diff --git a/.travis.yml b/.travis.yml
index 8a66ff2cb..78c85296a 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -19,6 +19,10 @@ addons:
     - axel
     - luarocks
     - daemonize
+    - lsb-release
+    - wget
+    - gnupg
+    - ca-certificates
 
 cache:
   directories:
@@ -33,15 +37,13 @@ env:
     - LUAJIT_INC=$LUAJIT_PREFIX/include/luajit-2.1
     - LUA_INCLUDE_DIR=$LUAJIT_INC
     - LUA_CMODULE_DIR=/lib
-    - PCRE_VER=8.45
-    - PCRE2_VER=10.37
-    - PCRE_PREFIX=/opt/pcre
-    - PCRE2_PREFIX=/opt/pcre2
-    - PCRE_LIB=$PCRE_PREFIX/lib
+    - PCRE2_VER=10.45
+    #- PCRE2_PREFIX=/opt/pcre2
+    - PCRE2_PREFIX=/usr/local/openresty/pcre2
     - PCRE2_LIB=$PCRE2_PREFIX/lib
-    - PCRE_INC=$PCRE_PREFIX/include
     - PCRE2_INC=$PCRE2_PREFIX/include
-    - OPENSSL_PREFIX=/opt/ssl
+    #- OPENSSL_PREFIX=/opt/ssl3
+    - OPENSSL_PREFIX=/usr/local/openresty/openssl3
     - OPENSSL_LIB=$OPENSSL_PREFIX/lib
     - OPENSSL_INC=$OPENSSL_PREFIX/include
     - LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
@@ -49,8 +51,7 @@ env:
     - TEST_NGINX_RANDOMIZE=1
     - LUACHECK_VER=0.21.1
   matrix:
-    - NGINX_VERSION=1.27.1 OPENSSL_VER=1.1.1w OPENSSL_PATCH_VER=1.1.1f USE_PCRE2=Y
-    - NGINX_VERSION=1.25.3 OPENSSL_VER=1.1.1w OPENSSL_PATCH_VER=1.1.1f
+    - NGINX_VERSION=1.27.1 OPENSSL_VER=3.5.0 OPENSSL_PATCH_VER=3.5.0
 
 services:
   - memcache
@@ -61,12 +62,15 @@ before_install:
   - '! grep -n -P ''(?<=.{80}).+'' --color `find . -name ''*.lua''` || (echo "ERROR: Found Lua source lines exceeding 80 columns." > /dev/stderr; exit 1)'
   - '! grep -n -P ''\t+'' --color `find . -name ''*.lua''` || (echo "ERROR: Cannot use tabs." > /dev/stderr; exit 1)'
   - cpanm --sudo --notest Test::Nginx IPC::Run > build.log 2>&1 || (cat build.log && exit 1)
+  - wget -O - https://openresty.org/package/pubkey.gpg | sudo apt-key add -
+  - echo "deb http://openresty.org/package/ubuntu $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/openresty.list
+  - sudo apt-get update
+  - sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends openresty-pcre2 openresty-openssl3 openresty-pcre2-dev openresty-openssl3-dev
 
 install:
   - if [ ! -d download-cache ]; then mkdir download-cache; fi
-  - if [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/old/${OPENSSL_VER//[a-z]/}/openssl-$OPENSSL_VER.tar.gz; fi
-  - if [ "$USE_PCRE2" != "Y" ] && [ ! -f download-cache/pcre-$PCRE_VER.tar.gz ]; then wget -P download-cache http://ftp.cs.stanford.edu/pub/exim/pcre/pcre-$PCRE_VER.tar.gz; fi
-  - if [ "$USE_PCRE2" = "Y" ] && [ ! -f download-cache/pcre2-$PCRE2_VER.tar.gz ]; then wget -P download-cache https://downloads.sourceforge.net/project/pcre/pcre2/${PCRE2_VER}/pcre2-${PCRE2_VER}.tar.gz; fi
+  #- if [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/old/${OPENSSL_VER//[a-z]/}/openssl-$OPENSSL_VER.tar.gz; fi
+  #- if [ ! -f download-cache/pcre2-$PCRE2_VER.tar.gz ]; then wget -P download-cache https://downloads.sourceforge.net/project/pcre/pcre2/${PCRE2_VER}/pcre2-${PCRE2_VER}.tar.gz; fi
   - git clone https://github.com/openresty/openresty.git ../openresty
   - git clone https://github.com/openresty/openresty-devel-utils.git
   - git clone https://github.com/simpl/ngx_devel_kit.git ../ndk-nginx-module
@@ -87,27 +91,15 @@ script:
   - sudo make install PREFIX=$LUAJIT_PREFIX > build.log 2>&1 || (cat build.log && exit 1)
   - cd ..
   - cd lua-resty-lrucache && sudo make DESTDIR=$LUAJIT_PREFIX LUA_LIB_DIR=/share/lua/5.1 install && cd ..
-  - tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz
-  - cd openssl-$OPENSSL_VER/
-  - if [ -n "$OPENSSL_PATCH_VER" ]; then patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; fi
-  - ./config no-threads shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX -DPURIFY > build.log 2>&1 || (cat build.log && exit 1)
-  - make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
-  - sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1)
-  - cd ../mockeagain/ && make CC=$CC -j$JOBS && cd ..
-  - if [ "$USE_PCRE2" != "Y" ]; then tar zxf download-cache/pcre-$PCRE_VER.tar.gz; cd pcre-$PCRE_VER/; ./configure --prefix=$PCRE_PREFIX --enable-jit --enable-utf --enable-unicode-properties > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
-  - if [ "$USE_PCRE2" = "Y" ]; then tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
+  #- tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; if [ -n "$OPENSSL_PATCH_VER" ]; then patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; fi; ./config no-threads shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); cd ..
+  - cd mockeagain/ && make CC=$CC -j$JOBS && cd ..
+  #- tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..;
   - export PATH=$PWD/work/nginx/sbin:$PWD/openresty-devel-utils:$PATH
   - export LD_PRELOAD=$PWD/mockeagain/mockeagain.so
   - export LD_LIBRARY_PATH=$PWD/mockeagain:$LD_LIBRARY_PATH
   - export TEST_NGINX_RESOLVER=8.8.4.4
   - export NGX_BUILD_CC=$CC
-  - export add_http3_module=--with-http_v3_module
-  - export disable_pcre2=--without-pcre2
-  - answer=`util/ver-ge "$NGINX_VERSION" 1.25.1`
-  - if [ "$OPENSSL_VER" = "1.1.0l" ] || [ "$answer" = "N" ]; then add_http3_module=""; fi
-  - if [ "$answer" = "N" ] || [ "$USE_PCRE2" = "Y" ]; then disable_pcre2=""; fi
-  - if [ "$USE_PCRE2" = "Y" ]; then PCRE_INC=$PCRE2_INC; PCRE_LIB=$PCRE2_LIB; fi
-  - ngx-build $NGINX_VERSION $disable_pcre2 $add_http3_module --with-http_v2_module --with-http_realip_module --with-http_ssl_module --with-pcre-jit --with-cc-opt="-I$OPENSSL_INC -I$PCRE_INC" --with-ld-opt="-L$OPENSSL_LIB -Wl,-rpath,$OPENSSL_LIB -L$PCRE_LIB -Wl,-rpath,$PCRE_LIB" --add-module=../ndk-nginx-module --add-module=../echo-nginx-module --add-module=../set-misc-nginx-module --add-module=../headers-more-nginx-module --add-module=../lua-nginx-module --with-debug --with-stream_ssl_module --with-stream --with-ipv6 --add-module=../stream-lua-nginx-module > build.log 2>&1 || (cat build.log && exit 1)
+  - ngx-build $NGINX_VERSION --with-http_v3_module --with-http_v2_module --with-http_realip_module --with-http_ssl_module --with-pcre-jit --with-cc-opt="-I$OPENSSL_INC -I$PCRE2_INC" --with-ld-opt="-L$OPENSSL_LIB -Wl,-rpath,$OPENSSL_LIB -L$PCRE2_LIB -Wl,-rpath,$PCRE2_LIB" --add-module=../ndk-nginx-module --add-module=../echo-nginx-module --add-module=../set-misc-nginx-module --add-module=../headers-more-nginx-module --add-module=../lua-nginx-module --with-debug --with-stream_ssl_module --with-stream --with-ipv6 --add-module=../stream-lua-nginx-module > build.log 2>&1 || (cat build.log && exit 1)
   - nginx -V
   - ldd `which nginx`|grep -E 'luajit|ssl|pcre'
   - prove -I. -Itest-nginx/lib -j$JOBS -r t
diff --git a/t/cert/chain/chain.der b/t/cert/chain/chain.der
index 3e7b4ba10..dbaa95331 100644
Binary files a/t/cert/chain/chain.der and b/t/cert/chain/chain.der differ
diff --git a/t/cert/chain/chain.pem b/t/cert/chain/chain.pem
index 35ed8a973..b8a83c09c 100644
--- a/t/cert/chain/chain.pem
+++ b/t/cert/chain/chain.pem
@@ -2,26 +2,52 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            3f:84:8f:36:54:84:d0:d8:0c:f8:1b:b0:14:f6:86:65:e4:9a:e4:88
+            28:02:e3:2a:1e:d0:bb:d6:2d:6a:64:c8:f8:20:65:dd:fa:c0:ca:af
         Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, ST = California, O = OpenResty, CN = Signing-CA-2
+        Issuer: C=US, ST=California, O=OpenResty, CN=Signing-CA-2
         Validity
-            Not Before: Dec  9 16:40:27 2024 GMT
-            Not After : Nov 15 16:40:27 2124 GMT
-        Subject: C = US, ST = California, O = OpenResty, CN = test.com
+            Not Before: Jun 21 12:32:49 2025 GMT
+            Not After : May 28 12:32:49 2125 GMT
+        Subject: C=US, ST=California, O=OpenResty, CN=test.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
+                Public-Key: (4096 bit)
                 Modulus:
-                    00:9a:44:37:94:1a:5b:fb:70:a5:c4:44:bd:d4:4a:
-                    8b:5d:01:7a:32:c9:97:a0:c2:14:30:ed:2b:ec:6c:
-                    8b:b5:27:06:f5:67:e8:6e:a7:b8:61:14:b7:0e:98:
-                    b7:1f:67:33:40:97:d8:e3:46:57:b5:04:c0:9f:43:
-                    eb:72:11:3b:e2:45:00:02:1d:26:4e:6e:b8:7f:e2:
-                    f4:be:a2:8c:cf:b6:d6:7f:f1:b1:0a:71:c5:a9:ac:
-                    2a:7c:cc:c3:6e:5b:83:e9:6e:bf:f8:98:aa:94:0e:
-                    b6:35:b1:21:22:26:7c:1c:2a:26:12:aa:e4:ac:18:
-                    8c:ec:31:77:e8:db:eb:1a:11
+                    00:cc:1e:6d:ec:9e:f2:3e:3f:17:3d:de:18:5a:d6:
+                    c4:70:99:d3:cd:b1:99:45:e7:ed:82:69:3e:85:d9:
+                    1f:d0:bf:de:f6:49:1a:04:d4:c9:76:5c:96:06:4d:
+                    81:98:cd:0b:97:15:db:73:de:84:8a:16:0e:3d:08:
+                    cc:6f:fc:2c:48:92:4a:2b:98:40:73:f2:4a:5c:ce:
+                    72:cb:06:c1:69:a6:7f:f0:6b:0a:4f:6c:8e:62:c6:
+                    fd:52:d6:fc:5c:a4:1a:1f:b7:81:7a:9b:30:ef:ad:
+                    81:88:ea:b8:c6:95:d8:2a:32:a2:89:d2:b3:9d:d2:
+                    99:a6:2d:5a:e4:42:32:12:56:19:5b:f6:2e:37:44:
+                    da:84:f6:81:71:4a:8a:3a:ac:84:be:7d:85:aa:3d:
+                    e9:ce:45:97:57:2f:5e:21:c3:20:cf:7c:d0:85:4e:
+                    bc:03:61:41:1e:3f:87:30:a3:6c:be:a0:32:6a:4f:
+                    4b:81:22:b4:9b:c4:34:56:55:1d:07:d7:c3:a6:de:
+                    b4:0d:98:e6:58:0d:22:2e:42:72:04:69:93:21:cb:
+                    30:78:04:37:66:c9:c7:38:60:b5:d1:b3:a3:27:8a:
+                    12:59:e1:4c:cb:7d:72:00:12:d0:5b:ee:79:b9:76:
+                    ed:bb:4a:d4:33:a2:c7:e0:4f:af:3c:7f:28:86:e8:
+                    67:c2:c9:03:eb:ed:e9:9a:dc:cd:5a:bd:58:21:07:
+                    27:53:fc:47:91:08:ce:da:93:d7:c4:4f:5f:c1:85:
+                    20:d3:6e:d9:2b:6e:b1:87:46:de:0b:5c:78:b7:9e:
+                    15:b2:5c:c9:4b:e1:56:13:34:49:01:92:dd:9d:e9:
+                    4f:b1:d9:71:d0:4a:5a:7f:70:71:32:33:48:9a:fd:
+                    e6:d2:a4:43:35:45:e9:a7:8d:03:f3:9e:fc:b5:aa:
+                    77:7d:95:2c:5d:4f:16:11:aa:b5:38:64:69:5e:94:
+                    d8:ec:32:c5:ed:af:70:40:61:da:d7:64:d3:f6:1a:
+                    6d:c1:c2:8b:32:d7:b9:df:11:04:1b:b3:d0:93:24:
+                    f3:2c:9f:63:9b:23:77:83:dd:eb:a1:b3:54:45:12:
+                    7a:3c:33:78:f0:61:6c:08:a5:fd:d9:54:fd:d4:69:
+                    2f:52:20:68:e9:45:00:f7:a3:65:d1:9d:f0:e2:67:
+                    10:05:db:8a:56:07:82:eb:ee:e6:63:e5:43:b9:e4:
+                    aa:64:72:1c:14:3c:21:25:f9:b2:5f:ec:f6:f7:82:
+                    d8:7d:d2:a2:7d:fa:c9:8a:f2:33:db:c6:70:66:a5:
+                    e2:68:8d:1a:76:44:31:5d:4b:6b:ce:cb:69:8e:f1:
+                    9e:30:51:b3:f2:41:d8:f0:c1:07:ed:9a:26:f6:8b:
+                    a0:86:43
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: 
@@ -31,202 +57,312 @@ Certificate:
             Netscape Comment: 
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier: 
-                FB:43:1A:55:61:83:16:15:F4:32:F5:FC:8D:BC:2C:E8:22:F1:CF:8A
+                4C:1D:FF:4A:A0:50:E2:F9:CB:80:E2:5C:DE:75:10:9E:EA:58:29:0B
             X509v3 Authority Key Identifier: 
-                8C:59:76:86:88:23:2C:FA:26:A3:58:10:80:0E:F4:E5:DB:D5:D6:BB
+                92:94:BF:A7:B4:38:25:CB:E6:55:A7:69:47:EC:3F:79:77:0D:64:8E
     Signature Algorithm: sha256WithRSAEncryption
     Signature Value:
-        86:1c:af:66:38:97:5b:a4:80:2c:d3:c3:82:0d:db:0a:c6:ac:
-        18:e2:5d:f8:46:da:0c:cc:a3:4b:3c:5b:0f:95:b8:a6:37:ad:
-        9d:f9:1a:0e:6e:3e:74:36:4c:47:f4:d6:f1:53:50:8a:74:53:
-        7c:e7:15:ad:8c:79:d0:99:a6:6f:31:c5:d8:ac:a6:61:2c:ba:
-        25:65:5c:e4:87:1f:03:d5:56:8d:f8:98:16:2c:eb:e7:08:e1:
-        4f:72:b8:21:a3:d7:fc:bd:d2:a9:ab:3b:c6:49:96:ea:b9:c1:
-        97:ae:06:f0:90:84:cc:df:b7:43:22:85:3f:b0:65:88:77:57:
-        25:a7:64:9a:d1:e6:9d:23:26:7a:39:be:15:28:3c:69:46:ac:
-        10:9c:2a:b3:53:a6:8c:24:0e:77:18:34:a3:36:59:07:e5:60:
-        f5:a9:69:8c:91:f5:9d:4c:e3:51:b9:a4:6d:b6:f4:49:af:d1:
-        e6:84:45:93:e0:27:0d:46:25:51:7a:2c:43:8f:4a:ec:6e:07:
-        f1:97:41:c2:e0:d7:35:cf:11:16:82:40:9f:9f:e5:5e:9f:be:
-        2e:cf:5d:b7:b4:07:a8:16:a5:66:58:1d:d2:db:72:ea:e6:fe:
-        ea:0d:2a:a9:ae:e7:d0:ba:04:bd:d9:a5:9a:45:4b:c4:c0:b6:
-        6a:20:20:c8
+        7f:fa:a5:17:11:25:7e:0a:90:42:06:d9:b9:14:a7:a7:b0:7e:
+        37:32:21:8a:f4:4e:00:71:4b:af:70:b8:47:47:d6:8b:9c:2b:
+        d1:e3:78:c0:fd:4e:f7:bc:d9:56:e7:90:48:78:66:d7:e9:19:
+        a5:7f:73:83:e0:60:ea:c9:f3:d5:2d:cf:6f:a9:87:b4:16:fb:
+        53:c0:43:50:ee:a4:3c:87:34:d2:d4:5b:da:d7:1d:6d:9c:45:
+        be:b9:3d:c4:4a:cc:cb:4a:90:d9:36:9d:09:3d:44:8e:bd:ab:
+        e9:91:3d:f3:23:0c:34:b5:0f:56:ec:8f:db:8c:95:b8:ee:65:
+        5a:31:fc:dc:eb:1e:b0:02:62:e2:42:6f:d9:19:68:06:11:67:
+        34:06:c4:74:92:ac:ad:69:2b:64:65:10:37:20:fe:de:24:00:
+        99:b2:bc:2d:f9:90:0c:8b:80:22:da:ca:f3:de:62:1a:21:52:
+        5e:a8:71:ae:14:23:a7:f5:1c:7f:d2:81:27:6e:fb:a1:07:da:
+        8a:ab:27:f3:85:67:f4:80:e7:6b:d1:57:0f:63:40:7b:a5:31:
+        cb:99:7e:5b:6e:d6:c9:c0:e2:57:42:9a:dd:6a:49:a2:35:49:
+        af:2e:c1:ad:39:8d:c1:ec:8e:06:f8:70:ed:b7:92:d1:10:70:
+        39:04:35:b8:44:fd:de:74:55:8e:99:c1:bc:c6:41:33:aa:9b:
+        5f:0f:d9:7f:6a:7a:fb:ab:7b:f6:e8:af:6a:18:1e:09:b0:54:
+        58:e8:11:79:87:4e:ad:95:7f:d9:ed:24:c2:86:3b:52:d4:69:
+        ce:92:15:f6:5a:c7:64:21:fa:7a:4e:a4:cf:b0:01:2e:90:c6:
+        4a:32:d7:9b:49:77:33:56:dd:4b:50:21:33:9c:49:d4:60:fa:
+        5c:7f:cb:b3:ef:bd:a2:cb:d3:9a:43:c3:6b:a7:18:9d:c9:ed:
+        71:0e:dc:ac:1e:c7:44:ae:45:91:05:69:1e:a8:06:17:ef:f0:
+        3f:01:c1:b1:9d:a0:b6:6a:63:25:cc:71:a8:18:40:58:2a:33:
+        43:77:93:f3:55:52:d1:c9:ad:d6:17:7a:5d:30:f4:ca:35:35:
+        53:d9:23:64:dc:9f:29:6d:7e:ff:a7:c6:2e:99:fe:40:99:5a:
+        f4:ba:48:e8:2f:9b:95:80:3f:7a:76:d5:77:de:20:d3:89:0f:
+        17:80:88:95:ca:3f:20:94:2b:79:67:4b:1c:70:bd:54:95:72:
+        a8:e9:fc:dc:c3:8a:34:d2:a3:db:c1:8f:1e:f2:6f:93:b0:99:
+        a5:52:64:fc:9e:1a:0a:49:4d:3f:a7:c1:d8:46:36:24:cb:57:
+        2a:5b:08:cf:e4:2a:3f:6a
 -----BEGIN CERTIFICATE-----
-MIIDMjCCAhqgAwIBAgIUP4SPNlSE0NgM+BuwFPaGZeSa5IgwDQYJKoZIhvcNAQEL
+MIIFtjCCA56gAwIBAgIUKALjKh7Qu9YtamTI+CBl3frAyq8wDQYJKoZIhvcNAQEL
 BQAwTTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAoM
-CU9wZW5SZXN0eTEVMBMGA1UEAwwMU2lnbmluZy1DQS0yMCAXDTI0MTIwOTE2NDAy
-N1oYDzIxMjQxMTE1MTY0MDI3WjBJMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2Fs
-aWZvcm5pYTESMBAGA1UECgwJT3BlblJlc3R5MREwDwYDVQQDDAh0ZXN0LmNvbTCB
-nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmkQ3lBpb+3ClxES91EqLXQF6MsmX
-oMIUMO0r7GyLtScG9Wfobqe4YRS3Dpi3H2czQJfY40ZXtQTAn0PrchE74kUAAh0m
-Tm64f+L0vqKMz7bWf/GxCnHFqawqfMzDbluD6W6/+JiqlA62NbEhIiZ8HComEqrk
-rBiM7DF36NvrGhECAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQE
-AwIGQDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNh
-dGUwHQYDVR0OBBYEFPtDGlVhgxYV9DL1/I28LOgi8c+KMB8GA1UdIwQYMBaAFIxZ
-doaIIyz6JqNYEIAO9OXb1da7MA0GCSqGSIb3DQEBCwUAA4IBAQCGHK9mOJdbpIAs
-08OCDdsKxqwY4l34RtoMzKNLPFsPlbimN62d+RoObj50NkxH9NbxU1CKdFN85xWt
-jHnQmaZvMcXYrKZhLLolZVzkhx8D1VaN+JgWLOvnCOFPcrgho9f8vdKpqzvGSZbq
-ucGXrgbwkITM37dDIoU/sGWId1clp2Sa0eadIyZ6Ob4VKDxpRqwQnCqzU6aMJA53
-GDSjNlkH5WD1qWmMkfWdTONRuaRttvRJr9HmhEWT4CcNRiVReixDj0rsbgfxl0HC
-4Nc1zxEWgkCfn+Ven74uz123tAeoFqVmWB3S23Lq5v7qDSqprufQugS92aWaRUvE
-wLZqICDI
+CU9wZW5SZXN0eTEVMBMGA1UEAwwMU2lnbmluZy1DQS0yMCAXDTI1MDYyMTEyMzI0
+OVoYDzIxMjUwNTI4MTIzMjQ5WjBJMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2Fs
+aWZvcm5pYTESMBAGA1UECgwJT3BlblJlc3R5MREwDwYDVQQDDAh0ZXN0LmNvbTCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMwebeye8j4/Fz3eGFrWxHCZ
+082xmUXn7YJpPoXZH9C/3vZJGgTUyXZclgZNgZjNC5cV23PehIoWDj0IzG/8LEiS
+SiuYQHPySlzOcssGwWmmf/BrCk9sjmLG/VLW/FykGh+3gXqbMO+tgYjquMaV2Coy
+oonSs53SmaYtWuRCMhJWGVv2LjdE2oT2gXFKijqshL59hao96c5Fl1cvXiHDIM98
+0IVOvANhQR4/hzCjbL6gMmpPS4EitJvENFZVHQfXw6betA2Y5lgNIi5CcgRpkyHL
+MHgEN2bJxzhgtdGzoyeKElnhTMt9cgAS0Fvuebl27btK1DOix+BPrzx/KIboZ8LJ
+A+vt6ZrczVq9WCEHJ1P8R5EIztqT18RPX8GFINNu2StusYdG3gtceLeeFbJcyUvh
+VhM0SQGS3Z3pT7HZcdBKWn9wcTIzSJr95tKkQzVF6aeNA/Oe/LWqd32VLF1PFhGq
+tThkaV6U2Owyxe2vcEBh2tdk0/YabcHCizLXud8RBBuz0JMk8yyfY5sjd4Pd66Gz
+VEUSejwzePBhbAil/dlU/dRpL1IgaOlFAPejZdGd8OJnEAXbilYHguvu5mPlQ7nk
+qmRyHBQ8ISX5sl/s9veC2H3Son36yYryM9vGcGal4miNGnZEMV1La87LaY7xnjBR
+s/JB2PDBB+2aJvaLoIZDAgMBAAGjgY8wgYwwCQYDVR0TBAIwADARBglghkgBhvhC
+AQEEBAMCBkAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRp
+ZmljYXRlMB0GA1UdDgQWBBRMHf9KoFDi+cuA4lzedRCe6lgpCzAfBgNVHSMEGDAW
+gBSSlL+ntDgly+ZVp2lH7D95dw1kjjANBgkqhkiG9w0BAQsFAAOCAgEAf/qlFxEl
+fgqQQgbZuRSnp7B+NzIhivROAHFLr3C4R0fWi5wr0eN4wP1O97zZVueQSHhm1+kZ
+pX9zg+Bg6snz1S3Pb6mHtBb7U8BDUO6kPIc00tRb2tcdbZxFvrk9xErMy0qQ2Tad
+CT1Ejr2r6ZE98yMMNLUPVuyP24yVuO5lWjH83OsesAJi4kJv2RloBhFnNAbEdJKs
+rWkrZGUQNyD+3iQAmbK8LfmQDIuAItrK895iGiFSXqhxrhQjp/Ucf9KBJ277oQfa
+iqsn84Vn9IDna9FXD2NAe6Uxy5l+W27WycDiV0Ka3WpJojVJry7BrTmNweyOBvhw
+7beS0RBwOQQ1uET93nRVjpnBvMZBM6qbXw/Zf2p6+6t79uivahgeCbBUWOgReYdO
+rZV/2e0kwoY7UtRpzpIV9lrHZCH6ek6kz7ABLpDGSjLXm0l3M1bdS1AhM5xJ1GD6
+XH/Ls++9osvTmkPDa6cYncntcQ7crB7HRK5FkQVpHqgGF+/wPwHBsZ2gtmpjJcxx
+qBhAWCozQ3eT81VS0cmt1hd6XTD0yjU1U9kjZNyfKW1+/6fGLpn+QJla9LpI6C+b
+lYA/enbVd94g04kPF4CIlco/IJQreWdLHHC9VJVyqOn83MOKNNKj28GPHvJvk7CZ
+pVJk/J4aCklNP6fB2EY2JMtXKlsIz+QqP2o=
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            33:7d:07:a5:4d:f7:13:50:1c:5e:14:cf:4d:5e:b3:fb:e5:91:07:e9
+            44:38:44:78:9a:6b:d5:96:7a:ab:b7:a0:83:a1:b7:01:6c:91:b7:86
         Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, ST = California, O = OpenResty, CN = Signing-CA-1
+        Issuer: C=US, ST=California, L=San Francisco, O=OpenResty, CN=Root CA
         Validity
-            Not Before: Dec  9 16:40:20 2024 GMT
-            Not After : Nov 15 16:40:20 2124 GMT
-        Subject: C = US, ST = California, O = OpenResty, CN = Signing-CA-2
+            Not Before: Jun 21 12:19:06 2025 GMT
+            Not After : May 28 12:19:06 2125 GMT
+        Subject: C=US, ST=California, O=OpenResty, CN=Signing-CA-1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                Public-Key: (4096 bit)
                 Modulus:
-                    00:a1:46:dc:35:81:29:b6:3b:a1:da:9e:61:23:04:
-                    55:ec:2d:42:56:6e:b2:6d:1a:0a:93:cd:54:14:74:
-                    19:c4:22:70:c8:53:38:cc:07:44:3d:4c:de:99:d3:
-                    e6:4c:d4:74:ec:10:8d:53:43:8b:82:23:ae:e2:c7:
-                    2a:ba:df:ab:54:00:f3:dc:f6:0d:60:eb:f6:59:f0:
-                    42:84:5b:76:84:03:06:e1:ff:68:1a:33:bc:f9:7c:
-                    44:dc:d2:7a:aa:f3:6f:ca:7b:26:8f:ff:9a:3d:6a:
-                    53:fc:ae:cc:2d:34:ec:e9:ae:13:92:71:74:3a:a5:
-                    13:40:f1:84:7a:a6:a1:e7:31:7c:a2:32:e3:fb:ba:
-                    4b:56:7a:c8:a7:eb:a9:d3:4f:34:3a:94:d3:38:ba:
-                    12:58:fe:2b:5f:1c:fb:5f:b6:70:f3:6f:1c:c0:34:
-                    c8:d1:86:98:0d:4d:74:78:55:32:7a:4d:05:10:aa:
-                    a3:00:9f:9d:94:eb:da:80:6b:37:b1:e8:7c:19:26:
-                    25:e5:4f:13:ab:85:80:78:a3:b3:a5:e3:8a:90:06:
-                    00:4a:7f:76:70:ce:b0:8a:71:bc:82:fe:1d:02:67:
-                    17:77:e2:db:96:27:53:6c:86:3c:f1:81:2b:61:28:
-                    da:c0:23:04:48:35:46:92:19:11:2a:4d:24:cd:aa:
-                    8d:39
+                    00:9b:b4:55:fe:bc:c5:13:6f:72:2b:3f:f9:d0:e7:
+                    fd:25:e2:2e:9d:f9:62:ad:ad:c4:7f:31:68:ec:0d:
+                    a8:e0:09:88:e5:a3:ea:73:53:95:cd:5c:97:ff:59:
+                    26:d9:88:de:67:1f:ae:54:1f:9e:c7:b6:24:cc:bc:
+                    95:70:36:9a:cb:9b:76:53:f9:52:bc:53:98:11:fc:
+                    4d:08:a5:fc:57:f8:1e:3e:d1:21:b6:0f:41:e1:07:
+                    4e:8b:45:64:05:9a:20:7f:7d:73:cf:6b:39:ad:c3:
+                    36:b6:0f:89:29:74:2e:50:15:6d:80:cd:df:8d:c3:
+                    33:ad:89:92:86:0f:67:4b:9d:bf:a5:b3:59:24:a6:
+                    f0:08:f7:fd:ab:27:dd:fe:aa:c0:a1:7c:c0:4d:67:
+                    77:23:8d:e8:6a:b1:f9:36:11:cf:64:a1:26:d4:82:
+                    30:66:32:bc:9a:61:ab:21:a5:c3:3a:96:8f:21:6a:
+                    09:e2:03:b0:2c:cb:aa:b0:ef:c6:1f:fb:64:b3:fd:
+                    07:04:f9:78:49:ba:be:dc:7f:5e:4a:ab:e6:5d:18:
+                    fc:ab:41:7c:b4:8b:b7:51:57:28:04:2b:82:8b:1d:
+                    ae:b5:8d:9a:42:dc:66:f8:e5:c6:be:37:c0:54:51:
+                    87:33:65:d7:82:95:26:9f:dc:e3:13:52:3b:c1:8b:
+                    91:b3:19:43:85:2e:f7:a9:25:be:a1:95:0a:97:95:
+                    6e:76:8a:7b:8a:5b:12:f2:da:82:5d:03:45:e9:e1:
+                    35:69:df:3e:ad:fc:97:2d:c7:d8:68:e7:0a:88:63:
+                    1f:17:aa:19:7d:ac:e7:f9:4c:f7:31:81:8b:c6:2f:
+                    d1:f9:ab:f7:0e:f1:b2:b8:08:d5:0c:61:ef:65:68:
+                    95:fd:c3:7e:0d:9e:4c:14:3b:af:1a:3f:9c:1e:9d:
+                    5d:1d:9a:e8:11:dd:9a:93:c3:ef:21:04:de:4b:6f:
+                    2c:dc:39:0e:0d:1b:ca:61:83:37:6f:d7:d7:90:fa:
+                    43:e9:8f:e7:54:67:c4:3f:bc:3f:4d:01:6f:66:1c:
+                    1a:c6:4f:56:a1:ab:ca:e5:ca:f3:a5:ac:7f:b4:9a:
+                    6b:da:46:6a:9e:ae:6b:da:c6:9e:a6:05:f1:48:13:
+                    ee:5b:a3:53:cc:fe:81:27:21:1b:e4:ce:7a:6a:bb:
+                    c1:40:14:cd:f1:5c:88:3f:65:05:11:f7:e6:f7:b0:
+                    d4:dd:26:e3:27:07:e3:b3:09:ab:1f:f8:27:b1:11:
+                    d6:03:37:82:9a:69:2b:0a:da:16:35:6f:59:03:6e:
+                    c6:ef:d0:03:b2:39:6e:44:70:13:b5:02:8f:d8:1d:
+                    78:1d:05:52:b8:db:92:18:a8:7b:79:a2:75:ca:2a:
+                    b1:e4:b7
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                8C:59:76:86:88:23:2C:FA:26:A3:58:10:80:0E:F4:E5:DB:D5:D6:BB
+                8E:B0:26:BC:3A:A3:FC:09:95:09:11:EC:56:27:F4:50:BA:2D:A4:08
             X509v3 Authority Key Identifier: 
-                18:AE:C9:84:F7:75:DE:3C:F7:99:18:79:65:8E:99:BD:F9:10:90:EE
+                38:EA:6B:B1:87:AD:98:E2:C2:EA:79:60:4E:0E:2C:49:30:5A:5F:1F
             X509v3 Basic Constraints: critical
                 CA:TRUE
     Signature Algorithm: sha256WithRSAEncryption
     Signature Value:
-        07:38:f1:24:cd:0b:9c:50:f5:b4:98:d2:00:db:ef:73:ad:d7:
-        0f:5f:ca:a9:d1:38:65:e0:c6:0e:9d:9a:33:1c:6b:3f:dc:e3:
-        86:37:78:81:f3:7a:61:90:b7:72:55:42:65:ba:c3:4c:b1:67:
-        be:a8:65:30:88:87:7b:5c:22:b4:30:e0:4f:d9:38:2b:29:53:
-        13:b4:0a:ea:f4:3b:13:a0:94:47:92:c8:0d:c8:cb:83:2b:e4:
-        d7:f7:d8:cd:4d:81:14:01:d1:36:52:3f:b7:b7:9d:60:e9:4c:
-        ff:5a:4e:80:52:96:a2:77:b0:7f:b6:3f:37:04:37:7e:8f:9c:
-        cc:86:52:d7:67:8a:8e:fb:11:7b:16:56:c5:cd:47:cd:86:b8:
-        b3:49:ee:e2:79:cc:0c:61:6b:33:70:7b:a7:38:8f:9e:b0:23:
-        be:7e:10:04:c1:08:36:25:47:90:e1:88:63:34:44:bc:de:55:
-        71:e3:f5:e4:f4:5f:14:b3:1d:b6:24:13:db:84:5a:3d:7d:e7:
-        9a:e7:36:9e:49:60:7b:95:2c:8c:df:66:74:2e:f2:87:33:87:
-        16:2b:b4:e2:72:56:d5:21:33:b4:6f:97:d3:43:d3:2a:21:84:
-        18:02:6e:3e:d8:07:62:c6:cf:95:32:4f:42:0a:dc:65:01:0c:
-        74:e5:23:cc
+        0c:01:de:59:f1:a6:10:0e:eb:a1:46:2e:50:0c:e8:a0:2a:22:
+        cb:9a:91:03:06:6c:24:0b:d7:10:ec:bc:19:e7:6c:e5:32:07:
+        0a:61:99:85:3e:50:da:f9:4e:37:73:ad:e9:65:0c:f4:0a:2d:
+        47:ee:2f:2d:c6:cf:58:d3:40:4a:a0:3e:9e:90:40:ab:26:5f:
+        ec:25:56:95:a9:6d:e5:26:bd:e4:be:a5:9e:68:0e:14:c9:2c:
+        f4:38:4a:fd:af:08:4d:5f:d0:6c:6f:bd:a9:57:df:a2:93:c5:
+        74:76:cb:a9:84:6c:60:eb:8c:ff:18:09:e2:af:4d:ec:6c:ba:
+        bf:f8:01:68:d3:61:d6:90:28:0e:78:df:fc:84:93:ab:fc:51:
+        44:c0:97:e9:0e:84:09:a0:c7:22:a8:58:96:f4:da:df:a2:b9:
+        cc:b6:59:03:17:2e:6c:eb:98:e1:89:f1:02:88:18:1a:97:61:
+        c4:6d:e7:e4:90:f7:f1:3d:b0:e0:16:62:ea:33:5d:dc:51:df:
+        ab:67:a4:a9:23:fd:d5:ad:95:0e:a2:c8:5b:97:85:74:c8:cf:
+        aa:28:ef:9b:53:27:26:a3:6b:12:f8:52:ad:74:83:fd:63:37:
+        01:17:92:93:82:df:85:4c:9d:e3:57:2b:f0:b0:3b:f6:24:fd:
+        4b:7a:c0:f7:5b:f8:c6:97:ee:65:d8:7b:d1:ca:be:bf:ba:bf:
+        c7:45:a0:87:20:b0:a2:09:f5:2d:80:0b:db:29:9c:9b:34:62:
+        83:ce:0d:98:32:7b:2e:5e:64:a2:98:c5:d9:03:ca:82:5d:2b:
+        d7:20:cc:dd:ef:15:3a:a6:c8:7d:ea:3d:de:8a:c3:6f:1b:6c:
+        88:9e:94:11:9f:8c:55:1d:3c:f2:73:90:ff:35:e6:ac:6a:8d:
+        e6:00:bd:27:34:df:74:64:42:50:8e:2e:6a:9f:de:7f:3c:4d:
+        a9:de:69:94:61:11:75:7d:34:5e:c2:be:32:60:8c:d1:70:c1:
+        64:a7:db:e1:ed:1a:14:af:05:3f:59:00:e8:43:fd:2a:c0:78:
+        c0:c3:78:88:b7:cb:21:6f:b7:22:7f:d8:b8:72:c4:b0:4f:cb:
+        96:8e:2a:d4:c7:31:85:40:e9:b9:56:97:ba:08:31:fd:9e:d8:
+        59:82:61:0c:08:e1:3b:88:ef:29:ae:c3:46:53:16:0a:e1:e5:
+        97:2a:6e:ef:dd:e7:0f:4d:c1:19:f2:21:4c:6e:ac:d6:e2:e4:
+        37:04:42:dd:fa:ef:36:47:80:80:3c:d1:b9:45:e2:ec:59:07:
+        2f:37:a1:3a:83:c3:73:9d:ca:75:b4:2f:57:93:ff:53:aa:c2:
+        e7:27:12:34:1f:0d:7a:c7
 -----BEGIN CERTIFICATE-----
-MIIDfTCCAmWgAwIBAgIUM30HpU33E1AcXhTPTV6z++WRB+kwDQYJKoZIhvcNAQEL
-BQAwTTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAoM
-CU9wZW5SZXN0eTEVMBMGA1UEAwwMU2lnbmluZy1DQS0xMCAXDTI0MTIwOTE2NDAy
-MFoYDzIxMjQxMTE1MTY0MDIwWjBNMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2Fs
-aWZvcm5pYTESMBAGA1UECgwJT3BlblJlc3R5MRUwEwYDVQQDDAxTaWduaW5nLUNB
-LTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQChRtw1gSm2O6HanmEj
-BFXsLUJWbrJtGgqTzVQUdBnEInDIUzjMB0Q9TN6Z0+ZM1HTsEI1TQ4uCI67ixyq6
-36tUAPPc9g1g6/ZZ8EKEW3aEAwbh/2gaM7z5fETc0nqq82/KeyaP/5o9alP8rswt
-NOzprhOScXQ6pRNA8YR6pqHnMXyiMuP7uktWesin66nTTzQ6lNM4uhJY/itfHPtf
-tnDzbxzANMjRhpgNTXR4VTJ6TQUQqqMAn52U69qAazex6HwZJiXlTxOrhYB4o7Ol
-44qQBgBKf3ZwzrCKcbyC/h0CZxd34tuWJ1NshjzxgSthKNrAIwRINUaSGREqTSTN
-qo05AgMBAAGjUzBRMB0GA1UdDgQWBBSMWXaGiCMs+iajWBCADvTl29XWuzAfBgNV
-HSMEGDAWgBQYrsmE93XePPeZGHlljpm9+RCQ7jAPBgNVHRMBAf8EBTADAQH/MA0G
-CSqGSIb3DQEBCwUAA4IBAQAHOPEkzQucUPW0mNIA2+9zrdcPX8qp0Thl4MYOnZoz
-HGs/3OOGN3iB83phkLdyVUJlusNMsWe+qGUwiId7XCK0MOBP2TgrKVMTtArq9DsT
-oJRHksgNyMuDK+TX99jNTYEUAdE2Uj+3t51g6Uz/Wk6AUpaid7B/tj83BDd+j5zM
-hlLXZ4qO+xF7FlbFzUfNhrizSe7iecwMYWszcHunOI+esCO+fhAEwQg2JUeQ4Yhj
-NES83lVx4/Xk9F8Usx22JBPbhFo9feea5zaeSWB7lSyM32Z0LvKHM4cWK7TiclbV
-ITO0b5fTQ9MqIYQYAm4+2Adixs+VMk9CCtxlAQx05SPM
+MIIFkDCCA3igAwIBAgIURDhEeJpr1ZZ6q7egg6G3AWyRt4YwDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
+DVNhbiBGcmFuY2lzY28xEjAQBgNVBAoMCU9wZW5SZXN0eTEQMA4GA1UEAwwHUm9v
+dCBDQTAgFw0yNTA2MjExMjE5MDZaGA8yMTI1MDUyODEyMTkwNlowTTELMAkGA1UE
+BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAoMCU9wZW5SZXN0eTEV
+MBMGA1UEAwwMU2lnbmluZy1DQS0xMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
+CgKCAgEAm7RV/rzFE29yKz/50Of9JeIunflira3EfzFo7A2o4AmI5aPqc1OVzVyX
+/1km2YjeZx+uVB+ex7YkzLyVcDaay5t2U/lSvFOYEfxNCKX8V/gePtEhtg9B4QdO
+i0VkBZogf31zz2s5rcM2tg+JKXQuUBVtgM3fjcMzrYmShg9nS52/pbNZJKbwCPf9
+qyfd/qrAoXzATWd3I43oarH5NhHPZKEm1IIwZjK8mmGrIaXDOpaPIWoJ4gOwLMuq
+sO/GH/tks/0HBPl4Sbq+3H9eSqvmXRj8q0F8tIu3UVcoBCuCix2utY2aQtxm+OXG
+vjfAVFGHM2XXgpUmn9zjE1I7wYuRsxlDhS73qSW+oZUKl5Vudop7ilsS8tqCXQNF
+6eE1ad8+rfyXLcfYaOcKiGMfF6oZfazn+Uz3MYGLxi/R+av3DvGyuAjVDGHvZWiV
+/cN+DZ5MFDuvGj+cHp1dHZroEd2ak8PvIQTeS28s3DkODRvKYYM3b9fXkPpD6Y/n
+VGfEP7w/TQFvZhwaxk9WoavK5crzpax/tJpr2kZqnq5r2saepgXxSBPuW6NTzP6B
+JyEb5M56arvBQBTN8VyIP2UFEffm97DU3SbjJwfjswmrH/gnsRHWAzeCmmkrCtoW
+NW9ZA27G79ADsjluRHATtQKP2B14HQVSuNuSGKh7eaJ1yiqx5LcCAwEAAaNTMFEw
+HQYDVR0OBBYEFI6wJrw6o/wJlQkR7FYn9FC6LaQIMB8GA1UdIwQYMBaAFDjqa7GH
+rZjiwup5YE4OLEkwWl8fMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQAD
+ggIBAAwB3lnxphAO66FGLlAM6KAqIsuakQMGbCQL1xDsvBnnbOUyBwphmYU+UNr5
+TjdzrellDPQKLUfuLy3Gz1jTQEqgPp6QQKsmX+wlVpWpbeUmveS+pZ5oDhTJLPQ4
+Sv2vCE1f0GxvvalX36KTxXR2y6mEbGDrjP8YCeKvTexsur/4AWjTYdaQKA543/yE
+k6v8UUTAl+kOhAmgxyKoWJb02t+iucy2WQMXLmzrmOGJ8QKIGBqXYcRt5+SQ9/E9
+sOAWYuozXdxR36tnpKkj/dWtlQ6iyFuXhXTIz6oo75tTJyajaxL4Uq10g/1jNwEX
+kpOC34VMneNXK/CwO/Yk/Ut6wPdb+MaX7mXYe9HKvr+6v8dFoIcgsKIJ9S2AC9sp
+nJs0YoPODZgyey5eZKKYxdkDyoJdK9cgzN3vFTqmyH3qPd6Kw28bbIielBGfjFUd
+PPJzkP815qxqjeYAvSc033RkQlCOLmqf3n88TaneaZRhEXV9NF7CvjJgjNFwwWSn
+2+HtGhSvBT9ZAOhD/SrAeMDDeIi3yyFvtyJ/2LhyxLBPy5aOKtTHMYVA6blWl7oI
+Mf2e2FmCYQwI4TuI7ymuw0ZTFgrh5Zcqbu/d5w9NwRnyIUxurNbi5DcEQt367zZH
+gIA80blF4uxZBy83oTqDw3OdynW0L1eT/1OqwucnEjQfDXrH
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            0c:b5:bf:06:eb:46:8b:03:de:7c:d2:1b:90:8b:34:4b:6b:00:2f:de
+            29:2c:51:02:23:8b:2d:29:88:38:c2:80:f4:87:5f:58:c0:5b:af:ef
         Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, ST = California, L = San Francisco, O = OpenResty, CN = Root CA
+        Issuer: C=US, ST=California, O=OpenResty, CN=Signing-CA-1
         Validity
-            Not Before: Dec  9 16:40:17 2024 GMT
-            Not After : Nov 15 16:40:17 2124 GMT
-        Subject: C = US, ST = California, O = OpenResty, CN = Signing-CA-1
+            Not Before: Jun 21 12:19:16 2025 GMT
+            Not After : May 28 12:19:16 2125 GMT
+        Subject: C=US, ST=California, O=OpenResty, CN=Signing-CA-2
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                Public-Key: (4096 bit)
                 Modulus:
-                    00:c8:04:9f:f7:9b:cc:75:83:f1:2e:d6:15:e3:4a:
-                    99:7c:e6:5e:60:2f:1e:7f:a4:91:6b:de:d0:5c:4b:
-                    59:a5:b4:c1:b3:35:90:7d:7a:98:d3:0e:79:48:61:
-                    fb:0f:58:23:fd:b0:f0:7b:77:c8:82:37:d0:6a:4d:
-                    94:72:a1:06:dd:32:a8:60:79:08:16:2b:ed:0b:5b:
-                    ce:a0:f5:48:ea:5f:39:78:21:39:dd:68:f3:b7:ac:
-                    de:7f:a2:fa:9f:ca:9a:a3:ba:33:c1:fc:5f:90:19:
-                    63:36:8f:a6:ae:58:d8:7d:e9:d3:af:b5:b6:44:93:
-                    cc:ed:6c:37:1a:b5:84:ee:f7:6d:e4:85:cf:21:44:
-                    b3:71:34:06:4d:94:10:54:e5:45:7a:c8:e0:0e:b3:
-                    03:04:5a:32:d7:99:d3:f8:2d:d3:97:a2:ed:be:c7:
-                    72:86:a4:17:da:eb:b4:86:fb:e8:13:cd:8a:fa:ec:
-                    f7:59:03:c8:1c:c7:12:0b:91:ca:c7:b1:5d:9f:72:
-                    34:9d:8b:60:0e:9b:56:19:03:98:e3:51:34:5e:66:
-                    c7:6f:b5:48:f7:b7:b6:b9:48:04:a6:46:f4:d8:25:
-                    b5:f4:ee:a0:00:ce:cf:47:90:c4:fe:1e:19:b7:91:
-                    c0:87:84:57:bc:2e:18:ee:1a:a4:1f:b2:b1:58:08:
-                    53:af
+                    00:f9:87:28:d2:24:cf:76:c3:42:a7:18:6c:54:b8:
+                    6f:34:95:84:3c:0f:49:80:83:86:a1:f0:b8:6d:36:
+                    df:63:39:18:e6:8d:0b:9a:04:6b:af:83:a6:6b:56:
+                    2b:9a:8e:8d:a9:7f:3b:4b:96:e9:84:07:9f:c4:13:
+                    2b:92:7c:32:76:2a:3c:df:9d:b1:d4:da:59:9b:5f:
+                    79:b8:eb:55:41:3b:e3:f6:e7:b3:99:fa:99:55:d5:
+                    11:4d:9e:94:fe:42:7d:39:3f:61:0d:df:7a:01:01:
+                    a7:2c:d5:c3:2f:cc:14:e2:38:6b:e7:ac:98:05:50:
+                    84:1e:c8:b7:84:c5:18:a5:9b:9f:27:2c:ab:1a:c5:
+                    8c:3f:58:c0:0f:84:e8:69:5e:01:36:24:1e:7b:e4:
+                    3c:da:09:1b:ff:bf:cf:8b:39:17:3f:9f:dd:7e:ae:
+                    4e:84:a5:29:d7:a0:f5:35:28:87:b4:2b:0c:65:cc:
+                    1f:94:fb:b1:47:7b:8d:05:49:35:c1:68:ee:9a:5d:
+                    96:e6:e7:a8:06:36:fb:1a:df:fb:67:28:4a:ea:36:
+                    ae:16:07:5c:92:43:4c:b1:25:9f:32:f4:e9:8a:60:
+                    6e:ed:1e:f0:ab:2a:f9:f8:a7:68:60:61:38:44:23:
+                    3c:eb:4d:04:c9:e7:ea:f0:c1:6e:f7:28:e1:06:a4:
+                    0f:a9:03:6b:3b:9d:78:97:ac:0c:b7:7f:21:fd:f5:
+                    94:8f:5e:e8:f5:f2:6b:be:92:54:33:db:97:e0:17:
+                    85:96:3e:8d:71:6c:d8:9f:3a:7e:3a:4f:a8:d5:f3:
+                    c2:44:1b:34:de:4b:7e:e1:b1:99:31:c5:20:39:cf:
+                    c7:44:11:5c:b0:07:bc:65:8a:d4:ae:a5:36:19:c9:
+                    4c:0a:f5:02:0e:e8:cd:30:25:7c:43:c9:de:ad:8e:
+                    87:56:3a:40:e8:da:bb:45:4c:a5:39:df:fa:34:8e:
+                    38:4a:e0:b1:b3:9c:de:86:93:44:25:31:fc:54:a4:
+                    c3:e1:b3:9e:78:2c:8c:bd:52:03:9c:16:64:a2:90:
+                    0a:dc:05:b0:7f:6d:18:cc:5b:59:5e:a0:b8:10:ad:
+                    fd:70:18:59:2c:81:87:b2:47:05:8b:d2:c6:af:64:
+                    cb:e6:bc:75:ed:dd:e7:2c:9c:cf:0d:54:b1:20:b9:
+                    6b:e4:72:1a:9c:13:be:bd:f9:08:b7:81:3b:35:c0:
+                    a4:8f:3e:a7:ff:75:26:68:12:b0:00:20:0a:c1:e2:
+                    a3:17:0b:20:0a:44:f9:8a:2c:7b:5a:e1:cb:ce:db:
+                    a3:72:7f:5a:ed:0c:5e:b6:c1:5f:b1:4a:ba:52:eb:
+                    71:89:64:d4:fc:1b:c7:55:6f:f2:6d:18:e3:7a:71:
+                    84:8d:b7
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                18:AE:C9:84:F7:75:DE:3C:F7:99:18:79:65:8E:99:BD:F9:10:90:EE
+                92:94:BF:A7:B4:38:25:CB:E6:55:A7:69:47:EC:3F:79:77:0D:64:8E
             X509v3 Authority Key Identifier: 
-                04:50:99:50:3E:93:4D:87:59:5C:D6:56:BD:2C:BC:32:97:42:C5:6E
+                8E:B0:26:BC:3A:A3:FC:09:95:09:11:EC:56:27:F4:50:BA:2D:A4:08
             X509v3 Basic Constraints: critical
                 CA:TRUE
     Signature Algorithm: sha256WithRSAEncryption
     Signature Value:
-        06:6c:e5:3d:e9:c0:f1:d1:59:15:20:e1:01:94:83:27:ca:f5:
-        03:b0:31:48:fd:cb:3f:15:df:50:bb:d7:4c:f8:88:78:10:0a:
-        e1:48:a7:45:e6:69:2a:f1:05:ac:fa:df:1f:ed:63:3f:c6:e4:
-        33:ee:a9:29:ed:25:f3:90:bb:d4:f0:a2:cf:01:0f:e2:34:41:
-        cf:a0:d0:7a:21:d7:3e:b6:5f:8c:ef:ac:68:7b:2e:70:c1:e2:
-        bb:aa:4e:d3:59:e2:09:20:51:42:cd:0c:e2:02:ec:63:38:2b:
-        bc:b5:2b:04:b6:bc:10:b3:ed:6a:aa:7c:18:c0:03:fe:c4:78:
-        c8:67:59:fd:6d:d3:6b:57:a4:9b:c5:75:7f:bf:e9:56:66:51:
-        eb:af:4f:f7:56:61:e3:7f:48:6a:d0:22:72:20:76:df:e7:e1:
-        e9:c4:91:27:7d:34:35:8a:7e:38:93:1d:66:a4:f4:55:df:03:
-        4c:f1:60:14:14:1e:f5:a7:b7:76:6f:7b:56:64:5d:6e:bf:d1:
-        bc:8b:7d:b0:e2:d1:40:53:08:02:da:6c:cf:9c:b2:cc:66:dc:
-        bc:f9:6c:33:77:aa:42:5b:52:af:39:6f:a3:37:ea:b7:66:94:
-        f3:63:80:98:83:68:04:c7:5c:45:20:30:0a:85:02:96:cb:6d:
-        93:40:28:87
+        6b:50:69:d8:2b:98:43:91:75:aa:f4:66:9b:69:70:19:b1:39:
+        97:99:37:fc:f6:83:32:67:63:d4:66:a4:12:e6:33:33:48:92:
+        d3:7e:5d:36:a2:d4:e6:ca:38:62:4f:7b:94:96:ca:d0:86:d4:
+        b9:77:2a:06:6b:8f:ef:dc:a7:df:bf:d3:70:2f:62:9d:0b:50:
+        ec:0c:b6:ac:cf:a3:5c:1b:36:04:74:d3:d5:72:31:e5:32:8c:
+        c3:e6:34:90:51:c5:6b:06:61:76:33:bd:85:d4:b5:e2:17:38:
+        3b:dd:fa:2c:23:bf:3a:75:37:6b:88:d6:d9:9a:1d:ea:a7:e6:
+        b9:fb:05:79:4f:e0:7a:b4:70:b0:85:8b:ff:04:12:a6:71:06:
+        04:c9:8c:84:7f:33:c2:73:b8:80:65:04:b3:44:54:ba:f6:38:
+        6d:73:2b:77:41:a1:90:e0:f8:99:05:07:fc:15:33:3f:d1:41:
+        4e:5a:47:55:de:ec:3d:e2:52:a0:36:82:cb:e2:3f:5e:6c:f7:
+        49:e5:fc:9f:99:89:14:ac:f0:a2:89:10:d1:3f:1c:20:94:ad:
+        e7:18:31:7f:c1:2c:ff:16:fe:09:ee:56:6e:d4:1d:65:cf:36:
+        f5:2f:69:95:49:d3:58:4d:b6:67:7d:9d:fa:c4:75:e4:e7:2e:
+        fe:43:fa:34:67:24:57:ac:f4:41:e8:de:62:e1:98:db:fe:a8:
+        5d:0a:59:75:26:39:2f:06:cb:3f:48:8d:cf:b0:6c:ac:f1:1d:
+        8f:bc:c1:1d:d6:d1:03:13:04:77:52:4d:a1:b1:0c:61:86:db:
+        74:ed:66:01:bc:ed:81:5e:05:6b:45:0d:87:f0:16:35:03:20:
+        32:70:ff:d3:74:7b:28:83:d8:f9:29:30:b8:4d:09:5f:69:44:
+        e0:f5:9f:02:8e:6b:91:ab:f9:1e:9f:24:cb:0d:23:34:c3:16:
+        86:98:28:5d:cf:eb:ed:42:76:91:cc:83:0f:50:58:53:be:f5:
+        85:2e:4c:c6:f3:d2:74:96:cf:8e:1d:d5:92:7c:6f:25:a9:82:
+        54:03:47:43:00:1e:4e:40:12:61:bf:82:02:a0:f3:93:5e:44:
+        fc:a8:4d:ec:2d:36:f0:f6:48:24:b0:4a:ee:ef:4e:aa:42:26:
+        76:2e:eb:b2:34:16:f5:c8:17:3e:a5:0d:33:75:ce:4a:93:03:
+        71:6b:21:8a:be:80:58:29:62:1f:fb:9c:4e:6e:cd:41:f5:64:
+        7d:6a:b7:d1:c4:5b:18:f4:31:71:4e:d0:e2:a7:05:bb:8a:65:
+        ab:f6:cd:6a:ff:a3:28:62:01:00:c7:dd:0a:31:ca:50:22:a4:
+        8e:01:33:fb:a0:d8:4b:8f
 -----BEGIN CERTIFICATE-----
-MIIDkDCCAnigAwIBAgIUDLW/ButGiwPefNIbkIs0S2sAL94wDQYJKoZIhvcNAQEL
-BQAwYDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
-DVNhbiBGcmFuY2lzY28xEjAQBgNVBAoMCU9wZW5SZXN0eTEQMA4GA1UEAwwHUm9v
-dCBDQTAgFw0yNDEyMDkxNjQwMTdaGA8yMTI0MTExNTE2NDAxN1owTTELMAkGA1UE
-BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAoMCU9wZW5SZXN0eTEV
-MBMGA1UEAwwMU2lnbmluZy1DQS0xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAyASf95vMdYPxLtYV40qZfOZeYC8ef6SRa97QXEtZpbTBszWQfXqY0w55
-SGH7D1gj/bDwe3fIgjfQak2UcqEG3TKoYHkIFivtC1vOoPVI6l85eCE53Wjzt6ze
-f6L6n8qao7ozwfxfkBljNo+mrljYfenTr7W2RJPM7Ww3GrWE7vdt5IXPIUSzcTQG
-TZQQVOVFesjgDrMDBFoy15nT+C3Tl6LtvsdyhqQX2uu0hvvoE82K+uz3WQPIHMcS
-C5HKx7Fdn3I0nYtgDptWGQOY41E0XmbHb7VI97e2uUgEpkb02CW19O6gAM7PR5DE
-/h4Zt5HAh4RXvC4Y7hqkH7KxWAhTrwIDAQABo1MwUTAdBgNVHQ4EFgQUGK7JhPd1
-3jz3mRh5ZY6ZvfkQkO4wHwYDVR0jBBgwFoAUBFCZUD6TTYdZXNZWvSy8MpdCxW4w
-DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEABmzlPenA8dFZFSDh
-AZSDJ8r1A7AxSP3LPxXfULvXTPiIeBAK4UinReZpKvEFrPrfH+1jP8bkM+6pKe0l
-85C71PCizwEP4jRBz6DQeiHXPrZfjO+saHsucMHiu6pO01niCSBRQs0M4gLsYzgr
-vLUrBLa8ELPtaqp8GMAD/sR4yGdZ/W3Ta1ekm8V1f7/pVmZR669P91Zh439IatAi
-ciB23+fh6cSRJ300NYp+OJMdZqT0Vd8DTPFgFBQe9ae3dm97VmRdbr/RvIt9sOLR
-QFMIAtpsz5yyzGbcvPlsM3eqQltSrzlvozfqt2aU82OAmINoBMdcRSAwCoUClstt
-k0Aohw==
+MIIFfTCCA2WgAwIBAgIUKSxRAiOLLSmIOMKA9IdfWMBbr+8wDQYJKoZIhvcNAQEL
+BQAwTTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAoM
+CU9wZW5SZXN0eTEVMBMGA1UEAwwMU2lnbmluZy1DQS0xMCAXDTI1MDYyMTEyMTkx
+NloYDzIxMjUwNTI4MTIxOTE2WjBNMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2Fs
+aWZvcm5pYTESMBAGA1UECgwJT3BlblJlc3R5MRUwEwYDVQQDDAxTaWduaW5nLUNB
+LTIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQD5hyjSJM92w0KnGGxU
+uG80lYQ8D0mAg4ah8LhtNt9jORjmjQuaBGuvg6ZrViuajo2pfztLlumEB5/EEyuS
+fDJ2KjzfnbHU2lmbX3m461VBO+P257OZ+plV1RFNnpT+Qn05P2EN33oBAacs1cMv
+zBTiOGvnrJgFUIQeyLeExRilm58nLKsaxYw/WMAPhOhpXgE2JB575DzaCRv/v8+L
+ORc/n91+rk6EpSnXoPU1KIe0KwxlzB+U+7FHe40FSTXBaO6aXZbm56gGNvsa3/tn
+KErqNq4WB1ySQ0yxJZ8y9OmKYG7tHvCrKvn4p2hgYThEIzzrTQTJ5+rwwW73KOEG
+pA+pA2s7nXiXrAy3fyH99ZSPXuj18mu+klQz25fgF4WWPo1xbNifOn46T6jV88JE
+GzTeS37hsZkxxSA5z8dEEVywB7xlitSupTYZyUwK9QIO6M0wJXxDyd6tjodWOkDo
+2rtFTKU53/o0jjhK4LGznN6Gk0QlMfxUpMPhs554LIy9UgOcFmSikArcBbB/bRjM
+W1leoLgQrf1wGFksgYeyRwWL0savZMvmvHXt3ecsnM8NVLEguWvkchqcE769+Qi3
+gTs1wKSPPqf/dSZoErAAIArB4qMXCyAKRPmKLHta4cvO26Nyf1rtDF62wV+xSrpS
+63GJZNT8G8dVb/JtGON6cYSNtwIDAQABo1MwUTAdBgNVHQ4EFgQUkpS/p7Q4Jcvm
+VadpR+w/eXcNZI4wHwYDVR0jBBgwFoAUjrAmvDqj/AmVCRHsVif0ULotpAgwDwYD
+VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAa1Bp2CuYQ5F1qvRmm2lw
+GbE5l5k3/PaDMmdj1GakEuYzM0iS035dNqLU5so4Yk97lJbK0IbUuXcqBmuP79yn
+37/TcC9inQtQ7Ay2rM+jXBs2BHTT1XIx5TKMw+Y0kFHFawZhdjO9hdS14hc4O936
+LCO/OnU3a4jW2Zod6qfmufsFeU/gerRwsIWL/wQSpnEGBMmMhH8zwnO4gGUEs0RU
+uvY4bXMrd0GhkOD4mQUH/BUzP9FBTlpHVd7sPeJSoDaCy+I/Xmz3SeX8n5mJFKzw
+ookQ0T8cIJSt5xgxf8Es/xb+Ce5WbtQdZc829S9plUnTWE22Z32d+sR15Ocu/kP6
+NGckV6z0QejeYuGY2/6oXQpZdSY5LwbLP0iNz7BsrPEdj7zBHdbRAxMEd1JNobEM
+YYbbdO1mAbztgV4Fa0UNh/AWNQMgMnD/03R7KIPY+SkwuE0JX2lE4PWfAo5rkav5
+Hp8kyw0jNMMWhpgoXc/r7UJ2kcyDD1BYU771hS5MxvPSdJbPjh3VknxvJamCVANH
+QwAeTkASYb+CAqDzk15E/KhN7C028PZIJLBK7u9OqkImdi7rsjQW9cgXPqUNM3XO
+SpMDcWshir6AWCliH/ucTm7NQfVkfWq30cRbGPQxcU7Q4qcFu4plq/bNav+jKGIB
+AMfdCjHKUCKkjgEz+6DYS48=
 -----END CERTIFICATE-----
diff --git a/t/cert/chain/gen-chain-der.sh b/t/cert/chain/gen-chain-der.sh
new file mode 100755
index 000000000..29dbf56dc
--- /dev/null
+++ b/t/cert/chain/gen-chain-der.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+openssl x509 -in signing-ca-2.crt -outform der -out signing-ca-2.der
+openssl x509 -in signing-ca-1.crt -outform der -out signing-ca-1.der
+cat test.com.der signing-ca-2.der signing-ca-1.der > chain.der
+
diff --git a/t/cert/chain/gen-chain.sh b/t/cert/chain/gen-chain.sh
new file mode 100755
index 000000000..d49bf0295
--- /dev/null
+++ b/t/cert/chain/gen-chain.sh
@@ -0,0 +1,7 @@
+openssl x509 -in test.com.crt  -text -noout > chain.pem
+cat test.com.crt >> chain.pem
+openssl x509 -in signing-ca-1.crt -text -noout >> chain.pem
+cat signing-ca-1.crt >> chain.pem
+openssl x509 -in signing-ca-2.crt -text -noout >> chain.pem
+cat signing-ca-2.crt >> chain.pem
+
diff --git a/t/cert/chain/gen-root-ca.sh b/t/cert/chain/gen-root-ca.sh
new file mode 100755
index 000000000..77d539fd0
--- /dev/null
+++ b/t/cert/chain/gen-root-ca.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+CERT_NAME="root-ca"
+DAYS_VALID=36500
+KEY_SIZE=4096
+COUNTRY="US"
+STATE="California"
+LOCALITY="San Francisco"
+ORGANIZATION="OpenResty"
+COMMON_NAME="Root CA"
+
+openssl genrsa -out ${CERT_NAME}.key ${KEY_SIZE}
+
+cat > ${CERT_NAME}.cnf <<EOF
+[req]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca
+prompt = no
+
+[req_distinguished_name]
+C = ${COUNTRY}
+ST = ${STATE}
+L = ${LOCALITY}
+O = ${ORGANIZATION}
+CN = ${COMMON_NAME}
+
+[v3_ca]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical,CA:true
+EOF
+
+openssl req -x509 -new -nodes -key ${CERT_NAME}.key -sha256 -days ${DAYS_VALID} \
+    -out ${CERT_NAME}.crt -config ${CERT_NAME}.cnf
+
+openssl x509 -in ${CERT_NAME}.crt -text -noout
+
+rm ${CERT_NAME}.cnf
+
+echo "Root CA certificate has been generated as ${CERT_NAME}.pem"
+
diff --git a/t/cert/chain/gen-signing-ca1.sh b/t/cert/chain/gen-signing-ca1.sh
new file mode 100755
index 000000000..5edca7f24
--- /dev/null
+++ b/t/cert/chain/gen-signing-ca1.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+# set environment
+ROOT_CA_NAME="root-ca"
+CERT_NAME="signing-ca-1"
+DAYS_VALID=36500  # 100 years
+KEY_SIZE=4096
+COUNTRY="US"
+STATE="California"
+ORGANIZATION="OpenResty"
+COMMON_NAME="Signing-CA-1"
+
+# check root ca exists
+if [ ! -f "${ROOT_CA_NAME}.crt" ] || [ ! -f "${ROOT_CA_NAME}.key" ]; then
+    echo "Root CA certificate or key not found. Please generate them first."
+    exit 1
+fi
+
+# generate private key
+openssl genrsa -out ${CERT_NAME}.key ${KEY_SIZE}
+
+# create certificate request config file (csr)
+cat > ${CERT_NAME}.cnf <<EOF
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[req_distinguished_name]
+C = ${COUNTRY}
+ST = ${STATE}
+O = ${ORGANIZATION}
+CN = ${COMMON_NAME}
+
+[v3_ca]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical,CA:true
+EOF
+
+# generate certificate request file
+openssl req -new -key ${CERT_NAME}.key -out ${CERT_NAME}.csr -config ${CERT_NAME}.cnf
+
+# sign the csr using the root ca
+openssl x509 -req -in ${CERT_NAME}.csr -CA ${ROOT_CA_NAME}.crt -CAkey ${ROOT_CA_NAME}.key \
+    -CAcreateserial -out ${CERT_NAME}.crt -days ${DAYS_VALID} -sha256 \
+    -extfile ${CERT_NAME}.cnf -extensions v3_ca
+
+# show cert
+openssl x509 -in ${CERT_NAME}.crt -text -noout
+
+# remove tmp files
+rm ${CERT_NAME}.cnf ${CERT_NAME}.csr
+
+echo "Signing CA certificate has been generated as ${CERT_NAME}.crt"
+
diff --git a/t/cert/chain/gen-signing-ca2.sh b/t/cert/chain/gen-signing-ca2.sh
new file mode 100755
index 000000000..ca311b601
--- /dev/null
+++ b/t/cert/chain/gen-signing-ca2.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+# set environment variables
+SIGNING_CA1_NAME="signing-ca-1"
+CERT_NAME="signing-ca-2"
+DAYS_VALID=36500  # 100 years
+KEY_SIZE=4096
+COUNTRY="US"
+STATE="California"
+ORGANIZATION="OpenResty"
+COMMON_NAME="Signing-CA-2"
+
+# check the existance of the middle ca
+if [ ! -f "${SIGNING_CA1_NAME}.crt" ] || [ ! -f "${SIGNING_CA1_NAME}.key" ]; then
+    echo "Signing CA-1 certificate or key not found. Please generate them first."
+    exit 1
+fi
+
+# generate private key
+openssl genrsa -out ${CERT_NAME}.key ${KEY_SIZE}
+
+# generate (certificate signature request) csr config file
+cat > ${CERT_NAME}.cnf <<EOF
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[req_distinguished_name]
+C = ${COUNTRY}
+ST = ${STATE}
+O = ${ORGANIZATION}
+CN = ${COMMON_NAME}
+
+[v3_ca]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical,CA:true
+EOF
+
+# generate certificate signature request
+openssl req -new -key ${CERT_NAME}.key -out ${CERT_NAME}.csr -config ${CERT_NAME}.cnf
+
+# sign the CA using Signing-CA-1
+openssl x509 -req -in ${CERT_NAME}.csr -CA ${SIGNING_CA1_NAME}.crt -CAkey ${SIGNING_CA1_NAME}.key \
+    -CAcreateserial -out ${CERT_NAME}.crt -days ${DAYS_VALID} -sha256 \
+    -extfile ${CERT_NAME}.cnf -extensions v3_ca
+
+# show certificate
+openssl x509 -in ${CERT_NAME}.crt -text -noout
+
+# rm tmp file
+rm ${CERT_NAME}.cnf ${CERT_NAME}.csr
+
+echo "Signing CA-2 certificate has been generated as ${CERT_NAME}.crt"
+
diff --git a/t/cert/chain/gen-test.com.sh b/t/cert/chain/gen-test.com.sh
new file mode 100755
index 000000000..602b37178
--- /dev/null
+++ b/t/cert/chain/gen-test.com.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+SIGNING_CA2_NAME="signing-ca-2"
+CERT_NAME="test.com"
+DAYS_VALID=36500  # 100 years
+KEY_SIZE=4096
+COUNTRY="US"
+STATE="California"
+ORGANIZATION="OpenResty"
+COMMON_NAME="test.com"
+
+if [ ! -f "${SIGNING_CA2_NAME}.crt" ] || [ ! -f "${SIGNING_CA2_NAME}.key" ]; then
+    echo "Signing CA-2 certificate or key not found. Please generate them first."
+    exit 1
+fi
+
+openssl genrsa -out ${CERT_NAME}.key ${KEY_SIZE}
+
+cat > ${CERT_NAME}.cnf <<EOF
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[req_distinguished_name]
+C = ${COUNTRY}
+ST = ${STATE}
+O = ${ORGANIZATION}
+CN = ${COMMON_NAME}
+
+[v3_req]
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+EOF
+
+openssl req -new -key ${CERT_NAME}.key -out ${CERT_NAME}.csr -config ${CERT_NAME}.cnf
+
+openssl x509 -req -in ${CERT_NAME}.csr -CA ${SIGNING_CA2_NAME}.crt -CAkey ${SIGNING_CA2_NAME}.key \
+    -CAcreateserial -out ${CERT_NAME}.crt -days ${DAYS_VALID} -sha256 \
+    -extfile ${CERT_NAME}.cnf -extensions v3_req
+
+openssl x509 -in ${CERT_NAME}.crt -text -noout
+
+rm ${CERT_NAME}.cnf ${CERT_NAME}.csr
+
+echo "Server certificate for ${CERT_NAME} has been generated as ${CERT_NAME}.crt"
+
+mv ${CERT_NAME}.key ${CERT_NAME}.key.pem
+cp ${CERT_NAME}.key.pem test-com.key.pem
+
+openssl x509 -in test.com.crt -outform der -out test.com.der
+openssl pkey -in test.com.key.pem -outform DER -out test.com.key.der
+
+cp test.com.der test-com.der
+cp test.com.key.der test-com.key.der
diff --git a/t/cert/chain/root-ca.crt b/t/cert/chain/root-ca.crt
index 8cf5fe9d6..6427d8c6d 100644
--- a/t/cert/chain/root-ca.crt
+++ b/t/cert/chain/root-ca.crt
@@ -1,22 +1,33 @@
 -----BEGIN CERTIFICATE-----
-MIIDozCCAougAwIBAgIUdmkIBFh4ZZVGcEYPDjcLqgZbXR8wDQYJKoZIhvcNAQEL
+MIIFozCCA4ugAwIBAgIUW0gKwnXrZy/HqhP/6Kwfw7VBPE4wDQYJKoZIhvcNAQEL
 BQAwYDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
 DVNhbiBGcmFuY2lzY28xEjAQBgNVBAoMCU9wZW5SZXN0eTEQMA4GA1UEAwwHUm9v
-dCBDQTAgFw0yNDEyMDkxNjQwMDBaGA8yMTI0MTExNTE2NDAwMFowYDELMAkGA1UE
+dCBDQTAgFw0yNTA2MjExMjA3NDdaGA8yMTI1MDUyODEyMDc0N1owYDELMAkGA1UE
 BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lz
-Y28xEjAQBgNVBAoMCU9wZW5SZXN0eTEQMA4GA1UEAwwHUm9vdCBDQTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBAL2ecdZcrMxA/smtFMphcAbGtRk0/GOI
-wD2a82CtWzUnuq5RqYhLBI1jQ9xkInHdIdnE50U9PpcOihpzxLXpqvP83m+NEut2
-VlrwSAY+hjOJnPM6KeSz5elbWufT3u+NmsQ9sQawiw6MB65aYhiU5SQ8UuZ1LYtc
-MNSgU+npkMbx4LiRf+X0x5rYzsRWM3GFDmaVYQLwdZlPJGQj8Azr5Cqxjh8Se4yi
-rf0coJVGNGxoCKJH4C6HgwvlELweV4M7cTh0E/9o1NHUQG1zT1c/k1kE+SWN4PKu
-MxwPqtFy4c8IYdMxgmECwWeuZqYXEdoD3Rub2r8+UEtB+ScYC8OtaH0CAwEAAaNT
-MFEwHQYDVR0OBBYEFARQmVA+k02HWVzWVr0svDKXQsVuMB8GA1UdIwQYMBaAFARQ
-mVA+k02HWVzWVr0svDKXQsVuMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
-BQADggEBACHB8S3FK5Q1IMznC6l6gYgIrXMCZ4CwGqUqO0xahyePpQ4RfsMS6tQq
-xO2mOsvyqZ4WdsoM/T7Qrx5nxA2eSjcC2K59SgD7h9TScC3/0e2L0l/gxbm4XR7Q
-yuQK8DiP0ChbMU1okVtFz9yDlxxIIHmgCDXSZVwkp+kPemVRo16EA7T2xpkFZhVR
-BNa43iKJw0PzhKAq80Bg5Zy01qY0na5llSu3g+Je8F7sC+ebK5q7nTittnvaXTuc
-kJHTVhRmopGsZp7DTPDYWDvMh/3vTYszlHC525RZvcFQZZrG+49jQTgAWN+Pblyd
-hh3QAEoDVjE4BUrtWJ2H+MeL6G6kgbU=
+Y28xEjAQBgNVBAoMCU9wZW5SZXN0eTEQMA4GA1UEAwwHUm9vdCBDQTCCAiIwDQYJ
+KoZIhvcNAQEBBQADggIPADCCAgoCggIBALBJ288L3Kmu4pxbpSh83wqQkC6DxZ8o
+A6DzsYrzCJKoDv/Ea6reZr33hyBQPltn8oLNDvwngHeX0c6+8V+N1pCnMtQ2c6Ik
+kzdyIM7/i5lFQ9KLMvuUaaS7sRe3HMOz6Z6KHVt3VRemjTkhgdgK3ghgo/5Zd9yc
+2aiOj70Js+CtWagTJ2s1nJ9jRFR8Z3gpcaoNJMJgPDqQ3/hdITMcRitrfimxUvxm
+aTHCHC493brqkhhV/ej6heY4pVR9R4ZXf0veN6Xw2Z2lYlMwaJH1taESQg+MHScx
+eEsM1h2mcDlcfLR4Hjh8nZNOwNMCpUuX2kRSWxOkflYjvmQuaAlrTZJLCzAhKh5J
+t+F3aRNjCdqnxkzW8Z4LwTYkaYofDqezWDfdDCLrAzIZdr0IWAbV6dnUaYE3PScb
+T1oO8Gq6rPLtA4vqry9qB5I9ZwwFBxjtjmIx7XXUdh+/hp8cOPDqmjvKQfnck3ID
+Vt+iGaDIa9gXsebtGvF/pGZkyDS1O+kTW/tNdxCqKqlpYUl0ZRpm1Vqx7WS4NJKk
+vfbPINSqd3gmM2U1nTWy9v7J3THaodUPB8baCXBOYbenBKZrj6mU/2Tg482DXywy
+DjQBj8RONUMyoF6vFoUIztx0PisXNlKYEP5Hk5V5cG9P9uzaH2ubMPymdi4zfoD2
+ArpPARXyOKJtAgMBAAGjUzBRMB0GA1UdDgQWBBQ46muxh62Y4sLqeWBODixJMFpf
+HzAfBgNVHSMEGDAWgBQ46muxh62Y4sLqeWBODixJMFpfHzAPBgNVHRMBAf8EBTAD
+AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQB1/LTjy7JN8NUCwUZ0lqhxcjdbvrf1mL2w
+YdRu8gkXj6VeHQ7F+DCioXnSsnpkLI+sFDPJpeTOrUIEI+4yvjD3QL8/hQJlc0Uv
+cnRR9hwPaS/4e6VdWKpO3/PIY2XGJufyrvxk4gDvTF/rTvNfzLdSVkN9KDtjF1YV
+ITYOTYwGD75X5XO9qyOhOqZ17YknMHXgcq+Gjw/yDN4psPEK2/TIT144YZkGUL+8
+tiTzxLkomwHEC4Mmm19q/hUd00Daimd5hqYommsJz8izvWBx21KsoTpC/QRTON9c
+Tn1E0XLGPr/YXhOI7pfMd4YWzg5FacDPCNkbhMMrJtxn2BOugZN+b0mbEu90NhEd
+Mr+0EnTWREBjUiawYYWKKzLjcaxesK2cdYDY790rrcD3rh7Qf2UvP6CLgAk5WPpl
+NnHXSUk7dXA4oGyuU6koOlNnsXsPL9coUqigorVtvTFh4U5nHpzFVQIZ4XDVFKpe
+/EU2l0UI3tMoXiQU7+ye0H/jr7G+VRaZPI6bRmlfhDxIAujUvZtSeSCp4zejK2L1
+p7FEg6CYCBrhixRfMXnUg0DGF/xXnSMyH1S1r/6BtFgStDJWJwxPay8DP1HqA0u5
+rCZ1CcT2aExYDs6rfm1qX4k8EAUzTuzOjxRDiBJXQngQJ5Z9hd24GGAj+vtStF6w
+4/hD60/JGw==
 -----END CERTIFICATE-----
diff --git a/t/cert/chain/test-com.key.der b/t/cert/chain/test-com.key.der
index 9a59f17a1..b43d95406 100644
Binary files a/t/cert/chain/test-com.key.der and b/t/cert/chain/test-com.key.der differ
diff --git a/t/cert/chain/test-com.key.pem b/t/cert/chain/test-com.key.pem
index 391e6c49a..72aaa0d27 100644
--- a/t/cert/chain/test-com.key.pem
+++ b/t/cert/chain/test-com.key.pem
@@ -1,16 +1,52 @@
 -----BEGIN PRIVATE KEY-----
-MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAJpEN5QaW/twpcRE
-vdRKi10BejLJl6DCFDDtK+xsi7UnBvVn6G6nuGEUtw6Ytx9nM0CX2ONGV7UEwJ9D
-63IRO+JFAAIdJk5uuH/i9L6ijM+21n/xsQpxxamsKnzMw25bg+luv/iYqpQOtjWx
-ISImfBwqJhKq5KwYjOwxd+jb6xoRAgMBAAECgYAj8GiSVGHBfkjgJLOk1YkKLeHu
-GxD8HrrdeyOUfOU/WsxAN+jqfqBx3YWYHPPsmPpTvgyFRkoAng7SC9y6QlGU1Kub
-lT7Xbo/uXx/6vwrqJEozfXI+2jpyx0q90MDsX2oRVk9yTH92qSvOR9L1gXy/lsb4
-CnyUEdRhF6xCzvi7EQJBAMmWi593JvJ8xdJjROzKgT9eJxqtL1LHL7hlf35lndFG
-jPkrNSshimYvA2JVbJXUOcO6ONWrfBkPVmNx1wPNlQ8CQQDD59DALOVmPt0F7poe
-08qfo2ibXLduyJqErcPncAnPjCdm4Uc32d6Fz/mS+8ZkSSpwgXd8e0YoQrebOvHu
-uZ7fAkAI3vsd9VxdZ2g9LekmknLFmxsVbXGbrvBGqRDHOymKwBQMEv6v+zXf8Umw
-1hmFLmWsW1GM9ZLsd2RR0/ymSjG5AkA0JzecoZckhCHFHYMsJ8fufcswaRtwQ7lX
-DwdzSpFiDnbC3cBe7wJdb0OKzLpBInVI5D6SBiNkPnawvZ2ApyvTAkAVcA4NfHFp
-I45ENi28VavfVVjGWq/p3HwkoqC8MAQqRl/wk7lee778OrhGN1rVZUYs2OpT9tkH
-X7WctdP/E07K
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDMHm3snvI+Pxc9
+3hha1sRwmdPNsZlF5+2CaT6F2R/Qv972SRoE1Ml2XJYGTYGYzQuXFdtz3oSKFg49
+CMxv/CxIkkormEBz8kpcznLLBsFppn/wawpPbI5ixv1S1vxcpBoft4F6mzDvrYGI
+6rjGldgqMqKJ0rOd0pmmLVrkQjISVhlb9i43RNqE9oFxSoo6rIS+fYWqPenORZdX
+L14hwyDPfNCFTrwDYUEeP4cwo2y+oDJqT0uBIrSbxDRWVR0H18Om3rQNmOZYDSIu
+QnIEaZMhyzB4BDdmycc4YLXRs6MnihJZ4UzLfXIAEtBb7nm5du27StQzosfgT688
+fyiG6GfCyQPr7ema3M1avVghBydT/EeRCM7ak9fET1/BhSDTbtkrbrGHRt4LXHi3
+nhWyXMlL4VYTNEkBkt2d6U+x2XHQSlp/cHEyM0ia/ebSpEM1RemnjQPznvy1qnd9
+lSxdTxYRqrU4ZGlelNjsMsXtr3BAYdrXZNP2Gm3Bwosy17nfEQQbs9CTJPMsn2Ob
+I3eD3euhs1RFEno8M3jwYWwIpf3ZVP3UaS9SIGjpRQD3o2XRnfDiZxAF24pWB4Lr
+7uZj5UO55KpkchwUPCEl+bJf7Pb3gth90qJ9+smK8jPbxnBmpeJojRp2RDFdS2vO
+y2mO8Z4wUbPyQdjwwQftmib2i6CGQwIDAQABAoICABiKRgP53hI5apVqaLovHOyU
+CetZFp4ux+wdtBcf0gaPstd1qsukO4O1QOeJakh7ymYZNMpFmTYIIyEXuDXJzGx9
+2K33aYmnD7qrABEZraeCjYTS5v6X2gx/yQABzyhiJa6Pf4vFMbPMbojj/gqzWYrv
+4yu3vxbSitzNkiJkNPnltmR11fuYwGmA63IP7fYnkfQG9PV76RVUDOG9/6QGfiDZ
+QYaYFIbsKonfmw9wGR2tS90NIyeSNm2NwA8Vv4jsWgjrYxv0DdQjNsCiBhbdYdjh
+FrbZ0ZaphqqSsflVZAsCZg9pRLQoT6GOTCo+ow13AhY6Ols/jvvls0yOKx9WZ0xE
+OBfaeW/7ymAFYbsFauOFCHQtF01ROa7P54Bt7ALY0ng2698T7fPe6cV31Y81cDwS
+UqPXw71sTMErMlW3GiuRzPaETqiBV1Tq02o0If0PcqERmxhRxUnpHZi4VBhGLa1n
+MAeU+PeYu4Ken4miwbRepa3iyQ9r2vEqhmkJqL39FgQKJktG2tlD8C5SfoqJJAM6
+jXmvCKtn665+25LRacGvxHiyni4ztnRoZX5mexvaa+6l9Ofcj99T4WSxVgNTVvgS
+UiXLrB5zx3p3vFnqTjfqaqNOWaCK5LIrAq8KaCLrDI0841dYH1A/Ggyqrh8w3Drc
+41b4u2uLII2Znovv+OSJAoIBAQDz6Fb0zy9iY+ReLYT8olQSysvfGnrav5Z6yIei
+HrePyBwqzWdjjPObjF2fcMiNi1z/pqTDd+VXYC3Ghq+87PqL/a1fM3OaDi1bjpqn
+0eLvboeP0uJCSUJx5z/uvzR+TgQfQq7/zy7KyJS2f/rSELj3b/3MIfTwd4Z/vDIZ
+VdsFPtigZyreBUc6zfF2pM0Mb+iUqs8quFYuq3hvF94ViML6Zx7xkRa2hu/8XMOS
+ggrROaDgeDkVe1aTaJmxXGzqfrVjggm8flkgfKdLqomT0kXVViLX0uGdJ+hipKYm
+CNqro0DLx57HX0EwebZTDo0nneSAzv1OB3mcdfmj7/+baxaLAoIBAQDWPRgBi/iP
+0/T5c49Q73D+RB2iPZR0YcZW0znGiDNFJc8nVvwbGjYp9K8Re4YtPrJDR9Wu4d6R
+rqKtRBuTSuM04H7I59sdV0WKdsUWIZVD8bn6COU7s/8c60N5SrzReeYxJaC0fA9i
+Vs1/kkQ2ReUj21Iv4GOioamtKiHKOtnDzaxMEfdfTzwDxld6iChg3Qa88H0Nj0vP
+MKY2TtkrhFwyhcFW+AavQZWuy6dcNr3dHUkT+uhyLRZ/W+2zfsyHn6f3hQvxBHUI
+vvunZykFb/qPmuqks6wYlK95fJy+bPOL7OPmc9mnogyl2EdD/iGHFstOS/DZ0BpI
+Y1ZuIh601P4pAoIBAHp2OFq4P9lNwFaM0k2qDz5UNiJxgCeetCY30unSNGXrmkDf
+Wr7AAXwi8Mrh7MAsrefqOqWt6CeDsdgQveHEtlNdbhPzmGJMJffnVL1YA3Il88iB
+oHqZn9PiwNXViLy13Rn4+DaWRq8oIIq1HTEllkkeILbCgeHOkWhHDHxuAAbVNBzt
+T7ejvMzIpCjmu9E3yvYCAPw5C4RpMZHN0QLM5OCmsAGn0FiazZnO1Z8UzeuY3K53
+jmm7wI9IoIpNlp3yOo6Ytty+L2/BRpoWKPdgRxHDKsFkL0UhyWrlsko8fdZZpGns
+c0s1B10YbzOqhbLTcuw9gS8RT7z/+vSVxqe5D9sCggEAFYXdu4oMVqa8nbL2WvMz
+Ltg5Aeud1nNcMazWyRM102SRAyrB+RcRCfYDAIagXDtIPWoiFYerjIc24KFPA+Uq
+Hk3Pbu+cG76AxgBYnHiTPlgyjuQF45GZt5YLGUxg28qbTaSyGG++O+rsijxvjeRH
+uOp3v0eTuury2Oq6qk5vQjSPcrT7XR/gr6BleXHkXJbX7nNanNogi5gfmqUhPDX3
+7TtyyQHx6fl0yDK9hY4aVPR0OwWiBJZzBCiAIOBEO/vWLA+5u2TvPQmyzoaWoG03
+huXRXOqQB4goeNQECz122j/aRXSuESE+lAq+Xh5Rz/iCRENs1vUJLuyL6lSTMSeU
+wQKCAQEA8zDt0mgKxcUEuYhs31n24dXmdctVIeyy4UCBr0O2io3VwJr8NAFirh21
+8/Y9dxI4eHYT7SnWle5zMmLeZAFY79l7ECxEeOHmnJZQ87cTAZu/DmcH4qZpdkfL
+avAbQ5A/aAFCHptaU/E9gnl6581GLOpph5h70LbU9B2oDuy9jPK8StDmxcOY+v9I
+WDVI4RfX05JRz+2UFmwIwIBUppMXYzN+pleHAKFO4i+H6QfIfCx2cbGsuHlPiKNJ
+0o5mGbbxz3aW4MX0F6YNnstNJMkoiAsE7fpapx4P1iTN887u6yoVVseXLvvqhaUP
+83UuGcTxN6GJ8xqlNb6fXp50mDVE4Q==
 -----END PRIVATE KEY-----
diff --git a/t/cert/gen-passphrase.sh b/t/cert/gen-passphrase.sh
new file mode 100644
index 000000000..33d474417
--- /dev/null
+++ b/t/cert/gen-passphrase.sh
@@ -0,0 +1,2 @@
+cp test.crt test_passphrase.crt
+openssl rsa -in test.key -out test_passphrase.key -aes256 -passout pass:123456
diff --git a/t/cert/test_passphrase.crt b/t/cert/test_passphrase.crt
index f4d516ba9..bfcc567ce 100644
--- a/t/cert/test_passphrase.crt
+++ b/t/cert/test_passphrase.crt
@@ -1,17 +1,35 @@
 -----BEGIN CERTIFICATE-----
-MIICozCCAgwCCQDEutRdSs3vZjANBgkqhkiG9w0BAQUFADCBlDELMAkGA1UEBhMC
-Q04xEjAQBgNVBAgMCUd1YW5nZG9uZzERMA8GA1UEBwwIU2hlblpoZW4xEjAQBgNV
-BAoMCU9wZW5SZXN0eTESMBAGA1UECwwJT3BlblJlc3R5MREwDwYDVQQDDAh0ZXN0
-LmNvbTEjMCEGCSqGSIb3DQEJARYUZ3VhbmdsaW5sdkBnbWFpbC5jb20wIBcNMTYw
-NDI4MTQ0MzI4WhgPMjE1MTAzMjcxNDQzMjhaMIGUMQswCQYDVQQGEwJDTjESMBAG
-A1UECAwJR3Vhbmdkb25nMREwDwYDVQQHDAhTaGVuWmhlbjESMBAGA1UECgwJT3Bl
-blJlc3R5MRIwEAYDVQQLDAlPcGVuUmVzdHkxETAPBgNVBAMMCHRlc3QuY29tMSMw
-IQYJKoZIhvcNAQkBFhRndWFuZ2xpbmx2QGdtYWlsLmNvbTCBnzANBgkqhkiG9w0B
-AQEFAAOBjQAwgYkCgYEA2KZ+HdH9R2tarxD8PKqu5EYq2BNGlFRg1xJmrw0XZBRM
-UP/VPb+sIeioooz36uhiXfQjExlpBCA/0zNAN+HbFyqpPPTf1qLGrj/dqeE4MJaN
-Bwzxiv3fZnENT65u2qbiFWIY+ATNHgA20d50nxNNjPTzLbkx/nYXL92r4kuAGk0C
-AwEAATANBgkqhkiG9w0BAQUFAAOBgQCfMo0qbcs3kwl1tcNBO5hCcUUJRzyv041V
-ff/nZ/JPIMo/LSZd12K82G/dLRN7uRT9nzqtm+JRkHALHWWWFKi6bdg1vcdOTWqC
-08bCkJHQoXJQQLvvA6gNvnR+0b7L4CrCmrcyYgKDLXVGNP9Wv/PqSWWbxsmqngkA
-Mvy6CVytFw==
+MIIGETCCA/mgAwIBAgIUE3pqyVuRQL+qGuSFAUCLq4g7pt4wDQYJKoZIhvcNAQEL
+BQAwgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQH
+DA1TYW4gRnJhbmNpc2NvMRIwEAYDVQQKDAlPcGVuUmVzdHkxEjAQBgNVBAsMCU9w
+ZW5SZXN0eTERMA8GA1UEAwwIdGVzdC5jb20xIDAeBgkqhkiG9w0BCQEWEWFnZW50
+emhAZ21haWwuY29tMB4XDTIyMDUyOTA2MTk1N1oXDTMyMDUyNjA2MTk1N1owgZcx
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4g
+RnJhbmNpc2NvMRIwEAYDVQQKDAlPcGVuUmVzdHkxEjAQBgNVBAsMCU9wZW5SZXN0
+eTERMA8GA1UEAwwIdGVzdC5jb20xIDAeBgkqhkiG9w0BCQEWEWFnZW50emhAZ21h
+aWwuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyLzMbnMBcxYB
+2W0uEqPKo2lOJdUQTnakipVLqRvZIJv7NkZgU76pxdFwoSxPpvJcpJ4rsosBZvhV
+dkGoKmuVfIFU0lYcdaccq88aT7E9XfTXiiyB2tkT6jS6wr+QxDj7KW47zdUBUT9O
+6ClNyY2o1gZldElTG0Bwk4j2sAkXuWGmyncTOJ4ge3mWVksAQYbL5pwfdfyqgDmK
+B4nLJHBkorLbF7nm7pK2HzQCtaEUJpQKpJdCULcOHrydjVAwHUQsZAb9XXjQWPTb
+A0BSplbgMSI6saT9uA2RjLBzpYKj8J1rWGadWteSyQAf6XooQrquTPuR+OWF6t/m
+2vkTcJlh1ukPPAPZBvlAQX9VSLWk5fmAQZA5BxYXNVWcMGVNO7UtilRmjqK1nCmv
+oyDXHzpE5RZPBZH4ecOqTscUgmS72ItPGWMtEtCQYbzWyMAa1cpCvK40YRa4814r
+XgffWgWJQfqyVvRjzpWIUiqwjUX3/p3W3pxX/GNHOv2ZH/pebcODOl7EFxzv5eQc
+z9vW5+RfiCSzs5bGG7qw58dMFROeAJbwR6t2o6GRd0HfgTTwSDcrrpcdLP/PaL+v
+twnrNa9r7rIwXnDWxYo3KiGpqEfG2WwW+lJsUzZOi9eI9kYPyvFmNFLugZbHMi+h
+ICCb8AQB2thON5X4N7FtP5GVfMR9vIkCAwEAAaNTMFEwHQYDVR0OBBYEFDEy866N
+WPHPTJKeL/96VYoczkINMB8GA1UdIwQYMBaAFDEy866NWPHPTJKeL/96VYoczkIN
+MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAHJgyS6/OyRqzqwd
++6DnntGV+MTo9WBNvNs/fekJghnrr85oG330GasYENQLi0wF20to7FMan2U9kwgV
+cbhDwe70JD0jg8htYof/uXOMBVWT4iZ+eXn60mP3iLsSutwt/drXBBzbxMYbUC12
+CIiadkV8aMPIN6oGnF7TLF4AvBqYYp2qAVGXr/ZQm3L7NPB0jkSktSe6obnaq1tO
+ug18ImhzAqkn1UGnLRiTADOba5HuKtovwWtLblNBODdnv1E7IK1A6jpqwiYjlbU5
+4v9ZzFzEJw+GqYHkTRmJGCA2Uw7HNEUFeno1BTp19Ce9fvrkofTWYmLp/NAvEp6E
+aFnBdCjY4tWzI2Iig7IjDIM7F6igGODybeN9ijD7oSyEDtNE7ECLSuXhgekiQJ8c
+NYALgbbNPxWx8zJcNiYy1NDYdIjO5vYFOpbn+rQObKVCX/X+Al9fT126ciTT1xAF
+fZtkGPpp3Wjgws9UDSzetvWHYt0Rs70m351LFPHyR4tQLHoDFqnA2buG/mSvKZ9U
+to0JQ/8QPRIYv0FUJcF0+/xQRYrIqvmjiCpfL2hwJyRViq7f8z0/tmMoLxFlPo/k
+GC+gvh3WwTB622h9JEqS48lllcYZIQWOX2mbFtUtNFdzUtSRmZMa8RmcYr5So2OH
+9QLIIjC6ntPFjWq+uLJAJ8uazRt7
 -----END CERTIFICATE-----
diff --git a/t/cert/test_passphrase.key b/t/cert/test_passphrase.key
index b8fc97634..92aa16e76 100644
--- a/t/cert/test_passphrase.key
+++ b/t/cert/test_passphrase.key
@@ -1,18 +1,54 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,679ACC8E69ACAA92
-
-Ssrjp3VU4somCNPiXkWqcudDnvnwbyj/Q0pS07at3lXKbhQSgI1Tzhg9Pm3BXXj5
-mkLdeGG5ocrj1Q9dhtmZgZeHHQIiynZBhjBu1Y+HPef8jXOWLrCOi8EKiWkJ2qG3
-V1KFM/95CcDt0mRLykUXEL3IpUst05SFb9XwiLokB7ypeu3NhgNUHjL6G+ubB4ri
-TOUjCW4pEoNHjdC22IiqSncwCVhluYSGhr6ktHKehZMhYIXmL1wmSLdhTlsPXCQl
-xvYILQ2vJcKIR1BkeYYPD/OQC6zCZlXIErzfgeZiz2+NTudKYpb9VmsQKsO+R8L7
-tZ/fNaR0vk8bbimMHgStAV4acVsC/7WxsqOjMJ8VTq1iqhYPl6N7kRdR3H3kSSOm
-cN9T3SrOHDVaHbnWgToaOE4mKFjvFSLIOcWgus0iOHWXmY+SLG+Ndag3oVB6R9oB
-cAHX19mq99+GhzA8IV4I0En2UCKQhnGPvkM+9mcCDxhRETlwncDjlMGOHpQ65J9r
-eReVPIpnDkvHxPGTtsR3ZHTdWTZb+C0W2N3QIlJKrOzxFmfoj++yG3tMX42aDY0g
-DVkrXgcKobiWN0AVrJNAwfG7uObKSCFYgz/0RRMCO4cjXRW99nxdjVDZhyc6R0Te
-jzuF04okkOLNb25n2hP+yIULrn+6Nv/uHtFI0j0n3hOzcKh//dNbACSAKgkHni9g
-JKDFJXgLJxf+Wc3So0DF9gYMKJJ+WbcdVT9gkC7RyQHlC90Pn7kNXzHr0ZawUsNI
-ZxSkL4dMhYAfA4lUBJbOkwbSurv97LinOSRffpM0Nmf7VNw/Ue15eg==
------END RSA PRIVATE KEY-----
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJtTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQ+XrpmjLuCV6yioQx
+bDkHGAICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEEEZf04dWBguZFEH
+gKET9LwEgglQ4J5lbYUuh8Fe9xN2UEBwGU9RdYQcD8G9aWmenPz6iXdo+XN58sfw
+Ei1L+R3BI3vsbz9+qwBkM/fpj5/+goEWPK3MtBKxX/96gksiK4x7W7D2euS0oSLd
+Ssb/p6EWZO9Oq7x/b9cl1Xf86aZGQLK5i0paDrFWyIAbmn8820uRx6j25yCmef3/
+UnKE3HcBCNpaUulVd8FEaqaeLZqF1B8teccW28JVqrQHVPReGX6NVjuUzuHgpum5
+adlSmdJ+xZKvFDPSijo4v/IshPKHiFTFNAJCVGm+QHTPv3YHYUio8dI1rMutOlBH
+Hpr5o7WmgveCnjeEf8R6fmAtDEgqJm+YjjnhDAToP/xakqF2Weo/N4vtq1CJmW9m
+eO5hlFKqcR5bPGBYjpD+jHj/CHNKkqLVMHmtKvb5QdbbLiCNTu2yY2IhmmXzPMGq
+nA8MHw53ESvOGZ+Ff+uuxosq+bPMvxWoNzpS1GxE8/NejaXoZLh7VJpmURUJQAQO
+xKz/s6UK5OZccGyM3QNwvdQHBbLVDjLL2Tm9eht61+t/yDdMx5WoYS4TDQKJ7HPy
+6G1Bv65NY/SYJGjD4Ah9hzLUJOHNV7NxMgLX0MJgmFblNgCKeV+Uz32NvoySkvNw
+WLueDkatcL3H5lVWf6qufBzg27hvW23JlkG7TZ4oUA240KUbzSCBTKVPQyyX9/sM
+lffIhTJ+oIBav7s2qQbBdfWDx2SuSaO8VH1DaKk1qzLKurkKhD+MID6R4tuBtF+4
+a4q/CiV+pSWEF8WnZNBG+AMONFMbNPe1UoU/Cpda5qy4Ye8+/0zT3gsD6RmX2obq
+NaZjWO98N5SXOUfv7X3PHFtfcnrj6LJJDUvortAKb8j3YONC7eEnhcIyy8RFRbJD
+RgZgS8TQ+9IYkOVv5RRdYD8iVpt6tpErJ22W/UdheN5hEkvKj769Er2L02c+lGZu
+qIPw/l5z7jAViGwjnIPz1zyWUL3z9qNYlxh+nowP53366TiYxOCAiM7ChXpppuwc
+ynkO3eTc8lzHRQ9ylylAxaNE3/BjNmwkXG6bg9sLxFyWbzu3bIbmUG/eH7fNtYOw
+JYbJ4sWYqNdZ+CRD1164bB1WcmDNwaL2YynSlmCZB14EzWZds1k2xuK+IBkwy7c/
+iv+WtBZCc/HV9jcqZ0n1untAYRLve6uwsnqWy/KaqS0mUFpmo6Q/1ZC2swNlA4pv
+w3DR53zloTwFVe4yi2/kk77XUKdAS2TBZP9ry8AMF/A8SEJGQ3peV+yxyRgQOkOP
+CuovcY9uBh84dK9IEpsjPh0DqNEGhs7ypa6Jsihy5HNhNgKv/SeLlkQLASq/os0J
++6D0PhuGGqb9O7V+gDChZ4gTnAziuiQfcC0ofzHy2GIyZ8fsXjIRgbotYA8oe2zS
+qRScqUwbusR19TppDz/uOell9CEQGFJRecGsoNWcgVIhPpUEepvZsEPQ12k3bSq2
+yyo3lqTGMizyfoIRG3XLYKLUme15DwSSuTZzHGx1VXuIqM65O3/Fb3S1mrL+10C9
+BBifmkaL6/6VESVTz4Scp02hzlYNn3ftKIfIVRkMA+sb5XfLmbGDexOmyXLmDzc6
+m3dnGXk2qnUVf0ewjM6k+Kf8kOgL23EcRyQKim4S8WJBNAb93SeV1v/+Ott9XuTu
+ezOKBYDmtGRIhd7xn3sqlydbJJ0Rso6GXKtGDy2P6i1b4mBWez4bxjc6ZWjeGKXS
++2twoJkp07dQn9kq3in2LgK50tAu4kZh66kDYAwvhF7jinf+ncyD/sJWn51UhRNA
+Rq23VvEY/3VFBdVzSxtDuAthHVCj/MXGzCW1/JnlVa7FZk9h8nWfzujzDsQvMyJk
+VA3mwJau+Opq4PQlRwy0Ar7ruHDxu+LsU+7nGcLtSDcFkJFr+XVz6OBwtxS3I9GX
+ZAJO1tvqiNZhG71DegZ5csqK/HqrrxaA4i5dweSjmzIGThK6E6tFXyeS0OGL7t1u
+yXJMmWkfJhZ36dcZOfSSgPgXN/Kkn/Sxw8Glio2e97k4IHlT8mvM/T8DnBNDLDRE
+nmfd606j25Cybos+HpQwfANr1i3J4Fb5jXu8UVMcD/fFgaWDkS/5oFtasC+SFTK/
+GPdxJE0YfCJPtftyub40B+neKf30GjtWwn2scbZZtAiG7dI26mfPJ8gLxzlSce3D
+5BL9OwHr9Z0cNSg7G6oUbezhwpsRg8n4VdBqyKL9iNxh+DXXJqnZ9yrkxggI2Fyf
+8aLG9CzEPd6rv4S5SRqmgK7Vj5pFUjrbWc/PowoAbxK85G4LtHEFH4tlSvRUyh/T
+O4dwuOAbHpC+dmNsQsbnzZAHqoD1gVpzlxIW0TsOk5TNP7Ef3WcQF+6Z0yOdt+WN
+PqSWHjKFobwKX0tNssJMFV8sWHZLoOt+IPedEPmyDQ6t8f2Xu2WnUszWljSn/Lxc
+XpTxENHhUQyiFZWuZ/hWgj3Mp0UQvnKQLMp273Ccwx6KQ+XJwiiYQ37jmkiECnST
+A/8smEz2A+lRoJv0bmKiC2nBd5o/gFMimI/+rAYHfs7oHZ2Z/4UTmYRO3WBUm696
+YODrhBsIm8BNSdcKkaMtfCcPkIy3niC5eccSNZk7xPnOE6GNeL5q9R1btQ/S1aQL
+TEz0sp3M0+Wi8qeGs9jxBoQ2Ll/dsY8GLAGAzfIutJXEVdrED+iilWN+V7cWtrHo
+v0kKQfPcQ5KbLx8RjseI5DpNmC6jrNXD0kB7Ugi0FSd4bTF6b9juh/da/h4zA5Qn
+/pzC7ygtVaRYclil3JEV1oLl8DEeG9T9JR6lwL/AImaMrpoN+F4kT29YlAhwSCvt
+K1RAy5dw39IEy2CStx+zIkh0Lj4QX0Dv1sVr2jsi+zCapufAYoojFF9TGdG4Duz6
+UV19Z2KqCKYZODeZ9Luj2t10r7WecYkTiwCrjxLRt4xun2mAmJXmhYnwYtNdc/SN
++FZsMyQqOvZCQCRiGABIR1L3XlSO4gpr6FEq/e40D7xND5um+kuJqTmEq4Jr3kkJ
+10Awt9ZPvfX4Gu7NAiL4tv1o2JxtKg3DLh/ln2EW/pEOpu9JfsaxpsHSjcsJT2rC
+gKssv5jHbgUaH3fGz5w/PJXKpo4PMKd5Ce23CbIwCq7oPspKRbU19km51NRYvvBd
+r65ljR5xJPWsu1+J1UAq7dIWSfcw/FEtIaSjc19fX9Eva7rUc8mnM3g=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/t/ssl.t b/t/ssl.t
index 6dc9ea350..02ec0a913 100644
--- a/t/ssl.t
+++ b/t/ssl.t
@@ -110,7 +110,7 @@ failed to do SSL handshake: handshake failed
 
 --- error_log eval
 ['lua ssl server name: "test.com"',
-qr/sslv3 alert handshake failure|routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE:SSL alert number 40/]
+qr/routines::no suitable signature algorithm|sslv3 alert handshake failure|routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE:SSL alert number 40/]
 
 --- no_error_log
 [alert]
diff --git a/t/stream/ssl.t b/t/stream/ssl.t
index afc823fac..6b9237993 100644
--- a/t/stream/ssl.t
+++ b/t/stream/ssl.t
@@ -90,8 +90,7 @@ failed to do SSL handshake: handshake failed
 
 --- error_log eval
 ['lua ssl server name: "test.com"',
-qr/sslv3 alert handshake failure|routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE:SSL alert number 40/]
-
+qr/routines::no shared cipher|sslv3 alert handshake failure|routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE:SSL alert number 40/]
 --- no_error_log
 [alert]
 [emerg]