Reject certificates that are valid for too long.

This is in conformance with the CA/Browser Forum Baseline Requirements for
certificate issuance.

This CL is adapted from a diff provided by sigbjorn@opera.com. Thanks!

BUG=119211
TBR=abarth

Review URL: https://codereview.chromium.org/20628006

Cr-Commit-Position: refs/heads/master@{#303286}
diff --git a/chrome/app/generated_resources.grd b/chrome/app/generated_resources.grd
index 0887e8b..c391ebb 100644
--- a/chrome/app/generated_resources.grd
+++ b/chrome/app/generated_resources.grd
@@ -2659,6 +2659,12 @@
       <message name="IDS_CERT_ERROR_NAME_CONSTRAINT_VIOLATION_DESCRIPTION" desc="Description of the error page for a certificate that contains a name outside of its scope">
         Server's certificate violates name constraints.
       </message>
+      <message name="IDS_CERT_ERROR_VALIDITY_TOO_LONG_DETAILS" desc="Details of the error page for a certificate whose validity period is too long">
+        You attempted to reach <ph name="DOMAIN">&lt;strong&gt;$1<ex>paypal.com</ex>&lt;/strong&gt;</ph>, but the server presented a certificate for which the period is too long.
+      </message>
+      <message name="IDS_CERT_ERROR_VALIDITY_TOO_LONG_DESCRIPTION" desc="Description of the error page for a certificate whose validity period is too long">
+        The server certificate has a validity period that is too long.
+      </message>
 
       <message name="IDS_CERT_ERROR_UNKNOWN_ERROR_DETAILS" desc="Details of the error page for an unknown ssl error">
         An unknown error has occurred.
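Review bot: The details string `IDS_CERT_ERROR_VALIDITY_TOO_LONG_DETAILS` says "a certificate for which the period is too long", which drops the word "validity" and leaves the user guessing which period is meant. Wording it as `but the server presented a certificate whose validity period is too long.` would match `IDS_CERT_ERROR_VALIDITY_TOO_LONG_DESCRIPTION` directly below it.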
diff --git a/chrome/browser/ssl/ssl_error_info.cc b/chrome/browser/ssl/ssl_error_info.cc
index 9737bdf..80aaf9b 100644
--- a/chrome/browser/ssl/ssl_error_info.cc
+++ b/chrome/browser/ssl/ssl_error_info.cc
@@ -145,6 +145,13 @@
       short_description = l10n_util::GetStringUTF16(
           IDS_CERT_ERROR_NAME_CONSTRAINT_VIOLATION_DESCRIPTION);
       break;
+    case CERT_VALIDITY_TOO_LONG:
+      details =
+          l10n_util::GetStringFUTF16(IDS_CERT_ERROR_VALIDITY_TOO_LONG_DETAILS,
+                                     UTF8ToUTF16(request_url.host()));
+      short_description = l10n_util::GetStringUTF16(
+          IDS_CERT_ERROR_VALIDITY_TOO_LONG_DESCRIPTION);
+      break;
     case CERT_PINNED_KEY_MISSING:
       details = l10n_util::GetStringUTF16(
           IDS_ERRORPAGES_SUMMARY_PINNING_FAILURE);
@@ -191,6 +198,8 @@
       return CERT_WEAK_KEY;
     case net::ERR_CERT_NAME_CONSTRAINT_VIOLATION:
       return CERT_NAME_CONSTRAINT_VIOLATION;
+    case net::ERR_CERT_VALIDITY_TOO_LONG:
+      return CERT_VALIDITY_TOO_LONG;
     case net::ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY:
       return CERT_WEAK_KEY_DH;
     case net::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN:
@@ -207,29 +216,31 @@
                                          const GURL& url,
                                          std::vector<SSLErrorInfo>* errors) {
   const net::CertStatus kErrorFlags[] = {
-    net::CERT_STATUS_COMMON_NAME_INVALID,
-    net::CERT_STATUS_DATE_INVALID,
-    net::CERT_STATUS_AUTHORITY_INVALID,
-    net::CERT_STATUS_NO_REVOCATION_MECHANISM,
-    net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION,
-    net::CERT_STATUS_REVOKED,
-    net::CERT_STATUS_INVALID,
-    net::CERT_STATUS_WEAK_SIGNATURE_ALGORITHM,
-    net::CERT_STATUS_WEAK_KEY,
-    net::CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
+      net::CERT_STATUS_COMMON_NAME_INVALID,
+      net::CERT_STATUS_DATE_INVALID,
+      net::CERT_STATUS_AUTHORITY_INVALID,
+      net::CERT_STATUS_NO_REVOCATION_MECHANISM,
+      net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION,
+      net::CERT_STATUS_REVOKED,
+      net::CERT_STATUS_INVALID,
+      net::CERT_STATUS_WEAK_SIGNATURE_ALGORITHM,
+      net::CERT_STATUS_WEAK_KEY,
+      net::CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
+      net::CERT_STATUS_VALIDITY_TOO_LONG,
   };
 
   const ErrorType kErrorTypes[] = {
-    CERT_COMMON_NAME_INVALID,
-    CERT_DATE_INVALID,
-    CERT_AUTHORITY_INVALID,
-    CERT_NO_REVOCATION_MECHANISM,
-    CERT_UNABLE_TO_CHECK_REVOCATION,
-    CERT_REVOKED,
-    CERT_INVALID,
-    CERT_WEAK_SIGNATURE_ALGORITHM,
-    CERT_WEAK_KEY,
-    CERT_NAME_CONSTRAINT_VIOLATION,
+      CERT_COMMON_NAME_INVALID,
+      CERT_DATE_INVALID,
+      CERT_AUTHORITY_INVALID,
+      CERT_NO_REVOCATION_MECHANISM,
+      CERT_UNABLE_TO_CHECK_REVOCATION,
+      CERT_REVOKED,
+      CERT_INVALID,
+      CERT_WEAK_SIGNATURE_ALGORITHM,
+      CERT_WEAK_KEY,
+      CERT_NAME_CONSTRAINT_VIOLATION,
+      CERT_VALIDITY_TOO_LONG,
   };
   DCHECK(arraysize(kErrorFlags) == arraysize(kErrorTypes));
 
@@ -243,9 +254,10 @@
             cert_id, &cert);
         DCHECK(r);
       }
-      if (errors)
+      if (errors) {
         errors->push_back(
             SSLErrorInfo::CreateError(kErrorTypes[i], cert.get(), url));
+      }
     }
   }
   return count;
diff --git a/chrome/browser/ssl/ssl_error_info.h b/chrome/browser/ssl/ssl_error_info.h
index bcc169a..29803059 100644
--- a/chrome/browser/ssl/ssl_error_info.h
+++ b/chrome/browser/ssl/ssl_error_info.h
@@ -33,6 +33,7 @@
     CERT_WEAK_SIGNATURE_ALGORITHM,
     CERT_WEAK_KEY,
     CERT_NAME_CONSTRAINT_VIOLATION,
+    CERT_VALIDITY_TOO_LONG,
     UNKNOWN,
     CERT_WEAK_KEY_DH,
     CERT_PINNED_KEY_MISSING,
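Review bot: `CERT_VALIDITY_TOO_LONG` is inserted ahead of `UNKNOWN`, which renumbers `UNKNOWN`, `CERT_WEAK_KEY_DH` and `CERT_PINNED_KEY_MISSING`. Two entries already sit after `UNKNOWN`, which suggests earlier additions were appended to keep existing values stable. If ErrorType values are ever recorded in histograms or otherwise persisted, appending the new enumerator after `CERT_PINNED_KEY_MISSING` would avoid shifting them. The enum's start and end are outside this hunk, so whether anything depends on the numeric values cannot be confirmed from here.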
diff --git a/content/browser/ssl/ssl_policy.cc b/content/browser/ssl/ssl_policy.cc
index 51ae7b2..610f741 100644
--- a/content/browser/ssl/ssl_policy.cc
+++ b/content/browser/ssl/ssl_policy.cc
@@ -56,6 +56,7 @@
     case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM:
     case net::ERR_CERT_WEAK_KEY:
     case net::ERR_CERT_NAME_CONSTRAINT_VIOLATION:
+    case net::ERR_CERT_VALIDITY_TOO_LONG:
       if (!handler->fatal())
         options_mask |= OVERRIDABLE;
       else
diff --git a/net/base/net_error_list.h b/net/base/net_error_list.h
index 89fbfff..4b61e0e 100644
--- a/net/base/net_error_list.h
+++ b/net/base/net_error_list.h
@@ -444,13 +444,16 @@
 // The certificate claimed DNS names that are in violation of name constraints.
 NET_ERROR(CERT_NAME_CONSTRAINT_VIOLATION, -212)
 
+// The certificate's validity period is too long.
+NET_ERROR(CERT_VALIDITY_TOO_LONG, -213)
+
 // Add new certificate error codes here.
 //
 // Update the value of CERT_END whenever you add a new certificate error
 // code.
 
 // The value immediately past the last certificate error code.
-NET_ERROR(CERT_END, -213)
+NET_ERROR(CERT_END, -214)
 
 // The URL is invalid.
 NET_ERROR(INVALID_URL, -300)
diff --git a/net/cert/cert_status_flags.cc b/net/cert/cert_status_flags.cc
index d278ea4..e8d9aab0c 100644
--- a/net/cert/cert_status_flags.cc
+++ b/net/cert/cert_status_flags.cc
@@ -49,6 +49,8 @@
       return CERT_STATUS_PINNED_KEY_MISSING;
     case ERR_CERT_NAME_CONSTRAINT_VIOLATION:
       return CERT_STATUS_NAME_CONSTRAINT_VIOLATION;
+    case ERR_CERT_VALIDITY_TOO_LONG:
+      return CERT_STATUS_VALIDITY_TOO_LONG;
     default:
       return 0;
   }
@@ -81,6 +83,8 @@
     return ERR_CERT_WEAK_KEY;
   if (cert_status & CERT_STATUS_DATE_INVALID)
     return ERR_CERT_DATE_INVALID;
+  if (cert_status & CERT_STATUS_VALIDITY_TOO_LONG)
+    return ERR_CERT_VALIDITY_TOO_LONG;
 
   // Unknown status.  Give it the benefit of the doubt.
   if (cert_status & CERT_STATUS_UNABLE_TO_CHECK_REVOCATION)
diff --git a/net/cert/cert_status_flags_list.h b/net/cert/cert_status_flags_list.h
index c660a7b..932e938cc 100644
--- a/net/cert/cert_status_flags_list.h
+++ b/net/cert/cert_status_flags_list.h
@@ -24,6 +24,7 @@
 // 1 << 12 was used for CERT_STATUS_WEAK_DH_KEY
 CERT_STATUS_FLAG(PINNED_KEY_MISSING, 1 << 13)
 CERT_STATUS_FLAG(NAME_CONSTRAINT_VIOLATION, 1 << 14)
+CERT_STATUS_FLAG(VALIDITY_TOO_LONG, 1 << 15)
 
 // Bits 16 to 31 are for non-error statuses.
 CERT_STATUS_FLAG(IS_EV, 1 << 16)
diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc
index 222ba47..981bea0 100644
--- a/net/cert/cert_verify_proc.cc
+++ b/net/cert/cert_verify_proc.cc
@@ -4,10 +4,13 @@
 
 #include "net/cert/cert_verify_proc.h"
 
+#include <stdint.h>
+
 #include "base/basictypes.h"
 #include "base/metrics/histogram.h"
 #include "base/sha1.h"
 #include "base/strings/stringprintf.h"
+#include "base/time/time.h"
 #include "build/build_config.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_util.h"
@@ -33,7 +36,6 @@
 #error Implement certificate verification.
 #endif
 
-
 namespace net {
 
 namespace {
@@ -276,6 +278,13 @@
     // now treat it as a warning and do not map it to an error return value.
   }
 
+  // Flag certificates using too long validity periods.
+  if (verify_result->is_issued_by_known_root && HasTooLongValidity(*cert)) {
+    verify_result->cert_status |= CERT_STATUS_VALIDITY_TOO_LONG;
+    if (rv == OK)
+      rv = MapCertStatusToNetError(verify_result->cert_status);
+  }
+
   return rv;
 }
 
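Review bot: The comment on the new check does not say why it is gated on `is_issued_by_known_root`, nor that only the leaf `*cert` is examined and intermediates are not. That scope matters to anyone reasoning about which certificates this rejects, so it is worth stating, for example `// Only publicly trusted roots are held to the Baseline Requirements; chains to locally installed roots are exempt, and only the leaf is checked.` The reason for the known-root gate is inferred from the commit description, so the author should confirm the wording. Verify()'s body starts outside this hunk.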
@@ -614,4 +623,41 @@
   return false;
 }
 
+// static
+bool CertVerifyProc::HasTooLongValidity(const X509Certificate& cert) {
+  const base::Time& start = cert.valid_start();
+  const base::Time& expiry = cert.valid_expiry();
+  if (start.is_max() || start.is_null() || expiry.is_max() ||
+      expiry.is_null() || start > expiry) {
+    return true;
+  }
+
+  base::Time::Exploded exploded_start;
+  base::Time::Exploded exploded_expiry;
+  cert.valid_start().UTCExplode(&exploded_start);
+  cert.valid_expiry().UTCExplode(&exploded_expiry);
+
+  if (exploded_expiry.year - exploded_start.year > 10)
+    return true;
+  int month_diff = (exploded_expiry.year - exploded_start.year) * 12 +
+                   (exploded_expiry.month - exploded_start.month);
+
+  // Add any remainder as a full month.
+  if (exploded_expiry.day_of_month > exploded_start.day_of_month)
+    ++month_diff;
+
+  static const base::Time time_2015_04_01 =
+      base::Time::FromInternalValue(INT64_C(1427871600));
+  static const base::Time time_2012_07_01 =
+      base::Time::FromInternalValue(INT64_C(1341126000));
+  static const base::Time time_2019_07_01 =
+      base::Time::FromInternalValue(INT64_C(1561964400));
+
+  if (start >= time_2015_04_01)
+    return month_diff > 39;
+  if (start >= time_2012_07_01)
+    return month_diff > 60;
+  return month_diff > 120 || expiry > time_2019_07_01;
+}
+
 }  // namespace net
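Review bot: The three cutoff constants in HasTooLongValidity are built with `base::Time::FromInternalValue()` from values that look like Unix-epoch seconds (1427871600 falls on 1 April 2015), but base::Time's internal value counts microseconds from 1601, so each constant lands within the first hour of 1601-01-01. `start >= time_2015_04_01` is then true for any real certificate, the 60-month and 120-month branches are never reached, and every certificate from a known root is held to 39 months. Construct the cutoffs from the Unix epoch instead, for example `base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1427846400)` for 1 April 2015 00:00 UTC, and likewise for the other two. The current literals are also 07:00 UTC rather than midnight, which suggests they were produced in a local time zone. Separately, the remainder check compares only `day_of_month`, so a later time of day on the same day is not counted as a partial month.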
diff --git a/net/cert/cert_verify_proc.h b/net/cert/cert_verify_proc.h
index 95e464e..f60ed6d 100644
--- a/net/cert/cert_verify_proc.h
+++ b/net/cert/cert_verify_proc.h
@@ -73,6 +73,7 @@
  private:
   friend class base::RefCountedThreadSafe<CertVerifyProc>;
   FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, DigiNotarCerts);
+  FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, TestHasTooLongValidity);
 
   // Performs the actual verification using the desired underlying
   // cryptographic library.
@@ -99,6 +100,18 @@
       const std::vector<std::string>& dns_names,
       const std::vector<std::string>& ip_addrs);
 
+  // The CA/Browser Forum's Baseline Requirements specify maximum validity
+  // periods (https://cabforum.org/Baseline_Requirements_V1.pdf):
+  //
+  // For certificates issued after 1 July 2012: 60 months.
+  // For certificates issued after 1 April 2015: 39 months.
+  //
+  // For certificates issued before the BRs took effect, there were no
+  // guidelines, but clamp them at a maximum of 10 year validity, with the
+  // requirement they expire within 7 years after the effective date of the BRs
+  // (i.e. by 1 July 2019).
+  static bool HasTooLongValidity(const X509Certificate& cert);
+
   DISALLOW_COPY_AND_ASSIGN(CertVerifyProc);
 };
 
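Review bot: The comment on `HasTooLongValidity` omits behaviour that callers and test authors need. The implementation also returns true when either date is null or max, or when the start is later than the expiry, and it rounds a partial month up to a full month. The cutoffs are compared with `>=` against the notBefore date, so "issued after 1 July 2012" would be more accurate as `notBefore on or after 1 July 2012`, and likewise for the 2015 line. A closing sentence such as `Returns true if the validity period exceeds the applicable limit or the dates are missing or inconsistent.` would cover the rest. The class declaration starts outside this hunk.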
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index 10a880b..a004f98 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -615,16 +615,36 @@
             verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION);
 }
 
+TEST_F(CertVerifyProcTest, TestHasTooLongValidity) {
+  base::FilePath certs_dir = GetTestCertsDirectory();
+
+  scoped_refptr<X509Certificate> twitter =
+      ImportCertFromFile(certs_dir, "twitter-chain.pem");
+  EXPECT_FALSE(CertVerifyProc::HasTooLongValidity(*twitter));
+
+  scoped_refptr<X509Certificate> eleven_years =
+      ImportCertFromFile(certs_dir, "11_year_validity.pem");
+  EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*eleven_years));
+
+  scoped_refptr<X509Certificate> forty_months =
+      ImportCertFromFile(certs_dir, "40_months_after_2015_04.pem");
+  EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*forty_months));
+
+  scoped_refptr<X509Certificate> sixty_one_months =
+      ImportCertFromFile(certs_dir, "61_months_after_2012_07.pem");
+  EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*sixty_one_months));
+}
+
 TEST_F(CertVerifyProcTest, TestKnownRoot) {
   if (!SupportsDetectingKnownRoots()) {
-    LOG(INFO) << "Skipping this test in this platform.";
+    LOG(INFO) << "Skipping this test on this platform.";
     return;
   }
 
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
-      certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(2U, certs.size());
+      certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(3U, certs.size());
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[1]->os_cert_handle());
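Review bot: TestHasTooLongValidity has one accepting case and nothing that separates the three date tiers. Both `40_months_after_2015_04.pem` and `61_months_after_2012_07.pem` would still be rejected if every certificate were held to the 39-month limit, so the test cannot detect a wrong cutoff date. Add a certificate with notBefore between July 2012 and April 2015 and a validity between 40 and 60 months with `EXPECT_FALSE`, plus a pre-July-2012 case covering the 120-month and 1 July 2019 rule. The new fixtures are issued by `Test Root CA`, so the `is_issued_by_known_root` gate in Verify() is presumably not exercised here. TestKnownRoot's body continues outside this hunk.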
@@ -635,20 +655,18 @@
 
   int flags = 0;
   CertVerifyResult verify_result;
-  // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug
+  // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
   // against agl. See also PublicKeyHashes.
   int error = Verify(cert_chain.get(),
-                     "satveda.com",
+                     "twitter.com",
                      flags,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
   EXPECT_EQ(OK, error);
-  EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
   EXPECT_TRUE(verify_result.is_issued_by_known_root);
 }
 
-// The certse.pem certificate has been revoked. crbug.com/259723.
 TEST_F(CertVerifyProcTest, PublicKeyHashes) {
   if (!SupportsReturningVerifiedChain()) {
     LOG(INFO) << "Skipping this test in this platform.";
@@ -657,8 +675,8 @@
 
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
-      certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(2U, certs.size());
+      certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(3U, certs.size());
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[1]->os_cert_handle());
@@ -669,17 +687,16 @@
   int flags = 0;
   CertVerifyResult verify_result;
 
-  // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug
+  // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
   // against agl. See also TestKnownRoot.
   int error = Verify(cert_chain.get(),
-                     "satveda.com",
+                     "twitter.com",
                      flags,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
   EXPECT_EQ(OK, error);
-  EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
-  ASSERT_LE(2U, verify_result.public_key_hashes.size());
+  ASSERT_LE(3U, verify_result.public_key_hashes.size());
 
   HashValueVector sha1_hashes;
   for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) {
@@ -687,10 +704,10 @@
       continue;
     sha1_hashes.push_back(verify_result.public_key_hashes[i]);
   }
-  ASSERT_LE(2u, sha1_hashes.size());
+  ASSERT_LE(3u, sha1_hashes.size());
 
-  for (size_t i = 0; i < 2; ++i) {
-    EXPECT_EQ(HexEncode(kSatvedaSPKIs[i], base::kSHA1Length),
+  for (size_t i = 0; i < 3; ++i) {
+    EXPECT_EQ(HexEncode(kTwitterSPKIs[i], base::kSHA1Length),
               HexEncode(sha1_hashes[i].data(), base::kSHA1Length));
   }
 
@@ -700,10 +717,10 @@
       continue;
     sha256_hashes.push_back(verify_result.public_key_hashes[i]);
   }
-  ASSERT_LE(2u, sha256_hashes.size());
+  ASSERT_LE(3u, sha256_hashes.size());
 
-  for (size_t i = 0; i < 2; ++i) {
-    EXPECT_EQ(HexEncode(kSatvedaSPKIsSHA256[i], crypto::kSHA256Length),
+  for (size_t i = 0; i < 3; ++i) {
+    EXPECT_EQ(HexEncode(kTwitterSPKIsSHA256[i], crypto::kSHA256Length),
               HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length));
   }
 }
@@ -810,7 +827,7 @@
   }
 
   CertificateList cert_list = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "ok_cert.pem",
+      GetTestCertsDirectory(), "reject_intranet_hosts.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, cert_list.size());
   scoped_refptr<X509Certificate> cert(cert_list[0]);
diff --git a/net/data/ssl/certificates/11_year_validity.pem b/net/data/ssl/certificates/11_year_validity.pem
new file mode 100644
index 0000000..742da09
--- /dev/null
+++ b/net/data/ssl/certificates/11_year_validity.pem
@@ -0,0 +1,81 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 5 (0x5)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Test Root CA
+        Validity
+            Not Before: Oct 30 00:00:00 2014 GMT
+            Not After : Oct 27 19:26:19 2025 GMT
+        Subject: CN=xn--wgv71a119e.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bc:20:51:b0:06:00:cb:4d:f0:82:41:9e:a7:df:
+                    e0:15:cf:bc:e5:4b:13:5c:19:51:9d:6c:18:9b:e6:
+                    77:4e:94:01:64:41:57:33:0d:9b:67:23:2d:8c:22:
+                    3f:c2:a1:db:d0:ec:20:af:88:95:29:62:0c:74:76:
+                    fc:5b:26:d6:6d:f7:36:cf:b2:ed:64:5d:cc:c0:f6:
+                    54:3a:c3:89:b1:2a:6f:28:c9:11:05:74:f4:3e:bc:
+                    1f:e2:e6:04:ab:ad:8f:59:05:f2:03:3d:8e:fb:0c:
+                    9d:18:c1:12:f8:60:98:b3:e2:a5:ba:00:59:e5:e4:
+                    19:a1:d9:3b:b1:0a:77:10:e2:72:90:0e:93:50:d8:
+                    b2:f9:39:4b:14:80:4a:18:93:c8:d7:fb:b3:32:0c:
+                    af:c7:f3:d1:d5:48:87:9f:8f:ef:ff:8c:13:61:a5:
+                    17:32:9d:63:91:c6:93:e9:7c:66:ad:27:b7:9a:fa:
+                    49:b8:4c:68:c6:ff:18:94:62:4a:f5:03:e4:20:5a:
+                    7b:96:fd:d6:76:a7:73:9a:e6:ac:1e:9c:83:de:5c:
+                    ce:7d:67:2d:71:ad:33:fc:7e:ba:4a:1d:15:22:32:
+                    05:9c:65:c5:9d:fa:a5:16:9e:d2:85:fc:c7:a1:cb:
+                    ca:84:d2:bb:8d:11:7b:c3:0c:5f:e5:25:c3:4c:a2:
+                    cb:cb
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                C1:6A:E8:21:0E:C3:F4:D7:73:21:43:E3:B1:FA:65:2C:6F:2D:46:01
+            X509v3 Authority Key Identifier: 
+                keyid:CC:56:4D:CF:92:F0:A5:B8:36:08:B0:46:B5:84:E2:4A:00:56:20:57
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Subject Alternative Name: 
+                IP Address:127.0.0.1
+    Signature Algorithm: sha256WithRSAEncryption
+         d0:30:42:a6:35:ce:60:1c:10:56:d0:de:14:d2:8e:6b:97:4b:
+         0c:bc:5b:a0:ad:95:99:c1:a3:0b:61:06:e2:7b:7d:4f:94:09:
+         f1:d6:ca:2f:c9:c6:b3:96:4c:3e:0b:be:15:b2:1d:85:7c:f7:
+         c4:02:33:e5:c5:1b:99:c5:24:a6:34:e1:19:53:ff:7e:5b:0c:
+         be:cf:b7:32:86:6c:91:8a:ee:db:8e:ad:44:cf:d7:bc:97:a3:
+         ff:aa:d0:73:52:21:63:e1:7e:1e:06:58:c1:ac:76:ee:67:a8:
+         37:bd:a6:51:3d:53:ec:f5:a9:a3:e0:b1:3b:d3:7e:f7:2d:4e:
+         91:b0:77:a5:40:47:98:d9:04:66:83:71:dd:6f:91:f4:e7:6e:
+         f4:3c:89:a9:65:51:82:ac:43:f0:c0:e7:cf:4f:17:40:dd:10:
+         22:d7:e1:37:2d:44:31:d0:d7:d6:73:9f:83:ce:69:bd:50:0e:
+         e3:12:e4:21:84:da:ca:e0:10:5e:7c:4d:48:d4:72:49:d9:cd:
+         35:d3:34:92:d0:4c:a6:33:cc:a5:a4:a0:03:fe:0f:37:1b:f6:
+         59:aa:8d:c1:3a:0d:b7:f0:dc:d9:0d:b4:a8:8a:eb:d3:b1:e4:
+         d0:56:bf:99:6a:f4:a1:09:ff:6e:fd:c0:78:02:03:51:54:ee:
+         3a:a7:5e:3f
+-----BEGIN CERTIFICATE-----
+MIIDMDCCAhigAwIBAgIBBTANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IFJvb3QgQ0EwHhcNMTQxMDMwMDAwMDAwWhcNMjUxMDI3MTkyNjE5WjAdMRswGQYD
+VQQDDBJ4bi0td2d2NzFhMTE5ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC8IFGwBgDLTfCCQZ6n3+AVz7zlSxNcGVGdbBib5ndOlAFkQVczDZtn
+Iy2MIj/CodvQ7CCviJUpYgx0dvxbJtZt9zbPsu1kXczA9lQ6w4mxKm8oyREFdPQ+
+vB/i5gSrrY9ZBfIDPY77DJ0YwRL4YJiz4qW6AFnl5Bmh2TuxCncQ4nKQDpNQ2LL5
+OUsUgEoYk8jX+7MyDK/H89HVSIefj+//jBNhpRcynWORxpPpfGatJ7ea+km4TGjG
+/xiUYkr1A+QgWnuW/dZ2p3Oa5qwenIPeXM59Zy1xrTP8frpKHRUiMgWcZcWd+qUW
+ntKF/Mehy8qE0ruNEXvDDF/lJcNMosvLAgMBAAGjgYAwfjAMBgNVHRMBAf8EAjAA
+MB0GA1UdDgQWBBTBaughDsP013MhQ+Ox+mUsby1GATAfBgNVHSMEGDAWgBTMVk3P
+kvCluDYIsEa1hOJKAFYgVzAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
+DwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA0DBCpjXOYBwQVtDe
+FNKOa5dLDLxboK2VmcGjC2EG4nt9T5QJ8dbKL8nGs5ZMPgu+FbIdhXz3xAIz5cUb
+mcUkpjThGVP/flsMvs+3MoZskYru246tRM/XvJej/6rQc1IhY+F+HgZYwax27meo
+N72mUT1T7PWpo+CxO9N+9y1OkbB3pUBHmNkEZoNx3W+R9Odu9DyJqWVRgqxD8MDn
+z08XQN0QItfhNy1EMdDX1nOfg85pvVAO4xLkIYTayuAQXnxNSNRySdnNNdM0ktBM
+pjPMpaSgA/4PNxv2WaqNwToNt/Dc2Q20qIrr07Hk0Fa/mWr0oQn/bv3AeAIDUVTu
+OqdePw==
+-----END CERTIFICATE-----
diff --git a/net/data/ssl/certificates/40_months_after_2015_04.pem b/net/data/ssl/certificates/40_months_after_2015_04.pem
new file mode 100644
index 0000000..34128a96
--- /dev/null
+++ b/net/data/ssl/certificates/40_months_after_2015_04.pem
@@ -0,0 +1,81 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 6 (0x6)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Test Root CA
+        Validity
+            Not Before: Apr  2 00:00:00 2015 GMT
+            Not After : Sep  1 00:00:00 2018 GMT
+        Subject: CN=xn--wgv71a119e.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c1:86:e0:72:bf:df:69:da:78:b1:87:99:03:40:
+                    19:d1:8b:a9:a3:80:2e:75:25:27:c7:bc:dd:4b:8c:
+                    8d:11:b1:dd:24:68:12:8d:46:b8:45:19:fc:24:e8:
+                    2a:15:21:84:9d:a2:08:6b:3e:38:34:3f:29:00:5f:
+                    04:68:ed:33:4e:35:41:c3:06:54:f3:41:8b:61:83:
+                    3e:1b:78:59:6b:d2:c3:83:ea:16:99:1f:a7:1c:13:
+                    34:b5:25:c6:01:6d:34:b5:90:0f:7c:70:f0:ab:18:
+                    0c:59:a8:7f:ec:20:21:a7:7e:3b:b9:0c:bb:ef:a9:
+                    ce:1b:75:6d:ac:23:c1:56:c1:28:95:70:85:99:a3:
+                    94:86:ee:c6:45:97:af:29:e1:86:ee:b6:b3:95:97:
+                    4e:38:9a:03:a8:50:a8:21:ae:48:ae:dd:9a:89:0c:
+                    81:c6:98:b1:07:5f:55:44:26:6a:3a:cb:8c:d4:07:
+                    67:71:5d:b1:33:25:2a:ef:f8:af:6b:72:78:f1:9b:
+                    95:c6:3e:0c:57:77:5f:63:1f:99:1d:b0:a3:ac:f6:
+                    7d:65:04:7d:aa:f2:99:b9:6f:e7:75:01:34:ec:c5:
+                    60:b0:c1:bc:c1:f0:d9:10:28:fb:10:ac:ad:3f:ba:
+                    2f:40:96:c7:59:57:d8:f0:f2:c2:3d:96:bf:86:1f:
+                    95:55
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                DF:3C:D7:74:E3:7F:2B:EC:C9:44:98:6A:8B:E8:9B:46:23:9B:A4:3C
+            X509v3 Authority Key Identifier: 
+                keyid:98:AF:9A:51:3C:AB:23:88:17:DB:39:AB:FA:17:91:96:8B:83:C5:F1
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Subject Alternative Name: 
+                IP Address:127.0.0.1
+    Signature Algorithm: sha256WithRSAEncryption
+         45:0b:b9:a7:3d:d4:a7:c9:0e:d8:a1:df:bf:e0:93:26:c1:da:
+         48:ac:70:3b:15:82:30:c9:4d:0f:02:fc:ba:03:24:ab:df:10:
+         47:8e:14:ab:e9:20:95:91:56:41:bd:0c:2e:c9:7c:61:d9:69:
+         6c:9f:fb:25:eb:34:d4:7a:70:9c:36:ba:64:80:8b:4a:c4:8c:
+         23:92:8b:7c:b5:47:e9:f7:37:4c:e0:db:22:ad:67:d0:66:b6:
+         9e:01:9e:9f:6e:63:e1:5d:97:90:3f:e0:5c:4c:d5:f5:23:11:
+         b1:2e:db:c9:79:0f:37:7a:78:67:86:87:14:1b:ab:5b:65:67:
+         61:44:ab:43:c5:6e:19:83:99:64:23:d5:61:bc:4c:36:a2:59:
+         88:4a:69:18:57:33:c5:38:22:4b:33:64:77:43:81:47:55:f2:
+         b2:0f:dc:d3:0e:62:4f:19:6b:6b:89:37:33:3b:6a:d5:15:b6:
+         be:7f:03:ad:88:d2:e2:8e:9e:77:44:39:8e:93:b4:87:87:f6:
+         5a:5a:d1:20:94:cc:de:d9:9d:5c:7f:42:dd:81:ce:fa:77:23:
+         05:11:bd:8c:2e:06:c3:94:65:cf:8f:9b:db:9a:58:d7:e7:36:
+         ff:49:4a:9c:99:c7:3a:9a:d1:32:bb:a4:66:d2:80:7d:80:d7:
+         c9:1d:d7:e7
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/net/data/ssl/certificates/61_months_after_2012_07.pem b/net/data/ssl/certificates/61_months_after_2012_07.pem
new file mode 100644
index 0000000..49dc04e
--- /dev/null
+++ b/net/data/ssl/certificates/61_months_after_2012_07.pem
@@ -0,0 +1,81 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 7 (0x7)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Test Root CA
+        Validity
+            Not Before: Oct 30 00:00:00 2014 GMT
+            Not After : Nov  3 19:26:20 2019 GMT
+        Subject: CN=xn--wgv71a119e.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ca:83:f9:aa:c5:28:81:20:c9:a9:62:66:9b:10:
+                    75:c1:e7:9a:15:5b:ef:13:ce:c6:d1:aa:be:23:7b:
+                    ca:28:7b:bc:62:27:4a:9d:16:e0:ac:db:07:54:f1:
+                    3a:79:4f:24:4d:52:2c:35:12:aa:fd:cb:f7:98:5d:
+                    40:03:56:01:36:b1:1a:34:71:9c:98:5d:76:96:2f:
+                    91:ca:9f:49:e2:f0:1e:86:fc:d3:66:37:1a:27:b4:
+                    db:4d:b3:ca:85:04:59:b5:2f:35:32:d5:59:a6:31:
+                    f5:85:35:63:88:e5:0a:1b:3b:9a:7c:29:e2:6d:b3:
+                    ed:23:19:36:6d:62:fd:be:77:10:cc:69:2d:32:ce:
+                    98:59:29:ec:e4:27:e9:c2:ae:86:79:37:76:cb:ba:
+                    ee:86:5f:39:02:25:b2:50:aa:43:7e:77:fe:03:16:
+                    d1:05:56:b5:31:a0:0b:41:88:3e:69:b4:b9:89:70:
+                    d1:e5:7d:a7:77:ed:8d:13:db:20:3b:4b:c0:a0:6e:
+                    48:61:47:c2:6f:57:f4:4a:ac:bd:28:e3:0f:e4:40:
+                    3f:a3:05:86:46:1a:95:13:d1:be:76:69:92:d5:6b:
+                    71:59:1d:a0:fc:b7:4c:9a:e6:2b:f6:82:50:a9:35:
+                    19:9b:b4:3c:0d:0b:7a:10:0e:3d:84:2f:c3:68:61:
+                    2f:03
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                74:7C:2F:56:AE:BF:08:E2:6F:5B:D4:6C:B0:4C:04:3F:11:59:15:0E
+            X509v3 Authority Key Identifier: 
+                keyid:CC:56:4D:CF:92:F0:A5:B8:36:08:B0:46:B5:84:E2:4A:00:56:20:57
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Subject Alternative Name: 
+                IP Address:127.0.0.1
+    Signature Algorithm: sha256WithRSAEncryption
+         19:42:64:03:f7:2a:90:ee:82:93:de:69:49:28:32:42:ba:db:
+         37:16:0d:db:b3:81:ad:50:a8:b2:f7:20:35:e4:bb:89:7d:f3:
+         e5:75:7f:3e:bd:41:05:24:eb:5a:94:18:cc:c4:ac:d2:0a:24:
+         39:4b:2e:6d:a4:2f:99:6b:19:9e:c8:44:53:3f:15:52:c7:51:
+         af:37:64:a2:d7:27:74:72:6a:d0:cc:c0:ac:8b:7e:7c:0c:f1:
+         ee:e9:bf:03:19:20:e3:44:88:56:a2:1f:36:59:7f:35:22:13:
+         d1:48:a0:7a:59:16:85:df:31:e9:30:ae:df:54:b7:8b:78:a8:
+         20:27:5c:cc:0c:8b:43:65:4f:71:41:c2:5b:42:4a:a7:1b:f8:
+         44:e3:6b:50:1f:85:0f:e3:30:9a:5f:01:8a:19:80:b1:9d:d8:
+         34:c4:54:87:ff:ad:8a:56:d7:3b:9f:13:dd:0c:a5:b7:0d:a9:
+         a8:66:91:4a:0e:d4:7d:5c:40:39:5a:12:e1:ab:fc:88:9f:b7:
+         26:c7:11:f0:1b:7d:2d:29:77:20:97:0c:ea:14:d4:24:13:9f:
+         8f:b2:49:eb:3b:2b:79:d3:d2:ef:65:82:d7:75:09:26:61:9b:
+         ef:45:0d:95:65:1b:42:76:f6:db:98:fa:3f:45:c0:7b:8d:94:
+         9a:62:8a:88
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/net/data/ssl/certificates/README b/net/data/ssl/certificates/README
index 5d1faf2..c9e1dc5 100644
--- a/net/data/ssl/certificates/README
+++ b/net/data/ssl/certificates/README
@@ -129,8 +129,8 @@
 - expired_cert.pem
 - ok_cert.pem
 - root_ca_cert.pem
-     These certificates are the common certificates used by the Python test
-     server for simulating HTTPS connections.
+    These certificates are the common certificates used by the Python test
+    server for simulating HTTPS connections.
 
 - name_constraint_bad.pem
 - name_constraint_good.pem
@@ -147,6 +147,12 @@
 - punycodetest.pem : A test self-signed server certificate with punycode name.
      The common name is "xn--wgv71a119e.com" (日本語.com)
 
+- 40_months_after_2015_04.pem
+- 61_months_after_2012_07.pem
+- 11_year_validity.pem
+    Certs to test that the maximum validity durations set by the CA/Browser
+    Forum Baseline Requirements are enforced.
+
 ===== From net/data/ssl/scripts/generate-weak-test-chains.sh
 - 2048-rsa-root.pem
 - {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
@@ -252,5 +258,3 @@
      containing the intermediate, which can be served via a URLRequestFilter.
      aia-intermediate.der is stored in DER form for convenience, since that is
      the form expected of certificates discovered via AIA.
-
-
diff --git a/net/data/ssl/certificates/reject_intranet_hosts.pem b/net/data/ssl/certificates/reject_intranet_hosts.pem
new file mode 100644
index 0000000..d5040cc
--- /dev/null
+++ b/net/data/ssl/certificates/reject_intranet_hosts.pem
@@ -0,0 +1,69 @@
+Certificate:
+    Data:
+        Version: 1 (0x0)
+        Serial Number: 15207369410964614739 (0xd30b6de83cafee53)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
+        Validity
+            Not Before: Oct 31 19:51:55 2014 GMT
+            Not After : Oct 30 19:51:55 2017 GMT
+        Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:a0:5c:e4:0d:5d:e4:01:47:d8:8c:06:41:12:f8:
+                    63:a9:d9:41:3d:e9:75:ad:80:ae:e9:32:2a:d6:6a:
+                    42:7c:be:f5:1b:02:99:36:a4:dd:02:db:32:36:ab:
+                    ac:8b:c5:78:cb:a2:03:28:db:95:83:56:9a:03:f4:
+                    37:70:dc:16:56:d9:0a:c6:34:23:f5:58:36:21:c8:
+                    fd:b7:41:1e:2f:85:50:50:d9:76:c0:7d:9e:0d:d7:
+                    ad:df:94:06:c1:b6:a4:c9:ee:61:16:5a:54:c2:1d:
+                    5e:d9:79:73:4a:21:d0:d3:fe:88:ee:27:3a:5f:e6:
+                    a3:cf:89:44:93:80:64:53:50:36:98:c5:da:1f:87:
+                    1e:a1:2e:e0:5a:60:c7:80:a7:93:eb:b8:39:33:c3:
+                    d7:e7:2b:bd:9b:48:5d:a4:af:ee:7d:93:5a:d0:9f:
+                    3b:6d:a8:52:95:ce:d1:bf:0b:a4:60:34:ee:77:80:
+                    50:35:0d:af:eb:0f:48:69:ab:c7:87:a8:31:44:69:
+                    9c:21:d6:01:de:61:04:95:a4:85:d0:d6:2e:a6:7c:
+                    d1:fd:61:45:51:fd:bb:bc:be:6b:d3:87:54:50:b8:
+                    36:f8:f0:0f:a4:07:e0:28:86:13:5b:72:ae:5d:b3:
+                    a2:fa:b7:54:8d:c9:6a:b3:82:88:4f:40:6d:36:1a:
+                    f5:2d
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha256WithRSAEncryption
+         47:0d:cd:15:ec:51:89:2f:e0:d1:4e:04:7a:8e:cf:f5:16:ec:
+         11:55:bc:48:92:3b:98:60:ba:f1:97:98:a7:22:bf:9e:00:ac:
+         4a:5b:a7:e1:b5:aa:b7:20:c5:fc:85:d5:3f:cf:53:da:60:94:
+         75:93:78:87:e0:99:d7:f0:c7:35:e5:6d:82:f7:e7:23:e1:fe:
+         88:4d:f0:bf:3b:68:70:61:c1:e8:8d:e1:2a:c9:75:c9:28:66:
+         71:79:ff:58:a7:79:c3:1c:97:db:9c:3c:25:84:e0:c2:da:77:
+         08:9e:4e:9a:5a:c8:48:83:fe:74:41:73:13:46:c2:69:27:31:
+         71:d9:7d:40:46:43:59:6d:cd:54:d8:63:44:5b:5f:22:b9:8e:
+         2b:ba:99:d1:38:89:0c:ac:b8:f2:c2:b9:a2:67:ae:3d:56:b6:
+         c7:c0:cd:4c:e6:70:ce:8e:50:67:3c:93:c5:20:c2:45:66:e5:
+         79:7b:29:54:0e:fc:eb:39:75:51:54:5d:fc:69:ad:80:dc:88:
+         b0:6c:be:0c:e4:9f:e3:81:3c:aa:6b:b6:a6:34:b6:1e:f7:a9:
+         8a:3f:bd:3f:2e:e4:da:c0:27:cb:50:fd:8a:7f:44:bd:a3:70:
+         ad:4e:e4:1b:16:9a:fd:82:4d:55:26:06:ca:c7:25:49:fc:2b:
+         9e:54:87:7f
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/net/data/ssl/certificates/satveda.pem b/net/data/ssl/certificates/satveda.pem
deleted file mode 100644
index 4f79703..0000000
--- a/net/data/ssl/certificates/satveda.pem
+++ /dev/null
@@ -1,207 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 21120020890699950 (0x4b088c0ed6c8ae)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287
-        Validity
-            Not Before: Mar  9 07:19:24 2013 GMT
-            Not After : May 24 09:39:06 2019 GMT
-        Subject: OU=Domain Control Validated, CN=www.satveda.com
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:bb:e0:ea:82:8e:50:bf:ba:94:89:e3:f4:dc:b4:
-                    a1:06:91:c1:46:bc:33:37:74:e0:c6:71:e7:f0:09:
-                    ec:d8:8e:ac:48:82:3f:b6:b4:49:80:98:04:04:61:
-                    f7:ea:d2:ad:23:ed:2b:28:54:f2:14:e2:f4:84:88:
-                    9c:4f:d1:b1:1b:52:98:a6:3e:85:e3:eb:22:df:09:
-                    86:ff:14:9c:41:46:dd:13:ed:d9:f0:5d:a5:fe:7f:
-                    6f:31:6b:a0:50:a5:f2:9a:ba:ea:8c:77:4d:1c:64:
-                    82:7a:ea:f4:54:5b:f3:92:81:5e:5c:b1:04:da:c1:
-                    d6:72:7d:e1:e5:ec:ad:53:ae:3d:14:21:44:2e:67:
-                    f3:a2:c9:7d:9e:0b:98:4d:89:fc:c8:1e:a6:00:45:
-                    8b:b6:a7:b9:dc:5e:5a:ff:0c:52:c6:92:7e:60:08:
-                    d4:8d:34:6c:00:98:bc:43:e9:7b:e1:92:0b:f5:81:
-                    f0:48:09:18:5a:35:8a:e2:74:f2:9d:da:48:b0:7d:
-                    02:f8:a4:2b:5e:a0:22:cf:a0:15:9f:fb:ca:4d:8c:
-                    f3:26:cb:62:74:a3:04:6e:e2:38:aa:0a:19:42:e8:
-                    e3:57:a5:d3:97:64:38:31:89:3e:af:93:af:d6:e3:
-                    60:c1:c3:6a:9c:58:da:16:60:c7:78:01:cf:dc:7c:
-                    e1:11
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:FALSE
-            X509v3 Extended Key Usage: 
-                TLS Web Server Authentication, TLS Web Client Authentication
-            X509v3 Key Usage: critical
-                Digital Signature, Key Encipherment
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://crl.godaddy.com/gds1-87.crl
-
-            X509v3 Certificate Policies: 
-                Policy: 2.16.840.1.114413.1.7.23.1
-                  CPS: http://certificates.godaddy.com/repository/
-
-            Authority Information Access: 
-                OCSP - URI:http://ocsp.godaddy.com/
-                CA Issuers - URI:http://certificates.godaddy.com/repository/gd_intermediate.crt
-
-            X509v3 Authority Key Identifier: 
-                keyid:FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7
-
-            X509v3 Subject Alternative Name: 
-                DNS:www.satveda.com, DNS:satveda.com
-            X509v3 Subject Key Identifier: 
-                A7:39:2E:DC:0F:22:D5:D6:C6:B1:3B:35:65:3D:0D:B1:75:5B:F7:69
-    Signature Algorithm: sha1WithRSAEncryption
-         15:a9:fd:28:f6:cd:d1:f0:2d:d7:1c:df:b5:48:5c:c5:2c:44:
-         59:ad:ba:3d:bc:08:30:6f:50:a4:9f:0b:05:28:d7:5e:62:87:
-         f9:5d:24:c0:b1:ce:a1:d2:eb:aa:77:9b:01:21:1b:56:dd:e5:
-         32:18:38:44:24:60:76:14:4d:4a:6a:d2:37:8b:64:45:5a:ba:
-         4f:bf:b0:33:dd:f6:59:dc:fd:47:a9:3b:4f:29:65:3d:a4:0e:
-         c7:89:22:48:e7:6b:e4:38:b7:d4:e2:27:1f:22:9c:99:b0:bd:
-         b4:59:6d:8d:53:30:fa:28:ef:6c:66:b8:af:6c:9b:93:52:72:
-         37:b3:2f:c1:bd:73:22:b4:2e:fa:08:fd:0c:95:89:21:eb:01:
-         34:82:18:15:12:3c:a1:2c:d9:fc:f3:f9:48:1f:09:44:18:b8:
-         7a:5b:57:ea:10:62:59:90:8c:dc:6f:52:f2:2a:a2:da:fc:2d:
-         b4:8a:fb:11:cd:60:da:f9:dd:31:08:31:04:11:81:4e:4b:8a:
-         81:40:70:5e:00:99:87:cb:d6:e0:d8:85:fe:4a:2e:97:99:a0:
-         3d:6e:6f:26:a9:4d:e6:97:cb:c5:09:ef:49:24:c7:96:27:7e:
-         bf:e4:cb:02:f8:00:63:43:7f:ca:05:75:d2:89:7a:f0:25:52:
-         ac:47:fb:e6
------BEGIN CERTIFICATE-----
-MIIFRTCCBC2gAwIBAgIHSwiMDtbIrjANBgkqhkiG9w0BAQUFADCByjELMAkGA1UE
-BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY
-BgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlm
-aWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5
-IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5Njky
-ODcwHhcNMTMwMzA5MDcxOTI0WhcNMTkwNTI0MDkzOTA2WjA9MSEwHwYDVQQLExhE
-b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxGDAWBgNVBAMTD3d3dy5zYXR2ZWRhLmNv
-bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALvg6oKOUL+6lInj9Ny0
-oQaRwUa8Mzd04MZx5/AJ7NiOrEiCP7a0SYCYBARh9+rSrSPtKyhU8hTi9ISInE/R
-sRtSmKY+hePrIt8Jhv8UnEFG3RPt2fBdpf5/bzFroFCl8pq66ox3TRxkgnrq9FRb
-85KBXlyxBNrB1nJ94eXsrVOuPRQhRC5n86LJfZ4LmE2J/MgepgBFi7anudxeWv8M
-UsaSfmAI1I00bACYvEPpe+GSC/WB8EgJGFo1iuJ08p3aSLB9AvikK16gIs+gFZ/7
-yk2M8ybLYnSjBG7iOKoKGULo41el05dkODGJPq+Tr9bjYMHDapxY2hZgx3gBz9x8
-4RECAwEAAaOCAbowggG2MA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYB
-BQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAzBgNVHR8ELDAqMCigJqAk
-hiJodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkczEtODcuY3JsMFMGA1UdIARMMEow
-SAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRl
-cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYIKwYBBQUHAQEEdDByMCQGCCsG
-AQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wSgYIKwYBBQUHMAKGPmh0
-dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZF9pbnRl
-cm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKTbEXW4u6FX5q653aZaMznMCcG
-A1UdEQQgMB6CD3d3dy5zYXR2ZWRhLmNvbYILc2F0dmVkYS5jb20wHQYDVR0OBBYE
-FKc5LtwPItXWxrE7NWU9DbF1W/dpMA0GCSqGSIb3DQEBBQUAA4IBAQAVqf0o9s3R
-8C3XHN+1SFzFLERZrbo9vAgwb1CknwsFKNdeYof5XSTAsc6h0uuqd5sBIRtW3eUy
-GDhEJGB2FE1KatI3i2RFWrpPv7Az3fZZ3P1HqTtPKWU9pA7HiSJI52vkOLfU4icf
-IpyZsL20WW2NUzD6KO9sZrivbJuTUnI3sy/BvXMitC76CP0MlYkh6wE0ghgVEjyh
-LNn88/lIHwlEGLh6W1fqEGJZkIzcb1LyKqLa/C20ivsRzWDa+d0xCDEEEYFOS4qB
-QHBeAJmHy9bg2IX+Si6XmaA9bm8mqU3ml8vFCe9JJMeWJ36/5MsC+ABjQ3/KBXXS
-iXrwJVKsR/vm
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 769 (0x301)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
-        Validity
-            Not Before: Nov 16 01:54:37 2006 GMT
-            Not After : Nov 16 01:54:37 2026 GMT
-        Subject: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:c4:2d:d5:15:8c:9c:26:4c:ec:32:35:eb:5f:b8:
-                    59:01:5a:a6:61:81:59:3b:70:63:ab:e3:dc:3d:c7:
-                    2a:b8:c9:33:d3:79:e4:3a:ed:3c:30:23:84:8e:b3:
-                    30:14:b6:b2:87:c3:3d:95:54:04:9e:df:99:dd:0b:
-                    25:1e:21:de:65:29:7e:35:a8:a9:54:eb:f6:f7:32:
-                    39:d4:26:55:95:ad:ef:fb:fe:58:86:d7:9e:f4:00:
-                    8d:8c:2a:0c:bd:42:04:ce:a7:3f:04:f6:ee:80:f2:
-                    aa:ef:52:a1:69:66:da:be:1a:ad:5d:da:2c:66:ea:
-                    1a:6b:bb:e5:1a:51:4a:00:2f:48:c7:98:75:d8:b9:
-                    29:c8:ee:f8:66:6d:0a:9c:b3:f3:fc:78:7c:a2:f8:
-                    a3:f2:b5:c3:f3:b9:7a:91:c1:a7:e6:25:2e:9c:a8:
-                    ed:12:65:6e:6a:f6:12:44:53:70:30:95:c3:9c:2b:
-                    58:2b:3d:08:74:4a:f2:be:51:b0:bf:87:d0:4c:27:
-                    58:6b:b5:35:c5:9d:af:17:31:f8:0b:8f:ee:ad:81:
-                    36:05:89:08:98:cf:3a:af:25:87:c0:49:ea:a7:fd:
-                    67:f7:45:8e:97:cc:14:39:e2:36:85:b5:7e:1a:37:
-                    fd:16:f6:71:11:9a:74:30:16:fe:13:94:a3:3f:84:
-                    0d:4f
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7
-            X509v3 Authority Key Identifier: 
-                keyid:D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3
-
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:0
-            Authority Information Access: 
-                OCSP - URI:http://ocsp.godaddy.com
-
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://certificates.godaddy.com/repository/gdroot.crl
-
-            X509v3 Certificate Policies: 
-                Policy: X509v3 Any Policy
-                  CPS: http://certificates.godaddy.com/repository
-
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-    Signature Algorithm: sha1WithRSAEncryption
-         d2:86:c0:ec:bd:f9:a1:b6:67:ee:66:0b:a2:06:3a:04:50:8e:
-         15:72:ac:4a:74:95:53:cb:37:cb:44:49:ef:07:90:6b:33:d9:
-         96:f0:94:56:a5:13:30:05:3c:85:32:21:7b:c9:c7:0a:a8:24:
-         a4:90:de:46:d3:25:23:14:03:67:c2:10:d6:6f:0f:5d:7b:7a:
-         cc:9f:c5:58:2a:c1:c4:9e:21:a8:5a:f3:ac:a4:46:f3:9e:e4:
-         63:cb:2f:90:a4:29:29:01:d9:72:2c:29:df:37:01:27:bc:4f:
-         ee:68:d3:21:8f:c0:b3:e4:f5:09:ed:d2:10:aa:53:b4:be:f0:
-         cc:59:0b:d6:3b:96:1c:95:24:49:df:ce:ec:fd:a7:48:91:14:
-         45:0e:3a:36:6f:da:45:b3:45:a2:41:c9:d4:d7:44:4e:3e:b9:
-         74:76:d5:a2:13:55:2c:c6:87:a3:b5:99:ac:06:84:87:7f:75:
-         06:fc:bf:14:4c:0e:cc:6e:c4:df:3d:b7:12:71:f4:e8:f1:51:
-         40:22:28:49:e0:1d:4b:87:a8:34:cc:06:a2:dd:12:5a:d1:86:
-         36:64:03:35:6f:6f:77:6e:eb:f2:85:50:98:5e:ab:03:53:ad:
-         91:23:63:1f:16:9c:cd:b9:b2:05:63:3a:e1:f4:68:1b:17:05:
-         35:95:53:ee
------BEGIN CERTIFICATE-----
-MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVMx
-ITAfBgNVBAoTGFRoZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28g
-RGFkZHkgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjExMTYw
-MTU0MzdaFw0yNjExMTYwMTU0MzdaMIHKMQswCQYDVQQGEwJVUzEQMA4GA1UECBMH
-QXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEaMBgGA1UEChMRR29EYWRkeS5j
-b20sIEluYy4xMzAxBgNVBAsTKmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5j
-b20vcmVwb3NpdG9yeTEwMC4GA1UEAxMnR28gRGFkZHkgU2VjdXJlIENlcnRpZmlj
-YXRpb24gQXV0aG9yaXR5MREwDwYDVQQFEwgwNzk2OTI4NzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMQt1RWMnCZM7DI161+4WQFapmGBWTtwY6vj3D3H
-KrjJM9N55DrtPDAjhI6zMBS2sofDPZVUBJ7fmd0LJR4h3mUpfjWoqVTr9vcyOdQm
-VZWt7/v+WIbXnvQAjYwqDL1CBM6nPwT27oDyqu9SoWlm2r4arV3aLGbqGmu75RpR
-SgAvSMeYddi5Kcju+GZtCpyz8/x4fKL4o/K1w/O5epHBp+YlLpyo7RJlbmr2EkRT
-cDCVw5wrWCs9CHRK8r5RsL+H0EwnWGu1NcWdrxcx+AuP7q2BNgWJCJjPOq8lh8BJ
-6qf9Z/dFjpfMFDniNoW1fho3/Rb2cRGadDAW/hOUoz+EDU8CAwEAAaOCATIwggEu
-MB0GA1UdDgQWBBT9rGEyk2xF1uLuhV+auud2mWjM5zAfBgNVHSMEGDAWgBTSxLDS
-kdRMEXGzYcs9of7dqGrU4zASBgNVHRMBAf8ECDAGAQH/AgEAMDMGCCsGAQUFBwEB
-BCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZ29kYWRkeS5jb20wRgYDVR0f
-BD8wPTA7oDmgN4Y1aHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBv
-c2l0b3J5L2dkcm9vdC5jcmwwSwYDVR0gBEQwQjBABgRVHSAAMDgwNgYIKwYBBQUH
-AgEWKmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeTAO
-BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBANKGwOy9+aG2Z+5mC6IG
-OgRQjhVyrEp0lVPLN8tESe8HkGsz2ZbwlFalEzAFPIUyIXvJxwqoJKSQ3kbTJSMU
-A2fCENZvD117esyfxVgqwcSeIaha86ykRvOe5GPLL5CkKSkB2XIsKd83ASe8T+5o
-0yGPwLPk9Qnt0hCqU7S+8MxZC9Y7lhyVJEnfzuz9p0iRFEUOOjZv2kWzRaJBydTX
-RE4+uXR21aITVSzGh6O1mawGhId/dQb8vxRMDsxuxN89txJx9OjxUUAiKEngHUuH
-qDTMBqLdElrRhjZkAzVvb3du6/KFUJheqwNTrZEjYx8WnM25sgVjOuH0aBsXBTWV
-U+4=
------END CERTIFICATE-----
diff --git a/net/data/ssl/certificates/twitter-chain.pem b/net/data/ssl/certificates/twitter-chain.pem
new file mode 100644
index 0000000..0d66f4a
--- /dev/null
+++ b/net/data/ssl/certificates/twitter-chain.pem
@@ -0,0 +1,302 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            1a:c8:5e:b7:ae:c3:51:3c:d8:0d:85:38:5e:cf:d2:08
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 EV SSL CA - G3
+        Validity
+            Not Before: Sep 10 00:00:00 2014 GMT
+            Not After : May  9 23:59:59 2016 GMT
+        Subject: 1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446, C=US/postalCode=94103-1307, ST=California, L=San Francisco/street=1355 Market St, O=Twitter, Inc., OU=Twitter Security, CN=twitter.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e3:ac:59:34:07:dc:11:f8:1c:ca:b3:0f:93:44:
+                    8a:54:34:76:90:6a:c0:22:00:be:95:9a:da:58:3c:
+                    6c:38:31:a2:a2:1f:3b:64:e2:9d:e0:f5:c2:ab:07:
+                    90:5b:7c:fe:f9:88:8c:6a:9d:69:3b:e0:23:65:b7:
+                    11:d6:e8:88:d6:3e:6d:8b:ed:ca:ea:58:0b:fe:4d:
+                    bf:2a:95:ca:bb:21:bb:ce:d6:e2:10:02:11:21:68:
+                    26:f7:92:7e:9c:a3:80:b1:82:d7:e5:a6:a0:86:47:
+                    42:1a:c6:5b:04:d9:c3:b5:b2:9b:38:d4:a1:6d:3b:
+                    bd:d8:05:f0:51:9b:bd:95:77:7f:e9:02:8e:60:a3:
+                    7a:65:20:52:23:db:8d:01:27:24:c2:00:66:0d:14:
+                    66:b3:52:2b:cc:6b:5b:a5:44:2f:e2:40:6d:da:21:
+                    a1:92:5a:57:12:d3:47:01:ef:e9:df:af:c6:91:8c:
+                    21:af:77:65:13:36:1c:63:7a:2d:05:e6:63:c5:0b:
+                    d8:39:e9:ac:f2:3b:ff:9d:c5:a7:46:0a:6e:1a:66:
+                    10:1e:4a:e7:ba:c7:89:79:1f:ae:f1:f3:84:03:ca:
+                    e7:50:8a:19:63:bf:3c:20:10:78:c5:f4:53:3c:7d:
+                    5e:0d:af:96:70:89:92:b9:7f:9a:19:0c:f6:78:6a:
+                    8f:73
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:twitter.com, DNS:www.twitter.com
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Certificate Policies: 
+                Policy: 2.16.840.1.113733.1.7.23.6
+                  CPS: https://d.symcb.com/cps
+                  User Notice:
+                    Explicit Text: https://d.symcb.com/rpa
+
+            X509v3 Authority Key Identifier: 
+                keyid:01:59:AB:E7:DD:3A:0B:59:A6:64:63:D6:CF:20:07:57:D5:91:E7:6A
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://sr.symcb.com/sr.crl
+
+            Authority Information Access: 
+                OCSP - URI:http://sr.symcd.com
+                CA Issuers - URI:http://sr.symcb.com/sr.crt
+
+    Signature Algorithm: sha256WithRSAEncryption
+         d1:53:68:e9:d6:20:d0:56:7a:10:80:b8:e9:7e:00:c9:9e:d5:
+         35:4a:a2:d2:a0:16:8a:e2:fb:eb:96:88:77:c2:6e:35:f4:a7:
+         a9:aa:dc:35:7b:c6:7d:5e:3c:f6:c9:5b:a0:d1:58:ae:7d:96:
+         e7:54:02:5c:69:1b:56:92:26:ad:06:2c:c1:5a:ff:59:f3:8a:
+         8c:94:32:0d:1a:42:d1:6e:bc:1c:bd:a8:c6:08:01:1b:73:17:
+         93:28:30:ae:ce:4d:4e:2d:4b:bf:22:af:9a:61:32:7a:a8:68:
+         25:19:3c:6d:fb:67:cc:29:3f:5b:f5:d1:af:4c:bf:67:a3:60:
+         c4:dd:b0:fb:83:55:6d:b5:2c:a9:7d:34:ad:b0:08:c7:2c:f0:
+         cb:4c:d8:2b:79:f4:e9:da:7f:6e:c0:de:55:7c:d6:d6:47:cf:
+         c4:90:ef:4f:be:eb:c9:3d:05:71:6b:5e:c7:36:8d:4f:0c:3c:
+         47:83:a5:11:88:22:f8:46:e0:f8:9b:1a:fe:e9:a2:df:90:81:
+         10:71:f3:97:9c:b7:69:60:77:20:d6:87:85:ee:5a:77:d2:92:
+         ec:d9:5d:1f:31:3b:3a:e2:5b:35:d1:92:36:db:44:d4:79:d9:
+         6c:03:24:87:5d:c3:86:c6:10:e2:ea:65:7c:cf:b8:ef:c2:31:
+         02:55:72:12
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            7e:e1:4a:6f:6f:ef:f2:d3:7f:3f:ad:65:4d:3a:da:b4
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
+        Validity
+            Not Before: Oct 31 00:00:00 2013 GMT
+            Not After : Oct 30 23:59:59 2023 GMT
+        Subject: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 EV SSL CA - G3
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:d8:a1:65:74:23:e8:2b:64:e2:32:d7:33:37:3d:
+                    8e:f5:34:16:48:dd:4f:7f:87:1c:f8:44:23:13:8e:
+                    fb:11:d8:44:5a:18:71:8e:60:16:26:92:9b:fd:17:
+                    0b:e1:71:70:42:fe:bf:fa:1c:c0:aa:a3:a7:b5:71:
+                    e8:ff:18:83:f6:df:10:0a:13:62:c8:3d:9c:a7:de:
+                    2e:3f:0c:d9:1d:e7:2e:fb:2a:ce:c8:9a:7f:87:bf:
+                    d8:4c:04:15:32:c9:d1:cc:95:71:a0:4e:28:4f:84:
+                    d9:35:fb:e3:86:6f:94:53:e6:72:8a:63:67:2e:be:
+                    69:f6:f7:6e:8e:9c:60:04:eb:29:fa:c4:47:42:d2:
+                    78:98:e3:ec:0b:a5:92:dc:b7:9a:bd:80:64:2b:38:
+                    7c:38:09:5b:66:f6:2d:95:7a:86:b2:34:2e:85:9e:
+                    90:0e:5f:b7:5d:a4:51:72:46:70:13:bf:67:f2:b6:
+                    a7:4d:14:1e:6c:b9:53:ee:23:1a:4e:8d:48:55:43:
+                    41:b1:89:75:6a:40:28:c5:7d:dd:d2:6e:d2:02:19:
+                    2f:7b:24:94:4b:eb:f1:1a:a9:9b:e3:23:9a:ea:fa:
+                    33:ab:0a:2c:b7:f4:60:08:dd:9f:1c:cd:dd:2d:01:
+                    66:80:af:b3:2f:29:1d:23:b8:8a:e1:a1:70:07:0c:
+                    34:0f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            Authority Information Access: 
+                OCSP - URI:http://s2.symcb.com
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Certificate Policies: 
+                Policy: X509v3 Any Policy
+                  CPS: http://www.symauth.com/cps
+                  User Notice:
+                    Explicit Text: http://www.symauth.com/rpa
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://s1.symcb.com/pca3-g5.crl
+
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Subject Alternative Name: 
+                DirName:/CN=SymantecPKI-1-533
+            X509v3 Subject Key Identifier: 
+                01:59:AB:E7:DD:3A:0B:59:A6:64:63:D6:CF:20:07:57:D5:91:E7:6A
+            X509v3 Authority Key Identifier: 
+                keyid:7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33
+
+    Signature Algorithm: sha256WithRSAEncryption
+         42:01:55:7b:d0:16:1a:5d:58:e8:bb:9b:a8:4d:d7:f3:d7:eb:
+         13:94:86:d6:7f:21:0b:47:bc:57:9b:92:5d:4f:05:9f:38:a4:
+         10:7c:cf:83:be:06:43:46:8d:08:bc:6a:d7:10:a6:fa:ab:af:
+         2f:61:a8:63:f2:65:df:7f:4c:88:12:88:4f:b3:69:d9:ff:27:
+         c0:0a:97:91:8f:56:fb:89:c4:a8:bb:92:2d:1b:73:b0:c6:ab:
+         36:f4:96:6c:20:08:ef:0a:1e:66:24:45:4f:67:00:40:c8:07:
+         54:74:33:3b:a6:ad:bb:23:9f:66:ed:a2:44:70:34:fb:0e:ea:
+         01:fd:cf:78:74:df:a7:ad:55:b7:5f:4d:f6:d6:3f:e0:86:ce:
+         24:c7:42:a9:13:14:44:35:4b:b6:df:c9:60:ac:0c:7f:d9:93:
+         21:4b:ee:9c:e4:49:02:98:d3:60:7b:5c:bc:d5:30:2f:07:ce:
+         44:42:c4:0b:99:fe:e6:9f:fc:b0:78:86:51:6d:d1:2c:9d:c6:
+         96:fb:85:82:bb:04:2f:f7:62:80:ef:62:da:7f:f6:0e:ac:90:
+         b8:56:bd:79:3f:f2:80:6e:a3:d9:b9:0f:5d:3a:07:1d:91:93:
+         86:4b:29:4c:e1:dc:b5:e1:e0:33:9d:b3:cb:36:91:4b:fe:a1:
+         b4:ee:f0:f9
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
+        Validity
+            Not Before: Nov  8 00:00:00 2006 GMT
+            Not After : Jul 16 23:59:59 2036 GMT
+        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:af:24:08:08:29:7a:35:9e:60:0c:aa:e7:4b:3b:
+                    4e:dc:7c:bc:3c:45:1c:bb:2b:e0:fe:29:02:f9:57:
+                    08:a3:64:85:15:27:f5:f1:ad:c8:31:89:5d:22:e8:
+                    2a:aa:a6:42:b3:8f:f8:b9:55:b7:b1:b7:4b:b3:fe:
+                    8f:7e:07:57:ec:ef:43:db:66:62:15:61:cf:60:0d:
+                    a4:d8:de:f8:e0:c3:62:08:3d:54:13:eb:49:ca:59:
+                    54:85:26:e5:2b:8f:1b:9f:eb:f5:a1:91:c2:33:49:
+                    d8:43:63:6a:52:4b:d2:8f:e8:70:51:4d:d1:89:69:
+                    7b:c7:70:f6:b3:dc:12:74:db:7b:5d:4b:56:d3:96:
+                    bf:15:77:a1:b0:f4:a2:25:f2:af:1c:92:67:18:e5:
+                    f4:06:04:ef:90:b9:e4:00:e4:dd:3a:b5:19:ff:02:
+                    ba:f4:3c:ee:e0:8b:eb:37:8b:ec:f4:d7:ac:f2:f6:
+                    f0:3d:af:dd:75:91:33:19:1d:1c:40:cb:74:24:19:
+                    21:93:d9:14:fe:ac:2a:52:c7:8f:d5:04:49:e4:8d:
+                    63:47:88:3c:69:83:cb:fe:47:bd:2b:7e:4f:c5:95:
+                    ae:0e:9d:d4:d1:43:c0:67:73:e3:14:08:7e:e5:3f:
+                    9f:73:b8:33:0a:cf:5d:3f:34:87:96:8a:ee:53:e8:
+                    25:15
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            1.3.6.1.5.5.7.1.12: 
+                0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
+            X509v3 Subject Key Identifier: 
+                7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33
+    Signature Algorithm: sha1WithRSAEncryption
+         93:24:4a:30:5f:62:cf:d8:1a:98:2f:3d:ea:dc:99:2d:bd:77:
+         f6:a5:79:22:38:ec:c4:a7:a0:78:12:ad:62:0e:45:70:64:c5:
+         e7:97:66:2d:98:09:7e:5f:af:d6:cc:28:65:f2:01:aa:08:1a:
+         47:de:f9:f9:7c:92:5a:08:69:20:0d:d9:3e:6d:6e:3c:0d:6e:
+         d8:e6:06:91:40:18:b9:f8:c1:ed:df:db:41:aa:e0:96:20:c9:
+         cd:64:15:38:81:c9:94:ee:a2:84:29:0b:13:6f:8e:db:0c:dd:
+         25:02:db:a4:8b:19:44:d2:41:7a:05:69:4a:58:4f:60:ca:7e:
+         82:6a:0b:02:aa:25:17:39:b5:db:7f:e7:84:65:2a:95:8a:bd:
+         86:de:5e:81:16:83:2d:10:cc:de:fd:a8:82:2a:6d:28:1f:0d:
+         0b:c4:e5:e7:1a:26:19:e1:f4:11:6f:10:b5:95:fc:e7:42:05:
+         32:db:ce:9d:51:5e:28:b6:9e:85:d3:5b:ef:a5:7d:45:40:72:
+         8e:b7:0e:6b:0e:06:fb:33:35:48:71:b8:9d:27:8b:c4:65:5f:
+         0d:86:76:9c:44:7a:f6:95:5c:f6:5d:32:08:33:a4:54:b6:18:
+         3f:68:5c:f2:42:4a:85:38:54:83:5f:d1:e8:2c:f2:ac:11:d6:
+         a8:ed:63:6a
+-----BEGIN CERTIFICATE-----
+MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB
+yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
+ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
+U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
+ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL
+MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
+ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln
+biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp
+U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y
+aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1
+nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex
+t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz
+SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG
+BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+
+rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/
+NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
+BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH
+BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy
+aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv
+MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE
+p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y
+5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK
+WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ
+4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N
+hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq
+-----END CERTIFICATE-----
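Review bot: The leaf certificate in this fixture carries `Not After : May  9 23:59:59 2016 GMT`, so any test that validates twitter-chain.pem against the system clock will start returning a date error after that day. The tests that load the file are not visible here, so this may already be handled by ignoring date errors or by a fixed verification time. The removed satveda.pem leaf ran until 2019 but spans more than six years, which is presumably why it could not stay once over-long validity is rejected. I would record the expiry where the fixture is loaded, for example `// twitter-chain.pem: leaf expires 2016-05-09; replace with a chain that still passes the validity-length check before then`.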
diff --git a/net/data/ssl/scripts/generate-test-certs.sh b/net/data/ssl/scripts/generate-test-certs.sh
index d62bb988a..c94ca6c 100755
--- a/net/data/ssl/scripts/generate-test-certs.sh
+++ b/net/data/ssl/scripts/generate-test-certs.sh
@@ -124,7 +124,51 @@
 SUBJECT_NAME="req_punycode_dn" \
   try openssl req -x509 -days 3650 -extensions req_punycode \
     -config ../scripts/ee.cnf -newkey rsa:2048 -text \
-     -out ../certificates/punycodetest.pem
+    -out ../certificates/punycodetest.pem
+
+## Reject intranet hostnames in "publicly" trusted certs
+# 365 * 3 = 1095
+SUBJECT_NAME="req_dn" \
+  try openssl req -x509 -days 1095 \
+    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
+    -out ../certificates/reject_intranet_hosts.pem
+
+## Validity too long
+# 365 * 11 = 4015
+try openssl req -config ../scripts/ee.cnf \
+  -newkey rsa:2048 -text -out ../certificates/11_year_validity.req
+CA_COMMON_NAME="Test Root CA" \
+  try openssl ca \
+    -batch \
+    -extensions user_cert \
+    -startdate 141030000000Z \
+    -days 4015 \
+    -in ../certificates/11_year_validity.req \
+    -out ../certificates/11_year_validity.pem \
+    -config ca.cnf
+try openssl req -config ../scripts/ee.cnf \
+  -newkey rsa:2048 -text -out ../certificates/40_months_after_2015_04.req
+CA_COMMON_NAME="Test Root CA" \
+  try openssl ca \
+    -batch \
+    -extensions user_cert \
+    -startdate 150402000000Z \
+    -enddate 180901000000Z \
+    -in ../certificates/40_months_after_2015_04.req \
+    -out ../certificates/40_months_after_2015_04.pem \
+    -config ca.cnf
+try openssl req -config ../scripts/ee.cnf \
+  -newkey rsa:2048 -text -out ../certificates/61_months_after_2012_07.req
+# 30 * 61 = 1830
+CA_COMMON_NAME="Test Root CA" \
+  try openssl ca \
+    -batch \
+    -extensions user_cert \
+    -startdate 141030000000Z \
+    -days 1830 \
+    -in ../certificates/61_months_after_2012_07.req \
+    -out ../certificates/61_months_after_2012_07.pem \
+    -config ca.cnf
 
 # Regenerate CRLSets
 ## Block a leaf cert directly by SPKI
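Review bot: `-days 1830` for 61_months_after_2012_07.pem (from `# 30 * 61 = 1830`) treats every month as 30 days, so with `-startdate 141030000000Z` the certificate ends, by my count, in the first days of November 2019. That is only a few days past 60 calendar months. Whether it is seen as exceeding 60 months depends on how the validity check rounds partial months, which is outside this hunk; a check that counts whole elapsed months would see exactly 60, and the negative test would no longer exercise the limit. Pinning the end date as the 40_months case does removes the dependency, e.g. `-enddate 191201000000Z` in place of `-days 1830`.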
diff --git a/net/test/test_certificate_data.h b/net/test/test_certificate_data.h
index 3ccda5e..17de41f 100644
--- a/net/test/test_certificate_data.h
+++ b/net/test/test_certificate_data.h
@@ -9,22 +9,26 @@
     "\x15\x60\xde\x65\x4e\x03\x9f\xd0\x08\x82"
     "\xa9\x6a\xc4\x65\x8e\x6f\x92\x06\x84\x35";
 
-// kSatvedaSPKIs contains the SHA1 hashes of the SPKIs of the satveda.pem
+// kTwitterSPKIs contains the SHA1 hashes of the SPKIs of the twitter-chain.pem
 // certificate chain, in order.
-static const char kSatvedaSPKIs[2][21] = {
-  "\xd6\x2d\x7a\x12\x02\x7f\x9b\x8e\x4f\x2b"
-  "\x07\xc5\xfb\xf9\x2a\x2e\x9a\xcc\x0e\xe3",
-  "\xba\x2e\xb5\xa8\x3e\x13\x23\xd9\x53\x4b"
-  "\x5e\x65\xbc\xe7\xa3\x13\x5d\xd0\xa9\x96",
+static const char kTwitterSPKIs[3][21] = {
+  "\x26\x9a\x19\xa3\x88\x28\xc1\xdd\x70\x1b"
+  "\xa0\xca\x2c\x98\xdb\xc6\xe1\x4f\x37\x3e",
+  "\x47\x49\xdf\x16\x57\xf4\x6c\x8b\xd2\x8c"
+  "\x79\x1b\x99\xfb\x9f\x28\x81\x2a\x60\xe0",
+  "\xb1\x81\x08\x1a\x19\xa4\xc0\x94\x1f\xfa"
+  "\xe8\x95\x28\xc1\x24\xc9\x9b\x34\xac\xc7",
 };
 
-// kSatvedaSPKIsSHA256 contains the SHA256 hashes of the SPKIs of the
-// satveda.pem certificate chain, in order.
-static const char kSatvedaSPKIsSHA256[2][33] = {
-  "\xb9\x42\xab\xf2\x08\x63\xef\x81\x70\x88\x45\xc4\x39\xa2\x6e\x9c"
-  "\x2f\x9a\xf9\xf4\xcb\x23\x61\xd4\x83\x97\x61\x6d\xf2\x5b\x27\xa8",
-  "\x32\xb6\x4b\x66\x72\x7a\x20\x63\xe4\x06\x6f\x3b\x95\x8c\xb0\xaa"
-  "\xee\x57\x6a\x5e\xce\xfd\x95\x33\x99\xbb\x88\x74\x73\x1d\x95\x87",
+// kTwitterSPKIsSHA256 contains the SHA256 hashes of the SPKIs of the
+// twitter-chain.pem certificate chain, in order.
+static const char kTwitterSPKIsSHA256[3][33] = {
+  "\x20\xec\x5d\x0a\xfb\xc6\xc0\xe2\xe1\x95\x56\xc5\x35\x2b\x3c\x60"
+  "\x78\xa6\xed\x95\x55\xc2\xfa\x86\x82\x40\x4f\xdb\x55\x29\xd3\xad",
+  "\x80\xcc\x56\x3a\xb5\xf8\x3c\xc4\x1e\xb0\xaf\x6a\x14\xd6\xd8\x07"
+  "\x18\xc1\x7e\x35\x2f\x96\x49\xff\xbc\xdd\x67\xf8\xbf\x65\x13\x91",
+  "\x25\xb4\x1b\x50\x6e\x49\x30\x95\x28\x23\xa6\xeb\x9f\x1d\x31\xde"
+  "\xf6\x45\xea\x38\xa5\xc6\xc6\xa9\x6d\x71\x95\x7e\x38\x4d\xf0\x58",
 };
 
 // Certificates for test data. They're obtained with:
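Review bot: The comments on `kTwitterSPKIs` and `kTwitterSPKIsSHA256` say "in order" without naming the order. The chain also grew from two entries to three, so a caller that still indexes or loops with a literal 2 would compile after the rename and silently skip the last hash; the callers are outside this hunk. I would spell out the order and tie the data to its source, e.g. `// Order: leaf (twitter.com), intermediate, root; regenerate if twitter-chain.pem changes.`, assuming the rows follow the certificate order in twitter-chain.pem. A short remark that each row is the raw digest plus the string literal's terminating NUL would also explain the `[21]` and `[33]` bounds.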