Bug 1523562 [wpt PR 14206] - Add name constraints to CA, a=testonly
authorFranziskus Kiefer <franziskuskiefer@gmail.com>
Thu, 31 Jan 2019 12:13:54 +0000
changeset 456874 8b75680ebcf2ae5918b3854fb7047c2a199f5519
parent 456873 c4aa393a81c2abd2677d64b20dd34565a7657294
child 456875 dbf16d0e43d49f59847e60d4514493edb9872c35
push id35505
push usercsabou@mozilla.com
push dateTue, 05 Feb 2019 21:59:22 +0000
reviewerstestonly
bugs1523562, 14206, 11075
milestone67.0a1
Bug 1523562 [wpt PR 14206] - Add name constraints to CA, a=testonly Automatic update from web-platform-tests Fix #11075: Add name constraints to CA (#14206) Co-Authored-By: jgraham <james@hoppipolla.co.uk> Co-Authored-By: Geoffrey Sneddon <me@gsnedders.com> -- wpt-commits: d742ec337ef7041b0f3433814ce02a4c4be04749 wpt-pr: 14206
testing/web-platform/tests/.gitignore
testing/web-platform/tests/tools/certs/README.md
testing/web-platform/tests/tools/certs/cacert.key
testing/web-platform/tests/tools/certs/cacert.pem
testing/web-platform/tests/tools/certs/config.json
testing/web-platform/tests/tools/certs/web-platform.test.key
testing/web-platform/tests/tools/certs/web-platform.test.pem
testing/web-platform/tests/tools/serve/serve.py
testing/web-platform/tests/tools/wptserve/wptserve/config.py
testing/web-platform/tests/tools/wptserve/wptserve/sslutils/base.py
testing/web-platform/tests/tools/wptserve/wptserve/sslutils/openssl.py
testing/web-platform/tests/tools/wptserve/wptserve/sslutils/pregenerated.py
--- a/testing/web-platform/tests/.gitignore
+++ b/testing/web-platform/tests/.gitignore
@@ -10,16 +10,21 @@
 # Node
 node_modules/
 
 # WPT repo stuff
 /MANIFEST.json
 .wptcache/
 /config.json
 
+# Files generated when regenerating pre-generated certs
+/tools/certs/0*.pem
+/tools/certs/index.txt*
+/tools/certs/serial*
+
 # Various OS/editor specific files
 *#
 *.sw[po]
 *~
 \#*
 scratch
 .idea/
 .vscode/
--- a/testing/web-platform/tests/tools/certs/README.md
+++ b/testing/web-platform/tests/tools/certs/README.md
@@ -1,7 +1,11 @@
 To enable https://web-platform.test:8443/, add cacert.pem to your browser as Certificate Authority.
 
 For Firefox, go to about:preferences and search for "certificates".
 
 For browsers that use the Certificate Authorities of the underlying OS, such as Chrome and Safari,
 you need to adjust the OS. For macOS, go to Keychain Access and add the certificate under
 **login**.
+
+### Updating these certs
+
+From the root, run `./wpt serve --config tools/certs/config.json` and terminate it after it has started up.
--- a/testing/web-platform/tests/tools/certs/cacert.key
+++ b/testing/web-platform/tests/tools/certs/cacert.key
@@ -1,30 +1,30 @@
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIb9ES7h6YGBcCAggA
-MBQGCCqGSIb3DQMHBAi2ZVLgq1XvagSCBMjAmGEVvjwXvF00veuQmJsmcjVHB/qP
-VqSXjCQ94orZb89UfFnPO9zXdvLWxrwb5WP6bbQv+Sh4htExXCD5XZi1AzWNCybe
-da0vvQGgjdzUh2fCrG4K7J0w20lrYgw3HVSj/WtmdbdZFdoX+BgXrxcqkE3M5opZ
-3UD3yIQeXSxUkh3iv6zzZaWujxjDI2JpwxRmMVbrr8OeBrKJsqB2DnKmq+emmvEF
-iXTN3Ww/Aj6GIqfPZ8jpVdwcVN5QpeHAh7b2lszt7GEOGcBhutPq4Aqy8PIiDR80
-sUYI7V8OXm+Y45DnfkvsogZEifOiUrQ2U+aGDu+Zt88661wVzjq+voJlz8EaIPCE
-B/NS2SgNqI2/DrjEEecn6hjgHWIUBwOfeNoSi1Tri6KZFyxG26LE/V8Cd50yodx9
-pBgFxdCbmYLeRcVeXW2bu0ZMjPddRlR5MHfrkM5ZAze7nRxoiyWnB/U8pPf+bQvx
-K4P9KcwCOeHigkaCYZKq7nmZyEy4km89zIugT/YWhMWyVwylTpagaiiJwYLjug8n
-CbFZWAkORBIl2g/YCuTBUJtC2IWX8kw+nYVwqBszpZyC6nbha2UmhQDfMAowQA5v
-n1LnV8I6f7u6HidbB8WX2UZoh03A4beCBz+dq2VaUquLTL4KQTIz+6rw7nEysrnH
-TIb8SlwsYAlzzwyyM9dSWt7iQeNjmH7zL0MozMs3LKHIrsWi7ZZh8BUYnT2vKdNV
-2ZLOMcR0tYVmVZ8uYkR9kny/fbZcKN54xScohA2UX261W+sWiEgN+RaBsQ79pFgi
-vYldfjaGNSvftXa590xn2tlS6/suB5MxiW5g3PuBg5XtVZ95l0f1n376Xh41sJv8
-YHrCtFHOlSpDJULGiXVh/wXBmS7qJ8DhnUUG699EdlsFf6Qg22WB3AZRvEJdYC4z
-P8W+jZ15NTDbHg3Hv7/CFYVzbXv2w0jkiqQgDF/wc6t/EdLD+2hzcN+nJGjtxZbn
-xjbXcg98CUMU+dc/aD4N45K9e9rPg3+iZLwvsRvwx+MszmgxxPv05pNyRO7RVk8r
-gkyyp9/CJFme+4nFKUc0dUy2yNXZtklTX0XKm/YNKin6uUMlIArIa54Cfvt9QslV
-iD+SxU1ZHmzwKT82+5ZeIRLNWvFV/9E4nD+BTagK2Fdwnsu1S2k7ItD9lK/cBPGS
-0tz1HWv4Auj3wMPZklp3SQluOl6eAIVqqI9GaX/d42DctBQWLTa27YibWyNIcw7o
-3N8GDREMawTBdDRwlZ3oT+yiGLX1c8ds2o0/4IcJlOkDoxXErmdlZo9oVe6z4R7g
-62yR53atVTLoUnAjxHXx0bJiyayv9Y3wjOEvuhuqdd9F+HOhTtAHr/BJQNhEk+z8
-531CZTJjb1p11PbOtHGV2IeB0S82mxkkXRykEXOb89ZpDHNRiMinThRkoCmuRI9r
-dTiES9B02yMPxJ3sLQyDxCoS5mwfcAqKTeK+yCvTvBy+t5tw63DbWlMp/7Ahy65K
-rWMHdwqwfoB+ZYw5sYZdPvuBVAT01I2JbOqX36RacQultFns2OinxOJHa1HjtXyS
-cPVEkMa7ci3Ym9j5RQNLVsgJe7YK9HixX5HjQFAowAH2pXZ5pKJIJYxPIUKtZlsz
-qbM=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 -----END ENCRYPTED PRIVATE KEY-----
--- a/testing/web-platform/tests/tools/certs/cacert.pem
+++ b/testing/web-platform/tests/tools/certs/cacert.pem
@@ -1,83 +1,116 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 753560 (0xb7f98)
+        Serial Number: 372738 (0x5b002)
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN=web-platform-tests
         Validity
-            Not Before: Jul 13 12:59:12 2018 GMT
-            Not After : Jul 10 12:59:12 2028 GMT
+            Not Before: Dec 20 12:20:35 2018 GMT
+            Not After : Dec 17 12:20:35 2028 GMT
         Subject: CN=web-platform-tests
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
-                    00:d3:94:10:b7:70:cf:1b:2b:1e:7f:6c:22:4f:15:
-                    be:c9:95:03:45:e2:7c:26:78:d2:5b:3c:b5:3c:86:
-                    ac:ab:ba:e9:c1:28:91:83:a7:28:92:26:79:00:c2:
-                    bd:e6:ef:bb:6b:d7:fa:2e:39:fa:16:c8:e5:24:8e:
-                    6e:e9:b1:15:83:ab:98:56:99:42:49:4d:5d:16:3a:
-                    28:fe:4d:2e:29:1a:3c:78:78:09:aa:73:26:62:c2:
-                    a5:2c:48:92:65:12:70:7e:3f:7e:c7:c4:ea:0a:c8:
-                    60:ef:6a:b0:65:dc:da:10:31:c9:88:3a:56:35:fd:
-                    85:bd:11:a4:51:7d:7f:71:5f:16:38:64:06:78:25:
-                    3b:15:e1:a6:19:2f:7b:ff:92:11:ad:0e:60:1a:d4:
-                    61:8e:46:45:00:9b:7b:c6:1f:5b:0e:bb:9d:6c:fd:
-                    7a:29:96:82:25:3d:d5:19:80:b7:30:6e:61:2a:1f:
-                    cb:50:dc:ac:f4:ff:4b:02:67:60:58:04:17:b6:69:
-                    93:93:c8:92:f8:a0:5e:f1:56:fd:e8:24:21:bd:f4:
-                    be:d4:ee:1f:df:6e:d3:4d:55:1b:58:c4:66:9b:93:
-                    b6:b2:10:e8:0e:fb:6b:90:4f:f9:5f:99:58:0a:aa:
-                    8d:5f:39:33:75:83:41:45:71:53:0b:f0:81:75:dc:
-                    73:6d
+                    00:a5:c0:b9:6d:f2:13:01:17:f3:ec:bf:91:db:4f:
+                    cd:4a:73:c7:d1:6a:b8:0d:c0:1e:7a:06:df:f2:f6:
+                    08:c1:36:a2:11:da:fb:0a:7a:2a:4f:a9:c0:6f:19:
+                    0b:e2:6d:26:3a:f9:3e:71:29:45:a4:4f:27:1d:6d:
+                    ef:40:98:dc:01:7f:2c:4f:e2:35:4d:2b:8e:97:c5:
+                    41:9e:cd:f4:0e:60:fc:65:a4:39:5c:88:36:05:60:
+                    e8:7f:b4:b4:32:9c:70:47:08:15:51:c8:cb:d8:21:
+                    ba:54:48:73:72:e3:8a:95:61:e6:00:ef:e3:5f:f6:
+                    18:b6:4e:24:b5:41:7f:ce:b2:d7:28:33:ee:06:21:
+                    4f:cb:d6:4f:55:3a:bb:4f:74:e9:b6:e8:3b:cc:a7:
+                    bb:f3:86:7a:c8:71:e1:f4:f2:2b:fe:1f:71:5e:1f:
+                    49:12:f9:c3:8a:7e:dc:5f:75:38:4d:7b:4a:a2:e5:
+                    6e:bf:ce:d9:9c:99:af:a7:6e:38:97:3c:b5:3f:13:
+                    0c:63:7e:78:ee:e4:ad:d8:18:c7:ec:da:38:44:49:
+                    af:fb:44:8d:79:29:db:cf:4c:0a:6a:fd:5a:54:15:
+                    e0:cd:ac:4d:17:5d:ef:58:c8:3d:84:fd:20:79:55:
+                    9f:14:c7:c8:5f:c8:98:5c:3c:ff:53:89:c5:1f:e7:
+                    83:a3
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: 
                 CA:TRUE
             X509v3 Subject Key Identifier: 
-                5B:DA:C8:C1:09:F3:4D:92:30:BC:EF:43:FB:26:93:1E:AE:0D:9A:0F
+                7A:EA:6A:75:AA:23:78:B5:5E:06:61:4A:56:CF:56:A9:6D:B0:54:02
             X509v3 Authority Key Identifier: 
-                keyid:5B:DA:C8:C1:09:F3:4D:92:30:BC:EF:43:FB:26:93:1E:AE:0D:9A:0F
+                keyid:7A:EA:6A:75:AA:23:78:B5:5E:06:61:4A:56:CF:56:A9:6D:B0:54:02
                 DirName:/CN=web-platform-tests
-                serial:0B:7F:98
+                serial:05:B0:02
 
             X509v3 Key Usage: 
                 Certificate Sign
+            X509v3 Name Constraints: 
+                Permitted:
+                  DNS:web-platform.test
+                  DNS:not-web-platform.test
+                  DNS:www.web-platform.test
+                  DNS:www1.web-platform.test
+                  DNS:www2.web-platform.test
+                  DNS:www.not-web-platform.test
+                  DNS:www2.not-web-platform.test
+                  DNS:www1.not-web-platform.test
+                  DNS:xn--lve-6lad.web-platform.test
+                  DNS:xn--lve-6lad.not-web-platform.test
+                  DNS:xn--n8j6ds53lwwkrqhv28a.web-platform.test
+                  DNS:xn--n8j6ds53lwwkrqhv28a.not-web-platform.test
+
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication
+            X509v3 Subject Alternative Name: 
+                DNS:web-platform.test, DNS:not-web-platform.test, DNS:www.web-platform.test, DNS:www1.web-platform.test, DNS:www2.web-platform.test, DNS:www.not-web-platform.test, DNS:www2.not-web-platform.test, DNS:www1.not-web-platform.test, DNS:xn--lve-6lad.web-platform.test, DNS:xn--lve-6lad.not-web-platform.test, DNS:xn--n8j6ds53lwwkrqhv28a.web-platform.test, DNS:xn--n8j6ds53lwwkrqhv28a.not-web-platform.test
     Signature Algorithm: sha256WithRSAEncryption
-         97:e3:f0:b9:63:07:e5:de:d9:1f:7f:de:be:f8:e4:98:d6:25:
-         97:e9:d3:ad:7c:6d:30:7d:0d:8e:c5:9b:ef:eb:a8:c5:59:b2:
-         2c:73:08:46:22:ab:f7:61:01:19:9e:00:0c:72:bc:2a:bd:86:
-         11:1f:3d:80:aa:19:58:6f:cd:05:b6:5a:27:ff:2e:39:1a:44:
-         08:a2:e8:a6:e2:2c:03:52:2f:63:6b:3a:3b:93:c6:b8:53:cd:
-         f4:ec:63:5c:24:5a:65:a4:e3:93:9e:96:f0:00:cf:82:fc:dc:
-         28:18:86:f1:a2:7e:78:80:9f:f4:11:b1:8e:c8:10:b5:18:9d:
-         fd:9e:8a:cb:6d:8e:15:22:3b:1f:0d:79:53:bd:2b:f7:d0:09:
-         2a:a6:a9:f1:3e:4c:d0:aa:81:ae:2b:34:b0:52:16:d0:78:e2:
-         25:c1:e2:92:47:1b:2f:a6:a2:29:6f:87:9a:3c:5d:44:b0:8f:
-         95:3c:e7:ad:d1:83:1c:38:b7:3d:85:2b:b8:dc:45:81:ba:71:
-         a7:1c:96:9b:c1:38:3e:a9:a6:c7:38:71:4d:37:6e:ca:b8:e8:
-         ab:cc:07:4e:21:43:88:21:c0:49:11:9e:d6:c4:13:2c:57:75:
-         1d:8e:54:1f:63:9a:46:19:52:40:c5:1e:2c:38:d2:b8:62:43:
-         a5:84:c8:e4
+         57:8e:97:2b:a5:3f:82:be:c9:80:b3:ef:0f:c8:b9:4c:f2:a6:
+         91:40:ab:1f:70:0e:31:fb:74:ae:17:23:ea:b1:c8:19:f7:29:
+         13:da:59:aa:61:7f:24:17:24:84:22:81:4c:23:b1:e6:a8:d8:
+         65:95:b0:a9:2e:2d:b8:8f:86:67:69:b8:d2:7a:87:d3:75:67:
+         6a:24:2a:a9:af:31:a6:33:2a:50:46:c4:2e:37:f0:e0:e0:a1:
+         e0:fe:bb:2f:6a:8d:9c:a6:45:cd:3f:8f:cd:fd:95:b1:70:24:
+         b8:2b:39:56:3f:81:0d:42:59:0a:8e:b2:c4:a7:1b:8a:73:98:
+         51:4d:f5:14:ab:8b:95:dc:5e:6a:bc:30:57:79:16:3e:6c:73:
+         09:f9:be:1b:4b:bf:cb:f4:ae:3a:ad:0e:57:20:e7:2f:f5:1f:
+         b3:7b:cf:1a:77:73:94:c6:f5:08:d5:24:29:12:9c:f1:0a:75:
+         99:43:7b:91:c7:69:6f:ff:86:10:54:94:22:73:f9:00:c2:91:
+         3d:6d:52:e5:5a:c6:43:e2:37:84:4c:59:02:b7:59:6c:b0:c5:
+         18:72:03:61:94:00:11:e6:a3:cb:18:99:3e:8e:a2:00:82:4a:
+         65:c3:08:3b:c9:10:19:c3:09:44:3c:a9:b0:2a:c3:84:2c:46:
+         43:ba:dc:bf
 -----BEGIN CERTIFICATE-----
-MIIDUzCCAjugAwIBAgIDC3+YMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNVBAMMEndl
-Yi1wbGF0Zm9ybS10ZXN0czAeFw0xODA3MTMxMjU5MTJaFw0yODA3MTAxMjU5MTJa
+MIIGVzCCBT+gAwIBAgIDBbACMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNVBAMMEndl
+Yi1wbGF0Zm9ybS10ZXN0czAeFw0xODEyMjAxMjIwMzVaFw0yODEyMTcxMjIwMzVa
 MB0xGzAZBgNVBAMMEndlYi1wbGF0Zm9ybS10ZXN0czCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBANOUELdwzxsrHn9sIk8VvsmVA0XifCZ40ls8tTyGrKu6
-6cEokYOnKJImeQDCvebvu2vX+i45+hbI5SSObumxFYOrmFaZQklNXRY6KP5NLika
-PHh4CapzJmLCpSxIkmUScH4/fsfE6grIYO9qsGXc2hAxyYg6VjX9hb0RpFF9f3Ff
-FjhkBnglOxXhphkve/+SEa0OYBrUYY5GRQCbe8YfWw67nWz9eimWgiU91RmAtzBu
-YSofy1DcrPT/SwJnYFgEF7Zpk5PIkvigXvFW/egkIb30vtTuH99u001VG1jEZpuT
-trIQ6A77a5BP+V+ZWAqqjV85M3WDQUVxUwvwgXXcc20CAwEAAaOBmzCBmDAMBgNV
-HRMEBTADAQH/MB0GA1UdDgQWBBRb2sjBCfNNkjC870P7JpMerg2aDzBHBgNVHSME
-QDA+gBRb2sjBCfNNkjC870P7JpMerg2aD6EhpB8wHTEbMBkGA1UEAwwSd2ViLXBs
-YXRmb3JtLXRlc3RzggMLf5gwCwYDVR0PBAQDAgIEMBMGA1UdJQQMMAoGCCsGAQUF
-BwMBMA0GCSqGSIb3DQEBCwUAA4IBAQCX4/C5Ywfl3tkff96++OSY1iWX6dOtfG0w
-fQ2OxZvv66jFWbIscwhGIqv3YQEZngAMcrwqvYYRHz2AqhlYb80Ftlon/y45GkQI
-ouim4iwDUi9jazo7k8a4U8307GNcJFplpOOTnpbwAM+C/NwoGIbxon54gJ/0EbGO
-yBC1GJ39norLbY4VIjsfDXlTvSv30AkqpqnxPkzQqoGuKzSwUhbQeOIlweKSRxsv
-pqIpb4eaPF1EsI+VPOet0YMcOLc9hSu43EWBunGnHJabwTg+qabHOHFNN27KuOir
-zAdOIUOIIcBJEZ7WxBMsV3UdjlQfY5pGGVJAxR4sONK4YkOlhMjk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 -----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/tools/certs/config.json
@@ -0,0 +1,17 @@
+{
+    "ports": {
+        "http": [],
+        "https": ["auto"],
+        "ws": [],
+        "wss": []
+    },
+    "check_subdomains": false,
+    "ssl": {
+        "type": "openssl",
+        "openssl": {
+            "duration": 3650,
+            "force_regenerate": true,
+            "base_path": "tools/certs"
+        }
+    }
+}
--- a/testing/web-platform/tests/tools/certs/web-platform.test.key
+++ b/testing/web-platform/tests/tools/certs/web-platform.test.key
@@ -1,28 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDYU2g7VdKOVTxP
-uIB0uB1JjDzStbUVIjeBJULnWKq2qr4OMI6gl0/3gNnpofTrWD+jlii42lqqDUHf
-bB1Srs3IFgKwCnCRV36l2xCk/Tv3BtW1iWqSNsZmxabSbHb1T0rLbsOTLb7SP70U
-p0o5WvAY3EEbcIBlgYVFo6oZ8P5V7RDZVmyNVGlL3kUBD1Chh9cMQyKdG06y7G52
-46z2wdmwaegwGrs9053jjHBBdyICXLEzK4Le2rgY9NKYGmrwoCRWqArpDCLPOGxD
-mib2hdm1H23kz+05I1Pbo45+JuthG05drLBCvh5cThiAY2wNCWgIBqH0BAvDN5Lo
-qg7F0UvBAgMBAAECggEBAJWsH9Ht72DLWI9P+JDJUnowrWSclE2q/vw7665lirgY
-KqdmsUgraQi1/g/IHs02odFtc39ylIhT49/RzfgHOhnWIMXsczYcc2QNzdZZ38Nq
-1zJjgXjorR0uY93zbdsMoZNfb7HFVOHjd89yb8h/Qt/whJuXmz6f/rXQJ0ELnO2V
-csBa0WWRdKNYSuDXXAXrTmJs4Pp7NNWAoYBaMoHQcHE9wsN3XnJdYYyABbpj6wIP
-7LXxUN3OZj4CY9+ahCgrEA8NEvCU/SUagEX0YG4z+sV+Dfjnus7vMYSqZv2sdPN2
-ze092+AZBDpdjNdLyrB6cMFRh/23MaCLGHPGjJkCdgECgYEA9bK+NRqPUqcRJ/Bd
-7PAPi1PLjkgP66v0oXsW6yl7BnxgjrUvoWUI9/40kEvQDztIrUFbLoxwnLtAKjQG
-F+2vkD/DWt452Z8bQXbxteGLXkNtwo9DwTBrz4OonmnrxcOjwtIErqEyhMPRCe0w
-KFtRLgK5xXx+JlQNzRxY4TUGjg0CgYEA4WVjixfhTf1vFpmfhX4ewLaBrWch4h6x
-wQ3j9MV90wNbnnyT1GrKiR1XDJ1vN8emFrNQvhr0eOEuDY0ZXJJM8PvPW6+KqmsO
-rwreyQzp/b1Ads/qL7M05REu5y5RQ2zNWjObTvdsUh/LmtUvGRQm92E+t4aFz0Jg
-jZ5A6oq+u4UCgYAtX8geuHv1cKMLdCl0Y1ULjvsNmKNQC56O39N4tF1i8j9Gu5FD
-Rgxk+A4vA8E1vuYKEQLM0uTNHQuZf6gMbTm58vyZ4GZgmTCIY3X59+AsFVnEz35c
-xBt05ESUlM0U5a9tgCmbMmvI9vy4z5PQMCUK0TgLj5UgcO9njK+hT5CZVQKBgGZl
-VjShc6SnpukAf3z4z+XCw+TP/o+oXB6VPeM8OS48z0mP1OTiYwKphptfhmAz3htf
-+SV0P24O9ooHeOcaO8Qa0ZgYholnO3OAH7f8muzAJmITkJN8+WG7TbCO1TIpYp1A
-5qSYOOiSM0Ay60OcaRtnXUOo5G9E+3I628jxoTa1AoGAQK3MjN/BzG5gXG3PX5TV
-tFY+K2SgID33d+STRLUzAgOb+7aqUOdwYfCdiQspED9HRkg/DCLp7gNp02p1kscB
-w/PWCMUO01inIljR4f/YO+kID8Zrovch8d8JLGvNsYFzVAP/ceYW6/OMLQLNGfBC
-xHpdj0Im0e9/WMxC4ZEYfoc=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 -----END PRIVATE KEY-----
--- a/testing/web-platform/tests/tools/certs/web-platform.test.pem
+++ b/testing/web-platform/tests/tools/certs/web-platform.test.pem
@@ -1,90 +1,90 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 753561 (0xb7f99)
+        Serial Number: 372739 (0x5b003)
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN=web-platform-tests
         Validity
-            Not Before: Jul 13 12:59:12 2018 GMT
-            Not After : Jul 10 12:59:12 2028 GMT
+            Not Before: Dec 20 12:20:36 2018 GMT
+            Not After : Dec 17 12:20:36 2028 GMT
         Subject: CN=web-platform.test
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
-                    00:d8:53:68:3b:55:d2:8e:55:3c:4f:b8:80:74:b8:
-                    1d:49:8c:3c:d2:b5:b5:15:22:37:81:25:42:e7:58:
-                    aa:b6:aa:be:0e:30:8e:a0:97:4f:f7:80:d9:e9:a1:
-                    f4:eb:58:3f:a3:96:28:b8:da:5a:aa:0d:41:df:6c:
-                    1d:52:ae:cd:c8:16:02:b0:0a:70:91:57:7e:a5:db:
-                    10:a4:fd:3b:f7:06:d5:b5:89:6a:92:36:c6:66:c5:
-                    a6:d2:6c:76:f5:4f:4a:cb:6e:c3:93:2d:be:d2:3f:
-                    bd:14:a7:4a:39:5a:f0:18:dc:41:1b:70:80:65:81:
-                    85:45:a3:aa:19:f0:fe:55:ed:10:d9:56:6c:8d:54:
-                    69:4b:de:45:01:0f:50:a1:87:d7:0c:43:22:9d:1b:
-                    4e:b2:ec:6e:76:e3:ac:f6:c1:d9:b0:69:e8:30:1a:
-                    bb:3d:d3:9d:e3:8c:70:41:77:22:02:5c:b1:33:2b:
-                    82:de:da:b8:18:f4:d2:98:1a:6a:f0:a0:24:56:a8:
-                    0a:e9:0c:22:cf:38:6c:43:9a:26:f6:85:d9:b5:1f:
-                    6d:e4:cf:ed:39:23:53:db:a3:8e:7e:26:eb:61:1b:
-                    4e:5d:ac:b0:42:be:1e:5c:4e:18:80:63:6c:0d:09:
-                    68:08:06:a1:f4:04:0b:c3:37:92:e8:aa:0e:c5:d1:
-                    4b:c1
+                    00:a9:c4:56:43:9e:78:e0:1a:b3:e3:d8:e8:ab:b6:
+                    1a:0c:ae:10:d7:86:04:34:32:ea:44:95:c2:06:dd:
+                    9b:44:f4:f3:40:a9:3d:b4:62:ca:fb:71:88:20:d6:
+                    f4:1d:ca:54:a8:d5:a2:b7:65:c0:5b:b5:fb:90:f1:
+                    87:da:ef:ea:3a:4e:24:dc:2a:21:26:4d:60:77:e2:
+                    b2:4f:c7:5b:77:ee:b2:73:ee:75:82:d0:98:c8:38:
+                    0a:ed:a5:22:00:23:cc:88:5e:40:2d:c3:94:e7:1d:
+                    c2:f9:00:00:bb:6a:59:62:54:cc:85:d7:95:15:c5:
+                    d7:93:52:09:af:c3:92:14:1b:37:d1:5f:d1:d4:56:
+                    10:85:bf:1b:6c:4b:e1:93:3a:80:cb:1c:5a:98:18:
+                    7e:10:73:ab:20:74:e1:2d:cd:43:ee:45:2e:75:cc:
+                    a4:f0:68:6e:10:a2:90:8a:7e:4b:e3:dc:c2:d9:d7:
+                    df:e4:d1:a2:4f:89:bb:cb:34:00:a9:90:c9:4f:15:
+                    86:59:7a:4b:ed:f9:6b:01:01:48:ed:8b:15:cc:f1:
+                    ff:58:a2:7d:97:57:d1:7b:31:7b:c3:b1:a6:54:81:
+                    e6:ee:62:de:ea:c5:a1:b4:c4:63:5e:cf:ca:e2:2c:
+                    88:50:07:cc:06:48:82:75:f1:98:b2:54:de:b6:ab:
+                    df:db
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: 
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                DC:27:6C:74:E6:47:31:95:D8:CC:96:5B:E4:94:6E:8C:22:2F:2B:EA
+                F7:EE:CA:20:37:0F:BC:CF:F3:B7:DC:12:76:D1:D1:CA:40:67:3A:6D
             X509v3 Authority Key Identifier: 
-                keyid:5B:DA:C8:C1:09:F3:4D:92:30:BC:EF:43:FB:26:93:1E:AE:0D:9A:0F
+                keyid:7A:EA:6A:75:AA:23:78:B5:5E:06:61:4A:56:CF:56:A9:6D:B0:54:02
 
             X509v3 Key Usage: 
                 Digital Signature, Non Repudiation, Key Encipherment
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication
             X509v3 Subject Alternative Name: 
                 DNS:web-platform.test, DNS:not-web-platform.test, DNS:www.web-platform.test, DNS:www1.web-platform.test, DNS:www2.web-platform.test, DNS:www.not-web-platform.test, DNS:www2.not-web-platform.test, DNS:www1.not-web-platform.test, DNS:xn--lve-6lad.web-platform.test, DNS:xn--lve-6lad.not-web-platform.test, DNS:xn--n8j6ds53lwwkrqhv28a.web-platform.test, DNS:xn--n8j6ds53lwwkrqhv28a.not-web-platform.test
     Signature Algorithm: sha256WithRSAEncryption
-         15:98:68:69:25:f6:f7:d6:09:0b:5b:d6:ac:d6:49:06:0e:24:
-         e1:ee:b9:44:9e:d1:03:03:ed:3a:b3:f9:23:c4:14:e8:fe:53:
-         70:70:21:a6:d4:e3:ee:8d:ba:84:38:cd:71:32:c7:4a:c0:f1:
-         33:eb:bd:bc:ed:f2:d8:dc:c3:a7:a7:a6:47:6a:69:6c:16:ea:
-         e6:4d:7c:77:18:0d:3e:86:29:91:2b:49:d5:c9:19:1a:53:16:
-         a7:f0:02:f4:70:a2:e5:8b:bc:aa:a6:6f:4f:5b:40:24:04:68:
-         11:9d:9e:26:20:f2:e3:68:36:9a:fa:8f:7c:b0:29:08:37:c4:
-         06:08:fc:e4:45:bb:4c:78:ae:2c:f1:c1:bf:d9:23:17:e5:43:
-         18:0e:06:d8:4c:b4:2a:ef:f9:7c:bf:02:d2:62:51:82:ed:9d:
-         64:83:3d:03:cd:61:38:c0:57:c6:5e:5b:3a:41:91:db:3e:83:
-         05:4b:88:84:e3:ae:be:4d:5d:f9:59:07:0c:21:16:fa:7e:af:
-         23:97:05:25:4c:bb:02:d3:11:4a:85:68:c3:a3:cf:d0:0c:15:
-         49:f6:32:0b:f6:2a:01:91:3c:ad:c7:31:da:da:43:e2:2c:db:
-         52:c5:37:a0:c3:cc:3a:5b:2b:76:e5:74:74:20:1b:c3:f7:0c:
-         fe:6d:bf:bb
+         63:c9:58:a8:38:b5:1f:2d:41:9f:06:a3:50:bc:a4:da:f5:e9:
+         c6:05:64:0e:d6:7e:ee:31:8d:81:00:c1:90:fd:71:4d:3c:92:
+         44:7f:c5:b6:be:fe:8d:c0:85:90:04:5c:20:08:88:47:8c:b6:
+         0d:b4:1f:22:a8:10:a9:e7:0d:9d:a0:79:44:0b:f3:3a:77:e6:
+         e2:89:f9:a4:ee:dc:e9:6c:6c:2c:1c:6f:c6:fb:e3:2c:36:a3:
+         72:89:4e:c2:9c:51:23:cc:af:2f:9d:67:82:d2:59:ea:ff:fd:
+         ef:7c:bc:c8:ff:a7:19:43:64:e6:5f:82:28:c9:de:8e:97:e6:
+         42:e0:ca:74:e6:c8:e0:d3:6a:bc:04:ca:bb:53:f0:64:b1:31:
+         98:af:e1:b8:6b:7d:0c:ad:b3:e0:29:00:1b:50:af:30:b3:fa:
+         d4:d3:0e:45:4b:12:0d:5a:ea:11:cd:29:be:32:ea:4f:4f:7c:
+         58:7d:e2:33:37:b9:ce:0f:94:00:6d:16:e4:91:6f:e6:4c:47:
+         a7:cd:b7:f1:ab:86:68:e2:6e:c5:e9:60:b7:24:b1:aa:1b:f6:
+         f5:ce:a4:03:bf:ed:20:92:a9:f7:ad:57:61:ef:d8:9a:b6:df:
+         cb:2f:4d:3b:ab:8f:71:c4:f2:87:93:25:48:89:c5:9c:c8:d8:
+         46:c5:5e:ac
 -----BEGIN CERTIFICATE-----
-MIIEnDCCA4SgAwIBAgIDC3+ZMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNVBAMMEndl
-Yi1wbGF0Zm9ybS10ZXN0czAeFw0xODA3MTMxMjU5MTJaFw0yODA3MTAxMjU5MTJa
+MIIEnDCCA4SgAwIBAgIDBbADMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNVBAMMEndl
+Yi1wbGF0Zm9ybS10ZXN0czAeFw0xODEyMjAxMjIwMzZaFw0yODEyMTcxMjIwMzZa
 MBwxGjAYBgNVBAMMEXdlYi1wbGF0Zm9ybS50ZXN0MIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEA2FNoO1XSjlU8T7iAdLgdSYw80rW1FSI3gSVC51iqtqq+
-DjCOoJdP94DZ6aH061g/o5YouNpaqg1B32wdUq7NyBYCsApwkVd+pdsQpP079wbV
-tYlqkjbGZsWm0mx29U9Ky27Dky2+0j+9FKdKOVrwGNxBG3CAZYGFRaOqGfD+Ve0Q
-2VZsjVRpS95FAQ9QoYfXDEMinRtOsuxuduOs9sHZsGnoMBq7PdOd44xwQXciAlyx
-MyuC3tq4GPTSmBpq8KAkVqgK6QwizzhsQ5om9oXZtR9t5M/tOSNT26OOfibrYRtO
-XaywQr4eXE4YgGNsDQloCAah9AQLwzeS6KoOxdFLwQIDAQABo4IB5DCCAeAwCQYD
-VR0TBAIwADAdBgNVHQ4EFgQU3CdsdOZHMZXYzJZb5JRujCIvK+owHwYDVR0jBBgw
-FoAUW9rIwQnzTZIwvO9D+yaTHq4Nmg8wCwYDVR0PBAQDAgXgMBMGA1UdJQQMMAoG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 CCsGAQUFBwMBMIIBbwYDVR0RBIIBZjCCAWKCEXdlYi1wbGF0Zm9ybS50ZXN0ghVu
 b3Qtd2ViLXBsYXRmb3JtLnRlc3SCFXd3dy53ZWItcGxhdGZvcm0udGVzdIIWd3d3
 MS53ZWItcGxhdGZvcm0udGVzdIIWd3d3Mi53ZWItcGxhdGZvcm0udGVzdIIZd3d3
 Lm5vdC13ZWItcGxhdGZvcm0udGVzdIIad3d3Mi5ub3Qtd2ViLXBsYXRmb3JtLnRl
 c3SCGnd3dzEubm90LXdlYi1wbGF0Zm9ybS50ZXN0gh54bi0tbHZlLTZsYWQud2Vi
 LXBsYXRmb3JtLnRlc3SCInhuLS1sdmUtNmxhZC5ub3Qtd2ViLXBsYXRmb3JtLnRl
 c3SCKXhuLS1uOGo2ZHM1M2x3d2tycWh2MjhhLndlYi1wbGF0Zm9ybS50ZXN0gi14
 bi0tbjhqNmRzNTNsd3drcnFodjI4YS5ub3Qtd2ViLXBsYXRmb3JtLnRlc3QwDQYJ
-KoZIhvcNAQELBQADggEBABWYaGkl9vfWCQtb1qzWSQYOJOHuuUSe0QMD7Tqz+SPE
-FOj+U3BwIabU4+6NuoQ4zXEyx0rA8TPrvbzt8tjcw6enpkdqaWwW6uZNfHcYDT6G
-KZErSdXJGRpTFqfwAvRwouWLvKqmb09bQCQEaBGdniYg8uNoNpr6j3ywKQg3xAYI
-/ORFu0x4rizxwb/ZIxflQxgOBthMtCrv+Xy/AtJiUYLtnWSDPQPNYTjAV8ZeWzpB
-kds+gwVLiITjrr5NXflZBwwhFvp+ryOXBSVMuwLTEUqFaMOjz9AMFUn2Mgv2KgGR
-PK3HMdraQ+Is21LFN6DDzDpbK3bldHQgG8P3DP5tv7s=
+KoZIhvcNAQELBQADggEBAGPJWKg4tR8tQZ8Go1C8pNr16cYFZA7Wfu4xjYEAwZD9
+cU08kkR/xba+/o3AhZAEXCAIiEeMtg20HyKoEKnnDZ2geUQL8zp35uKJ+aTu3Ols
+bCwcb8b74yw2o3KJTsKcUSPMry+dZ4LSWer//e98vMj/pxlDZOZfgijJ3o6X5kLg
+ynTmyODTarwEyrtT8GSxMZiv4bhrfQyts+ApABtQrzCz+tTTDkVLEg1a6hHNKb4y
+6k9PfFh94jM3uc4PlABtFuSRb+ZMR6fNt/GrhmjibsXpYLcksaob9vXOpAO/7SCS
+qfetV2Hv2Jq238svTTurj3HE8oeTJUiJxZzI2EbFXqw=
 -----END CERTIFICATE-----
--- a/testing/web-platform/tests/tools/serve/serve.py
+++ b/testing/web-platform/tests/tools/serve/serve.py
@@ -754,17 +754,19 @@ class ConfigBuilder(config.ConfigBuilder
         "log_level": "debug",
         "bind_address": True,
         "ssl": {
             "type": "pregenerated",
             "encrypt_after_connect": False,
             "openssl": {
                 "openssl_binary": "openssl",
                 "base_path": "_certs",
+                "password": "web-platform-tests",
                 "force_regenerate": False,
+                "duration": 30,
                 "base_conf_path": None
             },
             "pregenerated": {
                 "host_key_path": os.path.join(repo_root, "tools", "certs", "web-platform.test.key"),
                 "host_cert_path": os.path.join(repo_root, "tools", "certs", "web-platform.test.pem")
             },
             "none": {}
         },
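Review bot: The new `"password": "web-platform-tests"` default makes the CA key passphrase a public constant, and the same default is added in wptserve/config.py, so encrypting `cacert.key` gives no confidentiality to anyone who follows the README and trusts `cacert.pem`. What limits misuse of that key is the name-constraints extension this commit adds, and that dependency is worth stating next to the default, for example `# Not a secret: the CA key is public; trust in it is bounded only by the CA's name constraints.` The enclosing defaults dict starts and ends outside the hunk.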
--- a/testing/web-platform/tests/tools/wptserve/wptserve/config.py
+++ b/testing/web-platform/tests/tools/wptserve/wptserve/config.py
@@ -121,17 +121,19 @@ class ConfigBuilder(object):
         "bind_address": True,
         "ssl": {
             "type": "none",
             "encrypt_after_connect": False,
             "none": {},
             "openssl": {
                 "openssl_binary": "openssl",
                 "base_path": "_certs",
+                "password": "web-platform-tests",
                 "force_regenerate": False,
+                "duration": 30,
                 "base_conf_path": None
             },
             "pregenerated": {
                 "host_key_path": None,
                 "host_cert_path": None,
             },
         },
         "aliases": []
@@ -311,13 +313,13 @@ class ConfigBuilder(object):
     def _get_ssl_config(self, data):
         ssl_type = data["ssl"]["type"]
         ssl_cls = sslutils.get_cls(ssl_type)
         kwargs = data["ssl"].get(ssl_type, {})
         self._ssl_env = ssl_cls(self.logger, **kwargs)
         self._ssl_env.__enter__()
         if self._ssl_env.ssl_enabled:
             key_path, cert_path = self._ssl_env.host_cert_path(data["domains_set"])
-            ca_cert_path = self._ssl_env.ca_cert_path()
+            ca_cert_path = self._ssl_env.ca_cert_path(data["domains_set"])
             return {"key_path": key_path,
                     "ca_cert_path": ca_cert_path,
                     "cert_path": cert_path,
                     "encrypt_after_connect": data["ssl"].get("encrypt_after_connect", False)}
--- a/testing/web-platform/tests/tools/wptserve/wptserve/sslutils/base.py
+++ b/testing/web-platform/tests/tools/wptserve/wptserve/sslutils/base.py
@@ -8,10 +8,10 @@ class NoSSLEnvironment(object):
         return self
 
     def __exit__(self, *args, **kwargs):
         pass
 
     def host_cert_path(self, hosts):
         return None, None
 
-    def ca_cert_path(self):
+    def ca_cert_path(self, hosts):
         return None
--- a/testing/web-platform/tests/tools/wptserve/wptserve/sslutils/openssl.py
+++ b/testing/web-platform/tests/tools/wptserve/wptserve/sslutils/openssl.py
@@ -109,26 +109,28 @@ def make_subject(common_name,
     for var, key in args:
         value = locals()[var]
         if value is not None:
             rv.append("/%s=%s" % (key, value.replace("/", "\\/")))
 
     return "".join(rv)
 
 def make_alt_names(hosts):
-    rv = []
-    for name in hosts:
-        rv.append("DNS:%s" % name)
-    return ",".join(rv)
+    return ",".join("DNS:%s" % host for host in hosts)
+
+def make_name_constraints(hosts):
+    return ",".join("permitted;DNS:%s" % host for host in hosts)
 
 def get_config(root_dir, hosts, duration=30):
     if hosts is None:
         san_line = ""
+        constraints_line = ""
     else:
         san_line = "subjectAltName = %s" % make_alt_names(hosts)
+        constraints_line = "nameConstraints = " + make_name_constraints(hosts)
 
     if os.path.sep == "\\":
         # This seems to be needed for the Shining Light OpenSSL on
         # Windows, at least.
         root_dir = root_dir.replace("\\", "\\\\")
 
     rv = """[ ca ]
 default_ca = CA_default
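Review bot: `constraints_line` emits `nameConstraints` without `critical`, and the regenerated cacert.pem in this commit lists the extension as non-critical, so a verifier that does not implement name constraints will skip it and treat the CA as unconstrained. Because the CA key and its passphrase are published in the repository, such a client would trust this CA for any host name. Consider `constraints_line = "nameConstraints = critical," + make_name_constraints(hosts)`. If it is left non-critical on purpose, for clients that reject critical constraints they cannot process, a comment on that line should record the choice. `get_config` continues past the end of the hunk.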
@@ -208,19 +210,21 @@ keyUsage = nonRepudiation, digitalSignat
 extendedKeyUsage = serverAuth
 %(san_line)s
 
 [ v3_ca ]
 basicConstraints = CA:true
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
 keyUsage = keyCertSign
+%(constraints_line)s
 """ % {"root_dir": root_dir,
        "san_line": san_line,
        "duration": duration,
+       "constraints_line": constraints_line,
        "sep": os.path.sep.replace("\\", "\\\\")}
 
     return rv
 
 class OpenSSLEnvironment(object):
     ssl_enabled = True
 
     def __init__(self, logger, openssl_binary="openssl", base_path=None,
@@ -282,23 +286,23 @@ class OpenSSLEnvironment(object):
         if self.temporary:
             shutil.rmtree(self.base_path)
 
     def _config_openssl(self, hosts):
         conf_path = self.path("openssl.cfg")
         return OpenSSL(self.logger, self.binary, self.base_path, conf_path, hosts,
                        self.duration, self.base_conf_path)
 
-    def ca_cert_path(self):
+    def ca_cert_path(self, hosts):
         """Get the path to the CA certificate file, generating a
         new one if needed"""
         if self._ca_cert_path is None and not self.force_regenerate:
             self._load_ca_cert()
         if self._ca_cert_path is None:
-            self._generate_ca()
+            self._generate_ca(hosts)
         return self._ca_cert_path
 
     def _load_ca_cert(self):
         key_path = self.path("cacert.key")
         cert_path = self.path("cacert.pem")
 
         if self.check_key_cert(key_path, cert_path, None):
             self.logger.info("Using existing CA cert")
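Review bot: `hosts` only reaches `_generate_ca`; the reuse path in `_load_ca_cert` still calls `check_key_cert(key_path, cert_path, None)`, so an existing cacert.pem in `base_path` that predates this change, or was built for a different host list, appears to be accepted without its name constraints being compared with `hosts`. With `force_regenerate` left at its default of False, the result would be either an unconstrained CA staying in use or host certificates that clients reject for falling outside the permitted names. At minimum the docstring should say this, e.g. `"""Get the path to the CA certificate file, generating one constrained to hosts if needed; an existing CA is reused without checking its constraints."""`. A stricter fix would regenerate the CA when its permitted names do not cover `hosts`. `_load_ca_cert` continues outside the hunk.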
@@ -321,25 +325,25 @@ class OpenSSLEnvironment(object):
             # always in terms of UTC, so the current time should be calculated
             # accordingly.
             if end_date < datetime.utcnow() + time_buffer:
                 return False
 
         #TODO: check the key actually signed the cert.
         return True
 
-    def _generate_ca(self):
+    def _generate_ca(self, hosts):
         path = self.path
         self.logger.info("Generating new CA in %s" % self.base_path)
 
         key_path = path("cacert.key")
         req_path = path("careq.pem")
         cert_path = path("cacert.pem")
 
-        with self._config_openssl(None) as openssl:
+        with self._config_openssl(hosts) as openssl:
             openssl("req",
                     "-batch",
                     "-new",
                     "-newkey", "rsa:2048",
                     "-keyout", key_path,
                     "-out", req_path,
                     "-subj", make_subject("web-platform-tests"),
                     "-passout", "pass:%s" % self.password)
@@ -386,17 +390,17 @@ class OpenSSLEnvironment(object):
         # TODO: check that this cert was signed by the CA cert
         if self.check_key_cert(key_path, cert_path, hosts):
             self.logger.info("Using existing host cert")
             return key_path, cert_path
 
     def _generate_host_cert(self, hosts):
         host = hosts[0]
         if self._ca_key_path is None:
-            self._generate_ca()
+            self._generate_ca(hosts)
         ca_key_path = self._ca_key_path
 
         assert os.path.exists(ca_key_path)
 
         path = self.path
 
         req_path = path("wpt.req")
         cert_path = path("%s.pem" % host)
--- a/testing/web-platform/tests/tools/wptserve/wptserve/sslutils/pregenerated.py
+++ b/testing/web-platform/tests/tools/wptserve/wptserve/sslutils/pregenerated.py
@@ -15,12 +15,12 @@ class PregeneratedSSLEnvironment(object)
 
     def __exit__(self, *args, **kwargs):
         pass
 
     def host_cert_path(self, hosts):
         """Return the key and certificate paths for the host"""
         return self._host_key_path, self._host_cert_path
 
-    def ca_cert_path(self):
+    def ca_cert_path(self, hosts):
         """Return the certificate path of the CA that signed the
         host certificates, or None if that isn't known"""
         return self._ca_cert_path