diff --git a/INSTALL b/INSTALL
index 7dabef740..cbd6bdcdb 100644
--- a/INSTALL
+++ b/INSTALL
@@ -168,13 +168,13 @@
 
     For a quick start, you can run the client and server like this:
 
-    $ ./examples/server/server -v 4 --oqs P521_KYBER_LEVEL5
-    $ ./examples/client/client -v 4 --oqs P521_KYBER_LEVEL5
+    $ ./examples/server/server -v 4 --pqc P521_KYBER_LEVEL5
+    $ ./examples/client/client -v 4 --pqc P521_KYBER_LEVEL5
 
     Look for the following line in the output of the server and client:
 
     ```
-    Using OQS KEM: P521_KYBER_LEVEL5
+    Using Post-Quantum KEM: P521_KYBER_LEVEL5
     ```
 
     For authentication, you can generate a certificate chain using the Open
@@ -208,13 +208,13 @@
       -A certs/falcon_level5_root_cert.pem \
       -c certs/falcon_level1_entity_cert.pem \
       -k certs/falcon_level1_entity_key.pem \
-      --oqs P521_KYBER_LEVEL5
+      --pqc P521_KYBER_LEVEL5
 
     $ examples/client/client -v 4 -l TLS_AES_256_GCM_SHA384 \
       -A certs/falcon_level1_root_cert.pem \
       -c certs/falcon_level5_entity_cert.pem \
       -k certs/falcon_level5_entity_key.pem \
-      --oqs P521_KYBER_LEVEL5
+      --pqc P521_KYBER_LEVEL5
 
     Congratulations! You have just achieved a fully quantum-safe TLS 1.3
     connection!
diff --git a/README.md b/README.md
index 5425df361..ac3861220 100644
--- a/README.md
+++ b/README.md
@@ -12,8 +12,9 @@ standard operating environments as well because of its royalty-free pricing
 and excellent cross platform support. wolfSSL supports industry standards up
 to the current [TLS 1.3](https://www.wolfssl.com/tls13) and DTLS 1.2, is up to
 20 times smaller than OpenSSL, and offers progressive ciphers such as ChaCha20,
-Curve25519, Blake2b and OQS TLS 1.3 groups. User benchmarking and feedback
-reports dramatically better performance when using wolfSSL over OpenSSL.
+Curve25519, Blake2b and Post-Quantum TLS 1.3 groups. User benchmarking and
+feedback reports dramatically better performance when using wolfSSL over
+OpenSSL.
 
 wolfSSL is powered by the wolfCrypt cryptography library. Two versions of
 wolfCrypt have been FIPS 140-2 validated (Certificate #2425 and
diff --git a/certs/1024/ca-cert.der b/certs/1024/ca-cert.der
index 1b1d9a12b..93f253bae 100644
Binary files a/certs/1024/ca-cert.der and b/certs/1024/ca-cert.der differ
diff --git a/certs/1024/ca-cert.pem b/certs/1024/ca-cert.pem
index 20c69ae6c..5aeb3fea8 100644
--- a/certs/1024/ca-cert.pem
+++ b/certs/1024/ca-cert.pem
@@ -1,16 +1,17 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 10888915626055724693 (0x971d3311e8406e95)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            28:91:57:80:6f:78:1e:99:86:3b:fd:1b:95:fc:06:e2:1d:62:b2:14
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting_1024, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting_1024, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                RSA Public-Key: (1024 bit)
                 Modulus:
                     00:cd:ac:dd:47:ec:be:b7:24:c3:63:1b:54:98:79:
                     e1:c7:31:16:59:d6:9d:77:9d:8d:e2:8b:ed:04:17:
@@ -28,7 +29,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:D3:22:8F:28:2C:E0:05:EE:D3:ED:C3:71:3D:C9:B2:36:3A:1D:BF:A8
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting_1024/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:97:1D:33:11:E8:40:6E:95
+                serial:28:91:57:80:6F:78:1E:99:86:3B:FD:1B:95:FC:06:E2:1D:62:B2:14
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -37,35 +38,35 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         4e:b1:39:6a:23:a3:65:17:14:b6:52:2e:86:46:d5:4f:7c:d5:
-         6c:bb:fa:66:b1:71:54:a1:ad:0e:a2:b7:ba:59:65:8b:d5:87:
-         5d:51:d0:65:de:74:04:80:7c:da:3a:52:57:7a:1d:5d:46:7a:
-         06:79:75:e5:31:dd:1d:f6:54:77:fc:40:13:a1:5b:fd:9e:7d:
-         1c:fd:04:4f:7c:ee:92:a2:80:55:3c:3f:2a:1c:bd:3a:37:12:
-         0e:fd:52:60:66:19:d5:4b:f6:35:50:a3:59:d3:7f:6d:95:d7:
-         56:10:c6:86:28:f4:6e:6d:da:4e:1c:b4:e9:0b:4c:ed:62:0f:
-         64:06
+         0e:9f:a6:c0:6f:cf:a4:5f:ec:4a:18:4d:67:1a:8e:37:cc:9d:
+         97:dc:31:9c:d8:c5:08:70:fc:55:67:24:3f:ef:47:80:03:54:
+         5e:6c:91:fa:ba:71:1f:12:91:8f:f9:51:df:51:cd:ff:59:bc:
+         ed:b7:ac:e3:7c:53:48:73:cd:85:88:f2:23:aa:a9:6c:09:30:
+         6a:7b:a2:66:2e:1a:ad:12:5e:a8:ef:1e:a9:3f:f0:f9:44:64:
+         24:1e:0e:80:92:20:37:f9:e2:4f:d6:65:e3:ba:b3:55:99:ad:
+         0e:ca:7a:4c:3d:42:f6:7f:c7:23:6a:15:ae:b2:88:6e:45:a0:
+         a8:8e
 -----BEGIN CERTIFICATE-----
-MIID8zCCA1ygAwIBAgIJAJcdMxHoQG6VMA0GCSqGSIb3DQEBCwUAMIGZMQswCQYD
-VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G
-A1UECgwIU2F3dG9vdGgxGDAWBgNVBAsMD0NvbnN1bHRpbmdfMTAyNDEYMBYGA1UE
-AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1M1oXDTIzMTEwNzE5NDk1M1owgZkxCzAJBgNVBAYT
-AlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQK
-DAhTYXd0b290aDEYMBYGA1UECwwPQ29uc3VsdGluZ18xMDI0MRgwFgYDVQQDDA93
-d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20w
-gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM2s3Ufsvrckw2MbVJh54ccxFlnW
-nXedjeKL7QQXssbr5JuRvjFQYpdYtX8p3rNxJAu/lwl/Jtwt7KgusmQreis1GS2i
-gMuZ/ZRxGyONVNsuYo2BCC30JHInbPnJjttMdbqbAfg/GPTmf/tXlJLMiMS0AMKq
-1OWIGLMRL3PA1ikJAgMBAAGjggE/MIIBOzAdBgNVHQ4EFgQU0yKPKCzgBe7T7cNx
-PcmyNjodv6gwgc4GA1UdIwSBxjCBw4AU0yKPKCzgBe7T7cNxPcmyNjodv6ihgZ+k
-gZwwgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
+MIIECTCCA3KgAwIBAgIUKJFXgG94HpmGO/0blfwG4h1ishQwDQYJKoZIhvcNAQEL
+BQAwgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
 b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDEYMBYGA1UECwwPQ29uc3VsdGluZ18x
 MDI0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGlu
-Zm9Ad29sZnNzbC5jb22CCQCXHTMR6EBulTAMBgNVHRMEBTADAQH/MBwGA1UdEQQV
-MBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
-BQcDAjANBgkqhkiG9w0BAQsFAAOBgQBOsTlqI6NlFxS2Ui6GRtVPfNVsu/pmsXFU
-oa0Oore6WWWL1YddUdBl3nQEgHzaOlJXeh1dRnoGeXXlMd0d9lR3/EAToVv9nn0c
-/QRPfO6SooBVPD8qHL06NxIO/VJgZhnVS/Y1UKNZ039tlddWEMaGKPRubdpOHLTp
-C0ztYg9kBg==
+Zm9Ad29sZnNzbC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCB
+mTELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVt
+YW4xETAPBgNVBAoMCFNhd3Rvb3RoMRgwFgYDVQQLDA9Db25zdWx0aW5nXzEwMjQx
+GDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
+b2xmc3NsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzazdR+y+tyTD
+YxtUmHnhxzEWWdadd52N4ovtBBeyxuvkm5G+MVBil1i1fynes3EkC7+XCX8m3C3s
+qC6yZCt6KzUZLaKAy5n9lHEbI41U2y5ijYEILfQkcids+cmO20x1upsB+D8Y9OZ/
++1eUksyIxLQAwqrU5YgYsxEvc8DWKQkCAwEAAaOCAUowggFGMB0GA1UdDgQWBBTT
+Io8oLOAF7tPtw3E9ybI2Oh2/qDCB2QYDVR0jBIHRMIHOgBTTIo8oLOAF7tPtw3E9
+ybI2Oh2/qKGBn6SBnDCBmTELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmEx
+EDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRgwFgYDVQQLDA9D
+b25zdWx0aW5nXzEwMjQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
+SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUKJFXgG94HpmGO/0blfwG4h1ishQw
+DAYDVR0TBAUwAwEB/zAcBgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATAdBgNV
+HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADgYEADp+m
+wG/PpF/sShhNZxqON8ydl9wxnNjFCHD8VWckP+9HgANUXmyR+rpxHxKRj/lR31HN
+/1m87bes43xTSHPNhYjyI6qpbAkwanuiZi4arRJeqO8eqT/w+URkJB4OgJIgN/ni
+T9Zl47qzVZmtDsp6TD1C9n/HI2oVrrKIbkWgqI4=
 -----END CERTIFICATE-----
diff --git a/certs/1024/client-cert.der b/certs/1024/client-cert.der
index 01d6c63c3..9e7b2ef08 100644
Binary files a/certs/1024/client-cert.der and b/certs/1024/client-cert.der differ
diff --git a/certs/1024/client-cert.pem b/certs/1024/client-cert.pem
index 2262c8d5d..b581f181d 100644
--- a/certs/1024/client-cert.pem
+++ b/certs/1024/client-cert.pem
@@ -1,16 +1,17 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 14202541924425994169 (0xc51990a1c9010fb9)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_1024, OU=Programming-1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            61:8c:af:82:14:94:51:c0:98:d3:a8:3b:a3:90:85:20:97:ba:62:18
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_1024, OU = Programming-1024, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:52 2021 GMT
-            Not After : Nov  7 19:49:52 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_1024, OU=Programming-1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Sep 15 23:07:24 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_1024, OU = Programming-1024, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                RSA Public-Key: (1024 bit)
                 Modulus:
                     00:bc:73:0e:a8:49:f3:74:a2:a9:ef:18:a5:da:55:
                     99:21:f9:c8:ec:b3:6d:48:e5:35:35:75:77:37:ec:
@@ -28,7 +29,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:81:69:0F:F8:DF:DD:CF:34:29:D5:67:75:71:85:C7:75:10:69:59:EC
                 DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_1024/OU=Programming-1024/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:C5:19:90:A1:C9:01:0F:B9
+                serial:61:8C:AF:82:14:94:51:C0:98:D3:A8:3B:A3:90:85:20:97:BA:62:18
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -37,35 +38,35 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         30:ce:46:43:6d:70:e1:6d:bb:8f:4a:05:64:f7:2c:8d:0e:d6:
-         f9:1e:b6:2a:8e:ed:52:e1:7c:44:bf:59:54:da:2d:31:4d:e6:
-         79:d2:d0:d8:b4:cf:5b:16:0a:16:a1:be:62:9f:6c:24:46:7b:
-         b8:dd:b8:8d:7f:fe:f1:ac:62:94:e0:34:ce:4c:59:3a:c5:5a:
-         e6:40:d5:60:7e:20:5d:ed:43:92:d3:f3:ea:e0:d1:57:c8:ce:
-         41:79:db:81:41:c6:f0:0e:35:d4:6f:92:58:2d:d6:b2:ec:f1:
-         88:ff:6d:ca:63:d6:4a:8d:10:a6:23:06:77:9a:d5:ab:9d:64:
-         46:02
+         a4:2f:c5:53:22:35:f9:c3:21:b9:85:3b:7d:a4:8e:a0:f3:9c:
+         2b:2a:e3:35:7a:62:4f:1c:73:61:f6:fe:85:05:af:55:17:c0:
+         13:ea:4d:8e:0b:20:dd:29:7c:fc:48:9b:47:3d:6e:05:f9:9f:
+         1f:fc:70:af:0a:5c:30:58:6e:4d:51:2d:93:de:7e:1b:10:b2:
+         ed:a2:5e:be:a1:8c:69:60:37:e8:b0:c9:35:4f:4e:2a:cd:9e:
+         e9:de:35:f0:85:98:41:c9:39:64:0e:52:21:6e:45:df:58:e9:
+         e0:95:51:22:4d:e1:ee:e5:58:57:7b:71:89:31:89:5f:e0:84:
+         db:4b
 -----BEGIN CERTIFICATE-----
-MIIEAjCCA2ugAwIBAgIJAMUZkKHJAQ+5MA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
-VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMG
-A1UECgwMd29sZlNTTF8xMDI0MRkwFwYDVQQLDBBQcm9ncmFtbWluZy0xMDI0MRgw
-FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s
-ZnNzbC5jb20wHhcNMjEwMjEwMTk0OTUyWhcNMjMxMTA3MTk0OTUyWjCBnjELMAkG
-A1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTAT
-BgNVBAoMDHdvbGZTU0xfMTAyNDEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMTAyNDEY
-MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
-bGZzc2wuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8cw6oSfN0oqnv
-GKXaVZkh+cjss21I5TU1dXc37NFhkF8+2eTV35TKwanXGdqGyehNxGE2gv6rrX53
-JbuNEaW8YjqoOMw5ogRmtPf386raTQIOu16NaUjcd8koDiLpa6Qmukzowf1Kbysf
-74qu9pBi5WQe6ys8Z8jcJwD2kWhlqQIDAQABo4IBRDCCAUAwHQYDVR0OBBYEFIFp
-D/jf3c80KdVndXGFx3UQaVnsMIHTBgNVHSMEgcswgciAFIFpD/jf3c80KdVndXGF
-x3UQaVnsoYGkpIGhMIGeMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQ
-MA4GA1UEBwwHQm96ZW1hbjEVMBMGA1UECgwMd29sZlNTTF8xMDI0MRkwFwYDVQQL
-DBBQcm9ncmFtbWluZy0xMDI0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAd
-BgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQDFGZChyQEPuTAMBgNVHRME
-BTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1UdJQQWMBQG
-CCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOBgQAwzkZDbXDhbbuP
-SgVk9yyNDtb5HrYqju1S4XxEv1lU2i0xTeZ50tDYtM9bFgoWob5in2wkRnu43biN
-f/7xrGKU4DTOTFk6xVrmQNVgfiBd7UOS0/Pq4NFXyM5BeduBQcbwDjXUb5JYLday
-7PGI/23KY9ZKjRCmIwZ3mtWrnWRGAg==
+MIIEGDCCA4GgAwIBAgIUYYyvghSUUcCY06g7o5CFIJe6YhgwDQYJKoZIhvcNAQEL
+BQAwgZ4xCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
+b3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMXzEwMjQxGTAXBgNVBAsMEFByb2dyYW1t
+aW5nLTEwMjQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJ
+ARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0yMTEyMjAyMzA3MjRaFw0yNDA5MTUyMzA3
+MjRaMIGeMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwH
+Qm96ZW1hbjEVMBMGA1UECgwMd29sZlNTTF8xMDI0MRkwFwYDVQQLDBBQcm9ncmFt
+bWluZy0xMDI0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0B
+CQEWEGluZm9Ad29sZnNzbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+ALxzDqhJ83Siqe8YpdpVmSH5yOyzbUjlNTV1dzfs0WGQXz7Z5NXflMrBqdcZ2obJ
+6E3EYTaC/qutfnclu40RpbxiOqg4zDmiBGa09/fzqtpNAg67Xo1pSNx3ySgOIulr
+pCa6TOjB/UpvKx/viq72kGLlZB7rKzxnyNwnAPaRaGWpAgMBAAGjggFPMIIBSzAd
+BgNVHQ4EFgQUgWkP+N/dzzQp1Wd1cYXHdRBpWewwgd4GA1UdIwSB1jCB04AUgWkP
++N/dzzQp1Wd1cYXHdRBpWeyhgaSkgaEwgZ4xCzAJBgNVBAYTAlVTMRAwDgYDVQQI
+DAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMXzEw
+MjQxGTAXBgNVBAsMEFByb2dyYW1taW5nLTEwMjQxGDAWBgNVBAMMD3d3dy53b2xm
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUYYyvghSU
+UcCY06g7o5CFIJe6YhgwDAYDVR0TBAUwAwEB/zAcBgNVHREEFTATggtleGFtcGxl
+LmNvbYcEfwAAATAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZI
+hvcNAQELBQADgYEApC/FUyI1+cMhuYU7faSOoPOcKyrjNXpiTxxzYfb+hQWvVRfA
+E+pNjgsg3Sl8/EibRz1uBfmfH/xwrwpcMFhuTVEtk95+GxCy7aJevqGMaWA36LDJ
+NU9OKs2e6d418IWYQck5ZA5SIW5F31jp4JVRIk3h7uVYV3txiTGJX+CE20s=
 -----END CERTIFICATE-----
diff --git a/certs/1024/server-cert.der b/certs/1024/server-cert.der
index 73ed3efb7..45cbba7d9 100644
Binary files a/certs/1024/server-cert.der and b/certs/1024/server-cert.der differ
diff --git a/certs/1024/server-cert.pem b/certs/1024/server-cert.pem
index dc8fda4ef..000333f41 100644
--- a/certs/1024/server-cert.pem
+++ b/certs/1024/server-cert.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting_1024, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=Support_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL, OU = Support_1024, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                RSA Public-Key: (1024 bit)
                 Modulus:
                     00:aa:3e:a5:9c:d3:17:49:65:43:de:d0:f3:4b:1c:
                     db:49:0c:fc:7a:65:05:6d:de:6a:c4:e4:73:2c:8a:
@@ -28,7 +28,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:D3:22:8F:28:2C:E0:05:EE:D3:ED:C3:71:3D:C9:B2:36:3A:1D:BF:A8
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting_1024/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:97:1D:33:11:E8:40:6E:95
+                serial:28:91:57:80:6F:78:1E:99:86:3B:FD:1B:95:FC:06:E2:1D:62:B2:14
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -37,50 +37,52 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         27:0a:4e:08:8c:ba:73:d0:05:f2:ea:f9:51:8c:7e:29:14:23:
-         8e:9e:9a:fc:46:6f:10:68:59:d9:a0:ea:53:19:bd:28:89:e1:
-         97:1e:4c:b8:1e:be:0f:4d:9d:1d:76:57:17:31:95:c2:80:be:
-         04:d0:c2:e9:5c:e0:f4:81:3f:c4:b0:c5:86:ae:58:68:b9:ae:
-         0f:88:e8:63:6f:b9:08:f1:1b:56:90:fb:1f:2e:cc:e5:69:1f:
-         7c:02:4f:ed:b0:45:7c:2d:a8:59:11:a5:95:51:c7:50:d8:89:
-         c2:90:63:68:a8:41:6f:d0:37:26:6f:c8:0e:b5:a0:15:9d:a5:
-         e6:d2
+         22:80:e9:9f:1c:36:d8:96:d9:8f:2c:7b:af:6e:cc:f8:b5:b4:
+         59:ac:05:45:b9:01:00:b9:82:23:82:7a:a5:30:3c:55:09:01:
+         e1:14:a0:fc:88:2e:47:c8:5e:e5:75:d2:89:43:fa:13:1e:ea:
+         6f:50:3e:1b:60:fe:bc:df:9b:e3:38:0d:dd:cf:17:1a:d6:07:
+         1a:41:a4:c4:ac:3b:10:ac:55:61:af:fe:c7:53:cf:29:c6:5b:
+         7a:c9:65:da:c3:94:02:7c:aa:5e:16:a3:64:ce:68:5e:74:91:
+         c5:8b:60:b5:bf:9d:63:0b:11:d5:40:74:7d:64:12:98:3b:10:
+         31:fd
 -----BEGIN CERTIFICATE-----
-MIID5zCCA1CgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMCVVMx
+MIID8jCCA1ugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRgwFgYDVQQLDA9Db25zdWx0aW5nXzEwMjQxGDAWBgNVBAMMD3d3dy53
 b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0y
-MTAyMTAxOTQ5NTNaFw0yMzExMDcxOTQ5NTNaMIGVMQswCQYDVQQGEwJVUzEQMA4G
+MTEyMjAyMzA3MjVaFw0yNDA5MTUyMzA3MjVaMIGVMQswCQYDVQQGEwJVUzEQMA4G
 A1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEQMA4GA1UECgwHd29sZlNT
 TDEVMBMGA1UECwwMU3VwcG9ydF8xMDI0MRgwFgYDVQQDDA93d3cud29sZnNzbC5j
 b20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wgZ8wDQYJKoZIhvcN
 AQEBBQADgY0AMIGJAoGBAKo+pZzTF0llQ97Q80sc20kM/HplBW3easTkcyyKloKP
 I6UGcRwGPi+SjQspNEVZ6am8YdckN121xDeNumey7wMn+sG0zWsAZrTWc3AfCDrM
 d63p+TTU86AtqedYqcBhhLbsPQqt/VyGc6prR9iLLlhLaRKCJlXmFL9VcIj++XXh
-AgMBAAGjggE/MIIBOzAdBgNVHQ4EFgQU2Tw16nQOI76c/PopkAnB54QWn3wwgc4G
-A1UdIwSBxjCBw4AU0yKPKCzgBe7T7cNxPcmyNjodv6ihgZ+kgZwwgZkxCzAJBgNV
+AgMBAAGjggFKMIIBRjAdBgNVHQ4EFgQU2Tw16nQOI76c/PopkAnB54QWn3wwgdkG
+A1UdIwSB0TCBzoAU0yKPKCzgBe7T7cNxPcmyNjodv6ihgZ+kgZwwgZkxCzAJBgNV
 BAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYD
 VQQKDAhTYXd0b290aDEYMBYGA1UECwwPQ29uc3VsdGluZ18xMDI0MRgwFgYDVQQD
 DA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
-b22CCQCXHTMR6EBulTAMBgNVHRMEBTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUu
-Y29thwR/AAABMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG
-9w0BAQsFAAOBgQAnCk4IjLpz0AXy6vlRjH4pFCOOnpr8Rm8QaFnZoOpTGb0oieGX
-Hky4Hr4PTZ0ddlcXMZXCgL4E0MLpXOD0gT/EsMWGrlhoua4PiOhjb7kI8RtWkPsf
-LszlaR98Ak/tsEV8LahZEaWVUcdQ2InCkGNoqEFv0Dcmb8gOtaAVnaXm0g==
+b22CFCiRV4BveB6Zhjv9G5X8BuIdYrIUMAwGA1UdEwQFMAMBAf8wHAYDVR0RBBUw
+E4ILZXhhbXBsZS5jb22HBH8AAAEwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
+BwMCMA0GCSqGSIb3DQEBCwUAA4GBACKA6Z8cNtiW2Y8se69uzPi1tFmsBUW5AQC5
+giOCeqUwPFUJAeEUoPyILkfIXuV10olD+hMe6m9QPhtg/rzfm+M4Dd3PFxrWBxpB
+pMSsOxCsVWGv/sdTzynGW3rJZdrDlAJ8ql4Wo2TOaF50kcWLYLW/nWMLEdVAdH1k
+Epg7EDH9
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 10888915626055724693 (0x971d3311e8406e95)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            28:91:57:80:6f:78:1e:99:86:3b:fd:1b:95:fc:06:e2:1d:62:b2:14
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting_1024, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting_1024, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                RSA Public-Key: (1024 bit)
                 Modulus:
                     00:cd:ac:dd:47:ec:be:b7:24:c3:63:1b:54:98:79:
                     e1:c7:31:16:59:d6:9d:77:9d:8d:e2:8b:ed:04:17:
@@ -98,7 +100,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:D3:22:8F:28:2C:E0:05:EE:D3:ED:C3:71:3D:C9:B2:36:3A:1D:BF:A8
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting_1024/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:97:1D:33:11:E8:40:6E:95
+                serial:28:91:57:80:6F:78:1E:99:86:3B:FD:1B:95:FC:06:E2:1D:62:B2:14
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -107,35 +109,35 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         4e:b1:39:6a:23:a3:65:17:14:b6:52:2e:86:46:d5:4f:7c:d5:
-         6c:bb:fa:66:b1:71:54:a1:ad:0e:a2:b7:ba:59:65:8b:d5:87:
-         5d:51:d0:65:de:74:04:80:7c:da:3a:52:57:7a:1d:5d:46:7a:
-         06:79:75:e5:31:dd:1d:f6:54:77:fc:40:13:a1:5b:fd:9e:7d:
-         1c:fd:04:4f:7c:ee:92:a2:80:55:3c:3f:2a:1c:bd:3a:37:12:
-         0e:fd:52:60:66:19:d5:4b:f6:35:50:a3:59:d3:7f:6d:95:d7:
-         56:10:c6:86:28:f4:6e:6d:da:4e:1c:b4:e9:0b:4c:ed:62:0f:
-         64:06
+         0e:9f:a6:c0:6f:cf:a4:5f:ec:4a:18:4d:67:1a:8e:37:cc:9d:
+         97:dc:31:9c:d8:c5:08:70:fc:55:67:24:3f:ef:47:80:03:54:
+         5e:6c:91:fa:ba:71:1f:12:91:8f:f9:51:df:51:cd:ff:59:bc:
+         ed:b7:ac:e3:7c:53:48:73:cd:85:88:f2:23:aa:a9:6c:09:30:
+         6a:7b:a2:66:2e:1a:ad:12:5e:a8:ef:1e:a9:3f:f0:f9:44:64:
+         24:1e:0e:80:92:20:37:f9:e2:4f:d6:65:e3:ba:b3:55:99:ad:
+         0e:ca:7a:4c:3d:42:f6:7f:c7:23:6a:15:ae:b2:88:6e:45:a0:
+         a8:8e
 -----BEGIN CERTIFICATE-----
-MIID8zCCA1ygAwIBAgIJAJcdMxHoQG6VMA0GCSqGSIb3DQEBCwUAMIGZMQswCQYD
-VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G
-A1UECgwIU2F3dG9vdGgxGDAWBgNVBAsMD0NvbnN1bHRpbmdfMTAyNDEYMBYGA1UE
-AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1M1oXDTIzMTEwNzE5NDk1M1owgZkxCzAJBgNVBAYT
-AlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQK
-DAhTYXd0b290aDEYMBYGA1UECwwPQ29uc3VsdGluZ18xMDI0MRgwFgYDVQQDDA93
-d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20w
-gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM2s3Ufsvrckw2MbVJh54ccxFlnW
-nXedjeKL7QQXssbr5JuRvjFQYpdYtX8p3rNxJAu/lwl/Jtwt7KgusmQreis1GS2i
-gMuZ/ZRxGyONVNsuYo2BCC30JHInbPnJjttMdbqbAfg/GPTmf/tXlJLMiMS0AMKq
-1OWIGLMRL3PA1ikJAgMBAAGjggE/MIIBOzAdBgNVHQ4EFgQU0yKPKCzgBe7T7cNx
-PcmyNjodv6gwgc4GA1UdIwSBxjCBw4AU0yKPKCzgBe7T7cNxPcmyNjodv6ihgZ+k
-gZwwgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
+MIIECTCCA3KgAwIBAgIUKJFXgG94HpmGO/0blfwG4h1ishQwDQYJKoZIhvcNAQEL
+BQAwgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
 b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDEYMBYGA1UECwwPQ29uc3VsdGluZ18x
 MDI0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGlu
-Zm9Ad29sZnNzbC5jb22CCQCXHTMR6EBulTAMBgNVHRMEBTADAQH/MBwGA1UdEQQV
-MBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
-BQcDAjANBgkqhkiG9w0BAQsFAAOBgQBOsTlqI6NlFxS2Ui6GRtVPfNVsu/pmsXFU
-oa0Oore6WWWL1YddUdBl3nQEgHzaOlJXeh1dRnoGeXXlMd0d9lR3/EAToVv9nn0c
-/QRPfO6SooBVPD8qHL06NxIO/VJgZhnVS/Y1UKNZ039tlddWEMaGKPRubdpOHLTp
-C0ztYg9kBg==
+Zm9Ad29sZnNzbC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCB
+mTELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVt
+YW4xETAPBgNVBAoMCFNhd3Rvb3RoMRgwFgYDVQQLDA9Db25zdWx0aW5nXzEwMjQx
+GDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
+b2xmc3NsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzazdR+y+tyTD
+YxtUmHnhxzEWWdadd52N4ovtBBeyxuvkm5G+MVBil1i1fynes3EkC7+XCX8m3C3s
+qC6yZCt6KzUZLaKAy5n9lHEbI41U2y5ijYEILfQkcids+cmO20x1upsB+D8Y9OZ/
++1eUksyIxLQAwqrU5YgYsxEvc8DWKQkCAwEAAaOCAUowggFGMB0GA1UdDgQWBBTT
+Io8oLOAF7tPtw3E9ybI2Oh2/qDCB2QYDVR0jBIHRMIHOgBTTIo8oLOAF7tPtw3E9
+ybI2Oh2/qKGBn6SBnDCBmTELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmEx
+EDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRgwFgYDVQQLDA9D
+b25zdWx0aW5nXzEwMjQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
+SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUKJFXgG94HpmGO/0blfwG4h1ishQw
+DAYDVR0TBAUwAwEB/zAcBgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATAdBgNV
+HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADgYEADp+m
+wG/PpF/sShhNZxqON8ydl9wxnNjFCHD8VWckP+9HgANUXmyR+rpxHxKRj/lR31HN
+/1m87bes43xTSHPNhYjyI6qpbAkwanuiZi4arRJeqO8eqT/w+URkJB4OgJIgN/ni
+T9Zl47qzVZmtDsp6TD1C9n/HI2oVrrKIbkWgqI4=
 -----END CERTIFICATE-----
diff --git a/certs/3072/client-cert.der b/certs/3072/client-cert.der
index 693acbcc2..3794da5dd 100644
Binary files a/certs/3072/client-cert.der and b/certs/3072/client-cert.der differ
diff --git a/certs/3072/client-cert.pem b/certs/3072/client-cert.pem
index 989763628..0454843ce 100644
--- a/certs/3072/client-cert.pem
+++ b/certs/3072/client-cert.pem
@@ -1,16 +1,17 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 11880683778350266762 (0xa4e0aaf32950398a)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_3072, OU=Programming-3072, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            7f:8b:fd:1a:02:4e:04:53:8c:0d:42:cc:8d:e9:bc:de:23:18:35:4b
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_3072, OU = Programming-3072, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:52 2021 GMT
-            Not After : Nov  7 19:49:52 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_3072, OU=Programming-3072, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Sep 15 23:07:24 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_3072, OU = Programming-3072, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (3072 bit)
+                RSA Public-Key: (3072 bit)
                 Modulus:
                     00:ac:39:50:68:8f:78:f8:10:9b:68:96:d3:e1:9c:
                     56:68:5a:41:62:e3:b3:41:b0:55:80:17:b0:88:16:
@@ -45,7 +46,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:3D:D1:84:C2:AF:B0:20:49:BC:74:87:41:38:AB:BA:D2:D4:0C:A3:A8
                 DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_3072/OU=Programming-3072/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:A4:E0:AA:F3:29:50:39:8A
+                serial:7F:8B:FD:1A:02:4E:04:53:8C:0D:42:CC:8D:E9:BC:DE:23:18:35:4B
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -54,60 +55,60 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         57:21:c0:ad:6e:16:74:d5:b1:8b:19:55:49:7a:a4:5e:d6:18:
-         f9:03:80:4b:c2:71:d1:04:47:9c:b3:73:9c:4f:62:4a:3a:9a:
-         d4:48:e4:81:db:8d:15:df:5d:0f:08:13:28:28:d7:05:44:c1:
-         b9:6d:f1:75:60:74:d0:44:ae:91:0f:3a:7c:f4:ee:ea:6f:06:
-         3a:41:ae:6b:5c:8a:0d:85:6b:b3:fb:b1:5f:70:f7:9b:32:57:
-         fb:c4:6b:ce:90:86:0c:96:8a:41:4e:61:f3:a1:3f:55:e8:94:
-         56:12:6d:9e:46:2c:31:bd:3f:8a:70:c8:20:a4:fb:fa:c6:53:
-         58:bb:05:28:ba:89:0c:b1:5f:21:ac:1e:f1:35:fd:6b:14:c1:
-         69:08:e9:37:14:d8:76:50:2a:fc:aa:94:7f:39:52:3a:a7:3c:
-         0a:53:5e:e0:13:1a:00:ca:ac:aa:7e:f7:09:68:78:60:11:73:
-         ab:7d:58:fe:03:9f:e6:84:ea:51:58:40:82:a5:ff:a7:2c:ea:
-         42:a5:4c:b6:3b:5c:6b:ab:cf:56:8a:8c:ec:3c:f0:ae:d3:ca:
-         0e:09:71:cf:79:96:72:63:4b:24:7a:f3:79:ca:69:75:c9:b2:
-         a4:54:b8:84:40:2b:8f:24:27:6a:ed:8f:53:e0:55:9b:35:91:
-         18:11:cf:b0:3b:b8:65:3c:c6:ef:b0:78:7c:43:26:f1:12:84:
-         6b:2b:f0:7d:3c:7f:dc:67:a4:17:89:75:00:86:1a:ea:cd:1a:
-         cf:da:11:64:cc:bd:10:26:ef:6b:1b:93:b3:37:14:7f:12:80:
-         81:b6:fd:8a:8a:d8:95:5f:f9:1e:a5:1e:65:5f:75:8d:90:2a:
-         0d:b1:ab:26:16:31:b2:06:64:6f:2b:7e:4a:f4:de:e9:7a:ec:
-         67:35:f3:40:71:75:37:b3:e1:1d:ef:7d:e2:92:ec:d5:e5:bb:
-         99:79:50:11:b2:8a:57:1b:30:2e:b7:16:4c:c8:a6:99:b1:01:
-         34:08:9d:d8:df:af
+         43:dc:b3:5c:82:c4:77:4b:e0:d9:2b:bb:c5:4a:cc:7a:0b:9c:
+         da:44:5e:c5:42:dc:bc:6f:fe:75:fc:12:18:01:61:3c:6d:5d:
+         30:4d:67:24:94:3e:4a:d3:da:a8:ba:b7:db:3c:e9:bd:bf:8f:
+         e8:be:81:9a:e4:bf:94:a2:ae:4d:3e:90:45:27:f2:22:bb:6a:
+         9b:04:91:db:fd:61:0c:ca:6d:f1:78:94:9e:57:ab:2e:f6:99:
+         da:9a:55:e7:07:87:01:8c:9a:7c:90:ad:f2:bc:2c:2f:5a:a3:
+         cc:c9:e2:ec:67:a9:1f:b7:2c:7b:b5:b4:ae:56:f3:86:f3:21:
+         06:71:3c:5f:3c:16:44:24:f1:f7:dd:78:c2:fd:b6:ef:90:c1:
+         fd:b2:a5:57:15:04:b6:90:3f:53:a8:4e:e0:49:22:09:08:35:
+         da:af:2c:8c:d1:4b:28:26:9e:d1:03:07:28:95:b6:4b:b1:41:
+         f2:94:2f:4c:3b:b3:0d:94:6b:cc:25:fc:5a:47:57:e5:6d:bd:
+         8e:02:e9:19:3f:e4:51:08:5a:c8:fb:6c:01:e0:7d:8a:95:9e:
+         1b:a6:e1:0e:da:3c:1e:69:f2:31:c8:f5:aa:72:a4:b5:01:5d:
+         ff:a4:2b:2d:1c:34:72:80:a8:73:5f:98:a6:8d:69:2f:5f:7b:
+         e8:7f:91:87:87:c5:61:cd:c7:c3:78:0c:aa:53:3e:fa:5d:8e:
+         2f:05:11:36:fb:c0:b0:87:df:8a:be:5b:ad:43:4b:0f:77:ea:
+         69:cd:ed:31:f7:48:96:09:d7:91:64:63:88:22:e3:b8:2c:72:
+         98:92:34:2a:0a:fe:06:47:f6:ad:25:49:12:19:1d:4d:6f:e7:
+         ad:94:08:2b:3b:6a:d2:d7:99:5e:2f:77:11:91:46:37:7b:5d:
+         54:81:3c:6e:09:dc:95:22:88:24:dd:84:f7:89:40:76:51:52:
+         81:c6:41:1f:ce:66:47:54:3f:fd:79:f9:af:16:42:a2:39:c5:
+         a6:3b:6e:00:5d:81
 -----BEGIN CERTIFICATE-----
-MIIGBzCCBG+gAwIBAgIJAKTgqvMpUDmKMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
-VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMG
-A1UECgwMd29sZlNTTF8zMDcyMRkwFwYDVQQLDBBQcm9ncmFtbWluZy0zMDcyMRgw
-FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s
-ZnNzbC5jb20wHhcNMjEwMjEwMTk0OTUyWhcNMjMxMTA3MTk0OTUyWjCBnjELMAkG
-A1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTAT
-BgNVBAoMDHdvbGZTU0xfMzA3MjEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMzA3MjEY
-MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
-bGZzc2wuY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEArDlQaI94
-+BCbaJbT4ZxWaFpBYuOzQbBVgBewiBab4Jd0X0J5c0Lfk/Oqne4tb6q8J5CEwF3H
-7EnqXGYdcJxTXLqhs1jJPo6bcj1uAgIAnGVWgqMitAhfKu/fmtDnMVkmWwscY2H/
-1WkyGQZ+D0A8eh7I/FhsZK4QPagj/44aymqC4vkBZCyXoBqJoHTTtgUR8mIGSCr3
-Zs7BheHSJ+rKEqWRlz78lAZZUcDnE7aHe1/SwFYvXh0CwxEs3/cB2r2FVDUyX8XI
-+XqfifcDDn55XQSCNRD+bZu/uO7iYocmXi9QL3gM6HNPiGrWJqTJ/PoeirD0Ms9X
-zaFYikkPu6kdhqu5j41XGbJafqTqzLeWejs4zd7gYfzJBo+TWs6tKuMtPjldQYMB
-Hw/hf3bHKNpW77/cJjVAvq3HOK2kBqzK6FHrwPhoAiyboRS8+GGG11bXc/Sru2oh
-04gitOdvf5HlDsYISd7qE1hyoKo6+TYDRVdeh9JzZcSMo+7J1nN8lkGTAgMBAAGj
-ggFEMIIBQDAdBgNVHQ4EFgQUPdGEwq+wIEm8dIdBOKu60tQMo6gwgdMGA1UdIwSB
-yzCByIAUPdGEwq+wIEm8dIdBOKu60tQMo6ihgaSkgaEwgZ4xCzAJBgNVBAYTAlVT
-MRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRUwEwYDVQQKDAx3
-b2xmU1NMXzMwNzIxGTAXBgNVBAsMEFByb2dyYW1taW5nLTMwNzIxGDAWBgNVBAMM
-D3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv
-bYIJAKTgqvMpUDmKMAwGA1UdEwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhhbXBsZS5j
-b22HBH8AAAEwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3
-DQEBCwUAA4IBgQBXIcCtbhZ01bGLGVVJeqRe1hj5A4BLwnHRBEecs3OcT2JKOprU
-SOSB240V310PCBMoKNcFRMG5bfF1YHTQRK6RDzp89O7qbwY6Qa5rXIoNhWuz+7Ff
-cPebMlf7xGvOkIYMlopBTmHzoT9V6JRWEm2eRiwxvT+KcMggpPv6xlNYuwUouokM
-sV8hrB7xNf1rFMFpCOk3FNh2UCr8qpR/OVI6pzwKU17gExoAyqyqfvcJaHhgEXOr
-fVj+A5/mhOpRWECCpf+nLOpCpUy2O1xrq89WiozsPPCu08oOCXHPeZZyY0skevN5
-yml1ybKkVLiEQCuPJCdq7Y9T4FWbNZEYEc+wO7hlPMbvsHh8QybxEoRrK/B9PH/c
-Z6QXiXUAhhrqzRrP2hFkzL0QJu9rG5OzNxR/EoCBtv2KitiVX/kepR5lX3WNkCoN
-sasmFjGyBmRvK35K9N7peuxnNfNAcXU3s+Ed733ikuzV5buZeVARsopXGzAutxZM
-yKaZsQE0CJ3Y368=
+MIIGHTCCBIWgAwIBAgIUf4v9GgJOBFOMDULMjem83iMYNUswDQYJKoZIhvcNAQEL
+BQAwgZ4xCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
+b3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMXzMwNzIxGTAXBgNVBAsMEFByb2dyYW1t
+aW5nLTMwNzIxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJ
+ARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0yMTEyMjAyMzA3MjRaFw0yNDA5MTUyMzA3
+MjRaMIGeMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwH
+Qm96ZW1hbjEVMBMGA1UECgwMd29sZlNTTF8zMDcyMRkwFwYDVQQLDBBQcm9ncmFt
+bWluZy0zMDcyMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0B
+CQEWEGluZm9Ad29sZnNzbC5jb20wggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGK
+AoIBgQCsOVBoj3j4EJtoltPhnFZoWkFi47NBsFWAF7CIFpvgl3RfQnlzQt+T86qd
+7i1vqrwnkITAXcfsSepcZh1wnFNcuqGzWMk+jptyPW4CAgCcZVaCoyK0CF8q79+a
+0OcxWSZbCxxjYf/VaTIZBn4PQDx6Hsj8WGxkrhA9qCP/jhrKaoLi+QFkLJegGomg
+dNO2BRHyYgZIKvdmzsGF4dIn6soSpZGXPvyUBllRwOcTtod7X9LAVi9eHQLDESzf
+9wHavYVUNTJfxcj5ep+J9wMOfnldBII1EP5tm7+47uJihyZeL1AveAzoc0+IatYm
+pMn8+h6KsPQyz1fNoViKSQ+7qR2Gq7mPjVcZslp+pOrMt5Z6OzjN3uBh/MkGj5Na
+zq0q4y0+OV1BgwEfD+F/dsco2lbvv9wmNUC+rcc4raQGrMroUevA+GgCLJuhFLz4
+YYbXVtdz9Ku7aiHTiCK0529/keUOxghJ3uoTWHKgqjr5NgNFV16H0nNlxIyj7snW
+c3yWQZMCAwEAAaOCAU8wggFLMB0GA1UdDgQWBBQ90YTCr7AgSbx0h0E4q7rS1Ayj
+qDCB3gYDVR0jBIHWMIHTgBQ90YTCr7AgSbx0h0E4q7rS1AyjqKGBpKSBoTCBnjEL
+MAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4x
+FTATBgNVBAoMDHdvbGZTU0xfMzA3MjEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMzA3
+MjEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZv
+QHdvbGZzc2wuY29tghR/i/0aAk4EU4wNQsyN6bzeIxg1SzAMBgNVHRMEBTADAQH/
+MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1UdJQQWMBQGCCsGAQUF
+BwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAYEAQ9yzXILEd0vg2Su7xUrM
+eguc2kRexULcvG/+dfwSGAFhPG1dME1nJJQ+StPaqLq32zzpvb+P6L6BmuS/lKKu
+TT6QRSfyIrtqmwSR2/1hDMpt8XiUnlerLvaZ2ppV5weHAYyafJCt8rwsL1qjzMni
+7GepH7cse7W0rlbzhvMhBnE8XzwWRCTx9914wv2275DB/bKlVxUEtpA/U6hO4Eki
+CQg12q8sjNFLKCae0QMHKJW2S7FB8pQvTDuzDZRrzCX8WkdX5W29jgLpGT/kUQha
+yPtsAeB9ipWeG6bhDto8HmnyMcj1qnKktQFd/6QrLRw0coCoc1+Ypo1pL1976H+R
+h4fFYc3Hw3gMqlM++l2OLwURNvvAsIffir5brUNLD3fqac3tMfdIlgnXkWRjiCLj
+uCxymJI0Kgr+Bkf2rSVJEhkdTW/nrZQIKztq0teZXi93EZFGN3tdVIE8bgnclSKI
+JN2E94lAdlFSgcZBH85mR1Q//Xn5rxZCojnFpjtuAF2B
 -----END CERTIFICATE-----
diff --git a/certs/4096/client-cert.der b/certs/4096/client-cert.der
index 50f44b43e..68e768f4b 100644
Binary files a/certs/4096/client-cert.der and b/certs/4096/client-cert.der differ
diff --git a/certs/4096/client-cert.pem b/certs/4096/client-cert.pem
index 66335cf6b..a7b1a0239 100644
--- a/certs/4096/client-cert.pem
+++ b/certs/4096/client-cert.pem
@@ -1,16 +1,17 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 11546908179272725132 (0xa03edbcf979a728c)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_4096, OU=Programming-4096, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            07:91:84:28:88:1f:29:d0:53:fd:ed:42:1f:cf:88:4c:15:d1:f1:a4
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_4096, OU = Programming-4096, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:52 2021 GMT
-            Not After : Nov  7 19:49:52 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_4096, OU=Programming-4096, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Sep 15 23:07:24 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_4096, OU = Programming-4096, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
+                RSA Public-Key: (4096 bit)
                 Modulus:
                     00:f5:d0:31:e4:71:59:58:b3:07:50:dd:16:79:fc:
                     c6:95:50:fc:46:0e:57:12:86:71:8d:e3:9b:4a:33:
@@ -54,7 +55,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:FA:54:89:67:E5:5F:B7:31:40:EA:FD:E7:F6:A3:C6:5A:56:16:A5:6E
                 DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_4096/OU=Programming-4096/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:A0:3E:DB:CF:97:9A:72:8C
+                serial:07:91:84:28:88:1F:29:D0:53:FD:ED:42:1F:CF:88:4C:15:D1:F1:A4
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -63,72 +64,73 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         17:ab:22:61:05:6d:3a:c0:0d:6b:d9:15:82:11:cf:e7:f8:65:
-         da:c7:ef:da:0f:50:75:bd:55:cf:3d:50:dd:d4:0d:2c:04:48:
-         a8:25:3a:b9:c4:ce:48:7e:b8:63:cd:cd:ce:bc:50:26:dc:6d:
-         c2:1e:d1:71:3a:2f:db:e5:03:6b:73:55:23:70:76:1e:08:2a:
-         92:7b:d6:6a:ef:17:a0:f3:8c:ea:eb:c4:2e:cb:d4:d9:d5:ab:
-         f7:e6:8d:ec:d9:97:a1:56:a7:0b:5d:e5:3f:1f:5e:6a:7a:a4:
-         64:d7:b2:42:1a:1e:49:37:93:bc:be:13:a8:fb:b1:93:7b:a8:
-         2b:49:90:43:84:24:60:44:fc:32:74:85:0e:1b:f8:3a:92:3d:
-         aa:25:1b:9f:97:31:95:97:c5:3d:51:dd:b6:d5:4a:7e:41:b3:
-         90:83:7c:98:fa:cb:22:33:a5:f4:32:74:bd:3e:b1:3b:34:f9:
-         c3:3f:be:db:0e:d9:2f:1a:f9:d2:4f:14:53:63:f2:21:a3:e9:
-         c3:ad:04:6e:e7:ad:1f:6b:ce:4e:35:4a:61:84:b9:61:65:1d:
-         a2:d7:a1:e6:74:08:15:38:75:b0:23:70:22:15:59:2c:48:f0:
-         da:9a:99:d4:2b:83:df:9a:93:78:45:b9:84:5c:7e:71:90:da:
-         56:1c:9f:57:ed:76:f7:17:e5:d2:01:90:99:5f:4c:07:49:07:
-         82:75:92:44:7a:fe:9b:a7:4d:ec:c8:dc:46:67:28:04:8b:08:
-         17:94:13:e9:a0:d2:b2:26:56:27:60:94:5a:50:5c:cf:34:4d:
-         3f:35:e7:12:5d:c5:32:00:2f:e0:1d:09:e5:36:8d:77:93:f6:
-         e5:62:b4:a3:9b:c6:7c:e6:3d:d5:38:33:5f:23:5b:81:2e:24:
-         26:9e:98:a8:af:04:3d:65:3f:71:88:48:44:5c:1a:11:0e:1b:
-         e1:81:b1:b6:66:e6:3c:13:67:d6:6b:a3:f3:b7:f6:9f:14:a6:
-         87:7f:2b:14:31:22:7a:f5:0d:44:e6:a3:1a:d6:d2:dc:88:71:
-         37:28:11:6c:ef:95:ab:1d:c5:c3:9a:ef:1a:54:11:92:8e:89:
-         43:03:26:d0:e9:63:33:fe:79:4c:a6:6f:c4:58:58:2e:b6:ab:
-         57:a0:39:4d:ff:88:c0:23:2c:3b:e3:9a:df:48:d3:17:45:5d:
-         36:4e:00:58:72:c3:ef:e7:76:0b:f8:19:a8:5f:f6:53:98:49:
-         2b:52:b5:8e:a5:d8:73:6e:3c:23:23:06:86:25:6b:0d:3b:f2:
-         9a:17:33:a4:4e:f5:6b:de:b3:64:20:58:c6:6d:22:a9:ae:f4:
-         09:9d:0d:6e:9f:96:2a:9e
+         97:3a:5c:65:88:d6:bd:d6:80:4a:a3:a4:13:99:d8:7f:db:6d:
+         68:f6:32:c8:ef:7a:70:db:1b:c2:11:7a:21:2b:e4:df:1e:78:
+         08:0b:51:6d:0c:c4:cc:a8:e6:ad:ee:7d:67:6b:ce:74:3a:90:
+         4c:c0:33:18:c4:b4:ef:27:aa:73:e3:92:d7:f5:31:6f:6b:62:
+         57:22:e2:69:05:0f:c0:99:8e:c2:ff:be:99:bf:05:93:05:0b:
+         19:8d:0d:ba:92:c9:dd:68:1f:3e:e2:24:b7:34:13:32:0b:92:
+         dd:85:a1:fc:38:89:03:4d:96:4d:bf:1f:a2:7b:b1:9f:4c:de:
+         a2:7c:e3:1d:33:05:ea:f0:91:5e:e5:90:cd:62:06:b0:98:73:
+         f4:74:bc:f7:1d:10:43:6d:d0:85:c8:15:ca:43:6a:df:de:bc:
+         fa:3c:e7:03:6e:d4:aa:46:db:fe:18:1b:d0:ca:94:7e:7a:e4:
+         d4:21:c4:15:27:b9:46:7b:1f:b6:cd:03:ae:8d:a3:cf:14:df:
+         54:4f:4a:f6:58:4e:b1:bf:5e:d6:7c:21:73:c9:4e:c9:0d:0f:
+         b8:d1:a1:80:9e:e6:f3:4b:8e:cb:b7:bb:19:5d:f6:16:67:5e:
+         01:97:17:59:71:59:ca:eb:3b:ea:70:8e:8f:58:1f:5c:d0:ac:
+         12:b5:e4:de:f6:b0:7f:e7:86:fc:ab:d0:78:6c:e6:ba:f4:fa:
+         7f:42:cd:4e:7f:43:ed:39:b7:50:1b:34:39:c6:30:bc:d7:7e:
+         5c:59:ba:6b:7a:90:49:a0:de:f8:43:00:82:6d:6b:82:01:06:
+         01:b0:04:49:fe:bd:8b:2d:c6:10:9f:d3:fb:1d:56:3a:bf:28:
+         a2:a5:bd:c7:6b:a7:0c:01:bf:18:4e:75:77:49:86:ac:44:16:
+         2f:9e:fa:e6:4e:f5:81:00:e7:e9:49:6d:ee:1e:c2:0c:91:3e:
+         fc:14:07:cd:de:08:dc:cb:9a:3c:2c:9a:3e:32:03:ba:1e:42:
+         17:3b:63:8c:ce:da:fd:6c:d5:55:3a:28:a5:35:1d:5f:41:f8:
+         1c:fd:f5:73:a1:24:c5:a9:40:ab:ae:d0:4b:d3:d3:b1:23:64:
+         2b:64:be:c4:3b:39:dc:46:d6:f4:9f:f9:4a:74:a1:14:58:8e:
+         d7:8f:04:e5:cd:fb:35:a2:16:86:ed:95:ea:7a:f5:b5:0f:9b:
+         bd:0c:dc:61:4a:a0:d3:cf:51:f5:be:fd:3b:e7:66:41:37:6c:
+         89:d1:40:e0:2f:65:b6:03:a1:a9:57:4c:9f:93:95:95:97:ca:
+         4f:5a:71:92:98:5c:39:ed:24:ac:35:ca:51:b7:32:74:1e:f9:
+         83:e8:6b:4e:be:d4:75:85
 -----BEGIN CERTIFICATE-----
-MIIHBzCCBO+gAwIBAgIJAKA+28+XmnKMMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
-VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMG
-A1UECgwMd29sZlNTTF80MDk2MRkwFwYDVQQLDBBQcm9ncmFtbWluZy00MDk2MRgw
-FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s
-ZnNzbC5jb20wHhcNMjEwMjEwMTk0OTUyWhcNMjMxMTA3MTk0OTUyWjCBnjELMAkG
-A1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTAT
-BgNVBAoMDHdvbGZTU0xfNDA5NjEZMBcGA1UECwwQUHJvZ3JhbW1pbmctNDA5NjEY
-MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
-bGZzc2wuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9dAx5HFZ
-WLMHUN0WefzGlVD8Rg5XEoZxjeObSjPqT9kXE21Iad9ZEQgCna8rxzC+DNyH1FoS
-CSNd4XZaYjdGdO8DBbsebSl1bC6dhw2Ph8sUlZu+F2tR0Uza15FmxTbr4Acadk2w
-+8H1XgXbussl2ZkTHMA13EDpNs3E1XpBcA8266VOFwXVdRtkYno/DShIauOsnKiP
-6e33zSSgsaADrOMD9T/Rlv8qfgix0+AYFOxlN1BDwmqM9Fv+xMuNP4EC98Ld5MGO
-gAwEJS2AWi4PIjVK9IXtUdirbY+iOyQAboHiHnbWrDES2/OOB6HeiUo5YHfFqvFR
-5gbxlVYq4Y6SMJ/+WESsRvL9mvyoHaHTVTdKi/ycM/inYUhBfJx3P/WAI31DtNWI
-Csl110QZTXdsCwpJqhwv1lpEpkdN5TaWQJksViax8pIxWdcs1LQh1mUTCz77/wTr
-uYW52NgoT1wXlqNRvv59CxtIQCV2lNxB+79zdtrrs2LnwchUapPhjTHoPj7fvIcC
-MCJXxOAYetOu5AKbqr1OSUdy6Y0TLVSbAKeRYXHJzEhP7t9eGxrfZ9Mg5kRFmH7n
-DmMWg8kmXZDB5SpcRVQTsoEYBiAuLmZatXtu1gxOiQFWcLuu3umZXtG5OrdsF7YD
-qQjdnPQUyclZOXLUfgI3Mc0Opz348s9rFasCAwEAAaOCAUQwggFAMB0GA1UdDgQW
-BBT6VIln5V+3MUDq/ef2o8ZaVhalbjCB0wYDVR0jBIHLMIHIgBT6VIln5V+3MUDq
-/ef2o8ZaVhalbqGBpKSBoTCBnjELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRh
-bmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZTU0xfNDA5NjEZMBcG
-A1UECwwQUHJvZ3JhbW1pbmctNDA5NjEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
-MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggkAoD7bz5eacowwDAYD
-VR0TBAUwAwEB/zAcBgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATAdBgNVHSUE
-FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggIBABerImEF
-bTrADWvZFYIRz+f4ZdrH79oPUHW9Vc89UN3UDSwESKglOrnEzkh+uGPNzc68UCbc
-bcIe0XE6L9vlA2tzVSNwdh4IKpJ71mrvF6DzjOrrxC7L1NnVq/fmjezZl6FWpwtd
-5T8fXmp6pGTXskIaHkk3k7y+E6j7sZN7qCtJkEOEJGBE/DJ0hQ4b+DqSPaolG5+X
-MZWXxT1R3bbVSn5Bs5CDfJj6yyIzpfQydL0+sTs0+cM/vtsO2S8a+dJPFFNj8iGj
-6cOtBG7nrR9rzk41SmGEuWFlHaLXoeZ0CBU4dbAjcCIVWSxI8NqamdQrg9+ak3hF
-uYRcfnGQ2lYcn1ftdvcX5dIBkJlfTAdJB4J1kkR6/punTezI3EZnKASLCBeUE+mg
-0rImVidglFpQXM80TT815xJdxTIAL+AdCeU2jXeT9uVitKObxnzmPdU4M18jW4Eu
-JCaemKivBD1lP3GISERcGhEOG+GBsbZm5jwTZ9Zro/O39p8Upod/KxQxInr1DUTm
-oxrW0tyIcTcoEWzvlasdxcOa7xpUEZKOiUMDJtDpYzP+eUymb8RYWC62q1egOU3/
-iMAjLDvjmt9I0xdFXTZOAFhyw+/ndgv4Gahf9lOYSStStY6l2HNuPCMjBoYlaw07
-8poXM6RO9Wves2QgWMZtIqmu9AmdDW6fliqe
+MIIHHTCCBQWgAwIBAgIUB5GEKIgfKdBT/e1CH8+ITBXR8aQwDQYJKoZIhvcNAQEL
+BQAwgZ4xCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
+b3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMXzQwOTYxGTAXBgNVBAsMEFByb2dyYW1t
+aW5nLTQwOTYxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJ
+ARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0yMTEyMjAyMzA3MjRaFw0yNDA5MTUyMzA3
+MjRaMIGeMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwH
+Qm96ZW1hbjEVMBMGA1UECgwMd29sZlNTTF80MDk2MRkwFwYDVQQLDBBQcm9ncmFt
+bWluZy00MDk2MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0B
+CQEWEGluZm9Ad29sZnNzbC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQD10DHkcVlYswdQ3RZ5/MaVUPxGDlcShnGN45tKM+pP2RcTbUhp31kRCAKd
+ryvHML4M3IfUWhIJI13hdlpiN0Z07wMFux5tKXVsLp2HDY+HyxSVm74Xa1HRTNrX
+kWbFNuvgBxp2TbD7wfVeBdu6yyXZmRMcwDXcQOk2zcTVekFwDzbrpU4XBdV1G2Ri
+ej8NKEhq46ycqI/p7ffNJKCxoAOs4wP1P9GW/yp+CLHT4BgU7GU3UEPCaoz0W/7E
+y40/gQL3wt3kwY6ADAQlLYBaLg8iNUr0he1R2Kttj6I7JABugeIedtasMRLb844H
+od6JSjlgd8Wq8VHmBvGVVirhjpIwn/5YRKxG8v2a/KgdodNVN0qL/Jwz+KdhSEF8
+nHc/9YAjfUO01YgKyXXXRBlNd2wLCkmqHC/WWkSmR03lNpZAmSxWJrHykjFZ1yzU
+tCHWZRMLPvv/BOu5hbnY2ChPXBeWo1G+/n0LG0hAJXaU3EH7v3N22uuzYufByFRq
+k+GNMeg+Pt+8hwIwIlfE4Bh6067kApuqvU5JR3LpjRMtVJsAp5FhccnMSE/u314b
+Gt9n0yDmREWYfucOYxaDySZdkMHlKlxFVBOygRgGIC4uZlq1e27WDE6JAVZwu67e
+6Zle0bk6t2wXtgOpCN2c9BTJyVk5ctR+AjcxzQ6nPfjyz2sVqwIDAQABo4IBTzCC
+AUswHQYDVR0OBBYEFPpUiWflX7cxQOr95/ajxlpWFqVuMIHeBgNVHSMEgdYwgdOA
+FPpUiWflX7cxQOr95/ajxlpWFqVuoYGkpIGhMIGeMQswCQYDVQQGEwJVUzEQMA4G
+A1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMGA1UECgwMd29sZlNT
+TF80MDk2MRkwFwYDVQQLDBBQcm9ncmFtbWluZy00MDk2MRgwFgYDVQQDDA93d3cu
+d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFAeR
+hCiIHynQU/3tQh/PiEwV0fGkMAwGA1UdEwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhh
+bXBsZS5jb22HBH8AAAEwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0G
+CSqGSIb3DQEBCwUAA4ICAQCXOlxliNa91oBKo6QTmdh/221o9jLI73pw2xvCEXoh
+K+TfHngIC1FtDMTMqOat7n1na850OpBMwDMYxLTvJ6pz45LX9TFva2JXIuJpBQ/A
+mY7C/76ZvwWTBQsZjQ26ksndaB8+4iS3NBMyC5LdhaH8OIkDTZZNvx+ie7GfTN6i
+fOMdMwXq8JFe5ZDNYgawmHP0dLz3HRBDbdCFyBXKQ2rf3rz6POcDbtSqRtv+GBvQ
+ypR+euTUIcQVJ7lGex+2zQOujaPPFN9UT0r2WE6xv17WfCFzyU7JDQ+40aGAnubz
+S47Lt7sZXfYWZ14BlxdZcVnK6zvqcI6PWB9c0KwSteTe9rB/54b8q9B4bOa69Pp/
+Qs1Of0PtObdQGzQ5xjC8135cWbprepBJoN74QwCCbWuCAQYBsARJ/r2LLcYQn9P7
+HVY6vyiipb3Ha6cMAb8YTnV3SYasRBYvnvrmTvWBAOfpSW3uHsIMkT78FAfN3gjc
+y5o8LJo+MgO6HkIXO2OMztr9bNVVOiilNR1fQfgc/fVzoSTFqUCrrtBL09OxI2Qr
+ZL7EOzncRtb0n/lKdKEUWI7XjwTlzfs1ohaG7ZXqevW1D5u9DNxhSqDTz1H1vv07
+52ZBN2yJ0UDgL2W2A6GpV0yfk5WVl8pPWnGSmFw57SSsNcpRtzJ0HvmD6GtOvtR1
+hQ==
 -----END CERTIFICATE-----
diff --git a/certs/ca-cert-chain.der b/certs/ca-cert-chain.der
index 848109a0f..c76c26793 100644
Binary files a/certs/ca-cert-chain.der and b/certs/ca-cert-chain.der differ
diff --git a/certs/ca-cert.der b/certs/ca-cert.der
index 9ca22e719..dbe39d2a4 100644
Binary files a/certs/ca-cert.der and b/certs/ca-cert.der differ
diff --git a/certs/ca-cert.pem b/certs/ca-cert.pem
index 47a3ba0a4..5c280581c 100644
--- a/certs/ca-cert.pem
+++ b/certs/ca-cert.pem
@@ -1,16 +1,17 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 12309252214903945037 (0xaad33fac180a374d)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            7d:94:70:88:ba:07:42:8d:aa:af:4f:be:c2:1a:48:f0:d1:40:e6:42
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:52 2021 GMT
-            Not After : Nov  7 19:49:52 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Sep 15 23:07:24 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:bf:0c:ca:2d:14:b2:1e:84:42:5b:cd:38:1f:4a:
                     f2:4d:75:10:f1:b6:35:9f:df:ca:7d:03:98:d3:ac:
@@ -37,7 +38,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -46,47 +47,47 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         62:98:c8:58:cf:56:03:86:5b:1b:71:49:7d:05:03:5d:e0:08:
-         86:ad:db:4a:de:ab:22:96:a8:c3:59:68:c1:37:90:40:df:bd:
-         89:d0:bc:da:8e:ef:87:b2:c2:62:52:e1:1a:29:17:6a:96:99:
-         c8:4e:d8:32:fe:b8:d1:5c:3b:0a:c2:3c:5f:a1:1e:98:7f:ce:
-         89:26:21:1f:64:9c:15:7a:9c:ef:fb:1d:85:6a:fa:98:ce:a8:
-         a9:ab:c3:a2:c0:eb:87:ed:bc:21:df:f3:07:5b:ae:fd:40:d4:
-         ae:20:d0:76:8a:31:0a:a2:62:7c:61:0d:ce:5d:9a:1e:e4:20:
-         88:51:49:fb:77:a9:cd:4d:c6:bf:54:99:33:ef:4b:a0:73:70:
-         6d:2e:d9:3d:08:f6:12:39:31:68:c6:61:5c:41:b5:1b:f4:38:
-         7d:fc:be:73:66:2d:f7:ca:5b:2c:5b:31:aa:cf:f6:7f:30:e4:
-         12:2c:8e:d6:38:51:e6:45:ee:d5:da:c3:83:d6:ed:5e:ec:d6:
-         b6:14:b3:93:59:e1:55:4a:7f:04:df:ce:65:d4:df:18:4f:dd:
-         b4:45:7f:a6:56:30:c4:05:44:98:9d:4f:26:6d:84:80:a0:5e:
-         ed:23:d1:48:87:0e:05:06:91:3b:b0:3c:bb:8c:8f:3c:7b:4c:
-         4f:a1:ca:98
+         b0:71:bb:ba:45:5a:80:25:02:a4:7e:88:0b:a9:7b:fd:b0:bb:
+         f6:46:b5:ba:f4:c7:e3:61:20:8c:03:15:66:f5:e4:54:82:ef:
+         13:80:97:22:67:c1:d1:88:5d:e2:2d:57:f6:e0:9f:69:d6:b1:
+         5c:b6:e8:e0:98:89:c8:14:12:d6:b6:89:8d:6c:b9:a0:59:4f:
+         92:ee:11:53:6b:7d:93:4a:69:0a:85:d9:d5:d2:62:e8:c9:b5:
+         c6:4e:17:f5:0a:e8:f3:2d:86:61:0b:eb:c4:c4:c6:67:75:ed:
+         9a:9f:53:a0:71:1e:a0:90:0d:f9:03:b4:bc:86:19:6e:f0:3b:
+         4f:e8:ed:68:f6:e7:23:43:3b:36:83:83:4b:46:a0:9a:01:d0:
+         c7:85:bb:7d:94:a0:21:3d:7e:3c:6a:3d:81:db:41:7b:46:d8:
+         15:62:d5:8f:4d:3d:c0:db:9a:c5:81:a8:ac:da:87:99:c7:dd:
+         b9:f1:14:af:d1:93:e3:f3:42:d7:a2:04:51:21:54:29:c3:45:
+         f6:be:5c:fa:cd:db:bf:2f:79:81:42:e5:8f:47:0b:d4:54:01:
+         b5:c2:4a:46:d6:a8:31:2e:64:80:3f:48:61:91:29:f3:aa:43:
+         5c:69:6e:f1:01:b9:df:63:71:3d:b9:5a:fb:36:c0:11:a2:c3:
+         30:9d:95:c3
 -----BEGIN CERTIFICATE-----
-MIIE6TCCA9GgAwIBAgIJAKrTP6wYCjdNMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD
+MIIE/zCCA+egAwIBAgIUfZRwiLoHQo2qr0++whpI8NFA5kIwDQYJKoZIhvcNAQEL
+BQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
+b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY
+MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
+bGZzc2wuY29tMB4XDTIxMTIyMDIzMDcyNFoXDTI0MDkxNTIzMDcyNFowgZQxCzAJ
+BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREw
+DwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwP
+d3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwzKLRSyHoRCW804H0ry
+TXUQ8bY1n9/KfQOY06zeA2buKvHYsH1uB1QLEJghTYDLEiDnzE/eRX3Jcncy6sqQ
+u2lSEAMvqPOVxfGLYlYb72dvpBBBla0Km+OlwLDScHZQMFuo6AgsfO2nonqNOCkc
+rMft8nyVsJWCfUlcOM13Je+9gHVTlDw9ymNbnxW10x0TLxnRPNt2Osy4fcnlwtfa
+QG/YIdxzG0ItU5z+Gvx9q3o2P5jehHwFZ85qFDiHqfGMtWjLaH9xICv1oGP1Vi+j
+JtK3b7FaF9c4mQj+k1hv/sMTSQgWC6dNZwBSMWcjTpjtUUUduQTZC+zYKLNLve02
+eQIDAQABo4IBRTCCAUEwHQYDVR0OBBYEFCeOZxF0wyYdP+0zY7Ok2B0w5ejVMIHU
+BgNVHSMEgcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYD
 VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G
 A1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3
-dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe
-Fw0yMTAyMTAxOTQ5NTJaFw0yMzExMDcxOTQ5NTJaMIGUMQswCQYDVQQGEwJVUzEQ
-MA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwIU2F3
-dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3Ns
-LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAL8Myi0Ush6EQlvNOB9K8k11EPG2NZ/fyn0D
-mNOs3gNm7irx2LB9bgdUCxCYIU2AyxIg58xP3kV9yXJ3MurKkLtpUhADL6jzlcXx
-i2JWG+9nb6QQQZWtCpvjpcCw0nB2UDBbqOgILHztp6J6jTgpHKzH7fJ8lbCVgn1J
-XDjNdyXvvYB1U5Q8PcpjW58VtdMdEy8Z0TzbdjrMuH3J5cLX2kBv2CHccxtCLVOc
-/hr8fat6Nj+Y3oR8BWfOahQ4h6nxjLVoy2h/cSAr9aBj9VYvoybSt2+xWhfXOJkI
-/pNYb/7DE0kIFgunTWcAUjFnI06Y7VFFHbkE2Qvs2CizS73tNnkCAwEAAaOCATow
-ggE2MB0GA1UdDgQWBBQnjmcRdMMmHT/tM2OzpNgdMOXo1TCByQYDVR0jBIHBMIG+
-gBQnjmcRdMMmHT/tM2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAO
-BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rv
-b3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5j
-b20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQCq0z+sGAo3TTAM
-BgNVHRMEBTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1Ud
-JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAYpjI
-WM9WA4ZbG3FJfQUDXeAIhq3bSt6rIpaow1lowTeQQN+9idC82o7vh7LCYlLhGikX
-apaZyE7YMv640Vw7CsI8X6EemH/OiSYhH2ScFXqc7/sdhWr6mM6oqavDosDrh+28
-Id/zB1uu/UDUriDQdooxCqJifGENzl2aHuQgiFFJ+3epzU3Gv1SZM+9LoHNwbS7Z
-PQj2EjkxaMZhXEG1G/Q4ffy+c2Yt98pbLFsxqs/2fzDkEiyO1jhR5kXu1drDg9bt
-XuzWthSzk1nhVUp/BN/OZdTfGE/dtEV/plYwxAVEmJ1PJm2EgKBe7SPRSIcOBQaR
-O7A8u4yPPHtMT6HKmA==
+dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIU
+fZRwiLoHQo2qr0++whpI8NFA5kIwDAYDVR0TBAUwAwEB/zAcBgNVHREEFTATggtl
+eGFtcGxlLmNvbYcEfwAAATAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
+DQYJKoZIhvcNAQELBQADggEBALBxu7pFWoAlAqR+iAupe/2wu/ZGtbr0x+NhIIwD
+FWb15FSC7xOAlyJnwdGIXeItV/bgn2nWsVy26OCYicgUEta2iY1suaBZT5LuEVNr
+fZNKaQqF2dXSYujJtcZOF/UK6PMthmEL68TExmd17ZqfU6BxHqCQDfkDtLyGGW7w
+O0/o7Wj25yNDOzaDg0tGoJoB0MeFu32UoCE9fjxqPYHbQXtG2BVi1Y9NPcDbmsWB
+qKzah5nH3bnxFK/Rk+PzQteiBFEhVCnDRfa+XPrN278veYFC5Y9HC9RUAbXCSkbW
+qDEuZIA/SGGRKfOqQ1xpbvEBud9jcT25Wvs2wBGiwzCdlcM=
 -----END CERTIFICATE-----
diff --git a/certs/ca-ecc-cert.der b/certs/ca-ecc-cert.der
index 57d2a42da..ae3bf0876 100644
Binary files a/certs/ca-ecc-cert.der and b/certs/ca-ecc-cert.der differ
diff --git a/certs/ca-ecc-cert.pem b/certs/ca-ecc-cert.pem
index 5b146d883..326d03968 100644
--- a/certs/ca-ecc-cert.pem
+++ b/certs/ca-ecc-cert.pem
@@ -1,17 +1,18 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 9459666439398825038 (0x83477c81d60d1c4e)
-    Signature Algorithm: ecdsa-with-SHA256
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            2f:c0:2c:fe:1f:6a:5a:0b:dd:f6:08:63:99:42:7e:19:92:fa:dc:32
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Sep 15 23:07:24 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
-                pub: 
+                pub:
                     04:02:d3:d9:6e:d6:01:8e:45:c8:b9:90:31:e5:c0:
                     4c:e3:9e:ad:29:38:98:ba:10:d6:e9:09:2a:80:a9:
                     2e:17:2a:b9:8a:bf:33:83:46:e3:95:0b:e4:77:40:
@@ -30,23 +31,23 @@ Certificate:
             X509v3 Key Usage: critical
                 Digital Signature, Certificate Sign, CRL Sign
     Signature Algorithm: ecdsa-with-SHA256
-         30:45:02:21:00:c5:83:ff:1e:51:f7:a1:e9:f1:42:c4:be:ed:
-         38:bd:38:32:8f:ae:3f:c7:6d:11:90:e9:99:ab:61:a2:db:a7:
-         4b:02:20:28:40:d9:ba:45:cc:a6:ea:fa:3f:3e:71:44:8e:02:
-         03:2f:41:0b:56:78:2d:a6:e8:5e:f6:ff:da:62:8c:f9:df
+         30:45:02:21:00:f2:a0:7a:0f:66:05:ec:81:a2:94:6a:31:e0:
+         0d:ee:8f:6a:ed:63:33:0e:27:31:b3:cf:c8:a0:0e:5b:88:51:
+         fa:02:20:51:0f:26:46:95:37:8e:49:4e:b0:4d:cd:b1:65:fe:
+         2d:43:ab:20:c7:83:70:44:11:13:86:a5:9b:3b:34:24:f2
 -----BEGIN CERTIFICATE-----
-MIICijCCAjCgAwIBAgIJAINHfIHWDRxOMAoGCCqGSM49BAMCMIGXMQswCQYDVQQG
-EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G
-A1UECgwHd29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3
-dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe
-Fw0yMTAyMTAxOTQ5NTNaFw0yMzExMDcxOTQ5NTNaMIGXMQswCQYDVQQGEwJVUzET
-MBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UECgwH
-d29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3dy53b2xm
-c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqG
-SM49AgEGCCqGSM49AwEHA0IABALT2W7WAY5FyLmQMeXATOOerSk4mLoQ1ukJKoCp
-LhcquYq/M4NG45UL5HdAtTtDRTMPYVN8N0TBy/yAyuhD6qejYzBhMB0GA1UdDgQW
-BBRWjprD8ELeGLlFVW75k8/qw/OlITAfBgNVHSMEGDAWgBRWjprD8ELeGLlFVW75
-k8/qw/OlITAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAKBggqhkjO
-PQQDAgNIADBFAiEAxYP/HlH3oenxQsS+7Ti9ODKPrj/HbRGQ6ZmrYaLbp0sCIChA
-2bpFzKbq+j8+cUSOAgMvQQtWeC2m6F72/9pijPnf
+MIIClTCCAjugAwIBAgIUL8As/h9qWgvd9ghjmUJ+GZL63DIwCgYIKoZIzj0EAwIw
+gZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
+ZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEY
+MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
+bGZzc2wuY29tMB4XDTIxMTIyMDIzMDcyNFoXDTI0MDkxNTIzMDcyNFowgZcxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxl
+MRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UE
+AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
+Y29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAtPZbtYBjkXIuZAx5cBM456t
+KTiYuhDW6QkqgKkuFyq5ir8zg0bjlQvkd0C1O0NFMw9hU3w3RMHL/IDK6EPqp6Nj
+MGEwHQYDVR0OBBYEFFaOmsPwQt4YuUVVbvmTz+rD86UhMB8GA1UdIwQYMBaAFFaO
+msPwQt4YuUVVbvmTz+rD86UhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD
+AgGGMAoGCCqGSM49BAMCA0gAMEUCIQDyoHoPZgXsgaKUajHgDe6Pau1jMw4nMbPP
+yKAOW4hR+gIgUQ8mRpU3jklOsE3NsWX+LUOrIMeDcEQRE4almzs0JPI=
 -----END CERTIFICATE-----
diff --git a/certs/ca-ecc384-cert.der b/certs/ca-ecc384-cert.der
index 90588b4fa..2b0204519 100644
Binary files a/certs/ca-ecc384-cert.der and b/certs/ca-ecc384-cert.der differ
diff --git a/certs/ca-ecc384-cert.pem b/certs/ca-ecc384-cert.pem
index b7bad2ca7..a02156083 100644
--- a/certs/ca-ecc384-cert.pem
+++ b/certs/ca-ecc384-cert.pem
@@ -1,17 +1,18 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 12132976075216541034 (0xa860fd750798556a)
-    Signature Algorithm: ecdsa-with-SHA384
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            1a:57:7f:62:de:7e:f2:6d:93:d2:83:35:86:82:7f:09:5a:8b:a4:09
+        Signature Algorithm: ecdsa-with-SHA384
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Sep 15 23:07:24 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (384 bit)
-                pub: 
+                pub:
                     04:ee:82:d4:39:9a:b1:27:82:f4:d7:ea:c6:bc:03:
                     1d:4d:83:61:f4:03:ae:7e:bd:d8:5a:a5:b9:f0:8e:
                     a2:a5:da:ce:87:3b:5a:ab:44:16:9c:f5:9f:62:dd:
@@ -32,26 +33,27 @@ Certificate:
             X509v3 Key Usage: critical
                 Digital Signature, Certificate Sign, CRL Sign
     Signature Algorithm: ecdsa-with-SHA384
-         30:65:02:30:47:a2:36:33:f4:27:bd:d0:5c:e6:8d:3e:31:a9:
-         4e:51:57:a9:93:28:72:0a:72:ab:6e:f9:56:c0:f5:70:02:9f:
-         9c:b2:4a:9c:3e:9f:fb:c5:64:26:7a:88:dc:4a:2a:25:02:31:
-         00:88:f8:e2:d5:20:82:f2:de:7b:cb:13:ac:cd:ff:e8:1e:4e:
-         84:3d:9c:af:5d:f9:01:e7:4f:d4:03:09:84:3d:7b:2b:83:e2:
-         ae:08:68:2e:5b:85:6f:43:f5:41:e0:c7:c9
+         30:65:02:30:78:da:52:4f:11:fa:4f:a9:7b:02:af:63:40:a7:
+         54:bf:08:8b:cb:e4:ce:7d:35:38:46:d9:90:40:f5:f1:16:42:
+         e5:ef:7b:b0:8f:3d:b0:a0:07:a6:23:3e:8f:a3:be:57:02:31:
+         00:de:d2:23:84:4c:71:6a:2e:d0:17:73:55:b2:8b:e7:ac:4f:
+         83:21:f8:f1:7a:9a:f5:8b:a5:17:7b:06:03:dc:7e:90:29:81:
+         3e:6f:70:e7:50:f0:d4:a6:96:dc:28:51:96
 -----BEGIN CERTIFICATE-----
-MIICxzCCAk2gAwIBAgIJAKhg/XUHmFVqMAoGCCqGSM49BAMDMIGXMQswCQYDVQQG
-EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G
-A1UECgwHd29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3
-dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe
-Fw0yMTAyMTAxOTQ5NTNaFw0yMzExMDcxOTQ5NTNaMIGXMQswCQYDVQQGEwJVUzET
-MBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UECgwH
-d29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3dy53b2xm
-c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTB2MBAGByqG
-SM49AgEGBSuBBAAiA2IABO6C1DmasSeC9NfqxrwDHU2DYfQDrn692FqlufCOoqXa
-zoc7WqtEFpz1n2Ld9iDNnHY8QLE/lxffWfbN3s1GNcDtXi5ItmaRcXS3DD+5mreD
-vZM/X1AtcD/eNSXhkDuG4KNjMGEwHQYDVR0OBBYEFKvgwyZMGNRyu9KEjJwKBZKA
-ElNSMB8GA1UdIwQYMBaAFKvgwyZMGNRyu9KEjJwKBZKAElNSMA8GA1UdEwEB/wQF
-MAMBAf8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMDA2gAMGUCMEeiNjP0J73Q
-XOaNPjGpTlFXqZMocgpyq275VsD1cAKfnLJKnD6f+8VkJnqI3EoqJQIxAIj44tUg
-gvLee8sTrM3/6B5OhD2cr135AedP1AMJhD17K4PirghoLluFb0P1QeDHyQ==
+MIIC0jCCAligAwIBAgIUGld/Yt5+8m2T0oM1hoJ/CVqLpAkwCgYIKoZIzj0EAwMw
+gZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
+ZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEY
+MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
+bGZzc2wuY29tMB4XDTIxMTIyMDIzMDcyNFoXDTI0MDkxNTIzMDcyNFowgZcxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxl
+MRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UE
+AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
+Y29tMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE7oLUOZqxJ4L01+rGvAMdTYNh9AOu
+fr3YWqW58I6ipdrOhztaq0QWnPWfYt32IM2cdjxAsT+XF99Z9s3ezUY1wO1eLki2
+ZpFxdLcMP7mat4O9kz9fUC1wP941JeGQO4bgo2MwYTAdBgNVHQ4EFgQUq+DDJkwY
+1HK70oSMnAoFkoASU1IwHwYDVR0jBBgwFoAUq+DDJkwY1HK70oSMnAoFkoASU1Iw
+DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwMDaAAw
+ZQIweNpSTxH6T6l7Aq9jQKdUvwiLy+TOfTU4RtmQQPXxFkLl73uwjz2woAemIz6P
+o75XAjEA3tIjhExxai7QF3NVsovnrE+DIfjxepr1i6UXewYD3H6QKYE+b3DnUPDU
+ppbcKFGW
 -----END CERTIFICATE-----
diff --git a/certs/client-ca.pem b/certs/client-ca.pem
index 24788cf89..79757b014 100644
--- a/certs/client-ca.pem
+++ b/certs/client-ca.pem
@@ -1,16 +1,17 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 17391944375755183620 (0xf15c9943663d9604)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_2048, OU=Programming-2048, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            53:16:7c:a0:56:50:46:27:82:ed:60:b4:da:33:d8:6a:c0:ea:dc:31
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_2048, OU = Programming-2048, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:52 2021 GMT
-            Not After : Nov  7 19:49:52 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_2048, OU=Programming-2048, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Sep 15 23:07:24 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_2048, OU = Programming-2048, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:c3:03:d1:2b:fe:39:a4:32:45:3b:53:c8:84:2b:
                     2a:7c:74:9a:bd:aa:2a:52:07:47:d6:a6:36:b2:07:
@@ -37,7 +38,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
                 DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:F1:5C:99:43:66:3D:96:04
+                serial:53:16:7C:A0:56:50:46:27:82:ED:60:B4:DA:33:D8:6A:C0:EA:DC:31
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -46,64 +47,66 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         ba:2b:48:d1:a8:e3:c2:84:42:96:a1:7c:e5:f1:46:ba:4c:f7:
-         87:57:c7:78:c8:c1:32:c4:69:ff:85:bb:5d:6a:dd:c9:87:7e:
-         fe:bb:f4:fd:15:0a:4c:94:95:80:30:90:45:03:f8:33:87:ca:
-         5f:74:38:a4:d0:5a:c7:65:38:c3:b0:e8:87:b1:49:32:b9:ac:
-         e9:fb:d3:08:1d:a4:51:7b:d7:d9:4b:79:35:a2:3a:0b:e4:0c:
-         a0:02:9c:a1:68:e1:5d:6c:8e:2e:3a:24:de:bb:d6:1c:a7:ac:
-         2e:cd:57:44:48:f6:72:e0:c7:5b:93:dc:7d:5b:64:0e:17:84:
-         68:2c:95:1d:2c:86:d6:b0:74:67:51:6e:7b:f4:d5:61:38:51:
-         b3:18:e3:10:16:73:4b:36:8a:8a:62:05:f5:56:8a:be:21:e1:
-         78:7d:bf:ad:45:f9:0b:f5:af:a0:62:01:fd:3f:49:df:39:3c:
-         ff:46:e8:0a:fe:5c:6b:bb:41:a5:64:f1:5c:9b:51:4c:bc:6d:
-         9f:a3:20:ed:e9:48:e1:a9:be:08:2d:85:42:59:d6:43:7d:47:
-         22:a5:fa:1f:a2:58:76:0b:70:1c:1d:59:1d:aa:be:5d:2d:25:
-         7c:b1:06:b6:c0:aa:28:aa:93:7c:d0:bd:43:ad:91:50:1c:7b:
-         4d:f3:e4:d7
+         b8:e8:e3:2a:48:6c:04:8b:f8:81:14:1a:ce:14:ed:c7:f0:d3:
+         cb:9a:91:d9:2c:1d:6e:73:36:8f:a3:61:c4:1f:da:d1:4b:b6:
+         40:d0:6a:c4:2b:43:c8:2f:fb:ee:5a:c9:41:9d:2b:6f:f3:39:
+         67:20:ec:7c:d6:a0:7f:06:79:cd:52:2c:c9:3c:5b:bf:e5:01:
+         47:90:f0:82:88:f1:3d:45:25:f4:d1:4b:ec:ac:3f:1b:ce:a1:
+         0e:61:a0:29:41:f6:21:0e:9f:73:b3:39:34:c4:1e:55:5f:9f:
+         e7:42:ca:ab:8f:3c:62:86:26:94:b5:b7:8b:7c:65:4c:3e:b7:
+         ac:f5:51:0d:a5:14:0f:6f:2b:fe:62:95:26:1e:10:52:ae:44:
+         58:95:dc:b4:c4:76:2f:14:28:64:45:aa:94:61:da:1a:d0:cf:
+         b3:3a:83:c8:66:fb:e8:58:dc:d4:91:4a:9a:e7:c8:b6:ea:f9:
+         52:19:b2:3d:5f:95:29:ac:8b:cf:9b:5c:d6:dd:cd:6b:f2:71:
+         fd:b6:4d:18:98:08:5b:8a:e7:2b:cb:bd:68:97:1c:02:aa:41:
+         59:0d:f8:0e:50:d7:48:6f:81:c4:00:70:56:67:64:1a:b3:56:
+         fc:23:f4:84:49:36:f7:7f:38:94:38:da:40:81:c0:b9:b0:ad:
+         ea:ce:38:f2
 -----BEGIN CERTIFICATE-----
-MIIFBzCCA++gAwIBAgIJAPFcmUNmPZYEMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
-VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMG
-A1UECgwMd29sZlNTTF8yMDQ4MRkwFwYDVQQLDBBQcm9ncmFtbWluZy0yMDQ4MRgw
-FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s
-ZnNzbC5jb20wHhcNMjEwMjEwMTk0OTUyWhcNMjMxMTA3MTk0OTUyWjCBnjELMAkG
-A1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTAT
-BgNVBAoMDHdvbGZTU0xfMjA0ODEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMjA0ODEY
-MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
-bGZzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwwPRK/45
-pDJFO1PIhCsqfHSavaoqUgdH1qY2sgcyjtC6aXvGw0Se1IFI/S1oootnu6F1yDYs
-StIb94u6zw357+zxgR57mwNHmr9lzH9lJGmm6BSJW+Q098WwFJP1Z3s6enjhAVZW
-kaYTQo3SPECcTO/Rht83URsMoTv18aNKNeThzpbfG36/TpfQEOioCDCBryALQxTF
-dGe0MoJvjYbCiECZNoO6HkByIhfXUmUkc7DO7xnNrv94bHvAEgPUTnINUG07ozuj
-mV6dyNkMhbPZitlUJttt+qy7/yVMxNF59HHThkAYE7BjtXJOMMSXhIYtVi/XFfd/
-wK71/Fvl+6G60wIDAQABo4IBRDCCAUAwHQYDVR0OBBYEFDPYRWbXaIcYflQNcCeR
-xybXhWXAMIHTBgNVHSMEgcswgciAFDPYRWbXaIcYflQNcCeRxybXhWXAoYGkpIGh
-MIGeMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96
-ZW1hbjEVMBMGA1UECgwMd29sZlNTTF8yMDQ4MRkwFwYDVQQLDBBQcm9ncmFtbWlu
-Zy0yMDQ4MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEW
-EGluZm9Ad29sZnNzbC5jb22CCQDxXJlDZj2WBDAMBgNVHRMEBTADAQH/MBwGA1Ud
-EQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
-BgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAuitI0ajjwoRClqF85fFGukz3h1fH
-eMjBMsRp/4W7XWrdyYd+/rv0/RUKTJSVgDCQRQP4M4fKX3Q4pNBax2U4w7Doh7FJ
-Mrms6fvTCB2kUXvX2Ut5NaI6C+QMoAKcoWjhXWyOLjok3rvWHKesLs1XREj2cuDH
-W5PcfVtkDheEaCyVHSyG1rB0Z1Fue/TVYThRsxjjEBZzSzaKimIF9VaKviHheH2/
-rUX5C/WvoGIB/T9J3zk8/0boCv5ca7tBpWTxXJtRTLxtn6Mg7elI4am+CC2FQlnW
-Q31HIqX6H6JYdgtwHB1ZHaq+XS0lfLEGtsCqKKqTfNC9Q62RUBx7TfPk1w==
+MIIFHTCCBAWgAwIBAgIUUxZ8oFZQRieC7WC02jPYasDq3DEwDQYJKoZIhvcNAQEL
+BQAwgZ4xCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
+b3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMXzIwNDgxGTAXBgNVBAsMEFByb2dyYW1t
+aW5nLTIwNDgxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJ
+ARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0yMTEyMjAyMzA3MjRaFw0yNDA5MTUyMzA3
+MjRaMIGeMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwH
+Qm96ZW1hbjEVMBMGA1UECgwMd29sZlNTTF8yMDQ4MRkwFwYDVQQLDBBQcm9ncmFt
+bWluZy0yMDQ4MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0B
+CQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDDA9Er/jmkMkU7U8iEKyp8dJq9qipSB0fWpjayBzKO0Lppe8bDRJ7UgUj9
+LWiii2e7oXXINixK0hv3i7rPDfnv7PGBHnubA0eav2XMf2UkaaboFIlb5DT3xbAU
+k/Vnezp6eOEBVlaRphNCjdI8QJxM79GG3zdRGwyhO/Xxo0o15OHOlt8bfr9Ol9AQ
+6KgIMIGvIAtDFMV0Z7Qygm+NhsKIQJk2g7oeQHIiF9dSZSRzsM7vGc2u/3hse8AS
+A9ROcg1QbTujO6OZXp3I2QyFs9mK2VQm2236rLv/JUzE0Xn0cdOGQBgTsGO1ck4w
+xJeEhi1WL9cV93/ArvX8W+X7obrTAgMBAAGjggFPMIIBSzAdBgNVHQ4EFgQUM9hF
+Ztdohxh+VA1wJ5HHJteFZcAwgd4GA1UdIwSB1jCB04AUM9hFZtdohxh+VA1wJ5HH
+JteFZcChgaSkgaEwgZ4xCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAw
+DgYDVQQHDAdCb3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMXzIwNDgxGTAXBgNVBAsM
+EFByb2dyYW1taW5nLTIwNDgxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0G
+CSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUUxZ8oFZQRieC7WC02jPYasDq
+3DEwDAYDVR0TBAUwAwEB/zAcBgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATAd
+BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEB
+ALjo4ypIbASL+IEUGs4U7cfw08uakdksHW5zNo+jYcQf2tFLtkDQasQrQ8gv++5a
+yUGdK2/zOWcg7HzWoH8Gec1SLMk8W7/lAUeQ8IKI8T1FJfTRS+ysPxvOoQ5hoClB
+9iEOn3OzOTTEHlVfn+dCyquPPGKGJpS1t4t8ZUw+t6z1UQ2lFA9vK/5ilSYeEFKu
+RFiV3LTEdi8UKGRFqpRh2hrQz7M6g8hm++hY3NSRSprnyLbq+VIZsj1flSmsi8+b
+XNbdzWvycf22TRiYCFuK5yvLvWiXHAKqQVkN+A5Q10hvgcQAcFZnZBqzVvwj9IRJ
+Nvd/OJQ42kCBwLmwrerOOPI=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 16666221217456835267 (0xe74a4fe55697cac3)
-    Signature Algorithm: ecdsa-with-SHA256
-        Issuer: C=US, ST=Oregon, L=Salem, O=Client ECC, OU=Fast, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            3e:8d:40:a1:0b:e2:5f:d9:7f:b1:f3:ae:73:40:92:c1:d8:aa:f0:65
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Oregon, L = Salem, O = Client ECC, OU = Fast, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Oregon, L=Salem, O=Client ECC, OU=Fast, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Oregon, L = Salem, O = Client ECC, OU = Fast, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
-                pub: 
+                pub:
                     04:55:bf:f4:0f:44:50:9a:3d:ce:9b:b7:f0:c5:4d:
                     f5:70:7b:d4:ec:24:8e:19:80:ec:5a:4c:a2:24:03:
                     62:2c:9b:da:ef:a2:35:12:43:84:76:16:c6:56:95:
@@ -117,7 +120,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:EB:D4:4B:59:6B:95:61:3F:51:57:B6:04:4D:89:41:88:44:5C:AB:F2
                 DirName:/C=US/ST=Oregon/L=Salem/O=Client ECC/OU=Fast/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:E7:4A:4F:E5:56:97:CA:C3
+                serial:3E:8D:40:A1:0B:E2:5F:D9:7F:B1:F3:AE:73:40:92:C1:D8:AA:F0:65
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -126,27 +129,28 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: ecdsa-with-SHA256
-         30:46:02:21:00:e3:bb:ca:0e:31:2d:39:1d:94:25:81:90:d5:
-         11:f9:09:6d:58:16:23:be:9f:a9:18:64:83:3c:25:03:58:58:
-         39:02:21:00:a4:aa:b3:f0:09:c9:0c:2f:f7:b1:d4:8e:9f:a6:
-         b6:ab:1a:c7:37:ed:70:4d:34:04:a0:9b:3d:84:86:10:a0:f0
+         30:45:02:21:00:dd:a7:dd:14:ac:16:24:2f:39:34:83:a2:28:
+         e8:ba:73:2a:24:d3:56:cf:3d:3b:c9:46:91:4e:72:6c:62:9a:
+         c7:02:20:5f:02:f5:a4:d1:f1:f8:9c:03:8e:fe:c5:4e:dc:d5:
+         b0:f9:eb:ad:44:0f:26:35:93:0e:a3:76:ec:e0:a6:8b:ff
 -----BEGIN CERTIFICATE-----
-MIIDSTCCAu6gAwIBAgIJAOdKT+VWl8rDMAoGCCqGSM49BAMCMIGNMQswCQYDVQQG
-EwJVUzEPMA0GA1UECAwGT3JlZ29uMQ4wDAYDVQQHDAVTYWxlbTETMBEGA1UECgwK
-Q2xpZW50IEVDQzENMAsGA1UECwwERmFzdDEYMBYGA1UEAwwPd3d3LndvbGZzc2wu
-Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMDIxMDE5
-NDk1M1oXDTIzMTEwNzE5NDk1M1owgY0xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZP
-cmVnb24xDjAMBgNVBAcMBVNhbGVtMRMwEQYDVQQKDApDbGllbnQgRUNDMQ0wCwYD
-VQQLDARGYXN0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0B
-CQEWEGluZm9Ad29sZnNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARV
-v/QPRFCaPc6bt/DFTfVwe9TsJI4ZgOxaTKIkA2Ism9rvojUSQ4R2FsZWlQbMAam9
-9nUaQve9qbI2Il/HXX+0o4IBMzCCAS8wHQYDVR0OBBYEFOvUS1lrlWE/UVe2BE2J
-QYhEXKvyMIHCBgNVHSMEgbowgbeAFOvUS1lrlWE/UVe2BE2JQYhEXKvyoYGTpIGQ
-MIGNMQswCQYDVQQGEwJVUzEPMA0GA1UECAwGT3JlZ29uMQ4wDAYDVQQHDAVTYWxl
-bTETMBEGA1UECgwKQ2xpZW50IEVDQzENMAsGA1UECwwERmFzdDEYMBYGA1UEAwwP
-d3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
-ggkA50pP5VaXysMwDAYDVR0TBAUwAwEB/zAcBgNVHREEFTATggtleGFtcGxlLmNv
-bYcEfwAAATAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0E
-AwIDSQAwRgIhAOO7yg4xLTkdlCWBkNUR+QltWBYjvp+pGGSDPCUDWFg5AiEApKqz
-8AnJDC/3sdSOn6a2qxrHN+1wTTQEoJs9hIYQoPA=
+MIIDXjCCAwSgAwIBAgIUPo1AoQviX9l/sfOuc0CSwdiq8GUwCgYIKoZIzj0EAwIw
+gY0xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xDjAMBgNVBAcMBVNhbGVt
+MRMwEQYDVQQKDApDbGllbnQgRUNDMQ0wCwYDVQQLDARGYXN0MRgwFgYDVQQDDA93
+d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20w
+HhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBjTELMAkGA1UEBhMCVVMx
+DzANBgNVBAgMBk9yZWdvbjEOMAwGA1UEBwwFU2FsZW0xEzARBgNVBAoMCkNsaWVu
+dCBFQ0MxDTALBgNVBAsMBEZhc3QxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEf
+MB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqGSM49AgEGCCqG
+SM49AwEHA0IABFW/9A9EUJo9zpu38MVN9XB71OwkjhmA7FpMoiQDYiyb2u+iNRJD
+hHYWxlaVBswBqb32dRpC972psjYiX8ddf7SjggE+MIIBOjAdBgNVHQ4EFgQU69RL
+WWuVYT9RV7YETYlBiERcq/Iwgc0GA1UdIwSBxTCBwoAU69RLWWuVYT9RV7YETYlB
+iERcq/KhgZOkgZAwgY0xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xDjAM
+BgNVBAcMBVNhbGVtMRMwEQYDVQQKDApDbGllbnQgRUNDMQ0wCwYDVQQLDARGYXN0
+MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9A
+d29sZnNzbC5jb22CFD6NQKEL4l/Zf7HzrnNAksHYqvBlMAwGA1UdEwQFMAMBAf8w
+HAYDVR0RBBUwE4ILZXhhbXBsZS5jb22HBH8AAAEwHQYDVR0lBBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMAoGCCqGSM49BAMCA0gAMEUCIQDdp90UrBYkLzk0g6Io6Lpz
+KiTTVs89O8lGkU5ybGKaxwIgXwL1pNHx+JwDjv7FTtzVsPnrrUQPJjWTDqN27OCm
+i/8=
 -----END CERTIFICATE-----
diff --git a/certs/client-cert-ext.der b/certs/client-cert-ext.der
index d58a1dbf3..c27230590 100644
Binary files a/certs/client-cert-ext.der and b/certs/client-cert-ext.der differ
diff --git a/certs/client-cert-ext.pem b/certs/client-cert-ext.pem
index b50da7104..092fcf69d 100644
--- a/certs/client-cert-ext.pem
+++ b/certs/client-cert-ext.pem
@@ -2,12 +2,12 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            7e:ff:c6:42:4f:83:8b:1f:1a:9d:4e:2f:ba:27:9f:97:d7:e2:ea:ab
+            49:5a:8b:94:7d:d7:9e:20:53:f4:6c:ea:2a:93:28:4e:2d:50:d3:66
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_2048, OU = Programming-2048, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Sep 20 14:13:15 2019 GMT
-            Not After : Jun 16 14:13:15 2022 GMT
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Sep 15 23:07:24 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_2048, OU = Programming-2048, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -38,7 +38,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
                 DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:7E:FF:C6:42:4F:83:8B:1F:1A:9D:4E:2F:BA:27:9F:97:D7:E2:EA:AB
+                serial:49:5A:8B:94:7D:D7:9E:20:53:F4:6C:EA:2A:93:28:4E:2D:50:D3:66
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -47,28 +47,28 @@ Certificate:
             X509v3 Key Usage: critical
                 Digital Signature, Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         46:c2:a5:a6:32:84:b0:68:03:41:de:37:da:c3:b8:46:71:3a:
-         31:aa:1a:f0:81:28:c3:07:37:61:17:7d:10:45:ee:ef:cd:c0:
-         19:2f:9e:95:01:5d:d6:09:13:8e:19:ea:da:27:75:66:21:e1:
-         bd:f8:97:a0:b5:8b:9e:71:13:26:75:50:34:f5:ac:8e:f8:d3:
-         89:d7:52:0a:f2:5f:3e:07:c2:02:e0:36:73:75:30:a9:5a:ba:
-         24:ef:fb:28:08:0d:31:53:84:3d:fd:1d:92:f9:15:da:01:7c:
-         20:70:d5:b6:0d:ea:3a:f1:85:90:b1:c3:b7:71:20:cb:03:22:
-         f3:8f:e5:02:4f:b1:77:1c:97:17:2c:3b:e9:41:1a:18:7c:89:
-         d9:8e:5f:34:6c:66:9c:61:79:f5:bd:df:68:2e:14:cc:11:d7:
-         e5:ce:9f:8a:0d:86:94:15:86:fa:32:0f:90:18:d1:2d:df:16:
-         56:58:09:25:91:21:c2:d3:f6:7e:c8:49:aa:00:d7:61:c7:9d:
-         d2:23:b1:7f:96:b0:79:6e:8b:09:38:2f:13:e1:48:9e:9a:28:
-         d4:08:44:73:29:52:49:eb:9d:fb:a6:f8:1f:2e:c5:d3:31:52:
-         86:ea:18:99:1d:73:ab:4b:f3:7c:6f:f5:84:c3:96:fb:02:36:
-         d9:13:64:8b
+         a0:ef:c6:76:4c:e4:0e:69:ef:eb:a3:67:60:58:97:b1:cc:a2:
+         d5:b5:25:a1:7a:5f:83:50:94:ce:2a:46:bb:4d:b0:63:64:d8:
+         67:8f:52:3c:41:76:c6:7f:6f:56:1c:5f:d6:70:60:b5:1f:4b:
+         b7:ff:b4:d5:2c:2d:89:c3:c4:d8:ca:d6:43:be:78:59:21:80:
+         78:fa:ea:e3:0e:b4:34:1f:18:8b:9c:5f:37:05:1b:8e:d6:59:
+         11:d4:30:2c:a4:9d:0b:3c:e8:cf:0b:26:cb:88:1e:bb:42:dd:
+         15:80:a8:d4:25:70:d5:2b:0c:0e:b4:cd:4f:97:d6:9c:aa:3a:
+         b9:97:71:e7:54:47:0b:fb:de:9f:ae:95:ad:40:72:87:f4:de:
+         87:2b:82:a9:c4:b9:f1:97:25:08:c0:48:aa:9f:f1:0c:3c:3b:
+         3f:72:6d:24:8e:43:09:82:6f:ca:10:b4:16:63:07:3f:51:c5:
+         0d:9d:4e:eb:0b:ea:07:02:9f:ac:63:1d:27:6a:f8:f9:03:e4:
+         1a:e5:11:e2:82:46:43:a3:50:6e:ef:1c:25:08:a1:9a:7e:0a:
+         f4:51:34:10:de:b4:cb:ee:4c:7e:37:67:67:5d:11:26:1d:90:
+         f6:e4:a8:8e:8b:87:b5:3c:1b:b5:34:00:e7:78:05:c0:94:7c:
+         57:9a:ff:f5
 -----BEGIN CERTIFICATE-----
-MIIFCDCCA/CgAwIBAgIUfv/GQk+Dix8anU4vuiefl9fi6qswDQYJKoZIhvcNAQEL
+MIIFCDCCA/CgAwIBAgIUSVqLlH3XniBT9GzqKpMoTi1Q02YwDQYJKoZIhvcNAQEL
 BQAwgZ4xCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
 b3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMXzIwNDgxGTAXBgNVBAsMEFByb2dyYW1t
 aW5nLTIwNDgxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJ
-ARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0xOTA5MjAxNDEzMTVaFw0yMjA2MTYxNDEz
-MTVaMIGeMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwH
+ARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0yMTEyMjAyMzA3MjRaFw0yNDA5MTUyMzA3
+MjRaMIGeMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwH
 Qm96ZW1hbjEVMBMGA1UECgwMd29sZlNTTF8yMDQ4MRkwFwYDVQQLDBBQcm9ncmFt
 bWluZy0yMDQ4MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0B
 CQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
@@ -82,12 +82,12 @@ Ztdohxh+VA1wJ5HHJteFZcAwgd4GA1UdIwSB1jCB04AUM9hFZtdohxh+VA1wJ5HH
 JteFZcChgaSkgaEwgZ4xCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAw
 DgYDVQQHDAdCb3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMXzIwNDgxGTAXBgNVBAsM
 EFByb2dyYW1taW5nLTIwNDgxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0G
-CSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUfv/GQk+Dix8anU4vuiefl9fi
-6qswDAYDVR0TBAUwAwEB/zAWBgNVHREEDzANggtleGFtcGxlLmNvbTAOBgNVHQ8B
-Af8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAEbCpaYyhLBoA0HeN9rDuEZxOjGq
-GvCBKMMHN2EXfRBF7u/NwBkvnpUBXdYJE44Z6tondWYh4b34l6C1i55xEyZ1UDT1
-rI7404nXUgryXz4HwgLgNnN1MKlauiTv+ygIDTFThD39HZL5FdoBfCBw1bYN6jrx
-hZCxw7dxIMsDIvOP5QJPsXcclxcsO+lBGhh8idmOXzRsZpxhefW932guFMwR1+XO
-n4oNhpQVhvoyD5AY0S3fFlZYCSWRIcLT9n7ISaoA12HHndIjsX+WsHluiwk4LxPh
-SJ6aKNQIRHMpUknrnfum+B8uxdMxUobqGJkdc6tL83xv9YTDlvsCNtkTZIs=
+CSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUSVqLlH3XniBT9GzqKpMoTi1Q
+02YwDAYDVR0TBAUwAwEB/zAWBgNVHREEDzANggtleGFtcGxlLmNvbTAOBgNVHQ8B
+Af8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAKDvxnZM5A5p7+ujZ2BYl7HMotW1
+JaF6X4NQlM4qRrtNsGNk2GePUjxBdsZ/b1YcX9ZwYLUfS7f/tNUsLYnDxNjK1kO+
+eFkhgHj66uMOtDQfGIucXzcFG47WWRHUMCyknQs86M8LJsuIHrtC3RWAqNQlcNUr
+DA60zU+X1pyqOrmXcedURwv73p+ula1Acof03ocrgqnEufGXJQjASKqf8Qw8Oz9y
+bSSOQwmCb8oQtBZjBz9RxQ2dTusL6gcCn6xjHSdq+PkD5BrlEeKCRkOjUG7vHCUI
+oZp+CvRRNBDetMvuTH43Z2ddESYdkPbkqI6Lh7U8G7U0AOd4BcCUfFea//U=
 -----END CERTIFICATE-----
diff --git a/certs/client-cert.der b/certs/client-cert.der
index 088abd900..857b8336c 100644
Binary files a/certs/client-cert.der and b/certs/client-cert.der differ
diff --git a/certs/client-cert.pem b/certs/client-cert.pem
index 87480f2e0..16c2975d7 100644
--- a/certs/client-cert.pem
+++ b/certs/client-cert.pem
@@ -1,16 +1,17 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 17391944375755183620 (0xf15c9943663d9604)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_2048, OU=Programming-2048, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            53:16:7c:a0:56:50:46:27:82:ed:60:b4:da:33:d8:6a:c0:ea:dc:31
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_2048, OU = Programming-2048, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:52 2021 GMT
-            Not After : Nov  7 19:49:52 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_2048, OU=Programming-2048, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Sep 15 23:07:24 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_2048, OU = Programming-2048, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:c3:03:d1:2b:fe:39:a4:32:45:3b:53:c8:84:2b:
                     2a:7c:74:9a:bd:aa:2a:52:07:47:d6:a6:36:b2:07:
@@ -37,7 +38,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
                 DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:F1:5C:99:43:66:3D:96:04
+                serial:53:16:7C:A0:56:50:46:27:82:ED:60:B4:DA:33:D8:6A:C0:EA:DC:31
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -46,47 +47,48 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         ba:2b:48:d1:a8:e3:c2:84:42:96:a1:7c:e5:f1:46:ba:4c:f7:
-         87:57:c7:78:c8:c1:32:c4:69:ff:85:bb:5d:6a:dd:c9:87:7e:
-         fe:bb:f4:fd:15:0a:4c:94:95:80:30:90:45:03:f8:33:87:ca:
-         5f:74:38:a4:d0:5a:c7:65:38:c3:b0:e8:87:b1:49:32:b9:ac:
-         e9:fb:d3:08:1d:a4:51:7b:d7:d9:4b:79:35:a2:3a:0b:e4:0c:
-         a0:02:9c:a1:68:e1:5d:6c:8e:2e:3a:24:de:bb:d6:1c:a7:ac:
-         2e:cd:57:44:48:f6:72:e0:c7:5b:93:dc:7d:5b:64:0e:17:84:
-         68:2c:95:1d:2c:86:d6:b0:74:67:51:6e:7b:f4:d5:61:38:51:
-         b3:18:e3:10:16:73:4b:36:8a:8a:62:05:f5:56:8a:be:21:e1:
-         78:7d:bf:ad:45:f9:0b:f5:af:a0:62:01:fd:3f:49:df:39:3c:
-         ff:46:e8:0a:fe:5c:6b:bb:41:a5:64:f1:5c:9b:51:4c:bc:6d:
-         9f:a3:20:ed:e9:48:e1:a9:be:08:2d:85:42:59:d6:43:7d:47:
-         22:a5:fa:1f:a2:58:76:0b:70:1c:1d:59:1d:aa:be:5d:2d:25:
-         7c:b1:06:b6:c0:aa:28:aa:93:7c:d0:bd:43:ad:91:50:1c:7b:
-         4d:f3:e4:d7
+         b8:e8:e3:2a:48:6c:04:8b:f8:81:14:1a:ce:14:ed:c7:f0:d3:
+         cb:9a:91:d9:2c:1d:6e:73:36:8f:a3:61:c4:1f:da:d1:4b:b6:
+         40:d0:6a:c4:2b:43:c8:2f:fb:ee:5a:c9:41:9d:2b:6f:f3:39:
+         67:20:ec:7c:d6:a0:7f:06:79:cd:52:2c:c9:3c:5b:bf:e5:01:
+         47:90:f0:82:88:f1:3d:45:25:f4:d1:4b:ec:ac:3f:1b:ce:a1:
+         0e:61:a0:29:41:f6:21:0e:9f:73:b3:39:34:c4:1e:55:5f:9f:
+         e7:42:ca:ab:8f:3c:62:86:26:94:b5:b7:8b:7c:65:4c:3e:b7:
+         ac:f5:51:0d:a5:14:0f:6f:2b:fe:62:95:26:1e:10:52:ae:44:
+         58:95:dc:b4:c4:76:2f:14:28:64:45:aa:94:61:da:1a:d0:cf:
+         b3:3a:83:c8:66:fb:e8:58:dc:d4:91:4a:9a:e7:c8:b6:ea:f9:
+         52:19:b2:3d:5f:95:29:ac:8b:cf:9b:5c:d6:dd:cd:6b:f2:71:
+         fd:b6:4d:18:98:08:5b:8a:e7:2b:cb:bd:68:97:1c:02:aa:41:
+         59:0d:f8:0e:50:d7:48:6f:81:c4:00:70:56:67:64:1a:b3:56:
+         fc:23:f4:84:49:36:f7:7f:38:94:38:da:40:81:c0:b9:b0:ad:
+         ea:ce:38:f2
 -----BEGIN CERTIFICATE-----
-MIIFBzCCA++gAwIBAgIJAPFcmUNmPZYEMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
-VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMG
-A1UECgwMd29sZlNTTF8yMDQ4MRkwFwYDVQQLDBBQcm9ncmFtbWluZy0yMDQ4MRgw
-FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s
-ZnNzbC5jb20wHhcNMjEwMjEwMTk0OTUyWhcNMjMxMTA3MTk0OTUyWjCBnjELMAkG
-A1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTAT
-BgNVBAoMDHdvbGZTU0xfMjA0ODEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMjA0ODEY
-MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
-bGZzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwwPRK/45
-pDJFO1PIhCsqfHSavaoqUgdH1qY2sgcyjtC6aXvGw0Se1IFI/S1oootnu6F1yDYs
-StIb94u6zw357+zxgR57mwNHmr9lzH9lJGmm6BSJW+Q098WwFJP1Z3s6enjhAVZW
-kaYTQo3SPECcTO/Rht83URsMoTv18aNKNeThzpbfG36/TpfQEOioCDCBryALQxTF
-dGe0MoJvjYbCiECZNoO6HkByIhfXUmUkc7DO7xnNrv94bHvAEgPUTnINUG07ozuj
-mV6dyNkMhbPZitlUJttt+qy7/yVMxNF59HHThkAYE7BjtXJOMMSXhIYtVi/XFfd/
-wK71/Fvl+6G60wIDAQABo4IBRDCCAUAwHQYDVR0OBBYEFDPYRWbXaIcYflQNcCeR
-xybXhWXAMIHTBgNVHSMEgcswgciAFDPYRWbXaIcYflQNcCeRxybXhWXAoYGkpIGh
-MIGeMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96
-ZW1hbjEVMBMGA1UECgwMd29sZlNTTF8yMDQ4MRkwFwYDVQQLDBBQcm9ncmFtbWlu
-Zy0yMDQ4MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEW
-EGluZm9Ad29sZnNzbC5jb22CCQDxXJlDZj2WBDAMBgNVHRMEBTADAQH/MBwGA1Ud
-EQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
-BgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAuitI0ajjwoRClqF85fFGukz3h1fH
-eMjBMsRp/4W7XWrdyYd+/rv0/RUKTJSVgDCQRQP4M4fKX3Q4pNBax2U4w7Doh7FJ
-Mrms6fvTCB2kUXvX2Ut5NaI6C+QMoAKcoWjhXWyOLjok3rvWHKesLs1XREj2cuDH
-W5PcfVtkDheEaCyVHSyG1rB0Z1Fue/TVYThRsxjjEBZzSzaKimIF9VaKviHheH2/
-rUX5C/WvoGIB/T9J3zk8/0boCv5ca7tBpWTxXJtRTLxtn6Mg7elI4am+CC2FQlnW
-Q31HIqX6H6JYdgtwHB1ZHaq+XS0lfLEGtsCqKKqTfNC9Q62RUBx7TfPk1w==
+MIIFHTCCBAWgAwIBAgIUUxZ8oFZQRieC7WC02jPYasDq3DEwDQYJKoZIhvcNAQEL
+BQAwgZ4xCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
+b3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMXzIwNDgxGTAXBgNVBAsMEFByb2dyYW1t
+aW5nLTIwNDgxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJ
+ARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0yMTEyMjAyMzA3MjRaFw0yNDA5MTUyMzA3
+MjRaMIGeMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwH
+Qm96ZW1hbjEVMBMGA1UECgwMd29sZlNTTF8yMDQ4MRkwFwYDVQQLDBBQcm9ncmFt
+bWluZy0yMDQ4MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0B
+CQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDDA9Er/jmkMkU7U8iEKyp8dJq9qipSB0fWpjayBzKO0Lppe8bDRJ7UgUj9
+LWiii2e7oXXINixK0hv3i7rPDfnv7PGBHnubA0eav2XMf2UkaaboFIlb5DT3xbAU
+k/Vnezp6eOEBVlaRphNCjdI8QJxM79GG3zdRGwyhO/Xxo0o15OHOlt8bfr9Ol9AQ
+6KgIMIGvIAtDFMV0Z7Qygm+NhsKIQJk2g7oeQHIiF9dSZSRzsM7vGc2u/3hse8AS
+A9ROcg1QbTujO6OZXp3I2QyFs9mK2VQm2236rLv/JUzE0Xn0cdOGQBgTsGO1ck4w
+xJeEhi1WL9cV93/ArvX8W+X7obrTAgMBAAGjggFPMIIBSzAdBgNVHQ4EFgQUM9hF
+Ztdohxh+VA1wJ5HHJteFZcAwgd4GA1UdIwSB1jCB04AUM9hFZtdohxh+VA1wJ5HH
+JteFZcChgaSkgaEwgZ4xCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAw
+DgYDVQQHDAdCb3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMXzIwNDgxGTAXBgNVBAsM
+EFByb2dyYW1taW5nLTIwNDgxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0G
+CSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUUxZ8oFZQRieC7WC02jPYasDq
+3DEwDAYDVR0TBAUwAwEB/zAcBgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATAd
+BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEB
+ALjo4ypIbASL+IEUGs4U7cfw08uakdksHW5zNo+jYcQf2tFLtkDQasQrQ8gv++5a
+yUGdK2/zOWcg7HzWoH8Gec1SLMk8W7/lAUeQ8IKI8T1FJfTRS+ysPxvOoQ5hoClB
+9iEOn3OzOTTEHlVfn+dCyquPPGKGJpS1t4t8ZUw+t6z1UQ2lFA9vK/5ilSYeEFKu
+RFiV3LTEdi8UKGRFqpRh2hrQz7M6g8hm++hY3NSRSprnyLbq+VIZsj1flSmsi8+b
+XNbdzWvycf22TRiYCFuK5yvLvWiXHAKqQVkN+A5Q10hvgcQAcFZnZBqzVvwj9IRJ
+Nvd/OJQ42kCBwLmwrerOOPI=
 -----END CERTIFICATE-----
diff --git a/certs/client-crl-dist.der b/certs/client-crl-dist.der
index 60553fe4c..bfe203bed 100644
Binary files a/certs/client-crl-dist.der and b/certs/client-crl-dist.der differ
diff --git a/certs/client-crl-dist.pem b/certs/client-crl-dist.pem
index df53d1c09..76f013f2d 100644
--- a/certs/client-crl-dist.pem
+++ b/certs/client-crl-dist.pem
@@ -2,12 +2,12 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            4e:b5:44:5a:f6:c7:eb:36:14:4d:24:cf:36:17:41:be:87:f1:52:d9
+            60:ee:3f:b5:d7:49:3d:a8:9b:a7:c6:c9:4d:fd:d4:aa:3f:d4:b1:b1
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_2048, OU = CRL_DIST, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Aug  5 20:11:31 2021 GMT
-            Not After : May  1 20:11:31 2024 GMT
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Sep 15 23:07:24 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_2048, OU = CRL_DIST, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -39,27 +39,27 @@ Certificate:
                   URI:http://www.wolfssl.com/crl.pem
 
     Signature Algorithm: sha256WithRSAEncryption
-         09:17:d1:10:ce:7d:ae:6f:ec:cf:5e:1d:38:1e:87:3b:41:7c:
-         30:b1:83:80:f8:6f:6d:4b:c9:91:f0:5c:cc:11:58:cf:ab:cd:
-         84:30:c2:e3:76:01:87:47:3a:ee:d9:1b:56:f6:dd:7a:4e:8c:
-         db:a9:af:46:98:56:80:81:57:e2:2d:e7:0d:bb:a4:3e:b4:b3:
-         d4:9d:fd:cc:06:56:13:4d:c0:18:2a:f0:4c:b9:2e:af:26:a6:
-         3a:2f:02:77:93:7d:92:de:c0:69:96:d4:c3:65:1e:6e:f8:7c:
-         c6:9b:12:87:a3:dd:9c:53:a7:e4:8f:d8:1e:cb:6c:0f:34:25:
-         a5:4a:70:f5:d8:de:44:dd:d9:f1:53:ed:3c:5d:77:0d:03:ae:
-         a5:6b:98:c2:53:d2:72:7f:7f:ee:ff:e3:2c:a0:56:be:c1:a7:
-         a3:16:9d:8e:0a:3c:69:1f:35:b1:31:00:0f:f4:72:a3:0a:e6:
-         6f:87:9b:e1:b2:e6:bd:57:fd:d2:84:99:48:dc:07:37:c4:a1:
-         c9:ad:55:6e:98:db:64:dc:74:83:21:32:9c:a8:a9:66:e6:06:
-         60:1d:22:86:70:61:6a:13:27:c7:7b:50:b3:37:cc:b2:cb:39:
-         fd:b6:02:60:c1:52:de:51:f1:fb:62:46:22:8a:37:ac:f0:17:
-         fe:42:79:cd
+         36:98:93:7f:51:bf:cb:d3:ed:2f:91:89:5e:0f:4c:a0:64:3e:
+         6a:ea:26:df:79:4b:a0:b0:89:a4:fe:87:e0:c0:84:da:cf:62:
+         53:46:60:f1:ef:44:8e:a5:67:c9:d8:98:c5:6d:de:be:5e:2a:
+         04:73:d0:28:e6:26:8b:5a:28:e5:9d:c2:93:09:76:ae:5e:29:
+         56:7e:82:9d:64:72:fc:c7:c7:58:59:40:e8:64:ad:ab:f7:58:
+         88:e4:4b:72:54:30:4b:d5:08:48:9a:93:4d:c2:74:89:83:63:
+         c5:be:16:21:a3:9f:19:77:74:8f:77:46:77:67:a4:39:06:2a:
+         c6:a8:78:96:e3:98:f6:6d:74:81:30:8b:ec:a1:b7:5a:63:69:
+         1d:3b:13:31:b8:1b:8d:b2:6d:43:a5:cf:55:9c:ea:89:72:0d:
+         f5:ad:cb:e7:35:a3:f5:fc:8a:65:a6:2d:7f:f8:19:5a:7c:27:
+         a1:18:d0:2a:e5:6a:ad:5e:fb:08:cc:72:fd:af:1b:f4:9d:2e:
+         1e:29:80:4e:eb:9d:85:59:2a:d9:b9:2b:a1:de:63:56:a5:e0:
+         17:ae:af:da:18:f9:e6:83:55:f3:62:09:ff:fc:2e:1b:49:13:
+         69:1a:bd:27:81:a5:d0:6c:54:21:52:1b:55:b2:3e:14:b5:6f:
+         6a:ab:68:52
 -----BEGIN CERTIFICATE-----
-MIID7zCCAtegAwIBAgIUTrVEWvbH6zYUTSTPNhdBvofxUtkwDQYJKoZIhvcNAQEL
+MIID7zCCAtegAwIBAgIUYO4/tddJPaibp8bJTf3Uqj/UsbEwDQYJKoZIhvcNAQEL
 BQAwgZYxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
 b3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMXzIwNDgxETAPBgNVBAsMCENSTF9ESVNU
 MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9A
-d29sZnNzbC5jb20wHhcNMjEwODA1MjAxMTMxWhcNMjQwNTAxMjAxMTMxWjCBljEL
+d29sZnNzbC5jb20wHhcNMjExMjIwMjMwNzI0WhcNMjQwOTE1MjMwNzI0WjCBljEL
 MAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4x
 FTATBgNVBAoMDHdvbGZTU0xfMjA0ODERMA8GA1UECwwIQ1JMX0RJU1QxGDAWBgNV
 BAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns
@@ -70,11 +70,11 @@ us8N+e/s8YEee5sDR5q/Zcx/ZSRppugUiVvkNPfFsBST9Wd7Onp44QFWVpGmE0KN
 b42GwohAmTaDuh5AciIX11JlJHOwzu8Zza7/eGx7wBID1E5yDVBtO6M7o5lencjZ
 DIWz2YrZVCbbbfqsu/8lTMTRefRx04ZAGBOwY7VyTjDEl4SGLVYv1xX3f8Cu9fxb
 5fuhutMCAwEAAaMzMDEwLwYDVR0fBCgwJjAkoCKgIIYeaHR0cDovL3d3dy53b2xm
-c3NsLmNvbS9jcmwucGVtMA0GCSqGSIb3DQEBCwUAA4IBAQAJF9EQzn2ub+zPXh04
-Hoc7QXwwsYOA+G9tS8mR8FzMEVjPq82EMMLjdgGHRzru2RtW9t16Tozbqa9GmFaA
-gVfiLecNu6Q+tLPUnf3MBlYTTcAYKvBMuS6vJqY6LwJ3k32S3sBpltTDZR5u+HzG
-mxKHo92cU6fkj9gey2wPNCWlSnD12N5E3dnxU+08XXcNA66la5jCU9Jyf3/u/+Ms
-oFa+waejFp2OCjxpHzWxMQAP9HKjCuZvh5vhsua9V/3ShJlI3Ac3xKHJrVVumNtk
-3HSDITKcqKlm5gZgHSKGcGFqEyfHe1CzN8yyyzn9tgJgwVLeUfH7YkYiijes8Bf+
-QnnN
+c3NsLmNvbS9jcmwucGVtMA0GCSqGSIb3DQEBCwUAA4IBAQA2mJN/Ub/L0+0vkYle
+D0ygZD5q6ibfeUugsImk/ofgwITaz2JTRmDx70SOpWfJ2JjFbd6+XioEc9Ao5iaL
+WijlncKTCXauXilWfoKdZHL8x8dYWUDoZK2r91iI5EtyVDBL1QhImpNNwnSJg2PF
+vhYho58Zd3SPd0Z3Z6Q5BirGqHiW45j2bXSBMIvsobdaY2kdOxMxuBuNsm1Dpc9V
+nOqJcg31rcvnNaP1/Iplpi1/+BlafCehGNAq5WqtXvsIzHL9rxv0nS4eKYBO652F
+WSrZuSuh3mNWpeAXrq/aGPnmg1XzYgn//C4bSRNpGr0ngaXQbFQhUhtVsj4UtW9q
+q2hS
 -----END CERTIFICATE-----
diff --git a/certs/client-ecc-cert.der b/certs/client-ecc-cert.der
index 9d87cc3dd..5cf2ff67c 100644
Binary files a/certs/client-ecc-cert.der and b/certs/client-ecc-cert.der differ
diff --git a/certs/client-ecc-cert.pem b/certs/client-ecc-cert.pem
index 81f676e92..211028755 100644
--- a/certs/client-ecc-cert.pem
+++ b/certs/client-ecc-cert.pem
@@ -1,17 +1,18 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 16666221217456835267 (0xe74a4fe55697cac3)
-    Signature Algorithm: ecdsa-with-SHA256
-        Issuer: C=US, ST=Oregon, L=Salem, O=Client ECC, OU=Fast, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            3e:8d:40:a1:0b:e2:5f:d9:7f:b1:f3:ae:73:40:92:c1:d8:aa:f0:65
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Oregon, L = Salem, O = Client ECC, OU = Fast, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Oregon, L=Salem, O=Client ECC, OU=Fast, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Oregon, L = Salem, O = Client ECC, OU = Fast, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
-                pub: 
+                pub:
                     04:55:bf:f4:0f:44:50:9a:3d:ce:9b:b7:f0:c5:4d:
                     f5:70:7b:d4:ec:24:8e:19:80:ec:5a:4c:a2:24:03:
                     62:2c:9b:da:ef:a2:35:12:43:84:76:16:c6:56:95:
@@ -25,7 +26,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:EB:D4:4B:59:6B:95:61:3F:51:57:B6:04:4D:89:41:88:44:5C:AB:F2
                 DirName:/C=US/ST=Oregon/L=Salem/O=Client ECC/OU=Fast/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:E7:4A:4F:E5:56:97:CA:C3
+                serial:3E:8D:40:A1:0B:E2:5F:D9:7F:B1:F3:AE:73:40:92:C1:D8:AA:F0:65
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -34,27 +35,28 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: ecdsa-with-SHA256
-         30:46:02:21:00:e3:bb:ca:0e:31:2d:39:1d:94:25:81:90:d5:
-         11:f9:09:6d:58:16:23:be:9f:a9:18:64:83:3c:25:03:58:58:
-         39:02:21:00:a4:aa:b3:f0:09:c9:0c:2f:f7:b1:d4:8e:9f:a6:
-         b6:ab:1a:c7:37:ed:70:4d:34:04:a0:9b:3d:84:86:10:a0:f0
+         30:45:02:21:00:dd:a7:dd:14:ac:16:24:2f:39:34:83:a2:28:
+         e8:ba:73:2a:24:d3:56:cf:3d:3b:c9:46:91:4e:72:6c:62:9a:
+         c7:02:20:5f:02:f5:a4:d1:f1:f8:9c:03:8e:fe:c5:4e:dc:d5:
+         b0:f9:eb:ad:44:0f:26:35:93:0e:a3:76:ec:e0:a6:8b:ff
 -----BEGIN CERTIFICATE-----
-MIIDSTCCAu6gAwIBAgIJAOdKT+VWl8rDMAoGCCqGSM49BAMCMIGNMQswCQYDVQQG
-EwJVUzEPMA0GA1UECAwGT3JlZ29uMQ4wDAYDVQQHDAVTYWxlbTETMBEGA1UECgwK
-Q2xpZW50IEVDQzENMAsGA1UECwwERmFzdDEYMBYGA1UEAwwPd3d3LndvbGZzc2wu
-Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMDIxMDE5
-NDk1M1oXDTIzMTEwNzE5NDk1M1owgY0xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZP
-cmVnb24xDjAMBgNVBAcMBVNhbGVtMRMwEQYDVQQKDApDbGllbnQgRUNDMQ0wCwYD
-VQQLDARGYXN0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0B
-CQEWEGluZm9Ad29sZnNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARV
-v/QPRFCaPc6bt/DFTfVwe9TsJI4ZgOxaTKIkA2Ism9rvojUSQ4R2FsZWlQbMAam9
-9nUaQve9qbI2Il/HXX+0o4IBMzCCAS8wHQYDVR0OBBYEFOvUS1lrlWE/UVe2BE2J
-QYhEXKvyMIHCBgNVHSMEgbowgbeAFOvUS1lrlWE/UVe2BE2JQYhEXKvyoYGTpIGQ
-MIGNMQswCQYDVQQGEwJVUzEPMA0GA1UECAwGT3JlZ29uMQ4wDAYDVQQHDAVTYWxl
-bTETMBEGA1UECgwKQ2xpZW50IEVDQzENMAsGA1UECwwERmFzdDEYMBYGA1UEAwwP
-d3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
-ggkA50pP5VaXysMwDAYDVR0TBAUwAwEB/zAcBgNVHREEFTATggtleGFtcGxlLmNv
-bYcEfwAAATAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0E
-AwIDSQAwRgIhAOO7yg4xLTkdlCWBkNUR+QltWBYjvp+pGGSDPCUDWFg5AiEApKqz
-8AnJDC/3sdSOn6a2qxrHN+1wTTQEoJs9hIYQoPA=
+MIIDXjCCAwSgAwIBAgIUPo1AoQviX9l/sfOuc0CSwdiq8GUwCgYIKoZIzj0EAwIw
+gY0xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xDjAMBgNVBAcMBVNhbGVt
+MRMwEQYDVQQKDApDbGllbnQgRUNDMQ0wCwYDVQQLDARGYXN0MRgwFgYDVQQDDA93
+d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20w
+HhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBjTELMAkGA1UEBhMCVVMx
+DzANBgNVBAgMBk9yZWdvbjEOMAwGA1UEBwwFU2FsZW0xEzARBgNVBAoMCkNsaWVu
+dCBFQ0MxDTALBgNVBAsMBEZhc3QxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEf
+MB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqGSM49AgEGCCqG
+SM49AwEHA0IABFW/9A9EUJo9zpu38MVN9XB71OwkjhmA7FpMoiQDYiyb2u+iNRJD
+hHYWxlaVBswBqb32dRpC972psjYiX8ddf7SjggE+MIIBOjAdBgNVHQ4EFgQU69RL
+WWuVYT9RV7YETYlBiERcq/Iwgc0GA1UdIwSBxTCBwoAU69RLWWuVYT9RV7YETYlB
+iERcq/KhgZOkgZAwgY0xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xDjAM
+BgNVBAcMBVNhbGVtMRMwEQYDVQQKDApDbGllbnQgRUNDMQ0wCwYDVQQLDARGYXN0
+MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9A
+d29sZnNzbC5jb22CFD6NQKEL4l/Zf7HzrnNAksHYqvBlMAwGA1UdEwQFMAMBAf8w
+HAYDVR0RBBUwE4ILZXhhbXBsZS5jb22HBH8AAAEwHQYDVR0lBBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMAoGCCqGSM49BAMCA0gAMEUCIQDdp90UrBYkLzk0g6Io6Lpz
+KiTTVs89O8lGkU5ybGKaxwIgXwL1pNHx+JwDjv7FTtzVsPnrrUQPJjWTDqN27OCm
+i/8=
 -----END CERTIFICATE-----
diff --git a/certs/client-ecc384-cert.der b/certs/client-ecc384-cert.der
index 9bf89c7f1..c4fb5f59c 100644
Binary files a/certs/client-ecc384-cert.der and b/certs/client-ecc384-cert.der differ
diff --git a/certs/client-ecc384-cert.pem b/certs/client-ecc384-cert.pem
index e8392fcf1..753fe6e6a 100644
--- a/certs/client-ecc384-cert.pem
+++ b/certs/client-ecc384-cert.pem
@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIC7jCCAnOgAwIBAgICEAEwCgYIKoZIzj0EAwMwgZcxCzAJBgNVBAYTAlVTMRMw
+MIIC7jCCAnWgAwIBAgICEAIwCgYIKoZIzj0EAwMwgZcxCzAJBgNVBAYTAlVTMRMw
 EQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3
 b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZz
-c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE4MTAx
-OTEzNDEwMloXDTQ4MTAxMTEzNDEwMlowgZYxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
-DApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGlj
-MRMwEQYDVQQLDApFQ0MzODRDbGl0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
-HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wdjAQBgcqhkjOPQIBBgUr
-gQQAIgNiAARmxAg9ZqehFdRTCiOzrQvOj8j0mB2m2LJuIhH6ue+ZwPopPkgA+f7C
-pkobpxKoa5BMHLusXW4OYs5wIPdDd9iXx3TTaP6J7HfLGS+JSh13+ZdLZgJopWKv
-lYHL4yQ264WjgZAwgY0wCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwHQYD
-VR0OBBYEFB7y0Bv4/KXLP9yK9ZcqQlOwQvnUMB8GA1UdIwQYMBaAFKvgwyZMGNRy
-u9KEjJwKBZKAElNSMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcD
-AgYIKwYBBQUHAwQwCgYIKoZIzj0EAwMDaQAwZgIxAPQNeML87vVHHBRaob0yBP0Q
-K4wxvwQEuyes/XSEHupNYfSvcK24YuLVm2mrx+3NyAIxAIn8dyiX85tuunv89xNC
-XIkXUHZlvK60fMYi9PBucuYhdy7UO22IRrRncuURVs3oJQ==
+c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMCAXDTIxMTIy
+MDIzMDcyNFoYDzIwNTExMjEzMjMwNzI0WjCBljELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB0VsaXB0
+aWMxEzARBgNVBAsMCkVDQzM4NENsaXQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNv
+bTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTB2MBAGByqGSM49AgEG
+BSuBBAAiA2IABGbECD1mp6EV1FMKI7OtC86PyPSYHabYsm4iEfq575nA+ik+SAD5
+/sKmShunEqhrkEwcu6xdbg5iznAg90N32JfHdNNo/onsd8sZL4lKHXf5l0tmAmil
+Yq+VgcvjJDbrhaOBkDCBjTAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIFoDAd
+BgNVHQ4EFgQUHvLQG/j8pcs/3Ir1lypCU7BC+dQwHwYDVR0jBBgwFoAUq+DDJkwY
+1HK70oSMnAoFkoASU1IwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUF
+BwMCBggrBgEFBQcDBDAKBggqhkjOPQQDAwNnADBkAjBYEwssgvOt+l67d6Q7/R8m
+mDJvGV58DG+SGMJUlhf82f3s5hmanDL92f6SJhWP0PMCMCxWFcnfZYg5DMgupANo
+aoAIyQrZ/HWAcEsuoZMQC4BEx+HMDZM6b6Gcy1S9fwDhLg==
 -----END CERTIFICATE-----
diff --git a/certs/client-relative-uri.pem b/certs/client-relative-uri.pem
index 1dc786fd0..05cb2211c 100644
--- a/certs/client-relative-uri.pem
+++ b/certs/client-relative-uri.pem
@@ -1,16 +1,17 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 10273515510344552519 (0x8e92dbecdc8d9047)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_2048, OU=RELATIVE_URI, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            5a:cb:8f:e5:df:1f:3f:51:f7:da:7f:14:e1:1a:e3:1b:4a:16:ad:89
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_2048, OU = RELATIVE_URI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:52 2021 GMT
-            Not After : Nov  7 19:49:52 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_2048, OU=RELATIVE_URI, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Sep 15 23:07:24 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_2048, OU = RELATIVE_URI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:c3:03:d1:2b:fe:39:a4:32:45:3b:53:c8:84:2b:
                     2a:7c:74:9a:bd:aa:2a:52:07:47:d6:a6:36:b2:07:
@@ -37,54 +38,54 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
                 DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=RELATIVE_URI/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:8E:92:DB:EC:DC:8D:90:47
+                serial:5A:CB:8F:E5:DF:1F:3F:51:F7:DA:7F:14:E1:1A:E3:1B:4A:16:AD:89
 
             X509v3 Basic Constraints: 
                 CA:FALSE
             X509v3 Subject Alternative Name: 
                 URI:../relative/page.html
     Signature Algorithm: sha256WithRSAEncryption
-         b4:68:57:4f:dd:9b:14:4e:61:2e:7d:96:88:cc:bb:b9:9d:46:
-         70:48:ee:f3:ce:6e:cd:0a:06:5d:95:80:28:f5:e7:9c:50:8f:
-         a9:3a:6b:32:b1:33:92:87:13:6f:f6:ce:82:ef:5f:e7:a5:97:
-         23:1f:12:ff:a9:f3:33:54:4a:c9:92:68:47:12:51:89:84:48:
-         45:60:2e:9e:45:ca:3d:05:91:0f:dc:ef:0f:0e:3c:cb:95:f0:
-         68:f0:db:66:c6:06:35:88:8e:cd:18:94:2e:2c:7f:e8:b8:17:
-         fa:e8:31:2c:84:5a:f2:2d:92:47:e3:fa:8a:d2:5e:9a:16:ba:
-         fd:5f:75:cd:17:12:bd:e8:5f:61:93:ea:09:8b:da:ef:a1:9e:
-         4c:03:da:55:75:4e:b3:88:bb:a2:3a:5c:0b:90:41:60:63:84:
-         40:cf:c4:dd:87:6f:77:29:7b:00:c7:56:41:ce:04:5d:46:4e:
-         c1:6c:b0:75:dc:f2:b1:fd:35:68:79:b5:7e:9f:5d:00:b0:be:
-         b6:b6:19:71:44:bb:d3:41:1f:54:16:90:fb:32:41:0a:44:35:
-         59:0c:cc:a3:40:ff:02:fb:a1:e4:97:08:3a:e2:93:ed:6d:cf:
-         c8:a0:42:61:19:72:ee:e6:e4:30:af:5d:3b:76:e1:5c:7f:ca:
-         06:d5:20:0d
+         3e:74:e8:ec:bf:d8:23:17:cb:99:0b:78:b8:e4:44:4b:dd:c1:
+         c2:a9:3e:89:2d:e4:9c:c2:17:c0:4c:7a:c2:79:ef:30:ec:eb:
+         fd:6e:bf:46:29:42:a1:23:1a:87:b3:fd:9f:e9:f0:61:cd:28:
+         b8:35:1a:b2:42:32:fc:2e:71:e3:ec:a5:fc:b3:d9:39:f3:6e:
+         85:fc:5b:81:cb:a8:99:53:7a:6f:49:b2:a8:9e:8b:a4:1c:b4:
+         93:e6:c7:72:08:e2:53:09:43:5f:03:4a:f4:b4:7c:06:83:28:
+         00:42:73:bd:03:e0:7c:c9:33:d2:ea:08:12:76:08:6f:b1:e4:
+         b1:a9:eb:fa:27:c7:c1:02:16:4f:db:79:a4:a7:6b:4c:1d:79:
+         0d:7e:c6:5f:b6:2e:01:2d:e4:7d:52:f1:f4:72:53:92:3e:0d:
+         72:ae:49:c3:7c:65:22:cd:ad:22:b5:72:25:59:a4:15:50:d1:
+         5b:9c:c4:11:b7:ec:74:8b:37:ca:29:4e:6b:58:37:35:66:a8:
+         18:4b:45:00:b4:0c:aa:98:9c:80:8b:a6:46:74:d8:99:b4:80:
+         ce:bb:a7:13:f6:5e:05:1f:a6:93:94:b5:3e:40:73:38:ca:1b:
+         79:28:d6:65:3f:1a:60:d1:57:01:81:79:2c:27:0c:7c:dd:e0:
+         54:ea:df:c6
 -----BEGIN CERTIFICATE-----
-MIIE3TCCA8WgAwIBAgIJAI6S2+zcjZBHMA0GCSqGSIb3DQEBCwUAMIGaMQswCQYD
-VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMG
-A1UECgwMd29sZlNTTF8yMDQ4MRUwEwYDVQQLDAxSRUxBVElWRV9VUkkxGDAWBgNV
-BAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns
-LmNvbTAeFw0yMTAyMTAxOTQ5NTJaFw0yMzExMDcxOTQ5NTJaMIGaMQswCQYDVQQG
-EwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMGA1UE
-CgwMd29sZlNTTF8yMDQ4MRUwEwYDVQQLDAxSRUxBVElWRV9VUkkxGDAWBgNVBAMM
-D3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv
-bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQr
-Knx0mr2qKlIHR9amNrIHMo7Quml7xsNEntSBSP0taKKLZ7uhdcg2LErSG/eLus8N
-+e/s8YEee5sDR5q/Zcx/ZSRppugUiVvkNPfFsBST9Wd7Onp44QFWVpGmE0KN0jxA
-nEzv0YbfN1EbDKE79fGjSjXk4c6W3xt+v06X0BDoqAgwga8gC0MUxXRntDKCb42G
-wohAmTaDuh5AciIX11JlJHOwzu8Zza7/eGx7wBID1E5yDVBtO6M7o5lencjZDIWz
-2YrZVCbbbfqsu/8lTMTRefRx04ZAGBOwY7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuh
-utMCAwEAAaOCASIwggEeMB0GA1UdDgQWBBQz2EVm12iHGH5UDXAnkccm14VlwDCB
-zwYDVR0jBIHHMIHEgBQz2EVm12iHGH5UDXAnkccm14VlwKGBoKSBnTCBmjELMAkG
-A1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTAT
-BgNVBAoMDHdvbGZTU0xfMjA0ODEVMBMGA1UECwwMUkVMQVRJVkVfVVJJMRgwFgYD
-VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
-bC5jb22CCQCOktvs3I2QRzAJBgNVHRMEAjAAMCAGA1UdEQQZMBeGFS4uL3JlbGF0
-aXZlL3BhZ2UuaHRtbDANBgkqhkiG9w0BAQsFAAOCAQEAtGhXT92bFE5hLn2WiMy7
-uZ1GcEju885uzQoGXZWAKPXnnFCPqTprMrEzkocTb/bOgu9f56WXIx8S/6nzM1RK
-yZJoRxJRiYRIRWAunkXKPQWRD9zvDw48y5XwaPDbZsYGNYiOzRiULix/6LgX+ugx
-LIRa8i2SR+P6itJemha6/V91zRcSvehfYZPqCYva76GeTAPaVXVOs4i7ojpcC5BB
-YGOEQM/E3Ydvdyl7AMdWQc4EXUZOwWywddzysf01aHm1fp9dALC+trYZcUS700Ef
-VBaQ+zJBCkQ1WQzMo0D/Avuh5JcIOuKT7W3PyKBCYRly7ubkMK9dO3bhXH/KBtUg
-DQ==
+MIIE8zCCA9ugAwIBAgIUWsuP5d8fP1H32n8U4RrjG0oWrYkwDQYJKoZIhvcNAQEL
+BQAwgZoxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
+b3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMXzIwNDgxFTATBgNVBAsMDFJFTEFUSVZF
+X1VSSTEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBp
+bmZvQHdvbGZzc2wuY29tMB4XDTIxMTIyMDIzMDcyNFoXDTI0MDkxNTIzMDcyNFow
+gZoxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
+bWFuMRUwEwYDVQQKDAx3b2xmU1NMXzIwNDgxFTATBgNVBAsMDFJFTEFUSVZFX1VS
+STEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZv
+QHdvbGZzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwwPR
+K/45pDJFO1PIhCsqfHSavaoqUgdH1qY2sgcyjtC6aXvGw0Se1IFI/S1oootnu6F1
+yDYsStIb94u6zw357+zxgR57mwNHmr9lzH9lJGmm6BSJW+Q098WwFJP1Z3s6enjh
+AVZWkaYTQo3SPECcTO/Rht83URsMoTv18aNKNeThzpbfG36/TpfQEOioCDCBryAL
+QxTFdGe0MoJvjYbCiECZNoO6HkByIhfXUmUkc7DO7xnNrv94bHvAEgPUTnINUG07
+ozujmV6dyNkMhbPZitlUJttt+qy7/yVMxNF59HHThkAYE7BjtXJOMMSXhIYtVi/X
+Ffd/wK71/Fvl+6G60wIDAQABo4IBLTCCASkwHQYDVR0OBBYEFDPYRWbXaIcYflQN
+cCeRxybXhWXAMIHaBgNVHSMEgdIwgc+AFDPYRWbXaIcYflQNcCeRxybXhWXAoYGg
+pIGdMIGaMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwH
+Qm96ZW1hbjEVMBMGA1UECgwMd29sZlNTTF8yMDQ4MRUwEwYDVQQLDAxSRUxBVElW
+RV9VUkkxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQ
+aW5mb0B3b2xmc3NsLmNvbYIUWsuP5d8fP1H32n8U4RrjG0oWrYkwCQYDVR0TBAIw
+ADAgBgNVHREEGTAXhhUuLi9yZWxhdGl2ZS9wYWdlLmh0bWwwDQYJKoZIhvcNAQEL
+BQADggEBAD506Oy/2CMXy5kLeLjkREvdwcKpPokt5JzCF8BMesJ57zDs6/1uv0Yp
+QqEjGoez/Z/p8GHNKLg1GrJCMvwucePspfyz2TnzboX8W4HLqJlTem9Jsqiei6Qc
+tJPmx3II4lMJQ18DSvS0fAaDKABCc70D4HzJM9LqCBJ2CG+x5LGp6/onx8ECFk/b
+eaSna0wdeQ1+xl+2LgEt5H1S8fRyU5I+DXKuScN8ZSLNrSK1ciVZpBVQ0VucxBG3
+7HSLN8opTmtYNzVmqBhLRQC0DKqYnICLpkZ02Jm0gM67pxP2XgUfppOUtT5AczjK
+G3ko1mU/GmDRVwGBeSwnDHzd4FTq38Y=
 -----END CERTIFICATE-----
diff --git a/certs/client-uri-cert.pem b/certs/client-uri-cert.pem
index 122a76629..88297343e 100644
--- a/certs/client-uri-cert.pem
+++ b/certs/client-uri-cert.pem
@@ -1,16 +1,17 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 14951923003315625164 (0xcf7fe6c0b99e9ccc)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_2048, OU=URI, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            4f:66:6a:6b:e2:e1:36:fd:c6:87:c1:92:2e:07:00:5e:50:cc:c2:c7
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_2048, OU = URI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:52 2021 GMT
-            Not After : Nov  7 19:49:52 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_2048, OU=URI, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Sep 15 23:07:24 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_2048, OU = URI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:c3:03:d1:2b:fe:39:a4:32:45:3b:53:c8:84:2b:
                     2a:7c:74:9a:bd:aa:2a:52:07:47:d6:a6:36:b2:07:
@@ -37,53 +38,53 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
                 DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=URI/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:CF:7F:E6:C0:B9:9E:9C:CC
+                serial:4F:66:6A:6B:E2:E1:36:FD:C6:87:C1:92:2E:07:00:5E:50:CC:C2:C7
 
             X509v3 Basic Constraints: 
                 CA:FALSE
             X509v3 Subject Alternative Name: 
                 URI:https://www.wolfssl.com
     Signature Algorithm: sha256WithRSAEncryption
-         4b:f2:ec:8e:47:35:a9:fc:3c:36:98:48:b4:64:6c:3e:65:bd:
-         c9:d4:a7:38:3f:33:e2:60:ee:7f:aa:16:70:3f:c8:28:02:3e:
-         5c:d2:fe:a1:a7:d2:fb:e8:f6:6d:9f:c4:a4:b1:81:f4:6e:80:
-         3d:bc:27:f6:6e:d8:93:85:5e:cc:dd:5d:87:16:b3:75:85:72:
-         76:dd:9a:32:93:df:01:fa:4d:d2:d3:a4:27:fc:e3:bd:7a:f1:
-         9d:3d:08:2e:e7:1f:e3:b8:96:9e:11:0d:88:3b:ba:1f:b5:d8:
-         c7:67:9e:74:56:27:5b:55:88:5b:79:dc:2c:56:64:a0:71:72:
-         1a:06:d8:d4:0f:41:bf:9d:f3:3e:59:9e:b1:e5:41:6d:4a:a0:
-         44:e2:7a:d2:0b:3f:3a:45:14:ff:d5:42:8f:aa:8b:7d:ff:38:
-         e7:a9:c2:92:b0:4e:dc:c6:13:35:8c:25:ef:49:c1:06:c2:3b:
-         21:91:de:0f:14:0c:79:7d:3c:d6:14:57:ce:eb:9b:49:3f:c5:
-         ff:5c:5a:a8:81:cf:ba:0f:51:ec:01:82:56:0a:de:98:41:6f:
-         ec:43:47:6d:45:a4:92:67:f2:08:c0:65:d3:8c:47:9c:73:0e:
-         de:27:b7:44:33:44:eb:51:d5:ad:80:00:e1:f2:e3:ef:04:8c:
-         05:94:af:f6
+         48:88:32:c6:f3:41:f3:54:ef:85:22:6a:57:75:27:87:ac:0e:
+         5c:0f:ee:e5:93:15:54:27:93:b2:e3:5a:1b:15:63:f8:97:2c:
+         19:af:11:46:5d:92:ea:e0:b7:07:3f:13:0e:82:51:a3:24:6a:
+         1d:e9:4b:47:da:ed:93:1b:95:39:58:fc:6a:6f:d7:64:52:9f:
+         b0:92:b7:31:5b:8c:c1:bb:8f:a5:38:99:9e:69:fc:39:16:4d:
+         60:65:74:19:29:a1:29:50:38:a5:58:80:34:b4:ec:ae:2e:2f:
+         27:f9:a2:6c:af:8b:c9:99:2e:1e:d3:ff:20:53:03:0d:9c:62:
+         38:b8:ee:7c:79:e9:c7:ac:2c:d1:65:bb:26:b7:a5:db:db:12:
+         86:22:bc:e5:c0:71:97:c5:aa:29:c9:2f:8e:0c:9d:bf:91:2c:
+         d3:2e:db:d6:e5:e7:ae:c3:76:21:b4:a1:62:a4:4a:c9:13:d2:
+         df:62:fb:83:a7:0a:61:77:fe:a8:96:0e:ba:cb:a2:5d:12:05:
+         94:27:3a:e8:b8:3e:2b:fa:7d:38:26:84:d0:e7:ce:ae:d5:73:
+         e4:c3:cb:2f:5a:43:3f:0b:69:5e:28:e7:0a:fe:a2:85:1e:1f:
+         be:f1:72:c3:25:3b:fb:19:3d:73:d5:a8:af:f5:84:0f:29:f7:
+         0b:68:f5:a8
 -----BEGIN CERTIFICATE-----
-MIIExDCCA6ygAwIBAgIJAM9/5sC5npzMMA0GCSqGSIb3DQEBCwUAMIGRMQswCQYD
-VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMG
-A1UECgwMd29sZlNTTF8yMDQ4MQwwCgYDVQQLDANVUkkxGDAWBgNVBAMMD3d3dy53
-b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0y
-MTAyMTAxOTQ5NTJaFw0yMzExMDcxOTQ5NTJaMIGRMQswCQYDVQQGEwJVUzEQMA4G
-A1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMGA1UECgwMd29sZlNT
-TF8yMDQ4MQwwCgYDVQQLDANVUkkxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEf
-MB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2qKlIHR9amNrIHMo7Q
-uml7xsNEntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEee5sDR5q/Zcx/ZSRp
-pugUiVvkNPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0YbfN1EbDKE79fGjSjXk
-4c6W3xt+v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaDuh5AciIX11JlJHOw
-zu8Zza7/eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbbbfqsu/8lTMTRefRx
-04ZAGBOwY7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEAAaOCARswggEXMB0G
-A1UdDgQWBBQz2EVm12iHGH5UDXAnkccm14VlwDCBxgYDVR0jBIG+MIG7gBQz2EVm
-12iHGH5UDXAnkccm14VlwKGBl6SBlDCBkTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
-B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZTU0xfMjA0
-ODEMMAoGA1UECwwDVVJJMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkq
-hkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQDPf+bAuZ6czDAJBgNVHRMEAjAA
-MCIGA1UdEQQbMBmGF2h0dHBzOi8vd3d3LndvbGZzc2wuY29tMA0GCSqGSIb3DQEB
-CwUAA4IBAQBL8uyORzWp/Dw2mEi0ZGw+Zb3J1Kc4PzPiYO5/qhZwP8goAj5c0v6h
-p9L76PZtn8SksYH0boA9vCf2btiThV7M3V2HFrN1hXJ23Zoyk98B+k3S06Qn/OO9
-evGdPQgu5x/juJaeEQ2IO7oftdjHZ550VidbVYhbedwsVmSgcXIaBtjUD0G/nfM+
-WZ6x5UFtSqBE4nrSCz86RRT/1UKPqot9/zjnqcKSsE7cxhM1jCXvScEGwjshkd4P
-FAx5fTzWFFfO65tJP8X/XFqogc+6D1HsAYJWCt6YQW/sQ0dtRaSSZ/IIwGXTjEec
-cw7eJ7dEM0TrUdWtgADh8uPvBIwFlK/2
+MIIE2jCCA8KgAwIBAgIUT2Zqa+LhNv3Gh8GSLgcAXlDMwscwDQYJKoZIhvcNAQEL
+BQAwgZExCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
+b3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMXzIwNDgxDDAKBgNVBAsMA1VSSTEYMBYG
+A1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZz
+c2wuY29tMB4XDTIxMTIyMDIzMDcyNFoXDTI0MDkxNTIzMDcyNFowgZExCzAJBgNV
+BAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRUwEwYD
+VQQKDAx3b2xmU1NMXzIwNDgxDDAKBgNVBAsMA1VSSTEYMBYGA1UEAwwPd3d3Lndv
+bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwwPRK/45pDJFO1PIhCsqfHSavaoq
+UgdH1qY2sgcyjtC6aXvGw0Se1IFI/S1oootnu6F1yDYsStIb94u6zw357+zxgR57
+mwNHmr9lzH9lJGmm6BSJW+Q098WwFJP1Z3s6enjhAVZWkaYTQo3SPECcTO/Rht83
+URsMoTv18aNKNeThzpbfG36/TpfQEOioCDCBryALQxTFdGe0MoJvjYbCiECZNoO6
+HkByIhfXUmUkc7DO7xnNrv94bHvAEgPUTnINUG07ozujmV6dyNkMhbPZitlUJttt
++qy7/yVMxNF59HHThkAYE7BjtXJOMMSXhIYtVi/XFfd/wK71/Fvl+6G60wIDAQAB
+o4IBJjCCASIwHQYDVR0OBBYEFDPYRWbXaIcYflQNcCeRxybXhWXAMIHRBgNVHSME
+gckwgcaAFDPYRWbXaIcYflQNcCeRxybXhWXAoYGXpIGUMIGRMQswCQYDVQQGEwJV
+UzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMGA1UECgwM
+d29sZlNTTF8yMDQ4MQwwCgYDVQQLDANVUkkxGDAWBgNVBAMMD3d3dy53b2xmc3Ns
+LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUT2Zqa+LhNv3G
+h8GSLgcAXlDMwscwCQYDVR0TBAIwADAiBgNVHREEGzAZhhdodHRwczovL3d3dy53
+b2xmc3NsLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEASIgyxvNB81TvhSJqV3Unh6wO
+XA/u5ZMVVCeTsuNaGxVj+JcsGa8RRl2S6uC3Bz8TDoJRoyRqHelLR9rtkxuVOVj8
+am/XZFKfsJK3MVuMwbuPpTiZnmn8ORZNYGV0GSmhKVA4pViANLTsri4vJ/mibK+L
+yZkuHtP/IFMDDZxiOLjufHnpx6ws0WW7Jrel29sShiK85cBxl8WqKckvjgydv5Es
+0y7b1uXnrsN2IbShYqRKyRPS32L7g6cKYXf+qJYOusuiXRIFlCc66Lg+K/p9OCaE
+0OfOrtVz5MPLL1pDPwtpXijnCv6ihR4fvvFywyU7+xk9c9Wor/WEDyn3C2j1qA==
 -----END CERTIFICATE-----
diff --git a/certs/crl/caEcc384Crl.pem b/certs/crl/caEcc384Crl.pem
index 4f80f84f7..9a9278c8f 100644
--- a/certs/crl/caEcc384Crl.pem
+++ b/certs/crl/caEcc384Crl.pem
@@ -1,10 +1,10 @@
 -----BEGIN X509 CRL-----
-MIIBcjCB+AIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+MIIBcTCB+AIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wx
 FDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
-HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTIxMDIxMDE5NDk1NVoX
-DTIzMTEwNzE5NDk1NVqgLzAtMB8GA1UdIwQYMBaAFKvgwyZMGNRyu9KEjJwKBZKA
-ElNSMAoGA1UdFAQDAgEKMAoGCCqGSM49BAMCA2kAMGYCMQDZ3syfCgdSX34hw/9W
-Vsh2Upsk5XetKwJ/t7YNniRF2xwPpWyNCB0Ib9ysoOKx+5wCMQDwHLLznMcFfY2p
-QkEWT1XRcJ3WANZmtx/m4XjvgIjw6dkPQBqdHy7MSjvVds1nQ80=
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTIxMTIyMDIzMDcyNloX
+DTI0MDkxNTIzMDcyNlqgLzAtMB8GA1UdIwQYMBaAFKvgwyZMGNRyu9KEjJwKBZKA
+ElNSMAoGA1UdFAQDAgEKMAoGCCqGSM49BAMCA2gAMGUCME7EJJJqEQ1MLFdlCcBL
+FIYvwcJDDBF+GibwmrWY02PebJKpO4QB1FSHe4mwE5DVJwIxALqCGsXOv51JEBtk
+jHL3jM+84RpKVoANUCmSaNNYH2e6RZ4Qi7eRCELIBzWWQfbSMw==
 -----END X509 CRL-----
diff --git a/certs/crl/caEccCrl.pem b/certs/crl/caEccCrl.pem
index 1c94327e0..b3b6d9e9e 100644
--- a/certs/crl/caEccCrl.pem
+++ b/certs/crl/caEccCrl.pem
@@ -2,9 +2,9 @@
 MIIBUTCB+AIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wx
 FDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
-HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTIxMDIxMDE5NDk1NVoX
-DTIzMTEwNzE5NDk1NVqgLzAtMB8GA1UdIwQYMBaAFFaOmsPwQt4YuUVVbvmTz+rD
-86UhMAoGA1UdFAQDAgEJMAoGCCqGSM49BAMCA0gAMEUCIGl4TP2PbJhqSSZN/0f6
-4RWJhFwI1flAnFJPVBLBj+e7AiEAiGRDT35HS237kRWw4qlvQM57Gbaflq/aZ8SM
-MIqTs0E=
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTIxMTIyMDIzMDcyNloX
+DTI0MDkxNTIzMDcyNlqgLzAtMB8GA1UdIwQYMBaAFFaOmsPwQt4YuUVVbvmTz+rD
+86UhMAoGA1UdFAQDAgEJMAoGCCqGSM49BAMCA0gAMEUCIQCzNgx6zbS8/yjmmvCw
+EXyHTmm3Wf0GcMoncek1xl+uOQIgOdSkkpps6A+yUtLt2qCMOopxPEEq7+GQIGxd
+n43A33c=
 -----END X509 CRL-----
diff --git a/certs/crl/cliCrl.pem b/certs/crl/cliCrl.pem
index c92b4852e..daa90fde3 100644
--- a/certs/crl/cliCrl.pem
+++ b/certs/crl/cliCrl.pem
@@ -1,42 +1,42 @@
 Certificate Revocation List (CRL):
         Version 2 (0x1)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: /C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-        Last Update: Feb 10 19:49:55 2021 GMT
-        Next Update: Nov  7 19:49:55 2023 GMT
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_2048, OU = Programming-2048, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Last Update: Dec 20 23:07:26 2021 GMT
+        Next Update: Sep 15 23:07:26 2024 GMT
         CRL extensions:
             X509v3 CRL Number: 
                 6
 Revoked Certificates:
     Serial Number: 02
-        Revocation Date: Feb 10 19:49:55 2021 GMT
+        Revocation Date: Dec 20 23:07:25 2021 GMT
     Signature Algorithm: sha256WithRSAEncryption
-         a3:e5:bd:db:95:29:72:ae:b1:e9:1a:69:1e:7b:9c:ec:8e:e7:
-         1d:54:1e:22:b7:11:44:0b:20:3e:e4:ed:59:38:a7:81:07:6f:
-         bf:4d:f3:e0:5b:5e:46:3d:4e:04:7e:de:50:90:28:38:43:7e:
-         2b:3b:20:6b:c9:ac:fc:7b:e6:48:67:03:6a:24:82:52:97:ce:
-         82:0e:42:b8:0c:60:ac:3d:a5:bc:2b:39:cf:40:b4:c1:39:a9:
-         e9:af:84:9c:c4:87:74:e5:dc:c3:28:6e:f2:93:48:8a:6d:e2:
-         59:ae:f8:ed:16:77:46:4d:61:2a:7b:ec:bf:ae:8b:76:6e:3d:
-         13:b5:7e:68:af:41:7e:ee:ec:4f:ab:19:45:e3:72:94:1c:db:
-         5e:97:1a:24:4e:42:94:e4:b7:dc:5e:ba:6c:b0:1f:36:e7:63:
-         d3:4f:5d:53:4a:48:8c:91:8e:bb:51:c0:28:ed:0b:5c:a9:f7:
-         d7:ab:39:21:57:22:42:83:08:34:86:38:ca:3a:96:fc:6a:f0:
-         86:5e:0b:64:84:30:28:49:fe:62:43:1b:a5:f3:f4:e7:b6:30:
-         f4:ae:68:5a:82:9a:e1:00:2d:74:0e:60:b4:40:fe:f3:fe:b6:
-         f8:c9:21:79:7d:f1:ee:78:e4:8c:2d:96:69:13:c3:a8:53:d5:
-         af:5c:e9:0c
+         98:e9:a5:58:02:d9:8d:4d:d6:f8:22:6c:80:43:d5:54:82:0d:
+         dc:27:94:f8:b2:89:c5:4d:40:fa:03:fe:e7:4f:6f:36:41:f4:
+         d1:03:6d:da:dd:f8:70:94:93:d5:25:1a:47:b5:aa:33:22:56:
+         18:ac:d2:b4:f8:06:84:2c:ed:3d:df:7b:ee:0e:e2:50:ca:f5:
+         cb:20:ee:dd:c3:81:db:29:b2:f4:bd:3b:27:29:a1:55:92:d8:
+         4f:36:9b:ad:9c:83:b6:ef:a1:07:8e:8d:f8:22:01:c3:5a:fe:
+         f4:7d:4a:27:48:bb:56:6d:7d:b5:cd:f2:0f:b5:df:59:bc:66:
+         dd:4b:0a:c9:d2:51:7c:e4:69:5d:0d:04:60:1f:0e:b8:26:3f:
+         dd:5f:2b:53:11:7b:d6:a8:0b:b5:70:15:61:43:5f:22:d3:88:
+         77:04:28:a5:4c:ef:b5:b1:7d:04:c1:d2:92:cb:1f:3b:02:21:
+         d0:0d:ae:5c:e9:d7:9c:7e:81:03:11:70:43:91:13:08:12:f5:
+         8b:7d:d7:ff:bd:b8:ee:ef:d0:6b:76:7a:d9:11:48:a4:19:7e:
+         d2:e1:c2:96:c0:cc:21:56:27:19:de:27:ed:06:f2:58:cf:d1:
+         19:c0:56:70:aa:56:34:1c:e7:8f:9a:f5:96:c1:79:56:ab:b8:
+         32:63:03:ec
 -----BEGIN X509 CRL-----
 MIICDjCB9wIBATANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCVVMxEDAOBgNV
 BAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZTU0xf
 MjA0ODEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMjA0ODEYMBYGA1UEAwwPd3d3Lndv
-bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yMTAy
-MTAxOTQ5NTVaFw0yMzExMDcxOTQ5NTVaMBQwEgIBAhcNMjEwMjEwMTk0OTU1WqAO
-MAwwCgYDVR0UBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAKPlvduVKXKusekaaR57
-nOyO5x1UHiK3EUQLID7k7Vk4p4EHb79N8+BbXkY9TgR+3lCQKDhDfis7IGvJrPx7
-5khnA2okglKXzoIOQrgMYKw9pbwrOc9AtME5qemvhJzEh3Tl3MMobvKTSIpt4lmu
-+O0Wd0ZNYSp77L+ui3ZuPRO1fmivQX7u7E+rGUXjcpQc216XGiROQpTkt9xeumyw
-HzbnY9NPXVNKSIyRjrtRwCjtC1yp99erOSFXIkKDCDSGOMo6lvxq8IZeC2SEMChJ
-/mJDG6Xz9Oe2MPSuaFqCmuEALXQOYLRA/vP+tvjJIXl98e545IwtlmkTw6hT1a9c
-6Qw=
+bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yMTEy
+MjAyMzA3MjZaFw0yNDA5MTUyMzA3MjZaMBQwEgIBAhcNMjExMjIwMjMwNzI1WqAO
+MAwwCgYDVR0UBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAJjppVgC2Y1N1vgibIBD
+1VSCDdwnlPiyicVNQPoD/udPbzZB9NEDbdrd+HCUk9UlGke1qjMiVhis0rT4BoQs
+7T3fe+4O4lDK9csg7t3DgdspsvS9OycpoVWS2E82m62cg7bvoQeOjfgiAcNa/vR9
+SidIu1ZtfbXN8g+131m8Zt1LCsnSUXzkaV0NBGAfDrgmP91fK1MRe9aoC7VwFWFD
+XyLTiHcEKKVM77WxfQTB0pLLHzsCIdANrlzp15x+gQMRcEOREwgS9Yt91/+9uO7v
+0Gt2etkRSKQZftLhwpbAzCFWJxneJ+0G8ljP0RnAVnCqVjQc54+a9ZbBeVaruDJj
+A+w=
 -----END X509 CRL-----
diff --git a/certs/crl/crl.der b/certs/crl/crl.der
index f8726dd52..548d7aa92 100644
Binary files a/certs/crl/crl.der and b/certs/crl/crl.der differ
diff --git a/certs/crl/crl.pem b/certs/crl/crl.pem
index 7d9aa8770..4c6f2cc93 100644
--- a/certs/crl/crl.pem
+++ b/certs/crl/crl.pem
@@ -1,41 +1,41 @@
 Certificate Revocation List (CRL):
         Version 2 (0x1)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-        Last Update: Feb 10 19:49:55 2021 GMT
-        Next Update: Nov  7 19:49:55 2023 GMT
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Last Update: Dec 20 23:07:25 2021 GMT
+        Next Update: Sep 15 23:07:25 2024 GMT
         CRL extensions:
             X509v3 CRL Number: 
                 2
 Revoked Certificates:
     Serial Number: 02
-        Revocation Date: Feb 10 19:49:55 2021 GMT
+        Revocation Date: Dec 20 23:07:25 2021 GMT
     Signature Algorithm: sha256WithRSAEncryption
-         64:70:f6:a5:21:76:7d:3b:38:fd:42:a2:91:be:6a:54:05:7a:
-         a5:ce:4d:4c:57:db:d9:7b:5e:3c:86:8f:e8:d7:02:d7:7e:87:
-         9b:f2:0f:35:f3:62:c4:2a:5e:5e:f5:26:40:b1:d4:9a:8d:dc:
-         65:35:76:7e:e7:68:5a:57:66:48:d6:0b:bf:ac:d1:d3:5e:50:
-         40:14:ae:3f:3b:e7:5a:c2:c4:c2:41:ba:77:1d:b2:46:29:f8:
-         42:44:5c:3d:2a:92:87:18:fd:9d:54:11:5d:7b:82:0a:f0:46:
-         d0:c1:56:72:53:9d:85:ac:21:95:ff:65:8e:41:49:d3:be:c4:
-         b8:d0:f3:61:fb:eb:0a:a6:d9:f3:09:13:a9:74:01:2b:6c:8a:
-         08:59:ce:37:52:c4:0e:74:d0:52:56:9d:e1:22:42:13:1e:31:
-         cf:25:be:3e:df:c0:52:26:bf:f9:5b:c9:88:3f:29:4f:2f:80:
-         f9:90:97:cc:29:c8:28:4d:06:e9:d9:8e:a9:6c:1f:92:89:36:
-         67:c2:03:dc:02:99:4e:40:28:be:79:ef:ed:75:86:75:a2:06:
-         47:cd:a6:93:b0:8c:74:3c:97:3a:d2:b8:e2:b5:fb:b4:76:eb:
-         87:9f:97:f3:35:78:ee:d0:49:84:38:f1:2b:5c:5e:12:a1:c6:
-         69:7a:ff:85
+         8b:c0:b8:cb:03:5c:8c:d1:53:b2:c5:b1:4d:f3:b3:e8:13:bf:
+         5f:a7:1a:cc:74:e8:06:66:c1:cb:89:c3:e3:b3:fb:68:4e:8f:
+         d0:5b:33:d8:ed:5e:14:b3:21:c8:c0:06:66:97:6d:69:96:78:
+         bd:a9:d1:59:85:0f:13:29:2d:2f:49:87:94:84:14:94:38:74:
+         04:16:94:10:ea:f2:31:d8:34:b7:65:e8:5e:52:4f:96:ac:bf:
+         5f:4f:6c:ee:5d:04:2a:26:b2:29:7c:9d:06:82:b3:b5:e6:5b:
+         d5:11:72:56:d5:34:75:82:5e:2a:f3:c6:67:72:94:c6:02:83:
+         e8:58:85:2d:73:db:55:30:a2:c2:b1:bb:4c:bf:f6:a2:d8:b3:
+         fc:1b:bd:51:97:4e:f4:c2:04:4f:04:ee:61:e7:51:4b:4f:09:
+         fe:10:5c:3c:1e:e0:cb:51:1f:54:f4:38:3f:6c:58:ee:4e:f8:
+         ca:34:cd:37:ee:bb:06:53:14:c7:60:a4:89:ac:9a:50:4a:b5:
+         9e:b3:59:97:9b:27:5e:5c:fa:14:74:3d:a2:76:62:63:ae:e8:
+         d2:f9:b7:ad:0c:3f:07:40:50:5c:e4:fb:95:3c:3d:df:2e:81:
+         f2:6a:9e:01:69:c3:a2:1e:d7:00:2b:6d:6c:67:f0:fb:13:ce:
+         f1:a5:08:d6
 -----BEGIN X509 CRL-----
 MIICBDCB7QIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMxEDAOBgNV
 BAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3Ro
 MRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
-HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTIxMDIxMDE5NDk1NVoX
-DTIzMTEwNzE5NDk1NVowFDASAgECFw0yMTAyMTAxOTQ5NTVaoA4wDDAKBgNVHRQE
-AwIBAjANBgkqhkiG9w0BAQsFAAOCAQEAZHD2pSF2fTs4/UKikb5qVAV6pc5NTFfb
-2XtePIaP6NcC136Hm/IPNfNixCpeXvUmQLHUmo3cZTV2fudoWldmSNYLv6zR015Q
-QBSuPzvnWsLEwkG6dx2yRin4QkRcPSqShxj9nVQRXXuCCvBG0MFWclOdhawhlf9l
-jkFJ077EuNDzYfvrCqbZ8wkTqXQBK2yKCFnON1LEDnTQUlad4SJCEx4xzyW+Pt/A
-Uia/+VvJiD8pTy+A+ZCXzCnIKE0G6dmOqWwfkok2Z8ID3AKZTkAovnnv7XWGdaIG
-R82mk7CMdDyXOtK44rX7tHbrh5+X8zV47tBJhDjxK1xeEqHGaXr/hQ==
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTIxMTIyMDIzMDcyNVoX
+DTI0MDkxNTIzMDcyNVowFDASAgECFw0yMTEyMjAyMzA3MjVaoA4wDDAKBgNVHRQE
+AwIBAjANBgkqhkiG9w0BAQsFAAOCAQEAi8C4ywNcjNFTssWxTfOz6BO/X6cazHTo
+BmbBy4nD47P7aE6P0Fsz2O1eFLMhyMAGZpdtaZZ4vanRWYUPEyktL0mHlIQUlDh0
+BBaUEOryMdg0t2XoXlJPlqy/X09s7l0EKiayKXydBoKzteZb1RFyVtU0dYJeKvPG
+Z3KUxgKD6FiFLXPbVTCiwrG7TL/2otiz/Bu9UZdO9MIETwTuYedRS08J/hBcPB7g
+y1EfVPQ4P2xY7k74yjTNN+67BlMUx2CkiayaUEq1nrNZl5snXlz6FHQ9onZiY67o
+0vm3rQw/B0BQXOT7lTw93y6B8mqeAWnDoh7XACttbGfw+xPO8aUI1g==
 -----END X509 CRL-----
diff --git a/certs/crl/crl.revoked b/certs/crl/crl.revoked
index 54271024f..3224c46d6 100644
--- a/certs/crl/crl.revoked
+++ b/certs/crl/crl.revoked
@@ -1,44 +1,44 @@
 Certificate Revocation List (CRL):
         Version 2 (0x1)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-        Last Update: Feb 10 19:49:55 2021 GMT
-        Next Update: Nov  7 19:49:55 2023 GMT
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Last Update: Dec 20 23:07:25 2021 GMT
+        Next Update: Sep 15 23:07:25 2024 GMT
         CRL extensions:
             X509v3 CRL Number: 
                 3
 Revoked Certificates:
     Serial Number: 01
-        Revocation Date: Feb 10 19:49:55 2021 GMT
+        Revocation Date: Dec 20 23:07:25 2021 GMT
     Serial Number: 02
-        Revocation Date: Feb 10 19:49:55 2021 GMT
+        Revocation Date: Dec 20 23:07:25 2021 GMT
     Signature Algorithm: sha256WithRSAEncryption
-         8e:c0:a9:05:07:8f:c0:f0:e8:54:63:86:8b:0b:65:80:fc:d5:
-         b8:97:48:2f:c3:43:02:df:63:65:53:bb:cf:4c:d6:90:28:3c:
-         15:be:48:b4:1a:39:5e:0f:73:a6:f0:39:b5:ca:82:99:98:d8:
-         8f:94:d9:3a:9a:ed:54:50:8c:20:8d:90:ce:02:f8:f6:2d:5d:
-         d2:48:99:4d:15:8f:c5:61:95:35:31:83:80:9a:4a:19:01:5e:
-         d2:fd:9c:2e:ee:b6:d8:c0:fa:38:7d:cc:6c:ce:c5:62:dc:95:
-         70:79:3e:09:89:14:11:f9:8a:06:b1:1a:ab:52:25:a9:e6:01:
-         96:9d:ea:b8:aa:81:14:6c:d0:75:a2:03:41:e0:24:06:44:b5:
-         ff:95:50:7f:e4:50:78:03:24:f1:2c:4f:f9:ae:72:b4:3b:a2:
-         1b:cb:ab:cd:86:2f:9a:3f:81:4e:c3:a9:34:2f:e0:55:66:90:
-         55:d1:ee:37:d6:25:a0:b2:ae:d6:6b:2a:1b:21:aa:d8:2b:36:
-         c1:30:05:88:dd:a9:58:09:65:eb:29:0a:e8:c3:b7:dc:39:51:
-         2f:34:6d:3a:07:99:cd:b0:80:4e:82:1e:c2:8e:f4:64:15:54:
-         a1:25:95:95:65:ba:46:a5:6d:ac:f6:57:f9:ae:26:5e:80:51:
-         c2:79:21:d7
+         1a:64:b8:03:b0:03:c9:e1:75:c4:c1:6e:ab:af:8e:68:9b:b1:
+         d0:e1:12:c0:2c:c0:8e:74:6d:27:e2:e9:36:25:c3:be:10:d7:
+         00:e0:1e:a0:27:84:13:bb:75:73:d8:e7:c5:0b:14:3b:f3:3d:
+         ef:bc:dc:ad:5c:4c:bf:e3:67:82:ef:a3:84:2d:72:c6:15:f7:
+         4e:13:66:92:44:6f:78:d9:25:36:10:96:49:e1:37:9a:6f:db:
+         61:2b:4c:88:ff:d1:fa:fa:2c:d4:76:38:2d:c1:f8:14:e9:7e:
+         18:52:46:69:7c:74:8a:e4:fc:a2:a1:bc:f8:a5:cf:1f:61:dd:
+         b8:c7:61:d5:0c:e2:a1:24:3c:fe:6b:a7:61:dc:e0:39:2b:73:
+         56:d5:13:47:d5:2a:2f:03:83:07:bc:aa:4b:5e:46:87:09:03:
+         f2:f2:e7:64:63:ad:99:3e:c4:a8:e3:e6:98:ed:31:b8:4d:1e:
+         00:a0:95:ba:35:3a:c1:e1:50:4d:30:f6:65:e2:4f:8c:3a:87:
+         e3:0b:8d:a8:ec:15:aa:99:f0:65:57:b2:f4:f0:ed:5a:b6:ce:
+         56:a7:af:d1:cf:48:10:cb:a6:27:36:d8:05:ac:54:d4:2e:fb:
+         b9:64:79:44:59:9b:e9:81:c5:e2:11:59:ea:8f:78:ae:8f:7f:
+         2e:cf:3d:e8
 -----BEGIN X509 CRL-----
 MIICGTCCAQECAQEwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYD
 VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290
 aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
-MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yMTAyMTAxOTQ5NTVa
-Fw0yMzExMDcxOTQ5NTVaMCgwEgIBARcNMjEwMjEwMTk0OTU1WjASAgECFw0yMTAy
-MTAxOTQ5NTVaoA4wDDAKBgNVHRQEAwIBAzANBgkqhkiG9w0BAQsFAAOCAQEAjsCp
-BQePwPDoVGOGiwtlgPzVuJdIL8NDAt9jZVO7z0zWkCg8Fb5ItBo5Xg9zpvA5tcqC
-mZjYj5TZOprtVFCMII2QzgL49i1d0kiZTRWPxWGVNTGDgJpKGQFe0v2cLu622MD6
-OH3MbM7FYtyVcHk+CYkUEfmKBrEaq1IlqeYBlp3quKqBFGzQdaIDQeAkBkS1/5VQ
-f+RQeAMk8SxP+a5ytDuiG8urzYYvmj+BTsOpNC/gVWaQVdHuN9YloLKu1msqGyGq
-2Cs2wTAFiN2pWAll6ykK6MO33DlRLzRtOgeZzbCAToIewo70ZBVUoSWVlWW6RqVt
-rPZX+a4mXoBRwnkh1w==
+MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yMTEyMjAyMzA3MjVa
+Fw0yNDA5MTUyMzA3MjVaMCgwEgIBARcNMjExMjIwMjMwNzI1WjASAgECFw0yMTEy
+MjAyMzA3MjVaoA4wDDAKBgNVHRQEAwIBAzANBgkqhkiG9w0BAQsFAAOCAQEAGmS4
+A7ADyeF1xMFuq6+OaJux0OESwCzAjnRtJ+LpNiXDvhDXAOAeoCeEE7t1c9jnxQsU
+O/M977zcrVxMv+Nngu+jhC1yxhX3ThNmkkRveNklNhCWSeE3mm/bYStMiP/R+vos
+1HY4LcH4FOl+GFJGaXx0iuT8oqG8+KXPH2HduMdh1QzioSQ8/munYdzgOStzVtUT
+R9UqLwODB7yqS15GhwkD8vLnZGOtmT7EqOPmmO0xuE0eAKCVujU6weFQTTD2ZeJP
+jDqH4wuNqOwVqpnwZVey9PDtWrbOVqev0c9IEMumJzbYBaxU1C77uWR5RFmb6YHF
+4hFZ6o94ro9/Ls896A==
 -----END X509 CRL-----
diff --git a/certs/crl/crl2.der b/certs/crl/crl2.der
index f8726dd52..548d7aa92 100644
Binary files a/certs/crl/crl2.der and b/certs/crl/crl2.der differ
diff --git a/certs/crl/crl2.pem b/certs/crl/crl2.pem
index f1fa34a67..e93fe877a 100644
--- a/certs/crl/crl2.pem
+++ b/certs/crl/crl2.pem
@@ -1,80 +1,80 @@
 Certificate Revocation List (CRL):
         Version 2 (0x1)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-        Last Update: Feb 10 19:49:55 2021 GMT
-        Next Update: Nov  7 19:49:55 2023 GMT
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Last Update: Dec 20 23:07:25 2021 GMT
+        Next Update: Sep 15 23:07:25 2024 GMT
         CRL extensions:
             X509v3 CRL Number: 
                 2
 Revoked Certificates:
     Serial Number: 02
-        Revocation Date: Feb 10 19:49:55 2021 GMT
+        Revocation Date: Dec 20 23:07:25 2021 GMT
     Signature Algorithm: sha256WithRSAEncryption
-         64:70:f6:a5:21:76:7d:3b:38:fd:42:a2:91:be:6a:54:05:7a:
-         a5:ce:4d:4c:57:db:d9:7b:5e:3c:86:8f:e8:d7:02:d7:7e:87:
-         9b:f2:0f:35:f3:62:c4:2a:5e:5e:f5:26:40:b1:d4:9a:8d:dc:
-         65:35:76:7e:e7:68:5a:57:66:48:d6:0b:bf:ac:d1:d3:5e:50:
-         40:14:ae:3f:3b:e7:5a:c2:c4:c2:41:ba:77:1d:b2:46:29:f8:
-         42:44:5c:3d:2a:92:87:18:fd:9d:54:11:5d:7b:82:0a:f0:46:
-         d0:c1:56:72:53:9d:85:ac:21:95:ff:65:8e:41:49:d3:be:c4:
-         b8:d0:f3:61:fb:eb:0a:a6:d9:f3:09:13:a9:74:01:2b:6c:8a:
-         08:59:ce:37:52:c4:0e:74:d0:52:56:9d:e1:22:42:13:1e:31:
-         cf:25:be:3e:df:c0:52:26:bf:f9:5b:c9:88:3f:29:4f:2f:80:
-         f9:90:97:cc:29:c8:28:4d:06:e9:d9:8e:a9:6c:1f:92:89:36:
-         67:c2:03:dc:02:99:4e:40:28:be:79:ef:ed:75:86:75:a2:06:
-         47:cd:a6:93:b0:8c:74:3c:97:3a:d2:b8:e2:b5:fb:b4:76:eb:
-         87:9f:97:f3:35:78:ee:d0:49:84:38:f1:2b:5c:5e:12:a1:c6:
-         69:7a:ff:85
+         8b:c0:b8:cb:03:5c:8c:d1:53:b2:c5:b1:4d:f3:b3:e8:13:bf:
+         5f:a7:1a:cc:74:e8:06:66:c1:cb:89:c3:e3:b3:fb:68:4e:8f:
+         d0:5b:33:d8:ed:5e:14:b3:21:c8:c0:06:66:97:6d:69:96:78:
+         bd:a9:d1:59:85:0f:13:29:2d:2f:49:87:94:84:14:94:38:74:
+         04:16:94:10:ea:f2:31:d8:34:b7:65:e8:5e:52:4f:96:ac:bf:
+         5f:4f:6c:ee:5d:04:2a:26:b2:29:7c:9d:06:82:b3:b5:e6:5b:
+         d5:11:72:56:d5:34:75:82:5e:2a:f3:c6:67:72:94:c6:02:83:
+         e8:58:85:2d:73:db:55:30:a2:c2:b1:bb:4c:bf:f6:a2:d8:b3:
+         fc:1b:bd:51:97:4e:f4:c2:04:4f:04:ee:61:e7:51:4b:4f:09:
+         fe:10:5c:3c:1e:e0:cb:51:1f:54:f4:38:3f:6c:58:ee:4e:f8:
+         ca:34:cd:37:ee:bb:06:53:14:c7:60:a4:89:ac:9a:50:4a:b5:
+         9e:b3:59:97:9b:27:5e:5c:fa:14:74:3d:a2:76:62:63:ae:e8:
+         d2:f9:b7:ad:0c:3f:07:40:50:5c:e4:fb:95:3c:3d:df:2e:81:
+         f2:6a:9e:01:69:c3:a2:1e:d7:00:2b:6d:6c:67:f0:fb:13:ce:
+         f1:a5:08:d6
 -----BEGIN X509 CRL-----
 MIICBDCB7QIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMxEDAOBgNV
 BAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3Ro
 MRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
-HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTIxMDIxMDE5NDk1NVoX
-DTIzMTEwNzE5NDk1NVowFDASAgECFw0yMTAyMTAxOTQ5NTVaoA4wDDAKBgNVHRQE
-AwIBAjANBgkqhkiG9w0BAQsFAAOCAQEAZHD2pSF2fTs4/UKikb5qVAV6pc5NTFfb
-2XtePIaP6NcC136Hm/IPNfNixCpeXvUmQLHUmo3cZTV2fudoWldmSNYLv6zR015Q
-QBSuPzvnWsLEwkG6dx2yRin4QkRcPSqShxj9nVQRXXuCCvBG0MFWclOdhawhlf9l
-jkFJ077EuNDzYfvrCqbZ8wkTqXQBK2yKCFnON1LEDnTQUlad4SJCEx4xzyW+Pt/A
-Uia/+VvJiD8pTy+A+ZCXzCnIKE0G6dmOqWwfkok2Z8ID3AKZTkAovnnv7XWGdaIG
-R82mk7CMdDyXOtK44rX7tHbrh5+X8zV47tBJhDjxK1xeEqHGaXr/hQ==
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTIxMTIyMDIzMDcyNVoX
+DTI0MDkxNTIzMDcyNVowFDASAgECFw0yMTEyMjAyMzA3MjVaoA4wDDAKBgNVHRQE
+AwIBAjANBgkqhkiG9w0BAQsFAAOCAQEAi8C4ywNcjNFTssWxTfOz6BO/X6cazHTo
+BmbBy4nD47P7aE6P0Fsz2O1eFLMhyMAGZpdtaZZ4vanRWYUPEyktL0mHlIQUlDh0
+BBaUEOryMdg0t2XoXlJPlqy/X09s7l0EKiayKXydBoKzteZb1RFyVtU0dYJeKvPG
+Z3KUxgKD6FiFLXPbVTCiwrG7TL/2otiz/Bu9UZdO9MIETwTuYedRS08J/hBcPB7g
+y1EfVPQ4P2xY7k74yjTNN+67BlMUx2CkiayaUEq1nrNZl5snXlz6FHQ9onZiY67o
+0vm3rQw/B0BQXOT7lTw93y6B8mqeAWnDoh7XACttbGfw+xPO8aUI1g==
 -----END X509 CRL-----
 Certificate Revocation List (CRL):
         Version 2 (0x1)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: /C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-        Last Update: Feb 10 19:49:55 2021 GMT
-        Next Update: Nov  7 19:49:55 2023 GMT
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_2048, OU = Programming-2048, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Last Update: Dec 20 23:07:25 2021 GMT
+        Next Update: Sep 15 23:07:25 2024 GMT
         CRL extensions:
             X509v3 CRL Number: 
                 1
 No Revoked Certificates.
     Signature Algorithm: sha256WithRSAEncryption
-         06:4d:a9:9b:4a:4c:b9:57:02:ff:06:89:d7:1b:39:3a:0a:64:
-         53:e1:15:93:77:f0:9c:69:f9:66:6d:76:67:2b:12:da:c6:9a:
-         9c:53:c1:3c:e5:17:d3:97:9f:bd:c7:d4:a3:6b:0d:e3:4b:f5:
-         ae:f2:63:58:70:28:e0:ab:09:5f:d1:b1:95:b3:4f:6a:7c:b7:
-         2c:a8:07:ef:d4:39:47:be:6d:31:a0:8f:f3:e9:0e:8a:3a:5f:
-         da:cd:7e:60:1e:cb:53:d9:18:31:7c:dc:d1:2f:ec:26:c8:f5:
-         e0:31:eb:f0:83:71:08:e7:05:bd:79:61:cb:7b:17:70:70:1a:
-         fa:f8:0b:a4:d0:b3:d5:53:ce:b7:88:7f:4d:96:0a:96:0d:28:
-         a3:4e:2c:8b:bb:d6:27:a0:12:b3:cd:78:79:8f:61:29:8a:e6:
-         d0:c6:a5:10:1e:f5:f8:a2:c2:cb:cd:a0:b5:6f:44:62:25:e8:
-         47:63:9f:5c:c3:d9:88:70:e8:a8:12:f5:7e:ba:99:ef:3c:73:
-         02:46:72:60:ea:80:d4:f0:98:2f:47:3f:e5:04:82:51:79:ae:
-         09:2c:60:2c:1d:8d:00:8b:60:27:e1:58:46:ac:48:4c:c6:bc:
-         26:43:72:08:4d:1d:c2:c9:e6:21:e6:0d:e9:19:ac:cb:65:f2:
-         96:9e:ff:d5
+         98:e6:2c:27:b3:f4:ea:70:d8:99:d3:28:27:59:65:aa:2b:65:
+         6d:d1:e6:fe:1b:7f:a9:16:bc:05:1c:fe:05:ee:46:fd:0d:f3:
+         cf:42:d6:99:4a:0c:e7:a7:34:37:12:df:16:bf:de:72:a2:ad:
+         98:73:e7:07:bc:be:ef:51:fb:6e:8b:ce:34:d1:e8:b5:86:6d:
+         c9:75:75:18:d0:4a:84:a0:bc:2c:2a:24:89:1e:2e:8e:e3:72:
+         db:df:94:46:fb:59:41:47:91:71:3d:b2:f7:d8:ce:02:06:63:
+         dc:47:bb:23:f0:19:47:b6:29:b9:e2:ea:63:0d:c9:b0:5f:74:
+         04:59:5b:59:cb:a5:16:8b:fa:c7:09:26:d5:d5:6f:f9:c9:ec:
+         13:21:3c:74:1b:02:da:e6:56:b1:5e:06:7f:07:ab:9a:7b:79:
+         aa:da:46:e4:87:35:10:5b:30:c4:a0:9b:1b:5e:fd:9b:6b:45:
+         bb:82:89:65:bd:f1:b8:6c:ae:31:f3:3f:87:e4:58:c9:f0:5e:
+         02:ed:49:46:46:3c:52:97:d8:fe:02:07:de:2c:b3:4e:c7:13:
+         e6:6f:25:a6:48:eb:01:45:d2:2f:d7:ec:8e:51:c2:de:96:ca:
+         85:da:b0:e7:54:91:dc:71:c9:17:57:d4:dc:06:a0:f9:df:f4:
+         a5:f4:05:bc
 -----BEGIN X509 CRL-----
 MIIB+DCB4QIBATANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCVVMxEDAOBgNV
 BAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZTU0xf
 MjA0ODEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMjA0ODEYMBYGA1UEAwwPd3d3Lndv
-bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yMTAy
-MTAxOTQ5NTVaFw0yMzExMDcxOTQ5NTVaoA4wDDAKBgNVHRQEAwIBATANBgkqhkiG
-9w0BAQsFAAOCAQEABk2pm0pMuVcC/waJ1xs5OgpkU+EVk3fwnGn5Zm12ZysS2saa
-nFPBPOUX05efvcfUo2sN40v1rvJjWHAo4KsJX9GxlbNPany3LKgH79Q5R75tMaCP
-8+kOijpf2s1+YB7LU9kYMXzc0S/sJsj14DHr8INxCOcFvXlhy3sXcHAa+vgLpNCz
-1VPOt4h/TZYKlg0oo04si7vWJ6ASs814eY9hKYrm0MalEB71+KLCy82gtW9EYiXo
-R2OfXMPZiHDoqBL1frqZ7zxzAkZyYOqA1PCYL0c/5QSCUXmuCSxgLB2NAItgJ+FY
-RqxITMa8JkNyCE0dwsnmIeYN6Rmsy2Xylp7/1Q==
+bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yMTEy
+MjAyMzA3MjVaFw0yNDA5MTUyMzA3MjVaoA4wDDAKBgNVHRQEAwIBATANBgkqhkiG
+9w0BAQsFAAOCAQEAmOYsJ7P06nDYmdMoJ1llqitlbdHm/ht/qRa8BRz+Be5G/Q3z
+z0LWmUoM56c0NxLfFr/ecqKtmHPnB7y+71H7bovONNHotYZtyXV1GNBKhKC8LCok
+iR4ujuNy29+URvtZQUeRcT2y99jOAgZj3Ee7I/AZR7YpueLqYw3JsF90BFlbWcul
+Fov6xwkm1dVv+cnsEyE8dBsC2uZWsV4Gfwermnt5qtpG5Ic1EFswxKCbG179m2tF
+u4KJZb3xuGyuMfM/h+RYyfBeAu1JRkY8UpfY/gIH3iyzTscT5m8lpkjrAUXSL9fs
+jlHC3pbKhdqw51SR3HHJF1fU3Aag+d/0pfQFvA==
 -----END X509 CRL-----
diff --git a/certs/crl/eccCliCRL.pem b/certs/crl/eccCliCRL.pem
index da3e77700..ee54c6b40 100644
--- a/certs/crl/eccCliCRL.pem
+++ b/certs/crl/eccCliCRL.pem
@@ -1,26 +1,26 @@
 Certificate Revocation List (CRL):
         Version 2 (0x1)
-    Signature Algorithm: ecdsa-with-SHA256
-        Issuer: /C=US/ST=Oregon/L=Salem/O=Client ECC/OU=Fast/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-        Last Update: Feb 10 19:49:55 2021 GMT
-        Next Update: Nov  7 19:49:55 2023 GMT
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Oregon, L = Salem, O = Client ECC, OU = Fast, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Last Update: Dec 20 23:07:26 2021 GMT
+        Next Update: Sep 15 23:07:26 2024 GMT
         CRL extensions:
             X509v3 CRL Number: 
                 7
 Revoked Certificates:
     Serial Number: 02
-        Revocation Date: Feb 10 19:49:55 2021 GMT
+        Revocation Date: Dec 20 23:07:25 2021 GMT
     Signature Algorithm: ecdsa-with-SHA256
-         30:45:02:20:65:84:ba:e0:1c:9d:4b:be:e8:90:61:64:b6:0e:
-         c6:75:77:9e:dd:ed:08:59:93:7e:86:a9:02:98:b4:01:57:4c:
-         02:21:00:84:76:4a:98:1b:ae:ff:2e:6c:a5:65:3d:25:8f:5c:
-         20:6a:6c:bb:52:02:11:1f:f6:2f:d4:c9:aa:d6:2f:ab:65
+         30:44:02:20:7f:f8:7b:01:25:3c:02:e6:ad:1a:cd:ce:66:72:
+         db:ab:8b:42:3f:24:26:9f:c2:36:86:b7:49:b4:fe:09:05:61:
+         02:20:3f:0c:6c:bf:76:07:72:91:e6:49:bc:4b:23:d3:e1:62:
+         c3:12:b7:92:8c:f6:e2:8a:36:58:b6:49:c2:38:35:0a
 -----BEGIN X509 CRL-----
-MIIBPDCB4wIBATAKBggqhkjOPQQDAjCBjTELMAkGA1UEBhMCVVMxDzANBgNVBAgM
+MIIBOzCB4wIBATAKBggqhkjOPQQDAjCBjTELMAkGA1UEBhMCVVMxDzANBgNVBAgM
 Bk9yZWdvbjEOMAwGA1UEBwwFU2FsZW0xEzARBgNVBAoMCkNsaWVudCBFQ0MxDTAL
 BgNVBAsMBEZhc3QxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3
-DQEJARYQaW5mb0B3b2xmc3NsLmNvbRcNMjEwMjEwMTk0OTU1WhcNMjMxMTA3MTk0
-OTU1WjAUMBICAQIXDTIxMDIxMDE5NDk1NVqgDjAMMAoGA1UdFAQDAgEHMAoGCCqG
-SM49BAMCA0gAMEUCIGWEuuAcnUu+6JBhZLYOxnV3nt3tCFmTfoapApi0AVdMAiEA
-hHZKmBuu/y5spWU9JY9cIGpsu1ICER/2L9TJqtYvq2U=
+DQEJARYQaW5mb0B3b2xmc3NsLmNvbRcNMjExMjIwMjMwNzI2WhcNMjQwOTE1MjMw
+NzI2WjAUMBICAQIXDTIxMTIyMDIzMDcyNVqgDjAMMAoGA1UdFAQDAgEHMAoGCCqG
+SM49BAMCA0cAMEQCIH/4ewElPALmrRrNzmZy26uLQj8kJp/CNoa3SbT+CQVhAiA/
+DGy/dgdykeZJvEsj0+FiwxK3koz24oo2WLZJwjg1Cg==
 -----END X509 CRL-----
diff --git a/certs/crl/eccSrvCRL.pem b/certs/crl/eccSrvCRL.pem
index 4d46f06ee..13fafd7c9 100644
--- a/certs/crl/eccSrvCRL.pem
+++ b/certs/crl/eccSrvCRL.pem
@@ -1,26 +1,26 @@
 Certificate Revocation List (CRL):
         Version 2 (0x1)
-    Signature Algorithm: ecdsa-with-SHA256
-        Issuer: /C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-        Last Update: Feb 10 19:49:55 2021 GMT
-        Next Update: Nov  7 19:49:55 2023 GMT
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Last Update: Dec 20 23:07:26 2021 GMT
+        Next Update: Sep 15 23:07:26 2024 GMT
         CRL extensions:
             X509v3 CRL Number: 
                 8
 Revoked Certificates:
     Serial Number: 02
-        Revocation Date: Feb 10 19:49:55 2021 GMT
+        Revocation Date: Dec 20 23:07:25 2021 GMT
     Signature Algorithm: ecdsa-with-SHA256
-         30:44:02:20:54:0d:dc:8e:be:14:0c:d9:ce:6e:46:67:b9:5e:
-         86:9a:e7:b4:1f:b2:e1:8a:66:90:0f:48:50:ae:49:0c:32:21:
-         02:20:5a:ef:02:db:83:cf:9e:df:d4:d7:9d:60:a5:7a:56:7d:
-         b3:c8:8c:5d:01:33:0f:bd:5e:d0:da:8a:59:e6:e0:42
+         30:46:02:21:00:80:d2:8e:ac:40:68:9b:f9:16:b9:4a:ae:9a:
+         c9:25:d9:6c:6f:ea:ed:c9:97:4a:e4:8e:50:c8:c1:4e:24:36:
+         69:02:21:00:b5:9d:01:c8:8c:2a:1c:a7:57:28:79:fa:94:30:
+         f7:18:d7:c7:78:ab:41:12:0d:de:7b:e0:7d:ee:8a:17:cb:06
 -----BEGIN X509 CRL-----
-MIIBPTCB5QIBATAKBggqhkjOPQQDAjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+MIIBPzCB5QIBATAKBggqhkjOPQQDAjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB0VsaXB0aWMx
 DDAKBgNVBAsMA0VDQzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZI
-hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yMTAyMTAxOTQ5NTVaFw0yMzExMDcx
-OTQ5NTVaMBQwEgIBAhcNMjEwMjEwMTk0OTU1WqAOMAwwCgYDVR0UBAMCAQgwCgYI
-KoZIzj0EAwIDRwAwRAIgVA3cjr4UDNnObkZnuV6Gmue0H7LhimaQD0hQrkkMMiEC
-IFrvAtuDz57f1NedYKV6Vn2zyIxdATMPvV7Q2opZ5uBC
+hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yMTEyMjAyMzA3MjZaFw0yNDA5MTUy
+MzA3MjZaMBQwEgIBAhcNMjExMjIwMjMwNzI1WqAOMAwwCgYDVR0UBAMCAQgwCgYI
+KoZIzj0EAwIDSQAwRgIhAIDSjqxAaJv5FrlKrprJJdlsb+rtyZdK5I5QyMFOJDZp
+AiEAtZ0ByIwqHKdXKHn6lDD3GNfHeKtBEg3ee+B97ooXywY=
 -----END X509 CRL-----
diff --git a/certs/crl/server-goodaltCrl.pem b/certs/crl/server-goodaltCrl.pem
index 8550d9693..a5cbe3ecc 100644
--- a/certs/crl/server-goodaltCrl.pem
+++ b/certs/crl/server-goodaltCrl.pem
@@ -2,37 +2,37 @@ Certificate Revocation List (CRL):
         Version 2 (0x1)
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = www.nomatch.com, emailAddress = info@wolfssl.com
-        Last Update: Jun 15 22:02:33 2021 GMT
-        Next Update: Mar 11 22:02:33 2024 GMT
+        Last Update: Dec 20 23:07:25 2021 GMT
+        Next Update: Sep 15 23:07:25 2024 GMT
         CRL extensions:
             X509v3 CRL Number: 
                 1
 No Revoked Certificates.
     Signature Algorithm: sha256WithRSAEncryption
-         8a:53:b8:29:0e:37:13:d7:8a:f8:3e:d3:c9:20:3b:fa:6c:8a:
-         1c:59:3a:54:4d:93:ca:68:e2:b0:08:b3:23:d1:98:a5:0e:44:
-         4c:19:e7:de:a1:e4:56:6e:c5:d2:9a:05:d4:d5:c7:07:8d:65:
-         ca:df:cf:5e:89:74:d3:9d:3f:1f:c4:1e:f2:cf:5c:e0:c7:a8:
-         23:cc:c3:db:cb:f6:9d:55:3a:9d:7a:7a:4b:c7:b8:7e:d1:6f:
-         17:d2:a3:03:2d:9f:97:12:12:e8:75:a0:2e:64:3e:f5:ae:72:
-         a6:52:4a:9d:fe:39:f5:82:fc:d7:cf:34:4d:c2:23:eb:64:95:
-         44:e6:1d:4b:2b:26:87:6e:3a:d0:e9:93:26:f7:a5:fd:45:66:
-         79:1f:14:93:1e:5d:92:07:f0:a1:53:ae:c3:32:b7:17:be:85:
-         57:cb:4d:a3:1f:26:71:be:ae:21:10:4f:df:6d:3e:ca:0a:84:
-         4c:b7:d2:29:b2:34:3e:5d:aa:0b:16:e1:c4:92:cc:aa:2d:13:
-         f0:7d:1d:cf:52:ff:15:4e:12:b3:ff:d9:b6:72:06:be:26:f7:
-         78:85:2d:ba:65:4a:55:85:85:71:47:8d:fd:23:68:c8:cd:8b:
-         de:d3:8b:33:56:77:03:72:41:d6:29:81:d9:bf:ae:bb:55:3b:
-         da:b0:bc:b8
+         1a:03:c0:19:f9:93:90:b3:b8:7e:f1:49:40:c0:3e:f7:5d:cb:
+         a4:6e:33:12:db:b2:e9:94:e2:e3:56:bb:fa:b1:2a:7b:48:53:
+         f4:92:84:0d:cc:71:b1:e9:64:b3:97:73:ef:8d:fe:71:17:3f:
+         f1:cf:fc:c0:c2:1f:40:02:1c:0b:0a:3c:c2:2d:6c:5c:8a:6f:
+         08:ce:5e:0a:c7:26:be:dd:ec:1b:42:46:8e:8c:0d:5c:0d:18:
+         a9:47:23:a8:7d:b2:eb:54:0f:b9:44:ff:fb:15:ac:ff:e2:81:
+         a6:66:18:3a:2d:d7:5e:58:fe:9e:ed:04:c0:af:c7:07:f9:80:
+         1c:68:57:a6:2b:a6:be:4e:83:83:4d:97:f6:78:6c:59:09:c1:
+         29:58:f0:dd:34:d3:4b:63:94:b5:0b:0f:8e:1d:29:c4:f0:91:
+         fc:17:8a:01:98:fe:d8:76:c7:ee:42:a3:a3:b0:b1:8d:b6:55:
+         a9:37:bf:ab:97:6b:a4:df:57:5e:5f:b4:9b:96:af:35:07:24:
+         c1:6d:d9:96:53:54:31:c1:4a:58:5e:92:7f:e7:33:25:bd:03:
+         bf:2c:f8:15:f8:42:52:af:89:40:f6:e4:3d:b3:82:37:d1:67:
+         fd:a2:a9:a0:bc:57:82:25:46:08:1f:d7:fb:d5:17:40:c3:85:
+         d0:d0:9f:cd
 -----BEGIN X509 CRL-----
 MIIB3DCBxQIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCVVMxEDAOBgNV
 BAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAsMC0VuZ2luZWVy
 aW5nMRgwFgYDVQQDDA93d3cubm9tYXRjaC5jb20xHzAdBgkqhkiG9w0BCQEWEGlu
-Zm9Ad29sZnNzbC5jb20XDTIxMDYxNTIyMDIzM1oXDTI0MDMxMTIyMDIzM1qgDjAM
-MAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBCwUAA4IBAQCKU7gpDjcT14r4PtPJIDv6
-bIocWTpUTZPKaOKwCLMj0ZilDkRMGefeoeRWbsXSmgXU1ccHjWXK389eiXTTnT8f
-xB7yz1zgx6gjzMPby/adVTqdenpLx7h+0W8X0qMDLZ+XEhLodaAuZD71rnKmUkqd
-/jn1gvzXzzRNwiPrZJVE5h1LKyaHbjrQ6ZMm96X9RWZ5HxSTHl2SB/ChU67DMrcX
-voVXy02jHyZxvq4hEE/fbT7KCoRMt9IpsjQ+XaoLFuHEksyqLRPwfR3PUv8VThKz
-/9m2cga+Jvd4hS26ZUpVhYVxR439I2jIzYve04szVncDckHWKYHZv667VTvasLy4
+Zm9Ad29sZnNzbC5jb20XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVqgDjAM
+MAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBCwUAA4IBAQAaA8AZ+ZOQs7h+8UlAwD73
+XcukbjMS27LplOLjVrv6sSp7SFP0koQNzHGx6WSzl3Pvjf5xFz/xz/zAwh9AAhwL
+CjzCLWxcim8Izl4Kxya+3ewbQkaOjA1cDRipRyOofbLrVA+5RP/7Faz/4oGmZhg6
+LddeWP6e7QTAr8cH+YAcaFemK6a+ToODTZf2eGxZCcEpWPDdNNNLY5S1Cw+OHSnE
+8JH8F4oBmP7YdsfuQqOjsLGNtlWpN7+rl2uk31deX7Sblq81ByTBbdmWU1QxwUpY
+XpJ/5zMlvQO/LPgV+EJSr4lA9uQ9s4I30Wf9oqmgvFeCJUYIH9f71RdAw4XQ0J/N
 -----END X509 CRL-----
diff --git a/certs/crl/server-goodaltwildCrl.pem b/certs/crl/server-goodaltwildCrl.pem
index 8550d9693..a5cbe3ecc 100644
--- a/certs/crl/server-goodaltwildCrl.pem
+++ b/certs/crl/server-goodaltwildCrl.pem
@@ -2,37 +2,37 @@ Certificate Revocation List (CRL):
         Version 2 (0x1)
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = www.nomatch.com, emailAddress = info@wolfssl.com
-        Last Update: Jun 15 22:02:33 2021 GMT
-        Next Update: Mar 11 22:02:33 2024 GMT
+        Last Update: Dec 20 23:07:25 2021 GMT
+        Next Update: Sep 15 23:07:25 2024 GMT
         CRL extensions:
             X509v3 CRL Number: 
                 1
 No Revoked Certificates.
     Signature Algorithm: sha256WithRSAEncryption
-         8a:53:b8:29:0e:37:13:d7:8a:f8:3e:d3:c9:20:3b:fa:6c:8a:
-         1c:59:3a:54:4d:93:ca:68:e2:b0:08:b3:23:d1:98:a5:0e:44:
-         4c:19:e7:de:a1:e4:56:6e:c5:d2:9a:05:d4:d5:c7:07:8d:65:
-         ca:df:cf:5e:89:74:d3:9d:3f:1f:c4:1e:f2:cf:5c:e0:c7:a8:
-         23:cc:c3:db:cb:f6:9d:55:3a:9d:7a:7a:4b:c7:b8:7e:d1:6f:
-         17:d2:a3:03:2d:9f:97:12:12:e8:75:a0:2e:64:3e:f5:ae:72:
-         a6:52:4a:9d:fe:39:f5:82:fc:d7:cf:34:4d:c2:23:eb:64:95:
-         44:e6:1d:4b:2b:26:87:6e:3a:d0:e9:93:26:f7:a5:fd:45:66:
-         79:1f:14:93:1e:5d:92:07:f0:a1:53:ae:c3:32:b7:17:be:85:
-         57:cb:4d:a3:1f:26:71:be:ae:21:10:4f:df:6d:3e:ca:0a:84:
-         4c:b7:d2:29:b2:34:3e:5d:aa:0b:16:e1:c4:92:cc:aa:2d:13:
-         f0:7d:1d:cf:52:ff:15:4e:12:b3:ff:d9:b6:72:06:be:26:f7:
-         78:85:2d:ba:65:4a:55:85:85:71:47:8d:fd:23:68:c8:cd:8b:
-         de:d3:8b:33:56:77:03:72:41:d6:29:81:d9:bf:ae:bb:55:3b:
-         da:b0:bc:b8
+         1a:03:c0:19:f9:93:90:b3:b8:7e:f1:49:40:c0:3e:f7:5d:cb:
+         a4:6e:33:12:db:b2:e9:94:e2:e3:56:bb:fa:b1:2a:7b:48:53:
+         f4:92:84:0d:cc:71:b1:e9:64:b3:97:73:ef:8d:fe:71:17:3f:
+         f1:cf:fc:c0:c2:1f:40:02:1c:0b:0a:3c:c2:2d:6c:5c:8a:6f:
+         08:ce:5e:0a:c7:26:be:dd:ec:1b:42:46:8e:8c:0d:5c:0d:18:
+         a9:47:23:a8:7d:b2:eb:54:0f:b9:44:ff:fb:15:ac:ff:e2:81:
+         a6:66:18:3a:2d:d7:5e:58:fe:9e:ed:04:c0:af:c7:07:f9:80:
+         1c:68:57:a6:2b:a6:be:4e:83:83:4d:97:f6:78:6c:59:09:c1:
+         29:58:f0:dd:34:d3:4b:63:94:b5:0b:0f:8e:1d:29:c4:f0:91:
+         fc:17:8a:01:98:fe:d8:76:c7:ee:42:a3:a3:b0:b1:8d:b6:55:
+         a9:37:bf:ab:97:6b:a4:df:57:5e:5f:b4:9b:96:af:35:07:24:
+         c1:6d:d9:96:53:54:31:c1:4a:58:5e:92:7f:e7:33:25:bd:03:
+         bf:2c:f8:15:f8:42:52:af:89:40:f6:e4:3d:b3:82:37:d1:67:
+         fd:a2:a9:a0:bc:57:82:25:46:08:1f:d7:fb:d5:17:40:c3:85:
+         d0:d0:9f:cd
 -----BEGIN X509 CRL-----
 MIIB3DCBxQIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCVVMxEDAOBgNV
 BAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAsMC0VuZ2luZWVy
 aW5nMRgwFgYDVQQDDA93d3cubm9tYXRjaC5jb20xHzAdBgkqhkiG9w0BCQEWEGlu
-Zm9Ad29sZnNzbC5jb20XDTIxMDYxNTIyMDIzM1oXDTI0MDMxMTIyMDIzM1qgDjAM
-MAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBCwUAA4IBAQCKU7gpDjcT14r4PtPJIDv6
-bIocWTpUTZPKaOKwCLMj0ZilDkRMGefeoeRWbsXSmgXU1ccHjWXK389eiXTTnT8f
-xB7yz1zgx6gjzMPby/adVTqdenpLx7h+0W8X0qMDLZ+XEhLodaAuZD71rnKmUkqd
-/jn1gvzXzzRNwiPrZJVE5h1LKyaHbjrQ6ZMm96X9RWZ5HxSTHl2SB/ChU67DMrcX
-voVXy02jHyZxvq4hEE/fbT7KCoRMt9IpsjQ+XaoLFuHEksyqLRPwfR3PUv8VThKz
-/9m2cga+Jvd4hS26ZUpVhYVxR439I2jIzYve04szVncDckHWKYHZv667VTvasLy4
+Zm9Ad29sZnNzbC5jb20XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVqgDjAM
+MAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBCwUAA4IBAQAaA8AZ+ZOQs7h+8UlAwD73
+XcukbjMS27LplOLjVrv6sSp7SFP0koQNzHGx6WSzl3Pvjf5xFz/xz/zAwh9AAhwL
+CjzCLWxcim8Izl4Kxya+3ewbQkaOjA1cDRipRyOofbLrVA+5RP/7Faz/4oGmZhg6
+LddeWP6e7QTAr8cH+YAcaFemK6a+ToODTZf2eGxZCcEpWPDdNNNLY5S1Cw+OHSnE
+8JH8F4oBmP7YdsfuQqOjsLGNtlWpN7+rl2uk31deX7Sblq81ByTBbdmWU1QxwUpY
+XpJ/5zMlvQO/LPgV+EJSr4lA9uQ9s4I30Wf9oqmgvFeCJUYIH9f71RdAw4XQ0J/N
 -----END X509 CRL-----
diff --git a/certs/crl/server-goodcnCrl.pem b/certs/crl/server-goodcnCrl.pem
index a68d97881..3bc3483a8 100644
--- a/certs/crl/server-goodcnCrl.pem
+++ b/certs/crl/server-goodcnCrl.pem
@@ -2,37 +2,37 @@ Certificate Revocation List (CRL):
         Version 2 (0x1)
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
-        Last Update: Jun 15 22:02:33 2021 GMT
-        Next Update: Mar 11 22:02:33 2024 GMT
+        Last Update: Dec 20 23:07:25 2021 GMT
+        Next Update: Sep 15 23:07:25 2024 GMT
         CRL extensions:
             X509v3 CRL Number: 
                 1
 No Revoked Certificates.
     Signature Algorithm: sha256WithRSAEncryption
-         00:64:45:a0:7a:db:6a:39:fb:5b:ac:38:18:9c:dd:62:a9:8d:
-         8f:76:64:1f:42:07:81:81:57:e3:58:14:cd:5c:49:53:cb:30:
-         fc:4e:28:0d:29:8e:12:96:f7:d3:59:87:27:cf:b9:70:95:79:
-         dc:2a:08:ce:0c:e8:96:fc:95:b3:d0:89:18:8d:7a:80:45:dc:
-         66:32:3b:e7:65:93:ed:87:59:f5:4b:4d:c9:88:f2:54:e3:b0:
-         d5:3d:29:1f:ff:01:7f:13:88:5b:1a:0c:bd:84:c0:ab:ea:7a:
-         cb:ea:bb:80:35:fa:e5:5d:72:8c:2b:5a:48:2d:b6:c7:90:fa:
-         32:71:e4:f5:ec:59:a0:b5:38:7e:0a:68:d7:f3:ab:c8:a1:33:
-         b6:1f:54:11:d1:a4:87:d7:a6:99:2f:c1:08:0a:a6:e8:91:12:
-         a9:e7:fe:46:84:a2:a8:6a:40:c8:b5:6c:28:f5:ad:80:34:98:
-         69:ae:a5:16:ca:e9:85:07:21:39:11:be:82:f0:9d:dc:6c:af:
-         24:8a:05:e9:26:14:c2:d5:f0:12:ba:73:dc:73:b9:31:24:5f:
-         a1:d5:cc:a5:f2:f3:85:33:b2:2b:50:8f:33:c9:85:b1:b9:20:
-         37:a8:92:55:66:45:06:da:3c:7b:85:c0:70:6d:fd:ae:e6:17:
-         5b:78:40:ae
+         93:03:a4:cc:d0:c4:8c:52:2e:08:a5:d3:fc:73:bb:2b:12:1a:
+         b5:21:c7:e0:78:1e:1a:32:b2:3b:3c:da:b7:33:7e:37:2c:55:
+         3e:ec:f0:97:e1:b5:a6:b4:1a:8d:c5:a3:a1:3f:5e:65:b0:45:
+         43:24:8b:d2:1d:8b:12:7d:b3:c8:2d:2b:38:01:af:e8:e5:41:
+         c1:21:be:cc:39:71:46:5e:b3:af:91:d7:ab:6e:1d:14:fc:1a:
+         5e:66:06:94:25:03:62:b9:bd:24:a3:5d:1b:ad:b9:92:3a:6d:
+         57:f4:ec:7d:d1:86:41:f6:74:a0:21:32:70:ff:aa:e2:7f:5c:
+         f0:5a:b4:2b:37:71:0d:38:84:9e:e6:b8:6f:6d:7a:ba:9e:c3:
+         fd:bc:4d:a0:38:5f:ac:88:67:69:a7:cc:7a:2b:7e:76:16:e8:
+         18:95:af:ab:91:58:1c:94:97:a4:d0:7b:ed:4e:5f:f4:59:82:
+         84:2d:6a:25:12:0b:76:75:00:7c:64:28:7c:59:13:3c:a9:14:
+         db:83:49:e2:2d:34:c4:34:d6:fa:e1:9f:9d:e2:a1:0c:d5:fc:
+         69:ab:8c:97:14:97:c7:66:37:90:09:68:d1:8b:30:86:ca:d1:
+         89:ed:00:48:0c:61:80:08:1f:9e:ad:87:5c:84:cd:3b:8d:4a:
+         df:3b:66:07
 -----BEGIN X509 CRL-----
 MIIB1TCBvgIBATANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJVUzEQMA4GA1UE
 CAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEUMBIGA1UECwwLRW5naW5lZXJp
 bmcxEjAQBgNVBAMMCWxvY2FsaG9zdDEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm
-c3NsLmNvbRcNMjEwNjE1MjIwMjMzWhcNMjQwMzExMjIwMjMzWqAOMAwwCgYDVR0U
-BAMCAQEwDQYJKoZIhvcNAQELBQADggEBAABkRaB622o5+1usOBic3WKpjY92ZB9C
-B4GBV+NYFM1cSVPLMPxOKA0pjhKW99NZhyfPuXCVedwqCM4M6Jb8lbPQiRiNeoBF
-3GYyO+dlk+2HWfVLTcmI8lTjsNU9KR//AX8TiFsaDL2EwKvqesvqu4A1+uVdcowr
-WkgttseQ+jJx5PXsWaC1OH4KaNfzq8ihM7YfVBHRpIfXppkvwQgKpuiREqnn/kaE
-oqhqQMi1bCj1rYA0mGmupRbK6YUHITkRvoLwndxsrySKBekmFMLV8BK6c9xzuTEk
-X6HVzKXy84UzsitQjzPJhbG5IDeoklVmRQbaPHuFwHBt/a7mF1t4QK4=
+c3NsLmNvbRcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WqAOMAwwCgYDVR0U
+BAMCAQEwDQYJKoZIhvcNAQELBQADggEBAJMDpMzQxIxSLgil0/xzuysSGrUhx+B4
+Hhoysjs82rczfjcsVT7s8Jfhtaa0Go3Fo6E/XmWwRUMki9IdixJ9s8gtKzgBr+jl
+QcEhvsw5cUZes6+R16tuHRT8Gl5mBpQlA2K5vSSjXRutuZI6bVf07H3RhkH2dKAh
+MnD/quJ/XPBatCs3cQ04hJ7muG9terqew/28TaA4X6yIZ2mnzHorfnYW6BiVr6uR
+WByUl6TQe+1OX/RZgoQtaiUSC3Z1AHxkKHxZEzypFNuDSeItNMQ01vrhn53ioQzV
+/GmrjJcUl8dmN5AJaNGLMIbK0YntAEgMYYAIH56th1yEzTuNSt87Zgc=
 -----END X509 CRL-----
diff --git a/certs/crl/server-goodcnwildCrl.pem b/certs/crl/server-goodcnwildCrl.pem
index cb82df6ff..04cf857b6 100644
--- a/certs/crl/server-goodcnwildCrl.pem
+++ b/certs/crl/server-goodcnwildCrl.pem
@@ -2,37 +2,37 @@ Certificate Revocation List (CRL):
         Version 2 (0x1)
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = *localhost, emailAddress = info@wolfssl.com
-        Last Update: Jun 15 22:02:33 2021 GMT
-        Next Update: Mar 11 22:02:33 2024 GMT
+        Last Update: Dec 20 23:07:25 2021 GMT
+        Next Update: Sep 15 23:07:25 2024 GMT
         CRL extensions:
             X509v3 CRL Number: 
                 1
 No Revoked Certificates.
     Signature Algorithm: sha256WithRSAEncryption
-         70:25:b0:87:e0:58:78:55:a7:8f:4a:53:b8:46:39:2f:5f:fe:
-         7a:29:a9:e6:78:f4:3f:e4:ce:95:3f:fe:08:d2:7e:30:2e:7c:
-         2f:a2:9d:1d:30:36:35:6e:e6:20:89:58:d4:d8:23:42:dd:ae:
-         8a:63:3f:4c:20:14:40:24:0f:cd:a4:5e:da:1e:32:c1:08:fe:
-         b9:48:87:d4:07:dc:1e:0f:a5:5c:a7:5c:fe:20:96:54:60:69:
-         6c:dd:e2:55:77:e5:d1:b0:6e:b1:fb:a1:2b:89:59:55:ba:f1:
-         fd:23:bc:05:33:29:7c:5f:63:f3:ed:47:8a:db:46:f2:df:cd:
-         b4:57:55:28:25:0f:be:41:97:c7:69:cf:b7:36:e2:d4:13:8d:
-         53:dc:a6:3e:fb:e0:0a:98:bc:6d:3a:86:4b:13:3f:a2:a0:06:
-         97:d0:c9:2b:48:9f:a2:66:39:cb:64:07:cc:32:64:51:11:fb:
-         76:1d:28:af:89:8f:ba:f3:7f:1a:6b:b6:b7:1e:0d:6e:70:55:
-         ae:12:0b:af:8d:1c:46:f7:33:b3:36:8b:28:cb:9d:da:95:9e:
-         93:c6:8d:d3:c6:81:bf:93:01:99:dd:90:8e:20:89:6d:1f:cd:
-         e8:f2:0e:e3:26:a6:e8:ec:04:4c:4d:43:3f:d2:28:bd:e2:03:
-         c5:dc:e6:96
+         41:28:dc:c0:e0:86:a1:95:7d:23:ea:4d:7a:78:dc:be:1c:6f:
+         f9:d9:c9:53:ab:a0:60:4d:b9:68:22:b5:21:4c:b8:34:66:a4:
+         3e:ca:2d:52:c8:47:44:e9:00:47:8a:8c:2a:f0:2f:1e:6d:f9:
+         78:9b:a4:ab:28:e9:4f:f7:13:d9:f7:fe:47:c1:2c:e0:df:21:
+         5f:7e:29:fe:f0:50:46:6c:0b:8d:fd:94:08:c1:8c:45:54:b4:
+         f7:2b:a7:b9:a9:14:a0:a9:35:d7:f1:96:22:0d:41:94:2c:80:
+         55:d7:c8:cb:ee:fc:28:61:16:f7:50:a8:1b:26:2e:08:c7:15:
+         84:bc:55:96:5c:0e:91:de:a6:63:7c:37:fe:a5:70:2d:a0:bb:
+         65:b3:35:3e:77:90:d0:00:d4:d6:ac:ae:b1:3f:9f:eb:b1:28:
+         95:4c:21:27:65:d1:6d:4a:74:51:76:a8:c3:e0:c0:a7:a1:f6:
+         76:59:b9:f4:b1:96:4e:e3:ab:6a:ec:0c:46:21:15:5e:e8:a0:
+         59:25:ac:b7:94:04:90:09:82:22:83:23:a9:19:50:12:bd:54:
+         44:b0:b2:83:15:32:fa:99:b5:22:33:35:ca:47:d6:52:e3:59:
+         f1:6b:ea:39:59:5c:81:1c:36:56:5a:27:4b:0f:5f:d6:39:9d:
+         d0:4c:44:b4
 -----BEGIN X509 CRL-----
 MIIB1jCBvwIBATANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJVUzEQMA4GA1UE
 CAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEUMBIGA1UECwwLRW5naW5lZXJp
 bmcxEzARBgNVBAMMCipsb2NhbGhvc3QxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s
-ZnNzbC5jb20XDTIxMDYxNTIyMDIzM1oXDTI0MDMxMTIyMDIzM1qgDjAMMAoGA1Ud
-FAQDAgEBMA0GCSqGSIb3DQEBCwUAA4IBAQBwJbCH4Fh4VaePSlO4RjkvX/56Kanm
-ePQ/5M6VP/4I0n4wLnwvop0dMDY1buYgiVjU2CNC3a6KYz9MIBRAJA/NpF7aHjLB
-CP65SIfUB9weD6Vcp1z+IJZUYGls3eJVd+XRsG6x+6EriVlVuvH9I7wFMyl8X2Pz
-7UeK20by3820V1UoJQ++QZfHac+3NuLUE41T3KY+++AKmLxtOoZLEz+ioAaX0Mkr
-SJ+iZjnLZAfMMmRREft2HSiviY+6838aa7a3Hg1ucFWuEguvjRxG9zOzNosoy53a
-lZ6Txo3TxoG/kwGZ3ZCOIIltH83o8g7jJqbo7ARMTUM/0ii94gPF3OaW
+ZnNzbC5jb20XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVqgDjAMMAoGA1Ud
+FAQDAgEBMA0GCSqGSIb3DQEBCwUAA4IBAQBBKNzA4IahlX0j6k16eNy+HG/52clT
+q6BgTbloIrUhTLg0ZqQ+yi1SyEdE6QBHiowq8C8ebfl4m6SrKOlP9xPZ9/5HwSzg
+3yFffin+8FBGbAuN/ZQIwYxFVLT3K6e5qRSgqTXX8ZYiDUGULIBV18jL7vwoYRb3
+UKgbJi4IxxWEvFWWXA6R3qZjfDf+pXAtoLtlszU+d5DQANTWrK6xP5/rsSiVTCEn
+ZdFtSnRRdqjD4MCnofZ2Wbn0sZZO46tq7AxGIRVe6KBZJay3lASQCYIigyOpGVAS
+vVREsLKDFTL6mbUiMzXKR9ZS41nxa+o5WVyBHDZWWidLD1/WOZ3QTES0
 -----END X509 CRL-----
diff --git a/certs/ecc-privOnlyCert.pem b/certs/ecc-privOnlyCert.pem
index 9952d01a1..81e20abea 100644
--- a/certs/ecc-privOnlyCert.pem
+++ b/certs/ecc-privOnlyCert.pem
@@ -1,9 +1,9 @@
 -----BEGIN CERTIFICATE-----
-MIIBIzCBygIJAIxrmIr/9d3gMAoGCCqGSM49BAMCMBoxCzAJBgNVBAoMAldSMQsw
-CQYDVQQDDAJERTAeFw0yMTAyMTAxOTQ5NTNaFw0yMzExMDcxOTQ5NTNaMBoxCzAJ
-BgNVBAoMAldSMQswCQYDVQQDDAJERTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BCXA/Ra4K/K4Ch7drM5iUnxYCmB9V3XavRHB1SrqVGt25j02991Rl2uoJv57pr2W
-VYVQnZp+aQHYQ0WJ2f5KKyYwCgYIKoZIzj0EAwIDSAAwRQIhAMaYJZ3Mpdbd/o0j
-o9X5/HUj5T15lRzwDVMbDy+DjOV3AiBEmFWgnQ3Xii2xcrHOyEG/iLzqZ5JuJqq/
-j9BaGBwdlA==
+MIIBLjCB1QIUF965sDpa/sfsWv1HigVT4n3a8RkwCgYIKoZIzj0EAwIwGjELMAkG
+A1UECgwCV1IxCzAJBgNVBAMMAkRFMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIz
+MDcyNVowGjELMAkGA1UECgwCV1IxCzAJBgNVBAMMAkRFMFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAEJcD9Frgr8rgKHt2szmJSfFgKYH1Xddq9EcHVKupUa3bmPTb3
+3VGXa6gm/numvZZVhVCdmn5pAdhDRYnZ/korJjAKBggqhkjOPQQDAgNIADBFAiAz
+UkaLZfsxiQZ1eksr+DmUEDc6uxoJZbIXm6ZZe7FYBgIhAKgoyqyJ0NumdR/bkAbc
+XaUopgqv2gLSypLgiRWsE4te
 -----END CERTIFICATE-----
diff --git a/certs/ecc-rsa-server.p12 b/certs/ecc-rsa-server.p12
index d9de67f71..98db13b2e 100644
Binary files a/certs/ecc-rsa-server.p12 and b/certs/ecc-rsa-server.p12 differ
diff --git a/certs/ecc/bp256r1-key.der b/certs/ecc/bp256r1-key.der
index 86b9407ef..24fb3f61e 100644
Binary files a/certs/ecc/bp256r1-key.der and b/certs/ecc/bp256r1-key.der differ
diff --git a/certs/ecc/bp256r1-key.pem b/certs/ecc/bp256r1-key.pem
index 165d0a867..592a6459a 100644
--- a/certs/ecc/bp256r1-key.pem
+++ b/certs/ecc/bp256r1-key.pem
@@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHgCAQEEIALRjSn7gQicLnRopI92xvo14rrdLVl0IEzDB40t3Pa7oAsGCSskAwMC
-CAEBB6FEA0IABC7vJ8tXOtxiJba1QlzuKVbjqM6GbkRSIxXIQ8BiEBYeSsuI0HXg
-OGuAhGSfcKrYuzOQwduBRq7pgckDabXOres=
+MHgCAQEEIEnTbJH3PQMWXFs1LveV+8qEYXGzmzC97+IDxRFtg2sXoAsGCSskAwMC
+CAEBB6FEA0IABJ0I3Fm3EF3kWH6qYt16iWnStRgoXSIxfG+luzGQQiDtnCnqSnQz
+oZNPmiZyYRxLcjmfrGPVskLfDrTyfsdI6ww=
 -----END EC PRIVATE KEY-----
diff --git a/certs/ecc/client-bp256r1-cert.der b/certs/ecc/client-bp256r1-cert.der
index 2a70bc9fe..6526379f7 100644
Binary files a/certs/ecc/client-bp256r1-cert.der and b/certs/ecc/client-bp256r1-cert.der differ
diff --git a/certs/ecc/client-bp256r1-cert.pem b/certs/ecc/client-bp256r1-cert.pem
index bdc13916e..7435009a9 100644
--- a/certs/ecc/client-bp256r1-cert.pem
+++ b/certs/ecc/client-bp256r1-cert.pem
@@ -2,22 +2,22 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            23:c2:32:32:87:c0:20:35:77:e6:56:4b:ba:d3:ba:19:de:0e:ed:9e
+            3b:df:ba:29:40:bb:87:11:98:a2:b0:54:45:eb:7a:53:02:3a:89:72
         Signature Algorithm: ecdsa-with-SHA256
         Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256BPR1-CLI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Oct 15 20:13:58 2020 GMT
-            Not After : Oct 13 20:13:58 2030 GMT
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Dec 18 23:07:24 2031 GMT
         Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256BPR1-CLI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
                 pub:
-                    04:2e:ef:27:cb:57:3a:dc:62:25:b6:b5:42:5c:ee:
-                    29:56:e3:a8:ce:86:6e:44:52:23:15:c8:43:c0:62:
-                    10:16:1e:4a:cb:88:d0:75:e0:38:6b:80:84:64:9f:
-                    70:aa:d8:bb:33:90:c1:db:81:46:ae:e9:81:c9:03:
-                    69:b5:ce:ad:eb
+                    04:9d:08:dc:59:b7:10:5d:e4:58:7e:aa:62:dd:7a:
+                    89:69:d2:b5:18:28:5d:22:31:7c:6f:a5:bb:31:90:
+                    42:20:ed:9c:29:ea:4a:74:33:a1:93:4f:9a:26:72:
+                    61:1c:4b:72:39:9f:ac:63:d5:b2:42:df:0e:b4:f2:
+                    7e:c7:48:eb:0c
                 ASN1 OID: brainpoolP256r1
         X509v3 extensions:
             X509v3 Basic Constraints: 
@@ -25,33 +25,33 @@ Certificate:
             Netscape Cert Type: 
                 SSL Client, S/MIME
             X509v3 Subject Key Identifier: 
-                B4:1B:3B:4F:65:F2:BF:9E:8A:8F:E3:33:96:44:1F:67:EA:B3:34:D5
+                CF:BD:08:4A:BF:DC:D1:7C:E9:D9:FE:E8:3B:FA:84:63:07:7C:88:DB
             X509v3 Authority Key Identifier: 
-                keyid:B4:1B:3B:4F:65:F2:BF:9E:8A:8F:E3:33:96:44:1F:67:EA:B3:34:D5
+                keyid:CF:BD:08:4A:BF:DC:D1:7C:E9:D9:FE:E8:3B:FA:84:63:07:7C:88:DB
 
             X509v3 Key Usage: critical
                 Digital Signature, Non Repudiation, Key Encipherment
             X509v3 Extended Key Usage: 
                 TLS Web Client Authentication, E-mail Protection
     Signature Algorithm: ecdsa-with-SHA256
-         30:44:02:20:28:b6:b4:eb:ae:c1:9b:71:0a:15:92:93:d6:2d:
-         12:a6:ff:2d:2a:f5:23:a8:e2:df:6c:d9:33:d4:7f:e9:2e:08:
-         02:20:33:eb:45:aa:c1:7c:36:c1:60:52:09:0e:2d:e4:2a:49:
-         1d:d8:b2:c5:79:3e:be:d4:61:c5:14:d0:b6:f2:42:d4
+         30:45:02:21:00:81:4c:2c:5d:44:da:ec:e4:9c:df:a8:c6:93:
+         ad:fa:45:68:43:6a:c2:63:00:60:e7:a6:3a:01:c4:95:ed:d8:
+         dd:02:20:74:94:80:83:97:25:17:6d:8a:28:dd:31:c7:ee:2a:
+         d9:13:f8:3b:48:a0:88:15:26:79:df:d4:00:7c:07:58:f8
 -----BEGIN CERTIFICATE-----
-MIICyTCCAnCgAwIBAgIUI8IyMofAIDV35lZLutO6Gd4O7Z4wCgYIKoZIzj0EAwIw
+MIICyjCCAnCgAwIBAgIUO9+6KUC7hxGYorBURet6UwI6iXIwCgYIKoZIzj0EAwIw
 gZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
 ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcwFQYDVQQLDA5FQ0MyNTZCUFIxLUNM
 STEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZv
-QHdvbGZzc2wuY29tMB4XDTIwMTAxNTIwMTM1OFoXDTMwMTAxMzIwMTM1OFowgZox
+QHdvbGZzc2wuY29tMB4XDTIxMTIyMDIzMDcyNFoXDTMxMTIxODIzMDcyNFowgZox
 CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0
 dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcwFQYDVQQLDA5FQ0MyNTZCUFIxLUNMSTEY
 MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
-bGZzc2wuY29tMFowFAYHKoZIzj0CAQYJKyQDAwIIAQEHA0IABC7vJ8tXOtxiJba1
-QlzuKVbjqM6GbkRSIxXIQ8BiEBYeSsuI0HXgOGuAhGSfcKrYuzOQwduBRq7pgckD
-abXOreujgZAwgY0wCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwHQYDVR0O
-BBYEFLQbO09l8r+eio/jM5ZEH2fqszTVMB8GA1UdIwQYMBaAFLQbO09l8r+eio/j
-M5ZEH2fqszTVMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYI
-KwYBBQUHAwQwCgYIKoZIzj0EAwIDRwAwRAIgKLa0667Bm3EKFZKT1i0Spv8tKvUj
-qOLfbNkz1H/pLggCIDPrRarBfDbBYFIJDi3kKkkd2LLFeT6+1GHFFNC28kLU
+bGZzc2wuY29tMFowFAYHKoZIzj0CAQYJKyQDAwIIAQEHA0IABJ0I3Fm3EF3kWH6q
+Yt16iWnStRgoXSIxfG+luzGQQiDtnCnqSnQzoZNPmiZyYRxLcjmfrGPVskLfDrTy
+fsdI6wyjgZAwgY0wCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwHQYDVR0O
+BBYEFM+9CEq/3NF86dn+6Dv6hGMHfIjbMB8GA1UdIwQYMBaAFM+9CEq/3NF86dn+
+6Dv6hGMHfIjbMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYI
+KwYBBQUHAwQwCgYIKoZIzj0EAwIDSAAwRQIhAIFMLF1E2uzknN+oxpOt+kVoQ2rC
+YwBg56Y6AcSV7djdAiB0lICDlyUXbYoo3THH7irZE/g7SKCIFSZ539QAfAdY+A==
 -----END CERTIFICATE-----
diff --git a/certs/ecc/client-secp256k1-cert.der b/certs/ecc/client-secp256k1-cert.der
index 1185dc21e..e647131fa 100644
Binary files a/certs/ecc/client-secp256k1-cert.der and b/certs/ecc/client-secp256k1-cert.der differ
diff --git a/certs/ecc/client-secp256k1-cert.pem b/certs/ecc/client-secp256k1-cert.pem
index 0d03c0889..3741c76af 100644
--- a/certs/ecc/client-secp256k1-cert.pem
+++ b/certs/ecc/client-secp256k1-cert.pem
@@ -2,22 +2,22 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            3d:12:fd:a2:a8:15:63:d8:4e:3f:48:81:46:92:ae:65:f3:27:7f:f2
+            31:2e:ed:e8:4e:07:51:aa:45:ce:4e:4d:8b:7d:d9:53:24:cd:c0:ce
         Signature Algorithm: ecdsa-with-SHA256
         Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256K1-CLI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Oct 15 20:13:49 2020 GMT
-            Not After : Oct 13 20:13:49 2030 GMT
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Dec 18 23:07:24 2031 GMT
         Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256K1-CLI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
                 pub:
-                    04:d7:0d:0b:f1:0e:22:88:fe:fb:d5:e5:e1:09:a4:
-                    3e:90:76:b3:29:cb:d9:13:60:b7:ea:88:82:d7:8c:
-                    b6:db:21:dc:93:0f:e9:58:bb:c5:f2:a2:c2:f5:23:
-                    36:c5:d5:eb:24:a6:24:db:ee:02:b0:05:31:a6:33:
-                    1f:cd:79:82:10
+                    04:80:6c:01:93:26:6f:dd:fe:93:91:a1:4c:b9:df:
+                    0c:4b:e9:28:55:36:fc:71:2d:a6:55:65:3f:ac:96:
+                    90:67:80:d8:fb:79:f4:c0:7e:0f:3c:fa:15:1e:6e:
+                    ac:03:cf:29:50:8d:98:60:21:7d:6d:89:08:11:e2:
+                    44:7c:09:0d:e6
                 ASN1 OID: secp256k1
         X509v3 extensions:
             X509v3 Basic Constraints: 
@@ -25,33 +25,33 @@ Certificate:
             Netscape Cert Type: 
                 SSL Client, S/MIME
             X509v3 Subject Key Identifier: 
-                44:6A:D8:71:6D:AB:62:18:21:02:27:23:90:BF:1D:77:B6:79:4B:77
+                8B:F8:C3:8C:D6:A0:F9:D3:DA:85:3B:7E:4B:94:A1:F7:1A:82:E5:AA
             X509v3 Authority Key Identifier: 
-                keyid:44:6A:D8:71:6D:AB:62:18:21:02:27:23:90:BF:1D:77:B6:79:4B:77
+                keyid:8B:F8:C3:8C:D6:A0:F9:D3:DA:85:3B:7E:4B:94:A1:F7:1A:82:E5:AA
 
             X509v3 Key Usage: critical
                 Digital Signature, Non Repudiation, Key Encipherment
             X509v3 Extended Key Usage: 
                 TLS Web Client Authentication, E-mail Protection
     Signature Algorithm: ecdsa-with-SHA256
-         30:45:02:20:73:08:4a:18:d1:ad:81:f6:5c:59:27:da:36:9a:
-         cd:fb:4e:97:5a:58:b3:61:fe:b0:ec:7e:76:ca:0c:5a:d3:c1:
-         02:21:00:a5:05:b4:f5:2f:d3:bf:71:d4:0c:fb:bf:a0:64:0b:
-         cd:bb:18:ef:df:92:bc:5c:cc:6c:74:82:c8:52:5a:f6:46
+         30:46:02:21:00:ec:71:28:64:3a:65:f8:ed:66:d8:21:39:6b:
+         6f:d4:83:95:50:06:0b:83:ba:62:9c:2b:77:6f:ae:24:b8:f6:
+         7a:02:21:00:e8:ed:3d:7a:2c:64:53:ea:3a:f5:a8:ac:d1:0a:
+         6f:01:af:e4:82:fc:8d:90:dd:7c:5c:64:8d:82:60:2e:53:fb
 -----BEGIN CERTIFICATE-----
-MIICwjCCAmigAwIBAgIUPRL9oqgVY9hOP0iBRpKuZfMnf/IwCgYIKoZIzj0EAwIw
+MIICwzCCAmigAwIBAgIUMS7t6E4HUapFzk5Ni33ZUyTNwM4wCgYIKoZIzj0EAwIw
 gZgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
 ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRUwEwYDVQQLDAxFQ0MyNTZLMS1DTEkx
 GDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
-b2xmc3NsLmNvbTAeFw0yMDEwMTUyMDEzNDlaFw0zMDEwMTMyMDEzNDlaMIGYMQsw
+b2xmc3NsLmNvbTAeFw0yMTEyMjAyMzA3MjRaFw0zMTEyMTgyMzA3MjRaMIGYMQsw
 CQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRs
 ZTEQMA4GA1UECgwHRWxpcHRpYzEVMBMGA1UECwwMRUNDMjU2SzEtQ0xJMRgwFgYD
 VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
-bC5jb20wVjAQBgcqhkjOPQIBBgUrgQQACgNCAATXDQvxDiKI/vvV5eEJpD6QdrMp
-y9kTYLfqiILXjLbbIdyTD+lYu8XyosL1IzbF1eskpiTb7gKwBTGmMx/NeYIQo4GQ
-MIGNMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMB0GA1UdDgQWBBREathx
-batiGCECJyOQvx13tnlLdzAfBgNVHSMEGDAWgBREathxbatiGCECJyOQvx13tnlL
-dzAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwME
-MAoGCCqGSM49BAMCA0gAMEUCIHMIShjRrYH2XFkn2jaazftOl1pYs2H+sOx+dsoM
-WtPBAiEApQW09S/Tv3HUDPu/oGQLzbsY79+SvFzMbHSCyFJa9kY=
+bC5jb20wVjAQBgcqhkjOPQIBBgUrgQQACgNCAASAbAGTJm/d/pORoUy53wxL6ShV
+NvxxLaZVZT+slpBngNj7efTAfg88+hUebqwDzylQjZhgIX1tiQgR4kR8CQ3mo4GQ
+MIGNMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMB0GA1UdDgQWBBSL+MOM
+1qD509qFO35LlKH3GoLlqjAfBgNVHSMEGDAWgBSL+MOM1qD509qFO35LlKH3GoLl
+qjAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwME
+MAoGCCqGSM49BAMCA0kAMEYCIQDscShkOmX47WbYITlrb9SDlVAGC4O6Ypwrd2+u
+JLj2egIhAOjtPXosZFPqOvWorNEKbwGv5IL8jZDdfFxkjYJgLlP7
 -----END CERTIFICATE-----
diff --git a/certs/ecc/genecc.sh b/certs/ecc/genecc.sh
index 752440e5f..3ecb01092 100755
--- a/certs/ecc/genecc.sh
+++ b/certs/ecc/genecc.sh
@@ -12,9 +12,14 @@ echo 1000 > ./certs/ecc/serial
 echo 2000 > ./certs/ecc/crlnumber
 
 # generate ECC 256-bit CA
-openssl ecparam -out ./certs/ca-ecc-key.par -name prime256v1
-openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc-key.par -keyout ./certs/ca-ecc-key.pem -out ./certs/ca-ecc-cert.pem -sha256 \
+if [ -f ./certs/ca-ecc-key.pem ]; then
+    openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -key ./certs/ca-ecc-key.pem -out ./certs/ca-ecc-cert.pem -sha256 \
 	-days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
+else
+    openssl ecparam -out ./certs/ca-ecc-key.par -name prime256v1
+    openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc-key.par -keyout ./certs/ca-ecc-key.pem -out ./certs/ca-ecc-cert.pem -sha256 \
+	-days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
+fi
 
 openssl x509 -in ./certs/ca-ecc-cert.pem -inform PEM -out ./certs/ca-ecc-cert.der -outform DER
 openssl ec -in ./certs/ca-ecc-key.pem -inform PEM -out ./certs/ca-ecc-key.der -outform DER
@@ -22,7 +27,7 @@ openssl ec -in ./certs/ca-ecc-key.pem -inform PEM -out ./certs/ca-ecc-key.der -o
 rm ./certs/ca-ecc-key.par
 
 # Gen CA CRL
-openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEccCrl.pem -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem
+openssl ca -batch -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEccCrl.pem -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem
 
 
 
@@ -31,7 +36,7 @@ openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc-key.pe
 openssl x509 -req -in ./certs/server-ecc-req.pem -CA ./certs/ca-ecc-cert.pem -CAkey ./certs/ca-ecc-key.pem -CAcreateserial -out ./certs/server-ecc.pem -sha256
 
 # Sign server certificate
-openssl ca -config ./certs/ecc/wolfssl.cnf -extensions server_cert -days 3650 -notext -md sha256 -in ./certs/server-ecc-req.pem -out ./certs/server-ecc.pem
+openssl ca -batch -config ./certs/ecc/wolfssl.cnf -extensions server_cert -days 3650 -notext -md sha256 -in ./certs/server-ecc-req.pem -out ./certs/server-ecc.pem
 openssl x509 -in ./certs/server-ecc.pem -outform der -out ./certs/server-ecc.der
 
 # Generate ECC 256-bit self-signed server cert
@@ -43,9 +48,14 @@ rm ./certs/server-ecc-req.pem
 
 
 # generate ECC 384-bit CA
-openssl ecparam -out ./certs/ca-ecc384-key.par -name secp384r1
-openssl req -config ./certs/ecc/wolfssl_384.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc384-key.par -keyout ./certs/ca-ecc384-key.pem -out ./certs/ca-ecc384-cert.pem -sha384 \
+if [ -f ./certs/ca-ecc384-key.pem ]; then
+    openssl req -config ./certs/ecc/wolfssl_384.cnf -extensions v3_ca -x509 -nodes -key ./certs/ca-ecc384-key.pem -out ./certs/ca-ecc384-cert.pem -sha384 \
 	-days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
+else
+    openssl ecparam -out ./certs/ca-ecc384-key.par -name secp384r1
+    openssl req -config ./certs/ecc/wolfssl_384.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc384-key.par -keyout ./certs/ca-ecc384-key.pem -out ./certs/ca-ecc384-cert.pem -sha384 \
+	-days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
+fi
 
 openssl x509 -in ./certs/ca-ecc384-cert.pem -inform PEM -out ./certs/ca-ecc384-cert.der -outform DER
 openssl ec -in ./certs/ca-ecc384-key.pem -inform PEM -out ./certs/ca-ecc384-key.der -outform DER
@@ -53,35 +63,45 @@ openssl ec -in ./certs/ca-ecc384-key.pem -inform PEM -out ./certs/ca-ecc384-key.
 rm ./certs/ca-ecc384-key.par
 
 # Gen CA CRL
-openssl ca -config ./certs/ecc/wolfssl_384.cnf -gencrl -crldays 1000 -out ./certs/crl/caEcc384Crl.pem -keyfile ./certs/ca-ecc384-key.pem -cert ./certs/ca-ecc384-cert.pem
+openssl ca -batch -config ./certs/ecc/wolfssl_384.cnf -gencrl -crldays 1000 -out ./certs/crl/caEcc384Crl.pem -keyfile ./certs/ca-ecc384-key.pem -cert ./certs/ca-ecc384-cert.pem
 
 
 
 # Generate ECC 384-bit server cert
-openssl ecparam -out ./certs/server-ecc384-key.par -name secp384r1
-openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -x509 -nodes -newkey ec:./certs/server-ecc384-key.par -keyout ./certs/server-ecc384-key.pem -out ./certs/server-ecc384-req.pem \
+if [ -f ./certs/server-ecc384-key.pem ]; then
+    openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -x509 -nodes -key ./certs/server-ecc384-key.pem -out ./certs/server-ecc384-req.pem \
 	-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Srv/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+else
+    openssl ecparam -out ./certs/server-ecc384-key.par -name secp384r1
+    openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -x509 -nodes -newkey ec:./certs/server-ecc384-key.par -keyout ./certs/server-ecc384-key.pem -out ./certs/server-ecc384-req.pem \
+	-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Srv/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+fi
 openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -new -key ./certs/server-ecc384-key.pem -out ./certs/server-ecc384-req.pem \
 	-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Srv/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
 openssl ec -in ./certs/server-ecc384-key.pem -inform PEM -out ./certs/server-ecc384-key.der -outform DER
 
 # Sign server certificate
-openssl ca -config ./certs/ecc/wolfssl_384.cnf -extensions server_cert -days 10950 -notext -md sha384 -in ./certs/server-ecc384-req.pem -out ./certs/server-ecc384-cert.pem
+openssl ca -batch -config ./certs/ecc/wolfssl_384.cnf -extensions server_cert -days 10950 -notext -md sha384 -in ./certs/server-ecc384-req.pem -out ./certs/server-ecc384-cert.pem
 openssl x509 -in ./certs/server-ecc384-cert.pem -outform der -out ./certs/server-ecc384-cert.der
 
 rm ./certs/server-ecc384-req.pem 
 rm ./certs/server-ecc384-key.par
 
 # Generate ECC 384-bit client cert
-openssl ecparam -out ./certs/client-ecc384-key.par -name secp384r1
-openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -x509 -nodes -newkey ec:./certs/client-ecc384-key.par -keyout ./certs/client-ecc384-key.pem -out ./certs/client-ecc384-req.pem \
+if [ -f ./certs/client-ecc384-key.pem ]; then
+    openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -x509 -nodes -key ./certs/client-ecc384-key.pem -out ./certs/client-ecc384-req.pem \
 	-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Cli/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+else
+    openssl ecparam -out ./certs/client-ecc384-key.par -name secp384r1
+    openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -x509 -nodes -newkey ec:./certs/client-ecc384-key.par -keyout ./certs/client-ecc384-key.pem -out ./certs/client-ecc384-req.pem \
+	-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Cli/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+fi
 openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -new -key ./certs/client-ecc384-key.pem -out ./certs/client-ecc384-req.pem \
 	-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Clit/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
 openssl ec -in ./certs/client-ecc384-key.pem -inform PEM -out ./certs/client-ecc384-key.der -outform DER
 
 # Sign client certificate
-openssl ca -config ./certs/ecc/wolfssl_384.cnf -extensions usr_cert -days 10950 -notext -md sha384 -in ./certs/client-ecc384-req.pem -out ./certs/client-ecc384-cert.pem
+openssl ca -batch -config ./certs/ecc/wolfssl_384.cnf -extensions usr_cert -days 10950 -notext -md sha384 -in ./certs/client-ecc384-req.pem -out ./certs/client-ecc384-cert.pem
 openssl x509 -in ./certs/client-ecc384-cert.pem -outform der -out ./certs/client-ecc384-cert.der
 
 rm ./certs/client-ecc384-req.pem 
@@ -121,8 +141,21 @@ openssl x509 -inform pem -in ./certs/ecc/client-bp256r1-cert.pem -outform der -o
 rm ./certs/ecc/client-bp256r1-req.pem
 
 
-# Also manually need to:
-# 1. Copy ./certs/server-ecc.der into ./certs/test/server-cert-ecc-badsig.der `cp ./certs/server-ecc.der ./certs/test/server-cert-ecc-badsig.der`
-# 2. Modify last byte so its invalidates signature in ./certs/test/server-cert-ecc-badsig.der
-# 3. Covert bad cert to pem `openssl x509 -inform der -in ./certs/test/server-cert-ecc-badsig.der -outform pem -out ./certs/test/server-cert-ecc-badsig.pem`
-# 4. Update AKID's for CA's in test.c certext_test() function akid_ecc.
+# update bad certificate with last byte in signature changed
+cp ./certs/server-ecc.der ./certs/test/server-cert-ecc-badsig.der
+sed '$s/.$/W/' ./certs/test/server-cert-ecc-badsig.der >> ./certs/test/server-cert-ecc-badsig-altered.der 
+mv ./certs/test/server-cert-ecc-badsig-altered.der ./certs/test/server-cert-ecc-badsig.der
+openssl x509 -inform der -in ./certs/test/server-cert-ecc-badsig.der -outform pem -out ./certs/test/server-cert-ecc-badsig.pem
+
+rm ./certs/ecc/*.old
+rm ./certs/ecc/index.txt*
+rm ./certs/ecc/serial
+rm ./certs/ecc/crlnumber
+rm ./certs/ecc/index.txt
+
+rm ./certs/1000.pem
+rm ./certs/1001.pem
+rm ./certs/1002.pem
+rm ./certs/ca-ecc-cert.srl
+
+exit 0
diff --git a/certs/ecc/secp256k1-key.der b/certs/ecc/secp256k1-key.der
index 6a80d8bdf..5aa6b5707 100644
Binary files a/certs/ecc/secp256k1-key.der and b/certs/ecc/secp256k1-key.der differ
diff --git a/certs/ecc/secp256k1-key.pem b/certs/ecc/secp256k1-key.pem
index be4b4889a..a87ff46b1 100644
--- a/certs/ecc/secp256k1-key.pem
+++ b/certs/ecc/secp256k1-key.pem
@@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHQCAQEEILlFjaVww/Q8MLWZOcmS3ZCx3VCJWWoNXxRYRA3e4IApoAcGBSuBBAAK
-oUQDQgAE1w0L8Q4iiP771eXhCaQ+kHazKcvZE2C36oiC14y22yHckw/pWLvF8qLC
-9SM2xdXrJKYk2+4CsAUxpjMfzXmCEA==
+MHQCAQEEINaB0efSCjrBHSOrZ65ejqPTifCPI0r9xzblb5sBwawPoAcGBSuBBAAK
+oUQDQgAEgGwBkyZv3f6TkaFMud8MS+koVTb8cS2mVWU/rJaQZ4DY+3n0wH4PPPoV
+Hm6sA88pUI2YYCF9bYkIEeJEfAkN5g==
 -----END EC PRIVATE KEY-----
diff --git a/certs/ecc/server-bp256r1-cert.der b/certs/ecc/server-bp256r1-cert.der
index 2115e0572..be0c1e5fc 100644
Binary files a/certs/ecc/server-bp256r1-cert.der and b/certs/ecc/server-bp256r1-cert.der differ
diff --git a/certs/ecc/server-bp256r1-cert.pem b/certs/ecc/server-bp256r1-cert.pem
index 217d21c55..ae45aad26 100644
--- a/certs/ecc/server-bp256r1-cert.pem
+++ b/certs/ecc/server-bp256r1-cert.pem
@@ -2,22 +2,22 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            2f:f8:fa:8b:cf:ec:8f:2c:bc:40:fb:95:a0:3e:04:db:dd:c5:7f:08
+            75:8b:6b:62:1b:10:fb:a0:c1:e3:79:bf:0a:2e:15:12:89:6f:df:a7
         Signature Algorithm: ecdsa-with-SHA256
         Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256BPR1-SRV, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Oct 15 20:13:55 2020 GMT
-            Not After : Oct 13 20:13:55 2030 GMT
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Dec 18 23:07:24 2031 GMT
         Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256BPR1-SRV, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
                 pub:
-                    04:2e:ef:27:cb:57:3a:dc:62:25:b6:b5:42:5c:ee:
-                    29:56:e3:a8:ce:86:6e:44:52:23:15:c8:43:c0:62:
-                    10:16:1e:4a:cb:88:d0:75:e0:38:6b:80:84:64:9f:
-                    70:aa:d8:bb:33:90:c1:db:81:46:ae:e9:81:c9:03:
-                    69:b5:ce:ad:eb
+                    04:9d:08:dc:59:b7:10:5d:e4:58:7e:aa:62:dd:7a:
+                    89:69:d2:b5:18:28:5d:22:31:7c:6f:a5:bb:31:90:
+                    42:20:ed:9c:29:ea:4a:74:33:a1:93:4f:9a:26:72:
+                    61:1c:4b:72:39:9f:ac:63:d5:b2:42:df:0e:b4:f2:
+                    7e:c7:48:eb:0c
                 ASN1 OID: brainpoolP256r1
         X509v3 extensions:
             X509v3 Basic Constraints: 
@@ -25,39 +25,39 @@ Certificate:
             Netscape Cert Type: 
                 SSL Server
             X509v3 Subject Key Identifier: 
-                B4:1B:3B:4F:65:F2:BF:9E:8A:8F:E3:33:96:44:1F:67:EA:B3:34:D5
+                CF:BD:08:4A:BF:DC:D1:7C:E9:D9:FE:E8:3B:FA:84:63:07:7C:88:DB
             X509v3 Authority Key Identifier: 
-                keyid:B4:1B:3B:4F:65:F2:BF:9E:8A:8F:E3:33:96:44:1F:67:EA:B3:34:D5
+                keyid:CF:BD:08:4A:BF:DC:D1:7C:E9:D9:FE:E8:3B:FA:84:63:07:7C:88:DB
                 DirName:/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256BPR1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:2F:F8:FA:8B:CF:EC:8F:2C:BC:40:FB:95:A0:3E:04:DB:DD:C5:7F:08
+                serial:75:8B:6B:62:1B:10:FB:A0:C1:E3:79:BF:0A:2E:15:12:89:6F:DF:A7
 
             X509v3 Key Usage: critical
                 Digital Signature, Key Encipherment, Key Agreement
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication
     Signature Algorithm: ecdsa-with-SHA256
-         30:45:02:21:00:81:37:b3:f7:a7:e7:9d:1b:62:3f:25:20:02:
-         45:93:45:5c:91:23:1b:8b:bc:09:0c:f7:ef:51:29:a4:90:ec:
-         91:02:20:74:dd:26:c3:eb:24:e1:33:ce:b4:c6:f8:5f:9f:99:
-         6d:2b:9a:ee:ac:33:d8:08:29:19:3c:00:f1:83:de:a6:af
+         30:44:02:20:1e:54:83:c9:5c:94:38:fe:e8:f4:e6:51:cb:b9:
+         af:85:bc:97:e6:c1:09:3d:c7:bc:39:74:4e:b8:aa:ea:53:2c:
+         02:20:6e:89:c2:33:5a:13:13:32:0e:51:93:a4:5d:08:b0:14:
+         98:42:db:00:80:9e:0a:1f:de:19:8e:6c:80:bb:37:12
 -----BEGIN CERTIFICATE-----
-MIIDfjCCAySgAwIBAgIUL/j6i8/sjyy8QPuVoD4E293FfwgwCgYIKoZIzj0EAwIw
+MIIDfTCCAySgAwIBAgIUdYtrYhsQ+6DB43m/Ci4VEolv36cwCgYIKoZIzj0EAwIw
 gZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
 ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcwFQYDVQQLDA5FQ0MyNTZCUFIxLVNS
 VjEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZv
-QHdvbGZzc2wuY29tMB4XDTIwMTAxNTIwMTM1NVoXDTMwMTAxMzIwMTM1NVowgZox
+QHdvbGZzc2wuY29tMB4XDTIxMTIyMDIzMDcyNFoXDTMxMTIxODIzMDcyNFowgZox
 CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0
 dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcwFQYDVQQLDA5FQ0MyNTZCUFIxLVNSVjEY
 MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
-bGZzc2wuY29tMFowFAYHKoZIzj0CAQYJKyQDAwIIAQEHA0IABC7vJ8tXOtxiJba1
-QlzuKVbjqM6GbkRSIxXIQ8BiEBYeSsuI0HXgOGuAhGSfcKrYuzOQwduBRq7pgckD
-abXOreujggFDMIIBPzAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAdBgNV
-HQ4EFgQUtBs7T2Xyv56Kj+MzlkQfZ+qzNNUwgdoGA1UdIwSB0jCBz4AUtBs7T2Xy
-v56Kj+MzlkQfZ+qzNNWhgaCkgZ0wgZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApX
+bGZzc2wuY29tMFowFAYHKoZIzj0CAQYJKyQDAwIIAQEHA0IABJ0I3Fm3EF3kWH6q
+Yt16iWnStRgoXSIxfG+luzGQQiDtnCnqSnQzoZNPmiZyYRxLcjmfrGPVskLfDrTy
+fsdI6wyjggFDMIIBPzAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAdBgNV
+HQ4EFgQUz70ISr/c0Xzp2f7oO/qEYwd8iNswgdoGA1UdIwSB0jCBz4AUz70ISr/c
+0Xzp2f7oO/qEYwd8iNuhgaCkgZ0wgZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApX
 YXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcw
 FQYDVQQLDA5FQ0MyNTZCUFIxLVNSVjEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
-MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tghQv+PqLz+yPLLxA+5Wg
-PgTb3cV/CDAOBgNVHQ8BAf8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYI
-KoZIzj0EAwIDSAAwRQIhAIE3s/en550bYj8lIAJFk0VckSMbi7wJDPfvUSmkkOyR
-AiB03SbD6yThM860xvhfn5ltK5rurDPYCCkZPADxg96mrw==
+MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tghR1i2tiGxD7oMHjeb8K
+LhUSiW/fpzAOBgNVHQ8BAf8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYI
+KoZIzj0EAwIDRwAwRAIgHlSDyVyUOP7o9OZRy7mvhbyX5sEJPce8OXROuKrqUywC
+IG6JwjNaExMyDlGTpF0IsBSYQtsAgJ4KH94ZjmyAuzcS
 -----END CERTIFICATE-----
diff --git a/certs/ecc/server-secp256k1-cert.der b/certs/ecc/server-secp256k1-cert.der
index 19f9ec7e8..843844786 100644
Binary files a/certs/ecc/server-secp256k1-cert.der and b/certs/ecc/server-secp256k1-cert.der differ
diff --git a/certs/ecc/server-secp256k1-cert.pem b/certs/ecc/server-secp256k1-cert.pem
index bc8d1952f..f56b0efee 100644
--- a/certs/ecc/server-secp256k1-cert.pem
+++ b/certs/ecc/server-secp256k1-cert.pem
@@ -2,22 +2,22 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            60:d5:b7:78:ff:06:14:3b:1e:c5:ba:8b:dd:5e:67:b2:16:aa:b2:c7
+            22:6c:c8:6f:6c:60:63:40:fd:5c:fd:f5:59:dd:76:ed:b4:fa:48:2b
         Signature Algorithm: ecdsa-with-SHA256
         Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256K1-SRV, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Oct 15 20:13:46 2020 GMT
-            Not After : Oct 13 20:13:46 2030 GMT
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Dec 18 23:07:24 2031 GMT
         Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256K1-SRV, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
                 pub:
-                    04:d7:0d:0b:f1:0e:22:88:fe:fb:d5:e5:e1:09:a4:
-                    3e:90:76:b3:29:cb:d9:13:60:b7:ea:88:82:d7:8c:
-                    b6:db:21:dc:93:0f:e9:58:bb:c5:f2:a2:c2:f5:23:
-                    36:c5:d5:eb:24:a6:24:db:ee:02:b0:05:31:a6:33:
-                    1f:cd:79:82:10
+                    04:80:6c:01:93:26:6f:dd:fe:93:91:a1:4c:b9:df:
+                    0c:4b:e9:28:55:36:fc:71:2d:a6:55:65:3f:ac:96:
+                    90:67:80:d8:fb:79:f4:c0:7e:0f:3c:fa:15:1e:6e:
+                    ac:03:cf:29:50:8d:98:60:21:7d:6d:89:08:11:e2:
+                    44:7c:09:0d:e6
                 ASN1 OID: secp256k1
         X509v3 extensions:
             X509v3 Basic Constraints: 
@@ -25,39 +25,39 @@ Certificate:
             Netscape Cert Type: 
                 SSL Server
             X509v3 Subject Key Identifier: 
-                44:6A:D8:71:6D:AB:62:18:21:02:27:23:90:BF:1D:77:B6:79:4B:77
+                8B:F8:C3:8C:D6:A0:F9:D3:DA:85:3B:7E:4B:94:A1:F7:1A:82:E5:AA
             X509v3 Authority Key Identifier: 
-                keyid:44:6A:D8:71:6D:AB:62:18:21:02:27:23:90:BF:1D:77:B6:79:4B:77
+                keyid:8B:F8:C3:8C:D6:A0:F9:D3:DA:85:3B:7E:4B:94:A1:F7:1A:82:E5:AA
                 DirName:/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256K1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:60:D5:B7:78:FF:06:14:3B:1E:C5:BA:8B:DD:5E:67:B2:16:AA:B2:C7
+                serial:22:6C:C8:6F:6C:60:63:40:FD:5C:FD:F5:59:DD:76:ED:B4:FA:48:2B
 
             X509v3 Key Usage: critical
                 Digital Signature, Key Encipherment, Key Agreement
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication
     Signature Algorithm: ecdsa-with-SHA256
-         30:44:02:20:01:71:b5:5f:e4:5b:b7:95:b4:59:9a:b0:dc:ef:
-         64:01:76:ef:04:07:d8:b4:44:e5:db:86:e4:05:8c:c1:22:19:
-         02:20:3e:93:fb:30:f9:4c:89:39:35:df:b3:79:d5:29:bb:2b:
-         08:84:8a:f8:55:7c:f9:68:d6:2c:11:28:af:a9:33:0f
+         30:45:02:20:62:78:c9:93:9b:1b:e3:79:52:4a:e2:73:33:c3:
+         40:3d:9b:cf:f4:11:08:57:d5:3d:b4:e5:0b:27:5b:d6:24:68:
+         02:21:00:c3:da:cf:12:2b:f6:c1:29:ec:6e:7f:1d:da:8e:4e:
+         02:8e:7e:94:73:71:6a:45:76:f0:3b:20:3b:8d:cc:15:cc
 -----BEGIN CERTIFICATE-----
-MIIDczCCAxqgAwIBAgIUYNW3eP8GFDsexbqL3V5nshaqsscwCgYIKoZIzj0EAwIw
+MIIDdDCCAxqgAwIBAgIUImzIb2xgY0D9XP31Wd127bT6SCswCgYIKoZIzj0EAwIw
 gZgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
 ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRUwEwYDVQQLDAxFQ0MyNTZLMS1TUlYx
 GDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
-b2xmc3NsLmNvbTAeFw0yMDEwMTUyMDEzNDZaFw0zMDEwMTMyMDEzNDZaMIGYMQsw
+b2xmc3NsLmNvbTAeFw0yMTEyMjAyMzA3MjRaFw0zMTEyMTgyMzA3MjRaMIGYMQsw
 CQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRs
 ZTEQMA4GA1UECgwHRWxpcHRpYzEVMBMGA1UECwwMRUNDMjU2SzEtU1JWMRgwFgYD
 VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
-bC5jb20wVjAQBgcqhkjOPQIBBgUrgQQACgNCAATXDQvxDiKI/vvV5eEJpD6QdrMp
-y9kTYLfqiILXjLbbIdyTD+lYu8XyosL1IzbF1eskpiTb7gKwBTGmMx/NeYIQo4IB
-QTCCAT0wCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwHQYDVR0OBBYEFERq
-2HFtq2IYIQInI5C/HXe2eUt3MIHYBgNVHSMEgdAwgc2AFERq2HFtq2IYIQInI5C/
-HXe2eUt3oYGepIGbMIGYMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3Rv
+bC5jb20wVjAQBgcqhkjOPQIBBgUrgQQACgNCAASAbAGTJm/d/pORoUy53wxL6ShV
+NvxxLaZVZT+slpBngNj7efTAfg88+hUebqwDzylQjZhgIX1tiQgR4kR8CQ3mo4IB
+QTCCAT0wCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwHQYDVR0OBBYEFIv4
+w4zWoPnT2oU7fkuUofcaguWqMIHYBgNVHSMEgdAwgc2AFIv4w4zWoPnT2oU7fkuU
+ofcaguWqoYGepIGbMIGYMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3Rv
 bjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UECgwHRWxpcHRpYzEVMBMGA1UECwwM
 RUNDMjU2SzEtU1JWMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG
-9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFGDVt3j/BhQ7HsW6i91eZ7IWqrLHMA4G
-A1UdDwEB/wQEAwIDqDATBgNVHSUEDDAKBggrBgEFBQcDATAKBggqhkjOPQQDAgNH
-ADBEAiABcbVf5Fu3lbRZmrDc72QBdu8EB9i0ROXbhuQFjMEiGQIgPpP7MPlMiTk1
-37N51Sm7KwiEivhVfPlo1iwRKK+pMw8=
+9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFCJsyG9sYGNA/Vz99Vnddu20+kgrMA4G
+A1UdDwEB/wQEAwIDqDATBgNVHSUEDDAKBggrBgEFBQcDATAKBggqhkjOPQQDAgNI
+ADBFAiBieMmTmxvjeVJK4nMzw0A9m8/0EQhX1T205QsnW9YkaAIhAMPazxIr9sEp
+7G5/HdqOTgKOfpRzcWpFdvA7IDuNzBXM
 -----END CERTIFICATE-----
diff --git a/certs/ed25519/ca-ed25519.der b/certs/ed25519/ca-ed25519.der
index d46aa7926..f20249325 100644
Binary files a/certs/ed25519/ca-ed25519.der and b/certs/ed25519/ca-ed25519.der differ
diff --git a/certs/ed25519/ca-ed25519.pem b/certs/ed25519/ca-ed25519.pem
index 7b645aaf3..eb206841e 100644
--- a/certs/ed25519/ca-ed25519.pem
+++ b/certs/ed25519/ca-ed25519.pem
@@ -5,8 +5,8 @@ Certificate:
         Signature Algorithm: ED25519
         Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_Ed25519, OU = Root-Ed25519, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Mar 10 06:49:03 2021 GMT
-            Not After : Dec  5 06:49:03 2023 GMT
+            Not Before: Dec 21 16:49:35 2021 GMT
+            Not After : Sep 16 16:49:35 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_ed25519, OU = CA-ed25519, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: ED25519
@@ -26,22 +26,22 @@ Certificate:
             X509v3 Key Usage: critical
                 Digital Signature, Certificate Sign, CRL Sign
     Signature Algorithm: ED25519
-         da:fe:58:53:89:43:85:98:35:dc:13:1c:a3:f1:1f:8d:26:be:
-         b6:a2:fc:b7:fe:9c:b9:35:69:31:7e:d4:b9:11:45:16:a2:29:
-         35:a9:74:a7:97:da:7e:71:4f:b1:72:5d:75:17:ac:e3:f6:b8:
-         ce:1e:e4:8a:95:ba:cd:1d:ce:0d
+         71:66:ff:a7:fc:b9:fa:03:85:13:28:80:46:5b:22:84:1c:a2:
+         b8:f1:f4:85:83:66:4b:a2:44:8c:63:04:ba:3f:59:e1:ba:b3:
+         03:16:70:85:05:5d:50:20:29:69:7c:5b:82:25:31:c3:79:7e:
+         9a:eb:86:be:dc:33:e1:e0:57:0e
 -----BEGIN CERTIFICATE-----
 MIICTDCCAf6gAwIBAgIBATAFBgMrZXAwgZ0xCzAJBgNVBAYTAlVTMRAwDgYDVQQI
 DAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRgwFgYDVQQKDA93b2xmU1NMX0Vk
 MjU1MTkxFTATBgNVBAsMDFJvb3QtRWQyNTUxOTEYMBYGA1UEAwwPd3d3LndvbGZz
-c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMDMx
-MDA2NDkwM1oXDTIzMTIwNTA2NDkwM1owgZsxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
+c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMTIy
+MTE2NDkzNVoXDTI0MDkxNjE2NDkzNVowgZsxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
 DAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRgwFgYDVQQKDA93b2xmU1NMX2Vk
 MjU1MTkxEzARBgNVBAsMCkNBLWVkMjU1MTkxGDAWBgNVBAMMD3d3dy53b2xmc3Ns
 LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAqMAUGAytlcAMh
 AEI7evmCz/nfGd3z8DIpbfr9dk9owsLgbEeuwlVorA1No2MwYTAdBgNVHQ4EFgQU
 dNU4GV6DuQP4AYo1NbuJTEm0I+kwHwYDVR0jBBgwFoAU+rpbdh3xHR1NdEjYmDtW
 77MU894wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwBQYDK2VwA0EA
-2v5YU4lDhZg13BMco/EfjSa+tqL8t/6cuTVpMX7UuRFFFqIpNal0p5fafnFPsXJd
-dRes4/a4zh7kipW6zR3ODQ==
+cWb/p/y5+gOFEyiARlsihByiuPH0hYNmS6JEjGMEuj9Z4bqzAxZwhQVdUCApaXxb
+giUxw3l+muuGvtwz4eBXDg==
 -----END CERTIFICATE-----
diff --git a/certs/ed25519/client-ed25519.der b/certs/ed25519/client-ed25519.der
index adfdaa58e..7f11a86e2 100644
Binary files a/certs/ed25519/client-ed25519.der and b/certs/ed25519/client-ed25519.der differ
diff --git a/certs/ed25519/client-ed25519.pem b/certs/ed25519/client-ed25519.pem
index 809742d6b..015f7d77f 100644
--- a/certs/ed25519/client-ed25519.pem
+++ b/certs/ed25519/client-ed25519.pem
@@ -2,12 +2,12 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            40:66:c6:11:bc:00:f8:51:f9:e4:4b:bb:0b:ad:c1:09:38:b0:4a:e4
+            07:ff:95:e7:9e:2d:2d:16:1a:5d:bc:8e:44:4c:1e:0f:7c:c1:1b:73
         Signature Algorithm: ED25519
         Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_ed25519, OU = Client-ed25519, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Mar 10 06:49:03 2021 GMT
-            Not After : Dec  5 06:49:03 2023 GMT
+            Not Before: Dec 21 16:49:35 2021 GMT
+            Not After : Sep 16 16:49:35 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_ed25519, OU = Client-ed25519, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: ED25519
@@ -22,7 +22,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:FE:41:5E:3E:81:E2:2E:46:B3:3E:47:89:90:D4:C2:B4:8E:11:D6:8A
                 DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_ed25519/OU=Client-ed25519/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:40:66:C6:11:BC:00:F8:51:F9:E4:4B:BB:0B:AD:C1:09:38:B0:4A:E4
+                serial:07:FF:95:E7:9E:2D:2D:16:1A:5D:BC:8E:44:4C:1E:0F:7C:C1:1B:73
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -31,16 +31,16 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: ED25519
-         e0:87:e2:ce:d3:87:77:9d:f7:44:c0:73:00:ff:07:6d:2e:90:
-         90:5c:bf:30:46:9c:75:a9:48:50:8a:da:09:0f:a8:a8:04:b4:
-         33:c8:f4:28:61:9e:c2:a5:19:b7:70:1e:69:cd:49:5c:9a:f3:
-         81:e0:de:38:b3:37:ff:33:bb:07
+         56:16:bb:d9:a4:39:84:64:21:ad:ca:36:aa:3f:01:97:7d:6d:
+         9b:49:8b:5b:ce:f0:f1:66:81:fb:f2:3f:86:02:f3:da:ea:20:
+         76:ed:5b:08:28:c9:a9:c1:af:82:3f:bb:fe:24:04:6e:5d:f7:
+         bd:b7:bb:52:cd:79:a3:ed:aa:01
 -----BEGIN CERTIFICATE-----
-MIIDVDCCAwagAwIBAgIUQGbGEbwA+FH55Eu7C63BCTiwSuQwBQYDK2VwMIGfMQsw
+MIIDVDCCAwagAwIBAgIUB/+V554tLRYaXbyOREweD3zBG3MwBQYDK2VwMIGfMQsw
 CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEY
 MBYGA1UECgwPd29sZlNTTF9lZDI1NTE5MRcwFQYDVQQLDA5DbGllbnQtZWQyNTUx
 OTEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZv
-QHdvbGZzc2wuY29tMB4XDTIxMDMxMDA2NDkwM1oXDTIzMTIwNTA2NDkwM1owgZ8x
+QHdvbGZzc2wuY29tMB4XDTIxMTIyMTE2NDkzNVoXDTI0MDkxNjE2NDkzNVowgZ8x
 CzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFu
 MRgwFgYDVQQKDA93b2xmU1NMX2VkMjU1MTkxFzAVBgNVBAsMDkNsaWVudC1lZDI1
 NTE5MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGlu
@@ -50,8 +50,8 @@ ijCB3wYDVR0jBIHXMIHUgBT+QV4+geIuRrM+R4mQ1MK0jhHWiqGBpaSBojCBnzEL
 MAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4x
 GDAWBgNVBAoMD3dvbGZTU0xfZWQyNTUxOTEXMBUGA1UECwwOQ2xpZW50LWVkMjU1
 MTkxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5m
-b0B3b2xmc3NsLmNvbYIUQGbGEbwA+FH55Eu7C63BCTiwSuQwDAYDVR0TBAUwAwEB
+b0B3b2xmc3NsLmNvbYIUB/+V554tLRYaXbyOREweD3zBG3MwDAYDVR0TBAUwAwEB
 /zAcBgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATAdBgNVHSUEFjAUBggrBgEF
-BQcDAQYIKwYBBQUHAwIwBQYDK2VwA0EA4IfiztOHd533RMBzAP8HbS6QkFy/MEac
-dalIUIraCQ+oqAS0M8j0KGGewqUZt3Aeac1JXJrzgeDeOLM3/zO7Bw==
+BQcDAQYIKwYBBQUHAwIwBQYDK2VwA0EAVha72aQ5hGQhrco2qj8Bl31tm0mLW87w
+8WaB+/I/hgLz2uogdu1bCCjJqcGvgj+7/iQEbl33vbe7Us15o+2qAQ==
 -----END CERTIFICATE-----
diff --git a/certs/ed25519/gen-ed25519-certs.sh b/certs/ed25519/gen-ed25519-certs.sh
index 1e25707ee..b945e49b6 100755
--- a/certs/ed25519/gen-ed25519-certs.sh
+++ b/certs/ed25519/gen-ed25519-certs.sh
@@ -91,7 +91,7 @@ echo ""
 echo -e "US\\nMontana\\nBozeman\\nwolfSSL_ed25519\\nClient-ed25519\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key client-ed25519-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out client-ed25519.csr
 check_result $? "Generate request"
 
-openssl x509 -req -in client-ed25519.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions client_ecc -signkey client-ed25519-priv.pem -out client-ed25519.pem
+openssl x509 -req -in client-ed25519.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions wolfssl_opts -signkey client-ed25519-priv.pem -out client-ed25519.pem
 check_result $? "Generate certificate"
 rm client-ed25519.csr
 
diff --git a/certs/ed25519/root-ed25519.der b/certs/ed25519/root-ed25519.der
index 76117a27e..4cb192815 100644
Binary files a/certs/ed25519/root-ed25519.der and b/certs/ed25519/root-ed25519.der differ
diff --git a/certs/ed25519/root-ed25519.pem b/certs/ed25519/root-ed25519.pem
index 05720a367..72e576ed5 100644
--- a/certs/ed25519/root-ed25519.pem
+++ b/certs/ed25519/root-ed25519.pem
@@ -2,12 +2,12 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            3c:8f:b8:f9:5c:f1:81:97:76:e0:cc:04:c6:f6:77:7b:4f:92:4c:c6
+            48:99:05:65:a6:02:5b:73:45:4c:6b:a0:0a:18:57:5d:b0:30:69:62
         Signature Algorithm: ED25519
         Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_Ed25519, OU = Root-Ed25519, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Mar 10 06:49:03 2021 GMT
-            Not After : Dec  5 06:49:03 2023 GMT
+            Not Before: Dec 21 16:49:35 2021 GMT
+            Not After : Sep 16 16:49:35 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_Ed25519, OU = Root-Ed25519, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: ED25519
@@ -27,22 +27,22 @@ Certificate:
             X509v3 Key Usage: critical
                 Digital Signature, Certificate Sign, CRL Sign
     Signature Algorithm: ED25519
-         44:f7:5d:ad:c0:68:5e:0c:af:c5:dd:da:a4:f9:34:4f:33:4f:
-         b3:db:bb:b6:36:67:f4:4d:63:a5:61:e8:b8:98:b7:e7:d3:52:
-         8b:fb:ca:61:97:db:34:55:63:a8:27:e8:22:16:b6:a9:f1:8d:
-         0e:f8:d1:56:08:45:b6:40:d9:09
+         9c:34:61:81:c1:f4:69:a7:f7:5f:da:3d:d4:14:52:38:65:50:
+         78:80:74:e7:ca:28:4b:d1:69:11:b7:c1:b7:2b:8b:6d:09:44:
+         fe:a1:a4:71:0a:03:23:38:a8:18:b5:2e:8a:0f:c3:8a:d2:42:
+         72:96:18:64:3d:b7:80:68:50:08
 -----BEGIN CERTIFICATE-----
-MIICYTCCAhOgAwIBAgIUPI+4+VzxgZd24MwExvZ3e0+STMYwBQYDK2VwMIGdMQsw
+MIICYTCCAhOgAwIBAgIUSJkFZaYCW3NFTGugChhXXbAwaWIwBQYDK2VwMIGdMQsw
 CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEY
 MBYGA1UECgwPd29sZlNTTF9FZDI1NTE5MRUwEwYDVQQLDAxSb290LUVkMjU1MTkx
 GDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
-b2xmc3NsLmNvbTAeFw0yMTAzMTAwNjQ5MDNaFw0yMzEyMDUwNjQ5MDNaMIGdMQsw
+b2xmc3NsLmNvbTAeFw0yMTEyMjExNjQ5MzVaFw0yNDA5MTYxNjQ5MzVaMIGdMQsw
 CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEY
 MBYGA1UECgwPd29sZlNTTF9FZDI1NTE5MRUwEwYDVQQLDAxSb290LUVkMjU1MTkx
 GDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
 b2xmc3NsLmNvbTAqMAUGAytlcAMhAOmzb3xwiqvKVCBOZHY8Gk/3+l5K//PbuWQt
 EKUMWj/ao2MwYTAdBgNVHQ4EFgQU+rpbdh3xHR1NdEjYmDtW77MU894wHwYDVR0j
 BBgwFoAU+rpbdh3xHR1NdEjYmDtW77MU894wDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAYYwBQYDK2VwA0EARPddrcBoXgyvxd3apPk0TzNPs9u7tjZn9E1j
-pWHouJi359NSi/vKYZfbNFVjqCfoIha2qfGNDvjRVghFtkDZCQ==
+HQ8BAf8EBAMCAYYwBQYDK2VwA0EAnDRhgcH0aaf3X9o91BRSOGVQeIB058ooS9Fp
+EbfBtyuLbQlE/qGkcQoDIzioGLUuig/DitJCcpYYZD23gGhQCA==
 -----END CERTIFICATE-----
diff --git a/certs/ed25519/server-ed25519-cert.pem b/certs/ed25519/server-ed25519-cert.pem
index 2006b538d..e629875b5 100644
--- a/certs/ed25519/server-ed25519-cert.pem
+++ b/certs/ed25519/server-ed25519-cert.pem
@@ -5,8 +5,8 @@ Certificate:
         Signature Algorithm: ED25519
         Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_ed25519, OU = CA-ed25519, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Mar 10 06:49:03 2021 GMT
-            Not After : Dec  5 06:49:03 2023 GMT
+            Not Before: Dec 21 16:49:35 2021 GMT
+            Not After : Sep 16 16:49:35 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_ed25519, OU = Server-ed25519, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: ED25519
@@ -30,23 +30,23 @@ Certificate:
             Netscape Cert Type: 
                 SSL Server
     Signature Algorithm: ED25519
-         f3:c2:ef:8b:55:65:4f:bc:e3:df:fc:d8:a1:ad:8e:43:07:73:
-         c8:58:c3:46:0a:c1:f1:4d:3f:fb:3d:78:e6:76:58:26:ce:d7:
-         59:55:ec:c5:b5:b4:05:ed:f9:d4:97:69:66:d6:2c:1b:43:5a:
-         51:5c:be:10:28:95:c4:96:af:00
+         64:65:b1:5a:3b:18:07:36:42:ea:95:c9:de:96:59:04:cc:65:
+         8a:5a:97:ee:a5:94:06:66:f6:b8:78:68:d1:c1:9f:3f:5c:71:
+         4d:81:1e:80:ec:c2:52:44:b4:1f:d7:90:ad:84:37:a1:dd:c1:
+         f8:ae:fa:c2:92:4f:38:7d:b0:0c
 -----BEGIN CERTIFICATE-----
 MIICdTCCAiegAwIBAgIBATAFBgMrZXAwgZsxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
 DAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRgwFgYDVQQKDA93b2xmU1NMX2Vk
 MjU1MTkxEzARBgNVBAsMCkNBLWVkMjU1MTkxGDAWBgNVBAMMD3d3dy53b2xmc3Ns
-LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0yMTAzMTAw
-NjQ5MDNaFw0yMzEyMDUwNjQ5MDNaMIGfMQswCQYDVQQGEwJVUzEQMA4GA1UECAwH
+LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0yMTEyMjEx
+NjQ5MzVaFw0yNDA5MTYxNjQ5MzVaMIGfMQswCQYDVQQGEwJVUzEQMA4GA1UECAwH
 TW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEYMBYGA1UECgwPd29sZlNTTF9lZDI1
 NTE5MRcwFQYDVQQLDA5TZXJ2ZXItZWQyNTUxOTEYMBYGA1UEAwwPd3d3LndvbGZz
 c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMCowBQYDK2Vw
 AyEAI6pNYFDgE9M67av2qcxK/tdNL9JbGhAF71pBJc4bU3ijgYkwgYYwHQYDVR0O
 BBYEFKMpgeeQb7lg+K/MFXqu16H0tIa6MB8GA1UdIwQYMBaAFHTVOBleg7kD+AGK
 NTW7iUxJtCPpMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgOoMBMGA1UdJQQM
-MAoGCCsGAQUFBwMBMBEGCWCGSAGG+EIBAQQEAwIGQDAFBgMrZXADQQDzwu+LVWVP
-vOPf/NihrY5DB3PIWMNGCsHxTT/7PXjmdlgmztdZVezFtbQF7fnUl2lm1iwbQ1pR
-XL4QKJXElq8A
+MAoGCCsGAQUFBwMBMBEGCWCGSAGG+EIBAQQEAwIGQDAFBgMrZXADQQBkZbFaOxgH
+NkLqlcnellkEzGWKWpfupZQGZva4eGjRwZ8/XHFNgR6A7MJSRLQf15CthDeh3cH4
+rvrCkk84fbAM
 -----END CERTIFICATE-----
diff --git a/certs/ed25519/server-ed25519.der b/certs/ed25519/server-ed25519.der
index dbc551d44..117225652 100644
Binary files a/certs/ed25519/server-ed25519.der and b/certs/ed25519/server-ed25519.der differ
diff --git a/certs/ed25519/server-ed25519.pem b/certs/ed25519/server-ed25519.pem
index d8d2277e7..3c64693b2 100644
--- a/certs/ed25519/server-ed25519.pem
+++ b/certs/ed25519/server-ed25519.pem
@@ -5,8 +5,8 @@ Certificate:
         Signature Algorithm: ED25519
         Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_ed25519, OU = CA-ed25519, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Mar 10 06:49:03 2021 GMT
-            Not After : Dec  5 06:49:03 2023 GMT
+            Not Before: Dec 21 16:49:35 2021 GMT
+            Not After : Sep 16 16:49:35 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_ed25519, OU = Server-ed25519, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: ED25519
@@ -30,25 +30,25 @@ Certificate:
             Netscape Cert Type: 
                 SSL Server
     Signature Algorithm: ED25519
-         f3:c2:ef:8b:55:65:4f:bc:e3:df:fc:d8:a1:ad:8e:43:07:73:
-         c8:58:c3:46:0a:c1:f1:4d:3f:fb:3d:78:e6:76:58:26:ce:d7:
-         59:55:ec:c5:b5:b4:05:ed:f9:d4:97:69:66:d6:2c:1b:43:5a:
-         51:5c:be:10:28:95:c4:96:af:00
+         64:65:b1:5a:3b:18:07:36:42:ea:95:c9:de:96:59:04:cc:65:
+         8a:5a:97:ee:a5:94:06:66:f6:b8:78:68:d1:c1:9f:3f:5c:71:
+         4d:81:1e:80:ec:c2:52:44:b4:1f:d7:90:ad:84:37:a1:dd:c1:
+         f8:ae:fa:c2:92:4f:38:7d:b0:0c
 -----BEGIN CERTIFICATE-----
 MIICdTCCAiegAwIBAgIBATAFBgMrZXAwgZsxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
 DAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRgwFgYDVQQKDA93b2xmU1NMX2Vk
 MjU1MTkxEzARBgNVBAsMCkNBLWVkMjU1MTkxGDAWBgNVBAMMD3d3dy53b2xmc3Ns
-LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0yMTAzMTAw
-NjQ5MDNaFw0yMzEyMDUwNjQ5MDNaMIGfMQswCQYDVQQGEwJVUzEQMA4GA1UECAwH
+LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0yMTEyMjEx
+NjQ5MzVaFw0yNDA5MTYxNjQ5MzVaMIGfMQswCQYDVQQGEwJVUzEQMA4GA1UECAwH
 TW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEYMBYGA1UECgwPd29sZlNTTF9lZDI1
 NTE5MRcwFQYDVQQLDA5TZXJ2ZXItZWQyNTUxOTEYMBYGA1UEAwwPd3d3LndvbGZz
 c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMCowBQYDK2Vw
 AyEAI6pNYFDgE9M67av2qcxK/tdNL9JbGhAF71pBJc4bU3ijgYkwgYYwHQYDVR0O
 BBYEFKMpgeeQb7lg+K/MFXqu16H0tIa6MB8GA1UdIwQYMBaAFHTVOBleg7kD+AGK
 NTW7iUxJtCPpMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgOoMBMGA1UdJQQM
-MAoGCCsGAQUFBwMBMBEGCWCGSAGG+EIBAQQEAwIGQDAFBgMrZXADQQDzwu+LVWVP
-vOPf/NihrY5DB3PIWMNGCsHxTT/7PXjmdlgmztdZVezFtbQF7fnUl2lm1iwbQ1pR
-XL4QKJXElq8A
+MAoGCCsGAQUFBwMBMBEGCWCGSAGG+EIBAQQEAwIGQDAFBgMrZXADQQBkZbFaOxgH
+NkLqlcnellkEzGWKWpfupZQGZva4eGjRwZ8/XHFNgR6A7MJSRLQf15CthDeh3cH4
+rvrCkk84fbAM
 -----END CERTIFICATE-----
 Certificate:
     Data:
@@ -57,8 +57,8 @@ Certificate:
         Signature Algorithm: ED25519
         Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_Ed25519, OU = Root-Ed25519, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Mar 10 06:49:03 2021 GMT
-            Not After : Dec  5 06:49:03 2023 GMT
+            Not Before: Dec 21 16:49:35 2021 GMT
+            Not After : Sep 16 16:49:35 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_ed25519, OU = CA-ed25519, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: ED25519
@@ -78,22 +78,22 @@ Certificate:
             X509v3 Key Usage: critical
                 Digital Signature, Certificate Sign, CRL Sign
     Signature Algorithm: ED25519
-         da:fe:58:53:89:43:85:98:35:dc:13:1c:a3:f1:1f:8d:26:be:
-         b6:a2:fc:b7:fe:9c:b9:35:69:31:7e:d4:b9:11:45:16:a2:29:
-         35:a9:74:a7:97:da:7e:71:4f:b1:72:5d:75:17:ac:e3:f6:b8:
-         ce:1e:e4:8a:95:ba:cd:1d:ce:0d
+         71:66:ff:a7:fc:b9:fa:03:85:13:28:80:46:5b:22:84:1c:a2:
+         b8:f1:f4:85:83:66:4b:a2:44:8c:63:04:ba:3f:59:e1:ba:b3:
+         03:16:70:85:05:5d:50:20:29:69:7c:5b:82:25:31:c3:79:7e:
+         9a:eb:86:be:dc:33:e1:e0:57:0e
 -----BEGIN CERTIFICATE-----
 MIICTDCCAf6gAwIBAgIBATAFBgMrZXAwgZ0xCzAJBgNVBAYTAlVTMRAwDgYDVQQI
 DAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRgwFgYDVQQKDA93b2xmU1NMX0Vk
 MjU1MTkxFTATBgNVBAsMDFJvb3QtRWQyNTUxOTEYMBYGA1UEAwwPd3d3LndvbGZz
-c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMDMx
-MDA2NDkwM1oXDTIzMTIwNTA2NDkwM1owgZsxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
+c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMTIy
+MTE2NDkzNVoXDTI0MDkxNjE2NDkzNVowgZsxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
 DAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRgwFgYDVQQKDA93b2xmU1NMX2Vk
 MjU1MTkxEzARBgNVBAsMCkNBLWVkMjU1MTkxGDAWBgNVBAMMD3d3dy53b2xmc3Ns
 LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAqMAUGAytlcAMh
 AEI7evmCz/nfGd3z8DIpbfr9dk9owsLgbEeuwlVorA1No2MwYTAdBgNVHQ4EFgQU
 dNU4GV6DuQP4AYo1NbuJTEm0I+kwHwYDVR0jBBgwFoAU+rpbdh3xHR1NdEjYmDtW
 77MU894wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwBQYDK2VwA0EA
-2v5YU4lDhZg13BMco/EfjSa+tqL8t/6cuTVpMX7UuRFFFqIpNal0p5fafnFPsXJd
-dRes4/a4zh7kipW6zR3ODQ==
+cWb/p/y5+gOFEyiARlsihByiuPH0hYNmS6JEjGMEuj9Z4bqzAxZwhQVdUCApaXxb
+giUxw3l+muuGvtwz4eBXDg==
 -----END CERTIFICATE-----
diff --git a/certs/ed448/ca-ed448.der b/certs/ed448/ca-ed448.der
index 0f147d75f..336decb48 100644
Binary files a/certs/ed448/ca-ed448.der and b/certs/ed448/ca-ed448.der differ
diff --git a/certs/ed448/ca-ed448.pem b/certs/ed448/ca-ed448.pem
index e1c1392ec..61e9aa7ed 100644
--- a/certs/ed448/ca-ed448.pem
+++ b/certs/ed448/ca-ed448.pem
@@ -5,8 +5,8 @@ Certificate:
         Signature Algorithm: ED448
         Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_Ed448, OU = Root-Ed448, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Jun 19 13:23:41 2020 GMT
-            Not After : Mar 16 13:23:41 2023 GMT
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_ed448, OU = CA-ed448, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: ED448
@@ -27,26 +27,26 @@ Certificate:
             X509v3 Key Usage: critical
                 Digital Signature, Certificate Sign, CRL Sign
     Signature Algorithm: ED448
-         12:5e:bc:a0:86:7e:26:a1:a8:5f:05:4a:ec:5e:3c:3b:9e:14:
-         9c:75:63:ce:33:3a:ac:2d:2e:18:72:46:0a:1d:87:e8:51:0c:
-         2e:1b:fb:8b:f0:36:f5:23:bc:77:f9:09:7d:39:fd:d8:08:0c:
-         34:4e:00:4f:2b:f9:9d:48:3e:0f:74:7a:52:b0:44:86:86:21:
-         a1:53:10:48:21:51:37:76:d3:f3:f0:42:f1:c6:8e:6a:9e:a2:
-         42:90:db:b2:a2:4f:c1:06:09:e9:ff:f3:a2:14:a9:12:43:40:
-         00:9e:78:1c:13:00
+         de:27:87:c7:7b:e8:c1:e5:1d:58:3e:5e:1e:51:4e:03:91:6a:
+         98:b3:87:13:0f:28:3c:69:c5:67:93:d2:c6:d6:39:3d:3d:66:
+         64:25:04:a1:80:5b:65:26:79:e8:39:78:d6:a2:d9:72:35:95:
+         70:86:00:6e:62:57:42:b3:a9:11:85:24:f7:29:e7:d3:99:7b:
+         61:00:84:c3:08:ee:34:be:ad:a5:7b:eb:52:4f:4d:ec:05:3e:
+         d5:d7:99:6f:70:ba:f2:01:5b:d6:43:39:28:e2:0e:79:f0:1e:
+         e8:16:3a:33:37:00
 -----BEGIN CERTIFICATE-----
 MIICjzCCAg+gAwIBAgIBATAFBgMrZXEwgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
 DAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRYwFAYDVQQKDA13b2xmU1NMX0Vk
 NDQ4MRMwEQYDVQQLDApSb290LUVkNDQ4MRgwFgYDVQQDDA93d3cud29sZnNzbC5j
-b20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjAwNjE5MTMy
-MzQxWhcNMjMwMzE2MTMyMzQxWjCBlzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01v
+b20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIwMjMw
+NzI1WhcNMjQwOTE1MjMwNzI1WjCBlzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01v
 bnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFjAUBgNVBAoMDXdvbGZTU0xfZWQ0NDgx
 ETAPBgNVBAsMCENBLWVkNDQ4MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAd
 BgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wQzAFBgMrZXEDOgAO4rR25dLM
 wkt7sCm+kvvDr2mllLpwJOij78hjmt2mr1hDOAQk8BCRvqcBkVTzz2mFTLmXjKQ3
 qgCjYzBhMB0GA1UdDgQWBBQ4WUXo3UQstX2lJdYLzDnwcsCUYzAfBgNVHSMEGDAW
 gBTaaZjJJkp1+1leU5pjSwy4iAsPHjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
-/wQEAwIBhjAFBgMrZXEDcwASXryghn4moahfBUrsXjw7nhScdWPOMzqsLS4YckYK
-HYfoUQwuG/uL8Db1I7x3+Ql9Of3YCAw0TgBPK/mdSD4PdHpSsESGhiGhUxBIIVE3
-dtPz8ELxxo5qnqJCkNuyok/BBgnp//OiFKkSQ0AAnngcEwA=
+/wQEAwIBhjAFBgMrZXEDcwDeJ4fHe+jB5R1YPl4eUU4DkWqYs4cTDyg8acVnk9LG
+1jk9PWZkJQShgFtlJnnoOXjWotlyNZVwhgBuYldCs6kRhST3KefTmXthAITDCO40
+vq2le+tST03sBT7V15lvcLryAVvWQzko4g558B7oFjozNwA=
 -----END CERTIFICATE-----
diff --git a/certs/ed448/client-ed448.der b/certs/ed448/client-ed448.der
index 77687246e..2062853b8 100644
Binary files a/certs/ed448/client-ed448.der and b/certs/ed448/client-ed448.der differ
diff --git a/certs/ed448/client-ed448.pem b/certs/ed448/client-ed448.pem
index 9f3ab2580..80a4771f0 100644
--- a/certs/ed448/client-ed448.pem
+++ b/certs/ed448/client-ed448.pem
@@ -2,12 +2,12 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            74:e0:2f:55:75:06:b8:1f:8f:30:20:cb:0d:c7:15:73:d8:d0:32:27
+            31:26:1a:ec:1b:b4:ac:dc:fc:40:67:e4:6f:03:64:1c:58:f4:30:e5
         Signature Algorithm: ED448
         Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_ed448, OU = Client-ed448, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Jun 19 13:23:41 2020 GMT
-            Not After : Mar 16 13:23:41 2023 GMT
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_ed448, OU = Client-ed448, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: ED448
@@ -23,7 +23,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:F3:C7:66:93:0D:CB:0E:1B:80:08:00:CF:E3:4E:11:4D:58:2B:4B:D4
                 DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_ed448/OU=Client-ed448/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:74:E0:2F:55:75:06:B8:1F:8F:30:20:CB:0D:C7:15:73:D8:D0:32:27
+                serial:31:26:1A:EC:1B:B4:AC:DC:FC:40:67:E4:6F:03:64:1C:58:F4:30:E5
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -32,19 +32,19 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: ED448
-         ee:19:f6:b7:bf:b8:7e:2b:74:77:f2:89:b2:eb:a0:45:5d:42:
-         18:f7:f3:aa:ba:7d:82:83:a0:70:b9:28:97:2d:9b:59:78:25:
-         ec:6b:1a:b6:4d:08:1f:52:10:3c:73:5c:71:40:b9:47:f9:cb:
-         e6:84:00:81:6c:c2:90:5c:16:3e:9c:ef:f7:34:b4:3b:98:55:
-         cc:85:47:b1:73:24:f4:90:1c:05:c5:fc:54:d7:73:5d:b3:e8:
-         18:d5:89:a6:b1:e2:6d:4b:09:06:35:ee:2e:82:6d:98:d4:da:
-         87:aa:6c:20:14:00
+         9c:5f:2a:91:dc:42:4c:43:1d:ec:a9:d3:68:5f:35:15:db:e2:
+         0b:c8:7c:c8:a2:9e:01:b0:1a:d7:c6:b2:00:90:4e:a6:c3:45:
+         0f:42:00:a7:53:67:f9:cb:0b:a5:d8:ac:63:d0:40:33:eb:6b:
+         bf:fd:00:1f:b9:78:62:ca:48:54:0f:35:0a:7e:af:69:f2:d6:
+         f9:ee:54:fe:71:a2:9b:55:0c:53:9b:18:1d:ed:74:74:67:aa:
+         8b:66:db:2b:71:49:38:d5:34:fb:f5:cf:55:8e:65:c1:09:d4:
+         05:8b:43:b7:25:00
 -----BEGIN CERTIFICATE-----
-MIIDkzCCAxOgAwIBAgIUdOAvVXUGuB+PMCDLDccVc9jQMicwBQYDK2VxMIGbMQsw
+MIIDkzCCAxOgAwIBAgIUMSYa7Bu0rNz8QGfkbwNkHFj0MOUwBQYDK2VxMIGbMQsw
 CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEW
 MBQGA1UECgwNd29sZlNTTF9lZDQ0ODEVMBMGA1UECwwMQ2xpZW50LWVkNDQ4MRgw
 FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s
-ZnNzbC5jb20wHhcNMjAwNjE5MTMyMzQxWhcNMjMwMzE2MTMyMzQxWjCBmzELMAkG
+ZnNzbC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBmzELMAkG
 A1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFjAU
 BgNVBAoMDXdvbGZTU0xfZWQ0NDgxFTATBgNVBAsMDENsaWVudC1lZDQ0ODEYMBYG
 A1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZz
@@ -54,10 +54,10 @@ ZpMNyw4bgAgAz+NOEU1YK0vUMIHbBgNVHSMEgdMwgdCAFPPHZpMNyw4bgAgAz+NO
 EU1YK0vUoYGhpIGeMIGbMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQ
 MA4GA1UEBwwHQm96ZW1hbjEWMBQGA1UECgwNd29sZlNTTF9lZDQ0ODEVMBMGA1UE
 CwwMQ2xpZW50LWVkNDQ4MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkq
-hkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFHTgL1V1BrgfjzAgyw3HFXPY0DIn
+hkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFDEmGuwbtKzc/EBn5G8DZBxY9DDl
 MAwGA1UdEwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhhbXBsZS5jb22HBH8AAAEwHQYD
-VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAUGAytlcQNzAO4Z9re/uH4rdHfy
-ibLroEVdQhj386q6fYKDoHC5KJctm1l4JexrGrZNCB9SEDxzXHFAuUf5y+aEAIFs
-wpBcFj6c7/c0tDuYVcyFR7FzJPSQHAXF/FTXc12z6BjViaax4m1LCQY17i6CbZjU
-2oeqbCAUAA==
+VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAUGAytlcQNzAJxfKpHcQkxDHeyp
+02hfNRXb4gvIfMiingGwGtfGsgCQTqbDRQ9CAKdTZ/nLC6XYrGPQQDPra7/9AB+5
+eGLKSFQPNQp+r2ny1vnuVP5xoptVDFObGB3tdHRnqotm2ytxSTjVNPv1z1WOZcEJ
+1AWLQ7clAA==
 -----END CERTIFICATE-----
diff --git a/certs/ed448/root-ed448.der b/certs/ed448/root-ed448.der
index 929c56617..ce3387e1a 100644
Binary files a/certs/ed448/root-ed448.der and b/certs/ed448/root-ed448.der differ
diff --git a/certs/ed448/root-ed448.pem b/certs/ed448/root-ed448.pem
index a77a0038f..330e22fed 100644
--- a/certs/ed448/root-ed448.pem
+++ b/certs/ed448/root-ed448.pem
@@ -2,12 +2,12 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            3e:b1:2c:57:68:30:3f:06:46:47:d7:ea:ae:97:a2:cd:22:15:12:95
+            3f:91:2f:53:56:29:ef:34:b6:0a:94:7a:3e:0e:08:b1:f7:0d:7e:f2
         Signature Algorithm: ED448
         Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_Ed448, OU = Root-Ed448, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Jun 19 13:23:41 2020 GMT
-            Not After : Mar 16 13:23:41 2023 GMT
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_Ed448, OU = Root-Ed448, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: ED448
@@ -28,27 +28,27 @@ Certificate:
             X509v3 Key Usage: critical
                 Digital Signature, Certificate Sign, CRL Sign
     Signature Algorithm: ED448
-         b4:9d:00:0e:cd:5c:55:15:a9:e1:96:8a:47:6e:f8:19:43:1d:
-         bc:d6:ac:4c:cb:d0:cf:e3:1e:ef:38:8f:f8:7f:1f:2d:45:5b:
-         39:ff:05:1e:99:7e:b5:f7:4c:03:7e:25:ca:7b:c5:71:9e:f5:
-         8a:c1:80:89:37:a4:ff:76:25:75:83:89:c8:5c:15:f4:0c:ba:
-         46:fe:4d:ce:9a:9e:ae:b9:50:6e:1e:75:c5:47:6c:11:d0:f3:
-         34:39:d0:2c:d4:84:a2:19:3e:db:f5:05:ac:01:da:e6:8e:ec:
-         36:25:31:fa:0b:00
+         f5:c4:aa:7d:41:bd:e4:53:3d:03:c7:d2:c9:6d:93:0f:d2:3b:
+         c9:3e:5e:ef:f7:db:e3:a2:41:1b:22:30:e4:49:3d:88:bb:bd:
+         40:25:1a:f0:61:85:69:47:45:87:a8:11:00:31:41:28:b0:93:
+         c0:28:00:0d:40:0a:fb:e4:cb:dc:d9:cb:64:1a:04:a5:2c:5c:
+         9c:c9:93:a4:64:01:8e:09:77:c9:e2:b4:fb:a6:b2:cb:4f:4e:
+         07:62:94:44:ec:21:13:f1:de:3a:f9:0d:e9:18:9c:cb:2f:68:
+         25:80:ea:79:09:00
 -----BEGIN CERTIFICATE-----
-MIICpDCCAiSgAwIBAgIUPrEsV2gwPwZGR9fqrpeizSIVEpUwBQYDK2VxMIGZMQsw
+MIICpDCCAiSgAwIBAgIUP5EvU1Yp7zS2CpR6Pg4IsfcNfvIwBQYDK2VxMIGZMQsw
 CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEW
 MBQGA1UECgwNd29sZlNTTF9FZDQ0ODETMBEGA1UECwwKUm9vdC1FZDQ0ODEYMBYG
 A1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZz
-c2wuY29tMB4XDTIwMDYxOTEzMjM0MVoXDTIzMDMxNjEzMjM0MVowgZkxCzAJBgNV
+c2wuY29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgZkxCzAJBgNV
 BAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRYwFAYD
 VQQKDA13b2xmU1NMX0VkNDQ4MRMwEQYDVQQLDApSb290LUVkNDQ4MRgwFgYDVQQD
 DA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
 b20wQzAFBgMrZXEDOgALZCYoz7VGm+4/6jv1Znoy1P59+IBfWFds13nuZqI9VI+N
 CK/LuEOUUF3lU2JpyHWCpl5EyktbCwCjYzBhMB0GA1UdDgQWBBTaaZjJJkp1+1le
 U5pjSwy4iAsPHjAfBgNVHSMEGDAWgBTaaZjJJkp1+1leU5pjSwy4iAsPHjAPBgNV
-HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAFBgMrZXEDcwC0nQAOzVxVFanh
-lopHbvgZQx281qxMy9DP4x7vOI/4fx8tRVs5/wUemX6190wDfiXKe8VxnvWKwYCJ
-N6T/diV1g4nIXBX0DLpG/k3Omp6uuVBuHnXFR2wR0PM0OdAs1ISiGT7b9QWsAdrm
-juw2JTH6CwA=
+HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAFBgMrZXEDcwD1xKp9Qb3kUz0D
+x9LJbZMP0jvJPl7v99vjokEbIjDkST2Iu71AJRrwYYVpR0WHqBEAMUEosJPAKAAN
+QAr75Mvc2ctkGgSlLFycyZOkZAGOCXfJ4rT7prLLT04HYpRE7CET8d46+Q3pGJzL
+L2glgOp5CQA=
 -----END CERTIFICATE-----
diff --git a/certs/ed448/server-ed448-cert.pem b/certs/ed448/server-ed448-cert.pem
index 8f6f49681..6b9d94d23 100644
--- a/certs/ed448/server-ed448-cert.pem
+++ b/certs/ed448/server-ed448-cert.pem
@@ -5,8 +5,8 @@ Certificate:
         Signature Algorithm: ED448
         Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_ed448, OU = CA-ed448, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Jun 19 13:23:41 2020 GMT
-            Not After : Mar 16 13:23:41 2023 GMT
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_ed448, OU = Server-ed448, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: ED448
@@ -31,19 +31,19 @@ Certificate:
             Netscape Cert Type: 
                 SSL Server
     Signature Algorithm: ED448
-         a1:10:74:ad:92:3d:73:cf:89:f1:e8:07:7f:79:18:f0:89:19:
-         b9:92:13:e4:8b:cc:f3:08:1a:d1:d3:52:d7:24:8d:7d:41:15:
-         a4:5b:f1:4a:22:6b:00:2d:2f:25:c1:33:23:85:7d:87:69:6f:
-         53:b3:00:3c:7f:a3:0b:9c:7d:ce:e5:77:91:70:a4:45:0a:c2:
-         de:06:23:c3:37:1e:0b:14:cc:d5:89:6e:cd:83:d6:b9:a9:69:
-         32:a2:c1:db:d6:39:d1:e2:70:93:c6:68:1b:55:aa:bf:87:b0:
-         61:ef:0a:8e:13:00
+         39:91:c6:6a:6c:93:f0:b8:27:ad:c8:d7:b2:49:3d:3f:91:b1:
+         c6:47:74:39:5a:8c:f9:7a:43:74:34:df:16:1d:60:62:78:69:
+         e1:ec:61:e3:a8:69:19:2d:a5:b8:c3:c7:62:d9:2e:c8:81:6d:
+         f5:6f:80:dd:d8:e2:02:ee:5b:f0:9c:cd:1e:cd:27:e2:98:c5:
+         37:93:46:88:8d:cd:0c:fe:00:6e:54:96:cd:f0:13:8b:01:d6:
+         f6:38:fc:81:8a:e6:05:75:12:74:4a:ce:b7:de:40:7b:43:c8:
+         25:07:27:07:15:00
 -----BEGIN CERTIFICATE-----
 MIICuDCCAjigAwIBAgIBATAFBgMrZXEwgZcxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
 DAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRYwFAYDVQQKDA13b2xmU1NMX2Vk
 NDQ4MREwDwYDVQQLDAhDQS1lZDQ0ODEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
-MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIwMDYxOTEzMjM0
-MVoXDTIzMDMxNjEzMjM0MVowgZsxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250
+MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMTIyMDIzMDcy
+NVoXDTI0MDkxNTIzMDcyNVowgZsxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250
 YW5hMRAwDgYDVQQHDAdCb3plbWFuMRYwFAYDVQQKDA13b2xmU1NMX2VkNDQ4MRUw
 EwYDVQQLDAxTZXJ2ZXItZWQ0NDgxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEf
 MB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBDMAUGAytlcQM6AFSBOQHr
@@ -51,7 +51,7 @@ N9mpB80BvJ1wFsIsK3VbY9vuOi1Ekka0ewcDT6Kuhobci0ssf+hrFI1Y3W3nbzoF
 lajvAKOBiTCBhjAdBgNVHQ4EFgQUfKtcEqlo2BgQKH2SxUq4TEx2DtswHwYDVR0j
 BBgwFoAUOFlF6N1ELLV9pSXWC8w58HLAlGMwDAYDVR0TAQH/BAIwADAOBgNVHQ8B
 Af8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEQYJYIZIAYb4QgEBBAQDAgZA
-MAUGAytlcQNzAKEQdK2SPXPPifHoB395GPCJGbmSE+SLzPMIGtHTUtckjX1BFaRb
-8UoiawAtLyXBMyOFfYdpb1OzADx/owucfc7ld5FwpEUKwt4GI8M3HgsUzNWJbs2D
-1rmpaTKiwdvWOdHicJPGaBtVqr+HsGHvCo4TAA==
+MAUGAytlcQNzADmRxmpsk/C4J63I17JJPT+RscZHdDlajPl6Q3Q03xYdYGJ4aeHs
+YeOoaRktpbjDx2LZLsiBbfVvgN3Y4gLuW/CczR7NJ+KYxTeTRoiNzQz+AG5Uls3w
+E4sB1vY4/IGK5gV1EnRKzrfeQHtDyCUHJwcVAA==
 -----END CERTIFICATE-----
diff --git a/certs/ed448/server-ed448.der b/certs/ed448/server-ed448.der
index b0de2d985..ec45a3b63 100644
Binary files a/certs/ed448/server-ed448.der and b/certs/ed448/server-ed448.der differ
diff --git a/certs/ed448/server-ed448.pem b/certs/ed448/server-ed448.pem
index 8cc2542d1..8510448cd 100644
--- a/certs/ed448/server-ed448.pem
+++ b/certs/ed448/server-ed448.pem
@@ -5,8 +5,8 @@ Certificate:
         Signature Algorithm: ED448
         Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_ed448, OU = CA-ed448, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Jun 19 13:23:41 2020 GMT
-            Not After : Mar 16 13:23:41 2023 GMT
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_ed448, OU = Server-ed448, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: ED448
@@ -31,19 +31,19 @@ Certificate:
             Netscape Cert Type: 
                 SSL Server
     Signature Algorithm: ED448
-         a1:10:74:ad:92:3d:73:cf:89:f1:e8:07:7f:79:18:f0:89:19:
-         b9:92:13:e4:8b:cc:f3:08:1a:d1:d3:52:d7:24:8d:7d:41:15:
-         a4:5b:f1:4a:22:6b:00:2d:2f:25:c1:33:23:85:7d:87:69:6f:
-         53:b3:00:3c:7f:a3:0b:9c:7d:ce:e5:77:91:70:a4:45:0a:c2:
-         de:06:23:c3:37:1e:0b:14:cc:d5:89:6e:cd:83:d6:b9:a9:69:
-         32:a2:c1:db:d6:39:d1:e2:70:93:c6:68:1b:55:aa:bf:87:b0:
-         61:ef:0a:8e:13:00
+         39:91:c6:6a:6c:93:f0:b8:27:ad:c8:d7:b2:49:3d:3f:91:b1:
+         c6:47:74:39:5a:8c:f9:7a:43:74:34:df:16:1d:60:62:78:69:
+         e1:ec:61:e3:a8:69:19:2d:a5:b8:c3:c7:62:d9:2e:c8:81:6d:
+         f5:6f:80:dd:d8:e2:02:ee:5b:f0:9c:cd:1e:cd:27:e2:98:c5:
+         37:93:46:88:8d:cd:0c:fe:00:6e:54:96:cd:f0:13:8b:01:d6:
+         f6:38:fc:81:8a:e6:05:75:12:74:4a:ce:b7:de:40:7b:43:c8:
+         25:07:27:07:15:00
 -----BEGIN CERTIFICATE-----
 MIICuDCCAjigAwIBAgIBATAFBgMrZXEwgZcxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
 DAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRYwFAYDVQQKDA13b2xmU1NMX2Vk
 NDQ4MREwDwYDVQQLDAhDQS1lZDQ0ODEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
-MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIwMDYxOTEzMjM0
-MVoXDTIzMDMxNjEzMjM0MVowgZsxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250
+MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMTIyMDIzMDcy
+NVoXDTI0MDkxNTIzMDcyNVowgZsxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250
 YW5hMRAwDgYDVQQHDAdCb3plbWFuMRYwFAYDVQQKDA13b2xmU1NMX2VkNDQ4MRUw
 EwYDVQQLDAxTZXJ2ZXItZWQ0NDgxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEf
 MB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBDMAUGAytlcQM6AFSBOQHr
@@ -51,9 +51,9 @@ N9mpB80BvJ1wFsIsK3VbY9vuOi1Ekka0ewcDT6Kuhobci0ssf+hrFI1Y3W3nbzoF
 lajvAKOBiTCBhjAdBgNVHQ4EFgQUfKtcEqlo2BgQKH2SxUq4TEx2DtswHwYDVR0j
 BBgwFoAUOFlF6N1ELLV9pSXWC8w58HLAlGMwDAYDVR0TAQH/BAIwADAOBgNVHQ8B
 Af8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEQYJYIZIAYb4QgEBBAQDAgZA
-MAUGAytlcQNzAKEQdK2SPXPPifHoB395GPCJGbmSE+SLzPMIGtHTUtckjX1BFaRb
-8UoiawAtLyXBMyOFfYdpb1OzADx/owucfc7ld5FwpEUKwt4GI8M3HgsUzNWJbs2D
-1rmpaTKiwdvWOdHicJPGaBtVqr+HsGHvCo4TAA==
+MAUGAytlcQNzADmRxmpsk/C4J63I17JJPT+RscZHdDlajPl6Q3Q03xYdYGJ4aeHs
+YeOoaRktpbjDx2LZLsiBbfVvgN3Y4gLuW/CczR7NJ+KYxTeTRoiNzQz+AG5Uls3w
+E4sB1vY4/IGK5gV1EnRKzrfeQHtDyCUHJwcVAA==
 -----END CERTIFICATE-----
 Certificate:
     Data:
@@ -62,8 +62,8 @@ Certificate:
         Signature Algorithm: ED448
         Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_Ed448, OU = Root-Ed448, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Jun 19 13:23:41 2020 GMT
-            Not After : Mar 16 13:23:41 2023 GMT
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_ed448, OU = CA-ed448, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: ED448
@@ -84,26 +84,26 @@ Certificate:
             X509v3 Key Usage: critical
                 Digital Signature, Certificate Sign, CRL Sign
     Signature Algorithm: ED448
-         12:5e:bc:a0:86:7e:26:a1:a8:5f:05:4a:ec:5e:3c:3b:9e:14:
-         9c:75:63:ce:33:3a:ac:2d:2e:18:72:46:0a:1d:87:e8:51:0c:
-         2e:1b:fb:8b:f0:36:f5:23:bc:77:f9:09:7d:39:fd:d8:08:0c:
-         34:4e:00:4f:2b:f9:9d:48:3e:0f:74:7a:52:b0:44:86:86:21:
-         a1:53:10:48:21:51:37:76:d3:f3:f0:42:f1:c6:8e:6a:9e:a2:
-         42:90:db:b2:a2:4f:c1:06:09:e9:ff:f3:a2:14:a9:12:43:40:
-         00:9e:78:1c:13:00
+         de:27:87:c7:7b:e8:c1:e5:1d:58:3e:5e:1e:51:4e:03:91:6a:
+         98:b3:87:13:0f:28:3c:69:c5:67:93:d2:c6:d6:39:3d:3d:66:
+         64:25:04:a1:80:5b:65:26:79:e8:39:78:d6:a2:d9:72:35:95:
+         70:86:00:6e:62:57:42:b3:a9:11:85:24:f7:29:e7:d3:99:7b:
+         61:00:84:c3:08:ee:34:be:ad:a5:7b:eb:52:4f:4d:ec:05:3e:
+         d5:d7:99:6f:70:ba:f2:01:5b:d6:43:39:28:e2:0e:79:f0:1e:
+         e8:16:3a:33:37:00
 -----BEGIN CERTIFICATE-----
 MIICjzCCAg+gAwIBAgIBATAFBgMrZXEwgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
 DAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRYwFAYDVQQKDA13b2xmU1NMX0Vk
 NDQ4MRMwEQYDVQQLDApSb290LUVkNDQ4MRgwFgYDVQQDDA93d3cud29sZnNzbC5j
-b20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjAwNjE5MTMy
-MzQxWhcNMjMwMzE2MTMyMzQxWjCBlzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01v
+b20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIwMjMw
+NzI1WhcNMjQwOTE1MjMwNzI1WjCBlzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01v
 bnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFjAUBgNVBAoMDXdvbGZTU0xfZWQ0NDgx
 ETAPBgNVBAsMCENBLWVkNDQ4MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAd
 BgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wQzAFBgMrZXEDOgAO4rR25dLM
 wkt7sCm+kvvDr2mllLpwJOij78hjmt2mr1hDOAQk8BCRvqcBkVTzz2mFTLmXjKQ3
 qgCjYzBhMB0GA1UdDgQWBBQ4WUXo3UQstX2lJdYLzDnwcsCUYzAfBgNVHSMEGDAW
 gBTaaZjJJkp1+1leU5pjSwy4iAsPHjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
-/wQEAwIBhjAFBgMrZXEDcwASXryghn4moahfBUrsXjw7nhScdWPOMzqsLS4YckYK
-HYfoUQwuG/uL8Db1I7x3+Ql9Of3YCAw0TgBPK/mdSD4PdHpSsESGhiGhUxBIIVE3
-dtPz8ELxxo5qnqJCkNuyok/BBgnp//OiFKkSQ0AAnngcEwA=
+/wQEAwIBhjAFBgMrZXEDcwDeJ4fHe+jB5R1YPl4eUU4DkWqYs4cTDyg8acVnk9LG
+1jk9PWZkJQShgFtlJnnoOXjWotlyNZVwhgBuYldCs6kRhST3KefTmXthAITDCO40
+vq2le+tST03sBT7V15lvcLryAVvWQzko4g558B7oFjozNwA=
 -----END CERTIFICATE-----
diff --git a/certs/entity-no-ca-bool-cert.pem b/certs/entity-no-ca-bool-cert.pem
index 8fba3910c..4112468d3 100644
--- a/certs/entity-no-ca-bool-cert.pem
+++ b/certs/entity-no-ca-bool-cert.pem
@@ -5,8 +5,8 @@ Certificate:
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Jul  2 15:55:08 2021 GMT
-            Not After : Mar 28 15:55:08 2024 GMT
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL, OU = NoCaBool, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -37,7 +37,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:FALSE, pathlen:0
@@ -46,27 +46,27 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Client Authentication, TLS Web Server Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         0a:bc:55:13:b4:2d:a2:39:ca:a9:d0:82:6e:96:f1:c3:d7:91:
-         13:01:3d:e9:a8:2b:e0:8e:e9:5c:e9:b7:0d:fa:f1:86:84:e4:
-         1c:0b:75:19:4b:a0:3a:62:e0:32:d2:18:27:d4:3c:55:84:35:
-         ba:42:db:a0:5e:78:e5:94:26:69:fd:cb:c0:b2:d4:7d:da:b1:
-         7f:dc:1d:34:22:32:8c:81:e1:9c:1c:99:3a:39:10:62:25:c3:
-         f2:38:d8:78:ae:09:51:ce:57:1c:8b:b4:23:67:a5:74:59:0d:
-         68:e6:2b:8b:f0:ba:86:c3:db:f8:b6:fd:0c:21:d6:0b:ab:76:
-         8a:1a:02:d0:8f:ce:a0:bb:00:38:52:c1:04:f4:6b:0f:27:45:
-         98:1e:79:e7:07:6a:06:83:ab:2e:f7:5b:72:61:a0:f3:06:26:
-         36:fc:cc:09:da:fe:de:5a:7d:ca:5f:b0:7f:7a:aa:ef:5f:9d:
-         ea:f5:79:ed:f3:9a:34:58:1f:ae:6d:10:12:b0:5c:df:e4:6b:
-         6b:fe:5a:55:53:a0:ca:43:2f:ce:80:9f:d4:39:20:4e:02:ba:
-         be:40:5c:b4:60:17:49:50:e8:b0:c9:0f:80:c6:3c:99:70:f2:
-         63:31:d1:b4:5d:b3:df:93:17:b2:51:55:f7:c0:af:02:05:6c:
-         11:b0:02:d2
+         53:5e:64:a2:ac:e9:1a:84:a6:2f:4e:7c:11:0b:d7:9b:4a:bb:
+         cb:2f:4b:f6:3f:09:33:46:4e:74:21:6d:6e:e5:a0:1a:69:f8:
+         83:9a:c6:14:f6:45:12:e7:f8:a0:43:25:c8:2f:37:39:12:48:
+         b9:e5:d8:50:08:d6:65:48:55:3f:f6:02:8a:b5:22:5b:5d:19:
+         6a:7f:d3:e4:86:73:6c:99:21:64:87:af:37:4a:00:6f:c9:29:
+         6a:60:1a:dc:57:65:be:77:af:f3:e1:cf:7e:bc:23:b6:e0:61:
+         be:2b:e0:12:f1:7c:c1:3d:5d:17:7f:de:69:5c:82:89:0a:69:
+         ad:1f:37:a3:91:84:c8:f2:eb:ae:c4:e6:62:37:f0:a5:f9:60:
+         0c:79:01:68:93:14:ec:a5:6d:ed:ec:0e:fa:ea:a3:e0:5a:f6:
+         97:a7:2c:18:20:72:db:2c:92:63:14:ee:a0:3f:d4:22:59:12:
+         89:47:82:2a:2f:4d:11:d5:4b:fe:50:6d:77:d8:8f:1e:ff:fb:
+         ef:af:83:96:ad:53:de:eb:cd:fc:d5:15:37:a7:6e:3d:7e:ef:
+         b9:3d:39:0c:da:f5:86:ba:8c:3b:d0:46:b4:b2:c7:0b:34:d4:
+         8b:8c:87:f2:7c:02:d0:eb:8f:34:69:3f:93:51:dc:f2:56:56:
+         72:cc:5d:e3
 -----BEGIN CERTIFICATE-----
-MIIEzTCCA7WgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIE2DCCA8CgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwNzAy
-MTU1NTA4WhcNMjQwMzI4MTU1NTA4WjCBkTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBkTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
 B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxETAP
 BgNVBAsMCE5vQ2FCb29sMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkq
 hkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
@@ -75,30 +75,30 @@ HVcEnpxW/2aveEuFfHG8a3mpYyH0iB5vuVNYsE2TtaflnIA72fv0R/5G8ed+WR3n
 IRFrlqDXO966BmHrA9R0t7ST9Dg0259Y3Nf67v5WabiXr1vKVkAwERwmQKYfHLvW
 4P8epFc143SrSaGHlS+KdwqxZaCP01qsBJPMUINCZKsS+i6vK+qxc3vOM8NoIyfw
 dfQLgh6uIQBP/CYXdYSb4DHeWYOqRfmCyz7dIu7OfAwG3MxhJX56ZOnFBlfTwWFT
-WYIyxs8dcIdEPbdS5VZn4xZ7u0iYjVTBhapXAgMBAAGjggEpMIIBJTAdBgNVHQ4E
-FgQU7/SLhs5179zh+CMeGrg7jZgJiOcwgckGA1UdIwSBwTCBvoAUJ45nEXTDJh0/
+WYIyxs8dcIdEPbdS5VZn4xZ7u0iYjVTBhapXAgMBAAGjggE0MIIBMDAdBgNVHQ4E
+FgQU7/SLhs5179zh+CMeGrg7jZgJiOcwgdQGA1UdIwSBzDCByYAUJ45nEXTDJh0/
 7TNjs6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250
 YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UE
 CwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZI
-hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggkAqtM/rBgKN00wDAYDVR0TBAUwAwIB
-ADALBgNVHQ8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA0G
-CSqGSIb3DQEBCwUAA4IBAQAKvFUTtC2iOcqp0IJulvHD15ETAT3pqCvgjulc6bcN
-+vGGhOQcC3UZS6A6YuAy0hgn1DxVhDW6QtugXnjllCZp/cvAstR92rF/3B00IjKM
-geGcHJk6ORBiJcPyONh4rglRzlcci7QjZ6V0WQ1o5iuL8LqGw9v4tv0MIdYLq3aK
-GgLQj86guwA4UsEE9GsPJ0WYHnnnB2oGg6su91tyYaDzBiY2/MwJ2v7eWn3KX7B/
-eqrvX53q9Xnt85o0WB+ubRASsFzf5Gtr/lpVU6DKQy/OgJ/UOSBOArq+QFy0YBdJ
-UOiwyQ+AxjyZcPJjMdG0XbPfkxeyUVX3wK8CBWwRsALS
+hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tghR9lHCIugdCjaqvT77CGkjw0UDmQjAM
+BgNVHRMEBTADAgEAMAsGA1UdDwQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAgYI
+KwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAFNeZKKs6RqEpi9OfBEL15tKu8sv
+S/Y/CTNGTnQhbW7loBpp+IOaxhT2RRLn+KBDJcgvNzkSSLnl2FAI1mVIVT/2Aoq1
+IltdGWp/0+SGc2yZIWSHrzdKAG/JKWpgGtxXZb53r/Phz368I7bgYb4r4BLxfME9
+XRd/3mlcgokKaa0fN6ORhMjy667E5mI38KX5YAx5AWiTFOylbe3sDvrqo+Ba9pen
+LBggctsskmMU7qA/1CJZEolHgiovTRHVS/5QbXfYjx7/+++vg5atU97rzfzVFTen
+bj1+77k9OQza9Ya6jDvQRrSyxws01IuMh/J8AtDrjzRpP5NR3PJWVnLMXeM=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            aa:d3:3f:ac:18:0a:37:4d
+            7d:94:70:88:ba:07:42:8d:aa:af:4f:be:c2:1a:48:f0:d1:40:e6:42
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:52 2021 GMT
-            Not After : Nov  7 19:49:52 2023 GMT
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Sep 15 23:07:24 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -129,7 +129,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -138,47 +138,47 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         62:98:c8:58:cf:56:03:86:5b:1b:71:49:7d:05:03:5d:e0:08:
-         86:ad:db:4a:de:ab:22:96:a8:c3:59:68:c1:37:90:40:df:bd:
-         89:d0:bc:da:8e:ef:87:b2:c2:62:52:e1:1a:29:17:6a:96:99:
-         c8:4e:d8:32:fe:b8:d1:5c:3b:0a:c2:3c:5f:a1:1e:98:7f:ce:
-         89:26:21:1f:64:9c:15:7a:9c:ef:fb:1d:85:6a:fa:98:ce:a8:
-         a9:ab:c3:a2:c0:eb:87:ed:bc:21:df:f3:07:5b:ae:fd:40:d4:
-         ae:20:d0:76:8a:31:0a:a2:62:7c:61:0d:ce:5d:9a:1e:e4:20:
-         88:51:49:fb:77:a9:cd:4d:c6:bf:54:99:33:ef:4b:a0:73:70:
-         6d:2e:d9:3d:08:f6:12:39:31:68:c6:61:5c:41:b5:1b:f4:38:
-         7d:fc:be:73:66:2d:f7:ca:5b:2c:5b:31:aa:cf:f6:7f:30:e4:
-         12:2c:8e:d6:38:51:e6:45:ee:d5:da:c3:83:d6:ed:5e:ec:d6:
-         b6:14:b3:93:59:e1:55:4a:7f:04:df:ce:65:d4:df:18:4f:dd:
-         b4:45:7f:a6:56:30:c4:05:44:98:9d:4f:26:6d:84:80:a0:5e:
-         ed:23:d1:48:87:0e:05:06:91:3b:b0:3c:bb:8c:8f:3c:7b:4c:
-         4f:a1:ca:98
+         b0:71:bb:ba:45:5a:80:25:02:a4:7e:88:0b:a9:7b:fd:b0:bb:
+         f6:46:b5:ba:f4:c7:e3:61:20:8c:03:15:66:f5:e4:54:82:ef:
+         13:80:97:22:67:c1:d1:88:5d:e2:2d:57:f6:e0:9f:69:d6:b1:
+         5c:b6:e8:e0:98:89:c8:14:12:d6:b6:89:8d:6c:b9:a0:59:4f:
+         92:ee:11:53:6b:7d:93:4a:69:0a:85:d9:d5:d2:62:e8:c9:b5:
+         c6:4e:17:f5:0a:e8:f3:2d:86:61:0b:eb:c4:c4:c6:67:75:ed:
+         9a:9f:53:a0:71:1e:a0:90:0d:f9:03:b4:bc:86:19:6e:f0:3b:
+         4f:e8:ed:68:f6:e7:23:43:3b:36:83:83:4b:46:a0:9a:01:d0:
+         c7:85:bb:7d:94:a0:21:3d:7e:3c:6a:3d:81:db:41:7b:46:d8:
+         15:62:d5:8f:4d:3d:c0:db:9a:c5:81:a8:ac:da:87:99:c7:dd:
+         b9:f1:14:af:d1:93:e3:f3:42:d7:a2:04:51:21:54:29:c3:45:
+         f6:be:5c:fa:cd:db:bf:2f:79:81:42:e5:8f:47:0b:d4:54:01:
+         b5:c2:4a:46:d6:a8:31:2e:64:80:3f:48:61:91:29:f3:aa:43:
+         5c:69:6e:f1:01:b9:df:63:71:3d:b9:5a:fb:36:c0:11:a2:c3:
+         30:9d:95:c3
 -----BEGIN CERTIFICATE-----
-MIIE6TCCA9GgAwIBAgIJAKrTP6wYCjdNMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD
+MIIE/zCCA+egAwIBAgIUfZRwiLoHQo2qr0++whpI8NFA5kIwDQYJKoZIhvcNAQEL
+BQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
+b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY
+MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
+bGZzc2wuY29tMB4XDTIxMTIyMDIzMDcyNFoXDTI0MDkxNTIzMDcyNFowgZQxCzAJ
+BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREw
+DwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwP
+d3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwzKLRSyHoRCW804H0ry
+TXUQ8bY1n9/KfQOY06zeA2buKvHYsH1uB1QLEJghTYDLEiDnzE/eRX3Jcncy6sqQ
+u2lSEAMvqPOVxfGLYlYb72dvpBBBla0Km+OlwLDScHZQMFuo6AgsfO2nonqNOCkc
+rMft8nyVsJWCfUlcOM13Je+9gHVTlDw9ymNbnxW10x0TLxnRPNt2Osy4fcnlwtfa
+QG/YIdxzG0ItU5z+Gvx9q3o2P5jehHwFZ85qFDiHqfGMtWjLaH9xICv1oGP1Vi+j
+JtK3b7FaF9c4mQj+k1hv/sMTSQgWC6dNZwBSMWcjTpjtUUUduQTZC+zYKLNLve02
+eQIDAQABo4IBRTCCAUEwHQYDVR0OBBYEFCeOZxF0wyYdP+0zY7Ok2B0w5ejVMIHU
+BgNVHSMEgcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYD
 VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G
 A1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3
-dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe
-Fw0yMTAyMTAxOTQ5NTJaFw0yMzExMDcxOTQ5NTJaMIGUMQswCQYDVQQGEwJVUzEQ
-MA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwIU2F3
-dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3Ns
-LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAL8Myi0Ush6EQlvNOB9K8k11EPG2NZ/fyn0D
-mNOs3gNm7irx2LB9bgdUCxCYIU2AyxIg58xP3kV9yXJ3MurKkLtpUhADL6jzlcXx
-i2JWG+9nb6QQQZWtCpvjpcCw0nB2UDBbqOgILHztp6J6jTgpHKzH7fJ8lbCVgn1J
-XDjNdyXvvYB1U5Q8PcpjW58VtdMdEy8Z0TzbdjrMuH3J5cLX2kBv2CHccxtCLVOc
-/hr8fat6Nj+Y3oR8BWfOahQ4h6nxjLVoy2h/cSAr9aBj9VYvoybSt2+xWhfXOJkI
-/pNYb/7DE0kIFgunTWcAUjFnI06Y7VFFHbkE2Qvs2CizS73tNnkCAwEAAaOCATow
-ggE2MB0GA1UdDgQWBBQnjmcRdMMmHT/tM2OzpNgdMOXo1TCByQYDVR0jBIHBMIG+
-gBQnjmcRdMMmHT/tM2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAO
-BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rv
-b3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5j
-b20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQCq0z+sGAo3TTAM
-BgNVHRMEBTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1Ud
-JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAYpjI
-WM9WA4ZbG3FJfQUDXeAIhq3bSt6rIpaow1lowTeQQN+9idC82o7vh7LCYlLhGikX
-apaZyE7YMv640Vw7CsI8X6EemH/OiSYhH2ScFXqc7/sdhWr6mM6oqavDosDrh+28
-Id/zB1uu/UDUriDQdooxCqJifGENzl2aHuQgiFFJ+3epzU3Gv1SZM+9LoHNwbS7Z
-PQj2EjkxaMZhXEG1G/Q4ffy+c2Yt98pbLFsxqs/2fzDkEiyO1jhR5kXu1drDg9bt
-XuzWthSzk1nhVUp/BN/OZdTfGE/dtEV/plYwxAVEmJ1PJm2EgKBe7SPRSIcOBQaR
-O7A8u4yPPHtMT6HKmA==
+dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIU
+fZRwiLoHQo2qr0++whpI8NFA5kIwDAYDVR0TBAUwAwEB/zAcBgNVHREEFTATggtl
+eGFtcGxlLmNvbYcEfwAAATAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
+DQYJKoZIhvcNAQELBQADggEBALBxu7pFWoAlAqR+iAupe/2wu/ZGtbr0x+NhIIwD
+FWb15FSC7xOAlyJnwdGIXeItV/bgn2nWsVy26OCYicgUEta2iY1suaBZT5LuEVNr
+fZNKaQqF2dXSYujJtcZOF/UK6PMthmEL68TExmd17ZqfU6BxHqCQDfkDtLyGGW7w
+O0/o7Wj25yNDOzaDg0tGoJoB0MeFu32UoCE9fjxqPYHbQXtG2BVi1Y9NPcDbmsWB
+qKzah5nH3bnxFK/Rk+PzQteiBFEhVCnDRfa+XPrN278veYFC5Y9HC9RUAbXCSkbW
+qDEuZIA/SGGRKfOqQ1xpbvEBud9jcT25Wvs2wBGiwzCdlcM=
 -----END CERTIFICATE-----
diff --git a/certs/external/ca-google-root.pem b/certs/external/ca-google-root.pem
index fd4341df2..cc9dd0873 100644
--- a/certs/external/ca-google-root.pem
+++ b/certs/external/ca-google-root.pem
@@ -20,3 +20,24 @@ PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
 YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
 CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
 -----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
+A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
+MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
+aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
+jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
+xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
+1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
+snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
+U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
+9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
+AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
+yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
+38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
+AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
+DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
+HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
+-----END CERTIFICATE-----
diff --git a/certs/ocsp/intermediate1-ca-cert.pem b/certs/ocsp/intermediate1-ca-cert.pem
index 673f05678..d2907acca 100644
--- a/certs/ocsp/intermediate1-ca-cert.pem
+++ b/certs/ocsp/intermediate1-ca-cert.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL intermediate CA 1, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:de:b4:c8:5c:77:e0:2d:b1:f5:b9:ad:16:47:35:
                     a0:35:65:65:c6:e1:40:ab:1e:b4:b9:13:b7:cb:8c:
@@ -47,27 +47,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22220
 
     Signature Algorithm: sha256WithRSAEncryption
-         1e:8f:fa:f5:32:ee:98:9e:ed:96:b4:a9:ea:d7:3c:05:74:36:
-         41:ef:1b:84:35:6a:3d:6c:c9:53:2a:50:f7:d1:80:d3:ec:99:
-         bc:4b:dd:86:69:e0:94:1c:c4:77:c9:6a:f7:ed:2c:0d:c5:17:
-         a7:15:75:25:14:2d:c6:14:8d:17:97:6d:e7:d7:38:88:d6:df:
-         ba:8c:aa:2a:f1:4e:ef:1f:4a:16:5a:fa:0c:50:ea:98:b1:4b:
-         36:97:24:21:ce:dc:e4:5c:ba:ae:e7:cb:2a:1d:f7:73:ff:17:
-         f3:9d:cf:26:4e:b7:cb:5c:8e:e4:9e:55:d2:00:f8:ca:53:c3:
-         53:3f:6d:65:aa:86:f4:f1:ed:26:1e:75:56:be:bd:80:f5:1c:
-         4e:4d:13:c3:1b:04:61:b9:c6:e2:6f:30:44:01:0e:63:d8:19:
-         ce:83:40:e9:c7:01:f2:51:d7:b7:cd:16:25:93:de:3e:7a:7d:
-         8d:72:1e:2b:66:76:91:df:b9:33:fa:04:b8:8c:c5:7a:ef:f6:
-         94:74:54:1e:96:4a:a8:f6:0d:59:f7:2f:f1:26:78:f6:c7:bf:
-         68:f9:b0:7f:a5:2d:1c:7b:fc:64:25:ed:a4:bb:e6:31:44:f9:
-         d5:5f:67:4d:01:29:84:b2:f8:fa:fb:6b:52:1e:66:c3:08:6b:
-         8e:d5:ad:b9
+         0e:11:5a:b6:3c:42:28:c2:62:1d:8e:85:b9:77:f6:d0:ee:72:
+         b7:77:66:1f:6e:4e:e1:fb:d2:a9:11:81:b7:30:d2:a8:07:84:
+         4d:72:19:d1:64:e4:8d:fa:36:6f:92:0c:51:8f:d8:b0:db:f8:
+         61:6c:9c:67:0f:7a:da:8a:fe:2b:c2:72:91:10:40:e6:fb:3d:
+         e3:d8:59:bf:d4:aa:e1:e1:6d:73:91:d7:0c:5a:15:73:c7:bb:
+         b1:71:dc:be:d6:80:c9:95:54:5e:1f:6a:d2:4c:b9:4f:3c:74:
+         fb:22:4d:aa:e7:0f:bc:83:9f:61:e0:d7:77:99:cf:7f:c9:5a:
+         89:8b:eb:85:67:02:b8:59:40:3b:3d:de:b6:80:41:69:1b:d5:
+         39:8c:e8:29:1c:ec:9b:81:7e:dd:57:1d:d7:7d:d5:8e:8f:1d:
+         dc:ef:34:9b:06:ee:67:bc:da:96:1d:04:24:95:e5:99:9d:ed:
+         1d:5a:50:a1:af:bc:34:0e:e3:45:52:65:97:88:85:07:38:87:
+         fd:1c:3f:37:20:fc:05:b4:81:98:0a:35:4d:87:e9:1d:c1:6f:
+         f9:33:ad:36:04:e5:c2:e8:46:1d:d4:d6:d8:ff:a3:ef:ed:13:
+         20:9f:07:fe:cc:5d:81:7f:7a:1e:24:6b:56:27:63:53:66:de:
+         78:50:81:0e
 -----BEGIN CERTIFICATE-----
 MIIE8DCCA9igAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
-IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEw
-MjEwMTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEx
+MjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
 U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy
 bWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB
@@ -84,26 +84,26 @@ DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu
 ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv
 QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI
 KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD
-ggEBAB6P+vUy7pie7Za0qerXPAV0NkHvG4Q1aj1syVMqUPfRgNPsmbxL3YZp4JQc
-xHfJavftLA3FF6cVdSUULcYUjReXbefXOIjW37qMqirxTu8fShZa+gxQ6pixSzaX
-JCHO3ORcuq7nyyod93P/F/OdzyZOt8tcjuSeVdIA+MpTw1M/bWWqhvTx7SYedVa+
-vYD1HE5NE8MbBGG5xuJvMEQBDmPYGc6DQOnHAfJR17fNFiWT3j56fY1yHitmdpHf
-uTP6BLiMxXrv9pR0VB6WSqj2DVn3L/EmePbHv2j5sH+lLRx7/GQl7aS75jFE+dVf
-Z00BKYSy+Pr7a1IeZsMIa47Vrbk=
+ggEBAA4RWrY8QijCYh2Ohbl39tDucrd3Zh9uTuH70qkRgbcw0qgHhE1yGdFk5I36
+Nm+SDFGP2LDb+GFsnGcPetqK/ivCcpEQQOb7PePYWb/UquHhbXOR1wxaFXPHu7Fx
+3L7WgMmVVF4fatJMuU88dPsiTarnD7yDn2Hg13eZz3/JWomL64VnArhZQDs93raA
+QWkb1TmM6Ckc7JuBft1XHdd91Y6PHdzvNJsG7me82pYdBCSV5Zmd7R1aUKGvvDQO
+40VSZZeIhQc4h/0cPzcg/AW0gZgKNU2H6R3Bb/kzrTYE5cLoRh3U1tj/o+/tEyCf
+B/7MXYF/eh4ka1YnY1Nm3nhQgQ4=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 99 (0x63)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
                     bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
@@ -140,27 +140,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22220
 
     Signature Algorithm: sha256WithRSAEncryption
-         3e:31:8d:ab:e8:39:25:0a:a0:01:53:03:10:e8:f9:d9:5e:51:
-         46:da:e2:e2:60:40:7c:ec:d7:c1:54:8f:5b:a1:1f:1b:43:64:
-         f5:b3:a5:b9:d1:9d:af:45:5a:53:00:ba:f7:53:63:5c:79:b5:
-         ad:0e:b3:0b:05:b0:2e:c7:ca:1f:52:13:47:38:9b:d0:cd:b5:
-         19:c1:f7:e6:1d:14:9b:81:8b:e7:ef:d9:70:32:b0:f1:96:b6:
-         ff:fe:fd:83:e7:fe:74:55:12:e4:93:3f:e3:54:7e:d3:d3:11:
-         ae:d4:e8:9b:70:97:64:7f:12:f3:38:26:62:38:c6:43:42:3b:
-         ea:87:67:80:e5:18:c5:28:54:f9:d3:33:4a:b9:33:1e:7c:45:
-         7a:e9:64:0f:50:fe:6d:b0:a3:aa:c4:98:7d:ef:53:2c:d1:0e:
-         d3:8b:2b:f3:3d:a4:df:26:50:b4:8b:ac:64:00:89:7b:5a:fb:
-         4f:b8:d3:f4:53:63:bd:e8:45:cc:2c:55:25:61:92:ff:41:b7:
-         27:6a:16:43:ff:0a:26:50:ef:31:9d:4f:6f:6e:ea:bd:1d:70:
-         69:c9:1f:ba:70:bf:b2:1d:4a:7d:57:d7:9e:a1:e8:86:34:e3:
-         fa:ee:3f:26:20:12:f5:15:83:53:a0:91:5d:a9:36:b3:02:a3:
-         42:94:c9:65
+         47:c1:c3:44:7c:3a:d0:65:5b:74:2c:63:3f:73:84:e5:6b:d9:
+         e7:45:33:0f:6a:80:49:2d:8f:23:92:b6:ef:22:e6:d5:07:4c:
+         c7:05:e0:d9:d5:29:b0:bf:a4:9f:b5:fa:c7:d5:79:aa:3f:2e:
+         9b:7d:c2:57:dc:41:cb:d7:63:27:28:8d:13:77:67:63:82:3d:
+         85:1a:06:7e:f9:4d:7c:3a:ca:b5:dd:50:b1:be:5f:d3:8c:0f:
+         73:90:5c:79:0f:c9:86:d4:fd:4b:fc:3e:8c:01:55:1b:2f:33:
+         6d:88:6e:0f:bd:21:38:64:96:7d:2d:95:9e:98:51:77:56:39:
+         6b:a8:2f:e0:9f:16:a4:1d:17:67:23:a3:8b:4f:1a:71:05:f0:
+         eb:e0:a7:7a:8f:ab:9f:f4:81:a8:12:f8:09:a3:f7:83:22:8c:
+         36:5d:45:7f:61:ea:9c:68:96:94:7b:d4:4d:8b:73:d0:65:20:
+         63:cf:75:9d:96:a2:bf:23:f3:2d:60:61:e5:7d:b3:2e:1b:11:
+         01:33:d6:58:6d:b2:c8:d2:5a:78:3a:df:56:fd:15:ac:13:33:
+         62:ce:ba:99:85:7c:00:05:69:d0:fd:ad:87:e5:4d:d3:16:43:
+         44:a6:49:84:74:c7:ea:f0:24:50:c9:c9:4a:5d:d8:be:66:fe:
+         00:47:3f:c0
 -----BEGIN CERTIFICATE-----
 MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
-IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEw
-MjEwMTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEx
+MjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
 U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
 Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
@@ -176,11 +176,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
 EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
 DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
 b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
-aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAPjGNq+g5
-JQqgAVMDEOj52V5RRtri4mBAfOzXwVSPW6EfG0Nk9bOludGdr0VaUwC691NjXHm1
-rQ6zCwWwLsfKH1ITRzib0M21GcH35h0Um4GL5+/ZcDKw8Za2//79g+f+dFUS5JM/
-41R+09MRrtTom3CXZH8S8zgmYjjGQ0I76odngOUYxShU+dMzSrkzHnxFeulkD1D+
-bbCjqsSYfe9TLNEO04sr8z2k3yZQtIusZACJe1r7T7jT9FNjvehFzCxVJWGS/0G3
-J2oWQ/8KJlDvMZ1Pb27qvR1wackfunC/sh1KfVfXnqHohjTj+u4/JiAS9RWDU6CR
-Xak2swKjQpTJZQ==
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAR8HDRHw6
+0GVbdCxjP3OE5WvZ50UzD2qASS2PI5K27yLm1QdMxwXg2dUpsL+kn7X6x9V5qj8u
+m33CV9xBy9djJyiNE3dnY4I9hRoGfvlNfDrKtd1Qsb5f04wPc5BceQ/JhtT9S/w+
+jAFVGy8zbYhuD70hOGSWfS2VnphRd1Y5a6gv4J8WpB0XZyOji08acQXw6+Cneo+r
+n/SBqBL4CaP3gyKMNl1Ff2HqnGiWlHvUTYtz0GUgY891nZaivyPzLWBh5X2zLhsR
+ATPWWG2yyNJaeDrfVv0VrBMzYs66mYV8AAVp0P2th+VN0xZDRKZJhHTH6vAkUMnJ
+Sl3Yvmb+AEc/wA==
 -----END CERTIFICATE-----
diff --git a/certs/ocsp/intermediate2-ca-cert.pem b/certs/ocsp/intermediate2-ca-cert.pem
index 243782ed2..c01f1497b 100644
--- a/certs/ocsp/intermediate2-ca-cert.pem
+++ b/certs/ocsp/intermediate2-ca-cert.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 2 (0x2)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL intermediate CA 2, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d0:20:3c:35:19:6f:2c:44:b4:7e:42:c7:75:b4:
                     6a:2b:a9:23:85:bf:87:b4:ee:ca:d7:4b:1f:31:d7:
@@ -47,27 +47,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22220
 
     Signature Algorithm: sha256WithRSAEncryption
-         0c:13:dc:c2:28:a2:be:bb:0b:8e:29:28:aa:7a:99:04:e5:88:
-         c6:67:7e:8d:3f:8a:68:3a:7f:c5:e2:d0:ed:c9:95:4c:40:f2:
-         7a:87:73:17:fb:f8:c4:bf:1b:ff:54:be:33:6d:15:e3:4f:70:
-         f4:60:27:b2:67:cd:0e:0f:2a:81:ee:dc:9d:48:37:74:8a:4c:
-         11:47:23:f0:5d:7c:c1:78:70:1d:c1:87:db:26:b0:86:a8:42:
-         3d:87:87:43:e7:d9:3a:a8:5c:c5:66:a4:d5:4e:9b:d9:44:b2:
-         41:30:10:94:3b:fd:00:dc:02:63:05:d7:a1:75:ad:54:28:9e:
-         e4:07:3c:af:68:89:9b:71:96:21:ff:d6:4e:1d:d0:02:d5:21:
-         7d:ae:d8:07:96:6c:1f:ca:a5:ef:54:13:92:be:3c:7d:c0:65:
-         bf:5c:bb:ff:46:c2:69:0f:4c:29:70:6d:b7:52:d5:ed:9e:e4:
-         89:dc:41:0d:0a:94:bc:69:b3:dc:8a:a9:45:25:f1:2c:9b:5b:
-         85:bc:69:fb:94:31:05:2c:17:fa:78:28:36:78:7f:f9:0c:4f:
-         22:36:05:fe:bf:59:9d:5d:1f:9a:5e:8e:d8:1d:62:4d:d6:2d:
-         73:d6:26:c1:a5:bc:e3:62:81:fc:1e:cb:7f:3e:c3:00:c9:b0:
-         e0:c6:1f:c3
+         33:da:33:9a:28:e3:e7:b0:25:c2:d9:94:9d:7e:46:98:3d:ac:
+         08:f4:30:15:04:e0:fc:e2:4a:19:f1:0e:82:07:59:43:cd:0c:
+         b5:0c:55:2c:01:d2:78:22:e3:cd:38:75:13:36:ce:66:7b:17:
+         86:ac:a3:98:e5:36:ae:37:4d:77:e6:02:e1:d8:77:d4:53:96:
+         74:57:ca:6a:40:a3:de:38:e2:70:21:72:be:43:72:69:a1:d7:
+         fb:6d:7a:d3:db:5a:21:aa:d1:d3:7e:e4:76:54:3b:d3:19:68:
+         7e:61:96:46:4f:de:d5:fe:f4:3b:8d:1c:24:b2:cb:4c:ff:8f:
+         ec:6a:13:28:ef:53:3b:12:f5:67:e1:d7:93:d2:eb:39:1d:72:
+         13:79:a0:63:70:12:51:67:0d:d7:d2:4d:37:c3:fc:4d:ed:45:
+         76:33:0e:82:af:d5:49:b8:f6:2f:fe:0e:93:d3:b7:6a:ab:e6:
+         e3:11:4f:04:50:5f:f8:13:4a:30:82:f4:56:c0:1d:ed:de:19:
+         2c:62:a3:f2:1b:6a:8b:a1:b5:1a:cb:0a:e6:3c:b4:67:1a:2a:
+         82:b4:78:a8:5f:a0:5d:22:34:dc:1c:3c:a8:77:6f:23:e0:6f:
+         b7:3e:36:52:21:64:89:1e:50:85:59:a7:cf:2b:f5:13:37:26:
+         62:27:85:34
 -----BEGIN CERTIFICATE-----
 MIIE8DCCA9igAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
-IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEw
-MjEwMTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEx
+MjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
 U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy
 bWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB
@@ -84,26 +84,26 @@ DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu
 ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv
 QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI
 KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD
-ggEBAAwT3MIoor67C44pKKp6mQTliMZnfo0/img6f8Xi0O3JlUxA8nqHcxf7+MS/
-G/9UvjNtFeNPcPRgJ7JnzQ4PKoHu3J1IN3SKTBFHI/BdfMF4cB3Bh9smsIaoQj2H
-h0Pn2TqoXMVmpNVOm9lEskEwEJQ7/QDcAmMF16F1rVQonuQHPK9oiZtxliH/1k4d
-0ALVIX2u2AeWbB/Kpe9UE5K+PH3AZb9cu/9GwmkPTClwbbdS1e2e5IncQQ0KlLxp
-s9yKqUUl8SybW4W8afuUMQUsF/p4KDZ4f/kMTyI2Bf6/WZ1dH5pejtgdYk3WLXPW
-JsGlvONigfwey38+wwDJsODGH8M=
+ggEBADPaM5oo4+ewJcLZlJ1+Rpg9rAj0MBUE4PziShnxDoIHWUPNDLUMVSwB0ngi
+4804dRM2zmZ7F4aso5jlNq43TXfmAuHYd9RTlnRXympAo9444nAhcr5Dcmmh1/tt
+etPbWiGq0dN+5HZUO9MZaH5hlkZP3tX+9DuNHCSyy0z/j+xqEyjvUzsS9Wfh15PS
+6zkdchN5oGNwElFnDdfSTTfD/E3tRXYzDoKv1Um49i/+DpPTt2qr5uMRTwRQX/gT
+SjCC9FbAHe3eGSxio/IbaouhtRrLCuY8tGcaKoK0eKhfoF0iNNwcPKh3byPgb7c+
+NlIhZIkeUIVZp88r9RM3JmInhTQ=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 99 (0x63)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
                     bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
@@ -140,27 +140,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22220
 
     Signature Algorithm: sha256WithRSAEncryption
-         3e:31:8d:ab:e8:39:25:0a:a0:01:53:03:10:e8:f9:d9:5e:51:
-         46:da:e2:e2:60:40:7c:ec:d7:c1:54:8f:5b:a1:1f:1b:43:64:
-         f5:b3:a5:b9:d1:9d:af:45:5a:53:00:ba:f7:53:63:5c:79:b5:
-         ad:0e:b3:0b:05:b0:2e:c7:ca:1f:52:13:47:38:9b:d0:cd:b5:
-         19:c1:f7:e6:1d:14:9b:81:8b:e7:ef:d9:70:32:b0:f1:96:b6:
-         ff:fe:fd:83:e7:fe:74:55:12:e4:93:3f:e3:54:7e:d3:d3:11:
-         ae:d4:e8:9b:70:97:64:7f:12:f3:38:26:62:38:c6:43:42:3b:
-         ea:87:67:80:e5:18:c5:28:54:f9:d3:33:4a:b9:33:1e:7c:45:
-         7a:e9:64:0f:50:fe:6d:b0:a3:aa:c4:98:7d:ef:53:2c:d1:0e:
-         d3:8b:2b:f3:3d:a4:df:26:50:b4:8b:ac:64:00:89:7b:5a:fb:
-         4f:b8:d3:f4:53:63:bd:e8:45:cc:2c:55:25:61:92:ff:41:b7:
-         27:6a:16:43:ff:0a:26:50:ef:31:9d:4f:6f:6e:ea:bd:1d:70:
-         69:c9:1f:ba:70:bf:b2:1d:4a:7d:57:d7:9e:a1:e8:86:34:e3:
-         fa:ee:3f:26:20:12:f5:15:83:53:a0:91:5d:a9:36:b3:02:a3:
-         42:94:c9:65
+         47:c1:c3:44:7c:3a:d0:65:5b:74:2c:63:3f:73:84:e5:6b:d9:
+         e7:45:33:0f:6a:80:49:2d:8f:23:92:b6:ef:22:e6:d5:07:4c:
+         c7:05:e0:d9:d5:29:b0:bf:a4:9f:b5:fa:c7:d5:79:aa:3f:2e:
+         9b:7d:c2:57:dc:41:cb:d7:63:27:28:8d:13:77:67:63:82:3d:
+         85:1a:06:7e:f9:4d:7c:3a:ca:b5:dd:50:b1:be:5f:d3:8c:0f:
+         73:90:5c:79:0f:c9:86:d4:fd:4b:fc:3e:8c:01:55:1b:2f:33:
+         6d:88:6e:0f:bd:21:38:64:96:7d:2d:95:9e:98:51:77:56:39:
+         6b:a8:2f:e0:9f:16:a4:1d:17:67:23:a3:8b:4f:1a:71:05:f0:
+         eb:e0:a7:7a:8f:ab:9f:f4:81:a8:12:f8:09:a3:f7:83:22:8c:
+         36:5d:45:7f:61:ea:9c:68:96:94:7b:d4:4d:8b:73:d0:65:20:
+         63:cf:75:9d:96:a2:bf:23:f3:2d:60:61:e5:7d:b3:2e:1b:11:
+         01:33:d6:58:6d:b2:c8:d2:5a:78:3a:df:56:fd:15:ac:13:33:
+         62:ce:ba:99:85:7c:00:05:69:d0:fd:ad:87:e5:4d:d3:16:43:
+         44:a6:49:84:74:c7:ea:f0:24:50:c9:c9:4a:5d:d8:be:66:fe:
+         00:47:3f:c0
 -----BEGIN CERTIFICATE-----
 MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
-IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEw
-MjEwMTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEx
+MjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
 U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
 Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
@@ -176,11 +176,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
 EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
 DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
 b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
-aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAPjGNq+g5
-JQqgAVMDEOj52V5RRtri4mBAfOzXwVSPW6EfG0Nk9bOludGdr0VaUwC691NjXHm1
-rQ6zCwWwLsfKH1ITRzib0M21GcH35h0Um4GL5+/ZcDKw8Za2//79g+f+dFUS5JM/
-41R+09MRrtTom3CXZH8S8zgmYjjGQ0I76odngOUYxShU+dMzSrkzHnxFeulkD1D+
-bbCjqsSYfe9TLNEO04sr8z2k3yZQtIusZACJe1r7T7jT9FNjvehFzCxVJWGS/0G3
-J2oWQ/8KJlDvMZ1Pb27qvR1wackfunC/sh1KfVfXnqHohjTj+u4/JiAS9RWDU6CR
-Xak2swKjQpTJZQ==
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAR8HDRHw6
+0GVbdCxjP3OE5WvZ50UzD2qASS2PI5K27yLm1QdMxwXg2dUpsL+kn7X6x9V5qj8u
+m33CV9xBy9djJyiNE3dnY4I9hRoGfvlNfDrKtd1Qsb5f04wPc5BceQ/JhtT9S/w+
+jAFVGy8zbYhuD70hOGSWfS2VnphRd1Y5a6gv4J8WpB0XZyOji08acQXw6+Cneo+r
+n/SBqBL4CaP3gyKMNl1Ff2HqnGiWlHvUTYtz0GUgY891nZaivyPzLWBh5X2zLhsR
+ATPWWG2yyNJaeDrfVv0VrBMzYs66mYV8AAVp0P2th+VN0xZDRKZJhHTH6vAkUMnJ
+Sl3Yvmb+AEc/wA==
 -----END CERTIFICATE-----
diff --git a/certs/ocsp/intermediate3-ca-cert.pem b/certs/ocsp/intermediate3-ca-cert.pem
index d9971e437..4ebee880d 100644
--- a/certs/ocsp/intermediate3-ca-cert.pem
+++ b/certs/ocsp/intermediate3-ca-cert.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 3 (0x3)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL REVOKED intermediate CA, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:de:c5:04:10:7d:c2:21:e9:12:45:da:d5:ba:28:
                     fd:a6:f4:30:44:a0:df:f9:70:5e:17:26:97:59:5c:
@@ -47,27 +47,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22220
 
     Signature Algorithm: sha256WithRSAEncryption
-         9d:2f:66:43:34:cc:a4:d7:ae:09:81:ec:ca:bf:9e:e0:d6:28:
-         a0:25:63:5e:16:0a:e9:60:2c:c1:e6:36:5d:92:f0:7c:4a:22:
-         10:94:9b:1a:c6:8f:c3:a9:bb:69:53:b8:aa:30:91:c5:32:19:
-         35:7a:3e:86:af:f9:39:74:44:6e:5c:39:f6:b6:62:0c:33:8e:
-         f6:b9:d2:a7:e0:22:df:a3:4f:48:e4:04:f1:f7:20:f5:36:55:
-         a1:3d:08:ae:a9:12:eb:a8:97:59:6f:a0:b8:f0:ab:73:22:01:
-         cc:cc:96:29:ae:5f:46:ac:4e:47:1a:b9:8d:06:7e:88:67:5e:
-         16:12:64:37:85:2a:d8:f3:27:cd:fa:86:fc:84:4b:51:3a:f1:
-         c7:1a:27:8d:54:49:e6:cb:82:bb:7c:b3:3f:2f:10:d5:3a:74:
-         e5:36:7b:b5:c4:58:a4:48:35:af:35:ad:3d:44:74:44:83:99:
-         d0:a1:c6:2f:5f:f3:58:1a:33:2f:6c:4e:8e:44:ce:2a:ba:e9:
-         c6:7d:9f:22:12:44:05:38:f7:87:54:4d:8d:ac:72:1c:5a:2a:
-         74:9d:3b:30:31:d6:a9:39:d4:d6:0e:63:f8:46:07:ab:7f:01:
-         31:cc:85:91:72:10:37:94:c4:ec:f9:9d:7f:81:25:cb:ce:55:
-         48:85:86:2e
+         4f:75:6b:7a:dc:f9:b0:8a:03:c2:b6:7b:d8:b7:39:d2:97:35:
+         5b:b7:f7:fa:01:a5:a4:a8:e6:33:ef:99:1f:c4:36:6b:9a:f4:
+         50:8f:70:9a:c8:82:6d:fd:28:80:45:eb:13:60:cb:67:81:29:
+         f3:63:c5:8b:4a:96:a6:62:62:24:86:ad:f3:6b:49:a9:e1:9b:
+         8c:cd:fa:b5:53:1b:fb:0d:a1:c4:e2:b7:64:b4:50:18:8b:aa:
+         84:21:0f:26:e0:c7:0f:b2:4e:1e:70:14:0d:e9:1e:e2:b7:a0:
+         d6:4f:e8:ed:77:cd:bc:dd:63:3c:cf:67:4b:27:b5:f1:91:b7:
+         c2:7a:0a:ca:3a:87:7a:f4:50:8a:6a:19:f7:f6:a0:c1:76:78:
+         d9:27:c1:33:10:02:1c:96:ae:d5:ca:f8:08:15:cc:2a:64:b6:
+         37:cf:05:37:4b:c5:f3:8a:ef:b2:cb:07:b5:04:48:c9:c5:00:
+         05:8f:f6:fc:3b:89:6a:57:f6:15:ea:93:85:8b:0a:e7:71:0e:
+         32:fa:90:4a:74:6f:71:25:f1:c5:5a:1d:5e:10:e0:25:43:3f:
+         8d:76:d4:f5:70:68:50:76:20:d7:f1:4e:eb:75:06:f7:81:20:
+         19:5c:03:cb:25:fe:36:93:6c:68:16:e0:64:c9:86:47:5c:44:
+         b3:96:6b:e9
 -----BEGIN CERTIFICATE-----
 MIIE9jCCA96gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
-IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEw
-MjEwMTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBpzELMAkGA1UEBhMCVVMxEzARBgNV
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEx
+MjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBpzELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
 U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NMIFJFVk9L
 RUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
@@ -84,26 +84,26 @@ DgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdp
 bmVlcmluZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkB
 FhBpbmZvQHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQm
 MCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcN
-AQELBQADggEBAJ0vZkM0zKTXrgmB7Mq/nuDWKKAlY14WCulgLMHmNl2S8HxKIhCU
-mxrGj8Opu2lTuKowkcUyGTV6Poav+Tl0RG5cOfa2Ygwzjva50qfgIt+jT0jkBPH3
-IPU2VaE9CK6pEuuol1lvoLjwq3MiAczMlimuX0asTkcauY0GfohnXhYSZDeFKtjz
-J836hvyES1E68ccaJ41USebLgrt8sz8vENU6dOU2e7XEWKRINa81rT1EdESDmdCh
-xi9f81gaMy9sTo5Eziq66cZ9nyISRAU494dUTY2schxaKnSdOzAx1qk51NYOY/hG
-B6t/ATHMhZFyEDeUxOz5nX+BJcvOVUiFhi4=
+AQELBQADggEBAE91a3rc+bCKA8K2e9i3OdKXNVu39/oBpaSo5jPvmR/ENmua9FCP
+cJrIgm39KIBF6xNgy2eBKfNjxYtKlqZiYiSGrfNrSanhm4zN+rVTG/sNocTit2S0
+UBiLqoQhDybgxw+yTh5wFA3pHuK3oNZP6O13zbzdYzzPZ0sntfGRt8J6Cso6h3r0
+UIpqGff2oMF2eNknwTMQAhyWrtXK+AgVzCpktjfPBTdLxfOK77LLB7UESMnFAAWP
+9vw7iWpX9hXqk4WLCudxDjL6kEp0b3El8cVaHV4Q4CVDP4121PVwaFB2INfxTut1
+BveBIBlcA8sl/jaTbGgW4GTJhkdcRLOWa+k=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 99 (0x63)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
                     bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
@@ -140,27 +140,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22220
 
     Signature Algorithm: sha256WithRSAEncryption
-         3e:31:8d:ab:e8:39:25:0a:a0:01:53:03:10:e8:f9:d9:5e:51:
-         46:da:e2:e2:60:40:7c:ec:d7:c1:54:8f:5b:a1:1f:1b:43:64:
-         f5:b3:a5:b9:d1:9d:af:45:5a:53:00:ba:f7:53:63:5c:79:b5:
-         ad:0e:b3:0b:05:b0:2e:c7:ca:1f:52:13:47:38:9b:d0:cd:b5:
-         19:c1:f7:e6:1d:14:9b:81:8b:e7:ef:d9:70:32:b0:f1:96:b6:
-         ff:fe:fd:83:e7:fe:74:55:12:e4:93:3f:e3:54:7e:d3:d3:11:
-         ae:d4:e8:9b:70:97:64:7f:12:f3:38:26:62:38:c6:43:42:3b:
-         ea:87:67:80:e5:18:c5:28:54:f9:d3:33:4a:b9:33:1e:7c:45:
-         7a:e9:64:0f:50:fe:6d:b0:a3:aa:c4:98:7d:ef:53:2c:d1:0e:
-         d3:8b:2b:f3:3d:a4:df:26:50:b4:8b:ac:64:00:89:7b:5a:fb:
-         4f:b8:d3:f4:53:63:bd:e8:45:cc:2c:55:25:61:92:ff:41:b7:
-         27:6a:16:43:ff:0a:26:50:ef:31:9d:4f:6f:6e:ea:bd:1d:70:
-         69:c9:1f:ba:70:bf:b2:1d:4a:7d:57:d7:9e:a1:e8:86:34:e3:
-         fa:ee:3f:26:20:12:f5:15:83:53:a0:91:5d:a9:36:b3:02:a3:
-         42:94:c9:65
+         47:c1:c3:44:7c:3a:d0:65:5b:74:2c:63:3f:73:84:e5:6b:d9:
+         e7:45:33:0f:6a:80:49:2d:8f:23:92:b6:ef:22:e6:d5:07:4c:
+         c7:05:e0:d9:d5:29:b0:bf:a4:9f:b5:fa:c7:d5:79:aa:3f:2e:
+         9b:7d:c2:57:dc:41:cb:d7:63:27:28:8d:13:77:67:63:82:3d:
+         85:1a:06:7e:f9:4d:7c:3a:ca:b5:dd:50:b1:be:5f:d3:8c:0f:
+         73:90:5c:79:0f:c9:86:d4:fd:4b:fc:3e:8c:01:55:1b:2f:33:
+         6d:88:6e:0f:bd:21:38:64:96:7d:2d:95:9e:98:51:77:56:39:
+         6b:a8:2f:e0:9f:16:a4:1d:17:67:23:a3:8b:4f:1a:71:05:f0:
+         eb:e0:a7:7a:8f:ab:9f:f4:81:a8:12:f8:09:a3:f7:83:22:8c:
+         36:5d:45:7f:61:ea:9c:68:96:94:7b:d4:4d:8b:73:d0:65:20:
+         63:cf:75:9d:96:a2:bf:23:f3:2d:60:61:e5:7d:b3:2e:1b:11:
+         01:33:d6:58:6d:b2:c8:d2:5a:78:3a:df:56:fd:15:ac:13:33:
+         62:ce:ba:99:85:7c:00:05:69:d0:fd:ad:87:e5:4d:d3:16:43:
+         44:a6:49:84:74:c7:ea:f0:24:50:c9:c9:4a:5d:d8:be:66:fe:
+         00:47:3f:c0
 -----BEGIN CERTIFICATE-----
 MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
-IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEw
-MjEwMTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEx
+MjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
 U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
 Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
@@ -176,11 +176,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
 EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
 DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
 b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
-aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAPjGNq+g5
-JQqgAVMDEOj52V5RRtri4mBAfOzXwVSPW6EfG0Nk9bOludGdr0VaUwC691NjXHm1
-rQ6zCwWwLsfKH1ITRzib0M21GcH35h0Um4GL5+/ZcDKw8Za2//79g+f+dFUS5JM/
-41R+09MRrtTom3CXZH8S8zgmYjjGQ0I76odngOUYxShU+dMzSrkzHnxFeulkD1D+
-bbCjqsSYfe9TLNEO04sr8z2k3yZQtIusZACJe1r7T7jT9FNjvehFzCxVJWGS/0G3
-J2oWQ/8KJlDvMZ1Pb27qvR1wackfunC/sh1KfVfXnqHohjTj+u4/JiAS9RWDU6CR
-Xak2swKjQpTJZQ==
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAR8HDRHw6
+0GVbdCxjP3OE5WvZ50UzD2qASS2PI5K27yLm1QdMxwXg2dUpsL+kn7X6x9V5qj8u
+m33CV9xBy9djJyiNE3dnY4I9hRoGfvlNfDrKtd1Qsb5f04wPc5BceQ/JhtT9S/w+
+jAFVGy8zbYhuD70hOGSWfS2VnphRd1Y5a6gv4J8WpB0XZyOji08acQXw6+Cneo+r
+n/SBqBL4CaP3gyKMNl1Ff2HqnGiWlHvUTYtz0GUgY891nZaivyPzLWBh5X2zLhsR
+ATPWWG2yyNJaeDrfVv0VrBMzYs66mYV8AAVp0P2th+VN0xZDRKZJhHTH6vAkUMnJ
+Sl3Yvmb+AEc/wA==
 -----END CERTIFICATE-----
diff --git a/certs/ocsp/ocsp-responder-cert.pem b/certs/ocsp/ocsp-responder-cert.pem
index b7e5a6753..c8478f3e8 100644
--- a/certs/ocsp/ocsp-responder-cert.pem
+++ b/certs/ocsp/ocsp-responder-cert.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 4 (0x4)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL OCSP Responder/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL OCSP Responder, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:b8:ba:23:b4:f6:c3:7b:14:c3:a4:f5:1d:61:a1:
                     f5:1e:63:b9:85:23:34:50:6d:f8:7c:a2:8a:04:8b:
@@ -44,27 +44,27 @@ Certificate:
             X509v3 Extended Key Usage: 
                 OCSP Signing
     Signature Algorithm: sha256WithRSAEncryption
-         07:ca:a6:a1:9f:bf:af:92:41:35:66:51:ac:bc:2c:ec:e7:8d:
-         65:7e:e9:40:fe:5a:ab:8a:1d:3d:13:db:b4:43:2c:9a:36:98:
-         21:a5:e8:ca:a9:4d:fc:e3:f7:45:88:cd:33:bf:8a:62:10:2f:
-         b2:b7:04:ef:26:43:51:1d:43:62:7d:1e:50:c8:d5:98:94:71:
-         8f:3b:23:26:f1:71:8e:1e:3d:3f:21:fd:b7:2d:65:e4:07:65:
-         ac:3c:fc:c0:47:a9:32:f6:da:26:93:10:b2:d1:6d:c8:81:31:
-         7c:b0:6b:c5:22:8d:b3:fa:be:82:ea:41:42:c4:c0:ef:e3:84:
-         0f:6f:9a:03:63:b3:30:e0:31:81:2a:16:b3:47:d9:5b:38:93:
-         07:d0:6e:79:52:2c:e5:50:84:79:10:e7:f6:31:7a:3e:48:a2:
-         38:21:90:7a:f2:5f:48:a4:46:93:87:dd:5c:83:64:ea:b5:99:
-         a2:e9:01:40:fe:f0:48:66:4f:96:f7:83:52:f8:6d:f8:5f:ed:
-         0c:bb:be:d0:69:10:4b:99:8f:f8:61:53:9d:12:ca:86:aa:b1:
-         80:b4:a6:c1:cb:b7:48:f7:9f:55:b4:6e:ab:d3:a1:aa:4b:a7:
-         21:6e:16:7f:ad:bb:ea:0f:41:80:9b:7f:d6:46:a2:c0:61:72:
-         59:59:a0:07
+         59:f9:27:0e:01:0a:bc:99:65:c1:32:bc:90:f8:12:32:a1:9f:
+         00:4b:33:d0:b4:54:fb:8e:13:e8:ab:79:bd:f0:9f:47:e1:88:
+         88:b3:e2:84:f5:6f:0e:49:8e:76:92:72:0b:32:c1:42:34:1f:
+         f5:bd:bc:1e:df:60:45:bb:7e:4c:78:b8:a3:53:be:b1:a8:ab:
+         97:36:1e:22:be:f4:7d:2c:98:d9:ae:0e:7c:0b:9c:e0:4c:29:
+         72:8c:1d:bd:32:6b:f9:42:d9:14:d7:4b:c0:30:97:39:a7:54:
+         6f:67:27:ca:9d:f0:c4:03:fb:34:16:6f:c2:d4:a7:d5:55:ac:
+         a7:ce:dd:fc:66:67:f3:b7:79:c6:b1:a6:c8:22:ad:84:43:c2:
+         0e:4d:a0:1f:58:24:45:21:c0:f7:68:11:49:dd:72:9c:77:3c:
+         4d:ee:cd:d1:86:e7:1c:ae:62:72:4d:a6:ae:56:2c:f8:48:68:
+         54:de:d5:68:10:3b:97:bd:f6:1f:74:98:5f:11:a9:60:b8:53:
+         75:31:37:e1:75:77:9b:e3:76:ed:b5:c7:00:35:4e:24:6a:70:
+         d9:5c:aa:0b:76:07:65:a1:08:fc:ac:76:0c:a5:c5:65:a2:50:
+         55:d7:d6:6a:0e:95:09:8d:35:bd:f4:fc:e6:12:77:70:98:f0:
+         5d:92:d1:30
 -----BEGIN CERTIFICATE-----
 MIIEvjCCA6agAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
-IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEw
-MjEwMTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBnjELMAkGA1UEBhMCVVMxEzARBgNV
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEx
+MjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBnjELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
 U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMR8wHQYDVQQDDBZ3b2xmU1NMIE9DU1Ag
 UmVzcG9uZGVyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN
@@ -80,26 +80,26 @@ CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0
 dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEYMBYG
 A1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZz
 c2wuY29tggFjMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IB
-AQAHyqahn7+vkkE1ZlGsvCzs541lfulA/lqrih09E9u0QyyaNpghpejKqU384/dF
-iM0zv4piEC+ytwTvJkNRHUNifR5QyNWYlHGPOyMm8XGOHj0/If23LWXkB2WsPPzA
-R6ky9tomkxCy0W3IgTF8sGvFIo2z+r6C6kFCxMDv44QPb5oDY7Mw4DGBKhazR9lb
-OJMH0G55UizlUIR5EOf2MXo+SKI4IZB68l9IpEaTh91cg2TqtZmi6QFA/vBIZk+W
-94NS+G34X+0Mu77QaRBLmY/4YVOdEsqGqrGAtKbBy7dI959VtG6r06GqS6chbhZ/
-rbvqD0GAm3/WRqLAYXJZWaAH
+AQBZ+ScOAQq8mWXBMryQ+BIyoZ8ASzPQtFT7jhPoq3m98J9H4YiIs+KE9W8OSY52
+knILMsFCNB/1vbwe32BFu35MeLijU76xqKuXNh4ivvR9LJjZrg58C5zgTClyjB29
+Mmv5QtkU10vAMJc5p1RvZyfKnfDEA/s0Fm/C1KfVVaynzt38Zmfzt3nGsabIIq2E
+Q8IOTaAfWCRFIcD3aBFJ3XKcdzxN7s3RhuccrmJyTaauViz4SGhU3tVoEDuXvfYf
+dJhfEalguFN1MTfhdXeb43bttccANU4kanDZXKoLdgdloQj8rHYMpcVlolBV19Zq
+DpUJjTW99PzmEndwmPBdktEw
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 99 (0x63)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
                     bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
@@ -136,27 +136,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22220
 
     Signature Algorithm: sha256WithRSAEncryption
-         3e:31:8d:ab:e8:39:25:0a:a0:01:53:03:10:e8:f9:d9:5e:51:
-         46:da:e2:e2:60:40:7c:ec:d7:c1:54:8f:5b:a1:1f:1b:43:64:
-         f5:b3:a5:b9:d1:9d:af:45:5a:53:00:ba:f7:53:63:5c:79:b5:
-         ad:0e:b3:0b:05:b0:2e:c7:ca:1f:52:13:47:38:9b:d0:cd:b5:
-         19:c1:f7:e6:1d:14:9b:81:8b:e7:ef:d9:70:32:b0:f1:96:b6:
-         ff:fe:fd:83:e7:fe:74:55:12:e4:93:3f:e3:54:7e:d3:d3:11:
-         ae:d4:e8:9b:70:97:64:7f:12:f3:38:26:62:38:c6:43:42:3b:
-         ea:87:67:80:e5:18:c5:28:54:f9:d3:33:4a:b9:33:1e:7c:45:
-         7a:e9:64:0f:50:fe:6d:b0:a3:aa:c4:98:7d:ef:53:2c:d1:0e:
-         d3:8b:2b:f3:3d:a4:df:26:50:b4:8b:ac:64:00:89:7b:5a:fb:
-         4f:b8:d3:f4:53:63:bd:e8:45:cc:2c:55:25:61:92:ff:41:b7:
-         27:6a:16:43:ff:0a:26:50:ef:31:9d:4f:6f:6e:ea:bd:1d:70:
-         69:c9:1f:ba:70:bf:b2:1d:4a:7d:57:d7:9e:a1:e8:86:34:e3:
-         fa:ee:3f:26:20:12:f5:15:83:53:a0:91:5d:a9:36:b3:02:a3:
-         42:94:c9:65
+         47:c1:c3:44:7c:3a:d0:65:5b:74:2c:63:3f:73:84:e5:6b:d9:
+         e7:45:33:0f:6a:80:49:2d:8f:23:92:b6:ef:22:e6:d5:07:4c:
+         c7:05:e0:d9:d5:29:b0:bf:a4:9f:b5:fa:c7:d5:79:aa:3f:2e:
+         9b:7d:c2:57:dc:41:cb:d7:63:27:28:8d:13:77:67:63:82:3d:
+         85:1a:06:7e:f9:4d:7c:3a:ca:b5:dd:50:b1:be:5f:d3:8c:0f:
+         73:90:5c:79:0f:c9:86:d4:fd:4b:fc:3e:8c:01:55:1b:2f:33:
+         6d:88:6e:0f:bd:21:38:64:96:7d:2d:95:9e:98:51:77:56:39:
+         6b:a8:2f:e0:9f:16:a4:1d:17:67:23:a3:8b:4f:1a:71:05:f0:
+         eb:e0:a7:7a:8f:ab:9f:f4:81:a8:12:f8:09:a3:f7:83:22:8c:
+         36:5d:45:7f:61:ea:9c:68:96:94:7b:d4:4d:8b:73:d0:65:20:
+         63:cf:75:9d:96:a2:bf:23:f3:2d:60:61:e5:7d:b3:2e:1b:11:
+         01:33:d6:58:6d:b2:c8:d2:5a:78:3a:df:56:fd:15:ac:13:33:
+         62:ce:ba:99:85:7c:00:05:69:d0:fd:ad:87:e5:4d:d3:16:43:
+         44:a6:49:84:74:c7:ea:f0:24:50:c9:c9:4a:5d:d8:be:66:fe:
+         00:47:3f:c0
 -----BEGIN CERTIFICATE-----
 MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
-IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEw
-MjEwMTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEx
+MjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
 U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
 Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
@@ -172,11 +172,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
 EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
 DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
 b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
-aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAPjGNq+g5
-JQqgAVMDEOj52V5RRtri4mBAfOzXwVSPW6EfG0Nk9bOludGdr0VaUwC691NjXHm1
-rQ6zCwWwLsfKH1ITRzib0M21GcH35h0Um4GL5+/ZcDKw8Za2//79g+f+dFUS5JM/
-41R+09MRrtTom3CXZH8S8zgmYjjGQ0I76odngOUYxShU+dMzSrkzHnxFeulkD1D+
-bbCjqsSYfe9TLNEO04sr8z2k3yZQtIusZACJe1r7T7jT9FNjvehFzCxVJWGS/0G3
-J2oWQ/8KJlDvMZ1Pb27qvR1wackfunC/sh1KfVfXnqHohjTj+u4/JiAS9RWDU6CR
-Xak2swKjQpTJZQ==
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAR8HDRHw6
+0GVbdCxjP3OE5WvZ50UzD2qASS2PI5K27yLm1QdMxwXg2dUpsL+kn7X6x9V5qj8u
+m33CV9xBy9djJyiNE3dnY4I9hRoGfvlNfDrKtd1Qsb5f04wPc5BceQ/JhtT9S/w+
+jAFVGy8zbYhuD70hOGSWfS2VnphRd1Y5a6gv4J8WpB0XZyOji08acQXw6+Cneo+r
+n/SBqBL4CaP3gyKMNl1Ff2HqnGiWlHvUTYtz0GUgY891nZaivyPzLWBh5X2zLhsR
+ATPWWG2yyNJaeDrfVv0VrBMzYs66mYV8AAVp0P2th+VN0xZDRKZJhHTH6vAkUMnJ
+Sl3Yvmb+AEc/wA==
 -----END CERTIFICATE-----
diff --git a/certs/ocsp/root-ca-cert.pem b/certs/ocsp/root-ca-cert.pem
index 7c6de4bfc..917b114d6 100644
--- a/certs/ocsp/root-ca-cert.pem
+++ b/certs/ocsp/root-ca-cert.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 99 (0x63)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
                     bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
@@ -47,27 +47,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22220
 
     Signature Algorithm: sha256WithRSAEncryption
-         3e:31:8d:ab:e8:39:25:0a:a0:01:53:03:10:e8:f9:d9:5e:51:
-         46:da:e2:e2:60:40:7c:ec:d7:c1:54:8f:5b:a1:1f:1b:43:64:
-         f5:b3:a5:b9:d1:9d:af:45:5a:53:00:ba:f7:53:63:5c:79:b5:
-         ad:0e:b3:0b:05:b0:2e:c7:ca:1f:52:13:47:38:9b:d0:cd:b5:
-         19:c1:f7:e6:1d:14:9b:81:8b:e7:ef:d9:70:32:b0:f1:96:b6:
-         ff:fe:fd:83:e7:fe:74:55:12:e4:93:3f:e3:54:7e:d3:d3:11:
-         ae:d4:e8:9b:70:97:64:7f:12:f3:38:26:62:38:c6:43:42:3b:
-         ea:87:67:80:e5:18:c5:28:54:f9:d3:33:4a:b9:33:1e:7c:45:
-         7a:e9:64:0f:50:fe:6d:b0:a3:aa:c4:98:7d:ef:53:2c:d1:0e:
-         d3:8b:2b:f3:3d:a4:df:26:50:b4:8b:ac:64:00:89:7b:5a:fb:
-         4f:b8:d3:f4:53:63:bd:e8:45:cc:2c:55:25:61:92:ff:41:b7:
-         27:6a:16:43:ff:0a:26:50:ef:31:9d:4f:6f:6e:ea:bd:1d:70:
-         69:c9:1f:ba:70:bf:b2:1d:4a:7d:57:d7:9e:a1:e8:86:34:e3:
-         fa:ee:3f:26:20:12:f5:15:83:53:a0:91:5d:a9:36:b3:02:a3:
-         42:94:c9:65
+         47:c1:c3:44:7c:3a:d0:65:5b:74:2c:63:3f:73:84:e5:6b:d9:
+         e7:45:33:0f:6a:80:49:2d:8f:23:92:b6:ef:22:e6:d5:07:4c:
+         c7:05:e0:d9:d5:29:b0:bf:a4:9f:b5:fa:c7:d5:79:aa:3f:2e:
+         9b:7d:c2:57:dc:41:cb:d7:63:27:28:8d:13:77:67:63:82:3d:
+         85:1a:06:7e:f9:4d:7c:3a:ca:b5:dd:50:b1:be:5f:d3:8c:0f:
+         73:90:5c:79:0f:c9:86:d4:fd:4b:fc:3e:8c:01:55:1b:2f:33:
+         6d:88:6e:0f:bd:21:38:64:96:7d:2d:95:9e:98:51:77:56:39:
+         6b:a8:2f:e0:9f:16:a4:1d:17:67:23:a3:8b:4f:1a:71:05:f0:
+         eb:e0:a7:7a:8f:ab:9f:f4:81:a8:12:f8:09:a3:f7:83:22:8c:
+         36:5d:45:7f:61:ea:9c:68:96:94:7b:d4:4d:8b:73:d0:65:20:
+         63:cf:75:9d:96:a2:bf:23:f3:2d:60:61:e5:7d:b3:2e:1b:11:
+         01:33:d6:58:6d:b2:c8:d2:5a:78:3a:df:56:fd:15:ac:13:33:
+         62:ce:ba:99:85:7c:00:05:69:d0:fd:ad:87:e5:4d:d3:16:43:
+         44:a6:49:84:74:c7:ea:f0:24:50:c9:c9:4a:5d:d8:be:66:fe:
+         00:47:3f:c0
 -----BEGIN CERTIFICATE-----
 MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
-IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEw
-MjEwMTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEx
+MjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
 U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
 Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
@@ -83,11 +83,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
 EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
 DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
 b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
-aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAPjGNq+g5
-JQqgAVMDEOj52V5RRtri4mBAfOzXwVSPW6EfG0Nk9bOludGdr0VaUwC691NjXHm1
-rQ6zCwWwLsfKH1ITRzib0M21GcH35h0Um4GL5+/ZcDKw8Za2//79g+f+dFUS5JM/
-41R+09MRrtTom3CXZH8S8zgmYjjGQ0I76odngOUYxShU+dMzSrkzHnxFeulkD1D+
-bbCjqsSYfe9TLNEO04sr8z2k3yZQtIusZACJe1r7T7jT9FNjvehFzCxVJWGS/0G3
-J2oWQ/8KJlDvMZ1Pb27qvR1wackfunC/sh1KfVfXnqHohjTj+u4/JiAS9RWDU6CR
-Xak2swKjQpTJZQ==
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAR8HDRHw6
+0GVbdCxjP3OE5WvZ50UzD2qASS2PI5K27yLm1QdMxwXg2dUpsL+kn7X6x9V5qj8u
+m33CV9xBy9djJyiNE3dnY4I9hRoGfvlNfDrKtd1Qsb5f04wPc5BceQ/JhtT9S/w+
+jAFVGy8zbYhuD70hOGSWfS2VnphRd1Y5a6gv4J8WpB0XZyOji08acQXw6+Cneo+r
+n/SBqBL4CaP3gyKMNl1Ff2HqnGiWlHvUTYtz0GUgY891nZaivyPzLWBh5X2zLhsR
+ATPWWG2yyNJaeDrfVv0VrBMzYs66mYV8AAVp0P2th+VN0xZDRKZJhHTH6vAkUMnJ
+Sl3Yvmb+AEc/wA==
 -----END CERTIFICATE-----
diff --git a/certs/ocsp/server1-cert.pem b/certs/ocsp/server1-cert.pem
index 872c38337..de2d5bd1a 100644
--- a/certs/ocsp/server1-cert.pem
+++ b/certs/ocsp/server1-cert.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 5 (0x5)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL intermediate CA 1, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www1.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = www1.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:e6:96:55:75:cf:8a:97:68:8c:b6:38:f6:7a:05:
                     be:33:b6:51:47:37:8a:f7:db:91:be:92:6b:b7:00:
@@ -47,27 +47,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22221
 
     Signature Algorithm: sha256WithRSAEncryption
-         78:2e:01:bd:b4:60:d9:68:ab:4d:47:a1:a2:97:00:5d:46:44:
-         6f:4f:d0:7c:23:ff:52:36:28:b5:72:1c:40:8c:16:1b:a1:4d:
-         d5:1a:0d:92:48:57:7d:5f:11:b6:07:1d:b1:c5:47:82:f1:16:
-         57:49:10:78:12:ef:16:86:8b:97:52:3a:5b:9d:58:4d:df:df:
-         e1:a0:9c:8b:8b:31:75:9c:81:0f:87:7c:13:c6:1d:e9:5d:d0:
-         c1:1e:b0:70:e5:b0:8f:cd:57:bc:3e:68:49:58:23:da:b8:ed:
-         10:c3:ae:5c:d1:85:b3:8d:85:5c:ec:01:a1:6a:4a:e1:bd:d8:
-         16:98:2f:a6:7c:a1:cb:57:11:d0:9a:50:8e:dc:1c:67:e2:9f:
-         a5:96:f7:51:52:d1:76:be:5b:c9:e2:af:e6:cb:df:00:64:44:
-         fb:ef:96:ae:3f:6d:d9:85:39:fc:86:42:a4:52:34:3e:a6:96:
-         0e:c9:34:28:11:77:1e:ac:e5:78:5f:96:e7:8c:78:b8:db:dd:
-         f7:ca:c6:68:c7:1b:b1:70:eb:6d:51:fd:6d:93:60:e4:18:ff:
-         c8:84:92:ad:f5:f0:a5:ea:f2:80:42:c9:a7:e0:ef:bf:b8:98:
-         b6:3a:91:86:40:4c:d1:90:e5:8d:57:0f:98:b0:ce:d9:a9:e2:
-         29:9d:a8:2a
+         71:bc:f8:43:d7:55:11:bf:86:ea:46:05:0d:ea:63:05:52:e1:
+         84:53:99:38:8f:7a:5b:22:e5:d3:81:bb:9d:9d:98:37:3d:12:
+         e0:5c:00:cf:de:c3:bb:44:a2:63:c4:10:d2:2a:ba:e4:43:12:
+         33:0b:d8:90:c5:e2:c2:ae:e0:5f:b9:79:86:f6:90:92:54:43:
+         88:e1:d0:cf:f4:27:fc:3d:fd:43:7c:16:e3:2e:9b:94:8d:11:
+         9a:9b:86:ed:7f:fe:36:d8:da:0a:17:3e:c8:2b:e4:d4:ea:de:
+         e8:5b:57:66:57:a7:23:8e:33:ae:ce:5d:47:fc:d0:c3:de:48:
+         b7:39:b9:1c:a8:37:fa:2d:a9:b3:a3:b8:ea:4b:96:11:47:fa:
+         d4:2b:8a:2c:e9:bc:e9:6e:90:40:6e:c5:ce:a5:e1:da:c3:cc:
+         08:24:f0:37:f6:1f:4a:ca:01:d9:aa:45:60:f8:dc:20:f7:2a:
+         ec:2a:f3:d5:82:2a:45:45:2a:f7:7a:71:72:1c:7b:04:a0:fa:
+         5f:dc:af:5f:30:2b:be:c4:f8:a2:fc:b8:d9:0d:70:98:1f:9f:
+         61:f5:3f:d1:0f:85:5e:83:6f:dc:14:4c:0c:14:da:54:aa:a2:
+         aa:7c:c9:62:b1:75:62:e4:a3:95:f2:30:0c:23:3d:c7:e6:bc:
+         44:f1:6f:dc
 -----BEGIN CERTIFICATE-----
 MIIE7jCCA9agAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM
 IGludGVybWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgZgxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgZgxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD
 VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3
 MS53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC
@@ -84,26 +84,26 @@ U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx
 GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
 b2xmc3NsLmNvbYIBATALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG
 AQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIxMA0GCSqGSIb3DQEBCwUAA4IB
-AQB4LgG9tGDZaKtNR6GilwBdRkRvT9B8I/9SNii1chxAjBYboU3VGg2SSFd9XxG2
-Bx2xxUeC8RZXSRB4Eu8WhouXUjpbnVhN39/hoJyLizF1nIEPh3wTxh3pXdDBHrBw
-5bCPzVe8PmhJWCPauO0Qw65c0YWzjYVc7AGhakrhvdgWmC+mfKHLVxHQmlCO3Bxn
-4p+llvdRUtF2vlvJ4q/my98AZET775auP23ZhTn8hkKkUjQ+ppYOyTQoEXcerOV4
-X5bnjHi42933ysZoxxuxcOttUf1tk2DkGP/IhJKt9fCl6vKAQsmn4O+/uJi2OpGG
-QEzRkOWNVw+YsM7ZqeIpnagq
+AQBxvPhD11URv4bqRgUN6mMFUuGEU5k4j3pbIuXTgbudnZg3PRLgXADP3sO7RKJj
+xBDSKrrkQxIzC9iQxeLCruBfuXmG9pCSVEOI4dDP9Cf8Pf1DfBbjLpuUjRGam4bt
+f/422NoKFz7IK+TU6t7oW1dmV6cjjjOuzl1H/NDD3ki3ObkcqDf6Lamzo7jqS5YR
+R/rUK4os6bzpbpBAbsXOpeHaw8wIJPA39h9KygHZqkVg+Nwg9yrsKvPVgipFRSr3
+enFyHHsEoPpf3K9fMCu+xPii/LjZDXCYH59h9T/RD4Veg2/cFEwMFNpUqqKqfMli
+sXVi5KOV8jAMIz3H5rxE8W/c
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL intermediate CA 1, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:de:b4:c8:5c:77:e0:2d:b1:f5:b9:ad:16:47:35:
                     a0:35:65:65:c6:e1:40:ab:1e:b4:b9:13:b7:cb:8c:
@@ -140,27 +140,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22220
 
     Signature Algorithm: sha256WithRSAEncryption
-         1e:8f:fa:f5:32:ee:98:9e:ed:96:b4:a9:ea:d7:3c:05:74:36:
-         41:ef:1b:84:35:6a:3d:6c:c9:53:2a:50:f7:d1:80:d3:ec:99:
-         bc:4b:dd:86:69:e0:94:1c:c4:77:c9:6a:f7:ed:2c:0d:c5:17:
-         a7:15:75:25:14:2d:c6:14:8d:17:97:6d:e7:d7:38:88:d6:df:
-         ba:8c:aa:2a:f1:4e:ef:1f:4a:16:5a:fa:0c:50:ea:98:b1:4b:
-         36:97:24:21:ce:dc:e4:5c:ba:ae:e7:cb:2a:1d:f7:73:ff:17:
-         f3:9d:cf:26:4e:b7:cb:5c:8e:e4:9e:55:d2:00:f8:ca:53:c3:
-         53:3f:6d:65:aa:86:f4:f1:ed:26:1e:75:56:be:bd:80:f5:1c:
-         4e:4d:13:c3:1b:04:61:b9:c6:e2:6f:30:44:01:0e:63:d8:19:
-         ce:83:40:e9:c7:01:f2:51:d7:b7:cd:16:25:93:de:3e:7a:7d:
-         8d:72:1e:2b:66:76:91:df:b9:33:fa:04:b8:8c:c5:7a:ef:f6:
-         94:74:54:1e:96:4a:a8:f6:0d:59:f7:2f:f1:26:78:f6:c7:bf:
-         68:f9:b0:7f:a5:2d:1c:7b:fc:64:25:ed:a4:bb:e6:31:44:f9:
-         d5:5f:67:4d:01:29:84:b2:f8:fa:fb:6b:52:1e:66:c3:08:6b:
-         8e:d5:ad:b9
+         0e:11:5a:b6:3c:42:28:c2:62:1d:8e:85:b9:77:f6:d0:ee:72:
+         b7:77:66:1f:6e:4e:e1:fb:d2:a9:11:81:b7:30:d2:a8:07:84:
+         4d:72:19:d1:64:e4:8d:fa:36:6f:92:0c:51:8f:d8:b0:db:f8:
+         61:6c:9c:67:0f:7a:da:8a:fe:2b:c2:72:91:10:40:e6:fb:3d:
+         e3:d8:59:bf:d4:aa:e1:e1:6d:73:91:d7:0c:5a:15:73:c7:bb:
+         b1:71:dc:be:d6:80:c9:95:54:5e:1f:6a:d2:4c:b9:4f:3c:74:
+         fb:22:4d:aa:e7:0f:bc:83:9f:61:e0:d7:77:99:cf:7f:c9:5a:
+         89:8b:eb:85:67:02:b8:59:40:3b:3d:de:b6:80:41:69:1b:d5:
+         39:8c:e8:29:1c:ec:9b:81:7e:dd:57:1d:d7:7d:d5:8e:8f:1d:
+         dc:ef:34:9b:06:ee:67:bc:da:96:1d:04:24:95:e5:99:9d:ed:
+         1d:5a:50:a1:af:bc:34:0e:e3:45:52:65:97:88:85:07:38:87:
+         fd:1c:3f:37:20:fc:05:b4:81:98:0a:35:4d:87:e9:1d:c1:6f:
+         f9:33:ad:36:04:e5:c2:e8:46:1d:d4:d6:d8:ff:a3:ef:ed:13:
+         20:9f:07:fe:cc:5d:81:7f:7a:1e:24:6b:56:27:63:53:66:de:
+         78:50:81:0e
 -----BEGIN CERTIFICATE-----
 MIIE8DCCA9igAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
-IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEw
-MjEwMTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEx
+MjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
 U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy
 bWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB
@@ -177,26 +177,26 @@ DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu
 ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv
 QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI
 KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD
-ggEBAB6P+vUy7pie7Za0qerXPAV0NkHvG4Q1aj1syVMqUPfRgNPsmbxL3YZp4JQc
-xHfJavftLA3FF6cVdSUULcYUjReXbefXOIjW37qMqirxTu8fShZa+gxQ6pixSzaX
-JCHO3ORcuq7nyyod93P/F/OdzyZOt8tcjuSeVdIA+MpTw1M/bWWqhvTx7SYedVa+
-vYD1HE5NE8MbBGG5xuJvMEQBDmPYGc6DQOnHAfJR17fNFiWT3j56fY1yHitmdpHf
-uTP6BLiMxXrv9pR0VB6WSqj2DVn3L/EmePbHv2j5sH+lLRx7/GQl7aS75jFE+dVf
-Z00BKYSy+Pr7a1IeZsMIa47Vrbk=
+ggEBAA4RWrY8QijCYh2Ohbl39tDucrd3Zh9uTuH70qkRgbcw0qgHhE1yGdFk5I36
+Nm+SDFGP2LDb+GFsnGcPetqK/ivCcpEQQOb7PePYWb/UquHhbXOR1wxaFXPHu7Fx
+3L7WgMmVVF4fatJMuU88dPsiTarnD7yDn2Hg13eZz3/JWomL64VnArhZQDs93raA
+QWkb1TmM6Ckc7JuBft1XHdd91Y6PHdzvNJsG7me82pYdBCSV5Zmd7R1aUKGvvDQO
+40VSZZeIhQc4h/0cPzcg/AW0gZgKNU2H6R3Bb/kzrTYE5cLoRh3U1tj/o+/tEyCf
+B/7MXYF/eh4ka1YnY1Nm3nhQgQ4=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 99 (0x63)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
                     bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
@@ -233,27 +233,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22220
 
     Signature Algorithm: sha256WithRSAEncryption
-         3e:31:8d:ab:e8:39:25:0a:a0:01:53:03:10:e8:f9:d9:5e:51:
-         46:da:e2:e2:60:40:7c:ec:d7:c1:54:8f:5b:a1:1f:1b:43:64:
-         f5:b3:a5:b9:d1:9d:af:45:5a:53:00:ba:f7:53:63:5c:79:b5:
-         ad:0e:b3:0b:05:b0:2e:c7:ca:1f:52:13:47:38:9b:d0:cd:b5:
-         19:c1:f7:e6:1d:14:9b:81:8b:e7:ef:d9:70:32:b0:f1:96:b6:
-         ff:fe:fd:83:e7:fe:74:55:12:e4:93:3f:e3:54:7e:d3:d3:11:
-         ae:d4:e8:9b:70:97:64:7f:12:f3:38:26:62:38:c6:43:42:3b:
-         ea:87:67:80:e5:18:c5:28:54:f9:d3:33:4a:b9:33:1e:7c:45:
-         7a:e9:64:0f:50:fe:6d:b0:a3:aa:c4:98:7d:ef:53:2c:d1:0e:
-         d3:8b:2b:f3:3d:a4:df:26:50:b4:8b:ac:64:00:89:7b:5a:fb:
-         4f:b8:d3:f4:53:63:bd:e8:45:cc:2c:55:25:61:92:ff:41:b7:
-         27:6a:16:43:ff:0a:26:50:ef:31:9d:4f:6f:6e:ea:bd:1d:70:
-         69:c9:1f:ba:70:bf:b2:1d:4a:7d:57:d7:9e:a1:e8:86:34:e3:
-         fa:ee:3f:26:20:12:f5:15:83:53:a0:91:5d:a9:36:b3:02:a3:
-         42:94:c9:65
+         47:c1:c3:44:7c:3a:d0:65:5b:74:2c:63:3f:73:84:e5:6b:d9:
+         e7:45:33:0f:6a:80:49:2d:8f:23:92:b6:ef:22:e6:d5:07:4c:
+         c7:05:e0:d9:d5:29:b0:bf:a4:9f:b5:fa:c7:d5:79:aa:3f:2e:
+         9b:7d:c2:57:dc:41:cb:d7:63:27:28:8d:13:77:67:63:82:3d:
+         85:1a:06:7e:f9:4d:7c:3a:ca:b5:dd:50:b1:be:5f:d3:8c:0f:
+         73:90:5c:79:0f:c9:86:d4:fd:4b:fc:3e:8c:01:55:1b:2f:33:
+         6d:88:6e:0f:bd:21:38:64:96:7d:2d:95:9e:98:51:77:56:39:
+         6b:a8:2f:e0:9f:16:a4:1d:17:67:23:a3:8b:4f:1a:71:05:f0:
+         eb:e0:a7:7a:8f:ab:9f:f4:81:a8:12:f8:09:a3:f7:83:22:8c:
+         36:5d:45:7f:61:ea:9c:68:96:94:7b:d4:4d:8b:73:d0:65:20:
+         63:cf:75:9d:96:a2:bf:23:f3:2d:60:61:e5:7d:b3:2e:1b:11:
+         01:33:d6:58:6d:b2:c8:d2:5a:78:3a:df:56:fd:15:ac:13:33:
+         62:ce:ba:99:85:7c:00:05:69:d0:fd:ad:87:e5:4d:d3:16:43:
+         44:a6:49:84:74:c7:ea:f0:24:50:c9:c9:4a:5d:d8:be:66:fe:
+         00:47:3f:c0
 -----BEGIN CERTIFICATE-----
 MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
-IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEw
-MjEwMTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEx
+MjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
 U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
 Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
@@ -269,11 +269,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
 EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
 DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
 b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
-aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAPjGNq+g5
-JQqgAVMDEOj52V5RRtri4mBAfOzXwVSPW6EfG0Nk9bOludGdr0VaUwC691NjXHm1
-rQ6zCwWwLsfKH1ITRzib0M21GcH35h0Um4GL5+/ZcDKw8Za2//79g+f+dFUS5JM/
-41R+09MRrtTom3CXZH8S8zgmYjjGQ0I76odngOUYxShU+dMzSrkzHnxFeulkD1D+
-bbCjqsSYfe9TLNEO04sr8z2k3yZQtIusZACJe1r7T7jT9FNjvehFzCxVJWGS/0G3
-J2oWQ/8KJlDvMZ1Pb27qvR1wackfunC/sh1KfVfXnqHohjTj+u4/JiAS9RWDU6CR
-Xak2swKjQpTJZQ==
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAR8HDRHw6
+0GVbdCxjP3OE5WvZ50UzD2qASS2PI5K27yLm1QdMxwXg2dUpsL+kn7X6x9V5qj8u
+m33CV9xBy9djJyiNE3dnY4I9hRoGfvlNfDrKtd1Qsb5f04wPc5BceQ/JhtT9S/w+
+jAFVGy8zbYhuD70hOGSWfS2VnphRd1Y5a6gv4J8WpB0XZyOji08acQXw6+Cneo+r
+n/SBqBL4CaP3gyKMNl1Ff2HqnGiWlHvUTYtz0GUgY891nZaivyPzLWBh5X2zLhsR
+ATPWWG2yyNJaeDrfVv0VrBMzYs66mYV8AAVp0P2th+VN0xZDRKZJhHTH6vAkUMnJ
+Sl3Yvmb+AEc/wA==
 -----END CERTIFICATE-----
diff --git a/certs/ocsp/server2-cert.pem b/certs/ocsp/server2-cert.pem
index db1783e23..bff6c7098 100644
--- a/certs/ocsp/server2-cert.pem
+++ b/certs/ocsp/server2-cert.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 6 (0x6)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL intermediate CA 1, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www2.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = www2.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:c6:35:8a:e8:aa:bd:33:c9:5e:84:43:67:42:65:
                     2a:3c:e3:89:b4:a6:67:a1:3b:ee:6d:85:d1:d3:2b:
@@ -47,27 +47,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22221
 
     Signature Algorithm: sha256WithRSAEncryption
-         35:db:bd:7c:8c:c2:f1:83:77:3c:dd:bf:b4:5b:0c:6e:95:29:
-         30:a5:03:bb:54:45:47:88:cd:d4:46:80:94:bc:82:3f:8f:9c:
-         3e:3d:09:48:9c:77:91:b0:70:54:70:23:41:8c:2f:cb:0b:8f:
-         df:08:fe:ce:0d:76:38:c8:80:15:6f:ab:d8:fc:26:8f:02:55:
-         1b:e8:08:4c:c6:6f:38:23:8b:8b:52:fd:76:04:44:fb:5d:47:
-         31:83:87:2e:7f:a9:d1:34:db:7d:9c:73:9d:63:fc:2e:86:b2:
-         22:4b:5c:ef:95:d4:b3:0f:17:80:6c:67:5d:b3:c4:2a:7d:be:
-         22:b9:40:b7:82:d9:c7:38:e4:9b:2b:c9:a0:ef:53:ba:7a:1e:
-         a9:9c:b6:91:1e:e8:3d:2e:7f:d6:1f:35:db:72:56:ea:8f:0a:
-         7f:0a:64:91:c9:8d:79:75:63:45:e3:3b:2e:dc:01:12:ca:6c:
-         47:da:97:40:7e:9e:3e:16:1a:64:8b:3e:cd:b7:bd:ec:61:9e:
-         63:a9:0f:7a:cd:1c:e0:e0:2b:a9:74:ef:88:72:58:17:0c:ac:
-         ad:75:9e:6a:2e:a3:66:9e:79:a0:52:d1:77:cf:33:93:72:1a:
-         b8:0d:ab:9e:8f:32:34:52:9c:15:91:73:c3:a2:19:a4:21:96:
-         05:8c:0b:d0
+         19:03:a2:5d:78:b9:24:6b:c8:a2:09:82:de:a1:0a:93:a4:e7:
+         b5:7f:13:65:df:f4:ff:5d:40:45:85:c8:59:c8:81:99:6b:c4:
+         61:f7:06:ba:19:5b:81:c9:e9:39:63:3a:91:c5:14:58:c9:5c:
+         b7:ca:40:97:4d:e2:a2:9c:72:ff:f1:f3:f4:a0:b9:a8:a2:d5:
+         00:f5:af:6d:34:20:b9:71:ea:ac:09:dd:25:d2:09:3b:c0:62:
+         62:4f:36:73:74:cc:22:d2:16:14:aa:af:68:4c:2b:94:72:6a:
+         4c:6b:38:75:2f:b1:c6:c2:ca:57:66:43:7d:0a:7f:ae:35:1f:
+         ed:37:a0:aa:59:4a:ff:d8:e4:74:a8:b8:28:ba:4e:1f:ff:31:
+         4e:aa:82:e8:0d:d8:f4:22:b5:6f:f0:b4:d8:c7:b2:0b:b1:e4:
+         a5:1d:bb:7c:14:61:30:d9:f8:cd:69:67:1e:0e:d9:6f:2f:86:
+         c5:f2:ee:79:c8:50:f1:a3:dc:97:6f:05:68:85:63:74:24:11:
+         3b:4f:48:66:aa:1e:36:44:de:e0:e3:ea:b5:01:78:83:de:13:
+         7e:25:f4:66:66:b5:da:c6:34:79:3b:9f:73:99:49:e4:ca:37:
+         e8:92:ca:6e:a1:ac:c3:ea:d1:67:08:cd:33:49:18:05:8b:7e:
+         fd:c6:6b:ae
 -----BEGIN CERTIFICATE-----
 MIIE7jCCA9agAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM
 IGludGVybWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgZgxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgZgxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD
 VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3
 Mi53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC
@@ -84,26 +84,26 @@ U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx
 GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
 b2xmc3NsLmNvbYIBATALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG
 AQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIxMA0GCSqGSIb3DQEBCwUAA4IB
-AQA12718jMLxg3c83b+0WwxulSkwpQO7VEVHiM3URoCUvII/j5w+PQlInHeRsHBU
-cCNBjC/LC4/fCP7ODXY4yIAVb6vY/CaPAlUb6AhMxm84I4uLUv12BET7XUcxg4cu
-f6nRNNt9nHOdY/wuhrIiS1zvldSzDxeAbGdds8Qqfb4iuUC3gtnHOOSbK8mg71O6
-eh6pnLaRHug9Ln/WHzXbclbqjwp/CmSRyY15dWNF4zsu3AESymxH2pdAfp4+Fhpk
-iz7Nt73sYZ5jqQ96zRzg4CupdO+IclgXDKytdZ5qLqNmnnmgUtF3zzOTchq4Daue
-jzI0UpwVkXPDohmkIZYFjAvQ
+AQAZA6JdeLkka8iiCYLeoQqTpOe1fxNl3/T/XUBFhchZyIGZa8Rh9wa6GVuByek5
+YzqRxRRYyVy3ykCXTeKinHL/8fP0oLmootUA9a9tNCC5ceqsCd0l0gk7wGJiTzZz
+dMwi0hYUqq9oTCuUcmpMazh1L7HGwspXZkN9Cn+uNR/tN6CqWUr/2OR0qLgouk4f
+/zFOqoLoDdj0IrVv8LTYx7ILseSlHbt8FGEw2fjNaWceDtlvL4bF8u55yFDxo9yX
+bwVohWN0JBE7T0hmqh42RN7g4+q1AXiD3hN+JfRmZrXaxjR5O59zmUnkyjfokspu
+oazD6tFnCM0zSRgFi379xmuu
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL intermediate CA 1, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:de:b4:c8:5c:77:e0:2d:b1:f5:b9:ad:16:47:35:
                     a0:35:65:65:c6:e1:40:ab:1e:b4:b9:13:b7:cb:8c:
@@ -140,27 +140,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22220
 
     Signature Algorithm: sha256WithRSAEncryption
-         1e:8f:fa:f5:32:ee:98:9e:ed:96:b4:a9:ea:d7:3c:05:74:36:
-         41:ef:1b:84:35:6a:3d:6c:c9:53:2a:50:f7:d1:80:d3:ec:99:
-         bc:4b:dd:86:69:e0:94:1c:c4:77:c9:6a:f7:ed:2c:0d:c5:17:
-         a7:15:75:25:14:2d:c6:14:8d:17:97:6d:e7:d7:38:88:d6:df:
-         ba:8c:aa:2a:f1:4e:ef:1f:4a:16:5a:fa:0c:50:ea:98:b1:4b:
-         36:97:24:21:ce:dc:e4:5c:ba:ae:e7:cb:2a:1d:f7:73:ff:17:
-         f3:9d:cf:26:4e:b7:cb:5c:8e:e4:9e:55:d2:00:f8:ca:53:c3:
-         53:3f:6d:65:aa:86:f4:f1:ed:26:1e:75:56:be:bd:80:f5:1c:
-         4e:4d:13:c3:1b:04:61:b9:c6:e2:6f:30:44:01:0e:63:d8:19:
-         ce:83:40:e9:c7:01:f2:51:d7:b7:cd:16:25:93:de:3e:7a:7d:
-         8d:72:1e:2b:66:76:91:df:b9:33:fa:04:b8:8c:c5:7a:ef:f6:
-         94:74:54:1e:96:4a:a8:f6:0d:59:f7:2f:f1:26:78:f6:c7:bf:
-         68:f9:b0:7f:a5:2d:1c:7b:fc:64:25:ed:a4:bb:e6:31:44:f9:
-         d5:5f:67:4d:01:29:84:b2:f8:fa:fb:6b:52:1e:66:c3:08:6b:
-         8e:d5:ad:b9
+         0e:11:5a:b6:3c:42:28:c2:62:1d:8e:85:b9:77:f6:d0:ee:72:
+         b7:77:66:1f:6e:4e:e1:fb:d2:a9:11:81:b7:30:d2:a8:07:84:
+         4d:72:19:d1:64:e4:8d:fa:36:6f:92:0c:51:8f:d8:b0:db:f8:
+         61:6c:9c:67:0f:7a:da:8a:fe:2b:c2:72:91:10:40:e6:fb:3d:
+         e3:d8:59:bf:d4:aa:e1:e1:6d:73:91:d7:0c:5a:15:73:c7:bb:
+         b1:71:dc:be:d6:80:c9:95:54:5e:1f:6a:d2:4c:b9:4f:3c:74:
+         fb:22:4d:aa:e7:0f:bc:83:9f:61:e0:d7:77:99:cf:7f:c9:5a:
+         89:8b:eb:85:67:02:b8:59:40:3b:3d:de:b6:80:41:69:1b:d5:
+         39:8c:e8:29:1c:ec:9b:81:7e:dd:57:1d:d7:7d:d5:8e:8f:1d:
+         dc:ef:34:9b:06:ee:67:bc:da:96:1d:04:24:95:e5:99:9d:ed:
+         1d:5a:50:a1:af:bc:34:0e:e3:45:52:65:97:88:85:07:38:87:
+         fd:1c:3f:37:20:fc:05:b4:81:98:0a:35:4d:87:e9:1d:c1:6f:
+         f9:33:ad:36:04:e5:c2:e8:46:1d:d4:d6:d8:ff:a3:ef:ed:13:
+         20:9f:07:fe:cc:5d:81:7f:7a:1e:24:6b:56:27:63:53:66:de:
+         78:50:81:0e
 -----BEGIN CERTIFICATE-----
 MIIE8DCCA9igAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
-IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEw
-MjEwMTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEx
+MjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
 U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy
 bWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB
@@ -177,26 +177,26 @@ DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu
 ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv
 QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI
 KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD
-ggEBAB6P+vUy7pie7Za0qerXPAV0NkHvG4Q1aj1syVMqUPfRgNPsmbxL3YZp4JQc
-xHfJavftLA3FF6cVdSUULcYUjReXbefXOIjW37qMqirxTu8fShZa+gxQ6pixSzaX
-JCHO3ORcuq7nyyod93P/F/OdzyZOt8tcjuSeVdIA+MpTw1M/bWWqhvTx7SYedVa+
-vYD1HE5NE8MbBGG5xuJvMEQBDmPYGc6DQOnHAfJR17fNFiWT3j56fY1yHitmdpHf
-uTP6BLiMxXrv9pR0VB6WSqj2DVn3L/EmePbHv2j5sH+lLRx7/GQl7aS75jFE+dVf
-Z00BKYSy+Pr7a1IeZsMIa47Vrbk=
+ggEBAA4RWrY8QijCYh2Ohbl39tDucrd3Zh9uTuH70qkRgbcw0qgHhE1yGdFk5I36
+Nm+SDFGP2LDb+GFsnGcPetqK/ivCcpEQQOb7PePYWb/UquHhbXOR1wxaFXPHu7Fx
+3L7WgMmVVF4fatJMuU88dPsiTarnD7yDn2Hg13eZz3/JWomL64VnArhZQDs93raA
+QWkb1TmM6Ckc7JuBft1XHdd91Y6PHdzvNJsG7me82pYdBCSV5Zmd7R1aUKGvvDQO
+40VSZZeIhQc4h/0cPzcg/AW0gZgKNU2H6R3Bb/kzrTYE5cLoRh3U1tj/o+/tEyCf
+B/7MXYF/eh4ka1YnY1Nm3nhQgQ4=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 99 (0x63)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
                     bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
@@ -233,27 +233,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22220
 
     Signature Algorithm: sha256WithRSAEncryption
-         3e:31:8d:ab:e8:39:25:0a:a0:01:53:03:10:e8:f9:d9:5e:51:
-         46:da:e2:e2:60:40:7c:ec:d7:c1:54:8f:5b:a1:1f:1b:43:64:
-         f5:b3:a5:b9:d1:9d:af:45:5a:53:00:ba:f7:53:63:5c:79:b5:
-         ad:0e:b3:0b:05:b0:2e:c7:ca:1f:52:13:47:38:9b:d0:cd:b5:
-         19:c1:f7:e6:1d:14:9b:81:8b:e7:ef:d9:70:32:b0:f1:96:b6:
-         ff:fe:fd:83:e7:fe:74:55:12:e4:93:3f:e3:54:7e:d3:d3:11:
-         ae:d4:e8:9b:70:97:64:7f:12:f3:38:26:62:38:c6:43:42:3b:
-         ea:87:67:80:e5:18:c5:28:54:f9:d3:33:4a:b9:33:1e:7c:45:
-         7a:e9:64:0f:50:fe:6d:b0:a3:aa:c4:98:7d:ef:53:2c:d1:0e:
-         d3:8b:2b:f3:3d:a4:df:26:50:b4:8b:ac:64:00:89:7b:5a:fb:
-         4f:b8:d3:f4:53:63:bd:e8:45:cc:2c:55:25:61:92:ff:41:b7:
-         27:6a:16:43:ff:0a:26:50:ef:31:9d:4f:6f:6e:ea:bd:1d:70:
-         69:c9:1f:ba:70:bf:b2:1d:4a:7d:57:d7:9e:a1:e8:86:34:e3:
-         fa:ee:3f:26:20:12:f5:15:83:53:a0:91:5d:a9:36:b3:02:a3:
-         42:94:c9:65
+         47:c1:c3:44:7c:3a:d0:65:5b:74:2c:63:3f:73:84:e5:6b:d9:
+         e7:45:33:0f:6a:80:49:2d:8f:23:92:b6:ef:22:e6:d5:07:4c:
+         c7:05:e0:d9:d5:29:b0:bf:a4:9f:b5:fa:c7:d5:79:aa:3f:2e:
+         9b:7d:c2:57:dc:41:cb:d7:63:27:28:8d:13:77:67:63:82:3d:
+         85:1a:06:7e:f9:4d:7c:3a:ca:b5:dd:50:b1:be:5f:d3:8c:0f:
+         73:90:5c:79:0f:c9:86:d4:fd:4b:fc:3e:8c:01:55:1b:2f:33:
+         6d:88:6e:0f:bd:21:38:64:96:7d:2d:95:9e:98:51:77:56:39:
+         6b:a8:2f:e0:9f:16:a4:1d:17:67:23:a3:8b:4f:1a:71:05:f0:
+         eb:e0:a7:7a:8f:ab:9f:f4:81:a8:12:f8:09:a3:f7:83:22:8c:
+         36:5d:45:7f:61:ea:9c:68:96:94:7b:d4:4d:8b:73:d0:65:20:
+         63:cf:75:9d:96:a2:bf:23:f3:2d:60:61:e5:7d:b3:2e:1b:11:
+         01:33:d6:58:6d:b2:c8:d2:5a:78:3a:df:56:fd:15:ac:13:33:
+         62:ce:ba:99:85:7c:00:05:69:d0:fd:ad:87:e5:4d:d3:16:43:
+         44:a6:49:84:74:c7:ea:f0:24:50:c9:c9:4a:5d:d8:be:66:fe:
+         00:47:3f:c0
 -----BEGIN CERTIFICATE-----
 MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
-IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEw
-MjEwMTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEx
+MjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
 U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
 Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
@@ -269,11 +269,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
 EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
 DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
 b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
-aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAPjGNq+g5
-JQqgAVMDEOj52V5RRtri4mBAfOzXwVSPW6EfG0Nk9bOludGdr0VaUwC691NjXHm1
-rQ6zCwWwLsfKH1ITRzib0M21GcH35h0Um4GL5+/ZcDKw8Za2//79g+f+dFUS5JM/
-41R+09MRrtTom3CXZH8S8zgmYjjGQ0I76odngOUYxShU+dMzSrkzHnxFeulkD1D+
-bbCjqsSYfe9TLNEO04sr8z2k3yZQtIusZACJe1r7T7jT9FNjvehFzCxVJWGS/0G3
-J2oWQ/8KJlDvMZ1Pb27qvR1wackfunC/sh1KfVfXnqHohjTj+u4/JiAS9RWDU6CR
-Xak2swKjQpTJZQ==
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAR8HDRHw6
+0GVbdCxjP3OE5WvZ50UzD2qASS2PI5K27yLm1QdMxwXg2dUpsL+kn7X6x9V5qj8u
+m33CV9xBy9djJyiNE3dnY4I9hRoGfvlNfDrKtd1Qsb5f04wPc5BceQ/JhtT9S/w+
+jAFVGy8zbYhuD70hOGSWfS2VnphRd1Y5a6gv4J8WpB0XZyOji08acQXw6+Cneo+r
+n/SBqBL4CaP3gyKMNl1Ff2HqnGiWlHvUTYtz0GUgY891nZaivyPzLWBh5X2zLhsR
+ATPWWG2yyNJaeDrfVv0VrBMzYs66mYV8AAVp0P2th+VN0xZDRKZJhHTH6vAkUMnJ
+Sl3Yvmb+AEc/wA==
 -----END CERTIFICATE-----
diff --git a/certs/ocsp/server3-cert.pem b/certs/ocsp/server3-cert.pem
index bbc70fa1c..1ddebb950 100644
--- a/certs/ocsp/server3-cert.pem
+++ b/certs/ocsp/server3-cert.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 7 (0x7)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL intermediate CA 2, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www3.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = www3.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:be:19:65:1e:17:39:d4:33:fc:97:64:69:80:51:
                     fb:6c:7c:ca:e1:ba:2a:ab:d2:dd:30:61:f3:2e:47:
@@ -47,27 +47,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22222
 
     Signature Algorithm: sha256WithRSAEncryption
-         8f:08:2b:50:a2:26:49:28:c1:f1:bf:d8:5e:75:e3:37:cf:e0:
-         48:c3:e3:fa:8b:ec:6f:f7:06:39:cc:12:6a:94:97:01:f1:3b:
-         71:9d:08:85:40:ae:de:ab:33:68:ab:af:d6:a4:b3:90:f4:8f:
-         12:31:31:52:98:6b:c8:bb:1e:5f:58:1a:31:5d:37:43:91:38:
-         be:b9:5b:17:cd:25:f1:49:09:76:19:57:fb:08:67:43:3e:d3:
-         20:e2:b6:bc:17:cc:21:9d:45:cf:1c:5c:dc:54:fd:22:b6:b4:
-         b2:91:b8:8f:c3:93:95:02:52:a0:49:ef:fb:f4:86:61:82:e8:
-         c0:fc:2b:b7:82:32:74:81:68:c3:85:4a:e5:e4:d4:4c:2d:22:
-         81:34:89:ca:aa:75:78:4d:5b:90:c2:a1:4f:ba:da:3a:f1:4e:
-         12:21:ac:b6:23:3b:e3:e5:50:b6:69:3b:94:d7:64:37:57:a4:
-         cd:a7:53:1e:e5:27:8f:3d:b7:3e:85:34:9e:db:54:a6:d5:b8:
-         cb:9d:df:41:e9:b2:16:5c:a6:38:31:fb:64:9e:cb:4b:9d:b7:
-         f9:cb:52:ed:87:fe:f7:04:bb:a3:6b:07:66:57:5c:1c:cd:c4:
-         f2:60:94:97:38:0f:52:a4:aa:bc:5d:b5:09:d1:75:bd:24:ab:
-         06:91:7e:24
+         bf:5f:6a:7a:38:34:ca:36:cf:e9:65:53:f0:3b:3e:f5:c0:87:
+         60:89:45:5d:70:24:67:b3:d2:23:97:d7:71:66:5f:f6:23:27:
+         8f:f3:fe:72:a0:7b:61:3c:4c:2a:cb:de:78:97:f8:a9:87:78:
+         22:1f:ca:96:7a:95:c2:de:07:16:d6:b5:3e:1d:f8:7c:06:ff:
+         c7:0d:1d:0b:2b:86:50:c3:90:a1:73:9f:cb:d8:25:11:d5:62:
+         1d:ed:61:fc:6a:dd:cc:f0:74:91:b5:19:ce:c2:a1:9c:46:ba:
+         d5:70:b7:54:25:b8:d0:dc:7e:02:dd:bb:1e:ec:a5:f5:85:63:
+         61:ef:64:a9:29:44:8b:62:1e:19:19:eb:7b:6c:dd:7b:c5:45:
+         17:2c:a1:65:43:85:82:23:24:22:97:c9:26:cb:42:09:45:31:
+         7b:c7:ff:2c:14:d6:8d:a1:54:e3:78:03:8b:79:cf:fc:c0:90:
+         d9:26:14:16:79:49:2d:31:b5:4c:f2:9f:8b:be:4a:46:32:8e:
+         9b:27:a5:ca:8f:3f:4e:53:da:42:e7:b5:cb:95:4e:d9:d7:71:
+         a4:ae:7b:0e:14:df:57:09:b7:e7:5a:f5:c7:8d:e1:68:fb:0a:
+         ea:20:37:d4:88:c6:8b:4a:d8:10:cd:d1:b5:04:ca:8c:79:ad:
+         44:e5:14:90
 -----BEGIN CERTIFICATE-----
 MIIE7jCCA9agAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM
 IGludGVybWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgZgxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgZgxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD
 VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3
 My53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC
@@ -84,26 +84,26 @@ U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx
 GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
 b2xmc3NsLmNvbYIBAjALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG
 AQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIyMA0GCSqGSIb3DQEBCwUAA4IB
-AQCPCCtQoiZJKMHxv9hedeM3z+BIw+P6i+xv9wY5zBJqlJcB8TtxnQiFQK7eqzNo
-q6/WpLOQ9I8SMTFSmGvIux5fWBoxXTdDkTi+uVsXzSXxSQl2GVf7CGdDPtMg4ra8
-F8whnUXPHFzcVP0itrSykbiPw5OVAlKgSe/79IZhgujA/Cu3gjJ0gWjDhUrl5NRM
-LSKBNInKqnV4TVuQwqFPuto68U4SIay2Izvj5VC2aTuU12Q3V6TNp1Me5SePPbc+
-hTSe21Sm1bjLnd9B6bIWXKY4MftknstLnbf5y1Lth/73BLujawdmV1wczcTyYJSX
-OA9SpKq8XbUJ0XW9JKsGkX4k
+AQC/X2p6ODTKNs/pZVPwOz71wIdgiUVdcCRns9Ijl9dxZl/2IyeP8/5yoHthPEwq
+y954l/iph3giH8qWepXC3gcW1rU+Hfh8Bv/HDR0LK4ZQw5Chc5/L2CUR1WId7WH8
+at3M8HSRtRnOwqGcRrrVcLdUJbjQ3H4C3bse7KX1hWNh72SpKUSLYh4ZGet7bN17
+xUUXLKFlQ4WCIyQil8kmy0IJRTF7x/8sFNaNoVTjeAOLec/8wJDZJhQWeUktMbVM
+8p+LvkpGMo6bJ6XKjz9OU9pC57XLlU7Z13GkrnsOFN9XCbfnWvXHjeFo+wrqIDfU
+iMaLStgQzdG1BMqMea1E5RSQ
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 2 (0x2)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL intermediate CA 2, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d0:20:3c:35:19:6f:2c:44:b4:7e:42:c7:75:b4:
                     6a:2b:a9:23:85:bf:87:b4:ee:ca:d7:4b:1f:31:d7:
@@ -140,27 +140,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22220
 
     Signature Algorithm: sha256WithRSAEncryption
-         0c:13:dc:c2:28:a2:be:bb:0b:8e:29:28:aa:7a:99:04:e5:88:
-         c6:67:7e:8d:3f:8a:68:3a:7f:c5:e2:d0:ed:c9:95:4c:40:f2:
-         7a:87:73:17:fb:f8:c4:bf:1b:ff:54:be:33:6d:15:e3:4f:70:
-         f4:60:27:b2:67:cd:0e:0f:2a:81:ee:dc:9d:48:37:74:8a:4c:
-         11:47:23:f0:5d:7c:c1:78:70:1d:c1:87:db:26:b0:86:a8:42:
-         3d:87:87:43:e7:d9:3a:a8:5c:c5:66:a4:d5:4e:9b:d9:44:b2:
-         41:30:10:94:3b:fd:00:dc:02:63:05:d7:a1:75:ad:54:28:9e:
-         e4:07:3c:af:68:89:9b:71:96:21:ff:d6:4e:1d:d0:02:d5:21:
-         7d:ae:d8:07:96:6c:1f:ca:a5:ef:54:13:92:be:3c:7d:c0:65:
-         bf:5c:bb:ff:46:c2:69:0f:4c:29:70:6d:b7:52:d5:ed:9e:e4:
-         89:dc:41:0d:0a:94:bc:69:b3:dc:8a:a9:45:25:f1:2c:9b:5b:
-         85:bc:69:fb:94:31:05:2c:17:fa:78:28:36:78:7f:f9:0c:4f:
-         22:36:05:fe:bf:59:9d:5d:1f:9a:5e:8e:d8:1d:62:4d:d6:2d:
-         73:d6:26:c1:a5:bc:e3:62:81:fc:1e:cb:7f:3e:c3:00:c9:b0:
-         e0:c6:1f:c3
+         33:da:33:9a:28:e3:e7:b0:25:c2:d9:94:9d:7e:46:98:3d:ac:
+         08:f4:30:15:04:e0:fc:e2:4a:19:f1:0e:82:07:59:43:cd:0c:
+         b5:0c:55:2c:01:d2:78:22:e3:cd:38:75:13:36:ce:66:7b:17:
+         86:ac:a3:98:e5:36:ae:37:4d:77:e6:02:e1:d8:77:d4:53:96:
+         74:57:ca:6a:40:a3:de:38:e2:70:21:72:be:43:72:69:a1:d7:
+         fb:6d:7a:d3:db:5a:21:aa:d1:d3:7e:e4:76:54:3b:d3:19:68:
+         7e:61:96:46:4f:de:d5:fe:f4:3b:8d:1c:24:b2:cb:4c:ff:8f:
+         ec:6a:13:28:ef:53:3b:12:f5:67:e1:d7:93:d2:eb:39:1d:72:
+         13:79:a0:63:70:12:51:67:0d:d7:d2:4d:37:c3:fc:4d:ed:45:
+         76:33:0e:82:af:d5:49:b8:f6:2f:fe:0e:93:d3:b7:6a:ab:e6:
+         e3:11:4f:04:50:5f:f8:13:4a:30:82:f4:56:c0:1d:ed:de:19:
+         2c:62:a3:f2:1b:6a:8b:a1:b5:1a:cb:0a:e6:3c:b4:67:1a:2a:
+         82:b4:78:a8:5f:a0:5d:22:34:dc:1c:3c:a8:77:6f:23:e0:6f:
+         b7:3e:36:52:21:64:89:1e:50:85:59:a7:cf:2b:f5:13:37:26:
+         62:27:85:34
 -----BEGIN CERTIFICATE-----
 MIIE8DCCA9igAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
-IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEw
-MjEwMTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEx
+MjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
 U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy
 bWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB
@@ -177,26 +177,26 @@ DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu
 ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv
 QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI
 KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD
-ggEBAAwT3MIoor67C44pKKp6mQTliMZnfo0/img6f8Xi0O3JlUxA8nqHcxf7+MS/
-G/9UvjNtFeNPcPRgJ7JnzQ4PKoHu3J1IN3SKTBFHI/BdfMF4cB3Bh9smsIaoQj2H
-h0Pn2TqoXMVmpNVOm9lEskEwEJQ7/QDcAmMF16F1rVQonuQHPK9oiZtxliH/1k4d
-0ALVIX2u2AeWbB/Kpe9UE5K+PH3AZb9cu/9GwmkPTClwbbdS1e2e5IncQQ0KlLxp
-s9yKqUUl8SybW4W8afuUMQUsF/p4KDZ4f/kMTyI2Bf6/WZ1dH5pejtgdYk3WLXPW
-JsGlvONigfwey38+wwDJsODGH8M=
+ggEBADPaM5oo4+ewJcLZlJ1+Rpg9rAj0MBUE4PziShnxDoIHWUPNDLUMVSwB0ngi
+4804dRM2zmZ7F4aso5jlNq43TXfmAuHYd9RTlnRXympAo9444nAhcr5Dcmmh1/tt
+etPbWiGq0dN+5HZUO9MZaH5hlkZP3tX+9DuNHCSyy0z/j+xqEyjvUzsS9Wfh15PS
+6zkdchN5oGNwElFnDdfSTTfD/E3tRXYzDoKv1Um49i/+DpPTt2qr5uMRTwRQX/gT
+SjCC9FbAHe3eGSxio/IbaouhtRrLCuY8tGcaKoK0eKhfoF0iNNwcPKh3byPgb7c+
+NlIhZIkeUIVZp88r9RM3JmInhTQ=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 99 (0x63)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
                     bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
@@ -233,27 +233,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22220
 
     Signature Algorithm: sha256WithRSAEncryption
-         3e:31:8d:ab:e8:39:25:0a:a0:01:53:03:10:e8:f9:d9:5e:51:
-         46:da:e2:e2:60:40:7c:ec:d7:c1:54:8f:5b:a1:1f:1b:43:64:
-         f5:b3:a5:b9:d1:9d:af:45:5a:53:00:ba:f7:53:63:5c:79:b5:
-         ad:0e:b3:0b:05:b0:2e:c7:ca:1f:52:13:47:38:9b:d0:cd:b5:
-         19:c1:f7:e6:1d:14:9b:81:8b:e7:ef:d9:70:32:b0:f1:96:b6:
-         ff:fe:fd:83:e7:fe:74:55:12:e4:93:3f:e3:54:7e:d3:d3:11:
-         ae:d4:e8:9b:70:97:64:7f:12:f3:38:26:62:38:c6:43:42:3b:
-         ea:87:67:80:e5:18:c5:28:54:f9:d3:33:4a:b9:33:1e:7c:45:
-         7a:e9:64:0f:50:fe:6d:b0:a3:aa:c4:98:7d:ef:53:2c:d1:0e:
-         d3:8b:2b:f3:3d:a4:df:26:50:b4:8b:ac:64:00:89:7b:5a:fb:
-         4f:b8:d3:f4:53:63:bd:e8:45:cc:2c:55:25:61:92:ff:41:b7:
-         27:6a:16:43:ff:0a:26:50:ef:31:9d:4f:6f:6e:ea:bd:1d:70:
-         69:c9:1f:ba:70:bf:b2:1d:4a:7d:57:d7:9e:a1:e8:86:34:e3:
-         fa:ee:3f:26:20:12:f5:15:83:53:a0:91:5d:a9:36:b3:02:a3:
-         42:94:c9:65
+         47:c1:c3:44:7c:3a:d0:65:5b:74:2c:63:3f:73:84:e5:6b:d9:
+         e7:45:33:0f:6a:80:49:2d:8f:23:92:b6:ef:22:e6:d5:07:4c:
+         c7:05:e0:d9:d5:29:b0:bf:a4:9f:b5:fa:c7:d5:79:aa:3f:2e:
+         9b:7d:c2:57:dc:41:cb:d7:63:27:28:8d:13:77:67:63:82:3d:
+         85:1a:06:7e:f9:4d:7c:3a:ca:b5:dd:50:b1:be:5f:d3:8c:0f:
+         73:90:5c:79:0f:c9:86:d4:fd:4b:fc:3e:8c:01:55:1b:2f:33:
+         6d:88:6e:0f:bd:21:38:64:96:7d:2d:95:9e:98:51:77:56:39:
+         6b:a8:2f:e0:9f:16:a4:1d:17:67:23:a3:8b:4f:1a:71:05:f0:
+         eb:e0:a7:7a:8f:ab:9f:f4:81:a8:12:f8:09:a3:f7:83:22:8c:
+         36:5d:45:7f:61:ea:9c:68:96:94:7b:d4:4d:8b:73:d0:65:20:
+         63:cf:75:9d:96:a2:bf:23:f3:2d:60:61:e5:7d:b3:2e:1b:11:
+         01:33:d6:58:6d:b2:c8:d2:5a:78:3a:df:56:fd:15:ac:13:33:
+         62:ce:ba:99:85:7c:00:05:69:d0:fd:ad:87:e5:4d:d3:16:43:
+         44:a6:49:84:74:c7:ea:f0:24:50:c9:c9:4a:5d:d8:be:66:fe:
+         00:47:3f:c0
 -----BEGIN CERTIFICATE-----
 MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
-IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEw
-MjEwMTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEx
+MjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
 U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
 Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
@@ -269,11 +269,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
 EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
 DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
 b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
-aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAPjGNq+g5
-JQqgAVMDEOj52V5RRtri4mBAfOzXwVSPW6EfG0Nk9bOludGdr0VaUwC691NjXHm1
-rQ6zCwWwLsfKH1ITRzib0M21GcH35h0Um4GL5+/ZcDKw8Za2//79g+f+dFUS5JM/
-41R+09MRrtTom3CXZH8S8zgmYjjGQ0I76odngOUYxShU+dMzSrkzHnxFeulkD1D+
-bbCjqsSYfe9TLNEO04sr8z2k3yZQtIusZACJe1r7T7jT9FNjvehFzCxVJWGS/0G3
-J2oWQ/8KJlDvMZ1Pb27qvR1wackfunC/sh1KfVfXnqHohjTj+u4/JiAS9RWDU6CR
-Xak2swKjQpTJZQ==
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAR8HDRHw6
+0GVbdCxjP3OE5WvZ50UzD2qASS2PI5K27yLm1QdMxwXg2dUpsL+kn7X6x9V5qj8u
+m33CV9xBy9djJyiNE3dnY4I9hRoGfvlNfDrKtd1Qsb5f04wPc5BceQ/JhtT9S/w+
+jAFVGy8zbYhuD70hOGSWfS2VnphRd1Y5a6gv4J8WpB0XZyOji08acQXw6+Cneo+r
+n/SBqBL4CaP3gyKMNl1Ff2HqnGiWlHvUTYtz0GUgY891nZaivyPzLWBh5X2zLhsR
+ATPWWG2yyNJaeDrfVv0VrBMzYs66mYV8AAVp0P2th+VN0xZDRKZJhHTH6vAkUMnJ
+Sl3Yvmb+AEc/wA==
 -----END CERTIFICATE-----
diff --git a/certs/ocsp/server4-cert.pem b/certs/ocsp/server4-cert.pem
index 363e12c3d..8d32928f8 100644
--- a/certs/ocsp/server4-cert.pem
+++ b/certs/ocsp/server4-cert.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 8 (0x8)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL intermediate CA 2, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www4.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = www4.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:9c:ef:8a:7e:84:4d:58:7a:b1:91:c8:cb:68:76:
                     df:fe:0a:29:fe:7f:74:35:d5:c3:fd:43:be:d7:89:
@@ -47,27 +47,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22222
 
     Signature Algorithm: sha256WithRSAEncryption
-         41:bd:96:38:c0:f7:87:a4:73:f5:bb:e8:4e:9d:83:45:03:17:
-         19:b8:02:55:73:4f:f7:4e:c8:07:b1:7c:24:97:e8:f1:7c:22:
-         43:ab:52:42:08:8b:d7:64:4d:30:99:e2:84:e8:f0:59:65:65:
-         fa:f4:84:da:b2:9f:84:37:e9:19:5a:0f:7c:4c:a7:6c:ef:81:
-         7d:da:ca:d2:3e:2a:3b:82:99:50:02:2f:39:09:e8:7a:d8:f2:
-         d5:7e:f6:77:bf:6b:f2:33:78:0e:f0:fc:d4:15:2b:04:e8:ea:
-         d6:1d:97:0b:7e:60:17:c1:f7:f0:cb:65:51:a1:65:0c:c0:22:
-         cd:f5:18:bb:20:82:6c:f8:16:79:30:3e:f5:67:a7:9e:8a:7e:
-         ae:f5:49:a1:e6:01:8a:d3:b4:92:8e:b6:ce:18:aa:00:67:f1:
-         19:7d:55:af:3c:5c:29:c3:04:a5:a5:e7:f5:67:af:d9:ca:75:
-         84:3d:6d:74:4e:d5:c8:25:d5:fb:f7:24:5c:83:32:9a:6a:5d:
-         de:20:c3:3c:47:91:6f:2e:39:b7:17:12:fc:b0:93:d2:d6:23:
-         44:c1:71:f4:33:80:21:f1:63:68:26:f7:ad:e4:35:86:3a:5b:
-         26:d6:9d:0e:cf:38:b8:3d:80:30:34:ee:9e:b8:b6:37:19:3c:
-         2d:ed:a3:63
+         78:64:9c:df:50:51:2f:9c:af:d1:32:f5:bd:49:65:84:22:3c:
+         26:3b:90:c9:9e:4c:21:ab:b2:85:35:d3:fc:75:7f:88:46:93:
+         69:d8:62:8b:3e:da:57:d7:f3:07:76:f1:02:33:ea:90:c5:d7:
+         5f:ee:f3:d6:11:8f:59:12:79:7d:f0:ac:cf:28:65:e7:d3:87:
+         86:2e:bf:b7:5b:7b:f8:23:5b:57:a2:85:0b:86:4c:34:db:1f:
+         29:8d:bf:02:df:49:f8:e8:25:3e:72:89:f1:b0:c6:a6:cb:90:
+         d4:29:ef:16:1c:5a:4f:bc:47:e6:dc:ef:68:00:0c:9c:8a:e0:
+         91:56:65:5a:56:f0:16:2d:f5:2c:84:95:c1:ca:07:67:14:a6:
+         f9:9a:df:a5:f4:65:f7:30:5a:d0:a6:14:d4:e7:02:d4:c1:d2:
+         a3:01:0e:52:e8:a1:ac:90:8b:45:ad:d4:3c:d7:27:e5:31:0e:
+         ec:9d:f4:f5:ae:dd:99:85:95:df:b8:07:f3:44:51:b0:4c:37:
+         84:4b:c2:31:f4:82:24:30:d1:93:6f:26:9b:26:d0:02:2c:53:
+         20:b7:c4:1a:c9:1b:1d:82:62:37:fd:f5:ec:ed:13:f1:75:52:
+         a8:ad:d2:f8:56:68:06:df:b4:4a:14:e0:f1:31:5b:b2:be:39:
+         78:0a:b2:9b
 -----BEGIN CERTIFICATE-----
 MIIE7jCCA9agAwIBAgIBCDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM
 IGludGVybWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgZgxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgZgxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD
 VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3
 NC53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC
@@ -84,26 +84,26 @@ U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx
 GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
 b2xmc3NsLmNvbYIBAjALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG
 AQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIyMA0GCSqGSIb3DQEBCwUAA4IB
-AQBBvZY4wPeHpHP1u+hOnYNFAxcZuAJVc0/3TsgHsXwkl+jxfCJDq1JCCIvXZE0w
-meKE6PBZZWX69ITasp+EN+kZWg98TKds74F92srSPio7gplQAi85Ceh62PLVfvZ3
-v2vyM3gO8PzUFSsE6OrWHZcLfmAXwffwy2VRoWUMwCLN9Ri7IIJs+BZ5MD71Z6ee
-in6u9Umh5gGK07SSjrbOGKoAZ/EZfVWvPFwpwwSlpef1Z6/ZynWEPW10TtXIJdX7
-9yRcgzKaal3eIMM8R5FvLjm3FxL8sJPS1iNEwXH0M4Ah8WNoJvet5DWGOlsm1p0O
-zzi4PYAwNO6euLY3GTwt7aNj
+AQB4ZJzfUFEvnK/RMvW9SWWEIjwmO5DJnkwhq7KFNdP8dX+IRpNp2GKLPtpX1/MH
+dvECM+qQxddf7vPWEY9ZEnl98KzPKGXn04eGLr+3W3v4I1tXooULhkw02x8pjb8C
+30n46CU+conxsMamy5DUKe8WHFpPvEfm3O9oAAyciuCRVmVaVvAWLfUshJXBygdn
+FKb5mt+l9GX3MFrQphTU5wLUwdKjAQ5S6KGskItFrdQ81yflMQ7snfT1rt2ZhZXf
+uAfzRFGwTDeES8Ix9IIkMNGTbyabJtACLFMgt8QayRsdgmI3/fXs7RPxdVKordL4
+VmgG37RKFODxMVuyvjl4CrKb
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 2 (0x2)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL intermediate CA 2, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d0:20:3c:35:19:6f:2c:44:b4:7e:42:c7:75:b4:
                     6a:2b:a9:23:85:bf:87:b4:ee:ca:d7:4b:1f:31:d7:
@@ -140,27 +140,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22220
 
     Signature Algorithm: sha256WithRSAEncryption
-         0c:13:dc:c2:28:a2:be:bb:0b:8e:29:28:aa:7a:99:04:e5:88:
-         c6:67:7e:8d:3f:8a:68:3a:7f:c5:e2:d0:ed:c9:95:4c:40:f2:
-         7a:87:73:17:fb:f8:c4:bf:1b:ff:54:be:33:6d:15:e3:4f:70:
-         f4:60:27:b2:67:cd:0e:0f:2a:81:ee:dc:9d:48:37:74:8a:4c:
-         11:47:23:f0:5d:7c:c1:78:70:1d:c1:87:db:26:b0:86:a8:42:
-         3d:87:87:43:e7:d9:3a:a8:5c:c5:66:a4:d5:4e:9b:d9:44:b2:
-         41:30:10:94:3b:fd:00:dc:02:63:05:d7:a1:75:ad:54:28:9e:
-         e4:07:3c:af:68:89:9b:71:96:21:ff:d6:4e:1d:d0:02:d5:21:
-         7d:ae:d8:07:96:6c:1f:ca:a5:ef:54:13:92:be:3c:7d:c0:65:
-         bf:5c:bb:ff:46:c2:69:0f:4c:29:70:6d:b7:52:d5:ed:9e:e4:
-         89:dc:41:0d:0a:94:bc:69:b3:dc:8a:a9:45:25:f1:2c:9b:5b:
-         85:bc:69:fb:94:31:05:2c:17:fa:78:28:36:78:7f:f9:0c:4f:
-         22:36:05:fe:bf:59:9d:5d:1f:9a:5e:8e:d8:1d:62:4d:d6:2d:
-         73:d6:26:c1:a5:bc:e3:62:81:fc:1e:cb:7f:3e:c3:00:c9:b0:
-         e0:c6:1f:c3
+         33:da:33:9a:28:e3:e7:b0:25:c2:d9:94:9d:7e:46:98:3d:ac:
+         08:f4:30:15:04:e0:fc:e2:4a:19:f1:0e:82:07:59:43:cd:0c:
+         b5:0c:55:2c:01:d2:78:22:e3:cd:38:75:13:36:ce:66:7b:17:
+         86:ac:a3:98:e5:36:ae:37:4d:77:e6:02:e1:d8:77:d4:53:96:
+         74:57:ca:6a:40:a3:de:38:e2:70:21:72:be:43:72:69:a1:d7:
+         fb:6d:7a:d3:db:5a:21:aa:d1:d3:7e:e4:76:54:3b:d3:19:68:
+         7e:61:96:46:4f:de:d5:fe:f4:3b:8d:1c:24:b2:cb:4c:ff:8f:
+         ec:6a:13:28:ef:53:3b:12:f5:67:e1:d7:93:d2:eb:39:1d:72:
+         13:79:a0:63:70:12:51:67:0d:d7:d2:4d:37:c3:fc:4d:ed:45:
+         76:33:0e:82:af:d5:49:b8:f6:2f:fe:0e:93:d3:b7:6a:ab:e6:
+         e3:11:4f:04:50:5f:f8:13:4a:30:82:f4:56:c0:1d:ed:de:19:
+         2c:62:a3:f2:1b:6a:8b:a1:b5:1a:cb:0a:e6:3c:b4:67:1a:2a:
+         82:b4:78:a8:5f:a0:5d:22:34:dc:1c:3c:a8:77:6f:23:e0:6f:
+         b7:3e:36:52:21:64:89:1e:50:85:59:a7:cf:2b:f5:13:37:26:
+         62:27:85:34
 -----BEGIN CERTIFICATE-----
 MIIE8DCCA9igAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
-IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEw
-MjEwMTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEx
+MjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
 U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy
 bWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB
@@ -177,26 +177,26 @@ DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu
 ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv
 QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI
 KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD
-ggEBAAwT3MIoor67C44pKKp6mQTliMZnfo0/img6f8Xi0O3JlUxA8nqHcxf7+MS/
-G/9UvjNtFeNPcPRgJ7JnzQ4PKoHu3J1IN3SKTBFHI/BdfMF4cB3Bh9smsIaoQj2H
-h0Pn2TqoXMVmpNVOm9lEskEwEJQ7/QDcAmMF16F1rVQonuQHPK9oiZtxliH/1k4d
-0ALVIX2u2AeWbB/Kpe9UE5K+PH3AZb9cu/9GwmkPTClwbbdS1e2e5IncQQ0KlLxp
-s9yKqUUl8SybW4W8afuUMQUsF/p4KDZ4f/kMTyI2Bf6/WZ1dH5pejtgdYk3WLXPW
-JsGlvONigfwey38+wwDJsODGH8M=
+ggEBADPaM5oo4+ewJcLZlJ1+Rpg9rAj0MBUE4PziShnxDoIHWUPNDLUMVSwB0ngi
+4804dRM2zmZ7F4aso5jlNq43TXfmAuHYd9RTlnRXympAo9444nAhcr5Dcmmh1/tt
+etPbWiGq0dN+5HZUO9MZaH5hlkZP3tX+9DuNHCSyy0z/j+xqEyjvUzsS9Wfh15PS
+6zkdchN5oGNwElFnDdfSTTfD/E3tRXYzDoKv1Um49i/+DpPTt2qr5uMRTwRQX/gT
+SjCC9FbAHe3eGSxio/IbaouhtRrLCuY8tGcaKoK0eKhfoF0iNNwcPKh3byPgb7c+
+NlIhZIkeUIVZp88r9RM3JmInhTQ=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 99 (0x63)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
                     bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
@@ -233,27 +233,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22220
 
     Signature Algorithm: sha256WithRSAEncryption
-         3e:31:8d:ab:e8:39:25:0a:a0:01:53:03:10:e8:f9:d9:5e:51:
-         46:da:e2:e2:60:40:7c:ec:d7:c1:54:8f:5b:a1:1f:1b:43:64:
-         f5:b3:a5:b9:d1:9d:af:45:5a:53:00:ba:f7:53:63:5c:79:b5:
-         ad:0e:b3:0b:05:b0:2e:c7:ca:1f:52:13:47:38:9b:d0:cd:b5:
-         19:c1:f7:e6:1d:14:9b:81:8b:e7:ef:d9:70:32:b0:f1:96:b6:
-         ff:fe:fd:83:e7:fe:74:55:12:e4:93:3f:e3:54:7e:d3:d3:11:
-         ae:d4:e8:9b:70:97:64:7f:12:f3:38:26:62:38:c6:43:42:3b:
-         ea:87:67:80:e5:18:c5:28:54:f9:d3:33:4a:b9:33:1e:7c:45:
-         7a:e9:64:0f:50:fe:6d:b0:a3:aa:c4:98:7d:ef:53:2c:d1:0e:
-         d3:8b:2b:f3:3d:a4:df:26:50:b4:8b:ac:64:00:89:7b:5a:fb:
-         4f:b8:d3:f4:53:63:bd:e8:45:cc:2c:55:25:61:92:ff:41:b7:
-         27:6a:16:43:ff:0a:26:50:ef:31:9d:4f:6f:6e:ea:bd:1d:70:
-         69:c9:1f:ba:70:bf:b2:1d:4a:7d:57:d7:9e:a1:e8:86:34:e3:
-         fa:ee:3f:26:20:12:f5:15:83:53:a0:91:5d:a9:36:b3:02:a3:
-         42:94:c9:65
+         47:c1:c3:44:7c:3a:d0:65:5b:74:2c:63:3f:73:84:e5:6b:d9:
+         e7:45:33:0f:6a:80:49:2d:8f:23:92:b6:ef:22:e6:d5:07:4c:
+         c7:05:e0:d9:d5:29:b0:bf:a4:9f:b5:fa:c7:d5:79:aa:3f:2e:
+         9b:7d:c2:57:dc:41:cb:d7:63:27:28:8d:13:77:67:63:82:3d:
+         85:1a:06:7e:f9:4d:7c:3a:ca:b5:dd:50:b1:be:5f:d3:8c:0f:
+         73:90:5c:79:0f:c9:86:d4:fd:4b:fc:3e:8c:01:55:1b:2f:33:
+         6d:88:6e:0f:bd:21:38:64:96:7d:2d:95:9e:98:51:77:56:39:
+         6b:a8:2f:e0:9f:16:a4:1d:17:67:23:a3:8b:4f:1a:71:05:f0:
+         eb:e0:a7:7a:8f:ab:9f:f4:81:a8:12:f8:09:a3:f7:83:22:8c:
+         36:5d:45:7f:61:ea:9c:68:96:94:7b:d4:4d:8b:73:d0:65:20:
+         63:cf:75:9d:96:a2:bf:23:f3:2d:60:61:e5:7d:b3:2e:1b:11:
+         01:33:d6:58:6d:b2:c8:d2:5a:78:3a:df:56:fd:15:ac:13:33:
+         62:ce:ba:99:85:7c:00:05:69:d0:fd:ad:87:e5:4d:d3:16:43:
+         44:a6:49:84:74:c7:ea:f0:24:50:c9:c9:4a:5d:d8:be:66:fe:
+         00:47:3f:c0
 -----BEGIN CERTIFICATE-----
 MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
-IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEw
-MjEwMTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEx
+MjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
 U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
 Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
@@ -269,11 +269,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
 EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
 DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
 b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
-aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAPjGNq+g5
-JQqgAVMDEOj52V5RRtri4mBAfOzXwVSPW6EfG0Nk9bOludGdr0VaUwC691NjXHm1
-rQ6zCwWwLsfKH1ITRzib0M21GcH35h0Um4GL5+/ZcDKw8Za2//79g+f+dFUS5JM/
-41R+09MRrtTom3CXZH8S8zgmYjjGQ0I76odngOUYxShU+dMzSrkzHnxFeulkD1D+
-bbCjqsSYfe9TLNEO04sr8z2k3yZQtIusZACJe1r7T7jT9FNjvehFzCxVJWGS/0G3
-J2oWQ/8KJlDvMZ1Pb27qvR1wackfunC/sh1KfVfXnqHohjTj+u4/JiAS9RWDU6CR
-Xak2swKjQpTJZQ==
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAR8HDRHw6
+0GVbdCxjP3OE5WvZ50UzD2qASS2PI5K27yLm1QdMxwXg2dUpsL+kn7X6x9V5qj8u
+m33CV9xBy9djJyiNE3dnY4I9hRoGfvlNfDrKtd1Qsb5f04wPc5BceQ/JhtT9S/w+
+jAFVGy8zbYhuD70hOGSWfS2VnphRd1Y5a6gv4J8WpB0XZyOji08acQXw6+Cneo+r
+n/SBqBL4CaP3gyKMNl1Ff2HqnGiWlHvUTYtz0GUgY891nZaivyPzLWBh5X2zLhsR
+ATPWWG2yyNJaeDrfVv0VrBMzYs66mYV8AAVp0P2th+VN0xZDRKZJhHTH6vAkUMnJ
+Sl3Yvmb+AEc/wA==
 -----END CERTIFICATE-----
diff --git a/certs/ocsp/server5-cert.pem b/certs/ocsp/server5-cert.pem
index 5db230d70..243328f5f 100644
--- a/certs/ocsp/server5-cert.pem
+++ b/certs/ocsp/server5-cert.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 9 (0x9)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL REVOKED intermediate CA, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www5.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = www5.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:ac:73:6d:e9:fa:8c:36:72:3e:89:3b:52:29:bd:
                     14:70:a2:00:b4:08:58:b6:c6:c0:bf:80:6a:1f:a5:
@@ -47,27 +47,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22223
 
     Signature Algorithm: sha256WithRSAEncryption
-         82:34:f3:94:21:59:85:fb:8f:9e:ae:df:bb:ab:ba:4b:80:75:
-         c2:eb:1b:58:5d:45:d4:df:6c:a6:8a:8f:84:00:7a:da:00:71:
-         a3:89:07:52:78:04:05:ba:3d:aa:fd:0b:1e:82:22:12:a1:98:
-         39:fb:b8:91:92:dc:4a:a6:33:f9:fd:3b:a7:7d:96:63:ec:cd:
-         5c:ac:db:9d:dd:5c:0c:70:1e:31:61:e1:1c:38:b6:e4:d7:e1:
-         98:44:8e:20:ae:36:2c:e8:be:8b:82:38:f6:2e:46:46:a2:43:
-         51:e1:cd:fb:1d:f5:fe:14:57:fe:b4:55:6d:0c:55:45:3f:96:
-         96:7a:3c:be:40:31:27:69:d7:18:d2:7b:af:be:a9:7f:fe:fe:
-         75:b4:8c:ae:d8:48:9c:f6:60:ba:69:dd:1a:fe:ec:04:53:5e:
-         a9:04:91:46:89:4b:5d:01:79:36:66:ea:25:1c:af:fe:44:59:
-         90:3f:b0:4d:51:a4:ec:d9:c2:d1:35:12:79:26:ea:a4:99:b2:
-         ac:e6:7b:bc:bd:d1:06:d3:fe:5b:35:2e:58:46:30:bf:8c:1f:
-         15:da:e9:7e:3a:68:4c:85:89:38:2a:a2:6c:6d:14:25:17:32:
-         d2:96:0b:67:b9:c5:7b:de:ef:1a:13:b8:8a:d7:8f:db:b7:73:
-         cd:5b:d8:fc
+         ad:33:0c:6b:85:02:09:19:f8:19:dc:f8:ae:ac:25:c5:59:44:
+         72:f4:9b:da:ef:3c:54:35:4c:73:f8:8f:c5:53:e1:fe:63:a4:
+         b2:05:ea:01:bc:50:35:d0:10:70:31:9a:6c:df:92:1d:25:d2:
+         8f:2d:12:e1:f1:41:4d:c5:45:65:35:81:7d:ea:88:5d:77:d7:
+         73:96:ec:eb:90:7c:c9:43:bb:8f:80:24:ca:99:65:2d:ef:40:
+         12:54:27:e1:65:3b:88:45:bc:3e:0f:37:ec:d2:84:d7:80:9d:
+         15:f4:9b:64:c2:d7:73:60:10:00:98:9e:61:9b:c8:32:33:cc:
+         1b:d4:75:be:c1:63:c7:78:ef:72:70:4a:ba:df:c2:70:49:c7:
+         ea:19:74:76:51:72:3f:48:65:3c:58:f8:12:85:52:b1:ed:67:
+         0f:71:0e:a3:cf:b8:7a:9e:af:f4:92:ed:bf:7f:f0:b8:1d:ac:
+         d9:62:13:98:82:7c:a3:51:30:9e:f2:a7:21:ab:33:6c:8e:be:
+         28:2b:29:d5:62:f3:c5:6e:87:f2:cd:88:d3:50:c4:6a:54:c6:
+         fa:fb:0a:29:4c:93:c2:e2:fb:02:86:2a:66:a9:d1:6f:c5:6c:
+         91:3f:88:79:52:c1:b0:e1:29:00:3b:d5:9e:07:05:83:1e:b0:
+         2c:ed:1b:89
 -----BEGIN CERTIFICATE-----
 MIIE9DCCA9ygAwIBAgIBCTANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NM
 IFJFVk9LRUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
-bGZzc2wuY29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgZgxCzAJ
+bGZzc2wuY29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgZgxCzAJ
 BgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxl
 MRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UE
 AwwQd3d3NS53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns
@@ -84,26 +84,26 @@ A1UEBwwHU2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5l
 ZXJpbmcxGDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQ
 aW5mb0B3b2xmc3NsLmNvbYIBAzALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAk
 MCIGCCsGAQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIzMA0GCSqGSIb3DQEB
-CwUAA4IBAQCCNPOUIVmF+4+ert+7q7pLgHXC6xtYXUXU32ymio+EAHraAHGjiQdS
-eAQFuj2q/QsegiISoZg5+7iRktxKpjP5/TunfZZj7M1crNud3VwMcB4xYeEcOLbk
-1+GYRI4grjYs6L6Lgjj2LkZGokNR4c37HfX+FFf+tFVtDFVFP5aWejy+QDEnadcY
-0nuvvql//v51tIyu2Eic9mC6ad0a/uwEU16pBJFGiUtdAXk2ZuolHK/+RFmQP7BN
-UaTs2cLRNRJ5JuqkmbKs5nu8vdEG0/5bNS5YRjC/jB8V2ul+OmhMhYk4KqJsbRQl
-FzLSlgtnucV73u8aE7iK14/bt3PNW9j8
+CwUAA4IBAQCtMwxrhQIJGfgZ3PiurCXFWURy9Jva7zxUNUxz+I/FU+H+Y6SyBeoB
+vFA10BBwMZps35IdJdKPLRLh8UFNxUVlNYF96ohdd9dzluzrkHzJQ7uPgCTKmWUt
+70ASVCfhZTuIRbw+Dzfs0oTXgJ0V9JtkwtdzYBAAmJ5hm8gyM8wb1HW+wWPHeO9y
+cEq638JwScfqGXR2UXI/SGU8WPgShVKx7WcPcQ6jz7h6nq/0ku2/f/C4HazZYhOY
+gnyjUTCe8qchqzNsjr4oKynVYvPFbofyzYjTUMRqVMb6+wopTJPC4vsChipmqdFv
+xWyRP4h5UsGw4SkAO9WeBwWDHrAs7RuJ
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 3 (0x3)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL REVOKED intermediate CA, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:de:c5:04:10:7d:c2:21:e9:12:45:da:d5:ba:28:
                     fd:a6:f4:30:44:a0:df:f9:70:5e:17:26:97:59:5c:
@@ -140,27 +140,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22220
 
     Signature Algorithm: sha256WithRSAEncryption
-         9d:2f:66:43:34:cc:a4:d7:ae:09:81:ec:ca:bf:9e:e0:d6:28:
-         a0:25:63:5e:16:0a:e9:60:2c:c1:e6:36:5d:92:f0:7c:4a:22:
-         10:94:9b:1a:c6:8f:c3:a9:bb:69:53:b8:aa:30:91:c5:32:19:
-         35:7a:3e:86:af:f9:39:74:44:6e:5c:39:f6:b6:62:0c:33:8e:
-         f6:b9:d2:a7:e0:22:df:a3:4f:48:e4:04:f1:f7:20:f5:36:55:
-         a1:3d:08:ae:a9:12:eb:a8:97:59:6f:a0:b8:f0:ab:73:22:01:
-         cc:cc:96:29:ae:5f:46:ac:4e:47:1a:b9:8d:06:7e:88:67:5e:
-         16:12:64:37:85:2a:d8:f3:27:cd:fa:86:fc:84:4b:51:3a:f1:
-         c7:1a:27:8d:54:49:e6:cb:82:bb:7c:b3:3f:2f:10:d5:3a:74:
-         e5:36:7b:b5:c4:58:a4:48:35:af:35:ad:3d:44:74:44:83:99:
-         d0:a1:c6:2f:5f:f3:58:1a:33:2f:6c:4e:8e:44:ce:2a:ba:e9:
-         c6:7d:9f:22:12:44:05:38:f7:87:54:4d:8d:ac:72:1c:5a:2a:
-         74:9d:3b:30:31:d6:a9:39:d4:d6:0e:63:f8:46:07:ab:7f:01:
-         31:cc:85:91:72:10:37:94:c4:ec:f9:9d:7f:81:25:cb:ce:55:
-         48:85:86:2e
+         4f:75:6b:7a:dc:f9:b0:8a:03:c2:b6:7b:d8:b7:39:d2:97:35:
+         5b:b7:f7:fa:01:a5:a4:a8:e6:33:ef:99:1f:c4:36:6b:9a:f4:
+         50:8f:70:9a:c8:82:6d:fd:28:80:45:eb:13:60:cb:67:81:29:
+         f3:63:c5:8b:4a:96:a6:62:62:24:86:ad:f3:6b:49:a9:e1:9b:
+         8c:cd:fa:b5:53:1b:fb:0d:a1:c4:e2:b7:64:b4:50:18:8b:aa:
+         84:21:0f:26:e0:c7:0f:b2:4e:1e:70:14:0d:e9:1e:e2:b7:a0:
+         d6:4f:e8:ed:77:cd:bc:dd:63:3c:cf:67:4b:27:b5:f1:91:b7:
+         c2:7a:0a:ca:3a:87:7a:f4:50:8a:6a:19:f7:f6:a0:c1:76:78:
+         d9:27:c1:33:10:02:1c:96:ae:d5:ca:f8:08:15:cc:2a:64:b6:
+         37:cf:05:37:4b:c5:f3:8a:ef:b2:cb:07:b5:04:48:c9:c5:00:
+         05:8f:f6:fc:3b:89:6a:57:f6:15:ea:93:85:8b:0a:e7:71:0e:
+         32:fa:90:4a:74:6f:71:25:f1:c5:5a:1d:5e:10:e0:25:43:3f:
+         8d:76:d4:f5:70:68:50:76:20:d7:f1:4e:eb:75:06:f7:81:20:
+         19:5c:03:cb:25:fe:36:93:6c:68:16:e0:64:c9:86:47:5c:44:
+         b3:96:6b:e9
 -----BEGIN CERTIFICATE-----
 MIIE9jCCA96gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
-IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEw
-MjEwMTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBpzELMAkGA1UEBhMCVVMxEzARBgNV
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEx
+MjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBpzELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
 U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NMIFJFVk9L
 RUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
@@ -177,26 +177,26 @@ DgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdp
 bmVlcmluZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkB
 FhBpbmZvQHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQm
 MCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcN
-AQELBQADggEBAJ0vZkM0zKTXrgmB7Mq/nuDWKKAlY14WCulgLMHmNl2S8HxKIhCU
-mxrGj8Opu2lTuKowkcUyGTV6Poav+Tl0RG5cOfa2Ygwzjva50qfgIt+jT0jkBPH3
-IPU2VaE9CK6pEuuol1lvoLjwq3MiAczMlimuX0asTkcauY0GfohnXhYSZDeFKtjz
-J836hvyES1E68ccaJ41USebLgrt8sz8vENU6dOU2e7XEWKRINa81rT1EdESDmdCh
-xi9f81gaMy9sTo5Eziq66cZ9nyISRAU494dUTY2schxaKnSdOzAx1qk51NYOY/hG
-B6t/ATHMhZFyEDeUxOz5nX+BJcvOVUiFhi4=
+AQELBQADggEBAE91a3rc+bCKA8K2e9i3OdKXNVu39/oBpaSo5jPvmR/ENmua9FCP
+cJrIgm39KIBF6xNgy2eBKfNjxYtKlqZiYiSGrfNrSanhm4zN+rVTG/sNocTit2S0
+UBiLqoQhDybgxw+yTh5wFA3pHuK3oNZP6O13zbzdYzzPZ0sntfGRt8J6Cso6h3r0
+UIpqGff2oMF2eNknwTMQAhyWrtXK+AgVzCpktjfPBTdLxfOK77LLB7UESMnFAAWP
+9vw7iWpX9hXqk4WLCudxDjL6kEp0b3El8cVaHV4Q4CVDP4121PVwaFB2INfxTut1
+BveBIBlcA8sl/jaTbGgW4GTJhkdcRLOWa+k=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 99 (0x63)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
                     bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
@@ -233,27 +233,27 @@ Certificate:
                 OCSP - URI:http://127.0.0.1:22220
 
     Signature Algorithm: sha256WithRSAEncryption
-         3e:31:8d:ab:e8:39:25:0a:a0:01:53:03:10:e8:f9:d9:5e:51:
-         46:da:e2:e2:60:40:7c:ec:d7:c1:54:8f:5b:a1:1f:1b:43:64:
-         f5:b3:a5:b9:d1:9d:af:45:5a:53:00:ba:f7:53:63:5c:79:b5:
-         ad:0e:b3:0b:05:b0:2e:c7:ca:1f:52:13:47:38:9b:d0:cd:b5:
-         19:c1:f7:e6:1d:14:9b:81:8b:e7:ef:d9:70:32:b0:f1:96:b6:
-         ff:fe:fd:83:e7:fe:74:55:12:e4:93:3f:e3:54:7e:d3:d3:11:
-         ae:d4:e8:9b:70:97:64:7f:12:f3:38:26:62:38:c6:43:42:3b:
-         ea:87:67:80:e5:18:c5:28:54:f9:d3:33:4a:b9:33:1e:7c:45:
-         7a:e9:64:0f:50:fe:6d:b0:a3:aa:c4:98:7d:ef:53:2c:d1:0e:
-         d3:8b:2b:f3:3d:a4:df:26:50:b4:8b:ac:64:00:89:7b:5a:fb:
-         4f:b8:d3:f4:53:63:bd:e8:45:cc:2c:55:25:61:92:ff:41:b7:
-         27:6a:16:43:ff:0a:26:50:ef:31:9d:4f:6f:6e:ea:bd:1d:70:
-         69:c9:1f:ba:70:bf:b2:1d:4a:7d:57:d7:9e:a1:e8:86:34:e3:
-         fa:ee:3f:26:20:12:f5:15:83:53:a0:91:5d:a9:36:b3:02:a3:
-         42:94:c9:65
+         47:c1:c3:44:7c:3a:d0:65:5b:74:2c:63:3f:73:84:e5:6b:d9:
+         e7:45:33:0f:6a:80:49:2d:8f:23:92:b6:ef:22:e6:d5:07:4c:
+         c7:05:e0:d9:d5:29:b0:bf:a4:9f:b5:fa:c7:d5:79:aa:3f:2e:
+         9b:7d:c2:57:dc:41:cb:d7:63:27:28:8d:13:77:67:63:82:3d:
+         85:1a:06:7e:f9:4d:7c:3a:ca:b5:dd:50:b1:be:5f:d3:8c:0f:
+         73:90:5c:79:0f:c9:86:d4:fd:4b:fc:3e:8c:01:55:1b:2f:33:
+         6d:88:6e:0f:bd:21:38:64:96:7d:2d:95:9e:98:51:77:56:39:
+         6b:a8:2f:e0:9f:16:a4:1d:17:67:23:a3:8b:4f:1a:71:05:f0:
+         eb:e0:a7:7a:8f:ab:9f:f4:81:a8:12:f8:09:a3:f7:83:22:8c:
+         36:5d:45:7f:61:ea:9c:68:96:94:7b:d4:4d:8b:73:d0:65:20:
+         63:cf:75:9d:96:a2:bf:23:f3:2d:60:61:e5:7d:b3:2e:1b:11:
+         01:33:d6:58:6d:b2:c8:d2:5a:78:3a:df:56:fd:15:ac:13:33:
+         62:ce:ba:99:85:7c:00:05:69:d0:fd:ad:87:e5:4d:d3:16:43:
+         44:a6:49:84:74:c7:ea:f0:24:50:c9:c9:4a:5d:d8:be:66:fe:
+         00:47:3f:c0
 -----BEGIN CERTIFICATE-----
 MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
 B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
-IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEw
-MjEwMTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEx
+MjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
 BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
 U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
 Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
@@ -269,11 +269,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
 EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
 DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
 b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
-aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAPjGNq+g5
-JQqgAVMDEOj52V5RRtri4mBAfOzXwVSPW6EfG0Nk9bOludGdr0VaUwC691NjXHm1
-rQ6zCwWwLsfKH1ITRzib0M21GcH35h0Um4GL5+/ZcDKw8Za2//79g+f+dFUS5JM/
-41R+09MRrtTom3CXZH8S8zgmYjjGQ0I76odngOUYxShU+dMzSrkzHnxFeulkD1D+
-bbCjqsSYfe9TLNEO04sr8z2k3yZQtIusZACJe1r7T7jT9FNjvehFzCxVJWGS/0G3
-J2oWQ/8KJlDvMZ1Pb27qvR1wackfunC/sh1KfVfXnqHohjTj+u4/JiAS9RWDU6CR
-Xak2swKjQpTJZQ==
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAR8HDRHw6
+0GVbdCxjP3OE5WvZ50UzD2qASS2PI5K27yLm1QdMxwXg2dUpsL+kn7X6x9V5qj8u
+m33CV9xBy9djJyiNE3dnY4I9hRoGfvlNfDrKtd1Qsb5f04wPc5BceQ/JhtT9S/w+
+jAFVGy8zbYhuD70hOGSWfS2VnphRd1Y5a6gv4J8WpB0XZyOji08acQXw6+Cneo+r
+n/SBqBL4CaP3gyKMNl1Ff2HqnGiWlHvUTYtz0GUgY891nZaivyPzLWBh5X2zLhsR
+ATPWWG2yyNJaeDrfVv0VrBMzYs66mYV8AAVp0P2th+VN0xZDRKZJhHTH6vAkUMnJ
+Sl3Yvmb+AEc/wA==
 -----END CERTIFICATE-----
diff --git a/certs/p521/ca-p521.der b/certs/p521/ca-p521.der
index 8b4a6c3c5..6fa345bab 100644
Binary files a/certs/p521/ca-p521.der and b/certs/p521/ca-p521.der differ
diff --git a/certs/p521/ca-p521.pem b/certs/p521/ca-p521.pem
index 0cb238d4f..4a0c9ef5d 100644
--- a/certs/p521/ca-p521.pem
+++ b/certs/p521/ca-p521.pem
@@ -2,16 +2,16 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
-    Signature Algorithm: ecdsa-with-SHA256
-        Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_P521, OU=Root-P521, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_P521, OU = Root-P521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_p521, OU=CA-p521, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = CA-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (521 bit)
-                pub: 
+                pub:
                     04:00:2d:18:24:2d:e4:db:6c:c3:69:9b:db:18:67:
                     33:f1:60:68:94:14:cd:91:4a:57:65:ef:36:fa:24:
                     82:88:ec:c7:f0:cb:48:45:6e:96:5f:7f:eb:76:be:
@@ -34,20 +34,20 @@ Certificate:
             X509v3 Key Usage: critical
                 Digital Signature, Certificate Sign, CRL Sign
     Signature Algorithm: ecdsa-with-SHA256
-         30:81:88:02:42:01:c4:4b:30:70:d8:b3:34:56:15:6a:b2:dc:
-         09:af:f9:f8:a2:b8:6b:e7:46:8c:5e:95:77:d0:db:92:6a:d4:
-         05:33:4b:94:66:eb:6c:02:50:c0:11:21:65:d8:47:c2:0c:6d:
-         10:c4:3b:93:97:66:ca:71:b0:a4:51:3d:e1:e9:71:c7:87:02:
-         42:00:a1:73:18:75:c7:aa:77:88:49:cd:5f:e6:7b:f5:c3:b0:
-         77:27:ed:23:08:7c:aa:ba:a0:40:21:69:98:6b:95:fe:97:fb:
-         26:70:5b:6b:52:1f:42:9b:7d:8c:81:91:bc:2a:b6:eb:b7:3a:
-         99:20:c7:17:44:61:ee:50:f2:e9:8d:ca:21
+         30:81:87:02:42:00:a3:76:dd:2a:a5:1f:c4:b6:11:fe:8c:62:
+         a2:7a:fe:a0:9b:04:3a:11:f5:6e:ef:ad:86:54:5a:cd:4d:dd:
+         8c:27:f3:1f:9c:c4:7f:b5:8f:f5:5b:f7:60:31:6e:d9:a3:c6:
+         41:29:43:0b:14:15:75:56:ef:ca:bd:30:6d:41:91:71:f4:02:
+         41:14:2e:c9:57:8a:41:0c:af:a0:bc:3c:21:bd:4b:ea:08:fc:
+         61:61:f7:85:92:d1:42:1e:3a:92:40:73:18:45:df:ff:d8:fe:
+         eb:cd:61:30:66:ef:60:31:04:bc:e0:4d:1e:c1:95:df:eb:eb:
+         cd:08:70:76:4c:5c:f3:bf:f6:ac:0d:7d
 -----BEGIN CERTIFICATE-----
-MIIDCDCCAmmgAwIBAgIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEDAO
+MIIDBzCCAmmgAwIBAgIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEDAO
 BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZT
 U0xfUDUyMTESMBAGA1UECwwJUm9vdC1QNTIxMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBlTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBlTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
 B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZTU0xfcDUy
 MTEQMA4GA1UECwwHQ0EtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8w
 HQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIGbMBAGByqGSM49AgEGBSuB
@@ -56,8 +56,8 @@ f+t2vkRAwxnAM2jEBgSOwiWxloMiDnvHsvwBhpHtQ1044AwljbPbsdzetyGAz4fe
 ZPQhPi2veb320ABLgXn69xCqGc1A1x51NFMpA+1IVCHlj5W1m0GNX91y0lqjYzBh
 MB0GA1UdDgQWBBRAiR0wXgxu1T3G1SWQ2rZCZ+3pgjAfBgNVHSMEGDAWgBRkp2iV
 UzMYoiCSvGRVpqvKdmibyDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
-hjAKBggqhkjOPQQDAgOBjAAwgYgCQgHESzBw2LM0VhVqstwJr/n4orhr50aMXpV3
-0NuSatQFM0uUZutsAlDAESFl2EfCDG0QxDuTl2bKcbCkUT3h6XHHhwJCAKFzGHXH
-qneISc1f5nv1w7B3J+0jCHyquqBAIWmYa5X+l/smcFtrUh9Cm32MgZG8KrbrtzqZ
-IMcXRGHuUPLpjcoh
+hjAKBggqhkjOPQQDAgOBiwAwgYcCQgCjdt0qpR/EthH+jGKiev6gmwQ6EfVu762G
+VFrNTd2MJ/MfnMR/tY/1W/dgMW7Zo8ZBKUMLFBV1Vu/KvTBtQZFx9AJBFC7JV4pB
+DK+gvDwhvUvqCPxhYfeFktFCHjqSQHMYRd//2P7rzWEwZu9gMQS84E0ewZXf6+vN
+CHB2TFzzv/asDX0=
 -----END CERTIFICATE-----
diff --git a/certs/p521/client-p521.der b/certs/p521/client-p521.der
index 0d702148a..13b4a14fe 100644
Binary files a/certs/p521/client-p521.der and b/certs/p521/client-p521.der differ
diff --git a/certs/p521/client-p521.pem b/certs/p521/client-p521.pem
index 686d42ad9..b41f70339 100644
--- a/certs/p521/client-p521.pem
+++ b/certs/p521/client-p521.pem
@@ -1,17 +1,18 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 12773897163527651161 (0xb145ffca8d6f7f59)
-    Signature Algorithm: ecdsa-with-SHA256
-        Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_p521, OU=Client-p521, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            41:d5:90:0a:8b:ab:9e:c5:35:4c:33:94:58:48:fd:04:38:10:b7:ac
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = Client-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_p521, OU=Client-p521, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = Client-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (521 bit)
-                pub: 
+                pub:
                     04:01:62:6e:f1:00:ec:d8:99:58:9b:80:6b:fe:2c:
                     f1:b2:f0:c8:48:df:ac:d2:3b:71:29:ab:f0:66:63:
                     d8:8e:b5:c8:c2:fc:99:44:e2:45:b1:5a:7b:b9:73:
@@ -29,7 +30,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:20:E1:BF:57:E5:F3:C3:0C:72:84:6A:C6:DF:BC:22:D0:B7:25:E5:A4
                 DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_p521/OU=Client-p521/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:B1:45:FF:CA:8D:6F:7F:59
+                serial:41:D5:90:0A:8B:AB:9E:C5:35:4C:33:94:58:48:FD:04:38:10:B7:AC
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -38,35 +39,35 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: ecdsa-with-SHA256
-         30:81:88:02:42:00:b5:3e:42:5d:77:b3:41:07:f0:82:b1:00:
-         e9:d4:a7:12:bb:53:c8:8e:27:b5:1c:94:87:ab:41:02:fb:11:
-         a5:ce:6e:5d:6b:b6:61:eb:66:a3:40:78:cb:71:a7:77:fc:d6:
-         df:83:dd:07:85:3c:f4:32:4f:d2:78:41:39:96:7d:8f:47:02:
-         42:00:8a:cb:77:0c:8f:60:3b:48:cd:55:44:f1:c2:7d:b2:53:
-         d0:59:45:d2:89:4a:67:fd:b8:64:c2:f8:83:5e:17:52:4d:83:
-         b4:77:81:77:21:3b:82:1e:a4:3a:61:ba:a3:49:32:3a:af:60:
-         c5:4e:bf:77:95:1e:7b:21:6b:1c:3a:c7:c3
+         30:81:87:02:41:5e:95:d3:c6:5c:d1:15:37:81:57:e3:ab:ea:
+         78:20:06:9d:5a:c3:53:c6:df:a7:2c:a3:91:14:f2:49:f1:7c:
+         65:e0:62:1a:d3:c3:19:5b:1e:6c:d7:2c:01:d8:01:b9:2a:2d:
+         ac:ad:e0:18:cb:3d:a2:8b:bc:96:ea:8c:78:e0:ea:44:02:42:
+         01:69:c9:f9:f5:8b:82:d6:8e:77:4e:c6:14:8b:ba:c4:e2:8b:
+         a5:a7:59:08:e1:b4:48:e2:21:ec:1d:61:d8:32:94:fd:3e:5c:
+         b8:97:4a:e5:ef:f4:04:16:09:22:fc:c4:4c:af:e8:13:37:fe:
+         68:a1:5f:e6:49:ba:fc:9b:13:3b:f7:2c
 -----BEGIN CERTIFICATE-----
-MIID9DCCA1WgAwIBAgIJALFF/8qNb39ZMAoGCCqGSM49BAMCMIGZMQswCQYDVQQG
-EwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMGA1UE
-CgwMd29sZlNTTF9wNTIxMRQwEgYDVQQLDAtDbGllbnQtcDUyMTEYMBYGA1UEAwwP
-d3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
-MB4XDTIxMDIxMDE5NDk1M1oXDTIzMTEwNzE5NDk1M1owgZkxCzAJBgNVBAYTAlVT
-MRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRUwEwYDVQQKDAx3
-b2xmU1NMX3A1MjExFDASBgNVBAsMC0NsaWVudC1wNTIxMRgwFgYDVQQDDA93d3cu
-d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wgZsw
-EAYHKoZIzj0CAQYFK4EEACMDgYYABAFibvEA7NiZWJuAa/4s8bLwyEjfrNI7cSmr
-8GZj2I61yML8mUTiRbFae7lzAdp57JwmJzRFJtWJS0T+aU5yFOOLvAAPCaIDw1rc
-lYL2+fac/7VrdZVLpChdnpAE0cAe1f1Dnh6DwBErKwdtqXoQ12fnUTck2L8DDYu1
-QFxP1hNzQryR2aOCAT8wggE7MB0GA1UdDgQWBBQg4b9X5fPDDHKEasbfvCLQtyXl
-pDCBzgYDVR0jBIHGMIHDgBQg4b9X5fPDDHKEasbfvCLQtyXlpKGBn6SBnDCBmTEL
+MIIECTCCA2ugAwIBAgIUQdWQCournsU1TDOUWEj9BDgQt6wwCgYIKoZIzj0EAwIw
+gZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
+bWFuMRUwEwYDVQQKDAx3b2xmU1NMX3A1MjExFDASBgNVBAsMC0NsaWVudC1wNTIx
+MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9A
+d29sZnNzbC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBmTEL
 MAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4x
 FTATBgNVBAoMDHdvbGZTU0xfcDUyMTEUMBIGA1UECwwLQ2xpZW50LXA1MjExGDAW
 BgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm
-c3NsLmNvbYIJALFF/8qNb39ZMAwGA1UdEwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhh
-bXBsZS5jb22HBH8AAAEwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAoG
-CCqGSM49BAMCA4GMADCBiAJCALU+Ql13s0EH8IKxAOnUpxK7U8iOJ7UclIerQQL7
-EaXObl1rtmHrZqNAeMtxp3f81t+D3QeFPPQyT9J4QTmWfY9HAkIAist3DI9gO0jN
-VUTxwn2yU9BZRdKJSmf9uGTC+INeF1JNg7R3gXchO4IepDphuqNJMjqvYMVOv3eV
-Hnshaxw6x8M=
+c3NsLmNvbTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAWJu8QDs2JlYm4Br/izx
+svDISN+s0jtxKavwZmPYjrXIwvyZROJFsVp7uXMB2nnsnCYnNEUm1YlLRP5pTnIU
+44u8AA8JogPDWtyVgvb59pz/tWt1lUukKF2ekATRwB7V/UOeHoPAESsrB22pehDX
+Z+dRNyTYvwMNi7VAXE/WE3NCvJHZo4IBSjCCAUYwHQYDVR0OBBYEFCDhv1fl88MM
+coRqxt+8ItC3JeWkMIHZBgNVHSMEgdEwgc6AFCDhv1fl88MMcoRqxt+8ItC3JeWk
+oYGfpIGcMIGZMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UE
+BwwHQm96ZW1hbjEVMBMGA1UECgwMd29sZlNTTF9wNTIxMRQwEgYDVQQLDAtDbGll
+bnQtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkB
+FhBpbmZvQHdvbGZzc2wuY29tghRB1ZAKi6uexTVMM5RYSP0EOBC3rDAMBgNVHRME
+BTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1UdJQQWMBQG
+CCsGAQUFBwMBBggrBgEFBQcDAjAKBggqhkjOPQQDAgOBiwAwgYcCQV6V08Zc0RU3
+gVfjq+p4IAadWsNTxt+nLKORFPJJ8Xxl4GIa08MZWx5s1ywB2AG5Ki2sreAYyz2i
+i7yW6ox44OpEAkIBacn59YuC1o53TsYUi7rE4oulp1kI4bRI4iHsHWHYMpT9Ply4
+l0rl7/QEFgki/MRMr+gTN/5ooV/mSbr8mxM79yw=
 -----END CERTIFICATE-----
diff --git a/certs/p521/root-p521.der b/certs/p521/root-p521.der
index 49734f654..5f5be681b 100644
Binary files a/certs/p521/root-p521.der and b/certs/p521/root-p521.der differ
diff --git a/certs/p521/root-p521.pem b/certs/p521/root-p521.pem
index 17425bb86..d3311c526 100644
--- a/certs/p521/root-p521.pem
+++ b/certs/p521/root-p521.pem
@@ -1,17 +1,18 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 9354390136921551540 (0x81d1784491a072b4)
-    Signature Algorithm: ecdsa-with-SHA256
-        Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_P521, OU=Root-P521, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            64:bd:93:4d:73:a4:89:b6:a5:4a:ef:23:28:a3:65:2e:fc:66:9f:a5
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_P521, OU = Root-P521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_P521, OU=Root-P521, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_P521, OU = Root-P521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (521 bit)
-                pub: 
+                pub:
                     04:01:41:60:d4:e5:cc:37:db:f4:4c:12:cc:f6:7a:
                     32:cc:f2:1c:b7:53:15:bd:5f:53:ef:cb:73:a9:c8:
                     14:6c:6f:7d:c5:7c:b4:bb:8e:56:c2:43:45:fb:58:
@@ -34,30 +35,30 @@ Certificate:
             X509v3 Key Usage: critical
                 Digital Signature, Certificate Sign, CRL Sign
     Signature Algorithm: ecdsa-with-SHA256
-         30:81:88:02:42:01:fe:f6:e7:a7:3f:87:c3:c1:5b:b7:8e:3c:
-         f6:cc:3b:d8:8f:47:26:e7:95:00:3a:42:d3:44:68:84:eb:3c:
-         6f:4f:6f:f6:29:00:9b:92:34:b1:39:47:83:cf:7e:e0:83:2b:
-         75:b6:e1:b6:44:a5:34:af:9d:a8:a2:96:ea:af:ca:32:9d:02:
-         42:01:6f:d2:1a:e1:6f:56:95:d5:a7:04:ac:78:42:1a:c5:06:
-         11:e1:7c:52:1f:11:ee:e5:a7:3a:29:cc:2d:57:5b:a5:41:e3:
-         02:0c:10:2b:3a:53:69:96:97:73:72:6e:60:06:5e:c6:75:3f:
-         74:10:55:66:c3:f6:d3:99:2f:ba:de:13:aa
+         30:81:88:02:42:00:8c:f2:37:8c:fd:9e:7e:51:9e:13:db:15:
+         41:33:37:64:12:dd:87:aa:69:74:a4:10:76:a5:16:aa:9e:d0:
+         f5:75:6c:80:5f:c4:6e:ab:2d:e0:03:92:7e:ed:15:5f:50:f3:
+         ea:e4:71:f9:80:1f:d1:ae:79:9a:55:dc:f7:95:8c:3c:80:02:
+         42:01:d7:79:e2:a2:85:cc:95:27:e8:b7:a4:66:9c:73:d1:f6:
+         a1:56:12:94:75:6a:8d:ec:59:ba:11:75:f1:b1:3e:2b:48:16:
+         ea:38:ff:1b:29:94:3e:bc:74:a9:28:93:c2:a0:92:18:55:01:
+         0c:de:86:4d:f3:34:39:b8:02:5d:c4:4b:13
 -----BEGIN CERTIFICATE-----
-MIIDEjCCAnOgAwIBAgIJAIHReESRoHK0MAoGCCqGSM49BAMCMIGXMQswCQYDVQQG
-EwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMGA1UE
-CgwMd29sZlNTTF9QNTIxMRIwEAYDVQQLDAlSb290LVA1MjExGDAWBgNVBAMMD3d3
-dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe
-Fw0yMTAyMTAxOTQ5NTNaFw0yMzExMDcxOTQ5NTNaMIGXMQswCQYDVQQGEwJVUzEQ
-MA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMGA1UECgwMd29s
-ZlNTTF9QNTIxMRIwEAYDVQQLDAlSb290LVA1MjExGDAWBgNVBAMMD3d3dy53b2xm
-c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCBmzAQBgcq
-hkjOPQIBBgUrgQQAIwOBhgAEAUFg1OXMN9v0TBLM9noyzPIct1MVvV9T78tzqcgU
-bG99xXy0u45WwkNF+1gcxkU9f+VOgMxEwQZ6deFpyYqoAXrfAERJc5wvUD+DoB6L
-0ar7CAyQBQ0MFzFRPtaFOwkSgtGmCM3IT2payIyOXb/azFuVoehaKXgisrpJoYXG
-SIpxU42Jo2MwYTAdBgNVHQ4EFgQUZKdolVMzGKIgkrxkVaarynZom8gwHwYDVR0j
-BBgwFoAUZKdolVMzGKIgkrxkVaarynZom8gwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwIDgYwAMIGIAkIB/vbnpz+Hw8Fbt4489sw7
-2I9HJueVADpC00RohOs8b09v9ikAm5I0sTlHg89+4IMrdbbhtkSlNK+dqKKW6q/K
-Mp0CQgFv0hrhb1aV1acErHhCGsUGEeF8Uh8R7uWnOinMLVdbpUHjAgwQKzpTaZaX
-c3JuYAZexnU/dBBVZsP205kvut4Tqg==
+MIIDHTCCAn6gAwIBAgIUZL2TTXOkibalSu8jKKNlLvxmn6UwCgYIKoZIzj0EAwIw
+gZcxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
+bWFuMRUwEwYDVQQKDAx3b2xmU1NMX1A1MjExEjAQBgNVBAsMCVJvb3QtUDUyMTEY
+MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
+bGZzc2wuY29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgZcxCzAJ
+BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRUw
+EwYDVQQKDAx3b2xmU1NMX1A1MjExEjAQBgNVBAsMCVJvb3QtUDUyMTEYMBYGA1UE
+AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
+Y29tMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBQWDU5cw32/RMEsz2ejLM8hy3
+UxW9X1Pvy3OpyBRsb33FfLS7jlbCQ0X7WBzGRT1/5U6AzETBBnp14WnJiqgBet8A
+RElznC9QP4OgHovRqvsIDJAFDQwXMVE+1oU7CRKC0aYIzchPalrIjI5dv9rMW5Wh
+6FopeCKyukmhhcZIinFTjYmjYzBhMB0GA1UdDgQWBBRkp2iVUzMYoiCSvGRVpqvK
+dmibyDAfBgNVHSMEGDAWgBRkp2iVUzMYoiCSvGRVpqvKdmibyDAPBgNVHRMBAf8E
+BTADAQH/MA4GA1UdDwEB/wQEAwIBhjAKBggqhkjOPQQDAgOBjAAwgYgCQgCM8jeM
+/Z5+UZ4T2xVBMzdkEt2Hqml0pBB2pRaqntD1dWyAX8Ruqy3gA5J+7RVfUPPq5HH5
+gB/RrnmaVdz3lYw8gAJCAdd54qKFzJUn6LekZpxz0fahVhKUdWqN7Fm6EXXxsT4r
+SBbqOP8bKZQ+vHSpKJPCoJIYVQEM3oZN8zQ5uAJdxEsT
 -----END CERTIFICATE-----
diff --git a/certs/p521/server-p521-cert.pem b/certs/p521/server-p521-cert.pem
index 6c0c7d69e..28c3a6c8f 100644
--- a/certs/p521/server-p521-cert.pem
+++ b/certs/p521/server-p521-cert.pem
@@ -2,16 +2,16 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
-    Signature Algorithm: ecdsa-with-SHA256
-        Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_p521, OU=CA-p521, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = CA-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_p521, OU=Server-p521, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = Server-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (521 bit)
-                pub: 
+                pub:
                     04:00:de:70:69:f6:d1:9e:c4:fe:5f:82:52:98:ce:
                     52:c1:6a:4c:12:22:0f:76:88:22:11:a5:0d:a6:02:
                     47:91:ab:79:8d:f6:08:70:2d:20:14:15:df:1b:57:
@@ -38,20 +38,20 @@ Certificate:
             Netscape Cert Type: 
                 SSL Server
     Signature Algorithm: ecdsa-with-SHA256
-         30:81:88:02:42:01:47:61:fe:54:a4:3f:84:c7:04:12:32:5f:
-         c7:3b:0e:eb:9a:0d:46:be:d4:17:f0:df:e1:6b:a6:a3:00:0a:
-         b5:cb:ec:27:c0:f4:4a:5b:50:a9:1c:08:42:83:fa:37:ae:54:
-         f6:38:07:aa:46:8b:b4:c1:60:15:c7:e3:da:05:0e:8f:4b:02:
-         42:01:9e:ee:b3:90:5f:ff:7a:2e:c7:5c:10:d4:6d:b7:25:55:
-         dc:04:96:bd:0a:11:63:fa:26:66:4d:59:68:a1:04:7f:88:29:
-         d9:4b:3c:93:21:22:cd:65:b6:a3:b5:74:fd:d5:de:71:07:5b:
-         fa:5a:49:ae:e6:da:21:93:fb:f5:90:06:e4
+         30:81:88:02:42:01:1a:79:13:f5:86:d5:2c:a7:58:be:8d:43:
+         b9:c4:ce:58:12:d2:22:76:43:2b:79:35:20:86:6d:26:83:7c:
+         e7:8b:77:10:c7:e4:d5:fc:92:bf:0b:ce:ee:26:09:e0:fb:fb:
+         d6:01:74:18:cf:af:57:f0:6b:7d:ef:72:78:e8:f0:97:7a:02:
+         42:01:a0:9b:22:53:92:4d:09:8c:76:42:e7:5d:29:f5:b9:ad:
+         36:6d:27:81:98:b1:db:aa:0f:ba:96:01:a8:c6:af:bb:43:8e:
+         67:ce:d6:8c:1f:5f:90:ef:86:b7:1b:8e:45:16:7d:9e:42:5c:
+         30:23:a2:f0:3d:2c:9b:9a:b8:78:42:84:d1
 -----BEGIN CERTIFICATE-----
 MIIDMTCCApKgAwIBAgIBATAKBggqhkjOPQQDAjCBlTELMAkGA1UEBhMCVVMxEDAO
 BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZT
 U0xfcDUyMTEQMA4GA1UECwwHQ0EtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wu
-Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMDIxMDE5
-NDk1M1oXDTIzMTEwNzE5NDk1M1owgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN
+Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMTIyMDIz
+MDcyNVoXDTI0MDkxNTIzMDcyNVowgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN
 b250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMX3A1MjEx
 FDASBgNVBAsMC1NlcnZlci1wNTIxMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
 HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wgZswEAYHKoZIzj0CAQYF
@@ -61,8 +61,8 @@ H9VgY6YufY3qP+Bb5chuH6fZo1nllici9AIrr1t4HxOoIovsrgF9wGETpDUKIaOB
 iTCBhjAdBgNVHQ4EFgQUhYafrnNflHcnOxUVxnkHqEJLHvMwHwYDVR0jBBgwFoAU
 QIkdMF4MbtU9xtUlkNq2Qmft6YIwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMC
 A6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEQYJYIZIAYb4QgEBBAQDAgZAMAoGCCqG
-SM49BAMCA4GMADCBiAJCAUdh/lSkP4THBBIyX8c7DuuaDUa+1Bfw3+FrpqMACrXL
-7CfA9EpbUKkcCEKD+jeuVPY4B6pGi7TBYBXH49oFDo9LAkIBnu6zkF//ei7HXBDU
-bbclVdwElr0KEWP6JmZNWWihBH+IKdlLPJMhIs1ltqO1dP3V3nEHW/paSa7m2iGT
-+/WQBuQ=
+SM49BAMCA4GMADCBiAJCARp5E/WG1SynWL6NQ7nEzlgS0iJ2Qyt5NSCGbSaDfOeL
+dxDH5NX8kr8Lzu4mCeD7+9YBdBjPr1fwa33vcnjo8Jd6AkIBoJsiU5JNCYx2Qudd
+KfW5rTZtJ4GYsduqD7qWAajGr7tDjmfO1owfX5DvhrcbjkUWfZ5CXDAjovA9LJua
+uHhChNE=
 -----END CERTIFICATE-----
diff --git a/certs/p521/server-p521.der b/certs/p521/server-p521.der
index e95602267..cc375bd30 100644
Binary files a/certs/p521/server-p521.der and b/certs/p521/server-p521.der differ
diff --git a/certs/p521/server-p521.pem b/certs/p521/server-p521.pem
index ec7169a5b..862328fba 100644
--- a/certs/p521/server-p521.pem
+++ b/certs/p521/server-p521.pem
@@ -2,16 +2,16 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
-    Signature Algorithm: ecdsa-with-SHA256
-        Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_p521, OU=CA-p521, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = CA-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_p521, OU=Server-p521, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = Server-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (521 bit)
-                pub: 
+                pub:
                     04:00:de:70:69:f6:d1:9e:c4:fe:5f:82:52:98:ce:
                     52:c1:6a:4c:12:22:0f:76:88:22:11:a5:0d:a6:02:
                     47:91:ab:79:8d:f6:08:70:2d:20:14:15:df:1b:57:
@@ -38,20 +38,20 @@ Certificate:
             Netscape Cert Type: 
                 SSL Server
     Signature Algorithm: ecdsa-with-SHA256
-         30:81:88:02:42:01:47:61:fe:54:a4:3f:84:c7:04:12:32:5f:
-         c7:3b:0e:eb:9a:0d:46:be:d4:17:f0:df:e1:6b:a6:a3:00:0a:
-         b5:cb:ec:27:c0:f4:4a:5b:50:a9:1c:08:42:83:fa:37:ae:54:
-         f6:38:07:aa:46:8b:b4:c1:60:15:c7:e3:da:05:0e:8f:4b:02:
-         42:01:9e:ee:b3:90:5f:ff:7a:2e:c7:5c:10:d4:6d:b7:25:55:
-         dc:04:96:bd:0a:11:63:fa:26:66:4d:59:68:a1:04:7f:88:29:
-         d9:4b:3c:93:21:22:cd:65:b6:a3:b5:74:fd:d5:de:71:07:5b:
-         fa:5a:49:ae:e6:da:21:93:fb:f5:90:06:e4
+         30:81:88:02:42:01:1a:79:13:f5:86:d5:2c:a7:58:be:8d:43:
+         b9:c4:ce:58:12:d2:22:76:43:2b:79:35:20:86:6d:26:83:7c:
+         e7:8b:77:10:c7:e4:d5:fc:92:bf:0b:ce:ee:26:09:e0:fb:fb:
+         d6:01:74:18:cf:af:57:f0:6b:7d:ef:72:78:e8:f0:97:7a:02:
+         42:01:a0:9b:22:53:92:4d:09:8c:76:42:e7:5d:29:f5:b9:ad:
+         36:6d:27:81:98:b1:db:aa:0f:ba:96:01:a8:c6:af:bb:43:8e:
+         67:ce:d6:8c:1f:5f:90:ef:86:b7:1b:8e:45:16:7d:9e:42:5c:
+         30:23:a2:f0:3d:2c:9b:9a:b8:78:42:84:d1
 -----BEGIN CERTIFICATE-----
 MIIDMTCCApKgAwIBAgIBATAKBggqhkjOPQQDAjCBlTELMAkGA1UEBhMCVVMxEDAO
 BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZT
 U0xfcDUyMTEQMA4GA1UECwwHQ0EtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wu
-Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMDIxMDE5
-NDk1M1oXDTIzMTEwNzE5NDk1M1owgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN
+Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMTIyMDIz
+MDcyNVoXDTI0MDkxNTIzMDcyNVowgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN
 b250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMX3A1MjEx
 FDASBgNVBAsMC1NlcnZlci1wNTIxMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
 HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wgZswEAYHKoZIzj0CAQYF
@@ -61,25 +61,25 @@ H9VgY6YufY3qP+Bb5chuH6fZo1nllici9AIrr1t4HxOoIovsrgF9wGETpDUKIaOB
 iTCBhjAdBgNVHQ4EFgQUhYafrnNflHcnOxUVxnkHqEJLHvMwHwYDVR0jBBgwFoAU
 QIkdMF4MbtU9xtUlkNq2Qmft6YIwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMC
 A6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEQYJYIZIAYb4QgEBBAQDAgZAMAoGCCqG
-SM49BAMCA4GMADCBiAJCAUdh/lSkP4THBBIyX8c7DuuaDUa+1Bfw3+FrpqMACrXL
-7CfA9EpbUKkcCEKD+jeuVPY4B6pGi7TBYBXH49oFDo9LAkIBnu6zkF//ei7HXBDU
-bbclVdwElr0KEWP6JmZNWWihBH+IKdlLPJMhIs1ltqO1dP3V3nEHW/paSa7m2iGT
-+/WQBuQ=
+SM49BAMCA4GMADCBiAJCARp5E/WG1SynWL6NQ7nEzlgS0iJ2Qyt5NSCGbSaDfOeL
+dxDH5NX8kr8Lzu4mCeD7+9YBdBjPr1fwa33vcnjo8Jd6AkIBoJsiU5JNCYx2Qudd
+KfW5rTZtJ4GYsduqD7qWAajGr7tDjmfO1owfX5DvhrcbjkUWfZ5CXDAjovA9LJua
+uHhChNE=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
-    Signature Algorithm: ecdsa-with-SHA256
-        Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_P521, OU=Root-P521, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_P521, OU = Root-P521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_p521, OU=CA-p521, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = CA-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (521 bit)
-                pub: 
+                pub:
                     04:00:2d:18:24:2d:e4:db:6c:c3:69:9b:db:18:67:
                     33:f1:60:68:94:14:cd:91:4a:57:65:ef:36:fa:24:
                     82:88:ec:c7:f0:cb:48:45:6e:96:5f:7f:eb:76:be:
@@ -102,20 +102,20 @@ Certificate:
             X509v3 Key Usage: critical
                 Digital Signature, Certificate Sign, CRL Sign
     Signature Algorithm: ecdsa-with-SHA256
-         30:81:88:02:42:01:c4:4b:30:70:d8:b3:34:56:15:6a:b2:dc:
-         09:af:f9:f8:a2:b8:6b:e7:46:8c:5e:95:77:d0:db:92:6a:d4:
-         05:33:4b:94:66:eb:6c:02:50:c0:11:21:65:d8:47:c2:0c:6d:
-         10:c4:3b:93:97:66:ca:71:b0:a4:51:3d:e1:e9:71:c7:87:02:
-         42:00:a1:73:18:75:c7:aa:77:88:49:cd:5f:e6:7b:f5:c3:b0:
-         77:27:ed:23:08:7c:aa:ba:a0:40:21:69:98:6b:95:fe:97:fb:
-         26:70:5b:6b:52:1f:42:9b:7d:8c:81:91:bc:2a:b6:eb:b7:3a:
-         99:20:c7:17:44:61:ee:50:f2:e9:8d:ca:21
+         30:81:87:02:42:00:a3:76:dd:2a:a5:1f:c4:b6:11:fe:8c:62:
+         a2:7a:fe:a0:9b:04:3a:11:f5:6e:ef:ad:86:54:5a:cd:4d:dd:
+         8c:27:f3:1f:9c:c4:7f:b5:8f:f5:5b:f7:60:31:6e:d9:a3:c6:
+         41:29:43:0b:14:15:75:56:ef:ca:bd:30:6d:41:91:71:f4:02:
+         41:14:2e:c9:57:8a:41:0c:af:a0:bc:3c:21:bd:4b:ea:08:fc:
+         61:61:f7:85:92:d1:42:1e:3a:92:40:73:18:45:df:ff:d8:fe:
+         eb:cd:61:30:66:ef:60:31:04:bc:e0:4d:1e:c1:95:df:eb:eb:
+         cd:08:70:76:4c:5c:f3:bf:f6:ac:0d:7d
 -----BEGIN CERTIFICATE-----
-MIIDCDCCAmmgAwIBAgIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEDAO
+MIIDBzCCAmmgAwIBAgIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEDAO
 BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZT
 U0xfUDUyMTESMBAGA1UECwwJUm9vdC1QNTIxMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBlTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBlTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
 B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZTU0xfcDUy
 MTEQMA4GA1UECwwHQ0EtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8w
 HQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIGbMBAGByqGSM49AgEGBSuB
@@ -124,8 +124,8 @@ f+t2vkRAwxnAM2jEBgSOwiWxloMiDnvHsvwBhpHtQ1044AwljbPbsdzetyGAz4fe
 ZPQhPi2veb320ABLgXn69xCqGc1A1x51NFMpA+1IVCHlj5W1m0GNX91y0lqjYzBh
 MB0GA1UdDgQWBBRAiR0wXgxu1T3G1SWQ2rZCZ+3pgjAfBgNVHSMEGDAWgBRkp2iV
 UzMYoiCSvGRVpqvKdmibyDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
-hjAKBggqhkjOPQQDAgOBjAAwgYgCQgHESzBw2LM0VhVqstwJr/n4orhr50aMXpV3
-0NuSatQFM0uUZutsAlDAESFl2EfCDG0QxDuTl2bKcbCkUT3h6XHHhwJCAKFzGHXH
-qneISc1f5nv1w7B3J+0jCHyquqBAIWmYa5X+l/smcFtrUh9Cm32MgZG8KrbrtzqZ
-IMcXRGHuUPLpjcoh
+hjAKBggqhkjOPQQDAgOBiwAwgYcCQgCjdt0qpR/EthH+jGKiev6gmwQ6EfVu762G
+VFrNTd2MJ/MfnMR/tY/1W/dgMW7Zo8ZBKUMLFBV1Vu/KvTBtQZFx9AJBFC7JV4pB
+DK+gvDwhvUvqCPxhYfeFktFCHjqSQHMYRd//2P7rzWEwZu9gMQS84E0ewZXf6+vN
+CHB2TFzzv/asDX0=
 -----END CERTIFICATE-----
diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh
index 7c546cbff..ebef14a7f 100755
--- a/certs/renewcerts.sh
+++ b/certs/renewcerts.sh
@@ -59,6 +59,11 @@ check_result(){
 
 #the function that will be called when we are ready to renew the certs.
 run_renewcerts(){
+
+    #call update for some ecc certs
+    ./certs/ecc/genecc.sh
+    check_result $? "Step 0"
+
     cd certs/ || { echo "Couldn't cd to certs directory"; exit 1; }
     echo ""
 
@@ -125,6 +130,27 @@ run_renewcerts(){
     echo "End of section"
     echo "---------------------------------------------------------------------"
     ############################################################
+    #### update the self-signed (2048-bit) client-cert-ext.pem
+    ############################################################
+    echo "Updating 2048-bit client-cert-ext.pem"
+    echo ""
+    #pipe the following arguments to openssl req...
+    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nProgramming-2048\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
+    check_result $? "Step 1"
+
+
+    openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions client_cert_ext -signkey client-key.pem -out client-cert-ext.pem
+    check_result $? "Step 2"
+    rm client-cert.csr
+
+    openssl x509 -in client-cert-ext.pem -outform DER -out client-cert-ext.der
+    check_result $? "Step 3"
+    openssl x509 -in client-cert-ext.pem -text > tmp.pem
+    check_result $? "Step 4"
+    mv tmp.pem client-cert-ext.pem
+    echo "End of section"
+    echo "---------------------------------------------------------------------"
+    ############################################################
     #### update the self-signed (2048-bit) client-crl-dist.pem
     ############################################################
     echo "Updating 2048-bit client-crl-dist.pem"
@@ -799,6 +825,10 @@ else
     make clean
     check_result $? "make clean"
 
+    run_renewcerts
+    cd ../ || exit 1
+    rm ./certs/wolfssl.cnf
+
     # restore previous configure state
     restore_config
     check_result $? "restoring old configuration"
diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf
index 6c5efb25f..f85b31de2 100644
--- a/certs/renewcerts/wolfssl.cnf
+++ b/certs/renewcerts/wolfssl.cnf
@@ -300,6 +300,14 @@ authorityKeyIdentifier=keyid:always,issuer:always
 basicConstraints=CA:false
 subjectAltName=URI:../relative/page.html
 
+# client cert ext
+[ client_cert_ext ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints=CA:true
+subjectAltName=DNS:example.com
+keyUsage=critical, digitalSignature, keyCertSign, cRLSign
+
 # test CRL distribution points
 [ crl_dist_points ]
 crlDistributionPoints=URI:http://www.wolfssl.com/crl.pem
diff --git a/certs/server-cert-chain.der b/certs/server-cert-chain.der
index 5f357103a..86422ddbf 100644
Binary files a/certs/server-cert-chain.der and b/certs/server-cert-chain.der differ
diff --git a/certs/server-cert.der b/certs/server-cert.der
index 041eba291..0a6804462 100644
Binary files a/certs/server-cert.der and b/certs/server-cert.der differ
diff --git a/certs/server-cert.pem b/certs/server-cert.pem
index 54dd74e32..9e5186ecf 100644
--- a/certs/server-cert.pem
+++ b/certs/server-cert.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=Support, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL, OU = Support, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:c0:95:08:e1:57:41:f2:71:6d:b7:d2:45:41:27:
                     01:65:c6:45:ae:f2:bc:24:30:b8:95:ce:2f:4e:d6:
@@ -37,7 +37,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -46,27 +46,27 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         1b:0d:a6:44:93:0d:0e:0c:35:28:26:40:31:d2:eb:26:4c:47:
-         5b:19:fb:ad:fe:3a:f5:30:3a:28:d7:aa:69:a4:15:e7:26:6e:
-         b7:33:56:ac:8f:34:3d:f3:21:2f:53:58:91:d0:3e:b4:39:48:
-         bf:93:11:74:36:d3:87:49:c3:34:0d:30:30:ab:f4:4c:27:19:
-         d5:c4:0c:ad:49:bd:91:f8:da:9e:c8:2d:2a:ac:e2:75:8e:aa:
-         08:d9:bf:65:ff:a3:b1:4f:f0:60:6f:4d:95:c4:06:7f:af:66:
-         6a:23:3b:3a:a4:61:b6:6c:ca:be:e1:b0:77:f3:ec:83:d5:8c:
-         1d:85:7f:8d:74:c8:ec:1e:49:ec:57:4a:cc:fd:e2:3a:3e:54:
-         50:ae:67:cd:17:b0:67:a5:53:7f:c3:0e:3e:a7:58:e8:df:d5:
-         0c:f2:64:f3:ad:12:70:e3:b9:42:bc:08:60:76:d5:0c:a5:31:
-         77:50:e0:c8:f3:3a:3d:45:cf:32:75:ef:10:dd:b5:ed:6e:d2:
-         2d:57:82:95:38:bc:7d:54:c4:84:5e:fb:7e:83:f5:f1:2d:9c:
-         98:ac:73:e3:a7:d2:02:30:d6:1f:06:1e:d0:dc:3a:ac:f4:c2:
-         c2:be:72:40:9a:ea:cf:35:21:3b:56:6d:e1:52:f2:80:d7:35:
-         83:97:07:cc
+         73:59:6f:55:94:e1:38:e7:20:5a:11:46:47:a8:29:11:17:06:
+         19:16:78:22:af:54:f8:d9:32:61:26:3f:39:ab:a4:df:ef:ae:
+         d0:0b:cc:2b:af:95:70:90:97:53:cc:19:6d:f2:4d:4c:fa:e4:
+         9d:7c:54:e0:5b:3b:1f:1e:52:46:7f:d9:ba:a0:90:ba:6d:df:
+         3d:67:f0:9f:52:44:c3:e1:66:36:dc:61:58:11:ba:4c:0c:c2:
+         29:da:f7:13:45:60:b2:11:79:91:ed:7c:9f:b7:7f:5c:e2:29:
+         c6:1e:bf:78:da:bf:d1:bd:9c:f7:4e:23:e0:c3:ef:6f:b6:67:
+         7c:d7:4c:02:d5:bd:67:ee:7e:0c:e3:89:db:79:61:1e:d0:5f:
+         f5:e8:66:48:3a:55:54:d5:16:12:30:00:c9:86:75:e0:c9:ff:
+         38:74:ce:c8:c7:fd:ef:96:d8:55:96:71:35:62:db:34:c5:2f:
+         07:84:8a:aa:1b:1e:77:50:0a:20:3b:21:4b:06:14:af:78:11:
+         a2:41:c6:5d:0c:70:e0:52:b4:9e:4c:86:ab:5b:a3:e0:8f:a2:
+         c2:1a:69:70:80:3b:bd:50:23:26:72:4f:fa:fd:df:ed:85:32:
+         2c:e4:ab:3e:f3:a6:d0:1d:db:33:6b:69:8d:99:b9:b4:34:4b:
+         79:a8:16:68
 -----BEGIN CERTIFICATE-----
-MIIE3TCCA8WgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIE6DCCA9CgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBkDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBkDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
 B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxEDAO
 BgNVBAsMB1N1cHBvcnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
 SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
@@ -75,34 +75,35 @@ f/5cnFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/X
 GQ0lT+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bM
 QLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq
 0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ
-6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaOCATowggE2MB0GA1UdDgQW
-BBSzETLJkpiE4sn40DtuA0LKHw6OPDCByQYDVR0jBIHBMIG+gBQnjmcRdMMmHT/t
+6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaOCAUUwggFBMB0GA1UdDgQW
+BBSzETLJkpiE4sn40DtuA0LKHw6OPDCB1AYDVR0jBIHMMIHJgBQnjmcRdMMmHT/t
 M2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRh
 bmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQL
 DApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG
-9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQCq0z+sGAo3TTAMBgNVHRMEBTADAQH/
-MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAGw2mRJMNDgw1KCZAMdLr
-JkxHWxn7rf469TA6KNeqaaQV5yZutzNWrI80PfMhL1NYkdA+tDlIv5MRdDbTh0nD
-NA0wMKv0TCcZ1cQMrUm9kfjansgtKqzidY6qCNm/Zf+jsU/wYG9NlcQGf69maiM7
-OqRhtmzKvuGwd/Psg9WMHYV/jXTI7B5J7FdKzP3iOj5UUK5nzRewZ6VTf8MOPqdY
-6N/VDPJk860ScOO5QrwIYHbVDKUxd1DgyPM6PUXPMnXvEN217W7SLVeClTi8fVTE
-hF77foP18S2cmKxz46fSAjDWHwYe0Nw6rPTCwr5yQJrqzzUhO1Zt4VLygNc1g5cH
-zA==
+9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFH2UcIi6B0KNqq9PvsIaSPDRQOZCMAwG
+A1UdEwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhhbXBsZS5jb22HBH8AAAEwHQYDVR0l
+BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBzWW9V
+lOE45yBaEUZHqCkRFwYZFngir1T42TJhJj85q6Tf767QC8wrr5VwkJdTzBlt8k1M
++uSdfFTgWzsfHlJGf9m6oJC6bd89Z/CfUkTD4WY23GFYEbpMDMIp2vcTRWCyEXmR
+7Xyft39c4inGHr942r/RvZz3TiPgw+9vtmd810wC1b1n7n4M44nbeWEe0F/16GZI
+OlVU1RYSMADJhnXgyf84dM7Ix/3vlthVlnE1Yts0xS8HhIqqGx53UAogOyFLBhSv
+eBGiQcZdDHDgUrSeTIarW6Pgj6LCGmlwgDu9UCMmck/6/d/thTIs5Ks+86bQHdsz
+a2mNmbm0NEt5qBZo
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 12309252214903945037 (0xaad33fac180a374d)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            7d:94:70:88:ba:07:42:8d:aa:af:4f:be:c2:1a:48:f0:d1:40:e6:42
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:52 2021 GMT
-            Not After : Nov  7 19:49:52 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Sep 15 23:07:24 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:bf:0c:ca:2d:14:b2:1e:84:42:5b:cd:38:1f:4a:
                     f2:4d:75:10:f1:b6:35:9f:df:ca:7d:03:98:d3:ac:
@@ -129,7 +130,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -138,47 +139,47 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         62:98:c8:58:cf:56:03:86:5b:1b:71:49:7d:05:03:5d:e0:08:
-         86:ad:db:4a:de:ab:22:96:a8:c3:59:68:c1:37:90:40:df:bd:
-         89:d0:bc:da:8e:ef:87:b2:c2:62:52:e1:1a:29:17:6a:96:99:
-         c8:4e:d8:32:fe:b8:d1:5c:3b:0a:c2:3c:5f:a1:1e:98:7f:ce:
-         89:26:21:1f:64:9c:15:7a:9c:ef:fb:1d:85:6a:fa:98:ce:a8:
-         a9:ab:c3:a2:c0:eb:87:ed:bc:21:df:f3:07:5b:ae:fd:40:d4:
-         ae:20:d0:76:8a:31:0a:a2:62:7c:61:0d:ce:5d:9a:1e:e4:20:
-         88:51:49:fb:77:a9:cd:4d:c6:bf:54:99:33:ef:4b:a0:73:70:
-         6d:2e:d9:3d:08:f6:12:39:31:68:c6:61:5c:41:b5:1b:f4:38:
-         7d:fc:be:73:66:2d:f7:ca:5b:2c:5b:31:aa:cf:f6:7f:30:e4:
-         12:2c:8e:d6:38:51:e6:45:ee:d5:da:c3:83:d6:ed:5e:ec:d6:
-         b6:14:b3:93:59:e1:55:4a:7f:04:df:ce:65:d4:df:18:4f:dd:
-         b4:45:7f:a6:56:30:c4:05:44:98:9d:4f:26:6d:84:80:a0:5e:
-         ed:23:d1:48:87:0e:05:06:91:3b:b0:3c:bb:8c:8f:3c:7b:4c:
-         4f:a1:ca:98
+         b0:71:bb:ba:45:5a:80:25:02:a4:7e:88:0b:a9:7b:fd:b0:bb:
+         f6:46:b5:ba:f4:c7:e3:61:20:8c:03:15:66:f5:e4:54:82:ef:
+         13:80:97:22:67:c1:d1:88:5d:e2:2d:57:f6:e0:9f:69:d6:b1:
+         5c:b6:e8:e0:98:89:c8:14:12:d6:b6:89:8d:6c:b9:a0:59:4f:
+         92:ee:11:53:6b:7d:93:4a:69:0a:85:d9:d5:d2:62:e8:c9:b5:
+         c6:4e:17:f5:0a:e8:f3:2d:86:61:0b:eb:c4:c4:c6:67:75:ed:
+         9a:9f:53:a0:71:1e:a0:90:0d:f9:03:b4:bc:86:19:6e:f0:3b:
+         4f:e8:ed:68:f6:e7:23:43:3b:36:83:83:4b:46:a0:9a:01:d0:
+         c7:85:bb:7d:94:a0:21:3d:7e:3c:6a:3d:81:db:41:7b:46:d8:
+         15:62:d5:8f:4d:3d:c0:db:9a:c5:81:a8:ac:da:87:99:c7:dd:
+         b9:f1:14:af:d1:93:e3:f3:42:d7:a2:04:51:21:54:29:c3:45:
+         f6:be:5c:fa:cd:db:bf:2f:79:81:42:e5:8f:47:0b:d4:54:01:
+         b5:c2:4a:46:d6:a8:31:2e:64:80:3f:48:61:91:29:f3:aa:43:
+         5c:69:6e:f1:01:b9:df:63:71:3d:b9:5a:fb:36:c0:11:a2:c3:
+         30:9d:95:c3
 -----BEGIN CERTIFICATE-----
-MIIE6TCCA9GgAwIBAgIJAKrTP6wYCjdNMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD
+MIIE/zCCA+egAwIBAgIUfZRwiLoHQo2qr0++whpI8NFA5kIwDQYJKoZIhvcNAQEL
+BQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
+b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY
+MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
+bGZzc2wuY29tMB4XDTIxMTIyMDIzMDcyNFoXDTI0MDkxNTIzMDcyNFowgZQxCzAJ
+BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREw
+DwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwP
+d3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwzKLRSyHoRCW804H0ry
+TXUQ8bY1n9/KfQOY06zeA2buKvHYsH1uB1QLEJghTYDLEiDnzE/eRX3Jcncy6sqQ
+u2lSEAMvqPOVxfGLYlYb72dvpBBBla0Km+OlwLDScHZQMFuo6AgsfO2nonqNOCkc
+rMft8nyVsJWCfUlcOM13Je+9gHVTlDw9ymNbnxW10x0TLxnRPNt2Osy4fcnlwtfa
+QG/YIdxzG0ItU5z+Gvx9q3o2P5jehHwFZ85qFDiHqfGMtWjLaH9xICv1oGP1Vi+j
+JtK3b7FaF9c4mQj+k1hv/sMTSQgWC6dNZwBSMWcjTpjtUUUduQTZC+zYKLNLve02
+eQIDAQABo4IBRTCCAUEwHQYDVR0OBBYEFCeOZxF0wyYdP+0zY7Ok2B0w5ejVMIHU
+BgNVHSMEgcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYD
 VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G
 A1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3
-dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe
-Fw0yMTAyMTAxOTQ5NTJaFw0yMzExMDcxOTQ5NTJaMIGUMQswCQYDVQQGEwJVUzEQ
-MA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwIU2F3
-dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3Ns
-LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAL8Myi0Ush6EQlvNOB9K8k11EPG2NZ/fyn0D
-mNOs3gNm7irx2LB9bgdUCxCYIU2AyxIg58xP3kV9yXJ3MurKkLtpUhADL6jzlcXx
-i2JWG+9nb6QQQZWtCpvjpcCw0nB2UDBbqOgILHztp6J6jTgpHKzH7fJ8lbCVgn1J
-XDjNdyXvvYB1U5Q8PcpjW58VtdMdEy8Z0TzbdjrMuH3J5cLX2kBv2CHccxtCLVOc
-/hr8fat6Nj+Y3oR8BWfOahQ4h6nxjLVoy2h/cSAr9aBj9VYvoybSt2+xWhfXOJkI
-/pNYb/7DE0kIFgunTWcAUjFnI06Y7VFFHbkE2Qvs2CizS73tNnkCAwEAAaOCATow
-ggE2MB0GA1UdDgQWBBQnjmcRdMMmHT/tM2OzpNgdMOXo1TCByQYDVR0jBIHBMIG+
-gBQnjmcRdMMmHT/tM2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAO
-BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rv
-b3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5j
-b20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQCq0z+sGAo3TTAM
-BgNVHRMEBTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1Ud
-JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAYpjI
-WM9WA4ZbG3FJfQUDXeAIhq3bSt6rIpaow1lowTeQQN+9idC82o7vh7LCYlLhGikX
-apaZyE7YMv640Vw7CsI8X6EemH/OiSYhH2ScFXqc7/sdhWr6mM6oqavDosDrh+28
-Id/zB1uu/UDUriDQdooxCqJifGENzl2aHuQgiFFJ+3epzU3Gv1SZM+9LoHNwbS7Z
-PQj2EjkxaMZhXEG1G/Q4ffy+c2Yt98pbLFsxqs/2fzDkEiyO1jhR5kXu1drDg9bt
-XuzWthSzk1nhVUp/BN/OZdTfGE/dtEV/plYwxAVEmJ1PJm2EgKBe7SPRSIcOBQaR
-O7A8u4yPPHtMT6HKmA==
+dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIU
+fZRwiLoHQo2qr0++whpI8NFA5kIwDAYDVR0TBAUwAwEB/zAcBgNVHREEFTATggtl
+eGFtcGxlLmNvbYcEfwAAATAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
+DQYJKoZIhvcNAQELBQADggEBALBxu7pFWoAlAqR+iAupe/2wu/ZGtbr0x+NhIIwD
+FWb15FSC7xOAlyJnwdGIXeItV/bgn2nWsVy26OCYicgUEta2iY1suaBZT5LuEVNr
+fZNKaQqF2dXSYujJtcZOF/UK6PMthmEL68TExmd17ZqfU6BxHqCQDfkDtLyGGW7w
+O0/o7Wj25yNDOzaDg0tGoJoB0MeFu32UoCE9fjxqPYHbQXtG2BVi1Y9NPcDbmsWB
+qKzah5nH3bnxFK/Rk+PzQteiBFEhVCnDRfa+XPrN278veYFC5Y9HC9RUAbXCSkbW
+qDEuZIA/SGGRKfOqQ1xpbvEBud9jcT25Wvs2wBGiwzCdlcM=
 -----END CERTIFICATE-----
diff --git a/certs/server-ecc-comp.der b/certs/server-ecc-comp.der
index d654e7999..c172693f7 100644
Binary files a/certs/server-ecc-comp.der and b/certs/server-ecc-comp.der differ
diff --git a/certs/server-ecc-comp.pem b/certs/server-ecc-comp.pem
index 4f6cd8d95..285f42d50 100644
--- a/certs/server-ecc-comp.pem
+++ b/certs/server-ecc-comp.pem
@@ -1,17 +1,18 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 16552530592849642901 (0xe5b666e00896c595)
-    Signature Algorithm: ecdsa-with-SHA256
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Elliptic - comp, OU=Server ECC-comp, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            29:74:77:ee:40:f1:03:bc:b3:d0:b6:01:1d:f5:56:4a:c5:cc:7b:04
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Elliptic - comp, OU = Server ECC-comp, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=Elliptic - comp, OU=Server ECC-comp, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = Elliptic - comp, OU = Server ECC-comp, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
-                pub: 
+                pub:
                     02:bb:33:ac:4c:27:50:4a:c6:4a:a5:04:c3:3c:de:
                     9f:36:db:72:2d:ce:94:ea:2b:fa:cb:20:09:39:2c:
                     16:e8:61
@@ -23,7 +24,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:8C:38:3A:6B:B8:24:B7:DF:6E:F4:59:AC:56:4E:AA:E2:58:A6:5A:18
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Elliptic - comp/OU=Server ECC-comp/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:E5:B6:66:E0:08:96:C5:95
+                serial:29:74:77:EE:40:F1:03:BC:B3:D0:B6:01:1D:F5:56:4A:C5:CC:7B:04
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -32,28 +33,28 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: ecdsa-with-SHA256
-         30:45:02:21:00:ae:80:d7:f5:4d:76:79:5c:01:14:8b:fd:80:
-         79:fb:9b:fe:8f:0d:9c:c3:7c:e6:80:4c:a6:54:16:3f:ed:1d:
-         5e:02:20:09:61:2d:84:e9:04:4f:79:0e:e7:f0:cc:52:d3:2f:
-         e0:89:cf:be:9b:9f:86:23:2f:e4:cb:43:16:bb:09:8d:87
+         30:46:02:21:00:ed:07:48:d5:31:e3:1f:80:6a:ce:a9:aa:6d:
+         ac:a3:f9:d4:46:b8:3e:19:5e:11:d7:21:8f:dc:25:dd:6a:7b:
+         58:02:21:00:84:53:e6:f0:18:0a:84:29:d2:ad:34:b2:7c:0b:
+         90:33:fb:b0:41:51:69:cc:08:97:a2:38:f8:21:31:32:c6:c1
 -----BEGIN CERTIFICATE-----
-MIIDYTCCAwegAwIBAgIJAOW2ZuAIlsWVMAoGCCqGSM49BAMCMIGgMQswCQYDVQQG
-EwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEYMBYGA1UE
-CgwPRWxsaXB0aWMgLSBjb21wMRgwFgYDVQQLDA9TZXJ2ZXIgRUNDLWNvbXAxGDAW
-BgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm
-c3NsLmNvbTAeFw0yMTAyMTAxOTQ5NTNaFw0yMzExMDcxOTQ5NTNaMIGgMQswCQYD
-VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEYMBYG
-A1UECgwPRWxsaXB0aWMgLSBjb21wMRgwFgYDVQQLDA9TZXJ2ZXIgRUNDLWNvbXAx
-GDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
-b2xmc3NsLmNvbTA5MBMGByqGSM49AgEGCCqGSM49AwEHAyIAArszrEwnUErGSqUE
-wzzenzbbci3OlOor+ssgCTksFuhho4IBRjCCAUIwHQYDVR0OBBYEFIw4Omu4JLff
-bvRZrFZOquJYploYMIHVBgNVHSMEgc0wgcqAFIw4Omu4JLffbvRZrFZOquJYploY
-oYGmpIGjMIGgMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UE
-BwwHQm96ZW1hbjEYMBYGA1UECgwPRWxsaXB0aWMgLSBjb21wMRgwFgYDVQQLDA9T
-ZXJ2ZXIgRUNDLWNvbXAxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
-SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIJAOW2ZuAIlsWVMAwGA1UdEwQFMAMB
-Af8wHAYDVR0RBBUwE4ILZXhhbXBsZS5jb22HBH8AAAEwHQYDVR0lBBYwFAYIKwYB
-BQUHAwEGCCsGAQUFBwMCMAoGCCqGSM49BAMCA0gAMEUCIQCugNf1TXZ5XAEUi/2A
-efub/o8NnMN85oBMplQWP+0dXgIgCWEthOkET3kO5/DMUtMv4InPvpufhiMv5MtD
-FrsJjYc=
+MIIDeDCCAx2gAwIBAgIUKXR37kDxA7yz0LYBHfVWSsXMewQwCgYIKoZIzj0EAwIw
+gaAxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
+bWFuMRgwFgYDVQQKDA9FbGxpcHRpYyAtIGNvbXAxGDAWBgNVBAsMD1NlcnZlciBF
+Q0MtY29tcDEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkB
+FhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcy
+NVowgaAxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
+b3plbWFuMRgwFgYDVQQKDA9FbGxpcHRpYyAtIGNvbXAxGDAWBgNVBAsMD1NlcnZl
+ciBFQ0MtY29tcDEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcN
+AQkBFhBpbmZvQHdvbGZzc2wuY29tMDkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDIgAC
+uzOsTCdQSsZKpQTDPN6fNttyLc6U6iv6yyAJOSwW6GGjggFRMIIBTTAdBgNVHQ4E
+FgQUjDg6a7gkt99u9FmsVk6q4limWhgwgeAGA1UdIwSB2DCB1YAUjDg6a7gkt99u
+9FmsVk6q4limWhihgaakgaMwgaAxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250
+YW5hMRAwDgYDVQQHDAdCb3plbWFuMRgwFgYDVQQKDA9FbGxpcHRpYyAtIGNvbXAx
+GDAWBgNVBAsMD1NlcnZlciBFQ0MtY29tcDEYMBYGA1UEAwwPd3d3LndvbGZzc2wu
+Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tghQpdHfuQPEDvLPQ
+tgEd9VZKxcx7BDAMBgNVHRMEBTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29t
+hwR/AAABMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAKBggqhkjOPQQD
+AgNJADBGAiEA7QdI1THjH4Bqzqmqbayj+dRGuD4ZXhHXIY/cJd1qe1gCIQCEU+bw
+GAqEKdKtNLJ8C5Az+7BBUWnMCJeiOPghMTLGwQ==
 -----END CERTIFICATE-----
diff --git a/certs/server-ecc-rsa.der b/certs/server-ecc-rsa.der
index debf33e93..f7822bdcd 100644
Binary files a/certs/server-ecc-rsa.der and b/certs/server-ecc-rsa.der differ
diff --git a/certs/server-ecc-rsa.pem b/certs/server-ecc-rsa.pem
index 0a33de157..bb884e851 100644
--- a/certs/server-ecc-rsa.pem
+++ b/certs/server-ecc-rsa.pem
@@ -2,16 +2,16 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=Elliptic - RSAsig, OU=ECC-RSAsig, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = Elliptic - RSAsig, OU = ECC-RSAsig, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
-                pub: 
+                pub:
                     04:bb:33:ac:4c:27:50:4a:c6:4a:a5:04:c3:3c:de:
                     9f:36:db:72:2d:ce:94:ea:2b:fa:cb:20:09:39:2c:
                     16:e8:61:02:e9:af:4d:d3:02:93:9a:31:5b:97:92:
@@ -25,7 +25,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -34,43 +34,43 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         4b:cd:c5:8f:fc:bb:c3:36:c5:d4:4d:71:04:13:53:a0:3c:a3:
-         4e:2a:dd:0d:d3:a7:62:31:0d:c6:32:07:31:d4:6b:0f:8b:55:
-         a2:2f:2c:b3:ae:46:91:8a:09:be:7e:ff:e2:67:46:f2:7e:d4:
-         6f:be:5d:57:42:fd:3a:56:b0:e8:0e:4d:12:fd:f5:00:ca:6f:
-         bd:88:0c:04:47:1a:ec:5d:96:3f:b6:a5:8b:9d:47:a6:4f:82:
-         07:33:9d:11:0a:3d:38:1d:21:4f:d4:1e:1d:a6:d7:6b:72:1c:
-         51:e1:7a:7a:6c:76:2c:98:14:48:fd:f1:d1:7c:53:86:ed:8c:
-         5f:4f:0f:27:5d:45:be:ed:26:90:d2:51:04:4d:06:5b:64:1c:
-         5e:31:63:cc:d4:d5:0b:28:cc:e2:29:40:75:87:21:64:8e:8b:
-         87:ef:90:bb:46:91:91:f9:63:f8:b0:a7:5e:8d:e8:20:c6:b7:
-         5a:d9:0e:35:fb:ba:d1:09:d1:98:a6:61:25:e2:0d:97:c4:1b:
-         0f:bc:b6:ec:e7:96:80:b8:e5:55:03:1e:7f:b5:fd:40:06:cc:
-         aa:7b:f0:b3:81:2e:e1:4e:3a:52:e3:f3:c4:d3:8c:78:49:00:
-         3a:57:df:0e:aa:2f:14:52:3f:c8:fa:82:b9:bf:27:f8:9c:42:
-         b7:44:36:68
+         b3:bc:8c:f8:0f:8f:63:4e:cd:73:62:fe:46:e9:fd:de:74:b8:
+         74:e2:9c:af:f1:b5:ce:48:d0:c6:56:e9:fe:38:a5:91:23:c0:
+         5f:f1:5d:e4:fd:6d:b3:87:f3:7e:fc:e0:c3:8b:ff:94:fb:f8:
+         43:09:f6:71:34:bb:cc:ba:43:54:8c:4e:69:b2:75:e1:a2:d0:
+         b7:b0:cb:2b:ed:0f:9c:d4:e6:cb:03:37:b4:86:92:4c:8c:fc:
+         30:5c:71:e0:3c:58:44:25:fa:3a:04:08:4e:27:14:d7:5b:aa:
+         75:e7:2b:13:1a:2c:60:9f:ad:43:e0:48:5d:02:88:84:a6:72:
+         36:56:a5:1e:82:8c:f2:75:fd:7c:8e:af:92:44:9f:78:3e:a1:
+         dc:ea:7d:19:ef:08:b4:28:5b:76:d4:90:73:a7:e9:ba:41:bd:
+         44:fc:a6:d9:33:06:15:f8:2c:8f:ca:2b:fa:21:bd:4a:4c:a6:
+         9f:4e:5b:97:bd:97:cf:d7:74:a6:42:ac:c0:4f:f4:92:2a:b8:
+         a6:26:8e:fe:32:4b:4d:fc:37:84:d8:1b:7c:0b:ac:ec:5c:96:
+         12:02:d4:4c:3b:f0:ea:4c:5a:ce:3d:57:e5:e6:8a:b5:82:b7:
+         9f:f8:cb:20:fb:db:98:04:91:30:e2:57:cb:22:f3:07:fd:43:
+         07:c7:62:32
 -----BEGIN CERTIFICATE-----
-MIIEHzCCAwegAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEKjCCAxKgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBnTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBnTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
 B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xGjAYBgNVBAoMEUVsbGlwdGljIC0g
 UlNBc2lnMRMwEQYDVQQLDApFQ0MtUlNBc2lnMRgwFgYDVQQDDA93d3cud29sZnNz
 bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wWTATBgcqhkjO
 PQIBBggqhkjOPQMBBwNCAAS7M6xMJ1BKxkqlBMM83p8223ItzpTqK/rLIAk5LBbo
-YQLpr03TApOaMVuXkiF/8M8Y2pERAjSG6CBYMwuANInYo4IBOjCCATYwHQYDVR0O
-BBYEFF1dJu+sfjb5m3YVK0olAiPvsokwMIHJBgNVHSMEgcEwgb6AFCeOZxF0wyYd
+YQLpr03TApOaMVuXkiF/8M8Y2pERAjSG6CBYMwuANInYo4IBRTCCAUEwHQYDVR0O
+BBYEFF1dJu+sfjb5m3YVK0olAiPvsokwMIHUBgNVHSMEgcwwgcmAFCeOZxF0wyYd
 P+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9u
 dGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwIU2F3dG9vdGgxEzARBgNV
 BAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
-SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIJAKrTP6wYCjdNMAwGA1UdEwQFMAMB
-Af8wHAYDVR0RBBUwE4ILZXhhbXBsZS5jb22HBH8AAAEwHQYDVR0lBBYwFAYIKwYB
-BQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBLzcWP/LvDNsXUTXEE
-E1OgPKNOKt0N06diMQ3GMgcx1GsPi1WiLyyzrkaRigm+fv/iZ0byftRvvl1XQv06
-VrDoDk0S/fUAym+9iAwERxrsXZY/tqWLnUemT4IHM50RCj04HSFP1B4dptdrchxR
-4Xp6bHYsmBRI/fHRfFOG7YxfTw8nXUW+7SaQ0lEETQZbZBxeMWPM1NULKMziKUB1
-hyFkjouH75C7RpGR+WP4sKdejeggxrda2Q41+7rRCdGYpmEl4g2XxBsPvLbs55aA
-uOVVAx5/tf1ABsyqe/CzgS7hTjpS4/PE04x4SQA6V98Oqi8UUj/I+oK5vyf4nEK3
-RDZo
+SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUfZRwiLoHQo2qr0++whpI8NFA5kIw
+DAYDVR0TBAUwAwEB/zAcBgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATAdBgNV
+HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBALO8
+jPgPj2NOzXNi/kbp/d50uHTinK/xtc5I0MZW6f44pZEjwF/xXeT9bbOH83784MOL
+/5T7+EMJ9nE0u8y6Q1SMTmmydeGi0LewyyvtD5zU5ssDN7SGkkyM/DBcceA8WEQl
++joECE4nFNdbqnXnKxMaLGCfrUPgSF0CiISmcjZWpR6CjPJ1/XyOr5JEn3g+odzq
+fRnvCLQoW3bUkHOn6bpBvUT8ptkzBhX4LI/KK/ohvUpMpp9OW5e9l8/XdKZCrMBP
+9JIquKYmjv4yS038N4TYG3wLrOxclhIC1Ew78OpMWs49V+XmirWCt5/4yyD725gE
+kTDiV8si8wf9QwfHYjI=
 -----END CERTIFICATE-----
diff --git a/certs/server-ecc-self.der b/certs/server-ecc-self.der
index 396d884d1..0cdbbb947 100644
Binary files a/certs/server-ecc-self.der and b/certs/server-ecc-self.der differ
diff --git a/certs/server-ecc-self.pem b/certs/server-ecc-self.pem
index 06c0e913f..79a122f8f 100644
--- a/certs/server-ecc-self.pem
+++ b/certs/server-ecc-self.pem
@@ -1,17 +1,18 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 13895948352942430886 (0xc0d85367324edaa6)
-    Signature Algorithm: ecdsa-with-SHA256
-        Issuer: C=US, ST=Washington, L=Seattle, O=Eliptic, OU=ECC, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            5c:da:f4:04:76:f3:be:6d:f4:9a:5b:7c:a2:c8:21:de:f6:04:ee:ac
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Jul 18 17:12:20 2019 GMT
-            Not After : Apr 13 17:12:20 2022 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=Eliptic, OU=ECC, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Dec 18 23:07:24 2031 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
-                pub: 
+                pub:
                     04:bb:33:ac:4c:27:50:4a:c6:4a:a5:04:c3:3c:de:
                     9f:36:db:72:2d:ce:94:ea:2b:fa:cb:20:09:39:2c:
                     16:e8:61:02:e9:af:4d:d3:02:93:9a:31:5b:97:92:
@@ -20,36 +21,43 @@ Certificate:
                 ASN1 OID: prime256v1
                 NIST CURVE: P-256
         X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
             X509v3 Subject Key Identifier: 
                 5D:5D:26:EF:AC:7E:36:F9:9B:76:15:2B:4A:25:02:23:EF:B2:89:30
             X509v3 Authority Key Identifier: 
                 keyid:5D:5D:26:EF:AC:7E:36:F9:9B:76:15:2B:4A:25:02:23:EF:B2:89:30
                 DirName:/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:C0:D8:53:67:32:4E:DA:A6
+                serial:5C:DA:F4:04:76:F3:BE:6D:F4:9A:5B:7C:A2:C8:21:DE:F6:04:EE:AC
 
-            X509v3 Basic Constraints: 
-                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment, Key Agreement
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
     Signature Algorithm: ecdsa-with-SHA256
-         30:45:02:20:01:0e:83:d8:81:53:76:e4:ce:4b:51:69:a4:bc:
-         50:2e:46:02:e1:27:d6:04:e4:76:36:e9:fe:4a:ed:87:d1:72:
-         02:21:00:97:87:68:62:34:53:45:41:7a:e1:a9:f1:80:c4:51:
-         27:e0:e4:6a:0e:54:c4:22:39:ec:85:c0:54:b5:57:62:8c
+         30:45:02:21:00:ad:f8:66:6b:e5:b8:13:01:42:b3:83:7f:cf:
+         e2:00:b3:dc:c8:d9:b6:f2:27:42:8e:30:51:bb:f8:36:12:19:
+         56:02:20:39:58:98:f2:ac:a7:6d:9b:d4:4f:6d:e1:01:e1:4a:
+         72:8a:e3:bf:e6:d0:f1:cc:fa:31:9b:a0:b6:a7:dd:96:29
 -----BEGIN CERTIFICATE-----
-MIIDDzCCArWgAwIBAgIJAMDYU2cyTtqmMAoGCCqGSM49BAMCMIGPMQswCQYDVQQG
-EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G
-A1UECgwHRWxpcHRpYzEMMAoGA1UECwwDRUNDMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTkwNzE4
-MTcxMjIwWhcNMjIwNDEzMTcxMjIwWjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
-Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB0VsaXB0aWMx
-DDAKBgNVBAsMA0VDQzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZI
-hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
-QgAEuzOsTCdQSsZKpQTDPN6fNttyLc6U6iv6yyAJOSwW6GEC6a9N0wKTmjFbl5Ih
-f/DPGNqREQI0huggWDMLgDSJ2KOB9zCB9DAdBgNVHQ4EFgQUXV0m76x+NvmbdhUr
-SiUCI++yiTAwgcQGA1UdIwSBvDCBuYAUXV0m76x+NvmbdhUrSiUCI++yiTChgZWk
-gZIwgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
-DAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMQwwCgYDVQQLDANFQ0MxGDAWBgNV
-BAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns
-LmNvbYIJAMDYU2cyTtqmMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIg
-AQ6D2IFTduTOS1FppLxQLkYC4SfWBOR2Nun+Su2H0XICIQCXh2hiNFNFQXrhqfGA
-xFEn4ORqDlTEIjnshcBUtVdijA==
+MIIDXDCCAwKgAwIBAgIUXNr0BHbzvm30mlt8osgh3vYE7qwwCgYIKoZIzj0EAwIw
+gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
+ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMQwwCgYDVQQLDANFQ0MxGDAWBgNVBAMM
+D3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv
+bTAeFw0yMTEyMjAyMzA3MjRaFw0zMTEyMTgyMzA3MjRaMIGPMQswCQYDVQQGEwJV
+UzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UE
+CgwHRWxpcHRpYzEMMAoGA1UECwwDRUNDMRgwFgYDVQQDDA93d3cud29sZnNzbC5j
+b20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAAS7M6xMJ1BKxkqlBMM83p8223ItzpTqK/rLIAk5LBboYQLp
+r03TApOaMVuXkiF/8M8Y2pERAjSG6CBYMwuANInYo4IBODCCATQwCQYDVR0TBAIw
+ADARBglghkgBhvhCAQEEBAMCBkAwHQYDVR0OBBYEFF1dJu+sfjb5m3YVK0olAiPv
+sokwMIHPBgNVHSMEgccwgcSAFF1dJu+sfjb5m3YVK0olAiPvsokwoYGVpIGSMIGP
+MQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2Vh
+dHRsZTEQMA4GA1UECgwHRWxpcHRpYzEMMAoGA1UECwwDRUNDMRgwFgYDVQQDDA93
+d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22C
+FFza9AR2875t9JpbfKLIId72BO6sMA4GA1UdDwEB/wQEAwIDqDATBgNVHSUEDDAK
+BggrBgEFBQcDATAKBggqhkjOPQQDAgNIADBFAiEArfhma+W4EwFCs4N/z+IAs9zI
+2bbyJ0KOMFG7+DYSGVYCIDlYmPKsp22b1E9t4QHhSnKK47/m0PHM+jGboLan3ZYp
 -----END CERTIFICATE-----
diff --git a/certs/server-ecc.der b/certs/server-ecc.der
index e775970c9..fcecf41af 100644
Binary files a/certs/server-ecc.der and b/certs/server-ecc.der differ
diff --git a/certs/server-ecc.pem b/certs/server-ecc.pem
index 7d0e27bf5..444644b0e 100644
--- a/certs/server-ecc.pem
+++ b/certs/server-ecc.pem
@@ -2,16 +2,16 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 3 (0x3)
-    Signature Algorithm: ecdsa-with-SHA256
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=Eliptic, OU=ECC, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
-                pub: 
+                pub:
                     04:bb:33:ac:4c:27:50:4a:c6:4a:a5:04:c3:3c:de:
                     9f:36:db:72:2d:ce:94:ea:2b:fa:cb:20:09:39:2c:
                     16:e8:61:02:e9:af:4d:d3:02:93:9a:31:5b:97:92:
@@ -34,16 +34,16 @@ Certificate:
             Netscape Cert Type: 
                 SSL Server
     Signature Algorithm: ecdsa-with-SHA256
-         30:45:02:20:61:6f:e8:b9:ad:cc:c9:1a:81:17:02:64:07:c3:
-         18:44:01:81:76:18:9d:6d:3d:7d:cb:c1:5a:76:4a:ad:71:55:
-         02:21:00:cd:22:35:04:19:c2:23:21:02:88:4b:51:da:db:51:
-         ab:54:8c:cb:38:ac:8e:bb:ee:18:07:bf:88:36:88:ff:d5
+         30:44:02:20:5a:67:b9:ee:02:34:27:1b:d4:c4:35:7b:ed:59:
+         8e:63:c4:8a:b7:e9:92:c1:8a:76:b0:8b:cd:24:49:78:ba:ef:
+         02:20:29:b8:b6:5f:83:f7:56:6a:f1:4d:d9:9f:52:2a:f9:8f:
+         53:14:49:8b:5f:5e:87:af:7f:ca:2e:e0:d8:e7:75:0c
 -----BEGIN CERTIFICATE-----
-MIICoTCCAkegAwIBAgIBAzAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzAR
+MIICoDCCAkegAwIBAgIBAzAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzAR
 BgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dv
 bGZTU0wxFDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB0VsaXB0aWMx
 DDAKBgNVBAsMA0VDQzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZI
 hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
@@ -51,7 +51,7 @@ QgAEuzOsTCdQSsZKpQTDPN6fNttyLc6U6iv6yyAJOSwW6GEC6a9N0wKTmjFbl5Ih
 f/DPGNqREQI0huggWDMLgDSJ2KOBiTCBhjAdBgNVHQ4EFgQUXV0m76x+NvmbdhUr
 SiUCI++yiTAwHwYDVR0jBBgwFoAUVo6aw/BC3hi5RVVu+ZPP6sPzpSEwDAYDVR0T
 AQH/BAIwADAOBgNVHQ8BAf8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEQYJ
-YIZIAYb4QgEBBAQDAgZAMAoGCCqGSM49BAMCA0gAMEUCIGFv6LmtzMkagRcCZAfD
-GEQBgXYYnW09fcvBWnZKrXFVAiEAzSI1BBnCIyECiEtR2ttRq1SMyzisjrvuGAe/
-iDaI/9U=
+YIZIAYb4QgEBBAQDAgZAMAoGCCqGSM49BAMCA0cAMEQCIFpnue4CNCcb1MQ1e+1Z
+jmPEirfpksGKdrCLzSRJeLrvAiApuLZfg/dWavFN2Z9SKvmPUxRJi19eh69/yi7g
+2Od1DA==
 -----END CERTIFICATE-----
diff --git a/certs/server-ecc384-cert.der b/certs/server-ecc384-cert.der
index ea466cb11..4d7d5b848 100644
Binary files a/certs/server-ecc384-cert.der and b/certs/server-ecc384-cert.der differ
diff --git a/certs/server-ecc384-cert.pem b/certs/server-ecc384-cert.pem
index ed415bf8e..35f295d79 100644
--- a/certs/server-ecc384-cert.pem
+++ b/certs/server-ecc384-cert.pem
@@ -1,22 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIDkjCCAxigAwIBAgICEAAwCgYIKoZIzj0EAwMwgZcxCzAJBgNVBAYTAlVTMRMw
+MIIDoDCCAyWgAwIBAgICEAEwCgYIKoZIzj0EAwMwgZcxCzAJBgNVBAYTAlVTMRMw
 EQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3
 b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZz
-c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE4MTAx
-OTEzNDA0M1oXDTQ4MTAxMTEzNDA0M1owgZUxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
-DApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGlj
-MRIwEAYDVQQLDAlFQ0MzODRTcnYxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEf
-MB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTB2MBAGByqGSM49AgEGBSuB
-BAAiA2IABOrPk08sCbs5FA9WZMNAtN8OY67lcUsAzASX/+HpOJa7X5Gyasy1OV+P
-cFnxAfZaKwFsaAvPVSWvbZhICqh0yakXoAzD+9MjaP4EPGNQiDu5T3xnNPc7qXPn
-G8NRXiIY7KOCATUwggExMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMB0G
-A1UdDgQWBBSCO/JlL/O0AMa8Bv15QnVLZdHOvDCBzAYDVR0jBIHEMIHBgBSr4MMm
-TBjUcrvShIycCgWSgBJTUqGBnaSBmjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
-Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wx
-FDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
-HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQD8OQSkDqVshzAOBgNV
-HQ8BAf8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0EAwMDaAAw
-ZQIxAOia1gUcnnky9I/5RZ4A7r19gJvqudLrnujFOsHcaqvmGVe4tg1QSS2TDfzH
-t5uKyQIwUAkNmwgdmhfE5ytISptkpxyWq3z8NWWPefjOmUpzBG/gVxX1Wvn+Wc2Z
-WeMuU92v
+c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMCAXDTIxMTIy
+MDIzMDcyNFoYDzIwNTExMjEzMjMwNzI0WjCBlTELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB0VsaXB0
+aWMxEjAQBgNVBAsMCUVDQzM4NFNydjEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
+MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMHYwEAYHKoZIzj0CAQYF
+K4EEACIDYgAE6s+TTywJuzkUD1Zkw0C03w5jruVxSwDMBJf/4ek4lrtfkbJqzLU5
+X49wWfEB9lorAWxoC89VJa9tmEgKqHTJqRegDMP70yNo/gQ8Y1CIO7lPfGc09zup
+c+cbw1FeIhjso4IBQDCCATwwCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAw
+HQYDVR0OBBYEFII78mUv87QAxrwG/XlCdUtl0c68MIHXBgNVHSMEgc8wgcyAFKvg
+wyZMGNRyu9KEjJwKBZKAElNSoYGdpIGaMIGXMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UECgwHd29sZlNT
+TDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNv
+bTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUdr7uVtr3lC/NN2C7
+19ooOJeRlF8wDgYDVR0PAQH/BAQDAgOoMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAoG
+CCqGSM49BAMDA2kAMGYCMQC1/h53gwa3d35hpt6LG2RllyPikiQ/cl1JNegz72aj
+kQM0I8V2eaiz+WnqNtug51ECMQDT6mLRR9d1mCPhVhFD9MC4GlVlsfgnGi9E7pfA
+MTm/7JuGlq849Ngn/HcfoW1fTAA=
 -----END CERTIFICATE-----
diff --git a/certs/server-revoked-cert.pem b/certs/server-revoked-cert.pem
index 559cc34c4..000810f38 100644
--- a/certs/server-revoked-cert.pem
+++ b/certs/server-revoked-cert.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 2 (0x2)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_revoked, OU=Support_revoked, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_revoked, OU = Support_revoked, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:b0:14:16:3a:43:dd:e1:50:45:4f:cf:80:b3:dd:
                     66:96:c7:e9:f4:dc:de:b6:6b:24:1b:76:48:ac:c6:
@@ -37,7 +37,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -46,27 +46,27 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         5b:7a:eb:22:2a:8e:c1:fb:43:81:66:af:cb:bb:6b:d9:d6:2a:
-         90:23:4e:8e:35:cc:8b:ec:88:fb:96:c0:48:63:c6:e7:d9:51:
-         75:2d:b1:87:2a:5d:ca:56:86:8c:75:f7:d4:51:46:8d:77:3b:
-         02:9b:49:2c:cf:f7:a5:da:9e:92:4e:13:0a:fd:48:01:27:44:
-         8b:55:a7:76:3b:8f:8f:0b:8b:9a:53:39:21:c0:6a:e9:9c:77:
-         b1:0a:66:0c:a2:e3:56:3e:bd:4a:b6:a2:d1:b2:07:9f:ab:91:
-         83:fa:9b:d3:5d:2c:26:7b:ee:02:e0:1f:f2:00:8c:99:58:d1:
-         57:61:b2:6c:34:1a:1e:1a:c4:e8:87:ad:85:89:a1:ac:d6:b0:
-         45:f4:97:0e:f2:c9:ed:5f:47:0c:f8:68:8e:04:f0:af:85:44:
-         83:5f:dc:05:65:14:8d:83:1b:15:96:e6:09:6f:1f:96:3a:86:
-         eb:36:9b:fe:a0:b4:aa:05:5a:94:8f:dc:ac:28:97:1e:5b:5a:
-         2d:94:5e:e1:1d:8a:2b:e8:ce:b3:be:27:c4:20:78:5c:cd:5d:
-         76:9c:83:1f:4d:f3:a6:2e:a4:e3:7b:f0:58:cc:eb:95:c2:c9:
-         94:23:fb:71:07:b5:91:de:98:ee:9f:81:d7:ba:ff:00:bb:83:
-         3c:60:c5:73
+         48:1c:0d:ff:b1:2b:ef:94:14:a8:26:89:0a:f7:ef:08:9f:21:
+         1e:de:56:28:b3:d8:9b:dc:80:10:6f:f6:47:e9:2b:a1:04:ed:
+         07:43:6d:91:19:f5:c5:7f:57:7d:a8:dd:01:8c:76:7f:ed:c1:
+         a4:3e:ea:34:c0:89:5e:63:9e:b4:f2:0f:d3:2f:d9:da:56:72:
+         13:6e:dc:fb:0f:bb:ed:84:b7:ef:08:94:ac:94:41:db:de:6b:
+         4e:b0:d5:2e:19:37:7f:db:88:4a:8b:95:1c:f7:a6:7f:e6:83:
+         3a:ac:23:89:a7:bf:db:6c:e6:85:9a:77:39:62:57:e5:5d:2c:
+         bd:b6:e8:e1:61:22:dc:7b:8b:dd:e4:41:44:1d:10:e8:5a:19:
+         cd:3b:74:5d:f7:0d:64:2f:1d:ae:51:ac:76:1a:d5:aa:e1:21:
+         07:78:ef:1a:5b:be:5c:69:6d:4e:65:2f:a7:9e:da:16:31:6d:
+         50:98:f2:78:d5:5b:f7:60:b6:40:8d:db:48:a0:90:63:12:6d:
+         ce:5b:b8:b9:37:20:9f:80:f3:0a:cb:f6:72:5d:cd:0b:04:59:
+         76:1e:52:64:83:6f:6a:97:74:8a:55:2e:ce:e1:b5:93:46:c8:
+         91:8c:63:26:96:1e:1c:53:26:40:6d:4f:49:b1:48:9e:48:95:
+         54:bb:ec:38
 -----BEGIN CERTIFICATE-----
-MIIE7TCCA9WgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIE+DCCA+CgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBoDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
 B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xGDAWBgNVBAoMD3dvbGZTU0xfcmV2
 b2tlZDEYMBYGA1UECwwPU3VwcG9ydF9yZXZva2VkMRgwFgYDVQQDDA93d3cud29s
 ZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0G
@@ -76,33 +76,34 @@ ayQbdkisxiOlp+QFGb239t76/+1bPHmKqdXx++vIseSyq1JyiZMiXLrNijYqLNFA
 Hf3mQ8cbM7j05RtZORI4TS2bZGiY/I1yEpHyJCVsTEpIV5IAzH7Y1D24HfKe6rIj
 D1EPEUEc9ScAGwh6EjoFWwMk/rF7IPrkqFjGys5/vpUBEp0F5jkTG8A+Vi4rn3Y3
 3t6b4A16Yw2nIljbMcf3tEZcurZLSLEYmmizY0f9rxJfL/4Qy1grM2iFAgMBAAGj
-ggE6MIIBNjAdBgNVHQ4EFgQU2AkrWeEq7tnuQKqcq/BdKAlPIrswgckGA1UdIwSB
-wTCBvoAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYTAlVT
+ggFFMIIBQTAdBgNVHQ4EFgQU2AkrWeEq7tnuQKqcq/BdKAlPIrswgdQGA1UdIwSB
+zDCByYAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYTAlVT
 MRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhT
 YXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZz
-c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggkAqtM/rBgK
-N00wDAYDVR0TBAUwAwEB/zAcBgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATAd
-BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEB
-AFt66yIqjsH7Q4Fmr8u7a9nWKpAjTo41zIvsiPuWwEhjxufZUXUtsYcqXcpWhox1
-99RRRo13OwKbSSzP96XanpJOEwr9SAEnRItVp3Y7j48Li5pTOSHAaumcd7EKZgyi
-41Y+vUq2otGyB5+rkYP6m9NdLCZ77gLgH/IAjJlY0Vdhsmw0Gh4axOiHrYWJoazW
-sEX0lw7yye1fRwz4aI4E8K+FRINf3AVlFI2DGxWW5glvH5Y6hus2m/6gtKoFWpSP
-3Kwolx5bWi2UXuEdiivozrO+J8QgeFzNXXacgx9N86YupON78FjM65XCyZQj+3EH
-tZHemO6fgde6/wC7gzxgxXM=
+c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tghR9lHCIugdC
+jaqvT77CGkjw0UDmQjAMBgNVHRMEBTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUu
+Y29thwR/AAABMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG
+9w0BAQsFAAOCAQEASBwN/7Er75QUqCaJCvfvCJ8hHt5WKLPYm9yAEG/2R+kroQTt
+B0NtkRn1xX9XfajdAYx2f+3BpD7qNMCJXmOetPIP0y/Z2lZyE27c+w+77YS37wiU
+rJRB295rTrDVLhk3f9uISouVHPemf+aDOqwjiae/22zmhZp3OWJX5V0svbbo4WEi
+3HuL3eRBRB0Q6FoZzTt0XfcNZC8drlGsdhrVquEhB3jvGlu+XGltTmUvp57aFjFt
+UJjyeNVb92C2QI3bSKCQYxJtzlu4uTcgn4DzCsv2cl3NCwRZdh5SZINvapd0ilUu
+zuG1k0bIkYxjJpYeHFMmQG1PSbFInkiVVLvsOA==
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 12309252214903945037 (0xaad33fac180a374d)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            7d:94:70:88:ba:07:42:8d:aa:af:4f:be:c2:1a:48:f0:d1:40:e6:42
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:52 2021 GMT
-            Not After : Nov  7 19:49:52 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Sep 15 23:07:24 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:bf:0c:ca:2d:14:b2:1e:84:42:5b:cd:38:1f:4a:
                     f2:4d:75:10:f1:b6:35:9f:df:ca:7d:03:98:d3:ac:
@@ -129,7 +130,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -138,47 +139,47 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         62:98:c8:58:cf:56:03:86:5b:1b:71:49:7d:05:03:5d:e0:08:
-         86:ad:db:4a:de:ab:22:96:a8:c3:59:68:c1:37:90:40:df:bd:
-         89:d0:bc:da:8e:ef:87:b2:c2:62:52:e1:1a:29:17:6a:96:99:
-         c8:4e:d8:32:fe:b8:d1:5c:3b:0a:c2:3c:5f:a1:1e:98:7f:ce:
-         89:26:21:1f:64:9c:15:7a:9c:ef:fb:1d:85:6a:fa:98:ce:a8:
-         a9:ab:c3:a2:c0:eb:87:ed:bc:21:df:f3:07:5b:ae:fd:40:d4:
-         ae:20:d0:76:8a:31:0a:a2:62:7c:61:0d:ce:5d:9a:1e:e4:20:
-         88:51:49:fb:77:a9:cd:4d:c6:bf:54:99:33:ef:4b:a0:73:70:
-         6d:2e:d9:3d:08:f6:12:39:31:68:c6:61:5c:41:b5:1b:f4:38:
-         7d:fc:be:73:66:2d:f7:ca:5b:2c:5b:31:aa:cf:f6:7f:30:e4:
-         12:2c:8e:d6:38:51:e6:45:ee:d5:da:c3:83:d6:ed:5e:ec:d6:
-         b6:14:b3:93:59:e1:55:4a:7f:04:df:ce:65:d4:df:18:4f:dd:
-         b4:45:7f:a6:56:30:c4:05:44:98:9d:4f:26:6d:84:80:a0:5e:
-         ed:23:d1:48:87:0e:05:06:91:3b:b0:3c:bb:8c:8f:3c:7b:4c:
-         4f:a1:ca:98
+         b0:71:bb:ba:45:5a:80:25:02:a4:7e:88:0b:a9:7b:fd:b0:bb:
+         f6:46:b5:ba:f4:c7:e3:61:20:8c:03:15:66:f5:e4:54:82:ef:
+         13:80:97:22:67:c1:d1:88:5d:e2:2d:57:f6:e0:9f:69:d6:b1:
+         5c:b6:e8:e0:98:89:c8:14:12:d6:b6:89:8d:6c:b9:a0:59:4f:
+         92:ee:11:53:6b:7d:93:4a:69:0a:85:d9:d5:d2:62:e8:c9:b5:
+         c6:4e:17:f5:0a:e8:f3:2d:86:61:0b:eb:c4:c4:c6:67:75:ed:
+         9a:9f:53:a0:71:1e:a0:90:0d:f9:03:b4:bc:86:19:6e:f0:3b:
+         4f:e8:ed:68:f6:e7:23:43:3b:36:83:83:4b:46:a0:9a:01:d0:
+         c7:85:bb:7d:94:a0:21:3d:7e:3c:6a:3d:81:db:41:7b:46:d8:
+         15:62:d5:8f:4d:3d:c0:db:9a:c5:81:a8:ac:da:87:99:c7:dd:
+         b9:f1:14:af:d1:93:e3:f3:42:d7:a2:04:51:21:54:29:c3:45:
+         f6:be:5c:fa:cd:db:bf:2f:79:81:42:e5:8f:47:0b:d4:54:01:
+         b5:c2:4a:46:d6:a8:31:2e:64:80:3f:48:61:91:29:f3:aa:43:
+         5c:69:6e:f1:01:b9:df:63:71:3d:b9:5a:fb:36:c0:11:a2:c3:
+         30:9d:95:c3
 -----BEGIN CERTIFICATE-----
-MIIE6TCCA9GgAwIBAgIJAKrTP6wYCjdNMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD
+MIIE/zCCA+egAwIBAgIUfZRwiLoHQo2qr0++whpI8NFA5kIwDQYJKoZIhvcNAQEL
+BQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
+b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY
+MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
+bGZzc2wuY29tMB4XDTIxMTIyMDIzMDcyNFoXDTI0MDkxNTIzMDcyNFowgZQxCzAJ
+BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREw
+DwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwP
+d3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwzKLRSyHoRCW804H0ry
+TXUQ8bY1n9/KfQOY06zeA2buKvHYsH1uB1QLEJghTYDLEiDnzE/eRX3Jcncy6sqQ
+u2lSEAMvqPOVxfGLYlYb72dvpBBBla0Km+OlwLDScHZQMFuo6AgsfO2nonqNOCkc
+rMft8nyVsJWCfUlcOM13Je+9gHVTlDw9ymNbnxW10x0TLxnRPNt2Osy4fcnlwtfa
+QG/YIdxzG0ItU5z+Gvx9q3o2P5jehHwFZ85qFDiHqfGMtWjLaH9xICv1oGP1Vi+j
+JtK3b7FaF9c4mQj+k1hv/sMTSQgWC6dNZwBSMWcjTpjtUUUduQTZC+zYKLNLve02
+eQIDAQABo4IBRTCCAUEwHQYDVR0OBBYEFCeOZxF0wyYdP+0zY7Ok2B0w5ejVMIHU
+BgNVHSMEgcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYD
 VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G
 A1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3
-dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe
-Fw0yMTAyMTAxOTQ5NTJaFw0yMzExMDcxOTQ5NTJaMIGUMQswCQYDVQQGEwJVUzEQ
-MA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwIU2F3
-dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3Ns
-LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAL8Myi0Ush6EQlvNOB9K8k11EPG2NZ/fyn0D
-mNOs3gNm7irx2LB9bgdUCxCYIU2AyxIg58xP3kV9yXJ3MurKkLtpUhADL6jzlcXx
-i2JWG+9nb6QQQZWtCpvjpcCw0nB2UDBbqOgILHztp6J6jTgpHKzH7fJ8lbCVgn1J
-XDjNdyXvvYB1U5Q8PcpjW58VtdMdEy8Z0TzbdjrMuH3J5cLX2kBv2CHccxtCLVOc
-/hr8fat6Nj+Y3oR8BWfOahQ4h6nxjLVoy2h/cSAr9aBj9VYvoybSt2+xWhfXOJkI
-/pNYb/7DE0kIFgunTWcAUjFnI06Y7VFFHbkE2Qvs2CizS73tNnkCAwEAAaOCATow
-ggE2MB0GA1UdDgQWBBQnjmcRdMMmHT/tM2OzpNgdMOXo1TCByQYDVR0jBIHBMIG+
-gBQnjmcRdMMmHT/tM2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAO
-BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rv
-b3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5j
-b20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQCq0z+sGAo3TTAM
-BgNVHRMEBTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1Ud
-JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAYpjI
-WM9WA4ZbG3FJfQUDXeAIhq3bSt6rIpaow1lowTeQQN+9idC82o7vh7LCYlLhGikX
-apaZyE7YMv640Vw7CsI8X6EemH/OiSYhH2ScFXqc7/sdhWr6mM6oqavDosDrh+28
-Id/zB1uu/UDUriDQdooxCqJifGENzl2aHuQgiFFJ+3epzU3Gv1SZM+9LoHNwbS7Z
-PQj2EjkxaMZhXEG1G/Q4ffy+c2Yt98pbLFsxqs/2fzDkEiyO1jhR5kXu1drDg9bt
-XuzWthSzk1nhVUp/BN/OZdTfGE/dtEV/plYwxAVEmJ1PJm2EgKBe7SPRSIcOBQaR
-O7A8u4yPPHtMT6HKmA==
+dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIU
+fZRwiLoHQo2qr0++whpI8NFA5kIwDAYDVR0TBAUwAwEB/zAcBgNVHREEFTATggtl
+eGFtcGxlLmNvbYcEfwAAATAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
+DQYJKoZIhvcNAQELBQADggEBALBxu7pFWoAlAqR+iAupe/2wu/ZGtbr0x+NhIIwD
+FWb15FSC7xOAlyJnwdGIXeItV/bgn2nWsVy26OCYicgUEta2iY1suaBZT5LuEVNr
+fZNKaQqF2dXSYujJtcZOF/UK6PMthmEL68TExmd17ZqfU6BxHqCQDfkDtLyGGW7w
+O0/o7Wj25yNDOzaDg0tGoJoB0MeFu32UoCE9fjxqPYHbQXtG2BVi1Y9NPcDbmsWB
+qKzah5nH3bnxFK/Rk+PzQteiBFEhVCnDRfa+XPrN278veYFC5Y9HC9RUAbXCSkbW
+qDEuZIA/SGGRKfOqQ1xpbvEBud9jcT25Wvs2wBGiwzCdlcM=
 -----END CERTIFICATE-----
diff --git a/certs/test-degenerate.p7b b/certs/test-degenerate.p7b
index 80ea23567..cfae86d60 100644
Binary files a/certs/test-degenerate.p7b and b/certs/test-degenerate.p7b differ
diff --git a/certs/test-pathlen/chainA-ICA1-pathlen0.pem b/certs/test-pathlen/chainA-ICA1-pathlen0.pem
index ee98dc58d..2b9c28cce 100644
--- a/certs/test-pathlen/chainA-ICA1-pathlen0.pem
+++ b/certs/test-pathlen/chainA-ICA1-pathlen0.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainA-ICA1-pathlen0/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainA-ICA1-pathlen0, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:b2:2b:a1:3f:be:c0:58:bd:3a:bc:0d:19:ac:ca:
                     7f:b9:3b:f0:8c:30:ff:04:b1:34:7e:26:86:96:36:
@@ -37,34 +37,34 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE, pathlen:0
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         b6:5c:0c:f0:48:f3:14:fe:91:0f:f5:a4:36:ec:6b:aa:8b:7e:
-         b4:98:7d:66:dc:6f:40:25:a1:cc:01:ae:6c:5e:2c:bd:4a:dc:
-         5a:6e:eb:f7:84:aa:59:3b:63:b8:52:95:a2:d8:5e:1d:a8:c4:
-         e5:68:86:ea:de:83:25:9d:32:05:4e:4b:7a:f3:db:17:bc:1d:
-         39:af:07:24:06:46:79:19:30:d3:22:de:d3:e9:e8:e7:b6:7d:
-         e3:1c:24:76:22:47:b1:5a:d7:2e:5b:8a:f7:a6:9f:54:7b:cf:
-         88:a2:e8:45:f9:6a:c4:b5:e6:55:d8:ee:63:86:8b:6f:47:a5:
-         84:1e:71:e2:2a:7c:0c:51:72:12:23:0c:ed:81:ef:7f:ab:da:
-         47:5a:7b:f2:ee:6c:73:e2:2c:c2:6c:be:cf:4d:9c:3c:af:0f:
-         1e:8c:45:2e:02:78:e5:38:0e:31:f6:bf:7f:69:69:4e:57:b6:
-         bb:62:81:26:3a:bd:27:84:fc:77:a1:98:67:78:5e:2c:4f:b2:
-         36:ba:95:bf:19:3f:1e:50:b8:27:74:91:5b:40:15:be:59:56:
-         a2:79:15:c6:dc:b2:84:01:f4:39:56:28:b1:11:6e:4a:35:05:
-         85:4b:09:c9:4b:fa:5d:c6:c5:3b:da:41:04:85:a6:89:cc:d1:
-         b4:12:03:b7
+         2c:8a:79:a0:f6:0a:84:52:92:f3:2b:4b:b1:99:2c:09:cd:a1:
+         bc:20:32:34:98:dc:8a:10:ec:f2:3b:01:ef:40:40:b2:17:cd:
+         12:0a:c1:e0:3f:68:0d:25:9b:d4:df:39:72:11:fe:60:5e:eb:
+         56:8b:8e:bf:2d:5d:47:65:1e:41:da:4a:30:e3:26:99:62:9f:
+         73:39:93:11:92:e4:9e:66:6d:99:fb:55:a5:3f:2f:94:2e:1e:
+         ae:3b:90:00:42:75:9f:31:a7:ae:a5:f9:09:f8:c0:6c:ad:df:
+         6b:94:c7:ae:43:b1:fd:0f:95:ee:69:5e:19:df:21:b9:05:62:
+         54:9b:19:59:08:01:d9:00:c6:a4:1e:6d:8d:f4:4a:f0:41:53:
+         31:4d:ff:40:20:ba:93:9b:96:fd:2b:b5:92:d8:b2:36:4d:e0:
+         c5:7b:a2:9d:91:d3:8e:73:bc:27:0a:cc:d8:b5:09:bb:a4:57:
+         46:b1:9e:b6:80:36:95:63:a5:eb:6a:fe:d4:c9:75:75:1f:f8:
+         6d:3e:a4:45:82:39:9e:8d:da:53:e6:25:02:60:c0:12:f0:20:
+         9c:19:29:ae:7e:4c:c1:27:25:28:e2:c1:7f:0b:b0:c3:56:80:
+         9a:7b:d8:40:36:3f:83:9f:1a:81:f3:be:69:ca:fd:b1:08:37:
+         a3:ad:f4:11
 -----BEGIN CERTIFICATE-----
-MIIEwTCCA6mgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEzDCCA7SgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoMDHdvbGZTU0wg
 SW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNoYWluQS1JQ0Ex
 LXBhdGhsZW4wMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN
@@ -74,16 +74,16 @@ nWIkme23/8tNnUBU1eOqRaam2/5zQpRCwdAyXMQhrpyTALdKH56VpihtS9jAZeft
 o23KGLP638lnGnUjYIOlA19hveXWjZ0FRyN+oI3Rf0JOOKzOcLy/ewVbD4ICsJqN
 wBTK0EVelxDRoeEj2txpnM5TzGiJxkBNabyrT8cRXmKi3+KlNHw5NidnNBEELCqz
 FtuO/dd7HZNfM8LKliIqQ4KKSEYHE/9sHLC6C/DNP0zcNBePInBpnSLXxwIDAQAB
-o4IBDTCCAQkwHQYDVR0OBBYEFKgQ6sjvTwDN43nD69/2yIadRGwmMIHJBgNVHSME
-gcEwgb6AFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
+o4IBGDCCARQwHQYDVR0OBBYEFKgQ6sjvTwDN43nD69/2yIadRGwmMIHUBgNVHSME
+gcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
 UzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwI
 U2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xm
-c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIJAKrTP6wY
-CjdNMA8GA1UdEwQIMAYBAf8CAQAwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUA
-A4IBAQC2XAzwSPMU/pEP9aQ27Guqi360mH1m3G9AJaHMAa5sXiy9Stxabuv3hKpZ
-O2O4UpWi2F4dqMTlaIbq3oMlnTIFTkt689sXvB05rwckBkZ5GTDTIt7T6ejntn3j
-HCR2IkexWtcuW4r3pp9Ue8+IouhF+WrEteZV2O5jhotvR6WEHnHiKnwMUXISIwzt
-ge9/q9pHWnvy7mxz4izCbL7PTZw8rw8ejEUuAnjlOA4x9r9/aWlOV7a7YoEmOr0n
-hPx3oZhneF4sT7I2upW/GT8eULgndJFbQBW+WVaieRXG3LKEAfQ5ViixEW5KNQWF
-SwnJS/pdxsU72kEEhaaJzNG0EgO3
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUfZRwiLoH
+Qo2qr0++whpI8NFA5kIwDwYDVR0TBAgwBgEB/wIBADALBgNVHQ8EBAMCAQYwDQYJ
+KoZIhvcNAQELBQADggEBACyKeaD2CoRSkvMrS7GZLAnNobwgMjSY3IoQ7PI7Ae9A
+QLIXzRIKweA/aA0lm9TfOXIR/mBe61aLjr8tXUdlHkHaSjDjJplin3M5kxGS5J5m
+bZn7VaU/L5QuHq47kABCdZ8xp66l+Qn4wGyt32uUx65Dsf0Ple5pXhnfIbkFYlSb
+GVkIAdkAxqQebY30SvBBUzFN/0AgupOblv0rtZLYsjZN4MV7op2R045zvCcKzNi1
+CbukV0axnraANpVjpetq/tTJdXUf+G0+pEWCOZ6N2lPmJQJgwBLwIJwZKa5+TMEn
+JSjiwX8LsMNWgJp72EA2P4OfGoHzvmnK/bEIN6Ot9BE=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainA-assembled.pem b/certs/test-pathlen/chainA-assembled.pem
index f84721e47..b4b90db23 100644
--- a/certs/test-pathlen/chainA-assembled.pem
+++ b/certs/test-pathlen/chainA-assembled.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 101 (0x65)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainA-ICA1-pathlen0/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainA-ICA1-pathlen0, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainA-entity/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainA-entity, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d0:7a:d8:c8:6c:4f:a5:cd:72:25:87:ff:12:a3:
                     65:0e:1d:1f:78:b2:d7:1a:65:a1:e7:4e:bd:05:b5:
@@ -42,27 +42,27 @@ Certificate:
             X509v3 Basic Constraints: 
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         4d:0a:88:23:df:df:9b:11:0f:88:a8:a9:47:e1:eb:97:fd:8a:
-         26:d0:d7:1b:a9:f5:2a:06:cc:2f:c6:37:f7:be:e5:bb:05:40:
-         7d:93:df:7c:b9:b3:f4:21:d8:d7:66:eb:72:42:af:99:aa:13:
-         0d:30:e1:00:fa:91:7b:54:4a:2c:8a:13:84:c6:a9:6f:38:7e:
-         2b:ab:05:44:f0:dd:86:49:8a:b6:ad:43:d5:ba:be:f6:3c:f9:
-         20:fd:b8:5e:f5:82:89:7d:0e:53:e1:85:58:4b:40:d2:57:69:
-         37:a8:37:3c:4f:bb:ca:02:a1:dc:50:7f:ee:d5:3c:16:54:d9:
-         90:63:ee:eb:b1:1d:35:e7:8a:f3:b8:38:05:a0:a5:18:e5:71:
-         ab:e8:4f:11:e2:0b:26:d1:0d:14:d9:92:28:5b:a0:87:ac:21:
-         b4:ca:45:4c:e0:e3:aa:f4:b7:a8:32:0f:74:8c:05:e4:64:54:
-         22:d3:78:a9:bd:c8:7d:83:b2:48:3a:54:b9:12:66:d5:e0:a2:
-         85:49:27:06:65:70:e2:30:2e:1c:81:6d:d4:92:a8:24:ff:f6:
-         2d:f8:38:ca:89:b6:b3:85:14:83:bc:b5:38:e3:93:1c:70:c2:
-         02:98:05:2b:b1:a6:7f:7e:97:dd:07:2b:bd:7c:10:03:a9:c5:
-         1a:8e:dd:11
+         5e:c1:52:23:b1:8c:4b:a1:27:8f:a1:61:35:2d:62:20:5d:35:
+         4d:da:bf:77:94:cc:38:f3:8a:c7:a0:cf:d1:4c:3c:3c:a7:fd:
+         98:66:e2:b0:9e:4a:af:59:1f:13:af:d4:3a:04:9c:1d:7b:b5:
+         5a:81:62:29:a8:1e:dd:7f:d8:4d:b4:14:8d:e7:15:03:95:12:
+         34:46:68:35:57:b1:75:f8:30:99:5e:3b:b8:88:46:7f:0c:1e:
+         9f:05:2e:85:d9:f3:ea:bd:3f:16:ef:50:0e:78:07:ae:e7:64:
+         04:5e:b8:e8:2e:cf:bc:be:3c:33:2f:e5:c6:81:79:8d:ed:fc:
+         ea:50:d9:98:75:3a:28:be:64:c6:df:8a:09:35:bc:31:aa:da:
+         d6:ff:5c:01:80:ad:1d:da:4d:30:4f:4f:04:de:08:8d:dc:e9:
+         9e:cf:2a:4c:cd:47:db:76:3f:9a:72:5f:2c:14:2e:9a:b3:59:
+         7f:2d:5f:61:97:19:c2:a7:93:b4:98:9f:51:f6:95:f3:e5:fb:
+         23:6e:2c:99:c9:69:86:13:35:5f:3d:7b:f3:de:3b:ed:3f:6b:
+         48:83:17:03:08:a3:9d:08:bf:5e:7e:f4:31:e2:74:ae:f3:35:
+         6a:f3:3d:ab:c8:de:0a:58:62:2e:35:bf:19:19:a7:46:de:a2:
+         d9:61:ae:5b
 -----BEGIN CERTIFICATE-----
 MIIEqjCCA5KgAwIBAgIBZTANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluQS1JQ0ExLXBhdGhsZW4wMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgZoxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgZoxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRYwFAYDVQQD
 DA1jaGFpbkEtZW50aXR5MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
@@ -77,26 +77,26 @@ VR0jBIG5MIG2gBSoEOrI708AzeN5w+vf9siGnURsJqGBmqSBlzCBlDELMAkGA1UE
 BhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNV
 BAoMCFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cu
 d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CAWQw
-CQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEATQqII9/fmxEPiKipR+Hrl/2K
-JtDXG6n1KgbML8Y3977luwVAfZPffLmz9CHY12brckKvmaoTDTDhAPqRe1RKLIoT
-hMapbzh+K6sFRPDdhkmKtq1D1bq+9jz5IP24XvWCiX0OU+GFWEtA0ldpN6g3PE+7
-ygKh3FB/7tU8FlTZkGPu67EdNeeK87g4BaClGOVxq+hPEeILJtENFNmSKFugh6wh
-tMpFTODjqvS3qDIPdIwF5GRUItN4qb3IfYOySDpUuRJm1eCihUknBmVw4jAuHIFt
-1JKoJP/2Lfg4yom2s4UUg7y1OOOTHHDCApgFK7Gmf36X3QcrvXwQA6nFGo7dEQ==
+CQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAXsFSI7GMS6Enj6FhNS1iIF01
+Tdq/d5TMOPOKx6DP0Uw8PKf9mGbisJ5Kr1kfE6/UOgScHXu1WoFiKage3X/YTbQU
+jecVA5USNEZoNVexdfgwmV47uIhGfwwenwUuhdnz6r0/Fu9QDngHrudkBF646C7P
+vL48My/lxoF5je386lDZmHU6KL5kxt+KCTW8Mara1v9cAYCtHdpNME9PBN4Ijdzp
+ns8qTM1H23Y/mnJfLBQumrNZfy1fYZcZwqeTtJifUfaV8+X7I24smclphhM1Xz17
+89477T9rSIMXAwijnQi/Xn70MeJ0rvM1avM9q8jeClhiLjW/GRmnRt6i2WGuWw==
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainA-ICA1-pathlen0/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainA-ICA1-pathlen0, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:b2:2b:a1:3f:be:c0:58:bd:3a:bc:0d:19:ac:ca:
                     7f:b9:3b:f0:8c:30:ff:04:b1:34:7e:26:86:96:36:
@@ -123,34 +123,34 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE, pathlen:0
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         b6:5c:0c:f0:48:f3:14:fe:91:0f:f5:a4:36:ec:6b:aa:8b:7e:
-         b4:98:7d:66:dc:6f:40:25:a1:cc:01:ae:6c:5e:2c:bd:4a:dc:
-         5a:6e:eb:f7:84:aa:59:3b:63:b8:52:95:a2:d8:5e:1d:a8:c4:
-         e5:68:86:ea:de:83:25:9d:32:05:4e:4b:7a:f3:db:17:bc:1d:
-         39:af:07:24:06:46:79:19:30:d3:22:de:d3:e9:e8:e7:b6:7d:
-         e3:1c:24:76:22:47:b1:5a:d7:2e:5b:8a:f7:a6:9f:54:7b:cf:
-         88:a2:e8:45:f9:6a:c4:b5:e6:55:d8:ee:63:86:8b:6f:47:a5:
-         84:1e:71:e2:2a:7c:0c:51:72:12:23:0c:ed:81:ef:7f:ab:da:
-         47:5a:7b:f2:ee:6c:73:e2:2c:c2:6c:be:cf:4d:9c:3c:af:0f:
-         1e:8c:45:2e:02:78:e5:38:0e:31:f6:bf:7f:69:69:4e:57:b6:
-         bb:62:81:26:3a:bd:27:84:fc:77:a1:98:67:78:5e:2c:4f:b2:
-         36:ba:95:bf:19:3f:1e:50:b8:27:74:91:5b:40:15:be:59:56:
-         a2:79:15:c6:dc:b2:84:01:f4:39:56:28:b1:11:6e:4a:35:05:
-         85:4b:09:c9:4b:fa:5d:c6:c5:3b:da:41:04:85:a6:89:cc:d1:
-         b4:12:03:b7
+         2c:8a:79:a0:f6:0a:84:52:92:f3:2b:4b:b1:99:2c:09:cd:a1:
+         bc:20:32:34:98:dc:8a:10:ec:f2:3b:01:ef:40:40:b2:17:cd:
+         12:0a:c1:e0:3f:68:0d:25:9b:d4:df:39:72:11:fe:60:5e:eb:
+         56:8b:8e:bf:2d:5d:47:65:1e:41:da:4a:30:e3:26:99:62:9f:
+         73:39:93:11:92:e4:9e:66:6d:99:fb:55:a5:3f:2f:94:2e:1e:
+         ae:3b:90:00:42:75:9f:31:a7:ae:a5:f9:09:f8:c0:6c:ad:df:
+         6b:94:c7:ae:43:b1:fd:0f:95:ee:69:5e:19:df:21:b9:05:62:
+         54:9b:19:59:08:01:d9:00:c6:a4:1e:6d:8d:f4:4a:f0:41:53:
+         31:4d:ff:40:20:ba:93:9b:96:fd:2b:b5:92:d8:b2:36:4d:e0:
+         c5:7b:a2:9d:91:d3:8e:73:bc:27:0a:cc:d8:b5:09:bb:a4:57:
+         46:b1:9e:b6:80:36:95:63:a5:eb:6a:fe:d4:c9:75:75:1f:f8:
+         6d:3e:a4:45:82:39:9e:8d:da:53:e6:25:02:60:c0:12:f0:20:
+         9c:19:29:ae:7e:4c:c1:27:25:28:e2:c1:7f:0b:b0:c3:56:80:
+         9a:7b:d8:40:36:3f:83:9f:1a:81:f3:be:69:ca:fd:b1:08:37:
+         a3:ad:f4:11
 -----BEGIN CERTIFICATE-----
-MIIEwTCCA6mgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEzDCCA7SgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoMDHdvbGZTU0wg
 SW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNoYWluQS1JQ0Ex
 LXBhdGhsZW4wMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN
@@ -160,16 +160,16 @@ nWIkme23/8tNnUBU1eOqRaam2/5zQpRCwdAyXMQhrpyTALdKH56VpihtS9jAZeft
 o23KGLP638lnGnUjYIOlA19hveXWjZ0FRyN+oI3Rf0JOOKzOcLy/ewVbD4ICsJqN
 wBTK0EVelxDRoeEj2txpnM5TzGiJxkBNabyrT8cRXmKi3+KlNHw5NidnNBEELCqz
 FtuO/dd7HZNfM8LKliIqQ4KKSEYHE/9sHLC6C/DNP0zcNBePInBpnSLXxwIDAQAB
-o4IBDTCCAQkwHQYDVR0OBBYEFKgQ6sjvTwDN43nD69/2yIadRGwmMIHJBgNVHSME
-gcEwgb6AFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
+o4IBGDCCARQwHQYDVR0OBBYEFKgQ6sjvTwDN43nD69/2yIadRGwmMIHUBgNVHSME
+gcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
 UzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwI
 U2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xm
-c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIJAKrTP6wY
-CjdNMA8GA1UdEwQIMAYBAf8CAQAwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUA
-A4IBAQC2XAzwSPMU/pEP9aQ27Guqi360mH1m3G9AJaHMAa5sXiy9Stxabuv3hKpZ
-O2O4UpWi2F4dqMTlaIbq3oMlnTIFTkt689sXvB05rwckBkZ5GTDTIt7T6ejntn3j
-HCR2IkexWtcuW4r3pp9Ue8+IouhF+WrEteZV2O5jhotvR6WEHnHiKnwMUXISIwzt
-ge9/q9pHWnvy7mxz4izCbL7PTZw8rw8ejEUuAnjlOA4x9r9/aWlOV7a7YoEmOr0n
-hPx3oZhneF4sT7I2upW/GT8eULgndJFbQBW+WVaieRXG3LKEAfQ5ViixEW5KNQWF
-SwnJS/pdxsU72kEEhaaJzNG0EgO3
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUfZRwiLoH
+Qo2qr0++whpI8NFA5kIwDwYDVR0TBAgwBgEB/wIBADALBgNVHQ8EBAMCAQYwDQYJ
+KoZIhvcNAQELBQADggEBACyKeaD2CoRSkvMrS7GZLAnNobwgMjSY3IoQ7PI7Ae9A
+QLIXzRIKweA/aA0lm9TfOXIR/mBe61aLjr8tXUdlHkHaSjDjJplin3M5kxGS5J5m
+bZn7VaU/L5QuHq47kABCdZ8xp66l+Qn4wGyt32uUx65Dsf0Ple5pXhnfIbkFYlSb
+GVkIAdkAxqQebY30SvBBUzFN/0AgupOblv0rtZLYsjZN4MV7op2R045zvCcKzNi1
+CbukV0axnraANpVjpetq/tTJdXUf+G0+pEWCOZ6N2lPmJQJgwBLwIJwZKa5+TMEn
+JSjiwX8LsMNWgJp72EA2P4OfGoHzvmnK/bEIN6Ot9BE=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainA-entity.pem b/certs/test-pathlen/chainA-entity.pem
index 1a87ce1e4..0562b5799 100644
--- a/certs/test-pathlen/chainA-entity.pem
+++ b/certs/test-pathlen/chainA-entity.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 101 (0x65)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainA-ICA1-pathlen0/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainA-ICA1-pathlen0, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainA-entity/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainA-entity, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d0:7a:d8:c8:6c:4f:a5:cd:72:25:87:ff:12:a3:
                     65:0e:1d:1f:78:b2:d7:1a:65:a1:e7:4e:bd:05:b5:
@@ -42,27 +42,27 @@ Certificate:
             X509v3 Basic Constraints: 
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         4d:0a:88:23:df:df:9b:11:0f:88:a8:a9:47:e1:eb:97:fd:8a:
-         26:d0:d7:1b:a9:f5:2a:06:cc:2f:c6:37:f7:be:e5:bb:05:40:
-         7d:93:df:7c:b9:b3:f4:21:d8:d7:66:eb:72:42:af:99:aa:13:
-         0d:30:e1:00:fa:91:7b:54:4a:2c:8a:13:84:c6:a9:6f:38:7e:
-         2b:ab:05:44:f0:dd:86:49:8a:b6:ad:43:d5:ba:be:f6:3c:f9:
-         20:fd:b8:5e:f5:82:89:7d:0e:53:e1:85:58:4b:40:d2:57:69:
-         37:a8:37:3c:4f:bb:ca:02:a1:dc:50:7f:ee:d5:3c:16:54:d9:
-         90:63:ee:eb:b1:1d:35:e7:8a:f3:b8:38:05:a0:a5:18:e5:71:
-         ab:e8:4f:11:e2:0b:26:d1:0d:14:d9:92:28:5b:a0:87:ac:21:
-         b4:ca:45:4c:e0:e3:aa:f4:b7:a8:32:0f:74:8c:05:e4:64:54:
-         22:d3:78:a9:bd:c8:7d:83:b2:48:3a:54:b9:12:66:d5:e0:a2:
-         85:49:27:06:65:70:e2:30:2e:1c:81:6d:d4:92:a8:24:ff:f6:
-         2d:f8:38:ca:89:b6:b3:85:14:83:bc:b5:38:e3:93:1c:70:c2:
-         02:98:05:2b:b1:a6:7f:7e:97:dd:07:2b:bd:7c:10:03:a9:c5:
-         1a:8e:dd:11
+         5e:c1:52:23:b1:8c:4b:a1:27:8f:a1:61:35:2d:62:20:5d:35:
+         4d:da:bf:77:94:cc:38:f3:8a:c7:a0:cf:d1:4c:3c:3c:a7:fd:
+         98:66:e2:b0:9e:4a:af:59:1f:13:af:d4:3a:04:9c:1d:7b:b5:
+         5a:81:62:29:a8:1e:dd:7f:d8:4d:b4:14:8d:e7:15:03:95:12:
+         34:46:68:35:57:b1:75:f8:30:99:5e:3b:b8:88:46:7f:0c:1e:
+         9f:05:2e:85:d9:f3:ea:bd:3f:16:ef:50:0e:78:07:ae:e7:64:
+         04:5e:b8:e8:2e:cf:bc:be:3c:33:2f:e5:c6:81:79:8d:ed:fc:
+         ea:50:d9:98:75:3a:28:be:64:c6:df:8a:09:35:bc:31:aa:da:
+         d6:ff:5c:01:80:ad:1d:da:4d:30:4f:4f:04:de:08:8d:dc:e9:
+         9e:cf:2a:4c:cd:47:db:76:3f:9a:72:5f:2c:14:2e:9a:b3:59:
+         7f:2d:5f:61:97:19:c2:a7:93:b4:98:9f:51:f6:95:f3:e5:fb:
+         23:6e:2c:99:c9:69:86:13:35:5f:3d:7b:f3:de:3b:ed:3f:6b:
+         48:83:17:03:08:a3:9d:08:bf:5e:7e:f4:31:e2:74:ae:f3:35:
+         6a:f3:3d:ab:c8:de:0a:58:62:2e:35:bf:19:19:a7:46:de:a2:
+         d9:61:ae:5b
 -----BEGIN CERTIFICATE-----
 MIIEqjCCA5KgAwIBAgIBZTANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluQS1JQ0ExLXBhdGhsZW4wMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgZoxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgZoxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRYwFAYDVQQD
 DA1jaGFpbkEtZW50aXR5MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
@@ -77,10 +77,10 @@ VR0jBIG5MIG2gBSoEOrI708AzeN5w+vf9siGnURsJqGBmqSBlzCBlDELMAkGA1UE
 BhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNV
 BAoMCFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cu
 d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CAWQw
-CQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEATQqII9/fmxEPiKipR+Hrl/2K
-JtDXG6n1KgbML8Y3977luwVAfZPffLmz9CHY12brckKvmaoTDTDhAPqRe1RKLIoT
-hMapbzh+K6sFRPDdhkmKtq1D1bq+9jz5IP24XvWCiX0OU+GFWEtA0ldpN6g3PE+7
-ygKh3FB/7tU8FlTZkGPu67EdNeeK87g4BaClGOVxq+hPEeILJtENFNmSKFugh6wh
-tMpFTODjqvS3qDIPdIwF5GRUItN4qb3IfYOySDpUuRJm1eCihUknBmVw4jAuHIFt
-1JKoJP/2Lfg4yom2s4UUg7y1OOOTHHDCApgFK7Gmf36X3QcrvXwQA6nFGo7dEQ==
+CQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAXsFSI7GMS6Enj6FhNS1iIF01
+Tdq/d5TMOPOKx6DP0Uw8PKf9mGbisJ5Kr1kfE6/UOgScHXu1WoFiKage3X/YTbQU
+jecVA5USNEZoNVexdfgwmV47uIhGfwwenwUuhdnz6r0/Fu9QDngHrudkBF646C7P
+vL48My/lxoF5je386lDZmHU6KL5kxt+KCTW8Mara1v9cAYCtHdpNME9PBN4Ijdzp
+ns8qTM1H23Y/mnJfLBQumrNZfy1fYZcZwqeTtJifUfaV8+X7I24smclphhM1Xz17
+89477T9rSIMXAwijnQi/Xn70MeJ0rvM1avM9q8jeClhiLjW/GRmnRt6i2WGuWw==
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainB-ICA1-pathlen0.pem b/certs/test-pathlen/chainB-ICA1-pathlen0.pem
index 44735d35e..d10ff6ab7 100644
--- a/certs/test-pathlen/chainB-ICA1-pathlen0.pem
+++ b/certs/test-pathlen/chainB-ICA1-pathlen0.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainB-ICA2-pathlen1/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainB-ICA2-pathlen1, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainB-ICA1-pathlen0/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainB-ICA1-pathlen0, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:b2:f7:aa:ae:91:d1:24:41:52:a1:22:e0:d3:97:
                     9b:e0:0c:94:9c:4a:e4:b3:85:ae:a9:43:9f:ec:7a:
@@ -44,27 +44,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         95:41:25:30:aa:2e:b1:65:ab:9c:d0:00:7d:9e:cd:d7:df:c8:
-         02:9e:9c:57:9b:f7:1b:f5:d0:0d:11:19:5f:86:bd:fd:e9:87:
-         f5:ca:4a:7b:06:cc:e5:5a:c2:d8:85:79:0e:ef:c8:27:42:c9:
-         2f:62:2b:58:62:36:3c:90:40:cc:40:b3:28:34:9e:84:19:48:
-         ed:dd:e6:71:84:48:02:15:e5:f7:ce:0e:68:d0:86:1a:03:49:
-         f9:03:82:be:bb:0c:8e:b0:88:b4:44:82:19:c0:f4:04:41:3c:
-         f5:c4:a9:44:75:a5:e7:96:f5:a9:54:bd:da:34:d2:a9:4a:d3:
-         72:a0:95:d3:2b:65:cb:58:ec:b8:a5:98:22:94:f6:b6:af:eb:
-         0b:04:75:52:41:22:3c:1b:7f:4b:90:07:15:13:0d:22:c0:ac:
-         1a:8a:fa:43:a9:61:32:6c:ed:1c:65:bb:69:61:8d:5d:22:a1:
-         d1:2d:d3:88:37:2b:ec:a0:eb:19:89:29:5f:95:22:ff:39:04:
-         21:dd:a0:59:d1:fa:18:e8:a0:3c:85:24:cb:42:dd:e3:28:9b:
-         82:91:50:18:64:6f:3a:e6:5e:58:e8:2b:9f:ce:a7:d5:1b:4e:
-         82:ce:4f:70:76:ec:c4:dc:aa:34:8d:de:a8:23:3a:04:31:96:
-         b4:50:27:5d
+         30:65:c9:85:15:6a:5d:e2:ba:d7:22:7f:f8:98:15:f0:3f:0d:
+         a0:c7:e8:33:72:57:1c:cc:54:3f:df:c6:64:72:2d:87:83:44:
+         f1:3d:8a:ef:52:c9:a9:9c:56:07:88:bd:25:4f:0a:b4:bd:a3:
+         1b:d7:39:0b:bd:7e:3d:09:7f:65:ad:b2:21:23:74:80:1b:a5:
+         4d:65:61:f4:9a:19:63:5a:37:f9:a9:6d:3d:1d:b0:9f:43:e3:
+         be:78:cf:b2:5f:62:f1:1f:f6:e2:f4:a5:e6:e4:0a:8c:d8:4b:
+         05:3c:c0:8f:37:41:ad:b9:6a:fa:02:1c:35:12:8c:29:c6:6b:
+         6e:e2:30:76:f0:63:39:fe:38:96:3d:51:58:eb:c0:6c:ad:eb:
+         35:14:fe:ff:1c:70:b8:86:92:ae:ca:74:ad:90:ac:ae:c5:d8:
+         a2:4e:7f:8c:3d:53:74:98:ed:05:b2:83:27:22:3e:19:89:60:
+         0c:2c:f6:f7:d2:f6:ac:76:7a:5c:9d:bb:26:c6:90:ad:29:b5:
+         28:ac:f1:49:86:28:82:1a:d5:f8:4e:50:d5:51:8f:90:86:0b:
+         98:fb:c1:1f:a9:3f:73:72:a2:08:9e:f8:28:8b:25:3d:37:38:
+         fb:d9:d8:1a:00:3b:23:88:a1:06:14:19:95:b9:e8:24:11:84:
+         18:cc:88:21
 -----BEGIN CERTIFICATE-----
 MIIExjCCA66gAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluQi1JQ0EyLXBhdGhsZW4xMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgaExCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgaExCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMR0wGwYDVQQD
 DBRjaGFpbkItSUNBMS1wYXRobGVuMDEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm
@@ -80,10 +80,10 @@ lDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVt
 YW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYD
 VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
 bC5jb22CAWQwDwYDVR0TBAgwBgEB/wIBADALBgNVHQ8EBAMCAQYwDQYJKoZIhvcN
-AQELBQADggEBAJVBJTCqLrFlq5zQAH2ezdffyAKenFeb9xv10A0RGV+Gvf3ph/XK
-SnsGzOVawtiFeQ7vyCdCyS9iK1hiNjyQQMxAsyg0noQZSO3d5nGESAIV5ffODmjQ
-hhoDSfkDgr67DI6wiLREghnA9ARBPPXEqUR1peeW9alUvdo00qlK03KgldMrZctY
-7LilmCKU9rav6wsEdVJBIjwbf0uQBxUTDSLArBqK+kOpYTJs7Rxlu2lhjV0iodEt
-04g3K+yg6xmJKV+VIv85BCHdoFnR+hjooDyFJMtC3eMom4KRUBhkbzrmXljoK5/O
-p9UbToLOT3B27MTcqjSN3qgjOgQxlrRQJ10=
+AQELBQADggEBADBlyYUVal3iutcif/iYFfA/DaDH6DNyVxzMVD/fxmRyLYeDRPE9
+iu9SyamcVgeIvSVPCrS9oxvXOQu9fj0Jf2WtsiEjdIAbpU1lYfSaGWNaN/mpbT0d
+sJ9D4754z7JfYvEf9uL0pebkCozYSwU8wI83Qa25avoCHDUSjCnGa27iMHbwYzn+
+OJY9UVjrwGyt6zUU/v8ccLiGkq7KdK2QrK7F2KJOf4w9U3SY7QWygyciPhmJYAws
+9vfS9qx2elyduybGkK0ptSis8UmGKIIa1fhOUNVRj5CGC5j7wR+pP3Nyogie+CiL
+JT03OPvZ2BoAOyOIoQYUGZW56CQRhBjMiCE=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainB-ICA2-pathlen1.pem b/certs/test-pathlen/chainB-ICA2-pathlen1.pem
index 1ea89956e..685c3fb54 100644
--- a/certs/test-pathlen/chainB-ICA2-pathlen1.pem
+++ b/certs/test-pathlen/chainB-ICA2-pathlen1.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainB-ICA2-pathlen1/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainB-ICA2-pathlen1, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d0:7f:82:05:9d:5b:c4:49:e0:3e:1f:87:6e:17:
                     05:eb:e2:0a:d1:d1:a5:f5:cc:be:1d:46:d8:cd:a8:
@@ -37,34 +37,34 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE, pathlen:1
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         12:dd:3f:c6:8a:bb:1e:a0:0b:68:c4:bf:9e:34:09:b0:e9:1a:
-         32:f5:c3:6c:59:7a:ec:c6:ba:42:b8:57:05:21:8a:6b:99:dd:
-         d7:7e:13:8e:1b:20:e5:ff:f9:67:23:ec:3c:fe:bb:07:e7:12:
-         ca:cb:74:03:01:5b:82:2d:3c:2c:e7:de:c5:00:6c:3b:6e:a3:
-         91:73:e4:b3:ef:bd:5b:89:ce:f4:aa:f7:78:c6:a7:60:57:5a:
-         4e:f4:f7:64:e1:78:24:0b:c1:49:fc:be:e2:7e:b6:d7:dd:f2:
-         8d:5c:85:b0:1c:9a:2d:28:ea:54:08:a9:d2:80:aa:9f:9d:50:
-         83:f4:f6:ce:70:2f:f4:83:0a:f4:39:81:a4:92:76:69:15:74:
-         3b:01:46:4e:e1:95:87:d2:0e:f5:a2:b1:cd:8a:dc:d8:c7:12:
-         6c:1a:04:74:e8:89:2f:48:bc:64:16:2e:d5:4b:21:78:d5:b2:
-         17:93:57:de:94:fe:a4:28:db:f1:6e:5b:df:2b:83:a9:89:a1:
-         59:09:1d:5b:64:1d:e6:09:65:41:a9:ef:1c:6d:92:98:50:8c:
-         af:aa:8e:89:d2:c5:88:2e:d5:a2:0e:1b:1e:7d:11:25:90:de:
-         4f:49:ff:37:9c:71:3f:68:2a:da:15:60:20:c1:a0:2a:0e:ed:
-         fd:f9:92:e7
+         27:15:71:ae:36:f4:cd:a0:70:78:44:74:e8:17:7f:f4:cf:eb:
+         d8:bc:5d:6a:b3:91:79:ab:d1:d4:ef:72:b7:64:30:c2:49:96:
+         9c:a3:d8:05:66:a7:e5:7b:96:8e:ff:bd:3f:3a:d6:36:f5:01:
+         06:6b:a8:83:d2:23:dc:48:ff:a7:66:f6:27:a8:99:82:dd:d0:
+         a4:c4:a9:92:f0:d6:f2:1a:d0:cb:c3:0b:65:63:31:30:46:92:
+         65:84:fe:0b:da:fa:9e:b6:70:24:9a:b0:69:d0:90:cb:c1:ec:
+         9e:99:10:74:19:5b:78:e1:17:64:d5:74:5d:85:11:92:bd:94:
+         b5:18:11:ae:82:c2:78:36:4c:eb:11:e8:a3:95:42:07:cd:9d:
+         5d:36:14:03:3c:d6:46:0d:7c:19:8c:7c:13:51:e3:5c:c2:a4:
+         ed:0c:a0:cc:71:08:a6:ec:0f:18:13:bd:59:e5:e3:96:c7:d8:
+         04:77:00:7f:45:90:ca:e4:de:63:d7:83:3a:94:e3:01:98:d2:
+         6d:cd:22:2a:cb:31:b7:08:29:15:e3:a2:f8:46:98:56:07:6d:
+         b2:0b:91:38:a0:ea:20:c9:63:6f:41:df:b6:3a:bd:58:f4:8b:
+         d3:62:ae:1b:b5:64:d3:c0:49:b6:63:20:a4:6b:39:e6:66:48:
+         f5:c9:81:9c
 -----BEGIN CERTIFICATE-----
-MIIEwTCCA6mgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEzDCCA7SgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoMDHdvbGZTU0wg
 SW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNoYWluQi1JQ0Ey
 LXBhdGhsZW4xMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN
@@ -74,16 +74,16 @@ wt+hVv6Vl1ZeW/502fIuyn7bUHda0ZDcItb+S8BXocY7SrqtBRTJJGh2teIm1ctQ
 /dB3DowMuV73pJpFNWxiyuk41BCaXDClTyZHAwNzVoWMvvXQwAkGPg7o5X3QGVTt
 V+xRz7yVFZHP0JqE3YpQfDPCGmFwMZoZFyizjNpfuNIGa4I/tmooKYa0IMulr3Nm
 5Dc2gfA/rb8FuNsuxCLi60aH9GDRpn/unEGn86rpN93a1vDNSKxR0XeNoQIDAQAB
-o4IBDTCCAQkwHQYDVR0OBBYEFO5ZnVYLfApFROMVV+Ky8x1kb696MIHJBgNVHSME
-gcEwgb6AFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
+o4IBGDCCARQwHQYDVR0OBBYEFO5ZnVYLfApFROMVV+Ky8x1kb696MIHUBgNVHSME
+gcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
 UzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwI
 U2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xm
-c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIJAKrTP6wY
-CjdNMA8GA1UdEwQIMAYBAf8CAQEwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUA
-A4IBAQAS3T/GirseoAtoxL+eNAmw6Roy9cNsWXrsxrpCuFcFIYprmd3XfhOOGyDl
-//lnI+w8/rsH5xLKy3QDAVuCLTws597FAGw7bqORc+Sz771bic70qvd4xqdgV1pO
-9Pdk4XgkC8FJ/L7ifrbX3fKNXIWwHJotKOpUCKnSgKqfnVCD9PbOcC/0gwr0OYGk
-knZpFXQ7AUZO4ZWH0g71orHNitzYxxJsGgR06IkvSLxkFi7VSyF41bIXk1felP6k
-KNvxblvfK4OpiaFZCR1bZB3mCWVBqe8cbZKYUIyvqo6J0sWILtWiDhsefRElkN5P
-Sf83nHE/aCraFWAgwaAqDu39+ZLn
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUfZRwiLoH
+Qo2qr0++whpI8NFA5kIwDwYDVR0TBAgwBgEB/wIBATALBgNVHQ8EBAMCAQYwDQYJ
+KoZIhvcNAQELBQADggEBACcVca429M2gcHhEdOgXf/TP69i8XWqzkXmr0dTvcrdk
+MMJJlpyj2AVmp+V7lo7/vT861jb1AQZrqIPSI9xI/6dm9ieomYLd0KTEqZLw1vIa
+0MvDC2VjMTBGkmWE/gva+p62cCSasGnQkMvB7J6ZEHQZW3jhF2TVdF2FEZK9lLUY
+Ea6Cwng2TOsR6KOVQgfNnV02FAM81kYNfBmMfBNR41zCpO0MoMxxCKbsDxgTvVnl
+45bH2AR3AH9FkMrk3mPXgzqU4wGY0m3NIirLMbcIKRXjovhGmFYHbbILkTig6iDJ
+Y29B37Y6vVj0i9Nirhu1ZNPASbZjIKRrOeZmSPXJgZw=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainB-assembled.pem b/certs/test-pathlen/chainB-assembled.pem
index a7000713d..bd043db47 100644
--- a/certs/test-pathlen/chainB-assembled.pem
+++ b/certs/test-pathlen/chainB-assembled.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 101 (0x65)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainB-ICA1-pathlen0/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainB-ICA1-pathlen0, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainB-entity/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainB-entity, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d7:5f:d9:3d:d7:5b:11:aa:3e:53:31:d0:32:78:
                     87:fb:c0:8e:80:6d:fc:68:73:1f:9c:77:66:16:35:
@@ -42,27 +42,27 @@ Certificate:
             X509v3 Basic Constraints: 
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         78:1a:2d:43:61:05:f3:48:03:80:1d:15:25:c6:df:5f:94:86:
-         de:a3:60:53:fb:6c:6d:3d:f3:db:6e:01:8c:8c:73:44:4b:91:
-         7d:7a:3c:57:e5:9f:ae:ab:b5:d0:44:e6:84:b5:f6:a3:1f:14:
-         f1:18:3d:4a:1f:c5:27:75:20:ae:b0:5a:26:33:cf:32:bd:1a:
-         ea:03:82:09:18:f6:7f:37:a6:f5:73:79:7e:69:45:67:d5:ba:
-         68:0a:b9:cf:8d:f5:9c:56:26:e2:e3:0e:4e:1f:db:de:30:9b:
-         36:6c:4d:8b:f6:52:ea:2c:99:78:68:35:dd:c6:e1:cb:d3:ba:
-         74:b9:1e:3e:db:98:d4:16:6e:6e:ca:ea:0a:99:45:25:2b:56:
-         50:89:31:12:b6:ef:5f:44:e6:35:7d:ff:6c:19:cc:6a:d7:1d:
-         70:71:80:e8:01:7c:f2:ef:f2:e4:b5:f3:38:f1:78:65:72:38:
-         e9:c9:b1:93:0b:4c:49:b6:29:64:bc:d8:c4:30:3f:2c:8b:a3:
-         fc:19:c0:06:6e:2d:05:fe:c9:12:5d:d3:f8:c3:83:fb:d8:1e:
-         2d:79:da:13:9c:ff:e6:ea:2f:ee:39:96:84:9a:5e:59:5d:a8:
-         fd:26:26:2b:36:b4:5d:9b:42:d8:3a:2f:41:03:47:fe:7d:e2:
-         b4:ce:2e:5d
+         6a:04:9e:c8:1b:03:38:96:f6:a2:7c:70:54:65:0a:d8:b7:24:
+         34:92:2a:92:95:c5:66:26:96:2b:e3:23:27:14:2c:73:26:b3:
+         01:ef:f0:6a:fd:24:71:49:00:1a:1f:31:33:6d:0e:3d:61:36:
+         b1:07:46:ae:8c:51:3a:77:4c:15:0c:90:63:68:e3:ea:ad:60:
+         cd:53:d2:a3:9b:6d:8d:16:61:c5:5a:74:b7:4e:ac:97:f0:f9:
+         02:7c:01:5e:25:50:23:87:4c:2c:59:d5:b1:66:30:31:b8:e6:
+         e3:b8:72:80:03:97:91:b1:ee:15:6d:92:20:69:d4:a4:aa:c6:
+         88:42:11:7f:f9:55:4e:10:78:53:53:f7:86:79:a0:7a:08:34:
+         3e:f7:9c:5b:90:e7:8c:ed:ab:10:c1:c0:ec:e0:b7:5d:4e:39:
+         c6:91:aa:83:1b:73:5b:02:c4:6a:39:2d:4c:c8:51:3c:f9:67:
+         db:b7:2d:ab:ac:2f:14:1a:6b:9e:24:e6:a6:ce:f3:bb:ff:33:
+         f8:b4:71:9f:cc:85:6c:1c:41:0a:37:0a:5c:b2:a3:ca:25:8c:
+         05:52:1b:d0:2f:de:29:d9:8d:3a:98:fd:1d:57:8b:f7:ee:70:
+         5b:be:ab:f3:fc:c8:83:1d:14:eb:55:58:70:c3:17:d2:cd:c9:
+         4e:ac:05:6c
 -----BEGIN CERTIFICATE-----
 MIIEtzCCA5+gAwIBAgIBZTANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluQi1JQ0ExLXBhdGhsZW4wMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgZoxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgZoxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRYwFAYDVQQD
 DA1jaGFpbkItZW50aXR5MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
@@ -77,27 +77,27 @@ VR0jBIHGMIHDgBTXkOSGWST5K7gGjrGPM+UsY/EDFqGBp6SBpDCBoTELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNV
 BAMMFGNoYWluQi1JQ0EyLXBhdGhsZW4xMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
-bGZzc2wuY29tggFkMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAHgaLUNh
-BfNIA4AdFSXG31+Uht6jYFP7bG0989tuAYyMc0RLkX16PFfln66rtdBE5oS19qMf
-FPEYPUofxSd1IK6wWiYzzzK9GuoDggkY9n83pvVzeX5pRWfVumgKuc+N9ZxWJuLj
-Dk4f294wmzZsTYv2UuosmXhoNd3G4cvTunS5Hj7bmNQWbm7K6gqZRSUrVlCJMRK2
-719E5jV9/2wZzGrXHXBxgOgBfPLv8uS18zjxeGVyOOnJsZMLTEm2KWS82MQwPyyL
-o/wZwAZuLQX+yRJd0/jDg/vYHi152hOc/+bqL+45loSaXlldqP0mJis2tF2bQtg6
-L0EDR/594rTOLl0=
+bGZzc2wuY29tggFkMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAGoEnsgb
+AziW9qJ8cFRlCti3JDSSKpKVxWYmlivjIycULHMmswHv8Gr9JHFJABofMTNtDj1h
+NrEHRq6MUTp3TBUMkGNo4+qtYM1T0qObbY0WYcVadLdOrJfw+QJ8AV4lUCOHTCxZ
+1bFmMDG45uO4coADl5Gx7hVtkiBp1KSqxohCEX/5VU4QeFNT94Z5oHoIND73nFuQ
+54ztqxDBwOzgt11OOcaRqoMbc1sCxGo5LUzIUTz5Z9u3LausLxQaa54k5qbO87v/
+M/i0cZ/MhWwcQQo3Clyyo8oljAVSG9Av3inZjTqY/R1Xi/fucFu+q/P8yIMdFOtV
+WHDDF9LNyU6sBWw=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainB-ICA2-pathlen1/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainB-ICA2-pathlen1, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainB-ICA1-pathlen0/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainB-ICA1-pathlen0, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:b2:f7:aa:ae:91:d1:24:41:52:a1:22:e0:d3:97:
                     9b:e0:0c:94:9c:4a:e4:b3:85:ae:a9:43:9f:ec:7a:
@@ -131,27 +131,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         95:41:25:30:aa:2e:b1:65:ab:9c:d0:00:7d:9e:cd:d7:df:c8:
-         02:9e:9c:57:9b:f7:1b:f5:d0:0d:11:19:5f:86:bd:fd:e9:87:
-         f5:ca:4a:7b:06:cc:e5:5a:c2:d8:85:79:0e:ef:c8:27:42:c9:
-         2f:62:2b:58:62:36:3c:90:40:cc:40:b3:28:34:9e:84:19:48:
-         ed:dd:e6:71:84:48:02:15:e5:f7:ce:0e:68:d0:86:1a:03:49:
-         f9:03:82:be:bb:0c:8e:b0:88:b4:44:82:19:c0:f4:04:41:3c:
-         f5:c4:a9:44:75:a5:e7:96:f5:a9:54:bd:da:34:d2:a9:4a:d3:
-         72:a0:95:d3:2b:65:cb:58:ec:b8:a5:98:22:94:f6:b6:af:eb:
-         0b:04:75:52:41:22:3c:1b:7f:4b:90:07:15:13:0d:22:c0:ac:
-         1a:8a:fa:43:a9:61:32:6c:ed:1c:65:bb:69:61:8d:5d:22:a1:
-         d1:2d:d3:88:37:2b:ec:a0:eb:19:89:29:5f:95:22:ff:39:04:
-         21:dd:a0:59:d1:fa:18:e8:a0:3c:85:24:cb:42:dd:e3:28:9b:
-         82:91:50:18:64:6f:3a:e6:5e:58:e8:2b:9f:ce:a7:d5:1b:4e:
-         82:ce:4f:70:76:ec:c4:dc:aa:34:8d:de:a8:23:3a:04:31:96:
-         b4:50:27:5d
+         30:65:c9:85:15:6a:5d:e2:ba:d7:22:7f:f8:98:15:f0:3f:0d:
+         a0:c7:e8:33:72:57:1c:cc:54:3f:df:c6:64:72:2d:87:83:44:
+         f1:3d:8a:ef:52:c9:a9:9c:56:07:88:bd:25:4f:0a:b4:bd:a3:
+         1b:d7:39:0b:bd:7e:3d:09:7f:65:ad:b2:21:23:74:80:1b:a5:
+         4d:65:61:f4:9a:19:63:5a:37:f9:a9:6d:3d:1d:b0:9f:43:e3:
+         be:78:cf:b2:5f:62:f1:1f:f6:e2:f4:a5:e6:e4:0a:8c:d8:4b:
+         05:3c:c0:8f:37:41:ad:b9:6a:fa:02:1c:35:12:8c:29:c6:6b:
+         6e:e2:30:76:f0:63:39:fe:38:96:3d:51:58:eb:c0:6c:ad:eb:
+         35:14:fe:ff:1c:70:b8:86:92:ae:ca:74:ad:90:ac:ae:c5:d8:
+         a2:4e:7f:8c:3d:53:74:98:ed:05:b2:83:27:22:3e:19:89:60:
+         0c:2c:f6:f7:d2:f6:ac:76:7a:5c:9d:bb:26:c6:90:ad:29:b5:
+         28:ac:f1:49:86:28:82:1a:d5:f8:4e:50:d5:51:8f:90:86:0b:
+         98:fb:c1:1f:a9:3f:73:72:a2:08:9e:f8:28:8b:25:3d:37:38:
+         fb:d9:d8:1a:00:3b:23:88:a1:06:14:19:95:b9:e8:24:11:84:
+         18:cc:88:21
 -----BEGIN CERTIFICATE-----
 MIIExjCCA66gAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluQi1JQ0EyLXBhdGhsZW4xMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgaExCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgaExCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMR0wGwYDVQQD
 DBRjaGFpbkItSUNBMS1wYXRobGVuMDEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm
@@ -167,26 +167,26 @@ lDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVt
 YW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYD
 VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
 bC5jb22CAWQwDwYDVR0TBAgwBgEB/wIBADALBgNVHQ8EBAMCAQYwDQYJKoZIhvcN
-AQELBQADggEBAJVBJTCqLrFlq5zQAH2ezdffyAKenFeb9xv10A0RGV+Gvf3ph/XK
-SnsGzOVawtiFeQ7vyCdCyS9iK1hiNjyQQMxAsyg0noQZSO3d5nGESAIV5ffODmjQ
-hhoDSfkDgr67DI6wiLREghnA9ARBPPXEqUR1peeW9alUvdo00qlK03KgldMrZctY
-7LilmCKU9rav6wsEdVJBIjwbf0uQBxUTDSLArBqK+kOpYTJs7Rxlu2lhjV0iodEt
-04g3K+yg6xmJKV+VIv85BCHdoFnR+hjooDyFJMtC3eMom4KRUBhkbzrmXljoK5/O
-p9UbToLOT3B27MTcqjSN3qgjOgQxlrRQJ10=
+AQELBQADggEBADBlyYUVal3iutcif/iYFfA/DaDH6DNyVxzMVD/fxmRyLYeDRPE9
+iu9SyamcVgeIvSVPCrS9oxvXOQu9fj0Jf2WtsiEjdIAbpU1lYfSaGWNaN/mpbT0d
+sJ9D4754z7JfYvEf9uL0pebkCozYSwU8wI83Qa25avoCHDUSjCnGa27iMHbwYzn+
+OJY9UVjrwGyt6zUU/v8ccLiGkq7KdK2QrK7F2KJOf4w9U3SY7QWygyciPhmJYAws
+9vfS9qx2elyduybGkK0ptSis8UmGKIIa1fhOUNVRj5CGC5j7wR+pP3Nyogie+CiL
+JT03OPvZ2BoAOyOIoQYUGZW56CQRhBjMiCE=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainB-ICA2-pathlen1/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainB-ICA2-pathlen1, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d0:7f:82:05:9d:5b:c4:49:e0:3e:1f:87:6e:17:
                     05:eb:e2:0a:d1:d1:a5:f5:cc:be:1d:46:d8:cd:a8:
@@ -213,34 +213,34 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE, pathlen:1
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         12:dd:3f:c6:8a:bb:1e:a0:0b:68:c4:bf:9e:34:09:b0:e9:1a:
-         32:f5:c3:6c:59:7a:ec:c6:ba:42:b8:57:05:21:8a:6b:99:dd:
-         d7:7e:13:8e:1b:20:e5:ff:f9:67:23:ec:3c:fe:bb:07:e7:12:
-         ca:cb:74:03:01:5b:82:2d:3c:2c:e7:de:c5:00:6c:3b:6e:a3:
-         91:73:e4:b3:ef:bd:5b:89:ce:f4:aa:f7:78:c6:a7:60:57:5a:
-         4e:f4:f7:64:e1:78:24:0b:c1:49:fc:be:e2:7e:b6:d7:dd:f2:
-         8d:5c:85:b0:1c:9a:2d:28:ea:54:08:a9:d2:80:aa:9f:9d:50:
-         83:f4:f6:ce:70:2f:f4:83:0a:f4:39:81:a4:92:76:69:15:74:
-         3b:01:46:4e:e1:95:87:d2:0e:f5:a2:b1:cd:8a:dc:d8:c7:12:
-         6c:1a:04:74:e8:89:2f:48:bc:64:16:2e:d5:4b:21:78:d5:b2:
-         17:93:57:de:94:fe:a4:28:db:f1:6e:5b:df:2b:83:a9:89:a1:
-         59:09:1d:5b:64:1d:e6:09:65:41:a9:ef:1c:6d:92:98:50:8c:
-         af:aa:8e:89:d2:c5:88:2e:d5:a2:0e:1b:1e:7d:11:25:90:de:
-         4f:49:ff:37:9c:71:3f:68:2a:da:15:60:20:c1:a0:2a:0e:ed:
-         fd:f9:92:e7
+         27:15:71:ae:36:f4:cd:a0:70:78:44:74:e8:17:7f:f4:cf:eb:
+         d8:bc:5d:6a:b3:91:79:ab:d1:d4:ef:72:b7:64:30:c2:49:96:
+         9c:a3:d8:05:66:a7:e5:7b:96:8e:ff:bd:3f:3a:d6:36:f5:01:
+         06:6b:a8:83:d2:23:dc:48:ff:a7:66:f6:27:a8:99:82:dd:d0:
+         a4:c4:a9:92:f0:d6:f2:1a:d0:cb:c3:0b:65:63:31:30:46:92:
+         65:84:fe:0b:da:fa:9e:b6:70:24:9a:b0:69:d0:90:cb:c1:ec:
+         9e:99:10:74:19:5b:78:e1:17:64:d5:74:5d:85:11:92:bd:94:
+         b5:18:11:ae:82:c2:78:36:4c:eb:11:e8:a3:95:42:07:cd:9d:
+         5d:36:14:03:3c:d6:46:0d:7c:19:8c:7c:13:51:e3:5c:c2:a4:
+         ed:0c:a0:cc:71:08:a6:ec:0f:18:13:bd:59:e5:e3:96:c7:d8:
+         04:77:00:7f:45:90:ca:e4:de:63:d7:83:3a:94:e3:01:98:d2:
+         6d:cd:22:2a:cb:31:b7:08:29:15:e3:a2:f8:46:98:56:07:6d:
+         b2:0b:91:38:a0:ea:20:c9:63:6f:41:df:b6:3a:bd:58:f4:8b:
+         d3:62:ae:1b:b5:64:d3:c0:49:b6:63:20:a4:6b:39:e6:66:48:
+         f5:c9:81:9c
 -----BEGIN CERTIFICATE-----
-MIIEwTCCA6mgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEzDCCA7SgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoMDHdvbGZTU0wg
 SW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNoYWluQi1JQ0Ey
 LXBhdGhsZW4xMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN
@@ -250,16 +250,16 @@ wt+hVv6Vl1ZeW/502fIuyn7bUHda0ZDcItb+S8BXocY7SrqtBRTJJGh2teIm1ctQ
 /dB3DowMuV73pJpFNWxiyuk41BCaXDClTyZHAwNzVoWMvvXQwAkGPg7o5X3QGVTt
 V+xRz7yVFZHP0JqE3YpQfDPCGmFwMZoZFyizjNpfuNIGa4I/tmooKYa0IMulr3Nm
 5Dc2gfA/rb8FuNsuxCLi60aH9GDRpn/unEGn86rpN93a1vDNSKxR0XeNoQIDAQAB
-o4IBDTCCAQkwHQYDVR0OBBYEFO5ZnVYLfApFROMVV+Ky8x1kb696MIHJBgNVHSME
-gcEwgb6AFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
+o4IBGDCCARQwHQYDVR0OBBYEFO5ZnVYLfApFROMVV+Ky8x1kb696MIHUBgNVHSME
+gcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
 UzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwI
 U2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xm
-c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIJAKrTP6wY
-CjdNMA8GA1UdEwQIMAYBAf8CAQEwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUA
-A4IBAQAS3T/GirseoAtoxL+eNAmw6Roy9cNsWXrsxrpCuFcFIYprmd3XfhOOGyDl
-//lnI+w8/rsH5xLKy3QDAVuCLTws597FAGw7bqORc+Sz771bic70qvd4xqdgV1pO
-9Pdk4XgkC8FJ/L7ifrbX3fKNXIWwHJotKOpUCKnSgKqfnVCD9PbOcC/0gwr0OYGk
-knZpFXQ7AUZO4ZWH0g71orHNitzYxxJsGgR06IkvSLxkFi7VSyF41bIXk1felP6k
-KNvxblvfK4OpiaFZCR1bZB3mCWVBqe8cbZKYUIyvqo6J0sWILtWiDhsefRElkN5P
-Sf83nHE/aCraFWAgwaAqDu39+ZLn
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUfZRwiLoH
+Qo2qr0++whpI8NFA5kIwDwYDVR0TBAgwBgEB/wIBATALBgNVHQ8EBAMCAQYwDQYJ
+KoZIhvcNAQELBQADggEBACcVca429M2gcHhEdOgXf/TP69i8XWqzkXmr0dTvcrdk
+MMJJlpyj2AVmp+V7lo7/vT861jb1AQZrqIPSI9xI/6dm9ieomYLd0KTEqZLw1vIa
+0MvDC2VjMTBGkmWE/gva+p62cCSasGnQkMvB7J6ZEHQZW3jhF2TVdF2FEZK9lLUY
+Ea6Cwng2TOsR6KOVQgfNnV02FAM81kYNfBmMfBNR41zCpO0MoMxxCKbsDxgTvVnl
+45bH2AR3AH9FkMrk3mPXgzqU4wGY0m3NIirLMbcIKRXjovhGmFYHbbILkTig6iDJ
+Y29B37Y6vVj0i9Nirhu1ZNPASbZjIKRrOeZmSPXJgZw=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainB-entity.pem b/certs/test-pathlen/chainB-entity.pem
index 9b091fb7e..4bbd1b119 100644
--- a/certs/test-pathlen/chainB-entity.pem
+++ b/certs/test-pathlen/chainB-entity.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 101 (0x65)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainB-ICA1-pathlen0/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainB-ICA1-pathlen0, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainB-entity/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainB-entity, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d7:5f:d9:3d:d7:5b:11:aa:3e:53:31:d0:32:78:
                     87:fb:c0:8e:80:6d:fc:68:73:1f:9c:77:66:16:35:
@@ -42,27 +42,27 @@ Certificate:
             X509v3 Basic Constraints: 
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         78:1a:2d:43:61:05:f3:48:03:80:1d:15:25:c6:df:5f:94:86:
-         de:a3:60:53:fb:6c:6d:3d:f3:db:6e:01:8c:8c:73:44:4b:91:
-         7d:7a:3c:57:e5:9f:ae:ab:b5:d0:44:e6:84:b5:f6:a3:1f:14:
-         f1:18:3d:4a:1f:c5:27:75:20:ae:b0:5a:26:33:cf:32:bd:1a:
-         ea:03:82:09:18:f6:7f:37:a6:f5:73:79:7e:69:45:67:d5:ba:
-         68:0a:b9:cf:8d:f5:9c:56:26:e2:e3:0e:4e:1f:db:de:30:9b:
-         36:6c:4d:8b:f6:52:ea:2c:99:78:68:35:dd:c6:e1:cb:d3:ba:
-         74:b9:1e:3e:db:98:d4:16:6e:6e:ca:ea:0a:99:45:25:2b:56:
-         50:89:31:12:b6:ef:5f:44:e6:35:7d:ff:6c:19:cc:6a:d7:1d:
-         70:71:80:e8:01:7c:f2:ef:f2:e4:b5:f3:38:f1:78:65:72:38:
-         e9:c9:b1:93:0b:4c:49:b6:29:64:bc:d8:c4:30:3f:2c:8b:a3:
-         fc:19:c0:06:6e:2d:05:fe:c9:12:5d:d3:f8:c3:83:fb:d8:1e:
-         2d:79:da:13:9c:ff:e6:ea:2f:ee:39:96:84:9a:5e:59:5d:a8:
-         fd:26:26:2b:36:b4:5d:9b:42:d8:3a:2f:41:03:47:fe:7d:e2:
-         b4:ce:2e:5d
+         6a:04:9e:c8:1b:03:38:96:f6:a2:7c:70:54:65:0a:d8:b7:24:
+         34:92:2a:92:95:c5:66:26:96:2b:e3:23:27:14:2c:73:26:b3:
+         01:ef:f0:6a:fd:24:71:49:00:1a:1f:31:33:6d:0e:3d:61:36:
+         b1:07:46:ae:8c:51:3a:77:4c:15:0c:90:63:68:e3:ea:ad:60:
+         cd:53:d2:a3:9b:6d:8d:16:61:c5:5a:74:b7:4e:ac:97:f0:f9:
+         02:7c:01:5e:25:50:23:87:4c:2c:59:d5:b1:66:30:31:b8:e6:
+         e3:b8:72:80:03:97:91:b1:ee:15:6d:92:20:69:d4:a4:aa:c6:
+         88:42:11:7f:f9:55:4e:10:78:53:53:f7:86:79:a0:7a:08:34:
+         3e:f7:9c:5b:90:e7:8c:ed:ab:10:c1:c0:ec:e0:b7:5d:4e:39:
+         c6:91:aa:83:1b:73:5b:02:c4:6a:39:2d:4c:c8:51:3c:f9:67:
+         db:b7:2d:ab:ac:2f:14:1a:6b:9e:24:e6:a6:ce:f3:bb:ff:33:
+         f8:b4:71:9f:cc:85:6c:1c:41:0a:37:0a:5c:b2:a3:ca:25:8c:
+         05:52:1b:d0:2f:de:29:d9:8d:3a:98:fd:1d:57:8b:f7:ee:70:
+         5b:be:ab:f3:fc:c8:83:1d:14:eb:55:58:70:c3:17:d2:cd:c9:
+         4e:ac:05:6c
 -----BEGIN CERTIFICATE-----
 MIIEtzCCA5+gAwIBAgIBZTANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluQi1JQ0ExLXBhdGhsZW4wMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgZoxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgZoxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRYwFAYDVQQD
 DA1jaGFpbkItZW50aXR5MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
@@ -77,11 +77,11 @@ VR0jBIHGMIHDgBTXkOSGWST5K7gGjrGPM+UsY/EDFqGBp6SBpDCBoTELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNV
 BAMMFGNoYWluQi1JQ0EyLXBhdGhsZW4xMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
-bGZzc2wuY29tggFkMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAHgaLUNh
-BfNIA4AdFSXG31+Uht6jYFP7bG0989tuAYyMc0RLkX16PFfln66rtdBE5oS19qMf
-FPEYPUofxSd1IK6wWiYzzzK9GuoDggkY9n83pvVzeX5pRWfVumgKuc+N9ZxWJuLj
-Dk4f294wmzZsTYv2UuosmXhoNd3G4cvTunS5Hj7bmNQWbm7K6gqZRSUrVlCJMRK2
-719E5jV9/2wZzGrXHXBxgOgBfPLv8uS18zjxeGVyOOnJsZMLTEm2KWS82MQwPyyL
-o/wZwAZuLQX+yRJd0/jDg/vYHi152hOc/+bqL+45loSaXlldqP0mJis2tF2bQtg6
-L0EDR/594rTOLl0=
+bGZzc2wuY29tggFkMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAGoEnsgb
+AziW9qJ8cFRlCti3JDSSKpKVxWYmlivjIycULHMmswHv8Gr9JHFJABofMTNtDj1h
+NrEHRq6MUTp3TBUMkGNo4+qtYM1T0qObbY0WYcVadLdOrJfw+QJ8AV4lUCOHTCxZ
+1bFmMDG45uO4coADl5Gx7hVtkiBp1KSqxohCEX/5VU4QeFNT94Z5oHoIND73nFuQ
+54ztqxDBwOzgt11OOcaRqoMbc1sCxGo5LUzIUTz5Z9u3LausLxQaa54k5qbO87v/
+M/i0cZ/MhWwcQQo3Clyyo8oljAVSG9Av3inZjTqY/R1Xi/fucFu+q/P8yIMdFOtV
+WHDDF9LNyU6sBWw=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainC-ICA1-pathlen1.pem b/certs/test-pathlen/chainC-ICA1-pathlen1.pem
index 81f67f54f..f74b341c2 100644
--- a/certs/test-pathlen/chainC-ICA1-pathlen1.pem
+++ b/certs/test-pathlen/chainC-ICA1-pathlen1.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainC-ICA1-pathlen1/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainC-ICA1-pathlen1, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:bb:1a:6c:c1:bd:bb:9b:29:ca:35:3d:63:a3:29:
                     cd:a6:65:c4:9e:a3:c5:50:99:ad:51:90:0a:9a:9b:
@@ -37,34 +37,34 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE, pathlen:1
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         b2:28:df:aa:26:d1:ba:a6:18:a9:c3:36:29:c1:11:4f:40:e0:
-         dc:5b:cd:18:3d:f4:b8:b2:79:c7:03:93:71:91:fb:0b:cd:d9:
-         07:21:76:f2:48:29:28:c8:18:88:df:79:26:04:69:5e:ba:e8:
-         d6:b9:4e:38:b2:9b:e9:bf:50:91:f6:cb:6f:e0:a6:36:dc:2a:
-         27:6b:ca:62:3f:03:e7:cf:24:98:97:a9:c3:7a:b1:79:b3:db:
-         2d:4e:38:3e:6d:d9:1d:66:cc:8e:d1:c9:9e:3e:92:8a:76:6d:
-         60:53:e6:c3:27:29:dd:f0:7b:17:a5:eb:66:83:40:6c:2f:8d:
-         95:d8:91:b6:08:27:1a:ef:96:10:0d:75:76:86:fa:4a:17:e4:
-         10:46:16:38:42:65:8c:5e:2c:4c:c0:3f:c7:9d:29:63:53:0b:
-         2e:86:44:4c:79:da:c7:2b:af:1a:92:69:43:cb:85:af:79:98:
-         fc:01:88:b0:5a:f9:3a:de:f0:bb:7e:fa:37:95:9b:04:5b:eb:
-         40:9d:ee:2d:cd:50:48:17:19:28:12:66:c7:d7:77:fa:ba:4c:
-         c7:d1:f0:d9:2e:f4:63:40:14:87:48:03:32:99:13:ea:d7:7b:
-         4b:c9:ef:16:ca:14:14:79:ed:fe:d7:f5:6f:4c:db:4c:95:a6:
-         36:3d:02:0f
+         11:c4:12:09:e2:a7:bd:3e:94:bf:60:69:43:07:e9:0e:a5:48:
+         57:63:ba:aa:62:fb:1b:cb:b3:61:69:45:34:f1:60:b0:7b:4f:
+         69:b9:f4:e4:99:99:48:a8:4a:5c:84:21:6f:cc:49:4e:0c:2b:
+         52:dc:01:bd:fe:d3:ee:66:b4:d4:3e:2b:d5:56:42:58:b2:06:
+         34:24:74:ad:0d:50:3c:d8:fd:89:20:58:ff:f5:58:b0:3b:cc:
+         47:2b:1d:82:2c:81:1a:a2:ad:26:be:ae:c2:fb:04:f4:c1:08:
+         6a:e2:c3:97:17:23:a6:d3:18:69:cf:7f:b6:b1:39:ba:06:de:
+         20:1a:ed:e3:3b:11:11:11:f6:f3:da:f0:4f:29:36:fa:d2:71:
+         1b:b5:7a:3e:fa:d4:0e:5f:54:cc:f1:1b:95:b2:a6:06:85:61:
+         e6:06:dc:02:8a:d1:ad:11:fe:85:8e:04:ac:dd:f1:24:90:72:
+         5a:45:d5:6c:69:ef:c0:4f:d6:2f:46:bd:45:bb:51:f9:9d:d2:
+         fb:c0:53:8e:62:4e:64:17:14:e6:9a:18:6d:a9:33:94:af:2a:
+         21:e0:95:84:2d:73:3a:15:87:2f:c8:8c:25:5d:e6:ca:1a:0b:
+         e2:1f:d8:b0:29:c1:86:d0:72:27:26:40:19:ea:8e:ec:7a:c4:
+         83:e8:66:6d
 -----BEGIN CERTIFICATE-----
-MIIEwTCCA6mgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEzDCCA7SgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoMDHdvbGZTU0wg
 SW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNoYWluQy1JQ0Ex
 LXBhdGhsZW4xMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN
@@ -74,16 +74,16 @@ T/w3Jk5UedcXOVB5bqMpmQetnVzY4QLnM37k2qQFvGID059qkZJm3SnQlfsvP/BZ
 uHBbJVR7oAqfMwlk7fvUHC2WVEXjUJj/sX+axs8Jo9rpV60dBY8edXXn0gcz3tp9
 QtgOlP6ux5vDtZ7zayGfdMSzMnwoTg+8FTO6nAk8wUAGeLuxID9hFfYeSXNRiZUt
 lb801sKp0TQdjSFtT6Nu7/wjonb80CVTDkN2O+2C7NgjyzPvPJ2h3uZ6rQIDAQAB
-o4IBDTCCAQkwHQYDVR0OBBYEFJQdLgc3xi9Swex5axPOCZBf9MRRMIHJBgNVHSME
-gcEwgb6AFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
+o4IBGDCCARQwHQYDVR0OBBYEFJQdLgc3xi9Swex5axPOCZBf9MRRMIHUBgNVHSME
+gcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
 UzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwI
 U2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xm
-c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIJAKrTP6wY
-CjdNMA8GA1UdEwQIMAYBAf8CAQEwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUA
-A4IBAQCyKN+qJtG6phipwzYpwRFPQODcW80YPfS4snnHA5NxkfsLzdkHIXbySCko
-yBiI33kmBGleuujWuU44spvpv1CR9stv4KY23Cona8piPwPnzySYl6nDerF5s9st
-Tjg+bdkdZsyO0cmePpKKdm1gU+bDJynd8HsXpetmg0BsL42V2JG2CCca75YQDXV2
-hvpKF+QQRhY4QmWMXixMwD/HnSljUwsuhkRMedrHK68akmlDy4WveZj8AYiwWvk6
-3vC7fvo3lZsEW+tAne4tzVBIFxkoEmbH13f6ukzH0fDZLvRjQBSHSAMymRPq13tL
-ye8WyhQUee3+1/VvTNtMlaY2PQIP
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUfZRwiLoH
+Qo2qr0++whpI8NFA5kIwDwYDVR0TBAgwBgEB/wIBATALBgNVHQ8EBAMCAQYwDQYJ
+KoZIhvcNAQELBQADggEBABHEEgnip70+lL9gaUMH6Q6lSFdjuqpi+xvLs2FpRTTx
+YLB7T2m59OSZmUioSlyEIW/MSU4MK1LcAb3+0+5mtNQ+K9VWQliyBjQkdK0NUDzY
+/YkgWP/1WLA7zEcrHYIsgRqirSa+rsL7BPTBCGriw5cXI6bTGGnPf7axOboG3iAa
+7eM7ERER9vPa8E8pNvrScRu1ej761A5fVMzxG5WypgaFYeYG3AKK0a0R/oWOBKzd
+8SSQclpF1Wxp78BP1i9GvUW7Ufmd0vvAU45iTmQXFOaaGG2pM5SvKiHglYQtczoV
+hy/IjCVd5soaC+If2LApwYbQcicmQBnqjux6xIPoZm0=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainC-assembled.pem b/certs/test-pathlen/chainC-assembled.pem
index e1691d453..ff2ec64a7 100644
--- a/certs/test-pathlen/chainC-assembled.pem
+++ b/certs/test-pathlen/chainC-assembled.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 101 (0x65)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainC-ICA1-pathlen1/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainC-ICA1-pathlen1, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainC-entity/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainC-entity, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:bf:34:e1:1c:2c:2d:a4:93:b5:c4:fc:65:40:fa:
                     94:68:74:24:ff:52:a4:df:3e:f1:7c:92:14:f0:f0:
@@ -42,27 +42,27 @@ Certificate:
             X509v3 Basic Constraints: 
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         3d:59:ea:2a:2e:ce:c6:6d:eb:52:08:01:5c:bc:cb:0f:e1:6a:
-         26:22:25:ad:8c:0f:34:c0:65:23:e0:6b:34:3d:6d:8d:1b:df:
-         e1:57:84:92:5d:f6:cd:27:18:49:9c:58:9a:d8:ac:96:fd:44:
-         fa:b9:d9:77:d2:7a:22:f7:6d:9e:3d:86:97:95:af:0c:c8:0e:
-         df:78:df:3c:2f:7d:3f:85:e0:e4:03:b2:b6:32:ed:7d:53:7a:
-         3f:1f:84:6c:3b:28:61:80:7e:5b:50:c8:59:a8:0f:b3:12:26:
-         6a:fd:12:8f:fa:d5:12:02:43:85:c2:f4:cc:02:0d:4f:ff:cc:
-         56:0f:a7:f2:7f:64:e8:77:8d:fb:21:42:6c:20:2a:99:da:a5:
-         72:0c:1a:0d:ea:e0:91:3d:5a:bc:4e:96:b7:7d:50:0e:ce:1c:
-         f9:7d:1f:9a:39:25:33:28:e5:45:8f:27:02:68:97:8d:f5:f0:
-         3f:21:83:ff:b7:29:09:4f:46:9c:8d:ab:49:43:45:8f:4a:3b:
-         1b:ae:b1:d3:9a:d8:47:1c:9b:67:3a:e4:5a:18:29:55:8d:ee:
-         fd:ed:88:e7:f4:38:6c:f1:36:12:d9:d0:ee:4b:4b:17:df:74:
-         18:ea:96:64:1d:84:3a:ed:38:7a:9f:95:3b:c2:5b:93:80:41:
-         e1:c5:4e:19
+         ae:e3:75:41:90:9d:0b:8a:bf:15:d5:3c:dd:08:31:a7:b5:92:
+         e2:3e:53:73:a7:20:27:4a:6b:2a:ef:99:a8:15:42:c9:79:4b:
+         b7:bb:3a:ba:9d:f0:b3:cf:37:34:64:63:7c:0a:f1:91:04:30:
+         6b:ca:66:39:d3:a0:26:23:34:28:5b:a9:57:91:0c:fa:cf:84:
+         42:79:28:23:21:ba:ff:04:4c:c4:06:1f:9e:a5:1d:37:e9:5c:
+         6a:75:84:b7:f9:d3:24:80:91:95:ab:df:1a:cc:7c:a7:7d:ac:
+         95:fc:02:77:b2:8e:e2:77:da:96:30:48:84:44:2a:b0:af:5b:
+         9d:7d:67:8a:a5:13:3d:4c:ed:df:cb:2a:6b:8a:1a:ad:18:f0:
+         1f:50:9e:4d:c3:31:58:31:f2:9b:05:c0:7e:a3:6a:80:28:5c:
+         22:78:fd:32:66:6a:9c:31:fc:d2:db:42:43:e8:b8:35:41:36:
+         00:8d:26:4b:e9:02:c3:2d:72:c0:4f:8f:4a:cf:5d:7c:5c:ae:
+         16:0b:0c:37:a9:34:d8:19:91:cd:3a:af:55:ae:bc:6b:2a:85:
+         ef:f0:0f:8d:30:b3:90:d7:56:39:47:d6:5a:3d:e3:f3:d1:b9:
+         75:74:8b:27:4f:c7:b6:af:ff:e4:6b:af:5c:b6:c4:6f:19:89:
+         44:41:f6:41
 -----BEGIN CERTIFICATE-----
 MIIEqjCCA5KgAwIBAgIBZTANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluQy1JQ0ExLXBhdGhsZW4xMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgZoxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgZoxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRYwFAYDVQQD
 DA1jaGFpbkMtZW50aXR5MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
@@ -77,26 +77,26 @@ VR0jBIG5MIG2gBSUHS4HN8YvUsHseWsTzgmQX/TEUaGBmqSBlzCBlDELMAkGA1UE
 BhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNV
 BAoMCFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cu
 d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CAWQw
-CQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAPVnqKi7Oxm3rUggBXLzLD+Fq
-JiIlrYwPNMBlI+BrND1tjRvf4VeEkl32zScYSZxYmtislv1E+rnZd9J6Ivdtnj2G
-l5WvDMgO33jfPC99P4Xg5AOytjLtfVN6Px+EbDsoYYB+W1DIWagPsxImav0Sj/rV
-EgJDhcL0zAINT//MVg+n8n9k6HeN+yFCbCAqmdqlcgwaDergkT1avE6Wt31QDs4c
-+X0fmjklMyjlRY8nAmiXjfXwPyGD/7cpCU9GnI2rSUNFj0o7G66x05rYRxybZzrk
-WhgpVY3u/e2I5/Q4bPE2EtnQ7ktLF990GOqWZB2EOu04ep+VO8Jbk4BB4cVOGQ==
+CQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAruN1QZCdC4q/FdU83Qgxp7WS
+4j5Tc6cgJ0prKu+ZqBVCyXlLt7s6up3ws883NGRjfArxkQQwa8pmOdOgJiM0KFup
+V5EM+s+EQnkoIyG6/wRMxAYfnqUdN+lcanWEt/nTJICRlavfGsx8p32slfwCd7KO
+4nfaljBIhEQqsK9bnX1niqUTPUzt38sqa4oarRjwH1CeTcMxWDHymwXAfqNqgChc
+Inj9MmZqnDH80ttCQ+i4NUE2AI0mS+kCwy1ywE+PSs9dfFyuFgsMN6k02BmRzTqv
+Va68ayqF7/APjTCzkNdWOUfWWj3j89G5dXSLJ0/Htq//5GuvXLbEbxmJREH2QQ==
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainC-ICA1-pathlen1/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainC-ICA1-pathlen1, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:bb:1a:6c:c1:bd:bb:9b:29:ca:35:3d:63:a3:29:
                     cd:a6:65:c4:9e:a3:c5:50:99:ad:51:90:0a:9a:9b:
@@ -123,34 +123,34 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE, pathlen:1
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         b2:28:df:aa:26:d1:ba:a6:18:a9:c3:36:29:c1:11:4f:40:e0:
-         dc:5b:cd:18:3d:f4:b8:b2:79:c7:03:93:71:91:fb:0b:cd:d9:
-         07:21:76:f2:48:29:28:c8:18:88:df:79:26:04:69:5e:ba:e8:
-         d6:b9:4e:38:b2:9b:e9:bf:50:91:f6:cb:6f:e0:a6:36:dc:2a:
-         27:6b:ca:62:3f:03:e7:cf:24:98:97:a9:c3:7a:b1:79:b3:db:
-         2d:4e:38:3e:6d:d9:1d:66:cc:8e:d1:c9:9e:3e:92:8a:76:6d:
-         60:53:e6:c3:27:29:dd:f0:7b:17:a5:eb:66:83:40:6c:2f:8d:
-         95:d8:91:b6:08:27:1a:ef:96:10:0d:75:76:86:fa:4a:17:e4:
-         10:46:16:38:42:65:8c:5e:2c:4c:c0:3f:c7:9d:29:63:53:0b:
-         2e:86:44:4c:79:da:c7:2b:af:1a:92:69:43:cb:85:af:79:98:
-         fc:01:88:b0:5a:f9:3a:de:f0:bb:7e:fa:37:95:9b:04:5b:eb:
-         40:9d:ee:2d:cd:50:48:17:19:28:12:66:c7:d7:77:fa:ba:4c:
-         c7:d1:f0:d9:2e:f4:63:40:14:87:48:03:32:99:13:ea:d7:7b:
-         4b:c9:ef:16:ca:14:14:79:ed:fe:d7:f5:6f:4c:db:4c:95:a6:
-         36:3d:02:0f
+         11:c4:12:09:e2:a7:bd:3e:94:bf:60:69:43:07:e9:0e:a5:48:
+         57:63:ba:aa:62:fb:1b:cb:b3:61:69:45:34:f1:60:b0:7b:4f:
+         69:b9:f4:e4:99:99:48:a8:4a:5c:84:21:6f:cc:49:4e:0c:2b:
+         52:dc:01:bd:fe:d3:ee:66:b4:d4:3e:2b:d5:56:42:58:b2:06:
+         34:24:74:ad:0d:50:3c:d8:fd:89:20:58:ff:f5:58:b0:3b:cc:
+         47:2b:1d:82:2c:81:1a:a2:ad:26:be:ae:c2:fb:04:f4:c1:08:
+         6a:e2:c3:97:17:23:a6:d3:18:69:cf:7f:b6:b1:39:ba:06:de:
+         20:1a:ed:e3:3b:11:11:11:f6:f3:da:f0:4f:29:36:fa:d2:71:
+         1b:b5:7a:3e:fa:d4:0e:5f:54:cc:f1:1b:95:b2:a6:06:85:61:
+         e6:06:dc:02:8a:d1:ad:11:fe:85:8e:04:ac:dd:f1:24:90:72:
+         5a:45:d5:6c:69:ef:c0:4f:d6:2f:46:bd:45:bb:51:f9:9d:d2:
+         fb:c0:53:8e:62:4e:64:17:14:e6:9a:18:6d:a9:33:94:af:2a:
+         21:e0:95:84:2d:73:3a:15:87:2f:c8:8c:25:5d:e6:ca:1a:0b:
+         e2:1f:d8:b0:29:c1:86:d0:72:27:26:40:19:ea:8e:ec:7a:c4:
+         83:e8:66:6d
 -----BEGIN CERTIFICATE-----
-MIIEwTCCA6mgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEzDCCA7SgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoMDHdvbGZTU0wg
 SW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNoYWluQy1JQ0Ex
 LXBhdGhsZW4xMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN
@@ -160,16 +160,16 @@ T/w3Jk5UedcXOVB5bqMpmQetnVzY4QLnM37k2qQFvGID059qkZJm3SnQlfsvP/BZ
 uHBbJVR7oAqfMwlk7fvUHC2WVEXjUJj/sX+axs8Jo9rpV60dBY8edXXn0gcz3tp9
 QtgOlP6ux5vDtZ7zayGfdMSzMnwoTg+8FTO6nAk8wUAGeLuxID9hFfYeSXNRiZUt
 lb801sKp0TQdjSFtT6Nu7/wjonb80CVTDkN2O+2C7NgjyzPvPJ2h3uZ6rQIDAQAB
-o4IBDTCCAQkwHQYDVR0OBBYEFJQdLgc3xi9Swex5axPOCZBf9MRRMIHJBgNVHSME
-gcEwgb6AFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
+o4IBGDCCARQwHQYDVR0OBBYEFJQdLgc3xi9Swex5axPOCZBf9MRRMIHUBgNVHSME
+gcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
 UzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwI
 U2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xm
-c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIJAKrTP6wY
-CjdNMA8GA1UdEwQIMAYBAf8CAQEwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUA
-A4IBAQCyKN+qJtG6phipwzYpwRFPQODcW80YPfS4snnHA5NxkfsLzdkHIXbySCko
-yBiI33kmBGleuujWuU44spvpv1CR9stv4KY23Cona8piPwPnzySYl6nDerF5s9st
-Tjg+bdkdZsyO0cmePpKKdm1gU+bDJynd8HsXpetmg0BsL42V2JG2CCca75YQDXV2
-hvpKF+QQRhY4QmWMXixMwD/HnSljUwsuhkRMedrHK68akmlDy4WveZj8AYiwWvk6
-3vC7fvo3lZsEW+tAne4tzVBIFxkoEmbH13f6ukzH0fDZLvRjQBSHSAMymRPq13tL
-ye8WyhQUee3+1/VvTNtMlaY2PQIP
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUfZRwiLoH
+Qo2qr0++whpI8NFA5kIwDwYDVR0TBAgwBgEB/wIBATALBgNVHQ8EBAMCAQYwDQYJ
+KoZIhvcNAQELBQADggEBABHEEgnip70+lL9gaUMH6Q6lSFdjuqpi+xvLs2FpRTTx
+YLB7T2m59OSZmUioSlyEIW/MSU4MK1LcAb3+0+5mtNQ+K9VWQliyBjQkdK0NUDzY
+/YkgWP/1WLA7zEcrHYIsgRqirSa+rsL7BPTBCGriw5cXI6bTGGnPf7axOboG3iAa
+7eM7ERER9vPa8E8pNvrScRu1ej761A5fVMzxG5WypgaFYeYG3AKK0a0R/oWOBKzd
+8SSQclpF1Wxp78BP1i9GvUW7Ufmd0vvAU45iTmQXFOaaGG2pM5SvKiHglYQtczoV
+hy/IjCVd5soaC+If2LApwYbQcicmQBnqjux6xIPoZm0=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainC-entity.pem b/certs/test-pathlen/chainC-entity.pem
index bb74064ea..42fc36f2d 100644
--- a/certs/test-pathlen/chainC-entity.pem
+++ b/certs/test-pathlen/chainC-entity.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 101 (0x65)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainC-ICA1-pathlen1/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainC-ICA1-pathlen1, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainC-entity/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainC-entity, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:bf:34:e1:1c:2c:2d:a4:93:b5:c4:fc:65:40:fa:
                     94:68:74:24:ff:52:a4:df:3e:f1:7c:92:14:f0:f0:
@@ -42,27 +42,27 @@ Certificate:
             X509v3 Basic Constraints: 
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         3d:59:ea:2a:2e:ce:c6:6d:eb:52:08:01:5c:bc:cb:0f:e1:6a:
-         26:22:25:ad:8c:0f:34:c0:65:23:e0:6b:34:3d:6d:8d:1b:df:
-         e1:57:84:92:5d:f6:cd:27:18:49:9c:58:9a:d8:ac:96:fd:44:
-         fa:b9:d9:77:d2:7a:22:f7:6d:9e:3d:86:97:95:af:0c:c8:0e:
-         df:78:df:3c:2f:7d:3f:85:e0:e4:03:b2:b6:32:ed:7d:53:7a:
-         3f:1f:84:6c:3b:28:61:80:7e:5b:50:c8:59:a8:0f:b3:12:26:
-         6a:fd:12:8f:fa:d5:12:02:43:85:c2:f4:cc:02:0d:4f:ff:cc:
-         56:0f:a7:f2:7f:64:e8:77:8d:fb:21:42:6c:20:2a:99:da:a5:
-         72:0c:1a:0d:ea:e0:91:3d:5a:bc:4e:96:b7:7d:50:0e:ce:1c:
-         f9:7d:1f:9a:39:25:33:28:e5:45:8f:27:02:68:97:8d:f5:f0:
-         3f:21:83:ff:b7:29:09:4f:46:9c:8d:ab:49:43:45:8f:4a:3b:
-         1b:ae:b1:d3:9a:d8:47:1c:9b:67:3a:e4:5a:18:29:55:8d:ee:
-         fd:ed:88:e7:f4:38:6c:f1:36:12:d9:d0:ee:4b:4b:17:df:74:
-         18:ea:96:64:1d:84:3a:ed:38:7a:9f:95:3b:c2:5b:93:80:41:
-         e1:c5:4e:19
+         ae:e3:75:41:90:9d:0b:8a:bf:15:d5:3c:dd:08:31:a7:b5:92:
+         e2:3e:53:73:a7:20:27:4a:6b:2a:ef:99:a8:15:42:c9:79:4b:
+         b7:bb:3a:ba:9d:f0:b3:cf:37:34:64:63:7c:0a:f1:91:04:30:
+         6b:ca:66:39:d3:a0:26:23:34:28:5b:a9:57:91:0c:fa:cf:84:
+         42:79:28:23:21:ba:ff:04:4c:c4:06:1f:9e:a5:1d:37:e9:5c:
+         6a:75:84:b7:f9:d3:24:80:91:95:ab:df:1a:cc:7c:a7:7d:ac:
+         95:fc:02:77:b2:8e:e2:77:da:96:30:48:84:44:2a:b0:af:5b:
+         9d:7d:67:8a:a5:13:3d:4c:ed:df:cb:2a:6b:8a:1a:ad:18:f0:
+         1f:50:9e:4d:c3:31:58:31:f2:9b:05:c0:7e:a3:6a:80:28:5c:
+         22:78:fd:32:66:6a:9c:31:fc:d2:db:42:43:e8:b8:35:41:36:
+         00:8d:26:4b:e9:02:c3:2d:72:c0:4f:8f:4a:cf:5d:7c:5c:ae:
+         16:0b:0c:37:a9:34:d8:19:91:cd:3a:af:55:ae:bc:6b:2a:85:
+         ef:f0:0f:8d:30:b3:90:d7:56:39:47:d6:5a:3d:e3:f3:d1:b9:
+         75:74:8b:27:4f:c7:b6:af:ff:e4:6b:af:5c:b6:c4:6f:19:89:
+         44:41:f6:41
 -----BEGIN CERTIFICATE-----
 MIIEqjCCA5KgAwIBAgIBZTANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluQy1JQ0ExLXBhdGhsZW4xMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgZoxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgZoxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRYwFAYDVQQD
 DA1jaGFpbkMtZW50aXR5MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
@@ -77,10 +77,10 @@ VR0jBIG5MIG2gBSUHS4HN8YvUsHseWsTzgmQX/TEUaGBmqSBlzCBlDELMAkGA1UE
 BhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNV
 BAoMCFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cu
 d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CAWQw
-CQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAPVnqKi7Oxm3rUggBXLzLD+Fq
-JiIlrYwPNMBlI+BrND1tjRvf4VeEkl32zScYSZxYmtislv1E+rnZd9J6Ivdtnj2G
-l5WvDMgO33jfPC99P4Xg5AOytjLtfVN6Px+EbDsoYYB+W1DIWagPsxImav0Sj/rV
-EgJDhcL0zAINT//MVg+n8n9k6HeN+yFCbCAqmdqlcgwaDergkT1avE6Wt31QDs4c
-+X0fmjklMyjlRY8nAmiXjfXwPyGD/7cpCU9GnI2rSUNFj0o7G66x05rYRxybZzrk
-WhgpVY3u/e2I5/Q4bPE2EtnQ7ktLF990GOqWZB2EOu04ep+VO8Jbk4BB4cVOGQ==
+CQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAruN1QZCdC4q/FdU83Qgxp7WS
+4j5Tc6cgJ0prKu+ZqBVCyXlLt7s6up3ws883NGRjfArxkQQwa8pmOdOgJiM0KFup
+V5EM+s+EQnkoIyG6/wRMxAYfnqUdN+lcanWEt/nTJICRlavfGsx8p32slfwCd7KO
+4nfaljBIhEQqsK9bnX1niqUTPUzt38sqa4oarRjwH1CeTcMxWDHymwXAfqNqgChc
+Inj9MmZqnDH80ttCQ+i4NUE2AI0mS+kCwy1ywE+PSs9dfFyuFgsMN6k02BmRzTqv
+Va68ayqF7/APjTCzkNdWOUfWWj3j89G5dXSLJ0/Htq//5GuvXLbEbxmJREH2QQ==
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainD-ICA1-pathlen127.pem b/certs/test-pathlen/chainD-ICA1-pathlen127.pem
index b55b0cdbc..87677632f 100644
--- a/certs/test-pathlen/chainD-ICA1-pathlen127.pem
+++ b/certs/test-pathlen/chainD-ICA1-pathlen127.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainD-ICA1-pathlen127/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainD-ICA1-pathlen127, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d7:81:78:a9:19:99:12:d1:cf:3d:51:54:1d:d3:
                     14:94:ed:3e:de:ff:e0:23:e4:f7:23:fc:5c:49:24:
@@ -37,34 +37,34 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE, pathlen:127
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         33:03:d0:c5:e2:4c:91:4f:7d:1a:1b:2d:31:a5:48:bf:bc:86:
-         6c:f5:0c:28:2f:61:12:80:c8:7e:45:d6:f9:86:7f:c4:e5:f6:
-         3f:04:79:e5:33:5d:48:15:94:c6:1e:2e:75:7d:45:2f:33:75:
-         54:d1:29:cf:88:6a:37:91:aa:29:41:69:46:ab:ba:e6:6f:81:
-         5c:cf:44:59:50:4f:f0:49:d4:8f:b9:a4:9c:8c:7b:49:9f:43:
-         c9:96:02:fb:c8:1d:f3:13:96:12:b5:e9:17:8f:f4:43:c2:f9:
-         25:4c:59:53:12:cc:f0:f5:55:48:99:e9:cc:80:1b:54:e6:ad:
-         db:fb:60:48:08:8a:79:02:db:d2:33:bd:a7:f3:27:83:75:d5:
-         6e:31:d4:a8:67:67:08:30:b8:2f:a1:61:0e:2f:5a:77:bf:2b:
-         d1:94:9b:9f:f8:af:fb:54:eb:ab:6f:bc:9c:74:5b:e2:c4:ce:
-         2b:98:ea:83:3c:75:b4:ce:5a:96:0a:ee:2b:f8:72:d9:04:30:
-         95:fe:3d:5d:1b:5f:6f:40:12:de:d2:c2:1b:0e:9c:29:fe:13:
-         53:ae:49:25:1c:6d:db:4c:e3:74:0d:f7:6d:7d:0a:a1:80:83:
-         a5:e9:cc:cb:d4:22:32:03:74:48:b1:5c:b0:aa:07:f3:63:3d:
-         97:34:b3:17
+         92:5a:c3:d5:88:88:3f:0d:b5:b6:87:4a:6d:0d:4d:f0:34:ea:
+         0c:b9:73:30:b3:5e:83:3e:6c:16:63:13:dc:d1:d4:6a:c3:86:
+         42:93:5c:85:55:41:5b:5d:42:8c:65:f4:bf:63:6b:7e:2f:f8:
+         66:5e:a3:1b:6c:0c:29:47:f7:fb:d9:74:8c:62:de:7d:13:26:
+         81:0a:ea:03:d9:e0:25:6e:40:6d:5e:a1:12:ef:8e:97:f0:97:
+         64:2f:84:3d:24:27:bb:25:89:94:51:d8:c6:d4:e3:15:83:5b:
+         be:4a:a9:61:1a:d1:2f:79:f5:25:3a:a2:e2:d0:92:bf:6f:05:
+         09:1d:d5:a8:a8:51:19:70:c4:08:d3:6a:72:08:75:1f:e2:08:
+         1e:40:93:93:8c:54:22:ec:a1:2d:37:b3:ab:07:13:88:2b:bf:
+         94:be:66:03:ba:e6:2a:69:5d:18:86:c4:4e:06:b5:7a:23:8e:
+         82:b8:45:fa:2f:91:b4:04:b5:b8:ef:ad:95:da:9b:70:fe:b5:
+         61:cf:9e:ee:51:84:41:35:8a:ef:65:23:a3:8c:30:7f:37:a8:
+         0b:5d:94:43:35:0a:2e:1e:19:4e:00:ee:d4:a0:57:ad:5c:25:
+         9c:fe:57:75:0e:6b:42:fa:73:5f:92:f0:25:7d:63:cc:1c:59:
+         02:96:ba:dd
 -----BEGIN CERTIFICATE-----
-MIIEwzCCA6ugAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEzjCCA7agAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBozELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBozELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoMDHdvbGZTU0wg
 SW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNoYWluRC1JQ0Ex
 LXBhdGhsZW4xMjcxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEi
@@ -74,16 +74,16 @@ sr1DzFh/HdtLl6WDXIdem3OHyB0rR5JV5Nu+UdXrdsKqWXJ79icvvsDb3Dzy4hnJ
 sDC7LqKVSAa9jp29jGtexppzS2ywIJZHRNMJa2or+oZfHQunYiJy1VYcqpeMzlej
 D+a8zWNUVWCHUOv6jOkVcLNcTQ4nYP0HbozsP6AlxQFZo/wtgEuETBC1yKdrseXF
 wZqw1kswIbpCZeA/Wc9/SUs7z2IG9ImuW4FdFWP7fCmmtc/ztbVmBk+j2mc5AgMB
-AAGjggENMIIBCTAdBgNVHQ4EFgQUZ3j5rRxTQR9GvUmbcy583FwtC/swgckGA1Ud
-IwSBwTCBvoAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYT
+AAGjggEYMIIBFDAdBgNVHQ4EFgQUZ3j5rRxTQR9GvUmbcy583FwtC/swgdQGA1Ud
+IwSBzDCByYAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYT
 AlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQK
 DAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3Lndv
-bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggkAqtM/
-rBgKN00wDwYDVR0TBAgwBgEB/wIBfzALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEL
-BQADggEBADMD0MXiTJFPfRobLTGlSL+8hmz1DCgvYRKAyH5F1vmGf8Tl9j8EeeUz
-XUgVlMYeLnV9RS8zdVTRKc+IajeRqilBaUaruuZvgVzPRFlQT/BJ1I+5pJyMe0mf
-Q8mWAvvIHfMTlhK16ReP9EPC+SVMWVMSzPD1VUiZ6cyAG1Tmrdv7YEgIinkC29Iz
-vafzJ4N11W4x1KhnZwgwuC+hYQ4vWne/K9GUm5/4r/tU66tvvJx0W+LEziuY6oM8
-dbTOWpYK7iv4ctkEMJX+PV0bX29AEt7SwhsOnCn+E1OuSSUcbdtM43QN9219CqGA
-g6XpzMvUIjIDdEixXLCqB/NjPZc0sxc=
+bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tghR9lHCI
+ugdCjaqvT77CGkjw0UDmQjAPBgNVHRMECDAGAQH/AgF/MAsGA1UdDwQEAwIBBjAN
+BgkqhkiG9w0BAQsFAAOCAQEAklrD1YiIPw21todKbQ1N8DTqDLlzMLNegz5sFmMT
+3NHUasOGQpNchVVBW11CjGX0v2Nrfi/4Zl6jG2wMKUf3+9l0jGLefRMmgQrqA9ng
+JW5AbV6hEu+Ol/CXZC+EPSQnuyWJlFHYxtTjFYNbvkqpYRrRL3n1JTqi4tCSv28F
+CR3VqKhRGXDECNNqcgh1H+IIHkCTk4xUIuyhLTezqwcTiCu/lL5mA7rmKmldGIbE
+Tga1eiOOgrhF+i+RtAS1uO+tldqbcP61Yc+e7lGEQTWK72Ujo4wwfzeoC12UQzUK
+Lh4ZTgDu1KBXrVwlnP5XdQ5rQvpzX5LwJX1jzBxZApa63Q==
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainD-assembled.pem b/certs/test-pathlen/chainD-assembled.pem
index 72fb7c792..a797f2d84 100644
--- a/certs/test-pathlen/chainD-assembled.pem
+++ b/certs/test-pathlen/chainD-assembled.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 101 (0x65)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainD-ICA1-pathlen127/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainD-ICA1-pathlen127, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainD-entity/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainD-entity, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:e2:5d:f4:bd:06:b6:a1:21:3a:2d:7f:cc:f2:5a:
                     15:36:28:0a:f2:bb:16:b5:ec:f9:e7:5b:92:ec:17:
@@ -42,27 +42,27 @@ Certificate:
             X509v3 Basic Constraints: 
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         5e:12:77:cf:93:0c:dd:b4:11:e3:d6:70:70:af:d7:50:01:ea:
-         9f:39:4c:7c:06:67:44:dd:1a:25:ee:46:ff:21:8e:7d:3c:24:
-         52:42:91:57:eb:5b:63:26:85:30:67:18:22:42:19:cc:e0:1c:
-         f1:71:22:da:2f:b4:5e:6f:ed:e1:30:5c:db:e9:07:a7:d6:36:
-         94:52:ce:e5:05:a3:9e:d4:b2:2b:be:d3:fc:56:e3:7c:d2:06:
-         61:0a:61:91:59:44:24:85:e8:3d:0d:e1:09:7e:4f:91:87:2c:
-         26:85:2e:5d:c3:b1:53:96:91:40:64:16:82:7e:b8:4f:c1:60:
-         0d:86:5d:99:eb:49:be:9d:63:16:ff:3e:08:4e:fa:c6:18:8f:
-         0b:79:92:24:89:bb:74:23:65:53:64:da:d6:d9:f7:06:7b:8d:
-         d7:50:ba:16:03:04:b2:eb:6e:7b:18:c6:00:7a:38:b4:bf:77:
-         c8:27:bc:c9:ab:a4:9c:96:df:f8:90:4f:7f:cd:06:5b:97:41:
-         48:cd:9f:66:05:a5:3e:56:44:6d:e1:89:0d:d3:e4:31:22:35:
-         2c:7b:8a:ca:49:22:c2:bc:68:43:fc:db:31:fe:cd:cf:be:8c:
-         fa:cc:12:59:82:94:9d:96:7a:fb:e9:55:1b:e5:c4:3d:86:43:
-         82:10:2c:ba
+         2d:bb:9e:a1:9a:9a:f9:33:11:a7:2e:07:e1:b1:68:a0:7e:ac:
+         38:a5:d3:1a:03:61:36:67:88:66:81:5d:6a:72:52:26:7a:0c:
+         79:48:53:f1:78:59:6f:d8:53:5e:cd:3b:14:d2:86:18:2e:41:
+         56:b7:5e:3b:3f:6a:e1:e1:15:d8:de:e4:eb:5b:54:79:a6:47:
+         f0:c8:3f:b6:30:a4:ee:83:39:20:bc:7c:a0:af:06:95:a2:03:
+         cb:63:f3:3d:1f:43:b0:8d:64:75:17:d2:a7:0d:be:4e:5e:35:
+         59:a0:9e:64:88:92:21:eb:4c:62:ea:49:9c:a6:9d:30:4e:9d:
+         55:5a:4f:d2:e0:79:3c:57:80:41:66:d6:b8:58:72:03:65:4b:
+         f7:f8:3e:45:d0:e4:b6:40:33:66:b2:2b:54:87:33:dc:6f:43:
+         80:cb:b9:0c:7f:8d:26:92:6b:86:18:d2:14:20:61:a4:a8:05:
+         bc:73:7f:e2:1d:54:b8:54:c9:67:7f:7d:26:5f:4d:3c:bb:d3:
+         58:f4:60:5b:ef:c8:6f:ad:57:d2:a1:64:01:80:b8:3e:90:0a:
+         1d:4f:33:aa:33:3a:8d:9b:8a:62:91:98:e4:c9:88:0a:ff:e4:
+         69:fa:62:ae:f8:ec:c7:de:53:59:c9:25:e2:69:82:3b:0e:6e:
+         1c:12:15:a3
 -----BEGIN CERTIFICATE-----
 MIIErDCCA5SgAwIBAgIBZTANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNo
 YWluRC1JQ0ExLXBhdGhsZW4xMjcxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
-bC5jb20wHhcNMjEwMjEwMTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBmjELMAkGA1UE
+bC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBmjELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxFjAUBgNV
 BAMMDWNoYWluRC1lbnRpdHkxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
@@ -77,26 +77,26 @@ BgNVHSMEgbkwgbaAFGd4+a0cU0EfRr1Jm3MufNxcLQv7oYGapIGXMIGUMQswCQYD
 VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G
 A1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3
 dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIB
-ZDAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBeEnfPkwzdtBHj1nBwr9dQ
-AeqfOUx8BmdE3Rol7kb/IY59PCRSQpFX61tjJoUwZxgiQhnM4BzxcSLaL7Reb+3h
-MFzb6Qen1jaUUs7lBaOe1LIrvtP8VuN80gZhCmGRWUQkheg9DeEJfk+RhywmhS5d
-w7FTlpFAZBaCfrhPwWANhl2Z60m+nWMW/z4ITvrGGI8LeZIkibt0I2VTZNrW2fcG
-e43XULoWAwSy6257GMYAeji0v3fIJ7zJq6Sclt/4kE9/zQZbl0FIzZ9mBaU+VkRt
-4YkN0+QxIjUse4rKSSLCvGhD/Nsx/s3Pvoz6zBJZgpSdlnr76VUb5cQ9hkOCECy6
+ZDAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAtu56hmpr5MxGnLgfhsWig
+fqw4pdMaA2E2Z4hmgV1qclImegx5SFPxeFlv2FNezTsU0oYYLkFWt147P2rh4RXY
+3uTrW1R5pkfwyD+2MKTugzkgvHygrwaVogPLY/M9H0OwjWR1F9KnDb5OXjVZoJ5k
+iJIh60xi6kmcpp0wTp1VWk/S4Hk8V4BBZta4WHIDZUv3+D5F0OS2QDNmsitUhzPc
+b0OAy7kMf40mkmuGGNIUIGGkqAW8c3/iHVS4VMlnf30mX008u9NY9GBb78hvrVfS
+oWQBgLg+kAodTzOqMzqNm4pikZjkyYgK/+Rp+mKu+OzH3lNZySXiaYI7Dm4cEhWj
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainD-ICA1-pathlen127/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainD-ICA1-pathlen127, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d7:81:78:a9:19:99:12:d1:cf:3d:51:54:1d:d3:
                     14:94:ed:3e:de:ff:e0:23:e4:f7:23:fc:5c:49:24:
@@ -123,34 +123,34 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE, pathlen:127
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         33:03:d0:c5:e2:4c:91:4f:7d:1a:1b:2d:31:a5:48:bf:bc:86:
-         6c:f5:0c:28:2f:61:12:80:c8:7e:45:d6:f9:86:7f:c4:e5:f6:
-         3f:04:79:e5:33:5d:48:15:94:c6:1e:2e:75:7d:45:2f:33:75:
-         54:d1:29:cf:88:6a:37:91:aa:29:41:69:46:ab:ba:e6:6f:81:
-         5c:cf:44:59:50:4f:f0:49:d4:8f:b9:a4:9c:8c:7b:49:9f:43:
-         c9:96:02:fb:c8:1d:f3:13:96:12:b5:e9:17:8f:f4:43:c2:f9:
-         25:4c:59:53:12:cc:f0:f5:55:48:99:e9:cc:80:1b:54:e6:ad:
-         db:fb:60:48:08:8a:79:02:db:d2:33:bd:a7:f3:27:83:75:d5:
-         6e:31:d4:a8:67:67:08:30:b8:2f:a1:61:0e:2f:5a:77:bf:2b:
-         d1:94:9b:9f:f8:af:fb:54:eb:ab:6f:bc:9c:74:5b:e2:c4:ce:
-         2b:98:ea:83:3c:75:b4:ce:5a:96:0a:ee:2b:f8:72:d9:04:30:
-         95:fe:3d:5d:1b:5f:6f:40:12:de:d2:c2:1b:0e:9c:29:fe:13:
-         53:ae:49:25:1c:6d:db:4c:e3:74:0d:f7:6d:7d:0a:a1:80:83:
-         a5:e9:cc:cb:d4:22:32:03:74:48:b1:5c:b0:aa:07:f3:63:3d:
-         97:34:b3:17
+         92:5a:c3:d5:88:88:3f:0d:b5:b6:87:4a:6d:0d:4d:f0:34:ea:
+         0c:b9:73:30:b3:5e:83:3e:6c:16:63:13:dc:d1:d4:6a:c3:86:
+         42:93:5c:85:55:41:5b:5d:42:8c:65:f4:bf:63:6b:7e:2f:f8:
+         66:5e:a3:1b:6c:0c:29:47:f7:fb:d9:74:8c:62:de:7d:13:26:
+         81:0a:ea:03:d9:e0:25:6e:40:6d:5e:a1:12:ef:8e:97:f0:97:
+         64:2f:84:3d:24:27:bb:25:89:94:51:d8:c6:d4:e3:15:83:5b:
+         be:4a:a9:61:1a:d1:2f:79:f5:25:3a:a2:e2:d0:92:bf:6f:05:
+         09:1d:d5:a8:a8:51:19:70:c4:08:d3:6a:72:08:75:1f:e2:08:
+         1e:40:93:93:8c:54:22:ec:a1:2d:37:b3:ab:07:13:88:2b:bf:
+         94:be:66:03:ba:e6:2a:69:5d:18:86:c4:4e:06:b5:7a:23:8e:
+         82:b8:45:fa:2f:91:b4:04:b5:b8:ef:ad:95:da:9b:70:fe:b5:
+         61:cf:9e:ee:51:84:41:35:8a:ef:65:23:a3:8c:30:7f:37:a8:
+         0b:5d:94:43:35:0a:2e:1e:19:4e:00:ee:d4:a0:57:ad:5c:25:
+         9c:fe:57:75:0e:6b:42:fa:73:5f:92:f0:25:7d:63:cc:1c:59:
+         02:96:ba:dd
 -----BEGIN CERTIFICATE-----
-MIIEwzCCA6ugAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEzjCCA7agAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBozELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBozELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoMDHdvbGZTU0wg
 SW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNoYWluRC1JQ0Ex
 LXBhdGhsZW4xMjcxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEi
@@ -160,16 +160,16 @@ sr1DzFh/HdtLl6WDXIdem3OHyB0rR5JV5Nu+UdXrdsKqWXJ79icvvsDb3Dzy4hnJ
 sDC7LqKVSAa9jp29jGtexppzS2ywIJZHRNMJa2or+oZfHQunYiJy1VYcqpeMzlej
 D+a8zWNUVWCHUOv6jOkVcLNcTQ4nYP0HbozsP6AlxQFZo/wtgEuETBC1yKdrseXF
 wZqw1kswIbpCZeA/Wc9/SUs7z2IG9ImuW4FdFWP7fCmmtc/ztbVmBk+j2mc5AgMB
-AAGjggENMIIBCTAdBgNVHQ4EFgQUZ3j5rRxTQR9GvUmbcy583FwtC/swgckGA1Ud
-IwSBwTCBvoAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYT
+AAGjggEYMIIBFDAdBgNVHQ4EFgQUZ3j5rRxTQR9GvUmbcy583FwtC/swgdQGA1Ud
+IwSBzDCByYAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYT
 AlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQK
 DAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3Lndv
-bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggkAqtM/
-rBgKN00wDwYDVR0TBAgwBgEB/wIBfzALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEL
-BQADggEBADMD0MXiTJFPfRobLTGlSL+8hmz1DCgvYRKAyH5F1vmGf8Tl9j8EeeUz
-XUgVlMYeLnV9RS8zdVTRKc+IajeRqilBaUaruuZvgVzPRFlQT/BJ1I+5pJyMe0mf
-Q8mWAvvIHfMTlhK16ReP9EPC+SVMWVMSzPD1VUiZ6cyAG1Tmrdv7YEgIinkC29Iz
-vafzJ4N11W4x1KhnZwgwuC+hYQ4vWne/K9GUm5/4r/tU66tvvJx0W+LEziuY6oM8
-dbTOWpYK7iv4ctkEMJX+PV0bX29AEt7SwhsOnCn+E1OuSSUcbdtM43QN9219CqGA
-g6XpzMvUIjIDdEixXLCqB/NjPZc0sxc=
+bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tghR9lHCI
+ugdCjaqvT77CGkjw0UDmQjAPBgNVHRMECDAGAQH/AgF/MAsGA1UdDwQEAwIBBjAN
+BgkqhkiG9w0BAQsFAAOCAQEAklrD1YiIPw21todKbQ1N8DTqDLlzMLNegz5sFmMT
+3NHUasOGQpNchVVBW11CjGX0v2Nrfi/4Zl6jG2wMKUf3+9l0jGLefRMmgQrqA9ng
+JW5AbV6hEu+Ol/CXZC+EPSQnuyWJlFHYxtTjFYNbvkqpYRrRL3n1JTqi4tCSv28F
+CR3VqKhRGXDECNNqcgh1H+IIHkCTk4xUIuyhLTezqwcTiCu/lL5mA7rmKmldGIbE
+Tga1eiOOgrhF+i+RtAS1uO+tldqbcP61Yc+e7lGEQTWK72Ujo4wwfzeoC12UQzUK
+Lh4ZTgDu1KBXrVwlnP5XdQ5rQvpzX5LwJX1jzBxZApa63Q==
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainD-entity.pem b/certs/test-pathlen/chainD-entity.pem
index 97f04041b..9f2ae0678 100644
--- a/certs/test-pathlen/chainD-entity.pem
+++ b/certs/test-pathlen/chainD-entity.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 101 (0x65)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainD-ICA1-pathlen127/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainD-ICA1-pathlen127, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainD-entity/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainD-entity, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:e2:5d:f4:bd:06:b6:a1:21:3a:2d:7f:cc:f2:5a:
                     15:36:28:0a:f2:bb:16:b5:ec:f9:e7:5b:92:ec:17:
@@ -42,27 +42,27 @@ Certificate:
             X509v3 Basic Constraints: 
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         5e:12:77:cf:93:0c:dd:b4:11:e3:d6:70:70:af:d7:50:01:ea:
-         9f:39:4c:7c:06:67:44:dd:1a:25:ee:46:ff:21:8e:7d:3c:24:
-         52:42:91:57:eb:5b:63:26:85:30:67:18:22:42:19:cc:e0:1c:
-         f1:71:22:da:2f:b4:5e:6f:ed:e1:30:5c:db:e9:07:a7:d6:36:
-         94:52:ce:e5:05:a3:9e:d4:b2:2b:be:d3:fc:56:e3:7c:d2:06:
-         61:0a:61:91:59:44:24:85:e8:3d:0d:e1:09:7e:4f:91:87:2c:
-         26:85:2e:5d:c3:b1:53:96:91:40:64:16:82:7e:b8:4f:c1:60:
-         0d:86:5d:99:eb:49:be:9d:63:16:ff:3e:08:4e:fa:c6:18:8f:
-         0b:79:92:24:89:bb:74:23:65:53:64:da:d6:d9:f7:06:7b:8d:
-         d7:50:ba:16:03:04:b2:eb:6e:7b:18:c6:00:7a:38:b4:bf:77:
-         c8:27:bc:c9:ab:a4:9c:96:df:f8:90:4f:7f:cd:06:5b:97:41:
-         48:cd:9f:66:05:a5:3e:56:44:6d:e1:89:0d:d3:e4:31:22:35:
-         2c:7b:8a:ca:49:22:c2:bc:68:43:fc:db:31:fe:cd:cf:be:8c:
-         fa:cc:12:59:82:94:9d:96:7a:fb:e9:55:1b:e5:c4:3d:86:43:
-         82:10:2c:ba
+         2d:bb:9e:a1:9a:9a:f9:33:11:a7:2e:07:e1:b1:68:a0:7e:ac:
+         38:a5:d3:1a:03:61:36:67:88:66:81:5d:6a:72:52:26:7a:0c:
+         79:48:53:f1:78:59:6f:d8:53:5e:cd:3b:14:d2:86:18:2e:41:
+         56:b7:5e:3b:3f:6a:e1:e1:15:d8:de:e4:eb:5b:54:79:a6:47:
+         f0:c8:3f:b6:30:a4:ee:83:39:20:bc:7c:a0:af:06:95:a2:03:
+         cb:63:f3:3d:1f:43:b0:8d:64:75:17:d2:a7:0d:be:4e:5e:35:
+         59:a0:9e:64:88:92:21:eb:4c:62:ea:49:9c:a6:9d:30:4e:9d:
+         55:5a:4f:d2:e0:79:3c:57:80:41:66:d6:b8:58:72:03:65:4b:
+         f7:f8:3e:45:d0:e4:b6:40:33:66:b2:2b:54:87:33:dc:6f:43:
+         80:cb:b9:0c:7f:8d:26:92:6b:86:18:d2:14:20:61:a4:a8:05:
+         bc:73:7f:e2:1d:54:b8:54:c9:67:7f:7d:26:5f:4d:3c:bb:d3:
+         58:f4:60:5b:ef:c8:6f:ad:57:d2:a1:64:01:80:b8:3e:90:0a:
+         1d:4f:33:aa:33:3a:8d:9b:8a:62:91:98:e4:c9:88:0a:ff:e4:
+         69:fa:62:ae:f8:ec:c7:de:53:59:c9:25:e2:69:82:3b:0e:6e:
+         1c:12:15:a3
 -----BEGIN CERTIFICATE-----
 MIIErDCCA5SgAwIBAgIBZTANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNo
 YWluRC1JQ0ExLXBhdGhsZW4xMjcxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
-bC5jb20wHhcNMjEwMjEwMTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBmjELMAkGA1UE
+bC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBmjELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxFjAUBgNV
 BAMMDWNoYWluRC1lbnRpdHkxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
@@ -77,10 +77,10 @@ BgNVHSMEgbkwgbaAFGd4+a0cU0EfRr1Jm3MufNxcLQv7oYGapIGXMIGUMQswCQYD
 VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G
 A1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3
 dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIB
-ZDAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBeEnfPkwzdtBHj1nBwr9dQ
-AeqfOUx8BmdE3Rol7kb/IY59PCRSQpFX61tjJoUwZxgiQhnM4BzxcSLaL7Reb+3h
-MFzb6Qen1jaUUs7lBaOe1LIrvtP8VuN80gZhCmGRWUQkheg9DeEJfk+RhywmhS5d
-w7FTlpFAZBaCfrhPwWANhl2Z60m+nWMW/z4ITvrGGI8LeZIkibt0I2VTZNrW2fcG
-e43XULoWAwSy6257GMYAeji0v3fIJ7zJq6Sclt/4kE9/zQZbl0FIzZ9mBaU+VkRt
-4YkN0+QxIjUse4rKSSLCvGhD/Nsx/s3Pvoz6zBJZgpSdlnr76VUb5cQ9hkOCECy6
+ZDAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAtu56hmpr5MxGnLgfhsWig
+fqw4pdMaA2E2Z4hmgV1qclImegx5SFPxeFlv2FNezTsU0oYYLkFWt147P2rh4RXY
+3uTrW1R5pkfwyD+2MKTugzkgvHygrwaVogPLY/M9H0OwjWR1F9KnDb5OXjVZoJ5k
+iJIh60xi6kmcpp0wTp1VWk/S4Hk8V4BBZta4WHIDZUv3+D5F0OS2QDNmsitUhzPc
+b0OAy7kMf40mkmuGGNIUIGGkqAW8c3/iHVS4VMlnf30mX008u9NY9GBb78hvrVfS
+oWQBgLg+kAodTzOqMzqNm4pikZjkyYgK/+Rp+mKu+OzH3lNZySXiaYI7Dm4cEhWj
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainE-ICA1-pathlen128.pem b/certs/test-pathlen/chainE-ICA1-pathlen128.pem
index cc7b89606..62567cac7 100644
--- a/certs/test-pathlen/chainE-ICA1-pathlen128.pem
+++ b/certs/test-pathlen/chainE-ICA1-pathlen128.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainE-ICA1-pathlen128/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainE-ICA1-pathlen128, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d6:f3:6f:b8:db:10:df:89:df:3b:d9:2e:7a:c1:
                     34:1a:56:97:6c:73:04:fc:15:50:04:93:66:cb:17:
@@ -37,34 +37,34 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE, pathlen:128
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         b7:fd:94:b5:b8:71:1f:16:21:7c:b0:82:d3:9f:b4:e3:00:97:
-         42:df:2a:fd:80:ea:2b:9c:30:7c:4c:fd:91:25:4a:e5:0e:fc:
-         4a:c9:dd:65:0e:8e:9c:bb:6c:c1:1d:78:9f:0d:af:8a:80:79:
-         29:64:3a:d8:76:a1:f2:6d:8a:ed:e8:d7:50:ab:6b:26:da:e1:
-         62:6f:67:17:85:70:0f:d0:16:57:19:71:90:8f:49:de:43:af:
-         aa:60:61:b5:46:62:0d:92:bb:56:d6:38:b9:1a:77:fc:02:73:
-         2f:75:2c:70:40:f0:82:ca:5b:80:aa:b5:72:c8:24:45:91:a2:
-         2d:50:f2:b2:2a:33:8d:8b:28:d7:f7:ad:cc:19:d8:e6:0d:81:
-         d6:ce:6e:74:70:49:6e:d6:b9:d8:86:c1:dc:d8:15:68:9c:7d:
-         6b:06:71:3f:64:da:34:9e:88:30:fb:ab:88:32:92:57:4c:17:
-         3c:07:46:f0:b3:a7:3f:d1:77:49:5a:6e:49:a9:39:93:c5:a8:
-         1e:5b:5c:99:24:96:fe:79:ac:46:f1:c0:60:eb:61:30:df:04:
-         a2:0e:7e:8d:39:15:20:b2:05:e5:3d:17:ab:65:dc:be:3c:68:
-         ef:a6:3b:c5:23:03:8a:12:2b:11:4d:03:28:87:f5:49:fe:72:
-         2d:41:bc:c3
+         39:35:81:fd:34:59:cf:56:ba:78:6f:a5:c1:8d:84:43:33:93:
+         e9:c0:49:db:51:b5:f6:e3:5a:c8:6e:20:51:cf:46:80:a4:c7:
+         47:0f:f2:e9:34:d4:9b:96:f9:2a:aa:e9:cf:e4:f6:b9:9b:a7:
+         bb:ec:45:3a:33:e0:8a:c0:5a:bd:8d:f9:f0:b2:39:5a:08:b0:
+         98:47:96:bf:c6:9c:14:22:c5:6c:71:59:95:ef:5e:86:46:8c:
+         46:37:aa:68:b5:3a:8f:57:48:bb:24:30:00:9e:d5:47:95:bf:
+         ea:0b:e1:76:c6:6d:89:a2:c0:25:0f:60:bd:ee:59:22:1b:77:
+         9a:7f:b9:9f:3e:1c:13:80:92:49:40:ee:5e:1a:79:0f:b4:1c:
+         fe:00:84:67:d4:f1:c9:0d:88:cf:1f:20:10:bd:79:f7:8c:ee:
+         96:48:ab:aa:3e:7d:e4:a1:40:10:37:6d:d7:f8:c6:31:32:7e:
+         3d:6a:3d:9b:1a:bf:e8:8f:73:bd:d9:2b:d6:9a:37:aa:57:c8:
+         5c:63:9f:82:cb:c6:53:58:21:34:43:87:77:ec:50:99:61:a3:
+         d3:81:1a:3e:01:ee:f5:e6:ff:6b:97:fc:ce:74:a4:c5:6d:b5:
+         f5:4f:ea:06:da:da:4d:e1:fd:52:af:7a:43:32:b5:b8:c2:73:
+         59:c3:66:f2
 -----BEGIN CERTIFICATE-----
-MIIExDCCA6ygAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEzzCCA7egAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBozELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBozELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoMDHdvbGZTU0wg
 SW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNoYWluRS1JQ0Ex
 LXBhdGhsZW4xMjgxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEi
@@ -74,16 +74,16 @@ F/1WuDrPz+33kGpzbAaZ7w6PZdzQ6Nt7wehNbWGezFog3oY6WIH6sdRfPHRDRWE2
 LP6kNa7iOcf93bOD1hfc9Zk/Zw7BYNFpjTz5YumDrmYQqkCRYwsq5cGoH46KmxGf
 v6ZF+xZw7WwbFJiAaQTDvRMi59kzSJ2KbA+cOQgpkoN7c6PahtZKAA+nwnu/rA8q
 YpZbO++f4Qi7RLrEmU+guV5Ny3Nz/u6CaU+vx1laNoFExuNQO7+NFO9+lu/BAgMB
-AAGjggEOMIIBCjAdBgNVHQ4EFgQURHsAfJwcl5+XqmvyXuaBfA6u5iswgckGA1Ud
-IwSBwTCBvoAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYT
+AAGjggEZMIIBFTAdBgNVHQ4EFgQURHsAfJwcl5+XqmvyXuaBfA6u5iswgdQGA1Ud
+IwSBzDCByYAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYT
 AlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQK
 DAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3Lndv
-bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggkAqtM/
-rBgKN00wEAYDVR0TBAkwBwEB/wICAIAwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEB
-CwUAA4IBAQC3/ZS1uHEfFiF8sILTn7TjAJdC3yr9gOornDB8TP2RJUrlDvxKyd1l
-Do6cu2zBHXifDa+KgHkpZDrYdqHybYrt6NdQq2sm2uFib2cXhXAP0BZXGXGQj0ne
-Q6+qYGG1RmINkrtW1ji5Gnf8AnMvdSxwQPCCyluAqrVyyCRFkaItUPKyKjONiyjX
-963MGdjmDYHWzm50cElu1rnYhsHc2BVonH1rBnE/ZNo0nogw+6uIMpJXTBc8B0bw
-s6c/0XdJWm5JqTmTxageW1yZJJb+eaxG8cBg62Ew3wSiDn6NORUgsgXlPRerZdy+
-PGjvpjvFIwOKEisRTQMoh/VJ/nItQbzD
+bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tghR9lHCI
+ugdCjaqvT77CGkjw0UDmQjAQBgNVHRMECTAHAQH/AgIAgDALBgNVHQ8EBAMCAQYw
+DQYJKoZIhvcNAQELBQADggEBADk1gf00Wc9WunhvpcGNhEMzk+nASdtRtfbjWshu
+IFHPRoCkx0cP8uk01JuW+Sqq6c/k9rmbp7vsRToz4IrAWr2N+fCyOVoIsJhHlr/G
+nBQixWxxWZXvXoZGjEY3qmi1Oo9XSLskMACe1UeVv+oL4XbGbYmiwCUPYL3uWSIb
+d5p/uZ8+HBOAkklA7l4aeQ+0HP4AhGfU8ckNiM8fIBC9efeM7pZIq6o+feShQBA3
+bdf4xjEyfj1qPZsav+iPc73ZK9aaN6pXyFxjn4LLxlNYITRDh3fsUJlho9OBGj4B
+7vXm/2uX/M50pMVttfVP6gba2k3h/VKvekMytbjCc1nDZvI=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainE-assembled.pem b/certs/test-pathlen/chainE-assembled.pem
index f44749c5f..dffe69020 100644
--- a/certs/test-pathlen/chainE-assembled.pem
+++ b/certs/test-pathlen/chainE-assembled.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 101 (0x65)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainE-ICA1-pathlen128/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainE-ICA1-pathlen128, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainE-entity/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainE-entity, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d8:6f:49:bb:56:ea:34:4c:25:a6:8c:44:f6:c9:
                     75:8f:6b:83:b8:8b:ec:c6:f6:d3:c7:40:e2:d1:b2:
@@ -42,27 +42,27 @@ Certificate:
             X509v3 Basic Constraints: 
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         2d:35:05:3b:41:51:cb:b0:57:33:0a:09:f2:46:12:13:cc:9b:
-         e8:31:70:5c:86:0d:ea:63:be:9d:db:9b:fb:d5:f1:a2:fe:d1:
-         8c:3f:04:28:69:25:bd:c2:a4:19:16:f4:aa:0f:43:dc:b0:51:
-         8c:4e:5e:a0:a9:6e:56:67:be:4d:eb:18:de:37:99:51:fc:20:
-         e4:38:cc:c6:c3:cb:1e:fa:97:8c:96:e3:62:85:e7:77:48:4f:
-         1d:3f:ba:c0:ba:4c:40:6f:d1:2c:3f:0d:ce:03:f7:12:64:07:
-         1f:51:b9:d6:88:5b:bc:b0:59:16:94:54:cb:cb:c2:33:98:15:
-         c8:80:00:27:25:d3:f8:aa:97:c1:0e:6c:8c:4c:86:0e:5f:66:
-         73:a6:1d:83:db:66:87:55:f5:3f:66:c0:66:bb:de:3e:f2:64:
-         98:ab:ea:be:56:9b:b3:64:bb:10:60:75:05:9b:34:62:02:45:
-         f3:eb:2b:76:2f:4a:fc:c3:bc:b0:fe:2e:40:9b:ed:44:35:07:
-         31:da:fa:7c:48:85:a3:8c:83:e2:d6:9a:54:95:a1:19:51:1e:
-         ce:4d:a7:fc:1b:56:c0:3b:a3:36:d0:83:2d:f4:fb:4c:d1:3e:
-         59:fa:47:44:a0:16:93:02:b1:0a:38:b0:8b:12:3d:87:ab:34:
-         1f:2e:5d:ea
+         ca:df:49:e3:ff:ab:df:ff:1a:f7:32:01:38:cb:c6:be:7b:69:
+         ce:90:91:20:0f:9f:53:60:1f:c8:92:c1:8a:65:a9:13:ee:c9:
+         42:dc:c4:cd:83:3b:9c:43:85:52:88:64:aa:fb:67:dc:a9:e8:
+         27:f9:b5:11:f8:c8:56:02:ef:04:08:32:70:5d:de:e7:10:16:
+         0f:ea:d4:4c:63:97:c4:d5:d2:a0:27:fb:68:3c:34:e6:36:d5:
+         bb:d7:f3:bb:fd:cb:8b:6f:cb:8c:f2:95:b6:c4:bc:d5:b2:00:
+         89:37:d6:67:84:1c:cc:59:2b:c1:25:04:b2:b6:00:17:ab:de:
+         cc:88:29:19:da:8f:f1:e9:c9:54:51:ba:37:82:00:ff:98:fa:
+         16:89:31:0d:06:e9:e1:d7:04:f2:b3:b8:ae:25:6b:01:42:91:
+         32:13:b8:48:ab:58:2a:07:9a:f2:fe:c8:57:d5:48:00:db:96:
+         19:b9:ac:b5:db:27:80:b6:bd:22:53:42:27:a8:19:31:d2:c1:
+         8e:78:73:4c:83:d7:a0:19:cb:ee:8c:67:0f:0f:63:03:ed:bc:
+         1b:e9:9c:3e:ed:56:df:b3:d7:da:c1:ce:f7:e0:b2:af:43:da:
+         26:0a:e9:02:25:d2:6a:3b:40:bf:29:9e:8e:51:33:c2:73:fa:
+         d6:ee:21:a6
 -----BEGIN CERTIFICATE-----
 MIIErDCCA5SgAwIBAgIBZTANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNo
 YWluRS1JQ0ExLXBhdGhsZW4xMjgxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
-bC5jb20wHhcNMjEwMjEwMTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBmjELMAkGA1UE
+bC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBmjELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxFjAUBgNV
 BAMMDWNoYWluRS1lbnRpdHkxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
@@ -77,26 +77,26 @@ BgNVHSMEgbkwgbaAFER7AHycHJefl6pr8l7mgXwOruYroYGapIGXMIGUMQswCQYD
 VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G
 A1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3
 dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIB
-ZDAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAtNQU7QVHLsFczCgnyRhIT
-zJvoMXBchg3qY76d25v71fGi/tGMPwQoaSW9wqQZFvSqD0PcsFGMTl6gqW5WZ75N
-6xjeN5lR/CDkOMzGw8se+peMluNihed3SE8dP7rAukxAb9EsPw3OA/cSZAcfUbnW
-iFu8sFkWlFTLy8IzmBXIgAAnJdP4qpfBDmyMTIYOX2Zzph2D22aHVfU/ZsBmu94+
-8mSYq+q+VpuzZLsQYHUFmzRiAkXz6yt2L0r8w7yw/i5Am+1ENQcx2vp8SIWjjIPi
-1ppUlaEZUR7OTaf8G1bAO6M20IMt9PtM0T5Z+kdEoBaTArEKOLCLEj2HqzQfLl3q
+ZDAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQDK30nj/6vf/xr3MgE4y8a+
+e2nOkJEgD59TYB/IksGKZakT7slC3MTNgzucQ4VSiGSq+2fcqegn+bUR+MhWAu8E
+CDJwXd7nEBYP6tRMY5fE1dKgJ/toPDTmNtW71/O7/cuLb8uM8pW2xLzVsgCJN9Zn
+hBzMWSvBJQSytgAXq97MiCkZ2o/x6clUUbo3ggD/mPoWiTENBunh1wTys7iuJWsB
+QpEyE7hIq1gqB5ry/shX1UgA25YZuay12yeAtr0iU0InqBkx0sGOeHNMg9egGcvu
+jGcPD2MD7bwb6Zw+7Vbfs9fawc734LKvQ9omCukCJdJqO0C/KZ6OUTPCc/rW7iGm
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainE-ICA1-pathlen128/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainE-ICA1-pathlen128, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d6:f3:6f:b8:db:10:df:89:df:3b:d9:2e:7a:c1:
                     34:1a:56:97:6c:73:04:fc:15:50:04:93:66:cb:17:
@@ -123,34 +123,34 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE, pathlen:128
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         b7:fd:94:b5:b8:71:1f:16:21:7c:b0:82:d3:9f:b4:e3:00:97:
-         42:df:2a:fd:80:ea:2b:9c:30:7c:4c:fd:91:25:4a:e5:0e:fc:
-         4a:c9:dd:65:0e:8e:9c:bb:6c:c1:1d:78:9f:0d:af:8a:80:79:
-         29:64:3a:d8:76:a1:f2:6d:8a:ed:e8:d7:50:ab:6b:26:da:e1:
-         62:6f:67:17:85:70:0f:d0:16:57:19:71:90:8f:49:de:43:af:
-         aa:60:61:b5:46:62:0d:92:bb:56:d6:38:b9:1a:77:fc:02:73:
-         2f:75:2c:70:40:f0:82:ca:5b:80:aa:b5:72:c8:24:45:91:a2:
-         2d:50:f2:b2:2a:33:8d:8b:28:d7:f7:ad:cc:19:d8:e6:0d:81:
-         d6:ce:6e:74:70:49:6e:d6:b9:d8:86:c1:dc:d8:15:68:9c:7d:
-         6b:06:71:3f:64:da:34:9e:88:30:fb:ab:88:32:92:57:4c:17:
-         3c:07:46:f0:b3:a7:3f:d1:77:49:5a:6e:49:a9:39:93:c5:a8:
-         1e:5b:5c:99:24:96:fe:79:ac:46:f1:c0:60:eb:61:30:df:04:
-         a2:0e:7e:8d:39:15:20:b2:05:e5:3d:17:ab:65:dc:be:3c:68:
-         ef:a6:3b:c5:23:03:8a:12:2b:11:4d:03:28:87:f5:49:fe:72:
-         2d:41:bc:c3
+         39:35:81:fd:34:59:cf:56:ba:78:6f:a5:c1:8d:84:43:33:93:
+         e9:c0:49:db:51:b5:f6:e3:5a:c8:6e:20:51:cf:46:80:a4:c7:
+         47:0f:f2:e9:34:d4:9b:96:f9:2a:aa:e9:cf:e4:f6:b9:9b:a7:
+         bb:ec:45:3a:33:e0:8a:c0:5a:bd:8d:f9:f0:b2:39:5a:08:b0:
+         98:47:96:bf:c6:9c:14:22:c5:6c:71:59:95:ef:5e:86:46:8c:
+         46:37:aa:68:b5:3a:8f:57:48:bb:24:30:00:9e:d5:47:95:bf:
+         ea:0b:e1:76:c6:6d:89:a2:c0:25:0f:60:bd:ee:59:22:1b:77:
+         9a:7f:b9:9f:3e:1c:13:80:92:49:40:ee:5e:1a:79:0f:b4:1c:
+         fe:00:84:67:d4:f1:c9:0d:88:cf:1f:20:10:bd:79:f7:8c:ee:
+         96:48:ab:aa:3e:7d:e4:a1:40:10:37:6d:d7:f8:c6:31:32:7e:
+         3d:6a:3d:9b:1a:bf:e8:8f:73:bd:d9:2b:d6:9a:37:aa:57:c8:
+         5c:63:9f:82:cb:c6:53:58:21:34:43:87:77:ec:50:99:61:a3:
+         d3:81:1a:3e:01:ee:f5:e6:ff:6b:97:fc:ce:74:a4:c5:6d:b5:
+         f5:4f:ea:06:da:da:4d:e1:fd:52:af:7a:43:32:b5:b8:c2:73:
+         59:c3:66:f2
 -----BEGIN CERTIFICATE-----
-MIIExDCCA6ygAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEzzCCA7egAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBozELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBozELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoMDHdvbGZTU0wg
 SW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNoYWluRS1JQ0Ex
 LXBhdGhsZW4xMjgxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEi
@@ -160,16 +160,16 @@ F/1WuDrPz+33kGpzbAaZ7w6PZdzQ6Nt7wehNbWGezFog3oY6WIH6sdRfPHRDRWE2
 LP6kNa7iOcf93bOD1hfc9Zk/Zw7BYNFpjTz5YumDrmYQqkCRYwsq5cGoH46KmxGf
 v6ZF+xZw7WwbFJiAaQTDvRMi59kzSJ2KbA+cOQgpkoN7c6PahtZKAA+nwnu/rA8q
 YpZbO++f4Qi7RLrEmU+guV5Ny3Nz/u6CaU+vx1laNoFExuNQO7+NFO9+lu/BAgMB
-AAGjggEOMIIBCjAdBgNVHQ4EFgQURHsAfJwcl5+XqmvyXuaBfA6u5iswgckGA1Ud
-IwSBwTCBvoAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYT
+AAGjggEZMIIBFTAdBgNVHQ4EFgQURHsAfJwcl5+XqmvyXuaBfA6u5iswgdQGA1Ud
+IwSBzDCByYAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYT
 AlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQK
 DAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3Lndv
-bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggkAqtM/
-rBgKN00wEAYDVR0TBAkwBwEB/wICAIAwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEB
-CwUAA4IBAQC3/ZS1uHEfFiF8sILTn7TjAJdC3yr9gOornDB8TP2RJUrlDvxKyd1l
-Do6cu2zBHXifDa+KgHkpZDrYdqHybYrt6NdQq2sm2uFib2cXhXAP0BZXGXGQj0ne
-Q6+qYGG1RmINkrtW1ji5Gnf8AnMvdSxwQPCCyluAqrVyyCRFkaItUPKyKjONiyjX
-963MGdjmDYHWzm50cElu1rnYhsHc2BVonH1rBnE/ZNo0nogw+6uIMpJXTBc8B0bw
-s6c/0XdJWm5JqTmTxageW1yZJJb+eaxG8cBg62Ew3wSiDn6NORUgsgXlPRerZdy+
-PGjvpjvFIwOKEisRTQMoh/VJ/nItQbzD
+bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tghR9lHCI
+ugdCjaqvT77CGkjw0UDmQjAQBgNVHRMECTAHAQH/AgIAgDALBgNVHQ8EBAMCAQYw
+DQYJKoZIhvcNAQELBQADggEBADk1gf00Wc9WunhvpcGNhEMzk+nASdtRtfbjWshu
+IFHPRoCkx0cP8uk01JuW+Sqq6c/k9rmbp7vsRToz4IrAWr2N+fCyOVoIsJhHlr/G
+nBQixWxxWZXvXoZGjEY3qmi1Oo9XSLskMACe1UeVv+oL4XbGbYmiwCUPYL3uWSIb
+d5p/uZ8+HBOAkklA7l4aeQ+0HP4AhGfU8ckNiM8fIBC9efeM7pZIq6o+feShQBA3
+bdf4xjEyfj1qPZsav+iPc73ZK9aaN6pXyFxjn4LLxlNYITRDh3fsUJlho9OBGj4B
+7vXm/2uX/M50pMVttfVP6gba2k3h/VKvekMytbjCc1nDZvI=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainE-entity.pem b/certs/test-pathlen/chainE-entity.pem
index 05a7b31a2..3f6df339e 100644
--- a/certs/test-pathlen/chainE-entity.pem
+++ b/certs/test-pathlen/chainE-entity.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 101 (0x65)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainE-ICA1-pathlen128/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainE-ICA1-pathlen128, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainE-entity/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainE-entity, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d8:6f:49:bb:56:ea:34:4c:25:a6:8c:44:f6:c9:
                     75:8f:6b:83:b8:8b:ec:c6:f6:d3:c7:40:e2:d1:b2:
@@ -42,27 +42,27 @@ Certificate:
             X509v3 Basic Constraints: 
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         2d:35:05:3b:41:51:cb:b0:57:33:0a:09:f2:46:12:13:cc:9b:
-         e8:31:70:5c:86:0d:ea:63:be:9d:db:9b:fb:d5:f1:a2:fe:d1:
-         8c:3f:04:28:69:25:bd:c2:a4:19:16:f4:aa:0f:43:dc:b0:51:
-         8c:4e:5e:a0:a9:6e:56:67:be:4d:eb:18:de:37:99:51:fc:20:
-         e4:38:cc:c6:c3:cb:1e:fa:97:8c:96:e3:62:85:e7:77:48:4f:
-         1d:3f:ba:c0:ba:4c:40:6f:d1:2c:3f:0d:ce:03:f7:12:64:07:
-         1f:51:b9:d6:88:5b:bc:b0:59:16:94:54:cb:cb:c2:33:98:15:
-         c8:80:00:27:25:d3:f8:aa:97:c1:0e:6c:8c:4c:86:0e:5f:66:
-         73:a6:1d:83:db:66:87:55:f5:3f:66:c0:66:bb:de:3e:f2:64:
-         98:ab:ea:be:56:9b:b3:64:bb:10:60:75:05:9b:34:62:02:45:
-         f3:eb:2b:76:2f:4a:fc:c3:bc:b0:fe:2e:40:9b:ed:44:35:07:
-         31:da:fa:7c:48:85:a3:8c:83:e2:d6:9a:54:95:a1:19:51:1e:
-         ce:4d:a7:fc:1b:56:c0:3b:a3:36:d0:83:2d:f4:fb:4c:d1:3e:
-         59:fa:47:44:a0:16:93:02:b1:0a:38:b0:8b:12:3d:87:ab:34:
-         1f:2e:5d:ea
+         ca:df:49:e3:ff:ab:df:ff:1a:f7:32:01:38:cb:c6:be:7b:69:
+         ce:90:91:20:0f:9f:53:60:1f:c8:92:c1:8a:65:a9:13:ee:c9:
+         42:dc:c4:cd:83:3b:9c:43:85:52:88:64:aa:fb:67:dc:a9:e8:
+         27:f9:b5:11:f8:c8:56:02:ef:04:08:32:70:5d:de:e7:10:16:
+         0f:ea:d4:4c:63:97:c4:d5:d2:a0:27:fb:68:3c:34:e6:36:d5:
+         bb:d7:f3:bb:fd:cb:8b:6f:cb:8c:f2:95:b6:c4:bc:d5:b2:00:
+         89:37:d6:67:84:1c:cc:59:2b:c1:25:04:b2:b6:00:17:ab:de:
+         cc:88:29:19:da:8f:f1:e9:c9:54:51:ba:37:82:00:ff:98:fa:
+         16:89:31:0d:06:e9:e1:d7:04:f2:b3:b8:ae:25:6b:01:42:91:
+         32:13:b8:48:ab:58:2a:07:9a:f2:fe:c8:57:d5:48:00:db:96:
+         19:b9:ac:b5:db:27:80:b6:bd:22:53:42:27:a8:19:31:d2:c1:
+         8e:78:73:4c:83:d7:a0:19:cb:ee:8c:67:0f:0f:63:03:ed:bc:
+         1b:e9:9c:3e:ed:56:df:b3:d7:da:c1:ce:f7:e0:b2:af:43:da:
+         26:0a:e9:02:25:d2:6a:3b:40:bf:29:9e:8e:51:33:c2:73:fa:
+         d6:ee:21:a6
 -----BEGIN CERTIFICATE-----
 MIIErDCCA5SgAwIBAgIBZTANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNo
 YWluRS1JQ0ExLXBhdGhsZW4xMjgxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
-bC5jb20wHhcNMjEwMjEwMTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBmjELMAkGA1UE
+bC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBmjELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxFjAUBgNV
 BAMMDWNoYWluRS1lbnRpdHkxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
@@ -77,10 +77,10 @@ BgNVHSMEgbkwgbaAFER7AHycHJefl6pr8l7mgXwOruYroYGapIGXMIGUMQswCQYD
 VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G
 A1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3
 dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIB
-ZDAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAtNQU7QVHLsFczCgnyRhIT
-zJvoMXBchg3qY76d25v71fGi/tGMPwQoaSW9wqQZFvSqD0PcsFGMTl6gqW5WZ75N
-6xjeN5lR/CDkOMzGw8se+peMluNihed3SE8dP7rAukxAb9EsPw3OA/cSZAcfUbnW
-iFu8sFkWlFTLy8IzmBXIgAAnJdP4qpfBDmyMTIYOX2Zzph2D22aHVfU/ZsBmu94+
-8mSYq+q+VpuzZLsQYHUFmzRiAkXz6yt2L0r8w7yw/i5Am+1ENQcx2vp8SIWjjIPi
-1ppUlaEZUR7OTaf8G1bAO6M20IMt9PtM0T5Z+kdEoBaTArEKOLCLEj2HqzQfLl3q
+ZDAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQDK30nj/6vf/xr3MgE4y8a+
+e2nOkJEgD59TYB/IksGKZakT7slC3MTNgzucQ4VSiGSq+2fcqegn+bUR+MhWAu8E
+CDJwXd7nEBYP6tRMY5fE1dKgJ/toPDTmNtW71/O7/cuLb8uM8pW2xLzVsgCJN9Zn
+hBzMWSvBJQSytgAXq97MiCkZ2o/x6clUUbo3ggD/mPoWiTENBunh1wTys7iuJWsB
+QpEyE7hIq1gqB5ry/shX1UgA25YZuay12yeAtr0iU0InqBkx0sGOeHNMg9egGcvu
+jGcPD2MD7bwb6Zw+7Vbfs9fawc734LKvQ9omCukCJdJqO0C/KZ6OUTPCc/rW7iGm
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainF-ICA1-pathlen1.pem b/certs/test-pathlen/chainF-ICA1-pathlen1.pem
index def0e807e..88e935765 100644
--- a/certs/test-pathlen/chainF-ICA1-pathlen1.pem
+++ b/certs/test-pathlen/chainF-ICA1-pathlen1.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainF-ICA2-pathlen0/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainF-ICA2-pathlen0, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainF-ICA1-pathlen1/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainF-ICA1-pathlen1, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:e0:13:c9:b0:8e:9d:3f:88:d4:30:4a:b4:e8:11:
                     21:93:5c:20:45:08:f8:7a:91:b9:2c:ad:ff:60:aa:
@@ -44,27 +44,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         0f:ec:d6:db:15:a4:df:0a:0c:0d:e0:08:20:5d:a6:c5:26:67:
-         89:91:20:cb:a5:d3:91:cf:c7:45:62:7b:b0:67:a7:0f:fe:03:
-         16:d2:40:a4:a1:4b:00:a0:14:88:7c:31:f6:33:61:3a:b1:7a:
-         6d:c7:fb:f1:19:37:67:a1:2b:8e:99:0f:0c:71:95:6e:8d:69:
-         85:f4:ed:f8:69:ce:05:cf:9d:a7:da:72:42:6b:0d:99:f1:91:
-         c5:a8:45:80:5c:6c:cf:08:af:9b:02:c2:ca:85:06:59:cb:6c:
-         34:4e:87:94:8c:b9:c2:e1:74:66:c7:6b:60:ab:c7:0d:c3:69:
-         b8:e4:76:0b:07:3e:6a:2c:12:c3:46:23:6f:74:5b:a5:6f:4f:
-         e7:7e:51:90:20:73:9b:b6:dd:b4:95:8b:fb:13:02:b3:86:cc:
-         d3:0c:53:25:4d:a1:e7:ab:cc:7e:a6:11:2c:17:35:f2:d4:94:
-         97:7e:0f:a9:5d:41:13:98:a8:b1:34:fe:6e:fe:86:74:b2:27:
-         53:4a:75:07:46:02:9c:41:b7:1e:9c:83:64:1a:8f:4b:50:e0:
-         7c:81:e3:f3:87:58:50:b9:37:9a:27:32:d6:b5:cf:0f:cc:6d:
-         71:54:30:b4:56:54:f2:7f:95:38:8e:f1:d2:a7:81:42:b5:47:
-         0a:01:9c:e6
+         cf:af:61:bb:fd:70:42:0e:4d:e1:94:94:12:c3:61:ad:2e:4a:
+         70:91:09:00:ef:43:c3:52:e7:61:5d:89:7e:8c:fb:68:0e:1f:
+         ee:ac:1f:e6:c6:83:18:fa:05:0c:51:27:ce:69:71:5b:22:b9:
+         65:2f:f4:51:2e:db:fb:5c:76:02:14:d3:58:4f:7a:ac:ec:66:
+         f4:d6:62:32:7d:6d:3e:e9:c9:00:51:0b:3f:8d:bc:6d:20:3c:
+         25:28:1c:30:32:b1:cc:61:06:76:b6:0a:e3:4a:49:b2:85:e3:
+         f7:db:4d:97:48:d2:4a:3a:34:81:24:fd:d0:9f:7b:ac:58:09:
+         3e:40:27:1b:70:c8:05:b5:0e:54:be:01:b8:38:e2:b3:8b:c6:
+         c0:36:b8:ab:1e:d0:30:aa:1d:35:3d:93:0c:4f:9b:e4:71:8e:
+         21:d5:f2:f1:1f:b6:f5:fe:95:8b:29:a2:9c:99:4c:9e:cd:9a:
+         dc:41:0a:7b:85:61:fd:6e:5c:b2:d4:79:b3:46:1c:22:e6:65:
+         d9:c5:99:fe:de:4d:b6:d2:9f:a4:26:07:b0:dd:31:13:a0:8b:
+         01:cc:ab:b9:7e:9f:34:58:65:fb:48:ed:16:07:88:11:93:20:
+         25:56:b0:dc:58:99:e0:6e:6e:71:be:58:77:13:96:e3:7c:60:
+         7a:1f:64:83
 -----BEGIN CERTIFICATE-----
 MIIExjCCA66gAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluRi1JQ0EyLXBhdGhsZW4wMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgaExCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgaExCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMR0wGwYDVQQD
 DBRjaGFpbkYtSUNBMS1wYXRobGVuMTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm
@@ -80,10 +80,10 @@ lDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVt
 YW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYD
 VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
 bC5jb22CAWQwDwYDVR0TBAgwBgEB/wIBATALBgNVHQ8EBAMCAQYwDQYJKoZIhvcN
-AQELBQADggEBAA/s1tsVpN8KDA3gCCBdpsUmZ4mRIMul05HPx0Vie7Bnpw/+AxbS
-QKShSwCgFIh8MfYzYTqxem3H+/EZN2ehK46ZDwxxlW6NaYX07fhpzgXPnafackJr
-DZnxkcWoRYBcbM8Ir5sCwsqFBlnLbDROh5SMucLhdGbHa2Crxw3DabjkdgsHPmos
-EsNGI290W6VvT+d+UZAgc5u23bSVi/sTArOGzNMMUyVNoeerzH6mESwXNfLUlJd+
-D6ldQROYqLE0/m7+hnSyJ1NKdQdGApxBtx6cg2Qaj0tQ4HyB4/OHWFC5N5onMta1
-zw/MbXFUMLRWVPJ/lTiO8dKngUK1RwoBnOY=
+AQELBQADggEBAM+vYbv9cEIOTeGUlBLDYa0uSnCRCQDvQ8NS52FdiX6M+2gOH+6s
+H+bGgxj6BQxRJ85pcVsiuWUv9FEu2/tcdgIU01hPeqzsZvTWYjJ9bT7pyQBRCz+N
+vG0gPCUoHDAyscxhBna2CuNKSbKF4/fbTZdI0ko6NIEk/dCfe6xYCT5AJxtwyAW1
+DlS+Abg44rOLxsA2uKse0DCqHTU9kwxPm+RxjiHV8vEftvX+lYspopyZTJ7NmtxB
+CnuFYf1uXLLUebNGHCLmZdnFmf7eTbbSn6QmB7DdMROgiwHMq7l+nzRYZftI7RYH
+iBGTICVWsNxYmeBubnG+WHcTluN8YHofZIM=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainF-ICA2-pathlen0.pem b/certs/test-pathlen/chainF-ICA2-pathlen0.pem
index a0bfc71bb..0fa9fd16d 100644
--- a/certs/test-pathlen/chainF-ICA2-pathlen0.pem
+++ b/certs/test-pathlen/chainF-ICA2-pathlen0.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainF-ICA2-pathlen0/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainF-ICA2-pathlen0, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:da:3a:22:65:f8:6d:1c:b7:1c:87:dd:27:f4:d7:
                     75:aa:7c:1c:37:31:b4:d6:a5:34:4b:36:40:ea:55:
@@ -37,34 +37,34 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE, pathlen:0
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         57:b9:16:18:c5:f0:4a:fc:14:4f:f7:53:a5:05:ea:88:48:e1:
-         54:ec:c1:a6:02:8e:5a:7a:80:90:7d:fe:6d:a7:b8:c5:fb:22:
-         d9:a5:9f:80:fa:63:2f:e4:a7:c3:57:b4:0a:1f:55:d1:f9:30:
-         36:aa:e3:39:8c:00:f9:44:1e:ba:d1:84:f9:0d:11:b1:42:96:
-         ee:94:92:c2:8f:ef:36:47:54:48:03:74:5b:d3:28:d8:ac:e4:
-         e0:1a:b1:1c:6a:95:a1:f2:7b:bc:33:6c:c4:6d:91:8f:2e:95:
-         26:97:a2:a2:45:19:ce:25:03:8a:0e:99:0f:64:d4:2e:06:ed:
-         36:d0:58:bd:8f:6d:23:e2:82:3e:d0:b5:d5:29:91:1a:49:04:
-         10:9d:6a:4f:ba:19:60:45:ee:a9:41:ae:84:05:6d:77:2f:72:
-         da:7c:19:3a:19:3f:c1:44:0c:c0:35:34:98:36:28:e0:3f:d2:
-         b9:8e:07:24:e6:1f:7c:0c:ce:7d:c0:89:bb:01:9f:50:49:09:
-         89:fa:9c:4b:4d:5c:8d:53:60:f3:19:44:44:15:50:e0:86:ec:
-         47:ba:22:c3:dc:d9:56:84:f3:8d:9c:03:98:4e:f2:0d:e1:98:
-         e0:f2:0a:48:a1:0e:db:42:74:3e:c5:fd:ed:fe:2b:91:1d:98:
-         d7:5d:07:e4
+         06:b2:fa:bd:93:a8:a0:f5:e5:7c:cd:a6:58:8e:c7:c0:84:69:
+         96:d1:ae:90:e9:d4:c7:62:56:00:73:0b:d9:b2:f4:0a:a7:90:
+         c1:60:53:6d:14:e3:fe:5e:46:18:a2:68:a1:37:7e:b0:2e:98:
+         9d:a5:e9:68:8b:8d:5a:fc:6d:ac:e9:1f:1b:47:af:fe:23:e7:
+         2f:62:c1:ae:94:78:89:13:72:92:bb:f7:e5:38:93:a0:a3:a4:
+         d8:5a:cd:27:a5:20:51:b6:43:9b:19:23:d9:61:5b:da:c5:d6:
+         e2:89:c4:db:08:f0:90:ee:76:8c:31:fb:9e:2c:61:66:29:03:
+         48:0a:d6:47:8d:6f:05:bd:df:a4:65:5b:80:8a:31:54:e3:af:
+         ee:9d:f8:d0:aa:59:0c:a8:6f:d9:c1:9b:54:81:a3:6d:d2:1b:
+         90:6d:2d:3b:de:60:ef:8d:15:76:c1:c0:6e:40:02:92:a1:21:
+         da:41:ac:e7:4f:55:c3:b7:6d:0e:93:98:d7:60:c5:02:6e:c8:
+         de:9f:4c:b3:af:ce:ab:7a:ca:9a:2b:6e:41:84:8b:6b:9f:95:
+         8d:5a:f0:76:46:3d:49:38:40:5c:b2:a3:28:6c:f5:01:a2:c6:
+         74:6b:aa:43:1f:70:e5:09:f5:63:4d:88:e3:8a:b0:10:ed:58:
+         a5:ea:cd:f6
 -----BEGIN CERTIFICATE-----
-MIIEwTCCA6mgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEzDCCA7SgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoMDHdvbGZTU0wg
 SW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNoYWluRi1JQ0Ey
 LXBhdGhsZW4wMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN
@@ -74,16 +74,16 @@ bHhY4fbPRorWpXlNR4jKbGlOKNSNhKjhbB3TNn4j42TVCqP8NomQCv9+i/ouZvvH
 M0SS3w9DsuskfiuusEOprVOC+N4XGSZfyoysDB8kvRXtT12C6hDrBXBPA2DZI20h
 B00SnPNk7nb7nfnD2Bo7bqmCey0usHS3E9ZligbyJXTCJulxZlRh/io0JwfJje+g
 ooaTQUdzCAEHzE3s/oCIk/uutJEW+oOWhGZTzfNS2tQl4QkVIOIQ6t057wIDAQAB
-o4IBDTCCAQkwHQYDVR0OBBYEFEpTSrcweDWRtMvdyCJ0ia+AD39oMIHJBgNVHSME
-gcEwgb6AFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
+o4IBGDCCARQwHQYDVR0OBBYEFEpTSrcweDWRtMvdyCJ0ia+AD39oMIHUBgNVHSME
+gcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
 UzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwI
 U2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xm
-c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIJAKrTP6wY
-CjdNMA8GA1UdEwQIMAYBAf8CAQAwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUA
-A4IBAQBXuRYYxfBK/BRP91OlBeqISOFU7MGmAo5aeoCQff5tp7jF+yLZpZ+A+mMv
-5KfDV7QKH1XR+TA2quM5jAD5RB660YT5DRGxQpbulJLCj+82R1RIA3Rb0yjYrOTg
-GrEcapWh8nu8M2zEbZGPLpUml6KiRRnOJQOKDpkPZNQuBu020Fi9j20j4oI+0LXV
-KZEaSQQQnWpPuhlgRe6pQa6EBW13L3LafBk6GT/BRAzANTSYNijgP9K5jgck5h98
-DM59wIm7AZ9QSQmJ+pxLTVyNU2DzGUREFVDghuxHuiLD3NlWhPONnAOYTvIN4Zjg
-8gpIoQ7bQnQ+xf3t/iuRHZjXXQfk
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUfZRwiLoH
+Qo2qr0++whpI8NFA5kIwDwYDVR0TBAgwBgEB/wIBADALBgNVHQ8EBAMCAQYwDQYJ
+KoZIhvcNAQELBQADggEBAAay+r2TqKD15XzNpliOx8CEaZbRrpDp1MdiVgBzC9my
+9AqnkMFgU20U4/5eRhiiaKE3frAumJ2l6WiLjVr8bazpHxtHr/4j5y9iwa6UeIkT
+cpK79+U4k6CjpNhazSelIFG2Q5sZI9lhW9rF1uKJxNsI8JDudowx+54sYWYpA0gK
+1keNbwW936RlW4CKMVTjr+6d+NCqWQyob9nBm1SBo23SG5BtLTveYO+NFXbBwG5A
+ApKhIdpBrOdPVcO3bQ6TmNdgxQJuyN6fTLOvzqt6yporbkGEi2uflY1a8HZGPUk4
+QFyyoyhs9QGixnRrqkMfcOUJ9WNNiOOKsBDtWKXqzfY=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainF-assembled.pem b/certs/test-pathlen/chainF-assembled.pem
index 847a954e1..bd84c8885 100644
--- a/certs/test-pathlen/chainF-assembled.pem
+++ b/certs/test-pathlen/chainF-assembled.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 101 (0x65)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainF-ICA1-pathlen1/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainF-ICA1-pathlen1, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainF-entity/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainF-entity, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:c9:f8:2c:ad:25:a9:65:3b:72:13:5d:aa:7f:5b:
                     71:f5:e0:43:c4:3a:b3:36:0d:34:61:35:86:77:a0:
@@ -42,27 +42,27 @@ Certificate:
             X509v3 Basic Constraints: 
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         2a:cd:93:cf:48:f6:8e:7b:ec:b6:a1:1b:3a:52:46:fb:e0:8d:
-         a3:14:63:b1:20:b8:a4:ee:69:ca:7b:d4:1d:53:f4:ab:a2:b2:
-         0d:7b:65:23:c1:97:34:b2:62:aa:31:4b:67:5a:1e:01:7e:6a:
-         64:65:b5:dd:02:d2:d0:85:4f:28:64:57:43:4d:8f:f1:d4:23:
-         da:e9:1e:7c:28:7c:75:24:9d:19:d5:60:b3:e0:bc:32:6c:2a:
-         a7:80:c3:2a:05:d2:86:46:47:64:f2:63:bd:68:8d:60:99:a2:
-         a5:cb:b2:ad:d4:0b:fc:a0:d0:44:e0:0d:50:83:b2:84:c5:08:
-         12:34:c5:8c:39:e3:75:9f:5a:81:f5:ad:ce:e6:1c:70:0b:e2:
-         be:30:f7:0c:f8:a7:f3:96:22:74:7f:31:b1:5d:f5:77:a8:e0:
-         c0:0d:9e:7a:20:1f:68:6a:e0:4f:33:00:5a:05:bd:c3:3d:aa:
-         b5:8d:36:8d:53:44:08:3e:5e:59:d3:ce:79:54:5e:5b:e9:ca:
-         6d:2b:95:e9:77:14:94:c9:a0:9a:7d:28:9a:e4:1c:cd:22:94:
-         d1:a9:f8:03:38:b5:f0:a2:8d:09:7c:13:0e:d5:85:ef:03:a0:
-         1f:a9:5d:29:e3:ff:4e:be:10:58:54:78:a4:04:0c:5a:8d:13:
-         ae:bd:48:db
+         08:a8:7f:6c:b7:c4:65:ce:c3:c5:1e:af:dd:d8:42:19:e1:f5:
+         f8:26:8b:c8:78:05:57:d6:71:3b:6a:4f:88:c6:4c:ea:33:0b:
+         39:19:c0:fb:e8:e4:9a:be:38:11:a9:e4:6f:a7:db:54:80:b4:
+         ab:cf:d2:04:f4:41:f6:05:c5:65:a3:42:c5:d1:50:33:3f:27:
+         5d:8a:b0:b4:37:4e:7f:32:dd:7a:cb:2c:ba:ab:ef:5f:3c:38:
+         ea:ca:cb:28:2a:7b:0d:a6:f4:46:cc:d1:77:b5:51:70:b1:bb:
+         18:e9:66:92:45:af:55:a3:de:3e:dd:65:44:c4:5f:de:38:b6:
+         8e:45:ed:36:07:36:cb:72:14:d2:ff:1d:78:a7:4f:c5:0b:51:
+         07:e3:61:bd:99:58:e7:64:fb:d5:33:59:d9:50:7d:4b:39:0e:
+         6c:66:46:63:aa:34:d8:d4:df:46:da:ed:d1:01:cc:da:6b:d6:
+         b8:cd:07:23:b2:07:32:bc:6a:38:88:1d:04:00:f0:dc:ef:99:
+         22:76:68:ba:4a:3f:cb:11:fb:4b:49:c7:4c:6e:b3:34:05:6f:
+         71:24:da:d6:2e:5e:67:30:42:82:aa:4f:07:e8:24:3b:0f:3c:
+         bf:64:0c:76:96:20:c0:16:87:31:a6:d5:c4:76:ca:f2:fc:74:
+         e2:41:ea:9c
 -----BEGIN CERTIFICATE-----
 MIIEtzCCA5+gAwIBAgIBZTANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluRi1JQ0ExLXBhdGhsZW4xMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgZoxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgZoxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRYwFAYDVQQD
 DA1jaGFpbkYtZW50aXR5MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
@@ -77,27 +77,27 @@ VR0jBIHGMIHDgBR1MiEFK2D+RBevGGWGhRmCP/lkg6GBp6SBpDCBoTELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNV
 BAMMFGNoYWluRi1JQ0EyLXBhdGhsZW4wMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
-bGZzc2wuY29tggFkMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBACrNk89I
-9o577LahGzpSRvvgjaMUY7EguKTuacp71B1T9Kuisg17ZSPBlzSyYqoxS2daHgF+
-amRltd0C0tCFTyhkV0NNj/HUI9rpHnwofHUknRnVYLPgvDJsKqeAwyoF0oZGR2Ty
-Y71ojWCZoqXLsq3UC/yg0ETgDVCDsoTFCBI0xYw543WfWoH1rc7mHHAL4r4w9wz4
-p/OWInR/MbFd9Xeo4MANnnogH2hq4E8zAFoFvcM9qrWNNo1TRAg+XlnTznlUXlvp
-ym0rlel3FJTJoJp9KJrkHM0ilNGp+AM4tfCijQl8Ew7Vhe8DoB+pXSnj/06+EFhU
-eKQEDFqNE669SNs=
+bGZzc2wuY29tggFkMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAAiof2y3
+xGXOw8Uer93YQhnh9fgmi8h4BVfWcTtqT4jGTOozCzkZwPvo5Jq+OBGp5G+n21SA
+tKvP0gT0QfYFxWWjQsXRUDM/J12KsLQ3Tn8y3XrLLLqr7188OOrKyygqew2m9EbM
+0Xe1UXCxuxjpZpJFr1Wj3j7dZUTEX944to5F7TYHNstyFNL/HXinT8ULUQfjYb2Z
+WOdk+9UzWdlQfUs5DmxmRmOqNNjU30ba7dEBzNpr1rjNByOyBzK8ajiIHQQA8Nzv
+mSJ2aLpKP8sR+0tJx0xuszQFb3Ek2tYuXmcwQoKqTwfoJDsPPL9kDHaWIMAWhzGm
+1cR2yvL8dOJB6pw=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainF-ICA2-pathlen0/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainF-ICA2-pathlen0, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainF-ICA1-pathlen1/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainF-ICA1-pathlen1, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:e0:13:c9:b0:8e:9d:3f:88:d4:30:4a:b4:e8:11:
                     21:93:5c:20:45:08:f8:7a:91:b9:2c:ad:ff:60:aa:
@@ -131,27 +131,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         0f:ec:d6:db:15:a4:df:0a:0c:0d:e0:08:20:5d:a6:c5:26:67:
-         89:91:20:cb:a5:d3:91:cf:c7:45:62:7b:b0:67:a7:0f:fe:03:
-         16:d2:40:a4:a1:4b:00:a0:14:88:7c:31:f6:33:61:3a:b1:7a:
-         6d:c7:fb:f1:19:37:67:a1:2b:8e:99:0f:0c:71:95:6e:8d:69:
-         85:f4:ed:f8:69:ce:05:cf:9d:a7:da:72:42:6b:0d:99:f1:91:
-         c5:a8:45:80:5c:6c:cf:08:af:9b:02:c2:ca:85:06:59:cb:6c:
-         34:4e:87:94:8c:b9:c2:e1:74:66:c7:6b:60:ab:c7:0d:c3:69:
-         b8:e4:76:0b:07:3e:6a:2c:12:c3:46:23:6f:74:5b:a5:6f:4f:
-         e7:7e:51:90:20:73:9b:b6:dd:b4:95:8b:fb:13:02:b3:86:cc:
-         d3:0c:53:25:4d:a1:e7:ab:cc:7e:a6:11:2c:17:35:f2:d4:94:
-         97:7e:0f:a9:5d:41:13:98:a8:b1:34:fe:6e:fe:86:74:b2:27:
-         53:4a:75:07:46:02:9c:41:b7:1e:9c:83:64:1a:8f:4b:50:e0:
-         7c:81:e3:f3:87:58:50:b9:37:9a:27:32:d6:b5:cf:0f:cc:6d:
-         71:54:30:b4:56:54:f2:7f:95:38:8e:f1:d2:a7:81:42:b5:47:
-         0a:01:9c:e6
+         cf:af:61:bb:fd:70:42:0e:4d:e1:94:94:12:c3:61:ad:2e:4a:
+         70:91:09:00:ef:43:c3:52:e7:61:5d:89:7e:8c:fb:68:0e:1f:
+         ee:ac:1f:e6:c6:83:18:fa:05:0c:51:27:ce:69:71:5b:22:b9:
+         65:2f:f4:51:2e:db:fb:5c:76:02:14:d3:58:4f:7a:ac:ec:66:
+         f4:d6:62:32:7d:6d:3e:e9:c9:00:51:0b:3f:8d:bc:6d:20:3c:
+         25:28:1c:30:32:b1:cc:61:06:76:b6:0a:e3:4a:49:b2:85:e3:
+         f7:db:4d:97:48:d2:4a:3a:34:81:24:fd:d0:9f:7b:ac:58:09:
+         3e:40:27:1b:70:c8:05:b5:0e:54:be:01:b8:38:e2:b3:8b:c6:
+         c0:36:b8:ab:1e:d0:30:aa:1d:35:3d:93:0c:4f:9b:e4:71:8e:
+         21:d5:f2:f1:1f:b6:f5:fe:95:8b:29:a2:9c:99:4c:9e:cd:9a:
+         dc:41:0a:7b:85:61:fd:6e:5c:b2:d4:79:b3:46:1c:22:e6:65:
+         d9:c5:99:fe:de:4d:b6:d2:9f:a4:26:07:b0:dd:31:13:a0:8b:
+         01:cc:ab:b9:7e:9f:34:58:65:fb:48:ed:16:07:88:11:93:20:
+         25:56:b0:dc:58:99:e0:6e:6e:71:be:58:77:13:96:e3:7c:60:
+         7a:1f:64:83
 -----BEGIN CERTIFICATE-----
 MIIExjCCA66gAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluRi1JQ0EyLXBhdGhsZW4wMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgaExCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgaExCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMR0wGwYDVQQD
 DBRjaGFpbkYtSUNBMS1wYXRobGVuMTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm
@@ -167,26 +167,26 @@ lDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVt
 YW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYD
 VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
 bC5jb22CAWQwDwYDVR0TBAgwBgEB/wIBATALBgNVHQ8EBAMCAQYwDQYJKoZIhvcN
-AQELBQADggEBAA/s1tsVpN8KDA3gCCBdpsUmZ4mRIMul05HPx0Vie7Bnpw/+AxbS
-QKShSwCgFIh8MfYzYTqxem3H+/EZN2ehK46ZDwxxlW6NaYX07fhpzgXPnafackJr
-DZnxkcWoRYBcbM8Ir5sCwsqFBlnLbDROh5SMucLhdGbHa2Crxw3DabjkdgsHPmos
-EsNGI290W6VvT+d+UZAgc5u23bSVi/sTArOGzNMMUyVNoeerzH6mESwXNfLUlJd+
-D6ldQROYqLE0/m7+hnSyJ1NKdQdGApxBtx6cg2Qaj0tQ4HyB4/OHWFC5N5onMta1
-zw/MbXFUMLRWVPJ/lTiO8dKngUK1RwoBnOY=
+AQELBQADggEBAM+vYbv9cEIOTeGUlBLDYa0uSnCRCQDvQ8NS52FdiX6M+2gOH+6s
+H+bGgxj6BQxRJ85pcVsiuWUv9FEu2/tcdgIU01hPeqzsZvTWYjJ9bT7pyQBRCz+N
+vG0gPCUoHDAyscxhBna2CuNKSbKF4/fbTZdI0ko6NIEk/dCfe6xYCT5AJxtwyAW1
+DlS+Abg44rOLxsA2uKse0DCqHTU9kwxPm+RxjiHV8vEftvX+lYspopyZTJ7NmtxB
+CnuFYf1uXLLUebNGHCLmZdnFmf7eTbbSn6QmB7DdMROgiwHMq7l+nzRYZftI7RYH
+iBGTICVWsNxYmeBubnG+WHcTluN8YHofZIM=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainF-ICA2-pathlen0/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainF-ICA2-pathlen0, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:da:3a:22:65:f8:6d:1c:b7:1c:87:dd:27:f4:d7:
                     75:aa:7c:1c:37:31:b4:d6:a5:34:4b:36:40:ea:55:
@@ -213,34 +213,34 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE, pathlen:0
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         57:b9:16:18:c5:f0:4a:fc:14:4f:f7:53:a5:05:ea:88:48:e1:
-         54:ec:c1:a6:02:8e:5a:7a:80:90:7d:fe:6d:a7:b8:c5:fb:22:
-         d9:a5:9f:80:fa:63:2f:e4:a7:c3:57:b4:0a:1f:55:d1:f9:30:
-         36:aa:e3:39:8c:00:f9:44:1e:ba:d1:84:f9:0d:11:b1:42:96:
-         ee:94:92:c2:8f:ef:36:47:54:48:03:74:5b:d3:28:d8:ac:e4:
-         e0:1a:b1:1c:6a:95:a1:f2:7b:bc:33:6c:c4:6d:91:8f:2e:95:
-         26:97:a2:a2:45:19:ce:25:03:8a:0e:99:0f:64:d4:2e:06:ed:
-         36:d0:58:bd:8f:6d:23:e2:82:3e:d0:b5:d5:29:91:1a:49:04:
-         10:9d:6a:4f:ba:19:60:45:ee:a9:41:ae:84:05:6d:77:2f:72:
-         da:7c:19:3a:19:3f:c1:44:0c:c0:35:34:98:36:28:e0:3f:d2:
-         b9:8e:07:24:e6:1f:7c:0c:ce:7d:c0:89:bb:01:9f:50:49:09:
-         89:fa:9c:4b:4d:5c:8d:53:60:f3:19:44:44:15:50:e0:86:ec:
-         47:ba:22:c3:dc:d9:56:84:f3:8d:9c:03:98:4e:f2:0d:e1:98:
-         e0:f2:0a:48:a1:0e:db:42:74:3e:c5:fd:ed:fe:2b:91:1d:98:
-         d7:5d:07:e4
+         06:b2:fa:bd:93:a8:a0:f5:e5:7c:cd:a6:58:8e:c7:c0:84:69:
+         96:d1:ae:90:e9:d4:c7:62:56:00:73:0b:d9:b2:f4:0a:a7:90:
+         c1:60:53:6d:14:e3:fe:5e:46:18:a2:68:a1:37:7e:b0:2e:98:
+         9d:a5:e9:68:8b:8d:5a:fc:6d:ac:e9:1f:1b:47:af:fe:23:e7:
+         2f:62:c1:ae:94:78:89:13:72:92:bb:f7:e5:38:93:a0:a3:a4:
+         d8:5a:cd:27:a5:20:51:b6:43:9b:19:23:d9:61:5b:da:c5:d6:
+         e2:89:c4:db:08:f0:90:ee:76:8c:31:fb:9e:2c:61:66:29:03:
+         48:0a:d6:47:8d:6f:05:bd:df:a4:65:5b:80:8a:31:54:e3:af:
+         ee:9d:f8:d0:aa:59:0c:a8:6f:d9:c1:9b:54:81:a3:6d:d2:1b:
+         90:6d:2d:3b:de:60:ef:8d:15:76:c1:c0:6e:40:02:92:a1:21:
+         da:41:ac:e7:4f:55:c3:b7:6d:0e:93:98:d7:60:c5:02:6e:c8:
+         de:9f:4c:b3:af:ce:ab:7a:ca:9a:2b:6e:41:84:8b:6b:9f:95:
+         8d:5a:f0:76:46:3d:49:38:40:5c:b2:a3:28:6c:f5:01:a2:c6:
+         74:6b:aa:43:1f:70:e5:09:f5:63:4d:88:e3:8a:b0:10:ed:58:
+         a5:ea:cd:f6
 -----BEGIN CERTIFICATE-----
-MIIEwTCCA6mgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEzDCCA7SgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoMDHdvbGZTU0wg
 SW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNoYWluRi1JQ0Ey
 LXBhdGhsZW4wMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN
@@ -250,16 +250,16 @@ bHhY4fbPRorWpXlNR4jKbGlOKNSNhKjhbB3TNn4j42TVCqP8NomQCv9+i/ouZvvH
 M0SS3w9DsuskfiuusEOprVOC+N4XGSZfyoysDB8kvRXtT12C6hDrBXBPA2DZI20h
 B00SnPNk7nb7nfnD2Bo7bqmCey0usHS3E9ZligbyJXTCJulxZlRh/io0JwfJje+g
 ooaTQUdzCAEHzE3s/oCIk/uutJEW+oOWhGZTzfNS2tQl4QkVIOIQ6t057wIDAQAB
-o4IBDTCCAQkwHQYDVR0OBBYEFEpTSrcweDWRtMvdyCJ0ia+AD39oMIHJBgNVHSME
-gcEwgb6AFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
+o4IBGDCCARQwHQYDVR0OBBYEFEpTSrcweDWRtMvdyCJ0ia+AD39oMIHUBgNVHSME
+gcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
 UzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwI
 U2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xm
-c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIJAKrTP6wY
-CjdNMA8GA1UdEwQIMAYBAf8CAQAwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUA
-A4IBAQBXuRYYxfBK/BRP91OlBeqISOFU7MGmAo5aeoCQff5tp7jF+yLZpZ+A+mMv
-5KfDV7QKH1XR+TA2quM5jAD5RB660YT5DRGxQpbulJLCj+82R1RIA3Rb0yjYrOTg
-GrEcapWh8nu8M2zEbZGPLpUml6KiRRnOJQOKDpkPZNQuBu020Fi9j20j4oI+0LXV
-KZEaSQQQnWpPuhlgRe6pQa6EBW13L3LafBk6GT/BRAzANTSYNijgP9K5jgck5h98
-DM59wIm7AZ9QSQmJ+pxLTVyNU2DzGUREFVDghuxHuiLD3NlWhPONnAOYTvIN4Zjg
-8gpIoQ7bQnQ+xf3t/iuRHZjXXQfk
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUfZRwiLoH
+Qo2qr0++whpI8NFA5kIwDwYDVR0TBAgwBgEB/wIBADALBgNVHQ8EBAMCAQYwDQYJ
+KoZIhvcNAQELBQADggEBAAay+r2TqKD15XzNpliOx8CEaZbRrpDp1MdiVgBzC9my
+9AqnkMFgU20U4/5eRhiiaKE3frAumJ2l6WiLjVr8bazpHxtHr/4j5y9iwa6UeIkT
+cpK79+U4k6CjpNhazSelIFG2Q5sZI9lhW9rF1uKJxNsI8JDudowx+54sYWYpA0gK
+1keNbwW936RlW4CKMVTjr+6d+NCqWQyob9nBm1SBo23SG5BtLTveYO+NFXbBwG5A
+ApKhIdpBrOdPVcO3bQ6TmNdgxQJuyN6fTLOvzqt6yporbkGEi2uflY1a8HZGPUk4
+QFyyoyhs9QGixnRrqkMfcOUJ9WNNiOOKsBDtWKXqzfY=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainF-entity.pem b/certs/test-pathlen/chainF-entity.pem
index 94403cded..d54f9d18d 100644
--- a/certs/test-pathlen/chainF-entity.pem
+++ b/certs/test-pathlen/chainF-entity.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 101 (0x65)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainF-ICA1-pathlen1/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainF-ICA1-pathlen1, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainF-entity/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainF-entity, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:c9:f8:2c:ad:25:a9:65:3b:72:13:5d:aa:7f:5b:
                     71:f5:e0:43:c4:3a:b3:36:0d:34:61:35:86:77:a0:
@@ -42,27 +42,27 @@ Certificate:
             X509v3 Basic Constraints: 
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         2a:cd:93:cf:48:f6:8e:7b:ec:b6:a1:1b:3a:52:46:fb:e0:8d:
-         a3:14:63:b1:20:b8:a4:ee:69:ca:7b:d4:1d:53:f4:ab:a2:b2:
-         0d:7b:65:23:c1:97:34:b2:62:aa:31:4b:67:5a:1e:01:7e:6a:
-         64:65:b5:dd:02:d2:d0:85:4f:28:64:57:43:4d:8f:f1:d4:23:
-         da:e9:1e:7c:28:7c:75:24:9d:19:d5:60:b3:e0:bc:32:6c:2a:
-         a7:80:c3:2a:05:d2:86:46:47:64:f2:63:bd:68:8d:60:99:a2:
-         a5:cb:b2:ad:d4:0b:fc:a0:d0:44:e0:0d:50:83:b2:84:c5:08:
-         12:34:c5:8c:39:e3:75:9f:5a:81:f5:ad:ce:e6:1c:70:0b:e2:
-         be:30:f7:0c:f8:a7:f3:96:22:74:7f:31:b1:5d:f5:77:a8:e0:
-         c0:0d:9e:7a:20:1f:68:6a:e0:4f:33:00:5a:05:bd:c3:3d:aa:
-         b5:8d:36:8d:53:44:08:3e:5e:59:d3:ce:79:54:5e:5b:e9:ca:
-         6d:2b:95:e9:77:14:94:c9:a0:9a:7d:28:9a:e4:1c:cd:22:94:
-         d1:a9:f8:03:38:b5:f0:a2:8d:09:7c:13:0e:d5:85:ef:03:a0:
-         1f:a9:5d:29:e3:ff:4e:be:10:58:54:78:a4:04:0c:5a:8d:13:
-         ae:bd:48:db
+         08:a8:7f:6c:b7:c4:65:ce:c3:c5:1e:af:dd:d8:42:19:e1:f5:
+         f8:26:8b:c8:78:05:57:d6:71:3b:6a:4f:88:c6:4c:ea:33:0b:
+         39:19:c0:fb:e8:e4:9a:be:38:11:a9:e4:6f:a7:db:54:80:b4:
+         ab:cf:d2:04:f4:41:f6:05:c5:65:a3:42:c5:d1:50:33:3f:27:
+         5d:8a:b0:b4:37:4e:7f:32:dd:7a:cb:2c:ba:ab:ef:5f:3c:38:
+         ea:ca:cb:28:2a:7b:0d:a6:f4:46:cc:d1:77:b5:51:70:b1:bb:
+         18:e9:66:92:45:af:55:a3:de:3e:dd:65:44:c4:5f:de:38:b6:
+         8e:45:ed:36:07:36:cb:72:14:d2:ff:1d:78:a7:4f:c5:0b:51:
+         07:e3:61:bd:99:58:e7:64:fb:d5:33:59:d9:50:7d:4b:39:0e:
+         6c:66:46:63:aa:34:d8:d4:df:46:da:ed:d1:01:cc:da:6b:d6:
+         b8:cd:07:23:b2:07:32:bc:6a:38:88:1d:04:00:f0:dc:ef:99:
+         22:76:68:ba:4a:3f:cb:11:fb:4b:49:c7:4c:6e:b3:34:05:6f:
+         71:24:da:d6:2e:5e:67:30:42:82:aa:4f:07:e8:24:3b:0f:3c:
+         bf:64:0c:76:96:20:c0:16:87:31:a6:d5:c4:76:ca:f2:fc:74:
+         e2:41:ea:9c
 -----BEGIN CERTIFICATE-----
 MIIEtzCCA5+gAwIBAgIBZTANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluRi1JQ0ExLXBhdGhsZW4xMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgZoxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgZoxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRYwFAYDVQQD
 DA1jaGFpbkYtZW50aXR5MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
@@ -77,11 +77,11 @@ VR0jBIHGMIHDgBR1MiEFK2D+RBevGGWGhRmCP/lkg6GBp6SBpDCBoTELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNV
 BAMMFGNoYWluRi1JQ0EyLXBhdGhsZW4wMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
-bGZzc2wuY29tggFkMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBACrNk89I
-9o577LahGzpSRvvgjaMUY7EguKTuacp71B1T9Kuisg17ZSPBlzSyYqoxS2daHgF+
-amRltd0C0tCFTyhkV0NNj/HUI9rpHnwofHUknRnVYLPgvDJsKqeAwyoF0oZGR2Ty
-Y71ojWCZoqXLsq3UC/yg0ETgDVCDsoTFCBI0xYw543WfWoH1rc7mHHAL4r4w9wz4
-p/OWInR/MbFd9Xeo4MANnnogH2hq4E8zAFoFvcM9qrWNNo1TRAg+XlnTznlUXlvp
-ym0rlel3FJTJoJp9KJrkHM0ilNGp+AM4tfCijQl8Ew7Vhe8DoB+pXSnj/06+EFhU
-eKQEDFqNE669SNs=
+bGZzc2wuY29tggFkMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAAiof2y3
+xGXOw8Uer93YQhnh9fgmi8h4BVfWcTtqT4jGTOozCzkZwPvo5Jq+OBGp5G+n21SA
+tKvP0gT0QfYFxWWjQsXRUDM/J12KsLQ3Tn8y3XrLLLqr7188OOrKyygqew2m9EbM
+0Xe1UXCxuxjpZpJFr1Wj3j7dZUTEX944to5F7TYHNstyFNL/HXinT8ULUQfjYb2Z
+WOdk+9UzWdlQfUs5DmxmRmOqNNjU30ba7dEBzNpr1rjNByOyBzK8ajiIHQQA8Nzv
+mSJ2aLpKP8sR+0tJx0xuszQFb3Ek2tYuXmcwQoKqTwfoJDsPPL9kDHaWIMAWhzGm
+1cR2yvL8dOJB6pw=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainG-ICA1-pathlen0.pem b/certs/test-pathlen/chainG-ICA1-pathlen0.pem
index 99bb03162..fef792cfd 100644
--- a/certs/test-pathlen/chainG-ICA1-pathlen0.pem
+++ b/certs/test-pathlen/chainG-ICA1-pathlen0.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA2-pathlen1/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA2-pathlen1, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA1-pathlen0/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA1-pathlen0, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d2:26:be:51:98:42:e0:1f:ae:fc:c2:cb:ba:d5:
                     0f:44:3b:0b:60:d8:49:ec:03:43:6b:06:ce:f2:28:
@@ -44,27 +44,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         8c:c9:7e:79:a8:29:4e:81:7f:e2:78:bc:91:6c:33:08:67:01:
-         d0:76:f6:51:04:ad:a2:34:4d:59:4f:ab:b7:e5:80:60:01:1e:
-         16:20:60:a9:ef:a5:27:01:36:7a:20:1d:76:1f:fb:ef:fc:7f:
-         00:b0:96:d0:41:c8:d8:f0:1c:de:dc:c8:0b:09:57:85:f4:2b:
-         8e:49:76:6b:32:ea:0d:87:79:15:63:80:ec:0a:f2:3e:7e:e1:
-         ec:71:ee:32:57:77:9b:85:a7:fb:3b:1c:b9:be:59:d4:14:f8:
-         84:63:a8:f9:46:1a:18:4b:18:9c:08:90:4f:7d:ba:ec:4c:b5:
-         e8:a9:65:81:fa:ac:8c:2c:77:09:78:a7:44:7b:18:01:93:e6:
-         bb:f5:ed:40:90:04:b3:78:b7:dd:70:9b:c6:bd:a3:58:a9:a7:
-         57:f9:e5:0d:1f:ad:87:04:ca:d5:45:62:5c:4f:fa:9e:d4:19:
-         83:0a:73:5f:f6:c2:65:7d:6e:96:6e:f6:66:3b:8d:90:0a:28:
-         0a:89:17:2f:12:ba:3a:da:6a:0d:21:f8:04:44:ae:bf:49:eb:
-         98:00:c6:cb:c3:5a:01:2a:de:74:39:99:43:34:98:94:76:dc:
-         cb:e3:96:10:3b:08:15:0e:60:8d:0c:95:99:68:a4:38:cf:1f:
-         5a:9f:7f:97
+         79:c2:90:26:d1:a8:0c:b0:e5:f8:5f:6b:29:06:17:bf:df:32:
+         5e:08:c4:27:18:2d:83:14:30:63:3b:40:89:2a:68:d2:65:4d:
+         68:a7:d6:a5:6c:c6:62:9d:14:ba:99:c5:a7:ea:28:34:dc:82:
+         f0:fd:f0:02:c9:be:f8:a6:75:87:bf:7e:bb:3b:5d:c4:c6:7e:
+         aa:af:97:a1:5e:ac:51:f8:5e:62:e5:57:a0:df:f2:8a:a8:e3:
+         db:2c:c0:ae:40:65:3a:19:6a:d5:65:30:3d:97:1f:10:ef:e7:
+         7e:d1:81:e5:b0:76:25:70:52:22:51:f7:45:17:13:7f:e6:f1:
+         76:4f:ef:a6:fd:d9:45:a1:e5:ab:1b:b8:73:bd:7d:51:e3:61:
+         72:e5:c3:87:51:c1:b7:82:d0:08:63:21:f5:cd:c4:0a:bc:0d:
+         9b:f0:d8:5a:63:00:f8:51:48:14:f8:5e:8c:e7:a5:f9:63:85:
+         ca:9d:09:62:7a:3d:1c:bb:90:72:6d:39:f3:b8:62:fa:2b:c4:
+         31:fa:86:45:eb:2b:7d:5d:09:88:58:79:ba:ba:0f:64:2c:1c:
+         21:12:52:51:0f:05:f0:b3:c2:53:df:66:3c:14:59:82:35:ee:
+         ef:65:15:61:8c:00:f8:3a:b3:a7:8a:d5:4d:6a:c9:4f:9f:1f:
+         f9:1e:5e:0d
 -----BEGIN CERTIFICATE-----
 MIIE1DCCA7ygAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluRy1JQ0EyLXBhdGhsZW4xMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgaExCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgaExCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMR0wGwYDVQQD
 DBRjaGFpbkctSUNBMS1wYXRobGVuMDEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm
@@ -80,10 +80,10 @@ ojELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1Nl
 YXR0bGUxFTATBgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJp
 bmcxHjAcBgNVBAMMFWNoYWluRy1JQ0EzLXBhdGhsZW45OTEfMB0GCSqGSIb3DQEJ
 ARYQaW5mb0B3b2xmc3NsLmNvbYIBZDAPBgNVHRMECDAGAQH/AgEAMAsGA1UdDwQE
-AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAjMl+eagpToF/4ni8kWwzCGcB0Hb2UQSt
-ojRNWU+rt+WAYAEeFiBgqe+lJwE2eiAddh/77/x/ALCW0EHI2PAc3tzICwlXhfQr
-jkl2azLqDYd5FWOA7AryPn7h7HHuMld3m4Wn+zscub5Z1BT4hGOo+UYaGEsYnAiQ
-T3267Ey16KllgfqsjCx3CXinRHsYAZPmu/XtQJAEs3i33XCbxr2jWKmnV/nlDR+t
-hwTK1UViXE/6ntQZgwpzX/bCZX1ulm72ZjuNkAooCokXLxK6OtpqDSH4BESuv0nr
-mADGy8NaASredDmZQzSYlHbcy+OWEDsIFQ5gjQyVmWikOM8fWp9/lw==
+AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAecKQJtGoDLDl+F9rKQYXv98yXgjEJxgt
+gxQwYztAiSpo0mVNaKfWpWzGYp0UupnFp+ooNNyC8P3wAsm++KZ1h79+uztdxMZ+
+qq+XoV6sUfheYuVXoN/yiqjj2yzArkBlOhlq1WUwPZcfEO/nftGB5bB2JXBSIlH3
+RRcTf+bxdk/vpv3ZRaHlqxu4c719UeNhcuXDh1HBt4LQCGMh9c3ECrwNm/DYWmMA
++FFIFPhejOel+WOFyp0JYno9HLuQcm0587hi+ivEMfqGResrfV0JiFh5uroPZCwc
+IRJSUQ8F8LPCU99mPBRZgjXu72UVYYwA+Dqzp4rVTWrJT58f+R5eDQ==
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainG-ICA2-pathlen1.pem b/certs/test-pathlen/chainG-ICA2-pathlen1.pem
index 77f262920..8292b7e26 100644
--- a/certs/test-pathlen/chainG-ICA2-pathlen1.pem
+++ b/certs/test-pathlen/chainG-ICA2-pathlen1.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA3-pathlen99/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA3-pathlen99, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA2-pathlen1/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA2-pathlen1, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d7:3e:de:b9:f9:a9:d7:8e:7a:4b:f2:f1:8c:f9:
                     3b:1c:ce:59:31:4c:57:0c:2e:8a:0f:90:f0:dc:27:
@@ -44,27 +44,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         a1:c0:5b:84:8c:71:03:de:30:a6:b7:22:98:7d:83:a6:48:46:
-         45:db:8a:e1:35:f9:41:28:9e:7c:0a:e0:20:f4:00:75:6a:91:
-         be:6b:57:96:60:15:46:71:ce:b4:b4:e0:a6:62:f1:a7:6a:3d:
-         7c:a5:94:16:09:a4:89:3b:51:86:f7:87:eb:a6:fb:1d:e1:f6:
-         50:8d:68:88:d7:1a:99:6d:3d:5d:ca:53:bc:28:c0:83:d2:f0:
-         50:4f:33:63:a8:5b:e6:62:4e:e6:af:d5:b2:5d:45:5b:33:04:
-         1f:ec:4c:a6:af:f7:be:dd:c9:2b:58:e0:09:a6:5c:4d:c1:a5:
-         ad:eb:fb:72:31:6c:3d:6f:65:de:02:db:39:ee:02:06:57:b1:
-         28:05:2c:97:2f:04:9b:37:d4:b6:cd:95:27:f0:c9:be:56:9d:
-         69:77:fe:45:7a:22:c2:29:29:5f:a6:be:7d:ab:3c:d5:dd:08:
-         b7:89:d9:0c:09:15:66:f7:a8:f6:77:57:94:5f:94:ab:4e:c7:
-         54:b7:ee:8a:9b:d2:4b:9e:fa:33:2b:90:f6:05:dd:db:d0:f2:
-         de:45:b9:e5:ca:51:9d:73:03:d6:bb:c4:d3:9a:3d:15:4a:f7:
-         c1:58:3a:64:00:90:57:1e:1a:6b:40:50:3c:a3:b4:46:05:26:
-         26:50:01:e1
+         61:25:84:4e:d6:3d:e5:bf:37:0f:b8:04:2b:62:fb:1d:83:fc:
+         31:27:f9:1a:07:26:b7:72:12:09:ab:3c:d6:59:7c:31:66:67:
+         6e:8e:c5:bd:60:9a:16:f4:08:58:77:c4:50:cf:75:67:65:88:
+         42:d7:eb:f9:12:44:cc:5d:1a:89:c8:4d:54:87:63:0c:12:37:
+         94:3f:71:b1:8d:69:58:03:20:10:b9:96:6f:c0:5e:59:02:e2:
+         f6:e7:b4:63:0d:e4:b9:7a:89:1f:e1:6e:53:4d:30:37:f0:cf:
+         e4:98:5f:6e:10:83:dc:43:bb:77:58:18:0e:a5:10:48:3c:cc:
+         a0:7f:59:bc:a4:ce:12:28:9e:52:02:5c:71:79:14:b9:96:5f:
+         d8:10:41:6f:91:49:b6:c2:91:d4:b0:b8:25:4c:ff:49:0f:9b:
+         74:38:e0:a4:f8:52:5a:3b:a0:4d:c1:68:76:b1:2e:90:6a:94:
+         0f:c0:00:4e:af:19:5d:a5:ed:32:29:49:56:0d:91:8b:3c:3d:
+         72:6a:50:58:c7:e1:77:3f:3a:8b:c0:e2:d6:63:4a:fa:2a:28:
+         7b:35:3a:18:98:12:b4:e5:a0:7c:23:c1:62:d9:64:e0:99:db:
+         27:de:24:d2:92:78:9d:c1:6a:38:81:18:0a:4a:98:60:c4:75:
+         c0:4e:d1:7c
 -----BEGIN CERTIFICATE-----
 MIIE1DCCA7ygAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBojELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHjAcBgNVBAMMFWNo
 YWluRy1JQ0EzLXBhdGhsZW45OTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns
-LmNvbTAeFw0yMTAyMTAxOTQ5NTRaFw0yMzExMDcxOTQ5NTRaMIGhMQswCQYDVQQG
+LmNvbTAeFw0yMTEyMjAyMzA3MjVaFw0yNDA5MTUyMzA3MjVaMIGhMQswCQYDVQQG
 EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEVMBMG
 A1UECgwMd29sZlNTTCBJbmMuMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEdMBsGA1UE
 AwwUY2hhaW5HLUlDQTItcGF0aGxlbjExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s
@@ -80,10 +80,10 @@ gaExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
 ZWF0dGxlMRUwEwYDVQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVy
 aW5nMR0wGwYDVQQDDBRjaGFpbkctSUNBNC1wYXRobGVuNTEfMB0GCSqGSIb3DQEJ
 ARYQaW5mb0B3b2xmc3NsLmNvbYIBZDAPBgNVHRMECDAGAQH/AgEBMAsGA1UdDwQE
-AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAocBbhIxxA94wprcimH2DpkhGRduK4TX5
-QSiefArgIPQAdWqRvmtXlmAVRnHOtLTgpmLxp2o9fKWUFgmkiTtRhveH66b7HeH2
-UI1oiNcamW09XcpTvCjAg9LwUE8zY6hb5mJO5q/Vsl1FWzMEH+xMpq/3vt3JK1jg
-CaZcTcGlrev7cjFsPW9l3gLbOe4CBlexKAUsly8EmzfUts2VJ/DJvladaXf+RXoi
-wikpX6a+fas81d0It4nZDAkVZveo9ndXlF+Uq07HVLfuipvSS576MyuQ9gXd29Dy
-3kW55cpRnXMD1rvE05o9FUr3wVg6ZACQVx4aa0BQPKO0RgUmJlAB4Q==
+AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAYSWETtY95b83D7gEK2L7HYP8MSf5Ggcm
+t3ISCas81ll8MWZnbo7FvWCaFvQIWHfEUM91Z2WIQtfr+RJEzF0aichNVIdjDBI3
+lD9xsY1pWAMgELmWb8BeWQLi9ue0Yw3kuXqJH+FuU00wN/DP5JhfbhCD3EO7d1gY
+DqUQSDzMoH9ZvKTOEiieUgJccXkUuZZf2BBBb5FJtsKR1LC4JUz/SQ+bdDjgpPhS
+WjugTcFodrEukGqUD8AATq8ZXaXtMilJVg2Rizw9cmpQWMfhdz86i8Di1mNK+ioo
+ezU6GJgStOWgfCPBYtlk4JnbJ94k0pJ4ncFqOIEYCkqYYMR1wE7RfA==
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainG-ICA3-pathlen99.pem b/certs/test-pathlen/chainG-ICA3-pathlen99.pem
index 4bf51f905..da5a61183 100644
--- a/certs/test-pathlen/chainG-ICA3-pathlen99.pem
+++ b/certs/test-pathlen/chainG-ICA3-pathlen99.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA4-pathlen5/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA4-pathlen5, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA3-pathlen99/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA3-pathlen99, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:ac:f1:39:65:f7:9c:9d:f6:f0:d2:b7:18:16:24:
                     81:32:b7:a5:29:d6:f7:4e:31:38:a7:54:d6:eb:07:
@@ -44,27 +44,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         69:05:fe:91:03:94:51:f1:c0:60:19:98:dc:ed:ad:20:22:35:
-         ff:49:1d:02:25:86:df:b2:3d:fa:da:97:af:04:95:c4:d8:4f:
-         f6:46:9d:48:e7:e5:f3:87:97:5b:33:6d:f5:22:d3:cf:04:fc:
-         e1:5f:66:00:89:90:1b:80:1e:5d:46:35:28:47:b1:b8:c5:68:
-         91:bd:a1:fa:19:b2:f8:bc:d0:ce:48:65:76:7a:32:ff:6b:55:
-         94:d5:a6:3f:34:ba:09:18:6c:93:e3:2d:fa:4c:f9:6d:ef:5b:
-         db:a2:cf:cb:86:62:86:cb:72:d6:3e:b0:2f:6a:85:ae:a3:5e:
-         84:de:04:c0:ed:90:2f:51:20:e0:34:00:09:a8:b8:b0:24:47:
-         23:5c:82:3c:dc:d4:1a:67:67:38:20:bc:c2:c9:f7:03:b0:f1:
-         f8:c6:b1:29:42:ae:34:fc:f0:79:81:8c:5b:e7:e2:2c:79:e9:
-         6d:bc:89:81:64:ae:ec:e3:33:c0:7c:9a:f9:f4:3b:d6:a9:88:
-         8b:cf:8c:c8:76:58:03:2b:2a:98:c2:b9:c0:8b:23:05:68:0d:
-         1c:b3:d9:06:00:a7:d7:c5:5e:28:a6:46:3f:d6:64:0e:9b:a5:
-         0e:5b:11:18:3a:0b:17:36:ba:e9:28:94:41:d9:d8:3b:b2:4f:
-         32:8f:93:d9
+         28:1f:8c:fa:52:d4:c8:b6:02:c3:e2:b9:4f:36:16:50:e5:78:
+         0a:82:87:d3:d1:d1:28:0d:e6:d3:73:4d:51:19:24:0e:84:a8:
+         f5:73:b9:ad:93:4f:89:6e:df:c6:4f:76:0e:80:d9:26:34:4c:
+         63:6d:d7:ee:f9:27:e6:43:6a:2d:32:51:6e:f2:6f:8d:79:21:
+         9e:f8:e9:be:9c:ff:56:88:58:5c:2a:cc:80:af:34:bf:52:86:
+         0c:b5:61:83:72:c7:91:88:2c:07:66:9c:99:17:2e:d1:50:d5:
+         cf:9b:a9:68:5c:35:ea:c4:af:7f:02:ba:fb:9a:9b:34:9e:41:
+         ce:57:e3:00:b7:94:0c:ed:a5:73:7f:bf:df:4a:bc:a4:44:59:
+         db:8a:f4:a9:fc:9f:ee:2a:d7:4c:76:af:8a:4e:24:c6:00:75:
+         6a:ee:5a:89:e3:71:5f:5f:71:7a:6b:80:ab:71:58:b1:2a:2a:
+         87:1a:d5:ca:e2:03:77:23:52:f9:0f:ab:fb:fd:a5:3f:cd:86:
+         eb:76:65:8b:47:ba:4d:4d:cb:93:c4:ba:a3:e9:d2:7b:55:71:
+         64:d5:06:c6:a7:31:1d:30:cf:a5:1b:27:02:59:15:b9:78:d9:
+         bd:89:ea:06:4f:2f:24:02:51:11:77:ba:8f:c3:b6:92:9d:2f:
+         68:d4:3f:42
 -----BEGIN CERTIFICATE-----
 MIIE1TCCA72gAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluRy1JQ0E0LXBhdGhsZW41MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgaIxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgaIxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMR4wHAYDVQQD
 DBVjaGFpbkctSUNBMy1wYXRobGVuOTkxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s
@@ -80,10 +80,10 @@ gaIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
 ZWF0dGxlMRUwEwYDVQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVy
 aW5nMR4wHAYDVQQDDBVjaGFpbkctSUNBNS1wYXRobGVuMjAxHzAdBgkqhkiG9w0B
 CQEWEGluZm9Ad29sZnNzbC5jb22CAWQwDwYDVR0TBAgwBgEB/wIBYzALBgNVHQ8E
-BAMCAQYwDQYJKoZIhvcNAQELBQADggEBAGkF/pEDlFHxwGAZmNztrSAiNf9JHQIl
-ht+yPfral68ElcTYT/ZGnUjn5fOHl1szbfUi088E/OFfZgCJkBuAHl1GNShHsbjF
-aJG9ofoZsvi80M5IZXZ6Mv9rVZTVpj80ugkYbJPjLfpM+W3vW9uiz8uGYobLctY+
-sC9qha6jXoTeBMDtkC9RIOA0AAmouLAkRyNcgjzc1BpnZzggvMLJ9wOw8fjGsSlC
-rjT88HmBjFvn4ix56W28iYFkruzjM8B8mvn0O9apiIvPjMh2WAMrKpjCucCLIwVo
-DRyz2QYAp9fFXiimRj/WZA6bpQ5bERg6Cxc2uukolEHZ2DuyTzKPk9k=
+BAMCAQYwDQYJKoZIhvcNAQELBQADggEBACgfjPpS1Mi2AsPiuU82FlDleAqCh9PR
+0SgN5tNzTVEZJA6EqPVzua2TT4lu38ZPdg6A2SY0TGNt1+75J+ZDai0yUW7yb415
+IZ746b6c/1aIWFwqzICvNL9Shgy1YYNyx5GILAdmnJkXLtFQ1c+bqWhcNerEr38C
+uvuamzSeQc5X4wC3lAztpXN/v99KvKREWduK9Kn8n+4q10x2r4pOJMYAdWruWonj
+cV9fcXprgKtxWLEqKoca1criA3cjUvkPq/v9pT/Nhut2ZYtHuk1Ny5PEuqPp0ntV
+cWTVBsanMR0wz6UbJwJZFbl42b2J6gZPLyQCURF3uo/DtpKdL2jUP0I=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainG-ICA4-pathlen5.pem b/certs/test-pathlen/chainG-ICA4-pathlen5.pem
index fb4723c4f..abcfa3100 100644
--- a/certs/test-pathlen/chainG-ICA4-pathlen5.pem
+++ b/certs/test-pathlen/chainG-ICA4-pathlen5.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA5-pathlen20/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA5-pathlen20, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA4-pathlen5/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA4-pathlen5, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:c9:4b:a0:77:b8:42:43:96:e1:f4:8d:1d:a6:2c:
                     d8:12:a2:40:49:11:eb:5f:fb:6c:1d:15:3e:af:dd:
@@ -44,27 +44,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         b0:8e:1a:de:7d:55:b1:c3:4e:4e:df:a0:bb:0a:a7:41:78:11:
-         47:17:0a:c1:85:2f:7a:0c:2a:f5:79:e5:b9:c7:a3:cf:a4:03:
-         8a:ec:db:4b:ac:31:e0:b1:b2:d2:74:09:a6:70:90:30:01:68:
-         c7:07:a0:28:b0:0b:b7:0e:9c:d6:de:4c:f0:62:69:a4:82:f1:
-         80:79:e6:65:15:09:88:26:ae:4d:7e:fd:7b:9f:7a:e8:3b:d6:
-         11:fe:7c:9d:c4:de:90:14:1a:1a:29:7c:a4:80:e9:55:1d:17:
-         18:d3:45:84:ec:5f:42:35:ea:09:b2:67:f0:5f:71:b9:12:d5:
-         88:2a:20:e3:7f:e5:c3:ac:d7:6e:4c:97:3c:aa:ca:f2:ba:d7:
-         37:6b:ba:b8:e7:1a:f5:60:2b:41:7a:f4:68:50:91:ff:00:ab:
-         73:05:ad:0f:b3:48:c5:73:dd:44:3f:16:1f:11:3b:ab:78:8c:
-         e3:20:2a:24:31:ad:8d:3f:74:2b:2c:c1:08:75:9a:c8:6c:6b:
-         43:62:cb:e1:6d:70:ce:f5:64:7c:31:60:c1:6c:fc:37:2f:1b:
-         59:bc:28:97:11:de:df:50:5b:38:5d:a6:dd:b6:1c:f0:f3:dd:
-         07:c4:4b:fa:f9:3a:fd:06:b1:64:64:fa:46:2f:93:52:3f:19:
-         eb:e0:2b:7a
+         2f:a8:0b:e3:eb:e0:fe:e8:82:f8:b7:2d:c2:14:e6:e8:59:8d:
+         e1:6d:50:f7:45:65:d5:4f:7b:6d:1e:d9:44:86:25:a7:56:55:
+         07:46:e0:3f:d9:00:24:f2:61:e2:6a:4f:a8:df:7e:29:41:d0:
+         31:3e:2d:b6:31:09:4e:f5:59:c7:0f:8c:c1:ba:b4:c0:39:2f:
+         ec:d6:a4:4a:0b:6f:bd:87:45:6d:33:2c:b1:14:2c:bc:9e:30:
+         ca:57:57:bc:b8:ec:fd:76:fd:ab:f5:63:3d:ef:16:cf:e8:cb:
+         59:d5:28:0e:8c:36:a8:8d:d7:b8:0f:2a:33:5e:d3:53:19:86:
+         12:64:b3:dc:b6:b8:c9:e3:54:73:7f:0a:ea:c3:ce:95:c4:c1:
+         72:0c:58:ff:4f:2e:ae:f5:27:60:0b:c3:c9:19:3e:94:65:64:
+         2a:1a:bc:03:a4:86:1a:c4:a2:98:c4:9e:63:42:f7:cd:eb:d0:
+         04:f3:33:96:8a:a3:df:36:4c:ff:37:c3:4e:58:61:3a:c4:79:
+         cd:5f:0a:09:d0:15:69:22:2d:8b:c7:27:3e:ab:5c:15:83:96:
+         25:bf:7b:00:7e:34:fa:9e:1a:65:13:eb:cd:4e:22:5e:15:8d:
+         6f:74:c9:31:f9:0e:b0:55:54:72:02:38:3f:92:43:01:d9:57:
+         51:50:03:d9
 -----BEGIN CERTIFICATE-----
 MIIE1TCCA72gAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBojELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHjAcBgNVBAMMFWNo
 YWluRy1JQ0E1LXBhdGhsZW4yMDEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns
-LmNvbTAeFw0yMTAyMTAxOTQ5NTRaFw0yMzExMDcxOTQ5NTRaMIGhMQswCQYDVQQG
+LmNvbTAeFw0yMTEyMjAyMzA3MjVaFw0yNDA5MTUyMzA3MjVaMIGhMQswCQYDVQQG
 EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEVMBMG
 A1UECgwMd29sZlNTTCBJbmMuMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEdMBsGA1UE
 AwwUY2hhaW5HLUlDQTQtcGF0aGxlbjUxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s
@@ -80,10 +80,10 @@ gaIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
 ZWF0dGxlMRUwEwYDVQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVy
 aW5nMR4wHAYDVQQDDBVjaGFpbkctSUNBNi1wYXRobGVuMTAxHzAdBgkqhkiG9w0B
 CQEWEGluZm9Ad29sZnNzbC5jb22CAWQwDwYDVR0TBAgwBgEB/wIBBTALBgNVHQ8E
-BAMCAQYwDQYJKoZIhvcNAQELBQADggEBALCOGt59VbHDTk7foLsKp0F4EUcXCsGF
-L3oMKvV55bnHo8+kA4rs20usMeCxstJ0CaZwkDABaMcHoCiwC7cOnNbeTPBiaaSC
-8YB55mUVCYgmrk1+/Xufeug71hH+fJ3E3pAUGhopfKSA6VUdFxjTRYTsX0I16gmy
-Z/BfcbkS1YgqION/5cOs125MlzyqyvK61zdrurjnGvVgK0F69GhQkf8Aq3MFrQ+z
-SMVz3UQ/Fh8RO6t4jOMgKiQxrY0/dCsswQh1mshsa0Niy+FtcM71ZHwxYMFs/Dcv
-G1m8KJcR3t9QWzhdpt22HPDz3QfES/r5Ov0GsWRk+kYvk1I/GevgK3o=
+BAMCAQYwDQYJKoZIhvcNAQELBQADggEBAC+oC+Pr4P7ogvi3LcIU5uhZjeFtUPdF
+ZdVPe20e2USGJadWVQdG4D/ZACTyYeJqT6jffilB0DE+LbYxCU71WccPjMG6tMA5
+L+zWpEoLb72HRW0zLLEULLyeMMpXV7y47P12/av1Yz3vFs/oy1nVKA6MNqiN17gP
+KjNe01MZhhJks9y2uMnjVHN/CurDzpXEwXIMWP9PLq71J2ALw8kZPpRlZCoavAOk
+hhrEopjEnmNC983r0ATzM5aKo982TP83w05YYTrEec1fCgnQFWkiLYvHJz6rXBWD
+liW/ewB+NPqeGmUT681OIl4VjW90yTH5DrBVVHICOD+SQwHZV1FQA9k=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainG-ICA5-pathlen20.pem b/certs/test-pathlen/chainG-ICA5-pathlen20.pem
index d8224fcc6..247061724 100644
--- a/certs/test-pathlen/chainG-ICA5-pathlen20.pem
+++ b/certs/test-pathlen/chainG-ICA5-pathlen20.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA6-pathlen10/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA6-pathlen10, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA5-pathlen20/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA5-pathlen20, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:be:9d:98:a2:41:ca:64:1f:a2:34:dc:51:7d:49:
                     2b:f7:f8:7a:fc:1a:22:8d:3a:17:8e:00:9c:74:06:
@@ -44,27 +44,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         c5:55:81:ae:d8:a9:00:b6:65:0b:41:2a:7c:7b:de:6a:24:15:
-         36:b8:8f:dd:c6:70:0d:ee:fd:a7:f1:55:c1:c2:77:1c:e7:2f:
-         cc:e0:78:81:57:2f:8f:c6:a6:c0:70:5d:aa:b1:2b:4d:30:2f:
-         f0:42:4e:be:06:7c:53:2d:65:c7:58:ae:02:d8:87:80:a0:48:
-         e5:4d:df:e6:de:c7:51:14:26:58:0d:9a:f7:f4:c4:32:95:98:
-         b7:9c:a0:92:a4:a6:c7:28:04:c0:1c:52:d3:ff:bb:f2:4f:08:
-         64:98:04:34:f1:ac:9f:ca:b2:a7:99:45:eb:a3:c9:b5:74:54:
-         c3:0e:fa:ba:fd:d2:a4:70:c4:ff:f2:f9:93:3a:1f:c8:95:ac:
-         42:de:45:e0:08:a9:5a:a8:3d:99:50:c3:f0:bb:c6:14:b6:68:
-         62:dd:f4:df:36:74:10:39:6f:18:de:4b:a7:64:fa:62:17:2f:
-         ba:e8:58:b8:7c:9d:2f:5d:43:c4:02:a9:03:69:8c:1a:ce:a8:
-         98:7b:53:72:a6:de:de:76:aa:4b:0b:4d:fd:7b:79:74:da:73:
-         a9:4f:79:1c:c5:8a:39:ee:90:c1:25:00:29:fa:d3:b1:13:4b:
-         3a:51:4e:8e:63:ee:4b:57:af:2f:29:91:98:c1:27:88:e0:69:
-         fc:3d:8b:91
+         29:ff:da:ab:a9:62:4b:ef:6b:0b:d4:a9:a1:96:83:21:2d:df:
+         20:7b:76:4d:be:4a:63:12:a7:54:af:c1:e4:38:75:6b:7a:47:
+         de:85:a0:c3:c4:a1:17:78:de:cc:15:d2:78:81:f4:ed:b7:f1:
+         42:88:be:b6:95:f6:7f:1d:dc:93:74:9a:8c:9b:0d:77:b4:3b:
+         86:f8:ef:ed:27:8a:d0:db:f0:08:b9:29:23:2c:25:27:80:81:
+         14:c3:7a:50:d6:88:77:64:a7:25:55:85:16:10:9f:3d:fb:83:
+         0f:75:8a:1d:6e:c6:23:6e:41:87:1e:98:f0:a9:1c:b7:6d:ab:
+         79:08:8d:42:63:3a:42:1f:a3:9e:97:93:04:2b:de:c6:fb:bc:
+         cb:03:af:77:17:61:a0:03:96:d0:1b:38:37:c3:d3:ba:90:7d:
+         2d:05:24:a0:af:62:8c:a9:7e:c2:88:59:ce:e6:c0:2f:1c:33:
+         92:cd:e9:ce:41:7a:a6:9d:e4:ba:bc:07:1f:9d:84:79:ca:e0:
+         63:cb:ed:34:c7:3c:a8:13:df:57:ce:8e:9a:13:5f:2d:31:72:
+         6e:81:65:53:62:a9:39:11:94:de:2c:c8:c5:94:66:d1:0e:4b:
+         84:ca:32:46:82:f8:c0:98:94:3b:bd:d4:be:f8:c2:f7:af:13:
+         e4:db:57:fa
 -----BEGIN CERTIFICATE-----
 MIIE1zCCA7+gAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBojELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHjAcBgNVBAMMFWNo
 YWluRy1JQ0E2LXBhdGhsZW4xMDEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns
-LmNvbTAeFw0yMTAyMTAxOTQ5NTRaFw0yMzExMDcxOTQ5NTRaMIGiMQswCQYDVQQG
+LmNvbTAeFw0yMTEyMjAyMzA3MjVaFw0yNDA5MTUyMzA3MjVaMIGiMQswCQYDVQQG
 EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEVMBMG
 A1UECgwMd29sZlNTTCBJbmMuMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEeMBwGA1UE
 AwwVY2hhaW5HLUlDQTUtcGF0aGxlbjIwMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
@@ -80,10 +80,10 @@ MIGjMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH
 U2VhdHRsZTEVMBMGA1UECgwMd29sZlNTTCBJbmMuMRQwEgYDVQQLDAtFbmdpbmVl
 cmluZzEfMB0GA1UEAwwWY2hhaW5HLUlDQTctcGF0aGxlbjEwMDEfMB0GCSqGSIb3
 DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIBZDAPBgNVHRMECDAGAQH/AgEUMAsGA1Ud
-DwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAxVWBrtipALZlC0EqfHveaiQVNriP
-3cZwDe79p/FVwcJ3HOcvzOB4gVcvj8amwHBdqrErTTAv8EJOvgZ8Uy1lx1iuAtiH
-gKBI5U3f5t7HURQmWA2a9/TEMpWYt5ygkqSmxygEwBxS0/+78k8IZJgENPGsn8qy
-p5lF66PJtXRUww76uv3SpHDE//L5kzofyJWsQt5F4AipWqg9mVDD8LvGFLZoYt30
-3zZ0EDlvGN5Lp2T6YhcvuuhYuHydL11DxAKpA2mMGs6omHtTcqbe3naqSwtN/Xt5
-dNpzqU95HMWKOe6QwSUAKfrTsRNLOlFOjmPuS1evLymRmMEniOBp/D2LkQ==
+DwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKf/aq6liS+9rC9SpoZaDIS3fIHt2
+Tb5KYxKnVK/B5Dh1a3pH3oWgw8ShF3jezBXSeIH07bfxQoi+tpX2fx3ck3SajJsN
+d7Q7hvjv7SeK0NvwCLkpIywlJ4CBFMN6UNaId2SnJVWFFhCfPfuDD3WKHW7GI25B
+hx6Y8Kkct22reQiNQmM6Qh+jnpeTBCvexvu8ywOvdxdhoAOW0Bs4N8PTupB9LQUk
+oK9ijKl+wohZzubALxwzks3pzkF6pp3kurwHH52EecrgY8vtNMc8qBPfV86OmhNf
+LTFyboFlU2KpORGU3izIxZRm0Q5LhMoyRoL4wJiUO73UvvjC968T5NtX+g==
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainG-ICA6-pathlen10.pem b/certs/test-pathlen/chainG-ICA6-pathlen10.pem
index 43dc4ff78..a50908d0a 100644
--- a/certs/test-pathlen/chainG-ICA6-pathlen10.pem
+++ b/certs/test-pathlen/chainG-ICA6-pathlen10.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA7-pathlen100/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA7-pathlen100, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA6-pathlen10/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA6-pathlen10, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:e1:4f:c9:e7:30:ea:06:ff:65:cb:2b:6c:f1:a8:
                     ac:f6:cf:10:6b:80:7a:af:5e:42:0a:0d:61:be:6f:
@@ -44,27 +44,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         73:70:e1:67:aa:a1:e6:31:8c:6b:c3:bd:0e:99:9f:f8:8c:18:
-         b4:40:c7:0c:2d:0f:03:66:92:0e:5e:91:1e:37:f3:4f:68:66:
-         3e:d4:4a:30:19:fe:44:fe:bb:11:22:23:10:db:8d:91:8a:45:
-         f8:71:48:b7:97:3d:9e:3d:c4:7c:3b:da:51:23:6e:76:3f:b5:
-         1c:a8:db:80:2f:fa:15:16:ea:f8:9b:1d:86:1d:02:94:cd:4a:
-         f2:7d:6d:c1:40:0d:2f:d0:f9:65:dc:39:41:93:e1:e2:ab:7b:
-         1f:c4:37:5f:3f:6e:af:4b:cb:d8:b2:21:e6:b4:73:13:8f:b6:
-         d6:e3:81:b5:e4:85:e3:3c:1a:ae:4b:79:86:29:a5:1b:ba:7d:
-         4a:4e:a3:22:94:33:49:64:46:ff:44:99:02:f7:f6:82:d6:76:
-         f0:a6:ff:5d:b3:58:df:a8:c4:00:00:33:8c:1e:17:72:8c:84:
-         d7:bd:17:7f:ff:2a:7a:7b:71:63:34:21:ad:3a:88:3c:2c:cf:
-         9b:77:c0:0c:ce:7d:d6:2d:56:0f:6f:6b:98:54:5e:0c:92:40:
-         eb:43:2e:4c:08:14:48:af:c9:80:34:59:ee:f8:e3:5f:3e:68:
-         aa:52:65:91:6f:ed:56:21:ff:1b:dc:d0:33:39:c4:e0:39:c7:
-         97:70:0e:8f
+         33:53:88:2d:1e:0e:04:6c:69:d4:b6:08:23:73:d1:31:02:7b:
+         a2:ed:ce:c6:58:8e:6a:fd:0e:1e:c7:73:8e:0e:b5:46:02:15:
+         c3:55:bf:96:8d:a7:cf:f3:3b:80:d9:8c:5d:a8:df:4e:f2:63:
+         e0:9b:04:8c:76:f5:fc:a7:7e:43:e9:da:a5:9a:31:3e:ae:a3:
+         f7:ae:20:14:e2:f8:a0:a0:18:74:2e:95:f7:30:24:b3:28:10:
+         7f:85:23:e7:6c:5d:9d:e5:a3:f0:75:63:a6:ae:62:aa:7b:3d:
+         e3:c9:27:4a:35:29:85:83:9a:ac:c0:f8:21:1e:8b:c4:b9:90:
+         2e:83:6a:07:de:4c:3a:24:2a:2b:32:33:8d:85:d9:e1:97:a0:
+         ae:8c:ae:10:f2:77:87:f6:73:7a:21:0f:4a:6b:7a:8e:82:bc:
+         85:10:78:12:37:7c:ab:46:3c:78:32:bf:7a:1c:85:7c:b9:81:
+         e0:b8:32:41:c9:af:db:f6:3c:8c:5d:01:f2:8a:d2:0c:42:1c:
+         d2:05:ee:f1:a5:1a:42:d6:c5:d9:93:38:e0:f6:d3:25:55:6b:
+         81:4a:1e:10:68:6a:29:d9:59:49:14:b9:84:46:99:c5:d6:fc:
+         c7:ec:75:38:30:08:5a:58:96:cf:3c:43:6b:73:21:1d:f6:d8:
+         01:2d:28:5a
 -----BEGIN CERTIFICATE-----
 MIIEyTCCA7GgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNo
 YWluRy1JQ0E3LXBhdGhsZW4xMDAxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
-bC5jb20wHhcNMjEwMjEwMTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBojELMAkGA1UE
+bC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBojELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHjAcBgNV
 BAMMFWNoYWluRy1JQ0E2LXBhdGhsZW4xMDEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
@@ -80,10 +80,10 @@ lzCBlDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0Jv
 emVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgw
 FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s
 ZnNzbC5jb22CAWQwDwYDVR0TBAgwBgEB/wIBCjALBgNVHQ8EBAMCAQYwDQYJKoZI
-hvcNAQELBQADggEBAHNw4WeqoeYxjGvDvQ6Zn/iMGLRAxwwtDwNmkg5ekR43809o
-Zj7USjAZ/kT+uxEiIxDbjZGKRfhxSLeXPZ49xHw72lEjbnY/tRyo24Av+hUW6vib
-HYYdApTNSvJ9bcFADS/Q+WXcOUGT4eKrex/EN18/bq9Ly9iyIea0cxOPttbjgbXk
-heM8Gq5LeYYppRu6fUpOoyKUM0lkRv9EmQL39oLWdvCm/12zWN+oxAAAM4weF3KM
-hNe9F3//Knp7cWM0Ia06iDwsz5t3wAzOfdYtVg9va5hUXgySQOtDLkwIFEivyYA0
-We74418+aKpSZZFv7VYh/xvc0DM5xOA5x5dwDo8=
+hvcNAQELBQADggEBADNTiC0eDgRsadS2CCNz0TECe6LtzsZYjmr9Dh7Hc44OtUYC
+FcNVv5aNp8/zO4DZjF2o307yY+CbBIx29fynfkPp2qWaMT6uo/euIBTi+KCgGHQu
+lfcwJLMoEH+FI+dsXZ3lo/B1Y6auYqp7PePJJ0o1KYWDmqzA+CEei8S5kC6Dagfe
+TDokKisyM42F2eGXoK6MrhDyd4f2c3ohD0preo6CvIUQeBI3fKtGPHgyv3ochXy5
+geC4MkHJr9v2PIxdAfKK0gxCHNIF7vGlGkLWxdmTOOD20yVVa4FKHhBoainZWUkU
+uYRGmcXW/MfsdTgwCFpYls88Q2tzIR322AEtKFo=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainG-ICA7-pathlen100.pem b/certs/test-pathlen/chainG-ICA7-pathlen100.pem
index e072feaa6..edac83949 100644
--- a/certs/test-pathlen/chainG-ICA7-pathlen100.pem
+++ b/certs/test-pathlen/chainG-ICA7-pathlen100.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA7-pathlen100/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA7-pathlen100, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d6:8c:d6:c4:29:20:60:9d:15:3d:0c:2a:fb:24:
                     2f:38:89:ed:37:c4:fc:57:67:2a:50:d8:eb:e2:6a:
@@ -37,34 +37,34 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE, pathlen:100
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         26:72:76:89:e5:6a:e9:31:30:3d:c1:cf:15:f4:3f:dd:43:f0:
-         6d:53:94:8b:90:fe:ea:94:93:bf:57:60:84:b5:a9:39:8b:a6:
-         89:65:82:ce:f7:77:1e:ee:7a:65:a8:5d:dc:6f:13:5d:55:94:
-         b5:ac:d2:24:ff:f1:f7:8e:49:91:da:86:b9:b6:c7:03:39:e9:
-         a1:9b:78:f8:86:85:ab:a6:77:23:e5:02:33:83:e4:a1:c2:e7:
-         ae:36:22:4c:2e:a3:81:44:2a:bf:ad:a5:a3:05:c0:7a:3f:c8:
-         bc:e9:72:4b:04:1a:82:72:18:6a:8b:4d:2b:c2:53:dd:28:a5:
-         d5:5d:b1:87:8a:a2:a7:3a:31:43:c2:79:45:27:61:a7:c1:9d:
-         ae:8c:b7:cb:05:6f:04:2a:d7:1f:64:52:dd:ad:9a:b7:69:12:
-         2e:82:d2:93:32:f2:03:df:3d:6c:07:6f:13:1d:28:af:ef:86:
-         04:de:d6:15:3f:31:37:ff:42:32:8f:9c:64:d5:4f:55:81:3e:
-         c8:01:95:51:cd:18:2d:57:9f:30:5c:b5:a8:bc:2e:3e:63:57:
-         07:48:ea:ad:23:9f:25:8d:8b:3e:de:8c:6f:a1:52:79:37:a1:
-         99:6f:df:0d:84:d9:8d:d8:db:d1:34:60:9e:3b:36:12:df:7b:
-         f5:fb:59:1a
+         4f:97:12:76:60:f0:fd:24:ca:f2:c4:89:6a:90:28:86:fe:1b:
+         19:f8:fc:f8:b9:89:8e:8c:06:56:d5:89:a8:73:6a:11:b2:6f:
+         ce:f1:35:e4:3e:3c:8f:d5:a4:95:b9:24:16:41:2b:0b:04:29:
+         df:03:52:3f:82:2b:be:fb:74:29:b6:36:6e:dd:28:56:e8:e3:
+         85:c4:94:5b:9c:4e:09:0f:c0:bd:79:2a:08:a6:b6:54:0c:24:
+         d6:00:d8:29:d8:ff:d8:44:57:30:25:b3:28:24:f8:25:36:b6:
+         e6:44:6c:72:0a:7a:fc:0d:b4:9e:77:b8:80:36:49:e6:47:7a:
+         dd:c9:e5:27:57:11:52:f1:44:96:a0:9c:6f:f4:3f:35:bd:81:
+         4d:a6:61:ed:ef:43:95:13:a3:57:19:1a:70:34:5e:7c:a9:b9:
+         c6:c6:a0:7c:35:d5:5f:98:9f:9b:33:f3:d2:fd:57:08:db:80:
+         bd:fa:2a:0b:44:f8:3b:97:75:9f:e6:83:50:92:6c:82:02:7f:
+         32:ed:7b:52:4d:2d:c1:cf:0c:c1:09:6f:3f:63:49:9b:e1:25:
+         7c:c5:33:49:f6:68:e4:7e:67:33:67:54:1c:49:99:8c:bf:3a:
+         aa:1c:ee:0d:d1:7b:29:6a:70:b4:47:cb:b4:d9:95:57:cf:59:
+         44:85:19:54
 -----BEGIN CERTIFICATE-----
-MIIEwzCCA6ugAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEzjCCA7agAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBozELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBozELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoMDHdvbGZTU0wg
 SW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNoYWluRy1JQ0E3
 LXBhdGhsZW4xMDAxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEi
@@ -74,16 +74,16 @@ xPxXZypQ2OviahxZBvJtPrlP/knFIcAW+ClvUQzqeNcOFUHaWssL4FTWg/0P6E4w
 /RYKOrjHI0uv4M0SXp9PYhPwyOTiqAHTN7AIIdMPbOTYwQRR6UzFsW3MYyOXMO7w
 Hqtt6pPKrVZvHu0arowbkQTqq50bO1anwcwvOS+zuowW/V4QEJ4k6kCXdLa05RzA
 0195LARDOo70sVa9xyVjXDRQTb0t8Qi9jD7Sb/rkBKFR69DQkJGXe0bGEJKvAgMB
-AAGjggENMIIBCTAdBgNVHQ4EFgQUEuSkGYWuhbfW62ME1bmwfldfDBYwgckGA1Ud
-IwSBwTCBvoAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYT
+AAGjggEYMIIBFDAdBgNVHQ4EFgQUEuSkGYWuhbfW62ME1bmwfldfDBYwgdQGA1Ud
+IwSBzDCByYAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYT
 AlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQK
 DAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3Lndv
-bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggkAqtM/
-rBgKN00wDwYDVR0TBAgwBgEB/wIBZDALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEL
-BQADggEBACZydonlaukxMD3BzxX0P91D8G1TlIuQ/uqUk79XYIS1qTmLpollgs73
-dx7uemWoXdxvE11VlLWs0iT/8feOSZHahrm2xwM56aGbePiGhaumdyPlAjOD5KHC
-5642Ikwuo4FEKr+tpaMFwHo/yLzpcksEGoJyGGqLTSvCU90opdVdsYeKoqc6MUPC
-eUUnYafBna6Mt8sFbwQq1x9kUt2tmrdpEi6C0pMy8gPfPWwHbxMdKK/vhgTe1hU/
-MTf/QjKPnGTVT1WBPsgBlVHNGC1XnzBctai8Lj5jVwdI6q0jnyWNiz7ejG+hUnk3
-oZlv3w2E2Y3Y29E0YJ47NhLfe/X7WRo=
+bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tghR9lHCI
+ugdCjaqvT77CGkjw0UDmQjAPBgNVHRMECDAGAQH/AgFkMAsGA1UdDwQEAwIBBjAN
+BgkqhkiG9w0BAQsFAAOCAQEAT5cSdmDw/STK8sSJapAohv4bGfj8+LmJjowGVtWJ
+qHNqEbJvzvE15D48j9WklbkkFkErCwQp3wNSP4Irvvt0KbY2bt0oVujjhcSUW5xO
+CQ/AvXkqCKa2VAwk1gDYKdj/2ERXMCWzKCT4JTa25kRscgp6/A20nne4gDZJ5kd6
+3cnlJ1cRUvFElqCcb/Q/Nb2BTaZh7e9DlROjVxkacDRefKm5xsagfDXVX5ifmzPz
+0v1XCNuAvfoqC0T4O5d1n+aDUJJsggJ/Mu17Uk0twc8MwQlvP2NJm+ElfMUzSfZo
+5H5nM2dUHEmZjL86qhzuDdF7KWpwtEfLtNmVV89ZRIUZVA==
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainG-assembled.pem b/certs/test-pathlen/chainG-assembled.pem
index 0ab84a773..a3a1e521a 100644
--- a/certs/test-pathlen/chainG-assembled.pem
+++ b/certs/test-pathlen/chainG-assembled.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 101 (0x65)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA1-pathlen0/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA1-pathlen0, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-entity/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-entity, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:bb:7b:82:23:a2:34:e7:cb:89:4e:64:cc:f2:98:
                     c8:65:8f:e2:69:55:54:4b:3c:8b:c0:1f:67:37:7f:
@@ -42,27 +42,27 @@ Certificate:
             X509v3 Basic Constraints: 
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         43:1d:31:61:87:f5:7b:0d:77:84:eb:8b:be:45:c6:9f:a9:f8:
-         a0:af:a8:46:16:88:d7:08:0f:96:54:39:f7:ee:f5:6a:f4:11:
-         f7:49:a5:f4:36:36:8c:4d:95:07:87:35:d7:c9:07:3e:95:4f:
-         4e:aa:2f:f4:2f:2c:ea:4a:e7:5b:d9:54:19:a0:d5:da:16:e8:
-         ed:e4:0b:30:4a:1a:1d:12:c2:0f:12:ed:cb:53:ac:37:96:00:
-         c2:16:3b:9e:2e:96:2b:a0:fb:72:13:9c:5b:d8:34:ff:0f:d9:
-         ed:1f:1c:db:26:66:84:86:f4:23:9c:ea:76:39:4f:a7:0f:65:
-         af:f5:9e:2f:c8:7c:b6:57:71:14:e8:8a:61:73:f0:01:8a:e0:
-         96:f4:5b:cb:cb:e2:ed:d1:9c:42:f1:3d:b5:01:4f:bb:bc:46:
-         d8:af:ef:55:17:de:4b:2a:17:2b:e1:fd:86:b6:aa:65:0c:88:
-         7b:b9:6f:1f:9b:0d:15:28:a7:b3:7f:20:4c:c4:59:80:eb:ee:
-         72:fb:09:ad:cd:3e:40:d0:dc:69:7c:3f:09:77:f8:3f:65:28:
-         21:3d:12:c0:56:c9:50:a0:3c:29:9f:45:5b:7b:c1:24:a3:3c:
-         88:32:24:85:28:bd:b1:f1:ff:0e:33:75:b0:74:cf:d5:46:37:
-         d5:c8:aa:13
+         ca:65:da:90:a0:ff:8b:98:db:33:6e:3c:4d:f1:43:81:53:a7:
+         99:fb:d5:84:2c:30:9d:88:e6:2e:cb:1d:d7:69:a5:8b:c3:c7:
+         25:52:4d:60:d2:48:d8:fa:82:ef:a2:d4:77:ff:e2:67:28:fa:
+         4e:e8:ec:39:39:61:c4:93:d7:5e:7e:75:5c:68:00:15:c0:0e:
+         08:60:18:03:d8:ff:a7:a5:dc:39:03:61:44:3a:04:04:57:40:
+         b7:a5:0e:50:02:1d:98:1a:77:99:a9:0d:9c:0e:e5:96:ad:07:
+         24:0c:b9:29:cc:ad:7e:41:a7:54:a8:ab:6c:6a:47:2f:90:b4:
+         46:7f:9e:21:64:76:b5:27:f6:11:7f:5b:75:75:d9:e0:d8:5f:
+         f2:fa:0a:03:91:eb:58:a2:20:35:d4:e9:91:0e:2e:c2:94:b0:
+         06:d5:1e:a0:35:b9:35:2b:e3:c6:2b:72:6c:cc:bd:dc:5b:3f:
+         0b:55:b6:9b:57:49:7c:29:7e:a5:40:4a:58:ce:87:2f:db:aa:
+         1e:c0:34:fe:fc:cc:85:c6:e2:25:43:5e:2b:df:4a:ca:eb:74:
+         4f:59:93:df:ff:8e:93:32:45:19:27:58:6b:9d:d9:9b:bf:0b:
+         31:14:5d:c7:8b:05:a4:05:85:c8:f4:1c:24:df:8e:5f:cb:09:
+         ca:af:68:82
 -----BEGIN CERTIFICATE-----
 MIIEtzCCA5+gAwIBAgIBZTANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluRy1JQ0ExLXBhdGhsZW4wMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NVoXDTIzMTEwNzE5NDk1NVowgZoxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgZoxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRYwFAYDVQQD
 DA1jaGFpbkctZW50aXR5MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
@@ -77,27 +77,27 @@ VR0jBIHGMIHDgBRHwBlL7cTal7Fg6loKQm2l09glMaGBp6SBpDCBoTELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNV
 BAMMFGNoYWluRy1JQ0EyLXBhdGhsZW4xMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
-bGZzc2wuY29tggFkMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAEMdMWGH
-9XsNd4Tri75Fxp+p+KCvqEYWiNcID5ZUOffu9Wr0EfdJpfQ2NoxNlQeHNdfJBz6V
-T06qL/QvLOpK51vZVBmg1doW6O3kCzBKGh0Swg8S7ctTrDeWAMIWO54uliug+3IT
-nFvYNP8P2e0fHNsmZoSG9COc6nY5T6cPZa/1ni/IfLZXcRToimFz8AGK4Jb0W8vL
-4u3RnELxPbUBT7u8Rtiv71UX3ksqFyvh/Ya2qmUMiHu5bx+bDRUop7N/IEzEWYDr
-7nL7Ca3NPkDQ3Gl8Pwl3+D9lKCE9EsBWyVCgPCmfRVt7wSSjPIgyJIUovbHx/w4z
-dbB0z9VGN9XIqhM=
+bGZzc2wuY29tggFkMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAMpl2pCg
+/4uY2zNuPE3xQ4FTp5n71YQsMJ2I5i7LHddppYvDxyVSTWDSSNj6gu+i1Hf/4mco
++k7o7Dk5YcST115+dVxoABXADghgGAPY/6el3DkDYUQ6BARXQLelDlACHZgad5mp
+DZwO5ZatByQMuSnMrX5Bp1Soq2xqRy+QtEZ/niFkdrUn9hF/W3V12eDYX/L6CgOR
+61iiIDXU6ZEOLsKUsAbVHqA1uTUr48YrcmzMvdxbPwtVtptXSXwpfqVASljOhy/b
+qh7ANP78zIXG4iVDXivfSsrrdE9Zk9//jpMyRRknWGud2Zu/CzEUXceLBaQFhcj0
+HCTfjl/LCcqvaII=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA2-pathlen1/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA2-pathlen1, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA1-pathlen0/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA1-pathlen0, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d2:26:be:51:98:42:e0:1f:ae:fc:c2:cb:ba:d5:
                     0f:44:3b:0b:60:d8:49:ec:03:43:6b:06:ce:f2:28:
@@ -131,27 +131,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         8c:c9:7e:79:a8:29:4e:81:7f:e2:78:bc:91:6c:33:08:67:01:
-         d0:76:f6:51:04:ad:a2:34:4d:59:4f:ab:b7:e5:80:60:01:1e:
-         16:20:60:a9:ef:a5:27:01:36:7a:20:1d:76:1f:fb:ef:fc:7f:
-         00:b0:96:d0:41:c8:d8:f0:1c:de:dc:c8:0b:09:57:85:f4:2b:
-         8e:49:76:6b:32:ea:0d:87:79:15:63:80:ec:0a:f2:3e:7e:e1:
-         ec:71:ee:32:57:77:9b:85:a7:fb:3b:1c:b9:be:59:d4:14:f8:
-         84:63:a8:f9:46:1a:18:4b:18:9c:08:90:4f:7d:ba:ec:4c:b5:
-         e8:a9:65:81:fa:ac:8c:2c:77:09:78:a7:44:7b:18:01:93:e6:
-         bb:f5:ed:40:90:04:b3:78:b7:dd:70:9b:c6:bd:a3:58:a9:a7:
-         57:f9:e5:0d:1f:ad:87:04:ca:d5:45:62:5c:4f:fa:9e:d4:19:
-         83:0a:73:5f:f6:c2:65:7d:6e:96:6e:f6:66:3b:8d:90:0a:28:
-         0a:89:17:2f:12:ba:3a:da:6a:0d:21:f8:04:44:ae:bf:49:eb:
-         98:00:c6:cb:c3:5a:01:2a:de:74:39:99:43:34:98:94:76:dc:
-         cb:e3:96:10:3b:08:15:0e:60:8d:0c:95:99:68:a4:38:cf:1f:
-         5a:9f:7f:97
+         79:c2:90:26:d1:a8:0c:b0:e5:f8:5f:6b:29:06:17:bf:df:32:
+         5e:08:c4:27:18:2d:83:14:30:63:3b:40:89:2a:68:d2:65:4d:
+         68:a7:d6:a5:6c:c6:62:9d:14:ba:99:c5:a7:ea:28:34:dc:82:
+         f0:fd:f0:02:c9:be:f8:a6:75:87:bf:7e:bb:3b:5d:c4:c6:7e:
+         aa:af:97:a1:5e:ac:51:f8:5e:62:e5:57:a0:df:f2:8a:a8:e3:
+         db:2c:c0:ae:40:65:3a:19:6a:d5:65:30:3d:97:1f:10:ef:e7:
+         7e:d1:81:e5:b0:76:25:70:52:22:51:f7:45:17:13:7f:e6:f1:
+         76:4f:ef:a6:fd:d9:45:a1:e5:ab:1b:b8:73:bd:7d:51:e3:61:
+         72:e5:c3:87:51:c1:b7:82:d0:08:63:21:f5:cd:c4:0a:bc:0d:
+         9b:f0:d8:5a:63:00:f8:51:48:14:f8:5e:8c:e7:a5:f9:63:85:
+         ca:9d:09:62:7a:3d:1c:bb:90:72:6d:39:f3:b8:62:fa:2b:c4:
+         31:fa:86:45:eb:2b:7d:5d:09:88:58:79:ba:ba:0f:64:2c:1c:
+         21:12:52:51:0f:05:f0:b3:c2:53:df:66:3c:14:59:82:35:ee:
+         ef:65:15:61:8c:00:f8:3a:b3:a7:8a:d5:4d:6a:c9:4f:9f:1f:
+         f9:1e:5e:0d
 -----BEGIN CERTIFICATE-----
 MIIE1DCCA7ygAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluRy1JQ0EyLXBhdGhsZW4xMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgaExCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgaExCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMR0wGwYDVQQD
 DBRjaGFpbkctSUNBMS1wYXRobGVuMDEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm
@@ -167,26 +167,26 @@ ojELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1Nl
 YXR0bGUxFTATBgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJp
 bmcxHjAcBgNVBAMMFWNoYWluRy1JQ0EzLXBhdGhsZW45OTEfMB0GCSqGSIb3DQEJ
 ARYQaW5mb0B3b2xmc3NsLmNvbYIBZDAPBgNVHRMECDAGAQH/AgEAMAsGA1UdDwQE
-AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAjMl+eagpToF/4ni8kWwzCGcB0Hb2UQSt
-ojRNWU+rt+WAYAEeFiBgqe+lJwE2eiAddh/77/x/ALCW0EHI2PAc3tzICwlXhfQr
-jkl2azLqDYd5FWOA7AryPn7h7HHuMld3m4Wn+zscub5Z1BT4hGOo+UYaGEsYnAiQ
-T3267Ey16KllgfqsjCx3CXinRHsYAZPmu/XtQJAEs3i33XCbxr2jWKmnV/nlDR+t
-hwTK1UViXE/6ntQZgwpzX/bCZX1ulm72ZjuNkAooCokXLxK6OtpqDSH4BESuv0nr
-mADGy8NaASredDmZQzSYlHbcy+OWEDsIFQ5gjQyVmWikOM8fWp9/lw==
+AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAecKQJtGoDLDl+F9rKQYXv98yXgjEJxgt
+gxQwYztAiSpo0mVNaKfWpWzGYp0UupnFp+ooNNyC8P3wAsm++KZ1h79+uztdxMZ+
+qq+XoV6sUfheYuVXoN/yiqjj2yzArkBlOhlq1WUwPZcfEO/nftGB5bB2JXBSIlH3
+RRcTf+bxdk/vpv3ZRaHlqxu4c719UeNhcuXDh1HBt4LQCGMh9c3ECrwNm/DYWmMA
++FFIFPhejOel+WOFyp0JYno9HLuQcm0587hi+ivEMfqGResrfV0JiFh5uroPZCwc
+IRJSUQ8F8LPCU99mPBRZgjXu72UVYYwA+Dqzp4rVTWrJT58f+R5eDQ==
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA3-pathlen99/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA3-pathlen99, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA2-pathlen1/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA2-pathlen1, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d7:3e:de:b9:f9:a9:d7:8e:7a:4b:f2:f1:8c:f9:
                     3b:1c:ce:59:31:4c:57:0c:2e:8a:0f:90:f0:dc:27:
@@ -220,27 +220,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         a1:c0:5b:84:8c:71:03:de:30:a6:b7:22:98:7d:83:a6:48:46:
-         45:db:8a:e1:35:f9:41:28:9e:7c:0a:e0:20:f4:00:75:6a:91:
-         be:6b:57:96:60:15:46:71:ce:b4:b4:e0:a6:62:f1:a7:6a:3d:
-         7c:a5:94:16:09:a4:89:3b:51:86:f7:87:eb:a6:fb:1d:e1:f6:
-         50:8d:68:88:d7:1a:99:6d:3d:5d:ca:53:bc:28:c0:83:d2:f0:
-         50:4f:33:63:a8:5b:e6:62:4e:e6:af:d5:b2:5d:45:5b:33:04:
-         1f:ec:4c:a6:af:f7:be:dd:c9:2b:58:e0:09:a6:5c:4d:c1:a5:
-         ad:eb:fb:72:31:6c:3d:6f:65:de:02:db:39:ee:02:06:57:b1:
-         28:05:2c:97:2f:04:9b:37:d4:b6:cd:95:27:f0:c9:be:56:9d:
-         69:77:fe:45:7a:22:c2:29:29:5f:a6:be:7d:ab:3c:d5:dd:08:
-         b7:89:d9:0c:09:15:66:f7:a8:f6:77:57:94:5f:94:ab:4e:c7:
-         54:b7:ee:8a:9b:d2:4b:9e:fa:33:2b:90:f6:05:dd:db:d0:f2:
-         de:45:b9:e5:ca:51:9d:73:03:d6:bb:c4:d3:9a:3d:15:4a:f7:
-         c1:58:3a:64:00:90:57:1e:1a:6b:40:50:3c:a3:b4:46:05:26:
-         26:50:01:e1
+         61:25:84:4e:d6:3d:e5:bf:37:0f:b8:04:2b:62:fb:1d:83:fc:
+         31:27:f9:1a:07:26:b7:72:12:09:ab:3c:d6:59:7c:31:66:67:
+         6e:8e:c5:bd:60:9a:16:f4:08:58:77:c4:50:cf:75:67:65:88:
+         42:d7:eb:f9:12:44:cc:5d:1a:89:c8:4d:54:87:63:0c:12:37:
+         94:3f:71:b1:8d:69:58:03:20:10:b9:96:6f:c0:5e:59:02:e2:
+         f6:e7:b4:63:0d:e4:b9:7a:89:1f:e1:6e:53:4d:30:37:f0:cf:
+         e4:98:5f:6e:10:83:dc:43:bb:77:58:18:0e:a5:10:48:3c:cc:
+         a0:7f:59:bc:a4:ce:12:28:9e:52:02:5c:71:79:14:b9:96:5f:
+         d8:10:41:6f:91:49:b6:c2:91:d4:b0:b8:25:4c:ff:49:0f:9b:
+         74:38:e0:a4:f8:52:5a:3b:a0:4d:c1:68:76:b1:2e:90:6a:94:
+         0f:c0:00:4e:af:19:5d:a5:ed:32:29:49:56:0d:91:8b:3c:3d:
+         72:6a:50:58:c7:e1:77:3f:3a:8b:c0:e2:d6:63:4a:fa:2a:28:
+         7b:35:3a:18:98:12:b4:e5:a0:7c:23:c1:62:d9:64:e0:99:db:
+         27:de:24:d2:92:78:9d:c1:6a:38:81:18:0a:4a:98:60:c4:75:
+         c0:4e:d1:7c
 -----BEGIN CERTIFICATE-----
 MIIE1DCCA7ygAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBojELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHjAcBgNVBAMMFWNo
 YWluRy1JQ0EzLXBhdGhsZW45OTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns
-LmNvbTAeFw0yMTAyMTAxOTQ5NTRaFw0yMzExMDcxOTQ5NTRaMIGhMQswCQYDVQQG
+LmNvbTAeFw0yMTEyMjAyMzA3MjVaFw0yNDA5MTUyMzA3MjVaMIGhMQswCQYDVQQG
 EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEVMBMG
 A1UECgwMd29sZlNTTCBJbmMuMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEdMBsGA1UE
 AwwUY2hhaW5HLUlDQTItcGF0aGxlbjExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s
@@ -256,26 +256,26 @@ gaExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
 ZWF0dGxlMRUwEwYDVQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVy
 aW5nMR0wGwYDVQQDDBRjaGFpbkctSUNBNC1wYXRobGVuNTEfMB0GCSqGSIb3DQEJ
 ARYQaW5mb0B3b2xmc3NsLmNvbYIBZDAPBgNVHRMECDAGAQH/AgEBMAsGA1UdDwQE
-AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAocBbhIxxA94wprcimH2DpkhGRduK4TX5
-QSiefArgIPQAdWqRvmtXlmAVRnHOtLTgpmLxp2o9fKWUFgmkiTtRhveH66b7HeH2
-UI1oiNcamW09XcpTvCjAg9LwUE8zY6hb5mJO5q/Vsl1FWzMEH+xMpq/3vt3JK1jg
-CaZcTcGlrev7cjFsPW9l3gLbOe4CBlexKAUsly8EmzfUts2VJ/DJvladaXf+RXoi
-wikpX6a+fas81d0It4nZDAkVZveo9ndXlF+Uq07HVLfuipvSS576MyuQ9gXd29Dy
-3kW55cpRnXMD1rvE05o9FUr3wVg6ZACQVx4aa0BQPKO0RgUmJlAB4Q==
+AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAYSWETtY95b83D7gEK2L7HYP8MSf5Ggcm
+t3ISCas81ll8MWZnbo7FvWCaFvQIWHfEUM91Z2WIQtfr+RJEzF0aichNVIdjDBI3
+lD9xsY1pWAMgELmWb8BeWQLi9ue0Yw3kuXqJH+FuU00wN/DP5JhfbhCD3EO7d1gY
+DqUQSDzMoH9ZvKTOEiieUgJccXkUuZZf2BBBb5FJtsKR1LC4JUz/SQ+bdDjgpPhS
+WjugTcFodrEukGqUD8AATq8ZXaXtMilJVg2Rizw9cmpQWMfhdz86i8Di1mNK+ioo
+ezU6GJgStOWgfCPBYtlk4JnbJ94k0pJ4ncFqOIEYCkqYYMR1wE7RfA==
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA4-pathlen5/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA4-pathlen5, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA3-pathlen99/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA3-pathlen99, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:ac:f1:39:65:f7:9c:9d:f6:f0:d2:b7:18:16:24:
                     81:32:b7:a5:29:d6:f7:4e:31:38:a7:54:d6:eb:07:
@@ -309,27 +309,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         69:05:fe:91:03:94:51:f1:c0:60:19:98:dc:ed:ad:20:22:35:
-         ff:49:1d:02:25:86:df:b2:3d:fa:da:97:af:04:95:c4:d8:4f:
-         f6:46:9d:48:e7:e5:f3:87:97:5b:33:6d:f5:22:d3:cf:04:fc:
-         e1:5f:66:00:89:90:1b:80:1e:5d:46:35:28:47:b1:b8:c5:68:
-         91:bd:a1:fa:19:b2:f8:bc:d0:ce:48:65:76:7a:32:ff:6b:55:
-         94:d5:a6:3f:34:ba:09:18:6c:93:e3:2d:fa:4c:f9:6d:ef:5b:
-         db:a2:cf:cb:86:62:86:cb:72:d6:3e:b0:2f:6a:85:ae:a3:5e:
-         84:de:04:c0:ed:90:2f:51:20:e0:34:00:09:a8:b8:b0:24:47:
-         23:5c:82:3c:dc:d4:1a:67:67:38:20:bc:c2:c9:f7:03:b0:f1:
-         f8:c6:b1:29:42:ae:34:fc:f0:79:81:8c:5b:e7:e2:2c:79:e9:
-         6d:bc:89:81:64:ae:ec:e3:33:c0:7c:9a:f9:f4:3b:d6:a9:88:
-         8b:cf:8c:c8:76:58:03:2b:2a:98:c2:b9:c0:8b:23:05:68:0d:
-         1c:b3:d9:06:00:a7:d7:c5:5e:28:a6:46:3f:d6:64:0e:9b:a5:
-         0e:5b:11:18:3a:0b:17:36:ba:e9:28:94:41:d9:d8:3b:b2:4f:
-         32:8f:93:d9
+         28:1f:8c:fa:52:d4:c8:b6:02:c3:e2:b9:4f:36:16:50:e5:78:
+         0a:82:87:d3:d1:d1:28:0d:e6:d3:73:4d:51:19:24:0e:84:a8:
+         f5:73:b9:ad:93:4f:89:6e:df:c6:4f:76:0e:80:d9:26:34:4c:
+         63:6d:d7:ee:f9:27:e6:43:6a:2d:32:51:6e:f2:6f:8d:79:21:
+         9e:f8:e9:be:9c:ff:56:88:58:5c:2a:cc:80:af:34:bf:52:86:
+         0c:b5:61:83:72:c7:91:88:2c:07:66:9c:99:17:2e:d1:50:d5:
+         cf:9b:a9:68:5c:35:ea:c4:af:7f:02:ba:fb:9a:9b:34:9e:41:
+         ce:57:e3:00:b7:94:0c:ed:a5:73:7f:bf:df:4a:bc:a4:44:59:
+         db:8a:f4:a9:fc:9f:ee:2a:d7:4c:76:af:8a:4e:24:c6:00:75:
+         6a:ee:5a:89:e3:71:5f:5f:71:7a:6b:80:ab:71:58:b1:2a:2a:
+         87:1a:d5:ca:e2:03:77:23:52:f9:0f:ab:fb:fd:a5:3f:cd:86:
+         eb:76:65:8b:47:ba:4d:4d:cb:93:c4:ba:a3:e9:d2:7b:55:71:
+         64:d5:06:c6:a7:31:1d:30:cf:a5:1b:27:02:59:15:b9:78:d9:
+         bd:89:ea:06:4f:2f:24:02:51:11:77:ba:8f:c3:b6:92:9d:2f:
+         68:d4:3f:42
 -----BEGIN CERTIFICATE-----
 MIIE1TCCA72gAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluRy1JQ0E0LXBhdGhsZW41MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NFoXDTIzMTEwNzE5NDk1NFowgaIxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgaIxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMR4wHAYDVQQD
 DBVjaGFpbkctSUNBMy1wYXRobGVuOTkxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s
@@ -345,26 +345,26 @@ gaIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
 ZWF0dGxlMRUwEwYDVQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVy
 aW5nMR4wHAYDVQQDDBVjaGFpbkctSUNBNS1wYXRobGVuMjAxHzAdBgkqhkiG9w0B
 CQEWEGluZm9Ad29sZnNzbC5jb22CAWQwDwYDVR0TBAgwBgEB/wIBYzALBgNVHQ8E
-BAMCAQYwDQYJKoZIhvcNAQELBQADggEBAGkF/pEDlFHxwGAZmNztrSAiNf9JHQIl
-ht+yPfral68ElcTYT/ZGnUjn5fOHl1szbfUi088E/OFfZgCJkBuAHl1GNShHsbjF
-aJG9ofoZsvi80M5IZXZ6Mv9rVZTVpj80ugkYbJPjLfpM+W3vW9uiz8uGYobLctY+
-sC9qha6jXoTeBMDtkC9RIOA0AAmouLAkRyNcgjzc1BpnZzggvMLJ9wOw8fjGsSlC
-rjT88HmBjFvn4ix56W28iYFkruzjM8B8mvn0O9apiIvPjMh2WAMrKpjCucCLIwVo
-DRyz2QYAp9fFXiimRj/WZA6bpQ5bERg6Cxc2uukolEHZ2DuyTzKPk9k=
+BAMCAQYwDQYJKoZIhvcNAQELBQADggEBACgfjPpS1Mi2AsPiuU82FlDleAqCh9PR
+0SgN5tNzTVEZJA6EqPVzua2TT4lu38ZPdg6A2SY0TGNt1+75J+ZDai0yUW7yb415
+IZ746b6c/1aIWFwqzICvNL9Shgy1YYNyx5GILAdmnJkXLtFQ1c+bqWhcNerEr38C
+uvuamzSeQc5X4wC3lAztpXN/v99KvKREWduK9Kn8n+4q10x2r4pOJMYAdWruWonj
+cV9fcXprgKtxWLEqKoca1criA3cjUvkPq/v9pT/Nhut2ZYtHuk1Ny5PEuqPp0ntV
+cWTVBsanMR0wz6UbJwJZFbl42b2J6gZPLyQCURF3uo/DtpKdL2jUP0I=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA5-pathlen20/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA5-pathlen20, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA4-pathlen5/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA4-pathlen5, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:c9:4b:a0:77:b8:42:43:96:e1:f4:8d:1d:a6:2c:
                     d8:12:a2:40:49:11:eb:5f:fb:6c:1d:15:3e:af:dd:
@@ -398,27 +398,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         b0:8e:1a:de:7d:55:b1:c3:4e:4e:df:a0:bb:0a:a7:41:78:11:
-         47:17:0a:c1:85:2f:7a:0c:2a:f5:79:e5:b9:c7:a3:cf:a4:03:
-         8a:ec:db:4b:ac:31:e0:b1:b2:d2:74:09:a6:70:90:30:01:68:
-         c7:07:a0:28:b0:0b:b7:0e:9c:d6:de:4c:f0:62:69:a4:82:f1:
-         80:79:e6:65:15:09:88:26:ae:4d:7e:fd:7b:9f:7a:e8:3b:d6:
-         11:fe:7c:9d:c4:de:90:14:1a:1a:29:7c:a4:80:e9:55:1d:17:
-         18:d3:45:84:ec:5f:42:35:ea:09:b2:67:f0:5f:71:b9:12:d5:
-         88:2a:20:e3:7f:e5:c3:ac:d7:6e:4c:97:3c:aa:ca:f2:ba:d7:
-         37:6b:ba:b8:e7:1a:f5:60:2b:41:7a:f4:68:50:91:ff:00:ab:
-         73:05:ad:0f:b3:48:c5:73:dd:44:3f:16:1f:11:3b:ab:78:8c:
-         e3:20:2a:24:31:ad:8d:3f:74:2b:2c:c1:08:75:9a:c8:6c:6b:
-         43:62:cb:e1:6d:70:ce:f5:64:7c:31:60:c1:6c:fc:37:2f:1b:
-         59:bc:28:97:11:de:df:50:5b:38:5d:a6:dd:b6:1c:f0:f3:dd:
-         07:c4:4b:fa:f9:3a:fd:06:b1:64:64:fa:46:2f:93:52:3f:19:
-         eb:e0:2b:7a
+         2f:a8:0b:e3:eb:e0:fe:e8:82:f8:b7:2d:c2:14:e6:e8:59:8d:
+         e1:6d:50:f7:45:65:d5:4f:7b:6d:1e:d9:44:86:25:a7:56:55:
+         07:46:e0:3f:d9:00:24:f2:61:e2:6a:4f:a8:df:7e:29:41:d0:
+         31:3e:2d:b6:31:09:4e:f5:59:c7:0f:8c:c1:ba:b4:c0:39:2f:
+         ec:d6:a4:4a:0b:6f:bd:87:45:6d:33:2c:b1:14:2c:bc:9e:30:
+         ca:57:57:bc:b8:ec:fd:76:fd:ab:f5:63:3d:ef:16:cf:e8:cb:
+         59:d5:28:0e:8c:36:a8:8d:d7:b8:0f:2a:33:5e:d3:53:19:86:
+         12:64:b3:dc:b6:b8:c9:e3:54:73:7f:0a:ea:c3:ce:95:c4:c1:
+         72:0c:58:ff:4f:2e:ae:f5:27:60:0b:c3:c9:19:3e:94:65:64:
+         2a:1a:bc:03:a4:86:1a:c4:a2:98:c4:9e:63:42:f7:cd:eb:d0:
+         04:f3:33:96:8a:a3:df:36:4c:ff:37:c3:4e:58:61:3a:c4:79:
+         cd:5f:0a:09:d0:15:69:22:2d:8b:c7:27:3e:ab:5c:15:83:96:
+         25:bf:7b:00:7e:34:fa:9e:1a:65:13:eb:cd:4e:22:5e:15:8d:
+         6f:74:c9:31:f9:0e:b0:55:54:72:02:38:3f:92:43:01:d9:57:
+         51:50:03:d9
 -----BEGIN CERTIFICATE-----
 MIIE1TCCA72gAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBojELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHjAcBgNVBAMMFWNo
 YWluRy1JQ0E1LXBhdGhsZW4yMDEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns
-LmNvbTAeFw0yMTAyMTAxOTQ5NTRaFw0yMzExMDcxOTQ5NTRaMIGhMQswCQYDVQQG
+LmNvbTAeFw0yMTEyMjAyMzA3MjVaFw0yNDA5MTUyMzA3MjVaMIGhMQswCQYDVQQG
 EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEVMBMG
 A1UECgwMd29sZlNTTCBJbmMuMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEdMBsGA1UE
 AwwUY2hhaW5HLUlDQTQtcGF0aGxlbjUxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s
@@ -434,26 +434,26 @@ gaIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
 ZWF0dGxlMRUwEwYDVQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVy
 aW5nMR4wHAYDVQQDDBVjaGFpbkctSUNBNi1wYXRobGVuMTAxHzAdBgkqhkiG9w0B
 CQEWEGluZm9Ad29sZnNzbC5jb22CAWQwDwYDVR0TBAgwBgEB/wIBBTALBgNVHQ8E
-BAMCAQYwDQYJKoZIhvcNAQELBQADggEBALCOGt59VbHDTk7foLsKp0F4EUcXCsGF
-L3oMKvV55bnHo8+kA4rs20usMeCxstJ0CaZwkDABaMcHoCiwC7cOnNbeTPBiaaSC
-8YB55mUVCYgmrk1+/Xufeug71hH+fJ3E3pAUGhopfKSA6VUdFxjTRYTsX0I16gmy
-Z/BfcbkS1YgqION/5cOs125MlzyqyvK61zdrurjnGvVgK0F69GhQkf8Aq3MFrQ+z
-SMVz3UQ/Fh8RO6t4jOMgKiQxrY0/dCsswQh1mshsa0Niy+FtcM71ZHwxYMFs/Dcv
-G1m8KJcR3t9QWzhdpt22HPDz3QfES/r5Ov0GsWRk+kYvk1I/GevgK3o=
+BAMCAQYwDQYJKoZIhvcNAQELBQADggEBAC+oC+Pr4P7ogvi3LcIU5uhZjeFtUPdF
+ZdVPe20e2USGJadWVQdG4D/ZACTyYeJqT6jffilB0DE+LbYxCU71WccPjMG6tMA5
+L+zWpEoLb72HRW0zLLEULLyeMMpXV7y47P12/av1Yz3vFs/oy1nVKA6MNqiN17gP
+KjNe01MZhhJks9y2uMnjVHN/CurDzpXEwXIMWP9PLq71J2ALw8kZPpRlZCoavAOk
+hhrEopjEnmNC983r0ATzM5aKo982TP83w05YYTrEec1fCgnQFWkiLYvHJz6rXBWD
+liW/ewB+NPqeGmUT681OIl4VjW90yTH5DrBVVHICOD+SQwHZV1FQA9k=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA6-pathlen10/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA6-pathlen10, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA5-pathlen20/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA5-pathlen20, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:be:9d:98:a2:41:ca:64:1f:a2:34:dc:51:7d:49:
                     2b:f7:f8:7a:fc:1a:22:8d:3a:17:8e:00:9c:74:06:
@@ -487,27 +487,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         c5:55:81:ae:d8:a9:00:b6:65:0b:41:2a:7c:7b:de:6a:24:15:
-         36:b8:8f:dd:c6:70:0d:ee:fd:a7:f1:55:c1:c2:77:1c:e7:2f:
-         cc:e0:78:81:57:2f:8f:c6:a6:c0:70:5d:aa:b1:2b:4d:30:2f:
-         f0:42:4e:be:06:7c:53:2d:65:c7:58:ae:02:d8:87:80:a0:48:
-         e5:4d:df:e6:de:c7:51:14:26:58:0d:9a:f7:f4:c4:32:95:98:
-         b7:9c:a0:92:a4:a6:c7:28:04:c0:1c:52:d3:ff:bb:f2:4f:08:
-         64:98:04:34:f1:ac:9f:ca:b2:a7:99:45:eb:a3:c9:b5:74:54:
-         c3:0e:fa:ba:fd:d2:a4:70:c4:ff:f2:f9:93:3a:1f:c8:95:ac:
-         42:de:45:e0:08:a9:5a:a8:3d:99:50:c3:f0:bb:c6:14:b6:68:
-         62:dd:f4:df:36:74:10:39:6f:18:de:4b:a7:64:fa:62:17:2f:
-         ba:e8:58:b8:7c:9d:2f:5d:43:c4:02:a9:03:69:8c:1a:ce:a8:
-         98:7b:53:72:a6:de:de:76:aa:4b:0b:4d:fd:7b:79:74:da:73:
-         a9:4f:79:1c:c5:8a:39:ee:90:c1:25:00:29:fa:d3:b1:13:4b:
-         3a:51:4e:8e:63:ee:4b:57:af:2f:29:91:98:c1:27:88:e0:69:
-         fc:3d:8b:91
+         29:ff:da:ab:a9:62:4b:ef:6b:0b:d4:a9:a1:96:83:21:2d:df:
+         20:7b:76:4d:be:4a:63:12:a7:54:af:c1:e4:38:75:6b:7a:47:
+         de:85:a0:c3:c4:a1:17:78:de:cc:15:d2:78:81:f4:ed:b7:f1:
+         42:88:be:b6:95:f6:7f:1d:dc:93:74:9a:8c:9b:0d:77:b4:3b:
+         86:f8:ef:ed:27:8a:d0:db:f0:08:b9:29:23:2c:25:27:80:81:
+         14:c3:7a:50:d6:88:77:64:a7:25:55:85:16:10:9f:3d:fb:83:
+         0f:75:8a:1d:6e:c6:23:6e:41:87:1e:98:f0:a9:1c:b7:6d:ab:
+         79:08:8d:42:63:3a:42:1f:a3:9e:97:93:04:2b:de:c6:fb:bc:
+         cb:03:af:77:17:61:a0:03:96:d0:1b:38:37:c3:d3:ba:90:7d:
+         2d:05:24:a0:af:62:8c:a9:7e:c2:88:59:ce:e6:c0:2f:1c:33:
+         92:cd:e9:ce:41:7a:a6:9d:e4:ba:bc:07:1f:9d:84:79:ca:e0:
+         63:cb:ed:34:c7:3c:a8:13:df:57:ce:8e:9a:13:5f:2d:31:72:
+         6e:81:65:53:62:a9:39:11:94:de:2c:c8:c5:94:66:d1:0e:4b:
+         84:ca:32:46:82:f8:c0:98:94:3b:bd:d4:be:f8:c2:f7:af:13:
+         e4:db:57:fa
 -----BEGIN CERTIFICATE-----
 MIIE1zCCA7+gAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBojELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHjAcBgNVBAMMFWNo
 YWluRy1JQ0E2LXBhdGhsZW4xMDEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns
-LmNvbTAeFw0yMTAyMTAxOTQ5NTRaFw0yMzExMDcxOTQ5NTRaMIGiMQswCQYDVQQG
+LmNvbTAeFw0yMTEyMjAyMzA3MjVaFw0yNDA5MTUyMzA3MjVaMIGiMQswCQYDVQQG
 EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEVMBMG
 A1UECgwMd29sZlNTTCBJbmMuMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEeMBwGA1UE
 AwwVY2hhaW5HLUlDQTUtcGF0aGxlbjIwMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
@@ -523,26 +523,26 @@ MIGjMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH
 U2VhdHRsZTEVMBMGA1UECgwMd29sZlNTTCBJbmMuMRQwEgYDVQQLDAtFbmdpbmVl
 cmluZzEfMB0GA1UEAwwWY2hhaW5HLUlDQTctcGF0aGxlbjEwMDEfMB0GCSqGSIb3
 DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIBZDAPBgNVHRMECDAGAQH/AgEUMAsGA1Ud
-DwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAxVWBrtipALZlC0EqfHveaiQVNriP
-3cZwDe79p/FVwcJ3HOcvzOB4gVcvj8amwHBdqrErTTAv8EJOvgZ8Uy1lx1iuAtiH
-gKBI5U3f5t7HURQmWA2a9/TEMpWYt5ygkqSmxygEwBxS0/+78k8IZJgENPGsn8qy
-p5lF66PJtXRUww76uv3SpHDE//L5kzofyJWsQt5F4AipWqg9mVDD8LvGFLZoYt30
-3zZ0EDlvGN5Lp2T6YhcvuuhYuHydL11DxAKpA2mMGs6omHtTcqbe3naqSwtN/Xt5
-dNpzqU95HMWKOe6QwSUAKfrTsRNLOlFOjmPuS1evLymRmMEniOBp/D2LkQ==
+DwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKf/aq6liS+9rC9SpoZaDIS3fIHt2
+Tb5KYxKnVK/B5Dh1a3pH3oWgw8ShF3jezBXSeIH07bfxQoi+tpX2fx3ck3SajJsN
+d7Q7hvjv7SeK0NvwCLkpIywlJ4CBFMN6UNaId2SnJVWFFhCfPfuDD3WKHW7GI25B
+hx6Y8Kkct22reQiNQmM6Qh+jnpeTBCvexvu8ywOvdxdhoAOW0Bs4N8PTupB9LQUk
+oK9ijKl+wohZzubALxwzks3pzkF6pp3kurwHH52EecrgY8vtNMc8qBPfV86OmhNf
+LTFyboFlU2KpORGU3izIxZRm0Q5LhMoyRoL4wJiUO73UvvjC968T5NtX+g==
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA7-pathlen100/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA7-pathlen100, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA6-pathlen10/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA6-pathlen10, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:e1:4f:c9:e7:30:ea:06:ff:65:cb:2b:6c:f1:a8:
                     ac:f6:cf:10:6b:80:7a:af:5e:42:0a:0d:61:be:6f:
@@ -576,27 +576,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         73:70:e1:67:aa:a1:e6:31:8c:6b:c3:bd:0e:99:9f:f8:8c:18:
-         b4:40:c7:0c:2d:0f:03:66:92:0e:5e:91:1e:37:f3:4f:68:66:
-         3e:d4:4a:30:19:fe:44:fe:bb:11:22:23:10:db:8d:91:8a:45:
-         f8:71:48:b7:97:3d:9e:3d:c4:7c:3b:da:51:23:6e:76:3f:b5:
-         1c:a8:db:80:2f:fa:15:16:ea:f8:9b:1d:86:1d:02:94:cd:4a:
-         f2:7d:6d:c1:40:0d:2f:d0:f9:65:dc:39:41:93:e1:e2:ab:7b:
-         1f:c4:37:5f:3f:6e:af:4b:cb:d8:b2:21:e6:b4:73:13:8f:b6:
-         d6:e3:81:b5:e4:85:e3:3c:1a:ae:4b:79:86:29:a5:1b:ba:7d:
-         4a:4e:a3:22:94:33:49:64:46:ff:44:99:02:f7:f6:82:d6:76:
-         f0:a6:ff:5d:b3:58:df:a8:c4:00:00:33:8c:1e:17:72:8c:84:
-         d7:bd:17:7f:ff:2a:7a:7b:71:63:34:21:ad:3a:88:3c:2c:cf:
-         9b:77:c0:0c:ce:7d:d6:2d:56:0f:6f:6b:98:54:5e:0c:92:40:
-         eb:43:2e:4c:08:14:48:af:c9:80:34:59:ee:f8:e3:5f:3e:68:
-         aa:52:65:91:6f:ed:56:21:ff:1b:dc:d0:33:39:c4:e0:39:c7:
-         97:70:0e:8f
+         33:53:88:2d:1e:0e:04:6c:69:d4:b6:08:23:73:d1:31:02:7b:
+         a2:ed:ce:c6:58:8e:6a:fd:0e:1e:c7:73:8e:0e:b5:46:02:15:
+         c3:55:bf:96:8d:a7:cf:f3:3b:80:d9:8c:5d:a8:df:4e:f2:63:
+         e0:9b:04:8c:76:f5:fc:a7:7e:43:e9:da:a5:9a:31:3e:ae:a3:
+         f7:ae:20:14:e2:f8:a0:a0:18:74:2e:95:f7:30:24:b3:28:10:
+         7f:85:23:e7:6c:5d:9d:e5:a3:f0:75:63:a6:ae:62:aa:7b:3d:
+         e3:c9:27:4a:35:29:85:83:9a:ac:c0:f8:21:1e:8b:c4:b9:90:
+         2e:83:6a:07:de:4c:3a:24:2a:2b:32:33:8d:85:d9:e1:97:a0:
+         ae:8c:ae:10:f2:77:87:f6:73:7a:21:0f:4a:6b:7a:8e:82:bc:
+         85:10:78:12:37:7c:ab:46:3c:78:32:bf:7a:1c:85:7c:b9:81:
+         e0:b8:32:41:c9:af:db:f6:3c:8c:5d:01:f2:8a:d2:0c:42:1c:
+         d2:05:ee:f1:a5:1a:42:d6:c5:d9:93:38:e0:f6:d3:25:55:6b:
+         81:4a:1e:10:68:6a:29:d9:59:49:14:b9:84:46:99:c5:d6:fc:
+         c7:ec:75:38:30:08:5a:58:96:cf:3c:43:6b:73:21:1d:f6:d8:
+         01:2d:28:5a
 -----BEGIN CERTIFICATE-----
 MIIEyTCCA7GgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNo
 YWluRy1JQ0E3LXBhdGhsZW4xMDAxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
-bC5jb20wHhcNMjEwMjEwMTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBojELMAkGA1UE
+bC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBojELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHjAcBgNV
 BAMMFWNoYWluRy1JQ0E2LXBhdGhsZW4xMDEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
@@ -612,26 +612,26 @@ lzCBlDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0Jv
 emVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgw
 FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s
 ZnNzbC5jb22CAWQwDwYDVR0TBAgwBgEB/wIBCjALBgNVHQ8EBAMCAQYwDQYJKoZI
-hvcNAQELBQADggEBAHNw4WeqoeYxjGvDvQ6Zn/iMGLRAxwwtDwNmkg5ekR43809o
-Zj7USjAZ/kT+uxEiIxDbjZGKRfhxSLeXPZ49xHw72lEjbnY/tRyo24Av+hUW6vib
-HYYdApTNSvJ9bcFADS/Q+WXcOUGT4eKrex/EN18/bq9Ly9iyIea0cxOPttbjgbXk
-heM8Gq5LeYYppRu6fUpOoyKUM0lkRv9EmQL39oLWdvCm/12zWN+oxAAAM4weF3KM
-hNe9F3//Knp7cWM0Ia06iDwsz5t3wAzOfdYtVg9va5hUXgySQOtDLkwIFEivyYA0
-We74418+aKpSZZFv7VYh/xvc0DM5xOA5x5dwDo8=
+hvcNAQELBQADggEBADNTiC0eDgRsadS2CCNz0TECe6LtzsZYjmr9Dh7Hc44OtUYC
+FcNVv5aNp8/zO4DZjF2o307yY+CbBIx29fynfkPp2qWaMT6uo/euIBTi+KCgGHQu
+lfcwJLMoEH+FI+dsXZ3lo/B1Y6auYqp7PePJJ0o1KYWDmqzA+CEei8S5kC6Dagfe
+TDokKisyM42F2eGXoK6MrhDyd4f2c3ohD0preo6CvIUQeBI3fKtGPHgyv3ochXy5
+geC4MkHJr9v2PIxdAfKK0gxCHNIF7vGlGkLWxdmTOOD20yVVa4FKHhBoainZWUkU
+uYRGmcXW/MfsdTgwCFpYls88Q2tzIR322AEtKFo=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:54 2021 GMT
-            Not After : Nov  7 19:49:54 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA7-pathlen100/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA7-pathlen100, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d6:8c:d6:c4:29:20:60:9d:15:3d:0c:2a:fb:24:
                     2f:38:89:ed:37:c4:fc:57:67:2a:50:d8:eb:e2:6a:
@@ -658,34 +658,34 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE, pathlen:100
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         26:72:76:89:e5:6a:e9:31:30:3d:c1:cf:15:f4:3f:dd:43:f0:
-         6d:53:94:8b:90:fe:ea:94:93:bf:57:60:84:b5:a9:39:8b:a6:
-         89:65:82:ce:f7:77:1e:ee:7a:65:a8:5d:dc:6f:13:5d:55:94:
-         b5:ac:d2:24:ff:f1:f7:8e:49:91:da:86:b9:b6:c7:03:39:e9:
-         a1:9b:78:f8:86:85:ab:a6:77:23:e5:02:33:83:e4:a1:c2:e7:
-         ae:36:22:4c:2e:a3:81:44:2a:bf:ad:a5:a3:05:c0:7a:3f:c8:
-         bc:e9:72:4b:04:1a:82:72:18:6a:8b:4d:2b:c2:53:dd:28:a5:
-         d5:5d:b1:87:8a:a2:a7:3a:31:43:c2:79:45:27:61:a7:c1:9d:
-         ae:8c:b7:cb:05:6f:04:2a:d7:1f:64:52:dd:ad:9a:b7:69:12:
-         2e:82:d2:93:32:f2:03:df:3d:6c:07:6f:13:1d:28:af:ef:86:
-         04:de:d6:15:3f:31:37:ff:42:32:8f:9c:64:d5:4f:55:81:3e:
-         c8:01:95:51:cd:18:2d:57:9f:30:5c:b5:a8:bc:2e:3e:63:57:
-         07:48:ea:ad:23:9f:25:8d:8b:3e:de:8c:6f:a1:52:79:37:a1:
-         99:6f:df:0d:84:d9:8d:d8:db:d1:34:60:9e:3b:36:12:df:7b:
-         f5:fb:59:1a
+         4f:97:12:76:60:f0:fd:24:ca:f2:c4:89:6a:90:28:86:fe:1b:
+         19:f8:fc:f8:b9:89:8e:8c:06:56:d5:89:a8:73:6a:11:b2:6f:
+         ce:f1:35:e4:3e:3c:8f:d5:a4:95:b9:24:16:41:2b:0b:04:29:
+         df:03:52:3f:82:2b:be:fb:74:29:b6:36:6e:dd:28:56:e8:e3:
+         85:c4:94:5b:9c:4e:09:0f:c0:bd:79:2a:08:a6:b6:54:0c:24:
+         d6:00:d8:29:d8:ff:d8:44:57:30:25:b3:28:24:f8:25:36:b6:
+         e6:44:6c:72:0a:7a:fc:0d:b4:9e:77:b8:80:36:49:e6:47:7a:
+         dd:c9:e5:27:57:11:52:f1:44:96:a0:9c:6f:f4:3f:35:bd:81:
+         4d:a6:61:ed:ef:43:95:13:a3:57:19:1a:70:34:5e:7c:a9:b9:
+         c6:c6:a0:7c:35:d5:5f:98:9f:9b:33:f3:d2:fd:57:08:db:80:
+         bd:fa:2a:0b:44:f8:3b:97:75:9f:e6:83:50:92:6c:82:02:7f:
+         32:ed:7b:52:4d:2d:c1:cf:0c:c1:09:6f:3f:63:49:9b:e1:25:
+         7c:c5:33:49:f6:68:e4:7e:67:33:67:54:1c:49:99:8c:bf:3a:
+         aa:1c:ee:0d:d1:7b:29:6a:70:b4:47:cb:b4:d9:95:57:cf:59:
+         44:85:19:54
 -----BEGIN CERTIFICATE-----
-MIIEwzCCA6ugAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEzjCCA7agAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTU0WhcNMjMxMTA3MTk0OTU0WjCBozELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBozELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoMDHdvbGZTU0wg
 SW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNoYWluRy1JQ0E3
 LXBhdGhsZW4xMDAxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEi
@@ -695,16 +695,16 @@ xPxXZypQ2OviahxZBvJtPrlP/knFIcAW+ClvUQzqeNcOFUHaWssL4FTWg/0P6E4w
 /RYKOrjHI0uv4M0SXp9PYhPwyOTiqAHTN7AIIdMPbOTYwQRR6UzFsW3MYyOXMO7w
 Hqtt6pPKrVZvHu0arowbkQTqq50bO1anwcwvOS+zuowW/V4QEJ4k6kCXdLa05RzA
 0195LARDOo70sVa9xyVjXDRQTb0t8Qi9jD7Sb/rkBKFR69DQkJGXe0bGEJKvAgMB
-AAGjggENMIIBCTAdBgNVHQ4EFgQUEuSkGYWuhbfW62ME1bmwfldfDBYwgckGA1Ud
-IwSBwTCBvoAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYT
+AAGjggEYMIIBFDAdBgNVHQ4EFgQUEuSkGYWuhbfW62ME1bmwfldfDBYwgdQGA1Ud
+IwSBzDCByYAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYT
 AlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQK
 DAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3Lndv
-bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggkAqtM/
-rBgKN00wDwYDVR0TBAgwBgEB/wIBZDALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEL
-BQADggEBACZydonlaukxMD3BzxX0P91D8G1TlIuQ/uqUk79XYIS1qTmLpollgs73
-dx7uemWoXdxvE11VlLWs0iT/8feOSZHahrm2xwM56aGbePiGhaumdyPlAjOD5KHC
-5642Ikwuo4FEKr+tpaMFwHo/yLzpcksEGoJyGGqLTSvCU90opdVdsYeKoqc6MUPC
-eUUnYafBna6Mt8sFbwQq1x9kUt2tmrdpEi6C0pMy8gPfPWwHbxMdKK/vhgTe1hU/
-MTf/QjKPnGTVT1WBPsgBlVHNGC1XnzBctai8Lj5jVwdI6q0jnyWNiz7ejG+hUnk3
-oZlv3w2E2Y3Y29E0YJ47NhLfe/X7WRo=
+bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tghR9lHCI
+ugdCjaqvT77CGkjw0UDmQjAPBgNVHRMECDAGAQH/AgFkMAsGA1UdDwQEAwIBBjAN
+BgkqhkiG9w0BAQsFAAOCAQEAT5cSdmDw/STK8sSJapAohv4bGfj8+LmJjowGVtWJ
+qHNqEbJvzvE15D48j9WklbkkFkErCwQp3wNSP4Irvvt0KbY2bt0oVujjhcSUW5xO
+CQ/AvXkqCKa2VAwk1gDYKdj/2ERXMCWzKCT4JTa25kRscgp6/A20nne4gDZJ5kd6
+3cnlJ1cRUvFElqCcb/Q/Nb2BTaZh7e9DlROjVxkacDRefKm5xsagfDXVX5ifmzPz
+0v1XCNuAvfoqC0T4O5d1n+aDUJJsggJ/Mu17Uk0twc8MwQlvP2NJm+ElfMUzSfZo
+5H5nM2dUHEmZjL86qhzuDdF7KWpwtEfLtNmVV89ZRIUZVA==
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainG-entity.pem b/certs/test-pathlen/chainG-entity.pem
index b5c191c75..d9d72c845 100644
--- a/certs/test-pathlen/chainG-entity.pem
+++ b/certs/test-pathlen/chainG-entity.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 101 (0x65)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-ICA1-pathlen0/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-ICA1-pathlen0, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainG-entity/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainG-entity, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:bb:7b:82:23:a2:34:e7:cb:89:4e:64:cc:f2:98:
                     c8:65:8f:e2:69:55:54:4b:3c:8b:c0:1f:67:37:7f:
@@ -42,27 +42,27 @@ Certificate:
             X509v3 Basic Constraints: 
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         43:1d:31:61:87:f5:7b:0d:77:84:eb:8b:be:45:c6:9f:a9:f8:
-         a0:af:a8:46:16:88:d7:08:0f:96:54:39:f7:ee:f5:6a:f4:11:
-         f7:49:a5:f4:36:36:8c:4d:95:07:87:35:d7:c9:07:3e:95:4f:
-         4e:aa:2f:f4:2f:2c:ea:4a:e7:5b:d9:54:19:a0:d5:da:16:e8:
-         ed:e4:0b:30:4a:1a:1d:12:c2:0f:12:ed:cb:53:ac:37:96:00:
-         c2:16:3b:9e:2e:96:2b:a0:fb:72:13:9c:5b:d8:34:ff:0f:d9:
-         ed:1f:1c:db:26:66:84:86:f4:23:9c:ea:76:39:4f:a7:0f:65:
-         af:f5:9e:2f:c8:7c:b6:57:71:14:e8:8a:61:73:f0:01:8a:e0:
-         96:f4:5b:cb:cb:e2:ed:d1:9c:42:f1:3d:b5:01:4f:bb:bc:46:
-         d8:af:ef:55:17:de:4b:2a:17:2b:e1:fd:86:b6:aa:65:0c:88:
-         7b:b9:6f:1f:9b:0d:15:28:a7:b3:7f:20:4c:c4:59:80:eb:ee:
-         72:fb:09:ad:cd:3e:40:d0:dc:69:7c:3f:09:77:f8:3f:65:28:
-         21:3d:12:c0:56:c9:50:a0:3c:29:9f:45:5b:7b:c1:24:a3:3c:
-         88:32:24:85:28:bd:b1:f1:ff:0e:33:75:b0:74:cf:d5:46:37:
-         d5:c8:aa:13
+         ca:65:da:90:a0:ff:8b:98:db:33:6e:3c:4d:f1:43:81:53:a7:
+         99:fb:d5:84:2c:30:9d:88:e6:2e:cb:1d:d7:69:a5:8b:c3:c7:
+         25:52:4d:60:d2:48:d8:fa:82:ef:a2:d4:77:ff:e2:67:28:fa:
+         4e:e8:ec:39:39:61:c4:93:d7:5e:7e:75:5c:68:00:15:c0:0e:
+         08:60:18:03:d8:ff:a7:a5:dc:39:03:61:44:3a:04:04:57:40:
+         b7:a5:0e:50:02:1d:98:1a:77:99:a9:0d:9c:0e:e5:96:ad:07:
+         24:0c:b9:29:cc:ad:7e:41:a7:54:a8:ab:6c:6a:47:2f:90:b4:
+         46:7f:9e:21:64:76:b5:27:f6:11:7f:5b:75:75:d9:e0:d8:5f:
+         f2:fa:0a:03:91:eb:58:a2:20:35:d4:e9:91:0e:2e:c2:94:b0:
+         06:d5:1e:a0:35:b9:35:2b:e3:c6:2b:72:6c:cc:bd:dc:5b:3f:
+         0b:55:b6:9b:57:49:7c:29:7e:a5:40:4a:58:ce:87:2f:db:aa:
+         1e:c0:34:fe:fc:cc:85:c6:e2:25:43:5e:2b:df:4a:ca:eb:74:
+         4f:59:93:df:ff:8e:93:32:45:19:27:58:6b:9d:d9:9b:bf:0b:
+         31:14:5d:c7:8b:05:a4:05:85:c8:f4:1c:24:df:8e:5f:cb:09:
+         ca:af:68:82
 -----BEGIN CERTIFICATE-----
 MIIEtzCCA5+gAwIBAgIBZTANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluRy1JQ0ExLXBhdGhsZW4wMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NVoXDTIzMTEwNzE5NDk1NVowgZoxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgZoxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRYwFAYDVQQD
 DA1jaGFpbkctZW50aXR5MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
@@ -77,11 +77,11 @@ VR0jBIHGMIHDgBRHwBlL7cTal7Fg6loKQm2l09glMaGBp6SBpDCBoTELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNV
 BAMMFGNoYWluRy1JQ0EyLXBhdGhsZW4xMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
-bGZzc2wuY29tggFkMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAEMdMWGH
-9XsNd4Tri75Fxp+p+KCvqEYWiNcID5ZUOffu9Wr0EfdJpfQ2NoxNlQeHNdfJBz6V
-T06qL/QvLOpK51vZVBmg1doW6O3kCzBKGh0Swg8S7ctTrDeWAMIWO54uliug+3IT
-nFvYNP8P2e0fHNsmZoSG9COc6nY5T6cPZa/1ni/IfLZXcRToimFz8AGK4Jb0W8vL
-4u3RnELxPbUBT7u8Rtiv71UX3ksqFyvh/Ya2qmUMiHu5bx+bDRUop7N/IEzEWYDr
-7nL7Ca3NPkDQ3Gl8Pwl3+D9lKCE9EsBWyVCgPCmfRVt7wSSjPIgyJIUovbHx/w4z
-dbB0z9VGN9XIqhM=
+bGZzc2wuY29tggFkMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAMpl2pCg
+/4uY2zNuPE3xQ4FTp5n71YQsMJ2I5i7LHddppYvDxyVSTWDSSNj6gu+i1Hf/4mco
++k7o7Dk5YcST115+dVxoABXADghgGAPY/6el3DkDYUQ6BARXQLelDlACHZgad5mp
+DZwO5ZatByQMuSnMrX5Bp1Soq2xqRy+QtEZ/niFkdrUn9hF/W3V12eDYX/L6CgOR
+61iiIDXU6ZEOLsKUsAbVHqA1uTUr48YrcmzMvdxbPwtVtptXSXwpfqVASljOhy/b
+qh7ANP78zIXG4iVDXivfSsrrdE9Zk9//jpMyRRknWGud2Zu/CzEUXceLBaQFhcj0
+HCTfjl/LCcqvaII=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainH-ICA1-pathlen0.pem b/certs/test-pathlen/chainH-ICA1-pathlen0.pem
index 4e0743db9..893bba3bc 100644
--- a/certs/test-pathlen/chainH-ICA1-pathlen0.pem
+++ b/certs/test-pathlen/chainH-ICA1-pathlen0.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainH-ICA2-pathlen2/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainH-ICA2-pathlen2, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainH-ICA1-pathlen0/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainH-ICA1-pathlen0, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:c7:f4:a6:7e:f2:cb:4f:6e:04:18:d3:53:d5:cf:
                     bf:7e:97:d1:74:94:fe:db:ad:61:3f:12:20:67:f3:
@@ -44,27 +44,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         9f:9b:2c:00:4d:4c:62:f6:75:de:56:fe:15:df:1e:74:11:1c:
-         33:0e:84:40:04:4a:d3:9b:20:3a:1c:b2:c0:20:2f:71:f5:d6:
-         f6:71:f3:a9:9e:f3:a3:e3:0f:fe:d8:97:24:bc:18:0b:54:38:
-         d2:e5:d4:1d:74:d3:f9:19:a1:e5:5d:7e:61:bb:fb:cd:8b:aa:
-         8b:dc:9a:47:5a:ed:e3:57:46:a7:cc:32:5e:71:1d:9b:2b:ad:
-         a1:60:43:b3:be:80:31:a1:7d:2a:ab:a7:d8:3a:b5:62:95:c5:
-         31:24:87:30:1f:fc:41:72:d7:b0:99:df:6c:b5:4c:14:dc:d9:
-         4b:0b:a0:90:8b:11:a6:e5:4d:43:17:54:db:a7:4b:fe:1e:65:
-         37:f2:1d:f3:6d:f0:6d:1e:13:d3:d0:a9:0c:39:f5:34:07:51:
-         d2:19:f2:8e:a9:51:77:c7:b0:69:05:dc:44:66:0e:25:e6:78:
-         9f:4c:4a:8d:c9:f4:66:4a:e4:60:fd:fa:13:73:2a:46:ce:3b:
-         aa:f2:89:0d:68:68:75:78:d3:f5:a0:c2:72:16:6c:3c:82:bd:
-         dd:1c:f7:65:dc:52:00:0e:24:d6:42:df:f5:60:24:9d:06:e6:
-         1c:1d:e1:81:23:47:8b:66:a3:c2:49:c1:15:df:13:8b:83:3f:
-         89:1d:42:ba
+         c6:28:f9:c3:81:a4:93:be:43:7c:95:db:e5:cf:fe:0b:1a:1f:
+         d3:f4:e5:d8:35:77:ee:35:69:16:c9:b5:9c:5a:9b:82:70:41:
+         f4:c2:e5:ea:dc:9f:3c:06:6e:2e:71:e6:ff:50:42:39:50:57:
+         1a:2d:d3:d7:58:83:08:5d:5b:77:58:13:11:f0:66:2b:2c:2a:
+         e8:1e:e2:a5:d7:e7:c3:3e:83:ae:29:86:ef:29:78:c5:58:b1:
+         ef:8f:3f:6d:2f:d4:a0:2f:4f:1f:e7:34:33:c9:b5:57:f4:e8:
+         be:45:4b:c1:ed:a2:89:c3:05:08:d8:a9:37:df:13:b0:78:ad:
+         eb:18:d1:be:24:f4:1d:64:a1:87:f6:9a:53:48:bc:20:79:49:
+         0b:b6:93:db:0b:6f:f5:18:d5:89:ae:39:18:32:a0:a7:e8:65:
+         98:75:46:b9:15:1c:f4:11:c2:de:65:10:17:c3:24:b9:d1:fa:
+         e8:e6:99:cc:aa:fe:1b:17:0a:9c:a1:72:63:4c:4e:99:57:24:
+         cf:b9:df:ad:7b:1a:a7:63:53:aa:85:c5:68:64:6c:e0:29:e8:
+         ad:1e:a3:d2:74:7d:10:03:6d:11:48:6a:f0:60:39:69:7f:01:
+         0a:a3:e4:0d:f2:64:2c:59:3d:20:19:d1:b1:27:8d:cd:d5:eb:
+         fe:b2:97:09
 -----BEGIN CERTIFICATE-----
 MIIE0zCCA7ugAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluSC1JQ0EyLXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NVoXDTIzMTEwNzE5NDk1NVowgaExCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgaExCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMR0wGwYDVQQD
 DBRjaGFpbkgtSUNBMS1wYXRobGVuMDEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm
@@ -80,10 +80,10 @@ oTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1Nl
 YXR0bGUxFTATBgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJp
 bmcxHTAbBgNVBAMMFGNoYWluSC1JQ0EzLXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkB
 FhBpbmZvQHdvbGZzc2wuY29tggFkMA8GA1UdEwQIMAYBAf8CAQAwCwYDVR0PBAQD
-AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCfmywATUxi9nXeVv4V3x50ERwzDoRABErT
-myA6HLLAIC9x9db2cfOpnvOj4w/+2JckvBgLVDjS5dQddNP5GaHlXX5hu/vNi6qL
-3JpHWu3jV0anzDJecR2bK62hYEOzvoAxoX0qq6fYOrVilcUxJIcwH/xBctewmd9s
-tUwU3NlLC6CQixGm5U1DF1Tbp0v+HmU38h3zbfBtHhPT0KkMOfU0B1HSGfKOqVF3
-x7BpBdxEZg4l5nifTEqNyfRmSuRg/foTcypGzjuq8okNaGh1eNP1oMJyFmw8gr3d
-HPdl3FIADiTWQt/1YCSdBuYcHeGBI0eLZqPCScEV3xOLgz+JHUK6
+AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQDGKPnDgaSTvkN8ldvlz/4LGh/T9OXYNXfu
+NWkWybWcWpuCcEH0wuXq3J88Bm4uceb/UEI5UFcaLdPXWIMIXVt3WBMR8GYrLCro
+HuKl1+fDPoOuKYbvKXjFWLHvjz9tL9SgL08f5zQzybVX9Oi+RUvB7aKJwwUI2Kk3
+3xOweK3rGNG+JPQdZKGH9ppTSLwgeUkLtpPbC2/1GNWJrjkYMqCn6GWYdUa5FRz0
+EcLeZRAXwyS50fro5pnMqv4bFwqcoXJjTE6ZVyTPud+texqnY1OqhcVoZGzgKeit
+HqPSdH0QA20RSGrwYDlpfwEKo+QN8mQsWT0gGdGxJ43N1ev+spcJ
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainH-ICA2-pathlen2.pem b/certs/test-pathlen/chainH-ICA2-pathlen2.pem
index 19cc738cd..ec3fb24de 100644
--- a/certs/test-pathlen/chainH-ICA2-pathlen2.pem
+++ b/certs/test-pathlen/chainH-ICA2-pathlen2.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainH-ICA3-pathlen2/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainH-ICA3-pathlen2, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainH-ICA2-pathlen2/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainH-ICA2-pathlen2, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d9:b5:af:4b:ba:83:03:23:df:50:28:a8:c2:0c:
                     2c:f0:04:cb:2d:04:9b:1e:f5:f4:68:bc:d4:8e:b4:
@@ -44,27 +44,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         19:a6:e8:27:a0:39:d2:86:54:63:76:85:91:3d:3d:97:65:4f:
-         e2:96:f1:cb:64:7b:07:b3:b4:3a:09:f0:8d:9f:cb:9c:6f:ab:
-         cc:69:4a:3d:b4:26:01:c0:37:a3:23:56:a0:99:51:9d:a3:33:
-         23:58:65:bc:8b:08:be:52:62:ef:8e:74:ed:c8:d0:88:ee:b6:
-         14:c0:0a:63:f3:03:6c:df:f9:92:4b:b6:53:6c:86:39:3b:31:
-         3e:69:b7:ed:ae:0c:df:2f:00:eb:8f:ed:01:ef:94:f4:8d:ca:
-         a9:0f:eb:1c:07:1f:56:01:4a:16:69:a0:81:51:a4:08:75:89:
-         cf:97:e7:6f:03:77:ed:21:ec:8c:2a:78:4a:8a:73:31:63:c2:
-         4f:b8:43:ad:d8:5e:60:3d:1c:7f:89:f0:08:d1:65:9a:7b:be:
-         22:fb:74:a9:25:6c:38:c2:f8:66:22:af:37:da:c6:58:99:cc:
-         62:c2:44:8e:07:70:9f:64:64:bc:52:54:f6:5e:23:da:b5:84:
-         45:d3:4c:00:22:0a:43:f1:4d:f0:50:77:78:fa:01:4c:23:08:
-         26:ac:d3:70:99:db:ee:0d:cc:57:aa:27:aa:5f:6d:ed:3b:2a:
-         8f:9b:7a:fa:82:e7:f9:41:6d:e4:61:3a:75:2c:4e:f3:2c:7c:
-         b9:c2:0f:23
+         5a:18:36:0e:02:33:b8:aa:7d:a2:67:a2:30:22:b0:f1:d0:69:
+         d9:d9:13:53:4f:74:b1:8d:6f:b7:d9:62:78:5c:e6:97:51:02:
+         ac:3f:54:02:bc:db:7e:b1:31:0c:e5:bf:7e:ff:bf:ee:d5:73:
+         d0:a5:41:c7:bc:98:4b:35:86:44:b4:cb:eb:d8:ae:17:c5:55:
+         46:5d:66:c1:06:97:be:28:e7:23:dc:60:d0:dd:14:fc:17:fd:
+         1e:ed:61:f7:1c:44:de:e7:19:52:2a:a3:ec:8e:47:7e:10:66:
+         f3:b9:e4:d5:ee:2f:d5:cf:a3:58:06:72:99:3b:27:2b:f5:fe:
+         46:ed:17:ae:76:85:36:39:5c:c7:a7:f5:08:c5:df:39:e1:a7:
+         6e:20:d4:5a:34:9e:f1:c5:97:eb:d7:99:2e:15:c6:35:64:2b:
+         e1:f9:22:73:c6:83:30:4c:5b:0a:9f:0d:6a:48:da:6d:b0:5d:
+         b4:7b:9d:37:ac:67:61:f7:e0:53:cc:15:24:e5:81:8b:9f:01:
+         62:91:48:52:36:94:1a:fa:ec:d2:e0:c6:5b:22:52:42:80:ab:
+         4b:0a:d4:9a:cb:60:7c:bb:d0:d2:3e:73:88:4d:97:21:e9:fb:
+         43:80:bf:59:96:8f:b1:52:65:13:db:4a:4e:22:6a:8e:af:f2:
+         91:e3:6c:4c
 -----BEGIN CERTIFICATE-----
 MIIE0zCCA7ugAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluSC1JQ0EzLXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NVoXDTIzMTEwNzE5NDk1NVowgaExCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgaExCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMR0wGwYDVQQD
 DBRjaGFpbkgtSUNBMi1wYXRobGVuMjEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm
@@ -80,10 +80,10 @@ oTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1Nl
 YXR0bGUxFTATBgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJp
 bmcxHTAbBgNVBAMMFGNoYWluSC1JQ0E0LXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkB
 FhBpbmZvQHdvbGZzc2wuY29tggFkMA8GA1UdEwQIMAYBAf8CAQIwCwYDVR0PBAQD
-AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAZpugnoDnShlRjdoWRPT2XZU/ilvHLZHsH
-s7Q6CfCNn8ucb6vMaUo9tCYBwDejI1agmVGdozMjWGW8iwi+UmLvjnTtyNCI7rYU
-wApj8wNs3/mSS7ZTbIY5OzE+abftrgzfLwDrj+0B75T0jcqpD+scBx9WAUoWaaCB
-UaQIdYnPl+dvA3ftIeyMKnhKinMxY8JPuEOt2F5gPRx/ifAI0WWae74i+3SpJWw4
-wvhmIq832sZYmcxiwkSOB3CfZGS8UlT2XiPatYRF00wAIgpD8U3wUHd4+gFMIwgm
-rNNwmdvuDcxXqieqX23tOyqPm3r6guf5QW3kYTp1LE7zLHy5wg8j
+AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBaGDYOAjO4qn2iZ6IwIrDx0GnZ2RNTT3Sx
+jW+32WJ4XOaXUQKsP1QCvNt+sTEM5b9+/7/u1XPQpUHHvJhLNYZEtMvr2K4XxVVG
+XWbBBpe+KOcj3GDQ3RT8F/0e7WH3HETe5xlSKqPsjkd+EGbzueTV7i/Vz6NYBnKZ
+Oycr9f5G7ReudoU2OVzHp/UIxd854aduINRaNJ7xxZfr15kuFcY1ZCvh+SJzxoMw
+TFsKnw1qSNptsF20e503rGdh9+BTzBUk5YGLnwFikUhSNpQa+uzS4MZbIlJCgKtL
+CtSay2B8u9DSPnOITZch6ftDgL9Zlo+xUmUT20pOImqOr/KR42xM
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainH-ICA3-pathlen2.pem b/certs/test-pathlen/chainH-ICA3-pathlen2.pem
index 836af52b2..20b6e7ebd 100644
--- a/certs/test-pathlen/chainH-ICA3-pathlen2.pem
+++ b/certs/test-pathlen/chainH-ICA3-pathlen2.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainH-ICA4-pathlen2/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainH-ICA4-pathlen2, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainH-ICA3-pathlen2/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainH-ICA3-pathlen2, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:b7:b3:1a:1b:4a:80:1b:a2:e5:95:14:bc:55:e4:
                     77:dc:f3:7b:8a:9f:34:7c:93:db:c9:c9:d0:8b:b8:
@@ -44,27 +44,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         31:21:a9:63:af:5f:5d:49:3f:34:d3:19:1b:f9:88:c1:a9:87:
-         88:4e:60:9d:72:d3:7f:be:6a:54:73:46:4a:84:7c:ce:8d:7d:
-         3b:d5:7d:e9:43:69:35:dc:d8:65:2e:49:5b:cd:10:33:20:40:
-         9a:ba:71:64:6e:7a:50:f5:49:82:5f:75:31:66:77:11:d2:78:
-         7b:26:ec:ed:12:e0:44:e1:c4:ae:36:d1:ed:f6:40:51:84:14:
-         22:2d:7b:23:27:eb:ee:76:b0:84:57:61:46:58:f0:46:74:94:
-         36:49:e4:f0:cb:6a:a5:c8:68:db:76:f5:f1:e0:4b:98:18:d7:
-         2d:ad:f6:6b:38:f6:af:c1:e5:d9:b0:d4:af:ce:d0:09:af:14:
-         99:b1:e9:e7:4c:c2:ea:3a:75:a3:e1:04:20:35:bd:41:e3:73:
-         bc:5a:b4:d5:a5:d6:87:c4:89:20:1e:27:98:90:80:81:3f:45:
-         10:5d:35:ee:d1:6d:2c:c3:d7:27:35:6b:56:6c:cb:b2:21:b7:
-         fc:15:c4:ea:24:84:2e:ba:60:98:ed:7c:0c:93:dc:a7:59:d7:
-         b5:d2:8a:05:7f:42:f5:bc:0b:92:6c:99:08:eb:8a:30:3b:d8:
-         1a:a2:c4:f4:6e:c3:a5:1d:83:a0:40:47:35:0e:21:59:0d:bf:
-         8a:be:ae:dd
+         6b:f3:44:8b:f9:5d:a8:c0:26:49:f1:51:f0:be:72:53:5d:73:
+         d7:a2:a2:58:e0:6c:93:68:03:3d:cc:0b:70:27:48:6c:c7:34:
+         0e:6b:32:02:d0:c1:65:99:c0:ed:b4:b0:ef:f1:09:0c:8e:5c:
+         b0:3b:79:7d:eb:a3:7c:a7:4c:8e:01:b2:b3:f5:53:64:3d:9b:
+         2d:35:89:2e:7b:68:df:f2:86:e5:f5:50:f8:e0:57:80:ac:b1:
+         96:7d:5f:84:f1:88:07:bb:eb:be:c8:a0:26:9d:88:9b:f5:45:
+         2f:e5:75:01:77:55:fd:46:d6:7a:a1:85:26:a2:4c:43:cd:7b:
+         30:4a:e2:8f:62:ed:e0:32:0f:21:3c:94:67:89:5c:81:d9:bb:
+         9d:d6:c5:ca:95:86:e5:b9:b1:67:94:2e:e7:64:cd:14:65:0e:
+         da:13:54:85:53:c4:e8:01:e5:54:e3:52:8c:ac:17:cf:01:02:
+         90:c7:92:c0:1a:cb:c4:05:38:08:aa:27:e7:bd:6a:89:28:e4:
+         a8:b4:17:30:72:0a:18:a7:20:91:fc:27:74:66:c4:5d:14:6e:
+         b1:6c:94:dd:74:67:f8:7e:c2:a2:0e:a6:38:7d:3f:ba:ae:ec:
+         e6:b1:81:6c:46:49:2c:06:66:ca:56:9c:a9:27:36:a1:a3:3d:
+         ba:4c:7d:d5
 -----BEGIN CERTIFICATE-----
 MIIExjCCA66gAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluSC1JQ0E0LXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NVoXDTIzMTEwNzE5NDk1NVowgaExCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgaExCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMR0wGwYDVQQD
 DBRjaGFpbkgtSUNBMy1wYXRobGVuMjEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm
@@ -80,10 +80,10 @@ lDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVt
 YW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYD
 VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
 bC5jb22CAWQwDwYDVR0TBAgwBgEB/wIBAjALBgNVHQ8EBAMCAQYwDQYJKoZIhvcN
-AQELBQADggEBADEhqWOvX11JPzTTGRv5iMGph4hOYJ1y03++alRzRkqEfM6NfTvV
-felDaTXc2GUuSVvNEDMgQJq6cWRuelD1SYJfdTFmdxHSeHsm7O0S4EThxK420e32
-QFGEFCIteyMn6+52sIRXYUZY8EZ0lDZJ5PDLaqXIaNt29fHgS5gY1y2t9ms49q/B
-5dmw1K/O0AmvFJmx6edMwuo6daPhBCA1vUHjc7xatNWl1ofEiSAeJ5iQgIE/RRBd
-Ne7RbSzD1yc1a1Zsy7Iht/wVxOokhC66YJjtfAyT3KdZ17XSigV/QvW8C5JsmQjr
-ijA72BqixPRuw6Udg6BARzUOIVkNv4q+rt0=
+AQELBQADggEBAGvzRIv5XajAJknxUfC+clNdc9eioljgbJNoAz3MC3AnSGzHNA5r
+MgLQwWWZwO20sO/xCQyOXLA7eX3ro3ynTI4BsrP1U2Q9my01iS57aN/yhuX1UPjg
+V4CssZZ9X4TxiAe7677IoCadiJv1RS/ldQF3Vf1G1nqhhSaiTEPNezBK4o9i7eAy
+DyE8lGeJXIHZu53WxcqVhuW5sWeULudkzRRlDtoTVIVTxOgB5VTjUoysF88BApDH
+ksAay8QFOAiqJ+e9aoko5Ki0FzByChinIJH8J3RmxF0UbrFslN10Z/h+wqIOpjh9
+P7qu7OaxgWxGSSwGZspWnKknNqGjPbpMfdU=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainH-ICA4-pathlen2.pem b/certs/test-pathlen/chainH-ICA4-pathlen2.pem
index e243cbd55..b92e8dc6b 100644
--- a/certs/test-pathlen/chainH-ICA4-pathlen2.pem
+++ b/certs/test-pathlen/chainH-ICA4-pathlen2.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainH-ICA4-pathlen2/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainH-ICA4-pathlen2, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:bb:f3:2f:8a:cd:9e:87:f1:01:f3:a4:c0:2d:66:
                     36:d7:11:2e:64:08:e8:f1:99:fa:a6:9c:f4:bd:3b:
@@ -37,34 +37,34 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE, pathlen:2
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         49:c6:df:ce:fc:71:3e:a5:1b:27:1c:e4:9e:bb:04:fa:93:17:
-         6d:79:c8:8f:ee:08:6e:59:57:b6:f9:5a:a2:21:1a:3e:a7:a1:
-         0c:0d:3f:30:70:57:15:55:4c:95:e4:e1:3e:99:ce:9e:4a:a6:
-         c3:56:22:1d:a1:23:bc:fc:25:c8:5a:84:74:a1:0e:dd:70:59:
-         a8:36:29:14:bf:ff:ce:c5:6e:12:c4:2d:fb:13:63:66:29:63:
-         63:83:f3:ab:a0:7f:12:aa:5c:58:70:3a:9d:ae:26:ec:ec:d3:
-         31:07:41:17:cc:14:15:8e:d5:45:49:d8:f2:ec:4d:46:db:2b:
-         69:15:c5:99:23:6b:dc:31:c7:d6:53:b3:d2:65:fc:17:f5:19:
-         ae:d9:95:aa:1e:9b:1b:cf:18:61:c9:e1:17:d4:fa:d7:e1:a3:
-         cf:b5:09:ce:ed:9b:3c:41:c8:88:99:a2:ab:f0:55:86:78:8d:
-         07:44:25:c5:23:11:6e:fe:db:92:6f:35:96:ba:a1:01:f9:ab:
-         da:d2:29:c8:70:d0:b9:fe:c1:8d:72:67:ec:0a:d0:75:e5:01:
-         9d:d3:f9:01:ea:06:27:6f:21:99:e5:46:d8:fc:65:0d:9c:72:
-         25:82:1e:f6:43:d6:e8:08:b1:8f:d2:a9:c8:bf:05:ab:5c:80:
-         72:6c:ac:a4
+         38:88:02:e8:dd:ee:7e:5a:33:74:e7:46:eb:9f:39:d3:10:a9:
+         07:59:53:54:d7:47:57:7d:6a:47:1e:c4:09:7e:b2:33:72:39:
+         e6:11:32:ec:1e:15:18:63:23:07:e9:34:b7:82:55:45:d4:63:
+         d5:7b:d2:60:06:b2:d5:9d:00:7f:0d:55:07:78:57:ab:b5:65:
+         0a:4d:f8:73:04:41:aa:0d:0d:bf:61:7b:4c:89:91:a9:15:9e:
+         fa:07:76:1c:20:3c:43:28:7b:91:f0:cf:70:a7:38:ae:b3:d0:
+         63:ea:90:b6:ee:09:92:70:26:47:11:3d:f2:26:a4:de:7e:81:
+         f2:f4:e5:4d:1b:a5:93:72:13:4c:3c:73:98:02:5e:b3:9f:95:
+         22:80:c0:65:f6:d6:0d:6d:93:95:bf:05:4b:ae:a8:59:4c:e1:
+         b1:79:41:98:cf:15:23:11:f5:d1:ee:95:d3:26:f0:37:05:33:
+         3f:d9:0b:7b:ac:b4:d3:fa:39:f8:4c:7d:4b:33:fd:14:2d:33:
+         cf:60:65:4f:ec:f7:02:b9:48:65:76:49:6a:5c:5f:ea:08:3f:
+         3c:bd:f2:97:37:04:23:4a:06:41:83:ea:14:44:b4:93:65:61:
+         ac:d6:e8:f6:e7:13:55:62:c9:70:1e:e0:fe:fb:ea:2d:57:c0:
+         75:b7:36:40
 -----BEGIN CERTIFICATE-----
-MIIEwTCCA6mgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEzDCCA7SgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTU1WhcNMjMxMTA3MTk0OTU1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoMDHdvbGZTU0wg
 SW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNoYWluSC1JQ0E0
 LXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN
@@ -74,16 +74,16 @@ N6kYdo3+ywlUP0+7X6u6cOm0oV6gaX5FP8DMeOnydGR5wmoW0JgwgkRKs5ksZjCs
 mYIEKr8PYIkENvop0whWYWqoM0CaU30gqFFvm6DZPtyaix03nq3J/VOnBNwfNj7T
 ZVKEJGHQTuJBYL/7/bIEsz/rFJlevOh96WXRP/4ESeW7oy3j25bf2YGgMtcBubgC
 jrmiHwrUJBc6GQ9tOhBfXH24VoLHf0DwLYdjwbHYZMc8JxNKY4IhsfI56QIDAQAB
-o4IBDTCCAQkwHQYDVR0OBBYEFBhtRIPuH+y0IvCc61QeShVYAaoTMIHJBgNVHSME
-gcEwgb6AFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
+o4IBGDCCARQwHQYDVR0OBBYEFBhtRIPuH+y0IvCc61QeShVYAaoTMIHUBgNVHSME
+gcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
 UzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwI
 U2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xm
-c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIJAKrTP6wY
-CjdNMA8GA1UdEwQIMAYBAf8CAQIwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUA
-A4IBAQBJxt/O/HE+pRsnHOSeuwT6kxdteciP7ghuWVe2+VqiIRo+p6EMDT8wcFcV
-VUyV5OE+mc6eSqbDViIdoSO8/CXIWoR0oQ7dcFmoNikUv//OxW4SxC37E2NmKWNj
-g/OroH8SqlxYcDqdribs7NMxB0EXzBQVjtVFSdjy7E1G2ytpFcWZI2vcMcfWU7PS
-ZfwX9Rmu2ZWqHpsbzxhhyeEX1PrX4aPPtQnO7Zs8QciImaKr8FWGeI0HRCXFIxFu
-/tuSbzWWuqEB+ava0inIcNC5/sGNcmfsCtB15QGd0/kB6gYnbyGZ5UbY/GUNnHIl
-gh72Q9boCLGP0qnIvwWrXIBybKyk
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUfZRwiLoH
+Qo2qr0++whpI8NFA5kIwDwYDVR0TBAgwBgEB/wIBAjALBgNVHQ8EBAMCAQYwDQYJ
+KoZIhvcNAQELBQADggEBADiIAujd7n5aM3TnRuufOdMQqQdZU1TXR1d9akcexAl+
+sjNyOeYRMuweFRhjIwfpNLeCVUXUY9V70mAGstWdAH8NVQd4V6u1ZQpN+HMEQaoN
+Db9he0yJkakVnvoHdhwgPEMoe5Hwz3CnOK6z0GPqkLbuCZJwJkcRPfImpN5+gfL0
+5U0bpZNyE0w8c5gCXrOflSKAwGX21g1tk5W/BUuuqFlM4bF5QZjPFSMR9dHuldMm
+8DcFMz/ZC3ustNP6OfhMfUsz/RQtM89gZU/s9wK5SGV2SWpcX+oIPzy98pc3BCNK
+BkGD6hREtJNlYazW6PbnE1ViyXAe4P776i1XwHW3NkA=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainH-assembled.pem b/certs/test-pathlen/chainH-assembled.pem
index 7fd29d571..ddb3edfa3 100644
--- a/certs/test-pathlen/chainH-assembled.pem
+++ b/certs/test-pathlen/chainH-assembled.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 101 (0x65)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainH-ICA1-pathlen0/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainH-ICA1-pathlen0, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainH-entity/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainH-entity, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:ba:ed:ab:c0:0d:92:6c:10:e4:50:9f:7c:98:cc:
                     87:fd:28:34:77:c0:58:28:52:2c:28:97:80:ec:78:
@@ -42,27 +42,27 @@ Certificate:
             X509v3 Basic Constraints: 
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         14:a2:2d:29:5a:25:93:ee:26:f8:bc:57:3b:40:a9:f8:b1:1f:
-         73:15:57:e9:9b:1c:0b:ee:97:7d:a5:f1:51:7c:93:9e:ec:d4:
-         aa:5d:65:16:20:a2:71:2c:61:32:5d:1e:0d:c2:cd:b2:ba:8b:
-         ad:c5:ae:77:1a:e5:ff:72:3f:af:4f:37:0d:8b:2b:00:08:39:
-         d4:08:eb:68:0b:42:4f:7d:2a:12:b9:bb:f7:f0:14:48:c4:49:
-         44:a9:77:81:34:74:28:b4:bd:6d:ce:0a:ad:d3:72:48:66:d6:
-         80:b1:b5:ed:6a:66:11:eb:2a:18:ed:da:67:1e:f8:31:33:77:
-         a9:a6:b4:14:8d:ac:2b:a0:46:79:38:75:1c:82:43:e3:d5:10:
-         f1:7f:87:44:c2:40:a4:2b:0b:eb:cb:9b:bf:7e:fb:cb:9d:c7:
-         86:f8:95:a9:42:ef:58:be:f8:7e:94:51:15:94:57:88:34:60:
-         2e:2e:75:d9:20:95:a1:72:eb:87:8c:c3:63:02:7c:f5:17:c9:
-         dd:39:06:b0:a8:8b:fb:bf:32:5c:e6:8d:32:4a:9f:b9:ba:19:
-         6b:6e:98:36:0a:80:5a:06:9f:6a:7d:68:f6:5c:e7:89:7f:d3:
-         32:b8:35:04:91:5a:41:1e:dc:41:fc:63:bd:5a:36:42:25:a7:
-         92:8b:2c:a7
+         3e:3a:7a:1f:07:bd:a2:e5:5c:7b:66:5a:bd:e0:c1:0d:5e:41:
+         13:fe:75:6c:a5:e8:50:13:04:02:26:f0:ab:fe:0e:4e:f1:8a:
+         1b:21:0a:5a:a4:4c:1c:3a:0d:92:37:63:46:b5:57:77:89:ba:
+         b0:33:44:a8:05:a4:52:d9:19:7c:15:f7:1d:c9:dc:3c:70:7f:
+         d4:99:1e:00:82:00:06:3b:4b:5f:2a:aa:4a:74:06:40:c9:2b:
+         18:3d:d1:8c:05:76:69:39:f7:55:20:88:64:94:71:95:9d:f3:
+         ab:98:3e:71:c5:6f:0b:22:9f:70:d6:f9:03:cf:5b:18:0d:01:
+         60:db:22:e8:36:48:9b:4f:1e:b5:83:20:6f:96:db:72:bc:a3:
+         fc:b7:6b:25:04:df:42:d2:94:5f:b0:f3:c8:26:2a:6a:d9:74:
+         fc:46:0a:68:66:bc:c3:1f:0b:52:b3:2a:d9:25:97:f4:b6:72:
+         db:95:29:92:c3:1e:dc:43:90:d3:f0:2b:49:ac:e0:cb:dc:ca:
+         39:2b:a1:c9:61:5a:8b:4d:7e:3c:8e:50:8a:0d:f2:d9:2d:8d:
+         b7:76:18:ac:94:38:a5:ac:d7:99:f0:1f:cb:6d:66:53:14:97:
+         b5:07:fd:c8:12:68:f6:43:96:ec:c7:59:55:fe:f0:5d:ba:2b:
+         70:c1:2d:ee
 -----BEGIN CERTIFICATE-----
 MIIEtzCCA5+gAwIBAgIBZTANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluSC1JQ0ExLXBhdGhsZW4wMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NVoXDTIzMTEwNzE5NDk1NVowgZoxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgZoxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRYwFAYDVQQD
 DA1jaGFpbkgtZW50aXR5MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
@@ -77,27 +77,27 @@ VR0jBIHGMIHDgBRIgIco7+YoDwOb3zNIEKDlILNpUKGBp6SBpDCBoTELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNV
 BAMMFGNoYWluSC1JQ0EyLXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
-bGZzc2wuY29tggFkMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBABSiLSla
-JZPuJvi8VztAqfixH3MVV+mbHAvul32l8VF8k57s1KpdZRYgonEsYTJdHg3CzbK6
-i63Frnca5f9yP69PNw2LKwAIOdQI62gLQk99KhK5u/fwFEjESUSpd4E0dCi0vW3O
-Cq3Tckhm1oCxte1qZhHrKhjt2mce+DEzd6mmtBSNrCugRnk4dRyCQ+PVEPF/h0TC
-QKQrC+vLm79++8udx4b4lalC71i++H6UURWUV4g0YC4uddkglaFy64eMw2MCfPUX
-yd05BrCoi/u/MlzmjTJKn7m6GWtumDYKgFoGn2p9aPZc54l/0zK4NQSRWkEe3EH8
-Y71aNkIlp5KLLKc=
+bGZzc2wuY29tggFkMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAD46eh8H
+vaLlXHtmWr3gwQ1eQRP+dWyl6FATBAIm8Kv+Dk7xihshClqkTBw6DZI3Y0a1V3eJ
+urAzRKgFpFLZGXwV9x3J3Dxwf9SZHgCCAAY7S18qqkp0BkDJKxg90YwFdmk591Ug
+iGSUcZWd86uYPnHFbwsin3DW+QPPWxgNAWDbIug2SJtPHrWDIG+W23K8o/y3ayUE
+30LSlF+w88gmKmrZdPxGCmhmvMMfC1KzKtkll/S2ctuVKZLDHtxDkNPwK0ms4Mvc
+yjkroclhWotNfjyOUIoN8tktjbd2GKyUOKWs15nwH8ttZlMUl7UH/cgSaPZDluzH
+WVX+8F26K3DBLe4=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainH-ICA2-pathlen2/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainH-ICA2-pathlen2, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainH-ICA1-pathlen0/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainH-ICA1-pathlen0, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:c7:f4:a6:7e:f2:cb:4f:6e:04:18:d3:53:d5:cf:
                     bf:7e:97:d1:74:94:fe:db:ad:61:3f:12:20:67:f3:
@@ -131,27 +131,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         9f:9b:2c:00:4d:4c:62:f6:75:de:56:fe:15:df:1e:74:11:1c:
-         33:0e:84:40:04:4a:d3:9b:20:3a:1c:b2:c0:20:2f:71:f5:d6:
-         f6:71:f3:a9:9e:f3:a3:e3:0f:fe:d8:97:24:bc:18:0b:54:38:
-         d2:e5:d4:1d:74:d3:f9:19:a1:e5:5d:7e:61:bb:fb:cd:8b:aa:
-         8b:dc:9a:47:5a:ed:e3:57:46:a7:cc:32:5e:71:1d:9b:2b:ad:
-         a1:60:43:b3:be:80:31:a1:7d:2a:ab:a7:d8:3a:b5:62:95:c5:
-         31:24:87:30:1f:fc:41:72:d7:b0:99:df:6c:b5:4c:14:dc:d9:
-         4b:0b:a0:90:8b:11:a6:e5:4d:43:17:54:db:a7:4b:fe:1e:65:
-         37:f2:1d:f3:6d:f0:6d:1e:13:d3:d0:a9:0c:39:f5:34:07:51:
-         d2:19:f2:8e:a9:51:77:c7:b0:69:05:dc:44:66:0e:25:e6:78:
-         9f:4c:4a:8d:c9:f4:66:4a:e4:60:fd:fa:13:73:2a:46:ce:3b:
-         aa:f2:89:0d:68:68:75:78:d3:f5:a0:c2:72:16:6c:3c:82:bd:
-         dd:1c:f7:65:dc:52:00:0e:24:d6:42:df:f5:60:24:9d:06:e6:
-         1c:1d:e1:81:23:47:8b:66:a3:c2:49:c1:15:df:13:8b:83:3f:
-         89:1d:42:ba
+         c6:28:f9:c3:81:a4:93:be:43:7c:95:db:e5:cf:fe:0b:1a:1f:
+         d3:f4:e5:d8:35:77:ee:35:69:16:c9:b5:9c:5a:9b:82:70:41:
+         f4:c2:e5:ea:dc:9f:3c:06:6e:2e:71:e6:ff:50:42:39:50:57:
+         1a:2d:d3:d7:58:83:08:5d:5b:77:58:13:11:f0:66:2b:2c:2a:
+         e8:1e:e2:a5:d7:e7:c3:3e:83:ae:29:86:ef:29:78:c5:58:b1:
+         ef:8f:3f:6d:2f:d4:a0:2f:4f:1f:e7:34:33:c9:b5:57:f4:e8:
+         be:45:4b:c1:ed:a2:89:c3:05:08:d8:a9:37:df:13:b0:78:ad:
+         eb:18:d1:be:24:f4:1d:64:a1:87:f6:9a:53:48:bc:20:79:49:
+         0b:b6:93:db:0b:6f:f5:18:d5:89:ae:39:18:32:a0:a7:e8:65:
+         98:75:46:b9:15:1c:f4:11:c2:de:65:10:17:c3:24:b9:d1:fa:
+         e8:e6:99:cc:aa:fe:1b:17:0a:9c:a1:72:63:4c:4e:99:57:24:
+         cf:b9:df:ad:7b:1a:a7:63:53:aa:85:c5:68:64:6c:e0:29:e8:
+         ad:1e:a3:d2:74:7d:10:03:6d:11:48:6a:f0:60:39:69:7f:01:
+         0a:a3:e4:0d:f2:64:2c:59:3d:20:19:d1:b1:27:8d:cd:d5:eb:
+         fe:b2:97:09
 -----BEGIN CERTIFICATE-----
 MIIE0zCCA7ugAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluSC1JQ0EyLXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NVoXDTIzMTEwNzE5NDk1NVowgaExCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgaExCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMR0wGwYDVQQD
 DBRjaGFpbkgtSUNBMS1wYXRobGVuMDEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm
@@ -167,26 +167,26 @@ oTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1Nl
 YXR0bGUxFTATBgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJp
 bmcxHTAbBgNVBAMMFGNoYWluSC1JQ0EzLXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkB
 FhBpbmZvQHdvbGZzc2wuY29tggFkMA8GA1UdEwQIMAYBAf8CAQAwCwYDVR0PBAQD
-AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCfmywATUxi9nXeVv4V3x50ERwzDoRABErT
-myA6HLLAIC9x9db2cfOpnvOj4w/+2JckvBgLVDjS5dQddNP5GaHlXX5hu/vNi6qL
-3JpHWu3jV0anzDJecR2bK62hYEOzvoAxoX0qq6fYOrVilcUxJIcwH/xBctewmd9s
-tUwU3NlLC6CQixGm5U1DF1Tbp0v+HmU38h3zbfBtHhPT0KkMOfU0B1HSGfKOqVF3
-x7BpBdxEZg4l5nifTEqNyfRmSuRg/foTcypGzjuq8okNaGh1eNP1oMJyFmw8gr3d
-HPdl3FIADiTWQt/1YCSdBuYcHeGBI0eLZqPCScEV3xOLgz+JHUK6
+AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQDGKPnDgaSTvkN8ldvlz/4LGh/T9OXYNXfu
+NWkWybWcWpuCcEH0wuXq3J88Bm4uceb/UEI5UFcaLdPXWIMIXVt3WBMR8GYrLCro
+HuKl1+fDPoOuKYbvKXjFWLHvjz9tL9SgL08f5zQzybVX9Oi+RUvB7aKJwwUI2Kk3
+3xOweK3rGNG+JPQdZKGH9ppTSLwgeUkLtpPbC2/1GNWJrjkYMqCn6GWYdUa5FRz0
+EcLeZRAXwyS50fro5pnMqv4bFwqcoXJjTE6ZVyTPud+texqnY1OqhcVoZGzgKeit
+HqPSdH0QA20RSGrwYDlpfwEKo+QN8mQsWT0gGdGxJ43N1ev+spcJ
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainH-ICA3-pathlen2/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainH-ICA3-pathlen2, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainH-ICA2-pathlen2/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainH-ICA2-pathlen2, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d9:b5:af:4b:ba:83:03:23:df:50:28:a8:c2:0c:
                     2c:f0:04:cb:2d:04:9b:1e:f5:f4:68:bc:d4:8e:b4:
@@ -220,27 +220,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         19:a6:e8:27:a0:39:d2:86:54:63:76:85:91:3d:3d:97:65:4f:
-         e2:96:f1:cb:64:7b:07:b3:b4:3a:09:f0:8d:9f:cb:9c:6f:ab:
-         cc:69:4a:3d:b4:26:01:c0:37:a3:23:56:a0:99:51:9d:a3:33:
-         23:58:65:bc:8b:08:be:52:62:ef:8e:74:ed:c8:d0:88:ee:b6:
-         14:c0:0a:63:f3:03:6c:df:f9:92:4b:b6:53:6c:86:39:3b:31:
-         3e:69:b7:ed:ae:0c:df:2f:00:eb:8f:ed:01:ef:94:f4:8d:ca:
-         a9:0f:eb:1c:07:1f:56:01:4a:16:69:a0:81:51:a4:08:75:89:
-         cf:97:e7:6f:03:77:ed:21:ec:8c:2a:78:4a:8a:73:31:63:c2:
-         4f:b8:43:ad:d8:5e:60:3d:1c:7f:89:f0:08:d1:65:9a:7b:be:
-         22:fb:74:a9:25:6c:38:c2:f8:66:22:af:37:da:c6:58:99:cc:
-         62:c2:44:8e:07:70:9f:64:64:bc:52:54:f6:5e:23:da:b5:84:
-         45:d3:4c:00:22:0a:43:f1:4d:f0:50:77:78:fa:01:4c:23:08:
-         26:ac:d3:70:99:db:ee:0d:cc:57:aa:27:aa:5f:6d:ed:3b:2a:
-         8f:9b:7a:fa:82:e7:f9:41:6d:e4:61:3a:75:2c:4e:f3:2c:7c:
-         b9:c2:0f:23
+         5a:18:36:0e:02:33:b8:aa:7d:a2:67:a2:30:22:b0:f1:d0:69:
+         d9:d9:13:53:4f:74:b1:8d:6f:b7:d9:62:78:5c:e6:97:51:02:
+         ac:3f:54:02:bc:db:7e:b1:31:0c:e5:bf:7e:ff:bf:ee:d5:73:
+         d0:a5:41:c7:bc:98:4b:35:86:44:b4:cb:eb:d8:ae:17:c5:55:
+         46:5d:66:c1:06:97:be:28:e7:23:dc:60:d0:dd:14:fc:17:fd:
+         1e:ed:61:f7:1c:44:de:e7:19:52:2a:a3:ec:8e:47:7e:10:66:
+         f3:b9:e4:d5:ee:2f:d5:cf:a3:58:06:72:99:3b:27:2b:f5:fe:
+         46:ed:17:ae:76:85:36:39:5c:c7:a7:f5:08:c5:df:39:e1:a7:
+         6e:20:d4:5a:34:9e:f1:c5:97:eb:d7:99:2e:15:c6:35:64:2b:
+         e1:f9:22:73:c6:83:30:4c:5b:0a:9f:0d:6a:48:da:6d:b0:5d:
+         b4:7b:9d:37:ac:67:61:f7:e0:53:cc:15:24:e5:81:8b:9f:01:
+         62:91:48:52:36:94:1a:fa:ec:d2:e0:c6:5b:22:52:42:80:ab:
+         4b:0a:d4:9a:cb:60:7c:bb:d0:d2:3e:73:88:4d:97:21:e9:fb:
+         43:80:bf:59:96:8f:b1:52:65:13:db:4a:4e:22:6a:8e:af:f2:
+         91:e3:6c:4c
 -----BEGIN CERTIFICATE-----
 MIIE0zCCA7ugAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluSC1JQ0EzLXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NVoXDTIzMTEwNzE5NDk1NVowgaExCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgaExCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMR0wGwYDVQQD
 DBRjaGFpbkgtSUNBMi1wYXRobGVuMjEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm
@@ -256,26 +256,26 @@ oTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1Nl
 YXR0bGUxFTATBgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJp
 bmcxHTAbBgNVBAMMFGNoYWluSC1JQ0E0LXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkB
 FhBpbmZvQHdvbGZzc2wuY29tggFkMA8GA1UdEwQIMAYBAf8CAQIwCwYDVR0PBAQD
-AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAZpugnoDnShlRjdoWRPT2XZU/ilvHLZHsH
-s7Q6CfCNn8ucb6vMaUo9tCYBwDejI1agmVGdozMjWGW8iwi+UmLvjnTtyNCI7rYU
-wApj8wNs3/mSS7ZTbIY5OzE+abftrgzfLwDrj+0B75T0jcqpD+scBx9WAUoWaaCB
-UaQIdYnPl+dvA3ftIeyMKnhKinMxY8JPuEOt2F5gPRx/ifAI0WWae74i+3SpJWw4
-wvhmIq832sZYmcxiwkSOB3CfZGS8UlT2XiPatYRF00wAIgpD8U3wUHd4+gFMIwgm
-rNNwmdvuDcxXqieqX23tOyqPm3r6guf5QW3kYTp1LE7zLHy5wg8j
+AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBaGDYOAjO4qn2iZ6IwIrDx0GnZ2RNTT3Sx
+jW+32WJ4XOaXUQKsP1QCvNt+sTEM5b9+/7/u1XPQpUHHvJhLNYZEtMvr2K4XxVVG
+XWbBBpe+KOcj3GDQ3RT8F/0e7WH3HETe5xlSKqPsjkd+EGbzueTV7i/Vz6NYBnKZ
+Oycr9f5G7ReudoU2OVzHp/UIxd854aduINRaNJ7xxZfr15kuFcY1ZCvh+SJzxoMw
+TFsKnw1qSNptsF20e503rGdh9+BTzBUk5YGLnwFikUhSNpQa+uzS4MZbIlJCgKtL
+CtSay2B8u9DSPnOITZch6ftDgL9Zlo+xUmUT20pOImqOr/KR42xM
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainH-ICA4-pathlen2/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainH-ICA4-pathlen2, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainH-ICA3-pathlen2/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainH-ICA3-pathlen2, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:b7:b3:1a:1b:4a:80:1b:a2:e5:95:14:bc:55:e4:
                     77:dc:f3:7b:8a:9f:34:7c:93:db:c9:c9:d0:8b:b8:
@@ -309,27 +309,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         31:21:a9:63:af:5f:5d:49:3f:34:d3:19:1b:f9:88:c1:a9:87:
-         88:4e:60:9d:72:d3:7f:be:6a:54:73:46:4a:84:7c:ce:8d:7d:
-         3b:d5:7d:e9:43:69:35:dc:d8:65:2e:49:5b:cd:10:33:20:40:
-         9a:ba:71:64:6e:7a:50:f5:49:82:5f:75:31:66:77:11:d2:78:
-         7b:26:ec:ed:12:e0:44:e1:c4:ae:36:d1:ed:f6:40:51:84:14:
-         22:2d:7b:23:27:eb:ee:76:b0:84:57:61:46:58:f0:46:74:94:
-         36:49:e4:f0:cb:6a:a5:c8:68:db:76:f5:f1:e0:4b:98:18:d7:
-         2d:ad:f6:6b:38:f6:af:c1:e5:d9:b0:d4:af:ce:d0:09:af:14:
-         99:b1:e9:e7:4c:c2:ea:3a:75:a3:e1:04:20:35:bd:41:e3:73:
-         bc:5a:b4:d5:a5:d6:87:c4:89:20:1e:27:98:90:80:81:3f:45:
-         10:5d:35:ee:d1:6d:2c:c3:d7:27:35:6b:56:6c:cb:b2:21:b7:
-         fc:15:c4:ea:24:84:2e:ba:60:98:ed:7c:0c:93:dc:a7:59:d7:
-         b5:d2:8a:05:7f:42:f5:bc:0b:92:6c:99:08:eb:8a:30:3b:d8:
-         1a:a2:c4:f4:6e:c3:a5:1d:83:a0:40:47:35:0e:21:59:0d:bf:
-         8a:be:ae:dd
+         6b:f3:44:8b:f9:5d:a8:c0:26:49:f1:51:f0:be:72:53:5d:73:
+         d7:a2:a2:58:e0:6c:93:68:03:3d:cc:0b:70:27:48:6c:c7:34:
+         0e:6b:32:02:d0:c1:65:99:c0:ed:b4:b0:ef:f1:09:0c:8e:5c:
+         b0:3b:79:7d:eb:a3:7c:a7:4c:8e:01:b2:b3:f5:53:64:3d:9b:
+         2d:35:89:2e:7b:68:df:f2:86:e5:f5:50:f8:e0:57:80:ac:b1:
+         96:7d:5f:84:f1:88:07:bb:eb:be:c8:a0:26:9d:88:9b:f5:45:
+         2f:e5:75:01:77:55:fd:46:d6:7a:a1:85:26:a2:4c:43:cd:7b:
+         30:4a:e2:8f:62:ed:e0:32:0f:21:3c:94:67:89:5c:81:d9:bb:
+         9d:d6:c5:ca:95:86:e5:b9:b1:67:94:2e:e7:64:cd:14:65:0e:
+         da:13:54:85:53:c4:e8:01:e5:54:e3:52:8c:ac:17:cf:01:02:
+         90:c7:92:c0:1a:cb:c4:05:38:08:aa:27:e7:bd:6a:89:28:e4:
+         a8:b4:17:30:72:0a:18:a7:20:91:fc:27:74:66:c4:5d:14:6e:
+         b1:6c:94:dd:74:67:f8:7e:c2:a2:0e:a6:38:7d:3f:ba:ae:ec:
+         e6:b1:81:6c:46:49:2c:06:66:ca:56:9c:a9:27:36:a1:a3:3d:
+         ba:4c:7d:d5
 -----BEGIN CERTIFICATE-----
 MIIExjCCA66gAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluSC1JQ0E0LXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NVoXDTIzMTEwNzE5NDk1NVowgaExCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgaExCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMR0wGwYDVQQD
 DBRjaGFpbkgtSUNBMy1wYXRobGVuMjEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm
@@ -345,26 +345,26 @@ lDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVt
 YW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYD
 VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
 bC5jb22CAWQwDwYDVR0TBAgwBgEB/wIBAjALBgNVHQ8EBAMCAQYwDQYJKoZIhvcN
-AQELBQADggEBADEhqWOvX11JPzTTGRv5iMGph4hOYJ1y03++alRzRkqEfM6NfTvV
-felDaTXc2GUuSVvNEDMgQJq6cWRuelD1SYJfdTFmdxHSeHsm7O0S4EThxK420e32
-QFGEFCIteyMn6+52sIRXYUZY8EZ0lDZJ5PDLaqXIaNt29fHgS5gY1y2t9ms49q/B
-5dmw1K/O0AmvFJmx6edMwuo6daPhBCA1vUHjc7xatNWl1ofEiSAeJ5iQgIE/RRBd
-Ne7RbSzD1yc1a1Zsy7Iht/wVxOokhC66YJjtfAyT3KdZ17XSigV/QvW8C5JsmQjr
-ijA72BqixPRuw6Udg6BARzUOIVkNv4q+rt0=
+AQELBQADggEBAGvzRIv5XajAJknxUfC+clNdc9eioljgbJNoAz3MC3AnSGzHNA5r
+MgLQwWWZwO20sO/xCQyOXLA7eX3ro3ynTI4BsrP1U2Q9my01iS57aN/yhuX1UPjg
+V4CssZZ9X4TxiAe7677IoCadiJv1RS/ldQF3Vf1G1nqhhSaiTEPNezBK4o9i7eAy
+DyE8lGeJXIHZu53WxcqVhuW5sWeULudkzRRlDtoTVIVTxOgB5VTjUoysF88BApDH
+ksAay8QFOAiqJ+e9aoko5Ki0FzByChinIJH8J3RmxF0UbrFslN10Z/h+wqIOpjh9
+P7qu7OaxgWxGSSwGZspWnKknNqGjPbpMfdU=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainH-ICA4-pathlen2/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainH-ICA4-pathlen2, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:bb:f3:2f:8a:cd:9e:87:f1:01:f3:a4:c0:2d:66:
                     36:d7:11:2e:64:08:e8:f1:99:fa:a6:9c:f4:bd:3b:
@@ -391,34 +391,34 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE, pathlen:2
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         49:c6:df:ce:fc:71:3e:a5:1b:27:1c:e4:9e:bb:04:fa:93:17:
-         6d:79:c8:8f:ee:08:6e:59:57:b6:f9:5a:a2:21:1a:3e:a7:a1:
-         0c:0d:3f:30:70:57:15:55:4c:95:e4:e1:3e:99:ce:9e:4a:a6:
-         c3:56:22:1d:a1:23:bc:fc:25:c8:5a:84:74:a1:0e:dd:70:59:
-         a8:36:29:14:bf:ff:ce:c5:6e:12:c4:2d:fb:13:63:66:29:63:
-         63:83:f3:ab:a0:7f:12:aa:5c:58:70:3a:9d:ae:26:ec:ec:d3:
-         31:07:41:17:cc:14:15:8e:d5:45:49:d8:f2:ec:4d:46:db:2b:
-         69:15:c5:99:23:6b:dc:31:c7:d6:53:b3:d2:65:fc:17:f5:19:
-         ae:d9:95:aa:1e:9b:1b:cf:18:61:c9:e1:17:d4:fa:d7:e1:a3:
-         cf:b5:09:ce:ed:9b:3c:41:c8:88:99:a2:ab:f0:55:86:78:8d:
-         07:44:25:c5:23:11:6e:fe:db:92:6f:35:96:ba:a1:01:f9:ab:
-         da:d2:29:c8:70:d0:b9:fe:c1:8d:72:67:ec:0a:d0:75:e5:01:
-         9d:d3:f9:01:ea:06:27:6f:21:99:e5:46:d8:fc:65:0d:9c:72:
-         25:82:1e:f6:43:d6:e8:08:b1:8f:d2:a9:c8:bf:05:ab:5c:80:
-         72:6c:ac:a4
+         38:88:02:e8:dd:ee:7e:5a:33:74:e7:46:eb:9f:39:d3:10:a9:
+         07:59:53:54:d7:47:57:7d:6a:47:1e:c4:09:7e:b2:33:72:39:
+         e6:11:32:ec:1e:15:18:63:23:07:e9:34:b7:82:55:45:d4:63:
+         d5:7b:d2:60:06:b2:d5:9d:00:7f:0d:55:07:78:57:ab:b5:65:
+         0a:4d:f8:73:04:41:aa:0d:0d:bf:61:7b:4c:89:91:a9:15:9e:
+         fa:07:76:1c:20:3c:43:28:7b:91:f0:cf:70:a7:38:ae:b3:d0:
+         63:ea:90:b6:ee:09:92:70:26:47:11:3d:f2:26:a4:de:7e:81:
+         f2:f4:e5:4d:1b:a5:93:72:13:4c:3c:73:98:02:5e:b3:9f:95:
+         22:80:c0:65:f6:d6:0d:6d:93:95:bf:05:4b:ae:a8:59:4c:e1:
+         b1:79:41:98:cf:15:23:11:f5:d1:ee:95:d3:26:f0:37:05:33:
+         3f:d9:0b:7b:ac:b4:d3:fa:39:f8:4c:7d:4b:33:fd:14:2d:33:
+         cf:60:65:4f:ec:f7:02:b9:48:65:76:49:6a:5c:5f:ea:08:3f:
+         3c:bd:f2:97:37:04:23:4a:06:41:83:ea:14:44:b4:93:65:61:
+         ac:d6:e8:f6:e7:13:55:62:c9:70:1e:e0:fe:fb:ea:2d:57:c0:
+         75:b7:36:40
 -----BEGIN CERTIFICATE-----
-MIIEwTCCA6mgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEzDCCA7SgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTU1WhcNMjMxMTA3MTk0OTU1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoMDHdvbGZTU0wg
 SW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNoYWluSC1JQ0E0
 LXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN
@@ -428,16 +428,16 @@ N6kYdo3+ywlUP0+7X6u6cOm0oV6gaX5FP8DMeOnydGR5wmoW0JgwgkRKs5ksZjCs
 mYIEKr8PYIkENvop0whWYWqoM0CaU30gqFFvm6DZPtyaix03nq3J/VOnBNwfNj7T
 ZVKEJGHQTuJBYL/7/bIEsz/rFJlevOh96WXRP/4ESeW7oy3j25bf2YGgMtcBubgC
 jrmiHwrUJBc6GQ9tOhBfXH24VoLHf0DwLYdjwbHYZMc8JxNKY4IhsfI56QIDAQAB
-o4IBDTCCAQkwHQYDVR0OBBYEFBhtRIPuH+y0IvCc61QeShVYAaoTMIHJBgNVHSME
-gcEwgb6AFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
+o4IBGDCCARQwHQYDVR0OBBYEFBhtRIPuH+y0IvCc61QeShVYAaoTMIHUBgNVHSME
+gcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
 UzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwI
 U2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xm
-c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIJAKrTP6wY
-CjdNMA8GA1UdEwQIMAYBAf8CAQIwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUA
-A4IBAQBJxt/O/HE+pRsnHOSeuwT6kxdteciP7ghuWVe2+VqiIRo+p6EMDT8wcFcV
-VUyV5OE+mc6eSqbDViIdoSO8/CXIWoR0oQ7dcFmoNikUv//OxW4SxC37E2NmKWNj
-g/OroH8SqlxYcDqdribs7NMxB0EXzBQVjtVFSdjy7E1G2ytpFcWZI2vcMcfWU7PS
-ZfwX9Rmu2ZWqHpsbzxhhyeEX1PrX4aPPtQnO7Zs8QciImaKr8FWGeI0HRCXFIxFu
-/tuSbzWWuqEB+ava0inIcNC5/sGNcmfsCtB15QGd0/kB6gYnbyGZ5UbY/GUNnHIl
-gh72Q9boCLGP0qnIvwWrXIBybKyk
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUfZRwiLoH
+Qo2qr0++whpI8NFA5kIwDwYDVR0TBAgwBgEB/wIBAjALBgNVHQ8EBAMCAQYwDQYJ
+KoZIhvcNAQELBQADggEBADiIAujd7n5aM3TnRuufOdMQqQdZU1TXR1d9akcexAl+
+sjNyOeYRMuweFRhjIwfpNLeCVUXUY9V70mAGstWdAH8NVQd4V6u1ZQpN+HMEQaoN
+Db9he0yJkakVnvoHdhwgPEMoe5Hwz3CnOK6z0GPqkLbuCZJwJkcRPfImpN5+gfL0
+5U0bpZNyE0w8c5gCXrOflSKAwGX21g1tk5W/BUuuqFlM4bF5QZjPFSMR9dHuldMm
+8DcFMz/ZC3ustNP6OfhMfUsz/RQtM89gZU/s9wK5SGV2SWpcX+oIPzy98pc3BCNK
+BkGD6hREtJNlYazW6PbnE1ViyXAe4P776i1XwHW3NkA=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainH-entity.pem b/certs/test-pathlen/chainH-entity.pem
index b7fb67aee..d8ffb3c47 100644
--- a/certs/test-pathlen/chainH-entity.pem
+++ b/certs/test-pathlen/chainH-entity.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 101 (0x65)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainH-ICA1-pathlen0/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainH-ICA1-pathlen0, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainH-entity/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainH-entity, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:ba:ed:ab:c0:0d:92:6c:10:e4:50:9f:7c:98:cc:
                     87:fd:28:34:77:c0:58:28:52:2c:28:97:80:ec:78:
@@ -42,27 +42,27 @@ Certificate:
             X509v3 Basic Constraints: 
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         14:a2:2d:29:5a:25:93:ee:26:f8:bc:57:3b:40:a9:f8:b1:1f:
-         73:15:57:e9:9b:1c:0b:ee:97:7d:a5:f1:51:7c:93:9e:ec:d4:
-         aa:5d:65:16:20:a2:71:2c:61:32:5d:1e:0d:c2:cd:b2:ba:8b:
-         ad:c5:ae:77:1a:e5:ff:72:3f:af:4f:37:0d:8b:2b:00:08:39:
-         d4:08:eb:68:0b:42:4f:7d:2a:12:b9:bb:f7:f0:14:48:c4:49:
-         44:a9:77:81:34:74:28:b4:bd:6d:ce:0a:ad:d3:72:48:66:d6:
-         80:b1:b5:ed:6a:66:11:eb:2a:18:ed:da:67:1e:f8:31:33:77:
-         a9:a6:b4:14:8d:ac:2b:a0:46:79:38:75:1c:82:43:e3:d5:10:
-         f1:7f:87:44:c2:40:a4:2b:0b:eb:cb:9b:bf:7e:fb:cb:9d:c7:
-         86:f8:95:a9:42:ef:58:be:f8:7e:94:51:15:94:57:88:34:60:
-         2e:2e:75:d9:20:95:a1:72:eb:87:8c:c3:63:02:7c:f5:17:c9:
-         dd:39:06:b0:a8:8b:fb:bf:32:5c:e6:8d:32:4a:9f:b9:ba:19:
-         6b:6e:98:36:0a:80:5a:06:9f:6a:7d:68:f6:5c:e7:89:7f:d3:
-         32:b8:35:04:91:5a:41:1e:dc:41:fc:63:bd:5a:36:42:25:a7:
-         92:8b:2c:a7
+         3e:3a:7a:1f:07:bd:a2:e5:5c:7b:66:5a:bd:e0:c1:0d:5e:41:
+         13:fe:75:6c:a5:e8:50:13:04:02:26:f0:ab:fe:0e:4e:f1:8a:
+         1b:21:0a:5a:a4:4c:1c:3a:0d:92:37:63:46:b5:57:77:89:ba:
+         b0:33:44:a8:05:a4:52:d9:19:7c:15:f7:1d:c9:dc:3c:70:7f:
+         d4:99:1e:00:82:00:06:3b:4b:5f:2a:aa:4a:74:06:40:c9:2b:
+         18:3d:d1:8c:05:76:69:39:f7:55:20:88:64:94:71:95:9d:f3:
+         ab:98:3e:71:c5:6f:0b:22:9f:70:d6:f9:03:cf:5b:18:0d:01:
+         60:db:22:e8:36:48:9b:4f:1e:b5:83:20:6f:96:db:72:bc:a3:
+         fc:b7:6b:25:04:df:42:d2:94:5f:b0:f3:c8:26:2a:6a:d9:74:
+         fc:46:0a:68:66:bc:c3:1f:0b:52:b3:2a:d9:25:97:f4:b6:72:
+         db:95:29:92:c3:1e:dc:43:90:d3:f0:2b:49:ac:e0:cb:dc:ca:
+         39:2b:a1:c9:61:5a:8b:4d:7e:3c:8e:50:8a:0d:f2:d9:2d:8d:
+         b7:76:18:ac:94:38:a5:ac:d7:99:f0:1f:cb:6d:66:53:14:97:
+         b5:07:fd:c8:12:68:f6:43:96:ec:c7:59:55:fe:f0:5d:ba:2b:
+         70:c1:2d:ee
 -----BEGIN CERTIFICATE-----
 MIIEtzCCA5+gAwIBAgIBZTANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluSC1JQ0ExLXBhdGhsZW4wMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NVoXDTIzMTEwNzE5NDk1NVowgZoxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgZoxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRYwFAYDVQQD
 DA1jaGFpbkgtZW50aXR5MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
@@ -77,11 +77,11 @@ VR0jBIHGMIHDgBRIgIco7+YoDwOb3zNIEKDlILNpUKGBp6SBpDCBoTELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNV
 BAMMFGNoYWluSC1JQ0EyLXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
-bGZzc2wuY29tggFkMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBABSiLSla
-JZPuJvi8VztAqfixH3MVV+mbHAvul32l8VF8k57s1KpdZRYgonEsYTJdHg3CzbK6
-i63Frnca5f9yP69PNw2LKwAIOdQI62gLQk99KhK5u/fwFEjESUSpd4E0dCi0vW3O
-Cq3Tckhm1oCxte1qZhHrKhjt2mce+DEzd6mmtBSNrCugRnk4dRyCQ+PVEPF/h0TC
-QKQrC+vLm79++8udx4b4lalC71i++H6UURWUV4g0YC4uddkglaFy64eMw2MCfPUX
-yd05BrCoi/u/MlzmjTJKn7m6GWtumDYKgFoGn2p9aPZc54l/0zK4NQSRWkEe3EH8
-Y71aNkIlp5KLLKc=
+bGZzc2wuY29tggFkMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAD46eh8H
+vaLlXHtmWr3gwQ1eQRP+dWyl6FATBAIm8Kv+Dk7xihshClqkTBw6DZI3Y0a1V3eJ
+urAzRKgFpFLZGXwV9x3J3Dxwf9SZHgCCAAY7S18qqkp0BkDJKxg90YwFdmk591Ug
+iGSUcZWd86uYPnHFbwsin3DW+QPPWxgNAWDbIug2SJtPHrWDIG+W23K8o/y3ayUE
+30LSlF+w88gmKmrZdPxGCmhmvMMfC1KzKtkll/S2ctuVKZLDHtxDkNPwK0ms4Mvc
+yjkroclhWotNfjyOUIoN8tktjbd2GKyUOKWs15nwH8ttZlMUl7UH/cgSaPZDluzH
+WVX+8F26K3DBLe4=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainI-ICA1-no_pathlen.pem b/certs/test-pathlen/chainI-ICA1-no_pathlen.pem
index c8cfd0d92..8a23611d7 100644
--- a/certs/test-pathlen/chainI-ICA1-no_pathlen.pem
+++ b/certs/test-pathlen/chainI-ICA1-no_pathlen.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainI-ICA2-no_pathlen/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainI-ICA2-no_pathlen, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainI-ICA1-no_pathlen/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainI-ICA1-no_pathlen, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:bb:ba:06:ad:13:cf:da:fb:d1:cb:65:fe:26:58:
                     49:6a:01:14:a6:78:b2:2c:1d:ba:ba:d0:bd:27:38:
@@ -44,27 +44,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         5c:9d:46:b6:82:50:18:af:da:a3:05:8a:ef:78:f7:8f:2a:72:
-         3d:08:30:9e:60:bf:01:8d:bc:71:b2:15:85:aa:61:3b:14:8f:
-         60:0c:ad:1f:a1:a2:db:62:5f:31:5a:44:36:d8:c1:34:d3:c4:
-         d7:04:d6:33:d1:3e:4b:81:73:df:5e:41:1e:56:7d:4d:12:a6:
-         c0:94:92:9d:cc:8c:ff:a2:02:8d:ce:9a:d4:00:69:66:06:7e:
-         ab:1f:29:1e:b9:0b:ae:31:0c:0d:b5:44:a1:46:3e:f6:18:cb:
-         fe:f9:9b:e6:0e:82:7c:49:63:08:34:08:ff:9c:0f:1c:28:cf:
-         89:78:2b:53:00:b4:4b:f6:98:48:df:40:59:99:8d:69:f3:f9:
-         6f:88:73:b1:63:4a:3b:11:c7:89:75:fa:33:8e:1d:2d:7f:c2:
-         19:13:8a:fd:8a:5a:39:e1:c8:6e:55:43:54:df:da:c4:d3:1b:
-         79:83:d2:63:f7:d6:85:b5:be:7d:53:98:26:68:cb:37:25:70:
-         36:6d:ba:7d:08:54:a5:03:70:97:dc:a0:7c:f3:ce:44:47:9d:
-         5a:53:63:ed:7e:07:bc:5f:4e:b2:53:a0:40:1e:d8:a8:19:22:
-         c5:2d:74:5a:02:32:0d:58:37:a6:36:b3:bf:57:1a:3c:24:c1:
-         7b:f4:b1:71
+         36:af:a0:d5:be:f3:a5:07:f1:ac:be:df:d1:c4:e9:e2:08:62:
+         40:7d:16:6a:26:ca:63:22:39:57:d5:36:11:ea:48:65:48:f6:
+         a3:86:8d:f3:34:d6:62:c0:e5:f2:5e:5a:d8:ac:1e:5d:cc:8c:
+         ef:9e:ac:b3:ea:f9:a9:08:63:68:da:c9:b5:1a:42:62:5b:0c:
+         19:d5:f8:c0:24:ae:87:42:66:32:6d:49:e6:af:99:53:3f:2a:
+         6f:89:d6:14:3c:50:14:9f:b0:4f:eb:25:71:6c:a7:75:25:57:
+         db:dc:c4:e9:2a:06:26:b3:85:b7:c6:22:94:b9:d7:b9:21:e8:
+         a1:39:d7:2c:6e:fa:29:97:a5:48:7e:f6:7c:3b:62:51:d4:96:
+         65:f0:88:d8:e5:45:7a:22:dd:2c:0d:1a:d3:4b:3a:0a:3d:71:
+         07:6e:0b:b6:5a:93:ff:ae:db:0b:b7:f0:20:88:3a:af:75:04:
+         aa:ab:d4:4e:73:1b:f9:a6:69:cd:c3:21:bc:f3:b3:2b:ef:47:
+         3c:86:30:2b:1d:10:1c:68:b9:99:4d:79:a0:23:3f:ca:3d:c7:
+         f0:d7:57:86:1f:12:2b:73:83:0d:64:bd:51:4d:b7:2d:17:8a:
+         47:b1:3a:2c:35:f9:fd:d4:3b:0a:fd:0e:4a:dd:c1:f7:90:de:
+         d0:42:ba:9d
 -----BEGIN CERTIFICATE-----
 MIIE1DCCA7ygAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNo
 YWluSS1JQ0EyLW5vX3BhdGhsZW4xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
-bC5jb20wHhcNMjEwMjEwMTk0OTU1WhcNMjMxMTA3MTk0OTU1WjCBozELMAkGA1UE
+bC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBozELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNV
 BAMMFmNoYWluSS1JQ0ExLW5vX3BhdGhsZW4xHzAdBgkqhkiG9w0BCQEWEGluZm9A
@@ -80,10 +80,10 @@ gaQwgaExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
 DAdTZWF0dGxlMRUwEwYDVQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2lu
 ZWVyaW5nMR0wGwYDVQQDDBRjaGFpbkktSUNBMy1wYXRobGVuMjEfMB0GCSqGSIb3
 DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIBZDAMBgNVHRMEBTADAQH/MAsGA1UdDwQE
-AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAXJ1GtoJQGK/aowWK73j3jypyPQgwnmC/
-AY28cbIVhaphOxSPYAytH6Gi22JfMVpENtjBNNPE1wTWM9E+S4Fz315BHlZ9TRKm
-wJSSncyM/6ICjc6a1ABpZgZ+qx8pHrkLrjEMDbVEoUY+9hjL/vmb5g6CfEljCDQI
-/5wPHCjPiXgrUwC0S/aYSN9AWZmNafP5b4hzsWNKOxHHiXX6M44dLX/CGROK/Ypa
-OeHIblVDVN/axNMbeYPSY/fWhbW+fVOYJmjLNyVwNm26fQhUpQNwl9ygfPPOREed
-WlNj7X4HvF9OslOgQB7YqBkixS10WgIyDVg3pjazv1caPCTBe/SxcQ==
+AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEANq+g1b7zpQfxrL7f0cTp4ghiQH0WaibK
+YyI5V9U2EepIZUj2o4aN8zTWYsDl8l5a2KweXcyM756ss+r5qQhjaNrJtRpCYlsM
+GdX4wCSuh0JmMm1J5q+ZUz8qb4nWFDxQFJ+wT+slcWyndSVX29zE6SoGJrOFt8Yi
+lLnXuSHooTnXLG76KZelSH72fDtiUdSWZfCI2OVFeiLdLA0a00s6Cj1xB24LtlqT
+/67bC7fwIIg6r3UEqqvUTnMb+aZpzcMhvPOzK+9HPIYwKx0QHGi5mU15oCM/yj3H
+8NdXhh8SK3ODDWS9UU23LReKR7E6LDX5/dQ7Cv0OSt3B95De0EK6nQ==
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainI-ICA2-no_pathlen.pem b/certs/test-pathlen/chainI-ICA2-no_pathlen.pem
index 468d48eee..b964fa7e3 100644
--- a/certs/test-pathlen/chainI-ICA2-no_pathlen.pem
+++ b/certs/test-pathlen/chainI-ICA2-no_pathlen.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainI-ICA3-pathlen2/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainI-ICA3-pathlen2, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainI-ICA2-no_pathlen/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainI-ICA2-no_pathlen, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:de:1e:08:66:12:fe:20:07:10:1b:a1:27:0d:f9:
                     22:30:81:9b:ce:62:b1:a6:6d:49:d4:ed:b8:2d:4b:
@@ -44,27 +44,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         92:01:86:22:0c:3e:a5:4f:fb:c5:5e:16:96:9e:a0:e1:1c:58:
-         2e:d7:6c:13:44:5e:55:97:3b:35:a6:17:b2:26:1a:ea:2e:b3:
-         06:e6:2e:92:ce:c2:56:7e:a3:3b:26:0d:8f:9a:91:9b:cf:84:
-         90:e3:55:b8:84:4d:78:c0:ba:f1:76:d0:ad:cc:31:e5:53:18:
-         6f:61:27:6e:fe:c7:9d:ea:a2:99:76:83:8c:b8:44:7c:f2:f5:
-         3c:b0:49:f3:b3:a9:9c:33:b6:2b:1b:e0:4b:1f:bf:fe:34:1a:
-         cd:e3:31:ae:a1:0b:91:3e:0a:e5:3e:68:da:28:66:53:14:cc:
-         9b:d1:d5:ab:ed:2b:bf:bc:c3:33:68:08:a9:44:e1:4a:ba:5d:
-         2b:bd:b7:f5:e9:36:36:61:98:fb:b1:35:0d:ee:30:ec:ed:7d:
-         fe:dd:d0:a6:46:a6:7f:0e:ac:91:7b:7d:8e:a2:0d:77:81:20:
-         77:a2:4e:98:1d:97:0d:9e:4a:c5:fe:0a:e0:e4:75:86:b1:e9:
-         f8:b4:42:31:a3:87:70:7c:bd:0d:79:fa:70:40:8e:b5:12:c7:
-         c5:be:b9:6b:7c:9e:ec:47:f0:3a:39:47:42:81:de:11:cf:4a:
-         72:51:a1:36:e8:57:e7:d9:e5:f5:b0:c6:ca:bb:d2:c3:9d:73:
-         b5:80:a2:1c
+         98:63:ad:48:55:94:8f:37:2d:a1:38:e1:1a:99:cd:2a:34:9b:
+         43:b7:d3:ac:1b:67:1e:61:bf:4d:ab:21:32:63:61:6a:3e:0e:
+         2d:8e:b9:2f:99:5e:a0:1d:94:4c:5c:ce:d5:6c:85:db:9a:4e:
+         94:ab:f2:73:02:cc:62:90:a1:5b:a4:6c:ee:92:55:05:87:9f:
+         4a:3b:11:21:b8:b5:68:03:89:4d:ed:33:17:53:a1:8d:ec:aa:
+         66:0a:7b:18:3c:00:8c:75:b9:82:fb:66:63:81:cd:42:e6:b1:
+         95:5d:33:0a:04:42:20:51:e3:19:89:fa:00:1d:96:87:17:e3:
+         57:f8:da:09:9b:6a:1e:e4:57:bf:9d:d1:a5:39:18:a3:1f:99:
+         9a:cd:80:d7:52:b7:e0:bf:ba:9c:ef:6e:fa:b1:dc:d7:29:58:
+         15:05:c2:98:49:18:2b:23:24:a5:c4:ce:9e:f3:6b:3e:3e:a6:
+         16:6e:82:89:0f:a7:af:53:a0:be:20:8c:90:4b:f0:31:54:79:
+         64:ed:6b:b3:86:66:83:b9:fb:9a:f8:e6:5e:08:44:8c:5e:a9:
+         b2:94:12:ee:eb:f1:21:e2:64:3c:59:bc:89:91:d9:01:bd:87:
+         c7:94:30:d2:95:cf:34:f6:49:ea:ee:e1:34:05:48:27:a9:c6:
+         2a:cc:eb:9b
 -----BEGIN CERTIFICATE-----
 MIIExDCCA6ygAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluSS1JQ0EzLXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NVoXDTIzMTEwNzE5NDk1NVowgaMxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgaMxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMR8wHQYDVQQD
 DBZjaGFpbkktSUNBMi1ub19wYXRobGVuMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
@@ -80,10 +80,10 @@ gZQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
 bWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYG
 A1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZz
 c2wuY29tggFkMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEB
-CwUAA4IBAQCSAYYiDD6lT/vFXhaWnqDhHFgu12wTRF5Vlzs1pheyJhrqLrMG5i6S
-zsJWfqM7Jg2PmpGbz4SQ41W4hE14wLrxdtCtzDHlUxhvYSdu/sed6qKZdoOMuER8
-8vU8sEnzs6mcM7YrG+BLH7/+NBrN4zGuoQuRPgrlPmjaKGZTFMyb0dWr7Su/vMMz
-aAipROFKul0rvbf16TY2YZj7sTUN7jDs7X3+3dCmRqZ/DqyRe32Oog13gSB3ok6Y
-HZcNnkrF/grg5HWGsen4tEIxo4dwfL0NefpwQI61EsfFvrlrfJ7sR/A6OUdCgd4R
-z0pyUaE26Ffn2eX1sMbKu9LDnXO1gKIc
+CwUAA4IBAQCYY61IVZSPNy2hOOEamc0qNJtDt9OsG2ceYb9NqyEyY2FqPg4tjrkv
+mV6gHZRMXM7VbIXbmk6Uq/JzAsxikKFbpGzuklUFh59KOxEhuLVoA4lN7TMXU6GN
+7KpmCnsYPACMdbmC+2Zjgc1C5rGVXTMKBEIgUeMZifoAHZaHF+NX+NoJm2oe5Fe/
+ndGlORijH5mazYDXUrfgv7qc7276sdzXKVgVBcKYSRgrIySlxM6e82s+PqYWboKJ
+D6evU6C+IIyQS/AxVHlk7WuzhmaDufua+OZeCESMXqmylBLu6/Eh4mQ8WbyJkdkB
+vYfHlDDSlc809knq7uE0BUgnqcYqzOub
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainI-ICA3-pathlen2.pem b/certs/test-pathlen/chainI-ICA3-pathlen2.pem
index f6370b449..6b30c7f3b 100644
--- a/certs/test-pathlen/chainI-ICA3-pathlen2.pem
+++ b/certs/test-pathlen/chainI-ICA3-pathlen2.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainI-ICA3-pathlen2/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainI-ICA3-pathlen2, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:b8:36:0c:66:a9:06:ce:ac:e0:7c:86:a1:69:9d:
                     be:28:cf:a3:81:f3:b4:dc:5f:c8:92:9d:f2:07:c0:
@@ -37,34 +37,34 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE, pathlen:2
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         6f:ba:0f:86:af:8b:12:74:05:b4:74:01:31:bd:fa:54:af:e2:
-         2a:19:5d:c2:a2:eb:de:1e:50:00:77:da:17:d2:ff:52:80:3d:
-         f5:e5:81:b6:17:00:f7:62:b8:e4:a8:3c:44:99:46:02:09:fa:
-         38:bd:ea:dd:1b:29:06:79:e1:a7:e8:0c:de:8d:58:0a:fd:98:
-         74:84:05:78:ec:50:e4:a7:3a:38:67:2d:90:57:35:28:b6:89:
-         f4:41:0e:c3:b9:70:3c:eb:f3:b3:eb:27:14:a2:bc:2e:3a:bb:
-         82:9b:5e:2e:bb:bd:9f:ae:ff:27:1b:07:35:a3:b2:05:f7:4d:
-         8e:33:ee:93:16:b9:89:2e:ea:e0:dd:52:21:5d:bf:11:70:a7:
-         5c:36:e7:7b:81:d0:47:e6:97:f4:2b:72:ce:03:12:0f:08:1e:
-         89:da:cf:88:e1:74:4d:1b:0d:72:7b:16:bf:bc:f9:8f:03:8a:
-         03:df:ad:db:14:83:cf:31:36:72:cb:ff:7d:ba:8b:71:28:bc:
-         23:26:d4:50:9c:64:20:ee:e8:34:ce:a9:ee:b5:32:e7:1a:ef:
-         e6:2e:76:9b:b4:15:33:3f:ed:af:c0:01:a6:1b:81:1e:18:da:
-         b6:88:15:59:d5:37:03:f2:31:2c:69:0e:30:66:66:7b:cc:16:
-         1f:96:5d:ff
+         74:07:c0:d6:4e:74:54:c7:76:ae:b9:0c:0c:90:89:9a:0c:e3:
+         96:09:5d:df:d4:2a:0c:c3:0d:a0:e8:8d:a6:1f:8c:15:df:76:
+         29:1d:45:72:26:01:95:da:0a:dd:75:bd:59:ed:53:d0:ec:f6:
+         a4:5c:43:65:cb:62:1b:96:5f:28:07:5b:fd:4f:f4:fb:3f:a5:
+         08:dd:ec:2e:ab:37:83:90:1f:d2:bf:6c:cd:e5:c6:40:46:b1:
+         d0:f4:c1:68:aa:28:64:07:20:97:a5:56:4e:54:fe:52:58:05:
+         28:9c:64:fa:29:6f:b7:88:1b:ef:9d:4d:91:44:9e:f5:2f:73:
+         c0:a7:0d:d0:a5:07:55:c0:cc:85:bb:3a:85:5d:03:a9:b1:2f:
+         55:cd:f0:bf:67:0b:90:b4:0d:78:12:ea:bb:62:bd:2b:16:77:
+         2f:02:1a:12:fd:d8:fa:52:ab:8c:c0:d4:d2:e2:cd:b8:62:69:
+         ac:30:50:d6:44:35:01:b9:50:8d:35:84:9f:b9:d6:ca:0c:0b:
+         d2:f3:5e:1e:42:7f:83:79:b6:48:04:3a:80:b1:97:87:b1:93:
+         6a:a3:57:6e:86:fd:ef:2b:95:c8:24:d0:66:a2:0b:f1:9b:6d:
+         a6:6b:6d:83:2d:c1:5f:25:dd:4a:d0:f7:4c:94:b0:c3:6f:bc:
+         ca:ef:c1:4a
 -----BEGIN CERTIFICATE-----
-MIIEwTCCA6mgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEzDCCA7SgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTU1WhcNMjMxMTA3MTk0OTU1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoMDHdvbGZTU0wg
 SW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNoYWluSS1JQ0Ez
 LXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN
@@ -74,16 +74,16 @@ dTmJcCqcAOAubHx0Jxg0/SmYQ4PW4VGzE0EcvCnciy+TCJWLkCJL5Jj11nAqm4tk
 5kkGYqQjCGBol4mpssCUjk85HCU7D+TFHX2JiV7GAmlo/BNVtYBrd/dZVwscfsbt
 RsZw+zShKByCscKrpsHwExt9C7waOSM85x3uyO4vaV+hMT8aL5hdU9dCk9tJrNZ6
 Ei6dDcmw70DRpAJeUuj71JIHmLF22RYP5Ive3Ihl4P1SHYvi4+0IN9AR9wIDAQAB
-o4IBDTCCAQkwHQYDVR0OBBYEFO43pvJA0O/9IsejtGxXR0C5mfmNMIHJBgNVHSME
-gcEwgb6AFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
+o4IBGDCCARQwHQYDVR0OBBYEFO43pvJA0O/9IsejtGxXR0C5mfmNMIHUBgNVHSME
+gcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
 UzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwI
 U2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xm
-c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIJAKrTP6wY
-CjdNMA8GA1UdEwQIMAYBAf8CAQIwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUA
-A4IBAQBvug+Gr4sSdAW0dAExvfpUr+IqGV3CouveHlAAd9oX0v9SgD315YG2FwD3
-YrjkqDxEmUYCCfo4verdGykGeeGn6AzejVgK/Zh0hAV47FDkpzo4Zy2QVzUoton0
-QQ7DuXA86/Oz6ycUorwuOruCm14uu72frv8nGwc1o7IF902OM+6TFrmJLurg3VIh
-Xb8RcKdcNud7gdBH5pf0K3LOAxIPCB6J2s+I4XRNGw1yexa/vPmPA4oD363bFIPP
-MTZyy/99uotxKLwjJtRQnGQg7ug0zqnutTLnGu/mLnabtBUzP+2vwAGmG4EeGNq2
-iBVZ1TcD8jEsaQ4wZmZ7zBYfll3/
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUfZRwiLoH
+Qo2qr0++whpI8NFA5kIwDwYDVR0TBAgwBgEB/wIBAjALBgNVHQ8EBAMCAQYwDQYJ
+KoZIhvcNAQELBQADggEBAHQHwNZOdFTHdq65DAyQiZoM45YJXd/UKgzDDaDojaYf
+jBXfdikdRXImAZXaCt11vVntU9Ds9qRcQ2XLYhuWXygHW/1P9Ps/pQjd7C6rN4OQ
+H9K/bM3lxkBGsdD0wWiqKGQHIJelVk5U/lJYBSicZPopb7eIG++dTZFEnvUvc8Cn
+DdClB1XAzIW7OoVdA6mxL1XN8L9nC5C0DXgS6rtivSsWdy8CGhL92PpSq4zA1NLi
+zbhiaawwUNZENQG5UI01hJ+51soMC9LzXh5Cf4N5tkgEOoCxl4exk2qjV26G/e8r
+lcgk0GaiC/GbbaZrbYMtwV8l3UrQ90yUsMNvvMrvwUo=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainI-assembled.pem b/certs/test-pathlen/chainI-assembled.pem
index 27b81d462..10e047cbc 100644
--- a/certs/test-pathlen/chainI-assembled.pem
+++ b/certs/test-pathlen/chainI-assembled.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 101 (0x65)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainI-ICA1-no_pathlen/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainI-ICA1-no_pathlen, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainI-entity/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainI-entity, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:f3:ac:32:8f:52:af:a9:cf:9e:23:a4:96:8e:e9:
                     e8:0a:3a:b7:6a:7b:ba:70:85:68:e2:52:f3:38:39:
@@ -42,27 +42,27 @@ Certificate:
             X509v3 Basic Constraints: 
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         84:1b:07:96:79:b0:eb:77:83:c4:7a:f7:ee:c0:9a:32:15:47:
-         1f:33:26:d7:17:c7:0f:69:09:e0:8f:50:d1:b9:c1:99:f4:0a:
-         24:2d:18:1a:14:14:29:91:d6:cf:bb:11:92:80:74:a6:92:16:
-         54:ed:ad:01:b4:97:71:67:59:53:43:37:14:dd:a8:1d:5b:96:
-         35:b1:80:ff:41:0e:ae:f7:da:2f:d2:01:bd:4b:73:50:fb:f0:
-         8e:2b:58:f8:43:c6:7a:5b:95:14:51:a2:36:f9:09:ec:83:1a:
-         13:44:53:58:2a:f2:83:71:64:5d:99:7c:b8:c7:28:16:7e:8e:
-         b6:31:e3:1f:fa:35:35:8e:96:4a:58:b3:48:2f:7b:c3:1f:43:
-         95:8d:13:b1:1a:25:93:a1:17:64:bb:3b:1c:26:c6:37:b3:14:
-         9f:ae:2d:73:f3:e5:8c:2e:3d:b5:0a:90:72:90:86:f7:4d:4d:
-         27:91:e1:e8:2c:65:7a:a4:4a:ce:cf:c7:6e:12:16:31:f2:dc:
-         1c:51:34:60:16:ff:56:06:f8:93:5c:bb:96:03:2b:13:64:00:
-         23:94:d8:e1:a1:66:37:c8:b1:db:36:86:93:e6:96:77:82:37:
-         20:40:1f:38:f4:1e:13:de:1a:97:ed:69:db:ca:17:09:83:d5:
-         05:62:fb:fd
+         17:b3:bc:12:8f:96:ee:c8:f1:36:75:6a:b6:d7:79:bd:1b:08:
+         06:ef:5a:47:7d:bc:4b:dc:54:9c:1b:cf:81:9c:e7:e2:43:6d:
+         87:61:35:07:44:4b:4e:3d:e9:53:8a:28:69:60:41:c9:f3:e8:
+         8d:a4:6b:7e:2e:1b:5c:88:26:00:ef:6a:18:df:99:03:59:c4:
+         0a:6c:1e:ef:ce:b5:f3:ca:e3:57:56:ae:8b:41:4e:66:d7:b6:
+         35:d1:ab:2f:bd:5b:9d:a0:55:57:95:2d:2d:d2:f0:02:2e:f5:
+         db:cd:3c:50:bf:f0:cd:51:98:27:cd:1b:5f:8d:0f:2b:ae:67:
+         38:e1:5c:af:1c:b1:9d:8f:f2:b0:24:ff:f2:8b:b7:0c:4a:1e:
+         ee:dd:55:b2:43:70:f4:b0:05:ba:b0:ad:e4:7c:cd:0b:05:d5:
+         db:97:13:37:13:d0:33:b4:0e:2c:0f:95:17:11:cd:95:1a:1c:
+         2d:8b:28:53:bf:bc:5a:46:77:6e:23:71:e1:9e:59:cd:48:8f:
+         19:cf:67:ac:63:a2:2d:d6:db:a8:6e:70:d0:5f:e3:42:00:c3:
+         99:a8:d6:43:35:74:16:6a:05:fb:11:88:9e:5f:5c:98:e5:5e:
+         b1:04:a2:61:36:ae:2d:2f:e8:b1:1e:26:f4:49:74:ae:c2:29:
+         b8:6d:41:27
 -----BEGIN CERTIFICATE-----
 MIIEvDCCA6SgAwIBAgIBZTANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNo
 YWluSS1JQ0ExLW5vX3BhdGhsZW4xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
-bC5jb20wHhcNMjEwMjEwMTk0OTU1WhcNMjMxMTA3MTk0OTU1WjCBmjELMAkGA1UE
+bC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBmjELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxFjAUBgNV
 BAMMDWNoYWluSS1lbnRpdHkxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
@@ -78,26 +78,26 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
 FTATBgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAd
 BgNVBAMMFmNoYWluSS1JQ0EyLW5vX3BhdGhsZW4xHzAdBgkqhkiG9w0BCQEWEGlu
 Zm9Ad29sZnNzbC5jb22CAWQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEA
-hBsHlnmw63eDxHr37sCaMhVHHzMm1xfHD2kJ4I9Q0bnBmfQKJC0YGhQUKZHWz7sR
-koB0ppIWVO2tAbSXcWdZU0M3FN2oHVuWNbGA/0EOrvfaL9IBvUtzUPvwjitY+EPG
-eluVFFGiNvkJ7IMaE0RTWCryg3FkXZl8uMcoFn6OtjHjH/o1NY6WSlizSC97wx9D
-lY0TsRolk6EXZLs7HCbGN7MUn64tc/PljC49tQqQcpCG901NJ5Hh6CxleqRKzs/H
-bhIWMfLcHFE0YBb/Vgb4k1y7lgMrE2QAI5TY4aFmN8ix2zaGk+aWd4I3IEAfOPQe
-E94al+1p28oXCYPVBWL7/Q==
+F7O8Eo+W7sjxNnVqttd5vRsIBu9aR328S9xUnBvPgZzn4kNth2E1B0RLTj3pU4oo
+aWBByfPojaRrfi4bXIgmAO9qGN+ZA1nECmwe786188rjV1aui0FOZte2NdGrL71b
+naBVV5UtLdLwAi712808UL/wzVGYJ80bX40PK65nOOFcrxyxnY/ysCT/8ou3DEoe
+7t1VskNw9LAFurCt5HzNCwXV25cTNxPQM7QOLA+VFxHNlRocLYsoU7+8WkZ3biNx
+4Z5ZzUiPGc9nrGOiLdbbqG5w0F/jQgDDmajWQzV0FmoF+xGInl9cmOVesQSiYTau
+LS/osR4m9El0rsIpuG1BJw==
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainI-ICA2-no_pathlen/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainI-ICA2-no_pathlen, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainI-ICA1-no_pathlen/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainI-ICA1-no_pathlen, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:bb:ba:06:ad:13:cf:da:fb:d1:cb:65:fe:26:58:
                     49:6a:01:14:a6:78:b2:2c:1d:ba:ba:d0:bd:27:38:
@@ -131,27 +131,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         5c:9d:46:b6:82:50:18:af:da:a3:05:8a:ef:78:f7:8f:2a:72:
-         3d:08:30:9e:60:bf:01:8d:bc:71:b2:15:85:aa:61:3b:14:8f:
-         60:0c:ad:1f:a1:a2:db:62:5f:31:5a:44:36:d8:c1:34:d3:c4:
-         d7:04:d6:33:d1:3e:4b:81:73:df:5e:41:1e:56:7d:4d:12:a6:
-         c0:94:92:9d:cc:8c:ff:a2:02:8d:ce:9a:d4:00:69:66:06:7e:
-         ab:1f:29:1e:b9:0b:ae:31:0c:0d:b5:44:a1:46:3e:f6:18:cb:
-         fe:f9:9b:e6:0e:82:7c:49:63:08:34:08:ff:9c:0f:1c:28:cf:
-         89:78:2b:53:00:b4:4b:f6:98:48:df:40:59:99:8d:69:f3:f9:
-         6f:88:73:b1:63:4a:3b:11:c7:89:75:fa:33:8e:1d:2d:7f:c2:
-         19:13:8a:fd:8a:5a:39:e1:c8:6e:55:43:54:df:da:c4:d3:1b:
-         79:83:d2:63:f7:d6:85:b5:be:7d:53:98:26:68:cb:37:25:70:
-         36:6d:ba:7d:08:54:a5:03:70:97:dc:a0:7c:f3:ce:44:47:9d:
-         5a:53:63:ed:7e:07:bc:5f:4e:b2:53:a0:40:1e:d8:a8:19:22:
-         c5:2d:74:5a:02:32:0d:58:37:a6:36:b3:bf:57:1a:3c:24:c1:
-         7b:f4:b1:71
+         36:af:a0:d5:be:f3:a5:07:f1:ac:be:df:d1:c4:e9:e2:08:62:
+         40:7d:16:6a:26:ca:63:22:39:57:d5:36:11:ea:48:65:48:f6:
+         a3:86:8d:f3:34:d6:62:c0:e5:f2:5e:5a:d8:ac:1e:5d:cc:8c:
+         ef:9e:ac:b3:ea:f9:a9:08:63:68:da:c9:b5:1a:42:62:5b:0c:
+         19:d5:f8:c0:24:ae:87:42:66:32:6d:49:e6:af:99:53:3f:2a:
+         6f:89:d6:14:3c:50:14:9f:b0:4f:eb:25:71:6c:a7:75:25:57:
+         db:dc:c4:e9:2a:06:26:b3:85:b7:c6:22:94:b9:d7:b9:21:e8:
+         a1:39:d7:2c:6e:fa:29:97:a5:48:7e:f6:7c:3b:62:51:d4:96:
+         65:f0:88:d8:e5:45:7a:22:dd:2c:0d:1a:d3:4b:3a:0a:3d:71:
+         07:6e:0b:b6:5a:93:ff:ae:db:0b:b7:f0:20:88:3a:af:75:04:
+         aa:ab:d4:4e:73:1b:f9:a6:69:cd:c3:21:bc:f3:b3:2b:ef:47:
+         3c:86:30:2b:1d:10:1c:68:b9:99:4d:79:a0:23:3f:ca:3d:c7:
+         f0:d7:57:86:1f:12:2b:73:83:0d:64:bd:51:4d:b7:2d:17:8a:
+         47:b1:3a:2c:35:f9:fd:d4:3b:0a:fd:0e:4a:dd:c1:f7:90:de:
+         d0:42:ba:9d
 -----BEGIN CERTIFICATE-----
 MIIE1DCCA7ygAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNo
 YWluSS1JQ0EyLW5vX3BhdGhsZW4xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
-bC5jb20wHhcNMjEwMjEwMTk0OTU1WhcNMjMxMTA3MTk0OTU1WjCBozELMAkGA1UE
+bC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBozELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNV
 BAMMFmNoYWluSS1JQ0ExLW5vX3BhdGhsZW4xHzAdBgkqhkiG9w0BCQEWEGluZm9A
@@ -167,26 +167,26 @@ gaQwgaExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
 DAdTZWF0dGxlMRUwEwYDVQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2lu
 ZWVyaW5nMR0wGwYDVQQDDBRjaGFpbkktSUNBMy1wYXRobGVuMjEfMB0GCSqGSIb3
 DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIBZDAMBgNVHRMEBTADAQH/MAsGA1UdDwQE
-AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAXJ1GtoJQGK/aowWK73j3jypyPQgwnmC/
-AY28cbIVhaphOxSPYAytH6Gi22JfMVpENtjBNNPE1wTWM9E+S4Fz315BHlZ9TRKm
-wJSSncyM/6ICjc6a1ABpZgZ+qx8pHrkLrjEMDbVEoUY+9hjL/vmb5g6CfEljCDQI
-/5wPHCjPiXgrUwC0S/aYSN9AWZmNafP5b4hzsWNKOxHHiXX6M44dLX/CGROK/Ypa
-OeHIblVDVN/axNMbeYPSY/fWhbW+fVOYJmjLNyVwNm26fQhUpQNwl9ygfPPOREed
-WlNj7X4HvF9OslOgQB7YqBkixS10WgIyDVg3pjazv1caPCTBe/SxcQ==
+AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEANq+g1b7zpQfxrL7f0cTp4ghiQH0WaibK
+YyI5V9U2EepIZUj2o4aN8zTWYsDl8l5a2KweXcyM756ss+r5qQhjaNrJtRpCYlsM
+GdX4wCSuh0JmMm1J5q+ZUz8qb4nWFDxQFJ+wT+slcWyndSVX29zE6SoGJrOFt8Yi
+lLnXuSHooTnXLG76KZelSH72fDtiUdSWZfCI2OVFeiLdLA0a00s6Cj1xB24LtlqT
+/67bC7fwIIg6r3UEqqvUTnMb+aZpzcMhvPOzK+9HPIYwKx0QHGi5mU15oCM/yj3H
+8NdXhh8SK3ODDWS9UU23LReKR7E6LDX5/dQ7Cv0OSt3B95De0EK6nQ==
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainI-ICA3-pathlen2/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainI-ICA3-pathlen2, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainI-ICA2-no_pathlen/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainI-ICA2-no_pathlen, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:de:1e:08:66:12:fe:20:07:10:1b:a1:27:0d:f9:
                     22:30:81:9b:ce:62:b1:a6:6d:49:d4:ed:b8:2d:4b:
@@ -220,27 +220,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         92:01:86:22:0c:3e:a5:4f:fb:c5:5e:16:96:9e:a0:e1:1c:58:
-         2e:d7:6c:13:44:5e:55:97:3b:35:a6:17:b2:26:1a:ea:2e:b3:
-         06:e6:2e:92:ce:c2:56:7e:a3:3b:26:0d:8f:9a:91:9b:cf:84:
-         90:e3:55:b8:84:4d:78:c0:ba:f1:76:d0:ad:cc:31:e5:53:18:
-         6f:61:27:6e:fe:c7:9d:ea:a2:99:76:83:8c:b8:44:7c:f2:f5:
-         3c:b0:49:f3:b3:a9:9c:33:b6:2b:1b:e0:4b:1f:bf:fe:34:1a:
-         cd:e3:31:ae:a1:0b:91:3e:0a:e5:3e:68:da:28:66:53:14:cc:
-         9b:d1:d5:ab:ed:2b:bf:bc:c3:33:68:08:a9:44:e1:4a:ba:5d:
-         2b:bd:b7:f5:e9:36:36:61:98:fb:b1:35:0d:ee:30:ec:ed:7d:
-         fe:dd:d0:a6:46:a6:7f:0e:ac:91:7b:7d:8e:a2:0d:77:81:20:
-         77:a2:4e:98:1d:97:0d:9e:4a:c5:fe:0a:e0:e4:75:86:b1:e9:
-         f8:b4:42:31:a3:87:70:7c:bd:0d:79:fa:70:40:8e:b5:12:c7:
-         c5:be:b9:6b:7c:9e:ec:47:f0:3a:39:47:42:81:de:11:cf:4a:
-         72:51:a1:36:e8:57:e7:d9:e5:f5:b0:c6:ca:bb:d2:c3:9d:73:
-         b5:80:a2:1c
+         98:63:ad:48:55:94:8f:37:2d:a1:38:e1:1a:99:cd:2a:34:9b:
+         43:b7:d3:ac:1b:67:1e:61:bf:4d:ab:21:32:63:61:6a:3e:0e:
+         2d:8e:b9:2f:99:5e:a0:1d:94:4c:5c:ce:d5:6c:85:db:9a:4e:
+         94:ab:f2:73:02:cc:62:90:a1:5b:a4:6c:ee:92:55:05:87:9f:
+         4a:3b:11:21:b8:b5:68:03:89:4d:ed:33:17:53:a1:8d:ec:aa:
+         66:0a:7b:18:3c:00:8c:75:b9:82:fb:66:63:81:cd:42:e6:b1:
+         95:5d:33:0a:04:42:20:51:e3:19:89:fa:00:1d:96:87:17:e3:
+         57:f8:da:09:9b:6a:1e:e4:57:bf:9d:d1:a5:39:18:a3:1f:99:
+         9a:cd:80:d7:52:b7:e0:bf:ba:9c:ef:6e:fa:b1:dc:d7:29:58:
+         15:05:c2:98:49:18:2b:23:24:a5:c4:ce:9e:f3:6b:3e:3e:a6:
+         16:6e:82:89:0f:a7:af:53:a0:be:20:8c:90:4b:f0:31:54:79:
+         64:ed:6b:b3:86:66:83:b9:fb:9a:f8:e6:5e:08:44:8c:5e:a9:
+         b2:94:12:ee:eb:f1:21:e2:64:3c:59:bc:89:91:d9:01:bd:87:
+         c7:94:30:d2:95:cf:34:f6:49:ea:ee:e1:34:05:48:27:a9:c6:
+         2a:cc:eb:9b
 -----BEGIN CERTIFICATE-----
 MIIExDCCA6ygAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluSS1JQ0EzLXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NVoXDTIzMTEwNzE5NDk1NVowgaMxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgaMxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMR8wHQYDVQQD
 DBZjaGFpbkktSUNBMi1ub19wYXRobGVuMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
@@ -256,26 +256,26 @@ gZQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
 bWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYG
 A1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZz
 c2wuY29tggFkMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEB
-CwUAA4IBAQCSAYYiDD6lT/vFXhaWnqDhHFgu12wTRF5Vlzs1pheyJhrqLrMG5i6S
-zsJWfqM7Jg2PmpGbz4SQ41W4hE14wLrxdtCtzDHlUxhvYSdu/sed6qKZdoOMuER8
-8vU8sEnzs6mcM7YrG+BLH7/+NBrN4zGuoQuRPgrlPmjaKGZTFMyb0dWr7Su/vMMz
-aAipROFKul0rvbf16TY2YZj7sTUN7jDs7X3+3dCmRqZ/DqyRe32Oog13gSB3ok6Y
-HZcNnkrF/grg5HWGsen4tEIxo4dwfL0NefpwQI61EsfFvrlrfJ7sR/A6OUdCgd4R
-z0pyUaE26Ffn2eX1sMbKu9LDnXO1gKIc
+CwUAA4IBAQCYY61IVZSPNy2hOOEamc0qNJtDt9OsG2ceYb9NqyEyY2FqPg4tjrkv
+mV6gHZRMXM7VbIXbmk6Uq/JzAsxikKFbpGzuklUFh59KOxEhuLVoA4lN7TMXU6GN
+7KpmCnsYPACMdbmC+2Zjgc1C5rGVXTMKBEIgUeMZifoAHZaHF+NX+NoJm2oe5Fe/
+ndGlORijH5mazYDXUrfgv7qc7276sdzXKVgVBcKYSRgrIySlxM6e82s+PqYWboKJ
+D6evU6C+IIyQS/AxVHlk7WuzhmaDufua+OZeCESMXqmylBLu6/Eh4mQ8WbyJkdkB
+vYfHlDDSlc809knq7uE0BUgnqcYqzOub
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainI-ICA3-pathlen2/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainI-ICA3-pathlen2, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:b8:36:0c:66:a9:06:ce:ac:e0:7c:86:a1:69:9d:
                     be:28:cf:a3:81:f3:b4:dc:5f:c8:92:9d:f2:07:c0:
@@ -302,34 +302,34 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE, pathlen:2
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         6f:ba:0f:86:af:8b:12:74:05:b4:74:01:31:bd:fa:54:af:e2:
-         2a:19:5d:c2:a2:eb:de:1e:50:00:77:da:17:d2:ff:52:80:3d:
-         f5:e5:81:b6:17:00:f7:62:b8:e4:a8:3c:44:99:46:02:09:fa:
-         38:bd:ea:dd:1b:29:06:79:e1:a7:e8:0c:de:8d:58:0a:fd:98:
-         74:84:05:78:ec:50:e4:a7:3a:38:67:2d:90:57:35:28:b6:89:
-         f4:41:0e:c3:b9:70:3c:eb:f3:b3:eb:27:14:a2:bc:2e:3a:bb:
-         82:9b:5e:2e:bb:bd:9f:ae:ff:27:1b:07:35:a3:b2:05:f7:4d:
-         8e:33:ee:93:16:b9:89:2e:ea:e0:dd:52:21:5d:bf:11:70:a7:
-         5c:36:e7:7b:81:d0:47:e6:97:f4:2b:72:ce:03:12:0f:08:1e:
-         89:da:cf:88:e1:74:4d:1b:0d:72:7b:16:bf:bc:f9:8f:03:8a:
-         03:df:ad:db:14:83:cf:31:36:72:cb:ff:7d:ba:8b:71:28:bc:
-         23:26:d4:50:9c:64:20:ee:e8:34:ce:a9:ee:b5:32:e7:1a:ef:
-         e6:2e:76:9b:b4:15:33:3f:ed:af:c0:01:a6:1b:81:1e:18:da:
-         b6:88:15:59:d5:37:03:f2:31:2c:69:0e:30:66:66:7b:cc:16:
-         1f:96:5d:ff
+         74:07:c0:d6:4e:74:54:c7:76:ae:b9:0c:0c:90:89:9a:0c:e3:
+         96:09:5d:df:d4:2a:0c:c3:0d:a0:e8:8d:a6:1f:8c:15:df:76:
+         29:1d:45:72:26:01:95:da:0a:dd:75:bd:59:ed:53:d0:ec:f6:
+         a4:5c:43:65:cb:62:1b:96:5f:28:07:5b:fd:4f:f4:fb:3f:a5:
+         08:dd:ec:2e:ab:37:83:90:1f:d2:bf:6c:cd:e5:c6:40:46:b1:
+         d0:f4:c1:68:aa:28:64:07:20:97:a5:56:4e:54:fe:52:58:05:
+         28:9c:64:fa:29:6f:b7:88:1b:ef:9d:4d:91:44:9e:f5:2f:73:
+         c0:a7:0d:d0:a5:07:55:c0:cc:85:bb:3a:85:5d:03:a9:b1:2f:
+         55:cd:f0:bf:67:0b:90:b4:0d:78:12:ea:bb:62:bd:2b:16:77:
+         2f:02:1a:12:fd:d8:fa:52:ab:8c:c0:d4:d2:e2:cd:b8:62:69:
+         ac:30:50:d6:44:35:01:b9:50:8d:35:84:9f:b9:d6:ca:0c:0b:
+         d2:f3:5e:1e:42:7f:83:79:b6:48:04:3a:80:b1:97:87:b1:93:
+         6a:a3:57:6e:86:fd:ef:2b:95:c8:24:d0:66:a2:0b:f1:9b:6d:
+         a6:6b:6d:83:2d:c1:5f:25:dd:4a:d0:f7:4c:94:b0:c3:6f:bc:
+         ca:ef:c1:4a
 -----BEGIN CERTIFICATE-----
-MIIEwTCCA6mgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEzDCCA7SgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTU1WhcNMjMxMTA3MTk0OTU1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoMDHdvbGZTU0wg
 SW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNoYWluSS1JQ0Ez
 LXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN
@@ -339,16 +339,16 @@ dTmJcCqcAOAubHx0Jxg0/SmYQ4PW4VGzE0EcvCnciy+TCJWLkCJL5Jj11nAqm4tk
 5kkGYqQjCGBol4mpssCUjk85HCU7D+TFHX2JiV7GAmlo/BNVtYBrd/dZVwscfsbt
 RsZw+zShKByCscKrpsHwExt9C7waOSM85x3uyO4vaV+hMT8aL5hdU9dCk9tJrNZ6
 Ei6dDcmw70DRpAJeUuj71JIHmLF22RYP5Ive3Ihl4P1SHYvi4+0IN9AR9wIDAQAB
-o4IBDTCCAQkwHQYDVR0OBBYEFO43pvJA0O/9IsejtGxXR0C5mfmNMIHJBgNVHSME
-gcEwgb6AFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
+o4IBGDCCARQwHQYDVR0OBBYEFO43pvJA0O/9IsejtGxXR0C5mfmNMIHUBgNVHSME
+gcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
 UzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwI
 U2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xm
-c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIJAKrTP6wY
-CjdNMA8GA1UdEwQIMAYBAf8CAQIwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUA
-A4IBAQBvug+Gr4sSdAW0dAExvfpUr+IqGV3CouveHlAAd9oX0v9SgD315YG2FwD3
-YrjkqDxEmUYCCfo4verdGykGeeGn6AzejVgK/Zh0hAV47FDkpzo4Zy2QVzUoton0
-QQ7DuXA86/Oz6ycUorwuOruCm14uu72frv8nGwc1o7IF902OM+6TFrmJLurg3VIh
-Xb8RcKdcNud7gdBH5pf0K3LOAxIPCB6J2s+I4XRNGw1yexa/vPmPA4oD363bFIPP
-MTZyy/99uotxKLwjJtRQnGQg7ug0zqnutTLnGu/mLnabtBUzP+2vwAGmG4EeGNq2
-iBVZ1TcD8jEsaQ4wZmZ7zBYfll3/
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUfZRwiLoH
+Qo2qr0++whpI8NFA5kIwDwYDVR0TBAgwBgEB/wIBAjALBgNVHQ8EBAMCAQYwDQYJ
+KoZIhvcNAQELBQADggEBAHQHwNZOdFTHdq65DAyQiZoM45YJXd/UKgzDDaDojaYf
+jBXfdikdRXImAZXaCt11vVntU9Ds9qRcQ2XLYhuWXygHW/1P9Ps/pQjd7C6rN4OQ
+H9K/bM3lxkBGsdD0wWiqKGQHIJelVk5U/lJYBSicZPopb7eIG++dTZFEnvUvc8Cn
+DdClB1XAzIW7OoVdA6mxL1XN8L9nC5C0DXgS6rtivSsWdy8CGhL92PpSq4zA1NLi
+zbhiaawwUNZENQG5UI01hJ+51soMC9LzXh5Cf4N5tkgEOoCxl4exk2qjV26G/e8r
+lcgk0GaiC/GbbaZrbYMtwV8l3UrQ90yUsMNvvMrvwUo=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainI-entity.pem b/certs/test-pathlen/chainI-entity.pem
index 3ecb511ab..3bcbba061 100644
--- a/certs/test-pathlen/chainI-entity.pem
+++ b/certs/test-pathlen/chainI-entity.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 101 (0x65)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainI-ICA1-no_pathlen/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainI-ICA1-no_pathlen, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainI-entity/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainI-entity, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:f3:ac:32:8f:52:af:a9:cf:9e:23:a4:96:8e:e9:
                     e8:0a:3a:b7:6a:7b:ba:70:85:68:e2:52:f3:38:39:
@@ -42,27 +42,27 @@ Certificate:
             X509v3 Basic Constraints: 
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         84:1b:07:96:79:b0:eb:77:83:c4:7a:f7:ee:c0:9a:32:15:47:
-         1f:33:26:d7:17:c7:0f:69:09:e0:8f:50:d1:b9:c1:99:f4:0a:
-         24:2d:18:1a:14:14:29:91:d6:cf:bb:11:92:80:74:a6:92:16:
-         54:ed:ad:01:b4:97:71:67:59:53:43:37:14:dd:a8:1d:5b:96:
-         35:b1:80:ff:41:0e:ae:f7:da:2f:d2:01:bd:4b:73:50:fb:f0:
-         8e:2b:58:f8:43:c6:7a:5b:95:14:51:a2:36:f9:09:ec:83:1a:
-         13:44:53:58:2a:f2:83:71:64:5d:99:7c:b8:c7:28:16:7e:8e:
-         b6:31:e3:1f:fa:35:35:8e:96:4a:58:b3:48:2f:7b:c3:1f:43:
-         95:8d:13:b1:1a:25:93:a1:17:64:bb:3b:1c:26:c6:37:b3:14:
-         9f:ae:2d:73:f3:e5:8c:2e:3d:b5:0a:90:72:90:86:f7:4d:4d:
-         27:91:e1:e8:2c:65:7a:a4:4a:ce:cf:c7:6e:12:16:31:f2:dc:
-         1c:51:34:60:16:ff:56:06:f8:93:5c:bb:96:03:2b:13:64:00:
-         23:94:d8:e1:a1:66:37:c8:b1:db:36:86:93:e6:96:77:82:37:
-         20:40:1f:38:f4:1e:13:de:1a:97:ed:69:db:ca:17:09:83:d5:
-         05:62:fb:fd
+         17:b3:bc:12:8f:96:ee:c8:f1:36:75:6a:b6:d7:79:bd:1b:08:
+         06:ef:5a:47:7d:bc:4b:dc:54:9c:1b:cf:81:9c:e7:e2:43:6d:
+         87:61:35:07:44:4b:4e:3d:e9:53:8a:28:69:60:41:c9:f3:e8:
+         8d:a4:6b:7e:2e:1b:5c:88:26:00:ef:6a:18:df:99:03:59:c4:
+         0a:6c:1e:ef:ce:b5:f3:ca:e3:57:56:ae:8b:41:4e:66:d7:b6:
+         35:d1:ab:2f:bd:5b:9d:a0:55:57:95:2d:2d:d2:f0:02:2e:f5:
+         db:cd:3c:50:bf:f0:cd:51:98:27:cd:1b:5f:8d:0f:2b:ae:67:
+         38:e1:5c:af:1c:b1:9d:8f:f2:b0:24:ff:f2:8b:b7:0c:4a:1e:
+         ee:dd:55:b2:43:70:f4:b0:05:ba:b0:ad:e4:7c:cd:0b:05:d5:
+         db:97:13:37:13:d0:33:b4:0e:2c:0f:95:17:11:cd:95:1a:1c:
+         2d:8b:28:53:bf:bc:5a:46:77:6e:23:71:e1:9e:59:cd:48:8f:
+         19:cf:67:ac:63:a2:2d:d6:db:a8:6e:70:d0:5f:e3:42:00:c3:
+         99:a8:d6:43:35:74:16:6a:05:fb:11:88:9e:5f:5c:98:e5:5e:
+         b1:04:a2:61:36:ae:2d:2f:e8:b1:1e:26:f4:49:74:ae:c2:29:
+         b8:6d:41:27
 -----BEGIN CERTIFICATE-----
 MIIEvDCCA6SgAwIBAgIBZTANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNo
 YWluSS1JQ0ExLW5vX3BhdGhsZW4xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
-bC5jb20wHhcNMjEwMjEwMTk0OTU1WhcNMjMxMTA3MTk0OTU1WjCBmjELMAkGA1UE
+bC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBmjELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxFjAUBgNV
 BAMMDWNoYWluSS1lbnRpdHkxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
@@ -78,10 +78,10 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
 FTATBgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAd
 BgNVBAMMFmNoYWluSS1JQ0EyLW5vX3BhdGhsZW4xHzAdBgkqhkiG9w0BCQEWEGlu
 Zm9Ad29sZnNzbC5jb22CAWQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEA
-hBsHlnmw63eDxHr37sCaMhVHHzMm1xfHD2kJ4I9Q0bnBmfQKJC0YGhQUKZHWz7sR
-koB0ppIWVO2tAbSXcWdZU0M3FN2oHVuWNbGA/0EOrvfaL9IBvUtzUPvwjitY+EPG
-eluVFFGiNvkJ7IMaE0RTWCryg3FkXZl8uMcoFn6OtjHjH/o1NY6WSlizSC97wx9D
-lY0TsRolk6EXZLs7HCbGN7MUn64tc/PljC49tQqQcpCG901NJ5Hh6CxleqRKzs/H
-bhIWMfLcHFE0YBb/Vgb4k1y7lgMrE2QAI5TY4aFmN8ix2zaGk+aWd4I3IEAfOPQe
-E94al+1p28oXCYPVBWL7/Q==
+F7O8Eo+W7sjxNnVqttd5vRsIBu9aR328S9xUnBvPgZzn4kNth2E1B0RLTj3pU4oo
+aWBByfPojaRrfi4bXIgmAO9qGN+ZA1nECmwe786188rjV1aui0FOZte2NdGrL71b
+naBVV5UtLdLwAi712808UL/wzVGYJ80bX40PK65nOOFcrxyxnY/ysCT/8ou3DEoe
+7t1VskNw9LAFurCt5HzNCwXV25cTNxPQM7QOLA+VFxHNlRocLYsoU7+8WkZ3biNx
+4Z5ZzUiPGc9nrGOiLdbbqG5w0F/jQgDDmajWQzV0FmoF+xGInl9cmOVesQSiYTau
+LS/osR4m9El0rsIpuG1BJw==
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainJ-ICA1-no_pathlen.pem b/certs/test-pathlen/chainJ-ICA1-no_pathlen.pem
index 7103a6fc9..c08db4241 100644
--- a/certs/test-pathlen/chainJ-ICA1-no_pathlen.pem
+++ b/certs/test-pathlen/chainJ-ICA1-no_pathlen.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainJ-ICA2-no_pathlen/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainJ-ICA2-no_pathlen, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainJ-ICA1-no_pathlen/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainJ-ICA1-no_pathlen, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:a7:6f:44:c2:11:cc:2c:f4:2a:a5:a8:08:53:4b:
                     0e:cd:96:23:bb:15:4a:2a:dd:f9:a7:19:2b:91:28:
@@ -44,27 +44,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         1b:bc:90:0e:7d:7e:8c:da:bb:5c:81:c5:86:8a:da:4e:c9:98:
-         a6:0c:e5:8b:ab:a1:a6:9d:94:68:af:18:34:3f:b3:39:e8:0a:
-         3f:8f:67:a2:b4:f5:41:eb:ca:ab:93:8f:29:9f:7d:1c:50:7e:
-         85:4f:a8:01:11:ea:08:fd:a1:e6:ec:10:4e:84:b3:4d:a0:20:
-         c8:32:5a:40:d8:8b:78:41:ea:19:8d:e2:5e:03:72:ee:9b:a0:
-         84:bc:87:32:e9:31:24:37:b5:33:78:7a:aa:5a:d4:bb:aa:e1:
-         b3:10:c8:98:90:e3:92:23:54:86:0e:2a:04:23:cc:d9:a8:7a:
-         c9:1b:17:c1:08:d5:2b:09:e9:9b:ac:07:9f:e0:34:05:eb:01:
-         e8:15:c5:7d:69:89:17:15:cc:dc:3b:84:1c:aa:53:e0:06:fa:
-         2b:7f:82:07:0d:eb:cb:be:43:8c:7e:9e:2b:62:08:44:32:e8:
-         68:48:4e:e0:44:8f:7a:d2:4a:3c:6d:25:56:ce:2b:6a:54:8e:
-         67:8e:1e:ef:bb:92:9b:47:7c:95:3d:c5:9b:bf:28:e0:a8:2e:
-         e5:17:4d:01:1a:71:1a:d4:0c:4d:d4:c8:f4:df:09:85:1d:36:
-         b6:47:9a:f9:83:1a:74:98:23:aa:96:a1:31:c1:67:c7:db:69:
-         9a:fe:44:aa
+         34:2e:4c:ef:fb:6f:f2:6d:64:aa:c8:fb:93:23:af:12:d4:6d:
+         ad:26:34:48:f7:bb:db:51:c0:d5:20:5c:cf:86:3c:7a:7a:9f:
+         f7:16:c0:10:42:07:bb:d2:e5:ee:f8:9c:50:b3:fa:56:41:0f:
+         48:b8:d1:91:54:4b:bf:b5:cb:35:66:b6:94:a8:8e:ff:f1:d1:
+         3a:07:d4:df:19:e8:5c:10:ff:93:ed:3e:9b:f5:d2:dd:20:32:
+         35:5f:79:7c:9e:55:7b:1f:9a:b5:3c:90:3e:06:9f:7a:7b:f0:
+         08:9f:ec:61:3c:88:07:9d:b8:36:6e:23:0a:d9:16:15:60:d6:
+         0c:de:e0:11:8d:92:3c:37:6f:bb:cf:5e:86:d7:61:26:cb:a0:
+         6a:bf:18:2d:08:dc:e9:8b:0f:02:a8:8e:a1:fd:89:cd:5c:ce:
+         df:8b:74:0e:b6:d4:8f:62:1a:e4:b2:e4:ca:40:4f:20:ed:50:
+         b2:c5:bf:e5:08:d3:d0:c4:f3:a2:87:f7:80:a2:fa:2a:4d:41:
+         1f:b4:a0:f9:10:8c:22:c6:5f:83:eb:51:9d:44:4a:83:fd:b5:
+         fd:93:42:ab:f7:49:c8:98:4e:34:14:d2:82:63:60:6d:53:d6:
+         7b:e2:00:8d:15:e2:e5:0d:53:94:76:d2:35:e7:57:2e:d0:a5:
+         d2:22:1b:f8
 -----BEGIN CERTIFICATE-----
 MIIE1jCCA76gAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNo
 YWluSi1JQ0EyLW5vX3BhdGhsZW4xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
-bC5jb20wHhcNMjEwMjEwMTk0OTU1WhcNMjMxMTA3MTk0OTU1WjCBozELMAkGA1UE
+bC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBozELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNV
 BAMMFmNoYWluSi1JQ0ExLW5vX3BhdGhsZW4xHzAdBgkqhkiG9w0BCQEWEGluZm9A
@@ -80,10 +80,10 @@ gaYwgaMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
 DAdTZWF0dGxlMRUwEwYDVQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2lu
 ZWVyaW5nMR8wHQYDVQQDDBZjaGFpbkotSUNBMy1ub19wYXRobGVuMR8wHQYJKoZI
 hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggFkMAwGA1UdEwQFMAMBAf8wCwYDVR0P
-BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAbvJAOfX6M2rtcgcWGitpOyZimDOWL
-q6GmnZRorxg0P7M56Ao/j2eitPVB68qrk48pn30cUH6FT6gBEeoI/aHm7BBOhLNN
-oCDIMlpA2It4QeoZjeJeA3Lum6CEvIcy6TEkN7UzeHqqWtS7quGzEMiYkOOSI1SG
-DioEI8zZqHrJGxfBCNUrCembrAef4DQF6wHoFcV9aYkXFczcO4QcqlPgBvorf4IH
-DevLvkOMfp4rYghEMuhoSE7gRI960ko8bSVWzitqVI5njh7vu5KbR3yVPcWbvyjg
-qC7lF00BGnEa1AxN1Mj03wmFHTa2R5r5gxp0mCOqlqExwWfH22ma/kSq
+BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQA0Lkzv+2/ybWSqyPuTI68S1G2tJjRI
+97vbUcDVIFzPhjx6ep/3FsAQQge70uXu+JxQs/pWQQ9IuNGRVEu/tcs1ZraUqI7/
+8dE6B9TfGehcEP+T7T6b9dLdIDI1X3l8nlV7H5q1PJA+Bp96e/AIn+xhPIgHnbg2
+biMK2RYVYNYM3uARjZI8N2+7z16G12Emy6BqvxgtCNzpiw8CqI6h/YnNXM7fi3QO
+ttSPYhrksuTKQE8g7VCyxb/lCNPQxPOih/eAovoqTUEftKD5EIwixl+D61GdREqD
+/bX9k0Kr90nImE40FNKCY2BtU9Z74gCNFeLlDVOUdtI151cu0KXSIhv4
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainJ-ICA2-no_pathlen.pem b/certs/test-pathlen/chainJ-ICA2-no_pathlen.pem
index 7e69d63e7..cfbaf287e 100644
--- a/certs/test-pathlen/chainJ-ICA2-no_pathlen.pem
+++ b/certs/test-pathlen/chainJ-ICA2-no_pathlen.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainJ-ICA3-no_pathlen/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainJ-ICA3-no_pathlen, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainJ-ICA2-no_pathlen/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainJ-ICA2-no_pathlen, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:bb:29:fd:89:aa:82:e0:1d:04:78:69:ec:61:58:
                     51:52:84:7e:6b:55:69:2c:f4:23:d6:1f:d8:ed:ab:
@@ -44,27 +44,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         b5:1a:a8:18:60:a0:55:56:bc:19:0c:0b:a6:fe:c1:a4:fb:b0:
-         f3:c2:7e:4f:86:62:c5:3d:a4:da:9f:df:de:57:a1:3d:9e:67:
-         d4:84:2d:bd:17:12:ad:9e:cd:7b:e5:43:c9:35:90:00:50:36:
-         97:dd:bc:86:86:3c:63:11:13:ed:4f:f2:66:b3:ea:fb:d2:a9:
-         71:00:d1:9d:be:c8:ae:00:44:40:a6:08:df:a3:ae:1e:85:34:
-         4d:cf:61:40:1e:1e:be:b1:e4:0a:33:ed:30:d0:fc:c1:26:c3:
-         5c:c9:c3:5d:02:87:88:49:2d:50:d2:7f:dd:5a:ac:26:8c:22:
-         79:62:0e:84:ac:5e:2a:83:47:b3:42:5e:c1:2a:98:8e:1d:40:
-         8f:4e:8c:2a:89:97:b6:91:8b:cf:12:5b:83:9b:81:0c:82:80:
-         90:70:fc:55:28:8b:f0:c1:74:85:a6:df:85:c6:69:e3:16:d8:
-         cb:ae:11:96:7a:16:b8:85:c4:d6:17:69:13:75:35:b5:40:4c:
-         31:02:cb:85:8b:75:38:32:f0:80:93:3c:75:20:5b:da:3a:c1:
-         40:dd:2a:9e:36:e4:f1:8d:8f:56:20:a0:ef:67:9d:ea:53:ec:
-         b2:f5:7c:4e:dd:41:57:26:96:1a:0b:2c:55:00:5f:10:87:e0:
-         41:e5:ce:51
+         26:7a:2c:3d:0c:70:00:99:4e:7b:48:06:5f:f9:0d:f2:ee:b1:
+         d2:3a:11:86:41:72:1d:d5:a2:89:fa:42:0b:f6:0c:7f:d6:8a:
+         93:b4:19:25:5b:99:17:45:ca:95:6b:45:3e:b1:53:f0:da:0c:
+         81:67:f4:7c:3d:2d:dd:68:bd:ab:44:d1:99:9b:63:9a:54:14:
+         28:e5:0d:a4:a6:a6:fa:a4:29:b0:85:96:c1:f5:ce:af:77:ba:
+         b8:36:ff:7c:62:9f:6b:57:5c:dd:34:14:17:a2:81:ce:40:b9:
+         10:c1:9e:cb:4e:67:9e:a3:7d:aa:80:d7:a7:d6:42:be:69:69:
+         d3:74:02:08:a9:32:a0:ea:22:3d:cb:c7:ee:57:f2:7f:99:6d:
+         79:9b:bb:4e:43:fa:d5:28:af:13:13:f2:c9:56:3e:ca:87:22:
+         d9:c5:30:44:27:3b:20:8c:ad:5e:29:79:1f:8d:e3:13:89:1d:
+         7b:eb:7c:3b:2e:04:51:43:68:70:dc:fc:be:aa:33:6e:b2:c4:
+         36:e1:79:33:2c:b7:b2:d5:75:f2:f0:66:51:a9:a6:de:4a:77:
+         d3:f7:bc:84:e7:ab:3c:7c:e6:33:59:86:1a:99:9b:36:24:51:
+         96:fb:c2:c0:88:2f:e6:35:6b:68:42:93:4c:09:22:23:06:7a:
+         be:16:14:a1
 -----BEGIN CERTIFICATE-----
 MIIE1DCCA7ygAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNo
 YWluSi1JQ0EzLW5vX3BhdGhsZW4xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
-bC5jb20wHhcNMjEwMjEwMTk0OTU1WhcNMjMxMTA3MTk0OTU1WjCBozELMAkGA1UE
+bC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBozELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNV
 BAMMFmNoYWluSi1JQ0EyLW5vX3BhdGhsZW4xHzAdBgkqhkiG9w0BCQEWEGluZm9A
@@ -80,10 +80,10 @@ gaQwgaExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
 DAdTZWF0dGxlMRUwEwYDVQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2lu
 ZWVyaW5nMR0wGwYDVQQDDBRjaGFpbkotSUNBNC1wYXRobGVuMjEfMB0GCSqGSIb3
 DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIBZDAMBgNVHRMEBTADAQH/MAsGA1UdDwQE
-AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAtRqoGGCgVVa8GQwLpv7BpPuw88J+T4Zi
-xT2k2p/f3lehPZ5n1IQtvRcSrZ7Ne+VDyTWQAFA2l928hoY8YxET7U/yZrPq+9Kp
-cQDRnb7IrgBEQKYI36OuHoU0Tc9hQB4evrHkCjPtMND8wSbDXMnDXQKHiEktUNJ/
-3VqsJowieWIOhKxeKoNHs0JewSqYjh1Aj06MKomXtpGLzxJbg5uBDIKAkHD8VSiL
-8MF0habfhcZp4xbYy64RlnoWuIXE1hdpE3U1tUBMMQLLhYt1ODLwgJM8dSBb2jrB
-QN0qnjbk8Y2PViCg72ed6lPssvV8Tt1BVyaWGgssVQBfEIfgQeXOUQ==
+AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAJnosPQxwAJlOe0gGX/kN8u6x0joRhkFy
+HdWiifpCC/YMf9aKk7QZJVuZF0XKlWtFPrFT8NoMgWf0fD0t3Wi9q0TRmZtjmlQU
+KOUNpKam+qQpsIWWwfXOr3e6uDb/fGKfa1dc3TQUF6KBzkC5EMGey05nnqN9qoDX
+p9ZCvmlp03QCCKkyoOoiPcvH7lfyf5lteZu7TkP61SivExPyyVY+yoci2cUwRCc7
+IIytXil5H43jE4kde+t8Oy4EUUNocNz8vqozbrLENuF5Myy3stV18vBmUamm3kp3
+0/e8hOerPHzmM1mGGpmbNiRRlvvCwIgv5jVraEKTTAkiIwZ6vhYUoQ==
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainJ-ICA3-no_pathlen.pem b/certs/test-pathlen/chainJ-ICA3-no_pathlen.pem
index 75e7a63fa..4b2363dc7 100644
--- a/certs/test-pathlen/chainJ-ICA3-no_pathlen.pem
+++ b/certs/test-pathlen/chainJ-ICA3-no_pathlen.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainJ-ICA4-pathlen2/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainJ-ICA4-pathlen2, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainJ-ICA3-no_pathlen/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainJ-ICA3-no_pathlen, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d8:aa:f6:05:95:70:5a:53:c7:66:10:aa:90:79:
                     3b:cb:78:2a:ef:5f:43:22:71:7c:6d:47:99:a7:8b:
@@ -44,27 +44,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         1c:4a:61:8f:95:15:dc:f1:79:27:3d:bd:fb:30:05:37:da:62:
-         e9:ed:0c:e4:18:78:87:7c:aa:a7:0e:c6:b2:ff:04:25:a7:f1:
-         29:4e:ad:7e:86:47:67:f3:a8:a9:70:28:5f:2b:ab:34:a3:21:
-         30:7b:45:d3:5b:60:5f:84:86:01:cf:36:14:1a:86:09:00:d7:
-         b6:60:69:6a:0b:fc:9c:c4:9e:46:90:74:00:61:32:23:b6:73:
-         e8:58:c9:44:e6:6e:8a:b1:e4:a1:9c:a9:a0:db:2d:71:b2:a4:
-         4c:ea:f2:b3:28:46:8f:fd:61:70:c5:92:b3:ad:42:92:d4:dd:
-         2b:11:ce:a5:02:84:6a:a8:81:2c:00:29:2d:54:63:c3:18:79:
-         c0:a9:d0:d7:c1:12:65:6e:14:98:e5:09:1a:2e:ef:0a:e3:4a:
-         9c:3f:a8:01:44:6c:f2:31:90:b3:78:91:23:e5:6f:3e:13:54:
-         59:32:c2:11:1e:a2:2d:9d:39:95:25:c3:8d:c5:d7:b0:e4:b3:
-         f8:d7:d5:8c:ad:b7:f4:2f:44:f2:05:53:33:6b:52:a0:98:e5:
-         e4:ec:fb:51:e7:fa:d6:2b:c1:e8:c8:a6:a7:5c:44:aa:e4:61:
-         a7:43:5d:5f:eb:5e:d0:d5:fd:99:01:a3:0e:39:5d:0b:b4:9b:
-         8f:e8:a8:0e
+         56:36:8b:bd:1d:e4:df:d0:a4:fd:c3:b0:e8:fc:fd:00:89:6f:
+         24:b4:eb:a9:d1:1c:0d:d9:f3:f5:02:90:f0:30:76:f7:73:b8:
+         0c:da:7e:19:9c:b9:d7:0d:f9:46:cb:e3:4c:3f:f4:f4:fe:f8:
+         81:84:a9:da:c3:a4:83:58:ff:a6:78:6a:41:8f:62:8e:25:69:
+         ee:34:20:49:4d:da:8c:94:fd:52:d2:96:95:e6:be:d3:21:f8:
+         d4:23:65:4c:33:55:b8:a7:95:99:21:e4:f6:29:c8:36:db:d8:
+         84:d0:1f:5b:92:92:87:8c:50:5d:dd:04:46:30:1e:b6:04:93:
+         ee:4a:2a:04:b6:9b:f4:5f:fd:89:66:54:fa:e9:76:b0:78:3c:
+         71:7b:d3:93:90:b1:57:f4:f3:e3:90:48:e7:de:da:30:61:f2:
+         2f:79:0b:1a:e8:17:a6:e5:58:ab:18:25:68:b1:9d:af:5a:94:
+         fd:1e:fd:df:84:56:e4:4a:01:63:b5:36:b0:c3:61:0f:18:04:
+         b9:98:ca:75:87:26:ce:9f:71:c7:e7:60:f1:9a:b5:5b:91:0a:
+         ed:e4:e6:28:6d:ea:d0:e9:4f:14:64:c9:4c:67:ae:df:8d:a2:
+         5d:42:a5:14:5d:29:d4:4b:25:3e:1b:fe:2f:7c:13:4d:e4:72:
+         57:a4:fb:fb
 -----BEGIN CERTIFICATE-----
 MIIExDCCA6ygAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluSi1JQ0E0LXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NVoXDTIzMTEwNzE5NDk1NVowgaMxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgaMxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMR8wHQYDVQQD
 DBZjaGFpbkotSUNBMy1ub19wYXRobGVuMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
@@ -80,10 +80,10 @@ gZQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
 bWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYG
 A1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZz
 c2wuY29tggFkMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEB
-CwUAA4IBAQAcSmGPlRXc8XknPb37MAU32mLp7QzkGHiHfKqnDsay/wQlp/EpTq1+
-hkdn86ipcChfK6s0oyEwe0XTW2BfhIYBzzYUGoYJANe2YGlqC/ycxJ5GkHQAYTIj
-tnPoWMlE5m6KseShnKmg2y1xsqRM6vKzKEaP/WFwxZKzrUKS1N0rEc6lAoRqqIEs
-ACktVGPDGHnAqdDXwRJlbhSY5QkaLu8K40qcP6gBRGzyMZCzeJEj5W8+E1RZMsIR
-HqItnTmVJcONxdew5LP419WMrbf0L0TyBVMza1KgmOXk7PtR5/rWK8HoyKanXESq
-5GGnQ11f617Q1f2ZAaMOOV0LtJuP6KgO
+CwUAA4IBAQBWNou9HeTf0KT9w7Do/P0AiW8ktOup0RwN2fP1ApDwMHb3c7gM2n4Z
+nLnXDflGy+NMP/T0/viBhKnaw6SDWP+meGpBj2KOJWnuNCBJTdqMlP1S0paV5r7T
+IfjUI2VMM1W4p5WZIeT2Kcg229iE0B9bkpKHjFBd3QRGMB62BJPuSioEtpv0X/2J
+ZlT66XaweDxxe9OTkLFX9PPjkEjn3towYfIveQsa6Bem5VirGCVosZ2vWpT9Hv3f
+hFbkSgFjtTaww2EPGAS5mMp1hybOn3HH52DxmrVbkQrt5OYoberQ6U8UZMlMZ67f
+jaJdQqUUXSnUSyU+G/4vfBNN5HJXpPv7
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainJ-ICA4-pathlen2.pem b/certs/test-pathlen/chainJ-ICA4-pathlen2.pem
index c1446e00d..13f078af1 100644
--- a/certs/test-pathlen/chainJ-ICA4-pathlen2.pem
+++ b/certs/test-pathlen/chainJ-ICA4-pathlen2.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainJ-ICA4-pathlen2/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainJ-ICA4-pathlen2, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:9d:4a:ee:6b:ff:b6:ec:88:21:23:84:03:b6:88:
                     bb:3e:5a:1b:95:03:2f:24:53:2d:57:3f:11:38:5d:
@@ -37,34 +37,34 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE, pathlen:2
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         0a:09:0b:51:1a:2d:fd:0f:3f:07:9b:9e:c8:17:d9:a5:40:e6:
-         08:a5:8a:f6:38:38:c1:b2:6a:a0:80:6e:b8:0f:15:94:80:ed:
-         1b:2d:79:f0:31:f3:9c:6a:1f:f5:51:d3:9d:6a:17:c7:20:14:
-         cf:74:b5:01:ef:ce:0c:d4:c4:e5:d2:f8:6c:ef:79:64:c0:7e:
-         50:7d:88:1f:5a:7d:a4:d0:e5:0b:ec:b9:54:ac:81:91:75:2c:
-         38:de:ff:73:8d:23:14:52:ce:c8:07:cd:e5:66:8b:79:90:ee:
-         e0:4e:91:ee:dd:14:74:58:89:04:ea:d7:f6:cf:65:b6:33:d8:
-         f8:ae:1c:3d:17:fc:5a:51:28:b9:a6:6e:c4:aa:e8:43:f8:9d:
-         6b:de:dd:e9:9c:9d:b1:43:8e:f1:b7:60:9b:0a:fa:3a:0b:80:
-         a8:01:7c:b5:63:d5:c5:11:23:9a:89:2f:0f:47:26:0d:78:26:
-         c1:61:64:c3:37:93:27:af:08:f8:4e:1a:f7:92:a6:c0:2b:32:
-         78:23:fc:71:71:8d:a1:1e:ec:7e:6f:62:27:1b:04:3c:0a:78:
-         23:9a:21:b2:ef:59:67:59:bd:9d:d3:49:72:0c:0b:c2:8f:d3:
-         ca:4e:81:ab:b3:5a:00:39:4a:86:ce:1e:e3:99:a8:1a:e3:ba:
-         79:a9:aa:68
+         4b:8f:32:25:21:a6:78:3e:85:35:66:bd:36:f4:7c:cc:4e:90:
+         74:19:b0:a6:35:bb:cc:59:a8:61:06:29:65:bf:75:7f:9f:a0:
+         84:84:18:c1:9a:2f:93:3c:12:4c:ec:89:e4:e9:a3:53:0f:0a:
+         00:e1:4b:00:e4:64:b6:4a:53:59:06:e7:0f:d5:cc:af:26:34:
+         31:86:fc:3c:9e:71:b1:10:4a:c1:db:a3:52:98:33:a2:ab:a0:
+         cc:24:3e:f8:bb:21:f4:24:c5:03:17:27:d2:21:09:02:a8:4e:
+         98:b8:63:ff:50:62:b2:c8:a6:b9:bc:cf:bd:a5:91:98:da:48:
+         6d:05:f0:fe:e6:77:7e:69:81:e5:2e:cb:01:dc:ce:e5:09:b6:
+         c9:05:8e:f0:e4:d5:2e:3f:23:92:6c:47:e1:75:fd:7a:49:74:
+         b9:85:65:a1:d5:52:64:9a:42:54:a3:14:5b:69:a0:c3:66:3a:
+         ea:ce:5a:47:65:d9:08:ff:d7:79:de:67:9a:45:6b:e7:13:5a:
+         57:60:dc:d2:65:06:19:a7:57:cf:48:87:80:39:ca:46:0c:1f:
+         90:bc:e6:7f:4d:5d:f2:83:b1:08:24:34:8d:96:94:5f:64:90:
+         f4:a6:1f:46:e3:5e:1f:fd:d8:fe:4d:aa:98:e4:93:af:32:72:
+         e5:fc:fa:b3
 -----BEGIN CERTIFICATE-----
-MIIEwTCCA6mgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEzDCCA7SgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTU1WhcNMjMxMTA3MTk0OTU1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoMDHdvbGZTU0wg
 SW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNoYWluSi1JQ0E0
 LXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN
@@ -74,16 +74,16 @@ Jo/8HgYX8N5Yh+8eppESOWilBfOMZ8nlmRik/JA/vabK8qbdteaTyxSJgzyIWjGr
 42YqG4fFhQNFsM7hD8EPknDXrGXqqAnB/h3bt+fdmNPGsRa0VFjBqrqhzxkUp+RV
 ptq7H57RhQDgjUrE0oYIdf3YHoUhbCePGNVEc1irlHVKNj2NTcZ6hp0A28W6vnAC
 g79u2DGJs/IWmL4n9hRa6dRyZ42p33YnvxmsIFkoWxtC2dVbbftuol7T6QIDAQAB
-o4IBDTCCAQkwHQYDVR0OBBYEFPwYE1K7M0rbHFvRgJg+QIaVWHL5MIHJBgNVHSME
-gcEwgb6AFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
+o4IBGDCCARQwHQYDVR0OBBYEFPwYE1K7M0rbHFvRgJg+QIaVWHL5MIHUBgNVHSME
+gcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
 UzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwI
 U2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xm
-c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIJAKrTP6wY
-CjdNMA8GA1UdEwQIMAYBAf8CAQIwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUA
-A4IBAQAKCQtRGi39Dz8Hm57IF9mlQOYIpYr2ODjBsmqggG64DxWUgO0bLXnwMfOc
-ah/1UdOdahfHIBTPdLUB784M1MTl0vhs73lkwH5QfYgfWn2k0OUL7LlUrIGRdSw4
-3v9zjSMUUs7IB83lZot5kO7gTpHu3RR0WIkE6tf2z2W2M9j4rhw9F/xaUSi5pm7E
-quhD+J1r3t3pnJ2xQ47xt2CbCvo6C4CoAXy1Y9XFESOaiS8PRyYNeCbBYWTDN5Mn
-rwj4Thr3kqbAKzJ4I/xxcY2hHux+b2InGwQ8CngjmiGy71lnWb2d00lyDAvCj9PK
-ToGrs1oAOUqGzh7jmaga47p5qapo
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUfZRwiLoH
+Qo2qr0++whpI8NFA5kIwDwYDVR0TBAgwBgEB/wIBAjALBgNVHQ8EBAMCAQYwDQYJ
+KoZIhvcNAQELBQADggEBAEuPMiUhpng+hTVmvTb0fMxOkHQZsKY1u8xZqGEGKWW/
+dX+foISEGMGaL5M8EkzsieTpo1MPCgDhSwDkZLZKU1kG5w/VzK8mNDGG/DyecbEQ
+SsHbo1KYM6KroMwkPvi7IfQkxQMXJ9IhCQKoTpi4Y/9QYrLIprm8z72lkZjaSG0F
+8P7md35pgeUuywHczuUJtskFjvDk1S4/I5JsR+F1/XpJdLmFZaHVUmSaQlSjFFtp
+oMNmOurOWkdl2Qj/13neZ5pFa+cTWldg3NJlBhmnV89Ih4A5ykYMH5C85n9NXfKD
+sQgkNI2WlF9kkPSmH0bjXh/92P5Nqpjkk68ycuX8+rM=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainJ-assembled.pem b/certs/test-pathlen/chainJ-assembled.pem
index 18c0da0f7..f52dce9a5 100644
--- a/certs/test-pathlen/chainJ-assembled.pem
+++ b/certs/test-pathlen/chainJ-assembled.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 101 (0x65)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainJ-ICA1-no_pathlen/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainJ-ICA1-no_pathlen, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainJ-entity/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainJ-entity, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:b3:fb:51:a0:ac:69:8b:35:06:bf:7a:ee:b4:a1:
                     8a:7e:ae:31:75:ad:e7:45:7b:e6:d9:bb:7c:e9:73:
@@ -42,27 +42,27 @@ Certificate:
             X509v3 Basic Constraints: 
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         9c:16:1e:71:2c:cc:59:21:df:65:d5:f0:6a:07:d1:46:2a:cf:
-         10:5f:9c:e5:75:13:1b:d7:8e:a3:15:dc:85:b8:27:7b:87:d5:
-         c5:5f:29:03:92:48:0a:42:83:85:93:3c:1a:82:5b:0f:66:81:
-         09:6a:d6:9e:73:fa:4c:6e:c0:97:7d:b2:ad:14:5b:12:84:82:
-         62:19:a2:e4:07:15:48:3b:98:6c:31:f5:4a:8b:2d:88:e9:c2:
-         36:de:c2:7b:c8:62:7b:cf:67:63:97:40:0c:f0:b9:09:69:8f:
-         ce:55:b4:28:06:9d:a7:d8:1d:4b:8d:4c:57:ce:0e:0d:1b:9e:
-         85:0d:c9:48:a5:f8:f5:00:d1:77:e0:d5:91:cb:7b:68:2c:02:
-         58:aa:38:f5:09:9a:3e:01:3d:e7:b5:1e:0f:49:05:93:9f:30:
-         59:84:8b:06:e5:8a:be:93:98:29:5b:44:86:a6:d8:5e:14:d4:
-         22:79:36:b7:b0:9d:2d:c1:ec:5a:99:7f:a8:7a:f2:a1:48:42:
-         18:89:6e:22:a5:8d:fc:6e:b1:6c:62:3e:67:72:d6:f4:96:f8:
-         fb:fc:55:53:68:d8:d7:be:7e:d6:1b:75:0e:58:c8:f9:f1:d1:
-         5d:ba:e4:5e:ce:f6:a1:b7:cf:5e:d7:43:56:42:f5:58:88:9e:
-         21:de:6d:0b
+         1c:81:5f:34:60:dd:bb:0a:02:db:8c:9a:e6:a9:f0:49:5d:f4:
+         fb:22:25:12:60:b8:65:fc:d5:c2:6d:1a:06:e2:b3:a2:aa:cd:
+         e9:cb:9e:01:1f:96:2a:4b:e9:1c:c3:b2:23:b2:5a:2a:6b:2c:
+         57:d6:f0:45:d6:d8:a0:fa:2d:6f:38:92:8c:ae:19:fc:aa:ba:
+         06:b2:6c:fb:2c:81:a6:39:9b:36:92:54:a2:36:77:86:8e:dd:
+         fd:b1:88:15:d4:a2:6b:a7:bc:f4:e0:25:8c:75:e8:33:6a:bf:
+         b2:0c:6b:04:07:b2:2f:d5:c3:a5:24:48:b4:f2:76:31:df:89:
+         d7:56:ea:b9:b8:ab:d4:9e:d5:68:35:0a:70:9a:cc:9a:a1:47:
+         48:84:b9:0b:8e:f3:0f:3b:99:6a:ea:e7:00:39:ef:a2:36:55:
+         7b:bf:b8:d0:cd:a5:ce:6f:50:9a:fc:56:43:f7:64:8a:46:51:
+         f7:db:58:00:f7:5d:44:b1:7b:c0:22:ef:71:dd:8b:7c:c8:38:
+         fe:0f:22:ca:ca:d9:10:63:1e:88:b9:fa:24:ea:4f:85:72:79:
+         ce:57:d0:ec:d4:6b:ce:56:fc:b2:d1:85:79:6c:32:7c:05:77:
+         da:29:85:17:e1:56:f8:b1:ed:a0:8d:40:8d:54:7b:a1:2d:0b:
+         45:64:99:87
 -----BEGIN CERTIFICATE-----
 MIIEvDCCA6SgAwIBAgIBZTANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNo
 YWluSi1JQ0ExLW5vX3BhdGhsZW4xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
-bC5jb20wHhcNMjEwMjEwMTk0OTU1WhcNMjMxMTA3MTk0OTU1WjCBmjELMAkGA1UE
+bC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBmjELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxFjAUBgNV
 BAMMDWNoYWluSi1lbnRpdHkxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
@@ -78,26 +78,26 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
 FTATBgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAd
 BgNVBAMMFmNoYWluSi1JQ0EyLW5vX3BhdGhsZW4xHzAdBgkqhkiG9w0BCQEWEGlu
 Zm9Ad29sZnNzbC5jb22CAWQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEA
-nBYecSzMWSHfZdXwagfRRirPEF+c5XUTG9eOoxXchbgne4fVxV8pA5JICkKDhZM8
-GoJbD2aBCWrWnnP6TG7Al32yrRRbEoSCYhmi5AcVSDuYbDH1SostiOnCNt7Ce8hi
-e89nY5dADPC5CWmPzlW0KAadp9gdS41MV84ODRuehQ3JSKX49QDRd+DVkct7aCwC
-WKo49QmaPgE957UeD0kFk58wWYSLBuWKvpOYKVtEhqbYXhTUInk2t7CdLcHsWpl/
-qHryoUhCGIluIqWN/G6xbGI+Z3LW9Jb4+/xVU2jY175+1ht1DljI+fHRXbrkXs72
-obfPXtdDVkL1WIieId5tCw==
+HIFfNGDduwoC24ya5qnwSV30+yIlEmC4ZfzVwm0aBuKzoqrN6cueAR+WKkvpHMOy
+I7JaKmssV9bwRdbYoPotbziSjK4Z/Kq6BrJs+yyBpjmbNpJUojZ3ho7d/bGIFdSi
+a6e89OAljHXoM2q/sgxrBAeyL9XDpSRItPJ2Md+J11bqubir1J7VaDUKcJrMmqFH
+SIS5C47zDzuZaurnADnvojZVe7+40M2lzm9QmvxWQ/dkikZR99tYAPddRLF7wCLv
+cd2LfMg4/g8iysrZEGMeiLn6JOpPhXJ5zlfQ7NRrzlb8stGFeWwyfAV32imFF+FW
++LHtoI1AjVR7oS0LRWSZhw==
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainJ-ICA2-no_pathlen/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainJ-ICA2-no_pathlen, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainJ-ICA1-no_pathlen/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainJ-ICA1-no_pathlen, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:a7:6f:44:c2:11:cc:2c:f4:2a:a5:a8:08:53:4b:
                     0e:cd:96:23:bb:15:4a:2a:dd:f9:a7:19:2b:91:28:
@@ -131,27 +131,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         1b:bc:90:0e:7d:7e:8c:da:bb:5c:81:c5:86:8a:da:4e:c9:98:
-         a6:0c:e5:8b:ab:a1:a6:9d:94:68:af:18:34:3f:b3:39:e8:0a:
-         3f:8f:67:a2:b4:f5:41:eb:ca:ab:93:8f:29:9f:7d:1c:50:7e:
-         85:4f:a8:01:11:ea:08:fd:a1:e6:ec:10:4e:84:b3:4d:a0:20:
-         c8:32:5a:40:d8:8b:78:41:ea:19:8d:e2:5e:03:72:ee:9b:a0:
-         84:bc:87:32:e9:31:24:37:b5:33:78:7a:aa:5a:d4:bb:aa:e1:
-         b3:10:c8:98:90:e3:92:23:54:86:0e:2a:04:23:cc:d9:a8:7a:
-         c9:1b:17:c1:08:d5:2b:09:e9:9b:ac:07:9f:e0:34:05:eb:01:
-         e8:15:c5:7d:69:89:17:15:cc:dc:3b:84:1c:aa:53:e0:06:fa:
-         2b:7f:82:07:0d:eb:cb:be:43:8c:7e:9e:2b:62:08:44:32:e8:
-         68:48:4e:e0:44:8f:7a:d2:4a:3c:6d:25:56:ce:2b:6a:54:8e:
-         67:8e:1e:ef:bb:92:9b:47:7c:95:3d:c5:9b:bf:28:e0:a8:2e:
-         e5:17:4d:01:1a:71:1a:d4:0c:4d:d4:c8:f4:df:09:85:1d:36:
-         b6:47:9a:f9:83:1a:74:98:23:aa:96:a1:31:c1:67:c7:db:69:
-         9a:fe:44:aa
+         34:2e:4c:ef:fb:6f:f2:6d:64:aa:c8:fb:93:23:af:12:d4:6d:
+         ad:26:34:48:f7:bb:db:51:c0:d5:20:5c:cf:86:3c:7a:7a:9f:
+         f7:16:c0:10:42:07:bb:d2:e5:ee:f8:9c:50:b3:fa:56:41:0f:
+         48:b8:d1:91:54:4b:bf:b5:cb:35:66:b6:94:a8:8e:ff:f1:d1:
+         3a:07:d4:df:19:e8:5c:10:ff:93:ed:3e:9b:f5:d2:dd:20:32:
+         35:5f:79:7c:9e:55:7b:1f:9a:b5:3c:90:3e:06:9f:7a:7b:f0:
+         08:9f:ec:61:3c:88:07:9d:b8:36:6e:23:0a:d9:16:15:60:d6:
+         0c:de:e0:11:8d:92:3c:37:6f:bb:cf:5e:86:d7:61:26:cb:a0:
+         6a:bf:18:2d:08:dc:e9:8b:0f:02:a8:8e:a1:fd:89:cd:5c:ce:
+         df:8b:74:0e:b6:d4:8f:62:1a:e4:b2:e4:ca:40:4f:20:ed:50:
+         b2:c5:bf:e5:08:d3:d0:c4:f3:a2:87:f7:80:a2:fa:2a:4d:41:
+         1f:b4:a0:f9:10:8c:22:c6:5f:83:eb:51:9d:44:4a:83:fd:b5:
+         fd:93:42:ab:f7:49:c8:98:4e:34:14:d2:82:63:60:6d:53:d6:
+         7b:e2:00:8d:15:e2:e5:0d:53:94:76:d2:35:e7:57:2e:d0:a5:
+         d2:22:1b:f8
 -----BEGIN CERTIFICATE-----
 MIIE1jCCA76gAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNo
 YWluSi1JQ0EyLW5vX3BhdGhsZW4xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
-bC5jb20wHhcNMjEwMjEwMTk0OTU1WhcNMjMxMTA3MTk0OTU1WjCBozELMAkGA1UE
+bC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBozELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNV
 BAMMFmNoYWluSi1JQ0ExLW5vX3BhdGhsZW4xHzAdBgkqhkiG9w0BCQEWEGluZm9A
@@ -167,26 +167,26 @@ gaYwgaMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
 DAdTZWF0dGxlMRUwEwYDVQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2lu
 ZWVyaW5nMR8wHQYDVQQDDBZjaGFpbkotSUNBMy1ub19wYXRobGVuMR8wHQYJKoZI
 hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggFkMAwGA1UdEwQFMAMBAf8wCwYDVR0P
-BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAbvJAOfX6M2rtcgcWGitpOyZimDOWL
-q6GmnZRorxg0P7M56Ao/j2eitPVB68qrk48pn30cUH6FT6gBEeoI/aHm7BBOhLNN
-oCDIMlpA2It4QeoZjeJeA3Lum6CEvIcy6TEkN7UzeHqqWtS7quGzEMiYkOOSI1SG
-DioEI8zZqHrJGxfBCNUrCembrAef4DQF6wHoFcV9aYkXFczcO4QcqlPgBvorf4IH
-DevLvkOMfp4rYghEMuhoSE7gRI960ko8bSVWzitqVI5njh7vu5KbR3yVPcWbvyjg
-qC7lF00BGnEa1AxN1Mj03wmFHTa2R5r5gxp0mCOqlqExwWfH22ma/kSq
+BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQA0Lkzv+2/ybWSqyPuTI68S1G2tJjRI
+97vbUcDVIFzPhjx6ep/3FsAQQge70uXu+JxQs/pWQQ9IuNGRVEu/tcs1ZraUqI7/
+8dE6B9TfGehcEP+T7T6b9dLdIDI1X3l8nlV7H5q1PJA+Bp96e/AIn+xhPIgHnbg2
+biMK2RYVYNYM3uARjZI8N2+7z16G12Emy6BqvxgtCNzpiw8CqI6h/YnNXM7fi3QO
+ttSPYhrksuTKQE8g7VCyxb/lCNPQxPOih/eAovoqTUEftKD5EIwixl+D61GdREqD
+/bX9k0Kr90nImE40FNKCY2BtU9Z74gCNFeLlDVOUdtI151cu0KXSIhv4
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainJ-ICA3-no_pathlen/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainJ-ICA3-no_pathlen, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainJ-ICA2-no_pathlen/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainJ-ICA2-no_pathlen, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:bb:29:fd:89:aa:82:e0:1d:04:78:69:ec:61:58:
                     51:52:84:7e:6b:55:69:2c:f4:23:d6:1f:d8:ed:ab:
@@ -220,27 +220,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         b5:1a:a8:18:60:a0:55:56:bc:19:0c:0b:a6:fe:c1:a4:fb:b0:
-         f3:c2:7e:4f:86:62:c5:3d:a4:da:9f:df:de:57:a1:3d:9e:67:
-         d4:84:2d:bd:17:12:ad:9e:cd:7b:e5:43:c9:35:90:00:50:36:
-         97:dd:bc:86:86:3c:63:11:13:ed:4f:f2:66:b3:ea:fb:d2:a9:
-         71:00:d1:9d:be:c8:ae:00:44:40:a6:08:df:a3:ae:1e:85:34:
-         4d:cf:61:40:1e:1e:be:b1:e4:0a:33:ed:30:d0:fc:c1:26:c3:
-         5c:c9:c3:5d:02:87:88:49:2d:50:d2:7f:dd:5a:ac:26:8c:22:
-         79:62:0e:84:ac:5e:2a:83:47:b3:42:5e:c1:2a:98:8e:1d:40:
-         8f:4e:8c:2a:89:97:b6:91:8b:cf:12:5b:83:9b:81:0c:82:80:
-         90:70:fc:55:28:8b:f0:c1:74:85:a6:df:85:c6:69:e3:16:d8:
-         cb:ae:11:96:7a:16:b8:85:c4:d6:17:69:13:75:35:b5:40:4c:
-         31:02:cb:85:8b:75:38:32:f0:80:93:3c:75:20:5b:da:3a:c1:
-         40:dd:2a:9e:36:e4:f1:8d:8f:56:20:a0:ef:67:9d:ea:53:ec:
-         b2:f5:7c:4e:dd:41:57:26:96:1a:0b:2c:55:00:5f:10:87:e0:
-         41:e5:ce:51
+         26:7a:2c:3d:0c:70:00:99:4e:7b:48:06:5f:f9:0d:f2:ee:b1:
+         d2:3a:11:86:41:72:1d:d5:a2:89:fa:42:0b:f6:0c:7f:d6:8a:
+         93:b4:19:25:5b:99:17:45:ca:95:6b:45:3e:b1:53:f0:da:0c:
+         81:67:f4:7c:3d:2d:dd:68:bd:ab:44:d1:99:9b:63:9a:54:14:
+         28:e5:0d:a4:a6:a6:fa:a4:29:b0:85:96:c1:f5:ce:af:77:ba:
+         b8:36:ff:7c:62:9f:6b:57:5c:dd:34:14:17:a2:81:ce:40:b9:
+         10:c1:9e:cb:4e:67:9e:a3:7d:aa:80:d7:a7:d6:42:be:69:69:
+         d3:74:02:08:a9:32:a0:ea:22:3d:cb:c7:ee:57:f2:7f:99:6d:
+         79:9b:bb:4e:43:fa:d5:28:af:13:13:f2:c9:56:3e:ca:87:22:
+         d9:c5:30:44:27:3b:20:8c:ad:5e:29:79:1f:8d:e3:13:89:1d:
+         7b:eb:7c:3b:2e:04:51:43:68:70:dc:fc:be:aa:33:6e:b2:c4:
+         36:e1:79:33:2c:b7:b2:d5:75:f2:f0:66:51:a9:a6:de:4a:77:
+         d3:f7:bc:84:e7:ab:3c:7c:e6:33:59:86:1a:99:9b:36:24:51:
+         96:fb:c2:c0:88:2f:e6:35:6b:68:42:93:4c:09:22:23:06:7a:
+         be:16:14:a1
 -----BEGIN CERTIFICATE-----
 MIIE1DCCA7ygAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNo
 YWluSi1JQ0EzLW5vX3BhdGhsZW4xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
-bC5jb20wHhcNMjEwMjEwMTk0OTU1WhcNMjMxMTA3MTk0OTU1WjCBozELMAkGA1UE
+bC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBozELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNV
 BAMMFmNoYWluSi1JQ0EyLW5vX3BhdGhsZW4xHzAdBgkqhkiG9w0BCQEWEGluZm9A
@@ -256,26 +256,26 @@ gaQwgaExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
 DAdTZWF0dGxlMRUwEwYDVQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2lu
 ZWVyaW5nMR0wGwYDVQQDDBRjaGFpbkotSUNBNC1wYXRobGVuMjEfMB0GCSqGSIb3
 DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIBZDAMBgNVHRMEBTADAQH/MAsGA1UdDwQE
-AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAtRqoGGCgVVa8GQwLpv7BpPuw88J+T4Zi
-xT2k2p/f3lehPZ5n1IQtvRcSrZ7Ne+VDyTWQAFA2l928hoY8YxET7U/yZrPq+9Kp
-cQDRnb7IrgBEQKYI36OuHoU0Tc9hQB4evrHkCjPtMND8wSbDXMnDXQKHiEktUNJ/
-3VqsJowieWIOhKxeKoNHs0JewSqYjh1Aj06MKomXtpGLzxJbg5uBDIKAkHD8VSiL
-8MF0habfhcZp4xbYy64RlnoWuIXE1hdpE3U1tUBMMQLLhYt1ODLwgJM8dSBb2jrB
-QN0qnjbk8Y2PViCg72ed6lPssvV8Tt1BVyaWGgssVQBfEIfgQeXOUQ==
+AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAJnosPQxwAJlOe0gGX/kN8u6x0joRhkFy
+HdWiifpCC/YMf9aKk7QZJVuZF0XKlWtFPrFT8NoMgWf0fD0t3Wi9q0TRmZtjmlQU
+KOUNpKam+qQpsIWWwfXOr3e6uDb/fGKfa1dc3TQUF6KBzkC5EMGey05nnqN9qoDX
+p9ZCvmlp03QCCKkyoOoiPcvH7lfyf5lteZu7TkP61SivExPyyVY+yoci2cUwRCc7
+IIytXil5H43jE4kde+t8Oy4EUUNocNz8vqozbrLENuF5Myy3stV18vBmUamm3kp3
+0/e8hOerPHzmM1mGGpmbNiRRlvvCwIgv5jVraEKTTAkiIwZ6vhYUoQ==
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainJ-ICA4-pathlen2/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainJ-ICA4-pathlen2, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainJ-ICA3-no_pathlen/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainJ-ICA3-no_pathlen, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:d8:aa:f6:05:95:70:5a:53:c7:66:10:aa:90:79:
                     3b:cb:78:2a:ef:5f:43:22:71:7c:6d:47:99:a7:8b:
@@ -309,27 +309,27 @@ Certificate:
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         1c:4a:61:8f:95:15:dc:f1:79:27:3d:bd:fb:30:05:37:da:62:
-         e9:ed:0c:e4:18:78:87:7c:aa:a7:0e:c6:b2:ff:04:25:a7:f1:
-         29:4e:ad:7e:86:47:67:f3:a8:a9:70:28:5f:2b:ab:34:a3:21:
-         30:7b:45:d3:5b:60:5f:84:86:01:cf:36:14:1a:86:09:00:d7:
-         b6:60:69:6a:0b:fc:9c:c4:9e:46:90:74:00:61:32:23:b6:73:
-         e8:58:c9:44:e6:6e:8a:b1:e4:a1:9c:a9:a0:db:2d:71:b2:a4:
-         4c:ea:f2:b3:28:46:8f:fd:61:70:c5:92:b3:ad:42:92:d4:dd:
-         2b:11:ce:a5:02:84:6a:a8:81:2c:00:29:2d:54:63:c3:18:79:
-         c0:a9:d0:d7:c1:12:65:6e:14:98:e5:09:1a:2e:ef:0a:e3:4a:
-         9c:3f:a8:01:44:6c:f2:31:90:b3:78:91:23:e5:6f:3e:13:54:
-         59:32:c2:11:1e:a2:2d:9d:39:95:25:c3:8d:c5:d7:b0:e4:b3:
-         f8:d7:d5:8c:ad:b7:f4:2f:44:f2:05:53:33:6b:52:a0:98:e5:
-         e4:ec:fb:51:e7:fa:d6:2b:c1:e8:c8:a6:a7:5c:44:aa:e4:61:
-         a7:43:5d:5f:eb:5e:d0:d5:fd:99:01:a3:0e:39:5d:0b:b4:9b:
-         8f:e8:a8:0e
+         56:36:8b:bd:1d:e4:df:d0:a4:fd:c3:b0:e8:fc:fd:00:89:6f:
+         24:b4:eb:a9:d1:1c:0d:d9:f3:f5:02:90:f0:30:76:f7:73:b8:
+         0c:da:7e:19:9c:b9:d7:0d:f9:46:cb:e3:4c:3f:f4:f4:fe:f8:
+         81:84:a9:da:c3:a4:83:58:ff:a6:78:6a:41:8f:62:8e:25:69:
+         ee:34:20:49:4d:da:8c:94:fd:52:d2:96:95:e6:be:d3:21:f8:
+         d4:23:65:4c:33:55:b8:a7:95:99:21:e4:f6:29:c8:36:db:d8:
+         84:d0:1f:5b:92:92:87:8c:50:5d:dd:04:46:30:1e:b6:04:93:
+         ee:4a:2a:04:b6:9b:f4:5f:fd:89:66:54:fa:e9:76:b0:78:3c:
+         71:7b:d3:93:90:b1:57:f4:f3:e3:90:48:e7:de:da:30:61:f2:
+         2f:79:0b:1a:e8:17:a6:e5:58:ab:18:25:68:b1:9d:af:5a:94:
+         fd:1e:fd:df:84:56:e4:4a:01:63:b5:36:b0:c3:61:0f:18:04:
+         b9:98:ca:75:87:26:ce:9f:71:c7:e7:60:f1:9a:b5:5b:91:0a:
+         ed:e4:e6:28:6d:ea:d0:e9:4f:14:64:c9:4c:67:ae:df:8d:a2:
+         5d:42:a5:14:5d:29:d4:4b:25:3e:1b:fe:2f:7c:13:4d:e4:72:
+         57:a4:fb:fb
 -----BEGIN CERTIFICATE-----
 MIIExDCCA6ygAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNo
 YWluSi1JQ0E0LXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
-Y29tMB4XDTIxMDIxMDE5NDk1NVoXDTIzMTEwNzE5NDk1NVowgaMxCzAJBgNVBAYT
+Y29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgaMxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYD
 VQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMR8wHQYDVQQD
 DBZjaGFpbkotSUNBMy1ub19wYXRobGVuMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
@@ -345,26 +345,26 @@ gZQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
 bWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYG
 A1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZz
 c2wuY29tggFkMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEB
-CwUAA4IBAQAcSmGPlRXc8XknPb37MAU32mLp7QzkGHiHfKqnDsay/wQlp/EpTq1+
-hkdn86ipcChfK6s0oyEwe0XTW2BfhIYBzzYUGoYJANe2YGlqC/ycxJ5GkHQAYTIj
-tnPoWMlE5m6KseShnKmg2y1xsqRM6vKzKEaP/WFwxZKzrUKS1N0rEc6lAoRqqIEs
-ACktVGPDGHnAqdDXwRJlbhSY5QkaLu8K40qcP6gBRGzyMZCzeJEj5W8+E1RZMsIR
-HqItnTmVJcONxdew5LP419WMrbf0L0TyBVMza1KgmOXk7PtR5/rWK8HoyKanXESq
-5GGnQ11f617Q1f2ZAaMOOV0LtJuP6KgO
+CwUAA4IBAQBWNou9HeTf0KT9w7Do/P0AiW8ktOup0RwN2fP1ApDwMHb3c7gM2n4Z
+nLnXDflGy+NMP/T0/viBhKnaw6SDWP+meGpBj2KOJWnuNCBJTdqMlP1S0paV5r7T
+IfjUI2VMM1W4p5WZIeT2Kcg229iE0B9bkpKHjFBd3QRGMB62BJPuSioEtpv0X/2J
+ZlT66XaweDxxe9OTkLFX9PPjkEjn3towYfIveQsa6Bem5VirGCVosZ2vWpT9Hv3f
+hFbkSgFjtTaww2EPGAS5mMp1hybOn3HH52DxmrVbkQrt5OYoberQ6U8UZMlMZ67f
+jaJdQqUUXSnUSyU+G/4vfBNN5HJXpPv7
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 100 (0x64)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainJ-ICA4-pathlen2/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainJ-ICA4-pathlen2, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:9d:4a:ee:6b:ff:b6:ec:88:21:23:84:03:b6:88:
                     bb:3e:5a:1b:95:03:2f:24:53:2d:57:3f:11:38:5d:
@@ -391,34 +391,34 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE, pathlen:2
             X509v3 Key Usage: 
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         0a:09:0b:51:1a:2d:fd:0f:3f:07:9b:9e:c8:17:d9:a5:40:e6:
-         08:a5:8a:f6:38:38:c1:b2:6a:a0:80:6e:b8:0f:15:94:80:ed:
-         1b:2d:79:f0:31:f3:9c:6a:1f:f5:51:d3:9d:6a:17:c7:20:14:
-         cf:74:b5:01:ef:ce:0c:d4:c4:e5:d2:f8:6c:ef:79:64:c0:7e:
-         50:7d:88:1f:5a:7d:a4:d0:e5:0b:ec:b9:54:ac:81:91:75:2c:
-         38:de:ff:73:8d:23:14:52:ce:c8:07:cd:e5:66:8b:79:90:ee:
-         e0:4e:91:ee:dd:14:74:58:89:04:ea:d7:f6:cf:65:b6:33:d8:
-         f8:ae:1c:3d:17:fc:5a:51:28:b9:a6:6e:c4:aa:e8:43:f8:9d:
-         6b:de:dd:e9:9c:9d:b1:43:8e:f1:b7:60:9b:0a:fa:3a:0b:80:
-         a8:01:7c:b5:63:d5:c5:11:23:9a:89:2f:0f:47:26:0d:78:26:
-         c1:61:64:c3:37:93:27:af:08:f8:4e:1a:f7:92:a6:c0:2b:32:
-         78:23:fc:71:71:8d:a1:1e:ec:7e:6f:62:27:1b:04:3c:0a:78:
-         23:9a:21:b2:ef:59:67:59:bd:9d:d3:49:72:0c:0b:c2:8f:d3:
-         ca:4e:81:ab:b3:5a:00:39:4a:86:ce:1e:e3:99:a8:1a:e3:ba:
-         79:a9:aa:68
+         4b:8f:32:25:21:a6:78:3e:85:35:66:bd:36:f4:7c:cc:4e:90:
+         74:19:b0:a6:35:bb:cc:59:a8:61:06:29:65:bf:75:7f:9f:a0:
+         84:84:18:c1:9a:2f:93:3c:12:4c:ec:89:e4:e9:a3:53:0f:0a:
+         00:e1:4b:00:e4:64:b6:4a:53:59:06:e7:0f:d5:cc:af:26:34:
+         31:86:fc:3c:9e:71:b1:10:4a:c1:db:a3:52:98:33:a2:ab:a0:
+         cc:24:3e:f8:bb:21:f4:24:c5:03:17:27:d2:21:09:02:a8:4e:
+         98:b8:63:ff:50:62:b2:c8:a6:b9:bc:cf:bd:a5:91:98:da:48:
+         6d:05:f0:fe:e6:77:7e:69:81:e5:2e:cb:01:dc:ce:e5:09:b6:
+         c9:05:8e:f0:e4:d5:2e:3f:23:92:6c:47:e1:75:fd:7a:49:74:
+         b9:85:65:a1:d5:52:64:9a:42:54:a3:14:5b:69:a0:c3:66:3a:
+         ea:ce:5a:47:65:d9:08:ff:d7:79:de:67:9a:45:6b:e7:13:5a:
+         57:60:dc:d2:65:06:19:a7:57:cf:48:87:80:39:ca:46:0c:1f:
+         90:bc:e6:7f:4d:5d:f2:83:b1:08:24:34:8d:96:94:5f:64:90:
+         f4:a6:1f:46:e3:5e:1f:fd:d8:fe:4d:aa:98:e4:93:af:32:72:
+         e5:fc:fa:b3
 -----BEGIN CERTIFICATE-----
-MIIEwTCCA6mgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIEzDCCA7SgAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTU1WhcNMjMxMTA3MTk0OTU1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoMDHdvbGZTU0wg
 SW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFGNoYWluSi1JQ0E0
 LXBhdGhsZW4yMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN
@@ -428,16 +428,16 @@ Jo/8HgYX8N5Yh+8eppESOWilBfOMZ8nlmRik/JA/vabK8qbdteaTyxSJgzyIWjGr
 42YqG4fFhQNFsM7hD8EPknDXrGXqqAnB/h3bt+fdmNPGsRa0VFjBqrqhzxkUp+RV
 ptq7H57RhQDgjUrE0oYIdf3YHoUhbCePGNVEc1irlHVKNj2NTcZ6hp0A28W6vnAC
 g79u2DGJs/IWmL4n9hRa6dRyZ42p33YnvxmsIFkoWxtC2dVbbftuol7T6QIDAQAB
-o4IBDTCCAQkwHQYDVR0OBBYEFPwYE1K7M0rbHFvRgJg+QIaVWHL5MIHJBgNVHSME
-gcEwgb6AFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
+o4IBGDCCARQwHQYDVR0OBBYEFPwYE1K7M0rbHFvRgJg+QIaVWHL5MIHUBgNVHSME
+gcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
 UzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwI
 U2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xm
-c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIJAKrTP6wY
-CjdNMA8GA1UdEwQIMAYBAf8CAQIwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUA
-A4IBAQAKCQtRGi39Dz8Hm57IF9mlQOYIpYr2ODjBsmqggG64DxWUgO0bLXnwMfOc
-ah/1UdOdahfHIBTPdLUB784M1MTl0vhs73lkwH5QfYgfWn2k0OUL7LlUrIGRdSw4
-3v9zjSMUUs7IB83lZot5kO7gTpHu3RR0WIkE6tf2z2W2M9j4rhw9F/xaUSi5pm7E
-quhD+J1r3t3pnJ2xQ47xt2CbCvo6C4CoAXy1Y9XFESOaiS8PRyYNeCbBYWTDN5Mn
-rwj4Thr3kqbAKzJ4I/xxcY2hHux+b2InGwQ8CngjmiGy71lnWb2d00lyDAvCj9PK
-ToGrs1oAOUqGzh7jmaga47p5qapo
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUfZRwiLoH
+Qo2qr0++whpI8NFA5kIwDwYDVR0TBAgwBgEB/wIBAjALBgNVHQ8EBAMCAQYwDQYJ
+KoZIhvcNAQELBQADggEBAEuPMiUhpng+hTVmvTb0fMxOkHQZsKY1u8xZqGEGKWW/
+dX+foISEGMGaL5M8EkzsieTpo1MPCgDhSwDkZLZKU1kG5w/VzK8mNDGG/DyecbEQ
+SsHbo1KYM6KroMwkPvi7IfQkxQMXJ9IhCQKoTpi4Y/9QYrLIprm8z72lkZjaSG0F
+8P7md35pgeUuywHczuUJtskFjvDk1S4/I5JsR+F1/XpJdLmFZaHVUmSaQlSjFFtp
+oMNmOurOWkdl2Qj/13neZ5pFa+cTWldg3NJlBhmnV89Ih4A5ykYMH5C85n9NXfKD
+sQgkNI2WlF9kkPSmH0bjXh/92P5Nqpjkk68ycuX8+rM=
 -----END CERTIFICATE-----
diff --git a/certs/test-pathlen/chainJ-entity.pem b/certs/test-pathlen/chainJ-entity.pem
index 268139037..c516f29a3 100644
--- a/certs/test-pathlen/chainJ-entity.pem
+++ b/certs/test-pathlen/chainJ-entity.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 101 (0x65)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainJ-ICA1-no_pathlen/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainJ-ICA1-no_pathlen, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:55 2021 GMT
-            Not After : Nov  7 19:49:55 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL Inc., OU=Engineering, CN=chainJ-entity/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL Inc., OU = Engineering, CN = chainJ-entity, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:b3:fb:51:a0:ac:69:8b:35:06:bf:7a:ee:b4:a1:
                     8a:7e:ae:31:75:ad:e7:45:7b:e6:d9:bb:7c:e9:73:
@@ -42,27 +42,27 @@ Certificate:
             X509v3 Basic Constraints: 
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption
-         9c:16:1e:71:2c:cc:59:21:df:65:d5:f0:6a:07:d1:46:2a:cf:
-         10:5f:9c:e5:75:13:1b:d7:8e:a3:15:dc:85:b8:27:7b:87:d5:
-         c5:5f:29:03:92:48:0a:42:83:85:93:3c:1a:82:5b:0f:66:81:
-         09:6a:d6:9e:73:fa:4c:6e:c0:97:7d:b2:ad:14:5b:12:84:82:
-         62:19:a2:e4:07:15:48:3b:98:6c:31:f5:4a:8b:2d:88:e9:c2:
-         36:de:c2:7b:c8:62:7b:cf:67:63:97:40:0c:f0:b9:09:69:8f:
-         ce:55:b4:28:06:9d:a7:d8:1d:4b:8d:4c:57:ce:0e:0d:1b:9e:
-         85:0d:c9:48:a5:f8:f5:00:d1:77:e0:d5:91:cb:7b:68:2c:02:
-         58:aa:38:f5:09:9a:3e:01:3d:e7:b5:1e:0f:49:05:93:9f:30:
-         59:84:8b:06:e5:8a:be:93:98:29:5b:44:86:a6:d8:5e:14:d4:
-         22:79:36:b7:b0:9d:2d:c1:ec:5a:99:7f:a8:7a:f2:a1:48:42:
-         18:89:6e:22:a5:8d:fc:6e:b1:6c:62:3e:67:72:d6:f4:96:f8:
-         fb:fc:55:53:68:d8:d7:be:7e:d6:1b:75:0e:58:c8:f9:f1:d1:
-         5d:ba:e4:5e:ce:f6:a1:b7:cf:5e:d7:43:56:42:f5:58:88:9e:
-         21:de:6d:0b
+         1c:81:5f:34:60:dd:bb:0a:02:db:8c:9a:e6:a9:f0:49:5d:f4:
+         fb:22:25:12:60:b8:65:fc:d5:c2:6d:1a:06:e2:b3:a2:aa:cd:
+         e9:cb:9e:01:1f:96:2a:4b:e9:1c:c3:b2:23:b2:5a:2a:6b:2c:
+         57:d6:f0:45:d6:d8:a0:fa:2d:6f:38:92:8c:ae:19:fc:aa:ba:
+         06:b2:6c:fb:2c:81:a6:39:9b:36:92:54:a2:36:77:86:8e:dd:
+         fd:b1:88:15:d4:a2:6b:a7:bc:f4:e0:25:8c:75:e8:33:6a:bf:
+         b2:0c:6b:04:07:b2:2f:d5:c3:a5:24:48:b4:f2:76:31:df:89:
+         d7:56:ea:b9:b8:ab:d4:9e:d5:68:35:0a:70:9a:cc:9a:a1:47:
+         48:84:b9:0b:8e:f3:0f:3b:99:6a:ea:e7:00:39:ef:a2:36:55:
+         7b:bf:b8:d0:cd:a5:ce:6f:50:9a:fc:56:43:f7:64:8a:46:51:
+         f7:db:58:00:f7:5d:44:b1:7b:c0:22:ef:71:dd:8b:7c:c8:38:
+         fe:0f:22:ca:ca:d9:10:63:1e:88:b9:fa:24:ea:4f:85:72:79:
+         ce:57:d0:ec:d4:6b:ce:56:fc:b2:d1:85:79:6c:32:7c:05:77:
+         da:29:85:17:e1:56:f8:b1:ed:a0:8d:40:8d:54:7b:a1:2d:0b:
+         45:64:99:87
 -----BEGIN CERTIFICATE-----
 MIIEvDCCA6SgAwIBAgIBZTANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCVVMx
 EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTATBgNVBAoM
 DHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFmNo
 YWluSi1JQ0ExLW5vX3BhdGhsZW4xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
-bC5jb20wHhcNMjEwMjEwMTk0OTU1WhcNMjMxMTA3MTk0OTU1WjCBmjELMAkGA1UE
+bC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBmjELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFTAT
 BgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxFjAUBgNV
 BAMMDWNoYWluSi1lbnRpdHkxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
@@ -78,10 +78,10 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
 FTATBgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAd
 BgNVBAMMFmNoYWluSi1JQ0EyLW5vX3BhdGhsZW4xHzAdBgkqhkiG9w0BCQEWEGlu
 Zm9Ad29sZnNzbC5jb22CAWQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEA
-nBYecSzMWSHfZdXwagfRRirPEF+c5XUTG9eOoxXchbgne4fVxV8pA5JICkKDhZM8
-GoJbD2aBCWrWnnP6TG7Al32yrRRbEoSCYhmi5AcVSDuYbDH1SostiOnCNt7Ce8hi
-e89nY5dADPC5CWmPzlW0KAadp9gdS41MV84ODRuehQ3JSKX49QDRd+DVkct7aCwC
-WKo49QmaPgE957UeD0kFk58wWYSLBuWKvpOYKVtEhqbYXhTUInk2t7CdLcHsWpl/
-qHryoUhCGIluIqWN/G6xbGI+Z3LW9Jb4+/xVU2jY175+1ht1DljI+fHRXbrkXs72
-obfPXtdDVkL1WIieId5tCw==
+HIFfNGDduwoC24ya5qnwSV30+yIlEmC4ZfzVwm0aBuKzoqrN6cueAR+WKkvpHMOy
+I7JaKmssV9bwRdbYoPotbziSjK4Z/Kq6BrJs+yyBpjmbNpJUojZ3ho7d/bGIFdSi
+a6e89OAljHXoM2q/sgxrBAeyL9XDpSRItPJ2Md+J11bqubir1J7VaDUKcJrMmqFH
+SIS5C47zDzuZaurnADnvojZVe7+40M2lzm9QmvxWQ/dkikZR99tYAPddRLF7wCLv
+cd2LfMg4/g8iysrZEGMeiLn6JOpPhXJ5zlfQ7NRrzlb8stGFeWwyfAV32imFF+FW
++LHtoI1AjVR7oS0LRWSZhw==
 -----END CERTIFICATE-----
diff --git a/certs/test-servercert-rc2.p12 b/certs/test-servercert-rc2.p12
index c9f07ede4..4e95e2cc7 100644
Binary files a/certs/test-servercert-rc2.p12 and b/certs/test-servercert-rc2.p12 differ
diff --git a/certs/test-servercert.p12 b/certs/test-servercert.p12
index 4b481d061..596d129fa 100644
Binary files a/certs/test-servercert.p12 and b/certs/test-servercert.p12 differ
diff --git a/certs/test/cert-ext-ia.der b/certs/test/cert-ext-ia.der
index 742c68640..191cb1963 100644
Binary files a/certs/test/cert-ext-ia.der and b/certs/test/cert-ext-ia.der differ
diff --git a/certs/test/cert-ext-ia.pem b/certs/test/cert-ext-ia.pem
index aee9dcc45..63cf45c26 100644
--- a/certs/test/cert-ext-ia.pem
+++ b/certs/test/cert-ext-ia.pem
@@ -1,10 +1,10 @@
 -----BEGIN CERTIFICATE-----
-MIIEAzCCAuugAwIBAgIUSu44/nlA6ddYMKuTWT7jAAObXbwwDQYJKoZIhvcNAQEL
+MIIEAzCCAuugAwIBAgIUO61VGFGC4M0Dd5ZVshF1FC9iGG8wDQYJKoZIhvcNAQEL
 BQAwgZ8xCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYDVQQH
 DAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0VuZ2lu
 ZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIjAgBgkqhkiG9w0BCQEW
-E3N1cHBvcnRAd29sZnNzbC5jb20wHhcNMjExMDI2MTMzMzAzWhcNMjQwNzIyMTMz
-MzAzWjCBnzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQxETAPBgNV
+E3N1cHBvcnRAd29sZnNzbC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMw
+NzI1WjCBnzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQxETAPBgNV
 BAcMCEJyaXNiYW5lMRQwEgYDVQQKDAt3b2xmU1NMIEluYzEUMBIGA1UECwwLRW5n
 aW5lZXJpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEiMCAGCSqGSIb3DQEJ
 ARYTc3VwcG9ydEB3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
@@ -15,10 +15,10 @@ o0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq0KGW
 Srzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ6dgI
 vDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaM1MDMwDQYDVR02AQH/BAMCAQEw
 IgYJYIZIAYb4QgENBBUWE1Rlc3RpbmcgaW5oaWJpdCBhbnkwDQYJKoZIhvcNAQEL
-BQADggEBAEPJZmwD9Lr+f2zp4AT4Yq7C45EBvEjvYHyHqk+QzIhxVF+aT6+gsMtG
-irPW0GLjQEZtydpe9GeKvONvQRMEMovNJib/WuFiEKjRMgVGnRVNuL8Fya5RQgMy
-lHLOuufqGyw4zpm/BxItMx/ChTWCdLHS3LDxV8lheKaU4FdzgEhutHTGiVoJKbZX
-7lge6KTL8MtQ+A11dO5Eo6Yal5PoME/562AOe/0f0OZJQwW6t4XO1r+X5j7YX6dn
-MCfc8skCCpro0YM2xE1OYaBTEFXcRYJaEU7U6lvIbWu09lVlzXb1IRdyCxa5xenI
-i8/4jRVl9EDP3TBovy4o9BBhDXX4XZ8=
+BQADggEBAGaXZbEecHxFVHSQAy599GsWrWxPRTRkQ7VZGUbgW3HS9tkFhL7yEVrB
+9EzWf7fLwmq3MorAaPbvbjg1Kq0+ZP1+rPoysZHNHVaZJGDQ8tAHlQJE8ls/oLVl
+4PN8w/x3bRamHo2B5WpIBnKPW/IIa2FjNdfIKFE06oy/7X8BUS1EwPRssGg6NPIc
+e5VwtW0ZVq8Y8jHlTOObCADF/hjethq3aUjICZMerAejjhQMbJenlJqbOkhuWAyr
+gjyahxJ6xzbDf86aJGr8auN56PANHQXcn2TfzU+/1M15Q79Qul5sTA3rUZThM/qb
+Fy/BVHycpmYy8hHzzdE+D2nN9KWc304=
 -----END CERTIFICATE-----
diff --git a/certs/test/cert-ext-joi.der b/certs/test/cert-ext-joi.der
index 77c1f2407..ae47d816d 100644
Binary files a/certs/test/cert-ext-joi.der and b/certs/test/cert-ext-joi.der differ
diff --git a/certs/test/cert-ext-joi.pem b/certs/test/cert-ext-joi.pem
index 4a36256bf..44b12a090 100644
--- a/certs/test/cert-ext-joi.pem
+++ b/certs/test/cert-ext-joi.pem
@@ -1,10 +1,10 @@
 -----BEGIN CERTIFICATE-----
-MIIFXDCCBESgAwIBAgIUdtjq13Vf1QryOYup6Qniboz466gwDQYJKoZIhvcNAQEL
+MIIFXDCCBESgAwIBAgIUE+Chuc7E7cNOj9cdivYBmggX1TUwDQYJKoZIhvcNAQEL
 BQAwgccxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
 b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY
 MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdv
 bGZzc3NsLmNvbTETMBEGCysGAQQBgjc8AgEDEwJVUzEbMBkGCysGAQQBgjc8AgEC
-DApDYWxpZm9ybmlhMB4XDTIxMTAyNjEzMzMwM1oXDTI0MDcyMjEzMzMwM1owgccx
+DApDYWxpZm9ybmlhMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgccx
 CzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFu
 MREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UE
 AwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdvbGZzc3Ns
@@ -21,11 +21,11 @@ xzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVt
 YW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYD
 VQQDDA93d3cud29sZnNzbC5jb20xIDAeBgkqhkiG9w0BCQEWEWluZm9Ad29sZnNz
 c2wuY29tMRMwEQYLKwYBBAGCNzwCAQMTAlVTMRswGQYLKwYBBAGCNzwCAQIMCkNh
-bGlmb3JuaWGCFHbY6td1X9UK8jmLqekJ4m6M+OuoMAwGA1UdEwQFMAMBAf8wDQYJ
-KoZIhvcNAQELBQADggEBAKCwAqkAY84wjms5rRzLMdJSDBn3hnXyY+A1TctSMoxc
-9mgytzwEaYQnMzCpoyC4Dut1RCL7D5ws1MAfBLd3zeMdc4mpIEtqMy2n7UDEP/Kx
-6WCg6IRUTr+2ki0f+4egKrpZRdeJgZHhqn2rHP3MzxaLjWoGLbg5MDrX4xOwH+Kb
-/yhoHI4ukiWXjP9hUsg1SD6emlK9ws7QeTC8pw2w7ybzIAR6sz+Zc/edcQlpywu1
-FgqqhJ7n1zxrnda1j5Dd3qC5motPGtxigyn+pwEUHmguiwQFsZAePTdTzsdYHrNo
-y6g2C3CP8W7IdALiu8vxhMYXCs+6MCo8qkttJg/zoek=
+bGlmb3JuaWGCFBPgobnOxO3DTo/XHYr2AZoIF9U1MAwGA1UdEwQFMAMBAf8wDQYJ
+KoZIhvcNAQELBQADggEBAI0b4jz4MCrjhQtvmOo/v+asYvPUzk9oEun8DKigWDXQ
+McMUkdOFtK/nIsJy+wFwcRxUZJvAVzM8NTj83BcMekxg+ejEQktV2uVgBfQ4awMB
+uJR+WuzAEIGpZI7AMNc1mVreFEcNrFhYF5bKbSGxMvExFSd4izS2J/j5UMAgTNgg
+6dQLbOmuver3OiDLR5fLn0eWxq/KWcPo98T3B9Qe+xo43NSAdAlkDi2Z3GJJu8HU
+9eusRBsR7Af8qsHHyKu6Su25ZO2ABcrXMVTPqsGFGAooErBSP14Zs5EuaxKiAbb8
+Z5QoFLkRPyDtvxPnNIBfzwMZYufhg2CYN5rBVOzikTA=
 -----END CERTIFICATE-----
diff --git a/certs/test/cert-ext-mnc.der b/certs/test/cert-ext-mnc.der
index 796f4d4b6..29e5cbb48 100644
Binary files a/certs/test/cert-ext-mnc.der and b/certs/test/cert-ext-mnc.der differ
diff --git a/certs/test/cert-ext-multiple.der b/certs/test/cert-ext-multiple.der
index fb44e4c99..b57d126c0 100644
Binary files a/certs/test/cert-ext-multiple.der and b/certs/test/cert-ext-multiple.der differ
diff --git a/certs/test/cert-ext-multiple.pem b/certs/test/cert-ext-multiple.pem
index dfe4446bf..9409d86b2 100644
--- a/certs/test/cert-ext-multiple.pem
+++ b/certs/test/cert-ext-multiple.pem
@@ -1,10 +1,10 @@
 -----BEGIN CERTIFICATE-----
-MIIFmDCCBICgAwIBAgIUIYnKdgsnPTG1eUAZKAmpUcb9N/4wDQYJKoZIhvcNAQEL
+MIIFmDCCBICgAwIBAgIUWe7q0eCUKO84mznYS+Sz0AADsCYwDQYJKoZIhvcNAQEL
 BQAwgcIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYDVQQH
 DAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0VuZ2lu
 ZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIjAgBgkqhkiG9w0BCQEW
 E3N1cHBvcnRAd29sZnNzbC5jb20xDzANBgNVBBEMBjU2LTEzMTEQMA4GA1UECQwH
-TWFpbiBTdDAeFw0yMTEwMjYxMzMzMDNaFw0yNDA3MjIxMzMzMDNaMIHCMQswCQYD
+TWFpbiBTdDAeFw0yMTEyMjAyMzA3MjVaFw0yNDA5MTUyMzA3MjVaMIHCMQswCQYD
 VQQGEwJBVTETMBEGA1UECAwKUXVlZW5zbGFuZDERMA8GA1UEBwwIQnJpc2JhbmUx
 FDASBgNVBAoMC3dvbGZTU0wgSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEYMBYG
 A1UEAwwPd3d3LndvbGZzc2wuY29tMSIwIAYJKoZIhvcNAQkBFhNzdXBwb3J0QHdv
@@ -22,11 +22,11 @@ BwMBMB0GA1UdDgQWBBQnjmcRdMMmHT/tM2OzpNgdMOXo1TCCAQIGA1UdIwSB+jCB
 EQYDVQQIDApRdWVlbnNsYW5kMREwDwYDVQQHDAhCcmlzYmFuZTEUMBIGA1UECgwL
 d29sZlNTTCBJbmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93d3cu
 d29sZnNzbC5jb20xIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRAd29sZnNzbC5jb20x
-DzANBgNVBBEMBjU2LTEzMTEQMA4GA1UECQwHTWFpbiBTdIIUIYnKdgsnPTG1eUAZ
-KAmpUcb9N/4wDQYJKoZIhvcNAQELBQADggEBABYF8t1yWicD7C0ZktxBMPQ9yJ3I
-TBq/PdAJl18OthE33I9lyVmF65AEW4pJS8Xjss+WNs159IJLbKuT3tdiqmBA7V1H
-sV03vMnhfdBDF0+zWnsKZF0tw2Gb772P2LiN/YrBc4KktcDqJocEy8D+P4jRVNM6
-toMD7KkzBrv+FU3OjzhP8MfaiIlqsvb4u4qOqi+lLyy6jgUQzrDp99uU986SrybW
-ulnisYYRQGGZ0vyAKez8PzoKvodfTUg5lLkkqlBfITnCsI3gHcjyk+uT8F9nSDGy
-VZGdHNOS++/gbeWwPyJ97gyu65yotc3fL89iM8BrzDSTxADaS18i5afEZFI=
+DzANBgNVBBEMBjU2LTEzMTEQMA4GA1UECQwHTWFpbiBTdIIUWe7q0eCUKO84mznY
+S+Sz0AADsCYwDQYJKoZIhvcNAQELBQADggEBADqFkquUbVbQOhrUymxp9v9X1G4p
+JNcxl9q/9NTeZ62H9Shv3mt7lnK3D6HnVgqGqvtrKQ9tYwpNnG4Pp1cKorgNb1Ax
+mAEMTQyVqzqVdyA/rRSBamk8J9TtDa88bk8gtScFFz+zNQbSDBxXxEDBC0MoD8Q+
+R9LZ2jHdTK+PlhJzmFiQdIrP09w2EHwCVw2nsDMM+QVCBSF8OnH6V+GzumNnUXai
+I2rxFyXihWIXAOKIMC/xKE2jg9eI9TacC0zBHSaYbdOtgy2kg2NF7ofckk9Hw7kK
+Vw7HUO1lYuYKF8isI/jmNQeg+vVRtn+dYtKRWNwrzL0Pgo7ttUUetWwXf80=
 -----END CERTIFICATE-----
diff --git a/certs/test/cert-ext-nc.der b/certs/test/cert-ext-nc.der
index f143b7b1e..00ec9a561 100644
Binary files a/certs/test/cert-ext-nc.der and b/certs/test/cert-ext-nc.der differ
diff --git a/certs/test/cert-ext-nc.pem b/certs/test/cert-ext-nc.pem
index cded0d188..d06370536 100644
--- a/certs/test/cert-ext-nc.pem
+++ b/certs/test/cert-ext-nc.pem
@@ -1,9 +1,9 @@
 -----BEGIN CERTIFICATE-----
-MIIENTCCAx2gAwIBAgIUFtCwMsYG2mHNWoLk3+8pf7piWZowDQYJKoZIhvcNAQEL
+MIIENTCCAx2gAwIBAgIUFChPLR9H/ePNUaSQWExRci0MgQowDQYJKoZIhvcNAQEL
 BQAwezELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQxETAPBgNVBAcM
 CEJyaXNiYW5lMRQwEgYDVQQKDAt3b2xmU1NMIEluYzEUMBIGA1UECwwLRW5naW5l
-ZXJpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTAeFw0yMTEwMjYxMzMzMDNa
-Fw0yNDA3MjIxMzMzMDNaMHsxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNs
+ZXJpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTAeFw0yMTEyMjAyMzA3MjVa
+Fw0yNDA5MTUyMzA3MjVaMHsxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNs
 YW5kMREwDwYDVQQHDAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDAS
 BgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20wggEi
 MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAlQjhV0HycW230kVBJwFlxkWu
@@ -16,10 +16,10 @@ AAGjgbAwga0wHQYDVR0OBBYEFLMRMsmSmITiyfjQO24DQsofDo48MB8GA1UdIwQY
 MBaAFLMRMsmSmITiyfjQO24DQsofDo48MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYD
 VR0PAQH/BAQDAgGGMB4GA1UdHgEB/wQUMBKgEDAOgQwud29sZnNzbC5jb20wJwYJ
 YIZIAYb4QgENBBoWGFRlc3RpbmcgbmFtZSBjb25zdHJhaW50czANBgkqhkiG9w0B
-AQsFAAOCAQEAgD7lONgXq4cY/e/TP3hNok+ANPOTmwexPgQxYGr3p7lmV9veNLBD
-xJE9J6kNb3T4Fge1wuSFFamnJyT5FbOdNn6v/RsCxIOm5snTUM8bXuA5Vw/lCB7C
-hccGiOPmEhxD8K+IQqZ4a1Zp6HUHZuPrs99PRt+lWA3M5PJbzpCKzHMiFDGRpkib
-RzC466/+V76ln7AtBbOh3w1QXAiHdIA2V40d0iX+q5e+L1X8sFGDvlxeTy+KXLwV
-/7fNVLgtDfdP2XO+jwhkQJeoOmpNJDxsvwm7xhouK0L5G87QUtsaIwK9SnR07Aj5
-5LHpvNCgLQHO5nmJyJ13RlEUDfnnaGXCbA==
+AQsFAAOCAQEAs5DNaGVLk8BSwwj2fo6iH91quWLHaU8sf6s19pQR13ssQGCKRoY6
++roWyoUdu35aOzMzArcCiFMvNyZPnNdKyHyno0x0g0iAdZdYRZP4iVUtHMzTKR6f
+3qwHSr7v8m6fsWhQj2lCf+BiFImJZFzbYGFrjBPcGHqBJ0PCcN1ZQyIgMvIzyZ8w
+HKWKQ0XzIXcOTRgaF3r3qHmyq7Xt5dcOTYKACL4tVwO04wdhHvKYpEBNcgqf+5jQ
+hZ2oHME8BeGncvcn8i6OD7z3mRzE81t1SmOSq0duTCnJuscYX59iLpD5OS1eobMz
+FZGgPyHTjp0e865RDmR6D+GRLK9BA1AgZQ==
 -----END CERTIFICATE-----
diff --git a/certs/test/cert-ext-ncdns.der b/certs/test/cert-ext-ncdns.der
index 17f8007b9..5f163627c 100644
Binary files a/certs/test/cert-ext-ncdns.der and b/certs/test/cert-ext-ncdns.der differ
diff --git a/certs/test/cert-ext-ncmixed.der b/certs/test/cert-ext-ncmixed.der
index 2ad0ea079..9a85dd2be 100644
Binary files a/certs/test/cert-ext-ncmixed.der and b/certs/test/cert-ext-ncmixed.der differ
diff --git a/certs/test/cert-ext-nct.der b/certs/test/cert-ext-nct.der
index ad63f1c94..5ee66e27f 100644
Binary files a/certs/test/cert-ext-nct.der and b/certs/test/cert-ext-nct.der differ
diff --git a/certs/test/cert-ext-nct.pem b/certs/test/cert-ext-nct.pem
index 8337eb604..7909b4f75 100644
--- a/certs/test/cert-ext-nct.pem
+++ b/certs/test/cert-ext-nct.pem
@@ -1,10 +1,10 @@
 -----BEGIN CERTIFICATE-----
-MIIEGDCCAwCgAwIBAgIUN9zd5Z6FAMRqEkWPoS4D42402XowDQYJKoZIhvcNAQEL
+MIIEGDCCAwCgAwIBAgIUDXdhZxley+Xfrkvgvui3bJwnGVwwDQYJKoZIhvcNAQEL
 BQAwgZ8xCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYDVQQH
 DAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0VuZ2lu
 ZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIjAgBgkqhkiG9w0BCQEW
-E3N1cHBvcnRAd29sZnNzbC5jb20wHhcNMjExMDI2MTMzMzAzWhcNMjQwNzIyMTMz
-MzAzWjCBnzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQxETAPBgNV
+E3N1cHBvcnRAd29sZnNzbC5jb20wHhcNMjExMjIwMjMwNzI1WhcNMjQwOTE1MjMw
+NzI1WjCBnzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQxETAPBgNV
 BAcMCEJyaXNiYW5lMRQwEgYDVQQKDAt3b2xmU1NMIEluYzEUMBIGA1UECwwLRW5n
 aW5lZXJpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEiMCAGCSqGSIb3DQEJ
 ARYTc3VwcG9ydEB3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
@@ -15,10 +15,10 @@ o0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq0KGW
 Srzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ6dgI
 vDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaNKMEgwFAYJYIZIAYb4QgEBAQH/
 BAQDAgZAMDAGCWCGSAGG+EIBDQQjFiFUZXN0aW5nIE5ldHNjYXBlIENlcnRpZmlj
-YXRlIFR5cGUwDQYJKoZIhvcNAQELBQADggEBADvSHYLUd9cwFnqktCMOVggvPEvi
-QwiCn0Pfw5niwidHbdHeVqfcoA8hYYoLNFwSwiRpnlxoA6KBPkzmkat5s9ea4ATR
-gTMdhicrTpldWldJtrm0ReR8vtxlEg8Ts8ZJrKOoyJ5MP5qPbZj+a0vyS2Qb8rnL
-obou6pz2qbMhBrOYVP6gWnhZRHJmLplPNo/WEZMBXDgL62dca6oUiXWBpAO8j2PI
-VShex+u2l6DNy/KvDlaUYvW88A5FwI1ThuoeRU76Y8QhB6zaC0wQttVVguzOcf3G
-3c9jNLtz1Ydp3sLDmSJfHnI7dO4rRWd8go98GsGLt8O2ZhWZ1D8dkzRZfv0=
+YXRlIFR5cGUwDQYJKoZIhvcNAQELBQADggEBABmJ+RBwwL+qfvcWI1OQZtPbX24W
+0hETHshfHeJjQMC68Ur3ESM6FVRj54k16eOyAb3lBtaMpHI4d3hAYlEKsf8so5q2
+w77cye6y5VmYpTTfjfI/tNGqmQ4ufwfm5AzfqkkAl6nN15/eV2ymQ/iT+2a1iIO4
+BAHqFqhDbZ3DqsJVrpAU7AR6eBl1sDBneAQ7Bgzk8j1KM0Vq1yMtmBZKHMQadD8z
+Hk1MMkHHO5BywEqttL6Fd51CJRW1XgeJVzQdiOeRH9HK1DKqw8FvAwD8OfSC8rlK
+RW5+p5TWKDTIbYP4QOYuBthHKPBrVQjGkGmnXW8R27lmlmI7UuN7d6eTiM4=
 -----END CERTIFICATE-----
diff --git a/certs/test/cert-ext-ndir-exc.der b/certs/test/cert-ext-ndir-exc.der
index 17fb2427f..38f60b256 100644
Binary files a/certs/test/cert-ext-ndir-exc.der and b/certs/test/cert-ext-ndir-exc.der differ
diff --git a/certs/test/cert-ext-ndir-exc.pem b/certs/test/cert-ext-ndir-exc.pem
index 69dd39566..eda286592 100644
--- a/certs/test/cert-ext-ndir-exc.pem
+++ b/certs/test/cert-ext-ndir-exc.pem
@@ -1,9 +1,9 @@
 -----BEGIN CERTIFICATE-----
-MIIE/TCCA+WgAwIBAgIUNPy5nImvNHMmLnekTFdBX87LWIcwDQYJKoZIhvcNAQEL
+MIIE/TCCA+WgAwIBAgIUM9awMAspUpiIVdq72fCHAfLMJGcwDQYJKoZIhvcNAQEL
 BQAwgZUxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
 b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY
 MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdv
-bGZzc3NsLmNvbTAeFw0yMTEwMjYxMzMzMDNaFw0yNDA3MjIxMzMzMDNaMIGVMQsw
+bGZzc3NsLmNvbTAeFw0yMTEyMjAyMzA3MjVaFw0yNDA5MTUyMzA3MjVaMIGVMQsw
 CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjER
 MA8GA1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMM
 D3d3dy53b2xmc3NsLmNvbTEgMB4GCSqGSIb3DQEJARYRaW5mb0B3b2xmc3NzbC5j
@@ -18,12 +18,12 @@ gdUGA1UdIwSBzTCByoAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZukgZgwgZUxCzAJ
 BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREw
 DwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwP
 d3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdvbGZzc3NsLmNv
-bYIUNPy5nImvNHMmLnekTFdBX87LWIcwDAYDVR0TBAUwAwEB/zA2BgNVHR4BAf8E
+bYIUM9awMAspUpiIVdq72fCHAfLMJGcwDAYDVR0TBAUwAwEB/zA2BgNVHR4BAf8E
 LDAqoSgwJqQkMCIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMA0G
-CSqGSIb3DQEBCwUAA4IBAQCOsVInwF8jwAT/YzOZppX9UfOVKxRkJSaXWLKyskDY
-NKsq2nY1bxn4QwZL7G/Blq0dBCpaW7wkpTrkeSOrYCtl+nkdNA+I40ek9W+M889L
-WoDTh5gbm1pN4w/Y9Sn5eJG0jzg7eUgQ8dCbAqoEP/6R33TccMJIxG3eT9VeZSag
-bra51uVAfZuU5ec1EHomC2QdFAW6ekf7Bk7mejkhkA4EtM0784Srjk7azYR3kc0n
-ow2o9qwtA6lQnGmrZO0AArXosFW/MuZzBEIJxRCkATF/ZxMpAVvYb9h26GguiDu2
-B+LV1qS/UnQfqE78jojSA5JZ/wIHiDHwBiTaBTBx5Ub4
+CSqGSIb3DQEBCwUAA4IBAQCbVBEy5LE93aKVrKDFikU+BeGc2sTBTB4K51PmN034
+4nIB6Y4D/+e076Jeoso6HNCIFtSCq139IKPsMSg1DxR1H1pPIW4DGU6ksI/XPEqI
+uwKJWHcFrLftzWEhW7r1MehxWlUEoET7W2Zt3LOdAhG8GGSAiUOpnBRpnDrklNTf
+eEgnyNyPPc7wDQSmQx9nGabx7sEf/UlOAovVi0+IWCs3Yd0dOceZE0kyBhISiwrt
+hUPNfTA+wQisRALpXMmGhdDwN8hGGUNRHyQx2fZiYLOOiOaQNbx+hDtanzxXCus7
++kYwvOCihtkvEKQdXg0ZxzMSbIdFSatItRZ8+/3Bwv/P
 -----END CERTIFICATE-----
diff --git a/certs/test/cert-ext-ndir.der b/certs/test/cert-ext-ndir.der
index 78fc774cb..e0d64e1d3 100644
Binary files a/certs/test/cert-ext-ndir.der and b/certs/test/cert-ext-ndir.der differ
diff --git a/certs/test/cert-ext-ndir.pem b/certs/test/cert-ext-ndir.pem
index c5a545194..acd8732ee 100644
--- a/certs/test/cert-ext-ndir.pem
+++ b/certs/test/cert-ext-ndir.pem
@@ -1,9 +1,9 @@
 -----BEGIN CERTIFICATE-----
-MIIE6DCCA9CgAwIBAgIUUjnwSvtRITn8DePk5BV3FpOSt/EwDQYJKoZIhvcNAQEL
+MIIE6DCCA9CgAwIBAgIUHPcNvQQcn4x0wu1vUeSMnNXZGCEwDQYJKoZIhvcNAQEL
 BQAwgZUxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
 b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY
 MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdv
-bGZzc3NsLmNvbTAeFw0yMTEwMjYxMzMzMDNaFw0yNDA3MjIxMzMzMDNaMIGVMQsw
+bGZzc3NsLmNvbTAeFw0yMTEyMjAyMzA3MjVaFw0yNDA5MTUyMzA3MjVaMIGVMQsw
 CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjER
 MA8GA1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMM
 D3d3dy53b2xmc3NsLmNvbTEgMB4GCSqGSIb3DQEJARYRaW5mb0B3b2xmc3NzbC5j
@@ -18,12 +18,12 @@ gdUGA1UdIwSBzTCByoAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZukgZgwgZUxCzAJ
 BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREw
 DwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwP
 d3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdvbGZzc3NsLmNv
-bYIUUjnwSvtRITn8DePk5BV3FpOSt/EwDAYDVR0TBAUwAwEB/zAhBgNVHR4BAf8E
-FzAVoBMwEaQPMA0xCzAJBgNVBAYTAlVTMA0GCSqGSIb3DQEBCwUAA4IBAQCftSer
-x/DD+8l32zkBpvuVQtRcEpQ6w7Cl1PD8TaiXe0W9eqKeBmxOgJ+a0kyKIcYSJU5R
-K8enk17q1FFiqdgU0lEo3tdOdvfxFyLTbdCVz/Q0KRhhELU+9ZQRl0NOj3NSRR+/
-QI0tHo9UvsojdlRUW2LTaVdHAz8yBp5dC73KM/7Y3bS4q8MDjVvXD+TiJdfbcbQo
-1eBm5eEsmoYQoOqQAt8n9bmEAe6syFi/sBJU5PqBWuNlBVLlySxEzCA8vPXyvL95
-3eStUcicaHWFA3dljObenJ8m9UWLlZTf+XPA9BrUwXHSG3945Rb8/gAdPUgsIT67
-UQJbTMyGRwalE97X
+bYIUHPcNvQQcn4x0wu1vUeSMnNXZGCEwDAYDVR0TBAUwAwEB/zAhBgNVHR4BAf8E
+FzAVoBMwEaQPMA0xCzAJBgNVBAYTAlVTMA0GCSqGSIb3DQEBCwUAA4IBAQAy60gs
+xDDJmRelfBX6PkdrwrUs7rZilqrem/NZaddLPSSoPdcl9SZP2rtmULN9e272Ygn/
+zUhfM8S4zrb+IjFSRmLMsGIkOlGmtvhbRFUgicmhTN99f6zk7F5WpVS7GfQVVLOo
+EdH8Tf0Tal76p25ixMVwwHBPCwsEeZ4kKu2uchYgUUOcSoBisdKFKdGQef5txmt5
+QjEVC847CgJQh98armMpl2mTfk/Gvmk/UanFyI7wn1nnrt7TqFP848pirAXiUdSy
+4oOwQR5UrRRbLC7dS9HYCqXS5Q3ls9IB45saMVzhDDNlgyGN4hUgdN5aZhtPVzUk
+IR6c648yYQsJFEvx
 -----END CERTIFICATE-----
diff --git a/certs/test/digsigku.pem b/certs/test/digsigku.pem
index 5de4e8271..3becd8d89 100644
--- a/certs/test/digsigku.pem
+++ b/certs/test/digsigku.pem
@@ -1,17 +1,18 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 16393466893990650224 (0xe3814b48a5706170)
-    Signature Algorithm: ecdsa-with-SHA1
-        Issuer: C=US, ST=Washington, L=Seattle, O=Foofarah, OU=Arglebargle, CN=foobarbaz/emailAddress=info@worlss.com
+        Serial Number:
+            e3:81:4b:48:a5:70:61:70
+        Signature Algorithm: ecdsa-with-SHA1
+        Issuer: C = US, ST = Washington, L = Seattle, O = Foofarah, OU = Arglebargle, CN = foobarbaz, emailAddress = info@worlss.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=Foofarah, OU=Arglebargle, CN=foobarbaz/emailAddress=info@worlss.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = Foofarah, OU = Arglebargle, CN = foobarbaz, emailAddress = info@worlss.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
-                pub: 
+                pub:
                     04:bb:33:ac:4c:27:50:4a:c6:4a:a5:04:c3:3c:de:
                     9f:36:db:72:2d:ce:94:ea:2b:fa:cb:20:09:39:2c:
                     16:e8:61:02:e9:af:4d:d3:02:93:9a:31:5b:97:92:
@@ -32,16 +33,16 @@ Certificate:
             X509v3 Key Usage: critical
                 Non Repudiation, Key Encipherment
     Signature Algorithm: ecdsa-with-SHA1
-         30:45:02:20:1e:4a:b5:ea:29:e5:e2:da:d7:89:26:58:c4:43:
-         23:da:9d:bc:a9:7c:2d:28:db:e6:a0:41:63:a0:c3:3a:bf:65:
-         02:21:00:db:c0:7d:8f:e5:cc:0b:2b:08:57:c4:ba:dc:86:8c:
-         e6:da:ba:2e:b2:fa:7e:0c:b0:26:b8:c6:a4:94:12:93:2a
+         30:44:02:20:1a:aa:25:f0:ec:0d:82:58:6d:5f:fb:ad:5c:5b:
+         76:a7:03:94:6a:0a:29:b7:56:ed:32:fd:9e:21:e0:09:f5:08:
+         02:20:6e:0e:f3:d5:84:70:d4:89:64:e1:cc:87:1a:c1:e4:b5:
+         c3:96:fb:c6:a4:23:36:08:8d:47:48:cf:d3:fe:6b:c3
 -----BEGIN CERTIFICATE-----
-MIIDKDCCAs+gAwIBAgIJAOOBS0ilcGFwMAkGByqGSM49BAEwgZExCzAJBgNVBAYT
+MIIDJzCCAs+gAwIBAgIJAOOBS0ilcGFwMAkGByqGSM49BAEwgZExCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMREwDwYD
 VQQKDAhGb29mYXJhaDEUMBIGA1UECwwLQXJnbGViYXJnbGUxEjAQBgNVBAMMCWZv
-b2JhcmJhejEeMBwGCSqGSIb3DQEJARYPaW5mb0B3b3Jsc3MuY29tMB4XDTIxMDIx
-MDE5NDk1M1oXDTIzMTEwNzE5NDk1M1owgZExCzAJBgNVBAYTAlVTMRMwEQYDVQQI
+b2JhcmJhejEeMBwGCSqGSIb3DQEJARYPaW5mb0B3b3Jsc3MuY29tMB4XDTIxMTIy
+MDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgZExCzAJBgNVBAYTAlVTMRMwEQYDVQQI
 DApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMREwDwYDVQQKDAhGb29mYXJh
 aDEUMBIGA1UECwwLQXJnbGViYXJnbGUxEjAQBgNVBAMMCWZvb2JhcmJhejEeMBwG
 CSqGSIb3DQEJARYPaW5mb0B3b3Jsc3MuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0D
@@ -52,6 +53,6 @@ MKGBl6SBlDCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAO
 BgNVBAcMB1NlYXR0bGUxETAPBgNVBAoMCEZvb2ZhcmFoMRQwEgYDVQQLDAtBcmds
 ZWJhcmdsZTESMBAGA1UEAwwJZm9vYmFyYmF6MR4wHAYJKoZIhvcNAQkBFg9pbmZv
 QHdvcmxzcy5jb22CCQDjgUtIpXBhcDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
-/wQEAwIFYDAJBgcqhkjOPQQBA0gAMEUCIB5Kteop5eLa14kmWMRDI9qdvKl8LSjb
-5qBBY6DDOr9lAiEA28B9j+XMCysIV8S63IaM5tq6LrL6fgywJrjGpJQSkyo=
+/wQEAwIFYDAJBgcqhkjOPQQBA0cAMEQCIBqqJfDsDYJYbV/7rVxbdqcDlGoKKbdW
+7TL9niHgCfUIAiBuDvPVhHDUiWThzIcaweS1w5b7xqQjNgiNR0jP0/5rww==
 -----END CERTIFICATE-----
diff --git a/certs/test/gen-ext-certs.sh b/certs/test/gen-ext-certs.sh
index cbaa010aa..badb1b4d3 100755
--- a/certs/test/gen-ext-certs.sh
+++ b/certs/test/gen-ext-certs.sh
@@ -76,6 +76,8 @@ nsComment       = "Testing name constraints"
 
 EOF
 gen_cert
+rm -f ./certs/test/cert-ext-mnc.cfg
+rm -f ./certs/test/cert-ext-mnc.pem
 
 
 OUT=certs/test/cert-ext-ncdns
@@ -105,6 +107,8 @@ nsComment       = "Testing name constraints"
 
 EOF
 gen_cert
+rm -f ./certs/test/cert-ext-ncdns.cfg
+rm -f ./certs/test/cert-ext-ncdns.pem
 
 OUT=certs/test/cert-ext-ncmixed
 KEYFILE=certs/test/cert-ext-ncmixed-key.der
@@ -133,6 +137,8 @@ nsComment       = "Testing name constraints"
 
 EOF
 gen_cert
+rm -f ./certs/test/cert-ext-ncmixed.cfg
+rm -f ./certs/test/cert-ext-ncmixed.pem
 
 OUT=certs/test/cert-ext-ia
 KEYFILE=certs/test/cert-ext-ia-key.der
diff --git a/certs/test/ktri-keyid-cms.msg b/certs/test/ktri-keyid-cms.msg
index 6418c523e..49b6e0a9f 100644
Binary files a/certs/test/ktri-keyid-cms.msg and b/certs/test/ktri-keyid-cms.msg differ
diff --git a/certs/test/server-badaltname.der b/certs/test/server-badaltname.der
index 4a1fef0a6..d76e09c16 100644
Binary files a/certs/test/server-badaltname.der and b/certs/test/server-badaltname.der differ
diff --git a/certs/test/server-badaltname.pem b/certs/test/server-badaltname.pem
index 9122ccb17..c1d3130be 100644
--- a/certs/test/server-badaltname.pem
+++ b/certs/test/server-badaltname.pem
@@ -2,12 +2,12 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            6d:8b:3a:c3:b7:18:15:6d:43:02:95:5f:94:12:5d:7d:d1:35:ac:74
+            34:02:dc:97:39:1b:12:0e:0a:de:be:7f:43:a3:28:73:8c:ab:e5:ca
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = www.nomatch.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Jun 15 22:02:33 2021 GMT
-            Not After : Mar 11 22:02:33 2024 GMT
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = www.nomatch.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -36,27 +36,27 @@ Certificate:
             X509v3 Subject Alternative Name: 
                 DNS:www.nomatch.com
     Signature Algorithm: sha256WithRSAEncryption
-         4f:8b:ef:6c:a6:c6:2c:af:b4:a7:c9:ed:4c:e1:8c:d0:83:40:
-         b1:ee:72:ba:f7:92:bb:4f:b6:e6:a3:3e:99:8c:af:8c:12:15:
-         c0:51:4c:46:a8:96:2a:72:a1:35:60:4f:e2:e2:e1:69:e2:f3:
-         c7:c7:b1:bb:01:54:3c:a8:5d:ac:76:1a:40:4e:8d:2a:68:6d:
-         58:70:ce:61:87:f5:3d:e6:21:03:85:8b:82:e5:6a:a1:c3:75:
-         06:7d:16:b0:38:71:de:5c:1e:b9:23:0b:09:8e:7a:d7:43:bf:
-         76:57:05:01:54:e2:b0:87:82:05:16:9b:ac:4c:98:ef:4f:76:
-         3a:e2:9d:b6:54:a4:f3:e8:f9:1f:11:65:2a:9d:65:a3:f6:80:
-         48:d0:f1:11:f3:86:a9:ce:8c:f9:33:19:ba:12:d7:7f:2d:48:
-         97:c5:12:c7:7f:fb:9a:41:41:05:84:7a:ec:4b:ca:fb:da:0e:
-         2d:7f:6b:3b:4b:22:0c:4d:92:7b:8a:3e:2b:99:7b:81:6c:2d:
-         2b:b2:68:36:99:1d:96:54:4d:86:79:80:df:3f:1e:c1:18:e2:
-         fd:ed:ab:b3:e9:27:32:f6:d1:64:b5:a6:34:ab:20:99:d0:10:
-         2b:4b:54:e5:c0:dd:ad:ac:5c:31:44:c5:e9:d2:c9:b8:4d:aa:
-         f0:7f:c3:e2
+         4f:ba:8e:61:30:f7:ae:20:b6:b8:ab:74:99:3b:89:e0:17:8f:
+         f4:8d:d3:81:92:4b:b5:fd:6c:aa:6e:77:bb:51:67:f2:e1:69:
+         08:b5:3f:79:63:2b:5c:85:09:2f:fe:23:36:29:3a:cd:2f:3a:
+         0e:d5:ff:23:6d:69:ec:f6:f4:49:2a:1a:ef:0a:5d:76:50:4b:
+         9c:04:b2:70:70:42:ae:eb:fc:ea:42:c8:df:5d:c9:7c:43:4f:
+         e7:4c:0c:90:3b:35:2f:3c:1c:cc:d0:4d:67:f6:47:db:c1:ec:
+         ca:07:29:dd:91:2c:0e:9c:4e:44:4b:13:5d:93:35:6a:02:43:
+         82:80:d9:59:dc:5c:5a:b1:63:11:62:d0:fa:55:85:ac:09:30:
+         f7:02:db:e2:01:b5:f1:30:f4:f5:b2:49:f2:40:cb:52:c0:24:
+         a3:19:72:c9:ac:d9:53:ef:12:77:0b:dc:d1:6e:1f:4d:0b:53:
+         6b:f9:9e:8e:21:55:d2:6e:f5:34:f2:03:6a:7b:0a:d0:df:b3:
+         ca:a8:8e:34:79:50:4e:f6:e2:e1:f0:4f:5a:e8:a6:e0:27:81:
+         e3:04:55:f3:ac:72:d5:7f:6f:da:51:cc:3b:30:5c:e6:a5:2f:
+         a4:88:f4:65:dc:56:d2:f1:37:32:84:5d:97:5c:24:40:9e:b5:
+         72:63:2c:b4
 -----BEGIN CERTIFICATE-----
-MIIDsjCCApqgAwIBAgIUbYs6w7cYFW1DApVflBJdfdE1rHQwDQYJKoZIhvcNAQEL
+MIIDsjCCApqgAwIBAgIUNALclzkbEg4K3r5/Q6Moc4yr5cowDQYJKoZIhvcNAQEL
 BQAwgYIxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
 b3plbWFuMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEYMBYGA1UEAwwPd3d3Lm5vbWF0
-Y2guY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMDYx
-NTIyMDIzM1oXDTI0MDMxMTIyMDIzM1owgYIxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
+Y2guY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMTIy
+MDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgYIxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
 DAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYDVQQLDAtFbmdpbmVlcmlu
 ZzEYMBYGA1UEAwwPd3d3Lm5vbWF0Y2guY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZv
 QHdvbGZzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwJUI
@@ -66,10 +66,10 @@ Q7ilHFw0s64AoGPF9n8LWWh4c6aMGKkCba/DGQEuuBDjxsxAtGmjRjNph27Euxem
 8+jdrXO8ey8htf1mUQy9VLPhbV8cvCNz0QkDiRTSELlkwyrQoZZKvOHUGlvHoMDB
 Y3gPRDcwMpaAMiOVoXe6E9KXc+JdJclqDcM5YKS0sGlCQgnp2Ai8MyCzWCKnquvE
 4eZhg8XSlt/Z0E+t1wIDAQABox4wHDAaBgNVHREEEzARgg93d3cubm9tYXRjaC5j
-b20wDQYJKoZIhvcNAQELBQADggEBAE+L72ymxiyvtKfJ7UzhjNCDQLHucrr3krtP
-tuajPpmMr4wSFcBRTEaolipyoTVgT+Li4Wni88fHsbsBVDyoXax2GkBOjSpobVhw
-zmGH9T3mIQOFi4LlaqHDdQZ9FrA4cd5cHrkjCwmOetdDv3ZXBQFU4rCHggUWm6xM
-mO9PdjrinbZUpPPo+R8RZSqdZaP2gEjQ8RHzhqnOjPkzGboS138tSJfFEsd/+5pB
-QQWEeuxLyvvaDi1/aztLIgxNknuKPiuZe4FsLSuyaDaZHZZUTYZ5gN8/HsEY4v3t
-q7PpJzL20WS1pjSrIJnQECtLVOXA3a2sXDFExenSybhNqvB/w+I=
+b20wDQYJKoZIhvcNAQELBQADggEBAE+6jmEw964gtrirdJk7ieAXj/SN04GSS7X9
+bKpud7tRZ/LhaQi1P3ljK1yFCS/+IzYpOs0vOg7V/yNtaez29EkqGu8KXXZQS5wE
+snBwQq7r/OpCyN9dyXxDT+dMDJA7NS88HMzQTWf2R9vB7MoHKd2RLA6cTkRLE12T
+NWoCQ4KA2VncXFqxYxFi0PpVhawJMPcC2+IBtfEw9PWySfJAy1LAJKMZcsms2VPv
+EncL3NFuH00LU2v5no4hVdJu9TTyA2p7CtDfs8qojjR5UE724uHwT1ropuAngeME
+VfOsctV/b9pRzDswXOalL6SI9GXcVtLxNzKEXZdcJECetXJjLLQ=
 -----END CERTIFICATE-----
diff --git a/certs/test/server-badaltnull.der b/certs/test/server-badaltnull.der
index 10e6385bf..6faf30867 100644
Binary files a/certs/test/server-badaltnull.der and b/certs/test/server-badaltnull.der differ
diff --git a/certs/test/server-badaltnull.pem b/certs/test/server-badaltnull.pem
index 4ef1fd994..052a83be7 100644
--- a/certs/test/server-badaltnull.pem
+++ b/certs/test/server-badaltnull.pem
@@ -2,12 +2,12 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            63:8b:eb:7c:a5:8c:1a:1f:c0:4d:d2:f3:36:90:e1:89:6b:d8:95:a0
+            7d:7e:04:a2:9a:54:cf:b4:eb:a5:c2:da:a1:23:f2:2a:3a:f2:cb:12
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = www.nomatch.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Jun 15 22:02:33 2021 GMT
-            Not After : Mar 11 22:02:33 2024 GMT
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = www.nomatch.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -36,27 +36,27 @@ Certificate:
             X509v3 Subject Alternative Name: 
                 DNS:DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68
     Signature Algorithm: sha256WithRSAEncryption
-         80:b1:67:53:d5:5d:8d:f0:a1:2a:31:ce:ff:9c:16:01:93:f9:
-         10:37:8c:bf:e1:26:b7:13:20:d4:19:df:c5:b8:cd:2d:e3:36:
-         37:d3:9e:14:f8:16:35:eb:f3:85:ba:5a:65:3b:ec:19:c8:50:
-         51:3a:ff:d8:52:ab:6f:49:6d:12:af:81:45:c1:39:1a:24:67:
-         84:04:d4:6e:02:21:6b:10:28:e4:40:85:5b:dd:58:99:4e:d1:
-         e9:11:c9:d2:18:c2:4e:7c:e2:14:f8:cf:b4:7a:e0:7f:f6:e3:
-         af:d0:8a:de:e0:d4:da:65:35:92:72:17:e4:cc:18:61:8d:fd:
-         ef:9c:58:fc:1a:44:10:1b:29:50:82:f8:26:c4:ee:ab:8a:d8:
-         a8:bc:67:9e:99:83:37:cb:f0:dc:25:b0:ba:0d:c8:b4:32:d8:
-         95:dd:92:76:31:e2:20:0b:65:c0:a7:f2:17:11:3d:db:78:f3:
-         21:ea:68:8c:4e:97:2f:5b:b0:d4:e9:48:4a:5d:49:25:bc:20:
-         ee:a5:29:f4:29:97:8d:de:56:74:78:28:b5:e3:e3:66:95:aa:
-         41:b8:c0:44:88:e3:33:df:32:92:fd:04:a5:da:60:4f:c0:2f:
-         44:e8:bd:35:ce:72:d0:77:28:7b:1c:03:5c:03:ad:d8:52:6b:
-         d5:a0:ea:34
+         09:42:2d:4f:4f:37:f8:c9:15:e0:99:bf:46:ad:6a:86:5c:30:
+         4d:4e:40:13:3b:23:89:d9:56:0a:34:88:ba:c8:87:d9:04:81:
+         7a:f7:d8:59:6c:c7:fa:e5:48:52:6d:4d:f0:4a:e6:77:ac:44:
+         1c:82:12:ad:2b:ca:68:27:85:f8:07:34:85:02:28:91:97:45:
+         a0:ec:e9:ba:4a:35:1e:c6:c7:45:8c:00:d8:d5:80:89:ce:f4:
+         2d:4f:68:1a:10:dc:8b:5a:a3:5f:73:17:c3:44:1b:74:d2:a2:
+         ef:bb:1f:65:f9:56:50:ac:1e:44:1d:26:55:b9:ef:3c:e3:c6:
+         63:16:15:14:8f:7c:48:39:c6:d5:d3:41:48:90:7a:34:31:7f:
+         cd:6b:db:20:a6:72:1d:bd:46:da:b7:29:f5:cd:4f:77:67:85:
+         01:c2:2c:40:1e:e6:59:4c:a9:f3:1c:79:72:15:6f:12:4b:95:
+         c0:2d:5e:df:91:6c:5c:cb:76:86:04:b8:65:74:40:dd:af:1c:
+         49:b1:57:c5:31:f5:d3:7e:36:ea:bb:a4:fb:2c:08:ab:fe:fc:
+         0e:fb:d0:89:3c:6d:4b:01:60:e1:f3:47:9d:f2:49:6c:e2:61:
+         a0:ec:73:81:38:ef:48:86:6e:e9:ac:bf:4e:cb:7a:f7:f4:a4:
+         54:0c:24:8a
 -----BEGIN CERTIFICATE-----
-MIID0zCCArugAwIBAgIUY4vrfKWMGh/ATdLzNpDhiWvYlaAwDQYJKoZIhvcNAQEL
+MIID0zCCArugAwIBAgIUfX4EoppUz7TrpcLaoSPyKjryyxIwDQYJKoZIhvcNAQEL
 BQAwgYIxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
 b3plbWFuMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEYMBYGA1UEAwwPd3d3Lm5vbWF0
-Y2guY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMDYx
-NTIyMDIzM1oXDTI0MDMxMTIyMDIzM1owgYIxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
+Y2guY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMTIy
+MDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgYIxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
 DAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYDVQQLDAtFbmdpbmVlcmlu
 ZzEYMBYGA1UEAwwPd3d3Lm5vbWF0Y2guY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZv
 QHdvbGZzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwJUI
@@ -67,10 +67,10 @@ Q7ilHFw0s64AoGPF9n8LWWh4c6aMGKkCba/DGQEuuBDjxsxAtGmjRjNph27Euxem
 Y3gPRDcwMpaAMiOVoXe6E9KXc+JdJclqDcM5YKS0sGlCQgnp2Ai8MyCzWCKnquvE
 4eZhg8XSlt/Z0E+t1wIDAQABoz8wPTA7BgNVHREENDAygjBERVI6MzA6MGQ6ODI6
 MGI6NmM6NmY6NjM6NjE6NmM6Njg6NmY6NzM6NzQ6MDA6NjgwDQYJKoZIhvcNAQEL
-BQADggEBAICxZ1PVXY3woSoxzv+cFgGT+RA3jL/hJrcTINQZ38W4zS3jNjfTnhT4
-FjXr84W6WmU77BnIUFE6/9hSq29JbRKvgUXBORokZ4QE1G4CIWsQKORAhVvdWJlO
-0ekRydIYwk584hT4z7R64H/246/Qit7g1NplNZJyF+TMGGGN/e+cWPwaRBAbKVCC
-+CbE7quK2Ki8Z56ZgzfL8NwlsLoNyLQy2JXdknYx4iALZcCn8hcRPdt48yHqaIxO
-ly9bsNTpSEpdSSW8IO6lKfQpl43eVnR4KLXj42aVqkG4wESI4zPfMpL9BKXaYE/A
-L0TovTXOctB3KHscA1wDrdhSa9Wg6jQ=
+BQADggEBAAlCLU9PN/jJFeCZv0ataoZcME1OQBM7I4nZVgo0iLrIh9kEgXr32Fls
+x/rlSFJtTfBK5nesRByCEq0rymgnhfgHNIUCKJGXRaDs6bpKNR7Gx0WMANjVgInO
+9C1PaBoQ3Itao19zF8NEG3TSou+7H2X5VlCsHkQdJlW57zzjxmMWFRSPfEg5xtXT
+QUiQejQxf81r2yCmch29Rtq3KfXNT3dnhQHCLEAe5llMqfMceXIVbxJLlcAtXt+R
+bFzLdoYEuGV0QN2vHEmxV8Ux9dN+Nuq7pPssCKv+/A770Ik8bUsBYOHzR53ySWzi
+YaDsc4E470iGbumsv07Levf0pFQMJIo=
 -----END CERTIFICATE-----
diff --git a/certs/test/server-badcn.der b/certs/test/server-badcn.der
index 8cab7cefb..0d467e8cc 100644
Binary files a/certs/test/server-badcn.der and b/certs/test/server-badcn.der differ
diff --git a/certs/test/server-badcn.pem b/certs/test/server-badcn.pem
index 9aeb3846e..65691f911 100644
--- a/certs/test/server-badcn.pem
+++ b/certs/test/server-badcn.pem
@@ -2,12 +2,12 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            0b:8f:fc:fa:c7:70:2a:92:f9:ba:32:4e:79:14:00:72:d9:ec:7d:b6
+            5b:0c:b9:6c:9b:24:9a:bc:9c:80:ca:7b:22:8c:2e:d4:7a:31:46:ae
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = www.nomatch.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Jun 15 22:02:33 2021 GMT
-            Not After : Mar 11 22:02:33 2024 GMT
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = www.nomatch.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -33,27 +33,27 @@ Certificate:
                     ad:d7
                 Exponent: 65537 (0x10001)
     Signature Algorithm: sha256WithRSAEncryption
-         86:ba:df:88:f4:26:fc:ac:e6:a3:98:c6:4b:11:c6:f0:de:e8:
-         79:6b:84:09:bc:38:83:a1:23:bd:c7:50:9a:8e:a9:8f:e8:84:
-         77:68:94:a1:58:5a:5b:71:49:2d:d5:23:7c:67:1a:fe:8a:a6:
-         f6:9e:6a:e6:5a:65:73:e7:42:78:a9:10:8d:c4:69:bb:1d:7c:
-         1e:c0:b0:cf:d5:e4:3c:44:8d:85:a9:76:94:a2:b3:1b:b1:94:
-         42:7e:cd:ef:da:88:f1:62:a9:ed:d6:70:85:26:2b:2d:b2:e7:
-         e6:af:0d:76:0c:73:48:c6:ab:18:d4:97:cb:d8:bd:24:8f:bd:
-         c1:9a:79:aa:f4:1c:10:8c:6d:71:71:b9:1c:2e:49:21:2a:dc:
-         33:83:5b:2c:8a:d2:6b:06:9e:23:47:6b:72:12:b8:43:6a:94:
-         d6:c5:25:df:ae:77:7f:b4:4a:6c:39:b9:47:04:68:58:23:e1:
-         c1:24:f3:f2:e1:b8:72:27:fb:4a:3e:7f:bf:8b:bc:69:79:74:
-         28:8c:33:b0:9d:7a:cb:c4:5b:6b:82:43:60:53:85:87:db:0b:
-         1a:e4:83:bb:6c:a3:87:b9:87:42:a0:7f:ff:ec:db:ec:8e:89:
-         83:d6:af:f3:80:d0:5d:fe:e5:15:c1:7a:bc:d6:cf:14:b8:d5:
-         25:92:ef:b1
+         8f:f5:55:1c:7d:68:6f:d2:73:94:11:61:64:42:d1:8e:f9:ea:
+         0d:a5:0f:1f:e3:f4:f6:f0:4d:fd:9f:f6:b0:c5:34:e9:f5:3d:
+         5a:e2:da:60:47:ec:89:f0:c0:05:78:b1:06:a3:51:0e:c7:5f:
+         6a:76:c1:2d:6a:80:1a:e2:d4:11:28:16:3f:ce:55:a8:a1:38:
+         2e:3c:81:57:0b:46:c3:59:f3:f8:a9:f5:a3:4a:97:8a:5b:aa:
+         00:f5:05:92:bb:58:4e:8f:cd:8a:6f:fc:d1:71:58:95:05:36:
+         90:67:ae:0c:35:16:de:a3:c4:db:1e:7a:a4:e5:57:20:ce:f0:
+         e4:d2:7d:9a:d2:a0:46:bf:27:16:c0:4d:ab:a0:61:7d:c9:c2:
+         0c:42:39:6a:0a:e2:e4:46:94:53:92:34:56:84:09:20:35:77:
+         29:43:33:33:66:dd:ae:b5:24:a7:66:0f:d2:99:ee:76:2d:d0:
+         81:ff:41:87:3d:af:8a:ea:41:4c:43:62:15:d0:30:57:40:99:
+         41:f3:2b:31:16:a9:a2:eb:50:62:0e:d3:4d:84:cc:99:2f:16:
+         84:37:b7:c7:99:fc:0d:bd:6d:4d:bf:90:a5:eb:6b:a7:75:6c:
+         73:28:45:49:02:18:4c:af:d9:09:97:ac:80:64:9d:f4:dd:91:
+         a0:3a:74:7f
 -----BEGIN CERTIFICATE-----
-MIIDkjCCAnqgAwIBAgIUC4/8+sdwKpL5ujJOeRQActnsfbYwDQYJKoZIhvcNAQEL
+MIIDkjCCAnqgAwIBAgIUWwy5bJskmrycgMp7Iowu1HoxRq4wDQYJKoZIhvcNAQEL
 BQAwgYIxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
 b3plbWFuMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEYMBYGA1UEAwwPd3d3Lm5vbWF0
-Y2guY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMDYx
-NTIyMDIzM1oXDTI0MDMxMTIyMDIzM1owgYIxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
+Y2guY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMTIy
+MDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgYIxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
 DAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYDVQQLDAtFbmdpbmVlcmlu
 ZzEYMBYGA1UEAwwPd3d3Lm5vbWF0Y2guY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZv
 QHdvbGZzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwJUI
@@ -62,11 +62,11 @@ j+G9e8AvfKtkqBf8yl17uuAh5XIuby6G2JVz2qwbU7lfP9cZDSVP4WNjUYsLZD+t
 Q7ilHFw0s64AoGPF9n8LWWh4c6aMGKkCba/DGQEuuBDjxsxAtGmjRjNph27Euxem
 8+jdrXO8ey8htf1mUQy9VLPhbV8cvCNz0QkDiRTSELlkwyrQoZZKvOHUGlvHoMDB
 Y3gPRDcwMpaAMiOVoXe6E9KXc+JdJclqDcM5YKS0sGlCQgnp2Ai8MyCzWCKnquvE
-4eZhg8XSlt/Z0E+t1wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCGut+I9Cb8rOaj
-mMZLEcbw3uh5a4QJvDiDoSO9x1CajqmP6IR3aJShWFpbcUkt1SN8Zxr+iqb2nmrm
-WmVz50J4qRCNxGm7HXwewLDP1eQ8RI2FqXaUorMbsZRCfs3v2ojxYqnt1nCFJist
-sufmrw12DHNIxqsY1JfL2L0kj73Bmnmq9BwQjG1xcbkcLkkhKtwzg1ssitJrBp4j
-R2tyErhDapTWxSXfrnd/tEpsOblHBGhYI+HBJPPy4bhyJ/tKPn+/i7xpeXQojDOw
-nXrLxFtrgkNgU4WH2wsa5IO7bKOHuYdCoH//7NvsjomD1q/zgNBd/uUVwXq81s8U
-uNUlku+x
+4eZhg8XSlt/Z0E+t1wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCP9VUcfWhv0nOU
+EWFkQtGO+eoNpQ8f4/T28E39n/awxTTp9T1a4tpgR+yJ8MAFeLEGo1EOx19qdsEt
+aoAa4tQRKBY/zlWooTguPIFXC0bDWfP4qfWjSpeKW6oA9QWSu1hOj82Kb/zRcViV
+BTaQZ64MNRbeo8TbHnqk5VcgzvDk0n2a0qBGvycWwE2roGF9ycIMQjlqCuLkRpRT
+kjRWhAkgNXcpQzMzZt2utSSnZg/Sme52LdCB/0GHPa+K6kFMQ2IV0DBXQJlB8ysx
+Fqmi61BiDtNNhMyZLxaEN7fHmfwNvW1Nv5Cl62undWxzKEVJAhhMr9kJl6yAZJ30
+3ZGgOnR/
 -----END CERTIFICATE-----
diff --git a/certs/test/server-badcnnull.der b/certs/test/server-badcnnull.der
index e84fcc012..f49e48498 100644
Binary files a/certs/test/server-badcnnull.der and b/certs/test/server-badcnnull.der differ
diff --git a/certs/test/server-badcnnull.pem b/certs/test/server-badcnnull.pem
index 52d18641b..fa9faea9d 100644
--- a/certs/test/server-badcnnull.pem
+++ b/certs/test/server-badcnnull.pem
@@ -2,12 +2,12 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            2f:dc:cf:8a:1c:ed:ad:f7:a4:ac:5f:24:68:1c:f5:dd:82:c5:59:1e
+            62:9e:92:00:8a:b6:e6:80:80:c6:d5:d6:bb:1a:9e:ee:1d:29:2e:2f
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Jun 15 22:02:33 2021 GMT
-            Not After : Mar 11 22:02:33 2024 GMT
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -33,28 +33,28 @@ Certificate:
                     ad:d7
                 Exponent: 65537 (0x10001)
     Signature Algorithm: sha256WithRSAEncryption
-         ae:86:0e:c4:71:4f:75:f5:12:19:d8:60:b4:80:f8:e2:23:43:
-         cb:7f:38:16:97:b6:1e:57:58:d1:41:6b:7e:8b:4e:9a:10:3f:
-         24:fa:89:23:ba:76:28:ae:4a:d6:d9:35:52:c9:60:0b:70:5b:
-         fa:79:6d:0c:36:fb:cd:7e:16:8c:e4:7a:5b:6d:d2:c2:28:86:
-         d7:ea:b2:e1:d9:08:5c:a6:49:12:8c:8d:0c:1a:f5:a9:ce:35:
-         b4:05:d2:16:90:f1:42:0b:7f:35:40:ad:0e:77:f0:5e:aa:9c:
-         14:c9:2d:55:26:94:44:4a:23:d7:92:6f:f3:75:e4:96:5c:ee:
-         0b:25:39:a4:67:3c:58:f3:32:d9:12:c7:0f:18:89:4f:e6:42:
-         ba:22:1e:3d:c8:6a:2d:dc:cc:94:c8:bf:5f:6e:1d:35:cc:2d:
-         60:78:d5:a9:2a:52:28:65:c5:17:0f:bb:47:f7:0a:17:a1:dc:
-         4b:fa:a6:d9:b7:17:37:b6:d9:94:fd:3c:f0:a6:3d:c1:51:67:
-         11:c6:53:ce:db:e3:d7:fe:d3:d6:73:63:15:48:02:35:d1:df:
-         e8:e0:14:c2:f8:52:2c:a7:ff:15:8c:86:f2:4a:de:a3:61:b4:
-         ce:46:29:1e:3d:74:92:a3:f8:39:fc:d5:5c:12:01:d0:b9:46:
-         9f:b6:18:0d
+         64:e3:ba:6f:73:2f:d1:4e:7c:30:e7:8a:c6:97:45:1b:87:41:
+         82:31:7e:5e:69:7d:b5:de:3f:00:1f:cb:0d:cb:ec:94:24:aa:
+         10:0b:ec:6a:92:ff:3d:4c:47:7a:d0:f8:58:54:31:86:a5:ab:
+         f7:31:e1:18:93:cf:94:9b:40:df:7d:7e:9b:a9:b4:8b:3e:4f:
+         0c:90:26:a0:89:1f:46:95:8c:e3:5b:7b:b4:69:f8:7f:7d:33:
+         f8:1f:d6:db:53:4a:e1:52:86:76:0b:8e:e4:06:cf:1f:7f:3e:
+         0d:df:a2:9f:da:91:bb:a0:37:24:e5:88:f8:ec:69:84:76:b6:
+         3a:ee:01:38:f4:d4:f7:71:50:40:14:68:e8:1a:6f:52:84:ec:
+         36:46:40:78:65:e8:22:56:d3:22:33:53:df:88:78:8e:78:95:
+         a6:14:67:53:cc:40:d3:32:75:ea:07:e0:b3:90:4f:dc:69:a2:
+         b5:2c:b1:89:07:28:e5:a4:70:9b:a1:3a:80:83:31:04:d4:d8:
+         73:06:ca:b4:9d:ff:7e:b3:b3:83:dc:38:a4:39:d4:a8:cf:0a:
+         d4:97:8b:70:bc:45:b5:20:ad:8b:c7:b9:1b:f2:72:f5:05:2c:
+         31:76:1a:cb:a8:bb:d2:cb:40:f7:ec:2e:11:ac:cd:41:54:7a:
+         b2:04:5d:68
 -----BEGIN CERTIFICATE-----
-MIID1DCCArygAwIBAgIUL9zPihztrfekrF8kaBz13YLFWR4wDQYJKoZIhvcNAQEL
+MIID1DCCArygAwIBAgIUYp6SAIq25oCAxtXWuxqe7h0pLi8wDQYJKoZIhvcNAQEL
 BQAwgaMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
 b3plbWFuMRQwEgYDVQQLDAtFbmdpbmVlcmluZzE5MDcGA1UEAwwwREVSOjMwOjBk
 OjgyOjBiOjZjOjZmOjYzOjYxOjZjOjY4OjZmOjczOjc0OjAwOjY4MR8wHQYJKoZI
-hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMDYxNTIyMDIzM1oXDTI0MDMx
-MTIyMDIzM1owgaMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYD
+hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMTIyMDIzMDcyNVoXDTI0MDkx
+NTIzMDcyNVowgaMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYD
 VQQHDAdCb3plbWFuMRQwEgYDVQQLDAtFbmdpbmVlcmluZzE5MDcGA1UEAwwwREVS
 OjMwOjBkOjgyOjBiOjZjOjZmOjYzOjYxOjZjOjY4OjZmOjczOjc0OjAwOjY4MR8w
 HQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEF
@@ -64,10 +64,10 @@ U7lfP9cZDSVP4WNjUYsLZD+tQ7ilHFw0s64AoGPF9n8LWWh4c6aMGKkCba/DGQEu
 uBDjxsxAtGmjRjNph27Euxem8+jdrXO8ey8htf1mUQy9VLPhbV8cvCNz0QkDiRTS
 ELlkwyrQoZZKvOHUGlvHoMDBY3gPRDcwMpaAMiOVoXe6E9KXc+JdJclqDcM5YKS0
 sGlCQgnp2Ai8MyCzWCKnquvE4eZhg8XSlt/Z0E+t1wIDAQABMA0GCSqGSIb3DQEB
-CwUAA4IBAQCuhg7EcU919RIZ2GC0gPjiI0PLfzgWl7YeV1jRQWt+i06aED8k+okj
-unYorkrW2TVSyWALcFv6eW0MNvvNfhaM5HpbbdLCKIbX6rLh2QhcpkkSjI0MGvWp
-zjW0BdIWkPFCC381QK0Od/BeqpwUyS1VJpRESiPXkm/zdeSWXO4LJTmkZzxY8zLZ
-EscPGIlP5kK6Ih49yGot3MyUyL9fbh01zC1geNWpKlIoZcUXD7tH9woXodxL+qbZ
-txc3ttmU/Tzwpj3BUWcRxlPO2+PX/tPWc2MVSAI10d/o4BTC+FIsp/8VjIbySt6j
-YbTORikePXSSo/g5/NVcEgHQuUafthgN
+CwUAA4IBAQBk47pvcy/RTnww54rGl0Ubh0GCMX5eaX213j8AH8sNy+yUJKoQC+xq
+kv89TEd60PhYVDGGpav3MeEYk8+Um0DffX6bqbSLPk8MkCagiR9GlYzjW3u0afh/
+fTP4H9bbU0rhUoZ2C47kBs8ffz4N36Kf2pG7oDck5Yj47GmEdrY67gE49NT3cVBA
+FGjoGm9ShOw2RkB4ZegiVtMiM1PfiHiOeJWmFGdTzEDTMnXqB+CzkE/caaK1LLGJ
+ByjlpHCboTqAgzEE1NhzBsq0nf9+s7OD3DikOdSozwrUl4twvEW1IK2Lx7kb8nL1
+BSwxdhrLqLvSy0D37C4RrM1BVHqyBF1o
 -----END CERTIFICATE-----
diff --git a/certs/test/server-cert-ecc-badsig.der b/certs/test/server-cert-ecc-badsig.der
index 401f5b5b3..c025bf90f 100644
Binary files a/certs/test/server-cert-ecc-badsig.der and b/certs/test/server-cert-ecc-badsig.der differ
diff --git a/certs/test/server-cert-ecc-badsig.pem b/certs/test/server-cert-ecc-badsig.pem
index 2a7cfed98..c29745fa4 100644
--- a/certs/test/server-cert-ecc-badsig.pem
+++ b/certs/test/server-cert-ecc-badsig.pem
@@ -2,16 +2,16 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 3 (0x3)
-    Signature Algorithm: ecdsa-with-SHA256
-        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Washington, L=Seattle, O=Eliptic, OU=ECC, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
-                pub: 
+                pub:
                     04:bb:33:ac:4c:27:50:4a:c6:4a:a5:04:c3:3c:de:
                     9f:36:db:72:2d:ce:94:ea:2b:fa:cb:20:09:39:2c:
                     16:e8:61:02:e9:af:4d:d3:02:93:9a:31:5b:97:92:
@@ -34,16 +34,16 @@ Certificate:
             Netscape Cert Type: 
                 SSL Server
     Signature Algorithm: ecdsa-with-SHA256
-         30:45:02:20:61:6f:e8:b9:ad:cc:c9:1a:81:17:02:64:07:c3:
-         18:44:01:81:76:18:9d:6d:3d:7d:cb:c1:5a:76:4a:ad:71:55:
-         02:21:00:cd:22:35:04:19:c2:23:21:02:88:4b:51:da:db:51:
-         ab:54:8c:cb:38:ac:8e:bb:ee:18:07:bf:88:36:88:ff:d5
+         30:44:02:20:5a:67:b9:ee:02:34:27:1b:d4:c4:35:7b:ed:59:
+         8e:63:c4:8a:b7:e9:92:c1:8a:76:b0:8b:cd:24:49:78:ba:ef:
+         02:20:29:b8:b6:5f:83:f7:56:6a:f1:4d:d9:9f:52:2a:f9:8f:
+         53:14:49:8b:5f:5e:87:af:7f:ca:2e:e0:d8:e7:75:0c
 -----BEGIN CERTIFICATE-----
-MIICoTCCAkegAwIBAgIBAzAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzAR
+MIICoDCCAkegAwIBAgIBAzAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzAR
 BgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dv
 bGZTU0wxFDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
 Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB0VsaXB0aWMx
 DDAKBgNVBAsMA0VDQzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZI
 hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
@@ -51,7 +51,7 @@ QgAEuzOsTCdQSsZKpQTDPN6fNttyLc6U6iv6yyAJOSwW6GEC6a9N0wKTmjFbl5Ih
 f/DPGNqREQI0huggWDMLgDSJ2KOBiTCBhjAdBgNVHQ4EFgQUXV0m76x+NvmbdhUr
 SiUCI++yiTAwHwYDVR0jBBgwFoAUVo6aw/BC3hi5RVVu+ZPP6sPzpSEwDAYDVR0T
 AQH/BAIwADAOBgNVHQ8BAf8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEQYJ
-YIZIAYb4QgEBBAQDAgZAMAoGCCqGSM49BAMCA0gAMEUCIGFv6LmtzMkagRcCZAfD
-GEQBgXYYnW09fcvBWnZKrXFVAiEAzSI1BBnCIyECiEtR2ttRq1SMyzisjrvuGAe/
-iDaIx9U=
+YIZIAYb4QgEBBAQDAgZAMAoGCCqGSM49BAMCA0cAMEQCIFpnue4CNCcb1MQ1e+1Z
+jmPEirfpksGKdrCLzSRJeLrvAiApuLZfg/dWavFN2Z9SKvmPUxRJi19eh69/yi7g
+2Od1xA==
 -----END CERTIFICATE-----
diff --git a/certs/test/server-cert-rsa-badsig.der b/certs/test/server-cert-rsa-badsig.der
index 041eba291..0a6804462 100644
Binary files a/certs/test/server-cert-rsa-badsig.der and b/certs/test/server-cert-rsa-badsig.der differ
diff --git a/certs/test/server-cert-rsa-badsig.pem b/certs/test/server-cert-rsa-badsig.pem
index 26acc60e4..69de8f60c 100644
--- a/certs/test/server-cert-rsa-badsig.pem
+++ b/certs/test/server-cert-rsa-badsig.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=Support, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL, OU = Support, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:c0:95:08:e1:57:41:f2:71:6d:b7:d2:45:41:27:
                     01:65:c6:45:ae:f2:bc:24:30:b8:95:ce:2f:4e:d6:
@@ -37,7 +37,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -46,27 +46,27 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         1b:0d:a6:44:93:0d:0e:0c:35:28:26:40:31:d2:eb:26:4c:47:
-         5b:19:fb:ad:fe:3a:f5:30:3a:28:d7:aa:69:a4:15:e7:26:6e:
-         b7:33:56:ac:8f:34:3d:f3:21:2f:53:58:91:d0:3e:b4:39:48:
-         bf:93:11:74:36:d3:87:49:c3:34:0d:30:30:ab:f4:4c:27:19:
-         d5:c4:0c:ad:49:bd:91:f8:da:9e:c8:2d:2a:ac:e2:75:8e:aa:
-         08:d9:bf:65:ff:a3:b1:4f:f0:60:6f:4d:95:c4:06:7f:af:66:
-         6a:23:3b:3a:a4:61:b6:6c:ca:be:e1:b0:77:f3:ec:83:d5:8c:
-         1d:85:7f:8d:74:c8:ec:1e:49:ec:57:4a:cc:fd:e2:3a:3e:54:
-         50:ae:67:cd:17:b0:67:a5:53:7f:c3:0e:3e:a7:58:e8:df:d5:
-         0c:f2:64:f3:ad:12:70:e3:b9:42:bc:08:60:76:d5:0c:a5:31:
-         77:50:e0:c8:f3:3a:3d:45:cf:32:75:ef:10:dd:b5:ed:6e:d2:
-         2d:57:82:95:38:bc:7d:54:c4:84:5e:fb:7e:83:f5:f1:2d:9c:
-         98:ac:73:e3:a7:d2:02:30:d6:1f:06:1e:d0:dc:3a:ac:f4:c2:
-         c2:be:72:40:9a:ea:cf:35:21:3b:56:6d:e1:52:f2:80:d7:35:
-         83:97:07:cc
+         73:59:6f:55:94:e1:38:e7:20:5a:11:46:47:a8:29:11:17:06:
+         19:16:78:22:af:54:f8:d9:32:61:26:3f:39:ab:a4:df:ef:ae:
+         d0:0b:cc:2b:af:95:70:90:97:53:cc:19:6d:f2:4d:4c:fa:e4:
+         9d:7c:54:e0:5b:3b:1f:1e:52:46:7f:d9:ba:a0:90:ba:6d:df:
+         3d:67:f0:9f:52:44:c3:e1:66:36:dc:61:58:11:ba:4c:0c:c2:
+         29:da:f7:13:45:60:b2:11:79:91:ed:7c:9f:b7:7f:5c:e2:29:
+         c6:1e:bf:78:da:bf:d1:bd:9c:f7:4e:23:e0:c3:ef:6f:b6:67:
+         7c:d7:4c:02:d5:bd:67:ee:7e:0c:e3:89:db:79:61:1e:d0:5f:
+         f5:e8:66:48:3a:55:54:d5:16:12:30:00:c9:86:75:e0:c9:ff:
+         38:74:ce:c8:c7:fd:ef:96:d8:55:96:71:35:62:db:34:c5:2f:
+         07:84:8a:aa:1b:1e:77:50:0a:20:3b:21:4b:06:14:af:78:11:
+         a2:41:c6:5d:0c:70:e0:52:b4:9e:4c:86:ab:5b:a3:e0:8f:a2:
+         c2:1a:69:70:80:3b:bd:50:23:26:72:4f:fa:fd:df:ed:85:32:
+         2c:e4:ab:3e:f3:a6:d0:1d:db:33:6b:69:8d:99:b9:b4:34:4b:
+         79:a8:16:68
 -----BEGIN CERTIFICATE-----
-MIIE3TCCA8WgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIE6DCCA9CgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBkDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBkDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
 B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxEDAO
 BgNVBAsMB1N1cHBvcnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
 SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
@@ -75,34 +75,35 @@ f/5cnFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/X
 GQ0lT+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bM
 QLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq
 0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ
-6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaOCATowggE2MB0GA1UdDgQW
-BBSzETLJkpiE4sn40DtuA0LKHw6OPDCByQYDVR0jBIHBMIG+gBQnjmcRdMMmHT/t
+6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaOCAUUwggFBMB0GA1UdDgQW
+BBSzETLJkpiE4sn40DtuA0LKHw6OPDCB1AYDVR0jBIHMMIHJgBQnjmcRdMMmHT/t
 M2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRh
 bmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQL
 DApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG
-9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQCq0z+sGAo3TTAMBgNVHRMEBTADAQH/
-MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAGw2mRJMNDgw1KCZAMdLr
-JkxHWxn7rf469TA6KNeqaaQV5yZutzNWrI80PfMhL1NYkdA+tDlIv5MRdDbTh0nD
-NA0wMKv0TCcZ1cQMrUm9kfjansgtKqzidY6qCNm/Zf+jsU/wYG9NlcQGf69maiM7
-OqRhtmzKvuGwd/Psg9WMHYV/jXTI7B5J7FdKzP3iOj5UUK5nzRewZ6VTf8MOPqdY
-6N/VDPJk860ScOO5QrwIYHbVDKUxd1DgyPM6PUXPMnXvEN217W7SLVeClTi8fVTE
-hF77foP18S2cmKxz46fSAjDWHwYe0Nw6rPTCwr5yQJrqzzUhO1Zt4VLygNc1g5cH
-zA==
+9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFH2UcIi6B0KNqq9PvsIaSPDRQOZCMAwG
+A1UdEwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhhbXBsZS5jb22HBH8AAAEwHQYDVR0l
+BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBzWW9V
+lOE45yBaEUZHqCkRFwYZFngir1T42TJhJj85q6Tf767QC8wrr5VwkJdTzBlt8k1M
++uSdfFTgWzsfHlJGf9m6oJC6bd89Z/CfUkTD4WY23GFYEbpMDMIp2vcTRWCyEXmR
+7Xyft39c4inGHr942r/RvZz3TiPgw+9vtmd810wC1b1n7n4M44nbeWEe0F/16GZI
+OlVU1RYSMADJhnXgyf84dM7Ix/3vlthVlnE1Yts0xS8HhIqqGx53UAogOyFLBhSv
+eBGiQcZdDHDgUrSeTIarW6Pgj6LCGmlwgDu9UCMmck/6/d/thTIs5Ks+86bQHdsz
+a2mNmbm0NEt5qBZo
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 12309252214903945037 (0xaad33fac180a374d)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            7d:94:70:88:ba:07:42:8d:aa:af:4f:be:c2:1a:48:f0:d1:40:e6:42
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:52 2021 GMT
-            Not After : Nov  7 19:49:52 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Sep 15 23:07:24 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:bf:0c:ca:2d:14:b2:1e:84:42:5b:cd:38:1f:4a:
                     f2:4d:75:10:f1:b6:35:9f:df:ca:7d:03:98:d3:ac:
@@ -129,7 +130,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -138,47 +139,47 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         62:98:c8:58:cf:56:03:86:5b:1b:71:49:7d:05:03:5d:e0:08:
-         86:ad:db:4a:de:ab:22:96:a8:c3:59:68:c1:37:90:40:df:bd:
-         89:d0:bc:da:8e:ef:87:b2:c2:62:52:e1:1a:29:17:6a:96:99:
-         c8:4e:d8:32:fe:b8:d1:5c:3b:0a:c2:3c:5f:a1:1e:98:7f:ce:
-         89:26:21:1f:64:9c:15:7a:9c:ef:fb:1d:85:6a:fa:98:ce:a8:
-         a9:ab:c3:a2:c0:eb:87:ed:bc:21:df:f3:07:5b:ae:fd:40:d4:
-         ae:20:d0:76:8a:31:0a:a2:62:7c:61:0d:ce:5d:9a:1e:e4:20:
-         88:51:49:fb:77:a9:cd:4d:c6:bf:54:99:33:ef:4b:a0:73:70:
-         6d:2e:d9:3d:08:f6:12:39:31:68:c6:61:5c:41:b5:1b:f4:38:
-         7d:fc:be:73:66:2d:f7:ca:5b:2c:5b:31:aa:cf:f6:7f:30:e4:
-         12:2c:8e:d6:38:51:e6:45:ee:d5:da:c3:83:d6:ed:5e:ec:d6:
-         b6:14:b3:93:59:e1:55:4a:7f:04:df:ce:65:d4:df:18:4f:dd:
-         b4:45:7f:a6:56:30:c4:05:44:98:9d:4f:26:6d:84:80:a0:5e:
-         ed:23:d1:48:87:0e:05:06:91:3b:b0:3c:bb:8c:8f:3c:7b:4c:
-         4f:a1:ca:98
+         b0:71:bb:ba:45:5a:80:25:02:a4:7e:88:0b:a9:7b:fd:b0:bb:
+         f6:46:b5:ba:f4:c7:e3:61:20:8c:03:15:66:f5:e4:54:82:ef:
+         13:80:97:22:67:c1:d1:88:5d:e2:2d:57:f6:e0:9f:69:d6:b1:
+         5c:b6:e8:e0:98:89:c8:14:12:d6:b6:89:8d:6c:b9:a0:59:4f:
+         92:ee:11:53:6b:7d:93:4a:69:0a:85:d9:d5:d2:62:e8:c9:b5:
+         c6:4e:17:f5:0a:e8:f3:2d:86:61:0b:eb:c4:c4:c6:67:75:ed:
+         9a:9f:53:a0:71:1e:a0:90:0d:f9:03:b4:bc:86:19:6e:f0:3b:
+         4f:e8:ed:68:f6:e7:23:43:3b:36:83:83:4b:46:a0:9a:01:d0:
+         c7:85:bb:7d:94:a0:21:3d:7e:3c:6a:3d:81:db:41:7b:46:d8:
+         15:62:d5:8f:4d:3d:c0:db:9a:c5:81:a8:ac:da:87:99:c7:dd:
+         b9:f1:14:af:d1:93:e3:f3:42:d7:a2:04:51:21:54:29:c3:45:
+         f6:be:5c:fa:cd:db:bf:2f:79:81:42:e5:8f:47:0b:d4:54:01:
+         b5:c2:4a:46:d6:a8:31:2e:64:80:3f:48:61:91:29:f3:aa:43:
+         5c:69:6e:f1:01:b9:df:63:71:3d:b9:5a:fb:36:c0:11:a2:c3:
+         30:9d:95:c3
 -----BEGIN CERTIFICATE-----
-MIIE6TCCA9GgAwIBAgIJAKrTP6wYCjdNMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD
+MIIE/zCCA+egAwIBAgIUfZRwiLoHQo2qr0++whpI8NFA5kIwDQYJKoZIhvcNAQEL
+BQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
+b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY
+MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
+bGZzc2wuY29tMB4XDTIxMTIyMDIzMDcyNFoXDTI0MDkxNTIzMDcyNFowgZQxCzAJ
+BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREw
+DwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwP
+d3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwzKLRSyHoRCW804H0ry
+TXUQ8bY1n9/KfQOY06zeA2buKvHYsH1uB1QLEJghTYDLEiDnzE/eRX3Jcncy6sqQ
+u2lSEAMvqPOVxfGLYlYb72dvpBBBla0Km+OlwLDScHZQMFuo6AgsfO2nonqNOCkc
+rMft8nyVsJWCfUlcOM13Je+9gHVTlDw9ymNbnxW10x0TLxnRPNt2Osy4fcnlwtfa
+QG/YIdxzG0ItU5z+Gvx9q3o2P5jehHwFZ85qFDiHqfGMtWjLaH9xICv1oGP1Vi+j
+JtK3b7FaF9c4mQj+k1hv/sMTSQgWC6dNZwBSMWcjTpjtUUUduQTZC+zYKLNLve02
+eQIDAQABo4IBRTCCAUEwHQYDVR0OBBYEFCeOZxF0wyYdP+0zY7Ok2B0w5ejVMIHU
+BgNVHSMEgcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYD
 VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G
 A1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3
-dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe
-Fw0yMTAyMTAxOTQ5NTJaFw0yMzExMDcxOTQ5NTJaMIGUMQswCQYDVQQGEwJVUzEQ
-MA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwIU2F3
-dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3Ns
-LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAL8Myi0Ush6EQlvNOB9K8k11EPG2NZ/fyn0D
-mNOs3gNm7irx2LB9bgdUCxCYIU2AyxIg58xP3kV9yXJ3MurKkLtpUhADL6jzlcXx
-i2JWG+9nb6QQQZWtCpvjpcCw0nB2UDBbqOgILHztp6J6jTgpHKzH7fJ8lbCVgn1J
-XDjNdyXvvYB1U5Q8PcpjW58VtdMdEy8Z0TzbdjrMuH3J5cLX2kBv2CHccxtCLVOc
-/hr8fat6Nj+Y3oR8BWfOahQ4h6nxjLVoy2h/cSAr9aBj9VYvoybSt2+xWhfXOJkI
-/pNYb/7DE0kIFgunTWcAUjFnI06Y7VFFHbkE2Qvs2CizS73tNnkCAwEAAaOCATow
-ggE2MB0GA1UdDgQWBBQnjmcRdMMmHT/tM2OzpNgdMOXo1TCByQYDVR0jBIHBMIG+
-gBQnjmcRdMMmHT/tM2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAO
-BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rv
-b3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5j
-b20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQCq0z+sGAo3TTAM
-BgNVHRMEBTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1Ud
-JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAYpjI
-WM9WA4ZbG3FJfQUDXeAIhq3bSt6rIpaow1lowTeQQN+9idC82o7vh7LCYlLhGikX
-apaZyE7YMv640Vw7CsI8X6EemH/OiSYhH2ScFXqc7/sdhWr6mM6oqavDosDrh+28
-Id/zB1uu/UDUriDQdooxCqJifGENzl2aHuQgiFFJ+3epzU3Gv1SZM+9LoHNwbS7Z
-PQj2EjkxaMZhXEG1G/Q4ffy+c2Yt98pbLFsxqs/2fzDkEiyO1jhR5kXu1drDg9bt
-XuzWthSzk1nhVUp/BN/OZdTfGE/dtEV/plYwxAVEmJ1PJm2EgKBe7SPRSIcOBQaR
-O7A8u4yPPHtMT6HKxA==
+dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIU
+fZRwiLoHQo2qr0++whpI8NFA5kIwDAYDVR0TBAUwAwEB/zAcBgNVHREEFTATggtl
+eGFtcGxlLmNvbYcEfwAAATAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
+DQYJKoZIhvcNAQELBQADggEBALBxu7pFWoAlAqR+iAupe/2wu/ZGtbr0x+NhIIwD
+FWb15FSC7xOAlyJnwdGIXeItV/bgn2nWsVy26OCYicgUEta2iY1suaBZT5LuEVNr
+fZNKaQqF2dXSYujJtcZOF/UK6PMthmEL68TExmd17ZqfU6BxHqCQDfkDtLyGGW7w
+O0/o7Wj25yNDOzaDg0tGoJoB0MeFu32UoCE9fjxqPYHbQXtG2BVi1Y9NPcDbmsWB
+qKzah5nH3bnxFK/Rk+PzQteiBFEhVCnDRfa+XPrN278veYFC5Y9HC9RUAbXCSkbW
+qDEuZIA/SGGRKfOqQ1xpbvEBud9jcT25Wvs2wBGiwzCdxcM=
 -----END CERTIFICATE-----
diff --git a/certs/test/server-duplicate-policy.pem b/certs/test/server-duplicate-policy.pem
index 50281d14a..6941973d8 100644
--- a/certs/test/server-duplicate-policy.pem
+++ b/certs/test/server-duplicate-policy.pem
@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 2 (0x2)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:53 2021 GMT
-            Not After : Nov  7 19:49:53 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=testing duplicate policy, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL, OU = testing duplicate policy, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:c0:95:08:e1:57:41:f2:71:6d:b7:d2:45:41:27:
                     01:65:c6:45:ae:f2:bc:24:30:b8:95:ce:2f:4e:d6:
@@ -37,7 +37,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:FALSE
@@ -49,27 +49,27 @@ Certificate:
                     Explicit Text: Test of duplicate OIDs with different qualifiers
 
     Signature Algorithm: sha256WithRSAEncryption
-         89:48:e9:bf:9d:98:fc:e3:b5:32:80:9c:b8:18:31:37:df:6b:
-         5b:f9:ca:f1:50:b2:10:d2:97:91:31:7b:3b:e0:f9:ec:d3:45:
-         83:47:c0:a6:86:e0:f9:a2:46:f8:7a:22:54:9e:37:b5:43:3d:
-         de:13:7f:a1:79:2b:1e:c9:a5:1f:96:23:fb:43:cb:94:7f:55:
-         37:9a:7e:4e:73:90:1f:aa:07:92:b7:86:f9:0d:36:c0:94:53:
-         91:86:ec:ed:b3:e7:44:b4:9e:27:d2:b7:ff:f8:d0:98:32:5e:
-         9d:24:9d:59:3a:06:82:3e:58:0f:93:f3:c5:85:23:ef:ec:1a:
-         05:a0:0c:db:ac:e1:7c:67:84:0c:92:0e:81:e3:57:4e:5a:8a:
-         a9:05:f2:38:73:78:c9:12:8a:45:c5:5a:f0:a6:2a:de:b9:29:
-         7d:9f:69:07:af:06:2a:e8:cc:3b:35:ea:7b:f3:43:2f:24:15:
-         1b:93:f2:3a:1d:0f:e5:e6:20:4c:a8:6a:42:32:71:5a:f8:3a:
-         41:5e:35:bb:0a:c3:4e:b5:12:6a:ae:e1:97:cb:94:b9:71:14:
-         a2:63:a4:f0:c4:07:31:57:6e:f8:f8:05:25:dd:36:bb:83:f8:
-         60:53:b2:4c:75:92:44:fc:24:21:1e:65:94:9e:0a:86:73:34:
-         45:f7:1b:88
+         2a:bd:46:4a:5f:f0:63:9c:49:90:7e:04:c9:aa:c5:1e:07:5c:
+         62:7a:33:cb:39:92:bc:dd:f6:1b:52:fc:d0:31:82:89:10:d0:
+         3a:c4:54:3a:79:ae:a7:e1:f1:d4:93:20:41:27:cc:2c:41:74:
+         7d:f8:35:e4:98:a2:52:c0:11:1f:68:4a:f0:b0:6d:94:7c:a5:
+         a9:5e:62:82:37:9f:5a:d2:72:58:d1:dd:dc:18:fd:63:f5:4a:
+         f8:d1:b7:56:63:9d:2c:df:0b:ae:00:b4:52:aa:6f:84:f2:ed:
+         25:35:39:b4:60:85:91:c1:80:87:a2:3d:34:be:80:b7:5a:ac:
+         db:5e:99:3e:88:98:a4:07:a8:86:0d:61:81:c6:3d:1e:78:2c:
+         40:b2:e2:d5:c4:b5:78:ac:ef:2c:86:f5:98:87:32:f6:f3:6f:
+         09:a4:a4:7c:20:db:c6:1b:3c:97:ff:5f:62:54:3e:24:80:63:
+         89:e4:0f:43:68:05:c7:d2:b4:bd:d2:b2:a0:3e:37:ae:43:34:
+         c1:21:c7:f3:36:9d:04:44:be:45:d0:7c:47:a1:6c:f4:e8:64:
+         8b:24:ff:18:9d:c2:77:79:de:2c:1e:0f:da:3f:25:8f:4c:87:
+         f3:db:dc:d4:ae:7d:25:cd:f2:73:b8:0f:35:6c:64:43:9a:7d:
+         d4:53:a5:0c
 -----BEGIN CERTIFICATE-----
-MIIFJjCCBA6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+MIIFMTCCBBmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
 d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwMjEw
-MTk0OTUzWhcNMjMxMTA3MTk0OTUzWjCBoTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
+MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBoTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
 B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxITAf
 BgNVBAsMGHRlc3RpbmcgZHVwbGljYXRlIHBvbGljeTEYMBYGA1UEAwwPd3d3Lndv
 bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN
@@ -79,34 +79,35 @@ JDC4lc4vTtb2HIi8fJ/7qGd//lycUXX3isoH5zUvj+G9e8AvfKtkqBf8yl17uuAh
 c6aMGKkCba/DGQEuuBDjxsxAtGmjRjNph27Euxem8+jdrXO8ey8htf1mUQy9VLPh
 bV8cvCNz0QkDiRTSELlkwyrQoZZKvOHUGlvHoMDBY3gPRDcwMpaAMiOVoXe6E9KX
 c+JdJclqDcM5YKS0sGlCQgnp2Ai8MyCzWCKnquvE4eZhg8XSlt/Z0E+t1wIDAQAB
-o4IBcjCCAW4wHQYDVR0OBBYEFLMRMsmSmITiyfjQO24DQsofDo48MIHJBgNVHSME
-gcEwgb6AFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
+o4IBfTCCAXkwHQYDVR0OBBYEFLMRMsmSmITiyfjQO24DQsofDo48MIHUBgNVHSME
+gcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYDVQQGEwJV
 UzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwI
 U2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xm
-c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIJAKrTP6wY
-CjdNMAkGA1UdEwQCMAAwdgYDVR0gBG8wbTAFBgMqAwQwZAYDKgMEMF0wGwYIKwYB
-BQUHAgEWD3d3dy53b2xmc3NsLmNvbTA+BggrBgEFBQcCAjAyGjBUZXN0IG9mIGR1
-cGxpY2F0ZSBPSURzIHdpdGggZGlmZmVyZW50IHF1YWxpZmllcnMwDQYJKoZIhvcN
-AQELBQADggEBAIlI6b+dmPzjtTKAnLgYMTffa1v5yvFQshDSl5Exezvg+ezTRYNH
-wKaG4PmiRvh6IlSeN7VDPd4Tf6F5Kx7JpR+WI/tDy5R/VTeafk5zkB+qB5K3hvkN
-NsCUU5GG7O2z50S0nifSt//40JgyXp0knVk6BoI+WA+T88WFI+/sGgWgDNus4Xxn
-hAySDoHjV05aiqkF8jhzeMkSikXFWvCmKt65KX2faQevBirozDs16nvzQy8kFRuT
-8jodD+XmIEyoakIycVr4OkFeNbsKw061Emqu4ZfLlLlxFKJjpPDEBzFXbvj4BSXd
-NruD+GBTskx1kkT8JCEeZZSeCoZzNEX3G4g=
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUfZRwiLoH
+Qo2qr0++whpI8NFA5kIwCQYDVR0TBAIwADB2BgNVHSAEbzBtMAUGAyoDBDBkBgMq
+AwQwXTAbBggrBgEFBQcCARYPd3d3LndvbGZzc2wuY29tMD4GCCsGAQUFBwICMDIa
+MFRlc3Qgb2YgZHVwbGljYXRlIE9JRHMgd2l0aCBkaWZmZXJlbnQgcXVhbGlmaWVy
+czANBgkqhkiG9w0BAQsFAAOCAQEAKr1GSl/wY5xJkH4EyarFHgdcYnozyzmSvN32
+G1L80DGCiRDQOsRUOnmup+Hx1JMgQSfMLEF0ffg15JiiUsARH2hK8LBtlHylqV5i
+gjefWtJyWNHd3Bj9Y/VK+NG3VmOdLN8LrgC0UqpvhPLtJTU5tGCFkcGAh6I9NL6A
+t1qs216ZPoiYpAeohg1hgcY9HngsQLLi1cS1eKzvLIb1mIcy9vNvCaSkfCDbxhs8
+l/9fYlQ+JIBjieQPQ2gFx9K0vdKyoD43rkM0wSHH8zadBES+RdB8R6Fs9OhkiyT/
+GJ3Cd3neLB4P2j8lj0yH89vc1K59Jc3yc7gPNWxkQ5p91FOlDA==
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 12309252214903945037 (0xaad33fac180a374d)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Serial Number:
+            7d:94:70:88:ba:07:42:8d:aa:af:4f:be:c2:1a:48:f0:d1:40:e6:42
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Feb 10 19:49:52 2021 GMT
-            Not After : Nov  7 19:49:52 2023 GMT
-        Subject: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+            Not Before: Dec 20 23:07:24 2021 GMT
+            Not After : Sep 15 23:07:24 2024 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:bf:0c:ca:2d:14:b2:1e:84:42:5b:cd:38:1f:4a:
                     f2:4d:75:10:f1:b6:35:9f:df:ca:7d:03:98:d3:ac:
@@ -133,7 +134,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
                 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:AA:D3:3F:AC:18:0A:37:4D
+                serial:7D:94:70:88:BA:07:42:8D:AA:AF:4F:BE:C2:1A:48:F0:D1:40:E6:42
 
             X509v3 Basic Constraints: 
                 CA:TRUE
@@ -142,47 +143,47 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         62:98:c8:58:cf:56:03:86:5b:1b:71:49:7d:05:03:5d:e0:08:
-         86:ad:db:4a:de:ab:22:96:a8:c3:59:68:c1:37:90:40:df:bd:
-         89:d0:bc:da:8e:ef:87:b2:c2:62:52:e1:1a:29:17:6a:96:99:
-         c8:4e:d8:32:fe:b8:d1:5c:3b:0a:c2:3c:5f:a1:1e:98:7f:ce:
-         89:26:21:1f:64:9c:15:7a:9c:ef:fb:1d:85:6a:fa:98:ce:a8:
-         a9:ab:c3:a2:c0:eb:87:ed:bc:21:df:f3:07:5b:ae:fd:40:d4:
-         ae:20:d0:76:8a:31:0a:a2:62:7c:61:0d:ce:5d:9a:1e:e4:20:
-         88:51:49:fb:77:a9:cd:4d:c6:bf:54:99:33:ef:4b:a0:73:70:
-         6d:2e:d9:3d:08:f6:12:39:31:68:c6:61:5c:41:b5:1b:f4:38:
-         7d:fc:be:73:66:2d:f7:ca:5b:2c:5b:31:aa:cf:f6:7f:30:e4:
-         12:2c:8e:d6:38:51:e6:45:ee:d5:da:c3:83:d6:ed:5e:ec:d6:
-         b6:14:b3:93:59:e1:55:4a:7f:04:df:ce:65:d4:df:18:4f:dd:
-         b4:45:7f:a6:56:30:c4:05:44:98:9d:4f:26:6d:84:80:a0:5e:
-         ed:23:d1:48:87:0e:05:06:91:3b:b0:3c:bb:8c:8f:3c:7b:4c:
-         4f:a1:ca:98
+         b0:71:bb:ba:45:5a:80:25:02:a4:7e:88:0b:a9:7b:fd:b0:bb:
+         f6:46:b5:ba:f4:c7:e3:61:20:8c:03:15:66:f5:e4:54:82:ef:
+         13:80:97:22:67:c1:d1:88:5d:e2:2d:57:f6:e0:9f:69:d6:b1:
+         5c:b6:e8:e0:98:89:c8:14:12:d6:b6:89:8d:6c:b9:a0:59:4f:
+         92:ee:11:53:6b:7d:93:4a:69:0a:85:d9:d5:d2:62:e8:c9:b5:
+         c6:4e:17:f5:0a:e8:f3:2d:86:61:0b:eb:c4:c4:c6:67:75:ed:
+         9a:9f:53:a0:71:1e:a0:90:0d:f9:03:b4:bc:86:19:6e:f0:3b:
+         4f:e8:ed:68:f6:e7:23:43:3b:36:83:83:4b:46:a0:9a:01:d0:
+         c7:85:bb:7d:94:a0:21:3d:7e:3c:6a:3d:81:db:41:7b:46:d8:
+         15:62:d5:8f:4d:3d:c0:db:9a:c5:81:a8:ac:da:87:99:c7:dd:
+         b9:f1:14:af:d1:93:e3:f3:42:d7:a2:04:51:21:54:29:c3:45:
+         f6:be:5c:fa:cd:db:bf:2f:79:81:42:e5:8f:47:0b:d4:54:01:
+         b5:c2:4a:46:d6:a8:31:2e:64:80:3f:48:61:91:29:f3:aa:43:
+         5c:69:6e:f1:01:b9:df:63:71:3d:b9:5a:fb:36:c0:11:a2:c3:
+         30:9d:95:c3
 -----BEGIN CERTIFICATE-----
-MIIE6TCCA9GgAwIBAgIJAKrTP6wYCjdNMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD
+MIIE/zCCA+egAwIBAgIUfZRwiLoHQo2qr0++whpI8NFA5kIwDQYJKoZIhvcNAQEL
+BQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
+b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY
+MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
+bGZzc2wuY29tMB4XDTIxMTIyMDIzMDcyNFoXDTI0MDkxNTIzMDcyNFowgZQxCzAJ
+BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREw
+DwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwP
+d3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwzKLRSyHoRCW804H0ry
+TXUQ8bY1n9/KfQOY06zeA2buKvHYsH1uB1QLEJghTYDLEiDnzE/eRX3Jcncy6sqQ
+u2lSEAMvqPOVxfGLYlYb72dvpBBBla0Km+OlwLDScHZQMFuo6AgsfO2nonqNOCkc
+rMft8nyVsJWCfUlcOM13Je+9gHVTlDw9ymNbnxW10x0TLxnRPNt2Osy4fcnlwtfa
+QG/YIdxzG0ItU5z+Gvx9q3o2P5jehHwFZ85qFDiHqfGMtWjLaH9xICv1oGP1Vi+j
+JtK3b7FaF9c4mQj+k1hv/sMTSQgWC6dNZwBSMWcjTpjtUUUduQTZC+zYKLNLve02
+eQIDAQABo4IBRTCCAUEwHQYDVR0OBBYEFCeOZxF0wyYdP+0zY7Ok2B0w5ejVMIHU
+BgNVHSMEgcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYD
 VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G
 A1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3
-dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe
-Fw0yMTAyMTAxOTQ5NTJaFw0yMzExMDcxOTQ5NTJaMIGUMQswCQYDVQQGEwJVUzEQ
-MA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwIU2F3
-dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3Ns
-LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAL8Myi0Ush6EQlvNOB9K8k11EPG2NZ/fyn0D
-mNOs3gNm7irx2LB9bgdUCxCYIU2AyxIg58xP3kV9yXJ3MurKkLtpUhADL6jzlcXx
-i2JWG+9nb6QQQZWtCpvjpcCw0nB2UDBbqOgILHztp6J6jTgpHKzH7fJ8lbCVgn1J
-XDjNdyXvvYB1U5Q8PcpjW58VtdMdEy8Z0TzbdjrMuH3J5cLX2kBv2CHccxtCLVOc
-/hr8fat6Nj+Y3oR8BWfOahQ4h6nxjLVoy2h/cSAr9aBj9VYvoybSt2+xWhfXOJkI
-/pNYb/7DE0kIFgunTWcAUjFnI06Y7VFFHbkE2Qvs2CizS73tNnkCAwEAAaOCATow
-ggE2MB0GA1UdDgQWBBQnjmcRdMMmHT/tM2OzpNgdMOXo1TCByQYDVR0jBIHBMIG+
-gBQnjmcRdMMmHT/tM2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAO
-BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rv
-b3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5j
-b20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQCq0z+sGAo3TTAM
-BgNVHRMEBTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1Ud
-JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAYpjI
-WM9WA4ZbG3FJfQUDXeAIhq3bSt6rIpaow1lowTeQQN+9idC82o7vh7LCYlLhGikX
-apaZyE7YMv640Vw7CsI8X6EemH/OiSYhH2ScFXqc7/sdhWr6mM6oqavDosDrh+28
-Id/zB1uu/UDUriDQdooxCqJifGENzl2aHuQgiFFJ+3epzU3Gv1SZM+9LoHNwbS7Z
-PQj2EjkxaMZhXEG1G/Q4ffy+c2Yt98pbLFsxqs/2fzDkEiyO1jhR5kXu1drDg9bt
-XuzWthSzk1nhVUp/BN/OZdTfGE/dtEV/plYwxAVEmJ1PJm2EgKBe7SPRSIcOBQaR
-O7A8u4yPPHtMT6HKmA==
+dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIU
+fZRwiLoHQo2qr0++whpI8NFA5kIwDAYDVR0TBAUwAwEB/zAcBgNVHREEFTATggtl
+eGFtcGxlLmNvbYcEfwAAATAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
+DQYJKoZIhvcNAQELBQADggEBALBxu7pFWoAlAqR+iAupe/2wu/ZGtbr0x+NhIIwD
+FWb15FSC7xOAlyJnwdGIXeItV/bgn2nWsVy26OCYicgUEta2iY1suaBZT5LuEVNr
+fZNKaQqF2dXSYujJtcZOF/UK6PMthmEL68TExmd17ZqfU6BxHqCQDfkDtLyGGW7w
+O0/o7Wj25yNDOzaDg0tGoJoB0MeFu32UoCE9fjxqPYHbQXtG2BVi1Y9NPcDbmsWB
+qKzah5nH3bnxFK/Rk+PzQteiBFEhVCnDRfa+XPrN278veYFC5Y9HC9RUAbXCSkbW
+qDEuZIA/SGGRKfOqQ1xpbvEBud9jcT25Wvs2wBGiwzCdlcM=
 -----END CERTIFICATE-----
diff --git a/certs/test/server-garbage.der b/certs/test/server-garbage.der
index c8e7d7cec..6dbb41afd 100644
Binary files a/certs/test/server-garbage.der and b/certs/test/server-garbage.der differ
diff --git a/certs/test/server-garbage.pem b/certs/test/server-garbage.pem
index 32e1ed08d..381d7bc5d 100644
--- a/certs/test/server-garbage.pem
+++ b/certs/test/server-garbage.pem
@@ -2,12 +2,12 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            5b:d1:6a:7d:d9:c4:9a:1a:c6:11:44:12:fc:ca:a1:f4:79:6b:1b:a2
+            79:41:0e:38:0a:5f:24:41:24:48:9a:ff:f5:5c:3d:5a:a1:01:4f:18
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Jun 15 22:02:34 2021 GMT
-            Not After : Mar 11 22:02:34 2024 GMT
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -36,27 +36,27 @@ Certificate:
             X509v3 Subject Alternative Name: 
                 DNS:garbage
     Signature Algorithm: sha256WithRSAEncryption
-         b1:e4:67:79:4d:83:e3:5a:49:d3:8e:33:18:a2:ee:bd:c4:66:
-         40:d2:81:19:c8:fa:95:0a:e9:8f:dd:58:cd:10:8a:c3:43:fd:
-         62:2f:ca:2b:0d:e9:7d:28:4f:5f:45:3b:27:3b:7d:06:39:12:
-         75:c3:e7:2e:8e:82:f7:b1:28:7f:7f:76:83:db:f5:ea:d2:87:
-         5b:90:a4:b1:3e:4b:64:a3:3d:0a:d7:41:31:71:28:3b:54:89:
-         20:b5:17:65:20:c9:f8:1b:25:11:44:a3:0b:b5:60:37:f0:92:
-         fc:3b:1d:4a:03:ef:e1:b4:61:23:33:8c:48:2f:e8:dd:4b:f8:
-         3d:97:00:55:c7:49:be:35:6a:3f:e1:db:32:ef:7f:b3:6a:ab:
-         5d:8b:f1:fb:45:1e:75:1f:d1:e6:93:24:7f:b2:57:97:57:08:
-         27:3d:94:3b:b3:97:b4:07:c0:e7:ed:77:9a:e1:f7:90:2d:af:
-         1e:2f:15:7c:da:2c:d7:db:a2:b1:e5:4e:27:4c:0c:52:0c:54:
-         a1:d3:b9:31:aa:d1:1f:20:91:b6:c1:7f:72:43:02:63:f4:13:
-         1d:66:7b:80:7c:1e:b5:17:03:2b:95:53:47:eb:10:63:e6:8e:
-         23:ca:c7:2d:05:eb:ad:db:24:a4:e6:f0:2b:a2:7a:37:d7:20:
-         5c:ed:82:ce
+         93:85:54:0c:c7:ad:3f:ad:83:9d:a3:95:00:66:a1:8c:d8:56:
+         ca:07:79:14:2c:e2:20:e2:03:c8:67:2e:6b:47:95:8f:d8:ee:
+         e4:c4:33:b0:96:1d:04:52:85:7d:47:d8:a9:89:9b:9f:a3:c9:
+         e0:eb:be:e4:d2:89:9a:78:04:49:5a:30:0f:16:3e:b1:82:11:
+         33:e1:39:f0:42:a6:71:6f:f9:10:8f:7a:c4:1f:a3:a1:70:a3:
+         b8:8e:f8:52:25:e3:e7:11:67:54:6b:01:34:a8:9f:6b:5e:76:
+         86:75:a1:08:8b:fe:bd:ae:22:83:4b:cf:21:95:b6:2e:3d:c2:
+         f3:2e:a7:d7:16:b9:83:c4:ca:a8:02:65:5e:d2:77:09:a8:f3:
+         32:59:b0:94:56:cb:ad:14:08:fb:c0:98:db:25:6b:1b:cb:8b:
+         8f:a8:4c:10:12:74:a1:c1:ff:3d:ab:84:a2:cc:f3:f7:6a:f4:
+         58:52:0e:89:94:3d:1a:29:91:db:39:4c:95:7d:3d:14:b6:8a:
+         58:7a:45:05:8a:1d:95:44:ab:10:03:a9:4a:25:b8:0a:83:24:
+         aa:47:da:c9:15:47:ca:5a:1e:ee:f2:1c:68:7f:b1:02:b9:c6:
+         af:c1:0f:af:6f:58:49:da:1c:db:7b:3d:7a:4e:80:0f:1f:2f:
+         43:b5:68:43
 -----BEGIN CERTIFICATE-----
-MIIDnDCCAoSgAwIBAgIUW9FqfdnEmhrGEUQS/Mqh9HlrG6IwDQYJKoZIhvcNAQEL
+MIIDnDCCAoSgAwIBAgIUeUEOOApfJEEkSJr/9Vw9WqEBTxgwDQYJKoZIhvcNAQEL
 BQAwfDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0Jv
 emVtYW4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRIwEAYDVQQDDAlsb2NhbGhvc3Qx
-HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwNjE1MjIwMjM0
-WhcNMjQwMzExMjIwMjM0WjB8MQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFu
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIwMjMwNzI1
+WhcNMjQwOTE1MjMwNzI1WjB8MQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFu
 YTEQMA4GA1UEBwwHQm96ZW1hbjEUMBIGA1UECwwLRW5naW5lZXJpbmcxEjAQBgNV
 BAMMCWxvY2FsaG9zdDEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC
 ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMCVCOFXQfJxbbfSRUEnAWXG
@@ -66,10 +66,10 @@ C1loeHOmjBipAm2vwxkBLrgQ48bMQLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEM
 vVSz4W1fHLwjc9EJA4kU0hC5ZMMq0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3
 uhPSl3PiXSXJag3DOWCktLBpQkIJ6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcC
 AwEAAaMWMBQwEgYDVR0RBAswCYIHZ2FyYmFnZTANBgkqhkiG9w0BAQsFAAOCAQEA
-seRneU2D41pJ044zGKLuvcRmQNKBGcj6lQrpj91YzRCKw0P9Yi/KKw3pfShPX0U7
-Jzt9BjkSdcPnLo6C97Eof392g9v16tKHW5CksT5LZKM9CtdBMXEoO1SJILUXZSDJ
-+BslEUSjC7VgN/CS/DsdSgPv4bRhIzOMSC/o3Uv4PZcAVcdJvjVqP+HbMu9/s2qr
-XYvx+0UedR/R5pMkf7JXl1cIJz2UO7OXtAfA5+13muH3kC2vHi8VfNos19uiseVO
-J0wMUgxUodO5MarRHyCRtsF/ckMCY/QTHWZ7gHwetRcDK5VTR+sQY+aOI8rHLQXr
-rdskpObwK6J6N9cgXO2Czg==
+k4VUDMetP62DnaOVAGahjNhWygd5FCziIOIDyGcua0eVj9ju5MQzsJYdBFKFfUfY
+qYmbn6PJ4Ou+5NKJmngESVowDxY+sYIRM+E58EKmcW/5EI96xB+joXCjuI74UiXj
+5xFnVGsBNKifa152hnWhCIv+va4ig0vPIZW2Lj3C8y6n1xa5g8TKqAJlXtJ3Cajz
+MlmwlFbLrRQI+8CY2yVrG8uLj6hMEBJ0ocH/PauEoszz92r0WFIOiZQ9GimR2zlM
+lX09FLaKWHpFBYodlUSrEAOpSiW4CoMkqkfayRVHyloe7vIcaH+xArnGr8EPr29Y
+Sdoc23s9ek6ADx8vQ7VoQw==
 -----END CERTIFICATE-----
diff --git a/certs/test/server-goodalt.der b/certs/test/server-goodalt.der
index fa2afb567..418254873 100644
Binary files a/certs/test/server-goodalt.der and b/certs/test/server-goodalt.der differ
diff --git a/certs/test/server-goodalt.pem b/certs/test/server-goodalt.pem
index 7a393bee3..d9438287c 100644
--- a/certs/test/server-goodalt.pem
+++ b/certs/test/server-goodalt.pem
@@ -2,12 +2,12 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            22:0f:95:6c:4d:29:a8:eb:a8:48:f9:16:e0:f7:9f:52:2c:3d:8c:74
+            71:a9:03:7e:a9:c5:45:28:67:c8:de:a2:78:01:ee:a0:ac:f9:e7:2a
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = www.nomatch.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Jun 15 22:02:33 2021 GMT
-            Not After : Mar 11 22:02:33 2024 GMT
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = www.nomatch.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -36,27 +36,27 @@ Certificate:
             X509v3 Subject Alternative Name: 
                 DNS:localhost
     Signature Algorithm: sha256WithRSAEncryption
-         b3:56:1e:6c:00:74:10:74:01:e6:44:8f:61:f3:db:cb:57:3a:
-         e9:20:d7:09:ad:85:29:1f:dd:6e:2c:98:21:7b:46:51:10:56:
-         38:10:9b:7b:ad:f4:8c:6c:29:78:13:33:33:c3:17:7d:a6:d3:
-         45:1c:25:cf:dd:4b:4e:9e:19:62:86:6b:f8:6b:40:ec:96:09:
-         0f:6a:a5:2c:79:3b:1d:b5:87:78:f2:6c:31:1d:01:1e:1e:c1:
-         29:14:fe:85:e2:0f:bc:4c:bb:2d:93:be:41:b3:46:4f:ea:a4:
-         9d:35:bb:f4:fc:0c:9b:c4:ae:1d:94:76:7c:cc:7c:22:13:2c:
-         87:cf:ea:89:3f:de:c1:26:02:6f:68:58:47:df:94:e7:7e:56:
-         a8:9c:5e:99:15:d4:c2:d3:2e:a8:9f:d5:61:1c:7d:46:a7:57:
-         70:58:31:b7:aa:60:ae:5c:1d:4a:07:54:02:77:a7:f9:a8:b2:
-         8a:ca:6a:14:bf:83:e1:2f:e5:28:bf:d7:de:e7:fb:47:bc:f2:
-         84:78:11:f9:41:bf:33:d6:c8:17:1a:da:ff:eb:fd:32:75:cd:
-         08:47:78:0c:26:16:2e:dc:75:db:e8:44:f8:10:87:b1:94:16:
-         eb:c3:29:3d:fb:ae:46:5e:9a:42:4d:40:03:c1:58:50:67:ff:
-         e6:77:9c:9a
+         ac:1e:a6:79:4b:28:cb:c3:70:f7:66:ab:fb:44:9e:ca:20:b2:
+         43:61:93:cf:23:d6:2c:ec:f1:bf:01:1f:0f:f6:4e:08:00:50:
+         3c:b0:86:4c:29:7b:6f:f2:2c:e2:9f:47:97:4e:d7:1a:9e:02:
+         cb:cd:fa:d1:67:31:f0:99:10:82:d9:e6:53:4a:d6:71:07:10:
+         aa:f3:98:15:81:59:5a:2b:41:7f:79:fd:ae:bf:0f:4d:aa:c2:
+         68:36:5d:21:d4:25:e6:40:ff:b1:df:dd:eb:bb:ec:0a:04:2c:
+         2f:1a:08:39:6f:85:c7:53:39:35:36:13:4c:23:7b:24:d1:f3:
+         0b:88:8b:11:94:4c:ad:66:26:6e:d8:30:81:f2:c0:3e:fe:30:
+         ab:45:b9:10:88:d4:19:b1:a6:9d:5e:c1:3f:b0:8b:eb:44:fd:
+         ae:f0:46:44:23:04:f6:59:02:f4:66:47:15:07:7a:ed:41:a2:
+         11:46:87:78:06:5a:79:ef:58:68:8c:ae:81:34:c6:96:d5:64:
+         c8:45:31:a0:e9:0c:92:1e:90:67:c8:66:a4:df:70:7b:5d:ee:
+         b4:25:dc:8e:de:21:77:28:c9:c8:df:45:2c:6c:59:e8:5d:6f:
+         95:a6:b6:58:df:57:65:6b:5f:f3:f5:6e:e7:ad:71:04:c6:63:
+         fd:61:02:65
 -----BEGIN CERTIFICATE-----
-MIIDrDCCApSgAwIBAgIUIg+VbE0pqOuoSPkW4PefUiw9jHQwDQYJKoZIhvcNAQEL
+MIIDrDCCApSgAwIBAgIUcakDfqnFRShnyN6ieAHuoKz55yowDQYJKoZIhvcNAQEL
 BQAwgYIxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
 b3plbWFuMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEYMBYGA1UEAwwPd3d3Lm5vbWF0
-Y2guY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMDYx
-NTIyMDIzM1oXDTI0MDMxMTIyMDIzM1owgYIxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
+Y2guY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMTIy
+MDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgYIxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
 DAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYDVQQLDAtFbmdpbmVlcmlu
 ZzEYMBYGA1UEAwwPd3d3Lm5vbWF0Y2guY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZv
 QHdvbGZzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwJUI
@@ -66,10 +66,10 @@ Q7ilHFw0s64AoGPF9n8LWWh4c6aMGKkCba/DGQEuuBDjxsxAtGmjRjNph27Euxem
 8+jdrXO8ey8htf1mUQy9VLPhbV8cvCNz0QkDiRTSELlkwyrQoZZKvOHUGlvHoMDB
 Y3gPRDcwMpaAMiOVoXe6E9KXc+JdJclqDcM5YKS0sGlCQgnp2Ai8MyCzWCKnquvE
 4eZhg8XSlt/Z0E+t1wIDAQABoxgwFjAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJ
-KoZIhvcNAQELBQADggEBALNWHmwAdBB0AeZEj2Hz28tXOukg1wmthSkf3W4smCF7
-RlEQVjgQm3ut9IxsKXgTMzPDF32m00UcJc/dS06eGWKGa/hrQOyWCQ9qpSx5Ox21
-h3jybDEdAR4ewSkU/oXiD7xMuy2TvkGzRk/qpJ01u/T8DJvErh2UdnzMfCITLIfP
-6ok/3sEmAm9oWEfflOd+VqicXpkV1MLTLqif1WEcfUanV3BYMbeqYK5cHUoHVAJ3
-p/mosorKahS/g+Ev5Si/197n+0e88oR4EflBvzPWyBca2v/r/TJ1zQhHeAwmFi7c
-ddvoRPgQh7GUFuvDKT37rkZemkJNQAPBWFBn/+Z3nJo=
+KoZIhvcNAQELBQADggEBAKwepnlLKMvDcPdmq/tEnsogskNhk88j1izs8b8BHw/2
+TggAUDywhkwpe2/yLOKfR5dO1xqeAsvN+tFnMfCZEILZ5lNK1nEHEKrzmBWBWVor
+QX95/a6/D02qwmg2XSHUJeZA/7Hf3eu77AoELC8aCDlvhcdTOTU2E0wjeyTR8wuI
+ixGUTK1mJm7YMIHywD7+MKtFuRCI1Bmxpp1ewT+wi+tE/a7wRkQjBPZZAvRmRxUH
+eu1BohFGh3gGWnnvWGiMroE0xpbVZMhFMaDpDJIekGfIZqTfcHtd7rQl3I7eIXco
+ycjfRSxsWehdb5WmtljfV2VrX/P1buetcQTGY/1hAmU=
 -----END CERTIFICATE-----
diff --git a/certs/test/server-goodaltwild.der b/certs/test/server-goodaltwild.der
index 67fa3a9c8..fb899ec76 100644
Binary files a/certs/test/server-goodaltwild.der and b/certs/test/server-goodaltwild.der differ
diff --git a/certs/test/server-goodaltwild.pem b/certs/test/server-goodaltwild.pem
index dd2620d0e..8b7579e8c 100644
--- a/certs/test/server-goodaltwild.pem
+++ b/certs/test/server-goodaltwild.pem
@@ -2,12 +2,12 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            51:c8:76:f6:e4:03:7b:88:d2:98:fb:66:35:aa:83:d3:f3:c7:c4:01
+            64:f2:d4:d2:af:4e:fb:8a:b2:32:ff:0c:ab:80:ee:5a:5c:47:52:6b
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = www.nomatch.com, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Jun 15 22:02:33 2021 GMT
-            Not After : Mar 11 22:02:33 2024 GMT
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = www.nomatch.com, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -36,27 +36,27 @@ Certificate:
             X509v3 Subject Alternative Name: 
                 DNS:*localhost
     Signature Algorithm: sha256WithRSAEncryption
-         bd:57:16:44:c4:39:a1:e6:12:50:8b:f9:2f:53:74:92:b6:42:
-         6c:34:2d:9e:82:7b:f3:e5:c5:9b:93:a7:26:a2:3b:2c:eb:99:
-         cf:f0:2e:af:de:ac:8a:a7:0c:a5:d6:fb:0c:65:be:4c:ea:39:
-         7d:60:4a:d3:1e:fb:48:0d:4c:90:12:1d:41:96:f5:80:be:52:
-         e3:57:23:5a:4d:4d:03:6c:82:7c:75:0e:8a:ec:2c:ee:f3:05:
-         80:84:7a:58:a2:d6:58:05:31:27:ae:8f:6b:52:c3:93:eb:66:
-         23:0b:15:d0:5f:cc:fd:ca:af:f9:94:6b:4d:0d:05:6b:65:22:
-         35:d2:0c:ed:bf:82:02:52:bf:28:08:b4:6e:7e:7f:9e:eb:37:
-         93:89:b8:1d:4a:17:eb:f7:e3:8c:1f:6f:8a:00:6c:85:57:c3:
-         17:86:94:d4:50:fd:a1:74:01:41:92:cc:16:52:5a:8e:fc:30:
-         2e:fd:13:3f:0a:a6:fc:89:e1:4c:83:30:b7:82:76:7a:ee:c4:
-         57:77:e6:2f:75:27:b8:28:76:f4:9f:db:13:4b:de:9c:6c:ce:
-         b7:d9:39:7c:2a:f9:52:59:e2:ba:10:33:86:73:f6:a8:52:f2:
-         58:0c:bd:11:e5:fd:b1:3d:ab:10:33:a1:56:84:5e:af:ad:23:
-         44:99:30:19
+         4d:6d:8a:2d:3f:12:f3:09:c1:a5:19:1c:62:33:f9:5c:f9:6e:
+         3c:78:5f:cd:73:be:f5:a9:43:54:44:85:2d:17:62:e3:24:ce:
+         11:dc:83:89:41:d3:f1:24:0c:e4:76:01:8c:e4:7a:94:e5:cc:
+         d8:5e:6d:91:f9:c4:76:a8:c9:6c:dc:1d:a6:74:29:a8:9e:87:
+         a7:f1:16:08:51:fb:eb:a7:34:e0:2c:f5:ee:d7:1c:09:11:c9:
+         a5:78:55:ba:e4:57:95:b8:13:8c:e4:40:44:da:eb:4e:e6:de:
+         74:4c:b1:d9:c7:60:e3:a1:d1:c6:d5:de:52:ec:7e:92:3e:0b:
+         a9:e6:c7:46:73:ad:4b:f6:45:2b:4e:f2:4f:be:9c:fb:59:8f:
+         b4:0d:66:36:bb:27:54:cc:bb:3f:10:44:b0:ce:b8:b3:fd:fb:
+         7e:63:5d:1f:cb:85:cf:af:35:62:df:a6:08:6e:34:a8:00:53:
+         09:da:79:7d:e2:b5:60:55:ec:42:43:df:58:72:c1:f4:b6:ae:
+         0f:70:c9:83:96:7a:61:b5:e9:d3:17:7c:51:20:7c:1a:1a:d9:
+         bc:9f:d3:b1:aa:86:17:86:1c:91:cd:53:c9:a7:2c:dd:b3:dd:
+         42:3b:cc:c7:c8:0a:2d:88:cb:93:a0:33:ea:87:38:31:25:87:
+         b6:85:a1:af
 -----BEGIN CERTIFICATE-----
-MIIDrTCCApWgAwIBAgIUUch29uQDe4jSmPtmNaqD0/PHxAEwDQYJKoZIhvcNAQEL
+MIIDrTCCApWgAwIBAgIUZPLU0q9O+4qyMv8Mq4DuWlxHUmswDQYJKoZIhvcNAQEL
 BQAwgYIxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
 b3plbWFuMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEYMBYGA1UEAwwPd3d3Lm5vbWF0
-Y2guY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMDYx
-NTIyMDIzM1oXDTI0MDMxMTIyMDIzM1owgYIxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
+Y2guY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMTIy
+MDIzMDcyNVoXDTI0MDkxNTIzMDcyNVowgYIxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
 DAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYDVQQLDAtFbmdpbmVlcmlu
 ZzEYMBYGA1UEAwwPd3d3Lm5vbWF0Y2guY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZv
 QHdvbGZzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwJUI
@@ -66,10 +66,10 @@ Q7ilHFw0s64AoGPF9n8LWWh4c6aMGKkCba/DGQEuuBDjxsxAtGmjRjNph27Euxem
 8+jdrXO8ey8htf1mUQy9VLPhbV8cvCNz0QkDiRTSELlkwyrQoZZKvOHUGlvHoMDB
 Y3gPRDcwMpaAMiOVoXe6E9KXc+JdJclqDcM5YKS0sGlCQgnp2Ai8MyCzWCKnquvE
 4eZhg8XSlt/Z0E+t1wIDAQABoxkwFzAVBgNVHREEDjAMggoqbG9jYWxob3N0MA0G
-CSqGSIb3DQEBCwUAA4IBAQC9VxZExDmh5hJQi/kvU3SStkJsNC2egnvz5cWbk6cm
-ojss65nP8C6v3qyKpwyl1vsMZb5M6jl9YErTHvtIDUyQEh1BlvWAvlLjVyNaTU0D
-bIJ8dQ6K7Czu8wWAhHpYotZYBTEnro9rUsOT62YjCxXQX8z9yq/5lGtNDQVrZSI1
-0gztv4ICUr8oCLRufn+e6zeTibgdShfr9+OMH2+KAGyFV8MXhpTUUP2hdAFBkswW
-UlqO/DAu/RM/Cqb8ieFMgzC3gnZ67sRXd+YvdSe4KHb0n9sTS96cbM632Tl8KvlS
-WeK6EDOGc/aoUvJYDL0R5f2xPasQM6FWhF6vrSNEmTAZ
+CSqGSIb3DQEBCwUAA4IBAQBNbYotPxLzCcGlGRxiM/lc+W48eF/Nc771qUNURIUt
+F2LjJM4R3IOJQdPxJAzkdgGM5HqU5czYXm2R+cR2qMls3B2mdCmonoen8RYIUfvr
+pzTgLPXu1xwJEcmleFW65FeVuBOM5EBE2utO5t50TLHZx2DjodHG1d5S7H6SPgup
+5sdGc61L9kUrTvJPvpz7WY+0DWY2uydUzLs/EESwzriz/ft+Y10fy4XPrzVi36YI
+bjSoAFMJ2nl94rVgVexCQ99YcsH0tq4PcMmDlnphtenTF3xRIHwaGtm8n9OxqoYX
+hhyRzVPJpyzds91CO8zHyAotiMuToDPqhzgxJYe2haGv
 -----END CERTIFICATE-----
diff --git a/certs/test/server-goodcn.der b/certs/test/server-goodcn.der
index 87bb4e792..dd16112db 100644
Binary files a/certs/test/server-goodcn.der and b/certs/test/server-goodcn.der differ
diff --git a/certs/test/server-goodcn.pem b/certs/test/server-goodcn.pem
index e7beeae77..f1c82e348 100644
--- a/certs/test/server-goodcn.pem
+++ b/certs/test/server-goodcn.pem
@@ -2,12 +2,12 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            71:8f:a1:ae:aa:b4:f3:7c:c3:2c:f9:3a:31:06:28:a3:78:f4:fe:1c
+            02:17:be:98:88:b8:ac:3f:f9:f3:e3:55:4a:f8:57:4b:73:62:6c:e5
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Jun 15 22:02:33 2021 GMT
-            Not After : Mar 11 22:02:33 2024 GMT
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -33,27 +33,27 @@ Certificate:
                     ad:d7
                 Exponent: 65537 (0x10001)
     Signature Algorithm: sha256WithRSAEncryption
-         94:fb:ed:5e:58:16:79:bd:08:1c:6c:04:eb:00:59:b2:f8:2f:
-         cf:8f:d3:22:80:4c:df:ad:6d:ef:42:0a:f7:70:ce:4a:2f:9a:
-         69:33:05:de:1f:0e:f5:55:a5:55:de:e0:da:82:28:da:bc:b5:
-         8f:22:d9:fe:bf:5d:37:6c:a0:13:1b:f0:94:ff:ee:90:2a:6c:
-         9c:bc:ff:7b:cd:85:65:59:f1:08:8e:fc:10:f3:38:8b:7e:37:
-         b0:82:71:24:0f:b9:02:94:61:21:d1:cd:7e:a3:ba:e9:59:80:
-         32:ac:42:f3:81:92:22:ac:bf:6c:3f:be:5b:c3:72:30:cc:89:
-         f8:34:0c:fb:cd:28:94:3d:8c:c5:2b:64:77:73:94:6f:4e:bb:
-         ce:ab:68:77:70:b0:6d:88:5f:3c:9f:dd:8e:94:44:02:87:8c:
-         33:64:44:a6:a5:b2:d0:5e:d6:cf:1b:92:7b:de:7d:97:6f:4a:
-         cd:d1:d2:75:86:1d:85:d1:24:7d:33:e0:58:8f:d8:0f:cf:b3:
-         2b:22:00:25:d8:7d:e5:94:19:b6:33:c5:c0:89:a5:d2:b9:3b:
-         27:3f:57:f9:1b:9e:40:16:2a:d1:9e:3b:ed:61:53:9a:38:58:
-         bf:0c:68:ce:e5:f8:4d:a3:fa:98:1b:81:74:7d:ae:5d:c3:11:
-         f8:55:2d:11
+         70:02:b0:eb:28:06:0d:32:9e:0c:9d:da:7a:79:67:f6:ea:77:
+         f1:e8:6b:fe:d0:30:bf:38:8c:40:71:27:d4:b9:13:ac:94:59:
+         63:b4:81:f3:d9:cf:65:7a:09:3f:ab:87:35:35:cb:1f:84:a2:
+         18:26:4a:7e:3b:59:04:34:c1:3b:b4:df:92:76:2e:d3:16:09:
+         e7:cf:de:05:e5:39:27:ff:ed:55:fc:c5:66:81:07:d3:ac:e7:
+         45:7f:9c:37:2f:4d:44:d1:09:9f:98:1f:27:17:5f:cf:7d:bc:
+         47:90:94:97:4f:47:d3:d3:8a:ea:09:61:8d:11:a6:0f:f8:90:
+         48:f8:c7:a6:35:4c:c6:f9:be:70:aa:ae:88:af:03:77:62:9c:
+         d0:a1:20:f5:f8:33:d9:63:53:07:93:65:3b:d9:8e:17:9a:67:
+         26:26:9e:c5:1e:25:f7:b9:66:39:4b:39:fe:85:17:e7:94:1c:
+         2a:4e:82:22:c5:46:19:70:5b:55:e6:7c:b1:9d:64:c4:d2:6a:
+         34:99:43:7f:df:d8:c6:43:e9:77:e2:f0:5a:3e:73:ab:30:b7:
+         8f:d5:c6:5a:41:66:fd:5a:a4:c4:27:9a:5e:99:83:1d:cc:8c:
+         e1:91:9b:fd:9d:f4:a0:b4:0f:22:cc:7d:29:cd:43:18:3a:4d:
+         f0:bb:9c:82
 -----BEGIN CERTIFICATE-----
-MIIDhDCCAmygAwIBAgIUcY+hrqq083zDLPk6MQYoo3j0/hwwDQYJKoZIhvcNAQEL
+MIIDhDCCAmygAwIBAgIUAhe+mIi4rD/58+NVSvhXS3NibOUwDQYJKoZIhvcNAQEL
 BQAwfDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0Jv
 emVtYW4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRIwEAYDVQQDDAlsb2NhbGhvc3Qx
-HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwNjE1MjIwMjMz
-WhcNMjQwMzExMjIwMjMzWjB8MQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFu
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIwMjMwNzI1
+WhcNMjQwOTE1MjMwNzI1WjB8MQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFu
 YTEQMA4GA1UEBwwHQm96ZW1hbjEUMBIGA1UECwwLRW5naW5lZXJpbmcxEjAQBgNV
 BAMMCWxvY2FsaG9zdDEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC
 ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMCVCOFXQfJxbbfSRUEnAWXG
@@ -62,10 +62,10 @@ e7rgIeVyLm8uhtiVc9qsG1O5Xz/XGQ0lT+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/
 C1loeHOmjBipAm2vwxkBLrgQ48bMQLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEM
 vVSz4W1fHLwjc9EJA4kU0hC5ZMMq0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3
 uhPSl3PiXSXJag3DOWCktLBpQkIJ6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcC
-AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAlPvtXlgWeb0IHGwE6wBZsvgvz4/TIoBM
-361t70IK93DOSi+aaTMF3h8O9VWlVd7g2oIo2ry1jyLZ/r9dN2ygExvwlP/ukCps
-nLz/e82FZVnxCI78EPM4i343sIJxJA+5ApRhIdHNfqO66VmAMqxC84GSIqy/bD++
-W8NyMMyJ+DQM+80olD2MxStkd3OUb067zqtod3CwbYhfPJ/djpREAoeMM2REpqWy
-0F7WzxuSe959l29KzdHSdYYdhdEkfTPgWI/YD8+zKyIAJdh95ZQZtjPFwIml0rk7
-Jz9X+RueQBYq0Z477WFTmjhYvwxozuX4TaP6mBuBdH2uXcMR+FUtEQ==
+AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcAKw6ygGDTKeDJ3aenln9up38ehr/tAw
+vziMQHEn1LkTrJRZY7SB89nPZXoJP6uHNTXLH4SiGCZKfjtZBDTBO7TfknYu0xYJ
+58/eBeU5J//tVfzFZoEH06znRX+cNy9NRNEJn5gfJxdfz328R5CUl09H09OK6glh
+jRGmD/iQSPjHpjVMxvm+cKquiK8Dd2Kc0KEg9fgz2WNTB5NlO9mOF5pnJiaexR4l
+97lmOUs5/oUX55QcKk6CIsVGGXBbVeZ8sZ1kxNJqNJlDf9/YxkPpd+LwWj5zqzC3
+j9XGWkFm/VqkxCeaXpmDHcyM4ZGb/Z30oLQPIsx9Kc1DGDpN8Lucgg==
 -----END CERTIFICATE-----
diff --git a/certs/test/server-goodcnwild.der b/certs/test/server-goodcnwild.der
index 70248b786..86b22538b 100644
Binary files a/certs/test/server-goodcnwild.der and b/certs/test/server-goodcnwild.der differ
diff --git a/certs/test/server-goodcnwild.pem b/certs/test/server-goodcnwild.pem
index 8f5821d6d..900f84cb9 100644
--- a/certs/test/server-goodcnwild.pem
+++ b/certs/test/server-goodcnwild.pem
@@ -2,12 +2,12 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            54:28:61:98:f6:94:1e:cd:01:47:65:7a:64:cd:f6:1e:37:0a:e4:f3
+            7c:8e:3e:2b:1c:d9:dc:8c:61:59:63:e6:86:64:11:59:c6:76:5d:46
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = *localhost, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Jun 15 22:02:33 2021 GMT
-            Not After : Mar 11 22:02:33 2024 GMT
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = *localhost, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -33,27 +33,27 @@ Certificate:
                     ad:d7
                 Exponent: 65537 (0x10001)
     Signature Algorithm: sha256WithRSAEncryption
-         56:75:ba:9c:6f:c1:b8:3a:4b:a9:11:53:19:78:a8:92:8d:69:
-         b1:30:d8:54:70:dc:db:c8:e2:87:66:f0:a3:82:8c:c7:8a:1a:
-         7b:7b:c7:07:25:ad:ed:7b:7d:21:9b:32:64:54:6b:37:70:ce:
-         fa:f9:86:dc:44:a9:3b:47:4b:90:e6:91:67:29:a1:80:85:74:
-         5c:80:8b:27:87:84:7d:eb:af:96:0a:a5:3d:88:aa:db:0a:8c:
-         ec:6f:4f:bc:ab:f3:8e:bf:13:03:b0:25:87:e4:da:81:ef:06:
-         4c:dd:bf:d4:8b:96:a4:a4:cd:ce:1e:17:98:ac:ed:44:92:82:
-         48:0e:67:c2:8f:2f:cb:3e:e8:cd:9b:80:1c:5a:ed:83:51:be:
-         78:ec:ab:e7:e8:f1:4c:af:50:aa:5b:47:68:31:21:de:88:32:
-         af:cb:74:d4:ba:86:bb:db:5a:78:1e:27:4b:b8:16:53:83:20:
-         84:a4:df:67:68:c0:a1:ab:59:3c:14:8b:3c:f5:37:41:60:d8:
-         7c:bf:bf:fe:d1:72:d2:a5:0b:f5:fc:97:ce:c4:c4:d9:ce:6f:
-         cb:ee:27:7c:a0:9a:d0:ae:0d:a6:85:3e:ed:a6:3e:90:09:c7:
-         5e:df:e9:89:fb:44:dc:64:a9:c1:1b:ef:d7:1f:98:c1:28:0b:
-         f5:33:d3:25
+         bc:c3:20:df:70:21:0a:a0:c4:a2:dd:2e:0c:40:d9:fb:c9:14:
+         9f:9f:90:65:64:38:b2:c6:71:53:7b:e5:00:6f:b9:74:ee:0f:
+         93:c9:e1:bf:d9:e4:ea:77:15:35:ba:35:08:7b:b1:cf:ec:09:
+         e2:ff:b8:8f:a0:03:1c:42:18:66:a5:84:63:29:d3:f8:80:12:
+         d3:3b:31:8d:85:73:ac:08:f8:5c:ee:0f:7f:6a:71:3d:3a:cc:
+         9f:53:b2:27:36:0a:d1:6f:eb:86:f4:fd:cd:ec:81:25:47:4a:
+         85:ca:d8:fa:32:fa:60:a0:1d:c6:68:77:39:0e:96:6e:6b:04:
+         23:84:41:fc:a9:11:26:74:1e:5b:8b:cf:38:27:4a:03:aa:2f:
+         01:36:cd:bd:4a:2e:67:67:c6:3c:fc:35:c4:58:47:b4:56:89:
+         f1:e2:2c:d4:d0:af:26:9c:9c:a1:c0:8c:de:eb:cc:12:f9:cf:
+         09:c5:0b:3d:a8:2f:74:ca:5d:d9:2c:a8:e2:05:f5:f1:43:42:
+         92:72:68:96:fc:c1:14:83:ec:e6:85:b6:31:32:0c:5f:8b:36:
+         8b:78:ad:e0:e3:ed:ba:62:4c:1c:20:c4:4e:5d:77:dc:73:89:
+         c3:b9:5a:7b:60:30:fd:ca:c1:16:c8:46:df:ad:b6:59:0a:f3:
+         98:bc:fb:9c
 -----BEGIN CERTIFICATE-----
-MIIDhjCCAm6gAwIBAgIUVChhmPaUHs0BR2V6ZM32HjcK5PMwDQYJKoZIhvcNAQEL
+MIIDhjCCAm6gAwIBAgIUfI4+KxzZ3IxhWWPmhmQRWcZ2XUYwDQYJKoZIhvcNAQEL
 BQAwfTELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0Jv
 emVtYW4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRMwEQYDVQQDDAoqbG9jYWxob3N0
-MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMDYxNTIyMDIz
-M1oXDTI0MDMxMTIyMDIzM1owfTELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRh
+MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIxMTIyMDIzMDcy
+NVoXDTI0MDkxNTIzMDcyNVowfTELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRh
 bmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRMwEQYD
 VQQDDAoqbG9jYWxob3N0MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwJUI4VdB8nFtt9JFQScB
@@ -62,10 +62,10 @@ yl17uuAh5XIuby6G2JVz2qwbU7lfP9cZDSVP4WNjUYsLZD+tQ7ilHFw0s64AoGPF
 9n8LWWh4c6aMGKkCba/DGQEuuBDjxsxAtGmjRjNph27Euxem8+jdrXO8ey8htf1m
 UQy9VLPhbV8cvCNz0QkDiRTSELlkwyrQoZZKvOHUGlvHoMDBY3gPRDcwMpaAMiOV
 oXe6E9KXc+JdJclqDcM5YKS0sGlCQgnp2Ai8MyCzWCKnquvE4eZhg8XSlt/Z0E+t
-1wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBWdbqcb8G4OkupEVMZeKiSjWmxMNhU
-cNzbyOKHZvCjgozHihp7e8cHJa3te30hmzJkVGs3cM76+YbcRKk7R0uQ5pFnKaGA
-hXRcgIsnh4R966+WCqU9iKrbCozsb0+8q/OOvxMDsCWH5NqB7wZM3b/Ui5akpM3O
-HheYrO1EkoJIDmfCjy/LPujNm4AcWu2DUb547Kvn6PFMr1CqW0doMSHeiDKvy3TU
-uoa721p4HidLuBZTgyCEpN9naMChq1k8FIs89TdBYNh8v7/+0XLSpQv1/JfOxMTZ
-zm/L7id8oJrQrg2mhT7tpj6QCcde3+mJ+0TcZKnBG+/XH5jBKAv1M9Ml
+1wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQC8wyDfcCEKoMSi3S4MQNn7yRSfn5Bl
+ZDiyxnFTe+UAb7l07g+TyeG/2eTqdxU1ujUIe7HP7Ani/7iPoAMcQhhmpYRjKdP4
+gBLTOzGNhXOsCPhc7g9/anE9OsyfU7InNgrRb+uG9P3N7IElR0qFytj6MvpgoB3G
+aHc5DpZuawQjhEH8qREmdB5bi884J0oDqi8BNs29Si5nZ8Y8/DXEWEe0Vonx4izU
+0K8mnJyhwIze68wS+c8JxQs9qC90yl3ZLKjiBfXxQ0KScmiW/MEUg+zmhbYxMgxf
+izaLeK3g4+26YkwcIMROXXfcc4nDuVp7YDD9ysEWyEbfrbZZCvOYvPuc
 -----END CERTIFICATE-----
diff --git a/certs/test/server-localhost.der b/certs/test/server-localhost.der
index e7e28d6de..7d439dd45 100644
Binary files a/certs/test/server-localhost.der and b/certs/test/server-localhost.der differ
diff --git a/certs/test/server-localhost.pem b/certs/test/server-localhost.pem
index ae0f7da90..ccfe6f203 100644
--- a/certs/test/server-localhost.pem
+++ b/certs/test/server-localhost.pem
@@ -2,12 +2,12 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            5f:cb:7b:57:73:63:6d:62:69:9f:72:e0:66:15:00:27:fa:b6:b6:b6
+            19:ad:b5:3e:0f:9b:4a:6a:0b:15:a8:5a:f1:ac:02:39:8f:6d:77:1c
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
         Validity
-            Not Before: Jun 15 22:02:34 2021 GMT
-            Not After : Mar 11 22:02:34 2024 GMT
+            Not Before: Dec 20 23:07:25 2021 GMT
+            Not After : Sep 15 23:07:25 2024 GMT
         Subject: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -36,27 +36,27 @@ Certificate:
             X509v3 Subject Alternative Name: 
                 DNS:localhost
     Signature Algorithm: sha256WithRSAEncryption
-         40:4f:9f:fa:37:67:e7:64:8a:6a:0b:fd:68:ab:39:09:96:ae:
-         98:b8:9a:16:ab:30:84:ba:6a:89:0f:e5:fd:d1:a0:3f:f5:8f:
-         b8:13:2f:4c:1c:a1:a6:8d:59:f0:ab:61:f2:c8:af:0b:e2:fc:
-         b5:14:17:f9:a5:b6:ba:ad:d8:70:01:0b:9a:d4:3e:c2:04:06:
-         65:f1:25:4f:de:36:ef:52:3e:a9:27:77:5d:89:5d:7a:7b:ef:
-         3d:28:ad:0f:2e:6e:74:4f:67:41:7c:37:17:c9:8a:71:05:10:
-         66:11:b0:f6:15:b5:59:0f:29:dc:0c:93:cc:bd:3c:6d:93:40:
-         28:a4:59:de:7b:f4:f5:31:1c:0b:b1:db:c8:39:00:70:39:3a:
-         3b:31:fc:de:02:e2:00:1e:e1:35:cf:8a:ca:0b:15:ae:ac:63:
-         92:d2:33:77:54:0e:56:6f:b7:1b:84:f9:e5:fc:4e:2e:db:26:
-         5f:bd:51:a0:bb:d7:23:0b:8f:d7:24:4d:ab:df:74:46:fe:9f:
-         17:55:23:0d:a7:9a:ea:56:d7:a7:a9:cd:3e:18:60:14:d2:fd:
-         9a:b7:61:4c:0b:6f:60:ac:9c:e9:81:db:e1:13:4f:4b:80:43:
-         57:c1:05:86:a6:23:6e:b7:61:ed:76:58:d3:65:dc:6b:eb:92:
-         ac:35:fa:0a
+         31:f1:f2:e1:ea:37:cb:0b:cc:13:9c:75:3a:b1:5d:fe:e4:e6:
+         cc:08:99:52:cf:25:96:78:bb:6a:4b:92:6b:b8:16:47:a6:b1:
+         4c:73:05:0b:33:e2:58:b6:a0:5d:84:46:3b:a6:b2:37:f8:97:
+         cc:8b:de:ac:12:0c:94:4c:9a:9d:46:0a:29:22:24:c4:ae:20:
+         24:1c:a9:e6:3c:79:fe:27:fb:3d:bb:d0:6c:b5:f7:db:a5:1c:
+         da:77:64:84:f0:54:ff:cc:b8:ae:8d:46:8e:6d:56:43:cd:4a:
+         e5:79:a6:eb:01:2d:58:ee:d3:2d:ca:d9:c9:9d:55:99:dc:c0:
+         88:ef:63:cc:0a:75:9d:60:ba:5a:10:43:e7:db:82:e0:3b:b4:
+         d3:f4:1a:e0:09:44:8a:da:29:7b:c4:68:01:f7:0b:92:5f:30:
+         2a:68:ed:a8:96:bf:a7:29:92:d2:14:1d:f5:5b:26:0d:fa:13:
+         dc:38:07:95:c5:90:dc:e1:c9:f5:fc:aa:02:2c:d6:a4:7b:80:
+         f9:00:ee:13:15:81:05:33:9f:54:bf:a4:38:fe:fb:c6:29:35:
+         28:97:39:8f:f2:60:b8:c8:a9:10:bb:ab:bd:bd:fb:d5:8d:e0:
+         e2:9e:84:44:15:ff:8d:d7:b1:1c:4b:3e:bd:fc:3c:02:b0:b4:
+         a4:27:ef:2b
 -----BEGIN CERTIFICATE-----
-MIIDnjCCAoagAwIBAgIUX8t7V3NjbWJpn3LgZhUAJ/q2trYwDQYJKoZIhvcNAQEL
+MIIDnjCCAoagAwIBAgIUGa21Pg+bSmoLFaha8awCOY9tdxwwDQYJKoZIhvcNAQEL
 BQAwfDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0Jv
 emVtYW4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRIwEAYDVQQDDAlsb2NhbGhvc3Qx
-HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwNjE1MjIwMjM0
-WhcNMjQwMzExMjIwMjM0WjB8MQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFu
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIwMjMwNzI1
+WhcNMjQwOTE1MjMwNzI1WjB8MQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFu
 YTEQMA4GA1UEBwwHQm96ZW1hbjEUMBIGA1UECwwLRW5naW5lZXJpbmcxEjAQBgNV
 BAMMCWxvY2FsaG9zdDEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC
 ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMCVCOFXQfJxbbfSRUEnAWXG
@@ -66,10 +66,10 @@ C1loeHOmjBipAm2vwxkBLrgQ48bMQLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEM
 vVSz4W1fHLwjc9EJA4kU0hC5ZMMq0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3
 uhPSl3PiXSXJag3DOWCktLBpQkIJ6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcC
 AwEAAaMYMBYwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IB
-AQBAT5/6N2fnZIpqC/1oqzkJlq6YuJoWqzCEumqJD+X90aA/9Y+4Ey9MHKGmjVnw
-q2HyyK8L4vy1FBf5pba6rdhwAQua1D7CBAZl8SVP3jbvUj6pJ3ddiV16e+89KK0P
-Lm50T2dBfDcXyYpxBRBmEbD2FbVZDyncDJPMvTxtk0AopFnee/T1MRwLsdvIOQBw
-OTo7MfzeAuIAHuE1z4rKCxWurGOS0jN3VA5Wb7cbhPnl/E4u2yZfvVGgu9cjC4/X
-JE2r33RG/p8XVSMNp5rqVtenqc0+GGAU0v2at2FMC29grJzpgdvhE09LgENXwQWG
-piNut2HtdljTZdxr65KsNfoK
+AQAx8fLh6jfLC8wTnHU6sV3+5ObMCJlSzyWWeLtqS5JruBZHprFMcwULM+JYtqBd
+hEY7prI3+JfMi96sEgyUTJqdRgopIiTEriAkHKnmPHn+J/s9u9BstffbpRzad2SE
+8FT/zLiujUaObVZDzUrleabrAS1Y7tMtytnJnVWZ3MCI72PMCnWdYLpaEEPn24Lg
+O7TT9BrgCUSK2il7xGgB9wuSXzAqaO2olr+nKZLSFB31WyYN+hPcOAeVxZDc4cn1
+/KoCLNake4D5AO4TFYEFM59Uv6Q4/vvGKTUolzmP8mC4yKkQu6u9vfvVjeDinoRE
+Ff+N17EcSz69/DwCsLSkJ+8r
 -----END CERTIFICATE-----
diff --git a/configure.ac b/configure.ac
index 6a85eeebb..ef20fc2f1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4773,7 +4773,8 @@ fi
 
 if test "$ENABLED_KRB" = "yes"
 then
-    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KRB -DWOLFSSL_AES_DIRECT"
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KRB -DWOLFSSL_AES_DIRECT -DWOLFSSL_DES_ECB"
+    AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"
 
     # Requires PKCS7
     if test "x$ENABLED_PKCS7" = "xno"
diff --git a/examples/benchmark/tls_bench.c b/examples/benchmark/tls_bench.c
index 3521cf744..2294cd08f 100644
--- a/examples/benchmark/tls_bench.c
+++ b/examples/benchmark/tls_bench.c
@@ -271,7 +271,7 @@ static struct group_info groups[] = {
     { WOLFSSL_FFDHE_4096, "FFDHE_4096" },
     { WOLFSSL_FFDHE_6144, "FFDHE_6144" },
     { WOLFSSL_FFDHE_8192, "FFDHE_8192" },
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     { WOLFSSL_NTRU_HPS_LEVEL1, "NTRU_HPS_LEVEL1" },
     { WOLFSSL_NTRU_HPS_LEVEL3, "NTRU_HPS_LEVEL3" },
     { WOLFSSL_NTRU_HPS_LEVEL5, "NTRU_HPS_LEVEL5" },
diff --git a/examples/client/client.c b/examples/client/client.c
index 68cf8017d..93f3cc48c 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -286,7 +286,7 @@ static void ShowVersions(void)
 #if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
 #define MAX_GROUP_NUMBER 4
 static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
-                        int useX448, int useLibOqs, char* oqsAlg, int setGroups)
+                        int useX448, int usePqc, char* pqcAlg, int setGroups)
 {
     int ret;
     int groups[MAX_GROUP_NUMBER] = {0};
@@ -294,8 +294,8 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
 
     (void)useX25519;
     (void)useX448;
-    (void)useLibOqs;
-    (void)oqsAlg;
+    (void)usePqc;
+    (void)pqcAlg;
 
     WOLFSSL_START(WC_FUNC_CLIENT_KEY_EXCHANGE_SEND);
     if (onlyKeyShare == 0 || onlyKeyShare == 2) {
@@ -362,120 +362,120 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
         } while (ret == WC_PENDING_E);
     #endif
     }
-    #ifdef HAVE_LIBOQS
+    #ifdef HAVE_PQC
     if (onlyKeyShare == 0 || onlyKeyShare == 3) {
-        if (useLibOqs) {
+        if (usePqc) {
             int group = 0;
 
-            if (XSTRNCMP(oqsAlg, "KYBER_LEVEL1", XSTRLEN("KYBER_LEVEL1")) == 0) {
+            if (XSTRNCMP(pqcAlg, "KYBER_LEVEL1", XSTRLEN("KYBER_LEVEL1")) == 0) {
                 group = WOLFSSL_KYBER_LEVEL1;
             }
-            else if (XSTRNCMP(oqsAlg, "KYBER_LEVEL3",
+            else if (XSTRNCMP(pqcAlg, "KYBER_LEVEL3",
                                 XSTRLEN("KYBER_LEVEL3")) == 0) {
                 group = WOLFSSL_KYBER_LEVEL3;
             }
-            else if (XSTRNCMP(oqsAlg, "KYBER_LEVEL5",
+            else if (XSTRNCMP(pqcAlg, "KYBER_LEVEL5",
                                 XSTRLEN("KYBER_LEVEL5")) == 0) {
                 group = WOLFSSL_KYBER_LEVEL5;
             }
-            else if (XSTRNCMP(oqsAlg, "NTRU_HPS_LEVEL1",
+            else if (XSTRNCMP(pqcAlg, "NTRU_HPS_LEVEL1",
                                 XSTRLEN("NTRU_HPS_LEVEL1")) == 0) {
                 group = WOLFSSL_NTRU_HPS_LEVEL1;
             }
-            else if (XSTRNCMP(oqsAlg, "NTRU_HPS_LEVEL3",
+            else if (XSTRNCMP(pqcAlg, "NTRU_HPS_LEVEL3",
                                 XSTRLEN("NTRU_HPS_LEVEL3")) == 0) {
                 group = WOLFSSL_NTRU_HPS_LEVEL3;
             }
-            else if (XSTRNCMP(oqsAlg, "NTRU_HPS_LEVEL5",
+            else if (XSTRNCMP(pqcAlg, "NTRU_HPS_LEVEL5",
                                 XSTRLEN("NTRU_HPS_LEVEL5")) == 0) {
                 group = WOLFSSL_NTRU_HPS_LEVEL5;
             }
-            else if (XSTRNCMP(oqsAlg, "NTRU_HRSS_LEVEL3",
+            else if (XSTRNCMP(pqcAlg, "NTRU_HRSS_LEVEL3",
                                 XSTRLEN("NTRU_HRSS_LEVEL3")) == 0) {
                 group = WOLFSSL_NTRU_HRSS_LEVEL3;
             }
-            else if (XSTRNCMP(oqsAlg, "SABER_LEVEL1",
+            else if (XSTRNCMP(pqcAlg, "SABER_LEVEL1",
                                 XSTRLEN("SABER_LEVEL1")) == 0) {
                 group = WOLFSSL_SABER_LEVEL1;
             }
-            else if (XSTRNCMP(oqsAlg, "SABER_LEVEL3",
+            else if (XSTRNCMP(pqcAlg, "SABER_LEVEL3",
                                 XSTRLEN("SABER_LEVEL3")) == 0) {
                 group = WOLFSSL_SABER_LEVEL3;
             }
-            else if (XSTRNCMP(oqsAlg, "SABER_LEVEL5",
+            else if (XSTRNCMP(pqcAlg, "SABER_LEVEL5",
                                 XSTRLEN("SABER_LEVEL5")) == 0) {
                 group = WOLFSSL_SABER_LEVEL5;
             }
-            else if (XSTRNCMP(oqsAlg, "KYBER_90S_LEVEL1",
+            else if (XSTRNCMP(pqcAlg, "KYBER_90S_LEVEL1",
                                 XSTRLEN("KYBER_90S_LEVEL1")) == 0) {
                 group = WOLFSSL_KYBER_90S_LEVEL1;
             }
-            else if (XSTRNCMP(oqsAlg, "KYBER_90S_LEVEL3",
+            else if (XSTRNCMP(pqcAlg, "KYBER_90S_LEVEL3",
                                 XSTRLEN("KYBER_90S_LEVEL3")) == 0) {
                 group = WOLFSSL_KYBER_90S_LEVEL3;
             }
-            else if (XSTRNCMP(oqsAlg, "KYBER_90S_LEVEL5",
+            else if (XSTRNCMP(pqcAlg, "KYBER_90S_LEVEL5",
                                 XSTRLEN("KYBER_90S_LEVEL5")) == 0) {
                 group = WOLFSSL_KYBER_90S_LEVEL5;
             }
-            else if (XSTRNCMP(oqsAlg, "P256_NTRU_HPS_LEVEL1",
+            else if (XSTRNCMP(pqcAlg, "P256_NTRU_HPS_LEVEL1",
                                 XSTRLEN("P256_NTRU_HPS_LEVEL1")) == 0) {
                 group = WOLFSSL_P256_NTRU_HPS_LEVEL1;
             }
-            else if (XSTRNCMP(oqsAlg, "P384_NTRU_HPS_LEVEL3",
+            else if (XSTRNCMP(pqcAlg, "P384_NTRU_HPS_LEVEL3",
                                 XSTRLEN("P384_NTRU_HPS_LEVEL3")) == 0) {
                 group = WOLFSSL_P384_NTRU_HPS_LEVEL3;
             }
-            else if (XSTRNCMP(oqsAlg, "P521_NTRU_HPS_LEVEL5",
+            else if (XSTRNCMP(pqcAlg, "P521_NTRU_HPS_LEVEL5",
                                 XSTRLEN("P521_NTRU_HPS_LEVEL5")) == 0) {
                 group = WOLFSSL_P521_NTRU_HPS_LEVEL5;
             }
-            else if (XSTRNCMP(oqsAlg, "P384_NTRU_HRSS_LEVEL3",
+            else if (XSTRNCMP(pqcAlg, "P384_NTRU_HRSS_LEVEL3",
                                 XSTRLEN("P384_NTRU_HRSS_LEVEL3")) == 0) {
                 group = WOLFSSL_P384_NTRU_HRSS_LEVEL3;
             }
-            else if (XSTRNCMP(oqsAlg, "P256_SABER_LEVEL1",
+            else if (XSTRNCMP(pqcAlg, "P256_SABER_LEVEL1",
                                 XSTRLEN("P256_SABER_LEVEL1")) == 0) {
                 group = WOLFSSL_P256_SABER_LEVEL1;
             }
-            else if (XSTRNCMP(oqsAlg, "P384_SABER_LEVEL3",
+            else if (XSTRNCMP(pqcAlg, "P384_SABER_LEVEL3",
                                 XSTRLEN("P384_SABER_LEVEL3")) == 0) {
                 group = WOLFSSL_P384_SABER_LEVEL3;
             }
-            else if (XSTRNCMP(oqsAlg, "P521_SABER_LEVEL5",
+            else if (XSTRNCMP(pqcAlg, "P521_SABER_LEVEL5",
                                 XSTRLEN("P521_SABER_LEVEL5")) == 0) {
                 group = WOLFSSL_P521_SABER_LEVEL5;
             }
-            else if (XSTRNCMP(oqsAlg, "P256_KYBER_LEVEL1",
+            else if (XSTRNCMP(pqcAlg, "P256_KYBER_LEVEL1",
                                 XSTRLEN("P256_KYBER_LEVEL1")) == 0) {
                 group = WOLFSSL_P256_KYBER_LEVEL1;
             }
-            else if (XSTRNCMP(oqsAlg, "P384_KYBER_LEVEL3",
+            else if (XSTRNCMP(pqcAlg, "P384_KYBER_LEVEL3",
                                 XSTRLEN("P384_KYBER_LEVEL3")) == 0) {
                 group = WOLFSSL_P384_KYBER_LEVEL3;
             }
-            else if (XSTRNCMP(oqsAlg, "P521_KYBER_LEVEL5",
+            else if (XSTRNCMP(pqcAlg, "P521_KYBER_LEVEL5",
                                 XSTRLEN("P521_KYBER_LEVEL5")) == 0) {
                 group = WOLFSSL_P521_KYBER_LEVEL5;
             }
-            else if (XSTRNCMP(oqsAlg, "P256_KYBER_90S_LEVEL1",
+            else if (XSTRNCMP(pqcAlg, "P256_KYBER_90S_LEVEL1",
                                 XSTRLEN("P256_KYBER_90S_LEVEL1")) == 0) {
                 group = WOLFSSL_P256_KYBER_90S_LEVEL1;
             }
-            else if (XSTRNCMP(oqsAlg, "P384_KYBER_90S_LEVEL3",
+            else if (XSTRNCMP(pqcAlg, "P384_KYBER_90S_LEVEL3",
                                 XSTRLEN("P384_KYBER_90S_LEVEL3")) == 0) {
                 group = WOLFSSL_P384_KYBER_90S_LEVEL3;
             }
-            else if (XSTRNCMP(oqsAlg, "P521_KYBER_90S_LEVEL5",
+            else if (XSTRNCMP(pqcAlg, "P521_KYBER_90S_LEVEL5",
                                 XSTRLEN("P521_KYBER_90S_LEVEL5")) == 0) {
                 group = WOLFSSL_P521_KYBER_90S_LEVEL5;
             } else {
-                err_sys("invalid OQS KEM specified");
+                err_sys("invalid post-quantum KEM specified");
             }
 
-            printf("Using OQS KEM: %s\n", oqsAlg);
+            printf("Using Post-Quantum KEM: %s\n", pqcAlg);
             if (wolfSSL_UseKeyShare(ssl, group) != WOLFSSL_SUCCESS) {
-                err_sys("unable to use oqs KEM");
+                err_sys("unable to use post-quantum KEM");
             }
         }
     }
@@ -560,7 +560,7 @@ static const char* client_bench_conmsg[][5] = {
 
 static int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port,
     int dtlsUDP, int dtlsSCTP, int benchmark, int resumeSession, int useX25519,
-    int useX448, int useLibOqs, char* oqsAlg, int helloRetry, int onlyKeyShare,
+    int useX448, int usePqc, char* pqcAlg, int helloRetry, int onlyKeyShare,
     int version, int earlyData)
 {
     /* time passed in number of connects give average */
@@ -578,8 +578,8 @@ static int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port,
     (void)resumeSession;
     (void)useX25519;
     (void)useX448;
-    (void)useLibOqs;
-    (void)oqsAlg;
+    (void)usePqc;
+    (void)pqcAlg;
     (void)helloRetry;
     (void)onlyKeyShare;
     (void)version;
@@ -610,7 +610,7 @@ static int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port,
             else if (version >= 4) {
                 if (!helloRetry)
                     SetKeyShare(ssl, onlyKeyShare, useX25519, useX448,
-                                useLibOqs, oqsAlg, 1);
+                                usePqc, pqcAlg, 1);
                 else
                     wolfSSL_NoKeyShares(ssl);
             }
@@ -694,7 +694,7 @@ static int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port,
 /* Measures throughput in mbps. Throughput = number of bytes */
 static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port,
     int dtlsUDP, int dtlsSCTP, int block, size_t throughput, int useX25519,
-    int useX448, int useLibOqs, char* oqsAlg, int exitWithRet, int version,
+    int useX448, int usePqc, char* pqcAlg, int exitWithRet, int version,
     int onlyKeyShare)
 {
     double start, conn_time = 0, tx_time = 0, rx_time = 0;
@@ -714,14 +714,14 @@ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port,
 
     (void)useX25519;
     (void)useX448;
-    (void)useLibOqs;
-    (void)oqsAlg;
+    (void)usePqc;
+    (void)pqcAlg;
     (void)version;
     (void)onlyKeyShare;
 #if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
     if (version >= 4) {
-        SetKeyShare(ssl, onlyKeyShare, useX25519, useX448, useLibOqs,
-                    oqsAlg, 1);
+        SetKeyShare(ssl, onlyKeyShare, useX25519, useX448, usePqc,
+                    pqcAlg, 1);
     }
 #endif
 
@@ -1303,8 +1303,8 @@ static const char* client_usage_msg[][70] = {
         "-7          Set minimum downgrade protocol version [0-4] "
         " SSLv3(0) - TLS1.3(4)\n",                  /* 69 */
 #endif
-#ifdef HAVE_LIBOQS
-        "--oqs <alg> Key Share with specified liboqs algorithm only [KYBER_LEVEL1, KYBER_LEVEL3,\n",
+#ifdef HAVE_PQC
+        "--pqc <alg> Key Share with specified post-quantum algorithm only [KYBER_LEVEL1, KYBER_LEVEL3,\n",
         "            KYBER_LEVEL5, KYBER_90S_LEVEL1, KYBER_90S_LEVEL3, KYBER_90S_LEVEL5,\n",
         "            NTRU_HPS_LEVEL1, NTRU_HPS_LEVEL3, NTRU_HPS_LEVEL5, NTRU_HRSS_LEVEL3,\n",
         "            SABER_LEVEL1, SABER_LEVEL3, SABER_LEVEL5, P256_NTRU_HPS_LEVEL1,\n"
@@ -1513,8 +1513,8 @@ static const char* client_usage_msg[][70] = {
         "-7          最小ダウングレード可能なプロトコルバージョンを設定します [0-4] "
         " SSLv3(0) - TLS1.3(4)\n",                            /* 69 */
 #endif
-#ifdef HAVE_LIBOQS
-        "--oqs <alg> liboqs 名前付きグループとの鍵共有のみ\n",
+#ifdef HAVE_PQC
+        "--pqc <alg> post-quantum 名前付きグループとの鍵共有のみ\n",
         "[KYBER_LEVEL1, KYBER_LEVEL3, KYBER_LEVEL5, KYBER_90S_LEVEL1, KYBER_90S_LEVEL3, KYBER_90S_LEVEL5,\n",
         " NTRU_HPS_LEVEL1, NTRU_HPS_LEVEL3, NTRU_HPS_LEVEL5, NTRU_HRSS_LEVEL3,\n",
         " LIGHTSABER, SABER, FIRESABER, P256_NTRU_HPS_LEVEL1,\n"
@@ -1740,11 +1740,11 @@ static void Usage(void)
 #endif
     printf("%s", msg[++msgid]); /* -7 */
     printf("%s", msg[++msgid]); /* Examples repo link */
-#ifdef HAVE_LIBOQS
-    printf("%s", msg[++msgid]);     /* --oqs */
-    printf("%s", msg[++msgid]);     /* --oqs options */
-    printf("%s", msg[++msgid]);     /* more --oqs options */
-    printf("%s", msg[++msgid]);     /* more --oqs options */
+#ifdef HAVE_PQC
+    printf("%s", msg[++msgid]);     /* --pqc */
+    printf("%s", msg[++msgid]);     /* --pqc options */
+    printf("%s", msg[++msgid]);     /* more --pqc options */
+    printf("%s", msg[++msgid]);     /* more --pqc options */
 #endif
 }
 
@@ -1784,8 +1784,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #endif
         { "help", 0, 257 },
         { "ヘルプ", 0, 258 },
-#if defined(HAVE_LIBOQS)
-        { "oqs", 1, 259 },
+#if defined(HAVE_PQC)
+        { "pqc", 1, 259 },
 #endif
         { 0, 0, 0 }
     };
@@ -1891,8 +1891,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #endif
     int useX25519 = 0;
     int useX448 = 0;
-    int useLibOqs = 0;
-    char* oqsAlg = NULL;
+    int usePqc = 0;
+    char* pqcAlg = NULL;
     int exitWithRet = 0;
     int loadCertKeyIntoSSLObj = 0;
 
@@ -1981,8 +1981,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     (void)onlyKeyShare;
     (void)useSupCurve;
     (void)loadCertKeyIntoSSLObj;
-    (void)useLibOqs;
-    (void)oqsAlg;
+    (void)usePqc;
+    (void)pqcAlg;
     StackTrap();
 
     /* Reinitialize the global myVerifyAction. */
@@ -2541,11 +2541,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #endif
 
 #if defined(WOLFSSL_TLS13) &&  defined(HAVE_SUPPORTED_CURVES) && \
-    defined(HAVE_LIBOQS)
+    defined(HAVE_PQC)
             case 259:
-                useLibOqs = 1;
+                usePqc = 1;
                 onlyKeyShare = 3;
-                oqsAlg = myoptarg;
+                pqcAlg = myoptarg;
                 break;
 #endif
             default:
@@ -2664,14 +2664,14 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
         err_sys("can't load whitewood net random config file");
 #endif
 
-#ifdef HAVE_LIBOQS
-    if (useLibOqs) {
+#ifdef HAVE_PQC
+    if (usePqc) {
         if (version == CLIENT_DOWNGRADE_VERSION ||
             version == EITHER_DOWNGRADE_VERSION)
             printf("WARNING: If a TLS 1.3 connection is not negotiated, you "
-                   "will not be using a liboqs group.\n");
+                   "will not be using a post-quantum group.\n");
         else if (version != 4)
-            err_sys("can only use liboqs groups with TLS 1.3");
+            err_sys("can only use post-quantum groups with TLS 1.3");
     }
 #endif
 
@@ -3205,7 +3205,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
         ((func_args*)args)->return_code =
             ClientBenchmarkConnections(ctx, host, port, dtlsUDP, dtlsSCTP,
                                        benchmark, resumeSession, useX25519,
-                                       useX448, useLibOqs, oqsAlg, helloRetry,
+                                       useX448, usePqc, pqcAlg, helloRetry,
                                        onlyKeyShare, version, earlyData);
         wolfSSL_CTX_free(ctx); ctx = NULL;
         XEXIT_T(EXIT_SUCCESS);
@@ -3215,7 +3215,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
         ((func_args*)args)->return_code =
             ClientBenchmarkThroughput(ctx, host, port, dtlsUDP, dtlsSCTP,
                                       block, throughput, useX25519, useX448,
-                                      useLibOqs, oqsAlg, exitWithRet, version,
+                                      usePqc, pqcAlg, exitWithRet, version,
                                       onlyKeyShare);
         wolfSSL_CTX_free(ctx); ctx = NULL;
         if (((func_args*)args)->return_code != EXIT_SUCCESS && !exitWithRet)
@@ -3340,8 +3340,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 
 #if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
     if (!helloRetry && version >= 4) {
-        SetKeyShare(ssl, onlyKeyShare, useX25519, useX448, useLibOqs,
-                    oqsAlg, 0);
+        SetKeyShare(ssl, onlyKeyShare, useX25519, useX448, usePqc,
+                    pqcAlg, 0);
     }
     else {
         wolfSSL_NoKeyShares(ssl);
diff --git a/examples/server/server.c b/examples/server/server.c
index c28f9ac18..378c360e1 100644
--- a/examples/server/server.c
+++ b/examples/server/server.c
@@ -586,7 +586,7 @@ static void ServerWrite(WOLFSSL* ssl, const char* output, int outputLen)
 #if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
 #define MAX_GROUP_NUMBER 4
 static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
-                        int useX448, int useLibOqs, char* oqsAlg)
+                        int useX448, int usePqc, char* pqcAlg)
 {
     int ret;
     int groups[MAX_GROUP_NUMBER] = {0};
@@ -594,8 +594,8 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
 
     (void)useX25519;
     (void)useX448;
-    (void)useLibOqs;
-    (void)oqsAlg;
+    (void)usePqc;
+    (void)pqcAlg;
 
     WOLFSSL_START(WC_FUNC_CLIENT_KEY_EXCHANGE_SEND);
     if (onlyKeyShare == 2) {
@@ -629,124 +629,124 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
             } while (ret == WC_PENDING_E);
     #endif
         }
-        else if (useLibOqs == 1) {
-    #ifdef HAVE_LIBOQS
+        else if (usePqc == 1) {
+    #ifdef HAVE_PQC
             groups[count] = 0;
-            if (XSTRNCMP(oqsAlg, "KYBER_LEVEL1", XSTRLEN("KYBER_LEVEL1")) == 0) {
+            if (XSTRNCMP(pqcAlg, "KYBER_LEVEL1", XSTRLEN("KYBER_LEVEL1")) == 0) {
                 groups[count] = WOLFSSL_KYBER_LEVEL1;
             }
-            else if (XSTRNCMP(oqsAlg, "KYBER_LEVEL3",
+            else if (XSTRNCMP(pqcAlg, "KYBER_LEVEL3",
                                 XSTRLEN("KYBER_LEVEL3")) == 0) {
                 groups[count] = WOLFSSL_KYBER_LEVEL3;
             }
-            else if (XSTRNCMP(oqsAlg, "KYBER_LEVEL5",
+            else if (XSTRNCMP(pqcAlg, "KYBER_LEVEL5",
                                 XSTRLEN("KYBER_LEVEL5")) == 0) {
                 groups[count] = WOLFSSL_KYBER_LEVEL5;
             }
-            else if (XSTRNCMP(oqsAlg, "NTRU_HPS_LEVEL1",
+            else if (XSTRNCMP(pqcAlg, "NTRU_HPS_LEVEL1",
                                 XSTRLEN("NTRU_HPS_LEVEL1")) == 0)  {
                 groups[count] = WOLFSSL_NTRU_HPS_LEVEL1;
             }
-            else if (XSTRNCMP(oqsAlg, "NTRU_HPS_LEVEL3",
+            else if (XSTRNCMP(pqcAlg, "NTRU_HPS_LEVEL3",
                                 XSTRLEN("NTRU_HPS_LEVEL3")) == 0) {
                 groups[count] = WOLFSSL_NTRU_HPS_LEVEL3;
             }
-            else if (XSTRNCMP(oqsAlg, "NTRU_HPS_LEVEL5",
+            else if (XSTRNCMP(pqcAlg, "NTRU_HPS_LEVEL5",
                                 XSTRLEN("NTRU_HPS_LEVEL5")) == 0) {
                 groups[count] = WOLFSSL_NTRU_HPS_LEVEL5;
             }
-            else if (XSTRNCMP(oqsAlg, "NTRU_HRSS_LEVEL3",
+            else if (XSTRNCMP(pqcAlg, "NTRU_HRSS_LEVEL3",
                                 XSTRLEN("NTRU_HRSS_LEVEL3")) == 0) {
                 groups[count] = WOLFSSL_NTRU_HRSS_LEVEL3;
             }
-            else if (XSTRNCMP(oqsAlg, "SABER_LEVEL1",
+            else if (XSTRNCMP(pqcAlg, "SABER_LEVEL1",
                                 XSTRLEN("SABER_LEVEL1")) == 0) {
                 groups[count] = WOLFSSL_SABER_LEVEL1;
             }
-            else if (XSTRNCMP(oqsAlg, "SABER_LEVEL3",
+            else if (XSTRNCMP(pqcAlg, "SABER_LEVEL3",
                                 XSTRLEN("SABER_LEVEL3")) == 0) {
                 groups[count] = WOLFSSL_SABER_LEVEL3;
             }
-            else if (XSTRNCMP(oqsAlg, "SABER_LEVEL5",
+            else if (XSTRNCMP(pqcAlg, "SABER_LEVEL5",
                                 XSTRLEN("SABER_LEVEL5")) == 0) {
                 groups[count] = WOLFSSL_SABER_LEVEL5;
             }
-            else if (XSTRNCMP(oqsAlg, "KYBER_90S_LEVEL1",
+            else if (XSTRNCMP(pqcAlg, "KYBER_90S_LEVEL1",
                                 XSTRLEN("KYBER_90S_LEVEL1")) == 0) {
                 groups[count] = WOLFSSL_KYBER_90S_LEVEL1;
             }
-            else if (XSTRNCMP(oqsAlg, "KYBER_90S_LEVEL3",
+            else if (XSTRNCMP(pqcAlg, "KYBER_90S_LEVEL3",
                                 XSTRLEN("KYBER_90S_LEVEL3")) == 0) {
                 groups[count] = WOLFSSL_KYBER_90S_LEVEL3;
             }
-            else if (XSTRNCMP(oqsAlg, "KYBER_90S_LEVEL5",
+            else if (XSTRNCMP(pqcAlg, "KYBER_90S_LEVEL5",
                                 XSTRLEN("KYBER_90S_LEVEL5")) == 0) {
                 groups[count] = WOLFSSL_KYBER_90S_LEVEL5;
             }
-            else if (XSTRNCMP(oqsAlg, "P256_NTRU_HPS_LEVEL1",
+            else if (XSTRNCMP(pqcAlg, "P256_NTRU_HPS_LEVEL1",
                                 XSTRLEN("P256_NTRU_HPS_LEVEL1")) == 0) {
                 groups[count] = WOLFSSL_P256_NTRU_HPS_LEVEL1;
             }
-            else if (XSTRNCMP(oqsAlg, "P384_NTRU_HPS_LEVEL3",
+            else if (XSTRNCMP(pqcAlg, "P384_NTRU_HPS_LEVEL3",
                                 XSTRLEN("P384_NTRU_HPS_LEVEL3")) == 0) {
                 groups[count] = WOLFSSL_P384_NTRU_HPS_LEVEL3;
             }
-            else if (XSTRNCMP(oqsAlg, "P521_NTRU_HPS_LEVEL5",
+            else if (XSTRNCMP(pqcAlg, "P521_NTRU_HPS_LEVEL5",
                                 XSTRLEN("P521_NTRU_HPS_LEVEL5")) == 0) {
                 groups[count] = WOLFSSL_P521_NTRU_HPS_LEVEL5;
             }
-            else if (XSTRNCMP(oqsAlg, "P384_NTRU_HRSS_LEVEL3",
+            else if (XSTRNCMP(pqcAlg, "P384_NTRU_HRSS_LEVEL3",
                                 XSTRLEN("P384_NTRU_HRSS_LEVEL3")) == 0) {
                 groups[count] = WOLFSSL_P384_NTRU_HRSS_LEVEL3;
             }
-            else if (XSTRNCMP(oqsAlg, "P256_SABER_LEVEL1",
+            else if (XSTRNCMP(pqcAlg, "P256_SABER_LEVEL1",
                                 XSTRLEN("P256_SABER_LEVEL1")) == 0) {
                 groups[count] = WOLFSSL_P256_SABER_LEVEL1;
             }
-            else if (XSTRNCMP(oqsAlg, "P384_SABER_LEVEL3",
+            else if (XSTRNCMP(pqcAlg, "P384_SABER_LEVEL3",
                                 XSTRLEN("P384_SABER_LEVEL3")) == 0) {
                 groups[count] = WOLFSSL_P384_SABER_LEVEL3;
             }
-            else if (XSTRNCMP(oqsAlg, "P521_SABER_LEVEL5",
+            else if (XSTRNCMP(pqcAlg, "P521_SABER_LEVEL5",
                                 XSTRLEN("P521_SABER_LEVEL5")) == 0) {
                 groups[count] = WOLFSSL_P521_SABER_LEVEL5;
             }
-            else if (XSTRNCMP(oqsAlg, "P256_KYBER_LEVEL1",
+            else if (XSTRNCMP(pqcAlg, "P256_KYBER_LEVEL1",
                                 XSTRLEN("P256_KYBER_LEVEL1")) == 0) {
                 groups[count] = WOLFSSL_P256_KYBER_LEVEL1;
             }
-            else if (XSTRNCMP(oqsAlg, "P384_KYBER_LEVEL3",
+            else if (XSTRNCMP(pqcAlg, "P384_KYBER_LEVEL3",
                                 XSTRLEN("P384_KYBER_LEVEL3")) == 0) {
                 groups[count] = WOLFSSL_P384_KYBER_LEVEL3;
             }
-            else if (XSTRNCMP(oqsAlg, "P521_KYBER_LEVEL5",
+            else if (XSTRNCMP(pqcAlg, "P521_KYBER_LEVEL5",
                                 XSTRLEN("P521_KYBER_LEVEL5")) == 0) {
                 groups[count] = WOLFSSL_P521_KYBER_LEVEL5;
             }
-            else if (XSTRNCMP(oqsAlg, "P256_KYBER_90S_LEVEL1",
+            else if (XSTRNCMP(pqcAlg, "P256_KYBER_90S_LEVEL1",
                                 XSTRLEN("P256_KYBER_90S_LEVEL1")) == 0) {
                 groups[count] = WOLFSSL_P256_KYBER_90S_LEVEL1;
             }
-            else if (XSTRNCMP(oqsAlg, "P384_KYBER_90S_LEVEL3",
+            else if (XSTRNCMP(pqcAlg, "P384_KYBER_90S_LEVEL3",
                                 XSTRLEN("P384_KYBER_90S_LEVEL3")) == 0) {
                 groups[count] = WOLFSSL_P384_KYBER_90S_LEVEL3;
             }
-            else if (XSTRNCMP(oqsAlg, "P521_KYBER_90S_LEVEL5",
+            else if (XSTRNCMP(pqcAlg, "P521_KYBER_90S_LEVEL5",
                                 XSTRLEN("P521_KYBER_90S_LEVEL5")) == 0) {
                 groups[count] = WOLFSSL_P521_KYBER_90S_LEVEL5;
             }
 
             if (groups[count] == 0) {
-                err_sys("invalid OQS KEM specified");
+                err_sys("invalid post-quantum KEM specified");
             }
             else {
                 if (wolfSSL_UseKeyShare(ssl, groups[count]) == WOLFSSL_SUCCESS) {
-                    printf("Using OQS KEM: %s\n", oqsAlg);
+                    printf("Using Post-Quantum KEM: %s\n", pqcAlg);
                     count++;
                 }
                 else {
                     groups[count] = 0;
-                    err_sys("unable to use oqs algorithm");
+                    err_sys("unable to use post-quantum algorithm");
                 }
             }
     #endif
@@ -945,8 +945,8 @@ static const char* server_usage_msg[][60] = {
         "-7          Set minimum downgrade protocol version [0-4] "
         " SSLv3(0) - TLS1.3(4)\n",                          /* 59 */
 #endif
-#ifdef HAVE_LIBOQS
-        "--oqs <alg> Key Share with specified liboqs algorithm only [KYBER_LEVEL1, KYBER_LEVEL3,\n",
+#ifdef HAVE_PQC
+        "--pqc <alg> Key Share with specified post-quantum algorithm only [KYBER_LEVEL1, KYBER_LEVEL3,\n",
         "            KYBER_LEVEL5, KYBER_90S_LEVEL1, KYBER_90S_LEVEL3, KYBER_90S_LEVEL5,\n",
         "            NTRU_HPS_LEVEL1, NTRU_HPS_LEVEL3, NTRU_HPS_LEVEL5, NTRU_HRSS_LEVEL3,\n",
         "            SABER_LEVEL1, SABER_LEVEL3, SABER_LEVEL5, P256_NTRU_HPS_LEVEL1,\n"
@@ -1109,8 +1109,8 @@ static const char* server_usage_msg[][60] = {
         "-7          最小ダウングレード可能なプロトコルバージョンを設定します [0-4] "
         " SSLv3(0) - TLS1.3(4)\n",                          /* 59 */
 #endif
-#ifdef HAVE_LIBOQS
-        "--oqs <alg>  liboqs 名前付きグループとの鍵共有のみ\n",
+#ifdef HAVE_PQC
+        "--pqc <alg>  post-quantum 名前付きグループとの鍵共有のみ\n",
         "[KYBER_LEVEL1, KYBER_LEVEL3, KYBER_LEVEL5, KYBER_90S_LEVEL1, KYBER_90S_LEVEL3, KYBER_90S_LEVEL5,\n",
         " NTRU_HPS_LEVEL1, NTRU_HPS_LEVEL3, NTRU_HPS_LEVEL5, NTRU_HRSS_LEVEL3,\n",
         " SABER_LEVEL1, SABER_LEVEL3, SABER_LEVEL5, P256_NTRU_HPS_LEVEL1,\n"
@@ -1260,11 +1260,11 @@ static void Usage(void)
 #endif
     printf("%s", msg[++msgId]); /* -7 */
     printf("%s", msg[++msgId]); /* Examples repo link */
-#ifdef HAVE_LIBOQS
-    printf("%s", msg[++msgId]);     /* --oqs */
-    printf("%s", msg[++msgId]);     /* --oqs options */
-    printf("%s", msg[++msgId]);     /* more --oqs options */
-    printf("%s", msg[++msgId]);     /* more --oqs options */
+#ifdef HAVE_PQC
+    printf("%s", msg[++msgId]);     /* --pqc */
+    printf("%s", msg[++msgId]);     /* --pqc options */
+    printf("%s", msg[++msgId]);     /* more --pqc options */
+    printf("%s", msg[++msgId]);     /* more --pqc options */
 #endif
 }
 
@@ -1293,8 +1293,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 #endif
         { "help", 0, 257 },
         { "ヘルプ", 0, 258 },
-#if defined(HAVE_LIBOQS)
-        { "oqs", 1, 259 },
+#if defined(HAVE_PQC)
+        { "pqc", 1, 259 },
 #endif
         { 0, 0, 0 }
     };
@@ -1447,8 +1447,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 #endif
     int useX25519 = 0;
     int useX448 = 0;
-    int useLibOqs = 0;
-    char* oqsAlg = NULL;
+    int usePqc = 0;
+    char* pqcAlg = NULL;
     int exitWithRet = 0;
     int loadCertKeyIntoSSLObj = 0;
 
@@ -1508,8 +1508,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
     (void)mcastID;
     (void)loadCertKeyIntoSSLObj;
     (void)nonBlocking;
-    (void)oqsAlg;
-    (void)useLibOqs;
+    (void)pqcAlg;
+    (void)usePqc;
 
 #ifdef WOLFSSL_TIRTOS
     fdOpenSession(Task_self());
@@ -2022,11 +2022,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
                 break;
 #endif
 
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
             case 259:
-                useLibOqs = 1;
+                usePqc = 1;
                 onlyKeyShare = 2;
-                oqsAlg = myoptarg;
+                pqcAlg = myoptarg;
                 break;
 #endif
 
@@ -2070,14 +2070,14 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
                    "file");
 #endif
 
-#ifdef HAVE_LIBOQS
-    if (useLibOqs) {
+#ifdef HAVE_PQC
+    if (usePqc) {
         if (version == SERVER_DOWNGRADE_VERSION ||
             version == EITHER_DOWNGRADE_VERSION) {
             printf("WARNING: If a TLS 1.3 connection is not negotiated, you "
-                   "will not be using a liboqs group.\n");
+                   "will not be using a post-quantum group.\n");
         } else if (version != 4) {
-            err_sys("can only use liboqs groups with TLS 1.3");
+            err_sys("can only use post-quantum groups with TLS 1.3");
         }
     }
 #endif
@@ -2775,8 +2775,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 
     #if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
         if (version >= 4) {
-            SetKeyShare(ssl, onlyKeyShare, useX25519, useX448, useLibOqs,
-                        oqsAlg);
+            SetKeyShare(ssl, onlyKeyShare, useX25519, useX448, usePqc,
+                        pqcAlg);
         }
     #endif
 
diff --git a/gencertbuf.pl b/gencertbuf.pl
index 06f90e8b6..fb84eb2b3 100755
--- a/gencertbuf.pl
+++ b/gencertbuf.pl
@@ -99,7 +99,7 @@ my @fileList_4096 = (
         );
 
 #Falcon Post-Quantum Keys
-#Used with HAVE_LIBOQS
+#Used with HAVE_PQC
 my @fileList_falcon = (
         ["certs/falcon/bench_falcon_level1_key.der", "bench_falcon_level1_key" ],
         ["certs/falcon/bench_falcon_level5_key.der", "bench_falcon_level5_key" ],
@@ -194,7 +194,7 @@ for (my $i = 0; $i < $num_4096; $i++) {
 print OUT_FILE "#endif /* USE_CERT_BUFFERS_4096 */\n\n";
 
 # convert and print falcon keys
-print OUT_FILE "#ifdef HAVE_LIBOQS\n\n";
+print OUT_FILE "#ifdef HAVE_PQC\n\n";
 for (my $i = 0; $i < $num_falcon; $i++) {
 
     my $fname = $fileList_falcon[$i][0];
@@ -208,7 +208,7 @@ for (my $i = 0; $i < $num_falcon; $i++) {
     print OUT_FILE "static const int sizeof_$sname = sizeof($sname);\n\n";
 }
 
-print OUT_FILE "#endif /* HAVE_LIBOQS */\n\n";
+print OUT_FILE "#endif /* HAVE_PQC */\n\n";
 
 # convert and print 256-bit cert/keys
 print OUT_FILE "#if defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256)\n\n";
diff --git a/scripts/ocsp.test b/scripts/ocsp.test
index e89ecbe77..acedc254e 100755
--- a/scripts/ocsp.test
+++ b/scripts/ocsp.test
@@ -35,6 +35,7 @@ if [ "$OUTPUT" = "SNI is: ON" ]; then
 
     if [ $RESULT -eq 0 ]; then
         # client test against the server
+        echo "./examples/client/client -X -C -h $server -p 443 -A "$ca" -g -o -N -v d -S $server"
         ./examples/client/client -X -C -h $server -p 443 -A "$ca" -g -o -N -v d -S $server
         GL_RESULT=$?
         [ $GL_RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed"
@@ -54,6 +55,7 @@ ${SCRIPT_DIR}/ping.test $server 2
 RESULT=$?
 if [ $RESULT -eq 0 ]; then
     # client test against the server
+    echo "./examples/client/client -X -C -h $server -p 443 -A "$ca" -g -o -N"
     ./examples/client/client -X -C -h $server -p 443 -A "$ca" -g -o -N
     GR_RESULT=$?
     [ $GR_RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed"
diff --git a/scripts/resume.test b/scripts/resume.test
index f811e34b2..129f7a669 100755
--- a/scripts/resume.test
+++ b/scripts/resume.test
@@ -69,6 +69,7 @@ do_test() {
     esac
 
     remove_ready_file
+    echo "./examples/server/server -r -R "$ready_file" -p $resume_port"
     ./examples/server/server -r -R "$ready_file" -p $resume_port &
     server_pid=$!
 
@@ -92,6 +93,7 @@ do_test() {
     # get created port 0 ephemeral port
     resume_port=`cat "$ready_file"`
 
+    echo "./examples/client/client $1 -r -p $resume_port"
     capture_out=$(./examples/client/client $1 -r -p $resume_port 2>&1)
     client_result=$?
 
diff --git a/src/internal.c b/src/internal.c
index cc0edc8d0..65ac2d73b 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -2012,7 +2012,7 @@ int InitSSL_Side(WOLFSSL* ssl, word16 side)
         ssl->options.haveECC  = 1;      /* server turns on with ECC key cert */
     }
 #endif
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     if (ssl->options.side == WOLFSSL_CLIENT_END) {
         ssl->options.haveFalconSig  = 1; /* always on client side */
     }
@@ -2080,7 +2080,7 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
     ctx->minEccKeySz  = MIN_ECCKEY_SZ;
     ctx->eccTempKeySz = ECDHE_SIZE;
 #endif
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     ctx->minFalconKeySz = MIN_FALCONKEY_SZ;
 #endif
     ctx->verifyDepth = MAX_CHAIN_DEPTH;
@@ -2140,7 +2140,7 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
     ctx->CBIOSend = GNRC_SendTo;
 #endif
 
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     if (method->side == WOLFSSL_CLIENT_END)
         ctx->haveFalconSig = 1;        /* always on client side */
                                        /* server can turn on by loading key */
@@ -2683,7 +2683,7 @@ static WC_INLINE void AddSuiteHashSigAlgo(Suites* suites, byte macAlgo,
         }
         else
     #endif
-    #ifdef HAVE_LIBOQS
+    #ifdef HAVE_PQC
         if (sigAlgo == falcon_level1_sa_algo) {
             suites->hashSigAlgo[*inOutIdx] = FALCON_LEVEL1_SA_MAJOR;
             *inOutIdx += 1;
@@ -2760,10 +2760,10 @@ void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, int haveRSAsig,
     }
 #endif /* HAVE_ECC || HAVE_ED25519 || HAVE_ED448 */
     if (haveFalconSig) {
-#if defined(HAVE_LIBOQS)
+#if defined(HAVE_PQC)
         AddSuiteHashSigAlgo(suites, no_mac, falcon_level1_sa_algo, keySz, &idx);
         AddSuiteHashSigAlgo(suites, no_mac, falcon_level5_sa_algo, keySz, &idx);
-#endif /* HAVE_LIBOQS */
+#endif /* HAVE_PQC */
     }
     if (haveRSAsig) {
     #ifdef WC_RSA_PSS
@@ -3830,8 +3830,8 @@ static WC_INLINE void DecodeSigAlg(const byte* input, byte* hashAlgo, byte* hsTy
                 *hashAlgo = input[1];
             }
             break;
-#ifdef HAVE_LIBOQS
-        case OQS_SA_MAJOR:
+#ifdef HAVE_PQC
+        case PQC_SA_MAJOR:
             if (input[1] == FALCON_LEVEL1_SA_MINOR) {
                 *hsType = falcon_level1_sa_algo;
                 /* Hash performed as part of sign/verify operation. */
@@ -6000,7 +6000,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 #ifdef HAVE_ECC
     ssl->options.minEccKeySz = ctx->minEccKeySz;
 #endif
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     ssl->options.minFalconKeySz = ctx->minFalconKeySz;
 #endif
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
@@ -6736,11 +6736,11 @@ void FreeKey(WOLFSSL* ssl, int type, void** pKey)
                 wc_curve448_free((curve448_key*)*pKey);
                 break;
         #endif /* HAVE_CURVE448 */
-        #ifdef HAVE_LIBOQS
+        #ifdef HAVE_PQC
             case DYNAMIC_TYPE_FALCON:
                 wc_falcon_free((falcon_key*)*pKey);
                 break;
-        #endif /* HAVE_LIBOQS */
+        #endif /* HAVE_PQC */
         #ifndef NO_DH
             case DYNAMIC_TYPE_DH:
                 wc_FreeDhKey((DhKey*)*pKey);
@@ -6803,11 +6803,11 @@ int AllocKey(WOLFSSL* ssl, int type, void** pKey)
             sz = sizeof(curve448_key);
             break;
     #endif /* HAVE_CURVE448 */
-    #ifdef HAVE_LIBOQS
+    #ifdef HAVE_PQC
         case DYNAMIC_TYPE_FALCON:
             sz = sizeof(falcon_key);
             break;
-    #endif /* HAVE_LIBOQS */
+    #endif /* HAVE_PQC */
     #ifndef NO_DH
         case DYNAMIC_TYPE_DH:
             sz = sizeof(DhKey);
@@ -6853,7 +6853,7 @@ int AllocKey(WOLFSSL* ssl, int type, void** pKey)
             ret = 0;
             break;
     #endif /* HAVE_CURVE448 */
-    #ifdef HAVE_LIBOQS
+    #ifdef HAVE_PQC
         case DYNAMIC_TYPE_FALCON:
             wc_falcon_init((falcon_key*)*pKey);
             ret = 0;
@@ -6884,7 +6884,7 @@ int AllocKey(WOLFSSL* ssl, int type, void** pKey)
 
 #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
     defined(HAVE_CURVE25519) || defined(HAVE_ED448) || \
-    defined(HAVE_CURVE448) || defined(HAVE_LIBOQS)
+    defined(HAVE_CURVE448) || defined(HAVE_PQC)
 static int ReuseKey(WOLFSSL* ssl, int type, void* pKey)
 {
     int ret = 0;
@@ -6930,12 +6930,12 @@ static int ReuseKey(WOLFSSL* ssl, int type, void* pKey)
             ret = wc_curve448_init((curve448_key*)pKey);
             break;
     #endif /* HAVE_CURVE448 */
-    #ifdef HAVE_LIBOQS
+    #ifdef HAVE_PQC
         case DYNAMIC_TYPE_FALCON:
             wc_falcon_free((falcon_key*)pKey);
             ret = wc_falcon_init((falcon_key*)pKey);
             break;
-    #endif /* HAVE_LIBOQS */
+    #endif /* HAVE_PQC */
     #ifndef NO_DH
         case DYNAMIC_TYPE_DH:
             wc_FreeDhKey((DhKey*)pKey);
@@ -7173,7 +7173,7 @@ void SSL_ResourceFree(WOLFSSL* ssl)
         }
     #endif
 #endif
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     FreeKey(ssl, DYNAMIC_TYPE_FALCON, (void**)&ssl->peerFalconKey);
     ssl->peerFalconKeyPresent = 0;
 #endif
@@ -7396,10 +7396,10 @@ void FreeHandshakeResources(WOLFSSL* ssl)
         FreeKey(ssl, DYNAMIC_TYPE_ED448, (void**)&ssl->peerEd448Key);
         ssl->peerEd448KeyPresent = 0;
 #endif /* HAVE_ED448 */
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
         FreeKey(ssl, DYNAMIC_TYPE_FALCON, (void**)&ssl->peerFalconKey);
         ssl->peerFalconKeyPresent = 0;
-#endif /* HAVE_LIBOQS */
+#endif /* HAVE_PQC */
     }
 
 #ifdef HAVE_ECC
@@ -11860,7 +11860,7 @@ static int ProcessPeerCertCheckKey(WOLFSSL* ssl, ProcPeerCertArgs* args)
             }
             break;
     #endif /* HAVE_ED448 */
-    #ifdef HAVE_LIBOQS
+    #ifdef HAVE_PQC
         case FALCON_LEVEL1k:
             if (ssl->options.minFalconKeySz < 0 ||
                  FALCON_LEVEL1_KEY_SIZE < (word16)ssl->options.minFalconKeySz) {
@@ -11877,7 +11877,7 @@ static int ProcessPeerCertCheckKey(WOLFSSL* ssl, ProcPeerCertArgs* args)
                 ret = FALCON_KEY_SIZE_E;
             }
             break;
-    #endif /* HAVE_LIBOQS */
+    #endif /* HAVE_PQC */
         default:
             WOLFSSL_MSG("Key size not checked");
             /* key not being checked for size if not in
@@ -13080,7 +13080,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                         break;
                     }
                 #endif /* HAVE_ED448 && HAVE_ED448_KEY_IMPORT */
-                #ifdef HAVE_LIBOQS
+                #ifdef HAVE_PQC
                     case FALCON_LEVEL1k:
                     case FALCON_LEVEL5k:
                     {
@@ -13125,7 +13125,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                             WOLFSSL_MSG("Peer Falcon key is too small");
                         }
                     }
-                #endif /* HAVE_LIBOQS */
+                #endif /* HAVE_PQC */
                     default:
                         break;
                 }
@@ -21703,7 +21703,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
                                                              defined(HAVE_ED448)
                     haveECDSAsig = 1;
                 #endif
-                #if defined(HAVE_LIBOQS)
+                #if defined(HAVE_PQC)
                     haveFalconSig = 1;
                 #endif
                 }
@@ -21922,7 +21922,7 @@ static int MatchSigAlgo(WOLFSSL* ssl, int sigAlgo)
         return sigAlgo == ed448_sa_algo;
     }
 #endif
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     if (ssl->pkCurveOID == CTC_FALCON_LEVEL1) {
         /* Certificate has Falcon level 1 key, only match with Falcon level 1
          * sig alg  */
@@ -22036,7 +22036,7 @@ int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz)
             break;
         }
     #endif
-    #if defined(HAVE_LIBOQS)
+    #if defined(HAVE_PQC)
         if (ssl->pkCurveOID == CTC_FALCON_LEVEL1 ||
             ssl->pkCurveOID == CTC_FALCON_LEVEL5 ) {
             /* Matched Falcon - set chosen and finished. */
@@ -22702,7 +22702,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
         }
     }
 #endif /* HAVE_ED448 && HAVE_ED448_KEY_IMPORT */
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     if (ssl->buffers.keyType == falcon_level1_sa_algo ||
         ssl->buffers.keyType == falcon_level5_sa_algo ||
         ssl->buffers.keyType == 0) {
@@ -22762,7 +22762,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
             goto exit_dpk;
         }
     }
-#endif /* HAVE_LIBOQS */
+#endif /* HAVE_PQC */
 
     (void)idx;
     (void)keySz;
diff --git a/src/ssl.c b/src/ssl.c
index 924e0a921..435130577 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -117,7 +117,7 @@
     #include <wolfssl/wolfcrypt/curve25519.h>
     #include <wolfssl/wolfcrypt/ed25519.h>
     #include <wolfssl/wolfcrypt/curve448.h>
-    #if defined(HAVE_LIBOQS)
+    #if defined(HAVE_PQC)
         #include <wolfssl/wolfcrypt/falcon.h>
     #endif
     #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL)
@@ -208,7 +208,7 @@ const WOLF_EC_NIST_NAME kNistCurves[] = {
     {XSTR_SIZEOF("B-320"),   "B-320",   NID_brainpoolP320r1},
     {XSTR_SIZEOF("B-384"),   "B-384",   NID_brainpoolP384r1},
     {XSTR_SIZEOF("B-512"),   "B-512",   NID_brainpoolP512r1},
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     {XSTR_SIZEOF("KYBER_LEVEL1"), "KYBER_LEVEL1", WOLFSSL_KYBER_LEVEL1},
     {XSTR_SIZEOF("KYBER_LEVEL3"), "KYBER_LEVEL3", WOLFSSL_KYBER_LEVEL3},
     {XSTR_SIZEOF("KYBER_LEVEL5"), "KYBER_LEVEL5", WOLFSSL_KYBER_LEVEL5},
@@ -447,6 +447,7 @@ int wolfSSL_send_session(WOLFSSL* ssl)
 /* prevent multiple mutex initializations */
 static volatile WOLFSSL_GLOBAL int initRefCount = 0;
 static WOLFSSL_GLOBAL wolfSSL_Mutex count_mutex;   /* init ref count mutex */
+static WOLFSSL_GLOBAL int count_mutex_valid = 0;
 
 /* Create a new WOLFSSL_CTX struct and return the pointer to created struct.
    WOLFSSL_METHOD pointer passed in is given to ctx to manage.
@@ -2615,7 +2616,7 @@ static int isValidCurveGroup(word16 name)
         case WOLFSSL_FFDHE_6144:
         case WOLFSSL_FFDHE_8192:
 
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
         case WOLFSSL_KYBER_LEVEL1:
         case WOLFSSL_KYBER_LEVEL3:
         case WOLFSSL_KYBER_LEVEL5:
@@ -3939,7 +3940,7 @@ WOLFSSL_CERT_MANAGER* wolfSSL_CertManagerNew_ex(void* heap)
         #ifdef HAVE_ECC
             cm->minEccKeySz = MIN_ECCKEY_SZ;
         #endif
-        #ifdef HAVE_LIBOQS
+        #ifdef HAVE_PQC
             cm->minFalconKeySz = MIN_FALCONKEY_SZ;
         #endif
 
@@ -4887,7 +4888,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
                 }
                 break;
             #endif /* HAVE_ED448 */
-            #ifdef HAVE_LIBOQS
+            #ifdef HAVE_PQC
             case FALCON_LEVEL1k:
                 if (cm->minFalconKeySz < 0 ||
                           FALCON_LEVEL1_KEY_SIZE < (word16)cm->minFalconKeySz) {
@@ -4902,7 +4903,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
                     WOLFSSL_MSG("\tCA Falcon level 5 key size error");
                 }
                 break;
-            #endif /* HAVE_LIBOQS */
+            #endif /* HAVE_PQC */
 
             default:
                 WOLFSSL_MSG("\tNo key size check done on CA");
@@ -5098,6 +5099,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
     #ifdef ENABLE_SESSION_CACHE_ROW_LOCK
         /* not included in import/export */
         wolfSSL_Mutex row_mutex;
+        int mutex_valid;
     #endif
     } SessionRow;
     #define SIZEOF_SESSION_ROW (sizeof(WOLFSSL_SESSION) + (sizeof(int) * 2))
@@ -5113,6 +5115,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
     #define SESSION_ROW_UNLOCK(row) wc_UnLockMutex(&(row)->row_mutex);
     #else
     static WOLFSSL_GLOBAL wolfSSL_Mutex session_mutex; /* SessionCache mutex */
+    static WOLFSSL_GLOBAL int session_mutex_valid = 0;
     #define SESSION_ROW_LOCK(row)   wc_LockMutex(&session_mutex)
     #define SESSION_ROW_UNLOCK(row) wc_UnLockMutex(&session_mutex);
     #endif
@@ -5135,6 +5138,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
                                                      /* uses session mutex */
 
         static WOLFSSL_GLOBAL wolfSSL_Mutex clisession_mutex; /* ClientCache mutex */
+        static WOLFSSL_GLOBAL int clisession_mutex_valid = 0;
     #endif /* !NO_CLIENT_CACHE */
 
 #endif /* !NO_SESSION_CACHE */
@@ -5146,6 +5150,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
     static WC_RNG globalRNG;
     static int initGlobalRNG = 0;
     static wolfSSL_Mutex globalRNGMutex;
+    static int globalRNGMutex_valid = 0;
 #endif
 
 #if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_NO_OPENSSL_RAND_CB)
@@ -5165,6 +5170,7 @@ static void AtExitCleanup(void)
 WOLFSSL_ABI
 int wolfSSL_Init(void)
 {
+    int ret = WOLFSSL_SUCCESS;
 #if !defined(NO_SESSION_CACHE) && defined(ENABLE_SESSION_CACHE_ROW_LOCK)
     int i;
 #endif
@@ -5175,72 +5181,98 @@ int wolfSSL_Init(void)
         /* Initialize crypto for use with TLS connection */
         if (wolfCrypt_Init() != 0) {
             WOLFSSL_MSG("Bad wolfCrypt Init");
-            return WC_INIT_E;
+            ret = WC_INIT_E;
         }
 
 #ifdef HAVE_GLOBAL_RNG
-        if (wc_InitMutex(&globalRNGMutex) != 0) {
+        if ((ret == WOLFSSL_SUCCESS) && (wc_InitMutex(&globalRNGMutex) != 0)) {
             WOLFSSL_MSG("Bad Init Mutex rng");
-            return BAD_MUTEX_E;
+            ret = BAD_MUTEX_E;
+        }
+        else {
+            globalRNGMutex_valid = 1;
         }
 #endif
 
 #ifdef OPENSSL_EXTRA
-    #ifdef HAVE_ATEXIT
-        /* OpenSSL registers cleanup using atexit */
-        if (atexit(AtExitCleanup) != 0) {
-            WOLFSSL_MSG("Bad atexit registration");
-            return WC_INIT_E;
-        }
-    #endif
-
     #ifndef WOLFSSL_NO_OPENSSL_RAND_CB
-        if (wolfSSL_RAND_InitMutex() != 0) {
-            return BAD_MUTEX_E;
+        if ((ret == WOLFSSL_SUCCESS) && (wolfSSL_RAND_InitMutex() != 0)) {
+            ret = BAD_MUTEX_E;
         }
     #endif
-        if (wolfSSL_RAND_seed(NULL, 0) != WOLFSSL_SUCCESS) {
+        if ((ret == WOLFSSL_SUCCESS) &&
+            (wolfSSL_RAND_seed(NULL, 0) != WOLFSSL_SUCCESS)) {
             WOLFSSL_MSG("wolfSSL_RAND_Seed failed");
-            return WC_INIT_E;
+            ret = WC_INIT_E;
         }
 #endif
 
 #ifndef NO_SESSION_CACHE
     #ifdef ENABLE_SESSION_CACHE_ROW_LOCK
         for (i = 0; i < SESSION_ROWS; ++i) {
+            SessionCache[i].mutex_valid = 0;
+        }
+        for (i = 0; (ret == WOLFSSL_SUCCESS) && (i < SESSION_ROWS); ++i) {
             if (wc_InitMutex(&SessionCache[i].row_mutex) != 0) {
                 WOLFSSL_MSG("Bad Init Mutex session");
-                return BAD_MUTEX_E;
+                ret = BAD_MUTEX_E;
+            }
+            else {
+                SessionCache[i].mutex_valid = 1;
             }
         }
     #else
-        if (wc_InitMutex(&session_mutex) != 0) {
+        if ((ret == WOLFSSL_SUCCESS) && (wc_InitMutex(&session_mutex) != 0)) {
             WOLFSSL_MSG("Bad Init Mutex session");
-            return BAD_MUTEX_E;
+            ret = BAD_MUTEX_E;
+        }
+        else {
+            session_mutex_valid = 1;
         }
     #endif
     #ifndef NO_CLIENT_CACHE
-        if (wc_InitMutex(&clisession_mutex) != 0) {
+        if ((ret == WOLFSSL_SUCCESS) &&
+            (wc_InitMutex(&clisession_mutex) != 0)) {
             WOLFSSL_MSG("Bad Init Mutex session");
-            return BAD_MUTEX_E;
+            ret = BAD_MUTEX_E;
+        }
+        else {
+            clisession_mutex_valid = 1;
         }
     #endif
 #endif
-        if (wc_InitMutex(&count_mutex) != 0) {
+        if ((ret == WOLFSSL_SUCCESS) && (wc_InitMutex(&count_mutex) != 0)) {
             WOLFSSL_MSG("Bad Init Mutex count");
-            return BAD_MUTEX_E;
+            ret = BAD_MUTEX_E;
         }
+        else {
+            count_mutex_valid = 1;
+        }
+
+#if defined(OPENSSL_EXTRA) && defined(HAVE_ATEXIT)
+        /* OpenSSL registers cleanup using atexit */
+        if ((ret == WOLFSSL_SUCCESS) && (atexit(AtExitCleanup) != 0)) {
+            WOLFSSL_MSG("Bad atexit registration");
+            ret = WC_INIT_E;
+        }
+#endif
     }
 
-    if (wc_LockMutex(&count_mutex) != 0) {
+    if ((ret == WOLFSSL_SUCCESS) && (wc_LockMutex(&count_mutex) != 0)) {
         WOLFSSL_MSG("Bad Lock Mutex count");
-        return BAD_MUTEX_E;
+        ret = BAD_MUTEX_E;
+    }
+    else {
+        initRefCount++;
+        wc_UnLockMutex(&count_mutex);
     }
 
-    initRefCount++;
-    wc_UnLockMutex(&count_mutex);
+    if (ret != WOLFSSL_SUCCESS) {
+        initRefCount = 1; /* Force cleanup */
+        (void)wolfSSL_Cleanup(); /* Ignore any error from cleanup */
+    }
 
-    return WOLFSSL_SUCCESS;
+    return ret;
 }
 
 
@@ -5442,7 +5474,7 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der
         #endif
             if (ret != 0) {
             #if !defined(HAVE_ECC) && !defined(HAVE_ED25519) && \
-                !defined(HAVE_ED448) && !defined(HAVE_LIBOQS)
+                !defined(HAVE_ED448) && !defined(HAVE_PQC)
                 WOLFSSL_MSG("RSA decode failed and other algorithms "
                             "not enabled to try");
                 ret = WOLFSSL_BAD_FILE;
@@ -5675,7 +5707,7 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der
     #endif
     }
 #endif /* HAVE_ED448 && HAVE_ED448_KEY_IMPORT */
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     if (ret == 0 && ((*keyFormat == 0) || (*keyFormat == FALCON_LEVEL1k) ||
                      (*keyFormat == FALCON_LEVEL5k))) {
         /* make sure Falcon key can be used */
@@ -5739,7 +5771,7 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der
         }
         XFREE(key, heap, DYNAMIC_TYPE_FALCON);
     }
-#endif /* HAVE_LIBOQS */
+#endif /* HAVE_PQC */
     return ret;
 }
 
@@ -6087,7 +6119,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
         }
 
     #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \
-        defined(HAVE_LIBOQS)
+        defined(HAVE_PQC)
         if (ssl) {
             ssl->pkCurveOID = cert->pkCurveOID;
         #ifndef WC_STRICT_SIG
@@ -6104,7 +6136,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
                     ssl->options.haveECC = 1;
                 }
             #endif
-            #ifdef HAVE_LIBOQS
+            #ifdef HAVE_PQC
                 else if (cert->keyOID == FALCON_LEVEL1k ||
                          cert->keyOID == FALCON_LEVEL5k) {
                     ssl->options.haveFalconSig = 1;
@@ -6130,7 +6162,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
                     ctx->haveECC = 1;
                 }
             #endif
-            #ifdef HAVE_LIBOQS
+            #ifdef HAVE_PQC
                 else if (cert->keyOID == FALCON_LEVEL1k ||
                          cert->keyOID == FALCON_LEVEL5k) {
                     ctx->haveFalconSig = 1;
@@ -6243,7 +6275,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
                 }
                 break;
         #endif /* HAVE_ED448 */
-        #ifdef HAVE_LIBOQS
+        #ifdef HAVE_PQC
             case FALCON_LEVEL1k:
             case FALCON_LEVEL5k:
                 /* Falcon is fixed key size */
@@ -6263,7 +6295,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
                     }
                 }
                 break;
-        #endif /* HAVE_LIBOQS */
+        #endif /* HAVE_PQC */
 
             default:
                 WOLFSSL_MSG("No key size check done on certificate");
@@ -8524,7 +8556,7 @@ static WOLFSSL_EVP_PKEY* d2iGenericKey(WOLFSSL_EVP_PKEY** out,
     #endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
     #endif /* !NO_DH &&  OPENSSL_EXTRA && WOLFSSL_DH_EXTRA */
 
-    #ifdef HAVE_LIBOQS
+    #ifdef HAVE_PQC
     {
         int isFalcon = 0;
     #ifdef WOLFSSL_SMALL_STACK
@@ -8584,7 +8616,7 @@ static WOLFSSL_EVP_PKEY* d2iGenericKey(WOLFSSL_EVP_PKEY** out,
         }
 
     }
-    #endif /* HAVE_LIBOQS */
+    #endif /* HAVE_PQC */
 
     if (pkey == NULL) {
         WOLFSSL_MSG("wolfSSL_d2i_PUBKEY couldn't determine key type");
@@ -14770,7 +14802,7 @@ int wolfSSL_SetHsDoneCb(WOLFSSL* ssl, HandShakeDoneCb cb, void* user_ctx)
 WOLFSSL_ABI
 int wolfSSL_Cleanup(void)
 {
-    int ret = WOLFSSL_SUCCESS;
+    int ret = WOLFSSL_SUCCESS; /* Only the first error will be returned */
     int release = 0;
 #if !defined(NO_SESSION_CACHE) && defined(ENABLE_SESSION_CACHE_ROW_LOCK)
     int i;
@@ -14781,16 +14813,18 @@ int wolfSSL_Cleanup(void)
     if (initRefCount == 0)
         return ret;  /* possibly no init yet, but not failure either way */
 
-    if (wc_LockMutex(&count_mutex) != 0) {
+    if ((count_mutex_valid == 1) && (wc_LockMutex(&count_mutex) != 0)) {
         WOLFSSL_MSG("Bad Lock Mutex count");
-        return BAD_MUTEX_E;
+        ret = BAD_MUTEX_E;
     }
 
     release = initRefCount-- == 1;
     if (initRefCount < 0)
         initRefCount = 0;
 
-    wc_UnLockMutex(&count_mutex);
+    if (count_mutex_valid == 1) {
+        wc_UnLockMutex(&count_mutex);
+    }
 
     if (!release)
         return ret;
@@ -14805,21 +14839,35 @@ int wolfSSL_Cleanup(void)
 #ifndef NO_SESSION_CACHE
     #ifdef ENABLE_SESSION_CACHE_ROW_LOCK
     for (i = 0; i < SESSION_ROWS; ++i) {
-        if (wc_FreeMutex(&SessionCache[i].row_mutex) != 0)
-            ret = BAD_MUTEX_E;
+        if ((SessionCache[i].mutex_valid == 1) &&
+            (wc_FreeMutex(&SessionCache[i].row_mutex) != 0)) {
+            if (ret == WOLFSSL_SUCCESS)
+                ret = BAD_MUTEX_E;
+        }
+        SessionCache[i].mutex_valid = 0;
     }
     #else
-    if (wc_FreeMutex(&session_mutex) != 0)
-        ret = BAD_MUTEX_E;
+    if ((session_mutex_valid == 1) && (wc_FreeMutex(&session_mutex) != 0)) {
+        if (ret == WOLFSSL_SUCCESS)
+            ret = BAD_MUTEX_E;
+    }
+    session_mutex_valid = 0;
     #endif
     #ifndef NO_CLIENT_CACHE
-        if (wc_FreeMutex(&clisession_mutex) != 0)
+    if ((clisession_mutex_valid == 1) &&
+        (wc_FreeMutex(&clisession_mutex) != 0)) {
+        if (ret == WOLFSSL_SUCCESS)
             ret = BAD_MUTEX_E;
+    }
+    clisession_mutex_valid = 0;
     #endif
 #endif /* !NO_SESSION_CACHE */
 
-    if (wc_FreeMutex(&count_mutex) != 0)
-        ret = BAD_MUTEX_E;
+    if ((count_mutex_valid == 1) && (wc_FreeMutex(&count_mutex) != 0)) {
+        if (ret == WOLFSSL_SUCCESS)
+            ret = BAD_MUTEX_E;
+    }
+    count_mutex_valid = 0;
 
 #ifdef OPENSSL_EXTRA
     wolfSSL_RAND_Cleanup();
@@ -14827,13 +14875,16 @@ int wolfSSL_Cleanup(void)
 
     if (wolfCrypt_Cleanup() != 0) {
         WOLFSSL_MSG("Error with wolfCrypt_Cleanup call");
-        ret = WC_CLEANUP_E;
+        if (ret == WOLFSSL_SUCCESS)
+            ret = WC_CLEANUP_E;
     }
 
 #ifdef HAVE_GLOBAL_RNG
-    if (wc_FreeMutex(&globalRNGMutex) != 0) {
-        ret = BAD_MUTEX_E;
+    if ((globalRNGMutex_valid == 1) && (wc_FreeMutex(&globalRNGMutex) != 0)) {
+        if (ret == WOLFSSL_SUCCESS)
+            ret = BAD_MUTEX_E;
     }
+    globalRNGMutex_valid = 0;
 #endif
     return ret;
 }
@@ -27665,6 +27716,11 @@ WOLFSSL_ASN1_TIME *wolfSSL_X509_time_adj(WOLFSSL_ASN1_TIME *asnTime,
 {
     return wolfSSL_X509_time_adj_ex(asnTime, 0, offset_sec, in_tm);
 }
+
+WOLFSSL_ASN1_TIME* wolfSSL_X509_gmtime_adj(WOLFSSL_ASN1_TIME *s, long adj)
+{
+    return wolfSSL_X509_time_adj(s, adj, NULL);
+}
 #endif
 
 #ifndef NO_WOLFSSL_STUB
@@ -28979,11 +29035,6 @@ WOLFSSL_API long wolfSSL_set_tlsext_status_exts(WOLFSSL *s, void *arg)
     WOLFSSL_STUB("wolfSSL_set_tlsext_status_exts");
     return WOLFSSL_FAILURE;
 }
-
-WOLFSSL_ASN1_TIME* wolfSSL_X509_gmtime_adj(WOLFSSL_ASN1_TIME *s, long adj)
-{
-    return wolfSSL_X509_time_adj(s, adj, NULL);
-}
 #endif
 
 /*** TBD ***/
@@ -32216,7 +32267,7 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = {
     #ifdef HAVE_ED25519
         { NID_ED25519, ED25519k,  oidKeyType, "ED25519", "ED25519"},
     #endif
-    #ifdef HAVE_LIBOQS
+    #ifdef HAVE_PQC
         { CTC_FALCON_LEVEL1, FALCON_LEVEL1k,  oidKeyType, "Falcon Level 1",
                                                           "Falcon Level 1"},
         { CTC_FALCON_LEVEL5, FALCON_LEVEL5k,  oidKeyType, "Falcon Level 5",
@@ -36959,7 +37010,7 @@ struct WOLFSSL_HashSigInfo {
 #ifdef HAVE_ED448
     { no_mac, ed448_sa_algo, CTC_ED448 },
 #endif
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     { no_mac, falcon_level1_sa_algo, CTC_FALCON_LEVEL1 },
     { no_mac, falcon_level5_sa_algo, CTC_FALCON_LEVEL5 },
 #endif
diff --git a/src/tls.c b/src/tls.c
index ed1466b8d..af3ec880b 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -48,9 +48,11 @@
 #ifdef HAVE_CURVE448
     #include <wolfssl/wolfcrypt/curve448.h>
 #endif
+#ifdef HAVE_PQC
 #ifdef HAVE_LIBOQS
     #include <oqs/kem.h>
 #endif
+#endif
 
 #if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
 static int TLSX_KeyShare_IsSupported(int namedGroup);
@@ -3800,7 +3802,7 @@ int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, byte status_type,
 #ifdef HAVE_SUPPORTED_CURVES
 
 #if !defined(HAVE_ECC) && !defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448) \
-                       && !defined(HAVE_FFDHE) && !defined(HAVE_LIBOQS)
+                       && !defined(HAVE_FFDHE) && !defined(HAVE_PQC)
 #error Elliptic Curves Extension requires Elliptic Curve Cryptography or liboqs groups. \
        Use --enable-ecc and/or --enable-liboqs in the configure script or \
        define HAVE_ECC. Alternatively use FFDHE for DH ciphersuites.
@@ -6633,6 +6635,7 @@ static int TLSX_KeyShare_GenEccKey(WOLFSSL *ssl, KeyShareEntry* kse)
     return ret;
 }
 
+#ifdef HAVE_PQC
 #ifdef HAVE_LIBOQS
 /* Transform a group ID into an OQS Algorithm name as a string. */
 static const char* OQS_ID2name(int id)
@@ -6655,73 +6658,75 @@ static const char* OQS_ID2name(int id)
     }
     return NULL;
 }
+#endif /* HAVE_LIBOQS */
 
-typedef struct OqsHybridMapping {
+typedef struct PqcHybridMapping {
     int hybrid;
     int ecc;
-    int oqs;
-} OqsHybridMapping;
+    int pqc;
+} PqcHybridMapping;
 
-static const OqsHybridMapping oqs_hybrid_mapping[] = {
-    {.hybrid = WOLFSSL_P256_NTRU_HPS_LEVEL1, .ecc = WOLFSSL_ECC_SECP256R1,
-     .oqs = WOLFSSL_NTRU_HPS_LEVEL1},
-    {.hybrid = WOLFSSL_P384_NTRU_HPS_LEVEL3, .ecc = WOLFSSL_ECC_SECP384R1,
-     .oqs = WOLFSSL_NTRU_HPS_LEVEL3},
-    {.hybrid = WOLFSSL_P521_NTRU_HPS_LEVEL5, .ecc = WOLFSSL_ECC_SECP521R1,
-     .oqs = WOLFSSL_NTRU_HPS_LEVEL5},
-    {.hybrid = WOLFSSL_P384_NTRU_HRSS_LEVEL3,    .ecc = WOLFSSL_ECC_SECP384R1,
-     .oqs = WOLFSSL_NTRU_HRSS_LEVEL3},
-    {.hybrid = WOLFSSL_P256_SABER_LEVEL1,      .ecc = WOLFSSL_ECC_SECP256R1,
-     .oqs = WOLFSSL_SABER_LEVEL1},
-    {.hybrid = WOLFSSL_P384_SABER_LEVEL3,           .ecc = WOLFSSL_ECC_SECP384R1,
-     .oqs = WOLFSSL_SABER_LEVEL3},
-    {.hybrid = WOLFSSL_P521_SABER_LEVEL5,       .ecc = WOLFSSL_ECC_SECP521R1,
-     .oqs = WOLFSSL_SABER_LEVEL5},
-    {.hybrid = WOLFSSL_P256_KYBER_LEVEL1,        .ecc = WOLFSSL_ECC_SECP256R1,
-     .oqs = WOLFSSL_KYBER_LEVEL1},
-    {.hybrid = WOLFSSL_P384_KYBER_LEVEL3,        .ecc = WOLFSSL_ECC_SECP384R1,
-     .oqs = WOLFSSL_KYBER_LEVEL3},
-    {.hybrid = WOLFSSL_P521_KYBER_LEVEL5,       .ecc = WOLFSSL_ECC_SECP521R1,
-     .oqs = WOLFSSL_KYBER_LEVEL5},
-    {.hybrid = WOLFSSL_P256_KYBER_90S_LEVEL1,     .ecc = WOLFSSL_ECC_SECP256R1,
-     .oqs = WOLFSSL_KYBER_90S_LEVEL1},
-    {.hybrid = WOLFSSL_P384_KYBER_90S_LEVEL3,     .ecc = WOLFSSL_ECC_SECP384R1,
-     .oqs = WOLFSSL_KYBER_90S_LEVEL3},
-    {.hybrid = WOLFSSL_P521_KYBER_90S_LEVEL5,    .ecc = WOLFSSL_ECC_SECP521R1,
-     .oqs = WOLFSSL_KYBER_90S_LEVEL5},
-    {.hybrid = 0, .ecc = 0, .oqs = 0}
+static const PqcHybridMapping pqc_hybrid_mapping[] = {
+    {.hybrid = WOLFSSL_P256_NTRU_HPS_LEVEL1,  .ecc = WOLFSSL_ECC_SECP256R1,
+     .pqc = WOLFSSL_NTRU_HPS_LEVEL1},
+    {.hybrid = WOLFSSL_P384_NTRU_HPS_LEVEL3,  .ecc = WOLFSSL_ECC_SECP384R1,
+     .pqc = WOLFSSL_NTRU_HPS_LEVEL3},
+    {.hybrid = WOLFSSL_P521_NTRU_HPS_LEVEL5,  .ecc = WOLFSSL_ECC_SECP521R1,
+     .pqc = WOLFSSL_NTRU_HPS_LEVEL5},
+    {.hybrid = WOLFSSL_P384_NTRU_HRSS_LEVEL3, .ecc = WOLFSSL_ECC_SECP384R1,
+     .pqc = WOLFSSL_NTRU_HRSS_LEVEL3},
+    {.hybrid = WOLFSSL_P256_SABER_LEVEL1,     .ecc = WOLFSSL_ECC_SECP256R1,
+     .pqc = WOLFSSL_SABER_LEVEL1},
+    {.hybrid = WOLFSSL_P384_SABER_LEVEL3,     .ecc = WOLFSSL_ECC_SECP384R1,
+     .pqc = WOLFSSL_SABER_LEVEL3},
+    {.hybrid = WOLFSSL_P521_SABER_LEVEL5,     .ecc = WOLFSSL_ECC_SECP521R1,
+     .pqc = WOLFSSL_SABER_LEVEL5},
+    {.hybrid = WOLFSSL_P256_KYBER_LEVEL1,     .ecc = WOLFSSL_ECC_SECP256R1,
+     .pqc = WOLFSSL_KYBER_LEVEL1},
+    {.hybrid = WOLFSSL_P384_KYBER_LEVEL3,     .ecc = WOLFSSL_ECC_SECP384R1,
+     .pqc = WOLFSSL_KYBER_LEVEL3},
+    {.hybrid = WOLFSSL_P521_KYBER_LEVEL5,     .ecc = WOLFSSL_ECC_SECP521R1,
+     .pqc = WOLFSSL_KYBER_LEVEL5},
+    {.hybrid = WOLFSSL_P256_KYBER_90S_LEVEL1, .ecc = WOLFSSL_ECC_SECP256R1,
+     .pqc = WOLFSSL_KYBER_90S_LEVEL1},
+    {.hybrid = WOLFSSL_P384_KYBER_90S_LEVEL3, .ecc = WOLFSSL_ECC_SECP384R1,
+     .pqc = WOLFSSL_KYBER_90S_LEVEL3},
+    {.hybrid = WOLFSSL_P521_KYBER_90S_LEVEL5, .ecc = WOLFSSL_ECC_SECP521R1,
+     .pqc = WOLFSSL_KYBER_90S_LEVEL5},
+    {.hybrid = 0, .ecc = 0, .pqc = 0}
 };
 
-/* This will map an ecc-oqs hybrid group into its ecc group and oqs group.
- * If it cannot find a mapping then *oqs is set to group. ecc is optional. */
-static void findEccOqs(int *ecc, int *oqs, int group)
+/* This will map an ecc-pqs hybrid group into its ecc group and pqc kem group.
+ * If it cannot find a mapping then *pqc is set to group. ecc is optional. */
+static void findEccPqc(int *ecc, int *pqc, int group)
 {
     int i;
-    if (oqs == NULL) {
+    if (pqc == NULL) {
         return;
     }
 
-    *oqs = 0;
+    *pqc = 0;
     if (ecc != NULL) {
         *ecc = 0;
     }
 
-    for (i = 0; oqs_hybrid_mapping[i].hybrid != 0; i++) {
-        if (oqs_hybrid_mapping[i].hybrid == group) {
-            *oqs = oqs_hybrid_mapping[i].oqs;
+    for (i = 0; pqc_hybrid_mapping[i].hybrid != 0; i++) {
+        if (pqc_hybrid_mapping[i].hybrid == group) {
+            *pqc = pqc_hybrid_mapping[i].pqc;
             if (ecc != NULL) {
-                *ecc = oqs_hybrid_mapping[i].ecc;
+                *ecc = pqc_hybrid_mapping[i].ecc;
             }
             break;
         }
     }
 
-    if (*oqs == 0) {
+    if (*pqc == 0) {
         /* It is not a hybrid, so maybe its simple. */
-        *oqs = group;
+        *pqc = group;
     }
 }
 
+#ifdef HAVE_LIBOQS
 /* Create a key share entry using liboqs parameters group.
  * Generates a key pair.
  *
@@ -6740,7 +6745,7 @@ static int TLSX_KeyShare_GenOqsKey(WOLFSSL *ssl, KeyShareEntry* kse)
     int oqs_group = 0;
     int ecc_group = 0;
 
-    findEccOqs(&ecc_group, &oqs_group, kse->group);
+    findEccPqc(&ecc_group, &oqs_group, kse->group);
     algName = OQS_ID2name(oqs_group);
     if (algName == NULL) {
         WOLFSSL_MSG("Invalid OQS algorithm specified.");
@@ -6830,7 +6835,8 @@ static int TLSX_KeyShare_GenOqsKey(WOLFSSL *ssl, KeyShareEntry* kse)
 
     return ret;
 }
-#endif
+#endif /* HAVE_LIBOQS */
+#endif /* HAVE_PQC */
 
 /* Generate a secret/key using the key share entry.
  *
@@ -6847,9 +6853,11 @@ static int TLSX_KeyShare_GenKey(WOLFSSL *ssl, KeyShareEntry *kse)
         ret = TLSX_KeyShare_GenX25519Key(ssl, kse);
     else if (kse->group == WOLFSSL_ECC_X448)
         ret = TLSX_KeyShare_GenX448Key(ssl, kse);
+#ifdef HAVE_PQC
 #ifdef HAVE_LIBOQS
-    else if (kse->group >= WOLFSSL_OQS_MIN && kse->group <= WOLFSSL_OQS_MAX)
+    else if (kse->group >= WOLFSSL_PQC_MIN && kse->group <= WOLFSSL_PQC_MAX)
         ret = TLSX_KeyShare_GenOqsKey(ssl, kse);
+#endif
 #endif
     else
         ret = TLSX_KeyShare_GenEccKey(ssl, kse);
@@ -6886,9 +6894,9 @@ static void TLSX_KeyShare_FreeAll(KeyShareEntry* list, void* heap)
             wc_curve448_free((curve448_key*)current->key);
 #endif
         }
-#ifdef HAVE_LIBOQS
-        else if (current->group >= WOLFSSL_OQS_MIN &&
-                 current->group <= WOLFSSL_OQS_MAX &&
+#ifdef HAVE_PQC
+        else if (current->group >= WOLFSSL_PQC_MIN &&
+                 current->group <= WOLFSSL_PQC_MAX &&
                  current->key != NULL) {
             ForceZero((byte*)current->key, current->keyLen);
         }
@@ -7408,6 +7416,7 @@ static int TLSX_KeyShare_ProcessEcc(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
     return ret;
 }
 
+#ifdef HAVE_PQC
 #ifdef HAVE_LIBOQS
 /* Process the liboqs key share extension on the client side.
  *
@@ -7450,7 +7459,7 @@ static int TLSX_KeyShare_ProcessOqs(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
     }
 
     /* I am the client, the ciphertext is in keyShareEntry->ke */
-    findEccOqs(&ecc_group, &oqs_group, keyShareEntry->group);
+    findEccPqc(&ecc_group, &oqs_group, keyShareEntry->group);
 
     algName = OQS_ID2name(oqs_group);
     if (algName == NULL) {
@@ -7559,6 +7568,7 @@ static int TLSX_KeyShare_ProcessOqs(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
     return ret;
 }
 #endif
+#endif
 
 /* Process the key share extension on the client side.
  *
@@ -7581,10 +7591,12 @@ static int TLSX_KeyShare_Process(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
         ret = TLSX_KeyShare_ProcessX25519(ssl, keyShareEntry);
     else if (keyShareEntry->group == WOLFSSL_ECC_X448)
         ret = TLSX_KeyShare_ProcessX448(ssl, keyShareEntry);
+#ifdef HAVE_PQC
 #ifdef HAVE_LIBOQS
-    else if (keyShareEntry->group >= WOLFSSL_OQS_MIN &&
-             keyShareEntry->group <= WOLFSSL_OQS_MAX)
+    else if (keyShareEntry->group >= WOLFSSL_PQC_MIN &&
+             keyShareEntry->group <= WOLFSSL_PQC_MAX)
         ret = TLSX_KeyShare_ProcessOqs(ssl, keyShareEntry);
+#endif
 #endif
     else
         ret = TLSX_KeyShare_ProcessEcc(ssl, keyShareEntry);
@@ -7633,9 +7645,9 @@ static int TLSX_KeyShareEntry_Parse(WOLFSSL* ssl, const byte* input,
     if (keLen > length - offset)
         return BUFFER_ERROR;
 
-#ifdef HAVE_LIBOQS
-    if (group >= WOLFSSL_OQS_MIN &&
-        group <= WOLFSSL_OQS_MAX &&
+#ifdef HAVE_PQC
+    if (group >= WOLFSSL_PQC_MIN &&
+        group <= WOLFSSL_PQC_MAX &&
         ssl->options.side == WOLFSSL_SERVER_END) {
         /* For KEMs, the public key is not stored. Casting away const because
          * we know for KEMs, it will be read-only.*/
@@ -7800,7 +7812,7 @@ static int TLSX_KeyShare_Parse(WOLFSSL* ssl, const byte* input, word16 length,
 
         /* Not in list sent if there isn't a private key. */
         if (keyShareEntry == NULL || (keyShareEntry->key == NULL
-        #if !defined(NO_DH) || defined(HAVE_LIBOQS)
+        #if !defined(NO_DH) || defined(HAVE_PQC)
             && keyShareEntry->privKey == NULL
         #endif
         )) {
@@ -7838,9 +7850,9 @@ static int TLSX_KeyShare_Parse(WOLFSSL* ssl, const byte* input, word16 length,
                 return ret;
         }
 
-#ifdef HAVE_LIBOQS
-        /* For oqs groups, do this in TLSX_PopulateExtensions(). */
-        if (group < WOLFSSL_OQS_MIN || group > WOLFSSL_OQS_MAX)
+#ifdef HAVE_PQC
+        /* For post-quantum groups, do this in TLSX_PopulateExtensions(). */
+        if (group < WOLFSSL_PQC_MIN || group > WOLFSSL_PQC_MAX)
 #endif
             ret = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL);
     }
@@ -7888,6 +7900,7 @@ static int TLSX_KeyShare_New(KeyShareEntry** list, int group, void *heap,
     return 0;
 }
 
+#ifdef HAVE_PQC
 #ifdef HAVE_LIBOQS
 static int server_generate_oqs_ciphertext(WOLFSSL* ssl,
                                           KeyShareEntry* keyShareEntry,
@@ -7908,7 +7921,7 @@ static int server_generate_oqs_ciphertext(WOLFSSL* ssl,
     ecc_key eccpubkey;
     word32 outlen = 0;
 
-    findEccOqs(&ecc_group, &oqs_group, keyShareEntry->group);
+    findEccPqc(&ecc_group, &oqs_group, keyShareEntry->group);
     algName = OQS_ID2name(oqs_group);
     if (algName == NULL) {
         WOLFSSL_MSG("Invalid OQS algorithm specified.");
@@ -8034,6 +8047,7 @@ static int server_generate_oqs_ciphertext(WOLFSSL* ssl,
     return ret;
 }
 #endif
+#endif
 
 /* Use the data to create a new key share object in the extensions.
  *
@@ -8082,9 +8096,10 @@ int TLSX_KeyShare_Use(WOLFSSL* ssl, word16 group, word16 len, byte* data,
     }
 
 
+#ifdef HAVE_PQC
 #ifdef HAVE_LIBOQS
-    if (group >= WOLFSSL_OQS_MIN &&
-        group <= WOLFSSL_OQS_MAX &&
+    if (group >= WOLFSSL_PQC_MIN &&
+        group <= WOLFSSL_PQC_MAX &&
         ssl->options.side == WOLFSSL_SERVER_END) {
         ret = server_generate_oqs_ciphertext(ssl, keyShareEntry, data,
                                              len);
@@ -8092,6 +8107,7 @@ int TLSX_KeyShare_Use(WOLFSSL* ssl, word16 group, word16 len, byte* data,
             return ret;
     }
     else
+#endif
 #endif
     if (data != NULL) {
         if (keyShareEntry->ke != NULL) {
@@ -8243,7 +8259,7 @@ static int TLSX_KeyShare_IsSupported(int namedGroup)
             break;
         #endif
     #endif
-    #ifdef HAVE_LIBOQS
+    #ifdef HAVE_PQC
         case WOLFSSL_KYBER_LEVEL1:
         case WOLFSSL_KYBER_LEVEL3:
         case WOLFSSL_KYBER_LEVEL5:
@@ -8270,10 +8286,12 @@ static int TLSX_KeyShare_IsSupported(int namedGroup)
         case WOLFSSL_P256_KYBER_90S_LEVEL1:
         case WOLFSSL_P384_KYBER_90S_LEVEL3:
         case WOLFSSL_P521_KYBER_90S_LEVEL5:
-            findEccOqs(NULL, &namedGroup, namedGroup);
+    #ifdef HAVE_LIBOQS
+            findEccPqc(NULL, &namedGroup, namedGroup);
             if (! OQS_KEM_alg_is_enabled(OQS_ID2name(namedGroup))) {
                 return 0;
             }
+    #endif
             break;
     #endif
         default:
@@ -8341,7 +8359,7 @@ static int TLSX_KeyShare_GroupRank(WOLFSSL* ssl, int group)
         #ifdef HAVE_FFDHE_8192
             ssl->group[ssl->numGroups++] = WOLFSSL_FFDHE_8192;
         #endif
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
             /* For the liboqs groups we need to do a runtime check because
              * liboqs could be compiled to make an algorithm unavailable.
              */
@@ -8524,9 +8542,9 @@ int TLSX_KeyShare_Establish(WOLFSSL *ssl, int* doHelloRetry)
             clientKSE->group > MAX_FFHDE_GROUP) {
             /* Check max value supported. */
             if (clientKSE->group > WOLFSSL_ECC_MAX) {
-#ifdef HAVE_LIBOQS
-                if (clientKSE->group < WOLFSSL_OQS_MIN ||
-                    clientKSE->group > WOLFSSL_OQS_MAX )
+#ifdef HAVE_PQC
+                if (clientKSE->group < WOLFSSL_PQC_MIN ||
+                    clientKSE->group > WOLFSSL_PQC_MAX )
 #endif
                     continue;
             }
@@ -8566,9 +8584,9 @@ int TLSX_KeyShare_Establish(WOLFSSL *ssl, int* doHelloRetry)
         return ret;
 
     if (clientKSE->key == NULL) {
-#ifdef HAVE_LIBOQS
-        if (clientKSE->group >= WOLFSSL_OQS_MIN &&
-            clientKSE->group <= WOLFSSL_OQS_MAX ) {
+#ifdef HAVE_PQC
+        if (clientKSE->group >= WOLFSSL_PQC_MIN &&
+            clientKSE->group <= WOLFSSL_PQC_MAX ) {
             /* Going to need the public key (AKA ciphertext). */
             serverKSE->pubKey = clientKSE->pubKey;
             clientKSE->pubKey = NULL;
@@ -10220,7 +10238,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
         #endif
 #endif
 
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_KYBER_LEVEL1, ssl->heap);
     if (ret == WOLFSSL_SUCCESS)
         ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_KYBER_LEVEL3,
@@ -10298,7 +10316,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
         ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P521_KYBER_90S_LEVEL5,
                                      ssl->heap);
 
-#endif /* HAVE_LIBOQS */
+#endif /* HAVE_PQC */
 
     (void)ssl;
     (void)extensions;
@@ -10469,9 +10487,9 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
                     namedGroup = kse->group;
             }
             if (namedGroup > 0) {
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
                 /* For KEMs, the key share has already been generated. */
-                if (namedGroup < WOLFSSL_OQS_MIN || namedGroup > WOLFSSL_OQS_MAX)
+                if (namedGroup < WOLFSSL_PQC_MIN || namedGroup > WOLFSSL_PQC_MAX)
 #endif
                     ret = TLSX_KeyShare_Use(ssl, namedGroup, 0, NULL, NULL);
                 if (ret != 0)
diff --git a/src/tls13.c b/src/tls13.c
index 08e2adefb..b70df4ad8 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -5241,7 +5241,7 @@ static int SendTls13CertificateRequest(WOLFSSL* ssl, byte* reqCtx,
 
 #ifndef NO_CERTS
 #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
-    defined(HAVE_ED448) || defined(HAVE_LIBOQS)
+    defined(HAVE_ED448) || defined(HAVE_PQC)
 /* Encode the signature algorithm into buffer.
  *
  * hashalgo  The hash algorithm.
@@ -5280,7 +5280,7 @@ static WC_INLINE void EncodeSigAlg(byte hashAlgo, byte hsType, byte* output)
             output[1] = hashAlgo;
             break;
 #endif
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
         case falcon_level1_sa_algo:
             output[0] = FALCON_LEVEL1_SA_MAJOR;
             output[1] = FALCON_LEVEL1_SA_MINOR;
@@ -5333,8 +5333,8 @@ static WC_INLINE int DecodeTls13SigAlg(byte* input, byte* hashAlgo,
             else
                 ret = INVALID_PARAMETER;
             break;
-#ifdef HAVE_LIBOQS
-        case OQS_SA_MAJOR:
+#ifdef HAVE_PQC
+        case PQC_SA_MAJOR:
             if (input[1] == FALCON_LEVEL1_SA_MINOR) {
                 *hsType = falcon_level1_sa_algo;
                 /* Hash performed as part of sign/verify operation. */
@@ -5967,7 +5967,7 @@ static int SendTls13Certificate(WOLFSSL* ssl)
 }
 
 #if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
-     defined(HAVE_ED448) || defined(HAVE_LIBOQS)) && \
+     defined(HAVE_ED448) || defined(HAVE_PQC)) && \
     (!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH))
 typedef struct Scv13Args {
     byte*  output; /* not allocated */
@@ -6112,7 +6112,7 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl)
             else if (ssl->hsType == DYNAMIC_TYPE_ED448)
                 args->sigAlgo = ed448_sa_algo;
         #endif
-        #ifdef HAVE_LIBOQS
+        #ifdef HAVE_PQC
             else if (ssl->hsType == DYNAMIC_TYPE_FALCON) {
                 falcon_key* fkey = (falcon_key*)ssl->hsKey;
                 byte level = 0;
@@ -6206,11 +6206,11 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl)
                 sig->length = ED448_SIG_SIZE;
             }
         #endif /* HAVE_ED448 */
-        #ifdef HAVE_LIBOQS
+        #ifdef HAVE_PQC
             if (ssl->hsType == DYNAMIC_TYPE_FALCON) {
                 sig->length = FALCON_MAX_SIG_SIZE;
             }
-        #endif /* HAVE_LIBOQS */
+        #endif /* HAVE_PQC */
 
             /* Advance state and proceed */
             ssl->options.asyncState = TLS_ASYNC_DO;
@@ -6262,7 +6262,7 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl)
                 args->length = (word16)sig->length;
             }
         #endif
-        #ifdef HAVE_LIBOQS
+        #ifdef HAVE_PQC
             if (ssl->hsType == DYNAMIC_TYPE_FALCON) {
                 ret = wc_falcon_sign_msg(args->sigData, args->sigDataSz,
                                          args->verify + HASH_SIG_SIZE +
@@ -6270,7 +6270,7 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl)
                                          (falcon_key*)ssl->hsKey);
                 args->length = (word16)sig->length;
             }
-        #endif /* HAVE_LIBOQS */
+        #endif /* HAVE_PQC */
         #ifndef NO_RSA
             if (ssl->hsType == DYNAMIC_TYPE_RSA) {
                 ret = RsaSign(ssl, sig->buffer, (word32)sig->length,
@@ -6581,7 +6581,7 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
                 goto exit_dcv;
             }
         #endif
-        #ifdef HAVE_LIBOQS
+        #ifdef HAVE_PQC
             if (args->sigAlgo == falcon_level1_sa_algo && !ssl->peerFalconKeyPresent) {
                 WOLFSSL_MSG("Peer sent Falcon Level 1 sig but different cert");
                 ret = SIG_VERIFY_E;
@@ -6664,7 +6664,7 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
                 ret = 0;
             }
        #endif
-       #ifdef HAVE_LIBOQS
+       #ifdef HAVE_PQC
             if (ssl->peerFalconKeyPresent) {
                 WOLFSSL_MSG("Doing Falcon peer cert verify");
 
@@ -6758,7 +6758,7 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
                 }
             }
         #endif
-        #ifdef HAVE_LIBOQS
+        #ifdef HAVE_PQC
             if (ssl->peerFalconKeyPresent) {
                 int res = 0;
                 WOLFSSL_MSG("Doing Falcon peer cert verify");
@@ -8141,7 +8141,7 @@ int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 #endif
 
 #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
-    defined(HAVE_ED448) || defined(HAVE_LIBOQS)
+    defined(HAVE_ED448) || defined(HAVE_PQC)
     case certificate_verify:
         WOLFSSL_MSG("processing certificate verify");
         ret = DoTls13CertificateVerify(ssl, input, inOutIdx, size);
@@ -8579,7 +8579,7 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
         case FIRST_REPLY_THIRD:
         #if (!defined(NO_CERTS) && (!defined(NO_RSA) || defined(HAVE_ECC) || \
              defined(HAVE_ED25519) || defined(HAVE_ED448) || \
-             defined(HAVE_LIBOQS))) && (!defined(NO_WOLFSSL_SERVER) || \
+             defined(HAVE_PQC))) && (!defined(NO_WOLFSSL_SERVER) || \
              !defined(WOLFSSL_NO_CLIENT_AUTH))
             if (!ssl->options.resuming && ssl->options.sendVerify) {
                 ssl->error = SendTls13CertificateVerify(ssl);
@@ -8740,9 +8740,9 @@ int wolfSSL_UseKeyShare(WOLFSSL* ssl, word16 group)
     }
 #endif
 
-#ifdef HAVE_LIBOQS
-    if (group >= WOLFSSL_OQS_MIN &&
-        group <= WOLFSSL_OQS_MAX) {
+#ifdef HAVE_PQC
+    if (group >= WOLFSSL_PQC_MIN &&
+        group <= WOLFSSL_PQC_MAX) {
 
         if (ssl->ctx != NULL && ssl->ctx->method != NULL &&
             ssl->ctx->method->version.minor != TLSv1_3_MINOR) {
@@ -9525,7 +9525,7 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
 
         case TLS13_CERT_SENT :
 #if !defined(NO_CERTS) && (!defined(NO_RSA) || defined(HAVE_ECC) || \
-     defined(HAVE_ED25519) || defined(HAVE_ED448) || defined(HAVE_LIBOQS))
+     defined(HAVE_ED25519) || defined(HAVE_ED448) || defined(HAVE_PQC))
             if (!ssl->options.resuming && ssl->options.sendVerify) {
                 if ((ssl->error = SendTls13CertificateVerify(ssl)) != 0) {
                     WOLFSSL_ERROR(ssl->error);
diff --git a/tests/api.c b/tests/api.c
index 733a3b0dd..8cb037311 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -1463,8 +1463,9 @@ static int test_wolfSSL_CertManagerSetVerify(void)
 
 #if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \
     defined(DEBUG_UNIT_TEST_CERTS)
-/* used when debugging name constraint tests */
-static void DEBUG_WRITE_CERT_X509(WOLFSSL_X509* x509, const char* fileName)
+/* Used when debugging name constraint tests. Not static to allow use in
+ * multiple locations with complex define guards. */
+void DEBUG_WRITE_CERT_X509(WOLFSSL_X509* x509, const char* fileName)
 {
     BIO* out = BIO_new(BIO_s_file());
     if (out != NULL) {
@@ -1474,7 +1475,7 @@ static void DEBUG_WRITE_CERT_X509(WOLFSSL_X509* x509, const char* fileName)
         BIO_free(out);
     }
 }
-static void DEBUG_WRITE_CERT_DER(const byte* der, int derSz, const char* fileName)
+void DEBUG_WRITE_DER(const byte* der, int derSz, const char* fileName)
 {
     BIO* out = BIO_new(BIO_s_file());
     if (out != NULL) {
@@ -1486,7 +1487,7 @@ static void DEBUG_WRITE_CERT_DER(const byte* der, int derSz, const char* fileNam
 }
 #else
 #define DEBUG_WRITE_CERT_X509(x509, fileName)
-#define DEBUG_WRITE_CERT_DER(der, derSz, fileName)
+#define DEBUG_WRITE_DER(der, derSz, fileName)
 #endif
 
 
@@ -1572,7 +1573,7 @@ static void test_wolfSSL_CertManagerNameConstraint(void)
                 WOLFSSL_FILETYPE_ASN1));
 
     AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
-    DEBUG_WRITE_CERT_DER(der, derSz, "ca.der");
+    DEBUG_WRITE_DER(der, derSz, "ca.der");
 
     AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
                 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
@@ -1853,7 +1854,7 @@ static void test_wolfSSL_CertManagerNameConstraint3(void)
     AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
                 WOLFSSL_FILETYPE_ASN1));
     AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
-    DEBUG_WRITE_CERT_DER(der, derSz, "ca.der");
+    DEBUG_WRITE_DER(der, derSz, "ca.der");
 
     AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
                 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
@@ -1968,7 +1969,7 @@ static void test_wolfSSL_CertManagerNameConstraint4(void)
     AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
                 WOLFSSL_FILETYPE_ASN1));
     AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
-    DEBUG_WRITE_CERT_DER(der, derSz, "ca.der");
+    DEBUG_WRITE_DER(der, derSz, "ca.der");
 
     AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
                 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
@@ -2124,7 +2125,7 @@ static void test_wolfSSL_CertManagerNameConstraint5(void)
     AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
                 WOLFSSL_FILETYPE_ASN1));
     AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
-    DEBUG_WRITE_CERT_DER(der, derSz, "ca.der");
+    DEBUG_WRITE_DER(der, derSz, "ca.der");
 
     AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
                 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
@@ -8689,7 +8690,7 @@ static void test_wolfSSL_TBS(void)
     AssertNull(tbs = wolfSSL_X509_get_tbs(NULL, &tbsSz));
     AssertNull(tbs = wolfSSL_X509_get_tbs(x509, NULL));
     AssertNotNull(tbs = wolfSSL_X509_get_tbs(x509, &tbsSz));
-    AssertIntEQ(tbsSz, 981);
+    AssertIntEQ(tbsSz, 1003);
 
     wolfSSL_FreeX509(x509);
 
@@ -18500,7 +18501,7 @@ static int test_RsaDecryptBoundsCheck(void)
         mp_init_copy(&c, &key.n);
         mp_sub_d(&c, 1, &c);
         mp_to_unsigned_bin(&c, flatC);
-        ret = wc_RsaDirect(flatC, sizeof(flatC), out, &outSz, &key,
+        ret = wc_RsaDirect(flatC, flatCSz, out, &outSz, &key,
                            RSA_PRIVATE_DECRYPT, NULL);
         mp_clear(&c);
     }
@@ -20619,6 +20620,20 @@ static int test_wc_DsaKeyToPublicDer(void)
         word32 idx = 0;
         ret = wc_DsaPublicKeyDecode(der, &idx, &genKey, sz);
     }
+    /* Test without the SubjectPublicKeyInfo header */
+    if (ret == 0) {
+        ret = wc_SetDsaPublicKey(der, &genKey, ONEK_BUF, 0);
+        if (ret >= 0) {
+            sz = ret;
+            ret = 0;
+        } else {
+            ret = WOLFSSL_FATAL_ERROR;
+        }
+    }
+    if (ret == 0) {
+        word32 idx = 0;
+        ret = wc_DsaPublicKeyDecode(der, &idx, &genKey, sz);
+    }
 
     /* Test bad args. */
     if (ret == 0) {
@@ -30688,7 +30703,7 @@ static void test_wolfSSL_ASN1_TIME_print(void)
                 sizeof_client_cert_der_2048, WOLFSSL_FILETYPE_ASN1));
     AssertIntEQ(ASN1_TIME_print(bio, X509_get_notBefore(x509)), 1);
     AssertIntEQ(BIO_read(bio, buf, sizeof(buf)), 24);
-    AssertIntEQ(XMEMCMP(buf, "Feb 10 19:49:52 2021 GMT", sizeof(buf) - 1), 0);
+    AssertIntEQ(XMEMCMP(buf, "Dec 20 23:07:24 2021 GMT", sizeof(buf) - 1), 0);
 
     /* create a bad time and test results */
     AssertNotNull(t = X509_get_notAfter(x509));
@@ -36070,208 +36085,115 @@ static void test_wolfSSL_X509_sign2(void)
     time_t t;
 
     const unsigned char expected[] = {
-#ifdef WOLFSSL_AKID_NAME
-        0x30, 0x82, 0x04, 0xfd, 0x30, 0x82, 0x03, 0xe5, 0xa0, 0x03, 0x02, 0x01,
-        0x02, 0x02, 0x09, 0x00, 0xf1, 0x5c, 0x99, 0x43, 0x66, 0x3d, 0x96, 0x04,
-        0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
-        0x0b, 0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
-        0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06,
-        0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e,
-        0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07,
-        0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x11, 0x30, 0x0f, 0x06,
-        0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6f, 0x6f,
-        0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c,
-        0x0a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x31,
+        0x30, 0x82, 0x05, 0x13, 0x30, 0x82, 0x03, 0xfb, 0xa0, 0x03, 0x02, 0x01,
+        0x02, 0x02, 0x14, 0x53, 0x16, 0x7c, 0xa0, 0x56, 0x50, 0x46, 0x27, 0x82,
+        0xed, 0x60, 0xb4, 0xda, 0x33, 0xd8, 0x6a, 0xc0, 0xea, 0xdc, 0x31, 0x30,
+        0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
+        0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
+        0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03,
+        0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61,
+        0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42,
+        0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03,
+        0x55, 0x04, 0x0a, 0x0c, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6f, 0x6f, 0x74,
+        0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0a,
+        0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x31, 0x18,
+        0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77, 0x77,
+        0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d,
+        0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
+        0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f,
+        0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17,
+        0x0d, 0x30, 0x30, 0x30, 0x32, 0x31, 0x35, 0x32, 0x30, 0x33, 0x30, 0x30,
+        0x30, 0x5a, 0x17, 0x0d, 0x30, 0x31, 0x30, 0x32, 0x31, 0x34, 0x32, 0x30,
+        0x33, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x0b, 0x30, 0x09,
+        0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30,
+        0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74,
+        0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07,
+        0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x15, 0x30,
+        0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x77, 0x6f, 0x6c, 0x66,
+        0x53, 0x53, 0x4c, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x31, 0x19, 0x30, 0x17,
+        0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x10, 0x50, 0x72, 0x6f, 0x67, 0x72,
+        0x61, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x2d, 0x32, 0x30, 0x34, 0x38, 0x31,
         0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77,
         0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f,
         0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
         0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77,
-        0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e,
-        0x17, 0x0d, 0x30, 0x30, 0x30, 0x32, 0x31, 0x35, 0x32, 0x30, 0x33, 0x30,
-        0x30, 0x30, 0x5a, 0x17, 0x0d, 0x30, 0x31, 0x30, 0x32, 0x31, 0x34, 0x32,
-        0x30, 0x33, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x0b, 0x30,
-        0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10,
-        0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e,
-        0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04,
-        0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x15,
-        0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x77, 0x6f, 0x6c,
-        0x66, 0x53, 0x53, 0x4c, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x31, 0x19, 0x30,
-        0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x10, 0x50, 0x72, 0x6f, 0x67,
-        0x72, 0x61, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x2d, 0x32, 0x30, 0x34, 0x38,
-        0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77,
-        0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63,
-        0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
-        0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40,
-        0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30,
-        0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
-        0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
-        0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc3, 0x03, 0xd1, 0x2b,
-        0xfe, 0x39, 0xa4, 0x32, 0x45, 0x3b, 0x53, 0xc8, 0x84, 0x2b, 0x2a, 0x7c,
-        0x74, 0x9a, 0xbd, 0xaa, 0x2a, 0x52, 0x07, 0x47, 0xd6, 0xa6, 0x36, 0xb2,
-        0x07, 0x32, 0x8e, 0xd0, 0xba, 0x69, 0x7b, 0xc6, 0xc3, 0x44, 0x9e, 0xd4,
-        0x81, 0x48, 0xfd, 0x2d, 0x68, 0xa2, 0x8b, 0x67, 0xbb, 0xa1, 0x75, 0xc8,
-        0x36, 0x2c, 0x4a, 0xd2, 0x1b, 0xf7, 0x8b, 0xba, 0xcf, 0x0d, 0xf9, 0xef,
-        0xec, 0xf1, 0x81, 0x1e, 0x7b, 0x9b, 0x03, 0x47, 0x9a, 0xbf, 0x65, 0xcc,
-        0x7f, 0x65, 0x24, 0x69, 0xa6, 0xe8, 0x14, 0x89, 0x5b, 0xe4, 0x34, 0xf7,
-        0xc5, 0xb0, 0x14, 0x93, 0xf5, 0x67, 0x7b, 0x3a, 0x7a, 0x78, 0xe1, 0x01,
-        0x56, 0x56, 0x91, 0xa6, 0x13, 0x42, 0x8d, 0xd2, 0x3c, 0x40, 0x9c, 0x4c,
-        0xef, 0xd1, 0x86, 0xdf, 0x37, 0x51, 0x1b, 0x0c, 0xa1, 0x3b, 0xf5, 0xf1,
-        0xa3, 0x4a, 0x35, 0xe4, 0xe1, 0xce, 0x96, 0xdf, 0x1b, 0x7e, 0xbf, 0x4e,
-        0x97, 0xd0, 0x10, 0xe8, 0xa8, 0x08, 0x30, 0x81, 0xaf, 0x20, 0x0b, 0x43,
-        0x14, 0xc5, 0x74, 0x67, 0xb4, 0x32, 0x82, 0x6f, 0x8d, 0x86, 0xc2, 0x88,
-        0x40, 0x99, 0x36, 0x83, 0xba, 0x1e, 0x40, 0x72, 0x22, 0x17, 0xd7, 0x52,
-        0x65, 0x24, 0x73, 0xb0, 0xce, 0xef, 0x19, 0xcd, 0xae, 0xff, 0x78, 0x6c,
-        0x7b, 0xc0, 0x12, 0x03, 0xd4, 0x4e, 0x72, 0x0d, 0x50, 0x6d, 0x3b, 0xa3,
-        0x3b, 0xa3, 0x99, 0x5e, 0x9d, 0xc8, 0xd9, 0x0c, 0x85, 0xb3, 0xd9, 0x8a,
-        0xd9, 0x54, 0x26, 0xdb, 0x6d, 0xfa, 0xac, 0xbb, 0xff, 0x25, 0x4c, 0xc4,
-        0xd1, 0x79, 0xf4, 0x71, 0xd3, 0x86, 0x40, 0x18, 0x13, 0xb0, 0x63, 0xb5,
-        0x72, 0x4e, 0x30, 0xc4, 0x97, 0x84, 0x86, 0x2d, 0x56, 0x2f, 0xd7, 0x15,
-        0xf7, 0x7f, 0xc0, 0xae, 0xf5, 0xfc, 0x5b, 0xe5, 0xfb, 0xa1, 0xba, 0xd3,
-        0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x44, 0x30, 0x82, 0x01,
-        0x40, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03,
-        0x01, 0x01, 0xff, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x15,
-        0x30, 0x13, 0x82, 0x0b, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e,
-        0x63, 0x6f, 0x6d, 0x87, 0x04, 0x7f, 0x00, 0x00, 0x01, 0x30, 0x1d, 0x06,
-        0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x33, 0xd8, 0x45, 0x66,
-        0xd7, 0x68, 0x87, 0x18, 0x7e, 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26,
-        0xd7, 0x85, 0x65, 0xc0, 0x30, 0x81, 0xd3, 0x06, 0x03, 0x55, 0x1d, 0x23,
-        0x04, 0x81, 0xcb, 0x30, 0x81, 0xc8, 0x80, 0x14, 0x33, 0xd8, 0x45, 0x66,
-        0xd7, 0x68, 0x87, 0x18, 0x7e, 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26,
-        0xd7, 0x85, 0x65, 0xc0, 0xa1, 0x81, 0xa4, 0xa4, 0x81, 0xa1, 0x30, 0x81,
-        0x9e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-        0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c,
-        0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e,
-        0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d,
-        0x61, 0x6e, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c,
-        0x0c, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x5f, 0x32, 0x30, 0x34,
-        0x38, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x10,
-        0x50, 0x72, 0x6f, 0x67, 0x72, 0x61, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x2d,
-        0x32, 0x30, 0x34, 0x38, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04,
-        0x03, 0x0c, 0x0f, 0x77, 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73,
-        0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09,
-        0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69,
-        0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e,
-        0x63, 0x6f, 0x6d, 0x82, 0x09, 0x00, 0xf1, 0x5c, 0x99, 0x43, 0x66, 0x3d,
-        0x96, 0x04, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30,
-        0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06,
-        0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0d, 0x06,
-        0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
-        0x03, 0x82, 0x01, 0x01, 0x00, 0x59, 0x2e, 0xd1, 0xec, 0xbc, 0x99, 0xfe,
-        0x50, 0x38, 0x47, 0x47, 0x88, 0x51, 0xcf, 0xe4, 0x88, 0x76, 0xdf, 0x89,
-        0x8f, 0xea, 0x91, 0xbc, 0xd6, 0xc6, 0x91, 0xc9, 0xcc, 0x33, 0x77, 0x5d,
-        0xdd, 0x4b, 0xc9, 0xf6, 0x10, 0x54, 0xe2, 0x04, 0x89, 0x51, 0xdb, 0xe1,
-        0x00, 0x0c, 0x61, 0x03, 0x26, 0x86, 0x35, 0xac, 0x96, 0x23, 0x9d, 0xef,
-        0xd9, 0x95, 0xe4, 0xb4, 0x83, 0x9e, 0x0f, 0x47, 0x30, 0x08, 0x96, 0x28,
-        0x7f, 0x2d, 0xe3, 0x23, 0x30, 0x3b, 0xb0, 0x46, 0xe8, 0x21, 0x78, 0xb4,
-        0xc0, 0xbc, 0x9f, 0x60, 0x02, 0xd4, 0x16, 0x2d, 0xe5, 0x5a, 0x00, 0x65,
-        0x15, 0x95, 0x81, 0x93, 0x80, 0x06, 0x3e, 0xf7, 0xdf, 0x0c, 0x2b, 0x3f,
-        0x14, 0xfc, 0xc3, 0x79, 0xfd, 0x59, 0x5c, 0xa7, 0xc3, 0xe0, 0xa8, 0xd4,
-        0x53, 0x4f, 0x13, 0x0a, 0xa3, 0xfe, 0x1d, 0x63, 0x4e, 0x84, 0xb2, 0x98,
-        0x19, 0x06, 0xe0, 0x60, 0x3a, 0xc9, 0x49, 0x73, 0x00, 0xe3, 0x72, 0x2f,
-        0x68, 0x27, 0x9f, 0x14, 0x18, 0xb7, 0x57, 0xb9, 0x1d, 0xa8, 0xb3, 0x05,
-        0x6c, 0xf5, 0x4b, 0x0e, 0xac, 0x26, 0x7a, 0xfe, 0xc1, 0xab, 0x1f, 0x27,
-        0xf1, 0x1e, 0x21, 0x33, 0x31, 0xb6, 0x43, 0xb0, 0xf8, 0x74, 0x69, 0x6a,
-        0xb1, 0x9b, 0xcb, 0xe4, 0xd3, 0xa2, 0x8e, 0x8a, 0x55, 0xef, 0x81, 0xf3,
-        0x4a, 0x44, 0x90, 0x4d, 0x08, 0xb8, 0x31, 0x90, 0x1a, 0x82, 0x52, 0x56,
-        0xeb, 0xf0, 0x50, 0x5b, 0x9f, 0x87, 0x98, 0x54, 0xfe, 0x6a, 0x60, 0x41,
-        0x16, 0xdb, 0xdc, 0xff, 0x89, 0x4c, 0x98, 0x00, 0xb1, 0x87, 0x6c, 0xe7,
-        0xec, 0xba, 0x3b, 0xa4, 0xfe, 0xa1, 0xfd, 0x26, 0x19, 0x7c, 0x2d, 0x14,
-        0x91, 0x91, 0x61, 0x30, 0x3e, 0xf4, 0x5c, 0x97, 0x4c, 0x06, 0x84, 0xab,
-        0x94, 0xa8, 0x17, 0x6c, 0xec, 0x19, 0xc0, 0x87, 0xd0
-#else
-        0x30, 0x82, 0x04, 0x46, 0x30, 0x82, 0x03, 0x2e, 0xa0, 0x03, 0x02, 0x01,
-        0x02, 0x02, 0x09, 0x00, 0xf1, 0x5c, 0x99, 0x43, 0x66, 0x3d, 0x96, 0x04,
-        0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
-        0x0b, 0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
-        0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06,
-        0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e,
-        0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07,
-        0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x11, 0x30, 0x0f, 0x06,
-        0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6f, 0x6f,
-        0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c,
-        0x0a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x31,
-        0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77,
-        0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f,
-        0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
-        0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77,
-        0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e,
-        0x17, 0x0d, 0x30, 0x30, 0x30, 0x32, 0x31, 0x35, 0x32, 0x30, 0x33, 0x30,
-        0x30, 0x30, 0x5a, 0x17, 0x0d, 0x30, 0x31, 0x30, 0x32, 0x31, 0x34, 0x32,
-        0x30, 0x33, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x0b, 0x30,
-        0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10,
-        0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e,
-        0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04,
-        0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x15,
-        0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x77, 0x6f, 0x6c,
-        0x66, 0x53, 0x53, 0x4c, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x31, 0x19, 0x30,
-        0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x10, 0x50, 0x72, 0x6f, 0x67,
-        0x72, 0x61, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x2d, 0x32, 0x30, 0x34, 0x38,
-        0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77,
-        0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63,
-        0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
-        0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40,
-        0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30,
-        0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
-        0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
-        0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc3, 0x03, 0xd1, 0x2b,
-        0xfe, 0x39, 0xa4, 0x32, 0x45, 0x3b, 0x53, 0xc8, 0x84, 0x2b, 0x2a, 0x7c,
-        0x74, 0x9a, 0xbd, 0xaa, 0x2a, 0x52, 0x07, 0x47, 0xd6, 0xa6, 0x36, 0xb2,
-        0x07, 0x32, 0x8e, 0xd0, 0xba, 0x69, 0x7b, 0xc6, 0xc3, 0x44, 0x9e, 0xd4,
-        0x81, 0x48, 0xfd, 0x2d, 0x68, 0xa2, 0x8b, 0x67, 0xbb, 0xa1, 0x75, 0xc8,
-        0x36, 0x2c, 0x4a, 0xd2, 0x1b, 0xf7, 0x8b, 0xba, 0xcf, 0x0d, 0xf9, 0xef,
-        0xec, 0xf1, 0x81, 0x1e, 0x7b, 0x9b, 0x03, 0x47, 0x9a, 0xbf, 0x65, 0xcc,
-        0x7f, 0x65, 0x24, 0x69, 0xa6, 0xe8, 0x14, 0x89, 0x5b, 0xe4, 0x34, 0xf7,
-        0xc5, 0xb0, 0x14, 0x93, 0xf5, 0x67, 0x7b, 0x3a, 0x7a, 0x78, 0xe1, 0x01,
-        0x56, 0x56, 0x91, 0xa6, 0x13, 0x42, 0x8d, 0xd2, 0x3c, 0x40, 0x9c, 0x4c,
-        0xef, 0xd1, 0x86, 0xdf, 0x37, 0x51, 0x1b, 0x0c, 0xa1, 0x3b, 0xf5, 0xf1,
-        0xa3, 0x4a, 0x35, 0xe4, 0xe1, 0xce, 0x96, 0xdf, 0x1b, 0x7e, 0xbf, 0x4e,
-        0x97, 0xd0, 0x10, 0xe8, 0xa8, 0x08, 0x30, 0x81, 0xaf, 0x20, 0x0b, 0x43,
-        0x14, 0xc5, 0x74, 0x67, 0xb4, 0x32, 0x82, 0x6f, 0x8d, 0x86, 0xc2, 0x88,
-        0x40, 0x99, 0x36, 0x83, 0xba, 0x1e, 0x40, 0x72, 0x22, 0x17, 0xd7, 0x52,
-        0x65, 0x24, 0x73, 0xb0, 0xce, 0xef, 0x19, 0xcd, 0xae, 0xff, 0x78, 0x6c,
-        0x7b, 0xc0, 0x12, 0x03, 0xd4, 0x4e, 0x72, 0x0d, 0x50, 0x6d, 0x3b, 0xa3,
-        0x3b, 0xa3, 0x99, 0x5e, 0x9d, 0xc8, 0xd9, 0x0c, 0x85, 0xb3, 0xd9, 0x8a,
-        0xd9, 0x54, 0x26, 0xdb, 0x6d, 0xfa, 0xac, 0xbb, 0xff, 0x25, 0x4c, 0xc4,
-        0xd1, 0x79, 0xf4, 0x71, 0xd3, 0x86, 0x40, 0x18, 0x13, 0xb0, 0x63, 0xb5,
-        0x72, 0x4e, 0x30, 0xc4, 0x97, 0x84, 0x86, 0x2d, 0x56, 0x2f, 0xd7, 0x15,
-        0xf7, 0x7f, 0xc0, 0xae, 0xf5, 0xfc, 0x5b, 0xe5, 0xfb, 0xa1, 0xba, 0xd3,
-        0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0x8e, 0x30, 0x81, 0x8b, 0x30,
-        0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01,
-        0xff, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x15, 0x30, 0x13,
-        0x82, 0x0b, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f,
-        0x6d, 0x87, 0x04, 0x7f, 0x00, 0x00, 0x01, 0x30, 0x1d, 0x06, 0x03, 0x55,
-        0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x33, 0xd8, 0x45, 0x66, 0xd7, 0x68,
-        0x87, 0x18, 0x7e, 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, 0xd7, 0x85,
-        0x65, 0xc0, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,
-        0x16, 0x80, 0x14, 0x33, 0xd8, 0x45, 0x66, 0xd7, 0x68, 0x87, 0x18, 0x7e,
-        0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, 0xd7, 0x85, 0x65, 0xc0, 0x30,
-        0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08,
-        0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06,
-        0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
-        0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01,
-        0x01, 0x00, 0x98, 0x2a, 0x3d, 0x94, 0x37, 0xae, 0xd6, 0x28, 0x12, 0xed,
-        0x6d, 0x95, 0xc9, 0x05, 0x89, 0x4b, 0x5c, 0x5e, 0x88, 0xed, 0x9e, 0x14,
-        0x89, 0x79, 0x65, 0x7b, 0x5c, 0xdb, 0xcd, 0x21, 0xc5, 0xfc, 0x7a, 0x05,
-        0xd2, 0x33, 0x54, 0xa1, 0x1b, 0xb2, 0xc6, 0xd8, 0x3e, 0x88, 0x7d, 0x58,
-        0xfd, 0xd0, 0xca, 0x71, 0x58, 0xd5, 0x37, 0x81, 0xe0, 0xef, 0x65, 0xfc,
-        0x1b, 0xf1, 0x5d, 0xdd, 0x26, 0x68, 0x12, 0xfb, 0x12, 0x24, 0xd5, 0x45,
-        0x4f, 0x41, 0xad, 0xee, 0x3f, 0x16, 0x40, 0xb2, 0x59, 0xe6, 0x5b, 0x76,
-        0xe7, 0x47, 0x11, 0xa4, 0xe1, 0x2f, 0x0d, 0xe8, 0x13, 0x13, 0x49, 0xb0,
-        0x01, 0x11, 0x15, 0xb5, 0xb3, 0x93, 0x4f, 0x28, 0xdc, 0xd0, 0x30, 0x03,
-        0x48, 0x02, 0x95, 0x2d, 0xd9, 0x26, 0x87, 0x1f, 0x19, 0xa1, 0x03, 0x5c,
-        0x7c, 0xde, 0x54, 0xd4, 0x98, 0x85, 0x34, 0xcc, 0x54, 0xf1, 0x24, 0x43,
-        0xa6, 0x87, 0xfa, 0xb6, 0x62, 0xee, 0xa3, 0x4a, 0xb3, 0xce, 0x1c, 0x2e,
-        0xbf, 0x94, 0xef, 0x4c, 0x75, 0x75, 0x55, 0x1d, 0xc9, 0xc2, 0xe4, 0xe5,
-        0x24, 0xb2, 0x0a, 0x93, 0xf0, 0xff, 0x2e, 0x43, 0x99, 0xad, 0x4e, 0x83,
-        0x11, 0x52, 0xf4, 0xb9, 0x92, 0x30, 0xe1, 0x02, 0x2f, 0xa5, 0xf2, 0x21,
-        0xb1, 0xf4, 0xe9, 0x57, 0xbd, 0xba, 0x17, 0x56, 0xd7, 0x31, 0xcb, 0x63,
-        0xa3, 0xd5, 0xcf, 0xc9, 0xd9, 0xa6, 0x4f, 0x51, 0x6c, 0x52, 0x4c, 0x53,
-        0x88, 0x9a, 0x2e, 0xb9, 0x72, 0x02, 0x6e, 0x1b, 0x21, 0x93, 0xa1, 0x88,
-        0x1b, 0x35, 0x0e, 0x9e, 0x2b, 0x63, 0x81, 0xba, 0xb4, 0x6b, 0x28, 0x01,
-        0x56, 0xe1, 0x0e, 0x13, 0x73, 0xf6, 0xd6, 0xa0, 0xd2, 0xfd, 0xc9, 0x4d,
-        0xbd, 0xa8, 0xa9, 0x22, 0x9e, 0xc7, 0x13, 0x76, 0x5a, 0x9c, 0xd3, 0x9a,
-        0xf4, 0x0c, 0x52, 0xe6, 0x47, 0xcb
-#endif
+        0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82,
+        0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
+        0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
+        0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc3, 0x03, 0xd1, 0x2b, 0xfe,
+        0x39, 0xa4, 0x32, 0x45, 0x3b, 0x53, 0xc8, 0x84, 0x2b, 0x2a, 0x7c, 0x74,
+        0x9a, 0xbd, 0xaa, 0x2a, 0x52, 0x07, 0x47, 0xd6, 0xa6, 0x36, 0xb2, 0x07,
+        0x32, 0x8e, 0xd0, 0xba, 0x69, 0x7b, 0xc6, 0xc3, 0x44, 0x9e, 0xd4, 0x81,
+        0x48, 0xfd, 0x2d, 0x68, 0xa2, 0x8b, 0x67, 0xbb, 0xa1, 0x75, 0xc8, 0x36,
+        0x2c, 0x4a, 0xd2, 0x1b, 0xf7, 0x8b, 0xba, 0xcf, 0x0d, 0xf9, 0xef, 0xec,
+        0xf1, 0x81, 0x1e, 0x7b, 0x9b, 0x03, 0x47, 0x9a, 0xbf, 0x65, 0xcc, 0x7f,
+        0x65, 0x24, 0x69, 0xa6, 0xe8, 0x14, 0x89, 0x5b, 0xe4, 0x34, 0xf7, 0xc5,
+        0xb0, 0x14, 0x93, 0xf5, 0x67, 0x7b, 0x3a, 0x7a, 0x78, 0xe1, 0x01, 0x56,
+        0x56, 0x91, 0xa6, 0x13, 0x42, 0x8d, 0xd2, 0x3c, 0x40, 0x9c, 0x4c, 0xef,
+        0xd1, 0x86, 0xdf, 0x37, 0x51, 0x1b, 0x0c, 0xa1, 0x3b, 0xf5, 0xf1, 0xa3,
+        0x4a, 0x35, 0xe4, 0xe1, 0xce, 0x96, 0xdf, 0x1b, 0x7e, 0xbf, 0x4e, 0x97,
+        0xd0, 0x10, 0xe8, 0xa8, 0x08, 0x30, 0x81, 0xaf, 0x20, 0x0b, 0x43, 0x14,
+        0xc5, 0x74, 0x67, 0xb4, 0x32, 0x82, 0x6f, 0x8d, 0x86, 0xc2, 0x88, 0x40,
+        0x99, 0x36, 0x83, 0xba, 0x1e, 0x40, 0x72, 0x22, 0x17, 0xd7, 0x52, 0x65,
+        0x24, 0x73, 0xb0, 0xce, 0xef, 0x19, 0xcd, 0xae, 0xff, 0x78, 0x6c, 0x7b,
+        0xc0, 0x12, 0x03, 0xd4, 0x4e, 0x72, 0x0d, 0x50, 0x6d, 0x3b, 0xa3, 0x3b,
+        0xa3, 0x99, 0x5e, 0x9d, 0xc8, 0xd9, 0x0c, 0x85, 0xb3, 0xd9, 0x8a, 0xd9,
+        0x54, 0x26, 0xdb, 0x6d, 0xfa, 0xac, 0xbb, 0xff, 0x25, 0x4c, 0xc4, 0xd1,
+        0x79, 0xf4, 0x71, 0xd3, 0x86, 0x40, 0x18, 0x13, 0xb0, 0x63, 0xb5, 0x72,
+        0x4e, 0x30, 0xc4, 0x97, 0x84, 0x86, 0x2d, 0x56, 0x2f, 0xd7, 0x15, 0xf7,
+        0x7f, 0xc0, 0xae, 0xf5, 0xfc, 0x5b, 0xe5, 0xfb, 0xa1, 0xba, 0xd3, 0x02,
+        0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x4f, 0x30, 0x82, 0x01, 0x4b,
+        0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01,
+        0x01, 0xff, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x15, 0x30,
+        0x13, 0x82, 0x0b, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63,
+        0x6f, 0x6d, 0x87, 0x04, 0x7f, 0x00, 0x00, 0x01, 0x30, 0x1d, 0x06, 0x03,
+        0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x33, 0xd8, 0x45, 0x66, 0xd7,
+        0x68, 0x87, 0x18, 0x7e, 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, 0xd7,
+        0x85, 0x65, 0xc0, 0x30, 0x81, 0xde, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
+        0x81, 0xd6, 0x30, 0x81, 0xd3, 0x80, 0x14, 0x33, 0xd8, 0x45, 0x66, 0xd7,
+        0x68, 0x87, 0x18, 0x7e, 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, 0xd7,
+        0x85, 0x65, 0xc0, 0xa1, 0x81, 0xa4, 0xa4, 0x81, 0xa1, 0x30, 0x81, 0x9e,
+        0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
+        0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07,
+        0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06,
+        0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61,
+        0x6e, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c,
+        0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x5f, 0x32, 0x30, 0x34, 0x38,
+        0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x10, 0x50,
+        0x72, 0x6f, 0x67, 0x72, 0x61, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x2d, 0x32,
+        0x30, 0x34, 0x38, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03,
+        0x0c, 0x0f, 0x77, 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73,
+        0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a,
+        0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e,
+        0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63,
+        0x6f, 0x6d, 0x82, 0x14, 0x53, 0x16, 0x7c, 0xa0, 0x56, 0x50, 0x46, 0x27,
+        0x82, 0xed, 0x60, 0xb4, 0xda, 0x33, 0xd8, 0x6a, 0xc0, 0xea, 0xdc, 0x31,
+        0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06,
+        0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b,
+        0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a,
+        0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
+        0x01, 0x01, 0x00, 0x53, 0xba, 0xa1, 0xe4, 0x1b, 0x63, 0xea, 0x3d, 0x7a,
+        0x6c, 0x21, 0xfb, 0x08, 0xb4, 0x42, 0x1d, 0xbc, 0xe6, 0x16, 0xd5, 0x3a,
+        0x66, 0x1f, 0x8b, 0x7f, 0x9d, 0x89, 0x6b, 0xcc, 0x7e, 0xa6, 0x13, 0x95,
+        0x94, 0x3f, 0xff, 0x0a, 0x0c, 0xca, 0xde, 0xa1, 0xf3, 0x97, 0xb4, 0xf9,
+        0xf8, 0x2b, 0x5f, 0x02, 0x6a, 0xbb, 0x65, 0xd1, 0x49, 0x6c, 0xaf, 0x99,
+        0xeb, 0x24, 0x7a, 0xd5, 0x4d, 0x8e, 0x7f, 0x12, 0xbc, 0x9b, 0x45, 0x38,
+        0x76, 0x5e, 0xe5, 0x3e, 0x84, 0x49, 0x8d, 0xa4, 0xdb, 0xa5, 0x70, 0x15,
+        0xc7, 0xc5, 0x9d, 0x5a, 0xac, 0xfb, 0x9e, 0x00, 0xf5, 0xde, 0xa2, 0x3d,
+        0x10, 0x64, 0x60, 0xeb, 0x15, 0x9e, 0x70, 0x7e, 0xf9, 0x05, 0xe2, 0x71,
+        0xaf, 0xe8, 0xf0, 0x98, 0xa6, 0x57, 0x0b, 0xfd, 0x63, 0x58, 0xa2, 0xf7,
+        0x71, 0xdd, 0xb1, 0xc6, 0x76, 0x85, 0x12, 0x2b, 0x38, 0x18, 0xc9, 0x90,
+        0x77, 0x78, 0x2a, 0xc1, 0x22, 0x88, 0x5e, 0xab, 0xbb, 0xcf, 0xf5, 0xe0,
+        0x67, 0x1c, 0x2f, 0x62, 0x18, 0x1d, 0x9d, 0x22, 0x08, 0x87, 0x31, 0x77,
+        0x47, 0x8b, 0x5e, 0x94, 0x3a, 0xb6, 0x99, 0xb4, 0x9d, 0x52, 0x8d, 0xb1,
+        0xdc, 0xbe, 0x9c, 0x46, 0xde, 0xbe, 0xb1, 0xd8, 0xef, 0x65, 0x9c, 0xe3,
+        0xcb, 0xea, 0x0b, 0xec, 0x36, 0xf6, 0xbb, 0x9c, 0x5f, 0x64, 0x9f, 0xfc,
+        0x55, 0xc3, 0xf5, 0xab, 0x44, 0xd1, 0x89, 0x2f, 0x92, 0x9b, 0xa1, 0x93,
+        0x46, 0x8c, 0xbe, 0xcf, 0x03, 0xff, 0x24, 0x74, 0x37, 0xdd, 0x30, 0x82,
+        0xf6, 0x9f, 0xba, 0x15, 0xfe, 0xb5, 0x62, 0x83, 0x20, 0x9d, 0x3a, 0x26,
+        0x11, 0x1b, 0xa0, 0xcd, 0xa1, 0x43, 0x28, 0xc7, 0x06, 0x55, 0x69, 0x26,
+        0x90, 0x57, 0xb7, 0xd0, 0x5b, 0x8d, 0xee, 0x2e, 0x82, 0xee, 0x3f, 0xe7,
+        0xe2, 0x47, 0x25, 0x98, 0x9c, 0x83, 0x10
     };
 
     printf(testingFmt, "wolfSSL_X509_sign2");
@@ -36414,9 +36336,12 @@ static void test_wolfSSL_X509_sign(void)
 
     AssertIntEQ(wolfSSL_X509_get_serial_number(x509, sn, &snSz),
                 WOLFSSL_SUCCESS);
-    DEBUG_WRITE_CERT_X509(x509, "signed.der");
+    DEBUG_WRITE_CERT_X509(x509, "signed.pem");
 
-    /* Variation in size depends on ASN.1 encoding when MSB is set */
+    /* Variation in size depends on ASN.1 encoding when MSB is set.
+     * WOLFSSL_ASN_TEMPLATE code does not generate a serial number
+     * with the MSB set. See GenerateInteger in asn.c */
+#ifndef USE_CERT_BUFFERS_1024
 #ifndef WOLFSSL_ALT_NAMES
     /* Valid case - size should be 798-797 with 16 byte serial number */
     AssertTrue((ret == 781 + snSz) || (ret == 782 + snSz));
@@ -36426,6 +36351,18 @@ static void test_wolfSSL_X509_sign(void)
 #else
     /* Valid case - size should be 926-927 with 16 byte serial number */
     AssertTrue((ret == 910 + snSz) || (ret == 911 + snSz));
+#endif
+#else
+#ifndef WOLFSSL_ALT_NAMES
+    /* Valid case - size should be 537-538 with 16 byte serial number */
+    AssertTrue((ret == 521 + snSz) || (ret == 522 + snSz));
+#elif defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
+    /* Valid case - size should be 695-696 with 16 byte serial number */
+    AssertTrue((ret == 679 + snSz) || (ret == 680 + snSz));
+#else
+    /* Valid case - size should be 666-667 with 16 byte serial number */
+    AssertTrue((ret == 650 + snSz) || (ret == 651 + snSz));
+#endif
 #endif
     /* check that issuer name is as expected after signature */
     InitDecodedCert(&dCert, certIssuer, (word32)certIssuerSz, 0);
@@ -36852,6 +36789,7 @@ static void test_wolfSSL_X509_PUBKEY_DSA(void)
     AssertIntEQ(pptype, V_ASN1_SEQUENCE);
     AssertIntEQ(OBJ_obj2nid(pa_oid), EVP_PKEY_DSA);
     str = (ASN1_STRING *)pval;
+    DEBUG_WRITE_DER(ASN1_STRING_data(str), ASN1_STRING_length(str), "str.der");
 #ifdef USE_CERT_BUFFERS_1024
     AssertIntEQ(ASN1_STRING_length(str), 291);
 #else
@@ -42839,12 +42777,12 @@ static void test_wolfSSL_EVP_PKEY_set1_get1_DSA(void)
     word32  bytes;
     int     answer;
 #ifdef USE_CERT_BUFFERS_1024
-    const unsigned char* dsaKeyDer = dsa_key_der1024;
+    const unsigned char* dsaKeyDer = dsa_key_der_1024;
     int dsaKeySz  = sizeof_dsa_key_der_1024;
     byte    tmp[ONEK_BUF];
     XMEMSET(tmp, 0, sizeof(tmp));
     XMEMCPY(tmp, dsaKeyDer , dsaKeySz);
-    bytes = dsa_key_der_sz;
+    bytes = dsaKeySz;
 #elif defined(USE_CERT_BUFFERS_2048)
     const unsigned char* dsaKeyDer = dsa_key_der_2048;
     int dsaKeySz  = sizeof_dsa_key_der_2048;
@@ -42853,16 +42791,15 @@ static void test_wolfSSL_EVP_PKEY_set1_get1_DSA(void)
     XMEMCPY(tmp, dsaKeyDer , dsaKeySz);
     bytes = dsaKeySz;
 #else
-    const unsigned char* dsaKeyDer = dsa_key_der_2048;
-    int dsaKeySz  = sizeof_dsa_key_der_2048;
     byte    tmp[TWOK_BUF];
+    const unsigned char* dsaKeyDer = (const unsigned char*)tmp;
+    int dsaKeySz;
     XMEMSET(tmp, 0, sizeof(tmp));
-    XMEMCPY(tmp, dsaKeyDer , dsaKeySz);
-    XFILE fp = XOPEN("./certs/dsa2048.der", "rb");
+    XFILE fp = XFOPEN("./certs/dsa2048.der", "rb");
     if (fp == XBADFILE) {
         return WOLFSSL_BAD_FILE;
     }
-    bytes = (word32) XFREAD(tmp, 1, sizeof(tmp), fp);
+    dsaKeySz = bytes = (word32) XFREAD(tmp, 1, sizeof(tmp), fp);
     XFCLOSE(fp);
 #endif /* END USE_CERT_BUFFERS_1024 */
 
@@ -42886,7 +42823,11 @@ static void test_wolfSSL_EVP_PKEY_set1_get1_DSA(void)
     AssertNotNull(dsa = EVP_PKEY_get0_DSA(pkey));
     AssertNotNull(dsa = EVP_PKEY_get1_DSA(pkey));
 
+#ifdef USE_CERT_BUFFERS_1024
+    AssertIntEQ(DSA_bits(dsa), 1024);
+#else
     AssertIntEQ(DSA_bits(dsa), 2048);
+#endif
 
     /* Sign */
     AssertIntEQ(wolfSSL_DSA_do_sign(hash, signature, dsa), WOLFSSL_SUCCESS);
@@ -46591,6 +46532,7 @@ static void test_X509_REQ(void)
     EVP_PKEY* priv;
     EVP_PKEY* pub;
     unsigned char* der = NULL;
+    int len;
 #endif
 #ifndef NO_RSA
     EVP_MD_CTX *mctx = NULL;
@@ -46606,7 +46548,6 @@ static void test_X509_REQ(void)
 #ifdef HAVE_ECC
     const unsigned char* ecPriv = (const unsigned char*)ecc_clikey_der_256;
     const unsigned char* ecPub = (unsigned char*)ecc_clikeypub_der_256;
-    int len;
 #endif
 
     AssertNotNull(name = X509_NAME_new());
@@ -46633,7 +46574,13 @@ static void test_X509_REQ(void)
     AssertIntEQ(X509_REQ_sign(req, NULL, EVP_sha256()), WOLFSSL_FAILURE);
     AssertIntEQ(X509_REQ_sign(req, priv, NULL), WOLFSSL_FAILURE);
     AssertIntEQ(X509_REQ_sign(req, priv, EVP_sha256()), WOLFSSL_SUCCESS);
-    AssertIntEQ(i2d_X509_REQ(req, &der), 643);
+    len = i2d_X509_REQ(req, &der);
+    DEBUG_WRITE_DER(der, len, "req.der");
+#ifdef USE_CERT_BUFFERS_1024
+    AssertIntEQ(len, 381);
+#else
+    AssertIntEQ(len, 643);
+#endif
     XFREE(der, NULL, DYNAMIC_TYPE_OPENSSL);
     der = NULL;
 
@@ -46723,7 +46670,7 @@ static void test_wolfssl_PKCS7(void)
     pkcs7->hashOID = SHAh;
     AssertNotNull(bio = BIO_new(BIO_s_mem()));
     AssertIntEQ(i2d_PKCS7_bio(bio, pkcs7), 1);
-    AssertIntEQ(i2d_PKCS7(pkcs7, &out), 644);
+    AssertIntEQ(i2d_PKCS7(pkcs7, &out), 655);
     XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     BIO_free(bio);
 #endif
@@ -47079,7 +47026,7 @@ static int test_tls13_apis(void)
 #endif
 #if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
     int          groups[2] = { WOLFSSL_ECC_SECP256R1,
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
                                WOLFSSL_SABER_LEVEL3
 #else
                                WOLFSSL_ECC_SECP256R1
@@ -47099,11 +47046,11 @@ static int test_tls13_apis(void)
 #endif
 #if (!defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
             "P-256"
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
             ":P256_SABER_LEVEL1"
 #endif
 #endif
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
             ":KYBER_LEVEL1"
 #endif
             "";
@@ -47209,7 +47156,7 @@ static int test_tls13_apis(void)
 #endif
 #endif
 
-#if defined(HAVE_LIBOQS)
+#if defined(HAVE_PQC)
     AssertIntEQ(wolfSSL_UseKeyShare(NULL, WOLFSSL_KYBER_LEVEL3), BAD_FUNC_ARG);
 #ifndef NO_WOLFSSL_SERVER
     AssertIntEQ(wolfSSL_UseKeyShare(serverSsl, WOLFSSL_KYBER_LEVEL3),
@@ -49520,13 +49467,13 @@ static void test_wolfSSL_ASN1_get_object(void)
     /* Read a couple TLV triplets and make sure they match the expected values */
 
     AssertIntEQ(ASN1_get_object(&derBuf, &asnLen, &tag, &cls, len) & 0x80, 0);
-    AssertIntEQ(asnLen, 841);
+    AssertIntEQ(asnLen, 862);
     AssertIntEQ(tag, 0x10);
     AssertIntEQ(cls, 0);
 
     AssertIntEQ(ASN1_get_object(&derBuf, &asnLen, &tag, &cls,
             len - (derBuf - cliecc_cert_der_256)) & 0x80, 0);
-    AssertIntEQ(asnLen, 750);
+    AssertIntEQ(asnLen, 772);
     AssertIntEQ(tag, 0x10);
     AssertIntEQ(cls, 0);
 
@@ -49545,7 +49492,7 @@ static void test_wolfSSL_ASN1_get_object(void)
 
     AssertIntEQ(ASN1_get_object(&derBuf, &asnLen, &tag, &cls,
             len - (derBuf - cliecc_cert_der_256)) & 0x80, 0);
-    AssertIntEQ(asnLen, 9);
+    AssertIntEQ(asnLen, 20);
     AssertIntEQ(tag, 0x2);
     AssertIntEQ(cls, 0);
     derBuf += asnLen;
diff --git a/tests/suites.c b/tests/suites.c
index 68755c33b..f410fb5d6 100644
--- a/tests/suites.c
+++ b/tests/suites.c
@@ -877,7 +877,7 @@ int SuiteTest(int argc, char** argv)
         goto exit;
     }
     #endif
-    #ifdef HAVE_LIBOQS
+    #ifdef HAVE_PQC
     /* add TLSv13 pq tests */
     strcpy(argv0[1], "tests/test-tls13-pq.conf");
     printf("starting TLSv13 post-quantum groups tests\n");
diff --git a/tests/test-tls13-pq.conf b/tests/test-tls13-pq.conf
index 0d2baecc1..a3f2a6af8 100644
--- a/tests/test-tls13-pq.conf
+++ b/tests/test-tls13-pq.conf
@@ -1,260 +1,260 @@
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs KYBER_LEVEL1
+--pqc KYBER_LEVEL1
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs KYBER_LEVEL1
+--pqc KYBER_LEVEL1
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs KYBER_LEVEL3
+--pqc KYBER_LEVEL3
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs KYBER_LEVEL3
+--pqc KYBER_LEVEL3
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs KYBER_LEVEL5
+--pqc KYBER_LEVEL5
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs KYBER_LEVEL5
+--pqc KYBER_LEVEL5
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs KYBER_90S_LEVEL1
+--pqc KYBER_90S_LEVEL1
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs KYBER_90S_LEVEL1
+--pqc KYBER_90S_LEVEL1
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs KYBER_90S_LEVEL3
+--pqc KYBER_90S_LEVEL3
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs KYBER_90S_LEVEL3
+--pqc KYBER_90S_LEVEL3
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs KYBER_90S_LEVEL5
+--pqc KYBER_90S_LEVEL5
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs KYBER_90S_LEVEL5
+--pqc KYBER_90S_LEVEL5
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs NTRU_HPS_LEVEL1
+--pqc NTRU_HPS_LEVEL1
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs NTRU_HPS_LEVEL1
+--pqc NTRU_HPS_LEVEL1
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs NTRU_HPS_LEVEL3
+--pqc NTRU_HPS_LEVEL3
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs NTRU_HPS_LEVEL3
+--pqc NTRU_HPS_LEVEL3
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs NTRU_HPS_LEVEL5
+--pqc NTRU_HPS_LEVEL5
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs NTRU_HPS_LEVEL5
+--pqc NTRU_HPS_LEVEL5
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs NTRU_HRSS_LEVEL3
+--pqc NTRU_HRSS_LEVEL3
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs NTRU_HRSS_LEVEL3
+--pqc NTRU_HRSS_LEVEL3
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs SABER_LEVEL1
+--pqc SABER_LEVEL1
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs SABER_LEVEL1
+--pqc SABER_LEVEL1
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs SABER_LEVEL3
+--pqc SABER_LEVEL3
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs SABER_LEVEL3
+--pqc SABER_LEVEL3
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs SABER_LEVEL5
+--pqc SABER_LEVEL5
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs SABER_LEVEL5
+--pqc SABER_LEVEL5
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P256_NTRU_HPS_LEVEL1
+--pqc P256_NTRU_HPS_LEVEL1
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P256_NTRU_HPS_LEVEL1
+--pqc P256_NTRU_HPS_LEVEL1
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P384_NTRU_HPS_LEVEL3
+--pqc P384_NTRU_HPS_LEVEL3
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P384_NTRU_HPS_LEVEL3
+--pqc P384_NTRU_HPS_LEVEL3
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P521_NTRU_HPS_LEVEL5
+--pqc P521_NTRU_HPS_LEVEL5
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P521_NTRU_HPS_LEVEL5
+--pqc P521_NTRU_HPS_LEVEL5
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P384_NTRU_HRSS_LEVEL3
+--pqc P384_NTRU_HRSS_LEVEL3
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P384_NTRU_HRSS_LEVEL3
+--pqc P384_NTRU_HRSS_LEVEL3
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P256_SABER_LEVEL1
+--pqc P256_SABER_LEVEL1
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P256_SABER_LEVEL1
+--pqc P256_SABER_LEVEL1
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P384_SABER_LEVEL3
+--pqc P384_SABER_LEVEL3
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P384_SABER_LEVEL3
+--pqc P384_SABER_LEVEL3
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P521_SABER_LEVEL5
+--pqc P521_SABER_LEVEL5
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P521_SABER_LEVEL5
+--pqc P521_SABER_LEVEL5
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P256_KYBER_LEVEL1
+--pqc P256_KYBER_LEVEL1
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P256_KYBER_LEVEL1
+--pqc P256_KYBER_LEVEL1
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P384_KYBER_LEVEL3
+--pqc P384_KYBER_LEVEL3
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P384_KYBER_LEVEL3
+--pqc P384_KYBER_LEVEL3
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P521_KYBER_LEVEL5
+--pqc P521_KYBER_LEVEL5
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P521_KYBER_LEVEL5
+--pqc P521_KYBER_LEVEL5
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P256_KYBER_90S_LEVEL1
+--pqc P256_KYBER_90S_LEVEL1
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P256_KYBER_90S_LEVEL1
+--pqc P256_KYBER_90S_LEVEL1
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P384_KYBER_90S_LEVEL3
+--pqc P384_KYBER_90S_LEVEL3
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P384_KYBER_90S_LEVEL3
+--pqc P384_KYBER_90S_LEVEL3
 
 # server TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P521_KYBER_90S_LEVEL5
+--pqc P521_KYBER_90S_LEVEL5
 
 # client TLSv1.3 with post-quantum group
 -v 4
 -l TLS13-AES256-GCM-SHA384
---oqs P521_KYBER_90S_LEVEL5
+--pqc P521_KYBER_90S_LEVEL5
 
diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c
index e29802bf9..f4b13ad4b 100644
--- a/wolfcrypt/benchmark/benchmark.c
+++ b/wolfcrypt/benchmark/benchmark.c
@@ -200,6 +200,8 @@
 #endif
 #ifdef HAVE_LIBOQS
     #include <oqs/kem.h>
+#endif
+#ifdef HAVE_PQC
     #include <wolfssl/wolfcrypt/falcon.h>
 #endif
 
@@ -612,7 +614,7 @@ typedef struct bench_pq_alg {
     const char* str;
     /* Bit values to set. */
     word32 val;
-    const char* oqs_name;
+    const char* pqc_name;
 } bench_pq_alg;
 
 /* All recognized post-quantum asymmetric algorithm choosing command line
@@ -1500,7 +1502,7 @@ static void bench_stats_asym_finish(const char* algo, int strength,
 }
 #endif
 
-#if defined(HAVE_LIBOQS)
+#if defined(HAVE_PQC)
 static void bench_stats_pq_asym_finish(const char* algo, int doAsync, int count,
                                        double start, int ret)
 {
@@ -2160,63 +2162,63 @@ static void* benchmarks_do(void* args)
     #endif
 #endif
 
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     if (bench_all || (bench_pq_asym_algs & BENCH_FALCON_LEVEL1_SIGN))
         bench_falconKeySign(1);
     if (bench_all || (bench_pq_asym_algs & BENCH_FALCON_LEVEL5_SIGN))
         bench_falconKeySign(5);
     if (bench_all || (bench_pq_asym_algs & BENCH_KYBER_LEVEL1_KEYGEN))
-        bench_oqsKemKeygen(BENCH_KYBER_LEVEL1_KEYGEN);
+        bench_pqcKemKeygen(BENCH_KYBER_LEVEL1_KEYGEN);
     if (bench_all || (bench_pq_asym_algs & BENCH_KYBER_LEVEL1_ENCAP))
-        bench_oqsKemEncapDecap(BENCH_KYBER_LEVEL1_ENCAP);
+        bench_pqcKemEncapDecap(BENCH_KYBER_LEVEL1_ENCAP);
     if (bench_all || (bench_pq_asym_algs & BENCH_KYBER_LEVEL3_KEYGEN))
-        bench_oqsKemKeygen(BENCH_KYBER_LEVEL3_KEYGEN);
+        bench_pqcKemKeygen(BENCH_KYBER_LEVEL3_KEYGEN);
     if (bench_all || (bench_pq_asym_algs & BENCH_KYBER_LEVEL3_ENCAP))
-        bench_oqsKemEncapDecap(BENCH_KYBER_LEVEL3_ENCAP);
+        bench_pqcKemEncapDecap(BENCH_KYBER_LEVEL3_ENCAP);
     if (bench_all || (bench_pq_asym_algs & BENCH_KYBER_LEVEL5_KEYGEN))
-        bench_oqsKemKeygen(BENCH_KYBER_LEVEL5_KEYGEN);
+        bench_pqcKemKeygen(BENCH_KYBER_LEVEL5_KEYGEN);
     if (bench_all || (bench_pq_asym_algs & BENCH_KYBER_LEVEL5_ENCAP))
-        bench_oqsKemEncapDecap(BENCH_KYBER_LEVEL5_ENCAP);
+        bench_pqcKemEncapDecap(BENCH_KYBER_LEVEL5_ENCAP);
     if (bench_all || (bench_pq_asym_algs & BENCH_KYBER90S_LEVEL1_KEYGEN))
-        bench_oqsKemKeygen(BENCH_KYBER90S_LEVEL1_KEYGEN);
+        bench_pqcKemKeygen(BENCH_KYBER90S_LEVEL1_KEYGEN);
     if (bench_all || (bench_pq_asym_algs & BENCH_KYBER90S_LEVEL1_ENCAP))
-        bench_oqsKemEncapDecap(BENCH_KYBER90S_LEVEL1_ENCAP);
+        bench_pqcKemEncapDecap(BENCH_KYBER90S_LEVEL1_ENCAP);
     if (bench_all || (bench_pq_asym_algs & BENCH_KYBER90S_LEVEL3_KEYGEN))
-        bench_oqsKemKeygen(BENCH_KYBER90S_LEVEL3_KEYGEN);
+        bench_pqcKemKeygen(BENCH_KYBER90S_LEVEL3_KEYGEN);
     if (bench_all || (bench_pq_asym_algs & BENCH_KYBER90S_LEVEL3_ENCAP))
-        bench_oqsKemEncapDecap(BENCH_KYBER90S_LEVEL3_ENCAP);
+        bench_pqcKemEncapDecap(BENCH_KYBER90S_LEVEL3_ENCAP);
     if (bench_all || (bench_pq_asym_algs & BENCH_KYBER90S_LEVEL5_KEYGEN))
-        bench_oqsKemKeygen(BENCH_KYBER90S_LEVEL5_KEYGEN);
+        bench_pqcKemKeygen(BENCH_KYBER90S_LEVEL5_KEYGEN);
     if (bench_all || (bench_pq_asym_algs & BENCH_KYBER90S_LEVEL5_ENCAP))
-        bench_oqsKemEncapDecap(BENCH_KYBER90S_LEVEL5_ENCAP);
+        bench_pqcKemEncapDecap(BENCH_KYBER90S_LEVEL5_ENCAP);
     if (bench_all || (bench_pq_asym_algs & BENCH_SABER_LEVEL1_KEYGEN))
-        bench_oqsKemKeygen(BENCH_SABER_LEVEL1_KEYGEN);
+        bench_pqcKemKeygen(BENCH_SABER_LEVEL1_KEYGEN);
     if (bench_all || (bench_pq_asym_algs & BENCH_SABER_LEVEL1_ENCAP))
-        bench_oqsKemEncapDecap(BENCH_SABER_LEVEL1_ENCAP);
+        bench_pqcKemEncapDecap(BENCH_SABER_LEVEL1_ENCAP);
     if (bench_all || (bench_pq_asym_algs & BENCH_SABER_LEVEL3_KEYGEN))
-        bench_oqsKemKeygen(BENCH_SABER_LEVEL3_KEYGEN);
+        bench_pqcKemKeygen(BENCH_SABER_LEVEL3_KEYGEN);
     if (bench_all || (bench_pq_asym_algs & BENCH_SABER_LEVEL3_ENCAP))
-        bench_oqsKemEncapDecap(BENCH_SABER_LEVEL3_ENCAP);
+        bench_pqcKemEncapDecap(BENCH_SABER_LEVEL3_ENCAP);
     if (bench_all || (bench_pq_asym_algs & BENCH_SABER_LEVEL5_KEYGEN))
-        bench_oqsKemKeygen(BENCH_SABER_LEVEL5_KEYGEN);
+        bench_pqcKemKeygen(BENCH_SABER_LEVEL5_KEYGEN);
     if (bench_all || (bench_pq_asym_algs & BENCH_SABER_LEVEL5_ENCAP))
-        bench_oqsKemEncapDecap(BENCH_SABER_LEVEL5_ENCAP);
+        bench_pqcKemEncapDecap(BENCH_SABER_LEVEL5_ENCAP);
     if (bench_all || (bench_pq_asym_algs & BENCH_NTRUHPS_LEVEL1_KEYGEN))
-        bench_oqsKemKeygen(BENCH_NTRUHPS_LEVEL1_KEYGEN);
+        bench_pqcKemKeygen(BENCH_NTRUHPS_LEVEL1_KEYGEN);
     if (bench_all || (bench_pq_asym_algs & BENCH_NTRUHPS_LEVEL1_ENCAP))
-        bench_oqsKemEncapDecap(BENCH_NTRUHPS_LEVEL1_ENCAP);
+        bench_pqcKemEncapDecap(BENCH_NTRUHPS_LEVEL1_ENCAP);
     if (bench_all || (bench_pq_asym_algs & BENCH_NTRUHPS_LEVEL3_KEYGEN))
-        bench_oqsKemKeygen(BENCH_NTRUHPS_LEVEL3_KEYGEN);
+        bench_pqcKemKeygen(BENCH_NTRUHPS_LEVEL3_KEYGEN);
     if (bench_all || (bench_pq_asym_algs & BENCH_NTRUHPS_LEVEL3_ENCAP))
-        bench_oqsKemEncapDecap(BENCH_NTRUHPS_LEVEL3_ENCAP);
+        bench_pqcKemEncapDecap(BENCH_NTRUHPS_LEVEL3_ENCAP);
     if (bench_all || (bench_pq_asym_algs & BENCH_NTRUHPS_LEVEL5_KEYGEN))
-        bench_oqsKemKeygen(BENCH_NTRUHPS_LEVEL5_KEYGEN);
+        bench_pqcKemKeygen(BENCH_NTRUHPS_LEVEL5_KEYGEN);
     if (bench_all || (bench_pq_asym_algs & BENCH_NTRUHPS_LEVEL5_ENCAP))
-        bench_oqsKemEncapDecap(BENCH_NTRUHPS_LEVEL5_ENCAP);
+        bench_pqcKemEncapDecap(BENCH_NTRUHPS_LEVEL5_ENCAP);
     if (bench_all || (bench_pq_asym_algs & BENCH_NTRUHRSS_LEVEL3_KEYGEN))
-        bench_oqsKemKeygen(BENCH_NTRUHRSS_LEVEL3_KEYGEN);
+        bench_pqcKemKeygen(BENCH_NTRUHRSS_LEVEL3_KEYGEN);
     if (bench_all || (bench_pq_asym_algs & BENCH_NTRUHRSS_LEVEL3_ENCAP))
-        bench_oqsKemEncapDecap(BENCH_NTRUHRSS_LEVEL3_ENCAP);
+        bench_pqcKemEncapDecap(BENCH_NTRUHRSS_LEVEL3_ENCAP);
 #endif
 
 #ifdef WOLFCRYPT_HAVE_SAKKE
@@ -6656,34 +6658,36 @@ void bench_sakke(void)
 #endif /* WOLFCRYPT_SAKKE_CLIENT */
 #endif /* WOLFCRYPT_HAVE_SAKKE */
 
-#ifdef HAVE_LIBOQS
-static void bench_oqsKemInit(word32 alg, byte **priv_key, byte **pub_key,
+#ifdef HAVE_PQC
+static void bench_pqcKemInit(word32 alg, byte **priv_key, byte **pub_key,
                    const char **wolf_name, OQS_KEM **kem)
 {
     int i;
-    const char *oqs_name = NULL;
+    const char *pqc_name = NULL;
 
     *pub_key = NULL;
     *priv_key = NULL;
 
     for (i=0; bench_pq_asym_opt[i].str != NULL; i++) {
         if (alg ==  bench_pq_asym_opt[i].val) {
-            oqs_name = bench_pq_asym_opt[i].oqs_name;
+            pqc_name = bench_pq_asym_opt[i].pqc_name;
             *wolf_name = bench_pq_asym_opt[i].str;
             break;
         }
     }
 
-    if (oqs_name == NULL) {
+    if (pqc_name == NULL) {
         printf("Bad OQS Alg specified\n");
         return;
     }
 
-    *kem = OQS_KEM_new(oqs_name);
+#ifdef HAVE_LIBOQS
+    *kem = OQS_KEM_new(pqc_name);
     if (*kem == NULL) {
         printf("OQS_KEM_new() failed\n");
         return;
     }
+#endif
 
     *pub_key = (byte*)XMALLOC((*kem)->length_public_key, HEAP_HINT,
                               DYNAMIC_TYPE_TMP_BUFFER);
@@ -6694,7 +6698,7 @@ static void bench_oqsKemInit(word32 alg, byte **priv_key, byte **pub_key,
 
 }
 
-void bench_oqsKemKeygen(word32 alg)
+void bench_pqcKemKeygen(word32 alg)
 {
     const char *wolf_name = NULL;
     OQS_KEM* kem = NULL;
@@ -6703,22 +6707,24 @@ void bench_oqsKemKeygen(word32 alg)
     byte *priv_key;
     byte *pub_key;
 
-    bench_oqsKemInit(alg, &priv_key, &pub_key, &wolf_name, &kem);
+    bench_pqcKemInit(alg, &priv_key, &pub_key, &wolf_name, &kem);
 
     if (wolf_name == NULL || kem == NULL || pub_key == NULL ||
         priv_key == NULL) {
-        printf("bench_oqsKemInit() failed\n");
+        printf("bench_pqcKemInit() failed\n");
         goto exit;
     }
 
     bench_stats_start(&count, &start);
     do {
         for (i = 0; i < genTimes; i++) {
+#ifdef HAVE_LIBOQS
             ret = OQS_KEM_keypair(kem, pub_key, priv_key);
             if (ret != OQS_SUCCESS) {
                 printf("OQS_KEM_keypair() failed: %d\n", ret);
                 goto exit;
             }
+#endif
         }
         count += i;
     } while (bench_stats_sym_check(start));
@@ -6733,7 +6739,7 @@ exit:
 
 }
 
-void bench_oqsKemEncapDecap(word32 alg)
+void bench_pqcKemEncapDecap(word32 alg)
 {
     const char *wolf_name = NULL;
     OQS_KEM* kem = NULL;
@@ -6744,19 +6750,21 @@ void bench_oqsKemEncapDecap(word32 alg)
     byte *ciphertext = NULL;
     byte *shared_secret = NULL;
 
-    bench_oqsKemInit(alg, &priv_key, &pub_key, &wolf_name, &kem);
+    bench_pqcKemInit(alg, &priv_key, &pub_key, &wolf_name, &kem);
 
     if (wolf_name == NULL || kem == NULL || pub_key == NULL ||
         priv_key == NULL) {
-        printf("bench_oqsKemInit() failed\n");
+        printf("bench_pqcKemInit() failed\n");
         goto exit;
     }
 
+#ifdef HAVE_LIBOQS
     ret = OQS_KEM_keypair(kem, pub_key, priv_key);
     if (ret != OQS_SUCCESS) {
         printf("OQS_KEM_keypair() failed: %d\n", ret);
         goto exit;
     }
+#endif
 
     shared_secret = (byte*)XMALLOC(kem->length_shared_secret, HEAP_HINT,
                                    DYNAMIC_TYPE_TMP_BUFFER);
@@ -6773,6 +6781,7 @@ void bench_oqsKemEncapDecap(word32 alg)
         bench_stats_start(&count, &start);
         do {
             for (i = 0; i < agreeTimes; i++) {
+#ifdef HAVE_LIBOQS
                 ret = OQS_KEM_encaps(kem, ciphertext, shared_secret, pub_key);
                 if (ret != OQS_SUCCESS) {
                     printf("OQS_KEM_encaps() failed: %d\n", ret);
@@ -6784,6 +6793,7 @@ void bench_oqsKemEncapDecap(word32 alg)
                     printf("OQS_KEM_decaps() failed: %d\n", ret);
                     goto exit;
                 }
+#endif
             }
             count += i;
         } while (bench_stats_sym_check(start));
@@ -6898,7 +6908,7 @@ void bench_falconKeySign(byte level)
 
     wc_falcon_free(&key);
 }
-#endif /* HAVE_LIBOQS */
+#endif /* HAVE_PQC */
 
 #ifndef HAVE_STACK_SIZE
 #if defined(_WIN32) && !defined(INTIME_RTOS)
diff --git a/wolfcrypt/benchmark/benchmark.h b/wolfcrypt/benchmark/benchmark.h
index 15a33da1b..34380ba02 100644
--- a/wolfcrypt/benchmark/benchmark.h
+++ b/wolfcrypt/benchmark/benchmark.h
@@ -107,8 +107,8 @@ void bench_blake2b(void);
 void bench_blake2s(void);
 void bench_pbkdf2(void);
 void bench_falconKeySign(byte level);
-void bench_oqsKemKeygen(word32 alg);
-void bench_oqsKemEncapDecap(word32 alg);
+void bench_pqcKemKeygen(word32 alg);
+void bench_pqcKemEncapDecap(word32 alg);
 
 void bench_stats_print(void);
 
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 1c8bbe038..c757ccd9d 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -133,7 +133,7 @@ ASN Options:
     #include <wolfssl/wolfcrypt/curve448.h>
 #endif
 
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     #include <wolfssl/wolfcrypt/falcon.h>
 #endif
 
@@ -701,7 +701,15 @@ int SizeASN_Items(const ASNItem* asn, ASNSetData *data, int count, int* encSz)
                     if (data[i].data.buffer.data != NULL) {
                         /* Force all child nodes to be ignored. Buffer
                          * overwrites children. */
-                        SetASNItem_NoOutBelow(data, asn, i, count);
+                        {
+                            int ii;
+                            for (ii = i + 1; ii < count; ii++) {
+                                if (asn[ii].depth <= asn[i].depth)
+                                    break;
+                                sz -= data[ii].length;
+                                data[ii].noOut = 1;
+                            }
+                        }
                     }
                     else {
                         /* Calculate data length from items below if no buffer
@@ -2829,7 +2837,10 @@ static int SetASNIntRSA(void* n, byte* output)
 #ifdef WOLFSSL_ASN_TEMPLATE
 /* ASN.1 template for an INTEGER. */
 static const ASNItem intASN[] = {
-    { 0, ASN_INTEGER, 0, 0, 0 }
+/* INT */ { 0, ASN_INTEGER, 0, 0, 0 }
+};
+enum {
+    INTASN_IDX_INT = 0
 };
 
 /* Number of items in ASN.1 template for an INTEGER. */
@@ -2879,7 +2890,7 @@ int GetMyVersion(const byte* input, word32* inOutIdx,
 
     /* Clear dynamic data and set the version number variable. */
     XMEMSET(dataASN, 0, sizeof(dataASN));
-    GetASN_Int8Bit(&dataASN[0], &num);
+    GetASN_Int8Bit(&dataASN[INTASN_IDX_INT], &num);
     /* Decode the version (INTEGER). */
     ret = GetASN_Items(intASN, dataASN, intASN_Length, 0, input, inOutIdx,
                        maxIdx);
@@ -2946,7 +2957,7 @@ int GetShortInt(const byte* input, word32* inOutIdx, int* number, word32 maxIdx)
 
     /* Clear dynamic data and set the 32-bit number variable. */
     XMEMSET(dataASN, 0, sizeof(dataASN));
-    GetASN_Int32Bit(&dataASN[0], &num);
+    GetASN_Int32Bit(&dataASN[INTASN_IDX_INT], &num);
     /* Decode the short int (INTEGER). */
     ret = GetASN_Items(intASN, dataASN, intASN_Length, 0, input, inOutIdx,
                        maxIdx);
@@ -3092,7 +3103,7 @@ int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx, word32 maxIdx)
 
     /* Clear dynamic data and set the mp_int to fill with value. */
     XMEMSET(dataASN, 0, sizeof(dataASN));
-    GetASN_MP_PosNeg(&dataASN[0], mpi);
+    GetASN_MP_PosNeg(&dataASN[INTASN_IDX_INT], mpi);
     /* Decode the big number (INTEGER). */
     return GetASN_Items(intASN, dataASN, intASN_Length, 0, input, inOutIdx,
                         maxIdx);
@@ -3124,7 +3135,10 @@ static int SkipInt(const byte* input, word32* inOutIdx, word32 maxIdx)
 #ifdef WOLFSSL_ASN_TEMPLATE
 /* ASN.1 template for a BIT_STRING. */
 static const ASNItem bitStringASN[] = {
-    { 0, ASN_BIT_STRING, 0, 1, 0 }
+/* BIT_STR */ { 0, ASN_BIT_STRING, 0, 1, 0 }
+};
+enum {
+    BITSTRINGASN_IDX_BIT_STR = 0
 };
 
 /* Number of items in ASN.1 template for a BIT_STRING. */
@@ -3207,7 +3221,7 @@ int CheckBitString(const byte* input, word32* inOutIdx, int* len,
             inOutIdx, maxIdx);
     if (ret == 0) {
         /* Get unused bits from dynamic ASN.1 data. */
-        bits = GetASNItem_UnusedBits(dataASN[0]);
+        bits = GetASNItem_UnusedBits(dataASN[BITSTRINGASN_IDX_BIT_STR]);
         /* Check unused bits is 0 when expected. */
         if (zeroBits && (bits != 0)) {
             ret = ASN_EXPECT_0_E;
@@ -3216,7 +3230,7 @@ int CheckBitString(const byte* input, word32* inOutIdx, int* len,
     if (ret == 0) {
         /* Return length of data and unused bits if required. */
         if (len != NULL) {
-            *len = dataASN[0].data.ref.length;
+            *len = dataASN[BITSTRINGASN_IDX_BIT_STR].data.ref.length;
         }
         if (unusedBits != NULL) {
             *unusedBits = bits;
@@ -3822,13 +3836,13 @@ static word32 SetBitString16Bit(word16 val, byte* output)
 #ifdef HAVE_ED448
     static const byte sigEd448Oid[] = {43, 101, 113};
 #endif /* HAVE_ED448 */
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     /* Falcon Level 1: 1 3 9999 3 1 */
     static const byte sigFalcon_Level1Oid[] = {43, 206, 15, 3, 1};
 
     /* Falcon Level 5: 1 3 9999 3 4 */
     static const byte sigFalcon_Level5Oid[] = {43, 206, 15, 3, 4};
-#endif /* HAVE_LIBOQS */
+#endif /* HAVE_PQC */
 
 /* keyType */
 #ifndef NO_DSA
@@ -3855,13 +3869,13 @@ static word32 SetBitString16Bit(word16 val, byte* output)
 #ifndef NO_DH
     static const byte keyDhOid[] = {42, 134, 72, 134, 247, 13, 1, 3, 1};
 #endif /* !NO_DH */
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     /* Falcon Level 1: 1 3 9999 3 1 */
     static const byte keyFalcon_Level1Oid[] = {43, 206, 15, 3, 1};
 
     /* Falcon Level 5: 1 3 9999 3 4 */
     static const byte keyFalcon_Level5Oid[] = {43, 206, 15, 3, 4};
-#endif /* HAVE_LIBOQS */
+#endif /* HAVE_PQC */
 
 /* curveType */
 #ifdef HAVE_ECC
@@ -4286,7 +4300,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
                     *oidSz = sizeof(sigEd448Oid);
                     break;
                 #endif
-                #ifdef HAVE_LIBOQS
+                #ifdef HAVE_PQC
                 case CTC_FALCON_LEVEL1:
                     oid = sigFalcon_Level1Oid;
                     *oidSz = sizeof(sigFalcon_Level1Oid);
@@ -4351,7 +4365,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
                     *oidSz = sizeof(keyDhOid);
                     break;
                 #endif /* !NO_DH */
-                #ifdef HAVE_LIBOQS
+                #ifdef HAVE_PQC
                 case FALCON_LEVEL1k:
                     oid = keyFalcon_Level1Oid;
                     *oidSz = sizeof(keyFalcon_Level1Oid);
@@ -5179,7 +5193,10 @@ static int GetOID(const byte* input, word32* inOutIdx, word32* oid,
 #ifdef WOLFSSL_ASN_TEMPLATE
 /* ASN.1 template for an OBJECT_ID. */
 static const ASNItem objectIdASN[] = {
-    { 0, ASN_OBJECT_ID, 0, 0, 0 }
+/* OID */ { 0, ASN_OBJECT_ID, 0, 0, 0 }
+};
+enum {
+    OBJECTIDASN_IDX_OID = 0
 };
 
 /* Number of items in ASN.1 template for an OBJECT_ID. */
@@ -5219,13 +5236,13 @@ int GetObjectId(const byte* input, word32* inOutIdx, word32* oid,
 
     /* Clear dynamic data and set OID type expected. */
     XMEMSET(dataASN, 0, sizeof(dataASN));
-    GetASN_OID(&dataASN[0], oidType);
+    GetASN_OID(&dataASN[OBJECTIDASN_IDX_OID], oidType);
     /* Decode OBJECT_ID. */
     ret = GetASN_Items(objectIdASN, dataASN, objectIdASN_Length, 0, input,
                        inOutIdx, maxIdx);
     if (ret == 0) {
         /* Return the id/sum. */
-        *oid = dataASN[0].data.oid.sum;
+        *oid = dataASN[OBJECTIDASN_IDX_OID].data.oid.sum;
     }
     return ret;
 #endif /* WOLFSSL_ASN_TEMPLATE */
@@ -5252,9 +5269,14 @@ static int SkipObjectId(const byte* input, word32* inOutIdx, word32 maxIdx)
 #ifdef WOLFSSL_ASN_TEMPLATE
 /* ASN.1 template for an algorithm identifier. */
 static const ASNItem algoIdASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/*  1 */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
-/*  2 */        { 1, ASN_TAG_NULL, 0, 0, 1 },
+/*  SEQ  */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+/*  OID  */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
+/*  NULL */        { 1, ASN_TAG_NULL, 0, 0, 1 },
+};
+enum {
+    ALGOIDASN_IDX_SEQ = 0,
+    ALGOIDASN_IDX_OID,
+    ALGOIDASN_IDX_NULL
 };
 
 /* Number of items in ASN.1 template for an algorithm identifier. */
@@ -5310,22 +5332,25 @@ int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
 
     return 0;
 #else
-    ASNGetData dataASN[algoIdASN_Length];
-    int ret;
+    DECL_ASNGETDATA(dataASN, algoIdASN_Length);
+    int ret = 0;
 
     WOLFSSL_ENTER("GetAlgoId");
 
-    /* Clear dynamic data and set OID type expected. */
-    XMEMSET(dataASN, 0, sizeof(*dataASN) * algoIdASN_Length);
-    GetASN_OID(&dataASN[1], oidType);
-    /* Decode the algorithm identifier. */
-    ret = GetASN_Items(algoIdASN, dataASN, algoIdASN_Length, 0, input, inOutIdx,
-                       maxIdx);
+    CALLOC_ASNGETDATA(dataASN, algoIdASN_Length, ret, NULL);
+    if (ret == 0) {
+        /* Set OID type expected. */
+        GetASN_OID(&dataASN[ALGOIDASN_IDX_OID], oidType);
+        /* Decode the algorithm identifier. */
+        ret = GetASN_Items(algoIdASN, dataASN, algoIdASN_Length, 0, input, inOutIdx,
+                           maxIdx);
+    }
     if (ret == 0) {
         /* Return the OID id/sum. */
-        *oid = dataASN[1].data.oid.sum;
+        *oid = dataASN[ALGOIDASN_IDX_OID].data.oid.sum;
     }
 
+    FREE_ASNGETDATA(dataASN, NULL);
     return ret;
 #endif /* WOLFSSL_ASN_TEMPLATE */
 }
@@ -5372,21 +5397,39 @@ static mp_int* GetRsaInt(RsaKey* key, byte idx)
  * PKCS #1: RFC 8017, A.1.2 - RSAPrivateKey
  */
 static const ASNItem rsaKeyASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/*  1 */        { 1, ASN_INTEGER, 0, 0, 0 },
-/*  2 */        { 1, ASN_INTEGER, 0, 0, 0 },
-/*  3 */        { 1, ASN_INTEGER, 0, 0, 0 },
+/*  SEQ */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+/*  VER */        { 1, ASN_INTEGER, 0, 0, 0 },
+                /* Integers need to be in this specific order
+                 * as asn code depends on this. */
+/*  N   */        { 1, ASN_INTEGER, 0, 0, 0 },
+/*  E   */        { 1, ASN_INTEGER, 0, 0, 0 },
 #if !defined(WOLFSSL_RSA_PUBLIC_ONLY) || defined(WOLFSSL_KEY_GEN)
-/*  4 */        { 1, ASN_INTEGER, 0, 0, 0 },
-/*  5 */        { 1, ASN_INTEGER, 0, 0, 0 },
-/*  6 */        { 1, ASN_INTEGER, 0, 0, 0 },
-/*  7 */        { 1, ASN_INTEGER, 0, 0, 0 },
-/*  8 */        { 1, ASN_INTEGER, 0, 0, 0 },
-/*  9 */        { 1, ASN_INTEGER, 0, 0, 0 },
+/*  D   */        { 1, ASN_INTEGER, 0, 0, 0 },
+/*  P   */        { 1, ASN_INTEGER, 0, 0, 0 },
+/*  Q   */        { 1, ASN_INTEGER, 0, 0, 0 },
+/*  DP  */        { 1, ASN_INTEGER, 0, 0, 0 },
+/*  DQ  */        { 1, ASN_INTEGER, 0, 0, 0 },
+/*  U   */        { 1, ASN_INTEGER, 0, 0, 0 },
                 /* otherPrimeInfos  OtherPrimeInfos OPTIONAL
                  * v2 - multiprime */
 #endif
 };
+enum {
+    RSAKEYASN_IDX_SEQ = 0,
+    RSAKEYASN_IDX_VER,
+    /* Integers need to be in this specific order
+     * as asn code depends on this. */
+    RSAKEYASN_IDX_N,
+    RSAKEYASN_IDX_E,
+#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) || defined(WOLFSSL_KEY_GEN)
+    RSAKEYASN_IDX_D,
+    RSAKEYASN_IDX_P,
+    RSAKEYASN_IDX_Q,
+    RSAKEYASN_IDX_DP,
+    RSAKEYASN_IDX_DQ,
+    RSAKEYASN_IDX_U,
+#endif
+};
 
 /* Number of items in ASN.1 template for an RSA private key. */
 #define rsaKeyASN_Length (sizeof(rsaKeyASN) / sizeof(ASNItem))
@@ -5496,19 +5539,19 @@ int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
 
     if (ret == 0) {
         /* Register variable to hold version field. */
-        GetASN_Int8Bit(&dataASN[1], &version);
+        GetASN_Int8Bit(&dataASN[RSAKEYASN_IDX_VER], &version);
         /* Setup data to store INTEGER data in mp_int's in RSA object. */
     #if defined(WOLFSSL_RSA_PUBLIC_ONLY)
         /* Extract all public fields. */
         for (i = 0; i < RSA_PUB_INTS; i++) {
-            GetASN_MP(&dataASN[2 + i], GetRsaInt(key, i));
+            GetASN_MP(&dataASN[(byte)RSAKEYASN_IDX_N + i], GetRsaInt(key, i));
         }
         /* Not extracting all data from BER encoding. */
         #define RSA_ASN_COMPLETE    0
     #else
         /* Extract all private fields. */
         for (i = 0; i < RSA_INTS; i++) {
-            GetASN_MP(&dataASN[2 + i], GetRsaInt(key, i));
+            GetASN_MP(&dataASN[(byte)RSAKEYASN_IDX_N + i], GetRsaInt(key, i));
         }
         /* Extracting all data from BER encoding. */
         #define RSA_ASN_COMPLETE    1
@@ -5552,16 +5595,25 @@ int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
  * PKCS #8: RFC 5958, 2 - PrivateKeyInfo
  */
 static const ASNItem pkcs8KeyASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/*  1 */        { 1, ASN_INTEGER, 0, 0, 0 },
-/*  2 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
-/*  3 */            { 2, ASN_OBJECT_ID, 0, 0, 0 },
-/*  4 */            { 2, ASN_OBJECT_ID, 0, 0, 1 },
-/*  5 */            { 2, ASN_TAG_NULL, 0, 0, 1 },
-/*  6 */        { 1, ASN_OCTET_STRING, 0, 0, 0 },
+/*  SEQ                 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+/*  VER                 */        { 1, ASN_INTEGER, 0, 0, 0 },
+/*  PKEY_ALGO_SEQ       */        { 1, ASN_SEQUENCE, 1, 1, 0 },
+/*  PKEY_ALGO_OID_KEY   */            { 2, ASN_OBJECT_ID, 0, 0, 0 },
+/*  PKEY_ALGO_OID_CURVE */            { 2, ASN_OBJECT_ID, 0, 0, 1 },
+/*  PKEY_ALGO_NULL      */            { 2, ASN_TAG_NULL, 0, 0, 1 },
+/*  PKEY_DATA           */        { 1, ASN_OCTET_STRING, 0, 0, 0 },
                 /* attributes            [0] Attributes OPTIONAL */
                 /* [[2: publicKey        [1] PublicKey OPTIONAL ]] */
 };
+enum {
+    PKCS8KEYASN_IDX_SEQ = 0,
+    PKCS8KEYASN_IDX_VER,
+    PKCS8KEYASN_IDX_PKEY_ALGO_SEQ,
+    PKCS8KEYASN_IDX_PKEY_ALGO_OID_KEY,
+    PKCS8KEYASN_IDX_PKEY_ALGO_OID_CURVE,
+    PKCS8KEYASN_IDX_PKEY_ALGO_NULL,
+    PKCS8KEYASN_IDX_PKEY_DATA,
+};
 
 /* Number of items in ASN.1 template for a PKCS #8 key. */
 #define pkcs8KeyASN_Length (sizeof(pkcs8KeyASN) / sizeof(ASNItem))
@@ -5641,9 +5693,9 @@ int ToTraditionalInline_ex(const byte* input, word32* inOutIdx, word32 sz,
 
     if (ret == 0) {
         /* Get version, check key type and curve type. */
-        GetASN_Int8Bit(&dataASN[1], &version);
-        GetASN_OID(&dataASN[3], oidKeyType);
-        GetASN_OID(&dataASN[4], oidCurveType);
+        GetASN_Int8Bit(&dataASN[PKCS8KEYASN_IDX_VER], &version);
+        GetASN_OID(&dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_OID_KEY], oidKeyType);
+        GetASN_OID(&dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_OID_CURVE], oidCurveType);
         /* Parse data. */
         ret = GetASN_Items(pkcs8KeyASN, dataASN, pkcs8KeyASN_Length, 1, input,
                            &idx, sz);
@@ -5651,7 +5703,7 @@ int ToTraditionalInline_ex(const byte* input, word32* inOutIdx, word32 sz,
 
     if (ret == 0) {
         /* Key type OID. */
-        oid = dataASN[3].data.oid.sum;
+        oid = dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_OID_KEY].data.oid.sum;
 
         /* Version 1 includes an optional public key.
          * If public key is included then the parsing will fail as it did not
@@ -5666,8 +5718,8 @@ int ToTraditionalInline_ex(const byte* input, word32* inOutIdx, word32 sz,
         #ifndef NO_RSA
             case RSAk:
                 /* Must have NULL item but not OBJECT_ID item. */
-                if ((dataASN[5].tag == 0) ||
-                    (dataASN[4].tag != 0)) {
+                if ((dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_NULL].tag == 0) ||
+                    (dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_OID_CURVE].tag != 0)) {
                     ret = ASN_PARSE_E;
                 }
                 break;
@@ -5675,7 +5727,7 @@ int ToTraditionalInline_ex(const byte* input, word32* inOutIdx, word32 sz,
         #ifdef HAVE_ECC
             case ECDSAk:
                 /* Must not have NULL item. */
-                if (dataASN[5].tag != 0) {
+                if (dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_NULL].tag != 0) {
                     ret = ASN_PARSE_E;
                 }
                 break;
@@ -5683,8 +5735,8 @@ int ToTraditionalInline_ex(const byte* input, word32* inOutIdx, word32 sz,
         #ifdef HAVE_ED25519
             case ED25519k:
                 /* Neither NULL item nor OBJECT_ID item allowed. */
-                if ((dataASN[5].tag != 0) ||
-                    (dataASN[4].tag != 0)) {
+                if ((dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_NULL].tag != 0) ||
+                    (dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_OID_CURVE].tag != 0)) {
                     ret = ASN_PARSE_E;
                 }
                 break;
@@ -5692,8 +5744,8 @@ int ToTraditionalInline_ex(const byte* input, word32* inOutIdx, word32 sz,
         #ifdef HAVE_CURVE25519
             case X25519k:
                 /* Neither NULL item nor OBJECT_ID item allowed. */
-                if ((dataASN[5].tag != 0) ||
-                    (dataASN[4].tag != 0)) {
+                if ((dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_NULL].tag != 0) ||
+                    (dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_OID_CURVE].tag != 0)) {
                     ret = ASN_PARSE_E;
                 }
                 break;
@@ -5701,8 +5753,8 @@ int ToTraditionalInline_ex(const byte* input, word32* inOutIdx, word32 sz,
         #ifdef HAVE_ED448
             case ED448k:
                 /* Neither NULL item nor OBJECT_ID item allowed. */
-                if ((dataASN[5].tag != 0) ||
-                    (dataASN[4].tag != 0)) {
+                if ((dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_NULL].tag != 0) ||
+                    (dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_OID_CURVE].tag != 0)) {
                     ret = ASN_PARSE_E;
                 }
                 break;
@@ -5710,8 +5762,8 @@ int ToTraditionalInline_ex(const byte* input, word32* inOutIdx, word32 sz,
         #ifdef HAVE_CURVE448
             case X448k:
                 /* Neither NULL item nor OBJECT_ID item allowed. */
-                if ((dataASN[5].tag != 0) ||
-                    (dataASN[4].tag != 0)) {
+                if ((dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_NULL].tag != 0) ||
+                    (dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_OID_CURVE].tag != 0)) {
                     ret = ASN_PARSE_E;
                 }
                 break;
@@ -5726,9 +5778,9 @@ int ToTraditionalInline_ex(const byte* input, word32* inOutIdx, word32 sz,
         /* Return algorithm id of internal key. */
         *algId = oid;
         /* Return index to start of internal key. */
-        *inOutIdx = GetASNItem_DataIdx(dataASN[6], input);
+        *inOutIdx = GetASNItem_DataIdx(dataASN[PKCS8KEYASN_IDX_PKEY_DATA], input);
         /* Return value is length of internal key. */
-        ret = dataASN[6].data.ref.length;
+        ret = dataASN[PKCS8KEYASN_IDX_PKEY_DATA].data.ref.length;
     }
 
     FREE_ASNGETDATA(dataASN, NULL);
@@ -5906,21 +5958,21 @@ int wc_CreatePKCS8Key(byte* out, word32* outSz, byte* key, word32 keySz,
 
     if (ret == 0) {
         /* Only support default PKCS #8 format - v0. */
-        SetASN_Int8Bit(&dataASN[1], PKCS8v0);
+        SetASN_Int8Bit(&dataASN[PKCS8KEYASN_IDX_VER], PKCS8v0);
         /* Set key OID that corresponds to key data. */
-        SetASN_OID(&dataASN[3], algoID, oidKeyType);
+        SetASN_OID(&dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_OID_KEY], algoID, oidKeyType);
         if (curveOID != NULL && oidSz > 0) {
             /* ECC key and curveOID set to write. */
-            SetASN_Buffer(&dataASN[4], curveOID, oidSz);
+            SetASN_Buffer(&dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_OID_CURVE], curveOID, oidSz);
         }
         else {
             /* EC curve OID to encode. */
-            dataASN[4].noOut = 1;
+            dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_OID_CURVE].noOut = 1;
         }
         /* Only RSA keys have NULL tagged item after OID. */
-        dataASN[5].noOut = (algoID != RSAk);
+        dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_NULL].noOut = (algoID != RSAk);
         /* Set key data to encode. */
-        SetASN_Buffer(&dataASN[6], key, keySz);
+        SetASN_Buffer(&dataASN[PKCS8KEYASN_IDX_PKEY_DATA], key, keySz);
 
         /* Get the size of the DER encoding. */
         ret = SizeASN_Items(pkcs8KeyASN, dataASN, pkcs8KeyASN_Length, &sz);
@@ -6189,7 +6241,7 @@ int wc_CheckPrivateKey(const byte* privKey, word32 privKeySz,
     }
     else
     #endif /* HAVE_ED448 && HAVE_ED448_KEY_IMPORT && !NO_ASN_CRYPT */
-    #if defined(HAVE_LIBOQS)
+    #if defined(HAVE_PQC)
     if ((ks == FALCON_LEVEL1k) || (ks == FALCON_LEVEL5k)) {
     #ifdef WOLFSSL_SMALL_STACK
         falcon_key* key_pair = NULL;
@@ -6242,7 +6294,7 @@ int wc_CheckPrivateKey(const byte* privKey, word32 privKeySz,
     #endif
     }
     else
-    #endif /* HAVE_LIBOQS */
+    #endif /* HAVE_PQC */
     {
         ret = 0;
     }
@@ -6544,7 +6596,7 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
         XFREE(ed448, heap, DYNAMIC_TYPE_TMP_BUFFER);
     }
 #endif /* HAVE_ED448 && HAVE_ED448_KEY_IMPORT && !NO_ASN_CRYPT */
-#if defined(HAVE_LIBOQS)
+#if defined(HAVE_PQC)
     if (*algoID == 0) {
         falcon_key *falcon = (falcon_key *)XMALLOC(sizeof(*falcon), heap,
             DYNAMIC_TYPE_TMP_BUFFER);
@@ -6578,7 +6630,7 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
         }
         XFREE(falcon, heap, DYNAMIC_TYPE_TMP_BUFFER);
     }
-#endif /* HAVE_LIBOQS */
+#endif /* HAVE_PQC */
 
     /* if flag is not set then this is not a key that we understand. */
     if (*algoID == 0) {
@@ -6603,27 +6655,42 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
  * PKCS #5: RFC 8018, A.4 - PBES2-params without outer SEQUENCE
  *                    A.2 - PBKDF2-params
  *                    B.2 - Encryption schemes
+ *                    C   - AlgorithmIdentifier
  */
 static const ASNItem pbes2ParamsASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* PBKDF2 */
-/*  1 */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
-/*  2 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
-                    /* Salt */
-/*  3 */            { 2, ASN_OCTET_STRING, 0, 0, 0 },
-                    /* Iteration count */
-/*  4 */            { 2, ASN_INTEGER, 0, 0, 0 },
-                    /* Key length */
-/*  5 */            { 2, ASN_INTEGER, 0, 0, 1 },
-                    /* PRF - default is HMAC-SHA1 */
-/*  6 */            { 2, ASN_SEQUENCE, 1, 1, 1 },
-/*  7 */                { 3, ASN_OBJECT_ID, 0, 0, 0 },
-/*  8 */                { 3, ASN_TAG_NULL, 0, 0, 1 },
-/*  9 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-               /* Encryption algorithm */
-/* 10 */       { 1, ASN_OBJECT_ID, 0, 0, 0 },
-               /* IV for CBC */
-/* 11 */       { 1, ASN_OCTET_STRING, 0, 0, 0 },
+/* KDF_SEQ                */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+               /* PBKDF2 */
+/* KDF_OID                */     { 1, ASN_OBJECT_ID, 0, 0, 0 },
+/* PBKDF2_PARAMS_SEQ      */     { 1, ASN_SEQUENCE, 1, 1, 0 },
+                   /* Salt */
+/* PBKDF2_PARAMS_SALT     */         { 2, ASN_OCTET_STRING, 0, 0, 0 },
+                   /* Iteration count */
+/* PBKDF2_PARAMS_ITER     */         { 2, ASN_INTEGER, 0, 0, 0 },
+                   /* Key length */
+/* PBKDF2_PARAMS_KEYLEN   */         { 2, ASN_INTEGER, 0, 0, 1 },
+                   /* PRF - default is HMAC-SHA1 */
+/* PBKDF2_PARAMS_PRF      */         { 2, ASN_SEQUENCE, 1, 1, 1 },
+/* PBKDF2_PARAMS_PRF_OID  */             { 3, ASN_OBJECT_ID, 0, 0, 0 },
+/* PBKDF2_PARAMS_PRF_NULL */             { 3, ASN_TAG_NULL, 0, 0, 1 },
+/* ENCS_SEQ               */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+                   /* Encryption algorithm */
+/* ENCS_OID               */   { 1, ASN_OBJECT_ID, 0, 0, 0 },
+                   /* IV for CBC */
+/* ENCS_PARAMS            */   { 1, ASN_OCTET_STRING, 0, 0, 0 },
+};
+enum {
+    PBES2PARAMSASN_IDX_KDF_SEQ = 0,
+    PBES2PARAMSASN_IDX_KDF_OID,
+    PBES2PARAMSASN_IDX_PBKDF2_PARAMS_SEQ,
+    PBES2PARAMSASN_IDX_PBKDF2_PARAMS_SALT,
+    PBES2PARAMSASN_IDX_PBKDF2_PARAMS_ITER,
+    PBES2PARAMSASN_IDX_PBKDF2_PARAMS_KEYLEN,
+    PBES2PARAMSASN_IDX_PBKDF2_PARAMS_PRF,
+    PBES2PARAMSASN_IDX_PBKDF2_PARAMS_PRF_OID,
+    PBES2PARAMSASN_IDX_PBKDF2_PARAMS_PRF_NULL,
+    PBES2PARAMSASN_IDX_ENCS_SEQ,
+    PBES2PARAMSASN_IDX_ENCS_OID,
+    PBES2PARAMSASN_IDX_ENCS_PARAMS,
 };
 
 /* Number of items in ASN.1 template for PBES2 parameters. */
@@ -6634,9 +6701,13 @@ static const ASNItem pbes2ParamsASN[] = {
  */
 static const ASNItem pbes1ParamsASN[] = {
             /* Salt */
-/*  0 */    { 0, ASN_OCTET_STRING, 0, 0, 0 },
+/* SALT */    { 0, ASN_OCTET_STRING, 0, 0, 0 },
             /* Iteration count */
-/*  1 */    { 0, ASN_INTEGER, 0, 0, 0 },
+/* ITER */    { 0, ASN_INTEGER, 0, 0, 0 },
+};
+enum {
+    PBES1PARAMSASN_IDX_SALT = 0,
+    PBES1PARAMSASN_IDX_ITER,
 };
 
 /* Number of items in ASN.1 template for PBES1 parameters. */
@@ -6983,13 +7054,21 @@ int wc_CreateEncryptedPKCS8Key(byte* key, word32 keySz, byte* out,
  * PKCS #7: RFC 2315, 10.1 - EncryptedContentInfo without outer SEQUENCE
  */
 static const ASNItem pkcs8DecASN[] = {
-/*  0 */    { 1, ASN_SEQUENCE, 1, 1, 0 },
-/*  1 */        { 2, ASN_OBJECT_ID, 0, 0, 0 },
-/*  2 */        { 2, ASN_SEQUENCE, 1, 0, 0 },
+/* ENCALGO_SEQ    */ { 1, ASN_SEQUENCE, 1, 1, 0 },
+/* ENCALGO_OID    */     { 2, ASN_OBJECT_ID, 0, 0, 0 },
+/* ENCALGO_PARAMS */     { 2, ASN_SEQUENCE, 1, 0, 0 },
             /* PKCS #7 */
-/*  3 */    { 1, ASN_CONTEXT_SPECIFIC | 0, 0, 0, 2 },
+/* ENCCONTENT     */ { 1, ASN_CONTEXT_SPECIFIC | ASN_ENC_CONTENT,
+                                       0, 0, 2 },
             /* PKCS #8 */
-/*  4 */    { 1, ASN_OCTET_STRING, 0, 0, 2 },
+/* ENCDATA        */ { 1, ASN_OCTET_STRING, 0, 0, 2 },
+};
+enum {
+    PKCS8DECASN_IDX_ENCALGO_SEQ = 0,
+    PKCS8DECASN_IDX_ENCALGO_OID,
+    PKCS8DECASN_IDX_ENCALGO_PARAMS,
+    PKCS8DECASN_IDX_ENCCONTENT,
+    PKCS8DECASN_IDX_ENCDATA,
 };
 
 /* Number of items in ASN.1 template for PKCS #8/#7 encrypted key. */
@@ -7192,43 +7271,43 @@ exit_dc:
 
     WOLFSSL_ENTER("DecryptContent");
 
-    ALLOC_ASNGETDATA(dataASN, pbes2ParamsASN_Length, ret, NULL);
+    CALLOC_ASNGETDATA(dataASN, pbes2ParamsASN_Length, ret, NULL);
 
     if (ret == 0) {
         /* Check OID is a PBE Type */
-        XMEMSET(dataASN, 0, sizeof(*dataASN) * pkcs8DecASN_Length);
-        GetASN_OID(&dataASN[1], oidPBEType);
+        GetASN_OID(&dataASN[PKCS8DECASN_IDX_ENCALGO_OID], oidPBEType);
         ret = GetASN_Items(pkcs8DecASN, dataASN, pkcs8DecASN_Length, 0, input,
                            &idx, sz);
     }
     if (ret == 0) {
         /* Check the PBE algorithm and get the version and id. */
-        idx = dataASN[1].data.oid.length;
+        idx = dataASN[PKCS8DECASN_IDX_ENCALGO_OID].data.oid.length;
         /* Second last byte: 1 (PKCS #12 PBE Id) or 5 (PKCS #5)
          * Last byte: Alg or PBES2 */
-        CheckAlgo(dataASN[1].data.oid.data[idx - 2],
-                  dataASN[1].data.oid.data[idx - 1], &id, &version, NULL);
+        CheckAlgo(dataASN[PKCS8DECASN_IDX_ENCALGO_OID].data.oid.data[idx - 2],
+                  dataASN[PKCS8DECASN_IDX_ENCALGO_OID].data.oid.data[idx - 1],
+                  &id, &version, NULL);
 
         /* Get the parameters data. */
-        GetASN_GetRef(&dataASN[2], &params, &sz);
+        GetASN_GetRef(&dataASN[PKCS8DECASN_IDX_ENCALGO_PARAMS], &params, &sz);
         /* Having a numbered choice means none or both will have errored out. */
-        if (dataASN[3].tag != 0)
-            GetASN_GetRef(&dataASN[3], &key, &keySz);
-        else if (dataASN[4].tag != 0)
-            GetASN_GetRef(&dataASN[4], &key, &keySz);
+        if (dataASN[PKCS8DECASN_IDX_ENCCONTENT].tag != 0)
+            GetASN_GetRef(&dataASN[PKCS8DECASN_IDX_ENCCONTENT], &key, &keySz);
+        else if (dataASN[PKCS8DECASN_IDX_ENCDATA].tag != 0)
+            GetASN_GetRef(&dataASN[PKCS8DECASN_IDX_ENCDATA], &key, &keySz);
     }
 
     if (ret == 0) {
         if (version != PKCS5v2) {
             /* Initialize for PBES1 parameters and put iterations in var. */
             XMEMSET(dataASN, 0, sizeof(*dataASN) * pbes1ParamsASN_Length);
-            GetASN_Int32Bit(&dataASN[1], &iterations);
+            GetASN_Int32Bit(&dataASN[PBES1PARAMSASN_IDX_ITER], &iterations);
             /* Parse the PBES1 parameters. */
             ret = GetASN_Items(pbes1ParamsASN, dataASN, pbes1ParamsASN_Length,
                                0, params, &pIdx, sz);
             if (ret == 0) {
                 /* Get the salt data. */
-                GetASN_GetRef(&dataASN[0], &salt, &saltSz);
+                GetASN_GetRef(&dataASN[PBES1PARAMSASN_IDX_SALT], &salt, &saltSz);
             }
         }
         else {
@@ -7237,20 +7316,20 @@ exit_dc:
             /* Initialize for PBES2 parameters. Put iterations in var; match
              * KDF, HMAC and cipher, and copy CBC into buffer. */
             XMEMSET(dataASN, 0, sizeof(*dataASN) * pbes2ParamsASN_Length);
-            GetASN_ExpBuffer(&dataASN[1], pbkdf2Oid, sizeof(pbkdf2Oid));
-            GetASN_Int32Bit(&dataASN[4], &iterations);
-            GetASN_OID(&dataASN[7], oidHmacType);
-            GetASN_OID(&dataASN[10], oidBlkType);
-            GetASN_Buffer(&dataASN[11], cbcIv, &ivSz);
+            GetASN_ExpBuffer(&dataASN[PBES2PARAMSASN_IDX_KDF_OID], pbkdf2Oid, sizeof(pbkdf2Oid));
+            GetASN_Int32Bit(&dataASN[PBES2PARAMSASN_IDX_PBKDF2_PARAMS_ITER], &iterations);
+            GetASN_OID(&dataASN[PBES2PARAMSASN_IDX_PBKDF2_PARAMS_PRF_OID], oidHmacType);
+            GetASN_OID(&dataASN[PBES2PARAMSASN_IDX_ENCS_OID], oidBlkType);
+            GetASN_Buffer(&dataASN[PBES2PARAMSASN_IDX_ENCS_PARAMS], cbcIv, &ivSz);
             /* Parse the PBES2 parameters  */
             ret = GetASN_Items(pbes2ParamsASN, dataASN, pbes2ParamsASN_Length,
                                0, params, &pIdx, sz);
             if (ret == 0) {
                 /* Get the salt data. */
-                GetASN_GetRef(&dataASN[3], &salt, &saltSz);
+                GetASN_GetRef(&dataASN[PBES2PARAMSASN_IDX_PBKDF2_PARAMS_SALT], &salt, &saltSz);
                 /* Get the digest and encryption algorithm id. */
-                shaOid = dataASN[7].data.oid.sum; /* Default HMAC-SHA1 */
-                id     = dataASN[10].data.oid.sum;
+                shaOid = dataASN[PBES2PARAMSASN_IDX_PBKDF2_PARAMS_PRF_OID].data.oid.sum; /* Default HMAC-SHA1 */
+                id     = dataASN[PBES2PARAMSASN_IDX_ENCS_OID].data.oid.sum;
                 /* Convert encryption algorithm to a PBE algorithm if needed. */
                 CheckAlgoV2(id, &id, NULL);
             }
@@ -7337,16 +7416,25 @@ static int Pkcs8Pad(byte* buf, int sz, int blockSz)
  * PKCS #5: RFC 8018, A.3 - PBEParameter
  */
 static const ASNItem p8EncPbes1ASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/*  1 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
+/* SEQ                   */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+/* ENCALGO_SEQ           */     { 1, ASN_SEQUENCE, 1, 1, 0 },
                     /* PBE algorithm */
-/*  2 */            { 2, ASN_OBJECT_ID, 0, 0, 0 },
-/*  3 */            { 2, ASN_SEQUENCE, 1, 1, 0 },
+/* ENCALGO_OID           */         { 2, ASN_OBJECT_ID, 0, 0, 0 },
+/* ENCALGO_PBEPARAM_SEQ  */         { 2, ASN_SEQUENCE, 1, 1, 0 },
                         /* Salt */
-/*  4 */                { 3, ASN_OCTET_STRING, 0, 0, 0 },
+/* ENCALGO_PBEPARAM_SALT */             { 3, ASN_OCTET_STRING, 0, 0, 0 },
                         /* Iteration Count */
-/*  5 */                { 3, ASN_INTEGER, 0, 0, 0 },
-/*  6 */        { 1, ASN_OCTET_STRING, 0, 0, 0 },
+/* ENCALGO_PBEPARAM_ITER */             { 3, ASN_INTEGER, 0, 0, 0 },
+/* ENCDATA               */     { 1, ASN_OCTET_STRING, 0, 0, 0 },
+};
+enum {
+    P8ENCPBES1ASN_IDX_SEQ = 0,
+    P8ENCPBES1ASN_IDX_ENCALGO_SEQ,
+    P8ENCPBES1ASN_IDX_ENCALGO_OID,
+    P8ENCPBES1ASN_IDX_ENCALGO_PBEPARAM_SEQ,
+    P8ENCPBES1ASN_IDX_ENCALGO_PBEPARAM_SALT,
+    P8ENCPBES1ASN_IDX_ENCALGO_PBEPARAM_ITER,
+    P8ENCPBES1ASN_IDX_ENCDATA,
 };
 
 #define p8EncPbes1ASN_Length (sizeof(p8EncPbes1ASN) / sizeof(ASNItem))
@@ -7603,20 +7691,23 @@ int EncryptContent(byte* input, word32 inputSz, byte* out, word32* outSz,
     if (ret == 0) {
         /* Setup data to go into encoding including PBE algorithm, salt,
          * iteration count, and padded key length. */
-        SetASN_OID(&dataASN[2], id, oidPBEType);
+        SetASN_OID(&dataASN[P8ENCPBES1ASN_IDX_ENCALGO_OID], id, oidPBEType);
         if (salt == NULL || saltSz == 0) {
             salt = NULL;
             saltSz = PKCS5_SALT_SZ;
             /* Salt generated into encoding below. */
         }
-        SetASN_Buffer(&dataASN[4], salt, saltSz);
-        SetASN_Int16Bit(&dataASN[5], itt);
+        SetASN_Buffer(&dataASN[P8ENCPBES1ASN_IDX_ENCALGO_PBEPARAM_SALT],
+                salt, saltSz);
+        SetASN_Int16Bit(&dataASN[P8ENCPBES1ASN_IDX_ENCALGO_PBEPARAM_ITER], itt);
         pkcs8Sz = Pkcs8Pad(NULL, inputSz, blockSz);
-        SetASN_Buffer(&dataASN[6], NULL, pkcs8Sz);
+        SetASN_Buffer(&dataASN[P8ENCPBES1ASN_IDX_ENCDATA], NULL, pkcs8Sz);
 
         /* Calculate size of encoding. */
-        ret = SizeASN_Items(p8EncPbes1ASN + 1, dataASN + 1,
-                            p8EncPbes1ASN_Length - 1, &sz);
+        ret = SizeASN_Items(p8EncPbes1ASN + P8ENCPBES1ASN_IDX_ENCALGO_SEQ,
+                dataASN + P8ENCPBES1ASN_IDX_ENCALGO_SEQ,
+                (int)(p8EncPbes1ASN_Length - P8ENCPBES1ASN_IDX_ENCALGO_SEQ),
+                &sz);
     }
     /* Return size when no output buffer. */
     if ((ret == 0) && (out == NULL)) {
@@ -7629,19 +7720,22 @@ int EncryptContent(byte* input, word32 inputSz, byte* out, word32* outSz,
     }
     if (ret == 0) {
         /* Encode PKCS#8 key. */
-        SetASN_Items(p8EncPbes1ASN + 1, dataASN + 1, p8EncPbes1ASN_Length - 1,
-                     out);
+        SetASN_Items(p8EncPbes1ASN + P8ENCPBES1ASN_IDX_ENCALGO_SEQ,
+                 dataASN + P8ENCPBES1ASN_IDX_ENCALGO_SEQ,
+                 (int)(p8EncPbes1ASN_Length - P8ENCPBES1ASN_IDX_ENCALGO_SEQ),
+                 out);
 
         if (salt == NULL) {
             /* Generate salt into encoding. */
-            salt = (byte*)dataASN[4].data.buffer.data;
+            salt = (byte*)dataASN[P8ENCPBES1ASN_IDX_ENCALGO_PBEPARAM_SALT].data.buffer.data;
             ret = wc_RNG_GenerateBlock(rng, salt, saltSz);
         }
     }
     if (ret == 0) {
         /* Store PKCS#8 key in output buffer. */
-        pkcs8 = (byte*)dataASN[6].data.buffer.data;
+        pkcs8 = (byte*)dataASN[P8ENCPBES1ASN_IDX_ENCDATA].data.buffer.data;
         XMEMCPY(pkcs8, input, inputSz);
+        Pkcs8Pad(pkcs8, inputSz, blockSz);
 
         /* Encrypt PKCS#8 key inline. */
         ret = wc_CryptKey(password, passwordSz, salt, saltSz, itt, id, pkcs8,
@@ -7748,15 +7842,25 @@ static int RsaPublicKeyDecodeRawIndex(const byte* input, word32* inOutIdx,
  * PKCS #1: RFC 8017, A.1.1 - RSAPublicKey
  */
 static const ASNItem rsaPublicKeyASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/*  1 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
-/*  2 */            { 2, ASN_OBJECT_ID, 0, 0, 0 },
-/*  3 */            { 2, ASN_TAG_NULL, 0, 0, 1 },
-/*  4 */        { 1, ASN_BIT_STRING, 0, 1, 0 },
-                    /* RSAPublicKey */
-/*  5 */            { 2, ASN_SEQUENCE, 1, 1, 0 },
-/*  6 */                { 3, ASN_INTEGER, 0, 0, 0 },
-/*  7 */                { 3, ASN_INTEGER, 0, 0, 0 },
+/*  SEQ            */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+/*  ALGOID_SEQ     */     { 1, ASN_SEQUENCE, 1, 1, 0 },
+/*  ALGOID_OID     */         { 2, ASN_OBJECT_ID, 0, 0, 0 },
+/*  ALGOID_NULL    */         { 2, ASN_TAG_NULL, 0, 0, 1 },
+/*  PUBKEY         */     { 1, ASN_BIT_STRING, 0, 1, 0 },
+                                                  /* RSAPublicKey */
+/*  PUBKEY_RSA_SEQ */         { 2, ASN_SEQUENCE, 1, 1, 0 },
+/*  PUBKEY_RSA_N   */             { 3, ASN_INTEGER, 0, 0, 0 },
+/*  PUBKEY_RSA_E   */             { 3, ASN_INTEGER, 0, 0, 0 },
+};
+enum {
+    RSAPUBLICKEYASN_IDX_SEQ = 0,
+    RSAPUBLICKEYASN_IDX_ALGOID_SEQ,
+    RSAPUBLICKEYASN_IDX_ALGOID_OID,
+    RSAPUBLICKEYASN_IDX_ALGOID_NULL,
+    RSAPUBLICKEYASN_IDX_PUBKEY,
+    RSAPUBLICKEYASN_IDX_PUBKEY_RSA_SEQ,
+    RSAPUBLICKEYASN_IDX_PUBKEY_RSA_N,
+    RSAPUBLICKEYASN_IDX_PUBKEY_RSA_E,
 };
 
 /* Number of items in ASN.1 template for an RSA public key. */
@@ -7877,13 +7981,15 @@ int wc_RsaPublicKeyDecode_ex(const byte* input, word32* inOutIdx, word32 inSz,
 
     if (ret == 0) {
         /* Try decoding PKCS #1 public key by ignoring rest of ASN.1. */
-        ret = GetASN_Items(&rsaPublicKeyASN[5], &dataASN[5],
-                           rsaPublicKeyASN_Length - 5, 0, input, inOutIdx,
-                           inSz);
+        ret = GetASN_Items(&rsaPublicKeyASN[RSAPUBLICKEYASN_IDX_PUBKEY_RSA_SEQ],
+           &dataASN[RSAPUBLICKEYASN_IDX_PUBKEY_RSA_SEQ],
+           (int)(rsaPublicKeyASN_Length - RSAPUBLICKEYASN_IDX_PUBKEY_RSA_SEQ),
+           0, input, inOutIdx, inSz);
         if (ret != 0) {
             /* Didn't work - try whole SubjectKeyInfo instead. */
             /* Set the OID to expect. */
-            GetASN_ExpBuffer(&dataASN[2], keyRsaOid, sizeof(keyRsaOid));
+            GetASN_ExpBuffer(&dataASN[RSAPUBLICKEYASN_IDX_ALGOID_OID],
+                    keyRsaOid, sizeof(keyRsaOid));
             /* Decode SubjectKeyInfo. */
             ret = GetASN_Items(rsaPublicKeyASN, dataASN,
                                rsaPublicKeyASN_Length, 1, input, inOutIdx,
@@ -7893,16 +7999,16 @@ int wc_RsaPublicKeyDecode_ex(const byte* input, word32* inOutIdx, word32 inSz,
     if (ret == 0) {
         /* Return the buffers and lengths asked for. */
         if (n != NULL) {
-            *n   = dataASN[6].data.ref.data;
+            *n   = dataASN[RSAPUBLICKEYASN_IDX_PUBKEY_RSA_N].data.ref.data;
         }
         if (nSz != NULL) {
-            *nSz = dataASN[6].data.ref.length;
+            *nSz = dataASN[RSAPUBLICKEYASN_IDX_PUBKEY_RSA_N].data.ref.length;
         }
         if (e != NULL) {
-            *e   = dataASN[7].data.ref.data;
+            *e   = dataASN[RSAPUBLICKEYASN_IDX_PUBKEY_RSA_E].data.ref.data;
         }
         if (eSz != NULL) {
-            *eSz = dataASN[7].data.ref.length;
+            *eSz = dataASN[RSAPUBLICKEYASN_IDX_PUBKEY_RSA_E].data.ref.length;
         }
     }
 
@@ -7961,16 +8067,18 @@ int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
 
     if (ret == 0) {
         /* Set mp_ints to fill with modulus and exponent data. */
-        GetASN_MP(&dataASN[6], &key->n);
-        GetASN_MP(&dataASN[7], &key->e);
+        GetASN_MP(&dataASN[RSAPUBLICKEYASN_IDX_PUBKEY_RSA_N], &key->n);
+        GetASN_MP(&dataASN[RSAPUBLICKEYASN_IDX_PUBKEY_RSA_E], &key->e);
         /* Try decoding PKCS #1 public key by ignoring rest of ASN.1. */
-        ret = GetASN_Items(&rsaPublicKeyASN[5], &dataASN[5],
-                           rsaPublicKeyASN_Length - 5, 0, input, inOutIdx,
-                           inSz);
+        ret = GetASN_Items(&rsaPublicKeyASN[RSAPUBLICKEYASN_IDX_PUBKEY_RSA_SEQ],
+               &dataASN[RSAPUBLICKEYASN_IDX_PUBKEY_RSA_SEQ],
+               (int)(rsaPublicKeyASN_Length - RSAPUBLICKEYASN_IDX_PUBKEY_RSA_SEQ),
+               0, input, inOutIdx, inSz);
         if (ret != 0) {
             /* Didn't work - try whole SubjectKeyInfo instead. */
             /* Set the OID to expect. */
-            GetASN_ExpBuffer(&dataASN[2], keyRsaOid, sizeof(keyRsaOid));
+            GetASN_ExpBuffer(&dataASN[RSAPUBLICKEYASN_IDX_ALGOID_OID],
+                    keyRsaOid, sizeof(keyRsaOid));
             /* Decode SubjectKeyInfo. */
             ret = GetASN_Items(rsaPublicKeyASN, dataASN,
                                rsaPublicKeyASN_Length, 1, input, inOutIdx,
@@ -8096,13 +8204,19 @@ int wc_DhPublicKeyDecode(const byte* input, word32* inOutIdx,
  * (Also in: RFC 2786, 3)
  */
 static const ASNItem dhParamASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+/* SEQ     */    { 0, ASN_SEQUENCE, 1, 1, 0 },
                 /* prime */
-/*  1 */        { 1, ASN_INTEGER, 0, 0, 0 },
+/* PRIME   */        { 1, ASN_INTEGER, 0, 0, 0 },
                 /* base */
-/*  2 */        { 1, ASN_INTEGER, 0, 0, 0 },
+/* BASE    */        { 1, ASN_INTEGER, 0, 0, 0 },
                 /* privateValueLength */
-/*  3 */        { 1, ASN_INTEGER, 0, 0, 1 },
+/* PRIVLEN */        { 1, ASN_INTEGER, 0, 0, 1 },
+};
+enum {
+    DHPARAMASN_IDX_SEQ = 0,
+    DHPARAMASN_IDX_PRIME,
+    DHPARAMASN_IDX_BASE,
+    DHPARAMASN_IDX_PRIVLEN,
 };
 
 /* Number of items in ASN.1 template for DH key. */
@@ -8112,30 +8226,47 @@ static const ASNItem dhParamASN[] = {
 /* ASN.1 template for DH key wrapped in PKCS #8 or SubjectPublicKeyInfo.
  * PKCS #8: RFC 5208, 5 - PrivateKeyInfo
  * X.509: RFC 5280, 4.1 - SubjectPublicKeyInfo
- * RFC 3279, 2.3.2 - DH in SubjectPublicKeyInfo
+ * RFC 3279, 2.3.3 - DH in SubjectPublicKeyInfo
  */
 static const ASNItem dhKeyPkcs8ASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/*  1 */        { 1, ASN_INTEGER, 0, 0, 1 },
-/*  2 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
-/*  3 */            { 2, ASN_OBJECT_ID, 0, 0, 0 },
-                    /* DHParameter */
-/*  4 */            { 2, ASN_SEQUENCE, 1, 1, 0 },
-                        /* p */
-/*  5 */                { 3, ASN_INTEGER, 0, 0, 0 },
-                        /* g */
-/*  6 */                { 3, ASN_INTEGER, 0, 0, 0 },
-                        /* q - factor of p-1 */
-/*  7 */                { 3, ASN_INTEGER, 0, 0, 1 },
-                        /* j - subgroup factor */
-/*  8 */                { 3, ASN_INTEGER, 0, 0, 1 },
-/*  9 */                { 3, ASN_SEQUENCE, 0, 0, 1 },
-                /* PrivateKey - PKCS #8 */
-/* 10 */        { 1, ASN_OCTET_STRING, 0, 1, 2 },
-/* 11 */            { 2, ASN_INTEGER, 0, 0, 0 },
-                /* PublicKey - SubjectPublicKeyInfo. */
-/* 12 */        { 1, ASN_BIT_STRING, 0, 1, 2 },
-/* 13 */            { 2, ASN_INTEGER, 0, 0, 0 },
+/* SEQ                  */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+/* VER                  */     { 1, ASN_INTEGER, 0, 0, 1 },
+/* PKEYALGO_SEQ         */     { 1, ASN_SEQUENCE, 1, 1, 0 },
+/* PKEYALGO_OID         */         { 2, ASN_OBJECT_ID, 0, 0, 0 },
+                                                     /* DHParameter */
+/* PKEYALGO_PARAM_SEQ   */         { 2, ASN_SEQUENCE, 1, 1, 0 },
+                                                         /* p */
+/* PKEYALGO_PARAM_P     */             { 3, ASN_INTEGER, 0, 0, 0 },
+                                                         /* g */
+/* PKEYALGO_PARAM_G     */             { 3, ASN_INTEGER, 0, 0, 0 },
+                                                         /* q - factor of p-1 */
+/* PKEYALGO_PARAM_Q     */             { 3, ASN_INTEGER, 0, 0, 1 },
+                                                         /* j - subgroup factor */
+/* PKEYALGO_PARAM_J     */             { 3, ASN_INTEGER, 0, 0, 1 },
+                                                         /* ValidationParms */
+/* PKEYALGO_PARAM_VALID */             { 3, ASN_SEQUENCE, 0, 0, 1 },
+                                                 /* PrivateKey - PKCS #8 */
+/* PKEY_STR             */     { 1, ASN_OCTET_STRING, 0, 1, 2 },
+/* PKEY_INT             */         { 2, ASN_INTEGER, 0, 0, 0 },
+                                                 /* PublicKey - SubjectPublicKeyInfo. */
+/* PUBKEY_STR           */     { 1, ASN_BIT_STRING, 0, 1, 2 },
+/* PUBKEY_INT           */         { 2, ASN_INTEGER, 0, 0, 0 },
+};
+enum {
+    DHKEYPKCS8ASN_IDX_SEQ = 0,
+    DHKEYPKCS8ASN_IDX_VER,
+    DHKEYPKCS8ASN_IDX_PKEYALGO_SEQ,
+    DHKEYPKCS8ASN_IDX_PKEYALGO_OID,
+    DHKEYPKCS8ASN_IDX_PKEYALGO_PARAM_SEQ,
+    DHKEYPKCS8ASN_IDX_PKEYALGO_PARAM_P,
+    DHKEYPKCS8ASN_IDX_PKEYALGO_PARAM_G,
+    DHKEYPKCS8ASN_IDX_PKEYALGO_PARAM_Q,
+    DHKEYPKCS8ASN_IDX_PKEYALGO_PARAM_J,
+    DHKEYPKCS8ASN_IDX_PKEYALGO_PARAM_VALID,
+    DHKEYPKCS8ASN_IDX_PKEY_STR,
+    DHKEYPKCS8ASN_IDX_PKEY_INT,
+    DHKEYPKCS8ASN_IDX_PUBKEY_STR,
+    DHKEYPKCS8ASN_IDX_PUBKEY_INT,
 };
 
 #define dhKeyPkcs8ASN_Length (sizeof(dhKeyPkcs8ASN) / sizeof(ASNItem))
@@ -8287,8 +8418,8 @@ int wc_DhKeyDecode(const byte* input, word32* inOutIdx, DhKey* key, word32 inSz)
     if (ret == 0) {
         /* Initialize data and set mp_ints to hold p and g. */
         XMEMSET(dataASN, 0, sizeof(*dataASN) * dhParamASN_Length);
-        GetASN_MP(&dataASN[1], &key->p);
-        GetASN_MP(&dataASN[2], &key->g);
+        GetASN_MP(&dataASN[DHPARAMASN_IDX_PRIME], &key->p);
+        GetASN_MP(&dataASN[DHPARAMASN_IDX_BASE], &key->g);
         /* Try simple PKCS #3 template. */
         ret = GetASN_Items(dhParamASN, dataASN, dhParamASN_Length, 1, input,
                            inOutIdx, inSz);
@@ -8296,21 +8427,24 @@ int wc_DhKeyDecode(const byte* input, word32* inOutIdx, DhKey* key, word32 inSz)
         if (ret != 0) {
             /* Initialize data and set mp_ints to hold p, g, q, priv and pub. */
             XMEMSET(dataASN, 0, sizeof(*dataASN) * dhKeyPkcs8ASN_Length);
-            GetASN_ExpBuffer(&dataASN[3], keyDhOid, sizeof(keyDhOid));
-            GetASN_MP(&dataASN[5], &key->p);
-            GetASN_MP(&dataASN[6], &key->g);
-            GetASN_MP(&dataASN[7], &key->q);
-            GetASN_MP(&dataASN[11], &key->priv);
-            GetASN_MP(&dataASN[13], &key->pub);
+            GetASN_ExpBuffer(&dataASN[DHKEYPKCS8ASN_IDX_PKEYALGO_OID],
+                    keyDhOid, sizeof(keyDhOid));
+            GetASN_MP(&dataASN[DHKEYPKCS8ASN_IDX_PKEYALGO_PARAM_P], &key->p);
+            GetASN_MP(&dataASN[DHKEYPKCS8ASN_IDX_PKEYALGO_PARAM_G], &key->g);
+            GetASN_MP(&dataASN[DHKEYPKCS8ASN_IDX_PKEYALGO_PARAM_Q], &key->q);
+            GetASN_MP(&dataASN[DHKEYPKCS8ASN_IDX_PKEY_INT], &key->priv);
+            GetASN_MP(&dataASN[DHKEYPKCS8ASN_IDX_PUBKEY_INT], &key->pub);
             /* Try PKCS #8 wrapped template. */
             ret = GetASN_Items(dhKeyPkcs8ASN, dataASN, dhKeyPkcs8ASN_Length, 1,
                                input, inOutIdx, inSz);
             if (ret == 0) {
-                if ((dataASN[11].length != 0) && (dataASN[1].length == 0)) {
+                /* VERSION only present in PKCS #8 private key structure */
+                if ((dataASN[DHKEYPKCS8ASN_IDX_PKEY_INT].length != 0) &&
+                        (dataASN[DHKEYPKCS8ASN_IDX_VER].length == 0)) {
                     ret = ASN_PARSE_E;
                 }
-                else if ((dataASN[13].length != 0) &&
-                                                     (dataASN[1].length != 0)) {
+                else if ((dataASN[DHKEYPKCS8ASN_IDX_PUBKEY_INT].length != 0) &&
+                        (dataASN[DHKEYPKCS8ASN_IDX_VER].length != 0)) {
                     ret = ASN_PARSE_E;
                 }
             }
@@ -8422,25 +8556,25 @@ int wc_DhKeyToDer(DhKey* key, byte* output, word32* outSz, int exportPriv)
     WOLFSSL_ENTER("wc_DhKeyToDer");
 
     XMEMSET(dataASN, 0, sizeof(dataASN));
-    SetASN_Int8Bit(&dataASN[1], 0);
-    SetASN_OID(&dataASN[3], DHk, oidKeyType);
+    SetASN_Int8Bit(&dataASN[DHKEYPKCS8ASN_IDX_VER], 0);
+    SetASN_OID(&dataASN[DHKEYPKCS8ASN_IDX_PKEYALGO_OID], DHk, oidKeyType);
     /* Set mp_int containing p and g. */
-    SetASN_MP(&dataASN[5], &key->p);
-    SetASN_MP(&dataASN[6], &key->g);
-    dataASN[7].noOut = 1;
-    dataASN[8].noOut = 1;
-    dataASN[9].noOut = 1;
+    SetASN_MP(&dataASN[DHKEYPKCS8ASN_IDX_PKEYALGO_PARAM_P], &key->p);
+    SetASN_MP(&dataASN[DHKEYPKCS8ASN_IDX_PKEYALGO_PARAM_G], &key->g);
+    dataASN[DHKEYPKCS8ASN_IDX_PKEYALGO_PARAM_Q].noOut = 1;
+    dataASN[DHKEYPKCS8ASN_IDX_PKEYALGO_PARAM_J].noOut = 1;
+    dataASN[DHKEYPKCS8ASN_IDX_PKEYALGO_PARAM_VALID].noOut = 1;
 
     if (exportPriv) {
-        SetASN_MP(&dataASN[11], &key->priv);
-        dataASN[12].noOut = 1;
-        dataASN[13].noOut = 1;
+        SetASN_MP(&dataASN[DHKEYPKCS8ASN_IDX_PKEY_INT], &key->priv);
+        dataASN[DHKEYPKCS8ASN_IDX_PUBKEY_STR].noOut = 1;
+        dataASN[DHKEYPKCS8ASN_IDX_PUBKEY_INT].noOut = 1;
     }
     else {
-        dataASN[1].noOut = 1;
-        dataASN[10].noOut = 1;
-        dataASN[11].noOut = 1;
-        SetASN_MP(&dataASN[13], &key->pub);
+        dataASN[DHKEYPKCS8ASN_IDX_VER].noOut = 1;
+        dataASN[DHKEYPKCS8ASN_IDX_PKEY_STR].noOut = 1;
+        dataASN[DHKEYPKCS8ASN_IDX_PKEY_INT].noOut = 1;
+        SetASN_MP(&dataASN[DHKEYPKCS8ASN_IDX_PUBKEY_INT], &key->pub);
     }
 
     /* Calculate the size of the DH parameters. */
@@ -8536,10 +8670,10 @@ int wc_DhParamsToDer(DhKey* key, byte* output, word32* outSz)
     if (ret == 0) {
         XMEMSET(dataASN, 0, sizeof(dataASN));
         /* Set mp_int containing p and g. */
-        SetASN_MP(&dataASN[1], &key->p);
-        SetASN_MP(&dataASN[2], &key->g);
+        SetASN_MP(&dataASN[DHPARAMASN_IDX_PRIME], &key->p);
+        SetASN_MP(&dataASN[DHPARAMASN_IDX_BASE], &key->g);
         /* privateValueLength not encoded. */
-        dataASN[3].noOut = 1;
+        dataASN[DHPARAMASN_IDX_PRIVLEN].noOut = 1;
 
         /* Calculate the size of the DH parameters. */
         ret = SizeASN_Items(dhParamASN, dataASN, dhParamASN_Length, &sz);
@@ -8640,8 +8774,8 @@ int wc_DhParamsLoad(const byte* input, word32 inSz, byte* p, word32* pInOutSz,
 
     if (ret == 0) {
         /* Set the buffers to copy p and g into. */
-        GetASN_Buffer(&dataASN[1], p, pInOutSz);
-        GetASN_Buffer(&dataASN[2], g, gInOutSz);
+        GetASN_Buffer(&dataASN[DHPARAMASN_IDX_PRIME], p, pInOutSz);
+        GetASN_Buffer(&dataASN[DHPARAMASN_IDX_BASE], g, gInOutSz);
         /* Decode the DH Parameters. */
         ret = GetASN_Items(dhParamASN, dataASN, dhParamASN_Length, 1, input,
                            &idx, inSz);
@@ -8679,13 +8813,22 @@ static mp_int* GetDsaInt(DsaKey* key, int idx)
  * RFC 3279, 2.3.2 - DSA in SubjectPublicKeyInfo
  */
 static const ASNItem dsaKeyASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/*  1 */        { 1, ASN_INTEGER, 0, 0, 0 },
-/*  2 */        { 1, ASN_INTEGER, 0, 0, 0 },
-/*  3 */        { 1, ASN_INTEGER, 0, 0, 0 },
-/*  4 */        { 1, ASN_INTEGER, 0, 0, 0 },
-/*  5 */        { 1, ASN_INTEGER, 0, 0, 0 },
-/*  6 */        { 1, ASN_INTEGER, 0, 0, 0 },
+/* SEQ */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+/* VER */        { 1, ASN_INTEGER, 0, 0, 0 },
+/* P   */        { 1, ASN_INTEGER, 0, 0, 0 },
+/* Q   */        { 1, ASN_INTEGER, 0, 0, 0 },
+/* G   */        { 1, ASN_INTEGER, 0, 0, 0 },
+/* Y   */        { 1, ASN_INTEGER, 0, 0, 0 },
+/* X   */        { 1, ASN_INTEGER, 0, 0, 0 },
+};
+enum {
+    DSAKEYASN_IDX_SEQ = 0,
+    DSAKEYASN_IDX_VER,
+    DSAKEYASN_IDX_P,
+    DSAKEYASN_IDX_Q,
+    DSAKEYASN_IDX_G,
+    DSAKEYASN_IDX_Y,
+    DSAKEYASN_IDX_X,
 };
 
 /* Number of items in ASN.1 template for DSA private key. */
@@ -8698,19 +8841,30 @@ static const ASNItem dsaKeyASN[] = {
  * RFC 3279, 2.3.2 - DSA in SubjectPublicKeyInfo
  */
 static const ASNItem dsaPubKeyASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/*  1 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
-/*  2 */            { 2, ASN_OBJECT_ID, 0, 0, 0 },
-/*  3 */            { 2, ASN_SEQUENCE, 1, 1, 0 },
-                        /* p */
-/*  4 */                { 3, ASN_INTEGER, 0, 0, 0 },
-                        /* q */
-/*  5 */                { 3, ASN_INTEGER, 0, 0, 0 },
-                        /* g */
-/*  6 */                { 3, ASN_INTEGER, 0, 0, 0 },
-/*  7 */        { 1, ASN_BIT_STRING, 0, 1, 1 },
-                    /* y */
-/*  8 */            { 2, ASN_INTEGER, 0, 0, 0 },
+/* SEQ             */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+/* ALGOID_SEQ      */     { 1, ASN_SEQUENCE, 1, 1, 0 },
+/* ALGOID_OID      */         { 2, ASN_OBJECT_ID, 0, 0, 0 },
+/* ALGOID_PARAMS   */         { 2, ASN_SEQUENCE, 1, 1, 0 },
+                                                   /* p */
+/* ALGOID_PARAMS_P */             { 3, ASN_INTEGER, 0, 0, 0 },
+                                                   /* q */
+/* ALGOID_PARAMS_Q */             { 3, ASN_INTEGER, 0, 0, 0 },
+                                                   /* g */
+/* ALGOID_PARAMS_G */             { 3, ASN_INTEGER, 0, 0, 0 },
+/* PUBKEY_STR      */     { 1, ASN_BIT_STRING, 0, 1, 1 },
+                                               /* y */
+/* PUBKEY_Y        */         { 2, ASN_INTEGER, 0, 0, 0 },
+};
+enum {
+    DSAPUBKEYASN_IDX_SEQ = 0,
+    DSAPUBKEYASN_IDX_ALGOID_SEQ,
+    DSAPUBKEYASN_IDX_ALGOID_OID,
+    DSAPUBKEYASN_IDX_ALGOID_PARAMS,
+    DSAPUBKEYASN_IDX_ALGOID_PARAMS_P,
+    DSAPUBKEYASN_IDX_ALGOID_PARAMS_Q,
+    DSAPUBKEYASN_IDX_ALGOID_PARAMS_G,
+    DSAPUBKEYASN_IDX_PUBKEY_STR,
+    DSAPUBKEYASN_IDX_PUBKEY_Y,
 };
 
 /* Number of items in ASN.1 template for PublicKeyInfo with DSA. */
@@ -8802,9 +8956,11 @@ int wc_DsaPublicKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
     if (ret == 0) {
         /* Clear dynamic data items. */
         XMEMSET(dataASN, 0, sizeof(ASNGetData) * dsaPublicKeyASN_Length);
-        /* p, q, g, y */
+        /* seq
+         *   p, q, g, y
+         * Start DSA ints from DSAKEYASN_IDX_VER instead of DSAKEYASN_IDX_P */
         for (i = 0; i < DSA_INTS - 1; i++)
-            GetASN_MP(&dataASN[1 + i], GetDsaInt(key, i));
+            GetASN_MP(&dataASN[(int)DSAKEYASN_IDX_VER + i], GetDsaInt(key, i));
         /* Parse as simple form. */
         ret = GetASN_Items(dsaKeyASN, dataASN, dsaPublicKeyASN_Length, 1, input,
                            inOutIdx, inSz);
@@ -8812,12 +8968,14 @@ int wc_DsaPublicKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
             /* Clear dynamic data items. */
             XMEMSET(dataASN, 0, sizeof(ASNGetData) * dsaPubKeyASN_Length);
             /* Set DSA OID to expect. */
-            GetASN_ExpBuffer(&dataASN[2], keyDsaOid, sizeof(keyDsaOid));
+            GetASN_ExpBuffer(&dataASN[DSAPUBKEYASN_IDX_ALGOID_OID],
+                    keyDsaOid, sizeof(keyDsaOid));
             /* p, q, g */
             for (i = 0; i < DSA_INTS - 2; i++)
-                GetASN_MP(&dataASN[4 + i], GetDsaInt(key, i));
+                GetASN_MP(&dataASN[(int)DSAPUBKEYASN_IDX_ALGOID_PARAMS_P + i],
+                        GetDsaInt(key, i));
             /* y */
-            GetASN_MP(&dataASN[8], GetDsaInt(key, i));
+            GetASN_MP(&dataASN[DSAPUBKEYASN_IDX_PUBKEY_Y], GetDsaInt(key, i));
             /* Parse as SubjectPublicKeyInfo. */
             ret = GetASN_Items(dsaPubKeyASN, dataASN, dsaPubKeyASN_Length, 1,
                 input, inOutIdx, inSz);
@@ -8859,17 +9017,25 @@ int wc_DsaParamsDecode(const byte* input, word32* inOutIdx, DsaKey* key,
 #ifdef WOLFSSL_ASN_TEMPLATE
 /* ASN.1 template for a DSA key holding private key in an OCTET_STRING. */
 static const ASNItem dsaKeyOctASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+/*  SEQ      */ { 0, ASN_SEQUENCE, 1, 1, 0 },
                 /* p */
-/*  1 */        { 1, ASN_INTEGER, 0, 0, 0 },
+/*  P        */     { 1, ASN_INTEGER, 0, 0, 0 },
                 /* q */
-/*  2 */        { 1, ASN_INTEGER, 0, 0, 0 },
+/*  Q        */     { 1, ASN_INTEGER, 0, 0, 0 },
                 /* g */
-/*  3 */        { 1, ASN_INTEGER, 0, 0, 0 },
+/*  G        */     { 1, ASN_INTEGER, 0, 0, 0 },
                 /* Private key */
-/*  4 */        { 1, ASN_OCTET_STRING, 0, 1, 0 },
+/*  PKEY_STR */     { 1, ASN_OCTET_STRING, 0, 1, 0 },
                     /* x */
-/*  5 */            { 2, ASN_INTEGER, 0, 0, 0 },
+/*  X        */         { 2, ASN_INTEGER, 0, 0, 0 },
+};
+enum {
+    DSAKEYOCTASN_IDX_SEQ = 0,
+    DSAKEYOCTASN_IDX_P,
+    DSAKEYOCTASN_IDX_Q,
+    DSAKEYOCTASN_IDX_G,
+    DSAKEYOCTASN_IDX_PKEY_STR,
+    DSAKEYOCTASN_IDX_X,
 };
 
 /* Number of items in ASN.1 template for a DSA key (OCTET_STRING version). */
@@ -8982,27 +9148,26 @@ int wc_DsaPrivateKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
         ret = BAD_FUNC_ARG;
     }
 
-    ALLOC_ASNGETDATA(dataASN, dsaKeyASN_Length, ret, key->heap);
+    CALLOC_ASNGETDATA(dataASN, dsaKeyASN_Length, ret, key->heap);
 
     if (ret == 0) {
-        /* Initialize key data and set mp_ints for params and priv/pub. */
-        XMEMSET(dataASN, 0, sizeof(*dataASN) * dsaKeyOctASN_Length);
-        GetASN_Int8Bit(&dataASN[1], &version);
+        /* Try dsaKeyOctASN */
+        /* Initialize key data and set mp_ints for params */
         for (i = 0; i < DSA_INTS - 2; i++) {
-            GetASN_MP(&dataASN[1 + i], GetDsaInt(key, i));
+            GetASN_MP(&dataASN[(int)DSAKEYOCTASN_IDX_P + i], GetDsaInt(key, i));
         }
-        GetASN_MP(&dataASN[2 + i], GetDsaInt(key, i));
+        /* and priv */
+        GetASN_MP(&dataASN[DSAKEYOCTASN_IDX_X], GetDsaInt(key, i));
         /* Try simple form. */
         ret = GetASN_Items(dsaKeyOctASN, dataASN, dsaKeyOctASN_Length, 1, input,
                            inOutIdx, inSz);
-        if ((ret == 0) && (version != 0)) {
-            ret = ASN_PARSE_E;
-        }
-        else if (ret != 0) {
-            /* Initialize key data and set mp_ints for params and priv/pub. */
+
+        if (ret != 0) {
+            /* Try dsaKeyASN */
             XMEMSET(dataASN, 0, sizeof(*dataASN) * dsaKeyASN_Length);
+            GetASN_Int8Bit(&dataASN[DSAKEYASN_IDX_VER], &version);
             for (i = 0; i < DSA_INTS; i++) {
-                GetASN_MP(&dataASN[2 + i], GetDsaInt(key, i));
+                GetASN_MP(&dataASN[(int)DSAKEYASN_IDX_P + i], GetDsaInt(key, i));
             }
 
             /* Try simple OCTET_STRING form. */
@@ -9136,20 +9301,6 @@ int wc_SetDsaPublicKey(byte* output, DsaKey* key, int outLen, int with_header)
         return ySz;
     }
 
-    innerSeqSz  = SetSequence(pSz + qSz + gSz, innerSeq);
-
-    /* check output size */
-    if ((innerSeqSz + pSz + qSz + gSz) > outLen) {
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(p,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(q,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(g,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(y,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-        WOLFSSL_MSG("Error, output size smaller than outlen");
-        return BUFFER_E;
-    }
-
     if (with_header) {
         int algoSz;
 #ifdef WOLFSSL_SMALL_STACK
@@ -9166,6 +9317,7 @@ int wc_SetDsaPublicKey(byte* output, DsaKey* key, int outLen, int with_header)
 #else
         byte algo[MAX_ALGO_SZ];
 #endif
+        innerSeqSz  = SetSequence(pSz + qSz + gSz, innerSeq);
         algoSz = SetAlgoID(DSAk, algo, oidKeyType, 0);
         bitStringSz  = SetBitString(ySz, 0, bitString);
         outerSeqSz = SetSequence(algoSz + innerSeqSz + pSz + qSz + gSz,
@@ -9198,6 +9350,20 @@ int wc_SetDsaPublicKey(byte* output, DsaKey* key, int outLen, int with_header)
         XFREE(algo, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
     } else {
+        innerSeqSz  = SetSequence(pSz + qSz + gSz + ySz, innerSeq);
+
+        /* check output size */
+        if ((innerSeqSz + pSz + qSz + gSz + ySz) > outLen) {
+    #ifdef WOLFSSL_SMALL_STACK
+            XFREE(p,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(q,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(g,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(y,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+            WOLFSSL_MSG("Error, output size smaller than outlen");
+            return BUFFER_E;
+        }
+
         idx = 0;
     }
 
@@ -9234,7 +9400,8 @@ int wc_SetDsaPublicKey(byte* output, DsaKey* key, int outLen, int with_header)
     int ret = 0;
     int i;
     int sz;
-    int o;
+    const ASNItem *data = NULL;
+    int count = 0;
 
     WOLFSSL_ENTER("wc_SetDsaPublicKey");
 
@@ -9245,38 +9412,40 @@ int wc_SetDsaPublicKey(byte* output, DsaKey* key, int outLen, int with_header)
     CALLOC_ASNSETDATA(dataASN, dsaPubKeyASN_Length, ret, key->heap);
 
     if (ret == 0) {
-        /* With header - include the SubjectPublicKeyInfo wrapping. */
         if (with_header) {
-            o = 0;
+            /* Using dsaPubKeyASN */
+            data = dsaPubKeyASN;
+            count = dsaPubKeyASN_Length;
             /* Set the algorithm OID to write out. */
-            SetASN_OID(&dataASN[2], DSAk, oidKeyType);
+            SetASN_OID(&dataASN[DSAPUBKEYASN_IDX_ALGOID_OID], DSAk, oidKeyType);
+            /* Set the mp_ints to encode - parameters and public value. */
+            for (i = 0; i < DSA_INTS - 2; i++) {
+                SetASN_MP(&dataASN[(int)DSAPUBKEYASN_IDX_ALGOID_PARAMS_P + i],
+                        GetDsaInt(key, i));
+            }
+            SetASN_MP(&dataASN[DSAPUBKEYASN_IDX_PUBKEY_Y], GetDsaInt(key, i));
         }
         else {
-            o = 3;
-            /* Skip BIT_STRING but include 'y'. */
-            dataASN[7].noOut = 1;
+            /* Using dsaKeyASN */
+            data = dsaKeyASN;
+            count = dsaPublicKeyASN_Length;
+            /* Set the mp_ints to encode - parameters and public value. */
+            for (i = 0; i < DSA_INTS - 1; i++) {
+                /* Move all DSA ints up one slot (ignore VERSION so now
+                 * it means P) */
+                SetASN_MP(&dataASN[(int)DSAKEYASN_IDX_VER + i],
+                        GetDsaInt(key, i));
+            }
         }
-        /* Set the mp_ints to encode - parameters and public value. */
-        for (i = 0; i < DSA_INTS - 2; i++) {
-            SetASN_MP(&dataASN[4 + i], GetDsaInt(key, i));
-        }
-        SetASN_MP(&dataASN[5 + i], GetDsaInt(key, i));
-        /* Calculate size of the encoding. */
-        ret = SizeASN_Items(dsaPubKeyASN + o, dataASN, dsaPubKeyASN_Length - o,
-                            &sz);
+        ret = SizeASN_Items(data, dataASN, count, &sz);
     }
     /* Check buffer is big enough for encoding. */
     if ((ret == 0) && (sz > (int)outLen)) {
         ret = BAD_FUNC_ARG;
     }
+    /* Encode the DSA public key into output buffer. */
     if (ret == 0) {
-        /* Encode the DSA public key into output buffer.
-         * 'o' indicates offset when no header.
-         */
-        SetASN_Items(dsaPubKeyASN + o, dataASN, dsaPubKeyASN_Length - o,
-                     output);
-        /* Return the size of the encoding. */
-        ret = sz;
+        ret = SetASN_Items(data, dataASN, count, output);
     }
 
     FREE_ASNSETDATA(dataASN, key->heap);
@@ -9397,16 +9566,19 @@ static int DsaKeyIntsToDer(DsaKey* key, byte* output, word32* inLen,
     if (ret == 0) {
         if (includeVersion) {
             /* Set the version. */
-            SetASN_Int8Bit(&dataASN[1], 0);
+            SetASN_Int8Bit(&dataASN[DSAKEYASN_IDX_VER], 0);
         }
         else {
-            dataASN[1].noOut = 1;
+            dataASN[DSAKEYASN_IDX_VER].noOut = 1;
         }
-        dataASN[5].noOut = mp_iszero(&key->y);
-        dataASN[6].noOut = mp_iszero(&key->x);
+        dataASN[DSAKEYASN_IDX_Y].noOut = mp_iszero(&key->y);
+        dataASN[DSAKEYASN_IDX_X].noOut = mp_iszero(&key->x);
         /* Set the mp_ints to encode - params, public and private value. */
         for (i = 0; i < DSA_INTS; i++) {
-            SetASN_MP(&dataASN[2 + i], GetDsaInt(key, i));
+            if (i < ints)
+                SetASN_MP(&dataASN[(int)DSAKEYASN_IDX_P + i], GetDsaInt(key, i));
+            else
+                dataASN[(int)DSAKEYASN_IDX_P + i].noOut = 1;
         }
         /* Calculate size of the encoding. */
         ret = SizeASN_Items(dsaKeyASN, dataASN, dsaKeyASN_Length, &sz);
@@ -9657,7 +9829,7 @@ static int GetCertHeader(DecodedCert* cert)
 }
 #endif
 
-#if defined(HAVE_ED25519) || defined(HAVE_ED448) || defined(HAVE_LIBOQS)
+#if defined(HAVE_ED25519) || defined(HAVE_ED448) || defined(HAVE_PQC)
 /* Store the key data under the BIT_STRING in dynamicly allocated data.
  *
  * @param [in, out] cert    Certificate object.
@@ -9702,8 +9874,12 @@ static int StoreKey(DecodedCert* cert, const byte* source, word32* srcIdx,
 #ifdef WOLFSSL_ASN_TEMPLATE
 /* ASN.1 template for header before RSA key in certificate. */
 static const ASNItem rsaCertKeyASN[] = {
-/*  0 */    { 0, ASN_BIT_STRING, 0, 1, 0 },
-/*  1 */        { 1, ASN_SEQUENCE, 1, 0, 0 },
+/* STR */ { 0, ASN_BIT_STRING, 0, 1, 0 },
+/* SEQ */     { 1, ASN_SEQUENCE, 1, 0, 0 },
+};
+enum {
+    RSACERTKEYASN_IDX_STR = 0,
+    RSACERTKEYASN_IDX_SEQ,
 };
 
 /* Number of items in ASN.1 template for header before RSA key in cert. */
@@ -9765,12 +9941,13 @@ static int StoreRsaKey(DecodedCert* cert, const byte* source, word32* srcIdx,
     if (ret == 0) {
         /* Store the pointer and length in certificate object starting at
          * SEQUENCE. */
-        GetASN_GetConstRef(&dataASN[0], &cert->publicKey, &cert->pubKeySize);
+        GetASN_GetConstRef(&dataASN[RSACERTKEYASN_IDX_STR],
+                &cert->publicKey, &cert->pubKeySize);
 
     #if defined(WOLFSSL_RENESAS_TSIP) || defined(WOLFSSL_RENESAS_SCEPROTECT)
         /* Start of SEQUENCE. */
         cert->sigCtx.CertAtt.pubkey_n_start =
-            cert->sigCtx.CertAtt.pubkey_e_start = dataASN[1].offset;
+            cert->sigCtx.CertAtt.pubkey_e_start = dataASN[RSACERTKEYASN_IDX_SEQ].offset;
     #endif
     #ifdef HAVE_OCSP
         /* Calculate the hash of the public key for OCSP. */
@@ -9789,9 +9966,16 @@ static int StoreRsaKey(DecodedCert* cert, const byte* source, word32* srcIdx,
 #ifdef WOLFSSL_ASN_TEMPLATE
 /* ASN.1 template for header before ECC key in certificate. */
 static const ASNItem eccCertKeyASN[] = {
-/*  0 */        { 1, ASN_OBJECT_ID, 0, 0, 2 },
-/*  1 */        { 1, ASN_SEQUENCE, 1, 0, 2 },
-/*  2 */    { 0, ASN_BIT_STRING, 0, 0, 0 },
+/* OID        */     { 1, ASN_OBJECT_ID, 0, 0, 2 },
+                            /* Algo parameters */
+/* PARAMS     */     { 1, ASN_SEQUENCE, 1, 0, 2 },
+                            /* Subject public key */
+/* SUBJPUBKEY */ { 0, ASN_BIT_STRING, 0, 0, 0 },
+};
+enum {
+    ECCCERTKEYASN_IDX_OID = 0,
+    ECCCERTKEYASN_IDX_PARAMS,
+    ECCCERTKEYASN_IDX_SUBJPUBKEY,
 };
 
 /* Number of items in ASN.1 template for header before ECC key in cert. */
@@ -9877,26 +10061,29 @@ static int StoreEccKey(DecodedCert* cert, const byte* source, word32* srcIdx,
 
     return 0;
 #else
-    ASNGetData dataASN[eccCertKeyASN_Length];
-    int ret;
+    int ret = 0;
+    DECL_ASNGETDATA(dataASN, eccCertKeyASN_Length);
     byte* publicKey;
 
     /* Clear dynamic data and check OID is a curve. */
-    XMEMSET(dataASN, 0, sizeof(dataASN));
-    GetASN_OID(&dataASN[0], oidCurveType);
-    /* Parse ECC public key header. */
-    ret = GetASN_Items(eccCertKeyASN, dataASN, eccCertKeyASN_Length, 1, source,
-                       srcIdx, maxIdx);
+    CALLOC_ASNGETDATA(dataASN, eccCertKeyASN_Length, ret, cert->heap);
     if (ret == 0) {
-        if (dataASN[0].tag != 0) {
+        GetASN_OID(&dataASN[ECCCERTKEYASN_IDX_OID], oidCurveType);
+        /* Parse ECC public key header. */
+        ret = GetASN_Items(eccCertKeyASN, dataASN, eccCertKeyASN_Length, 1,
+                source, srcIdx, maxIdx);
+    }
+    if (ret == 0) {
+        if (dataASN[ECCCERTKEYASN_IDX_OID].tag != 0) {
             /* Store curve OID. */
-            cert->pkCurveOID = dataASN[0].data.oid.sum;
+            cert->pkCurveOID = dataASN[ECCCERTKEYASN_IDX_OID].data.oid.sum;
         }
         /* Ignore explicit parameters. */
 
     #ifdef HAVE_OCSP
         /* Calculate the hash of the subject public key for OCSP. */
-        ret = CalcHashId(dataASN[2].data.ref.data, dataASN[2].data.ref.length,
+        ret = CalcHashId(dataASN[ECCCERTKEYASN_IDX_SUBJPUBKEY].data.ref.data,
+                         dataASN[ECCCERTKEYASN_IDX_SUBJPUBKEY].data.ref.length,
                          cert->subjectKeyHash);
     }
     if (ret == 0) {
@@ -9918,6 +10105,7 @@ static int StoreEccKey(DecodedCert* cert, const byte* source, word32* srcIdx,
             cert->pubKeyStored = 1;
         }
     }
+    FREE_ASNGETDATA(dataASN, cert->heap);
 
     return ret;
 #endif /* WOLFSSL_ASN_TEMPLATE */
@@ -10087,7 +10275,7 @@ static int GetCertKey(DecodedCert* cert, const byte* source, word32* inOutIdx,
             ret = StoreKey(cert, source, &srcIdx, maxIdx);
             break;
     #endif /* HAVE_ED448 */
-    #ifdef HAVE_LIBOQS
+    #ifdef HAVE_PQC
         case FALCON_LEVEL1k:
             cert->pkCurveOID = FALCON_LEVEL1k;
             ret = StoreKey(cert, source, &srcIdx, maxIdx);
@@ -10096,7 +10284,7 @@ static int GetCertKey(DecodedCert* cert, const byte* source, word32* inOutIdx,
             cert->pkCurveOID = FALCON_LEVEL5k;
             ret = StoreKey(cert, source, &srcIdx, maxIdx);
             break;
-    #endif /* HAVE_LIBOQS */
+    #endif /* HAVE_PQC */
     #ifndef NO_DSA
         case DSAk:
             cert->publicKey = source + pubIdx;
@@ -10443,10 +10631,14 @@ static const CertNameData certNameSubject[] = {
     /* Street Address */
     {
         "/street=", 8,
-#ifdef WOLFSSL_CERT_GEN
+#ifdef WOLFSSL_CERT_EXT
         OFFSETOF(DecodedCert, subjectStreet),
         OFFSETOF(DecodedCert, subjectStreetLen),
         OFFSETOF(DecodedCert, subjectStreetEnc),
+#else
+        0,
+        0,
+        0,
 #endif
 #ifdef WOLFSSL_X509_NAME_AVAILABLE
         NID_streetAddress
@@ -10569,13 +10761,19 @@ static const int certNameSubjectSz =
  * X.509: RFC 5280, 4.1.2.4 - RelativeDistinguishedName
  */
 static const ASNItem rdnASN[] = {
-/*  0 */        { 1, ASN_SET, 1, 1, 0 },
-                    /* AttributeTypeAndValue */
-/*  1 */            { 2, ASN_SEQUENCE, 1, 1, 0 },
-                        /* AttributeType */
-/*  2 */                { 3, ASN_OBJECT_ID, 0, 0, 0 },
-                        /* AttributeValue: Choice of tags - rdnChoice. */
-/*  3 */                { 3, 0, 0, 0, 0 },
+/* SET       */ { 1, ASN_SET, 1, 1, 0 },
+                           /* AttributeTypeAndValue */
+/* ATTR_SEQ  */     { 2, ASN_SEQUENCE, 1, 1, 0 },
+                                   /* AttributeType */
+/* ATTR_TYPE */         { 3, ASN_OBJECT_ID, 0, 0, 0 },
+                           /* AttributeValue: Choice of tags - rdnChoice. */
+/* ATTR_VAL  */         { 3, 0, 0, 0, 0 },
+};
+enum {
+    RDNASN_IDX_SET = 0,
+    RDNASN_IDX_ATTR_SEQ,
+    RDNASN_IDX_ATTR_TYPE,
+    RDNASN_IDX_ATTR_VAL,
 };
 
 /* Number of items in ASN.1 template for an RDN. */
@@ -10787,7 +10985,7 @@ static int SetSubject(DecodedCert* cert, int id, byte* str, word32 strLen,
  * @param [in, out] idx        Index int full name to place next component.
  * @param [in, out] nid        NID of component type.
  * @param [in]      isSubject  Whether this data is for a subject name.
- * @param [in]      dataASN    Decoded data of RDN.
+ * @param [in]      dataASN    Decoded data of RDN. Expected rdnASN type.
  * @return  0 on success.
  * @return  MEMORY_E when dynamic memory allocation fails.
  * @return  ASN_PARSE_E when type not supported.
@@ -10805,7 +11003,7 @@ static int GetRDN(DecodedCert* cert, char* full, word32* idx, int* nid,
     (void)nid;
 
     /* Get name type OID from data items. */
-    GetASN_OIDData(&dataASN[2], &oid, &oidSz);
+    GetASN_OIDData(&dataASN[RDNASN_IDX_ATTR_TYPE], &oid, &oidSz);
 
     /* v1 name types */
     if ((oidSz == 3) && (oid[0] == 0x55) && (oid[1] == 0x04)) {
@@ -10881,10 +11079,10 @@ static int GetRDN(DecodedCert* cert, char* full, word32* idx, int* nid,
         /* OID type to store for subject name and add to full string. */
         byte*  str;
         word32 strLen;
-        byte   tag = dataASN[3].tag;
+        byte   tag = dataASN[RDNASN_IDX_ATTR_VAL].tag;
 
         /* Get the string reference and length. */
-        GetASN_GetRef(&dataASN[3], &str, &strLen);
+        GetASN_GetRef(&dataASN[RDNASN_IDX_ATTR_VAL], &str, &strLen);
 
         if (isSubject) {
             /* Store subject field components. */
@@ -11491,7 +11689,7 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType,
         ret = ASN_PARSE_E;
     }
 
-    ALLOC_ASNGETDATA(dataASN, rdnASN_Length, ret, cert->heap);
+    CALLOC_ASNGETDATA(dataASN, rdnASN_Length, ret, cert->heap);
 
 #ifdef WOLFSSL_X509_NAME_AVAILABLE
     if (ret == 0) {
@@ -11528,10 +11726,9 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType,
             int nid = 0;
 
             /* Initialize for data and setup RDN choice. */
-            XMEMSET(dataASN, 0, sizeof(*dataASN) * rdnASN_Length);
-            GetASN_Choice(&dataASN[3], rdnChoice);
+            GetASN_Choice(&dataASN[RDNASN_IDX_ATTR_VAL], rdnChoice);
             /* Ignore type OID as too many to store in table. */
-            GetASN_OID(&dataASN[2], oidIgnoreType);
+            GetASN_OID(&dataASN[RDNASN_IDX_ATTR_TYPE], oidIgnoreType);
             /* Parse RDN. */
             ret = GetASN_Items(rdnASN, dataASN, rdnASN_Length, 1, input,
                                &srcIdx, maxIdx);
@@ -11547,10 +11744,10 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType,
                 int enc;
                 byte*  str;
                 word32 strLen;
-                byte   tag = dataASN[3].tag;
+                byte   tag = dataASN[RDNASN_IDX_ATTR_VAL].tag;
 
                 /* Get string reference. */
-                GetASN_GetRef(&dataASN[3], &str, &strLen);
+                GetASN_GetRef(&dataASN[RDNASN_IDX_ATTR_VAL], &str, &strLen);
 
                 /* Convert BER tag to a OpenSSL type. */
                 switch (tag) {
@@ -11614,8 +11811,12 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType,
 #ifdef WOLFSSL_ASN_TEMPLATE
 /* ASN.1 template for certificate name. */
 static const ASNItem certNameASN[] = {
-/*  0 */    { 0, ASN_OBJECT_ID, 0, 0, 1 },
-/*  1 */    { 0, ASN_SEQUENCE, 1, 0, 0 },
+/* OID  */ { 0, ASN_OBJECT_ID, 0, 0, 1 },
+/* NAME */ { 0, ASN_SEQUENCE, 1, 0, 0 },
+};
+enum {
+    CERTNAMEASN_IDX_OID = 0,
+    CERTNAMEASN_IDX_NAME,
 };
 
 /* Number of items in ASN.1 template for certificate name. */
@@ -11689,20 +11890,20 @@ int GetName(DecodedCert* cert, int nameType, int maxIdx)
 #else
     ASNGetData dataASN[certNameASN_Length];
     word32 idx = cert->srcIdx;
-    int    ret;
+    int    ret = 0;
     char*  full;
     byte*  hash;
 
     WOLFSSL_MSG("Getting Cert Name");
 
-    /* Initialize for data and don't check optional prefix OID. */
     XMEMSET(dataASN, 0, sizeof(dataASN));
-    GetASN_OID(&dataASN[0], oidIgnoreType);
+    /* Initialize for data and don't check optional prefix OID. */
+    GetASN_OID(&dataASN[CERTNAMEASN_IDX_OID], oidIgnoreType);
     ret = GetASN_Items(certNameASN, dataASN, certNameASN_Length, 0,
                        cert->source, &idx, maxIdx);
     if (ret == 0) {
         /* Store offset of SEQUENCE that is start of name. */
-        cert->srcIdx = dataASN[1].offset;
+        cert->srcIdx = dataASN[CERTNAMEASN_IDX_NAME].offset;
 
         /* Get fields to fill in based on name type. */
         if (nameType == ISSUER) {
@@ -12109,8 +12310,12 @@ int wc_GetTime(void* timePtr, word32 timeSize)
 /* TODO: use a CHOICE instead of two items? */
 /* ASN.1 template for a date - either UTC or Generalized Time. */
 static const ASNItem dateASN[] = {
-/*  0 */    { 0, ASN_UTC_TIME, 0, 0, 2 },
-/*  1 */    { 0, ASN_GENERALIZED_TIME, 0, 0, 2 },
+/* UTC */ { 0, ASN_UTC_TIME, 0, 0, 2 },
+/* GT  */ { 0, ASN_GENERALIZED_TIME, 0, 0, 2 },
+};
+enum {
+    DATEASN_IDX_UTC = 0,
+    DATEASN_IDX_GT,
 };
 
 /* Number of items in ASN.1 template for a date. */
@@ -12185,7 +12390,8 @@ static int GetDateInfo(const byte* source, word32* idx, const byte** pDate,
     }
     if (ret == 0) {
         /* Determine which tag was seen. */
-        i = (dataASN[0].tag != 0) ? 0 : 1;
+        i = (dataASN[DATEASN_IDX_UTC].tag != 0) ? DATEASN_IDX_UTC
+                                                : DATEASN_IDX_GT;
         /* Return data from seen item. */
         if (pFormat != NULL) {
             *pFormat = dataASN[i].tag;
@@ -12710,7 +12916,7 @@ static WC_INLINE int IsSigAlgoECC(int algoOID)
         #ifdef HAVE_CURVE448
               || (algoOID == X448k)
         #endif
-        #ifdef HAVE_LIBOQS
+        #ifdef HAVE_PQC
               || (algoOID == FALCON_LEVEL1k)
               || (algoOID == FALCON_LEVEL5k)
         #endif
@@ -12780,13 +12986,13 @@ word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz)
     CALLOC_ASNSETDATA(dataASN, algoIdASN_Length, ret, NULL);
 
     /* Set the OID and OID type to encode. */
-    SetASN_OID(&dataASN[1], algoOID, type);
+    SetASN_OID(&dataASN[ALGOIDASN_IDX_OID], algoOID, type);
     /* Hashes, signatures not ECC and keys not RSA put put NULL tag. */
     if (!(type == oidHashType ||
              (type == oidSigType && !IsSigAlgoECC(algoOID)) ||
              (type == oidKeyType && algoOID == RSAk))) {
         /* Don't put out NULL DER item. */
-        dataASN[2].noOut = 1;
+        dataASN[ALGOIDASN_IDX_NULL].noOut = 1;
     }
     if (algoOID == DSAk) {
         /* Don't include SEQUENCE for DSA keys. */
@@ -12794,10 +13000,10 @@ word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz)
     }
     else if (curveSz > 0) {
         /* Don't put out NULL DER item. */
-        dataASN[2].noOut = 0;
+        dataASN[ALGOIDASN_IDX_NULL].noOut = 0;
         /* Include space for extra data of length curveSz.
          * Subtract 1 for sequence and 1 for length encoding. */
-        SetASN_Buffer(&dataASN[2], NULL, curveSz - 2);
+        SetASN_Buffer(&dataASN[ALGOIDASN_IDX_NULL], NULL, curveSz - 2);
     }
 
     /* Calculate size of encoding. */
@@ -12807,7 +13013,7 @@ word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz)
         SetASN_Items(algoIdASN + o, dataASN + o, algoIdASN_Length - o, output);
         if (curveSz > 0) {
             /* Return size excluding curve data. */
-            sz = dataASN[o].offset - dataASN[2].offset;
+            sz = dataASN[o].offset - dataASN[ALGOIDASN_IDX_NULL].offset;
         }
     }
 
@@ -12831,13 +13037,20 @@ word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz)
  * PKCS#1 v2.2: RFC 8017, A.2.4 - DigestInfo
  */
 static const ASNItem digestInfoASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* digestAlgorithm */
-/*  1 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
-/*  2 */            { 2, ASN_OBJECT_ID, 0, 0, 0 },
-/*  3 */            { 2, ASN_TAG_NULL, 0, 0, 0 },
-                /* digest */
-/*  4 */        { 1, ASN_OCTET_STRING, 0, 0, 0 }
+/* SEQ          */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                         /* digestAlgorithm */
+/* DIGALGO_SEQ  */     { 1, ASN_SEQUENCE, 1, 1, 0 },
+/* DIGALGO_OID  */         { 2, ASN_OBJECT_ID, 0, 0, 0 },
+/* DIGALGO_NULL */         { 2, ASN_TAG_NULL, 0, 0, 0 },
+                                         /* digest */
+/* DIGEST       */     { 1, ASN_OCTET_STRING, 0, 0, 0 }
+};
+enum {
+    DIGESTINFOASN_IDX_SEQ = 0,
+    DIGESTINFOASN_IDX_DIGALGO_SEQ,
+    DIGESTINFOASN_IDX_DIGALGO_OID,
+    DIGESTINFOASN_IDX_DIGALGO_NULL,
+    DIGESTINFOASN_IDX_DIGEST,
 };
 
 /* Number of items in ASN.1 template for DigestInfo for RSA. */
@@ -12879,9 +13092,9 @@ word32 wc_EncodeSignature(byte* out, const byte* digest, word32 digSz,
 
     if (ret == 0) {
         /* Set hash OID and type. */
-        SetASN_OID(&dataASN[2], hashOID, oidHashType);
+        SetASN_OID(&dataASN[DIGESTINFOASN_IDX_DIGALGO_OID], hashOID, oidHashType);
         /* Set digest. */
-        SetASN_Buffer(&dataASN[4], digest, digSz);
+        SetASN_Buffer(&dataASN[DIGESTINFOASN_IDX_DIGEST], digest, digSz);
 
         /* Calculate size of encoding. */
         ret = SizeASN_Items(digestInfoASN, dataASN, digestInfoASN_Length, &sz);
@@ -12992,7 +13205,7 @@ void FreeSignatureCtx(SignatureCtx* sigCtx)
                 sigCtx->key.ed448 = NULL;
                 break;
         #endif /* HAVE_ED448 */
-        #ifdef HAVE_LIBOQS
+        #ifdef HAVE_PQC
             case FALCON_LEVEL1k:
             case FALCON_LEVEL5k:
                 wc_falcon_free(sigCtx->key.falcon);
@@ -13000,7 +13213,7 @@ void FreeSignatureCtx(SignatureCtx* sigCtx)
                       DYNAMIC_TYPE_FALCON);
                 sigCtx->key.falcon = NULL;
                 break;
-        #endif /* HAVE_LIBOQS */
+        #endif /* HAVE_PQC */
             default:
                 break;
         } /* switch (keyOID) */
@@ -13138,7 +13351,7 @@ static int HashForSignature(const byte* buf, word32 bufSz, word32 sigOID,
              */
             break;
     #endif
-    #ifdef HAVE_LIBOQS
+    #ifdef HAVE_PQC
         case CTC_FALCON_LEVEL1:
         case CTC_FALCON_LEVEL5:
             /* Hashes done in signing operation. */
@@ -13444,7 +13657,7 @@ static int ConfirmSignature(SignatureCtx* sigCtx,
                     break;
                 }
             #endif
-            #if defined(HAVE_LIBOQS)
+            #if defined(HAVE_PQC)
                 case FALCON_LEVEL1k:
                 {
                     sigCtx->verify = 0;
@@ -13614,7 +13827,7 @@ static int ConfirmSignature(SignatureCtx* sigCtx,
                     break;
                 }
             #endif
-            #if defined(HAVE_LIBOQS)
+            #if defined(HAVE_PQC)
                 case FALCON_LEVEL1k:
                 case FALCON_LEVEL5k:
                 {
@@ -13737,7 +13950,7 @@ static int ConfirmSignature(SignatureCtx* sigCtx,
                     break;
                 }
             #endif /* HAVE_ED448 */
-            #ifdef HAVE_LIBOQS
+            #ifdef HAVE_PQC
                 case FALCON_LEVEL1k:
                 {
                     if (sigCtx->verify == 1) {
@@ -13760,7 +13973,7 @@ static int ConfirmSignature(SignatureCtx* sigCtx,
                     }
                     break;
                 }
-            #endif /* HAVE_LIBOQS */
+            #endif /* HAVE_PQC */
                 default:
                     break;
             }  /* switch (keyOID) */
@@ -13998,14 +14211,22 @@ static void AddAltName(DecodedCert* cert, DNS_entry* dnsEntry)
 #ifdef WOLFSSL_SEP
 /* ASN.1 template for OtherName of an X.509 certificate.
  * X.509: RFC 5280, 4.2.1.6 - OtherName (without implicit outer SEQUENCE).
+ * HW Name: RFC 4108, 5 - Hardware Module Name
  * Only support HW Name where the type is a HW serial number.
  */
 static const ASNItem otherNameASN[] = {
-/*  0 */    { 0, ASN_OBJECT_ID, 0, 0, 0 },
-/*  1 */    { 0, ASN_CONTEXT_SPECIFIC | 0, 1, 0, 0 },
-/*  2 */        { 1, ASN_SEQUENCE, 1, 0, 0 },
-/*  3 */            { 2, ASN_OBJECT_ID, 0, 0, 0 },
-/*  4 */            { 2, ASN_OCTET_STRING, 0, 0, 0 }
+/* TYPEID   */ { 0, ASN_OBJECT_ID, 0, 0, 0 },
+/* VALUE    */ { 0, ASN_CONTEXT_SPECIFIC | ASN_OTHERNAME_VALUE, 1, 0, 0 },
+/* HWN_SEQ  */     { 1, ASN_SEQUENCE, 1, 0, 0 },
+/* HWN_TYPE */         { 2, ASN_OBJECT_ID, 0, 0, 0 },
+/* HWN_NUM  */         { 2, ASN_OCTET_STRING, 0, 0, 0 }
+};
+enum {
+    OTHERNAMEASN_IDX_TYPEID = 0,
+    OTHERNAMEASN_IDX_VALUE,
+    OTHERNAMEASN_IDX_HWN_SEQ,
+    OTHERNAMEASN_IDX_HWN_TYPE,
+    OTHERNAMEASN_IDX_HWN_NUM,
 };
 
 /* Number of items in ASN.1 template for OtherName of an X.509 certificate. */
@@ -14037,24 +14258,24 @@ static int DecodeOtherName(DecodedCert* cert, const byte* input,
 
     if (ret == 0) {
         /* Check the first OID is a recognized Alt Cert Name type. */
-        GetASN_OID(&dataASN[0], oidCertAltNameType);
+        GetASN_OID(&dataASN[OTHERNAMEASN_IDX_TYPEID], oidCertAltNameType);
         /* Only support HW serial number. */
-        GetASN_OID(&dataASN[3], oidIgnoreType);
+        GetASN_OID(&dataASN[OTHERNAMEASN_IDX_HWN_TYPE], oidIgnoreType);
         /* Parse OtherName. */
         ret = GetASN_Items(otherNameASN, dataASN, otherNameASN_Length, 1, input,
                            inOutIdx, maxIdx);
     }
     if (ret == 0) {
         /* Ensure expected OID. */
-        if (dataASN[0].data.oid.sum != HW_NAME_OID) {
-            WOLFSSL_MSG("\tincorrect OID");
+        if (dataASN[OTHERNAMEASN_IDX_TYPEID].data.oid.sum != HW_NAME_OID) {
+            WOLFSSL_MSG("\tunsupported OID");
             ret = ASN_PARSE_E;
         }
     }
 
     if (ret == 0) {
-        oidLen = dataASN[3].data.oid.length;
-        serialLen = dataASN[4].data.ref.length;
+        oidLen = dataASN[OTHERNAMEASN_IDX_HWN_TYPE].data.oid.length;
+        serialLen = dataASN[OTHERNAMEASN_IDX_HWN_NUM].data.ref.length;
 
         /* Allocate space for HW type OID. */
         cert->hwType = (byte*)XMALLOC(oidLen, cert->heap,
@@ -14064,7 +14285,8 @@ static int DecodeOtherName(DecodedCert* cert, const byte* input,
     }
     if (ret == 0) {
         /* Copy, into cert HW type OID */
-        XMEMCPY(cert->hwType, dataASN[3].data.oid.data, oidLen);
+        XMEMCPY(cert->hwType,
+                dataASN[OTHERNAMEASN_IDX_HWN_TYPE].data.oid.data, oidLen);
         cert->hwTypeSz = oidLen;
         /* TODO: check this is the HW serial number OID - no test data. */
 
@@ -14078,7 +14300,8 @@ static int DecodeOtherName(DecodedCert* cert, const byte* input,
     }
     if (ret == 0) {
         /* Copy into cert HW serial number. */
-        XMEMCPY(cert->hwSerialNum, dataASN[4].data.ref.data, serialLen);
+        XMEMCPY(cert->hwSerialNum,
+                dataASN[OTHERNAMEASN_IDX_HWN_NUM].data.ref.data, serialLen);
         cert->hwSerialNum[serialLen] = '\0';
         cert->hwSerialNumSz = serialLen;
     }
@@ -14235,6 +14458,9 @@ static const byte generalNameChoice[] = {
 static const ASNItem altNameASN[] = {
     { 0, ASN_CONTEXT_SPECIFIC | 0, 0, 1, 0 }
 };
+enum {
+    ALTNAMEASN_IDX_GN = 0,
+};
 
 /* Number of items in ASN.1 template for GeneralName. */
 #define altNameASN_Length (sizeof(altNameASN) / sizeof(ASNItem))
@@ -14657,13 +14883,13 @@ static int DecodeAltNames(const byte* input, int sz, DecodedCert* cert)
         /* Clear dynamic data items. */
         XMEMSET(dataASN, 0, sizeof(dataASN));
         /* Parse GeneralName with the choices supported. */
-        GetASN_Choice(&dataASN[0], generalNameChoice);
+        GetASN_Choice(&dataASN[ALTNAMEASN_IDX_GN], generalNameChoice);
         /* Decode a GeneralName choice. */
         ret = GetASN_Items(altNameASN, dataASN, altNameASN_Length, 0, input,
                            &idx, sz);
         if (ret == 0) {
-            ret = DecodeGeneralName(input, &idx, dataASN[0].tag,
-                dataASN[0].length, cert);
+            ret = DecodeGeneralName(input, &idx, dataASN[ALTNAMEASN_IDX_GN].tag,
+                dataASN[ALTNAMEASN_IDX_GN].length, cert);
         }
     }
 
@@ -14676,9 +14902,14 @@ static int DecodeAltNames(const byte* input, int sz, DecodedCert* cert)
  * X.509: RFC 5280, 4.2.1.9 - BasicConstraints.
  */
 static const ASNItem basicConsASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/*  1 */        { 1, ASN_BOOLEAN, 0, 0, 1 },
-/*  2 */        { 1, ASN_INTEGER, 0, 0, 1 }
+/* SEQ  */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+/* CA   */     { 1, ASN_BOOLEAN, 0, 0, 1 },
+/* PLEN */     { 1, ASN_INTEGER, 0, 0, 1 }
+};
+enum {
+    BASICCONSASN_IDX_SEQ = 0,
+    BASICCONSASN_IDX_CA,
+    BASICCONSASN_IDX_PLEN,
 };
 
 /* Number of items in ASN.1 template for BasicContraints. */
@@ -14760,18 +14991,18 @@ static int DecodeBasicCaConstraint(const byte* input, int sz, DecodedCert* cert)
 
     if (ret == 0) {
         /* Get the CA boolean and path length when present. */
-        GetASN_Boolean(&dataASN[1], &isCA);
-        GetASN_Int8Bit(&dataASN[2], &cert->pathLength);
+        GetASN_Boolean(&dataASN[BASICCONSASN_IDX_CA], &isCA);
+        GetASN_Int8Bit(&dataASN[BASICCONSASN_IDX_PLEN], &cert->pathLength);
 
         ret = GetASN_Items(basicConsASN, dataASN, basicConsASN_Length, 1, input,
                            &idx, sz);
     }
 
     /* Empty SEQUENCE is OK - nothing to store. */
-    if ((ret == 0) && (dataASN[0].length != 0)) {
+    if ((ret == 0) && (dataASN[BASICCONSASN_IDX_SEQ].length != 0)) {
         /* Bad encoding when CA Boolean is false
          * (default when not present). */
-        if ((dataASN[1].length != 0) && (!isCA)) {
+        if ((dataASN[BASICCONSASN_IDX_CA].length != 0) && (!isCA)) {
             ret = ASN_PARSE_E;
         }
         /* Path length must be a 7-bit value. */
@@ -14782,7 +15013,7 @@ static int DecodeBasicCaConstraint(const byte* input, int sz, DecodedCert* cert)
         if (ret == 0) {
             /* isCA in certificate is a 1 bit of a byte. */
             cert->isCA = isCA;
-            cert->pathLengthSet = (dataASN[2].length > 0);
+            cert->pathLengthSet = (dataASN[BASICCONSASN_IDX_PLEN].length > 0);
         }
     }
 
@@ -14862,19 +15093,29 @@ static int DecodePolicyConstraints(const byte* input, int sz, DecodedCert* cert)
  * X.509: RFC 5280, 4.2.1.13 - CRL Distribution Points.
  */
 static const ASNItem crlDistASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/*  1 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
-                    /* Distribution point name */
-/*  2 */            { 2, DISTRIBUTION_POINT, 1, 1, 1 },
-                        /* fullName */
-/*  3 */                { 3, CRLDP_FULL_NAME, 1, 1, 2 },
-/*  4 */                    { 4, GENERALNAME_URI, 0, 0, 0 },
-                        /* nameRelativeToCRLIssuer */
-/*  5 */                { 3, ASN_CONTEXT_SPECIFIC | 1, 1, 0, 2 },
-                    /* reasons: IMPLICIT BIT STRING */
-/*  6 */            { 2, ASN_CONTEXT_SPECIFIC | 1, 1, 0, 1 },
-                    /* cRLIssuer */
-/*  7 */            { 2, ASN_CONTEXT_SPECIFIC | 2, 1, 0, 1 },
+/* SEQ                */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+/* DP_SEQ             */     { 1, ASN_SEQUENCE, 1, 1, 0 },
+                                                /* Distribution point name */
+/* DP_DISTPOINT       */         { 2, DISTRIBUTION_POINT, 1, 1, 1 },
+                                                    /* fullName */
+/* DP_DISTPOINT_FN    */             { 3, CRLDP_FULL_NAME, 1, 1, 2 },
+/* DP_DISTPOINT_FN_GN */                 { 4, GENERALNAME_URI, 0, 0, 0 },
+                                                    /* nameRelativeToCRLIssuer */
+/* DP_DISTPOINT_RN    */             { 3, ASN_CONTEXT_SPECIFIC | 1, 1, 0, 2 },
+                                                /* reasons: IMPLICIT BIT STRING */
+/* DP_REASONS         */         { 2, ASN_CONTEXT_SPECIFIC | 1, 1, 0, 1 },
+                                                /* cRLIssuer */
+/* DP_CRLISSUER       */         { 2, ASN_CONTEXT_SPECIFIC | 2, 1, 0, 1 },
+};
+enum {
+    CRLDISTASN_IDX_SEQ = 0,
+    CRLDISTASN_IDX_DP_SEQ,
+    CRLDISTASN_IDX_DP_DISTPOINT,
+    CRLDISTASN_IDX_DP_DISTPOINT_FN,
+    CRLDISTASN_IDX_DP_DISTPOINT_FN_GN,
+    CRLDISTASN_IDX_DP_DISTPOINT_RN, /* Relative name */
+    CRLDISTASN_IDX_DP_REASONS,
+    CRLDISTASN_IDX_DP_CRLISSUER,
 };
 
 /* Number of items in ASN.1 template for CRL distribution points. */
@@ -15006,24 +15247,26 @@ static int DecodeCrlDist(const byte* input, int sz, DecodedCert* cert)
 
     if  (ret == 0) {
         /* Get the GeneralName choice */
-        GetASN_Choice(&dataASN[4], generalNameChoice);
-        /* Parse CRL distribution point. */
+        GetASN_Choice(&dataASN[CRLDISTASN_IDX_DP_DISTPOINT_FN_GN], generalNameChoice);
+        /* Parse CRL distribtion point. */
         ret = GetASN_Items(crlDistASN, dataASN, crlDistASN_Length, 0, input,
                            &idx, sz);
     }
     if (ret == 0) {
         /* If the choice was a URI, store it in certificate. */
-        if (dataASN[4].tag == GENERALNAME_URI) {
+        if (dataASN[CRLDISTASN_IDX_DP_DISTPOINT_FN_GN].tag == GENERALNAME_URI) {
             word32 sz32;
-            GetASN_GetConstRef(&dataASN[4], &cert->extCrlInfo, &sz32);
+            GetASN_GetConstRef(&dataASN[CRLDISTASN_IDX_DP_DISTPOINT_FN_GN],
+                    &cert->extCrlInfo, &sz32);
             cert->extCrlInfoSz = sz32;
         }
 
     #ifdef CRLDP_VALIDATE_DATA
-        if (dataASN[6].data.ref.data != NULL) {
+        if (dataASN[CRLDISTASN_IDX_DP_REASONS].data.ref.data != NULL) {
              /* TODO: test case */
              /* Validate ReasonFlags. */
-             ret = GetASN_BitString_Int16Bit(&dataASN[6], &reason);
+             ret = GetASN_BitString_Int16Bit(&dataASN[CRLDISTASN_IDX_DP_REASONS],
+                     &reason);
              /* First bit (LSB) unused and eight other bits defined. */
              if ((ret == 0) && ((reason >> 9) || (reason & 0x01))) {
                 ret = ASN_PARSE_E;
@@ -15049,11 +15292,16 @@ static int DecodeCrlDist(const byte* input, int sz, DecodedCert* cert)
  * X.509: RFC 5280, 4.2.2.1 - Authority Information Access.
  */
 static const ASNItem accessDescASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* accessMethod */
-/*  1 */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
-                /* accessLocation: GeneralName */
-/*  2 */        { 1, ASN_CONTEXT_SPECIFIC | 0, 0, 0, 0 },
+/* SEQ  */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                 /* accessMethod */
+/* METH */     { 1, ASN_OBJECT_ID, 0, 0, 0 },
+                                 /* accessLocation: GeneralName */
+/* LOC  */     { 1, ASN_CONTEXT_SPECIFIC | 0, 0, 0, 0 },
+};
+enum {
+    ACCESSDESCASN_IDX_SEQ = 0,
+    ACCESSDESCASN_IDX_METH,
+    ACCESSDESCASN_IDX_LOC,
 };
 
 /* Number of items in ASN.1 template for the access description. */
@@ -15150,17 +15398,18 @@ static int DecodeAuthInfo(const byte* input, int sz, DecodedCert* cert)
 
         /* Clear dynamic data and retrieve OID and name. */
         XMEMSET(dataASN, 0, sizeof(dataASN));
-        GetASN_OID(&dataASN[1], oidCertAuthInfoType);
-        GetASN_Choice(&dataASN[2], generalNameChoice);
+        GetASN_OID(&dataASN[ACCESSDESCASN_IDX_METH], oidCertAuthInfoType);
+        GetASN_Choice(&dataASN[ACCESSDESCASN_IDX_LOC], generalNameChoice);
         /* Parse AccessDescription. */
         ret = GetASN_Items(accessDescASN, dataASN, accessDescASN_Length, 0,
                            input, &idx, sz);
         if (ret == 0) {
             /* Check we have OCSP and URI. */
-            if ((dataASN[1].data.oid.sum == AIA_OCSP_OID) &&
-                    (dataASN[2].tag == GENERALNAME_URI)) {
+            if ((dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum == AIA_OCSP_OID) &&
+                    (dataASN[ACCESSDESCASN_IDX_LOC].tag == GENERALNAME_URI)) {
                 /* Store URI for OCSP lookup. */
-                GetASN_GetConstRef(&dataASN[2], &cert->extAuthInfo, &sz32);
+                GetASN_GetConstRef(&dataASN[ACCESSDESCASN_IDX_LOC],
+                        &cert->extAuthInfo, &sz32);
                 cert->extAuthInfoSz = sz32;
                 count++;
             #if !defined(OPENSSL_ALL) || !defined(WOLFSSL_QT)
@@ -15169,11 +15418,12 @@ static int DecodeAuthInfo(const byte* input, int sz, DecodedCert* cert)
             }
             #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
             /* Check we have CA Issuer and URI. */
-            else if ((dataASN[1].data.oid.sum == AIA_CA_ISSUER_OID) &&
-                    (dataASN[2].tag == GENERALNAME_URI)) {
+            else if ((dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum ==
+                        AIA_CA_ISSUER_OID) &&
+                    (dataASN[ACCESSDESCASN_IDX_LOC].tag == GENERALNAME_URI)) {
                 /* Set CaIssuers entry */
-                GetASN_GetConstRef(&dataASN[2], &cert->extAuthInfoCaIssuer,
-                                   &sz32);
+                GetASN_GetConstRef(&dataASN[ACCESSDESCASN_IDX_LOC],
+                        &cert->extAuthInfoCaIssuer, &sz32);
                 cert->extAuthInfoCaIssuerSz = sz32;
                 count++;
             }
@@ -15192,13 +15442,19 @@ static int DecodeAuthInfo(const byte* input, int sz, DecodedCert* cert)
  * X.509: RFC 5280, 4.2.1.1 - Authority Key Identifier.
  */
 static const ASNItem authKeyIdASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* keyIdentifier */
-/*  1 */        { 1, ASN_CONTEXT_SPECIFIC | 0, 0, 0, 1 },
-                /* authorityCertIssuer */
-/*  2 */        { 1, ASN_CONTEXT_SPECIFIC | 1, 1, 0, 1 },
-                /* authorityCertSerialNumber */
-/*  3 */        { 1, ASN_CONTEXT_SPECIFIC | 2, 0, 0, 1 },
+/* SEQ    */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                     /* keyIdentifier */
+/* KEYID  */        { 1, ASN_CONTEXT_SPECIFIC | ASN_AUTHKEYID_KEYID, 0, 0, 1 },
+                                     /* authorityCertIssuer */
+/* ISSUER */        { 1, ASN_CONTEXT_SPECIFIC | ASN_AUTHKEYID_ISSUER, 1, 0, 1 },
+                                     /* authorityCertSerialNumber */
+/* SERIAL */        { 1, ASN_CONTEXT_SPECIFIC | ASN_AUTHKEYID_SERIAL, 0, 0, 1 },
+};
+enum {
+    AUTHKEYIDASN_IDX_SEQ = 0,
+    AUTHKEYIDASN_IDX_KEYID,
+    AUTHKEYIDASN_IDX_ISSUER,
+    AUTHKEYIDASN_IDX_SERIAL,
 };
 
 /* Number of items in ASN.1 template for AuthorityKeyIdentifier. */
@@ -15273,7 +15529,7 @@ static int DecodeAuthKeyId(const byte* input, int sz, DecodedCert* cert)
     }
     if (ret == 0) {
         /* Key id is optional. */
-        if (dataASN[1].data.ref.data == NULL) {
+        if (dataASN[AUTHKEYIDASN_IDX_KEYID].data.ref.data == NULL) {
             WOLFSSL_MSG("\tinfo: OPTIONAL item 0, not available");
         }
         else {
@@ -15283,13 +15539,14 @@ static int DecodeAuthKeyId(const byte* input, int sz, DecodedCert* cert)
             cert->extRawAuthKeyIdSrc = input;
             cert->extRawAuthKeyIdSz = sz;
 #endif
-            GetASN_GetConstRef(&dataASN[1], &cert->extAuthKeyIdSrc,
+            GetASN_GetConstRef(&dataASN[AUTHKEYIDASN_IDX_KEYID], &cert->extAuthKeyIdSrc,
                                &cert->extAuthKeyIdSz);
 #endif /* OPENSSL_EXTRA */
 
             /* Get the hash or hash of the hash if wrong size. */
-            ret = GetHashId(dataASN[1].data.ref.data,
-                        dataASN[1].data.ref.length, cert->extAuthKeyId);
+            ret = GetHashId(dataASN[AUTHKEYIDASN_IDX_KEYID].data.ref.data,
+                        dataASN[AUTHKEYIDASN_IDX_KEYID].data.ref.length,
+                        cert->extAuthKeyId);
         }
     }
 
@@ -15342,7 +15599,10 @@ static int DecodeSubjKeyId(const byte* input, int sz, DecodedCert* cert)
  * X.509: RFC 5280, 4.2.1.3 - Key Usage.
  */
 static const ASNItem keyUsageASN[] = {
-/*  0 */    { 0, ASN_BIT_STRING, 0, 0, 0 },
+/* STR */ { 0, ASN_BIT_STRING, 0, 0, 0 },
+};
+enum {
+    KEYUSAGEASN_IDX_STR = 0,
 };
 
 /* Number of items in ASN.1 template for KeyUsage. */
@@ -15389,7 +15649,7 @@ static int DecodeKeyUsage(const byte* input, int sz, DecodedCert* cert)
 
     /* Clear dynamic data and set where to store extended key usage. */
     XMEMSET(dataASN, 0, sizeof(dataASN));
-    GetASN_Int16Bit(&dataASN[0], &cert->extKeyUsage);
+    GetASN_Int16Bit(&dataASN[KEYUSAGEASN_IDX_STR], &cert->extKeyUsage);
     /* Parse key usage. */
     return GetASN_Items(keyUsageASN, dataASN, keyUsageASN_Length, 0, input,
                         &idx, sz);
@@ -15401,7 +15661,10 @@ static int DecodeKeyUsage(const byte* input, int sz, DecodedCert* cert)
  * X.509: RFC 5280, 4.2.1.12 - Extended Key Usage.
  */
 static const ASNItem keyPurposeIdASN[] = {
-/*  0 */    { 0, ASN_OBJECT_ID, 0, 0, 0 },
+/* OID */ { 0, ASN_OBJECT_ID, 0, 0, 0 },
+};
+enum {
+    KEYPURPOSEIDASN_IDX_OID = 0,
 };
 
 /* Number of items in ASN.1 template for KeyPurposeId. */
@@ -15505,7 +15768,7 @@ static int DecodeExtKeyUsage(const byte* input, int sz, DecodedCert* cert)
 
         /* Clear dynamic data items and set OID type expected. */
         XMEMSET(dataASN, 0, sizeof(dataASN));
-        GetASN_OID(&dataASN[0], oidCertKeyUseType);
+        GetASN_OID(&dataASN[KEYPURPOSEIDASN_IDX_OID], oidCertKeyUseType);
         /* Decode KeyPurposeId. */
         ret = GetASN_Items(keyPurposeIdASN, dataASN, keyPurposeIdASN_Length, 0,
                            input, &idx, sz);
@@ -15515,7 +15778,7 @@ static int DecodeExtKeyUsage(const byte* input, int sz, DecodedCert* cert)
         }
         else if (ret == 0) {
             /* Store the bit for the OID. */
-            switch (dataASN[0].data.oid.sum) {
+            switch (dataASN[KEYPURPOSEIDASN_IDX_OID].data.oid.sum) {
                 case EKU_ANY_OID:
                     cert->extExtKeyUsage |= EXTKEYUSE_ANY;
                     break;
@@ -15577,13 +15840,19 @@ static int DecodeNsCertType(const byte* input, int sz, DecodedCert* cert)
  * X.509: RFC 5280, 4.2.1.10 - Name Constraints.
  */
 static const ASNItem subTreeASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* base     GeneralName */
-/*  1 */        { 1, ASN_CONTEXT_SPECIFIC | 0, 0, 0, 0 },
-                /* minimum  BaseDistance DEFAULT 0*/
-/*  2 */        { 1, ASN_CONTEXT_SPECIFIC | 0, 0, 0, 1 },
-                /* maximum  BaseDistance OPTIONAL  */
-/*  3 */        { 1, ASN_CONTEXT_SPECIFIC | 1, 0, 0, 1 },
+/* SEQ  */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+                              /* base     GeneralName */
+/* BASE */     { 1, ASN_CONTEXT_SPECIFIC | 0, 0, 0, 0 },
+                              /* minimum  BaseDistance DEFAULT 0*/
+/* MIN  */     { 1, ASN_CONTEXT_SPECIFIC | ASN_SUBTREE_MIN, 0, 0, 1 },
+                              /* maximum  BaseDistance OPTIONAL  */
+/* MAX  */     { 1, ASN_CONTEXT_SPECIFIC | ASN_SUBTREE_MAX, 0, 0, 1 },
+};
+enum {
+    SUBTREEASN_IDX_SEQ = 0,
+    SUBTREEASN_IDX_BASE,
+    SUBTREEASN_IDX_MIN,
+    SUBTREEASN_IDX_MAX,
 };
 
 /* Number of items in ASN.1 template for GeneralSubtree. */
@@ -15755,14 +16024,14 @@ static int DecodeSubtree(const byte* input, int sz, Base_entry** head,
          * store minimum and maximum.
          */
         XMEMSET(dataASN, 0, sizeof(*dataASN) * subTreeASN_Length);
-        GetASN_Choice(&dataASN[1], generalNameChoice);
-        GetASN_Int8Bit(&dataASN[2], &minVal);
-        GetASN_Int8Bit(&dataASN[3], &maxVal);
+        GetASN_Choice(&dataASN[SUBTREEASN_IDX_BASE], generalNameChoice);
+        GetASN_Int8Bit(&dataASN[SUBTREEASN_IDX_MIN], &minVal);
+        GetASN_Int8Bit(&dataASN[SUBTREEASN_IDX_MAX], &maxVal);
         /* Parse GeneralSubtree. */
         ret = GetASN_Items(subTreeASN, dataASN, subTreeASN_Length, 0, input,
                            &idx, sz);
         if (ret == 0) {
-            byte t = dataASN[1].tag;
+            byte t = dataASN[SUBTREEASN_IDX_BASE].tag;
 
             /* Check GeneralName tag is one of the types we can handle. */
             if (t == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE) ||
@@ -15770,8 +16039,8 @@ static int DecodeSubtree(const byte* input, int sz, Base_entry** head,
                 t == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_DIR_TYPE)) {
                 /* Parse the general name and store a new entry. */
                 ret = DecodeSubtreeGeneralName(input +
-                    GetASNItem_DataIdx(dataASN[1], input),
-                    dataASN[1].length, t, head, heap);
+                    GetASNItem_DataIdx(dataASN[SUBTREEASN_IDX_BASE], input),
+                    dataASN[SUBTREEASN_IDX_BASE].length, t, head, heap);
             }
             /* Skip entry. */
         }
@@ -15787,11 +16056,16 @@ static int DecodeSubtree(const byte* input, int sz, Base_entry** head,
  * X.509: RFC 5280, 4.2.1.10 - Name Contraints.
  */
 static const ASNItem nameConstraintsASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* permittedSubtrees */
-/*  1 */        { 1, ASN_CONTEXT_SPECIFIC | 0, 1, 0, 1 },
-                /* excludededSubtrees */
-/*  2 */        { 1, ASN_CONTEXT_SPECIFIC | 1, 1, 0, 1 },
+/* SEQ     */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                         /* permittedSubtrees */
+/* PERMIT  */     { 1, ASN_CONTEXT_SPECIFIC | 0, 1, 0, 1 },
+                                         /* excludededSubtrees */
+/* EXCLUDE */     { 1, ASN_CONTEXT_SPECIFIC | 1, 1, 0, 1 },
+};
+enum {
+    NAMECONSTRAINTSASN_IDX_SEQ = 0,
+    NAMECONSTRAINTSASN_IDX_PERMIT,
+    NAMECONSTRAINTSASN_IDX_EXCLUDE,
 };
 
 /* Number of items in ASN.1 template for NameConstraints. */
@@ -15851,27 +16125,33 @@ static int DecodeNameConstraints(const byte* input, int sz, DecodedCert* cert)
 
     return 0;
 #else
-    ASNGetData dataASN[nameConstraintsASN_Length];
+    DECL_ASNGETDATA(dataASN, nameConstraintsASN_Length);
     word32 idx = 0;
     int    ret = 0;
 
-    /* Clear dynamic data. */
-    XMEMSET(dataASN, 0, sizeof(dataASN));
-    /* Parse NameConstraints. */
-    ret = GetASN_Items(nameConstraintsASN, dataASN, nameConstraintsASN_Length,
-                       1, input, &idx, sz);
+    CALLOC_ASNGETDATA(dataASN, nameConstraintsASN_Length, ret, cert->heap);
+
+    if (ret == 0) {
+        /* Parse NameConstraints. */
+        ret = GetASN_Items(nameConstraintsASN, dataASN, nameConstraintsASN_Length,
+                           1, input, &idx, sz);
+    }
     if (ret == 0) {
         /* If there was a permittedSubtrees then parse it. */
-        if (dataASN[1].data.ref.data != NULL) {
-            ret = DecodeSubtree(dataASN[1].data.ref.data,
-                dataASN[1].data.ref.length, &cert->permittedNames, cert->heap);
+        if (dataASN[NAMECONSTRAINTSASN_IDX_PERMIT].data.ref.data != NULL) {
+            ret = DecodeSubtree(
+                    dataASN[NAMECONSTRAINTSASN_IDX_PERMIT].data.ref.data,
+                    dataASN[NAMECONSTRAINTSASN_IDX_PERMIT].data.ref.length,
+                    &cert->permittedNames, cert->heap);
         }
     }
     if (ret == 0) {
         /* If there was a excludedSubtrees then parse it. */
-        if (dataASN[2].data.ref.data != NULL) {
-            ret = DecodeSubtree(dataASN[2].data.ref.data,
-                dataASN[2].data.ref.length, &cert->excludedNames, cert->heap);
+        if (dataASN[NAMECONSTRAINTSASN_IDX_EXCLUDE].data.ref.data != NULL) {
+            ret = DecodeSubtree(
+                    dataASN[NAMECONSTRAINTSASN_IDX_EXCLUDE].data.ref.data,
+                    dataASN[NAMECONSTRAINTSASN_IDX_EXCLUDE].data.ref.length,
+                    &cert->excludedNames, cert->heap);
         }
     }
 
@@ -15941,11 +16221,16 @@ exit:
      * X.509: RFC 5280, 4.2.1.4 - Certificate Policies.
      */
     static const ASNItem policyInfoASN[] = {
-    /*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                    /* policyIdentifier */
-    /*  1 */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
-                    /* policyQualifiers */
-    /*  2 */        { 1, ASN_SEQUENCE, 1, 0, 1 },
+    /* SEQ   */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                      /* policyIdentifier */
+    /* ID    */     { 1, ASN_OBJECT_ID, 0, 0, 0 },
+                                      /* policyQualifiers */
+    /* QUALI */     { 1, ASN_SEQUENCE, 1, 0, 1 },
+    };
+    enum {
+        POLICYINFOASN_IDX_SEQ = 0,
+        POLICYINFOASN_IDX_ID,
+        POLICYINFOASN_IDX_QUALI,
     };
 
     /* Number of items in ASN.1 template for PolicyInformation. */
@@ -16101,12 +16386,12 @@ exit:
 
             /* Clear dynamic data and check OID is a cert policy type. */
             XMEMSET(dataASN, 0, sizeof(dataASN));
-            GetASN_OID(&dataASN[1], oidCertPolicyType);
+            GetASN_OID(&dataASN[POLICYINFOASN_IDX_ID], oidCertPolicyType);
             ret = GetASN_Items(policyInfoASN, dataASN, policyInfoASN_Length, 1,
                                input, &idx, sz);
             if (ret == 0) {
                 /* Get the OID. */
-                GetASN_OIDData(&dataASN[1], &data, &length);
+                GetASN_OIDData(&dataASN[POLICYINFOASN_IDX_ID], &data, &length);
                 if (length == 0) {
                     ret = ASN_PARSE_E;
                 }
@@ -16426,8 +16711,12 @@ static int DecodeExtensionType(const byte* input, int length, word32 oid,
  * X.509: RFC 5280, 4.1 - Basic Certificate Fields.
  */
 static const ASNItem certExtHdrASN[] = {
-/*  0 */    { 0, ASN_CONTEXT_SPECIFIC | 3, 1, 1, 0 },
-/*  1 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
+/* EXTTAG */ { 0, ASN_CONTEXT_SPECIFIC | 3, 1, 1, 0 },
+/* EXTSEQ */     { 1, ASN_SEQUENCE, 1, 1, 0 },
+};
+enum {
+    CERTEXTHDRASN_IDX_EXTTAG = 0,
+    CERTEXTHDRASN_IDX_EXTSEQ,
 };
 
 /* Number of itesm in ASN.1 template for extensions. */
@@ -16437,13 +16726,19 @@ static const ASNItem certExtHdrASN[] = {
  * X.509: RFC 5280, 4.1 - Basic Certificate Fields.
  */
 static const ASNItem certExtASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* Extension object id */
-/*  1 */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
-                /* critical - when true, must be parseable. */
-/*  2 */        { 1, ASN_BOOLEAN, 0, 0, 1 },
-                /* Data for extension - leave index at start of data. */
-/*  3 */        { 1, ASN_OCTET_STRING, 0, 1, 0 },
+/* SEQ  */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+                              /* Extension object id */
+/* OID  */     { 1, ASN_OBJECT_ID, 0, 0, 0 },
+                              /* critical - when true, must be parseable. */
+/* CRIT */     { 1, ASN_BOOLEAN, 0, 0, 1 },
+                              /* Data for extension - leave index at start of data. */
+/* VAL  */     { 1, ASN_OCTET_STRING, 0, 1, 0 },
+};
+enum {
+    CERTEXTASN_IDX_SEQ = 0,
+    CERTEXTASN_IDX_OID,
+    CERTEXTASN_IDX_CRIT,
+    CERTEXTASN_IDX_VAL,
 };
 
 /* Number of items in ASN.1 template for Extension. */
@@ -16569,7 +16864,7 @@ end:
 
 #ifdef WOLFSSL_CERT_REQ
     if (cert->isCSR) {
-        offset = 1;
+        offset = CERTEXTHDRASN_IDX_EXTSEQ;
     }
 #endif
     if (ret == 0) {
@@ -16586,15 +16881,15 @@ end:
         /* Clear dynamic data. */
         XMEMSET(dataASN, 0, sizeof(*dataASN) * certExtASN_Length);
         /* Ensure OID is an extention type. */
-        GetASN_OID(&dataASN[1], oidCertExtType);
+        GetASN_OID(&dataASN[CERTEXTASN_IDX_OID], oidCertExtType);
         /* Set criticality variable. */
-        GetASN_Int8Bit(&dataASN[2], &critical);
+        GetASN_Int8Bit(&dataASN[CERTEXTASN_IDX_CRIT], &critical);
         /* Parse extension wrapper. */
         ret = GetASN_Items(certExtASN, dataASN, certExtASN_Length, 0, input,
                            &idx, sz);
         if (ret == 0) {
-            word32 oid = dataASN[1].data.oid.sum;
-            int length = dataASN[3].length;
+            word32 oid = dataASN[CERTEXTASN_IDX_OID].data.oid.sum;
+            int length = dataASN[CERTEXTASN_IDX_VAL].length;
 
             /* Decode the extension by type. */
             ret = DecodeExtensionType(input + idx, length, oid, critical, cert);
@@ -16625,66 +16920,98 @@ end:
  */
 static const ASNItem x509CertASN[] = {
         /* Certificate ::= SEQUENCE */
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-        /* tbsCertificate       TBSCertificate */
-        /* TBSCertificate ::= SEQUENCE */
-/*  1 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
-        /* version         [0]  EXPLICT Version DEFAULT v1 */
-/*  2 */            { 2, ASN_CONTEXT_SPECIFIC | 0, 1, 1, 1 },
-        /* Version ::= INTEGER { v1(0), v2(1), v3(2) */
-/*  3 */                { 3, ASN_INTEGER, 0, 0, 0 },
-        /* serialNumber         CertificateSerialNumber */
-        /* CetificateSerialNumber ::= INTEGER */
-/*  4 */            { 2, ASN_INTEGER, 0, 0, 0 },
-        /* signature            AlgorithmIdentifier */
-        /* AlgorithmIdentifier ::= SEQUENCE */
-/*  5 */            { 2, ASN_SEQUENCE, 1, 1, 0 },
-        /* Algorithm    OBJECT IDENTIFIER */
-/*  6 */                { 3, ASN_OBJECT_ID, 0, 0, 0 },
-        /* parameters   ANY defined by algorithm OPTIONAL */
-/*  7 */                { 3, ASN_TAG_NULL, 0, 0, 1 },
-        /* issuer               Name */
-/*  8 */            { 2, ASN_SEQUENCE, 1, 0, 0 },
-        /* validity             Validity */
-        /* Validity ::= SEQUENCE */
-/*  9 */            { 2, ASN_SEQUENCE, 1, 1, 0 },
-        /* notBefore   Time */
-        /* Time :: CHOICE { UTCTime, GeneralizedTime } */
-/* 10 */                { 3, ASN_UTC_TIME, 0, 0, 2 },
-/* 11 */                { 3, ASN_GENERALIZED_TIME, 0, 0, 2 },
-        /* notAfter   Time */
-        /* Time :: CHOICE { UTCTime, GeneralizedTime } */
-/* 12 */                { 3, ASN_UTC_TIME, 0, 0, 3 },
-/* 13 */                { 3, ASN_GENERALIZED_TIME, 0, 0, 3 },
-        /* subject              Name */
-/* 14 */            { 2, ASN_SEQUENCE, 1, 0, 0 },
-        /* subjectPublicKeyInfo SubjectPublicKeyInfo */
-/* 15 */            { 2, ASN_SEQUENCE, 1, 1, 0 },
-        /* algorithm          AlgorithmIdentifier */
-        /* AlgorithmIdentifier ::= SEQUENCE */
-/* 16 */                { 3, ASN_SEQUENCE, 1, 1, 0 },
-        /* Algorithm    OBJECT IDENTIFIER */
-/* 17 */                    { 4, ASN_OBJECT_ID, 0, 0, 0 },
-        /* parameters   ANY defined by algorithm OPTIONAL */
-/* 18 */                    { 4, ASN_TAG_NULL, 0, 0, 1 },
-/* 19 */                    { 4, ASN_OBJECT_ID, 0, 0, 1 },
-        /* subjectPublicKey   BIT STRING */
-/* 20 */                { 3, ASN_BIT_STRING, 0, 0, 0 },
-        /* issuerUniqueID       UniqueIdentfier OPTIONAL */
-/* 21 */            { 2, ASN_CONTEXT_SPECIFIC | 1, 0, 0, 1 },
-        /* subjectUniqueID      UniqueIdentfier OPTIONAL */
-/* 22 */            { 2, ASN_CONTEXT_SPECIFIC | 2, 0, 0, 1 },
-        /* extensions           Extensions OPTIONAL */
-/* 23 */            { 2, ASN_CONTEXT_SPECIFIC | 3, 1, 0, 1 },
-        /* signatureAlgorithm   AlgorithmIdentifier */
-        /* AlgorithmIdentifier ::= SEQUENCE */
-/* 24 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
-        /* Algorithm    OBJECT IDENTIFIER */
-/* 25 */            { 2, ASN_OBJECT_ID, 0, 0, 0 },
-        /* parameters   ANY defined by algorithm OPTIONAL */
-/* 26 */            { 2, ASN_TAG_NULL, 0, 0, 1 },
-        /* signature            BIT STRING */
-/* 27 */        { 1, ASN_BIT_STRING, 0, 0, 0 },
+/* SEQ                           */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                                   /* tbsCertificate       TBSCertificate */
+                                                   /* TBSCertificate ::= SEQUENCE */
+/* TBS_SEQ                       */        { 1, ASN_SEQUENCE, 1, 1, 0 },
+                                                   /* version         [0]  EXPLICT Version DEFAULT v1 */
+/* TBS_VER                       */            { 2, ASN_CONTEXT_SPECIFIC | ASN_X509_CERT_VERSION, 1, 1, 1 },
+                                                   /* Version ::= INTEGER { v1(0), v2(1), v3(2) */
+/* TBS_VER_INT                   */                { 3, ASN_INTEGER, 0, 0, 0 },
+                                                   /* serialNumber         CertificateSerialNumber */
+                                                   /* CetificateSerialNumber ::= INTEGER */
+/* TBS_SERIAL                    */            { 2, ASN_INTEGER, 0, 0, 0 },
+                                                   /* signature            AlgorithmIdentifier */
+                                                   /* AlgorithmIdentifier ::= SEQUENCE */
+/* TBS_ALGOID_SEQ                */            { 2, ASN_SEQUENCE, 1, 1, 0 },
+                                                   /* Algorithm    OBJECT IDENTIFIER */
+/* TBS_ALGOID_OID                */                { 3, ASN_OBJECT_ID, 0, 0, 0 },
+                                                   /* parameters   ANY defined by algorithm OPTIONAL */
+/* TBS_ALGOID_PARAMS             */                { 3, ASN_TAG_NULL, 0, 0, 1 },
+                                                   /* issuer               Name */
+/* TBS_ISSUER_SEQ                */            { 2, ASN_SEQUENCE, 1, 0, 0 },
+                                                   /* validity             Validity */
+                                                   /* Validity ::= SEQUENCE */
+/* TBS_VALIDITY_SEQ              */            { 2, ASN_SEQUENCE, 1, 1, 0 },
+                                                   /* notBefore   Time */
+                                                   /* Time :: CHOICE { UTCTime, GeneralizedTime } */
+/* TBS_VALIDITY_NOTB_UTC         */                { 3, ASN_UTC_TIME, 0, 0, 2 },
+/* TBS_VALIDITY_NOTB_GT          */                { 3, ASN_GENERALIZED_TIME, 0, 0, 2 },
+                                                   /* notAfter   Time */
+                                                   /* Time :: CHOICE { UTCTime, GeneralizedTime } */
+/* TBS_VALIDITY_NOTA_UTC         */                { 3, ASN_UTC_TIME, 0, 0, 3 },
+/* TBS_VALIDITY_NOTA_GT          */                { 3, ASN_GENERALIZED_TIME, 0, 0, 3 },
+                                                   /* subject              Name */
+/* TBS_SUBJECT_SEQ               */            { 2, ASN_SEQUENCE, 1, 0, 0 },
+                                                   /* subjectPublicKeyInfo SubjectPublicKeyInfo */
+/* TBS_SPUBKEYINFO_SEQ           */            { 2, ASN_SEQUENCE, 1, 1, 0 },
+                                                   /* algorithm          AlgorithmIdentifier */
+                                                   /* AlgorithmIdentifier ::= SEQUENCE */
+/* TBS_SPUBKEYINFO_ALGO_SEQ      */                { 3, ASN_SEQUENCE, 1, 1, 0 },
+                                                   /* Algorithm    OBJECT IDENTIFIER */
+/* TBS_SPUBKEYINFO_ALGO_OID      */                    { 4, ASN_OBJECT_ID, 0, 0, 0 },
+                                                   /* parameters   ANY defined by algorithm OPTIONAL */
+/* TBS_SPUBKEYINFO_ALGO_NOPARAMS */                    { 4, ASN_TAG_NULL, 0, 0, 1 },
+/* TBS_SPUBKEYINFO_ALGO_CURVEID  */                    { 4, ASN_OBJECT_ID, 0, 0, 1 },
+                                                   /* subjectPublicKey   BIT STRING */
+/* TBS_SPUBKEYINFO_PUBKEY        */                { 3, ASN_BIT_STRING, 0, 0, 0 },
+                                                   /* issuerUniqueID       UniqueIdentfier OPTIONAL */
+/* TBS_ISSUERUID                 */            { 2, ASN_CONTEXT_SPECIFIC | 1, 0, 0, 1 },
+                                                   /* subjectUniqueID      UniqueIdentfier OPTIONAL */
+/* TBS_SUBJECTUID                */            { 2, ASN_CONTEXT_SPECIFIC | 2, 0, 0, 1 },
+                                                   /* extensions           Extensions OPTIONAL */
+/* TBS_EXT                       */            { 2, ASN_CONTEXT_SPECIFIC | 3, 1, 1, 1 },
+/* TBS_EXT_SEQ                   */                { 3, ASN_SEQUENCE, 1, 0, 0 },
+                                                   /* signatureAlgorithm   AlgorithmIdentifier */
+                                                   /* AlgorithmIdentifier ::= SEQUENCE */
+/* SIGALGO_SEQ                   */        { 1, ASN_SEQUENCE, 1, 1, 0 },
+                                                   /* Algorithm    OBJECT IDENTIFIER */
+/* SIGALGO_OID                   */            { 2, ASN_OBJECT_ID, 0, 0, 0 },
+                                                   /* parameters   ANY defined by algorithm OPTIONAL */
+/* SIGALGO_PARAMS                */            { 2, ASN_TAG_NULL, 0, 0, 1 },
+                                                   /* signature            BIT STRING */
+/* SIGNATURE                     */        { 1, ASN_BIT_STRING, 0, 0, 0 },
+};
+enum {
+    X509CERTASN_IDX_SEQ = 0,
+    X509CERTASN_IDX_TBS_SEQ,
+    X509CERTASN_IDX_TBS_VER,
+    X509CERTASN_IDX_TBS_VER_INT,
+    X509CERTASN_IDX_TBS_SERIAL,
+    X509CERTASN_IDX_TBS_ALGOID_SEQ,
+    X509CERTASN_IDX_TBS_ALGOID_OID,
+    X509CERTASN_IDX_TBS_ALGOID_PARAMS,
+    X509CERTASN_IDX_TBS_ISSUER_SEQ,
+    X509CERTASN_IDX_TBS_VALIDITY_SEQ,
+    X509CERTASN_IDX_TBS_VALIDITY_NOTB_UTC,
+    X509CERTASN_IDX_TBS_VALIDITY_NOTB_GT,
+    X509CERTASN_IDX_TBS_VALIDITY_NOTA_UTC,
+    X509CERTASN_IDX_TBS_VALIDITY_NOTA_GT,
+    X509CERTASN_IDX_TBS_SUBJECT_SEQ,
+    X509CERTASN_IDX_TBS_SPUBKEYINFO_SEQ,
+    X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_SEQ,
+    X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_OID,
+    X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_NOPARAMS,
+    X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_CURVEID,
+    X509CERTASN_IDX_TBS_SPUBKEYINFO_PUBKEY,
+    X509CERTASN_IDX_TBS_ISSUERUID,
+    X509CERTASN_IDX_TBS_SUBJECTUID,
+    X509CERTASN_IDX_TBS_EXT,
+    X509CERTASN_IDX_TBS_EXT_SEQ,
+    X509CERTASN_IDX_SIGALGO_SEQ,
+    X509CERTASN_IDX_SIGALGO_OID,
+    X509CERTASN_IDX_SIGALGO_PARAMS,
+    X509CERTASN_IDX_SIGNATURE,
 };
 
 /* Number of items in ASN template for an X509 certificate. */
@@ -16775,13 +17102,16 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
         serialSz = EXTERNAL_SERIAL_SIZE;
 
         /* Get the version and put the serial number into the buffer. */
-        GetASN_Int8Bit(&dataASN[3], &version);
-        GetASN_Buffer(&dataASN[4], cert->serial, &serialSz);
+        GetASN_Int8Bit(&dataASN[X509CERTASN_IDX_TBS_VER_INT], &version);
+        GetASN_Buffer(&dataASN[X509CERTASN_IDX_TBS_SERIAL], cert->serial,
+                &serialSz);
         /* Check OID types for signature, algorithm, ECC curve and sigAlg. */
-        GetASN_OID(&dataASN[6], oidSigType);
-        GetASN_OID(&dataASN[17], oidKeyType);
-        GetASN_OID(&dataASN[19], oidCurveType);
-        GetASN_OID(&dataASN[25], oidSigType);
+        GetASN_OID(&dataASN[X509CERTASN_IDX_TBS_ALGOID_OID], oidSigType);
+        GetASN_OID(&dataASN[X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_OID],
+                oidKeyType);
+        GetASN_OID(&dataASN[X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_CURVEID],
+                oidCurveType);
+        GetASN_OID(&dataASN[X509CERTASN_IDX_SIGALGO_OID], oidSigType);
         /* Parse the X509 certificate. */
         ret = GetASN_Items(x509CertASN, dataASN, x509CertASN_Length, 1,
                            cert->source, &cert->srcIdx, cert->maxIdx);
@@ -16795,14 +17125,16 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
         /* Set fields extracted from data. */
         cert->version = version;
         cert->serialSz = serialSz;
-        cert->signatureOID = dataASN[6].data.oid.sum;
-        cert->keyOID = dataASN[17].data.oid.sum;
-        cert->certBegin = dataASN[1].offset;
+        cert->signatureOID = dataASN[X509CERTASN_IDX_TBS_ALGOID_OID].data.oid.sum;
+        cert->keyOID = dataASN[X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_OID].data.oid.sum;
+        cert->certBegin = dataASN[X509CERTASN_IDX_TBS_SEQ].offset;
 
         /* No bad date error - don't always care. */
         badDate = 0;
         /* Find the item with the BEFORE date and check it. */
-        i = (dataASN[10].tag != 0) ? 10 : 11;
+        i = (dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTB_UTC].tag != 0)
+                ? X509CERTASN_IDX_TBS_VALIDITY_NOTB_UTC
+                : X509CERTASN_IDX_TBS_VALIDITY_NOTB_GT;
         if ((CheckDate(&dataASN[i], BEFORE) < 0) && verify) {
             badDate = ASN_BEFORE_DATE_E;
         }
@@ -16811,7 +17143,9 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
         cert->beforeDateLen = GetASNItem_Length(dataASN[i], cert->source);
 
         /* Find the item with the AFTER date and check it. */
-        i = (dataASN[12].tag != 0) ? 12 : 13;
+        i = (dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTA_UTC].tag != 0)
+                ? X509CERTASN_IDX_TBS_VALIDITY_NOTA_UTC
+                : X509CERTASN_IDX_TBS_VALIDITY_NOTA_GT;
         if ((CheckDate(&dataASN[i], AFTER) < 0) && verify) {
             badDate = ASN_AFTER_DATE_E;
         }
@@ -16820,37 +17154,40 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
         cert->afterDateLen = GetASNItem_Length(dataASN[i], cert->source);
 
         /* Get the issuer name and calculate hash. */
-        idx = dataASN[8].offset;
+        idx = dataASN[X509CERTASN_IDX_TBS_ISSUER_SEQ].offset;
         ret = GetCertName(cert, cert->issuer, cert->issuerHash, ISSUER,
-                          cert->source, &idx, dataASN[9].offset);
+                          cert->source, &idx,
+                          dataASN[X509CERTASN_IDX_TBS_VALIDITY_SEQ].offset);
     }
     if (ret == 0) {
         /* Get the subject name and calculate hash. */
-        idx = dataASN[14].offset;
+        idx = dataASN[X509CERTASN_IDX_TBS_SUBJECT_SEQ].offset;
         ret = GetCertName(cert, cert->subject, cert->subjectHash, SUBJECT,
-                          cert->source, &idx, dataASN[15].offset);
+                          cert->source, &idx,
+                          dataASN[X509CERTASN_IDX_TBS_SPUBKEYINFO_SEQ].offset);
     }
     if (ret == 0) {
-        /* Determine if self signed by comparig issuer and subject hashes. */
+        /* Determine if self signed by comparing issuer and subject hashes. */
         cert->selfSigned = XMEMCMP(cert->issuerHash, cert->subjectHash,
                                    KEYID_SIZE) == 0 ? 1 : 0;
 
         if (stopAtPubKey) {
-            /* Return any bad date error through badDateRed and return offset of
+            /* Return any bad date error through badDateRet and return offset of
              * subjectPublicKeyInfo.
              */
             if (badDateRet != NULL) {
                 *badDateRet = badDate;
             }
-            ret = dataASN[15].offset;
+            ret = dataASN[X509CERTASN_IDX_TBS_SPUBKEYINFO_SEQ].offset;
             done = 1;
         }
     }
 
     if ((ret == 0) && (!done)) {
         /* Parse the public key. */
-        idx = dataASN[15].offset;
-        ret = GetCertKey(cert, cert->source, &idx, dataASN[21].offset);
+        idx = dataASN[X509CERTASN_IDX_TBS_SPUBKEYINFO_SEQ].offset;
+        ret = GetCertKey(cert, cert->source, &idx,
+                dataASN[X509CERTASN_IDX_TBS_ISSUERUID].offset);
         if ((ret == 0) && stopAfterPubKey) {
             /* Return any bad date error through badDateRed and return offset
              * after subjectPublicKeyInfo.
@@ -16861,7 +17198,8 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
             done = 1;
         }
     }
-    if ((ret == 0) && (!done) && (dataASN[23].data.ref.data != NULL)) {
+    if ((ret == 0) && (!done) &&
+            (dataASN[X509CERTASN_IDX_TBS_EXT_SEQ].data.ref.data != NULL)) {
     #ifndef ALLOW_V1_EXTENSIONS
         /* Certificate extensions were only defined in version 2. */
         if (cert->version < 2) {
@@ -16871,9 +17209,11 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
     #endif
         if (ret == 0) {
             /* Save references to extension data. */
-            cert->extensions    = GetASNItem_Addr(dataASN[23], cert->source);
-            cert->extensionsSz  = GetASNItem_Length(dataASN[23], cert->source);
-            cert->extensionsIdx = dataASN[23].offset;
+            cert->extensions    = GetASNItem_Addr(
+                    dataASN[X509CERTASN_IDX_TBS_EXT], cert->source);
+            cert->extensionsSz  = GetASNItem_Length(
+                    dataASN[X509CERTASN_IDX_TBS_EXT], cert->source);
+            cert->extensionsIdx = dataASN[X509CERTASN_IDX_TBS_EXT].offset;
 
             /* Decode the extension data starting at [3]. */
             ret = DecodeCertExtensions(cert);
@@ -16891,20 +17231,23 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
         }
         if (ret == 0) {
             /* Advance past extensions. */
-            cert->srcIdx = dataASN[24].offset;
+            cert->srcIdx = dataASN[X509CERTASN_IDX_SIGALGO_SEQ].offset;
         }
     }
 
     if ((ret == 0) && (!done)) {
         /* Store the signature information. */
-        cert->sigIndex = dataASN[24].offset;
-        GetASN_GetConstRef(&dataASN[27], &cert->signature, &cert->sigLength);
+        cert->sigIndex = dataASN[X509CERTASN_IDX_SIGALGO_SEQ].offset;
+        GetASN_GetConstRef(&dataASN[X509CERTASN_IDX_SIGNATURE],
+                &cert->signature, &cert->sigLength);
         /* Make sure 'signature' and 'signatureAlgorithm' are the same. */
-        if (dataASN[25].data.oid.sum != cert->signatureOID) {
+        if (dataASN[X509CERTASN_IDX_SIGALGO_OID].data.oid.sum
+                != cert->signatureOID) {
             ret = ASN_SIG_OID_E;
         }
         /* NULL tagged item not allowed after ECDSA or EdDSA algorithm OID. */
-        if (IsSigAlgoECC(cert->signatureOID) && (dataASN[26].tag != 0)) {
+        if (IsSigAlgoECC(cert->signatureOID) &&
+                (dataASN[X509CERTASN_IDX_SIGALGO_PARAMS].tag != 0)) {
             ret = ASN_PARSE_E;
         }
     }
@@ -16950,11 +17293,16 @@ int DecodeCert(DecodedCert* cert, int verify, int* criticalExt)
  * PKCS #10: RFC 2986, 4.1 - CertificationRequestInfo
  */
 static const ASNItem reqAttrASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* type */
-/*  1 */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
-                /* values */
-/*  2 */        { 1, ASN_SET, 1, 0, 0 },
+/* SEQ  */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+                              /* type */
+/* TYPE */     { 1, ASN_OBJECT_ID, 0, 0, 0 },
+                              /* values */
+/* VALS */     { 1, ASN_SET, 1, 0, 0 },
+};
+enum {
+    REQATTRASN_IDX_SEQ = 0,
+    REQATTRASN_IDX_TYPE,
+    REQATTRASN_IDX_VALS,
 };
 
 /* Number of items in ASN.1 template for certificate request Attribute. */
@@ -16964,6 +17312,9 @@ static const ASNItem reqAttrASN[] = {
 static const ASNItem strAttrASN[] = {
     { 0, 0, 0, 0, 0 },
 };
+enum {
+    STRATTRASN_IDX_STR = 0,
+};
 
 /* Number of items in ASN.1 template for a string choice. */
 #define strAttrASN_Length (sizeof(strAttrASN) / sizeof(ASNItem))
@@ -16996,14 +17347,16 @@ static int DecodeCertReqAttrValue(DecodedCert* cert, int* criticalExt,
         case PKCS9_CONTENT_TYPE_OID:
             /* Clear dynamic data and specify choices acceptable. */
             XMEMSET(strDataASN, 0, sizeof(strDataASN));
-            GetASN_Choice(&strDataASN[0], strAttrChoice);
+            GetASN_Choice(&strDataASN[STRATTRASN_IDX_STR], strAttrChoice);
             /* Parse a string. */
             ret = GetASN_Items(strAttrASN, strDataASN, strAttrASN_Length,
                                1, input, &idx, maxIdx);
             if (ret == 0) {
                 /* Store references to password data. */
-                cert->contentType = (char*)strDataASN[0].data.ref.data;
-                cert->contentTypeLen = strDataASN[0].data.ref.length;
+                cert->contentType =
+                        (char*)strDataASN[STRATTRASN_IDX_STR].data.ref.data;
+                cert->contentTypeLen =
+                        strDataASN[STRATTRASN_IDX_STR].data.ref.length;
             }
             break;
 
@@ -17013,14 +17366,15 @@ static int DecodeCertReqAttrValue(DecodedCert* cert, int* criticalExt,
         case CHALLENGE_PASSWORD_OID:
             /* Clear dynamic data and specify choices acceptable. */
             XMEMSET(strDataASN, 0, sizeof(strDataASN));
-            GetASN_Choice(&strDataASN[0], strAttrChoice);
+            GetASN_Choice(&strDataASN[STRATTRASN_IDX_STR], strAttrChoice);
             /* Parse a string. */
             ret = GetASN_Items(strAttrASN, strDataASN, strAttrASN_Length,
                                1, input, &idx, maxIdx);
             if (ret == 0) {
                 /* Store references to password data. */
-                cert->cPwd = (char*)strDataASN[0].data.ref.data;
-                cert->cPwdLen = strDataASN[0].data.ref.length;
+                cert->cPwd =
+                        (char*)strDataASN[STRATTRASN_IDX_STR].data.ref.data;
+                cert->cPwdLen = strDataASN[STRATTRASN_IDX_STR].data.ref.length;
             }
             break;
 
@@ -17031,14 +17385,15 @@ static int DecodeCertReqAttrValue(DecodedCert* cert, int* criticalExt,
         case SERIAL_NUMBER_OID:
             /* Clear dynamic data and specify choices acceptable. */
             XMEMSET(strDataASN, 0, sizeof(strDataASN));
-            GetASN_Choice(&strDataASN[0], strAttrChoice);
+            GetASN_Choice(&strDataASN[STRATTRASN_IDX_STR], strAttrChoice);
             /* Parse a string. */
             ret = GetASN_Items(strAttrASN, strDataASN, strAttrASN_Length,
                                1, input, &idx, maxIdx);
             if (ret == 0) {
                 /* Store references to serial number. */
-                cert->sNum = (char*)strDataASN[0].data.ref.data;
-                cert->sNumLen = strDataASN[0].data.ref.length;
+                cert->sNum =
+                        (char*)strDataASN[STRATTRASN_IDX_STR].data.ref.data;
+                cert->sNumLen = strDataASN[STRATTRASN_IDX_STR].data.ref.length;
                 /* Store serial number if small enough. */
                 if (cert->sNumLen <= EXTERNAL_SERIAL_SIZE) {
                     XMEMCPY(cert->serial, cert->sNum, cert->sNumLen);
@@ -17111,7 +17466,7 @@ static int DecodeCertReqAttributes(DecodedCert* cert, int* criticalExt,
     while ((ret == 0) && (idx < maxIdx)) {
         /* Clear dynamic data. */
         XMEMSET(dataASN, 0, sizeof(ASNGetData) * reqAttrASN_Length);
-        GetASN_OID(&dataASN[1], oidIgnoreType);
+        GetASN_OID(&dataASN[REQATTRASN_IDX_TYPE], oidIgnoreType);
 
         /* Parse an attribute. */
         ret = GetASN_Items(reqAttrASN, dataASN, reqAttrASN_Length, 0,
@@ -17119,9 +17474,10 @@ static int DecodeCertReqAttributes(DecodedCert* cert, int* criticalExt,
         /* idx is now at end of attribute data. */
         if (ret == 0) {
             ret = DecodeCertReqAttrValue(cert, criticalExt,
-                dataASN[1].data.oid.sum,
-                GetASNItem_DataIdx(dataASN[2], cert->source),
-                dataASN[2].data.ref.data, dataASN[2].data.ref.length);
+                dataASN[REQATTRASN_IDX_TYPE].data.oid.sum,
+                GetASNItem_DataIdx(dataASN[REQATTRASN_IDX_VALS], cert->source),
+                dataASN[REQATTRASN_IDX_VALS].data.ref.data,
+                dataASN[REQATTRASN_IDX_VALS].data.ref.length);
         }
     }
 
@@ -17131,36 +17487,57 @@ static int DecodeCertReqAttributes(DecodedCert* cert, int* criticalExt,
 
 /* ASN.1 template for a certificate request.
  * PKCS#10: RFC 2986, 4.1 - CertificationRequestInfo
+ * PKCS#10: RFC 2986, 4.2 - CertificationRequest
  */
 static const ASNItem certReqASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/*  1 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
-                    /* version              INTEGER { v1(0), v2(1), v3(2) */
-/*  2 */            { 2, ASN_INTEGER, 0, 0, 0 },
-                    /* subject              Name */
-/*  3 */            { 2, ASN_SEQUENCE, 1, 0, 0 },
-                    /* subjectPublicKeyInfo SubjectPublicKeyInfo */
-/*  4 */            { 2, ASN_SEQUENCE, 1, 1, 0 },
-                        /* algorithm          AlgorithmIdentifier */
-/*  5 */                { 3, ASN_SEQUENCE, 1, 1, 0 },
-                            /* Algorithm    OBJECT IDENTIFIER */
-/*  6 */                    { 4, ASN_OBJECT_ID, 0, 0, 0 },
-                            /* parameters   ANY defined by algorithm OPTIONAL */
-/*  7 */                    { 4, ASN_TAG_NULL, 0, 0, 1 },
-/*  8 */                    { 4, ASN_OBJECT_ID, 0, 0, 1 },
-/*  9 */                    { 4, ASN_SEQUENCE, 1, 0, 1 },
-                        /* subjectPublicKey   BIT STRING */
-/* 10 */                { 3, ASN_BIT_STRING, 0, 0, 0 },
-                    /* attributes       [0] Attributes */
-/* 11 */            { 2, ASN_CONTEXT_SPECIFIC | 0, 1, 0, 1 },
-                /* signatureAlgorithm   AlgorithmIdentifier */
-/* 12 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
-                    /* Algorithm    OBJECT IDENTIFIER */
-/* 13 */            { 2, ASN_OBJECT_ID, 0, 0, 0 },
-                    /* parameters   ANY defined by algorithm OPTIONAL */
-/* 14 */            { 2, ASN_TAG_NULL, 0, 0, 1 },
-                /* signature            BIT STRING */
-/* 15 */        { 1, ASN_BIT_STRING, 0, 0, 0 },
+            /* CertificationRequest */
+/* SEQ                              */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                                          /* CertificationRequestInfo */
+/* INFO_SEQ                         */     { 1, ASN_SEQUENCE, 1, 1, 0 },
+                                                              /* version              INTEGER { v1(0), v2(1), v3(2) */
+/* INFO_VER                         */         { 2, ASN_INTEGER, 0, 0, 0 },
+                                                              /* subject              Name */
+/* INFO_SUBJ_SEQ                    */         { 2, ASN_SEQUENCE, 1, 0, 0 },
+                                                              /* subjectPublicKeyInfo SubjectPublicKeyInfo */
+/* INFO_SPUBKEYINFO_SEQ             */         { 2, ASN_SEQUENCE, 1, 1, 0 },
+                                                                  /* algorithm          AlgorithmIdentifier */
+/* INFO_SPUBKEYINFO_ALGOID_SEQ      */             { 3, ASN_SEQUENCE, 1, 1, 0 },
+                                                                      /* Algorithm    OBJECT IDENTIFIER */
+/* INFO_SPUBKEYINFO_ALGOID_OID      */                 { 4, ASN_OBJECT_ID, 0, 0, 0 },
+                                                                      /* parameters   ANY defined by algorithm OPTIONAL */
+/* INFO_SPUBKEYINFO_ALGOID_NOPARAMS */                 { 4, ASN_TAG_NULL, 0, 0, 1 },
+/* INFO_SPUBKEYINFO_ALGOID_CURVEID  */                 { 4, ASN_OBJECT_ID, 0, 0, 1 },
+/* INFO_SPUBKEYINFO_ALGOID_PARAMS   */                 { 4, ASN_SEQUENCE, 1, 0, 1 },
+                                                                  /* subjectPublicKey   BIT STRING */
+/* INFO_SPUBKEYINFO_PUBKEY          */             { 3, ASN_BIT_STRING, 0, 0, 0 },
+                                                              /* attributes       [0] Attributes */
+/* INFO_ATTRS                       */         { 2, ASN_CONTEXT_SPECIFIC | 0, 1, 0, 1 },
+                                                          /* signatureAlgorithm   AlgorithmIdentifier */
+/* INFO_SIGALGO_SEQ                 */     { 1, ASN_SEQUENCE, 1, 1, 0 },
+                                                              /* Algorithm    OBJECT IDENTIFIER */
+/* INFO_SIGALGO_OID                 */         { 2, ASN_OBJECT_ID, 0, 0, 0 },
+                                                              /* parameters   ANY defined by algorithm OPTIONAL */
+/* INFO_SIGALGO_NOPARAMS            */         { 2, ASN_TAG_NULL, 0, 0, 1 },
+                                                          /* signature            BIT STRING */
+/* INFO_SIGNATURE                   */     { 1, ASN_BIT_STRING, 0, 0, 0 },
+};
+enum {
+    CERTREQASN_IDX_SEQ = 0,
+    CERTREQASN_IDX_INFO_SEQ,
+    CERTREQASN_IDX_INFO_VER,
+    CERTREQASN_IDX_INFO_SUBJ_SEQ,
+    CERTREQASN_IDX_INFO_SPUBKEYINFO_SEQ,
+    CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_SEQ,
+    CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_OID,
+    CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_NOPARAMS,
+    CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_CURVEID,
+    CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_PARAMS,
+    CERTREQASN_IDX_INFO_SPUBKEYINFO_PUBKEY,
+    CERTREQASN_IDX_INFO_ATTRS,
+    CERTREQASN_IDX_INFO_SIGALGO_SEQ,
+    CERTREQASN_IDX_INFO_SIGALGO_OID,
+    CERTREQASN_IDX_INFO_SIGALGO_NOPARAMS,
+    CERTREQASN_IDX_INFO_SIGNATURE,
 };
 
 /* Number of items in ASN.1 template for a certificate request. */
@@ -17197,10 +17574,12 @@ static int DecodeCertReq(DecodedCert* cert, int* criticalExt)
         version = 0;
 
         /* Set version var and OID types to expect. */
-        GetASN_Int8Bit(&dataASN[2], &version);
-        GetASN_OID(&dataASN[6], oidKeyType);
-        GetASN_OID(&dataASN[8], oidCurveType);
-        GetASN_OID(&dataASN[13], oidSigType);
+        GetASN_Int8Bit(&dataASN[CERTREQASN_IDX_INFO_VER], &version);
+        GetASN_OID(&dataASN[CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_OID],
+                oidKeyType);
+        GetASN_OID(&dataASN[CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_CURVEID],
+                oidCurveType);
+        GetASN_OID(&dataASN[CERTREQASN_IDX_INFO_SIGALGO_OID], oidSigType);
         /* Parse a certificate request. */
         ret = GetASN_Items(certReqASN, dataASN, certReqASN_Length, 1,
                            cert->source, &cert->srcIdx, cert->maxIdx);
@@ -17213,29 +17592,36 @@ static int DecodeCertReq(DecodedCert* cert, int* criticalExt)
     if (ret == 0) {
         /* Set fields of certificate request. */
         cert->version = version;
-        cert->signatureOID = dataASN[13].data.oid.sum;
-        cert->keyOID = dataASN[6].data.oid.sum;
-        cert->certBegin = dataASN[1].offset;
+        cert->signatureOID =
+              dataASN[CERTREQASN_IDX_INFO_SIGALGO_OID].data.oid.sum;
+        cert->keyOID =
+              dataASN[CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_OID].data.oid.sum;
+        cert->certBegin = dataASN[CERTREQASN_IDX_INFO_SEQ].offset;
 
         /* Parse the subject name. */
-        idx = dataASN[3].offset;
+        idx = dataASN[CERTREQASN_IDX_INFO_SUBJ_SEQ].offset;
         ret = GetCertName(cert, cert->subject, cert->subjectHash, SUBJECT,
-                          cert->source, &idx, dataASN[4].offset);
+                          cert->source, &idx,
+                          dataASN[CERTREQASN_IDX_INFO_SPUBKEYINFO_SEQ].offset);
     }
     if (ret == 0) {
         /* Parse the certificate request Attributes. */
         ret = DecodeCertReqAttributes(cert, criticalExt,
-            GetASNItem_DataIdx(dataASN[11], cert->source), dataASN[12].offset);
+                GetASNItem_DataIdx(dataASN[CERTREQASN_IDX_INFO_ATTRS],
+                        cert->source),
+                dataASN[CERTREQASN_IDX_INFO_SIGALGO_SEQ].offset);
     }
     if (ret == 0) {
         /* Parse the certificate request's key. */
-        idx = dataASN[4].offset;
-        ret = GetCertKey(cert, cert->source, &idx, dataASN[11].offset);
+        idx = dataASN[CERTREQASN_IDX_INFO_SPUBKEYINFO_SEQ].offset;
+        ret = GetCertKey(cert, cert->source, &idx,
+                dataASN[CERTREQASN_IDX_INFO_ATTRS].offset);
     }
     if (ret == 0) {
         /* Store references to signature. */
-        cert->sigIndex = dataASN[12].offset;
-        GetASN_GetConstRef(&dataASN[15], &cert->signature, &cert->sigLength);
+        cert->sigIndex = dataASN[CERTREQASN_IDX_INFO_SIGALGO_SEQ].offset;
+        GetASN_GetConstRef(&dataASN[CERTREQASN_IDX_INFO_SIGNATURE],
+                &cert->signature, &cert->sigLength);
     }
 
     FREE_ASNGETDATA(dataASN, cert->heap);
@@ -17373,7 +17759,6 @@ static int GetAKIHash(const byte* input, word32 maxIdx, byte* hash, int* set,
     DECL_ASNGETDATA(dataASN, certExtASN_Length);
     int ret = 0;
     word32 idx = 0;
-    int extLen = 0;
     word32 extEndIdx;
     byte* extData;
     word32 extDataSz;
@@ -17382,30 +17767,26 @@ static int GetAKIHash(const byte* input, word32 maxIdx, byte* hash, int* set,
     ALLOC_ASNGETDATA(dataASN, certExtASN_Length, ret, heap);
     (void)heap;
 
-    /* Parse the outer SEQUENCE and calculate end index of extensions. */
-    if ((ret == 0) && (GetASN_Sequence(input, &idx, &extLen, maxIdx, 1) < 0)) {
-        ret = ASN_PARSE_E;
-    }
-    extEndIdx = idx + extLen;
+    extEndIdx = idx + maxIdx;
 
     /* Step through each extension looking for AKI. */
     while ((ret == 0) && (idx < extEndIdx)) {
         /* Clear dynamic data and check for certificate extension type OIDs. */
         XMEMSET(dataASN, 0, sizeof(*dataASN) * certExtASN_Length);
-        GetASN_OID(&dataASN[1], oidCertExtType);
+        GetASN_OID(&dataASN[CERTEXTASN_IDX_OID], oidCertExtType);
         /* Set criticality variable. */
-        GetASN_Int8Bit(&dataASN[2], &critical);
+        GetASN_Int8Bit(&dataASN[CERTEXTASN_IDX_CRIT], &critical);
         /* Parse an extension. */
         ret = GetASN_Items(certExtASN, dataASN, certExtASN_Length, 0, input,
                 &idx, extEndIdx);
         if (ret == 0) {
             /* Get reference to extension data and move index on past this
              * extension. */
-            GetASN_GetRef(&dataASN[3], &extData, &extDataSz);
+            GetASN_GetRef(&dataASN[CERTEXTASN_IDX_VAL], &extData, &extDataSz);
             idx += extDataSz;
 
             /* Check whether we have the AKI extension. */
-            if (dataASN[1].data.oid.sum == AUTH_KEY_OID) {
+            if (dataASN[CERTEXTASN_IDX_OID].data.oid.sum == AUTH_KEY_OID) {
                 /* Clear dynamic data. */
                 XMEMSET(dataASN, 0, sizeof(*dataASN) * authKeyIdASN_Length);
                 /* Start parsing extension data from the start. */
@@ -17413,12 +17794,16 @@ static int GetAKIHash(const byte* input, word32 maxIdx, byte* hash, int* set,
                 /* Parse AKI extension data. */
                 ret = GetASN_Items(authKeyIdASN, dataASN, authKeyIdASN_Length,
                         1, extData, &idx, extDataSz);
-                if ((ret == 0) && (dataASN[1].data.ref.data != NULL)) {
+                if ((ret == 0) &&
+                        (dataASN[AUTHKEYIDASN_IDX_KEYID].data.ref.data
+                                != NULL)) {
                     /* We parsed successfully and have data. */
                     *set = 1;
                     /* Get the hash or hash of the hash if wrong size. */
-                    ret = GetHashId(dataASN[1].data.ref.data,
-                            dataASN[1].data.ref.length, hash);
+                    ret = GetHashId(
+                            dataASN[AUTHKEYIDASN_IDX_KEYID].data.ref.data,
+                            dataASN[AUTHKEYIDASN_IDX_KEYID].data.ref.length,
+                            hash);
                 }
                 break;
             }
@@ -17794,26 +18179,31 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap,
         /* Clear dynamic data for certificate items. */
         XMEMSET(dataASN, 0, sizeof(ASNGetData) * x509CertASN_Length);
         /* Set OID types expected for signature and public key. */
-        GetASN_OID(&dataASN[6], oidSigType);
-        GetASN_OID(&dataASN[17], oidKeyType);
-        GetASN_OID(&dataASN[19], oidCurveType);
-        GetASN_OID(&dataASN[25], oidSigType);
+        GetASN_OID(&dataASN[X509CERTASN_IDX_TBS_ALGOID_OID], oidSigType);
+        GetASN_OID(&dataASN[X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_OID],
+                oidKeyType);
+        GetASN_OID(&dataASN[X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_CURVEID],
+                oidCurveType);
+        GetASN_OID(&dataASN[X509CERTASN_IDX_SIGALGO_OID], oidSigType);
         /* Parse certificate. */
         ret = GetASN_Items(x509CertASN, dataASN, x509CertASN_Length, 1, cert,
                            &idx, certSz);
 
         /* Check signature OIDs match. */
-        if ((ret == 0) && dataASN[6].data.oid.sum != dataASN[25].data.oid.sum) {
+        if ((ret == 0) && dataASN[X509CERTASN_IDX_TBS_ALGOID_OID].data.oid.sum
+                != dataASN[X509CERTASN_IDX_SIGALGO_OID].data.oid.sum) {
             ret = ASN_SIG_OID_E;
         }
         /* Store the data for verification in the certificate. */
         if (ret == 0) {
-            tbs = GetASNItem_Addr(dataASN[1], cert);
-            tbsSz = GetASNItem_Length(dataASN[1], cert);
-            caName = GetASNItem_Addr(dataASN[8], cert);
-            caNameLen = GetASNItem_Length(dataASN[8], cert);
-            sigOID = dataASN[25].data.oid.sum;
-            GetASN_GetConstRef(&dataASN[27], &sig, &sigSz);
+            tbs = GetASNItem_Addr(dataASN[X509CERTASN_IDX_TBS_SEQ], cert);
+            tbsSz = GetASNItem_Length(dataASN[X509CERTASN_IDX_TBS_SEQ], cert);
+            caName = GetASNItem_Addr(dataASN[X509CERTASN_IDX_TBS_ISSUER_SEQ],
+                    cert);
+            caNameLen = GetASNItem_Length(dataASN[X509CERTASN_IDX_TBS_ISSUER_SEQ],
+                    cert);
+            sigOID = dataASN[X509CERTASN_IDX_SIGALGO_OID].data.oid.sum;
+            GetASN_GetConstRef(&dataASN[X509CERTASN_IDX_SIGNATURE], &sig, &sigSz);
         }
     }
     else if (ret == 0) {
@@ -17823,20 +18213,25 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap,
         /* Clear dynamic data for certificate request items. */
         XMEMSET(dataASN, 0, sizeof(ASNGetData) * certReqASN_Length);
         /* Set OID types expected for signature and public key. */
-        GetASN_OID(&dataASN[6], oidKeyType);
-        GetASN_OID(&dataASN[8], oidCurveType);
-        GetASN_OID(&dataASN[13], oidSigType);
+        GetASN_OID(&dataASN[CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_OID],
+                oidKeyType);
+        GetASN_OID(&dataASN[CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_CURVEID],
+                oidCurveType);
+        GetASN_OID(&dataASN[CERTREQASN_IDX_INFO_SIGALGO_OID], oidSigType);
         /* Parse certificate request. */
         ret = GetASN_Items(certReqASN, dataASN, certReqASN_Length, 1, cert,
                            &idx, certSz);
         if (ret == 0) {
             /* Store the data for verification in the certificate. */
-            tbs = GetASNItem_Addr(dataASN[1], cert);
-            tbsSz = GetASNItem_Length(dataASN[1], cert);
-            caName = GetASNItem_Addr(dataASN[3], cert);
-            caNameLen = GetASNItem_Length(dataASN[3], cert);
-            sigOID = dataASN[13].data.oid.sum;
-            GetASN_GetConstRef(&dataASN[15], &sig, &sigSz);
+            tbs = GetASNItem_Addr(dataASN[CERTREQASN_IDX_INFO_SEQ], cert);
+            tbsSz = GetASNItem_Length(dataASN[CERTREQASN_IDX_INFO_SEQ], cert);
+            caName = GetASNItem_Addr(
+                    dataASN[CERTREQASN_IDX_INFO_SUBJ_SEQ], cert);
+            caNameLen = GetASNItem_Length(
+                    dataASN[CERTREQASN_IDX_INFO_SUBJ_SEQ], cert);
+            sigOID = dataASN[CERTREQASN_IDX_INFO_SIGALGO_OID].data.oid.sum;
+            GetASN_GetConstRef(&dataASN[CERTREQASN_IDX_INFO_SIGNATURE], &sig,
+                    &sigSz);
         }
 #endif
     }
@@ -17845,11 +18240,12 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap,
     if ((ret == 0) && (pubKey == NULL)) {
 #ifndef NO_SKID
         /* Find the AKI extension in list of extensions and get hash. */
-        if ((ret == 0) && (!req) && (dataASN[23].data.ref.data != NULL)) {
+        if ((!req) &&
+                (dataASN[X509CERTASN_IDX_TBS_EXT_SEQ].data.ref.data != NULL)) {
             /* TODO: test case */
-            ret = GetAKIHash(dataASN[23].data.ref.data,
-                             dataASN[23].data.ref.length, hash,
-                             &extAuthKeyIdSet, heap);
+            ret = GetAKIHash(dataASN[X509CERTASN_IDX_TBS_EXT_SEQ].data.ref.data,
+                             dataASN[X509CERTASN_IDX_TBS_EXT_SEQ].data.ref.length,
+                             hash, &extAuthKeyIdSet, heap);
         }
 
         /* Get the CA by hash one was found. */
@@ -18741,7 +19137,7 @@ wcchar END_PUB_KEY          = "-----END PUBLIC KEY-----";
     wcchar BEGIN_EDDSA_PRIV = "-----BEGIN EDDSA PRIVATE KEY-----";
     wcchar END_EDDSA_PRIV   = "-----END EDDSA PRIVATE KEY-----";
 #endif
-#if defined(HAVE_LIBOQS)
+#if defined(HAVE_PQC)
     wcchar BEGIN_FALCON_LEVEL1_PRIV  = "-----BEGIN FALCON_LEVEL1 PRIVATE KEY-----";
     wcchar END_FALCON_LEVEL1_PRIV    = "-----END FALCON_LEVEL1 PRIVATE KEY-----";
     wcchar BEGIN_FALCON_LEVEL5_PRIV = "-----BEGIN FALCON_LEVEL5 PRIVATE KEY-----";
@@ -18841,7 +19237,7 @@ int wc_PemGetHeaderFooter(int type, const char** header, const char** footer)
             ret = 0;
             break;
     #endif
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
         case FALCON_LEVEL1_TYPE:
             if (header) *header = BEGIN_FALCON_LEVEL1_PRIV;
             if (footer) *footer = END_FALCON_LEVEL1_PRIV;
@@ -20133,17 +20529,17 @@ static int SetRsaPublicKey(byte* output, RsaKey* key, int outLen,
     if (ret == 0) {
         if (!with_header) {
             /* Start encoding with items after header. */
-            o = 5;
+            o = RSAPUBLICKEYASN_IDX_PUBKEY_RSA_SEQ;
         }
         /* Set OID for RSA key. */
-        SetASN_OID(&dataASN[2], RSAk, oidKeyType);
+        SetASN_OID(&dataASN[RSAPUBLICKEYASN_IDX_ALGOID_OID], RSAk, oidKeyType);
         /* Set public key mp_ints. */
     #ifdef HAVE_USER_RSA
-        SetASN_MP(&dataASN[6], key->n);
-        SetASN_MP(&dataASN[7], key->e);
+        SetASN_MP(&dataASN[RSAPUBLICKEYASN_IDX_PUBKEY_RSA_N], key->n);
+        SetASN_MP(&dataASN[RSAPUBLICKEYASN_IDX_PUBKEY_RSA_E], key->e);
     #else
-        SetASN_MP(&dataASN[6], &key->n);
-        SetASN_MP(&dataASN[7], &key->e);
+        SetASN_MP(&dataASN[RSAPUBLICKEYASN_IDX_PUBKEY_RSA_N], &key->n);
+        SetASN_MP(&dataASN[RSAPUBLICKEYASN_IDX_PUBKEY_RSA_E], &key->e);
     #endif
         /* Calculate size of RSA public key. */
         ret = SizeASN_Items(rsaPublicKeyASN + o, dataASN + o,
@@ -20292,10 +20688,10 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
 
     if (ret == 0) {
         /* Set the version. */
-        SetASN_Int8Bit(&dataASN[1], 0);
+        SetASN_Int8Bit(&dataASN[RSAKEYASN_IDX_VER], 0);
         /* Set all the mp_ints in private key. */
         for (i = 0; i < RSA_INTS; i++) {
-            SetASN_MP(&dataASN[2 + i], GetRsaInt(key, i));
+            SetASN_MP(&dataASN[(byte)RSAKEYASN_IDX_N + i], GetRsaInt(key, i));
         }
 
         /* Calculate size of RSA private key encoding. */
@@ -20569,17 +20965,25 @@ static int wc_SetCert_LoadDer(Cert* cert, const byte* der, word32 derSz)
  * See ASN.1 template 'eccSpecifiedASN' for specifiedCurve.
  */
 static const ASNItem eccPublicKeyASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* AlgorithmIdentifier */
-/*  1 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
-                    /* algorithm */
-/*  2 */            { 2, ASN_OBJECT_ID, 0, 0, 0 },
-                    /* namedCurve */
-/*  3 */            { 2, ASN_OBJECT_ID, 0, 0, 2 },
-                    /* specifiedCurve - explicit parameters */
-/*  4 */            { 2, ASN_SEQUENCE, 1, 0, 2 },
-                /*  */
-/*  5 */        { 1, ASN_BIT_STRING, 0, 0, 0 },
+/* SEQ            */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                             /* AlgorithmIdentifier */
+/* ALGOID_SEQ     */     { 1, ASN_SEQUENCE, 1, 1, 0 },
+                                                 /* algorithm */
+/* ALGOID_OID     */         { 2, ASN_OBJECT_ID, 0, 0, 0 },
+                                                 /* namedCurve */
+/* ALGOID_CURVEID */         { 2, ASN_OBJECT_ID, 0, 0, 2 },
+                                                 /* specifiedCurve - explicit parameters */
+/* ALGOID_PARAMS  */         { 2, ASN_SEQUENCE, 1, 0, 2 },
+                                             /* Public Key */
+/* PUBKEY         */     { 1, ASN_BIT_STRING, 0, 0, 0 },
+};
+enum {
+    ECCPUBLICKEYASN_IDX_SEQ = 0,
+    ECCPUBLICKEYASN_IDX_ALGOID_SEQ,
+    ECCPUBLICKEYASN_IDX_ALGOID_OID,
+    ECCPUBLICKEYASN_IDX_ALGOID_CURVEID,
+    ECCPUBLICKEYASN_IDX_ALGOID_PARAMS,
+    ECCPUBLICKEYASN_IDX_PUBKEY,
 };
 
 /* Number of items in ASN.1 template for ECC public key. */
@@ -20742,13 +21146,15 @@ static int SetEccPublicKey(byte* output, ecc_key* key, int outLen,
 
         if (ret == 0) {
             /* Set the key type OID. */
-            SetASN_OID(&dataASN[2], ECDSAk, oidKeyType);
+            SetASN_OID(&dataASN[ECCPUBLICKEYASN_IDX_ALGOID_OID], ECDSAk,
+                    oidKeyType);
             /* Set the curve OID. */
-            SetASN_Buffer(&dataASN[3], key->dp->oid, key->dp->oidSz);
+            SetASN_Buffer(&dataASN[ECCPUBLICKEYASN_IDX_ALGOID_CURVEID],
+                    key->dp->oid, key->dp->oidSz);
             /* Don't try to write out explicit parameters. */
-            dataASN[4].noOut = 1;
+            dataASN[ECCPUBLICKEYASN_IDX_ALGOID_PARAMS].noOut = 1;
             /* Set size of public point to ensure space is made for it. */
-            SetASN_Buffer(&dataASN[5], NULL, pubSz);
+            SetASN_Buffer(&dataASN[ECCPUBLICKEYASN_IDX_PUBKEY], NULL, pubSz);
             /* Calculate size of ECC public key. */
             ret = SizeASN_Items(eccPublicKeyASN, dataASN,
                                 eccPublicKeyASN_Length, &sz);
@@ -20875,13 +21281,19 @@ int wc_EccPublicKeyDerSize(ecc_key* key, int with_AlgCurve)
  */
 static const ASNItem edPubKeyASN[] = {
             /* SubjectPublicKeyInfo */
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* AlgorithmIdentifier */
-/*  1 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
-                    /* Ed25519/Ed448 OID */
-/*  2 */            { 2, ASN_OBJECT_ID, 0, 0, 1 },
-                /* Public key stream */
-/*  3 */        { 1, ASN_BIT_STRING, 0, 0, 0 },
+/* SEQ        */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                     /* AlgorithmIdentifier */
+/* ALGOID_SEQ */     { 1, ASN_SEQUENCE, 1, 1, 0 },
+                                         /* Ed25519/Ed448 OID */
+/* ALGOID_OID */         { 2, ASN_OBJECT_ID, 0, 0, 1 },
+                                     /* Public key stream */
+/* PUBKEY     */     { 1, ASN_BIT_STRING, 0, 0, 0 },
+};
+enum {
+    EDPUBKEYASN_IDX_SEQ = 0,
+    EDPUBKEYASN_IDX_ALGOID_SEQ,
+    EDPUBKEYASN_IDX_ALGOID_OID,
+    EDPUBKEYASN_IDX_PUBKEY,
 };
 
 /* Number of items in ASN.1 template for Ed25519 and Ed448 public key. */
@@ -20967,9 +21379,10 @@ static int SetAsymKeyDerPublic(const byte* pubKey, word32 pubKeyLen,
 
         if (ret == 0) {
             /* Set the OID. */
-            SetASN_OID(&dataASN[2], keyType, oidKeyType);
+            SetASN_OID(&dataASN[EDPUBKEYASN_IDX_ALGOID_OID], keyType,
+                    oidKeyType);
             /* Leave space for public point. */
-            SetASN_Buffer(&dataASN[3], NULL, pubKeyLen);
+            SetASN_Buffer(&dataASN[EDPUBKEYASN_IDX_PUBKEY], NULL, pubKeyLen);
             /* Calculate size of public key encoding. */
             ret = SizeASN_Items(edPubKeyASN, dataASN, edPubKeyASN_Length, &sz);
         }
@@ -20980,7 +21393,7 @@ static int SetAsymKeyDerPublic(const byte* pubKey, word32 pubKeyLen,
             /* Encode public key. */
             SetASN_Items(edPubKeyASN, dataASN, edPubKeyASN_Length, output);
             /* Set location to encode public point. */
-            output = (byte*)dataASN[3].data.buffer.data;
+            output = (byte*)dataASN[EDPUBKEYASN_IDX_PUBKEY].data.buffer.data;
         }
 
         FREE_ASNSETDATA(dataASN, NULL);
@@ -21070,7 +21483,7 @@ int wc_Ed448PublicKeyToDer(ed448_key* key, byte* output, word32 inLen,
 }
 #endif /* HAVE_ED448 && HAVE_ED448_KEY_EXPORT */
 
-#if defined(HAVE_LIBOQS)
+#if defined(HAVE_PQC)
 /* Encode the public part of an Falcon key in DER.
  *
  * Pass NULL for output to get the size of the encoding.
@@ -21113,7 +21526,7 @@ int wc_Falcon_PublicKeyToDer(falcon_key* key, byte* output, word32 inLen,
 
     return ret;
 }
-#endif /* HAVE_LIBOQS */
+#endif /* HAVE_PQC */
 
 #ifdef WOLFSSL_CERT_GEN
 
@@ -21541,8 +21954,12 @@ static int SetOjectIdValue(byte* output, word32 outSz, int* idx,
  * Dynamic creation of template for encoding.
  */
 static const ASNItem ekuASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/*  1 */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
+/* SEQ */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+/* OID */     { 1, ASN_OBJECT_ID, 0, 0, 0 },
+};
+enum {
+    EKUASN_IDX_SEQ = 0,
+    EKUASN_IDX_OID,
 };
 
 /* OIDs corresponding to extended key usage. */
@@ -21672,7 +22089,7 @@ static int SetExtKeyUsage(Cert* cert, byte* output, word32 outSz, byte input)
 
     if (ret == 0) {
         /* Copy Sequence into dynamic ASN.1 template. */
-        XMEMCPY(&extKuASN[0], ekuASN, sizeof(ASNItem));
+        XMEMCPY(&extKuASN[EKUASN_IDX_SEQ], ekuASN, sizeof(ASNItem));
         /* Clear dynamic data. */
         XMEMSET(dataASN, 0, cnt * sizeof(ASNSetData));
 
@@ -21680,7 +22097,8 @@ static int SetExtKeyUsage(Cert* cert, byte* output, word32 outSz, byte input)
         /* If 'any' set, then just use it. */
         if ((input & EXTKEYUSE_ANY) == EXTKEYUSE_ANY) {
             /* Set template item. */
-            XMEMCPY(&extKuASN[1], &ekuASN[1], sizeof(ASNItem));
+            XMEMCPY(&extKuASN[EKUASN_IDX_OID], &ekuASN[EKUASN_IDX_OID],
+                    sizeof(ASNItem));
             /* Set data item. */
             SetASN_Buffer(&dataASN[asnIdx], extExtKeyUsageAnyOid,
                 sizeof(extExtKeyUsageAnyOid));
@@ -21691,7 +22109,8 @@ static int SetExtKeyUsage(Cert* cert, byte* output, word32 outSz, byte input)
             for (i = EKU_OID_LO; i <= EKU_OID_HI; i++) {
                 if ((input & (1 << i)) != 0) {
                     /* Set template item. */
-                    XMEMCPY(&extKuASN[asnIdx], &ekuASN[1], sizeof(ASNItem));
+                    XMEMCPY(&extKuASN[asnIdx], &ekuASN[EKUASN_IDX_OID],
+                            sizeof(ASNItem));
                     /* Set data item. */
                     SetASN_Buffer(&dataASN[asnIdx], ekuOid[i - 1].oid,
                         ekuOid[i - 1].oidSz);
@@ -21705,7 +22124,8 @@ static int SetExtKeyUsage(Cert* cert, byte* output, word32 outSz, byte input)
                     int sz = cert->extKeyUsageOIDSz[i];
                     if (sz > 0) {
                         /* Set template item. */
-                        XMEMCPY(&extKuASN[asnIdx], &ekuASN[1], sizeof(ASNItem));
+                        XMEMCPY(&extKuASN[asnIdx], &ekuASN[EKUASN_IDX_OID],
+                                sizeof(ASNItem));
                         /* Set data item. */
                         SetASN_Buffer(&dataASN[asnIdx], cert->extKeyUsageOID[i],
                             sz);
@@ -21902,12 +22322,12 @@ static int SetCertificatePolicies(byte *output,
 
         oidSz = sizeof(oid);
         XMEMSET(oid, 0, oidSz);
-        dataASN[2].noOut = 1;
+        dataASN[POLICYINFOASN_IDX_QUALI].noOut = 1;
 
         ret = EncodePolicyOID(oid, &oidSz, input[i], heap);
         if (ret == 0) {
             XMEMSET(dataASN, 0, sizeof(dataASN));
-            SetASN_Buffer(&dataASN[1], oid, oidSz);
+            SetASN_Buffer(&dataASN[POLICYINFOASN_IDX_ID], oid, oidSz);
             ret = SizeASN_Items(policyInfoASN, dataASN, policyInfoASN_Length,
                                 &piSz);
         }
@@ -22188,7 +22608,7 @@ static int EncodeName(EncodedName* name, const char* nameStr,
 
     return idx;
 #else
-    ASNSetData dataASN[rdnASN_Length];
+    DECL_ASNSETDATA(dataASN, rdnASN_Length);
     ASNItem namesASN[rdnASN_Length];
     byte dnOid[DN_OID_SZ] = { 0x55, 0x04, 0x00 };
     int ret = 0;
@@ -22202,14 +22622,12 @@ static int EncodeName(EncodedName* name, const char* nameStr,
         ret = BAD_FUNC_ARG;
     }
 
+    CALLOC_ASNSETDATA(dataASN, rdnASN_Length, ret, NULL);
     if (ret == 0) {
         nameSz = (word32)XSTRLEN(nameStr);
-
-        /* Clear data to use when encoding. */
-        XMEMSET(dataASN, 0, rdnASN_Length * sizeof(ASNSetData));
         /* Copy the RDN encoding template. ASN.1 tag for the name string is set
          * based on type. */
-        XMEMCPY(namesASN, rdnASN, rdnASN_Length * sizeof(ASNItem));
+        XMEMCPY(namesASN, rdnASN, sizeof(namesASN));
 
         /* Set OID and ASN.1 tag for name depending on type. */
         switch (type) {
@@ -22241,11 +22659,11 @@ static int EncodeName(EncodedName* name, const char* nameStr,
         }
 
         /* Set OID corresponding to the name type. */
-        SetASN_Buffer(&dataASN[2], oid, oidSz);
+        SetASN_Buffer(&dataASN[RDNASN_IDX_ATTR_TYPE], oid, oidSz);
         /* Set name string. */
-        SetASN_Buffer(&dataASN[3], (const byte *)nameStr, nameSz);
+        SetASN_Buffer(&dataASN[RDNASN_IDX_ATTR_VAL], (const byte *)nameStr, nameSz);
         /* Set the ASN.1 tag for the name string. */
-        namesASN[3].tag = nameTag;
+        namesASN[RDNASN_IDX_ATTR_VAL].tag = nameTag;
 
         /* Calculate size of encoded name and indexes of components. */
         ret = SizeASN_Items(namesASN, dataASN, rdnASN_Length, &sz);
@@ -22267,6 +22685,7 @@ static int EncodeName(EncodedName* name, const char* nameStr,
     }
     (void)cname;
 
+    FREE_ASNSETDATA(dataASN, NULL);
     return ret;
 #endif /* WOLFSSL_ASN_TEMPLATE */
 }
@@ -22309,9 +22728,9 @@ static void SetRdnItems(ASNItem* namesASN, ASNSetData* dataASN, const byte* oid,
     int oidSz, byte tag, const byte* data, int sz)
 {
     XMEMCPY(namesASN, rdnASN, sizeof(rdnASN));
-    SetASN_Buffer(&dataASN[2], oid, oidSz);
-    namesASN[3].tag = tag;
-    SetASN_Buffer(&dataASN[3], data, sz);
+    SetASN_Buffer(&dataASN[RDNASN_IDX_ATTR_TYPE], oid, oidSz);
+    namesASN[RDNASN_IDX_ATTR_VAL].tag = tag;
+    SetASN_Buffer(&dataASN[RDNASN_IDX_ATTR_VAL], data, sz);
 }
 
 #ifdef WOLFSSL_MULTI_ATTRIB
@@ -22337,9 +22756,111 @@ static int FindMultiAttrib(CertName* name, int id, int* idx)
 static const ASNItem nameASN[] = {
     { 0, ASN_SEQUENCE, 1, 1, 0 },
 };
+enum {
+    NAMEASN_IDX_SEQ = 0,
+};
 
 /* Number of items in ASN.1 template for the SEQUENCE around the RDNs. */
 #define nameASN_Length (sizeof(nameASN) / sizeof(ASNItem))
+
+static int SetNameRdnItems(ASNSetData* dataASN, ASNItem* namesASN,
+        int maxIdx, CertName* name)
+{
+    int         i;
+    int         idx;
+    int         ret = 0;
+    int         nameLen[NAME_ENTRIES];
+#ifdef WOLFSSL_MULTI_ATTRIB
+    int         j;
+#endif
+
+    for (i = 0; i < NAME_ENTRIES; i++) {
+        /* Keep name length to identify component is to be encoded. */
+        const char* nameStr = GetOneCertName(name, i);
+        nameLen[i] = nameStr ? (int)XSTRLEN(nameStr) : 0;
+    }
+
+    idx = nameASN_Length;
+    for (i = 0; i < NAME_ENTRIES; i++) {
+        int type = GetCertNameId(i);
+
+    #ifdef WOLFSSL_MULTI_ATTRIB
+        j = -1;
+        /* Put DomainComponents before OrgUnitName. */
+        while (FindMultiAttrib(name, type, &j)) {
+            if (dataASN != NULL && namesASN != NULL) {
+                if (idx > maxIdx - (int)rdnASN_Length) {
+                    WOLFSSL_MSG("Wanted to write more ASN than allocated");
+                    ret = BUFFER_E;
+                    break;
+                }
+                /* Copy data into dynamic vars. */
+                SetRdnItems(namesASN + idx, dataASN + idx, dcOid,
+                    sizeof(dcOid), name->name[j].type,
+                    (byte*)name->name[j].value, name->name[j].sz);
+            }
+            idx += rdnASN_Length;
+        }
+        if (ret != 0)
+            break;
+    #endif
+
+        if (nameLen[i] > 0) {
+            if (dataASN != NULL && nameASN != NULL) {
+                if (idx > maxIdx - (int)rdnASN_Length) {
+                    WOLFSSL_MSG("Wanted to write more ASN than allocated");
+                    ret = BUFFER_E;
+                    break;
+                }
+                /* Write out first instance of attribute type. */
+                if (type == ASN_EMAIL_NAME) {
+                    /* Copy email data into dynamic vars. */
+                    SetRdnItems(namesASN + idx, dataASN + idx, attrEmailOid,
+                        sizeof(attrEmailOid), ASN_IA5_STRING,
+                        (const byte*)GetOneCertName(name, i), nameLen[i]);
+                }
+                else if (type == ASN_CUSTOM_NAME) {
+                #ifdef WOLFSSL_CUSTOM_OID
+                    SetRdnItems(namesASN + idx, dataASN + idx, name->custom.oid,
+                        name->custom.oidSz, name->custom.enc,
+                        name->custom.val, name->custom.valSz);
+                #endif
+                }
+                else {
+                    /* Copy name data into dynamic vars. */
+                    SetRdnItems(namesASN + idx, dataASN + idx, nameOid[i],
+                        NAME_OID_SZ, GetNameType(name, i),
+                        (const byte*)GetOneCertName(name, i), nameLen[i]);
+                }
+            }
+            idx += rdnASN_Length;
+        }
+
+    #ifdef WOLFSSL_MULTI_ATTRIB
+        j = -1;
+        /* Write all other attributes of this type. */
+        while (FindMultiAttrib(name, type, &j)) {
+            if (dataASN != NULL && namesASN != NULL) {
+                if (idx > maxIdx - (int)rdnASN_Length) {
+                    WOLFSSL_MSG("Wanted to write more ASN than allocated");
+                    ret = BUFFER_E;
+                    break;
+                }
+                /* Copy data into dynamic vars. */
+                SetRdnItems(namesASN + idx, dataASN + idx, nameOid[type],
+                    NAME_OID_SZ, name->name[j].type,
+                    (byte*)name->name[j].value, name->name[j].sz);
+            }
+            idx += rdnASN_Length;
+        }
+        if (ret != 0)
+            break;
+    #endif
+    }
+    if (ret == 0)
+        ret = idx;
+    return ret;
+}
 #endif
 
 /* encode CertName into output, return total bytes written */
@@ -22459,44 +22980,28 @@ int SetNameEx(byte* output, word32 outputSz, CertName* name, void* heap)
 #else
     /* TODO: consider calculating size of entries, putting length into
      * SEQUENCE, encode SEQUENCE, encode entries into buffer.  */
-    ASNSetData* dataASN;
-    ASNItem*    namesASN;
-    int         i;
-    int         idx;
+    ASNSetData* dataASN = NULL; /* Can't use DECL_ASNSETDATA. Always dynamic. */
+    ASNItem*    namesASN = NULL;
+    int         items;
     int         ret = 0;
     int         sz;
-    int         nameLen[NAME_ENTRIES];
-#ifdef WOLFSSL_MULTI_ATTRIB
-    int         j;
-#endif
 
     /* Calculate length of name entries and size for allocating. */
-    idx = nameASN_Length;
-    for (i = 0; i < NAME_ENTRIES; i++) {
-        /* Keep name length to identify component is to be encoded. */
-        const char* nameStr = GetOneCertName(name, i);
-        nameLen[i] = nameStr ? (int)XSTRLEN(nameStr) : 0;
-        if (nameLen[i] > 0) {
-            idx += rdnASN_Length;
-        }
+    ret = SetNameRdnItems(NULL, NULL, 0, name);
+    if (ret > 0) {
+        items = ret;
+        ret = 0;
     }
-    #ifdef WOLFSSL_MULTI_ATTRIB
-    /* Count the extra attributes too. */
-    for (i = 0; i < CTC_MAX_ATTRIB; i++) {
-        if (name->name[i].sz > 0)
-            idx += rdnASN_Length;
-    }
-    #endif
 
     /* Allocate dynamic data items. */
-    dataASN = (ASNSetData*)XMALLOC(idx * sizeof(ASNSetData), heap,
+    dataASN = (ASNSetData*)XMALLOC(items * sizeof(ASNSetData), heap,
                                    DYNAMIC_TYPE_TMP_BUFFER);
     if (dataASN == NULL) {
         ret = MEMORY_E;
     }
     else {
         /* Allocate dynamic ASN.1 template items. */
-        namesASN = (ASNItem*)XMALLOC(idx * sizeof(ASNItem), heap,
+        namesASN = (ASNItem*)XMALLOC(items * sizeof(ASNItem), heap,
                                      DYNAMIC_TYPE_TMP_BUFFER);
         if (namesASN == NULL) {
             ret = MEMORY_E;
@@ -22505,81 +23010,41 @@ int SetNameEx(byte* output, word32 outputSz, CertName* name, void* heap)
 
     if (ret == 0) {
         /* Clear the dynamic data. */
-        XMEMSET(dataASN, 0, idx * sizeof(ASNSetData));
+        XMEMSET(dataASN, 0, items * sizeof(ASNSetData));
         /* Copy in the outer sequence. */
         XMEMCPY(namesASN, nameASN, sizeof(nameASN));
 
-        idx = nameASN_Length;
-        for (i = 0; i < NAME_ENTRIES; i++) {
-            int type = GetCertNameId(i);
-
-        #ifdef WOLFSSL_MULTI_ATTRIB
-            j = -1;
-            /* Put DomainComponents before OrgUnitName. */
-            while (FindMultiAttrib(name, type, &j)) {
-                /* Copy data into dynamic vars. */
-                SetRdnItems(namesASN + idx, dataASN + idx, dcOid,
-                    sizeof(dcOid), name->name[j].type,
-                    (byte*)name->name[j].value, name->name[j].sz);
-                idx += rdnASN_Length;
-            }
-        #endif
-
-            if (nameLen[i] > 0) {
-                /* Write out first instance of attribute type. */
-                if (type == ASN_EMAIL_NAME) {
-                    /* Copy email data into dynamic vars. */
-                    SetRdnItems(namesASN + idx, dataASN + idx, attrEmailOid,
-                        sizeof(attrEmailOid), ASN_IA5_STRING,
-                        (const byte*)GetOneCertName(name, i), nameLen[i]);
-                }
-                else if (type == ASN_CUSTOM_NAME) {
-                #ifdef WOLFSSL_CUSTOM_OID
-                    SetRdnItems(namesASN + idx, dataASN + idx, name->custom.oid,
-                        name->custom.oidSz, name->custom.enc,
-                        name->custom.val, name->custom.valSz);
-                #endif
-                }
-                else {
-                    /* Copy name data into dynamic vars. */
-                    SetRdnItems(namesASN + idx, dataASN + idx, nameOid[i],
-                        NAME_OID_SZ, GetNameType(name, i),
-                        (const byte*)GetOneCertName(name, i), nameLen[i]);
-                }
-                idx += rdnASN_Length;
-            }
-
-        #ifdef WOLFSSL_MULTI_ATTRIB
-            j = -1;
-            /* Write all other attributes of this type. */
-            while (FindMultiAttrib(name, type, &j)) {
-                /* Copy data into dynamic vars. */
-                SetRdnItems(namesASN + idx, dataASN + idx, nameOid[type],
-                    NAME_OID_SZ, name->name[j].type,
-                    (byte*)name->name[j].value, name->name[j].sz);
-                idx += rdnASN_Length;
-            }
-        #endif
+        ret = SetNameRdnItems(dataASN, namesASN, items, name);
+        if (ret == items)
+            ret = 0;
+        else if (ret > 0) {
+            WOLFSSL_MSG("SetNameRdnItems returned different length");
+            ret = BUFFER_E;
         }
-
-        /* Calculate size of encoding. */
-        ret = SizeASN_Items(namesASN, dataASN, idx, &sz);
-    }
-    /* Check buffer size if passed in. */
-    if ((ret == 0) && (output != NULL) && (sz > (int)outputSz)) {
-        ret = BUFFER_E;
-    }
-    if ((ret == 0) && (output != NULL)) {
-        /* Encode Name. */
-        SetASN_Items(namesASN, dataASN, idx, output);
     }
     if (ret == 0) {
-        /* Return the encoding size. */
-        ret = sz;
+        /* Calculate size of encoding. */
+        ret = SizeASN_Items(namesASN, dataASN, items, &sz);
+    }
+    /* Check buffer size if passed in. */
+    if (ret == 0 && output != NULL && sz > (int)outputSz) {
+        ret = BUFFER_E;
+    }
+    if (ret == 0) {
+        if (output != NULL) {
+            /* Encode Name. */
+            ret = SetASN_Items(namesASN, dataASN, items, output);
+        }
+        else {
+            /* Return the encoding size. */
+            ret = sz;
+        }
     }
 
-    XFREE(namesASN, heap, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(dataASN, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (namesASN != NULL)
+        XFREE(namesASN, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (dataASN != NULL)
+        XFREE(dataASN, heap, DYNAMIC_TYPE_TMP_BUFFER);
     (void)heap;
     return ret;
 #endif
@@ -22651,60 +23116,102 @@ static int EncodePublicKey(int keyType, byte* output, int outLen,
  */
 static const ASNItem certExtsASN[] = {
             /* Basic Constraints Extension - 4.2.1.9 */
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/*  1 */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
-/*  2 */        { 1, ASN_OCTET_STRING, 0, 1, 0 },
-/*  3 */            { 2, ASN_SEQUENCE, 1, 1, 0 },
-                        /* cA */
-/*  4 */                { 3, ASN_BOOLEAN, 0, 0, 0 },
-                        /* pathLenConstraint */
-/*  5 */                { 3, ASN_INTEGER, 0, 0, 1 },
-            /* Subject Alternative Name - 4.2.1.6  */
-/*  6 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/*  7 */       { 1, ASN_OBJECT_ID, 0, 0, 0 },
-/*  8 */       { 1, ASN_OCTET_STRING, 0, 0, 0 },
+/* BC_SEQ        */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+/* BC_OID        */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
+/* BC_STR        */        { 1, ASN_OCTET_STRING, 0, 1, 0 },
+/* BC_STR_SEQ    */            { 2, ASN_SEQUENCE, 1, 1, 0 },
+                                                   /* cA */
+/* BC_CA         */                { 3, ASN_BOOLEAN, 0, 0, 0 },
+                                                   /* pathLenConstraint */
+/* BC_PATHLEN    */                { 3, ASN_INTEGER, 0, 0, 1 },
+                                       /* Subject Alternative Name - 4.2.1.6  */
+/* SAN_SEQ       */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+/* SAN_OID       */       { 1, ASN_OBJECT_ID, 0, 0, 0 },
+/* SAN_STR       */       { 1, ASN_OCTET_STRING, 0, 0, 0 },
 #ifdef WOLFSSL_CERT_EXT
             /* Subject Key Identifier - 4.2.1.2 */
-/*  9 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/* 10 */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
-/* 11 */        { 1, ASN_OCTET_STRING, 0, 1, 0 },
-/* 12 */            { 2, ASN_OCTET_STRING, 0, 0, 0 },
-            /* Authority Key Identifier - 4.2.1.1 */
-/* 13 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/* 14 */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
-/* 15 */        { 1, ASN_OCTET_STRING, 0, 1, 0 },
-/* 16 */            { 2, ASN_SEQUENCE, 1, 1, 0 },
-/* 17 */                { 3, ASN_CONTEXT_SPECIFIC | 0, 0, 0, 0 },
-            /* Key Usage - 4.2.1.3 */
-/* 18 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/* 19 */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
-/* 20 */        { 1, ASN_BOOLEAN, 0, 0, 0 },
-/* 21 */        { 1, ASN_OCTET_STRING, 0, 1, 0 },
-/* 22 */            { 2, ASN_BIT_STRING, 0, 0, 0 },
-            /* Extended Key Usage - 4,2,1,12 */
-/* 23 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/* 24 */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
-/* 25 */        { 1, ASN_OCTET_STRING, 0, 0, 0 },
-            /* Certificate Policies - 4.2.1.4 */
-/* 26 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/* 27 */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
-/* 28 */        { 1, ASN_OCTET_STRING, 0, 1, 0 },
-/* 29 */            { 2, ASN_SEQUENCE, 0, 0, 0 },
-            /* Netscape Certificate Type */
-/* 30 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/* 31 */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
-/* 32 */        { 1, ASN_OCTET_STRING, 0, 1, 0 },
-/* 33 */            { 2, ASN_BIT_STRING, 0, 0, 0 },
-/* 34 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/* 35 */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
-/* 36 */        { 1, ASN_OCTET_STRING, 0, 0, 0 },
+/* SKID_SEQ      */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+/* SKID_OID      */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
+/* SKID_STR      */        { 1, ASN_OCTET_STRING, 0, 1, 0 },
+/* SKID_KEYID    */            { 2, ASN_OCTET_STRING, 0, 0, 0 },
+                                       /* Authority Key Identifier - 4.2.1.1 */
+/* AKID_SEQ      */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+/* AKID_OID      */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
+/* AKID_STR      */        { 1, ASN_OCTET_STRING, 0, 1, 0 },
+/* AKID_STR_SEQ, */            { 2, ASN_SEQUENCE, 1, 1, 0 },
+/* AKID_KEYID    */                { 3, ASN_CONTEXT_SPECIFIC | 0, 0, 0, 0 },
+                                       /* Key Usage - 4.2.1.3 */
+/* KU_SEQ        */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+/* KU_OID        */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
+/* KU_CRIT       */        { 1, ASN_BOOLEAN, 0, 0, 0 },
+/* KU_STR        */        { 1, ASN_OCTET_STRING, 0, 1, 0 },
+/* KU_USAGE      */            { 2, ASN_BIT_STRING, 0, 0, 0 },
+                                       /* Extended Key Usage - 4,2,1,12 */
+/* EKU_SEQ       */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+/* EKU_OID       */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
+/* EKU_STR       */        { 1, ASN_OCTET_STRING, 0, 0, 0 },
+                                       /* Certificate Policies - 4.2.1.4 */
+/* POLICIES_SEQ, */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+/* POLICIES_OID, */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
+/* POLICIES_STR, */        { 1, ASN_OCTET_STRING, 0, 1, 0 },
+/* POLICIES_INFO */            { 2, ASN_SEQUENCE, 0, 0, 0 },
+                                       /* Netscape Certificate Type */
+/* NSTYPE_SEQ    */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+/* NSTYPE_OID    */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
+/* NSTYPE_STR    */        { 1, ASN_OCTET_STRING, 0, 1, 0 },
+/* NSTYPE_USAGE, */            { 2, ASN_BIT_STRING, 0, 0, 0 },
+/* CRLINFO_SEQ   */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+/* CRLINFO_OID   */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
+/* CRLINFO_STR   */        { 1, ASN_OCTET_STRING, 0, 0, 0 },
 #endif /* WOLFSSL_CERT_EXT */
 #ifdef WOLFSSL_CUSTOM_OID
-/* 37 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-/* 38 */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
-/* 39 */        { 1, ASN_OCTET_STRING, 0, 0, 0 },
+/* CUSTOM_SEQ    */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+/* CUSTOM_OID    */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
+/* CUSTOM_STR    */        { 1, ASN_OCTET_STRING, 0, 0, 0 },
 #endif
 };
+enum {
+    CERTEXTSASN_IDX_BC_SEQ = 0,
+    CERTEXTSASN_IDX_BC_OID,
+    CERTEXTSASN_IDX_BC_STR,
+    CERTEXTSASN_IDX_BC_STR_SEQ,
+    CERTEXTSASN_IDX_BC_CA,
+    CERTEXTSASN_IDX_BC_PATHLEN,
+    CERTEXTSASN_IDX_SAN_SEQ,
+    CERTEXTSASN_IDX_SAN_OID,
+    CERTEXTSASN_IDX_SAN_STR,
+    CERTEXTSASN_IDX_SKID_SEQ,
+    CERTEXTSASN_IDX_SKID_OID,
+    CERTEXTSASN_IDX_SKID_STR,
+    CERTEXTSASN_IDX_SKID_KEYID,
+    CERTEXTSASN_IDX_AKID_SEQ,
+    CERTEXTSASN_IDX_AKID_OID,
+    CERTEXTSASN_IDX_AKID_STR,
+    CERTEXTSASN_IDX_AKID_STR_SEQ,
+    CERTEXTSASN_IDX_AKID_KEYID,
+    CERTEXTSASN_IDX_KU_SEQ,
+    CERTEXTSASN_IDX_KU_OID,
+    CERTEXTSASN_IDX_KU_CRIT,
+    CERTEXTSASN_IDX_KU_STR,
+    CERTEXTSASN_IDX_KU_USAGE,
+    CERTEXTSASN_IDX_EKU_SEQ,
+    CERTEXTSASN_IDX_EKU_OID,
+    CERTEXTSASN_IDX_EKU_STR,
+    CERTEXTSASN_IDX_POLICIES_SEQ,
+    CERTEXTSASN_IDX_POLICIES_OID,
+    CERTEXTSASN_IDX_POLICIES_STR,
+    CERTEXTSASN_IDX_POLICIES_INFO,
+    CERTEXTSASN_IDX_NSTYPE_SEQ,
+    CERTEXTSASN_IDX_NSTYPE_OID,
+    CERTEXTSASN_IDX_NSTYPE_STR,
+    CERTEXTSASN_IDX_NSTYPE_USAGE,
+    CERTEXTSASN_IDX_CRLINFO_SEQ,
+    CERTEXTSASN_IDX_CRLINFO_OID,
+    CERTEXTSASN_IDX_CRLINFO_STR,
+    CERTEXTSASN_IDX_CUSTOM_SEQ,
+    CERTEXTSASN_IDX_CUSTOM_OID,
+    CERTEXTSASN_IDX_CUSTOM_STR,
+};
 
 /* Number of items in ASN.1 template for certificate extensions. */
 #define certExtsASN_Length (sizeof(certExtsASN) / sizeof(ASNItem))
@@ -22737,66 +23244,80 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz,
     if (ret == 0) {
         if (cert->isCA) {
             /* Set Basic Constraints to be a Certificate Authority. */
-            SetASN_Boolean(&dataASN[4], 1);
-            SetASN_Buffer(&dataASN[1], bcOID, sizeof(bcOID));
+            SetASN_Boolean(&dataASN[CERTEXTSASN_IDX_BC_CA], 1);
+            SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_BC_OID], bcOID, sizeof(bcOID));
             /* TODO: consider adding path length field in Cert. */
-            dataASN[5].noOut = 1;
+            dataASN[CERTEXTSASN_IDX_BC_PATHLEN].noOut = 1;
         }
         else {
             /* Don't write out Basic Constraints extension items. */
-            SetASNItem_NoOut(dataASN, 0, 5);
+            SetASNItem_NoOut(dataASN, CERTEXTSASN_IDX_BC_SEQ,
+                    CERTEXTSASN_IDX_BC_PATHLEN);
         }
     #ifdef WOLFSSL_ALT_NAMES
         if (!forRequest && cert->altNamesSz > 0) {
             /* Set Subject Alternative Name OID and data. */
-            SetASN_Buffer(&dataASN[7], sanOID, sizeof(sanOID));
-            SetASN_Buffer(&dataASN[8], cert->altNames, cert->altNamesSz);
+            SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_SAN_OID],
+                    sanOID, sizeof(sanOID));
+            SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_SAN_STR],
+                    cert->altNames, cert->altNamesSz);
         }
         else
     #endif
         {
             /* Don't write out Subject Alternative Name extension items. */
-            SetASNItem_NoOut(dataASN, 6, 8);
+            SetASNItem_NoOut(dataASN, CERTEXTSASN_IDX_SAN_SEQ,
+                    CERTEXTSASN_IDX_SAN_STR);
         }
     #ifdef WOLFSSL_CERT_EXT
         if (cert->skidSz > 0) {
             /* Set Subject Key Identifier OID and data. */
-            SetASN_Buffer(&dataASN[10], skidOID, sizeof(skidOID));
-            SetASN_Buffer(&dataASN[12], cert->skid, cert->skidSz);
+            SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_SKID_OID],
+                    skidOID, sizeof(skidOID));
+            SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_SKID_KEYID],
+                    cert->skid, cert->skidSz);
         }
         else {
             /* Don't write out Subject Key Identifier extension items. */
-            SetASNItem_NoOut(dataASN, 9, 12);
+            SetASNItem_NoOut(dataASN, CERTEXTSASN_IDX_SKID_SEQ,
+                    CERTEXTSASN_IDX_SKID_KEYID);
         }
         if (cert->akidSz > 0) {
             /* Set Authority Key Identifier OID and data. */
-            SetASN_Buffer(&dataASN[14], akidOID, sizeof(akidOID));
+            SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_AKID_OID],
+                    akidOID, sizeof(akidOID));
         #ifdef WOLFSSL_AKID_NAME
             if (cert->rawAkid) {
-                SetASN_Buffer(&dataASN[15], cert->akid, cert->akidSz);
+                SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_AKID_STR],
+                        cert->akid, cert->akidSz);
                 /* cert->akid contains the internal ext structure */
-                SetASNItem_NoOutBelow(dataASN, certExtsASN, 15,
-                        certExtsASN_Length);
+                SetASNItem_NoOutBelow(dataASN, certExtsASN,
+                        CERTEXTSASN_IDX_AKID_STR, certExtsASN_Length);
             }
             else
         #endif
             {
-                SetASN_Buffer(&dataASN[17], cert->akid, cert->akidSz);
+                SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_AKID_KEYID],
+                        cert->akid, cert->akidSz);
             }
         }
         else {
             /* Don't write out Authority Key Identifier extension items. */
-            SetASNItem_NoOut(dataASN, 13, 17);
+            SetASNItem_NoOut(dataASN, CERTEXTSASN_IDX_AKID_SEQ,
+                    CERTEXTSASN_IDX_AKID_KEYID);
         }
         if (cert->keyUsage != 0) {
             /* Set Key Usage OID, critical and value. */
-            SetASN_Buffer(&dataASN[19], kuOID, sizeof(kuOID));
-            SetASN_Boolean(&dataASN[20], 1);
-            SetASN_Int16Bit(&dataASN[22], cert->keyUsage);
+            SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_KU_OID],
+                    kuOID, sizeof(kuOID));
+            SetASN_Boolean(&dataASN[CERTEXTSASN_IDX_KU_CRIT], 1);
+            SetASN_Int16Bit(&dataASN[CERTEXTSASN_IDX_KU_USAGE],
+                    cert->keyUsage);
         }
         else {
             /* Don't write out Key Usage extension items. */
-            SetASNItem_NoOut(dataASN, 18, 22);
+            SetASNItem_NoOut(dataASN, CERTEXTSASN_IDX_KU_SEQ,
+                    CERTEXTSASN_IDX_KU_USAGE);
         }
         if (cert->extKeyUsage != 0) {
             /* Calculate size of Extended Key Usage data. */
@@ -22805,12 +23326,15 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz,
                 ret = KEYUSAGE_E;
             }
             /* Set Extended Key Usage OID and data. */
-            SetASN_Buffer(&dataASN[24], ekuOID, sizeof(ekuOID));
-            SetASN_Buffer(&dataASN[25], NULL, sz);
+            SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_EKU_OID],
+                    ekuOID, sizeof(ekuOID));
+            SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_EKU_STR],
+                    NULL, sz);
         }
         else {
             /* Don't write out Extended Key Usage extension items. */
-            SetASNItem_NoOut(dataASN, 23, 25);
+            SetASNItem_NoOut(dataASN, CERTEXTSASN_IDX_EKU_SEQ,
+                    CERTEXTSASN_IDX_EKU_STR);
         }
 
         if ((!forRequest) && (cert->certPoliciesNb > 0)) {
@@ -22819,9 +23343,11 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz,
                     cert->certPoliciesNb, cert->heap);
             if (sz > 0) {
                 /* Set Certificate Policies OID. */
-                SetASN_Buffer(&dataASN[27], cpOID, sizeof(cpOID));
+                SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_POLICIES_OID],
+                        cpOID, sizeof(cpOID));
                 /* Make space for data. */
-                SetASN_Buffer(&dataASN[29], NULL, sz);
+                SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_POLICIES_INFO],
+                        NULL, sz);
             }
             else {
                 ret = CERTPOLICIES_E;
@@ -22829,29 +23355,36 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz,
         }
         else {
             /* Don't write out Certificate Policies extension items. */
-            SetASNItem_NoOut(dataASN, 26, 29);
+            SetASNItem_NoOut(dataASN, CERTEXTSASN_IDX_POLICIES_SEQ,
+                    CERTEXTSASN_IDX_POLICIES_INFO);
         }
     #ifndef IGNORE_NETSCAPE_CERT_TYPE
         /* Netscape Certificate Type */
         if (cert->nsCertType != 0) {
             /* Set Netscape Certificate Type OID and data. */
-            SetASN_Buffer(&dataASN[31], nsCertOID, sizeof(nsCertOID));
-            SetASN_Buffer(&dataASN[33], &cert->nsCertType, 1);
+            SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_NSTYPE_OID],
+                    nsCertOID, sizeof(nsCertOID));
+            SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_NSTYPE_USAGE],
+                    &cert->nsCertType, 1);
         }
         else
     #endif
         {
             /* Don't write out Netscape Certificate Type. */
-            SetASNItem_NoOut(dataASN, 30, 33);
+            SetASNItem_NoOut(dataASN, CERTEXTSASN_IDX_NSTYPE_SEQ,
+                    CERTEXTSASN_IDX_NSTYPE_USAGE);
         }
         if (cert->crlInfoSz > 0) {
             /* Set CRL Distribution Points OID and data. */
-            SetASN_Buffer(&dataASN[35], crlInfoOID, sizeof(crlInfoOID));
-            SetASN_Buffer(&dataASN[36], cert->crlInfo, cert->crlInfoSz);
+            SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_CRLINFO_OID],
+                    crlInfoOID, sizeof(crlInfoOID));
+            SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_CRLINFO_STR],
+                    cert->crlInfo, cert->crlInfoSz);
         }
         else {
             /* Don't write out CRL Distribution Points. */
-            SetASNItem_NoOut(dataASN, 34, 36);
+            SetASNItem_NoOut(dataASN, CERTEXTSASN_IDX_CRLINFO_SEQ,
+                    CERTEXTSASN_IDX_CRLINFO_STR);
         }
     #endif /* WOLFSSL_CERT_EXT */
 
@@ -22859,12 +23392,15 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz,
         /* encode a custom oid and value */
         if (cert->extCustom.oidSz > 0) {
             /* Set CRL Distribution Points OID and data. */
-            SetASN_Buffer(&dataASN[38], cert->extCustom.oid, cert->extCustom.oidSz);
-            SetASN_Buffer(&dataASN[39], cert->extCustom.val, cert->extCustom.valSz);
+            SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_CUSTOM_OID],
+                    cert->extCustom.oid, cert->extCustom.oidSz);
+            SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_CUSTOM_STR],
+                    cert->extCustom.val, cert->extCustom.valSz);
         }
         else {
             /* Don't write out custom OID. */
-            SetASNItem_NoOut(dataASN, 37, 39);
+            SetASNItem_NoOut(dataASN, CERTEXTSASN_IDX_CUSTOM_SEQ,
+                    CERTEXTSASN_IDX_CUSTOM_STR);
         }
     #endif
     }
@@ -22891,16 +23427,19 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz,
     #ifdef WOLFSSL_CERT_EXT
         if (cert->extKeyUsage != 0){
             /* Encode Extended Key Usage into space provided. */
-            if (SetExtKeyUsage(cert, (byte*)dataASN[26].data.buffer.data,
-                dataASN[26].data.buffer.length, cert->extKeyUsage) <= 0) {
+            if (SetExtKeyUsage(cert,
+                    (byte*)dataASN[CERTEXTSASN_IDX_EKU_STR].data.buffer.data,
+                    dataASN[CERTEXTSASN_IDX_EKU_STR].data.buffer.length,
+                    cert->extKeyUsage) <= 0) {
                 ret = KEYUSAGE_E;
             }
         }
         if ((!forRequest) && (cert->certPoliciesNb > 0)) {
             /* Encode Certificate Policies into space provided. */
-            if (SetCertificatePolicies((byte*)dataASN[30].data.buffer.data,
-                    dataASN[30].data.buffer.length, cert->certPolicies,
-                    cert->certPoliciesNb, cert->heap) <= 0) {
+            if (SetCertificatePolicies(
+                    (byte*)dataASN[CERTEXTSASN_IDX_POLICIES_INFO].data.buffer.data,
+                    dataASN[CERTEXTSASN_IDX_POLICIES_INFO].data.buffer.length,
+                    cert->certPolicies, cert->certPoliciesNb, cert->heap) <= 0) {
                 ret = CERTPOLICIES_E;
             }
         }
@@ -23149,7 +23688,7 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
     }
 #endif
 
-#if defined(HAVE_LIBOQS)
+#if defined(HAVE_PQC)
     if ((cert->keyType == FALCON_LEVEL1_KEY) ||
         (cert->keyType == FALCON_LEVEL5_KEY)) {
         if (falconKey == NULL)
@@ -23627,14 +24166,14 @@ static int MakeSignature(CertSignCtx* certSignCtx, const byte* buf, int sz,
         }
     #endif /* HAVE_ED448 && HAVE_ED448_SIGN */
 
-    #if defined(HAVE_LIBOQS)
+    #if defined(HAVE_PQC)
         if (!rsaKey && !eccKey && !ed25519Key && !ed448Key && falconKey) {
             word32 outSz = sigSz;
             ret = wc_falcon_sign_msg(buf, sz, sig, &outSz, falconKey);
             if (ret == 0)
                 ret = outSz;
         }
-    #endif /* HAVE_LIBOQS */
+    #endif /* HAVE_PQC */
 
         break;
     }
@@ -23706,15 +24245,23 @@ static int GenerateInteger(WC_RNG* rng, byte* out, int len)
  * X.509: RFC 5280, 4.1 - Basic Certificate Fields.
  */
 static const ASNItem sigASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* tbsCertificate */
-/*  1 */        { 1, ASN_SEQUENCE, 1, 0, 0 },
-                /* signatureAlgorithm */
-/*  2 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
-/*  3 */            { 2, ASN_OBJECT_ID, 0, 0, 0 },
-/*  4 */            { 2, ASN_TAG_NULL, 0, 0, 0 },
-                /* signatureValue */
-/*  5 */        { 1, ASN_BIT_STRING, 0, 0, 0 },
+/* SEQ          */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                     /* tbsCertificate */
+/* TBS_SEQ      */        { 1, ASN_SEQUENCE, 1, 0, 0 },
+                                     /* signatureAlgorithm */
+/* SIGALGO_SEQ  */        { 1, ASN_SEQUENCE, 1, 1, 0 },
+/* SIGALGO_OID  */            { 2, ASN_OBJECT_ID, 0, 0, 0 },
+/* SIGALGO_NULL */            { 2, ASN_TAG_NULL, 0, 0, 0 },
+                                     /* signatureValue */
+/* SIGNATURE    */        { 1, ASN_BIT_STRING, 0, 0, 0 },
+};
+enum {
+    SIGASN_IDX_SEQ = 0,
+    SIGASN_IDX_TBS_SEQ,
+    SIGASN_IDX_SIGALGO_SEQ,
+    SIGASN_IDX_SIGALGO_OID,
+    SIGASN_IDX_SIGALGO_NULL,
+    SIGASN_IDX_SIGNATURE,
 };
 
 /* Number of items in ASN.1 template for a Certificate. */
@@ -23758,14 +24305,15 @@ int AddSignature(byte* buf, int bodySz, const byte* sig, int sigSz,
     /* In place, put body between SEQUENCE and signature. */
     if (ret == 0) {
         /* Set sigature OID and signature data. */
-        SetASN_OID(&dataASN[3], sigAlgoType, oidSigType);
+        SetASN_OID(&dataASN[SIGASN_IDX_SIGALGO_OID], sigAlgoType, oidSigType);
         if (IsSigAlgoECC(sigAlgoType)) {
             /* ECDSA and EdDSA doesn't have NULL tagged item. */
-            dataASN[4].noOut = 1;
+            dataASN[SIGASN_IDX_SIGALGO_NULL].noOut = 1;
         }
-        SetASN_Buffer(&dataASN[5], sig, sigSz);
+        SetASN_Buffer(&dataASN[SIGASN_IDX_SIGNATURE], sig, sigSz);
         /* Calcuate size of signature data. */
-        ret = SizeASN_Items(&sigASN[2], &dataASN[2], sigASN_Length - 2, &sz);
+        ret = SizeASN_Items(&sigASN[SIGASN_IDX_SIGALGO_SEQ],
+                &dataASN[SIGASN_IDX_SIGALGO_SEQ], sigASN_Length - 2, &sz);
     }
     if (ret == 0) {
         /* Calculate size of outer sequence by calculating size of the encoded
@@ -23776,7 +24324,7 @@ int AddSignature(byte* buf, int bodySz, const byte* sig, int sigSz,
             XMEMMOVE(buf + seqSz, buf, bodySz);
         }
         /* Leave space for body in encoding. */
-        SetASN_ReplaceBuffer(&dataASN[1], NULL, bodySz);
+        SetASN_ReplaceBuffer(&dataASN[SIGASN_IDX_TBS_SEQ], NULL, bodySz);
 
         /* Calculate overall size and put in offsets and lengths. */
         ret = SizeASN_Items(sigASN, dataASN, sigASN_Length, &sz);
@@ -23824,7 +24372,7 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz,
         cert->keyType = ED25519_KEY;
     else if (ed448Key)
         cert->keyType = ED448_KEY;
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     else if ((falconKey != NULL) && (falconKey->level == 1))
         cert->keyType = FALCON_LEVEL1_KEY;
     else if ((falconKey != NULL) && (falconKey->level == 5))
@@ -23865,6 +24413,7 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz,
     word32 issRawLen = 0;
     word32 sbjRawLen = 0;
 
+    (void)falconKey; /* Unused without OQS */
     CALLOC_ASNSETDATA(dataASN, x509CertASN_Length, ret, cert->heap);
 
     if (ret == 0) {
@@ -23885,7 +24434,7 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz,
             cert->keyType = ED448_KEY;
         }
         else if (falconKey != NULL) {
-        #ifdef HAVE_LIBOQS
+        #ifdef HAVE_PQC
             if (falconKey->level == 1)
                 cert->keyType = FALCON_LEVEL1_KEY;
             else if (falconKey->level == 5)
@@ -23944,96 +24493,110 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz,
     }
     if (ret >= 0) {
         /* Don't write out outer sequence - only doing body. */
-        dataASN[0].noOut = 1;
+        dataASN[X509CERTASN_IDX_SEQ].noOut = 1;
         /* Set version, serial number and signature OID */
-        SetASN_Int8Bit(&dataASN[3], cert->version);
-        SetASN_Buffer(&dataASN[4], cert->serial, cert->serialSz);
-        SetASN_OID(&dataASN[6], cert->sigType, oidSigType);
+        SetASN_Int8Bit(&dataASN[X509CERTASN_IDX_TBS_VER_INT], cert->version);
+        SetASN_Buffer(&dataASN[X509CERTASN_IDX_TBS_SERIAL], cert->serial,
+                cert->serialSz);
+        SetASN_OID(&dataASN[X509CERTASN_IDX_TBS_ALGOID_OID], cert->sigType,
+                oidSigType);
         if (IsSigAlgoECC(cert->sigType)) {
             /* No NULL tagged item with ECDSA and EdDSA signature OIDs. */
-            dataASN[7].noOut = 1;
+            dataASN[X509CERTASN_IDX_TBS_ALGOID_PARAMS].noOut = 1;
         }
         if (issRawLen > 0) {
     #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || \
         defined(WOLFSSL_CERT_REQ)
             /* Put in encoded issuer name. */
-            SetASN_Buffer(&dataASN[8], cert->issRaw, issuerSz);
+            SetASN_Buffer(&dataASN[X509CERTASN_IDX_TBS_ISSUER_SEQ],
+                    cert->issRaw, issuerSz);
     #endif
         }
         else {
             /* Leave space for issuer name. */
-            SetASN_ReplaceBuffer(&dataASN[8], NULL, issuerSz);
+            SetASN_ReplaceBuffer(&dataASN[X509CERTASN_IDX_TBS_ISSUER_SEQ],
+                    NULL, issuerSz);
         }
 
 #ifdef WOLFSSL_ALT_NAMES
         if (cert->beforeDateSz && cert->afterDateSz) {
             if (cert->beforeDate[0] == ASN_UTC_TIME) {
                 /* Make space for before date data. */
-                SetASN_Buffer(&dataASN[10], cert->beforeDate + 2,
-                    ASN_UTC_TIME_SIZE - 1);
+                SetASN_Buffer(&dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTB_UTC],
+                        cert->beforeDate + 2, ASN_UTC_TIME_SIZE - 1);
                 /* Don't put out Generalized Time before data. */
-                dataASN[11].noOut = 1;
+                dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTB_GT].noOut = 1;
             }
             else {
                 /* Don't put out UTC before data. */
-                dataASN[10].noOut = 1;
+                dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTB_UTC].noOut = 1;
                 /* Make space for before date data. */
-                SetASN_Buffer(&dataASN[11], cert->beforeDate + 2,
-                    ASN_GEN_TIME_SZ);
+                SetASN_Buffer(&dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTB_GT],
+                        cert->beforeDate + 2, ASN_GEN_TIME_SZ);
             }
             if (cert->afterDate[0] == ASN_UTC_TIME) {
                 /* Make space for after date data. */
-                SetASN_Buffer(&dataASN[12], cert->afterDate + 2,
-                    ASN_UTC_TIME_SIZE - 1);
+                SetASN_Buffer(&dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTA_UTC],
+                        cert->afterDate + 2, ASN_UTC_TIME_SIZE - 1);
                 /* Don't put out UTC Generalized Time after data. */
-                dataASN[13].noOut = 1;
+                dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTA_GT].noOut = 1;
             }
             else {
                 /* Don't put out UTC after data. */
-                dataASN[12].noOut = 1;
+                dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTA_UTC].noOut = 1;
                 /* Make space for after date data. */
-                SetASN_Buffer(&dataASN[13], cert->afterDate + 2,
-                    ASN_GEN_TIME_SZ);
+                SetASN_Buffer(&dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTA_GT],
+                        cert->afterDate + 2, ASN_GEN_TIME_SZ);
             }
         }
         else
 #endif
         {
             /* Don't put out UTC before data. */
-            dataASN[10].noOut = 1;
+            dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTB_UTC].noOut = 1;
             /* Make space for before date data. */
-            SetASN_Buffer(&dataASN[11], NULL, ASN_GEN_TIME_SZ);
+            SetASN_Buffer(&dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTB_GT],
+                    NULL, ASN_GEN_TIME_SZ);
             /* Don't put out UTC after data. */
-            dataASN[12].noOut = 1;
+            dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTA_UTC].noOut = 1;
             /* Make space for after date data. */
-            SetASN_Buffer(&dataASN[13], NULL, ASN_GEN_TIME_SZ);
+            SetASN_Buffer(&dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTA_GT],
+                    NULL, ASN_GEN_TIME_SZ);
         }
         if (sbjRawLen > 0) {
             /* Put in encoded subject name. */
     #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || \
         defined(WOLFSSL_CERT_REQ)
-            SetASN_Buffer(&dataASN[14], cert->sbjRaw, subjectSz);
+            SetASN_Buffer(&dataASN[X509CERTASN_IDX_TBS_SUBJECT_SEQ],
+                    cert->sbjRaw, subjectSz);
     #endif
         }
         else {
             /* Leave space for subject name. */
-            SetASN_ReplaceBuffer(&dataASN[14], NULL, subjectSz);
+            SetASN_ReplaceBuffer(&dataASN[X509CERTASN_IDX_TBS_SUBJECT_SEQ],
+                    NULL, subjectSz);
         }
         /* Leave space for public key. */
-        SetASN_ReplaceBuffer(&dataASN[15], NULL, publicKeySz);
+        SetASN_ReplaceBuffer(&dataASN[X509CERTASN_IDX_TBS_SPUBKEYINFO_SEQ],
+                NULL, publicKeySz);
         /* Replacement buffer instead of algorithm identifier items. */
-        SetASNItem_NoOut(dataASN, 16, 20);
+        SetASNItem_NoOut(dataASN,
+                X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_SEQ,
+                X509CERTASN_IDX_TBS_SPUBKEYINFO_PUBKEY);
         /* issuerUniqueID and subjectUniqueID not supported. */
-        dataASN[21].noOut = dataASN[22].noOut = 1;
+        dataASN[X509CERTASN_IDX_TBS_ISSUERUID].noOut = 1;
+        dataASN[X509CERTASN_IDX_TBS_SUBJECTUID].noOut = 1;
         /* Leave space for extensions if any set into certificate object. */
         if (extSz > 0) {
-            SetASN_Buffer(&dataASN[23], NULL, extSz);
+            SetASN_Buffer(&dataASN[X509CERTASN_IDX_TBS_EXT_SEQ], NULL, extSz);
         }
         else {
-            dataASN[23].noOut = 1;
+            SetASNItem_NoOutNode(dataASN, x509CertASN,
+                    X509CERTASN_IDX_TBS_EXT, x509CertASN_Length);
         }
         /* No signature - added later. */
-        SetASNItem_NoOut(dataASN, 24, 27);
+        SetASNItem_NoOut(dataASN, X509CERTASN_IDX_SIGALGO_SEQ,
+                X509CERTASN_IDX_SIGNATURE);
 
         /* Calculate encoded certificate body size. */
         ret = SizeASN_Items(x509CertASN, dataASN, x509CertASN_Length, &sz);
@@ -24048,14 +24611,18 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz,
 
         if (issRawLen == 0) {
             /* Encode issuer name into buffer. */
-            ret = SetNameEx((byte*)dataASN[8].data.buffer.data,
-                dataASN[8].data.buffer.length, &cert->issuer, cert->heap);
+            ret = SetNameEx(
+                (byte*)dataASN[X509CERTASN_IDX_TBS_ISSUER_SEQ].data.buffer.data,
+                dataASN[X509CERTASN_IDX_TBS_ISSUER_SEQ].data.buffer.length,
+                &cert->issuer, cert->heap);
         }
     }
     if ((ret >= 0) && (sbjRawLen == 0)) {
         /* Encode subject name into buffer. */
-        ret = SetNameEx((byte*)dataASN[14].data.buffer.data,
-            dataASN[14].data.buffer.length, &cert->subject, cert->heap);
+        ret = SetNameEx(
+            (byte*)dataASN[X509CERTASN_IDX_TBS_SUBJECT_SEQ].data.buffer.data,
+            dataASN[X509CERTASN_IDX_TBS_SUBJECT_SEQ].data.buffer.length,
+            &cert->subject, cert->heap);
     }
     if (ret >= 0) {
 #ifdef WOLFSSL_ALT_NAMES
@@ -24063,20 +24630,27 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz,
 #endif
         {
             /* Encode validity into buffer. */
-            ret = SetValidity((byte*)dataASN[11].data.buffer.data,
-                (byte*)dataASN[13].data.buffer.data, cert->daysValid);
+            ret = SetValidity(
+                (byte*)dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTB_GT]
+                               .data.buffer.data,
+                (byte*)dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTA_GT]
+                               .data.buffer.data, cert->daysValid);
         }
     }
     if (ret >= 0) {
         /* Encode public key into buffer. */
         ret = EncodePublicKey(cert->keyType,
-            (byte*)dataASN[15].data.buffer.data, dataASN[15].data.buffer.length,
+            (byte*)dataASN[X509CERTASN_IDX_TBS_SPUBKEYINFO_SEQ]
+                           .data.buffer.data,
+            dataASN[X509CERTASN_IDX_TBS_SPUBKEYINFO_SEQ]
+                           .data.buffer.length,
             rsaKey, eccKey, ed25519Key, ed448Key, dsaKey);
     }
-    if ((ret >= 0) && (!dataASN[23].noOut)) {
+    if ((ret >= 0) && (!dataASN[X509CERTASN_IDX_TBS_EXT_SEQ].noOut)) {
         /* Encode extensions into buffer. */
-        ret = EncodeExtensions(cert, (byte*)dataASN[23].data.buffer.data,
-            dataASN[23].data.buffer.length, 0);
+        ret = EncodeExtensions(cert,
+                (byte*)dataASN[X509CERTASN_IDX_TBS_EXT_SEQ].data.buffer.data,
+                dataASN[X509CERTASN_IDX_TBS_EXT_SEQ].data.buffer.length, 0);
     }
     if (ret >= 0) {
         /* Store encoded certifcate body size. */
@@ -24353,7 +24927,7 @@ static int EncodeCertReq(Cert* cert, DerCert* der, RsaKey* rsaKey,
             (word32)sizeof(der->publicKey), 1);
     }
 #endif
-#if defined(HAVE_LIBOQS)
+#if defined(HAVE_PQC)
     if ((cert->keyType == FALCON_LEVEL1_KEY) ||
         (cert->keyType == FALCON_LEVEL5_KEY)) {
         if (falconKey == NULL)
@@ -24577,26 +25151,42 @@ static int WriteCertReqBody(DerCert* der, byte* buf)
  * PKCS #10: RFC 2986, 4.1 - CertificationRequestInfo
  */
 static const ASNItem certReqBodyASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* version */
-/*  1 */        { 1, ASN_INTEGER, 0, 0, 0 },
-                /* subject */
-/*  2 */        { 1, ASN_SEQUENCE, 1, 0, 0 },
-                /* subjectPKInfo */
-/*  3 */        { 1, ASN_SEQUENCE, 1, 0, 0 },
-                /*  attributes*/
-/*  4 */        { 1, ASN_CONTEXT_SPECIFIC | 0, 1, 1, 1 },
-                    /* Challenge Password Attribute */
-/*  5 */            { 2, ASN_SEQUENCE, 1, 1, 1 },
-/*  6 */                { 3, ASN_OBJECT_ID, 0, 0, 0 },
-/*  7 */                { 3, ASN_SET, 1, 1, 0 },
-/*  8 */                    { 4, ASN_PRINTABLE_STRING, 0, 0, 0 },
-/*  9 */                    { 4, ASN_UTF8STRING, 0, 0, 0 },
-                    /* Extensions Attribute */
-/* 10 */            { 2, ASN_SEQUENCE, 1, 1, 1 },
-/* 11 */                { 3, ASN_OBJECT_ID, 0, 0, 0 },
-/* 12 */                { 3, ASN_SET, 1, 1, 0 },
-/* 13 */                    { 4, ASN_SEQUENCE, 1, 0, 0 },
+/* SEQ             */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                             /* version */
+/* VER             */     { 1, ASN_INTEGER, 0, 0, 0 },
+                                             /* subject */
+/* SUBJ_SEQ        */     { 1, ASN_SEQUENCE, 1, 0, 0 },
+                                             /* subjectPKInfo */
+/* SPUBKEYINFO_SEQ */     { 1, ASN_SEQUENCE, 1, 0, 0 },
+                                             /*  attributes*/
+/* ATTRS           */     { 1, ASN_CONTEXT_SPECIFIC | 0, 1, 1, 1 },
+                                                 /* Challenge Password Attribute */
+/* ATTRS_CPW_SEQ   */         { 2, ASN_SEQUENCE, 1, 1, 1 },
+/* ATTRS_CPW_OID   */             { 3, ASN_OBJECT_ID, 0, 0, 0 },
+/* ATTRS_CPW_SET   */             { 3, ASN_SET, 1, 1, 0 },
+/* ATTRS_CPW_PS    */                 { 4, ASN_PRINTABLE_STRING, 0, 0, 0 },
+/* ATTRS_CPW_UTF   */                 { 4, ASN_UTF8STRING, 0, 0, 0 },
+                                                 /* Extensions Attribute */
+/* EXT_SEQ         */         { 2, ASN_SEQUENCE, 1, 1, 1 },
+/* EXT_OID         */             { 3, ASN_OBJECT_ID, 0, 0, 0 },
+/* EXT_SET         */             { 3, ASN_SET, 1, 1, 0 },
+/* EXT_BODY        */                 { 4, ASN_SEQUENCE, 1, 0, 0 },
+};
+enum {
+    CERTREQBODYASN_IDX_SEQ = 0,
+    CERTREQBODYASN_IDX_VER,
+    CERTREQBODYASN_IDX_SUBJ_SEQ,
+    CERTREQBODYASN_IDX_SPUBKEYINFO_SEQ,
+    CERTREQBODYASN_IDX_ATTRS,
+    CERTREQBODYASN_IDX_ATTRS_CPW_SEQ,
+    CERTREQBODYASN_IDX_ATTRS_CPW_OID,
+    CERTREQBODYASN_IDX_ATTRS_CPW_SET,
+    CERTREQBODYASN_IDX_ATTRS_CPW_PS,
+    CERTREQBODYASN_IDX_ATTRS_CPW_UTF,
+    CERTREQBODYASN_IDX_EXT_SEQ,
+    CERTREQBODYASN_IDX_EXT_OID,
+    CERTREQBODYASN_IDX_EXT_SET,
+    CERTREQBODYASN_IDX_EXT_BODY,
 };
 
 /* Number of items in ASN.1 template for Certificate Request body. */
@@ -24626,7 +25216,7 @@ static int MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz,
         cert->keyType = ED25519_KEY;
     else if (ed448Key)
         cert->keyType = ED448_KEY;
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     else if ((falconKey != NULL) && (falconKey->level == 1))
         cert->keyType = FALCON_LEVEL1_KEY;
     else if ((falconKey != NULL) && (falconKey->level == 5))
@@ -24666,6 +25256,7 @@ static int MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz,
     word32 sbjRawSz;
 #endif
 
+    (void)falconKey; /* Unused without OQS */
     CALLOC_ASNSETDATA(dataASN, certReqBodyASN_Length, ret, cert->heap);
 
     if (ret == 0) {
@@ -24686,7 +25277,7 @@ static int MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz,
             cert->keyType = ED448_KEY;
         }
         else if (falconKey != NULL) {
-        #ifdef HAVE_LIBOQS
+        #ifdef HAVE_PQC
             if (falconKey->level == 1)
                 cert->keyType = FALCON_LEVEL1_KEY;
             else if (falconKey->level == 5)
@@ -24722,55 +25313,62 @@ static int MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz,
     }
     if (ret >= 0) {
         /* Set version. */
-        SetASN_Int8Bit(&dataASN[1], cert->version);
+        SetASN_Int8Bit(&dataASN[CERTREQBODYASN_IDX_VER], cert->version);
     #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA)
         if (sbjRawSz > 0) {
             /* Put in encoded subject name. */
-            SetASN_Buffer(&dataASN[2], cert->sbjRaw, subjectSz);
+            SetASN_Buffer(&dataASN[CERTREQBODYASN_IDX_SUBJ_SEQ], cert->sbjRaw,
+                    subjectSz);
         }
         else
     #endif
         {
             /* Leave space for subject name. */
-            SetASN_ReplaceBuffer(&dataASN[2], NULL, subjectSz);
+            SetASN_ReplaceBuffer(&dataASN[CERTREQBODYASN_IDX_SUBJ_SEQ], NULL,
+                    subjectSz);
         }
         /* Leave space for public key. */
-        SetASN_ReplaceBuffer(&dataASN[3], NULL, publicKeySz);
+        SetASN_ReplaceBuffer(&dataASN[CERTREQBODYASN_IDX_SPUBKEYINFO_SEQ],
+                NULL, publicKeySz);
         if (cert->challengePw[0] != '\0') {
             /* Add challenge password attribute. */
             /* Set challenge password OID. */
-            SetASN_Buffer(&dataASN[6], attrChallengePasswordOid,
+            SetASN_Buffer(&dataASN[CERTREQBODYASN_IDX_ATTRS_CPW_OID], attrChallengePasswordOid,
                 sizeof(attrChallengePasswordOid));
             /* Enable the ASN template item with the appropriate tag. */
             if (cert->challengePwPrintableString) {
                 /* PRINTABLE_STRING - set buffer */
-                SetASN_Buffer(&dataASN[8], (byte*)cert->challengePw,
-                              (word32)XSTRLEN(cert->challengePw));
+                SetASN_Buffer(&dataASN[CERTREQBODYASN_IDX_ATTRS_CPW_PS],
+                        (byte*)cert->challengePw,
+                        (word32)XSTRLEN(cert->challengePw));
                 /* UTF8STRING - don't encode */
-                dataASN[9].noOut = 1;
+                dataASN[CERTREQBODYASN_IDX_ATTRS_CPW_UTF].noOut = 1;
             }
             else {
                 /* PRINTABLE_STRING - don't encode */
-                dataASN[8].noOut = 1;
+                dataASN[CERTREQBODYASN_IDX_ATTRS_CPW_PS].noOut = 1;
                 /* UTF8STRING - set buffer */
-                SetASN_Buffer(&dataASN[9], (byte*)cert->challengePw,
-                              (word32)XSTRLEN(cert->challengePw));
+                SetASN_Buffer(&dataASN[CERTREQBODYASN_IDX_ATTRS_CPW_UTF],
+                        (byte*)cert->challengePw,
+                        (word32)XSTRLEN(cert->challengePw));
             }
         }
         else {
             /* Leave out challenge password attribute items. */
-            SetASNItem_NoOut(dataASN, 5, 9);
+            SetASNItem_NoOutNode(dataASN, certReqBodyASN,
+                    CERTREQBODYASN_IDX_ATTRS_CPW_SEQ, certReqBodyASN_Length);
         }
         if (extSz > 0) {
             /* Set extension attribute OID. */
-            SetASN_Buffer(&dataASN[11], attrExtensionRequestOid,
+            SetASN_Buffer(&dataASN[CERTREQBODYASN_IDX_EXT_OID], attrExtensionRequestOid,
                 sizeof(attrExtensionRequestOid));
             /* Leave space for data. */
-            SetASN_Buffer(&dataASN[13], NULL, extSz);
+            SetASN_Buffer(&dataASN[CERTREQBODYASN_IDX_EXT_BODY], NULL, extSz);
         }
         else {
             /* Leave out extension attribute items. */
-            SetASNItem_NoOut(dataASN, 10, 13);
+            SetASNItem_NoOutNode(dataASN, certReqBodyASN,
+                    CERTREQBODYASN_IDX_EXT_SEQ, certReqBodyASN_Length);
         }
 
         /* Calculate size of encoded certificate request body. */
@@ -24791,20 +25389,24 @@ static int MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz,
     #endif
         {
             /* Encode subject name into space in buffer. */
-            ret = SetNameEx((byte*)dataASN[2].data.buffer.data,
-                    dataASN[2].data.buffer.length, &cert->subject, cert->heap);
+            ret = SetNameEx(
+                (byte*)dataASN[CERTREQBODYASN_IDX_SUBJ_SEQ].data.buffer.data,
+                dataASN[CERTREQBODYASN_IDX_SUBJ_SEQ].data.buffer.length,
+                &cert->subject, cert->heap);
         }
     }
     if (ret >= 0) {
         /* Encode public key into space in buffer. */
-        ret = EncodePublicKey(cert->keyType, (byte*)dataASN[3].data.buffer.data,
-            dataASN[3].data.buffer.length, rsaKey, eccKey, ed25519Key, ed448Key,
-            dsaKey);
+        ret = EncodePublicKey(cert->keyType,
+            (byte*)dataASN[CERTREQBODYASN_IDX_SPUBKEYINFO_SEQ].data.buffer.data,
+            dataASN[CERTREQBODYASN_IDX_SPUBKEYINFO_SEQ].data.buffer.length,
+            rsaKey, eccKey, ed25519Key, ed448Key, dsaKey);
     }
-    if ((ret >= 0) && (!dataASN[13].noOut)) {
+    if ((ret >= 0) && (!dataASN[CERTREQBODYASN_IDX_EXT_BODY].noOut)) {
         /* Encode extensions into space in buffer. */
-        ret = EncodeExtensions(cert, (byte*)dataASN[13].data.buffer.data,
-            dataASN[13].data.buffer.length, 1);
+        ret = EncodeExtensions(cert,
+                (byte*)dataASN[CERTREQBODYASN_IDX_EXT_BODY].data.buffer.data,
+                dataASN[CERTREQBODYASN_IDX_EXT_BODY].data.buffer.length, 1);
     }
     if (ret >= 0) {
         /* Store encoded certifcate request body size. */
@@ -25040,7 +25642,7 @@ static int SetKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey,
         bufferSz = wc_Ed448PublicKeyToDer(ed448Key, buf, MAX_PUBLIC_KEY_SZ, 0);
     }
 #endif
-#if defined(HAVE_LIBOQS)
+#if defined(HAVE_PQC)
     if (falconKey != NULL) {
         bufferSz = wc_Falcon_PublicKeyToDer(falconKey, buf, MAX_PUBLIC_KEY_SZ,
                                             0);
@@ -26054,10 +26656,10 @@ int StoreDHparams(byte* out, word32* outLen, mp_int* p, mp_int* g)
     if (ret == 0) {
         XMEMSET(dataASN, 0, sizeof(dataASN));
         /* Set mp_int containing p and g. */
-        SetASN_MP(&dataASN[1], p);
-        SetASN_MP(&dataASN[2], g);
+        SetASN_MP(&dataASN[DHPARAMASN_IDX_PRIME], p);
+        SetASN_MP(&dataASN[DHPARAMASN_IDX_BASE], g);
         /* privateValueLength not encoded. */
-        dataASN[3].noOut = 1;
+        dataASN[DHPARAMASN_IDX_PRIVLEN].noOut = 1;
 
         /* Calculate the size of the DH parameters. */
         ret = SizeASN_Items(dhParamASN, dataASN, dhParamASN_Length, &sz);
@@ -26085,11 +26687,16 @@ int StoreDHparams(byte* out, word32* outLen, mp_int* p, mp_int* g)
  * RFC 5912, 6 - DSA-Sig-Value
  */
 static const ASNItem dsaSigASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* r */
-/*  1 */        { 1, ASN_INTEGER, 0, 0, 0 },
-                /* s */
-/*  2 */        { 1, ASN_INTEGER, 0, 0, 0 },
+/* SEQ */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+                            /* r */
+/* R   */     { 1, ASN_INTEGER, 0, 0, 0 },
+                            /* s */
+/* S   */     { 1, ASN_INTEGER, 0, 0, 0 },
+};
+enum {
+    DSASIGASN_IDX_SEQ = 0,
+    DSASIGASN_IDX_R,
+    DSASIGASN_IDX_S,
 };
 
 #define dsaSigASN_Length (sizeof(dsaSigASN) / sizeof(ASNItem))
@@ -26138,8 +26745,8 @@ int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r, mp_int* s)
 
     /* Clear dynamic data and set mp_ints r and s */
     XMEMSET(dataASN, 0, sizeof(dataASN));
-    SetASN_MP(&dataASN[1], r);
-    SetASN_MP(&dataASN[2], s);
+    SetASN_MP(&dataASN[DSASIGASN_IDX_R], r);
+    SetASN_MP(&dataASN[DSASIGASN_IDX_S], s);
 
     /* Calculate size of encoding. */
     ret = SizeASN_Items(dsaSigASN, dataASN, dsaSigASN_Length, &sz);
@@ -26240,8 +26847,8 @@ int StoreECC_DSA_Sig_Bin(byte* out, word32* outLen, const byte* r, word32 rLen,
 
     /* Clear dynamic data and set buffers for r and s */
     XMEMSET(dataASN, 0, sizeof(dataASN));
-    SetASN_Buffer(&dataASN[1], r, rLen);
-    SetASN_Buffer(&dataASN[2], s, sLen);
+    SetASN_Buffer(&dataASN[DSASIGASN_IDX_R], r, rLen);
+    SetASN_Buffer(&dataASN[DSASIGASN_IDX_S], s, sLen);
 
     /* Calculate size of encoding. */
     ret = SizeASN_Items(dsaSigASN, dataASN, dsaSigASN_Length, &sz);
@@ -26318,8 +26925,8 @@ int DecodeECC_DSA_Sig_Bin(const byte* sig, word32 sigLen, byte* r, word32* rLen,
 
     /* Clear dynamic data and set buffers to put r and s into. */
     XMEMSET(dataASN, 0, sizeof(dataASN));
-    GetASN_Buffer(&dataASN[1], r, rLen);
-    GetASN_Buffer(&dataASN[2], s, sLen);
+    GetASN_Buffer(&dataASN[DSASIGASN_IDX_R], r, rLen);
+    GetASN_Buffer(&dataASN[DSASIGASN_IDX_S], s, sLen);
 
     /* Decode the DSA signature. */
     return GetASN_Items(dsaSigASN, dataASN, dsaSigASN_Length, 1, sig, &idx,
@@ -26375,8 +26982,8 @@ int DecodeECC_DSA_Sig(const byte* sig, word32 sigLen, mp_int* r, mp_int* s)
 
     /* Clear dynamic data and set mp_ints to put r and s into. */
     XMEMSET(dataASN, 0, sizeof(dataASN));
-    GetASN_MP(&dataASN[1], r);
-    GetASN_MP(&dataASN[2], s);
+    GetASN_MP(&dataASN[DSASIGASN_IDX_R], r);
+    GetASN_MP(&dataASN[DSASIGASN_IDX_S], s);
 
     /* Decode the DSA signature. */
     return GetASN_Items(dsaSigASN, dataASN, dsaSigASN_Length, 1, sig, &idx,
@@ -26451,29 +27058,43 @@ static int DataToHexStringAlloc(const byte* input, word32 inSz, char** out,
  * NOTE: characteristic-two-field not supported. */
 static const ASNItem eccSpecifiedASN[] = {
             /* version */
-/*  0 */    { 0, ASN_INTEGER, 0, 0, 0 },
-            /* fieldID */
-/*  1 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* prime-field or characteristic-two-field */
-/*  2 */        { 1, ASN_OBJECT_ID, 0, 0, 0 },
-                /* Prime-p */
-/*  3 */        { 1, ASN_INTEGER, 0, 0, 0 },
-            /* fieldID */
-/*  4 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* a */
-/*  5 */        { 1, ASN_OCTET_STRING, 0, 0, 0 },
-                /* b */
-/*  6 */        { 1, ASN_OCTET_STRING, 0, 0, 0 },
-                /* seed */
-/*  7 */        { 1, ASN_BIT_STRING, 0, 0, 1 },
-            /* base */
-/*  8 */    { 0, ASN_OCTET_STRING, 0, 0, 0 },
-            /* order */
-/*  9 */    { 0, ASN_INTEGER, 0, 0, 0 },
-            /* cofactor */
-/* 10 */    { 0, ASN_INTEGER, 0, 0, 1 },
-            /* hash */
-/* 11 */    { 0, ASN_SEQUENCE, 0, 0, 1 },
+/* VER        */ { 0, ASN_INTEGER, 0, 0, 0 },
+                                     /* fieldID */
+/* PRIME_SEQ  */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                         /* prime-field or characteristic-two-field */
+/* PRIME_OID  */     { 1, ASN_OBJECT_ID, 0, 0, 0 },
+                                         /* Prime-p */
+/* PRIME_P    */     { 1, ASN_INTEGER, 0, 0, 0 },
+                                     /* fieldID */
+/* PARAM_SEQ, */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                         /* a */
+/* PARAM_A    */     { 1, ASN_OCTET_STRING, 0, 0, 0 },
+                                         /* b */
+/* PARAM_B    */     { 1, ASN_OCTET_STRING, 0, 0, 0 },
+                                         /* seed */
+/* PARAM_SEED */     { 1, ASN_BIT_STRING, 0, 0, 1 },
+                                     /* base */
+/* BASE       */ { 0, ASN_OCTET_STRING, 0, 0, 0 },
+                                     /* order */
+/* ORDER      */ { 0, ASN_INTEGER, 0, 0, 0 },
+                                     /* cofactor */
+/* COFACTOR   */ { 0, ASN_INTEGER, 0, 0, 1 },
+                                     /* hash */
+/* HASH_SEQ   */ { 0, ASN_SEQUENCE, 0, 0, 1 },
+};
+enum {
+    ECCSPECIFIEDASN_IDX_VER = 0,
+    ECCSPECIFIEDASN_IDX_PRIME_SEQ,
+    ECCSPECIFIEDASN_IDX_PRIME_OID,
+    ECCSPECIFIEDASN_IDX_PRIME_P,
+    ECCSPECIFIEDASN_IDX_PARAM_SEQ,
+    ECCSPECIFIEDASN_IDX_PARAM_A,
+    ECCSPECIFIEDASN_IDX_PARAM_B,
+    ECCSPECIFIEDASN_IDX_PARAM_SEED,
+    ECCSPECIFIEDASN_IDX_BASE,
+    ECCSPECIFIEDASN_IDX_ORDER,
+    ECCSPECIFIEDASN_IDX_COFACTOR,
+    ECCSPECIFIEDASN_IDX_HASH_SEQ,
 };
 
 /* Number of items in ASN.1 template for SpecifiedECDomain. */
@@ -26518,9 +27139,10 @@ static int EccSpecifiedECDomainDecode(const byte* input, word32 inSz,
         curve->id = ECC_CURVE_CUSTOM;
 
         /* Get version, must have prime field OID and get co-factor. */
-        GetASN_Int8Bit(&dataASN[0], &version);
-        GetASN_ExpBuffer(&dataASN[2], primeFieldOID, sizeof(primeFieldOID));
-        GetASN_Int8Bit(&dataASN[10], &cofactor);
+        GetASN_Int8Bit(&dataASN[ECCSPECIFIEDASN_IDX_VER], &version);
+        GetASN_ExpBuffer(&dataASN[ECCSPECIFIEDASN_IDX_PRIME_OID],
+                primeFieldOID, sizeof(primeFieldOID));
+        GetASN_Int8Bit(&dataASN[ECCSPECIFIEDASN_IDX_COFACTOR], &cofactor);
         /* Decode the explicit parameters. */
         ret = GetASN_Items(eccSpecifiedASN, dataASN, eccSpecifiedASN_Length, 1,
                            input, &idx, inSz);
@@ -26530,22 +27152,26 @@ static int EccSpecifiedECDomainDecode(const byte* input, word32 inSz,
         ret = ASN_PARSE_E;
     }
     /* Only version 2 and above can have a seed. */
-    if ((ret == 0) && (dataASN[7].tag != 0) && (version < 2)) {
+    if ((ret == 0) && (dataASN[ECCSPECIFIEDASN_IDX_PARAM_SEED].tag != 0) &&
+            (version < 2)) {
         ret = ASN_PARSE_E;
     }
     /* Only version 2 and above can have a hash algorithm. */
-    if ((ret == 0) && (dataASN[11].tag != 0) && (version < 2)) {
+    if ((ret == 0) && (dataASN[ECCSPECIFIEDASN_IDX_HASH_SEQ].tag != 0) &&
+            (version < 2)) {
         ret = ASN_PARSE_E;
     }
-    if ((ret == 0) && (dataASN[10].tag != 0)) {
+    if ((ret == 0) && (dataASN[ECCSPECIFIEDASN_IDX_COFACTOR].tag != 0)) {
         /* Store optional co-factor. */
         curve->cofactor = cofactor;
     }
     if (ret == 0) {
         /* Length of the prime in bytes is the curve size. */
-        curve->size = (int)dataASN[3].data.ref.length;
+        curve->size =
+                (int)dataASN[ECCSPECIFIEDASN_IDX_PRIME_P].data.ref.length;
         /* Base point: 0x04 <x> <y> (must be uncompressed). */
-        GetASN_GetConstRef(&dataASN[8], &base, &baseLen);
+        GetASN_GetConstRef(&dataASN[ECCSPECIFIEDASN_IDX_BASE], &base,
+                &baseLen);
         if ((baseLen < (word32)curve->size * 2 + 1) || (base[0] != 0x4)) {
             ret = ASN_PARSE_E;
         }
@@ -26569,31 +27195,31 @@ static int EccSpecifiedECDomainDecode(const byte* input, word32 inSz,
     }
     if (ret == 0) {
         /* Prime */
-        ret = DataToHexStringAlloc(dataASN[3].data.ref.data,
-                                   dataASN[3].data.ref.length,
-                                   (char**)&curve->prime, key->heap,
-                                   DYNAMIC_TYPE_ECC_BUFFER);
+        ret = DataToHexStringAlloc(
+                dataASN[ECCSPECIFIEDASN_IDX_PRIME_P].data.ref.data,
+                dataASN[ECCSPECIFIEDASN_IDX_PRIME_P].data.ref.length,
+                (char**)&curve->prime, key->heap, DYNAMIC_TYPE_ECC_BUFFER);
     }
     if (ret == 0) {
         /* Parameter A */
-        ret = DataToHexStringAlloc(dataASN[5].data.ref.data,
-                                   dataASN[5].data.ref.length,
-                                   (char**)&curve->Af, key->heap,
-                                   DYNAMIC_TYPE_ECC_BUFFER);
+        ret = DataToHexStringAlloc(
+                dataASN[ECCSPECIFIEDASN_IDX_PARAM_A].data.ref.data,
+                dataASN[ECCSPECIFIEDASN_IDX_PARAM_A].data.ref.length,
+                (char**)&curve->Af, key->heap, DYNAMIC_TYPE_ECC_BUFFER);
     }
     if (ret == 0) {
         /* Parameter B */
-        ret = DataToHexStringAlloc(dataASN[6].data.ref.data,
-                                   dataASN[6].data.ref.length,
-                                   (char**)&curve->Bf, key->heap,
-                                   DYNAMIC_TYPE_ECC_BUFFER);
+        ret = DataToHexStringAlloc(
+                dataASN[ECCSPECIFIEDASN_IDX_PARAM_B].data.ref.data,
+                dataASN[ECCSPECIFIEDASN_IDX_PARAM_B].data.ref.length,
+                (char**)&curve->Bf, key->heap, DYNAMIC_TYPE_ECC_BUFFER);
     }
     if (ret == 0) {
         /* Order of curve */
-        ret = DataToHexStringAlloc(dataASN[9].data.ref.data,
-                                   dataASN[9].data.ref.length,
-                                   (char**)&curve->order, key->heap,
-                                   DYNAMIC_TYPE_ECC_BUFFER);
+        ret = DataToHexStringAlloc(
+                dataASN[ECCSPECIFIEDASN_IDX_ORDER].data.ref.data,
+                dataASN[ECCSPECIFIEDASN_IDX_ORDER].data.ref.length,
+                (char**)&curve->order, key->heap, DYNAMIC_TYPE_ECC_BUFFER);
     }
     #else
     if (ret == 0) {
@@ -26602,16 +27228,20 @@ static int EccSpecifiedECDomainDecode(const byte* input, word32 inSz,
         /* Base Y-ordinate */
         DataToHexString(base + 1 + curve->size, curve->size, curve->Gy);
         /* Prime */
-        DataToHexString(dataASN[3].data.ref.data, dataASN[3].data.ref.length,
+        DataToHexString(dataASN[ECCSPECIFIEDASN_IDX_PRIME_P].data.ref.data,
+                        dataASN[ECCSPECIFIEDASN_IDX_PRIME_P].data.ref.length,
                         curve->prime);
         /* Parameter A */
-        DataToHexString(dataASN[5].data.ref.data, dataASN[5].data.ref.length,
+        DataToHexString(dataASN[ECCSPECIFIEDASN_IDX_PARAM_A].data.ref.data,
+                        dataASN[ECCSPECIFIEDASN_IDX_PARAM_A].data.ref.length,
                         curve->Af);
         /* Parameter B */
-        DataToHexString(dataASN[6].data.ref.data, dataASN[6].data.ref.length,
+        DataToHexString(dataASN[ECCSPECIFIEDASN_IDX_PARAM_B].data.ref.data,
+                        dataASN[ECCSPECIFIEDASN_IDX_PARAM_B].data.ref.length,
                         curve->Bf);
         /* Order of curve */
-        DataToHexString(dataASN[9].data.ref.data, dataASN[9].data.ref.length,
+        DataToHexString(dataASN[ECCSPECIFIEDASN_IDX_ORDER].data.ref.data,
+                        dataASN[ECCSPECIFIEDASN_IDX_ORDER].data.ref.length,
                         curve->order);
     }
     #endif /* WOLFSSL_ECC_CURVE_STATIC */
@@ -26643,21 +27273,31 @@ static int EccSpecifiedECDomainDecode(const byte* input, word32 inSz,
  * SEC.1 Ver 2.0, C.4 - Syntax for Elliptic Curve Private Keys
  */
 static const ASNItem eccKeyASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* version */
-/*  1 */        { 1, ASN_INTEGER, 0, 0, 0 },
-                /* privateKey */
-/*  2 */        { 1, ASN_OCTET_STRING, 0, 0, 0 },
-                /* parameters */
-/*  3 */        { 1, ASN_CONTEXT_SPECIFIC | 0, 1, 1, 1 },
-                    /* named */
-/*  4 */            { 2, ASN_OBJECT_ID, 0, 0, 2 },
-                    /* specified */
-/*  5 */            { 2, ASN_SEQUENCE, 1, 0, 2 },
-                /* publicKey */
-/*  6 */        { 1, ASN_CONTEXT_SPECIFIC | 1, 1, 1, 1 },
-                    /* Uncompressed point - X9.62. */
-/*  7 */            { 2, ASN_BIT_STRING, 0, 0, 0 },
+/* SEQ         */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                       /* version */
+/* VER         */        { 1, ASN_INTEGER, 0, 0, 0 },
+                                       /* privateKey */
+/* PKEY        */        { 1, ASN_OCTET_STRING, 0, 0, 0 },
+                                       /* parameters */
+/* PARAMS      */        { 1, ASN_CONTEXT_SPECIFIC | ASN_ECC_PARAMS, 1, 1, 1 },
+                                           /* named */
+/* CURVEID     */            { 2, ASN_OBJECT_ID, 0, 0, 2 },
+                                           /* specified */
+/* CURVEPARAMS */            { 2, ASN_SEQUENCE, 1, 0, 2 },
+                                       /* publicKey */
+/* PUBKEY      */        { 1, ASN_CONTEXT_SPECIFIC | ASN_ECC_PUBKEY, 1, 1, 1 },
+                                           /* Uncompressed point - X9.62. */
+/* PUBKEY_VAL, */            { 2, ASN_BIT_STRING, 0, 0, 0 },
+};
+enum {
+    ECCKEYASN_IDX_SEQ = 0,
+    ECCKEYASN_IDX_VER,
+    ECCKEYASN_IDX_PKEY,
+    ECCKEYASN_IDX_PARAMS,
+    ECCKEYASN_IDX_CURVEID,
+    ECCKEYASN_IDX_CURVEPARAMS,
+    ECCKEYASN_IDX_PUBKEY,
+    ECCKEYASN_IDX_PUBKEY_VAL,
 };
 
 /* Number of items in ASN.1 template for ECC private key. */
@@ -26820,8 +27460,8 @@ int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key,
 
     if (ret == 0) {
         /* Get the version and set the expected OID type. */
-        GetASN_Int8Bit(&dataASN[1], &version);
-        GetASN_OID(&dataASN[4], oidCurveType);
+        GetASN_Int8Bit(&dataASN[ECCKEYASN_IDX_VER], &version);
+        GetASN_OID(&dataASN[ECCKEYASN_IDX_CURVEID], oidCurveType);
         /* Decode the private ECC key. */
         ret = GetASN_Items(eccKeyASN, dataASN, eccKeyASN_Length, 1, input,
                            inOutIdx, inSz);
@@ -26831,10 +27471,10 @@ int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key,
         ret = ASN_PARSE_E;
     }
     /* Curve Parameters are optional. */
-    if ((ret == 0) && (dataASN[3].tag != 0)) {
-        if (dataASN[4].tag != 0) {
+    if ((ret == 0) && (dataASN[ECCKEYASN_IDX_PARAMS].tag != 0)) {
+        if (dataASN[ECCKEYASN_IDX_CURVEID].tag != 0) {
             /* Named curve - check and get id. */
-            curve_id = CheckCurve(dataASN[4].data.oid.sum);
+            curve_id = CheckCurve(dataASN[ECCKEYASN_IDX_CURVEID].data.oid.sum);
             if (curve_id < 0) {
                 ret = ECC_CURVE_OID_E;
             }
@@ -26842,8 +27482,9 @@ int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key,
         else {
     #ifdef WOLFSSL_CUSTOM_CURVES
             /* Parse explicit parameters. */
-            ret = EccSpecifiedECDomainDecode(dataASN[5].data.ref.data,
-                    dataASN[5].data.ref.length, key);
+            ret = EccSpecifiedECDomainDecode(
+                    dataASN[ECCKEYASN_IDX_CURVEPARAMS].data.ref.data,
+                    dataASN[ECCKEYASN_IDX_CURVEPARAMS].data.ref.length, key);
     #else
             /* Explicit parameters not supported in build configuration. */
             ret = ASN_PARSE_E;
@@ -26852,9 +27493,12 @@ int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key,
     }
     if (ret == 0) {
         /* Import private key value and public point (may be NULL). */
-        ret = wc_ecc_import_private_key_ex(dataASN[2].data.ref.data,
-                dataASN[2].data.ref.length, dataASN[7].data.ref.data,
-                dataASN[7].data.ref.length, key, curve_id);
+        ret = wc_ecc_import_private_key_ex(
+                dataASN[ECCKEYASN_IDX_PKEY].data.ref.data,
+                dataASN[ECCKEYASN_IDX_PKEY].data.ref.length,
+                dataASN[ECCKEYASN_IDX_PUBKEY_VAL].data.ref.data,
+                dataASN[ECCKEYASN_IDX_PUBKEY_VAL].data.ref.length,
+                key, curve_id);
     }
 
     FREE_ASNGETDATA(dataASN, key->heap);
@@ -27184,11 +27828,11 @@ int wc_EccPublicKeyDecode(const byte* input, word32* inOutIdx,
     DECL_ASNGETDATA(dataASN, eccKeyASN_Length);
     int ret = 0;
     int curve_id = ECC_CURVE_DEF;
-    int oidIdx = 3;
+    int oidIdx = ECCPUBLICKEYASN_IDX_ALGOID_CURVEID;
 #ifdef WOLFSSL_CUSTOM_CURVES
-    int specIdx = 4;
+    int specIdx = ECCPUBLICKEYASN_IDX_ALGOID_PARAMS;
 #endif
-    int pubIdx = 5;
+    int pubIdx = ECCPUBLICKEYASN_IDX_PUBKEY;
 
     if ((input == NULL) || (inOutIdx == NULL) || (key == NULL) || (inSz == 0)) {
         ret = BAD_FUNC_ARG;
@@ -27200,17 +27844,18 @@ int wc_EccPublicKeyDecode(const byte* input, word32* inOutIdx,
         /* Clear dynamic data for ECC public key. */
         XMEMSET(dataASN, 0, sizeof(*dataASN) * eccPublicKeyASN_Length);
         /* Set required ECDSA OID and ignore the curve OID type. */
-        GetASN_ExpBuffer(&dataASN[2], keyEcdsaOid, sizeof(keyEcdsaOid));
+        GetASN_ExpBuffer(&dataASN[ECCPUBLICKEYASN_IDX_ALGOID_OID], keyEcdsaOid,
+                sizeof(keyEcdsaOid));
         GetASN_OID(&dataASN[oidIdx], oidIgnoreType);
         /* Decode the public ECC key. */
         ret = GetASN_Items(eccPublicKeyASN, dataASN, eccPublicKeyASN_Length, 1,
                            input, inOutIdx, inSz);
         if (ret != 0) {
-            oidIdx = 4;
+            oidIdx = ECCKEYASN_IDX_CURVEID;
         #ifdef WOLFSSL_CUSTOM_CURVES
-            specIdx = 5;
+            specIdx = ECCKEYASN_IDX_CURVEPARAMS;
         #endif
-            pubIdx = 7;
+            pubIdx = ECCKEYASN_IDX_PUBKEY_VAL;
 
             /* Clear dynamic data for ECC private key. */
             XMEMSET(dataASN, 0, sizeof(*dataASN) * eccKeyASN_Length);
@@ -27466,26 +28111,28 @@ static int wc_BuildEccKeyDer(ecc_key* key, byte* output, word32 *inLen,
     }
     if (ret == 0) {
         /* Version: 1 */
-        SetASN_Int8Bit(&dataASN[1], 1);
+        SetASN_Int8Bit(&dataASN[ECCKEYASN_IDX_VER], 1);
         /* Leave space for private key. */
-        SetASN_Buffer(&dataASN[2], NULL, privSz);
+        SetASN_Buffer(&dataASN[ECCKEYASN_IDX_PKEY], NULL, privSz);
         if (curveIn) {
             /* Curve OID */
-            SetASN_Buffer(&dataASN[4], key->dp->oid, key->dp->oidSz);
+            SetASN_Buffer(&dataASN[ECCKEYASN_IDX_CURVEID], key->dp->oid,
+                    key->dp->oidSz);
+            /* TODO: add support for SpecifiedECDomain curve. */
+            dataASN[ECCKEYASN_IDX_CURVEPARAMS].noOut = 1;
         }
         else {
-             dataASN[3].noOut = 1;
-             dataASN[4].noOut = 1;
+            SetASNItem_NoOutNode(dataASN, eccKeyASN, ECCKEYASN_IDX_PARAMS,
+                    eccKeyASN_Length);
         }
-        /* TODO: add support for SpecifiedECDomain curve. */
-        dataASN[5].noOut = 1;
         if (pubIn) {
             /* Leave space for public key. */
-            SetASN_Buffer(&dataASN[7], NULL, pubSz);
+            SetASN_Buffer(&dataASN[ECCKEYASN_IDX_PUBKEY_VAL], NULL, pubSz);
         }
         else {
             /* Don't write out public key. */
-            dataASN[6].noOut = dataASN[7].noOut = 1;
+            SetASNItem_NoOutNode(dataASN, eccKeyASN, ECCKEYASN_IDX_PUBKEY,
+                    eccKeyASN_Length);
         }
         /* Calculate size of the private key encoding. */
         ret = SizeASN_Items(eccKeyASN, dataASN, eccKeyASN_Length, &sz);
@@ -27505,11 +28152,12 @@ static int wc_BuildEccKeyDer(ecc_key* key, byte* output, word32 *inLen,
 
         /* Export the private value into the buffer. */
         ret = wc_ecc_export_private_only(key,
-                (byte*)dataASN[2].data.buffer.data, &privSz);
+                (byte*)dataASN[ECCKEYASN_IDX_PKEY].data.buffer.data, &privSz);
         if ((ret == 0) && pubIn) {
             /* Export the public point into the buffer. */
             PRIVATE_KEY_UNLOCK();
-            ret = wc_ecc_export_x963(key, (byte*)dataASN[7].data.buffer.data,
+            ret = wc_ecc_export_x963(key,
+                    (byte*)dataASN[ECCKEYASN_IDX_PUBKEY_VAL].data.buffer.data,
                     &pubSz);
             PRIVATE_KEY_LOCK();
         }
@@ -27674,22 +28322,33 @@ int wc_EccKeyToPKCS8(ecc_key* key, byte* output,
  * RFC 8410, 7 - Private Key Format (but public value is EXPLICIT OCTET_STRING)
  */
 static const ASNItem edKeyASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* Version */
-/*  1 */        { 1, ASN_INTEGER, 0, 0, 0 },
-                /* privateKeyAlgorithm */
-/*  2 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
-/*  3 */            { 2, ASN_OBJECT_ID, 0, 0, 1 },
-                /* privateKey */
-/*  4 */        { 1, ASN_OCTET_STRING, 0, 1, 0 },
-                    /* CurvePrivateKey */
-/*  5 */            { 2, ASN_OCTET_STRING, 0, 0, 0 },
-                /* attributes */
-/*  6 */        { 1, ASN_CONTEXT_SPECIFIC | 0, 1, 1, 1 },
-                /* publicKey */
-/*  7 */        { 1, ASN_CONTEXT_SPECIFIC | 1, 1, 1, 1 },
-                    /* Public value */
-/*  8 */            { 2, ASN_OCTET_STRING, 0, 0, 0 }
+/* SEQ            */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                         /* Version */
+/* VER            */        { 1, ASN_INTEGER, 0, 0, 0 },
+                                         /* privateKeyAlgorithm */
+/* PKEYALGO_SEQ   */        { 1, ASN_SEQUENCE, 1, 1, 0 },
+/* PKEYALGO_OID   */            { 2, ASN_OBJECT_ID, 0, 0, 1 },
+                                         /* privateKey */
+/* PKEY           */        { 1, ASN_OCTET_STRING, 0, 1, 0 },
+                                             /* CurvePrivateKey */
+/* PKEY_CURVEPKEY */            { 2, ASN_OCTET_STRING, 0, 0, 0 },
+                                         /* attributes */
+/* ATTRS          */        { 1, ASN_CONTEXT_SPECIFIC | ASN_ASYMKEY_ATTRS, 1, 1, 1 },
+                                         /* publicKey */
+/* PUBKEY         */        { 1, ASN_CONTEXT_SPECIFIC | ASN_ASYMKEY_PUBKEY, 1, 1, 1 },
+                                             /* Public value */
+/* PUBKEY_VAL     */            { 2, ASN_OCTET_STRING, 0, 0, 0 }
+};
+enum {
+    EDKEYASN_IDX_SEQ = 0,
+    EDKEYASN_IDX_VER,
+    EDKEYASN_IDX_PKEYALGO_SEQ,
+    EDKEYASN_IDX_PKEYALGO_OID,
+    EDKEYASN_IDX_PKEY,
+    EDKEYASN_IDX_PKEY_CURVEPKEY,
+    EDKEYASN_IDX_ATTRS,
+    EDKEYASN_IDX_PUBKEY,
+    EDKEYASN_IDX_PUBKEY_VAL,
 };
 
 /* Number of items in ASN.1 template for Ed25519 and Ed448 private key. */
@@ -27795,41 +28454,46 @@ static int DecodeAsymKey(const byte* input, word32* inOutIdx, word32 inSz,
         /* Require OID. */
         word32 oidSz;
         const byte* oid = OidFromId(keyType, oidKeyType, &oidSz);
-        GetASN_ExpBuffer(&dataASN[3], oid, oidSz);
+        GetASN_ExpBuffer(&dataASN[EDKEYASN_IDX_PKEYALGO_OID], oid, oidSz);
         /* Parse full private key. */
         ret = GetASN_Items(edKeyASN, dataASN, edKeyASN_Length, 1, input,
                 inOutIdx, inSz);
         if (ret != 0) {
             /* Parse just the OCTET_STRING. */
-            ret = GetASN_Items(&edKeyASN[5], &dataASN[5], 1, 0, input, inOutIdx,
-                    inSz);
+            ret = GetASN_Items(&edKeyASN[EDKEYASN_IDX_PKEY_CURVEPKEY],
+                    &dataASN[EDKEYASN_IDX_PKEY_CURVEPKEY], 1, 0, input,
+                    inOutIdx, inSz);
             if (ret != 0) {
                 ret = ASN_PARSE_E;
             }
         }
     }
     /* Check the private value length is correct. */
-    if ((ret == 0) && dataASN[5].data.ref.length > *privKeyLen) {
+    if ((ret == 0) && dataASN[EDKEYASN_IDX_PKEY_CURVEPKEY].data.ref.length
+            > *privKeyLen) {
         ret = ASN_PARSE_E;
     }
-    if ((ret == 0) && dataASN[7].tag == 0) {
-        *privKeyLen = dataASN[5].data.ref.length;
-        XMEMCPY(privKey, dataASN[5].data.ref.data, *privKeyLen);
+    if ((ret == 0) && dataASN[EDKEYASN_IDX_PUBKEY].tag == 0) {
+        *privKeyLen = dataASN[EDKEYASN_IDX_PKEY_CURVEPKEY].data.ref.length;
+        XMEMCPY(privKey, dataASN[EDKEYASN_IDX_PKEY_CURVEPKEY].data.ref.data,
+                *privKeyLen);
         if (pubKeyLen != NULL)
             *pubKeyLen = 0;
     }
     else if ((ret == 0) &&
-             (dataASN[8].data.ref.length > *pubKeyLen)) {
+             (dataASN[EDKEYASN_IDX_PUBKEY_VAL].data.ref.length > *pubKeyLen)) {
         ret = ASN_PARSE_E;
     }
     else if (ret == 0) {
         /* Import private and public value. */
-        *privKeyLen = dataASN[5].data.ref.length;
-        XMEMCPY(privKey, dataASN[5].data.ref.data, *privKeyLen);
+        *privKeyLen = dataASN[EDKEYASN_IDX_PKEY_CURVEPKEY].data.ref.length;
+        XMEMCPY(privKey, dataASN[EDKEYASN_IDX_PKEY_CURVEPKEY].data.ref.data,
+                *privKeyLen);
         if (pubKeyLen != NULL)
-            *pubKeyLen = dataASN[8].data.ref.length;
+            *pubKeyLen = dataASN[EDKEYASN_IDX_PUBKEY_VAL].data.ref.length;
         if (pubKey != NULL && pubKeyLen != NULL)
-            XMEMCPY(pubKey, dataASN[8].data.ref.data, *pubKeyLen);
+            XMEMCPY(pubKey, dataASN[EDKEYASN_IDX_PUBKEY_VAL].data.ref.data,
+                    *pubKeyLen);
     }
 
     FREE_ASNGETDATA(dataASN, NULL);
@@ -27892,7 +28556,7 @@ static int DecodeAsymKeyPublic(const byte* input, word32* inOutIdx, word32 inSz,
         word32 oidSz;
         const byte* oid = OidFromId(keyType, oidKeyType, &oidSz);
 
-        GetASN_ExpBuffer(&dataASN[2], oid, oidSz);
+        GetASN_ExpBuffer(&dataASN[EDPUBKEYASN_IDX_ALGOID_OID], oid, oidSz);
         /* Decode Ed25519 private key. */
         ret = GetASN_Items(edPubKeyASN, dataASN, edPubKeyASN_Length, 1, input,
                 inOutIdx, inSz);
@@ -27903,16 +28567,19 @@ static int DecodeAsymKeyPublic(const byte* input, word32* inOutIdx, word32 inSz,
             ret = ASN_PARSE_E;
     }
     /* Check the public value length is correct. */
-    if ((ret == 0) && (dataASN[3].data.ref.length > *pubKeyLen)) {
+    if ((ret == 0) &&
+            (dataASN[EDPUBKEYASN_IDX_PUBKEY].data.ref.length > *pubKeyLen)) {
         ret = ASN_PARSE_E;
     }
     /* Check that the all the buffer was used. */
-    if ((ret == 0) && (GetASNItem_Length(dataASN[0], input) != len)) {
+    if ((ret == 0) &&
+            (GetASNItem_Length(dataASN[EDPUBKEYASN_IDX_SEQ], input) != len)) {
         ret = ASN_PARSE_E;
     }
     if (ret == 0) {
-        *pubKeyLen = dataASN[3].data.ref.length;
-        XMEMCPY(pubKey, dataASN[3].data.ref.data, *pubKeyLen);
+        *pubKeyLen = dataASN[EDPUBKEYASN_IDX_PUBKEY].data.ref.length;
+        XMEMCPY(pubKey, dataASN[EDPUBKEYASN_IDX_PUBKEY].data.ref.data,
+                *pubKeyLen);
     }
 
     FREE_ASNGETDATA(dataASN, NULL);
@@ -28092,20 +28759,21 @@ static int SetAsymKeyDer(const byte* privKey, word32 privKeyLen,
 
     if (ret == 0) {
         /* Set version = 0 */
-        SetASN_Int8Bit(&dataASN[1], 0);
+        SetASN_Int8Bit(&dataASN[EDKEYASN_IDX_VER], 0);
         /* Set OID. */
-        SetASN_OID(&dataASN[3], keyType, oidKeyType);
+        SetASN_OID(&dataASN[EDKEYASN_IDX_PKEYALGO_OID], keyType, oidKeyType);
         /* Leave space for private key. */
-        SetASN_Buffer(&dataASN[5], NULL, privKeyLen);
+        SetASN_Buffer(&dataASN[EDKEYASN_IDX_PKEY_CURVEPKEY], NULL, privKeyLen);
         /* Don't write out attributes. */
-        dataASN[6].noOut = 1;
+        dataASN[EDKEYASN_IDX_ATTRS].noOut = 1;
         if (pubKey) {
             /* Leave space for public key. */
-            SetASN_Buffer(&dataASN[8], NULL, pubKeyLen);
+            SetASN_Buffer(&dataASN[EDKEYASN_IDX_PUBKEY_VAL], NULL, pubKeyLen);
         }
         else {
             /* Don't put out public part. */
-            dataASN[7].noOut = dataASN[8].noOut = 1;
+            SetASNItem_NoOutNode(dataASN, edKeyASN, EDKEYASN_IDX_PUBKEY,
+                    edKeyASN_Length);
         }
 
         /* Calculate the size of encoding. */
@@ -28121,11 +28789,13 @@ static int SetAsymKeyDer(const byte* privKey, word32 privKeyLen,
         SetASN_Items(edKeyASN, dataASN, edKeyASN_Length, output);
 
         /* Put private value into space provided. */
-        XMEMCPY((byte*)dataASN[5].data.buffer.data, privKey, privKeyLen);
+        XMEMCPY((byte*)dataASN[EDKEYASN_IDX_PKEY_CURVEPKEY].data.buffer.data,
+                privKey, privKeyLen);
 
         if (pubKey != NULL) {
             /* Put public value into space provided. */
-            XMEMCPY((byte*)dataASN[8].data.buffer.data, pubKey, pubKeyLen);
+            XMEMCPY((byte*)dataASN[EDKEYASN_IDX_PUBKEY_VAL].data.buffer.data,
+                    pubKey, pubKeyLen);
         }
 
         /* Return size of encoding. */
@@ -28252,7 +28922,7 @@ int wc_Ed448PublicKeyDecode(const byte* input, word32* inOutIdx,
 }
 #endif /* HAVE_ED448 && HAVE_ED448_KEY_IMPORT */
 
-#if defined(HAVE_LIBOQS)
+#if defined(HAVE_PQC)
 int wc_Falcon_PrivateKeyDecode(const byte* input, word32* inOutIdx,
                                      falcon_key* key, word32 inSz)
 {
@@ -28319,7 +28989,7 @@ int wc_Falcon_PublicKeyDecode(const byte* input, word32* inOutIdx,
     }
     return ret;
 }
-#endif /* HAVE_LIBOQS */
+#endif /* HAVE_PQC */
 
 #if defined(HAVE_CURVE448) && defined(HAVE_CURVE448_KEY_IMPORT)
 int wc_Curve448PrivateKeyDecode(const byte* input, word32* inOutIdx,
@@ -28386,7 +29056,7 @@ int wc_Ed448PrivateKeyToDer(ed448_key* key, byte* output, word32 inLen)
 
 #endif /* HAVE_ED448 && HAVE_ED448_KEY_EXPORT */
 
-#if defined(HAVE_LIBOQS)
+#if defined(HAVE_PQC)
 int wc_Falcon_KeyToDer(falcon_key* key, byte* output, word32 inLen)
 {
     if (key == NULL) {
@@ -28425,7 +29095,7 @@ int wc_Falcon_PrivateKeyToDer(falcon_key* key, byte* output, word32 inLen)
     return BAD_FUNC_ARG;
 }
 
-#endif /* HAVE_LIBOQS */
+#endif /* HAVE_PQC */
 
 #if defined(HAVE_CURVE448) && defined(HAVE_CURVE448_KEY_EXPORT)
 /* Write private Curve448 key to DER format,
@@ -28538,40 +29208,60 @@ static int GetEnumerated(const byte* input, word32* inOutIdx, int *value,
  * RFC 6960, 4.2.1 - ASN.1 Specification of the OCSP Response
  */
 static const ASNItem singleResponseASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* certId */
-/*  1 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
-                    /* hashAlgorithm */
-/*  2 */            { 2, ASN_SEQUENCE, 1, 1, 0 },
-/*  3 */                { 3, ASN_OBJECT_ID, 0, 0, 0 },
-/*  4 */                { 3, ASN_TAG_NULL, 0, 0, 1 },
-                    /* issuerNameHash */
-/*  5 */            { 2, ASN_OCTET_STRING, 0, 0, 0 },
-                    /* issuerKeyHash */
-/*  6 */            { 2, ASN_OCTET_STRING, 0, 0, 0 },
-                    /* serialNumber */
-/*  7 */            { 2, ASN_INTEGER, 0, 0, 0 },
-                /* certStatus - CHOICE */
-                /* good              [0] IMPLICIT NULL */
-/*  8 */        { 1, ASN_CONTEXT_SPECIFIC | 0, 0, 0, 2 },
-                /* revoked           [1] IMPLICIT RevokedInfo */
-/*  9 */        { 1, ASN_CONTEXT_SPECIFIC | 1, 1, 1, 2 },
-                    /* revocationTime */
-/* 10 */            { 2, ASN_GENERALIZED_TIME, 0, 0, 0 },
-                    /* revocationReason  [0] EXPLICIT CRLReason OPTIONAL */
-/* 11 */            { 2, ASN_CONTEXT_SPECIFIC | 0, 0, 1, 1 },
-                        /* crlReason */
-/* 12 */                { 3, ASN_ENUMERATED, 0, 0, 0 },
-                /* unknown           [2] IMPLICIT UnknownInfo ::= NULL */
-/* 13 */        { 1, ASN_CONTEXT_SPECIFIC | 2, 0, 0, 2 },
+/* SEQ                   */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                                      /* certId */
+/* CID_SEQ               */     { 1, ASN_SEQUENCE, 1, 1, 0 },
+                                                          /* hashAlgorithm */
+/* CID_HASHALGO_SEQ      */         { 2, ASN_SEQUENCE, 1, 1, 0 },
+/* CID_HASHALGO_OID      */             { 3, ASN_OBJECT_ID, 0, 0, 0 },
+/* CID_HASHALGO_NULL     */             { 3, ASN_TAG_NULL, 0, 0, 1 },
+                                                          /* issuerNameHash */
+/* CID_ISSUERHASH        */         { 2, ASN_OCTET_STRING, 0, 0, 0 },
+                                                          /* issuerKeyHash */
+/* CID_ISSUERKEYHASH     */         { 2, ASN_OCTET_STRING, 0, 0, 0 },
+                                                          /* serialNumber */
+/* CID_SERIAL            */         { 2, ASN_INTEGER, 0, 0, 0 },
+                                                      /* certStatus - CHOICE */
+                                                      /* good              [0] IMPLICIT NULL */
+/* CS_GOOD               */     { 1, ASN_CONTEXT_SPECIFIC | 0, 0, 0, 2 },
+                                                      /* revoked           [1] IMPLICIT RevokedInfo */
+/* CS_REVOKED            */     { 1, ASN_CONTEXT_SPECIFIC | 1, 1, 1, 2 },
+                                                          /* revocationTime */
+/* CS_REVOKED_TIME       */         { 2, ASN_GENERALIZED_TIME, 0, 0, 0 },
+                                                          /* revocationReason  [0] EXPLICIT CRLReason OPTIONAL */
+/* CS_REVOKED_REASON     */         { 2, ASN_CONTEXT_SPECIFIC | 0, 0, 1, 1 },
+                                                              /* crlReason */
+/* CS_REVOKED_REASON_VAL */             { 3, ASN_ENUMERATED, 0, 0, 0 },
+                                                      /* unknown           [2] IMPLICIT UnknownInfo ::= NULL */
+/* UNKNOWN               */     { 1, ASN_CONTEXT_SPECIFIC | 2, 0, 0, 2 },
 
-                /* thisUpdate */
-/* 14 */        { 1, ASN_GENERALIZED_TIME, 0, 0, 0 },
-                /* nextUpdate */
-/* 15 */        { 1, ASN_CONTEXT_SPECIFIC | 0, 1, 1, 1 },
-/* 16 */            { 2, ASN_GENERALIZED_TIME, 0, 0, 0 },
-                /* singleExtensions */
-/* 17 */        { 1, ASN_CONTEXT_SPECIFIC | 1, 1, 0, 1 },
+                                                      /* thisUpdate */
+/* THISUPDATE_GT         */     { 1, ASN_GENERALIZED_TIME, 0, 0, 0 },
+                                                      /* nextUpdate */
+/* NEXTUPDATE            */     { 1, ASN_CONTEXT_SPECIFIC | 0, 1, 1, 1 },
+/* NEXTUPDATE_GT         */         { 2, ASN_GENERALIZED_TIME, 0, 0, 0 },
+                                                      /* singleExtensions */
+/* EXT                   */     { 1, ASN_CONTEXT_SPECIFIC | 1, 1, 0, 1 },
+};
+enum {
+    SINGLERESPONSEASN_IDX_SEQ = 0,
+    SINGLERESPONSEASN_IDX_CID_SEQ,
+    SINGLERESPONSEASN_IDX_CID_HASHALGO_SEQ,
+    SINGLERESPONSEASN_IDX_CID_HASHALGO_OID,
+    SINGLERESPONSEASN_IDX_CID_HASHALGO_NULL,
+    SINGLERESPONSEASN_IDX_CID_ISSUERHASH,
+    SINGLERESPONSEASN_IDX_CID_ISSUERKEYHASH,
+    SINGLERESPONSEASN_IDX_CID_SERIAL,
+    SINGLERESPONSEASN_IDX_CS_GOOD,
+    SINGLERESPONSEASN_IDX_CS_REVOKED,
+    SINGLERESPONSEASN_IDX_CS_REVOKED_TIME,
+    SINGLERESPONSEASN_IDX_CS_REVOKED_REASON,
+    SINGLERESPONSEASN_IDX_CS_REVOKED_REASON_VAL,
+    SINGLERESPONSEASN_IDX_UNKNOWN,
+    SINGLERESPONSEASN_IDX_THISUPDATE_GT,
+    SINGLERESPONSEASN_IDX_NEXTUPDATE,
+    SINGLERESPONSEASN_IDX_NEXTUPDATE_GT,
+    SINGLERESPONSEASN_IDX_EXT,
 };
 
 /* Number of items in ASN.1 template for OCSP single response. */
@@ -28753,12 +29443,18 @@ static int DecodeSingleResponse(byte* source, word32* ioIndex, word32 size,
         nextDateLen      = MAX_DATE_SIZE;
 
         /* Set OID type, buffers to hold data and variables to hold size. */
-        GetASN_OID(&dataASN[3], oidHashType);
-        GetASN_Buffer(&dataASN[5], single->issuerHash, &issuerHashLen);
-        GetASN_Buffer(&dataASN[6], single->issuerKeyHash, &issuerKeyHashLen);
-        GetASN_Buffer(&dataASN[7], cs->serial, &serialSz);
-        GetASN_Buffer(&dataASN[14], cs->thisDate, &thisDateLen);
-        GetASN_Buffer(&dataASN[16], cs->nextDate, &nextDateLen);
+        GetASN_OID(&dataASN[SINGLERESPONSEASN_IDX_CID_HASHALGO_OID],
+                oidHashType);
+        GetASN_Buffer(&dataASN[SINGLERESPONSEASN_IDX_CID_ISSUERHASH],
+                single->issuerHash, &issuerHashLen);
+        GetASN_Buffer(&dataASN[SINGLERESPONSEASN_IDX_CID_ISSUERKEYHASH],
+                single->issuerKeyHash, &issuerKeyHashLen);
+        GetASN_Buffer(&dataASN[SINGLERESPONSEASN_IDX_CID_SERIAL], cs->serial,
+                &serialSz);
+        GetASN_Buffer(&dataASN[SINGLERESPONSEASN_IDX_THISUPDATE_GT],
+                cs->thisDate, &thisDateLen);
+        GetASN_Buffer(&dataASN[SINGLERESPONSEASN_IDX_NEXTUPDATE_GT],
+                cs->nextDate, &nextDateLen);
         /* TODO: decode revoked time and reason. */
         /* Decode OCSP single response. */
         ret = GetASN_Items(singleResponseASN, dataASN, singleResponseASN_Length,
@@ -28777,13 +29473,13 @@ static int DecodeSingleResponse(byte* source, word32* ioIndex, word32 size,
         cs->serialSz = serialSz;
 
         /* Determine status by which item was found. */
-        if (dataASN[8].tag != 0) {
+        if (dataASN[SINGLERESPONSEASN_IDX_CS_GOOD].tag != 0) {
             cs->status = CERT_GOOD;
         }
-        if (dataASN[9].tag != 0) {
+        if (dataASN[SINGLERESPONSEASN_IDX_CS_REVOKED].tag != 0) {
             cs->status = CERT_REVOKED;
         }
-        if (dataASN[13].tag != 0) {
+        if (dataASN[SINGLERESPONSEASN_IDX_UNKNOWN].tag != 0) {
             cs->status = CERT_UNKNOWN;
         }
 
@@ -28800,14 +29496,16 @@ static int DecodeSingleResponse(byte* source, word32* ioIndex, word32 size,
     #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \
         defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY)
         /* Store ASN.1 version of thisDate. */
-        cs->thisDateAsn = GetASNItem_Addr(dataASN[14], source);
+        cs->thisDateAsn = GetASNItem_Addr(
+                dataASN[SINGLERESPONSEASN_IDX_THISUPDATE_GT], source);
         at = &cs->thisDateParsed;
         at->type = ASN_GENERALIZED_TIME;
         XMEMCPY(at->data, cs->thisDate, thisDateLen);
         at->length = thisDateLen;
     #endif
     }
-    if ((ret == 0) && (dataASN[16].tag != 0)) {
+    if ((ret == 0) &&
+            (dataASN[SINGLERESPONSEASN_IDX_NEXTUPDATE_GT].tag != 0)) {
         /* Store the nextDate format - only one possible. */
         cs->nextDateFormat = ASN_GENERALIZED_TIME;
     #if !defined(NO_ASN_TIME) && !defined(WOLFSSL_NO_OCSP_DATE_CHECK)
@@ -28816,12 +29514,14 @@ static int DecodeSingleResponse(byte* source, word32* ioIndex, word32 size,
             ret = ASN_AFTER_DATE_E;
         }
     }
-    if ((ret == 0) && (dataASN[16].tag != 0)) {
+    if ((ret == 0) &&
+            (dataASN[SINGLERESPONSEASN_IDX_NEXTUPDATE_GT].tag != 0)) {
     #endif
     #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \
         defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY)
         /* Store ASN.1 version of thisDate. */
-        cs->nextDateAsn = GetASNItem_Addr(dataASN[16], source);
+        cs->nextDateAsn = GetASNItem_Addr(
+                dataASN[SINGLERESPONSEASN_IDX_NEXTUPDATE_GT], source);
         at = &cs->nextDateParsed;
         at->type = ASN_GENERALIZED_TIME;
         XMEMCPY(at->data, cs->nextDate, nextDateLen);
@@ -28843,10 +29543,14 @@ static int DecodeSingleResponse(byte* source, word32* ioIndex, word32 size,
  * RFC 6960, 4.2.1 - ASN.1 Specification of the OCSP Response
  */
 static const ASNItem respExtHdrASN[] = {
-            /* responseExtensions */
-/*  0 */    { 0, ASN_CONTEXT_SPECIFIC | 1, 1, 1, 0 },
-                /* extensions */
-/*  1 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
+                                   /* responseExtensions */
+/* EXT     */    { 0, ASN_CONTEXT_SPECIFIC | 1, 1, 1, 0 },
+                                       /* extensions */
+/* EXT_SEQ */        { 1, ASN_SEQUENCE, 1, 1, 0 },
+};
+enum {
+    RESPEXTHDRASN_IDX_EXT = 0,
+    RESPEXTHDRASN_IDX_EXT_SEQ,
 };
 
 /* Number of items in ASN.1 template for OCSP response extension header. */
@@ -28939,29 +29643,30 @@ static int DecodeOcspRespExtensions(byte* source, word32* ioIndex,
 
     WOLFSSL_ENTER("DecodeOcspRespExtensions");
 
-    ALLOC_ASNGETDATA(dataASN, certExtASN_Length, ret, resp->heap);
+    CALLOC_ASNGETDATA(dataASN, certExtASN_Length, ret, resp->heap);
 
-    /* Check for header and move past. */
-    XMEMSET(dataASN, 0, sizeof(*dataASN) * respExtHdrASN_Length);
-    ret = GetASN_Items(respExtHdrASN, dataASN, respExtHdrASN_Length, 0,
-        source, &idx, sz);
+    if (ret == 0) {
+        /* Check for header and move past. */
+        ret = GetASN_Items(respExtHdrASN, dataASN, respExtHdrASN_Length, 0,
+            source, &idx, sz);
+    }
     if (ret == 0) {
         /* Keep end extensions index for total length check. */
-        maxIdx = idx + dataASN[1].length;
+        maxIdx = idx + dataASN[RESPEXTHDRASN_IDX_EXT_SEQ].length;
     }
 
     /* Step through all extensions. */
     while ((ret == 0) && (idx < maxIdx)) {
         /* Clear dynamic data, set OID type to expect. */
         XMEMSET(dataASN, 0, sizeof(*dataASN) * certExtASN_Length);
-        GetASN_OID(&dataASN[1], oidOcspType);
+        GetASN_OID(&dataASN[CERTEXTASN_IDX_OID], oidOcspType);
         /* TODO: check criticality. */
         /* Decode OCSP response extension. */
         ret = GetASN_Items(certExtASN, dataASN, certExtASN_Length, 0,
                            source, &idx, sz);
         if (ret == 0) {
-            word32 oid = dataASN[1].data.oid.sum;
-            int length = dataASN[3].length;
+            word32 oid = dataASN[CERTEXTASN_IDX_OID].data.oid.sum;
+            int length = dataASN[CERTEXTASN_IDX_VAL].length;
 
             if (oid == OCSP_NONCE_OID) {
                 /* Extract nonce data. */
@@ -28993,20 +29698,30 @@ static int DecodeOcspRespExtensions(byte* source, word32* ioIndex,
  * RFC 6960, 4.2.1 - ASN.1 Specification of the OCSP Response
  */
 static const ASNItem ocspRespDataASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* version DEFAULT v1 */
-/*  1 */        { 1, ASN_CONTEXT_SPECIFIC | 0, 1, 1, 1 },
-/*  2 */            { 2, ASN_INTEGER, 1, 0, 0 },
-                /* byName */
-/*  3 */        { 1, ASN_CONTEXT_SPECIFIC | 1, 1, 0, 2 },
-                /* byKey */
-/*  4 */        { 1, ASN_CONTEXT_SPECIFIC | 2, 1, 0, 2 },
-                /* producedAt */
-/*  5 */        { 1, ASN_GENERALIZED_TIME, 0, 0, 0, },
-                /* responses */
-/*  6 */        { 1, ASN_SEQUENCE, 1, 0, 0 },
-                /* responseExtensions */
-/*  7 */        { 1, ASN_CONTEXT_SPECIFIC | 1, 1, 0, 1 }
+/* SEQ         */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                             /* version DEFAULT v1 */
+/* VER_PRESENT */        { 1, ASN_CONTEXT_SPECIFIC | 0, 1, 1, 1 },
+/* VER         */            { 2, ASN_INTEGER, 1, 0, 0 },
+                                             /* byName */
+/* BYNAME      */        { 1, ASN_CONTEXT_SPECIFIC | 1, 1, 0, 2 },
+                                             /* byKey */
+/* BYKEY       */        { 1, ASN_CONTEXT_SPECIFIC | 2, 1, 0, 2 },
+                                             /* producedAt */
+/* PA          */        { 1, ASN_GENERALIZED_TIME, 0, 0, 0, },
+                                             /* responses */
+/* RESP        */        { 1, ASN_SEQUENCE, 1, 0, 0 },
+                                             /* responseExtensions */
+/* RESPEXT     */        { 1, ASN_CONTEXT_SPECIFIC | 1, 1, 0, 1 }
+};
+enum {
+    OCSPRESPDATAASN_IDX_SEQ = 0,
+    OCSPRESPDATAASN_IDX_VER_PRESENT,
+    OCSPRESPDATAASN_IDX_VER,
+    OCSPRESPDATAASN_IDX_BYNAME,
+    OCSPRESPDATAASN_IDX_BYKEY,
+    OCSPRESPDATAASN_IDX_PA,
+    OCSPRESPDATAASN_IDX_RESP,
+    OCSPRESPDATAASN_IDX_RESPEXT,
 };
 
 /* Number of items in ASN.1 template for OCSP ResponseData. */
@@ -29127,8 +29842,9 @@ static int DecodeResponseData(byte* source, word32* ioIndex,
         dateSz = MAX_DATE_SIZE;
 
         /* Set the where to put version an produced date. */
-        GetASN_Int8Bit(&dataASN[2], &version);
-        GetASN_Buffer(&dataASN[5], resp->producedDate, &dateSz);
+        GetASN_Int8Bit(&dataASN[OCSPRESPDATAASN_IDX_VER], &version);
+        GetASN_Buffer(&dataASN[OCSPRESPDATAASN_IDX_PA], resp->producedDate,
+                &dateSz);
         /* Decode the ResponseData. */
         ret = GetASN_Items(ocspRespDataASN, dataASN, ocspRespDataASN_Length,
                 1, source, ioIndex, size);
@@ -29146,14 +29862,14 @@ static int DecodeResponseData(byte* source, word32* ioIndex,
         /* Store size of response. */
         resp->responseSz = *ioIndex - idx;
         /* Store date format/tag. */
-        resp->producedDateFormat = dataASN[5].tag;
+        resp->producedDateFormat = dataASN[OCSPRESPDATAASN_IDX_PA].tag;
 
         /* Get the index of the responses SEQUENCE. */
-        idx = GetASNItem_DataIdx(dataASN[6], source);
+        idx = GetASNItem_DataIdx(dataASN[OCSPRESPDATAASN_IDX_RESP], source);
         /* Start with the pre-existing OcspEntry. */
         single = resp->single;
     }
-    while ((ret == 0) && (idx < dataASN[7].offset)) {
+    while ((ret == 0) && (idx < dataASN[OCSPRESPDATAASN_IDX_RESPEXT].offset)) {
         /* Allocate and use a new OCSP entry if this is used. */
         if (single->used) {
             single->next = (OcspEntry*)XMALLOC(sizeof(OcspEntry), resp->heap,
@@ -29184,16 +29900,18 @@ static int DecodeResponseData(byte* source, word32* ioIndex,
         }
         if (ret == 0) {
             /* Decode SingleResponse into OcspEntry. */
-            ret = DecodeSingleResponse(source, &idx, dataASN[7].offset,
-                    dataASN[6].length, single);
+            ret = DecodeSingleResponse(source, &idx,
+                    dataASN[OCSPRESPDATAASN_IDX_RESPEXT].offset,
+                    dataASN[OCSPRESPDATAASN_IDX_RESP].length, single);
             /* single->used set on successful decode. */
         }
     }
 
     /* Check if there were extensions. */
-    if ((ret == 0) && (dataASN[7].data.buffer.data != NULL)) {
+    if ((ret == 0) &&
+            (dataASN[OCSPRESPDATAASN_IDX_RESPEXT].data.buffer.data != NULL)) {
         /* Get index of [1] */
-        idx = dataASN[7].offset;
+        idx = dataASN[OCSPRESPDATAASN_IDX_RESPEXT].offset;
         /* Decode the response extensions. */
         if (DecodeOcspRespExtensions(source, &idx, resp, *ioIndex) < 0) {
             ret = ASN_PARSE_E;
@@ -29247,18 +29965,28 @@ static int DecodeCerts(byte* source,
  * RFC 6960, 4.2.1 - ASN.1 Specification of the OCSP Response
  */
 static const ASNItem ocspBasicRespASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* tbsResponseData */
-/*  1 */        { 1, ASN_SEQUENCE, 1, 0, 0, },
-                /* signatureAlgorithm */
-/*  2 */        { 1, ASN_SEQUENCE, 1, 1, 0, },
-/*  3 */            { 2, ASN_OBJECT_ID, 0, 0, 0 },
-/*  4 */            { 2, ASN_TAG_NULL, 0, 0, 1 },
-                /* signature */
-/*  5 */        { 1, ASN_BIT_STRING, 0, 0, 0 },
-                /* certs */
-/*  6 */        { 1, ASN_CONTEXT_SPECIFIC | 0, 1, 1, 1 },
-/*  7 */            { 2, ASN_SEQUENCE, 1, 0, 0, },
+/* SEQ          */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                            /* tbsResponseData */
+/* TBS_SEQ      */     { 1, ASN_SEQUENCE, 1, 0, 0, },
+                                            /* signatureAlgorithm */
+/* SIGALGO      */     { 1, ASN_SEQUENCE, 1, 1, 0, },
+/* SIGALGO_OID  */         { 2, ASN_OBJECT_ID, 0, 0, 0 },
+/* SIGALGO_NULL */         { 2, ASN_TAG_NULL, 0, 0, 1 },
+                                            /* signature */
+/* SIGNATURE    */     { 1, ASN_BIT_STRING, 0, 0, 0 },
+                                            /* certs */
+/* CERTS        */     { 1, ASN_CONTEXT_SPECIFIC | 0, 1, 1, 1 },
+/* CERTS_SEQ    */         { 2, ASN_SEQUENCE, 1, 0, 0, },
+};
+enum {
+    OCSPBASICRESPASN_IDX_SEQ = 0,
+    OCSPBASICRESPASN_IDX_TBS_SEQ,
+    OCSPBASICRESPASN_IDX_SIGALGO,
+    OCSPBASICRESPASN_IDX_SIGALGO_OID,
+    OCSPBASICRESPASN_IDX_SIGALGO_NULL,
+    OCSPBASICRESPASN_IDX_SIGNATURE,
+    OCSPBASICRESPASN_IDX_CERTS,
+    OCSPBASICRESPASN_IDX_CERTS_SEQ,
 };
 
 /* Number of items in ASN.1 template for BasicOCSPResponse. */
@@ -29405,7 +30133,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
 
     if (ret == 0) {
         /* Set expecting signature OID. */
-        GetASN_OID(&dataASN[3], oidSigType);
+        GetASN_OID(&dataASN[OCSPBASICRESPASN_IDX_SIGALGO_OID], oidSigType);
         /* Decode BasicOCSPResponse. */
         ret = GetASN_Items(ocspBasicRespASN, dataASN, ocspBasicRespASN_Length,
                 1, source, &idx, size);
@@ -29413,21 +30141,27 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
     if (ret == 0) {
         word32 dataIdx = 0;
         /* Decode the response data. */
-        if (DecodeResponseData(GetASNItem_Addr(dataASN[1], source), &dataIdx,
-                resp, GetASNItem_Length(dataASN[1], source)) < 0) {
+        if (DecodeResponseData(
+                GetASNItem_Addr(dataASN[OCSPBASICRESPASN_IDX_TBS_SEQ], source),
+                &dataIdx, resp,
+                GetASNItem_Length(dataASN[OCSPBASICRESPASN_IDX_TBS_SEQ], source)
+                ) < 0) {
             ret = ASN_PARSE_E;
         }
     }
     if (ret == 0) {
         /* Get the signature OID and signature. */
-        resp->sigOID = dataASN[3].data.oid.sum;
-        GetASN_GetRef(&dataASN[5], &resp->sig, &resp->sigSz);
+        resp->sigOID = dataASN[OCSPBASICRESPASN_IDX_SIGALGO_OID].data.oid.sum;
+        GetASN_GetRef(&dataASN[OCSPBASICRESPASN_IDX_SIGNATURE], &resp->sig,
+                &resp->sigSz);
     }
 #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS
-    if ((ret == 0) && (dataASN[7].data.ref.data != NULL)) {
+    if ((ret == 0) &&
+            (dataASN[OCSPBASICRESPASN_IDX_CERTS_SEQ].data.ref.data != NULL)) {
         /* TODO: support more than one certificate. */
         /* Store reference to certificate BER data. */
-        GetASN_GetRef(&dataASN[7], &resp->cert, &resp->certSz);
+        GetASN_GetRef(&dataASN[OCSPBASICRESPASN_IDX_CERTS_SEQ], &resp->cert,
+                &resp->certSz);
 
         /* Allocate a certificate object to decode cert into. */
     #ifdef WOLFSSL_SMALL_STACK
@@ -29437,7 +30171,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
             ret = MEMORY_E;
         }
     }
-    if ((ret == 0) && (dataASN[7].data.ref.data != NULL)) {
+    if ((ret == 0) &&
+            (dataASN[OCSPBASICRESPASN_IDX_CERTS_SEQ].data.ref.data != NULL)) {
     #endif
         /* Initialize the crtificate object. */
         InitDecodedCert(cert, resp->cert, resp->certSz, heap);
@@ -29450,7 +30185,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
             WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
         }
     }
-    if ((ret == 0) && (dataASN[7].data.ref.data != NULL)) {
+    if ((ret == 0) &&
+            (dataASN[OCSPBASICRESPASN_IDX_CERTS_SEQ].data.ref.data != NULL)) {
         /* TODO: ConfirmSignature is blocking here */
         /* Check the signature of the response. */
         ret = ConfirmSignature(&cert->sigCtx, resp->response, resp->responseSz,
@@ -29461,7 +30197,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
             ret = ASN_OCSP_CONFIRM_E;
         }
     }
-    if ((ret == 0) && (dataASN[7].data.ref.data == NULL))
+    if ((ret == 0) &&
+            (dataASN[OCSPBASICRESPASN_IDX_CERTS_SEQ].data.ref.data == NULL))
 #else
     if (ret == 0)
 #endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */
@@ -29549,18 +30286,31 @@ void FreeOcspResponse(OcspResponse* resp)
  * RFC 6960, 4.2.1 - ASN.1 Specification of the OCSP Response
  */
 static const ASNItem ocspResponseASN[] = {
-            /* OCSPResponse ::= SEQUENCE */
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* responseStatus      OCSPResponseStatus */
-/*  1 */        { 1, ASN_ENUMERATED, 0, 0, 0, },
-                /* responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL */
-/*  2 */        { 1, ASN_CONTEXT_SPECIFIC | 0, 1, 1, 1 },
-                    /* ResponseBytes ::= SEQUENCE */
-/*  3 */            { 2, ASN_SEQUENCE, 1, 1, 0 },
-                       /* responseType   OBJECT IDENTIFIER */
-/*  4 */               { 3, ASN_OBJECT_ID, 0, 0, 0 },
-                       /* response       OCTET STRING */
-/*  5 */               { 3, ASN_OCTET_STRING, 0, 0, 0 },
+                                     /* OCSPResponse ::= SEQUENCE */
+/* SEQ        */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                         /* responseStatus      OCSPResponseStatus */
+/* STATUS     */     { 1, ASN_ENUMERATED, 0, 0, 0, },
+                                         /* responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL */
+/* BYTES      */     { 1, ASN_CONTEXT_SPECIFIC | 0, 1, 1, 1 },
+                                             /* ResponseBytes ::= SEQUENCE */
+/* BYTES_SEQ  */         { 2, ASN_SEQUENCE, 1, 1, 0 },
+                                                /* responseType   OBJECT IDENTIFIER */
+/* BYTES_TYPE */            { 3, ASN_OBJECT_ID, 0, 0, 0 },
+                                                /* response       OCTET STRING */
+/* BYTES_VAL  */            { 3, ASN_OCTET_STRING, 0, 0, 0 },
+};
+enum {
+    OCSPRESPONSEASN_IDX_SEQ = 0,
+
+    OCSPRESPONSEASN_IDX_STATUS,
+
+    OCSPRESPONSEASN_IDX_BYTES,
+
+    OCSPRESPONSEASN_IDX_BYTES_SEQ,
+
+    OCSPRESPONSEASN_IDX_BYTES_TYPE,
+
+    OCSPRESPONSEASN_IDX_BYTES_VAL,
 };
 
 /* Number of items in ASN.1 template for OCSPResponse. */
@@ -29659,8 +30409,8 @@ int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap, int noVerify)
 
     if (ret == 0) {
         /* Set variable to put status in and expect OCSP OID. */
-        GetASN_Int8Bit(&dataASN[1], &status);
-        GetASN_OID(&dataASN[4], oidOcspType);
+        GetASN_Int8Bit(&dataASN[OCSPRESPONSEASN_IDX_STATUS], &status);
+        GetASN_OID(&dataASN[OCSPRESPONSEASN_IDX_BYTES_TYPE], oidOcspType);
         /* Decode OCSPResponse (and ResponseBytes). */
         ret = GetASN_Items(ocspResponseASN, dataASN, ocspResponseASN_Length, 1,
             source, &idx, size);
@@ -29668,9 +30418,11 @@ int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap, int noVerify)
     if (ret == 0) {
         /* Get response. */
         resp->responseStatus = status;
-        if (dataASN[4].data.oid.sum == OCSP_BASIC_OID) {
+        if (dataASN[OCSPRESPONSEASN_IDX_BYTES_TYPE].data.oid.sum
+                == OCSP_BASIC_OID) {
             /* Get reference to BasicOCSPResponse. */
-            GetASN_GetRef(&dataASN[5], &basic, &basicSz);
+            GetASN_GetRef(&dataASN[OCSPRESPONSEASN_IDX_BYTES_VAL], &basic,
+                    &basicSz);
             idx = 0;
             /* Decode BasicOCSPResponse. */
             ret = DecodeBasicOcspResponse(basic, &idx, resp, basicSz, cm, heap,
@@ -29694,16 +30446,23 @@ int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap, int noVerify)
  * X.509: RFC 5280, 4.1 - Basic Certificate Fields. (Extension)
  */
 static const ASNItem ocspNonceExtASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* Extension */
-/*  1 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
-                   /* extnId */
-/*  2 */           {2, ASN_OBJECT_ID, 0, 0, 0 },
-                   /* critcal not encoded. */
-                   /* extnValue */
-/*  3 */           {2, ASN_OCTET_STRING, 0, 1, 0 },
-                       /* nonce */
-/*  4 */               {3, ASN_OCTET_STRING, 0, 0, 0 },
+/* SEQ       */ { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                     /* Extension */
+/* EXT       */     { 1, ASN_SEQUENCE, 1, 1, 0 },
+                                        /* extnId */
+/* EXT_OID   */        {2, ASN_OBJECT_ID, 0, 0, 0 },
+                                        /* critcal not encoded. */
+                                        /* extnValue */
+/* EXT_VAL   */        {2, ASN_OCTET_STRING, 0, 1, 0 },
+                                               /* nonce */
+/* EXT_NONCE */            {3, ASN_OCTET_STRING, 0, 0, 0 },
+};
+enum {
+    OCSPNONCEEXTASN_IDX_SEQ = 0,
+    OCSPNONCEEXTASN_IDX_EXT,
+    OCSPNONCEEXTASN_IDX_EXT_OID,
+    OCSPNONCEEXTASN_IDX_EXT_VAL,
+    OCSPNONCEEXTASN_IDX_EXT_NONCE,
 };
 
 /* Number of items in ASN.1 template for OCSP nonce extension. */
@@ -29770,8 +30529,10 @@ word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size)
         CALLOC_ASNSETDATA(dataASN, ocspNonceExtASN_Length, ret, req->heap);
 
         /* Set nonce extension OID and nonce. */
-        SetASN_Buffer(&dataASN[2], NonceObjId, sizeof(NonceObjId));
-        SetASN_Buffer(&dataASN[4], req->nonce, req->nonceSz);
+        SetASN_Buffer(&dataASN[OCSPNONCEEXTASN_IDX_EXT_OID], NonceObjId,
+                sizeof(NonceObjId));
+        SetASN_Buffer(&dataASN[OCSPNONCEEXTASN_IDX_EXT_NONCE], req->nonce,
+                req->nonceSz);
         /* Calculate size of nonce extension. */
         ret = SizeASN_Items(ocspNonceExtASN, dataASN, ocspNonceExtASN_Length,
                             &sz);
@@ -29802,30 +30563,43 @@ word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size)
  * RFC 6960, 4.1.1 - ASN.1 Specification of the OCSP Request
  */
 static const ASNItem ocspRequestASN[] = {
-            /* OCSPRequest */
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* tbsRequest */
-/*  1 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
-                    /* version not written - v1 */
-                    /* requestorName not written */
-                    /* requestList */
-/*  2 */            { 2, ASN_SEQUENCE, 1, 1, 0 },
-                        /* Request */
-/*  3 */                { 3, ASN_SEQUENCE, 1, 1, 0 },
-                            /* reqCert */
-/*  4 */                    { 4, ASN_SEQUENCE, 1, 1, 0 },
-                                /* hashAlgorithm */
-/*  5 */                        { 5, ASN_SEQUENCE, 1, 1, 0 },
-/*  6 */                            { 6, ASN_OBJECT_ID, 0, 0, 0 },
-                                /* issuerNameHash */
-/*  7 */                        { 5, ASN_OCTET_STRING, 0, 0, 0 },
-                                /* issuerKeyHash */
-/*  8 */                        { 5, ASN_OCTET_STRING, 0, 0, 0 },
-                                /* serialNumber */
-/*  9 */                        { 5, ASN_INTEGER, 0, 0, 0 },
-                    /* requestExtensions */
-/* 10 */            { 2, ASN_CONTEXT_SPECIFIC | 2, 1, 0, 0 },
-                /* optionalSignature not written. */
+                                              /* OCSPRequest */
+/* SEQ               */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                                  /* tbsRequest */
+/* TBS               */        { 1, ASN_SEQUENCE, 1, 1, 0 },
+                                                      /* version not written - v1 */
+                                                      /* requestorName not written */
+                                                      /* requestList */
+/* TBS_SEQ           */            { 2, ASN_SEQUENCE, 1, 1, 0 },
+                                                          /* Request */
+/* TBS_LIST          */                { 3, ASN_SEQUENCE, 1, 1, 0 },
+                                                              /* reqCert */
+/* TBS_REQ_CID       */                    { 4, ASN_SEQUENCE, 1, 1, 0 },
+                                                                  /* hashAlgorithm */
+/* TBS_REQ_HASH      */                        { 5, ASN_SEQUENCE, 1, 1, 0 },
+/* TBS_REQ_HASH_OID  */                            { 6, ASN_OBJECT_ID, 0, 0, 0 },
+                                                                  /* issuerNameHash */
+/* TBS_REQ_ISSUER    */                        { 5, ASN_OCTET_STRING, 0, 0, 0 },
+                                                                  /* issuerKeyHash */
+/* TBS_REQ_ISSUERKEY */                        { 5, ASN_OCTET_STRING, 0, 0, 0 },
+                                                                  /* serialNumber */
+/* TBS_REQ_SERIAL    */                        { 5, ASN_INTEGER, 0, 0, 0 },
+                                                      /* requestExtensions */
+/* TBS_REQEXT        */            { 2, ASN_CONTEXT_SPECIFIC | 2, 1, 0, 0 },
+                                                  /* optionalSignature not written. */
+};
+enum {
+    OCSPREQUESTASN_IDX_SEQ = 0,
+    OCSPREQUESTASN_IDX_TBS,
+    OCSPREQUESTASN_IDX_TBS_SEQ,
+    OCSPREQUESTASN_IDX_TBS_LIST,
+    OCSPREQUESTASN_IDX_TBS_REQ_CID,
+    OCSPREQUESTASN_IDX_TBS_REQ_HASH,
+    OCSPREQUESTASN_IDX_TBS_REQ_HASH_OID,
+    OCSPREQUESTASN_IDX_TBS_REQ_ISSUER,
+    OCSPREQUESTASN_IDX_TBS_REQ_ISSUERKEY,
+    OCSPREQUESTASN_IDX_TBS_REQ_SERIAL,
+    OCSPREQUESTASN_IDX_TBS_REQEXT,
 };
 
 /* Number of items in ASN.1 template for OCSPRequest. */
@@ -29920,27 +30694,32 @@ int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size)
     if (ret == 0) {
         /* Set OID of hash algorithm use on issuer and key. */
     #ifdef NO_SHA
-        SetASN_OID(&dataASN[6], SHA256h, oidHashType);
+        SetASN_OID(&dataASN[OCSPREQUESTASN_IDX_TBS_REQ_HASH_OID], SHA256h,
+                oidHashType);
     #else
-        SetASN_OID(&dataASN[6], SHAh, oidHashType);
+        SetASN_OID(&dataASN[OCSPREQUESTASN_IDX_TBS_REQ_HASH_OID], SHAh,
+                oidHashType);
     #endif
         /* Set issuer, issuer key hash and serial number of certificate being
          * checked. */
-        SetASN_Buffer(&dataASN[7], req->issuerHash, KEYID_SIZE);
-        SetASN_Buffer(&dataASN[8], req->issuerKeyHash, KEYID_SIZE);
-        SetASN_Buffer(&dataASN[9], req->serial, req->serialSz);
+        SetASN_Buffer(&dataASN[OCSPREQUESTASN_IDX_TBS_REQ_ISSUER],
+                req->issuerHash, KEYID_SIZE);
+        SetASN_Buffer(&dataASN[OCSPREQUESTASN_IDX_TBS_REQ_ISSUERKEY],
+                req->issuerKeyHash, KEYID_SIZE);
+        SetASN_Buffer(&dataASN[OCSPREQUESTASN_IDX_TBS_REQ_SERIAL],
+                req->serial, req->serialSz);
         /* Only extension to write is nonce - check if one to encode. */
         if (req->nonceSz) {
             /* Get size of extensions and leave space for them in encoding. */
             ret = extSz = EncodeOcspRequestExtensions(req, NULL, 0);
-            SetASN_Buffer(&dataASN[10], NULL, extSz);
+            SetASN_Buffer(&dataASN[OCSPREQUESTASN_IDX_TBS_REQEXT], NULL, extSz);
             if (ret > 0) {
                 ret = 0;
             }
         }
         else {
             /* Don't write out extensions. */
-            dataASN[10].noOut = 1;
+            dataASN[OCSPREQUESTASN_IDX_TBS_REQEXT].noOut = 1;
         }
     }
     if (ret == 0) {
@@ -29958,7 +30737,8 @@ int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size)
         if (req->nonceSz) {
             /* Encode extensions into space provided. */
             ret = EncodeOcspRequestExtensions(req,
-                (byte*)dataASN[10].data.buffer.data, extSz);
+                (byte*)dataASN[OCSPREQUESTASN_IDX_TBS_REQEXT].data.buffer.data,
+                extSz);
             if (ret > 0) {
                 ret = 0;
             }
@@ -30137,8 +30917,12 @@ int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp)
 #ifdef WOLFSSL_ASN_TEMPLATE
 /* ASN.1 template for certificate name hash. */
 static const ASNItem nameHashASN[] = {
-/*  0 */    { 0, ASN_OBJECT_ID, 0, 0, 1 },
-/*  1 */    { 0, ASN_SEQUENCE, 1, 0, 0 },
+/* OID  */ { 0, ASN_OBJECT_ID, 0, 0, 1 },
+/* NAME */ { 0, ASN_SEQUENCE, 1, 0, 0 },
+};
+enum {
+    NAMEHASHASN_IDX_OID = 0,
+    NAMEHASHASN_IDX_NAME,
 };
 
 /* Number of items in ASN.1 template for certificate name hash. */
@@ -30185,7 +30969,7 @@ int GetNameHash(const byte* source, word32* idx, byte* hash, int maxIdx)
 
     XMEMSET(dataASN, 0, sizeof(dataASN));
     /* Ignore the OID even when present. */
-    GetASN_OID(&dataASN[0], oidIgnoreType);
+    GetASN_OID(&dataASN[NAMEHASHASN_IDX_OID], oidIgnoreType);
     /* Decode certificate name. */
     ret = GetASN_Items(nameHashASN, dataASN, nameHashASN_Length, 0, source, idx,
            maxIdx);
@@ -30194,8 +30978,10 @@ int GetNameHash(const byte* source, word32* idx, byte* hash, int maxIdx)
          * calculated over the entire DER encoding of the Name field, including
          * the tag and length. */
         /* Calculate hash of complete name including SEQUENCE. */
-        ret = CalcHashId(GetASNItem_Addr(dataASN[1], source),
-                         GetASNItem_Length(dataASN[1], source), hash);
+        ret = CalcHashId(
+                GetASNItem_Addr(dataASN[NAMEHASHASN_IDX_NAME], source),
+                GetASNItem_Length(dataASN[NAMEHASHASN_IDX_NAME], source),
+                hash);
     }
 
     return ret;
@@ -30238,14 +31024,21 @@ void FreeDecodedCRL(DecodedCRL* dcrl)
  * X.509: RFC 5280, 5.1 - CRL Fields
  */
 static const ASNItem revokedASN[] = {
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* userCertificate    CertificateSerialNumber */
-/*  1 */        { 1, ASN_INTEGER, 0, 0, 0 },
-                /* revocationDate     Time */
-/*  2 */        { 1, ASN_UTC_TIME, 0, 0, 2 },
-/*  3 */        { 1, ASN_GENERALIZED_TIME, 0, 0, 2 },
-                /* crlEntryExensions  Extensions */
-/*  4 */        { 1, ASN_SEQUENCE, 1, 0, 1 },
+/* SEQ      */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                     /* userCertificate    CertificateSerialNumber */
+/* CERT     */        { 1, ASN_INTEGER, 0, 0, 0 },
+                                     /* revocationDate     Time */
+/* TIME_UTC */        { 1, ASN_UTC_TIME, 0, 0, 2 },
+/* TIME_GT  */        { 1, ASN_GENERALIZED_TIME, 0, 0, 2 },
+                                     /* crlEntryExensions  Extensions */
+/* TIME_EXT */        { 1, ASN_SEQUENCE, 1, 0, 1 },
+};
+enum {
+    REVOKEDASN_IDX_SEQ = 0,
+    REVOKEDASN_IDX_CERT,
+    REVOKEDASN_IDX_TIME_UTC,
+    REVOKEDASN_IDX_TIME_GT,
+    REVOKEDASN_IDX_TIME_EXT,
 };
 
 /* Number of items in ASN.1 template for revoked certificates. */
@@ -30315,7 +31108,8 @@ static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl,
 
     if (ret == 0) {
         /* Set buffer to place serial number into. */
-        GetASN_Buffer(&dataASN[1], rc->serialNumber, &serialSz);
+        GetASN_Buffer(&dataASN[REVOKEDASN_IDX_CERT], rc->serialNumber,
+                &serialSz);
         /* Decode the Revoked */
         ret = GetASN_Items(revokedASN, dataASN, revokedASN_Length, 1, buff, idx,
                 maxIdx);
@@ -30603,13 +31397,14 @@ static int ParseCRL_AuthKeyIdExt(const byte* input, int sz, DecodedCRL* dcrl)
     }
     if (ret == 0) {
         /* Key id is optional. */
-        if (dataASN[1].data.ref.data == NULL) {
+        if (dataASN[AUTHKEYIDASN_IDX_KEYID].data.ref.data == NULL) {
             WOLFSSL_MSG("\tinfo: OPTIONAL item 0, not available");
         }
         else {
             /* Get the hash or hash of the hash if wrong size. */
-            ret = GetHashId(dataASN[1].data.ref.data,
-                dataASN[1].data.ref.length, dcrl->extAuthKeyId);
+            ret = GetHashId(dataASN[AUTHKEYIDASN_IDX_KEYID].data.ref.data,
+                dataASN[AUTHKEYIDASN_IDX_KEYID].data.ref.length,
+                dcrl->extAuthKeyId);
         }
     }
 
@@ -30732,17 +31527,17 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
         /* Clear dynamic data. */
         XMEMSET(dataASN, 0, sizeof(*dataASN) * certExtASN_Length);
         /* Ensure OID is an extention type. */
-        GetASN_OID(&dataASN[1], oidCertExtType);
+        GetASN_OID(&dataASN[CERTEXTASN_IDX_OID], oidCertExtType);
         /* Set criticality variable. */
-        dataASN[2].data.u8 = &critical;
+        GetASN_Int8Bit(&dataASN[CERTEXTASN_IDX_CRIT], &critical);
         /* Parse extension wrapper. */
         ret = GetASN_Items(certExtASN, dataASN, certExtASN_Length, 0, buf, &idx,
                 maxIdx);
         if (ret == 0) {
             /* OID in extension. */
-            word32 oid = dataASN[1].data.oid.sum;
+            word32 oid = dataASN[CERTEXTASN_IDX_OID].data.oid.sum;
             /* Length of extension data. */
-            int length = dataASN[3].length;
+            int length = dataASN[CERTEXTASN_IDX_VAL].length;
 
             if (oid == AUTH_KEY_OID) {
             #ifndef NO_SKID
@@ -30774,35 +31569,55 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
  * X.509: RFC 5280, 5.1 - CRL Fields
  */
 static const ASNItem crlASN[] = {
-            /* CertificateList */
-/*  0 */    { 0, ASN_SEQUENCE, 1, 1, 0 },
-                /* tbsCertList */
-/*  1 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
-                    /* version     Version OPTIONAL if present must be v2 */
-/*  2 */            { 2, ASN_INTEGER, 0, 0, 1 },
-                    /* signature */
-/*  3 */            { 2, ASN_SEQUENCE, 1, 1, 0 },
-/*  4 */                { 3, ASN_OBJECT_ID, 0, 0, 0 },
-/*  5 */                { 3, ASN_TAG_NULL, 0, 0, 1 },
-                    /* issuer */
-/*  6 */            { 2, ASN_SEQUENCE, 1, 0, 0 },
-                    /* thisUpdate */
-/*  7 */            { 2, ASN_UTC_TIME, 0, 0, 2 },
-/*  8 */            { 2, ASN_GENERALIZED_TIME, 0, 0, 2 },
-                    /* nextUpdate */
-/*  9 */            { 2, ASN_UTC_TIME, 0, 0, 3 },
-/* 10 */            { 2, ASN_GENERALIZED_TIME, 0, 0, 3 },
-                    /* revokedCertificates */
-/* 11 */            { 2, ASN_SEQUENCE, 1, 0, 1 },
-                    /* crlExtensions */
-/* 12 */            { 2, ASN_CONTEXT_SPECIFIC | 0, 1, 1, 1 },
-/* 13 */                { 3, ASN_SEQUENCE, 1, 0, 0 },
-                /* signatureAlgorithm */
-/* 14 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
-/* 15 */            { 2, ASN_OBJECT_ID, 0, 0, 0 },
-/* 16 */            { 2, ASN_TAG_NULL, 0, 0, 1 },
-                /* signatureValue */
-/* 17 */        { 1, ASN_BIT_STRING, 0, 0, 0 },
+                                       /* CertificateList */
+/* SEQ                */    { 0, ASN_SEQUENCE, 1, 1, 0 },
+                                           /* tbsCertList */
+/* TBS                */        { 1, ASN_SEQUENCE, 1, 1, 0 },
+                                               /* version     Version OPTIONAL if present must be v2 */
+/* TBS_VER            */            { 2, ASN_INTEGER, 0, 0, 1 },
+                                               /* signature */
+/* TBS_SIGALGO        */            { 2, ASN_SEQUENCE, 1, 1, 0 },
+/* TBS_SIGALGO_OID    */                { 3, ASN_OBJECT_ID, 0, 0, 0 },
+/* TBS_SIGALGO_NULL   */                { 3, ASN_TAG_NULL, 0, 0, 1 },
+                                               /* issuer */
+/* TBS_ISSUER         */            { 2, ASN_SEQUENCE, 1, 0, 0 },
+                                               /* thisUpdate */
+/* TBS_THISUPDATE_UTC */            { 2, ASN_UTC_TIME, 0, 0, 2 },
+/* TBS_THISUPDATE_GT  */            { 2, ASN_GENERALIZED_TIME, 0, 0, 2 },
+                                               /* nextUpdate */
+/* TBS_NEXTUPDATE_UTC */            { 2, ASN_UTC_TIME, 0, 0, 3 },
+/* TBS_NEXTUPDATE_GT  */            { 2, ASN_GENERALIZED_TIME, 0, 0, 3 },
+                                               /* revokedCertificates */
+/* TBS_REVOKEDCERTS   */            { 2, ASN_SEQUENCE, 1, 0, 1 },
+                                               /* crlExtensions */
+/* TBS_EXT            */            { 2, ASN_CONTEXT_SPECIFIC | 0, 1, 1, 1 },
+/* TBS_EXT_SEQ        */                { 3, ASN_SEQUENCE, 1, 0, 0 },
+                                           /* signatureAlgorithm */
+/* SIGALGO            */        { 1, ASN_SEQUENCE, 1, 1, 0 },
+/* SIGALGO_OID        */            { 2, ASN_OBJECT_ID, 0, 0, 0 },
+/* SIGALGO_NULL       */            { 2, ASN_TAG_NULL, 0, 0, 1 },
+                                           /* signatureValue */
+/* SIGNATURE          */        { 1, ASN_BIT_STRING, 0, 0, 0 },
+};
+enum {
+    CRLASN_IDX_SEQ = 0,
+    CRLASN_IDX_TBS,
+    CRLASN_IDX_TBS_VER,
+    CRLASN_IDX_TBS_SIGALGO,
+    CRLASN_IDX_TBS_SIGALGO_OID,
+    CRLASN_IDX_TBS_SIGALGO_NULL,
+    CRLASN_IDX_TBS_ISSUER,
+    CRLASN_IDX_TBS_THISUPDATE_UTC,
+    CRLASN_IDX_TBS_THISUPDATE_GT,
+    CRLASN_IDX_TBS_NEXTUPDATE_UTC,
+    CRLASN_IDX_TBS_NEXTUPDATE_GT,
+    CRLASN_IDX_TBS_REVOKEDCERTS,
+    CRLASN_IDX_TBS_EXT,
+    CRLASN_IDX_TBS_EXT_SEQ,
+    CRLASN_IDX_SIGALGO,
+    CRLASN_IDX_SIGALGO_OID,
+    CRLASN_IDX_SIGALGO_NULL,
+    CRLASN_IDX_SIGNATURE,
 };
 
 /* Number of items in ASN.1 template for a CRL- CertificateList. */
@@ -30907,21 +31722,26 @@ end:
 
     if (ret == 0) {
         /* Set variable to store version. */
-        GetASN_Int8Bit(&dataASN[2], &version);
+        GetASN_Int8Bit(&dataASN[CRLASN_IDX_TBS_VER], &version);
         /* Set expecting signature OID. */
-        GetASN_OID(&dataASN[4], oidSigType);
+        GetASN_OID(&dataASN[CRLASN_IDX_TBS_SIGALGO_OID], oidSigType);
         /* Set buffer to put last and next date into. */
-        GetASN_Buffer(&dataASN[7], dcrl->lastDate, &lastDateSz);
-        GetASN_Buffer(&dataASN[8], dcrl->lastDate, &lastDateSz);
-        GetASN_Buffer(&dataASN[9], dcrl->nextDate, &nextDateSz);
-        GetASN_Buffer(&dataASN[10], dcrl->nextDate, &nextDateSz);
+        GetASN_Buffer(&dataASN[CRLASN_IDX_TBS_THISUPDATE_UTC], dcrl->lastDate,
+                &lastDateSz);
+        GetASN_Buffer(&dataASN[CRLASN_IDX_TBS_THISUPDATE_GT], dcrl->lastDate,
+                &lastDateSz);
+        GetASN_Buffer(&dataASN[CRLASN_IDX_TBS_NEXTUPDATE_UTC], dcrl->nextDate,
+                &nextDateSz);
+        GetASN_Buffer(&dataASN[CRLASN_IDX_TBS_NEXTUPDATE_GT], dcrl->nextDate,
+                &nextDateSz);
         /* Set expecting signature OID. */
-        GetASN_OID(&dataASN[14], oidSigType);
+        GetASN_OID(&dataASN[CRLASN_IDX_SIGALGO_OID], oidSigType);
         /* Decode the CRL. */
         ret = GetASN_Items(crlASN, dataASN, crlASN_Length, 1, buff, &idx, sz);
     }
     /* Version must be v2 = 1 if present. */
-    if ((ret == 0) && (dataASN[2].tag != 0) && (version != 1)) {
+    if ((ret == 0) && (dataASN[CRLASN_IDX_TBS_VER].tag != 0) &&
+            (version != 1)) {
         ret = ASN_PARSE_E;
     }
     /* Check minimum size of last date. */
@@ -30933,23 +31753,27 @@ end:
         ret = ASN_PARSE_E;
     }
     /* 'signatureAlgorithm' OID must be the same as 'signature' OID. */
-    if ((ret == 0) && (dataASN[15].data.oid.sum != dataASN[4].data.oid.sum)) {
+    if ((ret == 0) && (dataASN[CRLASN_IDX_SIGALGO_OID].data.oid.sum !=
+            dataASN[CRLASN_IDX_TBS_SIGALGO_OID].data.oid.sum)) {
         ret = ASN_PARSE_E;
     }
     if (ret == 0) {
         /* Store offset of to be signed part. */
-        dcrl->certBegin = dataASN[1].offset;
+        dcrl->certBegin = dataASN[CRLASN_IDX_TBS].offset;
         /* Store index of signature. */
-        dcrl->sigIndex = dataASN[14].offset;
+        dcrl->sigIndex = dataASN[CRLASN_IDX_SIGALGO].offset;
         /* Store address and length of signature data. */
-        GetASN_GetRef(&dataASN[17], &dcrl->signature, &dcrl->sigLength);
+        GetASN_GetRef(&dataASN[CRLASN_IDX_SIGNATURE], &dcrl->signature,
+                &dcrl->sigLength);
         /* Get the signature OID. */
-        dcrl->signatureOID = dataASN[15].data.oid.sum;
+        dcrl->signatureOID = dataASN[CRLASN_IDX_SIGALGO_OID].data.oid.sum;
         /* Get the format/tag of the last and next date. */
-        dcrl->lastDateFormat = (dataASN[7].tag != 0) ? dataASN[7].tag
-                                                     : dataASN[8].tag;
-        dcrl->nextDateFormat = (dataASN[9].tag != 0) ? dataASN[9].tag
-                                                     : dataASN[10].tag;
+        dcrl->lastDateFormat = (dataASN[CRLASN_IDX_TBS_THISUPDATE_UTC].tag != 0)
+                ? dataASN[CRLASN_IDX_TBS_THISUPDATE_UTC].tag
+                : dataASN[CRLASN_IDX_TBS_THISUPDATE_GT].tag;
+        dcrl->nextDateFormat = (dataASN[CRLASN_IDX_TBS_NEXTUPDATE_UTC].tag != 0)
+                ? dataASN[CRLASN_IDX_TBS_NEXTUPDATE_UTC].tag
+                : dataASN[CRLASN_IDX_TBS_NEXTUPDATE_GT].tag;
     #ifndef NO_ASN_TIME
         if (dcrl->nextDateFormat != 0) {
             /* Next date was set, so validate it. */
@@ -30962,23 +31786,24 @@ end:
     if (ret == 0) {
     #endif
         /* Calculate the Hash id from the issuer name. */
-        ret = CalcHashId(GetASNItem_Addr(dataASN[6], buff),
-                         GetASNItem_Length(dataASN[6], buff), dcrl->issuerHash);
+        ret = CalcHashId(GetASNItem_Addr(dataASN[CRLASN_IDX_TBS_ISSUER], buff),
+                GetASNItem_Length(dataASN[CRLASN_IDX_TBS_ISSUER], buff),
+                dcrl->issuerHash);
         if (ret < 0) {
             ret = ASN_PARSE_E;
         }
     }
-    if ((ret == 0) && (dataASN[11].tag != 0)) {
+    if ((ret == 0) && (dataASN[CRLASN_IDX_TBS_REVOKEDCERTS].tag != 0)) {
         /* Parse revoked cerificates - starting after SEQUENCE OF. */
         ret = ParseCRL_RevokedCerts(dcrl, buff,
-            GetASNItem_DataIdx(dataASN[11], buff),
-            GetASNItem_EndIdx(dataASN[11], buff));
+            GetASNItem_DataIdx(dataASN[CRLASN_IDX_TBS_REVOKEDCERTS], buff),
+            GetASNItem_EndIdx(dataASN[CRLASN_IDX_TBS_REVOKEDCERTS], buff));
     }
     if (ret == 0) {
         /* Parse the extensions - starting after SEQUENCE OF. */
         ret = ParseCRL_Extensions(dcrl, buff,
-            GetASNItem_DataIdx(dataASN[13], buff),
-            GetASNItem_EndIdx(dataASN[13], buff));
+            GetASNItem_DataIdx(dataASN[CRLASN_IDX_TBS_EXT_SEQ], buff),
+            GetASNItem_EndIdx(dataASN[CRLASN_IDX_TBS_EXT_SEQ], buff));
     }
     if (ret == 0) {
         /* Find signer and verify signature. */
@@ -30999,22 +31824,33 @@ end:
 #ifdef WOLFSSL_ASN_TEMPLATE
 /* Template for PIV. */
 static const ASNItem pivASN[] = {
-/*  0 */    { 0, ASN_PIV_CERT, 0, 0, 0 },
-/*  1 */    { 0, ASN_PIV_NONCE, 0, 0, 1 },
-/*  2 */    { 0, ASN_PIV_SIGNED_NONCE, 0, 0, 1 },
+/* CERT        */ { 0, ASN_PIV_CERT, 0, 0, 0 },
+/* NONCE       */ { 0, ASN_PIV_NONCE, 0, 0, 1 },
+/* SIGNEDNONCE */ { 0, ASN_PIV_SIGNED_NONCE, 0, 0, 1 },
+};
+enum {
+    PIVASN_IDX_CERT = 0,
+    PIVASN_IDX_NONCE,
+    PIVASN_IDX_SIGNEDNONCE,
 };
 
 #define pivASN_Length (sizeof(pivASN) / sizeof(ASNItem))
 
 static const ASNItem pivCertASN[] = {
-                /* 0x53 = 0x40 | 0x13 */
-/*  0 */        { 1, ASN_APPLICATION | 0x13, 0, 1, 0 },
-                     /* 0x70 = 0x40 | 0x10 + 0x20 (CONSTRUCTED) */
-/*  1 */             { 2, ASN_APPLICATION | 0x10, 1, 0, 0 },
-                     /* 0x71 = 0x40 | 0x11 + 0x20 (CONSTRUCTED) */
-/*  2 */             { 2, ASN_APPLICATION | 0x11, 1, 0, 1 },
-                     /* 0xFE = 0xC0 | 0x1E + 0x20 (CONSTRUCTED) */
-/*  3 */             { 2, ASN_PRIVATE | 0x1e, 1, 0, 1 },
+                          /* 0x53 = 0x40 | 0x13 */
+/* CERT */ { 1, ASN_APPLICATION | 0x13, 0, 1, 0 },
+                               /* 0x70 = 0x40 | 0x10 + 0x20 (CONSTRUCTED) */
+/* X509 */      { 2, ASN_APPLICATION | 0x10, 1, 0, 0 },
+                               /* 0x71 = 0x40 | 0x11 + 0x20 (CONSTRUCTED) */
+/* INFO */      { 2, ASN_APPLICATION | 0x11, 1, 0, 1 },
+                               /* 0xFE = 0xC0 | 0x1E + 0x20 (CONSTRUCTED) */
+/* ERR */      { 2, ASN_PRIVATE | 0x1e, 1, 0, 1 },
+};
+enum {
+    PIVCERTASN_IDX_CERT,
+    PIVCERTASN_IDX_X509,
+    PIVCERTASN_IDX_INFO,
+    PIVCERTASN_IDX_ERR,
 };
 
 #define pivCertASN_Length (sizeof(pivCertASN) / sizeof(ASNItem))
@@ -31119,23 +31955,24 @@ int wc_ParseCertPIV(wc_CertPIV* piv, const byte* buf, word32 totalSz)
             /* Identiv wrapper found. */
             piv->isIdentiv = 1;
             /* Get nonce reference. */
-            if (dataASN[1].tag != 0) {
-                GetASN_GetConstRef(&dataASN[1], &piv->nonce, &piv->nonceSz);
+            if (dataASN[PIVASN_IDX_NONCE].tag != 0) {
+                GetASN_GetConstRef(&dataASN[PIVASN_IDX_NONCE], &piv->nonce,
+                        &piv->nonceSz);
             }
             /* Get signedNonce reference. */
-            if (dataASN[2].tag != 0) {
-                GetASN_GetConstRef(&dataASN[2], &piv->signedNonce,
-                    &piv->signedNonceSz);
+            if (dataASN[PIVASN_IDX_SIGNEDNONCE].tag != 0) {
+                GetASN_GetConstRef(&dataASN[PIVASN_IDX_SIGNEDNONCE],
+                        &piv->signedNonce, &piv->signedNonceSz);
             }
             /* Get the certificate data for parsing. */
-            GetASN_GetConstRef(&dataASN[0], &buf, &totalSz);
+            GetASN_GetConstRef(&dataASN[PIVASN_IDX_CERT], &buf, &totalSz);
         }
         ret = 0;
     }
     if (ret == 0) {
         /* Clear dynamic data and set variable to put cert info into. */
         XMEMSET(dataASN, 0, sizeof(*dataASN) * pivCertASN_Length);
-        GetASN_Int8Bit(&dataASN[2], &info);
+        GetASN_Int8Bit(&dataASN[PIVCERTASN_IDX_INFO], &info);
         /* Start parsing from start of buffer. */
         idx = 0;
         /* Parse PIV cetificate data. */
@@ -31143,16 +31980,17 @@ int wc_ParseCertPIV(wc_CertPIV* piv, const byte* buf, word32 totalSz)
                 totalSz);
         if (ret == 0) {
             /* Get X.509 certificate reference. */
-            GetASN_GetConstRef(&dataASN[1], &piv->cert, &piv->certSz);
+            GetASN_GetConstRef(&dataASN[PIVCERTASN_IDX_X509], &piv->cert,
+                    &piv->certSz);
             /* Set the certificate info if available. */
-            if (dataASN[2].tag != 0) {
+            if (dataASN[PIVCERTASN_IDX_INFO].tag != 0) {
                 /* Bits 1 and 2 are compression. */
                 piv->compression = info & ASN_PIV_CERT_INFO_COMPRESSED;
                 /* Bits 3 is X509 flag. */
                 piv->isX509 = ((info & ASN_PIV_CERT_INFO_ISX509) != 0);
             }
-            /* Get X.509 certificate error detecton reference. */
-            GetASN_GetConstRef(&dataASN[3], &piv->certErrDet,
+            /* Get X.509 certificate error detection reference. */
+            GetASN_GetConstRef(&dataASN[PIVCERTASN_IDX_ERR], &piv->certErrDet,
                      &piv->certErrDetSz);
         }
         ret = 0;
diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index 10175157b..bbdb2f6e2 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -87,6 +87,11 @@ Possible ECC enable options:
  *                      the variant macro is used the bits2octets operation on
  *                      the hash is removed.
  *                                                              default: off
+ *
+ * WC_PROTECT_ENCRYPTED_MEM:
+ *                      Enables implementations that protect data that is in
+ *                      encrypted memory.
+ *                                                              default: off
  */
 
 /*
@@ -2762,6 +2767,7 @@ static int wc_ecc_gen_z(WC_RNG* rng, int size, ecc_point* p,
     return err;
 }
 
+#ifndef WC_PROTECT_ENCRYPTED_MEM
 #define M_POINTS 3
 
 /* Joye double-add ladder.
@@ -2925,6 +2931,183 @@ static int ecc_mulmod(const mp_int* k, ecc_point* P, ecc_point* Q,
     return err;
 }
 
+#else
+/* Number of points to allocate for use during scalar multiplication. */
+#define M_POINTS        5
+/* Last of the points is used as a temporary during calculations. */
+#define TMP_IDX         M_POINTS - 1
+
+static void mp_cond_swap_into_ct(mp_int* ra, mp_int* rb, mp_int* a, mp_int* b,
+    int digits, int m)
+{
+    int i;
+
+#if !defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_INT_NEGATIVE)
+    /* Only using positive numbers in ECC operations. */
+    ra->sign = 0;
+    rb->sign = 0;
+#endif
+    /* Don't store 0 when mask is 0, it will be in a register. */
+    ra->used = (int)(((a->used ^ b->used) & ((mp_digit)0 - (m & 1))) ^ a->used);
+    rb->used = (int)(((a->used ^ b->used) & ((mp_digit)0 - (m & 1))) ^ b->used);
+    for (i = 0; i < digits; i++) {
+        ra->dp[i] = ((a->dp[i] ^ b->dp[i]) & ((mp_digit)0 - (m & 1))) ^
+                    a->dp[i];
+        rb->dp[i] = ((a->dp[i] ^ b->dp[i]) & ((mp_digit)0 - (m & 1))) ^
+                    b->dp[i];
+    }
+}
+
+static void ecc_cond_swap_into_ct(ecc_point* ra, ecc_point* rb, ecc_point* a,
+    ecc_point* b, int digits, int m)
+{
+    /* Conditionally swap each ordinate. */
+    mp_cond_swap_into_ct(ra->x, rb->x, a->x, b->x, digits, m);
+    mp_cond_swap_into_ct(ra->y, rb->y, a->y, b->y, digits, m);
+    mp_cond_swap_into_ct(ra->z, rb->z, a->z, b->z, digits, m);
+}
+
+/* Joye double-add ladder.
+ * "Highly Regular Right-to-Left Algorithms for Scalar Multiplication"
+ * by Marc Joye (2007)
+ *
+ * Algorithm 1':
+ *   Input: P element of curve, k = (k[t-1],..., k[0]) base 2
+ *   Output: Q = kP
+ *   1: R[0] = P; R[1] = P
+ *   2: for j = 1 to t-1 do
+ *   3:   b = 1 - k[j]; R[b] = 2*R[b] + R[k[j]]
+ *   4: end for
+ *   5: b = k[0]; R[b] = R[b] - P
+ *   6: return R[0]
+ *
+ * Assumes: k < order.
+ */
+static int ecc_mulmod(const mp_int* k, ecc_point* P, ecc_point* Q,
+    ecc_point** R, mp_int* a, mp_int* modulus, mp_digit mp, WC_RNG* rng)
+{
+    int          err = MP_OKAY;
+    int          bytes = (mp_count_bits(modulus) + 7) / 8;
+    int          i;
+    int          j = 1;
+    int          cnt;
+    int          t = 0;
+    mp_int*      kt = R[TMP_IDX]->x;
+    /* First bit always 1 (fix at end) and swap equals first bit */
+    register int swap = 1;
+    /* Which pair of points has current value. R[0,1] or R[2,3] */
+    int          set = 0;
+    int          infinity;
+
+    /* Step 1: R[0] = P; R[1] = P */
+    /* R[0] = P */
+    if (err == MP_OKAY)
+        err = mp_copy(P->x, R[0]->x);
+    if (err == MP_OKAY)
+        err = mp_copy(P->y, R[0]->y);
+    if (err == MP_OKAY)
+        err = mp_copy(P->z, R[0]->z);
+
+    /* R[1] = P */
+    if (err == MP_OKAY)
+        err = mp_copy(P->x, R[1]->x);
+    if (err == MP_OKAY)
+        err = mp_copy(P->y, R[1]->y);
+    if (err == MP_OKAY)
+        err = mp_copy(P->z, R[1]->z);
+
+    /* Randomize z ordinates to obfuscate timing. */
+    if ((err == MP_OKAY) && (rng != NULL))
+        err = wc_ecc_gen_z(rng, bytes, R[0], modulus, mp, R[TMP_IDX]->x,
+                           R[TMP_IDX]->y);
+    if ((err == MP_OKAY) && (rng != NULL))
+        err = wc_ecc_gen_z(rng, bytes, R[1], modulus, mp, R[TMP_IDX]->x,
+                           R[TMP_IDX]->y);
+
+    if (err == MP_OKAY) {
+        /* Order could be one greater than the size of the modulus. */
+        t = mp_count_bits(modulus) + 1;
+        err = mp_copy(k, kt);
+    }
+    if (err == MP_OKAY) {
+        err = mp_grow(kt, modulus->used + 1);
+    }
+    /* Step 2: for j = 1 to t-1 do */
+    for (i = 1, j = 0, cnt = 0; (err == MP_OKAY) && (i < t); i++) {
+        if (++cnt == DIGIT_BIT) {
+            j++;
+            cnt = 0;
+        }
+
+        /* Step 3: b = 1 - k[j]; R[b] = 2*R[b] + R[k[j]] */
+        /* Swap R[0] and R[1] if other index is needed. */
+        /* Ensure 'swap' changes when shifted word is 0. */
+        swap += (kt->dp[j] >> cnt) + 2;
+        ecc_cond_swap_into_ct(R[(2 - set) + 0], R[(2 - set) + 1],
+                              R[set + 0], R[set + 1], modulus->used, swap);
+        /* Change to operate on set copied into. */
+        set = 2 - set;
+        /* Ensure 'swap' changes to a previously unseen value. */
+        swap += (kt->dp[j] >> cnt) + swap;
+
+        err = ecc_projective_dbl_point_safe(R[set + 0], R[set + 0], a, modulus,
+                                            mp);
+        if (err == MP_OKAY) {
+            err = ecc_projective_add_point_safe(R[set + 0], R[set + 1],
+                                         R[set + 0], a, modulus, mp, &infinity);
+        }
+    }
+    /* Step 4: end for */
+    /* Swap back if last bit is 0. */
+    /* Ensure 'swap' changes. */
+    swap += 1;
+    if (err == MP_OKAY) {
+        ecc_cond_swap_into_ct(R[(2 - set) + 0], R[(2 - set) + 1],
+                              R[set + 0], R[set + 1], modulus->used, swap);
+        set = 2 - set;
+    }
+
+    /* Step 5: b = k[0]; R[b] = R[b] - P */
+    /* R[TMP_IDX] = -P */
+    if (err == MP_OKAY)
+        err = mp_copy(P->x, R[TMP_IDX]->x);
+    if (err == MP_OKAY)
+        err = mp_sub(modulus, P->y, R[TMP_IDX]->y);
+    if (err == MP_OKAY)
+        err = mp_copy(P->z, R[TMP_IDX]->z);
+    /* Subtract point by adding negative. */
+    if (err == MP_OKAY) {
+        /* Swap R[0] and R[1], if necessary, to operate on the one we want.
+         * Last bit of k->dp[0] is being used to make decision to swap.
+         */
+        ecc_cond_swap_into_ct(R[(2 - set) + 0], R[(2 - set) + 1],
+                              R[set + 0], R[set + 1], modulus->used,
+                              (int)k->dp[0]);
+        set = 2 - set;
+        err = ecc_projective_add_point_safe(R[set + 0], R[TMP_IDX], R[set + 0],
+                                            a, modulus, mp, &infinity);
+        /* Swap back if necessary. */
+        if (err == MP_OKAY) {
+            ecc_cond_swap_into_ct(R[(2 - set) + 0], R[(2 - set) + 1],
+                                  R[set + 0], R[set + 1], modulus->used,
+                                  (int)k->dp[0]);
+            set = 2 - set;
+        }
+    }
+
+    /* Step 6: return R[0] */
+    if (err == MP_OKAY)
+        err = mp_copy(R[set + 0]->x, Q->x);
+    if (err == MP_OKAY)
+        err = mp_copy(R[set + 0]->y, Q->y);
+    if (err == MP_OKAY)
+        err = mp_copy(R[set + 0]->z, Q->z);
+
+    return err;
+}
+
+#endif
+
 #endif
 
 /* Convert the point to montgomery form.
diff --git a/wolfcrypt/src/falcon.c b/wolfcrypt/src/falcon.c
index a18442331..165aa5ac9 100644
--- a/wolfcrypt/src/falcon.c
+++ b/wolfcrypt/src/falcon.c
@@ -25,15 +25,16 @@
     #include <config.h>
 #endif
 
-/* in case user set HAVE_LIBOQS there */
+/* in case user set HAVE_PQC there */
 #include <wolfssl/wolfcrypt/settings.h>
 
 #include <wolfssl/wolfcrypt/asn.h>
 
+#ifdef HAVE_PQC
+
 #ifdef HAVE_LIBOQS
-
 #include <oqs/oqs.h>
-
+#endif
 
 #include <wolfssl/wolfcrypt/falcon.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
@@ -61,6 +62,7 @@ int wc_falcon_sign_msg(const byte* in, word32 inLen,
                               falcon_key* key)
 {
     int ret = 0;
+#ifdef HAVE_LIBOQS
     OQS_SIG *oqssig = NULL;
     size_t localOutLen = 0;
 
@@ -112,7 +114,7 @@ int wc_falcon_sign_msg(const byte* in, word32 inLen,
     if (oqssig != NULL) {
         OQS_SIG_free(oqssig);
     }
-
+#endif
     return ret;
 }
 
@@ -132,6 +134,7 @@ int wc_falcon_verify_msg(const byte* sig, word32 sigLen, const byte* msg,
                         word32 msgLen, int* res, falcon_key* key)
 {
     int ret = 0;
+#ifdef HAVE_LIBOQS
     OQS_SIG *oqssig = NULL;
 
     if (key == NULL || sig == NULL || msg == NULL || res == NULL) {
@@ -168,6 +171,7 @@ int wc_falcon_verify_msg(const byte* sig, word32 sigLen, const byte* msg,
     if (oqssig != NULL) {
         OQS_SIG_free(oqssig);
     }
+#endif
 
     return ret;
 }
@@ -683,4 +687,4 @@ int wc_falcon_sig_size(falcon_key* key)
 
     return BAD_FUNC_ARG;
 }
-#endif /* HAVE_LIBOQS */
+#endif /* HAVE_PQC */
diff --git a/wolfcrypt/src/port/kcapi/kcapi_ecc.c b/wolfcrypt/src/port/kcapi/kcapi_ecc.c
index 5a64596ef..90b883db1 100644
--- a/wolfcrypt/src/port/kcapi/kcapi_ecc.c
+++ b/wolfcrypt/src/port/kcapi/kcapi_ecc.c
@@ -179,6 +179,10 @@ int KcapiEcc_Sign(ecc_key* key, const byte* hash, word32 hashLen, byte* sig,
                   word32* sigLen)
 {
     int ret = 0;
+    unsigned char* buf_aligned = NULL;
+    unsigned char* hash_aligned = NULL;
+    unsigned char* sig_aligned = NULL;
+    size_t pageSz = (size_t)sysconf(_SC_PAGESIZE);
 
     if (key->handle == NULL) {
         ret = kcapi_akcipher_init(&key->handle, WC_NAME_ECDSA, 0);
@@ -190,13 +194,38 @@ int KcapiEcc_Sign(ecc_key* key, const byte* hash, word32 hashLen, byte* sig,
         }
     }
     if (ret == 0) {
-        ret = kcapi_akcipher_sign(key->handle, hash, hashLen, sig, *sigLen,
+        if (((size_t)sig % pageSz != 0) || ((size_t)hash % pageSz != 0)) {
+            ret = posix_memalign((void*)&buf_aligned, pageSz, pageSz * 2);
+            if (ret < 0) {
+                ret = MEMORY_E;
+            }
+        }
+    }
+    if (ret == 0) {
+        sig_aligned = ((size_t)sig % pageSz == 0) ? sig : buf_aligned;
+        if ((size_t)hash % pageSz == 0) {
+            hash_aligned = (unsigned char*)hash;
+        }
+        else {
+            hash_aligned = buf_aligned + pageSz;
+            XMEMCPY(hash_aligned, hash, hashLen);
+        }
+        ret = kcapi_akcipher_sign(key->handle, hash_aligned, hashLen,
+                                  sig_aligned, *sigLen,
                                   KCAPI_ACCESS_HEURISTIC);
         if (ret >= 0) {
             *sigLen = ret;
             ret = 0;
+            if (sig_aligned != sig) {
+                XMEMCPY(sig, sig_aligned, ret);
+            }
         }
     }
+    /* Using free as this is in an environment that will have it
+     * available along with posix_memalign. */
+    if (buf_aligned != NULL) {
+        free(buf_aligned);
+    }
 
     return ret;
 }
@@ -225,7 +254,8 @@ int KcapiEcc_Verify(ecc_key* key, const byte* hash, word32 hashLen, byte* sig,
                     word32 sigLen)
 {
     int ret = 0;
-    unsigned char* sigHash = NULL;
+    unsigned char* sigHash_aligned = NULL;
+    size_t pageSz = (size_t)sysconf(_SC_PAGESIZE);
 
     if (key->handle == NULL) {
         ret = kcapi_akcipher_init(&key->handle, WC_NAME_ECDSA, 0);
@@ -238,25 +268,26 @@ int KcapiEcc_Verify(ecc_key* key, const byte* hash, word32 hashLen, byte* sig,
     }
 
     if (ret == 0) {
-        sigHash = (unsigned char*)XMALLOC(sigLen + hashLen, key->heap,
-                                          DYNAMIC_TYPE_TMP_BUFFER);
-        if (sigHash == NULL) {
+        ret = posix_memalign((void*)&sigHash_aligned, pageSz, sigLen + hashLen);
+        if (ret < 0) {
             ret = MEMORY_E;
         }
     }
     if (ret == 0) {
-        XMEMCPY(sigHash, sig, sigLen);
-        XMEMCPY(sigHash + sigLen, hash, hashLen);
+        XMEMCPY(sigHash_aligned, sig, sigLen);
+        XMEMCPY(sigHash_aligned + sigLen, hash, hashLen);
 
-        ret = kcapi_akcipher_verify(key->handle, sigHash, sigLen + hashLen,
-                                    NULL, hashLen, KCAPI_ACCESS_HEURISTIC);
+        ret = kcapi_akcipher_verify(key->handle, sigHash_aligned,
+                sigLen + hashLen, NULL, hashLen, KCAPI_ACCESS_HEURISTIC);
         if (ret >= 0) {
             ret = 0;
         }
     }
 
-    if (sigHash != NULL) {
-        XFREE(sigHash, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    /* Using free as this is in an environment that will have it
+     * available along with posix_memalign. */
+    if (sigHash_aligned != NULL) {
+        free(sigHash_aligned);
     }
     return ret;
 }
diff --git a/wolfcrypt/src/sp_arm32.c b/wolfcrypt/src/sp_arm32.c
index 95ae9d550..6a9cb09fe 100644
--- a/wolfcrypt/src/sp_arm32.c
+++ b/wolfcrypt/src/sp_arm32.c
@@ -37574,6 +37574,19 @@ static WC_INLINE int sp_256_mod_8(sp_digit* r, const sp_digit* a, const sp_digit
 
 #endif
 #if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_256_mont_mul_order_8(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_256_mul_8(r, a, b);
+    sp_256_mont_reduce_order_8(r, p256_order, p256_mp_order);
+}
+
+#if defined(HAVE_ECC_SIGN) || (defined(HAVE_ECC_VERIFY) && defined(WOLFSSL_SP_SMALL))
 #ifdef WOLFSSL_SP_SMALL
 /* Order-2 for the P256 curve. */
 static const uint32_t p256_order_minus_2[8] = {
@@ -37587,18 +37600,6 @@ static const sp_int_digit p256_order_low[4] = {
 };
 #endif /* WOLFSSL_SP_SMALL */
 
-/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
- *
- * r  Result of the multiplication.
- * a  First operand of the multiplication.
- * b  Second operand of the multiplication.
- */
-static void sp_256_mont_mul_order_8(sp_digit* r, const sp_digit* a, const sp_digit* b)
-{
-    sp_256_mul_8(r, a, b);
-    sp_256_mont_reduce_order_8(r, p256_order, p256_mp_order);
-}
-
 /* Square number mod the order of P256 curve. (r = a * a mod order)
  *
  * r  Result of the squaring.
@@ -37769,6 +37770,7 @@ static void sp_256_mont_inv_order_8(sp_digit* r, const sp_digit* a,
 #endif /* WOLFSSL_SP_SMALL */
 }
 
+#endif /* HAVE_ECC_SIGN || (HAVE_ECC_VERIFY && WOLFSSL_SP_SMALL) */
 #endif /* HAVE_ECC_SIGN | HAVE_ECC_VERIFY */
 #ifdef HAVE_ECC_SIGN
 #ifndef SP_ECC_MAX_SIG_GEN
@@ -46840,6 +46842,19 @@ static WC_INLINE int sp_384_mod_12(sp_digit* r, const sp_digit* a, const sp_digi
 
 #endif
 #if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_384_mont_mul_order_12(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_384_mul_12(r, a, b);
+    sp_384_mont_reduce_order_12(r, p384_order, p384_mp_order);
+}
+
+#if defined(HAVE_ECC_SIGN) || (defined(HAVE_ECC_VERIFY) && defined(WOLFSSL_SP_SMALL))
 #ifdef WOLFSSL_SP_SMALL
 /* Order-2 for the P384 curve. */
 static const uint32_t p384_order_minus_2[12] = {
@@ -46853,18 +46868,6 @@ static const uint32_t p384_order_low[6] = {
 };
 #endif /* WOLFSSL_SP_SMALL */
 
-/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
- *
- * r  Result of the multiplication.
- * a  First operand of the multiplication.
- * b  Second operand of the multiplication.
- */
-static void sp_384_mont_mul_order_12(sp_digit* r, const sp_digit* a, const sp_digit* b)
-{
-    sp_384_mul_12(r, a, b);
-    sp_384_mont_reduce_order_12(r, p384_order, p384_mp_order);
-}
-
 /* Square number mod the order of P384 curve. (r = a * a mod order)
  *
  * r  Result of the squaring.
@@ -47006,6 +47009,7 @@ static void sp_384_mont_inv_order_12(sp_digit* r, const sp_digit* a,
 #endif /* WOLFSSL_SP_SMALL */
 }
 
+#endif /* HAVE_ECC_SIGN || (HAVE_ECC_VERIFY && WOLFSSL_SP_SMALL) */
 #endif /* HAVE_ECC_SIGN | HAVE_ECC_VERIFY */
 #ifdef HAVE_ECC_SIGN
 #ifndef SP_ECC_MAX_SIG_GEN
diff --git a/wolfcrypt/src/sp_arm64.c b/wolfcrypt/src/sp_arm64.c
index 9ae209f04..adab94b4b 100644
--- a/wolfcrypt/src/sp_arm64.c
+++ b/wolfcrypt/src/sp_arm64.c
@@ -37759,6 +37759,19 @@ static WC_INLINE int sp_256_mod_4(sp_digit* r, const sp_digit* a, const sp_digit
 
 #endif
 #if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_256_mont_mul_order_4(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_256_mul_4(r, a, b);
+    sp_256_mont_reduce_order_4(r, p256_order, p256_mp_order);
+}
+
+#if defined(HAVE_ECC_SIGN) || (defined(HAVE_ECC_VERIFY) && defined(WOLFSSL_SP_SMALL))
 #ifdef WOLFSSL_SP_SMALL
 /* Order-2 for the P256 curve. */
 static const uint64_t p256_order_minus_2[4] = {
@@ -37772,18 +37785,6 @@ static const sp_int_digit p256_order_low[2] = {
 };
 #endif /* WOLFSSL_SP_SMALL */
 
-/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
- *
- * r  Result of the multiplication.
- * a  First operand of the multiplication.
- * b  Second operand of the multiplication.
- */
-static void sp_256_mont_mul_order_4(sp_digit* r, const sp_digit* a, const sp_digit* b)
-{
-    sp_256_mul_4(r, a, b);
-    sp_256_mont_reduce_order_4(r, p256_order, p256_mp_order);
-}
-
 /* Square number mod the order of P256 curve. (r = a * a mod order)
  *
  * r  Result of the squaring.
@@ -37954,6 +37955,7 @@ static void sp_256_mont_inv_order_4(sp_digit* r, const sp_digit* a,
 #endif /* WOLFSSL_SP_SMALL */
 }
 
+#endif /* HAVE_ECC_SIGN || (HAVE_ECC_VERIFY && WOLFSSL_SP_SMALL) */
 #endif /* HAVE_ECC_SIGN | HAVE_ECC_VERIFY */
 #ifdef HAVE_ECC_SIGN
 #ifndef SP_ECC_MAX_SIG_GEN
@@ -40525,8 +40527,6 @@ static void sp_384_cond_copy_6(sp_digit* r, const sp_digit* a, sp_digit m)
     );
 }
 
-#define sp_384_mont_reduce_order_6    sp_384_mont_reduce_6
-
 /* Reduce the number back to 384 bits using Montgomery reduction.
  *
  * a   A single precision number to reduce in place.
@@ -40536,6 +40536,143 @@ static void sp_384_cond_copy_6(sp_digit* r, const sp_digit* a, sp_digit m)
 SP_NOINLINE static void sp_384_mont_reduce_6(sp_digit* a, const sp_digit* m,
         sp_digit mp)
 {
+    __asm__ __volatile__ (
+        "ldp	x7, x8, [%[a], #0]\n\t"
+        "ldp	x9, x10, [%[a], #16]\n\t"
+        "ldp	x11, x12, [%[a], #32]\n\t"
+        "mov	x6, xzr\n\t"
+        "# a[0-7] += m[0-5] * mu[0..1] = m[0-5] * (a[0..1] * mp)\n\t"
+        "ldp	x13, x14, [%[a], #48]\n\t"
+        "lsl	x2, x8, 32\n\t"
+        "lsl	x1, x7, 32\n\t"
+        "orr	x2, x2, x7, lsr 32\n\t"
+        "adds	x1, x1, x7\n\t"
+        "adc	x2, x2, x8\n\t"
+        "add	x2, x2, x7\n\t"
+        "lsl	x3, x1, 32\n\t"
+        "lsl	x4, x2, 32\n\t"
+        "orr	x4, x4, x1, lsr 32\n\t"
+        "lsr	x5, x2, 32\n\t"
+        "adds	x7, x7, x3\n\t"
+        "adcs	x8, x8, x4\n\t"
+        "adcs	x9, x9, x5\n\t"
+        "adcs	x10, x10, xzr\n\t"
+        "adcs	x11, x11, xzr\n\t"
+        "adcs	x12, x12, xzr\n\t"
+        "adcs	x13, x13, x1\n\t"
+        "adcs	x14, x14, x2\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "adds	x3, x3, x2\n\t"
+        "adcs	x4, x4, x1\n\t"
+        "adcs	x5, x5, x2\n\t"
+        "adcs	x2, xzr, xzr\n\t"
+        "subs	x9, x9, x4\n\t"
+        "sbcs	x10, x10, x5\n\t"
+        "sbcs	x11, x11, x2\n\t"
+        "sbcs	x12, x12, xzr\n\t"
+        "sbcs	x13, x13, xzr\n\t"
+        "sbcs	x14, x14, xzr\n\t"
+        "sbc	x6, x6, xzr\n\t"
+        "# a[2-9] += m[0-5] * mu[0..1] = m[0-5] * (a[2..3] * mp)\n\t"
+        "ldp	x7, x8, [%[a], #64]\n\t"
+        "lsl	x2, x10, 32\n\t"
+        "lsl	x1, x9, 32\n\t"
+        "orr	x2, x2, x9, lsr 32\n\t"
+        "adds	x1, x1, x9\n\t"
+        "adc	x2, x2, x10\n\t"
+        "add	x2, x2, x9\n\t"
+        "lsl	x3, x1, 32\n\t"
+        "lsl	x4, x2, 32\n\t"
+        "orr	x4, x4, x1, lsr 32\n\t"
+        "lsr	x5, x2, 32\n\t"
+        "adds	x7, x7, x6\n\t"
+        "adcs	x8, x8, xzr\n\t"
+        "adc	x6, xzr, xzr\n\t"
+        "adds	x9, x9, x3\n\t"
+        "adcs	x10, x10, x4\n\t"
+        "adcs	x11, x11, x5\n\t"
+        "adcs	x12, x12, xzr\n\t"
+        "adcs	x13, x13, xzr\n\t"
+        "adcs	x14, x14, xzr\n\t"
+        "adcs	x7, x7, x1\n\t"
+        "adcs	x8, x8, x2\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "adds	x3, x3, x2\n\t"
+        "adcs	x4, x4, x1\n\t"
+        "adcs	x5, x5, x2\n\t"
+        "adcs	x2, xzr, xzr\n\t"
+        "subs	x11, x11, x4\n\t"
+        "sbcs	x12, x12, x5\n\t"
+        "sbcs	x13, x13, x2\n\t"
+        "sbcs	x14, x14, xzr\n\t"
+        "sbcs	x7, x7, xzr\n\t"
+        "sbcs	x8, x8, xzr\n\t"
+        "sbc	x6, x6, xzr\n\t"
+        "# a[4-11] += m[0-5] * mu[0..1] = m[0-5] * (a[4..5] * mp)\n\t"
+        "ldp	x9, x10, [%[a], #80]\n\t"
+        "lsl	x2, x12, 32\n\t"
+        "lsl	x1, x11, 32\n\t"
+        "orr	x2, x2, x11, lsr 32\n\t"
+        "adds	x1, x1, x11\n\t"
+        "adc	x2, x2, x12\n\t"
+        "add	x2, x2, x11\n\t"
+        "lsl	x3, x1, 32\n\t"
+        "lsl	x4, x2, 32\n\t"
+        "orr	x4, x4, x1, lsr 32\n\t"
+        "lsr	x5, x2, 32\n\t"
+        "adds	x9, x9, x6\n\t"
+        "adcs	x10, x10, xzr\n\t"
+        "adc	x6, xzr, xzr\n\t"
+        "adds	x11, x11, x3\n\t"
+        "adcs	x12, x12, x4\n\t"
+        "adcs	x13, x13, x5\n\t"
+        "adcs	x14, x14, xzr\n\t"
+        "adcs	x7, x7, xzr\n\t"
+        "adcs	x8, x8, xzr\n\t"
+        "adcs	x9, x9, x1\n\t"
+        "adcs	x10, x10, x2\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "adds	x3, x3, x2\n\t"
+        "adcs	x4, x4, x1\n\t"
+        "adcs	x5, x5, x2\n\t"
+        "adcs	x2, xzr, xzr\n\t"
+        "subs	x13, x13, x4\n\t"
+        "sbcs	x14, x14, x5\n\t"
+        "sbcs	x7, x7, x2\n\t"
+        "sbcs	x8, x8, xzr\n\t"
+        "sbcs	x9, x9, xzr\n\t"
+        "sbcs	x10, x10, xzr\n\t"
+        "sbc	x6, x6, xzr\n\t"
+        "# Subtract mod if carry\n\t"
+        "neg	x6, x6\n\t"
+        "mov	x5, -2\n\t"
+        "lsr	x3, x6, 32\n\t"
+        "lsl	x4, x6, 32\n\t"
+        "and	x5, x5, x6\n\t"
+        "subs	x13, x13, x3\n\t"
+        "sbcs	x14, x14, x4\n\t"
+        "sbcs	x7, x7, x5\n\t"
+        "sbcs	x8, x8, x6\n\t"
+        "sbcs	x9, x9, x6\n\t"
+        "sbc	x10, x10, x6\n\t"
+        "stp	x13, x14, [%[a], #0]\n\t"
+        "stp	x7, x8, [%[a], #16]\n\t"
+        "stp	x9, x10, [%[a], #32]\n\t"
+        :
+        : [a] "r" (a), [m] "r" (m), [mp] "r" (mp)
+        : "memory", "x1", "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12", "x13", "x14"
+    );
+}
+
+/* Reduce the number back to 384 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_384_mont_reduce_order_6(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
 
     __asm__ __volatile__ (
         "ldp	x14, x15, [%[m], 0]\n\t"
@@ -63546,6 +63683,19 @@ static WC_INLINE int sp_384_mod_6(sp_digit* r, const sp_digit* a, const sp_digit
 
 #endif
 #if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_384_mont_mul_order_6(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_384_mul_6(r, a, b);
+    sp_384_mont_reduce_order_6(r, p384_order, p384_mp_order);
+}
+
+#if defined(HAVE_ECC_SIGN) || (defined(HAVE_ECC_VERIFY) && defined(WOLFSSL_SP_SMALL))
 #ifdef WOLFSSL_SP_SMALL
 /* Order-2 for the P384 curve. */
 static const uint64_t p384_order_minus_2[6] = {
@@ -63559,18 +63709,6 @@ static const uint64_t p384_order_low[3] = {
 };
 #endif /* WOLFSSL_SP_SMALL */
 
-/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
- *
- * r  Result of the multiplication.
- * a  First operand of the multiplication.
- * b  Second operand of the multiplication.
- */
-static void sp_384_mont_mul_order_6(sp_digit* r, const sp_digit* a, const sp_digit* b)
-{
-    sp_384_mul_6(r, a, b);
-    sp_384_mont_reduce_order_6(r, p384_order, p384_mp_order);
-}
-
 /* Square number mod the order of P384 curve. (r = a * a mod order)
  *
  * r  Result of the squaring.
@@ -63712,6 +63850,7 @@ static void sp_384_mont_inv_order_6(sp_digit* r, const sp_digit* a,
 #endif /* WOLFSSL_SP_SMALL */
 }
 
+#endif /* HAVE_ECC_SIGN || (HAVE_ECC_VERIFY && WOLFSSL_SP_SMALL) */
 #endif /* HAVE_ECC_SIGN | HAVE_ECC_VERIFY */
 #ifdef HAVE_ECC_SIGN
 #ifndef SP_ECC_MAX_SIG_GEN
diff --git a/wolfcrypt/src/sp_armthumb.c b/wolfcrypt/src/sp_armthumb.c
index 5e68ab8c9..8a45d68d4 100644
--- a/wolfcrypt/src/sp_armthumb.c
+++ b/wolfcrypt/src/sp_armthumb.c
@@ -104222,6 +104222,19 @@ static WC_INLINE int sp_256_mod_8(sp_digit* r, const sp_digit* a, const sp_digit
 
 #endif
 #if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_256_mont_mul_order_8(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_256_mul_8(r, a, b);
+    sp_256_mont_reduce_order_8(r, p256_order, p256_mp_order);
+}
+
+#if defined(HAVE_ECC_SIGN) || (defined(HAVE_ECC_VERIFY) && defined(WOLFSSL_SP_SMALL))
 #ifdef WOLFSSL_SP_SMALL
 /* Order-2 for the P256 curve. */
 static const uint32_t p256_order_minus_2[8] = {
@@ -104235,18 +104248,6 @@ static const sp_int_digit p256_order_low[4] = {
 };
 #endif /* WOLFSSL_SP_SMALL */
 
-/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
- *
- * r  Result of the multiplication.
- * a  First operand of the multiplication.
- * b  Second operand of the multiplication.
- */
-static void sp_256_mont_mul_order_8(sp_digit* r, const sp_digit* a, const sp_digit* b)
-{
-    sp_256_mul_8(r, a, b);
-    sp_256_mont_reduce_order_8(r, p256_order, p256_mp_order);
-}
-
 /* Square number mod the order of P256 curve. (r = a * a mod order)
  *
  * r  Result of the squaring.
@@ -104417,6 +104418,7 @@ static void sp_256_mont_inv_order_8(sp_digit* r, const sp_digit* a,
 #endif /* WOLFSSL_SP_SMALL */
 }
 
+#endif /* HAVE_ECC_SIGN || (HAVE_ECC_VERIFY && WOLFSSL_SP_SMALL) */
 #endif /* HAVE_ECC_SIGN | HAVE_ECC_VERIFY */
 #ifdef HAVE_ECC_SIGN
 #ifndef SP_ECC_MAX_SIG_GEN
@@ -114742,6 +114744,19 @@ static WC_INLINE int sp_384_mod_12(sp_digit* r, const sp_digit* a, const sp_digi
 
 #endif
 #if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_384_mont_mul_order_12(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_384_mul_12(r, a, b);
+    sp_384_mont_reduce_order_12(r, p384_order, p384_mp_order);
+}
+
+#if defined(HAVE_ECC_SIGN) || (defined(HAVE_ECC_VERIFY) && defined(WOLFSSL_SP_SMALL))
 #ifdef WOLFSSL_SP_SMALL
 /* Order-2 for the P384 curve. */
 static const uint32_t p384_order_minus_2[12] = {
@@ -114755,18 +114770,6 @@ static const uint32_t p384_order_low[6] = {
 };
 #endif /* WOLFSSL_SP_SMALL */
 
-/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
- *
- * r  Result of the multiplication.
- * a  First operand of the multiplication.
- * b  Second operand of the multiplication.
- */
-static void sp_384_mont_mul_order_12(sp_digit* r, const sp_digit* a, const sp_digit* b)
-{
-    sp_384_mul_12(r, a, b);
-    sp_384_mont_reduce_order_12(r, p384_order, p384_mp_order);
-}
-
 /* Square number mod the order of P384 curve. (r = a * a mod order)
  *
  * r  Result of the squaring.
@@ -114908,6 +114911,7 @@ static void sp_384_mont_inv_order_12(sp_digit* r, const sp_digit* a,
 #endif /* WOLFSSL_SP_SMALL */
 }
 
+#endif /* HAVE_ECC_SIGN || (HAVE_ECC_VERIFY && WOLFSSL_SP_SMALL) */
 #endif /* HAVE_ECC_SIGN | HAVE_ECC_VERIFY */
 #ifdef HAVE_ECC_SIGN
 #ifndef SP_ECC_MAX_SIG_GEN
diff --git a/wolfcrypt/src/sp_c32.c b/wolfcrypt/src/sp_c32.c
index 70ffb49c4..cb14d9028 100644
--- a/wolfcrypt/src/sp_c32.c
+++ b/wolfcrypt/src/sp_c32.c
@@ -20958,8 +20958,6 @@ static int sp_256_point_to_ecc_point_9(const sp_point_256* p, ecc_point* pm)
     return err;
 }
 
-#define sp_256_mont_reduce_order_9         sp_256_mont_reduce_9
-
 /* Compare a with b in constant time.
  *
  * a  A single precision integer.
@@ -21169,40 +21167,89 @@ static void sp_256_mont_shift_9(sp_digit* r, const sp_digit* a)
  * m   The single precision number representing the modulus.
  * mp  The digit representing the negative inverse of m mod 2^n.
  */
-static void sp_256_mont_reduce_9(sp_digit* a, const sp_digit* m, sp_digit mp)
+static void sp_256_mont_reduce_order_9(sp_digit* a, const sp_digit* m, sp_digit mp)
 {
     int i;
     sp_digit mu;
 
-    if (mp != 1) {
-        for (i=0; i<8; i++) {
-            mu = (a[i] * mp) & 0x1fffffff;
-            sp_256_mul_add_9(a+i, m, mu);
-            a[i+1] += a[i] >> 29;
-        }
-        mu = (a[i] * mp) & 0xffffffL;
+    sp_256_norm_9(a + 9);
+
+    for (i=0; i<8; i++) {
+        mu = (a[i] * mp) & 0x1fffffff;
         sp_256_mul_add_9(a+i, m, mu);
         a[i+1] += a[i] >> 29;
-        a[i] &= 0x1fffffff;
     }
-    else {
-        for (i=0; i<8; i++) {
-            mu = a[i] & 0x1fffffff;
-            sp_256_mul_add_9(a+i, p256_mod, mu);
-            a[i+1] += a[i] >> 29;
-        }
-        mu = a[i] & 0xffffffL;
-        sp_256_mul_add_9(a+i, p256_mod, mu);
-        a[i+1] += a[i] >> 29;
-        a[i] &= 0x1fffffff;
-    }
-
+    mu = (a[i] * mp) & 0xffffffL;
+    sp_256_mul_add_9(a+i, m, mu);
+    a[i+1] += a[i] >> 29;
+    a[i] &= 0x1fffffff;
     sp_256_mont_shift_9(a, a);
     sp_256_cond_sub_9(a, a, m, 0 - (((a[8] >> 24) > 0) ?
             (sp_digit)1 : (sp_digit)0));
     sp_256_norm_9(a);
 }
 
+/* Reduce the number back to 256 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_256_mont_reduce_9(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    int i;
+    sp_digit am;
+
+    (void)m;
+    (void)mp;
+
+    for (i = 0; i < 8; i++) {
+        am = a[i] & 0x1fffffff;
+        a[i + 3] += (am << 9) & 0x1fffffff;
+        a[i + 4] += am >> 20;
+        a[i + 6] += (am << 18) & 0x1fffffff;
+        a[i + 7] += (am >> 11) - ((am << 21) & 0x1fffffff);
+        a[i + 8] += -(am >> 8) + ((am << 24) & 0x1fffffff);
+        a[i + 9] += am >> 5;
+
+        a[i+1] += a[i] >> 29;
+    }
+    am = a[8] & 0xffffff;
+    a[8 + 3] += (am << 9) & 0x1fffffff;
+    a[8 + 4] += am >> 20;
+    a[8 + 6] += (am << 18) & 0x1fffffff;
+    a[8 + 7] += (am >> 11) - ((am << 21) & 0x1fffffff);
+    a[8 + 8] += -(am >> 8) + ((am << 24) & 0x1fffffff);
+    a[8 + 9] += am >> 5;
+
+    a[0] = (a[ 8] >> 24) + ((a[ 9] << 5) & 0x1fffffff);
+    a[1] = (a[ 9] >> 24) + ((a[10] << 5) & 0x1fffffff);
+    a[2] = (a[10] >> 24) + ((a[11] << 5) & 0x1fffffff);
+    a[3] = (a[11] >> 24) + ((a[12] << 5) & 0x1fffffff);
+    a[4] = (a[12] >> 24) + ((a[13] << 5) & 0x1fffffff);
+    a[5] = (a[13] >> 24) + ((a[14] << 5) & 0x1fffffff);
+    a[6] = (a[14] >> 24) + ((a[15] << 5) & 0x1fffffff);
+    a[7] = (a[15] >> 24) + ((a[16] << 5) & 0x1fffffff);
+    a[8] = (a[16] >> 24) +  (a[17] << 5);
+
+    /* Get the bit over, if any. */
+    am = a[8] >> 24;
+    /* Create mask. */
+    am = 0 - am;
+
+    a[0] -= 0x1fffffff & am;
+    a[1] -= 0x1fffffff & am;
+    a[2] -= 0x1fffffff & am;
+    a[3] -= 0x000001ff & am;
+    /* p256_mod[4] is zero */
+    /* p256_mod[5] is zero */
+    a[6] -= 0x00040000 & am;
+    a[7] -= 0x1fe00000 & am;
+    a[8] -= 0x00ffffff & am;
+
+    sp_256_norm_9(a);
+}
+
 /* Multiply two Montgomery form numbers mod the modulus (prime).
  * (r = a * b mod m)
  *
@@ -25559,6 +25606,19 @@ static int sp_256_mod_9(sp_digit* r, const sp_digit* a, const sp_digit* m)
 
 #endif
 #if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_256_mont_mul_order_9(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_256_mul_9(r, a, b);
+    sp_256_mont_reduce_order_9(r, p256_order, p256_mp_order);
+}
+
+#if defined(HAVE_ECC_SIGN) || (defined(HAVE_ECC_VERIFY) && defined(WOLFSSL_SP_SMALL))
 #ifdef WOLFSSL_SP_SMALL
 /* Order-2 for the P256 curve. */
 static const uint32_t p256_order_minus_2[8] = {
@@ -25572,18 +25632,6 @@ static const sp_int_digit p256_order_low[4] = {
 };
 #endif /* WOLFSSL_SP_SMALL */
 
-/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
- *
- * r  Result of the multiplication.
- * a  First operand of the multiplication.
- * b  Second operand of the multiplication.
- */
-static void sp_256_mont_mul_order_9(sp_digit* r, const sp_digit* a, const sp_digit* b)
-{
-    sp_256_mul_9(r, a, b);
-    sp_256_mont_reduce_order_9(r, p256_order, p256_mp_order);
-}
-
 /* Square number mod the order of P256 curve. (r = a * a mod order)
  *
  * r  Result of the squaring.
@@ -25754,6 +25802,7 @@ static void sp_256_mont_inv_order_9(sp_digit* r, const sp_digit* a,
 #endif /* WOLFSSL_SP_SMALL */
 }
 
+#endif /* HAVE_ECC_SIGN || (HAVE_ECC_VERIFY && WOLFSSL_SP_SMALL) */
 #endif /* HAVE_ECC_SIGN | HAVE_ECC_VERIFY */
 #ifdef HAVE_ECC_SIGN
 #ifndef SP_ECC_MAX_SIG_GEN
@@ -28075,8 +28124,6 @@ static int sp_384_point_to_ecc_point_15(const sp_point_384* p, ecc_point* pm)
     return err;
 }
 
-#define sp_384_mont_reduce_order_15         sp_384_mont_reduce_15
-
 /* Compare a with b in constant time.
  *
  * a  A single precision integer.
@@ -28302,7 +28349,7 @@ static void sp_384_mont_shift_15(sp_digit* r, const sp_digit* a)
  * m   The single precision number representing the modulus.
  * mp  The digit representing the negative inverse of m mod 2^n.
  */
-static void sp_384_mont_reduce_15(sp_digit* a, const sp_digit* m, sp_digit mp)
+static void sp_384_mont_reduce_order_15(sp_digit* a, const sp_digit* m, sp_digit mp)
 {
     int i;
     sp_digit mu;
@@ -28324,6 +28371,83 @@ static void sp_384_mont_reduce_15(sp_digit* a, const sp_digit* m, sp_digit mp)
     sp_384_norm_15(a);
 }
 
+/* Reduce the number back to 384 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_384_mont_reduce_15(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    int i;
+    sp_digit am;
+
+    (void)m;
+    (void)mp;
+
+    for (i = 0; i < 14; i++) {
+        am = (a[i] * 0x1) & 0x3ffffff;
+        a[i +  1] += (am << 6) & 0x3ffffff;
+        a[i +  2] += am >> 20;
+        a[i +  3] -= (am << 18) & 0x3ffffff;
+        a[i +  4] -= am >> 8;
+        a[i +  4] -= (am << 24) & 0x3ffffff;
+        a[i +  5] -= am >> 2;
+        a[i + 14] += (am << 20) & 0x3ffffff;
+        a[i + 15] += am >> 6;
+
+        a[i+1] += a[i] >> 26;
+    }
+    am = (a[14] * 0x1) & 0xfffff;
+    a[14 +  1] += (am << 6) & 0x3ffffff;
+    a[14 +  2] += am >> 20;
+    a[14 +  3] -= (am << 18) & 0x3ffffff;
+    a[14 +  4] -= am >> 8;
+    a[14 +  4] -= (am << 24) & 0x3ffffff;
+    a[14 +  5] -= am >> 2;
+    a[14 + 14] += (am << 20) & 0x3ffffff;
+    a[14 + 15] += am >> 6;
+
+    a[0] = (a[14] >> 20) + ((a[15] << 6) & 0x3ffffff);
+    a[1] = (a[15] >> 20) + ((a[16] << 6) & 0x3ffffff);
+    a[2] = (a[16] >> 20) + ((a[17] << 6) & 0x3ffffff);
+    a[3] = (a[17] >> 20) + ((a[18] << 6) & 0x3ffffff);
+    a[4] = (a[18] >> 20) + ((a[19] << 6) & 0x3ffffff);
+    a[5] = (a[19] >> 20) + ((a[20] << 6) & 0x3ffffff);
+    a[6] = (a[20] >> 20) + ((a[21] << 6) & 0x3ffffff);
+    a[7] = (a[21] >> 20) + ((a[22] << 6) & 0x3ffffff);
+    a[8] = (a[22] >> 20) + ((a[23] << 6) & 0x3ffffff);
+    a[9] = (a[23] >> 20) + ((a[24] << 6) & 0x3ffffff);
+    a[10] = (a[24] >> 20) + ((a[25] << 6) & 0x3ffffff);
+    a[11] = (a[25] >> 20) + ((a[26] << 6) & 0x3ffffff);
+    a[12] = (a[26] >> 20) + ((a[27] << 6) & 0x3ffffff);
+    a[13] = (a[27] >> 20) + ((a[28] << 6) & 0x3ffffff);
+    a[14] = (a[14 + 14] >> 20) +  (a[29] << 6);
+
+    /* Get the bit over, if any. */
+    am = a[14] >> 20;
+    /* Create mask. */
+    am = 0 - am;
+
+    a[0] -= 0x03ffffff & am;
+    a[1] -= 0x0000003f & am;
+    /* p384_mod[2] is zero */
+    a[3] -= 0x03fc0000 & am;
+    a[4] -= 0x02ffffff & am;
+    a[5] -= 0x03ffffff & am;
+    a[6] -= 0x03ffffff & am;
+    a[7] -= 0x03ffffff & am;
+    a[8] -= 0x03ffffff & am;
+    a[9] -= 0x03ffffff & am;
+    a[10] -= 0x03ffffff & am;
+    a[11] -= 0x03ffffff & am;
+    a[12] -= 0x03ffffff & am;
+    a[13] -= 0x03ffffff & am;
+    a[14] -= 0x000fffff & am;
+
+    sp_384_norm_15(a);
+}
+
 /* Multiply two Montgomery form numbers mod the modulus (prime).
  * (r = a * b mod m)
  *
@@ -33372,6 +33496,19 @@ static int sp_384_mod_15(sp_digit* r, const sp_digit* a, const sp_digit* m)
 
 #endif
 #if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_384_mont_mul_order_15(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_384_mul_15(r, a, b);
+    sp_384_mont_reduce_order_15(r, p384_order, p384_mp_order);
+}
+
+#if defined(HAVE_ECC_SIGN) || (defined(HAVE_ECC_VERIFY) && defined(WOLFSSL_SP_SMALL))
 #ifdef WOLFSSL_SP_SMALL
 /* Order-2 for the P384 curve. */
 static const uint32_t p384_order_minus_2[12] = {
@@ -33385,18 +33522,6 @@ static const uint32_t p384_order_low[6] = {
 };
 #endif /* WOLFSSL_SP_SMALL */
 
-/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
- *
- * r  Result of the multiplication.
- * a  First operand of the multiplication.
- * b  Second operand of the multiplication.
- */
-static void sp_384_mont_mul_order_15(sp_digit* r, const sp_digit* a, const sp_digit* b)
-{
-    sp_384_mul_15(r, a, b);
-    sp_384_mont_reduce_order_15(r, p384_order, p384_mp_order);
-}
-
 /* Square number mod the order of P384 curve. (r = a * a mod order)
  *
  * r  Result of the squaring.
@@ -33538,6 +33663,7 @@ static void sp_384_mont_inv_order_15(sp_digit* r, const sp_digit* a,
 #endif /* WOLFSSL_SP_SMALL */
 }
 
+#endif /* HAVE_ECC_SIGN || (HAVE_ECC_VERIFY && WOLFSSL_SP_SMALL) */
 #endif /* HAVE_ECC_SIGN | HAVE_ECC_VERIFY */
 #ifdef HAVE_ECC_SIGN
 #ifndef SP_ECC_MAX_SIG_GEN
@@ -35777,7 +35903,6 @@ static void sp_1024_cond_add_42(sp_digit* r, const sp_digit* a,
         r[i + 7] = a[i + 7] + (b[i + 7] & m);
     }
     r[40] = a[40] + (b[40] & m);
-    r[41] = a[41] + (b[41] & m);
 #endif /* WOLFSSL_SP_SMALL */
 }
 
diff --git a/wolfcrypt/src/sp_c64.c b/wolfcrypt/src/sp_c64.c
index 1d8e6f2f4..f9998a813 100644
--- a/wolfcrypt/src/sp_c64.c
+++ b/wolfcrypt/src/sp_c64.c
@@ -22364,8 +22364,6 @@ static int sp_256_point_to_ecc_point_5(const sp_point_256* p, ecc_point* pm)
     return err;
 }
 
-#define sp_256_mont_reduce_order_5         sp_256_mont_reduce_5
-
 /* Compare a with b in constant time.
  *
  * a  A single precision integer.
@@ -22527,40 +22525,86 @@ static void sp_256_mont_shift_5(sp_digit* r, const sp_digit* a)
  * m   The single precision number representing the modulus.
  * mp  The digit representing the negative inverse of m mod 2^n.
  */
-static void sp_256_mont_reduce_5(sp_digit* a, const sp_digit* m, sp_digit mp)
+static void sp_256_mont_reduce_order_5(sp_digit* a, const sp_digit* m, sp_digit mp)
 {
     int i;
     sp_digit mu;
 
-    if (mp != 1) {
-        for (i=0; i<4; i++) {
-            mu = (a[i] * mp) & 0xfffffffffffffL;
-            sp_256_mul_add_5(a+i, m, mu);
-            a[i+1] += a[i] >> 52;
-        }
-        mu = (a[i] * mp) & 0xffffffffffffL;
+    sp_256_norm_5(a + 5);
+
+    for (i=0; i<4; i++) {
+        mu = (a[i] * mp) & 0xfffffffffffffL;
         sp_256_mul_add_5(a+i, m, mu);
         a[i+1] += a[i] >> 52;
-        a[i] &= 0xfffffffffffffL;
     }
-    else {
-        for (i=0; i<4; i++) {
-            mu = a[i] & 0xfffffffffffffL;
-            sp_256_mul_add_5(a+i, p256_mod, mu);
-            a[i+1] += a[i] >> 52;
-        }
-        mu = a[i] & 0xffffffffffffL;
-        sp_256_mul_add_5(a+i, p256_mod, mu);
-        a[i+1] += a[i] >> 52;
-        a[i] &= 0xfffffffffffffL;
-    }
-
+    mu = (a[i] * mp) & 0xffffffffffffL;
+    sp_256_mul_add_5(a+i, m, mu);
+    a[i+1] += a[i] >> 52;
+    a[i] &= 0xfffffffffffffL;
     sp_256_mont_shift_5(a, a);
     sp_256_cond_sub_5(a, a, m, 0 - (((a[4] >> 48) > 0) ?
             (sp_digit)1 : (sp_digit)0));
     sp_256_norm_5(a);
 }
 
+/* Reduce the number back to 256 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_256_mont_reduce_5(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    int i;
+    sp_int128 t;
+    sp_digit am;
+
+    (void)m;
+    (void)mp;
+
+    for (i = 0; i < 4; i++) {
+        am = a[i] & 0xfffffffffffffL;
+        /* Fifth word of modulus word */
+        t = am; t *= 0x0ffffffff0000L;
+
+        a[i+1] += (am << 44) & 0xfffffffffffffL;
+        a[i+2] += am >> 8;
+        a[i+3] += (am << 36) & 0xfffffffffffffL;
+        a[i+4] += (am >> 16) + (t & 0xfffffffffffffL);
+        a[i+5] +=  t >> 52;
+
+        a[i+1] += a[i] >> 52;
+    }
+    am = a[4] & 0xffffffffffff;
+    /* Fifth word of modulus word */
+    t = am; t *= 0x0ffffffff0000L;
+
+    a[4+1] += (am << 44) & 0xfffffffffffffL;
+    a[4+2] += am >> 8;
+    a[4+3] += (am << 36) & 0xfffffffffffffL;
+    a[4+4] += (am >> 16) + (t & 0xfffffffffffffL);
+    a[4+5] +=  t >> 52;
+
+    a[0] = (a[4] >> 48) + ((a[5] << 4) & 0xfffffffffffffL);
+    a[1] = (a[5] >> 48) + ((a[6] << 4) & 0xfffffffffffffL);
+    a[2] = (a[6] >> 48) + ((a[7] << 4) & 0xfffffffffffffL);
+    a[3] = (a[7] >> 48) + ((a[8] << 4) & 0xfffffffffffffL);
+    a[4] = (a[8] >> 48) +  (a[9] << 4);
+
+    /* Get the bit over, if any. */
+    am = a[4] >> 48;
+    /* Create mask. */
+    am = 0 - am;
+
+    a[0] -= 0x000fffffffffffffL & am;
+    a[1] -= 0x00000fffffffffffL & am;
+    /* p256_mod[2] is zero */
+    a[3] -= 0x0000001000000000L & am;
+    a[4] -= 0x0000ffffffff0000L & am;
+
+    sp_256_norm_5(a);
+}
+
 /* Multiply two Montgomery form numbers mod the modulus (prime).
  * (r = a * b mod m)
  *
@@ -26822,6 +26866,19 @@ static int sp_256_mod_5(sp_digit* r, const sp_digit* a, const sp_digit* m)
 
 #endif
 #if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_256_mont_mul_order_5(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_256_mul_5(r, a, b);
+    sp_256_mont_reduce_order_5(r, p256_order, p256_mp_order);
+}
+
+#if defined(HAVE_ECC_SIGN) || (defined(HAVE_ECC_VERIFY) && defined(WOLFSSL_SP_SMALL))
 #ifdef WOLFSSL_SP_SMALL
 /* Order-2 for the P256 curve. */
 static const uint64_t p256_order_minus_2[4] = {
@@ -26835,18 +26892,6 @@ static const sp_int_digit p256_order_low[2] = {
 };
 #endif /* WOLFSSL_SP_SMALL */
 
-/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
- *
- * r  Result of the multiplication.
- * a  First operand of the multiplication.
- * b  Second operand of the multiplication.
- */
-static void sp_256_mont_mul_order_5(sp_digit* r, const sp_digit* a, const sp_digit* b)
-{
-    sp_256_mul_5(r, a, b);
-    sp_256_mont_reduce_order_5(r, p256_order, p256_mp_order);
-}
-
 /* Square number mod the order of P256 curve. (r = a * a mod order)
  *
  * r  Result of the squaring.
@@ -27017,6 +27062,7 @@ static void sp_256_mont_inv_order_5(sp_digit* r, const sp_digit* a,
 #endif /* WOLFSSL_SP_SMALL */
 }
 
+#endif /* HAVE_ECC_SIGN || (HAVE_ECC_VERIFY && WOLFSSL_SP_SMALL) */
 #endif /* HAVE_ECC_SIGN | HAVE_ECC_VERIFY */
 #ifdef HAVE_ECC_SIGN
 #ifndef SP_ECC_MAX_SIG_GEN
@@ -29011,8 +29057,6 @@ static int sp_384_point_to_ecc_point_7(const sp_point_384* p, ecc_point* pm)
     return err;
 }
 
-#define sp_384_mont_reduce_order_7         sp_384_mont_reduce_7
-
 /* Compare a with b in constant time.
  *
  * a  A single precision integer.
@@ -29192,7 +29236,7 @@ static void sp_384_mont_shift_7(sp_digit* r, const sp_digit* a)
  * m   The single precision number representing the modulus.
  * mp  The digit representing the negative inverse of m mod 2^n.
  */
-static void sp_384_mont_reduce_7(sp_digit* a, const sp_digit* m, sp_digit mp)
+static void sp_384_mont_reduce_order_7(sp_digit* a, const sp_digit* m, sp_digit mp)
 {
     int i;
     sp_digit mu;
@@ -29214,6 +29258,63 @@ static void sp_384_mont_reduce_7(sp_digit* a, const sp_digit* m, sp_digit mp)
     sp_384_norm_7(a);
 }
 
+/* Reduce the number back to 384 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_384_mont_reduce_7(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    int i;
+    sp_digit am;
+
+    (void)m;
+    (void)mp;
+
+    for (i = 0; i < 6; i++) {
+        am = (a[i] * 0x100000001) & 0x7fffffffffffffL;
+        a[i + 0] += (am << 32) & 0x7fffffffffffffL;
+        a[i + 1] += (am >> 23) - ((am << 41) & 0x7fffffffffffffL);
+        a[i + 2] += -(am >> 14) - ((am << 18) & 0x7fffffffffffffL);
+        a[i + 3] += -(am >> 37);
+        a[i + 6] += (am << 54) & 0x7fffffffffffffL;
+        a[i + 7] += am >> 1;
+
+        a[i+1] += a[i] >> 55;
+    }
+    am = (a[6] * 0x100000001) & 0x3fffffffffffff;
+    a[6 + 0] += (am << 32) & 0x7fffffffffffffL;
+    a[6 + 1] += (am >> 23) - ((am << 41) & 0x7fffffffffffffL);
+    a[6 + 2] += -(am >> 14) - ((am << 18) & 0x7fffffffffffffL);
+    a[6 + 3] += -(am >> 37);
+    a[6 + 6] += (am << 54) & 0x7fffffffffffffL;
+    a[6 + 7] += am >> 1;
+
+    a[0] = (a[6] >> 54) + ((a[7] << 1) & 0x7fffffffffffffL);
+    a[1] = (a[7] >> 54) + ((a[8] << 1) & 0x7fffffffffffffL);
+    a[2] = (a[8] >> 54) + ((a[9] << 1) & 0x7fffffffffffffL);
+    a[3] = (a[9] >> 54) + ((a[10] << 1) & 0x7fffffffffffffL);
+    a[4] = (a[10] >> 54) + ((a[11] << 1) & 0x7fffffffffffffL);
+    a[5] = (a[11] >> 54) + ((a[12] << 1) & 0x7fffffffffffffL);
+    a[6] = (a[12] >> 54) +  (a[13] << 1);
+
+    /* Get the bit over, if any. */
+    am = a[6] >> 54;
+    /* Create mask. */
+    am = 0 - am;
+
+    a[0] -= 0x00000000ffffffffL & am;
+    a[1] -= 0x007ffe0000000000L & am;
+    a[2] -= 0x007ffffffffbffffL & am;
+    a[3] -= 0x007fffffffffffffL & am;
+    a[4] -= 0x007fffffffffffffL & am;
+    a[5] -= 0x007fffffffffffffL & am;
+    a[6] -= 0x003fffffffffffffL & am;
+
+    sp_384_norm_7(a);
+}
+
 /* Multiply two Montgomery form numbers mod the modulus (prime).
  * (r = a * b mod m)
  *
@@ -34070,6 +34171,19 @@ static int sp_384_mod_7(sp_digit* r, const sp_digit* a, const sp_digit* m)
 
 #endif
 #if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_384_mont_mul_order_7(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_384_mul_7(r, a, b);
+    sp_384_mont_reduce_order_7(r, p384_order, p384_mp_order);
+}
+
+#if defined(HAVE_ECC_SIGN) || (defined(HAVE_ECC_VERIFY) && defined(WOLFSSL_SP_SMALL))
 #ifdef WOLFSSL_SP_SMALL
 /* Order-2 for the P384 curve. */
 static const uint64_t p384_order_minus_2[6] = {
@@ -34083,18 +34197,6 @@ static const uint64_t p384_order_low[3] = {
 };
 #endif /* WOLFSSL_SP_SMALL */
 
-/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
- *
- * r  Result of the multiplication.
- * a  First operand of the multiplication.
- * b  Second operand of the multiplication.
- */
-static void sp_384_mont_mul_order_7(sp_digit* r, const sp_digit* a, const sp_digit* b)
-{
-    sp_384_mul_7(r, a, b);
-    sp_384_mont_reduce_order_7(r, p384_order, p384_mp_order);
-}
-
 /* Square number mod the order of P384 curve. (r = a * a mod order)
  *
  * r  Result of the squaring.
@@ -34236,6 +34338,7 @@ static void sp_384_mont_inv_order_7(sp_digit* r, const sp_digit* a,
 #endif /* WOLFSSL_SP_SMALL */
 }
 
+#endif /* HAVE_ECC_SIGN || (HAVE_ECC_VERIFY && WOLFSSL_SP_SMALL) */
 #endif /* HAVE_ECC_SIGN | HAVE_ECC_VERIFY */
 #ifdef HAVE_ECC_SIGN
 #ifndef SP_ECC_MAX_SIG_GEN
diff --git a/wolfcrypt/src/sp_cortexm.c b/wolfcrypt/src/sp_cortexm.c
index 00cd8ea99..6b1493148 100644
--- a/wolfcrypt/src/sp_cortexm.c
+++ b/wolfcrypt/src/sp_cortexm.c
@@ -22954,6 +22954,19 @@ static WC_INLINE int sp_256_mod_8(sp_digit* r, const sp_digit* a, const sp_digit
 
 #endif
 #if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_256_mont_mul_order_8(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_256_mul_8(r, a, b);
+    sp_256_mont_reduce_order_8(r, p256_order, p256_mp_order);
+}
+
+#if defined(HAVE_ECC_SIGN) || (defined(HAVE_ECC_VERIFY) && defined(WOLFSSL_SP_SMALL))
 #ifdef WOLFSSL_SP_SMALL
 /* Order-2 for the P256 curve. */
 static const uint32_t p256_order_minus_2[8] = {
@@ -22967,18 +22980,6 @@ static const sp_int_digit p256_order_low[4] = {
 };
 #endif /* WOLFSSL_SP_SMALL */
 
-/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
- *
- * r  Result of the multiplication.
- * a  First operand of the multiplication.
- * b  Second operand of the multiplication.
- */
-static void sp_256_mont_mul_order_8(sp_digit* r, const sp_digit* a, const sp_digit* b)
-{
-    sp_256_mul_8(r, a, b);
-    sp_256_mont_reduce_order_8(r, p256_order, p256_mp_order);
-}
-
 /* Square number mod the order of P256 curve. (r = a * a mod order)
  *
  * r  Result of the squaring.
@@ -23149,6 +23150,7 @@ static void sp_256_mont_inv_order_8(sp_digit* r, const sp_digit* a,
 #endif /* WOLFSSL_SP_SMALL */
 }
 
+#endif /* HAVE_ECC_SIGN || (HAVE_ECC_VERIFY && WOLFSSL_SP_SMALL) */
 #endif /* HAVE_ECC_SIGN | HAVE_ECC_VERIFY */
 #ifdef HAVE_ECC_SIGN
 #ifndef SP_ECC_MAX_SIG_GEN
@@ -30165,6 +30167,19 @@ static WC_INLINE int sp_384_mod_12(sp_digit* r, const sp_digit* a, const sp_digi
 
 #endif
 #if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_384_mont_mul_order_12(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_384_mul_12(r, a, b);
+    sp_384_mont_reduce_order_12(r, p384_order, p384_mp_order);
+}
+
+#if defined(HAVE_ECC_SIGN) || (defined(HAVE_ECC_VERIFY) && defined(WOLFSSL_SP_SMALL))
 #ifdef WOLFSSL_SP_SMALL
 /* Order-2 for the P384 curve. */
 static const uint32_t p384_order_minus_2[12] = {
@@ -30178,18 +30193,6 @@ static const uint32_t p384_order_low[6] = {
 };
 #endif /* WOLFSSL_SP_SMALL */
 
-/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
- *
- * r  Result of the multiplication.
- * a  First operand of the multiplication.
- * b  Second operand of the multiplication.
- */
-static void sp_384_mont_mul_order_12(sp_digit* r, const sp_digit* a, const sp_digit* b)
-{
-    sp_384_mul_12(r, a, b);
-    sp_384_mont_reduce_order_12(r, p384_order, p384_mp_order);
-}
-
 /* Square number mod the order of P384 curve. (r = a * a mod order)
  *
  * r  Result of the squaring.
@@ -30331,6 +30334,7 @@ static void sp_384_mont_inv_order_12(sp_digit* r, const sp_digit* a,
 #endif /* WOLFSSL_SP_SMALL */
 }
 
+#endif /* HAVE_ECC_SIGN || (HAVE_ECC_VERIFY && WOLFSSL_SP_SMALL) */
 #endif /* HAVE_ECC_SIGN | HAVE_ECC_VERIFY */
 #ifdef HAVE_ECC_SIGN
 #ifndef SP_ECC_MAX_SIG_GEN
diff --git a/wolfcrypt/src/sp_int.c b/wolfcrypt/src/sp_int.c
index c4a307de5..e11628fcd 100644
--- a/wolfcrypt/src/sp_int.c
+++ b/wolfcrypt/src/sp_int.c
@@ -4615,6 +4615,10 @@ int sp_div(sp_int* a, sp_int* d, sp_int* r, sp_int* rem)
     if ((err == MP_OKAY) && (rem != NULL) && (rem->size < a->used + 1)) {
         err = MP_VAL;
     }
+    /* May need to shift number being divided left into a new word. */
+    if ((err == MP_OKAY) && (a->used == SP_INT_DIGITS)) {
+        err = MP_VAL;
+    }
 
     #if 0
     if (err == MP_OKAY) {
diff --git a/wolfcrypt/src/sp_x86_64.c b/wolfcrypt/src/sp_x86_64.c
index bbe1873c1..387d3d6da 100644
--- a/wolfcrypt/src/sp_x86_64.c
+++ b/wolfcrypt/src/sp_x86_64.c
@@ -23641,19 +23641,6 @@ static WC_INLINE int sp_256_mod_4(sp_digit* r, const sp_digit* a,
 
 #endif
 #if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
-#ifdef WOLFSSL_SP_SMALL
-/* Order-2 for the P256 curve. */
-static const uint64_t p256_order_minus_2[4] = {
-    0xf3b9cac2fc63254fU,0xbce6faada7179e84U,0xffffffffffffffffU,
-    0xffffffff00000000U
-};
-#else
-/* The low half of the order-2 of the P256 curve. */
-static const uint64_t p256_order_low[2] = {
-    0xf3b9cac2fc63254fU,0xbce6faada7179e84U
-};
-#endif /* WOLFSSL_SP_SMALL */
-
 /* Multiply two number mod the order of P256 curve. (r = a * b mod order)
  *
  * r  Result of the multiplication.
@@ -23667,6 +23654,20 @@ static void sp_256_mont_mul_order_4(sp_digit* r, const sp_digit* a, const sp_dig
     sp_256_mont_reduce_order_4(r, p256_order, p256_mp_order);
 }
 
+#if defined(HAVE_ECC_SIGN) || (defined(HAVE_ECC_VERIFY) && defined(WOLFSSL_SP_SMALL))
+#ifdef WOLFSSL_SP_SMALL
+/* Order-2 for the P256 curve. */
+static const uint64_t p256_order_minus_2[4] = {
+    0xf3b9cac2fc63254fU,0xbce6faada7179e84U,0xffffffffffffffffU,
+    0xffffffff00000000U
+};
+#else
+/* The low half of the order-2 of the P256 curve. */
+static const uint64_t p256_order_low[2] = {
+    0xf3b9cac2fc63254fU,0xbce6faada7179e84U
+};
+#endif /* WOLFSSL_SP_SMALL */
+
 /* Square number mod the order of P256 curve. (r = a * a mod order)
  *
  * r  Result of the squaring.
@@ -23853,8 +23854,10 @@ static void sp_256_mont_inv_order_4(sp_digit* r, const sp_digit* a,
 #endif /* WOLFSSL_SP_SMALL */
 }
 
+#endif /* HAVE_ECC_SIGN || (HAVE_ECC_VERIFY && WOLFSSL_SP_SMALL) */
 #ifdef HAVE_INTEL_AVX2
 extern void sp_256_mont_mul_order_avx2_4(sp_digit* r, const sp_digit* a, const sp_digit* b);
+#if defined(HAVE_ECC_SIGN) || (defined(HAVE_ECC_VERIFY) && defined(WOLFSSL_SP_SMALL))
 extern void sp_256_mont_sqr_order_avx2_4(sp_digit* r, const sp_digit* a);
 
 #ifndef WOLFSSL_SP_SMALL
@@ -24031,6 +24034,7 @@ static void sp_256_mont_inv_order_avx2_4(sp_digit* r, const sp_digit* a,
 #endif /* WOLFSSL_SP_SMALL */
 }
 
+#endif /* HAVE_ECC_SIGN || (HAVE_ECC_VERIFY && WOLFSSL_SP_SMALL) */
 #endif /* HAVE_INTEL_AVX2 */
 #endif /* HAVE_ECC_SIGN | HAVE_ECC_VERIFY */
 #ifdef HAVE_ECC_SIGN
@@ -48232,6 +48236,19 @@ static WC_INLINE int sp_384_mod_6(sp_digit* r, const sp_digit* a,
 
 #endif
 #if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_384_mont_mul_order_6(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_384_mul_6(r, a, b);
+    sp_384_mont_reduce_order_6(r, p384_order, p384_mp_order);
+}
+
+#if defined(HAVE_ECC_SIGN) || (defined(HAVE_ECC_VERIFY) && defined(WOLFSSL_SP_SMALL))
 #ifdef WOLFSSL_SP_SMALL
 /* Order-2 for the P384 curve. */
 static const uint64_t p384_order_minus_2[6] = {
@@ -48245,18 +48262,6 @@ static const uint64_t p384_order_low[3] = {
 };
 #endif /* WOLFSSL_SP_SMALL */
 
-/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
- *
- * r  Result of the multiplication.
- * a  First operand of the multiplication.
- * b  Second operand of the multiplication.
- */
-static void sp_384_mont_mul_order_6(sp_digit* r, const sp_digit* a, const sp_digit* b)
-{
-    sp_384_mul_6(r, a, b);
-    sp_384_mont_reduce_order_6(r, p384_order, p384_mp_order);
-}
-
 /* Square number mod the order of P384 curve. (r = a * a mod order)
  *
  * r  Result of the squaring.
@@ -48398,6 +48403,7 @@ static void sp_384_mont_inv_order_6(sp_digit* r, const sp_digit* a,
 #endif /* WOLFSSL_SP_SMALL */
 }
 
+#endif /* HAVE_ECC_SIGN || (HAVE_ECC_VERIFY && WOLFSSL_SP_SMALL) */
 #ifdef HAVE_INTEL_AVX2
 /* Multiply two number mod the order of P384 curve. (r = a * b mod order)
  *
@@ -48411,6 +48417,7 @@ static void sp_384_mont_mul_order_avx2_6(sp_digit* r, const sp_digit* a, const s
     sp_384_mont_reduce_order_avx2_6(r, p384_order, p384_mp_order);
 }
 
+#if defined(HAVE_ECC_SIGN) || (defined(HAVE_ECC_VERIFY) && defined(WOLFSSL_SP_SMALL))
 /* Square number mod the order of P384 curve. (r = a * a mod order)
  *
  * r  Result of the squaring.
@@ -48552,6 +48559,7 @@ static void sp_384_mont_inv_order_avx2_6(sp_digit* r, const sp_digit* a,
 #endif /* WOLFSSL_SP_SMALL */
 }
 
+#endif /* HAVE_ECC_SIGN || (HAVE_ECC_VERIFY && WOLFSSL_SP_SMALL) */
 #endif /* HAVE_INTEL_AVX2 */
 #endif /* HAVE_ECC_SIGN | HAVE_ECC_VERIFY */
 #ifdef HAVE_ECC_SIGN
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 4b6c80bb5..801ed5e4e 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -22976,7 +22976,8 @@ static int ecc_def_curve_test(WC_RNG *rng)
 #else
     ecc_key key[1];
 #endif
-#if defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT)
+#if (defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT)) || \
+    (defined(HAVE_ECC_KEY_IMPORT) && !defined(WOLFSSL_VALIDATE_ECC_IMPORT))
     word32 idx = 0;
 #endif
 
@@ -32723,9 +32724,15 @@ static int verifyBundle(byte* derBuf, word32 derSz, int keyHint)
     int  decodedSz = FOURK_BUF/2;
 
     WOLFSSL_SMALL_STACK_STATIC const byte expectedSid[] = {
+#ifdef USE_CERT_BUFFERS_1024
+        0x81, 0x69, 0x0f, 0xf8, 0xdf, 0xdd, 0xcf, 0x34,
+        0x29, 0xd5, 0x67, 0x75, 0x71, 0x85, 0xc7, 0x75,
+        0x10, 0x69, 0x59, 0xec,
+#else
         0x33, 0xD8, 0x45, 0x66, 0xD7, 0x68, 0x87, 0x18,
         0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, 0x26,
         0xD7, 0x85, 0x65, 0xC0
+#endif
     };
 
     decoded = (byte *)XMALLOC(decodedSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
diff --git a/wolfssl/certs_test.h b/wolfssl/certs_test.h
index 7183fd2e2..b5f33ebb0 100644
--- a/wolfssl/certs_test.h
+++ b/wolfssl/certs_test.h
@@ -98,110 +98,112 @@ static const int sizeof_client_keypub_der_1024 = sizeof(client_keypub_der_1024);
 /* ./certs/1024/client-cert.der, 1024-bit */
 static const unsigned char client_cert_der_1024[] =
 {
-        0x30, 0x82, 0x04, 0x02, 0x30, 0x82, 0x03, 0x6B, 0xA0, 0x03,
-        0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xC5, 0x19, 0x90, 0xA1,
-        0xC9, 0x01, 0x0F, 0xB9, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
-        0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30,
-        0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
-        0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06,
-        0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74,
-        0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55,
-        0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61,
-        0x6E, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0A,
-        0x0C, 0x0C, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x5F,
-        0x31, 0x30, 0x32, 0x34, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03,
-        0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50, 0x72, 0x6F, 0x67, 0x72,
-        0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D, 0x31, 0x30, 0x32,
-        0x34, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03,
-        0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66,
-        0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30,
-        0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
-        0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77,
-        0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
-        0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x30, 0x32, 0x31, 0x30,
-        0x31, 0x39, 0x34, 0x39, 0x35, 0x32, 0x5A, 0x17, 0x0D, 0x32,
-        0x33, 0x31, 0x31, 0x30, 0x37, 0x31, 0x39, 0x34, 0x39, 0x35,
-        0x32, 0x5A, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06,
-        0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10,
-        0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D,
-        0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E,
-        0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A,
-        0x65, 0x6D, 0x61, 0x6E, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03,
-        0x55, 0x04, 0x0A, 0x0C, 0x0C, 0x77, 0x6F, 0x6C, 0x66, 0x53,
-        0x53, 0x4C, 0x5F, 0x31, 0x30, 0x32, 0x34, 0x31, 0x19, 0x30,
-        0x17, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50, 0x72,
-        0x6F, 0x67, 0x72, 0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D,
-        0x31, 0x30, 0x32, 0x34, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03,
-        0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77,
-        0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
-        0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
-        0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66,
-        0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E,
-        0x63, 0x6F, 0x6D, 0x30, 0x81, 0x9F, 0x30, 0x0D, 0x06, 0x09,
-        0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05,
-        0x00, 0x03, 0x81, 0x8D, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81,
-        0x81, 0x00, 0xBC, 0x73, 0x0E, 0xA8, 0x49, 0xF3, 0x74, 0xA2,
-        0xA9, 0xEF, 0x18, 0xA5, 0xDA, 0x55, 0x99, 0x21, 0xF9, 0xC8,
-        0xEC, 0xB3, 0x6D, 0x48, 0xE5, 0x35, 0x35, 0x75, 0x77, 0x37,
-        0xEC, 0xD1, 0x61, 0x90, 0x5F, 0x3E, 0xD9, 0xE4, 0xD5, 0xDF,
-        0x94, 0xCA, 0xC1, 0xA9, 0xD7, 0x19, 0xDA, 0x86, 0xC9, 0xE8,
-        0x4D, 0xC4, 0x61, 0x36, 0x82, 0xFE, 0xAB, 0xAD, 0x7E, 0x77,
-        0x25, 0xBB, 0x8D, 0x11, 0xA5, 0xBC, 0x62, 0x3A, 0xA8, 0x38,
-        0xCC, 0x39, 0xA2, 0x04, 0x66, 0xB4, 0xF7, 0xF7, 0xF3, 0xAA,
-        0xDA, 0x4D, 0x02, 0x0E, 0xBB, 0x5E, 0x8D, 0x69, 0x48, 0xDC,
-        0x77, 0xC9, 0x28, 0x0E, 0x22, 0xE9, 0x6B, 0xA4, 0x26, 0xBA,
-        0x4C, 0xE8, 0xC1, 0xFD, 0x4A, 0x6F, 0x2B, 0x1F, 0xEF, 0x8A,
-        0xAE, 0xF6, 0x90, 0x62, 0xE5, 0x64, 0x1E, 0xEB, 0x2B, 0x3C,
-        0x67, 0xC8, 0xDC, 0x27, 0x00, 0xF6, 0x91, 0x68, 0x65, 0xA9,
-        0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x44, 0x30,
-        0x82, 0x01, 0x40, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E,
-        0x04, 0x16, 0x04, 0x14, 0x81, 0x69, 0x0F, 0xF8, 0xDF, 0xDD,
-        0xCF, 0x34, 0x29, 0xD5, 0x67, 0x75, 0x71, 0x85, 0xC7, 0x75,
-        0x10, 0x69, 0x59, 0xEC, 0x30, 0x81, 0xD3, 0x06, 0x03, 0x55,
-        0x1D, 0x23, 0x04, 0x81, 0xCB, 0x30, 0x81, 0xC8, 0x80, 0x14,
-        0x81, 0x69, 0x0F, 0xF8, 0xDF, 0xDD, 0xCF, 0x34, 0x29, 0xD5,
-        0x67, 0x75, 0x71, 0x85, 0xC7, 0x75, 0x10, 0x69, 0x59, 0xEC,
-        0xA1, 0x81, 0xA4, 0xA4, 0x81, 0xA1, 0x30, 0x81, 0x9E, 0x31,
-        0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-        0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04,
-        0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61,
-        0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C,
-        0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x15,
-        0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0C, 0x77,
-        0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x5F, 0x31, 0x30, 0x32,
-        0x34, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0B,
-        0x0C, 0x10, 0x50, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x6D,
-        0x69, 0x6E, 0x67, 0x2D, 0x31, 0x30, 0x32, 0x34, 0x31, 0x18,
-        0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77,
-        0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C,
-        0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09,
-        0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16,
-        0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66,
-        0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00,
-        0xC5, 0x19, 0x90, 0xA1, 0xC9, 0x01, 0x0F, 0xB9, 0x30, 0x0C,
-        0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01,
-        0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x1D, 0x11, 0x04,
-        0x15, 0x30, 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D, 0x70,
-        0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D, 0x87, 0x04, 0x7F, 0x00,
-        0x00, 0x01, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04,
-        0x16, 0x30, 0x14, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05,
-        0x07, 0x03, 0x01, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05,
-        0x07, 0x03, 0x02, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48,
-        0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x81,
-        0x81, 0x00, 0x30, 0xCE, 0x46, 0x43, 0x6D, 0x70, 0xE1, 0x6D,
-        0xBB, 0x8F, 0x4A, 0x05, 0x64, 0xF7, 0x2C, 0x8D, 0x0E, 0xD6,
-        0xF9, 0x1E, 0xB6, 0x2A, 0x8E, 0xED, 0x52, 0xE1, 0x7C, 0x44,
-        0xBF, 0x59, 0x54, 0xDA, 0x2D, 0x31, 0x4D, 0xE6, 0x79, 0xD2,
-        0xD0, 0xD8, 0xB4, 0xCF, 0x5B, 0x16, 0x0A, 0x16, 0xA1, 0xBE,
-        0x62, 0x9F, 0x6C, 0x24, 0x46, 0x7B, 0xB8, 0xDD, 0xB8, 0x8D,
-        0x7F, 0xFE, 0xF1, 0xAC, 0x62, 0x94, 0xE0, 0x34, 0xCE, 0x4C,
-        0x59, 0x3A, 0xC5, 0x5A, 0xE6, 0x40, 0xD5, 0x60, 0x7E, 0x20,
-        0x5D, 0xED, 0x43, 0x92, 0xD3, 0xF3, 0xEA, 0xE0, 0xD1, 0x57,
-        0xC8, 0xCE, 0x41, 0x79, 0xDB, 0x81, 0x41, 0xC6, 0xF0, 0x0E,
-        0x35, 0xD4, 0x6F, 0x92, 0x58, 0x2D, 0xD6, 0xB2, 0xEC, 0xF1,
-        0x88, 0xFF, 0x6D, 0xCA, 0x63, 0xD6, 0x4A, 0x8D, 0x10, 0xA6,
-        0x23, 0x06, 0x77, 0x9A, 0xD5, 0xAB, 0x9D, 0x64, 0x46, 0x02
-
+        0x30, 0x82, 0x04, 0x18, 0x30, 0x82, 0x03, 0x81, 0xA0, 0x03,
+        0x02, 0x01, 0x02, 0x02, 0x14, 0x61, 0x8C, 0xAF, 0x82, 0x14,
+        0x94, 0x51, 0xC0, 0x98, 0xD3, 0xA8, 0x3B, 0xA3, 0x90, 0x85,
+        0x20, 0x97, 0xBA, 0x62, 0x18, 0x30, 0x0D, 0x06, 0x09, 0x2A,
+        0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00,
+        0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55,
+        0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E,
+        0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E,
+        0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03,
+        0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D,
+        0x61, 0x6E, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04,
+        0x0A, 0x0C, 0x0C, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C,
+        0x5F, 0x31, 0x30, 0x32, 0x34, 0x31, 0x19, 0x30, 0x17, 0x06,
+        0x03, 0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50, 0x72, 0x6F, 0x67,
+        0x72, 0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D, 0x31, 0x30,
+        0x32, 0x34, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04,
+        0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C,
+        0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F,
+        0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+        0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40,
+        0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
+        0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x31, 0x32, 0x32,
+        0x30, 0x32, 0x33, 0x30, 0x37, 0x32, 0x34, 0x5A, 0x17, 0x0D,
+        0x32, 0x34, 0x30, 0x39, 0x31, 0x35, 0x32, 0x33, 0x30, 0x37,
+        0x32, 0x34, 0x5A, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09,
+        0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
+        0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07,
+        0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30,
+        0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F,
+        0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x15, 0x30, 0x13, 0x06,
+        0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0C, 0x77, 0x6F, 0x6C, 0x66,
+        0x53, 0x53, 0x4C, 0x5F, 0x31, 0x30, 0x32, 0x34, 0x31, 0x19,
+        0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50,
+        0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67,
+        0x2D, 0x31, 0x30, 0x32, 0x34, 0x31, 0x18, 0x30, 0x16, 0x06,
+        0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E,
+        0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
+        0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48,
+        0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E,
+        0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C,
+        0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x81, 0x9F, 0x30, 0x0D, 0x06,
+        0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01,
+        0x05, 0x00, 0x03, 0x81, 0x8D, 0x00, 0x30, 0x81, 0x89, 0x02,
+        0x81, 0x81, 0x00, 0xBC, 0x73, 0x0E, 0xA8, 0x49, 0xF3, 0x74,
+        0xA2, 0xA9, 0xEF, 0x18, 0xA5, 0xDA, 0x55, 0x99, 0x21, 0xF9,
+        0xC8, 0xEC, 0xB3, 0x6D, 0x48, 0xE5, 0x35, 0x35, 0x75, 0x77,
+        0x37, 0xEC, 0xD1, 0x61, 0x90, 0x5F, 0x3E, 0xD9, 0xE4, 0xD5,
+        0xDF, 0x94, 0xCA, 0xC1, 0xA9, 0xD7, 0x19, 0xDA, 0x86, 0xC9,
+        0xE8, 0x4D, 0xC4, 0x61, 0x36, 0x82, 0xFE, 0xAB, 0xAD, 0x7E,
+        0x77, 0x25, 0xBB, 0x8D, 0x11, 0xA5, 0xBC, 0x62, 0x3A, 0xA8,
+        0x38, 0xCC, 0x39, 0xA2, 0x04, 0x66, 0xB4, 0xF7, 0xF7, 0xF3,
+        0xAA, 0xDA, 0x4D, 0x02, 0x0E, 0xBB, 0x5E, 0x8D, 0x69, 0x48,
+        0xDC, 0x77, 0xC9, 0x28, 0x0E, 0x22, 0xE9, 0x6B, 0xA4, 0x26,
+        0xBA, 0x4C, 0xE8, 0xC1, 0xFD, 0x4A, 0x6F, 0x2B, 0x1F, 0xEF,
+        0x8A, 0xAE, 0xF6, 0x90, 0x62, 0xE5, 0x64, 0x1E, 0xEB, 0x2B,
+        0x3C, 0x67, 0xC8, 0xDC, 0x27, 0x00, 0xF6, 0x91, 0x68, 0x65,
+        0xA9, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x4F,
+        0x30, 0x82, 0x01, 0x4B, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D,
+        0x0E, 0x04, 0x16, 0x04, 0x14, 0x81, 0x69, 0x0F, 0xF8, 0xDF,
+        0xDD, 0xCF, 0x34, 0x29, 0xD5, 0x67, 0x75, 0x71, 0x85, 0xC7,
+        0x75, 0x10, 0x69, 0x59, 0xEC, 0x30, 0x81, 0xDE, 0x06, 0x03,
+        0x55, 0x1D, 0x23, 0x04, 0x81, 0xD6, 0x30, 0x81, 0xD3, 0x80,
+        0x14, 0x81, 0x69, 0x0F, 0xF8, 0xDF, 0xDD, 0xCF, 0x34, 0x29,
+        0xD5, 0x67, 0x75, 0x71, 0x85, 0xC7, 0x75, 0x10, 0x69, 0x59,
+        0xEC, 0xA1, 0x81, 0xA4, 0xA4, 0x81, 0xA1, 0x30, 0x81, 0x9E,
+        0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
+        0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55,
+        0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E,
+        0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07,
+        0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31,
+        0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0C,
+        0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x5F, 0x31, 0x30,
+        0x32, 0x34, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04,
+        0x0B, 0x0C, 0x10, 0x50, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D,
+        0x6D, 0x69, 0x6E, 0x67, 0x2D, 0x31, 0x30, 0x32, 0x34, 0x31,
+        0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F,
+        0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73,
+        0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06,
+        0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01,
+        0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C,
+        0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x14,
+        0x61, 0x8C, 0xAF, 0x82, 0x14, 0x94, 0x51, 0xC0, 0x98, 0xD3,
+        0xA8, 0x3B, 0xA3, 0x90, 0x85, 0x20, 0x97, 0xBA, 0x62, 0x18,
+        0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30,
+        0x03, 0x01, 0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x1D,
+        0x11, 0x04, 0x15, 0x30, 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61,
+        0x6D, 0x70, 0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D, 0x87, 0x04,
+        0x7F, 0x00, 0x00, 0x01, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D,
+        0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2B, 0x06, 0x01,
+        0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2B, 0x06, 0x01,
+        0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0D, 0x06, 0x09, 0x2A,
+        0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00,
+        0x03, 0x81, 0x81, 0x00, 0xA4, 0x2F, 0xC5, 0x53, 0x22, 0x35,
+        0xF9, 0xC3, 0x21, 0xB9, 0x85, 0x3B, 0x7D, 0xA4, 0x8E, 0xA0,
+        0xF3, 0x9C, 0x2B, 0x2A, 0xE3, 0x35, 0x7A, 0x62, 0x4F, 0x1C,
+        0x73, 0x61, 0xF6, 0xFE, 0x85, 0x05, 0xAF, 0x55, 0x17, 0xC0,
+        0x13, 0xEA, 0x4D, 0x8E, 0x0B, 0x20, 0xDD, 0x29, 0x7C, 0xFC,
+        0x48, 0x9B, 0x47, 0x3D, 0x6E, 0x05, 0xF9, 0x9F, 0x1F, 0xFC,
+        0x70, 0xAF, 0x0A, 0x5C, 0x30, 0x58, 0x6E, 0x4D, 0x51, 0x2D,
+        0x93, 0xDE, 0x7E, 0x1B, 0x10, 0xB2, 0xED, 0xA2, 0x5E, 0xBE,
+        0xA1, 0x8C, 0x69, 0x60, 0x37, 0xE8, 0xB0, 0xC9, 0x35, 0x4F,
+        0x4E, 0x2A, 0xCD, 0x9E, 0xE9, 0xDE, 0x35, 0xF0, 0x85, 0x98,
+        0x41, 0xC9, 0x39, 0x64, 0x0E, 0x52, 0x21, 0x6E, 0x45, 0xDF,
+        0x58, 0xE9, 0xE0, 0x95, 0x51, 0x22, 0x4D, 0xE1, 0xEE, 0xE5,
+        0x58, 0x57, 0x7B, 0x71, 0x89, 0x31, 0x89, 0x5F, 0xE0, 0x84,
+        0xDB, 0x4B
 };
 static const int sizeof_client_cert_der_1024 = sizeof(client_cert_der_1024);
 
@@ -414,29 +416,70 @@ static const int sizeof_ca_key_der_1024 = sizeof(ca_key_der_1024);
 /* ./certs/1024/ca-cert.der, 1024-bit */
 static const unsigned char ca_cert_der_1024[] =
 {
-        0x30, 0x82, 0x03, 0xF3, 0x30, 0x82, 0x03, 0x5C, 0xA0, 0x03,
-        0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0x97, 0x1D, 0x33, 0x11,
-        0xE8, 0x40, 0x6E, 0x95, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
-        0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30,
-        0x81, 0x99, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
-        0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06,
-        0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74,
-        0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55,
-        0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61,
-        0x6E, 0x31, 0x11, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x0A,
-        0x0C, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68,
-        0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C,
-        0x0F, 0x43, 0x6F, 0x6E, 0x73, 0x75, 0x6C, 0x74, 0x69, 0x6E,
-        0x67, 0x5F, 0x31, 0x30, 0x32, 0x34, 0x31, 0x18, 0x30, 0x16,
-        0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77,
-        0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63,
-        0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86,
-        0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69,
-        0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73,
-        0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32,
-        0x31, 0x30, 0x32, 0x31, 0x30, 0x31, 0x39, 0x34, 0x39, 0x35,
-        0x33, 0x5A, 0x17, 0x0D, 0x32, 0x33, 0x31, 0x31, 0x30, 0x37,
-        0x31, 0x39, 0x34, 0x39, 0x35, 0x33, 0x5A, 0x30, 0x81, 0x99,
+        0x30, 0x82, 0x04, 0x09, 0x30, 0x82, 0x03, 0x72, 0xA0, 0x03,
+        0x02, 0x01, 0x02, 0x02, 0x14, 0x28, 0x91, 0x57, 0x80, 0x6F,
+        0x78, 0x1E, 0x99, 0x86, 0x3B, 0xFD, 0x1B, 0x95, 0xFC, 0x06,
+        0xE2, 0x1D, 0x62, 0xB2, 0x14, 0x30, 0x0D, 0x06, 0x09, 0x2A,
+        0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00,
+        0x30, 0x81, 0x99, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55,
+        0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E,
+        0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E,
+        0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03,
+        0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D,
+        0x61, 0x6E, 0x31, 0x11, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04,
+        0x0A, 0x0C, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74,
+        0x68, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x0B,
+        0x0C, 0x0F, 0x43, 0x6F, 0x6E, 0x73, 0x75, 0x6C, 0x74, 0x69,
+        0x6E, 0x67, 0x5F, 0x31, 0x30, 0x32, 0x34, 0x31, 0x18, 0x30,
+        0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77,
+        0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E,
+        0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A,
+        0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10,
+        0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73,
+        0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D,
+        0x32, 0x31, 0x31, 0x32, 0x32, 0x30, 0x32, 0x33, 0x30, 0x37,
+        0x32, 0x35, 0x5A, 0x17, 0x0D, 0x32, 0x34, 0x30, 0x39, 0x31,
+        0x35, 0x32, 0x33, 0x30, 0x37, 0x32, 0x35, 0x5A, 0x30, 0x81,
+        0x99, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
+        0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03,
+        0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61,
+        0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04,
+        0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E,
+        0x31, 0x11, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C,
+        0x08, 0x53, 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68, 0x31,
+        0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0F,
+        0x43, 0x6F, 0x6E, 0x73, 0x75, 0x6C, 0x74, 0x69, 0x6E, 0x67,
+        0x5F, 0x31, 0x30, 0x32, 0x34, 0x31, 0x18, 0x30, 0x16, 0x06,
+        0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E,
+        0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
+        0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48,
+        0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E,
+        0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C,
+        0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x81, 0x9F, 0x30, 0x0D, 0x06,
+        0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01,
+        0x05, 0x00, 0x03, 0x81, 0x8D, 0x00, 0x30, 0x81, 0x89, 0x02,
+        0x81, 0x81, 0x00, 0xCD, 0xAC, 0xDD, 0x47, 0xEC, 0xBE, 0xB7,
+        0x24, 0xC3, 0x63, 0x1B, 0x54, 0x98, 0x79, 0xE1, 0xC7, 0x31,
+        0x16, 0x59, 0xD6, 0x9D, 0x77, 0x9D, 0x8D, 0xE2, 0x8B, 0xED,
+        0x04, 0x17, 0xB2, 0xC6, 0xEB, 0xE4, 0x9B, 0x91, 0xBE, 0x31,
+        0x50, 0x62, 0x97, 0x58, 0xB5, 0x7F, 0x29, 0xDE, 0xB3, 0x71,
+        0x24, 0x0B, 0xBF, 0x97, 0x09, 0x7F, 0x26, 0xDC, 0x2D, 0xEC,
+        0xA8, 0x2E, 0xB2, 0x64, 0x2B, 0x7A, 0x2B, 0x35, 0x19, 0x2D,
+        0xA2, 0x80, 0xCB, 0x99, 0xFD, 0x94, 0x71, 0x1B, 0x23, 0x8D,
+        0x54, 0xDB, 0x2E, 0x62, 0x8D, 0x81, 0x08, 0x2D, 0xF4, 0x24,
+        0x72, 0x27, 0x6C, 0xF9, 0xC9, 0x8E, 0xDB, 0x4C, 0x75, 0xBA,
+        0x9B, 0x01, 0xF8, 0x3F, 0x18, 0xF4, 0xE6, 0x7F, 0xFB, 0x57,
+        0x94, 0x92, 0xCC, 0x88, 0xC4, 0xB4, 0x00, 0xC2, 0xAA, 0xD4,
+        0xE5, 0x88, 0x18, 0xB3, 0x11, 0x2F, 0x73, 0xC0, 0xD6, 0x29,
+        0x09, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x4A,
+        0x30, 0x82, 0x01, 0x46, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D,
+        0x0E, 0x04, 0x16, 0x04, 0x14, 0xD3, 0x22, 0x8F, 0x28, 0x2C,
+        0xE0, 0x05, 0xEE, 0xD3, 0xED, 0xC3, 0x71, 0x3D, 0xC9, 0xB2,
+        0x36, 0x3A, 0x1D, 0xBF, 0xA8, 0x30, 0x81, 0xD9, 0x06, 0x03,
+        0x55, 0x1D, 0x23, 0x04, 0x81, 0xD1, 0x30, 0x81, 0xCE, 0x80,
+        0x14, 0xD3, 0x22, 0x8F, 0x28, 0x2C, 0xE0, 0x05, 0xEE, 0xD3,
+        0xED, 0xC3, 0x71, 0x3D, 0xC9, 0xB2, 0x36, 0x3A, 0x1D, 0xBF,
+        0xA8, 0xA1, 0x81, 0x9F, 0xA4, 0x81, 0x9C, 0x30, 0x81, 0x99,
         0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
         0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55,
         0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E,
@@ -452,70 +495,31 @@ static const unsigned char ca_cert_der_1024[] =
         0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
         0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66,
         0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E,
-        0x63, 0x6F, 0x6D, 0x30, 0x81, 0x9F, 0x30, 0x0D, 0x06, 0x09,
-        0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05,
-        0x00, 0x03, 0x81, 0x8D, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81,
-        0x81, 0x00, 0xCD, 0xAC, 0xDD, 0x47, 0xEC, 0xBE, 0xB7, 0x24,
-        0xC3, 0x63, 0x1B, 0x54, 0x98, 0x79, 0xE1, 0xC7, 0x31, 0x16,
-        0x59, 0xD6, 0x9D, 0x77, 0x9D, 0x8D, 0xE2, 0x8B, 0xED, 0x04,
-        0x17, 0xB2, 0xC6, 0xEB, 0xE4, 0x9B, 0x91, 0xBE, 0x31, 0x50,
-        0x62, 0x97, 0x58, 0xB5, 0x7F, 0x29, 0xDE, 0xB3, 0x71, 0x24,
-        0x0B, 0xBF, 0x97, 0x09, 0x7F, 0x26, 0xDC, 0x2D, 0xEC, 0xA8,
-        0x2E, 0xB2, 0x64, 0x2B, 0x7A, 0x2B, 0x35, 0x19, 0x2D, 0xA2,
-        0x80, 0xCB, 0x99, 0xFD, 0x94, 0x71, 0x1B, 0x23, 0x8D, 0x54,
-        0xDB, 0x2E, 0x62, 0x8D, 0x81, 0x08, 0x2D, 0xF4, 0x24, 0x72,
-        0x27, 0x6C, 0xF9, 0xC9, 0x8E, 0xDB, 0x4C, 0x75, 0xBA, 0x9B,
-        0x01, 0xF8, 0x3F, 0x18, 0xF4, 0xE6, 0x7F, 0xFB, 0x57, 0x94,
-        0x92, 0xCC, 0x88, 0xC4, 0xB4, 0x00, 0xC2, 0xAA, 0xD4, 0xE5,
-        0x88, 0x18, 0xB3, 0x11, 0x2F, 0x73, 0xC0, 0xD6, 0x29, 0x09,
-        0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x3F, 0x30,
-        0x82, 0x01, 0x3B, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E,
-        0x04, 0x16, 0x04, 0x14, 0xD3, 0x22, 0x8F, 0x28, 0x2C, 0xE0,
-        0x05, 0xEE, 0xD3, 0xED, 0xC3, 0x71, 0x3D, 0xC9, 0xB2, 0x36,
-        0x3A, 0x1D, 0xBF, 0xA8, 0x30, 0x81, 0xCE, 0x06, 0x03, 0x55,
-        0x1D, 0x23, 0x04, 0x81, 0xC6, 0x30, 0x81, 0xC3, 0x80, 0x14,
-        0xD3, 0x22, 0x8F, 0x28, 0x2C, 0xE0, 0x05, 0xEE, 0xD3, 0xED,
-        0xC3, 0x71, 0x3D, 0xC9, 0xB2, 0x36, 0x3A, 0x1D, 0xBF, 0xA8,
-        0xA1, 0x81, 0x9F, 0xA4, 0x81, 0x9C, 0x30, 0x81, 0x99, 0x31,
-        0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-        0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04,
-        0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61,
-        0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C,
-        0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11,
-        0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x08, 0x53,
-        0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68, 0x31, 0x18, 0x30,
-        0x16, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0F, 0x43, 0x6F,
-        0x6E, 0x73, 0x75, 0x6C, 0x74, 0x69, 0x6E, 0x67, 0x5F, 0x31,
-        0x30, 0x32, 0x34, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55,
-        0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F,
-        0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31,
-        0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
-        0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F,
-        0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63,
-        0x6F, 0x6D, 0x82, 0x09, 0x00, 0x97, 0x1D, 0x33, 0x11, 0xE8,
-        0x40, 0x6E, 0x95, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13,
-        0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x1C, 0x06,
-        0x03, 0x55, 0x1D, 0x11, 0x04, 0x15, 0x30, 0x13, 0x82, 0x0B,
-        0x65, 0x78, 0x61, 0x6D, 0x70, 0x6C, 0x65, 0x2E, 0x63, 0x6F,
-        0x6D, 0x87, 0x04, 0x7F, 0x00, 0x00, 0x01, 0x30, 0x1D, 0x06,
-        0x03, 0x55, 0x1D, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08,
-        0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08,
-        0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0D,
-        0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01,
-        0x0B, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x4E, 0xB1, 0x39,
-        0x6A, 0x23, 0xA3, 0x65, 0x17, 0x14, 0xB6, 0x52, 0x2E, 0x86,
-        0x46, 0xD5, 0x4F, 0x7C, 0xD5, 0x6C, 0xBB, 0xFA, 0x66, 0xB1,
-        0x71, 0x54, 0xA1, 0xAD, 0x0E, 0xA2, 0xB7, 0xBA, 0x59, 0x65,
-        0x8B, 0xD5, 0x87, 0x5D, 0x51, 0xD0, 0x65, 0xDE, 0x74, 0x04,
-        0x80, 0x7C, 0xDA, 0x3A, 0x52, 0x57, 0x7A, 0x1D, 0x5D, 0x46,
-        0x7A, 0x06, 0x79, 0x75, 0xE5, 0x31, 0xDD, 0x1D, 0xF6, 0x54,
-        0x77, 0xFC, 0x40, 0x13, 0xA1, 0x5B, 0xFD, 0x9E, 0x7D, 0x1C,
-        0xFD, 0x04, 0x4F, 0x7C, 0xEE, 0x92, 0xA2, 0x80, 0x55, 0x3C,
-        0x3F, 0x2A, 0x1C, 0xBD, 0x3A, 0x37, 0x12, 0x0E, 0xFD, 0x52,
-        0x60, 0x66, 0x19, 0xD5, 0x4B, 0xF6, 0x35, 0x50, 0xA3, 0x59,
-        0xD3, 0x7F, 0x6D, 0x95, 0xD7, 0x56, 0x10, 0xC6, 0x86, 0x28,
-        0xF4, 0x6E, 0x6D, 0xDA, 0x4E, 0x1C, 0xB4, 0xE9, 0x0B, 0x4C,
-        0xED, 0x62, 0x0F, 0x64, 0x06
+        0x63, 0x6F, 0x6D, 0x82, 0x14, 0x28, 0x91, 0x57, 0x80, 0x6F,
+        0x78, 0x1E, 0x99, 0x86, 0x3B, 0xFD, 0x1B, 0x95, 0xFC, 0x06,
+        0xE2, 0x1D, 0x62, 0xB2, 0x14, 0x30, 0x0C, 0x06, 0x03, 0x55,
+        0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30,
+        0x1C, 0x06, 0x03, 0x55, 0x1D, 0x11, 0x04, 0x15, 0x30, 0x13,
+        0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D, 0x70, 0x6C, 0x65, 0x2E,
+        0x63, 0x6F, 0x6D, 0x87, 0x04, 0x7F, 0x00, 0x00, 0x01, 0x30,
+        0x1D, 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04, 0x16, 0x30, 0x14,
+        0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
+        0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02,
+        0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+        0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x0E,
+        0x9F, 0xA6, 0xC0, 0x6F, 0xCF, 0xA4, 0x5F, 0xEC, 0x4A, 0x18,
+        0x4D, 0x67, 0x1A, 0x8E, 0x37, 0xCC, 0x9D, 0x97, 0xDC, 0x31,
+        0x9C, 0xD8, 0xC5, 0x08, 0x70, 0xFC, 0x55, 0x67, 0x24, 0x3F,
+        0xEF, 0x47, 0x80, 0x03, 0x54, 0x5E, 0x6C, 0x91, 0xFA, 0xBA,
+        0x71, 0x1F, 0x12, 0x91, 0x8F, 0xF9, 0x51, 0xDF, 0x51, 0xCD,
+        0xFF, 0x59, 0xBC, 0xED, 0xB7, 0xAC, 0xE3, 0x7C, 0x53, 0x48,
+        0x73, 0xCD, 0x85, 0x88, 0xF2, 0x23, 0xAA, 0xA9, 0x6C, 0x09,
+        0x30, 0x6A, 0x7B, 0xA2, 0x66, 0x2E, 0x1A, 0xAD, 0x12, 0x5E,
+        0xA8, 0xEF, 0x1E, 0xA9, 0x3F, 0xF0, 0xF9, 0x44, 0x64, 0x24,
+        0x1E, 0x0E, 0x80, 0x92, 0x20, 0x37, 0xF9, 0xE2, 0x4F, 0xD6,
+        0x65, 0xE3, 0xBA, 0xB3, 0x55, 0x99, 0xAD, 0x0E, 0xCA, 0x7A,
+        0x4C, 0x3D, 0x42, 0xF6, 0x7F, 0xC7, 0x23, 0x6A, 0x15, 0xAE,
+        0xB2, 0x88, 0x6E, 0x45, 0xA0, 0xA8, 0x8E
 };
 static const int sizeof_ca_cert_der_1024 = sizeof(ca_cert_der_1024);
 
@@ -589,7 +593,7 @@ static const int sizeof_server_key_der_1024 = sizeof(server_key_der_1024);
 /* ./certs/1024/server-cert.der, 1024-bit */
 static const unsigned char server_cert_der_1024[] =
 {
-        0x30, 0x82, 0x03, 0xE7, 0x30, 0x82, 0x03, 0x50, 0xA0, 0x03,
+        0x30, 0x82, 0x03, 0xF2, 0x30, 0x82, 0x03, 0x5B, 0xA0, 0x03,
         0x02, 0x01, 0x02, 0x02, 0x01, 0x01, 0x30, 0x0D, 0x06, 0x09,
         0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05,
         0x00, 0x30, 0x81, 0x99, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03,
@@ -608,9 +612,9 @@ static const unsigned char server_cert_der_1024[] =
         0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16,
         0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66,
         0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x1E, 0x17,
-        0x0D, 0x32, 0x31, 0x30, 0x32, 0x31, 0x30, 0x31, 0x39, 0x34,
-        0x39, 0x35, 0x33, 0x5A, 0x17, 0x0D, 0x32, 0x33, 0x31, 0x31,
-        0x30, 0x37, 0x31, 0x39, 0x34, 0x39, 0x35, 0x33, 0x5A, 0x30,
+        0x0D, 0x32, 0x31, 0x31, 0x32, 0x32, 0x30, 0x32, 0x33, 0x30,
+        0x37, 0x32, 0x35, 0x5A, 0x17, 0x0D, 0x32, 0x34, 0x30, 0x39,
+        0x31, 0x35, 0x32, 0x33, 0x30, 0x37, 0x32, 0x35, 0x5A, 0x30,
         0x81, 0x95, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
         0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06,
         0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74,
@@ -642,12 +646,12 @@ static const unsigned char server_cert_der_1024[] =
         0xAD, 0xFD, 0x5C, 0x86, 0x73, 0xAA, 0x6B, 0x47, 0xD8, 0x8B,
         0x2E, 0x58, 0x4B, 0x69, 0x12, 0x82, 0x26, 0x55, 0xE6, 0x14,
         0xBF, 0x55, 0x70, 0x88, 0xFE, 0xF9, 0x75, 0xE1, 0x02, 0x03,
-        0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x3F, 0x30, 0x82, 0x01,
-        0x3B, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16,
+        0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x4A, 0x30, 0x82, 0x01,
+        0x46, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16,
         0x04, 0x14, 0xD9, 0x3C, 0x35, 0xEA, 0x74, 0x0E, 0x23, 0xBE,
         0x9C, 0xFC, 0xFA, 0x29, 0x90, 0x09, 0xC1, 0xE7, 0x84, 0x16,
-        0x9F, 0x7C, 0x30, 0x81, 0xCE, 0x06, 0x03, 0x55, 0x1D, 0x23,
-        0x04, 0x81, 0xC6, 0x30, 0x81, 0xC3, 0x80, 0x14, 0xD3, 0x22,
+        0x9F, 0x7C, 0x30, 0x81, 0xD9, 0x06, 0x03, 0x55, 0x1D, 0x23,
+        0x04, 0x81, 0xD1, 0x30, 0x81, 0xCE, 0x80, 0x14, 0xD3, 0x22,
         0x8F, 0x28, 0x2C, 0xE0, 0x05, 0xEE, 0xD3, 0xED, 0xC3, 0x71,
         0x3D, 0xC9, 0xB2, 0x36, 0x3A, 0x1D, 0xBF, 0xA8, 0xA1, 0x81,
         0x9F, 0xA4, 0x81, 0x9C, 0x30, 0x81, 0x99, 0x31, 0x0B, 0x30,
@@ -666,30 +670,31 @@ static const unsigned char server_cert_der_1024[] =
         0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
         0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77,
         0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
-        0x82, 0x09, 0x00, 0x97, 0x1D, 0x33, 0x11, 0xE8, 0x40, 0x6E,
-        0x95, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05,
-        0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03, 0x55,
-        0x1D, 0x11, 0x04, 0x15, 0x30, 0x13, 0x82, 0x0B, 0x65, 0x78,
-        0x61, 0x6D, 0x70, 0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D, 0x87,
-        0x04, 0x7F, 0x00, 0x00, 0x01, 0x30, 0x1D, 0x06, 0x03, 0x55,
-        0x1D, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2B, 0x06,
-        0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2B, 0x06,
-        0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0D, 0x06, 0x09,
-        0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05,
-        0x00, 0x03, 0x81, 0x81, 0x00, 0x27, 0x0A, 0x4E, 0x08, 0x8C,
-        0xBA, 0x73, 0xD0, 0x05, 0xF2, 0xEA, 0xF9, 0x51, 0x8C, 0x7E,
-        0x29, 0x14, 0x23, 0x8E, 0x9E, 0x9A, 0xFC, 0x46, 0x6F, 0x10,
-        0x68, 0x59, 0xD9, 0xA0, 0xEA, 0x53, 0x19, 0xBD, 0x28, 0x89,
-        0xE1, 0x97, 0x1E, 0x4C, 0xB8, 0x1E, 0xBE, 0x0F, 0x4D, 0x9D,
-        0x1D, 0x76, 0x57, 0x17, 0x31, 0x95, 0xC2, 0x80, 0xBE, 0x04,
-        0xD0, 0xC2, 0xE9, 0x5C, 0xE0, 0xF4, 0x81, 0x3F, 0xC4, 0xB0,
-        0xC5, 0x86, 0xAE, 0x58, 0x68, 0xB9, 0xAE, 0x0F, 0x88, 0xE8,
-        0x63, 0x6F, 0xB9, 0x08, 0xF1, 0x1B, 0x56, 0x90, 0xFB, 0x1F,
-        0x2E, 0xCC, 0xE5, 0x69, 0x1F, 0x7C, 0x02, 0x4F, 0xED, 0xB0,
-        0x45, 0x7C, 0x2D, 0xA8, 0x59, 0x11, 0xA5, 0x95, 0x51, 0xC7,
-        0x50, 0xD8, 0x89, 0xC2, 0x90, 0x63, 0x68, 0xA8, 0x41, 0x6F,
-        0xD0, 0x37, 0x26, 0x6F, 0xC8, 0x0E, 0xB5, 0xA0, 0x15, 0x9D,
-        0xA5, 0xE6, 0xD2
+        0x82, 0x14, 0x28, 0x91, 0x57, 0x80, 0x6F, 0x78, 0x1E, 0x99,
+        0x86, 0x3B, 0xFD, 0x1B, 0x95, 0xFC, 0x06, 0xE2, 0x1D, 0x62,
+        0xB2, 0x14, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04,
+        0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03,
+        0x55, 0x1D, 0x11, 0x04, 0x15, 0x30, 0x13, 0x82, 0x0B, 0x65,
+        0x78, 0x61, 0x6D, 0x70, 0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D,
+        0x87, 0x04, 0x7F, 0x00, 0x00, 0x01, 0x30, 0x1D, 0x06, 0x03,
+        0x55, 0x1D, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2B,
+        0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2B,
+        0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0D, 0x06,
+        0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B,
+        0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x22, 0x80, 0xE9, 0x9F,
+        0x1C, 0x36, 0xD8, 0x96, 0xD9, 0x8F, 0x2C, 0x7B, 0xAF, 0x6E,
+        0xCC, 0xF8, 0xB5, 0xB4, 0x59, 0xAC, 0x05, 0x45, 0xB9, 0x01,
+        0x00, 0xB9, 0x82, 0x23, 0x82, 0x7A, 0xA5, 0x30, 0x3C, 0x55,
+        0x09, 0x01, 0xE1, 0x14, 0xA0, 0xFC, 0x88, 0x2E, 0x47, 0xC8,
+        0x5E, 0xE5, 0x75, 0xD2, 0x89, 0x43, 0xFA, 0x13, 0x1E, 0xEA,
+        0x6F, 0x50, 0x3E, 0x1B, 0x60, 0xFE, 0xBC, 0xDF, 0x9B, 0xE3,
+        0x38, 0x0D, 0xDD, 0xCF, 0x17, 0x1A, 0xD6, 0x07, 0x1A, 0x41,
+        0xA4, 0xC4, 0xAC, 0x3B, 0x10, 0xAC, 0x55, 0x61, 0xAF, 0xFE,
+        0xC7, 0x53, 0xCF, 0x29, 0xC6, 0x5B, 0x7A, 0xC9, 0x65, 0xDA,
+        0xC3, 0x94, 0x02, 0x7C, 0xAA, 0x5E, 0x16, 0xA3, 0x64, 0xCE,
+        0x68, 0x5E, 0x74, 0x91, 0xC5, 0x8B, 0x60, 0xB5, 0xBF, 0x9D,
+        0x63, 0x0B, 0x11, 0xD5, 0x40, 0x74, 0x7D, 0x64, 0x12, 0x98,
+        0x3B, 0x10, 0x31, 0xFD
 };
 static const int sizeof_server_cert_der_1024 = sizeof(server_cert_der_1024);
 
@@ -862,10 +867,84 @@ static const int sizeof_client_keypub_der_2048 = sizeof(client_keypub_der_2048);
 /* ./certs/client-cert.der, 2048-bit */
 static const unsigned char client_cert_der_2048[] =
 {
-        0x30, 0x82, 0x05, 0x07, 0x30, 0x82, 0x03, 0xEF, 0xA0, 0x03,
-        0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xF1, 0x5C, 0x99, 0x43,
-        0x66, 0x3D, 0x96, 0x04, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
-        0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30,
+        0x30, 0x82, 0x05, 0x1D, 0x30, 0x82, 0x04, 0x05, 0xA0, 0x03,
+        0x02, 0x01, 0x02, 0x02, 0x14, 0x53, 0x16, 0x7C, 0xA0, 0x56,
+        0x50, 0x46, 0x27, 0x82, 0xED, 0x60, 0xB4, 0xDA, 0x33, 0xD8,
+        0x6A, 0xC0, 0xEA, 0xDC, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x2A,
+        0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00,
+        0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55,
+        0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E,
+        0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E,
+        0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03,
+        0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D,
+        0x61, 0x6E, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04,
+        0x0A, 0x0C, 0x0C, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C,
+        0x5F, 0x32, 0x30, 0x34, 0x38, 0x31, 0x19, 0x30, 0x17, 0x06,
+        0x03, 0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50, 0x72, 0x6F, 0x67,
+        0x72, 0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D, 0x32, 0x30,
+        0x34, 0x38, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04,
+        0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C,
+        0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F,
+        0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+        0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40,
+        0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
+        0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x31, 0x32, 0x32,
+        0x30, 0x32, 0x33, 0x30, 0x37, 0x32, 0x34, 0x5A, 0x17, 0x0D,
+        0x32, 0x34, 0x30, 0x39, 0x31, 0x35, 0x32, 0x33, 0x30, 0x37,
+        0x32, 0x34, 0x5A, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09,
+        0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
+        0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07,
+        0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30,
+        0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F,
+        0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x15, 0x30, 0x13, 0x06,
+        0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0C, 0x77, 0x6F, 0x6C, 0x66,
+        0x53, 0x53, 0x4C, 0x5F, 0x32, 0x30, 0x34, 0x38, 0x31, 0x19,
+        0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50,
+        0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67,
+        0x2D, 0x32, 0x30, 0x34, 0x38, 0x31, 0x18, 0x30, 0x16, 0x06,
+        0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E,
+        0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
+        0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48,
+        0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E,
+        0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C,
+        0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0D,
+        0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01,
+        0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82,
+        0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0xC3, 0x03, 0xD1,
+        0x2B, 0xFE, 0x39, 0xA4, 0x32, 0x45, 0x3B, 0x53, 0xC8, 0x84,
+        0x2B, 0x2A, 0x7C, 0x74, 0x9A, 0xBD, 0xAA, 0x2A, 0x52, 0x07,
+        0x47, 0xD6, 0xA6, 0x36, 0xB2, 0x07, 0x32, 0x8E, 0xD0, 0xBA,
+        0x69, 0x7B, 0xC6, 0xC3, 0x44, 0x9E, 0xD4, 0x81, 0x48, 0xFD,
+        0x2D, 0x68, 0xA2, 0x8B, 0x67, 0xBB, 0xA1, 0x75, 0xC8, 0x36,
+        0x2C, 0x4A, 0xD2, 0x1B, 0xF7, 0x8B, 0xBA, 0xCF, 0x0D, 0xF9,
+        0xEF, 0xEC, 0xF1, 0x81, 0x1E, 0x7B, 0x9B, 0x03, 0x47, 0x9A,
+        0xBF, 0x65, 0xCC, 0x7F, 0x65, 0x24, 0x69, 0xA6, 0xE8, 0x14,
+        0x89, 0x5B, 0xE4, 0x34, 0xF7, 0xC5, 0xB0, 0x14, 0x93, 0xF5,
+        0x67, 0x7B, 0x3A, 0x7A, 0x78, 0xE1, 0x01, 0x56, 0x56, 0x91,
+        0xA6, 0x13, 0x42, 0x8D, 0xD2, 0x3C, 0x40, 0x9C, 0x4C, 0xEF,
+        0xD1, 0x86, 0xDF, 0x37, 0x51, 0x1B, 0x0C, 0xA1, 0x3B, 0xF5,
+        0xF1, 0xA3, 0x4A, 0x35, 0xE4, 0xE1, 0xCE, 0x96, 0xDF, 0x1B,
+        0x7E, 0xBF, 0x4E, 0x97, 0xD0, 0x10, 0xE8, 0xA8, 0x08, 0x30,
+        0x81, 0xAF, 0x20, 0x0B, 0x43, 0x14, 0xC5, 0x74, 0x67, 0xB4,
+        0x32, 0x82, 0x6F, 0x8D, 0x86, 0xC2, 0x88, 0x40, 0x99, 0x36,
+        0x83, 0xBA, 0x1E, 0x40, 0x72, 0x22, 0x17, 0xD7, 0x52, 0x65,
+        0x24, 0x73, 0xB0, 0xCE, 0xEF, 0x19, 0xCD, 0xAE, 0xFF, 0x78,
+        0x6C, 0x7B, 0xC0, 0x12, 0x03, 0xD4, 0x4E, 0x72, 0x0D, 0x50,
+        0x6D, 0x3B, 0xA3, 0x3B, 0xA3, 0x99, 0x5E, 0x9D, 0xC8, 0xD9,
+        0x0C, 0x85, 0xB3, 0xD9, 0x8A, 0xD9, 0x54, 0x26, 0xDB, 0x6D,
+        0xFA, 0xAC, 0xBB, 0xFF, 0x25, 0x4C, 0xC4, 0xD1, 0x79, 0xF4,
+        0x71, 0xD3, 0x86, 0x40, 0x18, 0x13, 0xB0, 0x63, 0xB5, 0x72,
+        0x4E, 0x30, 0xC4, 0x97, 0x84, 0x86, 0x2D, 0x56, 0x2F, 0xD7,
+        0x15, 0xF7, 0x7F, 0xC0, 0xAE, 0xF5, 0xFC, 0x5B, 0xE5, 0xFB,
+        0xA1, 0xBA, 0xD3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82,
+        0x01, 0x4F, 0x30, 0x82, 0x01, 0x4B, 0x30, 0x1D, 0x06, 0x03,
+        0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x33, 0xD8, 0x45,
+        0x66, 0xD7, 0x68, 0x87, 0x18, 0x7E, 0x54, 0x0D, 0x70, 0x27,
+        0x91, 0xC7, 0x26, 0xD7, 0x85, 0x65, 0xC0, 0x30, 0x81, 0xDE,
+        0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x81, 0xD6, 0x30, 0x81,
+        0xD3, 0x80, 0x14, 0x33, 0xD8, 0x45, 0x66, 0xD7, 0x68, 0x87,
+        0x18, 0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, 0x26, 0xD7,
+        0x85, 0x65, 0xC0, 0xA1, 0x81, 0xA4, 0xA4, 0x81, 0xA1, 0x30,
         0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
         0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06,
         0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74,
@@ -882,116 +961,44 @@ static const unsigned char client_cert_der_2048[] =
         0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
         0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77,
         0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
-        0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x30, 0x32, 0x31, 0x30,
-        0x31, 0x39, 0x34, 0x39, 0x35, 0x32, 0x5A, 0x17, 0x0D, 0x32,
-        0x33, 0x31, 0x31, 0x30, 0x37, 0x31, 0x39, 0x34, 0x39, 0x35,
-        0x32, 0x5A, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06,
-        0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10,
-        0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D,
-        0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E,
-        0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A,
-        0x65, 0x6D, 0x61, 0x6E, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03,
-        0x55, 0x04, 0x0A, 0x0C, 0x0C, 0x77, 0x6F, 0x6C, 0x66, 0x53,
-        0x53, 0x4C, 0x5F, 0x32, 0x30, 0x34, 0x38, 0x31, 0x19, 0x30,
-        0x17, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50, 0x72,
-        0x6F, 0x67, 0x72, 0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D,
-        0x32, 0x30, 0x34, 0x38, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03,
-        0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77,
-        0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
-        0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
-        0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66,
-        0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E,
-        0x63, 0x6F, 0x6D, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06,
-        0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01,
-        0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82, 0x01,
-        0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0xC3, 0x03, 0xD1, 0x2B,
-        0xFE, 0x39, 0xA4, 0x32, 0x45, 0x3B, 0x53, 0xC8, 0x84, 0x2B,
-        0x2A, 0x7C, 0x74, 0x9A, 0xBD, 0xAA, 0x2A, 0x52, 0x07, 0x47,
-        0xD6, 0xA6, 0x36, 0xB2, 0x07, 0x32, 0x8E, 0xD0, 0xBA, 0x69,
-        0x7B, 0xC6, 0xC3, 0x44, 0x9E, 0xD4, 0x81, 0x48, 0xFD, 0x2D,
-        0x68, 0xA2, 0x8B, 0x67, 0xBB, 0xA1, 0x75, 0xC8, 0x36, 0x2C,
-        0x4A, 0xD2, 0x1B, 0xF7, 0x8B, 0xBA, 0xCF, 0x0D, 0xF9, 0xEF,
-        0xEC, 0xF1, 0x81, 0x1E, 0x7B, 0x9B, 0x03, 0x47, 0x9A, 0xBF,
-        0x65, 0xCC, 0x7F, 0x65, 0x24, 0x69, 0xA6, 0xE8, 0x14, 0x89,
-        0x5B, 0xE4, 0x34, 0xF7, 0xC5, 0xB0, 0x14, 0x93, 0xF5, 0x67,
-        0x7B, 0x3A, 0x7A, 0x78, 0xE1, 0x01, 0x56, 0x56, 0x91, 0xA6,
-        0x13, 0x42, 0x8D, 0xD2, 0x3C, 0x40, 0x9C, 0x4C, 0xEF, 0xD1,
-        0x86, 0xDF, 0x37, 0x51, 0x1B, 0x0C, 0xA1, 0x3B, 0xF5, 0xF1,
-        0xA3, 0x4A, 0x35, 0xE4, 0xE1, 0xCE, 0x96, 0xDF, 0x1B, 0x7E,
-        0xBF, 0x4E, 0x97, 0xD0, 0x10, 0xE8, 0xA8, 0x08, 0x30, 0x81,
-        0xAF, 0x20, 0x0B, 0x43, 0x14, 0xC5, 0x74, 0x67, 0xB4, 0x32,
-        0x82, 0x6F, 0x8D, 0x86, 0xC2, 0x88, 0x40, 0x99, 0x36, 0x83,
-        0xBA, 0x1E, 0x40, 0x72, 0x22, 0x17, 0xD7, 0x52, 0x65, 0x24,
-        0x73, 0xB0, 0xCE, 0xEF, 0x19, 0xCD, 0xAE, 0xFF, 0x78, 0x6C,
-        0x7B, 0xC0, 0x12, 0x03, 0xD4, 0x4E, 0x72, 0x0D, 0x50, 0x6D,
-        0x3B, 0xA3, 0x3B, 0xA3, 0x99, 0x5E, 0x9D, 0xC8, 0xD9, 0x0C,
-        0x85, 0xB3, 0xD9, 0x8A, 0xD9, 0x54, 0x26, 0xDB, 0x6D, 0xFA,
-        0xAC, 0xBB, 0xFF, 0x25, 0x4C, 0xC4, 0xD1, 0x79, 0xF4, 0x71,
-        0xD3, 0x86, 0x40, 0x18, 0x13, 0xB0, 0x63, 0xB5, 0x72, 0x4E,
-        0x30, 0xC4, 0x97, 0x84, 0x86, 0x2D, 0x56, 0x2F, 0xD7, 0x15,
-        0xF7, 0x7F, 0xC0, 0xAE, 0xF5, 0xFC, 0x5B, 0xE5, 0xFB, 0xA1,
-        0xBA, 0xD3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01,
-        0x44, 0x30, 0x82, 0x01, 0x40, 0x30, 0x1D, 0x06, 0x03, 0x55,
-        0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x33, 0xD8, 0x45, 0x66,
-        0xD7, 0x68, 0x87, 0x18, 0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91,
-        0xC7, 0x26, 0xD7, 0x85, 0x65, 0xC0, 0x30, 0x81, 0xD3, 0x06,
-        0x03, 0x55, 0x1D, 0x23, 0x04, 0x81, 0xCB, 0x30, 0x81, 0xC8,
-        0x80, 0x14, 0x33, 0xD8, 0x45, 0x66, 0xD7, 0x68, 0x87, 0x18,
-        0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, 0x26, 0xD7, 0x85,
-        0x65, 0xC0, 0xA1, 0x81, 0xA4, 0xA4, 0x81, 0xA1, 0x30, 0x81,
-        0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
-        0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03,
-        0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61,
-        0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04,
-        0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E,
-        0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C,
-        0x0C, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x5F, 0x32,
-        0x30, 0x34, 0x38, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,
-        0x04, 0x0B, 0x0C, 0x10, 0x50, 0x72, 0x6F, 0x67, 0x72, 0x61,
-        0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D, 0x32, 0x30, 0x34, 0x38,
-        0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C,
-        0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73,
-        0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D,
-        0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09,
-        0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F,
-        0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82,
-        0x09, 0x00, 0xF1, 0x5C, 0x99, 0x43, 0x66, 0x3D, 0x96, 0x04,
-        0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30,
-        0x03, 0x01, 0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x1D,
-        0x11, 0x04, 0x15, 0x30, 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61,
-        0x6D, 0x70, 0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D, 0x87, 0x04,
-        0x7F, 0x00, 0x00, 0x01, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D,
-        0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2B, 0x06, 0x01,
-        0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2B, 0x06, 0x01,
-        0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0D, 0x06, 0x09, 0x2A,
-        0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00,
-        0x03, 0x82, 0x01, 0x01, 0x00, 0xBA, 0x2B, 0x48, 0xD1, 0xA8,
-        0xE3, 0xC2, 0x84, 0x42, 0x96, 0xA1, 0x7C, 0xE5, 0xF1, 0x46,
-        0xBA, 0x4C, 0xF7, 0x87, 0x57, 0xC7, 0x78, 0xC8, 0xC1, 0x32,
-        0xC4, 0x69, 0xFF, 0x85, 0xBB, 0x5D, 0x6A, 0xDD, 0xC9, 0x87,
-        0x7E, 0xFE, 0xBB, 0xF4, 0xFD, 0x15, 0x0A, 0x4C, 0x94, 0x95,
-        0x80, 0x30, 0x90, 0x45, 0x03, 0xF8, 0x33, 0x87, 0xCA, 0x5F,
-        0x74, 0x38, 0xA4, 0xD0, 0x5A, 0xC7, 0x65, 0x38, 0xC3, 0xB0,
-        0xE8, 0x87, 0xB1, 0x49, 0x32, 0xB9, 0xAC, 0xE9, 0xFB, 0xD3,
-        0x08, 0x1D, 0xA4, 0x51, 0x7B, 0xD7, 0xD9, 0x4B, 0x79, 0x35,
-        0xA2, 0x3A, 0x0B, 0xE4, 0x0C, 0xA0, 0x02, 0x9C, 0xA1, 0x68,
-        0xE1, 0x5D, 0x6C, 0x8E, 0x2E, 0x3A, 0x24, 0xDE, 0xBB, 0xD6,
-        0x1C, 0xA7, 0xAC, 0x2E, 0xCD, 0x57, 0x44, 0x48, 0xF6, 0x72,
-        0xE0, 0xC7, 0x5B, 0x93, 0xDC, 0x7D, 0x5B, 0x64, 0x0E, 0x17,
-        0x84, 0x68, 0x2C, 0x95, 0x1D, 0x2C, 0x86, 0xD6, 0xB0, 0x74,
-        0x67, 0x51, 0x6E, 0x7B, 0xF4, 0xD5, 0x61, 0x38, 0x51, 0xB3,
-        0x18, 0xE3, 0x10, 0x16, 0x73, 0x4B, 0x36, 0x8A, 0x8A, 0x62,
-        0x05, 0xF5, 0x56, 0x8A, 0xBE, 0x21, 0xE1, 0x78, 0x7D, 0xBF,
-        0xAD, 0x45, 0xF9, 0x0B, 0xF5, 0xAF, 0xA0, 0x62, 0x01, 0xFD,
-        0x3F, 0x49, 0xDF, 0x39, 0x3C, 0xFF, 0x46, 0xE8, 0x0A, 0xFE,
-        0x5C, 0x6B, 0xBB, 0x41, 0xA5, 0x64, 0xF1, 0x5C, 0x9B, 0x51,
-        0x4C, 0xBC, 0x6D, 0x9F, 0xA3, 0x20, 0xED, 0xE9, 0x48, 0xE1,
-        0xA9, 0xBE, 0x08, 0x2D, 0x85, 0x42, 0x59, 0xD6, 0x43, 0x7D,
-        0x47, 0x22, 0xA5, 0xFA, 0x1F, 0xA2, 0x58, 0x76, 0x0B, 0x70,
-        0x1C, 0x1D, 0x59, 0x1D, 0xAA, 0xBE, 0x5D, 0x2D, 0x25, 0x7C,
-        0xB1, 0x06, 0xB6, 0xC0, 0xAA, 0x28, 0xAA, 0x93, 0x7C, 0xD0,
-        0xBD, 0x43, 0xAD, 0x91, 0x50, 0x1C, 0x7B, 0x4D, 0xF3, 0xE4,
-        0xD7
+        0x82, 0x14, 0x53, 0x16, 0x7C, 0xA0, 0x56, 0x50, 0x46, 0x27,
+        0x82, 0xED, 0x60, 0xB4, 0xDA, 0x33, 0xD8, 0x6A, 0xC0, 0xEA,
+        0xDC, 0x31, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04,
+        0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03,
+        0x55, 0x1D, 0x11, 0x04, 0x15, 0x30, 0x13, 0x82, 0x0B, 0x65,
+        0x78, 0x61, 0x6D, 0x70, 0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D,
+        0x87, 0x04, 0x7F, 0x00, 0x00, 0x01, 0x30, 0x1D, 0x06, 0x03,
+        0x55, 0x1D, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2B,
+        0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2B,
+        0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0D, 0x06,
+        0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B,
+        0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0xB8, 0xE8, 0xE3,
+        0x2A, 0x48, 0x6C, 0x04, 0x8B, 0xF8, 0x81, 0x14, 0x1A, 0xCE,
+        0x14, 0xED, 0xC7, 0xF0, 0xD3, 0xCB, 0x9A, 0x91, 0xD9, 0x2C,
+        0x1D, 0x6E, 0x73, 0x36, 0x8F, 0xA3, 0x61, 0xC4, 0x1F, 0xDA,
+        0xD1, 0x4B, 0xB6, 0x40, 0xD0, 0x6A, 0xC4, 0x2B, 0x43, 0xC8,
+        0x2F, 0xFB, 0xEE, 0x5A, 0xC9, 0x41, 0x9D, 0x2B, 0x6F, 0xF3,
+        0x39, 0x67, 0x20, 0xEC, 0x7C, 0xD6, 0xA0, 0x7F, 0x06, 0x79,
+        0xCD, 0x52, 0x2C, 0xC9, 0x3C, 0x5B, 0xBF, 0xE5, 0x01, 0x47,
+        0x90, 0xF0, 0x82, 0x88, 0xF1, 0x3D, 0x45, 0x25, 0xF4, 0xD1,
+        0x4B, 0xEC, 0xAC, 0x3F, 0x1B, 0xCE, 0xA1, 0x0E, 0x61, 0xA0,
+        0x29, 0x41, 0xF6, 0x21, 0x0E, 0x9F, 0x73, 0xB3, 0x39, 0x34,
+        0xC4, 0x1E, 0x55, 0x5F, 0x9F, 0xE7, 0x42, 0xCA, 0xAB, 0x8F,
+        0x3C, 0x62, 0x86, 0x26, 0x94, 0xB5, 0xB7, 0x8B, 0x7C, 0x65,
+        0x4C, 0x3E, 0xB7, 0xAC, 0xF5, 0x51, 0x0D, 0xA5, 0x14, 0x0F,
+        0x6F, 0x2B, 0xFE, 0x62, 0x95, 0x26, 0x1E, 0x10, 0x52, 0xAE,
+        0x44, 0x58, 0x95, 0xDC, 0xB4, 0xC4, 0x76, 0x2F, 0x14, 0x28,
+        0x64, 0x45, 0xAA, 0x94, 0x61, 0xDA, 0x1A, 0xD0, 0xCF, 0xB3,
+        0x3A, 0x83, 0xC8, 0x66, 0xFB, 0xE8, 0x58, 0xDC, 0xD4, 0x91,
+        0x4A, 0x9A, 0xE7, 0xC8, 0xB6, 0xEA, 0xF9, 0x52, 0x19, 0xB2,
+        0x3D, 0x5F, 0x95, 0x29, 0xAC, 0x8B, 0xCF, 0x9B, 0x5C, 0xD6,
+        0xDD, 0xCD, 0x6B, 0xF2, 0x71, 0xFD, 0xB6, 0x4D, 0x18, 0x98,
+        0x08, 0x5B, 0x8A, 0xE7, 0x2B, 0xCB, 0xBD, 0x68, 0x97, 0x1C,
+        0x02, 0xAA, 0x41, 0x59, 0x0D, 0xF8, 0x0E, 0x50, 0xD7, 0x48,
+        0x6F, 0x81, 0xC4, 0x00, 0x70, 0x56, 0x67, 0x64, 0x1A, 0xB3,
+        0x56, 0xFC, 0x23, 0xF4, 0x84, 0x49, 0x36, 0xF7, 0x7F, 0x38,
+        0x94, 0x38, 0xDA, 0x40, 0x81, 0xC0, 0xB9, 0xB0, 0xAD, 0xEA,
+        0xCE, 0x38, 0xF2
 };
 static const int sizeof_client_cert_der_2048 = sizeof(client_cert_der_2048);
 
@@ -1526,10 +1533,82 @@ static const int sizeof_ca_key_der_2048 = sizeof(ca_key_der_2048);
 /* ./certs/ca-cert.der, 2048-bit */
 static const unsigned char ca_cert_der_2048[] =
 {
-        0x30, 0x82, 0x04, 0xE9, 0x30, 0x82, 0x03, 0xD1, 0xA0, 0x03,
-        0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xAA, 0xD3, 0x3F, 0xAC,
-        0x18, 0x0A, 0x37, 0x4D, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
-        0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30,
+        0x30, 0x82, 0x04, 0xFF, 0x30, 0x82, 0x03, 0xE7, 0xA0, 0x03,
+        0x02, 0x01, 0x02, 0x02, 0x14, 0x7D, 0x94, 0x70, 0x88, 0xBA,
+        0x07, 0x42, 0x8D, 0xAA, 0xAF, 0x4F, 0xBE, 0xC2, 0x1A, 0x48,
+        0xF0, 0xD1, 0x40, 0xE6, 0x42, 0x30, 0x0D, 0x06, 0x09, 0x2A,
+        0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00,
+        0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55,
+        0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E,
+        0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E,
+        0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03,
+        0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D,
+        0x61, 0x6E, 0x31, 0x11, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04,
+        0x0A, 0x0C, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74,
+        0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0B,
+        0x0C, 0x0A, 0x43, 0x6F, 0x6E, 0x73, 0x75, 0x6C, 0x74, 0x69,
+        0x6E, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04,
+        0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C,
+        0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F,
+        0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+        0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40,
+        0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
+        0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x31, 0x32, 0x32,
+        0x30, 0x32, 0x33, 0x30, 0x37, 0x32, 0x34, 0x5A, 0x17, 0x0D,
+        0x32, 0x34, 0x30, 0x39, 0x31, 0x35, 0x32, 0x33, 0x30, 0x37,
+        0x32, 0x34, 0x5A, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09,
+        0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
+        0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07,
+        0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30,
+        0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F,
+        0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11, 0x30, 0x0F, 0x06,
+        0x03, 0x55, 0x04, 0x0A, 0x0C, 0x08, 0x53, 0x61, 0x77, 0x74,
+        0x6F, 0x6F, 0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
+        0x55, 0x04, 0x0B, 0x0C, 0x0A, 0x43, 0x6F, 0x6E, 0x73, 0x75,
+        0x6C, 0x74, 0x69, 0x6E, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06,
+        0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E,
+        0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
+        0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48,
+        0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E,
+        0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C,
+        0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0D,
+        0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01,
+        0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82,
+        0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0xBF, 0x0C, 0xCA,
+        0x2D, 0x14, 0xB2, 0x1E, 0x84, 0x42, 0x5B, 0xCD, 0x38, 0x1F,
+        0x4A, 0xF2, 0x4D, 0x75, 0x10, 0xF1, 0xB6, 0x35, 0x9F, 0xDF,
+        0xCA, 0x7D, 0x03, 0x98, 0xD3, 0xAC, 0xDE, 0x03, 0x66, 0xEE,
+        0x2A, 0xF1, 0xD8, 0xB0, 0x7D, 0x6E, 0x07, 0x54, 0x0B, 0x10,
+        0x98, 0x21, 0x4D, 0x80, 0xCB, 0x12, 0x20, 0xE7, 0xCC, 0x4F,
+        0xDE, 0x45, 0x7D, 0xC9, 0x72, 0x77, 0x32, 0xEA, 0xCA, 0x90,
+        0xBB, 0x69, 0x52, 0x10, 0x03, 0x2F, 0xA8, 0xF3, 0x95, 0xC5,
+        0xF1, 0x8B, 0x62, 0x56, 0x1B, 0xEF, 0x67, 0x6F, 0xA4, 0x10,
+        0x41, 0x95, 0xAD, 0x0A, 0x9B, 0xE3, 0xA5, 0xC0, 0xB0, 0xD2,
+        0x70, 0x76, 0x50, 0x30, 0x5B, 0xA8, 0xE8, 0x08, 0x2C, 0x7C,
+        0xED, 0xA7, 0xA2, 0x7A, 0x8D, 0x38, 0x29, 0x1C, 0xAC, 0xC7,
+        0xED, 0xF2, 0x7C, 0x95, 0xB0, 0x95, 0x82, 0x7D, 0x49, 0x5C,
+        0x38, 0xCD, 0x77, 0x25, 0xEF, 0xBD, 0x80, 0x75, 0x53, 0x94,
+        0x3C, 0x3D, 0xCA, 0x63, 0x5B, 0x9F, 0x15, 0xB5, 0xD3, 0x1D,
+        0x13, 0x2F, 0x19, 0xD1, 0x3C, 0xDB, 0x76, 0x3A, 0xCC, 0xB8,
+        0x7D, 0xC9, 0xE5, 0xC2, 0xD7, 0xDA, 0x40, 0x6F, 0xD8, 0x21,
+        0xDC, 0x73, 0x1B, 0x42, 0x2D, 0x53, 0x9C, 0xFE, 0x1A, 0xFC,
+        0x7D, 0xAB, 0x7A, 0x36, 0x3F, 0x98, 0xDE, 0x84, 0x7C, 0x05,
+        0x67, 0xCE, 0x6A, 0x14, 0x38, 0x87, 0xA9, 0xF1, 0x8C, 0xB5,
+        0x68, 0xCB, 0x68, 0x7F, 0x71, 0x20, 0x2B, 0xF5, 0xA0, 0x63,
+        0xF5, 0x56, 0x2F, 0xA3, 0x26, 0xD2, 0xB7, 0x6F, 0xB1, 0x5A,
+        0x17, 0xD7, 0x38, 0x99, 0x08, 0xFE, 0x93, 0x58, 0x6F, 0xFE,
+        0xC3, 0x13, 0x49, 0x08, 0x16, 0x0B, 0xA7, 0x4D, 0x67, 0x00,
+        0x52, 0x31, 0x67, 0x23, 0x4E, 0x98, 0xED, 0x51, 0x45, 0x1D,
+        0xB9, 0x04, 0xD9, 0x0B, 0xEC, 0xD8, 0x28, 0xB3, 0x4B, 0xBD,
+        0xED, 0x36, 0x79, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82,
+        0x01, 0x45, 0x30, 0x82, 0x01, 0x41, 0x30, 0x1D, 0x06, 0x03,
+        0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x27, 0x8E, 0x67,
+        0x11, 0x74, 0xC3, 0x26, 0x1D, 0x3F, 0xED, 0x33, 0x63, 0xB3,
+        0xA4, 0xD8, 0x1D, 0x30, 0xE5, 0xE8, 0xD5, 0x30, 0x81, 0xD4,
+        0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x81, 0xCC, 0x30, 0x81,
+        0xC9, 0x80, 0x14, 0x27, 0x8E, 0x67, 0x11, 0x74, 0xC3, 0x26,
+        0x1D, 0x3F, 0xED, 0x33, 0x63, 0xB3, 0xA4, 0xD8, 0x1D, 0x30,
+        0xE5, 0xE8, 0xD5, 0xA1, 0x81, 0x9A, 0xA4, 0x81, 0x97, 0x30,
         0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
         0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06,
         0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74,
@@ -1545,78 +1624,130 @@ static const unsigned char ca_cert_der_2048[] =
         0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
         0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77,
         0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
-        0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x30, 0x32, 0x31, 0x30,
-        0x31, 0x39, 0x34, 0x39, 0x35, 0x32, 0x5A, 0x17, 0x0D, 0x32,
-        0x33, 0x31, 0x31, 0x30, 0x37, 0x31, 0x39, 0x34, 0x39, 0x35,
-        0x32, 0x5A, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06,
-        0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10,
-        0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D,
-        0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E,
-        0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A,
-        0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11, 0x30, 0x0F, 0x06, 0x03,
-        0x55, 0x04, 0x0A, 0x0C, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6F,
-        0x6F, 0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
-        0x04, 0x0B, 0x0C, 0x0A, 0x43, 0x6F, 0x6E, 0x73, 0x75, 0x6C,
-        0x74, 0x69, 0x6E, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03,
-        0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77,
-        0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
-        0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
-        0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66,
-        0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E,
-        0x63, 0x6F, 0x6D, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06,
+        0x82, 0x14, 0x7D, 0x94, 0x70, 0x88, 0xBA, 0x07, 0x42, 0x8D,
+        0xAA, 0xAF, 0x4F, 0xBE, 0xC2, 0x1A, 0x48, 0xF0, 0xD1, 0x40,
+        0xE6, 0x42, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04,
+        0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03,
+        0x55, 0x1D, 0x11, 0x04, 0x15, 0x30, 0x13, 0x82, 0x0B, 0x65,
+        0x78, 0x61, 0x6D, 0x70, 0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D,
+        0x87, 0x04, 0x7F, 0x00, 0x00, 0x01, 0x30, 0x1D, 0x06, 0x03,
+        0x55, 0x1D, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2B,
+        0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2B,
+        0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0D, 0x06,
+        0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B,
+        0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0xB0, 0x71, 0xBB,
+        0xBA, 0x45, 0x5A, 0x80, 0x25, 0x02, 0xA4, 0x7E, 0x88, 0x0B,
+        0xA9, 0x7B, 0xFD, 0xB0, 0xBB, 0xF6, 0x46, 0xB5, 0xBA, 0xF4,
+        0xC7, 0xE3, 0x61, 0x20, 0x8C, 0x03, 0x15, 0x66, 0xF5, 0xE4,
+        0x54, 0x82, 0xEF, 0x13, 0x80, 0x97, 0x22, 0x67, 0xC1, 0xD1,
+        0x88, 0x5D, 0xE2, 0x2D, 0x57, 0xF6, 0xE0, 0x9F, 0x69, 0xD6,
+        0xB1, 0x5C, 0xB6, 0xE8, 0xE0, 0x98, 0x89, 0xC8, 0x14, 0x12,
+        0xD6, 0xB6, 0x89, 0x8D, 0x6C, 0xB9, 0xA0, 0x59, 0x4F, 0x92,
+        0xEE, 0x11, 0x53, 0x6B, 0x7D, 0x93, 0x4A, 0x69, 0x0A, 0x85,
+        0xD9, 0xD5, 0xD2, 0x62, 0xE8, 0xC9, 0xB5, 0xC6, 0x4E, 0x17,
+        0xF5, 0x0A, 0xE8, 0xF3, 0x2D, 0x86, 0x61, 0x0B, 0xEB, 0xC4,
+        0xC4, 0xC6, 0x67, 0x75, 0xED, 0x9A, 0x9F, 0x53, 0xA0, 0x71,
+        0x1E, 0xA0, 0x90, 0x0D, 0xF9, 0x03, 0xB4, 0xBC, 0x86, 0x19,
+        0x6E, 0xF0, 0x3B, 0x4F, 0xE8, 0xED, 0x68, 0xF6, 0xE7, 0x23,
+        0x43, 0x3B, 0x36, 0x83, 0x83, 0x4B, 0x46, 0xA0, 0x9A, 0x01,
+        0xD0, 0xC7, 0x85, 0xBB, 0x7D, 0x94, 0xA0, 0x21, 0x3D, 0x7E,
+        0x3C, 0x6A, 0x3D, 0x81, 0xDB, 0x41, 0x7B, 0x46, 0xD8, 0x15,
+        0x62, 0xD5, 0x8F, 0x4D, 0x3D, 0xC0, 0xDB, 0x9A, 0xC5, 0x81,
+        0xA8, 0xAC, 0xDA, 0x87, 0x99, 0xC7, 0xDD, 0xB9, 0xF1, 0x14,
+        0xAF, 0xD1, 0x93, 0xE3, 0xF3, 0x42, 0xD7, 0xA2, 0x04, 0x51,
+        0x21, 0x54, 0x29, 0xC3, 0x45, 0xF6, 0xBE, 0x5C, 0xFA, 0xCD,
+        0xDB, 0xBF, 0x2F, 0x79, 0x81, 0x42, 0xE5, 0x8F, 0x47, 0x0B,
+        0xD4, 0x54, 0x01, 0xB5, 0xC2, 0x4A, 0x46, 0xD6, 0xA8, 0x31,
+        0x2E, 0x64, 0x80, 0x3F, 0x48, 0x61, 0x91, 0x29, 0xF3, 0xAA,
+        0x43, 0x5C, 0x69, 0x6E, 0xF1, 0x01, 0xB9, 0xDF, 0x63, 0x71,
+        0x3D, 0xB9, 0x5A, 0xFB, 0x36, 0xC0, 0x11, 0xA2, 0xC3, 0x30,
+        0x9D, 0x95, 0xC3
+};
+static const int sizeof_ca_cert_der_2048 = sizeof(ca_cert_der_2048);
+
+/* ./certs/ca-cert-chain.der, 2048-bit */
+static const unsigned char ca_cert_chain_der[] =
+{
+        0x30, 0x82, 0x03, 0xFA, 0x30, 0x82, 0x03, 0x63, 0xA0, 0x03,
+        0x02, 0x01, 0x02, 0x02, 0x14, 0x42, 0xCC, 0xF9, 0x3D, 0xC3,
+        0x98, 0x9D, 0xB9, 0x6A, 0xD0, 0x05, 0x23, 0x52, 0xB1, 0x87,
+        0x2F, 0xBE, 0xA5, 0x0A, 0xE9, 0x30, 0x0D, 0x06, 0x09, 0x2A,
+        0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00,
+        0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55,
+        0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E,
+        0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E,
+        0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03,
+        0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D,
+        0x61, 0x6E, 0x31, 0x11, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04,
+        0x0A, 0x0C, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74,
+        0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0B,
+        0x0C, 0x0A, 0x43, 0x6F, 0x6E, 0x73, 0x75, 0x6C, 0x74, 0x69,
+        0x6E, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04,
+        0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C,
+        0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F,
+        0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+        0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40,
+        0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
+        0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x31, 0x32, 0x32,
+        0x30, 0x32, 0x33, 0x30, 0x37, 0x32, 0x34, 0x5A, 0x17, 0x0D,
+        0x32, 0x34, 0x30, 0x39, 0x31, 0x35, 0x32, 0x33, 0x30, 0x37,
+        0x32, 0x34, 0x5A, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09,
+        0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
+        0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07,
+        0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30,
+        0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F,
+        0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11, 0x30, 0x0F, 0x06,
+        0x03, 0x55, 0x04, 0x0A, 0x0C, 0x08, 0x53, 0x61, 0x77, 0x74,
+        0x6F, 0x6F, 0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
+        0x55, 0x04, 0x0B, 0x0C, 0x0A, 0x43, 0x6F, 0x6E, 0x73, 0x75,
+        0x6C, 0x74, 0x69, 0x6E, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06,
+        0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E,
+        0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
+        0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48,
+        0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E,
+        0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C,
+        0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x81, 0x9F, 0x30, 0x0D, 0x06,
         0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01,
-        0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82, 0x01,
-        0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0xBF, 0x0C, 0xCA, 0x2D,
-        0x14, 0xB2, 0x1E, 0x84, 0x42, 0x5B, 0xCD, 0x38, 0x1F, 0x4A,
-        0xF2, 0x4D, 0x75, 0x10, 0xF1, 0xB6, 0x35, 0x9F, 0xDF, 0xCA,
-        0x7D, 0x03, 0x98, 0xD3, 0xAC, 0xDE, 0x03, 0x66, 0xEE, 0x2A,
-        0xF1, 0xD8, 0xB0, 0x7D, 0x6E, 0x07, 0x54, 0x0B, 0x10, 0x98,
-        0x21, 0x4D, 0x80, 0xCB, 0x12, 0x20, 0xE7, 0xCC, 0x4F, 0xDE,
-        0x45, 0x7D, 0xC9, 0x72, 0x77, 0x32, 0xEA, 0xCA, 0x90, 0xBB,
-        0x69, 0x52, 0x10, 0x03, 0x2F, 0xA8, 0xF3, 0x95, 0xC5, 0xF1,
-        0x8B, 0x62, 0x56, 0x1B, 0xEF, 0x67, 0x6F, 0xA4, 0x10, 0x41,
-        0x95, 0xAD, 0x0A, 0x9B, 0xE3, 0xA5, 0xC0, 0xB0, 0xD2, 0x70,
-        0x76, 0x50, 0x30, 0x5B, 0xA8, 0xE8, 0x08, 0x2C, 0x7C, 0xED,
-        0xA7, 0xA2, 0x7A, 0x8D, 0x38, 0x29, 0x1C, 0xAC, 0xC7, 0xED,
-        0xF2, 0x7C, 0x95, 0xB0, 0x95, 0x82, 0x7D, 0x49, 0x5C, 0x38,
-        0xCD, 0x77, 0x25, 0xEF, 0xBD, 0x80, 0x75, 0x53, 0x94, 0x3C,
-        0x3D, 0xCA, 0x63, 0x5B, 0x9F, 0x15, 0xB5, 0xD3, 0x1D, 0x13,
-        0x2F, 0x19, 0xD1, 0x3C, 0xDB, 0x76, 0x3A, 0xCC, 0xB8, 0x7D,
-        0xC9, 0xE5, 0xC2, 0xD7, 0xDA, 0x40, 0x6F, 0xD8, 0x21, 0xDC,
-        0x73, 0x1B, 0x42, 0x2D, 0x53, 0x9C, 0xFE, 0x1A, 0xFC, 0x7D,
-        0xAB, 0x7A, 0x36, 0x3F, 0x98, 0xDE, 0x84, 0x7C, 0x05, 0x67,
-        0xCE, 0x6A, 0x14, 0x38, 0x87, 0xA9, 0xF1, 0x8C, 0xB5, 0x68,
-        0xCB, 0x68, 0x7F, 0x71, 0x20, 0x2B, 0xF5, 0xA0, 0x63, 0xF5,
-        0x56, 0x2F, 0xA3, 0x26, 0xD2, 0xB7, 0x6F, 0xB1, 0x5A, 0x17,
-        0xD7, 0x38, 0x99, 0x08, 0xFE, 0x93, 0x58, 0x6F, 0xFE, 0xC3,
-        0x13, 0x49, 0x08, 0x16, 0x0B, 0xA7, 0x4D, 0x67, 0x00, 0x52,
-        0x31, 0x67, 0x23, 0x4E, 0x98, 0xED, 0x51, 0x45, 0x1D, 0xB9,
-        0x04, 0xD9, 0x0B, 0xEC, 0xD8, 0x28, 0xB3, 0x4B, 0xBD, 0xED,
-        0x36, 0x79, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01,
-        0x3A, 0x30, 0x82, 0x01, 0x36, 0x30, 0x1D, 0x06, 0x03, 0x55,
-        0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x27, 0x8E, 0x67, 0x11,
-        0x74, 0xC3, 0x26, 0x1D, 0x3F, 0xED, 0x33, 0x63, 0xB3, 0xA4,
-        0xD8, 0x1D, 0x30, 0xE5, 0xE8, 0xD5, 0x30, 0x81, 0xC9, 0x06,
-        0x03, 0x55, 0x1D, 0x23, 0x04, 0x81, 0xC1, 0x30, 0x81, 0xBE,
-        0x80, 0x14, 0x27, 0x8E, 0x67, 0x11, 0x74, 0xC3, 0x26, 0x1D,
-        0x3F, 0xED, 0x33, 0x63, 0xB3, 0xA4, 0xD8, 0x1D, 0x30, 0xE5,
-        0xE8, 0xD5, 0xA1, 0x81, 0x9A, 0xA4, 0x81, 0x97, 0x30, 0x81,
-        0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
-        0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03,
-        0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61,
-        0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04,
-        0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E,
-        0x31, 0x11, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C,
-        0x08, 0x53, 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68, 0x31,
-        0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0A,
-        0x43, 0x6F, 0x6E, 0x73, 0x75, 0x6C, 0x74, 0x69, 0x6E, 0x67,
-        0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C,
-        0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73,
-        0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D,
-        0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09,
-        0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F,
-        0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82,
-        0x09, 0x00, 0xAA, 0xD3, 0x3F, 0xAC, 0x18, 0x0A, 0x37, 0x4D,
+        0x05, 0x00, 0x03, 0x81, 0x8D, 0x00, 0x30, 0x81, 0x89, 0x02,
+        0x81, 0x81, 0x00, 0xCD, 0xAC, 0xDD, 0x47, 0xEC, 0xBE, 0xB7,
+        0x24, 0xC3, 0x63, 0x1B, 0x54, 0x98, 0x79, 0xE1, 0xC7, 0x31,
+        0x16, 0x59, 0xD6, 0x9D, 0x77, 0x9D, 0x8D, 0xE2, 0x8B, 0xED,
+        0x04, 0x17, 0xB2, 0xC6, 0xEB, 0xE4, 0x9B, 0x91, 0xBE, 0x31,
+        0x50, 0x62, 0x97, 0x58, 0xB5, 0x7F, 0x29, 0xDE, 0xB3, 0x71,
+        0x24, 0x0B, 0xBF, 0x97, 0x09, 0x7F, 0x26, 0xDC, 0x2D, 0xEC,
+        0xA8, 0x2E, 0xB2, 0x64, 0x2B, 0x7A, 0x2B, 0x35, 0x19, 0x2D,
+        0xA2, 0x80, 0xCB, 0x99, 0xFD, 0x94, 0x71, 0x1B, 0x23, 0x8D,
+        0x54, 0xDB, 0x2E, 0x62, 0x8D, 0x81, 0x08, 0x2D, 0xF4, 0x24,
+        0x72, 0x27, 0x6C, 0xF9, 0xC9, 0x8E, 0xDB, 0x4C, 0x75, 0xBA,
+        0x9B, 0x01, 0xF8, 0x3F, 0x18, 0xF4, 0xE6, 0x7F, 0xFB, 0x57,
+        0x94, 0x92, 0xCC, 0x88, 0xC4, 0xB4, 0x00, 0xC2, 0xAA, 0xD4,
+        0xE5, 0x88, 0x18, 0xB3, 0x11, 0x2F, 0x73, 0xC0, 0xD6, 0x29,
+        0x09, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x45,
+        0x30, 0x82, 0x01, 0x41, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D,
+        0x0E, 0x04, 0x16, 0x04, 0x14, 0xD3, 0x22, 0x8F, 0x28, 0x2C,
+        0xE0, 0x05, 0xEE, 0xD3, 0xED, 0xC3, 0x71, 0x3D, 0xC9, 0xB2,
+        0x36, 0x3A, 0x1D, 0xBF, 0xA8, 0x30, 0x81, 0xD4, 0x06, 0x03,
+        0x55, 0x1D, 0x23, 0x04, 0x81, 0xCC, 0x30, 0x81, 0xC9, 0x80,
+        0x14, 0xD3, 0x22, 0x8F, 0x28, 0x2C, 0xE0, 0x05, 0xEE, 0xD3,
+        0xED, 0xC3, 0x71, 0x3D, 0xC9, 0xB2, 0x36, 0x3A, 0x1D, 0xBF,
+        0xA8, 0xA1, 0x81, 0x9A, 0xA4, 0x81, 0x97, 0x30, 0x81, 0x94,
+        0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
+        0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55,
+        0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E,
+        0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07,
+        0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31,
+        0x11, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x08,
+        0x53, 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68, 0x31, 0x13,
+        0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0A, 0x43,
+        0x6F, 0x6E, 0x73, 0x75, 0x6C, 0x74, 0x69, 0x6E, 0x67, 0x31,
+        0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F,
+        0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73,
+        0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06,
+        0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01,
+        0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C,
+        0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x14,
+        0x42, 0xCC, 0xF9, 0x3D, 0xC3, 0x98, 0x9D, 0xB9, 0x6A, 0xD0,
+        0x05, 0x23, 0x52, 0xB1, 0x87, 0x2F, 0xBE, 0xA5, 0x0A, 0xE9,
         0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30,
         0x03, 0x01, 0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x1D,
         0x11, 0x04, 0x15, 0x30, 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61,
@@ -1626,140 +1757,20 @@ static const unsigned char ca_cert_der_2048[] =
         0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2B, 0x06, 0x01,
         0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0D, 0x06, 0x09, 0x2A,
         0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00,
-        0x03, 0x82, 0x01, 0x01, 0x00, 0x62, 0x98, 0xC8, 0x58, 0xCF,
-        0x56, 0x03, 0x86, 0x5B, 0x1B, 0x71, 0x49, 0x7D, 0x05, 0x03,
-        0x5D, 0xE0, 0x08, 0x86, 0xAD, 0xDB, 0x4A, 0xDE, 0xAB, 0x22,
-        0x96, 0xA8, 0xC3, 0x59, 0x68, 0xC1, 0x37, 0x90, 0x40, 0xDF,
-        0xBD, 0x89, 0xD0, 0xBC, 0xDA, 0x8E, 0xEF, 0x87, 0xB2, 0xC2,
-        0x62, 0x52, 0xE1, 0x1A, 0x29, 0x17, 0x6A, 0x96, 0x99, 0xC8,
-        0x4E, 0xD8, 0x32, 0xFE, 0xB8, 0xD1, 0x5C, 0x3B, 0x0A, 0xC2,
-        0x3C, 0x5F, 0xA1, 0x1E, 0x98, 0x7F, 0xCE, 0x89, 0x26, 0x21,
-        0x1F, 0x64, 0x9C, 0x15, 0x7A, 0x9C, 0xEF, 0xFB, 0x1D, 0x85,
-        0x6A, 0xFA, 0x98, 0xCE, 0xA8, 0xA9, 0xAB, 0xC3, 0xA2, 0xC0,
-        0xEB, 0x87, 0xED, 0xBC, 0x21, 0xDF, 0xF3, 0x07, 0x5B, 0xAE,
-        0xFD, 0x40, 0xD4, 0xAE, 0x20, 0xD0, 0x76, 0x8A, 0x31, 0x0A,
-        0xA2, 0x62, 0x7C, 0x61, 0x0D, 0xCE, 0x5D, 0x9A, 0x1E, 0xE4,
-        0x20, 0x88, 0x51, 0x49, 0xFB, 0x77, 0xA9, 0xCD, 0x4D, 0xC6,
-        0xBF, 0x54, 0x99, 0x33, 0xEF, 0x4B, 0xA0, 0x73, 0x70, 0x6D,
-        0x2E, 0xD9, 0x3D, 0x08, 0xF6, 0x12, 0x39, 0x31, 0x68, 0xC6,
-        0x61, 0x5C, 0x41, 0xB5, 0x1B, 0xF4, 0x38, 0x7D, 0xFC, 0xBE,
-        0x73, 0x66, 0x2D, 0xF7, 0xCA, 0x5B, 0x2C, 0x5B, 0x31, 0xAA,
-        0xCF, 0xF6, 0x7F, 0x30, 0xE4, 0x12, 0x2C, 0x8E, 0xD6, 0x38,
-        0x51, 0xE6, 0x45, 0xEE, 0xD5, 0xDA, 0xC3, 0x83, 0xD6, 0xED,
-        0x5E, 0xEC, 0xD6, 0xB6, 0x14, 0xB3, 0x93, 0x59, 0xE1, 0x55,
-        0x4A, 0x7F, 0x04, 0xDF, 0xCE, 0x65, 0xD4, 0xDF, 0x18, 0x4F,
-        0xDD, 0xB4, 0x45, 0x7F, 0xA6, 0x56, 0x30, 0xC4, 0x05, 0x44,
-        0x98, 0x9D, 0x4F, 0x26, 0x6D, 0x84, 0x80, 0xA0, 0x5E, 0xED,
-        0x23, 0xD1, 0x48, 0x87, 0x0E, 0x05, 0x06, 0x91, 0x3B, 0xB0,
-        0x3C, 0xBB, 0x8C, 0x8F, 0x3C, 0x7B, 0x4C, 0x4F, 0xA1, 0xCA,
-        0x98
-};
-static const int sizeof_ca_cert_der_2048 = sizeof(ca_cert_der_2048);
-
-/* ./certs/ca-cert-chain.der, 2048-bit */
-static const unsigned char ca_cert_chain_der[] =
-{
-        0x30, 0x82, 0x03, 0xE4, 0x30, 0x82, 0x03, 0x4D, 0xA0, 0x03,
-        0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xE9, 0x2F, 0xDA, 0xA8,
-        0x53, 0xBD, 0xBD, 0xD5, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
-        0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30,
-        0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
-        0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06,
-        0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74,
-        0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55,
-        0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61,
-        0x6E, 0x31, 0x11, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x0A,
-        0x0C, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68,
-        0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C,
-        0x0A, 0x43, 0x6F, 0x6E, 0x73, 0x75, 0x6C, 0x74, 0x69, 0x6E,
-        0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03,
-        0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66,
-        0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30,
-        0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
-        0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77,
-        0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
-        0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x30, 0x32, 0x31, 0x30,
-        0x31, 0x39, 0x34, 0x39, 0x35, 0x32, 0x5A, 0x17, 0x0D, 0x32,
-        0x33, 0x31, 0x31, 0x30, 0x37, 0x31, 0x39, 0x34, 0x39, 0x35,
-        0x32, 0x5A, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06,
-        0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10,
-        0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D,
-        0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E,
-        0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A,
-        0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11, 0x30, 0x0F, 0x06, 0x03,
-        0x55, 0x04, 0x0A, 0x0C, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6F,
-        0x6F, 0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
-        0x04, 0x0B, 0x0C, 0x0A, 0x43, 0x6F, 0x6E, 0x73, 0x75, 0x6C,
-        0x74, 0x69, 0x6E, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03,
-        0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77,
-        0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
-        0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
-        0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66,
-        0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E,
-        0x63, 0x6F, 0x6D, 0x30, 0x81, 0x9F, 0x30, 0x0D, 0x06, 0x09,
-        0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05,
-        0x00, 0x03, 0x81, 0x8D, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81,
-        0x81, 0x00, 0xCD, 0xAC, 0xDD, 0x47, 0xEC, 0xBE, 0xB7, 0x24,
-        0xC3, 0x63, 0x1B, 0x54, 0x98, 0x79, 0xE1, 0xC7, 0x31, 0x16,
-        0x59, 0xD6, 0x9D, 0x77, 0x9D, 0x8D, 0xE2, 0x8B, 0xED, 0x04,
-        0x17, 0xB2, 0xC6, 0xEB, 0xE4, 0x9B, 0x91, 0xBE, 0x31, 0x50,
-        0x62, 0x97, 0x58, 0xB5, 0x7F, 0x29, 0xDE, 0xB3, 0x71, 0x24,
-        0x0B, 0xBF, 0x97, 0x09, 0x7F, 0x26, 0xDC, 0x2D, 0xEC, 0xA8,
-        0x2E, 0xB2, 0x64, 0x2B, 0x7A, 0x2B, 0x35, 0x19, 0x2D, 0xA2,
-        0x80, 0xCB, 0x99, 0xFD, 0x94, 0x71, 0x1B, 0x23, 0x8D, 0x54,
-        0xDB, 0x2E, 0x62, 0x8D, 0x81, 0x08, 0x2D, 0xF4, 0x24, 0x72,
-        0x27, 0x6C, 0xF9, 0xC9, 0x8E, 0xDB, 0x4C, 0x75, 0xBA, 0x9B,
-        0x01, 0xF8, 0x3F, 0x18, 0xF4, 0xE6, 0x7F, 0xFB, 0x57, 0x94,
-        0x92, 0xCC, 0x88, 0xC4, 0xB4, 0x00, 0xC2, 0xAA, 0xD4, 0xE5,
-        0x88, 0x18, 0xB3, 0x11, 0x2F, 0x73, 0xC0, 0xD6, 0x29, 0x09,
-        0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x3A, 0x30,
-        0x82, 0x01, 0x36, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E,
-        0x04, 0x16, 0x04, 0x14, 0xD3, 0x22, 0x8F, 0x28, 0x2C, 0xE0,
-        0x05, 0xEE, 0xD3, 0xED, 0xC3, 0x71, 0x3D, 0xC9, 0xB2, 0x36,
-        0x3A, 0x1D, 0xBF, 0xA8, 0x30, 0x81, 0xC9, 0x06, 0x03, 0x55,
-        0x1D, 0x23, 0x04, 0x81, 0xC1, 0x30, 0x81, 0xBE, 0x80, 0x14,
-        0xD3, 0x22, 0x8F, 0x28, 0x2C, 0xE0, 0x05, 0xEE, 0xD3, 0xED,
-        0xC3, 0x71, 0x3D, 0xC9, 0xB2, 0x36, 0x3A, 0x1D, 0xBF, 0xA8,
-        0xA1, 0x81, 0x9A, 0xA4, 0x81, 0x97, 0x30, 0x81, 0x94, 0x31,
-        0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-        0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04,
-        0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61,
-        0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C,
-        0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11,
-        0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x08, 0x53,
-        0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68, 0x31, 0x13, 0x30,
-        0x11, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0A, 0x43, 0x6F,
-        0x6E, 0x73, 0x75, 0x6C, 0x74, 0x69, 0x6E, 0x67, 0x31, 0x18,
-        0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77,
-        0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C,
-        0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09,
-        0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16,
-        0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66,
-        0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00,
-        0xE9, 0x2F, 0xDA, 0xA8, 0x53, 0xBD, 0xBD, 0xD5, 0x30, 0x0C,
-        0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01,
-        0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x1D, 0x11, 0x04,
-        0x15, 0x30, 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D, 0x70,
-        0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D, 0x87, 0x04, 0x7F, 0x00,
-        0x00, 0x01, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04,
-        0x16, 0x30, 0x14, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05,
-        0x07, 0x03, 0x01, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05,
-        0x07, 0x03, 0x02, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48,
-        0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x81,
-        0x81, 0x00, 0xB3, 0xE9, 0x88, 0x6A, 0xEA, 0x5F, 0x35, 0x7C,
-        0x6C, 0xFD, 0x93, 0xFE, 0x9A, 0x98, 0xE7, 0x1C, 0xBC, 0xD1,
-        0xC8, 0x7A, 0x15, 0xC5, 0x69, 0xE1, 0xFB, 0x35, 0x1B, 0xEC,
-        0x92, 0x3F, 0xD1, 0x3E, 0x69, 0x2A, 0x11, 0x95, 0x44, 0x3D,
-        0x3F, 0x7C, 0xFF, 0xF6, 0x64, 0xD8, 0xE4, 0x1D, 0xEC, 0x86,
-        0x95, 0x69, 0x48, 0x3D, 0x5B, 0x6D, 0x39, 0xE7, 0x7E, 0x51,
-        0x12, 0x15, 0x4B, 0x90, 0xA8, 0xFA, 0x1E, 0xAA, 0x81, 0x53,
-        0xDE, 0x85, 0x29, 0x4D, 0x79, 0x6C, 0x08, 0xC2, 0xC4, 0x5E,
-        0x4D, 0x39, 0xA6, 0x09, 0xA4, 0x67, 0xAC, 0xDC, 0xF0, 0xCD,
-        0xB7, 0x4E, 0xE5, 0xF9, 0x72, 0xC3, 0x25, 0x1C, 0x8D, 0xE0,
-        0x03, 0x30, 0x19, 0x5A, 0xA5, 0x63, 0xA6, 0xBA, 0xEC, 0x12,
-        0x87, 0xEF, 0x6D, 0x56, 0x22, 0xA7, 0x42, 0x4A, 0x8F, 0x3B,
-        0xFD, 0x20, 0xAB, 0xEF, 0x29, 0x5E, 0x3D, 0x16, 0xD7, 0xAC
-
+        0x03, 0x81, 0x81, 0x00, 0x97, 0xF4, 0x5A, 0x19, 0x52, 0xA6,
+        0x12, 0xFC, 0x95, 0x1F, 0xB8, 0xCB, 0x3E, 0x73, 0x4B, 0x3E,
+        0xCB, 0xC2, 0x83, 0x92, 0x4F, 0x64, 0x76, 0x3B, 0x0D, 0xAF,
+        0x72, 0x8C, 0xD3, 0x79, 0x6A, 0x6E, 0xE0, 0x5B, 0x48, 0x4E,
+        0x2C, 0x25, 0xDC, 0xB4, 0xBB, 0xCA, 0x1A, 0x45, 0x90, 0x91,
+        0x9E, 0x47, 0x82, 0xFC, 0xB9, 0xC3, 0xFA, 0x52, 0x6D, 0x8F,
+        0x86, 0x97, 0xBE, 0x58, 0x4B, 0xE7, 0x35, 0x75, 0xD4, 0xB9,
+        0x37, 0xBA, 0xC5, 0x2A, 0xDB, 0xF1, 0x60, 0x29, 0x4F, 0x6E,
+        0xB0, 0x12, 0xAA, 0x3F, 0x9F, 0x56, 0x30, 0xE5, 0xB4, 0x90,
+        0x04, 0xCC, 0x1D, 0x6C, 0xA3, 0xE6, 0xE2, 0x16, 0x5D, 0x94,
+        0x52, 0x91, 0x23, 0x2C, 0xBA, 0x9C, 0x67, 0x83, 0xAA, 0x15,
+        0x80, 0xF1, 0x39, 0xF9, 0xD7, 0xA8, 0x02, 0x7D, 0x87, 0x21,
+        0xAB, 0xEF, 0x57, 0x8D, 0x06, 0x49, 0xCB, 0xC9, 0xCD, 0x6F,
+        0xD7, 0x4E
 };
 static const int sizeof_ca_cert_chain_der = sizeof(ca_cert_chain_der);
 
@@ -1892,7 +1903,7 @@ static const int sizeof_server_key_der_2048 = sizeof(server_key_der_2048);
 /* ./certs/server-cert.der, 2048-bit */
 static const unsigned char server_cert_der_2048[] =
 {
-        0x30, 0x82, 0x04, 0xDD, 0x30, 0x82, 0x03, 0xC5, 0xA0, 0x03,
+        0x30, 0x82, 0x04, 0xE8, 0x30, 0x82, 0x03, 0xD0, 0xA0, 0x03,
         0x02, 0x01, 0x02, 0x02, 0x01, 0x01, 0x30, 0x0D, 0x06, 0x09,
         0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05,
         0x00, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03,
@@ -1910,10 +1921,10 @@ static const unsigned char server_cert_der_2048[] =
         0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
         0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F,
         0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63,
-        0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x30, 0x32,
-        0x31, 0x30, 0x31, 0x39, 0x34, 0x39, 0x35, 0x33, 0x5A, 0x17,
-        0x0D, 0x32, 0x33, 0x31, 0x31, 0x30, 0x37, 0x31, 0x39, 0x34,
-        0x39, 0x35, 0x33, 0x5A, 0x30, 0x81, 0x90, 0x31, 0x0B, 0x30,
+        0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x31, 0x32,
+        0x32, 0x30, 0x32, 0x33, 0x30, 0x37, 0x32, 0x35, 0x5A, 0x17,
+        0x0D, 0x32, 0x34, 0x30, 0x39, 0x31, 0x35, 0x32, 0x33, 0x30,
+        0x37, 0x32, 0x35, 0x5A, 0x30, 0x81, 0x90, 0x31, 0x0B, 0x30,
         0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
         0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C,
         0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10,
@@ -1957,12 +1968,12 @@ static const unsigned char server_cert_der_2048[] =
         0x69, 0x42, 0x42, 0x09, 0xE9, 0xD8, 0x08, 0xBC, 0x33, 0x20,
         0xB3, 0x58, 0x22, 0xA7, 0xAA, 0xEB, 0xC4, 0xE1, 0xE6, 0x61,
         0x83, 0xC5, 0xD2, 0x96, 0xDF, 0xD9, 0xD0, 0x4F, 0xAD, 0xD7,
-        0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x3A, 0x30,
-        0x82, 0x01, 0x36, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E,
+        0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x45, 0x30,
+        0x82, 0x01, 0x41, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E,
         0x04, 0x16, 0x04, 0x14, 0xB3, 0x11, 0x32, 0xC9, 0x92, 0x98,
         0x84, 0xE2, 0xC9, 0xF8, 0xD0, 0x3B, 0x6E, 0x03, 0x42, 0xCA,
-        0x1F, 0x0E, 0x8E, 0x3C, 0x30, 0x81, 0xC9, 0x06, 0x03, 0x55,
-        0x1D, 0x23, 0x04, 0x81, 0xC1, 0x30, 0x81, 0xBE, 0x80, 0x14,
+        0x1F, 0x0E, 0x8E, 0x3C, 0x30, 0x81, 0xD4, 0x06, 0x03, 0x55,
+        0x1D, 0x23, 0x04, 0x81, 0xCC, 0x30, 0x81, 0xC9, 0x80, 0x14,
         0x27, 0x8E, 0x67, 0x11, 0x74, 0xC3, 0x26, 0x1D, 0x3F, 0xED,
         0x33, 0x63, 0xB3, 0xA4, 0xD8, 0x1D, 0x30, 0xE5, 0xE8, 0xD5,
         0xA1, 0x81, 0x9A, 0xA4, 0x81, 0x97, 0x30, 0x81, 0x94, 0x31,
@@ -1980,43 +1991,45 @@ static const unsigned char server_cert_der_2048[] =
         0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09,
         0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16,
         0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66,
-        0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00,
-        0xAA, 0xD3, 0x3F, 0xAC, 0x18, 0x0A, 0x37, 0x4D, 0x30, 0x0C,
-        0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01,
-        0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x1D, 0x11, 0x04,
-        0x15, 0x30, 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D, 0x70,
-        0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D, 0x87, 0x04, 0x7F, 0x00,
-        0x00, 0x01, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04,
-        0x16, 0x30, 0x14, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05,
-        0x07, 0x03, 0x01, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05,
-        0x07, 0x03, 0x02, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48,
-        0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82,
-        0x01, 0x01, 0x00, 0x1B, 0x0D, 0xA6, 0x44, 0x93, 0x0D, 0x0E,
-        0x0C, 0x35, 0x28, 0x26, 0x40, 0x31, 0xD2, 0xEB, 0x26, 0x4C,
-        0x47, 0x5B, 0x19, 0xFB, 0xAD, 0xFE, 0x3A, 0xF5, 0x30, 0x3A,
-        0x28, 0xD7, 0xAA, 0x69, 0xA4, 0x15, 0xE7, 0x26, 0x6E, 0xB7,
-        0x33, 0x56, 0xAC, 0x8F, 0x34, 0x3D, 0xF3, 0x21, 0x2F, 0x53,
-        0x58, 0x91, 0xD0, 0x3E, 0xB4, 0x39, 0x48, 0xBF, 0x93, 0x11,
-        0x74, 0x36, 0xD3, 0x87, 0x49, 0xC3, 0x34, 0x0D, 0x30, 0x30,
-        0xAB, 0xF4, 0x4C, 0x27, 0x19, 0xD5, 0xC4, 0x0C, 0xAD, 0x49,
-        0xBD, 0x91, 0xF8, 0xDA, 0x9E, 0xC8, 0x2D, 0x2A, 0xAC, 0xE2,
-        0x75, 0x8E, 0xAA, 0x08, 0xD9, 0xBF, 0x65, 0xFF, 0xA3, 0xB1,
-        0x4F, 0xF0, 0x60, 0x6F, 0x4D, 0x95, 0xC4, 0x06, 0x7F, 0xAF,
-        0x66, 0x6A, 0x23, 0x3B, 0x3A, 0xA4, 0x61, 0xB6, 0x6C, 0xCA,
-        0xBE, 0xE1, 0xB0, 0x77, 0xF3, 0xEC, 0x83, 0xD5, 0x8C, 0x1D,
-        0x85, 0x7F, 0x8D, 0x74, 0xC8, 0xEC, 0x1E, 0x49, 0xEC, 0x57,
-        0x4A, 0xCC, 0xFD, 0xE2, 0x3A, 0x3E, 0x54, 0x50, 0xAE, 0x67,
-        0xCD, 0x17, 0xB0, 0x67, 0xA5, 0x53, 0x7F, 0xC3, 0x0E, 0x3E,
-        0xA7, 0x58, 0xE8, 0xDF, 0xD5, 0x0C, 0xF2, 0x64, 0xF3, 0xAD,
-        0x12, 0x70, 0xE3, 0xB9, 0x42, 0xBC, 0x08, 0x60, 0x76, 0xD5,
-        0x0C, 0xA5, 0x31, 0x77, 0x50, 0xE0, 0xC8, 0xF3, 0x3A, 0x3D,
-        0x45, 0xCF, 0x32, 0x75, 0xEF, 0x10, 0xDD, 0xB5, 0xED, 0x6E,
-        0xD2, 0x2D, 0x57, 0x82, 0x95, 0x38, 0xBC, 0x7D, 0x54, 0xC4,
-        0x84, 0x5E, 0xFB, 0x7E, 0x83, 0xF5, 0xF1, 0x2D, 0x9C, 0x98,
-        0xAC, 0x73, 0xE3, 0xA7, 0xD2, 0x02, 0x30, 0xD6, 0x1F, 0x06,
-        0x1E, 0xD0, 0xDC, 0x3A, 0xAC, 0xF4, 0xC2, 0xC2, 0xBE, 0x72,
-        0x40, 0x9A, 0xEA, 0xCF, 0x35, 0x21, 0x3B, 0x56, 0x6D, 0xE1,
-        0x52, 0xF2, 0x80, 0xD7, 0x35, 0x83, 0x97, 0x07, 0xCC
+        0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x14, 0x7D,
+        0x94, 0x70, 0x88, 0xBA, 0x07, 0x42, 0x8D, 0xAA, 0xAF, 0x4F,
+        0xBE, 0xC2, 0x1A, 0x48, 0xF0, 0xD1, 0x40, 0xE6, 0x42, 0x30,
+        0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03,
+        0x01, 0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x1D, 0x11,
+        0x04, 0x15, 0x30, 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D,
+        0x70, 0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D, 0x87, 0x04, 0x7F,
+        0x00, 0x00, 0x01, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x25,
+        0x04, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05,
+        0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05,
+        0x05, 0x07, 0x03, 0x02, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
+        0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03,
+        0x82, 0x01, 0x01, 0x00, 0x73, 0x59, 0x6F, 0x55, 0x94, 0xE1,
+        0x38, 0xE7, 0x20, 0x5A, 0x11, 0x46, 0x47, 0xA8, 0x29, 0x11,
+        0x17, 0x06, 0x19, 0x16, 0x78, 0x22, 0xAF, 0x54, 0xF8, 0xD9,
+        0x32, 0x61, 0x26, 0x3F, 0x39, 0xAB, 0xA4, 0xDF, 0xEF, 0xAE,
+        0xD0, 0x0B, 0xCC, 0x2B, 0xAF, 0x95, 0x70, 0x90, 0x97, 0x53,
+        0xCC, 0x19, 0x6D, 0xF2, 0x4D, 0x4C, 0xFA, 0xE4, 0x9D, 0x7C,
+        0x54, 0xE0, 0x5B, 0x3B, 0x1F, 0x1E, 0x52, 0x46, 0x7F, 0xD9,
+        0xBA, 0xA0, 0x90, 0xBA, 0x6D, 0xDF, 0x3D, 0x67, 0xF0, 0x9F,
+        0x52, 0x44, 0xC3, 0xE1, 0x66, 0x36, 0xDC, 0x61, 0x58, 0x11,
+        0xBA, 0x4C, 0x0C, 0xC2, 0x29, 0xDA, 0xF7, 0x13, 0x45, 0x60,
+        0xB2, 0x11, 0x79, 0x91, 0xED, 0x7C, 0x9F, 0xB7, 0x7F, 0x5C,
+        0xE2, 0x29, 0xC6, 0x1E, 0xBF, 0x78, 0xDA, 0xBF, 0xD1, 0xBD,
+        0x9C, 0xF7, 0x4E, 0x23, 0xE0, 0xC3, 0xEF, 0x6F, 0xB6, 0x67,
+        0x7C, 0xD7, 0x4C, 0x02, 0xD5, 0xBD, 0x67, 0xEE, 0x7E, 0x0C,
+        0xE3, 0x89, 0xDB, 0x79, 0x61, 0x1E, 0xD0, 0x5F, 0xF5, 0xE8,
+        0x66, 0x48, 0x3A, 0x55, 0x54, 0xD5, 0x16, 0x12, 0x30, 0x00,
+        0xC9, 0x86, 0x75, 0xE0, 0xC9, 0xFF, 0x38, 0x74, 0xCE, 0xC8,
+        0xC7, 0xFD, 0xEF, 0x96, 0xD8, 0x55, 0x96, 0x71, 0x35, 0x62,
+        0xDB, 0x34, 0xC5, 0x2F, 0x07, 0x84, 0x8A, 0xAA, 0x1B, 0x1E,
+        0x77, 0x50, 0x0A, 0x20, 0x3B, 0x21, 0x4B, 0x06, 0x14, 0xAF,
+        0x78, 0x11, 0xA2, 0x41, 0xC6, 0x5D, 0x0C, 0x70, 0xE0, 0x52,
+        0xB4, 0x9E, 0x4C, 0x86, 0xAB, 0x5B, 0xA3, 0xE0, 0x8F, 0xA2,
+        0xC2, 0x1A, 0x69, 0x70, 0x80, 0x3B, 0xBD, 0x50, 0x23, 0x26,
+        0x72, 0x4F, 0xFA, 0xFD, 0xDF, 0xED, 0x85, 0x32, 0x2C, 0xE4,
+        0xAB, 0x3E, 0xF3, 0xA6, 0xD0, 0x1D, 0xDB, 0x33, 0x6B, 0x69,
+        0x8D, 0x99, 0xB9, 0xB4, 0x34, 0x4B, 0x79, 0xA8, 0x16, 0x68
+
 };
 static const int sizeof_server_cert_der_2048 = sizeof(server_cert_der_2048);
 
@@ -2619,161 +2632,163 @@ static const int sizeof_client_keypub_der_3072 = sizeof(client_keypub_der_3072);
 /* ./certs/3072/client-cert.der, 3072-bit */
 static const unsigned char client_cert_der_3072[] =
 {
-        0x30, 0x82, 0x06, 0x07, 0x30, 0x82, 0x04, 0x6F, 0xA0, 0x03,
-        0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xA4, 0xE0, 0xAA, 0xF3,
-        0x29, 0x50, 0x39, 0x8A, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
-        0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30,
-        0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
-        0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06,
-        0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74,
-        0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55,
-        0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61,
-        0x6E, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0A,
-        0x0C, 0x0C, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x5F,
-        0x33, 0x30, 0x37, 0x32, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03,
-        0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50, 0x72, 0x6F, 0x67, 0x72,
-        0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D, 0x33, 0x30, 0x37,
-        0x32, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03,
-        0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66,
-        0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30,
-        0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
-        0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77,
-        0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
-        0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x30, 0x32, 0x31, 0x30,
-        0x31, 0x39, 0x34, 0x39, 0x35, 0x32, 0x5A, 0x17, 0x0D, 0x32,
-        0x33, 0x31, 0x31, 0x30, 0x37, 0x31, 0x39, 0x34, 0x39, 0x35,
-        0x32, 0x5A, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06,
-        0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10,
-        0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D,
-        0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E,
-        0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A,
-        0x65, 0x6D, 0x61, 0x6E, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03,
-        0x55, 0x04, 0x0A, 0x0C, 0x0C, 0x77, 0x6F, 0x6C, 0x66, 0x53,
-        0x53, 0x4C, 0x5F, 0x33, 0x30, 0x37, 0x32, 0x31, 0x19, 0x30,
-        0x17, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50, 0x72,
-        0x6F, 0x67, 0x72, 0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D,
-        0x33, 0x30, 0x37, 0x32, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03,
-        0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77,
-        0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
-        0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
-        0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66,
-        0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E,
-        0x63, 0x6F, 0x6D, 0x30, 0x82, 0x01, 0xA2, 0x30, 0x0D, 0x06,
-        0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01,
-        0x05, 0x00, 0x03, 0x82, 0x01, 0x8F, 0x00, 0x30, 0x82, 0x01,
-        0x8A, 0x02, 0x82, 0x01, 0x81, 0x00, 0xAC, 0x39, 0x50, 0x68,
-        0x8F, 0x78, 0xF8, 0x10, 0x9B, 0x68, 0x96, 0xD3, 0xE1, 0x9C,
-        0x56, 0x68, 0x5A, 0x41, 0x62, 0xE3, 0xB3, 0x41, 0xB0, 0x55,
-        0x80, 0x17, 0xB0, 0x88, 0x16, 0x9B, 0xE0, 0x97, 0x74, 0x5F,
-        0x42, 0x79, 0x73, 0x42, 0xDF, 0x93, 0xF3, 0xAA, 0x9D, 0xEE,
-        0x2D, 0x6F, 0xAA, 0xBC, 0x27, 0x90, 0x84, 0xC0, 0x5D, 0xC7,
-        0xEC, 0x49, 0xEA, 0x5C, 0x66, 0x1D, 0x70, 0x9C, 0x53, 0x5C,
-        0xBA, 0xA1, 0xB3, 0x58, 0xC9, 0x3E, 0x8E, 0x9B, 0x72, 0x3D,
-        0x6E, 0x02, 0x02, 0x00, 0x9C, 0x65, 0x56, 0x82, 0xA3, 0x22,
-        0xB4, 0x08, 0x5F, 0x2A, 0xEF, 0xDF, 0x9A, 0xD0, 0xE7, 0x31,
-        0x59, 0x26, 0x5B, 0x0B, 0x1C, 0x63, 0x61, 0xFF, 0xD5, 0x69,
-        0x32, 0x19, 0x06, 0x7E, 0x0F, 0x40, 0x3C, 0x7A, 0x1E, 0xC8,
-        0xFC, 0x58, 0x6C, 0x64, 0xAE, 0x10, 0x3D, 0xA8, 0x23, 0xFF,
-        0x8E, 0x1A, 0xCA, 0x6A, 0x82, 0xE2, 0xF9, 0x01, 0x64, 0x2C,
-        0x97, 0xA0, 0x1A, 0x89, 0xA0, 0x74, 0xD3, 0xB6, 0x05, 0x11,
-        0xF2, 0x62, 0x06, 0x48, 0x2A, 0xF7, 0x66, 0xCE, 0xC1, 0x85,
-        0xE1, 0xD2, 0x27, 0xEA, 0xCA, 0x12, 0xA5, 0x91, 0x97, 0x3E,
-        0xFC, 0x94, 0x06, 0x59, 0x51, 0xC0, 0xE7, 0x13, 0xB6, 0x87,
-        0x7B, 0x5F, 0xD2, 0xC0, 0x56, 0x2F, 0x5E, 0x1D, 0x02, 0xC3,
-        0x11, 0x2C, 0xDF, 0xF7, 0x01, 0xDA, 0xBD, 0x85, 0x54, 0x35,
-        0x32, 0x5F, 0xC5, 0xC8, 0xF9, 0x7A, 0x9F, 0x89, 0xF7, 0x03,
-        0x0E, 0x7E, 0x79, 0x5D, 0x04, 0x82, 0x35, 0x10, 0xFE, 0x6D,
-        0x9B, 0xBF, 0xB8, 0xEE, 0xE2, 0x62, 0x87, 0x26, 0x5E, 0x2F,
-        0x50, 0x2F, 0x78, 0x0C, 0xE8, 0x73, 0x4F, 0x88, 0x6A, 0xD6,
-        0x26, 0xA4, 0xC9, 0xFC, 0xFA, 0x1E, 0x8A, 0xB0, 0xF4, 0x32,
-        0xCF, 0x57, 0xCD, 0xA1, 0x58, 0x8A, 0x49, 0x0F, 0xBB, 0xA9,
-        0x1D, 0x86, 0xAB, 0xB9, 0x8F, 0x8D, 0x57, 0x19, 0xB2, 0x5A,
-        0x7E, 0xA4, 0xEA, 0xCC, 0xB7, 0x96, 0x7A, 0x3B, 0x38, 0xCD,
-        0xDE, 0xE0, 0x61, 0xFC, 0xC9, 0x06, 0x8F, 0x93, 0x5A, 0xCE,
-        0xAD, 0x2A, 0xE3, 0x2D, 0x3E, 0x39, 0x5D, 0x41, 0x83, 0x01,
-        0x1F, 0x0F, 0xE1, 0x7F, 0x76, 0xC7, 0x28, 0xDA, 0x56, 0xEF,
-        0xBF, 0xDC, 0x26, 0x35, 0x40, 0xBE, 0xAD, 0xC7, 0x38, 0xAD,
-        0xA4, 0x06, 0xAC, 0xCA, 0xE8, 0x51, 0xEB, 0xC0, 0xF8, 0x68,
-        0x02, 0x2C, 0x9B, 0xA1, 0x14, 0xBC, 0xF8, 0x61, 0x86, 0xD7,
-        0x56, 0xD7, 0x73, 0xF4, 0xAB, 0xBB, 0x6A, 0x21, 0xD3, 0x88,
-        0x22, 0xB4, 0xE7, 0x6F, 0x7F, 0x91, 0xE5, 0x0E, 0xC6, 0x08,
-        0x49, 0xDE, 0xEA, 0x13, 0x58, 0x72, 0xA0, 0xAA, 0x3A, 0xF9,
-        0x36, 0x03, 0x45, 0x57, 0x5E, 0x87, 0xD2, 0x73, 0x65, 0xC4,
-        0x8C, 0xA3, 0xEE, 0xC9, 0xD6, 0x73, 0x7C, 0x96, 0x41, 0x93,
-        0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x44, 0x30,
-        0x82, 0x01, 0x40, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E,
-        0x04, 0x16, 0x04, 0x14, 0x3D, 0xD1, 0x84, 0xC2, 0xAF, 0xB0,
-        0x20, 0x49, 0xBC, 0x74, 0x87, 0x41, 0x38, 0xAB, 0xBA, 0xD2,
-        0xD4, 0x0C, 0xA3, 0xA8, 0x30, 0x81, 0xD3, 0x06, 0x03, 0x55,
-        0x1D, 0x23, 0x04, 0x81, 0xCB, 0x30, 0x81, 0xC8, 0x80, 0x14,
-        0x3D, 0xD1, 0x84, 0xC2, 0xAF, 0xB0, 0x20, 0x49, 0xBC, 0x74,
-        0x87, 0x41, 0x38, 0xAB, 0xBA, 0xD2, 0xD4, 0x0C, 0xA3, 0xA8,
-        0xA1, 0x81, 0xA4, 0xA4, 0x81, 0xA1, 0x30, 0x81, 0x9E, 0x31,
-        0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-        0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04,
-        0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61,
-        0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C,
-        0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x15,
-        0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0C, 0x77,
-        0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x5F, 0x33, 0x30, 0x37,
-        0x32, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0B,
-        0x0C, 0x10, 0x50, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x6D,
-        0x69, 0x6E, 0x67, 0x2D, 0x33, 0x30, 0x37, 0x32, 0x31, 0x18,
-        0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77,
-        0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C,
-        0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09,
-        0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16,
-        0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66,
-        0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00,
-        0xA4, 0xE0, 0xAA, 0xF3, 0x29, 0x50, 0x39, 0x8A, 0x30, 0x0C,
-        0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01,
-        0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x1D, 0x11, 0x04,
-        0x15, 0x30, 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D, 0x70,
-        0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D, 0x87, 0x04, 0x7F, 0x00,
-        0x00, 0x01, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04,
-        0x16, 0x30, 0x14, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05,
-        0x07, 0x03, 0x01, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05,
-        0x07, 0x03, 0x02, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48,
-        0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82,
-        0x01, 0x81, 0x00, 0x57, 0x21, 0xC0, 0xAD, 0x6E, 0x16, 0x74,
-        0xD5, 0xB1, 0x8B, 0x19, 0x55, 0x49, 0x7A, 0xA4, 0x5E, 0xD6,
-        0x18, 0xF9, 0x03, 0x80, 0x4B, 0xC2, 0x71, 0xD1, 0x04, 0x47,
-        0x9C, 0xB3, 0x73, 0x9C, 0x4F, 0x62, 0x4A, 0x3A, 0x9A, 0xD4,
-        0x48, 0xE4, 0x81, 0xDB, 0x8D, 0x15, 0xDF, 0x5D, 0x0F, 0x08,
-        0x13, 0x28, 0x28, 0xD7, 0x05, 0x44, 0xC1, 0xB9, 0x6D, 0xF1,
-        0x75, 0x60, 0x74, 0xD0, 0x44, 0xAE, 0x91, 0x0F, 0x3A, 0x7C,
-        0xF4, 0xEE, 0xEA, 0x6F, 0x06, 0x3A, 0x41, 0xAE, 0x6B, 0x5C,
-        0x8A, 0x0D, 0x85, 0x6B, 0xB3, 0xFB, 0xB1, 0x5F, 0x70, 0xF7,
-        0x9B, 0x32, 0x57, 0xFB, 0xC4, 0x6B, 0xCE, 0x90, 0x86, 0x0C,
-        0x96, 0x8A, 0x41, 0x4E, 0x61, 0xF3, 0xA1, 0x3F, 0x55, 0xE8,
-        0x94, 0x56, 0x12, 0x6D, 0x9E, 0x46, 0x2C, 0x31, 0xBD, 0x3F,
-        0x8A, 0x70, 0xC8, 0x20, 0xA4, 0xFB, 0xFA, 0xC6, 0x53, 0x58,
-        0xBB, 0x05, 0x28, 0xBA, 0x89, 0x0C, 0xB1, 0x5F, 0x21, 0xAC,
-        0x1E, 0xF1, 0x35, 0xFD, 0x6B, 0x14, 0xC1, 0x69, 0x08, 0xE9,
-        0x37, 0x14, 0xD8, 0x76, 0x50, 0x2A, 0xFC, 0xAA, 0x94, 0x7F,
-        0x39, 0x52, 0x3A, 0xA7, 0x3C, 0x0A, 0x53, 0x5E, 0xE0, 0x13,
-        0x1A, 0x00, 0xCA, 0xAC, 0xAA, 0x7E, 0xF7, 0x09, 0x68, 0x78,
-        0x60, 0x11, 0x73, 0xAB, 0x7D, 0x58, 0xFE, 0x03, 0x9F, 0xE6,
-        0x84, 0xEA, 0x51, 0x58, 0x40, 0x82, 0xA5, 0xFF, 0xA7, 0x2C,
-        0xEA, 0x42, 0xA5, 0x4C, 0xB6, 0x3B, 0x5C, 0x6B, 0xAB, 0xCF,
-        0x56, 0x8A, 0x8C, 0xEC, 0x3C, 0xF0, 0xAE, 0xD3, 0xCA, 0x0E,
-        0x09, 0x71, 0xCF, 0x79, 0x96, 0x72, 0x63, 0x4B, 0x24, 0x7A,
-        0xF3, 0x79, 0xCA, 0x69, 0x75, 0xC9, 0xB2, 0xA4, 0x54, 0xB8,
-        0x84, 0x40, 0x2B, 0x8F, 0x24, 0x27, 0x6A, 0xED, 0x8F, 0x53,
-        0xE0, 0x55, 0x9B, 0x35, 0x91, 0x18, 0x11, 0xCF, 0xB0, 0x3B,
-        0xB8, 0x65, 0x3C, 0xC6, 0xEF, 0xB0, 0x78, 0x7C, 0x43, 0x26,
-        0xF1, 0x12, 0x84, 0x6B, 0x2B, 0xF0, 0x7D, 0x3C, 0x7F, 0xDC,
-        0x67, 0xA4, 0x17, 0x89, 0x75, 0x00, 0x86, 0x1A, 0xEA, 0xCD,
-        0x1A, 0xCF, 0xDA, 0x11, 0x64, 0xCC, 0xBD, 0x10, 0x26, 0xEF,
-        0x6B, 0x1B, 0x93, 0xB3, 0x37, 0x14, 0x7F, 0x12, 0x80, 0x81,
-        0xB6, 0xFD, 0x8A, 0x8A, 0xD8, 0x95, 0x5F, 0xF9, 0x1E, 0xA5,
-        0x1E, 0x65, 0x5F, 0x75, 0x8D, 0x90, 0x2A, 0x0D, 0xB1, 0xAB,
-        0x26, 0x16, 0x31, 0xB2, 0x06, 0x64, 0x6F, 0x2B, 0x7E, 0x4A,
-        0xF4, 0xDE, 0xE9, 0x7A, 0xEC, 0x67, 0x35, 0xF3, 0x40, 0x71,
-        0x75, 0x37, 0xB3, 0xE1, 0x1D, 0xEF, 0x7D, 0xE2, 0x92, 0xEC,
-        0xD5, 0xE5, 0xBB, 0x99, 0x79, 0x50, 0x11, 0xB2, 0x8A, 0x57,
-        0x1B, 0x30, 0x2E, 0xB7, 0x16, 0x4C, 0xC8, 0xA6, 0x99, 0xB1,
-        0x01, 0x34, 0x08, 0x9D, 0xD8, 0xDF, 0xAF
+        0x30, 0x82, 0x06, 0x1D, 0x30, 0x82, 0x04, 0x85, 0xA0, 0x03,
+        0x02, 0x01, 0x02, 0x02, 0x14, 0x7F, 0x8B, 0xFD, 0x1A, 0x02,
+        0x4E, 0x04, 0x53, 0x8C, 0x0D, 0x42, 0xCC, 0x8D, 0xE9, 0xBC,
+        0xDE, 0x23, 0x18, 0x35, 0x4B, 0x30, 0x0D, 0x06, 0x09, 0x2A,
+        0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00,
+        0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55,
+        0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E,
+        0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E,
+        0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03,
+        0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D,
+        0x61, 0x6E, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04,
+        0x0A, 0x0C, 0x0C, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C,
+        0x5F, 0x33, 0x30, 0x37, 0x32, 0x31, 0x19, 0x30, 0x17, 0x06,
+        0x03, 0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50, 0x72, 0x6F, 0x67,
+        0x72, 0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D, 0x33, 0x30,
+        0x37, 0x32, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04,
+        0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C,
+        0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F,
+        0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+        0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40,
+        0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
+        0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x31, 0x32, 0x32,
+        0x30, 0x32, 0x33, 0x30, 0x37, 0x32, 0x34, 0x5A, 0x17, 0x0D,
+        0x32, 0x34, 0x30, 0x39, 0x31, 0x35, 0x32, 0x33, 0x30, 0x37,
+        0x32, 0x34, 0x5A, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09,
+        0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
+        0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07,
+        0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30,
+        0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F,
+        0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x15, 0x30, 0x13, 0x06,
+        0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0C, 0x77, 0x6F, 0x6C, 0x66,
+        0x53, 0x53, 0x4C, 0x5F, 0x33, 0x30, 0x37, 0x32, 0x31, 0x19,
+        0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50,
+        0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67,
+        0x2D, 0x33, 0x30, 0x37, 0x32, 0x31, 0x18, 0x30, 0x16, 0x06,
+        0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E,
+        0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
+        0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48,
+        0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E,
+        0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C,
+        0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x82, 0x01, 0xA2, 0x30, 0x0D,
+        0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01,
+        0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x8F, 0x00, 0x30, 0x82,
+        0x01, 0x8A, 0x02, 0x82, 0x01, 0x81, 0x00, 0xAC, 0x39, 0x50,
+        0x68, 0x8F, 0x78, 0xF8, 0x10, 0x9B, 0x68, 0x96, 0xD3, 0xE1,
+        0x9C, 0x56, 0x68, 0x5A, 0x41, 0x62, 0xE3, 0xB3, 0x41, 0xB0,
+        0x55, 0x80, 0x17, 0xB0, 0x88, 0x16, 0x9B, 0xE0, 0x97, 0x74,
+        0x5F, 0x42, 0x79, 0x73, 0x42, 0xDF, 0x93, 0xF3, 0xAA, 0x9D,
+        0xEE, 0x2D, 0x6F, 0xAA, 0xBC, 0x27, 0x90, 0x84, 0xC0, 0x5D,
+        0xC7, 0xEC, 0x49, 0xEA, 0x5C, 0x66, 0x1D, 0x70, 0x9C, 0x53,
+        0x5C, 0xBA, 0xA1, 0xB3, 0x58, 0xC9, 0x3E, 0x8E, 0x9B, 0x72,
+        0x3D, 0x6E, 0x02, 0x02, 0x00, 0x9C, 0x65, 0x56, 0x82, 0xA3,
+        0x22, 0xB4, 0x08, 0x5F, 0x2A, 0xEF, 0xDF, 0x9A, 0xD0, 0xE7,
+        0x31, 0x59, 0x26, 0x5B, 0x0B, 0x1C, 0x63, 0x61, 0xFF, 0xD5,
+        0x69, 0x32, 0x19, 0x06, 0x7E, 0x0F, 0x40, 0x3C, 0x7A, 0x1E,
+        0xC8, 0xFC, 0x58, 0x6C, 0x64, 0xAE, 0x10, 0x3D, 0xA8, 0x23,
+        0xFF, 0x8E, 0x1A, 0xCA, 0x6A, 0x82, 0xE2, 0xF9, 0x01, 0x64,
+        0x2C, 0x97, 0xA0, 0x1A, 0x89, 0xA0, 0x74, 0xD3, 0xB6, 0x05,
+        0x11, 0xF2, 0x62, 0x06, 0x48, 0x2A, 0xF7, 0x66, 0xCE, 0xC1,
+        0x85, 0xE1, 0xD2, 0x27, 0xEA, 0xCA, 0x12, 0xA5, 0x91, 0x97,
+        0x3E, 0xFC, 0x94, 0x06, 0x59, 0x51, 0xC0, 0xE7, 0x13, 0xB6,
+        0x87, 0x7B, 0x5F, 0xD2, 0xC0, 0x56, 0x2F, 0x5E, 0x1D, 0x02,
+        0xC3, 0x11, 0x2C, 0xDF, 0xF7, 0x01, 0xDA, 0xBD, 0x85, 0x54,
+        0x35, 0x32, 0x5F, 0xC5, 0xC8, 0xF9, 0x7A, 0x9F, 0x89, 0xF7,
+        0x03, 0x0E, 0x7E, 0x79, 0x5D, 0x04, 0x82, 0x35, 0x10, 0xFE,
+        0x6D, 0x9B, 0xBF, 0xB8, 0xEE, 0xE2, 0x62, 0x87, 0x26, 0x5E,
+        0x2F, 0x50, 0x2F, 0x78, 0x0C, 0xE8, 0x73, 0x4F, 0x88, 0x6A,
+        0xD6, 0x26, 0xA4, 0xC9, 0xFC, 0xFA, 0x1E, 0x8A, 0xB0, 0xF4,
+        0x32, 0xCF, 0x57, 0xCD, 0xA1, 0x58, 0x8A, 0x49, 0x0F, 0xBB,
+        0xA9, 0x1D, 0x86, 0xAB, 0xB9, 0x8F, 0x8D, 0x57, 0x19, 0xB2,
+        0x5A, 0x7E, 0xA4, 0xEA, 0xCC, 0xB7, 0x96, 0x7A, 0x3B, 0x38,
+        0xCD, 0xDE, 0xE0, 0x61, 0xFC, 0xC9, 0x06, 0x8F, 0x93, 0x5A,
+        0xCE, 0xAD, 0x2A, 0xE3, 0x2D, 0x3E, 0x39, 0x5D, 0x41, 0x83,
+        0x01, 0x1F, 0x0F, 0xE1, 0x7F, 0x76, 0xC7, 0x28, 0xDA, 0x56,
+        0xEF, 0xBF, 0xDC, 0x26, 0x35, 0x40, 0xBE, 0xAD, 0xC7, 0x38,
+        0xAD, 0xA4, 0x06, 0xAC, 0xCA, 0xE8, 0x51, 0xEB, 0xC0, 0xF8,
+        0x68, 0x02, 0x2C, 0x9B, 0xA1, 0x14, 0xBC, 0xF8, 0x61, 0x86,
+        0xD7, 0x56, 0xD7, 0x73, 0xF4, 0xAB, 0xBB, 0x6A, 0x21, 0xD3,
+        0x88, 0x22, 0xB4, 0xE7, 0x6F, 0x7F, 0x91, 0xE5, 0x0E, 0xC6,
+        0x08, 0x49, 0xDE, 0xEA, 0x13, 0x58, 0x72, 0xA0, 0xAA, 0x3A,
+        0xF9, 0x36, 0x03, 0x45, 0x57, 0x5E, 0x87, 0xD2, 0x73, 0x65,
+        0xC4, 0x8C, 0xA3, 0xEE, 0xC9, 0xD6, 0x73, 0x7C, 0x96, 0x41,
+        0x93, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x4F,
+        0x30, 0x82, 0x01, 0x4B, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D,
+        0x0E, 0x04, 0x16, 0x04, 0x14, 0x3D, 0xD1, 0x84, 0xC2, 0xAF,
+        0xB0, 0x20, 0x49, 0xBC, 0x74, 0x87, 0x41, 0x38, 0xAB, 0xBA,
+        0xD2, 0xD4, 0x0C, 0xA3, 0xA8, 0x30, 0x81, 0xDE, 0x06, 0x03,
+        0x55, 0x1D, 0x23, 0x04, 0x81, 0xD6, 0x30, 0x81, 0xD3, 0x80,
+        0x14, 0x3D, 0xD1, 0x84, 0xC2, 0xAF, 0xB0, 0x20, 0x49, 0xBC,
+        0x74, 0x87, 0x41, 0x38, 0xAB, 0xBA, 0xD2, 0xD4, 0x0C, 0xA3,
+        0xA8, 0xA1, 0x81, 0xA4, 0xA4, 0x81, 0xA1, 0x30, 0x81, 0x9E,
+        0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
+        0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55,
+        0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E,
+        0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07,
+        0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31,
+        0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0C,
+        0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x5F, 0x33, 0x30,
+        0x37, 0x32, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04,
+        0x0B, 0x0C, 0x10, 0x50, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D,
+        0x6D, 0x69, 0x6E, 0x67, 0x2D, 0x33, 0x30, 0x37, 0x32, 0x31,
+        0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F,
+        0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73,
+        0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06,
+        0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01,
+        0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C,
+        0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x14,
+        0x7F, 0x8B, 0xFD, 0x1A, 0x02, 0x4E, 0x04, 0x53, 0x8C, 0x0D,
+        0x42, 0xCC, 0x8D, 0xE9, 0xBC, 0xDE, 0x23, 0x18, 0x35, 0x4B,
+        0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30,
+        0x03, 0x01, 0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x1D,
+        0x11, 0x04, 0x15, 0x30, 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61,
+        0x6D, 0x70, 0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D, 0x87, 0x04,
+        0x7F, 0x00, 0x00, 0x01, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D,
+        0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2B, 0x06, 0x01,
+        0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2B, 0x06, 0x01,
+        0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0D, 0x06, 0x09, 0x2A,
+        0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00,
+        0x03, 0x82, 0x01, 0x81, 0x00, 0x43, 0xDC, 0xB3, 0x5C, 0x82,
+        0xC4, 0x77, 0x4B, 0xE0, 0xD9, 0x2B, 0xBB, 0xC5, 0x4A, 0xCC,
+        0x7A, 0x0B, 0x9C, 0xDA, 0x44, 0x5E, 0xC5, 0x42, 0xDC, 0xBC,
+        0x6F, 0xFE, 0x75, 0xFC, 0x12, 0x18, 0x01, 0x61, 0x3C, 0x6D,
+        0x5D, 0x30, 0x4D, 0x67, 0x24, 0x94, 0x3E, 0x4A, 0xD3, 0xDA,
+        0xA8, 0xBA, 0xB7, 0xDB, 0x3C, 0xE9, 0xBD, 0xBF, 0x8F, 0xE8,
+        0xBE, 0x81, 0x9A, 0xE4, 0xBF, 0x94, 0xA2, 0xAE, 0x4D, 0x3E,
+        0x90, 0x45, 0x27, 0xF2, 0x22, 0xBB, 0x6A, 0x9B, 0x04, 0x91,
+        0xDB, 0xFD, 0x61, 0x0C, 0xCA, 0x6D, 0xF1, 0x78, 0x94, 0x9E,
+        0x57, 0xAB, 0x2E, 0xF6, 0x99, 0xDA, 0x9A, 0x55, 0xE7, 0x07,
+        0x87, 0x01, 0x8C, 0x9A, 0x7C, 0x90, 0xAD, 0xF2, 0xBC, 0x2C,
+        0x2F, 0x5A, 0xA3, 0xCC, 0xC9, 0xE2, 0xEC, 0x67, 0xA9, 0x1F,
+        0xB7, 0x2C, 0x7B, 0xB5, 0xB4, 0xAE, 0x56, 0xF3, 0x86, 0xF3,
+        0x21, 0x06, 0x71, 0x3C, 0x5F, 0x3C, 0x16, 0x44, 0x24, 0xF1,
+        0xF7, 0xDD, 0x78, 0xC2, 0xFD, 0xB6, 0xEF, 0x90, 0xC1, 0xFD,
+        0xB2, 0xA5, 0x57, 0x15, 0x04, 0xB6, 0x90, 0x3F, 0x53, 0xA8,
+        0x4E, 0xE0, 0x49, 0x22, 0x09, 0x08, 0x35, 0xDA, 0xAF, 0x2C,
+        0x8C, 0xD1, 0x4B, 0x28, 0x26, 0x9E, 0xD1, 0x03, 0x07, 0x28,
+        0x95, 0xB6, 0x4B, 0xB1, 0x41, 0xF2, 0x94, 0x2F, 0x4C, 0x3B,
+        0xB3, 0x0D, 0x94, 0x6B, 0xCC, 0x25, 0xFC, 0x5A, 0x47, 0x57,
+        0xE5, 0x6D, 0xBD, 0x8E, 0x02, 0xE9, 0x19, 0x3F, 0xE4, 0x51,
+        0x08, 0x5A, 0xC8, 0xFB, 0x6C, 0x01, 0xE0, 0x7D, 0x8A, 0x95,
+        0x9E, 0x1B, 0xA6, 0xE1, 0x0E, 0xDA, 0x3C, 0x1E, 0x69, 0xF2,
+        0x31, 0xC8, 0xF5, 0xAA, 0x72, 0xA4, 0xB5, 0x01, 0x5D, 0xFF,
+        0xA4, 0x2B, 0x2D, 0x1C, 0x34, 0x72, 0x80, 0xA8, 0x73, 0x5F,
+        0x98, 0xA6, 0x8D, 0x69, 0x2F, 0x5F, 0x7B, 0xE8, 0x7F, 0x91,
+        0x87, 0x87, 0xC5, 0x61, 0xCD, 0xC7, 0xC3, 0x78, 0x0C, 0xAA,
+        0x53, 0x3E, 0xFA, 0x5D, 0x8E, 0x2F, 0x05, 0x11, 0x36, 0xFB,
+        0xC0, 0xB0, 0x87, 0xDF, 0x8A, 0xBE, 0x5B, 0xAD, 0x43, 0x4B,
+        0x0F, 0x77, 0xEA, 0x69, 0xCD, 0xED, 0x31, 0xF7, 0x48, 0x96,
+        0x09, 0xD7, 0x91, 0x64, 0x63, 0x88, 0x22, 0xE3, 0xB8, 0x2C,
+        0x72, 0x98, 0x92, 0x34, 0x2A, 0x0A, 0xFE, 0x06, 0x47, 0xF6,
+        0xAD, 0x25, 0x49, 0x12, 0x19, 0x1D, 0x4D, 0x6F, 0xE7, 0xAD,
+        0x94, 0x08, 0x2B, 0x3B, 0x6A, 0xD2, 0xD7, 0x99, 0x5E, 0x2F,
+        0x77, 0x11, 0x91, 0x46, 0x37, 0x7B, 0x5D, 0x54, 0x81, 0x3C,
+        0x6E, 0x09, 0xDC, 0x95, 0x22, 0x88, 0x24, 0xDD, 0x84, 0xF7,
+        0x89, 0x40, 0x76, 0x51, 0x52, 0x81, 0xC6, 0x41, 0x1F, 0xCE,
+        0x66, 0x47, 0x54, 0x3F, 0xFD, 0x79, 0xF9, 0xAF, 0x16, 0x42,
+        0xA2, 0x39, 0xC5, 0xA6, 0x3B, 0x6E, 0x00, 0x5D, 0x81
 };
 static const int sizeof_client_cert_der_3072 = sizeof(client_cert_der_3072);
 
@@ -3087,187 +3102,189 @@ static const int sizeof_client_keypub_der_4096 = sizeof(client_keypub_der_4096);
 /* ./certs/4096/client-cert.der, 4096-bit */
 static const unsigned char client_cert_der_4096[] =
 {
-        0x30, 0x82, 0x07, 0x07, 0x30, 0x82, 0x04, 0xEF, 0xA0, 0x03,
-        0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xA0, 0x3E, 0xDB, 0xCF,
-        0x97, 0x9A, 0x72, 0x8C, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
-        0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30,
-        0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
-        0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06,
-        0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74,
-        0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55,
-        0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61,
-        0x6E, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0A,
-        0x0C, 0x0C, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x5F,
-        0x34, 0x30, 0x39, 0x36, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03,
-        0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50, 0x72, 0x6F, 0x67, 0x72,
-        0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D, 0x34, 0x30, 0x39,
-        0x36, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03,
-        0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66,
-        0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30,
-        0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
-        0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77,
-        0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
-        0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x30, 0x32, 0x31, 0x30,
-        0x31, 0x39, 0x34, 0x39, 0x35, 0x32, 0x5A, 0x17, 0x0D, 0x32,
-        0x33, 0x31, 0x31, 0x30, 0x37, 0x31, 0x39, 0x34, 0x39, 0x35,
-        0x32, 0x5A, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06,
-        0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10,
-        0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D,
-        0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E,
-        0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A,
-        0x65, 0x6D, 0x61, 0x6E, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03,
-        0x55, 0x04, 0x0A, 0x0C, 0x0C, 0x77, 0x6F, 0x6C, 0x66, 0x53,
-        0x53, 0x4C, 0x5F, 0x34, 0x30, 0x39, 0x36, 0x31, 0x19, 0x30,
-        0x17, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50, 0x72,
-        0x6F, 0x67, 0x72, 0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D,
-        0x34, 0x30, 0x39, 0x36, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03,
-        0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77,
-        0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
-        0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
-        0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66,
-        0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E,
-        0x63, 0x6F, 0x6D, 0x30, 0x82, 0x02, 0x22, 0x30, 0x0D, 0x06,
-        0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01,
-        0x05, 0x00, 0x03, 0x82, 0x02, 0x0F, 0x00, 0x30, 0x82, 0x02,
-        0x0A, 0x02, 0x82, 0x02, 0x01, 0x00, 0xF5, 0xD0, 0x31, 0xE4,
-        0x71, 0x59, 0x58, 0xB3, 0x07, 0x50, 0xDD, 0x16, 0x79, 0xFC,
-        0xC6, 0x95, 0x50, 0xFC, 0x46, 0x0E, 0x57, 0x12, 0x86, 0x71,
-        0x8D, 0xE3, 0x9B, 0x4A, 0x33, 0xEA, 0x4F, 0xD9, 0x17, 0x13,
-        0x6D, 0x48, 0x69, 0xDF, 0x59, 0x11, 0x08, 0x02, 0x9D, 0xAF,
-        0x2B, 0xC7, 0x30, 0xBE, 0x0C, 0xDC, 0x87, 0xD4, 0x5A, 0x12,
-        0x09, 0x23, 0x5D, 0xE1, 0x76, 0x5A, 0x62, 0x37, 0x46, 0x74,
-        0xEF, 0x03, 0x05, 0xBB, 0x1E, 0x6D, 0x29, 0x75, 0x6C, 0x2E,
-        0x9D, 0x87, 0x0D, 0x8F, 0x87, 0xCB, 0x14, 0x95, 0x9B, 0xBE,
-        0x17, 0x6B, 0x51, 0xD1, 0x4C, 0xDA, 0xD7, 0x91, 0x66, 0xC5,
-        0x36, 0xEB, 0xE0, 0x07, 0x1A, 0x76, 0x4D, 0xB0, 0xFB, 0xC1,
-        0xF5, 0x5E, 0x05, 0xDB, 0xBA, 0xCB, 0x25, 0xD9, 0x99, 0x13,
-        0x1C, 0xC0, 0x35, 0xDC, 0x40, 0xE9, 0x36, 0xCD, 0xC4, 0xD5,
-        0x7A, 0x41, 0x70, 0x0F, 0x36, 0xEB, 0xA5, 0x4E, 0x17, 0x05,
-        0xD5, 0x75, 0x1B, 0x64, 0x62, 0x7A, 0x3F, 0x0D, 0x28, 0x48,
-        0x6A, 0xE3, 0xAC, 0x9C, 0xA8, 0x8F, 0xE9, 0xED, 0xF7, 0xCD,
-        0x24, 0xA0, 0xB1, 0xA0, 0x03, 0xAC, 0xE3, 0x03, 0xF5, 0x3F,
-        0xD1, 0x96, 0xFF, 0x2A, 0x7E, 0x08, 0xB1, 0xD3, 0xE0, 0x18,
-        0x14, 0xEC, 0x65, 0x37, 0x50, 0x43, 0xC2, 0x6A, 0x8C, 0xF4,
-        0x5B, 0xFE, 0xC4, 0xCB, 0x8D, 0x3F, 0x81, 0x02, 0xF7, 0xC2,
-        0xDD, 0xE4, 0xC1, 0x8E, 0x80, 0x0C, 0x04, 0x25, 0x2D, 0x80,
-        0x5A, 0x2E, 0x0F, 0x22, 0x35, 0x4A, 0xF4, 0x85, 0xED, 0x51,
-        0xD8, 0xAB, 0x6D, 0x8F, 0xA2, 0x3B, 0x24, 0x00, 0x6E, 0x81,
-        0xE2, 0x1E, 0x76, 0xD6, 0xAC, 0x31, 0x12, 0xDB, 0xF3, 0x8E,
-        0x07, 0xA1, 0xDE, 0x89, 0x4A, 0x39, 0x60, 0x77, 0xC5, 0xAA,
-        0xF1, 0x51, 0xE6, 0x06, 0xF1, 0x95, 0x56, 0x2A, 0xE1, 0x8E,
-        0x92, 0x30, 0x9F, 0xFE, 0x58, 0x44, 0xAC, 0x46, 0xF2, 0xFD,
-        0x9A, 0xFC, 0xA8, 0x1D, 0xA1, 0xD3, 0x55, 0x37, 0x4A, 0x8B,
-        0xFC, 0x9C, 0x33, 0xF8, 0xA7, 0x61, 0x48, 0x41, 0x7C, 0x9C,
-        0x77, 0x3F, 0xF5, 0x80, 0x23, 0x7D, 0x43, 0xB4, 0xD5, 0x88,
-        0x0A, 0xC9, 0x75, 0xD7, 0x44, 0x19, 0x4D, 0x77, 0x6C, 0x0B,
-        0x0A, 0x49, 0xAA, 0x1C, 0x2F, 0xD6, 0x5A, 0x44, 0xA6, 0x47,
-        0x4D, 0xE5, 0x36, 0x96, 0x40, 0x99, 0x2C, 0x56, 0x26, 0xB1,
-        0xF2, 0x92, 0x31, 0x59, 0xD7, 0x2C, 0xD4, 0xB4, 0x21, 0xD6,
-        0x65, 0x13, 0x0B, 0x3E, 0xFB, 0xFF, 0x04, 0xEB, 0xB9, 0x85,
-        0xB9, 0xD8, 0xD8, 0x28, 0x4F, 0x5C, 0x17, 0x96, 0xA3, 0x51,
-        0xBE, 0xFE, 0x7D, 0x0B, 0x1B, 0x48, 0x40, 0x25, 0x76, 0x94,
-        0xDC, 0x41, 0xFB, 0xBF, 0x73, 0x76, 0xDA, 0xEB, 0xB3, 0x62,
-        0xE7, 0xC1, 0xC8, 0x54, 0x6A, 0x93, 0xE1, 0x8D, 0x31, 0xE8,
-        0x3E, 0x3E, 0xDF, 0xBC, 0x87, 0x02, 0x30, 0x22, 0x57, 0xC4,
-        0xE0, 0x18, 0x7A, 0xD3, 0xAE, 0xE4, 0x02, 0x9B, 0xAA, 0xBD,
-        0x4E, 0x49, 0x47, 0x72, 0xE9, 0x8D, 0x13, 0x2D, 0x54, 0x9B,
-        0x00, 0xA7, 0x91, 0x61, 0x71, 0xC9, 0xCC, 0x48, 0x4F, 0xEE,
-        0xDF, 0x5E, 0x1B, 0x1A, 0xDF, 0x67, 0xD3, 0x20, 0xE6, 0x44,
-        0x45, 0x98, 0x7E, 0xE7, 0x0E, 0x63, 0x16, 0x83, 0xC9, 0x26,
-        0x5D, 0x90, 0xC1, 0xE5, 0x2A, 0x5C, 0x45, 0x54, 0x13, 0xB2,
-        0x81, 0x18, 0x06, 0x20, 0x2E, 0x2E, 0x66, 0x5A, 0xB5, 0x7B,
-        0x6E, 0xD6, 0x0C, 0x4E, 0x89, 0x01, 0x56, 0x70, 0xBB, 0xAE,
-        0xDE, 0xE9, 0x99, 0x5E, 0xD1, 0xB9, 0x3A, 0xB7, 0x6C, 0x17,
-        0xB6, 0x03, 0xA9, 0x08, 0xDD, 0x9C, 0xF4, 0x14, 0xC9, 0xC9,
-        0x59, 0x39, 0x72, 0xD4, 0x7E, 0x02, 0x37, 0x31, 0xCD, 0x0E,
-        0xA7, 0x3D, 0xF8, 0xF2, 0xCF, 0x6B, 0x15, 0xAB, 0x02, 0x03,
-        0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x44, 0x30, 0x82, 0x01,
-        0x40, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16,
-        0x04, 0x14, 0xFA, 0x54, 0x89, 0x67, 0xE5, 0x5F, 0xB7, 0x31,
-        0x40, 0xEA, 0xFD, 0xE7, 0xF6, 0xA3, 0xC6, 0x5A, 0x56, 0x16,
-        0xA5, 0x6E, 0x30, 0x81, 0xD3, 0x06, 0x03, 0x55, 0x1D, 0x23,
-        0x04, 0x81, 0xCB, 0x30, 0x81, 0xC8, 0x80, 0x14, 0xFA, 0x54,
-        0x89, 0x67, 0xE5, 0x5F, 0xB7, 0x31, 0x40, 0xEA, 0xFD, 0xE7,
-        0xF6, 0xA3, 0xC6, 0x5A, 0x56, 0x16, 0xA5, 0x6E, 0xA1, 0x81,
-        0xA4, 0xA4, 0x81, 0xA1, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30,
-        0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
-        0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C,
-        0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10,
-        0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42,
-        0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x15, 0x30, 0x13,
-        0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0C, 0x77, 0x6F, 0x6C,
-        0x66, 0x53, 0x53, 0x4C, 0x5F, 0x34, 0x30, 0x39, 0x36, 0x31,
-        0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x10,
-        0x50, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x6D, 0x69, 0x6E,
-        0x67, 0x2D, 0x34, 0x30, 0x39, 0x36, 0x31, 0x18, 0x30, 0x16,
-        0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77,
-        0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63,
-        0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86,
-        0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69,
-        0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73,
-        0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00, 0xA0, 0x3E,
-        0xDB, 0xCF, 0x97, 0x9A, 0x72, 0x8C, 0x30, 0x0C, 0x06, 0x03,
-        0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF,
-        0x30, 0x1C, 0x06, 0x03, 0x55, 0x1D, 0x11, 0x04, 0x15, 0x30,
-        0x13, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D, 0x70, 0x6C, 0x65,
-        0x2E, 0x63, 0x6F, 0x6D, 0x87, 0x04, 0x7F, 0x00, 0x00, 0x01,
-        0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04, 0x16, 0x30,
-        0x14, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03,
-        0x01, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03,
-        0x02, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
-        0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01,
-        0x00, 0x17, 0xAB, 0x22, 0x61, 0x05, 0x6D, 0x3A, 0xC0, 0x0D,
-        0x6B, 0xD9, 0x15, 0x82, 0x11, 0xCF, 0xE7, 0xF8, 0x65, 0xDA,
-        0xC7, 0xEF, 0xDA, 0x0F, 0x50, 0x75, 0xBD, 0x55, 0xCF, 0x3D,
-        0x50, 0xDD, 0xD4, 0x0D, 0x2C, 0x04, 0x48, 0xA8, 0x25, 0x3A,
-        0xB9, 0xC4, 0xCE, 0x48, 0x7E, 0xB8, 0x63, 0xCD, 0xCD, 0xCE,
-        0xBC, 0x50, 0x26, 0xDC, 0x6D, 0xC2, 0x1E, 0xD1, 0x71, 0x3A,
-        0x2F, 0xDB, 0xE5, 0x03, 0x6B, 0x73, 0x55, 0x23, 0x70, 0x76,
-        0x1E, 0x08, 0x2A, 0x92, 0x7B, 0xD6, 0x6A, 0xEF, 0x17, 0xA0,
-        0xF3, 0x8C, 0xEA, 0xEB, 0xC4, 0x2E, 0xCB, 0xD4, 0xD9, 0xD5,
-        0xAB, 0xF7, 0xE6, 0x8D, 0xEC, 0xD9, 0x97, 0xA1, 0x56, 0xA7,
-        0x0B, 0x5D, 0xE5, 0x3F, 0x1F, 0x5E, 0x6A, 0x7A, 0xA4, 0x64,
-        0xD7, 0xB2, 0x42, 0x1A, 0x1E, 0x49, 0x37, 0x93, 0xBC, 0xBE,
-        0x13, 0xA8, 0xFB, 0xB1, 0x93, 0x7B, 0xA8, 0x2B, 0x49, 0x90,
-        0x43, 0x84, 0x24, 0x60, 0x44, 0xFC, 0x32, 0x74, 0x85, 0x0E,
-        0x1B, 0xF8, 0x3A, 0x92, 0x3D, 0xAA, 0x25, 0x1B, 0x9F, 0x97,
-        0x31, 0x95, 0x97, 0xC5, 0x3D, 0x51, 0xDD, 0xB6, 0xD5, 0x4A,
-        0x7E, 0x41, 0xB3, 0x90, 0x83, 0x7C, 0x98, 0xFA, 0xCB, 0x22,
-        0x33, 0xA5, 0xF4, 0x32, 0x74, 0xBD, 0x3E, 0xB1, 0x3B, 0x34,
-        0xF9, 0xC3, 0x3F, 0xBE, 0xDB, 0x0E, 0xD9, 0x2F, 0x1A, 0xF9,
-        0xD2, 0x4F, 0x14, 0x53, 0x63, 0xF2, 0x21, 0xA3, 0xE9, 0xC3,
-        0xAD, 0x04, 0x6E, 0xE7, 0xAD, 0x1F, 0x6B, 0xCE, 0x4E, 0x35,
-        0x4A, 0x61, 0x84, 0xB9, 0x61, 0x65, 0x1D, 0xA2, 0xD7, 0xA1,
-        0xE6, 0x74, 0x08, 0x15, 0x38, 0x75, 0xB0, 0x23, 0x70, 0x22,
-        0x15, 0x59, 0x2C, 0x48, 0xF0, 0xDA, 0x9A, 0x99, 0xD4, 0x2B,
-        0x83, 0xDF, 0x9A, 0x93, 0x78, 0x45, 0xB9, 0x84, 0x5C, 0x7E,
-        0x71, 0x90, 0xDA, 0x56, 0x1C, 0x9F, 0x57, 0xED, 0x76, 0xF7,
-        0x17, 0xE5, 0xD2, 0x01, 0x90, 0x99, 0x5F, 0x4C, 0x07, 0x49,
-        0x07, 0x82, 0x75, 0x92, 0x44, 0x7A, 0xFE, 0x9B, 0xA7, 0x4D,
-        0xEC, 0xC8, 0xDC, 0x46, 0x67, 0x28, 0x04, 0x8B, 0x08, 0x17,
-        0x94, 0x13, 0xE9, 0xA0, 0xD2, 0xB2, 0x26, 0x56, 0x27, 0x60,
-        0x94, 0x5A, 0x50, 0x5C, 0xCF, 0x34, 0x4D, 0x3F, 0x35, 0xE7,
-        0x12, 0x5D, 0xC5, 0x32, 0x00, 0x2F, 0xE0, 0x1D, 0x09, 0xE5,
-        0x36, 0x8D, 0x77, 0x93, 0xF6, 0xE5, 0x62, 0xB4, 0xA3, 0x9B,
-        0xC6, 0x7C, 0xE6, 0x3D, 0xD5, 0x38, 0x33, 0x5F, 0x23, 0x5B,
-        0x81, 0x2E, 0x24, 0x26, 0x9E, 0x98, 0xA8, 0xAF, 0x04, 0x3D,
-        0x65, 0x3F, 0x71, 0x88, 0x48, 0x44, 0x5C, 0x1A, 0x11, 0x0E,
-        0x1B, 0xE1, 0x81, 0xB1, 0xB6, 0x66, 0xE6, 0x3C, 0x13, 0x67,
-        0xD6, 0x6B, 0xA3, 0xF3, 0xB7, 0xF6, 0x9F, 0x14, 0xA6, 0x87,
-        0x7F, 0x2B, 0x14, 0x31, 0x22, 0x7A, 0xF5, 0x0D, 0x44, 0xE6,
-        0xA3, 0x1A, 0xD6, 0xD2, 0xDC, 0x88, 0x71, 0x37, 0x28, 0x11,
-        0x6C, 0xEF, 0x95, 0xAB, 0x1D, 0xC5, 0xC3, 0x9A, 0xEF, 0x1A,
-        0x54, 0x11, 0x92, 0x8E, 0x89, 0x43, 0x03, 0x26, 0xD0, 0xE9,
-        0x63, 0x33, 0xFE, 0x79, 0x4C, 0xA6, 0x6F, 0xC4, 0x58, 0x58,
-        0x2E, 0xB6, 0xAB, 0x57, 0xA0, 0x39, 0x4D, 0xFF, 0x88, 0xC0,
-        0x23, 0x2C, 0x3B, 0xE3, 0x9A, 0xDF, 0x48, 0xD3, 0x17, 0x45,
-        0x5D, 0x36, 0x4E, 0x00, 0x58, 0x72, 0xC3, 0xEF, 0xE7, 0x76,
-        0x0B, 0xF8, 0x19, 0xA8, 0x5F, 0xF6, 0x53, 0x98, 0x49, 0x2B,
-        0x52, 0xB5, 0x8E, 0xA5, 0xD8, 0x73, 0x6E, 0x3C, 0x23, 0x23,
-        0x06, 0x86, 0x25, 0x6B, 0x0D, 0x3B, 0xF2, 0x9A, 0x17, 0x33,
-        0xA4, 0x4E, 0xF5, 0x6B, 0xDE, 0xB3, 0x64, 0x20, 0x58, 0xC6,
-        0x6D, 0x22, 0xA9, 0xAE, 0xF4, 0x09, 0x9D, 0x0D, 0x6E, 0x9F,
-        0x96, 0x2A, 0x9E
+        0x30, 0x82, 0x07, 0x1D, 0x30, 0x82, 0x05, 0x05, 0xA0, 0x03,
+        0x02, 0x01, 0x02, 0x02, 0x14, 0x07, 0x91, 0x84, 0x28, 0x88,
+        0x1F, 0x29, 0xD0, 0x53, 0xFD, 0xED, 0x42, 0x1F, 0xCF, 0x88,
+        0x4C, 0x15, 0xD1, 0xF1, 0xA4, 0x30, 0x0D, 0x06, 0x09, 0x2A,
+        0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00,
+        0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55,
+        0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E,
+        0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E,
+        0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03,
+        0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D,
+        0x61, 0x6E, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04,
+        0x0A, 0x0C, 0x0C, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C,
+        0x5F, 0x34, 0x30, 0x39, 0x36, 0x31, 0x19, 0x30, 0x17, 0x06,
+        0x03, 0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50, 0x72, 0x6F, 0x67,
+        0x72, 0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D, 0x34, 0x30,
+        0x39, 0x36, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04,
+        0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C,
+        0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F,
+        0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+        0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40,
+        0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
+        0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x31, 0x32, 0x32,
+        0x30, 0x32, 0x33, 0x30, 0x37, 0x32, 0x34, 0x5A, 0x17, 0x0D,
+        0x32, 0x34, 0x30, 0x39, 0x31, 0x35, 0x32, 0x33, 0x30, 0x37,
+        0x32, 0x34, 0x5A, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09,
+        0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
+        0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07,
+        0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30,
+        0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F,
+        0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x15, 0x30, 0x13, 0x06,
+        0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0C, 0x77, 0x6F, 0x6C, 0x66,
+        0x53, 0x53, 0x4C, 0x5F, 0x34, 0x30, 0x39, 0x36, 0x31, 0x19,
+        0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50,
+        0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67,
+        0x2D, 0x34, 0x30, 0x39, 0x36, 0x31, 0x18, 0x30, 0x16, 0x06,
+        0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E,
+        0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
+        0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48,
+        0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E,
+        0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C,
+        0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x82, 0x02, 0x22, 0x30, 0x0D,
+        0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01,
+        0x01, 0x05, 0x00, 0x03, 0x82, 0x02, 0x0F, 0x00, 0x30, 0x82,
+        0x02, 0x0A, 0x02, 0x82, 0x02, 0x01, 0x00, 0xF5, 0xD0, 0x31,
+        0xE4, 0x71, 0x59, 0x58, 0xB3, 0x07, 0x50, 0xDD, 0x16, 0x79,
+        0xFC, 0xC6, 0x95, 0x50, 0xFC, 0x46, 0x0E, 0x57, 0x12, 0x86,
+        0x71, 0x8D, 0xE3, 0x9B, 0x4A, 0x33, 0xEA, 0x4F, 0xD9, 0x17,
+        0x13, 0x6D, 0x48, 0x69, 0xDF, 0x59, 0x11, 0x08, 0x02, 0x9D,
+        0xAF, 0x2B, 0xC7, 0x30, 0xBE, 0x0C, 0xDC, 0x87, 0xD4, 0x5A,
+        0x12, 0x09, 0x23, 0x5D, 0xE1, 0x76, 0x5A, 0x62, 0x37, 0x46,
+        0x74, 0xEF, 0x03, 0x05, 0xBB, 0x1E, 0x6D, 0x29, 0x75, 0x6C,
+        0x2E, 0x9D, 0x87, 0x0D, 0x8F, 0x87, 0xCB, 0x14, 0x95, 0x9B,
+        0xBE, 0x17, 0x6B, 0x51, 0xD1, 0x4C, 0xDA, 0xD7, 0x91, 0x66,
+        0xC5, 0x36, 0xEB, 0xE0, 0x07, 0x1A, 0x76, 0x4D, 0xB0, 0xFB,
+        0xC1, 0xF5, 0x5E, 0x05, 0xDB, 0xBA, 0xCB, 0x25, 0xD9, 0x99,
+        0x13, 0x1C, 0xC0, 0x35, 0xDC, 0x40, 0xE9, 0x36, 0xCD, 0xC4,
+        0xD5, 0x7A, 0x41, 0x70, 0x0F, 0x36, 0xEB, 0xA5, 0x4E, 0x17,
+        0x05, 0xD5, 0x75, 0x1B, 0x64, 0x62, 0x7A, 0x3F, 0x0D, 0x28,
+        0x48, 0x6A, 0xE3, 0xAC, 0x9C, 0xA8, 0x8F, 0xE9, 0xED, 0xF7,
+        0xCD, 0x24, 0xA0, 0xB1, 0xA0, 0x03, 0xAC, 0xE3, 0x03, 0xF5,
+        0x3F, 0xD1, 0x96, 0xFF, 0x2A, 0x7E, 0x08, 0xB1, 0xD3, 0xE0,
+        0x18, 0x14, 0xEC, 0x65, 0x37, 0x50, 0x43, 0xC2, 0x6A, 0x8C,
+        0xF4, 0x5B, 0xFE, 0xC4, 0xCB, 0x8D, 0x3F, 0x81, 0x02, 0xF7,
+        0xC2, 0xDD, 0xE4, 0xC1, 0x8E, 0x80, 0x0C, 0x04, 0x25, 0x2D,
+        0x80, 0x5A, 0x2E, 0x0F, 0x22, 0x35, 0x4A, 0xF4, 0x85, 0xED,
+        0x51, 0xD8, 0xAB, 0x6D, 0x8F, 0xA2, 0x3B, 0x24, 0x00, 0x6E,
+        0x81, 0xE2, 0x1E, 0x76, 0xD6, 0xAC, 0x31, 0x12, 0xDB, 0xF3,
+        0x8E, 0x07, 0xA1, 0xDE, 0x89, 0x4A, 0x39, 0x60, 0x77, 0xC5,
+        0xAA, 0xF1, 0x51, 0xE6, 0x06, 0xF1, 0x95, 0x56, 0x2A, 0xE1,
+        0x8E, 0x92, 0x30, 0x9F, 0xFE, 0x58, 0x44, 0xAC, 0x46, 0xF2,
+        0xFD, 0x9A, 0xFC, 0xA8, 0x1D, 0xA1, 0xD3, 0x55, 0x37, 0x4A,
+        0x8B, 0xFC, 0x9C, 0x33, 0xF8, 0xA7, 0x61, 0x48, 0x41, 0x7C,
+        0x9C, 0x77, 0x3F, 0xF5, 0x80, 0x23, 0x7D, 0x43, 0xB4, 0xD5,
+        0x88, 0x0A, 0xC9, 0x75, 0xD7, 0x44, 0x19, 0x4D, 0x77, 0x6C,
+        0x0B, 0x0A, 0x49, 0xAA, 0x1C, 0x2F, 0xD6, 0x5A, 0x44, 0xA6,
+        0x47, 0x4D, 0xE5, 0x36, 0x96, 0x40, 0x99, 0x2C, 0x56, 0x26,
+        0xB1, 0xF2, 0x92, 0x31, 0x59, 0xD7, 0x2C, 0xD4, 0xB4, 0x21,
+        0xD6, 0x65, 0x13, 0x0B, 0x3E, 0xFB, 0xFF, 0x04, 0xEB, 0xB9,
+        0x85, 0xB9, 0xD8, 0xD8, 0x28, 0x4F, 0x5C, 0x17, 0x96, 0xA3,
+        0x51, 0xBE, 0xFE, 0x7D, 0x0B, 0x1B, 0x48, 0x40, 0x25, 0x76,
+        0x94, 0xDC, 0x41, 0xFB, 0xBF, 0x73, 0x76, 0xDA, 0xEB, 0xB3,
+        0x62, 0xE7, 0xC1, 0xC8, 0x54, 0x6A, 0x93, 0xE1, 0x8D, 0x31,
+        0xE8, 0x3E, 0x3E, 0xDF, 0xBC, 0x87, 0x02, 0x30, 0x22, 0x57,
+        0xC4, 0xE0, 0x18, 0x7A, 0xD3, 0xAE, 0xE4, 0x02, 0x9B, 0xAA,
+        0xBD, 0x4E, 0x49, 0x47, 0x72, 0xE9, 0x8D, 0x13, 0x2D, 0x54,
+        0x9B, 0x00, 0xA7, 0x91, 0x61, 0x71, 0xC9, 0xCC, 0x48, 0x4F,
+        0xEE, 0xDF, 0x5E, 0x1B, 0x1A, 0xDF, 0x67, 0xD3, 0x20, 0xE6,
+        0x44, 0x45, 0x98, 0x7E, 0xE7, 0x0E, 0x63, 0x16, 0x83, 0xC9,
+        0x26, 0x5D, 0x90, 0xC1, 0xE5, 0x2A, 0x5C, 0x45, 0x54, 0x13,
+        0xB2, 0x81, 0x18, 0x06, 0x20, 0x2E, 0x2E, 0x66, 0x5A, 0xB5,
+        0x7B, 0x6E, 0xD6, 0x0C, 0x4E, 0x89, 0x01, 0x56, 0x70, 0xBB,
+        0xAE, 0xDE, 0xE9, 0x99, 0x5E, 0xD1, 0xB9, 0x3A, 0xB7, 0x6C,
+        0x17, 0xB6, 0x03, 0xA9, 0x08, 0xDD, 0x9C, 0xF4, 0x14, 0xC9,
+        0xC9, 0x59, 0x39, 0x72, 0xD4, 0x7E, 0x02, 0x37, 0x31, 0xCD,
+        0x0E, 0xA7, 0x3D, 0xF8, 0xF2, 0xCF, 0x6B, 0x15, 0xAB, 0x02,
+        0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x4F, 0x30, 0x82,
+        0x01, 0x4B, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04,
+        0x16, 0x04, 0x14, 0xFA, 0x54, 0x89, 0x67, 0xE5, 0x5F, 0xB7,
+        0x31, 0x40, 0xEA, 0xFD, 0xE7, 0xF6, 0xA3, 0xC6, 0x5A, 0x56,
+        0x16, 0xA5, 0x6E, 0x30, 0x81, 0xDE, 0x06, 0x03, 0x55, 0x1D,
+        0x23, 0x04, 0x81, 0xD6, 0x30, 0x81, 0xD3, 0x80, 0x14, 0xFA,
+        0x54, 0x89, 0x67, 0xE5, 0x5F, 0xB7, 0x31, 0x40, 0xEA, 0xFD,
+        0xE7, 0xF6, 0xA3, 0xC6, 0x5A, 0x56, 0x16, 0xA5, 0x6E, 0xA1,
+        0x81, 0xA4, 0xA4, 0x81, 0xA1, 0x30, 0x81, 0x9E, 0x31, 0x0B,
+        0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
+        0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08,
+        0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31,
+        0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07,
+        0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x15, 0x30,
+        0x13, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0C, 0x77, 0x6F,
+        0x6C, 0x66, 0x53, 0x53, 0x4C, 0x5F, 0x34, 0x30, 0x39, 0x36,
+        0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C,
+        0x10, 0x50, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x6D, 0x69,
+        0x6E, 0x67, 0x2D, 0x34, 0x30, 0x39, 0x36, 0x31, 0x18, 0x30,
+        0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77,
+        0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E,
+        0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A,
+        0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10,
+        0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73,
+        0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x14, 0x07, 0x91,
+        0x84, 0x28, 0x88, 0x1F, 0x29, 0xD0, 0x53, 0xFD, 0xED, 0x42,
+        0x1F, 0xCF, 0x88, 0x4C, 0x15, 0xD1, 0xF1, 0xA4, 0x30, 0x0C,
+        0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01,
+        0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x1D, 0x11, 0x04,
+        0x15, 0x30, 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D, 0x70,
+        0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D, 0x87, 0x04, 0x7F, 0x00,
+        0x00, 0x01, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04,
+        0x16, 0x30, 0x14, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05,
+        0x07, 0x03, 0x01, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05,
+        0x07, 0x03, 0x02, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48,
+        0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82,
+        0x02, 0x01, 0x00, 0x97, 0x3A, 0x5C, 0x65, 0x88, 0xD6, 0xBD,
+        0xD6, 0x80, 0x4A, 0xA3, 0xA4, 0x13, 0x99, 0xD8, 0x7F, 0xDB,
+        0x6D, 0x68, 0xF6, 0x32, 0xC8, 0xEF, 0x7A, 0x70, 0xDB, 0x1B,
+        0xC2, 0x11, 0x7A, 0x21, 0x2B, 0xE4, 0xDF, 0x1E, 0x78, 0x08,
+        0x0B, 0x51, 0x6D, 0x0C, 0xC4, 0xCC, 0xA8, 0xE6, 0xAD, 0xEE,
+        0x7D, 0x67, 0x6B, 0xCE, 0x74, 0x3A, 0x90, 0x4C, 0xC0, 0x33,
+        0x18, 0xC4, 0xB4, 0xEF, 0x27, 0xAA, 0x73, 0xE3, 0x92, 0xD7,
+        0xF5, 0x31, 0x6F, 0x6B, 0x62, 0x57, 0x22, 0xE2, 0x69, 0x05,
+        0x0F, 0xC0, 0x99, 0x8E, 0xC2, 0xFF, 0xBE, 0x99, 0xBF, 0x05,
+        0x93, 0x05, 0x0B, 0x19, 0x8D, 0x0D, 0xBA, 0x92, 0xC9, 0xDD,
+        0x68, 0x1F, 0x3E, 0xE2, 0x24, 0xB7, 0x34, 0x13, 0x32, 0x0B,
+        0x92, 0xDD, 0x85, 0xA1, 0xFC, 0x38, 0x89, 0x03, 0x4D, 0x96,
+        0x4D, 0xBF, 0x1F, 0xA2, 0x7B, 0xB1, 0x9F, 0x4C, 0xDE, 0xA2,
+        0x7C, 0xE3, 0x1D, 0x33, 0x05, 0xEA, 0xF0, 0x91, 0x5E, 0xE5,
+        0x90, 0xCD, 0x62, 0x06, 0xB0, 0x98, 0x73, 0xF4, 0x74, 0xBC,
+        0xF7, 0x1D, 0x10, 0x43, 0x6D, 0xD0, 0x85, 0xC8, 0x15, 0xCA,
+        0x43, 0x6A, 0xDF, 0xDE, 0xBC, 0xFA, 0x3C, 0xE7, 0x03, 0x6E,
+        0xD4, 0xAA, 0x46, 0xDB, 0xFE, 0x18, 0x1B, 0xD0, 0xCA, 0x94,
+        0x7E, 0x7A, 0xE4, 0xD4, 0x21, 0xC4, 0x15, 0x27, 0xB9, 0x46,
+        0x7B, 0x1F, 0xB6, 0xCD, 0x03, 0xAE, 0x8D, 0xA3, 0xCF, 0x14,
+        0xDF, 0x54, 0x4F, 0x4A, 0xF6, 0x58, 0x4E, 0xB1, 0xBF, 0x5E,
+        0xD6, 0x7C, 0x21, 0x73, 0xC9, 0x4E, 0xC9, 0x0D, 0x0F, 0xB8,
+        0xD1, 0xA1, 0x80, 0x9E, 0xE6, 0xF3, 0x4B, 0x8E, 0xCB, 0xB7,
+        0xBB, 0x19, 0x5D, 0xF6, 0x16, 0x67, 0x5E, 0x01, 0x97, 0x17,
+        0x59, 0x71, 0x59, 0xCA, 0xEB, 0x3B, 0xEA, 0x70, 0x8E, 0x8F,
+        0x58, 0x1F, 0x5C, 0xD0, 0xAC, 0x12, 0xB5, 0xE4, 0xDE, 0xF6,
+        0xB0, 0x7F, 0xE7, 0x86, 0xFC, 0xAB, 0xD0, 0x78, 0x6C, 0xE6,
+        0xBA, 0xF4, 0xFA, 0x7F, 0x42, 0xCD, 0x4E, 0x7F, 0x43, 0xED,
+        0x39, 0xB7, 0x50, 0x1B, 0x34, 0x39, 0xC6, 0x30, 0xBC, 0xD7,
+        0x7E, 0x5C, 0x59, 0xBA, 0x6B, 0x7A, 0x90, 0x49, 0xA0, 0xDE,
+        0xF8, 0x43, 0x00, 0x82, 0x6D, 0x6B, 0x82, 0x01, 0x06, 0x01,
+        0xB0, 0x04, 0x49, 0xFE, 0xBD, 0x8B, 0x2D, 0xC6, 0x10, 0x9F,
+        0xD3, 0xFB, 0x1D, 0x56, 0x3A, 0xBF, 0x28, 0xA2, 0xA5, 0xBD,
+        0xC7, 0x6B, 0xA7, 0x0C, 0x01, 0xBF, 0x18, 0x4E, 0x75, 0x77,
+        0x49, 0x86, 0xAC, 0x44, 0x16, 0x2F, 0x9E, 0xFA, 0xE6, 0x4E,
+        0xF5, 0x81, 0x00, 0xE7, 0xE9, 0x49, 0x6D, 0xEE, 0x1E, 0xC2,
+        0x0C, 0x91, 0x3E, 0xFC, 0x14, 0x07, 0xCD, 0xDE, 0x08, 0xDC,
+        0xCB, 0x9A, 0x3C, 0x2C, 0x9A, 0x3E, 0x32, 0x03, 0xBA, 0x1E,
+        0x42, 0x17, 0x3B, 0x63, 0x8C, 0xCE, 0xDA, 0xFD, 0x6C, 0xD5,
+        0x55, 0x3A, 0x28, 0xA5, 0x35, 0x1D, 0x5F, 0x41, 0xF8, 0x1C,
+        0xFD, 0xF5, 0x73, 0xA1, 0x24, 0xC5, 0xA9, 0x40, 0xAB, 0xAE,
+        0xD0, 0x4B, 0xD3, 0xD3, 0xB1, 0x23, 0x64, 0x2B, 0x64, 0xBE,
+        0xC4, 0x3B, 0x39, 0xDC, 0x46, 0xD6, 0xF4, 0x9F, 0xF9, 0x4A,
+        0x74, 0xA1, 0x14, 0x58, 0x8E, 0xD7, 0x8F, 0x04, 0xE5, 0xCD,
+        0xFB, 0x35, 0xA2, 0x16, 0x86, 0xED, 0x95, 0xEA, 0x7A, 0xF5,
+        0xB5, 0x0F, 0x9B, 0xBD, 0x0C, 0xDC, 0x61, 0x4A, 0xA0, 0xD3,
+        0xCF, 0x51, 0xF5, 0xBE, 0xFD, 0x3B, 0xE7, 0x66, 0x41, 0x37,
+        0x6C, 0x89, 0xD1, 0x40, 0xE0, 0x2F, 0x65, 0xB6, 0x03, 0xA1,
+        0xA9, 0x57, 0x4C, 0x9F, 0x93, 0x95, 0x95, 0x97, 0xCA, 0x4F,
+        0x5A, 0x71, 0x92, 0x98, 0x5C, 0x39, 0xED, 0x24, 0xAC, 0x35,
+        0xCA, 0x51, 0xB7, 0x32, 0x74, 0x1E, 0xF9, 0x83, 0xE8, 0x6B,
+        0x4E, 0xBE, 0xD4, 0x75, 0x85
 };
 static const int sizeof_client_cert_der_4096 = sizeof(client_cert_der_4096);
 
@@ -3332,7 +3349,7 @@ static const int sizeof_dh_key_der_4096 = sizeof(dh_key_der_4096);
 
 #endif /* USE_CERT_BUFFERS_4096 */
 
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
 
 /* certs/falcon/bench_falcon_level1_key.der */
 static const unsigned char bench_falcon_level1_key[] =
@@ -3980,7 +3997,7 @@ static const unsigned char bench_falcon_level5_key[] =
 };
 static const int sizeof_bench_falcon_level5_key = sizeof(bench_falcon_level5_key);
 
-#endif /* HAVE_LIBOQS */
+#endif /* HAVE_PQC */
 
 #if defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256)
 
@@ -4022,91 +4039,93 @@ static const int sizeof_ecc_clikeypub_der_256 = sizeof(ecc_clikeypub_der_256);
 /* ./certs/client-ecc-cert.der, ECC */
 static const unsigned char cliecc_cert_der_256[] =
 {
-        0x30, 0x82, 0x03, 0x49, 0x30, 0x82, 0x02, 0xEE, 0xA0, 0x03,
-        0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xE7, 0x4A, 0x4F, 0xE5,
-        0x56, 0x97, 0xCA, 0xC3, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86,
-        0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x81, 0x8D, 0x31,
-        0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-        0x55, 0x53, 0x31, 0x0F, 0x30, 0x0D, 0x06, 0x03, 0x55, 0x04,
-        0x08, 0x0C, 0x06, 0x4F, 0x72, 0x65, 0x67, 0x6F, 0x6E, 0x31,
-        0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x05,
-        0x53, 0x61, 0x6C, 0x65, 0x6D, 0x31, 0x13, 0x30, 0x11, 0x06,
-        0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0A, 0x43, 0x6C, 0x69, 0x65,
-        0x6E, 0x74, 0x20, 0x45, 0x43, 0x43, 0x31, 0x0D, 0x30, 0x0B,
-        0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x04, 0x46, 0x61, 0x73,
-        0x74, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03,
-        0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66,
-        0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30,
-        0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
-        0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77,
+        0x30, 0x82, 0x03, 0x5E, 0x30, 0x82, 0x03, 0x04, 0xA0, 0x03,
+        0x02, 0x01, 0x02, 0x02, 0x14, 0x3E, 0x8D, 0x40, 0xA1, 0x0B,
+        0xE2, 0x5F, 0xD9, 0x7F, 0xB1, 0xF3, 0xAE, 0x73, 0x40, 0x92,
+        0xC1, 0xD8, 0xAA, 0xF0, 0x65, 0x30, 0x0A, 0x06, 0x08, 0x2A,
+        0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x81, 0x8D,
+        0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
+        0x02, 0x55, 0x53, 0x31, 0x0F, 0x30, 0x0D, 0x06, 0x03, 0x55,
+        0x04, 0x08, 0x0C, 0x06, 0x4F, 0x72, 0x65, 0x67, 0x6F, 0x6E,
+        0x31, 0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C,
+        0x05, 0x53, 0x61, 0x6C, 0x65, 0x6D, 0x31, 0x13, 0x30, 0x11,
+        0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0A, 0x43, 0x6C, 0x69,
+        0x65, 0x6E, 0x74, 0x20, 0x45, 0x43, 0x43, 0x31, 0x0D, 0x30,
+        0x0B, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x04, 0x46, 0x61,
+        0x73, 0x74, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04,
+        0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C,
+        0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F,
+        0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+        0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40,
+        0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
+        0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x31, 0x32, 0x32,
+        0x30, 0x32, 0x33, 0x30, 0x37, 0x32, 0x35, 0x5A, 0x17, 0x0D,
+        0x32, 0x34, 0x30, 0x39, 0x31, 0x35, 0x32, 0x33, 0x30, 0x37,
+        0x32, 0x35, 0x5A, 0x30, 0x81, 0x8D, 0x31, 0x0B, 0x30, 0x09,
+        0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
+        0x0F, 0x30, 0x0D, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x06,
+        0x4F, 0x72, 0x65, 0x67, 0x6F, 0x6E, 0x31, 0x0E, 0x30, 0x0C,
+        0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x05, 0x53, 0x61, 0x6C,
+        0x65, 0x6D, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04,
+        0x0A, 0x0C, 0x0A, 0x43, 0x6C, 0x69, 0x65, 0x6E, 0x74, 0x20,
+        0x45, 0x43, 0x43, 0x31, 0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55,
+        0x04, 0x0B, 0x0C, 0x04, 0x46, 0x61, 0x73, 0x74, 0x31, 0x18,
+        0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77,
+        0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C,
+        0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09,
+        0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16,
+        0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66,
+        0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x59, 0x30,
+        0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01,
+        0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07,
+        0x03, 0x42, 0x00, 0x04, 0x55, 0xBF, 0xF4, 0x0F, 0x44, 0x50,
+        0x9A, 0x3D, 0xCE, 0x9B, 0xB7, 0xF0, 0xC5, 0x4D, 0xF5, 0x70,
+        0x7B, 0xD4, 0xEC, 0x24, 0x8E, 0x19, 0x80, 0xEC, 0x5A, 0x4C,
+        0xA2, 0x24, 0x03, 0x62, 0x2C, 0x9B, 0xDA, 0xEF, 0xA2, 0x35,
+        0x12, 0x43, 0x84, 0x76, 0x16, 0xC6, 0x56, 0x95, 0x06, 0xCC,
+        0x01, 0xA9, 0xBD, 0xF6, 0x75, 0x1A, 0x42, 0xF7, 0xBD, 0xA9,
+        0xB2, 0x36, 0x22, 0x5F, 0xC7, 0x5D, 0x7F, 0xB4, 0xA3, 0x82,
+        0x01, 0x3E, 0x30, 0x82, 0x01, 0x3A, 0x30, 0x1D, 0x06, 0x03,
+        0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0xEB, 0xD4, 0x4B,
+        0x59, 0x6B, 0x95, 0x61, 0x3F, 0x51, 0x57, 0xB6, 0x04, 0x4D,
+        0x89, 0x41, 0x88, 0x44, 0x5C, 0xAB, 0xF2, 0x30, 0x81, 0xCD,
+        0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x81, 0xC5, 0x30, 0x81,
+        0xC2, 0x80, 0x14, 0xEB, 0xD4, 0x4B, 0x59, 0x6B, 0x95, 0x61,
+        0x3F, 0x51, 0x57, 0xB6, 0x04, 0x4D, 0x89, 0x41, 0x88, 0x44,
+        0x5C, 0xAB, 0xF2, 0xA1, 0x81, 0x93, 0xA4, 0x81, 0x90, 0x30,
+        0x81, 0x8D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
+        0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x0F, 0x30, 0x0D, 0x06,
+        0x03, 0x55, 0x04, 0x08, 0x0C, 0x06, 0x4F, 0x72, 0x65, 0x67,
+        0x6F, 0x6E, 0x31, 0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x04,
+        0x07, 0x0C, 0x05, 0x53, 0x61, 0x6C, 0x65, 0x6D, 0x31, 0x13,
+        0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0A, 0x43,
+        0x6C, 0x69, 0x65, 0x6E, 0x74, 0x20, 0x45, 0x43, 0x43, 0x31,
+        0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x04,
+        0x46, 0x61, 0x73, 0x74, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03,
+        0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77,
         0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
-        0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x30, 0x32, 0x31, 0x30,
-        0x31, 0x39, 0x34, 0x39, 0x35, 0x33, 0x5A, 0x17, 0x0D, 0x32,
-        0x33, 0x31, 0x31, 0x30, 0x37, 0x31, 0x39, 0x34, 0x39, 0x35,
-        0x33, 0x5A, 0x30, 0x81, 0x8D, 0x31, 0x0B, 0x30, 0x09, 0x06,
-        0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x0F,
-        0x30, 0x0D, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x06, 0x4F,
-        0x72, 0x65, 0x67, 0x6F, 0x6E, 0x31, 0x0E, 0x30, 0x0C, 0x06,
-        0x03, 0x55, 0x04, 0x07, 0x0C, 0x05, 0x53, 0x61, 0x6C, 0x65,
-        0x6D, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0A,
-        0x0C, 0x0A, 0x43, 0x6C, 0x69, 0x65, 0x6E, 0x74, 0x20, 0x45,
-        0x43, 0x43, 0x31, 0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x04,
-        0x0B, 0x0C, 0x04, 0x46, 0x61, 0x73, 0x74, 0x31, 0x18, 0x30,
-        0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77,
-        0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E,
-        0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A,
-        0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10,
-        0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73,
-        0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x59, 0x30, 0x13,
-        0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06,
-        0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03,
-        0x42, 0x00, 0x04, 0x55, 0xBF, 0xF4, 0x0F, 0x44, 0x50, 0x9A,
-        0x3D, 0xCE, 0x9B, 0xB7, 0xF0, 0xC5, 0x4D, 0xF5, 0x70, 0x7B,
-        0xD4, 0xEC, 0x24, 0x8E, 0x19, 0x80, 0xEC, 0x5A, 0x4C, 0xA2,
-        0x24, 0x03, 0x62, 0x2C, 0x9B, 0xDA, 0xEF, 0xA2, 0x35, 0x12,
-        0x43, 0x84, 0x76, 0x16, 0xC6, 0x56, 0x95, 0x06, 0xCC, 0x01,
-        0xA9, 0xBD, 0xF6, 0x75, 0x1A, 0x42, 0xF7, 0xBD, 0xA9, 0xB2,
-        0x36, 0x22, 0x5F, 0xC7, 0x5D, 0x7F, 0xB4, 0xA3, 0x82, 0x01,
-        0x33, 0x30, 0x82, 0x01, 0x2F, 0x30, 0x1D, 0x06, 0x03, 0x55,
-        0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0xEB, 0xD4, 0x4B, 0x59,
-        0x6B, 0x95, 0x61, 0x3F, 0x51, 0x57, 0xB6, 0x04, 0x4D, 0x89,
-        0x41, 0x88, 0x44, 0x5C, 0xAB, 0xF2, 0x30, 0x81, 0xC2, 0x06,
-        0x03, 0x55, 0x1D, 0x23, 0x04, 0x81, 0xBA, 0x30, 0x81, 0xB7,
-        0x80, 0x14, 0xEB, 0xD4, 0x4B, 0x59, 0x6B, 0x95, 0x61, 0x3F,
-        0x51, 0x57, 0xB6, 0x04, 0x4D, 0x89, 0x41, 0x88, 0x44, 0x5C,
-        0xAB, 0xF2, 0xA1, 0x81, 0x93, 0xA4, 0x81, 0x90, 0x30, 0x81,
-        0x8D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
-        0x13, 0x02, 0x55, 0x53, 0x31, 0x0F, 0x30, 0x0D, 0x06, 0x03,
-        0x55, 0x04, 0x08, 0x0C, 0x06, 0x4F, 0x72, 0x65, 0x67, 0x6F,
-        0x6E, 0x31, 0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x04, 0x07,
-        0x0C, 0x05, 0x53, 0x61, 0x6C, 0x65, 0x6D, 0x31, 0x13, 0x30,
-        0x11, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0A, 0x43, 0x6C,
-        0x69, 0x65, 0x6E, 0x74, 0x20, 0x45, 0x43, 0x43, 0x31, 0x0D,
-        0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x04, 0x46,
-        0x61, 0x73, 0x74, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55,
-        0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F,
-        0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31,
-        0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
-        0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F,
-        0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63,
-        0x6F, 0x6D, 0x82, 0x09, 0x00, 0xE7, 0x4A, 0x4F, 0xE5, 0x56,
-        0x97, 0xCA, 0xC3, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13,
-        0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x1C, 0x06,
-        0x03, 0x55, 0x1D, 0x11, 0x04, 0x15, 0x30, 0x13, 0x82, 0x0B,
-        0x65, 0x78, 0x61, 0x6D, 0x70, 0x6C, 0x65, 0x2E, 0x63, 0x6F,
-        0x6D, 0x87, 0x04, 0x7F, 0x00, 0x00, 0x01, 0x30, 0x1D, 0x06,
-        0x03, 0x55, 0x1D, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08,
-        0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08,
-        0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0A,
-        0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02,
-        0x03, 0x49, 0x00, 0x30, 0x46, 0x02, 0x21, 0x00, 0xE3, 0xBB,
-        0xCA, 0x0E, 0x31, 0x2D, 0x39, 0x1D, 0x94, 0x25, 0x81, 0x90,
-        0xD5, 0x11, 0xF9, 0x09, 0x6D, 0x58, 0x16, 0x23, 0xBE, 0x9F,
-        0xA9, 0x18, 0x64, 0x83, 0x3C, 0x25, 0x03, 0x58, 0x58, 0x39,
-        0x02, 0x21, 0x00, 0xA4, 0xAA, 0xB3, 0xF0, 0x09, 0xC9, 0x0C,
-        0x2F, 0xF7, 0xB1, 0xD4, 0x8E, 0x9F, 0xA6, 0xB6, 0xAB, 0x1A,
-        0xC7, 0x37, 0xED, 0x70, 0x4D, 0x34, 0x04, 0xA0, 0x9B, 0x3D,
-        0x84, 0x86, 0x10, 0xA0, 0xF0
+        0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
+        0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66,
+        0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E,
+        0x63, 0x6F, 0x6D, 0x82, 0x14, 0x3E, 0x8D, 0x40, 0xA1, 0x0B,
+        0xE2, 0x5F, 0xD9, 0x7F, 0xB1, 0xF3, 0xAE, 0x73, 0x40, 0x92,
+        0xC1, 0xD8, 0xAA, 0xF0, 0x65, 0x30, 0x0C, 0x06, 0x03, 0x55,
+        0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30,
+        0x1C, 0x06, 0x03, 0x55, 0x1D, 0x11, 0x04, 0x15, 0x30, 0x13,
+        0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D, 0x70, 0x6C, 0x65, 0x2E,
+        0x63, 0x6F, 0x6D, 0x87, 0x04, 0x7F, 0x00, 0x00, 0x01, 0x30,
+        0x1D, 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04, 0x16, 0x30, 0x14,
+        0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
+        0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02,
+        0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04,
+        0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00,
+        0xDD, 0xA7, 0xDD, 0x14, 0xAC, 0x16, 0x24, 0x2F, 0x39, 0x34,
+        0x83, 0xA2, 0x28, 0xE8, 0xBA, 0x73, 0x2A, 0x24, 0xD3, 0x56,
+        0xCF, 0x3D, 0x3B, 0xC9, 0x46, 0x91, 0x4E, 0x72, 0x6C, 0x62,
+        0x9A, 0xC7, 0x02, 0x20, 0x5F, 0x02, 0xF5, 0xA4, 0xD1, 0xF1,
+        0xF8, 0x9C, 0x03, 0x8E, 0xFE, 0xC5, 0x4E, 0xDC, 0xD5, 0xB0,
+        0xF9, 0xEB, 0xAD, 0x44, 0x0F, 0x26, 0x35, 0x93, 0x0E, 0xA3,
+        0x76, 0xEC, 0xE0, 0xA6, 0x8B, 0xFF
 };
 static const int sizeof_cliecc_cert_der_256 = sizeof(cliecc_cert_der_256);
 
@@ -4148,100 +4167,103 @@ static const int sizeof_ecc_key_pub_der_256 = sizeof(ecc_key_pub_der_256);
 /* ./certs/server-ecc-comp.der, ECC */
 static const unsigned char serv_ecc_comp_der_256[] =
 {
-        0x30, 0x82, 0x03, 0x61, 0x30, 0x82, 0x03, 0x07, 0xA0, 0x03,
-        0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xE5, 0xB6, 0x66, 0xE0,
-        0x08, 0x96, 0xC5, 0x95, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86,
-        0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x81, 0xA0, 0x31,
-        0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-        0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04,
-        0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61,
-        0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C,
-        0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x18,
-        0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0F, 0x45,
-        0x6C, 0x6C, 0x69, 0x70, 0x74, 0x69, 0x63, 0x20, 0x2D, 0x20,
-        0x63, 0x6F, 0x6D, 0x70, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03,
-        0x55, 0x04, 0x0B, 0x0C, 0x0F, 0x53, 0x65, 0x72, 0x76, 0x65,
-        0x72, 0x20, 0x45, 0x43, 0x43, 0x2D, 0x63, 0x6F, 0x6D, 0x70,
-        0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C,
-        0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73,
-        0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D,
-        0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09,
-        0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F,
-        0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30,
-        0x1E, 0x17, 0x0D, 0x32, 0x31, 0x30, 0x32, 0x31, 0x30, 0x31,
-        0x39, 0x34, 0x39, 0x35, 0x33, 0x5A, 0x17, 0x0D, 0x32, 0x33,
-        0x31, 0x31, 0x30, 0x37, 0x31, 0x39, 0x34, 0x39, 0x35, 0x33,
-        0x5A, 0x30, 0x81, 0xA0, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03,
-        0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30,
-        0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F,
-        0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06,
-        0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65,
-        0x6D, 0x61, 0x6E, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55,
-        0x04, 0x0A, 0x0C, 0x0F, 0x45, 0x6C, 0x6C, 0x69, 0x70, 0x74,
-        0x69, 0x63, 0x20, 0x2D, 0x20, 0x63, 0x6F, 0x6D, 0x70, 0x31,
-        0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0F,
-        0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x45, 0x43, 0x43,
-        0x2D, 0x63, 0x6F, 0x6D, 0x70, 0x31, 0x18, 0x30, 0x16, 0x06,
-        0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E,
-        0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
-        0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48,
-        0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E,
-        0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C,
-        0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x39, 0x30, 0x13, 0x06, 0x07,
-        0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A,
-        0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x22, 0x00,
-        0x02, 0xBB, 0x33, 0xAC, 0x4C, 0x27, 0x50, 0x4A, 0xC6, 0x4A,
-        0xA5, 0x04, 0xC3, 0x3C, 0xDE, 0x9F, 0x36, 0xDB, 0x72, 0x2D,
-        0xCE, 0x94, 0xEA, 0x2B, 0xFA, 0xCB, 0x20, 0x09, 0x39, 0x2C,
-        0x16, 0xE8, 0x61, 0xA3, 0x82, 0x01, 0x46, 0x30, 0x82, 0x01,
-        0x42, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16,
-        0x04, 0x14, 0x8C, 0x38, 0x3A, 0x6B, 0xB8, 0x24, 0xB7, 0xDF,
-        0x6E, 0xF4, 0x59, 0xAC, 0x56, 0x4E, 0xAA, 0xE2, 0x58, 0xA6,
-        0x5A, 0x18, 0x30, 0x81, 0xD5, 0x06, 0x03, 0x55, 0x1D, 0x23,
-        0x04, 0x81, 0xCD, 0x30, 0x81, 0xCA, 0x80, 0x14, 0x8C, 0x38,
-        0x3A, 0x6B, 0xB8, 0x24, 0xB7, 0xDF, 0x6E, 0xF4, 0x59, 0xAC,
-        0x56, 0x4E, 0xAA, 0xE2, 0x58, 0xA6, 0x5A, 0x18, 0xA1, 0x81,
-        0xA6, 0xA4, 0x81, 0xA3, 0x30, 0x81, 0xA0, 0x31, 0x0B, 0x30,
-        0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
-        0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C,
-        0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10,
-        0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42,
-        0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x18, 0x30, 0x16,
-        0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0F, 0x45, 0x6C, 0x6C,
-        0x69, 0x70, 0x74, 0x69, 0x63, 0x20, 0x2D, 0x20, 0x63, 0x6F,
-        0x6D, 0x70, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04,
-        0x0B, 0x0C, 0x0F, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20,
-        0x45, 0x43, 0x43, 0x2D, 0x63, 0x6F, 0x6D, 0x70, 0x31, 0x18,
-        0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77,
-        0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C,
-        0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09,
-        0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16,
-        0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66,
-        0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00,
-        0xE5, 0xB6, 0x66, 0xE0, 0x08, 0x96, 0xC5, 0x95, 0x30, 0x0C,
-        0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01,
-        0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x1D, 0x11, 0x04,
-        0x15, 0x30, 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D, 0x70,
-        0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D, 0x87, 0x04, 0x7F, 0x00,
-        0x00, 0x01, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04,
-        0x16, 0x30, 0x14, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05,
-        0x07, 0x03, 0x01, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05,
-        0x07, 0x03, 0x02, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48,
-        0xCE, 0x3D, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45,
-        0x02, 0x21, 0x00, 0xAE, 0x80, 0xD7, 0xF5, 0x4D, 0x76, 0x79,
-        0x5C, 0x01, 0x14, 0x8B, 0xFD, 0x80, 0x79, 0xFB, 0x9B, 0xFE,
-        0x8F, 0x0D, 0x9C, 0xC3, 0x7C, 0xE6, 0x80, 0x4C, 0xA6, 0x54,
-        0x16, 0x3F, 0xED, 0x1D, 0x5E, 0x02, 0x20, 0x09, 0x61, 0x2D,
-        0x84, 0xE9, 0x04, 0x4F, 0x79, 0x0E, 0xE7, 0xF0, 0xCC, 0x52,
-        0xD3, 0x2F, 0xE0, 0x89, 0xCF, 0xBE, 0x9B, 0x9F, 0x86, 0x23,
-        0x2F, 0xE4, 0xCB, 0x43, 0x16, 0xBB, 0x09, 0x8D, 0x87
+        0x30, 0x82, 0x03, 0x78, 0x30, 0x82, 0x03, 0x1D, 0xA0, 0x03,
+        0x02, 0x01, 0x02, 0x02, 0x14, 0x29, 0x74, 0x77, 0xEE, 0x40,
+        0xF1, 0x03, 0xBC, 0xB3, 0xD0, 0xB6, 0x01, 0x1D, 0xF5, 0x56,
+        0x4A, 0xC5, 0xCC, 0x7B, 0x04, 0x30, 0x0A, 0x06, 0x08, 0x2A,
+        0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x81, 0xA0,
+        0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
+        0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55,
+        0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E,
+        0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07,
+        0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31,
+        0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0F,
+        0x45, 0x6C, 0x6C, 0x69, 0x70, 0x74, 0x69, 0x63, 0x20, 0x2D,
+        0x20, 0x63, 0x6F, 0x6D, 0x70, 0x31, 0x18, 0x30, 0x16, 0x06,
+        0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0F, 0x53, 0x65, 0x72, 0x76,
+        0x65, 0x72, 0x20, 0x45, 0x43, 0x43, 0x2D, 0x63, 0x6F, 0x6D,
+        0x70, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03,
+        0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66,
+        0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30,
+        0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
+        0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77,
+        0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
+        0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x31, 0x32, 0x32, 0x30,
+        0x32, 0x33, 0x30, 0x37, 0x32, 0x35, 0x5A, 0x17, 0x0D, 0x32,
+        0x34, 0x30, 0x39, 0x31, 0x35, 0x32, 0x33, 0x30, 0x37, 0x32,
+        0x35, 0x5A, 0x30, 0x81, 0xA0, 0x31, 0x0B, 0x30, 0x09, 0x06,
+        0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10,
+        0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D,
+        0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E,
+        0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A,
+        0x65, 0x6D, 0x61, 0x6E, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03,
+        0x55, 0x04, 0x0A, 0x0C, 0x0F, 0x45, 0x6C, 0x6C, 0x69, 0x70,
+        0x74, 0x69, 0x63, 0x20, 0x2D, 0x20, 0x63, 0x6F, 0x6D, 0x70,
+        0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C,
+        0x0F, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x45, 0x43,
+        0x43, 0x2D, 0x63, 0x6F, 0x6D, 0x70, 0x31, 0x18, 0x30, 0x16,
+        0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77,
+        0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63,
+        0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86,
+        0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69,
+        0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73,
+        0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x39, 0x30, 0x13, 0x06,
+        0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08,
+        0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x22,
+        0x00, 0x02, 0xBB, 0x33, 0xAC, 0x4C, 0x27, 0x50, 0x4A, 0xC6,
+        0x4A, 0xA5, 0x04, 0xC3, 0x3C, 0xDE, 0x9F, 0x36, 0xDB, 0x72,
+        0x2D, 0xCE, 0x94, 0xEA, 0x2B, 0xFA, 0xCB, 0x20, 0x09, 0x39,
+        0x2C, 0x16, 0xE8, 0x61, 0xA3, 0x82, 0x01, 0x51, 0x30, 0x82,
+        0x01, 0x4D, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04,
+        0x16, 0x04, 0x14, 0x8C, 0x38, 0x3A, 0x6B, 0xB8, 0x24, 0xB7,
+        0xDF, 0x6E, 0xF4, 0x59, 0xAC, 0x56, 0x4E, 0xAA, 0xE2, 0x58,
+        0xA6, 0x5A, 0x18, 0x30, 0x81, 0xE0, 0x06, 0x03, 0x55, 0x1D,
+        0x23, 0x04, 0x81, 0xD8, 0x30, 0x81, 0xD5, 0x80, 0x14, 0x8C,
+        0x38, 0x3A, 0x6B, 0xB8, 0x24, 0xB7, 0xDF, 0x6E, 0xF4, 0x59,
+        0xAC, 0x56, 0x4E, 0xAA, 0xE2, 0x58, 0xA6, 0x5A, 0x18, 0xA1,
+        0x81, 0xA6, 0xA4, 0x81, 0xA3, 0x30, 0x81, 0xA0, 0x31, 0x0B,
+        0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
+        0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08,
+        0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31,
+        0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07,
+        0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x18, 0x30,
+        0x16, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0F, 0x45, 0x6C,
+        0x6C, 0x69, 0x70, 0x74, 0x69, 0x63, 0x20, 0x2D, 0x20, 0x63,
+        0x6F, 0x6D, 0x70, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55,
+        0x04, 0x0B, 0x0C, 0x0F, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
+        0x20, 0x45, 0x43, 0x43, 0x2D, 0x63, 0x6F, 0x6D, 0x70, 0x31,
+        0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F,
+        0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73,
+        0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06,
+        0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01,
+        0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C,
+        0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x14,
+        0x29, 0x74, 0x77, 0xEE, 0x40, 0xF1, 0x03, 0xBC, 0xB3, 0xD0,
+        0xB6, 0x01, 0x1D, 0xF5, 0x56, 0x4A, 0xC5, 0xCC, 0x7B, 0x04,
+        0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30,
+        0x03, 0x01, 0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x1D,
+        0x11, 0x04, 0x15, 0x30, 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61,
+        0x6D, 0x70, 0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D, 0x87, 0x04,
+        0x7F, 0x00, 0x00, 0x01, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D,
+        0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2B, 0x06, 0x01,
+        0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2B, 0x06, 0x01,
+        0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0A, 0x06, 0x08, 0x2A,
+        0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x03, 0x49, 0x00,
+        0x30, 0x46, 0x02, 0x21, 0x00, 0xED, 0x07, 0x48, 0xD5, 0x31,
+        0xE3, 0x1F, 0x80, 0x6A, 0xCE, 0xA9, 0xAA, 0x6D, 0xAC, 0xA3,
+        0xF9, 0xD4, 0x46, 0xB8, 0x3E, 0x19, 0x5E, 0x11, 0xD7, 0x21,
+        0x8F, 0xDC, 0x25, 0xDD, 0x6A, 0x7B, 0x58, 0x02, 0x21, 0x00,
+        0x84, 0x53, 0xE6, 0xF0, 0x18, 0x0A, 0x84, 0x29, 0xD2, 0xAD,
+        0x34, 0xB2, 0x7C, 0x0B, 0x90, 0x33, 0xFB, 0xB0, 0x41, 0x51,
+        0x69, 0xCC, 0x08, 0x97, 0xA2, 0x38, 0xF8, 0x21, 0x31, 0x32,
+        0xC6, 0xC1
 };
 static const int sizeof_serv_ecc_comp_der_256 = sizeof(serv_ecc_comp_der_256);
 
 /* ./certs/server-ecc-rsa.der, ECC */
 static const unsigned char serv_ecc_rsa_der_256[] =
 {
-        0x30, 0x82, 0x04, 0x1F, 0x30, 0x82, 0x03, 0x07, 0xA0, 0x03,
+        0x30, 0x82, 0x04, 0x2A, 0x30, 0x82, 0x03, 0x12, 0xA0, 0x03,
         0x02, 0x01, 0x02, 0x02, 0x01, 0x01, 0x30, 0x0D, 0x06, 0x09,
         0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05,
         0x00, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03,
@@ -4259,10 +4281,10 @@ static const unsigned char serv_ecc_rsa_der_256[] =
         0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
         0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F,
         0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63,
-        0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x30, 0x32,
-        0x31, 0x30, 0x31, 0x39, 0x34, 0x39, 0x35, 0x33, 0x5A, 0x17,
-        0x0D, 0x32, 0x33, 0x31, 0x31, 0x30, 0x37, 0x31, 0x39, 0x34,
-        0x39, 0x35, 0x33, 0x5A, 0x30, 0x81, 0x9D, 0x31, 0x0B, 0x30,
+        0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x31, 0x32,
+        0x32, 0x30, 0x32, 0x33, 0x30, 0x37, 0x32, 0x35, 0x5A, 0x17,
+        0x0D, 0x32, 0x34, 0x30, 0x39, 0x31, 0x35, 0x32, 0x33, 0x30,
+        0x37, 0x32, 0x35, 0x5A, 0x30, 0x81, 0x9D, 0x31, 0x0B, 0x30,
         0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
         0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C,
         0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10,
@@ -4287,12 +4309,12 @@ static const unsigned char serv_ecc_rsa_der_256[] =
         0x16, 0xE8, 0x61, 0x02, 0xE9, 0xAF, 0x4D, 0xD3, 0x02, 0x93,
         0x9A, 0x31, 0x5B, 0x97, 0x92, 0x21, 0x7F, 0xF0, 0xCF, 0x18,
         0xDA, 0x91, 0x11, 0x02, 0x34, 0x86, 0xE8, 0x20, 0x58, 0x33,
-        0x0B, 0x80, 0x34, 0x89, 0xD8, 0xA3, 0x82, 0x01, 0x3A, 0x30,
-        0x82, 0x01, 0x36, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E,
+        0x0B, 0x80, 0x34, 0x89, 0xD8, 0xA3, 0x82, 0x01, 0x45, 0x30,
+        0x82, 0x01, 0x41, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E,
         0x04, 0x16, 0x04, 0x14, 0x5D, 0x5D, 0x26, 0xEF, 0xAC, 0x7E,
         0x36, 0xF9, 0x9B, 0x76, 0x15, 0x2B, 0x4A, 0x25, 0x02, 0x23,
-        0xEF, 0xB2, 0x89, 0x30, 0x30, 0x81, 0xC9, 0x06, 0x03, 0x55,
-        0x1D, 0x23, 0x04, 0x81, 0xC1, 0x30, 0x81, 0xBE, 0x80, 0x14,
+        0xEF, 0xB2, 0x89, 0x30, 0x30, 0x81, 0xD4, 0x06, 0x03, 0x55,
+        0x1D, 0x23, 0x04, 0x81, 0xCC, 0x30, 0x81, 0xC9, 0x80, 0x14,
         0x27, 0x8E, 0x67, 0x11, 0x74, 0xC3, 0x26, 0x1D, 0x3F, 0xED,
         0x33, 0x63, 0xB3, 0xA4, 0xD8, 0x1D, 0x30, 0xE5, 0xE8, 0xD5,
         0xA1, 0x81, 0x9A, 0xA4, 0x81, 0x97, 0x30, 0x81, 0x94, 0x31,
@@ -4310,50 +4332,52 @@ static const unsigned char serv_ecc_rsa_der_256[] =
         0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09,
         0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16,
         0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66,
-        0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00,
-        0xAA, 0xD3, 0x3F, 0xAC, 0x18, 0x0A, 0x37, 0x4D, 0x30, 0x0C,
-        0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01,
-        0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x1D, 0x11, 0x04,
-        0x15, 0x30, 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D, 0x70,
-        0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D, 0x87, 0x04, 0x7F, 0x00,
-        0x00, 0x01, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04,
-        0x16, 0x30, 0x14, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05,
-        0x07, 0x03, 0x01, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05,
-        0x07, 0x03, 0x02, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48,
-        0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82,
-        0x01, 0x01, 0x00, 0x4B, 0xCD, 0xC5, 0x8F, 0xFC, 0xBB, 0xC3,
-        0x36, 0xC5, 0xD4, 0x4D, 0x71, 0x04, 0x13, 0x53, 0xA0, 0x3C,
-        0xA3, 0x4E, 0x2A, 0xDD, 0x0D, 0xD3, 0xA7, 0x62, 0x31, 0x0D,
-        0xC6, 0x32, 0x07, 0x31, 0xD4, 0x6B, 0x0F, 0x8B, 0x55, 0xA2,
-        0x2F, 0x2C, 0xB3, 0xAE, 0x46, 0x91, 0x8A, 0x09, 0xBE, 0x7E,
-        0xFF, 0xE2, 0x67, 0x46, 0xF2, 0x7E, 0xD4, 0x6F, 0xBE, 0x5D,
-        0x57, 0x42, 0xFD, 0x3A, 0x56, 0xB0, 0xE8, 0x0E, 0x4D, 0x12,
-        0xFD, 0xF5, 0x00, 0xCA, 0x6F, 0xBD, 0x88, 0x0C, 0x04, 0x47,
-        0x1A, 0xEC, 0x5D, 0x96, 0x3F, 0xB6, 0xA5, 0x8B, 0x9D, 0x47,
-        0xA6, 0x4F, 0x82, 0x07, 0x33, 0x9D, 0x11, 0x0A, 0x3D, 0x38,
-        0x1D, 0x21, 0x4F, 0xD4, 0x1E, 0x1D, 0xA6, 0xD7, 0x6B, 0x72,
-        0x1C, 0x51, 0xE1, 0x7A, 0x7A, 0x6C, 0x76, 0x2C, 0x98, 0x14,
-        0x48, 0xFD, 0xF1, 0xD1, 0x7C, 0x53, 0x86, 0xED, 0x8C, 0x5F,
-        0x4F, 0x0F, 0x27, 0x5D, 0x45, 0xBE, 0xED, 0x26, 0x90, 0xD2,
-        0x51, 0x04, 0x4D, 0x06, 0x5B, 0x64, 0x1C, 0x5E, 0x31, 0x63,
-        0xCC, 0xD4, 0xD5, 0x0B, 0x28, 0xCC, 0xE2, 0x29, 0x40, 0x75,
-        0x87, 0x21, 0x64, 0x8E, 0x8B, 0x87, 0xEF, 0x90, 0xBB, 0x46,
-        0x91, 0x91, 0xF9, 0x63, 0xF8, 0xB0, 0xA7, 0x5E, 0x8D, 0xE8,
-        0x20, 0xC6, 0xB7, 0x5A, 0xD9, 0x0E, 0x35, 0xFB, 0xBA, 0xD1,
-        0x09, 0xD1, 0x98, 0xA6, 0x61, 0x25, 0xE2, 0x0D, 0x97, 0xC4,
-        0x1B, 0x0F, 0xBC, 0xB6, 0xEC, 0xE7, 0x96, 0x80, 0xB8, 0xE5,
-        0x55, 0x03, 0x1E, 0x7F, 0xB5, 0xFD, 0x40, 0x06, 0xCC, 0xAA,
-        0x7B, 0xF0, 0xB3, 0x81, 0x2E, 0xE1, 0x4E, 0x3A, 0x52, 0xE3,
-        0xF3, 0xC4, 0xD3, 0x8C, 0x78, 0x49, 0x00, 0x3A, 0x57, 0xDF,
-        0x0E, 0xAA, 0x2F, 0x14, 0x52, 0x3F, 0xC8, 0xFA, 0x82, 0xB9,
-        0xBF, 0x27, 0xF8, 0x9C, 0x42, 0xB7, 0x44, 0x36, 0x68
+        0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x14, 0x7D,
+        0x94, 0x70, 0x88, 0xBA, 0x07, 0x42, 0x8D, 0xAA, 0xAF, 0x4F,
+        0xBE, 0xC2, 0x1A, 0x48, 0xF0, 0xD1, 0x40, 0xE6, 0x42, 0x30,
+        0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03,
+        0x01, 0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x1D, 0x11,
+        0x04, 0x15, 0x30, 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D,
+        0x70, 0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D, 0x87, 0x04, 0x7F,
+        0x00, 0x00, 0x01, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x25,
+        0x04, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05,
+        0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05,
+        0x05, 0x07, 0x03, 0x02, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
+        0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03,
+        0x82, 0x01, 0x01, 0x00, 0xB3, 0xBC, 0x8C, 0xF8, 0x0F, 0x8F,
+        0x63, 0x4E, 0xCD, 0x73, 0x62, 0xFE, 0x46, 0xE9, 0xFD, 0xDE,
+        0x74, 0xB8, 0x74, 0xE2, 0x9C, 0xAF, 0xF1, 0xB5, 0xCE, 0x48,
+        0xD0, 0xC6, 0x56, 0xE9, 0xFE, 0x38, 0xA5, 0x91, 0x23, 0xC0,
+        0x5F, 0xF1, 0x5D, 0xE4, 0xFD, 0x6D, 0xB3, 0x87, 0xF3, 0x7E,
+        0xFC, 0xE0, 0xC3, 0x8B, 0xFF, 0x94, 0xFB, 0xF8, 0x43, 0x09,
+        0xF6, 0x71, 0x34, 0xBB, 0xCC, 0xBA, 0x43, 0x54, 0x8C, 0x4E,
+        0x69, 0xB2, 0x75, 0xE1, 0xA2, 0xD0, 0xB7, 0xB0, 0xCB, 0x2B,
+        0xED, 0x0F, 0x9C, 0xD4, 0xE6, 0xCB, 0x03, 0x37, 0xB4, 0x86,
+        0x92, 0x4C, 0x8C, 0xFC, 0x30, 0x5C, 0x71, 0xE0, 0x3C, 0x58,
+        0x44, 0x25, 0xFA, 0x3A, 0x04, 0x08, 0x4E, 0x27, 0x14, 0xD7,
+        0x5B, 0xAA, 0x75, 0xE7, 0x2B, 0x13, 0x1A, 0x2C, 0x60, 0x9F,
+        0xAD, 0x43, 0xE0, 0x48, 0x5D, 0x02, 0x88, 0x84, 0xA6, 0x72,
+        0x36, 0x56, 0xA5, 0x1E, 0x82, 0x8C, 0xF2, 0x75, 0xFD, 0x7C,
+        0x8E, 0xAF, 0x92, 0x44, 0x9F, 0x78, 0x3E, 0xA1, 0xDC, 0xEA,
+        0x7D, 0x19, 0xEF, 0x08, 0xB4, 0x28, 0x5B, 0x76, 0xD4, 0x90,
+        0x73, 0xA7, 0xE9, 0xBA, 0x41, 0xBD, 0x44, 0xFC, 0xA6, 0xD9,
+        0x33, 0x06, 0x15, 0xF8, 0x2C, 0x8F, 0xCA, 0x2B, 0xFA, 0x21,
+        0xBD, 0x4A, 0x4C, 0xA6, 0x9F, 0x4E, 0x5B, 0x97, 0xBD, 0x97,
+        0xCF, 0xD7, 0x74, 0xA6, 0x42, 0xAC, 0xC0, 0x4F, 0xF4, 0x92,
+        0x2A, 0xB8, 0xA6, 0x26, 0x8E, 0xFE, 0x32, 0x4B, 0x4D, 0xFC,
+        0x37, 0x84, 0xD8, 0x1B, 0x7C, 0x0B, 0xAC, 0xEC, 0x5C, 0x96,
+        0x12, 0x02, 0xD4, 0x4C, 0x3B, 0xF0, 0xEA, 0x4C, 0x5A, 0xCE,
+        0x3D, 0x57, 0xE5, 0xE6, 0x8A, 0xB5, 0x82, 0xB7, 0x9F, 0xF8,
+        0xCB, 0x20, 0xFB, 0xDB, 0x98, 0x04, 0x91, 0x30, 0xE2, 0x57,
+        0xCB, 0x22, 0xF3, 0x07, 0xFD, 0x43, 0x07, 0xC7, 0x62, 0x32
+
 };
 static const int sizeof_serv_ecc_rsa_der_256 = sizeof(serv_ecc_rsa_der_256);
 
 /* ./certs/server-ecc.der, ECC */
 static const unsigned char serv_ecc_der_256[] =
 {
-        0x30, 0x82, 0x02, 0xA1, 0x30, 0x82, 0x02, 0x47, 0xA0, 0x03,
+        0x30, 0x82, 0x02, 0xA0, 0x30, 0x82, 0x02, 0x47, 0xA0, 0x03,
         0x02, 0x01, 0x02, 0x02, 0x01, 0x03, 0x30, 0x0A, 0x06, 0x08,
         0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x81,
         0x97, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
@@ -4371,10 +4395,10 @@ static const unsigned char serv_ecc_der_256[] =
         0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
         0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F,
         0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63,
-        0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x30, 0x32,
-        0x31, 0x30, 0x31, 0x39, 0x34, 0x39, 0x35, 0x33, 0x5A, 0x17,
-        0x0D, 0x32, 0x33, 0x31, 0x31, 0x30, 0x37, 0x31, 0x39, 0x34,
-        0x39, 0x35, 0x33, 0x5A, 0x30, 0x81, 0x8F, 0x31, 0x0B, 0x30,
+        0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x31, 0x32,
+        0x32, 0x30, 0x32, 0x33, 0x30, 0x37, 0x32, 0x35, 0x5A, 0x17,
+        0x0D, 0x32, 0x34, 0x30, 0x39, 0x31, 0x35, 0x32, 0x33, 0x30,
+        0x37, 0x32, 0x35, 0x5A, 0x30, 0x81, 0x8F, 0x31, 0x0B, 0x30,
         0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
         0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C,
         0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F,
@@ -4413,14 +4437,14 @@ static const unsigned char serv_ecc_der_256[] =
         0x03, 0x01, 0x30, 0x11, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
         0x86, 0xF8, 0x42, 0x01, 0x01, 0x04, 0x04, 0x03, 0x02, 0x06,
         0x40, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D,
-        0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20,
-        0x61, 0x6F, 0xE8, 0xB9, 0xAD, 0xCC, 0xC9, 0x1A, 0x81, 0x17,
-        0x02, 0x64, 0x07, 0xC3, 0x18, 0x44, 0x01, 0x81, 0x76, 0x18,
-        0x9D, 0x6D, 0x3D, 0x7D, 0xCB, 0xC1, 0x5A, 0x76, 0x4A, 0xAD,
-        0x71, 0x55, 0x02, 0x21, 0x00, 0xCD, 0x22, 0x35, 0x04, 0x19,
-        0xC2, 0x23, 0x21, 0x02, 0x88, 0x4B, 0x51, 0xDA, 0xDB, 0x51,
-        0xAB, 0x54, 0x8C, 0xCB, 0x38, 0xAC, 0x8E, 0xBB, 0xEE, 0x18,
-        0x07, 0xBF, 0x88, 0x36, 0x88, 0xFF, 0xD5
+        0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30, 0x44, 0x02, 0x20,
+        0x5A, 0x67, 0xB9, 0xEE, 0x02, 0x34, 0x27, 0x1B, 0xD4, 0xC4,
+        0x35, 0x7B, 0xED, 0x59, 0x8E, 0x63, 0xC4, 0x8A, 0xB7, 0xE9,
+        0x92, 0xC1, 0x8A, 0x76, 0xB0, 0x8B, 0xCD, 0x24, 0x49, 0x78,
+        0xBA, 0xEF, 0x02, 0x20, 0x29, 0xB8, 0xB6, 0x5F, 0x83, 0xF7,
+        0x56, 0x6A, 0xF1, 0x4D, 0xD9, 0x9F, 0x52, 0x2A, 0xF9, 0x8F,
+        0x53, 0x14, 0x49, 0x8B, 0x5F, 0x5E, 0x87, 0xAF, 0x7F, 0xCA,
+        0x2E, 0xE0, 0xD8, 0xE7, 0x75, 0x0C
 };
 static const int sizeof_serv_ecc_der_256 = sizeof(serv_ecc_der_256);
 
@@ -4446,72 +4470,73 @@ static const int sizeof_ca_ecc_key_der_256 = sizeof(ca_ecc_key_der_256);
 /* ./certs/ca-ecc-cert.der, ECC */
 static const unsigned char ca_ecc_cert_der_256[] =
 {
-        0x30, 0x82, 0x02, 0x8A, 0x30, 0x82, 0x02, 0x30, 0xA0, 0x03,
-        0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0x83, 0x47, 0x7C, 0x81,
-        0xD6, 0x0D, 0x1C, 0x4E, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86,
-        0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x81, 0x97, 0x31,
-        0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-        0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04,
-        0x08, 0x0C, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67,
-        0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55,
-        0x04, 0x07, 0x0C, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C,
-        0x65, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A,
-        0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31,
-        0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B,
-        0x44, 0x65, 0x76, 0x65, 0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E,
-        0x74, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03,
-        0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66,
-        0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30,
-        0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
-        0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77,
-        0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
-        0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x30, 0x32, 0x31, 0x30,
-        0x31, 0x39, 0x34, 0x39, 0x35, 0x33, 0x5A, 0x17, 0x0D, 0x32,
-        0x33, 0x31, 0x31, 0x30, 0x37, 0x31, 0x39, 0x34, 0x39, 0x35,
-        0x33, 0x5A, 0x30, 0x81, 0x97, 0x31, 0x0B, 0x30, 0x09, 0x06,
-        0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13,
-        0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x57,
-        0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31,
-        0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07,
-        0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 0x65, 0x31, 0x10, 0x30,
-        0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F,
-        0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 0x14, 0x30, 0x12, 0x06,
-        0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B, 0x44, 0x65, 0x76, 0x65,
-        0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E, 0x74, 0x31, 0x18, 0x30,
-        0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77,
-        0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E,
-        0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A,
-        0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10,
-        0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73,
-        0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x59, 0x30, 0x13,
-        0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06,
-        0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03,
-        0x42, 0x00, 0x04, 0x02, 0xD3, 0xD9, 0x6E, 0xD6, 0x01, 0x8E,
-        0x45, 0xC8, 0xB9, 0x90, 0x31, 0xE5, 0xC0, 0x4C, 0xE3, 0x9E,
-        0xAD, 0x29, 0x38, 0x98, 0xBA, 0x10, 0xD6, 0xE9, 0x09, 0x2A,
-        0x80, 0xA9, 0x2E, 0x17, 0x2A, 0xB9, 0x8A, 0xBF, 0x33, 0x83,
-        0x46, 0xE3, 0x95, 0x0B, 0xE4, 0x77, 0x40, 0xB5, 0x3B, 0x43,
-        0x45, 0x33, 0x0F, 0x61, 0x53, 0x7C, 0x37, 0x44, 0xC1, 0xCB,
-        0xFC, 0x80, 0xCA, 0xE8, 0x43, 0xEA, 0xA7, 0xA3, 0x63, 0x30,
-        0x61, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16,
-        0x04, 0x14, 0x56, 0x8E, 0x9A, 0xC3, 0xF0, 0x42, 0xDE, 0x18,
-        0xB9, 0x45, 0x55, 0x6E, 0xF9, 0x93, 0xCF, 0xEA, 0xC3, 0xF3,
-        0xA5, 0x21, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04,
-        0x18, 0x30, 0x16, 0x80, 0x14, 0x56, 0x8E, 0x9A, 0xC3, 0xF0,
-        0x42, 0xDE, 0x18, 0xB9, 0x45, 0x55, 0x6E, 0xF9, 0x93, 0xCF,
-        0xEA, 0xC3, 0xF3, 0xA5, 0x21, 0x30, 0x0F, 0x06, 0x03, 0x55,
-        0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x30, 0x03, 0x01,
-        0x01, 0xFF, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01,
-        0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0A,
-        0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02,
-        0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, 0xC5, 0x83,
-        0xFF, 0x1E, 0x51, 0xF7, 0xA1, 0xE9, 0xF1, 0x42, 0xC4, 0xBE,
-        0xED, 0x38, 0xBD, 0x38, 0x32, 0x8F, 0xAE, 0x3F, 0xC7, 0x6D,
-        0x11, 0x90, 0xE9, 0x99, 0xAB, 0x61, 0xA2, 0xDB, 0xA7, 0x4B,
-        0x02, 0x20, 0x28, 0x40, 0xD9, 0xBA, 0x45, 0xCC, 0xA6, 0xEA,
-        0xFA, 0x3F, 0x3E, 0x71, 0x44, 0x8E, 0x02, 0x03, 0x2F, 0x41,
-        0x0B, 0x56, 0x78, 0x2D, 0xA6, 0xE8, 0x5E, 0xF6, 0xFF, 0xDA,
-        0x62, 0x8C, 0xF9, 0xDF
+        0x30, 0x82, 0x02, 0x95, 0x30, 0x82, 0x02, 0x3B, 0xA0, 0x03,
+        0x02, 0x01, 0x02, 0x02, 0x14, 0x2F, 0xC0, 0x2C, 0xFE, 0x1F,
+        0x6A, 0x5A, 0x0B, 0xDD, 0xF6, 0x08, 0x63, 0x99, 0x42, 0x7E,
+        0x19, 0x92, 0xFA, 0xDC, 0x32, 0x30, 0x0A, 0x06, 0x08, 0x2A,
+        0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x81, 0x97,
+        0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
+        0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
+        0x04, 0x08, 0x0C, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E,
+        0x67, 0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03,
+        0x55, 0x04, 0x07, 0x0C, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74,
+        0x6C, 0x65, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04,
+        0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C,
+        0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C,
+        0x0B, 0x44, 0x65, 0x76, 0x65, 0x6C, 0x6F, 0x70, 0x6D, 0x65,
+        0x6E, 0x74, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04,
+        0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C,
+        0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F,
+        0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+        0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40,
+        0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
+        0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x31, 0x32, 0x32,
+        0x30, 0x32, 0x33, 0x30, 0x37, 0x32, 0x34, 0x5A, 0x17, 0x0D,
+        0x32, 0x34, 0x30, 0x39, 0x31, 0x35, 0x32, 0x33, 0x30, 0x37,
+        0x32, 0x34, 0x5A, 0x30, 0x81, 0x97, 0x31, 0x0B, 0x30, 0x09,
+        0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
+        0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A,
+        0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E,
+        0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C,
+        0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 0x65, 0x31, 0x10,
+        0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77,
+        0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 0x14, 0x30, 0x12,
+        0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B, 0x44, 0x65, 0x76,
+        0x65, 0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E, 0x74, 0x31, 0x18,
+        0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77,
+        0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C,
+        0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09,
+        0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16,
+        0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66,
+        0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x59, 0x30,
+        0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01,
+        0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07,
+        0x03, 0x42, 0x00, 0x04, 0x02, 0xD3, 0xD9, 0x6E, 0xD6, 0x01,
+        0x8E, 0x45, 0xC8, 0xB9, 0x90, 0x31, 0xE5, 0xC0, 0x4C, 0xE3,
+        0x9E, 0xAD, 0x29, 0x38, 0x98, 0xBA, 0x10, 0xD6, 0xE9, 0x09,
+        0x2A, 0x80, 0xA9, 0x2E, 0x17, 0x2A, 0xB9, 0x8A, 0xBF, 0x33,
+        0x83, 0x46, 0xE3, 0x95, 0x0B, 0xE4, 0x77, 0x40, 0xB5, 0x3B,
+        0x43, 0x45, 0x33, 0x0F, 0x61, 0x53, 0x7C, 0x37, 0x44, 0xC1,
+        0xCB, 0xFC, 0x80, 0xCA, 0xE8, 0x43, 0xEA, 0xA7, 0xA3, 0x63,
+        0x30, 0x61, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04,
+        0x16, 0x04, 0x14, 0x56, 0x8E, 0x9A, 0xC3, 0xF0, 0x42, 0xDE,
+        0x18, 0xB9, 0x45, 0x55, 0x6E, 0xF9, 0x93, 0xCF, 0xEA, 0xC3,
+        0xF3, 0xA5, 0x21, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23,
+        0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x56, 0x8E, 0x9A, 0xC3,
+        0xF0, 0x42, 0xDE, 0x18, 0xB9, 0x45, 0x55, 0x6E, 0xF9, 0x93,
+        0xCF, 0xEA, 0xC3, 0xF3, 0xA5, 0x21, 0x30, 0x0F, 0x06, 0x03,
+        0x55, 0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x30, 0x03,
+        0x01, 0x01, 0xFF, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F,
+        0x01, 0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30,
+        0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03,
+        0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, 0xF2,
+        0xA0, 0x7A, 0x0F, 0x66, 0x05, 0xEC, 0x81, 0xA2, 0x94, 0x6A,
+        0x31, 0xE0, 0x0D, 0xEE, 0x8F, 0x6A, 0xED, 0x63, 0x33, 0x0E,
+        0x27, 0x31, 0xB3, 0xCF, 0xC8, 0xA0, 0x0E, 0x5B, 0x88, 0x51,
+        0xFA, 0x02, 0x20, 0x51, 0x0F, 0x26, 0x46, 0x95, 0x37, 0x8E,
+        0x49, 0x4E, 0xB0, 0x4D, 0xCD, 0xB1, 0x65, 0xFE, 0x2D, 0x43,
+        0xAB, 0x20, 0xC7, 0x83, 0x70, 0x44, 0x11, 0x13, 0x86, 0xA5,
+        0x9B, 0x3B, 0x34, 0x24, 0xF2
 };
 static const int sizeof_ca_ecc_cert_der_256 = sizeof(ca_ecc_cert_der_256);
 
@@ -4541,78 +4566,79 @@ static const int sizeof_ca_ecc_key_der_384 = sizeof(ca_ecc_key_der_384);
 /* ./certs/ca-ecc384-cert.der, ECC */
 static const unsigned char ca_ecc_cert_der_384[] =
 {
-        0x30, 0x82, 0x02, 0xC7, 0x30, 0x82, 0x02, 0x4D, 0xA0, 0x03,
-        0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xA8, 0x60, 0xFD, 0x75,
-        0x07, 0x98, 0x55, 0x6A, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86,
-        0x48, 0xCE, 0x3D, 0x04, 0x03, 0x03, 0x30, 0x81, 0x97, 0x31,
-        0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-        0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04,
-        0x08, 0x0C, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67,
-        0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55,
-        0x04, 0x07, 0x0C, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C,
-        0x65, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A,
-        0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31,
-        0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B,
-        0x44, 0x65, 0x76, 0x65, 0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E,
-        0x74, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03,
-        0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66,
-        0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30,
-        0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
-        0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77,
-        0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
-        0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x30, 0x32, 0x31, 0x30,
-        0x31, 0x39, 0x34, 0x39, 0x35, 0x33, 0x5A, 0x17, 0x0D, 0x32,
-        0x33, 0x31, 0x31, 0x30, 0x37, 0x31, 0x39, 0x34, 0x39, 0x35,
-        0x33, 0x5A, 0x30, 0x81, 0x97, 0x31, 0x0B, 0x30, 0x09, 0x06,
-        0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13,
-        0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x57,
-        0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31,
-        0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07,
-        0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 0x65, 0x31, 0x10, 0x30,
-        0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F,
-        0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 0x14, 0x30, 0x12, 0x06,
-        0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B, 0x44, 0x65, 0x76, 0x65,
-        0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E, 0x74, 0x31, 0x18, 0x30,
-        0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77,
-        0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E,
-        0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A,
-        0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10,
-        0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73,
-        0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x76, 0x30, 0x10,
-        0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06,
-        0x05, 0x2B, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04,
-        0xEE, 0x82, 0xD4, 0x39, 0x9A, 0xB1, 0x27, 0x82, 0xF4, 0xD7,
-        0xEA, 0xC6, 0xBC, 0x03, 0x1D, 0x4D, 0x83, 0x61, 0xF4, 0x03,
-        0xAE, 0x7E, 0xBD, 0xD8, 0x5A, 0xA5, 0xB9, 0xF0, 0x8E, 0xA2,
-        0xA5, 0xDA, 0xCE, 0x87, 0x3B, 0x5A, 0xAB, 0x44, 0x16, 0x9C,
-        0xF5, 0x9F, 0x62, 0xDD, 0xF6, 0x20, 0xCD, 0x9C, 0x76, 0x3C,
-        0x40, 0xB1, 0x3F, 0x97, 0x17, 0xDF, 0x59, 0xF6, 0xCD, 0xDE,
-        0xCD, 0x46, 0x35, 0xC0, 0xED, 0x5E, 0x2E, 0x48, 0xB6, 0x66,
-        0x91, 0x71, 0x74, 0xB7, 0x0C, 0x3F, 0xB9, 0x9A, 0xB7, 0x83,
-        0xBD, 0x93, 0x3F, 0x5F, 0x50, 0x2D, 0x70, 0x3F, 0xDE, 0x35,
-        0x25, 0xE1, 0x90, 0x3B, 0x86, 0xE0, 0xA3, 0x63, 0x30, 0x61,
-        0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04,
-        0x14, 0xAB, 0xE0, 0xC3, 0x26, 0x4C, 0x18, 0xD4, 0x72, 0xBB,
-        0xD2, 0x84, 0x8C, 0x9C, 0x0A, 0x05, 0x92, 0x80, 0x12, 0x53,
-        0x52, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18,
-        0x30, 0x16, 0x80, 0x14, 0xAB, 0xE0, 0xC3, 0x26, 0x4C, 0x18,
-        0xD4, 0x72, 0xBB, 0xD2, 0x84, 0x8C, 0x9C, 0x0A, 0x05, 0x92,
-        0x80, 0x12, 0x53, 0x52, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D,
-        0x13, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01,
-        0xFF, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01,
-        0xFF, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0A, 0x06,
-        0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x03, 0x03,
-        0x68, 0x00, 0x30, 0x65, 0x02, 0x30, 0x47, 0xA2, 0x36, 0x33,
-        0xF4, 0x27, 0xBD, 0xD0, 0x5C, 0xE6, 0x8D, 0x3E, 0x31, 0xA9,
-        0x4E, 0x51, 0x57, 0xA9, 0x93, 0x28, 0x72, 0x0A, 0x72, 0xAB,
-        0x6E, 0xF9, 0x56, 0xC0, 0xF5, 0x70, 0x02, 0x9F, 0x9C, 0xB2,
-        0x4A, 0x9C, 0x3E, 0x9F, 0xFB, 0xC5, 0x64, 0x26, 0x7A, 0x88,
-        0xDC, 0x4A, 0x2A, 0x25, 0x02, 0x31, 0x00, 0x88, 0xF8, 0xE2,
-        0xD5, 0x20, 0x82, 0xF2, 0xDE, 0x7B, 0xCB, 0x13, 0xAC, 0xCD,
-        0xFF, 0xE8, 0x1E, 0x4E, 0x84, 0x3D, 0x9C, 0xAF, 0x5D, 0xF9,
-        0x01, 0xE7, 0x4F, 0xD4, 0x03, 0x09, 0x84, 0x3D, 0x7B, 0x2B,
-        0x83, 0xE2, 0xAE, 0x08, 0x68, 0x2E, 0x5B, 0x85, 0x6F, 0x43,
-        0xF5, 0x41, 0xE0, 0xC7, 0xC9
+        0x30, 0x82, 0x02, 0xD2, 0x30, 0x82, 0x02, 0x58, 0xA0, 0x03,
+        0x02, 0x01, 0x02, 0x02, 0x14, 0x1A, 0x57, 0x7F, 0x62, 0xDE,
+        0x7E, 0xF2, 0x6D, 0x93, 0xD2, 0x83, 0x35, 0x86, 0x82, 0x7F,
+        0x09, 0x5A, 0x8B, 0xA4, 0x09, 0x30, 0x0A, 0x06, 0x08, 0x2A,
+        0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x03, 0x30, 0x81, 0x97,
+        0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
+        0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
+        0x04, 0x08, 0x0C, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E,
+        0x67, 0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03,
+        0x55, 0x04, 0x07, 0x0C, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74,
+        0x6C, 0x65, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04,
+        0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C,
+        0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C,
+        0x0B, 0x44, 0x65, 0x76, 0x65, 0x6C, 0x6F, 0x70, 0x6D, 0x65,
+        0x6E, 0x74, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04,
+        0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C,
+        0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F,
+        0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+        0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40,
+        0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
+        0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x31, 0x32, 0x32,
+        0x30, 0x32, 0x33, 0x30, 0x37, 0x32, 0x34, 0x5A, 0x17, 0x0D,
+        0x32, 0x34, 0x30, 0x39, 0x31, 0x35, 0x32, 0x33, 0x30, 0x37,
+        0x32, 0x34, 0x5A, 0x30, 0x81, 0x97, 0x31, 0x0B, 0x30, 0x09,
+        0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
+        0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A,
+        0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E,
+        0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C,
+        0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 0x65, 0x31, 0x10,
+        0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77,
+        0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 0x14, 0x30, 0x12,
+        0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B, 0x44, 0x65, 0x76,
+        0x65, 0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E, 0x74, 0x31, 0x18,
+        0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77,
+        0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C,
+        0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09,
+        0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16,
+        0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66,
+        0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x76, 0x30,
+        0x10, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01,
+        0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00,
+        0x04, 0xEE, 0x82, 0xD4, 0x39, 0x9A, 0xB1, 0x27, 0x82, 0xF4,
+        0xD7, 0xEA, 0xC6, 0xBC, 0x03, 0x1D, 0x4D, 0x83, 0x61, 0xF4,
+        0x03, 0xAE, 0x7E, 0xBD, 0xD8, 0x5A, 0xA5, 0xB9, 0xF0, 0x8E,
+        0xA2, 0xA5, 0xDA, 0xCE, 0x87, 0x3B, 0x5A, 0xAB, 0x44, 0x16,
+        0x9C, 0xF5, 0x9F, 0x62, 0xDD, 0xF6, 0x20, 0xCD, 0x9C, 0x76,
+        0x3C, 0x40, 0xB1, 0x3F, 0x97, 0x17, 0xDF, 0x59, 0xF6, 0xCD,
+        0xDE, 0xCD, 0x46, 0x35, 0xC0, 0xED, 0x5E, 0x2E, 0x48, 0xB6,
+        0x66, 0x91, 0x71, 0x74, 0xB7, 0x0C, 0x3F, 0xB9, 0x9A, 0xB7,
+        0x83, 0xBD, 0x93, 0x3F, 0x5F, 0x50, 0x2D, 0x70, 0x3F, 0xDE,
+        0x35, 0x25, 0xE1, 0x90, 0x3B, 0x86, 0xE0, 0xA3, 0x63, 0x30,
+        0x61, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16,
+        0x04, 0x14, 0xAB, 0xE0, 0xC3, 0x26, 0x4C, 0x18, 0xD4, 0x72,
+        0xBB, 0xD2, 0x84, 0x8C, 0x9C, 0x0A, 0x05, 0x92, 0x80, 0x12,
+        0x53, 0x52, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04,
+        0x18, 0x30, 0x16, 0x80, 0x14, 0xAB, 0xE0, 0xC3, 0x26, 0x4C,
+        0x18, 0xD4, 0x72, 0xBB, 0xD2, 0x84, 0x8C, 0x9C, 0x0A, 0x05,
+        0x92, 0x80, 0x12, 0x53, 0x52, 0x30, 0x0F, 0x06, 0x03, 0x55,
+        0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x30, 0x03, 0x01,
+        0x01, 0xFF, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01,
+        0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0A,
+        0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x03,
+        0x03, 0x68, 0x00, 0x30, 0x65, 0x02, 0x30, 0x78, 0xDA, 0x52,
+        0x4F, 0x11, 0xFA, 0x4F, 0xA9, 0x7B, 0x02, 0xAF, 0x63, 0x40,
+        0xA7, 0x54, 0xBF, 0x08, 0x8B, 0xCB, 0xE4, 0xCE, 0x7D, 0x35,
+        0x38, 0x46, 0xD9, 0x90, 0x40, 0xF5, 0xF1, 0x16, 0x42, 0xE5,
+        0xEF, 0x7B, 0xB0, 0x8F, 0x3D, 0xB0, 0xA0, 0x07, 0xA6, 0x23,
+        0x3E, 0x8F, 0xA3, 0xBE, 0x57, 0x02, 0x31, 0x00, 0xDE, 0xD2,
+        0x23, 0x84, 0x4C, 0x71, 0x6A, 0x2E, 0xD0, 0x17, 0x73, 0x55,
+        0xB2, 0x8B, 0xE7, 0xAC, 0x4F, 0x83, 0x21, 0xF8, 0xF1, 0x7A,
+        0x9A, 0xF5, 0x8B, 0xA5, 0x17, 0x7B, 0x06, 0x03, 0xDC, 0x7E,
+        0x90, 0x29, 0x81, 0x3E, 0x6F, 0x70, 0xE7, 0x50, 0xF0, 0xD4,
+        0xA6, 0x96, 0xDC, 0x28, 0x51, 0x96
 };
 static const int sizeof_ca_ecc_cert_der_384 = sizeof(ca_ecc_cert_der_384);
 
@@ -4640,49 +4666,6 @@ static const unsigned char dh_g[] =
   0x02,
 };
 
-/* dh2048 p */
-static const unsigned char dh2048_p[] =
-{
-    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-    0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A,
-    0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
-    0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95,
-    0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB,
-    0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
-    0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8,
-    0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A,
-    0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
-    0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0,
-    0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3,
-    0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
-    0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77,
-    0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72,
-    0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
-    0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A,
-    0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61,
-    0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
-    0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68,
-    0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4,
-    0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
-    0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70,
-    0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC,
-    0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
-    0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF,
-    0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83,
-    0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
-    0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05,
-    0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2,
-    0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
-    0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97,
-    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
-};
-
-/* dh2048 g */
-static const unsigned char dh2048_g[] =
-{
-  0x02,
-};
-
 #if defined(HAVE_ED25519)
 
 /* ./certs/ed25519/server-ed25519.der, ED25519 */
@@ -4706,10 +4689,10 @@ static const unsigned char server_ed25519_cert[] =
         0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
         0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40,
         0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
-        0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x30, 0x33, 0x31,
-        0x30, 0x30, 0x36, 0x34, 0x39, 0x30, 0x33, 0x5A, 0x17, 0x0D,
-        0x32, 0x33, 0x31, 0x32, 0x30, 0x35, 0x30, 0x36, 0x34, 0x39,
-        0x30, 0x33, 0x5A, 0x30, 0x81, 0x9F, 0x31, 0x0B, 0x30, 0x09,
+        0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x31, 0x32, 0x32,
+        0x31, 0x31, 0x36, 0x34, 0x39, 0x33, 0x35, 0x5A, 0x17, 0x0D,
+        0x32, 0x34, 0x30, 0x39, 0x31, 0x36, 0x31, 0x36, 0x34, 0x39,
+        0x33, 0x35, 0x5A, 0x30, 0x81, 0x9F, 0x31, 0x0B, 0x30, 0x09,
         0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
         0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07,
         0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30,
@@ -4744,14 +4727,14 @@ static const unsigned char server_ed25519_cert[] =
         0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
         0x30, 0x11, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8,
         0x42, 0x01, 0x01, 0x04, 0x04, 0x03, 0x02, 0x06, 0x40, 0x30,
-        0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x41, 0x00, 0xF3,
-        0xC2, 0xEF, 0x8B, 0x55, 0x65, 0x4F, 0xBC, 0xE3, 0xDF, 0xFC,
-        0xD8, 0xA1, 0xAD, 0x8E, 0x43, 0x07, 0x73, 0xC8, 0x58, 0xC3,
-        0x46, 0x0A, 0xC1, 0xF1, 0x4D, 0x3F, 0xFB, 0x3D, 0x78, 0xE6,
-        0x76, 0x58, 0x26, 0xCE, 0xD7, 0x59, 0x55, 0xEC, 0xC5, 0xB5,
-        0xB4, 0x05, 0xED, 0xF9, 0xD4, 0x97, 0x69, 0x66, 0xD6, 0x2C,
-        0x1B, 0x43, 0x5A, 0x51, 0x5C, 0xBE, 0x10, 0x28, 0x95, 0xC4,
-        0x96, 0xAF, 0x00
+        0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x41, 0x00, 0x64,
+        0x65, 0xB1, 0x5A, 0x3B, 0x18, 0x07, 0x36, 0x42, 0xEA, 0x95,
+        0xC9, 0xDE, 0x96, 0x59, 0x04, 0xCC, 0x65, 0x8A, 0x5A, 0x97,
+        0xEE, 0xA5, 0x94, 0x06, 0x66, 0xF6, 0xB8, 0x78, 0x68, 0xD1,
+        0xC1, 0x9F, 0x3F, 0x5C, 0x71, 0x4D, 0x81, 0x1E, 0x80, 0xEC,
+        0xC2, 0x52, 0x44, 0xB4, 0x1F, 0xD7, 0x90, 0xAD, 0x84, 0x37,
+        0xA1, 0xDD, 0xC1, 0xF8, 0xAE, 0xFA, 0xC2, 0x92, 0x4F, 0x38,
+        0x7D, 0xB0, 0x0C
 };
 static const int sizeof_server_ed25519_cert = sizeof(server_ed25519_cert);
 
@@ -4787,10 +4770,10 @@ static const unsigned char ca_ed25519_cert[] =
         0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
         0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66,
         0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E,
-        0x63, 0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x30,
-        0x33, 0x31, 0x30, 0x30, 0x36, 0x34, 0x39, 0x30, 0x33, 0x5A,
-        0x17, 0x0D, 0x32, 0x33, 0x31, 0x32, 0x30, 0x35, 0x30, 0x36,
-        0x34, 0x39, 0x30, 0x33, 0x5A, 0x30, 0x81, 0x9B, 0x31, 0x0B,
+        0x63, 0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31, 0x31,
+        0x32, 0x32, 0x31, 0x31, 0x36, 0x34, 0x39, 0x33, 0x35, 0x5A,
+        0x17, 0x0D, 0x32, 0x34, 0x30, 0x39, 0x31, 0x36, 0x31, 0x36,
+        0x34, 0x39, 0x33, 0x35, 0x5A, 0x30, 0x81, 0x9B, 0x31, 0x0B,
         0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
         0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08,
         0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31,
@@ -4821,14 +4804,14 @@ static const unsigned char ca_ed25519_cert[] =
         0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x30, 0x03, 0x01,
         0x01, 0xFF, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01,
         0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x05,
-        0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x41, 0x00, 0xDA, 0xFE,
-        0x58, 0x53, 0x89, 0x43, 0x85, 0x98, 0x35, 0xDC, 0x13, 0x1C,
-        0xA3, 0xF1, 0x1F, 0x8D, 0x26, 0xBE, 0xB6, 0xA2, 0xFC, 0xB7,
-        0xFE, 0x9C, 0xB9, 0x35, 0x69, 0x31, 0x7E, 0xD4, 0xB9, 0x11,
-        0x45, 0x16, 0xA2, 0x29, 0x35, 0xA9, 0x74, 0xA7, 0x97, 0xDA,
-        0x7E, 0x71, 0x4F, 0xB1, 0x72, 0x5D, 0x75, 0x17, 0xAC, 0xE3,
-        0xF6, 0xB8, 0xCE, 0x1E, 0xE4, 0x8A, 0x95, 0xBA, 0xCD, 0x1D,
-        0xCE, 0x0D
+        0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x41, 0x00, 0x71, 0x66,
+        0xFF, 0xA7, 0xFC, 0xB9, 0xFA, 0x03, 0x85, 0x13, 0x28, 0x80,
+        0x46, 0x5B, 0x22, 0x84, 0x1C, 0xA2, 0xB8, 0xF1, 0xF4, 0x85,
+        0x83, 0x66, 0x4B, 0xA2, 0x44, 0x8C, 0x63, 0x04, 0xBA, 0x3F,
+        0x59, 0xE1, 0xBA, 0xB3, 0x03, 0x16, 0x70, 0x85, 0x05, 0x5D,
+        0x50, 0x20, 0x29, 0x69, 0x7C, 0x5B, 0x82, 0x25, 0x31, 0xC3,
+        0x79, 0x7E, 0x9A, 0xEB, 0x86, 0xBE, 0xDC, 0x33, 0xE1, 0xE0,
+        0x57, 0x0E
 };
 static const int sizeof_ca_ed25519_cert = sizeof(ca_ed25519_cert);
 
@@ -4836,9 +4819,9 @@ static const int sizeof_ca_ed25519_cert = sizeof(ca_ed25519_cert);
 static const unsigned char client_ed25519_cert[] =
 {
         0x30, 0x82, 0x03, 0x54, 0x30, 0x82, 0x03, 0x06, 0xA0, 0x03,
-        0x02, 0x01, 0x02, 0x02, 0x14, 0x40, 0x66, 0xC6, 0x11, 0xBC,
-        0x00, 0xF8, 0x51, 0xF9, 0xE4, 0x4B, 0xBB, 0x0B, 0xAD, 0xC1,
-        0x09, 0x38, 0xB0, 0x4A, 0xE4, 0x30, 0x05, 0x06, 0x03, 0x2B,
+        0x02, 0x01, 0x02, 0x02, 0x14, 0x07, 0xFF, 0x95, 0xE7, 0x9E,
+        0x2D, 0x2D, 0x16, 0x1A, 0x5D, 0xBC, 0x8E, 0x44, 0x4C, 0x1E,
+        0x0F, 0x7C, 0xC1, 0x1B, 0x73, 0x30, 0x05, 0x06, 0x03, 0x2B,
         0x65, 0x70, 0x30, 0x81, 0x9F, 0x31, 0x0B, 0x30, 0x09, 0x06,
         0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10,
         0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D,
@@ -4856,9 +4839,9 @@ static const unsigned char client_ed25519_cert[] =
         0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E,
         0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C,
         0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x31,
-        0x30, 0x33, 0x31, 0x30, 0x30, 0x36, 0x34, 0x39, 0x30, 0x33,
-        0x5A, 0x17, 0x0D, 0x32, 0x33, 0x31, 0x32, 0x30, 0x35, 0x30,
-        0x36, 0x34, 0x39, 0x30, 0x33, 0x5A, 0x30, 0x81, 0x9F, 0x31,
+        0x31, 0x32, 0x32, 0x31, 0x31, 0x36, 0x34, 0x39, 0x33, 0x35,
+        0x5A, 0x17, 0x0D, 0x32, 0x34, 0x30, 0x39, 0x31, 0x36, 0x31,
+        0x36, 0x34, 0x39, 0x33, 0x35, 0x5A, 0x30, 0x81, 0x9F, 0x31,
         0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
         0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04,
         0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61,
@@ -4903,9 +4886,9 @@ static const unsigned char client_ed25519_cert[] =
         0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86,
         0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69,
         0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73,
-        0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x14, 0x40, 0x66, 0xC6,
-        0x11, 0xBC, 0x00, 0xF8, 0x51, 0xF9, 0xE4, 0x4B, 0xBB, 0x0B,
-        0xAD, 0xC1, 0x09, 0x38, 0xB0, 0x4A, 0xE4, 0x30, 0x0C, 0x06,
+        0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x14, 0x07, 0xFF, 0x95,
+        0xE7, 0x9E, 0x2D, 0x2D, 0x16, 0x1A, 0x5D, 0xBC, 0x8E, 0x44,
+        0x4C, 0x1E, 0x0F, 0x7C, 0xC1, 0x1B, 0x73, 0x30, 0x0C, 0x06,
         0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01,
         0xFF, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x1D, 0x11, 0x04, 0x15,
         0x30, 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D, 0x70, 0x6C,
@@ -4914,13 +4897,13 @@ static const unsigned char client_ed25519_cert[] =
         0x30, 0x14, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07,
         0x03, 0x01, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07,
         0x03, 0x02, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03,
-        0x41, 0x00, 0xE0, 0x87, 0xE2, 0xCE, 0xD3, 0x87, 0x77, 0x9D,
-        0xF7, 0x44, 0xC0, 0x73, 0x00, 0xFF, 0x07, 0x6D, 0x2E, 0x90,
-        0x90, 0x5C, 0xBF, 0x30, 0x46, 0x9C, 0x75, 0xA9, 0x48, 0x50,
-        0x8A, 0xDA, 0x09, 0x0F, 0xA8, 0xA8, 0x04, 0xB4, 0x33, 0xC8,
-        0xF4, 0x28, 0x61, 0x9E, 0xC2, 0xA5, 0x19, 0xB7, 0x70, 0x1E,
-        0x69, 0xCD, 0x49, 0x5C, 0x9A, 0xF3, 0x81, 0xE0, 0xDE, 0x38,
-        0xB3, 0x37, 0xFF, 0x33, 0xBB, 0x07
+        0x41, 0x00, 0x56, 0x16, 0xBB, 0xD9, 0xA4, 0x39, 0x84, 0x64,
+        0x21, 0xAD, 0xCA, 0x36, 0xAA, 0x3F, 0x01, 0x97, 0x7D, 0x6D,
+        0x9B, 0x49, 0x8B, 0x5B, 0xCE, 0xF0, 0xF1, 0x66, 0x81, 0xFB,
+        0xF2, 0x3F, 0x86, 0x02, 0xF3, 0xDA, 0xEA, 0x20, 0x76, 0xED,
+        0x5B, 0x08, 0x28, 0xC9, 0xA9, 0xC1, 0xAF, 0x82, 0x3F, 0xBB,
+        0xFE, 0x24, 0x04, 0x6E, 0x5D, 0xF7, 0xBD, 0xB7, 0xBB, 0x52,
+        0xCD, 0x79, 0xA3, 0xED, 0xAA, 0x01
 };
 static const int sizeof_client_ed25519_cert = sizeof(client_ed25519_cert);
 
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 0312e517b..7d3823bd4 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -116,7 +116,7 @@
 #ifdef HAVE_CURVE448
     #include <wolfssl/wolfcrypt/curve448.h>
 #endif
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     #include <wolfssl/wolfcrypt/falcon.h>
 #endif
 #ifdef HAVE_HKDF
@@ -1235,7 +1235,7 @@ enum Misc {
     HELLO_EXT_EXTMS = 0x0017,   /* ID for the extended master secret ext */
     SECRET_LEN      = WOLFSSL_MAX_MASTER_KEY_LENGTH,
                                 /* pre RSA and all master */
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     ENCRYPT_LEN     = 1500,     /* allow 1500 bit static buffer for falcon */
 #else
 #if defined(WOLFSSL_MYSQL_COMPATIBLE) || \
@@ -1458,7 +1458,7 @@ enum Misc {
     ED448_SA_MAJOR      = 8,   /* Most significant byte for ED448 */
     ED448_SA_MINOR      = 8,   /* Least significant byte for ED448 */
 
-    OQS_SA_MAJOR        = 0xFE,/* Most significant byte used with OQS sig algos
+    PQC_SA_MAJOR        = 0xFE,/* Most significant byte used with PQC sig algos
 */
     /* These match what OQS has defined in their OpenSSL fork. */
     FALCON_LEVEL1_SA_MAJOR = 0xFE,
@@ -1470,7 +1470,7 @@ enum Misc {
     MIN_RSA_SHA512_PSS_BITS = 512 * 2 + 8 * 8, /* Min key size */
     MIN_RSA_SHA384_PSS_BITS = 384 * 2 + 8 * 8, /* Min key size */
 
-#if defined(HAVE_LIBOQS)
+#if defined(HAVE_PQC)
     MAX_CERT_VERIFY_SZ = 1600,            /* For Falcon */
 #elif !defined(NO_RSA)
     MAX_CERT_VERIFY_SZ = WOLFSSL_MAX_RSA_BITS / 8, /* max RSA bytes */
@@ -1501,7 +1501,7 @@ enum Misc {
     MAX_WOLFSSL_FILE_SIZE = 1024ul * 1024ul * 4,  /* 4 mb file size alloc limit */
 #endif
 
-#if defined(HAVE_LIBOQS)
+#if defined(HAVE_PQC)
     MAX_X509_SIZE      = 5120, /* max static x509 buffer size; falcon is big */
 #elif defined(WOLFSSL_HAPROXY)
     MAX_X509_SIZE      = 3072, /* max static x509 buffer size */
@@ -1572,7 +1572,7 @@ enum Misc {
 #endif
 #define MIN_ECCKEY_SZ (WOLFSSL_MIN_ECC_BITS / 8)
 
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
 /* set minimum Falcon key size allowed */
 #ifndef MIN_FALCONKEY_SZ
     #define MIN_FALCONKEY_SZ    897
@@ -2123,7 +2123,7 @@ struct WOLFSSL_CERT_MANAGER {
     wolfSSL_Mutex   refMutex;   /* reference count mutex */
 #endif
     int             refCount;         /* reference count */
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     short           minFalconKeySz;      /* minimum allowed Falcon key size */
 #endif
 
@@ -2622,7 +2622,7 @@ typedef struct KeyShareEntry {
     word32                keyLen;    /* Key size (bytes)                  */
     byte*                 pubKey;    /* Public key                        */
     word32                pubKeyLen; /* Public key length                 */
-#if !defined(NO_DH) || defined(HAVE_LIBOQS)
+#if !defined(NO_DH) || defined(HAVE_PQC)
     byte*                 privKey;   /* Private key - DH ond PQ KEMs only */
 #endif
 #ifdef WOLFSSL_ASYNC_CRYPT
@@ -2873,7 +2873,7 @@ struct WOLFSSL_CTX {
 #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
     short       minEccKeySz;      /* minimum ECC key size */
 #endif
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     short       minFalconKeySz;   /* minimum Falcon key size */
 #endif
     unsigned long     mask;             /* store SSL_OP_ flags */
@@ -3070,7 +3070,9 @@ struct WOLFSSL_CTX {
     CallbackGenSessionKey       GenSessionKeyCb;    /* Use generate session key handler */
     CallbackEncryptKeys         EncryptKeysCb;/* Use setting encrypt keys handler */
     CallbackTlsFinished         TlsFinishedCb;      /* Use Tls finished handler */
+#if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY)
     CallbackVerifyMac           VerifyMacCb;        /* Use Verify mac handler */
+#endif
 #endif /* HAVE_PK_CALLBACKS */
 #ifdef HAVE_WOLF_EVENT
     WOLF_EVENT_QUEUE event_queue;
@@ -3733,7 +3735,7 @@ typedef struct Options {
 #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
     short           minEccKeySz;      /* minimum ECC key size */
 #endif
-#if defined(HAVE_LIBOQS)
+#if defined(HAVE_PQC)
     short           minFalconKeySz;   /* minimum Falcon key size */
 #endif
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
@@ -3908,9 +3910,9 @@ struct WOLFSSL_X509 {
     int              pubKeyOID;
     DNS_entry*       altNamesNext;                   /* hint for retrieval */
 #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \
-    defined(HAVE_LIBOQS)
+    defined(HAVE_PQC)
     word32       pkCurveOID;
-#endif /* HAVE_ECC || HAVE_LIBOQS */
+#endif /* HAVE_ECC || HAVE_PQC */
 #ifndef NO_CERTS
     DerBuffer*   derCert;                            /* may need  */
 #endif
@@ -4318,7 +4320,7 @@ struct WOLFSSL {
     curve448_key*   peerX448Key;
     byte            peerX448KeyPresent;
 #endif
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
     falcon_key*     peerFalconKey;
     byte            peerFalconKeyPresent;
 #endif
@@ -4695,7 +4697,7 @@ extern const WOLF_EC_NIST_NAME kNistCurves[];
 /* This is the longest and shortest curve name in the kNistCurves list. Note we
  * also have quantum-safe group names as well. */
 #define kNistCurves_MIN_NAME_LEN 5
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
 #define kNistCurves_MAX_NAME_LEN 32
 #else
 #define kNistCurves_MAX_NAME_LEN 7
diff --git a/wolfssl/openssl/camellia.h b/wolfssl/openssl/camellia.h
new file mode 100644
index 000000000..024b4e337
--- /dev/null
+++ b/wolfssl/openssl/camellia.h
@@ -0,0 +1,27 @@
+/* camellia.h
+ *
+ * Copyright (C) 2006-2021 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFSSL_CAMELLIA_H_
+#define WOLFSSL_CAMELLIA_H_
+
+#include <wolfssl/wolfcrypt/camellia.h>
+
+#endif /* WOLFSSL_CAMELLIA_H_ */
diff --git a/wolfssl/openssl/include.am b/wolfssl/openssl/include.am
index e1da39845..e4ae651cd 100644
--- a/wolfssl/openssl/include.am
+++ b/wolfssl/openssl/include.am
@@ -8,6 +8,7 @@ nobase_include_HEADERS+= \
                          wolfssl/openssl/bio.h \
                          wolfssl/openssl/bn.h \
                          wolfssl/openssl/buffer.h \
+                         wolfssl/openssl/camellia.h \
                          wolfssl/openssl/cmac.h \
                          wolfssl/openssl/cms.h \
                          wolfssl/openssl/compat_types.h \
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 1544c5294..0b4d7866d 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -794,7 +794,7 @@ enum SNICbReturn {
 /* Maximum master key length (SECRET_LEN) */
 #define WOLFSSL_MAX_MASTER_KEY_LENGTH 48
 /* Maximum number of groups that can be set */
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
 #define WOLFSSL_MAX_GROUP_COUNT       36
 #else
 #define WOLFSSL_MAX_GROUP_COUNT       10
@@ -3638,8 +3638,8 @@ enum {
     WOLFSSL_FFDHE_6144    = 259,
     WOLFSSL_FFDHE_8192    = 260,
 
-#ifdef HAVE_LIBOQS
-    /* These group numbers were taken from liboqs' openssl fork, see:
+#ifdef HAVE_PQC
+    /* These group numbers were taken from OQS's openssl fork, see:
      * https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/
      * oqs-template/oqs-kem-info.md.
      *
@@ -3655,8 +3655,8 @@ enum {
      * algorithms have LEVEL2 and LEVEL4 because none of these submissions
      * included them. */
 
-    WOLFSSL_OQS_MIN               = 532,
-    WOLFSSL_OQS_SIMPLE_MIN        = 532,
+    WOLFSSL_PQC_MIN               = 532,
+    WOLFSSL_PQC_SIMPLE_MIN        = 532,
     WOLFSSL_NTRU_HPS_LEVEL1       = 532, /* NTRU_HPS2048509 */
     WOLFSSL_NTRU_HPS_LEVEL3       = 533, /* NTRU_HPS2048677 */
     WOLFSSL_NTRU_HPS_LEVEL5       = 534, /* NTRU_HPS4096821 */
@@ -3670,9 +3670,9 @@ enum {
     WOLFSSL_KYBER_90S_LEVEL1      = 574, /* KYBER_90S_512 */
     WOLFSSL_KYBER_90S_LEVEL3      = 575, /* KYBER_90S_768 */
     WOLFSSL_KYBER_90S_LEVEL5      = 576, /* KYBER_90S_1024 */
-    WOLFSSL_OQS_SIMPLE_MAX        = 576,
+    WOLFSSL_PQC_SIMPLE_MAX        = 576,
 
-    WOLFSSL_OQS_HYBRID_MIN        = 12052,
+    WOLFSSL_PQC_HYBRID_MIN        = 12052,
     WOLFSSL_P256_NTRU_HPS_LEVEL1  = 12052,
     WOLFSSL_P384_NTRU_HPS_LEVEL3  = 12053,
     WOLFSSL_P521_NTRU_HPS_LEVEL5  = 12054,
@@ -3686,8 +3686,8 @@ enum {
     WOLFSSL_P256_KYBER_90S_LEVEL1 = 12094,
     WOLFSSL_P384_KYBER_90S_LEVEL3 = 12095,
     WOLFSSL_P521_KYBER_90S_LEVEL5 = 12096,
-    WOLFSSL_OQS_HYBRID_MAX        = 12096,
-    WOLFSSL_OQS_MAX               = 12096,
+    WOLFSSL_PQC_HYBRID_MAX        = 12096,
+    WOLFSSL_PQC_MAX               = 12096,
 #endif
 };
 
diff --git a/wolfssl/test.h b/wolfssl/test.h
index 05d1fc60c..8753df920 100644
--- a/wolfssl/test.h
+++ b/wolfssl/test.h
@@ -5176,4 +5176,11 @@ static WC_INLINE void EarlyDataStatus(WOLFSSL* ssl)
 }
 #endif /* WOLFSSL_EARLY_DATA */
 
+
+#if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \
+    defined(DEBUG_UNIT_TEST_CERTS)
+void DEBUG_WRITE_CERT_X509(WOLFSSL_X509* x509, const char* fileName);
+void DEBUG_WRITE_DER(const byte* der, int derSz, const char* fileName);
+#endif
+
 #endif /* wolfSSL_TEST_H */
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index fa4ef70d9..0094e9191 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -127,6 +127,33 @@ enum ASN_Tags {
     ASN_DIR_TYPE          = 0x04,
     ASN_URI_TYPE          = 0x06, /* the value 6 is from GeneralName OID */
     ASN_IP_TYPE           = 0x07, /* the value 7 is from GeneralName OID */
+
+    /* PKCS #7 types */
+    ASN_ENC_CONTENT       = 0x00,
+    ASN_OTHERNAME_VALUE   = 0x00,
+
+    /* AuthorityKeyIdentifier fields */
+    ASN_AUTHKEYID_KEYID   = 0x00,
+    ASN_AUTHKEYID_ISSUER  = 0x01,
+    ASN_AUTHKEYID_SERIAL  = 0x02,
+
+    /* GeneralSubtree fields */
+    ASN_SUBTREE_MIN       = 0x00,
+    ASN_SUBTREE_MAX       = 0x01,
+
+    /* x509 Cert Fields */
+    ASN_X509_CERT_VERSION = 0x00,
+
+    /* x509 Cert Extension Fields */
+    ASN_AKID_KEYID        = 0x00,
+
+    /* ECC Key Fields */
+    ASN_ECC_PARAMS        = 0x00,
+    ASN_ECC_PUBKEY        = 0x01,
+
+    /* OneAsymmetricKey Fields */
+    ASN_ASYMKEY_ATTRS     = 0x00,
+    ASN_ASYMKEY_PUBKEY    = 0x01,
 };
 
 #define ASN_UTC_TIME_SIZE 14
@@ -606,6 +633,25 @@ WOLFSSL_LOCAL void SetASN_OID(ASNSetData *dataASN, int oid, int oidType);
     }                                                                  \
     while (0)
 
+/* Set the node and all nodes below to not be encoded.
+ *
+ * @param [in] dataASN  Dynamic ASN data item.
+ * @param [in] node     Node which should not be encoded. Child nodes will
+ *                      also not be encoded.
+ * @param [in] dataASNLen Number of items in dataASN.
+ */
+#define SetASNItem_NoOutNode(dataASN, asn, node, dataASNLen)           \
+    do {                                                               \
+        int ii;                                                        \
+        dataASN[node].noOut = 1;                                       \
+        for (ii = node + 1; ii < (int)(dataASNLen); ii++) {            \
+            if (asn[ii].depth <= asn[node].depth)                      \
+                break;                                                 \
+            dataASN[ii].noOut = 1;                                     \
+        }                                                              \
+    }                                                                  \
+    while (0)
+
 #endif /* WOLFSSL_ASN_TEMPLATE */
 
 
@@ -791,7 +837,7 @@ enum ECC_TYPES
 
 #ifndef WC_ASN_NAME_MAX
     #ifdef OPENSSL_EXTRA
-        #define WC_ASN_NAME_MAX 300
+        #define WC_ASN_NAME_MAX 330
     #else
         #define WC_ASN_NAME_MAX 256
     #endif
@@ -923,7 +969,11 @@ enum Misc_ASN {
 
 #ifndef WC_MAX_NAME_ENTRIES
     /* entries added to x509 name struct */
+    #ifdef OPENSSL_EXTRA
+    #define WC_MAX_NAME_ENTRIES 15
+    #else
     #define WC_MAX_NAME_ENTRIES 13
+    #endif
 #endif
 #define MAX_NAME_ENTRIES WC_MAX_NAME_ENTRIES
 
@@ -1262,7 +1312,7 @@ struct SignatureCtx {
     #ifdef HAVE_ED448
         struct ed448_key* ed448;
     #endif
-    #ifdef HAVE_LIBOQS
+    #ifdef HAVE_PQC
         struct falcon_key* falcon;
     #endif
         void* ptr;
diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h
index 61de72216..4c96ca3a9 100644
--- a/wolfssl/wolfcrypt/asn_public.h
+++ b/wolfssl/wolfcrypt/asn_public.h
@@ -640,7 +640,7 @@ WOLFSSL_API int wc_DhPrivKeyToDer(DhKey* key, byte* out, word32* outSz);
      (defined(HAVE_CURVE25519) && defined(HAVE_CURVE25519_KEY_EXPORT)) || \
      (defined(HAVE_ED448)      && defined(HAVE_ED448_KEY_EXPORT)) || \
      (defined(HAVE_CURVE448)   && defined(HAVE_CURVE448_KEY_EXPORT)) || \
-     (defined(HAVE_LIBOQS)))
+     (defined(HAVE_PQC)))
     #define WC_ENABLE_ASYM_KEY_EXPORT
 #endif
 
@@ -649,7 +649,7 @@ WOLFSSL_API int wc_DhPrivKeyToDer(DhKey* key, byte* out, word32* outSz);
      (defined(HAVE_CURVE25519) && defined(HAVE_CURVE25519_KEY_IMPORT)) || \
      (defined(HAVE_ED448)      && defined(HAVE_ED448_KEY_IMPORT)) || \
      (defined(HAVE_CURVE448)   && defined(HAVE_CURVE448_KEY_IMPORT)) || \
-     (defined(HAVE_LIBOQS)))
+     (defined(HAVE_PQC)))
     #define WC_ENABLE_ASYM_KEY_IMPORT
 #endif
 
@@ -688,13 +688,13 @@ WOLFSSL_API int wc_Ed448PublicKeyToDer(ed448_key*, byte*, word32, int);
 #endif
 #endif /* HAVE_ED448 */
 
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
 WOLFSSL_API int wc_Falcon_PrivateKeyDecode(const byte*, word32*, falcon_key*, word32);
 WOLFSSL_API int wc_Falcon_PublicKeyDecode(const byte*, word32*, falcon_key*, word32);
 WOLFSSL_API int wc_Falcon_KeyToDer(falcon_key*, byte*, word32);
 WOLFSSL_API int wc_Falcon_PrivateKeyToDer(falcon_key*, byte*, word32);
 WOLFSSL_API int wc_Falcon_PublicKeyToDer(falcon_key*, byte*, word32, int);
-#endif /* HAVE_LIBOQS */
+#endif /* HAVE_PQC */
 
 #ifdef HAVE_CURVE448
 #ifdef HAVE_CURVE448_KEY_IMPORT
diff --git a/wolfssl/wolfcrypt/falcon.h b/wolfssl/wolfcrypt/falcon.h
index 56c459b84..136976e3f 100644
--- a/wolfssl/wolfcrypt/falcon.h
+++ b/wolfssl/wolfcrypt/falcon.h
@@ -31,9 +31,11 @@
 
 #include <wolfssl/wolfcrypt/types.h>
 
-#ifdef HAVE_LIBOQS
+#ifdef HAVE_PQC
 
+#ifdef HAVE_LIBOQS
 #include <oqs/oqs.h>
+#endif
 
 #ifdef __cplusplus
     extern "C" {
@@ -41,6 +43,7 @@
 
 /* Macros Definitions */
 
+#ifdef HAVE_LIBOQS
 #define FALCON_LEVEL1_KEY_SIZE     OQS_SIG_falcon_512_length_secret_key
 #define FALCON_LEVEL1_SIG_SIZE     OQS_SIG_falcon_512_length_signature
 #define FALCON_LEVEL1_PUB_KEY_SIZE OQS_SIG_falcon_512_length_public_key
@@ -50,6 +53,7 @@
 #define FALCON_LEVEL5_SIG_SIZE     OQS_SIG_falcon_1024_length_signature
 #define FALCON_LEVEL5_PUB_KEY_SIZE OQS_SIG_falcon_1024_length_public_key
 #define FALCON_LEVEL5_PRV_KEY_SIZE (FALCON_LEVEL5_PUB_KEY_SIZE+FALCON_LEVEL5_KEY_SIZE)
+#endif
 
 #define FALCON_MAX_KEY_SIZE     FALCON_LEVEL5_PRV_KEY_SIZE
 #define FALCON_MAX_SIG_SIZE     FALCON_LEVEL5_SIG_SIZE
@@ -125,5 +129,5 @@ int wc_falcon_sig_size(falcon_key* key);
     }    /* extern "C" */
 #endif
 
-#endif /* HAVE_LIBOQS */
+#endif /* HAVE_PQC */
 #endif /* WOLF_CRYPT_FALCON_H */
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index 1c7cd8afa..0724489e0 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -2585,6 +2585,15 @@ extern void uITRON4_free(void *p) ;
     #endif
 #endif
 
+/* Enable Post-Quantum Cryptography if we have liboqs from the OpenQuantumSafe
+ * group */
+#ifdef HAVE_LIBOQS
+#define HAVE_PQC
+#endif
+
+#if defined(HAVE_PQC) && !defined(HAVE_LIBOQS)
+#error "You must have a post-quantum cryptography implementation to use PQC."
+#endif
 
 /* ---------------------------------------------------------------------------
  * Depricated Algorithm Handling