diff --git a/t/certs/README.md b/t/certs/README.md index cc7b034facf5486b0daa4444d6eb0817f5f258dc..9114ce6ef65f1a46b05fdc54a5aff213e91bd36e 100644 --- a/t/certs/README.md +++ b/t/certs/README.md @@ -22,7 +22,7 @@ The following certificates and proxy certificates are used in these tests: * `0.pem`: long-lived proxy certificate, without any Attribute Certificate (AC). Obtained with: ```shell - voms-proxy-init -cert t/certs/test0.p12 --valid 10000:0 --vomsdir t/vomsdir --certdir t/trust-anchors --vomses t/vomses + voms-proxy-init -cert t/certs/test0.p12 --valid 100:0 ``` * `1.pem`: long-lived proxy certificate, with an expired AC. Obtained with: @@ -40,7 +40,7 @@ The following certificates and proxy certificates are used in these tests: * `3.pem`: long-lived proxy with valid VOMS attributes. Obtained with: ```shell - $ VOMS_CLIENTS_JAVA_OPTIONS="-Dvoms.fake.vo=test.vo -Dvoms.fake=true -Dvoms.fake.aaCert=t/certs/star.test.example.cert.pem -Dvoms.fake.aaKey=t/certs/star.test.example.key.pem -Dvoms.fake.notAfter=2031-12-31T00:00:00 -Dvoms.fake.notBefore=2022-12-10T00:00:00 -Dvoms.fake.gas=nickname=sd,nickname=cnaf -Dvoms.fake.fqans=/test.vo/exp1,/test.vo/exp2,/test.vo/exp3/Role=PIPPO -Dvoms.fake.serial=123456" voms-proxy-init -voms test.vo -cert t/certs/test0.p12 --valid 10000:0 --vomsdir t/vomsdir --certdir t/trust-anchors --vomses t/vomses + $ VOMS_CLIENTS_JAVA_OPTIONS="-Dvoms.fake.vo=test.vo -Dvoms.fake=true -Dvoms.fake.aaCert=t/certs/star_test_example.cert.pem -Dvoms.fake.aaKey=t/certs/star_test_example.key.pem -Dvoms.fake.notAfter=2031-12-31T00:00:00 -Dvoms.fake.notBefore=2022-12-10T00:00:00 -Dvoms.fake.gas=nickname=sd,nickname=cnaf -Dvoms.fake.fqans=/test.vo/exp1,/test.vo/exp2,/test.vo/exp3/Role=PIPPO -Dvoms.fake.serial=123456" voms-proxy-init -voms test.vo -cert t/certs/test0.p12 --valid 10000:0 --vomsdir t/vomsdir --certdir t/trust-anchors --vomses t/vomses ``` * `4.pem`: long-lived proxy with VOMS generic attributes containing special characters. Obtained with: 
diff --git a/t/conf.d/ephemeral_ca.conf b/t/conf.d/ephemeral_ca.conf
new file mode 100644
index 0000000000000000000000000000000000000000..eb76c6eb05409a371249c185be8140f5ca4866f6
--- /dev/null
+++ b/t/conf.d/ephemeral_ca.conf
@@ -0,0 +1,34 @@
+
+[ ephemeral_ca ]
+
+dir = ${ENV::CA_NAME}
+certs = $dir/certs
+database = $dir/index.txt
+serial = $dir/serial
+certificate = $dir/ca.crt
+private_key = $dir/private/ca.key
+default_crl_days = 30
+default_md = sha512
+
+[ ephemeral_ca_cert ]
+
+default_bits = 2048
+default_keyfile = ${ENV::CA_NAME}/private/ca.key
+distinguished_name = ${ENV::CA_NAME}_dn
+prompt = no
+encrypt_key = no
+default_md = sha512
+x509_extensions = ${ENV::CA_NAME}_extensions
+
+[ ephemeral_ca_dn ]
+
+C = IT
+O = IGI
+CN = Ephemeral CA
+
+[ ephemeral_ca_extensions ]
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+basicConstraints = critical, CA:true
+keyUsage = critical, cRLSign, keyCertSign
diff --git a/t/conf.d/expired.conf b/t/conf.d/expired.conf
new file mode 100644
index 0000000000000000000000000000000000000000..e3d6431ff45db48c9c4ff0e8d70c2cdeb6cfd7ad
--- /dev/null
+++ b/t/conf.d/expired.conf
@@ -0,0 +1,26 @@
+
+[ expired ]
+
+default_bits = 2048
+default_keyfile = ${ENV::CA_NAME}/certs/expired.key.pem
+distinguished_name = expired_dn
+prompt = no
+output_password = pass
+default_md = sha512
+x509_extensions = expired_extensions
+
+[ expired_dn ]
+
+C = IT
+O = IGI
+CN = Expired
+
+[ expired_extensions ]
+
+basicConstraints = critical,CA:FALSE
+subjectKeyIdentifier = hash
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+authorityKeyIdentifier = keyid, issuer
+subjectAltName = email:expired@cnaf.infn.it
+
+
diff --git a/t/conf.d/igi_test_ca.conf b/t/conf.d/igi_test_ca.conf
new file mode 100644
index 0000000000000000000000000000000000000000..38bb87059dbe5df324a14e717b2bec25ea3fe99d
--- /dev/null
+++ b/t/conf.d/igi_test_ca.conf
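Review bot: The `[ ephemeral_ca ]` CA section defines no `new_certs_dir`, `policy` or `default_days`, which `openssl ca` looks up when issuing certificates unless `-outdir`, `-policy` and `-days` are given on the command line, so this file only works together with whatever make_ca.sh and make_cert.sh pass in (those helpers are not part of this diff, so I cannot confirm). The `[ ephemeral_ca_cert ]` section also resolves `distinguished_name` and `x509_extensions` through `${ENV::CA_NAME}_dn` / `${ENV::CA_NAME}_extensions`, so the file silently requires CA_NAME to equal its own section name; a header comment such as `# CA_NAME must equal this section name; outdir/policy/days are supplied by the make_*.sh helpers` would record both contracts. The same points apply to igi_test_ca.conf and igi_test_ca2.conf, which are identical to this file apart from the section prefix and CN. Note also that `default_crl_days = 30` means a CRL installed into trust-anchors goes stale a month after generation, so it has to be regenerated by each setup run rather than committed as a fixture.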
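Review bot: Nothing in `[ expired ]` makes the resulting certificate expired; the validity window has to come from `-startdate`/`-enddate` (or `-days`) in the issuing script, which is not in this diff, so a header comment like `# Validity is not set here: the issuing script must pass an end date in the past` would make the fixture's intent visible. The file also differs from test0.conf/test1.conf in using `output_password = pass` instead of `encrypt_key = no`, so the private key is written encrypted under a hard-coded literal password; if that is deliberate (to exercise the encrypted-key path) a comment should say so, and the value must match what the tests that load `expired.key.pem` supply. revoked.conf has the same two gaps, and there nothing marks the certificate as revoked either, which presumably happens via `openssl ca -revoke` followed by make_crl.sh and should be stated in the file.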
@@ -0,0 +1,34 @@
+
+[ igi_test_ca ]
+
+dir = ${ENV::CA_NAME}
+certs = $dir/certs
+database = $dir/index.txt
+serial = $dir/serial
+certificate = $dir/ca.crt
+private_key = $dir/private/ca.key
+default_crl_days = 30
+default_md = sha512
+
+[ igi_test_ca_cert ]
+
+default_bits = 2048
+default_keyfile = ${ENV::CA_NAME}/private/ca.key
+distinguished_name = ${ENV::CA_NAME}_dn
+prompt = no
+encrypt_key = no
+default_md = sha512
+x509_extensions = ${ENV::CA_NAME}_extensions
+
+[ igi_test_ca_dn ]
+
+C = IT
+O = IGI
+CN = Test CA
+
+[ igi_test_ca_extensions ]
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+basicConstraints = critical, CA:true
+keyUsage = critical, cRLSign, keyCertSign
diff --git a/t/conf.d/igi_test_ca2.conf b/t/conf.d/igi_test_ca2.conf
new file mode 100644
index 0000000000000000000000000000000000000000..fa25b31bc3500e00b85733c762f4fc6175d94119
--- /dev/null
+++ b/t/conf.d/igi_test_ca2.conf
@@ -0,0 +1,34 @@
+
+[ igi_test_ca2 ]
+
+dir = ${ENV::CA_NAME}
+certs = $dir/certs
+database = $dir/index.txt
+serial = $dir/serial
+certificate = $dir/ca.crt
+private_key = $dir/private/ca.key
+default_crl_days = 30
+default_md = sha512
+
+[ igi_test_ca2_cert ]
+
+default_bits = 2048
+default_keyfile = ${ENV::CA_NAME}/private/ca.key
+distinguished_name = ${ENV::CA_NAME}_dn
+prompt = no
+encrypt_key = no
+default_md = sha512
+x509_extensions = ${ENV::CA_NAME}_extensions
+
+[ igi_test_ca2_dn ]
+
+C = IT
+O = IGI
+CN = Test CA 2
+
+[ igi_test_ca2_extensions ]
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+basicConstraints = critical, CA:true
+keyUsage = critical, cRLSign, keyCertSign
diff --git a/t/conf.d/revoked.conf b/t/conf.d/revoked.conf
new file mode 100644
index 0000000000000000000000000000000000000000..7188f3068b7eba632e03f35258149f4e26045efa
--- /dev/null
+++ b/t/conf.d/revoked.conf
@@ -0,0 +1,26 @@
+
+[ revoked ]
+
+default_bits = 2048
+default_keyfile = ${ENV::CA_NAME}/certs/revoked.key.pem
+distinguished_name = revoked_dn
+prompt = no
+output_password = pass
+default_md = sha512
+x509_extensions = revoked_extensions
+
+[ revoked_dn ]
+
+C = IT
+O = IGI
+CN = Revoked
+
+[ revoked_extensions ]
+
+basicConstraints = critical,CA:FALSE
+subjectKeyIdentifier = hash
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+authorityKeyIdentifier = keyid, issuer
+subjectAltName = email:revoked@cnaf.infn.it
+
+
diff --git a/t/conf.d/star_test_example.conf b/t/conf.d/star_test_example.conf
new file mode 100644
index 0000000000000000000000000000000000000000..b6e92e08c60e14bfc75649b1c118437fe2032103
--- /dev/null
+++ b/t/conf.d/star_test_example.conf
@@ -0,0 +1,25 @@
+
+[ star_test_example ]
+
+default_bits = 2048
+default_keyfile = ${ENV::CA_NAME}/certs/star_test_example.key.pem
+distinguished_name = star_test_example_dn
+prompt = no
+encrypt_key = no
+default_md = sha512
+x509_extensions = star_test_example_extensions
+
+[ star_test_example_dn ]
+
+C = IT
+O = IGI
+CN = *.test.example
+
+[ star_test_example_extensions ]
+
+basicConstraints = critical,CA:FALSE
+subjectKeyIdentifier = hash
+keyUsage = critical, digitalSignature
+extendedKeyUsage = serverAuth, clientAuth
+authorityKeyIdentifier = keyid, issuer
+subjectAltName = DNS:*.test.example
diff --git a/t/conf.d/test0.conf b/t/conf.d/test0.conf
new file mode 100644
index 0000000000000000000000000000000000000000..7a1133938b4cf07ba9fe8e927374e53777ca21ce
--- /dev/null
+++ b/t/conf.d/test0.conf
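Review bot: star_test_example.conf carries no comment saying what the wildcard `*.test.example` certificate is for; the README hunk in this same commit shows it is the fake VOMS attribute authority certificate (`voms.fake.aaCert` / `voms.fake.aaKey`), which is presumably why its extensions differ from the user certificates (`extendedKeyUsage = serverAuth, clientAuth`, `keyUsage = critical, digitalSignature` only, a DNS rather than an email SAN). A header comment such as `# Wildcard host cert for *.test.example, used as the fake VOMS AA certificate (see t/certs/README.md)` would document that. It is also worth stating that the missing `nonRepudiation`/`keyEncipherment` bits are intentional for a signing-only AA certificate, so nobody later "harmonises" it with test0.conf.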
@@ -0,0 +1,26 @@
+
+[ test0 ]
+
+default_bits = 2048
+default_keyfile = ${ENV::CA_NAME}/certs/test0.key.pem
+distinguished_name = test0_dn
+prompt = no
+encrypt_key = no
+default_md = sha512
+x509_extensions = test0_extensions
+
+[ test0_dn ]
+
+C = IT
+O = IGI
+CN = Test0
+
+[ test0_extensions ]
+
+basicConstraints = critical,CA:FALSE
+subjectKeyIdentifier = hash
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+authorityKeyIdentifier = keyid, issuer
+subjectAltName = email:test0@cnaf.infn.it
+
+
diff --git a/t/conf.d/test1.conf b/t/conf.d/test1.conf
new file mode 100644
index 0000000000000000000000000000000000000000..0955d1856bf51e2e3093a3be58c0837e7a3d485e
--- /dev/null
+++ b/t/conf.d/test1.conf
@@ -0,0 +1,26 @@
+
+[ test1 ]
+
+default_bits = 2048
+default_keyfile = ${ENV::CA_NAME}/certs/test1.key.pem
+distinguished_name = test1_dn
+prompt = no
+encrypt_key = no
+default_md = sha512
+x509_extensions = test1_extensions
+
+[ test1_dn ]
+
+C = IT
+O = IGI
+CN = Test1
+
+[ test1_extensions ]
+
+basicConstraints = critical,CA:FALSE
+subjectKeyIdentifier = hash
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+authorityKeyIdentifier = keyid, issuer
+subjectAltName = email:test1@cnaf.infn.it
+
+
diff --git a/t/openssl.conf b/t/openssl.conf
new file mode 100644
index 0000000000000000000000000000000000000000..7b147ea9d841225ab31dd5b09c285c8bde5914fd
--- /dev/null
+++ b/t/openssl.conf
@@ -0,0 +1,8 @@
+
+config_diagnostics = 1
+
+[ ca ]
+
+default_ca = ${ENV::CA_NAME}
+
+.include conf.d
diff --git a/t/setup.sh b/t/setup.sh
new file mode 100755
index 0000000000000000000000000000000000000000..6f359e18d593c9609d4b140f52c72ab1b4ed618f
--- /dev/null
+++ b/t/setup.sh
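Review bot: `.include conf.d` is a relative path, and OpenSSL resolves `.include` paths against the process's working directory rather than the directory containing openssl.conf, while `default_ca = ${ENV::CA_NAME}` makes the whole file fail to load whenever CA_NAME is unset; together these mean every openssl invocation that picks up this file (for example through OPENSSL_CONF) must run from `t/` with CA_NAME exported, which setup.sh does but nothing states. A comment at the top, e.g. `# Load from the t/ directory with CA_NAME set: .include resolves against the CWD and ${ENV::CA_NAME} has no default`, would spare the next user an opaque config-load error. As far as I know `config_diagnostics = 1` is only honoured from OpenSSL 3.0 onwards, so the OpenSSL version the test setup expects should be noted alongside it.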
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+set -e
+
+env CA_NAME=igi_test_ca2 make_ca.sh
+env CA_NAME=igi_test_ca2 make_crl.sh
+install_ca.sh igi_test_ca2 trust-anchors
+
+export CA_NAME=igi_test_ca
+make_ca.sh
+
+make_cert.sh test0
+cp igi_test_ca/certs/test0.* certs
+
+make_cert.sh star_test_example
+cp igi_test_ca/certs/star_test_example.* certs
+
+# test 1
+echo | voms-proxy-init -cert certs/test0.p12 --valid 10:0 --out certs/0.pem --pwstdin
+awk '/BEGIN RSA PRIVATE KEY/,/END RSA PRIVATE KEY/' certs/0.pem > certs/0.key.pem
+awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' certs/0.pem > certs/0.cert.pem
+
+# test 3
+cat certs/test0.cert.pem trust-anchors/igi_test_ca.pem > certs/test0+ca.pem
+
+make_crl.sh
+install_ca.sh igi_test_ca trust-anchors
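Review bot: The `# test 3` step `cat certs/test0.cert.pem trust-anchors/igi_test_ca.pem > certs/test0+ca.pem` reads `trust-anchors/igi_test_ca.pem` before `install_ca.sh igi_test_ca trust-anchors` on the last line has written it, so if `make_ca.sh` produces a fresh igi_test_ca key on each run, `test0+ca.pem` ends up with the previous CA certificate and no longer chains to the freshly issued test0.cert.pem (and if the file does not already exist, `cat` aborts the script under `set -e`); moving the final two lines `make_crl.sh` and `install_ca.sh igi_test_ca trust-anchors` above the `# test 3` block, or concatenating `igi_test_ca/ca.crt` directly if it is PEM, fixes the ordering. The `awk '/BEGIN RSA PRIVATE KEY/,/END RSA PRIVATE KEY/'` range only matches the PKCS#1 PEM label, so a voms-proxy-init build that writes `BEGIN PRIVATE KEY` would leave certs/0.key.pem empty without tripping `set -e`; a `[ -s certs/0.key.pem ] || exit 1` after it would catch that. The README hunk in this same commit documents 0.pem as generated with `--valid 100:0` while this script uses `--valid 10:0`, so the proxy expires ten hours after setup and one of the two values should be corrected to match the intent. Every helper is invoked by bare name and every path is relative, so the script also assumes it runs from `t/` with the make_*.sh helpers on PATH, which deserves a comment at the top.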