diff --git a/pki/pki_test.go b/pki/pki_test.go
index 5722015d4c..1404102cb9 100644
--- a/pki/pki_test.go
+++ b/pki/pki_test.go
@@ -20,11 +20,12 @@ package pki
 
 import (
 	"context"
+	"testing"
+	"time"
+
 	"github.com/nuts-foundation/nuts-node/core"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"testing"
-	"time"
 )
 
 func Test_New(t *testing.T) {
@@ -125,11 +126,6 @@ func TestPKI_CheckHealth(t *testing.T) {
 	})
 
 	t.Run("crl + denylist outdated", func(t *testing.T) {
-		nowFunc = func() time.Time {
-			return time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
-		}
-		defer func() { nowFunc = time.Now }()
-
 		// Check health
 		results := e.CheckHealth()
 		assert.Len(t, results, 2)
diff --git a/pki/test/A-expired.pem b/pki/test/A-expired.pem
index 6de2a1f690..62c94ff1ae 100644
--- a/pki/test/A-expired.pem
+++ b/pki/test/A-expired.pem
@@ -1,49 +1,49 @@
 -----BEGIN CERTIFICATE-----
-MIIDcTCCAlmgAwIBAgIBBjANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFJbnRl
-cm1lZGlhdGUgQSBDQTAeFw0yMzAzMjkwOTMyMjdaFw0yMzAzMzAwOTMyMjdaMBgx
+MIIDcTCCAlmgAwIBAgIBBzANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFJbnRl
+cm1lZGlhdGUgQSBDQTAeFw0yNDA1MjkxMDQ5MTdaFw0yNDA1MzAxMDQ5MTdaMBgx
 FjAUBgNVBAMMDUNlcnRBIEV4cGlyZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQCjfWDpNWcZZ3lD5Im7kAcgUhkm/t8/c8xZWW60StDxvm12M+ay1fGy
-sl2v8yhhnqTQjl1oDO5RxrOPMJrINPc/rV808fbPJbushSEVEYNmxQThf2e0Ny3G
-/qGeCxRcxFauKHGn9VIQBoB+VFcuoA4a3M4Jha9fI/lXdpEMzemgIcE6kLSB1G9z
-W9EWoCw6Pgpl9EwQ/QiMuA3sKk8emg4UdtAx56JssulzLdsKMUT8GBMehlQR2uAt
-vcMoTM/A9aPUXYDZA65xKXgLSvvFiRLGscyrUiAr/76G6HRsrKiroEisghD6gMve
-yUqLJczn/SEOBO98V8Mtg71beennO6JzAgMBAAGjgcEwgb4wHwYDVR0jBBgwFoAU
-ztiGHqF4fGSAh7rqQzOoxAkcdj4wDAYDVR0TAQH/BAIwADA/BgNVHR8EODA2MDSg
-MqAwhi5odHRwOi8vY2VydHMubnV0cy5ubC9JbnRlcm1lZGlhdGVDQUFMYXRlc3Qu
-Y3JsMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMC
-BPAwHQYDVR0OBBYEFEmfM+D2ucMX2xKntnVgtX+QrkaQMA0GCSqGSIb3DQEBCwUA
-A4IBAQCeaaLCOKOLIJBQY0fDlDVgtYuRwYwl3+BOIm9k7fZ6HR6A6puCLs1/dQdY
-yX0UHyhr7cPRz+EzYtU5Wdcgs7rDlVrp6u0AG/0tI5ISDXRU4I182DcjxOZc9kfE
-yUAbhSA5yEkFPep5Jm1vSJ3hy5y6Spj8Hx2e0xjiZzRz2ssGhK8Xqh7k71BuYXMM
-UDZQFOgDQuyYH5T0FOFlefszoryljWx1QXt1G+ZUwhbyvsv+FPmcpykNBl2Y4t2/
-6rNNQjY2SvAd1j+cwjMDlL5cHMvDJi1Bb21KFyS5ODifh4u8x3K5GxG9MW+iYCML
-Pu8VM7mJwOFZsiovYy3fzr+GWCR4
+ggEKAoIBAQC+wPpSgxKjeE8MKcQMsRHHW5bRsLREumQmFChrqsJD6YoiS3yB4HwY
++IXdckjpN/WoPBUKW6Nz4IWKw69N+02lJF+nAve1VXWXcQzHy3RERx3roYaGo31A
+MjZLP/r9PmCpYgjGf5Z2k1jWjkTP4i/Be01BtzcptMWyn346SzsHOgKaZH0ATsEs
+v/uvNqlgptb+jbUpzWc0KAcmhNhQQuo1vAXcchSqIvpTVubX4JCosjUe+i46fFIS
+jXM0ajE7dSg9arUSaXFpR5eNbeVn1duQzfzxpWSWOIOKgNVKv1UTnYam4h/eWVcb
+8ihimqPCxuXDIPBS0Z+8CWF82dKzZaSVAgMBAAGjgcEwgb4wHQYDVR0OBBYEFG/L
+bmIFFRcuQG9lSuLE60q7Zk2QMAwGA1UdEwEB/wQCMAAwPwYDVR0fBDgwNjA0oDKg
+MIYuaHR0cDovL2NlcnRzLm51dHMubmwvSW50ZXJtZWRpYXRlQ0FBTGF0ZXN0LmNy
+bDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgTw
+MB8GA1UdIwQYMBaAFLt0u72r+nM9Yz/oByhOrLzil/SJMA0GCSqGSIb3DQEBCwUA
+A4IBAQCfnjWVnXnOFv8XTBk0qtWZbmgbyS+sWQoi41x2w2sDHHFK88EeOp5LzwoL
+KVK+1W9PZKORGkAIVugkzvpHsrGey3bBMugSPvZJMq4wVU8O1Y8RWbny/1HPG/wm
+ZuWAiez0ioKRW38X7f95+WK612Ot7vsessqkeBzAVQcnQQ7MvPSYeE7kkU6Gde7S
+lRR8Du8uJKwnMObfUTiHXRuTwG4seVKRyCQV7++Dj8Y6Yri/YHmEsEacEP0+MqKm
+aIt7m0irf5RmSSUw6Qkwfus+9PJCyZyTM7SO6U/c56jF5E2QF/1VZ9kYGmqoO7SO
+4DZsx6HcuDceIQUxRuoaxV/xeoCG
 -----END CERTIFICATE-----
 -----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCjfWDpNWcZZ3lD
-5Im7kAcgUhkm/t8/c8xZWW60StDxvm12M+ay1fGysl2v8yhhnqTQjl1oDO5RxrOP
-MJrINPc/rV808fbPJbushSEVEYNmxQThf2e0Ny3G/qGeCxRcxFauKHGn9VIQBoB+
-VFcuoA4a3M4Jha9fI/lXdpEMzemgIcE6kLSB1G9zW9EWoCw6Pgpl9EwQ/QiMuA3s
-Kk8emg4UdtAx56JssulzLdsKMUT8GBMehlQR2uAtvcMoTM/A9aPUXYDZA65xKXgL
-SvvFiRLGscyrUiAr/76G6HRsrKiroEisghD6gMveyUqLJczn/SEOBO98V8Mtg71b
-eennO6JzAgMBAAECggEBAIv8R+WHP08GRVP3tGMwMJnhEf5Mz3TyPu/mXp7rTLsh
-VXKXgBpyi/B5PzTv3AyyHOcibyIvqEPHAmpBsNZqW6ZfWZzo7W5zHZ3bo/b5Nuzh
-F4vJXk91y7GOx22eiQHhb2LR6Hdq26gzGQSSTM/0Zf9kPtryZ7XsBIx6TjqLeVYN
-Emkl5jEGTHNjYr7zHuo4au7DSZQdLSjoWCdSpKuBrBV3pXaZ8uAPLFrJa3l9Wqmy
-No2UVFbyc0DAu/6+aibjD5bulEPvSPmyzmXf5h82vOgjh0lgql191ajMPLhbQ1sx
-1hQw8yDAr64sAfLyxRItIqx/F6mLxIJuRCRnmfx4RLkCgYEA0/csMJ9g+rJxpKGa
-TQx9MLzA+1S45HGOTxpmClwdTCDd8OZyHzj7bsyq/luV6uka55D3p6B4p2b+x84P
-hwF9hfPDFSxRV+utZJkYAI19pt6x0NhlLzUg3nk0PCBJwQ/yfY8MVPsU/yPtgSwq
-HbH43yvJB/hkZ9c+2AcpYLND8k0CgYEAxXQmiJH12MFfJ0S+RoMr/CY32AyBOvdZ
-PZ+VvqcYXLuEWQzqdpsrmr16RT6w8FbN9fagbMmHOBv/Ttvb/VXwTCVTR2iPTBVg
-qqqI4DTaEGRSvfjReD84Ku/WLp1vnIKM2FAgQhZQeb8nIg7D4ZcPUQSL27liUcv8
-J90rHubwx78CgYBcjJS/2icW7ykNj/32XFihGhlM484i+K4BPe6F4XhtUAB3+bak
-iVXHKBgVHVoVCpjTuQlZKIjl1uOxy/gdo3nyLd/k88fEksPPo8TGIQFXBe8v1/w+
-I31phhRXmGV7pYHkbrwcstCVIlPGTclJ0/ZtQwnwr/TvHh1zZ5UagstNFQKBgBg2
-30beR3z2cdnZ90+kZG9+rFiFaA+4J6yD9pQz36v3nwpgqBw1eUp3tBfr0T0YGBfy
-z8enizqZTFz6X2cY8+gSp7zZGMGm2Xz0fuan9JoQA4miiuWpMxUo5mY/DmHuLKGW
-ae5Q2Dul8oGdt+3hXZJ88T3X5TPMxTaKS/B1N8/3AoGACWNxKo0ibyXrFmiVsh9k
-c6lVQw60A0wdGdGjN9uTgWALdFEHZNdR1Fq2GK8YKFglQ0ZhQFINuDdfSeywGeqH
-l4PHq2UnI8pojJDRw83H4x7LJO2erxkcYZFyIU4amcNQb36RbbCcTKW3cyYKUJeN
-wu+bOwdDZApeXFExHPd6FfY=
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC+wPpSgxKjeE8M
+KcQMsRHHW5bRsLREumQmFChrqsJD6YoiS3yB4HwY+IXdckjpN/WoPBUKW6Nz4IWK
+w69N+02lJF+nAve1VXWXcQzHy3RERx3roYaGo31AMjZLP/r9PmCpYgjGf5Z2k1jW
+jkTP4i/Be01BtzcptMWyn346SzsHOgKaZH0ATsEsv/uvNqlgptb+jbUpzWc0KAcm
+hNhQQuo1vAXcchSqIvpTVubX4JCosjUe+i46fFISjXM0ajE7dSg9arUSaXFpR5eN
+beVn1duQzfzxpWSWOIOKgNVKv1UTnYam4h/eWVcb8ihimqPCxuXDIPBS0Z+8CWF8
+2dKzZaSVAgMBAAECggEASUnEg0onsZXKLR6o28V2UrV+Qy9Ue2lvi+/HveIcBFKo
+h1egTRgOJdvqNrQvjic5Y3s+DD48FQvI0xEu+9OXN+E7POQXftyIMvi009h34bm/
+JaZoFLegqjcAhDXfPUgnhDyNqZIgoYsoITsE9ifteDVi7+IwN/5jzKaZrVT1J2d3
+6xd3yFU+tMkO6yEsr6E9Gzb7DDC4juhV28CWEWEsJECwu5aST1LCvRKJV6B7h6gL
+BqyvgR4Hyt5hTh72/bFkc8AjmFIg400iWKFNaj49Gsj9If6jJa+g21kJOosCcoTA
+OIzEm6sRqLu6J579p4Cq/cN1kqwMRrsDRGZtX41CCwKBgQD3oVsllr1WhA1kDlSi
+lhOzyMPWNFzXmd1U1FZk1lHX+n96pY0+pHNTZHZh3aJZCGB7OArzraWNPCx7QgWP
+jEab/OF11hjAvK1wiFNlp88iy4WSt4cAkPQNgFqcpmqoww/+tj3K8mNVoxU++FUo
+/UwHFUNiYn9ZQFjNJQp9iuKo5wKBgQDFM34pXOuFct7vAHJao/tJMH2cVSjGOT5m
+5ry1p1hWVKp26HkEGaIRfsH0BmEO2Z6l2b2bWif1Wax2Oy0IPgjSXL5YgtybNRLW
+mz+OqiUy6q+yf9N1XgXFW5U+f09unvqlWuw7LKgopcgqyl0DbRcBKUcw9c9yZtrJ
+rMYG7bBrIwKBgFCBGpq7yM4pnBjdN9Krq7gVGuW2nEBTe0sqxPN/YZgvjeYXkDW/
+TObdkEb8wNzlBkjIzXavC1VBLMzdh+VFG2d27O1cLyvpqxEcoNA5n/OV6tTp6W/b
+sBv7kHnA+Ifo8nhCUxB5gKXEoRGZtkXfIypiVUfU8cXYT4ZR9nkd/9YdAoGBAKBf
+ujCFYv0KaIdSg613QrtI9j6XeyuKDle9Oqc4yzyaam99rD1LY2R7A90i+vgKv1z9
+8ZdQAMMmBH26rmrPmHkL97kf461Nwl5Jr6ykbtAz0GOIVT5UErloO72x57V9ETY8
+9XVCYhd8i4dRP8ezhkvpd/43Slgtka0GF54224ylAoGAAUYjR9C7F2kBtZbQTynn
+k28k+kNkqqiGOeeEgrbkliQk3kmcodkjkQsCVLwSSNLCb7LehFcZiQo8uP9uO8Qm
+oaXb7jeN/SJEQbPmhaGzcoFOpG50Y4vvtq+MSEVIrTclLeAaW67f51G5lboiq3E/
+F9s08fvYqIL+MVx2Dyq80xo=
 -----END PRIVATE KEY-----
diff --git a/pki/test/A-revoked.pem b/pki/test/A-revoked.pem
index 9e63ce1d29..5cc1bdc79f 100644
--- a/pki/test/A-revoked.pem
+++ b/pki/test/A-revoked.pem
@@ -1,49 +1,49 @@
 -----BEGIN CERTIFICATE-----
-MIIDcTCCAlmgAwIBAgIBBTANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFJbnRl
-cm1lZGlhdGUgQSBDQTAeFw0yMzAzMjkwOTMyMjdaFw0zMzAzMjYwOTMyMjdaMBgx
+MIIDcTCCAlmgAwIBAgIBBjANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFJbnRl
+cm1lZGlhdGUgQSBDQTAeFw0yNDA1MjkxMDQ5MTdaFw0zNDA1MjcxMDQ5MTdaMBgx
 FjAUBgNVBAMMDUNlcnRBIFJldm9rZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQDLB4Bih5WWBgmIAYX6t2tLjowWs3P7Q19NA3aBLbrbWkjCBFKnrNdS
-suO2isyqAZBYVe5kRGLsL5Z+0LOFRNTmxeVZCYQoQR23/2JrhrBQBXIEMUZZ3mlk
-BjG8wtrgTadtSGc2HA3Y4h+7EIHf+FxoyypAojZB/zcAMjhYn35EpgEYStPvh4/0
-InW3BCwDSayDOZBxxzbCAcMNbconVQ++5wULuiE1yLI0nihUDdH37uSxnDDJTC0b
-9InTbs3p1Q8911D0ziEpdhCBX5+7yHMRaBoqYg1/0cCSBfInMN/Lku82nUKCTh2e
-cIs2/Q8q1BADTah87hvUpLbChRDReZNVAgMBAAGjgcEwgb4wHwYDVR0jBBgwFoAU
-ztiGHqF4fGSAh7rqQzOoxAkcdj4wDAYDVR0TAQH/BAIwADA/BgNVHR8EODA2MDSg
-MqAwhi5odHRwOi8vY2VydHMubnV0cy5ubC9JbnRlcm1lZGlhdGVDQUFMYXRlc3Qu
-Y3JsMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMC
-BPAwHQYDVR0OBBYEFPTg+JBIV5RbEth7Cn7+XTh6tP76MA0GCSqGSIb3DQEBCwUA
-A4IBAQBA/u6FBadZfb4wAoEGLDEvN6vNMpnTeXSvTcB3wX26sLlC1pVozcA/zS3i
-YQ4YlmRNgaPIOPAvzUsEfnOYsDNfvZk+moSr1dcpiEOWnwoLxB+4Us0BBqZVWQTJ
-0cdD7JLI5m+umBdxx3uhu5//IWu+q6Hhx/6rHRkuLywAQvfIzsLEXByOTb8EeY8Y
-7Kx1y8NpoC+S6jYqocs3R9BiuekhdBYeNMBPH+GFDV2nvgWBrT3jYMd6My6vQyLP
-BC2jriZuOSVG24zf5NiZPtV5IKdivgohjrGyRvBtd7P/cpYrYwCIEHcIz/Bs2G+v
-f7MBzl0I/Ae6I3vtfWnoKzAZbfTz
+ggEKAoIBAQDZBjQmqTqzBmtyzAFtcrBZBHYMD3bbb3LBKc6NvTXceFWqK25dt1xq
+hlvLdyTiLltB7vQisOaMuCdc5nzWpl9sODzDPZ6FfxjmPu7ST5KbNTTWK9WpWkOh
+9fdxX8AIa5fNB37ooX66MiN/5i7k8tQwHNZuBW59OHOP2khBBxM34EcLgNPHpNwW
++TMxtd3/3/HTGyhs2j/22UwyuHtycszUPibYK7fhL6DCBOFvyuiVqH56i5UN6jGu
+/NBbgf+o6tfBQ5gB89H9ZtZ2rLbTchxi63Y2efVemXKaEY+TgL2AfGouXeLQHOP0
+Eai0qopJCaNVtEMyXl87f769KR02BkNlAgMBAAGjgcEwgb4wHQYDVR0OBBYEFJGf
+VgJL05hcPfpIiTfnNyYtumGQMAwGA1UdEwEB/wQCMAAwPwYDVR0fBDgwNjA0oDKg
+MIYuaHR0cDovL2NlcnRzLm51dHMubmwvSW50ZXJtZWRpYXRlQ0FBTGF0ZXN0LmNy
+bDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgTw
+MB8GA1UdIwQYMBaAFLt0u72r+nM9Yz/oByhOrLzil/SJMA0GCSqGSIb3DQEBCwUA
+A4IBAQAS7VUPtiHbTeKPvKqmXJ2Qu76HlaJ6GSzbeP/7LZ2o5BSfN2HiLMV5fNSg
+AuR4htUfOHZ4zlvXjjdD7A986MAAgRx5tkQjQ703xRtA4ahh0ZlM4mAtybr5ThKK
+7zQgzkeskAVNel8N0doq84aa103wk93F7RqeRuFYKACHUprH05wyr0qqgiZdn7Pp
+663mTUIbKzCN+RsLjsfI3Ef+7WQ9HZ+LJ0IvRE1qnrBI5K9cBJimZ+5oe6HzfIqK
+ok2oEJj0t/o45vWUMXRJ9XYUABa7HWVwCiRQIpYrvmFk3R4bf1rUwRZnU4joCQwy
+XFGIsOdv+yEN9IDy6POVr/dhO/ia
 -----END CERTIFICATE-----
 -----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDLB4Bih5WWBgmI
-AYX6t2tLjowWs3P7Q19NA3aBLbrbWkjCBFKnrNdSsuO2isyqAZBYVe5kRGLsL5Z+
-0LOFRNTmxeVZCYQoQR23/2JrhrBQBXIEMUZZ3mlkBjG8wtrgTadtSGc2HA3Y4h+7
-EIHf+FxoyypAojZB/zcAMjhYn35EpgEYStPvh4/0InW3BCwDSayDOZBxxzbCAcMN
-bconVQ++5wULuiE1yLI0nihUDdH37uSxnDDJTC0b9InTbs3p1Q8911D0ziEpdhCB
-X5+7yHMRaBoqYg1/0cCSBfInMN/Lku82nUKCTh2ecIs2/Q8q1BADTah87hvUpLbC
-hRDReZNVAgMBAAECggEBAJAth5Jwzl13dBVNX6On1V4WoI0OavKn6Wl7aBBcNTHI
-b5q4Dypbp51mxCbBco3YBnV0sJIrrkQjly//bTzaoIYxSqlsBJnBhCVCCtZpE5QA
-CfPIOjlfpGAPtgpiJaTcAGWu4Pyf94VpLzdchZ5TdOxGOn8jsnwzjQ9qmnD08mo0
-ZNewToKM4ISA6TXXbBkzWiFOf6aXp95JWMfCIoldV0MfaC69opHKxHLh+M9XxE41
-2NaaUsilQMk9UnGNOuwWTDueuQm6vCOHihfrqentWwl9rZRAcLm7PJ8UFQ5+ea5O
-Jmjb3UGOxk+ASP3pE6jBWATYd6mVljM2Sn+G3m2ks5ECgYEA7GOnIt6tlODQrERo
-LFn0o7nQ0T19ak3ta1tTNQvJzvcnK5uWOJbgtd/YpJfDPcmcdNNXLBa7fVacW1Nf
-n6gv7mBJD3FAgiDLa/CItjlU8udkc9um8hO3xQZBiX5oz0DMhW8GWFKXRpW709iz
-+G1cS6bQhAk3Na2aWpKqSrtbcYcCgYEA299cswIimCqRfzfFX/abtdVaZVyZzvkZ
-sb8Ge0HfhPxXx+8msh+dKiGlb7/8DbZaJKOSQwO14pVHe8HqMRZnO733OgIt5lTt
-5VKEvpLkIGSrUHyjn/9z9dAD7fVw6VRGjWKhEX9GftturerIV9Xt32Px7eV1/hvh
-6PMNzxrJe0MCgYBGbQYNYHQsh7IDsLmshPxajvCEdiJYOnFCa8nlYuaz73RPDKJ7
-p4+4/8CmgMRdMySWtaQh8X/YPqaEmtlBUrU8+piprh7+5dBVDytbxsblO0T1M3qQ
-Yol8fHmoAe4t2OtV0Zb9V1XUZKW53rT3jXVS4Jb8z1YQevEijNGJRDphHwKBgBMU
-W9/wxH292+hVN5xvMu3heLmpAnPSa+dfszlI6xOILjncR9hXI/U+/DMpTr8F3ual
-BxEnpkXmPFDB8AeYcRbfEjAHdmIxZn9q3LgI2SDye2c9mZlNuotPJLgmf0jQFls4
-fs+c4sopUn5nDEGK/9xNuPWy3r1RQBZN2RnqsicvAoGAbALn6koaHXnmgpjxmVrY
-a9OHC1bjxvb5UBq83BvP1D3MBO7pvvOjicLjs4BhZBw2D3hNK1GA3XXtN/q9l1ln
-b+NhE5DwSMdbEJffdAFYmKooiMo2CzO1N+zkFwEybn794/bbc/S+EJIizKeZB7vc
-2FFpgbHZKcqB1fuu1nVbqu8=
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDZBjQmqTqzBmty
+zAFtcrBZBHYMD3bbb3LBKc6NvTXceFWqK25dt1xqhlvLdyTiLltB7vQisOaMuCdc
+5nzWpl9sODzDPZ6FfxjmPu7ST5KbNTTWK9WpWkOh9fdxX8AIa5fNB37ooX66MiN/
+5i7k8tQwHNZuBW59OHOP2khBBxM34EcLgNPHpNwW+TMxtd3/3/HTGyhs2j/22Uwy
+uHtycszUPibYK7fhL6DCBOFvyuiVqH56i5UN6jGu/NBbgf+o6tfBQ5gB89H9ZtZ2
+rLbTchxi63Y2efVemXKaEY+TgL2AfGouXeLQHOP0Eai0qopJCaNVtEMyXl87f769
+KR02BkNlAgMBAAECggEAJWoq4oFpY8TXEF74XgiYO3iH63NdD96qX3/YItp8Zyp9
+xk0fhVufvKO2PqEnRDEuvXK3NyXdUWRMMPlxi0X6jHsziotcgXJUdhlibfKW+VgW
+aFf9SWmM4Ga5xpt1zV3TOV8x82QoJ2yObzXdXs44Y6UNGMGp9z+cuK+upjtUhly8
+R5JpJ4/rrZ+E+n4hsdlQrAVkXDqsMJBofPL6WmN7L8tFLgmRX2kyqYt3gGB5sWTi
+eVJEqTadn+lshhoX5tsxYAAO2l63ksz205KYjYqBXRr23LWTVCbgaNCsEMap0aek
+Y9lxE1ndsMzYAdyIiaa8riCM1w88p2++ZOMEFQlFQQKBgQDxJmIAW/NiT1HwvuDK
+w6kyNocc9Hi+yQQhomGn54YuS/xr2h/fxTa78Go01BOPcMhvjm1G8ZiT8BEswbmb
+wFDv2+d/joI+wRAM4/eLalTyeSxVLPeptrlzoHaiNY16VghZfk5ytAoA5/UxPzzW
+LEMukCyhMraMsvIDg68Xgl7exQKBgQDmY32KvwQRzUpqp5ma9NGUoiOs/tfh7Dxk
+9NbEvSBm8j1tEKGmFMbaLOazosCDAeaqgmFCcTYre0NQrwKzQfNMGJRTCNY2HIbJ
+BGJOj6o72wjBrXORKjt/mXRjjTiAr6MiyqRNRyLqmZYQggxMtYF3e3ejGFbtzz+f
+RegSgJYcIQKBgCLT0UmN/huPqxzi5GJEWdZHq8HRyPJ845zb79CpDmb3UHBfI0VV
+HS+NbDlO+7g2qKv73OpnEAslm8VkASNuZgION2PjuAnKJkBGWEUJSVVvjKiMgwQ+
+wI/jd967b0Bg1nneVQQZ3mv9FBtVr7qaz+UUq21ofpbZbTx2sz3o9TylAoGAMiaS
+G3O9NQrVGiZln3+PZ6Vr0qqe38UG2IsbfTQWK5KroGQwa/C14KRJi+zvrxTo21EK
+TuZJ/mkUnCmcktzWU0g+cVzJFHpdNMDJjYRkcCcb3t0c/QqObRZAabNCC3EwN9CY
+t2G2zg6kxe8pMkGIbzPnNQ+FTLsChG85N13aT0ECgYEA68828IGkExHu4q1GEIKa
+2IN11OkE2g78+8FNo3YwyqKz9nnR057v9qVgWKUOeXWHdcNtcZ1YPxGVWasEUmex
+Ig6XSbLVerrNr2acDliWIHWcSrSO0E/RujGe8uu2Olat8ElE78sLdBImxrcL1X5j
+AdTJGc9r7jdppcD2WtJtYAc=
 -----END PRIVATE KEY-----
diff --git a/pki/test/A-valid.pem b/pki/test/A-valid.pem
index 8de384e470..714f743761 100644
--- a/pki/test/A-valid.pem
+++ b/pki/test/A-valid.pem
@@ -1,49 +1,49 @@
 -----BEGIN CERTIFICATE-----
-MIIDbzCCAlegAwIBAgIBBDANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFJbnRl
-cm1lZGlhdGUgQSBDQTAeFw0yMzAzMjkwOTMyMjdaFw0zMzAzMjYwOTMyMjdaMBYx
+MIIDbzCCAlegAwIBAgIBBTANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFJbnRl
+cm1lZGlhdGUgQSBDQTAeFw0yNDA1MjkxMDQ5MTdaFw0zNDA1MjcxMDQ5MTdaMBYx
 FDASBgNVBAMMC0NlcnRBIFZhbGlkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAuAq8DYAMQ+ZnEcTxO9shZ/riC3tifPA4IR0v+Llhxg3Fgigdj2IZEZAF
-yDpEVdHVsh+i6v/zoNX2jIo6SyLFjL/i0ls4In++qgp/qWvYaEgvy8ZQf1nWDZO5
-92ZPMAqm+im7c4QHLiSm8KfSo8FCNZp92GOtUIyl2h/db3g5rTzy8RYhw/UZA2Nk
-G35TDafeJpY+Hl9R9oh0953ZFnjT/n6R3d2yftresjBtrJk53gUVhui38rdJ5KZ5
-a0OCxVd24VMwmvwH5GcwHWd4OcpvHQ1WoFBE24jqc70PyVfIwHOBhxv5rJkckX31
-1EipneRRjZGJyk7SNibCIi7+BFkt7wIDAQABo4HBMIG+MB8GA1UdIwQYMBaAFM7Y
-hh6heHxkgIe66kMzqMQJHHY+MAwGA1UdEwEB/wQCMAAwPwYDVR0fBDgwNjA0oDKg
-MIYuaHR0cDovL2NlcnRzLm51dHMubmwvSW50ZXJtZWRpYXRlQ0FBTGF0ZXN0LmNy
-bDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgTw
-MB0GA1UdDgQWBBSfOvv2S8oYsJdqxFZaY2AUOMKPvjANBgkqhkiG9w0BAQsFAAOC
-AQEADkKMGRfRvL1pvow8knIc0CByO7CPLTeWLAY0NEooSUrayZ63oIHhdmN3YqxC
-5NCvje2O9+e8Yzt69bmzpUMdZHNu0n3Ofp/QmRAYudxqrsLFfA28ER5Ki5oWCpIU
-NAGGpLf5mH11VJ7lHKfdZTeWpdXc76/jcVx6aCHiH3WkLbIeC78JlYS6EyMpMfVV
-QlgJkQ/G6GdIWv0SMT0JKC7MVMkuuWqq3PzDhuxiqncyPb47E0cS2H+386sYx3Hg
-IZZEdnw/aVoOCsri8+tBjggbVRlY0V9fJ56jEa0NlQFhoFHC0SN96BpoPJTkn3UF
-NwPac8Hv3JTxKo5S0Q3nibGSFA==
+CgKCAQEAzYihuvkp7ysyyQYDyFXCXPEYmMURpZr+uG3y3f95vV0gncZqmo59WbC+
+Cy+ajupMMfuoWsqhQiLf74NBY2ijTm+NW6vTQfiHkINu+AZJGOekqpBaorM74wbJ
+FxoV3YQfnOLWgoftXx2LnKBR5rEbZ8w3iu2bCEBk+x/K9BJtsrt67x3tOzknpd4r
+n09b5qkcqPDHOn5SFl6defAJ0u9kRHp6koFEERAkYBJLQcIA7FY6msjk+o37rDyx
+Ci+X3jnCy0zjYNOYovQALwb+GpXAj1VHMv5B9MI2MhWYAtWia240zF+3VfC8Obmo
+1TRj8SqiD239aMBFxLsmdq3eHLyqMwIDAQABo4HBMIG+MB0GA1UdDgQWBBSjyc/w
+dTwwlDjcQjpp/Utw7meXcjAMBgNVHRMBAf8EAjAAMD8GA1UdHwQ4MDYwNKAyoDCG
+Lmh0dHA6Ly9jZXJ0cy5udXRzLm5sL0ludGVybWVkaWF0ZUNBQUxhdGVzdC5jcmww
+HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIE8DAf
+BgNVHSMEGDAWgBS7dLu9q/pzPWM/6AcoTqy84pf0iTANBgkqhkiG9w0BAQsFAAOC
+AQEASlZ9lcAveCnUGRyEEfd6lcsOG46N/yNEvFAzOykd6ZIZ90O0vDd1TWJNVjVZ
+JmZQ50uTjMi8gIzZVGNBnUsoqkQq8ffscQ56DZeQ13zew1fxDA8IYZVsAfU3aVxs
+O5AxO3oesjpHCmg0d4lWpr/PGuS2DmXEFpW54YJWmITjRAzQ+vlFf2lABXCutsPv
+HYE8BPmDJHhxnlacHTr9f2M593pC5+CLbjF8WmTahQ4l6eMAoIKbOuhDjAj/PDkJ
+4mCWUeLxnKHpWxU1HOdiG19JG0kMeBeTX75eta14pL1q05yYX/nWg/zd7StoN9dg
++YCS18ecPeaL33TvTQf+LMukLg==
 -----END CERTIFICATE-----
 -----BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC4CrwNgAxD5mcR
-xPE72yFn+uILe2J88DghHS/4uWHGDcWCKB2PYhkRkAXIOkRV0dWyH6Lq//Og1faM
-ijpLIsWMv+LSWzgif76qCn+pa9hoSC/LxlB/WdYNk7n3Zk8wCqb6KbtzhAcuJKbw
-p9KjwUI1mn3YY61QjKXaH91veDmtPPLxFiHD9RkDY2QbflMNp94mlj4eX1H2iHT3
-ndkWeNP+fpHd3bJ+2t6yMG2smTneBRWG6Lfyt0nkpnlrQ4LFV3bhUzCa/AfkZzAd
-Z3g5ym8dDVagUETbiOpzvQ/JV8jAc4GHG/msmRyRffXUSKmd5FGNkYnKTtI2JsIi
-Lv4EWS3vAgMBAAECggEATQ1Bei139R2LXWck0DiIHe5toP0BWOmBtmtv4CRNCQxO
-+pUs+xDJCg9QPGoYng2B+FdCcDzElTu/Q0vD6B0gtDLKFePW9qqg+rP2isn6Cn7e
-c+QNY6QK+Bg3LZsJ4EU1b1r1fgFyuCDkO7EngSOyQprxwRzKPQUFkvLwVHDzRNGf
-ozsi+iJ6vXKE4CgDduH0VW+8H4vwvsLrJ4ChJZkuEX5LWZSFIwbZGIQ3gPvKLV9j
-IekQamPKobk5ssWAoSfy58WQdDrHsZq7wIqYMI8biJL8az7qkyKBUvq6a0wP5ZZX
-dSjZVoQ0fY4UDZ2gmdsugyBEFpEleIfcBG3iRd+f0QKBgQDljWC53CcGBnF1CGZs
-IoTKYD2gZ198qUtmQ1lAyxHf+Tc0VqNLtJrun6Y7CIaIORTr3xE3o1j+qSq63ZJ0
-8fuxifqKGBjAwhR1hhwTuHH1V1p07t1EOE1iLeYKByP1ST0lSIuYymrr5YmQlclf
-1nDulUJSPuJCsYnL5NOIAQwunQKBgQDNPwi0C85Aq0aqxZIErFnHGwHQDFnKo+GV
-7lv9IeYR6HbF7vr3+JVTcbaqPe7y3qPDT4omw7tTCXAbEi/WXHf3R1TXdYP7DXnF
-qc1fgx/4uI6dj/qbtC9Eq+k4y03dVxiIEDWEXNHjGm/MpLiXgP3cY6xbjReLTcbi
-56uZp/9C+wKBgQCV17+4Ezl1+Wa+WolhNPcxk7kmp9Pw8CHD01rDrMsyROAATj2y
-AWbRNW2xQ1NuQLSjc60tgHdrZMn7yP79T6hYsBTXZ/tgeFAalzxksxXQbQEjK3lM
-OuRonkV3bknOp8w+NijJx/gbnG4770rQQI7fbpcoUNwpZPLqIajjMqvdEQKBgQCk
-DREI0DLgb8ZBMz/eKmBsC8MsJuMSXGEwNOAj+RdrEvL0jGrfDztUAh0t/+jhCWG9
-9/KFv4cX/QA1Mxk3bpuY89P1j4GZhhDiFDIKeMVySRn9CJsYHzJ04i+87ItlMnty
-LfqIvKQqsPPRj4vX1QuUP7sBRkoeV2Fz9har76LRRwKBgQDMgauB6A379dZXfdd5
-zBbCHwg6na7UNgDJeEwA9gfTD80dYf+9kCuE6cW6DYxUg/mCMKnM91xPB75etvKA
-yj3ALGoWiTDI1ZUZQmRQyF1qJxuUgByjltsVH1kn4R2kltIiXpKbC+7/Zsv2hGgU
-HGys67Azaiu/aQhq7m4v4dSskQ==
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDNiKG6+SnvKzLJ
+BgPIVcJc8RiYxRGlmv64bfLd/3m9XSCdxmqajn1ZsL4LL5qO6kwx+6hayqFCIt/v
+g0FjaKNOb41bq9NB+IeQg274BkkY56SqkFqiszvjBskXGhXdhB+c4taCh+1fHYuc
+oFHmsRtnzDeK7ZsIQGT7H8r0Em2yu3rvHe07OSel3iufT1vmqRyo8Mc6flIWXp15
+8AnS72REenqSgUQRECRgEktBwgDsVjqayOT6jfusPLEKL5feOcLLTONg05ii9AAv
+Bv4alcCPVUcy/kH0wjYyFZgC1aJrbjTMX7dV8Lw5uajVNGPxKqIPbf1owEXEuyZ2
+rd4cvKozAgMBAAECggEAC1hS4RC21VpTk9AOrmS5dUrjmi8qkbMUA1ciVEmxTRgS
+YFMe+EgMOEKuwsxOYjwhl5K2EMjljNKC/OQIXHXeqcozic9aumX/CaWPnwYty7+h
+kb6lGhz9ncL2n51TfqY33n+Q6qSZICpv1eXtj2fQRPL7T+Jcr+BqEoiHOeC4iGiC
+hgAVaD34DjvTBKC5CcQ+qI84pOwoszfTE+E0T47JwD6wQ8Z3wgtAVu6QMpCLA2i/
+KrzzPCfMOWqLaQsf2OYUV1mG2f+tTihk5FpURKzCPx6zsbIT95ZGXg2tt0N0lgJA
+oil9QL2IMUs37y8DVCFVgOhXBcVOQFQTmiJ1roMiJQKBgQDn6uhm+blyeb/UYXmY
+LIzo/grwogdYTWhGAY3SHmiHo5MvRS2JBoi19dLCy9rRMFdeqw2AnfbWmkvAdJjH
+fxk+zHkn4j0+MlotuCGpP5kEdC5IQd0MNJWlDYF5uzUdqmATcdrBwnE8PfPS4YVv
+Uq4W3sOEnbZfXNcxhBcOWBoH5QKBgQDi4FujmeVO5kempUeL22vkEYTESsbByBNx
+ALJP/sEm7oD/5vs76D3gjKXaZlpInMTTIISDmQ7/VgkVaZHMFqqr4LCMAgkChf5p
+/qWY3MEnigM8ey1Vwtia4rDv00YWv8r2VU8uq0FxIn0bPWQeU39LTkH0KvC0k4fS
+rm+en1GYNwKBgQCbTAz1r7GDu409/Uu8H9D3z+2pdwZuFd+GSVIbaqtacKmFlNBK
+Gmr/Va4dLP7I55MJ3Ib9IkoBKG8jX7BSnoRcLfXPREr4VCVYyh0YRXMErXu0fQ41
+Nx0h2ipiRn7p74XIX4w6BSdoTJ/yDXwZsIbM37yTGDzgHL4o9SevPkWoFQKBgFmN
+r/6DB8W+FjhMc1JcWVkcJSkKTyw8mpf3a2syJvIEIP1iIndCM/KH8gukbSzOXM7t
+vgDoEMhvIITIOBm0NMhFl8qcHwxU8djLAHi3YrMFwkNEZ9+7Wp7ArpDr93WRXT8g
+63GDfgB3WaS/9d4WnV+PU29a58qPlYRvAHY/cwi/AoGBANsxNhunezts2neJtnNB
+U7hA4PLGgiXQU6SZB1089KNedTVvtFhPE6d2xhQbqsRdlt8xcta8AbDb8RdtgP43
+fBKGzrB1NjUNiEWyFX+T8BojamjB1SsZbqvJTSwdron1MVgiJqm/6cJmYpvVT182
+bOmksYjXFqg/LbZ10iDh2CYx
 -----END PRIVATE KEY-----
diff --git a/pki/test/B-valid_revoked-CA.pem b/pki/test/B-valid_revoked-CA.pem
index 53c69c9c93..6f928f6bea 100644
--- a/pki/test/B-valid_revoked-CA.pem
+++ b/pki/test/B-valid_revoked-CA.pem
@@ -1,49 +1,49 @@
 -----BEGIN CERTIFICATE-----
-MIIDbzCCAlegAwIBAgIBBzANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFJbnRl
-cm1lZGlhdGUgQiBDQTAeFw0yMzAzMjkwOTMyMjdaFw0zMzAzMjYwOTMyMjdaMBYx
+MIIDbzCCAlegAwIBAgIBCDANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFJbnRl
+cm1lZGlhdGUgQiBDQTAeFw0yNDA1MjkxMDQ5MThaFw0zNDA1MjcxMDQ5MThaMBYx
 FDASBgNVBAMMC0NlcnRCIFZhbGlkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAr8GDOUOS+S1bBoTiHx1svnenRhZppLur7v/8VrJaKiP4+mS2JKMOGDY/
-t6/yLWpdlhdtNabTx6lX6vWwQWZcE3WsUQQa6cIoTD3ZMM5jTdx7o0P+PVm3Cc1w
-eNdgJGZmHLv3qkuDIoM+zuGPvIVbxE2/qH+eSBJjHgc2/MgbhqNz5SDOB5AGbJ6k
-3rSr0g4lh/kr97LEiBp5CzgB/npJNnHn6UN0UJL8o/BXhs9FMn/3k2XvDGqaKe++
-Bq8+6swi4jGQZXE9BdjHh1Bu2gkI0erA4niFC0t1W8VTB/dH9+ezAs0GkcmdhTRp
-08Ko8uskQmimbqM5BrkX1uCzC8F7HwIDAQABo4HBMIG+MB8GA1UdIwQYMBaAFAGI
-z3z+b5a/pH4T2Fhn3PNjxbeqMAwGA1UdEwEB/wQCMAAwPwYDVR0fBDgwNjA0oDKg
-MIYuaHR0cDovL2NlcnRzLm51dHMubmwvSW50ZXJtZWRpYXRlQ0FCTGF0ZXN0LmNy
-bDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgTw
-MB0GA1UdDgQWBBQjd5iy97yowybhl1lylzUWNgFLzTANBgkqhkiG9w0BAQsFAAOC
-AQEAgzwPILTOySQ0pNgEjpRhqwSnUvyjO4cHTLfey89D42nQjKJpONir3puygfiM
-oMn+lLKkxosg7YuADZYGZNVpOJ4rZdFIBtvokxo4zmyk7VH8qNR0mpYBBq5NOBT/
-CUdfOvaJ+SxhDKC8ejhtwcKsL/e95oetFa+02JZrRnltA6OwZCtMQ6WGF7cI18W0
-YYXXNe+VsYNnqnaL77g0d+d96i6F1DNREygCwDeM5fuXMTRBNOZITPiX5h6kTMMW
-ALk9AnUdOetEgAMhZCrYJRdyeDdOr5glYbCacU5h1/4kSNGQyaGEcD7bOFZHOhfJ
-d48i0wMXl+1VLYziJ8qOveOxaw==
+CgKCAQEAmiU5SuDuAaLw5y7FDsVVJW8r5gg7Tpsn1gvibWQa/sugokZeAWE4+psO
+cjwHwFpW3Ff9B+VYZ1gETffrOaVvWDj2Um2kdRbSEzpwh/0mXStZJg7RiO6SsaW9
+/x2nQ1to9kYBUwcvliHg1FZOO6doExvLgs4IdCtMnW1xPZvMo8ShhYEbKKB5mYGY
+cOW0fw4V2XtlyLFRtgpKcspRD3qx/IAplljlGtnlFG8P5H1Ezg3kQneNu/zzTJ5s
+JMKqGEXX5A5NbBM96j/YfU0boUyaYR5UhlMuozqet2wto6s9nxkU0vDru5ZAuwrT
+pXm6VIvzLqjs4nce9eu1N6uhxhyz0wIDAQABo4HBMIG+MB0GA1UdDgQWBBRDbl+m
+ZN2O/RqQV0vmO1B88MuRTDAMBgNVHRMBAf8EAjAAMD8GA1UdHwQ4MDYwNKAyoDCG
+Lmh0dHA6Ly9jZXJ0cy5udXRzLm5sL0ludGVybWVkaWF0ZUNBQkxhdGVzdC5jcmww
+HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIE8DAf
+BgNVHSMEGDAWgBRx4atsoLFyKucLouqlimo9gSSFADANBgkqhkiG9w0BAQsFAAOC
+AQEAKRX300xlmfsxJYEyA5NWlnge+0dbD1C4mKstwiNxJKEU9b5DytugQ6PTaX+G
+vXtE7fLWS8UnUJCjAr/DnahfKM+WWT8gq7uNxI22ueBvBXVwEddHd7EBr1BsHgvb
+qLbOypWNTKqc5ysgFjyDRqQr1cym/buTWtUKj22OgwRHlTniwNUTH3WSljHiHj22
+88jMm/EwVU0FkdztiJvczbFFfNZPdzXK32o7BLFmfSTyATL1PQe5dxiJ5c1vxJMo
+vAqFYSeitHhcey1+FvsEX2qJqo8xDycRNcJEAok3kFphid6uZio+u13udOM8xeQD
+3aGLxxFfjjfUD45rU1SQYpQS0g==
 -----END CERTIFICATE-----
 -----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCvwYM5Q5L5LVsG
-hOIfHWy+d6dGFmmku6vu//xWsloqI/j6ZLYkow4YNj+3r/Ital2WF201ptPHqVfq
-9bBBZlwTdaxRBBrpwihMPdkwzmNN3HujQ/49WbcJzXB412AkZmYcu/eqS4Migz7O
-4Y+8hVvETb+of55IEmMeBzb8yBuGo3PlIM4HkAZsnqTetKvSDiWH+Sv3ssSIGnkL
-OAH+ekk2cefpQ3RQkvyj8FeGz0Uyf/eTZe8Mapop774Grz7qzCLiMZBlcT0F2MeH
-UG7aCQjR6sDieIULS3VbxVMH90f357MCzQaRyZ2FNGnTwqjy6yRCaKZuozkGuRfW
-4LMLwXsfAgMBAAECggEBAJbjQ409/kf+ME+AdcDQujMq9mithTTwCcO98R1dMRtM
-lswg+l6pvcf7iuhgHUHwNzhMFG4jM14OfHQzSYZcImByfeVv6MsW7RHHZ1cHWSnX
-SC36iaKSCxpXTV/xR5D4eGHi3dVNzt8qXhmufIAU3ZvCQ/Cc335wireU6hhKk5cZ
-/5ATD8vbwGyX0PU/c/LjeNykOwYfj4NKIuMq0ytmQZvQhc5Zifkk9Wo94Hh0RvDM
-B6mBJ9CYBIn/POnwx8m0fTx4+A9AhVzj5X7nnj7YBMcGCWfivpziqrYshVOLdDv0
-jyLqFs7bC03JK3zjGGGFJU3Nis9C1PoGfp7S6e1y4oECgYEA5CA3P2/C5KWB0Z4Q
-svnMKK0T86FDwnmF1WGTz6ZdN2p8/o7AqdX3sRYJ1cp2JjDVB05rk56E5ZrxgzN2
-jfAg/IJJF/q7aqR/W3ZY1NVgggGVqzNZDp4K4u8VS7O82Jd2zaNkb8Y0WbDEmmQ4
-NQ4OVtazoe3EEGBb5s5KOgOAyxcCgYEAxTsp1vXzlkrFCjrHPPAs0oWDvitJvtBB
-sUCHcsesK72IXCCaDIhMPcMsvwEV91gRQaJgTpvMWQD67B+P+GJje8Om23WzSgnN
-Tu8E79siTdDm5oTz+L1mGh6KaWPNyFcxHALf5lxo2Ot1Hm6jJOv4w0nE/oxigaln
-4+DLuOmLtTkCgYBw9hLlcq4LEnmKFr8mINObgLjUdxJahlpjIwJSXIrkGfLzCjUU
-5ELWiZctKif/GUcjaw2R93jPST42PZGDD1kGMG2JVjrfv7zgyWWLXm1/ctFuCOsc
-dd3mKYVeCw6EIdxOT444WukpUILKAL5kZyVqkr44fMgNY+meDKBswbdQ2QKBgDCE
-v2QsGQIt3o8Hqp+pDb20LpaHm5qfLKnoD+oCiK4x7+uJ8ZuHpAnFi6ppH/g65/PX
-eA2ecgSrIw8XLJmTyplVpiRyrepWwvTaA8Lli2jNLSAkMMhN/2IJhU8ryCGyoVgc
-tOu8a+aA9czItsWMbyPLb/SWoFz5SZ9bW4JfoYixAoGANICUJlTT7ZEWtlivm4m2
-DYxmO69x+yn+j4F544ZRgVvnCQGP1B1AR60QBQ7OMJ/3i7P+xNaARJ5ZIwlFfEPL
-r5XLWd5y5n229nVdjj7QqbTvxT9TXnqV3+mOvPkgfNdRSTYoiROwVCygTUPRdi7l
-Pqiv2Sv/PoQqhx8HjsBC81E=
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCaJTlK4O4BovDn
+LsUOxVUlbyvmCDtOmyfWC+JtZBr+y6CiRl4BYTj6mw5yPAfAWlbcV/0H5VhnWARN
+9+s5pW9YOPZSbaR1FtITOnCH/SZdK1kmDtGI7pKxpb3/HadDW2j2RgFTBy+WIeDU
+Vk47p2gTG8uCzgh0K0ydbXE9m8yjxKGFgRsooHmZgZhw5bR/DhXZe2XIsVG2Ckpy
+ylEPerH8gCmWWOUa2eUUbw/kfUTODeRCd427/PNMnmwkwqoYRdfkDk1sEz3qP9h9
+TRuhTJphHlSGUy6jOp63bC2jqz2fGRTS8Ou7lkC7CtOlebpUi/MuqOzidx7167U3
+q6HGHLPTAgMBAAECggEALTR4alSvh+xUkL+/C5dkYo+JRLMqTWGkG5oto54Faq6l
+46EWRXpRHvFlGawwK8Fykrj9HBkuxVPjI0hvA99X2XwPBNphrfLs1bXANalQXGdv
+hAE5gtpQS+fK4eu81zyR+hNKpSJI2tMBn9PVqpnsJBp1It2wTf06wTpMyOANcgMt
+/dOtZGzqm0IKh/LBrNSL8vK9uZdAQssPB+zsOMtWj0AAA3TKRRgARlD3DKtTgA+z
+HoIpHpjAMehvK5zo1GBfF/AS5WdHXAtg2+zCMYNu6x73zVwISlsFSwvxikCLLMv0
+U+NyWEFwHOIzwhM6niyOiPDp+6I9U6XxRIFnZ1MjqQKBgQDU7P4r9nmOyu8Dldn9
+F79erDvy/arCMlYKNl0/i7unXEHOHFG8bkiz72jrQ3+Aa4q2pePGcKO24UO0Dzfb
+TI4KxKO1wtGt8L43GmYGF8erEqf4JwjAV1Ed/ySztpxn0fge8o8TFwzhmIWJxPXm
+OfNaVouffcwMdhQ75FBW3XyO6wKBgQC5VBys4A7Vpxqh/TbB+nLLkBJU+OY8Q91b
+se1laBLU6aQ+YVDQfDZwcVmWN+gFMZ6RZOj6F7dRCv9HDu2I8xaxI+33xvT6B37j
+SDOZIhv5wwaFqMWLNx9W6HeUYGSdnSLByOpsqAd/pOrX8vMiBqrV8ua5tZHddGqX
+oP0i2KlEuQKBgQCn6+Oj/jTtpSOMe1C4ZlMZMdHxl5ZkotfyI9+0btnmaj7HctQP
+PBaAOW5QJCJYv/dchkW1ST4Dy3HefiX6AE0BNwU5IlTEzdjlkh8l7Pkd9I+diANB
+1Vr2wjJKvNhqlFAO8BJf5szU2blu5nNbRxahhyGD/ey/YxwgA7ZMW06RUwKBgGcw
+4WKUw03NZLPrtPCfTgnwZ3SuviuyMe/bi26aW1n32f7t2ryrXPiQ9KwC5wr1TPBx
++pM+X1EdyXQ8aKCHkgwCEH+VZVROliVhT3Gln2QbZmdHyO6yO539hI+2eG+WTgMO
+pxDnIn29SxIA8cXxZnAIdtXStqxTJQLWnfwoHV/pAoGBAL4Twu+AaDO55LJG20Fo
+aM/bc2HDA5UKzKm+jfqLLiU+m0kWjwMN7n4YDNzwXVFBj2hBVbTEoDPEbf3LrUXq
+weP/r4p/xAhF75U99tdglrCUJHy+r9Nxzi2hTZAcGlqF3BT5QLO9giIKPVN2z+R3
+HJ0f1RrJiXP5beATZKPQmrS4
 -----END PRIVATE KEY-----
diff --git a/pki/test/C-valid.pem b/pki/test/C-valid.pem
new file mode 100644
index 0000000000..f5a1b6caa7
--- /dev/null
+++ b/pki/test/C-valid.pem
@@ -0,0 +1,49 @@
+-----BEGIN CERTIFICATE-----
+MIIDbzCCAlegAwIBAgIBCTANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFJbnRl
+cm1lZGlhdGUgQyBDQTAeFw0yNDA1MjkxMDQ5MThaFw0zNDA1MjcxMDQ5MThaMBYx
+FDASBgNVBAMMC0NlcnRDIFZhbGlkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAyfYSSzW8Wx+PrRZC37ov8ZzyOnPEmKxoXwxskJwXtGXODm3uKchBMTDi
+D1syEuAe3GGmrbF7RDtko3/OXzuZcq6PyXvNVzch0XhfOAjD6cycmA1iS7RIf16u
+3YuVwUI9C7RCn6zyQjdz/X7ODw4oDLgudhAMUSArNfXqMBxQEVsUUKMSEdd1uDHq
+yxx10MVxnDZjTEOfJogLwwGL1vkFezT2X51JE69sg8/Waq965h2SXTKXUrKDoZHr
+/rpgW3IumKSKQeSMc1cv/CD12TlXjbxoydzsOQ6PUgaO03l0hrKRx7lCQySwvbq8
+NRmXLw/1fbFbOg5hU/aiM5ILi6Y/oQIDAQABo4HBMIG+MB0GA1UdDgQWBBQQfuco
+t6H8JKg2ebjgkHYhxEKK7jAMBgNVHRMBAf8EAjAAMD8GA1UdHwQ4MDYwNKAyoDCG
+Lmh0dHA6Ly9jZXJ0cy5udXRzLm5sL0ludGVybWVkaWF0ZUNBQ0xhdGVzdC5jcmww
+HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIE8DAf
+BgNVHSMEGDAWgBQwfd7312RksoFuwTG9PL16jnF/uTANBgkqhkiG9w0BAQsFAAOC
+AQEAZV469ddsPQ3QNXbpVHLWcvvHEJDegMti+OA+7LIVueEWfUNX7vQOTnxIMx1K
+LQ9+w0UepEcGv8E4goiVk0H9f+oZSj0aD+QIgXLDRWMx4olPwcgUkBMmAFWRdqPz
+TmyMLmskPPzngypCRWm0OgCdW2nhV3nUsNQbmE/5J1a0OuajqaFtDJnCWadBZToA
+jhaF8JGkfBpgtfOs3DPf1yRT+AoQMS8dgQjY8J/CpcpQdl1GzKJ7jeDenqd30Ysu
+b9wjB7Hzdwwd5vRe2H+klz4mwhxtgGrz9a6nDMK6Gb+g2mJmBATRQ2RVa4MG9/GY
+qh8iW9rHrSQW/LHoT1lopMHV3w==
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDJ9hJLNbxbH4+t
+FkLfui/xnPI6c8SYrGhfDGyQnBe0Zc4Obe4pyEExMOIPWzIS4B7cYaatsXtEO2Sj
+f85fO5lyro/Je81XNyHReF84CMPpzJyYDWJLtEh/Xq7di5XBQj0LtEKfrPJCN3P9
+fs4PDigMuC52EAxRICs19eowHFARWxRQoxIR13W4MerLHHXQxXGcNmNMQ58miAvD
+AYvW+QV7NPZfnUkTr2yDz9Zqr3rmHZJdMpdSsoOhkev+umBbci6YpIpB5IxzVy/8
+IPXZOVeNvGjJ3Ow5Do9SBo7TeXSGspHHuUJDJLC9urw1GZcvD/V9sVs6DmFT9qIz
+kguLpj+hAgMBAAECggEAAYib1PRggh9NkQE/8BZS3OErObm9VBzNt225uVNmHq7o
+j1V9tIAvy+F/e0xe/KO1DZ60NvzHtISa8V7mwJ8MPZcJF9JChJdc62FK9SWj5Izy
+4iNf4WFKF6WEFcHvQ4YZk+gs2qzj3hAxEktkjIViqni6Pu1E8AIa3JBfKeRdJfST
++9jMXB0SI8oAUy3WoQiIADJRGBdXpSv30eaOGoe6+GIjPrEzBGA2AVI4xMLGrGDm
+m8eI34VBCnSuVyZfWwsG9hXdqmGJXZTnKyzIIcODQjfK7Ws3Azkvo02ZcW0nFP98
+mAVDgeY3Ufx10Vt55PaS9rsqTekVyBGJhQ0SjEngAQKBgQDkN6xS3hM8aeWXgBRU
+MxN5hUNslNJ2+lfCok4R2nliU6W4O9zsc9iT2DyRbXSWByu+t04W/48gKi3eZ+K5
+kw+WUlczG/vHjtXdS3A/1W6XGr6oCKQdcOxtgcID9fY/pcPZVOcDPV7nDNeORIcp
+osIUUUI2Miu5f5Xv+JbbFDxtAQKBgQDijCFV94gUgzV2LfhImt6Ibutw7x2d4Jlm
+LFbh2fKbCX9Q6sR0gV9PORcU0OIFtoaqqROpcstPCiNX6928WGROqExwkdRSzmtV
+DPcGqqP9HZMGmr14/o698I2L4X4k2s9hbOSqGwFYazac+P5+eABqBMJJr40Uoc1y
+UEgKjtuyoQKBgDNl9oGTUnHAx9yfE/UCq9gqk0zZF62EJE/JjhunQL9MZ35evRrj
+3Fsv0DRQmnlPlCKX1haH6Awuc7YrX3y8Cj6ovMrd+o6vNKtqWhWGVCnj9ByUFaIr
+1JO1LaUGuDcNdlZ0MLMiF0WiNsnr1SUjauJ4ipj6I67bdUFek1sz64gBAoGALMMN
+TyQSgiMOrCQXG5lmAMURxgWo72nSRWrbW9KpadKtkjpgyLhLMacRFW7USdavswan
+OOLSovJY22ViMXWxlA0S1Wcq8ZWRhYODR5Dtx/RQ+YwXhdGeOI9QGGRcfUGymghf
+AfFGCcddShS0jB5/znLURKToFjyGEGEmatehNyECgYEAlvBwniZHFDuL834Z4ncw
+O7q1TYfb8msJIantXKj8mMhIeiMGxacz4INxeKzYLriswzyTekMtLBmoGtHIKCzY
+hxVh5Y3xTK1tSGBXFe4CO1w+4RxzrTD4orNEOcLRZzRn0hQXWDhmT5SNJM2c7IPz
+u+PxL/QocZkg2jN27S8PSd8=
+-----END PRIVATE KEY-----
diff --git a/pki/test/IntermediateCAALatest.crl b/pki/test/IntermediateCAALatest.crl
index c3a97d0a98..a63b373566 100644
Binary files a/pki/test/IntermediateCAALatest.crl and b/pki/test/IntermediateCAALatest.crl differ
diff --git a/pki/test/IntermediateCABLatest.crl b/pki/test/IntermediateCABLatest.crl
index 6371895c51..6b68eb7aa9 100644
Binary files a/pki/test/IntermediateCABLatest.crl and b/pki/test/IntermediateCABLatest.crl differ
diff --git a/pki/test/IntermediateCACLatest.crl b/pki/test/IntermediateCACLatest.crl
new file mode 100644
index 0000000000..0dfa4d2fda
Binary files /dev/null and b/pki/test/IntermediateCACLatest.crl differ
diff --git a/pki/test/README.md b/pki/test/README.md
index 9f6bbcd130..58d610ef02 100644
--- a/pki/test/README.md
+++ b/pki/test/README.md
@@ -1,6 +1,7 @@
 
 # Generate chain
 `sh generate.sh` creates the trust chain using the configuration in `openssl.conf`. 
+Set your machine time 1+ hours in the past to ensure Intermediate C's CRL is expired immediately.
 
 All sub/intermediate CAs use the same config and therefore same certificate administration. 
 Revocations are currently only generated correctly because of the order of revocation and CRL generation.
@@ -44,30 +45,43 @@ Intermediate B CA
 - Issues: CertB Valid
 - File: truststore.pem
 
-CertA Valid
+Intermediate C CA
 - serial: 04
 - status: valid
+- CRL: IntermediateCACLatest.crl that expires after 1 hour
+- Issues: CertC Valid
+- File: truststore.pem
+
+CertA Valid
+- serial: 05
+- status: valid
 - File: A-valid.pem
 
 CertA Revoked
-- serial: 05
+- serial: 06
 - status: revoked
 - File: A-revoked.pem
 
 CertA Expired
-- serial: 06
+- serial: 07
 - status: expired
 - File: A-expired.pem
 
 CertB Valid
-- serial: 07
+- serial: 08
 - status: valid (but CA is revoked)
 - File: B-valid_revoked-CA.pem
+
+CertC Valid
+- serial: 09
+- status: valid (but CRL is expired)
+- File: C-valid.pem
 ```
 
 `truststore.pem` contains in order:
 - `Intermediate A CA`
 - `Intermediate B CA`
+- `Intermediate C CA`
 - `Root CA`
 
 It also creates `truststore_withPKIOverheid.pem` that appends the following files
diff --git a/pki/test/RootCALatest.crl b/pki/test/RootCALatest.crl
index 4204793727..c36fae43aa 100644
Binary files a/pki/test/RootCALatest.crl and b/pki/test/RootCALatest.crl differ
diff --git a/pki/test/generate.sh b/pki/test/generate.sh
index ec59b9c629..37fc78b34d 100644
--- a/pki/test/generate.sh
+++ b/pki/test/generate.sh
@@ -48,26 +48,33 @@ openssl req -new \
     -out intB-ca.csr \
     -keyout private/intB-ca.key
 
-# sign 02,03
+# serial 04 - Root-IntC
+openssl req -new \
+    -subj "/CN=Intermediate C CA" \
+    -config root-ca.conf \
+    -out intC-ca.csr \
+    -keyout private/intC-ca.key
+
+# sign 02,03,04
 openssl ca -notext -batch \
     -config root-ca.conf \
     -extensions sub_ca_ext \
-    -infiles intA-ca.csr intB-ca.csr > int-ca.crt
+    -infiles intA-ca.csr intB-ca.csr intC-ca.csr > int-ca.crt
 
 ## Generate Leaf Certs
-# serial 04 - Root-IntA-Valid
+# serial 05 - Root-IntA-Valid
 openssl req -new \
     -subj "/CN=CertA Valid" \
     -config root-ca.conf \
     -out leafA1.csr \
     -keyout private/leafA1.key
-# serial 05 - Root-IntA-Revoked
+# serial 06 - Root-IntA-Revoked
 openssl req -new \
     -subj "/CN=CertA Revoked" \
     -config root-ca.conf \
     -out leafA2.csr \
     -keyout private/leafA2.key
-# sign 04,05 (writes to db/indexSub that is used for the sub-ca CRLs)
+# sign 05,06 (writes to db/indexSub that is used for the sub-ca CRLs)
 openssl ca -notext -batch \
     -name sub-ca \
     -config root-ca.conf \
@@ -76,13 +83,13 @@ openssl ca -notext -batch \
     -outdir certs \
     -infiles leafA1.csr leafA2.csr > /dev/null
 
-# serial 06 - Root-IntA-Expired
+# serial 07 - Root-IntA-Expired
 openssl req -new \
     -subj "/CN=CertA Expired" \
     -config root-ca.conf \
     -out leafA3.csr \
     -keyout private/leafA3.key
-# sign 06
+# sign 07
 openssl ca -notext -batch \
     -name sub-ca \
     -days 1 \
@@ -93,7 +100,7 @@ openssl ca -notext -batch \
     -infiles leafA3.csr > /dev/null
 
 
-# serial 07 - Root-IntB-Valid
+# serial 08 - Root-IntB-Valid
 openssl req -new \
     -subj "/CN=CertB Valid" \
     -config root-ca.conf \
@@ -108,8 +115,32 @@ openssl ca \
     -notext -batch \
     -in leafB1.csr  > /dev/null
 
+# serial 09 - Root-IntC-Valid
+openssl req -new \
+    -subj "/CN=CertC Valid" \
+    -config root-ca.conf \
+    -out leafC1.csr \
+    -keyout private/leafC1.key
+openssl ca \
+    -name sub-ca \
+    -config root-ca.conf \
+    -keyfile private/intC-ca.key -cert certs/04.pem \
+    -extensions intC_ext \
+    -outdir certs \
+    -notext -batch \
+    -in leafC1.csr  > /dev/null
 
 ## Generate CRLs
+# generate CLR for Intermediate C
+#################################################################################################
+# set machine time to 1+ hours in the past to immediately produce an expired CRL, or wait an hour
+#################################################################################################
+openssl ca -gencrl \
+    -name sub-ca-expired-crl \
+    -keyfile private/intC-ca.key -cert certs/04.pem \
+    -config root-ca.conf \
+    -out intC.crl
+
 # generate empty CRL for Intermediate B
 openssl ca -gencrl \
     -name sub-ca \
@@ -117,12 +148,12 @@ openssl ca -gencrl \
     -keyfile private/intB-ca.key -cert certs/03.pem \
     -out intB.crl
 
-# revoke 05 and generate CRL for Intermediate A
+# revoke 06 and generate CRL for Intermediate A
 openssl ca \
     -name sub-ca \
     -config root-ca.conf \
     -keyfile private/intA-ca.key -cert certs/02.pem \
-    -revoke certs/05.pem \
+    -revoke certs/06.pem \
     -crl_reason keyCompromise
 openssl ca -gencrl \
     -name sub-ca \
@@ -144,10 +175,11 @@ openssl ca -gencrl \
 popd
 cat gen-crl-data/int-ca.crt gen-crl-data/root-ca.crt > truststore.pem
 cat truststore.pem pkioverheid-server-bundle.pem > truststore_withPKIOverheid.pem
-cat gen-crl-data/certs/04.pem gen-crl-data/private/leafA1.key > A-valid.pem
-cat gen-crl-data/certs/05.pem gen-crl-data/private/leafA2.key > A-revoked.pem
-cat gen-crl-data/certs/06.pem gen-crl-data/private/leafA3.key > A-expired.pem
-cat gen-crl-data/certs/07.pem gen-crl-data/private/leafB1.key > B-valid_revoked-CA.pem
+cat gen-crl-data/certs/05.pem gen-crl-data/private/leafA1.key > A-valid.pem
+cat gen-crl-data/certs/06.pem gen-crl-data/private/leafA2.key > A-revoked.pem
+cat gen-crl-data/certs/07.pem gen-crl-data/private/leafA3.key > A-expired.pem
+cat gen-crl-data/certs/08.pem gen-crl-data/private/leafB1.key > B-valid_revoked-CA.pem
+cat gen-crl-data/certs/09.pem gen-crl-data/private/leafC1.key > C-valid.pem
 
 openssl crl \
     -inform pem -in gen-crl-data/root-ca.crl \
@@ -161,4 +193,8 @@ openssl crl \
     -inform pem -in gen-crl-data/intB.crl \
     -outform der -out IntermediateCABLatest.crl
 
+openssl crl \
+    -inform pem -in gen-crl-data/intC.crl \
+    -outform der -out IntermediateCACLatest.crl
+
 rm -r gen-crl-data
diff --git a/pki/test/openssl.conf b/pki/test/openssl.conf
index 07ad6ade8a..28b1c06d73 100644
--- a/pki/test/openssl.conf
+++ b/pki/test/openssl.conf
@@ -36,6 +36,19 @@ default_crl_days        = 3650
 default_md              = sha256
 policy                  = policy_default
 
+[sub-ca-expired-crl]
+home                    = .
+database                = $home/db/indexSub
+serial                  = $home/db/serial
+crlnumber               = $home/db/crlnumber
+new_certs_dir           = $home/certs
+unique_subject          = yes
+copy_extensions         = copy
+default_days            = 3650
+default_crl_hours       = 1
+default_md              = sha256
+policy                  = policy_default
+
 [policy_default]
 commonName              = supplied
 countryName             = optional
@@ -81,6 +94,14 @@ extendedKeyUsage        = clientAuth,serverAuth
 keyUsage                = critical,digitalSignature,keyEncipherment,nonRepudiation,dataEncipherment
 subjectKeyIdentifier    = hash
 
+[intC_ext]
+authorityKeyIdentifier  = keyid:always
+basicConstraints        = critical,CA:false
+crlDistributionPoints   = @crl_intC
+extendedKeyUsage        = clientAuth,serverAuth
+keyUsage                = critical,digitalSignature,keyEncipherment,nonRepudiation,dataEncipherment
+subjectKeyIdentifier    = hash
+
 [crl_info]
 URI.0                   = http://certs.nuts.nl/RootCALatest.crl
 
@@ -88,4 +109,7 @@ URI.0                   = http://certs.nuts.nl/RootCALatest.crl
 URI.0                   = http://certs.nuts.nl/IntermediateCAALatest.crl
 
 [crl_intB]
-URI.0                   = http://certs.nuts.nl/IntermediateCABLatest.crl
\ No newline at end of file
+URI.0                   = http://certs.nuts.nl/IntermediateCABLatest.crl
+
+[crl_intC]
+URI.0                   = http://certs.nuts.nl/IntermediateCACLatest.crl
\ No newline at end of file
diff --git a/pki/test/truststore.pem b/pki/test/truststore.pem
index 18e7d61c41..0bebdf2dfc 100644
--- a/pki/test/truststore.pem
+++ b/pki/test/truststore.pem
@@ -1,64 +1,86 @@
 -----BEGIN CERTIFICATE-----
 MIIDjzCCAnegAwIBAgIBAjANBgkqhkiG9w0BAQsFADA5MRAwDgYDVQQDDAdSb290
-IENBMQswCQYDVQQGEwJOTDEYMBYGA1UECgwPTnV0cyBGb3VuZGF0aW9uMB4XDTIz
-MDMyOTA5MzIyN1oXDTMzMDMyNjA5MzIyN1owHDEaMBgGA1UEAwwRSW50ZXJtZWRp
-YXRlIEEgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyKjnq4iww
-coSGDKbM6D86eWG7BzMjPynwMTVdDiQKaHn/SZ2yys86z2ICNwPp+h1FHx/ABLko
-qpEuDg7hkcy6Z1HVaXfK5tTCs1V7h6hkueuPCPeQFTu341S0XWghE+iGagZgNY6j
-kL2H07mRMvZp1Y+6azJnCfn2DLa+fviXN3bA+2rE8BJBqPx4QbvnSdBTC56g6PJ8
-iUlL4xx/+8X2J20TeRPqTCZphcgDsvc3L22r+bTpmLJEh20DlSoZ4YHvaAJfXhwB
-addylz99MFV+5hc7HYWcMkZy8IjyI9eFY/epG/3L61bTVq2B+rKV5RXR7l9g+X6s
-gKHNYTmAcjPRAgMBAAGjgb4wgbswHwYDVR0jBBgwFoAUugOOjnBD1aID7WoezmSH
-jYJ1t+8wEgYDVR0TAQH/BAgwBgEB/wIBADA2BgNVHR8ELzAtMCugKaAnhiVodHRw
-Oi8vY2VydHMubnV0cy5ubC9Sb290Q0FMYXRlc3QuY3JsMB0GA1UdJQQWMBQGCCsG
-AQUFBwMCBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFM7Yhh6h
-eHxkgIe66kMzqMQJHHY+MA0GCSqGSIb3DQEBCwUAA4IBAQCfnKMA2DhxtWox+rKr
-u1t/UTQfhL8oY//kcJSU6gZ7mNeBcUy/l19ghEoLW8FCoGlsYSVKRGeFs1bxsVSC
-8My8xzQwJAuW+IyzOwpsZfomGDQGRtK+BeTZzghwP5Zuyy9oqDK2TtiOKvJETGG4
-wopMcfmqe8R3LhmiGACU24yBqbgIl5Q9arq5Fl2a1HmbzG48yTbQB2RZRvOjR1xE
-pG/seDdDncJWLlAdZ3DRsa/qgRX9zroNKdv/WLxZ4KO8El2voTJ5c2zQUhJCA/W5
-2xDWxJyr7WEBvDgjAvSwdvgTnjAmtaUwBU22hPRmZ4pgOzRkN+pkjAgedZ69dtms
-/wdX
+IENBMQswCQYDVQQGEwJOTDEYMBYGA1UECgwPTnV0cyBGb3VuZGF0aW9uMB4XDTI0
+MDUyOTEwNDkxN1oXDTM0MDUyNzEwNDkxN1owHDEaMBgGA1UEAwwRSW50ZXJtZWRp
+YXRlIEEgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtwHPYpYxq
+nFbS/HSvszvMUcY1ju3DIeOOGswRBKAQC9JmIkYjAgAXeMRRNXbEsR9CZq2YtmHT
+c+fQ+vIVJqkvIzlX1jUT5Jx7WjOOBHKegsK2mg7YflXC5Wd90vnzMmyZrT6nGxVR
+rUj0UTsopqcZ1guKOAk+XntD5MFPwHyoYFagYL+qoy4q6gDbeePQyb3DQ5SSB/8T
+TlhPQEcu2cJudS+9CiSFsQvHVhkHMxJ+gEgY3a10Vb1Elobh3iVuD3d2ddM6bRvw
+HwrdxAJr8KDOAr3VQGbV4kRBFjRFM/Mf7HwlUg8VGVWrpVUOrFTBE0pkNMsVoNah
+uC1zlCS2vSHvAgMBAAGjgb4wgbswHQYDVR0OBBYEFLt0u72r+nM9Yz/oByhOrLzi
+l/SJMBIGA1UdEwEB/wQIMAYBAf8CAQAwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDov
+L2NlcnRzLm51dHMubmwvUm9vdENBTGF0ZXN0LmNybDAdBgNVHSUEFjAUBggrBgEF
+BQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgEGMB8GA1UdIwQYMBaAFGKIafsg
+yWVPCcSc1uxT5GUEjLnjMA0GCSqGSIb3DQEBCwUAA4IBAQAlsnuIKvekE0L0DrkL
+KNFM+djDr3AwOKrjpOIK2F/TB/YAJlE1PRCjFSjGXUkQ74R504CQ7fsL63j9OH9M
+UQD4zsTzCvaMtfziRKv+r33d7fiN0IE24gJLyIymPGvGEt/ftaNoHSUxxmE1sBmQ
+dnIE+2aMZSrGq5UBlBo5RHHqgpclPejZRrCJ7x9XbbMexnq+KZ9sLpF4BI5XdXre
+i5OP/KgKc4ho0GAnEwcc8OeTM6x5XJePHwcCfWV9o0ZHLMWoJMTDJdMcarkwAW8X
+XAmK6FOGZz6iC1bj0Y1hd0JIiRqWXXsIKZp+b0+3I++F+ryiDAZdfN5w2HRBO9pe
+qYYI
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIDjzCCAnegAwIBAgIBAzANBgkqhkiG9w0BAQsFADA5MRAwDgYDVQQDDAdSb290
-IENBMQswCQYDVQQGEwJOTDEYMBYGA1UECgwPTnV0cyBGb3VuZGF0aW9uMB4XDTIz
-MDMyOTA5MzIyN1oXDTMzMDMyNjA5MzIyN1owHDEaMBgGA1UEAwwRSW50ZXJtZWRp
-YXRlIEIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHeTQ1m9Wv
-h3I7eum9n//0GGwpcrKcWu5Gr4LqudyIYJ9m6xDqDNwK/SyI2d3UhsZbafvcI9hF
-rnmjH7Tv00lgIIEkxwgx5HOdTWwStYjyIFREyJztE7e5FfON8kpN8k4UTQ5Ybwvc
-BZvXzCnjBgnP3qeIqUPrRwKmmiEn0bFzC/EMBk/dnGPuXoD7RkL61AU+0DjIdyZK
-i4eC6tzEGSNwU9yJxGbhgObDUU4z10k31Is3zRbtO8SO0dEsHJR3mjvXG4pKj/52
-ZMG0kRpBL/J8qHOdXeTB5eAXnnZZPjGJ+4vXhND3Qt3G156ULrh3VYZlqmfrgats
-Mur2/xYhat6DAgMBAAGjgb4wgbswHwYDVR0jBBgwFoAUugOOjnBD1aID7WoezmSH
-jYJ1t+8wEgYDVR0TAQH/BAgwBgEB/wIBADA2BgNVHR8ELzAtMCugKaAnhiVodHRw
-Oi8vY2VydHMubnV0cy5ubC9Sb290Q0FMYXRlc3QuY3JsMB0GA1UdJQQWMBQGCCsG
-AQUFBwMCBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFAGIz3z+
-b5a/pH4T2Fhn3PNjxbeqMA0GCSqGSIb3DQEBCwUAA4IBAQA4YZCNnlKNzF86B235
-B5BVbZ2nlAmGFv6tH5U/Gyh480ABjpxLzO51DaqUEH8GR9dTlGGPEFORykahcrtu
-z1A6DUkyQAW9WxCRmhIWPF9M+/CyKzJYdcHutENy8g1qbd6sjlkzWt79F1ofr2ti
-uexlnKViyI3GBIUEh5lrcupxAzbCyxjYy3SW7gmljxyxeAaHgEVdlmzLpINomgpB
-eWuCE4t7yD9a/m1upVhYaMLanPJXQhcYHQzGMkZz9kBy/RfCjSQPUI2GNz1jMsuc
-xeZyPVWs+XIBSu5KUmgoR+4YVHushHNYi0mWPue6HTJ2VZV5WnSp0tjsE+62vyXj
-BCzo
+IENBMQswCQYDVQQGEwJOTDEYMBYGA1UECgwPTnV0cyBGb3VuZGF0aW9uMB4XDTI0
+MDUyOTEwNDkxN1oXDTM0MDUyNzEwNDkxN1owHDEaMBgGA1UEAwwRSW50ZXJtZWRp
+YXRlIEIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCy971S5RT3
+2SL0MsQnb+90Ja/PHvUyKLOIjmL5VabDw/wmw044H90xdoYaDPWItf0GfIVyEtLX
+u1PAznsb28JiFbF4DAA335a1DBu94EEE3gd7G48QN5drbHxkTgtrF2E9MKz3XXtQ
+RpsnP39JA6msCPaTbRi1NKUPlHM/DELoZflxweV1dBiDrg3qqmsPGAgtG4K7cZfD
+mDqsoIpMNj41WBtGQEvS0tyolgFqu++pYmr20kus7ksma+V7PXic/8wJzZk9GizD
+d4NETz2+01hsCmmhb1AQxA44jOvHZ3teP43b5YaYBeXjsI5NRfCekm5LQFqP+7fe
+XjFE8+eCpy2vAgMBAAGjgb4wgbswHQYDVR0OBBYEFHHhq2ygsXIq5wui6qWKaj2B
+JIUAMBIGA1UdEwEB/wQIMAYBAf8CAQAwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDov
+L2NlcnRzLm51dHMubmwvUm9vdENBTGF0ZXN0LmNybDAdBgNVHSUEFjAUBggrBgEF
+BQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgEGMB8GA1UdIwQYMBaAFGKIafsg
+yWVPCcSc1uxT5GUEjLnjMA0GCSqGSIb3DQEBCwUAA4IBAQCWq8eq3zc89GYPOShL
+3ucwoDzHJ5/giytPYz1hx5ZmypD0SZvjP/j3KTqLMImylB6SA1fhgkVYtFMxriph
+MUiBUMe+l5IllFjqItJrpQEjaVrVDWN0WGwmArchim1os0bRPaI1lejZhv5/ME4T
+At1WUrv0U4EzllkcDEdra47QbWXDxtGY3fA3QtybfVg2zOVAx7fcJ2lso/hURuN+
+FaGtBOuksVsDdP0CNZRz2jcxGBBqA8Bi3J5SDA016FdumE9Ej1JaH3H9v951u1AU
+qDa2xjvOEslhNxU2Z34Mc7MJ0Elcfs5Tuyvu/J9Vf7ZISLogfEH/vCMzJOyESWCn
+bNvj
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDjzCCAnegAwIBAgIBBDANBgkqhkiG9w0BAQsFADA5MRAwDgYDVQQDDAdSb290
+IENBMQswCQYDVQQGEwJOTDEYMBYGA1UECgwPTnV0cyBGb3VuZGF0aW9uMB4XDTI0
+MDUyOTEwNDkxN1oXDTM0MDUyNzEwNDkxN1owHDEaMBgGA1UEAwwRSW50ZXJtZWRp
+YXRlIEMgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsv3oiCXkZ
+dpgbzqUA27Va4ROBlPbMntPp9ANaPhgcp33SbPTe3oNgePfiBLprmhWzK/u9RbB3
+reuJdLlp+3Ta6wzQD0VY+pOQ4cq8uZTjBAqAZDwpBop1d5DVOvi3hE4VnFecOJnS
+tq2qRnnU2JDNlFsYKAOSdR06xMAAL8wSzwGELeGdY7LGNsilmzTSKYJsOUw2Cs5L
+Y3hgxL9Z70jkFQ0HYEbK+fQ3b17yqQ4pu2Rv8gPRWT0H9ii9dRjNB4V6HAoL3SWa
+rag+fXo8mSvuYOreOCU99NF6MJQyFcLq2BHeH069XsmSKj6Sx3PbD7nOma3UnA7j
+jqn1uzs/CuqRAgMBAAGjgb4wgbswHQYDVR0OBBYEFDB93vfXZGSygW7BMb08vXqO
+cX+5MBIGA1UdEwEB/wQIMAYBAf8CAQAwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDov
+L2NlcnRzLm51dHMubmwvUm9vdENBTGF0ZXN0LmNybDAdBgNVHSUEFjAUBggrBgEF
+BQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgEGMB8GA1UdIwQYMBaAFGKIafsg
+yWVPCcSc1uxT5GUEjLnjMA0GCSqGSIb3DQEBCwUAA4IBAQCP9g8tI6Xi6Dp25VxJ
+vK8FGPW48+HMZR70IC/TPCw8QJsZHHT1aez2La18f+C7JMV/HBjXVSsrL83hfS4Z
+VKWduaoKbyhDmzbuZwlGFL3Seh0jbObIG+3gsGFtdtOIjyg85+8A8yR2cWwYHer8
+eryK8Zda/64pK624Aln+IR187daN+S2HAquK/BXtbgqiqOXEzTYn5vUbiEAdo4Sc
+Z5qdDbUs0HK9HOLbQuxVbiTHjlvehsTrQ9owuu9Te2eDUUmF5d0SNNmIo9O0Z1+o
++oIqtxYtwMk7igJdedomIS61eK4tzVMpSHffqkodXEv20dmKrPOYDK5Sc0Ex8twu
+PmXE
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIDLzCCAhegAwIBAgIBATANBgkqhkiG9w0BAQsFADA5MRAwDgYDVQQDDAdSb290
-IENBMQswCQYDVQQGEwJOTDEYMBYGA1UECgwPTnV0cyBGb3VuZGF0aW9uMB4XDTIz
-MDMyOTA5MzIyNloXDTMzMDMyNjA5MzIyNlowOTEQMA4GA1UEAwwHUm9vdCBDQTEL
+IENBMQswCQYDVQQGEwJOTDEYMBYGA1UECgwPTnV0cyBGb3VuZGF0aW9uMB4XDTI0
+MDUyOTEwNDkxN1oXDTM0MDUyNzEwNDkxN1owOTEQMA4GA1UEAwwHUm9vdCBDQTEL
 MAkGA1UEBhMCTkwxGDAWBgNVBAoMD051dHMgRm91bmRhdGlvbjCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBALmMCqmptZFO/Ff4AwVkkYHOPEzNCSLzIurR
-BazmX0xjGEdWL6ekDKfepIZc83X5qwaOAntD6a2Nk7m0c/rDh8gHkNtmZoik06iL
-hpmBp4LCZ+FL8fm1hY02ZtefiZePTxr4QxR+fbjF/f6T/H00A8///cXvBxcdPF/w
-taxIManevvfC5N1eTCGvNqm14XI2A0Jd8z/cvvyerKZqkQUk/0V9Rn8YdEpG7FYb
-moRABPpvvKrZnSVBM2GFVLeESDOzQ32fcBbokuBaEM87JCu0UO9qejVWDi/43yz4
-U+8f28MYuunk2WjXWR2Vxfh1XpcxtykR7LuWaAf5nSafmGgjBpMCAwEAAaNCMEAw
-DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFLoDjo5w
-Q9WiA+1qHs5kh42CdbfvMA0GCSqGSIb3DQEBCwUAA4IBAQAgjvIAp29UuyEwySP3
-27rpGTS8WMpLRdOC7S1jK1YR1kSGhVB25AH/iR0MYJgdGABeAGjycj0T7f330JHs
-2S/Cg5JKvgxIq9E+rTnxP5cZX6q3+iH22LnOlcrylUWDrgq5s9fzkU5m2d/VKUEb
-QoDFZgApdQgDauKsADaQE5D2/DO4o4XHGiVx07IeX7iv4go15TU0ru5dWcl9IdjT
-WAJjYWFWuz+vgdbDi00Z/E16YeckQkWq3muHSkp5OcKCyqY8NPMsS8QrxrTwTyvm
-RV6ad6/Z7DIYyfUvqKzR5b98LN1gGDTZMKbCDC14Y5id2GAeJagyZniskeriO0/K
-Fd7D
+hvcNAQEBBQADggEPADCCAQoCggEBAK77t2lQ3/OY1Xih7On8l5URBe721aIKO3zE
+lASEbJdVmcQ+TvjT39XW9GNNgKhlJlLgDeaNrvmu5sPDux5KUGBRAbEdnGlUXCQP
+lsTVAqAYOXgpIO+MvpcaSESiGqrFilw43E9AsJGb0iS/IC+AzZEocLPPIHfGChUs
+bZIxVhBrdo3Zro14K2Vlvp/LWiE4zXr3MqDIKQ1A0URijWY5orqthmOO1E9nc7Th
+gNdU4Yx19f304IQl+6i9mOfnGfqcp2JemzTLrxeXL/HIoN/4aK8gc11xXRBJwcd1
+B6WtsOfv80Xu7Rkyh5XX1goeQ5eLYEkdc+WdRIJD4pLtyPrWTCMCAwEAAaNCMEAw
+DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFGKIafsg
+yWVPCcSc1uxT5GUEjLnjMA0GCSqGSIb3DQEBCwUAA4IBAQBAqPlRDJ0/V05W37fg
+8FO276uybikjKlY+2LpGwuieoGL/GG4udKk3Q7itOmI2vAddAq/SL7x5tj8SuWvX
+xV0Kh7/goyWxZGSRG4YopP/Yxpl2tujmJ1wxyCZjp5ITFh5b3lbVuxEPUZICM3go
+RDjFQlPl/jWWNokk749phNH4e5xFhpalzFPNhp2JhNHxnwjwL7aYP8KjBNddSyXM
+0jY8ISK+f0PQTk0VsMe2DwwHDITRWJ8NBIv6gx3HrAPm4kQif+8Kd3gLX6SmH1cf
+GoPHrghJ8FVAsmrCyBcIBFpzuPl2aNhnSDar0zSrMWEBPqB+2frGHcfC7wFUEoR+
+SJVQ
 -----END CERTIFICATE-----
diff --git a/pki/test/truststore_withPKIOverheid.pem b/pki/test/truststore_withPKIOverheid.pem
index 2c9ffcf63a..447b03c85f 100644
--- a/pki/test/truststore_withPKIOverheid.pem
+++ b/pki/test/truststore_withPKIOverheid.pem
@@ -1,66 +1,88 @@
 -----BEGIN CERTIFICATE-----
 MIIDjzCCAnegAwIBAgIBAjANBgkqhkiG9w0BAQsFADA5MRAwDgYDVQQDDAdSb290
-IENBMQswCQYDVQQGEwJOTDEYMBYGA1UECgwPTnV0cyBGb3VuZGF0aW9uMB4XDTIz
-MDMyOTA5MzIyN1oXDTMzMDMyNjA5MzIyN1owHDEaMBgGA1UEAwwRSW50ZXJtZWRp
-YXRlIEEgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyKjnq4iww
-coSGDKbM6D86eWG7BzMjPynwMTVdDiQKaHn/SZ2yys86z2ICNwPp+h1FHx/ABLko
-qpEuDg7hkcy6Z1HVaXfK5tTCs1V7h6hkueuPCPeQFTu341S0XWghE+iGagZgNY6j
-kL2H07mRMvZp1Y+6azJnCfn2DLa+fviXN3bA+2rE8BJBqPx4QbvnSdBTC56g6PJ8
-iUlL4xx/+8X2J20TeRPqTCZphcgDsvc3L22r+bTpmLJEh20DlSoZ4YHvaAJfXhwB
-addylz99MFV+5hc7HYWcMkZy8IjyI9eFY/epG/3L61bTVq2B+rKV5RXR7l9g+X6s
-gKHNYTmAcjPRAgMBAAGjgb4wgbswHwYDVR0jBBgwFoAUugOOjnBD1aID7WoezmSH
-jYJ1t+8wEgYDVR0TAQH/BAgwBgEB/wIBADA2BgNVHR8ELzAtMCugKaAnhiVodHRw
-Oi8vY2VydHMubnV0cy5ubC9Sb290Q0FMYXRlc3QuY3JsMB0GA1UdJQQWMBQGCCsG
-AQUFBwMCBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFM7Yhh6h
-eHxkgIe66kMzqMQJHHY+MA0GCSqGSIb3DQEBCwUAA4IBAQCfnKMA2DhxtWox+rKr
-u1t/UTQfhL8oY//kcJSU6gZ7mNeBcUy/l19ghEoLW8FCoGlsYSVKRGeFs1bxsVSC
-8My8xzQwJAuW+IyzOwpsZfomGDQGRtK+BeTZzghwP5Zuyy9oqDK2TtiOKvJETGG4
-wopMcfmqe8R3LhmiGACU24yBqbgIl5Q9arq5Fl2a1HmbzG48yTbQB2RZRvOjR1xE
-pG/seDdDncJWLlAdZ3DRsa/qgRX9zroNKdv/WLxZ4KO8El2voTJ5c2zQUhJCA/W5
-2xDWxJyr7WEBvDgjAvSwdvgTnjAmtaUwBU22hPRmZ4pgOzRkN+pkjAgedZ69dtms
-/wdX
+IENBMQswCQYDVQQGEwJOTDEYMBYGA1UECgwPTnV0cyBGb3VuZGF0aW9uMB4XDTI0
+MDUyOTEwNDkxN1oXDTM0MDUyNzEwNDkxN1owHDEaMBgGA1UEAwwRSW50ZXJtZWRp
+YXRlIEEgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtwHPYpYxq
+nFbS/HSvszvMUcY1ju3DIeOOGswRBKAQC9JmIkYjAgAXeMRRNXbEsR9CZq2YtmHT
+c+fQ+vIVJqkvIzlX1jUT5Jx7WjOOBHKegsK2mg7YflXC5Wd90vnzMmyZrT6nGxVR
+rUj0UTsopqcZ1guKOAk+XntD5MFPwHyoYFagYL+qoy4q6gDbeePQyb3DQ5SSB/8T
+TlhPQEcu2cJudS+9CiSFsQvHVhkHMxJ+gEgY3a10Vb1Elobh3iVuD3d2ddM6bRvw
+HwrdxAJr8KDOAr3VQGbV4kRBFjRFM/Mf7HwlUg8VGVWrpVUOrFTBE0pkNMsVoNah
+uC1zlCS2vSHvAgMBAAGjgb4wgbswHQYDVR0OBBYEFLt0u72r+nM9Yz/oByhOrLzi
+l/SJMBIGA1UdEwEB/wQIMAYBAf8CAQAwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDov
+L2NlcnRzLm51dHMubmwvUm9vdENBTGF0ZXN0LmNybDAdBgNVHSUEFjAUBggrBgEF
+BQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgEGMB8GA1UdIwQYMBaAFGKIafsg
+yWVPCcSc1uxT5GUEjLnjMA0GCSqGSIb3DQEBCwUAA4IBAQAlsnuIKvekE0L0DrkL
+KNFM+djDr3AwOKrjpOIK2F/TB/YAJlE1PRCjFSjGXUkQ74R504CQ7fsL63j9OH9M
+UQD4zsTzCvaMtfziRKv+r33d7fiN0IE24gJLyIymPGvGEt/ftaNoHSUxxmE1sBmQ
+dnIE+2aMZSrGq5UBlBo5RHHqgpclPejZRrCJ7x9XbbMexnq+KZ9sLpF4BI5XdXre
+i5OP/KgKc4ho0GAnEwcc8OeTM6x5XJePHwcCfWV9o0ZHLMWoJMTDJdMcarkwAW8X
+XAmK6FOGZz6iC1bj0Y1hd0JIiRqWXXsIKZp+b0+3I++F+ryiDAZdfN5w2HRBO9pe
+qYYI
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIDjzCCAnegAwIBAgIBAzANBgkqhkiG9w0BAQsFADA5MRAwDgYDVQQDDAdSb290
-IENBMQswCQYDVQQGEwJOTDEYMBYGA1UECgwPTnV0cyBGb3VuZGF0aW9uMB4XDTIz
-MDMyOTA5MzIyN1oXDTMzMDMyNjA5MzIyN1owHDEaMBgGA1UEAwwRSW50ZXJtZWRp
-YXRlIEIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHeTQ1m9Wv
-h3I7eum9n//0GGwpcrKcWu5Gr4LqudyIYJ9m6xDqDNwK/SyI2d3UhsZbafvcI9hF
-rnmjH7Tv00lgIIEkxwgx5HOdTWwStYjyIFREyJztE7e5FfON8kpN8k4UTQ5Ybwvc
-BZvXzCnjBgnP3qeIqUPrRwKmmiEn0bFzC/EMBk/dnGPuXoD7RkL61AU+0DjIdyZK
-i4eC6tzEGSNwU9yJxGbhgObDUU4z10k31Is3zRbtO8SO0dEsHJR3mjvXG4pKj/52
-ZMG0kRpBL/J8qHOdXeTB5eAXnnZZPjGJ+4vXhND3Qt3G156ULrh3VYZlqmfrgats
-Mur2/xYhat6DAgMBAAGjgb4wgbswHwYDVR0jBBgwFoAUugOOjnBD1aID7WoezmSH
-jYJ1t+8wEgYDVR0TAQH/BAgwBgEB/wIBADA2BgNVHR8ELzAtMCugKaAnhiVodHRw
-Oi8vY2VydHMubnV0cy5ubC9Sb290Q0FMYXRlc3QuY3JsMB0GA1UdJQQWMBQGCCsG
-AQUFBwMCBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFAGIz3z+
-b5a/pH4T2Fhn3PNjxbeqMA0GCSqGSIb3DQEBCwUAA4IBAQA4YZCNnlKNzF86B235
-B5BVbZ2nlAmGFv6tH5U/Gyh480ABjpxLzO51DaqUEH8GR9dTlGGPEFORykahcrtu
-z1A6DUkyQAW9WxCRmhIWPF9M+/CyKzJYdcHutENy8g1qbd6sjlkzWt79F1ofr2ti
-uexlnKViyI3GBIUEh5lrcupxAzbCyxjYy3SW7gmljxyxeAaHgEVdlmzLpINomgpB
-eWuCE4t7yD9a/m1upVhYaMLanPJXQhcYHQzGMkZz9kBy/RfCjSQPUI2GNz1jMsuc
-xeZyPVWs+XIBSu5KUmgoR+4YVHushHNYi0mWPue6HTJ2VZV5WnSp0tjsE+62vyXj
-BCzo
+IENBMQswCQYDVQQGEwJOTDEYMBYGA1UECgwPTnV0cyBGb3VuZGF0aW9uMB4XDTI0
+MDUyOTEwNDkxN1oXDTM0MDUyNzEwNDkxN1owHDEaMBgGA1UEAwwRSW50ZXJtZWRp
+YXRlIEIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCy971S5RT3
+2SL0MsQnb+90Ja/PHvUyKLOIjmL5VabDw/wmw044H90xdoYaDPWItf0GfIVyEtLX
+u1PAznsb28JiFbF4DAA335a1DBu94EEE3gd7G48QN5drbHxkTgtrF2E9MKz3XXtQ
+RpsnP39JA6msCPaTbRi1NKUPlHM/DELoZflxweV1dBiDrg3qqmsPGAgtG4K7cZfD
+mDqsoIpMNj41WBtGQEvS0tyolgFqu++pYmr20kus7ksma+V7PXic/8wJzZk9GizD
+d4NETz2+01hsCmmhb1AQxA44jOvHZ3teP43b5YaYBeXjsI5NRfCekm5LQFqP+7fe
+XjFE8+eCpy2vAgMBAAGjgb4wgbswHQYDVR0OBBYEFHHhq2ygsXIq5wui6qWKaj2B
+JIUAMBIGA1UdEwEB/wQIMAYBAf8CAQAwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDov
+L2NlcnRzLm51dHMubmwvUm9vdENBTGF0ZXN0LmNybDAdBgNVHSUEFjAUBggrBgEF
+BQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgEGMB8GA1UdIwQYMBaAFGKIafsg
+yWVPCcSc1uxT5GUEjLnjMA0GCSqGSIb3DQEBCwUAA4IBAQCWq8eq3zc89GYPOShL
+3ucwoDzHJ5/giytPYz1hx5ZmypD0SZvjP/j3KTqLMImylB6SA1fhgkVYtFMxriph
+MUiBUMe+l5IllFjqItJrpQEjaVrVDWN0WGwmArchim1os0bRPaI1lejZhv5/ME4T
+At1WUrv0U4EzllkcDEdra47QbWXDxtGY3fA3QtybfVg2zOVAx7fcJ2lso/hURuN+
+FaGtBOuksVsDdP0CNZRz2jcxGBBqA8Bi3J5SDA016FdumE9Ej1JaH3H9v951u1AU
+qDa2xjvOEslhNxU2Z34Mc7MJ0Elcfs5Tuyvu/J9Vf7ZISLogfEH/vCMzJOyESWCn
+bNvj
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDjzCCAnegAwIBAgIBBDANBgkqhkiG9w0BAQsFADA5MRAwDgYDVQQDDAdSb290
+IENBMQswCQYDVQQGEwJOTDEYMBYGA1UECgwPTnV0cyBGb3VuZGF0aW9uMB4XDTI0
+MDUyOTEwNDkxN1oXDTM0MDUyNzEwNDkxN1owHDEaMBgGA1UEAwwRSW50ZXJtZWRp
+YXRlIEMgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsv3oiCXkZ
+dpgbzqUA27Va4ROBlPbMntPp9ANaPhgcp33SbPTe3oNgePfiBLprmhWzK/u9RbB3
+reuJdLlp+3Ta6wzQD0VY+pOQ4cq8uZTjBAqAZDwpBop1d5DVOvi3hE4VnFecOJnS
+tq2qRnnU2JDNlFsYKAOSdR06xMAAL8wSzwGELeGdY7LGNsilmzTSKYJsOUw2Cs5L
+Y3hgxL9Z70jkFQ0HYEbK+fQ3b17yqQ4pu2Rv8gPRWT0H9ii9dRjNB4V6HAoL3SWa
+rag+fXo8mSvuYOreOCU99NF6MJQyFcLq2BHeH069XsmSKj6Sx3PbD7nOma3UnA7j
+jqn1uzs/CuqRAgMBAAGjgb4wgbswHQYDVR0OBBYEFDB93vfXZGSygW7BMb08vXqO
+cX+5MBIGA1UdEwEB/wQIMAYBAf8CAQAwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDov
+L2NlcnRzLm51dHMubmwvUm9vdENBTGF0ZXN0LmNybDAdBgNVHSUEFjAUBggrBgEF
+BQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgEGMB8GA1UdIwQYMBaAFGKIafsg
+yWVPCcSc1uxT5GUEjLnjMA0GCSqGSIb3DQEBCwUAA4IBAQCP9g8tI6Xi6Dp25VxJ
+vK8FGPW48+HMZR70IC/TPCw8QJsZHHT1aez2La18f+C7JMV/HBjXVSsrL83hfS4Z
+VKWduaoKbyhDmzbuZwlGFL3Seh0jbObIG+3gsGFtdtOIjyg85+8A8yR2cWwYHer8
+eryK8Zda/64pK624Aln+IR187daN+S2HAquK/BXtbgqiqOXEzTYn5vUbiEAdo4Sc
+Z5qdDbUs0HK9HOLbQuxVbiTHjlvehsTrQ9owuu9Te2eDUUmF5d0SNNmIo9O0Z1+o
++oIqtxYtwMk7igJdedomIS61eK4tzVMpSHffqkodXEv20dmKrPOYDK5Sc0Ex8twu
+PmXE
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIDLzCCAhegAwIBAgIBATANBgkqhkiG9w0BAQsFADA5MRAwDgYDVQQDDAdSb290
-IENBMQswCQYDVQQGEwJOTDEYMBYGA1UECgwPTnV0cyBGb3VuZGF0aW9uMB4XDTIz
-MDMyOTA5MzIyNloXDTMzMDMyNjA5MzIyNlowOTEQMA4GA1UEAwwHUm9vdCBDQTEL
+IENBMQswCQYDVQQGEwJOTDEYMBYGA1UECgwPTnV0cyBGb3VuZGF0aW9uMB4XDTI0
+MDUyOTEwNDkxN1oXDTM0MDUyNzEwNDkxN1owOTEQMA4GA1UEAwwHUm9vdCBDQTEL
 MAkGA1UEBhMCTkwxGDAWBgNVBAoMD051dHMgRm91bmRhdGlvbjCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBALmMCqmptZFO/Ff4AwVkkYHOPEzNCSLzIurR
-BazmX0xjGEdWL6ekDKfepIZc83X5qwaOAntD6a2Nk7m0c/rDh8gHkNtmZoik06iL
-hpmBp4LCZ+FL8fm1hY02ZtefiZePTxr4QxR+fbjF/f6T/H00A8///cXvBxcdPF/w
-taxIManevvfC5N1eTCGvNqm14XI2A0Jd8z/cvvyerKZqkQUk/0V9Rn8YdEpG7FYb
-moRABPpvvKrZnSVBM2GFVLeESDOzQ32fcBbokuBaEM87JCu0UO9qejVWDi/43yz4
-U+8f28MYuunk2WjXWR2Vxfh1XpcxtykR7LuWaAf5nSafmGgjBpMCAwEAAaNCMEAw
-DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFLoDjo5w
-Q9WiA+1qHs5kh42CdbfvMA0GCSqGSIb3DQEBCwUAA4IBAQAgjvIAp29UuyEwySP3
-27rpGTS8WMpLRdOC7S1jK1YR1kSGhVB25AH/iR0MYJgdGABeAGjycj0T7f330JHs
-2S/Cg5JKvgxIq9E+rTnxP5cZX6q3+iH22LnOlcrylUWDrgq5s9fzkU5m2d/VKUEb
-QoDFZgApdQgDauKsADaQE5D2/DO4o4XHGiVx07IeX7iv4go15TU0ru5dWcl9IdjT
-WAJjYWFWuz+vgdbDi00Z/E16YeckQkWq3muHSkp5OcKCyqY8NPMsS8QrxrTwTyvm
-RV6ad6/Z7DIYyfUvqKzR5b98LN1gGDTZMKbCDC14Y5id2GAeJagyZniskeriO0/K
-Fd7D
+hvcNAQEBBQADggEPADCCAQoCggEBAK77t2lQ3/OY1Xih7On8l5URBe721aIKO3zE
+lASEbJdVmcQ+TvjT39XW9GNNgKhlJlLgDeaNrvmu5sPDux5KUGBRAbEdnGlUXCQP
+lsTVAqAYOXgpIO+MvpcaSESiGqrFilw43E9AsJGb0iS/IC+AzZEocLPPIHfGChUs
+bZIxVhBrdo3Zro14K2Vlvp/LWiE4zXr3MqDIKQ1A0URijWY5orqthmOO1E9nc7Th
+gNdU4Yx19f304IQl+6i9mOfnGfqcp2JemzTLrxeXL/HIoN/4aK8gc11xXRBJwcd1
+B6WtsOfv80Xu7Rkyh5XX1goeQ5eLYEkdc+WdRIJD4pLtyPrWTCMCAwEAAaNCMEAw
+DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFGKIafsg
+yWVPCcSc1uxT5GUEjLnjMA0GCSqGSIb3DQEBCwUAA4IBAQBAqPlRDJ0/V05W37fg
+8FO276uybikjKlY+2LpGwuieoGL/GG4udKk3Q7itOmI2vAddAq/SL7x5tj8SuWvX
+xV0Kh7/goyWxZGSRG4YopP/Yxpl2tujmJ1wxyCZjp5ITFh5b3lbVuxEPUZICM3go
+RDjFQlPl/jWWNokk749phNH4e5xFhpalzFPNhp2JhNHxnwjwL7aYP8KjBNddSyXM
+0jY8ISK+f0PQTk0VsMe2DwwHDITRWJ8NBIv6gx3HrAPm4kQif+8Kd3gLX6SmH1cf
+GoPHrghJ8FVAsmrCyBcIBFpzuPl2aNhnSDar0zSrMWEBPqB+2frGHcfC7wFUEoR+
+SJVQ
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIFcDCCA1igAwIBAgIEAJiWjTANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJO
@@ -172,4 +194,4 @@ sqoARBG1xNkgN/uGLZYoEhgZzZxAlPIRDAZxpiRJuLYSZ5r7aSxox1oCMoQl75Gw
 dLfpc2zTum9TPgMzgRliYRzLDkni/4bc4r0nIQi7CPdNeuxUB9xYOTA/lMDSz4zO
 zrnx18CqKcOq3hx/AIhQA4iMSAEcuokyfdE+ZLTYqNXwPupxruDdu2Is5IGrkcDi
 vrcYSG+C0eK7/mdR/NknVYtyofAs1M+UCuVecOqrQP+r
------END CERTIFICATE-----
\ No newline at end of file
+-----END CERTIFICATE-----
diff --git a/pki/validator_test.go b/pki/validator_test.go
index c2581cece7..081275afd1 100644
--- a/pki/validator_test.go
+++ b/pki/validator_test.go
@@ -27,18 +27,17 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
-	"github.com/nuts-foundation/nuts-node/core"
-	"go.uber.org/goleak"
-	"go.uber.org/mock/gomock"
 	"math/big"
 	"net/http"
 	"os"
 	"sync"
 	"testing"
-	"time"
 
+	"github.com/nuts-foundation/nuts-node/core"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"go.uber.org/goleak"
+	"go.uber.org/mock/gomock"
 )
 
 const (
@@ -54,6 +53,7 @@ var crlPathMap = map[string]string{
 	"/RootCALatest.crl":          testdatapath + "/RootCALatest.crl",
 	"/IntermediateCAALatest.crl": testdatapath + "/IntermediateCAALatest.crl",
 	"/IntermediateCABLatest.crl": "does not exist",
+	"/IntermediateCACLatest.crl": testdatapath + "/IntermediateCACLatest.crl",
 }
 
 func TestValidator_Start(t *testing.T) {
@@ -93,6 +93,7 @@ func TestValidator_Validate(t *testing.T) {
 	validCertA := loadCert(t, testdatapath+"/A-valid.pem")
 	revokedCertA := loadCert(t, testdatapath+"/A-revoked.pem")
 	validCertBWithRevokedCA := loadCert(t, testdatapath+"/B-valid_revoked-CA.pem")
+	validCertC := loadCert(t, testdatapath+"/C-valid.pem")
 
 	block, _ := pem.Decode([]byte(bannedTestCertificate))
 	bannedCert, err := x509.ParseCertificate(block.Bytes)
@@ -131,10 +132,7 @@ func TestValidator_Validate(t *testing.T) {
 		testSoftHard(t, val, validCertBWithRevokedCA, nil, ErrCRLMissing)
 	})
 	t.Run("expired crl", func(t *testing.T) {
-		nowFunc = func() time.Time { return time.Date(2100, 1, 1, 0, 0, 0, 0, time.UTC) }
-		defer func() { nowFunc = time.Now }()
-
-		testSoftHard(t, val, validCertA, nil, ErrCRLExpired)
+		testSoftHard(t, val, validCertC, nil, ErrCRLExpired)
 	})
 	t.Run("blocked cert", func(t *testing.T) {
 		ts := denylistTestServer(trustedDenylist(t))
@@ -321,7 +319,7 @@ func Test_ValidatorDownloadCRL(t *testing.T) {
 func Test_ValidatorVerifyCRL(t *testing.T) {
 	v := newValidatorStarted(t)
 	trustStore, _ := core.LoadTrustStore(truststore)
-	issuer := trustStore.Certificates()[2] // rootCA
+	issuer := trustStore.Certificates()[3] // rootCA
 
 	t.Run("ok", func(t *testing.T) {
 		data, err := os.ReadFile(testdatapath + "/RootCALatest.crl")
@@ -391,7 +389,7 @@ func Test_ValidatorUpdateCRL(t *testing.T) {
 func testValidator(t *testing.T) *validator {
 	store, err := core.LoadTrustStore(truststore)
 	require.NoError(t, err)
-	require.Len(t, store.Certificates(), 3)
+	require.Len(t, store.Certificates(), 4)
 	val, err := newValidatorWithHTTPClient(DefaultConfig(), newClient())
 	require.NoError(t, err)
 	require.NoError(t, val.AddTruststore(store.Certificates()))