author | Cy Schubert <cy@FreeBSD.org> | 2022-03-28 17:02:13 +0000 |
---|---|---|
committer | Cy Schubert <cy@FreeBSD.org> | 2022-03-28 17:02:13 +0000 |
commit | 49af073ed77202a54dfdd773cbcbbf7835c75baf (patch) | |
tree | b180dbeab238a3d30b8d99d05c9cf0e30fbadd5a | |
parent | d684f11da759490a8d98d7b790796106285f4084 (diff) |
heimdal: Vendor import 7.7.0 [vendor/heimdal/7.7.0]
449 files changed, 5361 insertions, 2399 deletions
@@ -1,3 +1,133 @@ +Release Notes - Heimdal - Version Heimdal 7.7 + + Bug fixes + + - PKCS#11 hcrypto back-end + . initialize the p11_module_load function list + . verify that not only is a mechanism present but that its mechanism + info states that it offers the required encryption, decryption or + digest services + - krb5: + . Starting with 7.6, Heimdal permitted requesting authenticated + anonymous tickets. However, it did not verify that a KDC in fact + returned an anonymous ticket when one was requested. + - Cease setting the KDCOption reaquest_anonymous flag when issuing + S4UProxy (constrained delegation) TGS requests. + . when the Win2K PKINIT compatibility option is set, do + not require krbtgt otherName to match when validating KDC + certificate. + . set PKINIT_BTMM flag per Apple implementation + . use memset_s() instead of memset() + - kdc: + . When generating KRB5SignedPath in the AS, use the reply client name + rather than the one from the request, so validation will work + correctly in the TGS. + . allow checksum of PA-FOR-USER to be HMAC_MD5. Even if tgt used + an enctype with a different checksum. Per [MS-SFU] 2.2.1 + PA-FOR-USER the checksum is always HMAC_MD5, and that's what + Windows and MIT clients send. + + In heimdal both the client and kdc use instead the + checksum of the tgt, and therefore work with each other + but Windows and MIT clients fail against heimdal KDC. + + Both Windows and MIT KDCs would allow any keyed checksum + to be used so Heimdal client interoperates with them. + + Change Heimdal KDC to allow HMAC_MD5 even for non RC4 + based tgt in order to support per-spec clients. + . use memset_s() instead of memset(). + - Detect Heimdal 1.0 through 7.6 clients that issue S4UProxy + (constrained delegation) TGS Requests with the request + anonymous flag set. These requests will be treated as + S4UProxy requests and not anonymous requests. + - HDB: + . Set SQLite3 backend default page size to 8KB. + . 
Add hdb_set_sync() method + - kadmind: + . disable HDB sync during database load avoiding unnecessary disk i/o. + - ipropd: + . disable HDB sync during receive_everything. Doing an fsync + per-record when receiving the complete HDB is a performance + disaster. Among other things, if the HDB is very large, then + one slave receving a full HDB can cause other slaves to timeout + and, if HDB write activity is high enough to cause iprop log + truncation, then also need full syncs, which leads to a cycle of + full syncs for all slaves until HDB write activity drops. + Allowing the iprop log to be larger helps, but improving + receive_everything() performance helps even more. + - kinit: + . Anonymous PKINIT tickets discard the realm information used + to locate the issuing AS. Store the issuing realm in the + credentials cache in order to locate a KDC which can renew them. + . Do not leak the result of krb5_cc_get_config() when determining + anonymous PKINIT start realm. + - klist: + . Show transited-policy-checked, ok-as-delegate and anonymous + flags when listing credentials. + - tests: + . Regenerate certs so that they expire before the 2038 armageddon + so the test suite will pass on 32-bit operating systems until the + underlying issues can be resolved. + - Solaris: + . Define _STDC_C11_BCI for memset_s prototype + - build tooling: + . Convert from python 2 to python 3 + - documentation + . rename verify-password to verify-password-quality + . hprop default mode is encrypt + . kadmind "all" permission does not include "get-keys" + . 
verify-password-quality might not be stateless + +Release Notes - Heimdal - Version Heimdal 7.6 + + Security + + - CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum + + When the Heimdal KDC checks the checksum that is placed on the + S4U2Self packet by the server to protect the requested principal + against modification, it does not confirm that the checksum + algorithm that protects the user name (principal) in the request + is keyed. This allows a man-in-the-middle attacker who can + intercept the request to the KDC to modify the packet by replacing + the user name (principal) in the request with any desired user + name (principal) that exists in the KDC and replace the checksum + protecting that name with a CRC32 checksum (which requires no + prior knowledge to compute). + + This would allow a S4U2Self ticket requested on behalf of user + name (principal) user@EXAMPLE.COM to any service to be changed + to a S4U2Self ticket with a user name (principal) of + Administrator@EXAMPLE.COM. This ticket would then contain the + PAC of the modified user name (principal). + + - CVE-2019-12098, client-only: + + RFC8062 Section 7 requires verification of the PA-PKINIT-KX key excahnge + when anonymous PKINIT is used. Failure to do so can permit an active + attacker to become a man-in-the-middle. + + Bug fixes + + - Happy eyeballs: Don't wait for responses from known-unreachable KDCs. + - kdc: check return copy_Realm, copy_PrincipalName, copy_EncryptionKey + - kinit: + . cleanup temporary ccaches + . see man page for "kinit --anonymous" command line syntax change + - kdc: Make anonymous AS-requests more RFC8062-compliant. + - Updated expired test certificates + - Solaris: + . PKCS#11 hcrypto backend broken since 7.0.1 + . 
Building with Sun Pro C + + Features + + - kuser: support authenticated anonymous AS-REQs in kinit + - kdc: support for anonymous TGS-REQs + - kgetcred support for anonymous service tickets + - Support builds with OpenSSL 1.1.1 + Release Notes - Heimdal - Version Heimdal 7.5 Security diff --git a/appl/dceutils/k5dcecon.c b/appl/dceutils/k5dcecon.c index 88cdf281fe71..b8fb2a7ee980 100644 --- a/appl/dceutils/k5dcecon.c +++ b/appl/dceutils/k5dcecon.c @@ -473,7 +473,7 @@ int k5dcecon(luid, luser, pname) /* * Destroy the Kerberos5 cred cache file. - * but dont care aout the return code. + * but don't care about the return code. */ DEEDEBUG("Destroying the old cache\n"); diff --git a/appl/su/su.c b/appl/su/su.c index b6cb89cc136e..c7b0b2bc43bc 100644 --- a/appl/su/su.c +++ b/appl/su/su.c @@ -303,7 +303,7 @@ verify_unix(struct passwd *login, struct passwd *su) if(r != 0) exit(0); pw = crypt(pw_buf, su->pw_passwd); - memset(pw_buf, 0, sizeof(pw_buf)); + memset_s(pw_buf, sizeof(pw_buf), 0, sizeof(pw_buf)); if(strcmp(pw, su->pw_passwd) != 0) { syslog (LOG_ERR | LOG_AUTH, "%s to %s: incorrect password", login->pw_name, su->pw_name); diff --git a/autogen.sh b/autogen.sh index fc504dca28b3..fc504dca28b3 100644..100755 --- a/autogen.sh +++ b/autogen.sh diff --git a/cf/._ltoptions.m4 b/cf/._ltoptions.m4 Binary files differnew file mode 100644 index 000000000000..3d07a38fae18 --- /dev/null +++ b/cf/._ltoptions.m4 diff --git a/cf/._ltsugar.m4 b/cf/._ltsugar.m4 Binary files differnew file mode 100644 index 000000000000..bc3a28965b68 --- /dev/null +++ b/cf/._ltsugar.m4 diff --git a/cf/._lt~obsolete.m4 b/cf/._lt~obsolete.m4 Binary files differnew file mode 100644 index 000000000000..a5ff0951ff89 --- /dev/null +++ b/cf/._lt~obsolete.m4 diff --git a/cf/install-catman.sh b/cf/install-catman.sh index f1a258185b65..f1a258185b65 100755..100644 --- a/cf/install-catman.sh +++ b/cf/install-catman.sh 
diff --git a/cf/roken-h-process.pl b/cf/roken-h-process.pl index e797dd224e33..e797dd224e33 100755..100644 --- a/cf/roken-h-process.pl +++ b/cf/roken-h-process.pl diff --git a/cf/sunos.m4 b/cf/sunos.m4 index 57a244e90e8b..938fc3a5ec8a 100644 --- a/cf/sunos.m4 +++ b/cf/sunos.m4 @@ -11,6 +11,8 @@ case "$host" in *-*-solaris2.1[[1-9]]) AC_DEFINE([__EXTENSIONS__], [1], [Enable general extensions on Solaris.]) + AC_DEFINE([_STDC_C11_BCI], [1], + [Enable C11 prototypes for memset_s and friends]) sunos=511 ;; *-*-solaris2.[[89]] | *-*-solaris2.10) diff --git a/cf/w32-check-exported-symbols.pl b/cf/w32-check-exported-symbols.pl index 641b5aed6a6d..641b5aed6a6d 100755..100644 --- a/cf/w32-check-exported-symbols.pl +++ b/cf/w32-check-exported-symbols.pl diff --git a/cf/w32-def-from-dll.pl b/cf/w32-def-from-dll.pl index 77fb4d9a747c..77fb4d9a747c 100755..100644 --- a/cf/w32-def-from-dll.pl +++ b/cf/w32-def-from-dll.pl diff --git a/cf/w32-detect-vc-version.pl b/cf/w32-detect-vc-version.pl index 213ca29c8d0a..213ca29c8d0a 100755..100644 --- a/cf/w32-detect-vc-version.pl +++ b/cf/w32-detect-vc-version.pl diff --git a/cf/w32-hh-toc-from-info.pl b/cf/w32-hh-toc-from-info.pl index 2207c5cf411c..2207c5cf411c 100755..100644 --- a/cf/w32-hh-toc-from-info.pl +++ b/cf/w32-hh-toc-from-info.pl diff --git a/cf/w32-list-externs-from-objs.pl b/cf/w32-list-externs-from-objs.pl index 9712120e9f1f..9712120e9f1f 100755..100644 --- a/cf/w32-list-externs-from-objs.pl +++ b/cf/w32-list-externs-from-objs.pl diff --git a/configure b/configure index 90e2a6741cfd..4cefc4338d8c 100755 --- a/configure +++ b/configure @@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision. # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for Heimdal 7.5.0. +# Generated by GNU Autoconf 2.69 for Heimdal 7.7.0. # # Report bugs to <https://github.com/heimdal/heimdal/issues>. # 
@@ -591,8 +591,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='Heimdal' PACKAGE_TARNAME='heimdal' -PACKAGE_VERSION='7.5.0' -PACKAGE_STRING='Heimdal 7.5.0' +PACKAGE_VERSION='7.7.0' +PACKAGE_STRING='Heimdal 7.7.0' PACKAGE_BUGREPORT='https://github.com/heimdal/heimdal/issues' PACKAGE_URL='' @@ -1571,7 +1571,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Heimdal 7.5.0 to adapt to many kinds of systems. +\`configure' configures Heimdal 7.7.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1641,7 +1641,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Heimdal 7.5.0:";; + short | recursive ) echo "Configuration of Heimdal 7.7.0:";; esac cat <<\_ACEOF @@ -1845,7 +1845,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Heimdal configure 7.5.0 +Heimdal configure 7.7.0 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2297,7 +2297,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Heimdal $as_me 7.5.0, which was +It was created by Heimdal $as_me 7.7.0, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3168,7 +3168,7 @@ fi # Define the identity of the package. PACKAGE='heimdal' - VERSION='7.5.0' + VERSION='7.7.0' cat >>confdefs.h <<_ACEOF @@ -14117,6 +14117,9 @@ case "$host" in $as_echo "#define __EXTENSIONS__ 1" >>confdefs.h + +$as_echo "#define _STDC_C11_BCI 1" >>confdefs.h + sunos=511 ;; *-*-solaris2.[89] | *-*-solaris2.10) 
@@ -29704,7 +29707,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Heimdal $as_me 7.5.0, which was +This file was extended by Heimdal $as_me 7.7.0, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -29770,7 +29773,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -Heimdal config.status 7.5.0 +Heimdal config.status 7.7.0 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -31666,7 +31669,7 @@ cat > include/newversion.h.in <<EOF #define VERSION_HIDDEN #endif VERSION_HIDDEN const char *heimdal_long_version = "@(#)\$Version: $PACKAGE_STRING by @USER@ on @HOST@ ($host) @DATE@ \$"; -VERSION_HIDDEN const char *heimdal_version = "Heimdal 7.5.0"; +VERSION_HIDDEN const char *heimdal_version = "Heimdal 7.7.0"; EOF if test -f include/version.h && cmp -s include/newversion.h.in include/version.h.in; then diff --git a/configure.ac b/configure.ac index 6e037f6d367c..838f94fd8acf 100644 --- a/configure.ac +++ b/configure.ac @@ -2,7 +2,7 @@ dnl Process this file with autoconf to produce a configure script. AC_REVISION($Revision$) AC_PREREQ(2.62) test -z "$CFLAGS" && CFLAGS="-g" -AC_INIT([Heimdal],[7.5.0],[https://github.com/heimdal/heimdal/issues]) +AC_INIT([Heimdal],[7.7.0],[https://github.com/heimdal/heimdal/issues]) AC_CONFIG_SRCDIR([kuser/kinit.c]) AC_CONFIG_HEADERS(include/config.h) AC_CONFIG_MACRO_DIR([cf]) diff --git a/doc/doxyout/base/html/graph_legend.html b/doc/doxyout/base/html/graph_legend.html index 21148d1fd6ce..9e3376bda820 100644 --- a/doc/doxyout/base/html/graph_legend.html +++ b/doc/doxyout/base/html/graph_legend.html 
@@ -54,6 +54,6 @@ A yellow dashed arrow denotes a relation between a template instance and the tem </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:57 for Heimdalbaselibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:54 for Heimdalbaselibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/base/html/graph_legend.png b/doc/doxyout/base/html/graph_legend.png Binary files differindex 881e40f9c0a2..d1fdf389c3b6 100644 --- a/doc/doxyout/base/html/graph_legend.png +++ b/doc/doxyout/base/html/graph_legend.png diff --git a/doc/doxyout/base/html/group__heimbase.html b/doc/doxyout/base/html/group__heimbase.html index 35ed5c54071e..5d397fcf0bd4 100644 --- a/doc/doxyout/base/html/group__heimbase.html +++ b/doc/doxyout/base/html/group__heimbase.html @@ -226,6 +226,6 @@ $(function() { </dl> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:57 for Heimdalbaselibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:54 for Heimdalbaselibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/base/html/index.html b/doc/doxyout/base/html/index.html index a972416d57ea..74f4db2129f6 100644 --- a/doc/doxyout/base/html/index.html +++ b/doc/doxyout/base/html/index.html 
@@ -25,6 +25,6 @@ $(function() { <div class="contents"> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:57 for Heimdalbaselibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:54 for Heimdalbaselibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/base/html/modules.html b/doc/doxyout/base/html/modules.html index b144695e1cf6..e7555d913f51 100644 --- a/doc/doxyout/base/html/modules.html +++ b/doc/doxyout/base/html/modules.html @@ -30,6 +30,6 @@ $(function() { </div><!-- directory --> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:57 for Heimdalbaselibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:54 for Heimdalbaselibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/base/man/man3/heimbase.3 b/doc/doxyout/base/man/man3/heimbase.3 index ebb63a535b68..d985dfa2c826 100644 --- a/doc/doxyout/base/man/man3/heimbase.3 +++ b/doc/doxyout/base/man/man3/heimbase.3 @@ -1,4 +1,4 @@ -.TH "heimbase" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalbaselibrary" \" -*- nroff -*- +.TH "heimbase" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalbaselibrary" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/gssapi/html/graph_legend.html b/doc/doxyout/gssapi/html/graph_legend.html index 0b316149c379..908346add718 100644 --- a/doc/doxyout/gssapi/html/graph_legend.html +++ b/doc/doxyout/gssapi/html/graph_legend.html 
@@ -54,6 +54,6 @@ A yellow dashed arrow denotes a relation between a template instance and the tem </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for HeimdalGSS-APIlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for HeimdalGSS-APIlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/gssapi/html/graph_legend.png b/doc/doxyout/gssapi/html/graph_legend.png Binary files differindex 881e40f9c0a2..d1fdf389c3b6 100644 --- a/doc/doxyout/gssapi/html/graph_legend.png +++ b/doc/doxyout/gssapi/html/graph_legend.png diff --git a/doc/doxyout/gssapi/html/group__gssapi.html b/doc/doxyout/gssapi/html/group__gssapi.html index 3ba73bf37136..9ce2435c2cac 100644 --- a/doc/doxyout/gssapi/html/group__gssapi.html +++ b/doc/doxyout/gssapi/html/group__gssapi.html @@ -998,6 +998,6 @@ Variables</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for HeimdalGSS-APIlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for HeimdalGSS-APIlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/gssapi/html/gssapi_mechs_intro.html b/doc/doxyout/gssapi/html/gssapi_mechs_intro.html index 8dc4dc867309..932e85b69a26 100644 --- a/doc/doxyout/gssapi/html/gssapi_mechs_intro.html +++ b/doc/doxyout/gssapi/html/gssapi_mechs_intro.html 
@@ -32,6 +32,6 @@ GSS-API mechanisms</h1> </ul> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for HeimdalGSS-APIlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for HeimdalGSS-APIlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/gssapi/html/gssapi_services_intro.html b/doc/doxyout/gssapi/html/gssapi_services_intro.html index 3a4713933796..1f9155c99b77 100644 --- a/doc/doxyout/gssapi/html/gssapi_services_intro.html +++ b/doc/doxyout/gssapi/html/gssapi_services_intro.html @@ -65,6 +65,6 @@ Per-message services</h2> </ul> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for HeimdalGSS-APIlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for HeimdalGSS-APIlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/gssapi/html/index.html b/doc/doxyout/gssapi/html/index.html index 683bd855d30b..b18d17ae9b11 100644 --- a/doc/doxyout/gssapi/html/index.html +++ b/doc/doxyout/gssapi/html/index.html 
@@ -38,6 +38,6 @@ $(function() { </ul> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for HeimdalGSS-APIlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for HeimdalGSS-APIlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/gssapi/html/internal_v_smechname.html b/doc/doxyout/gssapi/html/internal_v_smechname.html index 5f94e5683680..4e403675cb9f 100644 --- a/doc/doxyout/gssapi/html/internal_v_smechname.html +++ b/doc/doxyout/gssapi/html/internal_v_smechname.html @@ -35,6 +35,6 @@ Name forms</h1> token", "internal", and "MN"). </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for HeimdalGSS-APIlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for HeimdalGSS-APIlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/gssapi/html/modules.html b/doc/doxyout/gssapi/html/modules.html index b94726690c3e..347c09365fb0 100644 --- a/doc/doxyout/gssapi/html/modules.html +++ b/doc/doxyout/gssapi/html/modules.html 
@@ -30,6 +30,6 @@ $(function() { </div><!-- directory --> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for HeimdalGSS-APIlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for HeimdalGSS-APIlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/gssapi/html/pages.html b/doc/doxyout/gssapi/html/pages.html index dc928cb9d61a..74a8dd6f1f98 100644 --- a/doc/doxyout/gssapi/html/pages.html +++ b/doc/doxyout/gssapi/html/pages.html @@ -32,6 +32,6 @@ $(function() { </div><!-- directory --> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for HeimdalGSS-APIlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for HeimdalGSS-APIlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/gssapi/man/man3/gssapi.3 b/doc/doxyout/gssapi/man/man3/gssapi.3 index e477c02407df..4f13d97fb908 100644 --- a/doc/doxyout/gssapi/man/man3/gssapi.3 +++ b/doc/doxyout/gssapi/man/man3/gssapi.3 @@ -1,4 +1,4 @@ -.TH "gssapi" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalGSS-APIlibrary" \" -*- nroff -*- +.TH "gssapi" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalGSS-APIlibrary" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/gssapi/man/man3/gssapi_mechs_intro.3 b/doc/doxyout/gssapi/man/man3/gssapi_mechs_intro.3 index a1476ede8cd1..7c488172be46 100644 --- a/doc/doxyout/gssapi/man/man3/gssapi_mechs_intro.3 
+++ b/doc/doxyout/gssapi/man/man3/gssapi_mechs_intro.3 @@ -1,4 +1,4 @@ -.TH "gssapi_mechs_intro" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalGSS-APIlibrary" \" -*- nroff -*- +.TH "gssapi_mechs_intro" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalGSS-APIlibrary" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/gssapi/man/man3/gssapi_services_intro.3 b/doc/doxyout/gssapi/man/man3/gssapi_services_intro.3 index 986b75adffd7..9df1aac7c6d9 100644 --- a/doc/doxyout/gssapi/man/man3/gssapi_services_intro.3 +++ b/doc/doxyout/gssapi/man/man3/gssapi_services_intro.3 @@ -1,4 +1,4 @@ -.TH "gssapi_services_intro" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalGSS-APIlibrary" \" -*- nroff -*- +.TH "gssapi_services_intro" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalGSS-APIlibrary" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/gssapi/man/man3/internal_v_smechname.3 b/doc/doxyout/gssapi/man/man3/internal_v_smechname.3 index 51dbb3b74a95..b45a757b936e 100644 --- a/doc/doxyout/gssapi/man/man3/internal_v_smechname.3 +++ b/doc/doxyout/gssapi/man/man3/internal_v_smechname.3 @@ -1,4 +1,4 @@ -.TH "internal_v_smechname" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalGSS-APIlibrary" \" -*- nroff -*- +.TH "internal_v_smechname" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalGSS-APIlibrary" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hcrypto/html/example_evp_cipher_8c-example.html b/doc/doxyout/hcrypto/html/example_evp_cipher_8c-example.html index 33d7824e6b61..0d96ac2cc42f 100644 --- a/doc/doxyout/hcrypto/html/example_evp_cipher_8c-example.html +++ b/doc/doxyout/hcrypto/html/example_evp_cipher_8c-example.html 
@@ -26,6 +26,6 @@ $(function() { <p>This is an example how to use <a class="el" href="group__hcrypto__evp.html#ga98da5a5c1aa25d9cb2e4717fa11314bd">EVP_CipherInit_ex()</a>, <a class="el" href="group__hcrypto__evp.html#ga863349e1001b36cfd6c4afedddd12862">EVP_CipherUpdate()</a> and <a class="el" href="group__hcrypto__evp.html#ga714eef7d737fd68171d852043a4995de">EVP_CipherFinal_ex()</a>.</p> <div class="fragment"><div class="line"><span class="comment">/*</span></div><div class="line"><span class="comment"> * Copyright (c) 2008 Kungliga Tekniska Högskolan</span></div><div class="line"><span class="comment"> * (Royal Institute of Technology, Stockholm, Sweden).</span></div><div class="line"><span class="comment"> * All rights reserved.</span></div><div class="line"><span class="comment"> *</span></div><div class="line"><span class="comment"> * Redistribution and use in source and binary forms, with or without</span></div><div class="line"><span class="comment"> * modification, are permitted provided that the following conditions</span></div><div class="line"><span class="comment"> * are met:</span></div><div class="line"><span class="comment"> *</span></div><div class="line"><span class="comment"> * 1. Redistributions of source code must retain the above copyright</span></div><div class="line"><span class="comment"> * notice, this list of conditions and the following disclaimer.</span></div><div class="line"><span class="comment"> *</span></div><div class="line"><span class="comment"> * 2. Redistributions in binary form must reproduce the above copyright</span></div><div class="line"><span class="comment"> * notice, this list of conditions and the following disclaimer in the</span></div><div class="line"><span class="comment"> * documentation and/or other materials provided with the distribution.</span></div><div class="line"><span class="comment"> *</span></div><div class="line"><span class="comment"> * 3. 
Neither the name of the Institute nor the names of its contributors</span></div><div class="line"><span class="comment"> * may be used to endorse or promote products derived from this software</span></div><div class="line"><span class="comment"> * without specific prior written permission.</span></div><div class="line"><span class="comment"> *</span></div><div class="line"><span class="comment"> * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND</span></div><div class="line"><span class="comment"> * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE</span></div><div class="line"><span class="comment"> * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE</span></div><div class="line"><span class="comment"> * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE</span></div><div class="line"><span class="comment"> * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL</span></div><div class="line"><span class="comment"> * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS</span></div><div class="line"><span class="comment"> * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)</span></div><div class="line"><span class="comment"> * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT</span></div><div class="line"><span class="comment"> * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY</span></div><div class="line"><span class="comment"> * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF</span></div><div class="line"><span class="comment"> * SUCH DAMAGE.</span></div><div class="line"><span class="comment"> */</span></div><div class="line"></div><div class="line"><span class="preprocessor">#include <config.h></span></div><div class="line"><span class="preprocessor">#include <roken.h></span></div><div class="line"></div><div class="line"><span 
class="preprocessor">#include <krb5-types.h></span> <span class="comment">/* should really be stdint.h */</span></div><div class="line"><span class="preprocessor">#include <hcrypto/evp.h></span></div><div class="line"><span class="preprocessor">#include <hcrypto/evp-pkcs11.h></span></div><div class="line"><span class="preprocessor">#ifdef __APPLE__</span></div><div class="line"><span class="preprocessor">#include <hcrypto/evp-cc.h></span></div><div class="line"><span class="preprocessor">#endif</span></div><div class="line"><span class="preprocessor">#ifdef _WIN32</span></div><div class="line"><span class="preprocessor">#include <hcrypto/evp-w32.h></span></div><div class="line"><span class="preprocessor">#endif</span></div><div class="line"></div><div class="line"><span class="preprocessor">#include <err.h></span></div><div class="line"><span class="preprocessor">#include <assert.h></span></div><div class="line"></div><div class="line"><span class="comment">/* key and initial vector */</span></div><div class="line"><span class="keyword">static</span> <span class="keywordtype">char</span> key[16] =</div><div class="line"> <span class="stringliteral">"\xaa\xbb\x45\xd4\xaa\xbb\x45\xd4"</span></div><div class="line"> <span class="stringliteral">"\xaa\xbb\x45\xd4\xaa\xbb\x45\xd4"</span>;</div><div class="line"><span class="keyword">static</span> <span class="keywordtype">char</span> ivec[16] =</div><div class="line"> <span class="stringliteral">"\xaa\xbb\x45\xd4\xaa\xbb\x45\xd4"</span></div><div class="line"> <span class="stringliteral">"\xaa\xbb\x45\xd4\xaa\xbb\x45\xd4"</span>;</div><div class="line"></div><div class="line"><span class="keyword">static</span> <span class="keywordtype">void</span></div><div class="line">usage(<span class="keywordtype">int</span> exit_code) __attribute__((noreturn));</div><div class="line"></div><div class="line"><span class="keyword">static</span> <span class="keywordtype">void</span></div><div class="line">usage(<span 
class="keywordtype">int</span> exit_code)</div><div class="line">{</div><div class="line"> printf(<span class="stringliteral">"usage: %s in out [pkcs11 | cc | w32]\n"</span>, getprogname());</div><div class="line"> exit(exit_code);</div><div class="line">}</div><div class="line"></div><div class="line"></div><div class="line"><span class="keywordtype">int</span></div><div class="line">main(<span class="keywordtype">int</span> argc, <span class="keywordtype">char</span> **argv)</div><div class="line">{</div><div class="line"> <span class="keywordtype">int</span> encryptp = 1;</div><div class="line"> <span class="keyword">const</span> <span class="keywordtype">char</span> *ifn = NULL, *ofn = NULL;</div><div class="line"> FILE *in, *out;</div><div class="line"> <span class="keywordtype">void</span> *ibuf, *obuf;</div><div class="line"> <span class="keywordtype">int</span> ilen, olen;</div><div class="line"> <span class="keywordtype">size_t</span> block_size = 0;</div><div class="line"> <span class="keyword">const</span> EVP_CIPHER *c = <a name="a0"></a><a class="code" href="group__hcrypto__evp.html#ga2747bac943db15c97167ac37fdc2af43">EVP_aes_128_cbc</a>();</div><div class="line"> EVP_CIPHER_CTX ctx;</div><div class="line"> <span class="keywordtype">int</span> ret;</div><div class="line"></div><div class="line"> setprogname(argv[0]);</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (argc == 2) {</div><div class="line"> <span class="keywordflow">if</span> (strcmp(argv[1], <span class="stringliteral">"--version"</span>) == 0) {</div><div class="line"> printf(<span class="stringliteral">"version"</span>);</div><div class="line"> exit(0);</div><div class="line"> }</div><div class="line"> <span class="keywordflow">if</span> (strcmp(argv[1], <span class="stringliteral">"--help"</span>) == 0)</div><div class="line"> usage(0);</div><div class="line"> usage(1);</div><div class="line"> } <span class="keywordflow">else</span> <span 
class="keywordflow">if</span> (argc == 4 || argc == 5) {</div><div class="line"> block_size = atoi(argv[1]);</div><div class="line"> <span class="keywordflow">if</span> (block_size == 0)</div><div class="line"> errx(1, <span class="stringliteral">"invalid blocksize %s"</span>, argv[1]);</div><div class="line"> ifn = argv[2];</div><div class="line"> ofn = argv[3];</div><div class="line"> <span class="keywordflow">if</span> (argc == 5) {</div><div class="line"> <span class="keywordflow">if</span> (strcmp(argv[4], <span class="stringliteral">"pkcs11"</span>) == 0)</div><div class="line"> c = hc_EVP_pkcs11_aes_128_cbc();</div><div class="line"><span class="preprocessor">#ifdef __APPLE__</span></div><div class="line"> <span class="keywordflow">else</span> <span class="keywordflow">if</span> (strcmp(argv[4], <span class="stringliteral">"cc"</span>) == 0)</div><div class="line"> c = hc_EVP_cc_aes_128_cbc();</div><div class="line"><span class="preprocessor">#endif</span></div><div class="line"><span class="preprocessor">#ifdef _WIN32</span></div><div class="line"> <span class="keywordflow">else</span> <span class="keywordflow">if</span> (strcmp(argv[4], <span class="stringliteral">"w32"</span>) == 0)</div><div class="line"> c = hc_EVP_w32crypto_aes_128_cbc();</div><div class="line"><span class="preprocessor">#endif</span></div><div class="line"> <span class="keywordflow">else</span></div><div class="line"> usage(1);</div><div class="line"> }</div><div class="line"> } <span class="keywordflow">else</span></div><div class="line"> usage(1);</div><div class="line"></div><div class="line"> in = fopen(ifn, <span class="stringliteral">"r"</span>);</div><div class="line"> <span class="keywordflow">if</span> (in == NULL)</div><div class="line"> errx(1, <span class="stringliteral">"failed to open input file"</span>);</div><div class="line"> out = fopen(ofn, <span class="stringliteral">"w+"</span>);</div><div class="line"> <span class="keywordflow">if</span> (out == NULL)</div><div 
class="line"> errx(1, <span class="stringliteral">"failed to open output file"</span>);</div><div class="line"></div><div class="line"> <span class="comment">/* Check that key and ivec are long enough */</span></div><div class="line"> assert(<a name="a1"></a><a class="code" href="group__hcrypto__evp.html#ga4793a9e130da86ac42c497b19395b748">EVP_CIPHER_key_length</a>(c) <= <span class="keyword">sizeof</span>(key));</div><div class="line"> assert(<a name="a2"></a><a class="code" href="group__hcrypto__evp.html#ga7edebe76d19dee11686a6698d24f19f5">EVP_CIPHER_iv_length</a>(c) <= <span class="keyword">sizeof</span>(ivec));</div><div class="line"></div><div class="line"> <span class="comment">/*</span></div><div class="line"><span class="comment"> * Allocate buffer, the output buffer is at least</span></div><div class="line"><span class="comment"> * EVP_CIPHER_block_size() longer</span></div><div class="line"><span class="comment"> */</span></div><div class="line"> ibuf = malloc(block_size);</div><div class="line"> obuf = malloc(block_size + <a name="a3"></a><a class="code" href="group__hcrypto__evp.html#ga3123ff4b426783dd972538249b9e9d4d">EVP_CIPHER_block_size</a>(c));</div><div class="line"></div><div class="line"> <span class="comment">/*</span></div><div class="line"><span class="comment"> * Init the memory used for EVP_CIPHER_CTX and set the key and</span></div><div class="line"><span class="comment"> * ivec.</span></div><div class="line"><span class="comment"> */</span></div><div class="line"> <a name="a4"></a><a class="code" href="group__hcrypto__evp.html#ga13d0ff0e87312566cb6b3591157f9754">EVP_CIPHER_CTX_init</a>(&ctx);</div><div class="line"> <a name="a5"></a><a class="code" href="group__hcrypto__evp.html#ga98da5a5c1aa25d9cb2e4717fa11314bd">EVP_CipherInit_ex</a>(&ctx, c, NULL, key, ivec, encryptp);</div><div class="line"></div><div class="line"> <span class="comment">/* read in buffer */</span></div><div class="line"> <span class="keywordflow">while</span> ((ilen = 
fread(ibuf, 1, block_size, in)) > 0) {</div><div class="line"> <span class="comment">/* encrypto/decrypt */</span></div><div class="line"> ret = <a name="a6"></a><a class="code" href="group__hcrypto__evp.html#ga863349e1001b36cfd6c4afedddd12862">EVP_CipherUpdate</a>(&ctx, obuf, &olen, ibuf, ilen);</div><div class="line"> <span class="keywordflow">if</span> (ret != 1) {</div><div class="line"> <a name="a7"></a><a class="code" href="group__hcrypto__evp.html#gac16dd3987cd90c8bcdbad5290c558359">EVP_CIPHER_CTX_cleanup</a>(&ctx);</div><div class="line"> errx(1, <span class="stringliteral">"EVP_CipherUpdate failed"</span>);</div><div class="line"> }</div><div class="line"> <span class="comment">/* write out to output file */</span></div><div class="line"> fwrite(obuf, 1, olen, out);</div><div class="line"> }</div><div class="line"> <span class="comment">/* done reading */</span></div><div class="line"> fclose(in);</div><div class="line"></div><div class="line"> <span class="comment">/* clear up any last bytes left in the output buffer */</span></div><div class="line"> ret = <a name="a8"></a><a class="code" href="group__hcrypto__evp.html#ga714eef7d737fd68171d852043a4995de">EVP_CipherFinal_ex</a>(&ctx, obuf, &olen);</div><div class="line"> <a class="code" href="group__hcrypto__evp.html#gac16dd3987cd90c8bcdbad5290c558359">EVP_CIPHER_CTX_cleanup</a>(&ctx);</div><div class="line"> <span class="keywordflow">if</span> (ret != 1)</div><div class="line"> errx(1, <span class="stringliteral">"EVP_CipherFinal_ex failed"</span>);</div><div class="line"></div><div class="line"> <span class="comment">/* write the last bytes out and close */</span></div><div class="line"> fwrite(obuf, 1, olen, out);</div><div class="line"> fclose(out);</div><div class="line"></div><div class="line"> <span class="keywordflow">return</span> 0;</div><div class="line">}</div></div><!-- fragment --> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 
03:49:01 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hcrypto/html/examples.html b/doc/doxyout/hcrypto/html/examples.html index 1991d47ea192..3fa08b262314 100644 --- a/doc/doxyout/hcrypto/html/examples.html +++ b/doc/doxyout/hcrypto/html/examples.html @@ -29,6 +29,6 @@ $(function() { </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:01 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hcrypto/html/graph_legend.html b/doc/doxyout/hcrypto/html/graph_legend.html index fcace4454453..792d3a93348c 100644 --- a/doc/doxyout/hcrypto/html/graph_legend.html +++ b/doc/doxyout/hcrypto/html/graph_legend.html 
@@ -54,6 +54,6 @@ A yellow dashed arrow denotes a relation between a template instance and the tem </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:01 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hcrypto/html/graph_legend.png b/doc/doxyout/hcrypto/html/graph_legend.png Binary files differindex 881e40f9c0a2..d1fdf389c3b6 100644 --- a/doc/doxyout/hcrypto/html/graph_legend.png +++ b/doc/doxyout/hcrypto/html/graph_legend.png diff --git a/doc/doxyout/hcrypto/html/group__hcrypto__core.html b/doc/doxyout/hcrypto/html/group__hcrypto__core.html index 5b3a446a31c4..34bb9de84c73 100644 --- a/doc/doxyout/hcrypto/html/group__hcrypto__core.html +++ b/doc/doxyout/hcrypto/html/group__hcrypto__core.html @@ -188,6 +188,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:01 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hcrypto/html/group__hcrypto__des.html b/doc/doxyout/hcrypto/html/group__hcrypto__des.html index d12da9a7aab3..af86c1000850 100644 --- a/doc/doxyout/hcrypto/html/group__hcrypto__des.html +++ b/doc/doxyout/hcrypto/html/group__hcrypto__des.html 
@@ -906,6 +906,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:01 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hcrypto/html/group__hcrypto__dh.html b/doc/doxyout/hcrypto/html/group__hcrypto__dh.html index e8f00d202b7b..54442b73646a 100644 --- a/doc/doxyout/hcrypto/html/group__hcrypto__dh.html +++ b/doc/doxyout/hcrypto/html/group__hcrypto__dh.html @@ -563,6 +563,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:01 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hcrypto/html/group__hcrypto__evp.html b/doc/doxyout/hcrypto/html/group__hcrypto__evp.html index 9312451d7d70..0aa5fe9684e7 100644 --- a/doc/doxyout/hcrypto/html/group__hcrypto__evp.html +++ b/doc/doxyout/hcrypto/html/group__hcrypto__evp.html 
@@ -3132,6 +3132,6 @@ the RC4 EVP_CIPHER pointer. </dd></dl> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:01 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hcrypto/html/group__hcrypto__misc.html b/doc/doxyout/hcrypto/html/group__hcrypto__misc.html index 6a0b126cb69e..d583ee6fa20d 100644 --- a/doc/doxyout/hcrypto/html/group__hcrypto__misc.html +++ b/doc/doxyout/hcrypto/html/group__hcrypto__misc.html @@ -188,6 +188,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:01 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hcrypto/html/group__hcrypto__rand.html b/doc/doxyout/hcrypto/html/group__hcrypto__rand.html index a923251e9e7e..425b754ff4af 100644 --- a/doc/doxyout/hcrypto/html/group__hcrypto__rand.html +++ b/doc/doxyout/hcrypto/html/group__hcrypto__rand.html 
@@ -422,6 +422,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:01 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hcrypto/html/group__hcrypto__rsa.html b/doc/doxyout/hcrypto/html/group__hcrypto__rsa.html index 880db5a33a95..db2421d066c1 100644 --- a/doc/doxyout/hcrypto/html/group__hcrypto__rsa.html +++ b/doc/doxyout/hcrypto/html/group__hcrypto__rsa.html @@ -273,6 +273,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:01 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hcrypto/html/index.html b/doc/doxyout/hcrypto/html/index.html index d2c15762a14e..f2753313a73e 100644 --- a/doc/doxyout/hcrypto/html/index.html +++ b/doc/doxyout/hcrypto/html/index.html 
@@ -52,6 +52,6 @@ History</h2> <p>libhcrypto is an independent implementation with no code decended from ssleay/openssl. Both includes some common imported code, for example the AES implementation. </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:01 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hcrypto/html/modules.html b/doc/doxyout/hcrypto/html/modules.html index c928c0e9b413..9cca5e311f40 100644 --- a/doc/doxyout/hcrypto/html/modules.html +++ b/doc/doxyout/hcrypto/html/modules.html @@ -36,6 +36,6 @@ $(function() { </div><!-- directory --> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:01 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hcrypto/html/page_des.html b/doc/doxyout/hcrypto/html/page_des.html index c3902a3d8925..deca0af6ecd6 100644 --- a/doc/doxyout/hcrypto/html/page_des.html +++ b/doc/doxyout/hcrypto/html/page_des.html 
@@ -43,6 +43,6 @@ Implementation of the Data Encryption Standard" by Dag Arne Osvik. I never got t <p>The core DES function (SBOX + P transformation) is from Richard Outerbridge public domain DES implementation. My sanity is saved thanks to his work. Thank you Richard. </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:01 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hcrypto/html/page_dh.html b/doc/doxyout/hcrypto/html/page_dh.html index ca5a61db099a..2dcd77229fab 100644 --- a/doc/doxyout/hcrypto/html/page_dh.html +++ b/doc/doxyout/hcrypto/html/page_dh.html @@ -32,6 +32,6 @@ $(function() { <p>See the library functions here: <a class="el" href="group__hcrypto__dh.html">Diffie-Hellman functions</a> </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:01 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hcrypto/html/page_evp.html b/doc/doxyout/hcrypto/html/page_evp.html index 8d405db5d294..f46769473241 100644 --- a/doc/doxyout/hcrypto/html/page_evp.html +++ b/doc/doxyout/hcrypto/html/page_evp.html 
@@ -33,6 +33,6 @@ EVP Cipher</h1> <p>The use of <a class="el" href="group__hcrypto__evp.html#ga98da5a5c1aa25d9cb2e4717fa11314bd">EVP_CipherInit_ex()</a> and EVP_Cipher() is pretty easy to understand forward, then <a class="el" href="group__hcrypto__evp.html#ga863349e1001b36cfd6c4afedddd12862">EVP_CipherUpdate()</a> and <a class="el" href="group__hcrypto__evp.html#ga714eef7d737fd68171d852043a4995de">EVP_CipherFinal_ex()</a> really needs an example to explain <a class="el" href="example_evp_cipher_8c-example.html">example_evp_cipher.c</a> . </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:01 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hcrypto/html/page_rand.html b/doc/doxyout/hcrypto/html/page_rand.html index c874c4bb0eec..d1ac06fc1897 100644 --- a/doc/doxyout/hcrypto/html/page_rand.html +++ b/doc/doxyout/hcrypto/html/page_rand.html @@ -30,6 +30,6 @@ $(function() { <div class="textblock"><p>See the library functions here: <a class="el" href="group__hcrypto__rand.html">RAND crypto functions</a> </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:01 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> 
diff --git a/doc/doxyout/hcrypto/html/page_rsa.html b/doc/doxyout/hcrypto/html/page_rsa.html index 00381fe1826a..75b79f31d7ff 100644 --- a/doc/doxyout/hcrypto/html/page_rsa.html +++ b/doc/doxyout/hcrypto/html/page_rsa.html @@ -34,6 +34,6 @@ $(function() { <p>See the library functions here: <a class="el" href="group__hcrypto__rsa.html">RSA functions</a> </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:01 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hcrypto/html/pages.html b/doc/doxyout/hcrypto/html/pages.html index ec09e18e28ed..5717e2084d02 100644 --- a/doc/doxyout/hcrypto/html/pages.html +++ b/doc/doxyout/hcrypto/html/pages.html @@ -29,6 +29,6 @@ $(function() { </div><!-- directory --> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:01 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdal crypto library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hcrypto/man/man3/hcrypto_core.3 b/doc/doxyout/hcrypto/man/man3/hcrypto_core.3 index dbb50b0fab84..44c0f7407638 100644 --- a/doc/doxyout/hcrypto/man/man3/hcrypto_core.3 +++ b/doc/doxyout/hcrypto/man/man3/hcrypto_core.3 
@@ -1,4 +1,4 @@ -.TH "hcrypto_core" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdal crypto library" \" -*- nroff -*- +.TH "hcrypto_core" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdal crypto library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hcrypto/man/man3/hcrypto_des.3 b/doc/doxyout/hcrypto/man/man3/hcrypto_des.3 index 5459961fb3ca..cd3a379dddd6 100644 --- a/doc/doxyout/hcrypto/man/man3/hcrypto_des.3 +++ b/doc/doxyout/hcrypto/man/man3/hcrypto_des.3 @@ -1,4 +1,4 @@ -.TH "hcrypto_des" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdal crypto library" \" -*- nroff -*- +.TH "hcrypto_des" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdal crypto library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hcrypto/man/man3/hcrypto_dh.3 b/doc/doxyout/hcrypto/man/man3/hcrypto_dh.3 index 8be0607585e3..709dcfe3f934 100644 --- a/doc/doxyout/hcrypto/man/man3/hcrypto_dh.3 +++ b/doc/doxyout/hcrypto/man/man3/hcrypto_dh.3 @@ -1,4 +1,4 @@ -.TH "hcrypto_dh" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdal crypto library" \" -*- nroff -*- +.TH "hcrypto_dh" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdal crypto library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hcrypto/man/man3/hcrypto_evp.3 b/doc/doxyout/hcrypto/man/man3/hcrypto_evp.3 index bc5487706999..b6cf2c72094f 100644 --- a/doc/doxyout/hcrypto/man/man3/hcrypto_evp.3 +++ b/doc/doxyout/hcrypto/man/man3/hcrypto_evp.3 @@ -1,4 +1,4 @@ -.TH "hcrypto_evp" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdal crypto library" \" -*- nroff -*- +.TH "hcrypto_evp" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdal crypto library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hcrypto/man/man3/hcrypto_misc.3 b/doc/doxyout/hcrypto/man/man3/hcrypto_misc.3 index c93ac5761a63..863971e9d277 100644 --- a/doc/doxyout/hcrypto/man/man3/hcrypto_misc.3 +++ b/doc/doxyout/hcrypto/man/man3/hcrypto_misc.3 
@@ -1,4 +1,4 @@ -.TH "hcrypto_misc" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdal crypto library" \" -*- nroff -*- +.TH "hcrypto_misc" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdal crypto library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hcrypto/man/man3/hcrypto_rand.3 b/doc/doxyout/hcrypto/man/man3/hcrypto_rand.3 index e7505bc06afa..610f79c9c6a6 100644 --- a/doc/doxyout/hcrypto/man/man3/hcrypto_rand.3 +++ b/doc/doxyout/hcrypto/man/man3/hcrypto_rand.3 @@ -1,4 +1,4 @@ -.TH "hcrypto_rand" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdal crypto library" \" -*- nroff -*- +.TH "hcrypto_rand" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdal crypto library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hcrypto/man/man3/hcrypto_rsa.3 b/doc/doxyout/hcrypto/man/man3/hcrypto_rsa.3 index 96c1330a1f96..5fa2c5cd36a9 100644 --- a/doc/doxyout/hcrypto/man/man3/hcrypto_rsa.3 +++ b/doc/doxyout/hcrypto/man/man3/hcrypto_rsa.3 @@ -1,4 +1,4 @@ -.TH "hcrypto_rsa" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdal crypto library" \" -*- nroff -*- +.TH "hcrypto_rsa" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdal crypto library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hcrypto/man/man3/page_des.3 b/doc/doxyout/hcrypto/man/man3/page_des.3 index b5066afc336b..bf532f7b5578 100644 --- a/doc/doxyout/hcrypto/man/man3/page_des.3 +++ b/doc/doxyout/hcrypto/man/man3/page_des.3 @@ -1,4 +1,4 @@ -.TH "page_des" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdal crypto library" \" -*- nroff -*- +.TH "page_des" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdal crypto library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hcrypto/man/man3/page_dh.3 b/doc/doxyout/hcrypto/man/man3/page_dh.3 index 8dad9d2f737a..9828a495c95d 100644 --- a/doc/doxyout/hcrypto/man/man3/page_dh.3 +++ b/doc/doxyout/hcrypto/man/man3/page_dh.3 
@@ -1,4 +1,4 @@ -.TH "page_dh" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdal crypto library" \" -*- nroff -*- +.TH "page_dh" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdal crypto library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hcrypto/man/man3/page_evp.3 b/doc/doxyout/hcrypto/man/man3/page_evp.3 index c97d894714c7..f152be1b4da1 100644 --- a/doc/doxyout/hcrypto/man/man3/page_evp.3 +++ b/doc/doxyout/hcrypto/man/man3/page_evp.3 @@ -1,4 +1,4 @@ -.TH "page_evp" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdal crypto library" \" -*- nroff -*- +.TH "page_evp" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdal crypto library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hcrypto/man/man3/page_rand.3 b/doc/doxyout/hcrypto/man/man3/page_rand.3 index c4051f083889..fd66b5341cde 100644 --- a/doc/doxyout/hcrypto/man/man3/page_rand.3 +++ b/doc/doxyout/hcrypto/man/man3/page_rand.3 @@ -1,4 +1,4 @@ -.TH "page_rand" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdal crypto library" \" -*- nroff -*- +.TH "page_rand" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdal crypto library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hcrypto/man/man3/page_rsa.3 b/doc/doxyout/hcrypto/man/man3/page_rsa.3 index bc257ec59d87..c8372abb71e5 100644 --- a/doc/doxyout/hcrypto/man/man3/page_rsa.3 +++ b/doc/doxyout/hcrypto/man/man3/page_rsa.3 @@ -1,4 +1,4 @@ -.TH "page_rsa" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdal crypto library" \" -*- nroff -*- +.TH "page_rsa" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdal crypto library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hdb/html/annotated.html b/doc/doxyout/hdb/html/annotated.html index c1ad4ed68d0e..1543f6a78bb5 100644 --- a/doc/doxyout/hdb/html/annotated.html +++ b/doc/doxyout/hdb/html/annotated.html 
@@ -31,6 +31,6 @@ $(function() { </div><!-- directory --> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:57 for Heimdalhdblibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:54 for Heimdalhdblibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hdb/html/classes.html b/doc/doxyout/hdb/html/classes.html index 822dc362efce..8c2e704ad6fd 100644 --- a/doc/doxyout/hdb/html/classes.html +++ b/doc/doxyout/hdb/html/classes.html @@ -34,6 +34,6 @@ $(function() { <div class="qindex"><a class="qindex" href="#letter_h">h</a></div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:57 for Heimdalhdblibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:54 for Heimdalhdblibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hdb/html/functions.html b/doc/doxyout/hdb/html/functions.html index deb69962a10f..52194727b42c 100644 --- a/doc/doxyout/hdb/html/functions.html +++ b/doc/doxyout/hdb/html/functions.html @@ -80,6 +80,9 @@ $(function() { <li>hdb_rename : <a class="el" href="struct_h_d_b.html#a6a6411230ae97787e3cab4d4ba493a3a">HDB</a> </li> +<li>hdb_set_sync +: <a class="el" href="struct_h_d_b.html#a5095640648b5f15b030ee15318881422">HDB</a> +</li> <li>hdb_store : <a class="el" href="struct_h_d_b.html#ace37bcc785b39826a25043302aaad7d4">HDB</a> </li> 
@@ -89,6 +92,6 @@ $(function() { </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:57 for Heimdalhdblibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:54 for Heimdalhdblibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hdb/html/functions_vars.html b/doc/doxyout/hdb/html/functions_vars.html index 4107e6d72612..77f0430ad46d 100644 --- a/doc/doxyout/hdb/html/functions_vars.html +++ b/doc/doxyout/hdb/html/functions_vars.html @@ -80,6 +80,9 @@ $(function() { <li>hdb_rename : <a class="el" href="struct_h_d_b.html#a6a6411230ae97787e3cab4d4ba493a3a">HDB</a> </li> +<li>hdb_set_sync +: <a class="el" href="struct_h_d_b.html#a5095640648b5f15b030ee15318881422">HDB</a> +</li> <li>hdb_store : <a class="el" href="struct_h_d_b.html#ace37bcc785b39826a25043302aaad7d4">HDB</a> </li> @@ -89,6 +92,6 @@ $(function() { </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:57 for Heimdalhdblibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:54 for Heimdalhdblibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hdb/html/graph_legend.html b/doc/doxyout/hdb/html/graph_legend.html index c1b27d2c7b4c..c587faceddf2 100644 --- a/doc/doxyout/hdb/html/graph_legend.html +++ b/doc/doxyout/hdb/html/graph_legend.html 
@@ -54,6 +54,6 @@ A yellow dashed arrow denotes a relation between a template instance and the tem </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:57 for Heimdalhdblibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:54 for Heimdalhdblibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hdb/html/graph_legend.png b/doc/doxyout/hdb/html/graph_legend.png Binary files differindex 881e40f9c0a2..d1fdf389c3b6 100644 --- a/doc/doxyout/hdb/html/graph_legend.png +++ b/doc/doxyout/hdb/html/graph_legend.png diff --git a/doc/doxyout/hdb/html/index.html b/doc/doxyout/hdb/html/index.html index 0678a8d794a3..835954e23274 100644 --- a/doc/doxyout/hdb/html/index.html +++ b/doc/doxyout/hdb/html/index.html @@ -36,6 +36,6 @@ Introduction</h1> <p>The project web page: <a href="http://www.h5l.org/">http://www.h5l.org/</a> </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:57 for Heimdalhdblibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:54 for Heimdalhdblibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hdb/html/struct_h_d_b.html b/doc/doxyout/hdb/html/struct_h_d_b.html index e67aba59d70b..5650b77cfd62 100644 --- a/doc/doxyout/hdb/html/struct_h_d_b.html +++ b/doc/doxyout/hdb/html/struct_h_d_b.html 
@@ -74,6 +74,8 @@ Data Fields</h2></td></tr> <tr class="separator:a74e50836e2b6032c53e079e24f37bd3b"><td class="memSeparator" colspan="2"> </td></tr> <tr class="memitem:a54cc9eb48be2209ca7761764bdffb747"><td class="memItemLeft" align="right" valign="top">krb5_error_code(* </td><td class="memItemRight" valign="bottom"><a class="el" href="struct_h_d_b.html#a54cc9eb48be2209ca7761764bdffb747">hdb_check_s4u2self</a> )(krb5_context, struct <a class="el" href="struct_h_d_b.html">HDB</a> *, <a class="el" href="structhdb__entry__ex.html">hdb_entry_ex</a> *, krb5_const_principal)</td></tr> <tr class="separator:a54cc9eb48be2209ca7761764bdffb747"><td class="memSeparator" colspan="2"> </td></tr> +<tr class="memitem:a5095640648b5f15b030ee15318881422"><td class="memItemLeft" align="right" valign="top">krb5_error_code(* </td><td class="memItemRight" valign="bottom"><a class="el" href="struct_h_d_b.html#a5095640648b5f15b030ee15318881422">hdb_set_sync</a> )(krb5_context, struct <a class="el" href="struct_h_d_b.html">HDB</a> *, int)</td></tr> +<tr class="separator:a5095640648b5f15b030ee15318881422"><td class="memSeparator" colspan="2"> </td></tr> </table> <a name="details" id="details"></a><h2 class="groupheader">Detailed Description</h2> <div class="textblock"><p><a class="el" href="struct_h_d_b.html">HDB</a> backend function pointer structure</p> 
@@ -395,6 +397,22 @@ Data Fields</h2></td></tr> </div> </div> +<a id="a5095640648b5f15b030ee15318881422"></a> +<h2 class="memtitle"><span class="permalink"><a href="#a5095640648b5f15b030ee15318881422">◆ </a></span>hdb_set_sync</h2> + +<div class="memitem"> +<div class="memproto"> + <table class="memname"> + <tr> + <td class="memname">krb5_error_code(* HDB::hdb_set_sync) (krb5_context, struct <a class="el" href="struct_h_d_b.html">HDB</a> *, int)</td> + </tr> + </table> +</div><div class="memdoc"> +<p>Enable/disable synchronous updates</p> +<p>Calling this with 0 disables sync. Calling it with non-zero enables sync and does an fsync(). </p> + +</div> +</div> <a id="ace37bcc785b39826a25043302aaad7d4"></a> <h2 class="memtitle"><span class="permalink"><a href="#ace37bcc785b39826a25043302aaad7d4">◆ </a></span>hdb_store</h2> @@ -430,6 +448,6 @@ Data Fields</h2></td></tr> </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:57 for Heimdalhdblibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:54 for Heimdalhdblibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hdb/html/structhdb__entry__ex.html b/doc/doxyout/hdb/html/structhdb__entry__ex.html index 955571e8e835..54f608c12832 100644 --- a/doc/doxyout/hdb/html/structhdb__entry__ex.html +++ b/doc/doxyout/hdb/html/structhdb__entry__ex.html 
@@ -32,6 +32,6 @@ $(function() { </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:57 for Heimdalhdblibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:54 for Heimdalhdblibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hdb/man/man3/HDB.3 b/doc/doxyout/hdb/man/man3/HDB.3 index 92cd66efe941..e6798dec4af8 100644 --- a/doc/doxyout/hdb/man/man3/HDB.3 +++ b/doc/doxyout/hdb/man/man3/HDB.3 @@ -1,4 +1,4 @@ -.TH "HDB" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalhdblibrary" \" -*- nroff -*- +.TH "HDB" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalhdblibrary" \" -*- nroff -*- .ad l .nh .SH NAME @@ -77,6 +77,9 @@ HDB .ti -1c .RI "krb5_error_code(* \fBhdb_check_s4u2self\fP )(krb5_context, struct \fBHDB\fP *, \fBhdb_entry_ex\fP *, krb5_const_principal)" .br +.ti -1c +.RI "krb5_error_code(* \fBhdb_set_sync\fP )(krb5_context, struct \fBHDB\fP *, int)" +.br .in -1c .SH "Detailed Description" .PP @@ -157,6 +160,10 @@ Remove an entry from the database\&. Rename the data base\&. .PP Assume that the database is not hdb_open'ed and not locked\&. +.SS "krb5_error_code(* HDB::hdb_set_sync) (krb5_context, struct \fBHDB\fP *, int)" +Enable/disable synchronous updates +.PP +Calling this with 0 disables sync\&. Calling it with non-zero enables sync and does an fsync()\&. .SS "krb5_error_code(* HDB::hdb_store) (krb5_context, struct \fBHDB\fP *, unsigned, \fBhdb_entry_ex\fP *)" Store an entry to database .SS "krb5_error_code(* HDB::hdb_unlock) (krb5_context, struct \fBHDB\fP *)" diff --git a/doc/doxyout/hdb/man/man3/hdb_entry_ex.3 b/doc/doxyout/hdb/man/man3/hdb_entry_ex.3 index 8f955ba9a5bc..f71b46453929 100644 --- a/doc/doxyout/hdb/man/man3/hdb_entry_ex.3 
+++ b/doc/doxyout/hdb/man/man3/hdb_entry_ex.3 @@ -1,4 +1,4 @@ -.TH "hdb_entry_ex" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalhdblibrary" \" -*- nroff -*- +.TH "hdb_entry_ex" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalhdblibrary" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hdb/man/man3/hdb_set_sync.3 b/doc/doxyout/hdb/man/man3/hdb_set_sync.3 new file mode 100644 index 000000000000..46f8e91739a1 --- /dev/null +++ b/doc/doxyout/hdb/man/man3/hdb_set_sync.3 @@ -0,0 +1 @@ +.so man3/HDB.3 diff --git a/doc/doxyout/hdb/manpages b/doc/doxyout/hdb/manpages index 75a9fd0e1b28..880271bcdedf 100644 --- a/doc/doxyout/hdb/manpages +++ b/doc/doxyout/hdb/manpages @@ -9,6 +9,7 @@ hdb/man/man3/hdb_check_s4u2self.3 hdb/man/man3/hdb_lock.3 hdb/man/man3/hdb_remove.3 hdb/man/man3/hdb_open.3 +hdb/man/man3/hdb_set_sync.3 hdb/man/man3/hdb__get.3 hdb/man/man3/hdb_firstkey.3 hdb/man/man3/hdb_get_realms.3 diff --git a/doc/doxyout/hx509/html/graph_legend.html b/doc/doxyout/hx509/html/graph_legend.html index d059cff62db9..92cdf041f399 100644 --- a/doc/doxyout/hx509/html/graph_legend.html +++ b/doc/doxyout/hx509/html/graph_legend.html @@ -54,6 +54,6 @@ A yellow dashed arrow denotes a relation between a template instance and the tem </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/graph_legend.png b/doc/doxyout/hx509/html/graph_legend.png Binary files differindex 881e40f9c0a2..d1fdf389c3b6 100644 --- a/doc/doxyout/hx509/html/graph_legend.png +++ b/doc/doxyout/hx509/html/graph_legend.png 
diff --git a/doc/doxyout/hx509/html/group__hx509.html b/doc/doxyout/hx509/html/group__hx509.html index afa0936a24e7..aa0198d3b7b6 100644 --- a/doc/doxyout/hx509/html/group__hx509.html +++ b/doc/doxyout/hx509/html/group__hx509.html @@ -88,6 +88,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/group__hx509__ca.html b/doc/doxyout/hx509/html/group__hx509__ca.html index 79f9e43ee797..4069b618e305 100644 --- a/doc/doxyout/hx509/html/group__hx509__ca.html +++ b/doc/doxyout/hx509/html/group__hx509__ca.html @@ -1225,6 +1225,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/group__hx509__cert.html b/doc/doxyout/hx509/html/group__hx509__cert.html index 5532a2c69d6b..fa4723384d21 100644 --- a/doc/doxyout/hx509/html/group__hx509__cert.html +++ b/doc/doxyout/hx509/html/group__hx509__cert.html 
@@ -1425,6 +1425,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/group__hx509__cms.html b/doc/doxyout/hx509/html/group__hx509__cms.html index fc8d99c94d18..69c5cb87971f 100644 --- a/doc/doxyout/hx509/html/group__hx509__cms.html +++ b/doc/doxyout/hx509/html/group__hx509__cms.html @@ -211,7 +211,7 @@ Functions</h2></td></tr> <table class="params"> <tr><td class="paramname">context</td><td>A hx509 context. </td></tr> <tr><td class="paramname">flags</td><td>flags to control the behavior.<ul> -<li>HX509_CMS_EV_NO_KU_CHECK - Dont check KU on certificate</li> +<li>HX509_CMS_EV_NO_KU_CHECK - Don't check KU on certificate</li> <li>HX509_CMS_EV_ALLOW_WEAK - Allow weak crytpo</li> <li>HX509_CMS_EV_ID_NAME - prefer issuer name and serial number </li> </ul> @@ -515,6 +515,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/group__hx509__crypto.html b/doc/doxyout/hx509/html/group__hx509__crypto.html index 8f91866762ce..15cfe39ab274 100644 
--- a/doc/doxyout/hx509/html/group__hx509__crypto.html +++ b/doc/doxyout/hx509/html/group__hx509__crypto.html @@ -93,6 +93,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/group__hx509__env.html b/doc/doxyout/hx509/html/group__hx509__env.html index 156952706241..17cd7b513971 100644 --- a/doc/doxyout/hx509/html/group__hx509__env.html +++ b/doc/doxyout/hx509/html/group__hx509__env.html @@ -311,6 +311,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/group__hx509__error.html b/doc/doxyout/hx509/html/group__hx509__error.html index 40b4e9de19cb..8523e0813e6b 100644 --- a/doc/doxyout/hx509/html/group__hx509__error.html +++ b/doc/doxyout/hx509/html/group__hx509__error.html 
@@ -310,6 +310,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/group__hx509__keyset.html b/doc/doxyout/hx509/html/group__hx509__keyset.html index e31f314d77ec..687f61833b10 100644 --- a/doc/doxyout/hx509/html/group__hx509__keyset.html +++ b/doc/doxyout/hx509/html/group__hx509__keyset.html @@ -775,6 +775,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/group__hx509__lock.html b/doc/doxyout/hx509/html/group__hx509__lock.html index 4b4731a571d9..82dd290b3bce 100644 --- a/doc/doxyout/hx509/html/group__hx509__lock.html +++ b/doc/doxyout/hx509/html/group__hx509__lock.html 
@@ -26,6 +26,6 @@ $(function() { <p>See the <a class="el" href="page_lock.html">Locking and unlocking certificates and encrypted data.</a> for description and examples. </p> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/group__hx509__misc.html b/doc/doxyout/hx509/html/group__hx509__misc.html index bd5f1b02231d..b0b795951177 100644 --- a/doc/doxyout/hx509/html/group__hx509__misc.html +++ b/doc/doxyout/hx509/html/group__hx509__misc.html @@ -87,6 +87,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/group__hx509__name.html b/doc/doxyout/hx509/html/group__hx509__name.html index 78cfd6b8817e..92dcb2b3c231 100644 --- a/doc/doxyout/hx509/html/group__hx509__name.html +++ b/doc/doxyout/hx509/html/group__hx509__name.html 
@@ -469,6 +469,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/group__hx509__peer.html b/doc/doxyout/hx509/html/group__hx509__peer.html index b266208f53c7..fead610c9734 100644 --- a/doc/doxyout/hx509/html/group__hx509__peer.html +++ b/doc/doxyout/hx509/html/group__hx509__peer.html @@ -237,6 +237,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/group__hx509__print.html b/doc/doxyout/hx509/html/group__hx509__print.html index 72278f6861f8..0555fbd18047 100644 --- a/doc/doxyout/hx509/html/group__hx509__print.html +++ b/doc/doxyout/hx509/html/group__hx509__print.html 
@@ -454,6 +454,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/group__hx509__query.html b/doc/doxyout/hx509/html/group__hx509__query.html index 637968c5d499..bec28a13b375 100644 --- a/doc/doxyout/hx509/html/group__hx509__query.html +++ b/doc/doxyout/hx509/html/group__hx509__query.html @@ -25,6 +25,6 @@ $(function() { <div class="contents"> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/group__hx509__revoke.html b/doc/doxyout/hx509/html/group__hx509__revoke.html index 8677aa51b5d3..f03c1164f4b0 100644 --- a/doc/doxyout/hx509/html/group__hx509__revoke.html +++ b/doc/doxyout/hx509/html/group__hx509__revoke.html 
@@ -379,6 +379,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/group__hx509__verify.html b/doc/doxyout/hx509/html/group__hx509__verify.html index 37bcf1eb8532..2f7f6e78dce6 100644 --- a/doc/doxyout/hx509/html/group__hx509__verify.html +++ b/doc/doxyout/hx509/html/group__hx509__verify.html @@ -714,6 +714,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/index.html b/doc/doxyout/hx509/html/index.html index a52301912b0d..6d9694d1d867 100644 --- a/doc/doxyout/hx509/html/index.html +++ b/doc/doxyout/hx509/html/index.html 
@@ -42,6 +42,6 @@ Introduction</h1> <p>The project web page: <a href="http://www.h5l.org/">http://www.h5l.org/</a> </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/modules.html b/doc/doxyout/hx509/html/modules.html index ef8a0484ecf9..e1577c1c401c 100644 --- a/doc/doxyout/hx509/html/modules.html +++ b/doc/doxyout/hx509/html/modules.html @@ -45,6 +45,6 @@ $(function() { </div><!-- directory --> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/page_ca.html b/doc/doxyout/hx509/html/page_ca.html index ec5d7358c294..6c058daaae1c 100644 --- a/doc/doxyout/hx509/html/page_ca.html +++ b/doc/doxyout/hx509/html/page_ca.html 
@@ -26,6 +26,6 @@ $(function() { <div class="textblock"><p>See the library functions here: <a class="el" href="group__hx509__ca.html">hx509 CA functions</a> </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/page_cert.html b/doc/doxyout/hx509/html/page_cert.html index 8525d7322c7e..7c70265a4329 100644 --- a/doc/doxyout/hx509/html/page_cert.html +++ b/doc/doxyout/hx509/html/page_cert.html @@ -28,6 +28,6 @@ $(function() { <p>See the library functions here: <a class="el" href="group__hx509__cert.html">hx509 certificate functions</a> </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/page_cms.html b/doc/doxyout/hx509/html/page_cms.html index 986756a0b5a5..929f7cb49ed6 100644 --- a/doc/doxyout/hx509/html/page_cms.html +++ b/doc/doxyout/hx509/html/page_cms.html 
@@ -33,6 +33,6 @@ $(function() { <p>See the library functions here: <a class="el" href="group__hx509__cms.html">hx509 CMS/pkcs7 functions</a> </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/page_env.html b/doc/doxyout/hx509/html/page_env.html index 1aac8b0d5f51..2bed0e251bd8 100644 --- a/doc/doxyout/hx509/html/page_env.html +++ b/doc/doxyout/hx509/html/page_env.html @@ -26,6 +26,6 @@ $(function() { <div class="textblock"><p>See the library functions here: <a class="el" href="group__hx509__env.html">hx509 environment functions</a> </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/page_error.html b/doc/doxyout/hx509/html/page_error.html index 748ba9dd0d20..8a1816038d54 100644 --- a/doc/doxyout/hx509/html/page_error.html +++ b/doc/doxyout/hx509/html/page_error.html 
@@ -26,6 +26,6 @@ $(function() { <div class="textblock"><p>See the library functions here: <a class="el" href="group__hx509__error.html">hx509 error functions</a> </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/page_keyset.html b/doc/doxyout/hx509/html/page_keyset.html index 70209227f46e..b76bf77fa983 100644 --- a/doc/doxyout/hx509/html/page_keyset.html +++ b/doc/doxyout/hx509/html/page_keyset.html @@ -36,6 +36,6 @@ $(function() { <p>See the library functions here: <a class="el" href="group__hx509__keyset.html">hx509 certificate store functions</a> </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/page_lock.html b/doc/doxyout/hx509/html/page_lock.html index 5e38608217ae..7183a3f022c4 100644 --- a/doc/doxyout/hx509/html/page_lock.html +++ b/doc/doxyout/hx509/html/page_lock.html 
@@ -26,6 +26,6 @@ $(function() { <div class="textblock"><p>See the library functions here: <a class="el" href="group__hx509__lock.html">hx509 lock functions</a> </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/page_name.html b/doc/doxyout/hx509/html/page_name.html index e33567acf503..e43abf8da66d 100644 --- a/doc/doxyout/hx509/html/page_name.html +++ b/doc/doxyout/hx509/html/page_name.html @@ -32,6 +32,6 @@ $(function() { <p>See the library functions here: <a class="el" href="group__hx509__name.html">hx509 name functions</a> </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/page_peer.html b/doc/doxyout/hx509/html/page_peer.html index 4a67ba640afd..a4106d18ed8d 100644 --- a/doc/doxyout/hx509/html/page_peer.html +++ b/doc/doxyout/hx509/html/page_peer.html 
@@ -27,6 +27,6 @@ $(function() { <p>See the library functions here: <a class="el" href="group__hx509__peer.html">hx509 certificate selecting functions</a> </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/page_print.html b/doc/doxyout/hx509/html/page_print.html index 3024cbdbc881..abd39d3bda47 100644 --- a/doc/doxyout/hx509/html/page_print.html +++ b/doc/doxyout/hx509/html/page_print.html @@ -26,6 +26,6 @@ $(function() { <div class="textblock"><p>See the library functions here: <a class="el" href="group__hx509__print.html">hx509 printing functions</a> </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/page_revoke.html b/doc/doxyout/hx509/html/page_revoke.html index 8cd7ca95170b..c1726ff07d4b 100644 --- a/doc/doxyout/hx509/html/page_revoke.html +++ b/doc/doxyout/hx509/html/page_revoke.html 
@@ -28,6 +28,6 @@ $(function() { <p>OCSP is an online checking method where the requestor sends a list of certificates to the OCSP server to return a signed reply if they are valid or not. Some services sends a OCSP reply as part of the hand-shake to make the revoktion decision simpler/faster for the client. </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/html/pages.html b/doc/doxyout/hx509/html/pages.html index a96a80e2b539..70cff97ef5d3 100644 --- a/doc/doxyout/hx509/html/pages.html +++ b/doc/doxyout/hx509/html/pages.html @@ -40,6 +40,6 @@ $(function() { </div><!-- directory --> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:58 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:55 for Heimdalx509library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/hx509/man/man3/hx509.3 b/doc/doxyout/hx509/man/man3/hx509.3 index 0c11eaf222b8..d3dbc949fe37 100644 --- a/doc/doxyout/hx509/man/man3/hx509.3 +++ b/doc/doxyout/hx509/man/man3/hx509.3 @@ -1,4 +1,4 @@ -.TH "hx509" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "hx509" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME 
diff --git a/doc/doxyout/hx509/man/man3/hx509_ca.3 b/doc/doxyout/hx509/man/man3/hx509_ca.3 index d3414f0977e8..826807307a1f 100644 --- a/doc/doxyout/hx509/man/man3/hx509_ca.3 +++ b/doc/doxyout/hx509/man/man3/hx509_ca.3 @@ -1,4 +1,4 @@ -.TH "hx509_ca" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "hx509_ca" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/hx509_cert.3 b/doc/doxyout/hx509/man/man3/hx509_cert.3 index 3e647aeb6af2..90910c0aff87 100644 --- a/doc/doxyout/hx509/man/man3/hx509_cert.3 +++ b/doc/doxyout/hx509/man/man3/hx509_cert.3 @@ -1,4 +1,4 @@ -.TH "hx509_cert" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "hx509_cert" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/hx509_cms.3 b/doc/doxyout/hx509/man/man3/hx509_cms.3 index 764ed9fca7b5..b251aee7d27f 100644 --- a/doc/doxyout/hx509/man/man3/hx509_cms.3 +++ b/doc/doxyout/hx509/man/man3/hx509_cms.3 @@ -1,4 +1,4 @@ -.TH "hx509_cms" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "hx509_cms" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME @@ -78,7 +78,7 @@ Encrypt and encode EnvelopedData\&. The data is encrypted with a random key and .br \fIflags\fP flags to control the behavior\&. .IP "\(bu" 2 -HX509_CMS_EV_NO_KU_CHECK - Dont check KU on certificate +HX509_CMS_EV_NO_KU_CHECK - Don't check KU on certificate .IP "\(bu" 2 HX509_CMS_EV_ALLOW_WEAK - Allow weak crytpo .IP "\(bu" 2 diff --git a/doc/doxyout/hx509/man/man3/hx509_crypto.3 b/doc/doxyout/hx509/man/man3/hx509_crypto.3 index 29e28bdca055..55d2efff6edf 100644 --- a/doc/doxyout/hx509/man/man3/hx509_crypto.3 +++ b/doc/doxyout/hx509/man/man3/hx509_crypto.3 
@@ -1,4 +1,4 @@ -.TH "hx509_crypto" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "hx509_crypto" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/hx509_env.3 b/doc/doxyout/hx509/man/man3/hx509_env.3 index c86bf946f854..1b6d89fe247d 100644 --- a/doc/doxyout/hx509/man/man3/hx509_env.3 +++ b/doc/doxyout/hx509/man/man3/hx509_env.3 @@ -1,4 +1,4 @@ -.TH "hx509_env" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "hx509_env" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/hx509_error.3 b/doc/doxyout/hx509/man/man3/hx509_error.3 index 74721de71b3b..62e255444588 100644 --- a/doc/doxyout/hx509/man/man3/hx509_error.3 +++ b/doc/doxyout/hx509/man/man3/hx509_error.3 @@ -1,4 +1,4 @@ -.TH "hx509_error" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "hx509_error" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/hx509_keyset.3 b/doc/doxyout/hx509/man/man3/hx509_keyset.3 index 4b8495d9bfbe..46e6e7a57a79 100644 --- a/doc/doxyout/hx509/man/man3/hx509_keyset.3 +++ b/doc/doxyout/hx509/man/man3/hx509_keyset.3 @@ -1,4 +1,4 @@ -.TH "hx509_keyset" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "hx509_keyset" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/hx509_lock.3 b/doc/doxyout/hx509/man/man3/hx509_lock.3 index 2f7498acca09..a5af103dac38 100644 --- a/doc/doxyout/hx509/man/man3/hx509_lock.3 +++ b/doc/doxyout/hx509/man/man3/hx509_lock.3 
@@ -1,4 +1,4 @@ -.TH "hx509_lock" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "hx509_lock" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/hx509_misc.3 b/doc/doxyout/hx509/man/man3/hx509_misc.3 index b8c9f076a77d..49cb3059a4b7 100644 --- a/doc/doxyout/hx509/man/man3/hx509_misc.3 +++ b/doc/doxyout/hx509/man/man3/hx509_misc.3 @@ -1,4 +1,4 @@ -.TH "hx509_misc" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "hx509_misc" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/hx509_name.3 b/doc/doxyout/hx509/man/man3/hx509_name.3 index ea62b3ed3147..ba2cde726c7f 100644 --- a/doc/doxyout/hx509/man/man3/hx509_name.3 +++ b/doc/doxyout/hx509/man/man3/hx509_name.3 @@ -1,4 +1,4 @@ -.TH "hx509_name" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "hx509_name" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/hx509_peer.3 b/doc/doxyout/hx509/man/man3/hx509_peer.3 index ca1347e6a852..7d0733c5b579 100644 --- a/doc/doxyout/hx509/man/man3/hx509_peer.3 +++ b/doc/doxyout/hx509/man/man3/hx509_peer.3 @@ -1,4 +1,4 @@ -.TH "hx509_peer" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "hx509_peer" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/hx509_print.3 b/doc/doxyout/hx509/man/man3/hx509_print.3 index ce82df7dae98..17d3aa4285b2 100644 --- a/doc/doxyout/hx509/man/man3/hx509_print.3 +++ b/doc/doxyout/hx509/man/man3/hx509_print.3 @@ -1,4 +1,4 @@ -.TH "hx509_print" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "hx509_print" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME 
diff --git a/doc/doxyout/hx509/man/man3/hx509_query.3 b/doc/doxyout/hx509/man/man3/hx509_query.3 index 7f79ddd30af3..592c969eb47c 100644 --- a/doc/doxyout/hx509/man/man3/hx509_query.3 +++ b/doc/doxyout/hx509/man/man3/hx509_query.3 @@ -1,4 +1,4 @@ -.TH "hx509_query" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "hx509_query" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/hx509_revoke.3 b/doc/doxyout/hx509/man/man3/hx509_revoke.3 index b437ea952e0c..914fbf4e2d3f 100644 --- a/doc/doxyout/hx509/man/man3/hx509_revoke.3 +++ b/doc/doxyout/hx509/man/man3/hx509_revoke.3 @@ -1,4 +1,4 @@ -.TH "hx509_revoke" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "hx509_revoke" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/hx509_verify.3 b/doc/doxyout/hx509/man/man3/hx509_verify.3 index f683437acda8..e2cdc9a50d34 100644 --- a/doc/doxyout/hx509/man/man3/hx509_verify.3 +++ b/doc/doxyout/hx509/man/man3/hx509_verify.3 @@ -1,4 +1,4 @@ -.TH "hx509_verify" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "hx509_verify" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/page_ca.3 b/doc/doxyout/hx509/man/man3/page_ca.3 index 55dbbf4c88a3..061e1a5173f9 100644 --- a/doc/doxyout/hx509/man/man3/page_ca.3 +++ b/doc/doxyout/hx509/man/man3/page_ca.3 @@ -1,4 +1,4 @@ -.TH "page_ca" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "page_ca" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/page_cert.3 b/doc/doxyout/hx509/man/man3/page_cert.3 index 965b541bfa09..e6ef082b1434 100644 --- a/doc/doxyout/hx509/man/man3/page_cert.3 
+++ b/doc/doxyout/hx509/man/man3/page_cert.3 @@ -1,4 +1,4 @@ -.TH "page_cert" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "page_cert" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/page_cms.3 b/doc/doxyout/hx509/man/man3/page_cms.3 index 00050995d35d..1f36ab586be5 100644 --- a/doc/doxyout/hx509/man/man3/page_cms.3 +++ b/doc/doxyout/hx509/man/man3/page_cms.3 @@ -1,4 +1,4 @@ -.TH "page_cms" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "page_cms" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/page_env.3 b/doc/doxyout/hx509/man/man3/page_env.3 index e56ed7b6af71..285f5ca45d83 100644 --- a/doc/doxyout/hx509/man/man3/page_env.3 +++ b/doc/doxyout/hx509/man/man3/page_env.3 @@ -1,4 +1,4 @@ -.TH "page_env" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "page_env" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/page_error.3 b/doc/doxyout/hx509/man/man3/page_error.3 index 0c73d7777a74..3bc5565db91b 100644 --- a/doc/doxyout/hx509/man/man3/page_error.3 +++ b/doc/doxyout/hx509/man/man3/page_error.3 @@ -1,4 +1,4 @@ -.TH "page_error" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "page_error" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/page_keyset.3 b/doc/doxyout/hx509/man/man3/page_keyset.3 index 8156a2d94e20..a6b73b1d5c37 100644 --- a/doc/doxyout/hx509/man/man3/page_keyset.3 +++ b/doc/doxyout/hx509/man/man3/page_keyset.3 
@@ -1,4 +1,4 @@ -.TH "page_keyset" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "page_keyset" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/page_lock.3 b/doc/doxyout/hx509/man/man3/page_lock.3 index bd81a8f3135a..c4808fee2c9b 100644 --- a/doc/doxyout/hx509/man/man3/page_lock.3 +++ b/doc/doxyout/hx509/man/man3/page_lock.3 @@ -1,4 +1,4 @@ -.TH "page_lock" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "page_lock" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/page_name.3 b/doc/doxyout/hx509/man/man3/page_name.3 index a43eeb17ffb9..d5d68588353d 100644 --- a/doc/doxyout/hx509/man/man3/page_name.3 +++ b/doc/doxyout/hx509/man/man3/page_name.3 @@ -1,4 +1,4 @@ -.TH "page_name" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "page_name" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/page_peer.3 b/doc/doxyout/hx509/man/man3/page_peer.3 index 0c9ff824273d..0150a3421665 100644 --- a/doc/doxyout/hx509/man/man3/page_peer.3 +++ b/doc/doxyout/hx509/man/man3/page_peer.3 @@ -1,4 +1,4 @@ -.TH "page_peer" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "page_peer" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/hx509/man/man3/page_print.3 b/doc/doxyout/hx509/man/man3/page_print.3 index 3f1a5f2cb990..68c8daf9edaf 100644 --- a/doc/doxyout/hx509/man/man3/page_print.3 +++ b/doc/doxyout/hx509/man/man3/page_print.3 @@ -1,4 +1,4 @@ -.TH "page_print" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "page_print" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME 
diff --git a/doc/doxyout/hx509/man/man3/page_revoke.3 b/doc/doxyout/hx509/man/man3/page_revoke.3 index 33dd9a9d1821..13169d5eb631 100644 --- a/doc/doxyout/hx509/man/man3/page_revoke.3 +++ b/doc/doxyout/hx509/man/man3/page_revoke.3 @@ -1,4 +1,4 @@ -.TH "page_revoke" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalx509library" \" -*- nroff -*- +.TH "page_revoke" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalx509library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/html/annotated.html b/doc/doxyout/krb5/html/annotated.html index 0aad08250679..d9c90114a536 100644 --- a/doc/doxyout/krb5/html/annotated.html +++ b/doc/doxyout/krb5/html/annotated.html @@ -33,6 +33,6 @@ $(function() { </div><!-- directory --> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/classes.html b/doc/doxyout/krb5/html/classes.html index 36a41d791cd2..6ad1847eb080 100644 --- a/doc/doxyout/krb5/html/classes.html +++ b/doc/doxyout/krb5/html/classes.html 
@@ -34,6 +34,6 @@ $(function() { <div class="qindex"><a class="qindex" href="#letter_k">k</a></div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/graph_legend.html b/doc/doxyout/krb5/html/graph_legend.html index 6c4d24f0d46b..a281b0a88743 100644 --- a/doc/doxyout/krb5/html/graph_legend.html +++ b/doc/doxyout/krb5/html/graph_legend.html @@ -54,6 +54,6 @@ A yellow dashed arrow denotes a relation between a template instance and the tem </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/graph_legend.png b/doc/doxyout/krb5/html/graph_legend.png Binary files differindex 881e40f9c0a2..d1fdf389c3b6 100644 --- a/doc/doxyout/krb5/html/graph_legend.png +++ b/doc/doxyout/krb5/html/graph_legend.png diff --git a/doc/doxyout/krb5/html/group__krb5.html b/doc/doxyout/krb5/html/group__krb5.html index 35aba87ad950..d584f02016b5 100644 --- a/doc/doxyout/krb5/html/group__krb5.html +++ b/doc/doxyout/krb5/html/group__krb5.html 
@@ -2216,6 +2216,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/group__krb5__address.html b/doc/doxyout/krb5/html/group__krb5__address.html index 357ea1278f3b..7278e5a963bd 100644 --- a/doc/doxyout/krb5/html/group__krb5__address.html +++ b/doc/doxyout/krb5/html/group__krb5__address.html @@ -981,6 +981,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/group__krb5__auth.html b/doc/doxyout/krb5/html/group__krb5__auth.html index 84dfe61b8416..6d60591d7ba9 100644 --- a/doc/doxyout/krb5/html/group__krb5__auth.html +++ b/doc/doxyout/krb5/html/group__krb5__auth.html 
@@ -314,6 +314,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/group__krb5__ccache.html b/doc/doxyout/krb5/html/group__krb5__ccache.html index 0deabcbe67e9..818398824bd0 100644 --- a/doc/doxyout/krb5/html/group__krb5__ccache.html +++ b/doc/doxyout/krb5/html/group__krb5__ccache.html @@ -2134,6 +2134,6 @@ Variables</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/group__krb5__credential.html b/doc/doxyout/krb5/html/group__krb5__credential.html index 7bb90e4360e3..57e8b2efcfc1 100644 --- a/doc/doxyout/krb5/html/group__krb5__credential.html +++ b/doc/doxyout/krb5/html/group__krb5__credential.html 
@@ -841,6 +841,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/group__krb5__crypto.html b/doc/doxyout/krb5/html/group__krb5__crypto.html index 54ac12bb97c1..10e372b65bc4 100644 --- a/doc/doxyout/krb5/html/group__krb5__crypto.html +++ b/doc/doxyout/krb5/html/group__krb5__crypto.html @@ -1469,6 +1469,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/group__krb5__deprecated.html b/doc/doxyout/krb5/html/group__krb5__deprecated.html index 1f0a03e59910..3ecdc66f8aa3 100644 --- a/doc/doxyout/krb5/html/group__krb5__deprecated.html +++ b/doc/doxyout/krb5/html/group__krb5__deprecated.html 
@@ -1261,6 +1261,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/group__krb5__digest.html b/doc/doxyout/krb5/html/group__krb5__digest.html index 7a26a50c711d..70da5a7ababf 100644 --- a/doc/doxyout/krb5/html/group__krb5__digest.html +++ b/doc/doxyout/krb5/html/group__krb5__digest.html @@ -86,6 +86,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/group__krb5__error.html b/doc/doxyout/krb5/html/group__krb5__error.html index 38ee265277ac..c0f4654f62b5 100644 --- a/doc/doxyout/krb5/html/group__krb5__error.html +++ b/doc/doxyout/krb5/html/group__krb5__error.html 
@@ -1017,6 +1017,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/group__krb5__keytab.html b/doc/doxyout/krb5/html/group__krb5__keytab.html index 76ff3712b7a3..e98ff7d98d35 100644 --- a/doc/doxyout/krb5/html/group__krb5__keytab.html +++ b/doc/doxyout/krb5/html/group__krb5__keytab.html @@ -1034,6 +1034,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/group__krb5__pac.html b/doc/doxyout/krb5/html/group__krb5__pac.html index ac9a69fe6e80..682d9cbb22f4 100644 --- a/doc/doxyout/krb5/html/group__krb5__pac.html +++ b/doc/doxyout/krb5/html/group__krb5__pac.html 
@@ -153,6 +153,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/group__krb5__principal.html b/doc/doxyout/krb5/html/group__krb5__principal.html index 7bef4e7a2d77..92c3926bc412 100644 --- a/doc/doxyout/krb5/html/group__krb5__principal.html +++ b/doc/doxyout/krb5/html/group__krb5__principal.html 
@@ -86,6 +86,8 @@ Functions</h2></td></tr> <tr class="separator:gac02e16cbed909d4535fd030b5651c978"><td class="memSeparator" colspan="2"> </td></tr> <tr class="memitem:ga2c4425068eb189d876e4e0747636f628"><td class="memItemLeft" align="right" valign="top">krb5_boolean KRB5_LIB_FUNCTION </td><td class="memItemRight" valign="bottom"><a class="el" href="group__krb5__principal.html#ga2c4425068eb189d876e4e0747636f628">krb5_principal_is_root_krbtgt</a> (krb5_context context, krb5_const_principal p)</td></tr> <tr class="separator:ga2c4425068eb189d876e4e0747636f628"><td class="memSeparator" colspan="2"> </td></tr> +<tr class="memitem:ga2e7740d323d81838d5e00dfd4bf408ff"><td class="memItemLeft" align="right" valign="top">KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL </td><td class="memItemRight" valign="bottom"><a class="el" href="group__krb5__principal.html#ga2e7740d323d81838d5e00dfd4bf408ff">krb5_principal_is_anonymous</a> (krb5_context context, krb5_const_principal p, unsigned int flags)</td></tr> +<tr class="separator:ga2e7740d323d81838d5e00dfd4bf408ff"><td class="memSeparator" colspan="2"> </td></tr> <tr class="memitem:ga8be0f5000da6ee0d4bd5dcaf3cb01d08"><td class="memItemLeft" align="right" valign="top">KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL </td><td class="memItemRight" valign="bottom"><a class="el" href="group__krb5__principal.html#ga8be0f5000da6ee0d4bd5dcaf3cb01d08">krb5_sname_to_principal</a> (krb5_context context, const char *hostname, const char *sname, int32_t type, krb5_principal *ret_princ)</td></tr> <tr class="separator:ga8be0f5000da6ee0d4bd5dcaf3cb01d08"><td class="memSeparator" colspan="2"> </td></tr> </table> 
@@ -615,6 +617,41 @@ Functions</h2></td></tr> </div> </div> +<a id="ga2e7740d323d81838d5e00dfd4bf408ff"></a> +<h2 class="memtitle"><span class="permalink"><a href="#ga2e7740d323d81838d5e00dfd4bf408ff">◆ </a></span>krb5_principal_is_anonymous()</h2> + +<div class="memitem"> +<div class="memproto"> + <table class="memname"> + <tr> + <td class="memname">KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL krb5_principal_is_anonymous </td> + <td>(</td> + <td class="paramtype">krb5_context </td> + <td class="paramname"><em>context</em>, </td> + </tr> + <tr> + <td class="paramkey"></td> + <td></td> + <td class="paramtype">krb5_const_principal </td> + <td class="paramname"><em>p</em>, </td> + </tr> + <tr> + <td class="paramkey"></td> + <td></td> + <td class="paramtype">unsigned int </td> + <td class="paramname"><em>flags</em> </td> + </tr> + <tr> + <td></td> + <td>)</td> + <td></td><td></td> + </tr> + </table> +</div><div class="memdoc"> +<p>Returns true iff name is WELLKNOWN/ANONYMOUS </p> + +</div> +</div> <a id="gac02e16cbed909d4535fd030b5651c978"></a> <h2 class="memtitle"><span class="permalink"><a href="#gac02e16cbed909d4535fd030b5651c978">◆ </a></span>krb5_principal_is_gss_hostbased_service()</h2> @@ -1337,6 +1374,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/group__krb5__storage.html b/doc/doxyout/krb5/html/group__krb5__storage.html index b48b7850678f..fbb33fff7055 100644 --- a/doc/doxyout/krb5/html/group__krb5__storage.html 
+++ b/doc/doxyout/krb5/html/group__krb5__storage.html @@ -2266,6 +2266,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/group__krb5__support.html b/doc/doxyout/krb5/html/group__krb5__support.html index 317268978fcc..f528b46202f8 100644 --- a/doc/doxyout/krb5/html/group__krb5__support.html +++ b/doc/doxyout/krb5/html/group__krb5__support.html @@ -1349,6 +1349,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/group__krb5__ticket.html b/doc/doxyout/krb5/html/group__krb5__ticket.html index b0c901db11f3..2212103de09b 100644 --- a/doc/doxyout/krb5/html/group__krb5__ticket.html +++ b/doc/doxyout/krb5/html/group__krb5__ticket.html 
@@ -72,6 +72,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/group__krb5__v4compat.html b/doc/doxyout/krb5/html/group__krb5__v4compat.html index 342a192e837f..dc07ab3f7c23 100644 --- a/doc/doxyout/krb5/html/group__krb5__v4compat.html +++ b/doc/doxyout/krb5/html/group__krb5__v4compat.html @@ -132,6 +132,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/index.html b/doc/doxyout/krb5/html/index.html index 9e3ea434966a..9733b99c9cad 100644 --- a/doc/doxyout/krb5/html/index.html +++ b/doc/doxyout/krb5/html/index.html 
@@ -37,6 +37,6 @@ Introduction</h1> <p>The project web page: <a href="http://www.h5l.org/">http://www.h5l.org/</a> </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/krb5_ccache_intro.html b/doc/doxyout/krb5/html/krb5_ccache_intro.html index 92f850c3f5ad..1ee11fea3c17 100644 --- a/doc/doxyout/krb5/html/krb5_ccache_intro.html +++ b/doc/doxyout/krb5/html/krb5_ccache_intro.html 
@@ -38,6 +38,6 @@ Kerberos credential caches</h1> Example</h2> <p>This is a minimalistic version of klist: </p><div class="fragment"><div class="line"><span class="preprocessor">#include <krb5.h></span></div><div class="line"></div><div class="line"><span class="keywordtype">int</span></div><div class="line">main (<span class="keywordtype">int</span> argc, <span class="keywordtype">char</span> **argv)</div><div class="line">{</div><div class="line"> krb5_context context;</div><div class="line"> krb5_cc_cursor cursor;</div><div class="line"> krb5_error_code ret;</div><div class="line"> krb5_ccache id;</div><div class="line"> krb5_creds creds;</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group__krb5.html#gabd94206e186c58a093975424a4a567a8">krb5_init_context</a> (&context) != 0)</div><div class="line"> errx(1, <span class="stringliteral">"krb5_context"</span>);</div><div class="line"></div><div class="line"> ret = <a class="code" href="group__krb5__ccache.html#gad7d54822ef022f3e27f7f0f457d9c751">krb5_cc_default</a> (context, &<span class="keywordtype">id</span>);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> <a class="code" href="group__krb5__error.html#gad75c268bcf26225ee8d4a39c178131a1">krb5_err</a>(context, 1, ret, <span class="stringliteral">"krb5_cc_default"</span>);</div><div class="line"></div><div class="line"> ret = <a class="code" href="group__krb5__ccache.html#gacbf766cea6b49dd64b76628c7708b979">krb5_cc_start_seq_get</a>(context, <span class="keywordtype">id</span>, &cursor);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> <a class="code" href="group__krb5__error.html#gad75c268bcf26225ee8d4a39c178131a1">krb5_err</a>(context, 1, ret, <span class="stringliteral">"krb5_cc_start_seq_get"</span>);</div><div class="line"></div><div class="line"> <span class="keywordflow">while</span>((ret = <a class="code" 
href="group__krb5__ccache.html#gad9cd0ebcc7bdf3ca2b0ed166ea2f8df6">krb5_cc_next_cred</a>(context, <span class="keywordtype">id</span>, &cursor, &creds)) == 0){</div><div class="line"> <span class="keywordtype">char</span> *principal;</div><div class="line"></div><div class="line"> <a class="code" href="group__krb5__principal.html#gaac881051ed59fe0dcd08cee62280b332">krb5_unparse_name</a>(context, creds.server, &principal);</div><div class="line"> printf(<span class="stringliteral">"principal: %s\\n"</span>, principal);</div><div class="line"> free(principal);</div><div class="line"> <a class="code" href="group__krb5.html#gad89c4c7b633646c39e4a34a7230c94e1">krb5_free_cred_contents</a> (context, &creds);</div><div class="line"> }</div><div class="line"> ret = <a class="code" href="group__krb5__ccache.html#ga024ce036ebf277f918354d4681bd0550">krb5_cc_end_seq_get</a>(context, <span class="keywordtype">id</span>, &cursor);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> <a class="code" href="group__krb5__error.html#gad75c268bcf26225ee8d4a39c178131a1">krb5_err</a>(context, 1, ret, <span class="stringliteral">"krb5_cc_end_seq_get"</span>);</div><div class="line"></div><div class="line"> <a class="code" href="group__krb5__ccache.html#gaebc0dd2a77529c05fb49e27235da7017">krb5_cc_close</a>(context, <span class="keywordtype">id</span>);</div><div class="line"></div><div class="line"> <a class="code" href="group__krb5.html#gae51d83f5d5f589883f1cd10887892777">krb5_free_context</a>(context);</div><div class="line"> <span class="keywordflow">return</span> 0;</div><div class="line">}</div></div><!-- fragment --> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for 
HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/krb5_fileformats.html b/doc/doxyout/krb5/html/krb5_fileformats.html index 8438a9235529..6ab5605a42bb 100644 --- a/doc/doxyout/krb5/html/krb5_fileformats.html +++ b/doc/doxyout/krb5/html/krb5_fileformats.html @@ -94,6 +94,6 @@ Heimdal database dump file</h2> <div class="fragment"><div class="line">first-hex-encoded-HDB-Extension[:second-...]</div></div><!-- fragment --><p>HDB-extension is encoded the DER encoded HDB-Extension from lib/hdb/hdb.asn1. Consumers HDB extensions should be aware that unknown entires needs to be preserved even thought the ASN.1 data content might be unknown. There is a critical flag in the data to show to the KDC that the entry MUST be understod if the entry is to be used. </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/krb5_init_creds_intro.html b/doc/doxyout/krb5/html/krb5_init_creds_intro.html index 7466060f924d..839047d52e57 100644 --- a/doc/doxyout/krb5/html/krb5_init_creds_intro.html +++ b/doc/doxyout/krb5/html/krb5_init_creds_intro.html 
@@ -28,6 +28,6 @@ Initial credential</h1> <p>Functions to get initial credentials: <a class="el" href="group__krb5__credential.html">Heimdal Kerberos 5 credential handing functions</a> . </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/krb5_introduction.html b/doc/doxyout/krb5/html/krb5_introduction.html index a55d7e83adde..aec79a42d39f 100644 --- a/doc/doxyout/krb5/html/krb5_introduction.html +++ b/doc/doxyout/krb5/html/krb5_introduction.html @@ -97,6 +97,6 @@ Error messages</h2> <p>Heimdal uses a threadsafe(r) version of the com_err interface; the global com_err table isn't initialised. Then error_message returns quite a boring error string (just the error code itself). </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/krb5_keytab_intro.html b/doc/doxyout/krb5/html/krb5_keytab_intro.html index 02b2ceae9620..70daebce21a1 100644 --- a/doc/doxyout/krb5/html/krb5_keytab_intro.html +++ b/doc/doxyout/krb5/html/krb5_keytab_intro.html 
@@ -43,6 +43,6 @@ Keytab example</h2> <pre class="fragment">This is a minimalistic version of ktutil. </pre><div class="fragment"><div class="line"><span class="keywordtype">int</span></div><div class="line">main (<span class="keywordtype">int</span> argc, <span class="keywordtype">char</span> **argv)</div><div class="line">{</div><div class="line"> krb5_context context;</div><div class="line"> krb5_keytab keytab;</div><div class="line"> krb5_kt_cursor cursor;</div><div class="line"> krb5_keytab_entry entry;</div><div class="line"> krb5_error_code ret;</div><div class="line"> <span class="keywordtype">char</span> *principal;</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group__krb5.html#gabd94206e186c58a093975424a4a567a8">krb5_init_context</a> (&context) != 0)</div><div class="line"> errx(1, <span class="stringliteral">"krb5_context"</span>);</div><div class="line"></div><div class="line"> ret = <a class="code" href="group__krb5__keytab.html#gafcd059883c79dbd99a179bc4225d16b5">krb5_kt_default</a> (context, &keytab);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> <a class="code" href="group__krb5__error.html#gad75c268bcf26225ee8d4a39c178131a1">krb5_err</a>(context, 1, ret, <span class="stringliteral">"krb5_kt_default"</span>);</div><div class="line"></div><div class="line"> ret = <a class="code" href="group__krb5__keytab.html#ga1efd8ee48d6e3caa31cad475423b8917">krb5_kt_start_seq_get</a>(context, keytab, &cursor);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> <a class="code" href="group__krb5__error.html#gad75c268bcf26225ee8d4a39c178131a1">krb5_err</a>(context, 1, ret, <span class="stringliteral">"krb5_kt_start_seq_get"</span>);</div><div class="line"> <span class="keywordflow">while</span>((ret = <a class="code" href="group__krb5__keytab.html#gac40140c41333a86d3c40426f50b4e1b0">krb5_kt_next_entry</a>(context, keytab, 
&entry, &cursor)) == 0){</div><div class="line"> <a class="code" href="group__krb5__principal.html#gaac881051ed59fe0dcd08cee62280b332">krb5_unparse_name</a>(context, entry.principal, &principal);</div><div class="line"> printf(<span class="stringliteral">"principal: %s\n"</span>, principal);</div><div class="line"> free(principal);</div><div class="line"> <a class="code" href="group__krb5__keytab.html#gac0774ab1407eaaaa0e5998478de246e2">krb5_kt_free_entry</a>(context, &entry);</div><div class="line"> }</div><div class="line"> ret = <a class="code" href="group__krb5__keytab.html#ga11289efb407d93a1f84d5c64731a4bd1">krb5_kt_end_seq_get</a>(context, keytab, &cursor);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> <a class="code" href="group__krb5__error.html#gad75c268bcf26225ee8d4a39c178131a1">krb5_err</a>(context, 1, ret, <span class="stringliteral">"krb5_kt_end_seq_get"</span>);</div><div class="line"> ret = <a class="code" href="group__krb5__keytab.html#gab67f5ae0a7c4b87d193218b842cad590">krb5_kt_close</a>(context, keytab);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> <a class="code" href="group__krb5__error.html#gad75c268bcf26225ee8d4a39c178131a1">krb5_err</a>(context, 1, ret, <span class="stringliteral">"krb5_kt_close"</span>);</div><div class="line"> <a class="code" href="group__krb5.html#gae51d83f5d5f589883f1cd10887892777">krb5_free_context</a>(context);</div><div class="line"> <span class="keywordflow">return</span> 0;</div><div class="line">}</div></div><!-- fragment --> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img 
src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/krb5_principal_intro.html b/doc/doxyout/krb5/html/krb5_principal_intro.html index 57212fde7e72..c724f25ffa05 100644 --- a/doc/doxyout/krb5/html/krb5_principal_intro.html +++ b/doc/doxyout/krb5/html/krb5_principal_intro.html @@ -29,6 +29,6 @@ host/admin@H5L.ORG </pre><p>See the library functions here: <a class="el" href="group__krb5__principal.html">Heimdal Kerberos 5 principal functions</a> </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/modules.html b/doc/doxyout/krb5/html/modules.html index 39d06da08ea8..8faf32df1ce0 100644 --- a/doc/doxyout/krb5/html/modules.html +++ b/doc/doxyout/krb5/html/modules.html @@ -45,6 +45,6 @@ $(function() { </div><!-- directory --> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/pages.html b/doc/doxyout/krb5/html/pages.html index 1104d68b0708..a09633dd4e58 100644 --- a/doc/doxyout/krb5/html/pages.html 
+++ b/doc/doxyout/krb5/html/pages.html @@ -35,6 +35,6 @@ $(function() { </div><!-- directory --> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/structkrb5__crypto__iov.html b/doc/doxyout/krb5/html/structkrb5__crypto__iov.html index 947339afc10d..832416214b73 100644 --- a/doc/doxyout/krb5/html/structkrb5__crypto__iov.html +++ b/doc/doxyout/krb5/html/structkrb5__crypto__iov.html @@ -32,6 +32,6 @@ $(function() { </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/structkrb5plugin__an2ln__ftable__desc.html b/doc/doxyout/krb5/html/structkrb5plugin__an2ln__ftable__desc.html index 4c3d3c2f1ec8..3b3e5b2df797 100644 --- a/doc/doxyout/krb5/html/structkrb5plugin__an2ln__ftable__desc.html +++ b/doc/doxyout/krb5/html/structkrb5plugin__an2ln__ftable__desc.html 
@@ -56,6 +56,6 @@ $(function() { </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/structkrb5plugin__db__ftable__desc.html b/doc/doxyout/krb5/html/structkrb5plugin__db__ftable__desc.html index 5580e662a797..3e72c91f6c9e 100644 --- a/doc/doxyout/krb5/html/structkrb5plugin__db__ftable__desc.html +++ b/doc/doxyout/krb5/html/structkrb5plugin__db__ftable__desc.html @@ -46,6 +46,6 @@ $(function() { </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/html/structkrb5plugin__kuserok__ftable__desc.html b/doc/doxyout/krb5/html/structkrb5plugin__kuserok__ftable__desc.html index 060c59632e31..0674637a8a1f 100644 --- a/doc/doxyout/krb5/html/structkrb5plugin__kuserok__ftable__desc.html +++ b/doc/doxyout/krb5/html/structkrb5plugin__kuserok__ftable__desc.html 
@@ -58,6 +58,6 @@ $(function() { </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:48:59 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/krb5/man/man3/krb5.3 b/doc/doxyout/krb5/man/man3/krb5.3 index 13e0b8d09b2b..f213a9114c8f 100644 --- a/doc/doxyout/krb5/man/man3/krb5.3 +++ b/doc/doxyout/krb5/man/man3/krb5.3 @@ -1,4 +1,4 @@ -.TH "krb5" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/man/man3/krb5_address.3 b/doc/doxyout/krb5/man/man3/krb5_address.3 index 74a26c12d487..824c8ac79d87 100644 --- a/doc/doxyout/krb5/man/man3/krb5_address.3 +++ b/doc/doxyout/krb5/man/man3/krb5_address.3 @@ -1,4 +1,4 @@ -.TH "krb5_address" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_address" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/man/man3/krb5_auth.3 b/doc/doxyout/krb5/man/man3/krb5_auth.3 index 89ef06c509c4..661663f0c939 100644 --- a/doc/doxyout/krb5/man/man3/krb5_auth.3 +++ b/doc/doxyout/krb5/man/man3/krb5_auth.3 @@ -1,4 +1,4 @@ -.TH "krb5_auth" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_auth" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME 
diff --git a/doc/doxyout/krb5/man/man3/krb5_ccache.3 b/doc/doxyout/krb5/man/man3/krb5_ccache.3 index c3c3e36d4b3a..f239a70c388a 100644 --- a/doc/doxyout/krb5/man/man3/krb5_ccache.3 +++ b/doc/doxyout/krb5/man/man3/krb5_ccache.3 @@ -1,4 +1,4 @@ -.TH "krb5_ccache" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_ccache" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/man/man3/krb5_ccache_intro.3 b/doc/doxyout/krb5/man/man3/krb5_ccache_intro.3 index 5ff2ad059ff9..781165821b2b 100644 --- a/doc/doxyout/krb5/man/man3/krb5_ccache_intro.3 +++ b/doc/doxyout/krb5/man/man3/krb5_ccache_intro.3 @@ -1,4 +1,4 @@ -.TH "krb5_ccache_intro" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_ccache_intro" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/man/man3/krb5_credential.3 b/doc/doxyout/krb5/man/man3/krb5_credential.3 index af601191d16a..0f0be790116b 100644 --- a/doc/doxyout/krb5/man/man3/krb5_credential.3 +++ b/doc/doxyout/krb5/man/man3/krb5_credential.3 @@ -1,4 +1,4 @@ -.TH "krb5_credential" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_credential" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/man/man3/krb5_crypto.3 b/doc/doxyout/krb5/man/man3/krb5_crypto.3 index 8e4a1391a539..032195dbfab7 100644 --- a/doc/doxyout/krb5/man/man3/krb5_crypto.3 +++ b/doc/doxyout/krb5/man/man3/krb5_crypto.3 @@ -1,4 +1,4 @@ -.TH "krb5_crypto" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_crypto" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME 
diff --git a/doc/doxyout/krb5/man/man3/krb5_crypto_iov.3 b/doc/doxyout/krb5/man/man3/krb5_crypto_iov.3 index 24e21fa14466..8f0a53c80972 100644 --- a/doc/doxyout/krb5/man/man3/krb5_crypto_iov.3 +++ b/doc/doxyout/krb5/man/man3/krb5_crypto_iov.3 @@ -1,4 +1,4 @@ -.TH "krb5_crypto_iov" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_crypto_iov" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/man/man3/krb5_deprecated.3 b/doc/doxyout/krb5/man/man3/krb5_deprecated.3 index d507566c79d4..923e121575a5 100644 --- a/doc/doxyout/krb5/man/man3/krb5_deprecated.3 +++ b/doc/doxyout/krb5/man/man3/krb5_deprecated.3 @@ -1,4 +1,4 @@ -.TH "krb5_deprecated" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_deprecated" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/man/man3/krb5_digest.3 b/doc/doxyout/krb5/man/man3/krb5_digest.3 index 828894f433d3..4715dd1802fd 100644 --- a/doc/doxyout/krb5/man/man3/krb5_digest.3 +++ b/doc/doxyout/krb5/man/man3/krb5_digest.3 @@ -1,4 +1,4 @@ -.TH "krb5_digest" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_digest" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/man/man3/krb5_error.3 b/doc/doxyout/krb5/man/man3/krb5_error.3 index b10f06236ea6..f828f1b9fa99 100644 --- a/doc/doxyout/krb5/man/man3/krb5_error.3 +++ b/doc/doxyout/krb5/man/man3/krb5_error.3 @@ -1,4 +1,4 @@ -.TH "krb5_error" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_error" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME 
diff --git a/doc/doxyout/krb5/man/man3/krb5_fileformats.3 b/doc/doxyout/krb5/man/man3/krb5_fileformats.3 index 07fb36d5fc0d..74af34ca24a6 100644 --- a/doc/doxyout/krb5/man/man3/krb5_fileformats.3 +++ b/doc/doxyout/krb5/man/man3/krb5_fileformats.3 @@ -1,4 +1,4 @@ -.TH "krb5_fileformats" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_fileformats" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/man/man3/krb5_init_creds_intro.3 b/doc/doxyout/krb5/man/man3/krb5_init_creds_intro.3 index c71cf8c7402a..20d8a149a3ae 100644 --- a/doc/doxyout/krb5/man/man3/krb5_init_creds_intro.3 +++ b/doc/doxyout/krb5/man/man3/krb5_init_creds_intro.3 @@ -1,4 +1,4 @@ -.TH "krb5_init_creds_intro" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_init_creds_intro" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/man/man3/krb5_introduction.3 b/doc/doxyout/krb5/man/man3/krb5_introduction.3 index e3a6dd22c57d..531b0acd5555 100644 --- a/doc/doxyout/krb5/man/man3/krb5_introduction.3 +++ b/doc/doxyout/krb5/man/man3/krb5_introduction.3 @@ -1,4 +1,4 @@ -.TH "krb5_introduction" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_introduction" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/man/man3/krb5_keytab.3 b/doc/doxyout/krb5/man/man3/krb5_keytab.3 index a2cdef1f2d59..0439732015ef 100644 --- a/doc/doxyout/krb5/man/man3/krb5_keytab.3 +++ b/doc/doxyout/krb5/man/man3/krb5_keytab.3 @@ -1,4 +1,4 @@ -.TH "krb5_keytab" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_keytab" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME 
diff --git a/doc/doxyout/krb5/man/man3/krb5_keytab_intro.3 b/doc/doxyout/krb5/man/man3/krb5_keytab_intro.3 index 3257b25c08c6..9816f66b761b 100644 --- a/doc/doxyout/krb5/man/man3/krb5_keytab_intro.3 +++ b/doc/doxyout/krb5/man/man3/krb5_keytab_intro.3 @@ -1,4 +1,4 @@ -.TH "krb5_keytab_intro" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_keytab_intro" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/man/man3/krb5_pac.3 b/doc/doxyout/krb5/man/man3/krb5_pac.3 index 5e1e70e298ea..6f81be4eb257 100644 --- a/doc/doxyout/krb5/man/man3/krb5_pac.3 +++ b/doc/doxyout/krb5/man/man3/krb5_pac.3 @@ -1,4 +1,4 @@ -.TH "krb5_pac" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_pac" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/man/man3/krb5_principal.3 b/doc/doxyout/krb5/man/man3/krb5_principal.3 index bf81ec0daf8c..1322e70f0ec7 100644 --- a/doc/doxyout/krb5/man/man3/krb5_principal.3 +++ b/doc/doxyout/krb5/man/man3/krb5_principal.3 @@ -1,4 +1,4 @@ -.TH "krb5_principal" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_principal" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME @@ -97,6 +97,9 @@ krb5_principal .RI "krb5_boolean KRB5_LIB_FUNCTION \fBkrb5_principal_is_root_krbtgt\fP (krb5_context context, krb5_const_principal p)" .br .ti -1c +.RI "KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL \fBkrb5_principal_is_anonymous\fP (krb5_context context, krb5_const_principal p, unsigned int flags)" +.br +.ti -1c .RI "KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL \fBkrb5_sname_to_principal\fP (krb5_context context, const char *hostname, const char *sname, int32_t type, krb5_principal *ret_princ)" .br .in -1c 
@@ -314,6 +317,8 @@ the type of principal .RE .PP +.SS "KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL krb5_principal_is_anonymous (krb5_context context, krb5_const_principal p, unsigned int flags)" +Returns true iff name is WELLKNOWN/ANONYMOUS .SS "krb5_boolean KRB5_LIB_FUNCTION krb5_principal_is_gss_hostbased_service (krb5_context context, krb5_const_principal principal)" Returns true iff name is an WELLKNOWN:ORG\&.H5L\&.HOSTBASED-SERVICE .SS "KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL krb5_principal_is_krbtgt (krb5_context context, krb5_const_principal p)" diff --git a/doc/doxyout/krb5/man/man3/krb5_principal_intro.3 b/doc/doxyout/krb5/man/man3/krb5_principal_intro.3 index 9e5b49d5ce95..b7b9adc0895f 100644 --- a/doc/doxyout/krb5/man/man3/krb5_principal_intro.3 +++ b/doc/doxyout/krb5/man/man3/krb5_principal_intro.3 @@ -1,4 +1,4 @@ -.TH "krb5_principal_intro" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_principal_intro" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/man/man3/krb5_principal_is_anonymous.3 b/doc/doxyout/krb5/man/man3/krb5_principal_is_anonymous.3 new file mode 100644 index 000000000000..86ad45a98b4c --- /dev/null +++ b/doc/doxyout/krb5/man/man3/krb5_principal_is_anonymous.3 @@ -0,0 +1 @@ +.so man3/krb5_principal.3 diff --git a/doc/doxyout/krb5/man/man3/krb5_storage.3 b/doc/doxyout/krb5/man/man3/krb5_storage.3 index e199430eee84..55aeb127ec77 100644 --- a/doc/doxyout/krb5/man/man3/krb5_storage.3 +++ b/doc/doxyout/krb5/man/man3/krb5_storage.3 @@ -1,4 +1,4 @@ -.TH "krb5_storage" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_storage" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/man/man3/krb5_support.3 b/doc/doxyout/krb5/man/man3/krb5_support.3 index 64264d9666a6..8a1ffb17d708 100644 
--- a/doc/doxyout/krb5/man/man3/krb5_support.3 +++ b/doc/doxyout/krb5/man/man3/krb5_support.3 @@ -1,4 +1,4 @@ -.TH "krb5_support" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_support" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/man/man3/krb5_ticket.3 b/doc/doxyout/krb5/man/man3/krb5_ticket.3 index 363170b7cfb0..65bd0d22127e 100644 --- a/doc/doxyout/krb5/man/man3/krb5_ticket.3 +++ b/doc/doxyout/krb5/man/man3/krb5_ticket.3 @@ -1,4 +1,4 @@ -.TH "krb5_ticket" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_ticket" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/man/man3/krb5_v4compat.3 b/doc/doxyout/krb5/man/man3/krb5_v4compat.3 index bd6e8f710a37..7dbaed927b16 100644 --- a/doc/doxyout/krb5/man/man3/krb5_v4compat.3 +++ b/doc/doxyout/krb5/man/man3/krb5_v4compat.3 @@ -1,4 +1,4 @@ -.TH "krb5_v4compat" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5_v4compat" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/man/man3/krb5plugin_an2ln_ftable_desc.3 b/doc/doxyout/krb5/man/man3/krb5plugin_an2ln_ftable_desc.3 index e5928cc1662f..ba2e1eb68471 100644 --- a/doc/doxyout/krb5/man/man3/krb5plugin_an2ln_ftable_desc.3 +++ b/doc/doxyout/krb5/man/man3/krb5plugin_an2ln_ftable_desc.3 @@ -1,4 +1,4 @@ -.TH "krb5plugin_an2ln_ftable_desc" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5plugin_an2ln_ftable_desc" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/man/man3/krb5plugin_db_ftable_desc.3 b/doc/doxyout/krb5/man/man3/krb5plugin_db_ftable_desc.3 index 7c516d9f2166..f1ad5e2cf1e8 100644 
--- a/doc/doxyout/krb5/man/man3/krb5plugin_db_ftable_desc.3 +++ b/doc/doxyout/krb5/man/man3/krb5plugin_db_ftable_desc.3 @@ -1,4 +1,4 @@ -.TH "krb5plugin_db_ftable_desc" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5plugin_db_ftable_desc" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/man/man3/krb5plugin_kuserok_ftable_desc.3 b/doc/doxyout/krb5/man/man3/krb5plugin_kuserok_ftable_desc.3 index ffa6e650ab57..b5614ad18458 100644 --- a/doc/doxyout/krb5/man/man3/krb5plugin_kuserok_ftable_desc.3 +++ b/doc/doxyout/krb5/man/man3/krb5plugin_kuserok_ftable_desc.3 @@ -1,4 +1,4 @@ -.TH "krb5plugin_kuserok_ftable_desc" 3 "Fri Dec 8 2017" "Version 7.5.0" "HeimdalKerberos5library" \" -*- nroff -*- +.TH "krb5plugin_kuserok_ftable_desc" 3 "Fri Jun 7 2019" "Version 7.7.0" "HeimdalKerberos5library" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/krb5/manpages b/doc/doxyout/krb5/manpages index b47e61ab0f72..7b614e87f4c6 100644 --- a/doc/doxyout/krb5/manpages +++ b/doc/doxyout/krb5/manpages @@ -263,6 +263,7 @@ krb5/man/man3/krb5_v4compat.3 krb5/man/man3/krb5_principal_is_null.3 krb5/man/man3/krb5_ret_string.3 krb5/man/man3/krb5_get_kdc_sec_offset.3 +krb5/man/man3/krb5_principal_is_anonymous.3 krb5/man/man3/krb5_ccache.3 krb5/man/man3/krb5_init_creds_intro.3 krb5/man/man3/krb5_parse_name_flags.3 diff --git a/doc/doxyout/ntlm/html/annotated.html b/doc/doxyout/ntlm/html/annotated.html index 87cbf8a843bc..d9a23d7fba97 100644 --- a/doc/doxyout/ntlm/html/annotated.html +++ b/doc/doxyout/ntlm/html/annotated.html 
@@ -33,6 +33,6 @@ $(function() { </div><!-- directory --> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:00 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/ntlm/html/classes.html b/doc/doxyout/ntlm/html/classes.html index d30d6b91001d..19ea669ea111 100644 --- a/doc/doxyout/ntlm/html/classes.html +++ b/doc/doxyout/ntlm/html/classes.html @@ -34,6 +34,6 @@ $(function() { <div class="qindex"><a class="qindex" href="#letter_n">n</a></div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:00 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/ntlm/html/examples.html b/doc/doxyout/ntlm/html/examples.html index 8135402acaad..665f206443a5 100644 --- a/doc/doxyout/ntlm/html/examples.html +++ b/doc/doxyout/ntlm/html/examples.html 
@@ -29,6 +29,6 @@ $(function() { </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:00 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/ntlm/html/functions.html b/doc/doxyout/ntlm/html/functions.html index 577ec73a78cd..2524238301b3 100644 --- a/doc/doxyout/ntlm/html/functions.html +++ b/doc/doxyout/ntlm/html/functions.html @@ -29,6 +29,6 @@ $(function() { </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:00 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/ntlm/html/functions_vars.html b/doc/doxyout/ntlm/html/functions_vars.html index bff10abefd60..b3059e86bca7 100644 --- a/doc/doxyout/ntlm/html/functions_vars.html +++ b/doc/doxyout/ntlm/html/functions_vars.html 
@@ -29,6 +29,6 @@ $(function() { </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:00 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/ntlm/html/graph_legend.html b/doc/doxyout/ntlm/html/graph_legend.html index f4724de236a4..c04747289836 100644 --- a/doc/doxyout/ntlm/html/graph_legend.html +++ b/doc/doxyout/ntlm/html/graph_legend.html @@ -54,6 +54,6 @@ A yellow dashed arrow denotes a relation between a template instance and the tem </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:00 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/ntlm/html/graph_legend.png b/doc/doxyout/ntlm/html/graph_legend.png Binary files differindex 881e40f9c0a2..d1fdf389c3b6 100644 --- a/doc/doxyout/ntlm/html/graph_legend.png +++ b/doc/doxyout/ntlm/html/graph_legend.png diff --git a/doc/doxyout/ntlm/html/group__ntlm__core.html b/doc/doxyout/ntlm/html/group__ntlm__core.html index 00267126e0ec..6f9319707d9f 100644 --- a/doc/doxyout/ntlm/html/group__ntlm__core.html +++ b/doc/doxyout/ntlm/html/group__ntlm__core.html 
@@ -963,6 +963,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:00 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/ntlm/html/index.html b/doc/doxyout/ntlm/html/index.html index 3327c9134141..e9f5f0838b5f 100644 --- a/doc/doxyout/ntlm/html/index.html +++ b/doc/doxyout/ntlm/html/index.html @@ -35,6 +35,6 @@ NTLM Example</h1> <p>Example to to use <a class="el" href="test_ntlm_8c-example.html">test_ntlm.c</a> . </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:00 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/ntlm/html/modules.html b/doc/doxyout/ntlm/html/modules.html index f6d7f809f562..15821305c0a5 100644 --- a/doc/doxyout/ntlm/html/modules.html +++ b/doc/doxyout/ntlm/html/modules.html 
@@ -30,6 +30,6 @@ $(function() { </div><!-- directory --> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:00 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/ntlm/html/structntlm__buf.html b/doc/doxyout/ntlm/html/structntlm__buf.html index c789acf95b6e..90e5aa28b2e4 100644 --- a/doc/doxyout/ntlm/html/structntlm__buf.html +++ b/doc/doxyout/ntlm/html/structntlm__buf.html @@ -76,6 +76,6 @@ Data Fields</h2></td></tr> </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:00 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/ntlm/html/structntlm__type1.html b/doc/doxyout/ntlm/html/structntlm__type1.html index 797a8173928c..8a5b70afbb1f 100644 --- a/doc/doxyout/ntlm/html/structntlm__type1.html +++ b/doc/doxyout/ntlm/html/structntlm__type1.html 
@@ -33,6 +33,6 @@ $(function() { </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:00 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/ntlm/html/structntlm__type2.html b/doc/doxyout/ntlm/html/structntlm__type2.html index 81cf09fe80fd..6cf2ec16cd7e 100644 --- a/doc/doxyout/ntlm/html/structntlm__type2.html +++ b/doc/doxyout/ntlm/html/structntlm__type2.html @@ -41,6 +41,6 @@ Collaboration diagram for ntlm_type2:</div> </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:00 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/ntlm/html/structntlm__type2__coll__graph.png b/doc/doxyout/ntlm/html/structntlm__type2__coll__graph.png Binary files differindex f02bb92a6a14..639257a0e15c 100644 --- a/doc/doxyout/ntlm/html/structntlm__type2__coll__graph.png +++ b/doc/doxyout/ntlm/html/structntlm__type2__coll__graph.png diff --git a/doc/doxyout/ntlm/html/structntlm__type3.html b/doc/doxyout/ntlm/html/structntlm__type3.html index f5be00a29a5d..e273edfd1620 100644 --- a/doc/doxyout/ntlm/html/structntlm__type3.html +++ b/doc/doxyout/ntlm/html/structntlm__type3.html 
@@ -41,6 +41,6 @@ Collaboration diagram for ntlm_type3:</div> </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:00 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/ntlm/html/structntlm__type3__coll__graph.png b/doc/doxyout/ntlm/html/structntlm__type3__coll__graph.png Binary files differindex 24b7d07154da..ebfc9034e91b 100644 --- a/doc/doxyout/ntlm/html/structntlm__type3__coll__graph.png +++ b/doc/doxyout/ntlm/html/structntlm__type3__coll__graph.png diff --git a/doc/doxyout/ntlm/html/test_ntlm_8c-example.html b/doc/doxyout/ntlm/html/test_ntlm_8c-example.html index 8c895b09c7fe..7ea4abf32663 100644 --- a/doc/doxyout/ntlm/html/test_ntlm_8c-example.html +++ b/doc/doxyout/ntlm/html/test_ntlm_8c-example.html 
@@ -26,6 +26,6 @@ $(function() { <p>Example how to use the NTLM primitives.</p> <div class="fragment"><div class="line"><span class="comment">/*</span></div><div class="line"><span class="comment"> * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan</span></div><div class="line"><span class="comment"> * (Royal Institute of Technology, Stockholm, Sweden).</span></div><div class="line"><span class="comment"> * All rights reserved.</span></div><div class="line"><span class="comment"> *</span></div><div class="line"><span class="comment"> * Redistribution and use in source and binary forms, with or without</span></div><div class="line"><span class="comment"> * modification, are permitted provided that the following conditions</span></div><div class="line"><span class="comment"> * are met:</span></div><div class="line"><span class="comment"> *</span></div><div class="line"><span class="comment"> * 1. Redistributions of source code must retain the above copyright</span></div><div class="line"><span class="comment"> * notice, this list of conditions and the following disclaimer.</span></div><div class="line"><span class="comment"> *</span></div><div class="line"><span class="comment"> * 2. Redistributions in binary form must reproduce the above copyright</span></div><div class="line"><span class="comment"> * notice, this list of conditions and the following disclaimer in the</span></div><div class="line"><span class="comment"> * documentation and/or other materials provided with the distribution.</span></div><div class="line"><span class="comment"> *</span></div><div class="line"><span class="comment"> * 3. 
Neither the name of KTH nor the names of its contributors may be</span></div><div class="line"><span class="comment"> * used to endorse or promote products derived from this software without</span></div><div class="line"><span class="comment"> * specific prior written permission.</span></div><div class="line"><span class="comment"> *</span></div><div class="line"><span class="comment"> * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY</span></div><div class="line"><span class="comment"> * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE</span></div><div class="line"><span class="comment"> * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR</span></div><div class="line"><span class="comment"> * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE</span></div><div class="line"><span class="comment"> * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR</span></div><div class="line"><span class="comment"> * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF</span></div><div class="line"><span class="comment"> * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR</span></div><div class="line"><span class="comment"> * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,</span></div><div class="line"><span class="comment"> * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR</span></div><div class="line"><span class="comment"> * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF</span></div><div class="line"><span class="comment"> * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</span></div><div class="line"><span class="comment"> */</span></div><div class="line"></div><div class="line"><span class="preprocessor">#include "config.h"</span></div><div class="line"></div><div class="line"><span class="preprocessor">#include <stdio.h></span></div><div class="line"><span class="preprocessor">#include 
<err.h></span></div><div class="line"><span class="preprocessor">#include <roken.h></span></div><div class="line"><span class="preprocessor">#include <getarg.h></span></div><div class="line"></div><div class="line"><span class="preprocessor">#include <krb5-types.h></span> <span class="comment">/* or <inttypes.h> */</span></div><div class="line"><span class="preprocessor">#include <heimntlm.h></span></div><div class="line"></div><div class="line"><span class="keyword">static</span> <span class="keywordtype">int</span> dumpdata_flag;</div><div class="line"></div><div class="line"><span class="keyword">static</span> <span class="keywordtype">int</span></div><div class="line">test_parse(<span class="keywordtype">void</span>)</div><div class="line">{</div><div class="line"> <span class="keyword">const</span> <span class="keywordtype">char</span> *user = <span class="stringliteral">"foo"</span>,</div><div class="line"> *domain = <span class="stringliteral">"mydomain"</span>,</div><div class="line"> *hostname = <span class="stringliteral">"myhostname"</span>,</div><div class="line"> *password = <span class="stringliteral">"digestpassword"</span>,</div><div class="line"> *target = <span class="stringliteral">"DOMAIN"</span>;</div><div class="line"> <span class="keyword">struct </span><a name="_a0"></a><a class="code" href="structntlm__type1.html">ntlm_type1</a> type1;</div><div class="line"> <span class="keyword">struct </span><a name="_a1"></a><a class="code" href="structntlm__type2.html">ntlm_type2</a> type2;</div><div class="line"> <span class="keyword">struct </span><a name="_a2"></a><a class="code" href="structntlm__type3.html">ntlm_type3</a> type3;</div><div class="line"> <span class="keyword">struct </span><a name="_a3"></a><a class="code" href="structntlm__buf.html">ntlm_buf</a> data;</div><div class="line"> <span class="keywordtype">int</span> ret, flags;</div><div class="line"></div><div class="line"> memset(&type1, 0, <span 
class="keyword">sizeof</span>(type1));</div><div class="line"></div><div class="line"> type1.<a name="a4"></a>flags = NTLM_NEG_UNICODE|NTLM_NEG_TARGET|NTLM_NEG_NTLM|NTLM_NEG_VERSION;</div><div class="line"> type1.<a name="a5"></a>domain = rk_UNCONST(domain);</div><div class="line"> type1.<a name="a6"></a>hostname = rk_UNCONST(hostname);</div><div class="line"> type1.<a name="a7"></a>os[0] = 0;</div><div class="line"> type1.os[1] = 0;</div><div class="line"></div><div class="line"> ret = <a name="a8"></a><a class="code" href="group__ntlm__core.html#ga0107727234287ac61a8801b0faff9dff">heim_ntlm_encode_type1</a>(&type1, &data);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> errx(1, <span class="stringliteral">"heim_ntlm_encode_type1"</span>);</div><div class="line"></div><div class="line"> memset(&type1, 0, <span class="keyword">sizeof</span>(type1));</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (dumpdata_flag)</div><div class="line"> rk_dumpdata(<span class="stringliteral">"ntlm-type1"</span>, data.<a name="a9"></a><a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>, data.<a name="a10"></a><a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a>);</div><div class="line"></div><div class="line"> ret = heim_ntlm_decode_type1(&data, &type1);</div><div class="line"> free(data.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> errx(1, <span class="stringliteral">"heim_ntlm_encode_type1"</span>);</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (strcmp(type1.domain, domain) != 0)</div><div class="line"> errx(1, <span class="stringliteral">"parser got domain wrong: %s"</span>, type1.domain);</div><div class="line"></div><div class="line"> <span 
class="keywordflow">if</span> (strcmp(type1.hostname, hostname) != 0)</div><div class="line"> errx(1, <span class="stringliteral">"parser got hostname wrong: %s"</span>, type1.hostname);</div><div class="line"></div><div class="line"> <a name="a11"></a><a class="code" href="group__ntlm__core.html#ga76fa6caf3f539e24008e31613f5eb663">heim_ntlm_free_type1</a>(&type1);</div><div class="line"></div><div class="line"> <span class="comment">/*</span></div><div class="line"><span class="comment"> *</span></div><div class="line"><span class="comment"> */</span></div><div class="line"></div><div class="line"> memset(&type2, 0, <span class="keyword">sizeof</span>(type2));</div><div class="line"></div><div class="line"> flags = NTLM_NEG_UNICODE | NTLM_NEG_NTLM | NTLM_TARGET_DOMAIN;</div><div class="line"> type2.<a name="a12"></a>flags = flags;</div><div class="line"></div><div class="line"> memset(type2.<a name="a13"></a>challenge, 0x7f, <span class="keyword">sizeof</span>(type2.challenge));</div><div class="line"> type2.<a name="a14"></a>targetname = rk_UNCONST(target);</div><div class="line"> type2.<a name="a15"></a>targetinfo.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a> = NULL;</div><div class="line"> type2.targetinfo.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a> = 0;</div><div class="line"></div><div class="line"> ret = <a name="a16"></a><a class="code" href="group__ntlm__core.html#ga2860c6f6d497255eb433adc8cacc49dd">heim_ntlm_encode_type2</a>(&type2, &data);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> errx(1, <span class="stringliteral">"heim_ntlm_encode_type2"</span>);</div><div class="line"></div><div class="line"> memset(&type2, 0, <span class="keyword">sizeof</span>(type2));</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (dumpdata_flag)</div><div class="line"> rk_dumpdata(<span 
class="stringliteral">"ntlm-type2"</span>, data.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>, data.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a>);</div><div class="line"></div><div class="line"> ret = heim_ntlm_decode_type2(&data, &type2);</div><div class="line"> free(data.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> errx(1, <span class="stringliteral">"heim_ntlm_decode_type2"</span>);</div><div class="line"></div><div class="line"> <a name="a17"></a><a class="code" href="group__ntlm__core.html#ga8fde84c86f1c7c9f730f7fb4acedcb43">heim_ntlm_free_type2</a>(&type2);</div><div class="line"></div><div class="line"> <span class="comment">/*</span></div><div class="line"><span class="comment"> *</span></div><div class="line"><span class="comment"> */</span></div><div class="line"></div><div class="line"> memset(&type3, 0, <span class="keyword">sizeof</span>(type3));</div><div class="line"></div><div class="line"> type3.<a name="a18"></a>flags = flags;</div><div class="line"> type3.<a name="a19"></a>username = rk_UNCONST(user);</div><div class="line"> type3.<a name="a20"></a>targetname = rk_UNCONST(target);</div><div class="line"> type3.<a name="a21"></a>ws = rk_UNCONST(<span class="stringliteral">"workstation"</span>);</div><div class="line"></div><div class="line"> {</div><div class="line"> <span class="keyword">struct </span><a class="code" href="structntlm__buf.html">ntlm_buf</a> key;</div><div class="line"> <a name="a22"></a><a class="code" href="group__ntlm__core.html#ga254ee0a4d5a2594833e36697ad575d7e">heim_ntlm_nt_key</a>(password, &key);</div><div class="line"></div><div class="line"> <a name="a23"></a><a class="code" href="group__ntlm__core.html#gae3b634802ef94233a175291abd2ea14d">heim_ntlm_calculate_ntlm1</a>(key.<a class="code" 
href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>, key.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a>,</div><div class="line"> type2.challenge,</div><div class="line"> &type3.<a name="a24"></a>ntlm);</div><div class="line"> free(key.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>);</div><div class="line"> }</div><div class="line"></div><div class="line"> ret = <a name="a25"></a><a class="code" href="group__ntlm__core.html#gade200095bfa40a73cfd4154010cc6e76">heim_ntlm_encode_type3</a>(&type3, &data, NULL);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> errx(1, <span class="stringliteral">"heim_ntlm_encode_type3"</span>);</div><div class="line"></div><div class="line"> free(type3.ntlm.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>);</div><div class="line"></div><div class="line"> memset(&type3, 0, <span class="keyword">sizeof</span>(type3));</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (dumpdata_flag)</div><div class="line"> rk_dumpdata(<span class="stringliteral">"ntlm-type3"</span>, data.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>, data.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a>);</div><div class="line"></div><div class="line"> ret = heim_ntlm_decode_type3(&data, 1, &type3);</div><div class="line"> free(data.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> errx(1, <span class="stringliteral">"heim_ntlm_decode_type3"</span>);</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (strcmp(<span class="stringliteral">"workstation"</span>, type3.ws) != 0)</div><div class="line"> errx(1, <span 
class="stringliteral">"type3 ws wrong"</span>);</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (strcmp(target, type3.targetname) != 0)</div><div class="line"> errx(1, <span class="stringliteral">"type3 targetname wrong"</span>);</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (strcmp(user, type3.username) != 0)</div><div class="line"> errx(1, <span class="stringliteral">"type3 username wrong"</span>);</div><div class="line"></div><div class="line"></div><div class="line"> <a name="a26"></a><a class="code" href="group__ntlm__core.html#gac4e6d01e5247b8540d41ccbbf1031319">heim_ntlm_free_type3</a>(&type3);</div><div class="line"></div><div class="line"> <span class="comment">/*</span></div><div class="line"><span class="comment"> * NTLMv2</span></div><div class="line"><span class="comment"> */</span></div><div class="line"></div><div class="line"> memset(&type2, 0, <span class="keyword">sizeof</span>(type2));</div><div class="line"></div><div class="line"> flags = NTLM_NEG_UNICODE | NTLM_NEG_NTLM | NTLM_TARGET_DOMAIN;</div><div class="line"> type2.flags = flags;</div><div class="line"></div><div class="line"> memset(type2.challenge, 0x7f, <span class="keyword">sizeof</span>(type2.challenge));</div><div class="line"> type2.targetname = rk_UNCONST(target);</div><div class="line"> type2.targetinfo.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a> = <span class="stringliteral">"\x00\x00"</span>;</div><div class="line"> type2.targetinfo.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a> = 2;</div><div class="line"></div><div class="line"> ret = <a class="code" href="group__ntlm__core.html#ga2860c6f6d497255eb433adc8cacc49dd">heim_ntlm_encode_type2</a>(&type2, &data);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> errx(1, <span 
class="stringliteral">"heim_ntlm_encode_type2"</span>);</div><div class="line"></div><div class="line"> memset(&type2, 0, <span class="keyword">sizeof</span>(type2));</div><div class="line"></div><div class="line"> ret = heim_ntlm_decode_type2(&data, &type2);</div><div class="line"> free(data.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> errx(1, <span class="stringliteral">"heim_ntlm_decode_type2"</span>);</div><div class="line"></div><div class="line"> <a class="code" href="group__ntlm__core.html#ga8fde84c86f1c7c9f730f7fb4acedcb43">heim_ntlm_free_type2</a>(&type2);</div><div class="line"></div><div class="line"> <span class="keywordflow">return</span> 0;</div><div class="line">}</div><div class="line"></div><div class="line"><span class="keyword">static</span> <span class="keywordtype">int</span></div><div class="line">test_keys(<span class="keywordtype">void</span>)</div><div class="line">{</div><div class="line"> <span class="keyword">const</span> <span class="keywordtype">char</span></div><div class="line"> *username = <span class="stringliteral">"test"</span>,</div><div class="line"> *password = <span class="stringliteral">"test1234"</span>,</div><div class="line"> *target = <span class="stringliteral">"TESTNT"</span>;</div><div class="line"> <span class="keyword">const</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span></div><div class="line"> serverchallenge[8] = <span class="stringliteral">"\x67\x7f\x1c\x55\x7a\x5e\xe9\x6c"</span>;</div><div class="line"> <span class="keyword">struct </span><a class="code" href="structntlm__buf.html">ntlm_buf</a> infotarget, infotarget2, answer, key;</div><div class="line"> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> ntlmv2[16], ntlmv2_1[16];</div><div class="line"> <span class="keywordtype">int</span> ret;</div><div 
class="line"></div><div class="line"> infotarget.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a> = 70;</div><div class="line"> infotarget.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a> =</div><div class="line"> <span class="stringliteral">"\x02\x00\x0c\x00\x54\x00\x45\x00\x53\x00\x54\x00\x4e\x00\x54\x00"</span></div><div class="line"> <span class="stringliteral">"\x01\x00\x0c\x00\x4d\x00\x45\x00\x4d\x00\x42\x00\x45\x00\x52\x00"</span></div><div class="line"> <span class="stringliteral">"\x03\x00\x1e\x00\x6d\x00\x65\x00\x6d\x00\x62\x00\x65\x00\x72\x00"</span></div><div class="line"> <span class="stringliteral">"\x2e\x00\x74\x00\x65\x00\x73\x00\x74\x00\x2e\x00\x63\x00\x6f"</span></div><div class="line"> <span class="stringliteral">"\x00\x6d\x00"</span></div><div class="line"> <span class="stringliteral">"\x00\x00\x00\x00"</span>;</div><div class="line"></div><div class="line"> answer.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a> = 0;</div><div class="line"> answer.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a> = NULL;</div><div class="line"></div><div class="line"> <a class="code" href="group__ntlm__core.html#ga254ee0a4d5a2594833e36697ad575d7e">heim_ntlm_nt_key</a>(password, &key);</div><div class="line"></div><div class="line"> ret = <a name="a27"></a><a class="code" href="group__ntlm__core.html#gaa8f07fb71a0d5f095cde3fb9fb40d10c">heim_ntlm_calculate_ntlm2</a>(key.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>,</div><div class="line"> key.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a>,</div><div class="line"> username,</div><div class="line"> target,</div><div class="line"> serverchallenge,</div><div class="line"> &infotarget,</div><div class="line"> ntlmv2,</div><div class="line"> &answer);</div><div class="line"> <span 
class="keywordflow">if</span> (ret)</div><div class="line"> errx(1, <span class="stringliteral">"heim_ntlm_calculate_ntlm2"</span>);</div><div class="line"></div><div class="line"> ret = <a name="a28"></a><a class="code" href="group__ntlm__core.html#ga3b3d6a5187cab6bfe656afa7a8273ca6">heim_ntlm_verify_ntlm2</a>(key.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>,</div><div class="line"> key.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a>,</div><div class="line"> username,</div><div class="line"> target,</div><div class="line"> 0,</div><div class="line"> serverchallenge,</div><div class="line"> &answer,</div><div class="line"> &infotarget2,</div><div class="line"> ntlmv2_1);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> errx(1, <span class="stringliteral">"heim_ntlm_verify_ntlm2"</span>);</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (memcmp(ntlmv2, ntlmv2_1, <span class="keyword">sizeof</span>(ntlmv2)) != 0)</div><div class="line"> errx(1, <span class="stringliteral">"ntlm master key not same"</span>);</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (infotarget.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a> > infotarget2.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a>)</div><div class="line"> errx(1, <span class="stringliteral">"infotarget length"</span>);</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (memcmp(infotarget.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>, infotarget2.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>, infotarget.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a>) != 0)</div><div class="line"> errx(1, <span 
class="stringliteral">"infotarget not the same"</span>);</div><div class="line"></div><div class="line"> free(key.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>);</div><div class="line"> free(answer.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>);</div><div class="line"> free(infotarget2.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>);</div><div class="line"></div><div class="line"> <span class="keywordflow">return</span> 0;</div><div class="line">}</div><div class="line"></div><div class="line"><span class="keyword">static</span> <span class="keywordtype">int</span></div><div class="line">test_ntlm2_session_resp(<span class="keywordtype">void</span>)</div><div class="line">{</div><div class="line"> <span class="keywordtype">int</span> ret;</div><div class="line"> <span class="keyword">struct </span><a class="code" href="structntlm__buf.html">ntlm_buf</a> lm, ntlm;</div><div class="line"></div><div class="line"> <span class="keyword">const</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> lm_resp[24] =</div><div class="line"> <span class="stringliteral">"\xff\xff\xff\x00\x11\x22\x33\x44"</span></div><div class="line"> <span class="stringliteral">"\x00\x00\x00\x00\x00\x00\x00\x00"</span></div><div class="line"> <span class="stringliteral">"\x00\x00\x00\x00\x00\x00\x00\x00"</span>;</div><div class="line"> <span class="keyword">const</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> ntlm2_sess_resp[24] =</div><div class="line"> <span class="stringliteral">"\x10\xd5\x50\x83\x2d\x12\xb2\xcc"</span></div><div class="line"> <span class="stringliteral">"\xb7\x9d\x5a\xd1\xf4\xee\xd3\xdf"</span></div><div class="line"> <span class="stringliteral">"\x82\xac\xa4\xc3\x68\x1d\xd4\x55"</span>;</div><div class="line"></div><div class="line"> <span class="keyword">const</span> <span 
class="keywordtype">unsigned</span> <span class="keywordtype">char</span> client_nonce[8] =</div><div class="line"> <span class="stringliteral">"\xff\xff\xff\x00\x11\x22\x33\x44"</span>;</div><div class="line"> <span class="keyword">const</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> server_challenge[8] =</div><div class="line"> <span class="stringliteral">"\x01\x23\x45\x67\x89\xab\xcd\xef"</span>;</div><div class="line"></div><div class="line"> <span class="keyword">const</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> ntlm_hash[16] =</div><div class="line"> <span class="stringliteral">"\xcd\x06\xca\x7c\x7e\x10\xc9\x9b"</span></div><div class="line"> <span class="stringliteral">"\x1d\x33\xb7\x48\x5a\x2e\xd8\x08"</span>;</div><div class="line"></div><div class="line"> ret = heim_ntlm_calculate_ntlm2_sess(client_nonce,</div><div class="line"> server_challenge,</div><div class="line"> ntlm_hash,</div><div class="line"> &lm,</div><div class="line"> &ntlm);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> errx(1, <span class="stringliteral">"heim_ntlm_calculate_ntlm2_sess_resp"</span>);</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (lm.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a> != 24 || memcmp(lm.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>, lm_resp, 24) != 0)</div><div class="line"> errx(1, <span class="stringliteral">"lm_resp wrong"</span>);</div><div class="line"> <span class="keywordflow">if</span> (ntlm.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a> != 24 || memcmp(ntlm.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>, ntlm2_sess_resp, 24) != 0)</div><div class="line"> errx(1, <span class="stringliteral">"ntlm2_sess_resp 
wrong"</span>);</div><div class="line"></div><div class="line"> free(lm.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>);</div><div class="line"> free(ntlm.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>);</div><div class="line"></div><div class="line"></div><div class="line"> <span class="keywordflow">return</span> 0;</div><div class="line">}</div><div class="line"></div><div class="line"><span class="keyword">static</span> <span class="keywordtype">int</span></div><div class="line">test_ntlmv2(<span class="keywordtype">void</span>)</div><div class="line">{</div><div class="line"> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> type3[413] = </div><div class="line"> <span class="stringliteral">"\x4e\x54\x4c\x4d\x53\x53\x50\x00\x03\x00\x00\x00\x18\x00\x18\x00"</span></div><div class="line"> <span class="stringliteral">"\x80\x00\x00\x00\x9e\x00\x9e\x00\x98\x00\x00\x00\x14\x00\x14\x00"</span></div><div class="line"> <span class="stringliteral">"\x48\x00\x00\x00\x10\x00\x10\x00\x5c\x00\x00\x00\x14\x00\x14\x00"</span></div><div class="line"> <span class="stringliteral">"\x6c\x00\x00\x00\x00\x00\x00\x00\x36\x01\x00\x00\x05\x82\x88\xa2"</span></div><div class="line"> <span class="stringliteral">"\x05\x01\x28\x0a\x00\x00\x00\x0f\x43\x00\x4f\x00\x4c\x00\x4c\x00"</span></div><div class="line"> <span class="stringliteral">"\x45\x00\x59\x00\x2d\x00\x58\x00\x50\x00\x34\x00\x54\x00\x45\x00"</span></div><div class="line"> <span class="stringliteral">"\x53\x00\x54\x00\x55\x00\x53\x00\x45\x00\x52\x00\x43\x00\x4f\x00"</span></div><div class="line"> <span class="stringliteral">"\x4c\x00\x4c\x00\x45\x00\x59\x00\x2d\x00\x58\x00\x50\x00\x34\x00"</span></div><div class="line"> <span class="stringliteral">"\x2f\x96\xec\x0a\xf7\x9f\x2e\x24\xba\x09\x48\x10\xa5\x22\xd4\xe1"</span></div><div class="line"> <span 
class="stringliteral">"\x16\x6a\xca\x58\x74\x9a\xc1\x4f\x54\x6f\xee\x40\x96\xce\x43\x6e"</span></div><div class="line"> <span class="stringliteral">"\xdf\x99\x20\x71\x6c\x9a\xda\x2a\x01\x01\x00\x00\x00\x00\x00\x00"</span></div><div class="line"> <span class="stringliteral">"\x8d\xc0\x57\xc9\x79\x5e\xcb\x01\x16\x6a\xca\x58\x74\x9a\xc1\x4f"</span></div><div class="line"> <span class="stringliteral">"\x00\x00\x00\x00\x02\x00\x14\x00\x4e\x00\x55\x00\x54\x00\x43\x00"</span></div><div class="line"> <span class="stringliteral">"\x52\x00\x41\x00\x43\x00\x4b\x00\x45\x00\x52\x00\x01\x00\x14\x00"</span></div><div class="line"> <span class="stringliteral">"\x4e\x00\x55\x00\x54\x00\x43\x00\x52\x00\x41\x00\x43\x00\x4b\x00"</span></div><div class="line"> <span class="stringliteral">"\x45\x00\x52\x00\x04\x00\x12\x00\x61\x00\x70\x00\x70\x00\x6c\x00"</span></div><div class="line"> <span class="stringliteral">"\x65\x00\x2e\x00\x63\x00\x6f\x00\x6d\x00\x03\x00\x20\x00\x68\x00"</span></div><div class="line"> <span class="stringliteral">"\x75\x00\x6d\x00\x6d\x00\x65\x00\x6c\x00\x2e\x00\x61\x00\x70\x00"</span></div><div class="line"> <span class="stringliteral">"\x70\x00\x6c\x00\x65\x00\x2e\x00\x63\x00\x6f\x00\x6d\x00\x00\x00"</span></div><div class="line"> <span class="stringliteral">"\x00\x00\x00\x00\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f"</span></div><div class="line"> <span class="stringliteral">"\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20"</span></div><div class="line"> <span class="stringliteral">"\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20"</span></div><div class="line"> <span class="stringliteral">"\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32"</span></div><div class="line"> <span class="stringliteral">"\x00\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64"</span></div><div class="line"> <span class="stringliteral">"\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32"</span></div><div 
class="line"> <span class="stringliteral">"\x00\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"</span>;</div><div class="line"> <span class="keyword">const</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> challenge[8] = </div><div class="line"> <span class="stringliteral">"\xe4\x9c\x6a\x12\xe1\xbd\xde\x6a"</span>;</div><div class="line"> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> sessionkey[16];</div><div class="line"></div><div class="line"> <span class="keyword">const</span> <span class="keywordtype">char</span> key[16] = <span class="stringliteral">"\xD1\x83\x98\x3E\xAE\xA7\xBE\x99\x59\xC8\xF4\xC1\x98\xED\x0E\x68"</span>;</div><div class="line"></div><div class="line"> <span class="keyword">struct </span><a class="code" href="structntlm__buf.html">ntlm_buf</a> data;</div><div class="line"> <span class="keyword">struct </span><a class="code" href="structntlm__type3.html">ntlm_type3</a> t3;</div><div class="line"> <span class="keywordtype">int</span> ret;</div><div class="line"></div><div class="line"> <span class="keyword">struct </span>ntlm_targetinfo ti;</div><div class="line"></div><div class="line"> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> timsg[114] = </div><div class="line"> <span class="stringliteral">"\002\000\024\000N\000U\000T\000C\000R\000A\000C\000K\000E\000R\000\001\000\024\000N\000U\000T\000C\000R\000A\000C\000K\000E\000R\000\004\000\022\000a\000p\000p\000l\000e\000.\000c\000o\000m\000\003\000 \000h\000u\000m\000m\000e\000l\000.\000a\000p\000p\000l\000e\000.\000c\000o\000m\000\000\000\000\000\000\000\000"</span>;</div><div class="line"></div><div class="line"></div><div class="line"> data.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a> = type3;</div><div class="line"> data.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a> = <span 
class="keyword">sizeof</span>(type3);</div><div class="line"></div><div class="line"> ret = heim_ntlm_decode_type3(&data, 1, &t3);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> errx(1, <span class="stringliteral">"heim_ntlm_decode_type3"</span>);</div><div class="line"> </div><div class="line"> memset(&ti, 0, <span class="keyword">sizeof</span>(ti));</div><div class="line"></div><div class="line"> data.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a> = timsg;</div><div class="line"> data.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a> = <span class="keyword">sizeof</span>(timsg);</div><div class="line"></div><div class="line"> ret = <a name="a29"></a><a class="code" href="group__ntlm__core.html#gaf1d4de2faec8b1c1070a55fd2e6e630f">heim_ntlm_decode_targetinfo</a>(&data, 1, &ti);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> <span class="keywordflow">return</span> ret;</div><div class="line"></div><div class="line"> ret = <a class="code" href="group__ntlm__core.html#ga3b3d6a5187cab6bfe656afa7a8273ca6">heim_ntlm_verify_ntlm2</a>(key, <span class="keyword">sizeof</span>(key),</div><div class="line"> t3.username,</div><div class="line"> t3.targetname,</div><div class="line"> 1285615547,</div><div class="line"> challenge,</div><div class="line"> &t3.ntlm,</div><div class="line"> &data,</div><div class="line"> sessionkey);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> errx(1, <span class="stringliteral">"verify_ntlmv2"</span>);</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (<span class="keyword">sizeof</span>(timsg) != data.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a> || memcmp(timsg, data.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>, <span 
class="keyword">sizeof</span>(timsg)) != 0)</div><div class="line"> errx(1, <span class="stringliteral">"target info wrong: %d != %d"</span>,</div><div class="line"> (<span class="keywordtype">int</span>)<span class="keyword">sizeof</span>(timsg), (<span class="keywordtype">int</span>)data.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a>);</div><div class="line"></div><div class="line"> <a class="code" href="group__ntlm__core.html#gac4e6d01e5247b8540d41ccbbf1031319">heim_ntlm_free_type3</a>(&t3);</div><div class="line"> <a name="a30"></a><a class="code" href="group__ntlm__core.html#ga704ec8c5dba05ef57186d242ff165565">heim_ntlm_free_targetinfo</a>(&ti);</div><div class="line"></div><div class="line"> <span class="keywordflow">return</span> 0;</div><div class="line">}</div><div class="line"></div><div class="line"><span class="keyword">static</span> <span class="keywordtype">int</span></div><div class="line">test_targetinfo(<span class="keywordtype">void</span>)</div><div class="line">{</div><div class="line"> <span class="keyword">struct </span>ntlm_targetinfo ti;</div><div class="line"> <span class="keyword">struct </span><a class="code" href="structntlm__buf.html">ntlm_buf</a> buf;</div><div class="line"> <span class="keyword">const</span> <span class="keywordtype">char</span> *dnsservername = <span class="stringliteral">"dnsservername"</span>;</div><div class="line"> <span class="keyword">const</span> <span class="keywordtype">char</span> *targetname = <span class="stringliteral">"targetname"</span>;</div><div class="line"> <span class="keyword">const</span> <span class="keywordtype">char</span> z16[16] = { 0 };</div><div class="line"> <span class="keywordtype">int</span> ret;</div><div class="line"></div><div class="line"> memset(&ti, 0, <span class="keyword">sizeof</span>(ti));</div><div class="line"></div><div class="line"> ti.dnsservername = rk_UNCONST(dnsservername);</div><div class="line"> ti.avflags = 1;</div><div 
class="line"> ti.targetname = rk_UNCONST(targetname);</div><div class="line"> ti.channel_bindings.data = rk_UNCONST(z16);</div><div class="line"> ti.channel_bindings.length = <span class="keyword">sizeof</span>(z16);</div><div class="line"></div><div class="line"> ret = <a name="a31"></a><a class="code" href="group__ntlm__core.html#ga2881747fad2ac2979a28d3bd050b0fa8">heim_ntlm_encode_targetinfo</a>(&ti, 1, &buf);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> <span class="keywordflow">return</span> ret;</div><div class="line"></div><div class="line"> memset(&ti, 0, <span class="keyword">sizeof</span>(ti));</div><div class="line"></div><div class="line"> ret = <a class="code" href="group__ntlm__core.html#gaf1d4de2faec8b1c1070a55fd2e6e630f">heim_ntlm_decode_targetinfo</a>(&buf, 1, &ti);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> <span class="keywordflow">return</span> ret;</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (ti.dnsservername == NULL ||</div><div class="line"> strcmp(ti.dnsservername, dnsservername) != 0)</div><div class="line"> errx(1, <span class="stringliteral">"ti.dnshostname != %s"</span>, dnsservername);</div><div class="line"> <span class="keywordflow">if</span> (ti.avflags != 1)</div><div class="line"> errx(1, <span class="stringliteral">"ti.avflags != 1"</span>);</div><div class="line"> <span class="keywordflow">if</span> (ti.targetname == NULL ||</div><div class="line"> strcmp(ti.targetname, targetname) != 0)</div><div class="line"> errx(1, <span class="stringliteral">"ti.targetname != %s"</span>, targetname);</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (ti.channel_bindings.length != <span class="keyword">sizeof</span>(z16) ||</div><div class="line"> memcmp(ti.channel_bindings.data, z16, <span class="keyword">sizeof</span>(z16)) != 0)</div><div class="line"> errx(1, <span 
class="stringliteral">"ti.channel_bindings != Z(16)"</span>);</div><div class="line"></div><div class="line"> <a class="code" href="group__ntlm__core.html#ga704ec8c5dba05ef57186d242ff165565">heim_ntlm_free_targetinfo</a>(&ti);</div><div class="line"></div><div class="line"> <span class="keywordflow">return</span> 0;</div><div class="line">}</div><div class="line"></div><div class="line"><span class="keyword">static</span> <span class="keywordtype">int</span></div><div class="line">test_string2key(<span class="keywordtype">void</span>)</div><div class="line">{</div><div class="line"> <span class="keyword">const</span> <span class="keywordtype">char</span> *pw = <span class="stringliteral">"山田"</span>;</div><div class="line"> <span class="keyword">struct </span><a class="code" href="structntlm__buf.html">ntlm_buf</a> buf;</div><div class="line"></div><div class="line"> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> key[16] = {</div><div class="line"> 0xc6, 0x5d, 0xc7, 0x61, 0xa1, 0x34, 0x17, 0xa1,</div><div class="line"> 0x17, 0x08, 0x9c, 0x1b, 0xb0, 0x0d, 0x0f, 0x19</div><div class="line"> };</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group__ntlm__core.html#ga254ee0a4d5a2594833e36697ad575d7e">heim_ntlm_nt_key</a>(pw, &buf) != 0)</div><div class="line"> errx(1, <span class="stringliteral">"heim_ntlmv_nt_key(jp)"</span>);</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (buf.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a> != 16 || memcmp(buf.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a>, key, 16) != 0)</div><div class="line"> errx(1, <span class="stringliteral">"compare failed"</span>);</div><div class="line"></div><div class="line"> <a name="a32"></a><a class="code" 
href="group__ntlm__core.html#ga5f6c313a3a7258cda5f09bb44f8d1776">heim_ntlm_free_buf</a>(&buf);</div><div class="line"></div><div class="line"> <span class="keywordflow">return</span> 0;</div><div class="line">}</div><div class="line"></div><div class="line"><span class="keyword">static</span> <span class="keywordtype">int</span></div><div class="line">test_jp(<span class="keywordtype">void</span>)</div><div class="line">{</div><div class="line"> <span class="keywordtype">char</span> buf2[220] =</div><div class="line"> <span class="stringliteral">"\x4e\x54\x4c\x4d\x53\x53\x50\x00\x02\x00\x00\x00\x06\x00\x06\x00"</span></div><div class="line"> <span class="stringliteral">"\x38\x00\x00\x00\x05\x02\x89\x62\x62\x94\xb1\xf3\x56\x80\xb0\xf9"</span></div><div class="line"> <span class="stringliteral">"\x00\x00\x00\x00\x00\x00\x00\x00\x9e\x00\x9e\x00\x3e\x00\x00\x00"</span></div><div class="line"> <span class="stringliteral">"\x06\x01\xb0\x1d\x00\x00\x00\x0f\x43\x00\x4f\x00\x53\x00\x02\x00"</span></div><div class="line"> <span class="stringliteral">"\x06\x00\x43\x00\x4f\x00\x53\x00\x01\x00\x12\x00\x43\x00\x4f\x00"</span></div><div class="line"> <span class="stringliteral">"\x53\x00\x57\x00\x49\x00\x4e\x00\x37\x00\x4a\x00\x50\x00\x04\x00"</span></div><div class="line"> <span class="stringliteral">"\x1a\x00\x63\x00\x6f\x00\x73\x00\x2e\x00\x61\x00\x70\x00\x70\x00"</span></div><div class="line"> <span class="stringliteral">"\x6c\x00\x65\x00\x2e\x00\x63\x00\x6f\x00\x6d\x00\x03\x00\x2e\x00"</span></div><div class="line"> <span class="stringliteral">"\x63\x00\x6f\x00\x73\x00\x77\x00\x69\x00\x6e\x00\x37\x00\x6a\x00"</span></div><div class="line"> <span class="stringliteral">"\x70\x00\x2e\x00\x63\x00\x6f\x00\x73\x00\x2e\x00\x61\x00\x70\x00"</span></div><div class="line"> <span class="stringliteral">"\x70\x00\x6c\x00\x65\x00\x2e\x00\x63\x00\x6f\x00\x6d\x00\x05\x00"</span></div><div class="line"> <span 
class="stringliteral">"\x1a\x00\x63\x00\x6f\x00\x73\x00\x2e\x00\x61\x00\x70\x00\x70\x00"</span></div><div class="line"> <span class="stringliteral">"\x6c\x00\x65\x00\x2e\x00\x63\x00\x6f\x00\x6d\x00\x07\x00\x08\x00"</span></div><div class="line"> <span class="stringliteral">"\x94\x51\xf0\xbd\xdc\x61\xcb\x01\x00\x00\x00\x00"</span>;</div><div class="line"></div><div class="line"> <span class="keywordtype">char</span> buf3[362] =</div><div class="line"> <span class="stringliteral">"\x4e\x54\x4c\x4d\x53\x53\x50\x00\x03\x00\x00\x00\x18\x00\x18\x00"</span></div><div class="line"> <span class="stringliteral">"\x74\x00\x00\x00\xce\x00\xce\x00\x8c\x00\x00\x00\x1a\x00\x1a\x00"</span></div><div class="line"> <span class="stringliteral">"\x40\x00\x00\x00\x04\x00\x04\x00\x5a\x00\x00\x00\x16\x00\x16\x00"</span></div><div class="line"> <span class="stringliteral">"\x5e\x00\x00\x00\x10\x00\x10\x00\x5a\x01\x00\x00\x05\x02\x89\x62"</span></div><div class="line"> <span class="stringliteral">"\x31\x00\x37\x00\x2e\x00\x32\x00\x30\x00\x31\x00\x2e\x00\x35\x00"</span></div><div class="line"> <span class="stringliteral">"\x37\x00\x2e\x00\x31\x00\x32\x00\x31\x00\x71\x5c\x30\x75\x77\x00"</span></div><div class="line"> <span class="stringliteral">"\x6f\x00\x72\x00\x6b\x00\x73\x00\x74\x00\x61\x00\x74\x00\x69\x00"</span></div><div class="line"> <span class="stringliteral">"\x6f\x00\x6e\x00\xab\xad\xeb\x72\x01\xd4\x5f\xdf\x59\x07\x5f\xa9"</span></div><div class="line"> <span class="stringliteral">"\xfd\x54\x98\x2d\xfa\x17\xbb\xf1\x3c\x8f\xf5\x20\xe6\x8f\xd7\x0a"</span></div><div class="line"> <span class="stringliteral">"\xc9\x19\x3e\x94\x61\x31\xdb\x0f\x55\xe8\xe2\x53\x01\x01\x00\x00"</span></div><div class="line"> <span class="stringliteral">"\x00\x00\x00\x00\x00\x06\x3e\x30\xe4\x61\xcb\x01\x71\x98\x10\x6b"</span></div><div class="line"> <span class="stringliteral">"\x4c\x82\xec\xb3\x00\x00\x00\x00\x02\x00\x06\x00\x43\x00\x4f\x00"</span></div><div class="line"> <span 
class="stringliteral">"\x53\x00\x01\x00\x12\x00\x43\x00\x4f\x00\x53\x00\x57\x00\x49\x00"</span></div><div class="line"> <span class="stringliteral">"\x4e\x00\x37\x00\x4a\x00\x50\x00\x04\x00\x1a\x00\x63\x00\x6f\x00"</span></div><div class="line"> <span class="stringliteral">"\x73\x00\x2e\x00\x61\x00\x70\x00\x70\x00\x6c\x00\x65\x00\x2e\x00"</span></div><div class="line"> <span class="stringliteral">"\x63\x00\x6f\x00\x6d\x00\x03\x00\x2e\x00\x63\x00\x6f\x00\x73\x00"</span></div><div class="line"> <span class="stringliteral">"\x77\x00\x69\x00\x6e\x00\x37\x00\x6a\x00\x70\x00\x2e\x00\x63\x00"</span></div><div class="line"> <span class="stringliteral">"\x6f\x00\x73\x00\x2e\x00\x61\x00\x70\x00\x70\x00\x6c\x00\x65\x00"</span></div><div class="line"> <span class="stringliteral">"\x2e\x00\x63\x00\x6f\x00\x6d\x00\x05\x00\x1a\x00\x63\x00\x6f\x00"</span></div><div class="line"> <span class="stringliteral">"\x73\x00\x2e\x00\x61\x00\x70\x00\x70\x00\x6c\x00\x65\x00\x2e\x00"</span></div><div class="line"> <span class="stringliteral">"\x63\x00\x6f\x00\x6d\x00\x07\x00\x08\x00\xab\xec\xcc\x30\xe4\x61"</span></div><div class="line"> <span class="stringliteral">"\xcb\x01\x00\x00\x00\x00\x00\x00\x00\x00\xbc\x2e\xba\x3f\xd1\xb1"</span></div><div class="line"> <span class="stringliteral">"\xa7\x70\x00\x9d\x55\xa0\x59\x74\x2b\x78"</span>;</div><div class="line"></div><div class="line"></div><div class="line"> <span class="keyword">struct </span><a class="code" href="structntlm__type2.html">ntlm_type2</a> type2;</div><div class="line"> <span class="keyword">struct </span><a class="code" href="structntlm__type3.html">ntlm_type3</a> type3;</div><div class="line"> <span class="keyword">struct </span><a class="code" href="structntlm__buf.html">ntlm_buf</a> data;</div><div class="line"> <span class="keywordtype">int</span> ret;</div><div class="line"></div><div class="line"> data.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a> = <span 
class="keyword">sizeof</span>(buf2);</div><div class="line"> data.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a> = buf2;</div><div class="line"></div><div class="line"> memset(&type2, 0, <span class="keyword">sizeof</span>(type2));</div><div class="line"></div><div class="line"> ret = heim_ntlm_decode_type2(&data, &type2);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> errx(1, <span class="stringliteral">"heim_ntlm_decode_type2(jp): %d"</span>, ret);</div><div class="line"></div><div class="line"> data.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a> = NULL;</div><div class="line"> data.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a> = 0;</div><div class="line"></div><div class="line"> ret = <a class="code" href="group__ntlm__core.html#ga2860c6f6d497255eb433adc8cacc49dd">heim_ntlm_encode_type2</a>(&type2, &data);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> errx(1, <span class="stringliteral">"heim_ntlm_encode_type2(jp): %d"</span>, ret);</div><div class="line"></div><div class="line"> <a class="code" href="group__ntlm__core.html#ga8fde84c86f1c7c9f730f7fb4acedcb43">heim_ntlm_free_type2</a>(&type2);</div><div class="line"> <a class="code" href="group__ntlm__core.html#ga5f6c313a3a7258cda5f09bb44f8d1776">heim_ntlm_free_buf</a>(&data);</div><div class="line"></div><div class="line"> data.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a> = <span class="keyword">sizeof</span>(buf3);</div><div class="line"> data.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a> = buf3;</div><div class="line"></div><div class="line"> memset(&type3, 0, <span class="keyword">sizeof</span>(type3));</div><div class="line"></div><div class="line"> ret = heim_ntlm_decode_type3(&data, 1, &type3);</div><div 
class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> errx(1, <span class="stringliteral">"heim_ntlm_decode_type2(jp): %d"</span>, ret);</div><div class="line"></div><div class="line"> data.<a class="code" href="structntlm__buf.html#a0cb7caf04f8f80326491b45edcdd2687">data</a> = NULL;</div><div class="line"> data.<a class="code" href="structntlm__buf.html#a1ca1856fd5b4ac0197320d7723c73bd0">length</a> = 0;</div><div class="line"></div><div class="line"> ret = <a class="code" href="group__ntlm__core.html#gade200095bfa40a73cfd4154010cc6e76">heim_ntlm_encode_type3</a>(&type3, &data, NULL);</div><div class="line"> <span class="keywordflow">if</span> (ret)</div><div class="line"> errx(1, <span class="stringliteral">"heim_ntlm_decode_type2(jp): %d"</span>, ret);</div><div class="line"></div><div class="line"> <a class="code" href="group__ntlm__core.html#gac4e6d01e5247b8540d41ccbbf1031319">heim_ntlm_free_type3</a>(&type3);</div><div class="line"> <a class="code" href="group__ntlm__core.html#ga5f6c313a3a7258cda5f09bb44f8d1776">heim_ntlm_free_buf</a>(&data);</div><div class="line"></div><div class="line"> <span class="keywordflow">return</span> 0;</div><div class="line">}</div><div class="line"></div><div class="line"></div><div class="line"><span class="keyword">static</span> <span class="keywordtype">int</span> verbose_flag = 0;</div><div class="line"><span class="keyword">static</span> <span class="keywordtype">int</span> version_flag = 0;</div><div class="line"><span class="keyword">static</span> <span class="keywordtype">int</span> help_flag = 0;</div><div class="line"></div><div class="line"><span class="keyword">static</span> <span class="keyword">struct </span>getargs args[] = {</div><div class="line"> {<span class="stringliteral">"verbose"</span>, 0, arg_flag, &verbose_flag, <span class="stringliteral">"verbose printing"</span>, NULL },</div><div class="line"> {<span class="stringliteral">"version"</span>, 0, arg_flag, &version_flag, <span 
class="stringliteral">"print version"</span>, NULL },</div><div class="line"> {<span class="stringliteral">"help"</span>, 0, arg_flag, &help_flag, NULL, NULL }</div><div class="line">};</div><div class="line"></div><div class="line"><span class="keyword">static</span> <span class="keywordtype">void</span></div><div class="line">usage (<span class="keywordtype">int</span> ret)</div><div class="line">{</div><div class="line"> arg_printusage (args, <span class="keyword">sizeof</span>(args)/<span class="keyword">sizeof</span>(*args),</div><div class="line"> NULL, <span class="stringliteral">""</span>);</div><div class="line"> exit (ret);</div><div class="line">}</div><div class="line"></div><div class="line"><span class="keywordtype">int</span></div><div class="line">main(<span class="keywordtype">int</span> argc, <span class="keywordtype">char</span> **argv)</div><div class="line">{</div><div class="line"> <span class="keywordtype">int</span> ret = 0, optidx = 0;</div><div class="line"></div><div class="line"> setprogname(argv[0]);</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span>(getarg(args, <span class="keyword">sizeof</span>(args) / <span class="keyword">sizeof</span>(args[0]), argc, argv, &optidx))</div><div class="line"> usage(1);</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (help_flag)</div><div class="line"> usage (0);</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span>(version_flag){</div><div class="line"> print_version(NULL);</div><div class="line"> exit(0);</div><div class="line"> }</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (verbose_flag)</div><div class="line"> printf(<span class="stringliteral">"test_parse\n"</span>);</div><div class="line"> ret |= test_parse();</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (verbose_flag)</div><div class="line"> printf(<span 
class="stringliteral">"test_keys\n"</span>);</div><div class="line"> ret |= test_keys();</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (verbose_flag)</div><div class="line"> printf(<span class="stringliteral">"test_ntlm2_session_resp\n"</span>);</div><div class="line"> ret |= test_ntlm2_session_resp();</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (verbose_flag)</div><div class="line"> printf(<span class="stringliteral">"test_targetinfo\n"</span>);</div><div class="line"> ret |= test_targetinfo();</div><div class="line"> </div><div class="line"> <span class="keywordflow">if</span> (verbose_flag)</div><div class="line"> printf(<span class="stringliteral">"test_ntlmv2\n"</span>);</div><div class="line"> ret |= test_ntlmv2();</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (verbose_flag)</div><div class="line"> printf(<span class="stringliteral">"test_string2key\n"</span>);</div><div class="line"> ret |= test_string2key();</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (verbose_flag)</div><div class="line"> printf(<span class="stringliteral">"test_jp\n"</span>);</div><div class="line"> ret |= test_jp();</div><div class="line"></div><div class="line"> <span class="keywordflow">return</span> ret;</div><div class="line">}</div></div><!-- fragment --> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:00 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:56 for Heimdalntlmlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> 
diff --git a/doc/doxyout/ntlm/man/man3/ntlm_buf.3 b/doc/doxyout/ntlm/man/man3/ntlm_buf.3 index 270e5a50e0bd..cec8db55efdb 100644 --- a/doc/doxyout/ntlm/man/man3/ntlm_buf.3 +++ b/doc/doxyout/ntlm/man/man3/ntlm_buf.3 @@ -1,4 +1,4 @@ -.TH "ntlm_buf" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalntlmlibrary" \" -*- nroff -*- +.TH "ntlm_buf" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalntlmlibrary" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/ntlm/man/man3/ntlm_core.3 b/doc/doxyout/ntlm/man/man3/ntlm_core.3 index 5a9f5fafe8bb..fd3bfe89112d 100644 --- a/doc/doxyout/ntlm/man/man3/ntlm_core.3 +++ b/doc/doxyout/ntlm/man/man3/ntlm_core.3 @@ -1,4 +1,4 @@ -.TH "ntlm_core" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalntlmlibrary" \" -*- nroff -*- +.TH "ntlm_core" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalntlmlibrary" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/ntlm/man/man3/ntlm_type1.3 b/doc/doxyout/ntlm/man/man3/ntlm_type1.3 index e45171ce6fdd..f2c8821e55ed 100644 --- a/doc/doxyout/ntlm/man/man3/ntlm_type1.3 +++ b/doc/doxyout/ntlm/man/man3/ntlm_type1.3 @@ -1,4 +1,4 @@ -.TH "ntlm_type1" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalntlmlibrary" \" -*- nroff -*- +.TH "ntlm_type1" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalntlmlibrary" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/ntlm/man/man3/ntlm_type2.3 b/doc/doxyout/ntlm/man/man3/ntlm_type2.3 index 0408096ea222..69d5710bae8a 100644 --- a/doc/doxyout/ntlm/man/man3/ntlm_type2.3 +++ b/doc/doxyout/ntlm/man/man3/ntlm_type2.3 @@ -1,4 +1,4 @@ -.TH "ntlm_type2" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalntlmlibrary" \" -*- nroff -*- +.TH "ntlm_type2" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalntlmlibrary" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/ntlm/man/man3/ntlm_type3.3 b/doc/doxyout/ntlm/man/man3/ntlm_type3.3 index af4d572640ec..1d5df7c04550 100644 --- a/doc/doxyout/ntlm/man/man3/ntlm_type3.3 +++ b/doc/doxyout/ntlm/man/man3/ntlm_type3.3 
@@ -1,4 +1,4 @@ -.TH "ntlm_type3" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalntlmlibrary" \" -*- nroff -*- +.TH "ntlm_type3" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalntlmlibrary" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/doxyout/wind/html/graph_legend.html b/doc/doxyout/wind/html/graph_legend.html index 429f7a0f8a14..f48125683b7d 100644 --- a/doc/doxyout/wind/html/graph_legend.html +++ b/doc/doxyout/wind/html/graph_legend.html @@ -54,6 +54,6 @@ A yellow dashed arrow denotes a relation between a template instance and the tem </ul> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:00 for Heimdalwindlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdalwindlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/wind/html/graph_legend.png b/doc/doxyout/wind/html/graph_legend.png Binary files differindex 881e40f9c0a2..d1fdf389c3b6 100644 --- a/doc/doxyout/wind/html/graph_legend.png +++ b/doc/doxyout/wind/html/graph_legend.png diff --git a/doc/doxyout/wind/html/group__wind.html b/doc/doxyout/wind/html/group__wind.html index 4664721e70b7..2c2b776cc36d 100644 --- a/doc/doxyout/wind/html/group__wind.html +++ b/doc/doxyout/wind/html/group__wind.html 
@@ -680,6 +680,6 @@ Functions</h2></td></tr> </div> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:00 for Heimdalwindlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdalwindlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/wind/html/index.html b/doc/doxyout/wind/html/index.html index 30a977fb0680..e61ab4d3485f 100644 --- a/doc/doxyout/wind/html/index.html +++ b/doc/doxyout/wind/html/index.html @@ -29,6 +29,6 @@ Introduction</h1> <p>The project web page: <a href="http://www.h5l.org/">http://www.h5l.org/</a> </p> </div></div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:00 for Heimdalwindlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdalwindlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/wind/html/modules.html b/doc/doxyout/wind/html/modules.html index cade28c05baf..580f6ec2be34 100644 --- a/doc/doxyout/wind/html/modules.html +++ b/doc/doxyout/wind/html/modules.html 
@@ -30,6 +30,6 @@ $(function() { </div><!-- directory --> </div><!-- contents --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Dec 8 2017 03:49:00 for Heimdalwindlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Fri Jun 7 2019 02:49:57 for Heimdalwindlibrary by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> </body> </html> diff --git a/doc/doxyout/wind/man/man3/wind.3 b/doc/doxyout/wind/man/man3/wind.3 index 9e3d382576f3..8657f75cc5c7 100644 --- a/doc/doxyout/wind/man/man3/wind.3 +++ b/doc/doxyout/wind/man/man3/wind.3 @@ -1,4 +1,4 @@ -.TH "wind" 3 "Fri Dec 8 2017" "Version 7.5.0" "Heimdalwindlibrary" \" -*- nroff -*- +.TH "wind" 3 "Fri Jun 7 2019" "Version 7.7.0" "Heimdalwindlibrary" \" -*- nroff -*- .ad l .nh .SH NAME diff --git a/doc/heimdal.info b/doc/heimdal.info index ead13e30e81b..cbf7f5869a29 100644 --- a/doc/heimdal.info +++ b/doc/heimdal.info @@ -1,4 +1,4 @@ -This is heimdal.info, produced by makeinfo version 6.5 from +This is heimdal.info, produced by makeinfo version 4.8 from heimdal.texi. INFO-DIR-SECTION Security @@ -12,7 +12,7 @@ File: heimdal.info, Node: Top, Next: Introduction, Prev: (dir), Up: (dir) Heimdal ******* -This manual for version 7.5.0 of Heimdal. +This manual for version 7.7.0 of Heimdal. * Menu: @@ -29,7 +29,7 @@ This manual for version 7.5.0 of Heimdal. * Acknowledgments:: * Copyrights and Licenses:: - -- The Detailed Node Listing -- + --- The Detailed Node Listing --- Setting up a realm @@ -79,7 +79,6 @@ Windows compatibility Programming with Kerberos - File: heimdal.info, Node: Introduction, Next: What is Kerberos?, Prev: Top, Up: Top 
@@ -89,16 +88,21 @@ File: heimdal.info, Node: Introduction, Next: What is Kerberos?, Prev: Top, What is Heimdal? ================ -Heimdal is a free implementation of Kerberos 5. The goals are to: +Heimdal is a free implementation of Kerberos 5. The goals are to: * have an implementation that can be freely used by anyone + * be protocol compatible with existing implementations and, if not in conflict, with RFC 4120 (and any future updated RFC). RFC 4120 replaced RFC 1510. + * be reasonably compatible with the M.I.T Kerberos V5 API + * have support for Kerberos V5 over GSS-API (RFC1964) + * include the most important and useful application programs (rsh, telnet, popper, etc.) + * include enough backwards compatibility with Kerberos V4 Status @@ -109,23 +113,37 @@ works): * a stub generator and a library to encode/decode/whatever ASN.1/DER stuff - * a 'libkrb5' library that should be possible to get to work with + + * a `libkrb5' library that should be possible to get to work with simple applications + * a GSS-API library - * 'kinit', 'klist', 'kdestroy' - * 'telnet', 'telnetd' - * 'rsh', 'rshd' - * 'popper', 'push' (a movemail equivalent) - * 'ftp', and 'ftpd' - * a library 'libkafs' for authenticating to AFS and a program - 'afslog' that uses it + + * `kinit', `klist', `kdestroy' + + * `telnet', `telnetd' + + * `rsh', `rshd' + + * `popper', `push' (a movemail equivalent) + + * `ftp', and `ftpd' + + * a library `libkafs' for authenticating to AFS and a program + `afslog' that uses it + * some simple test programs + * a KDC that supports most things, + * simple programs for distributing databases between a KDC master and slaves - * a password changing daemon 'kpasswdd', library functions for + + * a password changing daemon `kpasswdd', library functions for changing passwords and a simple client + * some kind of administration system + * Kerberos V4 support in many of the applications. Bug reports 
@@ -134,12 +152,12 @@ Bug reports If you find bugs in this software, make sure it is a genuine bug and not just a part of the code that isn't implemented. -Bug reports should be sent to <heimdal-bugs@h5l.org>. Please include -information on what machine and operating system (including version) you -are running, what you are trying to do, what happens, what you think -should have happened, an example for us to repeat, the output you get -when trying the example, and a patch for the problem if you have one. -Please make any patches with 'diff -u' or 'diff -c'. +Bug reports should be sent to <heimdal-bugs@h5l.org>. Please include +information on what machine and operating system (including version) +you are running, what you are trying to do, what happens, what you +think should have happened, an example for us to repeat, the output you +get when trying the example, and a patch for the problem if you have +one. Please make any patches with `diff -u' or `diff -c'. Suggestions, comments and other non bug reports are also welcome. @@ -156,7 +174,7 @@ Heimdal source code, binaries and the manual The source code for heimdal, links to binaries and the manual (this document) can be found on our web-page at -<http://www.pdc.kth.se/heimdal/>. +`http://www.pdc.kth.se/heimdal/'. File: heimdal.info, Node: What is Kerberos?, Next: Building and Installing, Prev: Introduction, Up: Top 
@@ -165,15 +183,15 @@ File: heimdal.info, Node: What is Kerberos?, Next: Building and Installing, P ******************* Now this Cerberus had three heads of dogs, - the tail of a dragon, and on his back the - heads of all sorts of snakes. - -- Pseudo-Apollodorus Library 2.5.12 + the tail of a dragon, and on his back the + heads of all sorts of snakes. + -- Pseudo-Apollodorus Library 2.5.12 Kerberos is a system for authenticating users and services on a network. It is built upon the assumption that the network is "unsafe". For example, data sent over the network can be eavesdropped and altered, and addresses can also be faked. Therefore they cannot be used for -authentication purposes. +authentication purposes. Kerberos is a trusted third-party service. That means that there is a third party (the kerberos server) that is trusted by all the entities on 
@@ -190,37 +208,37 @@ services can authenticate each other. works similarly. In Kerberos, principals use "tickets" to prove that they are who they -claim to be. In the following example, A is the initiator of the +claim to be. In the following example, A is the initiator of the authentication exchange, usually a user, and B is the service that A wishes to use. To obtain a ticket for a specific service, A sends a ticket request to -the kerberos server. The request contains A's and B's names (along with -some other fields). The kerberos server checks that both A and B are +the kerberos server. The request contains A's and B's names (along with +some other fields). The kerberos server checks that both A and B are valid principals. Having verified the validity of the principals, it creates a packet -containing A's and B's names, A's network address (A<ADDR>), the current -time (T<ISSUE>), the lifetime of the ticket (LIFE), and a secret -"session key" (K<AB>). This packet is encrypted with B's secret key -(K<B>). The actual ticket (T<AB>) looks like this: ({A, B, A<ADDR>, -T<ISSUE>, LIFE, K<AB>}K<B>). +containing A's and B's names, A's network address (A<ADDR>), the +current time (T<ISSUE>), the lifetime of the ticket (LIFE), and a +secret "session key" (K<AB>). This packet is encrypted with B's secret +key (K<B>). The actual ticket (T<AB>) looks like this: ({A, B, +A<ADDR>, T<ISSUE>, LIFE, K<AB>}K<B>). The reply to A consists of the ticket (T<AB>), B's name, the current time, the lifetime of the ticket, and the session key, all encrypted in -A's secret key ({B, T<ISSUE>, LIFE, K<AB>, T<AB>}K<A>). A decrypts the +A's secret key ({B, T<ISSUE>, LIFE, K<AB>, T<AB>}K<A>). A decrypts the reply and retains it for later use. Before sending a message to B, A creates an authenticator consisting of A's name, A's address, the current time, and a "checksum" chosen by A, all encrypted with the secret session key ({A, A<ADDR>, T<CURRENT>, -CHECKSUM}K<AB>). 
This is sent together with the ticket received from +CHECKSUM}K<AB>). This is sent together with the ticket received from the kerberos server to B. Upon reception, B decrypts the ticket using B's secret key. Since the ticket contains the session key that the authenticator was encrypted with, B can now also decrypt the -authenticator. To verify that A really is A, B now has to compare the -contents of the ticket with that of the authenticator. If everything +authenticator. To verify that A really is A, B now has to compare the +contents of the ticket with that of the authenticator. If everything matches, B now considers A as properly authenticated. 2.2 Different attacks @@ -230,18 +248,18 @@ Impersonating A --------------- An impostor, C could steal the authenticator and the ticket as it is -transmitted across the network, and use them to impersonate A. The +transmitted across the network, and use them to impersonate A. The address in the ticket and the authenticator was added to make it more difficult to perform this attack. To succeed C will have to either use -the same machine as A or fake the source addresses of the packets. By -including the time stamp in the authenticator, C does not have much time -in which to mount the attack. +the same machine as A or fake the source addresses of the packets. By +including the time stamp in the authenticator, C does not have much +time in which to mount the attack. Impersonating B --------------- C can hijack B's network address, and when A sends her credentials, C -just pretend to verify them. C can't be sure that she is talking to A. +just pretend to verify them. C can't be sure that she is talking to A. 2.3 Defence strategies ====================== 
@@ -249,33 +267,33 @@ just pretend to verify them. C can't be sure that she is talking to A. It would be possible to add a "replay cache" to the server side. The idea is to save the authenticators sent during the last few minutes, so that B can detect when someone is trying to retransmit an already used -message. This is somewhat impractical (mostly regarding efficiency), +message. This is somewhat impractical (mostly regarding efficiency), and is not part of Kerberos 4; MIT Kerberos 5 contains it. To authenticate B, A might request that B sends something back that -proves that B has access to the session key. An example of this is the -checksum that A sent as part of the authenticator. One typical -procedure is to add one to the checksum, encrypt it with the session key -and send it back to A. This is called "mutual authentication". +proves that B has access to the session key. An example of this is the +checksum that A sent as part of the authenticator. One typical +procedure is to add one to the checksum, encrypt it with the session +key and send it back to A. This is called "mutual authentication". The session key can also be used to add cryptographic checksums to the messages sent between A and B (known as "message integrity"). -Encryption can also be added ("message confidentiality"). This is -probably the best approach in all cases. +Encryption can also be added ("message confidentiality"). This is +probably the best approach in all cases. 2.4 Further reading =================== -The original paper on Kerberos from 1988 is 'Kerberos: An Authentication -Service for Open Network Systems', by Jennifer Steiner, Clifford Neuman -and Jeffrey I. Schiller. +The original paper on Kerberos from 1988 is `Kerberos: An +Authentication Service for Open Network Systems', by Jennifer Steiner, +Clifford Neuman and Jeffrey I. Schiller. 
-A less technical description can be found in 'Designing an +A less technical description can be found in `Designing an Authentication System: a Dialogue in Four Scenes' by Bill Bryant, also from 1988. These documents can be found on our web-page at -<http://www.pdc.kth.se/kth-krb/>. +`http://www.pdc.kth.se/kth-krb/'. File: heimdal.info, Node: Building and Installing, Next: Setting up a realm, Prev: What is Kerberos?, Up: Top @@ -285,11 +303,11 @@ File: heimdal.info, Node: Building and Installing, Next: Setting up a realm, Build and install instructions are located here: -<http://www.h5l.org/compile.html> +`http://www.h5l.org/compile.html' Prebuilt packages is located here: -<http://www.h5l.org/binaries.html> +`http://www.h5l.org/binaries.html' File: heimdal.info, Node: Setting up a realm, Next: Applications, Prev: Building and Installing, Up: Top 
@@ -331,19 +349,19 @@ File: heimdal.info, Node: Configuration file, Next: Creating the database, Pr ====================== To setup a realm you will first have to create a configuration file: -'/etc/krb5.conf'. The 'krb5.conf' file can contain many configuration +`/etc/krb5.conf'. The `krb5.conf' file can contain many configuration options, some of which are described here. -There is a sample 'krb5.conf' supplied with the distribution. +There is a sample `krb5.conf' supplied with the distribution. The configuration file is a hierarchical structure consisting of sections, each containing a list of bindings (either variable -assignments or subsections). A section starts with '['section-name']'. -A binding consists of a left hand side, an equal sign ('=') and a right +assignments or subsections). A section starts with `[`section-name']'. +A binding consists of a left hand side, an equal sign (`=') and a right hand side (the left hand side tag must be separated from the equal sign -with some whitespace). Subsections have a '{' as the first -non-whitespace character after the equal sign. All other bindings are -treated as variable assignments. The value of a variable extends to the +with some whitespace). Subsections have a `{' as the first +non-whitespace character after the equal sign. All other bindings are +treated as variable assignments. The value of a variable extends to the end of the line. [section1] 
@@ -359,20 +377,21 @@ end of the line. var = yet another value In this manual, names of sections and bindings will be given as strings -separated by slashes ('/'). The 'other-var' variable will thus be -'section1/a-subsection/other-var'. +separated by slashes (`/'). The `other-var' variable will thus be +`section1/a-subsection/other-var'. For in-depth information about the contents of the configuration file, -refer to the 'krb5.conf' manual page. Some of the more important +refer to the `krb5.conf' manual page. Some of the more important sections are briefly described here. -The 'libdefaults' section contains a list of library configuration -parameters, such as the default realm and the timeout for KDC responses. -The 'realms' section contains information about specific realms, such as -where they hide their KDC. This section serves the same purpose as the -Kerberos 4 'krb.conf' file, but can contain more information. Finally -the 'domain_realm' section contains a list of mappings from domains to -realms, equivalent to the Kerberos 4 'krb.realms' file. +The `libdefaults' section contains a list of library configuration +parameters, such as the default realm and the timeout for KDC +responses. The `realms' section contains information about specific +realms, such as where they hide their KDC. This section serves the same +purpose as the Kerberos 4 `krb.conf' file, but can contain more +information. Finally the `domain_realm' section contains a list of +mappings from domains to realms, equivalent to the Kerberos 4 +`krb.realms' file. To continue with the realm setup, you will have to create a configuration file, with contents similar to the following. 
@@ -389,14 +408,13 @@ configuration file, with contents similar to the following. [domain_realm] .my.domain = MY.REALM - If you use a realm name equal to your domain name, you can omit the -'libdefaults', and 'domain_realm', sections. If you have a DNS +`libdefaults', and `domain_realm', sections. If you have a DNS SRV-record for your realm, or your Kerberos server has DNS CNAME -'kerberos.my.realm', you can omit the 'realms' section too. +`kerberos.my.realm', you can omit the `realms' section too. If you want to use a different configuration file then the default you -can point a file with the environment variable 'KRB5_CONFIG'. +can point a file with the environment variable `KRB5_CONFIG'. env KRB5_CONFIG=$HOME/etc/krb5.conf kinit user@REALM @@ -407,18 +425,18 @@ File: heimdal.info, Node: Creating the database, Next: Modifying the database, ========================= The database library will look for the database in the directory -'/var/heimdal', so you should probably create that directory. Make sure -the directory has restrictive permissions. +`/var/heimdal', so you should probably create that directory. Make +sure the directory has restrictive permissions. # mkdir /var/heimdal # chmod og-rwx /var/heimdal Heimdal supports various database backends: lmdb (LMDB), db3 (Berkeley DB 3.x, 4.x, or 5.x), db1 (Berkeley DB 2.x), sqlite (SQLite3), and ldap -(LDAP). The default is db3, and is selected at build time from one of +(LDAP). The default is db3, and is selected at build time from one of lmdb, db3, or db1. -These defaults can be overriden in the 'database' key in the 'kdc' +These defaults can be overriden in the 'database' key in the `kdc' section of the configuration. [kdc] 
@@ -435,32 +453,32 @@ To use LDAP, see *Note Using LDAP to store the database::. The keys of all the principals are stored in the database. If you choose to, these can be encrypted with a master key. You do not have to remember this key (or password), but just to enter it once and it will -be stored in a file ('/var/heimdal/m-key'). If you want to have a -master key, run 'kstash' to create this master key: +be stored in a file (`/var/heimdal/m-key'). If you want to have a +master key, run `kstash' to create this master key: # kstash Master key: Verifying password - Master key: If you want to generate a random master key you can use the -'--random-key' flag to kstash. This will make sure you have a good key +`--random-key' flag to kstash. This will make sure you have a good key on which attackers can't do a dictionary attack. -If you have a master key, make sure you make a backup of your master key -file; without it backups of the database are of no use. +If you have a master key, make sure you make a backup of your master +key file; without it backups of the database are of no use. -To initialise the database use the 'kadmin' program, with the '-l' -option (to enable local database mode). First issue a 'init MY.REALM' -command. This will create the database and insert default principals -for that realm. You can have more than one realm in one database, so -'init' does not destroy any old database. +To initialise the database use the `kadmin' program, with the `-l' +option (to enable local database mode). First issue a `init MY.REALM' +command. This will create the database and insert default principals +for that realm. You can have more than one realm in one database, so +`init' does not destroy any old database. -Before creating the database, 'init' will ask you some questions about +Before creating the database, `init' will ask you some questions about maximum ticket lifetimes. -After creating the database you should probably add yourself to it. 
You -do this with the 'add' command. It takes as argument the name of a -principal. The principal should contain a realm, so if you haven't set +After creating the database you should probably add yourself to it. You +do this with the `add' command. It takes as argument the name of a +principal. The principal should contain a realm, so if you haven't set up a default realm, you will need to explicitly include the realm. # kadmin -l @@ -486,7 +504,7 @@ Now start the KDC and try getting a ticket. Issued Expires Principal Aug 25 07:25:55 Aug 25 17:25:55 krbtgt/MY.REALM@MY.REALM -If you are curious you can use the 'dump' command to list all the +If you are curious you can use the `dump' command to list all the entries in the database. It should look something similar to the following example (note that the entries here are truncated for typographical reasons): @@ -508,7 +526,7 @@ All modifications of principals are done with with kadmin. A principal has several attributes and lifetimes associated with it. Principals are added, renamed, modified, and deleted with the kadmin -commands 'add', 'rename', 'modify', 'delete'. Both interactive editing +commands `add', `rename', `modify', `delete'. Both interactive editing and command line flags can be used (use -help to list the available options). @@ -518,10 +536,10 @@ attributes, absolute time times and relative times. 4.3.1 Attributes ---------------- -When doing interactive editing, attributes are listed with '?'. +When doing interactive editing, attributes are listed with `?'. -The attributes are given in a comma (',') separated list. Attributes -are removed from the list by prefixing them with '-'. +The attributes are given in a comma (`,') separated list. Attributes +are removed from the list by prefixing them with `-'. kadmin> modify me Max ticket life [1 day]: 
@@ -565,15 +583,15 @@ File: heimdal.info, Node: Checking the setup, Next: keytabs, Prev: Modifying There are two tools that can check the consistency of the Kerberos configuration file and the Kerberos database. -The Kerberos configuration file is checked using 'verify_krb5_conf'. +The Kerberos configuration file is checked using `verify_krb5_conf'. The tool checks for common errors, but commonly there are several -uncommon configuration entries that are never added to the tool and thus -generates "unknown entry" warnings. This is usually nothing to worry -about. +uncommon configuration entries that are never added to the tool and +thus generates "unknown entry" warnings. This is usually nothing to +worry about. -The database check is built into the kadmin tool. It will check for -common configuration error that will cause problems later. Common check -are for existence and flags on important principals. The database check +The database check is built into the kadmin tool. It will check for +common configuration error that will cause problems later. Common check +are for existence and flags on important principals. The database check by run by the following command : kadmin -l check REALM.EXAMPLE.ORG @@ -585,9 +603,9 @@ File: heimdal.info, Node: keytabs, Next: Remote administration, Prev: Checkin =========== To extract a service ticket from the database and put it in a keytab, -you need to first create the principal in the database with 'add' (using -the '--random-key' flag to get a random key) and then extract it with -'ext_keytab'. +you need to first create the principal in the database with `add' +(using the `--random-key' flag to get a random key) and then extract it +with `ext_keytab'. kadmin> add --random-key host/my.host.name Max ticket life [unlimited]: 
@@ -608,40 +626,39 @@ File: heimdal.info, Node: Remote administration, Next: Password changing, Pre 4.6 Remote administration ========================= -The administration server, 'kadmind', can be started by 'inetd' (which -isn't recommended) or run as a normal daemon. If you want to start it -from 'inetd' you should add a line similar to the one below to your -'/etc/inetd.conf'. +The administration server, `kadmind', can be started by `inetd' (which +isn't recommended) or run as a normal daemon. If you want to start it +from `inetd' you should add a line similar to the one below to your +`/etc/inetd.conf'. kerberos-adm stream tcp nowait root /usr/heimdal/libexec/kadmind kadmind -You might need to add 'kerberos-adm' to your '/etc/services' as -'749/tcp'. +You might need to add `kerberos-adm' to your `/etc/services' as +`749/tcp'. Access to the administration server is controlled by an ACL file, -(default '/var/heimdal/kadmind.acl'.) The file has the following -syntax: +(default `/var/heimdal/kadmind.acl'.) The file has the following syntax: principal [priv1,priv2,...] [glob-pattern] The matching is from top to bottom for matching principals (and if given, glob-pattern). When there is a match, the access rights of that line are applied. -The privileges you can assign to a principal are: 'add', -'change-password' (or 'cpw' for short), 'delete', 'get', 'list', and -'modify', or the special privilege 'all'. All of these roughly -correspond to the different commands in 'kadmin'. +The privileges you can assign to a principal are: `add', +`change-password' (or `cpw' for short), `delete', `get', `list', and +`modify', or the special privilege `all'. All of these roughly +correspond to the different commands in `kadmin'. -If a GLOB-PATTERN is given on a line, it restricts the access rights for -the principal to only apply for subjects that match the pattern. 
The -patterns are of the same type as those used in shell globbing, see +If a GLOB-PATTERN is given on a line, it restricts the access rights +for the principal to only apply for subjects that match the pattern. +The patterns are of the same type as those used in shell globbing, see fnmatch(3). -In the example below 'lha/admin' can change every principal in the -database. 'jimmy/admin' can only modify principals that belong to the -realm 'E.KTH.SE'. 'mille/admin' is working at the help desk, so he +In the example below `lha/admin' can change every principal in the +database. `jimmy/admin' can only modify principals that belong to the +realm `E.KTH.SE'. `mille/admin' is working at the help desk, so he should only be able to change the passwords for single component -principals (ordinary users). He will not be able to change any '/admin' +principals (ordinary users). He will not be able to change any `/admin' principal. lha/admin@E.KTH.SE all @@ -655,13 +672,13 @@ File: heimdal.info, Node: Password changing, Next: Testing clients and servers 4.7 Password changing ===================== -To allow users to change their passwords, you should run 'kpasswdd'. It -is not run from 'inetd'. +To allow users to change their passwords, you should run `kpasswdd'. +It is not run from `inetd'. -You might need to add 'kpasswd' to your '/etc/services' as '464/udp'. +You might need to add `kpasswd' to your `/etc/services' as `464/udp'. If your realm is not setup to use DNS, you might also need to add a -'kpasswd_server' entry to the realm configuration in '/etc/krb5.conf' on -client machines: +`kpasswd_server' entry to the realm configuration in `/etc/krb5.conf' +on client machines: [realms] MY.REALM = { 
@@ -673,22 +690,22 @@ client machines: -------------------------------- It is important that users have good passwords, both to make it harder -to guess them and to avoid off-line attacks (although pre-authentication -provides some defence against off-line attacks). To ensure that the -users choose good passwords, you can enable password quality controls in -'kpasswdd' and 'kadmind'. The controls themselves are done in a shared -library or an external program that is used by 'kpasswdd'. To configure -in these controls, add lines similar to the following to your -'/etc/krb5.conf': +to guess them and to avoid off-line attacks (although +pre-authentication provides some defence against off-line attacks). To +ensure that the users choose good passwords, you can enable password +quality controls in `kpasswdd' and `kadmind'. The controls themselves +are done in a shared library or an external program that is used by +`kpasswdd'. To configure in these controls, add lines similar to the +following to your `/etc/krb5.conf': [password_quality] policies = external-check builtin:minimum-length modulename:policyname external_program = /bin/false policy_libraries = LIBRARY1.SO LIBRARY2.SO -In '[password_quality]policies' the module name is optional if the -policy name is unique in all modules (members of 'policy_libraries'). -All built-in policies can be qualified with a module name of 'builtin' +In `[password_quality]policies' the module name is optional if the +policy name is unique in all modules (members of `policy_libraries'). +All built-in policies can be qualified with a module name of `builtin' to unambiguously specify the built-in policy and not a policy by the same name from a loaded module. 
@@ -697,17 +714,17 @@ The built-in policies are * external-check Executes the program specified by - '[password_quality]external_program'. + `[password_quality]external_program'. - A number of key/value pairs are passed as input to the program, one - per line, ending with the string 'end'. The key/value lines are of - the form + A number of key/value pairs are passed as input to the program, + one per line, ending with the string `end'. The key/value lines + are of the form principal: PRINCIPAL new-password: PASSWORD where PASSWORD is the password to check for the previous PRINCIPAL. If the external application approves the password, it should return - 'APPROVED' on standard out and exit with exit code 0. If it + `APPROVED' on standard out and exit with exit code 0. If it doesn't approve the password, an one line error message explaining the problem should be returned on standard error and the application should exit with exit code 0. In case of a fatal 
@@ -717,40 +734,41 @@ The built-in policies are * minimum-length The minimum length password quality check reads the configuration - file stanza '[password_quality]min_length' and requires the + file stanza `[password_quality]min_length' and requires the password to be at least this length. * character-class The character-class password quality check reads the configuration - file stanza '[password_quality]min_classes'. The policy requires + file stanza `[password_quality]min_classes'. The policy requires the password to have characters from at least that many character - classes. Default value if not given is 3. + classes. Default value if not given is 3. The four different characters classes are, uppercase, lowercase, number, special characters. + If you want to write your own shared object to check password policies, -see the manual page 'kadm5_pwcheck(3)'. +see the manual page `kadm5_pwcheck(3)'. Code for a password quality checking function that uses the cracklib -library can be found in 'lib/kadm5/sample_password_check.c' in the +library can be found in `lib/kadm5/sample_password_check.c' in the source code distribution. It requires that the cracklib library be built with the patch available at -<ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch>. +`ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch'. A sample policy external program is included in -'lib/kadm5/check-cracklib.pl'. +`lib/kadm5/check-cracklib.pl'. If no password quality checking function is configured, the only check performed is that the password is at least six characters long. To check the password policy settings, use the command -'verify-password-quality' in 'kadmin' program. The password +`verify-password-quality' in `kadmin' program. The password verification is only performed locally, on the client. It may be -convenient to set the environment variable 'KRB5_CONFIG' to point to a -test version of 'krb5.conf' while you're testing the -'[password_quality]' stanza that way. 
+convenient to set the environment variable `KRB5_CONFIG' to point to a +test version of `krb5.conf' while you're testing the +`[password_quality]' stanza that way. File: heimdal.info, Node: Testing clients and servers, Next: Slave Servers, Prev: Password changing, Up: Setting up a realm 
@@ -768,36 +786,37 @@ File: heimdal.info, Node: Slave Servers, Next: Incremental propagation, Prev: =========================================================================================== It is desirable to have at least one backup (slave) server in case the -master server fails. It is possible to have any number of such slave +master server fails. It is possible to have any number of such slave servers but more than three usually doesn't buy much more redundancy. All Kerberos servers for a realm must have the same database so that -they present the same service to the users. The 'hprop' program, +they present the same service to the users. The `hprop' program, running on the master, will propagate the database to the slaves, -running 'hpropd' processes. +running `hpropd' processes. Every slave needs a database directory, the master key (if it was used -for the database) and a keytab with the principal 'hprop/HOSTNAME'. Add -the principal with the 'ktutil' command and start 'hpropd', as follows: +for the database) and a keytab with the principal `hprop/HOSTNAME'. +Add the principal with the `ktutil' command and start `hpropd', as +follows: slave# ktutil get -p foo/admin hprop/`hostname` slave# mkdir /var/heimdal slave# hpropd -The master will use the principal 'kadmin/hprop' to authenticate to the -slaves. This principal should be added when running 'kadmin -l init' +The master will use the principal `kadmin/hprop' to authenticate to the +slaves. This principal should be added when running `kadmin -l init' but if you do not have it in your database for whatever reason, please -add it with 'kadmin -l add'. +add it with `kadmin -l add'. -Then run 'hprop' on the master: +Then run `hprop' on the master: master# hprop slave This was just an hands-on example to make sure that everything was working properly. 
Doing it manually is of course the wrong way, and to -automate this you will want to start 'hpropd' from 'inetd' on the -slave(s) and regularly run 'hprop' on the master to regularly propagate -the database. Starting the propagation once an hour from 'cron' is +automate this you will want to start `hpropd' from `inetd' on the +slave(s) and regularly run `hprop' on the master to regularly propagate +the database. Starting the propagation once an hour from `cron' is probably a good idea. 
@@ -817,56 +836,56 @@ older version than the oldest one in the log, the whole database has to be sent. Protocol-wise, all the slaves connect to the master and as a greeting -tell it the latest version that they have ('IHAVE' message). The master -then responds by sending all the changes between that version and the -current version at the master (a series of 'FORYOU' messages) or the -whole database in a 'TELLYOUEVERYTHING' message. There is also a +tell it the latest version that they have (`IHAVE' message). The +master then responds by sending all the changes between that version and +the current version at the master (a series of `FORYOU' messages) or +the whole database in a `TELLYOUEVERYTHING' message. There is also a keep-alive protocol that makes sure all slaves are up and running. In addition on listening on the network to get connection from new -slaves, the ipropd-master also listens on a status unix socket. kadmind -and kpasswdd both open that socket when a transation is done and written -a notification to the socket. That cause ipropd-master to check for new -version in the log file. As a fallback in case a notification is lost -by the unix socket, the log file is checked after 30 seconds of no -event. +slaves, the ipropd-master also listens on a status unix socket. kadmind +and kpasswdd both open that socket when a transation is done and +written a notification to the socket. That cause ipropd-master to check +for new version in the log file. As a fallback in case a notification +is lost by the unix socket, the log file is checked after 30 seconds of +no event. 4.10.1 Configuring incremental propagation ------------------------------------------ -The program that runs on the master is 'ipropd-master' and all clients -run 'ipropd-slave'. +The program that runs on the master is `ipropd-master' and all clients +run `ipropd-slave'. 
-Create the file '/var/heimdal/slaves' on the master containing all the +Create the file `/var/heimdal/slaves' on the master containing all the slaves that the database should be propagated to. Each line contains the full name of the principal (for example -'iprop/hemligare.foo.se@FOO.SE'). +`iprop/hemligare.foo.se@FOO.SE'). -You should already have 'iprop/tcp' defined as 2121, in your -'/etc/services'. Otherwise, or if you need to use a different port for -some peculiar reason, you can use the '--port' option. This is useful +You should already have `iprop/tcp' defined as 2121, in your +`/etc/services'. Otherwise, or if you need to use a different port for +some peculiar reason, you can use the `--port' option. This is useful when you have multiple realms to distribute from one server. Then you need to create those principals that you added in the -configuration file. Create one 'iprop/hostname' for the master and for +configuration file. Create one `iprop/hostname' for the master and for every slave. master# /usr/heimdal/sbin/ktutil get iprop/`hostname` slave# /usr/heimdal/sbin/ktutil get iprop/`hostname` -The next step is to start the 'ipropd-master' process on the master -server. The 'ipropd-master' listens on the UNIX domain socket -'/var/heimdal/signal' to know when changes have been made to the +The next step is to start the `ipropd-master' process on the master +server. The `ipropd-master' listens on the UNIX domain socket +`/var/heimdal/signal' to know when changes have been made to the database so they can be propagated to the slaves. There is also a safety feature of testing the version number regularly (every 30 seconds) to see if it has been modified by some means that do not raise -this signal. Then, start 'ipropd-slave' on all the slaves: +this signal. 
Then, start `ipropd-slave' on all the slaves: master# /usr/heimdal/libexec/ipropd-master & slave# /usr/heimdal/libexec/ipropd-slave master & -To manage the iprop log file you should use the 'iprop-log' command. +To manage the iprop log file you should use the `iprop-log' command. With it you can dump, truncate and replay the logfile. 4.10.2 Status of iprop master and slave @@ -875,13 +894,13 @@ With it you can dump, truncate and replay the logfile. Both the master and slave provides status of the world as they see it. The master write outs the current status of the slaves, last seen and -their version number in '/var/heimdal/slaves-stats'. +their version number in `/var/heimdal/slaves-stats'. The slave write out the current status in -'/var/heimdal/ipropd-slave-status'. +`/var/heimdal/ipropd-slave-status'. These locations can be changed with command line options, and in the -case of 'ipropd_master', the configuration file. +case of `ipropd_master', the configuration file. File: heimdal.info, Node: Encryption types and salting, Next: Credential cache server - KCM, Prev: Incremental propagation, Up: Setting up a realm @@ -890,13 +909,13 @@ File: heimdal.info, Node: Encryption types and salting, Next: Credential cache ================================= The encryption types that the KDC is going to assign by default is -possible to change. Since the keys used for user authentication is +possible to change. Since the keys used for user authentication is salted the encryption types are described together with the salt strings. Salting is used to make it harder to pre-calculate all possible keys. Using a salt increases the search space to make it almost impossible to -pre-calculate all keys. Salting is the process of mixing a public +pre-calculate all keys. Salting is the process of mixing a public string (the salt) with the password, then sending it through an encryption type specific string-to-key function that will output the fixed size encryption key. 
@@ -904,42 +923,43 @@ fixed size encryption key. In Kerberos 5 the salt is determined by the encryption type, except in some special cases. -In 'des' there is the Kerberos 4 salt (none at all) or the afs-salt +In `des' there is the Kerberos 4 salt (none at all) or the afs-salt (using the cell (realm in AFS lingo)). -In 'arcfour' (the encryption type that Microsoft Windows 2000 uses) -there is no salt. This is to be compatible with NTLM keys in Windows NT +In `arcfour' (the encryption type that Microsoft Windows 2000 uses) +there is no salt. This is to be compatible with NTLM keys in Windows NT 4. -'[kadmin]default_keys' in 'krb5.conf' controls what salting to use. +`[kadmin]default_keys' in `krb5.conf' controls what salting to use. -The syntax of '[kadmin]default_keys' is -'[etype:]salt-type[:salt-string]'. 'etype' is the encryption type -(des-cbc-crc, arcfour-hmac-md5, aes256-cts-hmac-sha1-96), 'salt-type' is -the type of salt (pw-salt or afs3-salt), and the salt-string is the +The syntax of `[kadmin]default_keys' is +`[etype:]salt-type[:salt-string]'. `etype' is the encryption type +(des-cbc-crc, arcfour-hmac-md5, aes256-cts-hmac-sha1-96), `salt-type' +is the type of salt (pw-salt or afs3-salt), and the salt-string is the string that will be used as salt (remember that if the salt is appended/prepended, the empty salt "" is the same thing as no salt at all). Common types of salting include - * 'v4' (or 'des:pw-salt:') + * `v4' (or `des:pw-salt:') - The Kerberos 4 salting is using no salt at all. Reason there is + The Kerberos 4 salting is using no salt at all. Reason there is colon at the end of the salt string is that it makes the salt the empty string (same as no salt). - * 'v5' (or 'pw-salt') + * `v5' (or `pw-salt') - 'pw-salt' uses the default salt for each encryption type is - specified for. If the encryption type 'etype' isn't given, all + `pw-salt' uses the default salt for each encryption type is + specified for. 
If the encryption type `etype' isn't given, all default encryption will be used. - * 'afs3-salt' + * `afs3-salt' - 'afs3-salt' is the salt that is used with Transarc kaserver. It's + `afs3-salt' is the salt that is used with Transarc kaserver. It's the cell name appended to the password. + File: heimdal.info, Node: Credential cache server - KCM, Next: Cross realm, Prev: Encryption types and salting, Up: Setting up a realm @@ -947,22 +967,22 @@ File: heimdal.info, Node: Credential cache server - KCM, Next: Cross realm, P ================================== When KCM running is easy for users to switch between different kerberos -principals using 'kswitch' or built in support in application, like +principals using `kswitch' or built in support in application, like OpenSSH's GSSAPIClientIdentity. Other advantages are that there is the long term credentials are not -written to disk and on reboot the credential is removed when kcm process -stopps running. +written to disk and on reboot the credential is removed when kcm +process stopps running. Configure the system startup script to start the kcm process, -'/usr/heimdal/libexec/kcm' and then configure the system to use kcm in -'krb5.conf'. +`/usr/heimdal/libexec/kcm' and then configure the system to use kcm in +`krb5.conf'. [libdefaults] default_cc_type = KCM -Now when you run 'kinit' it doesn't overwrite your existing credentials -but rather just add them to the set of credentials. 'klist -l' lists +Now when you run `kinit' it doesn't overwrite your existing credentials +but rather just add them to the set of credentials. `klist -l' lists the credentials and the star marks the default credential. $ kinit lha@KTH.SE @@ -972,7 +992,7 @@ the credentials and the star marks the default credential. lha@KTH.SE 0 Nov 22 23:09:40 * lha@SU.SE Initial default ccache Nov 22 14:14:24 -When switching between credentials you can use 'kswitch'. +When switching between credentials you can use `kswitch'. $ kswitch -i Principal 
@@ -1004,32 +1024,32 @@ File: heimdal.info, Node: Cross realm, Next: Transit policy, Prev: Credential 4.13 Cross realm ================ -Suppose you reside in the realm 'MY.REALM', how do you authenticate to a -server in 'OTHER.REALM'? Having valid tickets in 'MY.REALM' allows you -to communicate with Kerberised services in that realm. However, the +Suppose you reside in the realm `MY.REALM', how do you authenticate to +a server in `OTHER.REALM'? Having valid tickets in `MY.REALM' allows +you to communicate with Kerberised services in that realm. However, the computer in the other realm does not have a secret key shared with the Kerberos server in your realm. It is possible to share keys between two realms that trust each other. -When a client program, such as 'telnet' or 'ssh', finds that the other +When a client program, such as `telnet' or `ssh', finds that the other computer is in a different realm, it will try to get a ticket granting -ticket for that other realm, but from the local Kerberos server. With +ticket for that other realm, but from the local Kerberos server. With that ticket granting ticket, it will then obtain service tickets from the Kerberos server in the other realm. -For a two way trust between 'MY.REALM' and 'OTHER.REALM' add the -following principals to each realm. The principals should be -'krbtgt/OTHER.REALM@MY.REALM' and 'krbtgt/MY.REALM@OTHER.REALM' in -'MY.REALM', and 'krbtgt/MY.REALM@OTHER.REALM' and -'krbtgt/OTHER.REALM@MY.REALM'in 'OTHER.REALM'. +For a two way trust between `MY.REALM' and `OTHER.REALM' add the +following principals to each realm. The principals should be +`krbtgt/OTHER.REALM@MY.REALM' and `krbtgt/MY.REALM@OTHER.REALM' in +`MY.REALM', and `krbtgt/MY.REALM@OTHER.REALM' and +`krbtgt/OTHER.REALM@MY.REALM'in `OTHER.REALM'. -In Kerberos 5 the trust can be configured to be one way. So that users -from 'MY.REALM' can authenticate to services in 'OTHER.REALM', but not -the opposite. 
In the example above, the 'krbtgt/MY.REALM@OTHER.REALM' +In Kerberos 5 the trust can be configured to be one way. So that users +from `MY.REALM' can authenticate to services in `OTHER.REALM', but not +the opposite. In the example above, the `krbtgt/MY.REALM@OTHER.REALM' then should be removed. The two principals must have the same key, key version number, and the -same set of encryption types. Remember to transfer the two keys in a +same set of encryption types. Remember to transfer the two keys in a safe manner. vr$ klist @@ -1059,7 +1079,6 @@ safe manner. May 3 13:55:56 May 3 23:55:54 krbtgt/SU.SE@E.KTH.SE May 3 14:10:54 May 3 23:55:54 host/hummel.it.su.se@SU.SE - File: heimdal.info, Node: Transit policy, Next: Setting up DNS, Prev: Cross realm, Up: Setting up a realm 
@@ -1068,17 +1087,17 @@ File: heimdal.info, Node: Transit policy, Next: Setting up DNS, Prev: Cross r Under some circumstances, you may not wish to set up direct cross-realm trust with every realm to which you wish to authenticate or from which -you wish to accept authentications. Kerberos supports multi-hop -cross-realm trust where a client principal in realm A authenticates to a -service in realm C through a realm B with which both A and C have -cross-realm trust relationships. In this situation, A and C need not +you wish to accept authentications. Kerberos supports multi-hop +cross-realm trust where a client principal in realm A authenticates to +a service in realm C through a realm B with which both A and C have +cross-realm trust relationships. In this situation, A and C need not set up cross-realm principals between each other. If you want to use cross-realm authentication through an intermediate -realm, it must be explicitly allowed by either the KDCs for the realm to -which the client is authenticating (in this case, realm C), or the -server receiving the request. This is done in 'krb5.conf' in the -'[capaths]' section. +realm, it must be explicitly allowed by either the KDCs for the realm +to which the client is authenticating (in this case, realm C), or the +server receiving the request. This is done in `krb5.conf' in the +`[capaths]' section. In addition, the client in realm A need to be configured to know how to reach realm C via realm B. This can be done either on the client or via 
@@ -1089,28 +1108,28 @@ KDC configuration in the KDC for realm A. When the ticket transits through a realm to another realm, the destination realm adds its peer to the "transited-realms" field in the -ticket. The field is unordered, since there is no way to know if know -if one of the transited-realms changed the order of the list. For the -authentication to be accepted by the final destination realm, all of the -transited realms must be listed as trusted in the '[capaths]' +ticket. The field is unordered, since there is no way to know if know +if one of the transited-realms changed the order of the list. For the +authentication to be accepted by the final destination realm, all of +the transited realms must be listed as trusted in the `[capaths]' configuration, either in the KDC for the destination realm or on the server receiving the authentication. -The syntax for '[capaths]' section is: +The syntax for `[capaths]' section is: [capaths] CLIENT-REALM = { SERVER-REALM = PERMITTED-CROSS-REALMS ... } -In the following example, the realm 'STACKEN.KTH.SE' only has direct -cross-realm set up with 'KTH.SE'. 'KTH.SE' has direct cross-realm set -up with 'STACKEN.KTH.SE' and 'SU.SE'. 'DSV.SU.SE' only has direct -cross-realm set up with 'SU.SE'. The goal is to allow principals in the -'DSV.SU.SE' or 'SU.SE' realms to authenticate to services in -'STACKEN.KTH.SE'. This is done with the following '[capaths]' entry on +In the following example, the realm `STACKEN.KTH.SE' only has direct +cross-realm set up with `KTH.SE'. `KTH.SE' has direct cross-realm set +up with `STACKEN.KTH.SE' and `SU.SE'. `DSV.SU.SE' only has direct +cross-realm set up with `SU.SE'. The goal is to allow principals in +the `DSV.SU.SE' or `SU.SE' realms to authenticate to services in +`STACKEN.KTH.SE'. This is done with the following `[capaths]' entry on either the server accepting authentication or on the KDC for -'STACKEN.KTH.SE'. +`STACKEN.KTH.SE'. [capaths] SU.SE = { 
@@ -1121,9 +1140,9 @@ either the server accepting authentication or on the KDC for } The first entry allows cross-realm authentication from clients in -'SU.SE' transiting through 'KTH.SE' to 'STACKEN.KTH.SE'. The second -entry allows cross-realm authentication from clients in 'DSV.SU.SE' -transiting through both 'SU.SE' and 'KTH.SE' to 'STACKEN.KTH.SE'. +`SU.SE' transiting through `KTH.SE' to `STACKEN.KTH.SE'. The second +entry allows cross-realm authentication from clients in `DSV.SU.SE' +transiting through both `SU.SE' and `KTH.SE' to `STACKEN.KTH.SE'. Be careful of which realm goes where; it's easy to put realms in the wrong place. The block is tagged with the client realm (the realm of 
@@ -1132,48 +1151,48 @@ the final destination realm: the realm to which the client is authenticating. After the equal sign go all the realms that the client transits through. -The order of the 'PERMITTED-CROSS-REALMS' is not important when doing +The order of the `PERMITTED-CROSS-REALMS' is not important when doing transit cross realm verification. 4.14.2 Configuring client cross-realm transits ---------------------------------------------- -The '[capaths]' section is also used for another purpose: to tell -clients which realm to transit through to reach a realm with which their -local realm does not have cross-realm trust. This can be done by either -putting a '[capaths]' entry in the configuration of the client or by -putting the entry in the configuration of the KDC for the client's local -realm. In the latter case, the KDC will then hand back a referral to -the client when the client requests a cross-realm ticket to the -destination realm, telling the client to try to go through an +The `[capaths]' section is also used for another purpose: to tell +clients which realm to transit through to reach a realm with which +their local realm does not have cross-realm trust. This can be done by +either putting a `[capaths]' entry in the configuration of the client +or by putting the entry in the configuration of the KDC for the +client's local realm. In the latter case, the KDC will then hand back +a referral to the client when the client requests a cross-realm ticket +to the destination realm, telling the client to try to go through an intermediate realm. -For client configuration, the order of 'PERMITTED-CROSS-REALMS' is -significant, since only the first realm in this section (after the equal -sign) is used by the client. - -For example, again consider the '[capaths]' entry above for the case of -a client in the 'SU.SE' realm, and assume that the client or the 'SU.SE' -KDC has that '[capaths]' entry. 
If the client attempts to authenticate -to a service in the 'STACKEN.KTH.SE' realm, that entry says to first -authenticate cross-realm to the 'KTH.SE' realm (the first realm listed -in the 'PERMITTED-CROSS-REALMS' section), and then from there to -'STACKEN.KTH.SE'. - -Each entry in '[capaths]' can only give the next hop, since only the -first realm in 'PERMITTED-CROSS-REALMS' is used. If, for instance, a -client in 'DSV.SU.SE' had a '[capaths]' configuration as above but -without the first block for 'SU.SE', they would not be able to reach -'STACKEN.KTH.SE'. They would get as far as 'SU.SE' based on the -'DSV.SU.SE' entry in '[capaths]' and then attempt to go directly from -there to 'STACKEN.KTH.SE' and get stuck (unless, of course, the 'SU.SE' +For client configuration, the order of `PERMITTED-CROSS-REALMS' is +significant, since only the first realm in this section (after the +equal sign) is used by the client. + +For example, again consider the `[capaths]' entry above for the case of +a client in the `SU.SE' realm, and assume that the client or the +`SU.SE' KDC has that `[capaths]' entry. If the client attempts to +authenticate to a service in the `STACKEN.KTH.SE' realm, that entry +says to first authenticate cross-realm to the `KTH.SE' realm (the first +realm listed in the `PERMITTED-CROSS-REALMS' section), and then from +there to `STACKEN.KTH.SE'. + +Each entry in `[capaths]' can only give the next hop, since only the +first realm in `PERMITTED-CROSS-REALMS' is used. If, for instance, a +client in `DSV.SU.SE' had a `[capaths]' configuration as above but +without the first block for `SU.SE', they would not be able to reach +`STACKEN.KTH.SE'. They would get as far as `SU.SE' based on the +`DSV.SU.SE' entry in `[capaths]' and then attempt to go directly from +there to `STACKEN.KTH.SE' and get stuck (unless, of course, the `SU.SE' KDC had the additional entry required to tell the client to go through -'KTH.SE'). +`KTH.SE'). 
4.14.3 Active Directory forest example -------------------------------------- -One common place where a '[capaths]' configuration is desirable is with +One common place where a `[capaths]' configuration is desirable is with Windows Active Directory forests. One common Active Directory configuration is to have one top-level Active Directory realm but then divide systems, services, and users into child realms (perhaps based on @@ -1181,13 +1200,13 @@ organizational unit). One generally establishes cross-realm trust only with the top-level realm, and then uses transit policy to permit authentications to and from the child realms. -For example, suppose an organization has a Heimdal realm 'EXAMPLE.COM', -a Windows Active Directory realm 'WIN.EXAMPLE.COM', and then child -Active Directory realms 'ENGR.WIN.EXAMPLE.COM' and -'SALES.WIN.EXAMPLE.COM'. The goal is to allow users in any of these +For example, suppose an organization has a Heimdal realm `EXAMPLE.COM', +a Windows Active Directory realm `WIN.EXAMPLE.COM', and then child +Active Directory realms `ENGR.WIN.EXAMPLE.COM' and +`SALES.WIN.EXAMPLE.COM'. The goal is to allow users in any of these realms to authenticate to services in any of these realms. The -'EXAMPLE.COM' KDC (and possibly client) configuration should therefore -contain a '[capaths]' section as follows: +`EXAMPLE.COM' KDC (and possibly client) configuration should therefore +contain a `[capaths]' section as follows: [capaths] ENGR.WIN.EXAMPLE.COM = { 
@@ -1201,12 +1220,13 @@ contain a '[capaths]' section as follows: SALES.WIN.EXAMPLE.COM = WIN.EXAMPLE.COM } -The first two blocks allow clients in the 'ENGR.WIN.EXAMPLE.COM' and -'SALES.WIN.EXAMPLE.COM' realms to authenticate to services in the -'EXAMPLE.COM' realm. The third block tells the client (or tells the KDC -to tell the client via referrals) to transit through 'WIN.EXAMPLE.COM' -to reach these realms. Both sides of the configuration are needed for -bi-directional transited cross-realm authentication. +The first two blocks allow clients in the `ENGR.WIN.EXAMPLE.COM' and +`SALES.WIN.EXAMPLE.COM' realms to authenticate to services in the +`EXAMPLE.COM' realm. The third block tells the client (or tells the +KDC to tell the client via referrals) to transit through +`WIN.EXAMPLE.COM' to reach these realms. Both sides of the +configuration are needed for bi-directional transited cross-realm +authentication. File: heimdal.info, Node: Setting up DNS, Next: Using LDAP to store the database, Prev: Transit policy, Up: Setting up a realm @@ -1218,12 +1238,12 @@ File: heimdal.info, Node: Setting up DNS, Next: Using LDAP to store the databa ---------------------------- If there is information about where to find the KDC or kadmind for a -realm in the 'krb5.conf' for a realm, that information will be +realm in the `krb5.conf' for a realm, that information will be preferred, and DNS will not be queried. -Heimdal will try to use DNS to find the KDCs for a realm. First it will -try to find a 'SRV' resource record (RR) for the realm. If no SRV RRs -are found, it will fall back to looking for an 'A' RR for a machine +Heimdal will try to use DNS to find the KDCs for a realm. First it will +try to find a `SRV' resource record (RR) for the realm. If no SRV RRs +are found, it will fall back to looking for an `A' RR for a machine named kerberos.REALM, and then kerberos-1.REALM, etc Adding this information to DNS minimises the client configuration (in 
@@ -1233,10 +1253,10 @@ they are running without caring about clients. The downside of using DNS is that the client might be fooled to use the wrong server if someone fakes DNS replies/data, but storing the IP -addresses of the KDC on all the clients makes it very hard to change the -infrastructure. +addresses of the KDC on all the clients makes it very hard to change +the infrastructure. -An example of the configuration for the realm 'EXAMPLE.COM': +An example of the configuration for the realm `EXAMPLE.COM': $ORIGIN example.com. @@ -1247,15 +1267,14 @@ An example of the configuration for the realm 'EXAMPLE.COM': _kpasswd._udp SRV 10 1 464 kerberos.example.com. _kerberos-adm._tcp SRV 10 1 749 kerberos.example.com. - -More information about DNS SRV resource records can be found in RFC-2782 -(A DNS RR for specifying the location of services (DNS SRV)). +More information about DNS SRV resource records can be found in +RFC-2782 (A DNS RR for specifying the location of services (DNS SRV)). 4.15.2 Using DNS to map hostname to Kerberos realm -------------------------------------------------- -Heimdal also supports a way to lookup a realm from a hostname. This to -minimise configuration needed on clients. Using this has the drawback +Heimdal also supports a way to lookup a realm from a hostname. This to +minimise configuration needed on clients. Using this has the drawback that clients can be redirected by an attacker to realms within the same cross realm trust and made to believe they are talking to the right server (since Kerberos authentication will succeed). @@ -1269,7 +1288,6 @@ EXAMPLE.COM: _kerberos.it TXT "EXAMPLE.COM" _kerberos.srv TXT "EXAMPLE.COM" - File: heimdal.info, Node: Using LDAP to store the database, Next: Providing Kerberos credentials to servers and programs, Prev: Setting up DNS, Up: Setting up a realm 
@@ -1278,11 +1296,11 @@ File: heimdal.info, Node: Using LDAP to store the database, Next: Providing Ke This document describes how to install the LDAP backend for Heimdal. Note that before attempting to configure such an installation, you -should be aware of the implications of storing private information (such -as users' keys) in a directory service primarily designed for public -information. Nonetheless, with a suitable authorisation policy, it is -possible to set this up in a secure fashion. A knowledge of LDAP, -Kerberos, and C is necessary to install this backend. The HDB schema +should be aware of the implications of storing private information +(such as users' keys) in a directory service primarily designed for +public information. Nonetheless, with a suitable authorisation policy, +it is possible to set this up in a secure fashion. A knowledge of LDAP, +Kerberos, and C is necessary to install this backend. The HDB schema was devised by Leif Johansson. This assumes, OpenLDAP 2.3 or later. 
@@ -1290,25 +1308,25 @@ This assumes, OpenLDAP 2.3 or later. Requirements: * A current release of Heimdal, configured with - '--with-openldap=/usr/local' (adjust according to where you have + `--with-openldap=/usr/local' (adjust according to where you have installed OpenLDAP). You can verify that you manage to configure LDAP support by running - 'kdc --builtin-hdb', and checking that 'ldap:' is one entry in the + `kdc --builtin-hdb', and checking that `ldap:' is one entry in the list. Its also possible to configure the ldap backend as a shared module, see option -hdb-openldap-module to configure. - * Optionally configure OpenLDAP with '--enable-local' to enable the + * Optionally configure OpenLDAP with `--enable-local' to enable the local transport. * Add the hdb schema to the LDAP server, it's included in the - source-tree in 'lib/hdb/hdb.schema'. Example from slapd.conf: + source-tree in `lib/hdb/hdb.schema'. Example from slapd.conf: include /usr/local/etc/openldap/schema/hdb.schema - * Configure the LDAP server ACLs to accept writes from clients. For + * Configure the LDAP server ACLs to accept writes from clients. For example: access to * 
@@ -1318,40 +1336,38 @@ Requirements: authz-regexp "gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth'' "uid=heimdal,dc=services,dc=example,dc=com" - - The sasl-regexp is for mapping between the SASL/EXTERNAL and a user - in a tree. The user that the key is mapped to should be have a - krb5Principal aux object with krb5PrincipalName set so that the - "creator" and "modifier" is right in 'kadmin'. + The sasl-regexp is for mapping between the SASL/EXTERNAL and a + user in a tree. The user that the key is mapped to should be have + a krb5Principal aux object with krb5PrincipalName set so that the + "creator" and "modifier" is right in `kadmin'. Another option is to create an admins group and add the dn to that group. If a non-local LDAP connection is used, the authz-regexp is not - needed as Heimdal will bind to LDAP over the network using provided - credentials. + needed as Heimdal will bind to LDAP over the network using + provided credentials. Since Heimdal talks to the LDAP server over a UNIX domain socket when configured for ldapi:///, and uses external sasl - authentication, it's not possible to require security layer quality - (ssf in cyrus-sasl lingo). So that requirement has to be turned - off in OpenLDAP 'slapd' configuration file 'slapd.conf'. + authentication, it's not possible to require security layer + quality (ssf in cyrus-sasl lingo). So that requirement has to be + turned off in OpenLDAP `slapd' configuration file `slapd.conf'. sasl-secprops minssf=0 - * - Start 'slapd' with the local listener (as well as the default + * Start `slapd' with the local listener (as well as the default TCP/IP listener on port 389) as follows: slapd -h "ldapi:/// ldap:///" - Note: These is a bug in 'slapd' where it appears to corrupt the - krb5Key binary attribute on shutdown. This may be related to our + Note: These is a bug in `slapd' where it appears to corrupt the + krb5Key binary attribute on shutdown. 
This may be related to our use of the V3 schema definition syntax instead of the old UMich-style, V2 syntax. * You should specify the distinguished name under which your - principals will be stored in 'krb5.conf'. Also you need to enter + principals will be stored in `krb5.conf'. Also you need to enter the path to the kadmin acl file: [kdc] @@ -1367,24 +1383,25 @@ Requirements: mkey_file = /path/to/mkey } - 'mkey_file' can be excluded if you feel that you trust your ldap + `mkey_file' can be excluded if you feel that you trust your ldap directory to have the raw keys inside it. The hdb-ldap-structural-object is not necessary if you do not need Samba comatibility. If connecting to a server over a non-local transport, the - 'hdb-ldap-url' and 'hdb-ldap-secret-file' options must be provided. - The 'hdb-ldap-secret-file' must contain the bind credentials: + `hdb-ldap-url' and `hdb-ldap-secret-file' options must be + provided. The `hdb-ldap-secret-file' must contain the bind + credentials: [kdc] hdb-ldap-bind-dn = uid=heimdal,dc=services,dc=example,dc=com hdb-ldap-bind-password = secretBindPassword - The 'hdb-ldap-secret-file' and should be protected with appropriate + The `hdb-ldap-secret-file' and should be protected with appropriate file permissions * Once you have built Heimdal and started the LDAP server, run kadmin - (as usual) to initialise the database. Note that the instructions + (as usual) to initialise the database. Note that the instructions for stashing a master key are as per any Heimdal installation. kdc# kadmin -l @@ -1408,8 +1425,8 @@ Requirements: -w secret -b ou=KerberosPrincipals,dc=example,dc=com \ 'objectclass=krb5KDCEntry' - * Now consider adding indexes to the database to speed up the access, - at least theses should be added to slapd.conf. + * Now consider adding indexes to the database to speed up the + access, at least theses should be added to slapd.conf. index objectClass eq index cn eq,sub,pres 
@@ -1417,6 +1434,7 @@ Requirements: index displayName eq,sub,pres index krb5PrincipalName eq + 4.16.1 smbk5pwd overlay ----------------------- @@ -1424,12 +1442,12 @@ The smbk5pwd overlay, updates the krb5Key and krb5KeyVersionNumber appropriately when it receives an LDAP Password change Extended Operation: -<http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/smbk5pwd/README?hideattic=1&sortbydate=0> +`http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/smbk5pwd/README?hideattic=1&sortbydate=0' 4.16.2 Troubleshooting guide ---------------------------- -<https://sec.miljovern.no/bin/view/Info/TroubleshootingGuide> +`https://sec.miljovern.no/bin/view/Info/TroubleshootingGuide' 4.16.3 Using Samba LDAP password database ----------------------------------------- 
@@ -1456,19 +1474,20 @@ connections to other services or need to use them when they have started. The easiest way to get tickets for a service is to store the key in a -keytab. Both ktutil get and kadmin ext can be used to get a keytab. +keytab. Both ktutil get and kadmin ext can be used to get a keytab. ktutil get is better in that way it changes the key/password for the -user. This is also the problem with ktutil. If ktutil is used for the -same service principal on several hosts, they keytab will only be useful -on the last host. In that case, run the extract command on one host and -then securely copy the keytab around to all other hosts that need it. +user. This is also the problem with ktutil. If ktutil is used for the +same service principal on several hosts, they keytab will only be +useful on the last host. In that case, run the extract command on one +host and then securely copy the keytab around to all other hosts that +need it. host# ktutil -k /etc/krb5-service.keytab \ get -p lha/admin@EXAMPLE.ORG service-principal@EXAMPLE.ORG lha/admin@EXAMPLE.ORG's Password: To get a Kerberos credential file for the service, use kinit in the -'--keytab' mode. This will not ask for a password but instead fetch the +`--keytab' mode. This will not ask for a password but instead fetch the key from the keytab. service@host$ kinit --cache=/var/run/service_krb5_cache \ 
@@ -1476,11 +1495,11 @@ key from the keytab. service-principal@EXAMPLE.ORG Long running services might need credentials longer then the expiration -time of the tickets. kinit can run in a mode that refreshes the tickets -before they expire. This is useful for services that write into AFS and -other distributed file systems using Kerberos. To run the long running +time of the tickets. kinit can run in a mode that refreshes the tickets +before they expire. This is useful for services that write into AFS and +other distributed file systems using Kerberos. To run the long running script, just append the program and arguments (if any) after the -principal. kinit will stop refreshing credentials and remove the +principal. kinit will stop refreshing credentials and remove the credentials when the script-to-start-service exits. service@host$ kinit --cache=/var/run/service_krb5_cache \ @@ -1499,12 +1518,12 @@ certificates to get the initial ticket (usually the krbtgt ticket-granting ticket). To use PK-INIT you must first have a PKI. If you don't have one, it is -time to create it. You should first read the whole current chapter of +time to create it. You should first read the whole current chapter of the document to see the requirements imposed on the CA software. A mapping between the PKI certificate and what principals that -certificate is allowed to use must exist. There are several ways to do -this. The administrator can use a configuration file, store the +certificate is allowed to use must exist. There are several ways to do +this. The administrator can use a configuration file, store the principal in the SubjectAltName extension of the certificate, or store the mapping in the principals entry in the kerberos database. 
@@ -1515,7 +1534,7 @@ This and following subsection documents the requirements on the KDC and client certificates and the format used in the id-pkinit-san OtherName extension. -On how to create certificates, you should read *note Use OpenSSL to +On how to create certificates, you should read *Note Use OpenSSL to create certificates::. 4.19.1 KDC certificate @@ -1524,7 +1543,7 @@ create certificates::. The certificate for the KDC has several requirements. First, the certificate should have an Extended Key Usage (EKU) -id-pkkdcekuoid (1.3.6.1.5.2.3.5) set. Second, there must be a +id-pkkdcekuoid (1.3.6.1.5.2.3.5) set. Second, there must be a subjectAltName otherName using OID id-pkinit-san (1.3.6.1.5.2.2) in the type field and a DER encoded KRB5PrincipalName that matches the name of the TGS of the target realm. Also, if the certificate has a @@ -1533,7 +1552,7 @@ it must match the hostname or adress of the KDC. The client is not required by the standard to check the server certificate for this information if the client has external information -confirming which certificate the KDC is supposed to be using. However, +confirming which certificate the KDC is supposed to be using. However, adding this information to the KDC certificate removes the need to specially configure the client to recognize the KDC certificate. 
@@ -1562,13 +1581,13 @@ This behavior is controlled by KDC configuration option: ................................................. The OtherName extension in the GeneralName is used to do the mapping -between certificate and principal. For the KDC certificate, this stores -the krbtgt principal name for that KDC. For the client certificate, this -stores the principal for which that certificate is allowed to get -tickets. +between certificate and principal. For the KDC certificate, this +stores the krbtgt principal name for that KDC. For the client +certificate, this stores the principal for which that certificate is +allowed to get tickets. The principal is stored in a SubjectAltName in the certificate using -OtherName. The OID in the type is id-pkinit-san. +OtherName. The OID in the type is id-pkinit-san. id-pkinit-san OBJECT IDENTIFIER ::= { iso (1) org (3) dod (6) internet (1) security (5) kerberosv5 (2) 2 } 
@@ -1589,35 +1608,33 @@ specification. hx509 is the X.509 software used in Heimdal to handle certificates. hx509 supports several different syntaxes for specifying certificate -files or formats. Several formats may be used: PEM, certificates -embedded in PKCS#12 files, certificates embedded in PKCS#11 devices, and -raw DER encoded certificates. +files or formats. Several formats may be used: PEM, certificates +embedded in PKCS#12 files, certificates embedded in PKCS#11 devices, +and raw DER encoded certificates. Those formats may be specified as follows: DIR: - DIR specifies a directory which contains certificates in the DER or PEM format. The main feature of DIR is that the directory is read on demand - when iterating over certificates. This allows applications, in - some situations, to avoid having to store all certificates in - memory. It's very useful for tests that iterate over large numbers - of certificates. + when iterating over certificates. This allows applications, in some + situations, to avoid having to store all certificates in memory. + It's very useful for tests that iterate over large numbers of + certificates. The syntax is: DIR:/path/to/der/files FILE: - FILE: specifies a file that contains a certificate or private key. The file can be either a PEM (openssl) file or a raw DER encoded - certificate. If it's a PEM file, it can contain several keys and + certificate. If it's a PEM file, it can contain several keys and certificates and the code will try to match the private key and - certificate together. Multiple files may be specified, separated - by commas. + certificate together. Multiple files may be specified, separated by + commas. It's useful to have one PEM file that contains all the trust anchors. 
@@ -1627,9 +1644,8 @@ FILE: FILE:certificate.pem,private-key.key,other-cert.pem,.... PKCS11: - PKCS11: is used to handle smartcards via PKCS#11 drivers, such as - soft-token, opensc, or muscle. The argument specifies a shared + soft-token, opensc, or muscle. The argument specifies a shared object that implements the PKCS#11 API. The default is to use all slots on the device/token. @@ -1638,20 +1654,20 @@ PKCS11: PKCS11:shared-object.so PKCS12: - - PKCS12: is used to handle PKCS#12 files. PKCS#12 files commonly + PKCS12: is used to handle PKCS#12 files. PKCS#12 files commonly have the extension pfx or p12. The syntax is: PKCS12:/path/to/file.pfx + 4.21 Configure the Kerberos software ==================================== First configure the client's trust anchors and what parameters to -verify. See the subsections below for how to do that. Then, you can -use kinit to get yourself tickets. For example: +verify. See the subsections below for how to do that. Then, you can use +kinit to get yourself tickets. For example: $ kinit -C FILE:$HOME/.certs/lha.crt,$HOME/.certs/lha.key lha@EXAMPLE.ORG Enter your private key passphrase: 
@@ -1687,46 +1703,39 @@ Using PKCS#11 it can look like this instead: pkinit_win2k_require_binding = yes } - 4.23 Configure the KDC ====================== Configuration options for the KDC. enable-pkinit = bool - Enable PKINIT for this KDC. pkinit_identity = string - - Identity that the KDC will use when talking to clients. Mandatory. + Identity that the KDC will use when talking to clients. Mandatory. pkinit_anchors = string - Trust anchors that the KDC will use when evaluating the trust of - the client certificate. Mandatory. + the client certificate. Mandatory. pkinit_pool = strings ... - Extra certificate the KDC will use when building trust chains if it can't find enough certificates in the request from the client. pkinit_allow_proxy_certificate = bool - - Allow clients to use proxy certificates. The root certificate of + Allow clients to use proxy certificates. The root certificate of the client's End Entity certificate is used for authorisation. pkinit_win2k_require_binding = bool - Require windows clients up be upgrade to not allow cut and paste attack on encrypted data, applies to Windows XP and windows 2000 servers. pkinit_principal_in_certificate = bool - Enable the KDC to use id-pkinit-san to determine to determine the mapping between a certificate and principal. + [kdc] enable-pkinit = yes pkinit_identity = FILE:/secure/kdc.crt,/secure/kdc.key @@ -1750,8 +1759,8 @@ Note that the file contents are space sensitive. 4.23.2 Using the Kerberos database ---------------------------------- -You can also store the subject of the certificate in the principal entry -in the kerberos database. +You can also store the subject of the certificate in the principal +entry in the kerberos database. kadmin modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" user@REALM 
@@ -1761,7 +1770,7 @@ in the kerberos database. 4.24.1 Generate certificates ---------------------------- -First, you need to generate a CA certificate. This example creates a CA +First, you need to generate a CA certificate. This example creates a CA certificate that will be valid for 10 years. You need to change -subject in the command below to something @@ -1790,13 +1799,13 @@ to something appropriate for your site. --subject="uid=kdc,DC=test,DC=h5l,DC=se" \ --certificate="FILE:kdc.pem" -The users also needs to have certificates. For your first client, -generate a certificate of type "pkinit-client". The client doesn't need +The users also needs to have certificates. For your first client, +generate a certificate of type "pkinit-client". The client doesn't need to have the PK-INIT SubjectAltName set; you can have the Subject DN in the ACL file (pki-mapping) instead. You need to change -subject and -pk-init-principal in the command below -to something appropriate for your site. You can omit -pk-init-principal +to something appropriate for your site. You can omit -pk-init-principal if you're going to use the ACL file instead. hxtool issue-certificate \ @@ -1810,10 +1819,10 @@ if you're going to use the ACL file instead. 4.24.2 Validate the certificate ------------------------------- -hxtool also contains a tool that will validate certificates according to -rules from the PKIX document. These checks are not complete, but they -provide a good test of whether you got all of the basic bits right in -your certificates. +hxtool also contains a tool that will validate certificates according +to rules from the PKIX document. These checks are not complete, but +they provide a good test of whether you got all of the basic bits right +in your certificates. hxtool validate FILE:user.pem 
@@ -1827,11 +1836,11 @@ certificates using OpenSSL (or CA software based on OpenSSL). ------------------------------------------------------------------ To make OpenSSL create certificates with krb5PrincipalName, use an -'openssl.cnf' as described below. To see a complete example of creating +`openssl.cnf' as described below. To see a complete example of creating client and KDC certificates, see the test-data generation script -'lib/hx509/data/gen-req.sh' in the source-tree. The certicates it +`lib/hx509/data/gen-req.sh' in the source-tree. The certicates it creates are used to test the PK-INIT functionality in -'tests/kdc/check-kdc.in'. +`tests/kdc/check-kdc.in'. To use this example you have to use OpenSSL 0.9.8a or later. @@ -1850,7 +1859,6 @@ To use this example you have to use OpenSSL 0.9.8a or later. [principals] princ1 = GeneralString:userid - Command usage: openssl x509 -extensions user_certificate @@ -1866,7 +1874,7 @@ Clients using a Windows KDC with PK-INIT need configuration since windows uses pre-standard format and this can't be autodetected. The pkinit_win2k_require_binding option requires the reply for the KDC -to be of the new, secure, type that binds the request to reply. Before, +to be of the new, secure, type that binds the request to reply. Before, clients could fake the reply from the KDC. To use this option you have to apply a fix from Microsoft. 
@@ -1890,10 +1898,10 @@ includes all the information required to make a Windows KDC happy. 4.26.3 Configure Windows 2000 CA -------------------------------- -To enable Microsoft Smartcardlogin for certificates in your Windows 2000 -CA, you want to look at Microsoft Knowledge Base Article - 313274 "HOW -TO: Configure a Certification Authority to Issue Smart Card Certificates -in Windows". +To enable Microsoft Smartcardlogin for certificates in your Windows +2000 CA, you want to look at Microsoft Knowledge Base Article - 313274 +"HOW TO: Configure a Certification Authority to Issue Smart Card +Certificates in Windows". File: heimdal.info, Node: Debugging Kerberos problems, Prev: Setting up PK-INIT, Up: Setting up a realm @@ -1902,7 +1910,7 @@ File: heimdal.info, Node: Debugging Kerberos problems, Prev: Setting up PK-INI ================================ To debug Kerberos client and server problems you can enable debug -traceing by adding the following to '/etc/krb5,conf'. Note that the +traceing by adding the following to `/etc/krb5,conf'. Note that the trace logging is sparse at the moment, but will continue to improve. [logging] @@ -1926,11 +1934,11 @@ File: heimdal.info, Node: Authentication modules, Next: AFS, Prev: Applicatio ========================== The problem of having different authentication mechanisms has been -recognised by several vendors, and several solutions have appeared. In +recognised by several vendors, and several solutions have appeared. In most cases these solutions involve some kind of shared modules that are loaded at run-time. Modules for some of these systems can be found in -'lib/auth'. Presently there are modules for Digital's SIA, and IRIX' -'login' and 'xdm' (in 'lib/auth/afskauthlib'). +`lib/auth'. Presently there are modules for Digital's SIA, and IRIX' +`login' and `xdm' (in `lib/auth/afskauthlib'). * Menu: 
@@ -1944,86 +1952,93 @@ File: heimdal.info, Node: Digital SIA, Next: IRIX, Prev: Authentication modul ----------------- How to install the SIA module depends on which OS version you're -running. Tru64 5.0 has a new command, 'siacfg', which makes this -process quite simple. If you have this program, you should just be able +running. Tru64 5.0 has a new command, `siacfg', which makes this +process quite simple. If you have this program, you should just be able to run: siacfg -a KRB5 /usr/athena/lib/libsia_krb5.so On older versions, or if you want to do it by hand, you have to do the following (not tested by us on Tru64 5.0): - * Make sure 'libsia_krb5.so' is available in '/usr/athena/lib'. If - '/usr/athena' is not on local disk, you might want to put it in - '/usr/shlib' or someplace else. If you do, you'll have to edit - 'krb5_matrix.conf' to reflect the new location (you will also have + * Make sure `libsia_krb5.so' is available in `/usr/athena/lib'. If + `/usr/athena' is not on local disk, you might want to put it in + `/usr/shlib' or someplace else. If you do, you'll have to edit + `krb5_matrix.conf' to reflect the new location (you will also have to do this if you installed in some other directory than - '/usr/athena'). If you built with shared libraries, you will have - to copy the shared 'libkrb.so', 'libdes.so', 'libkadm.so', and - 'libkafs.so' to a place where the loader can find them (such as - '/usr/shlib'). - * Copy (your possibly edited) 'krb5_matrix.conf' to '/etc/sia'. - * Apply 'security.patch' to '/sbin/init.d/security'. - * Turn on KRB5 security by issuing 'rcmgr set SECURITY KRB5' and - 'rcmgr set KRB5_MATRIX_CONF krb5_matrix.conf'. + `/usr/athena'). If you built with shared libraries, you will have + to copy the shared `libkrb.so', `libdes.so', `libkadm.so', and + `libkafs.so' to a place where the loader can find them (such as + `/usr/shlib'). + + * Copy (your possibly edited) `krb5_matrix.conf' to `/etc/sia'. 
+ + * Apply `security.patch' to `/sbin/init.d/security'. + + * Turn on KRB5 security by issuing `rcmgr set SECURITY KRB5' and + `rcmgr set KRB5_MATRIX_CONF krb5_matrix.conf'. + * Digital thinks you should reboot your machine, but that really shouldn't be necessary. It's usually sufficient just to run - '/sbin/init.d/security start' (and restart any applications that - use SIA, like 'xdm'.) + `/sbin/init.d/security start' (and restart any applications that + use SIA, like `xdm'.) -Users with local passwords (like 'root') should be able to login safely. +Users with local passwords (like `root') should be able to login safely. -When using Digital's xdm the 'KRB5CCNAME' environment variable isn't -passed along as it should (since xdm zaps the environment). Instead you -have to set 'KRB5CCNAME' to the correct value in -'/usr/lib/X11/xdm/Xsession'. Add a line similar to +When using Digital's xdm the `KRB5CCNAME' environment variable isn't +passed along as it should (since xdm zaps the environment). Instead you +have to set `KRB5CCNAME' to the correct value in +`/usr/lib/X11/xdm/Xsession'. Add a line similar to KRB5CCNAME=FILE:/tmp/krb5cc`id -u`_`ps -o ppid= -p $$`; export KRB5CCNAME -If you use CDE, 'dtlogin' allows you to specify which additional -environment variables it should export. To add 'KRB5CCNAME' to this -list, edit '/usr/dt/config/Xconfig', and look for the definition of -'exportList'. You want to add something like: +If you use CDE, `dtlogin' allows you to specify which additional +environment variables it should export. To add `KRB5CCNAME' to this +list, edit `/usr/dt/config/Xconfig', and look for the definition of +`exportList'. You want to add something like: Dtlogin.exportList: KRB5CCNAME Notes to users with Enhanced security ..................................... -Digital's 'ENHANCED' (C2) security, and Kerberos solve two different -problems. C2 deals with local security, adds better control of who can -do what, auditing, and similar things. 
Kerberos deals with network +Digital's `ENHANCED' (C2) security, and Kerberos solve two different +problems. C2 deals with local security, adds better control of who can +do what, auditing, and similar things. Kerberos deals with network security. To make C2 security work with Kerberos you will have to do the following. - * Replace all occurrences of 'krb5_matrix.conf' with - 'krb5+c2_matrix.conf' in the directions above. - * You must enable "vouching" in the 'default' database. This will + * Replace all occurrences of `krb5_matrix.conf' with + `krb5+c2_matrix.conf' in the directions above. + + * You must enable "vouching" in the `default' database. This will make the OSFC2 module trust other SIA modules, so you can login - without giving your C2 password. To do this use 'edauth' to edit - the default entry '/usr/tcb/bin/edauth -dd default', and add a - 'd_accept_alternate_vouching' capability, if not already present. + without giving your C2 password. To do this use `edauth' to edit + the default entry `/usr/tcb/bin/edauth -dd default', and add a + `d_accept_alternate_vouching' capability, if not already present. + * For each user who does _not_ have a local C2 password, you should - set the password expiration field to zero. You can do this for - each user, or in the 'default' table. To do this use 'edauth' to - set (or change) the 'u_exp' capability to 'u_exp#0'. - * You also need to be aware that the shipped 'login', 'rcp', and - 'rshd', don't do any particular C2 magic (such as checking for + set the password expiration field to zero. You can do this for each + user, or in the `default' table. To do this use `edauth' to set + (or change) the `u_exp' capability to `u_exp#0'. + + * You also need to be aware that the shipped `login', `rcp', and + `rshd', don't do any particular C2 magic (such as checking for various forms of disabled accounts), so if you rely on those - features, you shouldn't use those programs. 
If you configure with - '--enable-osfc2', these programs will, however, set the login UID. + features, you shouldn't use those programs. If you configure with + `--enable-osfc2', these programs will, however, set the login UID. Still: use at your own risk. -At present 'su' does not accept the vouching flag, so it will not work +At present `su' does not accept the vouching flag, so it will not work as expected. -Also, kerberised ftp will not work with C2 passwords. You can solve -this by using both Digital's ftpd and our on different ports. +Also, kerberised ftp will not work with C2 passwords. You can solve this +by using both Digital's ftpd and our on different ports. *Remember*, if you do these changes you will get a system that most -certainly does _not_ fulfil the requirements of a C2 system. If C2 is +certainly does _not_ fulfil the requirements of a C2 system. If C2 is what you want, for instance if someone else is forcing you to use it, you're out of luck. If you use enhanced security because you want a system that is more secure than it would otherwise be, you probably got -an even more secure system. Passwords will not be sent in the clear, +an even more secure system. Passwords will not be sent in the clear, for instance. 
@@ -2033,29 +2048,29 @@ File: heimdal.info, Node: IRIX, Prev: Digital SIA, Up: Authentication modules ---------- The IRIX support is a module that is compatible with Transarc's -'afskauthlib.so'. It should work with all programs that use this -library. This should include 'login' and 'xdm'. +`afskauthlib.so'. It should work with all programs that use this +library. This should include `login' and `xdm'. The interface is not very documented but it seems that you have to copy -'libkafs.so', 'libkrb.so', and 'libdes.so' to '/usr/lib', or build your -'afskauthlib.so' statically. +`libkafs.so', `libkrb.so', and `libdes.so' to `/usr/lib', or build your +`afskauthlib.so' statically. -The 'afskauthlib.so' itself is able to reside in '/usr/vice/etc', -'/usr/afsws/lib', or the current directory (wherever that is). +The `afskauthlib.so' itself is able to reside in `/usr/vice/etc', +`/usr/afsws/lib', or the current directory (wherever that is). -IRIX 6.4 and newer seem to have all programs (including 'xdm' and -'login') in the N32 object format, whereas in older versions they were -O32. For it to work, the 'afskauthlib.so' library has to be in the same -object format as the program that tries to load it. This might require +IRIX 6.4 and newer seem to have all programs (including `xdm' and +`login') in the N32 object format, whereas in older versions they were +O32. For it to work, the `afskauthlib.so' library has to be in the same +object format as the program that tries to load it. This might require that you have to configure and build for O32 in addition to the default N32. Apart from this it should "just work"; there are no configuration files. -Note that recent Irix 6.5 versions (at least 6.5.22) have PAM, including -a 'pam_krb5.so' module. Not all relevant programs use PAM, though, e.g. -'ssh'. In particular, for console graphical login you need to turn off -'visuallogin' and turn on 'xdm' with 'chkconfig'. 
+Note that recent Irix 6.5 versions (at least 6.5.22) have PAM, +including a `pam_krb5.so' module. Not all relevant programs use PAM, +though, e.g. `ssh'. In particular, for console graphical login you need +to turn off `visuallogin' and turn on `xdm' with `chkconfig'. File: heimdal.info, Node: AFS, Prev: Authentication modules, Up: Applications 
@@ -2065,55 +2080,55 @@ File: heimdal.info, Node: AFS, Prev: Authentication modules, Up: Applications AFS is a distributed filesystem that uses Kerberos for authentication. -For more information about AFS see OpenAFS <http://www.openafs.org/> and -Arla <http://www.stacken.kth.se/projekt/arla/>. +For more information about AFS see OpenAFS `http://www.openafs.org/' +and Arla `http://www.stacken.kth.se/projekt/arla/'. 5.2.1 kafs and afslog --------------------- -'afslog(1)' will obtains AFS tokens for a number of cells. What cells +`afslog(1)' will obtains AFS tokens for a number of cells. What cells to get tokens for can either be specified as an explicit list, as file paths to get tokens for, or be left unspecified, in which case will use -whatever magic 'kafs(3)' decides upon. +whatever magic `kafs(3)' decides upon. -If not told what cell to get credentials for, 'kafs(3)' will search for +If not told what cell to get credentials for, `kafs(3)' will search for the files ThisCell and TheseCells in the locations specified in -'kafs(3)' and try to get tokens for these cells and the cells specified +`kafs(3)' and try to get tokens for these cells and the cells specified in $HOME/.TheseCells. More usefully it will look at and ~/.TheseCells in your home directory and for each line which is a cell get afs token for these cells. The TheseCells file defines the the cells to which applications on the -local client machine should try to aquire tokens for. It must reside in -the directories searched by 'kafs(3)' on every AFS client machine. +local client machine should try to aquire tokens for. It must reside in +the directories searched by `kafs(3)' on every AFS client machine. The file is in ASCII format and contains one character string, the cell -name, per line. Cell names are case sensitive, but most cell names are +name, per line. Cell names are case sensitive, but most cell names are lower case. 
-See manpage for 'kafs(3)' for search locations of ThisCell and +See manpage for `kafs(3)' for search locations of ThisCell and TheseCells. 5.2.2 How to get a KeyFile -------------------------- -'ktutil -k AFSKEYFILE:KeyFile get afs@MY.REALM' +`ktutil -k AFSKEYFILE:KeyFile get afs@MY.REALM' or you can extract it with kadmin kadmin> ext -k AFSKEYFILE:/usr/afs/etc/KeyFile afs@My.CELL.NAME -You have to make sure you have a 'des-cbc-md5' encryption type since +You have to make sure you have a `des-cbc-md5' encryption type since that is the enctype that will be converted. 5.2.3 How to convert a srvtab to a KeyFile ------------------------------------------ -You need a '/usr/vice/etc/ThisCell' containing the cellname of your +You need a `/usr/vice/etc/ThisCell' containing the cellname of your AFS-cell. -'ktutil copy krb4:/root/afs-srvtab AFSKEYFILE:/usr/afs/etc/KeyFile'. +`ktutil copy krb4:/root/afs-srvtab AFSKEYFILE:/usr/afs/etc/KeyFile'. If keyfile already exists, this will add the new key in afs-srvtab to KeyFile. 
@@ -2125,22 +2140,22 @@ KeyFile. ------------------ 2b is the name of the proposal that was implemented to give basic -Kerberos 5 support to AFS in rxkad. It's not real Kerberos 5 support +Kerberos 5 support to AFS in rxkad. It's not real Kerberos 5 support since it still uses fcrypt for data encryption and not Kerberos encryption types. Its only possible (in all cases) to do this for DES encryption types because only then the token (the AFS equivalent of a ticket) will be smaller than the maximum size that can fit in the token cache in the -OpenAFS/Transarc client. It is a so tight fit that some extra wrapping +OpenAFS/Transarc client. It is a so tight fit that some extra wrapping on the ASN1/DER encoding is removed from the Kerberos ticket. -2b uses a Kerberos 5 EncTicketPart instead of a Kerberos 4 ditto for the -part of the ticket that is encrypted with the service's key. The client -doesn't know what's inside the encrypted data so to the client it -doesn't matter. +2b uses a Kerberos 5 EncTicketPart instead of a Kerberos 4 ditto for +the part of the ticket that is encrypted with the service's key. The +client doesn't know what's inside the encrypted data so to the client +it doesn't matter. -To differentiate between Kerberos 4 tickets and Kerberos 5 tickets, 2b +To differentiate between Kerberos 4 tickets and Kerberos 5 tickets, 2b uses a special kvno, 213 for 2b tokens and 255 for Kerberos 5 tokens. Its a requirement that all AFS servers that support 2b also support @@ -2150,8 +2165,8 @@ native Kerberos 5 in rxkad. ------------------------------------------------ Support for 2b tokens in the kdc are turned on for specific principals -by adding them to the string list option '[kdc]use_2b' in the kdc's -'krb5.conf' file. +by adding them to the string list option `[kdc]use_2b' in the kdc's +`krb5.conf' file. [kdc] use_2b = { 
@@ -2162,9 +2177,9 @@ by adding them to the string list option '[kdc]use_2b' in the kdc's 5.3.3 Configuring AFS clients for 2b support -------------------------------------------- -There is no need to configure AFS clients for 2b support. The only +There is no need to configure AFS clients for 2b support. The only software that needs to be installed/upgrade is a Kerberos 5 enabled -'afslog'. +`afslog'. File: heimdal.info, Node: Things in search for a better place, Next: Kerberos 4 issues, Prev: Applications, Up: Top @@ -2176,14 +2191,14 @@ File: heimdal.info, Node: Things in search for a better place, Next: Kerberos ================================ Modern versions of Cisco IOS has some support for authenticating via -Kerberos 5. This can be used both by having the router get a ticket -when you login (boring), and by using Kerberos authenticated telnet to -access your router (less boring). The following has been tested on IOS -11.2(12), things might be different with other versions. Old versions +Kerberos 5. This can be used both by having the router get a ticket when +you login (boring), and by using Kerberos authenticated telnet to access +your router (less boring). The following has been tested on IOS +11.2(12), things might be different with other versions. Old versions are known to have bugs. To make this work, you will first have to configure your router to use -Kerberos (this is explained in the documentation). A sample +Kerberos (this is explained in the documentation). A sample configuration looks like the following: aaa new-model 
@@ -2198,27 +2213,27 @@ This tells you (among other things) that when logging in, the router should try to authenticate with kerberised telnet, and if that fails try to verify a plain text password via a Kerberos ticket exchange (as opposed to a local database, RADIUS or something similar), and if that -fails try the local enable password. If you're not careful when you -specify the 'login default' authentication mechanism, you might not be -able to login at all. The 'instance map' and 'authorization exec' lines -says that people with 'admin' instances should be given 'enabled' shells +fails try the local enable password. If you're not careful when you +specify the `login default' authentication mechanism, you might not be +able to login at all. The `instance map' and `authorization exec' lines +says that people with `admin' instances should be given `enabled' shells when logging in. -The numbers after the principal on the 'srvtab' line are principal type, +The numbers after the principal on the `srvtab' line are principal type, time stamp (in seconds since 1970), key version number (4), keytype (1 == des), key length (always 8 with des), and then the key. To make the Heimdal KDC produce tickets that the Cisco can decode you -might have to turn on the 'encode_as_rep_as_tgs_rep' flag in the KDC. +might have to turn on the `encode_as_rep_as_tgs_rep' flag in the KDC. You will also have to specify that the router can't handle anything but -'des-cbc-crc'. This can be done with the 'del_enctype' command of -'kadmin'. +`des-cbc-crc'. This can be done with the `del_enctype' command of +`kadmin'. This all fine and so, but unless you have an IOS version with encryption -(available only in the U.S) it doesn't really solve any problems. Sure +(available only in the U.S) it doesn't really solve any problems. Sure you don't have to send your password over the wire, but since the telnet connection isn't protected it's still possible for someone to steal your -session. 
This won't be fixed until someone adds integrity to the telnet +session. This won't be fixed until someone adds integrity to the telnet protocol. A working solution would be to hook up a machine with a real operating 
@@ -2246,48 +2261,48 @@ File: heimdal.info, Node: Principal conversion issues, Next: Converting a vers 7.1 Principal conversion issues =============================== -First, Kerberos 4 and Kerberos 5 principals are different. A version 4 -principal consists of a name, an instance, and a realm. A version 5 +First, Kerberos 4 and Kerberos 5 principals are different. A version 4 +principal consists of a name, an instance, and a realm. A version 5 principal has one or more components, and a realm (the terms "name" and "instance" are still used, for the first and second component, -respectively). Also, in some cases the name of a version 4 principal +respectively). Also, in some cases the name of a version 4 principal differs from the first component of the corresponding version 5 -principal. One notable example is the "host" type principals, where the -version 4 name is 'rcmd' (for "remote command"), and the version 5 name -is 'host'. For the class of principals that has a hostname as instance, +principal. One notable example is the "host" type principals, where the +version 4 name is `rcmd' (for "remote command"), and the version 5 name +is `host'. For the class of principals that has a hostname as instance, there is an other major difference, Kerberos 4 uses only the first component of the hostname, whereas Kerberos 5 uses the fully qualified hostname. Because of this it can be hard or impossible to correctly convert a -version 4 principal to a version 5 principal (1). The biggest problem -is to know if the conversion resulted in a valid principal. To give an -example, suppose you want to convert the principal 'rcmd.foo'. - -The 'rcmd' name suggests that the instance is a hostname (even if there -are exceptions to this rule). To correctly convert the instance 'foo' -to a hostname, you have to know which host it is referring to. You can -to this by either guessing (from the realm) which domain name to append, -or you have to have a list of possible hostnames. 
In the simplest cases -you can cover most principals with the first rule. If you have several -domains sharing a single realm this will not usually work. If the -exceptions are few you can probably come by with a lookup table for the -exceptions. +version 4 principal to a version 5 principal (1). The biggest problem is +to know if the conversion resulted in a valid principal. To give an +example, suppose you want to convert the principal `rcmd.foo'. + +The `rcmd' name suggests that the instance is a hostname (even if there +are exceptions to this rule). To correctly convert the instance `foo' +to a hostname, you have to know which host it is referring to. You can +to this by either guessing (from the realm) which domain name to +append, or you have to have a list of possible hostnames. In the +simplest cases you can cover most principals with the first rule. If you +have several domains sharing a single realm this will not usually work. +If the exceptions are few you can probably come by with a lookup table +for the exceptions. In a complex scenario you will need some kind of host lookup mechanism. Using DNS for this is tempting, but DNS is error prone, slow and unsafe (2). Fortunately, the KDC has a trump on hand: it can easily tell if a -principal exists in the database. The KDC will use -'krb5_425_conv_principal_ext' to convert principals when handling to +principal exists in the database. The KDC will use +`krb5_425_conv_principal_ext' to convert principals when handling to version 4 requests. - ---------- Footnotes ---------- +---------- Footnotes ---------- - (1) the other way is not always trivial either, but usually easier +(1) the other way is not always trivial either, but usually easier - (2) at least until secure DNS is commonly available +(2) at least until secure DNS is commonly available File: heimdal.info, Node: Converting a version 4 database, Prev: Principal conversion issues, Up: Kerberos 4 issues 
@@ -2299,18 +2314,18 @@ If you want to convert an existing version 4 database, the principal conversion issue arises too. If you decide to convert your database once and for all, you will only -have to do this conversion once. It is also possible to run a version 5 +have to do this conversion once. It is also possible to run a version 5 KDC as a slave to a version 4 KDC. In this case this conversion will happen every time the database is propagated. When doing this -conversion, there are a few things to look out for. If you have stale -entries in the database, these entries will not be converted. This -might be because these principals are not used anymore, or it might be -just because the principal couldn't be converted. +conversion, there are a few things to look out for. If you have stale +entries in the database, these entries will not be converted. This might +be because these principals are not used anymore, or it might be just +because the principal couldn't be converted. You might also see problems with a many-to-one mapping of principals. For instance, if you are using DNS lookups and you have two principals -'rcmd.foo' and 'rcmd.bar', where 'foo' is a CNAME for 'bar', the -resulting principals will be the same. Since the conversion function +`rcmd.foo' and `rcmd.bar', where `foo' is a CNAME for `bar', the +resulting principals will be the same. Since the conversion function can't tell which is correct, these conflicts will have to be resolved manually. 
@@ -2325,12 +2340,12 @@ Given the following set of hosts and services: you have a database that consists of the following principals: -'rcmd.foo', 'rcmd.mail', 'pop.mail', 'rcmd.ftp', and 'ftp.ftp'. +`rcmd.foo', `rcmd.mail', `pop.mail', `rcmd.ftp', and `ftp.ftp'. -lets say you also got these extra principals: 'rcmd.gone', -'rcmd.old-mail', where 'gone.foo.se' was a machine that has now passed -away, and 'old-mail.foo.se' was an old mail machine that is now a CNAME -for 'mail.foo.se'. +lets say you also got these extra principals: `rcmd.gone', +`rcmd.old-mail', where `gone.foo.se' was a machine that has now passed +away, and `old-mail.foo.se' was an old mail machine that is now a CNAME +for `mail.foo.se'. When you convert this database you want the following conversions to be done: @@ -2342,7 +2357,7 @@ done: rcmd.gone removed rcmd.old-mail removed -A 'krb5.conf' that does this looks like: +A `krb5.conf' that does this looks like: [realms] FOO.SE = { 
@@ -2360,37 +2375,37 @@ A 'krb5.conf' that does this looks like: default_domain = foo.se } -The 'v4_name_convert' section says which names should be considered +The `v4_name_convert' section says which names should be considered having an instance consisting of a hostname, and it also says how the -names should be converted (for instance 'rcmd' should be converted to -'host'). The 'v4_instance_convert' section says how a hostname should -be qualified (this is just a hosts-file in disguise). Host-instances -that aren't covered by 'v4_instance_convert' are qualified by appending -the contents of the 'default_domain'. - -Actually, this example doesn't work. Or rather, it works to well. -Since it has no way of knowing which hostnames are valid and which are -not, it will happily convert 'rcmd.gone' to 'host/gone.foo.se'. This -isn't a big problem, but if you have run your kerberos realm for a few -years, chances are big that you have quite a few 'junk' principals. - -If you don't want this you can remove the 'default_domain' statement, +names should be converted (for instance `rcmd' should be converted to +`host'). The `v4_instance_convert' section says how a hostname should +be qualified (this is just a hosts-file in disguise). Host-instances +that aren't covered by `v4_instance_convert' are qualified by appending +the contents of the `default_domain'. + +Actually, this example doesn't work. Or rather, it works to well. Since +it has no way of knowing which hostnames are valid and which are not, it +will happily convert `rcmd.gone' to `host/gone.foo.se'. This isn't a +big problem, but if you have run your kerberos realm for a few years, +chances are big that you have quite a few `junk' principals. + +If you don't want this you can remove the `default_domain' statement, but then you will have to add entries for _all_ your hosts in the -'v4_instance_convert' section. +`v4_instance_convert' section. -Instead of doing this you can use DNS to convert instances. 
This is not +Instead of doing this you can use DNS to convert instances. This is not a solution without problems, but it is probably easier than adding lots of static host entries. -To enable DNS lookup you should turn on 'v4_instance_resolve' in the -'[libdefaults]' section. +To enable DNS lookup you should turn on `v4_instance_resolve' in the +`[libdefaults]' section. 7.2.2 Converting a database --------------------------- -The database conversion is done with 'hprop'. You can run this command -to propagate the database to the machine called 'slave-server' (which -should be running a 'hpropd'). +The database conversion is done with `hprop'. You can run this command +to propagate the database to the machine called `slave-server' (which +should be running a `hpropd'). hprop --source=krb4-db --master-key=/.m slave-server 
@@ -2405,17 +2420,18 @@ File: heimdal.info, Node: Windows compatibility, Next: Programming with Kerber 8 Windows compatibility *********************** -Microsoft Windows, starting from version 2000 (formerly known as Windows -NT 5), implements Kerberos 5. Their implementation, however, has some -quirks, peculiarities, and bugs. This chapter is a short summary of the -compatibility issues between Heimdal and various Windows versions. +Microsoft Windows, starting from version 2000 (formerly known as +Windows NT 5), implements Kerberos 5. Their implementation, however, +has some quirks, peculiarities, and bugs. This chapter is a short +summary of the compatibility issues between Heimdal and various Windows +versions. The big problem with the Kerberos implementation in Windows is that the -available documentation is more focused on getting things to work rather -than how they work, and not that useful in figuring out how things -really work. It's of course subject to change all the time and mostly -consists of our not so inspired guesses. Hopefully it's still somewhat -useful. +available documentation is more focused on getting things to work +rather than how they work, and not that useful in figuring out how +things really work. It's of course subject to change all the time and +mostly consists of our not so inspired guesses. Hopefully it's still +somewhat useful. * Menu: 
@@ -2433,22 +2449,22 @@ File: heimdal.info, Node: Configuring Windows to use a Heimdal KDC, Next: Inte 8.1 Configuring Windows to use a Heimdal KDC ============================================ -You need the command line program called 'ksetup.exe'. This program +You need the command line program called `ksetup.exe'. This program comes with the Windows Support Tools, available from either the -installation CD-ROM ('SUPPORT/TOOLS/SUPPORT.CAB'), or from Microsoft web -site. Starting from Windows 2008, it is already installed. This +installation CD-ROM (`SUPPORT/TOOLS/SUPPORT.CAB'), or from Microsoft +web site. Starting from Windows 2008, it is already installed. This program is used to configure the Kerberos settings on a Workstation. -'Ksetup' store the domain information under the registry key: -'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains'. +`Ksetup' store the domain information under the registry key: +`HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains'. -Use the 'kadmin' program in Heimdal to create a host principal in the +Use the `kadmin' program in Heimdal to create a host principal in the Kerberos realm. unix% kadmin kadmin> ank --password=password host/datan.example.com -The name 'datan.example.com' should be replaced with DNS name of the +The name `datan.example.com' should be replaced with DNS name of the workstation. You must configure the workstation as a member of a workgroup, as 
@@ -2460,25 +2476,25 @@ realm as follows: Set the machine password, i.e. create the local keytab: C:> ksetup /SetComputerPassword password -The password used in 'ksetup /setmachpassword' must be the same as the -password used in the 'kadmin ank' command. +The password used in `ksetup /setmachpassword' must be the same as the +password used in the `kadmin ank' command. The workstation must now be rebooted. A mapping between local NT users and Kerberos principals must be -specified. You have two choices. First: +specified. You have two choices. First: C:> ksetup /mapuser user@MY.REALM nt_user This will map a user to a specific principal; this allows you to have -other usernames in the realm than in your NT user database. (Don't ask -me why on earth you would want that...) +other usernames in the realm than in your NT user database. (Don't ask +me why on earth you would want that....) You can also say: C:> ksetup /mapuser * * The Windows machine will now map any user to the corresponding -principal, for example 'nisse' to the principal 'nisse@MY.REALM'. (This -is most likely what you want.) +principal, for example `nisse' to the principal `nisse@MY.REALM'. +(This is most likely what you want.) File: heimdal.info, Node: Inter-Realm keys (trust) between Windows and a Heimdal KDC, Next: Create account mappings, Prev: Configuring Windows to use a Heimdal KDC, Up: Windows compatibility 
@@ -2491,57 +2507,59 @@ See also the Step-by-Step guide from Microsoft, referenced below. Install Windows, and create a new controller (Active Directory Server) for the domain. -By default the trust will be non-transitive. This means that only users -directly from the trusted domain may authenticate. This can be changed -to transitive by using the 'netdom.exe' tool. 'netdom.exe' can also be +By default the trust will be non-transitive. This means that only users +directly from the trusted domain may authenticate. This can be changed +to transitive by using the `netdom.exe' tool. `netdom.exe' can also be used to add the trust between two realms. You need to tell Windows on what hosts to find the KDCs for the -non-Windows realm with 'ksetup', see *Note Configuring Windows to use a +non-Windows realm with `ksetup', see *Note Configuring Windows to use a Heimdal KDC::. This needs to be done on all computers that want enable cross-realm -login with 'Mapped Names'. - -Then you need to add the inter-realm keys on the Windows KDC. Start the -Domain Tree Management tool (found in Programs, Administrative tools, -Active Directory Domains and Trusts). +login with `Mapped Names'. Then you need to add the inter-realm keys +on the Windows KDC. Start the Domain Tree Management tool (found in +Programs, Administrative tools, Active Directory Domains and Trusts). Right click on Properties of your domain, select the Trust tab. Press -Add on the appropriate trust windows and enter domain name and password. -When prompted if this is a non-Windows Kerberos realm, press OK. +Add on the appropriate trust windows and enter domain name and +password. When prompted if this is a non-Windows Kerberos realm, press +OK. Do not forget to add trusts in both directions (if that's what you want). 
-If you want to use 'netdom.exe' instead of the Domain Tree Management +If you want to use `netdom.exe' instead of the Domain Tree Management tool, you do it like this: netdom trust NT.REALM.EXAMPLE.COM /Domain:EXAMPLE.COM /add /realm /passwordt:TrustPassword You also need to add the inter-realm keys to the Heimdal KDC. But take -care to the encryption types and salting used for those keys. There -should be no encryption type stronger than the one configured on Windows -side for this relationship, itself limited to the ones supported by this -specific version of Windows, nor any Kerberos 4 salted hashes, as -Windows does not seem to understand them. Otherwise, the trust will not -works. +care to the encryption types and salting used for those keys. There +should be no encryption type stronger than the one configured on +Windows side for this relationship, itself limited to the ones +supported by this specific version of Windows, nor any Kerberos 4 +salted hashes, as Windows does not seem to understand them. Otherwise, +the trust will not works. Here are the version-specific needed information: 1. Windows 2000: maximum encryption type is DES + 2. Windows 2003: maximum encryption type is DES + 3. Windows 2003RC2: maximum encryption type is RC4, relationship defaults to DES - 4. Windows 2008: maximum encryption type is AES, relationship defaults - to RC4 + + 4. Windows 2008: maximum encryption type is AES, relationship + defaults to RC4 For Windows 2003RC2, to change the trust encryption type, you have to -use the 'ktpass', from the Windows 2003 Resource kit *service pack2*, +use the `ktpass', from the Windows 2003 Resource kit *service pack2*, available from Microsoft web site. C:> ktpass /MITRealmName UNIX.EXAMPLE.COM /TrustEncryp RC4 -For Windows 2008, the same operation can be done with the 'ksetup', +For Windows 2008, the same operation can be done with the `ksetup', installed by default. C:> ksetup /SetEncTypeAttre EXAMPLE.COM AES256-SHA1 
@@ -2562,9 +2580,9 @@ ones for a Windows 2003RC2 server. kadmin del_enctype krbtgt/NT.EXAMPLE.COM@EXAMPLE.COM aes256-cts-hmac-sha1-96 kadmin del_enctype krbtgt/NT.EXAMPLE.COM@EXAMPLE.COM des3-cbc-sha1 -Do not forget to reboot before trying the new realm-trust (after running -'ksetup'). It looks like it might work, but packets are never sent to -the non-Windows KDC. +Do not forget to reboot before trying the new realm-trust (after +running `ksetup'). It looks like it might work, but packets are never +sent to the non-Windows KDC. File: heimdal.info, Node: Create account mappings, Next: Encryption types, Prev: Inter-Realm keys (trust) between Windows and a Heimdal KDC, Up: Windows compatibility @@ -2572,16 +2590,16 @@ File: heimdal.info, Node: Create account mappings, Next: Encryption types, Pr 8.3 Create account mappings =========================== -Start the 'Active Directory Users and Computers' tool. Select the View +Start the `Active Directory Users and Computers' tool. Select the View menu, that is in the left corner just below the real menu (or press -Alt-V), and select Advanced Features. Right click on the user that you +Alt-V), and select Advanced Features. Right click on the user that you are going to do a name mapping for and choose Name mapping. Click on the Kerberos Names tab and add a new principal from the non-Windows domain. -This adds 'authorizationNames' entry to the users LDAP entry to the -Active Directory LDAP catalog. When you create users by script you can +This adds `authorizationNames' entry to the users LDAP entry to the +Active Directory LDAP catalog. When you create users by script you can add this entry instead. 
@@ -2590,10 +2608,10 @@ File: heimdal.info, Node: Encryption types, Next: Authorisation data, Prev: C 8.4 Encryption types ==================== -Windows 2000 supports both the standard DES encryptions ('des-cbc-crc' -and 'des-cbc-md5') and its own proprietary encryption that is based on +Windows 2000 supports both the standard DES encryptions (`des-cbc-crc' +and `des-cbc-md5') and its own proprietary encryption that is based on MD4 and RC4 that is documented in and is supposed to be described in -'draft-brezak-win2k-krb-rc4-hmac-03.txt'. New users will get both MD4 +`draft-brezak-win2k-krb-rc4-hmac-03.txt'. New users will get both MD4 and DES keys. Users that are converted from a NT4 database, will only have MD4 passwords and will need a password change to get a DES key. @@ -2612,17 +2630,24 @@ A simple way of getting hold of the data to be able to understand it better is described here. 1. Find the client example on using the SSPI in the SDK documentation. + 2. Change "AuthSamp" in the source code to lowercase. + 3. Build the program. - 4. Add the "authsamp" principal with a known password to the database. - Make sure it has a DES key. - 5. Run 'ktutil add' to add the key for that principal to a keytab. - 6. Run 'appl/test/nt_gss_server -p 2000 -s authsamp --dump-auth=FILE' + + 4. Add the "authsamp" principal with a known password to the + database. Make sure it has a DES key. + + 5. Run `ktutil add' to add the key for that principal to a keytab. + + 6. Run `appl/test/nt_gss_server -p 2000 -s authsamp --dump-auth=FILE' where FILE is an appropriate file. + 7. It should authenticate and dump for you the authorisation data in the file. - 8. The tool 'lib/asn1/asn1_print' is somewhat useful for analysing the - data. + + 8. The tool `lib/asn1/asn1_print' is somewhat useful for analysing + the data. File: heimdal.info, Node: Quirks of Windows 2000 KDC, Next: Useful links when reading about the Windows, Prev: Authorisation data, Up: Windows compatibility 
@@ -2638,14 +2663,14 @@ make sure you keep around keys with all the different types of salts that are required. Microsoft have fixed this issue post Windows 2003. Microsoft seems also to have forgotten to implement the checksum -algorithms 'rsa-md4-des' and 'rsa-md5-des'. This can make Name mapping -(*note Create account mappings::) fail if a 'des-cbc-md5' key is used. -To make the KDC return only 'des-cbc-crc' you must delete the -'des-cbc-md5' key from the kdc using the 'kadmin del_enctype' command. +algorithms `rsa-md4-des' and `rsa-md5-des'. This can make Name mapping +(*note Create account mappings::) fail if a `des-cbc-md5' key is used. +To make the KDC return only `des-cbc-crc' you must delete the +`des-cbc-md5' key from the kdc using the `kadmin del_enctype' command. kadmin del_enctype lha des-cbc-md5 -You should also add the following entries to the 'krb5.conf' file: +You should also add the following entries to the `krb5.conf' file: [libdefaults] default_etypes = des-cbc-crc 
@@ -2662,37 +2687,38 @@ File: heimdal.info, Node: Useful links when reading about the Windows, Prev: Q See also our paper presented at the 2001 Usenix Annual Technical Conference, available in the proceedings or at -<http://www.usenix.org/publications/library/proceedings/usenix01/freenix01/westerlund.html>. +`http://www.usenix.org/publications/library/proceedings/usenix01/freenix01/westerlund.html'. There are lots of texts about Kerberos on Microsoft's web site, here is a short list of the interesting documents that we have managed to find. * Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability: - <http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx>. + `http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx'. Kerberos GSS-API (in Windows-eze SSPI), Windows as a client in a non-Windows KDC realm, adding unix clients to a Windows 2000 KDC, and adding cross-realm trust (*note Inter-Realm keys (trust) between Windows and a Heimdal KDC::). * Windows 2000 Kerberos Authentication: - <www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/kerberos.mspx>. + `www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/kerberos.mspx'. White paper that describes how Kerberos is used in Windows 2000. * Overview of Kerberos: - <http://support.microsoft.com/support/kb/articles/Q248/7/58.ASP>. + `http://support.microsoft.com/support/kb/articles/Q248/7/58.ASP'. Links to useful other links. * Event logging for Kerberos: - <http://support.microsoft.com/support/kb/articles/Q262/1/77.ASP>. + `http://support.microsoft.com/support/kb/articles/Q262/1/77.ASP'. Basically it say that you can add a registry key - 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel' + `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel' with value DWORD equal to 1, and then you'll get logging in the Event Logger. 
+ Other useful programs include these: * pwdump2 - <http://www.bindview.com/Support/RAZOR/Utilities/Windows/pwdump2_readme.cfm> + `http://www.bindview.com/Support/RAZOR/Utilities/Windows/pwdump2_readme.cfm' File: heimdal.info, Node: Programming with Kerberos, Next: Migration, Prev: Windows compatibility, Up: Top @@ -2713,15 +2739,15 @@ File: heimdal.info, Node: Migration, Next: Acknowledgments, Prev: Programming =========================================== hpropd can read MIT Kerberos dump in "kdb5_util load_dump version 5" or -version 6 format. Simply run: 'kdb5_util dump'. +version 6 format. Simply run: `kdb5_util dump'. To load the MIT Kerberos dump file, use the following command: -'/usr/heimdal/libexec/hprop --database=dump-file +`/usr/heimdal/libexec/hprop --database=dump-file --master-key=/var/db/krb5kdc/mit_stash --source=mit-dump --decrypt --stdout | /usr/heimdal/libexec/hpropd --stdin' -kadmin can dump in MIT Kerberos format. Simply run: 'kadmin -l dump -f +kadmin can dump in MIT Kerberos format. Simply run: `kadmin -l dump -f MIT'. The Heimdal KDC and kadmind, as well as kadmin -l and the libkadm5srv 
@@ -2730,16 +2756,16 @@ build with KDB support requires having a standalone libdb from MIT Kerberos and associated headers, then you can configure Heildal as follows: -'./configure ... CPPFLAGS=-I/path-to-mit-db-headers -LDFLAGS="-L/path-to-mit-db-object -Wl,-rpath -Wl,/path-to-mit-db-object" -LDLIBS=-ldb' +`./configure ... CPPFLAGS=-I/path-to-mit-db-headers +LDFLAGS="-L/path-to-mit-db-object -Wl,-rpath +-Wl,/path-to-mit-db-object" LDLIBS=-ldb' At this time support for MIT Kerberos KDB dump/load format and direct KDB access does not include support for PKINIT, or K/M key history, constrained delegation, and other advanced features. Heimdal supports using multiple HDBs at once, with all write going to -just one HDB. This allows for entries to be moved to a native HDB from +just one HDB. This allows for entries to be moved to a native HDB from an MIT KDB over time as those entries are changed. Or you can use hprop and hpropd. @@ -2754,7 +2780,7 @@ When migrating from a Kerberos 4 KDC. * Convert the database, check all principals that hprop complains about. - 'hprop -n --source=<NNN>| hpropd -n' + `hprop -n --source=<NNN>| hpropd -n' Replace <NNN> with whatever source you have, like krb4-db or krb4-dump. 
@@ -2767,140 +2793,227 @@ When migrating from a Kerberos 4 KDC. * Let a small number of controlled users use Kerberos 5 tools. - Find a sample population of your users and check what programs they - use, you can also check the kdc-log to check what ticket are + Find a sample population of your users and check what programs + they use, you can also check the kdc-log to check what ticket are checked out. * Burn the bridge and change the master. + * Let all users use the Kerberos 5 tools by default. + * Turn off services that do not need Kerberos 4 authentication. Things that might be hard to get away is old programs with support - for Kerberos 4. Example applications are old Eudora installations - using KPOP, and Zephyr. Eudora can use the Kerberos 4 kerberos in + for Kerberos 4. Example applications are old Eudora installations + using KPOP, and Zephyr. Eudora can use the Kerberos 4 kerberos in the Heimdal kdc. + File: heimdal.info, Node: Acknowledgments, Next: Copyrights and Licenses, Prev: Migration, Up: Top Appendix A Acknowledgments ************************** -Eric Young wrote "libdes". Heimdal used to use libdes, without it -kth-krb would never have existed. Since there are no longer any Eric +Eric Young wrote "libdes". Heimdal used to use libdes, without it +kth-krb would never have existed. Since there are no longer any Eric Young code left in the library, we renamed it to libhcrypto. All functions in libhcrypto have been re-implemented or used available -public domain code. The core AES function where written by Vincent +public domain code. The core AES function where written by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto. The core DES SBOX -transformation was written by Richard Outerbridge. 'imath' that is used +transformation was written by Richard Outerbridge. `imath' that is used for public key crypto support is written by Michael J. Fromberger. -The University of California at Berkeley initially wrote 'telnet', and -'telnetd'. 
The authentication and encryption code of 'telnet' and -'telnetd' was added by David Borman (then of Cray Research, Inc). The +The University of California at Berkeley initially wrote `telnet', and +`telnetd'. The authentication and encryption code of `telnet' and +`telnetd' was added by David Borman (then of Cray Research, Inc). The encryption code was removed when this was exported and then added back by Juha Eskelinen. -The 'popper' was also a Berkeley program initially. +The `popper' was also a Berkeley program initially. -Some of the functions in 'libroken' also come from Berkeley by way of +Some of the functions in `libroken' also come from Berkeley by way of NetBSD/FreeBSD. -'editline' was written by Simmule Turner and Rich Salz. Heimdal +`editline' was written by Simmule Turner and Rich Salz. Heimdal contains a modifed copy. -The 'getifaddrs' implementation for Linux was written by Hideaki +The `getifaddrs' implementation for Linux was written by Hideaki YOSHIFUJI for the Usagi project. -The 'pkcs11.h' headerfile was written by the Scute project. +The `pkcs11.h' headerfile was written by the Scute project. Bugfixes, documentation, encouragement, and code has been contributed by: Alexander Boström + Allan McRae + Andrew Bartlett + Andrew Cobaugh + Andrew Tridge + Anton Lundin + Asanka Herath + Björn Grönvall + Björn Sandell + Björn Schlögl + Brandon S. Allbery KF8NH + Brian A May + Buck Huppmann + Cacdric Schieli + Chaskiel M Grundman + Christos Zoulas + Cizzi Storm + Daniel Kouril + David Love + David Markey + David R Boldt + Derrick J Brashear + Donald Norwood + Douglas E Engert + Frank van der Linden + Gabor Gombas + Guido Günther + Guillaume Rousse + Harald Barth + Ingo Schwarze + Jacques A. 
Vidrine + Jaideep Padhye + Jan Rekorajski + Jason McIntyre + Jeffrey Altman + Jelmer Vernooij + Joerg Pulz + Johan Danielsson + Johan Gadsjö + Johan Ihrén + John Center + Julian Ospald + Jun-ichiro itojun Hagino + KAMADA Ken'ichi + Kamen Mazdrashki + Karolin Seeger + Ken Hornstein + Love Hörnquist Ã…strand + Luke Howard + Magnus Ahltorp + Magnus Holmberg + Marc Horowitz + Mario Strasser + Mark Eichin + Martin von Gagern + Matthias Dieter Wallnöfer + Matthieu Patou + Mattias Amnefelt + Michael B Allen + Michael Fromberger + Michal Vocu + Milosz Kmieciak + Miroslav Ruda + Mustafa A. Hashmi + Nicolas Williams + Patrik Lundin + Petr Holub + Phil Fisher + Rafal Malinowski + Ragnar Sundblad + Rainer Toebbicke + Richard Nyberg + Roland C. Dowdeswell + Roman Divacky + Russ Allbery + Sho Hosoda, ç´°ç”° å°† + Simon Wilkinson + Stefan Metzmacher + Ted Percival + Timothy Pearson + Tom Payerle + Victor Guerra + Zeqing Xia + Ã…ke Sandgren + and we hope that those not mentioned here will forgive us. All bugs were introduced by ourselves. @@ -2915,7 +3028,8 @@ Kungliga Tekniska Högskolan ============================ -Copyright (c) 1997-2011 Kungliga Tekniska Högskolan + +Copyright (c) 1997-2011 Kungliga Tekniska Högskolan (Royal Institute of Technology, Stockholm, Sweden). All rights reserved. @@ -2948,13 +3062,13 @@ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - Massachusetts Institute of Technology ===================================== The parts of the libtelnet that handle Kerberos. + Copyright (C) 1990 by the Massachusetts Institute of Technology Export of this software from the United States of America may 
@@ -2973,13 +3087,13 @@ permission. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. - The Regents of the University of California =========================================== The parts of the libroken, most of libtelnet, telnet, ftp, and popper. + Copyright (c) 1988, 1990, 1993 The Regents of the University of California. All rights reserved. @@ -3010,13 +3124,13 @@ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - The Regents of the University of California. ============================================ libedit + Copyright (c) 1992, 1993 The Regents of the University of California. All rights reserved. @@ -3047,15 +3161,14 @@ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - TomsFastMath / LibTomMath ========================= Tom's fast math (bignum support) and LibTomMath -LibTomMath is hereby released into the Public Domain. +LibTomMath is hereby released into the Public Domain. Doug Rabson =========== @@ -3063,6 +3176,7 @@ Doug Rabson GSS-API mechglue layer. + Copyright (c) 2005 Doug Rabson All rights reserved. @@ -3087,15 +3201,17 @@ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - PADL Software Pty Ltd ===================== GSS-API CFX, SPNEGO, naming extensions, API extensions. + KCM credential cache. + HDB LDAP backend. + Copyright (c) 2003-2011, PADL Software Pty Ltd. Copyright (c) 2004, Andrew Bartlett. Copyright (c) 2003 - 2008, Kungliga Tekniska Högskolan 
@@ -3129,13 +3245,13 @@ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - Marko Kreen =========== Fortuna in libhcrypto + Copyright (c) 2005 Marko Kreen All rights reserved. @@ -3160,13 +3276,13 @@ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - NTT (Nippon Telegraph and Telephone Corporation) ================================================ Camellia in libhcrypto + Copyright (c) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation) . All rights reserved. @@ -3191,13 +3307,13 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - The NetBSD Foundation, Inc. =========================== vis.c in libroken + Copyright (c) 1999, 2005 The NetBSD Foundation, Inc. All rights reserved. @@ -3222,13 +3338,13 @@ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - Vincent Rijmen, Antoon Bosselaers, Paulo Barreto ================================================ AES in libhcrypto + rijndael-alg-fst.c @version 3.0 (December 2000) @@ -3253,13 +3369,13 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - Apple, Inc ========== kdc/announce.c + Copyright (c) 2008 Apple Inc. All Rights Reserved. Export of this software from the United States of America may require 
@@ -3282,14 +3398,14 @@ THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. - Richard Outerbridge =================== DES core in libhcrypto -D3DES (V5.09) - + +D3DES (V5.09) - A portable, public domain, version of the Data Encryption Standard. @@ -3297,19 +3413,18 @@ Written with Symantec's THINK (Lightspeed) C by Richard Outerbridge. Thanks to: Dan Hoey for his excellent Initial and Inverse permutation code; Jim Gillogly & Phil Karn for the DES key schedule code; Dennis Ferguson, Eric Young and Dana How for comparing notes; and Ray Lau, -for humouring me on. +for humouring me on. Copyright (c) 1988,1989,1990,1991,1992 by Richard Outerbridge. (GEnie : OUTER; CIS : [71755,204]) Graven Imagery, 1992. - - Secure Endpoints Inc ==================== Windows support + Copyright (c) 2009-2015, Secure Endpoints Inc. All rights reserved. @@ -3338,13 +3453,13 @@ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - Novell, Inc =========== lib/hcrypto/test_dh.c + Copyright (c) 2007, Novell, Inc. Author: Matthias Koenig <mkoenig@suse.de> 
@@ -3377,57 +3492,55 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - Tag Table: Node: Top211 -Node: Introduction1689 -Node: What is Kerberos?4418 -Node: Building and Installing9518 -Node: Setting up a realm9845 -Node: Configuration file10797 -Node: Creating the database13877 -Node: Modifying the database17536 -Node: Checking the setup19129 -Node: keytabs19987 -Node: Remote administration20845 -Node: Password changing22758 -Node: Testing clients and servers26949 -Node: Slave Servers27277 -Node: Incremental propagation29032 -Node: Encryption types and salting32754 -Node: Credential cache server - KCM34937 -Node: Cross realm36922 -Node: Transit policy39476 -Node: Setting up DNS46258 -Node: Using LDAP to store the database48739 -Node: Providing Kerberos credentials to servers and programs55598 -Node: Setting up PK-INIT57705 -Ref: Use OpenSSL to create certificates68970 -Node: Debugging Kerberos problems71512 -Node: Applications71944 -Node: Authentication modules72144 -Node: Digital SIA72739 -Node: IRIX77134 -Node: AFS78428 -Node: Things in search for a better place82188 -Node: Kerberos 4 issues84926 -Node: Principal conversion issues85274 -Ref: Principal conversion issues-Footnote-187518 -Ref: Principal conversion issues-Footnote-287589 -Node: Converting a version 4 database87645 -Node: Windows compatibility91968 -Node: Configuring Windows to use a Heimdal KDC93057 -Node: Inter-Realm keys (trust) between Windows and a Heimdal KDC95132 -Node: Create account mappings98807 -Node: Encryption types99562 -Node: Authorisation data100162 -Node: Quirks of Windows 2000 KDC101301 -Node: Useful links when reading about the Windows102596 -Node: Programming with Kerberos104399 -Node: Migration104649 -Node: Acknowledgments107290 -Node: Copyrights and Licenses110169 +Node: Introduction1690 +Node: What is Kerberos?4436 +Node: Building and Installing9549 +Node: Setting up a realm9876 +Node: Configuration file10828 +Node: 
Creating the database13897 +Node: Modifying the database17550 +Node: Checking the setup19143 +Node: keytabs19998 +Node: Remote administration20856 +Node: Password changing22762 +Node: Testing clients and servers26950 +Node: Slave Servers27278 +Node: Incremental propagation29031 +Node: Encryption types and salting32750 +Node: Credential cache server - KCM34927 +Node: Cross realm36911 +Node: Transit policy39457 +Node: Setting up DNS46234 +Node: Using LDAP to store the database48709 +Node: Providing Kerberos credentials to servers and programs55560 +Node: Setting up PK-INIT57658 +Ref: Use OpenSSL to create certificates68891 +Node: Debugging Kerberos problems71429 +Node: Applications71860 +Node: Authentication modules72060 +Node: Digital SIA72654 +Node: IRIX77038 +Node: AFS78328 +Node: Things in search for a better place82082 +Node: Kerberos 4 issues84811 +Node: Principal conversion issues85159 +Ref: Principal conversion issues-Footnote-187390 +Ref: Principal conversion issues-Footnote-287458 +Node: Converting a version 4 database87511 +Node: Windows compatibility91824 +Node: Configuring Windows to use a Heimdal KDC92910 +Node: Inter-Realm keys (trust) between Windows and a Heimdal KDC94980 +Node: Create account mappings98651 +Node: Encryption types99403 +Node: Authorisation data100003 +Node: Quirks of Windows 2000 KDC101150 +Node: Useful links when reading about the Windows102444 +Node: Programming with Kerberos104248 +Node: Migration104498 +Node: Acknowledgments107141 +Node: Copyrights and Licenses110099 End Tag Table diff --git a/doc/hx509.info b/doc/hx509.info index 65d144367a3c..aeffd6dc30a6 100644 --- a/doc/hx509.info +++ b/doc/hx509.info @@ -11,7 +11,7 @@ File: hx509.info, Node: Top, Next: Introduction, Prev: (dir), Up: (dir) Heimdal ******* -This manual is for version 7.5.0 of hx509. +This manual is for version 7.7.0 of hx509. * Menu: diff --git a/doc/mdate-sh b/doc/mdate-sh index 37171f21fbd9..37171f21fbd9 100755..100644 --- a/doc/mdate-sh +++ b/doc/mdate-sh 
diff --git a/doc/vars.texi b/doc/vars.texi index da24f01d16af..80fb1fa82df8 100755 --- a/doc/vars.texi +++ b/doc/vars.texi @@ -5,4 +5,4 @@ @set dbdir /var/heimdal @set dbtype db3 -@set PACKAGE_VERSION 7.5.0 +@set PACKAGE_VERSION 7.7.0 diff --git a/include/config.h.in b/include/config.h.in index d17b75ef1278..b6f43fd22998 100644 --- a/include/config.h.in +++ b/include/config.h.in @@ -1524,6 +1524,9 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define to get POSIX getpwnam_r in some systems. */ #undef _POSIX_PTHREAD_SEMANTICS +/* Enable C11 prototypes for memset_s and friends */ +#undef _STDC_C11_BCI + /* Enable general extensions on Solaris. */ #undef __EXTENSIONS__ diff --git a/include/heim_threads.h b/include/heim_threads.h index c1ebbaca30b4..f337ac1677ad 100644 --- a/include/heim_threads.h +++ b/include/heim_threads.h @@ -52,7 +52,7 @@ #else -#if defined(__clang__) || defined(__GNUC__) || defined(__SUNPRO_CC) +#if defined(__clang__) || defined(__GNUC__) || defined(__SUNPRO_C) #define HEIMDAL_THREAD_LOCAL __thread #else #error "thread-local attribute not defined for your compiler" diff --git a/kadmin/cpw.c b/kadmin/cpw.c index 425575d8953c..28cd30b52b16 100644 --- a/kadmin/cpw.c +++ b/kadmin/cpw.c @@ -76,7 +76,7 @@ set_random_password (krb5_principal principal, int keepold) printf ("%s's password set to \"%s\"\n", princ_name, pw); free (princ_name); } - memset (pw, 0, sizeof(pw)); + memset_s(pw, sizeof(pw), 0, sizeof(pw)); return ret; } @@ -108,7 +108,7 @@ set_password (krb5_principal principal, char *password, int keepold) if(ret == 0) ret = kadm5_chpass_principal_3(kadm_handle, principal, keepold, 0, NULL, password); - memset(pwbuf, 0, sizeof(pwbuf)); + memset_s(pwbuf, sizeof(pwbuf), 0, sizeof(pwbuf)); return ret; } diff --git a/kadmin/kadmin.1 b/kadmin/kadmin.1 index ef5c87e434c1..296f9f8004f2 100644 --- a/kadmin/kadmin.1 +++ b/kadmin/kadmin.1 
@@ -250,7 +250,7 @@ kadmin -l modify -a -disallow-proxiable user Changes the password of an existing principal. .Ed .Pp -.Nm password-quality +.Nm verify-password-quality .Ar principal .Ar password .Bd -ragged -offset indent @@ -258,7 +258,13 @@ Run the password quality check function locally. You can run this on the host that is configured to run the kadmind process to verify that your configuration file is correct. The verification is done locally, if kadmin is run in remote mode, -no rpc call is done to the server. +no rpc call is done to the server. NOTE: if the environment has +verify-password-quality configured to use a back-end that stores +password history (such as heimdal-history), running +verify-quality-password will cause an update to the password +database meaning that merely verifying the quality of the password +using verify-quality-password invalidates the use of that +principal/password in the future. .Ed .Pp .Nm privileges diff --git a/kadmin/kadmin.cat1 b/kadmin/kadmin.cat1 index 0c6c0405cfd1..e93a1ee6a74a 100644 --- a/kadmin/kadmin.cat1 +++ b/kadmin/kadmin.cat1 
@@ -125,13 +125,18 @@ DDEESSCCRRIIPPTTIIOONN Changes the password of an existing principal. - ppaasssswwoorrdd--qquuaalliittyy _p_r_i_n_c_i_p_a_l _p_a_s_s_w_o_r_d + vveerriiffyy--ppaasssswwoorrdd--qquuaalliittyy _p_r_i_n_c_i_p_a_l _p_a_s_s_w_o_r_d Run the password quality check function locally. You can run this on the host that is configured to run the kadmind process to verify that your configuration file is correct. The verification is done locally, if kadmin is run in remote mode, no rpc call is done to - the server. + the server. NOTE: if the environment has verify-password-quality + configured to use a back-end that stores password history (such as + heimdal-history), running verify-quality-password will cause an + update to the password database meaning that merely verifying the + quality of the password using verify-quality-password invalidates + the use of that principal/password in the future. pprriivviilleeggeess diff --git a/kadmin/kadmind.8 b/kadmin/kadmind.8 index f66615932c3a..411fc5f9a89f 100644 --- a/kadmin/kadmind.8 +++ b/kadmin/kadmind.8 @@ -109,7 +109,7 @@ get .It get-keys .It -all +all (everything except get-keys) .El .Pp And the optional diff --git a/kadmin/kadmind.cat8 b/kadmin/kadmind.cat8 index d1607c9a4e4c..b344db7c270d 100644 --- a/kadmin/kadmind.cat8 +++ b/kadmin/kadmind.cat8 @@ -38,7 +38,7 @@ DDEESSCCRRIIPPTTIIOONN ++oo add ++oo get ++oo get-keys - ++oo all + ++oo all (everything except get-keys) And the optional _p_r_i_n_c_i_p_a_l_-_p_a_t_t_e_r_n restricts the rights to operations on principals that match the glob-style pattern. diff --git a/kadmin/load.c b/kadmin/load.c index f448710b8646..a9273dbf20f1 100644 --- a/kadmin/load.c +++ b/kadmin/load.c @@ -453,6 +453,7 @@ doit(const char *filename, int mergep) fclose(f); return 1; } + (void) db->hdb_set_sync(context, db, 0); for (lineno = 1; (ret2 = my_fgetln(f, &line, &linesz, &linelen)) == 0 && linelen > 0; ++lineno) { 
@@ -608,7 +609,10 @@ doit(const char *filename, int mergep) } free(line); if (ret2) - ret = ret2; + ret = ret2; + ret2 = db->hdb_set_sync(context, db, 1); + if (ret2) + krb5_err(context, 1, ret, "failed to sync the HDB"); (void) kadm5_log_end(kadm_handle); ret2 = db->hdb_close(context, db); if (ret2) diff --git a/kadmin/random_password.c b/kadmin/random_password.c index 970e99d34adb..bf8bf8b3f1c0 100644 --- a/kadmin/random_password.c +++ b/kadmin/random_password.c @@ -68,7 +68,8 @@ random_password(char *pw, size_t len) "ABCDEFGHIJKLMNOPQRSTUVWXYZ", 2, "@$%&*()-+=:,/<>1234567890", 1); strlcpy(pw, pass, len); - memset(pass, 0, strlen(pass)); + len = strlen(pass); + memset_s(pass, len, 0, len); free(pass); #endif } @@ -155,7 +156,7 @@ generate_password(char **pw, int num_classes, ...) } } (*pw)[len] = '\0'; - memset(rbuf, 0, sizeof(rbuf)); + memset_s(rbuf, sizeof(rbuf), 0, sizeof(rbuf)); free(classes); } #endif diff --git a/kdc/connect.c b/kdc/connect.c index 7b45103f6b7a..85e822c9496d 100644 --- a/kdc/connect.c +++ b/kdc/connect.c @@ -1132,7 +1132,7 @@ start_kdc(krb5_context context, * on their end and be able to cleanly exit. */ - if (socketpair(PF_LOCAL, SOCK_STREAM, 0, islive) == -1) + if (socketpair(PF_UNIX, SOCK_STREAM, 0, islive) == -1) krb5_errx(context, 1, "socketpair"); socket_set_nonblocking(islive[1], 1); #endif diff --git a/kdc/hprop.8 b/kdc/hprop.8 index 973235f2ae4c..2746e1d8fccc 100644 --- a/kdc/hprop.8 +++ b/kdc/hprop.8 @@ -115,7 +115,8 @@ The encryption keys in the database can either be in clear, or encrypted with a master key. This option transmits the database with unencrypted keys. .It Fl E , Fl Fl encrypt -This option transmits the database with encrypted keys. +This option transmits the database with encrypted keys. This is the +default if no option is supplied. .It Fl n , Fl Fl stdout Dump the database on stdout, in a format that can be fed to hpropd. .El diff --git a/kdc/hprop.cat8 b/kdc/hprop.cat8 index 804dcf9db4e3..b56f8d2f80d7 100644 
--- a/kdc/hprop.cat8 +++ b/kdc/hprop.cat8 @@ -49,7 +49,8 @@ DDEESSCCRRIIPPTTIIOONN with unencrypted keys. --EE, ----eennccrryypptt - This option transmits the database with encrypted keys. + This option transmits the database with encrypted keys. This is + the default if no option is supplied. --nn, ----ssttddoouutt Dump the database on stdout, in a format that can be fed to diff --git a/kdc/kdc-private.h b/kdc/kdc-private.h index c64940492a2a..342fa48b662b 100644 --- a/kdc/kdc-private.h +++ b/kdc/kdc-private.h @@ -10,7 +10,7 @@ _kdc_add_KRB5SignedPath ( krb5_kdc_configuration */*config*/, hdb_entry_ex */*krbtgt*/, krb5_enctype /*enctype*/, - krb5_principal /*client*/, + krb5_const_principal /*client*/, krb5_const_principal /*server*/, krb5_principals /*principals*/, EncTicketPart */*tkt*/); @@ -49,6 +49,13 @@ _kdc_check_addresses ( const struct sockaddr */*from*/); krb5_error_code +_kdc_check_anon_policy ( + krb5_context /*context*/, + krb5_kdc_configuration */*config*/, + hdb_entry_ex */*client*/, + hdb_entry_ex */*server*/); + +krb5_error_code _kdc_db_fetch ( krb5_context /*context*/, krb5_kdc_configuration */*config*/, @@ -173,12 +180,9 @@ _kdc_get_preferred_key ( Key **/*key*/); krb5_boolean -_kdc_is_anon_request (const KDC_REQ_BODY */*b*/); - -krb5_boolean _kdc_is_anonymous ( krb5_context /*context*/, - krb5_principal /*principal*/); + krb5_const_principal /*principal*/); krb5_boolean _kdc_is_weak_exception ( diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index 675b406b8277..9c3e54f78b12 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c 
@@ -116,6 +116,23 @@ is_default_salt_p(const krb5_salt *default_salt, const Key *key) return TRUE; } + +static krb5_boolean +is_anon_as_request_p(kdc_request_t r) +{ + KDC_REQ_BODY *b = &r->req.req_body; + + /* + * Versions of Heimdal from 0.9rc1 through 1.50 use bit 14 instead + * of 16 for request_anonymous, as indicated in the anonymous draft + * prior to version 11. Bit 14 is assigned to S4U2Proxy, but S4U2Proxy + * requests are only sent to the TGS and, in any case, would have an + * additional ticket present. + */ + return b->kdc_options.request_anonymous || + (b->kdc_options.cname_in_addl_tkt && !b->additional_tickets); +} + /* * return the first appropriate key of `princ' in `ret_key'. Look for * all the etypes in (`etypes', `len'), stopping as soon as we find @@ -248,18 +265,30 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key, krb5_error_code _kdc_make_anonymous_principalname (PrincipalName *pn) { - pn->name_type = KRB5_NT_PRINCIPAL; - pn->name_string.len = 1; - pn->name_string.val = malloc(sizeof(*pn->name_string.val)); + pn->name_type = KRB5_NT_WELLKNOWN; + pn->name_string.len = 2; + pn->name_string.val = calloc(2, sizeof(*pn->name_string.val)); if (pn->name_string.val == NULL) - return ENOMEM; - pn->name_string.val[0] = strdup("anonymous"); - if (pn->name_string.val[0] == NULL) { - free(pn->name_string.val); - pn->name_string.val = NULL; - return ENOMEM; - } + goto failed; + + pn->name_string.val[0] = strdup(KRB5_WELLKNOWN_NAME); + if (pn->name_string.val[0] == NULL) + goto failed; + + pn->name_string.val[1] = strdup(KRB5_ANON_NAME); + if (pn->name_string.val[1] == NULL) + goto failed; + return 0; + +failed: + free_PrincipalName(pn); + + pn->name_type = KRB5_NT_UNKNOWN; + pn->name_string.len = 0; + pn->name_string.val = NULL; + + return ENOMEM; } static void 
@@ -422,7 +451,6 @@ static krb5_error_code pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa) { krb5_data pepper1, pepper2, ts_data; - KDC_REQ_BODY *b = &r->req.req_body; int invalidPassword = 0; EncryptedData enc_data; krb5_enctype aenctype; @@ -433,7 +461,7 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa) heim_assert(r->armor_crypto != NULL, "ENC-CHAL called for non FAST"); - if (_kdc_is_anon_request(b)) { + if (is_anon_as_request_p(r)) { ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; kdc_log(r->context, r->config, 0, "ENC-CHALL doesn't support anon"); return ret; @@ -582,12 +610,6 @@ pa_enc_ts_validate(kdc_request_t r, const PA_DATA *pa) Key *pa_key; char *str; - if (_kdc_is_anon_request(&r->req.req_body)) { - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - _kdc_set_e_text(r, "ENC-TS doesn't support anon"); - goto out; - } - ret = decode_EncryptedData(pa->padata_value.data, pa->padata_value.length, &enc_data, @@ -1472,6 +1494,24 @@ _kdc_check_addresses(krb5_context context, /* * */ +krb5_error_code +_kdc_check_anon_policy (krb5_context context, + krb5_kdc_configuration *config, + hdb_entry_ex *client, + hdb_entry_ex *server) +{ + if (!config->allow_anonymous){ + kdc_log(context, config, 0, + "Request for anonymous ticket denied by local policy"); + return KRB5KDC_ERR_POLICY; + } + + return 0; +} + +/* + * + */ static krb5_boolean send_pac_p(krb5_context context, KDC_REQ *req) 
@@ -1543,15 +1583,9 @@ generate_pac(kdc_request_t r, Key *skey) */ krb5_boolean -_kdc_is_anonymous(krb5_context context, krb5_principal principal) +_kdc_is_anonymous(krb5_context context, krb5_const_principal principal) { - if ((principal->name.name_type != KRB5_NT_WELLKNOWN && - principal->name.name_type != KRB5_NT_UNKNOWN) || - principal->name.name_string.len != 2 || - strcmp(principal->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 || - strcmp(principal->name.name_string.val[1], KRB5_ANON_NAME) != 0) - return 0; - return 1; + return krb5_principal_is_anonymous(context, principal, KRB5_ANON_MATCH_ANY); } static int @@ -1695,17 +1729,10 @@ _kdc_as_rep(kdc_request_t r, * */ - if (_kdc_is_anonymous(context, r->client_princ)) { - if (!_kdc_is_anon_request(b)) { - kdc_log(context, config, 0, "Anonymous ticket w/o anonymous flag"); - ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; - goto out; - } - } else if (_kdc_is_anon_request(b)) { - kdc_log(context, config, 0, - "Request for a anonymous ticket with non " - "anonymous client name: %s", r->client_name); - ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; + if (_kdc_is_anonymous(context, r->client_princ) && + !is_anon_as_request_p(r)) { + kdc_log(context, config, 0, "Anonymous client w/o anonymous flag"); + ret = KRB5KDC_ERR_BADOPTION; goto out; } @@ -1876,7 +1903,7 @@ _kdc_as_rep(kdc_request_t r, * send requre preauth is its required or anon is requested, * anon is today only allowed via preauth mechanisms. */ - if (require_preauth_p(r) || _kdc_is_anon_request(b)) { + if (require_preauth_p(r) || is_anon_as_request_p(r)) { ret = KRB5KDC_ERR_PREAUTH_REQUIRED; _kdc_set_e_text(r, "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ"); goto out; 
@@ -1909,6 +1936,16 @@ _kdc_as_rep(kdc_request_t r, if(ret) goto out; + if (is_anon_as_request_p(r)) { + ret = _kdc_check_anon_policy(context, config, r->client, r->server); + if (ret) { + _kdc_set_e_text(r, "Anonymous ticket requests are disabled"); + goto out; + } + + r->et.flags.anonymous = 1; + } + /* * Select the best encryption type for the KDC with out regard to * the client since the client never needs to read that data. @@ -1920,8 +1957,7 @@ _kdc_as_rep(kdc_request_t r, if(ret) goto out; - if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey - || (_kdc_is_anon_request(b) && !config->allow_anonymous)) { + if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey) { ret = KRB5KDC_ERR_BADOPTION; _kdc_set_e_text(r, "Bad KDC options"); goto out; @@ -1935,18 +1971,23 @@ _kdc_as_rep(kdc_request_t r, rep.msg_type = krb_as_rep; if (_kdc_is_anonymous(context, r->client_princ)) { - Realm anon_realm=KRB5_ANON_REALM; + Realm anon_realm = KRB5_ANON_REALM; ret = copy_Realm(&anon_realm, &rep.crealm); } else ret = copy_Realm(&r->client->entry.principal->realm, &rep.crealm); if (ret) goto out; - ret = _krb5_principal2principalname(&rep.cname, r->client->entry.principal); + if (r->et.flags.anonymous) + ret = _kdc_make_anonymous_principalname(&rep.cname); + else + ret = _krb5_principal2principalname(&rep.cname, r->client->entry.principal); if (ret) goto out; rep.ticket.tkt_vno = 5; - copy_Realm(&r->server->entry.principal->realm, &rep.ticket.realm); + ret = copy_Realm(&r->server->entry.principal->realm, &rep.ticket.realm); + if (ret) + goto out; _krb5_principal2principalname(&rep.ticket.sname, r->server->entry.principal); /* java 1.6 expects the name to be the same type, lets allow that @@ -2044,9 +2085,6 @@ _kdc_as_rep(kdc_request_t r, } } - if (_kdc_is_anon_request(b)) - r->et.flags.anonymous = 1; - if(b->addresses){ ALLOC(r->et.caddr); copy_HostAddresses(b->addresses, r->et.caddr); 
@@ -2111,8 +2149,12 @@ _kdc_as_rep(kdc_request_t r, ALLOC(r->ek.renew_till); *r->ek.renew_till = *r->et.renew_till; } - copy_Realm(&rep.ticket.realm, &r->ek.srealm); - copy_PrincipalName(&rep.ticket.sname, &r->ek.sname); + ret = copy_Realm(&rep.ticket.realm, &r->ek.srealm); + if (ret) + goto out; + ret = copy_PrincipalName(&rep.ticket.sname, &r->ek.sname); + if (ret) + goto out; if(r->et.caddr){ ALLOC(r->ek.caddr); copy_HostAddresses(r->et.caddr, r->ek.caddr); @@ -2155,24 +2197,34 @@ _kdc_as_rep(kdc_request_t r, } /* Add the PAC */ - if (send_pac_p(context, req)) { + if (send_pac_p(context, req) && !r->et.flags.anonymous) { generate_pac(r, skey); } _kdc_log_timestamp(context, config, "AS-REQ", r->et.authtime, r->et.starttime, r->et.endtime, r->et.renew_till); - /* do this as the last thing since this signs the EncTicketPart */ - ret = _kdc_add_KRB5SignedPath(context, - config, - r->server, - setype, - r->client->entry.principal, - NULL, - NULL, - &r->et); - if (ret) - goto out; + { + krb5_principal client_principal; + + ret = _krb5_principalname2krb5_principal(context, &client_principal, + rep.cname, rep.crealm); + if (ret) + goto out; + + /* do this as the last thing since this signs the EncTicketPart */ + ret = _kdc_add_KRB5SignedPath(context, + config, + r->server, + setype, + client_principal, + NULL, + NULL, + &r->et); + krb5_free_principal(context, client_principal); + if (ret) + goto out; + } log_as_req(context, config, r->reply_key.keytype, setype, b); 
@@ -2340,14 +2392,3 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context, return 0; } - -krb5_boolean -_kdc_is_anon_request(const KDC_REQ_BODY *b) -{ - /* some versions of heimdal use bit 14 instead of 16 for - request_anonymous, as indicated in the anonymous draft prior to - version 11. Bit 14 is assigned to S4U2Proxy, but all S4U2Proxy - requests will have a second ticket; don't consider those anonymous */ - return (b->kdc_options.request_anonymous || - (b->kdc_options.constrained_delegation && !b->additional_tickets)); -} diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c index b6ccb68ed3b0..bea20c74b0e8 100644 --- a/kdc/krb5tgs.c +++ b/kdc/krb5tgs.c @@ -104,7 +104,7 @@ _kdc_add_KRB5SignedPath(krb5_context context, krb5_kdc_configuration *config, hdb_entry_ex *krbtgt, krb5_enctype enctype, - krb5_principal client, + krb5_const_principal client, krb5_const_principal server, krb5_principals principals, EncTicketPart *tkt) @@ -124,7 +124,7 @@ _kdc_add_KRB5SignedPath(krb5_context context, { KRB5SignedPathData spd; - spd.client = client; + spd.client = rk_UNCONST(client); spd.authtime = tkt->authtime; spd.delegated = principals; spd.method_data = NULL; @@ -366,6 +366,24 @@ check_PAC(krb5_context context, return 0; } +static krb5_boolean +is_anon_tgs_request_p(const KDC_REQ_BODY *b, + const EncTicketPart *tgt) +{ + KDCOptions f = b->kdc_options; + + /* + * Versions of Heimdal from 1.0 to 7.6, inclusive, send both the + * request-anonymous and cname-in-addl-tkt flags for constrained + * delegation requests. A true anonymous TGS request will only + * have the request-anonymous flag set. (A corollary of this is + * that it is not possible to support anonymous constrained + * delegation requests, although they would be of limited utility.) + */ + return tgt->flags.anonymous || + (f.request_anonymous && !f.cname_in_addl_tkt && !b->additional_tickets); +} + /* * */ 
@@ -373,7 +391,10 @@ check_PAC(krb5_context context, static krb5_error_code check_tgs_flags(krb5_context context, krb5_kdc_configuration *config, - KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et) + KDC_REQ_BODY *b, + krb5_const_principal tgt_name, + const EncTicketPart *tgt, + EncTicketPart *et) { KDCOptions f = b->kdc_options; @@ -487,14 +508,25 @@ check_tgs_flags(krb5_context context, et->endtime = min(*et->renew_till, et->endtime); } -#if 0 - /* checks for excess flags */ - if(f.request_anonymous && !config->allow_anonymous){ + /* + * RFC 8062 section 3 defines an anonymous ticket as one containing + * the anonymous principal and the anonymous ticket flag. + */ + if (tgt->flags.anonymous && + !_kdc_is_anonymous(context, tgt_name)) { kdc_log(context, config, 0, - "Request for anonymous ticket"); + "Anonymous ticket flag set without anonymous principal"); return KRB5KDC_ERR_BADOPTION; } -#endif + + /* + * RFC 8062 section 4.2 states that if the TGT is anonymous, the + * anonymous KDC option SHOULD be set, but it is not required. + * Treat an anonymous TGT as if the anonymous flag was set. + */ + if (is_anon_tgs_request_p(b, tgt)) + et->flags.anonymous = 1; + return 0; } @@ -770,7 +802,7 @@ tgs_make_reply(krb5_context context, ALLOC(et.starttime); *et.starttime = kdc_time; - ret = check_tgs_flags(context, config, b, tgt, &et); + ret = check_tgs_flags(context, config, b, tgt_name, tgt, &et); if(ret) goto out; 
@@ -807,15 +839,26 @@ tgs_make_reply(krb5_context context, if(ret) goto out; - copy_Realm(&server_principal->realm, &rep.ticket.realm); + ret = copy_Realm(&server_principal->realm, &rep.ticket.realm); + if (ret) + goto out; _krb5_principal2principalname(&rep.ticket.sname, server_principal); - copy_Realm(&tgt_name->realm, &rep.crealm); -/* - if (f.request_anonymous) - _kdc_make_anonymous_principalname (&rep.cname); - else */ + ret = copy_Realm(&tgt_name->realm, &rep.crealm); + if (ret) + goto out; - copy_PrincipalName(&tgt_name->name, &rep.cname); + /* + * RFC 8062 states "if the ticket in the TGS request is an anonymous + * one, the client and client realm are copied from that ticket". So + * whilst the TGT flag check below is superfluous, it is included in + * order to follow the specification to its letter. + */ + if (et.flags.anonymous && !tgt->flags.anonymous) + _kdc_make_anonymous_principalname(&rep.cname); + else + ret = copy_PrincipalName(&tgt_name->name, &rep.cname); + if (ret) + goto out; rep.ticket.tkt_vno = 5; ek.caddr = et.caddr; @@ -867,10 +910,15 @@ tgs_make_reply(krb5_context context, et.flags.pre_authent = tgt->flags.pre_authent; et.flags.hw_authent = tgt->flags.hw_authent; - et.flags.anonymous = tgt->flags.anonymous; et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate; - if(rspac->length) { + /* + * For anonymous tickets, we should filter out positive authorization data + * that could reveal the client's identity, and return a policy error for + * restrictive authorization data. Policy for unknown authorization types + * is implementation dependent. + */ + if (rspac->length && !et.flags.anonymous) { /* * No not need to filter out the any PAC from the * auth_data since it's signed by the KDC. 
@@ -920,8 +968,8 @@ tgs_make_reply(krb5_context context, ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key); if (ret) goto out; - et.crealm = tgt_name->realm; - et.cname = tgt_name->name; + et.crealm = rep.crealm; + et.cname = rep.cname; ek.key = et.key; /* MIT must have at least one last_req */ @@ -1988,6 +2036,13 @@ server_lookup: goto out; } + if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) { + free_PA_S4U2Self(&self); + kdc_log(context, config, 0, "Reject PA-S4U2Self with unkeyed checksum"); + ret = KRB5KRB_AP_ERR_INAPP_CKSUM; + goto out; + } + ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack); if (ret) goto out; @@ -2002,12 +2057,29 @@ server_lookup: goto out; } - ret = krb5_verify_checksum(context, - crypto, - KRB5_KU_OTHER_CKSUM, - datack.data, - datack.length, - &self.cksum); + /* Allow HMAC_MD5 checksum with any key type */ + if (self.cksum.cksumtype == CKSUMTYPE_HMAC_MD5) { + unsigned char csdata[16]; + Checksum cs; + + cs.checksum.length = sizeof(csdata); + cs.checksum.data = &csdata; + + ret = _krb5_HMAC_MD5_checksum(context, &crypto->key, + datack.data, datack.length, + KRB5_KU_OTHER_CKSUM, &cs); + if (ret == 0 && + krb5_data_ct_cmp(&cs.checksum, &self.cksum.checksum) != 0) + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; + } + else { + ret = krb5_verify_checksum(context, + crypto, + KRB5_KU_OTHER_CKSUM, + datack.data, + datack.length, + &self.cksum); + } krb5_data_free(&datack); krb5_crypto_destroy(context, crypto); if (ret) { @@ -2111,6 +2183,7 @@ server_lookup: if (client != NULL && b->additional_tickets != NULL && b->additional_tickets->len != 0 + && b->kdc_options.cname_in_addl_tkt && b->kdc_options.enc_tkt_in_skey == 0) { int ad_signedpath = 0; 
@@ -2279,6 +2352,13 @@ server_lookup: goto out; } + /* check local and per-principal anonymous ticket issuance policy */ + if (is_anon_tgs_request_p(b, tgt)) { + ret = _kdc_check_anon_policy(context, config, client, server); + if (ret) + goto out; + } + /* * If this is an referral, add server referral data to the * auth_data reply . diff --git a/kdc/pkinit.c b/kdc/pkinit.c index 28333fc565b4..4060c0ba6617 100644 --- a/kdc/pkinit.c +++ b/kdc/pkinit.c @@ -477,7 +477,7 @@ _kdc_pk_rd_padata(krb5_context context, type = "PK-INIT-Win2k"; - if (_kdc_is_anon_request(&req->req_body)) { + if (_kdc_is_anonymous(context, client->entry.principal)) { ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED; krb5_set_error_message(context, ret, "Anon not supported in RSA mode"); @@ -623,7 +623,7 @@ _kdc_pk_rd_padata(krb5_context context, hx509_certs signer_certs; int flags = HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH; /* BTMM */ - if (_kdc_is_anon_request(&req->req_body)) + if (_kdc_is_anonymous(context, client->entry.principal)) flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER; ret = hx509_cms_verify_signed(context->hx509ctx, @@ -708,7 +708,7 @@ _kdc_pk_rd_padata(krb5_context context, goto out; } - if (_kdc_is_anon_request(&req->req_body) && + if (_kdc_is_anonymous(context, client->entry.principal) && ap.clientPublicValue == NULL) { free_AuthPack(&ap); ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED; @@ -1676,8 +1676,10 @@ _kdc_pk_check_client(krb5_context context, size_t i; if (cp->cert == NULL) { + if (!_kdc_is_anonymous(context, client->entry.principal)) + return KRB5KDC_ERR_BADOPTION; - *subject_name = strdup("anonymous client client"); + *subject_name = strdup("<unauthenticated anonymous client>"); if (*subject_name == NULL) return ENOMEM; return 0; diff --git a/kuser/kgetcred.1 b/kuser/kgetcred.1 index 5bc5762903fe..c8473ab99a5e 100644 --- a/kuser/kgetcred.1 +++ b/kuser/kgetcred.1 
@@ -58,6 +58,7 @@ .Op Fl Fl no-transit-check .Op Fl Fl no-store .Op Fl Fl cached-only +.Op Fl n \*(Ba Fl Fl anonymous .Op Fl Fl version .Op Fl Fl help .Ar principal @@ -135,6 +136,8 @@ requests that the KDC doesn't do transit checking. do not store tickets in the ccache. .It Fl Fl cached-only do not talk the TGS, search only the ccache. +.It Fl Fl anonymous +obtain an anonymous service ticket. .It Fl Fl forwardable .It Fl Fl debug enables debug output to stderr. diff --git a/kuser/kgetcred.c b/kuser/kgetcred.c index b95bc9d05e2e..92eb770990c5 100644 --- a/kuser/kgetcred.c +++ b/kuser/kgetcred.c @@ -46,6 +46,7 @@ static char *impersonate_str; static char *nametype_str; static int store_flag = 1; static int cached_only_flag; +static int anonymous_flag; static int debug_flag; static int version_flag; static int help_flag; @@ -76,6 +77,8 @@ struct getargs args[] = { NP_("don't store the tickets obtained in the cache", ""), NULL }, { "cached-only", 0, arg_flag, &cached_only_flag, NP_("don't talk to the KDC, just search the cache", ""), NULL }, + { "anonymous", 'n', arg_flag, &anonymous_flag, + NP_("request an anonymous ticket", ""), NULL }, { "debug", 0, arg_flag, &debug_flag, NULL, NULL }, { "version", 0, arg_flag, &version_flag, NULL, NULL }, { "help", 0, arg_flag, &help_flag, NULL, NULL } @@ -176,6 +179,8 @@ main(int argc, char **argv) krb5_get_creds_opt_add_options(context, opt, KRB5_GC_NO_STORE); if (cached_only_flag) krb5_get_creds_opt_add_options(context, opt, KRB5_GC_CACHED); + if (anonymous_flag) + krb5_get_creds_opt_add_options(context, opt, KRB5_GC_ANONYMOUS); if (delegation_cred_str) { krb5_ccache id; diff --git a/kuser/kgetcred.cat1 b/kuser/kgetcred.cat1 index c1c6ea212e66..cab2045d7d66 100644 --- a/kuser/kgetcred.cat1 +++ b/kuser/kgetcred.cat1 
@@ -8,7 +8,8 @@ SSYYNNOOPPSSIISS kkggeettccrreedd [----ccaannoonniiccaalliizzee] [----ccaannoonniiccaall] [--cc --ccaacchhee | ----ccaacchhee==_c_a_c_h_e] [--ee _e_n_c_t_y_p_e | ----eennccttyyppee==_e_n_c_t_y_p_e] [----ddeebbuugg] [--HH | ----hhoossttbbaasseedd] [----nnaammee--ttyyppee==_n_a_m_e_-_t_y_p_e] [----nnoo--ttrraannssiitt--cchheecckk] [----nnoo--ssttoorree] - [----ccaacchheedd--oonnllyy] [----vveerrssiioonn] [----hheellpp] _p_r_i_n_c_i_p_a_l + [----ccaacchheedd--oonnllyy] [--nn | ----aannoonnyymmoouuss] [----vveerrssiioonn] [----hheellpp] + _p_r_i_n_c_i_p_a_l kkggeettccrreedd [options] ----hhoossttbbaasseedd _p_r_i_n_c_i_p_a_l kkggeettccrreedd [options] ----hhoossttbbaasseedd _s_e_r_v_i_c_e _h_o_s_t_n_a_m_e _[_e_x_t_r_a_-_c_o_m_p_o_n_e_n_t_s_] @@ -76,6 +77,9 @@ DDEESSCCRRIIPPTTIIOONN ----ccaacchheedd--oonnllyy do not talk the TGS, search only the ccache. + ----aannoonnyymmoouuss + obtain an anonymous service ticket. + ----ffoorrwwaarrddaabbllee ----ddeebbuugg diff --git a/kuser/kimpersonate.c b/kuser/kimpersonate.c index d2a485b3f939..b1cefea0fd49 100644 --- a/kuser/kimpersonate.c +++ b/kuser/kimpersonate.c @@ -82,7 +82,9 @@ encode_ticket(krb5_context context, et.flags = cred->flags.b; et.key = cred->session; et.crealm = cred->client->realm; - copy_PrincipalName(&cred->client->name, &et.cname); + ret = copy_PrincipalName(&cred->client->name, &et.cname); + if (ret) + krb5_err(context, 1, ret, "copy_PrincipalName"); { krb5_data empty_string; @@ -127,7 +129,9 @@ encode_ticket(krb5_context context, ticket.tkt_vno = 5; ticket.realm = cred->server->realm; - copy_PrincipalName(&cred->server->name, &ticket.sname); + ret = copy_PrincipalName(&cred->server->name, &ticket.sname); + if (ret) + krb5_err(context, 1, ret, "copy_PrincipalName"); ASN1_MALLOC_ENCODE(Ticket, buf, len, &ticket, &size, ret); if(ret) diff --git a/kuser/kinit.1 b/kuser/kinit.1 index 697f61b0ae2c..65d733d96ee3 100644 --- a/kuser/kinit.1 +++ b/kuser/kinit.1 
@@ -82,7 +82,7 @@ .Op Fl Fl password-file= Ns Ar filename .Op Fl Fl fcache-version= Ns Ar version-number .Op Fl A | Fl Fl no-addresses -.Op Fl Fl anonymous +.Op Fl n | Fl Fl anonymous .Op Fl Fl enterprise .Op Fl Fl version .Op Fl Fl help @@ -165,10 +165,12 @@ in .Xr krb5.conf 5 . .It Fl A , Fl Fl no-addresses Request a ticket with no addresses. -.It Fl Fl anonymous -Request an anonymous ticket (which means that the ticket will be -issued to an anonymous principal, typically -.Dq anonymous@REALM ) . +.It Fl n , Fl Fl anonymous +Request an anonymous ticket. If the principal is specified as @REALM, then +anonymous PKINIT will be used to acquire an unauthenticated anonymous ticket +and both the client name and realm in the returned ticket will be anonymized. +Otherwise, authentication proceeds as normal and the anonymous ticket will have +only the client name anonymized. .It Fl Fl enterprise Parse principal as a enterprise (KRB5-NT-ENTERPRISE) name. Enterprise names are email like principals that are stored in the name part of diff --git a/kuser/kinit.c b/kuser/kinit.c index 4e93c6905231..4a263511470e 100644 --- a/kuser/kinit.c +++ b/kuser/kinit.c @@ -155,7 +155,7 @@ static struct getargs args[] = { { "extra-addresses",'a', arg_strings, &extra_addresses, NP_("include these extra addresses", ""), "addresses" }, - { "anonymous", 0, arg_flag, &anonymous_flag, + { "anonymous", 'n', arg_flag, &anonymous_flag, NP_("request an anonymous ticket", ""), NULL }, { "request-pac", 0, arg_flag, &pac_flag, @@ -206,6 +206,9 @@ static struct getargs args[] = { { "help", 0, arg_flag, &help_flag, NULL, NULL } }; +static char * +get_default_realm(krb5_context context); + static void usage(int ret) { 
@@ -236,7 +239,7 @@ copy_configs(krb5_context context, krb5_principal start_ticket_server) { krb5_error_code ret; - const char *cfg_names[] = {"realm-config", "FriendlyName", NULL}; + const char *cfg_names[] = {"realm-config", "FriendlyName", "anon_pkinit_realm", NULL}; const char *cfg_names_w_pname[] = {"fast_avail", NULL}; krb5_data cfg_data; size_t i; @@ -277,6 +280,34 @@ copy_configs(krb5_context context, } static krb5_error_code +get_anon_pkinit_tgs_name(krb5_context context, + krb5_ccache ccache, + krb5_principal *tgs_name) +{ + krb5_error_code ret; + krb5_data data; + char *realm; + + ret = krb5_cc_get_config(context, ccache, NULL, "anon_pkinit_realm", &data); + if (ret == 0) + realm = strndup(data.data, data.length); + else + realm = get_default_realm(context); + + krb5_data_free(&data); + + if (realm == NULL) + return krb5_enomem(context); + + ret = krb5_make_principal(context, tgs_name, realm, + KRB5_TGS_NAME, realm, NULL); + + free(realm); + + return ret; +} + +static krb5_error_code renew_validate(krb5_context context, int renew, int validate, @@ -296,7 +327,13 @@ renew_validate(krb5_context context, krb5_warn(context, ret, "krb5_cc_get_principal"); return ret; } - ret = get_server(context, in.client, server, &in.server); + + if (server == NULL && + krb5_principal_is_anonymous(context, in.client, + KRB5_ANON_MATCH_UNAUTHENTICATED)) + ret = get_anon_pkinit_tgs_name(context, cache, &in.server); + else + ret = get_server(context, in.client, server, &in.server); if (ret) { krb5_warn(context, ret, "get_server"); goto out; @@ -383,7 +420,7 @@ renew_validate(krb5_context context, out: if (tempccache) - krb5_cc_close(context, tempccache); + krb5_cc_destroy(context, tempccache); if (out) krb5_free_creds(context, out); krb5_free_cred_contents(context, &in); 
@@ -430,7 +467,8 @@ get_new_tickets(krb5_context context, krb5_principal principal, krb5_ccache ccache, krb5_deltat ticket_life, - int interactive) + int interactive, + int anonymous_pkinit) { krb5_error_code ret; krb5_creds cred; @@ -528,15 +566,15 @@ get_new_tickets(krb5_context context, krb5_get_init_creds_opt_set_canonicalize(context, opt, TRUE); if (pk_enterprise_flag || enterprise_flag || canonicalize_flag || windows_flag) krb5_get_init_creds_opt_set_win2k(context, opt, TRUE); - if (pk_user_id || ent_user_id || anonymous_flag) { + if (pk_user_id || ent_user_id || anonymous_pkinit) { ret = krb5_get_init_creds_opt_set_pkinit(context, opt, principal, pk_user_id, pk_x509_anchors, NULL, NULL, - pk_use_enckey ? 2 : 0 | - anonymous_flag ? 4 : 0, + pk_use_enckey ? KRB5_GIC_OPT_PKINIT_USE_ENCKEY : 0 | + anonymous_pkinit ? KRB5_GIC_OPT_PKINIT_ANONYMOUS : 0, prompter, NULL, passwd); @@ -628,7 +666,8 @@ get_new_tickets(krb5_context context, krb5_warn(context, ret, "krb5_init_creds_set_keytab"); goto out; } - } else if (pk_user_id || ent_user_id || anonymous_flag) { + } else if (pk_user_id || ent_user_id || + krb5_principal_is_anonymous(context, principal, KRB5_ANON_MATCH_ANY)) { } else if (!interactive && passwd[0] == '\0') { static int already_warned = 0; @@ -676,7 +715,7 @@ get_new_tickets(krb5_context context, if (ntlm_domain && passwd[0]) heim_ntlm_nt_key(passwd, &ntlmkey); #endif - memset(passwd, 0, sizeof(passwd)); + memset_s(passwd, sizeof(passwd), 0, sizeof(passwd)); switch(ret){ case 0: 
@@ -774,12 +813,21 @@ get_new_tickets(krb5_context context, krb5_cc_set_config(context, ccache, NULL, "realm-config", &data); } + if (anonymous_pkinit) { + krb5_data data; + + data.length = strlen(principal->realm); + data.data = principal->realm; + + krb5_cc_set_config(context, ccache, NULL, "anon_pkinit_realm", &data); + } + out: krb5_get_init_creds_opt_free(context, opt); if (ctx) krb5_init_creds_free(context, ctx); if (tempccache) - krb5_cc_close(context, tempccache); + krb5_cc_destroy(context, tempccache); if (enctype) free(enctype); @@ -923,7 +971,7 @@ renew_func(void *ptr) server_str, ctx->ticket_life); } else { ret = get_new_tickets(ctx->context, ctx->principal, ctx->ccache, - ctx->ticket_life, 0); + ctx->ticket_life, 0, 0); } expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal, server_str, &renew_expire); @@ -1222,6 +1270,8 @@ main(int argc, char **argv) #ifdef HAVE_SIGACTION struct sigaction sa; #endif + krb5_boolean unique_ccache = FALSE; + int anonymous_pkinit = FALSE; setprogname(argv[0]); @@ -1271,15 +1321,16 @@ main(int argc, char **argv) pk_user_id = NULL; - } else if (anonymous_flag) { + } else if (anonymous_flag && argc && argv[0][0] == '@') { + /* If principal argument as @REALM, try anonymous PKINIT */ - ret = krb5_make_principal(context, &principal, argv[0], + ret = krb5_make_principal(context, &principal, &argv[0][1], KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME, NULL); if (ret) krb5_err(context, 1, ret, "krb5_make_principal"); krb5_principal_set_type(context, principal, KRB5_NT_WELLKNOWN); - + anonymous_pkinit = TRUE; } else if (use_keytab || keytab_str) { get_princ_kt(context, &principal, argv[0]); } else { @@ -1311,6 +1362,7 @@ main(int argc, char **argv) krb5_cc_get_type(context, ccache), krb5_cc_get_name(context, ccache)); setenv("KRB5CCNAME", s, 1); + unique_ccache = TRUE; } else { ret = krb5_cc_cache_match(context, principal, &ccache); if (ret) { 
@@ -1330,6 +1382,8 @@ main(int argc, char **argv) krb5_cc_close(context, ccache); ret = get_switched_ccache(context, type, principal, &ccache); + if (ret == 0) + unique_ccache = TRUE; } } } @@ -1378,12 +1432,18 @@ main(int argc, char **argv) krb5_afslog(context, ccache, NULL, NULL); #endif + if (unique_ccache) + krb5_cc_destroy(context, ccache); exit(ret != 0); } - ret = get_new_tickets(context, principal, ccache, ticket_life, 1); - if (ret) + ret = get_new_tickets(context, principal, ccache, ticket_life, + 1, anonymous_pkinit); + if (ret) { + if (unique_ccache) + krb5_cc_destroy(context, ccache); exit(1); + } #ifndef NO_AFS if (ret == 0 && server_str == NULL && do_afslog && k_hasafs()) diff --git a/kuser/kinit.cat1 b/kuser/kinit.cat1 index 1a50d4ec462e..0cd20732b253 100644 --- a/kuser/kinit.cat1 +++ b/kuser/kinit.cat1 @@ -13,7 +13,7 @@ SSYYNNOOPPSSIISS [--kk | ----uussee--kkeeyyttaabb] [--vv | ----vvaalliiddaattee] [--ee _e_n_c_t_y_p_e_s | ----eennccttyyppeess==_e_n_c_t_y_p_e_s] [--aa _a_d_d_r_e_s_s_e_s | ----eexxttrraa--aaddddrreesssseess==_a_d_d_r_e_s_s_e_s] [----ppaasssswwoorrdd--ffiillee==_f_i_l_e_n_a_m_e] [----ffccaacchhee--vveerrssiioonn==_v_e_r_s_i_o_n_-_n_u_m_b_e_r] - [--AA | ----nnoo--aaddddrreesssseess] [----aannoonnyymmoouuss] [----eenntteerrpprriissee] [----vveerrssiioonn] + [--AA | ----nnoo--aaddddrreesssseess] [--nn | ----aannoonnyymmoouuss] [----eenntteerrpprriissee] [----vveerrssiioonn] [----hheellpp] [_p_r_i_n_c_i_p_a_l [_c_o_m_m_a_n_d]] DDEESSCCRRIIPPTTIIOONN 
@@ -90,9 +90,13 @@ DDEESSCCRRIIPPTTIIOONN --AA, ----nnoo--aaddddrreesssseess Request a ticket with no addresses. - ----aannoonnyymmoouuss - Request an anonymous ticket (which means that the ticket will be - issued to an anonymous principal, typically ``anonymous@REALM''). + --nn, ----aannoonnyymmoouuss + Request an anonymous ticket. If the principal is specified as + @REALM, then anonymous PKINIT will be used to acquire an unau- + thenticated anonymous ticket and both the client name and realm + in the returned ticket will be anonymized. Otherwise, authenti- + cation proceeds as normal and the anonymous ticket will have only + the client name anonymized. ----eenntteerrpprriissee Parse principal as a enterprise (KRB5-NT-ENTERPRISE) name. Enter- diff --git a/kuser/klist.c b/kuser/klist.c index e7fb8998b10e..02db225d3425 100644 --- a/kuser/klist.c +++ b/kuser/klist.c @@ -122,6 +122,12 @@ print_cred(krb5_context context, krb5_creds *cred, rtbl_t ct, int do_flags) *sp++ = 'A'; if(cred->flags.b.hw_authent) *sp++ = 'H'; + if(cred->flags.b.transited_policy_checked) + *sp++ = 'T'; + if(cred->flags.b.ok_as_delegate) + *sp++ = 'O'; + if(cred->flags.b.anonymous) + *sp++ = 'a'; *sp = '\0'; rtbl_add_column_entry(ct, COL_FLAGS, s); } @@ -403,7 +409,7 @@ display_tokens(int do_verbose) continue; t[min(parms.out_size,sizeof(t)-1)] = 0; memcpy(&size_secret_tok, r, sizeof(size_secret_tok)); - /* dont bother about the secret token */ + /* don't bother about the secret token */ r += size_secret_tok + sizeof(size_secret_tok); if (parms.out_size < (r - t) + sizeof(size_public_tok)) continue; @@ -413,7 +419,7 @@ display_tokens(int do_verbose) continue; memcpy(&ct, r, size_public_tok); r += size_public_tok; - /* there is a int32_t with length of cellname, but we dont read it */ + /* there is a int32_t with length of cellname, but we don't read it */ r += sizeof(int32_t); cell = r; diff --git a/lib/asn1/krb5.asn1 b/lib/asn1/krb5.asn1 index 12986ea4e064..9183fc19a48c 100644 
--- a/lib/asn1/krb5.asn1 +++ b/lib/asn1/krb5.asn1 @@ -355,7 +355,7 @@ KDCOptions ::= BIT STRING { allow-postdate(5), postdated(6), renewable(8), - constrained-delegation(14), -- ms extension (aka cname-in-addl-tkt) + cname-in-addl-tkt(14), -- ms extension canonicalize(15), request-anonymous(16), disable-transited-check(26), diff --git a/lib/gssapi/gen-oid.pl b/lib/gssapi/gen-oid.pl index a2341ad9816d..a2341ad9816d 100755..100644 --- a/lib/gssapi/gen-oid.pl +++ b/lib/gssapi/gen-oid.pl diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c index 0aa2da0808bf..d88ec4cddc53 100644 --- a/lib/gssapi/krb5/arcfour.c +++ b/lib/gssapi/krb5/arcfour.c @@ -304,7 +304,7 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status, EVP_Cipher(&rc4_key, p, p, 8); EVP_CIPHER_CTX_cleanup(&rc4_key); - memset(k6_data, 0, sizeof(k6_data)); + memset_s(k6_data, sizeof(k6_data), 0, sizeof(k6_data)); *minor_status = 0; return GSS_S_COMPLETE; @@ -389,7 +389,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, else cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4); - memset(SND_SEQ, 0, sizeof(SND_SEQ)); + memset_s(SND_SEQ, sizeof(SND_SEQ), 0, sizeof(SND_SEQ)); if (cmp != 0) { *minor_status = 0; return GSS_S_BAD_MIC; @@ -516,7 +516,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, ret = arcfour_mic_key(context, &Klocal, p0 + 8, 4, /* SND_SEQ */ k6_data, sizeof(k6_data)); - memset(Klocaldata, 0, sizeof(Klocaldata)); + memset_s(Klocaldata, sizeof(Klocaldata), 0, sizeof(Klocaldata)); if (ret) { _gsskrb5_release_buffer(minor_status, output_message_buffer); *minor_status = ret; @@ -550,7 +550,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); EVP_Cipher(&rc4_key, p0 + 8, p0 + 8 /* SND_SEQ */, 8); EVP_CIPHER_CTX_cleanup(&rc4_key); - memset(k6_data, 0, sizeof(k6_data)); + memset_s(k6_data, sizeof(k6_data), 0, sizeof(k6_data)); } if (conf_state) 
@@ -650,7 +650,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); EVP_Cipher(&rc4_key, SND_SEQ, p0 + 8, 8); EVP_CIPHER_CTX_cleanup(&rc4_key); - memset(k6_data, 0, sizeof(k6_data)); + memset_s(k6_data, sizeof(k6_data), 0, sizeof(k6_data)); } _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number); @@ -678,7 +678,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, ret = arcfour_mic_key(context, &Klocal, SND_SEQ, 4, k6_data, sizeof(k6_data)); - memset(Klocaldata, 0, sizeof(Klocaldata)); + memset_s(Klocaldata, sizeof(Klocaldata), 0, sizeof(Klocaldata)); if (ret) { *minor_status = ret; return GSS_S_FAILURE; @@ -1069,7 +1069,7 @@ _gssapi_wrap_iov_arcfour(OM_uint32 *minor_status, kret = arcfour_mic_key(context, &Klocal, p0 + 8, 4, /* SND_SEQ */ k6_data, sizeof(k6_data)); - memset(Klocaldata, 0, sizeof(Klocaldata)); + memset_s(Klocaldata, sizeof(Klocaldata), 0, sizeof(Klocaldata)); if (kret) { *minor_status = kret; major_status = GSS_S_FAILURE; @@ -1300,7 +1300,7 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status, snd_seq, 4, k6_data, sizeof(k6_data)); - memset(Klocaldata, 0, sizeof(Klocaldata)); + memset_s(Klocaldata, sizeof(Klocaldata), 0, sizeof(Klocaldata)); if (kret) { *minor_status = kret; return GSS_S_FAILURE; diff --git a/lib/gssapi/krb5/get_mic.c b/lib/gssapi/krb5/get_mic.c index 643385d9e892..d9cf9d700737 100644 --- a/lib/gssapi/krb5/get_mic.c +++ b/lib/gssapi/krb5/get_mic.c @@ -121,8 +121,8 @@ mic_des ++seq_number); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - memset (deskey, 0, sizeof(deskey)); - memset (&schedule, 0, sizeof(schedule)); + memset_s(deskey, sizeof(deskey), 0, sizeof(deskey)); + memset_s(&schedule, sizeof(schedule), 0, sizeof(schedule)); *minor_status = 0; return GSS_S_COMPLETE; diff --git a/lib/gssapi/krb5/verify_mic.c b/lib/gssapi/krb5/verify_mic.c index 9968ce403ef7..7070f3de46be 100644 --- a/lib/gssapi/krb5/verify_mic.c +++ b/lib/gssapi/krb5/verify_mic.c 
@@ -89,8 +89,8 @@ verify_mic_des DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), &schedule, &zero); if (ct_memcmp (p - 8, hash, 8) != 0) { - memset (deskey, 0, sizeof(deskey)); - memset (&schedule, 0, sizeof(schedule)); + memset_s(deskey, sizeof(deskey), 0, sizeof(deskey)); + memset_s(&schedule, sizeof(schedule), 0, sizeof(schedule)); return GSS_S_BAD_MIC; } @@ -105,8 +105,8 @@ verify_mic_des EVP_Cipher(&des_ctx, p, p, 8); EVP_CIPHER_CTX_cleanup(&des_ctx); - memset (deskey, 0, sizeof(deskey)); - memset (&schedule, 0, sizeof(schedule)); + memset_s(deskey, sizeof(deskey), 0, sizeof(deskey)); + memset_s(&schedule, sizeof(schedule), 0, sizeof(schedule)); seq = p; _gsskrb5_decode_om_uint32(seq, &seq_number); diff --git a/lib/gssapi/ntlm/init_sec_context.c b/lib/gssapi/ntlm/init_sec_context.c index 5499a1b814e7..f3198d8a274d 100644 --- a/lib/gssapi/ntlm/init_sec_context.c +++ b/lib/gssapi/ntlm/init_sec_context.c @@ -72,11 +72,11 @@ from_file(const char *fn, const char *target_domain, heim_ntlm_nt_key(p, key); - memset(buf, 0, sizeof(buf)); + memset_s(buf, sizeof(buf), 0, sizeof(buf)); fclose(f); return 0; } - memset(buf, 0, sizeof(buf)); + memset_s(buf, sizeof(buf), 0, sizeof(buf)); fclose(f); return ENOENT; } @@ -466,7 +466,7 @@ _gss_ntlm_init_sec_context ret = heim_ntlm_build_ntlm1_master(ntlmv2, sizeof(ntlmv2), &sessionkey, &type3.sessionkey); - memset(ntlmv2, 0, sizeof(ntlmv2)); + memset_s(ntlmv2, sizeof(ntlmv2), 0, sizeof(ntlmv2)); if (ret) { _gss_ntlm_delete_sec_context(minor_status, context_handle, NULL); diff --git a/lib/hcrypto/evp-pkcs11.c b/lib/hcrypto/evp-pkcs11.c index 93af9b4564c0..325bb0afd104 100644 --- a/lib/hcrypto/evp-pkcs11.c +++ b/lib/hcrypto/evp-pkcs11.c @@ -60,7 +60,7 @@ #include <ref/pkcs11.h> #if __sun && !defined(PKCS11_MODULE_PATH) -# if _LP64 +# ifdef _LP64 # define PKCS11_MODULE_PATH "/usr/lib/64/libpkcs11.so" # else # define PKCS11_MODULE_PATH "/usr/lib/libpkcs11.so" 
@@ -87,7 +87,6 @@ p11_cleanup(EVP_CIPHER_CTX *ctx); struct pkcs11_cipher_ctx { CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hSecret; - int cipher_init_done; }; struct pkcs11_md_ctx { @@ -95,12 +94,14 @@ struct pkcs11_md_ctx { }; static void *pkcs11_module_handle; -static void -p11_module_init_once(void *context) + +static CK_RV +p11_module_load(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) { CK_RV rv; - CK_FUNCTION_LIST_PTR module; CK_RV (*C_GetFunctionList_fn)(CK_FUNCTION_LIST_PTR_PTR); + + *ppFunctionList = NULL; if (!issuid()) { char *pkcs11ModulePath = getenv("PKCS11_MODULE_PATH"); @@ -109,7 +110,7 @@ p11_module_init_once(void *context) dlopen(pkcs11ModulePath, RTLD_LAZY | RTLD_LOCAL | RTLD_GROUP | RTLD_NODELETE); if (pkcs11_module_handle == NULL) - fprintf(stderr, "p11_module_init(%s): %s\n", pkcs11ModulePath, dlerror()); + fprintf(stderr, "p11_module_load(%s): %s\n", pkcs11ModulePath, dlerror()); } } #ifdef PKCS11_MODULE_PATH 
@@ -118,47 +119,63 @@ p11_module_init_once(void *context) dlopen(PKCS11_MODULE_PATH, RTLD_LAZY | RTLD_LOCAL | RTLD_GROUP | RTLD_NODELETE); if (pkcs11_module_handle == NULL) - fprintf(stderr, "p11_module_init(%s): %s\n", PKCS11_MODULE_PATH, dlerror()); + fprintf(stderr, "p11_module_load(%s): %s\n", PKCS11_MODULE_PATH, dlerror()); } #endif if (pkcs11_module_handle == NULL) - goto cleanup; + return CKR_LIBRARY_LOAD_FAILED; C_GetFunctionList_fn = (CK_RV (*)(CK_FUNCTION_LIST_PTR_PTR)) dlsym(pkcs11_module_handle, "C_GetFunctionList"); - if (C_GetFunctionList_fn == NULL) - goto cleanup; + if (C_GetFunctionList_fn == NULL) { + dlclose(pkcs11_module_handle); + return CKR_LIBRARY_LOAD_FAILED; + } - rv = C_GetFunctionList_fn(&module); - if (rv != CKR_OK) - goto cleanup; + rv = C_GetFunctionList_fn(ppFunctionList); + if (rv != CKR_OK) { + dlclose(pkcs11_module_handle); + return rv; + } - rv = module->C_Initialize(NULL); - if (rv == CKR_CRYPTOKI_ALREADY_INITIALIZED) - rv = CKR_OK; - if (rv == CKR_OK) - *((CK_FUNCTION_LIST_PTR_PTR)context) = module; + return CKR_OK; +} -cleanup: - if (pkcs11_module_handle != NULL && p11_module == NULL) { - dlclose(pkcs11_module_handle); - pkcs11_module_handle = NULL; - } - /* else leak pkcs11_module_handle */ +static void +p11_module_load_once(void *context) +{ + p11_module_load((CK_FUNCTION_LIST_PTR_PTR)context); } static CK_RV p11_module_init(void) { - static heim_base_once_t init_module = HEIM_BASE_ONCE_INIT; + static heim_base_once_t once = HEIM_BASE_ONCE_INIT; + CK_RV rv; - heim_base_once_f(&init_module, &p11_module, p11_module_init_once); + heim_base_once_f(&once, &p11_module, p11_module_load_once); - return p11_module != NULL ? CKR_OK : CKR_LIBRARY_LOAD_FAILED; + if (p11_module == NULL) + return CKR_LIBRARY_LOAD_FAILED; + + /* + * Call C_Initialize() on every call, because it will be invalid after fork(). 
+ * Caching the initialization status using a once control and invalidating it + * on fork provided no measurable performance benefit on Solaris 11. Other + * approaches would not be thread-safe or would involve more intrusive code + * changes, such as exposing heimbase's atomics. + */ + rv = p11_module->C_Initialize(NULL); + if (rv == CKR_CRYPTOKI_ALREADY_INITIALIZED) + rv = CKR_OK; + + return rv; } static CK_RV -p11_session_init(CK_MECHANISM_TYPE mechanismType, CK_SESSION_HANDLE_PTR phSession) +p11_session_init(CK_MECHANISM_TYPE mechanismType, + CK_SESSION_HANDLE_PTR phSession, + CK_FLAGS *pFlags) { CK_RV rv; CK_ULONG i, ulSlotCount = 0; @@ -168,6 +185,8 @@ p11_session_init(CK_MECHANISM_TYPE mechanismType, CK_SESSION_HANDLE_PTR phSessio if (phSession != NULL) *phSession = CK_INVALID_HANDLE; + *pFlags = 0; + rv = p11_module_init(); if (rv != CKR_OK) goto cleanup; @@ -198,8 +217,10 @@ p11_session_init(CK_MECHANISM_TYPE mechanismType, CK_SESSION_HANDLE_PTR phSessio */ for (i = 0; i < ulSlotCount; i++) { rv = p11_module->C_GetMechanismInfo(pSlotList[i], mechanismType, &info); - if (rv == CKR_OK) - break; + if (rv == CKR_OK) { + *pFlags = info.flags; + break; + } } if (i == ulSlotCount) { @@ -220,9 +241,16 @@ cleanup: } static int -p11_mech_available_p(CK_MECHANISM_TYPE mechanismType) +p11_mech_available_p(CK_MECHANISM_TYPE mechanismType, CK_FLAGS reqFlags) { - return p11_session_init(mechanismType, NULL) == CKR_OK; + CK_RV rv; + CK_FLAGS flags; + + rv = p11_session_init(mechanismType, NULL, &flags); + if (rv != CKR_OK) + return 0; + + return (flags & reqFlags) == reqFlags; } static CK_KEY_TYPE 
@@ -281,20 +309,49 @@ p11_key_init(EVP_CIPHER_CTX *ctx, { CKA_VALUE, (void *)key, ctx->key_len }, { op, &bTrue, sizeof(bTrue) } }; + CK_MECHANISM mechanism = { + mechanismType, + ctx->cipher->iv_len ? ctx->iv : NULL, + ctx->cipher->iv_len + }; struct pkcs11_cipher_ctx *p11ctx = (struct pkcs11_cipher_ctx *)ctx->cipher_data; - p11ctx->cipher_init_done = 0; + CK_FLAGS flags; - rv = p11_session_init(mechanismType, &p11ctx->hSession); - if (rv != CKR_OK) - goto cleanup; + rv = CKR_OK; - assert(p11_module != NULL); + if (p11ctx->hSession != CK_INVALID_HANDLE && key != NULL) + p11_cleanup(ctx); /* refresh session with new key */ - rv = p11_module->C_CreateObject(p11ctx->hSession, attributes, - sizeof(attributes) / sizeof(attributes[0]), - &p11ctx->hSecret); - if (rv != CKR_OK) - goto cleanup; + if (p11ctx->hSession == CK_INVALID_HANDLE) { + rv = p11_session_init(mechanismType, &p11ctx->hSession, &flags); + if (rv != CKR_OK) + goto cleanup; + + if ((flags & (CKF_ENCRYPT|CKF_DECRYPT)) != (CKF_ENCRYPT|CKF_DECRYPT)) { + rv = CKR_MECHANISM_INVALID; + goto cleanup; + } + } + + if (key != NULL) { + assert(p11_module != NULL); + assert(p11ctx->hSecret == CK_INVALID_HANDLE); + + rv = p11_module->C_CreateObject(p11ctx->hSession, attributes, + sizeof(attributes) / sizeof(attributes[0]), + &p11ctx->hSecret); + if (rv != CKR_OK) + goto cleanup; + } + + if (p11ctx->hSecret != CK_INVALID_HANDLE) { + if (op == CKA_ENCRYPT) + rv = p11_module->C_EncryptInit(p11ctx->hSession, &mechanism, p11ctx->hSecret); + else + rv = p11_module->C_DecryptInit(p11ctx->hSession, &mechanism, p11ctx->hSecret); + if (rv != CKR_OK) + goto cleanup; + } cleanup: if (rv != CKR_OK) 
@@ -310,37 +367,17 @@ p11_do_cipher(EVP_CIPHER_CTX *ctx, unsigned int size) { struct pkcs11_cipher_ctx *p11ctx = (struct pkcs11_cipher_ctx *)ctx->cipher_data; - CK_RV rv = CKR_OK; + CK_RV rv; CK_ULONG ulCipherTextLen = size; - CK_MECHANISM_TYPE mechanismType = (CK_MECHANISM_TYPE)ctx->cipher->app_data; - CK_MECHANISM mechanism = { - mechanismType, - ctx->cipher->iv_len ? ctx->iv : NULL, - ctx->cipher->iv_len - }; assert(p11_module != NULL); - /* The EVP layer only ever calls us with complete cipher blocks */ assert(EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_STREAM_CIPHER || (size % ctx->cipher->block_size) == 0); - if (ctx->encrypt) { - if (!p11ctx->cipher_init_done) { - rv = p11_module->C_EncryptInit(p11ctx->hSession, &mechanism, p11ctx->hSecret); - if (rv == CKR_OK) - p11ctx->cipher_init_done = 1; - } - if (rv == CKR_OK) - rv = p11_module->C_EncryptUpdate(p11ctx->hSession, (unsigned char *)in, size, out, &ulCipherTextLen); - } else { - if (!p11ctx->cipher_init_done) { - rv = p11_module->C_DecryptInit(p11ctx->hSession, &mechanism, p11ctx->hSecret); - if (rv == CKR_OK) - p11ctx->cipher_init_done = 1; - } - if (rv == CKR_OK) - rv = p11_module->C_DecryptUpdate(p11ctx->hSession, (unsigned char *)in, size, out, &ulCipherTextLen); - } + if (ctx->encrypt) + rv = p11_module->C_EncryptUpdate(p11ctx->hSession, (unsigned char *)in, size, out, &ulCipherTextLen); + else + rv = p11_module->C_DecryptUpdate(p11ctx->hSession, (unsigned char *)in, size, out, &ulCipherTextLen); return rv == CKR_OK; } @@ -350,8 +387,6 @@ p11_cleanup(EVP_CIPHER_CTX *ctx) { struct pkcs11_cipher_ctx *p11ctx = (struct pkcs11_cipher_ctx *)ctx->cipher_data; - assert(p11_module != NULL); - if (p11ctx->hSecret != CK_INVALID_HANDLE) { p11_module->C_DestroyObject(p11ctx->hSession, p11ctx->hSecret); p11ctx->hSecret = CK_INVALID_HANDLE; 
@@ -365,20 +400,33 @@ p11_cleanup(EVP_CIPHER_CTX *ctx) } static int +p11_md_cleanup(EVP_MD_CTX *ctx); + +static int p11_md_hash_init(CK_MECHANISM_TYPE mechanismType, EVP_MD_CTX *ctx) { struct pkcs11_md_ctx *p11ctx = (struct pkcs11_md_ctx *)ctx; CK_RV rv; + CK_FLAGS flags; + CK_MECHANISM mechanism = { mechanismType, NULL, 0 }; - rv = p11_session_init(mechanismType, &p11ctx->hSession); - if (rv == CKR_OK) { - CK_MECHANISM mechanism = { mechanismType, NULL, 0 }; + if (p11ctx->hSession != CK_INVALID_HANDLE) + p11_md_cleanup(ctx); - assert(p11_module != NULL); + rv = p11_session_init(mechanismType, &p11ctx->hSession, &flags); + if (rv != CKR_OK) + goto cleanup; - rv = p11_module->C_DigestInit(p11ctx->hSession, &mechanism); + if ((flags & CKF_DIGEST) != CKF_DIGEST) { + rv = CKR_MECHANISM_INVALID; + goto cleanup; } + assert(p11_module != NULL); + + rv = p11_module->C_DigestInit(p11ctx->hSession, &mechanism); + + cleanup: return rv == CKR_OK; } @@ -389,8 +437,11 @@ p11_md_update(EVP_MD_CTX *ctx, const void *data, size_t length) CK_RV rv; assert(p11_module != NULL); + assert(data != NULL || length == 0); - rv = p11_module->C_DigestUpdate(p11ctx->hSession, (unsigned char *)data, length); + rv = p11_module->C_DigestUpdate(p11ctx->hSession, + data ? (CK_BYTE_PTR)data : (CK_BYTE_PTR)"", + length); return rv == CKR_OK; } @@ -435,7 +486,7 @@ p11_md_cleanup(EVP_MD_CTX *ctx) block_size, \ key_len, \ iv_len, \ - flags, \ + (flags) | EVP_CIPH_ALWAYS_CALL_INIT, \ p11_key_init, \ p11_do_cipher, \ p11_cleanup, \ @@ -449,7 +500,7 @@ p11_md_cleanup(EVP_MD_CTX *ctx) const EVP_CIPHER * \ hc_EVP_pkcs11_##name(void) \ { \ - if (p11_mech_available_p(mechanismType)) \ + if (p11_mech_available_p(mechanismType, CKF_ENCRYPT|CKF_DECRYPT)) \ return &pkcs11_##name; \ else \ return NULL; \ @@ -499,7 +550,7 @@ p11_md_cleanup(EVP_MD_CTX *ctx) p11_md_cleanup \ }; \ \ - if (p11_mech_available_p(mechanismType)) \ + if (p11_mech_available_p(mechanismType, CKF_DIGEST)) \ return &name; \ else \ return NULL; \ 
diff --git a/lib/hcrypto/evp-wincng.c b/lib/hcrypto/evp-wincng.c index 8a8b91cb1ab9..a9b14e3bbeea 100644 --- a/lib/hcrypto/evp-wincng.c +++ b/lib/hcrypto/evp-wincng.c @@ -196,6 +196,11 @@ wincng_key_init(EVP_CIPHER_CTX *ctx, if (ctx->cipher->app_data == NULL) return 0; + if (cng->hKey) { + BCryptDestroyKey(cng->hKey); /* allow reinitialization */ + cng->hKey = (BCRYPT_KEY_HANDLE)0; + } + /* * Note: ctx->key_len not EVP_CIPHER_CTX_key_length() for * variable length key support. @@ -570,6 +575,11 @@ wincng_md_hash_init(BCRYPT_ALG_HANDLE hAlgorithm, NTSTATUS status; ULONG cbData; + if (cng->hHash) { + BCryptDestroyHash(cng->hHash); /* allow reinitialization */ + cng->hHash = (BCRYPT_HASH_HANDLE)0; + } + status = BCryptGetProperty(hAlgorithm, BCRYPT_OBJECT_LENGTH, (PUCHAR)&cng->cbHashObject, diff --git a/lib/hcrypto/evp.h b/lib/hcrypto/evp.h index a0369db72847..8893362db23e 100644 --- a/lib/hcrypto/evp.h +++ b/lib/hcrypto/evp.h @@ -164,7 +164,7 @@ struct hc_CIPHER { #define hc_EVP_CTRL_INIT 0x0 #define hc_EVP_CIPH_VARIABLE_LENGTH 0x008 /* variable key length */ -#define hc_EVP_CIPH_ALWAYS_CALL_INIT 0x020 +#define hc_EVP_CIPH_ALWAYS_CALL_INIT 0x020 /* backend maintains own cipherstate */ #define hc_EVP_CIPH_RAND_KEY 0x200 int (*init)(EVP_CIPHER_CTX*,const unsigned char*,const unsigned char*,int); diff --git a/lib/hcrypto/md2.c b/lib/hcrypto/md2.c index 25341a93b965..da41e6d83ee0 100644 --- a/lib/hcrypto/md2.c +++ b/lib/hcrypto/md2.c @@ -90,7 +90,7 @@ calc(struct md2 *m, const void *v) } memcpy(m->state, x, 16); - memset(x, 0, sizeof(x)); + memset_s(x, sizeof(x), 0, sizeof(x)); } int diff --git a/lib/hcrypto/rand-fortuna.c b/lib/hcrypto/rand-fortuna.c index 529bf8f301a8..2082f35ec72d 100644 --- a/lib/hcrypto/rand-fortuna.c +++ b/lib/hcrypto/rand-fortuna.c @@ -159,7 +159,7 @@ md_result(MD_CTX * ctx, unsigned char *dst) memcpy(&tmp, ctx, sizeof(*ctx)); SHA256_Final(dst, &tmp); - memset(&tmp, 0, sizeof(tmp)); + memset_s(&tmp, sizeof(tmp), 0, sizeof(tmp)); } /* 
@@ -234,7 +234,7 @@ enough_time_passed(FState * st) if (ok) memcpy(last, &tv, sizeof(tv)); - memset(&tv, 0, sizeof(tv)); + memset_s(&tv, sizeof(tv), 0, sizeof(tv)); return ok; } @@ -284,8 +284,8 @@ reseed(FState * st) /* use new key */ ciph_init(&st->ciph, st->key, BLOCK); - memset(&key_md, 0, sizeof(key_md)); - memset(buf, 0, BLOCK); + memset_s(&key_md, sizeof(key_md), 0, sizeof(key_md)); + memset_s(buf, sizeof(buf), 0, sizeof(buf)); } /* @@ -335,8 +335,8 @@ add_entropy(FState * st, const unsigned char *data, unsigned len) if (pos == 0) st->pool0_bytes += len; - memset(hash, 0, BLOCK); - memset(&md, 0, sizeof(md)); + memset_s(hash, sizeof(hash), 0, sizeof(hash)); + memset_s(&md, sizeof(hash), 0, sizeof(md)); } /* @@ -372,7 +372,7 @@ startup_tricks(FState * st) encrypt_counter(st, buf + CIPH_BLOCK); md_update(&st->pool[i], buf, BLOCK); } - memset(buf, 0, BLOCK); + memset_s(buf, sizeof(buf), 0, sizeof(buf)); /* Hide the key. */ rekey(st); @@ -468,7 +468,7 @@ fortuna_reseed(void) if ((*hc_rand_unix_method.bytes)(buf, sizeof(buf)) == 1) { add_entropy(&main_state, buf, sizeof(buf)); entropy_p = 1; - memset(buf, 0, sizeof(buf)); + memset_s(buf, sizeof(buf), 0, sizeof(buf)); } } #endif @@ -509,7 +509,7 @@ fortuna_reseed(void) close(fd); } - memset(&u, 0, sizeof(u)); + memset_s(&u, sizeof(u), 0, sizeof(u)); entropy_p = 1; /* sure about this ? */ } @@ -593,7 +593,7 @@ fortuna_cleanup(void) init_done = 0; have_entropy = 0; - memset(&main_state, 0, sizeof(main_state)); + memset_s(&main_state, sizeof(main_state), 0, sizeof(main_state)); HEIMDAL_MUTEX_unlock(&fortuna_mutex); } diff --git a/lib/hdb/db.c b/lib/hdb/db.c index c6cf58813814..4cee8d0097a1 100644 --- a/lib/hdb/db.c +++ b/lib/hdb/db.c @@ -44,6 +44,7 @@ typedef struct { HDB hdb; /* generic members */ int lock_fd; /* DB-specific */ + int do_sync; /* DB-specific */ } DB1_HDB; static krb5_error_code 
@@ -77,6 +78,25 @@ DB_destroy(krb5_context context, HDB *db) } static krb5_error_code +DB_set_sync(krb5_context context, HDB *db, int on) +{ + DB1_HDB *db1 = (DB1_HDB *)db; + DB *d = (DB*)db->hdb_db; + krb5_error_code ret = 0; + + db1->do_sync = on; + if (on) { + ret = (*d->sync)(d, 0); + if (ret == -1) { + ret = errno; + krb5_set_error_message(context, ret, "Database %s put sync error: %s", + db->hdb_name, strerror(ret)); + } + } + return ret; +} + +static krb5_error_code DB_lock(krb5_context context, HDB *db, int operation) { @@ -203,6 +223,7 @@ static krb5_error_code DB__put(krb5_context context, HDB *db, int replace, krb5_data key, krb5_data value) { + DB1_HDB *db1 = (DB1_HDB *)db; DB *d = (DB*)db->hdb_db; DBT k, v; int code; @@ -222,19 +243,14 @@ DB__put(krb5_context context, HDB *db, int replace, if(code == 1) { return HDB_ERR_EXISTS; } - code = (*d->sync)(d, 0); - if (code == -1) { - code = errno; - krb5_set_error_message(context, code, "Database %s put sync error: %s", - db->hdb_name, strerror(code)); - return code; - } - return 0; + + return db->hdb_set_sync(context, db, db1->do_sync); } static krb5_error_code DB__del(krb5_context context, HDB *db, krb5_data key) { + DB1_HDB *db1 = (DB1_HDB *)db; DB *d = (DB*)db->hdb_db; DBT k; krb5_error_code code; @@ -250,14 +266,7 @@ DB__del(krb5_context context, HDB *db, krb5_data key) db->hdb_name, strerror(code)); return code; } - code = (*d->sync)(d, 0); - if (code == -1) { - code = errno; - krb5_set_error_message(context, code, "Database %s del sync error: %s", - db->hdb_name, strerror(code)); - return code; - } - return 0; + return db->hdb_set_sync(context, db, db1->do_sync); } static DB * @@ -371,8 +380,10 @@ hdb_db1_create(krb5_context context, HDB **db, (*db)->hdb__put = DB__put; (*db)->hdb__del = DB__del; (*db)->hdb_destroy = DB_destroy; + (*db)->hdb_set_sync = DB_set_sync; (*db1)->lock_fd = -1; + (*db1)->do_sync = 1; return 0; } 
diff --git a/lib/hdb/db3.c b/lib/hdb/db3.c index cd2e33f067ad..0d41369d7101 100644 --- a/lib/hdb/db3.c +++ b/lib/hdb/db3.c @@ -54,6 +54,7 @@ typedef struct { HDB hdb; /* generic members */ int lock_fd; /* DB3-specific */ + int do_sync; /* DB3-specific */ } DB3_HDB; @@ -92,6 +93,32 @@ DB_destroy(krb5_context context, HDB *db) } static krb5_error_code +DB_set_sync(krb5_context context, HDB *db, int on) +{ + DB3_HDB *db3 = (DB3_HDB *)db; + DB *d = (DB*)db->hdb_db; + krb5_error_code ret = 0; + + db3->do_sync = on; + if (on) { + ret = (*d->sync)(d, 0); + if (ret) { + if (ret == EACCES || ret == ENOSPC || ret == EINVAL) { + krb5_set_error_message(context, ret, + "Database %s put sync error: %s", + db->hdb_name, strerror(ret)); + } else { + ret = HDB_ERR_UK_SERROR; + krb5_set_error_message(context, ret, + "Database %s put sync error: unknown (%d)", + db->hdb_name, ret); + } + } + } + return ret; +} + +static krb5_error_code DB_lock(krb5_context context, HDB *db, int operation) { @@ -220,6 +247,7 @@ static krb5_error_code DB__put(krb5_context context, HDB *db, int replace, krb5_data key, krb5_data value) { + DB3_HDB *db3 = (DB3_HDB *)db; DB *d = (DB*)db->hdb_db; DBT k, v; int code; @@ -261,26 +289,13 @@ DB__put(krb5_context context, HDB *db, int replace, } return code; } - code = (*d->sync)(d, 0); - if (code) { - if (code == EACCES || code == ENOSPC || code == EINVAL) { - krb5_set_error_message(context, code, - "Database %s put sync error: %s", - db->hdb_name, strerror(code)); - } else { - code = HDB_ERR_UK_SERROR; - krb5_set_error_message(context, code, - "Database %s put sync error: unknown (%d)", - db->hdb_name, code); - } - return code; - } - return 0; + return db->hdb_set_sync(context, db, db3->do_sync); } static krb5_error_code DB__del(krb5_context context, HDB *db, krb5_data key) { + DB3_HDB *db3 = (DB3_HDB *)db; DB *d = (DB*)db->hdb_db; DBT k; krb5_error_code code; 
@@ -304,21 +319,7 @@ DB__del(krb5_context context, HDB *db, krb5_data key) } return code; } - code = (*d->sync)(d, 0); - if (code) { - if (code == EACCES || code == ENOSPC || code == EINVAL) { - krb5_set_error_message(context, code, - "Database %s del sync error: %s", - db->hdb_name, strerror(code)); - } else { - code = HDB_ERR_UK_SERROR; - krb5_set_error_message(context, code, - "Database %s del sync error: unknown (%d)", - db->hdb_name, code); - } - return code; - } - return 0; + return db->hdb_set_sync(context, db, db3->do_sync); } #define RD_CACHE_SZ 0x8000 /* Minimal read cache size */ @@ -485,6 +486,7 @@ hdb_db3_create(krb5_context context, HDB **db, (*db)->hdb__put = DB__put; (*db)->hdb__del = DB__del; (*db)->hdb_destroy = DB_destroy; + (*db)->hdb_set_sync = DB_set_sync; (*db3)->lock_fd = -1; return 0; diff --git a/lib/hdb/hdb-ldap.c b/lib/hdb/hdb-ldap.c index 9ce4ba74f823..2ed7a6ba2596 100644 --- a/lib/hdb/hdb-ldap.c +++ b/lib/hdb/hdb-ldap.c @@ -1887,6 +1887,13 @@ LDAP_destroy(krb5_context context, HDB * db) } static krb5_error_code +LDAP_set_sync(krb5_context context, HDB * db, int on) +{ + (void)on; + return 0; +} + +static krb5_error_code hdb_ldap_common(krb5_context context, HDB ** db, const char *search_base, @@ -2020,6 +2027,7 @@ hdb_ldap_common(krb5_context context, (*db)->hdb__put = NULL; (*db)->hdb__del = NULL; (*db)->hdb_destroy = LDAP_destroy; + (*db)->hdb_set_sync = LDAP_set_sync; return 0; } diff --git a/lib/hdb/hdb-mdb.c b/lib/hdb/hdb-mdb.c index 920d7780e844..52d9aed7ac1f 100644 --- a/lib/hdb/hdb-mdb.c +++ b/lib/hdb/hdb-mdb.c @@ -76,6 +76,15 @@ DB_destroy(krb5_context context, HDB *db) } static krb5_error_code +DB_set_sync(krb5_context context, HDB *db, int on) +{ + mdb_info *mi = (mdb_info *)db->hdb_db; + + mdb_env_set_flags(mi->e, MDB_NOSYNC, !on); + return mdb_env_sync(mi->e, 0); +} + +static krb5_error_code DB_lock(krb5_context context, HDB *db, int operation) { db->lock_count++; 
@@ -240,6 +249,10 @@ DB__put(krb5_context context, HDB *db, int replace, mdb_txn_abort(txn); else code = mdb_txn_commit(txn); + /* + * No need to call mdb_env_sync(); it's done automatically if MDB_NOSYNC is + * not set. + */ if(code == MDB_KEYEXIST) return HDB_ERR_EXISTS; return code; @@ -265,6 +278,10 @@ DB__del(krb5_context context, HDB *db, krb5_data key) mdb_txn_abort(txn); else code = mdb_txn_commit(txn); + /* + * No need to call mdb_env_sync(); it's done automatically if MDB_NOSYNC is + * not set. + */ if(code == MDB_NOTFOUND) return HDB_ERR_NOENTRY; return code; @@ -394,6 +411,7 @@ hdb_mdb_create(krb5_context context, HDB **db, (*db)->hdb__put = DB__put; (*db)->hdb__del = DB__del; (*db)->hdb_destroy = DB_destroy; + (*db)->hdb_set_sync = DB_set_sync; return 0; } #endif /* HAVE_LMDB */ diff --git a/lib/hdb/hdb-mitdb.c b/lib/hdb/hdb-mitdb.c index 4e4fcdc58556..f3f8cf24c271 100644 --- a/lib/hdb/hdb-mitdb.c +++ b/lib/hdb/hdb-mitdb.c @@ -91,6 +91,11 @@ salt: #include "hdb_locl.h" +typedef struct MITDB { + HDB db; /* Generic */ + int do_sync; /* MITDB-specific */ +} MITDB; + static void attr_to_flags(unsigned attr, HDBFlags *flags) { @@ -698,6 +703,18 @@ mdb_destroy(krb5_context context, HDB *db) } static krb5_error_code +mdb_set_sync(krb5_context context, HDB *db, int on) +{ + MITDB *mdb = (MITDB *)db; + DB *d = (DB*)db->hdb_db; + + mdb->do_sync = on; + if (on) + return fsync((*d->fd)(d)); + return 0; +} + +static krb5_error_code mdb_lock(krb5_context context, HDB *db, int operation) { DB *d = (DB*)db->hdb_db; @@ -861,6 +878,7 @@ static krb5_error_code mdb__put(krb5_context context, HDB *db, int replace, krb5_data key, krb5_data value) { + MITDB *mdb = (MITDB *)db; DB *d = (DB*)db->hdb_db; DBT k, v; int code; 
@@ -873,6 +891,11 @@ mdb__put(krb5_context context, HDB *db, int replace, if(code) return code; code = (*d->put)(d, &k, &v, replace ? 0 : R_NOOVERWRITE); + if (code == 0) { + code = mdb_set_sync(context, db, mdb->do_sync); + db->hdb_unlock(context, db); + return code; + } db->hdb_unlock(context, db); if(code < 0) { code = errno; @@ -880,16 +903,14 @@ mdb__put(krb5_context context, HDB *db, int replace, db->hdb_name, strerror(code)); return code; } - if(code == 1) { - krb5_clear_error_message(context); - return HDB_ERR_EXISTS; - } - return 0; + krb5_clear_error_message(context); + return HDB_ERR_EXISTS; } static krb5_error_code mdb__del(krb5_context context, HDB *db, krb5_data key) { + MITDB *mdb = (MITDB *)db; DB *d = (DB*)db->hdb_db; DBT k; krb5_error_code code; @@ -899,6 +920,11 @@ mdb__del(krb5_context context, HDB *db, krb5_data key) if(code) return code; code = (*d->del)(d, &k, 0); + if (code == 0) { + code = mdb_set_sync(context, db, mdb->do_sync); + db->hdb_unlock(context, db); + return code; + } db->hdb_unlock(context, db); if(code == 1) { code = errno; @@ -1090,8 +1116,9 @@ krb5_error_code hdb_mitdb_create(krb5_context context, HDB **db, const char *filename) { - *db = calloc(1, sizeof(**db)); - if (*db == NULL) { + MITDB **mdb (MITDB **)db; + *mdb = calloc(1, sizeof(**mdb)); + if (*mdb == NULL) { krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); return ENOMEM; } @@ -1104,6 +1131,7 @@ hdb_mitdb_create(krb5_context context, HDB **db, krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); return ENOMEM; } + (*mdb)->do_sync = 1; (*db)->hdb_master_key_set = 0; (*db)->hdb_openp = 0; (*db)->hdb_capability_flags = 0; @@ -1121,6 +1149,7 @@ hdb_mitdb_create(krb5_context context, HDB **db, (*db)->hdb__put = mdb__put; (*db)->hdb__del = mdb__del; (*db)->hdb_destroy = mdb_destroy; + (*db)->hdb_set_sync = mdb_set_sync; return 0; } diff --git a/lib/hdb/hdb-sqlite.c b/lib/hdb/hdb-sqlite.c index bc176b2bb87e..d5eb3f184e84 100644 
--- a/lib/hdb/hdb-sqlite.c +++ b/lib/hdb/hdb-sqlite.c @@ -418,6 +418,10 @@ hdb_sqlite_make_database(krb5_context context, HDB *db, const char *filename) created_file = 1; + hdb_sqlite_exec_stmt(context, hsdb, + "PRAGMA main.page_size = 8192", + HDB_ERR_UK_SERROR); + ret = hdb_sqlite_exec_stmt(context, hsdb, HDBSQLITE_CREATE_TABLES, HDB_ERR_UK_SERROR); @@ -803,6 +807,15 @@ hdb_sqlite_destroy(krb5_context context, HDB *db) return ret ? ret : ret2; } +static krb5_error_code +hdb_sqlite_set_sync(krb5_context context, HDB *db, int on) +{ + return hdb_sqlite_exec_stmt(context, (hdb_sqlite_db*)(db->hdb_db), + on ? "PRAGMA main.synchronous = NORMAL" : + "PRAGMA main.synchronous = OFF", + HDB_ERR_UK_SERROR); +} + /* * Not sure if this is needed. */ @@ -1031,6 +1044,7 @@ hdb_sqlite_create(krb5_context context, HDB **db, const char *filename) (*db)->hdb_remove = hdb_sqlite_remove; (*db)->hdb_destroy = hdb_sqlite_destroy; (*db)->hdb_rename = hdb_sqlite_rename; + (*db)->hdb_set_sync = hdb_sqlite_set_sync; (*db)->hdb__get = NULL; (*db)->hdb__put = NULL; (*db)->hdb__del = NULL; diff --git a/lib/hdb/hdb.h b/lib/hdb/hdb.h index 892b8e598581..7c6dfcf9d8d2 100644 --- a/lib/hdb/hdb.h +++ b/lib/hdb/hdb.h @@ -271,9 +271,17 @@ typedef struct HDB { * Check if s4u2self is allowed from this client to this server */ krb5_error_code (*hdb_check_s4u2self)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal); + + /** + * Enable/disable synchronous updates + * + * Calling this with 0 disables sync. Calling it with non-zero enables + * sync and does an fsync(). + */ + krb5_error_code (*hdb_set_sync)(krb5_context, struct HDB *, int); }HDB; -#define HDB_INTERFACE_VERSION 9 +#define HDB_INTERFACE_VERSION 10 struct hdb_method { int version; diff --git a/lib/hdb/mkey.c b/lib/hdb/mkey.c index 8265776bf7c8..cfc27d424a2f 100644 --- a/lib/hdb/mkey.c +++ b/lib/hdb/mkey.c 
@@ -226,7 +226,7 @@ read_master_encryptionkey(krb5_context context, const char *filename, } ret = decode_EncryptionKey(buf, len, &key, &ret_len); - memset(buf, 0, sizeof(buf)); + memset_s(buf, sizeof(buf), 0, sizeof(buf)); if(ret) return ret; @@ -279,7 +279,7 @@ read_master_krb4(krb5_context context, const char *filename, memset(&key, 0, sizeof(key)); key.keytype = ETYPE_DES_PCBC_NONE; ret = krb5_data_copy(&key.keyvalue, buf, len); - memset(buf, 0, sizeof(buf)); + memset_s(buf, sizeof(buf), 0, sizeof(buf)); if(ret) return ret; diff --git a/lib/hx509/Makefile.am b/lib/hx509/Makefile.am index b58deb3e37aa..c7ef53182d83 100644 --- a/lib/hx509/Makefile.am +++ b/lib/hx509/Makefile.am @@ -392,7 +392,8 @@ EXTRA_DIST = \ data/ocsp-resp2.der \ data/ocsp-responder.crt \ data/ocsp-responder.key \ - data/openssl.cnf \ + data/openssl.1.0.cnf \ + data/openssl.1.1.cnf \ data/pkinit-proxy-chain.crt \ data/pkinit-proxy.crt \ data/pkinit-proxy.key \ diff --git a/lib/hx509/Makefile.in b/lib/hx509/Makefile.in index cca95bbc04ae..2ebd99d9f1c5 100644 --- a/lib/hx509/Makefile.in +++ b/lib/hx509/Makefile.in @@ -1001,7 +1001,8 @@ EXTRA_DIST = \ data/ocsp-resp2.der \ data/ocsp-responder.crt \ data/ocsp-responder.key \ - data/openssl.cnf \ + data/openssl.1.0.cnf \ + data/openssl.1.1.cnf \ data/pkinit-proxy-chain.crt \ data/pkinit-proxy.crt \ data/pkinit-proxy.key \ diff --git a/lib/hx509/cms.c b/lib/hx509/cms.c index 7aa159cbb2d6..56dafae51966 100644 --- a/lib/hx509/cms.c +++ b/lib/hx509/cms.c @@ -537,7 +537,7 @@ out: * * @param context A hx509 context. * @param flags flags to control the behavior. - * - HX509_CMS_EV_NO_KU_CHECK - Dont check KU on certificate + * - HX509_CMS_EV_NO_KU_CHECK - Don't check KU on certificate * - HX509_CMS_EV_ALLOW_WEAK - Allow weak crytpo * - HX509_CMS_EV_ID_NAME - prefer issuer name and serial number * @param cert Certificate to encrypt the EnvelopedData encryption key 
diff --git a/lib/hx509/data/ca.crt b/lib/hx509/data/ca.crt index c6c0b2706bd2..b8e7bb789556 100644 --- a/lib/hx509/data/ca.crt +++ b/lib/hx509/data/ca.crt 
@@ -1,15 +1,32 @@ -----BEGIN CERTIFICATE----- -MIICbDCCAdWgAwIBAgIJAJky3mEOQBmKMA0GCSqGSIb3DQEBBQUAMCoxGzAZBgNV -BAMMEmh4NTA5IFRlc3QgUm9vdCBDQTELMAkGA1UEBhMCU0UwHhcNMDkwNDI2MjAy -OTQwWhcNMTkwNDI0MjAyOTQwWjAqMRswGQYDVQQDDBJoeDUwOSBUZXN0IFJvb3Qg -Q0ExCzAJBgNVBAYTAlNFMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC50xtn -HPdeJoE7gv8DpEO1smMLiVhD/j3gOH2TdLutIaQp2TR58xyMWtaw1xnqzK/gqEAC -HZHxrDaw+wi9zJrht27uCmm/bSvuIIJhBvIYzIkRZH6y/0fRO1Jz61rAA6ZLx0B+ -vOEOZUQ/QIsCglQE2cwsZwG2FoLYM1MX196NXQIDAQABo4GZMIGWMB0GA1UdDgQW -BBRuSBPcv4uVTBPzH5cw3SeWWZsOaDBaBgNVHSMEUzBRgBRuSBPcv4uVTBPzH5cw -3SeWWZsOaKEupCwwKjEbMBkGA1UEAwwSaHg1MDkgVGVzdCBSb290IENBMQswCQYD -VQQGEwJTRYIJAJky3mEOQBmKMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgHmMA0G -CSqGSIb3DQEBBQUAA4GBAFKb5A7uwl238bpH4/6vPVEQ/egNFFgFNqfr2AXlJ29R -uOyQ2QPhvJyTOCFcr05se2xlqZLNlO+orpASFHgtoxWqQvHZRGQsPMC9OkjYgEWL -0XmC4A/fCDxgIW8xR5iuL8uxobnBo3FeSsJn32YKUbWtYAXbAtQa0rlOAQgrw1ev +MIIFcTCCA1mgAwIBAgIJAJll+TTDkMFyMA0GCSqGSIb3DQEBCwUAMCoxGzAZBgNV +BAMMEmh4NTA5IFRlc3QgUm9vdCBDQTELMAkGA1UEBhMCU0UwHhcNMTkwNTIzMTUw +NTExWhcNMzgwMTE2MTUwNTExWjAqMRswGQYDVQQDDBJoeDUwOSBUZXN0IFJvb3Qg +Q0ExCzAJBgNVBAYTAlNFMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA +vQovoPWtDeqaAUSXDD7gFfXXfxbI4M6yho6C+lc9JqnzeVYk5obeyM14Er+HHNS0 +pGJGvgelSeR0UCUmifr12zQT3hne/J225fobuO6UwcRNstTTaRxO1BdYSsIzixq+ +XJzDb3MRCY/TpE3AJZ5SqdXUexfFzCH12FXuMv4wvOlvrq2pbcKiRMBzgrWK756b +LRR2uD9JjsN7KawVSZCRbc0gudiCX++kZAuIviv2G+kys81gBmZXJAVsVPrb+9+y +wQXvRq2p7XPn6XpPndMHaQgD/2iNOTXbuBby0v71rheaOWFtYVbMseiB0rsdv6Ik +Zl/L55usKDGzgLs8w6kPieDpebYmlXQW3V8LW+QyYHWvcdSmNcqej4Y+FiZqDjin +xPzvqPVJQydVw/yi8gWILNLKB947O5O8NjSxhzHCjB+aIXgLx8uSXXY2EesR8lJz +2SZKdCawut+kWSgHqH5UYf5IXKo+Skg+f1hWdjc44OZyMveMLzk4hTJZWYqVNxll +OiBfz/Hke54CXaDKd4S1C3NVbrZ8w6NADaNQTMyFlHy2VEHDXRrqGrl0h0/4HIrF +7i9ZKkz6uhr209chvFAuSbM4M5dPHE/bIMivVkk4UAm2Y1O9hAnzOMMtpkHnb4M+ +7fTwUXTLT4cSWurzcrAsIG20R3KgApQ95mQlw63gebcCAwEAAaOBmTCBljAdBgNV +HQ4EFgQU/cZWcrzqghlIALCji/d5P/cm/CMwWgYDVR0jBFMwUYAU/cZWcrzqghlI 
+ALCji/d5P/cm/COhLqQsMCoxGzAZBgNVBAMMEmh4NTA5IFRlc3QgUm9vdCBDQTEL +MAkGA1UEBhMCU0WCCQCZZfk0w5DBcjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB +5jANBgkqhkiG9w0BAQsFAAOCAgEAAuwu6a/S/Jc05hjMKWx3VG5leTiUr+DyA+/y +9kHP+FInHa+qd9xil2Ms1kvW4d+A8709On+Gfv96Tzw/FKIr86kgJScwQ5dWHgDV +DN+ogZ9MLW7sjbShSGVrUuJti/nCax5nOw0yzBvkq5tBefDIt185pS+j8utNZYQT +6A1DNVIjWZUywCXZDiAsSXmp+LmAI9fTyUsN5ioLgaVLq/GN8zAUyXmf+VLbNnM3 +k4ZsWmjU98GZYLwuf/cocBiJMf09kwJ3o2NIdb/hgaOjlmY15LehDLVbIuF+FVp3 +hEjohF43zcFxSOLlCLhCVhcM79mzZef+xT9iCtVPiWySEhalmfXIPQ6tTY80doLW +Ed6HhmiRx0sW3yKFfINb12qk4hZJMCMoxBK1AZlEbaB2mQxzz6Iph3kOthIJxilf +/2dmGGi76bT66zz/sK3kz8xHUr+DUCUyVSqDdxS8ODOL4fUxT570JjVZQtzQtD3G +CAq41zsDMGByy+vp61CyU9qrq9OxX2POTQJ7LEegKqLeksGqfFclYnEFKe8VKJRL +kDKIqCk7CeYF3t/7aaUNAHOfNSOiFyRYXYYZLCGmIQyujJFHDz2ziPn/OD/WMkVP +090LkDNjg4FW+DT74Iyda7dl4YQAuE9oZdVk5ZBoruJOOIW7J3e8AuL9znmIBzju +n61nXvY= -----END CERTIFICATE----- diff --git a/lib/hx509/data/ca.key b/lib/hx509/data/ca.key index 04d2516cf188..e635b57ccd09 100644 --- a/lib/hx509/data/ca.key +++ b/lib/hx509/data/ca.key 
@@ -1,16 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALnTG2cc914mgTuC -/wOkQ7WyYwuJWEP+PeA4fZN0u60hpCnZNHnzHIxa1rDXGerMr+CoQAIdkfGsNrD7 -CL3MmuG3bu4Kab9tK+4ggmEG8hjMiRFkfrL/R9E7UnPrWsADpkvHQH684Q5lRD9A -iwKCVATZzCxnAbYWgtgzUxfX3o1dAgMBAAECgYAT8QS6zw/4yZcKxOcLBADEKe2Z -GlcfjNQlEMrhHSDa1oZge0+3WpCQu1rYxWyhlu+04zljQLsdvUZtPbNVcvSX36Br -RuP/6Z5UCn/9YYv69Hv006PoBUWkVLQ4LFZLX1QD1HcyPGdr7GyDweD6n/CgTkrW -nZVw8nVP/dStf1aeIQJBANr6LnKHr2Hd5p004XaHJcNjcFronW3QnLFozZH3WKWI -t1ug6McwBXuk0io+Zz9ituZ8NabV9AdQKTuVVWORPxUCQQDZPgGvIepGaMuthoE4 -D+54BisUjWWkL/w3MTdh2jkwo1foCXvW1kKKBVbLzGNRYlp5lglx33HWekP7wdxe -0mcpAkEA2HD1PAtVlTyKV9UPDeMjtm8xfQnzobnTR6A5oQ+FNYlfA1iW/Vs/8CjH -+y1XTFW8RzF6rn9IB3p6ZwSCNDo6yQJAX6D0+tPyHdZpulQYM8aHkdwdQKnRkUny -O5V1rKR0Ql3VB3aNRhABMGKTR5kMKzohW55ZQAA9S018+ajnyfHSqQJBALSUXIk0 -C+owiDiHu50Q6xFTJr3EmtudKplUCQTZ9xktNxAK08suxJd1UYeOFxkBuviRFvi8 -BuD/JDKYITDMrZA= +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC9Ci+g9a0N6poB +RJcMPuAV9dd/FsjgzrKGjoL6Vz0mqfN5ViTmht7IzXgSv4cc1LSkYka+B6VJ5HRQ +JSaJ+vXbNBPeGd78nbbl+hu47pTBxE2y1NNpHE7UF1hKwjOLGr5cnMNvcxEJj9Ok +TcAlnlKp1dR7F8XMIfXYVe4y/jC86W+uraltwqJEwHOCtYrvnpstFHa4P0mOw3sp +rBVJkJFtzSC52IJf76RkC4i+K/Yb6TKzzWAGZlckBWxU+tv737LBBe9Grantc+fp +ek+d0wdpCAP/aI05Ndu4FvLS/vWuF5o5YW1hVsyx6IHSux2/oiRmX8vnm6woMbOA +uzzDqQ+J4Ol5tiaVdBbdXwtb5DJgda9x1KY1yp6Phj4WJmoOOKfE/O+o9UlDJ1XD +/KLyBYgs0soH3js7k7w2NLGHMcKMH5oheAvHy5JddjYR6xHyUnPZJkp0JrC636RZ +KAeoflRh/khcqj5KSD5/WFZ2Nzjg5nIy94wvOTiFMllZipU3GWU6IF/P8eR7ngJd +oMp3hLULc1VutnzDo0ANo1BMzIWUfLZUQcNdGuoauXSHT/gcisXuL1kqTPq6GvbT +1yG8UC5Jszgzl08cT9sgyK9WSThQCbZjU72ECfM4wy2mQedvgz7t9PBRdMtPhxJa +6vNysCwgbbRHcqAClD3mZCXDreB5twIDAQABAoICAGl8N5ufu5NaZ9lxRsAkjbJz +Xm6ibjFT5bbD6z56U7sxdpUshqbEd6ihTvFXQrPJ1Yss88CyT39uJaFbOaghC/Pn +mXaEBTP9ZcPqznFhYEzHl3vE2rt6elpLNI9y0oQ6xiKzrzKPiOBHC5hRcnkLYaE3 +mrudRlhkUuUG/kYiJVwk/pcAfNyskRPAODSlzQNtA7YiByVE22z4k89rIO3N5/jX +T/2kXQvfk2HoNcO4kDp+5DYE0iKAFPwaspqw6PQhnYOsJhrQaVQBK1XTVH4C9c2c 
+FW7+Dl/wN8z/sTwf3UPqE7sVLI32e36C+X53v1/hwGIH7qYs7eH36exZjsy3l90o +jbWvavSNB5U94rNVU42LuQUSL8ftAA9YjpmuqeZlhiumSGaz+ezC/BQ2SE0aUjyg +/C4ZWTbwkMXif5p8DJng9vNofQJQ4qcLGnykan0tvI1naGNyVpvXcL+qGo5znN8E +xH9hPZHk/axbV9U5sIhUM8IjGPCHldU9W+t+Ngy+k+yF9cYVQSwBnyeVM0dlWVOb +Fy4kmXYxG7mZc6HI1aRg1Xd6rQadJ+5RkfPCa+2p2ZafoJIkNr+LbuTsri7AWlrf +aI8MS27Wp6BmXL5YnofX2pFstLL4tStAknAMzK16RtYSs/dd69gbUdaTrmpVCi1s +YzOmtNXFLZs+Lh0X+KgBAoIBAQDl6mycpf3clYkJ/sFaY1svX/L0Zs4BJqajKIuJ +K1SoVCTtmiEcA0n9tZzEBp1rBgpAYdxkI8tWge6weel6Ckbunl8CLYZ0VvmAaYaJ +/VHBzAorcH/RIlAUV/P5WSdGjtAnPK0TSdAARRppW1k01kO+XmIL/f0Mk+6KD4MX +wgiKVKyutJ8/SjOkfzhpe/zyqAMZV0W1aDkq5focaIqy2pVZsuX47jWZyZeeCy8i +OzpYzlCE9os+0sQU107LLcQ3YsmLFP93MA+nsatUaMzeXE5VcHsq1UbqgV3tEPgA +QALbn7ulw6ChGzHrTyJc93dHWqGfqVi0incienn4NRnHZRYBAoIBAQDSfJQSLPBp +UQL6kGkIPc0C8y836cNmrj5QZppbIyoTggA2ZTC8E+qKJ0rHrbzKkBZBwhLhmjcs +qsGwuoOqQfdWW+1AAVIrjrjjoSwrT4CZqOR/vvu/2Rvb1DTxyq8Ysf4Ure/sjDUo +EenufVQTqeBlYpvaIZirMPrvWNq0Ky7AHi5sUYQ0J6nx5uB4iwboWGB7aBf7KSh9 +hMXivYKI1hiHylkvRzGY91OCOsiHyqGrEC77lH4tMGexbkUxc+VnAhuwxdhDDJ3l +34O4iMEhS10gBLYc6Gi174YmHQMpPvbjtcNQ8DjNDqWr7wBYhfUVw3aqpRs5D8JX +Jxco6PRXM7+3AoIBAQC8gGr0NBPjGqb0ju4wEW3ddalYQEF+KBZPhxqAKAqMyBBO +ziN/OCMd5BzXiyTdbmJRTurHH6HDF1x/TDTkXjCxyx7SRkkKcZS2d85arFqvrX5Z +By+EY8GMLGBXe4T8EHMQ+GpeehITZpS09LQ64cFA/1kbw+4ItfDJONaeT/N4ltvN +kUFPPqMAp120/nbw7Fc+G5OHnB/i0BMz33J4GUaB+G8cnRFNOT8Z0MmgIzc/QEg7 ++3dG1r7052IuqyNI1bGwWlLpgXoUX1K9Lf9p//wpiMMy5xHxiodbqqHqcpDlSB0t +VysHa6iN6J+f4TTmR6RjpxCXVT9AAXKm0cKE/JgBAoIBAQDRbUCKoQoHT6KOGddX +at4rnDkUAdP4u0+nAZ99JIy94jBB7wbBa3OGSDgAWx4n0ZtDjEzrCVzyZWfYZouQ +gJgO5eI2N9pBGn1dh0SCR1UmDkRj0mt75BHy9L5FAayb/qVWgAXjL1HIb6J5N1vL +QM/TMHzvWVQkqNRUBu18LCcU4jLAdY77sadG17fqWDHkReKhht2tebMeyFd4FaTm +b1by7OM1xjlUAGmnfsN9UKDwqmaEzKeKYMobYSMZZD4Q8qkIhqF5fPkx+eV+WxsF +/I1IyUdFlfxxYUPxchZuGIbf5D7Url9lr7gpTODkM0y6fcP5X9OpP8PWoT9K5hYP +GZ8bAoIBADA78xaN+InvJYPY/a7mPmLpLm44KsCRvB/aYZmwQl00Cz1miOLZgKC0 +9crfkTdZKt8v/RZSAAduyiYMFNaXMBR9mNYCwmLzFfcNydI4ow6sJYr3nj0SOsN5 
+v0XJp+cJxqlC2ZGNlNYZVGcoxXyM00PSAA1AL/oRyplC99o5DgLDhMr01ok1PuPQ +7K3z06yCKBrAwEFXxzhI7YwdN97iY050TQLvOfO+conf5KIbb3EHycfeF0mM4OdO +q4WdmPePVkve8PwRBdENjjrdgbUCPJV9Nk9MiAQOf5CpuH6SvuhhaRQTJgSJnxmN +iW68RMhfob7KD8lBv9mlYZ4ZQSwJRtM= -----END PRIVATE KEY----- diff --git a/lib/hx509/data/crl1.crl b/lib/hx509/data/crl1.crl index 568f6b696534..606efb7240e5 100644 --- a/lib/hx509/data/crl1.crl +++ b/lib/hx509/data/crl1.crl @@ -1,8 +1,16 @@ -----BEGIN X509 CRL----- -MIIBBDBvMA0GCSqGSIb3DQEBBQUAMCoxGzAZBgNVBAMMEmh4NTA5IFRlc3QgUm9v -dCBDQTELMAkGA1UEBhMCU0UXDTA5MDQyNjIwMjk0MVoXDTE5MDMwNTIwMjk0MVow -FDASAgEDFw0wOTA0MjYyMDI5NDFaMA0GCSqGSIb3DQEBBQUAA4GBAGXXCNeUIctd -TfKIUIpMbtHnUXYLA8hcB+6Iyc24VR3m+HNYx9XT6Qp6hY4Wg8Qq4p+0KFTxz4JU -XLTZWduvgB9+AL+ECXIUmx4FHkgwwq5+AyYygDqzYOVJszJ9hNp7HHthobObrRm4 -Q6hn748UG1nd4gp7zKB7ReLvLYff411G +MIIChTBvMA0GCSqGSIb3DQEBBQUAMCoxGzAZBgNVBAMMEmh4NTA5IFRlc3QgUm9v +dCBDQTELMAkGA1UEBhMCU0UXDTE5MDUyMzE1MDUzMFoXDTI5MDMzMTE1MDUzMFow +FDASAgEDFw0xOTA1MjMxNTA1MzBaMA0GCSqGSIb3DQEBBQUAA4ICAQBV451IywmB +L153EAciLerLs05gqigj3qrqnmzS7AVV9u05u4bq/XYllIIWua7kCnGXmx0xqY+p +FpFlS3BKrSIOkSHL4gpwMOmZmCssaOivd88/tHCGeOtMKz3q811m4q8MyfzEc+T3 +EHg6yjsCWrWbZmrM+A8MYO2S/XZOPG88N87nQxKYbrZA/SDspNODujdXdKFMI8Qj +9xY7aqI6w9GYiTYDXrJ+2VGtFacYwVrY1Xk3pt7DoFbq6VwVfpsYHf0zRag/xfGW +EbIQywJDhLuLWB3gtWTYnZ3MD2LS5uCEfolckuFBw66JOZCmUq66VscTHOE5d59q +bld2YoPVUme4QJfYMygWgyi8rnN4YkSfYaCxnDPO9vFk968N6PA+py5jHjecyVw9 +ih2rXNIk/Ia2wvyN84MBu/vpC7GyD0bBpB+aMxQvHuNYUDDnIeMRCu+Hs2Td6U57 +lmdFudCxJ8S0kF6eCx5HdOrvyRtHagsGPt1aFLxnNEc2x4ewJa1iggTBcs+X5qXC +pk6D5FDLN5TXooi9NbLFSCdLWpoMI+KOB40Ma3KaGej0a2pZiJe8j4EPQ6WhR6Og +nZSdwCtgTyoynI6g6YeGzkD0ZzuPujt8rsyu+cBZOdxnhuAn7F1UtIcwE4jVmmca +EuMR2oFhjnEH4ooS/kWmgmzGPEMixKSbpA== -----END X509 CRL----- diff --git a/lib/hx509/data/crl1.der b/lib/hx509/data/crl1.der Binary files differindex c1e08c0b524c..f42512706a12 100644 --- a/lib/hx509/data/crl1.der +++ b/lib/hx509/data/crl1.der 
diff --git a/lib/hx509/data/gen-req.sh b/lib/hx509/data/gen-req.sh index b832a43d9646..09f0dfb0bcd2 100644..100755 --- a/lib/hx509/data/gen-req.sh +++ b/lib/hx509/data/gen-req.sh @@ -7,13 +7,20 @@ openssl=openssl +# workaround until openssl -objects lands +if ${openssl} version | grep '^OpenSSL 1\.[1-9]' >/dev/null ; then + config=openssl.1.1.cnf +else + config=openssl.1.0.cnf +fi + gen_cert() { - keytype=${6:-rsa:1024} + keytype=${6:-rsa:4096} ${openssl} req \ -new \ -subj "$1" \ - -config openssl.cnf \ + -config ${config} \ -newkey $keytype \ -sha1 \ -nodes \ @@ -23,9 +30,9 @@ gen_cert() if [ "$3" = "ca" ] ; then ${openssl} x509 \ -req \ - -days 3650 \ + -days 182500 \ -in cert.req \ - -extfile openssl.cnf \ + -extfile ${config} \ -extensions $4 \ -signkey out.key \ -out cert.crt @@ -39,12 +46,12 @@ gen_cert() ${openssl} x509 \ -req \ -in cert.req \ - -days 3650 \ + -days 182500 \ -out cert.crt \ -CA $2.crt \ -CAkey $2.key \ -CAcreateserial \ - -extfile openssl.cnf \ + -extfile ${config} \ -extensions $4 name=$5 @@ -52,14 +59,14 @@ gen_cert() ${openssl} ca \ -name $4 \ - -days 3650 \ + -days 182500 \ -cert $2.crt \ -keyfile $2.key \ -in cert.req \ -out cert.crt \ -outdir . \ -batch \ - -config openssl.cnf + -config ${config} name=$3 fi @@ -109,7 +116,7 @@ ${openssl} ca \ -cert ca.crt \ -keyfile ca.key \ -revoke revoke.crt \ - -config openssl.cnf + -config ${config} ${openssl} pkcs12 \ -export \ @@ -348,6 +355,6 @@ ${openssl} ca \ -cert ca.crt \ -crl_reason superseded \ -out crl1.crl \ - -config openssl.cnf + -config ${config} ${openssl} crl -in crl1.crl -outform der -out crl1.der diff --git a/lib/hx509/data/https.crt b/lib/hx509/data/https.crt index 2056c899c8cb..0d393a8e1db0 100644 --- a/lib/hx509/data/https.crt +++ b/lib/hx509/data/https.crt 
@@ -2,25 +2,51 @@ Certificate: Data: Version: 3 (0x2) Serial Number: 9 (0x9) - Signature Algorithm: sha1WithRSAEncryption + Signature Algorithm: sha1WithRSAEncryption Issuer: CN=hx509 Test Root CA, C=SE Validity - Not Before: Apr 26 20:29:41 2009 GMT - Not After : Apr 24 20:29:41 2019 GMT + Not Before: May 23 15:05:17 2019 GMT + Not After : Jan 16 15:05:17 2038 GMT Subject: C=SE, CN=www.test.h5l.se Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) + Public-Key: (4096 bit) Modulus: - 00:c6:f4:94:25:2b:d5:fa:e9:3d:00:a9:46:24:f1: - bf:fe:61:df:bd:cc:da:74:b7:f9:36:c1:ce:51:d2: - 01:6f:79:ba:b3:4a:d5:a4:43:5a:c7:ad:e4:e0:50: - e2:a6:bf:54:73:ad:a5:86:0a:bd:56:c4:4f:b5:f5: - 7f:7e:fe:10:78:17:e2:35:4c:bb:cc:4b:74:35:d0: - ab:63:b1:02:72:94:a7:9a:dc:10:ef:28:82:a9:6c: - dc:19:8d:b8:3e:5b:21:52:1f:88:51:a6:5a:f8:67: - cd:cb:48:6f:f5:8b:71:7c:4d:52:da:bb:f9:26:8a: - 27:9c:7e:8a:d1:99:54:35:7f + 00:b5:58:e9:eb:2d:b3:7c:94:b7:a2:08:ec:fd:50: + c2:61:a4:35:c8:eb:ad:d6:93:4c:50:9a:ad:e0:9a: + 00:ae:4e:ef:ed:5e:ef:d9:cb:98:a6:5e:65:7f:a6: + 38:c0:ee:17:48:90:80:4c:6c:71:7a:11:af:11:22: + 1b:17:2c:db:c2:cc:2c:d0:0e:de:ea:95:6a:d0:42: + bb:b0:a1:eb:7c:9e:f0:28:64:dd:44:7f:c8:f6:d5: + 48:e4:80:be:f7:58:18:d6:d4:57:7a:09:07:3f:23: + d8:00:53:84:0f:72:e9:0d:a8:b9:49:57:80:f4:00: + 9c:92:16:bd:a7:ea:12:81:96:59:48:8b:ff:b9:8b: + 9d:68:e6:7c:0d:fb:c8:57:cc:ba:6a:4c:57:cc:e4: + eb:af:cc:6e:38:80:e6:47:a0:f2:e4:09:39:79:fb: + 42:c4:29:b2:8d:f1:8f:b9:45:1f:47:c2:e8:30:84: + a5:e7:fa:7c:df:f0:07:89:1e:fd:6f:a5:1d:88:57: + 4e:76:bf:91:c7:39:ac:87:6f:b0:29:0b:c0:04:89: + 95:9a:8a:b3:4a:22:63:7c:26:e2:ea:fc:e5:f8:43: + b5:67:50:0f:99:e0:9d:e2:2b:3f:fa:19:e4:61:1a: + e4:c7:68:66:43:a1:05:15:24:c4:09:3b:5d:b4:3a: + f8:87:d4:d8:80:cf:6c:ed:fa:b1:b7:7d:2b:68:ca: + 3a:26:a6:49:1e:e7:27:fc:4f:89:7b:19:ce:8d:c9: + 9d:cd:55:63:72:29:b1:2b:1b:35:a4:07:32:4f:13: + f1:bd:03:1f:b4:fc:f0:05:c4:9e:b0:c8:72:37:2c: + 0c:82:bc:d4:a7:87:d3:33:10:f3:80:fe:bf:61:1b: + 
5e:c0:5b:c0:09:3d:db:c0:9d:91:92:c4:7c:7a:eb: + ec:b0:8e:69:a1:47:66:53:02:51:55:90:d1:e2:9a: + 86:70:7b:63:d4:b9:03:18:c8:01:69:c6:e9:63:bc: + 2b:b5:75:dc:03:5f:ef:b2:d3:3a:c8:db:3c:b6:3d: + 59:91:fc:7d:96:bf:43:97:5a:40:d6:f2:f8:82:44: + fb:9d:36:47:3f:3a:33:43:6d:9c:44:ba:60:1a:9d: + 77:02:44:14:d0:73:99:53:6d:ef:70:34:0b:11:b1: + 16:c3:c9:4b:41:66:64:4c:88:fe:12:8f:3d:4f:29: + 2f:b3:e8:15:8b:26:5a:ba:f9:fc:6b:ec:9d:8a:d9: + 65:17:de:e5:ce:a7:84:1b:1e:f1:ad:32:b3:78:15: + 7a:08:e3:93:9e:e5:eb:3c:33:9e:d5:2a:21:20:62: + 90:c7:d8:3e:d4:1e:0f:06:20:01:6e:22:a4:67:de: + 68:f0:b9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
@@ -28,26 +54,63 @@ Certificate: X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Key Identifier: - 8A:BB:2D:06:4B:BD:DE:9A:BA:7C:5A:35:D0:E2:19:37:48:29:0E:9C + 91:03:3F:14:E3:BD:43:98:B2:D4:7F:46:C2:A7:B7:BB:0F:74:99:F3 Signature Algorithm: sha1WithRSAEncryption - 90:35:ec:8c:f2:62:14:76:8a:29:52:99:44:c1:d7:c8:9e:74: - ef:90:4f:e7:ea:4d:cf:8f:c1:73:0c:d9:49:06:93:30:b0:19: - 5e:de:9c:11:93:66:02:4d:8f:e9:8c:52:fc:26:26:9e:09:69: - a5:a7:63:d2:2d:40:de:e5:d8:d5:51:c3:32:60:6a:2f:26:13: - 91:69:36:f6:67:e4:b0:54:9e:77:68:22:5f:51:b8:3c:42:bd: - e3:09:dc:11:9b:ed:db:63:df:90:57:38:00:90:be:89:e7:ea: - 8e:d8:21:cd:96:68:69:4b:a3:15:50:ce:63:80:2a:99:4b:ff: - dd:1c + 27:3f:d8:cb:68:c8:ef:35:ed:a0:50:d7:58:60:77:48:76:45: + 7a:2c:20:22:81:62:e3:e2:0d:10:48:d7:74:23:95:76:fb:78: + c3:98:d2:39:13:13:7f:2a:38:dc:2a:80:ba:33:0a:51:d6:9e: + 0c:44:04:84:f0:ae:20:1e:e6:e8:89:09:cd:87:66:1b:80:21: + e7:bc:03:e0:c7:15:19:23:b7:05:0b:f9:64:50:b6:6f:7d:14: + 68:96:bb:4d:d6:c0:29:7f:e3:a1:48:c4:ad:6f:a7:bf:d2:63: + de:b7:fa:4f:8c:5e:ad:8e:c8:7e:4f:a4:9a:95:71:29:10:64: + 78:a0:55:ac:ec:9a:f0:27:03:2e:c4:ec:fb:4f:d2:a0:7e:98: + 90:88:30:02:45:07:10:d5:ad:f6:a8:e7:01:6c:87:c7:2e:0d: + d1:35:3a:e6:b0:e9:19:c9:c9:f7:ce:5e:77:d1:50:84:8a:c3: + d1:f1:56:2d:6e:65:0d:6f:e2:a0:c5:0e:48:82:6e:da:37:42: + fa:cf:5d:92:84:3a:67:bd:41:28:19:b8:81:1c:c3:eb:00:f0: + b0:a9:59:17:79:87:4b:d9:4f:e8:cf:30:76:42:55:9c:57:00: + d1:b2:2e:19:59:31:24:c2:9c:fa:c1:0b:54:56:a5:29:19:fd: + 14:82:c0:3f:a8:d1:a1:c9:6d:1e:f4:11:89:50:58:4f:8d:8a: + f8:f2:47:29:8c:a8:2d:21:1b:9b:ef:c6:1f:63:90:85:f1:c7: + d0:40:a0:53:29:9b:49:6a:73:38:d2:25:95:f7:52:2f:a0:24: + 1c:af:f1:f9:6e:78:d3:81:03:cd:3d:91:b0:99:45:fb:87:39: + 6e:b3:7c:fb:f7:60:01:86:71:40:5f:85:8b:7e:fb:cf:95:df: + 76:cc:7b:2c:06:d9:a5:cf:4d:f7:62:ab:57:2c:da:83:6e:34: + bc:bd:d8:d1:d4:5f:1b:94:78:c0:d3:b1:8c:82:d7:b1:f5:2c: + e5:30:bf:59:3e:d2:1f:a4:8e:0b:0c:d6:d1:fd:08:24:2c:31: + 
cb:b0:e6:36:3f:d7:b0:46:99:e1:48:18:8f:9f:42:fd:44:cb: + 6d:cc:b3:07:3b:7c:eb:44:d2:b4:52:12:2a:ba:c3:cb:f8:04: + 65:02:27:61:b9:35:9c:0d:0b:70:a1:d4:e7:c8:49:91:37:03: + 9e:8f:6e:a5:91:e8:6e:5e:ec:c4:17:4c:f6:dd:93:11:9d:40: + ad:e2:3c:05:dc:22:ff:1a:04:d7:b0:d4:a4:c0:03:e3:ba:4c: + 5e:b3:7a:bc:08:73:52:92:42:ab:7a:85:e1:64:e1:4e:b5:63: + 98:a9:b1:fb:23:61:1e:d5 -----BEGIN CERTIFICATE----- -MIICADCCAWmgAwIBAgIBCTANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw -OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA5MDQyNjIwMjk0MVoXDTE5 -MDQyNDIwMjk0MVowJzELMAkGA1UEBhMCU0UxGDAWBgNVBAMMD3d3dy50ZXN0Lmg1 -bC5zZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxvSUJSvV+uk9AKlGJPG/ -/mHfvczadLf5NsHOUdIBb3m6s0rVpENax63k4FDipr9Uc62lhgq9VsRPtfV/fv4Q -eBfiNUy7zEt0NdCrY7ECcpSnmtwQ7yiCqWzcGY24PlshUh+IUaZa+GfNy0hv9Ytx -fE1S2rv5JoonnH6K0ZlUNX8CAwEAAaM5MDcwCQYDVR0TBAIwADALBgNVHQ8EBAMC -BeAwHQYDVR0OBBYEFIq7LQZLvd6aunxaNdDiGTdIKQ6cMA0GCSqGSIb3DQEBBQUA -A4GBAJA17IzyYhR2iilSmUTB18iedO+QT+fqTc+PwXMM2UkGkzCwGV7enBGTZgJN -j+mMUvwmJp4JaaWnY9ItQN7l2NVRwzJgai8mE5FpNvZn5LBUnndoIl9RuDxCveMJ -3BGb7dtj35BXOACQvonn6o7YIc2WaGlLoxVQzmOAKplL/90c +MIIFBTCCAu2gAwIBAgIBCTANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw +OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxN1oXDTM4 +MDExNjE1MDUxN1owJzELMAkGA1UEBhMCU0UxGDAWBgNVBAMMD3d3dy50ZXN0Lmg1 +bC5zZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALVY6ests3yUt6II +7P1QwmGkNcjrrdaTTFCareCaAK5O7+1e79nLmKZeZX+mOMDuF0iQgExscXoRrxEi +Gxcs28LMLNAO3uqVatBCu7Ch63ye8Chk3UR/yPbVSOSAvvdYGNbUV3oJBz8j2ABT +hA9y6Q2ouUlXgPQAnJIWvafqEoGWWUiL/7mLnWjmfA37yFfMumpMV8zk66/MbjiA +5keg8uQJOXn7QsQpso3xj7lFH0fC6DCEpef6fN/wB4ke/W+lHYhXTna/kcc5rIdv +sCkLwASJlZqKs0oiY3wm4ur85fhDtWdQD5ngneIrP/oZ5GEa5MdoZkOhBRUkxAk7 +XbQ6+IfU2IDPbO36sbd9K2jKOiamSR7nJ/xPiXsZzo3Jnc1VY3IpsSsbNaQHMk8T +8b0DH7T88AXEnrDIcjcsDIK81KeH0zMQ84D+v2EbXsBbwAk928CdkZLEfHrr7LCO +aaFHZlMCUVWQ0eKahnB7Y9S5AxjIAWnG6WO8K7V13ANf77LTOsjbPLY9WZH8fZa/ +Q5daQNby+IJE+502Rz86M0NtnES6YBqddwJEFNBzmVNt73A0CxGxFsPJS0FmZEyI 
+/hKPPU8pL7PoFYsmWrr5/GvsnYrZZRfe5c6nhBse8a0ys3gVegjjk57l6zwzntUq +ISBikMfYPtQeDwYgAW4ipGfeaPC5AgMBAAGjOTA3MAkGA1UdEwQCMAAwCwYDVR0P +BAQDAgXgMB0GA1UdDgQWBBSRAz8U471DmLLUf0bCp7e7D3SZ8zANBgkqhkiG9w0B +AQUFAAOCAgEAJz/Yy2jI7zXtoFDXWGB3SHZFeiwgIoFi4+INEEjXdCOVdvt4w5jS +ORMTfyo43CqAujMKUdaeDEQEhPCuIB7m6IkJzYdmG4Ah57wD4McVGSO3BQv5ZFC2 +b30UaJa7TdbAKX/joUjErW+nv9Jj3rf6T4xerY7Ifk+kmpVxKRBkeKBVrOya8CcD +LsTs+0/SoH6YkIgwAkUHENWt9qjnAWyHxy4N0TU65rDpGcnJ985ed9FQhIrD0fFW +LW5lDW/ioMUOSIJu2jdC+s9dkoQ6Z71BKBm4gRzD6wDwsKlZF3mHS9lP6M8wdkJV +nFcA0bIuGVkxJMKc+sELVFalKRn9FILAP6jRocltHvQRiVBYT42K+PJHKYyoLSEb +m+/GH2OQhfHH0ECgUymbSWpzONIllfdSL6AkHK/x+W5404EDzT2RsJlF+4c5brN8 ++/dgAYZxQF+Fi377z5Xfdsx7LAbZpc9N92KrVyzag240vL3Y0dRfG5R4wNOxjILX +sfUs5TC/WT7SH6SOCwzW0f0IJCwxy7DmNj/XsEaZ4UgYj59C/UTLbcyzBzt860TS +tFISKrrDy/gEZQInYbk1nA0LcKHU58hJkTcDno9upZHobl7sxBdM9t2TEZ1AreI8 +Bdwi/xoE17DUpMAD47pMXrN6vAhzUpJCq3qF4WThTrVjmKmx+yNhHtU= -----END CERTIFICATE----- diff --git a/lib/hx509/data/https.key b/lib/hx509/data/https.key index ee6065a0006f..1a1c28e5eac8 100644 --- a/lib/hx509/data/https.key +++ b/lib/hx509/data/https.key 
@@ -1,16 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMb0lCUr1frpPQCp -RiTxv/5h373M2nS3+TbBzlHSAW95urNK1aRDWset5OBQ4qa/VHOtpYYKvVbET7X1 -f37+EHgX4jVMu8xLdDXQq2OxAnKUp5rcEO8ogqls3BmNuD5bIVIfiFGmWvhnzctI -b/WLcXxNUtq7+SaKJ5x+itGZVDV/AgMBAAECgYBfO282I7d3NPGYQW5r/LPUBfFd -HpNqzy0hQr+JdqZtP61YaPe+eucXMWue29jBzE+WV4YllTpwL+Ofy3VNyjsDCIva -acqVrimYl5EAT1yiqvC1DNC0SvAfEsBlpMJr7w8F4M7wbSxvGIWjRVeZtLd7H4pw -8ooDNZNlcXPyrBozQQJBAPGxPPiO66EpiN66ffRiqnof1lGUFaZPqBKYF/M3mybt -X7vMKQsrQpdNQTbtR2u42yBUJGw4trhIn1qDInkgXfECQQDSu61Z/m5xRVlBk3mj -QMqSVX+FoD3WtSry003lcxGfNsuguJtYHXHHhPbPNMUaDEtErkbUMQHNFX5mEjGp -0RpvAkEAwbDhhOy8pw5rMtvP3w9HQdHL5tq/MuY5cpVS9EaG335yL0VhSyMjHa/6 -6HLlvs2JRnJIMjaNMEh69IWNFfc7cQJBAIOzIy3BI0jLLHMdNcHfdjpqEJ50fPE4 -nDTR9jbV6Ud1uWEivoMdM8SbxpvMwPn8gPXVbRKj5hpDupEUAdG9iyUCQQCNSVcl -NREl42G5ZQ2Q+zYtYIJbe9SAxu7WcfzctFleRbmKPLqrcnCLWenWWHtrzZLRgFhw -rLiglEkVDRXivfhq +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC1WOnrLbN8lLei +COz9UMJhpDXI663Wk0xQmq3gmgCuTu/tXu/Zy5imXmV/pjjA7hdIkIBMbHF6Ea8R +IhsXLNvCzCzQDt7qlWrQQruwoet8nvAoZN1Ef8j21UjkgL73WBjW1Fd6CQc/I9gA +U4QPcukNqLlJV4D0AJySFr2n6hKBlllIi/+5i51o5nwN+8hXzLpqTFfM5OuvzG44 +gOZHoPLkCTl5+0LEKbKN8Y+5RR9HwugwhKXn+nzf8AeJHv1vpR2IV052v5HHOayH +b7ApC8AEiZWairNKImN8JuLq/OX4Q7VnUA+Z4J3iKz/6GeRhGuTHaGZDoQUVJMQJ +O120OviH1NiAz2zt+rG3fStoyjompkke5yf8T4l7Gc6NyZ3NVWNyKbErGzWkBzJP +E/G9Ax+0/PAFxJ6wyHI3LAyCvNSnh9MzEPOA/r9hG17AW8AJPdvAnZGSxHx66+yw +jmmhR2ZTAlFVkNHimoZwe2PUuQMYyAFpxuljvCu1ddwDX++y0zrI2zy2PVmR/H2W +v0OXWkDW8viCRPudNkc/OjNDbZxEumAanXcCRBTQc5lTbe9wNAsRsRbDyUtBZmRM +iP4Sjz1PKS+z6BWLJlq6+fxr7J2K2WUX3uXOp4QbHvGtMrN4FXoI45Oe5es8M57V +KiEgYpDH2D7UHg8GIAFuIqRn3mjwuQIDAQABAoICAQCmrGPCHSzcEat9J4r5f2JI +b65nTgVmM9duNdwdlC2QB0kI97qmiDNypUvQOKvs1mdb8EOa+giJ0vr+WkRf1oDc +1t9REnnbTRzw8ISk4Q0YatP7rEiZjoDcLEdkjNf3aWba/CqyJN4eMAl0s02rDUgZ +n7s8J0qD+JPuySviyoXbyJ2iydltZV51bXETQRhvaeDjlesUjEn6N4AOOpprtwfG +gpvq+v3wYQqU3zHjbB5FzGOvRBtfzJ89CtVCN9Ni63TrPKMHDSck3mMtz38vGneP 
+NAzmDxidyGF7WBozM+EBfumZXMIaAZHarzmL2oRGo3sls1RaUAHl3va2LXQAFDsa +vwAZBc5vcoBvnBCmnQCGnOF4NLSvo+x1CBWpDl7hatUfO35D/aLtIPZh6RofEVCy +IQAM/ScZfk9kGyy7QfoTiPNjzCx+YF8iXQV/04Q2E2/nHRhq5OnyL3gzXd5PWuzM +SLsEcYZecAJ3K4OJCtXTMguaaPNQqdGbkBKW47/lun216QL2CVAeKcRnqC+xNJ51 +Rv9sQTMrBhByPZvhO7I6m0PA1CU5ACcVYHHx1zkVRNYbC9Wv8KSk3Nj3Yi0br8wO +akPDFCUcA5VSysQ3Be5VxF5yUiwuAb+sjl1E815l+ElvVFH4I1AY8GyC1kgBg0Q4 +L3lTiKS7EVZJTOvDGgH4iQKCAQEA6ufkBK3t6JOgq1LRl5+XdSZtMklwh7/0E7ma +Kwma55gpmiOZmEK5mkBowR2J7NS1XXtOJkV2oj9vVU6hFFipU/5eNTEc7FqhJzxs +WPtsJmVrwzEXq9rTDQ+EsOoyfPamocg3eMeWIfpjtWue7rn779/enamkUVuxal+C +Tpw7zC/V3cg8jvjOMktafCUGtO4GtsRyxJeiNxWkd1Dfb4WYkc9pye6m7SpciKUJ +HunNtLzHuXCc0nlt60JffecGgfGl6M2rWDPROYR64WXmYufus4JrP/qdBiWYV9zl +33NNuTRuLKitFQsPv12+MHB6vUWj2x5SpfH5sJAK0LiMRTQW9wKCAQEAxaHMdh7e +Votke9cQ8n/AXAkczLEI2XnGUFYkqCirqw+kQhNyzyy0iO36N1bUY5GyaJP2xz4X +gUYoxcNnnjXghiJ8aEqnrbpcS/4YxvgVf4wMDaBgc3PNFA5zrKplYDVzUT8rYsmR +6m/q84CGcmPYelP/reVBpMqJKucB4vIY+tbBoF2jre1EPJBTjNggaHavQ+j5Hi6Q +ec+n18KhXZt+vFKFHmkYxMweHnOFEMNDY5s7q5pwnee93f+2NCtYmcmkNaNRUMRf +3N4t8HRPLbtObYYp9A3u8C8p3Zcj7GjiWA7uzKOB0hCQaf8zEKmVky5GuvawZhm3 +vT1FSKJ1aQXZzwKCAQA1xLh7nbg8KTZ4oK9a7mvDo/UQsqCwYe6jaTNxsHQlmL3F +C2sH4BYNybpwoatFa3bMHAJKXlIGV1DLjQDv4E9561pzAHfnXeNPUNRYFcyuiT5+ +YklRy/fNIIU13ZWK5wZDN8oCumSSCHc0OpsZd7bENFEHc6IqATv95ji0d6x0U2q3 +pjK+YxMHjhn7GpqLZYRh51uBxleaFjkcGoXaSBEhJwHG9/p7hNvDZ0tMKSYtvZxV +xQIQZz0SwZGMBwqFSeO5AwK6YLn+WWWrHCD8+Ku5qRuVfG7ezlItomF3oTPkNa0W +SdG8ZFjJa9Kx0b02f68+45T1aQrHMGFZXzS0TnUHAoIBAHPAxZF1mQIVmKAUIj/2 +ZUNCrxSQqD9AXNAW9FdtosaJXcq5u2fupjsBL6mT+MfswRMRftvJ2ViFMEJMpfb7 +VWsa7cTj3PwbCA4WYIrBKU5QR4r/oR5d+ALESCocj03fYJB4sD+nEgi+zl0arSR4 +qIVVh45hlaYgXmC7dtZmuAzLFhOIZOLs8ieK3PTEbY7h3Nuoq6hq24INByCPRZYf +CgbhSki6g6BYcVeij5B23ZSMilGDHmzOG93X9O7vaHCCsuQbqPfmXMNvena4mNuP +NmtdxlrEgms5JIs+B/Nipxeuf11qcxIHU55Rs6YRvaK72v+Ml1rlu0Fijp7xUFVX +8O8CggEBALa5eXFkbBLudIrvum4+trQDD1WWjUO6WmR+VuddKSsEsKj4q6ubbCEZ +Dj4RyRNlDJ4yCaJtMFdfT8bjRcbLrHw5ZVgUpvtPBWGAvuVc9Tr/xq1Hn75w6isu 
+BEeWN2DSWSofpWCaAQk20EKzXxkIrzgzt1Ht5t22wsZ9Def07G6eUWlRQy1hRbH+ +G8sv+E5soYm5/3mAcUuUqsbyCqm4zaxSPquvbuywYPjQXyU24tfr8TtQz3XiWpzM +ZS0Wou4EgiJQUZGcwV8rX5j8ELSTNkm5UnBaLRWT/raG3s30F6B3WjLbsxr926mB +2zmdO3l0e9ryWpkYHrKaEdZhkQx6ryE= -----END PRIVATE KEY----- diff --git a/lib/hx509/data/kdc.crt b/lib/hx509/data/kdc.crt index 95ea4a4b8350..6a0e32934a6d 100644 --- a/lib/hx509/data/kdc.crt +++ b/lib/hx509/data/kdc.crt 
@@ -2,25 +2,51 @@ Certificate: Data: Version: 3 (0x2) Serial Number: 8 (0x8) - Signature Algorithm: sha1WithRSAEncryption + Signature Algorithm: sha1WithRSAEncryption Issuer: CN=hx509 Test Root CA, C=SE Validity - Not Before: Apr 26 20:29:40 2009 GMT - Not After : Apr 24 20:29:40 2019 GMT + Not Before: May 23 15:05:16 2019 GMT + Not After : Jan 16 15:05:16 2038 GMT Subject: C=SE, CN=kdc Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) + Public-Key: (4096 bit) Modulus: - 00:d2:41:7a:f8:4b:55:b2:af:11:f9:43:9b:43:81: - 09:3b:9a:94:cf:00:f4:85:75:92:d7:2a:a5:11:f1: - a8:50:6e:c6:84:74:24:17:da:84:c8:03:37:b2:20: - f3:ba:b5:59:36:21:4d:ab:70:e2:c3:09:93:68:14: - 12:79:c5:bb:9e:1b:4a:f0:c6:24:59:25:c3:1c:a8: - 70:66:5b:3e:41:8e:e3:25:71:9a:94:a0:5b:46:91: - 6f:dd:58:14:ec:89:e5:8c:96:c5:38:60:e4:ab:f2: - 75:ee:6e:62:fc:e1:bd:03:47:ff:c4:be:0f:ca:70: - 73:e3:74:58:3a:2f:04:2d:39 + 00:ab:f2:c2:da:bb:d1:bc:5a:96:c0:76:11:4e:7a: + 52:49:8b:84:ae:ca:44:4c:5b:30:ad:9a:6d:94:5b: + 1a:52:3f:d5:9b:d9:62:4b:96:51:bd:e3:55:be:5b: + 09:65:7b:3a:3b:2a:1f:9b:a2:95:e5:a6:f6:85:1f: + 7b:35:b8:2c:55:14:19:13:91:bd:56:6e:5b:f7:49: + 03:a8:53:01:16:27:53:8e:3e:71:1d:9c:dc:38:30: + 38:c2:55:e3:58:15:bb:de:53:8d:2a:5f:68:b0:49: + e4:7f:dc:38:57:fe:89:1b:6f:5d:52:fc:fd:cc:ef: + 37:71:e6:70:13:3f:24:5a:a2:8d:b5:a4:90:4a:2a: + 0e:e0:c2:6f:4d:0e:ef:ab:c9:2f:90:0a:ee:20:e8: + be:6b:bb:4e:43:8b:56:9f:50:aa:e0:71:2b:0f:2b: + b6:68:d6:11:c0:c4:31:b0:ab:32:a1:2e:93:54:6d: + ab:d3:c1:84:4f:c3:fc:10:a5:fa:6a:ae:8c:80:05: + 7c:54:4c:c1:aa:bc:50:ec:3c:19:9e:aa:df:82:0c: + e7:6e:ed:c9:f4:46:3e:60:6b:81:d9:b3:d7:64:19: + 5f:64:bc:b5:a6:f6:38:03:02:ab:f2:b3:ba:2f:4f: + be:e3:c3:34:cb:d8:01:42:3d:43:81:9d:a9:4f:5e: + 6f:14:d1:84:05:b6:f3:f0:9b:fa:b5:e8:1f:e6:40: + e2:b9:ce:a9:eb:1c:c4:da:85:b2:6b:b1:c7:a5:91: + 0f:a0:79:7a:85:b2:b4:b5:4e:a6:8c:cd:c6:45:5c: + 97:d2:e8:3c:01:2a:77:b2:e1:a7:2f:ed:2c:bf:42: + 77:94:a4:47:bf:c7:58:43:14:08:66:4e:5d:24:99: + 
bd:5f:0d:e1:b1:56:f1:c3:db:97:f6:b5:22:92:23: + eb:a5:f5:49:4d:76:80:4a:83:af:a8:17:31:38:b6: + 3b:49:1e:37:5e:fb:e7:9e:90:1d:8c:b0:8a:c2:dd: + 5e:1d:1c:2f:c4:71:aa:d2:2b:c5:16:09:f1:5d:63: + 7c:02:dc:b6:e0:b9:f6:2b:a1:56:1b:20:8f:13:c4: + 60:d0:21:c9:91:a4:43:de:f9:64:d8:4a:5c:4a:cd: + 51:87:66:55:ec:9c:2d:10:b3:23:6e:0e:48:44:2b: + 86:01:73:2e:77:28:5b:6e:43:09:ea:0f:cc:0e:da: + da:88:f9:ef:6b:37:48:bd:e4:47:4a:4f:f9:72:bd: + b9:c4:a0:bc:67:29:ec:5a:55:22:b6:8e:f0:23:9f: + c1:fb:86:9c:18:59:43:4c:eb:b6:bd:2e:18:fb:44: + ae:27:15:e7:3d:6d:9a:c7:6f:61:99:e1:7a:80:de: + 64:a8:e7 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
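Review bot: The regenerated kdc.crt still shows "Signature Algorithm: sha1WithRSAEncryption" in its Data section, even though this hunk moves the public key from 1024 to 4096 bit and extends the validity to 2038. A 4096-bit key under a SHA-1 signature is an inconsistent strength pairing. If the hx509 tests do not depend on SHA-1 here, regenerate the fixture with a SHA-256 digest. If SHA-1 is deliberate (for example to keep coverage of legacy KDC certificates), say so next to the fixture so nobody copies it as a template. The removed and added "Signature Algorithm" lines also differ only in whitespace, which adds noise to the diff; keeping the text dump format stable across regenerations would make future fixture updates easier to review.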
@@ -28,32 +54,69 @@ Certificate: X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Extended Key Usage: - pkkdcekuoid + Signing KDC Response X509v3 Subject Key Identifier: - 3A:D3:73:FF:AB:DB:7D:8D:C6:3A:A2:26:3E:AE:78:95:80:C9:E6:31 + E6:0A:BC:C8:0C:58:A4:53:82:C7:15:E0:42:D6:73:67:26:2C:39:D1 X509v3 Subject Alternative Name: othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption - 83:f4:14:a7:6e:59:ff:80:64:e7:fa:cf:13:80:86:e1:ed:02: - 38:ad:96:72:25:e5:06:7a:9a:bc:24:74:a9:75:55:b2:49:80: - 69:45:95:4a:4c:76:a9:e3:4e:49:d3:c2:69:5a:95:03:eb:ba: - 72:23:9c:fd:3d:8b:c6:07:82:3b:f4:f3:ef:6c:2e:9e:0b:ac: - 9e:6c:bb:37:4a:a1:9e:73:d1:dc:97:61:ba:fc:d3:49:a6:c2: - 4c:55:2e:06:37:76:b5:ef:57:e7:57:58:8a:71:63:f3:eb:e7: - 55:68:0d:f6:46:4c:fb:f9:43:bb:0c:92:4f:4e:22:7b:63:e8: - 4f:9c + 31:6b:88:4f:57:8a:4b:7b:25:d8:53:0f:04:e9:52:a7:e3:93: + 12:ed:bc:96:03:c3:ae:53:6a:10:60:76:18:85:1d:9c:b6:93: + d8:92:d1:d8:e5:af:23:d6:64:93:11:f3:23:8e:ed:43:12:dc: + 5d:1b:d5:49:b8:3d:fd:e7:52:58:a9:26:2c:cb:49:09:d4:54: + 6e:e6:45:c9:1c:3f:50:b9:f3:13:65:84:45:a7:1c:23:48:ad: + 93:c0:f9:b2:fa:1e:25:d0:40:d5:8f:7a:c8:8c:72:ba:88:22: + 19:a7:3a:08:cf:7d:9c:45:da:3e:12:64:3f:b4:e0:c4:36:97: + a9:be:ef:e2:4a:1a:cc:c7:f9:8f:4f:30:04:11:f4:16:cf:ff: + 6e:85:f1:cf:98:3d:09:e9:f1:98:30:ff:a2:3c:d5:96:50:3d: + cb:21:db:89:56:8c:f4:a6:87:e3:78:44:49:c5:53:c9:19:a1: + ff:a0:0d:4e:a7:89:d9:11:52:39:21:b4:b9:21:e8:af:39:9e: + 2c:41:3d:82:3e:20:b8:60:8a:b6:de:d6:6c:f3:b7:5a:10:ce: + ba:92:a7:6a:0d:5f:22:e6:98:e4:2c:d7:2d:7a:d4:22:bd:15: + ce:2c:79:7f:d6:d0:78:f8:d9:a6:e7:87:84:cb:0b:8b:1e:aa: + 0c:57:4b:8c:3a:a9:e5:66:92:eb:00:b2:2c:05:1f:14:ab:23: + 7a:61:b0:00:02:bf:24:42:8e:0e:1d:52:20:11:93:94:b5:2a: + 56:33:f4:bb:63:21:ea:64:cf:d2:92:8c:70:7e:b5:f9:4a:c2: + aa:a5:81:36:bb:76:cb:ec:98:bb:3c:8c:67:1a:0c:3e:97:f1: + 4c:dc:25:e2:59:a2:6d:fd:db:54:ea:9b:14:5f:18:dc:2c:e1: + 45:89:27:a0:b7:f0:09:57:94:b5:dd:9e:84:51:35:98:12:c7: + 
20:ad:75:4d:42:54:44:30:e2:b9:cb:25:0f:e0:a9:6d:d5:6d: + 7a:97:b6:fe:b7:54:4e:83:ed:bb:4d:d3:80:99:2b:1b:ee:a1: + 3b:b8:69:52:64:f7:d2:bc:2f:18:73:d6:8d:04:54:c1:3f:14: + 05:65:fb:cf:c2:38:25:92:33:cc:f1:48:cf:e5:d1:a6:c2:57: + 1d:06:d8:1d:a1:0d:d6:e6:8e:ba:b6:d6:88:3c:a7:87:02:bb: + 32:47:82:aa:d6:5f:8a:69:d8:5e:38:99:a6:1d:09:a8:d5:b8: + 4c:80:23:ed:83:67:5f:b8:8e:f2:c4:8f:8b:76:b6:a2:09:b5: + 44:1c:70:d2:5b:61:cb:c6:68:f9:9b:93:72:5a:bc:08:98:80: + 90:64:a7:d3:a1:f8:ee:b7 -----BEGIN CERTIFICATE----- -MIICVDCCAb2gAwIBAgIBCDANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw -OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA5MDQyNjIwMjk0MFoXDTE5 -MDQyNDIwMjk0MFowGzELMAkGA1UEBhMCU0UxDDAKBgNVBAMMA2tkYzCBnzANBgkq -hkiG9w0BAQEFAAOBjQAwgYkCgYEA0kF6+EtVsq8R+UObQ4EJO5qUzwD0hXWS1yql -EfGoUG7GhHQkF9qEyAM3siDzurVZNiFNq3DiwwmTaBQSecW7nhtK8MYkWSXDHKhw -Zls+QY7jJXGalKBbRpFv3VgU7InljJbFOGDkq/J17m5i/OG9A0f/xL4PynBz43RY -Oi8ELTkCAwEAAaOBmDCBlTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DASBgNVHSUE -CzAJBgcrBgEFAgMFMB0GA1UdDgQWBBQ603P/q9t9jcY6oiY+rniVgMnmMTBIBgNV -HREEQTA/oD0GBisGAQUCAqAzMDGgDRsLVEVTVC5INUwuU0WhIDAeoAMCAQGhFzAV -GwZrcmJ0Z3QbC1RFU1QuSDVMLlNFMA0GCSqGSIb3DQEBBQUAA4GBAIP0FKduWf+A -ZOf6zxOAhuHtAjitlnIl5QZ6mrwkdKl1VbJJgGlFlUpMdqnjTknTwmlalQPrunIj -nP09i8YHgjv08+9sLp4LrJ5suzdKoZ5z0dyXYbr800mmwkxVLgY3drXvV+dXWIpx -Y/Pr51VoDfZGTPv5Q7sMkk9OIntj6E+c +MIIFWTCCA0GgAwIBAgIBCDANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw +OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxNloXDTM4 +MDExNjE1MDUxNlowGzELMAkGA1UEBhMCU0UxDDAKBgNVBAMMA2tkYzCCAiIwDQYJ +KoZIhvcNAQEBBQADggIPADCCAgoCggIBAKvywtq70bxalsB2EU56UkmLhK7KRExb +MK2abZRbGlI/1ZvZYkuWUb3jVb5bCWV7OjsqH5uileWm9oUfezW4LFUUGRORvVZu +W/dJA6hTARYnU44+cR2c3DgwOMJV41gVu95TjSpfaLBJ5H/cOFf+iRtvXVL8/czv +N3HmcBM/JFqijbWkkEoqDuDCb00O76vJL5AK7iDovmu7TkOLVp9QquBxKw8rtmjW +EcDEMbCrMqEuk1Rtq9PBhE/D/BCl+mqujIAFfFRMwaq8UOw8GZ6q34IM527tyfRG +PmBrgdmz12QZX2S8tab2OAMCq/Kzui9PvuPDNMvYAUI9Q4GdqU9ebxTRhAW28/Cb ++rXoH+ZA4rnOqescxNqFsmuxx6WRD6B5eoWytLVOpozNxkVcl9LoPAEqd7Lhpy/t 
+LL9Cd5SkR7/HWEMUCGZOXSSZvV8N4bFW8cPbl/a1IpIj66X1SU12gEqDr6gXMTi2 +O0keN177556QHYywisLdXh0cL8RxqtIrxRYJ8V1jfALctuC59iuhVhsgjxPEYNAh +yZGkQ975ZNhKXErNUYdmVeycLRCzI24OSEQrhgFzLncoW25DCeoPzA7a2oj572s3 +SL3kR0pP+XK9ucSgvGcp7FpVIraO8COfwfuGnBhZQ0zrtr0uGPtEricV5z1tmsdv +YZnheoDeZKjnAgMBAAGjgZgwgZUwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwEgYD +VR0lBAswCQYHKwYBBQIDBTAdBgNVHQ4EFgQU5gq8yAxYpFOCxxXgQtZzZyYsOdEw +SAYDVR0RBEEwP6A9BgYrBgEFAgKgMzAxoA0bC1RFU1QuSDVMLlNFoSAwHqADAgEB +oRcwFRsGa3JidGd0GwtURVNULkg1TC5TRTANBgkqhkiG9w0BAQUFAAOCAgEAMWuI +T1eKS3sl2FMPBOlSp+OTEu28lgPDrlNqEGB2GIUdnLaT2JLR2OWvI9ZkkxHzI47t +QxLcXRvVSbg9/edSWKkmLMtJCdRUbuZFyRw/ULnzE2WERaccI0itk8D5svoeJdBA +1Y96yIxyuogiGac6CM99nEXaPhJkP7TgxDaXqb7v4koazMf5j08wBBH0Fs//boXx +z5g9CenxmDD/ojzVllA9yyHbiVaM9KaH43hEScVTyRmh/6ANTqeJ2RFSOSG0uSHo +rzmeLEE9gj4guGCKtt7WbPO3WhDOupKnag1fIuaY5CzXLXrUIr0Vzix5f9bQePjZ +pueHhMsLix6qDFdLjDqp5WaS6wCyLAUfFKsjemGwAAK/JEKODh1SIBGTlLUqVjP0 +u2Mh6mTP0pKMcH61+UrCqqWBNrt2y+yYuzyMZxoMPpfxTNwl4lmibf3bVOqbFF8Y +3CzhRYknoLfwCVeUtd2ehFE1mBLHIK11TUJURDDiucslD+CpbdVtepe2/rdUToPt +u03TgJkrG+6hO7hpUmT30rwvGHPWjQRUwT8UBWX7z8I4JZIzzPFIz+XRpsJXHQbY +HaEN1uaOurbWiDynhwK7MkeCqtZfimnYXjiZph0JqNW4TIAj7YNnX7iO8sSPi3a2 +ogm1RBxw0lthy8Zo+ZuTclq8CJiAkGSn06H47rc= -----END CERTIFICATE----- diff --git a/lib/hx509/data/kdc.key b/lib/hx509/data/kdc.key index f6be6eb5e123..bdb97b919a9e 100644 --- a/lib/hx509/data/kdc.key +++ b/lib/hx509/data/kdc.key 
@@ -1,16 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBANJBevhLVbKvEflD -m0OBCTualM8A9IV1ktcqpRHxqFBuxoR0JBfahMgDN7Ig87q1WTYhTatw4sMJk2gU -EnnFu54bSvDGJFklwxyocGZbPkGO4yVxmpSgW0aRb91YFOyJ5YyWxThg5Kvyde5u -YvzhvQNH/8S+D8pwc+N0WDovBC05AgMBAAECgYAw4vS6opmMcFRXhralHW2OJEUR -VIGGPm4kBVBYOb4O5ZLW3UI/IZnZ/5WFn0/MS7owcdHjWN4Ax0s02eXp1mXm0sua -gr6JuWTTv5y2Vjrq2AQ9RqNIaRp346gbtqt2/Nhoyl3BMcVPuq69WcbDVq+GPNE5 -K5plwS32AQJsceitWQJBAP6M2xJ4cOh3keOOfYnVvoBRsS++ErViBOtHgjdriJXz -Hy9uNPp4HGpKExPWBVRozBQ5HMYUY2Wv+Zsku+mlgzsCQQDTdAqkOzzhJ2+uD2et -MyMDBm2oKiPUrpSBTFo1EiDH6ECrNAJd0FyYFwYvcI5b7BK06SFRmd80GSvBeOMI -TKIbAkB2zFIpqqA3PiaOJyAbxe+kf3vMJk8g6+AT1knFh6A1K0QwpKSBCLFqQavp -pAbUwBwOjCELqNRCzwAVEe3JO3+lAkEAhRhedl8/A62R8yqJJJCycf4C2b2kjgNR -QE1x3kPJ1GqRAfIbpzc2gRjE8OlVAfEHGU5AhZ9nyeAqFX5k0N2DjwJAZpJApfQo -VoCVZyPPASHV4B6k5b/DUcLo9XnNYkcm5EsdjJXR8TWCrkbBxPM3i1Nn/2Lpa0xp -FiD4cMhNHreApQ== +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCr8sLau9G8WpbA +dhFOelJJi4SuykRMWzCtmm2UWxpSP9Wb2WJLllG941W+Wwllezo7Kh+bopXlpvaF +H3s1uCxVFBkTkb1Wblv3SQOoUwEWJ1OOPnEdnNw4MDjCVeNYFbveU40qX2iwSeR/ +3DhX/okbb11S/P3M7zdx5nATPyRaoo21pJBKKg7gwm9NDu+ryS+QCu4g6L5ru05D +i1afUKrgcSsPK7Zo1hHAxDGwqzKhLpNUbavTwYRPw/wQpfpqroyABXxUTMGqvFDs +PBmeqt+CDOdu7cn0Rj5ga4HZs9dkGV9kvLWm9jgDAqvys7ovT77jwzTL2AFCPUOB +nalPXm8U0YQFtvPwm/q16B/mQOK5zqnrHMTahbJrscelkQ+geXqFsrS1TqaMzcZF +XJfS6DwBKney4acv7Sy/QneUpEe/x1hDFAhmTl0kmb1fDeGxVvHD25f2tSKSI+ul +9UlNdoBKg6+oFzE4tjtJHjde++eekB2MsIrC3V4dHC/EcarSK8UWCfFdY3wC3Lbg +ufYroVYbII8TxGDQIcmRpEPe+WTYSlxKzVGHZlXsnC0QsyNuDkhEK4YBcy53KFtu +QwnqD8wO2tqI+e9rN0i95EdKT/lyvbnEoLxnKexaVSK2jvAjn8H7hpwYWUNM67a9 +Lhj7RK4nFec9bZrHb2GZ4XqA3mSo5wIDAQABAoICAHA3A/df76ausAd2hiDjL2ST +ysmPczcppAEH8U+KjQj0Y+FL4xxVQ49bF5AdNWqnGv+Vo/8cAhtX9TY3r18FjNkR +PrRIvnnzl80wN1TYprLgg2UnVwbuYcHBpqkdCDtqI6sad9wZW+cAskDHZXX3xV7E +NPF97dyamWKZ8rZ81KrZvwW2Gfxsqj0AZ0aw4rUHnSSyHWoYunzwRklKXAOoz3ue +H23NJ0QPwJI+9/bGI0qRbNECqcqOVl0AGDZ9O4n30/WQnu0dEp7sOxuQtV+ZQDhN 
+V5RLVys11Gt0fc+n0H+hF2JUzW/i6/b6/WBs7qsFrhxSPthxZZDnDnE+hUoo5PBt +OTn3eeyMBP4SdZmB8z3ekWeDd6qS+EnbEee0Y8CwW3YU2KKo5jRCpL18regVW0HW +4t2NRjB4ioMLCSVrCukiWM6vPnStaeg5klTnb9GzsO99ruXNDSENjStEcoRCGjfk +9OPb4inrKIcKiNxvfOOvXNtpi9+7UDR9w15oHscxU13LySMQVPc2TCwACx6G55iD +MFGPDkDsm9m4Xee96To0abxiu/7Vc1H9lrnOMXfZP0DgNcOWFwa73QfSJvKwTl1w +kHQTnk9yDYHgn/DPLAbhELxkNkIJNTz66tknhak8pkIFTsrTdEwMOqvdRCr9z7XL +tStd7GcxCSVQskthkSSxAoIBAQDYYHjCGoEKojMUZzCbNDq+Z3ZiZ7m/sl8xduO5 +zUvY0sWuJi5ijOLfiGwDm+wEIannQhSnhVskevFC6ZXoynYufzSBD1z4wPsLpIwY +TAxUB1NEHKBONWECiOpXeiEP0itRXxqoV4Gb9SFjrRbA/yvQqonNtMoeWZ/Sco1O +CAzi20/LRtv/oMUsEzyOnvsDlHORIKgu1hpj/d/ik6e1F+k/1lqtzaRKLwPwgwfA +LbLlYppu/6MzhAI5E3ujq3NeiqPU29tpxrQJnEOxPaPTrpwKjM/qBLF/H5o5e9Q0 +MkZFkPKQWLVQJFb+AWTWAGJzFdcw6X7KFURoafljsrN7DlPNAoIBAQDLb4YCUUDk +pIzizpSuhhJCmh6B7/bSvoCr9pMwJadPhuADs9f4AZhaJGv745uxjaNx9seWCP4s +4tEEhYFASzYyTfi6ChJZb+5+RJlkYkUplx1RVFCrEmi+X0Sy4SlhdTxTsnVd3Qtb +0Ak7br422pc75YiEGf7Iz2k/ry8xif6pRsU7eeXm3e/rNIAr0x9RZ5aRl9Xg43N9 +GYcjdTK7G2KTUPYkRwFT/u3WK0DulTVnRX1+qraemq+fiyelox/SwY6n0c6K9hiD +M21LOGBmjEirWU/OtCD6fsIYIilEu+u6RhyoKNWYwRxmdKQoKfow52gpyGU7lCI7 +plFXCFyJxeODAoIBAQDFwlZcQVETYO+ChFV+ZJwUDge7JMY2GFa8pMa5uJLL1sfp +xOe8Frv8RXlDSyzJEeNxg4nRGicVDnCXEVp76x9cm9Jm6p20lNxd5cRNKKRT4GYP +6IHzOQIzCOP1k5/ID/SbaGq61U+WNNKRgU88kXuAOX29TrE0UAGsnBnd6amtZXhm +d5r25f+Pqv079L3CpdmCGPDd7b0tComnUgCDmRkLyWQTWdIAIzxcg8V/tcS9tgMj +0+1bVhmaBN6J1leZXukh0NeWs481AWc1BPtIq1veoJgecK+xWjbgtvZZxmFHj5TC +rPD6EFyZxrhchvlz6dBF2gKRvCJLtB/FKTy1CYE5AoIBAGFbqgKJ6EiEB3iz7Kvp +Nevx3g/JS5Jn4SRrCN3N51hD8AlVlFH4UXUyYQtXTjeW1VXBCJthCmNo2ScUzVp7 +pCBG+HXwQ//RdY2wPsivzvGshDdb5o84bDBPX41L/IXLmWdkzI5zLvBtiz2KLjYK +Pr5HhyHRXwGzYWc865UFuX5BhDqGh+QI6rzhj0Vp8F8A+CoNRCowMCD6ipYJjJHG +9VITOPj7kkMkiaYpZRXJCpm1w+1Ovb8BwHLWIc8/VgeC4kamPfZ6+BgyEGgjPt9U +26JFR9BgnDfFWhY6ow1l8dZfn29Ku44zPOg7giRGkpm85Ti50tjEd+2cFulT8xVs +QwkCggEAJ5+tgWw3kHch4pK94R8hSzv5OzNQUZvdXYZk751/k92ZSrYeiZ7cj8de +kcFLiQjY5pkOrkF7oKUKDZXyVU2BQN0jjX5/0Hqpwwj9gBXuXnit4J0mrPDFBEh6 
+KcC2Cjw/ul7MdzWlJEdAgu0sR9EPIPmTO9pdziH2k6uNSfj1S+hIAPNQ1tvME4zg +M+0THn2pVqhAZxBj4VREbGzk8tIBl1LZEx88REdSbe9FKcS/wiGCpnttQqL/WSu0 +9pXx0T27VSdxXoSQF3kVdEdQ9EEsfAi9t95UJqOfpkKamEefao3xDrE5whSddD+q +HWEzextsObokaNciuMPKlJLizq1W+w== -----END PRIVATE KEY----- diff --git a/lib/hx509/data/mkcert.sh b/lib/hx509/data/mkcert.sh index 5faa571206a8..c06528dc82ae 100755 --- a/lib/hx509/data/mkcert.sh +++ b/lib/hx509/data/mkcert.sh @@ -2,8 +2,7 @@ set -e -# For now, avoid going past the 2038 32-bit clock rollover -DAYS=$(( ( 0x7fffffff - $(date +%s) ) / 86400 - 1 )) +DAYS=182500 key() { local key=$1; shift diff --git a/lib/hx509/data/no-proxy-test.crt b/lib/hx509/data/no-proxy-test.crt index 3c316fd99663..7e38cd9b564f 100644 --- a/lib/hx509/data/no-proxy-test.crt +++ b/lib/hx509/data/no-proxy-test.crt 
@@ -1,13 +1,30 @@ -----BEGIN CERTIFICATE----- -MIICDDCCAXWgAwIBAgIJAMJEvwnR1+3VMA0GCSqGSIb3DQEBBQUAMCExCzAJBgNV -BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQwHhcNMDkwNDI2MjAyOTQxWhcNMTkw -NDI0MjAyOTQxWjA0MQswCQYDVQQGEwJTRTESMBAGA1UEAwwJVGVzdCBjZXJ0MREw -DwYDVQQDDAhuby1wcm94eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoj9n -WflMrV4pTKogjZSsR0ayv0SnNJDalEKSvEge7NeWJm/qOl63ZFp/Fu76CX5sw0um -3y08szXc7PQ3bfeaOASI3DRjeq/Bdo91189IudKjRQGmpwvaLaB+geiJ0zxL8MbO -zYCKZR2HtwmnyAtuVxBzg/JkbRivZNY6eFujez0CAwEAAaM5MDcwCQYDVR0TBAIw -ADALBgNVHQ8EBAMCBeAwHQYDVR0OBBYEFAsSc5J6beDqU81cycJGR+e284BXMA0G -CSqGSIb3DQEBBQUAA4GBANmfFhAMyYld728X7ne9GFLKKOSmWNUBlI7imwZcXo3P -QgCBmjhDiadCLdntQNCGAtBMUUM/jf3SCzWyEUtvCfqNCeFbYuS4CNStrACtDNjb -iw34aVAORleFr4hzAe9c61UH8nIkQbMYH264yUA/RJC1U01b/26YlKAVq75l3d36 +MIIFETCCAvmgAwIBAgIJAKQmPUkmhyKoMA0GCSqGSIb3DQEBCwUAMCExCzAJBgNV +BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQwHhcNMTkwNTIzMTUwNTI2WhcNMzgw +MTE2MTUwNTI2WjA0MQswCQYDVQQGEwJTRTESMBAGA1UEAwwJVGVzdCBjZXJ0MREw +DwYDVQQDDAhuby1wcm94eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB +AJ++Eu48QHbj9zWx743IdmFihU06xR/IAezZPoZYhQsxw0kVQXNnC1sdGqpl7DWe +IQGmokhpfRq0LPOtK4QhZBAqvpWohdreJfPrEM75U9LdPQXtKcbzV5hfz4tVUbcH +jvgvH+M5Zyr1SvDWsK7/CEyNC7d9EYfLcVtas+uPtq6YWtRW7A1SeHiZKGPikkQy +cSwtsqtyrbNyHvz32GdasW1exOLXwqH4dXNeO/C7EQCQu8gv/klWfKC9d3wBp+6h +LQsXoTh3JqaszucAMhen4RihyRcofsEbWLpmzGIyIDIB2IQ/ZYwF1xfOFi7gTGFF +Il80EdEvw8x7GcZFVMJUQzYH8rnHEU73bzAuEVJay4vR5SwWjGIgIcZl5gYWSGMq +4VhLQisIVfo1hcLniPCSQH3GExCQ8QvVi8Ks8tkd+0zs/24B5HFzWHJspKSnuOya +dZreKjAvNWPPflolipjKDORxocJDojIbW03cgZwHULRP6sU8H/dXnLBw8t9natJk +zHGslG8rZoR61QHVcalk2qAzP78lhRfOU/XlGTkOX8zbfnaVS/O6IbBxhagtBApc +Ms2aunf0H6fxyyzSAllAu+fnDsUMBhQWTkQmK2GmEEba8FYbS+K5rbn/fzn+xaS4 ++Lh3GaaPI67+2EwcDWdfBAzHC4Mj3UF2i4o3r3fAazHrAgMBAAGjOTA3MAkGA1Ud +EwQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBQU3CICEd4bSVDR3MKEOFoAqRYt +8jANBgkqhkiG9w0BAQsFAAOCAgEAMAG64y2s7lZi+1yZtIfvgBe/QwO0s3TrZVc/ +VTSmVgcsI4pOW9A2NYxJR5RwEg1fNAoKPz8+D/9FeZwVED8Q9xUAuvtEsr2npd6d 
+ogQblbVBFkuQ+3Wt7ILYBKXgFQB+473yu91o/k7Mg07/2XsWMhkNspMpBo4frUo1 +7JlXH4wLs1pAGbhFZ7e4s+8Xm3zSPa9UuhYNDqwheeVulwiP4v4zf5DZD9iyFcYj +9COnCYNvY2gSi+GaT712jLR9/0CUfFbiY02e6VS9TI8pvHlCbOaUAqTeYAr8GkpH +qupkvOmTWwgubeK7BrDvuKJIavK8sN5mqK/KzFpzRjMzzppeuv/ArKMnjbr52BtG +fZK8LxbeXuxbcqHpxRT2uFIoQAtIxf1oMYoqac2TNZ2V+x3nRMfsgW6JK+huoQpB +Z9pyRNTGb5B6JNDaW5qeXmJz3zVKWFCRO9kwWajBDmQcd9A2BMukCtcWIDR9PSuO +zqRXI64gh/Pm+pHrG+U8/m/WhEmMquJHjbeU7lpd7wiRwHyvGqka/pHIKt3Eozkh +FCthDU5sK1pLWCyQU+DmrL3+LKJaL+Yiok0lKiPT42II3d0yVIeV6BtVHpFQLYBm +rJHozXOvFEE1i8o4jl7mjvXJHfkUHgmpuny5RicuxOrE12YrdQIq4qyTZiskd4N4 +fDTnu7M= -----END CERTIFICATE----- diff --git a/lib/hx509/data/no-proxy-test.key b/lib/hx509/data/no-proxy-test.key index 2a6006cdc80e..37d7f29962ff 100644 --- a/lib/hx509/data/no-proxy-test.key +++ b/lib/hx509/data/no-proxy-test.key 
@@ -1,16 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAKI/Z1n5TK1eKUyq -II2UrEdGsr9EpzSQ2pRCkrxIHuzXliZv6jpet2Rafxbu+gl+bMNLpt8tPLM13Oz0 -N233mjgEiNw0Y3qvwXaPddfPSLnSo0UBpqcL2i2gfoHoidM8S/DGzs2AimUdh7cJ -p8gLblcQc4PyZG0Yr2TWOnhbo3s9AgMBAAECgYBWdSjy1hkZDWM+mi3MpFwFg1P+ -/muHZGVFuhANSvVHyj4V729GeXCKhnrQ0rnk0zzL+QVMSgPdj6dRkXX0IIxJ0iyI -k7ZVoaCuC8dmc/rF9pJ58saqKYCqQFtjdFO68E3aQbnk89ai69AzgdjegRSVmOQ8 -yJ9ArHcggxbEqGq94QJBANOk9UWdI72KbIRElrTtWAvIrNaF4iixR+AdYuFL2+cJ -WaGApfFtcNppllmbWxh0IayIDzRpWzSpTILNLQdqF9UCQQDEQDzfZ04+x2RhX28o -O1Vzqkado6OvyhwVlzp19ZGstMWq6IVNZEJDBYCilk7dkIkjBHojaVEu/k9vMUZS -KzHJAkBk6xmRUjbCoIjSISqDp1D+fXf86uZGZRJSyXBm4Zc/+XNl0URPdNIFM6ff -nna3mFiePlqRsVMuLzQugstf57TpAkAYCvqqMADRBiKRH10B48sDQaAnHe4m0i8A -oidiXjR7oSX6W0RBh//qMBljUeDVmiiC5sCD6BovFK7so2/HD02pAkA9zFWyVTdq -Y3t01+ZG6TfcxwKGCgpwS3x9OQbMVb34JPQ65U0JzW7ubmYFMD5Fl1RPjDbLc+wm -uSnStI7RGOt+ +MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQCfvhLuPEB24/c1 +se+NyHZhYoVNOsUfyAHs2T6GWIULMcNJFUFzZwtbHRqqZew1niEBpqJIaX0atCzz +rSuEIWQQKr6VqIXa3iXz6xDO+VPS3T0F7SnG81eYX8+LVVG3B474Lx/jOWcq9Urw +1rCu/whMjQu3fRGHy3FbWrPrj7aumFrUVuwNUnh4mShj4pJEMnEsLbKrcq2zch78 +99hnWrFtXsTi18Kh+HVzXjvwuxEAkLvIL/5JVnygvXd8AafuoS0LF6E4dyamrM7n +ADIXp+EYockXKH7BG1i6ZsxiMiAyAdiEP2WMBdcXzhYu4ExhRSJfNBHRL8PMexnG +RVTCVEM2B/K5xxFO928wLhFSWsuL0eUsFoxiICHGZeYGFkhjKuFYS0IrCFX6NYXC +54jwkkB9xhMQkPEL1YvCrPLZHftM7P9uAeRxc1hybKSkp7jsmnWa3iowLzVjz35a +JYqYygzkcaHCQ6IyG1tN3IGcB1C0T+rFPB/3V5ywcPLfZ2rSZMxxrJRvK2aEetUB +1XGpZNqgMz+/JYUXzlP15Rk5Dl/M2352lUvzuiGwcYWoLQQKXDLNmrp39B+n8css +0gJZQLvn5w7FDAYUFk5EJithphBG2vBWG0viua25/385/sWkuPi4dxmmjyOu/thM +HA1nXwQMxwuDI91BdouKN693wGsx6wIDAQABAoICAQCVA0tHf18nSOrf5PexjFGZ +8Lym2W7vgbUCC3m++y5Izgf80d43V+WI/jJUyDU7oyHpF1eFMxpn4bGZMm5ImJlu +V2Fn3EfZbqd6zUnluUHPj2AQejchhvishJvnvxQ2J8/fhp45ad/qe92Hos44wGEu +f9hxNzM2OLqq3Ia/9FUWs7rvH5KdrtQAs+awnreQ9HkMHCjytEyC+68ajd0KNNkU +THZfoaPHUi3GDB7gJrDqlRkG2nZcVVh23adrP2Q3P5T0JvvW35dnngZ4CH+x/4IE 
+Z09d0gHEA82WPLTl2Rqda4ldfIIux3fple6tlcDKcCJrKvh/6g29XwwhH6W8jbwP +Xq++ZK8SYY5Fk2puBzDGH/pX+ljxRh0jRD7FpsUwF+9Bk0aqkycbX+75T8R3LLXt +mi2n/gBs5CyQHRBKnrui85KkM5nCQiYiUQbyilcbZSHOKPQi7bNGBK4/idEcmDjR +iIwpV/lvAJPMetFJe+3c3CSqU8xHKz3vK97LX1qoQJE/ozUU+iCv6qVMUZjOCiNh +p/Oa5/UWO1GDrM9rcmeufjwKu/OuZyoivi4Je4GDVVfPHswIyAg72bmhFmx0M8Qu ++G9QidwDfRjezX/hFFtMqaC+PKyabHVfoNKm+bv/XjXq4mbsmUUK67qrZhdwyRyV +XRIpnsBs6pEjmzUiQI21OQKCAQEAzWsewm+YCfmuY/W61Q88F4ew4CnYjI/saP0J +kDOLNeKh/1UeWhAaHrZxW0c1F+R57aYMyQtzh92OQ7bd218DXwkzsdX5VXH4ThvK +jW/hLe178RBABk9lWXYU3u1UndbfDH3FRa3fKfd7uQXoSdK02l9i9WtHFdSqv1uW +jjXIC4tfBlIaN+H2KSvNAxmejcwfnCEZgdoUGfXbzyOaiIj/J8EORty7n4HdFM8L +AUT+vNDARHKY/5L01Dp92bsWltibIFuCX53fPZ51ZCfNeDe3e/zgxr+VUL5VVy7P +6r28ersysIzhDK3YiSMaCl9EI8YOHOedp1Gh6MO/taoRTp0mrQKCAQEAxxOyTG2G +qzGqXgI1uduPo1DBfNKJYSA9d7lJneANjCtBj4ovMt2mzwojgPOaYj9lit5xnXFU +qki8wZI1+xM8ylE7AKzUt/Jb7EE02QihUBgItFF1xyVIyvHDGrf9KRO7JVM2/erq +NeF5Ol5eI61azNEzCAm8X47R5DvyYZApO/+gU2t9U2dNXJ9w+7YU3oeMxj+YMfud +IZTmIXQgFVezwLf/VMSxJa5eeffCdCW6BKGArYvwk2eg7fbhCw6MDmOtAFOoI5Eu +8zVlbvg/1IjJ+YEJZZqugzQxVL5x217dCnLdu1Hnf5SxvJ2cfoRbEIqJByVDSSxs +Qe7PG8O59d+F9wKCAQEAs/Rk1Qc4FX0TZmSOUTpwdVic/jQKjlFDVVJfP2G4UfOB +4ZJq7ZFvoHpJ4iIGhDDXE/dE+hc7FcplaDLaNuUMqgQAsol2TYFzetHj53YcucRz +sOKAhEanzfChJg6Z81CaxHGmEX3ZpAU38QYY0htx7mBj7AYYFyrgjpUo1tqMrnhh +PcNNTql4oebKSi32ddhd1MQ2eUhYFcoJz3QsW/JQPT5mSHP1Ni5pRGKBDJKp6zWh +ShVurW7LZuT6/XRlvK5zb6xbEXLXcD7SLnSkDu4YotkM/XA22a50StUqtkWTyZ0X +Mg2o1heyO6lxlaaRphlKoc3SkhL0mVprJzWexdTsXQKCAQAjoNnLJdrxLo1QD9Mv +tSTK1LwcK83cbRmzIJ0VPTEPgfpUxyVVVCfza9wYywA5TyFMLi1lQRAm/aeSeSli +CvpZNxp5L3VOinh7Gtxrb0j3faWpJ98NShXyBDynvn/3ZwmaT39LCEzsYbMBiDwO +5IqYl2Qrrxpge74Cu9vQLC3FCCXYaCdg0t8ckYh19AteHCJMpLsHTwG7LdvV5uOL +DkwkVInE0QLnPIK6D2ZkxQ+6nnDaHm5q4yQBEqsKAIt+U8Z1hYNVAjnF2yuRJaq+ +zdBf8AEPhxRudNvTT9YurZaftRkL2ke1JJZ+rDKCzgtCNZj6h2e4Y9PoJOY6ENhq +MZvXAoIBAQCFrLrJwWFpRCAUGRygAVeyEMiSHhWuG38dHLrDd6t+8taoOSy2AsXo +vPyCKAFwElan0cehYY31WTSg1L9KfnIw2S2e6dMJEiJidMj95v9+Vh5+X4WJeF6F 
+WtwmgyN24p/6ymEPSuCeENAZQjyWFj1gT5jp0KjbCFYZ8V2ubERpNzt0CLqZ0zJb +WTgptd/MKT398ENPU1fQRnFScm74SHnxbvhPzuhRI66vBC6ofx0Irx4KWfQaEGcD +OzU0LeCarXE7JWSbG3+AHOglPYBRCQ3/KaTOZiDALR3KKaJ6od7EkPqNWzTUd23K +IMZ41x5JPzpQTmrb056vt40ifw3+I946 -----END PRIVATE KEY----- diff --git a/lib/hx509/data/ocsp-req1.der b/lib/hx509/data/ocsp-req1.der Binary files differindex c975bfeede9f..650c87976956 100644 --- a/lib/hx509/data/ocsp-req1.der +++ b/lib/hx509/data/ocsp-req1.der diff --git a/lib/hx509/data/ocsp-req2.der b/lib/hx509/data/ocsp-req2.der Binary files differindex 1c0cce1b7e1e..1c010149a2f3 100644 --- a/lib/hx509/data/ocsp-req2.der +++ b/lib/hx509/data/ocsp-req2.der diff --git a/lib/hx509/data/ocsp-resp1-ca.der b/lib/hx509/data/ocsp-resp1-ca.der Binary files differindex 6090b61dc6db..38efc09e8cc1 100644 --- a/lib/hx509/data/ocsp-resp1-ca.der +++ b/lib/hx509/data/ocsp-resp1-ca.der diff --git a/lib/hx509/data/ocsp-resp1-keyhash.der b/lib/hx509/data/ocsp-resp1-keyhash.der Binary files differindex e9bf421190f7..b3b3feb76509 100644 --- a/lib/hx509/data/ocsp-resp1-keyhash.der +++ b/lib/hx509/data/ocsp-resp1-keyhash.der diff --git a/lib/hx509/data/ocsp-resp1-ocsp-no-cert.der b/lib/hx509/data/ocsp-resp1-ocsp-no-cert.der Binary files differindex f901f2e08df0..ec51b0c94e4e 100644 --- a/lib/hx509/data/ocsp-resp1-ocsp-no-cert.der +++ b/lib/hx509/data/ocsp-resp1-ocsp-no-cert.der diff --git a/lib/hx509/data/ocsp-resp1-ocsp.der b/lib/hx509/data/ocsp-resp1-ocsp.der Binary files differindex f8e219b5bf42..864f8dc32d35 100644 --- a/lib/hx509/data/ocsp-resp1-ocsp.der +++ b/lib/hx509/data/ocsp-resp1-ocsp.der diff --git a/lib/hx509/data/ocsp-resp2.der b/lib/hx509/data/ocsp-resp2.der Binary files differindex 2a738920c96d..f600bd64d97e 100644 --- a/lib/hx509/data/ocsp-resp2.der +++ b/lib/hx509/data/ocsp-resp2.der diff --git a/lib/hx509/data/ocsp-responder.crt b/lib/hx509/data/ocsp-responder.crt index ceba439062b3..7df15421a7df 100644 --- a/lib/hx509/data/ocsp-responder.crt 
+++ b/lib/hx509/data/ocsp-responder.crt 
@@ -2,25 +2,51 @@ Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) - Signature Algorithm: sha1WithRSAEncryption + Signature Algorithm: sha1WithRSAEncryption Issuer: CN=hx509 Test Root CA, C=SE Validity - Not Before: Apr 26 20:29:40 2009 GMT - Not After : Apr 24 20:29:40 2019 GMT + Not Before: May 23 15:05:11 2019 GMT + Not After : Jan 16 15:05:11 2038 GMT Subject: C=SE, CN=OCSP responder Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) + Public-Key: (4096 bit) Modulus: - 00:f1:38:9c:a0:5e:b9:0e:73:19:b6:f5:57:2b:9c: - 0c:ef:a6:c7:57:0f:8d:3c:05:03:8f:53:28:f0:b6: - f8:d1:0d:c9:dc:13:37:2d:f1:76:36:b7:5c:6b:5d: - a5:22:02:7c:86:84:9e:b5:e3:8b:e6:9e:82:d9:97: - 96:02:9f:3c:7b:74:e6:1b:b6:c9:fa:b3:b7:8b:53: - 6e:26:fb:b2:3f:ae:2a:7f:f9:67:df:1a:e1:de:87: - 97:47:76:80:a3:c4:bf:5c:2c:0d:ab:36:97:13:2d: - b8:c2:65:41:47:e8:34:54:f8:45:fc:38:76:b8:99: - 3f:ee:83:f6:49:40:96:16:71 + 00:a0:76:7e:fa:ce:3d:80:e7:2a:c4:1f:02:27:f1: + 4d:72:1f:78:57:3f:30:9d:06:2f:d4:3e:64:15:a2: + 16:78:de:9d:f9:db:81:b2:96:50:b4:e8:3b:c1:bd: + 6f:80:00:4a:3b:b7:ef:5e:8f:20:dd:1d:6e:36:8f: + e4:05:66:c7:17:7f:ad:5d:e1:1a:a1:fa:5e:d2:84: + 24:fa:00:46:26:8b:e8:68:ed:c0:86:3c:45:f5:64: + 0f:3b:00:cb:cb:3f:45:3d:98:11:f3:cc:de:e2:cb: + e5:b5:91:59:43:99:41:86:79:75:a2:42:4e:5e:16: + 7a:f3:0f:ec:e4:c0:e2:9d:b5:cf:9b:a9:ea:97:70: + 7a:20:20:8c:30:56:4b:16:29:04:d5:c6:6e:ad:14: + 73:2d:cf:23:a5:38:11:5d:c9:bd:9d:57:f3:1a:c9: + ff:16:64:97:d5:60:0c:08:2b:1f:a9:99:3b:5c:ac: + b2:d7:3e:d5:f3:32:62:6e:20:8a:c2:74:29:6e:aa: + 35:72:1b:25:dd:d1:33:94:1e:87:e8:51:9b:35:45: + 62:19:70:b7:d7:a7:64:48:02:08:74:c3:aa:2b:21: + f6:bc:3c:b4:74:b7:25:7a:41:23:1a:5e:e3:1b:0f: + 1c:cd:98:d0:1a:d3:f6:7a:4a:fb:78:cf:85:6d:02: + c4:e6:be:c7:4d:ba:90:59:c2:33:13:5e:3e:89:3c: + 76:9f:bb:68:03:cb:26:e6:bf:fa:fd:8b:54:42:69: + c9:12:e8:57:e3:2d:72:f5:be:7b:35:b4:60:9a:a7: + 3d:29:9f:e6:f5:38:5a:96:36:72:ad:d8:9e:26:0c: + d0:2a:58:34:8a:dc:75:ef:ad:a5:f2:36:68:b0:6a: + 
1c:8e:c3:9f:43:09:5c:53:48:16:6e:58:4c:46:1e: + a6:d0:d8:de:7a:85:d0:59:cb:10:e6:86:5e:a4:71: + d5:8e:8b:4e:d9:a5:8a:8e:91:30:23:fc:22:35:fc: + 78:8b:aa:66:2b:e2:f0:2f:c9:72:ee:ab:ec:a9:0f: + 1c:ad:7a:15:f3:dc:7d:db:39:bd:e1:ee:88:de:04: + 5f:43:d4:3d:7a:1b:f8:b9:9e:38:6b:06:8d:04:28: + 5a:93:8b:2d:16:03:99:ac:60:a5:40:c3:94:10:0f: + 87:0d:3b:db:74:59:fa:c2:5f:f7:ef:2c:87:29:f0: + 76:7e:50:29:86:5c:cc:7b:89:6b:11:e3:b2:9b:aa: + 9d:36:58:d1:89:ad:77:53:9f:e3:85:89:65:29:6f: + d8:f7:79:68:49:c6:09:97:e5:fa:a2:79:23:b7:48: + c7:da:98:ea:ba:bc:16:9b:3c:ca:71:0c:6a:10:08: + df:ef:1b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
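Review bot: The new validity window for ocsp-responder.crt ends at "Not After : Jan 16 15:05:11 2038 GMT", just under the 32-bit clock rollover, yet the mkcert.sh hunk in this same patch removes the rollover guard and sets DAYS=182500. The checked-in certificates therefore do not match what the script as committed would generate. Either regenerate the fixtures with the new DAYS value, or keep the 2038 limit in mkcert.sh until they are regenerated, so the test data stays reproducible from the script. It would also help to document when these fixtures expire, since the previous set ran out in April 2019 and an expired OCSP responder certificate surfaces as a test failure rather than as a clear expiry message.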
@@ -30,27 +56,64 @@ Certificate: X509v3 Extended Key Usage: OCSP No Check, OCSP Signing X509v3 Subject Key Identifier: - FD:2F:3F:35:BC:72:5C:51:52:4F:5F:D6:20:CB:D1:CB:56:2F:BC:0A + D4:A0:90:A6:79:F7:F8:6A:CE:29:92:37:2D:36:32:22:B5:41:75:45 Signature Algorithm: sha1WithRSAEncryption - 24:95:11:a0:f2:10:58:4d:4e:20:e5:d3:4d:17:b5:4b:37:aa: - fe:c8:28:79:e4:ca:15:b1:9e:28:93:fc:45:99:d5:4a:8a:a0: - 0a:e4:9e:75:64:f9:a4:63:96:dd:2a:9e:c7:0f:03:83:86:44: - c5:1c:a4:34:b6:b7:74:e3:ff:e3:97:0f:11:b5:00:bd:10:fd: - 91:db:ec:2d:14:9b:16:c7:e5:48:b0:08:62:d1:58:be:92:69: - a6:5a:3d:7e:58:39:f0:bb:bc:71:08:b9:76:6c:9b:e6:57:1c: - 25:1b:d6:7a:98:70:9f:95:50:09:17:d9:1a:d9:20:db:d6:8a: - be:9e + 1c:37:c2:22:e7:c3:1e:f9:b5:7a:9b:ee:fe:bc:15:89:cb:34: + 59:2c:b9:c5:e1:c6:56:3a:da:6a:6b:08:df:f4:69:3c:5d:62: + 4d:b9:e2:65:8f:23:48:30:8b:9a:a3:55:7b:8a:4b:d2:ab:8b: + 85:31:78:09:45:2d:9b:fc:59:ad:67:0b:ef:20:b5:70:23:71: + 21:26:d2:e1:c4:4c:54:8f:02:1e:84:35:ff:7b:67:90:05:7c: + 25:2e:ca:13:a4:32:ba:0a:9a:aa:6b:79:53:81:6b:3b:95:fe: + 17:51:57:89:71:22:6b:3e:15:06:6f:1c:d6:8a:9c:e1:49:67: + 4b:3f:4e:f5:2b:b3:8f:89:5b:f7:c9:94:78:02:b7:f9:db:c3: + b9:2f:b9:17:9b:0c:ba:e2:ab:49:e7:5f:0d:85:ef:4b:35:f2: + 39:e7:4c:ef:6a:88:81:99:7e:a7:8c:b1:f7:d9:ec:fd:70:92: + 8d:12:1d:22:49:3e:ef:62:54:92:34:e7:67:27:a1:5c:38:d5: + 1e:b8:95:c2:9b:12:95:4f:8c:64:d6:c5:06:a6:bf:19:fe:c3: + b7:fd:68:d7:7f:f2:7d:7f:aa:4f:71:7a:78:c2:af:b6:6a:5a: + 56:cf:5a:99:82:4b:39:d3:83:03:07:b9:7b:35:31:6c:ac:4c: + c6:8c:46:dc:d3:4c:57:3d:01:6d:5e:76:94:53:9c:ba:e8:42: + d9:8b:2e:88:4d:9a:8f:12:c7:2b:cc:e2:f9:9f:1d:b1:5f:55: + bb:15:4e:e6:f5:bc:7d:03:a1:00:47:b0:1f:26:0e:58:64:24: + a8:ef:96:51:d5:66:cc:4b:0d:0b:37:16:33:ef:d3:a6:c2:05: + e1:6c:38:b6:21:f2:c3:0f:3e:65:d0:6a:0f:37:4b:c5:db:01: + 0a:ce:f7:c5:e1:4e:3f:55:aa:8a:51:23:7b:66:59:ab:20:64: + 7a:0d:bd:dc:cb:79:46:0b:57:51:cf:6f:37:94:03:96:19:a5: + 61:e4:a8:4d:7c:84:0b:b8:79:ba:22:8c:e0:67:0f:8c:ff:44: + 
02:3b:a2:54:6e:3f:f9:a6:d0:46:b3:ed:e1:d1:18:16:ea:4a: + 56:b5:9b:a0:b6:ab:40:2e:6b:c4:8d:7f:75:c9:92:b6:ed:31: + 92:1a:24:94:c7:67:16:fe:6d:9b:d1:f8:2b:25:9d:34:a6:18: + 21:8f:33:5c:9b:81:31:69:c6:f4:b3:f2:51:2e:7d:17:96:50: + 33:07:f6:f7:1d:df:62:bf:29:a7:da:8e:15:e2:62:83:36:a5: + 77:17:f7:29:11:0d:cf:8f:e0:97:b7:24:6c:b6:64:78:8d:e7: + f6:97:d0:1a:3d:ea:38:4f -----BEGIN CERTIFICATE----- -MIICHzCCAYigAwIBAgIBATANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw -OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA5MDQyNjIwMjk0MFoXDTE5 -MDQyNDIwMjk0MFowJjELMAkGA1UEBhMCU0UxFzAVBgNVBAMMDk9DU1AgcmVzcG9u -ZGVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDxOJygXrkOcxm29VcrnAzv -psdXD408BQOPUyjwtvjRDcncEzct8XY2t1xrXaUiAnyGhJ6144vmnoLZl5YCnzx7 -dOYbtsn6s7eLU24m+7I/rip/+WffGuHeh5dHdoCjxL9cLA2rNpcTLbjCZUFH6DRU -+EX8OHa4mT/ug/ZJQJYWcQIDAQABo1kwVzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF -4DAeBgNVHSUEFzAVBgkrBgEFBQcwAQUGCCsGAQUFBwMJMB0GA1UdDgQWBBT9Lz81 -vHJcUVJPX9Ygy9HLVi+8CjANBgkqhkiG9w0BAQUFAAOBgQAklRGg8hBYTU4g5dNN -F7VLN6r+yCh55MoVsZ4ok/xFmdVKiqAK5J51ZPmkY5bdKp7HDwODhkTFHKQ0trd0 -4//jlw8RtQC9EP2R2+wtFJsWx+VIsAhi0Vi+kmmmWj1+WDnwu7xxCLl2bJvmVxwl -G9Z6mHCflVAJF9ka2SDb1oq+ng== +MIIFJDCCAwygAwIBAgIBATANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw +OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxMVoXDTM4 +MDExNjE1MDUxMVowJjELMAkGA1UEBhMCU0UxFzAVBgNVBAMMDk9DU1AgcmVzcG9u +ZGVyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoHZ++s49gOcqxB8C +J/FNch94Vz8wnQYv1D5kFaIWeN6d+duBspZQtOg7wb1vgABKO7fvXo8g3R1uNo/k +BWbHF3+tXeEaofpe0oQk+gBGJovoaO3AhjxF9WQPOwDLyz9FPZgR88ze4svltZFZ +Q5lBhnl1okJOXhZ68w/s5MDinbXPm6nql3B6ICCMMFZLFikE1cZurRRzLc8jpTgR +Xcm9nVfzGsn/FmSX1WAMCCsfqZk7XKyy1z7V8zJibiCKwnQpbqo1chsl3dEzlB6H +6FGbNUViGXC316dkSAIIdMOqKyH2vDy0dLclekEjGl7jGw8czZjQGtP2ekr7eM+F +bQLE5r7HTbqQWcIzE14+iTx2n7toA8sm5r/6/YtUQmnJEuhX4y1y9b57NbRgmqc9 +KZ/m9ThaljZyrdieJgzQKlg0itx1762l8jZosGocjsOfQwlcU0gWblhMRh6m0Nje +eoXQWcsQ5oZepHHVjotO2aWKjpEwI/wiNfx4i6pmK+LwL8ly7qvsqQ8crXoV89x9 
+2zm94e6I3gRfQ9Q9ehv4uZ44awaNBChak4stFgOZrGClQMOUEA+HDTvbdFn6wl/3 +7yyHKfB2flAphlzMe4lrEeOym6qdNljRia13U5/jhYllKW/Y93loScYJl+X6onkj +t0jH2pjqurwWmzzKcQxqEAjf7xsCAwEAAaNZMFcwCQYDVR0TBAIwADALBgNVHQ8E +BAMCBeAwHgYDVR0lBBcwFQYJKwYBBQUHMAEFBggrBgEFBQcDCTAdBgNVHQ4EFgQU +1KCQpnn3+GrOKZI3LTYyIrVBdUUwDQYJKoZIhvcNAQEFBQADggIBABw3wiLnwx75 +tXqb7v68FYnLNFksucXhxlY62mprCN/0aTxdYk254mWPI0gwi5qjVXuKS9Kri4Ux +eAlFLZv8Wa1nC+8gtXAjcSEm0uHETFSPAh6ENf97Z5AFfCUuyhOkMroKmqpreVOB +azuV/hdRV4lxIms+FQZvHNaKnOFJZ0s/TvUrs4+JW/fJlHgCt/nbw7kvuRebDLri +q0nnXw2F70s18jnnTO9qiIGZfqeMsffZ7P1wko0SHSJJPu9iVJI052cnoVw41R64 +lcKbEpVPjGTWxQamvxn+w7f9aNd/8n1/qk9xenjCr7ZqWlbPWpmCSznTgwMHuXs1 +MWysTMaMRtzTTFc9AW1edpRTnLroQtmLLohNmo8SxyvM4vmfHbFfVbsVTub1vH0D +oQBHsB8mDlhkJKjvllHVZsxLDQs3FjPv06bCBeFsOLYh8sMPPmXQag83S8XbAQrO +98XhTj9VqopRI3tmWasgZHoNvdzLeUYLV1HPbzeUA5YZpWHkqE18hAu4eboijOBn +D4z/RAI7olRuP/mm0Eaz7eHRGBbqSla1m6C2q0Aua8SNf3XJkrbtMZIaJJTHZxb+ +bZvR+CslnTSmGCGPM1ybgTFpxvSz8lEufReWUDMH9vcd32K/KafajhXiYoM2pXcX +9ykRDc+P4Je3JGy2ZHiN5/aX0Bo96jhP -----END CERTIFICATE----- diff --git a/lib/hx509/data/ocsp-responder.key b/lib/hx509/data/ocsp-responder.key index c9dcb302e914..98cdf65d0b18 100644 --- a/lib/hx509/data/ocsp-responder.key +++ b/lib/hx509/data/ocsp-responder.key 
@@ -1,16 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAPE4nKBeuQ5zGbb1 -VyucDO+mx1cPjTwFA49TKPC2+NENydwTNy3xdja3XGtdpSICfIaEnrXji+aegtmX -lgKfPHt05hu2yfqzt4tTbib7sj+uKn/5Z98a4d6Hl0d2gKPEv1wsDas2lxMtuMJl -QUfoNFT4Rfw4driZP+6D9klAlhZxAgMBAAECgYEA0hUg69azSu9ZhOtVeOiWp51T -3PHxakVfnVKqxEJGnyNoG6AsnXm/H9Y/yk4rhFwwAaO86eJ8NGT2xvTrM+tk6tua -iNokJ1uWzpt7XPTr5XvkYEYAx7Pf3VmAja2SQkD0m20AXM9QfXsRvyQVwB2RxIhl -pa45Gm+PjSNXRaTzs0ECQQD/L+doN/fBbooCRcRYM/vNnHq5Hh1IdHSp3hI9MMLb -yOU1x6iWfg43xPImODCSippAh74Ummo2SPxVDbuu0Mq5AkEA8f1Rsfh8hcd7RsUu -LKHl4wyVD9fzpjbsFjyuTOq/bDsXLtdktDr1pn37jker/DKm82wHfAELtij74piN -FYHteQJAET7eh6eIodTjlMW8QC27LakOjiYf2n6sR7KPTv1Vnd7Uxq6okQsR0OkJ -aFXRyoV9aTEDQocw+Fw0WVclQOoxWQJBAIUaoWUTGOs83kH/E3bZVmmc8iDU1+AF -NbbFidolBUWy+v143JuGEriRc1y/b4o5EjuyoCtFJ/v6bxIkdvXtkYECQQCxcBgn -ohgcWmple2sTMOEoWu2IvqmLwexvmVf1Z6R8Nhc2ayQTNwe0nCVaTtOY1NanQP/T -U/uo7ISsA/8luXu2 +MIIJRQIBADANBgkqhkiG9w0BAQEFAASCCS8wggkrAgEAAoICAQCgdn76zj2A5yrE +HwIn8U1yH3hXPzCdBi/UPmQVohZ43p3524GyllC06DvBvW+AAEo7t+9ejyDdHW42 +j+QFZscXf61d4Rqh+l7ShCT6AEYmi+ho7cCGPEX1ZA87AMvLP0U9mBHzzN7iy+W1 +kVlDmUGGeXWiQk5eFnrzD+zkwOKdtc+bqeqXcHogIIwwVksWKQTVxm6tFHMtzyOl +OBFdyb2dV/Mayf8WZJfVYAwIKx+pmTtcrLLXPtXzMmJuIIrCdCluqjVyGyXd0TOU +HofoUZs1RWIZcLfXp2RIAgh0w6orIfa8PLR0tyV6QSMaXuMbDxzNmNAa0/Z6Svt4 +z4VtAsTmvsdNupBZwjMTXj6JPHafu2gDyybmv/r9i1RCackS6FfjLXL1vns1tGCa +pz0pn+b1OFqWNnKt2J4mDNAqWDSK3HXvraXyNmiwahyOw59DCVxTSBZuWExGHqbQ +2N56hdBZyxDmhl6kcdWOi07ZpYqOkTAj/CI1/HiLqmYr4vAvyXLuq+ypDxytehXz +3H3bOb3h7ojeBF9D1D16G/i5njhrBo0EKFqTiy0WA5msYKVAw5QQD4cNO9t0WfrC +X/fvLIcp8HZ+UCmGXMx7iWsR47Kbqp02WNGJrXdTn+OFiWUpb9j3eWhJxgmX5fqi +eSO3SMfamOq6vBabPMpxDGoQCN/vGwIDAQABAoICAQCHnl8H3xPARKCyjXqnA5zv +HYX6R1/w9u+ptOmmFw5jLdPa/xkJNV4U6ErJHjCEwLn86yKWiuW9vEgQOWEA57LR +O4ntVHnL+O33gtQ1r9GadpkBRiB3061VDzKILc4Qg/MjccmKgtbGXIpTAPuu1HK7 +EyDG+L9/agSUNhuD4zolDSrgZ6XsRJYTXS7fE6/2lMiPXVzhT+1hBDceRtr2p7Fo +sJK5S4wbAv4Iy1qf9MKX9vhjBVtJ7MOq/iSO61Ybr03tSFJPlH5WkZ/ESmGXipFh 
+Xrjgw5G95K4u5fj7pvvF5LjCs5PZKYm1YCQo/5V2ozk20zbf1dH13jXYD5y3W6XK +APscRKXMjP4sXBq1GrjSqeWbgHpLeL9Gct3E40ytNw93hkjWDdT8xihlDrekT/hQ +bUcB+4ok1qXqurZzf7A49UGK9la/5/jHDMNvG0L5Ssecz9zPtEdA5dcTwVZtndmk +QzrxykvHZPSlcTm4plySGMo0JWvDhBQlAZdnzkEF84OTkT1Irc0SXQ65N0N5ouRI +p5f8/e6hjPKjhRetg7wYmgZbsR9HHFJQrGiSUeQi83PHmmJtn/EUCgFIiGDNkUge +djIY4OSwk8vsfwVgw6Alc0X3pqOcc3jJpHtwtKvAHBaeI1+qXywqK6IeXMzKDNyz +wP2Raxms7IVcTAEXdVs9AQKCAQEA07PS3OfV6of8E7l+kMdN3a2xrlMEtHVjGQ2L +tzaUbn35mE9xDCCgaEjQcx2VU9imGrSnv24KFNPIzmzH6N2ftyCQ/8XVnerEGmle +L4AMIEV9VUIIf3Au5oW0zw+pVU6my9Q40cBGnun84oUMW55mEA0QNrfQh4br10H3 ++D4Z4NYT64ecyvexX1a7oKGJTSBSWV4+KxS8Yk9Q9llLI9GEr+nXY2IwMKjjYpaJ +g26AWhsnPy/xkGmus5ed10HkG67+fsHr/zmucDgI8Jj023nsnggiv1NrbrYld6QF +1CyhA+dvza+o4jriLb77kVHc7wVrfVhxDRwloTmbHfvdgIt12wKCAQEAwgnxrvph +Ko+kARo+00s0rlEAqHiJ21Ty8YWZQH2LuSN9BK3POWzKSQJpxRFzTKdhXU1FVU5r +gULdsGlA0MSNoZxSgYkVJFywFR8SYHDekjIYyoLVtRxKepmLqVUHbefbvRDu8NVD +7elBmgCinGWigPNlCsnxSN9HtQ+exhQAYx6eoLQzZfocyf/i4QVnRnHSj93yTTT5 +u/OmNEJPLEb9Tt5OoYRMHf4IR+rNxm+H474XrYdn01h2nNUkEG2L3W7qJXPocWSZ +43HnNYuwFUKF78EghO3eGWLv7H4laD0MpF842eJmt2PGOGcWYOLpn2Df8fEPXOZd +I5xnoY4BxVDPwQKCAQEAq90MjjHXw/JpfknUqgxi9lgQKwlShH3X2XrZtf8lOR4k +BrZXfBTwpDiYoRufItZ64qtOk2Xt4UKdfpdpI27oPm69yCb/aJgyY46u27kEHx7K +xPA6ndqg+JwLUR3RxmN3nXnINt/1dQVYOzzv72EEUnuIciN/ssahp7ryaCFiONkS +it8pNs0mvdNXtuvs3yQiNlL//VF0LgteGuAa1BU/tuAL767CmH5DOsIjGQQYRw5M +Kkvtu+NP5JRtm1burFrAWH9t62EUcB3NhCVogtTUdub77n72dIaCnEIYSUuB2/2D +EmRMonxTKfglmq/uwEySGsw12wLCucReXVUfWT/eiQKCAQEAktIdaq4PmbnIegEW +6qAsQ34NRmy2uxxjG3dgh5i3gaYlscWmWChGQ8osqC3VFXpNROD0BmFpHQywXAy4 +O3+OP2veTh+gvLvZjJHPQOQGtY5sjcdD11+Jx4ypTb6F+ZaIAV5vvhFQ7hMiTVoP +sNGCjZodqXU2OlKgmpMwK2b1CAsiMi1H+vCumfYiAOwqwfXcQnnJHrxn/tyUtVQ7 +PiCVCPlTfAlz4vnV4Dz96Rl5NE0g82/SkuuMDI2GVVveifWj/CThC/P4MU59iVmi +KeQFHm3+ojauaH0hV8v3mBEhoLpgdRVHbZp0YTc3iqYH6k3OBe7GFiBE924gR/EA +zAGiwQKCAQEAtNHidzC/J8qQql9+DPczfpSSu5wiZPf7y3rLK5flByysg/TmnjG1 +21V5JnOETy69sTAqEz4pzuf14lsNHlz4fjUKo8u3LKLtmrYlfaM3XT8B1vGIkZYv 
+XZ1U8DReOIgAgjDgs3MTHJZ2JeAo6naHNIheQDWm+PUuRfG2ojz8srfVFvp+6M8l +yv7UOmSKJZTWc4KFntdsPv5leEw+Mm428mdnw+mqAspEv1i27JC5eJ9c3wi8IBus +YDwA8sGkOyty1rELE28s8rOJ2LqT2Pf/SoZfvp2O1FUuU0T7Ma/zg+oYJ/heUkPu +Nv1cW+onrP/nvshX+2f5xy2Yy6uQYK9Khg== -----END PRIVATE KEY----- diff --git a/lib/hx509/data/openssl.cnf b/lib/hx509/data/openssl.1.0.cnf index b0146564592a..b0146564592a 100644 --- a/lib/hx509/data/openssl.cnf +++ b/lib/hx509/data/openssl.1.0.cnf diff --git a/lib/hx509/data/openssl.1.1.cnf b/lib/hx509/data/openssl.1.1.cnf new file mode 100644 index 000000000000..110073f268f0 --- /dev/null +++ b/lib/hx509/data/openssl.1.1.cnf 
@@ -0,0 +1,185 @@ +[ca] + +default_ca = user + +[usr] +database = index.txt +serial = serial +x509_extensions = usr_cert +default_md=sha1 +policy = policy_match +email_in_dn = no +certs = . + +[ocsp] +database = index.txt +serial = serial +x509_extensions = ocsp_cert +default_md=sha1 +policy = policy_match +email_in_dn = no +certs = . + +[usr_ke] +database = index.txt +serial = serial +x509_extensions = usr_cert_ke +default_md=sha1 +policy = policy_match +email_in_dn = no +certs = . + +[usr_ds] +database = index.txt +serial = serial +x509_extensions = usr_cert_ds +default_md=sha1 +policy = policy_match +email_in_dn = no +certs = . + +[pkinit_client] +database = index.txt +serial = serial +x509_extensions = pkinit_client_cert +default_md=sha1 +policy = policy_match +email_in_dn = no +certs = . + +[pkinit_kdc] +database = index.txt +serial = serial +x509_extensions = pkinit_kdc_cert +default_md=sha1 +policy = policy_match +email_in_dn = no +certs = . + +[https] +database = index.txt +serial = serial +x509_extensions = https_cert +default_md=sha1 +policy = policy_match +email_in_dn = no +certs = . + +[subca] +database = index.txt +serial = serial +x509_extensions = v3_ca +default_md=sha1 +policy = policy_match +email_in_dn = no +certs = . 
+ + +[req] +distinguished_name = req_distinguished_name +x509_extensions = v3_ca # The extensions to add to the self signed cert + +string_mask = utf8only + +[v3_ca] + +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +basicConstraints = CA:true +keyUsage = cRLSign, keyCertSign, keyEncipherment, nonRepudiation, digitalSignature + +[usr_cert] +basicConstraints=CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectKeyIdentifier = hash + +[usr_cert_ke] +basicConstraints=CA:FALSE +keyUsage = nonRepudiation, keyEncipherment +subjectKeyIdentifier = hash + +[proxy_cert] +basicConstraints=CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectKeyIdentifier = hash +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:foo + +[pkinitc_principals] +princ1 = GeneralString:bar + +[pkinitc_principal_seq] +name_type = EXP:0,INTEGER:1 +name_string = EXP:1,SEQUENCE:pkinitc_principals + +[pkinitc_princ_name] +realm = EXP:0,GeneralString:TEST.H5L.SE +principal_name = EXP:1,SEQUENCE:pkinitc_principal_seq + +[pkinit_client_cert] +basicConstraints=CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectKeyIdentifier = hash +subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitc_princ_name + +[https_cert] +basicConstraints=CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +#extendedKeyUsage = https-server XXX +subjectKeyIdentifier = hash + +[pkinit_kdc_cert] +basicConstraints=CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = 1.3.6.1.5.2.3.5 +subjectKeyIdentifier = hash +subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitkdc_princ_name + +[pkinitkdc_princ_name] +realm = EXP:0,GeneralString:TEST.H5L.SE +principal_name = EXP:1,SEQUENCE:pkinitkdc_principal_seq + +[pkinitkdc_principal_seq] +name_type = EXP:0,INTEGER:1 +name_string = EXP:1,SEQUENCE:pkinitkdc_principals + +[pkinitkdc_principals] +princ1 = 
GeneralString:krbtgt +princ2 = GeneralString:TEST.H5L.SE + +[proxy10_cert] +basicConstraints=CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectKeyIdentifier = hash +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:10,policy:text:foo + +[usr_cert_ds] +basicConstraints=CA:FALSE +keyUsage = nonRepudiation, digitalSignature +subjectKeyIdentifier = hash + +[ocsp_cert] +basicConstraints=CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +# ocsp-nocheck and kp-OCSPSigning +extendedKeyUsage = 1.3.6.1.5.5.7.48.1.5, 1.3.6.1.5.5.7.3.9 +subjectKeyIdentifier = hash + +[req_distinguished_name] +countryName = Country Name (2 letter code) +countryName_default = SE +countryName_min = 2 +countryName_max = 2 + +organizationalName = Organizational Unit Name (eg, section) + +commonName = Common Name (eg, YOUR name) +commonName_max = 64 + +#[req_attributes] +#challengePassword = A challenge password +#challengePassword_min = 4 +#challengePassword_max = 20 + +[policy_match] +countryName = match +commonName = supplied diff --git a/lib/hx509/data/pkinit-ec.crt b/lib/hx509/data/pkinit-ec.crt index 4e8300d0c05f..7029daa66e5a 100644 --- a/lib/hx509/data/pkinit-ec.crt +++ b/lib/hx509/data/pkinit-ec.crt 
@@ -2,50 +2,80 @@ Certificate: Data: Version: 3 (0x2) Serial Number: 7 (0x7) - Signature Algorithm: sha1WithRSAEncryption + Signature Algorithm: sha1WithRSAEncryption Issuer: CN=hx509 Test Root CA, C=SE Validity - Not Before: Apr 26 20:29:40 2009 GMT - Not After : Apr 24 20:29:40 2019 GMT + Not Before: May 23 15:05:15 2019 GMT + Not After : Jan 16 15:05:15 2038 GMT Subject: C=SE, CN=pkinit-ec Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) - pub: - 04:df:d7:32:eb:d6:71:78:19:5d:4f:59:6a:85:12: - 20:2f:97:61:aa:e8:6e:71:ac:b7:de:42:82:2a:8b: - 8b:33:86:d3:fc:4e:a5:49:9a:ca:19:6b:1b:ab:3d: - fd:4d:c5:7a:f4:a0:10:b2:a0:8c:05:3a:d7:55:e5: - c9:f5:89:67:07 + pub: + 04:57:a2:25:14:5b:a7:ac:55:9e:e0:ea:c2:92:98: + c9:13:91:d3:c4:13:00:0c:f9:d6:29:a4:45:c3:53: + f2:f6:92:8e:d9:ce:d4:24:48:56:80:1c:04:8e:13: + ec:49:c1:4d:78:5e:f5:1c:d7:c2:0e:8d:93:da:a4: + 79:18:6b:0a:9a ASN1 OID: prime256v1 + NIST CURVE: P-256 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Key Identifier: - BB:8C:16:71:C8:21:FB:21:0F:81:11:A1:BB:43:12:C8:EF:C8:DA:64 + 1D:2E:2D:D0:63:94:5A:99:95:87:DD:A3:11:F8:82:5A:2A:43:2B:28 X509v3 Subject Alternative Name: othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption - 08:6e:66:b5:58:e0:e3:fb:15:04:11:89:f0:73:a0:d1:17:c4: - b8:7e:dd:ce:34:fb:7b:ab:ae:bb:af:6f:4d:47:1f:02:f8:e7: - 7c:c9:33:37:7e:7c:2c:2a:4a:26:38:e1:e5:a9:dd:7c:e1:f8: - 5a:2c:c7:6f:26:aa:f2:b0:7f:d4:85:0a:33:b7:ec:df:93:fe: - e4:04:a0:3e:e2:65:ac:1a:f4:b0:50:d6:cf:9e:bb:ce:90:ca: - 34:7a:13:f5:6f:30:bd:ec:af:c5:b9:dd:fa:bc:37:b8:34:6e: - bb:12:5e:aa:d2:bf:91:64:d8:fe:c0:fb:9a:b0:10:ba:95:02: - be:9b + b3:3e:84:9b:be:cd:a0:cc:21:dd:f7:12:41:90:8e:9e:25:30: + 0b:2d:b5:1c:35:a1:15:76:9c:7e:dc:23:33:16:bf:ab:60:82: + ad:3a:2e:4f:84:f1:62:21:7c:1c:a1:37:45:01:12:cf:99:aa: + a3:b4:72:fe:c9:e3:bd:25:ef:4d:bf:b5:e2:ac:15:3f:b3:b7: + 
df:78:2b:0e:2d:95:71:0b:c7:6c:31:54:c0:c1:e0:8f:00:10: + 31:20:a6:5e:71:bd:d6:6f:45:cc:25:11:3d:ce:26:75:8b:ba: + 03:3c:d4:87:89:c7:93:5b:d9:76:b1:20:96:83:07:91:34:05: + 12:2d:56:e8:18:b2:4a:2d:ba:b0:59:02:65:81:60:3b:92:96: + 7d:d1:c9:ab:bf:ac:bb:aa:f7:b3:a5:0b:de:e5:cb:0c:16:ac: + 65:1c:da:6a:c5:16:43:15:b7:14:55:b9:6d:0f:f0:79:ef:b1: + d0:6e:bf:85:fb:bb:93:6b:30:69:98:db:da:8c:f2:3a:e8:a3: + c9:57:3c:d0:fa:7e:db:cd:48:93:7a:cd:af:a4:71:06:3d:a6: + 94:b4:99:3a:2e:9c:3a:ac:2f:19:f5:19:1d:71:3d:96:00:74: + c9:99:58:40:0d:c2:bf:cf:85:8f:dd:f6:ff:b0:cf:1a:84:6d: + 02:87:4d:96:7d:db:2f:f1:8a:e5:39:30:8b:89:c4:8d:34:60: + 05:85:96:92:fc:a0:6a:b9:df:54:53:e6:f3:9a:27:2d:bc:9d: + 8d:a5:44:bd:81:83:d3:8a:d6:96:b1:71:b3:4b:40:b6:95:e2: + 45:19:e3:a5:3c:17:af:a8:39:2a:52:68:e4:7c:0f:fa:fd:15: + 07:fd:e5:e8:1c:cb:b3:2c:d4:97:21:7b:86:fb:fb:78:9a:6a: + f2:71:0b:b7:2e:d7:df:96:cb:2e:83:2e:81:29:50:0f:e0:50: + 0f:d5:34:7d:13:eb:a2:68:d2:a1:26:35:15:08:a9:ac:7e:f5: + 8d:4c:68:01:a2:01:05:db:5b:7d:ea:ba:45:ea:34:93:db:89: + 0e:46:58:6e:a3:6f:aa:4a:6c:ac:28:58:a0:48:cc:e2:75:54: + e4:79:19:b3:d5:6c:c9:04:b3:d0:9b:51:f5:07:0e:e1:a0:07: + 61:e9:53:dc:0f:83:3c:7f:54:7b:ca:7e:35:b9:6c:0a:e5:b4: + 61:48:11:a1:92:27:1d:2e:57:07:67:f0:b0:66:61:0b:a5:15: + d1:1a:10:05:34:90:52:a3:c4:a8:19:cf:3e:52:b3:c9:ab:49: + e8:84:96:a9:9f:d7:bb:a4:43:2b:ef:b2:bf:8b:01:46:b0:48: + e4:80:b8:3e:4a:ab:85:5f -----BEGIN CERTIFICATE----- -MIIB7TCCAVagAwIBAgIBBzANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw -OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA5MDQyNjIwMjk0MFoXDTE5 -MDQyNDIwMjk0MFowITELMAkGA1UEBhMCU0UxEjAQBgNVBAMMCXBraW5pdC1lYzBZ -MBMGByqGSM49AgEGCCqGSM49AwEHA0IABN/XMuvWcXgZXU9ZaoUSIC+XYarobnGs -t95CgiqLizOG0/xOpUmayhlrG6s9/U3FevSgELKgjAU611XlyfWJZwejczBxMAkG -A1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBS7jBZxyCH7IQ+BEaG7QxLI -78jaZDA4BgNVHREEMTAvoC0GBisGAQUCAqAjMCGgDRsLVEVTVC5INUwuU0WhEDAO -oAMCAQGhBzAFGwNiYXIwDQYJKoZIhvcNAQEFBQADgYEACG5mtVjg4/sVBBGJ8HOg 
-0RfEuH7dzjT7e6uuu69vTUcfAvjnfMkzN358LCpKJjjh5andfOH4WizHbyaq8rB/ -1IUKM7fs35P+5ASgPuJlrBr0sFDWz567zpDKNHoT9W8wveyvxbnd+rw3uDRuuxJe -qtK/kWTY/sD7mrAQupUCvps= +MIIDbjCCAVagAwIBAgIBBzANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw +OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxNVoXDTM4 +MDExNjE1MDUxNVowITELMAkGA1UEBhMCU0UxEjAQBgNVBAMMCXBraW5pdC1lYzBZ +MBMGByqGSM49AgEGCCqGSM49AwEHA0IABFeiJRRbp6xVnuDqwpKYyROR08QTAAz5 +1imkRcNT8vaSjtnO1CRIVoAcBI4T7EnBTXhe9RzXwg6Nk9qkeRhrCpqjczBxMAkG +A1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBQdLi3QY5RamZWH3aMR+IJa +KkMrKDA4BgNVHREEMTAvoC0GBisGAQUCAqAjMCGgDRsLVEVTVC5INUwuU0WhEDAO +oAMCAQGhBzAFGwNiYXIwDQYJKoZIhvcNAQEFBQADggIBALM+hJu+zaDMId33EkGQ +jp4lMAsttRw1oRV2nH7cIzMWv6tggq06Lk+E8WIhfByhN0UBEs+ZqqO0cv7J470l +702/teKsFT+zt994Kw4tlXELx2wxVMDB4I8AEDEgpl5xvdZvRcwlET3OJnWLugM8 +1IeJx5Nb2XaxIJaDB5E0BRItVugYskoturBZAmWBYDuSln3Ryau/rLuq97OlC97l +ywwWrGUc2mrFFkMVtxRVuW0P8HnvsdBuv4X7u5NrMGmY29qM8jroo8lXPND6ftvN +SJN6za+kcQY9ppS0mTounDqsLxn1GR1xPZYAdMmZWEANwr/PhY/d9v+wzxqEbQKH +TZZ92y/xiuU5MIuJxI00YAWFlpL8oGq531RT5vOaJy28nY2lRL2Bg9OK1paxcbNL +QLaV4kUZ46U8F6+oOSpSaOR8D/r9FQf95egcy7Ms1Jche4b7+3iaavJxC7cu19+W +yy6DLoEpUA/gUA/VNH0T66Jo0qEmNRUIqax+9Y1MaAGiAQXbW33qukXqNJPbiQ5G +WG6jb6pKbKwoWKBIzOJ1VOR5GbPVbMkEs9CbUfUHDuGgB2HpU9wPgzx/VHvKfjW5 +bArltGFIEaGSJx0uVwdn8LBmYQulFdEaEAU0kFKjxKgZzz5Ss8mrSeiElqmf17uk +Qyvvsr+LAUawSOSAuD5Kq4Vf -----END CERTIFICATE----- diff --git a/lib/hx509/data/pkinit-ec.key b/lib/hx509/data/pkinit-ec.key index 874b8a53e770..846bb51aae15 100644 --- a/lib/hx509/data/pkinit-ec.key +++ b/lib/hx509/data/pkinit-ec.key 
@@ -1,5 +1,5 @@ -----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgL/JpadcZH3wtaXm9 -hbeKhG4YsKoN/WffC88YldqhFYChRANCAATf1zLr1nF4GV1PWWqFEiAvl2Gq6G5x -rLfeQoIqi4szhtP8TqVJmsoZaxurPf1NxXr0oBCyoIwFOtdV5cn1iWcH +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgf0P72e36G4JST5z5 +hGIETF9eViQ6rCu3pu3793hC6DuhRANCAARXoiUUW6esVZ7g6sKSmMkTkdPEEwAM ++dYppEXDU/L2ko7ZztQkSFaAHASOE+xJwU14XvUc18IOjZPapHkYawqa -----END PRIVATE KEY----- diff --git a/lib/hx509/data/pkinit-proxy-chain.crt b/lib/hx509/data/pkinit-proxy-chain.crt index 2d2553fdae74..15fd65fdc846 100644 --- a/lib/hx509/data/pkinit-proxy-chain.crt +++ b/lib/hx509/data/pkinit-proxy-chain.crt 
@@ -1,40 +1,82 @@ -----BEGIN CERTIFICATE----- -MIICMTCCAZqgAwIBAgIJAOFd/6I9Oly5MA0GCSqGSIb3DQEBBQUAMB4xCzAJBgNV -BAYTAlNFMQ8wDQYDVQQDDAZwa2luaXQwHhcNMDkwNDI2MjAyOTQwWhcNMTkwNDI0 -MjAyOTQwWjA1MQswCQYDVQQGEwJTRTEPMA0GA1UEAwwGcGtpbml0MRUwEwYDVQQD -DAxwa2luaXQtcHJveHkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANKxpMj4 -is1Zy+3RQfaZyhIbPkK+1237l10YqJmh5vB4WF+VriouCw8bXK/Q84rnGlr48fYa -3qquiuT7TzUyBJ/vGMhuBosnO4zI3usM7wcp9zfmykesP/5ef1HRe8Lv2F1HZkLc -6N4jo5lIGtnlnXe4qJjbjTPsY4x0PVl5QV0DAgMBAAGjYDBeMAkGA1UdEwQCMAAw -CwYDVR0PBAQDAgXgMB0GA1UdDgQWBBStm+lnDlopIzCh6tdbGhDyHDDdlzAlBggr -BgEFBQcBDgEB/wQWMBQCAQAwDwYIKwYBBQUHFQAEA2ZvbzANBgkqhkiG9w0BAQUF -AAOBgQB/udiUzrV5n+klF473NEMaajNvxC/u4/60vHXt6U42U4zHWWRuWTMDkPA/ -6LorSPIk+ZvWLAFHVR2EdeVFZzxbsb9IAsM+giZxv7bYfloBZHhbzc3r8IDSZa1H -totfxDb/wZrFAbNiuuAdmKuRGxwGYE4ykw3ebLSuoRYPI2Szxw== +MIIFNjCCAx6gAwIBAgIJAJd7zCsMMPvCMA0GCSqGSIb3DQEBCwUAMB4xCzAJBgNV +BAYTAlNFMQ8wDQYDVQQDDAZwa2luaXQwHhcNMTkwNTIzMTUwNTE1WhcNMzgwMTE2 +MTUwNTE1WjA1MQswCQYDVQQGEwJTRTEPMA0GA1UEAwwGcGtpbml0MRUwEwYDVQQD +DAxwa2luaXQtcHJveHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCh +U0hTlQYhDONlH8153Wn2/H6/OW15S9pvg/RcQ9+Mc7a3kOEnImHt4B/zevv1rfYa +EernC2mrTxvSSy2Oxx3yNFsV1Kys+kMYiIygswPohTHYhMQKEjqGPTN97E1JcvMQ +iZy19sl6tG+kLZKa5pSTUoFrlqw2NN9U1WjlgaZ7WnLxwLlatQnZOnA6+MoU1bJe +pkPUAcjOOQZTd2D/3tAOcBKfQ6z97XFqfxzcnclz+9BXgFdZWTR1efd5yYNy17ny +8hoEHuc34+a/hrrhfiFiXYKFF6f07YI6lt+ElPOc93oz19fE4wVskXjvxLOwahzM +q2jRalsj/XlYCEHrZqaYjHvY8MYNFleThQEwJ/zldgQjx2MMnUD3ApxRDutfYM9e +MFSv0ATDFoKi55mGySMD3dMpI1I/TER459Am5c88SfxJNJXAW/2GJXQAJ7tCL3dM +sYcqkl5uVZXPJxSQbfFCl95lhlzOtoXZTS1+cxYN0oz9YfLoG3tz3x5Xtxo0eUbI +NJBq1sWi6bO6+6GyQOxs45sawl906XFqW/qzSywNOOsT/hcuEvc4IGdZKLP/wxF0 +HJzeaqDwfmiT1tz8jArGsbqw/i77xND6tq+56rur5/BhfIapXZ9wKDfawQttpDnX +PTcaT8BSqQejfZa0RiRvt70pypm98eZ1XRzWhC6bvQIDAQABo2AwXjAJBgNVHRME +AjAAMAsGA1UdDwQEAwIF4DAdBgNVHQ4EFgQUzoShaVViBQhilqB70YV+yuLcWIEw +JQYIKwYBBQUHAQ4BAf8EFjAUAgEAMA8GCCsGAQUFBxUABANmb28wDQYJKoZIhvcN 
+AQELBQADggIBAL45/vKz88cBG7c11gyePde86H7qWgIKrWocohn6eoXF1p2ZkLvP +na4o7WVr/WC7t4DiBZVUNVvrqss/nOI3wMVjU9Mn9wrJbycvrVPAWH1nIhlKR3gM +H8PTcZiHI+Vf14aHTjeRFEXxy0i+K7JxtKRQC/Bi+MuwnBvPwvar3tqFLXprRk4p +p42I7/ngT8WcAzz/LWj0rWYNl/TEFU3esDBr3rz+B5TFVcp2dLpcZW7ScFRh9bLT +OwJ/QNhzvnH5cwsWlb8cpDTFVeyTOBgqh9t6ut6SnDfCu03xIBVuCk+P5KhOGWAS +3cOVqvGn3Y3q1glE2XdKgyYqU2z3itneUyiCeopItFaKZIV52s4WuIuGO+PK8XOi +QhwtnsWO91toEFUpUNkxf/C6C61G4xuvHeMVLdTzO1Xi5kuHyN9gD8rLAuUfaV1c +Zv3f2S8WpvEGkSSu8Ap1k3ExfIaFhgxzu3pjGL5e6YV2lK9d/UGXOpDRFZOUuoRm +dyowQcF3XcH6zTDu+ThXlPSq5bkjrnMnNt2z2LfqGb/GFp1vl11LsXeLgpHmFTq2 +4umDDUwMHVzrmFoa3BtUkgO3BUoSrt2l63TFqTQZgZAf/D042jBcmOhV6Mt5MsDK +MFZkoYjtv+8jTeRwxP2zi3EceCvGkV1Mf3t2/h4wYGa25J6HFq86VVRU -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) Serial Number: 6 (0x6) - Signature Algorithm: sha1WithRSAEncryption + Signature Algorithm: sha1WithRSAEncryption Issuer: CN=hx509 Test Root CA, C=SE Validity - Not Before: Apr 26 20:29:40 2009 GMT - Not After : Apr 24 20:29:40 2019 GMT + Not Before: May 23 15:05:15 2019 GMT + Not After : Jan 16 15:05:15 2038 GMT Subject: C=SE, CN=pkinit Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) + Public-Key: (4096 bit) Modulus: - 00:b2:47:42:dc:46:f8:94:e3:66:2b:f9:26:14:56: - 41:68:e1:7a:04:cd:55:45:ae:e0:a8:48:80:33:58: - fc:86:4f:e8:67:62:89:f7:d4:ba:d1:bb:9a:6a:83: - 1b:4e:01:b5:7c:9e:b2:d2:bf:84:21:98:58:1d:b6: - 4d:fa:af:f2:e5:e8:d4:d6:78:a3:06:da:69:15:09: - d8:fa:07:09:97:cf:1a:3b:2c:69:b2:58:a2:0b:48: - 4e:37:11:2c:f5:7a:8f:50:e4:40:14:29:28:30:ac: - 0b:b5:0a:1e:60:b4:9a:d4:8d:bc:38:c9:2f:a9:d1: - 35:e7:c9:d4:18:66:1c:15:2d + 00:bf:4b:44:8f:d1:dd:56:18:41:5c:c2:c4:2b:ff: + 28:e6:7f:68:26:d4:0f:08:e6:af:dd:72:28:9b:ec: + 5f:5a:2f:f1:9a:7b:21:0f:c2:01:96:d8:85:32:20: + 5c:c7:91:fb:2d:71:33:d7:dc:81:06:32:2e:e5:ec: + 61:37:8a:0b:0c:23:57:cd:9c:ae:93:79:58:26:1e: + de:26:18:12:52:c3:76:7a:d1:6a:dc:98:67:13:4d: + 73:dc:8f:7f:7b:dc:97:15:dd:eb:6e:0b:54:cc:f7: + 
ef:db:14:8f:d2:89:47:3e:8c:e7:de:ef:61:34:67: + 10:60:8a:87:13:6d:86:91:9d:8a:92:64:72:5c:ef: + 64:57:b9:0e:91:ea:41:2c:03:e0:67:c7:51:cf:ea: + 09:5a:e9:0e:ba:eb:be:53:10:90:e5:0f:87:33:3b: + e6:53:11:1c:6d:75:34:ea:4a:7c:59:f4:6b:da:82: + 30:4d:f5:72:ad:ae:41:f7:c1:ca:b2:7e:74:a4:45: + bd:2d:80:c5:47:d3:ed:c2:02:fb:d9:85:76:00:3d: + a6:ab:da:2a:ef:a4:c7:d6:74:c4:88:02:63:d5:a0: + 5f:6b:88:ee:bc:df:0f:43:78:8f:62:1a:c6:c8:e5: + 3a:43:aa:75:94:d0:71:15:a4:8a:f9:67:5d:93:93: + bd:78:04:46:39:90:48:22:05:78:17:ec:b9:26:3f: + 4f:7b:a9:e2:79:b3:cf:13:ce:34:9f:3c:7a:8f:a8: + b7:b4:12:39:01:4f:26:44:33:b9:7d:eb:c7:0d:c7: + 1c:d3:c5:52:2b:cb:65:a2:48:b8:c6:b2:e5:17:d3: + df:ed:ef:e9:ea:21:5f:2e:42:23:40:35:7e:97:23: + 28:42:0e:22:25:79:f6:ea:ae:a3:cf:c6:c4:ef:ed: + c3:1f:14:05:5f:66:ab:20:a0:5e:80:11:32:1f:ff: + 69:10:e2:8e:d6:70:e4:97:ab:82:89:37:57:74:43: + 81:e6:85:ca:6e:3b:1d:ae:3f:ca:7f:da:2b:7b:db: + ee:ab:ad:a1:a1:16:38:9c:b6:f2:af:be:b0:19:e1: + 63:14:6f:26:24:f4:a8:3a:04:0e:9a:9c:5a:0a:bd: + 22:91:c4:c3:ab:2f:ea:54:d7:ca:ad:ed:b7:a0:98: + 8a:c8:94:15:ea:13:22:97:29:df:3a:85:4c:80:0d: + ee:3f:d0:66:3d:9c:0f:41:2b:fd:1e:90:f5:8a:fb: + 4c:10:20:3b:91:cc:fc:ab:d8:89:ac:7a:9f:bc:c9: + e4:09:fe:81:ba:53:cf:f5:13:1b:4b:b0:f3:bf:34: + 3d:3d:2c:8c:90:89:d6:37:78:cc:7c:f0:a8:97:08: + ac:ea:f5 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
@@ -42,29 +84,66 @@ Certificate: X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Key Identifier: - E8:3F:1A:8B:C2:8A:9C:F9:B4:4F:95:D9:55:29:0C:A5:0B:0E:13:C6 + 76:9F:AA:4D:D1:1E:92:61:23:CE:AE:DC:C3:CD:07:EB:A7:13:43:2F X509v3 Subject Alternative Name: othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption - b5:ab:c2:d5:f8:30:fc:bb:b3:53:c2:42:a0:f1:4d:a0:5c:92: - 1a:c7:dc:01:df:42:6a:d2:c8:79:18:ae:a7:09:8e:ea:1c:97: - 80:93:b1:e3:23:4d:ca:15:f5:f8:c2:d0:38:5d:0d:76:7b:41: - 47:f1:a4:77:26:86:2c:69:2a:5c:86:32:00:09:da:04:3c:d6: - 30:9d:a3:0a:e2:b1:a6:36:2f:ff:3c:80:d6:e7:2a:8b:49:dd: - d8:24:98:7a:15:0a:29:f0:4b:30:ae:73:b5:af:70:7a:3a:b0: - 40:27:a7:4e:74:8c:46:1e:2f:bb:cc:57:63:30:bf:b1:38:81: - 10:bd + 3d:2f:62:54:90:6a:d1:f1:93:cc:21:b6:45:d2:d8:d3:ae:c8: + c4:63:6d:9a:25:a1:c3:33:3a:c0:90:ea:ac:4b:67:a4:af:dd: + 75:3f:03:13:44:a9:7e:5a:9e:3b:6f:df:06:d0:6d:ae:bf:fc: + bf:23:b0:5e:c9:1b:98:d1:e6:6c:20:83:48:2f:b1:8d:ef:c1: + 33:fd:d1:7f:d0:ca:03:9a:e4:3a:42:17:0d:e6:40:25:2f:f3: + 80:83:36:c4:cc:8e:4b:7b:90:9d:22:ca:83:c1:a3:d0:c9:13: + af:b4:a6:d7:d9:3b:be:fd:d1:5a:da:71:f8:6e:18:c8:8e:82: + d0:b8:a6:de:58:c8:9b:8f:c1:20:ab:81:a8:3b:29:81:2d:cb: + a2:f3:b2:9b:81:7d:78:c6:55:ed:05:75:7f:4c:64:6b:fe:00: + e7:2b:6e:17:d5:32:de:e1:1d:33:f6:ce:89:4b:c6:be:92:54: + f7:16:ea:91:b7:af:46:80:41:8f:6c:47:d6:07:d7:62:34:1b: + 7c:69:e8:6c:ac:6f:39:b2:3c:60:cd:b3:89:95:3a:9e:ef:75: + fa:b1:ad:b4:bc:89:69:1c:69:53:dd:94:25:93:7c:64:56:75: + 0a:a9:8d:2b:6d:ed:9c:e7:cf:9a:ad:02:ca:79:f4:fa:59:4e: + 51:33:c3:f9:4d:a6:35:62:50:e7:f3:2d:aa:32:b3:60:2f:1e: + e3:71:6b:78:98:f7:9f:fe:0f:0f:f1:a5:6a:4f:f7:01:22:52: + 60:6b:62:b5:5b:15:6d:4f:41:e0:23:a0:43:45:39:70:f3:a0: + bd:30:14:63:01:01:f4:1f:fb:65:43:c8:99:57:aa:47:2d:53: + 0c:f6:c2:65:f3:1a:64:69:67:f3:7b:b1:2f:0f:c1:e8:a2:5e: + 78:bd:df:a6:d8:3e:ce:6a:fc:bb:c6:14:a1:6b:de:fa:47:5d: + ce:6a:24:60:da:1b:5d:fd:c1:5f:27:34:a2:b6:dc:bb:e5:f4: + 
cb:14:88:e6:66:e7:49:e8:a0:22:49:da:af:1a:30:f6:ac:a7: + 99:56:5e:b4:b0:19:71:67:59:cd:0d:67:4b:82:54:0d:c9:88: + cb:ea:36:7f:60:d5:df:8a:74:78:25:2a:b5:ca:89:ac:9a:0b: + bc:a4:25:f9:38:c0:13:58:1b:5c:60:0a:b7:9c:74:de:b1:7b: + e2:5e:1d:85:50:e0:69:22:c5:2f:e1:1a:1c:ca:cd:a7:ab:0d: + a2:ce:f1:88:92:68:10:fa:1d:ca:f4:62:6d:cd:8b:1b:72:2f: + 67:a1:b6:f6:ef:b9:f1:e8:bd:42:54:d8:4b:e0:8b:9b:6d:2d: + 1c:ca:c3:eb:79:5c:d7:00 -----BEGIN CERTIFICATE----- -MIICMTCCAZqgAwIBAgIBBjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw -OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA5MDQyNjIwMjk0MFoXDTE5 -MDQyNDIwMjk0MFowHjELMAkGA1UEBhMCU0UxDzANBgNVBAMMBnBraW5pdDCBnzAN -BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAskdC3Eb4lONmK/kmFFZBaOF6BM1VRa7g -qEiAM1j8hk/oZ2KJ99S60buaaoMbTgG1fJ6y0r+EIZhYHbZN+q/y5ejU1nijBtpp -FQnY+gcJl88aOyxpsliiC0hONxEs9XqPUORAFCkoMKwLtQoeYLSa1I28OMkvqdE1 -58nUGGYcFS0CAwEAAaNzMHEwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0O -BBYEFOg/GovCipz5tE+V2VUpDKULDhPGMDgGA1UdEQQxMC+gLQYGKwYBBQICoCMw -IaANGwtURVNULkg1TC5TRaEQMA6gAwIBAaEHMAUbA2JhcjANBgkqhkiG9w0BAQUF -AAOBgQC1q8LV+DD8u7NTwkKg8U2gXJIax9wB30Jq0sh5GK6nCY7qHJeAk7HjI03K -FfX4wtA4XQ12e0FH8aR3JoYsaSpchjIACdoEPNYwnaMK4rGmNi//PIDW5yqLSd3Y -JJh6FQop8EswrnO1r3B6OrBAJ6dOdIxGHi+7zFdjML+xOIEQvQ== +MIIFNjCCAx6gAwIBAgIBBjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw +OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxNVoXDTM4 +MDExNjE1MDUxNVowHjELMAkGA1UEBhMCU0UxDzANBgNVBAMMBnBraW5pdDCCAiIw +DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL9LRI/R3VYYQVzCxCv/KOZ/aCbU +Dwjmr91yKJvsX1ov8Zp7IQ/CAZbYhTIgXMeR+y1xM9fcgQYyLuXsYTeKCwwjV82c +rpN5WCYe3iYYElLDdnrRatyYZxNNc9yPf3vclxXd624LVMz379sUj9KJRz6M597v +YTRnEGCKhxNthpGdipJkclzvZFe5DpHqQSwD4GfHUc/qCVrpDrrrvlMQkOUPhzM7 +5lMRHG11NOpKfFn0a9qCME31cq2uQffByrJ+dKRFvS2AxUfT7cIC+9mFdgA9pqva +Ku+kx9Z0xIgCY9WgX2uI7rzfD0N4j2IaxsjlOkOqdZTQcRWkivlnXZOTvXgERjmQ +SCIFeBfsuSY/T3up4nmzzxPONJ88eo+ot7QSOQFPJkQzuX3rxw3HHNPFUivLZaJI +uMay5RfT3+3v6eohXy5CI0A1fpcjKEIOIiV59uquo8/GxO/twx8UBV9mqyCgXoAR 
+Mh//aRDijtZw5Jergok3V3RDgeaFym47Ha4/yn/aK3vb7qutoaEWOJy28q++sBnh +YxRvJiT0qDoEDpqcWgq9IpHEw6sv6lTXyq3tt6CYisiUFeoTIpcp3zqFTIAN7j/Q +Zj2cD0Er/R6Q9Yr7TBAgO5HM/KvYiax6n7zJ5An+gbpTz/UTG0uw8780PT0sjJCJ +1jd4zHzwqJcIrOr1AgMBAAGjczBxMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0G +A1UdDgQWBBR2n6pN0R6SYSPOrtzDzQfrpxNDLzA4BgNVHREEMTAvoC0GBisGAQUC +AqAjMCGgDRsLVEVTVC5INUwuU0WhEDAOoAMCAQGhBzAFGwNiYXIwDQYJKoZIhvcN +AQEFBQADggIBAD0vYlSQatHxk8whtkXS2NOuyMRjbZolocMzOsCQ6qxLZ6Sv3XU/ +AxNEqX5anjtv3wbQba6//L8jsF7JG5jR5mwgg0gvsY3vwTP90X/QygOa5DpCFw3m +QCUv84CDNsTMjkt7kJ0iyoPBo9DJE6+0ptfZO7790VracfhuGMiOgtC4pt5YyJuP +wSCrgag7KYEty6LzspuBfXjGVe0FdX9MZGv+AOcrbhfVMt7hHTP2zolLxr6SVPcW +6pG3r0aAQY9sR9YH12I0G3xp6GysbzmyPGDNs4mVOp7vdfqxrbS8iWkcaVPdlCWT +fGRWdQqpjStt7Zznz5qtAsp59PpZTlEzw/lNpjViUOfzLaoys2AvHuNxa3iY95/+ +Dw/xpWpP9wEiUmBrYrVbFW1PQeAjoENFOXDzoL0wFGMBAfQf+2VDyJlXqkctUwz2 +wmXzGmRpZ/N7sS8PweiiXni936bYPs5q/LvGFKFr3vpHXc5qJGDaG139wV8nNKK2 +3Lvl9MsUiOZm50nooCJJ2q8aMPasp5lWXrSwGXFnWc0NZ0uCVA3JiMvqNn9g1d+K +dHglKrXKiayaC7ykJfk4wBNYG1xgCrecdN6xe+JeHYVQ4GkixS/hGhzKzaerDaLO +8YiSaBD6Hcr0Ym3NixtyL2ehtvbvufHovUJU2Evgi5ttLRzKw+t5XNcA -----END CERTIFICATE----- diff --git a/lib/hx509/data/pkinit-proxy.crt b/lib/hx509/data/pkinit-proxy.crt index 28da269f4bac..3fe393e4193e 100644 --- a/lib/hx509/data/pkinit-proxy.crt +++ b/lib/hx509/data/pkinit-proxy.crt 
@@ -1,14 +1,30 @@ -----BEGIN CERTIFICATE----- -MIICMTCCAZqgAwIBAgIJAOFd/6I9Oly5MA0GCSqGSIb3DQEBBQUAMB4xCzAJBgNV -BAYTAlNFMQ8wDQYDVQQDDAZwa2luaXQwHhcNMDkwNDI2MjAyOTQwWhcNMTkwNDI0 -MjAyOTQwWjA1MQswCQYDVQQGEwJTRTEPMA0GA1UEAwwGcGtpbml0MRUwEwYDVQQD -DAxwa2luaXQtcHJveHkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANKxpMj4 -is1Zy+3RQfaZyhIbPkK+1237l10YqJmh5vB4WF+VriouCw8bXK/Q84rnGlr48fYa -3qquiuT7TzUyBJ/vGMhuBosnO4zI3usM7wcp9zfmykesP/5ef1HRe8Lv2F1HZkLc -6N4jo5lIGtnlnXe4qJjbjTPsY4x0PVl5QV0DAgMBAAGjYDBeMAkGA1UdEwQCMAAw -CwYDVR0PBAQDAgXgMB0GA1UdDgQWBBStm+lnDlopIzCh6tdbGhDyHDDdlzAlBggr -BgEFBQcBDgEB/wQWMBQCAQAwDwYIKwYBBQUHFQAEA2ZvbzANBgkqhkiG9w0BAQUF -AAOBgQB/udiUzrV5n+klF473NEMaajNvxC/u4/60vHXt6U42U4zHWWRuWTMDkPA/ -6LorSPIk+ZvWLAFHVR2EdeVFZzxbsb9IAsM+giZxv7bYfloBZHhbzc3r8IDSZa1H -totfxDb/wZrFAbNiuuAdmKuRGxwGYE4ykw3ebLSuoRYPI2Szxw== +MIIFNjCCAx6gAwIBAgIJAJd7zCsMMPvCMA0GCSqGSIb3DQEBCwUAMB4xCzAJBgNV +BAYTAlNFMQ8wDQYDVQQDDAZwa2luaXQwHhcNMTkwNTIzMTUwNTE1WhcNMzgwMTE2 +MTUwNTE1WjA1MQswCQYDVQQGEwJTRTEPMA0GA1UEAwwGcGtpbml0MRUwEwYDVQQD +DAxwa2luaXQtcHJveHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCh +U0hTlQYhDONlH8153Wn2/H6/OW15S9pvg/RcQ9+Mc7a3kOEnImHt4B/zevv1rfYa +EernC2mrTxvSSy2Oxx3yNFsV1Kys+kMYiIygswPohTHYhMQKEjqGPTN97E1JcvMQ +iZy19sl6tG+kLZKa5pSTUoFrlqw2NN9U1WjlgaZ7WnLxwLlatQnZOnA6+MoU1bJe +pkPUAcjOOQZTd2D/3tAOcBKfQ6z97XFqfxzcnclz+9BXgFdZWTR1efd5yYNy17ny +8hoEHuc34+a/hrrhfiFiXYKFF6f07YI6lt+ElPOc93oz19fE4wVskXjvxLOwahzM +q2jRalsj/XlYCEHrZqaYjHvY8MYNFleThQEwJ/zldgQjx2MMnUD3ApxRDutfYM9e +MFSv0ATDFoKi55mGySMD3dMpI1I/TER459Am5c88SfxJNJXAW/2GJXQAJ7tCL3dM +sYcqkl5uVZXPJxSQbfFCl95lhlzOtoXZTS1+cxYN0oz9YfLoG3tz3x5Xtxo0eUbI +NJBq1sWi6bO6+6GyQOxs45sawl906XFqW/qzSywNOOsT/hcuEvc4IGdZKLP/wxF0 +HJzeaqDwfmiT1tz8jArGsbqw/i77xND6tq+56rur5/BhfIapXZ9wKDfawQttpDnX +PTcaT8BSqQejfZa0RiRvt70pypm98eZ1XRzWhC6bvQIDAQABo2AwXjAJBgNVHRME +AjAAMAsGA1UdDwQEAwIF4DAdBgNVHQ4EFgQUzoShaVViBQhilqB70YV+yuLcWIEw +JQYIKwYBBQUHAQ4BAf8EFjAUAgEAMA8GCCsGAQUFBxUABANmb28wDQYJKoZIhvcN 
+AQELBQADggIBAL45/vKz88cBG7c11gyePde86H7qWgIKrWocohn6eoXF1p2ZkLvP +na4o7WVr/WC7t4DiBZVUNVvrqss/nOI3wMVjU9Mn9wrJbycvrVPAWH1nIhlKR3gM +H8PTcZiHI+Vf14aHTjeRFEXxy0i+K7JxtKRQC/Bi+MuwnBvPwvar3tqFLXprRk4p +p42I7/ngT8WcAzz/LWj0rWYNl/TEFU3esDBr3rz+B5TFVcp2dLpcZW7ScFRh9bLT +OwJ/QNhzvnH5cwsWlb8cpDTFVeyTOBgqh9t6ut6SnDfCu03xIBVuCk+P5KhOGWAS +3cOVqvGn3Y3q1glE2XdKgyYqU2z3itneUyiCeopItFaKZIV52s4WuIuGO+PK8XOi +QhwtnsWO91toEFUpUNkxf/C6C61G4xuvHeMVLdTzO1Xi5kuHyN9gD8rLAuUfaV1c +Zv3f2S8WpvEGkSSu8Ap1k3ExfIaFhgxzu3pjGL5e6YV2lK9d/UGXOpDRFZOUuoRm +dyowQcF3XcH6zTDu+ThXlPSq5bkjrnMnNt2z2LfqGb/GFp1vl11LsXeLgpHmFTq2 +4umDDUwMHVzrmFoa3BtUkgO3BUoSrt2l63TFqTQZgZAf/D042jBcmOhV6Mt5MsDK +MFZkoYjtv+8jTeRwxP2zi3EceCvGkV1Mf3t2/h4wYGa25J6HFq86VVRU -----END CERTIFICATE----- diff --git a/lib/hx509/data/pkinit-proxy.key b/lib/hx509/data/pkinit-proxy.key index 9bb546fcdd81..3567bf5d1d7e 100644 --- a/lib/hx509/data/pkinit-proxy.key +++ b/lib/hx509/data/pkinit-proxy.key 
@@ -1,16 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANKxpMj4is1Zy+3R -QfaZyhIbPkK+1237l10YqJmh5vB4WF+VriouCw8bXK/Q84rnGlr48fYa3qquiuT7 -TzUyBJ/vGMhuBosnO4zI3usM7wcp9zfmykesP/5ef1HRe8Lv2F1HZkLc6N4jo5lI -GtnlnXe4qJjbjTPsY4x0PVl5QV0DAgMBAAECgYEAo99RWJKferqV92GjmYbh+RVB -Zq6CZmOhxeHw+JVJRs2Dhsynit0G8vgILiMp2WaIRCuOHiml+EELfK/OWoSNvOGy -q0ss+mu0Jm3d9bQUYE7O6fBbFtY9zYIYOVWP4YCIyA0su48W3Fk+wQeNewKj396Q -7tx4aBn5f8DARkZrVRECQQDxX81pSf8VTnNQNhvp76YhANGtBhiJ8OtADCNUoJT+ -sKAPa8HiBTHL2alkBbi/b4whOzePCJSjHTinkEBE+iuJAkEA33XtpR3ACDCtrvAo -WNdE7zt4yV4tByzmQCK3u3ZxSJOPKinR55tUjZynqghZmpS+XSE5rRwmsx75ZwkP -oNdlKwJBALcPmZJI9JUMMpia8QCzKKPPIza+cM3tUf35NrJwN5ASFNKdPyZUGjgo -lDevvzYxO23Yo4JvV4t+FgG/fX7S3UECQFh1/tXWqSaU3qzaNZ612Xw7Nt3AgmLM -y3moRMPZZ48rmwk99PKS8y38TgNpus8PAy0q8gItmsReBq1bUOyDWHECQDQOIlRO -k1OWBLD4PLYaxB1c5F59tfCV+cRlm/sYTnDjdDWWu8D2Qhjhz367iLLMJvV2Klyu -7FwUNyfKI6Tk3oY= +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQChU0hTlQYhDONl +H8153Wn2/H6/OW15S9pvg/RcQ9+Mc7a3kOEnImHt4B/zevv1rfYaEernC2mrTxvS +Sy2Oxx3yNFsV1Kys+kMYiIygswPohTHYhMQKEjqGPTN97E1JcvMQiZy19sl6tG+k +LZKa5pSTUoFrlqw2NN9U1WjlgaZ7WnLxwLlatQnZOnA6+MoU1bJepkPUAcjOOQZT +d2D/3tAOcBKfQ6z97XFqfxzcnclz+9BXgFdZWTR1efd5yYNy17ny8hoEHuc34+a/ +hrrhfiFiXYKFF6f07YI6lt+ElPOc93oz19fE4wVskXjvxLOwahzMq2jRalsj/XlY +CEHrZqaYjHvY8MYNFleThQEwJ/zldgQjx2MMnUD3ApxRDutfYM9eMFSv0ATDFoKi +55mGySMD3dMpI1I/TER459Am5c88SfxJNJXAW/2GJXQAJ7tCL3dMsYcqkl5uVZXP +JxSQbfFCl95lhlzOtoXZTS1+cxYN0oz9YfLoG3tz3x5Xtxo0eUbINJBq1sWi6bO6 ++6GyQOxs45sawl906XFqW/qzSywNOOsT/hcuEvc4IGdZKLP/wxF0HJzeaqDwfmiT +1tz8jArGsbqw/i77xND6tq+56rur5/BhfIapXZ9wKDfawQttpDnXPTcaT8BSqQej +fZa0RiRvt70pypm98eZ1XRzWhC6bvQIDAQABAoICAGfmvKFgTIdCxr3dgrgnO1Ug +f/1m3jQN/4xs/xfhevv5lseZXvmWcl4DSHDHV7l+pg9aVOEjf5YeqDuDwb7ATXAt ++jAQPnpV4JrPb0scoLrD9juOHrihzuGgTyad55UTnKqdBrpHTLJjvbeOxmpPcYeE +zufdLeLnoKMBo8KVAwVVVsyPJJHgIYyvz5Kbo4NRssS07uB/mbYAEiv1qhqBhZyW +39eFfcg5gh9l6M/KK/IwT5nbheZ8xoWW3SWp/KgdepyXAtx+jsp3VKkr+/a5BoVU 
+1ngjqT/dLE/R1fmM+W2yEhmLvWMIF/k5pBtAo75OSWgkSaj+h96hJOLmxpX3EfoO +UdEYWnToOyovTUqs0mQREolOvPPjQPdgSGJsnuEsNzT3cJGrM9Nq+exQUXXXKCCa +No06TS46ILykvT+GBXxoyIVkWmpqDHHh4NuBUAcrB5yTYn3MoMeo4y7bvE8pl3C9 +wC/5un+lzNixHNmHRNDzre8uLjhmR0PnP5y7EThOaBS9/DTjzoJqfaw1K2WC9lbe +vdpWSf/Kwjk3SGCXaneXfaWvLaB+mSHW1JJjtdOuxOdGGGXiJN/qYz8C+pTHzVxj +uJGNkcz2nlGLG9RdaVBenItO3lUx5Zk7uHJdIZuQf31fmEXTFms4YGTdK9+GQIQv +N3ivhfvtuBwWoBCHK49hAoIBAQDMOhPQJlQnlPnosdOAFDNOh+2fEPEpeY9SKvGA +zn3jsO/UphtagulkPWCE7ld4D7b1IBDFSh9CnDGPljzz6uQCGi7FHAlOauTel6eh +lJp8sp8STc/H2QrLE00BzhSlLPxGIAS+tBBwLG2jXBmi2l/K2aFbheUak7mev7nF +b4oWTKC9fweygfP87NX0Tsu2Wzfd2TR7gYz3r+/+wkd15pTBtuBUp0YUkCNKfhk/ +qqHOgO3neokb5YZrhq1dM+qhT9/2rM1zon0b9kt3r6+7mbdC4iAy9Ek6LOEGDu4N +jGNhQSEj+usKJhW7X2m0dcG46JytCMOFLPVmdwTIHm6/O2PZAoIBAQDKOPqv2luX +49Dat3A+zqQfecVmffdHbRF5EgIRfHYYHXvccJtD8MnkXBrJAwe4Y0UI00SECGzZ +jK2ReyRWbq+qHQGLk3Zu3ojbXw0wXRR5iivGckSd1IevS5pbmVnc7FzZjxWaoqbT +Uo7Y1LtUqulfqCJHbDB+l+kIv/kwTQG2rb1WnTY8Y4YEHuy54zh0Ke6t8XFqGME5 +/ASgTWnEIyFSuiptA+CeBm0NVMUH0MDd4j0OkYMNkIQODC72o7Qw9mwvij0xrOWq +fXaxYocB8Z/hRSTv0r/qnPP8wjNCLtZt0iHcq+y63nANTQYk8v6PS6nl6Ppiz+hu +M5W7ajwtqByFAoIBAQCnXYEXOBIHTiNv+ytk7ykM1oB5txyr7J7zq5W3BYJNspcZ +IfeQuXAjYdlTly+/iMFbKSgVRqVPpUlIbssM6hZpUqO5jTxjM17UvFv4IxxnzMpn +6bS6Bri9q9eT/xsUMkWcAmlhD5fZFc/T7Ipl16hhSPDfXF9g5GdeHalUkBAOLkYc +hZn9RFp7kGvWhyyTCTZDbNmBza2E3n5DvVtq18hY6FH3jg30lBsX1TdD4cYwwaA1 +70mlvvfl7rzsgLtr71WPhhXpCeSVocY/E49koph5C29v0pqgPl8648la+Q4IiaNr +JRqxenyczZiG92oG6zpa46+32BxUGH2msqn3teghAoIBAFKQrRn7p4X+iBmk5/lc +2XnYeBZ+u+W3zHiIN7v3+yehch7xAxPcTjIkwPLtf8tzDI6r47+cyQSSAZPymUWI +78QfD7BzRtnBllMrHfFvL5roJTNjGEzwp22VCrL3i8892jMhzopSepaxkI1LXikV +ly9tMIHE1I/7ajQeXZmw91Ak47dnfOtvHxqznafP9A7JyB/RAqN08/++vAzPTq28 +QjDKvePAv4cFzKSyxbeJLhXp90/pbX6uUJyDsPEWqc2L72QBpzaPBz5y93E5bzIF ++2c4mfopLB6Ycq3yhIczJG22bAjzUTaC93EWz7lqVTEgjX/HfeO2S4ojGbFpkKR7 +jRkCggEAE9shCbl5bHJR2l5FgNOr99rkpNs33WJa9ZQpsQ2oXq5yLL2plhIJO2tg +kKM/ld6PwFinxBoLhd4Knb3X8Kf4mWCALO0lJRzB3qiEu4SP15UYchayDpjGFzNQ 
+EejcYcJ59XT6PC0nlckmsBeTSXWTEsjk4vaca01kp0tM1DNuJ4V6iXXJhj70xkqr +NRlFuTLBxE/PIs8eg6Da/4sQZ5MnZq1WRylbda42xCMebGV6zxuc9HiI348LlAhn +Kw/dTg2m5gwYznLHSpEH1n0ILrDtMyb5tZ9KfJzVuyz1Glo7UKf5hYoqZY/n/bCN +gvWFSlv63UgRaUrIlQWr2X01y9IGjw== -----END PRIVATE KEY----- diff --git a/lib/hx509/data/pkinit-pw.key b/lib/hx509/data/pkinit-pw.key index a0c4adaa04ea..ac89d6af05fa 100644 --- a/lib/hx509/data/pkinit-pw.key +++ b/lib/hx509/data/pkinit-pw.key 
@@ -1,18 +1,54 @@ -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED -DEK-Info: AES-256-CBC,28C20887B231CD5238D14EE2237F6440 +DEK-Info: AES-256-CBC,EF2C2237F4387D5197FBFEC26EFA3487 -CSjnAI3/grUaoUWonmFVrAJpJr8MAUsJ5i5X/56t/SJNnt64GdRR809rsidRUen1 -Poaru3wgOdMO39Xdx1tj95TL3iXMVOckMK/0CDc6I8e4e65ic5ySvLIP7yj06aq2 -iABYy2VnD8yh8neXCl18/tMmIk/mIHkOeey4rrglk5Qs/vohS8KmknuLfOFUdWz3 -2F/Coax+/Itmco4lPNK7FUvVgzyp1fVnZ1upWOnx/HEcXY0t3yE9Y6fWgu6LtqNr -LWvLogalpFVy7l9yb/EStZJnUoc4R90cdX3hsEkYDqxFM5INAZNgBKNa/qfDKifX -b2+uOg2LZ+yYHdyFCezNL6fr38TSNleTU6kq2xrhRbjVzArnEKo2f+XNsQXfy3ix -s1ibkqJXeWA4gPTFVqxKzeO+Pe05hWjUJmPcqwGQe4hGP5SNdiqWuxtL2Z/natva -u9AyUqap9A963qrp1xZMDqZC7asZEUXAWJSkqkU9iS7a6Vn7G82236/T2OoumNWi -XVsm2iOpdIqcTCMoBtB6TkTFPPKZ6f0APD3nAia6Uy5RrorvyadbqTG3AVlQicD5 -6myM7zEta7qWL5kPVk1JIbcNHN929kEgAKKKx9c1H+DgHDQrPM5bsHS9vAVYq0S4 -gUhA44LuizSKEXw+hHJJueU5IK/rv3auNo9Dtt487syz5PnEzeTsiyBqTx6pu2hF -fZ/HkxqQsY34/4pJBdFdnxHfnDMmEuKHY4vt20d1NVU+EP8+R0F4aCTGUWDfUyM9 -oTXJekFmOBfZn3WUkLXXgz+i7a49g9pzl8gFekQ8Cx9s1rkvToklQS8lzspBZwsU +m1mmDR2qaA0u6ZSC1Xvw6o9Uyt0NvNgKM2Lln0BOvE3UvsbUxE5NEGynlthge4zX +HfLX6PNZ4vkQASzm+e0M/cwUijDADmuHhsaZP30BriJ8SzZoeYq7WUVkv1EbCZFZ +o/lsVFBPzW6K2Vfjphj1WRwZZEsgef+kFtwNSQxcHXRmK3njcKaP67fKzsH2rjPE +HMEo/9vAShCmFH4Tnzxy91SF4Gftdov0xqRQZpG/1maCx0/76RJL7lxpYUYmIOPa +j2l6SUFSOP742bLWuHQXT36/SyocF2pk9kFzTfNb0lP7lriYrWhSDqqRWtoU0m3M +Ulku3bcDd/HH0Br70qfDDOvWuGb2ayHRKoDDVlRnwXZ9tzl9BHqzvLIORKEt2vns +6pHNU+8GwvYgtAlLMaN7KAH6hFUkVRi49lvTJbtrVJjMcGU7Vl5zurcyrfL2eLEZ +tdyR1lL01JWZW1gz177dn9drcB//r2ZIq6g9Ah0e1ZBj7aEFfSabfRuLgUaF859q +lWKt8112uuVn9vqOkiOlZVsNMRzP+NUEggVQ7Jn3H8CEqHgC1a0JElaQh/kd6BkP +RthT1Qz0WyPMz1LE2aInFavnrFXqNyuLkkd8WSb+wo8V+jZL/a2jl8d7thQsxOHt +OjfRyioX1YmeGBWz7I1ZObk1O0xi7vj7f4LoqabUqnU2Z6FQLCNRBlnO+SJq0DJj +Ca6r1bN3NPGH9vhL8sd6Ce+C/fMXyDLX3qp9qS6ZmiSDOTIC5si8JmWMeCC8yrim +RjBWEtTC4ve41ObrPHeDqDQOGdPpnPH5unQZA2jul3xizbr1ToYD4Uk3FuUYd2dH +Fp/OutvsPUz6Eu6gllOJ/KYwSakncWZknJt7spwHjoyKoqRVbqyIrMWrQDCd491M 
+ezZPeFursXyMeTezWcgUvh/NWA7+neQg99CP7hBs4v7LV9GYXJOxcJ97Hwl4m7mF +u3QZb8Izgu7IVRFju3u5kU13hi/yO+q9Yg2wvZAg5C7znpm2d/QDJCEdjqqUIjE+ +/r+a4QxSCbl7y4fiuHZqY+qTgFK4kQBCDGIixc+tDcZru4wiGKDYoMhcERDvxKLT +Upwbx3CqA28L42A+6IwapWO+jSBmCdfD6B+GEEWPaf5YzNZmM7td+DLeyOKAEK8w +GCZkd58hn9x0BZxEvxTcLqWFO0BMC8FSHyjPRnW9Ik5H2a8vllb3Wiq7LFZum1of +w2s9eb3vY2Lv6WNU2Mug+QwwbCwwmQmEJfROp/CWuHMmDlBudtDvVi2zUhNrqLoI +LSNBlyxCIHO21R2IWOpZ+xglOh7+Qc4oXZHnhttREsOL7FnE6IYdcP1hfF0uWAtc +kArTtgvFJurlZO+k840KPS1cfYLBNTgPK+6xssC2qZr3u6zP5Oh30gGgBQeETUxW +JrMW3LzoMH0I/RcYK3FkEb38KAQpYLvJPKzNRD3/ZU2judjlslobHhvJaXTeOxiK +B3NoFGi9+BXFBDyuKcHwUuFA7XCM9iIUbGoMzrSKFkc0CsCrJCWVvF/1cRNpJUQz +SOxKM/HvWD9VdpTyJ8qDoI0lKS0jn+rCcF9lMwvORVPebkypGkXC0RSwvx4+cFnT +oRjqpfLKzJlcEk+U7hPH5ZjsDUYq+FargGDmNvGZohpGNxsdYV1v6B6l3c7sLcWf +lShZVLMTYzAlgBpywzsoyPQxm32hVMcpme+nzMq74QB3ZHv/uy/xgTbOCnTTQQZv +hPvnEYcsNW9IBhGLr4kIsex5O5sLuatgDLh9xWgPObriu5BBVDNNqApze6AcqnIN +3TW/qzmyc3R95nxHCxVocwU1Pl9ZPGP+Mc+osUQD3seHAKmNQKWPiVzven8NdiBC +nSIjmBxVRtHdoiVLXk9LkTBoS+w1iPG1ztVsf+Vjg3PUoROD0XuzqwZ4XlkT64IT +6zcjD0IrSYgbO56Oqga8quibZl3+BVLexj/veFv2SKw31dMZ95ntnwuKpwCv3jHf +lrxrkPzj9Fsqup+HR3yh36FKyZkgPEU4KUrraXbsQMDdJdcec944QBIftj0p44W0 +T2SeGk0rkHSFZiZqoeyJ6ubKxalnre6PwJwtvVrx0QzREIGdCG5+SyphYEtd+mBr +ATh0LbMqD6vyJ66t4SuOdiCSfVbEomKaftS3C752Gk2QxFT+XEgNPuSDp5V8DqBR +W3W8DB03d3DolznjjcHTUJH65A1ADepUFpIteIkhHUrQP6IqQUNaaCIFd462IDCL +lL/4V7b1kq1pZJcF/yyDvdDAZM/6aTorKXy9l/v3SUN4z6smraISVTwShyof7Olf +2dQx1Eh/OjYNEATG86eoW15p6EWclO0osvIxR21xeOTFQUuiR9SijtLOOTiNKrTu +ug4/57HvGI3rI6Lujcx+js2B2aBdk+O8AkpCAcFTM7FkFRQCngP7ayyVt3I6x+M/ +8vxz6L7fdXYX/RYSIVLKlbSKo15f9NyDJiaHpACIpRzYUQLjrXcKsTiAcDoFaFGz +TLsTLnA3QDbTRptaDSvQfPhrOM5QezKVmhT6MSzCeJFAskpIgRm4XwaOQjZ/XP0J +ua7IG2WD6k8f62cszlbCEvMZWMBvb8JYVB/UGcBLtolFG8EGvvUrWAHWLWVvngNb +HCI7t/Z4SqIexcBTAOal1bAT/gcvNrAmSBXkcNg3hMqMXOXuC7W5Qbqtk6Bd1uiN +5BWMJOnGXrALbpHxNtC4QBjCAC6MshkMOJvIpNn4f30Qq4Of+NyJrIJl1jo/WLqG +hsHXYzZYI2LcfOi7a+4oSHQ2OfsGvdKWwmJha6Koo1VlF8gnHSJaGAH/soilan0w 
+KSOqSW4DJnAc3zry0jfDeLJLktrEn86xen1v2HjnS1WohfkFL5sSk3z5bVqQ6NrK +9OOeeXIzWC7AETBc6N3TY7rKljH0ZdtiB7axVI/0Vfmiqw9vOzJ3fij9BcLvXBQs +JKy80AdUvT4o3PGW9DJX/Ki04NBB9Y/Jlmtu2j1Iq2NVERqma/HzUliGosffdwYw +EswIfbMjKhghu6mbHguE2DdW2vXkKgmbUJcBFb2tnc97ESslJoxssWB3uZJNQqRW +FLl+I56S4CVUDLg6WmB7ZMyhCWJ0u2d/zvombQBnPN6GEc+VkZUzVE7NFYmK8j2Y -----END RSA PRIVATE KEY----- diff --git a/lib/hx509/data/pkinit.crt b/lib/hx509/data/pkinit.crt index 4dae0868e9cd..86642369ce41 100644 --- a/lib/hx509/data/pkinit.crt +++ b/lib/hx509/data/pkinit.crt 
@@ -2,25 +2,51 @@ Certificate: Data: Version: 3 (0x2) Serial Number: 6 (0x6) - Signature Algorithm: sha1WithRSAEncryption + Signature Algorithm: sha1WithRSAEncryption Issuer: CN=hx509 Test Root CA, C=SE Validity - Not Before: Apr 26 20:29:40 2009 GMT - Not After : Apr 24 20:29:40 2019 GMT + Not Before: May 23 15:05:15 2019 GMT + Not After : Jan 16 15:05:15 2038 GMT Subject: C=SE, CN=pkinit Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) + Public-Key: (4096 bit) Modulus: - 00:b2:47:42:dc:46:f8:94:e3:66:2b:f9:26:14:56: - 41:68:e1:7a:04:cd:55:45:ae:e0:a8:48:80:33:58: - fc:86:4f:e8:67:62:89:f7:d4:ba:d1:bb:9a:6a:83: - 1b:4e:01:b5:7c:9e:b2:d2:bf:84:21:98:58:1d:b6: - 4d:fa:af:f2:e5:e8:d4:d6:78:a3:06:da:69:15:09: - d8:fa:07:09:97:cf:1a:3b:2c:69:b2:58:a2:0b:48: - 4e:37:11:2c:f5:7a:8f:50:e4:40:14:29:28:30:ac: - 0b:b5:0a:1e:60:b4:9a:d4:8d:bc:38:c9:2f:a9:d1: - 35:e7:c9:d4:18:66:1c:15:2d + 00:bf:4b:44:8f:d1:dd:56:18:41:5c:c2:c4:2b:ff: + 28:e6:7f:68:26:d4:0f:08:e6:af:dd:72:28:9b:ec: + 5f:5a:2f:f1:9a:7b:21:0f:c2:01:96:d8:85:32:20: + 5c:c7:91:fb:2d:71:33:d7:dc:81:06:32:2e:e5:ec: + 61:37:8a:0b:0c:23:57:cd:9c:ae:93:79:58:26:1e: + de:26:18:12:52:c3:76:7a:d1:6a:dc:98:67:13:4d: + 73:dc:8f:7f:7b:dc:97:15:dd:eb:6e:0b:54:cc:f7: + ef:db:14:8f:d2:89:47:3e:8c:e7:de:ef:61:34:67: + 10:60:8a:87:13:6d:86:91:9d:8a:92:64:72:5c:ef: + 64:57:b9:0e:91:ea:41:2c:03:e0:67:c7:51:cf:ea: + 09:5a:e9:0e:ba:eb:be:53:10:90:e5:0f:87:33:3b: + e6:53:11:1c:6d:75:34:ea:4a:7c:59:f4:6b:da:82: + 30:4d:f5:72:ad:ae:41:f7:c1:ca:b2:7e:74:a4:45: + bd:2d:80:c5:47:d3:ed:c2:02:fb:d9:85:76:00:3d: + a6:ab:da:2a:ef:a4:c7:d6:74:c4:88:02:63:d5:a0: + 5f:6b:88:ee:bc:df:0f:43:78:8f:62:1a:c6:c8:e5: + 3a:43:aa:75:94:d0:71:15:a4:8a:f9:67:5d:93:93: + bd:78:04:46:39:90:48:22:05:78:17:ec:b9:26:3f: + 4f:7b:a9:e2:79:b3:cf:13:ce:34:9f:3c:7a:8f:a8: + b7:b4:12:39:01:4f:26:44:33:b9:7d:eb:c7:0d:c7: + 1c:d3:c5:52:2b:cb:65:a2:48:b8:c6:b2:e5:17:d3: + df:ed:ef:e9:ea:21:5f:2e:42:23:40:35:7e:97:23: + 
28:42:0e:22:25:79:f6:ea:ae:a3:cf:c6:c4:ef:ed: + c3:1f:14:05:5f:66:ab:20:a0:5e:80:11:32:1f:ff: + 69:10:e2:8e:d6:70:e4:97:ab:82:89:37:57:74:43: + 81:e6:85:ca:6e:3b:1d:ae:3f:ca:7f:da:2b:7b:db: + ee:ab:ad:a1:a1:16:38:9c:b6:f2:af:be:b0:19:e1: + 63:14:6f:26:24:f4:a8:3a:04:0e:9a:9c:5a:0a:bd: + 22:91:c4:c3:ab:2f:ea:54:d7:ca:ad:ed:b7:a0:98: + 8a:c8:94:15:ea:13:22:97:29:df:3a:85:4c:80:0d: + ee:3f:d0:66:3d:9c:0f:41:2b:fd:1e:90:f5:8a:fb: + 4c:10:20:3b:91:cc:fc:ab:d8:89:ac:7a:9f:bc:c9: + e4:09:fe:81:ba:53:cf:f5:13:1b:4b:b0:f3:bf:34: + 3d:3d:2c:8c:90:89:d6:37:78:cc:7c:f0:a8:97:08: + ac:ea:f5 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
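Review bot: The regenerated lib/hx509/data/pkinit.crt still carries `Signature Algorithm: sha1WithRSAEncryption` in this hunk even though the key grows from `(1024 bit)` to `(4096 bit)`, so the test certificate gets a stronger key but not a stronger digest. If no test depends on a SHA-1 signature here, re-issue it with SHA-256. If SHA-1 is intentional, say so where the fixtures are generated. The removed and added `Signature Algorithm` lines read identically here, so that pair appears to be a whitespace-only change that could be dropped. Separately, the old certificate's `Not After : Apr 24 20:29:40 2019 GMT` had already passed when the new one was issued on May 23 2019, and the new `Not After : Jan 16 15:05:15 2038 GMT` is another hard deadline for the test suite. It sits just under the signed 32-bit time_t limit of Jan 19 2038, which is presumably why it was chosen. It would help to document the regeneration procedure next to the data files so the next expiry is not discovered through failing tests.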
@@ -28,29 +54,66 @@ Certificate: X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Key Identifier: - E8:3F:1A:8B:C2:8A:9C:F9:B4:4F:95:D9:55:29:0C:A5:0B:0E:13:C6 + 76:9F:AA:4D:D1:1E:92:61:23:CE:AE:DC:C3:CD:07:EB:A7:13:43:2F X509v3 Subject Alternative Name: othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption - b5:ab:c2:d5:f8:30:fc:bb:b3:53:c2:42:a0:f1:4d:a0:5c:92: - 1a:c7:dc:01:df:42:6a:d2:c8:79:18:ae:a7:09:8e:ea:1c:97: - 80:93:b1:e3:23:4d:ca:15:f5:f8:c2:d0:38:5d:0d:76:7b:41: - 47:f1:a4:77:26:86:2c:69:2a:5c:86:32:00:09:da:04:3c:d6: - 30:9d:a3:0a:e2:b1:a6:36:2f:ff:3c:80:d6:e7:2a:8b:49:dd: - d8:24:98:7a:15:0a:29:f0:4b:30:ae:73:b5:af:70:7a:3a:b0: - 40:27:a7:4e:74:8c:46:1e:2f:bb:cc:57:63:30:bf:b1:38:81: - 10:bd + 3d:2f:62:54:90:6a:d1:f1:93:cc:21:b6:45:d2:d8:d3:ae:c8: + c4:63:6d:9a:25:a1:c3:33:3a:c0:90:ea:ac:4b:67:a4:af:dd: + 75:3f:03:13:44:a9:7e:5a:9e:3b:6f:df:06:d0:6d:ae:bf:fc: + bf:23:b0:5e:c9:1b:98:d1:e6:6c:20:83:48:2f:b1:8d:ef:c1: + 33:fd:d1:7f:d0:ca:03:9a:e4:3a:42:17:0d:e6:40:25:2f:f3: + 80:83:36:c4:cc:8e:4b:7b:90:9d:22:ca:83:c1:a3:d0:c9:13: + af:b4:a6:d7:d9:3b:be:fd:d1:5a:da:71:f8:6e:18:c8:8e:82: + d0:b8:a6:de:58:c8:9b:8f:c1:20:ab:81:a8:3b:29:81:2d:cb: + a2:f3:b2:9b:81:7d:78:c6:55:ed:05:75:7f:4c:64:6b:fe:00: + e7:2b:6e:17:d5:32:de:e1:1d:33:f6:ce:89:4b:c6:be:92:54: + f7:16:ea:91:b7:af:46:80:41:8f:6c:47:d6:07:d7:62:34:1b: + 7c:69:e8:6c:ac:6f:39:b2:3c:60:cd:b3:89:95:3a:9e:ef:75: + fa:b1:ad:b4:bc:89:69:1c:69:53:dd:94:25:93:7c:64:56:75: + 0a:a9:8d:2b:6d:ed:9c:e7:cf:9a:ad:02:ca:79:f4:fa:59:4e: + 51:33:c3:f9:4d:a6:35:62:50:e7:f3:2d:aa:32:b3:60:2f:1e: + e3:71:6b:78:98:f7:9f:fe:0f:0f:f1:a5:6a:4f:f7:01:22:52: + 60:6b:62:b5:5b:15:6d:4f:41:e0:23:a0:43:45:39:70:f3:a0: + bd:30:14:63:01:01:f4:1f:fb:65:43:c8:99:57:aa:47:2d:53: + 0c:f6:c2:65:f3:1a:64:69:67:f3:7b:b1:2f:0f:c1:e8:a2:5e: + 78:bd:df:a6:d8:3e:ce:6a:fc:bb:c6:14:a1:6b:de:fa:47:5d: + ce:6a:24:60:da:1b:5d:fd:c1:5f:27:34:a2:b6:dc:bb:e5:f4: + 
cb:14:88:e6:66:e7:49:e8:a0:22:49:da:af:1a:30:f6:ac:a7: + 99:56:5e:b4:b0:19:71:67:59:cd:0d:67:4b:82:54:0d:c9:88: + cb:ea:36:7f:60:d5:df:8a:74:78:25:2a:b5:ca:89:ac:9a:0b: + bc:a4:25:f9:38:c0:13:58:1b:5c:60:0a:b7:9c:74:de:b1:7b: + e2:5e:1d:85:50:e0:69:22:c5:2f:e1:1a:1c:ca:cd:a7:ab:0d: + a2:ce:f1:88:92:68:10:fa:1d:ca:f4:62:6d:cd:8b:1b:72:2f: + 67:a1:b6:f6:ef:b9:f1:e8:bd:42:54:d8:4b:e0:8b:9b:6d:2d: + 1c:ca:c3:eb:79:5c:d7:00 -----BEGIN CERTIFICATE----- -MIICMTCCAZqgAwIBAgIBBjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw -OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA5MDQyNjIwMjk0MFoXDTE5 -MDQyNDIwMjk0MFowHjELMAkGA1UEBhMCU0UxDzANBgNVBAMMBnBraW5pdDCBnzAN -BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAskdC3Eb4lONmK/kmFFZBaOF6BM1VRa7g -qEiAM1j8hk/oZ2KJ99S60buaaoMbTgG1fJ6y0r+EIZhYHbZN+q/y5ejU1nijBtpp -FQnY+gcJl88aOyxpsliiC0hONxEs9XqPUORAFCkoMKwLtQoeYLSa1I28OMkvqdE1 -58nUGGYcFS0CAwEAAaNzMHEwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0O -BBYEFOg/GovCipz5tE+V2VUpDKULDhPGMDgGA1UdEQQxMC+gLQYGKwYBBQICoCMw -IaANGwtURVNULkg1TC5TRaEQMA6gAwIBAaEHMAUbA2JhcjANBgkqhkiG9w0BAQUF -AAOBgQC1q8LV+DD8u7NTwkKg8U2gXJIax9wB30Jq0sh5GK6nCY7qHJeAk7HjI03K -FfX4wtA4XQ12e0FH8aR3JoYsaSpchjIACdoEPNYwnaMK4rGmNi//PIDW5yqLSd3Y -JJh6FQop8EswrnO1r3B6OrBAJ6dOdIxGHi+7zFdjML+xOIEQvQ== +MIIFNjCCAx6gAwIBAgIBBjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw +OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxNVoXDTM4 +MDExNjE1MDUxNVowHjELMAkGA1UEBhMCU0UxDzANBgNVBAMMBnBraW5pdDCCAiIw +DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL9LRI/R3VYYQVzCxCv/KOZ/aCbU +Dwjmr91yKJvsX1ov8Zp7IQ/CAZbYhTIgXMeR+y1xM9fcgQYyLuXsYTeKCwwjV82c +rpN5WCYe3iYYElLDdnrRatyYZxNNc9yPf3vclxXd624LVMz379sUj9KJRz6M597v +YTRnEGCKhxNthpGdipJkclzvZFe5DpHqQSwD4GfHUc/qCVrpDrrrvlMQkOUPhzM7 +5lMRHG11NOpKfFn0a9qCME31cq2uQffByrJ+dKRFvS2AxUfT7cIC+9mFdgA9pqva +Ku+kx9Z0xIgCY9WgX2uI7rzfD0N4j2IaxsjlOkOqdZTQcRWkivlnXZOTvXgERjmQ +SCIFeBfsuSY/T3up4nmzzxPONJ88eo+ot7QSOQFPJkQzuX3rxw3HHNPFUivLZaJI +uMay5RfT3+3v6eohXy5CI0A1fpcjKEIOIiV59uquo8/GxO/twx8UBV9mqyCgXoAR 
+Mh//aRDijtZw5Jergok3V3RDgeaFym47Ha4/yn/aK3vb7qutoaEWOJy28q++sBnh +YxRvJiT0qDoEDpqcWgq9IpHEw6sv6lTXyq3tt6CYisiUFeoTIpcp3zqFTIAN7j/Q +Zj2cD0Er/R6Q9Yr7TBAgO5HM/KvYiax6n7zJ5An+gbpTz/UTG0uw8780PT0sjJCJ +1jd4zHzwqJcIrOr1AgMBAAGjczBxMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0G +A1UdDgQWBBR2n6pN0R6SYSPOrtzDzQfrpxNDLzA4BgNVHREEMTAvoC0GBisGAQUC +AqAjMCGgDRsLVEVTVC5INUwuU0WhEDAOoAMCAQGhBzAFGwNiYXIwDQYJKoZIhvcN +AQEFBQADggIBAD0vYlSQatHxk8whtkXS2NOuyMRjbZolocMzOsCQ6qxLZ6Sv3XU/ +AxNEqX5anjtv3wbQba6//L8jsF7JG5jR5mwgg0gvsY3vwTP90X/QygOa5DpCFw3m +QCUv84CDNsTMjkt7kJ0iyoPBo9DJE6+0ptfZO7790VracfhuGMiOgtC4pt5YyJuP +wSCrgag7KYEty6LzspuBfXjGVe0FdX9MZGv+AOcrbhfVMt7hHTP2zolLxr6SVPcW +6pG3r0aAQY9sR9YH12I0G3xp6GysbzmyPGDNs4mVOp7vdfqxrbS8iWkcaVPdlCWT +fGRWdQqpjStt7Zznz5qtAsp59PpZTlEzw/lNpjViUOfzLaoys2AvHuNxa3iY95/+ +Dw/xpWpP9wEiUmBrYrVbFW1PQeAjoENFOXDzoL0wFGMBAfQf+2VDyJlXqkctUwz2 +wmXzGmRpZ/N7sS8PweiiXni936bYPs5q/LvGFKFr3vpHXc5qJGDaG139wV8nNKK2 +3Lvl9MsUiOZm50nooCJJ2q8aMPasp5lWXrSwGXFnWc0NZ0uCVA3JiMvqNn9g1d+K +dHglKrXKiayaC7ykJfk4wBNYG1xgCrecdN6xe+JeHYVQ4GkixS/hGhzKzaerDaLO +8YiSaBD6Hcr0Ym3NixtyL2ehtvbvufHovUJU2Evgi5ttLRzKw+t5XNcA -----END CERTIFICATE----- diff --git a/lib/hx509/data/pkinit.key b/lib/hx509/data/pkinit.key index 63b4476ca396..804b7dc77d64 100644 --- a/lib/hx509/data/pkinit.key +++ b/lib/hx509/data/pkinit.key 
@@ -1,16 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALJHQtxG+JTjZiv5 -JhRWQWjhegTNVUWu4KhIgDNY/IZP6GdiiffUutG7mmqDG04BtXyestK/hCGYWB22 -Tfqv8uXo1NZ4owbaaRUJ2PoHCZfPGjssabJYogtITjcRLPV6j1DkQBQpKDCsC7UK -HmC0mtSNvDjJL6nRNefJ1BhmHBUtAgMBAAECgYBKqzAkxJDvA0NS3ZqGYA4rWGzb -wAicE//CXANd/kJeGu/TBWGV7IKGv5WQUPNJu8uAs5NgU5iK3ZzibO3CNpl74KZq -JALQXVbLmOVNpiL8V4dfWxwPBFFzjcrUi0OEVrM0srXghDBRfuNtaf93IXoW32W3 -4S8KgFfV/bDAWv5VfQJBAOS6bQBtcEGSUPILJzwPvvFNF5OvX/R98PrHjX01aSPW -j0B1WMi7sceRDdyE/dV4gGwW7mEftLAogg8HSftaa5MCQQDHiO5/R3aktb3pl7ms -PVZ1xwgF9sPVdiq0p1RhbT3YijktSRVuf7YCb6nqhmC6Il88D9LJg7XTzHkpNUx5 -j3Q/AkEA4cTGbQKZKJA1SAUMUDO2pNYUrJkSHPHnWJJ6rZl304Eo21Y5McJbBALA -7Od06i5MjOTBnaq/HpaNcioes3UX8wJADQpC4+iMtWj3N1vmE36StvHB8XnWBI5L -bjD9T7yu7Qbjg7UiBG2uPGyFw0Dy81cpuCgkk2zbJjNXu7yy+cLJSwJAQ6ZxX3ri -E8Kvc07rFKfrLw1/37MqIbMhEvuneSrsS7GdTcaTGP4vqM9a6GQmVrg/gzGo8Wpe -geynyqwNsSPReQ== +MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQC/S0SP0d1WGEFc +wsQr/yjmf2gm1A8I5q/dciib7F9aL/GaeyEPwgGW2IUyIFzHkfstcTPX3IEGMi7l +7GE3igsMI1fNnK6TeVgmHt4mGBJSw3Z60WrcmGcTTXPcj3973JcV3etuC1TM9+/b +FI/SiUc+jOfe72E0ZxBgiocTbYaRnYqSZHJc72RXuQ6R6kEsA+Bnx1HP6gla6Q66 +675TEJDlD4czO+ZTERxtdTTqSnxZ9GvagjBN9XKtrkH3wcqyfnSkRb0tgMVH0+3C +AvvZhXYAPaar2irvpMfWdMSIAmPVoF9riO683w9DeI9iGsbI5TpDqnWU0HEVpIr5 +Z12Tk714BEY5kEgiBXgX7LkmP097qeJ5s88TzjSfPHqPqLe0EjkBTyZEM7l968cN +xxzTxVIry2WiSLjGsuUX09/t7+nqIV8uQiNANX6XIyhCDiIlefbqrqPPxsTv7cMf +FAVfZqsgoF6AETIf/2kQ4o7WcOSXq4KJN1d0Q4HmhcpuOx2uP8p/2it72+6rraGh +FjictvKvvrAZ4WMUbyYk9Kg6BA6anFoKvSKRxMOrL+pU18qt7begmIrIlBXqEyKX +Kd86hUyADe4/0GY9nA9BK/0ekPWK+0wQIDuRzPyr2Imsep+8yeQJ/oG6U8/1ExtL +sPO/ND09LIyQidY3eMx88KiXCKzq9QIDAQABAoICAQC0fcQ3HwEEFua1K2AFUz+4 +HEadPEDjWSZefzQpyqE9azc/VyYexCLTvYAPh9GCzA5/FeygpAFpYzg04Q/pY2qB +DWfvLQLbSwcNENryfovrY1oLEEUP1wyKfe3wEcVrjPtROo7EyhQ9QUMjJwd80uJR +9olhI+RHmWcucAZ7IkBybH8vGW9+mLHIw2cn7iuH6DB4OuzKjDw/dt7bJ0vw/BR6 +zGf4w2/SuLZl4M0IszcZeTG6flQteoW1slGz/znNqNtNlC+nG3UJDMGs6TvQRcjM 
++V6lj7grXQLhKlO1MOwZyLO/tvfrZVv1gW9oVXNyYjbTWaaPvwy0Kwilwg3dDO0b +CvBGS8c9PtxkUnU9ZCjkA7rmE/Nr2r78bhhMkBZs38w/MTYDUadmjhIxjnjaNu+3 +pV/kOLn8h0ZDCsLCJXUNAbcqwlz2IEDPFIYzW47+agMM21Y41um1lfLXOFcZ/61I +vStquOwqyhciydomWyyaT0oyu1QPSaKwuVFYTBMn5fUfP3oYEehaN2VEcQaMCHt9 +OxiiXapiNEF1p4Rf+mt80yFxDhWrM7/VxDxHkS64HpULweW+/zx1J7l+Leqn8rGC +k2puihHSAGnZ+thSnIkiimIfnijdUGRb09y5mQJoIm/pGopPTz8e6jag84a3tm7J +08NBhWDMVMk25a6TOsl3AQKCAQEA3v5gi9C8bMcjEipI3fbgQ2mz18CzFFsIdSaE +qvPyEZ07G6vRZg+i3Z0vOMaSiIr9nKmXIAPInpeCn4n55aJRktO5OxmF2F7qjVt+ +uEm2TPDrrkIILqT8/pINN6R7onwOcKlIb0gfyK7FyCYgjbtQlNjou0b/5CGq8qw0 +Y2E6htBPAtyXEIU8ozW/vnsMSqHsxHZKyzzHZRL8Ii1jjdXCJioKnWn36cLZrZml +jxlgoh/4p+Jr0+otpQCJCzYjTuKmmOBlkEjoVe5yunD68O7VZWA5N8lb8t/2g6hq +TS1kYZRlPnmtBi+iQUVbtx1eOpRXQA6YcZnyS4thY5VWj0MBZQKCAQEA25u8ODF6 +AZM33Chs9zQ9nmpsrCzZUq+2Wpv8HmzQbvWQ/OzGqgxi7GlLoi6sevxX+a2t9Qfn +I3oaV5Fd1zZQT5mH9zlzoZp8QfwXgI9yTTF8tvFFUAMmMFHz9P5U9WLrILyvsMob +i31y04uRe666YRSx7ra0mf1o6m4WezwQIGPOF3jsug4npuG86v7fRNrp/53bpV+V +EGsvJN+oHZQ1t2QhYNLPXw5br1EMwjunn9P1JZfynS6VLrKQ2KiA2/1+F55ppA1i +thtl4ZlU1nF1XkK0YR3KPYfzFSeujhtiZ/rPFW7226rUgvRP0N6YfvT08xyO639Y +8VnERKtI6gjyUQKCAQAFnT3tBzpXOsRFRs9C115aFCU0/2MC1i/mUyvv6ehkTSMZ +1T+WZDpjffucYFN8IJO2CAcIBVBdvc7KGX0zLN0E51O4izH1ep5JJM6R8TknwsEM +SBlQo1LDTgYLKpb6RklOyNRMCPLT6KKOIXecWeTzemqRnH4AzmAxb+h5wA7rKf9z +QP6EqfYW3dmQACUVE/KUF65WY5dZkhrK+X2SKpmSwGg4Alz9g6xbVIz4h1kJe+iU +wXyZf0Ha76KDp79H0ykCnFOySEOhNjmpPAL1Ye35eWy3XNh1yvG36tuSSdxHIKdT +5VhX2YcqQYbHm3Ot4eI4eKWZ5phVEpNHIJFnVfaJAoIBAQCWAbT5tWIffU4kxkBY +Q4jrksqUeTYhcwDet7nplm5xvK/C9IFnWnqf/fS53aPXhlMZq3ct7q4F37vqoNM2 +1FTbaoYja0z+0CWcdPQgzttGu0zzMa8kzmHhk7lOWgPychUmEXz5B7T0/UXYFnfT +wjBxa892vbpzjVOC/pvApfBmD4aRJfqdxFl1drCy3FHqGJbKEiwctEOAKZbUWync +uoZOtMjP+G/KAGbERFqwukrvs7q6aSZCE7W3ZiXmuIL8whTFUWHbu4D335MiHLiE +mo+PSYUo6U5h5WE3zBlB3JbFa97URy28Mt5ibTuv8ry7y9sdzR4a4qwAgE6+kTmH +E4FhAoIBAQCqpFY8FPwJkDDe194tARJYXVdgvZhIcL0IP+lbNxAid+vmd1405fpx +W4qoSHTn5aL1Vuo0qMudoUdzvHyB0fWHlVnWHhWlstkSMTMnl5DU7xhp5MP2ALXL 
+LO73drcWe3r2NPYxOPWMzVvFd8o9WlnEtZ03C7s/DYUD1bWd2Z974b0tpiXNlZu0 +hn0+GgeZzmy8pyHbuyOj6+AW3zCIoIy39V68i13PjVzZKLR5vVLBaba1fZdqhYjk +qHp+tpVdjmF+WgA0ia+hWRKkRGwX+mgi36aRzdjXPDrSxQsnEbp1LvZ80IsXM7jj +60UoyAUhtvNbBCWkTske6/ey/kjJTUD4 -----END PRIVATE KEY----- diff --git a/lib/hx509/data/proxy-level-test.crt b/lib/hx509/data/proxy-level-test.crt index f39e59dc26a8..24e8a8f6742c 100644 --- a/lib/hx509/data/proxy-level-test.crt +++ b/lib/hx509/data/proxy-level-test.crt 
@@ -1,15 +1,31 @@ -----BEGIN CERTIFICATE----- -MIICUDCCAbmgAwIBAgIJAP6hx2RbgHvrMA0GCSqGSIb3DQEBBQUAMDExCzAJBgNV -BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQxDjAMBgNVBAMMBXByb3h5MB4XDTA5 -MDQyNjIwMjk0MVoXDTE5MDQyNDIwMjk0MVowQTELMAkGA1UEBhMCU0UxEjAQBgNV -BAMMCVRlc3QgY2VydDEOMAwGA1UEAwwFcHJveHkxDjAMBgNVBAMMBWNoaWxkMIGf -MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDtyAgFmdic7J7lrcvnVmANvaRVt7Fo -qYXKocxQjhb/bgzBjrFVqiUxnfsetHCMZlPZaklvicSAKZQvu30LBn9IOdNb+jPt -IFmG5V/AZUW/OAxKQxHtbtJgktgqoGbHGrb0ajPDfM44KaJv1KU0GJJ5+bqY4XOE -WOypDs+Z1iedbwIDAQABo2AwXjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAdBgNV -HQ4EFgQUMKTcmVatO/m0g9A9Gbsm3aC33a0wJQYIKwYBBQUHAQ4BAf8EFjAUAgEA -MA8GCCsGAQUFBxUABANmb28wDQYJKoZIhvcNAQEFBQADgYEAhN0C8YaE+sdFfTT4 -3UM8iU6Jx9B/2hi6fXAddf2jaXdW4RpatyMYFryX1098s9dLaFbRpy9GcF8MnsxT -XnhQELdmXmJr8wIbxXukM6dzVi5JwY3RY83TR2ZJcRk7Mblb81rHePhstfsd2vcr -AX37v1VJq9L6fJE4K6zayMjbrLM= +MIIFVTCCAz2gAwIBAgIJAOXO+qv/iXxEMA0GCSqGSIb3DQEBCwUAMDExCzAJBgNV +BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQxDjAMBgNVBAMMBXByb3h5MB4XDTE5 +MDUyMzE1MDUyNFoXDTM4MDExNjE1MDUyNFowQTELMAkGA1UEBhMCU0UxEjAQBgNV +BAMMCVRlc3QgY2VydDEOMAwGA1UEAwwFcHJveHkxDjAMBgNVBAMMBWNoaWxkMIIC +IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArcTnrpY2+DYyaO9DDllOz237 +auNMA2z86fS3monYx0feQ06cCdwA1xLNk/3BlkAsTH+7Q/Z8SGRFyzMKgbt8i97j +lyuLuXxwWK87Tz14S94BK6HIGN9yc4wNtZ8p6l3uaIeTlcEZJpltViEc+I/9kjNg +LK/0+s6OBuSEa6bEXJ5ecPFe7OeaSctN+7CMOS8FQJHFhH6zpq5uCcSnFS7ZxOGK +wdjziJWn7zd3qEc01cWsR7HZrRII31ctbmDxt0suAGfIZaMm8fkCQkH24w/xuNQH +ldH3q2/H7AdWvh6copqY5sxTAfaT9TSzOu9MaH129cz7x31+xMo64YxsUDP0yC9s +fmV3APEGX8Q8PIgs1FJjsknV9F1F78aBFAYTKlBhgMki3Fi+iC64QPfu12sGuzK7 +eoDbtD3Q3p4NpwVeQYZ8972zwhnPTT6tgoh50MaRb6c+5PmSRhKt3QL0aUp+URmY +SAdO8V0BI+exK5/T89Yd9c0uMn+TOUMHc5OEckBi9Fi/oOsYPBahyKAZxcERHdXo ++mZht5kl8mBVbk2hfQl75eUQ9sWvVQxn1uS4x/j4k8mMqLdbXL5keIXGOyA9S28n +IodERwwJdxgJ9JKw5WR4wdqeZJjIUw8qe7Du2FSH6L4eHMYOcS6nXlVM6Vl65nJh +vnqqmW6DQ+L22uBst7sCAwEAAaNgMF4wCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAw +HQYDVR0OBBYEFFjF34ZepMQe/Lgd/kmm+fXkMFhtMCUGCCsGAQUFBwEOAQH/BBYw 
+FAIBADAPBggrBgEFBQcVAAQDZm9vMA0GCSqGSIb3DQEBCwUAA4ICAQBza0sK8s5r +9PBUTZGQTylDsJgj6+siu6fwEOeUwJpag+9kDbyMHUTnueO4kPbahWdVtx5rwCxg +NqHtHl0g8GwwLJ1wX0e8bi4fNimx08W9b5PnhOzUzbZnUIuwc2q0YL3yp0yfDo5h +2R6BlCz/2AKM7i2PqoOsoctwJs5mE3I5E0AQto0tPaKqB2Z1FyU8ArY+2jrsgQq2 +EGbEeKSavjaIiuq3YQ9zyrZH17Npryw0brDkGBOvi2jANfQbvQJWlL7tklh8j/Xa +61/VAm4wU82P8NGM1LYjxH0Ad46Ca8cUq63Qxa2hb7igdOoUbvlSGNctgtENJPAd +XeUt1/bxjsBTgPo89tg0Hc1UBb/msd6q8/8a7mA69GrHG6yEEVHOQDal92PbP8WU +ajv4vAM0OxOHO3eyWqh1nGlYRmwE6iGtbVZypWgh30mKELjxn1q82+HvrKMAeS+S +4j34v4877EC+EXRPsHw5sGpmTp4eVtuFM87gGtrFLOheGi/2JHBYdgjJkuqPDYoE +0J4U30+xaz0mtY5hSTt6LknMQEOM1REcQ/NBovq/CsMs7vbaoNtfavu+ZSX9AgvU +5SKJ38KFndrV4VZq+hzTOXj3IhfLqSBm1EtbTQO1W8vLIR+SK6Ct0D76P+Ht5Ddg +Z/fMiB95hkiTG72ZnjMTvLn4U9mNFWanTg== -----END CERTIFICATE----- diff --git a/lib/hx509/data/proxy-level-test.key b/lib/hx509/data/proxy-level-test.key index 52ca3805e5c7..e1c99879af1b 100644 --- a/lib/hx509/data/proxy-level-test.key +++ b/lib/hx509/data/proxy-level-test.key 
@@ -1,16 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAO3ICAWZ2JzsnuWt -y+dWYA29pFW3sWiphcqhzFCOFv9uDMGOsVWqJTGd+x60cIxmU9lqSW+JxIAplC+7 -fQsGf0g501v6M+0gWYblX8BlRb84DEpDEe1u0mCS2CqgZscatvRqM8N8zjgpom/U -pTQYknn5upjhc4RY7KkOz5nWJ51vAgMBAAECgYBRzwSTiL7yHqb8trL0wM8Daz/j -DfRH4itZ8BjvjjNzZlWVMpbotkVdsND5W3Ntmrc2kk75xRiKT8PgOE1pQa8AbL7F -uR1U5itWKbyKCOPA/mzYoh9Pw9IouB4noNFzwDWnilsviV4yshKzKQtjryHPe1ft -RuF7YdGjsweUJriNoQJBAPeP6+fiT2WO/pXiextMhACU2fkgskgi+CFD+z6r8JtP -Kysk5+2PM6iSMm1XkBYxmPbCYMJtzShXnm3X41LgUgMCQQD14sSt9s9rIcT4w01P -oUm5d3MGgLf1khBzUT9VdKqb0ZqmtTBANKmU8GP2jmSguItNRiSbSiyvL3pitoHl -o0ElAkA5XEaLzvsYi/5fGj/t/lejjtnGiJXmcvvNMWQ4jDxOsBRPhdibSY/toho/ -DYfcLJfFrRogUrKzg0G5L8mDPWijAkA1vOjFKGKuhEPbJjvYQmStbwipjCooNlL4 -EPKph4Td5xJIiuLPtXK2hU8jjH07jvmK2uCXO7/GTbcOqdp7yJEtAkEAhFuJnqk8 -7N+TMUouU6DRCioGI6kg3kGPXD2p0dZn2XoTVvluklv9s4cpH5ht7BxKw6flDPqC -ity2FjTxEJ88BQ== +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCtxOeuljb4NjJo +70MOWU7Pbftq40wDbPzp9LeaidjHR95DTpwJ3ADXEs2T/cGWQCxMf7tD9nxIZEXL +MwqBu3yL3uOXK4u5fHBYrztPPXhL3gErocgY33JzjA21nynqXe5oh5OVwRkmmW1W +IRz4j/2SM2Asr/T6zo4G5IRrpsRcnl5w8V7s55pJy037sIw5LwVAkcWEfrOmrm4J +xKcVLtnE4YrB2POIlafvN3eoRzTVxaxHsdmtEgjfVy1uYPG3Sy4AZ8hloybx+QJC +QfbjD/G41AeV0ferb8fsB1a+HpyimpjmzFMB9pP1NLM670xofXb1zPvHfX7Eyjrh +jGxQM/TIL2x+ZXcA8QZfxDw8iCzUUmOySdX0XUXvxoEUBhMqUGGAySLcWL6ILrhA +9+7Xawa7Mrt6gNu0PdDeng2nBV5Bhnz3vbPCGc9NPq2CiHnQxpFvpz7k+ZJGEq3d +AvRpSn5RGZhIB07xXQEj57Ern9Pz1h31zS4yf5M5Qwdzk4RyQGL0WL+g6xg8FqHI +oBnFwREd1ej6ZmG3mSXyYFVuTaF9CXvl5RD2xa9VDGfW5LjH+PiTyYyot1tcvmR4 +hcY7ID1Lbycih0RHDAl3GAn0krDlZHjB2p5kmMhTDyp7sO7YVIfovh4cxg5xLqde +VUzpWXrmcmG+eqqZboND4vba4Gy3uwIDAQABAoICAGTtlieIZhsa14KtXYRLCQRf +/ASkSnU+61Mz6SRgZkGxE36CfQ0Y9H/3EuKfI76SPWidU/ZwhtVBMGyKk9KwQ/G1 +nvkhuMEebt6DwO4QZPuj0Yg3KlKQDhjgwuG3tY/DyQJ7pJP5mRMbUC8TgpE4iO5O +2tB5zs+SA1orhmJEdY7aCT6OYzU0fB/absv+SiO4lNNhF5kSQmRQsecIioc6NBAv +c/mNej3dtrGxxNU/rodvjdYCjc0BSZf3OZL/ycVNbEWeAf5OmgM3P0GesLhHfX19 
+4X36e2Dexv7ncFFy1EV5h8+d46SjRGLKnkNf1EBohxzTV3YSBPxl/XcdqZeX5dce +Q6CYwtjv8tHFqx5vuo5hgwkssbDMqgdPaNFANCJHEVAFj/xPIa7wi4hnSeJCuGXs +ts7prLqW4thnqd37kT0L1KToKiUVjxf8e1Yn4WiApfjqk77GkmTr7hZ5JWTuRu4e +dMIdjWtF95NIEz3/wJVRlPOofpNTmIA//8btzNMOTSiC4P3DuwmGdGwwMwNEQFYZ +n5YeS3+9AN/NeZ9m06eSQ1TRRogA5Unz9o7X2wzOdcB5luNsEIq97IlvTKFK6a+M +ddt99ExDf8RzWnDQxad/FgcdoBn8u2xfe3eFjGMs++E6BBHy0T2TMcMEfr/S4qhj +g83I2xhAxa3TvJCcrZuZAoIBAQDjoE1eCqsSPOzsBYVDFzgjMAvPLuOWXGjCmjmd +2bvUTEKxvucMFKYssNp/GvPH/fwPrNhTewnC7RANZmJ82rsKKk8cYIvb/TTS4LvD +ILsfaFpakjJ/+vuDqNSwzZLHkwlggDxbs44dydET+jGd4yoQkDI3ZrKI5isy80E7 +EvlgZjX8p6wFPi47YtTFUfiI8oNi3e7RSmT9AZe8o9blaE+0SBQTETu+rWGhNDSQ +JWEid3yZZ85KQd/EO8AS9OUub1tF8dk+J75wXueTwqffEzFOvCgNlEiECQvqRx/v +Bk85hFI3JIL71nsC/gaCRBMHjBtFwnqF3GjVm7FCBYaQxbAVAoIBAQDDbf2avR2R +LZqupSigX8vrnbRLdjkKCfoyeVApMtgf/SwFbwrcMGjIPCJOHq9KG3jsdLhM5Rsz +BR2T33y4dQxcGN6hE2udoqhtSLaipe60xq5UtPlDhKN44TleAmZH+qiJ1D5dJUWQ +v5c2bP2bDWyXTUJ5yyjeijf97wompoeCKSAXlEUqqPiMGINPAaSkus28scZb+bKF ++J7YcAwP0ztSc9FAVR7NNv6fGQKBtBpCgLG4eIlaP6maeBV0TbeE0gtRIITMo+uB +asOvMZGkQki8n1nWrOmdf1icRUrzYyPtUlqO4BJUM3raEUL166B8dekbjUsYGc8N +yppK8ytz/OyPAoIBAQCZodM2Gss1xws9jchQ7PYFweLmlkYjcQF//unOYWvFsSb+ +otN8st8poMAIM9+/5uvehJGJXqzK9If2E1l73YGKLd4xT/R1qWOixO3VmFzTqPH6 +2VveRz7EsQnEvytHKjWU/Vg/qGPONS25Zw9f+jek8D4EaHstrPQRMl+fiIHqD3J2 +sZCIBVzc1iq3d0jg3ZXR/+q1NZoNraqFNqvPMGVDT7bE28fQPWN8kyi69Y+m3LCr +NYXlVqq53n4YDVQ10BDxl3dB3T9KxrNUZng5NtH7y0DZUXDUNOrm19R01nRYZLe8 +4hbJ9QwXi+5Gs72IRYcOwWFCwe275pZv8hzNz6+1AoIBADoeYcc86qgcKd46W8Sl ++J0Pf2jZtcjYgsGz9jTqW//XaNoM1ev5sY+q4oDc+0BMvz+CzrR/hgE8SjmJwyuQ +E6bn9n1sqxpsHy6w6y+frUextnKWh3Ke5YazZD4i9Iv/bVPf/NPym6eacrvK2fjc +myi730MdOgBElrY7+obYC4CX/mVEwPUY3yG6wIIkePRMYZb2P4lmzsKs14CCgfPK +299/dgFtzwU0j7B83ZP5Hb4dS70Si7Z9LFE12RuHaUZkuNzdkODS9ty8BYn6cdep +prwBn9QKBEfEcXO337xWBX80eJ344TqNPMHRVFqSQl4BKtv4vxZhxoPRduVHP+r0 +kt0CggEBAJ+hD8bH6oxb4eCueAA708S88b/6xrULe7Dmt2wcADJMZS4z9bnkc6TD +INu8RpeLUivji2qRuURrFVBRm4wL1aX1T/MxFoKkWPvp3dR0oA6qfw6KGeEpOtzw 
+umneJvAumlfD4Nr6HMYGRpi12FxfhHCYfTmo1l6VSR9Wa4vtDkecqp7hddPYsL/+ +AMyTPnvimlXJEwU1O760wU1zXFKqhP85zY4GOxPS3QG6pyTSC1zpAk49IRo2CXzH +eOHc7c/DLtJRfKCCWMm8zedEgTC37OZgcbHw3OwYUr+N58xihN9DhvZVBxmxm0eI +FcKB1ity0sQYMAUGvDAqSodhrsSjn6o= -----END PRIVATE KEY----- diff --git a/lib/hx509/data/proxy-test.crt b/lib/hx509/data/proxy-test.crt index 9774ed2ad52b..a0d7f9862d73 100644 --- a/lib/hx509/data/proxy-test.crt +++ b/lib/hx509/data/proxy-test.crt 
@@ -1,14 +1,30 @@ -----BEGIN CERTIFICATE----- -MIICMDCCAZmgAwIBAgIJAMJEvwnR1+3UMA0GCSqGSIb3DQEBBQUAMCExCzAJBgNV -BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQwHhcNMDkwNDI2MjAyOTQxWhcNMTkw -NDI0MjAyOTQxWjAxMQswCQYDVQQGEwJTRTESMBAGA1UEAwwJVGVzdCBjZXJ0MQ4w -DAYDVQQDDAVwcm94eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxxP4tpnb -qS5NjzDgrujdZovK/FHnlgO2Kjha1LQpTLDPwQh4zoymu9Hi/HzYTzdBCwA+auMY -vog4EE5hIgpbXFlnSP8gFmQvE2evPBf7Y1O2oK0xEih4/7D2oFikQ+QWHfy92EUm -mDe7fjkx5ipF+qwOSLU+YuG07+ltXW7XH8UCAwEAAaNgMF4wCQYDVR0TBAIwADAL -BgNVHQ8EBAMCBeAwHQYDVR0OBBYEFM1/xN3+Jz4m3NYEctNo8Y9CnopqMCUGCCsG -AQUFBwEOAQH/BBYwFAIBADAPBggrBgEFBQcVAAQDZm9vMA0GCSqGSIb3DQEBBQUA -A4GBAB06t/tkcci9IFnSnmogi3LEare/aVkAxbfWHoFBRCZOyat/K7moDsPng6a1 -v1DZY0LqgVDL4DCyTKXxAbN9352cca5spmnNKWegCSA9UJXGCTNtIJCPA/x4PO8C -nhAAaxERYu123XhRZ8HhRM6t7uGiyLkAX3JFcWvPhAbWjNbo +MIIFNTCCAx2gAwIBAgIJAKQmPUkmhyKnMA0GCSqGSIb3DQEBCwUAMCExCzAJBgNV +BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQwHhcNMTkwNTIzMTUwNTIxWhcNMzgw +MTE2MTUwNTIxWjAxMQswCQYDVQQGEwJTRTESMBAGA1UEAwwJVGVzdCBjZXJ0MQ4w +DAYDVQQDDAVwcm94eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMIM +AgaAGNSDMgLYghbdvgtiyY4FoxSi2aJ02jC4Ji+QLWW0V9iWOW1IRNyEYRHX3AhE +1lX+zousMm9Yni6NEtNUERvaN/9hLGJzBQMIH5grWKU4AsUZKFLAa1P/DiLh+U7I +Blj2YESWh8BFnnfrMA2r94CYQmDCZyXL5xX5d75U5Y14isAUvthC9mbhhROu75C7 +OO2YFgMwDp0mlL02vp7z3NhbWqDxak+09LLuNwqy2H+E+qFou7mUNm1NP9dlUaYS +tKkk6QaRe6X7tO09mYHMx5AnhsH3NU7hc8nBPIDbToRHaEXzW8gtXukXUa3KwvSq +blqk0pWU3v/VV2Huwu4yfrzkL/Eb9Fyw6mlAP6Tui2lnqveb6xBPmyGr2UJ/pDfo +Nd1SNKE8kfwD2MK57xwSa8unVDUQYguCs9LhdJFZ52Cb6UtfffR8OlFuzA8I7BWt +0/Hh1lUIhTcvS6UaO3jP/7RmqmCwA6/9I5zAIh1bjSzpkJQLpEyPou9Ro+MarUOt +YSDK1Xq5LTYiP1hZqhOkhtU9XLCCsRd5sDYHo1IsTPLLBRdU+NYjlP4qrCuZHKEM +fLVSsMk/S8+W4nA/WrqZe+KIbgoxrQ2Zm4wTzdZWZC3ZEvF+IUjrm+nuXWTa/NBu +fFo8OB5waYS0jrWm27FkPfZwtcWQHpjxdf9YlsifAgMBAAGjYDBeMAkGA1UdEwQC +MAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBTZHxVeBpBui9FNbSHOWqtVj8r98TAl +BggrBgEFBQcBDgEB/wQWMBQCAQAwDwYIKwYBBQUHFQAEA2ZvbzANBgkqhkiG9w0B 
+AQsFAAOCAgEAXHVRH3wJdrTjJV0ywc1rrI1cH1itMOqzvZtbLUgMEJQuRRnRVHys +ZG8HxNeesfTiHAH635GeJh66rCbxmJWqczLUoTib/GRO3o+NbtcvAyEpT9SXD201 +x9tVUhEb0lBmZDpnvpfaC7MF3tS/PXMurlFV5xxFRG+xRbUo7+EAQfCEuADgdlRv +v75YrH5ShohTk5nP2SxYu6NLNqvawIb7a/GRCwD585FklQydJjPlYgPcbFW7FXBz +nopYKJriBJdttirZ2DW0HrZyjF5FNpGIEUOxkvYoiqTOTqOhTOrm1sziS3S0DbfT +eoMXIIV8vcFykmSh9ri/k+RKnznje6he7bt0yV3Fb+e/YnAdlxLVPCULWHS6IZtA +g8SZ6m0pKQByH/yF3dSEzLCP9XyNUybwPIbLXq0LVII46CtjNiAIgFSDDtQ11tS2 +Ja/rhsUsSE1eRggTXSPrYSB2D5J+j5zcT35nqmlTm4ZGuG05T/yh6c6UCwA7hXmj +YJxo+1BR+pNl6Q83mvPDKnZ7qkZdxCnuxkPEShatf5ntAxVVZPsfTbDwwkcMSCJA +Wvp2/2Ss6rv2o7+vs2AbygXdF9H7QmOkJj1TgDKwDTkFOLvgggMHZOSZBef8Tluh +gaX5p1Zxb9fvAhkTiSdTuos1YMPuu2zeQTmWXJqtjpGBJQBnDTA3b9k= -----END CERTIFICATE----- diff --git a/lib/hx509/data/proxy-test.key b/lib/hx509/data/proxy-test.key index e03895d43eee..a94127e88f68 100644 --- a/lib/hx509/data/proxy-test.key +++ b/lib/hx509/data/proxy-test.key 
@@ -1,16 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMcT+LaZ26kuTY8w -4K7o3WaLyvxR55YDtio4WtS0KUywz8EIeM6MprvR4vx82E83QQsAPmrjGL6IOBBO -YSIKW1xZZ0j/IBZkLxNnrzwX+2NTtqCtMRIoeP+w9qBYpEPkFh38vdhFJpg3u345 -MeYqRfqsDki1PmLhtO/pbV1u1x/FAgMBAAECgYBQoyRRQo0ZQComYBQChUx45xL3 -lW2K9EHrZBxWoAtChzP/6qCUeaBn36Jjx2YO4EC2ZgjiXs59Dsw2vqjVkwBh9ujA -F14krPR0OpCnj3mFyz0CqbZUjB8tvKtGe5Bm5JkwITDIXO+mXacdQ/Mpa2cVDqk6 -D4XxuCU7V8Ft14stQQJBAONXnrKlLa3UmdOdDArj0ZQLQdzWKN5bW+tzRcV3kVyh -xc7yPHlcPtp+lK9CX+nZkjCj/5e2C6fs+dKfEZPOiO0CQQDgLEI0RbbdCGVp0soK -HIOQsngSwGrvKN3FFDqMyC/eEqW6t/p64VOzUnKBvAOh/jI6vgE0heEXHNl5/ivU -T885AkBhATYaDBkdnyW0AcLtsp/uh48m58qwdlMWeC1BQO+pku2QjBP5xL6dBH30 -+mFqqweR8ahR17/Je3htwqoBY5NRAkEAimjJN50TmsVkWEJdnICeeui2Wl2TqLaC -tvwWanXvmB3LVc3iSZx2IXH2YUPEunBIcxx9ggBnSe32GOxmA2CDgQJBAJqJ+Ucx -Oc6FYER8gb+yg8eV0IsSrshS2Zq1+vJV6Xnbm6mmkANYIydknqm52hef4hW0al8A -46U7qh5s6EESzkc= +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDCDAIGgBjUgzIC +2IIW3b4LYsmOBaMUotmidNowuCYvkC1ltFfYljltSETchGER19wIRNZV/s6LrDJv +WJ4ujRLTVBEb2jf/YSxicwUDCB+YK1ilOALFGShSwGtT/w4i4flOyAZY9mBElofA +RZ536zANq/eAmEJgwmcly+cV+Xe+VOWNeIrAFL7YQvZm4YUTru+QuzjtmBYDMA6d +JpS9Nr6e89zYW1qg8WpPtPSy7jcKsth/hPqhaLu5lDZtTT/XZVGmErSpJOkGkXul ++7TtPZmBzMeQJ4bB9zVO4XPJwTyA206ER2hF81vILV7pF1GtysL0qm5apNKVlN7/ +1Vdh7sLuMn685C/xG/RcsOppQD+k7otpZ6r3m+sQT5shq9lCf6Q36DXdUjShPJH8 +A9jCue8cEmvLp1Q1EGILgrPS4XSRWedgm+lLX330fDpRbswPCOwVrdPx4dZVCIU3 +L0ulGjt4z/+0ZqpgsAOv/SOcwCIdW40s6ZCUC6RMj6LvUaPjGq1DrWEgytV6uS02 +Ij9YWaoTpIbVPVywgrEXebA2B6NSLEzyywUXVPjWI5T+KqwrmRyhDHy1UrDJP0vP +luJwP1q6mXviiG4KMa0NmZuME83WVmQt2RLxfiFI65vp7l1k2vzQbnxaPDgecGmE +tI61ptuxZD32cLXFkB6Y8XX/WJbInwIDAQABAoICADcofKbmYKh/xoaCjq/7Rhss +cIibV5j1FZIVTzRMFCavAAiJ8/KP+TD0OwbH5mPRDS2Yi6iULpgLUabO9N/cn/5M +RjS5mfNQ5vHxKfqLo5d4stD8E+V82jZzlc6hkJ4fx+M5/nvpRMIaW+oun/YMd3Nb +b5YxMaUZfYKD7GMVr5D9xuao3h/thbYpiqsB7fcDYfutDGiVM6SiU3UeU2dZmWPL +g/pINYHMPeD8WhZGmoTDA8Fzxl59S+dblwEI1V3f4g6oAIyX/lksn4419178hJcd 
+45g5dBfMsm2CrowqDo2+SRpWxfAkVfGX3AO76i7RlQtBKu8/LNDyKVVlilo/KU9X +eFstgoWDaux1ffezj2pkxa37wEaQIlPTrxTBZDB/ZO0+JMzvbmchLzBn4fY+1sXs +CnPdAA+Ls1UQMCGn4jfdIS1B2oBrA58sQ15YX4o7El1NvAQ5CbAOob6Y7TfpWhgR +2FKOxaRuK5Ep4rFY6bAKrSMigti+PGb1xx4E12hondwuEl15s1rIyB0/qjNQy4/D +VVjujBFBbPkexI9UQOzzh3bXSfYNtYiSAEqpbp9aYiK2fKMIE+pjWivXaJH3Th61 +bxKZwIsMBBcNa/S9VPiAFL5hIab+WVueI51M9o+eWYIADPq8SgyTqCryQpEyKDic +UQgM8EMSYnbttvKPE7x5AoIBAQDh4Gynf/FuZ2fbidv5UrnondQerFNfpCgco3gl +dwKIWfsT/MRrCsv7Q0j0gOZ8C3RjkXzM7+ySTNuGki+XML4B60k7Vj2m/Q1nHffp +nZUzY8PYctt2GsKnf1vi3X8NN8DsIHi/rFZu10ots5WGRnx4aqogZ0e9C0e5QaFL +TwxKAYre/brg4zHorgkRCKQFyJkDJcupgUFbgCZvqF1RdbUzQFsJWHci1X5JFSxM +FDnj7nOm3Eu7cjOMiL60+xHFLoePAISGc4XJvz8sWZdB04yZ+5GeCbOJ2gOiiFiY +/3a7fHKrok8THu1cChwEjRsJwHWNvslMY7IbEEBBMIHxTu7dAoIBAQDb7OUluo1i +7OsnRhF+1xGiuTOyeY8+6r1oA0uwHnnMUBjBV0YOWdqJp52tJsWnEgYbYc48P+oP +h6ljcPH2glPlPQRbnet38Wft3q5P4LqiD3sgfRuu6yw+c2CZwlWeK93ft248QV+G +v9FEQq0nC2x/aBNXxrWY4pPEAYaWYhG6D700X7+7EyKKgpVp1Gv528g7pTi92k9f +8Ut3F3hJVoGwTpcyTnz+S4xozL0N3LZQjfw/OgN6UXk/prMj4yUlswWoPkUN/LR3 +xYcOtmPkmiMwXEN8hDCqaQWAfqq8CRCy/iRha87e4Xg9YeNQvVPODLmxkCuP3H/K +WGlecH+knverAoIBAQCnI/lizLLrfksE0fNbf9KfhcKD3AJpwEAKSRBLsM/H88Vt +2dnCV5/vUq+2dXeYDKXYU7zkrRkCfSroXl4m42OGagOri7pdSd1UE4HydbAE8erm +zL8GmvC1HvHwYvRz5HC2iaSwOKdQp7B1NvELBjdup4cyKRqVkbZGKIFhB6JRVOjc +7yYM6TFyOu3sk9dDjFdlU99rk4C4Y5CNiSlccNxfi1ySAstNlGs5SxiXR1Q7DKS5 +sUO89dmdQUbVBv/0R+T5dWmbT/qM+h6WA8mAZTkibFwpdIZNGG0eJQRiWo8SVxlH +VfhrbrQ3KifnWj7KrYaPF8E+7HrLue/CDVHqLP1lAoIBAAfJCxOa1wZ5fJmXUWc8 +FdO82qemxftkM/BKrZM+gPFKpJWzkTdQ1vuog1xt0vFnIfA2NibL3G1QUB7FEMu5 +MV8cGdtka8GDOjqhd2o8el7iTWmJBEHc8WQEkZbf2kgPJXuV8sEPT2Jlx/KyqY6I +SP75oDWrQyJ2YuS9aRZJwnbjt77y5Maqlr5wgPmOG4Rs01nJL4kJAWZUFGfS3N87 +wLuNDK0rOiGGayIKnWawOYQAgr16QEVEPRaTwCO1FsuO2tRp3+fu2jSjOXS74C1n +h3dezMTLqS1fKmKyGTku2Ph9JqyMNHaPZMJHhNSG30CcErbGc8RT+fIfzxsYwGwD +dKECggEBAIk5NwbiRe8EJmhLlHUuALYrzBJDgTSSNwrqUBt3lyP46XC3dAyQavzy +OX1Bznr1AauC1w5JEfr5DHJ2MeRVR2V+Spb+5e7KQGemoe3jaM3724smxfhThW/W 
++nmiJ3Gk20lwBVBDZ9KTBnptg3zr4kORlNP2+EooYj/1dvzkflwDm2dLX8taSn8h +d81XaKBBwrNi6MYBYLDzw/tSbCkMGWK+odUguw+X/IDXiFcKJ1J2lRelJxdv6h7g +NeeTX0a6esQQO1MMTIVZSib5CubwgMhz18XvMA9mkcDjzifFhCrE7P1KlQLUYIGx +lUR8W/if6GM2wU/6ijdEVsMAQJUI5cY= -----END PRIVATE KEY----- diff --git a/lib/hx509/data/proxy10-child-child-test.crt b/lib/hx509/data/proxy10-child-child-test.crt index 18e37d788d73..9ec7112aa3ee 100644 --- a/lib/hx509/data/proxy10-child-child-test.crt +++ b/lib/hx509/data/proxy10-child-child-test.crt 
@@ -1,16 +1,32 @@ -----BEGIN CERTIFICATE----- -MIICdDCCAd2gAwIBAgIJANtSso4F/YPoMA0GCSqGSIb3DQEBBQUAMEMxCzAJBgNV +MIIFeTCCA2GgAwIBAgIJAIZ6hp81I2P7MA0GCSqGSIb3DQEBCwUAMEMxCzAJBgNV BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQxEDAOBgNVBAMMB3Byb3h5MTAxDjAM -BgNVBAMMBWNoaWxkMB4XDTA5MDQyNjIwMjk0MVoXDTE5MDQyNDIwMjk0MVowUzEL +BgNVBAMMBWNoaWxkMB4XDTE5MDUyMzE1MDUzMFoXDTM4MDExNjE1MDUzMFowUzEL MAkGA1UEBhMCU0UxEjAQBgNVBAMMCVRlc3QgY2VydDEQMA4GA1UEAwwHcHJveHkx -MDEOMAwGA1UEAwwFY2hpbGQxDjAMBgNVBAMMBWNoaWxkMIGfMA0GCSqGSIb3DQEB -AQUAA4GNADCBiQKBgQDcgI+5RZZeSRqK8ydQYyVqk2DGI8dLUkWE68TthxWg5Xjp -jD9tVt8y3kcQWXIWqeNjmKS6zQHDro/d8oS6oHVMyFakxq4uQD5DvaTeLFjmK/4i -IrVlJS+T8kUMNoqGgNYY7BppcUU0Nav/whldGlhtEEWEEu4EZ+4UbCj5QCHZwwID -AQABo2AwXjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAdBgNVHQ4EFgQUrbpGGsqI -EM708LMvCSGULkOS0CowJQYIKwYBBQUHAQ4BAf8EFjAUAgEKMA8GCCsGAQUFBxUA -BANmb28wDQYJKoZIhvcNAQEFBQADgYEAFk/qvmcnH5QqMLxEtUY9O+2A1ag6iJEs -18sIp87PRLP06OmtWPkijS+7c7Dbs5ttwAWW8tZ9+f+yyXE2ctwrc2ap3TicrTB8 -yI2Fgf+ytxgpZharMjeUi9E10K/xKxU3hsrD7ug3iHp15HKyuP8uFmBP6gcsVsgj -tsIaPKR43xU= +MDEOMAwGA1UEAwwFY2hpbGQxDjAMBgNVBAMMBWNoaWxkMIICIjANBgkqhkiG9w0B +AQEFAAOCAg8AMIICCgKCAgEA5rd/XFWt7tSsRUHIdPgK+CNxME9zqxPFzb0MpToG +3BJmFnhSA+1qFigBNHEsESN0pCG2nn/j9PXFflYOEvhcMRVd+b/dhTkyrmZScaaG +4/hrQuHNW/k9CXsq/FEQbWqVxiHbs7KNjmHHYHSdmZ9Y19qS5kTFEE7ma2hySyJr +7yQ1Fd9yVJyzUr4dSkxx6kGh+aILgVbNqSrd7ElBIhPMl4Qd4UVLadfFyJYmxiG0 +Gur1wXDUN4ElCh8I70elpjQH0fXmBG/FZl8zdMJVnQMSeFG2Ob42Atu/4Ndz0N3w +9+4hVQW6v8C4TbPRaIYyUB8Lt9jxZWmOfXKAfEF1uQrZaFttQbIBNBxUmu7tRMAQ +4OEUbNTFJ/+ErhPHHStIx1emP22WaTmQ4v3qVPr7REYuNKBLsLUZJd6qTftlUd79 +x8E81aJaAk23QW+0xldVlt7bAXF02iy2oZnJcj9Uwe/l6XQgHoPuG4Lz6q4OA5WM +ROG2vgOtu6phY5jY16YiVvMPocW9mdJQCjRAbIGFpmUeYiB6wWr9EGZpp+RVOchG +zS6GJCGLgyxcxHWmGYSNvdMnEacyXiCnC8DQZMcgVnqsDFBsM6QyICwXZr72qkU1 +QiWswudnspE+hw9xgceZqzNpAKhUw2skiLZOO0rnpLc/Rtd9FR65Hnvscz9Xu+p9 +pCMCAwEAAaNgMF4wCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0OBBYEFLD1 +SUEhi6VToeKjUn/AKcXzGbOFMCUGCCsGAQUFBwEOAQH/BBYwFAIBCjAPBggrBgEF 
+BQcVAAQDZm9vMA0GCSqGSIb3DQEBCwUAA4ICAQBy1ZfOf9nkMOa4p7Rm2uzJ8hn/ +7htPNcawOUlSiq0JjctHoYBthHAHvUrrkjjR303c21adSdjs1KusOn0sbynaEMgP +dU2tiLn7/Tb6bAAC61vvBErsqzPwPQJX0/M+qdoqop43DG1Pv53VR5LSISjXB7Sl +oXbJs4cV7oksxWy0eeSa3IXFEnH+NhmHIC6MtpHqRAY0dXS5IWWo1q2Hiutcdd2l +Nc2IBgIY38oM8vpFoQp0Z9S23WIBZzKJ/eqyYZewmSKLnJ1zPvlDJX7g9sIDuO6T +SIod413DgFYSqKAv1u8brT1KnTytyxRQOeXqLTMaJEGB/u4z+CH5Z8U5WlA3X8IO +dHKAZM4LhGWLloyIGjSJ628Ow8VVdP3ptkKXJ4cVka92SDocCtsEdXFYoU1NA6U1 +D4VkExZTVN1sLmIsBiG8i9O8VltjMpPYvKjlUaoezCczIuEFVefuNpYLx7quoIry +8FFW6Ccw/kMSgAhaO1l0OlMVcuZTVns1/fmAF1eOscb5ud7u6YvqQeAbouPt3I2d +eTFG1EJgmfG4JjqTWMXIJdt2VuLutMPUSPAZ0pM0pGsrHW6FVzgHNFlgrO6gOeUq +ytDsdPEy5H1Dk6dzoPzbfSkMQ7a6HGf1ANeNLsTXV/0+kn/T/RhZAjjRQLWeRzDv +N0angzihXX4AspaYJg== -----END CERTIFICATE----- diff --git a/lib/hx509/data/proxy10-child-child-test.key b/lib/hx509/data/proxy10-child-child-test.key index 18e54b0395ba..cd3e0ad4797c 100644 --- a/lib/hx509/data/proxy10-child-child-test.key +++ b/lib/hx509/data/proxy10-child-child-test.key 
@@ -1,16 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANyAj7lFll5JGorz -J1BjJWqTYMYjx0tSRYTrxO2HFaDleOmMP21W3zLeRxBZchap42OYpLrNAcOuj93y -hLqgdUzIVqTGri5APkO9pN4sWOYr/iIitWUlL5PyRQw2ioaA1hjsGmlxRTQ1q//C -GV0aWG0QRYQS7gRn7hRsKPlAIdnDAgMBAAECgYAgEiLVU6W3OPK/WvZQ3trGUYE1 -0GZgMisiVhhiY89lg3q+nUNsZ8I259V2L0xEt5j3F3B+KusixvTt1yQu8L+eki1i -moA5YLtiqcDVHkSX44/f8+yN0QBqmtJDg3WU8mki+Nf4fKEAPvdmmgRhnfFE8hqM -x6IRyL7B+7bmeUKeIQJBAPXw5KquGiwLjoZ+tHQhWN/3SZEBfB2uPFDAXsMgWnUS -pShjnECQDaj9ogUYoWeJacFj8/Dyc01P+LyiAtmfLdcCQQDlhVAsQNxMXLpy5HKU -ZcuZz4il/jQUViq/JRyXlqLccHsfs1P+7b3O+TN7LVNS59vKprkBCIcJoSZ4LaGi -v331AkEAh+KrVSqQx1kzTFhhd/Cc3FITUY0SeIu2Q5+mPAV6NUkx+5jd0kZFZeON -S2eKdlxUFEgXlj8/Oa4/7mlNTdRHTQJBANZ41IoFsdXJcJCb2FXDKZX40AAMoi2+ -twMWcrlUEatbkDH3KK43Cf617t1TZWE7N68OTCIjDcx5wbDbMwcZWWECQAQhJrzq -pdWb5EVvYRP88zJ1vJCISIGWjxQRsde9w0VX8Uu3kyT1EHEuW+JScoNI0avaV1DK -yIG37HCRGTBiNqI= +MIIJRQIBADANBgkqhkiG9w0BAQEFAASCCS8wggkrAgEAAoICAQDmt39cVa3u1KxF +Qch0+Ar4I3EwT3OrE8XNvQylOgbcEmYWeFID7WoWKAE0cSwRI3SkIbaef+P09cV+ +Vg4S+FwxFV35v92FOTKuZlJxpobj+GtC4c1b+T0Jeyr8URBtapXGIduzso2OYcdg +dJ2Zn1jX2pLmRMUQTuZraHJLImvvJDUV33JUnLNSvh1KTHHqQaH5oguBVs2pKt3s +SUEiE8yXhB3hRUtp18XIlibGIbQa6vXBcNQ3gSUKHwjvR6WmNAfR9eYEb8VmXzN0 +wlWdAxJ4UbY5vjYC27/g13PQ3fD37iFVBbq/wLhNs9FohjJQHwu32PFlaY59coB8 +QXW5CtloW21BsgE0HFSa7u1EwBDg4RRs1MUn/4SuE8cdK0jHV6Y/bZZpOZDi/epU ++vtERi40oEuwtRkl3qpN+2VR3v3HwTzVoloCTbdBb7TGV1WW3tsBcXTaLLahmcly +P1TB7+XpdCAeg+4bgvPqrg4DlYxE4ba+A627qmFjmNjXpiJW8w+hxb2Z0lAKNEBs +gYWmZR5iIHrBav0QZmmn5FU5yEbNLoYkIYuDLFzEdaYZhI290ycRpzJeIKcLwNBk +xyBWeqwMUGwzpDIgLBdmvvaqRTVCJazC52eykT6HD3GBx5mrM2kAqFTDaySItk47 +Suektz9G130VHrkee+xzP1e76n2kIwIDAQABAoICAQCeoD0Vu+bZVSmYeHEdUskf +8CZLY+UQE4klOjyugSXkO1YrTtB82MfeseSaLNFyeyEgE/neIeoWKsB9aydEDbQ9 +Hwa8xxjEFx5sX/eBIlCN/ueoVV1/Re6cTS2xyv5zbBvL3M2UUEgZQ8rz21ncHH3V +8vabEV84JjcwU+B5HhJ9mjRRdI7D8/UrB4FV6xdLS5LU8n/cjlTaYZmxcnAwwNIi +vnhYwO7nt63Jisrf4J5W/4K2XB/chZN00P+wnF8c1Zsm1V0vYbWj/AKB3XdFe65A 
+QVX7f3bdIj9blGaRjXa2z+fk8AqE+jj9W4u3xMRk5+ODpMnbwuZwA8CpLcyFzBrK +4gWQlZztfvvV8+nIJRo9BNOCtxitsEflq9S9FsfOE23H78+Tr43iJIikaBy2TwjC +HupNvpuqCSzwBD/Gqkd+zAsZmYJeqAduPyAqUIRDjcnR4srpzU5UGmrSbYCCtRT8 +pnDIUoktcV4GSlpZZRoImpCtX6qkr3JOoDuTaEhqFKAy3vHzzyJYpkBWlPqRatZ0 +elw2zVjmbgaBGkBGNU7HU7pwsiSl38CXVrxv613IlRBTTGyThl4luuZoVxgLEHwN +c3quCQ+O9fNcD9s/8u2Y20KcPb9cr6eGl1Klj11VRkF/DrpQqUx9yBPnmFxZQD2G +Vw0piDNSWEntLu2xvASsSQKCAQEA+Ee3TdWSh/tLTw5DMcoZTrUddtEyiI7Pm8li +LAwxR63M1SebhTD8cQOijGJ70HEftUn0DRlbTYUuJYcH44mHVCmm3crz42aIC0Xq +yiDoQIGsdhsusRsHqIELUiOphMIlt9Yj9H1r1FPfLNioCsmigZs2soSbBshpUr6t +VMr1DcDmJdeIk5eiRtnpeTB53fhObMuYN7QbB+NnQyqldwTVX9LHl/Al8QTnuF5R +m1tSCNV3EeMGp1asFX5C2noDZkXYy3XXp8nmPvOf7PgyexjOD3l6qdlGWKmAsaxT +NgTdMjidobgmNUsXwSJ6PVpJOvokCdfTQRKMW7a2nz4qDW+OBwKCAQEA7eP6oItP +yjxGB6wrEKV0U7KEbxMYJ+IAVOZ1sR4SbYKyncDf8msbKfFshIJrI1WpXVCgK4Wu +nvIEymvga7fsQKKiqPhMYWgFr2oSRAIt7BpfQY6VWjYpnzQXf4drAZjq2wAZQVzt +JA7RYxrCLixRAJ+oEBo2MxlznW4zlzT/C0w5fYtGDyYU6wl6rdULOgkIGfgMFd+2 +CHCK/szMhUV20xIrwlErj/im9P5uBqa2+UJkf1LOwv+YLTKgqE40Wfk1eITtK8Ol +bXnZstAAIyokKq3j93jr9O0kgdchV5vEOq5JJroR9eAguhMJOQbhQGfv6U+xBWkD +1hxsXsULETmyBQKCAQEAqiT7iWuDL40W3uZ3RfepwDZ+Kp7ScqLrw2cO0ADLBMQm +Sy0Jdw1K8mf7TRlwoDfl8ubrSM7HsyhBp5YR4eytwQ+KOxSKbpwlPxR7Amnqv8od +1hJqvRQ4+1Dz4SZvVXt3PbSSj0okSy3vE1ymTD5CD2++3DfjxZIyG3Jwdltf9Dzt +e6FpBzwzCTrstRBzc5pmpEgh2Iqku5MrgOwI2LeHQlPAVG9OkQ07fy2j30OFxGgF +YUyjkqni5BfS2MYk7kGPgF8RmvrRvvJV9p9geNtW22P0m9E6VChU+W2O2MYcj/4c +iGcaSAteDA0EmGb3KGOjrtso+r8rUO612AtR5kM8oQKCAQEApuIS1QNF8zJ7UjCW +eXQIehq2yxETFg92ehi+IYVeGhLg6MgAkphOkwr5PLAdJsmWKY9A/acnS/uuHq60 +3fxFsUYmY/Dj7EVED72SmMEKpCIQBvZWkdWDN1sczOsbxyAWSZH1JaRh+7SlcSe5 +ZxjRrmVSShGJSimlsKA5cu7LqIpNnmPQvxnQ/N1GgaH94TWqyET5fXLVyW/iIkNb +inajmAicSBIXREWEIkRGvUXBAHVx+NwHjkYt5C8rA0bxdNjdiPF/S/9REs6zSLyg +DAspGgOo89eRd93QiYF4s3PjoeLYEGHh7aHQc5idFLNd24fOhtbP8WKtPUvtPkJu +tCPMXQKCAQEAs1/6EmojSIvZB2HjE2AGPGxD3hktqwUcgf3s3xD0MToSbdBVVgc6 +ZeIGQjtfSE5sVhxi3E/lNQFPvwLzIO4HhkOsZ6DRhAO2mixuZwaniSv0v0zAhnxU 
+jZoY+mAwhUTM47Bs6Q+G/WYhJHocAG/Lk1ChTSA96bwJaB0CzObnn5loM+7FK95y +waGm1RXNgPSQaQMylLlrO/KKj0X868PuDgD4+u795G6E6WBWvRGiHrDH92v1eV5J +u949lT7ltg2iVBUQqENQeHMtomAkeIGGJRtAMjn4QrtbC64UEAPbTd8hYoe3q/XN +eyMm+IBLsR7OBZ2PvfCkhvJ3qDXzx1+BdQ== -----END PRIVATE KEY----- diff --git a/lib/hx509/data/proxy10-child-test.crt b/lib/hx509/data/proxy10-child-test.crt index 600bc357c48c..e759447a3ba7 100644 --- a/lib/hx509/data/proxy10-child-test.crt +++ b/lib/hx509/data/proxy10-child-test.crt 
@@ -1,15 +1,31 @@ -----BEGIN CERTIFICATE----- -MIICVDCCAb2gAwIBAgIJAONwGxXRj9jiMA0GCSqGSIb3DQEBBQUAMDMxCzAJBgNV +MIIFWTCCA0GgAwIBAgIJAM764JrT/2XzMA0GCSqGSIb3DQEBCwUAMDMxCzAJBgNV BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQxEDAOBgNVBAMMB3Byb3h5MTAwHhcN -MDkwNDI2MjAyOTQxWhcNMTkwNDI0MjAyOTQxWjBDMQswCQYDVQQGEwJTRTESMBAG +MTkwNTIzMTUwNTI5WhcNMzgwMTE2MTUwNTI5WjBDMQswCQYDVQQGEwJTRTESMBAG A1UEAwwJVGVzdCBjZXJ0MRAwDgYDVQQDDAdwcm94eTEwMQ4wDAYDVQQDDAVjaGls -ZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr982Voxa1DhcIIa22u5oO497 -L2FF0r91yZh2IjY02XSGbLiyFV6OwKULRli587BMryq8G0BBKAmXVvZszOLOe9xV -eipWkyFxiF2s6ERYJ7muHHXxIQyGgRMxhsDuiqiGc51TZ+2H7A2CIHbzUOdom9qf -UwXqyd8iD9N/a/Zy3JcCAwEAAaNgMF4wCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAw -HQYDVR0OBBYEFBBhzv8RTjHAfZxnKZ7bRv1K9MxSMCUGCCsGAQUFBwEOAQH/BBYw -FAIBCjAPBggrBgEFBQcVAAQDZm9vMA0GCSqGSIb3DQEBBQUAA4GBALT+aUqBtZDM -W7/F5I9QgZL9+zebGqzjxSTYpIT6iYRop/oA4ZFc6k0UjR5A8A+/u9mISwB9P6R+ -GtQ8CBgcqLgsLsTEUiz/N2XtC+I++ZSkR33b6ZbNefq9vSib+OzQjdqw9vshK9zX -bajUTjXEGuJrGMeqvv8iwl4SIpCT5f3C +ZDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMyady7cAVLnQae6jZG0 +QWzGcIa+0EJdjG5PyLmw4nJSAWBno68VmIPzqThNPn8aHhJ28aMYdS/oLyi5+Vau +afOvG7gOW2ayxmPelafk4J0Olbg+dHG0XzfA6Y2Y8gBigXtVR176GR418uy31HpO +O3BnlvJFU7QkBr9A9zROTnlfUUw0mN/io9I+LAO2GsbdFl+HTbx+T3LDKORf4jWW +suHBFEdwm0piJbP5nIk72jLp71ulubi4j5E0tVElv0DpF4FaQeCRGMXOfTYwswar +qg2TzXBTyeq+Kmuk1hslrphEVu1IZc0D8+aAr/hvrsI90oyTysASAfoCYKASnZWN +vcYi2Vt8Kkb1f4sxISqtm2PmHllD6grHdK1iKfoa9al7VvAu7sGyu0DF1uwmyehJ +1FNnQl0BIbFlfXiEVv6gRAazOJkxGO3kjneFVWffFwv9F9chdSCcMKO8USOV2qey +ySHaO+YTP+ImXD65dP7Ks9r1dBKxcU5vxJG0orHSiwstY5cRRqDeKatRdJ1kOavc +DWTlz/MJkMS8o5QNjsvWd+a8MkW0rkjYIuPzNHkg5ydFtm4lfRj8tZkJ56M8B5Oz +KFTD8JQ1PgxyPtzC5gnOaDuiTrmZQd+6ob02nvP7S2PgmKLyVbb28987/CG7MczD +g1BjCYRGsQnUcnvNM5EuMNlLAgMBAAGjYDBeMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgXgMB0GA1UdDgQWBBRtG+s2dgue8pi+jKTQONY6Gu0vdjAlBggrBgEFBQcBDgEB +/wQWMBQCAQowDwYIKwYBBQUHFQAEA2ZvbzANBgkqhkiG9w0BAQsFAAOCAgEAcSYX +JZ8+DUUab6RvbRAxyK483Bw7DbJuqFy90zy9RNDHV1Og/YdEey1Qvne85sVhUGhb 
+PLCRyM6dgT7BRsyBT00CYFp2sjETFm2KCkEevpfUgpbdYmxccV4vlOMguYJ6DWn/ +eV8OBOkdmc4RxZ3ibZ5XvNbs7lR5B01qHviAp8MT7+QFACCnC7gpD2b5lv11ZUac +STkklsuSY4nPBaD1NcgysG5EAUxoP6x1J7nJM4ukb762H0/svmsaYSo9kk6KGNXM +D3VbPCF4huNJcT+GkdtFfUmFHKC7yVekLDhs4Nh2GrOLJii3alcZXEOvq2TKq4No +Tl1nTLFVLZ9pMsWzL4aDySYGPpNDZPvetfqGprw/uLohgd6k3eFdnWWBkOk8jX7y +V/wLTTQlQHxMENFwj/eguEI7Kav8UcoZNaRWIjUXyZ29pzuM+aRJ4SFB21iq/vTR +mqTB7I20eh4dcjVpytU9KeQkWhhvxdiUj7dfgIkSViMG3Cy9hvu19S+nUZyvuBGQ +TwAGQlzfc5hEBbV5qBZhF/iOiDZJfBFcrULke5FfmFE6mW23eSwisqV4l0YfpyBw +nAhC+u25wG1JC2xXitBLqDnZqoFoX7dSzEMG01ia+c1yn9sK9mRr5ahas/QnSSC7 +2C0QAQMNb+C32deKlAfuSbtk6H5Mwf2YmArqQ38= -----END CERTIFICATE----- diff --git a/lib/hx509/data/proxy10-child-test.key b/lib/hx509/data/proxy10-child-test.key index 12f49009eb16..357de74a396d 100644 --- a/lib/hx509/data/proxy10-child-test.key +++ b/lib/hx509/data/proxy10-child-test.key 
@@ -1,16 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAK/fNlaMWtQ4XCCG -ttruaDuPey9hRdK/dcmYdiI2NNl0hmy4shVejsClC0ZYufOwTK8qvBtAQSgJl1b2 -bMziznvcVXoqVpMhcYhdrOhEWCe5rhx18SEMhoETMYbA7oqohnOdU2fth+wNgiB2 -81DnaJvan1MF6snfIg/Tf2v2ctyXAgMBAAECgYBbnR/2J7js0csT2nkIRKahWBWo -UbiIltmpwTTQj4IqQKwBmJiTzyT3r0HXTELZcV4Q5WcFnwwR6iUe1NFKTV+XgrcK -OMBY43+6InTvsXAKxLH6MZ7tfKWA13forzs90CmvYxTHtEFYS2MnzZ7FFqBk59lA -gMrcDVKYiOLenjKm6QJBANuEuoq/ZiNC9bJ3JjVyH/yHYqAwi6g8B8kQufecAqIu -eQBpx2vsry8V6LpTfIsle8dWFKauiE4s5VyBMn7l2kMCQQDNGZHFI9j8SaGVGmbF -5nDtBnWoyAWCQ3VzTj+uaO/ybkTFFvVkVLU1+3j2cWRVYdnoXK9uL2eH9E35radx -d6EdAkEAyEI2l1ryh5qPYEb4MWuyqIKtw6tlzI0vIQtETBIkCOZSdsEJL3jVfCQF -ku2Uwa/pUrlBz6mLKZ4lg5VNhpyT1wJAEfXaQQQ5nSYpgzATreLXIrp9FTGm4dhc -caN5iiFgWb90QDoZdRbB459I4XPekGeIOIPdTO3TyCEJrwKY9iO+tQJAGdLTwcsz -o1Ic+rVL8IfXPRCwtvi3e/xVgGxDHhV498/ofY3xgVmOkSRdDjAz2FgZeaotnKj6 -d9og/gBzfNdK2g== +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDMmncu3AFS50Gn +uo2RtEFsxnCGvtBCXYxuT8i5sOJyUgFgZ6OvFZiD86k4TT5/Gh4SdvGjGHUv6C8o +uflWrmnzrxu4DltmssZj3pWn5OCdDpW4PnRxtF83wOmNmPIAYoF7VUde+hkeNfLs +t9R6TjtwZ5byRVO0JAa/QPc0Tk55X1FMNJjf4qPSPiwDthrG3RZfh028fk9ywyjk +X+I1lrLhwRRHcJtKYiWz+ZyJO9oy6e9bpbm4uI+RNLVRJb9A6ReBWkHgkRjFzn02 +MLMGq6oNk81wU8nqviprpNYbJa6YRFbtSGXNA/PmgK/4b67CPdKMk8rAEgH6AmCg +Ep2Vjb3GItlbfCpG9X+LMSEqrZtj5h5ZQ+oKx3StYin6GvWpe1bwLu7BsrtAxdbs +JsnoSdRTZ0JdASGxZX14hFb+oEQGsziZMRjt5I53hVVn3xcL/RfXIXUgnDCjvFEj +ldqnsskh2jvmEz/iJlw+uXT+yrPa9XQSsXFOb8SRtKKx0osLLWOXEUag3imrUXSd +ZDmr3A1k5c/zCZDEvKOUDY7L1nfmvDJFtK5I2CLj8zR5IOcnRbZuJX0Y/LWZCeej +PAeTsyhUw/CUNT4Mcj7cwuYJzmg7ok65mUHfuqG9Np7z+0tj4Jii8lW29vPfO/wh +uzHMw4NQYwmERrEJ1HJ7zTORLjDZSwIDAQABAoICAQCG+91nf+QrssBBDTW7C+Yi +AmVYsGircBZm7KIryAQNkgaweI+nwiKl40ogB+4UYsG2Qty2Ujt2CMOcJd3XDyh9 +iWhLLMWmYom6d63aX4jEdUvXivS901cCbHZpYZ8/G737BU8Z3PxXTxZekAVRT22t +gdo3Kf/IGACPiyfMTWE+d+El2omFI3wbB8N4C1ttGY1aJuTlV5vIxfKjgJK38h1A +DWb4ntUE5O2k6Cga7e7NqkKs/xAhSzoEfXal+7ZK97z3LPnLU065qbo31zc1TmnZ 
+nUprMgxDn4RTEiPjMyAV+vgygZIQCOyPhRUTXXM5WRogfpzDzN2a+JiQ4tcuRJ4O +/AnCmH2MSwrTsnV1W/IgZo2/Va6eyqe3jfoN91e6q4jmoVvEyTA7oaX3PzJRggP9 +yySPLTiWJPZTgp7i8eoePdaDs1xkQyj7cX64+PtSwcf9GDssWsSUpHVtIgtZLYRH +NI4Z+nSSDqDQzC++cQsaODKYarNmvIgIaFxGiFVnjlSk6wXFXpe3IT2I1Q02wvxr +lSVlwwHOpbaTY+oZNE3XTl2YXx2VIVGZpjac3Bz/ML/jty7AlW50NKHgZulG8Dt6 +mV8daKR2YJIoAKMramJ9+h/qXAcpJmQQ4yqnGGRKjweVFOmxCJuCjmkhkkJ9IC9C +6fZxzPMWcNLzcDoHK06RYQKCAQEA+I5U2Cm0XLU+TYOOpXIOjNJjOU+jUM00CD6o +hWN54ArJxdGJjmk6V6y4ZY8mYV+PhDJGcop2kzeuEeJm7wlhSZ1nMWUVZ4bB3E25 +YAboVnAhk8uP0LVT/8O2+ENRX4WFXE4GKjytHPrHZ33rZtLg6AVJscsXg/JfKSMz +NxahI0zYNdNcifXY8ekKvJPC0oCr7TuVp956Cc1OdSEx+j0iDkqcYp8ipDEf5GoA +MR4FTyamaom/A3wC/WihzFmfSpB9HdvUX4uGwgaAtTEGMQBpJRcNCtZdtbrzwJnS +ufPpmdr4xMFD8+BMcPzah8j5rOQBY4NaUAzIkKeoMpcd0OKfsQKCAQEA0rsmvfVa +mY2mDjWZUtsohh9lPo8Upx0Ggxzn+8RMzQFtiUqns+/B/GdoGyVtJiYB0XzXKehz +LD4+rgFK2kWm7ze6SSr+RaOaJi8eH7xLq2AjfZFhoTIAwIlpkEW2A1LuITBkbW9j +1v64ssAJpUuM8/ljg2/OImCQk922uLRCayp+/CoyAHCJLgyBRhDy2NNuk/p59Any +OFzgPsiTAejcigTq/AqQpgv6SDW14zdvt6De9pm2Cq9xYWUPaqkYNwJpsAGPqH+R +Ncwigo3b9CWJPpfeCAT2qybj8ZE7yUzNeWqo3dnalXFUROpUi0rYUYPGqcg0340K ++h3lBaVFNyEjuwKCAQBd3AGWD0mYqKh6RO+c8lEkRF5LyhL19EdtxZuFo2bmf6xq +ExJKwNnTOdn4H/JyWs+rMAECR983AJOvFTuhkH04e0P4lx9aFL0oIAGcjX83BOjp +ErmgKpkpwBJb9a/IznbpwFz7niYRB3I9VoOKNJ/Rfg2yIesjXGcq9avlZZo75kzP +Jp2PS1M9Jq9zPqkXLJe/4fxFg/G5udmiyYJB6MvvcaVUaJuAPTy52H1yDtAab5Hw +MUv8WNwYLWbL8BwC4EUe/WBZJCsjIamAwp5/6pPJ+cZnDUQd2Bcr5+p3ZfAUtWez +hPfQJCc5k4JCPFZsPz13AqccC3fBiE4vrHkJ5EpBAoIBACEcCJ1GBIMlz1ZiM4Hi +Lz7LhgPLRUpwdAp7qzNSh2Kae9RbZ3gNDqSStre1LK4WwKhifgf2nsnvybdbOqCK +2wyw69L9L1BPwTOIqaoA0r7NbyYWholmKtoVfQGPAmcJS6LpUI4lN0Gbafej1qAi ++7WFlI4dLf0WwQCKkF/66oid96+1DYAmLleO3Wzd0togdjpH24ttWKJkbVNP/lEJ +fkUtOqJ5InsEXMGltrtJhYMLgpyqUADjyeOsljyC7uwNs/9Ub3bg/DbAqRdsJIf6 +sdKk19zYssz3Yk8dK5CYQZx3FqssxHxAfyYIz1nHW6+LDda1PyF0rqnXspkte2+L +BGsCggEAPMUwXKXsMjE77m3jhGtxPGFk6mGOXeVdBjdamuRWcdufqDP2Ctlb6+ki +gXsotGl/lV+ZQp88nXkHqmhsCIBHDrNLw8um2M1cLernah2qzfNPMqbj1UAntLud 
+bYCUoitUFxnkMietqQtEpQlVWDazlgxaWp0AZU4iSfdhxmD+QRSBp14aBwJ+InAg +HRYkelR8EBB5KU376QOXBViknRBgvW9yieD3n+CkFGDNkQII0D7v9gNXYK2NbVYG +IClPaF7y+OVlauhIRaRmRjF4a49sssKd3qLNT34sM/JC2G3XXxyX+zPhDjf6dQLP +wVvqDgPCDWKi204uIah9SC95JGv/BA== -----END PRIVATE KEY----- diff --git a/lib/hx509/data/proxy10-test.crt b/lib/hx509/data/proxy10-test.crt index 0d9fde88c5b6..bf129830ecc9 100644 --- a/lib/hx509/data/proxy10-test.crt +++ b/lib/hx509/data/proxy10-test.crt 
@@ -1,14 +1,30 @@ -----BEGIN CERTIFICATE----- -MIICMjCCAZugAwIBAgIJAMJEvwnR1+3WMA0GCSqGSIb3DQEBBQUAMCExCzAJBgNV -BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQwHhcNMDkwNDI2MjAyOTQxWhcNMTkw -NDI0MjAyOTQxWjAzMQswCQYDVQQGEwJTRTESMBAGA1UEAwwJVGVzdCBjZXJ0MRAw -DgYDVQQDDAdwcm94eTEwMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAwvFE -RvMpm6Oje46mf4ta4or7w/cUcJ5wrn9f1plR6/ETOiCGKf4i9/9Yj8vr0MFLSNcb -LpipSq/JDoiQJQuCvfwGe/g/Im0byhcWmqcvmUQJ+tp/qBsrZQqKMAZxBE1rzvBs -pWqQCFHDOebLzcl1zmTDcrDgwsO0j0EOFRiIkwIDAQABo2AwXjAJBgNVHRMEAjAA -MAsGA1UdDwQEAwIF4DAdBgNVHQ4EFgQU5aYR98LOKtpDlBTC9W4axWXpg9EwJQYI -KwYBBQUHAQ4BAf8EFjAUAgEKMA8GCCsGAQUFBxUABANmb28wDQYJKoZIhvcNAQEF -BQADgYEALsp0p4UR2YqO3HYNEkPFluconjaKOcj4X1y1K0dnQneBfrKJJ812h/Dh -bs/Kc/SbKWRD8wkNF13WURZiH3emkYgvdB3QIFaWb52gK4n8T2L5PkcEJIv3hFkl -5TyqSgsy4SlaQ0KnBx+E+l9fDXUBYhpxLEVpaav5u3RLNJhG0jY= +MIIFNzCCAx+gAwIBAgIJAKQmPUkmhyKpMA0GCSqGSIb3DQEBCwUAMCExCzAJBgNV +BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQwHhcNMTkwNTIzMTUwNTI2WhcNMzgw +MTE2MTUwNTI2WjAzMQswCQYDVQQGEwJTRTESMBAGA1UEAwwJVGVzdCBjZXJ0MRAw +DgYDVQQDDAdwcm94eTEwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA +1RLpk560fH8JMomm7OaAxwXICdeuqhJZHlu/RegfDIsqo/qGyrEJczQVFGKnISoZ +rDthg+005e7VtTvVC6caKRhewogFBOiLwk7SmoyzXFHcpAdLGJgUL9UCUnxL42UR +djmY7jEtgAIcCwtvCwJb7TXZSaOaYtov5iUTeKmjP6Ixu37CjEUL0CSh2f4/5auC +cRXDfiHmYoUK/9q0BxUaGgDOyCuyrtI25jaMtZMNtCGTGJCWeZJDk+7+/tyNGuQt +NGNKRmJyENvgx6HXQiytXnxYbDABpLNQ8fw31gQVvSiuSHvE6zZa4VNPPjMFIXXU +jk4LwFsuw47OZYiHrMJpuSXLY/v62uID0+88NM+naD4R+DYtxkL1RATSwbhHg5zL +np9i3D1BL9WrPnzlKHEpW4orjeEUljJqu2IVW1OFojAMHC9cqwU2LGIhRqcf2osr +zltVS0f+ssXPhMu/G0Ib31ow24EYZFR2C3uT5oVgDfZ59mArknUHooWjhb9WqO0q +LoyI+5YxKDroNm8QnEhZAzye85JRuXmGt/G0xg99kq0WAlFjb2Y88oimgdpVFrDd +BTzNEjDcG2z2L3IJyekElWeTF/qlweQfExpg+WnseCNUrTWjCVDv94vGKUXvA+Va +xpnQWNdGnX+741vHbg3CkQhDFiQoAu9pjI3W18YUWKkCAwEAAaNgMF4wCQYDVR0T +BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0OBBYEFHQh/SEjpZ7xoyS/k1Dzsq4CqoyF +MCUGCCsGAQUFBwEOAQH/BBYwFAIBCjAPBggrBgEFBQcVAAQDZm9vMA0GCSqGSIb3 
+DQEBCwUAA4ICAQCTubaEkl971rzVIKGtzpV6Pa2uYTijFOsCUYUPOPjgtPQ+h45A +rfgdVYKd9sbujQf9buZb8Tut7Dt3XJvpig4xopzQezkNdLCwLfYOfDEfWWAY4gJE +ZZ6wrVeB2jgwS+xGGYSjXWWM75wgvpeptQSJ57jvVzX6wCWrPjw9RpemkoGJyqex +4iMILSQRFCjYYulbK2B8kWfUUxqz38l6mwbB9nk4FR8OQ9b6AhwFaVYNqbTMP7kw +SDx4s4h54lkWJ3Z4ktxs3DpOmIyIE9yl7rq+T6RZvkgZX9+9Ftm5XfmEmxyzjSyN +FEjrBAk4v/ryKS3JUDHKjR2MiJmNn171lfxc16MgpRL6assUSJInZ3cEEaUQoK/I +zKFpwa2vepGkQhZ7E1cO/ynotiRsJY7K1i3H3Ai3fQid+2N+KODPV3mpXPOOWYAg +oJXsQMUG0EaBVogtDgTsRpnv08OO/OKeXvrTTi9wDrnaedMhdSA2XpHBditBbADX +31lISHXD/c7Va+ispKnEG1LqR+yo4XhV4qH0v6SX/493/UKZDAUEGQIA2nJ+NvPA +INiEa2aGsdLmbu66R1OVF8cKpn03a4Dul2XbwfL3zjhHICw6hMACvxrArcN/JLku +bZWhpWleT0Im/HqqlwS9Qp2CTneyTsvDfnyDzPA57lmUJtpVy8mFq+MHYQ== -----END CERTIFICATE----- diff --git a/lib/hx509/data/proxy10-test.key b/lib/hx509/data/proxy10-test.key index 47b4ce2309d4..624e90cbaeb1 100644 --- a/lib/hx509/data/proxy10-test.key +++ b/lib/hx509/data/proxy10-test.key 
@@ -1,16 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMDC8URG8ymbo6N7 -jqZ/i1riivvD9xRwnnCuf1/WmVHr8RM6IIYp/iL3/1iPy+vQwUtI1xsumKlKr8kO -iJAlC4K9/AZ7+D8ibRvKFxaapy+ZRAn62n+oGytlCoowBnEETWvO8GylapAIUcM5 -5svNyXXOZMNysODCw7SPQQ4VGIiTAgMBAAECgYBTMM7nZKd1AZKx75U1Dj6aTsMk -vQJZc/EtOGIIfplU3bsBTUjUHjNr7BPrqMOdVk7Vqu4K8SU5it4qq3cMnrBETxTA -k3oLwIM5U/MLF8PCxFFfjARA3iqp5ldCBRbFwBi3iBa3+dxRQgx0TYdhg32LPE4a -7sAz+GGSHspa8mPR4QJBAP9qA1LSsSi/hargSNaNnCEy/4YW7MIkbJwX3A0INGT5 -cEUhSG+w0UhnkAf0Hi8/Gh19EsvDEOY/Nu6ucSmmnK8CQQDBNCNO2Qae7GJSOPLQ -T6RpcFThH/7D09gCnF25V5An3jawT2BNue8iHxKztOwneSw16D1xSDm3nIs8m8sJ -gXNdAkBs9pY6ZEZOIv7seki4t6svAqm+U9Nns9Bd+1PWf3SSy1OZOmzDsYRnRj9N -FVk3QM1sXSqCoVJ5V+ighO0kHr9jAkARbnvVDF29jwRb+MlnpBfob3spCLL6xi1S -JvuJ0m2uOy1iAPdma+U4hecxEZzQ/uzPPFH225Zhi51AbaoHBIf9AkBHxYNY9TPW -nWpEcH7Mq+5KdAgXhXb0uWQbWoK7m/wm7OY8KQMc2Uo1chatb0qxlmUxZvQXva+w -QxahbNp1Uyun +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDVEumTnrR8fwky +iabs5oDHBcgJ166qElkeW79F6B8Miyqj+obKsQlzNBUUYqchKhmsO2GD7TTl7tW1 +O9ULpxopGF7CiAUE6IvCTtKajLNcUdykB0sYmBQv1QJSfEvjZRF2OZjuMS2AAhwL +C28LAlvtNdlJo5pi2i/mJRN4qaM/ojG7fsKMRQvQJKHZ/j/lq4JxFcN+IeZihQr/ +2rQHFRoaAM7IK7Ku0jbmNoy1kw20IZMYkJZ5kkOT7v7+3I0a5C00Y0pGYnIQ2+DH +oddCLK1efFhsMAGks1Dx/DfWBBW9KK5Ie8TrNlrhU08+MwUhddSOTgvAWy7Djs5l +iIeswmm5Jctj+/ra4gPT7zw0z6doPhH4Ni3GQvVEBNLBuEeDnMuen2LcPUEv1as+ +fOUocSlbiiuN4RSWMmq7YhVbU4WiMAwcL1yrBTYsYiFGpx/aiyvOW1VLR/6yxc+E +y78bQhvfWjDbgRhkVHYLe5PmhWAN9nn2YCuSdQeihaOFv1ao7SoujIj7ljEoOug2 +bxCcSFkDPJ7zklG5eYa38bTGD32SrRYCUWNvZjzyiKaB2lUWsN0FPM0SMNwbbPYv +cgnJ6QSVZ5MX+qXB5B8TGmD5aex4I1StNaMJUO/3i8YpRe8D5VrGmdBY10adf7vj +W8duDcKRCEMWJCgC72mMjdbXxhRYqQIDAQABAoICAQCuw9ZlyFSNkL0AgLszsFSL +6YgL2qZexLHoHqSiOCPPbA5LdV89vTvdDCkGEWy33Qo1pHb1eIhc2CrdfffemO7y +KhT/RgWn4v1PIMvJDALJhDOPLpQ/1e0o1nQTJ/QuzWUnLVLse9WwGwrZXEV2KDcy +N2rD5bbpwcBr6pkv7SQDO4vDF9OGrdNko8dFQC80uBpDmvA/8po+0JUXClGDRaGl +FmiE8qKalb2F0dRT0gv5ZVh7W4ywpnFbUzo/3LK4DdOuFoqDdJfOkCqsU2h11KNW 
+znLQOgf/CT0pXhCGL8+M2WMp/Kqlqm2cR3LFt59LtJPlLMqiuad/qxBLY1K1Nrjz +LYJcgyQ00EzKuoY0c5f2b1p7JG4jrsocerUYCmMFMaQc9qDOicUyagjcXnUfggf6 +TyHAPFY0nYRqzGbVHOF4HPx28CJ3aE3egvlgC7G5XrHI7CIHrelazEC0iIkfutbj +SE6MEKde8XBiXB6R/pXFlJJGUHum8VLtHjHJR8qMlI7LOmasmIsSs9py1j1V8gKr +lPKLpGHN180RVPoYvULlJiJejmw/ODPWEaOXQQItemTSuYnD118Cb3y/nVev0wys +yqWwVmqP1WgEixGKAg1msVrQB2iY55aNlT2auZAtc5v3OSSNX0tLNQtsvxZC6hjW +YcSKPhFie1JxtETHxjgSCQKCAQEA+7c4SOF+V7Xme7FFOwvUb7+P+Lf68aFpKxeC +tUS2dnL5qfLFNFjMP+qte1xFKy+zQKQbZg7vcJ1v2SLI2rmHFAFNxp+pd4q6C4oj +eoWn5UgZutFfin6AZCIxO2i/4uVfOS8jEiIkw7eCflEvS6jB9EpieknnoFPjg42H +Bs2kDCf/1dlUlgcADcun02ffve9WkKBCOU+FOXZFKk0LGN6KQCdrJrGutwToMefv +ULzc7QVl1D2ARA7INjWB7PYqiWFYwRQXB4oEUVI4v2T0DPrCf+qpHvn+01fle+uN +W7gE3POLWbS8vuTQ34tdmOzZJoJkJ9/x9tTIOD4aa06mKoo7twKCAQEA2LNSWpmd +NjOf3W+Q9hyjpikiMJhvhaYO2jgfiNcCDDt8YRbMW2dpbWiGryzxwVMkVXkWMZLc +1MBjKYnlaAL+NXr7J3Upga5sjXkl801CqEZT8y/J3rzWmgwwvpd8mriqtX2jI78m +GgA6p4NmChou797GJci3Ai8cNCTzmQmLwWEgnuJKlaPcHZ5eRotGceSQ/CCFtbeC +TIcpNWaxhvtf5aSbhoAyS4RcpVEUanEE2gPGUNngYq/19ofC7mphChBV528075bi +661wrmmUlywrbcgsGfjUT+8y0aafWQq9JAmlRql68w0Gi30t/xznQPAlIUG8z2vR +6POpzeuV6zTOnwKCAQAUFmUJe+VHPp7sFBOASMtlN5ZXtObzzXvFEpU9vgQJo9dE +trkCGmwCVcoOZCio75+Qcwg0ttBo3keEvn/k5JVhBVGdnjQ58/ow3Y9DQdNKOtzC +yd6kAMBiPVBMe2mEw+U7fQWBdvQUIlrplbT+hrMjuaPuOmOfqdIoN20lH9gNmEuU +V0mmx1w7vZrhBhMW5zizRfbC+BObqFKQs6FFFM1XnU2xwtA8jsmw4d95Q/kleR7N +NzM7OyrDGLYLoQF4ASrCDcZgtaTukG8y5u2K85/98U4ZyL2LRCJuJzgar67DqzPd +rsy5Ny1sCYUopQ4XQqSXggmfNw/bXSlikt4z2uA1AoIBAFn1/99a3FgvEFP2SADU +HOATPX1dGxcpvAq9t+GwGMqJO3Z253mesbbY6Oj6SJbQdEoDjcIgzQqJn+ETvSfz +7iK3nmJgEk4i4i/NNoMN9Pk00Q8pLK4KSTEElIvbCcCVn1DfCoYBicjLhY4bT5Ys +DoZIPoxbChafBh9jo7lJrDoon0k2em4q62tkXpD8qs8Ha2Uv/zJUL4Sjq+jebB60 +ZrhIIMSyna6aEXgT89zIdJIpdQAFo1B06jBhZfxiL0zlQTRmB1zbj/L1Os09SZGE +pbbanexeT42rqLY+bPKjMagvVOzD2SXjp27rFdhN4Hcl+tQWnVKi2S7TURAKmF9f +udMCggEBAJxkdEJ7RDZej/Fw9xbqfslU449Tp3U9B8P+SkJEfGfCLX+3SwbyB5Xz +J0p8fMvc0iWhJ15bx+JIy6Qmi8/EPxZibZDDhPSpBgok1RrzRMh61cO/Gz8aB9xl 
+jciQPCsMaWqt0rFSE2L/xZvX0DUlvPOzBYIVOeWN+5JoeEHbHLxRtDMnTXaky/Vf +PTBLv6jSvdd4cWPOhoIRovvEBFvE8GqOusHJ5bNjRpY71F2PSJ7sYMP7RfTFfvkO +moF8U+ZpMIIFR8H5DJSAeocbVXXNLI6iRMbXqCecc4oTYU58kC0Xm7H/3/2Gqzl/ +XnrAAFMk+GLkZE8dvbKiMb+/IIDXWsg= -----END PRIVATE KEY----- diff --git a/lib/hx509/data/revoke.crt b/lib/hx509/data/revoke.crt index 2c2afc2975e3..07a419938218 100644 --- a/lib/hx509/data/revoke.crt +++ b/lib/hx509/data/revoke.crt 
@@ -2,25 +2,51 @@ Certificate: Data: Version: 3 (0x2) Serial Number: 3 (0x3) - Signature Algorithm: sha1WithRSAEncryption + Signature Algorithm: sha1WithRSAEncryption Issuer: CN=hx509 Test Root CA, C=SE Validity - Not Before: Apr 26 20:29:40 2009 GMT - Not After : Apr 24 20:29:40 2019 GMT + Not Before: May 23 15:05:12 2019 GMT + Not After : Jan 16 15:05:12 2038 GMT Subject: C=SE, CN=Revoke cert Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) + Public-Key: (4096 bit) Modulus: - 00:a6:5f:11:30:35:3a:5f:ed:c2:06:ac:f4:14:27: - c1:db:ae:79:f0:b6:9e:0a:83:e7:82:6a:69:92:a6: - 85:9c:5d:e4:8a:0e:6b:32:99:4d:22:b9:ea:a6:8c: - 84:9e:62:f0:a3:f1:d2:b0:ef:41:ce:93:ce:d9:49: - 43:be:0d:a7:ea:cd:37:bb:ba:4d:ee:75:ed:86:74: - 8a:e2:08:77:2b:60:91:30:b2:96:57:4e:42:d1:5e: - 6f:0d:f5:b2:d6:98:ed:3f:ab:a0:64:33:8b:52:ad: - b5:7a:4a:fd:70:dc:d8:8b:e1:47:0c:8d:8f:93:5c: - 9c:35:3f:cb:21:d7:5c:6c:b3 + 00:bf:d0:af:36:d0:76:65:eb:21:0c:44:48:66:6e: + 43:c8:d4:07:73:4f:2f:36:b7:1b:ec:6a:aa:7b:60: + f2:87:9a:94:bc:ba:91:f8:1c:c8:1a:01:e4:fb:d1: + ac:3f:a6:07:26:2a:b7:8f:79:f8:31:ea:4f:e3:9d: + 2d:84:43:0f:ee:d4:1d:5d:e3:f6:16:31:5c:bf:f9: + ce:3e:b8:4a:e3:77:2b:bc:41:ee:84:52:2a:c0:7a: + aa:86:a5:21:9c:c5:a0:2a:e6:d8:46:33:c5:87:14: + 76:a5:71:2d:ae:7a:e6:60:0c:3c:35:cb:af:80:6c: + bf:cf:eb:25:f3:0f:be:5b:53:59:cb:b2:9b:c9:17: + 86:2d:08:a7:60:1e:42:d5:80:ea:74:b3:d0:7c:3c: + 42:33:58:c2:bf:35:5b:e6:7a:8a:9c:fc:7f:fc:c9: + cc:3f:7e:52:d6:8c:33:1a:2b:03:de:a4:fb:04:86: + 13:a9:b6:0f:d2:a4:12:1d:88:a6:4d:aa:85:c2:ff: + 19:11:bf:04:e0:57:1c:2e:03:97:b8:83:9b:0d:75: + 95:d7:15:f4:31:5c:2e:76:39:25:f3:fa:b1:9a:ca: + de:c8:39:cf:03:72:d8:23:0a:00:3a:e9:66:ef:8a: + f2:b0:fc:56:04:3d:b8:e6:dc:f4:a0:ae:73:1b:ae: + e4:03:42:79:f0:ee:14:51:18:8f:bb:d5:7f:cb:5a: + 21:6d:b9:9d:b9:3c:9e:15:24:23:2d:bf:c5:a3:66: + 45:f6:33:dc:06:7b:e1:68:f7:75:2d:58:9d:e1:73: + 06:79:a0:de:68:e2:70:5f:5a:fc:05:a7:26:d6:76: + 57:f8:12:7b:48:07:93:65:a8:d1:04:94:a0:42:9e: + 
a8:8e:ff:3a:c7:aa:54:6d:c1:99:2d:2a:c2:33:65: + 49:82:e7:df:bd:18:10:e3:69:df:d6:d7:16:4b:72: + b3:3c:fb:81:72:97:cd:28:35:13:b9:2e:09:55:4d: + 40:eb:e0:2e:24:f5:f2:0c:04:e4:38:90:db:1f:7e: + 79:42:97:9d:74:7a:87:c3:18:da:ec:9e:8c:00:25: + 36:87:88:05:49:77:c2:76:fc:68:76:59:b0:1f:d7: + d5:81:d9:47:f9:e9:62:c6:f5:08:06:d0:21:50:eb: + c7:b6:d4:9e:dc:94:68:d0:0f:df:74:f1:43:2e:38: + 3c:76:ed:b1:b8:4d:88:8e:ae:e5:52:a9:9e:29:fa: + da:a6:aa:28:e2:0e:cf:c9:c7:4d:fd:cb:14:a3:aa: + d2:87:bf:e2:9f:09:86:e6:0e:77:14:c8:d8:96:b2: + 51:65:d6:bf:23:9b:da:ed:70:47:c5:7a:3e:1e:be: + 75:8b:8d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
@@ -28,26 +54,63 @@ Certificate: X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Key Identifier: - AC:ED:61:9B:1A:7D:7D:27:D4:E3:B9:3D:79:9C:F1:96:10:B3:46:45 + C0:C4:1E:26:C8:53:2E:80:A5:50:44:F1:79:38:05:B4:12:CA:AA:7F Signature Algorithm: sha1WithRSAEncryption - 71:4d:fc:63:69:bb:b5:cf:0c:50:dc:de:55:ef:9b:90:07:42: - 98:3e:80:36:e4:94:aa:d5:f3:0b:56:38:12:1d:3d:e6:dc:a3: - 8b:bf:8a:f6:82:d6:25:8b:9c:88:ce:38:2a:ee:e1:2f:2e:8f: - c7:74:c6:42:5f:68:99:a5:48:e7:08:5a:bd:3c:fa:db:14:5a: - 39:cc:dc:50:c5:ba:05:97:c9:66:9e:39:d8:ce:17:a6:ec:6b: - bd:c9:c9:a8:d1:6d:dc:68:c0:79:20:6e:df:04:0a:14:37:06: - 7b:e8:54:62:60:0c:9f:d5:73:55:b7:d0:4f:cb:e0:14:75:65: - b7:d1 + b1:f4:93:82:51:8f:d2:a0:c0:a7:9a:da:d3:f6:fc:01:aa:ae: + e9:a1:05:32:62:9b:63:a2:a3:05:ea:9e:f8:b3:af:d2:50:42: + 70:6f:35:88:86:f2:f5:bb:6f:44:a7:9b:51:14:c8:e1:9e:13: + c4:e6:ab:5a:bb:40:50:c2:ae:d5:b5:64:48:ab:29:30:d6:90: + f6:6f:24:b2:e9:aa:8d:12:54:68:5f:70:bc:99:5c:cf:c5:7d: + ae:e7:d2:7c:50:c0:7f:a6:a8:ae:0f:3b:9d:1a:e4:18:b3:f8: + 90:2c:a4:cf:83:41:c8:54:82:20:df:bc:4e:6a:6e:e6:61:dd: + d1:fa:95:2e:4b:22:28:84:db:d8:47:fb:a6:d7:65:07:41:64: + 1f:16:db:39:ea:75:23:63:d5:59:df:03:cf:4f:28:2a:73:07: + da:0c:f2:3f:3a:cb:40:3b:73:92:2e:93:79:90:a0:4c:ed:bc: + aa:7a:c4:40:54:5f:39:cf:e2:81:59:98:73:ce:5e:71:2a:3a: + 1f:60:94:fd:c3:c4:7f:24:05:31:66:d2:5f:ba:62:db:5c:ec: + 40:38:79:ee:5a:6d:90:8d:f7:99:49:cc:e0:1e:8e:47:0e:50: + c4:19:c2:43:bc:87:33:c0:fd:8a:cf:af:71:35:0b:fb:14:7a: + c4:5b:01:09:86:5e:8a:ab:b9:8b:81:50:bc:a3:d9:59:53:30: + 2c:97:32:97:da:16:3b:42:78:84:31:13:9a:ad:a9:a4:9d:5c: + 5d:69:6a:eb:53:71:e8:95:11:04:d7:ef:50:c0:c2:32:55:75: + a9:db:0d:4a:5c:b4:10:91:60:88:ec:25:8c:26:52:a9:be:5b: + 71:5e:ba:e0:df:ad:ac:e0:cd:01:7b:8f:ff:c5:c6:f0:9e:e6: + e2:f6:44:31:07:3c:99:d5:8f:43:1d:c4:5e:57:58:0e:72:4b: + 76:5d:4e:14:f5:03:08:c4:d4:05:71:2b:da:71:8f:c8:ec:b2: + 1f:cd:c3:52:6e:6d:53:db:9a:40:37:77:53:71:02:1f:a5:12: + 
e6:32:1d:bc:0e:83:b5:03:e4:85:ba:54:b2:3c:2e:c0:70:77: + a5:86:21:fc:6e:f7:46:24:84:75:9a:0f:f5:af:fa:12:26:b9: + 65:e5:8c:89:7e:42:d3:5a:22:22:dc:96:ed:92:17:65:e4:12: + 21:9c:ae:8d:03:c3:3b:d6:bf:68:b8:ba:08:51:44:8a:77:07: + 9d:be:de:a1:0e:93:cf:17:29:e3:67:ff:9c:e5:ea:5a:0d:b0: + bc:8d:5f:f3:44:d1:f8:12:b3:53:82:09:30:13:e4:12:99:3c: + d0:73:09:85:64:95:9e:bb -----BEGIN CERTIFICATE----- -MIIB/DCCAWWgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw -OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA5MDQyNjIwMjk0MFoXDTE5 -MDQyNDIwMjk0MFowIzELMAkGA1UEBhMCU0UxFDASBgNVBAMMC1Jldm9rZSBjZXJ0 -MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmXxEwNTpf7cIGrPQUJ8Hbrnnw -tp4Kg+eCammSpoWcXeSKDmsymU0iueqmjISeYvCj8dKw70HOk87ZSUO+DafqzTe7 -uk3ude2GdIriCHcrYJEwspZXTkLRXm8N9bLWmO0/q6BkM4tSrbV6Sv1w3NiL4UcM -jY+TXJw1P8sh11xsswIDAQABozkwNzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAd -BgNVHQ4EFgQUrO1hmxp9fSfU47k9eZzxlhCzRkUwDQYJKoZIhvcNAQEFBQADgYEA -cU38Y2m7tc8MUNzeVe+bkAdCmD6ANuSUqtXzC1Y4Eh095tyji7+K9oLWJYuciM44 -Ku7hLy6Px3TGQl9omaVI5whavTz62xRaOczcUMW6BZfJZp452M4XpuxrvcnJqNFt -3GjAeSBu3wQKFDcGe+hUYmAMn9VzVbfQT8vgFHVlt9E= +MIIFATCCAumgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw +OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxMloXDTM4 +MDExNjE1MDUxMlowIzELMAkGA1UEBhMCU0UxFDASBgNVBAMMC1Jldm9rZSBjZXJ0 +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv9CvNtB2ZeshDERIZm5D +yNQHc08vNrcb7Gqqe2Dyh5qUvLqR+BzIGgHk+9GsP6YHJiq3j3n4MepP450thEMP +7tQdXeP2FjFcv/nOPrhK43crvEHuhFIqwHqqhqUhnMWgKubYRjPFhxR2pXEtrnrm +YAw8NcuvgGy/z+sl8w++W1NZy7KbyReGLQinYB5C1YDqdLPQfDxCM1jCvzVb5nqK +nPx//MnMP35S1owzGisD3qT7BIYTqbYP0qQSHYimTaqFwv8ZEb8E4FccLgOXuIOb +DXWV1xX0MVwudjkl8/qxmsreyDnPA3LYIwoAOulm74rysPxWBD245tz0oK5zG67k +A0J58O4UURiPu9V/y1ohbbmduTyeFSQjLb/Fo2ZF9jPcBnvhaPd1LVid4XMGeaDe +aOJwX1r8Bacm1nZX+BJ7SAeTZajRBJSgQp6ojv86x6pUbcGZLSrCM2VJguffvRgQ +42nf1tcWS3KzPPuBcpfNKDUTuS4JVU1A6+AuJPXyDATkOJDbH355QpeddHqHwxja +7J6MACU2h4gFSXfCdvxodlmwH9fVgdlH+elixvUIBtAhUOvHttSe3JRo0A/fdPFD 
+Ljg8du2xuE2Ijq7lUqmeKfrapqoo4g7PycdN/csUo6rSh7/inwmG5g53FMjYlrJR +Zda/I5va7XBHxXo+Hr51i40CAwEAAaM5MDcwCQYDVR0TBAIwADALBgNVHQ8EBAMC +BeAwHQYDVR0OBBYEFMDEHibIUy6ApVBE8Xk4BbQSyqp/MA0GCSqGSIb3DQEBBQUA +A4ICAQCx9JOCUY/SoMCnmtrT9vwBqq7poQUyYptjoqMF6p74s6/SUEJwbzWIhvL1 +u29Ep5tRFMjhnhPE5qtau0BQwq7VtWRIqykw1pD2bySy6aqNElRoX3C8mVzPxX2u +59J8UMB/pqiuDzudGuQYs/iQLKTPg0HIVIIg37xOam7mYd3R+pUuSyIohNvYR/um +12UHQWQfFts56nUjY9VZ3wPPTygqcwfaDPI/OstAO3OSLpN5kKBM7byqesRAVF85 +z+KBWZhzzl5xKjofYJT9w8R/JAUxZtJfumLbXOxAOHnuWm2QjfeZSczgHo5HDlDE +GcJDvIczwP2Kz69xNQv7FHrEWwEJhl6Kq7mLgVC8o9lZUzAslzKX2hY7QniEMROa +ramknVxdaWrrU3HolREE1+9QwMIyVXWp2w1KXLQQkWCI7CWMJlKpvltxXrrg362s +4M0Be4//xcbwnubi9kQxBzyZ1Y9DHcReV1gOckt2XU4U9QMIxNQFcSvacY/I7LIf +zcNSbm1T25pAN3dTcQIfpRLmMh28DoO1A+SFulSyPC7AcHelhiH8bvdGJIR1mg/1 +r/oSJrll5YyJfkLTWiIi3Jbtkhdl5BIhnK6NA8M71r9ouLoIUUSKdwedvt6hDpPP +FynjZ/+c5epaDbC8jV/zRNH4ErNTggkwE+QSmTzQcwmFZJWeuw== -----END CERTIFICATE----- diff --git a/lib/hx509/data/revoke.key b/lib/hx509/data/revoke.key index 0fe2e18b2fb5..374bed15b7b2 100644 --- a/lib/hx509/data/revoke.key +++ b/lib/hx509/data/revoke.key 
@@ -1,16 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAKZfETA1Ol/twgas -9BQnwduuefC2ngqD54JqaZKmhZxd5IoOazKZTSK56qaMhJ5i8KPx0rDvQc6TztlJ -Q74Np+rNN7u6Te517YZ0iuIIdytgkTCylldOQtFebw31staY7T+roGQzi1KttXpK -/XDc2IvhRwyNj5NcnDU/yyHXXGyzAgMBAAECgYBeDVZRM3YZrvZGAdZF4qfkAgGr -hAFaHnFtN60RG5Ri7m15YmdVhnal0AaIOt3qEDLL67RZFBjWqJaCHbnvIhcva5Gw -OLEQPsvvTBvRq5O7hTwij2f0hTGu7gOHiiW3YCPxvma1qHNOXKRDh5Gi2eG0gKgo -fUC2pqvPomNaqZERqQJBANFQXr+KQ9Hcv1cp2+FNOXg8x0sC20+Svwaxs+T4gSr2 -AaiWIJgcdYpxkNPke+IGPZ8Bip6jgRpRK1gRLhx7qw0CQQDLercoA7FiwpRMzo1j -Yvh4188uhodvuSg6Yj/meQ2zQvsjAipZ0XJgEuZZnoifxkl2A6K+tFLwSq1hy18K -C4a/AkEAnwfCRSMG7i8bDV2XWvGyhWEgRiSwfh/PlYV0WbZZZUut7OnLb+bHg11P -nT5OxWbacLHaITe3AkjDdtDuyONJDQJAN4RW3rMLPe/q+H3Os9Q4CPiQzZfk8gWp -xSwzVRWoOEXJMYcQuQrdUvs1IDSSAE3gkzNwvumCS4+EeM89MgdtDwJAN7ucdA1c -m6MiJgTVxTeva7cgw6PCF4Ph9AGRAB+m/qkg8I8W7G0tXxHVUAXfKdfeirigsrnT -LKLsQFEQrhuA5A== +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC/0K820HZl6yEM +REhmbkPI1AdzTy82txvsaqp7YPKHmpS8upH4HMgaAeT70aw/pgcmKrePefgx6k/j +nS2EQw/u1B1d4/YWMVy/+c4+uErjdyu8Qe6EUirAeqqGpSGcxaAq5thGM8WHFHal +cS2ueuZgDDw1y6+AbL/P6yXzD75bU1nLspvJF4YtCKdgHkLVgOp0s9B8PEIzWMK/ +NVvmeoqc/H/8ycw/flLWjDMaKwPepPsEhhOptg/SpBIdiKZNqoXC/xkRvwTgVxwu +A5e4g5sNdZXXFfQxXC52OSXz+rGayt7IOc8DctgjCgA66WbvivKw/FYEPbjm3PSg +rnMbruQDQnnw7hRRGI+71X/LWiFtuZ25PJ4VJCMtv8WjZkX2M9wGe+Fo93UtWJ3h +cwZ5oN5o4nBfWvwFpybWdlf4EntIB5NlqNEElKBCnqiO/zrHqlRtwZktKsIzZUmC +59+9GBDjad/W1xZLcrM8+4Fyl80oNRO5LglVTUDr4C4k9fIMBOQ4kNsffnlCl510 +eofDGNrsnowAJTaHiAVJd8J2/Gh2WbAf19WB2Uf56WLG9QgG0CFQ68e21J7clGjQ +D9908UMuODx27bG4TYiOruVSqZ4p+tqmqijiDs/Jx039yxSjqtKHv+KfCYbmDncU +yNiWslFl1r8jm9rtcEfFej4evnWLjQIDAQABAoICACTzfZ1woS5XEmG7kbrxyOsa +NWk4Ot8ufRmZHshvz6jh1X9Z7Z6/ZKjl7oe4R5dnU389wWjJVU/AVK2DbO5KwPoA +MLwSmyiBT93HsLySYhLZtTop9VnWPlggCVOw4f3CcG1zVPyJIqc4APc0C1nOYSzl +jn/Kgj+aM4VJRmFBiikrsGO2P56IgpeQUDYK/lME56Wdsi8MqLAdjD6rd825k5RU +bA91jHw6yJh+H6YN3Uv5ukWP0p/h68BnTPoVhfv2Ophq7hhmFPlmro4KsSKhb7Az 
+E6+Aki8kE+tAbRhIFgi8xhgKUt/WMt7lIVA4AFVrDf+cTLG6djE7JYECujf+A/xq +jC+BOn2BFzo5CNuc1+B0xZ6wLrQoKYSyAp2N7EbhNEb3xthxE940+PDAB0nfmDDl +B6LPkjsBFVe7Cd63F85uVHTMclbLC/yfiKaAolNb3pNh4UMWLhHYouLRNiVM+NLY +u06FTJPFsgUGmBPATFuV6IaHii6sMqMdArN+dU/NqMT1KTBGyZ79g6XwVSWVU2+S +oDZYRNERihwtr8vImQky17TY2rAbZKk9OK/Re67UOwnxkVSihv1Rt4CDwKkIWrh9 ++BPiC8nd/al/XjV4hN3hQeU2CVcHt23uobtPUvaL9Scf+1+e8WToLSSPeGwfD6EM +jpNBeI/V1IdiNUJnr8e9AoIBAQD/B5AThJW+avTqa2EfqhnB5KsVEKy8LWfUbH5I +PcUtiStlb+RatZb4yQXVQ1TpSSAFEXL6TZR4uHQsw1wXhRyi8CGWKxSxrxhxkw2V +RpAcuU2u9sHtmSzJHOn+sRnJPgJOijZ/EAHqc/Hi7VNdaSz6tFfFeYLYmVpeS0EU +CY/0JqHAQ5IrzGjrl2doG7myFhLA1oAYWElhtVMcE+mowgDxE4a1UOQQyrKA2p7T +9LuguPhOgvjB4t6uJ35HO2w3hvwAdsnsOb8g0qBdYlUpcATyb1Nl0252+ZWwA3gT +tVZ8iQ+bibMopyns60GbVnArfVkFn7a3hS/0ZW5Zy8aKI+G3AoIBAQDAi4qTbdVv +6BS3ePoUwsYDkC/17RGkfoFfH/jXWVhP7UNu5X/UFCM+VJwrYK3f6cpKMBtBIRPw +uHXeFCh2Mi3x/hrz3VRfY0qrgckByxhNTuXokQBec8mU4TzpPmc5XjADtVmaxnP8 +uU6cny+0s1lJ5xZM3nPvkZ9DMV+CbTbMiWIODJ+3Ak2S6FDB+wNemMpp3ppMrWNZ +5N0d+o/VSUTEGr/FmNAw0gZhsy8pdcDqoULDceqA40rL8F46kzAk58E4Gvb+rVMR +bVQcBrwSVOgY6MAtY5qLZcDLHcq9JU+tMB8AJHO1io2k4Xsz5WVBLlzTudHpgmJp +M5ELOUBwyCzbAoIBAQDrf6pVu6sjiVTcW4f2W3cpiuVIsHsx0aP9jqoWP6Qi5nXC +V87AzMq6tbbDNkfknHgK9g/8f0NJLttosoYJ2guVkrURHHshkRS7XBXA8MYHID5S +AN8XbsjidebGH/g10yMCL7MfJkL+o06MRKckrQiyAXLDke934DSIumk//YyG4l2f +U0ZZV4rTcp40jtWtU6DBndHvqScqKOy0EtdD1NJVy7grGqVftC2du0PLakUQp33z +0hGvyLXkj+eWE5NcuzNdolPX5YNO5fDcCv+lIiIPVSnn75QkHVlSjgGGAX/5w/87 +m65rLeITOzL8JJe0MS3ReaiaU0zzG+8I0Jln2raFAoIBAAGoMcUbCN8xrBv4Go7b +LkERmJgRNjmoLQzYhZe02SG29QGbUAJPOg5rQ/zLlDN9G5SP3WwuELHdpIYIvmBm +Bicy/KBkozk+7YGUWFp/mPHxX+EkflBRxsZVOeT3+INx4A/oG6FNW+os3hRS+mIf +uQD90B9ROsYxBqHZZu0Ea5hPBl0Als9IYcqF3UwOEPVbc0J9++31AAniAlUjtuEr +BEB7ynK04fXJmOx2Uk2VCdf7E0wDSvVY/2fJ5cWzRpLKu8rz0HRYoYJg4nxrQmsV +9/le52h8lvPkKEiXNQtzqr/eziV+KtDBJH7qwdisfLaW442e58OOr7IgE3t5Pqi5 +0EkCggEBAP3J+c6s88lfGnU35CzFK93IkumaYtHlrNj/87EBPMjpL38ykFCkeXXq +wtKAWI+i9Y7Y38xYvkWwNj8m44hCES7z8yc+blxlyg4UBTg6ms6/AMCF1OkkdAsl 
+xyacDGAm7JIj1w/B7qxWOkZOI25c0YY74kq4nBIP8lklHr0iykqc8BhwlYofEh/U +TMXAg0z+luS9Uiq4SayBeUcEkNguJu5syLtOvy+vR04fyOzHF9YFXqaRbJoCPnZg +RRx6Jo2dRdiy9yhOHzZRykuAH92M4jACE3V3wJMjlJea+YmZgaDwv5a5xT8dUw2W +waMpuNHGyfEypx5NFeO8UU95fKkcTWM= -----END PRIVATE KEY----- diff --git a/lib/hx509/data/secp256r1TestCA.cert.pem b/lib/hx509/data/secp256r1TestCA.cert.pem index 6cac58ee11ff..3522b096d187 100644 --- a/lib/hx509/data/secp256r1TestCA.cert.pem +++ b/lib/hx509/data/secp256r1TestCA.cert.pem @@ -1,12 +1,12 @@ -----BEGIN CERTIFICATE----- -MIIBuDCCAV6gAwIBAgIBATAKBggqhkjOPQQDAjA2MQswCQYDVQQGEwJTRTEQMA4G -A1UEChMHSGVpbWRhbDEVMBMGA1UEAxMMQ0Egc2VjcDI1NnIxMB4XDTE0MDMxMDE5 -NDAyM1oXDTM4MDExNzE5NDAyM1owNjELMAkGA1UEBhMCU0UxEDAOBgNVBAoTB0hl -aW1kYWwxFTATBgNVBAMTDENBIHNlY3AyNTZyMTBZMBMGByqGSM49AgEGCCqGSM49 -AwEHA0IABOUrhSvioYJaKUK9WjI5eGRAWsOB2DNslTkcgTkFsd3vD4/dGxaHBOIM -kuD9ldGK2sQArEIDKfrOHvP+oFz3jLajXTBbMB0GA1UdDgQWBBTrUd8AqGhfZvHV -spcznXeb328JgzAfBgNVHSMEGDAWgBTrUd8AqGhfZvHVspcznXeb328JgzAMBgNV -HRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDAgNIADBFAiBd6J2N4B6L -mtn0ZP/6vOyPkA7YMq2EwbVyTGlnBTwYsQIhALjsLWHQVSkt08rly48ns93DeSbM -XejBzmT8QXEdib+1 +MIIBuTCCAWCgAwIBAgIBATAKBggqhkjOPQQDAjA2MQswCQYDVQQGEwJTRTEQMA4G +A1UECgwHSGVpbWRhbDEVMBMGA1UEAwwMQ0Egc2VjcDI1NnIxMCAXDTE5MDMyMjIy +MjUyNVoYDzI1MTgxMTIxMjIyNTI1WjA2MQswCQYDVQQGEwJTRTEQMA4GA1UECgwH +SGVpbWRhbDEVMBMGA1UEAwwMQ0Egc2VjcDI1NnIxMFkwEwYHKoZIzj0CAQYIKoZI +zj0DAQcDQgAE5SuFK+KhglopQr1aMjl4ZEBaw4HYM2yVORyBOQWx3e8Pj90bFocE +4gyS4P2V0YraxACsQgMp+s4e8/6gXPeMtqNdMFswHQYDVR0OBBYEFOtR3wCoaF9m +8dWylzOdd5vfbwmDMB8GA1UdIwQYMBaAFOtR3wCoaF9m8dWylzOdd5vfbwmDMAwG +A1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49BAMCA0cAMEQCIF/JTbEv +iuYcuREFzWgZ/AgfLe2sRwEgSy6UcAWOYllkAiApMzA3xKjaX1/hhkDGKZnHfcTM +tRuM0FuTdO+e15ku8w== -----END CERTIFICATE----- diff --git a/lib/hx509/data/secp256r1TestCA.pem b/lib/hx509/data/secp256r1TestCA.pem index d0c7431880ae..9b1df2c9cf92 100644 --- a/lib/hx509/data/secp256r1TestCA.pem +++ b/lib/hx509/data/secp256r1TestCA.pem 
@@ -4,14 +4,14 @@ gHePPMwGKygIVDXTfjysn9zPiSOhRANCAATlK4Ur4qGCWilCvVoyOXhkQFrDgdgz bJU5HIE5BbHd7w+P3RsWhwTiDJLg/ZXRitrEAKxCAyn6zh7z/qBc94y2 -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIBuDCCAV6gAwIBAgIBATAKBggqhkjOPQQDAjA2MQswCQYDVQQGEwJTRTEQMA4G -A1UEChMHSGVpbWRhbDEVMBMGA1UEAxMMQ0Egc2VjcDI1NnIxMB4XDTE0MDMxMDE5 -NDAyM1oXDTM4MDExNzE5NDAyM1owNjELMAkGA1UEBhMCU0UxEDAOBgNVBAoTB0hl -aW1kYWwxFTATBgNVBAMTDENBIHNlY3AyNTZyMTBZMBMGByqGSM49AgEGCCqGSM49 -AwEHA0IABOUrhSvioYJaKUK9WjI5eGRAWsOB2DNslTkcgTkFsd3vD4/dGxaHBOIM -kuD9ldGK2sQArEIDKfrOHvP+oFz3jLajXTBbMB0GA1UdDgQWBBTrUd8AqGhfZvHV -spcznXeb328JgzAfBgNVHSMEGDAWgBTrUd8AqGhfZvHVspcznXeb328JgzAMBgNV -HRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDAgNIADBFAiBd6J2N4B6L -mtn0ZP/6vOyPkA7YMq2EwbVyTGlnBTwYsQIhALjsLWHQVSkt08rly48ns93DeSbM -XejBzmT8QXEdib+1 +MIIBuTCCAWCgAwIBAgIBATAKBggqhkjOPQQDAjA2MQswCQYDVQQGEwJTRTEQMA4G +A1UECgwHSGVpbWRhbDEVMBMGA1UEAwwMQ0Egc2VjcDI1NnIxMCAXDTE5MDMyMjIy +MjUyNVoYDzI1MTgxMTIxMjIyNTI1WjA2MQswCQYDVQQGEwJTRTEQMA4GA1UECgwH +SGVpbWRhbDEVMBMGA1UEAwwMQ0Egc2VjcDI1NnIxMFkwEwYHKoZIzj0CAQYIKoZI +zj0DAQcDQgAE5SuFK+KhglopQr1aMjl4ZEBaw4HYM2yVORyBOQWx3e8Pj90bFocE +4gyS4P2V0YraxACsQgMp+s4e8/6gXPeMtqNdMFswHQYDVR0OBBYEFOtR3wCoaF9m +8dWylzOdd5vfbwmDMB8GA1UdIwQYMBaAFOtR3wCoaF9m8dWylzOdd5vfbwmDMAwG +A1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49BAMCA0cAMEQCIF/JTbEv +iuYcuREFzWgZ/AgfLe2sRwEgSy6UcAWOYllkAiApMzA3xKjaX1/hhkDGKZnHfcTM +tRuM0FuTdO+e15ku8w== -----END CERTIFICATE----- diff --git a/lib/hx509/data/secp256r2TestClient.cert.pem b/lib/hx509/data/secp256r2TestClient.cert.pem index f0f3a2445c55..5763c5a73e03 100644 --- a/lib/hx509/data/secp256r2TestClient.cert.pem +++ b/lib/hx509/data/secp256r2TestClient.cert.pem 
@@ -1,12 +1,12 @@ -----BEGIN CERTIFICATE----- -MIIBrzCCAVWgAwIBAgIBAjAKBggqhkjOPQQDAjA2MQswCQYDVQQGEwJTRTEQMA4G -A1UEChMHSGVpbWRhbDEVMBMGA1UEAxMMQ0Egc2VjcDI1NnIxMB4XDTE0MDMxMDE5 -NDAyM1oXDTM4MDExNzE5NDAyM1owMDELMAkGA1UEBhMCU0UxEDAOBgNVBAoTB0hl -aW1kYWwxDzANBgNVBAMTBkNsaWVudDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA -BO7/MCIBHf8gQLQ5ltp1uyCOCAw8uylZZ7+v/rB3oKHuAIyL6q/QjZXZH3FR5VcI -zANavN5SAfx9CFJpPk+pUISjWjBYMB0GA1UdDgQWBBSjXg4X3fs5xOQgTumjZQwF -I13RejAfBgNVHSMEGDAWgBTrUd8AqGhfZvHVspcznXeb328JgzAJBgNVHRMEAjAA -MAsGA1UdDwQEAwIEsDAKBggqhkjOPQQDAgNIADBFAiAa9d6aCxlioep3ViYqujWv -A28/16yXOrmLY1a2wcj3awIhAMeVjMiUTP/U4yXfb3uJjJmq8hfyNZ/CAiTQKORx -JjIt +MIIBsDCCAVegAwIBAgIBAjAKBggqhkjOPQQDAjA2MQswCQYDVQQGEwJTRTEQMA4G +A1UECgwHSGVpbWRhbDEVMBMGA1UEAwwMQ0Egc2VjcDI1NnIxMCAXDTE5MDMyMjIy +MjUyNVoYDzI1MTgxMTIxMjIyNTI1WjAwMQswCQYDVQQGEwJTRTEQMA4GA1UECgwH +SGVpbWRhbDEPMA0GA1UEAwwGQ2xpZW50MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD +QgAE7v8wIgEd/yBAtDmW2nW7II4IDDy7KVlnv6/+sHegoe4AjIvqr9CNldkfcVHl +VwjMA1q83lIB/H0IUmk+T6lQhKNaMFgwHQYDVR0OBBYEFKNeDhfd+znE5CBO6aNl +DAUjXdF6MB8GA1UdIwQYMBaAFOtR3wCoaF9m8dWylzOdd5vfbwmDMAkGA1UdEwQC +MAAwCwYDVR0PBAQDAgSwMAoGCCqGSM49BAMCA0cAMEQCIBVFIAeFxXeB4LURDxv/ +YnGzJJK0b+pjK5hVEPYww8dzAiAmHrccM21Ga7S+/yFWIvMe3BKtAl0O62TTI2Fg +CHiIWQ== -----END CERTIFICATE----- diff --git a/lib/hx509/data/secp256r2TestClient.pem b/lib/hx509/data/secp256r2TestClient.pem index acf11b0413ff..9f49adc3e48b 100644 --- a/lib/hx509/data/secp256r2TestClient.pem +++ b/lib/hx509/data/secp256r2TestClient.pem 
@@ -1,14 +1,14 @@ -----BEGIN CERTIFICATE----- -MIIBrzCCAVWgAwIBAgIBAjAKBggqhkjOPQQDAjA2MQswCQYDVQQGEwJTRTEQMA4G -A1UEChMHSGVpbWRhbDEVMBMGA1UEAxMMQ0Egc2VjcDI1NnIxMB4XDTE0MDMxMDE5 -NDAyM1oXDTM4MDExNzE5NDAyM1owMDELMAkGA1UEBhMCU0UxEDAOBgNVBAoTB0hl -aW1kYWwxDzANBgNVBAMTBkNsaWVudDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA -BO7/MCIBHf8gQLQ5ltp1uyCOCAw8uylZZ7+v/rB3oKHuAIyL6q/QjZXZH3FR5VcI -zANavN5SAfx9CFJpPk+pUISjWjBYMB0GA1UdDgQWBBSjXg4X3fs5xOQgTumjZQwF -I13RejAfBgNVHSMEGDAWgBTrUd8AqGhfZvHVspcznXeb328JgzAJBgNVHRMEAjAA -MAsGA1UdDwQEAwIEsDAKBggqhkjOPQQDAgNIADBFAiAa9d6aCxlioep3ViYqujWv -A28/16yXOrmLY1a2wcj3awIhAMeVjMiUTP/U4yXfb3uJjJmq8hfyNZ/CAiTQKORx -JjIt +MIIBsDCCAVegAwIBAgIBAjAKBggqhkjOPQQDAjA2MQswCQYDVQQGEwJTRTEQMA4G +A1UECgwHSGVpbWRhbDEVMBMGA1UEAwwMQ0Egc2VjcDI1NnIxMCAXDTE5MDMyMjIy +MjUyNVoYDzI1MTgxMTIxMjIyNTI1WjAwMQswCQYDVQQGEwJTRTEQMA4GA1UECgwH +SGVpbWRhbDEPMA0GA1UEAwwGQ2xpZW50MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD +QgAE7v8wIgEd/yBAtDmW2nW7II4IDDy7KVlnv6/+sHegoe4AjIvqr9CNldkfcVHl +VwjMA1q83lIB/H0IUmk+T6lQhKNaMFgwHQYDVR0OBBYEFKNeDhfd+znE5CBO6aNl +DAUjXdF6MB8GA1UdIwQYMBaAFOtR3wCoaF9m8dWylzOdd5vfbwmDMAkGA1UdEwQC +MAAwCwYDVR0PBAQDAgSwMAoGCCqGSM49BAMCA0cAMEQCIBVFIAeFxXeB4LURDxv/ +YnGzJJK0b+pjK5hVEPYww8dzAiAmHrccM21Ga7S+/yFWIvMe3BKtAl0O62TTI2Fg +CHiIWQ== -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg6oD5CbNzN7oAWqcq diff --git a/lib/hx509/data/secp256r2TestServer.cert.pem b/lib/hx509/data/secp256r2TestServer.cert.pem index 91acde8f60e5..71935b8822b8 100644 --- a/lib/hx509/data/secp256r2TestServer.cert.pem +++ b/lib/hx509/data/secp256r2TestServer.cert.pem 
@@ -1,12 +1,12 @@ -----BEGIN CERTIFICATE----- -MIIBsDCCAVWgAwIBAgIBAjAKBggqhkjOPQQDAjA2MQswCQYDVQQGEwJTRTEQMA4G -A1UEChMHSGVpbWRhbDEVMBMGA1UEAxMMQ0Egc2VjcDI1NnIxMB4XDTE0MDMxMDE5 -NDAyM1oXDTM4MDExNzE5NDAyM1owMDELMAkGA1UEBhMCU0UxEDAOBgNVBAoTB0hl -aW1kYWwxDzANBgNVBAMTBlNlcnZlcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA -BItZgn1C8ZBvKkkNoEofWL0JLCTaHT2lJj7d9jRtSKiR2PlOtd5HhteDqP78K4eg -lRMk5nqsmEooalfbNsFBy8SjWjBYMB0GA1UdDgQWBBTqMDTOezcRsax6lf6E/Xk+ -QzPorjAfBgNVHSMEGDAWgBTrUd8AqGhfZvHVspcznXeb328JgzAJBgNVHRMEAjAA -MAsGA1UdDwQEAwIEsDAKBggqhkjOPQQDAgNJADBGAiEAsvf//YdUWCD6OLZesENa -1mH8+b+kZDR6jx1JchRXAEQCIQDkTvTZrlmmxUaWEsf08/4xbxkYbrPAg4+VX2uI -QcEwUA== +MIIBsDCCAVegAwIBAgIBAjAKBggqhkjOPQQDAjA2MQswCQYDVQQGEwJTRTEQMA4G +A1UECgwHSGVpbWRhbDEVMBMGA1UEAwwMQ0Egc2VjcDI1NnIxMCAXDTE5MDMyMjIy +MjUyNVoYDzI1MTgxMTIxMjIyNTI1WjAwMQswCQYDVQQGEwJTRTEQMA4GA1UECgwH +SGVpbWRhbDEPMA0GA1UEAwwGU2VydmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD +QgAEi1mCfULxkG8qSQ2gSh9YvQksJNodPaUmPt32NG1IqJHY+U613keG14Oo/vwr +h6CVEyTmeqyYSihqV9s2wUHLxKNaMFgwHQYDVR0OBBYEFOowNM57NxGxrHqV/oT9 +eT5DM+iuMB8GA1UdIwQYMBaAFOtR3wCoaF9m8dWylzOdd5vfbwmDMAkGA1UdEwQC +MAAwCwYDVR0PBAQDAgSwMAoGCCqGSM49BAMCA0cAMEQCIB2nDbiSg6jTeoSWfCvG +23Pn4xxbes8Nb+/8+1lDjLWPAiA+KB8wJhUA4hO/Axfu85wKjddpbGtJR0JlxtEe +whF52Q== -----END CERTIFICATE----- diff --git a/lib/hx509/data/secp256r2TestServer.pem b/lib/hx509/data/secp256r2TestServer.pem index 0e9edd782bcf..31a354d151b4 100644 --- a/lib/hx509/data/secp256r2TestServer.pem +++ b/lib/hx509/data/secp256r2TestServer.pem 
@@ -1,14 +1,14 @@ -----BEGIN CERTIFICATE----- -MIIBsDCCAVWgAwIBAgIBAjAKBggqhkjOPQQDAjA2MQswCQYDVQQGEwJTRTEQMA4G -A1UEChMHSGVpbWRhbDEVMBMGA1UEAxMMQ0Egc2VjcDI1NnIxMB4XDTE0MDMxMDE5 -NDAyM1oXDTM4MDExNzE5NDAyM1owMDELMAkGA1UEBhMCU0UxEDAOBgNVBAoTB0hl -aW1kYWwxDzANBgNVBAMTBlNlcnZlcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA -BItZgn1C8ZBvKkkNoEofWL0JLCTaHT2lJj7d9jRtSKiR2PlOtd5HhteDqP78K4eg -lRMk5nqsmEooalfbNsFBy8SjWjBYMB0GA1UdDgQWBBTqMDTOezcRsax6lf6E/Xk+ -QzPorjAfBgNVHSMEGDAWgBTrUd8AqGhfZvHVspcznXeb328JgzAJBgNVHRMEAjAA -MAsGA1UdDwQEAwIEsDAKBggqhkjOPQQDAgNJADBGAiEAsvf//YdUWCD6OLZesENa -1mH8+b+kZDR6jx1JchRXAEQCIQDkTvTZrlmmxUaWEsf08/4xbxkYbrPAg4+VX2uI -QcEwUA== +MIIBsDCCAVegAwIBAgIBAjAKBggqhkjOPQQDAjA2MQswCQYDVQQGEwJTRTEQMA4G +A1UECgwHSGVpbWRhbDEVMBMGA1UEAwwMQ0Egc2VjcDI1NnIxMCAXDTE5MDMyMjIy +MjUyNVoYDzI1MTgxMTIxMjIyNTI1WjAwMQswCQYDVQQGEwJTRTEQMA4GA1UECgwH +SGVpbWRhbDEPMA0GA1UEAwwGU2VydmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD +QgAEi1mCfULxkG8qSQ2gSh9YvQksJNodPaUmPt32NG1IqJHY+U613keG14Oo/vwr +h6CVEyTmeqyYSihqV9s2wUHLxKNaMFgwHQYDVR0OBBYEFOowNM57NxGxrHqV/oT9 +eT5DM+iuMB8GA1UdIwQYMBaAFOtR3wCoaF9m8dWylzOdd5vfbwmDMAkGA1UdEwQC +MAAwCwYDVR0PBAQDAgSwMAoGCCqGSM49BAMCA0cAMEQCIB2nDbiSg6jTeoSWfCvG +23Pn4xxbes8Nb+/8+1lDjLWPAiA+KB8wJhUA4hO/Axfu85wKjddpbGtJR0JlxtEe +whF52Q== -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgKo/47DaveCl90GxH diff --git a/lib/hx509/data/sub-ca.crt b/lib/hx509/data/sub-ca.crt index c63f59d3df47..befbd28d8d65 100644 --- a/lib/hx509/data/sub-ca.crt +++ b/lib/hx509/data/sub-ca.crt 
@@ -2,59 +2,122 @@ Certificate: Data: Version: 3 (0x2) Serial Number: 10 (0xa) - Signature Algorithm: sha1WithRSAEncryption + Signature Algorithm: sha1WithRSAEncryption Issuer: CN=hx509 Test Root CA, C=SE Validity - Not Before: Apr 26 20:29:41 2009 GMT - Not After : Apr 24 20:29:41 2019 GMT + Not Before: May 23 15:05:18 2019 GMT + Not After : Jan 16 15:05:18 2038 GMT Subject: C=SE, CN=Sub CA Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) + Public-Key: (4096 bit) Modulus: - 00:bd:3d:63:78:3e:31:85:d9:1d:b7:f8:04:02:58: - 53:12:de:1a:c6:95:9b:51:29:7b:c7:62:76:b9:a6: - 63:56:3d:47:c8:2f:bb:6b:9b:7d:d8:f1:a9:3c:0b: - 61:66:fd:d1:e7:d7:6d:74:a0:30:9c:a0:7d:80:41: - 04:1a:86:61:b4:12:79:9d:9d:b0:3b:fb:0a:4c:69: - 8f:06:33:07:85:0e:73:cd:01:fa:96:f9:6b:20:18: - d8:b1:06:03:21:b3:71:7a:ed:43:fd:29:d5:23:fa: - cc:cf:43:fc:83:4a:cb:8b:e6:98:db:b3:49:f1:ba: - 2a:97:72:b7:44:83:d6:e7:5f + 00:ea:9c:d3:ba:0e:de:f9:c6:3c:2e:ef:7e:91:40: + 8e:58:04:16:4f:ff:81:61:0c:fd:b4:d2:86:3c:8a: + 6a:f9:33:63:0b:8e:2b:ac:9c:5c:00:28:16:fe:32: + bc:75:55:00:d2:91:0c:92:c9:0a:2d:c7:e2:f4:dd: + 14:fe:20:d8:45:79:d1:a0:1e:5d:91:a5:d2:00:17: + a4:bd:44:35:9c:f4:5f:63:dc:b9:19:a5:66:73:b1: + 16:ae:e7:d5:59:bd:d3:85:b1:b7:ae:3e:a8:a8:9e: + 0d:d9:cd:f5:38:30:d3:56:d9:44:08:11:23:ca:bb: + 5e:96:fd:8d:e8:77:7e:c4:8e:58:a8:02:6d:20:77: + 9a:9d:4b:bd:6a:6e:c0:a4:77:d2:37:cb:b5:c4:4a: + 87:03:a9:aa:a8:22:4b:e9:13:f2:22:64:44:0c:b4: + 2b:60:56:9b:c7:76:1e:7d:ba:06:15:9a:ad:ae:36: + 9a:9d:f0:df:83:e5:64:4b:18:53:b1:1d:ed:bc:70: + 08:48:45:7e:c6:ab:ad:d9:bc:79:03:3d:af:e8:f6: + cd:4e:04:27:ce:8c:d7:09:d9:50:87:f7:76:37:eb: + a3:3b:96:46:b6:05:85:3c:f2:0a:23:3c:d2:8e:0e: + 86:08:19:6f:8f:56:2f:bd:90:80:98:a9:8a:c4:9a: + 71:9d:25:08:9b:d0:14:23:d4:99:ac:f9:68:44:fd: + 01:bd:e4:b0:1f:87:f2:0c:16:88:31:01:5e:af:df: + 81:c0:29:d1:05:c8:37:6f:4c:b6:81:b3:d0:f1:f5: + d9:1c:cf:e6:95:40:41:ec:2f:b9:39:d2:1b:48:c9: + 03:ca:0a:9f:4b:41:74:ff:31:bd:40:d5:46:cc:c9: + 
84:94:e9:aa:d3:ae:df:fc:07:0e:4b:6c:68:07:70: + 92:aa:ff:9a:21:c0:67:aa:e8:72:7b:db:97:f4:d0: + fb:e9:6d:4c:48:19:55:fb:c4:f3:fa:78:c6:94:2f: + fd:88:b1:c7:58:fd:03:2a:28:51:5e:8e:2d:95:fa: + 46:57:b9:6c:93:b5:8a:44:21:82:1d:d2:c7:0b:88: + 24:2d:e0:45:0d:8f:3a:23:c4:1f:e2:2d:00:a4:71: + a7:01:c7:17:b8:03:29:fc:2e:92:9b:dd:75:cc:1e: + 0e:01:72:71:a7:80:9f:7b:e1:eb:35:42:1f:0c:1d: + ae:69:2c:ee:70:65:19:4c:5b:d7:07:27:c8:2c:ce: + cc:d1:67:39:de:88:0a:e1:21:c9:ad:50:f2:88:79: + 15:6d:7a:46:23:4a:93:bd:72:b5:3c:a4:d2:91:27: + ab:d2:f0:f7:5f:17:8c:7e:01:33:6e:2e:3e:8f:48: + 18:06:ef Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: - 9B:B5:FE:90:D3:72:49:B1:98:9A:67:76:A3:C9:22:15:F1:5A:AE:11 + 4D:9F:B8:92:F4:98:3B:7E:1F:EA:AE:A3:3C:DF:CF:E7:56:4E:F6:25 X509v3 Authority Key Identifier: - keyid:6E:48:13:DC:BF:8B:95:4C:13:F3:1F:97:30:DD:27:96:59:9B:0E:68 + keyid:FD:C6:56:72:BC:EA:82:19:48:00:B0:A3:8B:F7:79:3F:F7:26:FC:23 DirName:/CN=hx509 Test Root CA/C=SE - serial:99:32:DE:61:0E:40:19:8A + serial:99:65:F9:34:C3:90:C1:72 X509v3 Basic Constraints: CA:TRUE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign, CRL Sign Signature Algorithm: sha1WithRSAEncryption - 25:cb:bf:77:d2:16:0f:a5:ac:4e:42:17:e1:81:03:36:1e:dc: - 33:1a:49:ba:1f:40:5b:5b:80:9c:20:b7:13:3b:f4:4f:79:c1: - b4:6e:14:d5:fd:84:59:58:d5:db:a6:6d:5b:6f:e6:d0:58:d6: - 8e:41:2c:ef:e9:c8:b7:ca:6f:cb:11:6e:13:45:f7:73:6e:91: - 71:22:14:18:b9:b4:ad:3b:c4:e9:6f:99:6d:59:59:52:6f:c8: - 65:67:f1:e4:d9:6f:0b:a3:3c:9f:ac:01:b7:1a:9b:97:74:92: - 7b:ea:05:a0:5d:09:77:fb:79:17:c2:35:2f:f9:09:fc:10:b3: - e0:3e + 8f:4e:97:f7:a7:87:17:27:af:2f:30:23:97:2e:09:35:03:01: + 9c:13:38:12:85:49:10:ce:69:c4:74:69:67:6d:61:3a:bb:c5: + 5a:e7:55:da:f0:a3:06:be:ff:55:eb:89:a2:65:2e:35:ca:24: + 49:0a:fa:01:3a:c8:50:af:94:ee:cd:e9:67:2a:1b:1b:a3:40: + 1e:e4:4a:7a:31:93:1c:e6:77:9e:a3:41:19:66:64:dd:f3:73: + 34:d7:28:38:3f:f5:94:2d:58:3f:bd:24:cd:5b:ed:77:81:53: + 
31:45:67:e4:d7:85:ce:d2:10:f1:b7:0f:03:22:3c:c1:be:aa: + 8a:d1:92:b6:03:e5:92:a3:4c:d3:76:ee:8a:83:01:c8:a0:0a: + 53:3a:c6:a4:36:8d:51:35:a5:07:dc:8c:35:c9:03:fa:1d:ec: + 49:05:f0:b0:0e:fe:24:f5:4e:db:be:f3:00:b0:35:57:d6:31: + 02:c2:e1:6f:3a:2c:2c:42:f9:87:5b:c3:72:f7:46:6a:1f:0e: + 16:50:ee:a6:00:42:30:ad:05:07:d4:8e:0a:0d:c6:23:b3:d7: + 9b:01:57:12:7b:7d:1b:5d:60:b7:fe:78:4f:91:1b:76:df:a6: + a7:f5:61:76:3b:1c:6f:7c:c7:57:7f:bf:c7:ac:23:c5:c5:cf: + 6b:5e:83:1c:4c:7e:83:2d:f6:db:51:85:7c:d3:6b:dc:f6:f7: + 53:1f:26:3a:8d:91:f1:6a:43:cb:57:1a:24:71:94:48:74:72: + a1:58:ea:f8:0d:3e:71:5b:35:2f:30:b4:3a:2c:6e:b4:51:27: + 7e:66:e5:f8:cc:2b:88:bc:98:cf:24:6b:5f:46:31:3e:ce:58: + d4:26:01:87:c8:1b:d9:10:a1:76:3a:f1:8b:16:2f:3f:54:b0: + 95:ff:c0:4f:3a:67:2d:28:6e:2c:fb:81:87:92:c8:8c:13:45: + 3e:d0:ec:12:b8:52:0e:71:dc:dc:50:1f:57:44:1d:6f:80:bd: + 50:db:26:3e:63:27:53:9f:99:46:39:04:2b:66:a7:f9:f3:f3: + 99:c6:33:4a:44:0b:90:ea:5d:17:1c:41:1e:44:db:73:c5:68: + d1:e4:04:01:99:49:59:23:0d:2b:06:5a:fc:db:56:90:67:6d: + 28:b8:66:6c:56:70:12:ae:36:dd:f0:b9:6d:f1:c9:5c:77:0f: + 30:d9:46:e1:57:e5:d3:92:92:c1:74:40:99:24:00:ff:57:59: + 2d:48:e5:1f:97:34:8b:7f:26:3e:24:9e:a6:96:14:16:d7:be: + 94:1a:55:37:5a:d2:94:1f:df:9d:f2:8a:88:5d:e2:8b:c4:59: + 60:06:44:52:a9:73:29:ed -----BEGIN CERTIFICATE----- -MIICWDCCAcGgAwIBAgIBCjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw -OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA5MDQyNjIwMjk0MVoXDTE5 -MDQyNDIwMjk0MVowHjELMAkGA1UEBhMCU0UxDzANBgNVBAMMBlN1YiBDQTCBnzAN -BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvT1jeD4xhdkdt/gEAlhTEt4axpWbUSl7 -x2J2uaZjVj1HyC+7a5t92PGpPAthZv3R59dtdKAwnKB9gEEEGoZhtBJ5nZ2wO/sK -TGmPBjMHhQ5zzQH6lvlrIBjYsQYDIbNxeu1D/SnVI/rMz0P8g0rLi+aY27NJ8boq -l3K3RIPW518CAwEAAaOBmTCBljAdBgNVHQ4EFgQUm7X+kNNySbGYmmd2o8kiFfFa -rhEwWgYDVR0jBFMwUYAUbkgT3L+LlUwT8x+XMN0nllmbDmihLqQsMCoxGzAZBgNV -BAMMEmh4NTA5IFRlc3QgUm9vdCBDQTELMAkGA1UEBhMCU0WCCQCZMt5hDkAZijAM -BgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB5jANBgkqhkiG9w0BAQUFAAOBgQAly793 
-0hYPpaxOQhfhgQM2HtwzGkm6H0BbW4CcILcTO/RPecG0bhTV/YRZWNXbpm1bb+bQ -WNaOQSzv6ci3ym/LEW4TRfdzbpFxIhQYubStO8Tpb5ltWVlSb8hlZ/Hk2W8Lozyf -rAG3GpuXdJJ76gWgXQl3+3kXwjUv+Qn8ELPgPg== +MIIFXTCCA0WgAwIBAgIBCjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw +OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxOFoXDTM4 +MDExNjE1MDUxOFowHjELMAkGA1UEBhMCU0UxDzANBgNVBAMMBlN1YiBDQTCCAiIw +DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOqc07oO3vnGPC7vfpFAjlgEFk// +gWEM/bTShjyKavkzYwuOK6ycXAAoFv4yvHVVANKRDJLJCi3H4vTdFP4g2EV50aAe +XZGl0gAXpL1ENZz0X2PcuRmlZnOxFq7n1Vm904Wxt64+qKieDdnN9Tgw01bZRAgR +I8q7Xpb9jeh3fsSOWKgCbSB3mp1LvWpuwKR30jfLtcRKhwOpqqgiS+kT8iJkRAy0 +K2BWm8d2Hn26BhWara42mp3w34PlZEsYU7Ed7bxwCEhFfsarrdm8eQM9r+j2zU4E +J86M1wnZUIf3djfrozuWRrYFhTzyCiM80o4OhggZb49WL72QgJipisSacZ0lCJvQ +FCPUmaz5aET9Ab3ksB+H8gwWiDEBXq/fgcAp0QXIN29MtoGz0PH12RzP5pVAQewv +uTnSG0jJA8oKn0tBdP8xvUDVRszJhJTpqtOu3/wHDktsaAdwkqr/miHAZ6rocnvb +l/TQ++ltTEgZVfvE8/p4xpQv/Yixx1j9AyooUV6OLZX6Rle5bJO1ikQhgh3SxwuI +JC3gRQ2POiPEH+ItAKRxpwHHF7gDKfwukpvddcweDgFycaeAn3vh6zVCHwwdrmks +7nBlGUxb1wcnyCzOzNFnOd6ICuEhya1Q8oh5FW16RiNKk71ytTyk0pEnq9Lw918X +jH4BM24uPo9IGAbvAgMBAAGjgZkwgZYwHQYDVR0OBBYEFE2fuJL0mDt+H+quozzf +z+dWTvYlMFoGA1UdIwRTMFGAFP3GVnK86oIZSACwo4v3eT/3JvwjoS6kLDAqMRsw +GQYDVQQDDBJoeDUwOSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFggkAmWX5NMOQ +wXIwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAeYwDQYJKoZIhvcNAQEFBQADggIB +AI9Ol/enhxcnry8wI5cuCTUDAZwTOBKFSRDOacR0aWdtYTq7xVrnVdrwowa+/1Xr +iaJlLjXKJEkK+gE6yFCvlO7N6WcqGxujQB7kSnoxkxzmd56jQRlmZN3zczTXKDg/ +9ZQtWD+9JM1b7XeBUzFFZ+TXhc7SEPG3DwMiPMG+qorRkrYD5ZKjTNN27oqDAcig +ClM6xqQ2jVE1pQfcjDXJA/od7EkF8LAO/iT1Ttu+8wCwNVfWMQLC4W86LCxC+Ydb +w3L3RmofDhZQ7qYAQjCtBQfUjgoNxiOz15sBVxJ7fRtdYLf+eE+RG3bfpqf1YXY7 +HG98x1d/v8esI8XFz2tegxxMfoMt9ttRhXzTa9z291MfJjqNkfFqQ8tXGiRxlEh0 +cqFY6vgNPnFbNS8wtDosbrRRJ35m5fjMK4i8mM8ka19GMT7OWNQmAYfIG9kQoXY6 +8YsWLz9UsJX/wE86Zy0obiz7gYeSyIwTRT7Q7BK4Ug5x3NxQH1dEHW+AvVDbJj5j +J1OfmUY5BCtmp/nz85nGM0pEC5DqXRccQR5E23PFaNHkBAGZSVkjDSsGWvzbVpBn 
+bSi4ZmxWcBKuNt3wuW3xyVx3DzDZRuFX5dOSksF0QJkkAP9XWS1I5R+XNIt/Jj4k +nqaWFBbXvpQaVTda0pQf353yiohd4ovEWWAGRFKpcynt -----END CERTIFICATE----- diff --git a/lib/hx509/data/sub-ca.key b/lib/hx509/data/sub-ca.key index 19415e8669e6..13570b1e2acf 100644 --- a/lib/hx509/data/sub-ca.key +++ b/lib/hx509/data/sub-ca.key 
@@ -1,16 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAL09Y3g+MYXZHbf4 -BAJYUxLeGsaVm1Epe8didrmmY1Y9R8gvu2ubfdjxqTwLYWb90efXbXSgMJygfYBB -BBqGYbQSeZ2dsDv7CkxpjwYzB4UOc80B+pb5ayAY2LEGAyGzcXrtQ/0p1SP6zM9D -/INKy4vmmNuzSfG6Kpdyt0SD1udfAgMBAAECgYEAi8GahGLqD/+YgxUXYOP59iUx -gRdb7UTFtSpypAjNtBLtwFoAACiFeIKAiWeeN4GcU6w1mbv0Krgb92wMq8oyvJIG -mD+jyzdYSj1C00nQ3WF9b77nasAGP6IzhP82H+c6HjIJOo04MrM0s7lW3ETJbqyq -CDpgqufEkXSKO4f1eAECQQD8RB3zRZw0+AMy+v8RBSvHGOyH8WPwheDKST9ycr/c -fizcSjjUVaJOH107/SH/GKn+wrDx4vSJXnQqnFLTRYufAkEAwAp0CeXerZhpxAHf -SnB/GFRE8xnR7U0sIuAkCupYtr0dQZj4bkeRWuM7dNujKM1EomU/S/ngHlns/KPJ -kH0MQQJABtkGgxsJoXp2A8VCdUDRrmbjzNDlqJrJvlP8r+ujf6XBK/2ryz/D1yEM -09sMODOAMdUxHm/NuYjh2GJD8U46+wJAN4OOEcJqgaI6iNfFtZ4Zj23k1KWVItUZ -OiezI5ik9oZqq6jNwAteQHjJmjlXzBayjYNZLdxY5k02jb3HKcaMQQJAdelGxbOu -NRR3NdcwRUdRBlqTCVAx1qXlDmYvvUNRsEAr17t9ij7bwfxTrFmIEdCoqTlY5K+Z -mg1qwSeTGe3x4Q== +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDqnNO6Dt75xjwu +736RQI5YBBZP/4FhDP200oY8imr5M2MLjiusnFwAKBb+Mrx1VQDSkQySyQotx+L0 +3RT+INhFedGgHl2RpdIAF6S9RDWc9F9j3LkZpWZzsRau59VZvdOFsbeuPqiong3Z +zfU4MNNW2UQIESPKu16W/Y3od37EjlioAm0gd5qdS71qbsCkd9I3y7XESocDqaqo +IkvpE/IiZEQMtCtgVpvHdh59ugYVmq2uNpqd8N+D5WRLGFOxHe28cAhIRX7Gq63Z +vHkDPa/o9s1OBCfOjNcJ2VCH93Y366M7lka2BYU88gojPNKODoYIGW+PVi+9kICY +qYrEmnGdJQib0BQj1Jms+WhE/QG95LAfh/IMFogxAV6v34HAKdEFyDdvTLaBs9Dx +9dkcz+aVQEHsL7k50htIyQPKCp9LQXT/Mb1A1UbMyYSU6arTrt/8Bw5LbGgHcJKq +/5ohwGeq6HJ725f00PvpbUxIGVX7xPP6eMaUL/2IscdY/QMqKFFeji2V+kZXuWyT +tYpEIYId0scLiCQt4EUNjzojxB/iLQCkcacBxxe4Ayn8LpKb3XXMHg4BcnGngJ97 +4es1Qh8MHa5pLO5wZRlMW9cHJ8gszszRZzneiArhIcmtUPKIeRVtekYjSpO9crU8 +pNKRJ6vS8PdfF4x+ATNuLj6PSBgG7wIDAQABAoICAEljDQeiJzVSQPkdiSW+X8hA +XwpfDgVhnuq0/7BoS9XvsQeoTRkNP+n8oFSbYkABeuRi4t/3auuvHtshXLOxanUx +CdVgKjyo9et5edqKP4r9FemS3YOcLVP7DPFhK2eK7WNgl+g1SWSVLBf5SL9u5mzA +QXuUgPGlco0gewdAebLaI/lJ6QDC6OZTDskAI9pOcL9rRUxFU75dkDhPohciWhdP +7clbgkX8UXYvCJKjYcvYOoPIKM1Gz2PemWS0E1nP1tGe6bhRpLpYcWUug1v0K9Zf 
+fRDuU9VUUN+PzpT5X01WtBSriSrexzKtM2aaW/J7sIlQC4l2mDBfxxn5zqJ4/Rhl +aOJ6MDrBaA0IiVSJaYtSXS13G6MS3H3zLm7z5ZeTIa5ysqlg0Sb44xVDDhGshb3k +/seBYviwHfZY8d2b2pp5FVUbwC3gL7wqr4oUN1iE3q8xdDxqRZfqqhvyBWuTOPvS +TqRjcx+eK+Y4xSdlldgsj/gIiRiWe6MOYwoC0mBOXOqO5hBOKPGWX26FmqUirmJt +3MCThLYcDTexLYiu+mpOl69YaoGCyXoWtiQpzdaJ/oPCmqLbMyL0O4t6eecK80d6 +mYSHBhqqXzNm03SMI2PyeuGadAjmJUY5GmT2V1+6JKWcVT/luMluEyfqjbZLxU7u +s8QGchKj1btBN21iQ7RBAoIBAQD5ghu4Jm9X9V+Z4RKrSDIrcep/gkm3LoTQ7jrm +tcZ0gOf0TLkCNEIMcCHGNj5V1seCbmsk7ysVVw0Ew1UeVBv5JlNroixV2/rF+G62 +MPT0o9BuboFfusM9G1fZP7IoTE2WL/6LXejRyxqxpdXLkT8+a/+52xpcmZzgLAJo +rd2+4ODywc2a2K97rBYFq+I7XajHs0NI/EMAAVUUmuY3ekyo3+YDPA9ys6sRJnAu +hhSvXPgeOep0UeDCXJFb3o+lXXnrEp6TUUPwxsmz88BNGrI3T7N5LT/6mV8Wm2i5 +gI0+KSVY2j/2aZmNk04xqVf9sYm+4OJyPqKbOPaJ9i7jzrx5AoIBAQDwt4EBESia +YLARxkWEJkfKhRcPBC/iYLSikrJh/LwCbAT/T4M/VotBJv4qGZgQLCVSX2lDZy2e +XPQZqmvcQbcA+rm/JX/jZkU4mW08GY4NtqZf4wAQv2vb7SCML86+QzzP2zTobyga +a4uXF/vJCFkxQz05fGuYS5NhPYZcCIjLLb6Lx02jy8S40am7JKErrjVzyQZVKxgS +hhvm5qW9wpbzvnczGkBWWf/bFVfzotO1Ghrdu1iBeJAN88wHNL0g8rFYAnO6ZigA +tj2l2qSeIzZ8IU43Tqm24DH9/GQNOdw90ML/kZkp/0rr0ZXD3KMxICpGlYdbjMgx +eZrFRFkT5rSnAoIBADMCDFSrVtvuh+rXfo+RpOAI293RbuyKEBD+gwAjbTzoFYN2 +I+R1doNAcUcqU7gMvqDFnhXg5zfnofu1SzN2EnnvAeLhNpse67eJQGjyvUE+NCA/ +ayd88OkPK/h38x4V606m5Szst+ob0Ys70edZ/EnwnkkKp+sCZHXXyW5JDSo2owY9 +5KChZ86qsZ3bM9bbIOQim8DSAYiAvToHKMVytTVZAJbssmPKo1BQQWLhel0XbooP +YQUCsCZL8lOLvmYaJBCQr+aCGJeirB2j2U5qBMEWBCTjwU6kCDKA9vnlc/qfQslV +ZPolQIUW9kdkzV5J61UgeGrOr0N4c75km9VqsFECggEBAJvNCfBY3MDe59b5T7Ey +3bCU59HOUffhw8idzlthq4adx7ZADqEGMOegh01Ud3mwOQ/RtV3tADfJzix2g41x +8zLtFSBE8zuJzC/QDkWh/LGfkJvrXvV4ECWumyxhHR1Eg629Icd3eqtvBFBtM4hw +oNojvRLiFvnhoKiFm9shovhuyS/LddMYZmGBQqxgDvkormwcpr6lP9Vte829Z3Uk +53MnyhsHWLELW3C/pceJkiFbnhv50FUsZYDCVUIsvmT+8A4YuDLjP+0GB2y70WSR +QgihvfBKN8qn3XOY0mFFG+nenvevk0T9ec6cPqUgv3dibDp3Ob7lpgVvwd8AV+9r +mW0CggEAW2N9dnmQ9Wz4l3WNGJsiEOdOgYXgFv4IqmPbUFBvVsr7EjpJ4QiEwwwK +rAY+RZW0kFrxK0a1IeMG9WYNWwPfnmA+5jarOnVQDctcWzPWTKQMkMm6r9HTK29b 
+BS5TNMyr0Tw58zhG65Y2fvqyHnnd+DeOLzAuRBNPiNDolwEHz/3NkygCYZ/vTWv5 +KzIdRRamjt2G3EAcQkmQB338Z16liqBbiAkVNfP6TaJ/f/T4McVXML1poG2Hna/k +cdhyTVWVjzTR/awu/w27dUG5DbkaACmAmIrvKVcQOLdnCxYsuAwSgyVC5obTkMv8 +FAyxqmq2U5lLkxSX9M7dtz1OfJnbxA== -----END PRIVATE KEY----- diff --git a/lib/hx509/data/sub-cert.crt b/lib/hx509/data/sub-cert.crt index 236e4d094265..3186c83946e6 100644 --- a/lib/hx509/data/sub-cert.crt +++ b/lib/hx509/data/sub-cert.crt 
@@ -2,25 +2,51 @@ Certificate: Data: Version: 3 (0x2) Serial Number: 11 (0xb) - Signature Algorithm: sha1WithRSAEncryption + Signature Algorithm: sha1WithRSAEncryption Issuer: C=SE, CN=Sub CA Validity - Not Before: Apr 26 20:29:41 2009 GMT - Not After : Apr 24 20:29:41 2019 GMT + Not Before: May 23 15:05:20 2019 GMT + Not After : Jan 16 15:05:20 2038 GMT Subject: C=SE, CN=Test sub cert Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) + Public-Key: (4096 bit) Modulus: - 00:c2:e7:0c:98:23:cd:54:66:28:8c:e4:75:fc:4e: - cd:1c:1d:eb:1f:0c:c4:56:78:07:7d:73:3d:9e:0d: - 02:29:a3:c9:f6:46:fa:24:ce:1f:49:f8:1f:0d:ea: - d7:aa:91:ed:0a:8d:69:05:a9:36:94:70:52:e8:05: - 42:04:19:6d:55:44:85:c2:d4:3a:2c:a7:ad:aa:42: - 54:cb:78:a1:fa:bb:b9:40:41:80:28:c4:27:42:a6: - 6b:f2:33:84:a2:c0:3e:f6:fe:b1:70:54:8a:0c:44: - 8f:81:1b:27:d8:7c:59:3f:f0:de:ea:dc:08:3f:88: - f8:f2:bf:58:3f:a4:fa:f5:9b + 00:b0:b9:77:f4:5d:e2:66:7d:10:16:aa:24:16:3b: + 13:8d:ad:b1:00:12:eb:49:14:8d:73:3a:e2:ee:f7: + fe:13:98:da:d9:d6:72:e2:8e:a9:dc:c6:d9:5c:86: + e6:03:fd:29:a5:de:46:05:02:4f:a9:79:25:61:5f: + f7:53:64:03:cd:2e:9d:c8:43:d9:45:48:14:7e:59: + ae:c6:ad:25:78:10:71:57:43:30:45:65:d4:0c:5d: + 52:91:97:dc:b8:93:38:64:9a:0b:4f:da:16:f7:1b: + 8e:aa:f5:e5:cc:3d:0d:84:ba:d7:fd:f9:5f:4a:ed: + c3:c8:36:66:f4:42:fc:5d:00:2b:7d:7b:8b:51:94: + 35:a9:27:3a:71:fb:ac:f5:2f:e4:d2:8b:c6:22:e5: + e5:a3:1b:13:95:3e:0f:0d:3e:07:1f:6e:23:b0:5d: + f7:60:01:e5:08:85:01:ac:48:31:32:38:1e:57:e8: + 1b:3c:38:c3:70:3a:81:1b:04:60:3b:c7:20:a9:8a: + fe:b9:c5:4b:c7:10:28:32:0a:7c:1d:f3:8f:5c:d0: + 2a:2e:83:97:3a:5f:42:34:95:1b:c4:b1:73:ff:23: + a9:e6:fb:9f:f4:40:2e:2f:c0:ad:9f:d6:c2:45:21: + 40:51:f9:2e:98:db:90:34:3e:f6:54:e5:fc:cc:d5: + 06:4c:19:81:53:af:bd:a1:8d:83:3a:b5:c7:1b:85: + 78:dc:64:65:f8:ed:88:b6:69:4d:c0:3b:da:9b:d5: + eb:32:e0:e0:1c:00:65:e7:f0:5b:f1:bc:e2:e8:8a: + a5:31:9e:d6:da:d3:c3:2f:d0:84:9a:f3:f1:2d:e1: + b3:63:3e:2a:ce:c9:98:45:1b:7e:8a:bc:2f:0a:f1: + 
39:82:39:70:d0:f7:28:18:3a:74:eb:d0:4c:e7:99: + e5:e6:b1:f7:33:57:60:14:cf:2b:24:59:ed:30:f6: + a5:b1:6b:54:3d:74:ef:68:7c:69:b1:35:e8:1b:9e: + 0a:d4:38:27:ea:7c:1e:01:11:46:4e:07:b2:da:00: + f5:8c:a5:a6:d0:7f:24:a7:d9:32:a2:bf:6e:92:a3: + 16:83:1d:ed:74:e6:3f:6b:ab:1b:23:65:84:32:51: + 94:2f:1e:01:1d:13:b7:b3:6e:c2:2e:67:bd:33:8e: + 41:44:14:29:07:92:01:99:2d:f6:ac:51:26:a3:44: + 67:5e:cd:0e:35:e7:83:43:3a:20:78:63:23:4c:ee: + f4:5b:32:0f:17:49:14:d6:14:9d:d4:32:2d:b6:15: + 42:2a:7e:1f:3a:90:df:df:92:6d:b8:41:e3:39:29: + d9:c2:2c:bf:94:67:9e:a9:8b:10:14:3a:ca:0a:10: + cf:a4:5d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
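Review bot: the regenerated sub-cert.crt in this hunk still reads `Signature Algorithm: sha1WithRSAEncryption`; the -/+ pair on that line differs only in whitespace, while the key goes from 1024 to 4096 bits. Since the fixture is being reissued anyway, either sign it with a SHA-2 digest or record next to the test data that SHA-1 is kept deliberately for the tests, so nobody reads the 4096-bit key as a full strength upgrade. The validity also changes from an Apr 24 2019 expiry to `Not After : Jan 16 15:05:20 2038 GMT`, which sits just under the signed 32-bit time_t limit of Jan 19 2038; a short note stating that this date was chosen for that reason would save the next person from guessing when the fixtures have to be regenerated again.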
@@ -28,26 +54,63 @@ Certificate: X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Key Identifier: - C1:80:37:61:B7:F7:BD:09:84:1C:5C:CF:65:6D:FE:15:0B:78:85:C0 + C8:FC:4C:74:0D:42:18:8E:0A:4B:7C:61:C7:CD:36:FD:A9:96:8E:64 Signature Algorithm: sha1WithRSAEncryption - 97:06:c7:34:4f:17:20:6f:fd:f1:0e:eb:33:f1:eb:fe:49:ee: - 5d:6c:59:f2:4d:97:c0:ad:5a:2c:85:c2:b5:21:04:b0:ee:d1: - 2c:2b:54:0e:9c:82:c9:45:81:9c:2a:3a:e2:fa:78:94:52:56: - 19:99:11:44:78:f4:7d:b0:fc:d2:d3:49:d8:2f:9d:ff:23:5c: - 83:96:a0:14:a8:49:a1:bd:4a:ef:d2:67:96:5e:b7:36:36:86: - cc:ea:17:c3:3e:b7:18:ae:0a:03:43:4a:af:ab:ef:b9:c8:ec: - d6:27:39:c7:33:b7:34:54:d6:b5:1b:8c:85:a1:c1:13:b5:cd: - 0f:b7 + 5c:65:de:68:c8:80:3b:8b:08:74:2d:f4:89:51:42:7e:ac:41: + 83:d0:7f:ff:cb:d4:95:84:10:52:f9:2f:77:62:04:b9:03:8f: + a5:b2:16:92:19:c9:94:62:ae:3a:2b:73:89:59:73:2e:e3:05: + 05:0a:dc:e4:00:be:6b:fc:1e:ad:92:e2:8d:1d:a8:e2:71:6e: + 10:3b:50:5d:1c:c1:97:e7:4a:14:c3:1e:9a:a3:4c:e6:5f:4a: + fe:21:43:94:e1:e5:11:7c:42:c6:b7:06:d5:11:45:5d:3c:bf: + e7:9d:9b:4e:0a:9b:7a:94:09:ed:b1:fb:07:c4:2f:16:a3:8b: + 92:50:23:b6:5c:33:fa:2c:39:83:3a:6a:92:d2:00:a8:e0:a7: + 28:25:8a:b6:09:ee:17:6a:f3:be:38:c8:48:04:2e:81:96:9c: + 08:a2:3b:48:6e:f2:75:d8:5b:07:00:13:64:1f:a5:a1:7e:bf: + d1:a4:fa:5f:61:55:40:67:8a:76:31:28:1c:f8:a7:f0:9e:bb: + e0:bd:18:89:6c:9c:e7:21:9f:49:ab:3f:1b:43:12:c3:4d:fc: + cc:e7:f4:4c:4f:c0:45:5b:30:f7:9b:09:60:a7:46:a5:f0:8b: + ea:ab:62:78:3c:7a:cc:ea:09:2b:f7:7c:06:04:b2:f7:31:68: + b0:25:e0:7e:bf:50:b5:a3:b6:f3:1d:c0:42:95:d9:79:f6:8e: + 94:cc:b4:da:f9:e6:fe:7a:44:93:80:0b:25:d9:54:69:8e:d8: + 7e:08:a8:63:55:67:3c:32:87:52:73:38:fa:0a:e0:4c:ac:1e: + b1:7d:bc:89:ee:a5:d6:79:ed:79:2c:97:f0:c6:a4:1f:ff:ca: + 1e:38:a9:86:22:46:d3:ff:69:44:aa:7c:9d:c0:35:d3:99:03: + 86:5e:b4:d0:e4:16:c9:f1:83:16:5f:b8:b9:a0:8b:16:c2:31: + 17:2d:59:de:a7:b0:16:cc:63:10:16:17:20:cf:e3:af:02:92: + 48:d3:64:38:44:9c:16:a9:62:5b:be:7f:c8:1f:4e:69:d6:44: + 
35:92:cd:69:fc:e5:23:60:4e:a3:93:92:1f:aa:6e:ae:77:cc: + 63:fe:ff:49:10:10:c4:3c:53:34:1c:d9:51:41:d8:73:86:5e: + d5:a8:22:38:b0:20:3a:11:3f:a0:50:ba:4a:ad:8f:1b:34:51: + 68:6e:66:6a:77:22:ec:a8:8a:14:ff:cc:3d:32:20:76:d9:a5: + d1:fc:4c:60:35:dc:1e:38:a4:02:ee:65:8b:79:8e:65:6c:2d: + dd:c8:54:70:c2:9e:03:29:a5:99:ac:9b:83:52:c4:19:1b:8e: + f1:15:cd:71:c8:1d:0a:de -----BEGIN CERTIFICATE----- -MIIB8jCCAVugAwIBAgIBCzANBgkqhkiG9w0BAQUFADAeMQswCQYDVQQGEwJTRTEP -MA0GA1UEAwwGU3ViIENBMB4XDTA5MDQyNjIwMjk0MVoXDTE5MDQyNDIwMjk0MVow -JTELMAkGA1UEBhMCU0UxFjAUBgNVBAMMDVRlc3Qgc3ViIGNlcnQwgZ8wDQYJKoZI -hvcNAQEBBQADgY0AMIGJAoGBAMLnDJgjzVRmKIzkdfxOzRwd6x8MxFZ4B31zPZ4N -AimjyfZG+iTOH0n4Hw3q16qR7QqNaQWpNpRwUugFQgQZbVVEhcLUOiynrapCVMt4 -ofq7uUBBgCjEJ0Kma/IzhKLAPvb+sXBUigxEj4EbJ9h8WT/w3urcCD+I+PK/WD+k -+vWbAgMBAAGjOTA3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBTB -gDdht/e9CYQcXM9lbf4VC3iFwDANBgkqhkiG9w0BAQUFAAOBgQCXBsc0Txcgb/3x -Dusz8ev+Se5dbFnyTZfArVoshcK1IQSw7tEsK1QOnILJRYGcKjri+niUUlYZmRFE -ePR9sPzS00nYL53/I1yDlqAUqEmhvUrv0meWXrc2NobM6hfDPrcYrgoDQ0qvq++5 -yOzWJznHM7c0VNa1G4yFocETtc0Ptw== +MIIE9zCCAt+gAwIBAgIBCzANBgkqhkiG9w0BAQUFADAeMQswCQYDVQQGEwJTRTEP +MA0GA1UEAwwGU3ViIENBMB4XDTE5MDUyMzE1MDUyMFoXDTM4MDExNjE1MDUyMFow +JTELMAkGA1UEBhMCU0UxFjAUBgNVBAMMDVRlc3Qgc3ViIGNlcnQwggIiMA0GCSqG +SIb3DQEBAQUAA4ICDwAwggIKAoICAQCwuXf0XeJmfRAWqiQWOxONrbEAEutJFI1z +OuLu9/4TmNrZ1nLijqncxtlchuYD/Sml3kYFAk+peSVhX/dTZAPNLp3IQ9lFSBR+ +Wa7GrSV4EHFXQzBFZdQMXVKRl9y4kzhkmgtP2hb3G46q9eXMPQ2Eutf9+V9K7cPI +Nmb0QvxdACt9e4tRlDWpJzpx+6z1L+TSi8Yi5eWjGxOVPg8NPgcfbiOwXfdgAeUI +hQGsSDEyOB5X6Bs8OMNwOoEbBGA7xyCpiv65xUvHECgyCnwd849c0Coug5c6X0I0 +lRvEsXP/I6nm+5/0QC4vwK2f1sJFIUBR+S6Y25A0PvZU5fzM1QZMGYFTr72hjYM6 +tccbhXjcZGX47Yi2aU3AO9qb1esy4OAcAGXn8FvxvOLoiqUxntba08Mv0ISa8/Et +4bNjPirOyZhFG36KvC8K8TmCOXDQ9ygYOnTr0EznmeXmsfczV2AUzyskWe0w9qWx +a1Q9dO9ofGmxNegbngrUOCfqfB4BEUZOB7LaAPWMpabQfySn2TKiv26SoxaDHe10 +5j9rqxsjZYQyUZQvHgEdE7ezbsIuZ70zjkFEFCkHkgGZLfasUSajRGdezQ4154ND 
+OiB4YyNM7vRbMg8XSRTWFJ3UMi22FUIqfh86kN/fkm24QeM5KdnCLL+UZ56pixAU +OsoKEM+kXQIDAQABozkwNzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAdBgNVHQ4E +FgQUyPxMdA1CGI4KS3xhx802/amWjmQwDQYJKoZIhvcNAQEFBQADggIBAFxl3mjI +gDuLCHQt9IlRQn6sQYPQf//L1JWEEFL5L3diBLkDj6WyFpIZyZRirjorc4lZcy7j +BQUK3OQAvmv8Hq2S4o0dqOJxbhA7UF0cwZfnShTDHpqjTOZfSv4hQ5Th5RF8Qsa3 +BtURRV08v+edm04Km3qUCe2x+wfELxaji5JQI7ZcM/osOYM6apLSAKjgpyglirYJ +7hdq8744yEgELoGWnAiiO0hu8nXYWwcAE2QfpaF+v9Gk+l9hVUBninYxKBz4p/Ce +u+C9GIlsnOchn0mrPxtDEsNN/Mzn9ExPwEVbMPebCWCnRqXwi+qrYng8eszqCSv3 +fAYEsvcxaLAl4H6/ULWjtvMdwEKV2Xn2jpTMtNr55v56RJOACyXZVGmO2H4IqGNV +Zzwyh1JzOPoK4EysHrF9vInupdZ57Xksl/DGpB//yh44qYYiRtP/aUSqfJ3ANdOZ +A4ZetNDkFsnxgxZfuLmgixbCMRctWd6nsBbMYxAWFyDP468CkkjTZDhEnBapYlu+ +f8gfTmnWRDWSzWn85SNgTqOTkh+qbq53zGP+/0kQEMQ8UzQc2VFB2HOGXtWoIjiw +IDoRP6BQukqtjxs0UWhuZmp3IuyoihT/zD0yIHbZpdH8TGA13B44pALuZYt5jmVs +Ld3IVHDCngMppZmsm4NSxBkbjvEVzXHIHQre -----END CERTIFICATE----- diff --git a/lib/hx509/data/sub-cert.key b/lib/hx509/data/sub-cert.key index eb42cfcec4ba..e9fcb0d3fb15 100644 --- a/lib/hx509/data/sub-cert.key +++ b/lib/hx509/data/sub-cert.key 
@@ -1,16 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMLnDJgjzVRmKIzk -dfxOzRwd6x8MxFZ4B31zPZ4NAimjyfZG+iTOH0n4Hw3q16qR7QqNaQWpNpRwUugF -QgQZbVVEhcLUOiynrapCVMt4ofq7uUBBgCjEJ0Kma/IzhKLAPvb+sXBUigxEj4Eb -J9h8WT/w3urcCD+I+PK/WD+k+vWbAgMBAAECgYBIFo1h+FwJy39UHWxGVh8nNymv -4lj8Yojira0suEMEg8A/hyEeW97WzR8vVp1OSYsTTBp8LYoyfRktGETCn2UAbxnZ -WGF3nx7TPYhX83N8QFT+NuIih051w9KkGcACD8PZqqeCIyt9YEOnNX276WToCzNy -121aeDYeimlUJopzAQJBAPBL53LfzOyB5EnQIbT9GTciFQEMJvMQPQqd8xo4S62m -3ydHIFDtGFP/1ZytGevGQWnkF0hxTc/PbUmoFxp+e8kCQQDPo7ddWjR3gxwEuy9M -5sj52OqTwUyS5V+mMUVua06gTaTIs66yh3yv1QpczQV1sr8o6EJ6v3qJKqIC3qRn -BBBDAkEA1JAAdDCfANPCEr1nI8gEJy4h8GREjBzgMmUYaChGYZ1Mp10WrB+ftqaH -2mmRlWwx7y7SncWEtIBjx5VGoqwiaQJBAIeeQeSaR0yL+N/qNrG+xyPRFx3ckhwb -7sZIxjWhpuAy9l8UZRU8QydBOZx1WIyQbCTW1pz/tZQjoV/IdY7Ha6sCQQCojspS -iBO6CALYSsdIL6ZX/bXqGmPyXbxszGkYlaJx2FmD2MjSVM2RxPmx5RLNL02EfFLX -DWUplanFI5eZTZ0N +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCwuXf0XeJmfRAW +qiQWOxONrbEAEutJFI1zOuLu9/4TmNrZ1nLijqncxtlchuYD/Sml3kYFAk+peSVh +X/dTZAPNLp3IQ9lFSBR+Wa7GrSV4EHFXQzBFZdQMXVKRl9y4kzhkmgtP2hb3G46q +9eXMPQ2Eutf9+V9K7cPINmb0QvxdACt9e4tRlDWpJzpx+6z1L+TSi8Yi5eWjGxOV +Pg8NPgcfbiOwXfdgAeUIhQGsSDEyOB5X6Bs8OMNwOoEbBGA7xyCpiv65xUvHECgy +Cnwd849c0Coug5c6X0I0lRvEsXP/I6nm+5/0QC4vwK2f1sJFIUBR+S6Y25A0PvZU +5fzM1QZMGYFTr72hjYM6tccbhXjcZGX47Yi2aU3AO9qb1esy4OAcAGXn8FvxvOLo +iqUxntba08Mv0ISa8/Et4bNjPirOyZhFG36KvC8K8TmCOXDQ9ygYOnTr0EznmeXm +sfczV2AUzyskWe0w9qWxa1Q9dO9ofGmxNegbngrUOCfqfB4BEUZOB7LaAPWMpabQ +fySn2TKiv26SoxaDHe105j9rqxsjZYQyUZQvHgEdE7ezbsIuZ70zjkFEFCkHkgGZ +LfasUSajRGdezQ4154NDOiB4YyNM7vRbMg8XSRTWFJ3UMi22FUIqfh86kN/fkm24 +QeM5KdnCLL+UZ56pixAUOsoKEM+kXQIDAQABAoICAAxzNIExsAZ6XwzJtbsfNFRx +3RtdOdgvK3vntR8St4KX7SsVkYhmdo8ILz32fvPe/PUjgJlPvV76GukOQrVMQXxO +AW2fYgogdtkj5k0224Hm3qVAJYFuGA8679sz8KfML1ffBlb8zUthVJ60rhjCYFZu +d1L8I3t63qUXOA+TPIYsweOYNYtsvo8JJXPsQBYR5rPyhuXkflYMTUfhVFwhd4z+ +TGNba1cHKyR7gk+p0lVwYKrevjRy50nbxUaq+0Ca2bE4CpP500nV2I8V8AKIKxxl 
+yeL3AEtrdJWRv6AOxFZAI/MS3QTvFJHmqBSvo4YNPqPHw0GfjjwwB1iZz0J663OI +5hZ1dHdaLk3HSb3XdemMnwi5guJru+ojmGv9w4si9gpVdayzRiar4BG3Q2s2u68b +t/Gr/5grWUFzhZua2BVTRpYzMQ2dX9aX/YNJdXV67Syg1sNb6jasjYXdjMhBhkD7 +UrgyUFgB/dC2M55AuCYtuSXbEdQAlMtrHOgdYfLSNRRj8FLCgnhe/72KB1hAhCrh +S5NKWdIfd3eDDoRYcCmiiKJ+5dPppy4G1xYxx/CvJep6NybSK18fsVYBDoXD3c00 +YoseUWueKcJshWDn71nYupwvvlbIegvOllvijcLMnFFKCDP0Yxfp8cZBZTYZrCH1 +Y4C/r4dnhCaxbS86Xf0dAoIBAQDrAqNl0BzrOBsDRDpdDy9yJgdiumII76yQFzEh +xm0OgBleKvx50awbuACDGoVQ9wFExX3NajDX5G5hwQkzy4UnG87RS2NZuaIgkN9o +IbSqDlswurlGYHG1azfBeOivnaGFMtxx+X0aM9TfXy50WgCnjgogXOcvfKkiCQiQ +kQuoLwBCEDX730gzrypcfbpECuo8lKP3s3dgan6uDkvmmAVQSW30maZOltToAljq +Hdf73JB+UNwTUrpCZH5F5EhKXZSRexDBGr5FeaxHi/R+whg73LS8Y6X97mpqs7Hq +FSmayZ3ILJx3sWJCyV2D+6k2Sk9gBWbMSUdGpS9BmBIZKS1fAoIBAQDAgil3ZhI1 +25DxeHLAS+ZcLVl5v/j3DfZsBfn4F6MjpqI9GAjaWnq/H54nv8PcYSlhWuFsN2dz +haJYzDJtFevor/I6DPYfrM2Sfxcz9rsi3m8+qGNLdVO/++hg9bxcUrIwiT8kv2Xi +OJnXvEFil5Ldmb/NM98TaUu//jYg4yr2w6f70rrtyVAsio3q7xrV1r7q2FjpF/Gq +BFJJ0pBwXtnYHJojaA2im9BnTtRmBxA4Y5/ImVofp7XFIuqI5SfYO9RNd/LX95Lv +pIg9DofsIMnK9v8Zp09s7UtNh76JbrG35mVvR9c7VZ5bBqbAJuk6WoRKyerkrMOE +7WfaNPtf4QvDAoIBAGyjk5WFV1kFXrdr2u8aDfzex5tEPf2Tjlot3nCWoeOKJC/7 +/yrxWnaV4Oa6Y9bB2LxJ75X9+QZUexKFghOHic5CdKEcEJlxzxju39frfPEAIfes +2elGvEn5fpTZp/dHD1vb3zxw8Pwj6cw42+i9kn/ikZvUVqsFHcq2EleCNblRwPTJ +Oatt1JrP5u1K0ciSoyXOMN5ZAF553IXp5fx7Wjl7OHFSdibuYw29yAyyLx4nIETE +bHgiTihS/Gyi0yhNiliWY3BhRIQpcxLACA5w+3Lw3DwadKmmhVs+Jojnr4v2mBHp +TYunXJ0zKR/SPq7yOy9QT+0wEtr9kZLpEbS/7FECggEAO69fadxkovwbOTKN6V7e +4g9RYXUKnJZgo2dK9AdoFiKQxH5SKFjLG7ySzWIgOJCLQtrpbyLSWTfCeON+cuHM +DY2XfTYNjQ6HgfcTW5IQvSPXu8Z7Wqbau3g/uOgXaUxeYLv8rskErpm74O5GG2pB +J6GGnPmLHTqVOMZ5Q8MKzA0nZOUV/alfyR+AFqnhWRFGigtfrY016O+ED81P6PcP +dXiQtY+KQrMqbw06vxNLjSAeJxSco5ncum0z6BOcQedy0D3zNdBVZyVM9BkwPR6B +UgM4XlzIPE5p/XSrt3JxeUHeixzr90J5YWFzi7nEr8nmoEVwJUwHJoxwmW+5zCU6 +/wKCAQEAgg9azbPTBLQsvQxp1G+nNeGfQzwe1QrlHFdW8e/rKudsXUoEoBoT77Z/ +xEcErH5uhFPz6twMYv2qaZPTY+mmB0/5q/TCo/KXguahr5eLrunYgkkjtRz4Tw2x 
+ebBwoVSorX75txGIw+AZLgzYamkZpYc8ZC46aCLEbpFj8hNAuhibY+s/1oc+zL7P +eCe+MYKKbk91KajbceSRIzFeyFa9nUOd4EM31Ebp4lxGSaLcp386C8naFa+EowoI +4TLagaViDshP1ysaHdpiEjt0DnjKC/TlzE17ttpdSFTwFe0GsND2TuV0Fgk0SAjG +uj2qsRY0KoByw9kyWVQeMxTuF6/EaQ== -----END PRIVATE KEY----- diff --git a/lib/hx509/data/sub-cert.p12 b/lib/hx509/data/sub-cert.p12 Binary files differindex f9d48ed1de06..c929d7c89667 100644 --- a/lib/hx509/data/sub-cert.p12 +++ b/lib/hx509/data/sub-cert.p12 diff --git a/lib/hx509/data/test-ds-only.crt b/lib/hx509/data/test-ds-only.crt index 7c5b452a6390..95df000b3007 100644 --- a/lib/hx509/data/test-ds-only.crt +++ b/lib/hx509/data/test-ds-only.crt 
@@ -2,25 +2,51 @@ Certificate: Data: Version: 3 (0x2) Serial Number: 5 (0x5) - Signature Algorithm: sha1WithRSAEncryption + Signature Algorithm: sha1WithRSAEncryption Issuer: CN=hx509 Test Root CA, C=SE Validity - Not Before: Apr 26 20:29:40 2009 GMT - Not After : Apr 24 20:29:40 2019 GMT + Not Before: May 23 15:05:14 2019 GMT + Not After : Jan 16 15:05:14 2038 GMT Subject: C=SE, CN=Test cert DigitalSignature Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) + Public-Key: (4096 bit) Modulus: - 00:eb:6c:c9:0d:97:91:ab:88:5c:44:a7:40:ed:25: - b1:d9:0d:cd:22:1e:07:80:15:49:05:b0:7d:f2:bc: - 6c:12:7a:4a:74:a8:26:4c:98:0f:29:d0:b2:68:21: - c3:bb:6a:cd:4a:27:71:5b:8b:51:12:ed:47:cc:21: - 94:ee:05:11:55:61:2c:88:22:33:c2:4e:12:ca:ed: - 63:00:10:4c:4f:7c:62:97:a0:9f:95:2a:99:d7:8e: - a7:8a:d7:53:b2:b2:7d:a8:b7:5f:dd:4c:79:30:e7: - 48:0e:0d:9d:6d:85:04:56:63:d4:27:53:09:a9:bc: - b3:c1:67:1e:65:bb:4e:10:a5 + 00:db:8d:a2:5f:bd:67:a2:66:d7:80:3d:9b:5e:d7: + 31:5b:05:06:4f:0c:aa:5c:e8:0b:06:bc:30:8f:f9: + fc:b3:1d:de:4f:c4:18:0d:7a:ab:00:7a:7e:5d:b2: + fd:85:d8:22:9d:d8:b7:e2:e8:98:e6:47:b6:63:01: + 90:d5:e9:80:c7:ac:e4:32:bf:df:10:af:73:11:d2: + 82:21:bf:5b:76:37:d2:03:67:c5:9a:7b:44:a5:4a: + 4e:a6:05:d3:95:09:fb:13:3a:7a:ca:b9:4f:28:24: + e2:cb:75:ee:6d:97:a6:62:fb:bc:57:ed:6e:2f:e9: + 0a:7f:61:4b:c7:9a:45:7c:49:5d:03:fe:4e:09:8b: + 9c:30:60:67:42:0f:89:44:08:0b:4e:65:96:6f:f8: + 83:27:10:de:99:7a:8d:bc:e1:ab:23:cd:d2:83:57: + 0f:5a:99:26:dd:6e:16:3b:d5:4d:7e:4d:d1:85:e8: + 37:44:69:de:ea:9e:79:af:eb:b3:6f:87:0b:23:97: + 53:81:b3:e4:64:2a:1d:f9:2c:6d:54:63:15:8e:39: + 9c:70:b0:c1:85:91:be:21:4b:4d:73:21:0a:59:fc: + 20:b9:60:6c:7d:ca:ed:ab:e7:22:79:cf:c4:5b:bc: + 9e:fe:90:ec:e7:48:c0:0d:60:2c:6d:db:bb:ed:95: + 70:cc:14:b4:45:9b:9b:45:92:fa:d2:50:ab:5a:60: + 1b:96:6c:81:d7:2a:4f:60:df:29:38:26:9a:7b:ea: + 68:e8:cf:dc:c3:25:a8:2a:d4:79:ea:69:7b:96:2d: + 2d:aa:8c:39:1e:9c:00:bf:51:8c:66:4b:14:20:f0: + 
cb:3a:19:b2:03:5c:78:63:72:56:bf:8f:fa:49:19: + 98:d0:25:1b:24:ad:85:51:1f:07:d9:72:94:70:7d: + 47:b1:9d:88:86:26:d5:01:d6:10:c9:04:60:01:b7: + c5:5d:6f:e6:10:c4:7e:85:87:b6:8b:ce:15:ec:79: + bb:05:83:3d:98:91:90:42:5a:28:f9:1f:65:07:63: + 15:97:3d:8d:c2:33:f8:9c:70:c2:a5:53:6d:90:db: + 6c:15:30:1e:6f:a1:09:8e:e5:56:79:fd:7e:11:f8: + bd:44:5c:99:35:7c:56:03:1a:bf:15:fa:1f:08:8f: + 1f:82:a8:2e:c3:a5:f4:94:a1:4e:9f:ef:4b:c6:6f: + af:12:ee:ee:c0:c0:39:3e:47:bf:17:6e:09:c6:8c: + 47:89:b0:a3:26:92:95:91:38:07:c9:eb:5e:2b:8a: + 65:c1:26:21:60:68:f1:27:5b:76:7e:a8:81:25:31: + 6e:14:06:08:09:62:13:9c:c8:af:01:e8:9b:4a:9e: + 18:b1:35 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
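Review bot: In the Data block of this hunk the regenerated test-ds-only.crt still reads `Signature Algorithm: sha1WithRSAEncryption`, although the same hunk raises the key from `Public-Key: (1024 bit)` to `Public-Key: (4096 bit)`. If the SHA-1 signature is kept on purpose so the test suite continues to exercise that path, record that next to the fixture generation procedure or in the commit message; otherwise reissue the leaf with a SHA-256 signature so the signature strength matches the new key size. The only change on the signature line itself appears to be whitespace.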
@@ -28,26 +54,64 @@ Certificate: X509v3 Key Usage: Digital Signature, Non Repudiation X509v3 Subject Key Identifier: - 30:2F:86:11:EA:5A:CD:C6:B4:61:FC:11:59:74:34:7C:16:93:25:52 + 6B:E9:29:4E:C6:18:4A:A0:2F:A9:AC:67:3D:F7:80:7C:CE:8A:97:66 Signature Algorithm: sha1WithRSAEncryption - 15:f4:85:10:1a:98:d7:ec:74:4c:2b:55:1f:db:c9:2f:e0:ad: - 2d:76:83:17:e1:13:d7:17:8d:27:a7:e3:21:1f:63:f2:30:94: - ae:9f:1f:b9:4f:6a:6b:ce:50:7d:1a:a7:4e:be:f1:98:33:16: - a0:53:a3:06:61:4f:6e:11:8b:55:3f:cd:91:4f:0a:0b:2d:f1: - 5a:68:13:e2:f9:25:88:00:74:79:e8:f4:a9:c4:5c:9e:df:c0: - 17:e2:e5:75:54:3d:64:65:52:b4:a5:9c:51:ff:c3:ec:8f:88: - 06:18:f6:a5:42:b9:d9:75:7b:d1:4c:d1:fa:ab:89:b3:24:5a: - 14:aa + 9e:b3:b6:2d:27:65:c4:2e:2a:a2:f1:d6:3c:ba:4b:c6:b9:47: + fe:72:5a:fe:f4:f7:92:4c:17:7c:f5:88:91:eb:f9:1a:6a:c3: + 82:a9:8b:6f:4e:e1:62:d2:15:d8:50:12:aa:cf:ef:2e:73:2a: + 86:cb:59:49:1a:35:17:4e:c4:2e:ac:65:5a:f0:13:da:35:78: + 20:59:e7:f9:8c:9a:97:0f:76:cf:cf:2d:79:69:b2:9f:15:77: + d9:af:20:ff:ab:07:18:f4:ef:5d:4d:c2:56:bc:fb:a6:52:aa: + 53:a3:5f:91:5b:83:61:e7:fe:c1:89:4f:57:c3:8a:ba:d2:89: + ed:9f:28:b0:f7:18:25:dc:d1:e8:4e:f0:ef:50:70:e5:cf:6d: + ba:1e:d9:98:11:13:02:53:15:9b:98:95:b2:8a:60:a4:6c:f9: + c6:23:4a:9d:25:ce:31:fe:17:fc:1f:11:43:52:4c:45:ef:f6: + 38:c5:e7:94:98:34:3c:05:8f:d0:a1:82:71:9d:d1:ec:93:ef: + 7e:7d:9d:ba:2c:7d:82:14:e7:ce:8a:e1:e9:bf:6a:82:0b:44: + 1e:5d:1e:85:b4:81:0e:f2:c1:1c:54:8b:b1:e9:35:82:c2:44: + 23:22:b0:96:3a:ab:0e:6c:f0:24:41:e0:bf:62:86:01:1e:e2: + 29:af:d0:cd:06:83:84:66:a6:2a:32:d4:f8:f5:31:3f:d4:20: + 34:07:6e:78:d0:f7:a7:64:fa:d4:81:15:c0:71:bc:10:3c:44: + 8b:fc:f0:8b:03:7e:ca:9e:6f:e0:d2:f3:14:67:3b:ea:1b:79: + 59:3c:98:5d:70:3a:b4:87:d8:45:99:91:63:f6:db:7d:35:d3: + 39:df:ac:31:db:94:fc:90:c8:87:01:11:1b:10:9f:2f:15:53: + 5c:f2:5f:08:cb:72:d3:f6:ed:63:39:e9:45:b7:ae:bd:db:21: + 93:4a:fc:42:78:2b:db:ac:cd:ed:ca:f0:06:2a:f9:45:18:ed: + de:31:3d:78:fd:94:a2:65:63:ba:ce:13:37:4a:ce:68:8b:39: + 
eb:e1:24:d7:ea:ca:7f:25:d1:a3:63:97:8c:a9:f6:19:f9:68: + d3:8a:0b:bf:2e:8a:db:58:9c:97:42:40:de:c3:b5:e8:84:d9: + 3b:02:56:7e:d7:83:ab:e0:4d:e0:49:4f:8a:bd:c1:e9:aa:90: + c7:96:bb:09:e0:6c:77:1c:15:48:20:4e:95:6f:7e:87:59:33: + 75:da:5f:91:d6:35:65:67:15:a8:1f:1a:ff:23:c8:89:90:8c: + 38:a6:12:70:5f:78:c2:1b:ea:66:64:23:95:d2:b1:4c:fb:e1: + ed:22:24:b0:3b:da:8f:1b -----BEGIN CERTIFICATE----- -MIICCzCCAXSgAwIBAgIBBTANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw -OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA5MDQyNjIwMjk0MFoXDTE5 -MDQyNDIwMjk0MFowMjELMAkGA1UEBhMCU0UxIzAhBgNVBAMMGlRlc3QgY2VydCBE -aWdpdGFsU2lnbmF0dXJlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDrbMkN -l5GriFxEp0DtJbHZDc0iHgeAFUkFsH3yvGwSekp0qCZMmA8p0LJoIcO7as1KJ3Fb -i1ES7UfMIZTuBRFVYSyIIjPCThLK7WMAEExPfGKXoJ+VKpnXjqeK11Oysn2ot1/d -THkw50gODZ1thQRWY9QnUwmpvLPBZx5lu04QpQIDAQABozkwNzAJBgNVHRMEAjAA -MAsGA1UdDwQEAwIGwDAdBgNVHQ4EFgQUMC+GEepazca0YfwRWXQ0fBaTJVIwDQYJ -KoZIhvcNAQEFBQADgYEAFfSFEBqY1+x0TCtVH9vJL+CtLXaDF+ET1xeNJ6fjIR9j -8jCUrp8fuU9qa85QfRqnTr7xmDMWoFOjBmFPbhGLVT/NkU8KCy3xWmgT4vkliAB0 -eej0qcRcnt/AF+LldVQ9ZGVStKWcUf/D7I+IBhj2pUK52XV70UzR+quJsyRaFKo= +MIIFEDCCAvigAwIBAgIBBTANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw +OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxNFoXDTM4 +MDExNjE1MDUxNFowMjELMAkGA1UEBhMCU0UxIzAhBgNVBAMMGlRlc3QgY2VydCBE +aWdpdGFsU2lnbmF0dXJlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA +242iX71nombXgD2bXtcxWwUGTwyqXOgLBrwwj/n8sx3eT8QYDXqrAHp+XbL9hdgi +ndi34uiY5ke2YwGQ1emAx6zkMr/fEK9zEdKCIb9bdjfSA2fFmntEpUpOpgXTlQn7 +Ezp6yrlPKCTiy3XubZemYvu8V+1uL+kKf2FLx5pFfEldA/5OCYucMGBnQg+JRAgL +TmWWb/iDJxDemXqNvOGrI83Sg1cPWpkm3W4WO9VNfk3Rheg3RGne6p55r+uzb4cL +I5dTgbPkZCod+SxtVGMVjjmccLDBhZG+IUtNcyEKWfwguWBsfcrtq+ciec/EW7ye +/pDs50jADWAsbdu77ZVwzBS0RZubRZL60lCrWmAblmyB1ypPYN8pOCaae+po6M/c +wyWoKtR56ml7li0tqow5HpwAv1GMZksUIPDLOhmyA1x4Y3JWv4/6SRmY0CUbJK2F +UR8H2XKUcH1HsZ2IhibVAdYQyQRgAbfFXW/mEMR+hYe2i84V7Hm7BYM9mJGQQloo ++R9lB2MVlz2NwjP4nHDCpVNtkNtsFTAeb6EJjuVWef1+Efi9RFyZNXxWAxq/Ffof 
+CI8fgqguw6X0lKFOn+9Lxm+vEu7uwMA5Pke/F24JxoxHibCjJpKVkTgHyeteK4pl +wSYhYGjxJ1t2fqiBJTFuFAYICWITnMivAeibSp4YsTUCAwEAAaM5MDcwCQYDVR0T +BAIwADALBgNVHQ8EBAMCBsAwHQYDVR0OBBYEFGvpKU7GGEqgL6msZz33gHzOipdm +MA0GCSqGSIb3DQEBBQUAA4ICAQCes7YtJ2XELiqi8dY8ukvGuUf+clr+9PeSTBd8 +9YiR6/kaasOCqYtvTuFi0hXYUBKqz+8ucyqGy1lJGjUXTsQurGVa8BPaNXggWef5 +jJqXD3bPzy15abKfFXfZryD/qwcY9O9dTcJWvPumUqpTo1+RW4Nh5/7BiU9Xw4q6 +0ontnyiw9xgl3NHoTvDvUHDlz226HtmYERMCUxWbmJWyimCkbPnGI0qdJc4x/hf8 +HxFDUkxF7/Y4xeeUmDQ8BY/QoYJxndHsk+9+fZ26LH2CFOfOiuHpv2qCC0QeXR6F +tIEO8sEcVIux6TWCwkQjIrCWOqsObPAkQeC/YoYBHuIpr9DNBoOEZqYqMtT49TE/ +1CA0B2540PenZPrUgRXAcbwQPESL/PCLA37Knm/g0vMUZzvqG3lZPJhdcDq0h9hF +mZFj9tt9NdM536wx25T8kMiHAREbEJ8vFVNc8l8Iy3LT9u1jOelFt6692yGTSvxC +eCvbrM3tyvAGKvlFGO3eMT14/ZSiZWO6zhM3Ss5oiznr4STX6sp/JdGjY5eMqfYZ ++WjTigu/LorbWJyXQkDew7XohNk7AlZ+14Or4E3gSU+KvcHpqpDHlrsJ4Gx3HBVI +IE6Vb36HWTN12l+R1jVlZxWoHxr/I8iJkIw4phJwX3jCG+pmZCOV0rFM++HtIiSw +O9qPGw== -----END CERTIFICATE----- diff --git a/lib/hx509/data/test-ds-only.key b/lib/hx509/data/test-ds-only.key index 24493f8d4daa..236df841bf58 100644 --- a/lib/hx509/data/test-ds-only.key +++ b/lib/hx509/data/test-ds-only.key 
@@ -1,16 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAOtsyQ2XkauIXESn -QO0lsdkNzSIeB4AVSQWwffK8bBJ6SnSoJkyYDynQsmghw7tqzUoncVuLURLtR8wh -lO4FEVVhLIgiM8JOEsrtYwAQTE98Ypegn5UqmdeOp4rXU7Kyfai3X91MeTDnSA4N -nW2FBFZj1CdTCam8s8FnHmW7ThClAgMBAAECgYEApDDTq8oYy0Qn7a2kR4Cxn8rT -VUcSPg8aRYCI5qDo0p49jUy0oVivwp8NvjhGNVDQajZGBe2NFqEsIL8PCk24frfF -LNUAi0FllQjq4iUKTKJyahqQvUenhVaAUdYJdDfS6wZM4xYc3TxHpKdbp+DVii+F -HA9dcpGCwumbRv7ZmoECQQD+iQOM/iJAXOJa0QEwqsuAlQbC82S3yoedpX7AAup3 -lme8BreDMPyv5cCVs8UW9z+z9N+4wEB9cmA98vhCxq9FAkEA7MeeLY04wyFH4VBO -1/GqiTVdOF5mOd3dCfv6xWgO2xUe0h1twIuAmbsST9Bvj7AQM2nAv1EoU88OrhVX -BY/B4QJAZnqflVqUS7mZ4NqZUhDR0jkt+buo516Bb3U8LO5/nBpQNaG2rPlCI0er -XBp+1ZpCaZ/Dm0y8KkWsfgSe87OuyQJBANefXRN8VGGWECBGAtax86vplc+8X3l4 -6k6qUg6tGUI3NI8BT64VG/JjImTemomOOuKm/mj7Hi9cErFDK7Eb3eECQQCxNUEt -Lxdipay7Iz1yAr953GoQAXdgJ4l6dmOyle1wE21Mvsc4okGr6cNAp2K3d/LnOAId -a09Ph64VsUwGaIEh +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDbjaJfvWeiZteA +PZte1zFbBQZPDKpc6AsGvDCP+fyzHd5PxBgNeqsAen5dsv2F2CKd2Lfi6JjmR7Zj +AZDV6YDHrOQyv98Qr3MR0oIhv1t2N9IDZ8Wae0SlSk6mBdOVCfsTOnrKuU8oJOLL +de5tl6Zi+7xX7W4v6Qp/YUvHmkV8SV0D/k4Ji5wwYGdCD4lECAtOZZZv+IMnEN6Z +eo284asjzdKDVw9amSbdbhY71U1+TdGF6DdEad7qnnmv67Nvhwsjl1OBs+RkKh35 +LG1UYxWOOZxwsMGFkb4hS01zIQpZ/CC5YGx9yu2r5yJ5z8RbvJ7+kOznSMANYCxt +27vtlXDMFLRFm5tFkvrSUKtaYBuWbIHXKk9g3yk4Jpp76mjoz9zDJagq1HnqaXuW +LS2qjDkenAC/UYxmSxQg8Ms6GbIDXHhjcla/j/pJGZjQJRskrYVRHwfZcpRwfUex +nYiGJtUB1hDJBGABt8Vdb+YQxH6Fh7aLzhXsebsFgz2YkZBCWij5H2UHYxWXPY3C +M/iccMKlU22Q22wVMB5voQmO5VZ5/X4R+L1EXJk1fFYDGr8V+h8Ijx+CqC7DpfSU +oU6f70vGb68S7u7AwDk+R78XbgnGjEeJsKMmkpWROAfJ614rimXBJiFgaPEnW3Z+ +qIElMW4UBggJYhOcyK8B6JtKnhixNQIDAQABAoICAFOpQ99xoCT9RU8DqsnX/GGv +p3jF3cErVtBJM8QZQVbLoeQJWBUC0liLVM3Fn9+5vW8inuejNGhDmVdeyF8K7Fyq +IAbKoGiOQq3e5mGPtn10xd0wVNcJ8918VD3laHuZYwgvt4y6UlR8wcM//AvcxrVf +MaTbv6oYBj0FyUeVHLdAiWY1KG1wuqKgiZhdrTO0UQKdqVaffvKK9hfL4GjCIWGy +U25i5WHjjDDCe0xvemkPpDB/jVfPc/c5TitgCG8OKYt1ZYe+EeCtP+CsMjj+zL72 
+awtx/zwzjhzHwgqF45jof1vER3Mjua9Qkw2Rw0QluvxMI0n6qdwu8p8mJRViZalZ +waaUk4EvlB4ZE3tA3NRKFyrmEn2zehzna0o72Je06NuShtnxPKkGAnw3ieys5noJ +c8IB7v0R3r9xwJOt5ZO/OEnI68v6ijcGPcPkSTfJP5hlVxwtNCg6n0wCVnojemmm +nqpEGritdpe53FkDR/EYfX/Idn4yAaJs/Z0SuN6Q2KNVSXJjlSZLg8PHATxlRWtd +4rX4W+gFVudT59EYWY7cxa0yrrQOJXxLzxiPt0H+aKJTiwQ0mYKLH/HAugl7byhe +U4QwJ0VNU2JxpX+1OhRQaMhooMH3Y6XSYITq04OIxYzdAlflb2WffZ3JyIpIAv7+ +Tymxyu7/DkQzFpb0QngdAoIBAQD29SgKA3n17R1MJkfmRxE5JlQpkZXRkzw1vDbW +48b6JYna6jRvb8ktpn738iW+VJ+1j96q5MyofR/SlkO1ZOtsh3V9i1ddZTGt8Zqe +Bgq6HYxCSZmc24wtq3G4nMNfbvcpOgssSmh/LMQeKTCVQTwmGnf1xLoI9D8qshIT +vwQTB7/820qHsraiLVdrHpuuBCiaLo/uEy8hRwBeCzgKjo2HvrzrDtjVE8vEafYV +7MRUtfyhwXAD5TZPhcTT0SvysISCt7NHrUEPyNN+ISs4Eeql+o93Zv7sOTQPfsIk +ajzguDSu7E71hu4RBW185IbVj8CELi5GnCMMKlI38AosWKPXAoIBAQDjl5q7Yrz+ +nsC47scggwCStU+sXv5cKYi+gLOctj/oBLJKqnsK6o3JI2AyAIBLq/DxrZ7kvtbb +IFrxaNQWPJKKyx+e2pcCwlgcQCIZ8spQ0cdqW0UcZmMEN/T2b16V3BoaSUnIqBlL +yye+NsCDNNX9pTf6+8Si3WzbnWRvGO+yMJuzIbPy0I4JupKChNKdjhsZe3yGCcmJ +dzNy2rJAX2Qtx4NNdunF2jSNqcN9ZYG8wX7cQ+JH+BXa2efqpXC7eZB0QtjVqwIm +Awpi3FkcWlshgofo4AhcsLfBzkiZ9NyGlm+vZswNqOiTM4mLajlB0/EapEDEgru+ +P3/LIQ5+DrHTAoIBAQDrL4wjBS6H63nERIyinDml0H/EWrZwMSTdE9KyEZg0L726 +cuLe4XmY9P/kB4K0YQj8MvhejajuKMM+nQX8YRDneZWFq0bXVgDa48VZCu36Uxt5 +IXiebmNwNt8Fbp2NbDML2xA67N3Zh3t6McXnzomGzBxEPUbiMiFZ+t3GWlp5+R54 +oyq2UpclmcKv7CVcsu8r7n35v+FZcrHB3jNPsnTMuvRVcv1C5yhedH78YFCVT/84 +2OxheU+gqgdJpeGRrVN03ZdqAnB8pMftTY9IRZ/O0/D/SGIr+0o+G3yui1JQvHzH +vZpwr0BXi3C6yTQzfEReXVCKxDWIZ2GHjh1SIFRfAoIBAD0mufuJXzCm5S+LcNOK +f3fr4Zl1+LA4tLZDDH+Z9HfZ8zHetqrLNQeLSsiEm/Q5Icc+GEhsAnzkJ6tfuES1 +R8alJzzejN6/6z7D+KWyN6wZgZRRK7Oiyw4SHu6sI+TuO9E+SeXxTMKxtl8EhRt7 +8ddyMiVsynvcNOiZVKgJMjZVmzA5aQlgAhoZGE6bc5/D1AI3zNCTBqS584fzvRtQ +xjEKv3vr7IotxBsgNxeVU5OtBfIXB1DBFtYz4H2KsEyfMDIc1/gpN62Q+ZRwkjzt +BjltwijPMU/+Z5FaZOWBBlPfTej6HO+6p6sNmPJtuy61zL2UzpY+bkWC+EpS+nri +ZeMCggEBAJRin7+udPZRw43qycfjPSIQs35QmbT922ti4l/7ywOC5RTcmb4/tB4Y +qMliOl09FPuvBbxoZxIMX4sUVHGsmic6UAy2JxLGTok0inmtOKgwXl7eB2m+5+8C 
+j8VbfUNs5mnkD7f60Huo/vLFsdV29j8wNmbEN+fMQUXNa6n//PoNqs+cYLU+2Ysx +G78x6sdjDKvjyRmz+m43dE5aS5EddDWXSwYRhcKkXI6zqg4jHtqqPHNNsXPzTQKg +ubXoF0YU1IIV1+HrdlxqfnbHqApB9qF8pA+ovDLMWW4Vzi8MIuebR0N78KRyaF2s +CB/IgCJRaFy9Ch2Nz4ODay/Vbyj//Js= -----END PRIVATE KEY----- diff --git a/lib/hx509/data/test-enveloped-aes-128 b/lib/hx509/data/test-enveloped-aes-128 Binary files differindex 070174513a79..a4e0c0db8b2d 100644 --- a/lib/hx509/data/test-enveloped-aes-128 +++ b/lib/hx509/data/test-enveloped-aes-128 diff --git a/lib/hx509/data/test-enveloped-aes-256 b/lib/hx509/data/test-enveloped-aes-256 Binary files differindex 0c91acf5a7d5..f94371304eea 100644 --- a/lib/hx509/data/test-enveloped-aes-256 +++ b/lib/hx509/data/test-enveloped-aes-256 diff --git a/lib/hx509/data/test-enveloped-des b/lib/hx509/data/test-enveloped-des Binary files differindex 404a55bbebb4..a2df2df10b7c 100644 --- a/lib/hx509/data/test-enveloped-des +++ b/lib/hx509/data/test-enveloped-des diff --git a/lib/hx509/data/test-enveloped-des-ede3 b/lib/hx509/data/test-enveloped-des-ede3 Binary files differindex c5e7d3db4890..d0e451e189ab 100644 --- a/lib/hx509/data/test-enveloped-des-ede3 +++ b/lib/hx509/data/test-enveloped-des-ede3 diff --git a/lib/hx509/data/test-enveloped-rc2-128 b/lib/hx509/data/test-enveloped-rc2-128 Binary files differindex 75d8a0caa23a..ddc2a27c6609 100644 --- a/lib/hx509/data/test-enveloped-rc2-128 +++ b/lib/hx509/data/test-enveloped-rc2-128 diff --git a/lib/hx509/data/test-enveloped-rc2-40 b/lib/hx509/data/test-enveloped-rc2-40 Binary files differindex 5ce90dddd53a..13c57648bb46 100644 --- a/lib/hx509/data/test-enveloped-rc2-40 +++ b/lib/hx509/data/test-enveloped-rc2-40 diff --git a/lib/hx509/data/test-enveloped-rc2-64 b/lib/hx509/data/test-enveloped-rc2-64 Binary files differindex dad301051231..02fa0f3ecfaf 100644 --- a/lib/hx509/data/test-enveloped-rc2-64 +++ b/lib/hx509/data/test-enveloped-rc2-64 
diff --git a/lib/hx509/data/test-ke-only.crt b/lib/hx509/data/test-ke-only.crt index 7494305beb42..27e759950536 100644 --- a/lib/hx509/data/test-ke-only.crt +++ b/lib/hx509/data/test-ke-only.crt 
@@ -2,25 +2,51 @@ Certificate: Data: Version: 3 (0x2) Serial Number: 4 (0x4) - Signature Algorithm: sha1WithRSAEncryption + Signature Algorithm: sha1WithRSAEncryption Issuer: CN=hx509 Test Root CA, C=SE Validity - Not Before: Apr 26 20:29:40 2009 GMT - Not After : Apr 24 20:29:40 2019 GMT + Not Before: May 23 15:05:13 2019 GMT + Not After : Jan 16 15:05:13 2038 GMT Subject: C=SE, CN=Test cert KeyEncipherment Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) + Public-Key: (4096 bit) Modulus: - 00:c0:85:dd:0b:7f:d7:6a:ee:c0:ab:e3:06:fd:40: - 44:10:23:e3:94:62:a0:b8:09:af:cd:01:eb:47:92: - 5b:07:c8:7a:84:b8:72:12:cb:42:a4:b1:be:77:08: - 5f:e9:6c:d5:05:3f:eb:61:9b:96:68:39:65:79:04: - c1:08:c3:8a:b3:bd:42:79:31:b6:3b:23:1e:d0:04: - b1:dc:80:5b:dd:1f:53:a7:60:78:bd:74:d4:27:70: - 1f:0a:e5:1f:42:97:ff:8d:af:c8:03:99:e4:28:f2: - da:b0:ea:34:a0:d4:39:37:59:37:f4:71:1e:bb:55: - ad:d7:91:b2:a1:c0:5e:40:7f + 00:cc:e5:88:ad:77:9f:da:7d:88:28:88:b6:0f:e6: + f6:2b:a1:55:da:7e:4e:75:8b:46:8c:e6:9c:f6:c4: + 06:ea:68:0e:85:7d:c4:d6:bb:a9:c5:82:3a:88:9e: + d1:e5:71:f9:2b:2e:48:62:f7:ac:7a:de:cc:f4:ae: + 07:da:86:2f:07:21:be:ec:f5:de:3b:0c:d0:66:88: + a7:75:0a:ee:17:c6:9e:b3:2f:9b:b0:88:3a:ad:de: + b3:bd:36:2d:20:30:9e:36:f0:3b:9d:e2:5f:4a:d4: + 1c:42:49:29:5b:70:35:02:40:79:82:a7:9d:ee:a7: + 05:85:d0:75:46:c2:77:4c:b9:20:6f:93:4a:85:8f: + fa:44:08:6a:ef:26:7f:af:20:e7:b3:a2:18:4d:78: + dc:e6:5e:c1:06:aa:54:a3:6c:07:a0:6b:92:14:f0: + 52:62:cf:d1:c4:08:81:4e:73:3b:27:19:34:a0:32: + 0d:66:70:05:ca:3e:13:18:85:18:d6:9c:30:b9:66: + 93:af:df:ff:71:07:ab:77:ab:00:32:d5:c4:64:7f: + af:06:e6:aa:7d:90:e3:7b:82:46:1b:d8:42:f5:7a: + 15:5f:b3:ca:b2:4d:e6:8d:65:29:ff:aa:88:73:15: + 85:21:69:23:a6:24:48:95:8e:a4:e5:2e:a0:c9:e2: + 75:bf:79:85:1d:b9:2a:e8:da:b2:fa:15:f9:c2:1b: + b3:69:3b:01:9c:54:4b:2b:19:ef:b8:f7:60:d9:78: + 8b:a8:b8:84:e4:0a:73:21:22:de:d8:27:9b:a7:7d: + 61:dc:da:55:8f:c0:36:4e:e4:99:8b:1b:44:03:d2: + 
51:24:37:d5:2e:a2:32:7c:65:20:0a:4a:9b:9f:8f: + ea:16:7b:ac:fe:cf:57:a3:dc:75:98:4d:35:84:cf: + 20:63:39:d4:13:34:7e:f7:10:e5:ec:31:d9:5d:1d: + bd:e3:d9:c1:b7:ef:ce:39:d0:89:0e:b8:84:f5:9e: + 5b:1e:da:48:1a:32:d3:0d:95:92:02:e2:bb:19:6f: + 09:f6:6e:38:38:3c:56:1a:0c:38:81:d9:a0:d2:ac: + 99:18:43:33:e9:0c:1c:cb:f1:80:1c:7d:9e:e3:07: + 41:24:51:82:a5:04:00:fb:77:dd:9e:7d:7e:04:32: + 40:d6:da:76:1a:88:77:37:64:34:44:e9:b6:c5:45: + 50:54:28:bd:dc:aa:a8:53:f3:4c:26:77:89:56:be: + d6:89:82:83:d6:0e:27:0a:8b:ab:7b:aa:51:d8:4d: + e4:d5:4f:b1:27:0d:cf:80:ba:e1:ab:51:f2:47:45: + 30:34:e2:55:a8:55:cd:03:c8:f7:12:0c:78:ac:05: + 2c:99:47 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
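Review bot: The validity lines in this hunk move test-ke-only.crt from `Not After : Apr 24 20:29:40 2019 GMT` to `Not After : Jan 16 15:05:13 2038 GMT`, and the new `Not Before` is dated May 23 2019, about a month after the old certificate had already expired. The new end date falls three days short of the signed 32-bit time_t limit (Jan 19 2038), so these fixtures carry a hard expiry that will break the tests again. A comment or README entry recording that deadline and the regeneration procedure would keep the next refresh from happening only after the tests start failing.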
@@ -28,26 +54,64 @@ Certificate: X509v3 Key Usage: Non Repudiation, Key Encipherment X509v3 Subject Key Identifier: - 95:66:6F:BD:03:40:04:B1:BA:9B:FC:A6:F1:CF:B6:93:41:B9:AB:61 + A1:E1:E0:08:58:84:EB:A7:1E:0E:7C:44:D0:E7:CA:B2:BC:93:8F:2B Signature Algorithm: sha1WithRSAEncryption - 3e:d9:cb:96:da:5f:4d:49:10:45:2f:42:cf:32:9a:d7:fe:72: - 4f:24:d7:60:e1:0e:df:da:03:73:44:4f:27:7e:f9:cf:aa:16: - c5:18:8a:ec:0d:56:0a:1f:1e:41:87:0a:67:62:d5:73:20:26: - e1:2e:10:6d:cd:ef:c2:28:2b:99:9a:13:5c:73:ad:a2:7d:5c: - 34:31:42:b2:44:52:ad:4f:96:06:30:b8:31:59:b6:e1:68:5d: - a0:ee:0f:83:45:1e:51:9d:8d:bc:8f:43:9f:42:c5:82:90:e4: - 00:9b:91:13:40:e4:15:60:e6:cd:3a:29:a9:4c:a1:c8:33:0d: - d6:24 + 62:5e:48:de:71:64:4f:fd:94:97:49:a0:1d:a0:50:f1:6f:56: + d6:90:79:51:a0:8c:04:c5:d3:ec:d2:e0:d6:4d:0e:ab:19:55: + 0c:9e:e2:5d:e8:5b:8c:cd:14:c3:b6:28:ff:21:f7:21:37:9f: + 0b:6e:cd:52:22:eb:61:23:4a:28:ce:80:c7:68:41:a7:4b:9a: + 4f:9d:b2:8f:04:6d:6f:57:f1:91:e9:a4:d7:26:f9:78:c9:c2: + 6d:e0:d7:25:9c:12:91:73:eb:2b:1e:e7:32:3f:46:1e:58:56: + a1:fc:b9:9a:dc:85:8f:1e:51:a8:a8:d8:5b:cb:18:75:ea:1b: + 9c:75:66:50:a1:9a:95:0f:50:8b:54:1a:7b:5f:4e:5a:c3:31: + 1a:c4:11:81:31:d2:35:4a:d0:be:13:70:63:9f:b5:0d:6c:ce: + 08:e9:fa:5e:41:28:92:74:f9:26:37:26:18:ca:44:b6:d7:ca: + 1b:63:22:c1:71:86:4f:fc:e8:ef:fd:e8:ef:b6:f1:2d:a1:7a: + e4:b5:12:f5:8e:60:fe:bc:de:8f:a9:c2:4a:29:60:f4:1b:26: + 7a:0f:cd:34:94:a4:d2:56:21:b0:33:a9:4d:7f:fc:6c:d8:71: + 17:8a:1b:d6:e5:78:98:76:f0:8d:d1:0e:85:bc:69:36:ec:99: + d6:56:13:22:35:9a:dc:43:b4:f2:d7:6f:25:6d:7c:6e:70:54: + 53:c4:fb:4f:33:c0:20:f9:fd:4e:51:b1:e9:fa:65:05:cc:09: + d6:47:4e:3a:a0:8c:bc:e9:fe:1b:07:b7:06:3c:62:05:17:a5: + 9e:46:79:04:9c:20:41:77:f9:50:e8:f3:86:0f:72:63:c9:6e: + 74:1b:1e:dd:ef:e4:b7:a0:e6:83:3d:d7:38:a0:8a:80:c9:3d: + 1b:ca:7b:96:ce:ac:37:a8:b9:51:30:98:d5:60:b5:26:c8:53: + a1:7a:ab:18:2c:36:22:83:9f:95:19:8a:78:2d:17:e4:aa:d5: + 37:e9:1e:fe:2a:ae:34:64:d4:9d:a7:0a:a9:a8:1b:c3:29:38: + 
89:e7:57:4f:8b:f6:3b:74:4c:39:82:ce:36:2e:24:ab:90:fb: + dd:da:ec:eb:81:3a:66:0c:01:d6:03:8c:00:39:b0:83:96:51: + 7f:27:0e:e5:8c:d4:ba:c7:6b:f4:13:b9:ba:5a:02:71:44:62: + 21:33:51:6d:93:6b:04:6b:dd:e1:64:f5:3f:ca:98:39:b1:91: + 94:68:3d:1f:ea:91:b8:db:98:c3:a5:82:aa:24:b2:32:e3:f6: + 8e:7e:8f:e3:eb:0c:57:1f:27:70:10:d0:97:db:7a:8f:46:d9: + 8f:db:ff:5f:2d:ff:a2:fd -----BEGIN CERTIFICATE----- -MIICCjCCAXOgAwIBAgIBBDANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw -OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA5MDQyNjIwMjk0MFoXDTE5 -MDQyNDIwMjk0MFowMTELMAkGA1UEBhMCU0UxIjAgBgNVBAMMGVRlc3QgY2VydCBL -ZXlFbmNpcGhlcm1lbnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMCF3Qt/ -12ruwKvjBv1ARBAj45RioLgJr80B60eSWwfIeoS4chLLQqSxvncIX+ls1QU/62Gb -lmg5ZXkEwQjDirO9QnkxtjsjHtAEsdyAW90fU6dgeL101CdwHwrlH0KX/42vyAOZ -5Cjy2rDqNKDUOTdZN/RxHrtVrdeRsqHAXkB/AgMBAAGjOTA3MAkGA1UdEwQCMAAw -CwYDVR0PBAQDAgVgMB0GA1UdDgQWBBSVZm+9A0AEsbqb/Kbxz7aTQbmrYTANBgkq -hkiG9w0BAQUFAAOBgQA+2cuW2l9NSRBFL0LPMprX/nJPJNdg4Q7f2gNzRE8nfvnP -qhbFGIrsDVYKHx5BhwpnYtVzICbhLhBtze/CKCuZmhNcc62ifVw0MUKyRFKtT5YG -MLgxWbbhaF2g7g+DRR5RnY28j0OfQsWCkOQAm5ETQOQVYObNOimpTKHIMw3WJA== +MIIFDzCCAvegAwIBAgIBBDANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw +OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxM1oXDTM4 +MDExNjE1MDUxM1owMTELMAkGA1UEBhMCU0UxIjAgBgNVBAMMGVRlc3QgY2VydCBL +ZXlFbmNpcGhlcm1lbnQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDM +5Yitd5/afYgoiLYP5vYroVXafk51i0aM5pz2xAbqaA6FfcTWu6nFgjqIntHlcfkr +Lkhi96x63sz0rgfahi8HIb7s9d47DNBmiKd1Cu4Xxp6zL5uwiDqt3rO9Ni0gMJ42 +8Dud4l9K1BxCSSlbcDUCQHmCp53upwWF0HVGwndMuSBvk0qFj/pECGrvJn+vIOez +ohhNeNzmXsEGqlSjbAega5IU8FJiz9HECIFOczsnGTSgMg1mcAXKPhMYhRjWnDC5 +ZpOv3/9xB6t3qwAy1cRkf68G5qp9kON7gkYb2EL1ehVfs8qyTeaNZSn/qohzFYUh +aSOmJEiVjqTlLqDJ4nW/eYUduSro2rL6FfnCG7NpOwGcVEsrGe+492DZeIuouITk +CnMhIt7YJ5unfWHc2lWPwDZO5JmLG0QD0lEkN9UuojJ8ZSAKSpufj+oWe6z+z1ej +3HWYTTWEzyBjOdQTNH73EOXsMdldHb3j2cG378450IkOuIT1nlse2kgaMtMNlZIC +4rsZbwn2bjg4PFYaDDiB2aDSrJkYQzPpDBzL8YAcfZ7jB0EkUYKlBAD7d92efX4E 
+MkDW2nYaiHc3ZDRE6bbFRVBUKL3cqqhT80wmd4lWvtaJgoPWDicKi6t7qlHYTeTV +T7EnDc+AuuGrUfJHRTA04lWoVc0DyPcSDHisBSyZRwIDAQABozkwNzAJBgNVHRME +AjAAMAsGA1UdDwQEAwIFYDAdBgNVHQ4EFgQUoeHgCFiE66ceDnxE0OfKsryTjysw +DQYJKoZIhvcNAQEFBQADggIBAGJeSN5xZE/9lJdJoB2gUPFvVtaQeVGgjATF0+zS +4NZNDqsZVQye4l3oW4zNFMO2KP8h9yE3nwtuzVIi62EjSijOgMdoQadLmk+dso8E +bW9X8ZHppNcm+XjJwm3g1yWcEpFz6yse5zI/Rh5YVqH8uZrchY8eUaio2FvLGHXq +G5x1ZlChmpUPUItUGntfTlrDMRrEEYEx0jVK0L4TcGOftQ1szgjp+l5BKJJ0+SY3 +JhjKRLbXyhtjIsFxhk/86O/96O+28S2heuS1EvWOYP683o+pwkopYPQbJnoPzTSU +pNJWIbAzqU1//GzYcReKG9bleJh28I3RDoW8aTbsmdZWEyI1mtxDtPLXbyVtfG5w +VFPE+08zwCD5/U5Rsen6ZQXMCdZHTjqgjLzp/hsHtwY8YgUXpZ5GeQScIEF3+VDo +84YPcmPJbnQbHt3v5Leg5oM91zigioDJPRvKe5bOrDeouVEwmNVgtSbIU6F6qxgs +NiKDn5UZingtF+Sq1TfpHv4qrjRk1J2nCqmoG8MpOInnV0+L9jt0TDmCzjYuJKuQ ++93a7OuBOmYMAdYDjAA5sIOWUX8nDuWM1LrHa/QTubpaAnFEYiEzUW2TawRr3eFk +9T/KmDmxkZRoPR/qkbjbmMOlgqoksjLj9o5+j+PrDFcfJ3AQ0Jfbeo9G2Y/b/18t +/6L9 -----END CERTIFICATE----- diff --git a/lib/hx509/data/test-ke-only.key b/lib/hx509/data/test-ke-only.key index ea8a9e03f9d1..d3617847d84a 100644 --- a/lib/hx509/data/test-ke-only.key +++ b/lib/hx509/data/test-ke-only.key 
@@ -1,16 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMCF3Qt/12ruwKvj -Bv1ARBAj45RioLgJr80B60eSWwfIeoS4chLLQqSxvncIX+ls1QU/62Gblmg5ZXkE -wQjDirO9QnkxtjsjHtAEsdyAW90fU6dgeL101CdwHwrlH0KX/42vyAOZ5Cjy2rDq -NKDUOTdZN/RxHrtVrdeRsqHAXkB/AgMBAAECgYEArZfGYXkLb0MKfbJ+edn5xSfn -K8PmsSsi1lJ1qJph9Fmjh4qcaS/XzpLqb4Ago2Rbi5lAD0nwS9f9FCriN5nBtJCO -frm3b4Ct0yQrtwID3kVqGDg6MmMu+11x8IlQAz/zDZ34ik/3+Z+G9N4WRUD2HFRr -+18SzS5yhZmmjgKYkGkCQQDt/LKcz020nfVednN/6fzx6ZbSFX/x8MehJaI/BEbS -uqAl6u9pr24I8FaDGySdBsJua4xZJVS6YUE4LXqRFeIFAkEAzxg9PQp7AqK3Cf90 -6pS7IKnHfRraBY6uvioHVIqjU1LYOoLGHKzlrtOhGDpN3E12S/0u6LJZGRAZ/7Aa -f98LswJAFbvLD/j6jrESNGM63waeW/VKGbtu6MhlYrkOHRUl5p62e1/+JzenI9fW -/rge2txAK1dVBNsc5rx0+U1l8RP/hQJANZFXhcqINw5Puk5Rt7vxC2nfKAUiD/3w -RVApxTx3Mr5jH/9jr1cpsicbrGCocyu2RcGfuKEpWspHb1PmBt1y8QJBAJYfAmjL -B4p8C9TCnb2NosRj/2wLcvdMJV22E8KFWzXAqRL9FKUKASULKxHy+rne4FHytEQD -w7MMQNWHjQVnFcM= +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDM5Yitd5/afYgo +iLYP5vYroVXafk51i0aM5pz2xAbqaA6FfcTWu6nFgjqIntHlcfkrLkhi96x63sz0 +rgfahi8HIb7s9d47DNBmiKd1Cu4Xxp6zL5uwiDqt3rO9Ni0gMJ428Dud4l9K1BxC +SSlbcDUCQHmCp53upwWF0HVGwndMuSBvk0qFj/pECGrvJn+vIOezohhNeNzmXsEG +qlSjbAega5IU8FJiz9HECIFOczsnGTSgMg1mcAXKPhMYhRjWnDC5ZpOv3/9xB6t3 +qwAy1cRkf68G5qp9kON7gkYb2EL1ehVfs8qyTeaNZSn/qohzFYUhaSOmJEiVjqTl +LqDJ4nW/eYUduSro2rL6FfnCG7NpOwGcVEsrGe+492DZeIuouITkCnMhIt7YJ5un +fWHc2lWPwDZO5JmLG0QD0lEkN9UuojJ8ZSAKSpufj+oWe6z+z1ej3HWYTTWEzyBj +OdQTNH73EOXsMdldHb3j2cG378450IkOuIT1nlse2kgaMtMNlZIC4rsZbwn2bjg4 +PFYaDDiB2aDSrJkYQzPpDBzL8YAcfZ7jB0EkUYKlBAD7d92efX4EMkDW2nYaiHc3 +ZDRE6bbFRVBUKL3cqqhT80wmd4lWvtaJgoPWDicKi6t7qlHYTeTVT7EnDc+AuuGr +UfJHRTA04lWoVc0DyPcSDHisBSyZRwIDAQABAoICAGWOQz9PcnDWFX2ZvTuGi282 +qRoBzpueK5q81wHMSW03pDLwEncoTs5xbNe4eGqUIh8P8przDY9dDRMdixD5vyd2 +x24lsz9ra4PWqcFuaHJqZNCFgVJvQz5Yipf22UkCL/kk+zeXMwogtdz47EHBDNUP +5eoncDUQncEkgGxRCNaDT5td0ur+YNoFnhLo7xJ7abx0VD1Z8YtRXbUTCZ5ydhlC +GAa+0ubdAKh8WrLqlGAdsyLPjCrAzW3fdJGLrrL4eYH7YKokiTSZy5glrpSDtbLm 
+QndWLxzLiqT1/g/hEdcf6qYjtAzKZcKhaL6q5LS97t2Pgjbf9wYBzKM3iERoNVmO +D8sWmSg9fiNRjzZY1b1ulE9PQhQOUB8MWUCBPBeimQtCJKqxC9HoH+WH2OkV+ikV +cj3pwVqvK/fJtLZ5jC42ZEsLD5YpnDpxtcj3yrrJ0g5ikWhMU94EcOOsIgkpeqCT +L/G8x/H5rgmdN15rI3qERdJRbkDzq8AEriaNo8lbr9xEWRggzs6vmg1x5scNfpFW +hFRkGO5iGheScrR9rIwmFVSz+N1g9K4RhKXsgGmmj0pHSn+2NozxKPXsSzNSrgGZ +YJc1c7Yv3S5Nqwkzzy+o4WICejJAjzGf5y2bUQ+CIA/SUtmyygADYCClLQ0hjpjc +llslljxigyjVDNFTOV3ZAoIBAQDtcdnK3Iy32+cJ1yuL2t8lWSlu1Bbazmz7heH1 +FSYzPyqidwQKIKuuZEMfRb0dBZGxPszoiWZxn3Dc8oDbHGDp9TwDkfxT2S51fvOE +PUdc6sAFUn79joTl5kak+rPDjNWiNpax4kQJU4/kUtibs1bHkZx1voYZ3J2ZeWDH +td3OY+lHMOU6dUpXYoQEYLbc95gU+fCLZRLP/ZVSrvhZm2/Q8HUHohf6Wb9l2ufC +cGwUkb3iUk+OyboEu3oQgUY5DBX8rQsvje+sbmk0my6vhCO8LuuqNfxUrijSJuzW +aWSC0khPcOolJpNJLYVDYbuzqckev/GCzCLAj55z60WQA1gVAoIBAQDc6IyFJbn8 +gPWvXPa53e2Me4kdzb6VnYHSyvAeBXMLbxXJTPFmBTa+MV2jpA6JO4pmOyfjdtZw +a9zEXIRG/RpFitxQCcsHVI5TnARyU/J0tkrdRy/ujHYh1lg3lk2EAPxmmkzRLpES +VatfjzQLt+teBCNWi08aeQmzwlVcwId5frEkhnz60C2YXqUIPLAHz9peMWrElSbB +TT9pHnT+gRE/WgqHiov9va7Zz3wFYo5p1GmBIIKTvlIoWHQYIh7ily9O7Oe4kDIQ +3rFLEtwAeiBrICRsOs3bidcdtAV9H+OTl+H6sILZGuWZfHH9Bhiwhfv0Q6qsD2du +Jukz/jLcMUbrAoIBADYvwTAWXNaojHUmcX2dGUeArX/pTr3oVd6gkwxHI0yWobgp +yPY2tnc50keUtq+k0bbNSh3XHVXYuPzzKozWUReTK3r1GcxYx81wh0oqYdrGh8Ov +K+PZXmLIxl5oCBYcUbSPGJzHshcexruoXF5L8wXgKQCF1jyYqC6aEIgC7PdovZfN +hMJueeSvSslk+NY8eqxuzYJCMqTcjfMskuiAHGhmN47iYu5zBMbNyg4JceDP0bGQ +by96wcTKs/SIS+pA49Oh+eeEUKndGI00zNapJS6Q1p8lasw4YoBy+aGEs7dXHcFj +V0vbHcmZZcwWxasemBM4Ynki9NtU6ygxDNLssHECggEBALXkXN+9IpjAbotIFncQ +PupvRYVexVBX8m9oXbG6dvGxM9UeH54LKPoNl7aH/NgOSHTIvJ1UWlkS1yJvsxLo +kFs2bRUSGzQb8Vzyl86zRG3JM3djiBn5WcOew+BxR74rOagZ4KpUl2rrU0JJnWcQ +tyIgciBucGGxy8VRfAv1Exd8s8sJWZsDEqflNinEHoUwJfNs6SaYUOLVAiNByr9L +8rGhKA5Wi9IP/wqlBs9ASVbmaUDDTgDssqU5v82nOpsENRXdhya2xCKT2pOgIbna +1Rqfyp27BYmAw7lXYzWVrkL2ykEqWXL97JMmnoziGi4vBDgqBzvJKzbNnzMKWUJo +6KUCggEAWseXquzJlsbVLjowrIua9lwfFm+YUyqKMPmZ1TUblMEv9IrkbHGyXv49 +H9jSs85g8GAH/BwB1G9oDZjnP+Yj0Zjsd9ZImFz2+VRcVCSCBUj4Qv1HAxls/Aq/ 
+/QCUhj0o/TIcbO5V8ImUOlwKUyoNW7rXGEl4b152J+wakxiA1LYTs08usxsv0KtY +qbqv0VicOBYXjnn3SSSoR7i11vm9CZPa7g3YEBuI0T3QaPvZHRueovgsdmL6OLH/ +hdFb/mA9f8aEsCVUbbDstRnlldZOtfHuqj3f4NbmxcaxX0D95kl7QqRibehFTOGG +VNAP/Wqk5Tqv9O/YM7QH6VFyharThw== -----END PRIVATE KEY----- diff --git a/lib/hx509/data/test-nopw.p12 b/lib/hx509/data/test-nopw.p12 Binary files differindex bece1f1cce41..9349b0fc7b6f 100644 --- a/lib/hx509/data/test-nopw.p12 +++ b/lib/hx509/data/test-nopw.p12 diff --git a/lib/hx509/data/test-pw.key b/lib/hx509/data/test-pw.key index fae8e5cee692..066e58170a74 100644 --- a/lib/hx509/data/test-pw.key +++ b/lib/hx509/data/test-pw.key 
@@ -1,18 +1,54 @@ -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED -DEK-Info: AES-256-CBC,8E591DF1F7BA7038BC8A176AA9C47330 +DEK-Info: AES-256-CBC,AE4D50F1D037E93C416E5EE0BA31DED7 -7sslSZnKwAzVwntpdDZkgOP/LOHtI8tck4XJFKWDLRm3YQ88TEOJe4aH6oAYJeil -imCrnaeTFv/KYYxcn0kNmMDMw2+AC5kKhzxFkBpB66g1IY4PJOWbX52DGPLj82IJ -ahB5J0eruslPSUv5NhJc5BbWwoGcOKo26vv0QSLgUIOm5k1g2JcsnhR4UptQ2Oa6 -EjbulkE9RvQWYlTfF3KKlpgNkTO+46EcYJ5a3rKYC3z3R7wklKrYw9WWdIIu5BE9 -Yw4BX07+bUDn7qtTIOcmtw3EUYFVRpSCeDequfRV2DHxdaQs12Brba+nzWD/rMZZ -zCtbkSSk/0O8qmiAtHVfWilE7t7jTxVd1g10ZHrvcOgKfr9Z1UgM7G1EMdjViCkR -CIAYbmDSVLXkmeONg/MZU14XJHizJR4po0iZDBBeyF6NvsvgU1w2Jfiocp1RT8QB -AnRIWKgzZ0chKjjSY/2+q0Fkzae7OdXdggRDVf4HMKWiayi0xz8vBxObRuXRPbmp -QhcyuQUcoiJ69HqFpODBelnwBfNbnMfq2w/u38ytv75Q5jqNoALCsVy22QoFz5RX -d+RFt+5VFZYUsqApA6yzLAJbvVcyIVIFWv8lQwsMzMBFk5gO2KAle0mHhJW1ufAV -6p1tMCWRjRxBMXKQ4O2lHWi2jRQjPWJyJMKKCv+yXEHwXSoDRKJYNsO57m/cDE0S -388gWkry4HT46Gnn2uH+eXavT4Wu/7NWCRuvgV5VLVik/L3OVx086w+3sZEliuk8 -WnfVqctp+BVQEwTk3CT9Bx5TFvAWl2vDs7bxkbAUsYa6yz8JQWIJ7DOsy3UmDKN0 +RwILhdS+r3Tt/J+aXaydLB4AX3vuR/qXW4/Qi3LOgY5bIDEJvoc5m52gTtDgefc4 +H/Evvn9jLq72TkOipLgnnCga9uYbJgiE3/dTZXDwcnCzsorkNIECs2KyGVAR7ouT +FDoRpx+2zC6Yt2kV3vkI+wgtkB/u+hfrZ0hiC/NjmH+3/6gSmceb6L34cAKcvLb/ +OeaI3beTSlTEQ22CtxNwmFTGSqiEdw9pFYOTjcGus4s39zGNDnFtp17jZAFQf/v/ +dm//a93yGS2ytkAsNuMNOwGTFe54ipwXOWNxenCWUWltvaHH8UbT9qcVnZ/RbKtY +QzDl8nJGPzatM+R9xdWfjI5VU3DxfrgEzHtEUGlU1Cr17k8MubEzHQPimVYqfU9s +9GjM3PXuLUw11tXzUS8udWhA9kHZ3VTNie+y7+XlCSibODw4BSAFokBp7uJLe7dF +G5UH+unv7rsBtuOhqCKSnoRgztc5SsoarCt0cKadJRkLK4trgki1g6Vcq4QdqbyI +8+qfG787fWISC6CGOQMXnpsQX3XfzpodXpEsaQDpjomAUOKcSmMdEvhf5qHlBnS1 +TNoA8qRb4e08BBez00jTAu/7M46MxgmKDFzavYsWfEqqvwPQVDAFyQkcuT3ZXwtl +m5Ay7TBB7hh/yDH+BTXfg4l62ZlGWG0rVczhcNTLMWuWj/HErFmRD2ousUmqPJz+ +3B//V3ad0eVVfJv2bLmT4f4VTmcpvGjtFflMtrR/hGzDLaWnlswr69F8ZREdxX40 +7W0fePlUhYpT/OsA5wQylHcYx9GcA+LOS9vXK5JgaL7jH4FP/5z61VG64CBhTMYc +aAQl4jVwKz9yvQpMCWNf2wIghNRw0p4Ih2ZEFBY1wzjL+n4uzmSNwLhX5yZ0Y9oO 
+T6u38KvazXutWn6+jAOZaE/EaacOrj3m3ZCSPs6Gtre8k6lfpniY0EPGcf+x5MON +oIGZXB43G9CQv6hLBG1Vr49CW3yFxtyX4UQlBcn+62A6CeLR9qoPdrWS3utT/sgF +PrbhGXNbROIFd+zf/ZDCh7Gfm76+R/yJ32tZQXCAoTHitNf6UPlzQxamoFrWgJ7+ +S5+Xeh/DVvJq1P6mbo8n8Noyci+zrZIQXWMSKyirk3pnMZ9e/MtUnjG6S9fb7V7n +eRuN3Z1k/jyKLAAPJVPe7myG5L+Cz6BS1rwT9h43Pi/pKW65Le5PU+h/9qCBOHNW +fEegF2Bqu2/cJZovUAyekXwYQp7XQrSaxLG8EA57SGkC66tBhiyyScW271dDA5hy +TU8nBMh39xj27uRh5AO9LrK4Q6Wn6l/b+KVMV+Kg3S7iMyuvfsHTL+vM8DlPtcb4 +e4yjGT5V4A4RsiDxs2+rDHQV24eWEgEamlzIMJsyVvFPVwKWPwSPgMd9S6uHMI7T +Na8SGnO239JzHMav88cq1MVLUv2XH4mmqk7i/JNjl3nzQRwOlXtgICjHjlACJut1 +7vH4U8l1DmfVzrcfh2Vc9XahnTA5aWuQsPjrRv1hFTW3HVcpFwtxV1wTAwCN9dnQ +cB9nTSe+RosfRypuwPRGOWaiWckUOAFVLJiIThuh2e5/SZkIuMgtID86rjDTAKB6 +0JP1DxMOXa0gv0SdrIwv5cQl2kG+uaXhListTm3pl/XAqpSmCyY53wRm2RWDJuNs +m8myLHyjDCoYxWPqqhV9LYpU4VFYGgo3eZK/b9Tw4IcOpdosJxhpvGxu1a2ZmQxU +bkx1hyzKj7ZmfGhvG/f7J+n5tuEloa1EbicAhLZDWi8lBMnKV3rAAADXXm4rhFUO +ar8sBfJfRC0dGpgE5zoR0pU2Wx8dIFFqLlHvT0DkPIrTDYnxbbmT0CGNHzVgetn+ +N+4tGdP1v8+Vd+BipaQAXor6kd1pn+oywKttx6eZE1jHHnZzJpX6VrqwnIdxtlEJ +3Pp4l04+bcu+/1WUKRvNXwPLjNzIZjaFJxdKUVjC/9JbB/Vx3nKi/VB+ymy/cCoM +Zte4Owf0cxnYRXE6pBw4FkZJPitf6b67G21cbnzQPC3ZLpm0TOA6eO+Lsgb+WBo/ +3MGnIhFuT5PmIiSTLiajfKR1H6pP/Sf55P2B/qCX+aTdpvMrytnz1n9rbF8w9mYN +QPb1UbJyZJDEOCtoYLH9hNTI5msHeBoQMCeTbDML7SqQRNHcFynXY4qqVF/avt36 +ZLrKv6PZuQTRsXr+1JbgJydHQVanqeK4XPwK84FE+guHZWo3ug6+eEgqMKYkzAKA +GAN3Oinitkcpnt74ZH0XocmMwUGS7qj5UiNm73gIP6MEA1uYXqpb7FnJRALwb33r +qYJ72qomcNt/iow4M3kkMDSSPlat/2OhtWtWijYKwk3c5yZmV6Bc+QX6MZS3MZXy +vrk0L/bUV1m8YCCiuSiwuyQslEZUfY6klIJlTJ7NkHHT47vgwmJGYU1LamsuZfwe +LzH1xeDCxtCUUGgvtngj+dgoNMr7CxB9MemJo/gFOa0XlZq0CezSfM457RgM536A +b+62dmd12tARkRlvlNj3wck70r16Xz7tUmFWFdsro/ga9wvqnjwKVKUsA/xpZy7H +nhtLvMnvnk0Zv+wvRWB3D16TC6kHQjnI3PjLGYa7fwMTErmBNDxMz+8JvFwMqrJd +an4QBQocGTSO+HMsb3krHo9AdBBSsiRNYWNPda9an9qjARy7rbo9Fy5khWyZA89q ++pGDtn5nPrNvbCz48aaGH9FBZlywweDQdCnWe4hNl3+z9NQxxf+pKRIu6AI58iqj +IWezU+pwyJjPA3e6u5zZ7IiRfmRnuxeouH0c6YcKsgMNlsIM7D/vjo2YXpkbyQqV 
+aEpAVzknHcypN1PIsfXU2Zo51jG66AD8y5zQ2nUlZnat7YciryxnpvFVef9Nf62N +kYxzdJdAT6pfEXk2L7xORX3a97yN3mCzPp2i5jIkhOtVbVdvG7xgGcoPNGEIhMIo +Al4YdPiMb/dJPmKAkJJptAYKpQAaEvhKtv4t8NZ0c3EEYVwJc8eJaz+cKCsLJEMX ++7OMT8Tj6IMWIY1aWetQix3A/iQjBSUfM7AmqvYRv8Y/F14EM5eC4RLFK5o4RWWf +Ck9XeE5fG0q1pSpbnrjeopakwy008unT+CILpjWLBnIXJ6kI8fTASeFrLtWurNkv -----END RSA PRIVATE KEY----- diff --git a/lib/hx509/data/test-signed-data b/lib/hx509/data/test-signed-data Binary files differindex 583c2aa7fc1b..edba3857b3df 100644 --- a/lib/hx509/data/test-signed-data +++ b/lib/hx509/data/test-signed-data diff --git a/lib/hx509/data/test-signed-data-noattr b/lib/hx509/data/test-signed-data-noattr Binary files differindex 6c6d02fffcbb..5d768f88b2a7 100644 --- a/lib/hx509/data/test-signed-data-noattr +++ b/lib/hx509/data/test-signed-data-noattr diff --git a/lib/hx509/data/test-signed-data-noattr-nocerts b/lib/hx509/data/test-signed-data-noattr-nocerts Binary files differindex 7de2f4492885..5f20eeec2cbe 100644 --- a/lib/hx509/data/test-signed-data-noattr-nocerts +++ b/lib/hx509/data/test-signed-data-noattr-nocerts diff --git a/lib/hx509/data/test-signed-sha-1 b/lib/hx509/data/test-signed-sha-1 Binary files differindex 583c2aa7fc1b..3580544a0aa9 100644 --- a/lib/hx509/data/test-signed-sha-1 +++ b/lib/hx509/data/test-signed-sha-1 diff --git a/lib/hx509/data/test-signed-sha-256 b/lib/hx509/data/test-signed-sha-256 Binary files differindex 20228788ebce..edba3857b3df 100644 --- a/lib/hx509/data/test-signed-sha-256 +++ b/lib/hx509/data/test-signed-sha-256 diff --git a/lib/hx509/data/test-signed-sha-512 b/lib/hx509/data/test-signed-sha-512 Binary files differindex b4bc5a6ae609..0816fab839c1 100644 --- a/lib/hx509/data/test-signed-sha-512 +++ b/lib/hx509/data/test-signed-sha-512 diff --git a/lib/hx509/data/test.combined.crt b/lib/hx509/data/test.combined.crt index ae16b63c49c6..2adab3347413 100644 --- a/lib/hx509/data/test.combined.crt +++ b/lib/hx509/data/test.combined.crt 
@@ -2,25 +2,51 @@ Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) - Signature Algorithm: sha1WithRSAEncryption + Signature Algorithm: sha1WithRSAEncryption Issuer: CN=hx509 Test Root CA, C=SE Validity - Not Before: Apr 26 20:29:40 2009 GMT - Not After : Apr 24 20:29:40 2019 GMT + Not Before: May 23 15:05:12 2019 GMT + Not After : Jan 16 15:05:12 2038 GMT Subject: C=SE, CN=Test cert Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) + Public-Key: (4096 bit) Modulus: - 00:e8:6a:8a:12:02:ed:86:e3:1a:b6:79:18:cc:ab: - c3:d4:cf:30:f4:dc:2a:90:71:c3:00:18:20:84:73: - d6:a4:55:b6:71:e4:33:fd:b7:a3:e3:6d:d4:ff:29: - d2:56:7f:40:63:e4:bf:12:8a:16:7e:ff:5b:e9:6a: - ce:50:b4:e3:85:11:a1:22:cd:c2:b4:e5:46:b2:0f: - 3e:04:85:7b:a5:4d:3e:7a:b8:c7:7c:d0:2d:fb:95: - 60:d1:40:42:bc:28:ae:f1:3c:7c:0e:5f:ca:e4:8f: - fc:4a:2a:1d:ef:10:05:4d:09:54:b7:12:16:79:bb: - bf:cd:a0:92:66:9e:94:e1:ff + 00:a9:c9:ce:f8:b7:77:99:3c:72:54:8c:cf:0a:63: + 9d:f2:df:0d:07:6f:22:54:17:71:ff:76:a6:d1:9e: + 33:f5:05:3f:ac:32:be:58:e5:7c:a7:d3:29:dd:3d: + 38:62:64:8d:82:d2:aa:f5:05:36:f3:bc:ad:7f:4e: + b9:c5:56:89:ea:c2:d7:b1:96:69:fd:f7:4e:35:56: + 59:7c:03:91:79:60:f4:a1:a8:78:a0:1a:04:2e:0a: + 98:b7:cc:be:f3:ea:28:6a:d7:5e:80:8d:74:c7:f4: + d8:96:48:44:94:1b:ce:4f:9a:65:8d:54:c6:c4:69: + b3:be:fb:e4:91:79:5e:c5:ba:f9:df:03:de:14:e2: + 68:1a:6a:e9:51:83:01:0f:e6:09:0f:c9:a1:78:b4: + 75:45:18:f0:43:7c:11:37:b2:91:cd:50:6e:71:42: + 69:c0:36:da:e1:bc:24:fa:bd:8f:c5:ce:ca:d4:af: + b3:f1:d7:20:c1:ac:4d:31:42:c5:cd:6e:6c:41:0c: + 8e:8d:08:8f:2c:b0:76:02:18:d7:0d:0f:fe:ca:67: + 3f:b6:fe:1b:36:a7:ca:33:bd:01:36:7e:97:f6:e3: + 55:9c:4b:a5:fa:48:58:a7:07:ca:c8:71:2c:e9:05: + 7e:3a:40:4a:aa:b7:34:13:e1:b0:5a:eb:58:50:0e: + 99:31:bd:6f:e9:fb:bd:4b:f8:05:70:5e:01:41:36: + cf:cd:7f:6e:d1:e6:de:e7:23:a9:86:49:61:26:fc: + a9:58:a3:45:37:b2:47:fa:ee:cd:74:e1:a1:28:cc: + 50:5f:e9:b0:fe:67:0b:7e:dc:4f:e9:fe:5d:ea:55: + 9a:87:d0:13:6d:9e:b9:f1:cd:08:b3:da:c7:d2:3e: + 
dc:fa:d2:03:58:f7:e6:43:03:5b:c9:0d:ee:d6:26: + b0:fa:eb:36:5e:a3:d0:ae:cb:00:4c:97:bb:9a:63: + 09:59:10:6b:c5:f9:e7:4a:3f:76:eb:a2:63:8f:45: + cc:43:8f:4a:15:2f:dc:3e:f2:11:3d:07:03:c4:b8: + c5:e5:65:1a:c7:d2:87:42:53:d3:a9:3f:fb:99:a0: + b8:45:43:45:ec:09:59:c9:bd:55:22:e0:0e:19:ed: + 49:fd:b6:db:5c:84:b0:01:89:50:a3:ca:1e:41:ba: + 82:87:db:da:b5:2b:71:08:ae:1b:70:41:41:ca:24: + 70:6b:9a:c9:db:1d:b2:65:94:01:9d:ed:b8:b5:36: + 4c:f0:f0:39:be:bf:e4:49:02:d4:55:ec:11:dd:23: + e3:6f:c1:28:99:77:44:29:70:a2:6e:ec:b2:53:86: + e1:c1:45:3c:67:ea:12:08:b3:be:d2:be:9f:00:b0: + 9b:1f:61 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
@@ -28,42 +54,115 @@ Certificate: X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Key Identifier: - CE:77:6E:DE:0B:F4:21:F8:78:C0:1A:7C:C3:B9:66:EC:4C:3D:4A:23 + D3:E1:59:20:A1:DE:3D:12:57:0A:3D:BA:0A:6E:67:0E:40:A7:9A:88 Signature Algorithm: sha1WithRSAEncryption - 45:23:30:f4:ce:b8:c9:b6:a0:2e:4a:a0:64:bd:be:57:d5:64: - ed:4a:8d:95:a3:9a:19:3c:56:7b:14:a6:2e:6c:37:37:ae:2a: - b1:42:2e:0c:b8:7e:57:f5:5a:38:29:8d:78:53:b3:2d:c8:c2: - 97:f3:ab:51:6a:c4:df:86:97:ca:68:55:39:e0:f8:99:5a:bd: - a4:e1:34:50:34:8f:70:d2:74:2d:b8:90:ef:b8:d2:22:3a:ce: - be:82:a8:4b:b3:32:cd:1b:8d:0b:69:7d:0c:d7:b6:33:dc:68: - 41:76:a1:36:20:8e:ba:34:45:be:71:bd:ab:bf:74:77:87:e6: - bf:7f + 0f:2c:68:90:33:67:b2:86:09:26:ec:65:29:ae:76:d6:a6:2f: + 53:0e:d3:16:cd:2e:0d:a8:d1:14:22:f5:63:66:a9:3d:78:43: + 40:a9:db:ef:02:52:d1:a9:c3:0b:ad:24:8e:a0:56:63:1f:ba: + 23:48:64:74:ac:2c:bd:67:f8:87:6d:bf:d6:83:68:aa:99:ce: + 4c:0b:30:d6:06:59:7c:74:0e:2c:8b:ee:5a:61:af:ff:f7:3c: + 51:10:a7:93:44:6f:bb:f4:8b:5a:2b:5e:1c:4c:89:60:71:af: + fd:bf:c0:fd:19:04:12:81:a0:ce:ed:b4:dc:64:12:80:36:18: + 9f:1c:33:25:94:dd:94:51:eb:a1:c6:21:06:b5:16:05:7d:d3: + 20:53:de:60:5d:40:6c:f1:7b:a1:98:7f:1a:bd:39:46:0a:ec: + a6:cc:eb:7a:96:d5:43:6d:e5:c7:61:d2:f9:ed:76:a8:44:3f: + c8:9d:45:1a:2c:3b:52:f8:08:7b:67:39:aa:ae:88:4f:eb:90: + 99:9c:f8:8b:ae:c7:7a:eb:40:b1:ea:78:51:74:e9:11:2c:c2: + d7:c0:93:35:c3:27:59:89:dd:1e:e6:4a:ed:fd:dc:1f:08:e2: + 80:ce:a0:72:ec:04:d7:2c:1d:d6:2c:67:f3:b9:ce:e9:be:70: + 10:82:b5:bf:45:29:c1:cc:36:11:5d:83:3d:17:11:03:b0:17: + e1:3c:05:f0:ea:07:c6:3e:62:ce:2b:d9:55:41:dc:0c:55:82: + 0f:e0:d5:a8:02:65:fa:c8:bd:60:16:b4:6d:53:08:9b:06:25: + 94:c7:8f:ee:ac:5d:25:ad:cd:9d:af:7f:a8:5a:99:49:fc:fb: + ad:69:8e:c4:c9:57:7c:88:2c:32:2b:ec:11:ed:61:cc:44:92: + a7:18:11:19:96:e6:be:88:5d:ed:0f:dc:ca:2a:31:e9:2d:aa: + 03:75:03:f4:42:5e:6c:86:b9:7f:b7:59:70:ba:09:b1:ba:28: + 3a:be:68:45:a0:2e:89:0b:ea:a6:d9:85:58:bf:54:1c:02:56: + 
3a:d4:4f:88:7a:5e:c8:21:33:64:76:74:68:36:7a:a4:1c:a6: + 5b:b8:f1:ef:98:10:82:84:d4:df:2d:34:4b:6d:15:62:55:31: + b2:78:93:33:37:20:db:a0:30:85:db:cf:00:7c:b3:b3:a2:a9: + 31:d7:06:fb:e7:ec:38:4f:3d:61:73:bf:b8:21:b0:c5:f8:3f: + 98:8d:db:aa:23:01:41:d4:3c:99:cb:ce:4a:ff:10:fe:a7:52: + 3b:8c:0f:30:6d:a4:4e:53:4d:60:2b:6a:05:ab:ef:b8:61:9c: + a4:85:99:ae:b8:63:c8:e3 -----BEGIN CERTIFICATE----- -MIIB+jCCAWOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw -OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA5MDQyNjIwMjk0MFoXDTE5 -MDQyNDIwMjk0MFowITELMAkGA1UEBhMCU0UxEjAQBgNVBAMMCVRlc3QgY2VydDCB -nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6GqKEgLthuMatnkYzKvD1M8w9Nwq -kHHDABgghHPWpFW2ceQz/bej423U/ynSVn9AY+S/EooWfv9b6WrOULTjhRGhIs3C -tOVGsg8+BIV7pU0+erjHfNAt+5Vg0UBCvCiu8Tx8Dl/K5I/8Siod7xAFTQlUtxIW -ebu/zaCSZp6U4f8CAwEAAaM5MDcwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYD -VR0OBBYEFM53bt4L9CH4eMAafMO5ZuxMPUojMA0GCSqGSIb3DQEBBQUAA4GBAEUj -MPTOuMm2oC5KoGS9vlfVZO1KjZWjmhk8VnsUpi5sNzeuKrFCLgy4flf1WjgpjXhT -sy3Iwpfzq1FqxN+Gl8poVTng+JlavaThNFA0j3DSdC24kO+40iI6zr6CqEuzMs0b -jQtpfQzXtjPcaEF2oTYgjro0Rb5xvau/dHeH5r9/ +MIIE/zCCAuegAwIBAgIBAjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw +OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxMloXDTM4 +MDExNjE1MDUxMlowITELMAkGA1UEBhMCU0UxEjAQBgNVBAMMCVRlc3QgY2VydDCC +AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKnJzvi3d5k8clSMzwpjnfLf +DQdvIlQXcf92ptGeM/UFP6wyvljlfKfTKd09OGJkjYLSqvUFNvO8rX9OucVWierC +17GWaf33TjVWWXwDkXlg9KGoeKAaBC4KmLfMvvPqKGrXXoCNdMf02JZIRJQbzk+a +ZY1UxsRps7775JF5XsW6+d8D3hTiaBpq6VGDAQ/mCQ/JoXi0dUUY8EN8ETeykc1Q +bnFCacA22uG8JPq9j8XOytSvs/HXIMGsTTFCxc1ubEEMjo0IjyywdgIY1w0P/spn +P7b+GzanyjO9ATZ+l/bjVZxLpfpIWKcHyshxLOkFfjpASqq3NBPhsFrrWFAOmTG9 +b+n7vUv4BXBeAUE2z81/btHm3ucjqYZJYSb8qVijRTeyR/ruzXThoSjMUF/psP5n +C37cT+n+XepVmofQE22eufHNCLPax9I+3PrSA1j35kMDW8kN7tYmsPrrNl6j0K7L +AEyXu5pjCVkQa8X550o/duuiY49FzEOPShUv3D7yET0HA8S4xeVlGsfSh0JT06k/ ++5mguEVDRewJWcm9VSLgDhntSf2221yEsAGJUKPKHkG6gofb2rUrcQiuG3BBQcok 
+cGuaydsdsmWUAZ3tuLU2TPDwOb6/5EkC1FXsEd0j42/BKJl3RClwom7sslOG4cFF +PGfqEgizvtK+nwCwmx9hAgMBAAGjOTA3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXg +MB0GA1UdDgQWBBTT4Vkgod49ElcKPboKbmcOQKeaiDANBgkqhkiG9w0BAQUFAAOC +AgEADyxokDNnsoYJJuxlKa521qYvUw7TFs0uDajRFCL1Y2apPXhDQKnb7wJS0anD +C60kjqBWYx+6I0hkdKwsvWf4h22/1oNoqpnOTAsw1gZZfHQOLIvuWmGv//c8URCn +k0Rvu/SLWiteHEyJYHGv/b/A/RkEEoGgzu203GQSgDYYnxwzJZTdlFHrocYhBrUW +BX3TIFPeYF1AbPF7oZh/Gr05RgrspszrepbVQ23lx2HS+e12qEQ/yJ1FGiw7UvgI +e2c5qq6IT+uQmZz4i67HeutAsep4UXTpESzC18CTNcMnWYndHuZK7f3cHwjigM6g +cuwE1ywd1ixn87nO6b5wEIK1v0Upwcw2EV2DPRcRA7AX4TwF8OoHxj5izivZVUHc +DFWCD+DVqAJl+si9YBa0bVMImwYllMeP7qxdJa3Nna9/qFqZSfz7rWmOxMlXfIgs +MivsEe1hzESSpxgRGZbmvohd7Q/cyiox6S2qA3UD9EJebIa5f7dZcLoJsbooOr5o +RaAuiQvqptmFWL9UHAJWOtRPiHpeyCEzZHZ0aDZ6pBymW7jx75gQgoTU3y00S20V +YlUxsniTMzcg26AwhdvPAHyzs6KpMdcG++fsOE89YXO/uCGwxfg/mI3bqiMBQdQ8 +mcvOSv8Q/qdSO4wPMG2kTlNNYCtqBavvuGGcpIWZrrhjyOM= -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- -MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAOhqihIC7YbjGrZ5 -GMyrw9TPMPTcKpBxwwAYIIRz1qRVtnHkM/23o+Nt1P8p0lZ/QGPkvxKKFn7/W+lq -zlC044URoSLNwrTlRrIPPgSFe6VNPnq4x3zQLfuVYNFAQrworvE8fA5fyuSP/Eoq -He8QBU0JVLcSFnm7v82gkmaelOH/AgMBAAECgYBSUxqhEqRsORmHNRHRva3aPaHL -ugjhrUozSFiMUjPfdfTwFrNL1baZopfl4jx9Iwn92FLOEFezmGRII+r8r3Y/SY9k -9SS1X4IlPBIHggDKun9OJlpkAFKlOU6HDlEdB/rXR/unzGHQYgQ9DqX3OUEEHPFr -OOxm0Yj5gvLXvCJDgQJBAPipSzTEAQAtNE/xAnTtZzZD6ABiLE62kMCBJ3dd4NBF -3+u6nssdExpdXBFrRtSqMxpbKZ5C+j2LFUI+1I6Zdd8CQQDvRoJNb5mUg3Xe+xkX -JZ/ezXv2bq8pJgPPYnMC4F1Z9KqBRIl+6hDZanKkJP6+JKzHzyNALQv8++/4u/PT -CtfhAkEAhpSp3X8Pw5azr2iTmdE7gUUzdbGspVVt9qJwR8yJdm+7B4xTkT7FLgnF -YLAc/9C2I9efKMa7RT/XW6lBxYQNJQJAe2SMK+zicbE9pwkszkAL6vVi+RnpYLoG -+vrVPuV/nrVK/LDgiz+gAs8fYcDmUh5NsBkFH8JbTVKLVWVv/yS3YQJAA7u25lSb -JMuylkeVzpg52uaOTNK2NtOH8cXZOSMp8q4evQsrvoiVF4MGoZp0zVGpUUYIUaLA -BN+BKthYPQEPPg== +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCpyc74t3eZPHJU +jM8KY53y3w0HbyJUF3H/dqbRnjP1BT+sMr5Y5Xyn0yndPThiZI2C0qr1BTbzvK1/ 
+TrnFVonqwtexlmn99041Vll8A5F5YPShqHigGgQuCpi3zL7z6ihq116AjXTH9NiW +SESUG85PmmWNVMbEabO+++SReV7FuvnfA94U4mgaaulRgwEP5gkPyaF4tHVFGPBD +fBE3spHNUG5xQmnANtrhvCT6vY/FzsrUr7Px1yDBrE0xQsXNbmxBDI6NCI8ssHYC +GNcND/7KZz+2/hs2p8ozvQE2fpf241WcS6X6SFinB8rIcSzpBX46QEqqtzQT4bBa +61hQDpkxvW/p+71L+AVwXgFBNs/Nf27R5t7nI6mGSWEm/KlYo0U3skf67s104aEo +zFBf6bD+Zwt+3E/p/l3qVZqH0BNtnrnxzQiz2sfSPtz60gNY9+ZDA1vJDe7WJrD6 +6zZeo9CuywBMl7uaYwlZEGvF+edKP3bromOPRcxDj0oVL9w+8hE9BwPEuMXlZRrH +0odCU9OpP/uZoLhFQ0XsCVnJvVUi4A4Z7Un9tttchLABiVCjyh5BuoKH29q1K3EI +rhtwQUHKJHBrmsnbHbJllAGd7bi1Nkzw8Dm+v+RJAtRV7BHdI+NvwSiZd0QpcKJu +7LJThuHBRTxn6hIIs77Svp8AsJsfYQIDAQABAoICAGR9MKY7z+k9wV0RSaiYdO89 +3HQ97k9e4PWVv/3oaE/oH1tHXSk4CaM6c1ih1zFE2gxHqy8BOxje3sCuU3zcTxxG +3WoZ3/mT2RHwXV3srrjsDV1wXJRFUZv+YYzG/W1XdTxm42OqVSfTXizz8MLIAj9S +3i/bsRimht/OLeV7s//LPgAkRdiOd5bLF/RKWOKT/2D8sTjDdXTD4c/PKlGQuoKN +zA/0gqpkzP81X52Xe/RTA/EFXLcR4C1AUR+KqY+Af0mwqN4H5tVIS0/Ka90rTl10 +5lzj4C9k92PPxVv/aOmSeyTaEQ4kq3OQRRCFC1OPELphOs/3RjdOKBZnnAkl2ryC +pg2EquKfA4W1LGqI+MbNhKlppnyBef5FNOHK9PsH6luF/KASTtLvc5/Xu/d0Lza5 +flS9ah/srA4ejwDsUnREjajwfroGxpl7Nem9NCneETqOc0yBRsJalDhbsxTbotQ+ +tHq2CqMNtuxXRDk59QHDSszzjUMKnDqkADdKjHy2cWkKkjgBnk4iqL+BKN7pUU50 +R7t0Fh3HNa6EGW8UQwPQFAEE7C9AhhI+keT5zyQZ3F+Dppx+qDbUv3xKwti/9Y53 +IttHyi+N3SBWNTiJZmJ1X1tY5KGXIWvbotuU8jSxXvzebn1nOjQtxcEuNdgJv5Bk +m7mRe5VjtaFtj0qM0yJRAoIBAQDZWanHESJ/IU1BrYx10tp92CYbgZiV8g+LJB1j +EdkaMg6ak0mzWPWmeKPKalMEcF6/RwBcicBZYZaOLGVfl3wVd9Qk+O7k5sc7HaV3 +9hIdAlpLgbl3Owf7IcW+D7A48+Cd6dHDx0pWijf17OYaPis2+2m1Kdx+VC4QA1Jb +w/h8dctUlqrkAFBnrAxHG3RPtE4fk8SknS8MWYwNTqPaVEhHpbS7PRvSX8nAk0EP +aLlNV+G+twqng4aZWTN/usPYW05eh4kmhnSaSNe93EQIkwcyqk1hASxgFhFxid1c +QkiwSoJl06ilbNietbEBcdepmJKEHJyzUPFuCBe1bTdRukBbAoIBAQDH+wFG3ADb +S8CHXVgN+YuOYgKihkPqJxWYwZJaRDg/8Brp3+U4gWy8crwAr3yyu1ZxloRjUoxw +31Jc0ec6lGLMYWqSVjAOFWs0OL2IG27qVxZ4qiAjO+Y88KFj4b9ZJnZBGBt0bjhk +ZTDnEJlK1F27IIFiFU1Z/lG9gjEisFf4OFDbCLzgy39IampF6FvteEx9lTcWjFSC +dQJwGRDwvm5jWF0BYyf6yCrnkQUk80Fc6DXm5gUhFyA6qu0cbm5Z+BpGC9J2+QlE 
+vANLTGeol8f3iDv264U6iQ5S6pdzcg+BHcG8F3uXvMmnEKBTKxyJeACAJzlmL/Oc +VqCdbN5v3mvzAoIBAQDVtJmAR9K5WU8TAscWmmmGTt65MOWMmWK7FplmbYgff5Ro +W+WdWBzAv+GcBor11F70h6VNV4wu1gsoY3KRWOsCWL3YVILfwiGmeHHXz7TjnQqX +L0fiecJRJFW/mMFWXkQ+QEalzu/Cw0hen71nlDT9bJn1LOHFvJNF3149KCTMiy2P +UE1avQxRwxKXX+Eu9UPTPIGesYYvCGTyOJ5W74PaHo3jhCQ050YB+UeBFSENcRlf +Ya4yItpXMSO3tTUXKD+YJn+tx4oioPivj0G9hIMRR+2pMXQmTcx87GcgbXP3EmvA +Hyq07J7Y/iC6IOtBr+hvyYoxraaU35QgKPC5hP39AoIBAQCjg1bt62E/7daEWAxx +kMNNLlJdNU8+m6qK9muGJxWfIeG/rPQtmZWhGGckYFijg44Q3jNtSsfOWqtrfa2F +NmL6HgUXliVAvr6jOmmuak/siDy1eNVCOe3tkgtEMgdVC5/RZba9Ioo1fI/Zvra4 +eqARK2jfG+/dT5biTxuB85JaQSHLln9phrqSKYCvnGfd6WkRnfonE6Ld8HKH2dcC +IZL84/lX8w1zfkumf+sm5UdigfPg0d8LyW7uyWeKwbi1E6nX8D6sTMAJVXmUDesL +7N7yRJBTOwv6aqotnecr2+1Vc1E/TCwgS5rOYUfV+QAiXt556piCN18HS8WUMrpF +2iWFAoIBAD2Dn6bz86duyuuQ4CPAnawONcEVmUpajbrIKi0hqYEVIN5IF/LshvNY +Lqtf/PWWWocF9b1K71wDuMs499Tf6Kr0b+AuBRZs9WbMthJhY5+xzU9IqwbRzgFJ +81BGu796PezbBOS7vVqrGkpi3CBG0nDg3gQ3ZbBLVtEcx0WfX8QMXw9Ib9UxfOOX +jKVEvNoy1R0p2C21xan5/fUyR5K/Dq5DIylUrpxWMUgC8lIktDulItGKh/3llCq+ +uu+wN91SkXC1pxTG3yDKP49PrcTV6M7G1JYUXkSQaiWgwNEz59f/7pMH7xxFsaHI +nC68md8aa7+0IQEQqbKOdr+LhyMXCFA= -----END PRIVATE KEY----- diff --git a/lib/hx509/data/test.crt b/lib/hx509/data/test.crt index dc4d2a273b3a..2c06613ae595 100644 --- a/lib/hx509/data/test.crt +++ b/lib/hx509/data/test.crt 
@@ -2,25 +2,51 @@ Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) - Signature Algorithm: sha1WithRSAEncryption + Signature Algorithm: sha1WithRSAEncryption Issuer: CN=hx509 Test Root CA, C=SE Validity - Not Before: Apr 26 20:29:40 2009 GMT - Not After : Apr 24 20:29:40 2019 GMT + Not Before: May 23 15:05:12 2019 GMT + Not After : Jan 16 15:05:12 2038 GMT Subject: C=SE, CN=Test cert Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) + Public-Key: (4096 bit) Modulus: - 00:e8:6a:8a:12:02:ed:86:e3:1a:b6:79:18:cc:ab: - c3:d4:cf:30:f4:dc:2a:90:71:c3:00:18:20:84:73: - d6:a4:55:b6:71:e4:33:fd:b7:a3:e3:6d:d4:ff:29: - d2:56:7f:40:63:e4:bf:12:8a:16:7e:ff:5b:e9:6a: - ce:50:b4:e3:85:11:a1:22:cd:c2:b4:e5:46:b2:0f: - 3e:04:85:7b:a5:4d:3e:7a:b8:c7:7c:d0:2d:fb:95: - 60:d1:40:42:bc:28:ae:f1:3c:7c:0e:5f:ca:e4:8f: - fc:4a:2a:1d:ef:10:05:4d:09:54:b7:12:16:79:bb: - bf:cd:a0:92:66:9e:94:e1:ff + 00:a9:c9:ce:f8:b7:77:99:3c:72:54:8c:cf:0a:63: + 9d:f2:df:0d:07:6f:22:54:17:71:ff:76:a6:d1:9e: + 33:f5:05:3f:ac:32:be:58:e5:7c:a7:d3:29:dd:3d: + 38:62:64:8d:82:d2:aa:f5:05:36:f3:bc:ad:7f:4e: + b9:c5:56:89:ea:c2:d7:b1:96:69:fd:f7:4e:35:56: + 59:7c:03:91:79:60:f4:a1:a8:78:a0:1a:04:2e:0a: + 98:b7:cc:be:f3:ea:28:6a:d7:5e:80:8d:74:c7:f4: + d8:96:48:44:94:1b:ce:4f:9a:65:8d:54:c6:c4:69: + b3:be:fb:e4:91:79:5e:c5:ba:f9:df:03:de:14:e2: + 68:1a:6a:e9:51:83:01:0f:e6:09:0f:c9:a1:78:b4: + 75:45:18:f0:43:7c:11:37:b2:91:cd:50:6e:71:42: + 69:c0:36:da:e1:bc:24:fa:bd:8f:c5:ce:ca:d4:af: + b3:f1:d7:20:c1:ac:4d:31:42:c5:cd:6e:6c:41:0c: + 8e:8d:08:8f:2c:b0:76:02:18:d7:0d:0f:fe:ca:67: + 3f:b6:fe:1b:36:a7:ca:33:bd:01:36:7e:97:f6:e3: + 55:9c:4b:a5:fa:48:58:a7:07:ca:c8:71:2c:e9:05: + 7e:3a:40:4a:aa:b7:34:13:e1:b0:5a:eb:58:50:0e: + 99:31:bd:6f:e9:fb:bd:4b:f8:05:70:5e:01:41:36: + cf:cd:7f:6e:d1:e6:de:e7:23:a9:86:49:61:26:fc: + a9:58:a3:45:37:b2:47:fa:ee:cd:74:e1:a1:28:cc: + 50:5f:e9:b0:fe:67:0b:7e:dc:4f:e9:fe:5d:ea:55: + 9a:87:d0:13:6d:9e:b9:f1:cd:08:b3:da:c7:d2:3e: + 
dc:fa:d2:03:58:f7:e6:43:03:5b:c9:0d:ee:d6:26: + b0:fa:eb:36:5e:a3:d0:ae:cb:00:4c:97:bb:9a:63: + 09:59:10:6b:c5:f9:e7:4a:3f:76:eb:a2:63:8f:45: + cc:43:8f:4a:15:2f:dc:3e:f2:11:3d:07:03:c4:b8: + c5:e5:65:1a:c7:d2:87:42:53:d3:a9:3f:fb:99:a0: + b8:45:43:45:ec:09:59:c9:bd:55:22:e0:0e:19:ed: + 49:fd:b6:db:5c:84:b0:01:89:50:a3:ca:1e:41:ba: + 82:87:db:da:b5:2b:71:08:ae:1b:70:41:41:ca:24: + 70:6b:9a:c9:db:1d:b2:65:94:01:9d:ed:b8:b5:36: + 4c:f0:f0:39:be:bf:e4:49:02:d4:55:ec:11:dd:23: + e3:6f:c1:28:99:77:44:29:70:a2:6e:ec:b2:53:86: + e1:c1:45:3c:67:ea:12:08:b3:be:d2:be:9f:00:b0: + 9b:1f:61 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
@@ -28,26 +54,63 @@ Certificate: X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Key Identifier: - CE:77:6E:DE:0B:F4:21:F8:78:C0:1A:7C:C3:B9:66:EC:4C:3D:4A:23 + D3:E1:59:20:A1:DE:3D:12:57:0A:3D:BA:0A:6E:67:0E:40:A7:9A:88 Signature Algorithm: sha1WithRSAEncryption - 45:23:30:f4:ce:b8:c9:b6:a0:2e:4a:a0:64:bd:be:57:d5:64: - ed:4a:8d:95:a3:9a:19:3c:56:7b:14:a6:2e:6c:37:37:ae:2a: - b1:42:2e:0c:b8:7e:57:f5:5a:38:29:8d:78:53:b3:2d:c8:c2: - 97:f3:ab:51:6a:c4:df:86:97:ca:68:55:39:e0:f8:99:5a:bd: - a4:e1:34:50:34:8f:70:d2:74:2d:b8:90:ef:b8:d2:22:3a:ce: - be:82:a8:4b:b3:32:cd:1b:8d:0b:69:7d:0c:d7:b6:33:dc:68: - 41:76:a1:36:20:8e:ba:34:45:be:71:bd:ab:bf:74:77:87:e6: - bf:7f + 0f:2c:68:90:33:67:b2:86:09:26:ec:65:29:ae:76:d6:a6:2f: + 53:0e:d3:16:cd:2e:0d:a8:d1:14:22:f5:63:66:a9:3d:78:43: + 40:a9:db:ef:02:52:d1:a9:c3:0b:ad:24:8e:a0:56:63:1f:ba: + 23:48:64:74:ac:2c:bd:67:f8:87:6d:bf:d6:83:68:aa:99:ce: + 4c:0b:30:d6:06:59:7c:74:0e:2c:8b:ee:5a:61:af:ff:f7:3c: + 51:10:a7:93:44:6f:bb:f4:8b:5a:2b:5e:1c:4c:89:60:71:af: + fd:bf:c0:fd:19:04:12:81:a0:ce:ed:b4:dc:64:12:80:36:18: + 9f:1c:33:25:94:dd:94:51:eb:a1:c6:21:06:b5:16:05:7d:d3: + 20:53:de:60:5d:40:6c:f1:7b:a1:98:7f:1a:bd:39:46:0a:ec: + a6:cc:eb:7a:96:d5:43:6d:e5:c7:61:d2:f9:ed:76:a8:44:3f: + c8:9d:45:1a:2c:3b:52:f8:08:7b:67:39:aa:ae:88:4f:eb:90: + 99:9c:f8:8b:ae:c7:7a:eb:40:b1:ea:78:51:74:e9:11:2c:c2: + d7:c0:93:35:c3:27:59:89:dd:1e:e6:4a:ed:fd:dc:1f:08:e2: + 80:ce:a0:72:ec:04:d7:2c:1d:d6:2c:67:f3:b9:ce:e9:be:70: + 10:82:b5:bf:45:29:c1:cc:36:11:5d:83:3d:17:11:03:b0:17: + e1:3c:05:f0:ea:07:c6:3e:62:ce:2b:d9:55:41:dc:0c:55:82: + 0f:e0:d5:a8:02:65:fa:c8:bd:60:16:b4:6d:53:08:9b:06:25: + 94:c7:8f:ee:ac:5d:25:ad:cd:9d:af:7f:a8:5a:99:49:fc:fb: + ad:69:8e:c4:c9:57:7c:88:2c:32:2b:ec:11:ed:61:cc:44:92: + a7:18:11:19:96:e6:be:88:5d:ed:0f:dc:ca:2a:31:e9:2d:aa: + 03:75:03:f4:42:5e:6c:86:b9:7f:b7:59:70:ba:09:b1:ba:28: + 3a:be:68:45:a0:2e:89:0b:ea:a6:d9:85:58:bf:54:1c:02:56: + 
3a:d4:4f:88:7a:5e:c8:21:33:64:76:74:68:36:7a:a4:1c:a6: + 5b:b8:f1:ef:98:10:82:84:d4:df:2d:34:4b:6d:15:62:55:31: + b2:78:93:33:37:20:db:a0:30:85:db:cf:00:7c:b3:b3:a2:a9: + 31:d7:06:fb:e7:ec:38:4f:3d:61:73:bf:b8:21:b0:c5:f8:3f: + 98:8d:db:aa:23:01:41:d4:3c:99:cb:ce:4a:ff:10:fe:a7:52: + 3b:8c:0f:30:6d:a4:4e:53:4d:60:2b:6a:05:ab:ef:b8:61:9c: + a4:85:99:ae:b8:63:c8:e3 -----BEGIN CERTIFICATE----- -MIIB+jCCAWOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw -OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA5MDQyNjIwMjk0MFoXDTE5 -MDQyNDIwMjk0MFowITELMAkGA1UEBhMCU0UxEjAQBgNVBAMMCVRlc3QgY2VydDCB -nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6GqKEgLthuMatnkYzKvD1M8w9Nwq -kHHDABgghHPWpFW2ceQz/bej423U/ynSVn9AY+S/EooWfv9b6WrOULTjhRGhIs3C -tOVGsg8+BIV7pU0+erjHfNAt+5Vg0UBCvCiu8Tx8Dl/K5I/8Siod7xAFTQlUtxIW -ebu/zaCSZp6U4f8CAwEAAaM5MDcwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYD -VR0OBBYEFM53bt4L9CH4eMAafMO5ZuxMPUojMA0GCSqGSIb3DQEBBQUAA4GBAEUj -MPTOuMm2oC5KoGS9vlfVZO1KjZWjmhk8VnsUpi5sNzeuKrFCLgy4flf1WjgpjXhT -sy3Iwpfzq1FqxN+Gl8poVTng+JlavaThNFA0j3DSdC24kO+40iI6zr6CqEuzMs0b -jQtpfQzXtjPcaEF2oTYgjro0Rb5xvau/dHeH5r9/ +MIIE/zCCAuegAwIBAgIBAjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw +OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxMloXDTM4 +MDExNjE1MDUxMlowITELMAkGA1UEBhMCU0UxEjAQBgNVBAMMCVRlc3QgY2VydDCC +AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKnJzvi3d5k8clSMzwpjnfLf +DQdvIlQXcf92ptGeM/UFP6wyvljlfKfTKd09OGJkjYLSqvUFNvO8rX9OucVWierC +17GWaf33TjVWWXwDkXlg9KGoeKAaBC4KmLfMvvPqKGrXXoCNdMf02JZIRJQbzk+a +ZY1UxsRps7775JF5XsW6+d8D3hTiaBpq6VGDAQ/mCQ/JoXi0dUUY8EN8ETeykc1Q +bnFCacA22uG8JPq9j8XOytSvs/HXIMGsTTFCxc1ubEEMjo0IjyywdgIY1w0P/spn +P7b+GzanyjO9ATZ+l/bjVZxLpfpIWKcHyshxLOkFfjpASqq3NBPhsFrrWFAOmTG9 +b+n7vUv4BXBeAUE2z81/btHm3ucjqYZJYSb8qVijRTeyR/ruzXThoSjMUF/psP5n +C37cT+n+XepVmofQE22eufHNCLPax9I+3PrSA1j35kMDW8kN7tYmsPrrNl6j0K7L +AEyXu5pjCVkQa8X550o/duuiY49FzEOPShUv3D7yET0HA8S4xeVlGsfSh0JT06k/ ++5mguEVDRewJWcm9VSLgDhntSf2221yEsAGJUKPKHkG6gofb2rUrcQiuG3BBQcok 
+cGuaydsdsmWUAZ3tuLU2TPDwOb6/5EkC1FXsEd0j42/BKJl3RClwom7sslOG4cFF +PGfqEgizvtK+nwCwmx9hAgMBAAGjOTA3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXg +MB0GA1UdDgQWBBTT4Vkgod49ElcKPboKbmcOQKeaiDANBgkqhkiG9w0BAQUFAAOC +AgEADyxokDNnsoYJJuxlKa521qYvUw7TFs0uDajRFCL1Y2apPXhDQKnb7wJS0anD +C60kjqBWYx+6I0hkdKwsvWf4h22/1oNoqpnOTAsw1gZZfHQOLIvuWmGv//c8URCn +k0Rvu/SLWiteHEyJYHGv/b/A/RkEEoGgzu203GQSgDYYnxwzJZTdlFHrocYhBrUW +BX3TIFPeYF1AbPF7oZh/Gr05RgrspszrepbVQ23lx2HS+e12qEQ/yJ1FGiw7UvgI +e2c5qq6IT+uQmZz4i67HeutAsep4UXTpESzC18CTNcMnWYndHuZK7f3cHwjigM6g +cuwE1ywd1ixn87nO6b5wEIK1v0Upwcw2EV2DPRcRA7AX4TwF8OoHxj5izivZVUHc +DFWCD+DVqAJl+si9YBa0bVMImwYllMeP7qxdJa3Nna9/qFqZSfz7rWmOxMlXfIgs +MivsEe1hzESSpxgRGZbmvohd7Q/cyiox6S2qA3UD9EJebIa5f7dZcLoJsbooOr5o +RaAuiQvqptmFWL9UHAJWOtRPiHpeyCEzZHZ0aDZ6pBymW7jx75gQgoTU3y00S20V +YlUxsniTMzcg26AwhdvPAHyzs6KpMdcG++fsOE89YXO/uCGwxfg/mI3bqiMBQdQ8 +mcvOSv8Q/qdSO4wPMG2kTlNNYCtqBavvuGGcpIWZrrhjyOM= -----END CERTIFICATE----- diff --git a/lib/hx509/data/test.key b/lib/hx509/data/test.key index 37203bf0db2d..927813f76062 100644 --- a/lib/hx509/data/test.key +++ b/lib/hx509/data/test.key 
@@ -1,16 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAOhqihIC7YbjGrZ5 -GMyrw9TPMPTcKpBxwwAYIIRz1qRVtnHkM/23o+Nt1P8p0lZ/QGPkvxKKFn7/W+lq -zlC044URoSLNwrTlRrIPPgSFe6VNPnq4x3zQLfuVYNFAQrworvE8fA5fyuSP/Eoq -He8QBU0JVLcSFnm7v82gkmaelOH/AgMBAAECgYBSUxqhEqRsORmHNRHRva3aPaHL -ugjhrUozSFiMUjPfdfTwFrNL1baZopfl4jx9Iwn92FLOEFezmGRII+r8r3Y/SY9k -9SS1X4IlPBIHggDKun9OJlpkAFKlOU6HDlEdB/rXR/unzGHQYgQ9DqX3OUEEHPFr -OOxm0Yj5gvLXvCJDgQJBAPipSzTEAQAtNE/xAnTtZzZD6ABiLE62kMCBJ3dd4NBF -3+u6nssdExpdXBFrRtSqMxpbKZ5C+j2LFUI+1I6Zdd8CQQDvRoJNb5mUg3Xe+xkX -JZ/ezXv2bq8pJgPPYnMC4F1Z9KqBRIl+6hDZanKkJP6+JKzHzyNALQv8++/4u/PT -CtfhAkEAhpSp3X8Pw5azr2iTmdE7gUUzdbGspVVt9qJwR8yJdm+7B4xTkT7FLgnF -YLAc/9C2I9efKMa7RT/XW6lBxYQNJQJAe2SMK+zicbE9pwkszkAL6vVi+RnpYLoG -+vrVPuV/nrVK/LDgiz+gAs8fYcDmUh5NsBkFH8JbTVKLVWVv/yS3YQJAA7u25lSb -JMuylkeVzpg52uaOTNK2NtOH8cXZOSMp8q4evQsrvoiVF4MGoZp0zVGpUUYIUaLA -BN+BKthYPQEPPg== +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCpyc74t3eZPHJU +jM8KY53y3w0HbyJUF3H/dqbRnjP1BT+sMr5Y5Xyn0yndPThiZI2C0qr1BTbzvK1/ +TrnFVonqwtexlmn99041Vll8A5F5YPShqHigGgQuCpi3zL7z6ihq116AjXTH9NiW +SESUG85PmmWNVMbEabO+++SReV7FuvnfA94U4mgaaulRgwEP5gkPyaF4tHVFGPBD +fBE3spHNUG5xQmnANtrhvCT6vY/FzsrUr7Px1yDBrE0xQsXNbmxBDI6NCI8ssHYC +GNcND/7KZz+2/hs2p8ozvQE2fpf241WcS6X6SFinB8rIcSzpBX46QEqqtzQT4bBa +61hQDpkxvW/p+71L+AVwXgFBNs/Nf27R5t7nI6mGSWEm/KlYo0U3skf67s104aEo +zFBf6bD+Zwt+3E/p/l3qVZqH0BNtnrnxzQiz2sfSPtz60gNY9+ZDA1vJDe7WJrD6 +6zZeo9CuywBMl7uaYwlZEGvF+edKP3bromOPRcxDj0oVL9w+8hE9BwPEuMXlZRrH +0odCU9OpP/uZoLhFQ0XsCVnJvVUi4A4Z7Un9tttchLABiVCjyh5BuoKH29q1K3EI +rhtwQUHKJHBrmsnbHbJllAGd7bi1Nkzw8Dm+v+RJAtRV7BHdI+NvwSiZd0QpcKJu +7LJThuHBRTxn6hIIs77Svp8AsJsfYQIDAQABAoICAGR9MKY7z+k9wV0RSaiYdO89 +3HQ97k9e4PWVv/3oaE/oH1tHXSk4CaM6c1ih1zFE2gxHqy8BOxje3sCuU3zcTxxG +3WoZ3/mT2RHwXV3srrjsDV1wXJRFUZv+YYzG/W1XdTxm42OqVSfTXizz8MLIAj9S +3i/bsRimht/OLeV7s//LPgAkRdiOd5bLF/RKWOKT/2D8sTjDdXTD4c/PKlGQuoKN +zA/0gqpkzP81X52Xe/RTA/EFXLcR4C1AUR+KqY+Af0mwqN4H5tVIS0/Ka90rTl10 
+5lzj4C9k92PPxVv/aOmSeyTaEQ4kq3OQRRCFC1OPELphOs/3RjdOKBZnnAkl2ryC +pg2EquKfA4W1LGqI+MbNhKlppnyBef5FNOHK9PsH6luF/KASTtLvc5/Xu/d0Lza5 +flS9ah/srA4ejwDsUnREjajwfroGxpl7Nem9NCneETqOc0yBRsJalDhbsxTbotQ+ +tHq2CqMNtuxXRDk59QHDSszzjUMKnDqkADdKjHy2cWkKkjgBnk4iqL+BKN7pUU50 +R7t0Fh3HNa6EGW8UQwPQFAEE7C9AhhI+keT5zyQZ3F+Dppx+qDbUv3xKwti/9Y53 +IttHyi+N3SBWNTiJZmJ1X1tY5KGXIWvbotuU8jSxXvzebn1nOjQtxcEuNdgJv5Bk +m7mRe5VjtaFtj0qM0yJRAoIBAQDZWanHESJ/IU1BrYx10tp92CYbgZiV8g+LJB1j +EdkaMg6ak0mzWPWmeKPKalMEcF6/RwBcicBZYZaOLGVfl3wVd9Qk+O7k5sc7HaV3 +9hIdAlpLgbl3Owf7IcW+D7A48+Cd6dHDx0pWijf17OYaPis2+2m1Kdx+VC4QA1Jb +w/h8dctUlqrkAFBnrAxHG3RPtE4fk8SknS8MWYwNTqPaVEhHpbS7PRvSX8nAk0EP +aLlNV+G+twqng4aZWTN/usPYW05eh4kmhnSaSNe93EQIkwcyqk1hASxgFhFxid1c +QkiwSoJl06ilbNietbEBcdepmJKEHJyzUPFuCBe1bTdRukBbAoIBAQDH+wFG3ADb +S8CHXVgN+YuOYgKihkPqJxWYwZJaRDg/8Brp3+U4gWy8crwAr3yyu1ZxloRjUoxw +31Jc0ec6lGLMYWqSVjAOFWs0OL2IG27qVxZ4qiAjO+Y88KFj4b9ZJnZBGBt0bjhk +ZTDnEJlK1F27IIFiFU1Z/lG9gjEisFf4OFDbCLzgy39IampF6FvteEx9lTcWjFSC +dQJwGRDwvm5jWF0BYyf6yCrnkQUk80Fc6DXm5gUhFyA6qu0cbm5Z+BpGC9J2+QlE +vANLTGeol8f3iDv264U6iQ5S6pdzcg+BHcG8F3uXvMmnEKBTKxyJeACAJzlmL/Oc +VqCdbN5v3mvzAoIBAQDVtJmAR9K5WU8TAscWmmmGTt65MOWMmWK7FplmbYgff5Ro +W+WdWBzAv+GcBor11F70h6VNV4wu1gsoY3KRWOsCWL3YVILfwiGmeHHXz7TjnQqX +L0fiecJRJFW/mMFWXkQ+QEalzu/Cw0hen71nlDT9bJn1LOHFvJNF3149KCTMiy2P +UE1avQxRwxKXX+Eu9UPTPIGesYYvCGTyOJ5W74PaHo3jhCQ050YB+UeBFSENcRlf +Ya4yItpXMSO3tTUXKD+YJn+tx4oioPivj0G9hIMRR+2pMXQmTcx87GcgbXP3EmvA +Hyq07J7Y/iC6IOtBr+hvyYoxraaU35QgKPC5hP39AoIBAQCjg1bt62E/7daEWAxx +kMNNLlJdNU8+m6qK9muGJxWfIeG/rPQtmZWhGGckYFijg44Q3jNtSsfOWqtrfa2F +NmL6HgUXliVAvr6jOmmuak/siDy1eNVCOe3tkgtEMgdVC5/RZba9Ioo1fI/Zvra4 +eqARK2jfG+/dT5biTxuB85JaQSHLln9phrqSKYCvnGfd6WkRnfonE6Ld8HKH2dcC +IZL84/lX8w1zfkumf+sm5UdigfPg0d8LyW7uyWeKwbi1E6nX8D6sTMAJVXmUDesL +7N7yRJBTOwv6aqotnecr2+1Vc1E/TCwgS5rOYUfV+QAiXt556piCN18HS8WUMrpF +2iWFAoIBAD2Dn6bz86duyuuQ4CPAnawONcEVmUpajbrIKi0hqYEVIN5IF/LshvNY +Lqtf/PWWWocF9b1K71wDuMs499Tf6Kr0b+AuBRZs9WbMthJhY5+xzU9IqwbRzgFJ 
+81BGu796PezbBOS7vVqrGkpi3CBG0nDg3gQ3ZbBLVtEcx0WfX8QMXw9Ib9UxfOOX +jKVEvNoy1R0p2C21xan5/fUyR5K/Dq5DIylUrpxWMUgC8lIktDulItGKh/3llCq+ +uu+wN91SkXC1pxTG3yDKP49PrcTV6M7G1JYUXkSQaiWgwNEz59f/7pMH7xxFsaHI +nC68md8aa7+0IQEQqbKOdr+LhyMXCFA= -----END PRIVATE KEY----- diff --git a/lib/hx509/data/test.p12 b/lib/hx509/data/test.p12 Binary files differindex c644bb46d983..2184547cdc77 100644 --- a/lib/hx509/data/test.p12 +++ b/lib/hx509/data/test.p12 diff --git a/lib/hx509/hx509-protos.h b/lib/hx509/hx509-protos.h index 8de7a67ab7df..ed9bfb552db3 100644 --- a/lib/hx509/hx509-protos.h +++ b/lib/hx509/hx509-protos.h @@ -1353,7 +1353,7 @@ hx509_cms_decrypt_encrypted ( * * @param context A hx509 context. * @param flags flags to control the behavior. - * - HX509_CMS_EV_NO_KU_CHECK - Dont check KU on certificate + * - HX509_CMS_EV_NO_KU_CHECK - Don't check KU on certificate * - HX509_CMS_EV_ALLOW_WEAK - Allow weak crytpo * - HX509_CMS_EV_ID_NAME - prefer issuer name and serial number * @param cert Certificate to encrypt the EnvelopedData encryption key diff --git a/lib/hx509/ks_file.c b/lib/hx509/ks_file.c index 642dd173b53c..d7726f084ad7 100644 --- a/lib/hx509/ks_file.c +++ b/lib/hx509/ks_file.c @@ -126,10 +126,10 @@ try_decrypt(hx509_context context, &clear, NULL); - memset(clear.data, 0, clear.length); + memset_s(clear.data, clear.length, 0, clear.length); free(clear.data); out: - memset(key, 0, keylen); + memset_s(key, keylen, 0, keylen); free(key); return ret; } @@ -292,7 +292,7 @@ parse_pem_private_key(hx509_context context, const char *fn, ret = try_decrypt(context, c, ai, cipher, ivdata, password, strlen(password), data, len); /* XXX add password to lock password collection ? */ - memset(password, 0, sizeof(password)); + memset_s(password, sizeof(password), 0, sizeof(password)); } free(ivdata); diff --git a/lib/hx509/print.c b/lib/hx509/print.c index 4d2c3e2a421d..01c275455a54 100644 --- a/lib/hx509/print.c +++ b/lib/hx509/print.c 
@@ -234,7 +234,7 @@ validate_print(hx509_validate_ctx ctx, int flags, const char *fmt, ...) } /* - * Dont Care, SHOULD critical, SHOULD NOT critical, MUST critical, + * Don't Care, SHOULD critical, SHOULD NOT critical, MUST critical, * MUST NOT critical */ enum critical_flag { D_C = 0, S_C, S_N_C, M_C, M_N_C }; diff --git a/lib/kadm5/check-cracklib.pl b/lib/kadm5/check-cracklib.pl index a6fbd4c82d49..a6fbd4c82d49 100755..100644 --- a/lib/kadm5/check-cracklib.pl +++ b/lib/kadm5/check-cracklib.pl diff --git a/lib/kadm5/init_s.c b/lib/kadm5/init_s.c index ada584825ba9..926c23510e9e 100644 --- a/lib/kadm5/init_s.c +++ b/lib/kadm5/init_s.c @@ -103,7 +103,7 @@ kadm5_s_init_with_context(krb5_context context, kadm5_s_destroy(ctx); else *server_handle = ctx; - return 0; + return ret; } kadm5_ret_t diff --git a/lib/kadm5/ipropd_slave.c b/lib/kadm5/ipropd_slave.c index 868dc35cbb28..0ec529ccf1d4 100644 --- a/lib/kadm5/ipropd_slave.c +++ b/lib/kadm5/ipropd_slave.c @@ -512,6 +512,8 @@ receive_everything(krb5_context context, int fd, if (ret) krb5_err(context, IPROPD_RESTART, ret, "db->open"); + (void) mydb->hdb_set_sync(context, mydb, 0); + sp = NULL; krb5_data_zero(&data); do { @@ -563,6 +565,9 @@ receive_everything(krb5_context context, int fd, reinit_log(context, server_context, vno); + ret = mydb->hdb_set_sync(context, mydb, 1); + if (ret) + krb5_err(context, IPROPD_RESTART_SLOW, ret, "failed to sync the received HDB"); ret = mydb->hdb_close(context, mydb); if (ret) krb5_err(context, IPROPD_RESTART_SLOW, ret, "db->close"); diff --git a/lib/kdfs/k5dfspag.c b/lib/kdfs/k5dfspag.c index 66d291a07cf1..9db2555d051d 100644 --- a/lib/kdfs/k5dfspag.c +++ b/lib/kdfs/k5dfspag.c @@ -274,7 +274,7 @@ int krb5_dfs_pag(context, flag, principal, luser) /* test if DFS is running or installed */ if (krb5_dfs_getpag() == -2) - return(0); /* DFS not running, dont try */ + return(0); /* DFS not running, don't try */ if (pipe(fd) == -1) return(0); 
@@ -305,7 +305,7 @@ int krb5_dfs_pag(context, flag, principal, luser) /* parent, wait for child to finish */ - close(fd[1]); /* dont need this end of pipe */ + close(fd[1]); /* don't need this end of pipe */ /* #if defined(sgi) || defined(_sgi) */ /* wait_status.w_status = 0; */ diff --git a/lib/krb5/build_auth.c b/lib/krb5/build_auth.c index 003ccae8cc87..cbc67744a4e1 100644 --- a/lib/krb5/build_auth.c +++ b/lib/krb5/build_auth.c @@ -117,8 +117,12 @@ _krb5_build_authenticator (krb5_context context, memset(&auth, 0, sizeof(auth)); auth.authenticator_vno = 5; - copy_Realm(&cred->client->realm, &auth.crealm); - copy_PrincipalName(&cred->client->name, &auth.cname); + ret = copy_Realm(&cred->client->realm, &auth.crealm); + if (ret) + goto fail; + ret = copy_PrincipalName(&cred->client->name, &auth.cname); + if (ret) + goto fail; krb5_us_timeofday (context, &auth.ctime, &auth.cusec); diff --git a/lib/krb5/crypto-arcfour.c b/lib/krb5/crypto-arcfour.c index e195bd3a0d7b..ae576eccfea5 100644 --- a/lib/krb5/crypto-arcfour.c +++ b/lib/krb5/crypto-arcfour.c @@ -180,9 +180,9 @@ ARCFOUR_subencrypt(krb5_context context, EVP_Cipher(&ctx, cdata + 16, cdata + 16, len - 16); EVP_CIPHER_CTX_cleanup(&ctx); - memset (k1_c_data, 0, sizeof(k1_c_data)); - memset (k2_c_data, 0, sizeof(k2_c_data)); - memset (k3_c_data, 0, sizeof(k3_c_data)); + memset_s(k1_c_data, sizeof(k1_c_data), 0, sizeof(k1_c_data)); + memset_s(k2_c_data, sizeof(k2_c_data), 0, sizeof(k2_c_data)); + memset_s(k3_c_data, sizeof(k3_c_data), 0, sizeof(k3_c_data)); return 0; } 
@@ -247,9 +247,9 @@ ARCFOUR_subdecrypt(krb5_context context, if (ret) krb5_abortx(context, "hmac failed"); - memset (k1_c_data, 0, sizeof(k1_c_data)); - memset (k2_c_data, 0, sizeof(k2_c_data)); - memset (k3_c_data, 0, sizeof(k3_c_data)); + memset_s(k1_c_data, sizeof(k1_c_data), 0, sizeof(k1_c_data)); + memset_s(k2_c_data, sizeof(k2_c_data), 0, sizeof(k2_c_data)); + memset_s(k3_c_data, sizeof(k3_c_data), 0, sizeof(k3_c_data)); if (ct_memcmp (cksum.checksum.data, data, 16) != 0) { krb5_clear_error_message (context); diff --git a/lib/krb5/crypto-des-common.c b/lib/krb5/crypto-des-common.c index 2565914de830..95f6389d1e84 100644 --- a/lib/krb5/crypto-des-common.c +++ b/lib/krb5/crypto-des-common.c @@ -77,7 +77,7 @@ _krb5_des_checksum(krb5_context context, EVP_DigestUpdate(m, data, len); EVP_DigestFinal_ex (m, p + 8, NULL); EVP_MD_CTX_destroy(m); - memset (&ivec, 0, sizeof(ivec)); + memset_s(&ivec, sizeof(ivec), 0, sizeof(ivec)); EVP_CipherInit_ex(&ctx->ectx, NULL, NULL, NULL, (void *)&ivec, -1); EVP_Cipher(&ctx->ectx, p, p, 24); @@ -103,7 +103,7 @@ _krb5_des_verify(krb5_context context, if (m == NULL) return krb5_enomem(context); - memset(&ivec, 0, sizeof(ivec)); + memset_s(&ivec, sizeof(ivec), 0, sizeof(ivec)); EVP_CipherInit_ex(&ctx->dctx, NULL, NULL, NULL, (void *)&ivec, -1); EVP_Cipher(&ctx->dctx, tmp, C->checksum.data, 24); @@ -116,8 +116,8 @@ _krb5_des_verify(krb5_context context, krb5_clear_error_message (context); ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; } - memset(tmp, 0, sizeof(tmp)); - memset(res, 0, sizeof(res)); + memset_s(tmp, sizeof(tmp), 0, sizeof(tmp)); + memset_s(res, sizeof(res), 0, sizeof(res)); return ret; } diff --git a/lib/krb5/crypto-pk.c b/lib/krb5/crypto-pk.c index c5d87a1b566e..24a07cdbdfc7 100644 --- a/lib/krb5/crypto-pk.c +++ b/lib/krb5/crypto-pk.c 
@@ -92,12 +92,12 @@ _krb5_pk_octetstring2key(krb5_context context, offset += sizeof(shaoutput); counter++; } while(offset < keylen); - memset(shaoutput, 0, sizeof(shaoutput)); + memset_s(shaoutput, sizeof(shaoutput), 0, sizeof(shaoutput)); EVP_MD_CTX_destroy(m); ret = krb5_random_to_key(context, type, keydata, keylen, key); - memset(keydata, 0, sizeof(keylen)); + memset_s(keydata, sizeof(keylen), 0, sizeof(keylen)); free(keydata); return ret; } @@ -282,13 +282,13 @@ _krb5_pk_kdf(krb5_context context, offset += EVP_MD_CTX_size(m); counter++; } while(offset < keylen); - memset(shaoutput, 0, sizeof(shaoutput)); + memset_s(shaoutput, sizeof(shaoutput), 0, sizeof(shaoutput)); EVP_MD_CTX_destroy(m); free(other.data); ret = krb5_random_to_key(context, enctype, keydata, keylen, key); - memset(keydata, 0, sizeof(keylen)); + memset_s(keydata, sizeof(keylen), 0, sizeof(keylen)); free(keydata); return ret; diff --git a/lib/krb5/deprecated.c b/lib/krb5/deprecated.c index e3c142d889df..5530e841b3b9 100644 --- a/lib/krb5/deprecated.c +++ b/lib/krb5/deprecated.c @@ -207,7 +207,7 @@ krb5_password_key_proc (krb5_context context, password = buf; } ret = krb5_string_to_key_salt (context, type, password, salt, *key); - memset (buf, 0, sizeof(buf)); + memset_s(buf, sizeof(buf), 0, sizeof(buf)); return ret; } diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c index f7318eeb2488..b5dae62b0210 100644 --- a/lib/krb5/get_cred.c +++ b/lib/krb5/get_cred.c @@ -558,8 +558,10 @@ get_cred_kdc(krb5_context context, out_creds->times.endtime = in_creds->times.endtime; /* XXX should do better testing */ - if (flags.b.constrained_delegation || impersonate_principal) + if (flags.b.cname_in_addl_tkt || impersonate_principal) eflags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH; + if (flags.b.request_anonymous) + eflags |= EXTRACT_TICKET_MATCH_ANON; ret = _krb5_extract_ticket(context, &rep, 
@@ -1033,7 +1035,7 @@ get_cred_kdc_referral(krb5_context context, char *referral_realm; /* Use cache if we are not doing impersonation or contrained deleg */ - if (impersonate_principal == NULL || flags.b.constrained_delegation) { + if (impersonate_principal == NULL || flags.b.cname_in_addl_tkt) { krb5_cc_clear_mcred(&mcreds); mcreds.server = referral.server; krb5_timeofday(context, &mcreds.times.endtime); @@ -1185,21 +1187,31 @@ check_cc(krb5_context context, krb5_flags options, krb5_ccache ccache, { krb5_error_code ret; krb5_timestamp now; - krb5_times save_times = in_creds->times; - NAME_TYPE save_type = in_creds->server->name.name_type; + krb5_creds mcreds = *in_creds; krb5_timeofday(context, &now); if (!(options & KRB5_GC_EXPIRED_OK) && - in_creds->times.endtime < now) { - in_creds->times.renew_till = 0; - krb5_timeofday(context, &in_creds->times.endtime); + mcreds.times.endtime < now) { + mcreds.times.renew_till = 0; + krb5_timeofday(context, &mcreds.times.endtime); options |= KRB5_TC_MATCH_TIMES; } - if (save_type == KRB5_NT_SRV_HST_NEEDS_CANON) { + if (mcreds.server->name.name_type == KRB5_NT_SRV_HST_NEEDS_CANON) { /* Avoid name canonicalization in krb5_cc_retrieve_cred() */ - krb5_principal_set_type(context, in_creds->server, KRB5_NT_SRV_HST); + krb5_principal_set_type(context, mcreds.server, KRB5_NT_SRV_HST); + } + + if (options & KRB5_GC_ANONYMOUS) { + ret = krb5_make_principal(context, + &mcreds.client, + krb5_principal_get_realm(context, mcreds.client), + KRB5_WELLKNOWN_NAME, + KRB5_ANON_NAME, + NULL); + if (ret) + return ret; } ret = krb5_cc_retrieve_cred(context, ccache, 
@@ -1207,10 +1219,11 @@ check_cc(krb5_context context, krb5_flags options, krb5_ccache ccache, (KRB5_TC_DONT_MATCH_REALM | KRB5_TC_MATCH_KEYTYPE | KRB5_TC_MATCH_TIMES)), - in_creds, out_creds); + &mcreds, out_creds); + + if (options & KRB5_GC_ANONYMOUS) + krb5_free_principal(context, mcreds.client); - in_creds->server->name.name_type = save_type; - in_creds->times = save_times; return ret; } @@ -1574,10 +1587,10 @@ next_rule: flags.b.forwardable = 1; if (options & KRB5_GC_NO_TRANSIT_CHECK) flags.b.disable_transited_check = 1; - if (options & KRB5_GC_CONSTRAINED_DELEGATION) { - flags.b.request_anonymous = 1; /* XXX ARGH confusion */ - flags.b.constrained_delegation = 1; - } + if (options & KRB5_GC_CONSTRAINED_DELEGATION) + flags.b.cname_in_addl_tkt = 1; + if (options & KRB5_GC_ANONYMOUS) + flags.b.request_anonymous = 1; tgts = NULL; ret = _krb5_get_cred_kdc_any(context, flags, ccache, diff --git a/lib/krb5/get_for_creds.c b/lib/krb5/get_for_creds.c index 8a00ccec8133..43265d827fe5 100644 --- a/lib/krb5/get_for_creds.c +++ b/lib/krb5/get_for_creds.c @@ -355,11 +355,17 @@ krb5_get_forwarded_creds (krb5_context context, krb_cred_info = enc_krb_cred_part.ticket_info.val; - copy_EncryptionKey (&out_creds->session, &krb_cred_info->key); + ret = copy_EncryptionKey (&out_creds->session, &krb_cred_info->key); + if (ret) + goto out4; ALLOC(krb_cred_info->prealm, 1); - copy_Realm (&out_creds->client->realm, krb_cred_info->prealm); + ret = copy_Realm (&out_creds->client->realm, krb_cred_info->prealm); + if (ret) + goto out4; ALLOC(krb_cred_info->pname, 1); - copy_PrincipalName(&out_creds->client->name, krb_cred_info->pname); + ret = copy_PrincipalName(&out_creds->client->name, krb_cred_info->pname); + if (ret) + goto out4; ALLOC(krb_cred_info->flags, 1); *krb_cred_info->flags = out_creds->flags.b; ALLOC(krb_cred_info->authtime, 1); 
@@ -371,11 +377,17 @@ krb5_get_forwarded_creds (krb5_context context, ALLOC(krb_cred_info->renew_till, 1); *krb_cred_info->renew_till = out_creds->times.renew_till; ALLOC(krb_cred_info->srealm, 1); - copy_Realm (&out_creds->server->realm, krb_cred_info->srealm); + ret = copy_Realm (&out_creds->server->realm, krb_cred_info->srealm); + if (ret) + goto out4; ALLOC(krb_cred_info->sname, 1); - copy_PrincipalName (&out_creds->server->name, krb_cred_info->sname); + ret = copy_PrincipalName (&out_creds->server->name, krb_cred_info->sname); + if (ret) + goto out4; ALLOC(krb_cred_info->caddr, 1); - copy_HostAddresses (&out_creds->addresses, krb_cred_info->caddr); + ret = copy_HostAddresses (&out_creds->addresses, krb_cred_info->caddr); + if (ret) + goto out4; krb5_free_creds (context, out_creds); diff --git a/lib/krb5/get_in_tkt.c b/lib/krb5/get_in_tkt.c index 471b900a0b97..19a638fb3bf3 100644 --- a/lib/krb5/get_in_tkt.c +++ b/lib/krb5/get_in_tkt.c @@ -492,7 +492,7 @@ krb5_get_in_cred(krb5_context context, { unsigned flags = EXTRACT_TICKET_TIMESYNC; if (opts.request_anonymous) - flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH; + flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH | EXTRACT_TICKET_MATCH_ANON; ret = _krb5_extract_ticket(context, &rep, diff --git a/lib/krb5/init_creds.c b/lib/krb5/init_creds.c index 58734c43f976..b34e3eb325c8 100644 --- a/lib/krb5/init_creds.c +++ b/lib/krb5/init_creds.c @@ -366,9 +366,11 @@ krb5_get_init_creds_opt_set_win2k(krb5_context context, if (req) { opt->opt_private->flags |= KRB5_INIT_CREDS_NO_C_CANON_CHECK; opt->opt_private->flags |= KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK; + opt->opt_private->flags |= KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK; } else { opt->opt_private->flags &= ~KRB5_INIT_CREDS_NO_C_CANON_CHECK; opt->opt_private->flags &= ~KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK; + opt->opt_private->flags &= ~KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK; } return 0; } 
diff --git a/lib/krb5/init_creds_pw.c b/lib/krb5/init_creds_pw.c index 1eece1760daa..a225a5f44280 100644 --- a/lib/krb5/init_creds_pw.c +++ b/lib/krb5/init_creds_pw.c @@ -162,7 +162,9 @@ free_init_creds_ctx(krb5_context context, krb5_init_creds_context ctx) if (ctx->keytab_data) free(ctx->keytab_data); if (ctx->password) { - memset(ctx->password, 0, strlen(ctx->password)); + size_t len; + len = strlen(ctx->password); + memset_s(ctx->password, len, 0, len); free(ctx->password); } /* @@ -189,7 +191,7 @@ free_init_creds_ctx(krb5_context context, krb5_init_creds_context ctx) free_paid(context, ctx->ppaid); free(ctx->ppaid); } - memset(ctx, 0, sizeof(*ctx)); + memset_s(ctx, sizeof(*ctx), 0, sizeof(*ctx)); } static int @@ -629,8 +631,8 @@ change_password (krb5_context context, } out: - memset (buf1, 0, sizeof(buf1)); - memset (buf2, 0, sizeof(buf2)); + memset_s(buf1, sizeof(buf1), 0, sizeof(buf1)); + memset_s(buf2, sizeof(buf2), 0, sizeof(buf2)); krb5_data_free (&result_string); krb5_data_free (&result_code_string); krb5_free_cred_contents (context, &cpw_cred); @@ -756,7 +758,7 @@ init_as_req (krb5_context context, return 0; fail: free_AS_REQ(a); - memset(a, 0, sizeof(*a)); + memset_s(a, sizeof(*a), 0, sizeof(*a)); return ret; } @@ -1501,7 +1503,9 @@ krb5_init_creds_set_password(krb5_context context, const char *password) { if (ctx->password) { - memset(ctx->password, 0, strlen(ctx->password)); + size_t len; + len = strlen(ctx->password); + memset_s(ctx->password, len, 0, len); free(ctx->password); } if (password) { @@ -2244,6 +2248,8 @@ krb5_init_creds_step(krb5_context context, } if (ctx->ic_flags & KRB5_INIT_CREDS_NO_C_CANON_CHECK) eflags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH; + if (ctx->flags.request_anonymous) + eflags |= EXTRACT_TICKET_MATCH_ANON; ret = process_pa_data_to_key(context, ctx, &ctx->cred, &ctx->as_req, &rep.kdc_rep, 
@@ -2267,6 +2273,26 @@ krb5_init_creds_step(krb5_context context, &ctx->req_buffer, NULL, NULL); + if (ret == 0 && ctx->pk_init_ctx) { + PA_DATA *pa_pkinit_kx; + int idx = 0; + + pa_pkinit_kx = + krb5_find_padata(rep.kdc_rep.padata->val, + rep.kdc_rep.padata->len, + KRB5_PADATA_PKINIT_KX, + &idx); + + ret = _krb5_pk_kx_confirm(context, ctx->pk_init_ctx, + ctx->fast_state.reply_key, + &ctx->cred.session, + pa_pkinit_kx); + if (ret) + krb5_set_error_message(context, ret, + N_("Failed to confirm PA-PKINIT-KX", "")); + else if (pa_pkinit_kx != NULL) + ctx->ic_flags |= KRB5_INIT_CREDS_PKINIT_KX_VALID; + } if (ret == 0) ret = copy_EncKDCRepPart(&rep.enc_part, &ctx->enc_part); @@ -2317,7 +2343,7 @@ krb5_init_creds_step(krb5_context context, if (ret == KRB5KDC_ERR_PREAUTH_REQUIRED) { free_METHOD_DATA(&ctx->md); - memset(&ctx->md, 0, sizeof(ctx->md)); + memset_s(&ctx->md, sizeof(ctx->md), 0, sizeof(ctx->md)); if (ctx->error.e_data) { ret = decode_METHOD_DATA(ctx->error.e_data->data, @@ -2371,7 +2397,7 @@ krb5_init_creds_step(krb5_context context, } free_AS_REQ(&ctx->as_req); - memset(&ctx->as_req, 0, sizeof(ctx->as_req)); + memset_s(&ctx->as_req, sizeof(ctx->as_req), 0, sizeof(ctx->as_req)); ctx->used_pa_types = 0; } else if (ret == KRB5KDC_ERR_KEY_EXP && ctx->runflags.change_password == 0 && ctx->prompter) { @@ -2685,7 +2711,7 @@ krb5_get_init_creds_password(krb5_context context, ret = (*prompter) (context, data, NULL, NULL, 1, &prompt); free (q); if (ret) { - memset (buf, 0, sizeof(buf)); + memset_s(buf, sizeof(buf), 0, sizeof(buf)); ret = KRB5_LIBOS_PWDINTR; krb5_clear_error_message (context); goto out; @@ -2741,8 +2767,8 @@ krb5_get_init_creds_password(krb5_context context, if (ctx) krb5_init_creds_free(context, ctx); - memset(buf, 0, sizeof(buf)); - memset(buf2, 0, sizeof(buf2)); + memset_s(buf, sizeof(buf), 0, sizeof(buf)); + memset_s(buf2, sizeof(buf), 0, sizeof(buf2)); return ret; } diff --git a/lib/krb5/kcm.c b/lib/krb5/kcm.c index 557dc5fe419c..8e1dfff2d0ca 100644 
--- a/lib/krb5/kcm.c +++ b/lib/krb5/kcm.c @@ -224,7 +224,7 @@ kcm_free(krb5_context context, krb5_ccache *id) if (k != NULL) { if (k->name != NULL) free(k->name); - memset(k, 0, sizeof(*k)); + memset_s(k, sizeof(*k), 0, sizeof(*k)); krb5_data_free(&(*id)->data); } } diff --git a/lib/krb5/krb5-private.h b/lib/krb5/krb5-private.h index b511590ccfd4..79bd27e9397f 100644 --- a/lib/krb5/krb5-private.h +++ b/lib/krb5/krb5-private.h @@ -566,6 +566,14 @@ _krb5_pk_kdf ( krb5_keyblock */*key*/); KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL +_krb5_pk_kx_confirm ( + krb5_context /*context*/, + krb5_pk_init_ctx /*ctx*/, + krb5_keyblock */*reply_key*/, + krb5_keyblock */*session_key*/, + PA_DATA */*pa_pkinit_kx*/); + +KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_pk_load_id ( krb5_context /*context*/, struct krb5_pk_identity **/*ret_id*/, diff --git a/lib/krb5/krb5-protos.h b/lib/krb5/krb5-protos.h index a312e070fefb..fb2e0eabe140 100644 --- a/lib/krb5/krb5-protos.h +++ b/lib/krb5/krb5-protos.h @@ -6483,6 +6483,18 @@ krb5_principal_get_type ( krb5_const_principal /*principal*/); /** + * Returns true iff name is WELLKNOWN/ANONYMOUS + * + * @ingroup krb5_principal + */ + +KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL +krb5_principal_is_anonymous ( + krb5_context /*context*/, + krb5_const_principal /*p*/, + unsigned int /*flags*/); + +/** * Returns true iff name is an WELLKNOWN:ORG.H5L.HOSTBASED-SERVICE * * @ingroup krb5_principal diff --git a/lib/krb5/krb5.h b/lib/krb5/krb5.h index 19c89f21ae84..b6745a5b7758 100644 --- a/lib/krb5/krb5.h +++ b/lib/krb5/krb5.h @@ -448,6 +448,7 @@ typedef union { #define KRB5_GC_NO_TRANSIT_CHECK (1U << 5) #define KRB5_GC_CONSTRAINED_DELEGATION (1U << 6) #define KRB5_GC_CANONICALIZE (1U << 7) +#define KRB5_GC_ANONYMOUS (1U << 8) /* constants for compare_creds (and cc_retrieve_cred) */ #define KRB5_TC_DONT_MATCH_REALM (1U << 31) 
@@ -941,6 +942,23 @@ typedef const struct krb5_name_canon_rule_data *krb5_const_name_canon_rule; typedef struct krb5_name_canon_iterator_data *krb5_name_canon_iterator; /* + * krb5_get_init_creds_opt_set_pkinit flags + */ + +#define KRB5_GIC_OPT_PKINIT_USE_ENCKEY 2 /* use RSA, not DH */ +#define KRB5_GIC_OPT_PKINIT_ANONYMOUS 4 /* anonymous PKINIT */ +#define KRB5_GIC_OPT_PKINIT_BTMM 8 /* reserved by Apple */ +#define KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR 16 /* do not authenticate KDC */ + +/* + * _krb5_principal_is_anonymous() flags + */ +#define KRB5_ANON_MATCH_AUTHENTICATED 1 /* authenticated with anon flag */ +#define KRB5_ANON_MATCH_UNAUTHENTICATED 2 /* anonymous PKINIT */ +#define KRB5_ANON_MATCH_ANY ( KRB5_ANON_MATCH_AUTHENTICATED | KRB5_ANON_MATCH_UNAUTHENTICATED ) + + +/* * */ diff --git a/lib/krb5/krb5_locl.h b/lib/krb5/krb5_locl.h index 4d524ce1bb98..b64f3a9fbd49 100644 --- a/lib/krb5/krb5_locl.h +++ b/lib/krb5/krb5_locl.h @@ -208,6 +208,8 @@ struct _krb5_get_init_creds_opt_private { #define KRB5_INIT_CREDS_CANONICALIZE 1 #define KRB5_INIT_CREDS_NO_C_CANON_CHECK 2 #define KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK 4 +#define KRB5_INIT_CREDS_PKINIT_KX_VALID 32 +#define KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK 64 struct { krb5_gic_process_last_req func; void *ctx; @@ -292,6 +294,7 @@ typedef struct krb5_context_data { #define EXTRACT_TICKET_MATCH_REALM 4 #define EXTRACT_TICKET_AS_REQ 8 #define EXTRACT_TICKET_TIMESYNC 16 +#define EXTRACT_TICKET_MATCH_ANON 32 /* * Configurable options diff --git a/lib/krb5/libkrb5-exports.def.in b/lib/krb5/libkrb5-exports.def.in index 01f9f78c3b7c..47aaa8fe4f37 100644 --- a/lib/krb5/libkrb5-exports.def.in +++ b/lib/krb5/libkrb5-exports.def.in @@ -497,6 +497,7 @@ EXPORTS krb5_principal_get_num_comp krb5_principal_get_realm krb5_principal_get_type + krb5_principal_is_anonymous krb5_principal_is_krbtgt krb5_principal_match krb5_principal_set_comp_string 
@@ -766,6 +767,7 @@ EXPORTS _krb5_principalname2krb5_principal _krb5_put_int _krb5_s4u2self_to_checksumdata + _krb5_HMAC_MD5_checksum _krb5_expand_path_tokens ;! ; kinit helper diff --git a/lib/krb5/pkinit.c b/lib/krb5/pkinit.c index 0adb65e7afa1..7ede91c3fa9a 100644 --- a/lib/krb5/pkinit.c +++ b/lib/krb5/pkinit.c @@ -784,6 +784,8 @@ _krb5_pk_mk_padata(krb5_context context, req_body->realm, "pkinit_require_krbtgt_otherName", NULL); + if (ic_flags & KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK) + ctx->require_krbtgt_otherName = FALSE; ctx->require_hostname_match = krb5_config_get_bool_default(context, NULL, 
@@ -1220,6 +1222,98 @@ pk_rd_pa_reply_enckey(krb5_context context, return ret; } +/* + * RFC 8062 section 7: + * + * The client then decrypts the KDC contribution key and verifies that + * the ticket session key in the returned ticket is the combined key of + * the KDC contribution key and the reply key. + */ +KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL +_krb5_pk_kx_confirm(krb5_context context, + krb5_pk_init_ctx ctx, + krb5_keyblock *reply_key, + krb5_keyblock *session_key, + PA_DATA *pa_pkinit_kx) +{ + krb5_error_code ret; + EncryptedData ed; + krb5_keyblock ck, sk_verify; + krb5_crypto ck_crypto = NULL; + krb5_crypto rk_crypto = NULL; + size_t len; + krb5_data data; + krb5_data p1 = { sizeof("PKINIT") - 1, "PKINIT" }; + krb5_data p2 = { sizeof("KEYEXCHANGE") - 1, "KEYEXCHANGE" }; + + heim_assert(ctx != NULL, "PKINIT context is non-NULL"); + heim_assert(reply_key != NULL, "reply key is non-NULL"); + heim_assert(session_key != NULL, "session key is non-NULL"); + + /* PA-PKINIT-KX is optional unless anonymous */ + if (pa_pkinit_kx == NULL) + return ctx->anonymous ? 
KRB5_KDCREP_MODIFIED : 0; + + memset(&ed, 0, sizeof(ed)); + krb5_keyblock_zero(&ck); + krb5_keyblock_zero(&sk_verify); + krb5_data_zero(&data); + + ret = decode_EncryptedData(pa_pkinit_kx->padata_value.data, + pa_pkinit_kx->padata_value.length, + &ed, &len); + if (ret) + goto out; + + if (len != pa_pkinit_kx->padata_value.length) { + ret = KRB5_KDCREP_MODIFIED; + goto out; + } + + ret = krb5_crypto_init(context, reply_key, 0, &rk_crypto); + if (ret) + goto out; + + ret = krb5_decrypt_EncryptedData(context, rk_crypto, + KRB5_KU_PA_PKINIT_KX, + &ed, &data); + if (ret) + goto out; + + ret = decode_EncryptionKey(data.data, data.length, + &ck, &len); + if (ret) + goto out; + + ret = krb5_crypto_init(context, &ck, 0, &ck_crypto); + if (ret) + goto out; + + ret = krb5_crypto_fx_cf2(context, ck_crypto, rk_crypto, + &p1, &p2, session_key->keytype, + &sk_verify); + if (ret) + goto out; + + if (sk_verify.keytype != session_key->keytype || + krb5_data_ct_cmp(&sk_verify.keyvalue, &session_key->keyvalue) != 0) { + ret = KRB5_KDCREP_MODIFIED; + goto out; + } + +out: + free_EncryptedData(&ed); + krb5_free_keyblock_contents(context, &ck); + krb5_free_keyblock_contents(context, &sk_verify); + if (ck_crypto) + krb5_crypto_destroy(context, ck_crypto); + if (rk_crypto) + krb5_crypto_destroy(context, rk_crypto); + krb5_data_free(&data); + + return ret; +} + static krb5_error_code pk_rd_pa_reply_dh(krb5_context context, const heim_octet_string *indata, @@ -2269,7 +2363,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context, x509_anchors = anchors; } - if (flags & 4) + if (flags & KRB5_GIC_OPT_PKINIT_ANONYMOUS) opt->opt_private->pk_init_ctx->anonymous = 1; ret = _krb5_pk_load_id(context, 
@@ -2286,6 +2380,11 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context, opt->opt_private->pk_init_ctx = NULL; return ret; } + if (flags & KRB5_GIC_OPT_PKINIT_BTMM) + opt->opt_private->pk_init_ctx->id->flags |= PKINIT_BTMM; + + if (principal && krb5_principal_is_lkdc(context, principal)) + opt->opt_private->pk_init_ctx->id->flags |= PKINIT_BTMM; if (opt->opt_private->pk_init_ctx->id->certs) { _krb5_pk_set_user_id(context, @@ -2295,7 +2394,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context, } else opt->opt_private->pk_init_ctx->id->cert = NULL; - if ((flags & 2) == 0) { + if ((flags & KRB5_GIC_OPT_PKINIT_USE_ENCKEY) == 0) { hx509_context hx509ctx = context->hx509ctx; hx509_cert cert = opt->opt_private->pk_init_ctx->id->cert; diff --git a/lib/krb5/principal.c b/lib/krb5/principal.c index 143dd6414b1e..23c459281e5e 100644 --- a/lib/krb5/principal.c +++ b/lib/krb5/principal.c @@ -1247,6 +1247,32 @@ krb5_principal_is_root_krbtgt(krb5_context context, krb5_const_principal p) strcmp(p->name.name_string.val[1], p->realm) == 0; } +/** + * Returns true iff name is WELLKNOWN/ANONYMOUS + * + * @ingroup krb5_principal + */ + +KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL +krb5_principal_is_anonymous(krb5_context context, + krb5_const_principal p, + unsigned int flags) +{ + int anon_realm; + + if ((p->name.name_type != KRB5_NT_WELLKNOWN && + p->name.name_type != KRB5_NT_UNKNOWN) || + p->name.name_string.len != 2 || + strcmp(p->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 || + strcmp(p->name.name_string.val[1], KRB5_ANON_NAME) != 0) + return FALSE; + + anon_realm = strcmp(p->realm, KRB5_ANON_REALM) == 0; + + return ((flags & KRB5_ANON_MATCH_AUTHENTICATED) && !anon_realm) || + ((flags & KRB5_ANON_MATCH_UNAUTHENTICATED) && anon_realm); +} + static int tolower_ascii(int c) { diff --git a/lib/krb5/rd_cred.c b/lib/krb5/rd_cred.c index b9b18ee99846..e38882525ab4 100644 --- a/lib/krb5/rd_cred.c +++ b/lib/krb5/rd_cred.c 
@@ -271,7 +271,11 @@ krb5_rd_cred(krb5_context context, } if(creds->ticket.length != len) krb5_abortx(context, "internal error in ASN.1 encoder"); - copy_EncryptionKey (&kci->key, &creds->session); + ret = copy_EncryptionKey (&kci->key, &creds->session); + if (ret) { + krb5_free_creds(context, creds); + goto out; + } if (kci->prealm && kci->pname) _krb5_principalname2krb5_principal (context, &creds->client, diff --git a/lib/krb5/salt-des.c b/lib/krb5/salt-des.c index afcff675b24f..d898d6c20574 100644 --- a/lib/krb5/salt-des.c +++ b/lib/krb5/salt-des.c @@ -109,7 +109,7 @@ krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw, memset(&schedule, 0, sizeof(schedule)); memset(&temp_key, 0, sizeof(temp_key)); memset(&ivec, 0, sizeof(ivec)); - memset(password, 0, sizeof(password)); + memset_s(password, sizeof(password), 0, sizeof(password)); DES_set_odd_parity (key); } diff --git a/lib/krb5/salt-des3.c b/lib/krb5/salt-des3.c index 342bba0d0f6b..8cb73cf465a6 100644 --- a/lib/krb5/salt-des3.c +++ b/lib/krb5/salt-des3.c @@ -61,7 +61,7 @@ DES3_string_to_key(krb5_context context, ret = _krb5_n_fold(str, len, tmp, 24); if (ret) { - memset(str, 0, len); + memset_s(str, len, 0, len); free(str); krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); return ret; 
@@ -74,24 +74,24 @@ DES3_string_to_key(krb5_context context, _krb5_xor8(*(keys + i), (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); DES_set_key_unchecked(keys + i, &s[i]); } - memset(&ivec, 0, sizeof(ivec)); + memset_s(&ivec, sizeof(ivec), 0, sizeof(ivec)); DES_ede3_cbc_encrypt(tmp, tmp, sizeof(tmp), &s[0], &s[1], &s[2], &ivec, DES_ENCRYPT); - memset(s, 0, sizeof(s)); - memset(&ivec, 0, sizeof(ivec)); + memset_s(s, sizeof(s), 0, sizeof(s)); + memset_s(&ivec, sizeof(ivec), 0, sizeof(ivec)); for(i = 0; i < 3; i++){ memcpy(keys + i, tmp + i * 8, sizeof(keys[i])); DES_set_odd_parity(keys + i); if(DES_is_weak_key(keys + i)) _krb5_xor8(*(keys + i), (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); } - memset(tmp, 0, sizeof(tmp)); + memset_s(tmp, sizeof(tmp), 0, sizeof(tmp)); } key->keytype = enctype; krb5_data_copy(&key->keyvalue, keys, sizeof(keys)); - memset(keys, 0, sizeof(keys)); - memset(str, 0, len); + memset_s(keys, sizeof(keys), 0, sizeof(keys)); + memset_s(str, len, 0, len); free(str); return 0; } @@ -119,7 +119,7 @@ DES3_string_to_key_derived(krb5_context context, len, enctype, key); - memset(s, 0, len); + memset_s(s, len, 0, len); free(s); return ret; } diff --git a/lib/krb5/send_to_kdc.c b/lib/krb5/send_to_kdc.c index 066b849a7576..a920db78b649 100644 --- a/lib/krb5/send_to_kdc.c +++ b/lib/krb5/send_to_kdc.c @@ -314,6 +314,7 @@ static void debug_host(krb5_context context, int level, struct host *host, const char *fmt, ...) { const char *proto = "unknown"; + const char *state; char name[NI_MAXHOST], port[NI_MAXSERV]; char *text = NULL; va_list ap; 
@@ -339,8 +340,17 @@ debug_host(krb5_context context, int level, struct host *host, const char *fmt, name, sizeof(name), port, sizeof(port), NI_NUMERICHOST) != 0) name[0] = '\0'; - _krb5_debug(context, level, "%s: %s %s:%s (%s) tid: %08x", text, - proto, name, port, host->hi->hostname, host->tid); + switch (host->state) { + case CONNECT: state = "CONNECT"; break; + case CONNECTING: state = "CONNECTING"; break; + case CONNECTED: state = "CONNECTED"; break; + case WAITING_REPLY: state = "WAITING_REPLY"; break; + case DEAD: state = "DEAD"; break; + default: state = "unknown"; break; + } + + _krb5_debug(context, level, "%s: %s %s:%s (%s) state=%s tid: %08x", text, + proto, name, port, host->hi->hostname, state, host->tid); free(text); } @@ -881,11 +891,18 @@ submit_request(krb5_context context, krb5_sendto_ctx ctx, krb5_krbhst_info *hi) host->tries = host->fun->ntries; /* - * Connect directly next host, wait a host_timeout for each next address + * Connect directly next host, wait a host_timeout for each next address. + * We try host_connect() here, checking the return code because as we do + * non-blocking connects, any error here indicates that the address is just + * offline. That is, it's something like "No route to host" which is not + * worth retrying. And so, we fail directly and immediately to the next + * address for this host without enqueueing the address for retries. */ - if (submitted_host == 0) + if (submitted_host == 0) { host_connect(context, ctx, host); - else { + if (host->state == DEAD) + continue; + } else { debug_host(context, 5, host, "Queuing host in future (in %ds), its the %lu address on the same name", (int)(context->host_timeout * submitted_host), submitted_host + 1); 
@@ -893,16 +910,14 @@ submit_request(krb5_context context, krb5_sendto_ctx ctx, krb5_krbhst_info *hi) } heim_array_append_value(ctx->hosts, host); - heim_release(host); - submitted_host++; } if (freeai) freeaddrinfo(ai); - if (!submitted_host) + if (submitted_host == 0) return KRB5_KDC_UNREACH; return 0; @@ -913,7 +928,7 @@ struct wait_ctx { krb5_sendto_ctx ctx; fd_set rfds; fd_set wfds; - unsigned max_fd; + rk_socket_t max_fd; int got_reply; time_t timenow; }; @@ -924,16 +939,16 @@ wait_setup(heim_object_t obj, void *iter_ctx, int *stop) struct wait_ctx *wait_ctx = iter_ctx; struct host *h = (struct host *)obj; + if (h->state == CONNECT) { + if (h->timeout >= wait_ctx->timenow) + return; + host_connect(wait_ctx->context, wait_ctx->ctx, h); + } + /* skip dead hosts */ if (h->state == DEAD) return; - if (h->state == CONNECT) { - if (h->timeout < wait_ctx->timenow) - host_connect(wait_ctx->context, wait_ctx->ctx, h); - return; - } - /* if host timed out, dec tries and (retry or kill host) */ if (h->timeout < wait_ctx->timenow) { heim_assert(h->tries != 0, "tries should not reach 0"); @@ -961,9 +976,10 @@ wait_setup(heim_object_t obj, void *iter_ctx, int *stop) FD_SET(h->fd, &wait_ctx->wfds); break; default: + debug_host(wait_ctx->context, 5, h, "invalid sendto host state"); heim_abort("invalid sendto host state"); } - if (h->fd > wait_ctx->max_fd) + if (h->fd > wait_ctx->max_fd || wait_ctx->max_fd == rk_INVALID_SOCKET) wait_ctx->max_fd = h->fd; } @@ -975,6 +991,15 @@ wait_filter_dead(heim_object_t obj, void *ctx) } static void +wait_accelerate(heim_object_t obj, void *ctx, int *stop) +{ + struct host *h = (struct host *)obj; + + if (h->state == CONNECT && h->timeout > 0) + h->timeout--; +} + +static void wait_process(heim_object_t obj, void *ctx, int *stop) { struct wait_ctx *wait_ctx = ctx; 
@@ -1007,7 +1032,7 @@ wait_response(krb5_context context, int *action, krb5_sendto_ctx ctx) wait_ctx.ctx = ctx; FD_ZERO(&wait_ctx.rfds); FD_ZERO(&wait_ctx.wfds); - wait_ctx.max_fd = 0; + wait_ctx.max_fd = rk_INVALID_SOCKET; /* oh, we have a reply, it must be a plugin that got it for us */ if (ctx->response.length) { @@ -1033,6 +1058,17 @@ wait_response(krb5_context context, int *action, krb5_sendto_ctx ctx) return 0; } + if (wait_ctx.max_fd == rk_INVALID_SOCKET) { + /* + * If we don't find a host which can make progress, then + * we accelerate the process by moving all of the contestants + * up by 1s. + */ + _krb5_debug(context, 5, "wait_response: moving the contestants forward"); + heim_array_iterate_f(ctx->hosts, &wait_ctx, wait_accelerate); + return 0; + } + tv.tv_sec = 1; tv.tv_usec = 0; @@ -1173,7 +1209,7 @@ krb5_sendto_context(krb5_context context, action = KRB5_SENDTO_CONTINUE; if (ret == 0) { - _krb5_debug(context, 5, "submissing new requests to new host"); + _krb5_debug(context, 5, "submitting new requests to new host"); if (submit_request(context, ctx, hi) != 0) action = KRB5_SENDTO_TIMEOUT; } else { diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c index b8d81c6ad53a..8961c394a492 100644 --- a/lib/krb5/ticket.c +++ b/lib/krb5/ticket.c 
@@ -526,27 +526,62 @@ noreferral: return 0; } - /* - * Verify referral data + * Verify KDC supported anonymous if requested */ +static krb5_error_code +check_client_anonymous(krb5_context context, + krb5_kdc_rep *rep, + krb5_const_principal requested, + krb5_const_principal mapped, + krb5_boolean is_tgs_rep) +{ + int flags; + + if (!rep->enc_part.flags.anonymous) + return KRB5KDC_ERR_BADOPTION; + + if (is_tgs_rep) + flags = KRB5_ANON_MATCH_ANY; + else if (krb5_principal_is_anonymous(context, requested, KRB5_ANON_MATCH_ANY)) + flags = KRB5_ANON_MATCH_UNAUTHENTICATED; + else + flags = KRB5_ANON_MATCH_AUTHENTICATED; + + if (!krb5_principal_is_anonymous(context, mapped, flags)) + return KRB5KRB_AP_ERR_MODIFIED; + return 0; +} + +/* + * Verify returned client principal name in anonymous/referral case + */ static krb5_error_code -check_client_referral(krb5_context context, +check_client_mismatch(krb5_context context, krb5_kdc_rep *rep, krb5_const_principal requested, krb5_const_principal mapped, krb5_keyblock const * key) { - if (krb5_principal_compare(context, requested, mapped) == FALSE && - !rep->enc_part.flags.enc_pa_rep) - { - krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED, - N_("Not same client principal returned " - "as requested", "")); - return KRB5KRB_AP_ERR_MODIFIED; + if (rep->enc_part.flags.anonymous) { + if (!krb5_principal_is_anonymous(context, mapped, KRB5_ANON_MATCH_ANY)) { + krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED, + N_("Anonymous ticket does not contain anonymous " + "principal", "")); + return KRB5KRB_AP_ERR_MODIFIED; + } + } else { + if (krb5_principal_compare(context, requested, mapped) == FALSE && + !rep->enc_part.flags.enc_pa_rep) { + krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED, + N_("Not same client principal returned " + "as requested", "")); + return KRB5KRB_AP_ERR_MODIFIED; + } } + return 0; } 
@@ -687,10 +722,21 @@ _krb5_extract_ticket(krb5_context context, if (ret) goto out; + /* check KDC supported anonymous if it was requested */ + if (flags & EXTRACT_TICKET_MATCH_ANON) { + ret = check_client_anonymous(context,rep, + creds->client, + tmp_principal, + request == NULL); /* is TGS */ + if (ret) { + krb5_free_principal(context, tmp_principal); + goto out; + } + } + /* check client referral and save principal */ - /* anonymous here ? */ if((flags & EXTRACT_TICKET_ALLOW_CNAME_MISMATCH) == 0) { - ret = check_client_referral(context, rep, + ret = check_client_mismatch(context, rep, creds->client, tmp_principal, &creds->session); diff --git a/lib/krb5/version-script.map b/lib/krb5/version-script.map index 6c49368a8a14..4e7225612a7a 100644 --- a/lib/krb5/version-script.map +++ b/lib/krb5/version-script.map @@ -494,6 +494,7 @@ HEIMDAL_KRB5_2.0 { krb5_principal_set_comp_string; krb5_principal_set_realm; krb5_principal_set_type; + krb5_principal_is_anonymous; krb5_principal_is_krbtgt; krb5_print_address; krb5_program_setup; @@ -761,6 +762,7 @@ HEIMDAL_KRB5_2.0 { _krb5_principalname2krb5_principal; _krb5_put_int; _krb5_s4u2self_to_checksumdata; + _krb5_HMAC_MD5_checksum; # kinit helper krb5_get_init_creds_opt_set_pkinit_user_certs; diff --git a/lib/libedit/configure b/lib/libedit/configure index 4bc18e334016..68a69d141b8e 100755 --- a/lib/libedit/configure +++ b/lib/libedit/configure @@ -586,7 +586,7 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='libedit' -PACKAGE_TARNAME='libedit-20171208' +PACKAGE_TARNAME='libedit-20190607' PACKAGE_VERSION='3.1' PACKAGE_STRING='libedit 3.1' PACKAGE_BUGREPORT='' 
@@ -1362,7 +1362,7 @@ Fine tuning of the installation directories: --localedir=DIR locale-dependent data [DATAROOTDIR/locale] --mandir=DIR man documentation [DATAROOTDIR/man] --docdir=DIR documentation root - [DATAROOTDIR/doc/libedit-20171208] + [DATAROOTDIR/doc/libedit-20190607] --htmldir=DIR html documentation [DOCDIR] --dvidir=DIR dvi documentation [DOCDIR] --pdfdir=DIR pdf documentation [DOCDIR] @@ -4208,7 +4208,7 @@ fi # Define the identity of the package. - PACKAGE='libedit-20171208' + PACKAGE='libedit-20190607' VERSION='3.1' diff --git a/lib/libedit/ltmain.sh b/lib/libedit/ltmain.sh index 0f0a2da3f9dd..0f0a2da3f9dd 100755..100644 --- a/lib/libedit/ltmain.sh +++ b/lib/libedit/ltmain.sh diff --git a/lib/libedit/src/makelist b/lib/libedit/src/makelist index c8f927651ab3..315d91e2adee 100644 --- a/lib/libedit/src/makelist +++ b/lib/libedit/src/makelist @@ -35,7 +35,10 @@ # makelist.sh: Automatically generate header files... -AWK=awk +if [ "x$AWK" = "x" ] +then + AWK=awk +fi USAGE="Usage: $0 -h|-fc|-fh|-bh <filenames>" if [ "x$1" = "x" ] diff --git a/lib/libedit/src/vis.h b/lib/libedit/src/vis.h index a1b23c920ec0..ddd597b4b173 100644 --- a/lib/libedit/src/vis.h +++ b/lib/libedit/src/vis.h @@ -81,7 +81,9 @@ */ #define UNVIS_END _VIS_END /* no more characters */ +#ifdef HAVE_SYS_CDEFS_H #include <sys/cdefs.h> +#endif __BEGIN_DECLS char *vis(char *, int, int, int); diff --git a/lib/ntlm/ntlm.c b/lib/ntlm/ntlm.c index 7ec0181ff419..42dd09bed5bf 100644 --- a/lib/ntlm/ntlm.c +++ b/lib/ntlm/ntlm.c @@ -1192,7 +1192,7 @@ splitandenc(unsigned char *hash, EVP_CipherInit_ex(&ctx, EVP_des_cbc(), NULL, key, NULL, 1); EVP_Cipher(&ctx, answer, challenge, 8); EVP_CIPHER_CTX_cleanup(&ctx); - memset(key, 0, sizeof(key)); + memset_s(key, sizeof(key), 0, sizeof(key)); } /** diff --git a/lib/roken/install-sh b/lib/roken/install-sh index e9de23842dcd..e9de23842dcd 100755..100644 --- a/lib/roken/install-sh +++ b/lib/roken/install-sh 
diff --git a/lib/roken/missing b/lib/roken/missing index 7789652e877f..7789652e877f 100755..100644 --- a/lib/roken/missing +++ b/lib/roken/missing diff --git a/lib/roken/mkinstalldirs b/lib/roken/mkinstalldirs index 6b3b5fc5d4d3..6b3b5fc5d4d3 100755..100644 --- a/lib/roken/mkinstalldirs +++ b/lib/roken/mkinstalldirs diff --git a/lib/roken/rand.c b/lib/roken/rand.c index 03239d7dc244..f2617d8ab2bc 100644 --- a/lib/roken/rand.c +++ b/lib/roken/rand.c @@ -42,7 +42,7 @@ void ROKEN_LIB_FUNCTION rk_random_init(void) { #if defined(HAVE_ARC4RANDOM) - arc4random_stir(); + /* nothing to do */; #elif defined(HAVE_SRANDOMDEV) srandomdev(); #elif defined(HAVE_RANDOM) diff --git a/lib/wind/UnicodeData.py b/lib/wind/UnicodeData.py index dd6dfa745d9f..8ce3bcade279 100644 --- a/lib/wind/UnicodeData.py +++ b/lib/wind/UnicodeData.py @@ -50,7 +50,7 @@ def read(filename): continue f = l.split(';') key = int(f[0], 0x10) - if key in ret: + if key in ret: raise Exception('Duplicate key in UnicodeData') ret[key] = f[1:] ud.close() diff --git a/lib/wind/bidi_table.c b/lib/wind/bidi_table.c index 916805fdc614..5628c3bd1c73 100644 --- a/lib/wind/bidi_table.c +++ b/lib/wind/bidi_table.c @@ -1,5 +1,5 @@ /* ./bidi_table.c */ -/* Automatically generated at 2017-12-08T03:21:13.199657 */ +/* Automatically generated at 2019-06-07T02:26:41.397837 */ #include "bidi_table.h" diff --git a/lib/wind/bidi_table.h b/lib/wind/bidi_table.h index 3fc83d2e4e7b..f00ddb1b6763 100644 --- a/lib/wind/bidi_table.h +++ b/lib/wind/bidi_table.h @@ -1,5 +1,5 @@ /* ./bidi_table.h */ -/* Automatically generated at 2017-12-08T03:21:13.199278 */ +/* Automatically generated at 2019-06-07T02:26:41.396770 */ #ifndef BIDI_TABLE_H #define BIDI_TABLE_H 1 diff --git a/lib/wind/combining_table.c b/lib/wind/combining_table.c index a69ef4127693..71218362fc35 100644 --- a/lib/wind/combining_table.c +++ b/lib/wind/combining_table.c 
@@ -1,5 +1,5 @@ /* ./combining_table.c */ -/* Automatically generated at 2017-12-08T03:21:13.302135 */ +/* Automatically generated at 2019-06-07T02:26:41.530824 */ #include "combining_table.h" diff --git a/lib/wind/combining_table.h b/lib/wind/combining_table.h index cd2c03264de0..023857adda64 100644 --- a/lib/wind/combining_table.h +++ b/lib/wind/combining_table.h @@ -1,5 +1,5 @@ /* ./combining_table.h */ -/* Automatically generated at 2017-12-08T03:21:13.301786 */ +/* Automatically generated at 2019-06-07T02:26:41.530328 */ #ifndef COMBINING_TABLE_H #define COMBINING_TABLE_H 1 diff --git a/lib/wind/errorlist_table.c b/lib/wind/errorlist_table.c index be0bfce26245..241e39bb05f3 100644 --- a/lib/wind/errorlist_table.c +++ b/lib/wind/errorlist_table.c @@ -1,5 +1,5 @@ /* ./errorlist_table.c */ -/* Automatically generated at 2017-12-08T03:21:13.365706 */ +/* Automatically generated at 2019-06-07T02:26:41.399027 */ #include "errorlist_table.h" diff --git a/lib/wind/errorlist_table.h b/lib/wind/errorlist_table.h index beebfb55aa82..546048fae751 100644 --- a/lib/wind/errorlist_table.h +++ b/lib/wind/errorlist_table.h @@ -1,5 +1,5 @@ /* ./errorlist_table.h */ -/* Automatically generated at 2017-12-08T03:21:13.365395 */ +/* Automatically generated at 2019-06-07T02:26:41.398369 */ #ifndef ERRORLIST_TABLE_H #define ERRORLIST_TABLE_H 1 diff --git a/lib/wind/gen-bidi.py b/lib/wind/gen-bidi.py index 21839c2550b2..e2efcbb555a2 100644 --- a/lib/wind/gen-bidi.py +++ b/lib/wind/gen-bidi.py @@ -42,7 +42,7 @@ import generate import rfc3454 if len(sys.argv) != 3: - print "usage: %s rfc3454.txt outdir" % sys.argv[0] + print("usage: %s rfc3454.txt outdir" % sys.argv[0]) sys.exit(1) tables = rfc3454.read(sys.argv[1]) diff --git a/lib/wind/gen-combining.py b/lib/wind/gen-combining.py index 86cbc6d50f0c..43e0d52eb3cf 100644 --- a/lib/wind/gen-combining.py +++ b/lib/wind/gen-combining.py 
@@ -42,7 +42,7 @@ import generate import UnicodeData if len(sys.argv) != 3: - print "usage: %s UnicodeData.txt out-dir" % sys.argv[0] + print("usage: %s UnicodeData.txt out-dir" % sys.argv[0]) sys.exit(1) ud = UnicodeData.read(sys.argv[1]) @@ -79,8 +79,7 @@ combining_c.file.write( const struct translation _wind_combining_table[] = { ''') -s = trans.keys() -s.sort() +s = sorted(trans) for k in s: v = trans[k] combining_c.file.write("{0x%x, %u}, /* %s */\n" diff --git a/lib/wind/gen-errorlist.py b/lib/wind/gen-errorlist.py index f0b9524783b4..97646cf5aed6 100644 --- a/lib/wind/gen-errorlist.py +++ b/lib/wind/gen-errorlist.py @@ -44,13 +44,13 @@ import rfc4518 import stringprep if len(sys.argv) != 3: - print "usage: %s rfc3454.txt out-dir" % sys.argv[0] + print("usage: %s rfc3454.txt out-dir" % sys.argv[0]) sys.exit(1) tables = rfc3454.read(sys.argv[1]) t2 = rfc4518.read() -for x in t2.iterkeys(): +for x in t2.keys(): tables[x] = t2[x] error_list = stringprep.get_errorlist() @@ -85,7 +85,7 @@ const struct error_entry _wind_errorlist_table[] = { trans=[] -for t in error_list.iterkeys(): +for t in error_list.keys(): for l in tables[t]: m = re.search('^ *([0-9A-F]+)-([0-9A-F]+); *(.*) *$', l) if m: @@ -104,7 +104,7 @@ for x in trans: (start, length, description, tables) = x symbols = stringprep.symbols(error_list, tables) if len(symbols) == 0: - print "no symbol for %s" % description + print("no symbol for %s" % description) sys.exit(1) errorlist_c.file.write(" {0x%x, 0x%x, %s}, /* %s: %s */\n" % (start, length, symbols, ",".join(tables), description)) diff --git a/lib/wind/gen-map.py b/lib/wind/gen-map.py index d4f02af1f29d..dc10d6fae7f6 100644 --- a/lib/wind/gen-map.py +++ b/lib/wind/gen-map.py 
@@ -45,13 +45,13 @@ import stringprep import util if len(sys.argv) != 3: - print "usage: %s rfc3454.txt out-dir" % sys.argv[0] + print("usage: %s rfc3454.txt out-dir" % sys.argv[0]) sys.exit(1) tables = rfc3454.read(sys.argv[1]) t2 = rfc4518.read() -for x in t2.iterkeys(): +for x in t2: tables[x] = t2[x] map_list = stringprep.get_maplist() @@ -88,7 +88,7 @@ const struct translation _wind_map_table[] = { trans=[] -for t in map_list.iterkeys(): +for t in map_list: for l in tables[t]: m = re.search('^ *([0-9A-F]+)-([0-9A-F]+); *([^;]+); *(.*) *$', l) if m: @@ -96,7 +96,7 @@ for t in map_list.iterkeys(): end = int(m.group(2), 0x10) value = m.group(3) desc = m.group(4) - for key in xrange(start,end,1): + for key in range(start,end,1): trans.append((key, value, desc, [t])) continue m = re.search('^ *([^;]+); *([^;]+); *(.*) *$', l) @@ -114,7 +114,7 @@ trans = stringprep.sort_merge_trans(trans) for x in trans: if x[0] == 0xad: - print "fooresult %s" % ",".join(x[3]) + print("fooresult %s" % ",".join(x[3])) for x in trans: (key, value, description, table) = x @@ -130,7 +130,7 @@ for x in trans: (key, value, description, tables) = x symbols = stringprep.symbols(map_list, tables) if len(symbols) == 0: - print "no symbol for %s %s (%s)" % (key, description, tables) + print("no symbol for %s %s (%s)" % (key, description, tables)) sys.exit(1) v = value.split() map_c.file.write(" {0x%x, %u, %u, %s}, /* %s: %s */\n" diff --git a/lib/wind/gen-normalize.py b/lib/wind/gen-normalize.py index 9b3553c46d0d..daf3c3dc42f1 100644 --- a/lib/wind/gen-normalize.py +++ b/lib/wind/gen-normalize.py 
@@ -43,15 +43,15 @@ import UnicodeData import util if len(sys.argv) != 4: - print "usage: %s UnicodeData.txt" - " CompositionExclusions-3.2.0.txt out-dir" % sys.argv[0] + print("usage: %s UnicodeData.txt" + " CompositionExclusions-3.2.0.txt out-dir" % sys.argv[0]) sys.exit(1) ud = UnicodeData.read(sys.argv[1]) def sortedKeys(d): """Return a sorted list of the keys of a dict""" - keys = d.keys() + keys = list(d.keys()) keys.sort() return keys @@ -136,7 +136,7 @@ exclusions = UnicodeData.read(sys.argv[2]) inv = dict([(''.join(["%05x" % int(x, 0x10) for x in v[4].split(' ')]), [k, v[0]]) for k,v in ud.items() - if v[4] and not re.search('<[a-zA-Z]+> *', v[4]) and not exclusions.has_key(k)]) + if v[4] and not re.search('<[a-zA-Z]+> *', v[4]) and not k in exclusions]) table = 0 diff --git a/lib/wind/gen-punycode-examples.py b/lib/wind/gen-punycode-examples.py index 44f5dafe508c..f2eddbb37386 100644 --- a/lib/wind/gen-punycode-examples.py +++ b/lib/wind/gen-punycode-examples.py @@ -35,13 +35,12 @@ # SUCH DAMAGE. import re -import string import sys import generate if len(sys.argv) != 3: - print "usage: %s rfc3492.txt" % sys.argv[0] + print("usage: %s rfc3492.txt" % sys.argv[0]) sys.exit(1) f = open(sys.argv[1], 'r') @@ -72,7 +71,7 @@ while True: else: m = re.search('^ *([uU]+.*) *$', l) if m: - codes.extend(string.split(m.group(1), ' ')) + codes.extend(m.group(1).split(' ')) else: m = re.search('^ *Punycode: (.*) *$', l) if m: @@ -81,7 +80,7 @@ while True: if re.match('^7\.1', l): start = True cases = [] - + f.close() examples_h.file.write( @@ -115,7 +114,7 @@ for x in cases: examples_c.file.write( " {%u, {%s}, \"%s\", \"%s\"},\n" % (len(cp), - string.join([re.sub('[uU]\+', '0x', x) for x in cp], ', '), + ",".join([re.sub('[uU]\+', '0x', x) for x in cp]), pc, desc)) diff --git a/lib/wind/generate.py b/lib/wind/generate.py index 1d708c6a3c47..0a32fcd4d4d8 100644 --- a/lib/wind/generate.py +++ b/lib/wind/generate.py 
@@ -37,6 +37,7 @@ import datetime import string import os +import sys class GeneratedFile : "Represents a generated file" @@ -56,10 +57,14 @@ class GeneratedFile : class Header(GeneratedFile) : "Represents a generated header file" - guardTrans = string.maketrans('-.', '__') + if sys.hexversion>0x300000f: + guardTrans = bytes.maketrans(b'-.', b'__') + else: + import string + guardTrans = string.maketrans('-.', '__') def makeGuard(self) : """Return a name to be used as ifdef guard""" - return string.upper(string.translate(self.name, self.guardTrans)) + return self.name.translate(self.guardTrans).upper() def __init__(self, name) : "Create a new Header with name" diff --git a/lib/wind/map_table.c b/lib/wind/map_table.c index 9be8c9241f24..abce7bef5fb6 100644 --- a/lib/wind/map_table.c +++ b/lib/wind/map_table.c @@ -1,5 +1,5 @@ /* ./map_table.c */ -/* Automatically generated at 2017-12-08T03:21:13.416181 */ +/* Automatically generated at 2019-06-07T02:26:41.398537 */ #include "map_table.h" diff --git a/lib/wind/map_table.h b/lib/wind/map_table.h index fb6c773d99c9..ae8e90356825 100644 --- a/lib/wind/map_table.h +++ b/lib/wind/map_table.h @@ -1,5 +1,5 @@ /* ./map_table.h */ -/* Automatically generated at 2017-12-08T03:21:13.415873 */ +/* Automatically generated at 2019-06-07T02:26:41.397498 */ #ifndef MAP_TABLE_H #define MAP_TABLE_H 1 diff --git a/lib/wind/normalize_table.c b/lib/wind/normalize_table.c index 2f9a690e3f2c..0a11b0d29dd1 100644 --- a/lib/wind/normalize_table.c +++ b/lib/wind/normalize_table.c @@ -1,5 +1,5 @@ /* ./normalize_table.c */ -/* Automatically generated at 2017-12-08T03:21:13.608557 */ +/* Automatically generated at 2019-06-07T02:26:41.707824 */ #include "normalize_table.h" diff --git a/lib/wind/normalize_table.h b/lib/wind/normalize_table.h index 52b1f5292d6e..d82cc26d4c03 100644 --- a/lib/wind/normalize_table.h +++ b/lib/wind/normalize_table.h 
@@ -1,5 +1,5 @@ /* ./normalize_table.h */ -/* Automatically generated at 2017-12-08T03:21:13.608247 */ +/* Automatically generated at 2019-06-07T02:26:41.685585 */ #ifndef NORMALIZE_TABLE_H #define NORMALIZE_TABLE_H 1 diff --git a/lib/wind/punycode_examples.c b/lib/wind/punycode_examples.c index 6252952e6e45..7336f3eacfea 100644 --- a/lib/wind/punycode_examples.c +++ b/lib/wind/punycode_examples.c @@ -1,5 +1,5 @@ /* ./punycode_examples.c */ -/* Automatically generated at 2017-12-08T03:21:15.326628 */ +/* Automatically generated at 2019-06-07T02:40:18.438604 */ #ifndef PUNYCODE_EXAMPLES_C #define PUNYCODE_EXAMPLES_C 1 
@@ -8,25 +8,25 @@ #include "punycode_examples.h" const struct punycode_example punycode_examples[] = { - {17, {0x0644, 0x064A, 0x0647, 0x0645, 0x0627, 0x0628, 0x062A, 0x0643, 0x0644, 0x0645, 0x0648, 0x0634, 0x0639, 0x0631, 0x0628, 0x064A, 0x061F}, "egbpdaj6bu4bxfgehfvwxn", "Arabic (Egyptian):"}, - {9, {0x4ED6, 0x4EEC, 0x4E3A, 0x4EC0, 0x4E48, 0x4E0D, 0x8BF4, 0x4E2D, 0x6587}, "ihqwcrb4cv8a8dqg056pqjye", "Chinese (simplified):"}, - {9, {0x4ED6, 0x5011, 0x7232, 0x4EC0, 0x9EBD, 0x4E0D, 0x8AAA, 0x4E2D, 0x6587}, "ihqwctvzc91f659drss3x8bo0yb", "Chinese (traditional):"}, - {22, {0x0050, 0x0072, 0x006F, 0x010D, 0x0070, 0x0072, 0x006F, 0x0073, 0x0074, 0x011B, 0x006E, 0x0065, 0x006D, 0x006C, 0x0075, 0x0076, 0x00ED, 0x010D, 0x0065, 0x0073, 0x006B, 0x0079}, "Proprostnemluvesky-uyb24dma41a", "Czech: Pro<ccaron>prost<ecaron>nemluv<iacute><ccaron>esky"}, - {22, {0x05DC, 0x05DE, 0x05D4, 0x05D4, 0x05DD, 0x05E4, 0x05E9, 0x05D5, 0x05D8, 0x05DC, 0x05D0, 0x05DE, 0x05D3, 0x05D1, 0x05E8, 0x05D9, 0x05DD, 0x05E2, 0x05D1, 0x05E8, 0x05D9, 0x05EA}, "4dbcagdahymbxekheh6e0a7fei0b", "Hebrew:"}, - {30, {0x092F, 0x0939, 0x0932, 0x094B, 0x0917, 0x0939, 0x093F, 0x0928, 0x094D, 0x0926, 0x0940, 0x0915, 0x094D, 0x092F, 0x094B, 0x0902, 0x0928, 0x0939, 0x0940, 0x0902, 0x092C, 0x094B, 0x0932, 0x0938, 0x0915, 0x0924, 0x0947, 0x0939, 0x0948, 0x0902}, "i1baa7eci9glrd9b2ae1bj0hfcgg6iyaf8o0a1dig0cd", "Hindi (Devanagari):"}, - {18, {0x306A, 0x305C, 0x307F, 0x3093, 0x306A, 0x65E5, 0x672C, 0x8A9E, 0x3092, 0x8A71, 0x3057, 0x3066, 0x304F, 0x308C, 0x306A, 0x3044, 0x306E, 0x304B}, "n8jok5ay5dzabd5bym9f0cm5685rrjetr6pdxa", "Japanese (kanji and hiragana):"}, - {24, {0xC138, 0xACC4, 0xC758, 0xBAA8, 0xB4E0, 0xC0AC, 0xB78C, 0xB4E4, 0xC774, 0xD55C, 0xAD6D, 0xC5B4, 0xB97C, 0xC774, 0xD574, 0xD55C, 0xB2E4, 0xBA74, 0xC5BC, 0xB9C8, 0xB098, 0xC88B, 0xC744, 0xAE4C}, "989aomsvi5e83db1d2a355cv1e0vak1dwrv93d5xbh15a0dt30a5jpsd879ccm6fea98c", "Korean (Hangul syllables):"}, - {28, {0x043F, 0x043E, 0x0447, 0x0435, 0x043C, 0x0443, 0x0436, 
0x0435, 0x043E, 0x043D, 0x0438, 0x043D, 0x0435, 0x0433, 0x043E, 0x0432, 0x043E, 0x0440, 0x044F, 0x0442, 0x043F, 0x043E, 0x0440, 0x0443, 0x0441, 0x0441, 0x043A, 0x0438}, "b1abfaaepdrnnbgefbaDotcwatmq2g4l", "Russian (Cyrillic):"}, - {40, {0x0050, 0x006F, 0x0072, 0x0071, 0x0075, 0x00E9, 0x006E, 0x006F, 0x0070, 0x0075, 0x0065, 0x0064, 0x0065, 0x006E, 0x0073, 0x0069, 0x006D, 0x0070, 0x006C, 0x0065, 0x006D, 0x0065, 0x006E, 0x0074, 0x0065, 0x0068, 0x0061, 0x0062, 0x006C, 0x0061, 0x0072, 0x0065, 0x006E, 0x0045, 0x0073, 0x0070, 0x0061, 0x00F1, 0x006F, 0x006C}, "PorqunopuedensimplementehablarenEspaol-fmd56a", "Spanish: Porqu<eacute>nopuedensimplementehablarenEspa<ntilde>ol"}, - {31, {0x0054, 0x1EA1, 0x0069, 0x0073, 0x0061, 0x006F, 0x0068, 0x1ECD, 0x006B, 0x0068, 0x00F4, 0x006E, 0x0067, 0x0074, 0x0068, 0x1EC3, 0x0063, 0x0068, 0x1EC9, 0x006E, 0x00F3, 0x0069, 0x0074, 0x0069, 0x1EBF, 0x006E, 0x0067, 0x0056, 0x0069, 0x1EC7, 0x0074}, "TisaohkhngthchnitingVit-kjcr8268qyxafd2f1b9g", "Vietnamese:"}, - {8, {0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F}, "3B-ww4c5e180e575a65lsy2b", "3<nen>B<gumi><kinpachi><sensei>"}, - {24, {0x5B89, 0x5BA4, 0x5948, 0x7F8E, 0x6075, 0x002D, 0x0077, 0x0069, 0x0074, 0x0068, 0x002D, 0x0053, 0x0055, 0x0050, 0x0045, 0x0052, 0x002D, 0x004D, 0x004F, 0x004E, 0x004B, 0x0045, 0x0059, 0x0053}, "-with-SUPER-MONKEYS-pc58ag80a8qai00g7n9n", "<amuro><namie>-with-SUPER-MONKEYS"}, - {25, {0x0048, 0x0065, 0x006C, 0x006C, 0x006F, 0x002D, 0x0041, 0x006E, 0x006F, 0x0074, 0x0068, 0x0065, 0x0072, 0x002D, 0x0057, 0x0061, 0x0079, 0x002D, 0x305D, 0x308C, 0x305E, 0x308C, 0x306E, 0x5834, 0x6240}, "Hello-Another-Way--fc4qua05auwb3674vfr0b", "Hello-Another-Way-<sorezore><no><basho>"}, - {8, {0x3072, 0x3068, 0x3064, 0x5C4B, 0x6839, 0x306E, 0x4E0B, 0x0032}, "2-u9tlzr9756bt3uc0v", "<hitotsu><yane><no><shita>2"}, - {13, {0x004D, 0x0061, 0x006A, 0x0069, 0x3067, 0x004B, 0x006F, 0x0069, 0x3059, 0x308B, 0x0035, 0x79D2, 0x524D}, "MajiKoi5-783gue6qz075azm5e", 
"Maji<de>Koi<suru>5<byou><mae>"}, - {9, {0x30D1, 0x30D5, 0x30A3, 0x30FC, 0x0064, 0x0065, 0x30EB, 0x30F3, 0x30D0}, "de-jg4avhby1noc0d", "<pafii>de<runba>"}, - {7, {0x305D, 0x306E, 0x30B9, 0x30D4, 0x30FC, 0x30C9, 0x3067}, "d9juau41awczczp", "<sono><supiido><de>"}, - {11, {0x002D, 0x003E, 0x0020, 0x0024, 0x0031, 0x002E, 0x0030, 0x0030, 0x0020, 0x003C, 0x002D}, "-> $1.00 <--", "-> $1.00 <-"}, + {17, {0x0644,0x064A,0x0647,0x0645,0x0627,0x0628,0x062A,0x0643,0x0644,0x0645,0x0648,0x0634,0x0639,0x0631,0x0628,0x064A,0x061F}, "egbpdaj6bu4bxfgehfvwxn", "Arabic (Egyptian):"}, + {9, {0x4ED6,0x4EEC,0x4E3A,0x4EC0,0x4E48,0x4E0D,0x8BF4,0x4E2D,0x6587}, "ihqwcrb4cv8a8dqg056pqjye", "Chinese (simplified):"}, + {9, {0x4ED6,0x5011,0x7232,0x4EC0,0x9EBD,0x4E0D,0x8AAA,0x4E2D,0x6587}, "ihqwctvzc91f659drss3x8bo0yb", "Chinese (traditional):"}, + {22, {0x0050,0x0072,0x006F,0x010D,0x0070,0x0072,0x006F,0x0073,0x0074,0x011B,0x006E,0x0065,0x006D,0x006C,0x0075,0x0076,0x00ED,0x010D,0x0065,0x0073,0x006B,0x0079}, "Proprostnemluvesky-uyb24dma41a", "Czech: Pro<ccaron>prost<ecaron>nemluv<iacute><ccaron>esky"}, + {22, {0x05DC,0x05DE,0x05D4,0x05D4,0x05DD,0x05E4,0x05E9,0x05D5,0x05D8,0x05DC,0x05D0,0x05DE,0x05D3,0x05D1,0x05E8,0x05D9,0x05DD,0x05E2,0x05D1,0x05E8,0x05D9,0x05EA}, "4dbcagdahymbxekheh6e0a7fei0b", "Hebrew:"}, + {30, {0x092F,0x0939,0x0932,0x094B,0x0917,0x0939,0x093F,0x0928,0x094D,0x0926,0x0940,0x0915,0x094D,0x092F,0x094B,0x0902,0x0928,0x0939,0x0940,0x0902,0x092C,0x094B,0x0932,0x0938,0x0915,0x0924,0x0947,0x0939,0x0948,0x0902}, "i1baa7eci9glrd9b2ae1bj0hfcgg6iyaf8o0a1dig0cd", "Hindi (Devanagari):"}, + {18, {0x306A,0x305C,0x307F,0x3093,0x306A,0x65E5,0x672C,0x8A9E,0x3092,0x8A71,0x3057,0x3066,0x304F,0x308C,0x306A,0x3044,0x306E,0x304B}, "n8jok5ay5dzabd5bym9f0cm5685rrjetr6pdxa", "Japanese (kanji and hiragana):"}, + {24, {0xC138,0xACC4,0xC758,0xBAA8,0xB4E0,0xC0AC,0xB78C,0xB4E4,0xC774,0xD55C,0xAD6D,0xC5B4,0xB97C,0xC774,0xD574,0xD55C,0xB2E4,0xBA74,0xC5BC,0xB9C8,0xB098,0xC88B,0xC744,0xAE4C}, 
"989aomsvi5e83db1d2a355cv1e0vak1dwrv93d5xbh15a0dt30a5jpsd879ccm6fea98c", "Korean (Hangul syllables):"}, + {28, {0x043F,0x043E,0x0447,0x0435,0x043C,0x0443,0x0436,0x0435,0x043E,0x043D,0x0438,0x043D,0x0435,0x0433,0x043E,0x0432,0x043E,0x0440,0x044F,0x0442,0x043F,0x043E,0x0440,0x0443,0x0441,0x0441,0x043A,0x0438}, "b1abfaaepdrnnbgefbaDotcwatmq2g4l", "Russian (Cyrillic):"}, + {40, {0x0050,0x006F,0x0072,0x0071,0x0075,0x00E9,0x006E,0x006F,0x0070,0x0075,0x0065,0x0064,0x0065,0x006E,0x0073,0x0069,0x006D,0x0070,0x006C,0x0065,0x006D,0x0065,0x006E,0x0074,0x0065,0x0068,0x0061,0x0062,0x006C,0x0061,0x0072,0x0065,0x006E,0x0045,0x0073,0x0070,0x0061,0x00F1,0x006F,0x006C}, "PorqunopuedensimplementehablarenEspaol-fmd56a", "Spanish: Porqu<eacute>nopuedensimplementehablarenEspa<ntilde>ol"}, + {31, {0x0054,0x1EA1,0x0069,0x0073,0x0061,0x006F,0x0068,0x1ECD,0x006B,0x0068,0x00F4,0x006E,0x0067,0x0074,0x0068,0x1EC3,0x0063,0x0068,0x1EC9,0x006E,0x00F3,0x0069,0x0074,0x0069,0x1EBF,0x006E,0x0067,0x0056,0x0069,0x1EC7,0x0074}, "TisaohkhngthchnitingVit-kjcr8268qyxafd2f1b9g", "Vietnamese:"}, + {8, {0x0033,0x5E74,0x0042,0x7D44,0x91D1,0x516B,0x5148,0x751F}, "3B-ww4c5e180e575a65lsy2b", "3<nen>B<gumi><kinpachi><sensei>"}, + {24, {0x5B89,0x5BA4,0x5948,0x7F8E,0x6075,0x002D,0x0077,0x0069,0x0074,0x0068,0x002D,0x0053,0x0055,0x0050,0x0045,0x0052,0x002D,0x004D,0x004F,0x004E,0x004B,0x0045,0x0059,0x0053}, "-with-SUPER-MONKEYS-pc58ag80a8qai00g7n9n", "<amuro><namie>-with-SUPER-MONKEYS"}, + {25, {0x0048,0x0065,0x006C,0x006C,0x006F,0x002D,0x0041,0x006E,0x006F,0x0074,0x0068,0x0065,0x0072,0x002D,0x0057,0x0061,0x0079,0x002D,0x305D,0x308C,0x305E,0x308C,0x306E,0x5834,0x6240}, "Hello-Another-Way--fc4qua05auwb3674vfr0b", "Hello-Another-Way-<sorezore><no><basho>"}, + {8, {0x3072,0x3068,0x3064,0x5C4B,0x6839,0x306E,0x4E0B,0x0032}, "2-u9tlzr9756bt3uc0v", "<hitotsu><yane><no><shita>2"}, + {13, {0x004D,0x0061,0x006A,0x0069,0x3067,0x004B,0x006F,0x0069,0x3059,0x308B,0x0035,0x79D2,0x524D}, "MajiKoi5-783gue6qz075azm5e", 
"Maji<de>Koi<suru>5<byou><mae>"}, + {9, {0x30D1,0x30D5,0x30A3,0x30FC,0x0064,0x0065,0x30EB,0x30F3,0x30D0}, "de-jg4avhby1noc0d", "<pafii>de<runba>"}, + {7, {0x305D,0x306E,0x30B9,0x30D4,0x30FC,0x30C9,0x3067}, "d9juau41awczczp", "<sono><supiido><de>"}, + {11, {0x002D,0x003E,0x0020,0x0024,0x0031,0x002E,0x0030,0x0030,0x0020,0x003C,0x002D}, "-> $1.00 <--", "-> $1.00 <-"}, }; const size_t punycode_examples_size = 19; diff --git a/lib/wind/punycode_examples.h b/lib/wind/punycode_examples.h index a9e527b0e803..3f4ced096b9e 100644 --- a/lib/wind/punycode_examples.h +++ b/lib/wind/punycode_examples.h @@ -1,5 +1,5 @@ /* ./punycode_examples.h */ -/* Automatically generated at 2017-12-08T03:21:15.326321 */ +/* Automatically generated at 2019-06-07T02:40:18.438347 */ #ifndef PUNYCODE_EXAMPLES_H #define PUNYCODE_EXAMPLES_H 1 diff --git a/lib/wind/stringprep.py b/lib/wind/stringprep.py index 249b1dc2a1ca..cff4d02a7b6d 100644 --- a/lib/wind/stringprep.py +++ b/lib/wind/stringprep.py @@ -57,7 +57,7 @@ def symbols(tabledict, tables): list = list + tabledict.get(x, []) if len(list) == 0: return "" - return "|".join(map(lambda x: "WIND_PROFILE_%s" % (string.upper(x)), list)) + return "|".join(map(lambda x: "WIND_PROFILE_%s" % (x.upper()), list)) def get_errorlist(): d = dict() diff --git a/missing b/missing index c6e379584baf..c6e379584baf 100644..100755 --- a/missing +++ b/missing diff --git a/tests/can/check-can.in b/tests/can/check-can.in index e168f97efca8..50d01b8d84fb 100644 --- a/tests/can/check-can.in +++ b/tests/can/check-can.in @@ -41,7 +41,7 @@ env_setup="@env_setup@" . ${env_setup} -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ${have_db} || exit 77 ./test_can TEST.H5L.SE heim-0.8 || exit 1 diff --git a/tests/db/add-modify-delete.in b/tests/db/add-modify-delete.in index 278a63596221..7f3a81908810 100644 --- a/tests/db/add-modify-delete.in +++ b/tests/db/add-modify-delete.in 
@@ -41,7 +41,7 @@ EGREP="@EGREP@" default_db_type=@default_db_type@ db_type=${1:-${default_db_type}} -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ./have-db || exit 77 R=EXAMPLE.ORG diff --git a/tests/db/check-aliases.in b/tests/db/check-aliases.in index dbef36dfbed6..5601905e4195 100644 --- a/tests/db/check-aliases.in +++ b/tests/db/check-aliases.in @@ -41,7 +41,7 @@ db_type=${1:-${default_db_type}} testfailed="echo test failed; cat messages.log; exit 1" -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ../db/have-db || exit 77 R=TEST.H5L.SE diff --git a/tests/db/loaddump-db.in b/tests/db/loaddump-db.in index 472580aa942b..00d81861c863 100644 --- a/tests/db/loaddump-db.in +++ b/tests/db/loaddump-db.in @@ -37,7 +37,7 @@ srcdir="@srcdir@" objdir="@objdir@" -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ./have-db || exit 77 R=EXAMPLE.ORG diff --git a/tests/gss/check-basic.in b/tests/gss/check-basic.in index c8064c010e96..bd219b5e06c8 100644 --- a/tests/gss/check-basic.in +++ b/tests/gss/check-basic.in @@ -40,7 +40,7 @@ objdir="@objdir@" . ${env_setup} -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ../db/have-db || exit 77 R=TEST.H5L.SE diff --git a/tests/gss/check-context.in b/tests/gss/check-context.in index 32f19d141b8a..ba06aaa02e85 100644 --- a/tests/gss/check-context.in +++ b/tests/gss/check-context.in @@ -40,7 +40,7 @@ objdir="@objdir@" . ${env_setup} -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ../db/have-db || exit 77 R=TEST.H5L.SE diff --git a/tests/gss/check-gssmask.in b/tests/gss/check-gssmask.in index c7b7d6f53a75..de806b5977ae 100644 --- a/tests/gss/check-gssmask.in 
+++ b/tests/gss/check-gssmask.in @@ -40,7 +40,7 @@ objdir="@objdir@" . ${env_setup} -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ../db/have-db || exit 77 R=TEST.H5L.SE diff --git a/tests/gss/check-ntlm.in b/tests/gss/check-ntlm.in index 5398b595b1e5..6e03b012f738 100644 --- a/tests/gss/check-ntlm.in +++ b/tests/gss/check-ntlm.in @@ -40,7 +40,7 @@ objdir="@objdir@" . ${env_setup} -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ../db/have-db || exit 77 R=TEST.H5L.SE diff --git a/tests/gss/check-spnego.in b/tests/gss/check-spnego.in index 7202da538a12..e2982d4f7281 100644 --- a/tests/gss/check-spnego.in +++ b/tests/gss/check-spnego.in @@ -40,7 +40,7 @@ objdir="@objdir@" . ${env_setup} -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ../db/have-db || exit 77 R=TEST.H5L.SE diff --git a/tests/kdc/check-canon.in b/tests/kdc/check-canon.in index ef5d8275eda9..0bb5a413f3cf 100644 --- a/tests/kdc/check-canon.in +++ b/tests/kdc/check-canon.in @@ -33,7 +33,7 @@ objdir="@objdir@" . ${env_setup} -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test # (krb5_kt_get_entry() is tested in another test) ${have_db} || exit 77 diff --git a/tests/kdc/check-cc.in b/tests/kdc/check-cc.in index 6e02589471df..1543db4f8819 100644 --- a/tests/kdc/check-cc.in +++ b/tests/kdc/check-cc.in @@ -43,7 +43,7 @@ unset KRB5CCNAME testfailed="echo test failed; exit 1" -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ${have_db} || exit 77 R=TEST.H5L.SE diff --git a/tests/kdc/check-delegation.in b/tests/kdc/check-delegation.in index 5fa19adba9a2..8657946168ad 100644 --- a/tests/kdc/check-delegation.in +++ b/tests/kdc/check-delegation.in 
@@ -36,7 +36,7 @@ objdir="@objdir@" . ${env_setup} -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ${have_db} || exit 77 R=TEST.H5L.SE diff --git a/tests/kdc/check-des.in b/tests/kdc/check-des.in index 301baa6edf7d..d45b119dfa5d 100644 --- a/tests/kdc/check-des.in +++ b/tests/kdc/check-des.in @@ -39,7 +39,7 @@ testfailed="echo test failed; cat messages.log; exit 1" . ${env_setup} -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ${have_db} || exit 77 R=TEST.H5L.SE diff --git a/tests/kdc/check-digest.in b/tests/kdc/check-digest.in index d31ba323ca8c..1623783eba6d 100644 --- a/tests/kdc/check-digest.in +++ b/tests/kdc/check-digest.in @@ -40,7 +40,7 @@ testfailed="echo test failed; cat messages.log; exit 1" . ${env_setup} -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ${have_db} || exit 77 R=TEST.H5L.SE diff --git a/tests/kdc/check-fast.in b/tests/kdc/check-fast.in index 96c00c31921f..4d3577c55966 100644 --- a/tests/kdc/check-fast.in +++ b/tests/kdc/check-fast.in @@ -42,7 +42,7 @@ export KRB5_CONFIG testfailed="echo test failed; cat messages.log; exit 1" -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ${have_db} || exit 77 R=TEST.H5L.SE diff --git a/tests/kdc/check-hdb-mitdb.in b/tests/kdc/check-hdb-mitdb.in index 13559d9c9eaa..e9de58799a31 100644 --- a/tests/kdc/check-hdb-mitdb.in +++ b/tests/kdc/check-hdb-mitdb.in @@ -42,7 +42,7 @@ export KRB5_CONFIG testfailed="echo test failed; cat messages.log; exit 1" -# If there is no ldap support compile in, disable test +# If there is no ldap support compiled in, disable test if ${kdc} --builtin-hdb | grep mit-db > /dev/null ; then : else 
@@ -50,7 +50,7 @@ else exit 77 fi -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ${have_db} || exit 77 R=TEST.H5L.SE diff --git a/tests/kdc/check-iprop.in b/tests/kdc/check-iprop.in index ebdbaf1a459e..af6d9c253ca1 100644 --- a/tests/kdc/check-iprop.in +++ b/tests/kdc/check-iprop.in @@ -39,11 +39,11 @@ db_type=@db_type@ . ${env_setup} -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ${have_db} || exit 77 -# Dont run this test in AFS, since it lacks support for AF_UNIX +# Don't run this test in AFS, since it lacks support for AF_UNIX expr "X`/bin/pwd || pwd`" : "X/afs/.*" > /dev/null 2>/dev/null && exit 77 R=TEST.H5L.SE @@ -301,7 +301,7 @@ echo "doing changes while slave is down" ${kadmin} -l cpw --random-password user@${R} > /dev/null || exit 1 ${kadmin} -l cpw --random-password user@${R} > /dev/null || exit 1 -echo "Makeing a copy of the master log file" +echo "Making a copy of the master log file" cp ${objdir}/current.log ${objdir}/current.log.tmp # ----------------- checking: checking that master and slaves resyncs diff --git a/tests/kdc/check-kadmin.in b/tests/kdc/check-kadmin.in index d40d0ea8812e..e01a1c349cb7 100644 --- a/tests/kdc/check-kadmin.in +++ b/tests/kdc/check-kadmin.in @@ -38,7 +38,7 @@ srcdir="@srcdir@" . ${env_setup} -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ${have_db} || exit 77 R=TEST.H5L.SE diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in index f6e78ccaccac..a57253b5ab87 100644 --- a/tests/kdc/check-kdc.in +++ b/tests/kdc/check-kdc.in @@ -42,7 +42,7 @@ export KRB5_CONFIG testfailed="echo test failed; cat messages.log; exit 1" -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ${have_db} || exit 77 R=TEST.H5L.SE 
@@ -487,6 +487,30 @@ for a in $enctypes; do done ${kdestroy} +echo "Getting client authenticated anonymous initial tickets"; > messages.log +${kinit} -n --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +for a in $enctypes; do + echo "Getting tickets ($a)"; > messages.log + ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + ${kdestroy} --credential=${server}@${R} +done +${kdestroy} + +echo "Getting client anonymous service tickets"; > messages.log +${kinit} --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +for a in $enctypes; do + echo "Getting tickets ($a)"; > messages.log + ${kgetcred} -n -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + ${kdestroy} --credential=${server}@${R} +done +${kdestroy} + echo "Getting client initial tickets for cross realm case"; > messages.log ${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } for a in $enctypes; do @@ -713,9 +737,10 @@ fi if test "$pkinit" = yes -a "$rsa" = yes ; then echo "try anonymous pkinit"; > messages.log - ${kinit} --anonymous ${R} || \ + ${kinit} --renewable -n @${R} || \ { ec=1 ; eval "${testfailed}"; } ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${kinit} --renew || { ec=1 ; eval "${testfailed}"; } ${kdestroy} for type in "" "--pk-use-enckey"; do 
@@ -761,6 +786,14 @@ else echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > messages.log fi +echo "test impersonate using rc4 based tgt"; > messages.log +${kinit} -e arcfour-hmac-md5 --forwardable --password-file=${objdir}/foopassword ${ps} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred_imp} --impersonate=bar@${R} ${ps} || \ + { ec=1 ; eval "${testfailed}"; } +${test_ap_req} ${ps} ${keytab} ${ocache} || \ + { ec=1 ; eval "${testfailed}"; } + echo "tickets for impersonate test case"; > messages.log ${kinit} --forwardable --password-file=${objdir}/foopassword ${ps} || \ { ec=1 ; eval "${testfailed}"; } diff --git a/tests/kdc/check-keys.in b/tests/kdc/check-keys.in index e8aca2684ae7..6784bb51efa9 100644 --- a/tests/kdc/check-keys.in +++ b/tests/kdc/check-keys.in @@ -39,7 +39,7 @@ objdir="." srcdir="${top_srcdir}/tests/kdc" -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ${have_db} || exit 77 R=TEST.H5L.SE diff --git a/tests/kdc/check-kinit.in b/tests/kdc/check-kinit.in index e541a844d167..35ec6deadbfa 100644 --- a/tests/kdc/check-kinit.in +++ b/tests/kdc/check-kinit.in @@ -43,7 +43,7 @@ export KRB5CCNAME testfailed="echo test failed; exit 1" -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ${have_db} || exit 77 R=TEST.H5L.SE diff --git a/tests/kdc/check-kpasswdd.in b/tests/kdc/check-kpasswdd.in index 3711ede01d91..4f63ce240fad 100644 --- a/tests/kdc/check-kpasswdd.in +++ b/tests/kdc/check-kpasswdd.in @@ -37,12 +37,12 @@ objdir="@objdir@" . ${env_setup} -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ${have_db} || exit 77 testfailed="echo test failed; cat messages.log; exit \$ec" -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ${have_db} || exit 77 R=TEST.H5L.SE 
diff --git a/tests/kdc/check-pkinit.in b/tests/kdc/check-pkinit.in index 92c515ffbe91..23947bf5fe54 100644 --- a/tests/kdc/check-pkinit.in +++ b/tests/kdc/check-pkinit.in @@ -39,7 +39,7 @@ testfailed="echo test failed; cat messages.log; exit 1" . ${env_setup} -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ${have_db} || exit 77 R=TEST.H5L.SE diff --git a/tests/kdc/check-referral.in b/tests/kdc/check-referral.in index bbb72a349b65..92240c9ac9b6 100644 --- a/tests/kdc/check-referral.in +++ b/tests/kdc/check-referral.in @@ -39,7 +39,7 @@ objdir="@objdir@" testfailed="echo test failed; cat messages.log; exit 1" -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ${have_db} || exit 77 R=TEST.H5L.SE diff --git a/tests/kdc/check-tester.in b/tests/kdc/check-tester.in index 8f1679f50510..dba154c299b9 100644 --- a/tests/kdc/check-tester.in +++ b/tests/kdc/check-tester.in @@ -43,7 +43,7 @@ export KRB5_CONFIG testfailed="echo test failed; cat messages.log; exit 1" -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ${have_db} || exit 77 R=TEST.H5L.SE diff --git a/tests/kdc/check-uu.in b/tests/kdc/check-uu.in index c6607fa239ba..7e819a14ad0d 100644 --- a/tests/kdc/check-uu.in +++ b/tests/kdc/check-uu.in @@ -39,7 +39,7 @@ testfailed="echo test failed; cat messages.log; exit 1" . ${env_setup} -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ${have_db} || exit 77 R=TEST.H5L.SE diff --git a/tests/ldap/check-ldap.in b/tests/ldap/check-ldap.in index 3325c5d50102..943fb0e7f3c4 100644 --- a/tests/ldap/check-ldap.in +++ b/tests/ldap/check-ldap.in 
@@ -59,7 +59,7 @@ testfailed="echo test failed; exit 1" KRB5_CONFIG="${objdir}/krb5.conf" export KRB5_CONFIG -# If there is no ldap support compile in, disable test +# If there is no ldap support compiled in, disable test if ${kdc} --builtin-hdb | grep ldap > /dev/null ; then : else diff --git a/tests/plugin/check-pac.in b/tests/plugin/check-pac.in index 7f0a4c326736..e201ed429ee3 100644 --- a/tests/plugin/check-pac.in +++ b/tests/plugin/check-pac.in @@ -43,7 +43,7 @@ EGREP="@EGREP@" testfailed="echo test failed; cat messages.log; exit 1" -# If there is no useful db support compile in, disable test +# If there is no useful db support compiled in, disable test ../db/have-db || exit 77 R=TEST.H5L.SE diff --git a/tools/cov.sh b/tools/cov.sh index 8ceba2d21066..8ceba2d21066 100755..100644 --- a/tools/cov.sh +++ b/tools/cov.sh diff --git a/tools/kdc-log-analyze.pl b/tools/kdc-log-analyze.pl index 6692bf457578..6692bf457578 100755..100644 --- a/tools/kdc-log-analyze.pl +++ b/tools/kdc-log-analyze.pl diff --git a/tools/krb5-config.in b/tools/krb5-config.in index 640853033936..640853033936 100755..100644 --- a/tools/krb5-config.in +++ b/tools/krb5-config.in diff --git a/windows/NTMakefile.version b/windows/NTMakefile.version index be769f1d9223..e5cd382b616b 100644 --- a/windows/NTMakefile.version +++ b/windows/NTMakefile.version @@ -7,7 +7,7 @@ VER_PACKAGE_COPYRIGHT=Copyright (C) 1995-2016 Royal Institute of Technology, Sto VER_PACKAGE_COMPANY=www.h5l.org VER_PRODUCT_MAJOR=7 -VER_PRODUCT_MINOR=5 +VER_PRODUCT_MINOR=7 VER_PRODUCT_AUX=0 VER_PRODUCT_PATCH=0 @@ -24,7 +24,7 @@ VER_OLD_BEGIN_AUX=0 VER_OLD_BEGIN_PATCH=0 VER_OLD_END_MAJOR=7 -VER_OLD_END_MINOR=4 +VER_OLD_END_MINOR=6 VER_OLD_END_AUX=65535 VER_OLD_END_PATCH=65535 
@@ -36,7 +36,7 @@ VER_DEBUG=1 !endif # Define to 1 if this is a pre-release build. Undefine otherwise -VER_PRERELEASE=1 +# VER_PRERELEASE=1 # Define to a valid string if this build DOES NOT follow normal # release procedures. I.e. this is a private build whose version |
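Review bot: In tests/kdc/check-kdc.in, the new "test impersonate using rc4 based tgt" block checks only the exit status of ${kinit}, ${kgetcred_imp} and ${test_ap_req}; nothing confirms that the TGT requested with -e arcfour-hmac-md5 is actually RC4-keyed. If a different enctype ends up being issued, the block still passes while exercising the same path as the "tickets for impersonate test case" block that follows it. Consider asserting the ticket enctype from the verbose credential listing right after the kinit, before ${kgetcred_imp} runs, so that the RC4 case is the one being tested.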
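Review bot: In tests/kdc/check-kpasswdd.in, the comment and the `${have_db} || exit 77` guard appear twice, once before and once after the `testfailed=` assignment, and this hunk corrects the "compile in" typo in both copies instead of removing the redundant one. The second guard cannot fire once the first has passed, so drop the second comment-and-guard pair and keep the one ahead of `testfailed=`.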
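Review bot: tools/cov.sh, tools/kdc-log-analyze.pl and tools/krb5-config.in change mode from 100755 to 100644 while the blob hash is the same on both sides of each index line, so the only effect of these three entries is dropping the executable bit. If that comes from how the vendor tarball was unpacked, restore the mode before committing; if it is intended, note it in the commit message, because anything that runs cov.sh or kdc-log-analyze.pl by path rather than through an interpreter will stop working.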