diff --git a/server-ca/CA.sh b/server-ca/CA.sh
new file mode 100755
index 000000000..7ad6b8c52
--- /dev/null
+++ b/server-ca/CA.sh
@@ -0,0 +1,198 @@
+#!/bin/sh
+#
+# CA - wrapper around ca to make it easier to use ... basically ca requires
+#      some setup stuff to be done before you can use it and this makes
+#      things easier between now and when Eric is convinced to fix it :-)
+#
+# CA -newca ... will setup the right stuff
+# CA -newreq ... will generate a certificate request
+# CA -sign ... will sign the generated request and output
+#
+# At the end of that grab newreq.pem and newcert.pem (one has the key
+# and the other the certificate) and cat them together and that is what
+# you want/need ... I'll make even this a little cleaner later.
+#
+#
+# 12-Jan-96 tjh    Added more things ... including CA -signcert which
+#                  converts a certificate to a request and then signs it.
+# 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
+#                  environment variable so this can be driven from
+#                  a script.
+# 25-Jul-96 eay    Cleaned up filenames some more.
+# 11-Jun-96 eay    Fixed a few filename missmatches.
+# 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
+# 18-Apr-96 tjh    Original hacking
+#
+# Tim Hudson
+# tjh@cryptsoft.com
+#
+
+# default openssl.cnf file has setup as per the following
+# demoCA ... where everything is stored
+cp_pem() {
+    infile=$1
+    outfile=$2
+    bound=$3
+    flag=0
+    exec <$infile;
+    while read line; do
+	if [ $flag -eq 1 ]; then
+		echo $line|grep "^-----END.*$bound"  2>/dev/null 1>/dev/null
+		if [ $? -eq 0 ] ; then
+			echo $line >>$outfile
+			break
+		else
+			echo $line >>$outfile
+		fi
+	fi
+
+	echo $line|grep "^-----BEGIN.*$bound"  2>/dev/null 1>/dev/null
+	if [ $? -eq 0 ]; then
+		echo $line >$outfile
+		flag=1
+	fi
+    done
+}
+
+usage() {
+ echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
+}
+
+if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
+
+if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi	# 1 year
+CADAYS="-days 1095"	# 3 years
+REQ="$OPENSSL req $SSLEAY_CONFIG"
+CA="$OPENSSL ca $SSLEAY_CONFIG"
+VERIFY="$OPENSSL verify"
+X509="$OPENSSL x509"
+PKCS12="openssl pkcs12"
+
+if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
+CAKEY=./cakey.pem
+CAREQ=./careq.pem
+CACERT=./cacert.pem
+
+RET=0
+
+while [ "$1" != "" ] ; do
+case $1 in
+-\?|-h|-help)
+    usage
+    exit 0
+    ;;
+-newcert)
+    # create a certificate
+    $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
+    RET=$?
+    echo "Certificate is in newcert.pem, private key is in newkey.pem"
+    ;;
+-newreq)
+    # create a certificate request
+    $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
+    RET=$?
+    echo "Request is in newreq.pem, private key is in newkey.pem"
+    ;;
+-newreq-nodes) 
+    # create a certificate request
+    $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
+    RET=$?
+    echo "Request (and private key) is in newreq.pem"
+    ;;
+-newca)
+    # if explicitly asked for or it doesn't exist then setup the directory
+    # structure that Eric likes to manage things
+    NEW="1"
+    if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
+	# create the directory hierarchy
+	mkdir -p ${CATOP}
+	mkdir -p ${CATOP}/certs
+	mkdir -p ${CATOP}/crl
+	mkdir -p ${CATOP}/newcerts
+	mkdir -p ${CATOP}/private
+	touch ${CATOP}/index.txt
+    fi
+    if [ ! -f ${CATOP}/private/$CAKEY ]; then
+	echo "CA certificate filename (or enter to create)"
+	read FILE
+
+	# ask user for existing CA certificate
+	if [ "$FILE" ]; then
+	    cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE
+	    cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE
+	    RET=$?
+	    if [ ! -f "${CATOP}/serial" ]; then
+		$X509 -in ${CATOP}/$CACERT -noout -next_serial \
+		      -out ${CATOP}/serial
+	    fi
+	else
+	    echo "Making CA certificate ..."
+	    $REQ -new -keyout ${CATOP}/private/$CAKEY \
+			   -out ${CATOP}/$CAREQ
+	    $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
+			   -keyfile ${CATOP}/private/$CAKEY -selfsign \
+			   -extensions v3_ca \
+			   -infiles ${CATOP}/$CAREQ
+	    RET=$?
+	fi
+    fi
+    ;;
+-xsign)
+    $CA -policy policy_anything -infiles newreq.pem
+    RET=$?
+    ;;
+-pkcs12)
+    if [ -z "$2" ] ; then
+	CNAME="My Certificate"
+    else
+	CNAME="$2"
+    fi
+    $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \
+	    -out newcert.p12 -export -name "$CNAME"
+    RET=$?
+    exit $RET
+    ;;
+-sign|-signreq)
+    $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
+    RET=$?
+    cat newcert.pem
+    echo "Signed certificate is in newcert.pem"
+    ;;
+-signCA)
+    $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
+    RET=$?
+    echo "Signed CA certificate is in newcert.pem"
+    ;;
+-signcert)
+    echo "Cert passphrase will be requested twice - bug?"
+    $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
+    $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
+    RET=$?
+    cat newcert.pem
+    echo "Signed certificate is in newcert.pem"
+    ;;
+-verify)
+    shift
+    if [ -z "$1" ]; then
+	    $VERIFY -CAfile $CATOP/$CACERT newcert.pem
+	    RET=$?
+    else
+	for j
+	do
+	    $VERIFY -CAfile $CATOP/$CACERT $j
+	    if [ $? != 0 ]; then
+		    RET=$?
+	    fi
+	done
+    fi
+    exit $RET
+    ;;
+*)
+    echo "Unknown arg $i" >&2
+    usage
+    exit 1
+    ;;
+esac
+shift
+done
+exit $RET
diff --git a/server-ca/demoCA/7f587c91.0 b/server-ca/demoCA/7f587c91.0
deleted file mode 120000
index 1310cfcff..000000000
--- a/server-ca/demoCA/7f587c91.0
+++ /dev/null
@@ -1 +0,0 @@
-cacert.pem
\ No newline at end of file
diff --git a/server-ca/demoCA/README b/server-ca/demoCA/README
index 50ad9f89d..43d18615c 100644
--- a/server-ca/demoCA/README
+++ b/server-ca/demoCA/README
@@ -1,3 +1,6 @@
-Made with CA.sh from the openssl source.
+This is a toy CA for us to play with.  The password is "dang".  The way to use
+it is:
 
-passphrase is "dang"
+cd ..
+cp $YOUR_CSR_FILE newreq.pem
+./CA.sh -sign
diff --git a/server-ca/demoCA/ca-privkey.pem b/server-ca/demoCA/ca-privkey.pem
deleted file mode 100644
index 916644ad6..000000000
--- a/server-ca/demoCA/ca-privkey.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,73428722CE82FB30
-
-XUiQuQsiUGRwtddWRfkHUSMPEmZxoeLQsIS3cZsq4bC3MFyLClh8G+oD8n9qnSL+
-CT2onGo3bDZ5WI3fex8o2VSoc7pHAKuQ9itSsNcxA9OP+ja9+7lkIzS8apj84zEj
-S+AFbplkP9uDnOokyhv3rIlZ6qG/o5MtmOKXO/mmsA8A0uQv8yxW6lkTczblIODM
-snOCL+vldyPVOs7OmC0hT4vdbwsR2NDx3BA/QSKqYzLA0/P9lWSqIzpc/6BzR3WF
-aT6TtLQWL3JeF3nylv8le/oVwuj1eOGhEYRFUCQybdrtJqKNtHw0roSkG4V/5Qpk
-HSf2Y6efGTHXQ2Y5/7eiLM3DypPmwanD0YtHkpA3grAGoanIlG7HBRenuxx2q0nA
-sPOwzYzEK4FsxvBDXvPiG0fa230K8/OVHMfHO2DDw7Mb6pT5C6Fl6pLF1qbPNqFU
-H+XJPJqDtuSdjk59XRUUuWEfX8cHecX5biidJi8YCZSBgBa6UOOAB4/+Nlazw4e9
-UhNCEu4a7Y7sE7RQwQh0h3KRoRYsnEzxDGs7N2af3z2RswRwt/l+8eGsOp/RdTIM
-WnrB/SRT2gp0McFj6BEZxtoK0iKZxJZ5krgiSd1BOqWFUa25piALc8YP/C8luO3s
-sb6WF2mPVPTk8oPzRtxbWYOPi9riAQsaSDbb2B8smfShR8VPgpUiinysAHLn/VoG
-PaxcqVyDQZkuSIFVspH88zyAFZGTq7JYQ+NDVdv148XL0BUCIi1uTqR7Z6JiTxaW
-vCyNJeQuGEl2fa7j7u+EJFYAlG8Z42HaX22n8QVKsvRXCfRVlZ+a+g==
------END RSA PRIVATE KEY-----
diff --git a/server-ca/demoCA/cacert.pem b/server-ca/demoCA/cacert.pem
index 4406daaf1..51f4cd459 100644
--- a/server-ca/demoCA/cacert.pem
+++ b/server-ca/demoCA/cacert.pem
@@ -1,21 +1,81 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            93:a5:80:a1:e0:d9:b5:c2
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=notreally.eff.org/emailAddress=notreally@eff.org
+        Validity
+            Not Before: Jul  7 20:07:59 2012 GMT
+            Not After : Jul  7 20:07:59 2015 GMT
+        Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=notreally.eff.org/emailAddress=notreally@eff.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:a8:17:94:8f:63:55:21:48:73:bf:df:58:65:08:
+                    f8:23:eb:0a:6d:53:2e:f4:92:93:05:ba:0b:c5:f8:
+                    c6:ce:dd:cc:64:53:2e:90:66:ae:84:63:64:d3:af:
+                    3b:e1:f0:1c:57:34:c2:cd:f6:ec:ea:cd:07:b3:2e:
+                    5c:32:13:62:aa:06:ac:1d:41:ee:26:7c:6f:c1:d7:
+                    ab:3e:cf:8f:49:89:0b:bd:89:78:a7:2d:c6:74:91:
+                    6f:cb:70:0a:79:ea:b3:bd:2a:58:e7:44:07:93:19:
+                    a8:e2:06:24:be:3c:5d:6d:25:1a:85:f8:96:3e:f1:
+                    b3:08:8c:86:c5:0f:01:0e:0f:34:06:d4:94:73:5d:
+                    8d:b9:45:b3:22:47:f7:c0:3d:b9:e5:a5:c8:2d:cf:
+                    00:c5:5c:48:bb:dd:95:40:47:95:a3:54:ee:85:98:
+                    14:1e:ad:15:59:20:cd:1e:48:9c:de:dc:09:55:8c:
+                    5a:d4:b6:67:32:c3:55:ed:a6:26:c7:0f:67:03:c6:
+                    3d:d8:c2:89:e4:d1:a6:92:c1:d4:71:01:ec:f6:ab:
+                    31:88:64:26:70:15:8d:fa:20:5f:9f:b5:e8:f0:f7:
+                    73:2d:20:0c:12:77:36:90:63:f3:7f:76:8d:64:7c:
+                    3a:20:a2:67:35:10:90:83:8b:a6:90:8b:4d:45:7a:
+                    70:95
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                F8:53:C1:EA:D3:29:34:D2:3F:B5:E5:ED:D0:C1:79:34:DA:13:BC:E8
+            X509v3 Authority Key Identifier: 
+                keyid:F8:53:C1:EA:D3:29:34:D2:3F:B5:E5:ED:D0:C1:79:34:DA:13:BC:E8
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha1WithRSAEncryption
+         1b:6b:1a:ea:04:75:29:1e:37:fd:17:b7:a7:2c:9d:4d:f8:8d:
+         00:e4:38:24:70:88:78:32:d2:41:04:c5:08:b2:25:b3:e3:c9:
+         16:2c:9f:9c:96:38:ae:e3:92:bd:5b:5a:c3:91:16:11:e3:56:
+         8d:b1:fb:0e:a7:cb:52:8e:d4:f8:a6:17:6d:f4:78:ef:24:2a:
+         0c:58:16:89:37:7f:aa:a4:52:51:96:44:ff:f5:ac:57:b3:fb:
+         50:13:e1:08:a0:79:c4:f0:8d:5d:f3:bd:a8:43:73:02:0e:a7:
+         18:7b:7c:e1:7c:6d:21:4b:0b:e2:2b:c6:70:81:10:ec:e9:b9:
+         db:e1:0e:fd:c3:54:4c:0a:f4:c7:4c:0a:c3:f3:f5:7e:d0:03:
+         31:1d:0a:a7:87:da:9d:78:35:de:30:cf:bb:d6:91:95:b5:7d:
+         dc:0e:fe:e4:db:68:90:8c:3a:ec:3f:57:57:ce:5f:07:c1:9b:
+         43:cb:39:d9:41:38:d7:55:10:f1:cd:74:70:ba:0a:11:8a:5f:
+         e8:e6:ef:98:da:fc:ff:09:a2:68:2b:e7:96:88:98:4b:0c:17:
+         0d:dc:59:3b:92:a1:23:ad:32:fc:1d:19:85:01:db:9d:ee:af:
+         b7:bb:c7:8a:c5:7b:2b:51:f0:44:00:b7:4c:df:8a:cd:ff:cc:
+         05:44:b0:79
 -----BEGIN CERTIFICATE-----
-MIIDijCCAvOgAwIBAgIJALzlsISJE3nVMA0GCSqGSIb3DQEBBQUAMIGLMQswCQYD
-VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xJzAl
-BgNVBAoTHkV4cGVyaW1lbnRhbCBDZXJ0aWZpY2F0ZXMsIEluYzEXMBUGA1UECxMO
-R2l0IFJlcG9zaXRvcnkxFTATBgNVBAMTDHNwdXJpb3VzLmNvbTAeFw0xMTA3MjEx
-OTE2MzlaFw0xMjA3MjAxOTE2MzlaMIGLMQswCQYDVQQGEwJVUzELMAkGA1UECBMC
-Q0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xJzAlBgNVBAoTHkV4cGVyaW1lbnRh
-bCBDZXJ0aWZpY2F0ZXMsIEluYzEXMBUGA1UECxMOR2l0IFJlcG9zaXRvcnkxFTAT
-BgNVBAMTDHNwdXJpb3VzLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
-8Xr7TYScEKeMdmqbbxUtmz0p1bfXB/u3Pd7b7aLhkbVFv0/hYKNAycN8zgHdbhxO
-/HDjSfS6mrGh8+rbGEjUwy8PD7UFQM+6yuym0iYaYFaecjCjg72aLlRi3NzGKlXo
-9a/UyI3S3DKI0sY/vfpugMxJETZNCUTlKVaMM5jUGbsCAwEAAaOB8zCB8DAdBgNV
-HQ4EFgQUhsDgLczgpid+fhLQb/cN7FaSBgwwgcAGA1UdIwSBuDCBtYAUhsDgLczg
-pid+fhLQb/cN7FaSBgyhgZGkgY4wgYsxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJD
-QTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEnMCUGA1UEChMeRXhwZXJpbWVudGFs
-IENlcnRpZmljYXRlcywgSW5jMRcwFQYDVQQLEw5HaXQgUmVwb3NpdG9yeTEVMBMG
-A1UEAxMMc3B1cmlvdXMuY29tggkAvOWwhIkTedUwDAYDVR0TBAUwAwEB/zANBgkq
-hkiG9w0BAQUFAAOBgQAjLd8dme3QyWUFvBWkSnqeeccGU/Q0kt3oPeCDCWKEamiZ
-naFNIp/UpCgCQMOqtiXt3Id4euTj25avWtCE1Tc0fa2AaOEcQKL6NE8BSGZm0Ajj
-uq/qxxgb4RKdnd7ALapqm3FnyfxAURpA2TJEvJlmp8Rm3+zn7pMCUbwMYDeDqA==
+MIIDyTCCArGgAwIBAgIJAJOlgKHg2bXCMA0GCSqGSIb3DQEBBQUAMHsxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRowGAYDVQQDDBFub3RyZWFsbHkuZWZmLm9yZzEgMB4GCSqGSIb3DQEJ
+ARYRbm90cmVhbGx5QGVmZi5vcmcwHhcNMTIwNzA3MjAwNzU5WhcNMTUwNzA3MjAw
+NzU5WjB7MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExITAfBgNVBAoMGEludGVy
+bmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwRbm90cmVhbGx5LmVmZi5vcmcx
+IDAeBgkqhkiG9w0BCQEWEW5vdHJlYWxseUBlZmYub3JnMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAqBeUj2NVIUhzv99YZQj4I+sKbVMu9JKTBboLxfjG
+zt3MZFMukGauhGNk06874fAcVzTCzfbs6s0Hsy5cMhNiqgasHUHuJnxvwderPs+P
+SYkLvYl4py3GdJFvy3AKeeqzvSpY50QHkxmo4gYkvjxdbSUahfiWPvGzCIyGxQ8B
+Dg80BtSUc12NuUWzIkf3wD255aXILc8AxVxIu92VQEeVo1TuhZgUHq0VWSDNHkic
+3twJVYxa1LZnMsNV7aYmxw9nA8Y92MKJ5NGmksHUcQHs9qsxiGQmcBWN+iBfn7Xo
+8PdzLSAMEnc2kGPzf3aNZHw6IKJnNRCQg4umkItNRXpwlQIDAQABo1AwTjAdBgNV
+HQ4EFgQU+FPB6tMpNNI/teXt0MF5NNoTvOgwHwYDVR0jBBgwFoAU+FPB6tMpNNI/
+teXt0MF5NNoTvOgwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAG2sa
+6gR1KR43/Re3pyydTfiNAOQ4JHCIeDLSQQTFCLIls+PJFiyfnJY4ruOSvVtaw5EW
+EeNWjbH7DqfLUo7U+KYXbfR47yQqDFgWiTd/qqRSUZZE//WsV7P7UBPhCKB5xPCN
+XfO9qENzAg6nGHt84XxtIUsL4ivGcIEQ7Om52+EO/cNUTAr0x0wKw/P1ftADMR0K
+p4fanXg13jDPu9aRlbV93A7+5NtokIw67D9XV85fB8GbQ8s52UE411UQ8c10cLoK
+EYpf6ObvmNr8/wmiaCvnloiYSwwXDdxZO5KhI60y/B0ZhQHbne6vt7vHisV7K1Hw
+RAC3TN+Kzf/MBUSweQ==
 -----END CERTIFICATE-----
diff --git a/server-ca/demoCA/careq.pem b/server-ca/demoCA/careq.pem
new file mode 100644
index 000000000..38cdb1148
--- /dev/null
+++ b/server-ca/demoCA/careq.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIC0jCCAboCAQAwgYwxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEPMA0GA1UE
+BwwGRnJpc2NvMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAY
+BgNVBAMMEW5vdHJlYWxseS5lZmYub3JnMSAwHgYJKoZIhvcNAQkBFhFub3RyZWFs
+bHlAZWZmLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKgXlI9j
+VSFIc7/fWGUI+CPrCm1TLvSSkwW6C8X4xs7dzGRTLpBmroRjZNOvO+HwHFc0ws32
+7OrNB7MuXDITYqoGrB1B7iZ8b8HXqz7Pj0mJC72JeKctxnSRb8twCnnqs70qWOdE
+B5MZqOIGJL48XW0lGoX4lj7xswiMhsUPAQ4PNAbUlHNdjblFsyJH98A9ueWlyC3P
+AMVcSLvdlUBHlaNU7oWYFB6tFVkgzR5InN7cCVWMWtS2ZzLDVe2mJscPZwPGPdjC
+ieTRppLB1HEB7ParMYhkJnAVjfogX5+16PD3cy0gDBJ3NpBj8392jWR8OiCiZzUQ
+kIOLppCLTUV6cJUCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IBAQAQc//VdI0lwSd4
+lmSGFvOTaA7q4QDQsFw5qrc6JL5EnUY51nbipetna1N/sgOEHJEZbKfsxK0cgVb6
+mbSG7qXKJ8HM7Xd/fLJTwmoDDFndlhDHIAmAOjA38RtzJKeeY0wLZZtPyGVMcxet
+72BiLRBlsmjTQY/TwdL0mftDjvMpJUJVbTMt+jOFyS6RYRbTO83KXpk7PW70Xg13
+TfngO7wnaFlmmtey6bRbNmFOLRVeRYslD1AfUbCU0cq5DGWJ8xZ+ifd+uzVcSeA6
+chMXg4Hb3SzmPyqQCEHPa7FqNrkqlfTr+hvY0cu2SAdpIsN6L1qruo4I3AHYRjPD
+i1xY9ZEo
+-----END CERTIFICATE REQUEST-----
diff --git a/server-ca/demoCA/certs/.emptyfile b/server-ca/demoCA/certs/.emptyfile
deleted file mode 100644
index e69de29bb..000000000
diff --git a/server-ca/demoCA/crl/.emptyfile b/server-ca/demoCA/crl/.emptyfile
deleted file mode 100644
index e69de29bb..000000000
diff --git a/server-ca/demoCA/examp.ly-cert.pem b/server-ca/demoCA/examp.ly-cert.pem
deleted file mode 100644
index ad7748e71..000000000
--- a/server-ca/demoCA/examp.ly-cert.pem
+++ /dev/null
@@ -1,62 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            bc:e5:b0:84:89:13:79:d6
-        Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, ST=CA, L=San Francisco, O=Experimental Certificates, Inc, OU=Git Repository, CN=spurious.com
-        Validity
-            Not Before: Jul 21 19:25:32 2011 GMT
-            Not After : Jul 20 19:25:32 2012 GMT
-        Subject: C=LY, ST=Tarabulus, L=Tripoli, O=Internet Security Examples, CN=examp.ly
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:a7:60:50:48:54:59:8c:8a:3f:13:df:3e:b9:c3:
-                    ea:7a:97:9f:fa:66:f3:6e:d3:cc:6b:5e:e0:c6:e7:
-                    87:58:3f:3d:6d:2d:dc:7b:7d:fb:f1:48:48:bf:0c:
-                    30:d5:9c:59:2b:36:01:57:39:f4:1e:bc:d5:e3:4f:
-                    35:0b:4a:bc:24:77:44:67:f6:bb:0a:2e:27:55:b5:
-                    a4:94:ed:5e:85:ac:ed:31:95:97:f2:05:0e:48:84:
-                    b5:cd:69:13:7d:c0:02:05:2a:9f:ad:c6:28:b7:c2:
-                    0e:bf:84:63:4d:86:de:5a:f0:0e:a7:4d:23:6d:6c:
-                    e4:82:2c:e5:1c:8a:76:fd:a1
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            Netscape Comment: 
-                OpenSSL Generated Certificate
-            X509v3 Subject Key Identifier: 
-                1A:2C:51:B5:B1:C9:69:8A:0C:E0:13:7F:44:4D:8F:E0:80:4D:BE:B4
-            X509v3 Authority Key Identifier: 
-                keyid:86:C0:E0:2D:CC:E0:A6:27:7E:7E:12:D0:6F:F7:0D:EC:56:92:06:0C
-
-    Signature Algorithm: sha1WithRSAEncryption
-        1a:d1:3b:5f:b7:29:98:35:62:f1:25:ba:84:f7:76:cc:c3:c8:
-        2e:32:8f:3e:ca:22:81:fd:17:ff:be:f2:fd:ae:05:94:20:ad:
-        f9:e4:97:ef:81:f2:f6:05:1a:4b:ab:7d:d5:69:ca:63:c0:91:
-        b5:09:a9:21:6d:e9:ab:10:24:bc:1e:7e:69:40:04:c7:03:7b:
-        a8:c1:d4:b9:70:7b:7f:d3:a3:03:d2:99:b4:3b:b2:9d:aa:43:
-        2b:b5:d8:df:47:26:58:ce:60:e5:12:5f:6c:01:01:84:a9:5c:
-        60:74:2b:cb:6c:02:7b:05:d0:28:f8:f4:26:2f:5e:47:9d:cd:
-        69:3c
------BEGIN CERTIFICATE-----
-MIIC8DCCAlmgAwIBAgIJALzlsISJE3nWMA0GCSqGSIb3DQEBBQUAMIGLMQswCQYD
-VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xJzAl
-BgNVBAoTHkV4cGVyaW1lbnRhbCBDZXJ0aWZpY2F0ZXMsIEluYzEXMBUGA1UECxMO
-R2l0IFJlcG9zaXRvcnkxFTATBgNVBAMTDHNwdXJpb3VzLmNvbTAeFw0xMTA3MjEx
-OTI1MzJaFw0xMjA3MjAxOTI1MzJaMGsxCzAJBgNVBAYTAkxZMRIwEAYDVQQIEwlU
-YXJhYnVsdXMxEDAOBgNVBAcTB1RyaXBvbGkxIzAhBgNVBAoTGkludGVybmV0IFNl
-Y3VyaXR5IEV4YW1wbGVzMREwDwYDVQQDEwhleGFtcC5seTCBnzANBgkqhkiG9w0B
-AQEFAAOBjQAwgYkCgYEAp2BQSFRZjIo/E98+ucPqepef+mbzbtPMa17gxueHWD89
-bS3ce3378UhIvwww1ZxZKzYBVzn0HrzV4081C0q8JHdEZ/a7Ci4nVbWklO1ehazt
-MZWX8gUOSIS1zWkTfcACBSqfrcYot8IOv4RjTYbeWvAOp00jbWzkgizlHIp2/aEC
-AwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5l
-cmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFBosUbWxyWmKDOATf0RNj+CATb60
-MB8GA1UdIwQYMBaAFIbA4C3M4KYnfn4S0G/3DexWkgYMMA0GCSqGSIb3DQEBBQUA
-A4GBABrRO1+3KZg1YvEluoT3dszDyC4yjz7KIoH9F/++8v2uBZQgrfnkl++B8vYF
-GkurfdVpymPAkbUJqSFt6asQJLwefmlABMcDe6jB1Llwe3/TowPSmbQ7sp2qQyu1
-2N9HJljOYOUSX2wBAYSpXGB0K8tsAnsF0Cj49CYvXkedzWk8
------END CERTIFICATE-----
diff --git a/server-ca/demoCA/examp.ly-key.pem b/server-ca/demoCA/examp.ly-key.pem
deleted file mode 100644
index 8cbd2db74..000000000
--- a/server-ca/demoCA/examp.ly-key.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,069A43447F1D56CF
-
-eWn0Cj1yqfsveUvkTDSdIUOk2DHh2tWAo/KVxHrueKetD8K4xelqmrjZsNAQnwdU
-tikrhP4AgMK9ygCvoMA2LAa0xqu3NWU3GVCcPn7i6iY4cwBveDn8kEeuMxVKWddB
-n72zBiAjwvtd1FXpDQD+IUQqkxj62wS5/XkMx5uW6zLoi8MCBdHF+rK5coBxtmv9
-0Jv7s5Qvmg+O+Ko8Z+87/YMii4DcYIZ1kO3+7aBexkxq6jYRQYLHfcB/JVqrFw6y
-pPEW2+xvL5kZjxF0WReFnO0qyRCc2fUPEox+8HNF9WLZu2bQZpVW+w42pkmsPitX
-KNTNFXjwKvRbpyUMn0nl0eWx7QQv4E/CDLWH8PL1jEZ15Ur/zh41fQMKOXvN6N3A
-LOO28W7Or4afoBjqpIxACxZvhKWfPCp7/nIKGTp0PPAz0meX46e52IM0QpL+Q6bd
-9xplClqENRw2MxmbnyELy848UqopkrffHH/ulrkxEhfV3Ozn6VAyrUIa6i8uAkWn
-qouih8WSEDterNW04ldbpfhKsYH5ZYomuH3oqzQ4PKocVkz2JbvgBq4wF16lrjo2
-3pWkMiqxYZsAQGtHQRIvyi1bWFOMypewB2NkswOPDOfGIGJ99lxT9yXDe4Z4BA+I
-m4YYmSKbueX+LS8/dny1xl2CkaoUHFOo7GbtWZLwG/Ep3oq362lD2QkDnF7ML1kx
-7RD1goSWTysJ/dNDjGytfNJUKlmQj+hXFrYdKc8R1g2T77E/ilmN50JVoZysgZIT
-HY//M7OwE/iYTm52WiBJIITRe8LJQiTA8MLNMrePCP4B+LTm+2gupA==
------END RSA PRIVATE KEY-----
diff --git a/server-ca/demoCA/index.txt b/server-ca/demoCA/index.txt
index e69de29bb..4a9dcdbea 100644
--- a/server-ca/demoCA/index.txt
+++ b/server-ca/demoCA/index.txt
@@ -0,0 +1,2 @@
+V	150707200759Z		93A580A1E0D9B5C2	unknown	/C=US/ST=CA/O=Internet Widgits Pty Ltd/CN=notreally.eff.org/emailAddress=notreally@eff.org
+V	130707200943Z		93A580A1E0D9B5C3	unknown	/C=US/ST=CA/L=San Francisco/O=I/OU=I/CN=example.com
diff --git a/server-ca/demoCA/index.txt.attr b/server-ca/demoCA/index.txt.attr
new file mode 100644
index 000000000..8f7e63a34
--- /dev/null
+++ b/server-ca/demoCA/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/server-ca/demoCA/index.txt.attr.old b/server-ca/demoCA/index.txt.attr.old
new file mode 100644
index 000000000..8f7e63a34
--- /dev/null
+++ b/server-ca/demoCA/index.txt.attr.old
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/server-ca/demoCA/index.txt.old b/server-ca/demoCA/index.txt.old
new file mode 100644
index 000000000..68e322d23
--- /dev/null
+++ b/server-ca/demoCA/index.txt.old
@@ -0,0 +1 @@
+V	150707200759Z		93A580A1E0D9B5C2	unknown	/C=US/ST=CA/O=Internet Widgits Pty Ltd/CN=notreally.eff.org/emailAddress=notreally@eff.org
diff --git a/server-ca/demoCA/newcerts/93A580A1E0D9B5C2.pem b/server-ca/demoCA/newcerts/93A580A1E0D9B5C2.pem
new file mode 100644
index 000000000..51f4cd459
--- /dev/null
+++ b/server-ca/demoCA/newcerts/93A580A1E0D9B5C2.pem
@@ -0,0 +1,81 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            93:a5:80:a1:e0:d9:b5:c2
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=notreally.eff.org/emailAddress=notreally@eff.org
+        Validity
+            Not Before: Jul  7 20:07:59 2012 GMT
+            Not After : Jul  7 20:07:59 2015 GMT
+        Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=notreally.eff.org/emailAddress=notreally@eff.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:a8:17:94:8f:63:55:21:48:73:bf:df:58:65:08:
+                    f8:23:eb:0a:6d:53:2e:f4:92:93:05:ba:0b:c5:f8:
+                    c6:ce:dd:cc:64:53:2e:90:66:ae:84:63:64:d3:af:
+                    3b:e1:f0:1c:57:34:c2:cd:f6:ec:ea:cd:07:b3:2e:
+                    5c:32:13:62:aa:06:ac:1d:41:ee:26:7c:6f:c1:d7:
+                    ab:3e:cf:8f:49:89:0b:bd:89:78:a7:2d:c6:74:91:
+                    6f:cb:70:0a:79:ea:b3:bd:2a:58:e7:44:07:93:19:
+                    a8:e2:06:24:be:3c:5d:6d:25:1a:85:f8:96:3e:f1:
+                    b3:08:8c:86:c5:0f:01:0e:0f:34:06:d4:94:73:5d:
+                    8d:b9:45:b3:22:47:f7:c0:3d:b9:e5:a5:c8:2d:cf:
+                    00:c5:5c:48:bb:dd:95:40:47:95:a3:54:ee:85:98:
+                    14:1e:ad:15:59:20:cd:1e:48:9c:de:dc:09:55:8c:
+                    5a:d4:b6:67:32:c3:55:ed:a6:26:c7:0f:67:03:c6:
+                    3d:d8:c2:89:e4:d1:a6:92:c1:d4:71:01:ec:f6:ab:
+                    31:88:64:26:70:15:8d:fa:20:5f:9f:b5:e8:f0:f7:
+                    73:2d:20:0c:12:77:36:90:63:f3:7f:76:8d:64:7c:
+                    3a:20:a2:67:35:10:90:83:8b:a6:90:8b:4d:45:7a:
+                    70:95
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                F8:53:C1:EA:D3:29:34:D2:3F:B5:E5:ED:D0:C1:79:34:DA:13:BC:E8
+            X509v3 Authority Key Identifier: 
+                keyid:F8:53:C1:EA:D3:29:34:D2:3F:B5:E5:ED:D0:C1:79:34:DA:13:BC:E8
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha1WithRSAEncryption
+         1b:6b:1a:ea:04:75:29:1e:37:fd:17:b7:a7:2c:9d:4d:f8:8d:
+         00:e4:38:24:70:88:78:32:d2:41:04:c5:08:b2:25:b3:e3:c9:
+         16:2c:9f:9c:96:38:ae:e3:92:bd:5b:5a:c3:91:16:11:e3:56:
+         8d:b1:fb:0e:a7:cb:52:8e:d4:f8:a6:17:6d:f4:78:ef:24:2a:
+         0c:58:16:89:37:7f:aa:a4:52:51:96:44:ff:f5:ac:57:b3:fb:
+         50:13:e1:08:a0:79:c4:f0:8d:5d:f3:bd:a8:43:73:02:0e:a7:
+         18:7b:7c:e1:7c:6d:21:4b:0b:e2:2b:c6:70:81:10:ec:e9:b9:
+         db:e1:0e:fd:c3:54:4c:0a:f4:c7:4c:0a:c3:f3:f5:7e:d0:03:
+         31:1d:0a:a7:87:da:9d:78:35:de:30:cf:bb:d6:91:95:b5:7d:
+         dc:0e:fe:e4:db:68:90:8c:3a:ec:3f:57:57:ce:5f:07:c1:9b:
+         43:cb:39:d9:41:38:d7:55:10:f1:cd:74:70:ba:0a:11:8a:5f:
+         e8:e6:ef:98:da:fc:ff:09:a2:68:2b:e7:96:88:98:4b:0c:17:
+         0d:dc:59:3b:92:a1:23:ad:32:fc:1d:19:85:01:db:9d:ee:af:
+         b7:bb:c7:8a:c5:7b:2b:51:f0:44:00:b7:4c:df:8a:cd:ff:cc:
+         05:44:b0:79
+-----BEGIN CERTIFICATE-----
+MIIDyTCCArGgAwIBAgIJAJOlgKHg2bXCMA0GCSqGSIb3DQEBBQUAMHsxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRowGAYDVQQDDBFub3RyZWFsbHkuZWZmLm9yZzEgMB4GCSqGSIb3DQEJ
+ARYRbm90cmVhbGx5QGVmZi5vcmcwHhcNMTIwNzA3MjAwNzU5WhcNMTUwNzA3MjAw
+NzU5WjB7MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExITAfBgNVBAoMGEludGVy
+bmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwRbm90cmVhbGx5LmVmZi5vcmcx
+IDAeBgkqhkiG9w0BCQEWEW5vdHJlYWxseUBlZmYub3JnMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAqBeUj2NVIUhzv99YZQj4I+sKbVMu9JKTBboLxfjG
+zt3MZFMukGauhGNk06874fAcVzTCzfbs6s0Hsy5cMhNiqgasHUHuJnxvwderPs+P
+SYkLvYl4py3GdJFvy3AKeeqzvSpY50QHkxmo4gYkvjxdbSUahfiWPvGzCIyGxQ8B
+Dg80BtSUc12NuUWzIkf3wD255aXILc8AxVxIu92VQEeVo1TuhZgUHq0VWSDNHkic
+3twJVYxa1LZnMsNV7aYmxw9nA8Y92MKJ5NGmksHUcQHs9qsxiGQmcBWN+iBfn7Xo
+8PdzLSAMEnc2kGPzf3aNZHw6IKJnNRCQg4umkItNRXpwlQIDAQABo1AwTjAdBgNV
+HQ4EFgQU+FPB6tMpNNI/teXt0MF5NNoTvOgwHwYDVR0jBBgwFoAU+FPB6tMpNNI/
+teXt0MF5NNoTvOgwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAG2sa
+6gR1KR43/Re3pyydTfiNAOQ4JHCIeDLSQQTFCLIls+PJFiyfnJY4ruOSvVtaw5EW
+EeNWjbH7DqfLUo7U+KYXbfR47yQqDFgWiTd/qqRSUZZE//WsV7P7UBPhCKB5xPCN
+XfO9qENzAg6nGHt84XxtIUsL4ivGcIEQ7Om52+EO/cNUTAr0x0wKw/P1ftADMR0K
+p4fanXg13jDPu9aRlbV93A7+5NtokIw67D9XV85fB8GbQ8s52UE411UQ8c10cLoK
+EYpf6ObvmNr8/wmiaCvnloiYSwwXDdxZO5KhI60y/B0ZhQHbne6vt7vHisV7K1Hw
+RAC3TN+Kzf/MBUSweQ==
+-----END CERTIFICATE-----
diff --git a/server-ca/demoCA/newcerts/93A580A1E0D9B5C3.pem b/server-ca/demoCA/newcerts/93A580A1E0D9B5C3.pem
new file mode 100644
index 000000000..8acf705f0
--- /dev/null
+++ b/server-ca/demoCA/newcerts/93A580A1E0D9B5C3.pem
@@ -0,0 +1,83 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            93:a5:80:a1:e0:d9:b5:c3
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=notreally.eff.org/emailAddress=notreally@eff.org
+        Validity
+            Not Before: Jul  7 20:09:43 2012 GMT
+            Not After : Jul  7 20:09:43 2013 GMT
+        Subject: C=US, ST=CA, L=San Francisco, O=I, OU=I, CN=example.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:cb:e5:99:e2:d7:c3:b4:01:10:63:6f:a0:5b:ce:
+                    68:dc:06:6b:76:96:a2:b7:d7:a3:6e:1e:bf:48:f0:
+                    0b:bd:d7:2b:08:46:56:2b:5d:55:60:47:44:c4:2c:
+                    9f:3d:22:91:a7:97:02:3a:f4:af:88:b3:76:89:1b:
+                    74:53:7b:b5:36:c6:28:a0:0d:cb:11:14:1c:8f:2f:
+                    c7:ed:b0:b1:4a:49:0e:18:b4:f4:c5:0a:75:63:72:
+                    f7:d4:68:c5:36:cb:8f:f2:11:db:48:0f:17:8f:cb:
+                    4a:df:f0:6d:28:a5:c9:f3:33:b6:af:2c:3d:f3:5c:
+                    88:32:39:d8:0e:e2:4d:23:2b:be:81:b0:2c:29:74:
+                    b7:f8:61:81:a7:0b:e8:0f:0e:bf:8a:04:4b:bf:0a:
+                    00:11:c6:f0:b7:83:95:6d:52:87:20:15:f7:2b:da:
+                    da:ab:61:fc:94:14:f1:ba:f2:ad:7a:18:f1:b6:a2:
+                    ba:13:2b:41:cd:4f:97:82:1f:c7:8e:29:7d:bb:86:
+                    50:13:7e:78:6c:74:e6:9d:0b:65:1b:7e:b7:17:8b:
+                    9f:2e:99:1e:d9:d8:54:5f:47:9c:c9:96:f8:86:3d:
+                    87:41:fd:67:71:e9:48:17:30:d5:b2:ef:cc:9e:90:
+                    a4:4c:32:fa:93:b2:21:66:92:95:62:5b:4d:e0:80:
+                    ff:25
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                1A:3F:00:7C:09:C8:12:FC:EF:A8:E9:B5:71:EC:D0:A1:AA:20:1E:55
+            X509v3 Authority Key Identifier: 
+                keyid:F8:53:C1:EA:D3:29:34:D2:3F:B5:E5:ED:D0:C1:79:34:DA:13:BC:E8
+
+    Signature Algorithm: sha1WithRSAEncryption
+         4b:db:6c:c8:4f:4c:be:54:e3:90:fb:9a:6e:9c:ec:4e:af:ca:
+         17:b5:3a:e7:d8:10:b1:cc:77:30:3d:20:3a:f7:b6:61:ce:1d:
+         62:09:a9:58:27:ab:35:ef:be:63:e4:18:3a:63:04:41:a9:99:
+         80:ba:1d:b1:1c:1d:9c:f7:0b:ca:3a:8b:86:ea:39:95:bf:ca:
+         27:1d:21:13:c8:c3:f0:a4:81:04:6f:6d:8f:8c:7d:ce:31:38:
+         d7:1f:05:3d:3b:05:3c:f0:da:e9:3c:b3:1b:36:4d:b7:39:82:
+         6e:42:8c:c5:05:02:2a:ab:3e:ef:09:34:1c:8b:08:26:d3:de:
+         4b:ee:a8:d5:25:ce:18:47:89:3f:0c:3c:04:03:a6:35:a3:21:
+         14:b6:fc:7a:04:76:b6:69:8b:ce:5c:90:34:f5:25:de:f1:c0:
+         20:a3:38:6d:c3:ef:b4:1a:36:8b:34:a6:91:f0:d6:be:60:39:
+         c6:b7:1b:00:da:80:dc:c0:cd:96:66:9c:d5:f9:f3:a2:47:6c:
+         bf:45:9f:98:41:3d:57:9a:aa:0a:87:1b:a7:d2:48:60:a3:5d:
+         2d:45:4f:6f:e1:8b:5b:14:93:73:10:d8:d7:ff:ed:50:87:36:
+         70:23:b3:e5:5e:4d:1c:21:76:3c:c7:b5:a5:da:fc:19:a6:8d:
+         0e:5e:dd:14
+-----BEGIN CERTIFICATE-----
+MIID2TCCAsGgAwIBAgIJAJOlgKHg2bXDMA0GCSqGSIb3DQEBBQUAMHsxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRowGAYDVQQDDBFub3RyZWFsbHkuZWZmLm9yZzEgMB4GCSqGSIb3DQEJ
+ARYRbm90cmVhbGx5QGVmZi5vcmcwHhcNMTIwNzA3MjAwOTQzWhcNMTMwNzA3MjAw
+OTQzWjBgMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBG
+cmFuY2lzY28xCjAIBgNVBAoTAUkxCjAIBgNVBAsTAUkxFDASBgNVBAMTC2V4YW1w
+bGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy+WZ4tfDtAEQ
+Y2+gW85o3AZrdpait9ejbh6/SPALvdcrCEZWK11VYEdExCyfPSKRp5cCOvSviLN2
+iRt0U3u1NsYooA3LERQcjy/H7bCxSkkOGLT0xQp1Y3L31GjFNsuP8hHbSA8Xj8tK
+3/BtKKXJ8zO2ryw981yIMjnYDuJNIyu+gbAsKXS3+GGBpwvoDw6/igRLvwoAEcbw
+t4OVbVKHIBX3K9raq2H8lBTxuvKtehjxtqK6EytBzU+Xgh/Hjil9u4ZQE354bHTm
+nQtlG363F4ufLpke2dhUX0ecyZb4hj2HQf1ncelIFzDVsu/MnpCkTDL6k7IhZpKV
+YltN4ID/JQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVu
+U1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUGj8AfAnIEvzvqOm1
+cezQoaogHlUwHwYDVR0jBBgwFoAU+FPB6tMpNNI/teXt0MF5NNoTvOgwDQYJKoZI
+hvcNAQEFBQADggEBAEvbbMhPTL5U45D7mm6c7E6vyhe1OufYELHMdzA9IDr3tmHO
+HWIJqVgnqzXvvmPkGDpjBEGpmYC6HbEcHZz3C8o6i4bqOZW/yicdIRPIw/CkgQRv
+bY+Mfc4xONcfBT07BTzw2uk8sxs2Tbc5gm5CjMUFAiqrPu8JNByLCCbT3kvuqNUl
+zhhHiT8MPAQDpjWjIRS2/HoEdrZpi85ckDT1Jd7xwCCjOG3D77QaNos0ppHw1r5g
+Oca3GwDagNzAzZZmnNX586JHbL9Fn5hBPVeaqgqHG6fSSGCjXS1FT2/hi1sUk3MQ
+2Nf/7VCHNnAjs+VeTRwhdjzHtaXa/BmmjQ5e3RQ=
+-----END CERTIFICATE-----
diff --git a/server-ca/demoCA/private/.emptyfile b/server-ca/demoCA/private/.emptyfile
deleted file mode 100644
index e69de29bb..000000000
diff --git a/server-ca/demoCA/private/cakey.pem b/server-ca/demoCA/private/cakey.pem
new file mode 100644
index 000000000..e08e997ae
--- /dev/null
+++ b/server-ca/demoCA/private/cakey.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQILkKoXhp8VbACAggA
+MBQGCCqGSIb3DQMHBAgNTj9llxbfLwSCBMhNvE0ThgFyGPghkO3647mzazCU0p1w
+kHaGZieGk7RHFWcG1M0SQ4uxJ7o6mQSDdcBdhoqqph5mjrEor8lOgNXGGd3UMJxH
+Z6VxXriGxSpfF1gQS+z6tJKa9bNJBSAXMhrwc1iVYMxhxvcdO5FTCr0wOJQfEOQR
+T2rwxgIHtHhVEVRTO+VSu1OKEFTGZME8LIa1exaE9aORlfRwm9IBlCSOzg7LefNi
+nVBhLD8iMPFcUy82mlloMlN1Q6lJAKzlsm86VA3OMDIQt6SZlc9v6L6BV8CZTR7o
+48TiRwBi4z6/MLakTrUuiPFSfd2vSbKwj8rZZ9ZKKfFGyYfrTkx6uaBC2lYKfTSz
+kAmU970N/JuCDGfFS16VF4coIWlI7WNflhxdDUu/O5cnWL/NTFQBHcZBheTv9Pzr
+/9Ab5x41fqhq0llQjCb2rVZ9J86S8ffX4YEoApqtZNhnn4yRhX2BNr29VpjZy5kN
+lRAZemgPZ3B3XosQeY7vaVqzB1TxCtbi9N5wEk0TI3F3i64Xj30qEuAaMRXTXTVZ
+HZJSUZ8rYrBe9Hvhg/6ckm7mTtyD52D0RpgY7iCwi13qh+ZhbJ42VIYgxupO7/F1
+EKcQLYj8bJzZ5VGPZnrfX51rQnfYzodXx822wt3zbdjJQl5e+diHU+ROBipVxf6y
+XeD6j6uVfGbFxpOmP27WEoF/jUDjBcIyI5k5SlcMV71PFQjKlh5Z7fxeNKCrV1hD
+PfHtL73dbVvibUkoTKVWPUlgPuTWanTvjpGn0rpqCq24WpayJSm1PcKxMMQzMcvh
+90bqRL0PgKPjIf+w8uk/LRX8RMtFGnQ7YCkET0utq33tjgKPiervgXLsXo/eZuK2
+RHPfYaeRy0MP4tmtOPIJJJ9eG7CC8S9pvqkknOA5N2jSrvNJLog+RAbFJOUruUgH
+pSJCqk6QkQ+n7hGcL4PZXJ49A4VKt8i1MfOSnlnNXKctiZUS1HNS6VOvRhkbCRX2
+FZHiupfuzmXAgf0NBEoltPxLvAC4aeomIO/6LGUf3OIoBDN8Ul8NXW0Nf9iZn2kJ
+/Wd55syza1KR3JGtvUl6+hdod/m7mH5z3qZV1x0LfncRsQxSNmCydzA7CqU7yINt
+MF786roXhgvcbTAuvxexpw4/QtWUHkRxidmifxlq9Xf6jK6yPiMQVX4HkwixMxFY
+OGf8SCCRYBhwWbrs3B3IJ6i/iND5a7lZcNSCz9WvLECxmXq0bume5UTW1g+9vnPV
+f8zxeWC4OJTNmu+iH1KwxJXpAb+JqmeHPdFlN03QQLrHw0TyFBvrJv7/mU+2PYSM
+AhjIgSn/jdSl5yDq+Tw6Hua2SaV8k7RGFWU40MlHaMk4dC5+aQ8wVVVhOA7agVWI
+iakA0XJm67JWtJCJUn66dexQqC5YtLp5SNC8Kl/xS8o4tDeMCpPOydtiVoiZKlTV
+WA7qdd/o08vsmyOX68XgcbERhm9//QxRt/ygXni9ygUMmmJYx1QGcSUV6XEJYe/j
+/ZY35N2bBvJmmNOZr9jZihQkt2I+Js91A5I3HhSh4aXqt+hBzp9TcvLRvDiRcOSs
+H0rVWeNWmt4EqTFRzEXv7w+hmTgchxyFZiSIiZjy4U53wT4taTGJAsTW7wvnbnsz
+JMw=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/server-ca/demoCA/serial b/server-ca/demoCA/serial
index 2922c92d8..c5f6d09e2 100644
--- a/server-ca/demoCA/serial
+++ b/server-ca/demoCA/serial
@@ -1 +1 @@
-BCE5B084891379D6
+93A580A1E0D9B5C4
diff --git a/server-ca/demoCA/serial.old b/server-ca/demoCA/serial.old
new file mode 100644
index 000000000..a5e8704c0
--- /dev/null
+++ b/server-ca/demoCA/serial.old
@@ -0,0 +1 @@
+93A580A1E0D9B5C3