diff --git a/Cargo.lock b/Cargo.lock index 61a27793..cb96e34f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -207,6 +207,15 @@ dependencies = [ "cc", ] +[[package]] +name = "deranged" +version = "0.3.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b42b6fa04a440b495c8b04d0e71b707c585f83cb9cb28cf8cd0d976c315e31b4" +dependencies = [ + "powerfmt", +] + [[package]] name = "dunce" version = "1.0.4" @@ -426,6 +435,12 @@ dependencies = [ "minimal-lexical", ] +[[package]] +name = "num-conv" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9" + [[package]] name = "num_cpus" version = "1.16.0" @@ -480,6 +495,16 @@ version = "1.0.15" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a" +[[package]] +name = "pem" +version = "3.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e459365e590736a54c3fa561947c84837534b8e9af6fc5bf781307e82658fae" +dependencies = [ + "base64", + "serde", +] + [[package]] name = "pin-project-lite" version = "0.2.14" @@ -492,6 +517,12 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" +[[package]] +name = "powerfmt" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391" + [[package]] name = "prettyplease" version = "0.2.20" 
@@ -520,6 +551,19 @@ dependencies = [ "proc-macro2", ] +[[package]] +name = "rcgen" +version = "0.13.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "54077e1872c46788540de1ea3d7f4ccb1983d12f9aa909b234468676c1a36779" +dependencies = [ + "pem", + "ring", + "rustls-pki-types", + "time", + "yasna", +] + [[package]] name = "redox_syscall" version = "0.5.2" @@ -731,6 +775,25 @@ dependencies = [ "unicode-ident", ] +[[package]] +name = "time" +version = "0.3.36" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5dfd88e563464686c916c7e46e623e520ddc6d79fa6641390f2e3fa86e83e885" +dependencies = [ + "deranged", + "num-conv", + "powerfmt", + "serde", + "time-core", +] + +[[package]] +name = "time-core" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3" + [[package]] name = "tokio" version = "1.38.0" @@ -768,6 +831,7 @@ dependencies = [ "argh", "futures-util", "lazy_static", + "rcgen", "rustls", "rustls-pemfile", "rustls-pki-types", @@ -953,6 +1017,15 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" +[[package]] +name = "yasna" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd" +dependencies = [ + "time", +] + [[package]] name = "zeroize" version = "1.8.1" diff --git a/Cargo.toml b/Cargo.toml index 84c356f4..50f35696 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -29,6 +29,7 @@ tls12 = ["rustls/tls12"] [dev-dependencies] argh = "0.1.1" +rcgen = { version = "0.13", features = ["pem"] } tokio = { version = "1.0", features = ["full"] } futures-util = "0.3.1" lazy_static = "1.1" diff --git a/tests/certs/chain.pem b/tests/certs/chain.pem new file mode 100644 index 00000000..4c36531e 
--- /dev/null +++ b/tests/certs/chain.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIBsjCCAVmgAwIBAgIUB4Geg6rz4UzdIkSmPjAxGgVhu4MwCgYIKoZIzj0EAwIw +JjEkMCIGA1UEAwwbUnVzdGxzIFJvYnVzdCBSb290IC0gUnVuZyAyMCAXDTc1MDEw +MTAwMDAwMFoYDzQwOTYwMTAxMDAwMDAwWjAhMR8wHQYDVQQDDBZyY2dlbiBzZWxm +IHNpZ25lZCBjZXJ0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEV2z0vS2Nvj1X +k2ZkZNimz/tpEyFIHqHBAMu1ok1q6rioZm0wfKgaVfo2E+/PccibK6AuiK1ZnQ5L +Wr3avkB+bqNoMGYwFQYDVR0RBA4wDIIKZm9vYmFyLmNvbTAdBgNVHSUEFjAUBggr +BgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFJ8xoDmF470si+tMAE2wYQMHHdOT +MA8GA1UdEwEB/wQFMAMBAQAwCgYIKoZIzj0EAwIDRwAwRAIgCEDfPgdEtKoUYtOp +YUd7uSDv2VJd749Avwls04C1MaUCIGTikBJzN3dnQbRARkzdOY4gFp4nczCiYaZZ +ucFJ3PiC +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBiDCCAS+gAwIBAgIUIKoi4tHahiNaO6Vuw5V97xyOVXQwCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAwwSUnVzdGxzIFJvYnVzdCBSb290MCAXDTc1MDEwMTAwMDAwMFoY +DzQwOTYwMTAxMDAwMDAwWjAmMSQwIgYDVQQDDBtSdXN0bHMgUm9idXN0IFJvb3Qg +LSBSdW5nIDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASJs6dcYkh6yXeD72J3 +1JJWfiNkNL4DGhWj5LZhwtq5NxrE2sK/TnQdUHYMhVxKXN0RaRcBZRxoUFD4UFkm +mdIKo0IwQDAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0OBBYEFOhbF/Vi9OjAC+bv6NTU +JMLLV621MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgWtRDzAcl +DpVplxAT6/ZmSmYtjttIFs2fM65z6H+LpOQCIB/PcAK3NZ+Mjs3rtVMV5UmXW3Jf +UaorChZwaCiO3vT8 +-----END CERTIFICATE----- diff --git a/tests/certs/end.cert b/tests/certs/end.cert deleted file mode 100644 index 8ac217ee..00000000 --- a/tests/certs/end.cert +++ /dev/null 
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFUDCCAzigAwIBAgIJAJaxEZDuHyedMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV -BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX -aWRnaXRzIFB0eSBMdGQwHhcNMjMwODA0MDkwNTUwWhcNMjQwODAzMDkwNTUwWjBa -MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 -ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQDDApmb29iYXIuY29tMIICIjAN -BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq7NIGBTw7i/JY43Z53EwugTF6IKP -6m7zQumtEUXWNQ3nQ7f81GeA+VAz7LZzeMuChjtR1lGcOZmx1PlwEmTr/Drfsip6 -Ryd4kjWiphp0mSUAKbKaX5Y9CFXNLQRqE01P8SEWZWhAKrI2iWtfjGetIqX/mt6E -OTGl/PaTKes1a+Nucbq3aUCffsQiRhHbwWlmrq3/Nxi8q5ekjEN9ls2djBzy/+cN -RUrq4e8uUN7LMW1HjQlY2Sod7eO3yZnB+Myq2zzi6odaq4yCi5D6VuPVMYBSrlfz -G2CLcSl0ncztSkqO08Bda6WZQQKqXlX2NhldxHxSo4S9mQliv+LWCCIBcqWsXojr -DYwQChJzTBpjPbQzhWDNdxokR9G9NzUcqYFNLPkxHa1ME+nGJYNX8wXXUL8q62zd -LYNcFEX89luaE/gxcSwWpfVfeMgK0f9dDKCPgn7Db2dv8FPbBLhaUiKCaL8phwJ8 -8K+zXCoiTOUxuni48T4q92DUToGw4uyQKd5s71gjZvaaoIsv+kTgF9J3wVzvmUCc -JE5FY1m6oJ2GIvsfFt+OsN3+KV3riCf5+Ivae/1tuDU9FHhCdgg8UzW2EHe1iPZI -48gx533NYQzItbgUII0aTIRtAbzOAvG1qiUBxgStR9H8duVKGQDE52MX7805E7az -R+1fIOamrngx1q8CAwEAAaMuMCwwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFQYDVR0R -BA4wDIIKZm9vYmFyLmNvbTANBgkqhkiG9w0BAQsFAAOCAgEALySenJ0pGGjo0W1n -2pwbzDxkZ6SsjHNDDZsfpA8NadJ6/CCtbNhT2pc87to+zssqocRZg71D46kbLBfC -KtQlg7O1FtS3yLOwnKix96USc562t9kMewAPH2krRr2BLF+mV8DR9plmyVNiqRbo -M6zt7ikUzoxojAcRDaVFNUCqRNKYGwcpvXQBgZ62u33mr0g2rfPq5KHfDtqyZvGm -GhFQiii5qvPgpwbZ/8xuyDx9HM1IqejZ8QtHsDYq2da2pLjEsw6xanN2HpaDqIv8 -y6RkBPkpZa9q/maXYmu6iMdT3sKJ4fmCRltpIEFoYB6B3cUDUH8n/0WUV/WH/0Hk -O9m7/zilJIJ6BRkgY48PTfh5rn/CD0BFrkLzGvAd2mJoAGSu//eUMYjt5O/ydZuk -Dc0q50DTKzuN0EycFLK58yJmdmvEt2+Y2bGN4vLqljU4+wdqLvxGXR9iwarq0uWF -5C7YeI4co2FDp0boOzge81gv/s0MBerQK82jUccJT47YgwbY5cyXK6AYiBdqdiZY -4ye88mon2gSZkiptT+iqLFvguNLvo0vS7cGcT/fegRc9Kp9E5eOI9fvevfT4pK7O -VVPX/NyOYTVucB3pnv33X50jsoecDDROdDicylj7T3jRykiHJRkCB7rUySmHcYo7 -HZCD6YHQc2aYKd2yGp0kXUn9C+E= ------END CERTIFICATE----- 
diff --git a/tests/certs/end.chain b/tests/certs/end.chain deleted file mode 100644 index f1a1ea9e..00000000 --- a/tests/certs/end.chain +++ /dev/null 
@@ -1,62 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFUDCCAzigAwIBAgIJAJaxEZDuHyedMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV -BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX -aWRnaXRzIFB0eSBMdGQwHhcNMjMwODA0MDkwNTUwWhcNMjQwODAzMDkwNTUwWjBa -MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 -ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQDDApmb29iYXIuY29tMIICIjAN -BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq7NIGBTw7i/JY43Z53EwugTF6IKP -6m7zQumtEUXWNQ3nQ7f81GeA+VAz7LZzeMuChjtR1lGcOZmx1PlwEmTr/Drfsip6 -Ryd4kjWiphp0mSUAKbKaX5Y9CFXNLQRqE01P8SEWZWhAKrI2iWtfjGetIqX/mt6E -OTGl/PaTKes1a+Nucbq3aUCffsQiRhHbwWlmrq3/Nxi8q5ekjEN9ls2djBzy/+cN -RUrq4e8uUN7LMW1HjQlY2Sod7eO3yZnB+Myq2zzi6odaq4yCi5D6VuPVMYBSrlfz -G2CLcSl0ncztSkqO08Bda6WZQQKqXlX2NhldxHxSo4S9mQliv+LWCCIBcqWsXojr -DYwQChJzTBpjPbQzhWDNdxokR9G9NzUcqYFNLPkxHa1ME+nGJYNX8wXXUL8q62zd -LYNcFEX89luaE/gxcSwWpfVfeMgK0f9dDKCPgn7Db2dv8FPbBLhaUiKCaL8phwJ8 -8K+zXCoiTOUxuni48T4q92DUToGw4uyQKd5s71gjZvaaoIsv+kTgF9J3wVzvmUCc -JE5FY1m6oJ2GIvsfFt+OsN3+KV3riCf5+Ivae/1tuDU9FHhCdgg8UzW2EHe1iPZI -48gx533NYQzItbgUII0aTIRtAbzOAvG1qiUBxgStR9H8duVKGQDE52MX7805E7az -R+1fIOamrngx1q8CAwEAAaMuMCwwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFQYDVR0R -BA4wDIIKZm9vYmFyLmNvbTANBgkqhkiG9w0BAQsFAAOCAgEALySenJ0pGGjo0W1n -2pwbzDxkZ6SsjHNDDZsfpA8NadJ6/CCtbNhT2pc87to+zssqocRZg71D46kbLBfC -KtQlg7O1FtS3yLOwnKix96USc562t9kMewAPH2krRr2BLF+mV8DR9plmyVNiqRbo -M6zt7ikUzoxojAcRDaVFNUCqRNKYGwcpvXQBgZ62u33mr0g2rfPq5KHfDtqyZvGm -GhFQiii5qvPgpwbZ/8xuyDx9HM1IqejZ8QtHsDYq2da2pLjEsw6xanN2HpaDqIv8 -y6RkBPkpZa9q/maXYmu6iMdT3sKJ4fmCRltpIEFoYB6B3cUDUH8n/0WUV/WH/0Hk -O9m7/zilJIJ6BRkgY48PTfh5rn/CD0BFrkLzGvAd2mJoAGSu//eUMYjt5O/ydZuk -Dc0q50DTKzuN0EycFLK58yJmdmvEt2+Y2bGN4vLqljU4+wdqLvxGXR9iwarq0uWF -5C7YeI4co2FDp0boOzge81gv/s0MBerQK82jUccJT47YgwbY5cyXK6AYiBdqdiZY -4ye88mon2gSZkiptT+iqLFvguNLvo0vS7cGcT/fegRc9Kp9E5eOI9fvevfT4pK7O -VVPX/NyOYTVucB3pnv33X50jsoecDDROdDicylj7T3jRykiHJRkCB7rUySmHcYo7 -HZCD6YHQc2aYKd2yGp0kXUn9C+E= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- 
-MIIFajCCA1KgAwIBAgIJAN9o7WeFfW8fMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV -BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX -aWRnaXRzIFB0eSBMdGQwHhcNMjMwODA0MDkwNTQ5WhcNMjQwODAzMDkwNTQ5WjBF -MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 -ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC -CgKCAgEAyTfVP7gwXhZyYRxx2j8CGAHkzAWXLfzdmaJ/+1szvR18YxJISVG8XGAY -l4wAJGkd5hTYYhrw9ja6KhS65K55aQ0bpNDUSZALmsKIR1vsfXMRZHdqguVLMY1r -Wqw2uZkSxD2y7Qui86SHsgBCltYqPThxyQsdGyueHcl4HMCK4hJ+xbc+32Z/p5it -j8GsygnYJBo9ZLeV69Ug3rTPJrWJIntuobMjcDg/JksHtagtgh5Ai89H57ELv4fM -a0VBm1oeaXLp7QuLTnybrQIFvMg7Lxk2Fk5/AGIoniskqq3jcDp7b6Atm5VT1tVl -+J4rxWjjHWb/tXIUBBREU4rAak/ezF3DjhLDwK/iUI3SZHv4XRc0FnhLGeIwJAAa -5ECGtXa9IqIcYbBYnftGUcUhHPFRiYyam6W3ZrlFn/NXE3p4mMVup+cYE7aFOOy+ -q0ZcA+0JKnrWQVusnmnGJth5CiabttLZrmJ9DRluZeEv4O6eJAnTAQoxBGuAhnvO -JKN8qjYXdnA38WnV0W0pOe6DiCQcC9tVISwmu78dfLN6qz+x1M9vkLqT7IOtsL9e -4vG2gJY3xGxoraBEIMr01mHsuXxAG7Esk78lGz0+RVwXIs3OZaqJSJqGfBelZLwi -8wPxXYlGaulz9LVH1lVEBivAgBMKvdResmgH7O2QmygpLTi/VG0CAwEAAaNdMFsw -DAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAcYwHQYDVR0OBBYEFB8wxB4pPgS7M557 -r2uN7Joao5KxMB8GA1UdIwQYMBaAFB8wxB4pPgS7M557r2uN7Joao5KxMA0GCSqG -SIb3DQEBCwUAA4ICAQByL1ztEnZfIkbkt51z13EZc5o5tw6OXiktzHgRXnOMdiYL -kMQo+NDHqXNW+U4R/AOXzKUXH/nIY9cfC9P7duznpw+muQJfdwGFsATrjplKNLJK -YOgPpVGzC6CwR6nvw3cRtQQWAc7nQ5zUFIIJOM0TRlqZ13OdRK50Tt9jysp0xoMB -lzMzgmYQ/O+RASTKk0UQw9kpP7LMihDc96fdxBFJHE+LTM0RfYZuJ1qj2psnkYvM -kmYRw8xCh8GxRX4b6ErrIeCr7rTc5A5FoL5MsQptsv71TW/FDGENlXZl7G4mXFQM -KqDnIdouakbyc+sX2C+663Mr/lDBCxXFvljVg4IfOreih6WeMorjtRdxCrJlLI++ -UJIl1r0b73jUx9fFCf+PA9b5o7/Y/hMwEBVQztGiIgTFaWSVs2gxZfnsupnz1ura -66GxYdB+5In6Y5Tsly4NB0RyWrljtWOMSciOrNb5czKfks3JjxPMJ9Mp9KSCEV9l -jcB7wYV5XTs5S2IPde/R7ILb/BHvF79Hw7SDf46g7VX3IZcnH7Mq6RbBJ4MPgScf -afVCX4Q1EqO6wPln5hwRNFELd5Utb1RDTRY+398SY+9QGJd0UUZ2xdK8wEmP8A2p -r4K5vcf8QuqXVvz3Kdi855R8mBlqDEIjm+QbXUwgiR2RAUYNZVDsjH0bx0HN5A== ------END CERTIFICATE----- 
diff --git a/tests/certs/end.key b/tests/certs/end.key new file mode 100644 index 00000000..c3238930 --- /dev/null +++ b/tests/certs/end.key @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg1UjNBQsUBVfNWWtI +uwNhUpyPeV1e3IjRm41VQauX1XOhRANCAARXbPS9LY2+PVeTZmRk2KbP+2kTIUge +ocEAy7WiTWrquKhmbTB8qBpV+jYT789xyJsroC6IrVmdDktavdq+QH5u +-----END PRIVATE KEY----- diff --git a/tests/certs/end.rsa b/tests/certs/end.rsa deleted file mode 100644 index f775da20..00000000 --- a/tests/certs/end.rsa +++ /dev/null 
@@ -1,51 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIJKgIBAAKCAgEAq7NIGBTw7i/JY43Z53EwugTF6IKP6m7zQumtEUXWNQ3nQ7f8 -1GeA+VAz7LZzeMuChjtR1lGcOZmx1PlwEmTr/Drfsip6Ryd4kjWiphp0mSUAKbKa -X5Y9CFXNLQRqE01P8SEWZWhAKrI2iWtfjGetIqX/mt6EOTGl/PaTKes1a+Nucbq3 -aUCffsQiRhHbwWlmrq3/Nxi8q5ekjEN9ls2djBzy/+cNRUrq4e8uUN7LMW1HjQlY -2Sod7eO3yZnB+Myq2zzi6odaq4yCi5D6VuPVMYBSrlfzG2CLcSl0ncztSkqO08Bd -a6WZQQKqXlX2NhldxHxSo4S9mQliv+LWCCIBcqWsXojrDYwQChJzTBpjPbQzhWDN -dxokR9G9NzUcqYFNLPkxHa1ME+nGJYNX8wXXUL8q62zdLYNcFEX89luaE/gxcSwW -pfVfeMgK0f9dDKCPgn7Db2dv8FPbBLhaUiKCaL8phwJ88K+zXCoiTOUxuni48T4q -92DUToGw4uyQKd5s71gjZvaaoIsv+kTgF9J3wVzvmUCcJE5FY1m6oJ2GIvsfFt+O -sN3+KV3riCf5+Ivae/1tuDU9FHhCdgg8UzW2EHe1iPZI48gx533NYQzItbgUII0a -TIRtAbzOAvG1qiUBxgStR9H8duVKGQDE52MX7805E7azR+1fIOamrngx1q8CAwEA -AQKCAgEAkiVUvSK9/I9yRKnOCwC+b+d2KTVQmEP+DTtnU2d1L814xpxJuOWs0wkg -WWDnIq9elzDQtLLcXe7jfhse+JksgJIAK9+aGwyOxSygF/A2xM/ItrVOTwRLSNf3 -f1TdkTZiUCVQsdotm+n7H7bkKldo+DABQ+oY87G9znZ2xtxsqTt5m5ZJXW5jE/yQ -C8JRoew8OXzi2hvVI908cyNTN9QmQMe3UnhxRETDbrIuYylwHM8ecv68wIPn27/T -hOa6QzK6T0ghAW1akOBVkcRCQUlGAw9t0PYNeIURy610lIiEhZK2xahcHC9lJf/F -0ewrWNr4hDEqCgMHesaRZjEG6v8+6Nj8Jx+uFQMrIPPJHOK6pzj+VZl4FlcqQGJN -NSlXP2gt8t+6WzLEGy0sPiQNghwEqLO1cIt8lbWeFChDgRuiuipQFgD3bgBeEcSJ -rQG520EtQbwysTPtD3MAa1BwYFNMbWQHi0++tPK2wosaYPfGI/L33c8EjTxgDJgw -Z6GRx9P2PWSzcgKs0EQsSyh/9QI1cAmG7kr4D0BWj4Jn6tJITQOj6Ajy5irnQ2Yr -qOtwV9cFznzy0M75WF5Jh4uli/Wpwh+62Auc9srK20oAdWS5lboV+KXD8Ftc6PzK -X1EEY6EqMoLCx6mmtJip6Ufpd0EzgUh0bI8xyTwhVtHB7IDnm8ECggEBANYwPLmV -N8PakybVPEiduK0SQBllA6fmpEF5oKoPdrV84m5ckejPXpXV0jlpVNCMPGV5jR6f -G6PcnxpirngcZUh1pLWmAYwYpTWAm2CnQ/lGgrDWlVIqB3w8UmjPYJuRkghKaOF4 -g0bJEfk1p8V9ndpuDYvyXlAPMrPKUsi8y1r9wU7xcMnI39IQ8YIfkUiW75g0f/VK -coANPABlsvwutpXIhWc0h0XiG6yY4qr1s+KH94uih7JRvwC2L/oMhRRH2uuB1iHT -oEMwA/dAQpbJSFSUltziXA7QtnilPryDDUEk9oNf6BGlLwM45CQjgaKgcE+T1W9L -zOvUO1uNF3gZr+ECggEBAM03wvFGslop2nAVsLacMaqb4Lwbx6XgORYxXxD2fyr4 -JMZKp32KhtVTOK8MPZkn1L8tkwD/Cmol6yqj9lxTXby3Hu44lczUgjGYaO39Rk5Q 
-/CBYcbGtQu7LyLmehH0quVBSQmtMVk91ziU1X+Bj6qVaAeAX23jDyE/KAoH/vY6i -4ViLGpJR2znT45IbGuXaZw5CZOk+/Of6vdfXMSVToHTFpHYAuQkVtuK/lbEbjEnE -c42AgXrWQ2HxQWRYHAW2hIx34H2PsO/JQxnl8io+Zfze/ElpsxYk/u9tTkpydaeF -EPrEpnlEIP4N8sqxQJ8986AmBWW7lJYwaCSIQerLmI8CggEBAJSzOoVxNhzwE3dD -VS3o6fymDgBTY/1eH60hPsyyHa0UPbN26wmhZj5KC0A2g16h7ZBZmgKnXa4ejgro -dc4HkL2Eh0xhKvPTbGc/mR+6IHPgYv1YjKRVb4rt6hy/1IdMwgClgDkAzMsI70R/ -3rE6a6vo+dit9JJKat3tWhnpEJlkUJ94+d/taI5TmwfG2Lt3pnGaCTgHboS+K2jv -MhroZ3SHmS40hrGar7HdFoiwOinMUa0Msn63SA67bYWAyadx12fnZP1pCft7S1WN -tG0w4tltq2tAb78NYZFSz8JajYormkVNATW243OuPJ1mVSrNjguBTA2Pp34Wgvsl -ciS8WKECggEAVxd0Fvs+077xYiICZe0xsssGfC558y6Oa5m2U7eYzn6S9MhX/pJc -mIoCA1/5gFcEFcJcoc6a9+Nxwx3kftgubtl0Ofsvr8b8HdolpeKYBMKfzYZbceEr -B7baT9QzO/92t9zBLVIvSvee7fGR5+PfgB8LrrPRQ5YrG5mKqOsE4lTDt9UJCNHO -bOM8sBPqvWOL2uRYeRhvMnAaQ1CjHck4znXWTvINlQpvHBnciFY9mkzSEVpZGO13 -mUhOzSwLcG0+IXL6ha8Gkyzh2krZFA55L/DeNrWx+BLpUmkcEcIzpk11oEb2s34z -Vj5LLLQ+zZX4H54jKkKKU5bli6N7/g47hwKCAQEAhTwxs7xWQ7GEzR6svN1FpiwN -hP2SlY3i5ed8PIsRSASWJ6rJpJJKgEccXdcnAO3MscleL/cO4s6FSHsGyHFyZ4/D -EsXY/eo5q3Bjv5/hvQt7nnCp1LwNQ0durj2bKdpj7P6Kjli38OF1CDU1E31pVOWJ -kKi/YUIFgJq/rN9Uyx2Y8Km6ubohjuVRVWmva2xOe1mX1ZEOGu8aFliW/1h/m8Ct -B+ywtn4mUDDJqNJ6W5k54SyJXWceMrW8i5t8qOCN5Yd3NYHNFMMBg/XhpIsc+bDL -0ekvo9w0gfJFnNH1V4uNinGaNBJp7xZSC0TK0I0hvMyRoQQ+M5iGpMBEVYZnAw== ------END RSA PRIVATE KEY----- diff --git a/tests/certs/main.rs b/tests/certs/main.rs new file mode 100644 index 00000000..1dbbc97f --- /dev/null +++ b/tests/certs/main.rs 
@@ -0,0 +1,66 @@
+//! An ignored-by-default integration test that regenerates vendored certs.
+//! Run with `cargo test -- --ignored` when test certificates need updating.
+//! Suitable for test certificates only. Not a production CA ;-)
+
+use rcgen::{
+ BasicConstraints, CertificateParams, DistinguishedName, DnType, ExtendedKeyUsagePurpose, IsCa,
+ KeyPair, KeyUsagePurpose,
+};
+use std::fs::File;
+use std::io::Write;
+
+#[test]
+#[ignore]
+fn regenerate_certs() {
+ let root_key = KeyPair::generate().unwrap();
+ let root_ca = issuer_params("Rustls Robust Root")
+ .self_signed(&root_key)
+ .unwrap();
+
+ let mut root_file = File::create("tests/certs/root.pem").unwrap();
+ root_file.write_all(root_ca.pem().as_bytes()).unwrap();
+
+ let intermediate_key = KeyPair::generate().unwrap();
+ let intermediate_ca = issuer_params("Rustls Robust Root - Rung 2")
+ .signed_by(&intermediate_key, &root_ca, &root_key)
+ .unwrap();
+
+ let end_entity_key = KeyPair::generate().unwrap();
+ let mut end_entity_params =
+ CertificateParams::new(vec![utils::TEST_SERVER_DOMAIN.to_string()]).unwrap();
+ end_entity_params.is_ca = IsCa::ExplicitNoCa;
+ end_entity_params.extended_key_usages = vec![
+ ExtendedKeyUsagePurpose::ServerAuth,
+ ExtendedKeyUsagePurpose::ClientAuth,
+ ];
+ let end_entity = end_entity_params
+ .signed_by(&end_entity_key, &intermediate_ca, &intermediate_key)
+ .unwrap();
+
+ let mut chain_file = File::create("tests/certs/chain.pem").unwrap();
+ chain_file.write_all(end_entity.pem().as_bytes()).unwrap();
+ chain_file
+ .write_all(intermediate_ca.pem().as_bytes())
+ .unwrap();
+
+ let mut key_file = File::create("tests/certs/end.key").unwrap();
+ key_file
+ .write_all(end_entity_key.serialize_pem().as_bytes())
+ .unwrap();
+}
+
+fn issuer_params(common_name: &str) -> CertificateParams {
+ let mut issuer_name = DistinguishedName::new();
+ issuer_name.push(DnType::CommonName, common_name);
+ let mut issuer_params = CertificateParams::default();
+ issuer_params.distinguished_name = issuer_name;
+ issuer_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
+ issuer_params.key_usages = vec![
+ KeyUsagePurpose::KeyCertSign,
+ KeyUsagePurpose::DigitalSignature,
+ ];
+ issuer_params
+}
+
+// For the server name constant.
+include!("../utils.rs");
diff --git a/tests/certs/root.pem b/tests/certs/root.pem
new file mode 100644
index 00000000..a906347e
--- /dev/null
+++ b/tests/certs/root.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE----- +MIIBgDCCASagAwIBAgIUDKVcG8WKAVxMrpkvWBsSKu6G9swwCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAwwSUnVzdGxzIFJvYnVzdCBSb290MCAXDTc1MDEwMTAwMDAwMFoY +DzQwOTYwMTAxMDAwMDAwWjAdMRswGQYDVQQDDBJSdXN0bHMgUm9idXN0IFJvb3Qw +WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQjrQmsnBwZUT8iraiF5EAJFMZE3rgA +oqDL6clNl7YtjKqH/E/BiVs+k+70Dz74Ibrm/z80f51fK/Ug2h5pSOp5o0IwQDAO +BgNVHQ8BAf8EBAMCAoQwHQYDVR0OBBYEFMwwAap72bFsxZxK0ThGymdrjBfYMA8G +A1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAJR/PB88zHsy0iotwCcG +SPPOowWXb0Uzj6CPHBks25woAiB5Bg4+395Lr2K4UIh3zv0BFuSyXrFqvj+WMhUy +4Z+WRw== +-----END CERTIFICATE-----
diff --git a/tests/utils.rs b/tests/utils.rs
index 04923f3c..e9641e97 100644
--- a/tests/utils.rs
+++ b/tests/utils.rs
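Review bot: In `regenerate_certs` (tests/certs/main.rs), `root.pem` is written before the intermediate and end-entity certificates are generated, so a panic in any later `unwrap()` leaves a fresh root on disk next to the old `chain.pem` and `end.key`, and the vendored set no longer verifies. Generating all three certificates first and moving the `File::create("tests/certs/root.pem")` / `write_all` pair down beside the other two writes keeps the files consistent. `root_key` and `intermediate_key` are never written out, which looks deliberate and is worth stating above `let root_key`, e.g. `// CA keys stay in memory only: nothing more can be issued under the vendored root once this test returns.` Because `end.key` is committed in the clear, the module doc could also say that `root.pem` must never be added to a trust store outside these tests.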
@@ -7,14 +7,19 @@ mod utils { #[allow(dead_code)] pub fn make_configs() -> (ServerConfig, ClientConfig) { - const CERT: &str = include_str!("certs/end.cert"); - const CHAIN: &str = include_str!("certs/end.chain"); - const RSA: &str = include_str!("certs/end.rsa"); + // A test root certificate that is the trust anchor for the CHAIN. + const ROOT: &str = include_str!("certs/root.pem"); + // A server certificate chain that includes both an end-entity server certificate + // and the intermediate certificate that issued it. The ROOT is configured + // out-of-band. + const CHAIN: &str = include_str!("certs/chain.pem"); + // A private key corresponding to the end-entity server certificate in CHAIN. + const EE_KEY: &str = include_str!("certs/end.key"); - let cert = certs(&mut BufReader::new(Cursor::new(CERT))) + let cert = certs(&mut BufReader::new(Cursor::new(CHAIN))) .map(|result| result.unwrap()) .collect(); - let key = private_key(&mut BufReader::new(Cursor::new(RSA))) + let key = private_key(&mut BufReader::new(Cursor::new(EE_KEY))) .unwrap() .unwrap(); let sconfig = ServerConfig::builder() @@ -23,9 +28,9 @@ mod utils { .unwrap(); let mut client_root_cert_store = RootCertStore::empty(); - let mut chain = BufReader::new(Cursor::new(CHAIN)); - for cert in certs(&mut chain) { - client_root_cert_store.add(cert.unwrap()).unwrap(); + let mut roots = BufReader::new(Cursor::new(ROOT)); + for root in certs(&mut roots) { + client_root_cert_store.add(root.unwrap()).unwrap(); } let cconfig = ClientConfig::builder()
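Review bot: The new comment on `CHAIN` in `make_configs` does not say that the order inside `chain.pem` matters: `certs()` yields certificates in file order and the collected result is what the server presents, where rustls expects the end-entity certificate first. Adding `// Order matters: end-entity certificate first, then the intermediate that issued it.` would keep a hand-edited or regenerated file from breaking the handshake in a way that is hard to diagnose. The binding `let cert = certs(...)` now holds two certificates, so `cert_chain` would read more accurately; its use sits between the two hunks, outside the visible lines, so the rename has to be carried there as well.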