0c:a4:6a:21:8d:db:78:e1:5b:29:7b:8d:3c:5e:85:d8:4e:
-         5f:24:f4:17:f8:96:a8:62:db:04:2d:92:3c:ea:9f:7e:3b:ef:
-         1e:45:aa:0d:88:84:e9:a3:ee:42:bd:13:43:dd:e4:8f:0d:db:
-         e2:ae:0c:be:40:7b:a6:f1:86:19:ee:ff:6d:6f:5b:11:3a:41:
-         51:9c
+         93:39:98:08:42:89:d9:7f:42:79:80:ff:dd:0e:f1:ec:12:f2:
+         40:6e:81:87:d9:87:68:1d:f9:78:0e:64:51:86:16:25:4f:2b:
+         60:66:d5:3d:74:1e:9c:0e:78:55:9b:ed:3d:23:45:07:49:29:
+         b4:09:ef:af:6d:f9:23:d9:8a:e7:9f:23:6c:fb:ae:99:6c:57:
+         39:0f:32:7a:1e:12:e4:de:cb:8d:44:f7:4c:89:de:21:81:36:
+         77:b2:62:f4:97:60:4d:f8:f2:92:e8:e5:aa:c2:59:31:41:7c:
+         da:10:49:98:f0:a0:d6:77:dd:da:59:87:23:14:65:7f:88:85:
+         49:4e:47:65:4d:4e:57:41:85:8e:3b:9f:26:61:f4:ad:b2:d7:
+         3f:2e:d2:26:73:69:3d:b2:96:68:0b:75:f0:37:92:6b:3b:d9:
+         45:85:1b:0e:9d:96:5c:88:00:7f:7c:99:00:f5:df:b1:4d:c0:
+         1f:5b:ec:5a:00:9b:e5:55:ba:ec:d0:8d:fd:28:62:d4:67:63:
+         2f:9f:ec:06:3e:a9:b9:fd:02:3b:9d:db:19:7f:69:08:b4:fd:
+         13:cb:35:89:87:c2:ea:a6:8b:0c:ad:a0:57:6f:bc:91:7d:87:
+         38:f3:2a:4c:a9:c1:3f:69:a5:9b:b7:a1:1e:19:8d:c0:fa:c5:
+         3d:22:d6:e2
 -----BEGIN CERTIFICATE-----
-MIICiDCCAfGgAwIBAgIBCzANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJVUzET
+MIIDCTCCAfGgAwIBAgIBCzANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEjAQBgNVBAMMCWNoNS4yX3RhMTEYMBYGCSqGSIb3DQEJARYJY2g1
-LjJfdGExMB4XDTEzMTIxMzAwMTMzNVoXDTE2MDkwODAwMTMzNVowfTELMAkGA1UE
+LjJfdGExMB4XDTE2MDEyMjAxNTc1NVoXDTE4MTAxODAxNTc1NVowfTELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJh
 MQ0wCwYDVQQKDARwa2c1MRYwFAYDVQQDDA1jczFfY2g1LjJfdGExMRwwGgYJKoZI
 hvcNAQkBFg1jczFfY2g1LjJfdGExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
-gQC1bzvEquNrGuImQfJJ8UCFc9zs7wTUyfoFKfy7uYNf8QXSBpziUgmR19U8Re8/
-dyvI/Gl4GZblFMN+iq9WwETKXEm8PHEKuQVuKrc/AoqA2uerR+sYQBhKgFQs3ZcJ
-332uD/I6mlERr4a78exdRU1kEdUPL71565HBXiMuGKpuiQIDAQABoyAwHjAMBgNV
-HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOBgQAwk4Xs
-PhsRA5eExGO/XAIytlavQqUoJH1jbKWcmvVSe8/AIpFHepIQGcRRCBpoXlCi8fys
-I4zdDKRqIY3beOFbKXuNPF6F2E5fJPQX+JaoYtsELZI86p9+O+8eRaoNiITpo+5C
-vRND3eSPDdvirgy+QHum8YYZ7v9tb1sROkFRnA==
+gQDHFXEbr5e/fXJcCstYtSnlcuK0Nch7uC/IfZneTM7Qi328rOkePsfqjdFWTDx+
+BdiLjtlXsh6JgqfkRYzGuFcXMmpK0SQpbPpm/+uLnsWXmYu/197sMiCbWWb8kYj5
+Lp+aaYfkOpFRmO5Vih2zJ1aFNtouqRM/pXe4HJ2pM6/FyQIDAQABoyAwHjAMBgNV
+HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAkzmY
+CEKJ2X9CeYD/3Q7x7BLyQG6Bh9mHaB35eA5kUYYWJU8rYGbVPXQenA54VZvtPSNF
+B0kptAnvr235I9mK558jbPuumWxXOQ8yeh4S5N7LjUT3TIneIYE2d7Ji9JdgTfjy
+kujlqsJZMUF82hBJmPCg1nfd2lmHIxRlf4iFSU5HZU1OV0GFjjufJmH0rbLXPy7S
+JnNpPbKWaAt18DeSazvZRYUbDp2WXIgAf3yZAPXfsU3AH1vsWgCb5VW67NCN/Shi
+1GdjL5/sBj6puf0CO53bGX9pCLT9E8s1iYfC6qaLDK2gV2+8kX2HOPMqTKnBP2ml
+m7ehHhmNwPrFPSLW4g==
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/code_signing_certs/0E.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/code_signing_certs/0E.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,22 +5,22 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch5.3_ta1/emailAddress=ch5.3_ta1
         Validity
-            Not Before: Dec 13 00:13:35 2013 GMT
-            Not After : Sep  8 00:13:35 2016 GMT
+            Not Before: Jan 22 01:57:55 2016 GMT
+            Not After : Oct 18 01:57:55 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=cs1_ch5.3_ta1/emailAddress=cs1_ch5.3_ta1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:c5:03:2b:f6:07:4e:f1:a3:9b:96:87:6d:ea:e2:
-                    bb:0b:fb:95:70:f6:34:a7:bb:e7:9f:df:ff:8a:fd:
-                    28:56:0b:fb:de:5d:79:d1:ba:0f:41:73:7f:5b:b9:
-                    17:6b:24:db:6f:20:a3:62:5e:3a:bb:71:29:18:33:
-                    52:24:ff:a9:9b:70:49:7f:78:94:f7:bd:a3:bf:2f:
-                    f4:de:e2:6f:61:13:ce:4f:f3:6a:85:84:35:ae:1d:
-                    a7:fb:00:2d:35:33:cc:18:ff:85:d9:37:0a:15:2b:
-                    15:71:de:ae:8c:99:ef:5b:dc:7b:4b:c1:b3:08:d9:
-                    57:29:29:e0:8d:46:e0:79:83
+                    00:bf:b3:de:90:3b:93:8e:e5:95:66:95:4d:01:ce:
+                    55:c3:ae:8c:d8:e3:0d:64:cb:c9:36:fd:c2:85:39:
+                    16:c7:3d:7c:a6:6c:a7:b5:29:04:b5:4a:84:74:86:
+                    53:a8:73:04:11:e1:8c:c1:c0:5c:4c:fa:be:09:3a:
+                    c5:df:bb:0d:06:de:b3:42:1e:8d:9e:4c:50:de:d5:
+                    98:a5:32:55:f9:fe:bd:b3:9f:1e:83:c3:02:57:3e:
+                    2d:a8:ff:80:98:ce:94:13:8c:cc:6a:b3:d1:c3:89:
+                    60:8e:23:b6:87:a6:ed:f1:df:51:5a:da:0c:5a:9d:
+                    d0:4a:47:e5:11:2c:fa:55:9f
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
@@ -28,27 +28,37 @@
             X509v3 Key Usage: critical
                 Digital Signature
     Signature Algorithm: sha256WithRSAEncryption
-         0d:01:09:aa:c9:69:4c:33:74:70:07:ab:60:b6:0f:75:36:9e:
-         62:c2:96:82:f4:94:e4:9e:4b:6a:b4:fc:4e:45:21:e5:a7:20:
-         18:2a:a4:82:43:92:3a:d5:29:3a:f4:bb:e8:40:65:c8:08:53:
-         3b:46:42:4d:0b:f6:ba:8d:3f:08:ab:43:98:4b:41:40:8c:d6:
-         2d:58:dc:a8:53:e3:78:51:92:32:7e:00:9c:16:bb:c1:61:73:
-         68:2b:6d:4e:0f:f6:41:e4:08:43:b1:77:85:22:2b:06:1e:69:
-         48:38:28:9c:d5:60:65:7b:94:db:e7:d4:37:de:6a:0f:f3:cb:
-         53:45
+         82:46:80:6c:e6:98:56:e6:82:01:23:8c:9a:ad:cc:66:51:d2:
+         50:1e:50:6e:1e:f8:24:8a:ea:bd:1e:59:61:4e:ee:37:c8:57:
+         6a:a9:3d:59:ca:a5:20:25:92:dd:f1:86:4e:25:ee:32:70:86:
+         f6:a9:39:26:93:15:c1:dc:9b:a0:f9:62:ad:f1:f6:57:35:0c:
+         df:6f:b4:a7:c5:69:5e:da:42:0c:f0:b4:bd:9d:32:7f:0e:58:
+         54:5c:35:8f:77:5e:5c:5f:74:96:16:52:d3:41:2b:1b:7e:e6:
+         37:a3:57:8e:57:18:84:21:ff:97:ad:5e:03:9f:e5:e2:78:de:
+         ec:35:5e:1d:48:ee:12:eb:61:70:2f:cf:11:7c:64:82:2c:ea:
+         d6:5b:61:89:98:c8:4a:b7:a5:32:5f:09:48:d2:09:7e:7b:13:
+         ad:ba:a4:cd:dc:86:1f:50:5a:72:81:79:32:b1:54:4e:b5:2f:
+         da:55:f4:98:26:fb:ae:a7:60:b8:ce:ec:b4:dc:ea:7d:33:75:
+         ff:3c:df:8c:6c:e7:92:86:89:0f:23:c9:fb:7b:05:7b:56:20:
+         e0:5d:e9:d5:4b:6f:82:a4:be:47:48:9c:b9:69:13:ca:0f:af:
+         2b:ff:25:eb:98:2d:6d:ca:ee:8e:ad:de:20:df:27:02:a6:14:
+         c9:60:ab:b1
 -----BEGIN CERTIFICATE-----
-MIICiDCCAfGgAwIBAgIBDjANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJVUzET
+MIIDCTCCAfGgAwIBAgIBDjANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEjAQBgNVBAMMCWNoNS4zX3RhMTEYMBYGCSqGSIb3DQEJARYJY2g1
-LjNfdGExMB4XDTEzMTIxMzAwMTMzNVoXDTE2MDkwODAwMTMzNVowfTELMAkGA1UE
+LjNfdGExMB4XDTE2MDEyMjAxNTc1NVoXDTE4MTAxODAxNTc1NVowfTELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJh
 MQ0wCwYDVQQKDARwa2c1MRYwFAYDVQQDDA1jczFfY2g1LjNfdGExMRwwGgYJKoZI
 hvcNAQkBFg1jczFfY2g1LjNfdGExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
-gQDFAyv2B07xo5uWh23q4rsL+5Vw9jSnu+ef3/+K/ShWC/veXXnRug9Bc39buRdr
-JNtvIKNiXjq7cSkYM1Ik/6mbcEl/eJT3vaO/L/Te4m9hE85P82qFhDWuHaf7AC01
-M8wY/4XZNwoVKxVx3q6Mme9b3HtLwbMI2VcpKeCNRuB5gwIDAQABoyAwHjAMBgNV
-HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOBgQANAQmq
-yWlMM3RwB6tgtg91Np5iwpaC9JTknktqtPxORSHlpyAYKqSCQ5I61Sk69LvoQGXI
-CFM7RkJNC/a6jT8Iq0OYS0FAjNYtWNyoU+N4UZIyfgCcFrvBYXNoK21OD/ZB5AhD
-sXeFIisGHmlIOCic1WBle5Tb59Q33moP88tTRQ==
+gQC/s96QO5OO5ZVmlU0BzlXDrozY4w1ky8k2/cKFORbHPXymbKe1KQS1SoR0hlOo
+cwQR4YzBwFxM+r4JOsXfuw0G3rNCHo2eTFDe1ZilMlX5/r2znx6DwwJXPi2o/4CY
+zpQTjMxqs9HDiWCOI7aHpu3x31Fa2gxandBKR+URLPpVnwIDAQABoyAwHjAMBgNV
+HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAgkaA
+bOaYVuaCASOMmq3MZlHSUB5Qbh74JIrqvR5ZYU7uN8hXaqk9WcqlICWS3fGGTiXu
+MnCG9qk5JpMVwdyboPlirfH2VzUM32+0p8VpXtpCDPC0vZ0yfw5YVFw1j3deXF90
+lhZS00ErG37mN6NXjlcYhCH/l61eA5/l4nje7DVeHUjuEuthcC/PEXxkgizq1lth
+iZjISrelMl8JSNIJfnsTrbqkzdyGH1BacoF5MrFUTrUv2lX0mCb7rqdguM7stNzq
+fTN1/zzfjGznkoaJDyPJ+3sFe1Yg4F3p1UtvgqS+R0icuWkTyg+vK/8l65gtbcru
+jq3eIN8nAqYUyWCrsQ==
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/code_signing_certs/0F.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/code_signing_certs/0F.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,22 +5,22 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ta2/emailAddress=ta2
         Validity
-            Not Before: Dec 13 00:13:35 2013 GMT
-            Not After : Sep  8 00:13:35 2016 GMT
+            Not Before: Jan 22 01:57:56 2016 GMT
+            Not After : Oct 18 01:57:56 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=cs1_ta2/emailAddress=cs1_ta2
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:be:2d:d1:b2:aa:38:aa:c1:4f:f3:f7:07:f2:f3:
-                    30:0c:6d:f7:13:ed:c3:c7:c8:f8:87:8d:ea:a3:49:
-                    cf:74:dd:30:1b:1f:9d:a6:8e:b7:eb:fa:f5:f7:e5:
-                    e0:05:9a:e4:b1:ed:2d:ee:ff:f8:ab:23:9a:f3:24:
-                    ad:99:26:83:4d:e7:35:b7:c8:b1:60:3d:0c:44:e9:
-                    2c:24:50:ee:86:5c:f0:ba:61:34:5d:f9:6c:a3:b7:
-                    e3:16:0e:90:35:9e:05:15:99:32:ff:50:de:b5:e0:
-                    66:88:e6:d5:0b:ae:16:a9:91:f5:86:c4:23:c9:7e:
-                    f1:9d:2b:86:43:e6:fb:c1:a5
+                    00:cb:c5:b4:29:67:2e:59:1c:d9:e5:0e:f6:c8:d8:
+                    03:8d:1a:72:be:fc:67:e3:77:5e:a4:c6:d6:1a:0b:
+                    9d:95:9c:d0:db:5f:72:94:27:5f:91:ec:5c:dc:22:
+                    39:eb:23:5e:79:17:3e:1a:4a:cb:3d:04:7a:e6:43:
+                    9d:d9:97:c5:26:3e:72:6b:e7:4a:36:e2:5b:c6:69:
+                    ae:2c:83:c8:7d:a5:93:be:32:38:b8:13:c5:c5:d6:
+                    f1:9d:35:9b:9a:80:43:40:50:58:fc:89:68:0a:9c:
+                    fb:a2:5a:d2:b4:ed:a5:e5:7a:ea:54:89:8f:45:df:
+                    33:7a:8f:c0:e2:d2:97:70:7b
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
@@ -28,27 +28,36 @@
             X509v3 Key Usage: critical
                 Digital Signature
     Signature Algorithm: sha256WithRSAEncryption
-         10:82:e5:2b:f8:67:14:0c:22:0d:f4:4e:17:c5:d5:7f:3d:fa:
-         24:2a:ad:33:47:ff:2a:f5:37:f6:83:81:2f:32:df:01:18:80:
-         7a:00:0b:f5:37:f9:eb:de:b0:38:cc:38:94:94:83:76:38:bb:
-         0e:0a:72:9b:2c:87:ce:8c:46:ef:68:f4:e0:a9:2f:cc:28:53:
-         c3:ac:63:7d:2b:87:fb:76:7b:9e:98:c6:0e:80:9e:80:4e:40:
-         b8:1e:2c:8b:c1:8b:cd:13:58:16:ea:aa:a0:0e:b6:b8:4b:a7:
-         74:a1:0d:d9:41:70:44:1e:19:d2:25:4b:b1:52:65:40:32:b0:
-         5d:3d
+         57:7a:72:03:64:a0:35:b9:21:d9:44:2a:a8:56:27:d9:d6:e0:
+         8a:38:2b:6d:51:96:7e:92:49:85:94:29:65:2d:06:a2:5e:f7:
+         ff:08:55:a2:41:a3:05:c8:43:81:31:4a:db:44:2f:2f:24:08:
+         bc:50:3a:c5:9f:0c:04:af:d7:27:0a:67:ab:06:ad:e8:b8:7c:
+         6f:f1:c7:02:79:27:49:b8:d1:cd:34:7e:68:bb:10:e0:2d:6e:
+         32:c5:a8:21:34:13:55:d1:a1:a8:b1:4e:67:22:e0:bf:5f:a7:
+         39:b2:33:96:fa:90:93:1f:6b:a8:8b:a2:ef:b8:61:7a:98:57:
+         a9:b7:fe:04:bf:70:ae:ee:bc:1e:d7:ef:96:22:14:8d:b8:0b:
+         23:54:c6:1b:60:5a:fd:0d:2e:02:33:3b:78:a4:78:70:b8:15:
+         e9:aa:15:8e:c9:8a:84:95:60:2f:8a:ff:cc:43:f8:41:df:e9:
+         1d:b7:3b:1e:ec:c2:a9:de:bc:c3:f5:ac:25:d3:76:1a:70:f2:
+         00:79:f5:85:28:2e:39:4d:9e:b4:3f:76:0e:04:8c:ce:ad:bf:
+         03:f9:10:70:fa:a3:68:52:fd:77:99:e1:7c:f7:dc:72:7e:8d:
+         02:45:7d:07:ba:21:d5:15:0f:cf:b1:2b:5f:fa:24:ec:f4:74:
+         12:e2:3e:cd
 -----BEGIN CERTIFICATE-----
-MIICcDCCAdmgAwIBAgIBDzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
+MIIC8TCCAdmgAwIBAgIBDzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
-BAoMBHBrZzUxDDAKBgNVBAMMA3RhMjESMBAGCSqGSIb3DQEJARYDdGEyMB4XDTEz
-MTIxMzAwMTMzNVoXDTE2MDkwODAwMTMzNVowcTELMAkGA1UEBhMCVVMxEzARBgNV
+BAoMBHBrZzUxDDAKBgNVBAMMA3RhMjESMBAGCSqGSIb3DQEJARYDdGEyMB4XDTE2
+MDEyMjAxNTc1NloXDTE4MTAxODAxNTc1NlowcTELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARw
 a2c1MRAwDgYDVQQDDAdjczFfdGEyMRYwFAYJKoZIhvcNAQkBFgdjczFfdGEyMIGf
-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+LdGyqjiqwU/z9wfy8zAMbfcT7cPH
-yPiHjeqjSc903TAbH52mjrfr+vX35eAFmuSx7S3u//irI5rzJK2ZJoNN5zW3yLFg
-PQxE6SwkUO6GXPC6YTRd+Wyjt+MWDpA1ngUVmTL/UN614GaI5tULrhapkfWGxCPJ
-fvGdK4ZD5vvBpQIDAQABoyAwHjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIH
-gDANBgkqhkiG9w0BAQsFAAOBgQAQguUr+GcUDCIN9E4XxdV/PfokKq0zR/8q9Tf2
-g4EvMt8BGIB6AAv1N/nr3rA4zDiUlIN2OLsOCnKbLIfOjEbvaPTgqS/MKFPDrGN9
-K4f7dnuemMYOgJ6ATkC4HiyLwYvNE1gW6qqgDra4S6d0oQ3ZQXBEHhnSJUuxUmVA
-MrBdPQ==
+MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLxbQpZy5ZHNnlDvbI2AONGnK+/Gfj
+d16kxtYaC52VnNDbX3KUJ1+R7FzcIjnrI155Fz4aSss9BHrmQ53Zl8UmPnJr50o2
+4lvGaa4sg8h9pZO+Mji4E8XF1vGdNZuagENAUFj8iWgKnPuiWtK07aXleupUiY9F
+3zN6j8Di0pdwewIDAQABoyAwHjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIH
+gDANBgkqhkiG9w0BAQsFAAOCAQEAV3pyA2SgNbkh2UQqqFYn2dbgijgrbVGWfpJJ
+hZQpZS0Gol73/whVokGjBchDgTFK20QvLyQIvFA6xZ8MBK/XJwpnqwat6Lh8b/HH
+AnknSbjRzTR+aLsQ4C1uMsWoITQTVdGhqLFOZyLgv1+nObIzlvqQkx9rqIui77hh
+ephXqbf+BL9wru68HtfvliIUjbgLI1TGG2Ba/Q0uAjM7eKR4cLgV6aoVjsmKhJVg
+L4r/zEP4Qd/pHbc7HuzCqd68w/WsJdN2GnDyAHn1hSguOU2etD92DgSMzq2/A/kQ
+cPqjaFL9d5nhfPfccn6NAkV9B7oh1RUPz7ErX/ok7PR0EuI+zQ==
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/code_signing_certs/11.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/code_signing_certs/11.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,22 +5,22 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1_ta3/emailAddress=ch1_ta3
         Validity
-            Not Before: Dec 13 00:13:35 2013 GMT
-            Not After : Sep  8 00:13:35 2016 GMT
+            Not Before: Jan 22 01:57:56 2016 GMT
+            Not After : Oct 18 01:57:56 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=cs1_ch1_ta3/emailAddress=cs1_ch1_ta3
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:ea:17:76:34:ce:b3:de:ac:50:62:a0:0f:14:50:
-                    89:72:26:d5:a2:97:17:91:eb:df:97:7e:80:ff:69:
-                    8e:01:0a:bb:d1:a1:e0:f3:d2:27:56:c6:2d:0f:b5:
-                    84:e4:70:f3:e1:7e:fc:92:8e:fd:77:48:cb:ac:cd:
-                    bf:f4:aa:fa:29:5f:1b:44:03:cf:fa:6f:6d:ae:db:
-                    61:f1:3e:ef:95:de:41:23:36:a2:3a:e7:67:26:04:
-                    6b:7e:9d:f6:92:5e:5b:4c:ab:0a:aa:cf:99:b4:4c:
-                    54:05:73:81:a3:7b:5d:82:cb:e0:ee:9b:29:29:e6:
-                    fb:dd:93:64:23:13:85:d1:e1
+                    00:bd:1a:02:7f:2c:e8:d7:9c:c2:2d:70:bd:9d:1f:
+                    56:c6:dd:f8:97:0e:5b:75:bd:d6:d9:d0:16:a0:c6:
+                    80:87:e4:b3:be:c3:aa:f4:a3:e9:20:04:f2:04:fa:
+                    0d:bd:32:0b:96:65:0c:22:35:05:7c:d5:68:29:1a:
+                    79:74:4d:21:5a:c8:11:e7:6e:7a:cd:79:f4:5d:7e:
+                    57:08:14:c9:16:12:40:60:f8:25:15:3f:02:2f:b8:
+                    eb:7f:06:9a:a4:f1:29:e7:48:55:1b:0c:9b:a5:4c:
+                    29:bd:33:63:8c:7e:8d:c6:38:ee:78:63:24:35:e2:
+                    3c:76:81:7a:6f:22:3e:82:97
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
@@ -28,27 +28,37 @@
             X509v3 Key Usage: critical
                 Digital Signature
     Signature Algorithm: sha256WithRSAEncryption
-         60:5d:82:5a:64:28:86:45:51:ab:d5:4c:74:ad:eb:84:37:fa:
-         ed:53:df:29:0d:00:9c:4b:33:f4:25:83:ad:b3:e4:cb:11:b0:
-         6e:92:cd:4f:9d:4b:7d:d0:bb:bc:c5:ef:b1:44:2e:54:e1:5e:
-         68:1f:a9:06:a7:e2:ca:82:f9:ac:e8:14:82:a3:26:03:7b:1b:
-         63:98:4f:bb:c9:5d:d5:79:77:bc:2e:e3:3d:7a:82:79:af:7d:
-         fc:e8:a0:9d:f9:e1:74:6d:e6:b9:47:84:19:dd:3f:43:51:8d:
-         9b:c1:27:9e:b7:c7:6b:e2:1f:77:29:bb:5f:a6:16:bf:d0:fd:
-         5a:c2
+         70:83:e0:e1:03:6f:db:c7:ed:52:d3:68:b3:2a:22:d9:0c:89:
+         f1:58:5b:2a:63:48:b5:eb:b1:ee:d9:ca:52:0c:c5:24:7f:cc:
+         c9:c5:5a:8d:69:27:a2:06:a8:4d:23:cc:94:91:f4:4c:bb:fd:
+         26:e7:b8:f7:08:8b:91:35:ec:68:bc:db:59:24:4b:d7:b7:f5:
+         21:6e:68:5d:a3:4a:85:a5:e7:d2:f3:9c:49:0c:37:e0:e8:7c:
+         c5:33:46:06:a3:92:b0:80:c4:05:52:89:55:8a:96:c2:90:44:
+         7c:c2:38:0d:16:23:37:b5:20:23:8f:46:c0:7d:3c:ae:e8:08:
+         7c:04:b5:01:e8:e9:28:df:c9:cb:74:08:35:c3:1d:55:76:18:
+         cd:5f:ae:00:50:0c:a2:41:e6:a5:b0:e7:b2:53:07:4a:32:38:
+         74:b6:25:2e:57:18:b7:32:04:b9:7e:03:4e:f5:3f:cf:9a:44:
+         b8:cf:d5:c8:aa:39:71:b8:e2:e8:4b:eb:7d:c1:94:f3:96:8b:
+         9e:3e:63:bb:a1:3c:52:e2:7f:76:b6:82:8e:a5:78:4c:4f:4f:
+         5c:f5:69:2a:88:55:fb:78:28:0f:e0:3a:77:a1:e3:c3:89:f5:
+         5c:41:91:1a:79:70:6c:28:6b:ad:64:56:8c:28:35:99:6c:ca:
+         94:8e:b5:4e
 -----BEGIN CERTIFICATE-----
-MIICgDCCAemgAwIBAgIBETANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIDATCCAemgAwIBAgIBETANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoMV90YTMxFjAUBgkqhkiG9w0BCQEWB2NoMV90
-YTMwHhcNMTMxMjEzMDAxMzM1WhcNMTYwOTA4MDAxMzM1WjB5MQswCQYDVQQGEwJV
+YTMwHhcNMTYwMTIyMDE1NzU2WhcNMTgxMDE4MDE1NzU2WjB5MQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxFDASBgNVBAMMC2NzMV9jaDFfdGEzMRowGAYJKoZIhvcNAQkB
-FgtjczFfY2gxX3RhMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6hd2NM6z
-3qxQYqAPFFCJcibVopcXkevfl36A/2mOAQq70aHg89InVsYtD7WE5HDz4X78ko79
-d0jLrM2/9Kr6KV8bRAPP+m9trtth8T7vld5BIzaiOudnJgRrfp32kl5bTKsKqs+Z
-tExUBXOBo3tdgsvg7pspKeb73ZNkIxOF0eECAwEAAaMgMB4wDAYDVR0TAQH/BAIw
-ADAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADgYEAYF2CWmQohkVRq9VM
-dK3rhDf67VPfKQ0AnEsz9CWDrbPkyxGwbpLNT51LfdC7vMXvsUQuVOFeaB+pBqfi
-yoL5rOgUgqMmA3sbY5hPu8ld1Xl3vC7jPXqCea99/OignfnhdG3muUeEGd0/Q1GN
-m8EnnrfHa+Ifdym7X6YWv9D9WsI=
+FgtjczFfY2gxX3RhMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvRoCfyzo
+15zCLXC9nR9Wxt34lw5bdb3W2dAWoMaAh+SzvsOq9KPpIATyBPoNvTILlmUMIjUF
+fNVoKRp5dE0hWsgR5256zXn0XX5XCBTJFhJAYPglFT8CL7jrfwaapPEp50hVGwyb
+pUwpvTNjjH6NxjjueGMkNeI8doF6byI+gpcCAwEAAaMgMB4wDAYDVR0TAQH/BAIw
+ADAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAHCD4OEDb9vH7VLT
+aLMqItkMifFYWypjSLXrse7ZylIMxSR/zMnFWo1pJ6IGqE0jzJSR9Ey7/SbnuPcI
+i5E17Gi821kkS9e39SFuaF2jSoWl59LznEkMN+DofMUzRgajkrCAxAVSiVWKlsKQ
+RHzCOA0WIze1ICOPRsB9PK7oCHwEtQHo6Sjfyct0CDXDHVV2GM1frgBQDKJB5qWw
+57JTB0oyOHS2JS5XGLcyBLl+A071P8+aRLjP1ciqOXG44uhL633BlPOWi54+Y7uh
+PFLif3a2go6leExPT1z1aSqIVft4KA/gOneh48OJ9VxBkRp5cGwoa61kVowoNZls
+ypSOtU4=
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/code_signing_certs/12.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/code_signing_certs/12.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,22 +5,22 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1_ta3/emailAddress=ch1_ta3
         Validity
-            Not Before: Dec 13 00:13:35 2013 GMT
-            Not After : Sep  8 00:13:35 2016 GMT
+            Not Before: Jan 22 01:57:56 2016 GMT
+            Not After : Oct 18 01:57:56 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=cs2_ch1_ta3/emailAddress=cs2_ch1_ta3
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:98:97:30:92:90:4d:45:5a:0c:e2:6f:fb:25:9e:
-                    72:7f:56:64:f5:64:f5:b2:5b:85:27:b7:ad:fa:24:
-                    d7:54:00:1d:5c:4d:c2:92:81:76:f1:37:49:14:b7:
-                    9d:8c:fb:96:69:2d:11:32:6a:19:eb:eb:eb:27:a3:
-                    be:1f:00:29:c8:ba:d6:ca:97:df:e0:83:68:51:9c:
-                    81:f5:63:e0:69:39:1a:fe:5e:af:c3:af:b6:23:b8:
-                    aa:b4:65:c7:f4:7e:63:db:ff:1b:7e:ce:ed:60:7d:
-                    be:2f:fd:05:ee:d0:cd:72:7e:91:93:69:82:29:8f:
-                    a8:a8:53:b1:d7:ea:83:df:89
+                    00:a7:2e:16:f6:57:bd:96:ef:ec:40:c5:df:96:74:
+                    2f:34:9c:1f:66:a1:62:96:f3:fb:34:aa:ab:44:47:
+                    3b:0b:24:b1:ca:94:91:23:48:0e:0d:7a:07:57:87:
+                    1b:12:62:90:9f:b1:66:37:74:59:18:df:7b:ea:f2:
+                    04:b8:e9:d2:b8:cd:a9:67:2c:7d:59:81:7c:89:67:
+                    d3:44:e6:76:05:96:84:d1:eb:13:77:a3:cc:c8:58:
+                    ed:ce:d7:af:ef:e2:35:c0:ad:4e:f3:f9:c5:e9:68:
+                    39:35:0f:7d:90:cf:0b:29:d1:d9:19:a8:3b:17:2e:
+                    a1:53:19:e3:a2:99:6d:aa:3b
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
@@ -29,27 +29,37 @@
                 <EMPTY>
 
     Signature Algorithm: sha256WithRSAEncryption
-         53:10:01:62:32:bd:ff:7d:30:a5:09:5f:77:44:af:0d:81:d4:
-         4b:c8:f6:fe:ba:38:65:9f:b6:55:77:7a:36:86:42:64:1a:89:
-         66:4f:1d:f5:0a:65:1e:06:2c:07:46:b3:57:ba:98:1d:1c:46:
-         52:08:65:32:70:9d:98:3e:e9:6b:be:da:7e:91:54:60:52:ad:
-         0e:90:3f:ee:7c:2a:03:84:8f:4f:e4:1b:d3:4f:a8:d3:c2:29:
-         74:cc:ac:87:81:7e:38:07:cd:d8:5f:20:00:b6:e4:ea:c1:e5:
-         06:77:19:da:9c:3b:43:7f:91:ab:8c:f1:b7:03:09:09:0a:85:
-         de:91
+         83:33:ef:16:73:52:9e:83:99:ef:b6:f8:79:71:bc:0f:9e:58:
+         29:10:6b:8e:35:b4:40:d4:6a:51:0c:6a:e0:d9:29:f3:35:03:
+         79:4b:eb:42:57:f4:69:df:51:ef:aa:07:53:5d:84:64:e0:df:
+         82:49:1f:bf:79:3e:51:c6:d4:f5:39:a3:cf:7a:39:9a:a0:3d:
+         d8:df:88:b0:b4:c1:2c:5c:35:93:03:86:19:1d:b4:0f:02:b5:
+         78:89:3a:c5:05:1d:ed:87:09:5b:0f:34:2f:50:10:a8:ca:12:
+         60:cb:0b:b1:a5:68:7c:54:e6:15:c5:f9:01:92:28:72:10:bc:
+         64:1d:cc:3b:55:90:d0:e9:8d:30:e8:cf:3b:46:ab:a7:84:bf:
+         67:60:2b:83:f3:46:23:11:a8:69:d0:b7:8f:27:1f:f3:32:86:
+         40:fc:1f:34:bc:8d:66:66:22:3d:f1:9c:77:4a:c4:89:2d:ae:
+         32:ed:53:75:ef:02:46:37:3c:06:bd:31:cc:44:72:d1:7a:57:
+         17:91:5c:27:4b:13:9c:7b:59:e8:5c:ce:03:0c:f4:45:d8:68:
+         e6:0d:35:03:fd:11:8f:30:9b:79:a8:4e:3a:99:b5:d5:0f:cf:
+         cf:eb:24:ce:63:09:86:c1:f7:f2:2c:0b:8e:65:b3:ed:ed:0d:
+         49:bc:17:76
 -----BEGIN CERTIFICATE-----
-MIICfjCCAeegAwIBAgIBEjANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIC/zCCAeegAwIBAgIBEjANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoMV90YTMxFjAUBgkqhkiG9w0BCQEWB2NoMV90
-YTMwHhcNMTMxMjEzMDAxMzM1WhcNMTYwOTA4MDAxMzM1WjB5MQswCQYDVQQGEwJV
+YTMwHhcNMTYwMTIyMDE1NzU2WhcNMTgxMDE4MDE1NzU2WjB5MQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxFDASBgNVBAMMC2NzMl9jaDFfdGEzMRowGAYJKoZIhvcNAQkB
-FgtjczJfY2gxX3RhMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmJcwkpBN
-RVoM4m/7JZ5yf1Zk9WT1sluFJ7et+iTXVAAdXE3CkoF28TdJFLedjPuWaS0RMmoZ
-6+vrJ6O+HwApyLrWypff4INoUZyB9WPgaTka/l6vw6+2I7iqtGXH9H5j2/8bfs7t
-YH2+L/0F7tDNcn6Rk2mCKY+oqFOx1+qD34kCAwEAAaMeMBwwDAYDVR0TAQH/BAIw
-ADAMBgNVHRIBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4GBAFMQAWIyvf99MKUJX3dE
-rw2B1EvI9v66OGWftlV3ejaGQmQaiWZPHfUKZR4GLAdGs1e6mB0cRlIIZTJwnZg+
-6Wu+2n6RVGBSrQ6QP+58KgOEj0/kG9NPqNPCKXTMrIeBfjgHzdhfIAC25OrB5QZ3
-GdqcO0N/kauM8bcDCQkKhd6R
+FgtjczJfY2gxX3RhMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApy4W9le9
+lu/sQMXflnQvNJwfZqFilvP7NKqrREc7CySxypSRI0gODXoHV4cbEmKQn7FmN3RZ
+GN976vIEuOnSuM2pZyx9WYF8iWfTROZ2BZaE0esTd6PMyFjtztev7+I1wK1O8/nF
+6Wg5NQ99kM8LKdHZGag7Fy6hUxnjopltqjsCAwEAAaMeMBwwDAYDVR0TAQH/BAIw
+ADAMBgNVHRIBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCDM+8Wc1Keg5nvtvh5
+cbwPnlgpEGuONbRA1GpRDGrg2SnzNQN5S+tCV/Rp31HvqgdTXYRk4N+CSR+/eT5R
+xtT1OaPPejmaoD3Y34iwtMEsXDWTA4YZHbQPArV4iTrFBR3thwlbDzQvUBCoyhJg
+ywuxpWh8VOYVxfkBkihyELxkHcw7VZDQ6Y0w6M87RqunhL9nYCuD80YjEahp0LeP
+Jx/zMoZA/B80vI1mZiI98Zx3SsSJLa4y7VN17wJGNzwGvTHMRHLRelcXkVwnSxOc
+e1noXM4DDPRF2GjmDTUD/RGPMJt5qE46mbXVD8/P6yTOYwmGwffyLAuOZbPt7Q1J
+vBd2
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/code_signing_certs/13.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/code_signing_certs/13.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -12,15 +12,15 @@
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:d3:01:be:68:e6:07:6b:d4:f1:10:9e:99:93:cb:
-                    79:4d:15:d1:39:fb:b2:de:74:10:57:84:c3:ab:3e:
-                    25:cc:f4:7e:66:1e:f2:fa:f2:32:b4:c5:6c:80:e7:
-                    31:80:1a:96:79:96:83:b5:44:58:f1:2a:9b:3b:c0:
-                    0d:42:00:27:49:bf:6e:0a:d6:8b:b4:20:5c:a7:3d:
-                    11:74:25:95:08:45:bb:c5:ca:07:42:a3:e8:19:36:
-                    e1:62:42:53:bc:2f:1f:a8:10:31:ee:40:7d:ec:b5:
-                    54:04:c4:63:e8:43:12:09:7d:1e:99:60:f6:db:ec:
-                    65:d3:13:bb:36:be:e2:d8:ed
+                    00:df:9f:1c:73:ce:11:ce:1a:fd:cd:f9:24:c0:c3:
+                    c7:cc:f3:3b:87:8a:2c:67:bb:e3:c0:18:29:63:03:
+                    01:49:08:0b:fc:95:23:81:e5:82:2c:24:f1:5f:06:
+                    ab:29:c1:a5:5f:05:10:f8:25:24:8e:21:a3:e0:f9:
+                    9d:5b:90:a8:78:76:7a:94:b7:70:5f:6b:0c:ac:2a:
+                    f1:c9:0e:75:d9:11:0c:f1:f1:69:00:f8:e3:c5:d4:
+                    52:ef:ec:ef:bb:cd:ff:28:1c:35:bb:1d:a0:df:46:
+                    c3:f5:79:df:05:05:31:34:03:1f:b1:c5:6b:76:64:
+                    72:a8:28:3b:d4:f4:6c:19:27
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
@@ -28,27 +28,37 @@
             X509v3 Key Usage: critical
                 Digital Signature
     Signature Algorithm: sha256WithRSAEncryption
-         5f:64:85:36:62:d2:01:78:45:6d:63:d5:c8:d8:01:cb:39:f7:
-         0f:75:61:87:9c:d0:2b:9d:3f:0f:56:4d:8c:7d:06:69:eb:60:
-         3a:ca:ed:91:39:ba:e8:8b:a9:42:58:33:32:e3:08:ac:a9:ca:
-         76:ef:37:39:74:46:2d:ea:54:e0:0d:e5:62:18:48:5e:e6:8b:
-         6c:6c:25:0c:8d:61:98:f6:7a:ae:b6:73:cb:8a:2d:27:a5:c7:
-         cf:5e:36:a5:2f:10:74:41:b0:93:6d:21:e2:52:c2:d5:88:6e:
-         ff:91:04:eb:92:8b:62:3a:81:a8:88:6c:10:67:4e:a2:6a:2c:
-         17:ec
+         6e:f5:fe:62:5d:34:38:cc:c7:c1:84:50:9f:9c:f8:1a:fc:19:
+         9f:06:a7:e6:9d:d9:88:3b:bb:34:24:a4:a0:15:98:b7:ad:ca:
+         b0:fa:b7:7d:e6:95:0e:e3:70:2d:dc:a2:1c:af:8d:8e:a9:eb:
+         eb:86:fe:13:14:9d:c7:9a:e6:e6:a9:49:d7:b7:60:dd:82:a2:
+         1b:36:d3:c4:da:1c:7e:e3:c1:a1:7d:59:68:6e:08:ab:64:ca:
+         1f:24:87:f3:a8:ee:d9:3b:42:95:31:cc:7c:47:c4:ac:4e:94:
+         d3:33:47:04:22:17:f1:da:bf:37:b3:f2:97:d2:ab:db:3c:5d:
+         87:ae:21:13:65:e8:0f:83:ad:f1:f1:1d:4e:0a:42:3d:b3:19:
+         9e:3d:b4:32:4c:39:5f:e2:b2:a7:ba:0f:04:68:42:e6:10:0b:
+         be:a9:ac:9d:1f:03:53:e1:93:70:60:fa:6b:81:76:25:be:d7:
+         05:00:52:0a:83:00:1f:1f:75:06:9b:14:ff:14:5a:69:db:c9:
+         21:f3:42:cf:3c:3d:e2:a6:a9:8c:f3:04:54:fa:0d:1a:b5:c8:
+         cf:d6:de:93:21:73:b0:02:04:aa:78:d5:96:4c:24:89:68:c0:
+         73:90:cf:ab:19:f1:d1:5d:a3:60:d1:ab:ad:d5:5d:fb:4f:35:
+         b2:15:2e:49
 -----BEGIN CERTIFICATE-----
-MIICgDCCAemgAwIBAgIBEzANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIDATCCAemgAwIBAgIBEzANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoMV90YTMxFjAUBgkqhkiG9w0BCQEWB2NoMV90
 YTMwHhcNMDkwMTAxMDEwMTAxWhcNMDkwMTAyMDEwMTAxWjB5MQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxFDASBgNVBAMMC2NzM19jaDFfdGEzMRowGAYJKoZIhvcNAQkB
-FgtjczNfY2gxX3RhMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0wG+aOYH
-a9TxEJ6Zk8t5TRXROfuy3nQQV4TDqz4lzPR+Zh7y+vIytMVsgOcxgBqWeZaDtURY
-8SqbO8ANQgAnSb9uCtaLtCBcpz0RdCWVCEW7xcoHQqPoGTbhYkJTvC8fqBAx7kB9
-7LVUBMRj6EMSCX0emWD22+xl0xO7Nr7i2O0CAwEAAaMgMB4wDAYDVR0TAQH/BAIw
-ADAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADgYEAX2SFNmLSAXhFbWPV
-yNgByzn3D3Vhh5zQK50/D1ZNjH0GaetgOsrtkTm66IupQlgzMuMIrKnKdu83OXRG
-LepU4A3lYhhIXuaLbGwlDI1hmPZ6rrZzy4otJ6XHz142pS8QdEGwk20h4lLC1Yhu
-/5EE65KLYjqBqIhsEGdOomosF+w=
+FgtjczNfY2gxX3RhMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA358cc84R
+zhr9zfkkwMPHzPM7h4osZ7vjwBgpYwMBSQgL/JUjgeWCLCTxXwarKcGlXwUQ+CUk
+jiGj4PmdW5CoeHZ6lLdwX2sMrCrxyQ512REM8fFpAPjjxdRS7+zvu83/KBw1ux2g
+30bD9XnfBQUxNAMfscVrdmRyqCg71PRsGScCAwEAAaMgMB4wDAYDVR0TAQH/BAIw
+ADAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAG71/mJdNDjMx8GE
+UJ+c+Br8GZ8Gp+ad2Yg7uzQkpKAVmLetyrD6t33mlQ7jcC3cohyvjY6p6+uG/hMU
+ncea5uapSde3YN2Cohs208TaHH7jwaF9WWhuCKtkyh8kh/Oo7tk7QpUxzHxHxKxO
+lNMzRwQiF/Havzez8pfSq9s8XYeuIRNl6A+DrfHxHU4KQj2zGZ49tDJMOV/isqe6
+DwRoQuYQC76prJ0fA1Phk3Bg+muBdiW+1wUAUgqDAB8fdQabFP8UWmnbySHzQs88
+PeKmqYzzBFT6DRq1yM/W3pMhc7ACBKp41ZZMJIlowHOQz6sZ8dFdo2DRq63VXftP
+NbIVLkk=
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/code_signing_certs/14.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/code_signing_certs/14.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -12,15 +12,15 @@
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:cb:2c:5a:74:59:a7:60:a1:a4:1b:36:25:92:c1:
-                    aa:39:3f:7c:17:de:d0:36:c3:1c:bf:c6:25:30:e0:
-                    10:7b:d7:76:7d:de:d6:71:6c:81:df:95:22:a4:dd:
-                    80:55:2a:5e:fd:82:df:94:a0:aa:f9:8e:b1:e9:20:
-                    be:04:26:18:17:e8:04:9e:af:67:ca:57:8e:f6:92:
-                    2c:6e:76:02:4b:84:d8:2b:78:2b:32:74:8e:4c:ea:
-                    ab:3c:61:62:cb:95:af:5c:77:74:19:b2:0e:4f:49:
-                    63:8a:72:ac:c1:77:6a:42:ed:91:6f:be:a4:df:c8:
-                    0b:1b:b4:32:18:46:dc:b9:f5
+                    00:af:fc:e0:e3:83:fd:9f:ee:dc:30:08:85:84:50:
+                    19:ed:c0:ec:2d:41:a5:b9:a3:40:3b:a5:75:42:a8:
+                    ef:e8:bd:a8:7f:b7:53:13:8f:84:02:be:86:63:ea:
+                    8d:87:76:66:e4:ab:2c:ae:08:73:25:39:c6:70:e8:
+                    87:e5:4d:da:47:3a:cf:14:18:39:f3:c5:d8:3b:2f:
+                    41:64:8c:ed:8b:6a:db:0f:b4:cd:f1:aa:78:51:d5:
+                    be:e8:a8:7b:be:8f:3a:e6:95:27:bf:32:3e:37:eb:
+                    94:07:fc:83:bc:61:6e:fc:e4:70:60:a7:eb:47:32:
+                    17:fe:4f:60:77:84:da:3d:27
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
@@ -28,27 +28,37 @@
             X509v3 Key Usage: critical
                 Digital Signature
     Signature Algorithm: sha256WithRSAEncryption
-         40:91:53:35:b9:b9:31:8d:16:de:85:84:2f:b4:5e:35:7a:da:
-         a8:31:06:29:14:94:80:ee:0a:55:7d:8f:02:2f:74:f4:94:5e:
-         00:d1:c7:8b:2a:71:21:8d:3c:d6:f2:b6:50:84:fe:45:f1:56:
-         bd:36:68:72:b7:73:c6:b7:38:3b:fe:be:22:af:77:43:0d:32:
-         f7:7e:ce:2e:e9:1f:24:5a:b9:bb:ae:b3:fd:cd:ea:87:1a:43:
-         7b:22:71:2f:6b:16:74:e6:73:6b:af:38:17:c6:a4:c6:8c:01:
-         a9:c4:76:be:a3:02:8b:47:35:e1:53:c8:27:87:1e:5c:ad:cb:
-         93:4e
+         28:ae:4b:81:fc:7b:18:34:1e:35:19:79:5b:a0:b0:a0:7f:81:
+         8e:f0:f3:56:0d:5f:c9:a7:2b:13:ff:0c:12:f6:3c:f7:70:8f:
+         9a:55:a3:0b:a9:4f:5c:7b:b8:22:63:ae:bd:6e:6c:33:35:ba:
+         b1:3e:b8:60:67:73:bf:5a:ea:70:ec:98:60:bd:37:93:93:64:
+         e2:2b:e1:17:52:ca:7a:a5:bb:94:a4:ab:84:de:c0:64:1c:e3:
+         b6:13:0a:bb:79:24:38:6e:5d:64:5d:f0:22:2f:c9:01:2c:30:
+         c9:45:d8:6f:1c:41:c6:82:70:46:1c:61:d6:0a:90:0e:bf:87:
+         37:35:a3:f5:8b:b6:1c:e3:0b:24:a1:18:a5:fd:37:ca:46:3c:
+         a8:83:05:c2:f8:aa:96:4c:80:5d:b7:b3:4a:95:84:33:4a:e4:
+         bf:89:b0:3b:74:b1:57:db:4a:a1:de:3d:fd:b5:cb:cb:d4:45:
+         0a:4a:9f:d8:9a:87:48:f1:6c:d2:c6:16:f2:a4:98:10:c8:a5:
+         d5:bb:13:f5:4c:cf:ab:be:0c:2f:11:37:8d:8d:14:c0:37:30:
+         74:30:cd:27:0c:e2:96:cc:d4:05:fa:d8:b7:a7:46:e2:17:7a:
+         7e:09:d5:e2:63:85:fe:44:27:30:fd:ad:e6:21:43:fa:07:e9:
+         11:56:9b:22
 -----BEGIN CERTIFICATE-----
-MIICgDCCAemgAwIBAgIBFDANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIDATCCAemgAwIBAgIBFDANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoMV90YTMxFjAUBgkqhkiG9w0BCQEWB2NoMV90
 YTMwHhcNMzUwMTAxMDEwMTAxWhcNMzUwMTAyMDEwMTAxWjB5MQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxFDASBgNVBAMMC2NzNF9jaDFfdGEzMRowGAYJKoZIhvcNAQkB
-FgtjczRfY2gxX3RhMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyyxadFmn
-YKGkGzYlksGqOT98F97QNsMcv8YlMOAQe9d2fd7WcWyB35UipN2AVSpe/YLflKCq
-+Y6x6SC+BCYYF+gEnq9nyleO9pIsbnYCS4TYK3grMnSOTOqrPGFiy5WvXHd0GbIO
-T0ljinKswXdqQu2Rb76k38gLG7QyGEbcufUCAwEAAaMgMB4wDAYDVR0TAQH/BAIw
-ADAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADgYEAQJFTNbm5MY0W3oWE
-L7ReNXraqDEGKRSUgO4KVX2PAi909JReANHHiypxIY081vK2UIT+RfFWvTZocrdz
-xrc4O/6+Iq93Qw0y937OLukfJFq5u66z/c3qhxpDeyJxL2sWdOZza684F8akxowB
-qcR2vqMCi0c14VPIJ4ceXK3Lk04=
+FgtjczRfY2gxX3RhMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr/zg44P9
+n+7cMAiFhFAZ7cDsLUGluaNAO6V1Qqjv6L2of7dTE4+EAr6GY+qNh3Zm5Kssrghz
+JTnGcOiH5U3aRzrPFBg588XYOy9BZIzti2rbD7TN8ap4UdW+6Kh7vo865pUnvzI+
+N+uUB/yDvGFu/ORwYKfrRzIX/k9gd4TaPScCAwEAAaMgMB4wDAYDVR0TAQH/BAIw
+ADAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBACiuS4H8exg0HjUZ
+eVugsKB/gY7w81YNX8mnKxP/DBL2PPdwj5pVowupT1x7uCJjrr1ubDM1urE+uGBn
+c79a6nDsmGC9N5OTZOIr4RdSynqlu5Skq4TewGQc47YTCrt5JDhuXWRd8CIvyQEs
+MMlF2G8cQcaCcEYcYdYKkA6/hzc1o/WLthzjCyShGKX9N8pGPKiDBcL4qpZMgF23
+s0qVhDNK5L+JsDt0sVfbSqHePf21y8vURQpKn9iah0jxbNLGFvKkmBDIpdW7E/VM
+z6u+DC8RN42NFMA3MHQwzScM4pbM1AX62LenRuIXen4J1eJjhf5EJzD9reYhQ/oH
+6RFWmyI=
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/code_signing_certs/15.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/code_signing_certs/15.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,50 +5,60 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1_ta3/emailAddress=ch1_ta3
         Validity
-            Not Before: Dec 13 00:13:36 2013 GMT
-            Not After : Sep  8 00:13:36 2016 GMT
+            Not Before: Jan 22 01:57:56 2016 GMT
+            Not After : Oct 18 01:57:56 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=cs5_ch1_ta3/emailAddress=cs5_ch1_ta3
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:ea:23:95:11:2c:b5:2d:49:c5:10:77:74:82:98:
-                    da:5f:58:1f:2b:40:6e:1b:2e:d8:4f:30:07:6b:a2:
-                    ae:9f:f7:ed:8d:2d:b4:b3:68:48:ec:60:72:a2:fb:
-                    8b:7e:62:11:90:79:96:f9:ee:82:78:3f:09:22:2b:
-                    03:45:af:9e:ca:7e:3c:80:4f:ad:59:77:85:c5:e7:
-                    6b:4a:0b:a2:6b:4b:c5:e7:f9:38:81:64:05:ea:cd:
-                    76:9c:bf:eb:51:aa:29:6c:c1:3e:98:c6:ac:49:a2:
-                    ac:32:60:78:d8:ff:c6:79:f8:a5:a6:78:61:24:9a:
-                    27:26:2e:06:3a:19:8e:54:d1
+                    00:c0:4c:5c:3b:f3:4a:42:2d:01:68:35:9a:dc:c3:
+                    80:08:fc:20:ff:f0:30:e6:53:52:79:45:ca:61:1f:
+                    82:1a:f7:98:1b:2a:8a:c5:58:ca:9c:23:ac:ee:71:
+                    b7:07:6a:f4:dc:b2:57:42:86:fc:eb:84:cd:73:b4:
+                    85:27:46:c4:92:09:2c:08:9b:5c:98:93:7f:4c:32:
+                    5d:f2:76:37:b5:e3:5b:48:d2:1e:c1:49:84:fb:ff:
+                    76:01:55:b9:f4:9c:17:b9:53:9c:b2:b1:10:1a:e6:
+                    06:c6:55:c8:ad:be:3a:a4:ff:8e:1a:24:f1:af:05:
+                    a9:a8:d7:0b:5a:e8:b5:c7:17
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Key Usage: 
-                Encipher Only
+                Key Agreement
     Signature Algorithm: sha256WithRSAEncryption
-         80:7c:f9:bc:bd:15:b1:9d:75:d1:82:b5:42:79:d3:5e:2c:e3:
-         c4:73:ed:3b:3c:8a:83:9c:51:e9:1f:93:75:1f:81:01:11:f9:
-         fd:a8:56:0f:cf:d3:a9:38:26:e3:f0:78:79:75:ef:97:7b:01:
-         0b:b7:37:65:6c:93:76:07:ec:fa:f5:1e:2d:6a:3b:6d:15:fc:
-         41:6f:fb:17:52:be:cc:a8:95:da:be:3b:6d:d8:5d:42:10:aa:
-         20:9e:8e:c5:33:ed:7b:8a:f1:e5:e3:45:21:05:2e:77:3b:c9:
-         66:46:25:37:e4:5c:b0:f5:29:0a:be:0d:bc:c8:e9:d8:fc:31:
-         22:e3
+         a2:d5:c8:a3:3d:5c:8f:03:3e:7d:e3:a1:f9:2b:ad:2a:f2:08:
+         6d:71:da:65:00:87:b1:b5:b9:9e:04:28:0d:fb:1f:ac:89:5a:
+         90:67:d1:3e:5e:bb:e1:19:5a:63:30:50:19:3a:6c:d6:18:9a:
+         0a:a0:b3:59:66:4a:28:5e:ea:02:3c:b3:4f:3b:46:67:94:ab:
+         dc:72:22:47:d0:52:af:6c:ef:fc:66:4f:63:5d:18:28:34:f7:
+         35:bd:ba:d5:66:b1:fc:32:7b:3a:4b:cc:4c:87:fb:87:16:c2:
+         90:18:6f:a8:b5:af:72:98:03:fe:92:e3:83:10:8f:f8:74:49:
+         80:1d:fb:16:49:3f:f6:86:41:6b:84:68:84:8c:e7:15:b4:c2:
+         12:c8:ea:dc:92:71:35:05:c7:5e:e1:ea:3f:a9:a2:13:bf:bd:
+         2b:c6:dc:cb:78:c0:e4:19:4a:4a:26:7d:5c:18:3b:2e:19:72:
+         94:11:d7:35:52:01:72:48:b4:f1:35:b3:ec:99:28:75:70:a8:
+         39:77:f4:8f:b6:40:ab:19:ea:e0:ad:fb:2d:52:f2:95:0b:38:
+         46:10:6c:50:01:88:bb:36:e9:db:92:16:21:14:f6:e3:ae:4b:
+         d8:d4:7e:2f:90:ad:a7:b5:36:fc:7c:3b:4a:cd:ca:b0:5d:25:
+         ba:68:7c:bd
 -----BEGIN CERTIFICATE-----
-MIICfTCCAeagAwIBAgIBFTANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIC/jCCAeagAwIBAgIBFTANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoMV90YTMxFjAUBgkqhkiG9w0BCQEWB2NoMV90
-YTMwHhcNMTMxMjEzMDAxMzM2WhcNMTYwOTA4MDAxMzM2WjB5MQswCQYDVQQGEwJV
+YTMwHhcNMTYwMTIyMDE1NzU2WhcNMTgxMDE4MDE1NzU2WjB5MQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxFDASBgNVBAMMC2NzNV9jaDFfdGEzMRowGAYJKoZIhvcNAQkB
-FgtjczVfY2gxX3RhMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6iOVESy1
-LUnFEHd0gpjaX1gfK0BuGy7YTzAHa6Kun/ftjS20s2hI7GByovuLfmIRkHmW+e6C
-eD8JIisDRa+eyn48gE+tWXeFxedrSguia0vF5/k4gWQF6s12nL/rUaopbME+mMas
-SaKsMmB42P/GefilpnhhJJonJi4GOhmOVNECAwEAAaMdMBswDAYDVR0TAQH/BAIw
-ADALBgNVHQ8EBAMCAAEwDQYJKoZIhvcNAQELBQADgYEAgHz5vL0VsZ110YK1QnnT
-XizjxHPtOzyKg5xR6R+TdR+BARH5/ahWD8/TqTgm4/B4eXXvl3sBC7c3ZWyTdgfs
-+vUeLWo7bRX8QW/7F1K+zKiV2r47bdhdQhCqIJ6OxTPte4rx5eNFIQUudzvJZkYl
-N+RcsPUpCr4NvMjp2PwxIuM=
+FgtjczVfY2gxX3RhMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwExcO/NK
+Qi0BaDWa3MOACPwg//Aw5lNSeUXKYR+CGveYGyqKxVjKnCOs7nG3B2r03LJXQob8
+64TNc7SFJ0bEkgksCJtcmJN/TDJd8nY3teNbSNIewUmE+/92AVW59JwXuVOcsrEQ
+GuYGxlXIrb46pP+OGiTxrwWpqNcLWui1xxcCAwEAAaMdMBswDAYDVR0TAQH/BAIw
+ADALBgNVHQ8EBAMCAwgwDQYJKoZIhvcNAQELBQADggEBAKLVyKM9XI8DPn3jofkr
+rSryCG1x2mUAh7G1uZ4EKA37H6yJWpBn0T5eu+EZWmMwUBk6bNYYmgqgs1lmSihe
+6gI8s087RmeUq9xyIkfQUq9s7/xmT2NdGCg09zW9utVmsfwyezpLzEyH+4cWwpAY
+b6i1r3KYA/6S44MQj/h0SYAd+xZJP/aGQWuEaISM5xW0whLI6tyScTUFx17h6j+p
+ohO/vSvG3Mt4wOQZSkomfVwYOy4ZcpQR1zVSAXJItPE1s+yZKHVwqDl39I+2QKsZ
+6uCt+y1S8pULOEYQbFABiLs26duSFiEU9uOuS9jUfi+Qrae1Nvx8O0rNyrBdJbpo
+fL0=
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/code_signing_certs/16.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/code_signing_certs/16.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,50 +5,60 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1_ta3/emailAddress=ch1_ta3
         Validity
-            Not Before: Dec 13 00:13:36 2013 GMT
-            Not After : Sep  8 00:13:36 2016 GMT
+            Not Before: Jan 22 01:57:57 2016 GMT
+            Not After : Oct 18 01:57:57 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=cs6_ch1_ta3/emailAddress=cs6_ch1_ta3
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:a5:2e:d6:bd:fc:2f:5b:4c:b8:91:90:8e:f6:3f:
-                    bb:55:28:8d:4f:9d:47:70:ed:3e:a1:bd:70:42:47:
-                    b0:41:09:7b:87:4f:eb:1a:45:9f:09:6d:0a:8c:53:
-                    73:a3:3d:fb:3f:dc:67:f4:03:d3:7c:51:15:f3:ab:
-                    6c:2c:39:d0:a7:4e:c2:3f:5c:d2:d8:87:f1:03:3b:
-                    eb:75:9e:9e:66:d5:3d:d5:e5:6d:32:92:ad:05:b8:
-                    c2:3b:48:e5:72:b4:9d:c9:b7:42:4f:d7:b4:a5:8c:
-                    a4:88:76:df:11:3e:b1:5c:a2:bd:7d:56:f8:c8:76:
-                    00:c4:88:64:0f:36:7e:cb:23
+                    00:b1:3f:87:1b:dc:95:5e:04:08:cc:ff:c2:9a:91:
+                    c2:1d:ee:5d:b0:43:15:df:8d:8a:3a:fc:a5:0a:49:
+                    27:7a:e1:27:38:dd:c8:5a:47:76:6f:8d:df:c4:b8:
+                    81:23:ce:45:64:6a:ea:63:88:92:26:d8:74:d7:ee:
+                    28:17:31:f4:54:e6:74:be:dc:8c:dc:9d:29:24:87:
+                    34:02:2b:56:f9:2b:01:89:9a:3b:12:fe:99:42:92:
+                    22:55:89:fa:c4:40:58:ba:ef:23:85:60:33:4f:49:
+                    20:66:a0:6f:0f:36:ae:9c:7c:1c:39:78:97:94:f1:
+                    47:96:f6:ab:d1:d8:9b:c1:bb
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Key Usage: critical
-                Encipher Only
+                Key Agreement, Encipher Only
     Signature Algorithm: sha256WithRSAEncryption
-         48:51:71:0e:8c:c2:42:98:91:34:dc:a9:8a:92:98:18:ce:30:
-         fd:61:11:66:9a:87:7a:7b:a6:dd:09:7f:36:9c:7d:d8:19:b6:
-         ab:5d:6a:22:b3:4a:00:45:66:1f:ed:d5:1f:b4:cc:c7:a5:07:
-         5f:6f:35:2c:bc:52:1a:c9:c0:96:56:fd:82:33:50:7b:2e:43:
-         79:2c:cb:e4:e9:22:55:0a:09:96:05:f7:96:e1:22:95:3a:8e:
-         66:b1:21:aa:88:f1:21:4a:20:ae:08:b1:27:7e:f6:6b:be:55:
-         68:0b:d0:d6:77:30:78:92:75:38:d2:ab:31:79:8e:5d:71:a3:
-         b3:2b
+         7b:4f:6a:70:e6:38:de:2d:d6:6c:e3:10:94:d8:3f:80:ed:0d:
+         7c:7b:f7:ec:cc:36:c8:2d:84:3c:78:5b:c3:c5:92:be:45:f1:
+         bc:52:c6:09:f9:cc:54:4b:01:30:b8:e4:4d:3e:43:00:93:ea:
+         b8:9f:71:18:35:37:3c:03:70:70:27:8f:8c:8c:ee:a7:06:aa:
+         60:a1:b7:c0:77:84:52:cb:4a:35:bc:e7:e7:95:42:8f:62:db:
+         14:83:80:fd:32:c0:30:7b:a0:94:b2:33:f6:da:31:5d:11:6b:
+         09:f6:32:57:0b:97:ed:e9:9e:ad:f3:f0:91:dc:c1:df:fe:db:
+         0a:88:da:e1:eb:77:f9:8c:d6:c4:29:a5:ef:35:bc:bd:9a:07:
+         9a:a0:8f:b1:1c:05:07:fe:00:50:4e:3d:71:bf:0f:27:ec:a8:
+         14:48:5a:31:ae:a0:66:74:9b:2e:b8:ef:d0:69:2b:3e:7a:cf:
+         cc:0d:2e:f1:78:6d:a7:72:c2:46:b8:4c:93:ad:10:73:2c:13:
+         10:71:b0:38:e0:03:eb:d2:c0:28:79:a1:e6:a5:e6:91:52:cb:
+         f2:ab:8e:a5:1b:0f:28:ae:13:57:db:87:92:13:fa:22:e4:3c:
+         a2:94:6b:0d:7a:fc:7f:e1:10:e5:36:87:55:b3:15:5a:ed:e5:
+         36:40:ac:d9
 -----BEGIN CERTIFICATE-----
-MIICgDCCAemgAwIBAgIBFjANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIDATCCAemgAwIBAgIBFjANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoMV90YTMxFjAUBgkqhkiG9w0BCQEWB2NoMV90
-YTMwHhcNMTMxMjEzMDAxMzM2WhcNMTYwOTA4MDAxMzM2WjB5MQswCQYDVQQGEwJV
+YTMwHhcNMTYwMTIyMDE1NzU3WhcNMTgxMDE4MDE1NzU3WjB5MQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxFDASBgNVBAMMC2NzNl9jaDFfdGEzMRowGAYJKoZIhvcNAQkB
-FgtjczZfY2gxX3RhMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApS7Wvfwv
-W0y4kZCO9j+7VSiNT51HcO0+ob1wQkewQQl7h0/rGkWfCW0KjFNzoz37P9xn9APT
-fFEV86tsLDnQp07CP1zS2IfxAzvrdZ6eZtU91eVtMpKtBbjCO0jlcrSdybdCT9e0
-pYykiHbfET6xXKK9fVb4yHYAxIhkDzZ+yyMCAwEAAaMgMB4wDAYDVR0TAQH/BAIw
-ADAOBgNVHQ8BAf8EBAMCAAEwDQYJKoZIhvcNAQELBQADgYEASFFxDozCQpiRNNyp
-ipKYGM4w/WERZpqHenum3Ql/Npx92Bm2q11qIrNKAEVmH+3VH7TMx6UHX281LLxS
-GsnAllb9gjNQey5DeSzL5OkiVQoJlgX3luEilTqOZrEhqojxIUogrgixJ372a75V
-aAvQ1ncweJJ1ONKrMXmOXXGjsys=
+FgtjczZfY2gxX3RhMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsT+HG9yV
+XgQIzP/CmpHCHe5dsEMV342KOvylCkkneuEnON3IWkd2b43fxLiBI85FZGrqY4iS
+Jth01+4oFzH0VOZ0vtyM3J0pJIc0AitW+SsBiZo7Ev6ZQpIiVYn6xEBYuu8jhWAz
+T0kgZqBvDzaunHwcOXiXlPFHlvar0dibwbsCAwEAAaMgMB4wDAYDVR0TAQH/BAIw
+ADAOBgNVHQ8BAf8EBAMCAAkwDQYJKoZIhvcNAQELBQADggEBAHtPanDmON4t1mzj
+EJTYP4DtDXx79+zMNsgthDx4W8PFkr5F8bxSxgn5zFRLATC45E0+QwCT6rifcRg1
+NzwDcHAnj4yM7qcGqmCht8B3hFLLSjW85+eVQo9i2xSDgP0ywDB7oJSyM/baMV0R
+awn2MlcLl+3pnq3z8JHcwd/+2wqI2uHrd/mM1sQppe81vL2aB5qgj7EcBQf+AFBO
+PXG/DyfsqBRIWjGuoGZ0my6479BpKz56z8wNLvF4badywka4TJOtEHMsExBxsDjg
+A+vSwCh5oeal5pFSy/KrjqUbDyiuE1fbh5IT+iLkPKKUaw16/H/hEOU2h1WzFVrt
+5TZArNk=
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/code_signing_certs/17.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/code_signing_certs/17.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,48 +5,57 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1_ta3/emailAddress=ch1_ta3
         Validity
-            Not Before: Dec 13 00:13:36 2013 GMT
-            Not After : Sep  8 00:13:36 2016 GMT
+            Not Before: Jan 22 01:57:57 2016 GMT
+            Not After : Oct 18 01:57:57 2018 GMT
         Subject: C=US, ST=California, L=Santa Clara, O=pkg5, CN=cs7_ch1_ta3/emailAddress=cs7_ch1_ta3
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:bc:52:93:cc:6b:6d:63:bb:fe:a2:33:3d:40:a4:
-                    ba:3f:12:4c:72:69:a0:87:80:32:50:47:91:8f:39:
-                    6f:8a:78:78:9a:f6:34:83:2d:7d:6a:19:90:36:9f:
-                    fb:7c:1c:c8:13:f9:13:b2:6a:75:1a:2c:3a:76:2b:
-                    10:d2:f3:90:1f:65:df:65:04:0c:97:a2:fa:43:53:
-                    33:32:f8:8f:f3:30:a7:1c:4a:67:9c:da:81:b8:7a:
-                    55:c4:30:1d:59:5d:f1:0a:bc:b6:52:b3:09:41:24:
-                    1f:30:6b:ed:95:ba:90:cf:0d:af:eb:c7:fb:31:35:
-                    c5:5b:ff:67:9a:8a:1b:34:09
+                    00:a4:2c:ba:05:57:f3:8d:56:fb:58:aa:9e:dd:4e:
+                    3c:72:1e:5f:33:19:d9:d0:13:f8:af:41:df:83:4e:
+                    80:16:2c:c5:16:04:57:67:6e:ac:10:b9:b4:43:5c:
+                    b1:bd:42:87:f3:bc:35:6d:91:33:34:25:81:23:6e:
+                    ec:20:af:4d:46:5e:2c:b1:89:c2:8f:32:f6:5b:83:
+                    ed:3d:51:13:bc:59:3b:ec:0d:62:54:77:79:f5:c9:
+                    f5:8f:ac:b4:0e:2c:9d:20:00:b8:1f:de:c1:cc:fd:
+                    32:8b:44:fc:8d:44:1e:07:e7:16:a5:ea:a7:17:5b:
+                    7d:36:08:5a:15:41:52:12:69
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         68:79:a6:5a:7f:1d:50:2a:e9:60:26:b2:31:e8:66:e2:c1:5e:
-         12:78:d9:32:fc:0c:07:5d:15:22:f7:f7:22:52:96:0d:35:8e:
-         bd:dd:60:ab:0f:d9:dc:6b:4e:a5:d8:57:83:ff:d1:60:a5:c1:
-         c7:0c:49:c3:05:c4:9a:9f:87:ba:ff:47:9f:51:dd:04:2a:90:
-         53:b1:f9:8d:fa:34:97:a2:4b:4b:70:84:67:1d:de:f4:e6:e6:
-         bd:0e:c4:24:8a:e2:8b:fa:ac:06:2c:09:ed:bd:7d:b3:1e:df:
-         a9:be:4c:c5:49:c1:72:bd:d8:a7:3f:25:89:15:3f:1c:19:e6:
-         84:15
+         8f:1e:a9:f9:4c:cc:3f:50:51:7d:4e:98:d9:93:7a:96:21:64:
+         16:4a:39:7b:d8:40:af:94:86:85:ab:ce:d7:56:46:ac:a3:03:
+         19:f5:cf:9b:c5:6e:4c:f1:4f:b4:82:8a:ae:d4:32:b9:a7:73:
+         79:b9:de:70:f7:fb:e0:72:45:fe:50:27:f9:80:3c:ed:0a:6a:
+         18:5c:35:ea:a3:b3:fe:f4:84:a1:8a:53:36:d2:08:d3:f5:b3:
+         a8:14:b3:77:da:10:c0:d8:e5:d6:3e:fe:6e:64:12:28:1d:f9:
+         f5:2c:44:4a:a7:1d:e0:c9:c6:54:c9:15:30:c6:cb:2e:a6:9f:
+         aa:37:7b:07:c1:4e:27:ec:ab:92:3a:9c:51:26:4e:5f:ce:29:
+         23:a8:aa:b8:6c:e8:1a:93:17:ba:46:32:8d:63:54:98:1d:7f:
+         b9:b2:1a:40:f9:63:47:e2:da:08:00:33:ec:9b:07:9a:4e:1f:
+         c8:ef:ba:e1:dd:8a:65:67:ef:d4:b5:a6:3c:5a:5f:b3:1e:72:
+         d5:65:19:ed:bf:66:99:5e:40:b4:8b:9c:16:83:b0:bd:0f:f6:
+         7e:6e:24:62:bb:54:23:3b:a8:19:6f:0b:1b:ef:f7:d1:14:a0:
+         79:79:12:3d:4e:2f:84:31:3d:69:7d:bb:d2:76:e5:b7:df:71:
+         26:8a:72:13
 -----BEGIN CERTIFICATE-----
-MIICcDCCAdmgAwIBAgIBFzANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
+MIIC8TCCAdmgAwIBAgIBFzANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTALBgNV
 BAoMBHBrZzUxEDAOBgNVBAMMB2NoMV90YTMxFjAUBgkqhkiG9w0BCQEWB2NoMV90
-YTMwHhcNMTMxMjEzMDAxMzM2WhcNMTYwOTA4MDAxMzM2WjB5MQswCQYDVQQGEwJV
+YTMwHhcNMTYwMTIyMDE1NzU3WhcNMTgxMDE4MDE1NzU3WjB5MQswCQYDVQQGEwJV
 UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExDTAL
 BgNVBAoMBHBrZzUxFDASBgNVBAMMC2NzN19jaDFfdGEzMRowGAYJKoZIhvcNAQkB
-FgtjczdfY2gxX3RhMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvFKTzGtt
-Y7v+ojM9QKS6PxJMcmmgh4AyUEeRjzlvinh4mvY0gy19ahmQNp/7fBzIE/kTsmp1
-Giw6disQ0vOQH2XfZQQMl6L6Q1MzMviP8zCnHEpnnNqBuHpVxDAdWV3xCry2UrMJ
-QSQfMGvtlbqQzw2v68f7MTXFW/9nmoobNAkCAwEAAaMQMA4wDAYDVR0TAQH/BAIw
-ADANBgkqhkiG9w0BAQsFAAOBgQBoeaZafx1QKulgJrIx6GbiwV4SeNky/AwHXRUi
-9/ciUpYNNY693WCrD9nca06l2FeD/9FgpcHHDEnDBcSan4e6/0efUd0EKpBTsfmN
-+jSXoktLcIRnHd705ua9DsQkiuKL+qwGLAntvX2zHt+pvkzFScFyvdinPyWJFT8c
-GeaEFQ==
+FgtjczdfY2gxX3RhMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApCy6BVfz
+jVb7WKqe3U48ch5fMxnZ0BP4r0Hfg06AFizFFgRXZ26sELm0Q1yxvUKH87w1bZEz
+NCWBI27sIK9NRl4ssYnCjzL2W4PtPVETvFk77A1iVHd59cn1j6y0DiydIAC4H97B
+zP0yi0T8jUQeB+cWpeqnF1t9NghaFUFSEmkCAwEAAaMQMA4wDAYDVR0TAQH/BAIw
+ADANBgkqhkiG9w0BAQsFAAOCAQEAjx6p+UzMP1BRfU6Y2ZN6liFkFko5e9hAr5SG
+havO11ZGrKMDGfXPm8VuTPFPtIKKrtQyuadzebnecPf74HJF/lAn+YA87QpqGFw1
+6qOz/vSEoYpTNtII0/WzqBSzd9oQwNjl1j7+bmQSKB359SxESqcd4MnGVMkVMMbL
+Lqafqjd7B8FOJ+yrkjqcUSZOX84pI6iquGzoGpMXukYyjWNUmB1/ubIaQPljR+La
+CAAz7JsHmk4fyO+64d2KZWfv1LWmPFpfsx5y1WUZ7b9mmV5AtIucFoOwvQ/2fm4k
+YrtUIzuoGW8LG+/30RSgeXkSPU4vhDE9aX270nblt99xJopyEw==
 -----END CERTIFICATE-----
--- a/src/tests/ro_data/signing_certs/produced/code_signing_certs/18.pem	Tue Mar 08 11:12:06 2016 -0800
+++ b/src/tests/ro_data/signing_certs/produced/code_signing_certs/18.pem	Wed Mar 09 11:27:23 2016 -0800
@@ -5,22 +5,22 @@
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Santa Clara, O=pkg5, CN=ch1_ta3/emailAddress=ch1_ta3
         Validity
-            Not Before: Dec 13 00:13:36 2013 GMT
-            Not After : Sep  8 00:13:36 2016 GMT
+            Not Before: Jan 22 01:57:57 2016 GMT
+            Not After : Oct 18 01:57:57