From oru...@apache.org
Subject [qpid-broker-j] branch master updated: QPID-8367: Add certificate revocation
Date Tue, 28 Jan 2020 15:44:06 GMT
This is an automated email from the ASF dual-hosted git repository.

orudyy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git


The following commit(s) were added to refs/heads/master by this push:
     new 5ea3157  QPID-8367: Add certificate revocation
5ea3157 is described below

commit 5ea315776fad7b4892b25150cc930af390af5bb9
Author: Tomas Vavricka <tomas.vavricka@deutsche-boerse.com>
AuthorDate: Thu Jan 16 11:47:56 2020 +0100

    QPID-8367: Add certificate revocation
    
    This closes #44
---
 .../qpid/server/model/AttributeValueConverter.java |  17 +-
 .../org/apache/qpid/server/model/TrustStore.java   |  39 +-
 .../qpid/server/security/AbstractTrustStore.java   | 218 ++++++++
 .../AutoGeneratedSelfSignedKeyStoreImpl.java       |   4 +-
 .../qpid/server/security/FileTrustStore.java       |   4 +-
 .../qpid/server/security/FileTrustStoreImpl.java   |  25 +-
 .../ManagedPeerCertificateTrustStoreImpl.java      |  13 +-
 .../server/security/NonJavaTrustStoreImpl.java     |  33 +-
 .../security/SiteSpecificTrustStoreImpl.java       |  14 +-
 .../transport/network/security/ssl/SSLUtil.java    |  29 +-
 .../qpid/server/security/FileKeyStoreTest.java     | 294 ++++-------
 .../qpid/server/security/FileTrustStoreTest.java   | 334 ++++++------
 ...toreTestHelper.java => KeyStoreTestHelper.java} |  27 +-
 .../qpid/server/security/NonJavaKeyStoreTest.java  |  93 ++--
 .../server/security/NonJavaTrustStoreTest.java     | 121 +++--
 .../security/SiteSpecificTrustStoreTest.java       | 145 +++---
 .../manager/oauth2/OAuth2MockEndpointHolder.java   |  14 +-
 .../apache/qpid/server/ssl/TrustManagerTest.java   |  69 ++-
 broker-core/src/test/resources/ssl/expired.crt     |  17 -
 broker-core/src/test/resources/ssl/java_broker.crt |  21 -
 broker-core/src/test/resources/ssl/java_broker.req |  18 -
 .../ssl/java_broker_expired_truststore.pkcs12      | Bin 1002 -> 0 bytes
 .../test/resources/ssl/java_broker_keystore.pkcs12 | Bin 4425 -> 0 bytes
 .../resources/ssl/java_broker_peerstore.pkcs12     | Bin 1162 -> 0 bytes
 .../resources/ssl/java_broker_truststore.pkcs12    | Bin 1082 -> 0 bytes
 .../ssl/java_client_expired_keystore.pkcs12        | Bin 2397 -> 0 bytes
 .../test/resources/ssl/java_client_keystore.pkcs12 | Bin 7641 -> 0 bytes
 .../resources/ssl/java_client_truststore.pkcs12    | Bin 1082 -> 0 bytes
 .../ssl/java_client_untrusted_keystore.pkcs12      | Bin 2467 -> 0 bytes
 .../resources/ssl/test_cert_only_keystore.pkcs12   | Bin 1106 -> 0 bytes
 .../src/test/resources/ssl/test_empty_keystore.jks | Bin 88 -> 0 bytes
 .../src/test/resources/ssl/test_keystore.jks       | Bin 6361 -> 0 bytes
 .../resources/ssl/test_pk_only_keystore.pkcs12     | Bin 3521 -> 0 bytes
 .../ssl/test_symmetric_key_keystore.pkcs12         | Bin 4637 -> 0 bytes
 .../resources/js/qpid/management/TrustStore.js     |  18 +-
 .../java/resources/js/qpid/management/addStore.js  |   3 +-
 .../src/main/java/resources/showTrustStore.html    |  24 +
 .../src/main/java/resources/store/truststore.html  |  90 +++-
 ...Java-Broker-Management-Managing-Truststores.xml |  34 +-
 qpid-test-utils/pom.xml                            |   1 -
 .../apache/qpid/test/utils/TestSSLConstants.java   |  91 +++-
 .../main/resources/ssl/certificates/MyRootCA.crl   | Bin 0 -> 501 bytes
 .../resources/ssl/certificates/MyRootCA.crl.pem    |  13 +
 .../main/resources/ssl/certificates/MyRootCA.crt   |  21 +
 .../resources/ssl/certificates/MyRootCA.empty.crl  | Bin 0 -> 415 bytes
 .../ssl/certificates/MyRootCA.empty.crl.pem        |  11 +
 .../main/resources/ssl/certificates/MyRootCA.key   |  30 ++
 .../resources/ssl/certificates/allowed_by_ca.crt   |  80 +++
 .../resources/ssl/certificates/allowed_by_ca.csr   |  17 +
 .../resources/ssl/certificates/allowed_by_ca.jks   | Bin 0 -> 3496 bytes
 .../ssl/certificates/allowed_by_ca.self.crt        |  22 +
 .../ssl/certificates/allowed_by_ca.self.key        |  30 ++
 .../allowed_by_ca_with_intermediate.crt            |  81 +++
 .../allowed_by_ca_with_intermediate.csr            |  17 +
 .../allowed_by_ca_with_intermediate.jks            | Bin 0 -> 4628 bytes
 .../allowed_by_ca_with_intermediate.self.crt       |  23 +
 .../allowed_by_ca_with_intermediate.self.key       |  30 ++
 .../src/main/resources/ssl/certificates/app1.crt   |  74 +++
 .../src/main/resources/ssl/certificates/app1.csr   |  17 +
 .../src/main/resources/ssl/certificates/app1.jks   | Bin 0 -> 3398 bytes
 .../main/resources/ssl/certificates/app1.self.crt  |  22 +
 .../main/resources/ssl/certificates/app1.self.key  |  30 ++
 .../src/main/resources/ssl/certificates/app2.crt   |  74 +++
 .../src/main/resources/ssl/certificates/app2.csr   |  17 +
 .../src/main/resources/ssl/certificates/app2.jks   | Bin 0 -> 3398 bytes
 .../main/resources/ssl/certificates/app2.self.crt  |  22 +
 .../main/resources/ssl/certificates/app2.self.key  |  30 ++
 .../src/main/resources/ssl/certificates/broker.crt |  74 +++
 .../src/main/resources/ssl/certificates/broker.csr |  17 +
 .../src/main/resources/ssl/certificates/broker.jks | Bin 0 -> 3410 bytes
 .../resources/ssl/certificates/broker.self.crt     |  22 +
 .../resources/ssl/certificates/broker.self.key     |  30 ++
 .../ssl/certificates/broker_expired_truststore.jks | Bin 0 -> 1002 bytes
 .../resources/ssl/certificates/broker_keystore.jks | Bin 0 -> 4503 bytes
 .../ssl/certificates/broker_peerstore.jks          | Bin 0 -> 1122 bytes
 .../ssl/certificates/broker_truststore.jks         | Bin 0 -> 1162 bytes
 .../ssl/certificates/chain_with_intermediate.crt   | 105 ++++
 .../resources/ssl/certificates/client_expired.crt  |  17 +
 .../ssl/certificates/client_expired_keystore.jks   | Bin 0 -> 2397 bytes
 .../resources/ssl/certificates/client_keystore.jks | Bin 0 -> 26195 bytes
 .../ssl/certificates/client_truststore.jks         | Bin 0 -> 1162 bytes
 .../ssl/certificates/client_untrusted_keystore.jks | Bin 0 -> 2467 bytes
 .../resources/ssl/certificates/intermediate_ca.crl | Bin 0 -> 458 bytes
 .../ssl/certificates/intermediate_ca.crl.pem       |  12 +
 .../resources/ssl/certificates/intermediate_ca.crt |  84 +++
 .../resources/ssl/certificates/intermediate_ca.csr |  17 +
 .../resources/ssl/certificates/intermediate_ca.jks | Bin 0 -> 3564 bytes
 .../ssl/certificates/intermediate_ca.self.crt      |  22 +
 .../ssl/certificates/intermediate_ca.self.key      |  30 ++
 .../resources/ssl/certificates/revoked_by_ca.crt   |  80 +++
 .../resources/ssl/certificates/revoked_by_ca.csr   |  17 +
 .../resources/ssl/certificates/revoked_by_ca.jks   | Bin 0 -> 3496 bytes
 .../ssl/certificates/revoked_by_ca.self.crt        |  22 +
 .../ssl/certificates/revoked_by_ca.self.key        |  30 ++
 .../ssl/certificates/revoked_by_ca_empty_crl.crt   |  80 +++
 .../ssl/certificates/revoked_by_ca_empty_crl.csr   |  17 +
 .../ssl/certificates/revoked_by_ca_empty_crl.jks   | Bin 0 -> 3548 bytes
 .../certificates/revoked_by_ca_empty_crl.self.crt  |  23 +
 .../certificates/revoked_by_ca_empty_crl.self.key  |  30 ++
 .../revoked_by_ca_invalid_crl_path.crt             |  80 +++
 .../revoked_by_ca_invalid_crl_path.csr             |  17 +
 .../revoked_by_ca_invalid_crl_path.jks             | Bin 0 -> 3578 bytes
 .../revoked_by_ca_invalid_crl_path.self.crt        |  23 +
 .../revoked_by_ca_invalid_crl_path.self.key        |  30 ++
 .../ssl/certificates/test_cert_only_keystore.jks   | Bin 0 -> 1186 bytes
 .../ssl/certificates/test_empty_keystore.jks       | Bin 0 -> 88 bytes
 .../resources/ssl/certificates/test_keystore.jks   | Bin 0 -> 6375 bytes
 .../ssl/certificates/test_pk_only_keystore.jks     | Bin 0 -> 3535 bytes
 .../certificates/test_symmetric_key_keystore.jks   | Bin 0 -> 4739 bytes
 .../main/resources/ssl/generate_certificates.sh    | 370 ++++++++++++++
 .../src/main/resources/ssl/openssl.conf            | 380 ++++++++++++++
 .../qpid/tests/http/endtoend/port/PortTest.java    |   2 +-
 .../extensions/management/AmqpManagementTest.java  |  12 +-
 .../extensions/sasl/AuthenticationTest.java        | 564 ++++++++++++++-------
 .../systests/jms_1_1/extensions/tls/TlsTest.java   | 109 ++--
 test-profiles/test_resources/ssl/CA_db/cert9.db    | Bin 28672 -> 0 bytes
 test-profiles/test_resources/ssl/CA_db/key4.db     | Bin 36864 -> 0 bytes
 test-profiles/test_resources/ssl/CA_db/pkcs11.txt  |   5 -
 test-profiles/test_resources/ssl/CA_db/rootca.crt  |  19 -
 test-profiles/test_resources/ssl/app1.crt          |  21 -
 test-profiles/test_resources/ssl/app1.req          |  18 -
 test-profiles/test_resources/ssl/app2.crt          |  21 -
 test-profiles/test_resources/ssl/app2.req          |  18 -
 test-profiles/test_resources/ssl/expired.crt       |  17 -
 .../test_resources/ssl/generate-java-keystores.sh  | 129 -----
 .../test_resources/ssl/generate-root-ca.sh         |  49 --
 test-profiles/test_resources/ssl/java_broker.crt   |  21 -
 test-profiles/test_resources/ssl/java_broker.req   |  18 -
 .../ssl/java_broker_expired_truststore.jks         | Bin 1002 -> 0 bytes
 .../test_resources/ssl/java_broker_keystore.jks    | Bin 4425 -> 0 bytes
 .../test_resources/ssl/java_broker_peerstore.jks   | Bin 1162 -> 0 bytes
 .../test_resources/ssl/java_broker_truststore.jks  | Bin 1082 -> 0 bytes
 .../ssl/java_client_expired_keystore.jks           | Bin 2397 -> 0 bytes
 .../test_resources/ssl/java_client_keystore.jks    | Bin 7641 -> 0 bytes
 .../test_resources/ssl/java_client_truststore.jks  | Bin 1082 -> 0 bytes
 .../ssl/java_client_untrusted_keystore.jks         | Bin 2467 -> 0 bytes
 test-profiles/test_resources/ssl/pfile             |   1 -
 .../test_resources/ssl/server_db/cert9.db          | Bin 28672 -> 0 bytes
 test-profiles/test_resources/ssl/server_db/key4.db | Bin 36864 -> 0 bytes
 .../test_resources/ssl/server_db/pkcs11.txt        |   5 -
 .../test_resources/ssl/server_db/server.crt        |  20 -
 .../test_resources/ssl/server_db/server.req        |  26 -
 142 files changed, 3725 insertions(+), 1450 deletions(-)

diff --git a/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java b/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java
index 43fe10e..13f951b 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java
@@ -35,7 +35,6 @@ import java.nio.charset.StandardCharsets;
 import java.security.Principal;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
 import java.time.LocalDate;
 import java.time.LocalDateTime;
 import java.time.LocalTime;
@@ -64,6 +63,7 @@ import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.base.Defaults;
 
 import org.apache.qpid.server.model.preferences.GenericPrincipal;
+import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
 import org.apache.qpid.server.util.ServerScopedRuntimeException;
 import org.apache.qpid.server.util.Strings;
 
@@ -192,19 +192,6 @@ abstract class AttributeValueConverter<T>
 
     static final AttributeValueConverter<Certificate> CERTIFICATE_CONVERTER = new AttributeValueConverter<Certificate>()
     {
-        private final CertificateFactory _certFactory;
-
-        {
-            try
-            {
-                _certFactory = CertificateFactory.getInstance("X.509");
-            }
-            catch (CertificateException e)
-            {
-                throw new ServerScopedRuntimeException(e);
-            }
-        }
-
         @Override
         public Certificate convert(final Object value, final ConfiguredObject object)
         {
@@ -216,7 +203,7 @@ abstract class AttributeValueConverter<T>
             {
                 try(ByteArrayInputStream is = new ByteArrayInputStream((byte[])value))
                 {
-                    return _certFactory.generateCertificate(is);
+                    return SSLUtil.getCertificateFactory().generateCertificate(is);
                 }
                 catch (IOException | CertificateException e)
                 {
diff --git a/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java b/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java
index 768d26a..e35d5da 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java
@@ -48,23 +48,54 @@ public interface TrustStore<X extends TrustStore<X>> extends ConfiguredObject<X>
     @ManagedContextDefault(name = "qpid.truststore.trustAnchorValidityEnforced")
     boolean DEFAULT_TRUST_ANCHOR_VALIDITY_ENFORCED = false;
 
+    String CERTIFICATE_REVOCATION_CHECK_ENABLED = "certificateRevocationCheckEnabled";
+    String CERTIFICATE_REVOCATION_CHECK_WITH_IGNORING_SOFT_FAILURES =
+            "certificateRevocationCheckWithIgnoringSoftFailures";
+    String CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST =
+            "certificateRevocationCheckWithPreferringCertificateRevocationList";
+    String CERTIFICATE_REVOCATION_CHECK_WITH_NO_FALLBACK = "certificateRevocationCheckWithNoFallback";
+    String CERTIFICATE_REVOCATION_CHECK_OF_ONLY_END_ENTITY_CERTIFICATES =
+            "certificateRevocationCheckOfOnlyEndEntityCertificates";
+    String CERTIFICATE_REVOCATION_LIST_URL = "certificateRevocationListUrl";
+
     @Override
     @ManagedAttribute(immutable = true)
     String getName();
 
-    @ManagedAttribute( defaultValue = "false", description = "If true the Trust Store will expose its certificates as a special artificial message source.")
+    @ManagedAttribute(defaultValue = "false", description = "If true the Trust Store will expose its certificates as a special artificial message source.")
     boolean isExposedAsMessageSource();
 
-    @ManagedAttribute( defaultValue = "[]", description = "If 'exposedAsMessageSource' is true, the trust store will expose its certificates only to VirtualHostNodes in this list or if this list is empty to all VirtualHostNodes who are not in the 'excludedVirtualHostNodeMessageSources' list." )
+    @ManagedAttribute(defaultValue = "[]", description = "If 'exposedAsMessageSource' is true, the trust store will expose its certificates only to VirtualHostNodes in this list or if this list is empty to all VirtualHostNodes who are not in the 'excludedVirtualHostNodeMessageSources' list." )
     List<VirtualHostNode<?>> getIncludedVirtualHostNodeMessageSources();
 
-    @ManagedAttribute( defaultValue = "[]", description = "If 'exposedAsMessageSource' is true and 'includedVirtualHostNodeMessageSources' is empty, the trust store will expose its certificates only to VirtualHostNodes who are not in this list." )
+    @ManagedAttribute(defaultValue = "[]", description = "If 'exposedAsMessageSource' is true and 'includedVirtualHostNodeMessageSources' is empty, the trust store will expose its certificates only to VirtualHostNodes who are not in this list." )
     List<VirtualHostNode<?>> getExcludedVirtualHostNodeMessageSources();
 
-    @ManagedAttribute( defaultValue = "${qpid.truststore.trustAnchorValidityEnforced}",
+    @ManagedAttribute(defaultValue = "${qpid.truststore.trustAnchorValidityEnforced}",
                        description = "If true, the trust anchor's validity dates will be enforced.")
     boolean isTrustAnchorValidityEnforced();
 
+    @ManagedAttribute(defaultValue = "false", description = "If true, enable certificates revocation.")
+    boolean isCertificateRevocationCheckEnabled();
+
+    @ManagedAttribute(defaultValue = "false", description = "If true, check the revocation status of only end-entity certificates.")
+    boolean isCertificateRevocationCheckOfOnlyEndEntityCertificates();
+
+    @ManagedAttribute(defaultValue = "true", description = "If true, prefer CRL (specified in certificate distribution points) to OCSP, if false prefer OCSP to CRL.")
+    boolean isCertificateRevocationCheckWithPreferringCertificateRevocationList();
+
+    @ManagedAttribute(defaultValue = "true", description = "If true, disable fallback to CRL/OCSP (if 'certificateRevocationCheckWithPreferringCertificateRevocationList' set to true, disable fallback to OCSP, otherwise disable fallback to CRL in certificate distribution points).")
+    boolean isCertificateRevocationCheckWithNoFallback();
+
+    @ManagedAttribute(defaultValue = "false", description = "If true, revocation check will succeed if CRL/OCSP response cannot be obtained because of network error or OCSP responder returns internalError or tryLater.")
+    boolean isCertificateRevocationCheckWithIgnoringSoftFailures();
+
+    @ManagedAttribute(oversize = true, description = "If set, certificates will be validated only against CRL file (CRL in distribution points and OCSP will be ignored).", oversizedAltText = OVER_SIZED_ATTRIBUTE_ALTERNATIVE_TEXT)
+    String getCertificateRevocationListUrl();
+
+    @DerivedAttribute
+    String getCertificateRevocationListPath();
+
     @DerivedAttribute(description = "List of details about the certificates like validity dates, SANs, issuer and subject names, etc.")
     List<CertificateDetails> getCertificateDetails();
 
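Review bot: The description on `getCertificateRevocationListUrl()` says that CRL distribution points and OCSP are ignored once a CRL URL is set, but `getParameters()` in AbstractTrustStore (later in this commit) does not enforce that. It only adds the loaded CRLs as a `CertStore` and still builds the `PKIXRevocationChecker` options from the other flags. With `certificateRevocationCheckWithPreferringCertificateRevocationList` or `certificateRevocationCheckWithNoFallback` set to false, OCSP would presumably still be consulted, so either the text or the code should change. Separately, `getCertificateRevocationListPath()` carries a bare `@DerivedAttribute`, and "If true, enable certificates revocation." does not say what is checked. Something like `description = "If true, the revocation status of certificates validated against this trust store is checked."` would read better in the management UI.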
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/AbstractTrustStore.java b/broker-core/src/main/java/org/apache/qpid/server/security/AbstractTrustStore.java
index 4d19ada..7285aa8 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/AbstractTrustStore.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/AbstractTrustStore.java
@@ -19,16 +19,35 @@
  */
 package org.apache.qpid.server.security;
 
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.security.GeneralSecurityException;
+import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
 import java.security.PublicKey;
 import java.security.SignatureException;
+import java.security.cert.CRL;
+import java.security.cert.CRLException;
+import java.security.cert.CertPathBuilder;
+import java.security.cert.CertPathParameters;
+import java.security.cert.CertStore;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateExpiredException;
 import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.PKIXRevocationChecker;
 import java.security.cert.TrustAnchor;
+import java.security.cert.X509CertSelector;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
 import java.util.HashSet;
@@ -39,12 +58,15 @@ import java.util.concurrent.ScheduledFuture;
 import java.util.concurrent.TimeUnit;
 import java.util.stream.Collectors;
 
+import javax.net.ssl.CertPathTrustManagerParameters;
 import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
 
 import com.google.common.collect.Sets;
 import com.google.common.util.concurrent.Futures;
 import com.google.common.util.concurrent.ListenableFuture;
+import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -78,6 +100,19 @@ public abstract class AbstractTrustStore<X extends AbstractTrustStore<X>>
     private List<VirtualHostNode<?>> _excludedVirtualHostNodeMessageSources;
     @ManagedAttributeField
     private boolean _trustAnchorValidityEnforced;
+    @ManagedAttributeField
+    private boolean _certificateRevocationCheckEnabled;
+    @ManagedAttributeField
+    private boolean _certificateRevocationCheckOfOnlyEndEntityCertificates;
+    @ManagedAttributeField
+    private boolean _certificateRevocationCheckWithPreferringCertificateRevocationList;
+    @ManagedAttributeField
+    private boolean _certificateRevocationCheckWithNoFallback;
+    @ManagedAttributeField
+    private boolean _certificateRevocationCheckWithIgnoringSoftFailures;
+    @ManagedAttributeField(afterSet = "postSetCertificateRevocationListUrl")
+    private volatile String _certificateRevocationListUrl;
+    private volatile String _certificateRevocationListPath;
 
     private ScheduledFuture<?> _checkExpiryTaskFuture;
 
@@ -100,6 +135,34 @@ public abstract class AbstractTrustStore<X extends AbstractTrustStore<X>>
         return _eventLogger;
     }
 
+    protected abstract void initialize();
+
+    @Override
+    protected void changeAttributes(final Map<String, Object> attributes)
+    {
+        super.changeAttributes(attributes);
+        if (attributes.containsKey(CERTIFICATE_REVOCATION_LIST_URL))
+        {
+            initialize();
+        }
+    }
+
+    @Override
+    public void onValidate()
+    {
+        super.onValidate();
+        getCRLs();
+    }
+
+    protected void validateChange(final ConfiguredObject<?> proxyForValidation, final Set<String> changedAttributes)
+    {
+        super.validateChange(proxyForValidation, changedAttributes);
+        if (changedAttributes.contains(CERTIFICATE_REVOCATION_LIST_URL))
+        {
+            getCRLs((String) proxyForValidation.getAttribute(CERTIFICATE_REVOCATION_LIST_URL));
+        }
+    }
+
     @Override
     protected ListenableFuture<Void> onClose()
     {
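Review bot: `changeAttributes()` re-runs `initialize()` only when `certificateRevocationListUrl` is among the changed attributes. Toggling `certificateRevocationCheckEnabled` or any of the four option flags on a live trust store therefore appears to leave the existing trust managers built with the old revocation settings, unless a subclass rebuilds them outside the visible hunks. An operator who enables revocation checking at runtime would reasonably expect it to take effect at once, so the condition should cover every revocation attribute, not just `attributes.containsKey(CERTIFICATE_REVOCATION_LIST_URL)`. Also, `onValidate()` calls `getCRLs()` even when the check is disabled, so an unreachable CRL URL fails validation of a store that never uses it. Finally, `validateChange` is missing the `@Override` that the two methods above it carry.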
@@ -252,6 +315,106 @@ public abstract class AbstractTrustStore<X extends AbstractTrustStore<X>>
 
     protected abstract TrustManager[] getTrustManagersInternal() throws GeneralSecurityException;
 
+    protected TrustManager[] getTrustManagers(KeyStore ts)
+    {
+        try
+        {
+            final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            tmf.init(new CertPathTrustManagerParameters(getParameters(ts)));
+            return tmf.getTrustManagers();
+        }
+        catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException e)
+        {
+            throw new IllegalConfigurationException("Cannot create trust manager factory for truststore '" +
+                    getName() + "' :" + e, e);
+        }
+    }
+
+    private CertPathParameters getParameters(KeyStore trustStore)
+    {
+        try
+        {
+            final PKIXBuilderParameters parameters = new PKIXBuilderParameters(trustStore, new X509CertSelector());
+            parameters.setRevocationEnabled(_certificateRevocationCheckEnabled);
+            if (_certificateRevocationCheckEnabled)
+            {
+                if (_certificateRevocationListUrl != null)
+                {
+                    parameters.addCertStore(
+                            CertStore.getInstance("Collection", new CollectionCertStoreParameters(getCRLs())));
+                }
+                final PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) CertPathBuilder
+                        .getInstance(TrustManagerFactory.getDefaultAlgorithm()).getRevocationChecker();
+                final Set<PKIXRevocationChecker.Option> options = new HashSet<>();
+                if (_certificateRevocationCheckOfOnlyEndEntityCertificates)
+                {
+                    options.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
+                }
+                if (_certificateRevocationCheckWithPreferringCertificateRevocationList)
+                {
+                    options.add(PKIXRevocationChecker.Option.PREFER_CRLS);
+                }
+                if (_certificateRevocationCheckWithNoFallback)
+                {
+                    options.add(PKIXRevocationChecker.Option.NO_FALLBACK);
+                }
+                if (_certificateRevocationCheckWithIgnoringSoftFailures)
+                {
+                    options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
+                }
+                revocationChecker.setOptions(options);
+                parameters.addCertPathChecker(revocationChecker);
+            }
+            return parameters;
+        }
+        catch (NoSuchAlgorithmException | KeyStoreException | InvalidAlgorithmParameterException e)
+        {
+            throw new IllegalConfigurationException("Cannot create trust manager factory parameters for truststore '" +
+                    getName() + "' :" + e, e);
+        }
+    }
+
+    private Collection<? extends CRL> getCRLs()
+    {
+        return getCRLs(_certificateRevocationListUrl);
+    }
+
+    /**
+     * Load the collection of CRLs.
+     */
+    private Collection<? extends CRL> getCRLs(String crlUrl)
+    {
+        Collection<? extends CRL> crls = Collections.emptyList();
+        if (crlUrl != null)
+        {
+            try (InputStream is = getUrlFromString(crlUrl).openStream())
+            {
+                crls = SSLUtil.getCertificateFactory().generateCRLs(is);
+            }
+            catch (IOException | CRLException e)
+            {
+                throw new IllegalConfigurationException("Unable to load certificate revocation list '" + crlUrl +
+                        "' for truststore '" + getName() + "' :" + e, e);
+            }
+        }
+        return crls;
+    }
+
+    protected static URL getUrlFromString(String urlString) throws MalformedURLException
+    {
+        URL url;
+        try
+        {
+            url = new URL(urlString);
+        }
+        catch (MalformedURLException e)
+        {
+            final File file = new File(urlString);
+            url = file.toURI().toURL();
+        }
+        return url;
+    }
+
     @Override
     public final int getCertificateExpiryWarnPeriod()
     {
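Review bot: `getCRLs(String)` reads the list with `getUrlFromString(crlUrl).openStream()`, which sets no connect or read timeout and accepts whatever URL scheme the JVM has a handler for. The value comes from a management attribute, so a slow or unreachable host can stall validation and trust-manager creation, and the broker will dereference any location the caller names. I would open a `URLConnection`, call `setConnectTimeout`/`setReadTimeout` on it, and reject schemes outside an explicit allow-list before connecting. The CRL is also only read when `getParameters()` runs. Entries published later are presumably not honoured until `initialize()` is triggered again (the callers are outside this hunk), which deserves a comment on `getCRLs` or a scheduled reload.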
@@ -289,6 +452,61 @@ public abstract class AbstractTrustStore<X extends AbstractTrustStore<X>>
     }
 
     @Override
+    public boolean isCertificateRevocationCheckEnabled()
+    {
+        return _certificateRevocationCheckEnabled;
+    }
+
+    @Override
+    public boolean isCertificateRevocationCheckOfOnlyEndEntityCertificates()
+    {
+        return _certificateRevocationCheckOfOnlyEndEntityCertificates;
+    }
+
+    @Override
+    public boolean isCertificateRevocationCheckWithPreferringCertificateRevocationList()
+    {
+        return _certificateRevocationCheckWithPreferringCertificateRevocationList;
+    }
+
+    @Override
+    public boolean isCertificateRevocationCheckWithNoFallback()
+    {
+        return _certificateRevocationCheckWithNoFallback;
+    }
+
+    @Override
+    public boolean isCertificateRevocationCheckWithIgnoringSoftFailures()
+    {
+        return _certificateRevocationCheckWithIgnoringSoftFailures;
+    }
+
+    @Override
+    public String getCertificateRevocationListUrl()
+    {
+        return _certificateRevocationListUrl;
+    }
+
+    @Override
+    public String getCertificateRevocationListPath()
+    {
+        return _certificateRevocationListPath;
+    }
+
+    @SuppressWarnings(value = "unused")
+    private void postSetCertificateRevocationListUrl()
+    {
+        if (_certificateRevocationListUrl != null && !_certificateRevocationListUrl.startsWith("data:"))
+        {
+            _certificateRevocationListPath = _certificateRevocationListUrl;
+        }
+        else
+        {
+            _certificateRevocationListPath = null;
+        }
+    }
+
+    @Override
     public boolean isExposedAsMessageSource()
     {
         return _exposedAsMessageSource;
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java
index f5feecf..1ff9803 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java
@@ -40,7 +40,6 @@ import java.security.SecureRandom;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.security.spec.InvalidKeySpecException;
 import java.util.Arrays;
@@ -184,8 +183,7 @@ public class AutoGeneratedSelfSignedKeyStoreImpl
 
         try(ByteArrayInputStream input = new ByteArrayInputStream(certificateEncoded))
         {
-            CertificateFactory cf = CertificateFactory.getInstance("X.509");
-            _certificate = (X509Certificate) cf.generateCertificate(input);
+            _certificate = (X509Certificate) SSLUtil.getCertificateFactory().generateCertificate(input);
         }
         catch (CertificateException | IOException e)
         {
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStore.java b/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStore.java
index 6842130..9f73700 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStore.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStore.java
@@ -22,7 +22,7 @@ package org.apache.qpid.server.security;
 
 import static org.apache.qpid.server.model.Initialization.materialize;
 
-import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManagerFactory;
 
 import org.apache.qpid.server.model.DerivedAttribute;
 import org.apache.qpid.server.model.ManagedAttribute;
@@ -42,7 +42,7 @@ public interface FileTrustStore<X extends FileTrustStore<X>> extends TrustStore<
     String DEFAULT_TRUSTSTORE_TYPE = java.security.KeyStore.getDefaultType();
 
     @ManagedContextDefault(name = "trustStoreFile.trustManagerFactoryAlgorithm")
-    String DEFAULT_TRUST_MANAGER_FACTORY_ALGORITHM = KeyManagerFactory.getDefaultAlgorithm();
+    String DEFAULT_TRUST_MANAGER_FACTORY_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm();
     String PEERS_ONLY = "peersOnly";
 
     @Override
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
index 508e464..161c8d4 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
@@ -259,22 +259,6 @@ public class FileTrustStoreImpl extends AbstractTrustStore<FileTrustStoreImpl> i
         return certificates == null ? new Certificate[0] : Arrays.copyOf(certificates, certificates.length);
     }
 
-    private static URL getUrlFromString(String urlString) throws MalformedURLException
-    {
-        URL url;
-        try
-        {
-            url = new URL(urlString);
-        }
-        catch (MalformedURLException e)
-        {
-            File file = new File(urlString);
-            url = file.toURI().toURL();
-
-        }
-        return url;
-    }
-
     @SuppressWarnings(value = "unused")
     private void postSetStoreUrl()
     {
@@ -288,7 +272,7 @@ public class FileTrustStoreImpl extends AbstractTrustStore<FileTrustStoreImpl> i
         }
     }
 
-    private void initialize()
+    protected void initialize()
     {
         try
         {
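Review bot: `initialize()` here now implements the abstract `initialize()` added to AbstractTrustStore in this commit, but the widened method carries no `@Override`. Adding `@Override` above `protected void initialize()` lets the compiler catch a later signature drift. The same applies to ManagedPeerCertificateTrustStoreImpl, where the renamed method also keeps a `@SuppressWarnings("unused")` that looks stale now that the method is protected and called from the base class. The method body continues outside this hunk.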
@@ -304,12 +288,9 @@ public class FileTrustStoreImpl extends AbstractTrustStore<FileTrustStoreImpl> i
         }
     }
 
-    private TrustManager[] createTrustManagers(final KeyStore ts) throws NoSuchAlgorithmException, KeyStoreException
+    private TrustManager[] createTrustManagers(final KeyStore ts) throws KeyStoreException
     {
-        final TrustManagerFactory tmf = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
-        tmf.init(ts);
-
-        TrustManager[] delegateManagers = tmf.getTrustManagers();
+        final TrustManager[] delegateManagers = getTrustManagers(ts);
         if (delegateManagers.length == 0)
         {
             throw new IllegalStateException("Truststore " + this + " defines no trust managers");
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java
index 5361ba0..616fb2d 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java
@@ -38,7 +38,6 @@ import java.util.Map;
 import java.util.Set;
 
 import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
 
 import com.google.common.util.concurrent.Futures;
@@ -64,7 +63,7 @@ public class ManagedPeerCertificateTrustStoreImpl
 
     private volatile TrustManager[] _trustManagers = new TrustManager[0];
 
-    @ManagedAttributeField( afterSet = "updateTrustManagers")
+    @ManagedAttributeField(afterSet = "initialize")
     private final List<Certificate> _storedCertificates = new ArrayList<>();
 
     @ManagedObjectFactoryConstructor
@@ -100,7 +99,7 @@ public class ManagedPeerCertificateTrustStoreImpl
     }
 
     @SuppressWarnings("unused")
-    private void updateTrustManagers()
+    protected void initialize()
     {
         try
         {
@@ -114,14 +113,10 @@ public class ManagedPeerCertificateTrustStoreImpl
                 inMemoryKeyStore.setCertificateEntry(String.valueOf(i++), cert);
             }
 
-
-            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-            tmf.init(inMemoryKeyStore);
-
             final Collection<TrustManager> trustManagersCol = new ArrayList<>();
             final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
-            TrustManager[] delegateManagers = tmf.getTrustManagers();
-            for (TrustManager tm : delegateManagers)
+            final TrustManager[] delegateManagers = getTrustManagers(inMemoryKeyStore);
+            for (final TrustManager tm : delegateManagers)
             {
                 if (tm instanceof X509TrustManager)
                 {
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java
index be0836e..be5a1a7 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java
@@ -28,15 +28,10 @@ import java.security.GeneralSecurityException;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
-import java.util.Collections;
-import java.util.Date;
-import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import java.util.stream.Collectors;
 
 import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
 
 import com.google.common.util.concurrent.Futures;
 import com.google.common.util.concurrent.ListenableFuture;
@@ -51,7 +46,6 @@ import org.apache.qpid.server.model.ManagedObject;
 import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
 import org.apache.qpid.server.model.State;
 import org.apache.qpid.server.model.StateTransition;
-import org.apache.qpid.server.model.VirtualHostNode;
 import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
 import org.apache.qpid.server.util.urlstreamhandler.data.Handler;
 
@@ -66,7 +60,7 @@ public class NonJavaTrustStoreImpl
         Handler.register();
     }
 
-    @ManagedAttributeField( afterSet = "updateTrustManagers" )
+    @ManagedAttributeField( afterSet = "initialize" )
     private String _certificatesUrl;
 
     private volatile TrustManager[] _trustManagers = new TrustManager[0];
@@ -139,7 +133,7 @@ public class NonJavaTrustStoreImpl
     }
 
     @SuppressWarnings("unused")
-    private void updateTrustManagers()
+    protected void initialize()
     {
         try
         {
@@ -155,11 +149,7 @@ public class NonJavaTrustStoreImpl
                     inMemoryKeyStore.setCertificateEntry(String.valueOf(i++), cert);
                 }
 
-
-
-                TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-                tmf.init(inMemoryKeyStore);
-                _trustManagers = tmf.getTrustManagers();
+                _trustManagers = getTrustManagers(inMemoryKeyStore);
                 _certificates = certs;
             }
 
@@ -169,21 +159,4 @@ public class NonJavaTrustStoreImpl
             throw new IllegalConfigurationException("Cannot load certificate(s) :" + e, e);
         }
     }
-
-    private URL getUrlFromString(String urlString) throws MalformedURLException
-    {
-        URL url;
-
-        try
-        {
-            url = new URL(urlString);
-        }
-        catch (MalformedURLException e)
-        {
-            File file = new File(urlString);
-            url = file.toURI().toURL();
-
-        }
-        return url;
-    }
 }
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java
index 983a2a1..211d9e6 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java
@@ -29,7 +29,6 @@ import java.security.GeneralSecurityException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Base64;
@@ -42,7 +41,6 @@ import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
 
 import com.google.common.util.concurrent.FutureCallback;
@@ -85,6 +83,11 @@ public class SiteSpecificTrustStoreImpl
         super(attributes, broker);
     }
 
+    protected void initialize()
+    {
+        generateTrustManagers();
+    }
+
     @Override
     public String getSiteUrl()
     {
@@ -287,8 +290,7 @@ public class SiteSpecificTrustStoreImpl
 
         try(ByteArrayInputStream input = new ByteArrayInputStream(certificateEncoded))
         {
-            CertificateFactory cf = CertificateFactory.getInstance("X.509");
-            _x509Certificate = (X509Certificate) cf.generateCertificate(input);
+            _x509Certificate = (X509Certificate) SSLUtil.getCertificateFactory().generateCertificate(input);
         }
         catch (CertificateException | IOException e)
         {
@@ -306,9 +308,7 @@ public class SiteSpecificTrustStoreImpl
             inMemoryKeyStore.load(null, null);
             inMemoryKeyStore.setCertificateEntry("1", _x509Certificate);
 
-            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-            tmf.init(inMemoryKeyStore);
-            _trustManagers = tmf.getTrustManagers();
+            _trustManagers = getTrustManagers(inMemoryKeyStore);;
 
         }
         catch (IOException | GeneralSecurityException e)
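Review bot: The added assignment ends in a stray second semicolon, which compiles as an empty statement but will be flagged by most linters; it should read `_trustManagers = getTrustManagers(inMemoryKeyStore);`. The blank line left between it and the closing brace of the `try` can go at the same time. The enclosing method starts and ends outside this hunk.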
diff --git a/broker-core/src/main/java/org/apache/qpid/server/transport/network/security/ssl/SSLUtil.java b/broker-core/src/main/java/org/apache/qpid/server/transport/network/security/ssl/SSLUtil.java
index 01c11d3..e664c2e 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/transport/network/security/ssl/SSLUtil.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/transport/network/security/ssl/SSLUtil.java
@@ -75,6 +75,7 @@ import javax.net.ssl.StandardConstants;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 
+import org.apache.qpid.server.util.ServerScopedRuntimeException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -106,11 +107,10 @@ public class SSLUtil
     private static final Method SET_EXTENSION_METHOD;
     private static final Method EXTENSION_GET_NAME_METHOD;
     private static final boolean CAN_GENERATE_CERTS;
-
+    private static final CertificateFactory CERTIFICATE_FACTORY;
 
     static
     {
-
         Constructor<?> constructor = null;
         Method generateMethod = null;
         Method getPrivateKeyMethod = null;
@@ -125,7 +125,8 @@ public class SSLUtil
         Constructor<?> certificateExtensionsConstructor = null;
         Method setExtensionMethod = null;
         Method extensionGetNameMethod = null;
-        boolean canGenerateCerrts = false;
+        boolean canGenerateCerts = false;
+        CertificateFactory certificateFactory = null;
 
         try
         {
@@ -160,10 +161,10 @@ public class SSLUtil
             certificateExtensionsConstructor = certificateExtensionsClass.getConstructor();
             setExtensionMethod = certificateExtensionsClass.getMethod("set", String.class, Object.class);
             extensionGetNameMethod = extensionClass.getMethod("getName");
-            canGenerateCerrts = true;
-
+            canGenerateCerts = true;
+            certificateFactory = CertificateFactory.getInstance("X.509");
         }
-        catch (ClassNotFoundException | LinkageError | NoSuchMethodException e)
+        catch (ClassNotFoundException | LinkageError | CertificateException | NoSuchMethodException e)
         {
             // ignore
         }
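Review bot: `CertificateFactory.getInstance("X.509")` is placed at the very end of the `try` that performs the reflective lookups for certificate generation, so any `ClassNotFoundException`, `LinkageError` or `NoSuchMethodException` thrown earlier in that block leaves `certificateFactory` null. Before this commit a runtime without those classes only lost the ability to generate certificates; now `getCertificateFactory()` (added in the next hunk) throws for every caller, including the certificate parsing in SiteSpecificTrustStoreImpl and the read loop further down in this class. The factory should be created in its own `try`, independent of `canGenerateCerts`, and the failure should be logged rather than dropped under `// ignore`, because the later "Certificate factory is null" message carries no cause. The start of the `try` block lies outside this hunk, so the exact set of lookups that can fail is inferred from the catch clause.

```java
        // … unchanged: reflective lookups, ending with canGenerateCerts = true; …
        }
        catch (ClassNotFoundException | LinkageError | NoSuchMethodException e)
        {
            // ignore
        }

        try
        {
            certificateFactory = CertificateFactory.getInstance("X.509");
        }
        catch (CertificateException e)
        {
            // leave null; getCertificateFactory() reports it to the caller
        }
```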
@@ -181,14 +182,23 @@ public class SSLUtil
         CERTIFICATE_EXTENSIONS_CONSTRUCTOR = certificateExtensionsConstructor;
         SET_EXTENSION_METHOD = setExtensionMethod;
         EXTENSION_GET_NAME_METHOD = extensionGetNameMethod;
-        CAN_GENERATE_CERTS = canGenerateCerrts;
+        CAN_GENERATE_CERTS = canGenerateCerts;
+        CERTIFICATE_FACTORY = certificateFactory;
     }
 
-
     private SSLUtil()
     {
     }
 
+    public static CertificateFactory getCertificateFactory()
+    {
+        if (CERTIFICATE_FACTORY == null)
+        {
+            throw new ServerScopedRuntimeException("Certificate factory is null");
+        }
+        return CERTIFICATE_FACTORY;
+    }
+
     public static void verifyHostname(SSLEngine engine,String hostnameExpected)
     {
         try
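Review bot: `getCertificateFactory()` hands one static `CertificateFactory` instance to every caller, and the new public method has no Javadoc saying so. The JDK documentation gives no thread-safety guarantee for `CertificateFactory`, and some providers keep per-instance parsing state, so concurrent `generateCertificate` calls from several trust stores may only be safe with the default provider. I would either document the assumption on the method, e.g. `/** Returns the shared X.509 factory; assumes the installed provider's CertificateFactory is safe for concurrent use. */`, or create the factory per call as the old code did. The Javadoc should also state that the method throws `ServerScopedRuntimeException` when no X.509 factory could be created.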
@@ -456,8 +466,7 @@ public class SSLUtil
         {
             do
             {
-                CertificateFactory cf = CertificateFactory.getInstance("X.509");
-                crt.add( (X509Certificate) cf.generateCertificate(input));
+                crt.add( (X509Certificate) getCertificateFactory().generateCertificate(input));
             } while(input.available() != 0);
         }
         catch(CertificateException e)
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java
index 18b2d37..834531c 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java
@@ -20,9 +20,7 @@
 package org.apache.qpid.server.security;
 
 
-import static org.apache.qpid.server.security.FileTrustStoreTest.SYMMETRIC_KEY_KEYSTORE_RESOURCE;
 import static org.apache.qpid.server.security.FileTrustStoreTest.createDataUrlForFile;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.is;
 import static org.junit.Assert.assertEquals;
@@ -31,80 +29,47 @@ import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 import static org.junit.Assume.assumeThat;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
 
 import java.io.File;
-import java.net.URL;
-import java.security.cert.Certificate;
-import java.security.cert.X509Certificate;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
 import javax.net.ssl.KeyManager;
 
-import org.junit.Before;
-import org.junit.Test;
-
-import org.apache.qpid.server.configuration.IllegalConfigurationException;
-import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor;
-import org.apache.qpid.server.configuration.updater.TaskExecutor;
-import org.apache.qpid.server.logging.EventLogger;
 import org.apache.qpid.server.model.Broker;
 import org.apache.qpid.server.model.BrokerModel;
+import org.apache.qpid.server.model.BrokerTestHelper;
 import org.apache.qpid.server.model.ConfiguredObjectFactory;
+import org.apache.qpid.test.utils.UnitTestBase;
+import org.junit.Test;
+
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
 import org.apache.qpid.server.model.KeyStore;
-import org.apache.qpid.server.model.Model;
 import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
 import org.apache.qpid.server.util.DataUrlUtils;
 import org.apache.qpid.test.utils.TestFileUtils;
 import org.apache.qpid.test.utils.TestSSLConstants;
-import org.apache.qpid.test.utils.UnitTestBase;
 
 public class FileKeyStoreTest extends UnitTestBase
 {
-    static final String EMPTY_KEYSTORE_RESOURCE = "/ssl/test_empty_keystore.jks";
-    private static final String KEYSTORE_CERTIFICATE_ONLY_RESOURCE = "/ssl/test_cert_only_keystore.pkcs12";
-    private static final String BROKER_KEYSTORE = "ssl/java_broker_keystore.pkcs12";
-    private static final String BROKER_KEYSTORE_PATH = "classpath:" + BROKER_KEYSTORE;
-    private static final String BROKER_KEYSTORE_PASSWORD = TestSSLConstants.BROKER_KEYSTORE_PASSWORD;
-    private static final String CLIENT_KEYSTORE_PATH = "classpath:ssl/java_client_keystore.pkcs12";
-    private static final String CLIENT_KEYSTORE_PASSWORD = TestSSLConstants.KEYSTORE_PASSWORD;
-    private static final String BROKER_KEYSTORE_ALIAS = TestSSLConstants.BROKER_KEYSTORE_ALIAS;
-
-    private final Broker _broker = mock(Broker.class);
-    private final TaskExecutor _taskExecutor = CurrentThreadTaskExecutor.newStartedInstance();
-    private final Model _model = BrokerModel.getInstance();
-    private final ConfiguredObjectFactory _factory = _model.getObjectFactory();
-
-
-    @Before
-    public void setUp() throws Exception
-    {
-
-        when(_broker.getTaskExecutor()).thenReturn(_taskExecutor);
-        when(_broker.getChildExecutor()).thenReturn(_taskExecutor);
-        when(_broker.getModel()).thenReturn(_model);
-        when(_broker.getCategoryClass()).thenReturn(Broker.class);
-        when(_broker.getEventLogger()).thenReturn(new EventLogger());
-        when(_broker.getTypeClass()).thenReturn(Broker.class);
-    }
+    private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
+    private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
 
     @Test
     public void testCreateKeyStoreFromFile_Success() throws Exception
     {
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.STORE_URL, BROKER_KEYSTORE_PATH);
-        attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE);
+        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
-        FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) _factory.create(KeyStore.class, attributes,  _broker);
+        FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
 
         KeyManager[] keyManager = fileKeyStore.getKeyManagers();
         assertNotNull(keyManager);
-        assertEquals("Unexpected number of key managers", (long) 1, (long) keyManager.length);
+        assertEquals("Unexpected number of key managers", 1, keyManager.length);
         assertNotNull("Key manager unexpected null", keyManager[0]);
     }
 
@@ -113,272 +78,192 @@ public class FileKeyStoreTest extends UnitTestBase
     {
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.STORE_URL, BROKER_KEYSTORE_PATH);
-        attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
-        attributes.put(FileKeyStore.CERTIFICATE_ALIAS, BROKER_KEYSTORE_ALIAS);
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE);
+        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+        attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.BROKER_KEYSTORE_ALIAS);
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
-        FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) _factory.create(KeyStore.class, attributes,  _broker);
+        FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
 
         KeyManager[] keyManager = fileKeyStore.getKeyManagers();
         assertNotNull(keyManager);
-        assertEquals("Unexpected number of key managers", (long) 1, (long) keyManager.length);
+        assertEquals("Unexpected number of key managers", 1, keyManager.length);
         assertNotNull("Key manager unexpected null", keyManager[0]);
     }
 
     @Test
-    public void testCreateKeyStoreFromFile_WrongPassword() throws Exception
+    public void testCreateKeyStoreFromFile_WrongPassword()
     {
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.STORE_URL, BROKER_KEYSTORE_PATH);
+        attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE);
         attributes.put(FileKeyStore.PASSWORD, "wrong");
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
-
-        try
-        {
-            _factory.create(KeyStore.class, attributes,  _broker);
-            fail("Exception not thrown");
-        }
-        catch (IllegalConfigurationException ice)
-        {
-            String message = ice.getMessage();
-            assertTrue("Exception text not as unexpected:" + message,
-                              message.contains("Check key store password"));
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
-        }
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+                "Check key store password");
     }
 
     @Test
-    public void testCreateKeyStoreFromFile_UnknownAlias() throws Exception
+    public void testCreateKeyStoreFromFile_UnknownAlias()
     {
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.STORE_URL, CLIENT_KEYSTORE_PATH);
-        attributes.put(FileKeyStore.PASSWORD, CLIENT_KEYSTORE_PASSWORD);
+        attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.CLIENT_KEYSTORE);
+        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
         attributes.put(FileKeyStore.CERTIFICATE_ALIAS, "notknown");
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
-        try
-        {
-            _factory.create(KeyStore.class, attributes,  _broker);
-            fail("Exception not thrown");
-        }
-        catch (IllegalConfigurationException ice)
-        {
-            String message = ice.getMessage();
-            assertTrue("Exception text not as unexpected:" + message,
-                              message.contains("Cannot find a certificate with alias 'notknown' in key store"));
-        }
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+                "Cannot find a certificate with alias 'notknown' in key store");
     }
 
     @Test
-    public void testCreateKeyStoreFromFile_NonKeyAlias() throws Exception
+    public void testCreateKeyStoreFromFile_NonKeyAlias()
     {
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.STORE_URL, CLIENT_KEYSTORE_PATH);
-        attributes.put(FileKeyStore.PASSWORD, CLIENT_KEYSTORE_PASSWORD);
-        attributes.put(FileKeyStore.CERTIFICATE_ALIAS, "rootca");
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.CLIENT_KEYSTORE);
+        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+        attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.CERT_ALIAS_ROOT_CA);
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
-        try
-        {
-            _factory.create(KeyStore.class, attributes,  _broker);
-            fail("Exception not thrown");
-        }
-        catch (IllegalConfigurationException ice)
-        {
-            String message = ice.getMessage();
-            assertTrue("Exception text not as unexpected:" + message,
-                              message.contains("does not identify a private key"));
-        }
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+                "does not identify a private key");
     }
 
     @Test
     public void testCreateKeyStoreFromDataUrl_Success() throws Exception
     {
-        String trustStoreAsDataUrl = createDataUrlForFile(BROKER_KEYSTORE);
+        String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE);
 
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileKeyStore.NAME, "myFileKeyStore");
         attributes.put(FileKeyStore.STORE_URL, trustStoreAsDataUrl);
-        attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
-        FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) _factory.create(KeyStore.class, attributes,  _broker);
+        FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
 
         KeyManager[] keyManagers = fileKeyStore.getKeyManagers();
         assertNotNull(keyManagers);
-        assertEquals("Unexpected number of key managers", (long) 1, (long) keyManagers.length);
+        assertEquals("Unexpected number of key managers", 1, keyManagers.length);
         assertNotNull("Key manager unexpected null", keyManagers[0]);
     }
 
     @Test
     public void testCreateKeyStoreWithAliasFromDataUrl_Success() throws Exception
     {
-        String trustStoreAsDataUrl = createDataUrlForFile(BROKER_KEYSTORE);
+        String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE);
 
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileKeyStore.NAME, "myFileKeyStore");
         attributes.put(FileKeyStore.STORE_URL, trustStoreAsDataUrl);
-        attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
-        attributes.put(FileKeyStore.CERTIFICATE_ALIAS, BROKER_KEYSTORE_ALIAS);
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+        attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.BROKER_KEYSTORE_ALIAS);
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
-        FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) _factory.create(KeyStore.class, attributes,  _broker);
+        FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
 
         KeyManager[] keyManagers = fileKeyStore.getKeyManagers();
         assertNotNull(keyManagers);
-        assertEquals("Unexpected number of key managers", (long) 1, (long) keyManagers.length);
+        assertEquals("Unexpected number of key managers", 1, keyManagers.length);
         assertNotNull("Key manager unexpected null", keyManagers[0]);
     }
 
     @Test
     public void testCreateKeyStoreFromDataUrl_WrongPassword() throws Exception
     {
-        String keyStoreAsDataUrl = createDataUrlForFile(BROKER_KEYSTORE);
+        String keyStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE);
 
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileKeyStore.NAME, "myFileKeyStore");
         attributes.put(FileKeyStore.PASSWORD, "wrong");
         attributes.put(FileKeyStore.STORE_URL, keyStoreAsDataUrl);
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
-        try
-        {
-            _factory.create(KeyStore.class, attributes,  _broker);
-            fail("Exception not thrown");
-        }
-        catch (IllegalConfigurationException ice)
-        {
-            String message = ice.getMessage();
-            assertTrue("Exception text not as unexpected:" + message,
-                              message.contains("Check key store password"));
-        }
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+                "Check key store password");
     }
 
     @Test
-    public void testCreateKeyStoreFromDataUrl_BadKeystoreBytes() throws Exception
+    public void testCreateKeyStoreFromDataUrl_BadKeystoreBytes()
     {
         String keyStoreAsDataUrl = DataUrlUtils.getDataUrlForBytes("notatruststore".getBytes());
 
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
+        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
         attributes.put(FileKeyStore.STORE_URL, keyStoreAsDataUrl);
 
-        try
-        {
-            _factory.create(KeyStore.class, attributes,  _broker);
-            fail("Exception not thrown");
-        }
-        catch (IllegalConfigurationException ice)
-        {
-            String message = ice.getMessage();
-            assertTrue("Exception text not as unexpected:" + message,
-                              message.contains("Cannot instantiate key store"));
-        }
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+                "Cannot instantiate key store");
     }
 
     @Test
     public void testCreateKeyStoreFromDataUrl_UnknownAlias() throws Exception
     {
-        String keyStoreAsDataUrl = createDataUrlForFile(BROKER_KEYSTORE);
+        String keyStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE);
 
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
+        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
         attributes.put(FileKeyStore.STORE_URL, keyStoreAsDataUrl);
         attributes.put(FileKeyStore.CERTIFICATE_ALIAS, "notknown");
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
-        try
-        {
-            _factory.create(KeyStore.class, attributes,  _broker);
-            fail("Exception not thrown");
-        }
-        catch (IllegalConfigurationException ice)
-        {
-            String message = ice.getMessage();
-            assertTrue("Exception text not as unexpected:" + message,
-                              message.contains("Cannot find a certificate with alias 'notknown' in key store"));
-        }
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+                "Cannot find a certificate with alias 'notknown' in key store");
     }
 
     @Test
-    public void testEmptyKeystoreRejected() throws Exception
+    public void testEmptyKeystoreRejected()
     {
-        final URL emptyKeystore = getClass().getResource(EMPTY_KEYSTORE_RESOURCE);
-        assertNotNull("Empty keystore not found", emptyKeystore);
-
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
-        attributes.put(FileKeyStore.STORE_URL, emptyKeystore);
+        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+        attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.TEST_EMPTY_KEYSTORE);
 
-        try
-        {
-            _factory.create(KeyStore.class, attributes,  _broker);
-            fail("Exception not thrown");
-        }
-        catch (IllegalConfigurationException ice)
-        {
-            // pass
-        }
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+                "must contain at least one private key");
     }
 
     @Test
     public void testKeystoreWithNoPrivateKeyRejected()
     {
-        final URL keystoreUrl = getClass().getResource(KEYSTORE_CERTIFICATE_ONLY_RESOURCE);
-        assertNotNull("Keystore not found", keystoreUrl);
-
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileKeyStore.NAME, getTestName());
-        attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
-        attributes.put(FileKeyStore.STORE_URL, keystoreUrl);
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+        attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.TEST_CERT_ONLY_KEYSTORE);
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
-        try
-        {
-            _factory.create(KeyStore.class, attributes,  _broker);
-            fail("Exception not thrown");
-        }
-        catch (IllegalConfigurationException ice)
-        {
-            String message = ice.getMessage();
-            assertTrue("Exception text not as unexpected:" + message,
-                              message.contains("must contain at least one private key"));
-        }
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+                "must contain at least one private key");
     }
 
     @Test
     public void testSymmetricKeysIgnored()
     {
-        final URL keystoreUrl = getClass().getResource(SYMMETRIC_KEY_KEYSTORE_RESOURCE);
-        assertNotNull("Keystore not found", keystoreUrl);
-
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
-        attributes.put(FileKeyStore.STORE_URL, keystoreUrl);
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+        attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.TEST_SYMMETRIC_KEY_KEYSTORE);
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
-        KeyStore keyStore = _factory.create(KeyStore.class, attributes,  _broker);
+        KeyStore keyStore = (KeyStore) FACTORY.create(KeyStore.class, attributes, BROKER);
         assertNotNull(keyStore);
     }
 
     @Test
-    public void testUpdateKeyStore_Success() throws Exception
+    public void testUpdateKeyStore_Success()
     {
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.STORE_URL, BROKER_KEYSTORE_PATH);
-        attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE);
+        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
-        FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) _factory.create(KeyStore.class, attributes,  _broker);
+        FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
 
         assertNull("Unexpected alias value before change", fileKeyStore.getCertificateAlias());
 
@@ -390,9 +275,9 @@ public class FileKeyStoreTest extends UnitTestBase
             fileKeyStore.setAttributes(unacceptableAttributes);
             fail("Exception not thrown");
         }
-        catch (IllegalConfigurationException ice)
+        catch (IllegalConfigurationException e)
         {
-            String message = ice.getMessage();
+            String message = e.getMessage();
             assertTrue("Exception text not as unexpected:" + message,
                               message.contains("Cannot find a certificate with alias 'notknown' in key store"));
         }
@@ -400,13 +285,12 @@ public class FileKeyStoreTest extends UnitTestBase
         assertNull("Unexpected alias value after failed change", fileKeyStore.getCertificateAlias());
 
         Map<String,Object> changedAttributes = new HashMap<>();
-        changedAttributes.put(FileKeyStore.CERTIFICATE_ALIAS, BROKER_KEYSTORE_ALIAS);
+        changedAttributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.BROKER_KEYSTORE_ALIAS);
 
         fileKeyStore.setAttributes(changedAttributes);
 
         assertEquals("Unexpected alias value after change that is expected to be successful",
-                     BROKER_KEYSTORE_ALIAS,
-                            fileKeyStore.getCertificateAlias());
+                TestSSLConstants.BROKER_KEYSTORE_ALIAS, fileKeyStore.getCertificateAlias());
 
     }
 
@@ -415,8 +299,8 @@ public class FileKeyStoreTest extends UnitTestBase
     {
         assumeThat(SSLUtil.canGenerateCerts(), is(equalTo(true)));
 
-        final SSLUtil.KeyCertPair selfSigned1 = KeystoreTestHelper.generateSelfSigned("CN=foo");
-        final SSLUtil.KeyCertPair selfSigned2 = KeystoreTestHelper.generateSelfSigned("CN=bar");
+        final SSLUtil.KeyCertPair selfSigned1 = KeyStoreTestHelper.generateSelfSigned("CN=foo");
+        final SSLUtil.KeyCertPair selfSigned2 = KeyStoreTestHelper.generateSelfSigned("CN=bar");
 
         final File keyStoreFile = TestFileUtils.createTempFile(this, ".ks");
         final String dummy = "changit";
@@ -426,7 +310,7 @@ public class FileKeyStoreTest extends UnitTestBase
         try
         {
             final java.security.KeyStore keyStore =
-                    KeystoreTestHelper.saveKeyStore(selfSigned1, certificateAlias, keyAlias, pass, keyStoreFile);
+                    KeyStoreTestHelper.saveKeyStore(selfSigned1, certificateAlias, keyAlias, pass, keyStoreFile);
 
             final Map<String, Object> attributes = new HashMap<>();
             attributes.put(FileKeyStore.NAME, getTestName());
@@ -434,14 +318,14 @@ public class FileKeyStoreTest extends UnitTestBase
             attributes.put(FileKeyStore.PASSWORD, dummy);
             attributes.put(FileKeyStore.KEY_STORE_TYPE, keyStore.getType());
 
-            final FileKeyStore keyStoreObject = (FileKeyStore) _factory.create(KeyStore.class, attributes, _broker);
+            final FileKeyStore keyStoreObject = (FileKeyStore) FACTORY.create(KeyStore.class, attributes, BROKER);
 
             final CertificateDetails certificate = getCertificate(keyStoreObject);
             assertEquals("CN=foo", certificate.getIssuerName());
 
             assertTrue(keyStoreFile.delete());
             assertTrue(keyStoreFile.createNewFile());keyStoreFile.deleteOnExit();
-            KeystoreTestHelper.saveKeyStore(selfSigned2, certificateAlias, keyAlias, pass, keyStoreFile);
+            KeyStoreTestHelper.saveKeyStore(selfSigned2, certificateAlias, keyAlias, pass, keyStoreFile);
 
             keyStoreObject.reload();
 
@@ -454,7 +338,7 @@ public class FileKeyStoreTest extends UnitTestBase
         }
     }
 
-    public CertificateDetails getCertificate(final FileKeyStore keyStore) throws java.security.GeneralSecurityException
+    public CertificateDetails getCertificate(final FileKeyStore keyStore)
     {
         final List<CertificateDetails> certificates = keyStore.getCertificateDetails();
 
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
index 427e0b7..6ca59a8 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
@@ -20,10 +20,8 @@
 package org.apache.qpid.server.security;
 
 
-import static org.apache.qpid.server.security.FileKeyStoreTest.EMPTY_KEYSTORE_RESOURCE;
 import static org.apache.qpid.server.transport.network.security.ssl.SSLUtil.getInitializedKeyStore;
 import static org.apache.qpid.test.utils.JvmVendor.IBM;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.CoreMatchers.not;
@@ -32,14 +30,11 @@ import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 import static org.junit.Assume.assumeThat;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
 
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.net.URL;
 import java.security.KeyStore;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
@@ -53,99 +48,69 @@ import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 
 import com.google.common.io.ByteStreams;
-import org.junit.Before;
-import org.junit.Test;
-
-import org.apache.qpid.server.configuration.IllegalConfigurationException;
-import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor;
-import org.apache.qpid.server.configuration.updater.TaskExecutor;
-import org.apache.qpid.server.logging.EventLogger;
 import org.apache.qpid.server.model.Broker;
 import org.apache.qpid.server.model.BrokerModel;
+import org.apache.qpid.server.model.BrokerTestHelper;
 import org.apache.qpid.server.model.ConfiguredObjectFactory;
-import org.apache.qpid.server.model.Model;
+import org.apache.qpid.test.utils.UnitTestBase;
+import org.junit.Test;
+
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
 import org.apache.qpid.server.model.TrustStore;
 import org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager;
 import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
 import org.apache.qpid.server.util.DataUrlUtils;
 import org.apache.qpid.test.utils.TestFileUtils;
 import org.apache.qpid.test.utils.TestSSLConstants;
-import org.apache.qpid.test.utils.UnitTestBase;
 
 public class FileTrustStoreTest extends UnitTestBase
 {
-    static final String SYMMETRIC_KEY_KEYSTORE_RESOURCE = "/ssl/test_symmetric_key_keystore.pkcs12";
-    private static final String KEYSTORE_PK_ONLY_RESOURCE = "/ssl/test_pk_only_keystore.pkcs12";
-    private static final String TRUSTSTORE_PASSWORD = TestSSLConstants.TRUSTSTORE_PASSWORD;
-    private static final String PEER_STORE_PASSWORD = TestSSLConstants.BROKER_PEERSTORE_PASSWORD;
-    private static final String KEYSTORE_PASSWORD = TestSSLConstants.KEYSTORE_PASSWORD;
-    private static final String KEYSTORE_RESOURCE = "/ssl/test_keystore.jks";
-    private static final String TRUST_STORE_PATH = "classpath:ssl/java_client_truststore.pkcs12";
-    private static final String PEER_STORE_PATH = "classpath:ssl/java_broker_peerstore.pkcs12";
-    private static final String EXPIRED_TRUST_STORE_PATH = "classpath:ssl/java_broker_expired_truststore.pkcs12";
-    private static final String EXPIRED_KEYSTORE_PATH = "ssl/java_client_expired_keystore.pkcs12";
-    private static final String TRUST_STORE = "ssl/java_client_truststore.pkcs12";
-    private static final String BROKER_TRUST_STORE_PATH = "classpath:ssl/java_broker_truststore.pkcs12";
-    private static final String BROKER_TRUST_STORE_PASSWORD = TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD;
-    private static final String BROKER_KEYSTORE_PASSWORD = TestSSLConstants.BROKER_KEYSTORE_PASSWORD;
-
-
-    private final Broker _broker = mock(Broker.class);
-    private final TaskExecutor _taskExecutor = CurrentThreadTaskExecutor.newStartedInstance();
-    private final Model _model = BrokerModel.getInstance();
-    private final ConfiguredObjectFactory _factory = _model.getObjectFactory();
-
-    @Before
-    public void setUp() throws Exception
-    {
-
-        when(_broker.getTaskExecutor()).thenReturn(_taskExecutor);
-        when(_broker.getChildExecutor()).thenReturn(_taskExecutor);
-
-        when(_broker.getModel()).thenReturn(_model);
-        when(_broker.getCategoryClass()).thenReturn(Broker.class);
-        when(_broker.getEventLogger()).thenReturn(new EventLogger());
-        when(_broker.getTypeClass()).thenReturn(Broker.class);
-    }
+    private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
+    private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
 
     @Test
     public void testCreateTrustStoreFromFile_Success() throws Exception
     {
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileTrustStore.NAME, "myFileTrustStore");
-        attributes.put(FileTrustStore.STORE_URL, TRUST_STORE_PATH);
-        attributes.put(FileTrustStore.PASSWORD, TRUSTSTORE_PASSWORD);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.CLIENT_TRUSTSTORE);
+        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
 
-        TrustStore<?> fileTrustStore = _factory.create(TrustStore.class, attributes,  _broker);
+        TrustStore<?> fileTrustStore = FACTORY.create(TrustStore.class, attributes, BROKER);
 
         TrustManager[] trustManagers = fileTrustStore.getTrustManagers();
         assertNotNull(trustManagers);
-        assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length);
+        assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
         assertNotNull("Trust manager unexpected null", trustManagers[0]);
     }
 
     @Test
-    public void testCreateTrustStoreFromFile_WrongPassword() throws Exception
+    public void testCreateTrustStoreFromFile_WrongPassword()
     {
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileTrustStore.NAME, "myFileTrustStore");
-        attributes.put(FileTrustStore.STORE_URL, TRUST_STORE_PATH);
+        attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.CLIENT_TRUSTSTORE);
         attributes.put(FileTrustStore.PASSWORD, "wrong");
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
-        try
-        {
-            _factory.create(TrustStore.class, attributes,  _broker);
-            fail("Exception not thrown");
-        }
-        catch (IllegalConfigurationException ice)
-        {
-            String message = ice.getMessage();
-            assertTrue("Exception text not as unexpected:" + message,
-                              message.contains("Check trust store password"));
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+                "Check trust store password");
+    }
 
-        }
+    @Test
+    public void testCreateTrustStoreFromFile_MissingCrlFile()
+    {
+        Map<String,Object> attributes = new HashMap<>();
+        attributes.put(FileTrustStore.NAME, "myFileTrustStore");
+        attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.CLIENT_TRUSTSTORE);
+        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
+
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+                "Unable to load certificate revocation list '/not/a/crl' for truststore 'myFileTrustStore'");
     }
 
     @Test
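Review bot: With revocation checking switched on, testCreateTrustStoreFromFile_Success still asserts only that one non-null trust manager comes back, so it would pass even if the configured CRL were loaded and then never consulted during path validation. The peers-only and data-URL tests in the later hunks have the same shape. Unless TrustManagerTest in this commit already covers it, I would add a case that presents a certificate revoked by the test CRL (assuming `TestSSLConstants.CA_CRL` lists one) and expects `checkClientTrusted` to throw `CertificateException`. The rewritten success test also no longer sets `FileTrustStore.TRUST_STORE_TYPE`, unlike its neighbours, which looks unintentional. In testCreateTrustStoreFromFile_MissingCrlFile a comment such as `// CRL URL is validated even though CERTIFICATE_REVOCATION_CHECK_ENABLED is not set` would record the intent, if that is what is being tested.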
@@ -153,16 +118,18 @@ public class FileTrustStoreTest extends UnitTestBase
     {
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileTrustStore.NAME, "myFileTrustStore");
-        attributes.put(FileTrustStore.STORE_URL, PEER_STORE_PATH);
-        attributes.put(FileTrustStore.PASSWORD, PEER_STORE_PASSWORD);
+        attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE);
+        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
         attributes.put(FileTrustStore.PEERS_ONLY, true);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
 
-        TrustStore<?> fileTrustStore = _factory.create(TrustStore.class, attributes,  _broker);
+        TrustStore<?> fileTrustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
 
         TrustManager[] trustManagers = fileTrustStore.getTrustManagers();
         assertNotNull(trustManagers);
-        assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length);
+        assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
         assertNotNull("Trust manager unexpected null", trustManagers[0]);
         final boolean condition = trustManagers[0] instanceof QpidPeersOnlyTrustManager;
         assertTrue("Trust manager unexpected null", condition);
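Review bot: The `(TrustStore)` cast added in front of `FACTORY.create(...)` is a raw-type cast, and the identical call in testCreateTrustStoreFromFile_Success is assigned to `TrustStore<?>` without it, so the two new call sites disagree. If the call compiles uncast there, drop the cast here and write `TrustStore<?> fileTrustStore = FACTORY.create(TrustStore.class, attributes, BROKER);`. The same cast is introduced in the expired-trust-store, data-URL, symmetric-key and private-key tests in later hunks, where the variable is additionally declared as raw `TrustStore`. The test method starts above this hunk and continues below it.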
@@ -178,22 +145,22 @@ public class FileTrustStoreTest extends UnitTestBase
 
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileTrustStore.NAME, "myFileTrustStore");
-        attributes.put(FileTrustStore.STORE_URL, EXPIRED_TRUST_STORE_PATH);
-        attributes.put(FileTrustStore.PASSWORD, BROKER_TRUST_STORE_PASSWORD);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_EXPIRED_TRUSTSTORE);
+        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
-        TrustStore trustStore = _factory.create(TrustStore.class, attributes, _broker);
+        TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
 
         TrustManager[] trustManagers = trustStore.getTrustManagers();
         assertNotNull(trustManagers);
-        assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length);
+        assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
         final boolean condition = trustManagers[0] instanceof X509TrustManager;
         assertTrue("Unexpected trust manager type", condition);
         X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
 
-        KeyStore clientStore = getInitializedKeyStore(EXPIRED_KEYSTORE_PATH,
-                                                      KEYSTORE_PASSWORD,
-                                                      JAVA_KEYSTORE_TYPE);
+        KeyStore clientStore = getInitializedKeyStore(TestSSLConstants.CLIENT_EXPIRED_KEYSTORE,
+                                                      TestSSLConstants.PASSWORD,
+                                                      TestSSLConstants.JAVA_KEYSTORE_TYPE);
         String alias = clientStore.aliases().nextElement();
         X509Certificate certificate = (X509Certificate) clientStore.getCertificate(alias);
 
@@ -205,23 +172,23 @@ public class FileTrustStoreTest extends UnitTestBase
     {
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileTrustStore.NAME, "myFileTrustStore");
-        attributes.put(FileTrustStore.STORE_URL, EXPIRED_TRUST_STORE_PATH);
-        attributes.put(FileTrustStore.PASSWORD, BROKER_TRUST_STORE_PASSWORD);
+        attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_EXPIRED_TRUSTSTORE);
+        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
         attributes.put(FileTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
-        TrustStore trustStore = _factory.create(TrustStore.class, attributes, _broker);
+        TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
 
         TrustManager[] trustManagers = trustStore.getTrustManagers();
         assertNotNull(trustManagers);
-        assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length);
+        assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
         final boolean condition = trustManagers[0] instanceof X509TrustManager;
         assertTrue("Unexpected trust manager type", condition);
         X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
 
-        KeyStore clientStore = getInitializedKeyStore(EXPIRED_KEYSTORE_PATH,
-                                                      KEYSTORE_PASSWORD,
-                                                      JAVA_KEYSTORE_TYPE);
+        KeyStore clientStore = getInitializedKeyStore(TestSSLConstants.CLIENT_EXPIRED_KEYSTORE,
+                                                      TestSSLConstants.PASSWORD,
+                                                      TestSSLConstants.JAVA_KEYSTORE_TYPE);
         String alias = clientStore.aliases().nextElement();
         X509Certificate certificate = (X509Certificate) clientStore.getCertificate(alias);
 
@@ -248,83 +215,70 @@ public class FileTrustStoreTest extends UnitTestBase
     @Test
     public void testCreateTrustStoreFromDataUrl_Success() throws Exception
     {
-        String trustStoreAsDataUrl = createDataUrlForFile(TRUST_STORE);
+        String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.CLIENT_TRUSTSTORE);
+        String crlAsDataUrl = createDataUrlForFile(TestSSLConstants.CA_CRL);
 
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileTrustStore.NAME, "myFileTrustStore");
         attributes.put(FileTrustStore.STORE_URL, trustStoreAsDataUrl);
-        attributes.put(FileTrustStore.PASSWORD, TRUSTSTORE_PASSWORD);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, crlAsDataUrl);
 
-        TrustStore<?> fileTrustStore = _factory.create(TrustStore.class, attributes,  _broker);
+        TrustStore<?> fileTrustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
 
         TrustManager[] trustManagers = fileTrustStore.getTrustManagers();
         assertNotNull(trustManagers);
-        assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length);
+        assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
         assertNotNull("Trust manager unexpected null", trustManagers[0]);
     }
 
     @Test
     public void testCreateTrustStoreFromDataUrl_WrongPassword() throws Exception
     {
-        String trustStoreAsDataUrl = createDataUrlForFile(TRUST_STORE);
+        String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.CLIENT_TRUSTSTORE);
 
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileTrustStore.NAME, "myFileTrustStore");
         attributes.put(FileTrustStore.PASSWORD, "wrong");
         attributes.put(FileTrustStore.STORE_URL, trustStoreAsDataUrl);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
-        try
-        {
-            _factory.create(TrustStore.class, attributes,  _broker);
-            fail("Exception not thrown");
-        }
-        catch (IllegalConfigurationException ice)
-        {
-            String message = ice.getMessage();
-            assertTrue("Exception text not as unexpected:" + message,
-                              message.contains("Check trust store password"));
-        }
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+                "Check trust store password");
     }
 
     @Test
-    public void testCreateTrustStoreFromDataUrl_BadTruststoreBytes() throws Exception
+    public void testCreateTrustStoreFromDataUrl_BadTruststoreBytes()
     {
         String trustStoreAsDataUrl = DataUrlUtils.getDataUrlForBytes("notatruststore".getBytes());
 
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileTrustStore.NAME, "myFileTrustStore");
-        attributes.put(FileTrustStore.PASSWORD, TRUSTSTORE_PASSWORD);
+        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
         attributes.put(FileTrustStore.STORE_URL, trustStoreAsDataUrl);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
-        try
-        {
-            _factory.create(TrustStore.class, attributes,  _broker);
-            fail("Exception not thrown");
-        }
-        catch (IllegalConfigurationException ice)
-        {
-            String message = ice.getMessage();
-            assertTrue("Exception text not as unexpected:" + message,
-                              message.contains("Cannot instantiate trust store"));
-        }
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+                "Cannot instantiate trust store");
     }
 
     @Test
-    public void testUpdateTrustStore_Success() throws Exception
+    public void testUpdateTrustStore_Success()
     {
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileTrustStore.NAME, "myFileTrustStore");
-        attributes.put(FileTrustStore.STORE_URL, TRUST_STORE_PATH);
-        attributes.put(FileTrustStore.PASSWORD, TRUSTSTORE_PASSWORD);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.CLIENT_TRUSTSTORE);
+        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
 
-        FileTrustStore<?> fileTrustStore = (FileTrustStore<?>) _factory.create(TrustStore.class, attributes,  _broker);
+        FileTrustStore<?> fileTrustStore = (FileTrustStore<?>) FACTORY.create(TrustStore.class, attributes, BROKER);
 
         assertEquals("Unexpected path value before change",
-                            TRUST_STORE_PATH,
+                            TestSSLConstants.CLIENT_TRUSTSTORE,
                             fileTrustStore.getStoreUrl());
 
 
@@ -336,114 +290,112 @@ public class FileTrustStoreTest extends UnitTestBase
             fileTrustStore.setAttributes(unacceptableAttributes);
             fail("Exception not thrown");
         }
-        catch (IllegalConfigurationException ice)
+        catch (IllegalConfigurationException e)
         {
-            String message = ice.getMessage();
+            String message = e.getMessage();
             assertTrue("Exception text not as unexpected:" + message,
                               message.contains("Cannot instantiate trust store"));
         }
 
-        assertEquals("Unexpected path value after failed change",
-                            TRUST_STORE_PATH,
-                            fileTrustStore.getStoreUrl());
+        assertEquals("Unexpected keystore path value after failed change",
+                TestSSLConstants.CLIENT_TRUSTSTORE,
+                fileTrustStore.getStoreUrl());
+
+        try
+        {
+            Map<String,Object> unacceptableAttributes = new HashMap<>();
+            unacceptableAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
+
+            fileTrustStore.setAttributes(unacceptableAttributes);
+            fail("Exception not thrown");
+        }
+        catch (IllegalConfigurationException e)
+        {
+            String message = e.getMessage();
+            assertTrue("Exception text not as unexpected:" + message,
+                    message.contains("Unable to load certificate revocation list '/not/a/crl' for truststore " +
+                            "'myFileTrustStore'"));
+        }
+
+        assertEquals("Unexpected CRL path value after failed change",
+                            TestSSLConstants.CA_CRL,
+                            fileTrustStore.getCertificateRevocationListUrl());
 
         Map<String,Object> changedAttributes = new HashMap<>();
-        changedAttributes.put(FileTrustStore.STORE_URL, BROKER_TRUST_STORE_PATH);
-        changedAttributes.put(FileTrustStore.PASSWORD, BROKER_TRUST_STORE_PASSWORD);
+        changedAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_TRUSTSTORE);
+        changedAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+        changedAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL_EMPTY);
 
         fileTrustStore.setAttributes(changedAttributes);
 
-        assertEquals("Unexpected path value after change that is expected to be successful",
-                     BROKER_TRUST_STORE_PATH,
+        assertEquals("Unexpected keystore path value after change that is expected to be successful",
+                            TestSSLConstants.BROKER_TRUSTSTORE,
                             fileTrustStore.getStoreUrl());
+        assertEquals("Unexpected CRL path value after change that is expected to be successful",
+                TestSSLConstants.CA_CRL_EMPTY,
+                fileTrustStore.getCertificateRevocationListUrl());
     }
 
     @Test
     public void testEmptyTrustStoreRejected()
     {
-        final URL emptyKeystore = getClass().getResource(EMPTY_KEYSTORE_RESOURCE);
-        assertNotNull("Empty keystore not found", emptyKeystore);
-
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileKeyStore.NAME, "myFileTrustStore");
-        attributes.put(FileKeyStore.PASSWORD, KEYSTORE_PASSWORD);
-        attributes.put(FileKeyStore.STORE_URL, emptyKeystore);
+        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+        attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.TEST_EMPTY_KEYSTORE);
         attributes.put(FileTrustStore.TRUST_STORE_TYPE, "jks");
 
-        try
-        {
-            _factory.create(TrustStore.class, attributes, _broker);
-            fail("Exception not thrown");
-        }
-        catch (IllegalConfigurationException ice)
-        {
-            // pass
-        }
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+                "must contain at least one certificate");
     }
 
     @Test
     public void testTrustStoreWithNoCertificateRejected()
     {
-        final URL keystoreUrl = getClass().getResource(KEYSTORE_PK_ONLY_RESOURCE);
-        assertNotNull("Keystore not found", keystoreUrl);
-
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(FileTrustStore.NAME, getTestName());
-        attributes.put(FileTrustStore.PASSWORD, TRUSTSTORE_PASSWORD);
-        attributes.put(FileTrustStore.STORE_URL, keystoreUrl);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+        attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TEST_PK_ONLY_KEYSTORE);
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
-        try
-        {
-            _factory.create(TrustStore.class, attributes, _broker);
-            fail("Exception not thrown");
-        }
-        catch (IllegalConfigurationException ice)
-        {
-            String message = ice.getMessage();
-            assertTrue("Exception text not as unexpected:" + message,
-                              message.contains("must contain at least one certificate"));
-        }
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+                "must contain at least one certificate");
     }
 
     @Test
     public void testSymmetricKeyEntryIgnored() throws Exception
     {
-        final URL keystoreUrl = getClass().getResource(SYMMETRIC_KEY_KEYSTORE_RESOURCE);
-        assertNotNull("Symmetric key keystore not found", keystoreUrl);
-
         Map<String, Object> attributes = new HashMap<>();
         attributes.put(FileTrustStore.NAME, getTestName());
-        attributes.put(FileTrustStore.PASSWORD, TRUSTSTORE_PASSWORD);
-        attributes.put(FileTrustStore.STORE_URL, keystoreUrl);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+        attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TEST_SYMMETRIC_KEY_KEYSTORE);
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
-        TrustStore trustStore = _factory.create(TrustStore.class, attributes, _broker);
+        TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
 
         Certificate[] certificates = trustStore.getCertificates();
         assertEquals("Unexpected number of certificates",
-                            (long) getNumberOfCertificates(keystoreUrl, JAVA_KEYSTORE_TYPE),
-                            (long) certificates.length);
+                            getNumberOfCertificates(TestSSLConstants.TEST_SYMMETRIC_KEY_KEYSTORE,
+                                    TestSSLConstants.JAVA_KEYSTORE_TYPE),
+                            certificates.length);
     }
 
     @Test
     public void testPrivateKeyEntryIgnored() throws Exception
     {
-        final URL keystoreUrl = getClass().getResource(KEYSTORE_RESOURCE);
-        assertNotNull("Keystore not found", keystoreUrl);
-
         Map<String, Object> attributes = new HashMap<>();
         attributes.put(FileTrustStore.NAME, getTestName());
-        attributes.put(FileTrustStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
-        attributes.put(FileTrustStore.STORE_URL, keystoreUrl);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+        attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TEST_KEYSTORE);
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
-        TrustStore trustStore = _factory.create(TrustStore.class, attributes, _broker);
+        TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
 
         Certificate[] certificates = trustStore.getCertificates();
         assertEquals("Unexpected number of certificates",
-                            (long) getNumberOfCertificates(keystoreUrl, JAVA_KEYSTORE_TYPE),
-                            (long) certificates.length);
+                            getNumberOfCertificates(TestSSLConstants.TEST_KEYSTORE,
+                                    TestSSLConstants.JAVA_KEYSTORE_TYPE),
+                            certificates.length);
     }
 
     @Test
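Review bot: The rewritten lines of testEmptyTrustStoreRejected still configure a trust store with `FileKeyStore.PASSWORD` and `FileKeyStore.STORE_URL`, next to `FileTrustStore.TRUST_STORE_TYPE` on the line below; this presumably works only because the attribute names happen to coincide. Since both lines are being replaced anyway, I would write `attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);` and `attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TEST_EMPTY_KEYSTORE);`, and likewise use `FileTrustStore.NAME` on the unchanged line above. The literal `"jks"` could become `TestSSLConstants.JAVA_KEYSTORE_TYPE` if the empty store is in that format, so that a failure here cannot be caused by a type mismatch rather than by the missing certificate.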
@@ -451,8 +403,8 @@ public class FileTrustStoreTest extends UnitTestBase
     {
         assumeThat(SSLUtil.canGenerateCerts(), is(equalTo(true)));
 
-        final SSLUtil.KeyCertPair selfSigned1 = KeystoreTestHelper.generateSelfSigned("CN=foo");
-        final SSLUtil.KeyCertPair selfSigned2 = KeystoreTestHelper.generateSelfSigned("CN=bar");
+        final SSLUtil.KeyCertPair selfSigned1 = KeyStoreTestHelper.generateSelfSigned("CN=foo");
+        final SSLUtil.KeyCertPair selfSigned2 = KeyStoreTestHelper.generateSelfSigned("CN=bar");
 
         final File keyStoreFile = TestFileUtils.createTempFile(this, ".ks");
         final String dummy = "changit";
@@ -461,7 +413,7 @@ public class FileTrustStoreTest extends UnitTestBase
         try
         {
             final java.security.KeyStore keyStore =
-                    KeystoreTestHelper.saveKeyStore(alias, selfSigned1.getCertificate(), pass, keyStoreFile);
+                    KeyStoreTestHelper.saveKeyStore(alias, selfSigned1.getCertificate(), pass, keyStoreFile);
 
             final Map<String, Object> attributes = new HashMap<>();
             attributes.put(FileTrustStore.NAME, getTestName());
@@ -469,12 +421,12 @@ public class FileTrustStoreTest extends UnitTestBase
             attributes.put(FileTrustStore.STORE_URL, keyStoreFile.getAbsolutePath());
             attributes.put(FileTrustStore.TRUST_STORE_TYPE, keyStore.getType());
 
-            final FileTrustStore trustStore = (FileTrustStore) _factory.create(TrustStore.class, attributes, _broker);
+            final FileTrustStore trustStore = (FileTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
 
             final X509Certificate certificate = getCertificate(trustStore);
             assertEquals("CN=foo", certificate.getIssuerX500Principal().getName());
 
-            KeystoreTestHelper.saveKeyStore(alias, selfSigned2.getCertificate(), pass, keyStoreFile);
+            KeyStoreTestHelper.saveKeyStore(alias, selfSigned2.getCertificate(), pass, keyStoreFile);
 
             trustStore.reload();
 
@@ -499,12 +451,12 @@ public class FileTrustStoreTest extends UnitTestBase
         return (X509Certificate)certificate;
     }
 
-    private int getNumberOfCertificates(URL url, String type) throws Exception
+    private int getNumberOfCertificates(String keystore, String type) throws Exception
     {
         KeyStore ks = KeyStore.getInstance(type);
-        try(InputStream is = url.openStream())
+        try(InputStream is = new FileInputStream(keystore))
         {
-            ks.load(is, BROKER_KEYSTORE_PASSWORD.toCharArray());
+            ks.load(is, TestSSLConstants.PASSWORD.toCharArray());
         }
 
         int result = 0;
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/KeystoreTestHelper.java b/broker-core/src/test/java/org/apache/qpid/server/security/KeyStoreTestHelper.java
similarity index 82%
rename from broker-core/src/test/java/org/apache/qpid/server/security/KeystoreTestHelper.java
rename to broker-core/src/test/java/org/apache/qpid/server/security/KeyStoreTestHelper.java
index 6278f33..d2324dd 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/KeystoreTestHelper.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/KeyStoreTestHelper.java
@@ -32,10 +32,17 @@ import java.time.Duration;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.Collections;
+import java.util.Map;
 
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.ConfiguredObjectFactory;
 import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
 
-public class KeystoreTestHelper
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class KeyStoreTestHelper
 {
     public static KeyStore saveKeyStore(final String alias,
                                         final X509Certificate certificate,
@@ -78,6 +85,24 @@ public class KeystoreTestHelper
                                                      Collections.emptySet());
     }
 
+    public static void checkExceptionThrownDuringKeyStoreCreation(ConfiguredObjectFactory factory, Broker broker,
+                                                              Class keystoreClass, Map<String, Object> attributes,
+                                                              String expectedExceptionMessage)
+    {
+        try
+        {
+            factory.create(keystoreClass, attributes, broker);
+            fail("Exception not thrown");
+        }
+        catch (IllegalConfigurationException e)
+        {
+            final String message = e.getMessage();
+            assertTrue("Exception text not as expected:" + message,
+                    message.contains(expectedExceptionMessage));
+
+        }
+    }
+
 
     private static File saveKeyStore(final KeyStore ks, final char[] pass, final File storeFile)
             throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException
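Review bot: In `checkExceptionThrownDuringKeyStoreCreation`, `message.contains(expectedExceptionMessage)` throws a NullPointerException when the caught `IllegalConfigurationException` has no message, so the test errors out instead of failing with the intended assertion text. A null guard keeps the failure readable: `assertTrue("Exception text not as expected:" + message, message != null && message.contains(expectedExceptionMessage));`. The raw `Class keystoreClass` and `Broker broker` parameters also make the `factory.create(...)` call unchecked, so typed parameters would be worth considering. A short Javadoc stating that the check is a substring match on the exception message would help callers choose expected text that stays stable.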
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaKeyStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaKeyStoreTest.java
index d4d6390..6df02d7 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaKeyStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaKeyStoreTest.java
@@ -21,8 +21,6 @@ package org.apache.qpid.server.security;
 
 
 import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
-import static org.apache.qpid.test.utils.TestSSLConstants.KEYSTORE_PASSWORD;
 import static org.hamcrest.CoreMatchers.is;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
@@ -38,6 +36,7 @@ import static org.mockito.Mockito.when;
 import static org.mockito.internal.verification.VerificationModeFactory.times;
 
 import java.io.File;
+import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.InputStream;
 import java.security.Key;
@@ -57,6 +56,12 @@ import java.util.concurrent.TimeUnit;
 
 import javax.net.ssl.KeyManager;
 
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.BrokerModel;
+import org.apache.qpid.server.model.BrokerTestHelper;
+import org.apache.qpid.server.model.ConfiguredObjectFactory;
+import org.apache.qpid.test.utils.TestSSLConstants;
+import org.apache.qpid.test.utils.UnitTestBase;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
@@ -67,21 +72,16 @@ import org.apache.qpid.server.logging.EventLogger;
 import org.apache.qpid.server.logging.LogMessage;
 import org.apache.qpid.server.logging.MessageLogger;
 import org.apache.qpid.server.logging.messages.KeyStoreMessages;
-import org.apache.qpid.server.model.Broker;
-import org.apache.qpid.server.model.BrokerTestHelper;
-import org.apache.qpid.server.model.ConfiguredObjectFactory;
 import org.apache.qpid.server.model.KeyStore;
 import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
 import org.apache.qpid.server.util.DataUrlUtils;
 import org.apache.qpid.test.utils.TestFileUtils;
 import org.apache.qpid.test.utils.TestSSLUtils;
-import org.apache.qpid.test.utils.UnitTestBase;
 
 public class NonJavaKeyStoreTest extends UnitTestBase
 {
-    private static final String KEYSTORE = "/ssl/java_broker_keystore.pkcs12";
-    private Broker<?> _broker;
-    private ConfiguredObjectFactory _factory;
+    private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
+    private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
     private List<File> _testResources;
     private MessageLogger _messageLogger;
 
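Review bot: `BROKER` is now a single static Mockito mock shared by every test in the class, yet `setUp` (next hunk) re-stubs `BROKER.getEventLogger()` per test and `doCertExpiryChecking` stubs `scheduleHouseKeepingTask` on it. Stubbing and recorded invocations therefore carry over between tests, and results can depend on execution order. Keeping the mock per test, e.g. `private Broker<?> _broker;` assigned from `BrokerTestHelper.createBrokerMock()` in `setUp`, and making only `FACTORY` static would preserve isolation. Declaring the field as raw `Broker` rather than `Broker<?>` also appears to be what forces the new casts such as `(KeyStore) FACTORY.create(...)` later in this file. The same static raw-typed mock is introduced in NonJavaTrustStoreTest and SiteSpecificTrustStoreTest, although no stubbing on it is visible in those hunks.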
@@ -89,9 +89,7 @@ public class NonJavaKeyStoreTest extends UnitTestBase
     public void setUp() throws Exception
     {
         _messageLogger = mock(MessageLogger.class);
-        _broker = BrokerTestHelper.createBrokerMock();
-        when(_broker.getEventLogger()).thenReturn(new EventLogger(_messageLogger));
-        _factory = _broker.getObjectFactory();
+        when(BROKER.getEventLogger()).thenReturn(new EventLogger(_messageLogger));
         _testResources = new ArrayList<>();
     }
 
@@ -113,17 +111,17 @@ public class NonJavaKeyStoreTest extends UnitTestBase
 
     private File[] extractResourcesFromTestKeyStore(boolean pem, final String storeResource) throws Exception
     {
-        java.security.KeyStore ks = java.security.KeyStore.getInstance(JAVA_KEYSTORE_TYPE);
-        try(InputStream is = getClass().getResourceAsStream(storeResource))
+        java.security.KeyStore ks = java.security.KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        try(InputStream is = new FileInputStream(storeResource))
         {
-            ks.load(is, KEYSTORE_PASSWORD.toCharArray() );
+            ks.load(is, TestSSLConstants.PASSWORD.toCharArray());
         }
 
 
         File privateKeyFile = TestFileUtils.createTempFile(this, ".private-key.der");
         try(FileOutputStream kos = new FileOutputStream(privateKeyFile))
         {
-            Key pvt = ks.getKey("java-broker", KEYSTORE_PASSWORD.toCharArray());
+            Key pvt = ks.getKey(TestSSLConstants.BROKER_KEYSTORE_ALIAS, TestSSLConstants.PASSWORD.toCharArray());
             if (pem)
             {
                 kos.write(TestSSLUtils.privateKeyToPEM(pvt).getBytes(UTF_8));
@@ -139,7 +137,7 @@ public class NonJavaKeyStoreTest extends UnitTestBase
 
         try(FileOutputStream cos = new FileOutputStream(certificateFile))
         {
-            Certificate pub = ks.getCertificate("java-broker");
+            Certificate pub = ks.getCertificate(TestSSLConstants.BROKER_KEYSTORE_ALIAS);
             if (pem)
             {
                 cos.write(TestSSLUtils.certificateToPEM(pub).getBytes(UTF_8));
@@ -168,7 +166,7 @@ public class NonJavaKeyStoreTest extends UnitTestBase
 
     private void runTestCreationOfTrustStoreFromValidPrivateKeyAndCertificateInDerFormat(boolean isPEM)throws Exception
     {
-        File[] resources = extractResourcesFromTestKeyStore(isPEM, KEYSTORE);
+        File[] resources = extractResourcesFromTestKeyStore(isPEM, TestSSLConstants.BROKER_KEYSTORE);
         _testResources.addAll(Arrays.asList(resources));
 
         Map<String,Object> attributes = new HashMap<>();
@@ -178,18 +176,18 @@ public class NonJavaKeyStoreTest extends UnitTestBase
         attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
 
         NonJavaKeyStoreImpl fileTrustStore =
-                (NonJavaKeyStoreImpl) _factory.create(KeyStore.class, attributes,  _broker);
+                (NonJavaKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
 
         KeyManager[] keyManagers = fileTrustStore.getKeyManagers();
         assertNotNull(keyManagers);
-        assertEquals("Unexpected number of key managers", (long) 1, (long) keyManagers.length);
+        assertEquals("Unexpected number of key managers", 1, keyManagers.length);
         assertNotNull("Key manager is null", keyManagers[0]);
     }
 
     @Test
     public void testCreationOfTrustStoreFromValidPrivateKeyAndInvalidCertificate()throws Exception
     {
-        File[] resources = extractResourcesFromTestKeyStore(true, KEYSTORE);
+        File[] resources = extractResourcesFromTestKeyStore(true, TestSSLConstants.BROKER_KEYSTORE);
         _testResources.addAll(Arrays.asList(resources));
 
         File invalidCertificate = TestFileUtils.createTempFile(this, ".invalid.cert", "content");
@@ -201,21 +199,15 @@ public class NonJavaKeyStoreTest extends UnitTestBase
         attributes.put("certificateUrl", invalidCertificate.toURI().toURL().toExternalForm());
         attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
 
-        try
-        {
-            _factory.create(KeyStore.class, attributes, _broker);
-            fail("Created key store from invalid certificate");
-        }
-        catch(IllegalConfigurationException e)
-        {
-            // pass
-        }
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+                "Cannot load private key or certificate(s): java.security.cert.CertificateException: " +
+                        "Could not parse certificate: java.io.IOException: Empty input");
     }
 
     @Test
     public void testCreationOfTrustStoreFromInvalidPrivateKeyAndValidCertificate()throws Exception
     {
-        File[] resources = extractResourcesFromTestKeyStore(true, KEYSTORE);
+        File[] resources = extractResourcesFromTestKeyStore(true, TestSSLConstants.BROKER_KEYSTORE);
         _testResources.addAll(Arrays.asList(resources));
 
         File invalidPrivateKey = TestFileUtils.createTempFile(this, ".invalid.pk", "content");
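Review bot: The expected text in `testCreationOfTrustStoreFromValidPrivateKeyAndInvalidCertificate` includes `java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Empty input`, which looks like wording produced by the JDK's certificate provider rather than by the broker. The test can therefore break on a different JDK or security provider without any change in broker behaviour. Asserting only the broker-owned prefix, `"Cannot load private key or certificate(s)"`, would still prove that an invalid certificate is rejected at creation. The next hunk's `"Unable to parse key as PKCS#1 format"` expectation deserves the same check of where the text originates. The test method starts above this hunk.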
@@ -227,15 +219,9 @@ public class NonJavaKeyStoreTest extends UnitTestBase
         attributes.put("certificateUrl", resources[1].toURI().toURL().toExternalForm());
         attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
 
-        try
-        {
-            _factory.create(KeyStore.class, attributes, _broker);
-            fail("Created key store from invalid certificate");
-        }
-        catch(IllegalConfigurationException e)
-        {
-            // pass
-        }
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+                "Cannot load private key or certificate(s): java.security.spec.InvalidKeySpecException: " +
+                        "Unable to parse key as PKCS#1 format");
     }
 
     @Test
@@ -258,15 +244,15 @@ public class NonJavaKeyStoreTest extends UnitTestBase
 
     private void doCertExpiryChecking(final int expiryOffset) throws Exception
     {
-        when(_broker.scheduleHouseKeepingTask(anyLong(), any(TimeUnit.class), any(Runnable.class))).thenReturn(mock(ScheduledFuture.class));
+        when(BROKER.scheduleHouseKeepingTask(anyLong(), any(TimeUnit.class), any(Runnable.class))).thenReturn(mock(ScheduledFuture.class));
 
-        java.security.KeyStore ks = java.security.KeyStore.getInstance(JAVA_KEYSTORE_TYPE);
-        final String storeLocation = KEYSTORE;
-        try(InputStream is = getClass().getResourceAsStream(storeLocation))
+        java.security.KeyStore ks = java.security.KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        final String storeLocation = TestSSLConstants.BROKER_KEYSTORE;
+        try(InputStream is = new FileInputStream(storeLocation))
         {
-            ks.load(is, KEYSTORE_PASSWORD.toCharArray() );
+            ks.load(is, TestSSLConstants.PASSWORD.toCharArray());
         }
-        X509Certificate cert = (X509Certificate) ks.getCertificate("rootca");
+        X509Certificate cert = (X509Certificate) ks.getCertificate(TestSSLConstants.CERT_ALIAS_ROOT_CA);
         int expiryDays = (int)((cert.getNotAfter().getTime() - System.currentTimeMillis()) / (24l * 60l * 60l * 1000l));
 
         File[] resources = extractResourcesFromTestKeyStore(false, storeLocation);
@@ -278,7 +264,7 @@ public class NonJavaKeyStoreTest extends UnitTestBase
         attributes.put("certificateUrl", resources[1].toURI().toURL().toExternalForm());
         attributes.put("context", Collections.singletonMap(KeyStore.CERTIFICATE_EXPIRY_WARN_PERIOD, expiryDays + expiryOffset));
         attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
-        _factory.create(KeyStore.class, attributes, _broker);
+        FACTORY.create(KeyStore.class, attributes, BROKER);
     }
 
     @Test
@@ -297,15 +283,8 @@ public class NonJavaKeyStoreTest extends UnitTestBase
                        DataUrlUtils.getDataUrlForBytes(TestSSLUtils.certificateToPEM(keyCertPair2.getCertificate()).getBytes(UTF_8)));
         attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
 
-        try
-        {
-            _factory.create(KeyStore.class, attributes, _broker);
-            fail("Created key store from invalid certificate");
-        }
-        catch(IllegalConfigurationException e)
-        {
-            // pass
-        }
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+                "Private key does not match certificate");
     }
 
     @Test
@@ -324,7 +303,7 @@ public class NonJavaKeyStoreTest extends UnitTestBase
                        DataUrlUtils.getDataUrlForBytes(TestSSLUtils.certificateToPEM(keyCertPair.getCertificate()).getBytes(UTF_8)));
         attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
 
-        final KeyStore trustStore = _factory.create(KeyStore.class, attributes, _broker);
+        final KeyStore trustStore = (KeyStore) FACTORY.create(KeyStore.class, attributes, BROKER);
         try
         {
             final String certUrl = DataUrlUtils.getDataUrlForBytes(TestSSLUtils.certificateToPEM(keyCertPair2.getCertificate()).getBytes(UTF_8));
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java
index 69262dc..6ac9699 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java
@@ -19,13 +19,10 @@
 
 package org.apache.qpid.server.security;
 
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
 
 import java.security.KeyStore;
 import java.security.cert.CertificateException;
@@ -37,79 +34,101 @@ import java.util.Map;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 
-import org.junit.Before;
-import org.junit.Test;
-
 import org.apache.qpid.server.configuration.IllegalConfigurationException;
-import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor;
-import org.apache.qpid.server.configuration.updater.TaskExecutor;
-import org.apache.qpid.server.logging.EventLogger;
 import org.apache.qpid.server.model.Broker;
 import org.apache.qpid.server.model.BrokerModel;
+import org.apache.qpid.server.model.BrokerTestHelper;
 import org.apache.qpid.server.model.ConfiguredObjectFactory;
-import org.apache.qpid.server.model.Model;
+import org.apache.qpid.test.utils.UnitTestBase;
+import org.junit.Test;
+
 import org.apache.qpid.server.model.TrustStore;
 import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
 import org.apache.qpid.test.utils.TestSSLConstants;
-import org.apache.qpid.test.utils.UnitTestBase;
 
 public class NonJavaTrustStoreTest extends UnitTestBase
 {
-    private static final String EXPIRED_KEYSTORE = "ssl/java_client_expired_keystore.pkcs12";
-    private static final String KEYSTORE_PASSWORD = TestSSLConstants.KEYSTORE_PASSWORD;
-    private final Broker<?> _broker = mock(Broker.class);
-    private final TaskExecutor _taskExecutor = CurrentThreadTaskExecutor.newStartedInstance();
-    private final Model _model = BrokerModel.getInstance();
-    private final ConfiguredObjectFactory _factory = _model.getObjectFactory();
-
-    @Before
-    public void setUp() throws Exception
-    {
-
-        when(_broker.getTaskExecutor()).thenReturn(_taskExecutor);
-        when(_broker.getChildExecutor()).thenReturn(_taskExecutor);
-        when(_broker.getModel()).thenReturn(_model);
-        when(_broker.getEventLogger()).thenReturn(new EventLogger());
-        when(((Broker) _broker).getCategoryClass()).thenReturn(Broker.class);
-    }
+    private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
+    private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
 
     @Test
     public void testCreationOfTrustStoreFromValidCertificate() throws Exception
     {
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
-        attributes.put(NonJavaTrustStore.CERTIFICATES_URL, getClass().getResource("/ssl/java_broker.crt").toExternalForm());
+        attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.BROKER_CRT);
         attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");
+        attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
 
-        TrustStore trustStore = _factory.create(TrustStore.class, attributes, _broker);
+        TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
 
         TrustManager[] trustManagers = trustStore.getTrustManagers();
         assertNotNull(trustManagers);
-        assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length);
+        assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
         assertNotNull("Trust manager unexpected null", trustManagers[0]);
     }
 
     @Test
+    public void testChangeOfCrlInTrustStoreFromValidCertificate()
+    {
+        Map<String,Object> attributes = new HashMap<>();
+        attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
+        attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.BROKER_CRT);
+        attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");
+        attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+
+        TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+
+        try
+        {
+            Map<String,Object> unacceptableAttributes = new HashMap<>();
+            unacceptableAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
+
+            trustStore.setAttributes(unacceptableAttributes);
+            fail("Exception not thrown");
+        }
+        catch (IllegalConfigurationException e)
+        {
+            String message = e.getMessage();
+            assertTrue("Exception text not as unexpected:" + message,
+                    message.contains("Unable to load certificate revocation list '/not/a/crl' for truststore 'myTestTrustStore'"));
+        }
+
+        assertEquals("Unexpected CRL path value after failed change",
+                TestSSLConstants.CA_CRL, trustStore.getCertificateRevocationListUrl());
+
+        Map<String,Object> changedAttributes = new HashMap<>();
+        changedAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL_EMPTY);
+
+        trustStore.setAttributes(changedAttributes);
+
+        assertEquals("Unexpected CRL path value after change that is expected to be successful",
+                TestSSLConstants.CA_CRL_EMPTY, trustStore.getCertificateRevocationListUrl());
+    }
+
+    @Test
     public void testUseOfExpiredTrustAnchorDenied() throws Exception
     {
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
         attributes.put(NonJavaTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
-        attributes.put(NonJavaTrustStore.CERTIFICATES_URL, getClass().getResource("/ssl/expired.crt").toExternalForm());
+        attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.CLIENT_EXPIRED_CRT);
         attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");
 
-        TrustStore trustStore = _factory.create(TrustStore.class, attributes, _broker);
+        TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
 
         TrustManager[] trustManagers = trustStore.getTrustManagers();
         assertNotNull(trustManagers);
-        assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length);
+        assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
         final boolean condition = trustManagers[0] instanceof X509TrustManager;
         assertTrue("Unexpected trust manager type", condition);
         X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
 
-        KeyStore clientStore = SSLUtil.getInitializedKeyStore(EXPIRED_KEYSTORE,
-                                                              KEYSTORE_PASSWORD,
-                                                              JAVA_KEYSTORE_TYPE);
+        KeyStore clientStore = SSLUtil.getInitializedKeyStore(TestSSLConstants.CLIENT_EXPIRED_KEYSTORE,
+                                                              TestSSLConstants.PASSWORD,
+                                                              TestSSLConstants.JAVA_KEYSTORE_TYPE);
         String alias = clientStore.aliases().nextElement();
         X509Certificate certificate = (X509Certificate) clientStore.getCertificate(alias);
 
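Review bot: The new CRL tests in this hunk check only configuration plumbing: `testCreationOfTrustStoreFromValidCertificate` enables `CERTIFICATE_REVOCATION_CHECK_ENABLED` but still asserts just that one trust manager exists, and `testChangeOfCrlInTrustStoreFromValidCertificate` compares `getCertificateRevocationListUrl()` values. Nothing here presents a revoked certificate to the `X509TrustManager` and expects a `CertificateException`, nor confirms that the trust managers still enforce the previous CRL after the rejected `/not/a/crl` change; TrustManagerTest in the diffstat may cover the first, but that is outside this hunk. A case modelled on `testUseOfExpiredTrustAnchorDenied` would close the gap for this store type. The assertion message `"Exception text not as unexpected:"` should read `"Exception text not as expected:"`.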
@@ -134,22 +153,28 @@ public class NonJavaTrustStoreTest extends UnitTestBase
     }
 
     @Test
-    public void testCreationOfTrustStoreFromNonCertificate() throws Exception
+    public void testCreationOfTrustStoreFromNonCertificate()
     {
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
-        attributes.put(NonJavaTrustStore.CERTIFICATES_URL, getClass().getResource("/ssl/java_broker.req").toExternalForm());
+        attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.BROKER_CSR);
         attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");
 
-        try
-        {
-            _factory.create(TrustStore.class, attributes, _broker);
-            fail("Trust store is created from certificate request file");
-        }
-        catch (IllegalConfigurationException e)
-        {
-            // pass
-        }
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+                "Cannot load certificate(s)");
     }
 
+    @Test
+    public void testCreationOfTrustStoreFromValidCertificate_MissingCrlFile()
+    {
+        Map<String,Object> attributes = new HashMap<>();
+        attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
+        attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.BROKER_CRT);
+        attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");
+        attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
+
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+                "Unable to load certificate revocation list '/not/a/crl' for truststore 'myTestTrustStore'");
+    }
 }
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java
index bca9b79..d7a0454 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java
@@ -21,13 +21,12 @@
 package org.apache.qpid.server.security;
 
 
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
 
 import java.io.Closeable;
+import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.ServerSocket;
@@ -46,47 +45,34 @@ import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLServerSocketFactory;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
 import org.apache.qpid.server.configuration.IllegalConfigurationException;
-import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor;
-import org.apache.qpid.server.configuration.updater.TaskExecutor;
-import org.apache.qpid.server.logging.EventLogger;
 import org.apache.qpid.server.model.Broker;
 import org.apache.qpid.server.model.BrokerModel;
+import org.apache.qpid.server.model.BrokerTestHelper;
 import org.apache.qpid.server.model.ConfiguredObjectFactory;
-import org.apache.qpid.server.model.Model;
 import org.apache.qpid.server.model.TrustStore;
-import org.apache.qpid.test.utils.TestSSLConstants;
 import org.apache.qpid.test.utils.UnitTestBase;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import org.apache.qpid.test.utils.TestSSLConstants;
 
 public class SiteSpecificTrustStoreTest extends UnitTestBase
 {
-    private static final String EXPECTED_SUBJECT = "CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown";
+    private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
+    private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
+    private static final String EXPECTED_SUBJECT = "CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=CA";
     private static final String EXPECTED_ISSUER = "CN=MyRootCA,O=ACME,ST=Ontario,C=CA";
-    private static final String KEYSTORE = "/ssl/java_broker_keystore.pkcs12";
-    private static final String KEYSTORE_PASSWORD = TestSSLConstants.KEYSTORE_PASSWORD;
-    private final Broker<?> _broker = mock(Broker.class);
-    private final TaskExecutor _taskExecutor = CurrentThreadTaskExecutor.newStartedInstance();
-    private final Model _model = BrokerModel.getInstance();
-    private final ConfiguredObjectFactory _factory = _model.getObjectFactory();
     private TestPeer _testPeer;
 
     @Before
-    public void setUp() throws Exception
+    public void setUpSiteSpecificTrustStore()
     {
         int connectTimeout = Integer.getInteger("SiteSpecificTrustStoreTest.connectTimeout", 1000);
         int readTimeout = Integer.getInteger("SiteSpecificTrustStoreTest.readTimeout", 1000);
         setTestSystemProperty(SiteSpecificTrustStore.TRUST_STORE_SITE_SPECIFIC_CONNECT_TIMEOUT, String.valueOf(connectTimeout));
         setTestSystemProperty(SiteSpecificTrustStore.TRUST_STORE_SITE_SPECIFIC_READ_TIMEOUT, String.valueOf(readTimeout));
-
-        when(_broker.getTaskExecutor()).thenReturn(_taskExecutor);
-        when(_broker.getChildExecutor()).thenReturn(_taskExecutor);
-        when(_broker.getModel()).thenReturn(_model);
-        when(_broker.getEventLogger()).thenReturn(new EventLogger());
-        when(((Broker) _broker).getCategoryClass()).thenReturn(Broker.class);
     }
 
     @After
@@ -105,41 +91,27 @@ public class SiteSpecificTrustStoreTest extends UnitTestBase
     }
 
     @Test
-    public void testMalformedSiteUrl() throws Exception
+    public void testMalformedSiteUrl()
     {
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(SiteSpecificTrustStore.NAME, "mySiteSpecificTrustStore");
         attributes.put(SiteSpecificTrustStore.TYPE, "SiteSpecificTrustStore");
         attributes.put("siteUrl", "notaurl:541");
 
-        try
-        {
-            _factory.create(TrustStore.class, attributes, _broker);
-            fail("Exception not thrown");
-        }
-        catch (IllegalConfigurationException e)
-        {
-            // PASS
-        }
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+                "'notaurl:541' is not a valid URL");
     }
 
     @Test
-    public void testSiteUrlDoesNotSupplyHostPort() throws Exception
+    public void testSiteUrlDoesNotSupplyHostPort()
     {
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(SiteSpecificTrustStore.NAME, "mySiteSpecificTrustStore");
         attributes.put(SiteSpecificTrustStore.TYPE, "SiteSpecificTrustStore");
         attributes.put("siteUrl", "file:/not/a/host");
 
-        try
-        {
-            _factory.create(TrustStore.class, attributes, _broker);
-            fail("Exception not thrown");
-        }
-        catch (IllegalConfigurationException e)
-        {
-            // PASS
-        }
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+                "URL 'file:/not/a/host' does not provide a hostname and port number");
     }
 
     @Test
@@ -148,18 +120,10 @@ public class SiteSpecificTrustStoreTest extends UnitTestBase
         _testPeer = new TestPeer();
         _testPeer.setAccept(false);
         int listeningPort = _testPeer.start();
-
         Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);
 
-        try
-        {
-            _factory.create(TrustStore.class, attributes, _broker);
-            fail("Exception not thrown");
-        }
-        catch (IllegalConfigurationException e)
-        {
-            // PASS
-        }
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+                "Unable to get certificate for 'mySiteSpecificTrustStore' from");
     }
 
     @Test
@@ -169,12 +133,14 @@ public class SiteSpecificTrustStoreTest extends UnitTestBase
         int listeningPort = _testPeer.start();
 
         Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);
+        attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
 
         final SiteSpecificTrustStore trustStore =
-                (SiteSpecificTrustStore) _factory.create(TrustStore.class, attributes, _broker);
+                (SiteSpecificTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
 
         List<CertificateDetails> certDetails = trustStore.getCertificateDetails();
-        assertEquals("Unexpected number of certificates", (long) 1, (long) certDetails.size());
+        assertEquals("Unexpected number of certificates", 1, certDetails.size());
         CertificateDetails certificateDetails = certDetails.get(0);
 
         assertEquals("Unexpected certificate subject", EXPECTED_SUBJECT, certificateDetails.getSubjectName());
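Review bot: testValidSiteUrl now turns on `CERTIFICATE_REVOCATION_CHECK_ENABLED` and points at `TestSSLConstants.CA_CRL`, but the assertions after it still check only the certificate count, subject and issuer, so the test would pass even if the CRL were loaded and never consulted. If the site-specific store is meant to honour revocation for the certificate it retrieves (not visible from this hunk), a companion case whose CRL lists the test peer's certificate and which expects a failure would pin that behaviour. Failing that, a comment above the two added lines, for example `// revocation checking enabled; the CRL is expected not to list the test peer's certificate`, would record why success is the expected outcome. The method's signature and its closing lines are outside this hunk.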
@@ -182,6 +148,59 @@ public class SiteSpecificTrustStoreTest extends UnitTestBase
     }
 
     @Test
+    public void testChangeOfCrlInValidSiteUrl() throws Exception
+    {
+        _testPeer = new TestPeer();
+        int listeningPort = _testPeer.start();
+
+        Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);
+        attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+
+        final SiteSpecificTrustStore trustStore =
+                (SiteSpecificTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+
+        try
+        {
+            Map<String,Object> unacceptableAttributes = new HashMap<>();
+            unacceptableAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
+
+            trustStore.setAttributes(unacceptableAttributes);
+            fail("Exception not thrown");
+        }
+        catch (IllegalConfigurationException e)
+        {
+            String message = e.getMessage();
+            assertTrue("Exception text not as unexpected:" + message,
+                    message.contains("Unable to load certificate revocation list '/not/a/crl' for truststore 'mySiteSpecificTrustStore'"));
+        }
+
+        assertEquals("Unexpected CRL path value after failed change",
+                TestSSLConstants.CA_CRL, trustStore.getCertificateRevocationListUrl());
+
+        Map<String,Object> changedAttributes = new HashMap<>();
+        changedAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL_EMPTY);
+
+        trustStore.setAttributes(changedAttributes);
+
+        assertEquals("Unexpected CRL path value after change that is expected to be successful",
+                TestSSLConstants.CA_CRL_EMPTY, trustStore.getCertificateRevocationListUrl());
+    }
+
+    @Test
+    public void testValidSiteUrl_MissingCrlFile() throws Exception
+    {
+        _testPeer = new TestPeer();
+        int listeningPort = _testPeer.start();
+        Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);
+        attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
+
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+                "Unable to load certificate revocation list '/not/a/crl' for truststore 'mySiteSpecificTrustStore'");
+    }
+
+    @Test
     public void testRefreshCertificate() throws Exception
     {
         _testPeer = new TestPeer();
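Review bot: The assertion message in the catch block of testChangeOfCrlInValidSiteUrl reads `"Exception text not as unexpected:"`, a double negative that will mislead whoever sees it fail; `"Exception text not as expected: "` says what is meant. The same test sets the CRL through `FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL`, while every other line in this class uses `SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL`. Both presumably resolve to one inherited constant, but naming the type under test avoids the impression that a file trust store is involved. The rejected-update check is the valuable part here, since it confirms that a CRL which cannot be loaded leaves the previous revocation list in force; a one-line comment saying so above the first `assertEquals` would help. The hunk ends inside testRefreshCertificate, which continues outside it.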
@@ -190,10 +209,10 @@ public class SiteSpecificTrustStoreTest extends UnitTestBase
         Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);
 
         final SiteSpecificTrustStore trustStore =
-                (SiteSpecificTrustStore) _factory.create(TrustStore.class, attributes, _broker);
+                (SiteSpecificTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
 
         List<CertificateDetails> certDetails = trustStore.getCertificateDetails();
-        assertEquals("Unexpected number of certificates", (long) 1, (long) certDetails.size());
+        assertEquals("Unexpected number of certificates", 1, certDetails.size());
 
         CertificateDetails certificateDetails = certDetails.get(0);
 
@@ -260,10 +279,10 @@ public class SiteSpecificTrustStoreTest extends UnitTestBase
 
         private ServerSocket createTestSSLServerSocket() throws Exception
         {
-            char[] keyPassword = KEYSTORE_PASSWORD.toCharArray();
-            try(InputStream inputStream = getClass().getResourceAsStream(KEYSTORE))
+            char[] keyPassword = TestSSLConstants.PASSWORD.toCharArray();
+            try(InputStream inputStream = new FileInputStream(TestSSLConstants.BROKER_KEYSTORE))
             {
-                KeyStore keyStore = KeyStore.getInstance(JAVA_KEYSTORE_TYPE);
+                KeyStore keyStore = KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE);
                 KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                 keyStore.load(inputStream, keyPassword);
                 keyManagerFactory.init(keyStore, keyPassword);
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2MockEndpointHolder.java b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2MockEndpointHolder.java
index afd4c4d..0dc987a 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2MockEndpointHolder.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2MockEndpointHolder.java
@@ -21,7 +21,6 @@
 package org.apache.qpid.server.security.auth.manager.oauth2;
 
 import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
 
 import java.io.IOException;
 import java.util.Arrays;
@@ -37,6 +36,7 @@ import javax.servlet.http.HttpServletResponse;
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import junit.framework.TestCase;
+import org.apache.qpid.test.utils.TestSSLConstants;
 import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
@@ -49,18 +49,16 @@ import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
 
 class OAuth2MockEndpointHolder
 {
-    private static final String KEYSTORE_PASSWORD = "password";
-    private static final String KEYSTORE_RESOURCE = "ssl/test_keystore.jks";
     private final Server _server;
     private final ServerConnector _connector;
     private volatile Map<String, OAuth2MockEndpoint> _endpoints;
 
-    OAuth2MockEndpointHolder()
+    OAuth2MockEndpointHolder() throws IOException
     {
         this(Collections.<String, OAuth2MockEndpoint>emptyMap());
     }
 
-    OAuth2MockEndpointHolder(final Map<String, OAuth2MockEndpoint> endpoints)
+    OAuth2MockEndpointHolder(final Map<String, OAuth2MockEndpoint> endpoints) throws IOException
     {
         _endpoints = endpoints;
         final List<String> protocolWhiteList =
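Review bot: Both constructors now declare `throws IOException`, but nothing in this hunk says where the exception comes from, and every test that builds the holder has to propagate it. It presumably originates from `Resource.newResource(TestSSLConstants.TEST_KEYSTORE)` in the next hunk, which replaces the classpath lookup. A short comment on the two-argument constructor would make that explicit, for example `// throws IOException if the test keystore path cannot be resolved to a Resource`. The constructor body continues outside this hunk.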
@@ -87,9 +85,9 @@ class OAuth2MockEndpointHolder
                                                       SSLUtil.updateEnabledTlsProtocols(sslEngine, protocolWhiteList, protocolBlackList);
                                                   }
                                               };
-        sslContextFactory.setKeyStorePassword(KEYSTORE_PASSWORD);
-        sslContextFactory.setKeyStoreResource(Resource.newClassPathResource(KEYSTORE_RESOURCE));
-        sslContextFactory.setKeyStoreType(JAVA_KEYSTORE_TYPE);
+        sslContextFactory.setKeyStorePassword(TestSSLConstants.PASSWORD);
+        sslContextFactory.setKeyStoreResource(Resource.newResource(TestSSLConstants.TEST_KEYSTORE));
+        sslContextFactory.setKeyStoreType(TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
         // override default jetty excludes as valid IBM JDK are excluded
         // causing SSL handshake failure (due to default exclude '^SSL_.*$')
diff --git a/broker-core/src/test/java/org/apache/qpid/server/ssl/TrustManagerTest.java b/broker-core/src/test/java/org/apache/qpid/server/ssl/TrustManagerTest.java
index df2611d..191d7cf 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/ssl/TrustManagerTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/ssl/TrustManagerTest.java
@@ -43,27 +43,16 @@ import org.apache.qpid.test.utils.UnitTestBase;
 
 public class TrustManagerTest extends UnitTestBase
 {
-    private static final String STORE_TYPE = TestSSLConstants.JAVA_KEYSTORE_TYPE;
     private static final String DEFAULT_TRUST_MANAGER_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm();
-    private static final String KEYSTORE_PASSWORD = TestSSLConstants.KEYSTORE_PASSWORD;
-    private static final String PEER_STORE = "ssl/java_broker_peerstore.pkcs12";
-    private static final String PEER_STORE_PASSWORD = TestSSLConstants.BROKER_PEERSTORE_PASSWORD;
-    private static final String KEYSTORE = "ssl/java_client_keystore.pkcs12";
-    private static final String CERT_ALIAS_APP_1 = TestSSLConstants.CERT_ALIAS_APP1;
-    private static final String CERT_ALIAS_APP_2 = TestSSLConstants.CERT_ALIAS_APP2;
-    private static final String TRUST_STORE = "ssl/java_broker_truststore.pkcs12";
-    private static final String TRUST_STORE_PASSWORD = TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD;
-    private static final String CERT_ALIAS_UNTRUSTED_CLIENT = TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT;
-    private static final String UNTRUSTED_KEYSTORE = "ssl/java_client_untrusted_keystore.pkcs12";
 
     // retrieves the client certificate's chain from store and returns it as an array
     private X509Certificate[] getClientChain(final String storePath, final String alias) throws Exception
     {
-        final KeyStore ks = SSLUtil.getInitializedKeyStore(storePath, KEYSTORE_PASSWORD, STORE_TYPE);
+        final KeyStore ks = SSLUtil.getInitializedKeyStore(storePath, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
         final Certificate[] chain = ks.getCertificateChain(alias);
         return Arrays.copyOf(chain, chain.length, X509Certificate[].class);
     }
-    
+
     // verifies that peer store is loaded only with client's (peer's) app1 certificate (no CA)
     private void noCAinPeerStore(final KeyStore ps) throws KeyStoreException
     {
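Review bot: In getClientChain the result of `ks.getCertificateChain(alias)` goes straight into `Arrays.copyOf`, and `getCertificateChain` returns null when the alias is absent or has no chain. Now that the store path and the alias both come from `TestSSLConstants`, any drift between the two surfaces as a bare NullPointerException in the helper rather than a readable test failure. A guard before the copy would name the cause, e.g. `assertNotNull("No certificate chain for alias '" + alias + "' in " + storePath, chain);`, assuming `assertNotNull` is statically imported as `fail` and `assertTrue` appear to be. Separately, the peer store, trust store and key store loads now share one `TestSSLConstants.PASSWORD` where the removed constants named them individually. If those were ever distinct values (not visible here), the tests can no longer catch a store being opened with the wrong password.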
@@ -71,7 +60,7 @@ public class TrustManagerTest extends UnitTestBase
         while (aliases.hasMoreElements())
         {
             final String alias = aliases.nextElement();
-            if (!alias.equalsIgnoreCase(CERT_ALIAS_APP_1))
+            if (!alias.equalsIgnoreCase(TestSSLConstants.CERT_ALIAS_APP1))
             {
                 fail("Broker's peer store contains other certificate than client's  app1 public key");
             }
@@ -86,7 +75,7 @@ public class TrustManagerTest extends UnitTestBase
     public void testQpidPeersOnlyTrustManager() throws Exception
     {
         // first let's check that peer manager loaded with the PEERstore succeeds
-        final KeyStore ps = SSLUtil.getInitializedKeyStore(PEER_STORE, PEER_STORE_PASSWORD, STORE_TYPE);
+        final KeyStore ps = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_PEERSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
         this.noCAinPeerStore(ps);
         final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
         pmf.init(ps);
@@ -106,7 +95,7 @@ public class TrustManagerTest extends UnitTestBase
         try
         {
             // since broker's peerstore contains the client's app1 certificate, the check should succeed
-            peerManager.checkClientTrusted(this.getClientChain(KEYSTORE, CERT_ALIAS_APP_1), "RSA");
+            peerManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA");
         }
         catch (CertificateException e)
         {
@@ -116,7 +105,7 @@ public class TrustManagerTest extends UnitTestBase
         try
         {
             // since broker's peerstore does not contain the client's app2 certificate, the check should fail
-            peerManager.checkClientTrusted(this.getClientChain(KEYSTORE, CERT_ALIAS_APP_2), "RSA");
+            peerManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA");
             fail("Untrusted client's validation against the broker's peer store manager succeeded.");
         }
         catch (CertificateException e)
@@ -127,7 +116,7 @@ public class TrustManagerTest extends UnitTestBase
         // now let's check that peer manager loaded with the brokers TRUSTstore fails because
         // it does not have the clients certificate in it (though it does have a CA-cert that
         // would otherwise trust the client cert when using the regular trust manager).
-        final KeyStore ts = SSLUtil.getInitializedKeyStore(TRUST_STORE, TRUST_STORE_PASSWORD, STORE_TYPE);
+        final KeyStore ts = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_TRUSTSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
         final TrustManagerFactory tmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
         tmf.init(ts);
         final TrustManager[] delegateTrustManagers = tmf.getTrustManagers();
@@ -147,7 +136,7 @@ public class TrustManagerTest extends UnitTestBase
         {
             // since broker's truststore doesn't contain the client's app1 certificate, the check should fail
             // despite the fact that the truststore does have a CA that would otherwise trust the cert
-            peerManager.checkClientTrusted(this.getClientChain(KEYSTORE, CERT_ALIAS_APP_1), "RSA");
+            peerManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA");
             fail("Client's validation against the broker's peer store manager didn't fail.");
         }
         catch (CertificateException e)
@@ -159,7 +148,7 @@ public class TrustManagerTest extends UnitTestBase
         {
             // since broker's truststore doesn't contain the client's app2 certificate, the check should fail
             // despite the fact that the truststore does have a CA that would otherwise trust the cert
-            peerManager.checkClientTrusted(this.getClientChain(KEYSTORE, CERT_ALIAS_APP_2), "RSA");
+            peerManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA");
             fail("Client's validation against the broker's peer store manager didn't fail.");
         }
         catch (CertificateException e)
@@ -176,7 +165,7 @@ public class TrustManagerTest extends UnitTestBase
     public void testQpidMultipleTrustManagerWithRegularTrustStore() throws Exception
     {
         final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
-        final KeyStore ts = SSLUtil.getInitializedKeyStore(TRUST_STORE, TRUST_STORE_PASSWORD, STORE_TYPE);
+        final KeyStore ts = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_TRUSTSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
         final TrustManagerFactory tmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
         tmf.init(ts);
         final TrustManager[] delegateTrustManagers = tmf.getTrustManagers();
@@ -195,7 +184,7 @@ public class TrustManagerTest extends UnitTestBase
         try
         {
             // verify the CA-trusted app1 cert (should succeed)
-            mulTrustManager.checkClientTrusted(this.getClientChain(KEYSTORE, CERT_ALIAS_APP_1), "RSA");
+            mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA");
         }
         catch (CertificateException ex)
         {
@@ -205,7 +194,7 @@ public class TrustManagerTest extends UnitTestBase
         try
         {
             // verify the CA-trusted app2 cert (should succeed)
-            mulTrustManager.checkClientTrusted(this.getClientChain(KEYSTORE, CERT_ALIAS_APP_2), "RSA");
+            mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA");
         }
         catch (CertificateException ex)
         {
@@ -215,8 +204,8 @@ public class TrustManagerTest extends UnitTestBase
         try
         {
             // verify the untrusted cert (should fail)
-            mulTrustManager.checkClientTrusted(this.getClientChain(UNTRUSTED_KEYSTORE,
-                                                                   CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
+            mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_UNTRUSTED_KEYSTORE,
+                                                                   TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
             fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
         }
         catch (CertificateException ex)
@@ -233,7 +222,7 @@ public class TrustManagerTest extends UnitTestBase
     public void testQpidMultipleTrustManagerWithPeerStore() throws Exception
     {
         final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
-        final KeyStore ps = SSLUtil.getInitializedKeyStore(PEER_STORE, PEER_STORE_PASSWORD, STORE_TYPE);
+        final KeyStore ps = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_PEERSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
         final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
         pmf.init(ps);
         final TrustManager[] delegatePeerManagers = pmf.getTrustManagers();
@@ -252,8 +241,8 @@ public class TrustManagerTest extends UnitTestBase
         try
         {
             // verify the trusted app1 cert (should succeed as the key is in the peerstore)
-            mulTrustManager.checkClientTrusted(this.getClientChain(KEYSTORE,
-                                                                   CERT_ALIAS_APP_1), "RSA");
+            mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE,
+                                                                   TestSSLConstants.CERT_ALIAS_APP1), "RSA");
         }
         catch (CertificateException ex)
         {
@@ -263,8 +252,8 @@ public class TrustManagerTest extends UnitTestBase
         try
         {
             // verify the untrusted app2 cert (should fail as the key is not in the peerstore)
-            mulTrustManager.checkClientTrusted(this.getClientChain(KEYSTORE,
-                                                                   CERT_ALIAS_APP_2), "RSA");
+            mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE,
+                                                                   TestSSLConstants.CERT_ALIAS_APP2), "RSA");
             fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
         }
         catch (CertificateException ex)
@@ -275,8 +264,8 @@ public class TrustManagerTest extends UnitTestBase
         try
         {
             // verify the untrusted cert (should fail as the key is not in the peerstore)
-            mulTrustManager.checkClientTrusted(this.getClientChain(UNTRUSTED_KEYSTORE,
-                                                                   CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
+            mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_UNTRUSTED_KEYSTORE,
+                                                                   TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
             fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
         }
         catch (CertificateException ex)
@@ -294,7 +283,7 @@ public class TrustManagerTest extends UnitTestBase
     public void testQpidMultipleTrustManagerWithTrustAndPeerStores() throws Exception
     {
         final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
-        final KeyStore ts = SSLUtil.getInitializedKeyStore(TRUST_STORE, TRUST_STORE_PASSWORD, STORE_TYPE);
+        final KeyStore ts = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_TRUSTSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
         final TrustManagerFactory tmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
         tmf.init(ts);
         final TrustManager[] delegateTrustManagers = tmf.getTrustManagers();
@@ -310,7 +299,7 @@ public class TrustManagerTest extends UnitTestBase
         }
         assertTrue("The regular trust manager for the trust store was not added", trustManagerAdded);
 
-        final KeyStore ps = SSLUtil.getInitializedKeyStore(PEER_STORE, PEER_STORE_PASSWORD, STORE_TYPE);
+        final KeyStore ps = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_PEERSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
         final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
         pmf.init(ps);
         final TrustManager[] delegatePeerManagers = pmf.getTrustManagers();
@@ -329,8 +318,8 @@ public class TrustManagerTest extends UnitTestBase
         try
         {
             // verify the CA-trusted app1 cert (should succeed)
-            mulTrustManager.checkClientTrusted(this.getClientChain(KEYSTORE,
-                                                                   CERT_ALIAS_APP_1), "RSA");
+            mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE,
+                                                                   TestSSLConstants.CERT_ALIAS_APP1), "RSA");
         }
         catch (CertificateException ex)
         {
@@ -340,8 +329,8 @@ public class TrustManagerTest extends UnitTestBase
         try
         {
             // verify the CA-trusted app2 cert (should succeed)
-            mulTrustManager.checkClientTrusted(this.getClientChain(KEYSTORE,
-                                                                   CERT_ALIAS_APP_2), "RSA");
+            mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE,
+                                                                   TestSSLConstants.CERT_ALIAS_APP2), "RSA");
         }
         catch (CertificateException ex)
         {
@@ -351,8 +340,8 @@ public class TrustManagerTest extends UnitTestBase
         try
         {
             // verify the untrusted cert (should fail)
-            mulTrustManager.checkClientTrusted(this.getClientChain(UNTRUSTED_KEYSTORE,
-                                                                   CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
+            mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_UNTRUSTED_KEYSTORE,
+                                                                   TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
             fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
         }
         catch (CertificateException ex)
diff --git a/broker-core/src/test/resources/ssl/expired.crt b/broker-core/src/test/resources/ssl/expired.crt
deleted file mode 100644
index 933330a..0000000
--- a/broker-core/src/test/resources/ssl/expired.crt
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICvzCCAaegAwIBAgIEAjtn8zANBgkqhkiG9w0BAQ0FADAQMQ4wDAYDVQQDEwVV
-U0VSMTAeFw0xMDAxMDEyMjQ0MjVaFw0xMDAxMDIyMjQ0MjVaMBAxDjAMBgNVBAMT
-BVVTRVIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj2wa5um63bXJ
-j7jv3pfhDgkvwE9hfM/DLv1rmkq2Psepefb40VJng61WiTeLNWdXrAJ+ui5iHTCn
-8n+iqaucaPv4mOwH3j57CCLRvFrFSp/cUx2oZ3Zx1DfaSgfIc5F8AJQvYrtCxa6m
-eYCoUJ3BZqARiKc6fk/RtACB1YI9mCDYOgnntNhEwMkRTuPqholyaL1fmw51EDGH
-iGCQwsxj+YMLkuK2aQAs498NcA6fzui0Ey3MJ6LmLYbOSKqZ1cBzC4YfSGH921Ic
-4YDgsvQ1io1zN4AJFHj8ld5rlDCTElgUFmkm2wCLvQAQ9+5MB4fDVLFldpHHBgX2
-0097qFSAEwIDAQABoyEwHzAdBgNVHQ4EFgQUZ30jJvIgSSRkltqIKv7UgEYnlvUw
-DQYJKoZIhvcNAQENBQADggEBABYZ+ZwbRnJvfjnFq9c+GV5/7FJOTlO0SVAVZrYJ
-HzquTr3mFDkhOc6aDlaNGiFAJcs6Udj3MvV7J+Uuai9oJDmVCt94HZL3k09G+z1b
-A3BorBKWDYm2L9CKpjUgD0VY40Tc2yNVyrzCbdjVnBkrLKiAirSrb5NJK2lnJg4Y
-TB7TiAnSydfRWUyUo8/wEMgIo4o0vuB7AnBQFhCd0XRmxBNoBZ19f+R041I6CQ0L
-9jc172XWHL1o111/RS7M8qLcWxi11DN62p6IKNT32DnhVV0RFnfVTQDaQ9qsPFmg
-Dngy+2weYwc6hEKhnunGrv0LNoqp6lQbOZO4c4v0/ynBHf4=
------END CERTIFICATE-----
diff --git a/broker-core/src/test/resources/ssl/java_broker.crt b/broker-core/src/test/resources/ssl/java_broker.crt
deleted file mode 100644
index 4e5c086..0000000
--- a/broker-core/src/test/resources/ssl/java_broker.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDbzCCAlegAwIBAgIFALBcS4MwDQYJKoZIhvcNAQELBQAwQTELMAkGA1UEBhMC
-Q0ExEDAOBgNVBAgTB09udGFyaW8xDTALBgNVBAoTBEFDTUUxETAPBgNVBAMTCE15
-Um9vdENBMB4XDTE5MDIyNzE2MDY0M1oXDTI0MDIyNzE2MDY0M1owbjEQMA4GA1UE
-BhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQ
-MA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjESMBAGA1UEAxMJbG9j
-YWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq1zWGLqSHqno
-In5HjqSLSNQb5TV7qTeoKeVGJdfP13oXMllzy4JTCiXBen3l3YhpSxqGYccyEYee
-UlMSWH1snv9kW5sh+fF8HjJrabQco+vkUqUirvotaBQP71X1V+05AFxFhWfgdINw
-Kzu6az5i2S6DWJ0Xkseuolo3cM/J+M245NJj3as0dX2bOu0qbqk4izDqqV1uiyUP
-Udn0jICC52ZLd2v9lBbUQD/ZvwMYWIiBw9pfPxvIw2OsqsKeh+I7RUoGBxDUdDvj
-lbNeJV7AmeoszI/3bHkncdCiObFMXdXmUVwcRJYDAq5eBhgK59WcwKPIqlOLismQ
-wjN4ZxxvqQIDAQABo0EwPzAdBgNVHQ4EFgQU8NpCddyhoagntgXuH6eMGKnNxJsw
-CQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOC
-AQEAjFSD0UPN7ZqMKA0Sk2oailI+AU11VEmwIw18sXSEFMWSH8uAgkyTOvNQv4Nu
-WHgNOx20r18bYVrTqTznRa9oM7xemtR2pKqJYUQKqvk9vcF8mY7ibK1AH1vlm/gh
-7EfEmobfwHutXyTbUppgqf4QLn9AYLokD/w0la1mxDQ5Qc5FefgxLGaN2DZALFOc
-8lcpA9E2hTau2znxMlqqrG73E6R2XoE7BVMHVemVAAvusBuuP9OW/iC/KTPDFNoy
-NnDViQfIh03aBH2N5XCcnsdsxDULh6pjdZWf9FB+8OBDKyajNdFZku7AFLkt+QIa
-FVo105jdjqfMxt8FRNuQ05vYEQ==
------END CERTIFICATE-----
diff --git a/broker-core/src/test/resources/ssl/java_broker.req b/broker-core/src/test/resources/ssl/java_broker.req
deleted file mode 100644
index c618dd3..0000000
--- a/broker-core/src/test/resources/ssl/java_broker.req
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN NEW CERTIFICATE REQUEST-----
-MIIC4zCCAcsCAQAwbjEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93
-bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMH
-VW5rbm93bjESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAq1zWGLqSHqnoIn5HjqSLSNQb5TV7qTeoKeVGJdfP13oXMllz
-y4JTCiXBen3l3YhpSxqGYccyEYeeUlMSWH1snv9kW5sh+fF8HjJrabQco+vkUqUi
-rvotaBQP71X1V+05AFxFhWfgdINwKzu6az5i2S6DWJ0Xkseuolo3cM/J+M245NJj
-3as0dX2bOu0qbqk4izDqqV1uiyUPUdn0jICC52ZLd2v9lBbUQD/ZvwMYWIiBw9pf
-PxvIw2OsqsKeh+I7RUoGBxDUdDvjlbNeJV7AmeoszI/3bHkncdCiObFMXdXmUVwc
-RJYDAq5eBhgK59WcwKPIqlOLismQwjN4ZxxvqQIDAQABoDAwLgYJKoZIhvcNAQkO
-MSEwHzAdBgNVHQ4EFgQU8NpCddyhoagntgXuH6eMGKnNxJswDQYJKoZIhvcNAQEN
-BQADggEBAHsfAScjTeIM+Mkmq7z29wl0+NdWyoDKt0PjG0/WffExGXG1FD6JrbP7
-UEeBY60WdypO9/Nx7I/sw/UOsOH297NuCMkFDitAk5/5XDVSYpywBi85XK72ODmv
-hWYn2MGP9YnfL3qOd75kpNgVBKt9+IVFFNgdUMfzDQpTQgmzdaRepM4HUuxJnNGN
-jcjA6b7rT0XQu7EJqM/Q1beJTVmwtv/3ZsBduJfksr2+fyC7wd344Equ8kfhZtd9
-YocJYdlZ//0RjWMv10hXNMD2Y+Nk4ldoFOXwv93JMcBn4Uy0TeZ9O/eI/jETT5TL
-FZUUWdHvGqN2/9L4EZ0rAyH87HpHV7I=
------END NEW CERTIFICATE REQUEST-----
diff --git a/broker-core/src/test/resources/ssl/java_broker_expired_truststore.pkcs12 b/broker-core/src/test/resources/ssl/java_broker_expired_truststore.pkcs12
deleted file mode 100644
index 9bfe301..0000000
Binary files a/broker-core/src/test/resources/ssl/java_broker_expired_truststore.pkcs12 and /dev/null differ
diff --git a/broker-core/src/test/resources/ssl/java_broker_keystore.pkcs12 b/broker-core/src/test/resources/ssl/java_broker_keystore.pkcs12
deleted file mode 100644
index b45991f..0000000
Binary files a/broker-core/src/test/resources/ssl/java_broker_keystore.pkcs12 and /dev/null differ
diff --git a/broker-core/src/test/resources/ssl/java_broker_peerstore.pkcs12 b/broker-core/src/test/resources/ssl/java_broker_peerstore.pkcs12
deleted file mode 100644
index a5b307f..0000000
Binary files a/broker-core/src/test/resources/ssl/java_broker_peerstore.pkcs12 and /dev/null differ
diff --git a/broker-core/src/test/resources/ssl/java_broker_truststore.pkcs12 b/broker-core/src/test/resources/ssl/java_broker_truststore.pkcs12
deleted file mode 100644
index 4184adf..0000000
Binary files a/broker-core/src/test/resources/ssl/java_broker_truststore.pkcs12 and /dev/null differ
diff --git a/broker-core/src/test/resources/ssl/java_client_expired_keystore.pkcs12 b/broker-core/src/test/resources/ssl/java_client_expired_keystore.pkcs12
deleted file mode 100644
index cb9b876..0000000
Binary files a/broker-core/src/test/resources/ssl/java_client_expired_keystore.pkcs12 and /dev/null differ
diff --git a/broker-core/src/test/resources/ssl/java_client_keystore.pkcs12 b/broker-core/src/test/resources/ssl/java_client_keystore.pkcs12
deleted file mode 100644
index 9422d9a..0000000
Binary files a/broker-core/src/test/resources/ssl/java_client_keystore.pkcs12 and /dev/null differ
diff --git a/broker-core/src/test/resources/ssl/java_client_truststore.pkcs12 b/broker-core/src/test/resources/ssl/java_client_truststore.pkcs12
deleted file mode 100644
index 1b45a23..0000000
Binary files a/broker-core/src/test/resources/ssl/java_client_truststore.pkcs12 and /dev/null differ
diff --git a/broker-core/src/test/resources/ssl/java_client_untrusted_keystore.pkcs12 b/broker-core/src/test/resources/ssl/java_client_untrusted_keystore.pkcs12
deleted file mode 100644
index 8b0b023..0000000
Binary files a/broker-core/src/test/resources/ssl/java_client_untrusted_keystore.pkcs12 and /dev/null differ
diff --git a/broker-core/src/test/resources/ssl/test_cert_only_keystore.pkcs12 b/broker-core/src/test/resources/ssl/test_cert_only_keystore.pkcs12
deleted file mode 100644
index f480819..0000000
Binary files a/broker-core/src/test/resources/ssl/test_cert_only_keystore.pkcs12 and /dev/null differ
diff --git a/broker-core/src/test/resources/ssl/test_empty_keystore.jks b/broker-core/src/test/resources/ssl/test_empty_keystore.jks
deleted file mode 100644
index ed88075..0000000
Binary files a/broker-core/src/test/resources/ssl/test_empty_keystore.jks and /dev/null differ
diff --git a/broker-core/src/test/resources/ssl/test_keystore.jks b/broker-core/src/test/resources/ssl/test_keystore.jks
deleted file mode 100644
index afa9d02..0000000
Binary files a/broker-core/src/test/resources/ssl/test_keystore.jks and /dev/null differ
diff --git a/broker-core/src/test/resources/ssl/test_pk_only_keystore.pkcs12 b/broker-core/src/test/resources/ssl/test_pk_only_keystore.pkcs12
deleted file mode 100644
index 64ca340..0000000
Binary files a/broker-core/src/test/resources/ssl/test_pk_only_keystore.pkcs12 and /dev/null differ
diff --git a/broker-core/src/test/resources/ssl/test_symmetric_key_keystore.pkcs12 b/broker-core/src/test/resources/ssl/test_symmetric_key_keystore.pkcs12
deleted file mode 100644
index f39dcf4..0000000
Binary files a/broker-core/src/test/resources/ssl/test_symmetric_key_keystore.pkcs12 and /dev/null differ
diff --git a/broker-plugins/management-http/src/main/java/resources/js/qpid/management/TrustStore.js b/broker-plugins/management-http/src/main/java/resources/js/qpid/management/TrustStore.js
index 8e5dfcd..9f8e1d1 100644
--- a/broker-plugins/management-http/src/main/java/resources/js/qpid/management/TrustStore.js
+++ b/broker-plugins/management-http/src/main/java/resources/js/qpid/management/TrustStore.js
@@ -126,7 +126,11 @@ define(["dojo/_base/lang",
                 }
             }
 
-            storeNodes(["name", "type", "state", "exposedAsMessageSource", "trustAnchorValidityEnforced"]);
+            storeNodes(["name", "type", "state", "exposedAsMessageSource", "trustAnchorValidityEnforced",
+                "certificateRevocationCheckEnabled", "certificateRevocationCheckOfOnlyEndEntityCertificates",
+                "certificateRevocationCheckWithPreferringCertificateRevocationList",
+                "certificateRevocationCheckWithNoFallback", "certificateRevocationCheckWithIgnoringSoftFailures",
+                "certificateRevocationListUrl"]);
 
         }
 
@@ -139,6 +143,18 @@ define(["dojo/_base/lang",
                 entities.encode(String(this.trustStoreData["exposedAsMessageSource"]));
             this.trustAnchorValidityEnforced.innerHTML =
                 entities.encode(String(this.trustStoreData["trustAnchorValidityEnforced"]));
+            this.certificateRevocationCheckEnabled.innerHTML =
+                entities.encode(String(this.trustStoreData["certificateRevocationCheckEnabled"]));
+            this.certificateRevocationCheckOfOnlyEndEntityCertificates.innerHTML =
+                entities.encode(String(this.trustStoreData["certificateRevocationCheckOfOnlyEndEntityCertificates"]));
+            this.certificateRevocationCheckWithPreferringCertificateRevocationList.innerHTML =
+                entities.encode(String(this.trustStoreData["certificateRevocationCheckWithPreferringCertificateRevocationList"]));
+            this.certificateRevocationCheckWithNoFallback.innerHTML =
+                entities.encode(String(this.trustStoreData["certificateRevocationCheckWithNoFallback"]));
+            this.certificateRevocationCheckWithIgnoringSoftFailures.innerHTML =
+                entities.encode(String(this.trustStoreData["certificateRevocationCheckWithIgnoringSoftFailures"]));
+            this.certificateRevocationListUrl.innerHTML = this.trustStoreData["certificateRevocationListUrl"] ?
+                entities.encode(String(this.trustStoreData["certificateRevocationListUrl"])) : "";
         };
 
         KeyStoreUpdater.prototype.update = function (callback)
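Review bot: The six revocation attribute names are now spelled out twice, once in the `storeNodes([...])` list of the previous hunk and once in these assignments, so the two lists can drift apart when an attribute is added or renamed. A shared array of names with one loop would remove the duplication, for example `for (var i = 0; i < names.length; i++) { this[names[i]].innerHTML = entities.encode(String(this.trustStoreData[names[i]])); }`. Whatever the form, keep the `entities.encode` call, since `certificateRevocationListUrl` is operator-supplied text written to `innerHTML`. The enclosing update function starts outside this hunk.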
diff --git a/broker-plugins/management-http/src/main/java/resources/js/qpid/management/addStore.js b/broker-plugins/management-http/src/main/java/resources/js/qpid/management/addStore.js
index 42329dd..f98a947 100644
--- a/broker-plugins/management-http/src/main/java/resources/js/qpid/management/addStore.js
+++ b/broker-plugins/management-http/src/main/java/resources/js/qpid/management/addStore.js
@@ -114,6 +114,7 @@ define(["dojo/_base/lang",
                 this.storeType.set("disabled", !!initialData);
                 if (!effectiveData)
                 {
+                    this.initialData = {};
                     this.dialog.set("title", "Add " + this.category);
                 }
                 else
@@ -164,7 +165,7 @@ define(["dojo/_base/lang",
 
                     var storeData = util.getFormWidgetValues(this.storeForm, this.initialData);
 
-                    if (this.initialData)
+                    if (this.initialData && this.initialData.id)
                     {
                         // update request
                         this.management.update(this.modelObj, storeData)
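Review bot: The new `this.initialData && this.initialData.id` test only makes sense together with the `this.initialData = {};` added in the earlier hunk of this file, and neither line says so. Without a comment, a later cleanup could remove the `.id` check and send every "Add" through `management.update`. I would add `// initialData is an empty object for a new store; only a loaded store carries an id` above the condition. The enclosing function starts and ends outside both hunks, so how `initialData` is populated for an existing store is not visible here.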
diff --git a/broker-plugins/management-http/src/main/java/resources/showTrustStore.html b/broker-plugins/management-http/src/main/java/resources/showTrustStore.html
index eb82307..e3a5b5c 100644
--- a/broker-plugins/management-http/src/main/java/resources/showTrustStore.html
+++ b/broker-plugins/management-http/src/main/java/resources/showTrustStore.html
@@ -40,6 +40,30 @@
                 <div class="trustAnchorValidityEnforced"></div>
             </div>
             <div class="clear">
+                <div class="formLabel-labelCell">Revocation Enabled:</div>
+                <div class="certificateRevocationCheckEnabled"></div>
+            </div>
+            <div class="clear">
+                <div class="formLabel-labelCell">Revocation Check Of Only End Entity:</div>
+                <div class="certificateRevocationCheckOfOnlyEndEntityCertificates"></div>
+            </div>
+            <div class="clear">
+                <div class="formLabel-labelCell">Revocation Check With Preferring CRL:</div>
+                <div class="certificateRevocationCheckWithPreferringCertificateRevocationList"></div>
+            </div>
+            <div class="clear">
+                <div class="formLabel-labelCell">Revocation Check With No Fallback:</div>
+                <div class="certificateRevocationCheckWithNoFallback"></div>
+            </div>
+            <div class="clear">
+                <div class="formLabel-labelCell">Revocation Check With Ignoring Soft Failures:</div>
+                <div class="certificateRevocationCheckWithIgnoringSoftFailures"></div>
+            </div>
+            <div class="clear">
+                <div class="formLabel-labelCell">Certificate Revocation List URL:</div>
+                <div class="certificateRevocationListUrl"></div>
+            </div>
+            <div class="clear">
                 <div class="typeFieldsContainer"></div>
             </div>
             <div class="clear">
diff --git a/broker-plugins/management-http/src/main/java/resources/store/truststore.html b/broker-plugins/management-http/src/main/java/resources/store/truststore.html
index 8c3047b..439f7fc 100644
--- a/broker-plugins/management-http/src/main/java/resources/store/truststore.html
+++ b/broker-plugins/management-http/src/main/java/resources/store/truststore.html
@@ -24,8 +24,7 @@
         <div class="formLabel-controlCell tableContainer-valueCell">
             <input type="text" id="addStore.exposedAsMessageSource"
                    data-dojo-type="dijit/form/CheckBox"
-                   data-dojo-props="
-                              name: 'exposedAsMessageSource'" />
+                   data-dojo-props="name: 'exposedAsMessageSource'" />
             <div data-dojo-type="dijit/Tooltip"
                  data-dojo-props="connectId: ['addStore.exposedAsMessageSource'],
                                       label: 'Expose trust store as message source'">
@@ -36,12 +35,95 @@
         <div class="formLabel-controlCell tableContainer-valueCell">
             <input type="text" id="addStore.trustAnchorValidityEnforced"
                    data-dojo-type="dijit/form/CheckBox"
-                   data-dojo-props="
-                              name: 'trustAnchorValidityEnforced'" />
+                   data-dojo-props="name: 'trustAnchorValidityEnforced'" />
             <div data-dojo-type="dijit/Tooltip"
                  data-dojo-props="connectId: ['addStore.trustAnchorValidityEnforced'],
                                       label: 'If true, trust anchor validity dates will be enforced'">
             </div>
         </div>
     </div>
+    <div class="clear formBox">
+        <fieldset>
+            <legend>Revocation</legend>
+            <div class="clear">
+                <div id="addStore.certificateRevocationCheckEnabledLabel"
+                     class="formLabel-labelCell tableContainer-labelCell">Enabled:</div>
+                <div class="formLabel-controlCell tableContainer-valueCell">
+                    <input type="text" id="addStore.certificateRevocationCheckEnabled"
+                           data-dojo-type="dijit/form/CheckBox"
+                           data-dojo-props="name: 'certificateRevocationCheckEnabled'" />
+                    <div data-dojo-type="dijit/Tooltip"
+                         data-dojo-props="connectId: ['addStore.certificateRevocationCheckEnabled'],
+                                      label: 'If enabled, enable certificates revocation check'">
+                    </div>
+                </div>
+            </div>
+            <div class="clear">
+                <div id="addStore.certificateRevocationCheckOfOnlyEndEntityCertificatesLabel"
+                     class="formLabel-labelCell tableContainer-labelCell">Only End Entity:</div>
+                <div class="formLabel-controlCell tableContainer-valueCell">
+                    <input type="text" id="addStore.certificateRevocationCheckOfOnlyEndEntityCertificates"
+                           data-dojo-type="dijit/form/CheckBox"
+                           data-dojo-props="name: 'certificateRevocationCheckOfOnlyEndEntityCertificates'" />
+                    <div data-dojo-type="dijit/Tooltip"
+                         data-dojo-props="connectId: ['addStore.certificateRevocationCheckOfOnlyEndEntityCertificates'],
+                                      label: 'If enabled, only check the revocation status of end-entity certificates'">
+                    </div>
+                </div>
+            </div>
+            <div class="clear">
+                <div id="addStore.certificateRevocationCheckWithPreferringCertificateRevocationListLabel"
+                     class="formLabel-labelCell tableContainer-labelCell">Prefer CRLs:</div>
+                <div class="formLabel-controlCell tableContainer-valueCell">
+                    <input type="text" id="addStore.certificateRevocationCheckWithPreferringCertificateRevocationList"
+                           data-dojo-type="dijit/form/CheckBox"
+                           data-dojo-props="name: 'certificateRevocationCheckWithPreferringCertificateRevocationList'" />
+                    <div data-dojo-type="dijit/Tooltip"
+                         data-dojo-props="connectId: ['addStore.certificateRevocationCheckWithPreferringCertificateRevocationList'],
+                                      label: 'If enabled, prefer CRL (specified in certificate distribution points) to OCSP, if false prefer OCSP to CRL'">
+                    </div>
+                </div>
+            </div>
+            <div class="clear">
+                <div id="addStore.certificateRevocationCheckWithNoFallbackLabel"
+                     class="formLabel-labelCell tableContainer-labelCell">No Fallback:</div>
+                <div class="formLabel-controlCell tableContainer-valueCell">
+                    <input type="text" id="addStore.certificateRevocationCheckWithNoFallback"
+                           data-dojo-type="dijit/form/CheckBox"
+                           data-dojo-props="name: 'certificateRevocationCheckWithNoFallback'" />
+                    <div data-dojo-type="dijit/Tooltip"
+                         data-dojo-props="connectId: ['addStore.certificateRevocationCheckWithNoFallback'],
+                                      label: 'If enabled, disable fallback to CRL/OCSP (if 'Prefer CRLs' set to true, disable fallback to OCSP, otherwise disable fallback to CRL in certificate distribution points)'">
+                    </div>
+                </div>
+            </div>
+            <div class="clear">
+                <div id="addStore.certificateRevocationCheckWithIgnoringSoftFailuresLabel"
+                     class="formLabel-labelCell tableContainer-labelCell">Ignore Soft Failures:</div>
+                <div class="formLabel-controlCell tableContainer-valueCell">
+                    <input type="text" id="addStore.certificateRevocationCheckWithIgnoringSoftFailures"
+                           data-dojo-type="dijit/form/CheckBox"
+                           data-dojo-props="name: 'certificateRevocationCheckWithIgnoringSoftFailures'" />
+                    <div data-dojo-type="dijit/Tooltip"
+                         data-dojo-props="connectId: ['addStore.certificateRevocationCheckWithIgnoringSoftFailures'],
+                                      label: 'If enabled, revocation check will succeed if CRL/OCSP response cannot be obtained because of network error or OCSP responder returns internalError or tryLater'">
+                    </div>
+                </div>
+            </div>
+            <div class="clear">
+                <div id="addStore.certificateRevocationListUrlLabel"
+                     class="formLabel-labelCell tableContainer-labelCell">Server CRL Path Or Upload:</div>
+                <div class="formLabel-controlCell tableContainer-valueCell">
+                    <input type="text" id="addStore.certificateRevocationListUrl"
+                           data-dojo-type="qpid/common/ResourceWidget"
+                           data-dojo-props="
+                          name: 'certificateRevocationListUrl',
+                          placeHolder: 'certificate revocation list file server path',
+                          promptMessage: 'Location of the certificate revocation list file on the server (overrides revocation done by CRL distribution points and OCSP)',
+                          title: 'Enter the certificate revocation list file path'" />
+                </div>
+            </div>
+        </fieldset>
+        <div class="clear"></div>
+    </div>
 </div>
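Review bot: The `label` of the No Fallback tooltip wraps Prefer CRLs in unescaped single quotes inside a single-quoted string. That makes the `data-dojo-props` value next to `connectId: ['addStore.certificateRevocationCheckWithNoFallback']` an invalid property list, so the tooltip will most likely fail to parse. Escape the inner quotes, `(if \'Prefer CRLs\' set to true, disable fallback to OCSP, ...`, or drop them. The other tooltips in this fieldset contain no inner quotes and are unaffected.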
diff --git a/doc/java-broker/src/docbkx/management/managing/Java-Broker-Management-Managing-Truststores.xml b/doc/java-broker/src/docbkx/management/managing/Java-Broker-Management-Managing-Truststores.xml
index 3c03019..18e36c6 100644
--- a/doc/java-broker/src/docbkx/management/managing/Java-Broker-Management-Managing-Truststores.xml
+++ b/doc/java-broker/src/docbkx/management/managing/Java-Broker-Management-Managing-Truststores.xml
@@ -78,7 +78,7 @@
                 </listitem>
                 <listitem>
                     <para><emphasis>Exposed as Message Source</emphasis>. If enabled, the Broker
-                        will distribute certificates contained within the trustore to clients.
+                        will distribute certificates contained within the truststore to clients.
                         Used by the end to end message encryption feature.</para>
                 </listitem>
                 <listitem>
@@ -87,6 +87,38 @@
                 </listitem>
             </itemizedlist>
         </para>
+        <para>Revocation attributes.</para>
+        <para>
+            <itemizedlist>
+                <listitem>
+                    <para><emphasis>Enabled</emphasis>. If set to true certificate revocation check is performed when
+                        client tries to connect.</para>
+                </listitem>
+                <listitem>
+                    <para><emphasis>Only End Entity</emphasis>. If enabled, check only the revocation status of
+                        end-entity certificates.</para>
+                </listitem>
+                <listitem>
+                    <para><emphasis>Prefer CRLs</emphasis>. If enabled, prefer CRL (specified in certificate
+                        distribution points) to OCSP, if disabled prefer OCSP to CRL.</para>
+                </listitem>
+                <listitem>
+                    <para><emphasis>No Fallback</emphasis>. If enabled, disable fallback to CRL/OCSP (if
+                        <emphasis>Prefer CRLs</emphasis> set to true, disable fallback to OCSP,
+                        otherwise disable fallback to CRL in certificate distribution points).</para>
+                </listitem>
+                <listitem>
+                    <para><emphasis>Ignore Soft Failures</emphasis>. If enabled, revocation check will succeed
+                        if CRL/OCSP response cannot be obtained because of network error or OCSP responder returns
+                        internalError or tryLater.</para>
+                </listitem>
+                <listitem>
+                    <para><emphasis>Server CRL Path Or Upload</emphasis>. Path to Certificate Revocation List file.
+                        If set, certificate revocation check uses only set CRL file and ignores CRL Distribution Points
+                        in certificate.</para>
+                </listitem>
+            </itemizedlist>
+        </para>
         <para>The following attributes apply to <emphasis>File Trust Stores</emphasis> only.</para>
         <para>
             <itemizedlist>
diff --git a/qpid-test-utils/pom.xml b/qpid-test-utils/pom.xml
index 5e8bd75..d3faf81 100644
--- a/qpid-test-utils/pom.xml
+++ b/qpid-test-utils/pom.xml
@@ -56,5 +56,4 @@
         <artifactId>guava</artifactId>
     </dependency>
   </dependencies>
-
 </project>
diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java
index 9bdb282..329920b 100644
--- a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java
@@ -18,27 +18,82 @@
  */
 package org.apache.qpid.test.utils;
 
-public interface TestSSLConstants
-{
-    String KEYSTORE = "test-profiles/test_resources/ssl/java_client_keystore.jks";
-    String EXPIRED_KEYSTORE = "test-profiles/test_resources/ssl/java_client_expired_keystore.jks";
-    String KEYSTORE_PASSWORD = "password";
-    String TRUSTSTORE = "test-profiles/test_resources/ssl/java_client_truststore.jks";
-    String TRUSTSTORE_PASSWORD = "password";
+import java.nio.file.Paths;
 
-    String CERT_ALIAS_APP1 = "app1";
-    String CERT_ALIAS_APP2 = "app2";
-    String CERT_ALIAS_UNTRUSTED_CLIENT = "untrusted_client";
+public final class TestSSLConstants
+{
+    public static final String JAVA_KEYSTORE_TYPE = "pkcs12";
+    public static final String PASSWORD = "password";
+    private static final String TEST_CERTIFICATES_DIRECTORY;
+    static
+    {
+        final String testCertificatesDirectoryPrefix;
+        if (System.getProperty("user.dir").contains("systests"))
+        {
+            testCertificatesDirectoryPrefix = Paths.get(System.getProperty("user.dir"), "..", "..").toString();
+        }
+        else if (System.getProperty("user.dir").contains(".."))
+        {
+            testCertificatesDirectoryPrefix = System.getProperty("user.dir");
+        }
+        else
+        {
+            testCertificatesDirectoryPrefix = Paths.get(System.getProperty("user.dir"), "..").toString();
+        }
+        TEST_CERTIFICATES_DIRECTORY =
+                Paths.get(testCertificatesDirectoryPrefix,
+                        "qpid-test-utils", "src", "main", "resources", "ssl", "certificates").toString();
+    }
+    public static final String CLIENT_KEYSTORE =
+            Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_keystore.jks").toString();
+    public static final String CLIENT_TRUSTSTORE =
+            Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_truststore.jks").toString();
+    public static final String CLIENT_EXPIRED_KEYSTORE =
+            Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_expired_keystore.jks").toString();
+    public static final String CLIENT_EXPIRED_CRT =
+            Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_expired.crt").toString();
+    public static final String CLIENT_UNTRUSTED_KEYSTORE =
+            Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_untrusted_keystore.jks").toString();
 
-    String BROKER_KEYSTORE = "test-profiles/test_resources/ssl/java_broker_keystore.jks";
-    String BROKER_KEYSTORE_PASSWORD = "password";
-    String BROKER_KEYSTORE_ALIAS = "java-broker";
+    public static final String CERT_ALIAS_ROOT_CA = "rootca";
+    public static final String CERT_ALIAS_APP1 = "app1";
+    public static final String CERT_ALIAS_APP2 = "app2";
+    public static final String CERT_ALIAS_ALLOWED = "allowed_by_ca";
+    public static final String CERT_ALIAS_REVOKED = "revoked_by_ca";
+    public static final String CERT_ALIAS_REVOKED_EMPTY_CRL = "revoked_by_ca_empty_crl";
+    public static final String CERT_ALIAS_REVOKED_INVALID_CRL_PATH = "revoked_by_ca_invalid_crl_path";
+    public static final String CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE = "allowed_by_ca_with_intermediate";
+    public static final String CERT_ALIAS_UNTRUSTED_CLIENT = "untrusted_client";
 
-    String BROKER_PEERSTORE = "test-profiles/test_resources/ssl/java_broker_peerstore.jks";
-    String BROKER_PEERSTORE_PASSWORD = "password";
+    public static final String BROKER_KEYSTORE =
+            Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker_keystore.jks").toString();
+    public static final String BROKER_CRT =
+            Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker.crt").toString();
+    public static final String BROKER_CSR =
+            Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker.csr").toString();
+    public static final String BROKER_TRUSTSTORE =
+            Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker_truststore.jks").toString();
+    public static final String BROKER_PEERSTORE =
+            Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker_peerstore.jks").toString();
+    public static final String BROKER_EXPIRED_TRUSTSTORE =
+            Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker_expired_truststore.jks").toString();
+    public static final String BROKER_KEYSTORE_ALIAS = "broker";
 
-    String BROKER_TRUSTSTORE = "test-profiles/test_resources/ssl/java_broker_truststore.jks";
-    String BROKER_TRUSTSTORE_PASSWORD = "password";
+    public static final String TEST_EMPTY_KEYSTORE =
+            Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_empty_keystore.jks").toString();
+    public static final String TEST_KEYSTORE =
+            Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_keystore.jks").toString();
+    public static final String TEST_CERT_ONLY_KEYSTORE =
+            Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_cert_only_keystore.jks").toString();
+    public static final String TEST_PK_ONLY_KEYSTORE =
+            Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_pk_only_keystore.jks").toString();
+    public static final String TEST_SYMMETRIC_KEY_KEYSTORE =
+            Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_symmetric_key_keystore.jks").toString();
 
-    String JAVA_KEYSTORE_TYPE = "pkcs12";
+    public static final String CA_CRL_EMPTY =
+            Paths.get(TEST_CERTIFICATES_DIRECTORY, "MyRootCA.empty.crl").toString();
+    public static final String CA_CRL =
+            Paths.get(TEST_CERTIFICATES_DIRECTORY, "MyRootCA.crl").toString();
+    public static final String INTERMEDIATE_CA_CRL =
+            Paths.get(TEST_CERTIFICATES_DIRECTORY, "intermediate_ca.crl").toString();
 }
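Review bot: The static initializer locates the certificates directory by substring tests on `user.dir` (`contains("systests")`, `contains("..")`), which is fragile. A checkout whose parent path happens to contain "systests" takes the two-levels-up branch, and a run from the repository root falls into the `else` branch and looks one level above the repository. Every constant then points at a non-existent file, and the failure only shows up later as a keystore load error. Walking up from the working directory until the directory is actually found, and failing fast otherwise, avoids guessing the depth; it needs `java.nio.file.Files` and `java.nio.file.Path` alongside the existing `Paths` import. Since the class is now a `final` holder of constants, a `private TestSSLConstants() {}` constructor would also fit.

```java
    static
    {
        // Walk up from the working directory until the certificates directory exists,
        // instead of inferring the module depth from substrings of user.dir.
        final Path relative = Paths.get("qpid-test-utils", "src", "main", "resources", "ssl", "certificates");
        Path current = Paths.get(System.getProperty("user.dir")).toAbsolutePath().normalize();
        Path found = null;
        while (current != null && found == null)
        {
            final Path probe = current.resolve(relative);
            if (Files.isDirectory(probe))
            {
                found = probe;
            }
            current = current.getParent();
        }
        if (found == null)
        {
            throw new IllegalStateException(
                    "Cannot locate test certificates directory from " + System.getProperty("user.dir"));
        }
        TEST_CERTIFICATES_DIRECTORY = found.toString();
    }
    // … unchanged: keystore, alias and CRL path constants …
```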
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl
new file mode 100644
index 0000000..2d7b8d9
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl.pem b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl.pem
new file mode 100644
index 0000000..0430e10
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl.pem
@@ -0,0 +1,13 @@
+-----BEGIN X509 CRL-----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+-----END X509 CRL-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crt b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crt
new file mode 100644
index 0000000..0614c37
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl
new file mode 100644
index 0000000..7c4a5df
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl.pem b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl.pem
new file mode 100644
index 0000000..88a02d0
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl.pem
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----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+-----END X509 CRL-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.key b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.key
new file mode 100644
index 0000000..742071d
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIoKxdp44hlPICAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECIjUETc4sXyDBIIEyMQ/YTalgLpr
+OcHUsyfkMGThRYoMvDC1TT8SYR5iqm0ARFxIh6tnU1Y0JvWMdzQgR4qzZXbyZLwm
+L/0xeL4ErEkhgfc6UUv7ldv5uja3dKUbTZaxD/Pl/w7ZboVWj62RfiSMmoNmvMaw
+0c7BIFxXACdrVSjBN11cJOYI9nKwqge5WWEgTVYSyKGC0zf6BdSSRmaFX5mQ7E0D
+9tuegWmes57TEZXh9ObzsrKegFC6FJ26DUXZ7h7lAOkHrjRm+5pvY+YOHtGgBLCz
+h1DkssCQ9uyE+39REcdX4cEkY2L4kqirJ69v6YdT6u7NwF2eGCJwANDCI5+1WFO2
+Prc2SNAgA4TtASnwi6vE7z/Vg2Ah+WUx41m4kp5zw4rUIA6w9pvUnuZBhACEcqtt
+HncoVRr0dxX7tN7Hxsw5I2Wx0szuHCpSXt9den/4rcyl4dpVViNOc7lah0C8uS2t
+tt1DE4JdA1gm0uKVUkS+57049R0ojMisjMmJBs3V0+lPvRwHGZ+UGer4lw1FPMXr
+fDLXuOCs5V9pR2d5OtHttFNKVGwcRtPElSKCvJjxvl/frBTfng97S/jIAUJc4NMQ
+tBoI18TeNnALRp/JWtJf5VqQFyNvp/Th/Qk2VgUa6x5jKE6ksLlaVDxZ4rZbFyfl
+WkVbJ3OABNfEzrucOEFoncqHPM8BT1unTkRTOlsJMbgzJYby+RLznMzKwGS20A6P
+f2f4L840zqHSFHfD/HhW0CZ5ZwXbW6Kta6D0+DWDzHzA/6GMFtggpXtMXKbi/2dV
+wPR7sHQwxE+Qbq4SxxAx7CYhiz6L2x/EMX/BehAJic6XTQJEmluaiq3o1954OuTZ
+eUAnOV9iv2iEKf02D06yCJsyLop4CtN88HenGD7EiZ71IuF7U/VDoy2lVcbiW0DT
+efTsbns5euSqe335SHafd9OGIe8p7shsSsoh6smfUpYdYlKq+wG2P+h7CSMoIGh6
+bKq0k3xnyi4CH22Ukyt3IIg0REGTvFgdZGRuwJe2cylzYeuj+KJclVLTmJ2jQJ2D
+xd1M5gNqbZOzihCNOnG6Owik93RJBi6qynhfhOt6YHBeUmeIFx+ygLQqtNjlX/V9
++rsBtovzMZhfFK6ozSm0fQG+2rB5QrnsEw3gzzZ22fBPy+SQ1GPK2FJNNHO3REaD
++5Yt0Iny4jFA9UiveR8pxvYdPwoPEiEii1VfOAkR+0dcEeKX1gQvCF84XNRSiMXw
+ITHOI9QmmYqyjTAv1ZMB7TV3dnxQuyifHZciEFK5R7Kkn0Z78diXxFjWvPVVhsLG
+yzFHArQs0lDUsRlZxJ68SkwJ3dw2m8XpwUPkWlTZ5SoJTSN0JOa9fn5Htm7X1ZYK
+A4x80z3t6oeTGJxmDxQHOL+NCkeRQv1fN/JS4b7I6p9sQT+60gT5dJ0R6/CU2Vpf
+xM+DcHGW8oo8yQ2CjSOaf1Bp+Sp/arcrK0KOP6sbABlnXeTeRgWOb3xwRnwWP0am
+wAooVJgifFOAnEA7rfi7XgnQkALtwki4TPhy2g+eoHDo2PiX5j0QxdVpGlfzZVkC
+9j8fgea3hy5Y78Ju8N/fhZWgYIoyosVnFhXHtHpebPdDpktseOR388PNvMEa+6vT
+nKxFX9Uw8/IoAkO1WGG+rg==
+-----END ENCRYPTED PRIVATE KEY-----
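Review bot: This adds a CA private key under `src/main/resources` rather than `src/test/resources`, so it presumably ships inside the qpid-test-utils artifact. The key is encrypted, but if its passphrase is the `PASSWORD = "password"` constant from TestSSLConstants (not verifiable from this hunk), that protection is nominal. Certificates chaining to MyRootCA should therefore be treated as issuable by anyone. A short README beside the file would make this explicit: state that the CA is test-only, that it must never be added to a real truststore, and how the fixtures were generated.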
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.crt b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.crt
new file mode 100644
index 0000000..171ec80
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.crt
@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4663 (0x1237)
+        Signature Algorithm: sha512WithRSAEncryption
+        Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
+        Validity
+            Not Before: Jan 17 12:14:00 2020 GMT
+            Not After : Jan 17 12:14:00 2024 GMT
+        Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=allowed_by_ca@acme.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:ae:43:c8:3b:d5:08:7c:69:6f:48:96:bd:ae:cf:
+                    d9:ab:f6:3a:68:64:e6:f5:57:14:45:42:40:e5:c5:
+                    7f:97:6d:13:4f:d1:26:28:14:0d:30:e5:9e:55:67:
+                    b8:3a:7d:d8:8d:b4:9e:07:f0:62:e4:95:63:41:b9:
+                    04:2b:53:51:86:46:36:25:6f:82:60:74:e0:81:73:
+                    c3:ce:1c:76:3e:97:35:da:82:28:22:cc:ac:62:22:
+                    d7:0d:8d:38:44:c0:de:29:ca:15:b9:13:39:81:04:
+                    4b:0d:71:9f:ff:1c:36:4e:2e:57:54:85:83:f4:f4:
+                    a8:f9:bb:f5:a5:66:b1:9a:40:a2:1a:33:5e:b2:37:
+                    31:a5:73:fb:f4:39:fe:d1:52:ec:f2:b1:fc:84:1a:
+                    c7:2b:98:81:e3:62:ae:51:e6:5b:6e:c4:f9:ff:c0:
+                    e4:64:88:3a:c1:a2:20:95:3c:71:c6:eb:da:d3:de:
+                    aa:42:98:1f:e9:da:06:fc:f9:0d:23:1c:8b:ae:3e:
+                    ee:6c:b8:ac:a1:a3:da:c9:21:8d:c4:48:26:23:8e:
+                    40:44:55:dc:0b:fc:b8:a7:0c:c8:4b:f6:21:7a:1e:
+                    57:ff:1c:ce:a7:e3:8a:c4:26:02:93:f3:e8:4a:45:
+                    a5:3e:02:5b:25:6b:f8:58:1b:ce:18:3e:da:62:86:
+                    34:ff
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://localhost:8186/MyRootCA.crl
+
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+    Signature Algorithm: sha512WithRSAEncryption
+         c8:28:31:d7:11:ba:e1:ea:b0:18:ec:74:6b:66:7d:da:31:1f:
+         2a:a2:c4:e8:af:a2:ba:92:56:d9:7b:f4:fe:e1:20:5c:5c:5e:
+         3f:39:31:0a:b3:a5:19:f0:60:86:ef:98:eb:e1:c7:1a:1d:0a:
+         51:d6:25:9b:29:a4:71:9d:da:d6:cf:96:82:07:ca:38:71:62:
+         93:6b:b1:44:87:49:42:28:66:53:34:f1:fa:3e:48:49:ed:2a:
+         ed:56:b2:49:cb:5b:0c:46:59:68:2d:d9:95:47:c4:0c:fa:57:
+         93:e1:0b:52:ed:75:2a:fe:a9:e7:e7:a3:c8:68:7a:fc:14:92:
+         8b:8b:34:94:28:f1:23:7b:2c:bd:26:48:fe:bf:6e:ec:71:9b:
+         43:e8:e3:64:48:36:af:9e:8e:bd:e5:c7:b2:76:a5:c6:ca:98:
+         22:6b:aa:93:82:fd:cf:6b:08:df:40:43:fc:03:1a:12:12:85:
+         8e:dc:d2:06:80:cd:d9:ba:fd:f8:4e:3f:8a:99:46:db:df:67:
+         c2:67:b5:39:96:a5:71:12:be:03:f1:99:c0:b9:df:51:b5:37:
+         dd:a7:5a:75:32:a0:da:d7:09:83:1b:96:30:81:0e:b4:9d:10:
+         81:cc:05:65:a8:e6:3f:2a:de:b5:d3:6e:d3:ed:4a:a0:e3:a2:
+         56:ea:ef:3a
+-----BEGIN CERTIFICATE-----
+MIIDdjCCAl6gAwIBAgICEjcwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
+dENBMB4XDTIwMDExNzEyMTQwMFoXDTI0MDExNzEyMTQwMFowajELMAkGA1UEBhMC
+Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
+MQwwCgYDVQQLDANhcnQxHzAdBgNVBAMMFmFsbG93ZWRfYnlfY2FAYWNtZS5vcmcw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCuQ8g71Qh8aW9Ilr2uz9mr
+9jpoZOb1VxRFQkDlxX+XbRNP0SYoFA0w5Z5VZ7g6fdiNtJ4H8GLklWNBuQQrU1GG
+RjYlb4JgdOCBc8POHHY+lzXagigizKxiItcNjThEwN4pyhW5EzmBBEsNcZ//HDZO
+LldUhYP09Kj5u/WlZrGaQKIaM16yNzGlc/v0Of7RUuzysfyEGscrmIHjYq5R5ltu
+xPn/wORkiDrBoiCVPHHG69rT3qpCmB/p2gb8+Q0jHIuuPu5suKyho9rJIY3ESCYj
+jkBEVdwL/LinDMhL9iF6Hlf/HM6n44rEJgKT8+hKRaU+Alsla/hYG84YPtpihjT/
+AgMBAAGjTzBNMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9sb2NhbGhvc3Q6ODE4
+Ni9NeVJvb3RDQS5jcmwwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcN
+AQENBQADggEBAMgoMdcRuuHqsBjsdGtmfdoxHyqixOivorqSVtl79P7hIFxcXj85
+MQqzpRnwYIbvmOvhxxodClHWJZsppHGd2tbPloIHyjhxYpNrsUSHSUIoZlM08fo+
+SEntKu1WsknLWwxGWWgt2ZVHxAz6V5PhC1LtdSr+qefno8hoevwUkouLNJQo8SN7
+LL0mSP6/buxxm0Po42RINq+ejr3lx7J2pcbKmCJrqpOC/c9rCN9AQ/wDGhIShY7c
+0gaAzdm6/fhOP4qZRtvfZ8JntTmWpXESvgPxmcC531G1N92nWnUyoNrXCYMbljCB
+DrSdEIHMBWWo5j8q3rXTbtPtSqDjolbq7zo=
+-----END CERTIFICATE-----
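Review bot: This fixture carries `Not After : Jan 17 12:14:00 2024 GMT`, so tests that expect allowed_by_ca to be accepted will presumably start failing on that date, whatever the revocation logic does. Its CRL distribution point is also fixed to `http://localhost:8186/MyRootCA.crl`, which ties any test that fetches the CRL to that port being free on the build host. Consider issuing the fixtures with a much longer validity or generating them at test time, and record the generation commands next to the files so they can be renewed.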
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.csr b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.csr
new file mode 100644
index 0000000..f2a51e4
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.jks b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.jks
new file mode 100644
index 0000000..dae314d
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.crt
new file mode 100644
index 0000000..7129f68
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.key
new file mode 100644
index 0000000..c465086
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIWa+PHUaIhGECAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECEV7nV0bqTYVBIIEyNROaXQgS6RZ
+mSJcMeFAINaeZytR/Fq/vdlYE8qsnToVuySFqVft76Q1ZIs5ZsmwAPZxF6rAQZ9z
+9WsIVV7ZTZPCndP7R3/V1h11YGJpklu/wFDNPgkhJiP39A4gv99nWqdjPh3k6rJk
+5rshuHiVuPQ+lQxCJMnNNBzse1NAf7aCq3DONUAYrbxOPQODGAk9ilZtSirVNeCK
+8s9TwPi5vWaxkdgMkb8l+CtXKAYMIGXwslr4cs/02pOSSKMeSYn118aE05yRVI5a
+QrF6yk07huT94ZnVd7DS5sts1/igJk72mGc4zqAP7k2USYkvvzQ6/Lzt6jmdxlaV
+ovTnMpvrnS8Vt/27+XxH64cSC2of8a1N7nHKR/mjwzXwFfCqx36AAKNsnGpbX2vE
+PYgsMCAJrZY8DTgGnBKzJZTSbjfpeVDcWKrZtCIpcUCtHfzibwwo7FoFVi9f4Exq
+S+FkK1VX4JnWWxhNXKbUWWV24se/1NejY5op8TvunrT4xamV81v+Y3rAhORxZzZo
+QooLLY0EZVVGRA0qbg4TQZ87G4wxTKbeLv/vkJYt4+ElEkJZEm+f1U3OBKzBVC2h
+sA0bSo+vB7n322VMZQkGVXi3MCiJBlQYM2Dcp4+gC0GfkJhuNStp/QvfRIjjo+tR
++aP0/8dkdDaUSe7gUp+1du+bA4YhcdX06diHD0VZrFKOhfR9EJ4lGjlObCA/V6aA
+WGtinv/yglGv1ajX1/9PcKsbFh3uP9eDM2U1wGbkJIYbw9ttABS9IEGi2Gr7QcLh
+273v5H346t9aXOCk0D14qEe3fRZCHWYsFkIytSQy9iHFmn67XnROoAicKIktUtSK
+j5rnGz8NcY7lQNElcEdAcogd50vyBy8Xn/Y29vl8CcyP6Mh6WIgnF/QuJo0+A6lH
+T57lmQ7aQYQuqNk3TeSSpRU2ADY6OldxrUIarrhoV+K3CLNhoI/Ch/7jbPfv6Z2s
+IwfOr7uOsA1YoLYHuV4hn8X2EMOONpcH57zNnQdCDzMJO6E92ElpqmyKkos5uDe7
+dIVFEpQ/9oeLgc00izZtQjkiI6ar1Dk7jkqAUAELsPcw8pwklqVy90ku1wgUl4BQ
+TR/Sk+HqOj9epQfUOBWi0zz3F8kkOo6Y/1JtzMFp9xauInr4oFssJ0A+kRypLL4V
+LrPi59SgHwwNTacivYjoeT2UH2mTCc7MfS6z3czwn/Ds/c6WfKYxNA4WLlOTJV+v
+4Y4aE0a9GTlGIXYTyP+l7T40MaDhTLfnhqi74TBN8QQNnxcLLcVY9sUREdJHbDgQ
+o5GjffduqezL94D1ENLO2ekIspjgpsGnFp1Us9A53CeDdo/P0/OcLeNfUlun8yWm
+fKG7vwW/lQw3jc6G5xKTO70HR3V3VLWP297gdMMZBiD1byY6Sk52Xz9hShr7DoEg
+l5L0vkhK1MjGYfxmlL4j94XZ1VhE/xni/rDeq/mK+MjmJ68G1yBn6dv62py3g5Qk
+tnl6Rg2tho6M6IOr9KGJxkooqjj/ruyWqp+NePYqFq9hU0wwQ7kuJ6ASulkJRShD
+fcg59h1HkTkCpnPPA3fmkxdDy3umOW7maZnLVjf0Nmt0BOA+jg2V0KK83kuJCqlz
+cBTyMqk8rkW1zR2YuVr+TQ==
+-----END ENCRYPTED PRIVATE KEY-----
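Review bot: The key added here should be documented as public test material, because it is committed under `src/main/resources` of qpid-test-utils and is therefore packaged with that module. Its passphrase presumably has to sit in the test helper for the tests to load it, so the PKCS#8 encryption gives no confidentiality. The same applies to the other `*.self.key` files and the `.jks` keystores in this commit. A short README in `ssl/certificates/` would cover it, for example `Test-only key material: treat every key here as public; never import MyRootCA or intermediate_ca into a real trust store`. That also lets secret-scanner findings on these files be triaged quickly.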
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.crt b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.crt
new file mode 100644
index 0000000..f884155
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.crt
@@ -0,0 +1,81 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4666 (0x123a)
+        Signature Algorithm: sha512WithRSAEncryption
+        Issuer: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=intermediate_ca@acme.org
+        Validity
+            Not Before: Jan 17 12:14:01 2020 GMT
+            Not After : Jan 17 12:14:01 2024 GMT
+        Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=allowed_by_ca_with_intermediate@acme.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:c9:ec:61:2e:56:70:b4:b4:32:52:6b:62:c6:cd:
+                    64:87:65:e1:71:3b:87:fb:eb:dd:77:98:8e:44:aa:
+                    6d:df:2d:22:78:0a:9a:54:87:bf:23:28:cd:9e:64:
+                    fa:2d:40:ef:e3:09:37:be:12:65:aa:3f:4e:ef:2e:
+                    85:f1:19:42:00:79:51:95:a7:84:7a:9b:be:64:e3:
+                    f8:96:a7:5c:7a:ec:4b:4d:89:28:b2:2c:4f:e2:77:
+                    fd:26:48:84:07:63:db:e9:70:dc:aa:8e:74:05:23:
+                    89:db:9d:79:20:5a:83:bd:bb:a8:1e:1e:e8:38:8a:
+                    c8:2e:19:5d:47:0f:ee:0c:7a:88:d7:15:62:60:73:
+                    b0:cb:a7:a0:c2:89:0a:7e:33:89:67:f3:93:3c:d2:
+                    6b:90:f6:a6:6d:af:be:9d:38:2c:ae:b1:af:f0:23:
+                    19:3e:2c:90:a2:ad:77:8e:d6:40:e7:65:40:54:2f:
+                    5d:66:56:77:a1:71:47:13:d1:6d:d9:70:f9:14:c0:
+                    b4:5d:5d:32:7f:a2:af:49:45:7b:7c:44:c8:39:53:
+                    61:0d:25:c7:1e:a0:a4:7d:d0:21:60:22:7f:ec:55:
+                    36:af:87:30:fc:27:c5:a1:34:2a:a7:2a:b1:a3:9d:
+                    d8:18:88:d0:7e:53:49:2f:ea:6f:03:da:54:79:0c:
+                    26:e3
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://localhost:8186/intermediate_ca.crl
+
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+    Signature Algorithm: sha512WithRSAEncryption
+         17:7d:7c:c2:32:03:78:c5:76:87:37:54:38:c6:1f:f1:c6:05:
+         96:48:fb:f1:ad:da:41:76:7b:d0:cb:ee:7b:5d:78:9d:a6:b3:
+         75:32:85:37:91:d2:58:aa:a5:27:ac:71:4c:12:01:6c:14:19:
+         23:52:09:b9:13:3d:17:4d:a2:b0:56:95:38:66:a7:39:f2:b8:
+         78:50:2a:1d:12:63:46:1f:5e:d4:12:4b:f2:88:72:44:d9:43:
+         29:da:80:a0:14:0e:dd:d3:69:f3:ad:05:0e:bb:5a:5b:f4:aa:
+         06:5a:f5:8c:7f:78:ba:d3:50:e0:68:9f:11:b0:33:3c:f9:5c:
+         22:cd:70:68:ba:8c:39:92:e3:c4:88:1f:85:79:b5:1c:94:e1:
+         79:c9:56:4e:2c:1e:41:e8:fd:40:0e:61:46:dc:74:4b:f0:bf:
+         6d:e7:c1:34:fa:6a:fc:51:72:c5:a4:46:e0:db:94:09:4d:14:
+         eb:88:41:bb:82:63:e2:8d:c8:f1:a3:69:49:1b:89:12:d7:f8:
+         c1:7e:cc:90:70:80:2e:9d:e7:69:7f:80:46:f9:af:a2:19:ba:
+         02:40:1b:dc:b7:9f:ab:3e:06:b5:33:7b:61:57:8a:4a:b0:57:
+         2b:77:50:13:11:78:5f:62:45:b9:9b:21:2c:28:9b:44:2b:ef:
+         7f:e0:f4:18
+-----BEGIN CERTIFICATE-----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==
+-----END CERTIFICATE-----
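Review bot: The CRL Distribution Point `URI:http://localhost:8186/intermediate_ca.crl` is part of the signed certificate, so the revocation tests are tied to port 8186 on the machine that runs them, and the value cannot change without reissuing the fixture. `chain_with_intermediate.crt` carries the same dependency for `MyRootCA.crl`. The test harness is not visible from this hunk, but the port is worth naming in one constant beside the CRL server setup, with a comment such as `// must match the CRL Distribution Point baked into ssl/certificates/*.crt`. A test that runs with nothing listening on that port would also pin whether an unreachable CRL fails the handshake or is silently accepted.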
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.csr b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.csr
new file mode 100644
index 0000000..8ddce61
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.jks b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.jks
new file mode 100644
index 0000000..b4e40d8
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.crt
new file mode 100644
index 0000000..e124e38
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.crt
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID2TCCAsGgAwIBAgIUNnlaQs0dlbECoaCEl6BoAMhbdRYwDQYJKoZIhvcNAQEN
+BQAwfDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
+MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxMTAvBgNVBAMMKGFsbG93ZWRf
+YnlfY2Ffd2l0aF9pbnRlcm1lZGlhdGVAYWNtZS5vcmcwHhcNMjAwMTE3MTIxNDAx
+WhcNMjAwMjE2MTIxNDAxWjB8MQswCQYDVQQGEwJDQTELMAkGA1UECAwCT04xEDAO
+BgNVBAcMB1Rvcm9udG8xDTALBgNVBAoMBGFjbWUxDDAKBgNVBAsMA2FydDExMC8G
+A1UEAwwoYWxsb3dlZF9ieV9jYV93aXRoX2ludGVybWVkaWF0ZUBhY21lLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMnsYS5WcLS0MlJrYsbNZIdl
+4XE7h/vr3XeYjkSqbd8tIngKmlSHvyMozZ5k+i1A7+MJN74SZao/Tu8uhfEZQgB5
+UZWnhHqbvmTj+JanXHrsS02JKLIsT+J3/SZIhAdj2+lw3KqOdAUjidudeSBag727
+qB4e6DiKyC4ZXUcP7gx6iNcVYmBzsMunoMKJCn4ziWfzkzzSa5D2pm2vvp04LK6x
+r/AjGT4skKKtd47WQOdlQFQvXWZWd6FxRxPRbdlw+RTAtF1dMn+ir0lFe3xEyDlT
+YQ0lxx6gpH3QIWAif+xVNq+HMPwnxaE0KqcqsaOd2BiI0H5TSS/qbwPaVHkMJuMC
+AwEAAaNTMFEwHQYDVR0OBBYEFPjCNnLHyR9AJfM6BRMuGgmFF3dPMB8GA1UdIwQY
+MBaAFPjCNnLHyR9AJfM6BRMuGgmFF3dPMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQENBQADggEBAMZES6PIFa3+peqB18Af82We4bxIHDSMnpkU518Uf/cSwKLl
+LKdSGbIX2dr2uiqJuNQwrSbQwe0O24WBeuFnv8VWwjQrHPqX7et7LT3mBthaW3qP
+beRz0CHvYg09plniqWaaxZ0o+XDoG5/vs1rwSXhKdB89hBLBgdXWnIu05ISicj3Q
+wFv7Aad8s+29qd83ZTq3GPiAGAlHzBZoGfORxgw8Zkl5J8wpDY2IzHoFK65TltIg
+vEhmxsaY2q9ogDPU1g3vXOryobUcZXCk6Wmq7/AQ8Yb6pVOHU+B1GBWlDK+88RkI
+sejtPiVWiQixQbZsgjF0kzcXdW+v83vnK9C7Ehs=
+-----END CERTIFICATE-----
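Review bot: The validity encoded in this self-signed certificate appears to run only from 17 Jan 2020 to 16 Feb 2020 (the UTCTime pair `200117121401Z` / `200216121401Z` in the DER), and its Basic Constraints appear to be CA:TRUE. That looks like a by-product of key generation rather than a fixture meant to be validated. If any test loads a `*.self.crt` with date checking enabled, it will start failing within weeks of this commit. If the `.self.crt` and `.csr` files are not read by any test, leaving them out would shrink the set of key-related files that have to be maintained and audited.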
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.key
new file mode 100644
index 0000000..9768e71
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.crt b/qpid-test-utils/src/main/resources/ssl/certificates/app1.crt
new file mode 100644
index 0000000..867005d
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/app1.crt
@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4660 (0x1234)
+        Signature Algorithm: sha512WithRSAEncryption
+        Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
+        Validity
+            Not Before: Jan 17 12:13:51 2020 GMT
+            Not After : Jan 17 12:13:51 2024 GMT
+        Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=app1@acme.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:d9:72:36:d1:3a:19:ce:4a:c0:58:95:21:1a:9f:
+                    90:e5:48:b9:06:e5:47:0c:8c:59:7d:45:9b:df:a7:
+                    5f:5d:42:e9:62:c6:95:d6:63:e2:03:ae:29:1c:3f:
+                    a2:c5:89:32:72:b7:34:22:c8:fa:b5:c8:e4:59:47:
+                    3d:3c:4d:cf:c6:00:bd:76:69:d7:b7:a0:1f:4c:ea:
+                    a3:fa:54:4d:cb:d8:c4:af:2c:57:5e:bf:c0:5a:a6:
+                    58:bb:4d:c5:46:41:e3:ec:c8:0e:f3:2c:28:ce:37:
+                    66:b9:7c:02:a1:7c:cd:95:16:96:b6:0d:9a:50:ed:
+                    e7:a0:25:c7:88:59:bb:46:dc:9e:61:8c:46:5f:8e:
+                    6b:e4:ac:b2:4f:95:b2:b3:71:e5:5a:b9:2c:52:24:
+                    15:d8:57:98:aa:b5:17:2c:58:61:9f:cb:79:83:1d:
+                    2f:1f:73:37:b9:7a:ce:7d:f6:0c:74:26:24:fd:40:
+                    7e:a9:4d:69:21:30:8f:1d:5d:40:98:54:33:44:4c:
+                    ae:14:f2:94:ab:d8:9f:93:9b:43:c4:12:96:0a:89:
+                    65:b7:de:37:0c:69:16:96:89:91:45:85:20:b3:50:
+                    44:89:29:ae:c9:8b:04:4b:a8:85:cd:6b:e6:7b:94:
+                    44:2b:02:ad:8e:42:c3:3a:41:2d:60:d4:13:0c:6a:
+                    47:73
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+    Signature Algorithm: sha512WithRSAEncryption
+         48:74:83:6d:ee:96:77:ec:05:03:0d:63:9f:a7:4b:61:f9:c2:
+         c7:06:3e:ca:5f:db:1d:2b:0f:d2:06:5d:13:e7:a6:9b:9c:28:
+         9a:d9:7b:e2:70:00:6b:f1:7c:a3:ce:82:84:c8:a8:cf:15:0c:
+         b2:03:8e:ab:c1:47:4c:c4:d2:6e:2f:e6:f7:60:f1:f9:92:d2:
+         f7:a5:60:a3:86:6b:a5:3f:95:ba:25:7a:2f:5c:b3:b2:30:44:
+         c5:df:e4:fd:74:c0:44:f3:c6:43:a7:fd:06:ed:b9:ab:a5:fb:
+         ce:9b:f2:5e:64:52:bc:bf:88:df:ca:d4:d5:e2:07:e9:86:15:
+         ea:40:01:4f:6d:e4:ed:5b:25:dc:30:28:c5:e4:98:e3:ba:e5:
+         90:7a:4c:b5:d4:7c:ee:31:4d:64:bf:e9:c7:94:bb:87:88:3d:
+         c5:e3:6c:ab:96:26:de:a9:a3:af:fa:ca:e0:04:e0:50:d1:a0:
+         40:79:26:8a:8e:bd:cd:f8:8d:58:14:2f:cf:17:48:5c:62:14:
+         02:c4:5f:61:18:1a:b3:6e:c4:a0:03:5d:33:00:5a:e7:09:74:
+         25:c9:9d:4a:cf:d3:5d:fe:4a:33:06:d7:ab:37:02:4f:5e:f3:
+         8e:82:cc:1a:5b:6e:99:b6:96:0e:b7:f9:d8:03:91:04:a6:f3:
+         22:84:85:b9
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
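Review bot: `Not After : Jan 17 12:13:51 2024 GMT` gives this fixture a fixed four-year life, so every TLS test that validates it will begin to fail after that date. The other CA-issued certificates visible in this commit (`app2.crt`, `broker.crt`, `allowed_by_ca_with_intermediate.crt`, `chain_with_intermediate.crt`) end on the same day. Nothing in the hunks visible here shows how the files were produced. Checking in the generation commands next to the fixtures, as a script or a README section, would let them be reissued before the expiry. A line such as `# fixtures expire 2024-01-17; regenerate with <script name>` would make the deadline visible.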
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.csr b/qpid-test-utils/src/main/resources/ssl/certificates/app1.csr
new file mode 100644
index 0000000..4fdf611
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/app1.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.jks b/qpid-test-utils/src/main/resources/ssl/certificates/app1.jks
new file mode 100644
index 0000000..b421e69
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/app1.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.crt
new file mode 100644
index 0000000..63b33ae
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.key
new file mode 100644
index 0000000..8fe81d7
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.crt b/qpid-test-utils/src/main/resources/ssl/certificates/app2.crt
new file mode 100644
index 0000000..564fd86
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/app2.crt
@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4661 (0x1235)
+        Signature Algorithm: sha512WithRSAEncryption
+        Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
+        Validity
+            Not Before: Jan 17 12:13:52 2020 GMT
+            Not After : Jan 17 12:13:52 2024 GMT
+        Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=app2@acme.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:b7:16:85:6e:de:f5:77:42:63:ec:72:b8:e3:a9:
+                    2f:b3:34:1a:68:5b:39:1b:74:8d:52:08:42:2f:a7:
+                    30:84:10:96:7c:83:13:52:f3:ef:47:23:8e:25:4f:
+                    32:2f:b8:1d:55:ec:fb:fb:95:75:9a:b5:04:83:67:
+                    7b:58:0a:29:71:c7:2d:ee:9c:44:02:90:62:dc:1e:
+                    e4:d4:9e:c9:ac:3b:3e:74:cb:97:9f:c0:1b:ff:75:
+                    36:9b:4c:db:da:3f:eb:40:6e:f8:1c:a9:01:54:02:
+                    f9:2f:1c:59:51:61:84:51:68:b0:64:2c:11:0c:2b:
+                    08:22:9f:c1:00:06:36:15:02:bb:ad:9c:3b:b8:93:
+                    15:59:cd:d7:62:80:9f:20:a4:a2:7d:46:a5:00:98:
+                    16:20:48:49:be:08:d7:b2:9d:cf:40:3b:e2:a0:2d:
+                    be:bb:3d:e1:2b:cc:e4:f8:29:f0:a8:5b:cc:18:35:
+                    f7:13:a8:2e:16:32:65:35:94:73:7e:34:a3:97:65:
+                    53:42:41:85:73:eb:36:8f:88:fc:4e:2d:79:ac:12:
+                    df:60:fc:49:d9:71:3f:88:f3:b4:21:66:4e:34:91:
+                    6e:ca:5f:93:81:c6:f6:b8:b0:55:fd:73:bb:3f:4b:
+                    d3:2a:a9:d9:57:88:d1:4b:14:10:1e:d3:eb:fb:0c:
+                    b9:d3
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+    Signature Algorithm: sha512WithRSAEncryption
+         f0:b6:a8:e1:86:fd:b9:2c:1b:72:d1:0f:8c:10:97:d0:15:e5:
+         cd:aa:4a:c0:71:fd:3d:48:fc:ca:d9:1e:53:06:c2:7f:a6:f8:
+         57:02:c3:7c:a9:1b:7c:17:d6:2e:48:50:8a:6b:ff:90:2e:19:
+         03:c7:b7:31:27:04:ce:8c:e0:2d:43:6d:ca:d6:bd:b3:c9:ea:
+         66:6e:48:d8:ca:1c:ca:ee:2c:41:58:40:08:55:0e:4c:38:4d:
+         f6:16:14:fd:78:30:c6:73:88:cd:ba:ce:5d:25:df:cf:79:45:
+         d7:b8:51:b9:c6:9d:db:8a:82:35:ac:09:ee:2e:73:7e:86:8d:
+         23:d0:39:16:40:5e:10:4b:ba:d9:63:18:b3:40:43:19:35:49:
+         5d:7b:55:0a:9e:3a:f3:ae:33:0e:9b:4f:d1:07:16:33:32:d7:
+         4f:c2:43:35:31:4d:e6:39:f2:8a:12:fa:6b:ab:4b:dc:aa:18:
+         cb:db:df:b5:9f:58:ff:54:bc:de:af:c9:55:04:6a:60:47:68:
+         4d:18:15:51:2b:87:c3:aa:d9:86:f0:2d:42:ea:23:f8:30:59:
+         c7:4f:5d:84:e9:b0:5c:35:a6:63:c4:e0:66:c7:d8:fa:2c:17:
+         50:af:59:a9:38:9a:d8:3b:53:e6:3e:ea:bd:c0:51:d3:e3:fd:
+         9d:3b:94:51
+-----BEGIN CERTIFICATE-----
+MIIDODCCAiCgAwIBAgICEjUwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
+dENBMB4XDTIwMDExNzEyMTM1MloXDTI0MDExNzEyMTM1MlowYTELMAkGA1UEBhMC
+Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
+MQwwCgYDVQQLDANhcnQxFjAUBgNVBAMMDWFwcDJAYWNtZS5vcmcwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3FoVu3vV3QmPscrjjqS+zNBpoWzkbdI1S
+CEIvpzCEEJZ8gxNS8+9HI44lTzIvuB1V7Pv7lXWatQSDZ3tYCilxxy3unEQCkGLc
+HuTUnsmsOz50y5efwBv/dTabTNvaP+tAbvgcqQFUAvkvHFlRYYRRaLBkLBEMKwgi
+n8EABjYVArutnDu4kxVZzddigJ8gpKJ9RqUAmBYgSEm+CNeync9AO+KgLb67PeEr
+zOT4KfCoW8wYNfcTqC4WMmU1lHN+NKOXZVNCQYVz6zaPiPxOLXmsEt9g/EnZcT+I
+87QhZk40kW7KX5OBxva4sFX9c7s/S9MqqdlXiNFLFBAe0+v7DLnTAgMBAAGjGjAY
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBDQUAA4IBAQDwtqjh
+hv25LBty0Q+MEJfQFeXNqkrAcf09SPzK2R5TBsJ/pvhXAsN8qRt8F9YuSFCKa/+Q
+LhkDx7cxJwTOjOAtQ23K1r2zyepmbkjYyhzK7ixBWEAIVQ5MOE32FhT9eDDGc4jN
+us5dJd/PeUXXuFG5xp3bioI1rAnuLnN+ho0j0DkWQF4QS7rZYxizQEMZNUlde1UK
+njrzrjMOm0/RBxYzMtdPwkM1MU3mOfKKEvprq0vcqhjL29+1n1j/VLzer8lVBGpg
+R2hNGBVRK4fDqtmG8C1C6iP4MFnHT12E6bBcNaZjxOBmx9j6LBdQr1mpOJrYO1Pm
+Puq9wFHT4/2dO5RR
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.csr b/qpid-test-utils/src/main/resources/ssl/certificates/app2.csr
new file mode 100644
index 0000000..d97b9ff
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/app2.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.jks b/qpid-test-utils/src/main/resources/ssl/certificates/app2.jks
new file mode 100644
index 0000000..56d2a8a
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/app2.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.crt
new file mode 100644
index 0000000..c472d16
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.key
new file mode 100644
index 0000000..64544a9
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIEndyItP4BKwCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECBjmbsUCrUCTBIIEyDtTeDzGARWT
+w5X6wVjcwmvf/Vw2cczX8MUBWNkIHGSNTDHv6IlFxYA6SXCMy12OpaJiHr6CGp9A
+juyBn6C8AsKHxSgoMrImSt5RGRCQSSkq9bCpPGQR7/l6X+Z5yVG9XJYRxK6vXIG4
+mfkcIq2E5sV89v79aISvotXvTeVUfd++6CPahzpf6zZ6rKLp7AWIcZF5qQG+5Gdk
+1q5iOCcZtT04LQsAcEJCM8GQoXNDNTHwDvWi9DZ+yry0kTn0Lz8QMXOhVqf8gJKa
+/vded9cixbXk5QNQgFswZOSeEB7hWpT88VLoKl6VJOCGPERtyUMhwal/IvMX98Ad
+LDUBGd13WjP3EA3yAOI/W4V3TPJVJZD4xKgqhU+gnohfl1XU+evOu5+HxbDczAp1
+QyN0ni325c/jgXfcihN9AZrAviMz4GZLj55uTSmtCUaug8CCwRu5uxdmmA4BJCl1
+iFJmZzZIvqw5R9BIsu63/xHZYiYAvNDdIvBmJqPz2ka+vSWbGRT1bqkrpos/6LtU
+griby3OtfvyvNbWokQymDBHVxYZokio26UIrc4Z2IUsS0354J+GyOiZ0oFe1DfTs
+1taEQGgTWsfJpRs+xNjaImhPN5AJZRKLgzsOqXLZofYiv/Rexq1AaZTGMzr6xt3Y
+QL0+q7KJ3DBAQxkST4ARo6bVNb9MPgOjXDpvvjJOfbuwR1jlgSHBFM4OBEEI5xV3
+avurI3pE+GnXY+lJCeuSwATnxeUJoHzcUn6QmdkB8Li20ovzXJs8PgBq/dD2rG4d
+tkMUnwsd0dwmYaDVstM9awkP1+EvzZ2O3wiHzqE2jE1bRNIj+8bKSWxSCrF9tGi1
+YCDLCGk0BTaNCaaIFFxNTxgE81GsrgqQvfLCsUljF04Lbj/ZvzcLdW82FkFSjUBa
+Z7sXwq8NOJsGjVp8Akwf4Z702PZVnj/lV25PLj53ayRcvnO2PLkLdwdVLJyFt6ES
+CelAz1d2ejww1NKj+ipJuQ9Yun1d+21HBLQGYCnST/rzet+JcuQMw0QIQBvVioLZ
+KS1V/yi/u5Rvos7x3RQyIJITY4HP9tvTKftdIW3M5nEkMNuHHAcZUrv83YJkzt1T
+1Sd/qVOupGHA/DYvUVPn0v48XxRjWF/jpf1Jdd4EeuYIYRmZH0I3wRvuc0qyT6nV
+CxoART7gzaLeWYLx67gaSguojYbCzWRnBSBAq/Wy2fcHMKZ7DywMWJwn0dqofeuM
+ZABB2jWKGuHLrM3wfzcGJLIlaHG0RESn8ThqwMODRaqTgxQP0y4E2CabDSeco6fK
+g8InlTKlHxB6u2AcDpPTeBh9om7AXvs7iT0rWrhEU7FxCr7NjAHaQBMmltS4uv9q
+wNZ0uqg++s5wIr9dzkBNjEJvk89HKtkLwYQgie9OdbaQEz0xV3S06ChvaH0nXtQu
++/K4Gw2yR8mLA3TCHSlNe/q5daRNhjXzmX2erK5u8UsZFU6Ln6M+kvbYvtlG6rSR
+N7njPcUwCa+juvP8LxQEJUE3OgWeLM/0S2LiJz69XnCHz886VAoMETIs7sgfI0lP
+I2qgD/sB7eFgsPPstZyIf41PVssf+03vZ8lCLUqnZuDLLZO/l//CDRdBWIZvJ8pk
+pRdP0ZJdSqZryf9eSBfnRQ==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.crt b/qpid-test-utils/src/main/resources/ssl/certificates/broker.crt
new file mode 100644
index 0000000..ca6dc2f
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/broker.crt
@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4662 (0x1236)
+        Signature Algorithm: sha512WithRSAEncryption
+        Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
+        Validity
+            Not Before: Jan 17 12:13:57 2020 GMT
+            Not After : Jan 17 12:13:57 2024 GMT
+        Subject: C=CA, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=localhost
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:d2:28:a5:31:6e:85:97:8a:39:c0:8a:21:ab:bf:
+                    cf:93:39:03:cb:63:6b:f3:47:6d:3f:50:24:06:bb:
+                    3d:25:14:cc:b2:d3:50:62:1a:71:18:5a:98:97:8f:
+                    fa:45:70:ca:b8:98:9c:60:78:03:c8:a7:2a:b2:d7:
+                    53:e3:b2:71:52:b0:7a:0f:12:42:63:a7:2f:d9:c0:
+                    bc:50:da:5b:3c:52:ac:bf:fa:6e:c4:80:f7:b7:e2:
+                    e9:53:53:55:95:24:72:de:63:2f:59:dd:8e:8a:13:
+                    11:17:44:03:41:c0:95:f9:8b:dc:05:e9:1e:ab:3b:
+                    72:e8:b1:5c:c0:0a:ed:c9:11:6e:30:79:65:71:e8:
+                    3d:2c:c0:0a:5c:dc:92:22:1b:f7:06:2e:f4:7d:1f:
+                    ea:c5:a5:57:91:1d:f2:f6:44:f1:bd:25:f2:1d:fe:
+                    a0:68:d1:38:7e:5f:0a:5d:37:47:f9:ca:9b:c0:0c:
+                    a9:ae:7f:e4:0b:cd:85:e5:8b:91:6e:35:74:f7:6b:
+                    04:a3:10:67:1c:fd:bf:c2:1c:2a:dc:a7:04:93:98:
+                    48:03:cc:8f:fc:d7:65:8c:d1:9f:07:63:0b:04:86:
+                    01:d7:37:c7:a2:6d:4e:04:cb:a0:2f:ea:23:2a:59:
+                    ff:f0:b7:16:fc:fb:56:9c:4a:2f:e2:8b:3f:ad:25:
+                    53:19
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+    Signature Algorithm: sha512WithRSAEncryption
+         dc:c9:fd:ca:91:81:b8:18:33:c5:bb:0d:f0:cf:88:ba:92:21:
+         73:1f:9d:bb:98:9b:e6:09:fd:92:ff:c2:58:23:01:97:a4:09:
+         8b:d7:63:b6:63:f4:fd:96:f7:ef:5a:f3:be:15:92:72:15:2c:
+         7c:e7:d5:e1:13:cc:70:19:87:c5:c9:13:83:7c:28:ad:02:16:
+         11:6a:ab:b6:80:41:ca:6e:5b:89:48:42:27:74:e3:44:a1:51:
+         3b:f3:e0:b9:11:45:75:f8:d1:eb:9a:1d:04:7c:e1:26:be:55:
+         b5:98:d5:0b:38:24:67:78:3e:f0:52:5a:2c:72:77:02:0a:78:
+         f5:73:24:26:73:c6:1a:62:8c:e1:5d:61:71:40:e7:1f:de:f6:
+         39:a4:c5:84:c8:b6:d8:2f:b1:1d:19:bf:25:75:9f:1f:a9:7d:
+         09:52:80:dc:6c:8a:40:d9:cc:cb:99:db:e8:85:6b:dc:49:fd:
+         68:2e:71:d1:a8:ad:10:cb:28:1a:cd:04:c6:63:cf:11:30:18:
+         7c:4f:71:f3:70:84:ed:8d:e8:b8:2e:df:b2:a3:7d:68:64:28:
+         26:5c:1f:ec:1e:db:90:09:7f:40:cd:55:bd:1b:27:bd:34:6f:
+         82:9b:a9:83:fb:0a:67:66:50:32:5d:c6:06:82:cc:83:35:22:
+         ee:88:7d:b8
+-----BEGIN CERTIFICATE-----
+MIIDQDCCAiigAwIBAgICEjYwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
+dENBMB4XDTIwMDExNzEyMTM1N1oXDTI0MDExNzEyMTM1N1owaTELMAkGA1UEBhMC
+Q0ExEDAOBgNVBAgMB1Vua25vd24xEDAOBgNVBAcMB1Vua25vd24xEDAOBgNVBAoM
+B1Vua25vd24xEDAOBgNVBAsMB1Vua25vd24xEjAQBgNVBAMMCWxvY2FsaG9zdDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANIopTFuhZeKOcCKIau/z5M5
+A8tja/NHbT9QJAa7PSUUzLLTUGIacRhamJeP+kVwyriYnGB4A8inKrLXU+OycVKw
+eg8SQmOnL9nAvFDaWzxSrL/6bsSA97fi6VNTVZUkct5jL1ndjooTERdEA0HAlfmL
+3AXpHqs7cuixXMAK7ckRbjB5ZXHoPSzAClzckiIb9wYu9H0f6sWlV5Ed8vZE8b0l
+8h3+oGjROH5fCl03R/nKm8AMqa5/5AvNheWLkW41dPdrBKMQZxz9v8IcKtynBJOY
+SAPMj/zXZYzRnwdjCwSGAdc3x6JtTgTLoC/qIypZ//C3Fvz7VpxKL+KLP60lUxkC
+AwEAAaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcNAQENBQAD
+ggEBANzJ/cqRgbgYM8W7DfDPiLqSIXMfnbuYm+YJ/ZL/wlgjAZekCYvXY7Zj9P2W
+9+9a874VknIVLHzn1eETzHAZh8XJE4N8KK0CFhFqq7aAQcpuW4lIQid040ShUTvz
+4LkRRXX40euaHQR84Sa+VbWY1Qs4JGd4PvBSWixydwIKePVzJCZzxhpijOFdYXFA
+5x/e9jmkxYTIttgvsR0ZvyV1nx+pfQlSgNxsikDZzMuZ2+iFa9xJ/WgucdGorRDL
+KBrNBMZjzxEwGHxPcfNwhO2N6Lgu37KjfWhkKCZcH+we25AJf0DNVb0bJ700b4Kb
+qYP7CmdmUDJdxgaCzIM1Iu6Ifbg=
+-----END CERTIFICATE-----
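Review bot: The broker certificate identifies the host only through `CN=localhost`; the extensions listed are Basic Constraints and Key Usage, with no Subject Alternative Name. Verifiers that match host names against SAN entries only will reject it even though the chain is valid, so a test with a stricter client could fail for a reason unrelated to revocation. Reissuing the fixture with `subjectAltName = DNS:localhost` in the extension section would remove that ambiguity.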
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.csr b/qpid-test-utils/src/main/resources/ssl/certificates/broker.csr
new file mode 100644
index 0000000..d459aab
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/broker.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker.jks
new file mode 100644
index 0000000..af8d5d2
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/broker.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.crt
new file mode 100644
index 0000000..03db86e
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.key
new file mode 100644
index 0000000..5ccb683
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker_expired_truststore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker_expired_truststore.jks
new file mode 100644
index 0000000..077274a
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/broker_expired_truststore.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker_keystore.jks
new file mode 100644
index 0000000..e789738
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/broker_keystore.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker_peerstore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker_peerstore.jks
new file mode 100644
index 0000000..b306a9f
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/broker_peerstore.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker_truststore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker_truststore.jks
new file mode 100644
index 0000000..2bc0f4f
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/broker_truststore.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/chain_with_intermediate.crt b/qpid-test-utils/src/main/resources/ssl/certificates/chain_with_intermediate.crt
new file mode 100644
index 0000000..f9dd3e3
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/chain_with_intermediate.crt
@@ -0,0 +1,105 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4665 (0x1239)
+        Signature Algorithm: sha512WithRSAEncryption
+        Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
+        Validity
+            Not Before: Jan 17 12:14:01 2020 GMT
+            Not After : Jan 17 12:14:01 2024 GMT
+        Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=intermediate_ca@acme.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:cd:1b:03:cd:bb:56:19:11:47:00:bd:f2:60:d8:
+                    31:34:9e:06:cf:9c:1e:59:27:c1:99:c0:73:b3:14:
+                    90:09:c5:8b:3c:fa:27:5f:54:fb:0a:0c:49:1c:f4:
+                    6f:7e:82:8b:c9:d8:a3:6b:a3:9b:0d:f4:4c:ec:95:
+                    47:f1:55:d7:a3:e3:61:0f:dd:32:07:cf:d9:ed:01:
+                    58:aa:4f:d8:be:0a:18:cd:08:f6:6c:ee:5b:20:9c:
+                    fe:55:97:08:99:52:86:2c:d0:6e:5a:db:6d:14:17:
+                    87:e4:e0:d9:ec:9d:22:7c:04:89:d4:5f:b4:fd:73:
+                    9f:82:29:92:97:30:c7:9c:73:d1:a2:8b:0a:02:39:
+                    02:7e:c2:c6:c7:05:1d:16:97:e7:40:54:8b:cb:33:
+                    44:41:b0:44:5b:64:c6:21:8e:89:75:1d:c2:84:a0:
+                    90:48:c6:9b:ab:36:b5:06:cc:c4:48:d6:64:c6:af:
+                    f8:c1:40:ee:10:18:6a:20:ca:ca:d9:11:78:8f:56:
+                    50:8c:04:01:28:a4:da:f4:d4:d1:50:03:47:3f:9b:
+                    b5:5b:e6:25:9f:85:4d:2b:b6:ad:21:4d:97:d2:53:
+                    00:bf:51:63:c2:4d:aa:49:04:81:ab:b5:97:c6:bf:
+                    82:02:94:ef:04:b7:bd:43:50:26:cc:53:eb:ab:75:
+                    d4:0b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://localhost:8186/MyRootCA.crl
+
+            X509v3 Subject Key Identifier: 
+                FF:6A:19:05:FF:1A:9B:17:7C:72:5F:9F:8C:42:B0:15:DC:6F:D4:E2
+            X509v3 Authority Key Identifier: 
+                keyid:D8:34:F2:4C:A5:AC:01:A4:3B:54:66:AA:F7:DB:C3:C1:F2:BF:E6:CC
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha512WithRSAEncryption
+         4a:7b:89:b1:f3:db:79:bf:c6:2d:6c:82:f3:3c:4e:33:ca:72:
+         a8:5c:68:a8:f5:09:81:03:07:90:c1:dc:29:06:17:c4:f4:b7:
+         cb:7b:65:2f:68:23:68:ce:b6:f6:96:2e:6d:84:35:6a:9f:e4:
+         c2:46:50:81:df:e5:cc:fb:2e:73:6b:83:2d:41:9f:92:14:32:
+         d5:52:60:32:13:02:3e:c3:35:0b:fa:58:c2:3b:4a:17:a5:87:
+         c8:ca:ba:c6:11:94:9c:1a:d5:d9:23:22:62:0d:a6:19:b4:54:
+         cb:0f:a4:a4:d0:24:a3:bc:3c:7d:af:e7:cb:45:22:ac:b8:f4:
+         b7:f2:64:09:1a:27:b7:ab:1a:26:3b:f1:b2:8a:5f:36:21:a2:
+         30:9d:ed:8a:3b:7a:2b:ab:97:99:aa:d0:7d:b6:85:46:11:d2:
+         d7:5b:ba:64:6b:b1:27:85:55:10:be:44:bf:4b:80:75:ff:cf:
+         7a:6b:65:86:4f:50:40:7c:38:e4:3a:3b:9d:1d:be:79:31:5e:
+         b5:30:ae:b2:2c:bb:de:a0:ae:f1:90:d3:69:f9:d8:3a:82:d4:
+         71:aa:92:0f:f1:33:60:2b:3c:76:e5:08:4c:e5:32:23:45:97:
+         68:aa:11:92:88:48:02:bf:e2:59:8d:67:91:a8:8c:b0:3f:ed:
+         15:cc:57:ee
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDYzCCAkugAwIBAgIUAzgWkwkl4wOLx+GiJZVnG3I2cNEwDQYJKoZIhvcNAQEN
+BQAwQTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFD
+TUUxETAPBgNVBAMMCE15Um9vdENBMB4XDTIwMDExNzEyMTM0OVoXDTI0MDExNzEy
+MTM0OVowQTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoM
+BEFDTUUxETAPBgNVBAMMCE15Um9vdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA+CXc5ld4yp+N6ns0HA8aPI2AUDPcbhs558F713/amq6KzueuVBJ4
+UBMdFqGI2Ul2RbEJuy/qxYqTDqtPNMorzLgK47NrDnZ0cdE/DlavSyCQmNoE0Ksr
+XBTbIk0uEKKObJSYiW+8ise6cc+5Q83woG5OzUj6E/uX/TFYsSbsaLaG74HY8ajI
+bHDEPOnRlqWV/Z8ADvjpplxXuAXyhA7YYMA/WlXAp3knLFEZTJduVeH+U9gn3lif
+9zjUxuaNBioTJcnHnbanc3z2q5CvTbzhlUjOuWJ28dJ+QHr60bw4EEwM+akavU+O
+9GK2Dh2oqLAOJ/z11I5F6LX7NEOprpt0owIDAQABo1MwUTAdBgNVHQ4EFgQU2DTy
+TKWsAaQ7VGaq99vDwfK/5swwHwYDVR0jBBgwFoAU2DTyTKWsAaQ7VGaq99vDwfK/
+5swwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAQEA8p51vGg8YT6y
+Aiyeps/ggms5/vkuH3AdI2OqC1RbIIx2Duia1EiH+Vxw0I1B7jJ9tZOsZfJVLmcr
+qlToReTTceGSRt22JvV7vpB/mn7y1z5Pz9Inw/eWTC32frzzLdayGv3/EhArsu+B
+eW6EemnXN4UxRc4rkCcYqz3WJJ/NollBwzqhpmFqo0sArZ7CSkz9+2U6sayZsxA3
+zT+4aj6vIp6Yv/USgX86VrdO1sBhJKlosEOlJqyorpjutv4fl4hR04/yU+Kw/sdG
+9ZA5Q9zrV0ooZ+635K1Z4Xr2rCH/38ltUZnFWD7D0w/z+QhonxXdnwbudtedSybo
+VPvWVRUaVA==
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_expired.crt b/qpid-test-utils/src/main/resources/ssl/certificates/client_expired.crt
new file mode 100644
index 0000000..7bc29f1
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/client_expired.crt
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_expired_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/client_expired_keystore.jks
new file mode 100644
index 0000000..a3c29eb
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/client_expired_keystore.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/client_keystore.jks
new file mode 100644
index 0000000..1d21f01
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/client_keystore.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_truststore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/client_truststore.jks
new file mode 100644
index 0000000..51593d6
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/client_truststore.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_untrusted_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/client_untrusted_keystore.jks
new file mode 100644
index 0000000..b788861
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/client_untrusted_keystore.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl
new file mode 100644
index 0000000..d32bdf9
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl.pem b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl.pem
new file mode 100644
index 0000000..ded7194
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl.pem
@@ -0,0 +1,12 @@
+-----BEGIN X509 CRL-----
+MIIBxjCBrwIBATANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJDQTELMAkGA1UE
+CAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTALBgNVBAoMBGFjbWUxDDAKBgNVBAsM
+A2FydDEhMB8GA1UEAwwYaW50ZXJtZWRpYXRlX2NhQGFjbWUub3JnFw0yMDAxMTcx
+MjE0MDFaFw0yMDAyMTYxMjE0MDFaoA8wDTALBgNVHRQEBAICEjQwDQYJKoZIhvcN
+AQELBQADggEBAI31QLg89gCYaB3yGaPAJG45ENz4L6sKf8X7H6sZfnnEECIfMDeF
+Wuu5ummkvSKyHVDj5m5FT9W6mKj8JkXUfGS64ssR361BixlBfmsVj5y3upXmuEta
+x03Ewqp888NaZyxK749J+1pfo5XOq0OUTe0+J1gTrS+JSWO3194MohtqkOQ11FHc
+9nDqZo49Bi+gqvulu+t1uPfM7i2RHgVl3e+gMc7XuguC1obGyuSoFSCW3IcqjuOt
+d1xTz/p/Cx3TqlMFI0uGzXzl11jLu/CDHtMvax5YJ65lV1wK86z6tpENR3Din4X1
+tHZMxga+hGrJikOeu/WZrw2cC1hx9OZU4Fw=
+-----END X509 CRL-----
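Review bot: This CRL fixture appears to go stale 30 days after it was generated: the second and third body lines decode to thisUpdate 2020-01-17 and nextUpdate 2020-02-16, followed directly by the CRL-number extension, so it seems to list no revoked entries. A PKIX revocation check evaluated against the current time typically rejects a CRL whose nextUpdate has passed, so a test that loads this file that way would start failing, or passing for the wrong reason, after that date; whether any test does so is not visible here. Consider issuing it with a longer window, for example `openssl ca -gencrl -crldays <N>` in generate_certificates.sh (its body is outside this view), or pinning the validation date in the test. The binary intermediate_ca.crl added just above presumably carries the same dates.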
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crt b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crt
new file mode 100644
index 0000000..19d97a9
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crt
@@ -0,0 +1,84 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4665 (0x1239)
+        Signature Algorithm: sha512WithRSAEncryption
+        Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
+        Validity
+            Not Before: Jan 17 12:14:01 2020 GMT
+            Not After : Jan 17 12:14:01 2024 GMT
+        Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=intermediate_ca@acme.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:cd:1b:03:cd:bb:56:19:11:47:00:bd:f2:60:d8:
+                    31:34:9e:06:cf:9c:1e:59:27:c1:99:c0:73:b3:14:
+                    90:09:c5:8b:3c:fa:27:5f:54:fb:0a:0c:49:1c:f4:
+                    6f:7e:82:8b:c9:d8:a3:6b:a3:9b:0d:f4:4c:ec:95:
+                    47:f1:55:d7:a3:e3:61:0f:dd:32:07:cf:d9:ed:01:
+                    58:aa:4f:d8:be:0a:18:cd:08:f6:6c:ee:5b:20:9c:
+                    fe:55:97:08:99:52:86:2c:d0:6e:5a:db:6d:14:17:
+                    87:e4:e0:d9:ec:9d:22:7c:04:89:d4:5f:b4:fd:73:
+                    9f:82:29:92:97:30:c7:9c:73:d1:a2:8b:0a:02:39:
+                    02:7e:c2:c6:c7:05:1d:16:97:e7:40:54:8b:cb:33:
+                    44:41:b0:44:5b:64:c6:21:8e:89:75:1d:c2:84:a0:
+                    90:48:c6:9b:ab:36:b5:06:cc:c4:48:d6:64:c6:af:
+                    f8:c1:40:ee:10:18:6a:20:ca:ca:d9:11:78:8f:56:
+                    50:8c:04:01:28:a4:da:f4:d4:d1:50:03:47:3f:9b:
+                    b5:5b:e6:25:9f:85:4d:2b:b6:ad:21:4d:97:d2:53:
+                    00:bf:51:63:c2:4d:aa:49:04:81:ab:b5:97:c6:bf:
+                    82:02:94:ef:04:b7:bd:43:50:26:cc:53:eb:ab:75:
+                    d4:0b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://localhost:8186/MyRootCA.crl
+
+            X509v3 Subject Key Identifier: 
+                FF:6A:19:05:FF:1A:9B:17:7C:72:5F:9F:8C:42:B0:15:DC:6F:D4:E2
+            X509v3 Authority Key Identifier: 
+                keyid:D8:34:F2:4C:A5:AC:01:A4:3B:54:66:AA:F7:DB:C3:C1:F2:BF:E6:CC
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha512WithRSAEncryption
+         4a:7b:89:b1:f3:db:79:bf:c6:2d:6c:82:f3:3c:4e:33:ca:72:
+         a8:5c:68:a8:f5:09:81:03:07:90:c1:dc:29:06:17:c4:f4:b7:
+         cb:7b:65:2f:68:23:68:ce:b6:f6:96:2e:6d:84:35:6a:9f:e4:
+         c2:46:50:81:df:e5:cc:fb:2e:73:6b:83:2d:41:9f:92:14:32:
+         d5:52:60:32:13:02:3e:c3:35:0b:fa:58:c2:3b:4a:17:a5:87:
+         c8:ca:ba:c6:11:94:9c:1a:d5:d9:23:22:62:0d:a6:19:b4:54:
+         cb:0f:a4:a4:d0:24:a3:bc:3c:7d:af:e7:cb:45:22:ac:b8:f4:
+         b7:f2:64:09:1a:27:b7:ab:1a:26:3b:f1:b2:8a:5f:36:21:a2:
+         30:9d:ed:8a:3b:7a:2b:ab:97:99:aa:d0:7d:b6:85:46:11:d2:
+         d7:5b:ba:64:6b:b1:27:85:55:10:be:44:bf:4b:80:75:ff:cf:
+         7a:6b:65:86:4f:50:40:7c:38:e4:3a:3b:9d:1d:be:79:31:5e:
+         b5:30:ae:b2:2c:bb:de:a0:ae:f1:90:d3:69:f9:d8:3a:82:d4:
+         71:aa:92:0f:f1:33:60:2b:3c:76:e5:08:4c:e5:32:23:45:97:
+         68:aa:11:92:88:48:02:bf:e2:59:8d:67:91:a8:8c:b0:3f:ed:
+         15:cc:57:ee
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
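Review bot: The fixture has a fixed expiry, `Not After : Jan 17 12:14:01 2024 GMT`, so any test that validates the certificate path against the wall clock will begin to fail on that date until the certificates are regenerated; revoked_by_ca.crt, revoked_by_ca_empty_crl.crt and revoked_by_ca_invalid_crl_path.crt below carry the same four-year window. A comment in generate_certificates.sh stating the expiry and how to refresh the files would help the next maintainer, for example `# Fixtures expire 2024-01-17; re-run this script and commit the output before then.` The CRL distribution point `URI:http://localhost:8186/MyRootCA.crl` is also baked into the signed certificate, so the tests presumably need to bind port 8186, and a port clash on a build host cannot be resolved without reissuing the certificates.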
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.csr b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.csr
new file mode 100644
index 0000000..31d625f
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.jks b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.jks
new file mode 100644
index 0000000..251089d
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.crt
new file mode 100644
index 0000000..d4d1fad
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.key
new file mode 100644
index 0000000..f2392c8
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIrFQQzoVuNVgCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECIWesfDR2OA7BIIEyB+WEIidNRox
+k5SvY9Hyi77Y1Jh/u1WJVWmQalZvWOAX8lnhQTDMVlCZ9zOku+0CWPIfEPcTBPbc
+WkTdNFmnlpUwrrjZ+ijwyv9eF6WaIvAyBAlSXDUULkkiaweKT22KGmCKWGY92UJq
+UtnsyZupQ95oWRcJ6x8/83dhaQM9yVf8a2jZzpIkCM5bdNXrSSObM2Oz1WhpcPEg
+yJzVceZTxASB3BnvIayNqFvMMiFQR4QcDTMkudBWGro3q5qm+LINQrG3nXmTwDvp
+u3PXxP8c0nEXxQYB9PPDL3qWQ5QkjaZWm5QUFWvUFGYc3bbuNXkzivBFp9W478wY
+W41x9WI6DVDkcrTv5n5X268xh3Gs5/nYERjuB657rGC3R5mNeL4unohPBsamyhrE
+ZFgzaMB0hhh0w57suFoVbrqkcKWQx7vhNwvOqbyiOg/qLk5sHrNAVdZtKA5iHux3
+JMbzHzG73wduXCWOOJcBYZD5cA7ifNwmNAz7sg9z2CY1XGHRrm+l9QZK5SLrQGIC
+p17ZREm2rnUMmZFqmIdRYyWUmfZmZ1eejT7Nf93GyutdabLNc1ROANY/mElW68qK
+RlEszYEJskw9vclg8PogulnGVND5ES5zxG4qUWJtkvx7QM1NqgUq77rK93Q/1AkC
+tB2A2/wwZmmPQMYR/7qSr0HLkTLYqmtEC5FVXB9STVdHYEgs4G7yNArY1a10ApaS
+Avf+TJD+SH8ZJMc4xVOJwc/NyKqaI+LFc64m/8oC+Mt6wpos5nvPoGqIGW10Oqcv
+N4IREavDgHEcbfRsj4Cdt55YaAk0C7MNn21PvTRI7aS8aWScTD5sMlJZDFe/V2ZL
+IxdW4LnZfyRt/s2qsx6mrbrKsaBB+o4BKC0AQax/o6GNTP89aug4OIUr3h7qGf1C
+oKLGLHjXuZcw0NKK+ufRqimvgHz6segsfgxLBsLoZ2EkhHqdWxyVI6dB/TdB2+Mu
+x3I0iQ/lC22Ky+hGpcb2iU0eB1NYA6/Wns880EJGd6/w6vmJOjG+BG0zoOELgLXH
+j0nGK2gh/2fxg2i+UjMvK7lGLjyiit/rPgH5B0e7QqJrwC0KHkxQO/dIp9aQ5BZD
+7PyGEX3ThaBSXyor3JoRtF0sLFhib2vqws7WNke7kJqDcoi9AZEQJ8gl2DLUqWbl
+ci0s32YNxXKQWB20eKJDhiLOPxZmwfQlyFAnJQrYOEhKG/BJD/O+q7MtBwJ674kG
+TcJ3AxKJhw6rOM8tjvuUfbBBNG8O0ngkbNPN36EYDkWb7ro1W4+MDayFt0P8nXgt
++liJEFp9yFDm3OMiMrHJmihZKGqr7VC9sDm+EjFMpa/Er7KWBBzvWip3pIZslHrv
+HIYILJS8C6OgiwQF24+pW9O7tqUVKrjpZ5Tl/QuR4Qm4L3kWO/63nFMH+PP/ODYQ
+0cB/g8cEGVWClUlxp/2D7IrNh6d59mQuvhrF+fkMoNV8AeU9+IinDlF3ik00n9cF
+5U9shoMgSuyj5d9L2FCJi/t67LiAWsp3aGwcfHPfanSIpS/EvpCyvT9py1zE0IFC
+Hzz76V2V5VrRkYGwT2M8b+RtgHUles5e8sXxkWTW9AvbtfJtADit5mEX0eXJJAfP
+aRZsBte7k0++5afbuVkCug==
+-----END ENCRYPTED PRIVATE KEY-----
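Review bot: This private key is committed under src/main/resources, so by Maven convention it is packaged into the qpid-test-utils artifact, and the encryption adds little because the passphrase presumably has to be available to the generation script and the tests. The header decodes to PBES2 with PBKDF2 (2048 iterations, HMAC-SHA256) and 3DES-CBC, which is adequate for a throwaway fixture but nothing to rely on. A short README next to the files would make the status explicit, for example `All keys, keystores and certificates in this directory are public test fixtures and must never be trusted or deployed outside the test suite`. The same applies to revoked_by_ca.self.key, revoked_by_ca_empty_crl.self.key, revoked_by_ca_invalid_crl_path.self.key and the .jks files added in this commit.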
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.crt
new file mode 100644
index 0000000..dd4073e
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.crt
@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4664 (0x1238)
+        Signature Algorithm: sha512WithRSAEncryption
+        Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
+        Validity
+            Not Before: Jan 17 12:14:00 2020 GMT
+            Not After : Jan 17 12:14:00 2024 GMT
+        Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=revoked_by_ca@acme.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:ab:54:29:44:85:72:57:4f:8d:9f:60:77:5c:77:
+                    b0:45:bd:34:7a:e5:37:9f:0f:26:ac:e1:68:1a:b3:
+                    86:bf:55:48:82:ad:31:df:ed:89:a9:7e:25:b8:4d:
+                    5c:95:c1:4a:9e:b2:a3:51:57:e8:dd:18:75:e5:db:
+                    f0:aa:ea:eb:5f:0f:e0:09:e2:7c:a6:1c:5c:e5:db:
+                    2c:c1:f2:d7:40:21:f7:fa:ef:e0:3e:f5:3d:10:52:
+                    ec:b7:cd:9a:d8:3d:36:9a:3f:cd:1a:1f:e7:de:09:
+                    c3:8f:08:4f:c1:c4:cb:d3:65:81:c4:e3:28:ed:f4:
+                    a9:43:f2:c6:84:d9:16:22:65:55:17:e3:8b:7a:45:
+                    9d:5f:7d:e5:87:d6:a5:fb:fe:0f:86:c0:d4:e0:9b:
+                    2c:3a:99:df:4d:42:df:30:38:56:2d:f3:e5:8b:0f:
+                    fc:99:e3:1f:62:cb:85:78:a3:40:43:d6:42:3b:bc:
+                    e8:6c:45:19:3d:ca:43:86:1a:4b:ae:e9:3b:51:b0:
+                    0d:0a:bb:de:26:34:b3:cf:dc:fc:99:c8:7e:42:7d:
+                    2c:67:ea:2c:7d:2e:bf:ff:7f:21:9a:17:f1:87:1d:
+                    aa:d6:a4:06:bb:c1:65:ac:7d:7a:51:fd:3f:d0:ac:
+                    9b:85:17:51:5b:99:16:b8:c7:72:00:2d:0b:54:78:
+                    16:5b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://localhost:8186/MyRootCA.crl
+
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+    Signature Algorithm: sha512WithRSAEncryption
+         3a:d1:40:59:30:54:80:6a:b6:a9:76:f3:d1:05:c9:a1:d7:b0:
+         ff:70:48:65:1d:1c:e5:82:b9:c5:62:78:eb:7a:0f:77:2d:26:
+         8d:a7:16:34:a5:57:4e:da:51:b5:3e:65:a3:db:a4:ba:43:70:
+         93:d4:d5:82:e4:c8:59:f0:f9:2c:7f:d6:d9:87:b8:5e:a9:4c:
+         a5:cc:c3:ac:87:c8:3e:46:7e:6d:40:c1:bf:9f:03:68:ea:e1:
+         97:30:43:bf:d7:a4:1a:58:e2:72:cf:0d:6f:31:1b:4a:72:4d:
+         42:6d:7b:21:42:23:c0:7a:50:14:b9:f9:a5:95:53:77:c1:89:
+         ff:3e:a0:1a:b2:88:69:13:93:c8:14:c4:c5:24:47:a0:9e:43:
+         70:9d:ac:0e:7f:a6:b5:45:47:35:f9:e9:6d:32:15:54:26:81:
+         84:ae:d8:27:c9:f3:65:64:7a:72:14:02:9f:8a:73:cf:04:c0:
+         53:a8:01:56:a6:a6:b8:fe:06:b1:71:c0:cc:64:07:d5:33:a8:
+         69:01:5e:06:b8:24:ec:1e:c4:9e:58:45:60:2b:70:d4:db:7a:
+         8c:42:21:e6:e6:33:c9:66:35:6c:06:ad:0f:47:74:24:cb:65:
+         af:e1:a6:d0:b3:06:4a:97:5f:b2:83:cf:ac:0d:81:c2:07:7a:
+         06:c1:45:90
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.csr b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.csr
new file mode 100644
index 0000000..7a8a730
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICrzCCAZcCAQAwajELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
+DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxHzAdBgNVBAMM
+FnJldm9rZWRfYnlfY2FAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCrVClEhXJXT42fYHdcd7BFvTR65TefDyas4Wgas4a/VUiCrTHf7Ymp
+fiW4TVyVwUqesqNRV+jdGHXl2/Cq6utfD+AJ4nymHFzl2yzB8tdAIff67+A+9T0Q
+Uuy3zZrYPTaaP80aH+feCcOPCE/BxMvTZYHE4yjt9KlD8saE2RYiZVUX44t6RZ1f
+feWH1qX7/g+GwNTgmyw6md9NQt8wOFYt8+WLD/yZ4x9iy4V4o0BD1kI7vOhsRRk9
+ykOGGkuu6TtRsA0Ku94mNLPP3PyZyH5CfSxn6ix9Lr//fyGaF/GHHarWpAa7wWWs
+fXpR/T/QrJuFF1FbmRa4x3IALQtUeBZbAgMBAAGgADANBgkqhkiG9w0BAQ0FAAOC
+AQEAle9ozcWOV+gW4zVToxUl/Cumqe3zqg7YE1SV4/QssVEVfJjb4s4/2JnjDQvQ
+BExP4yeiLVtIjjEaFy+fu4LZ7Qx7+GlhBCOaBuS/hNRmuJPNv+GwommABYkDvx86
+QeztX5oU/Gcn9tx+IjiBfn6pUsF4tX1Qd9ueucPUDR7xHMAFBBNnC1ahhki6rOVB
+9fxbduViyr2RKl9gDao650PsVn3+9MtKaU/oHluuyOjbCsrdjY5uGTWGJjWXGWBv
+whtYRomEofuvZk7vsmhBtJUixFuo4mVXA3Q6jCH3nre57YsQFR8+oFkIDogtXUNj
+rOtgaueA6Rd50L4j8hoQKBAkFA==
+-----END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.jks b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.jks
new file mode 100644
index 0000000..cd38ca0
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.crt
new file mode 100644
index 0000000..47696f6
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIUHVCN1hW4l8SlUG15T552XxvHr4owDQYJKoZIhvcNAQEN
+BQAwajELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
+MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxHzAdBgNVBAMMFnJldm9rZWRf
+YnlfY2FAYWNtZS5vcmcwHhcNMjAwMTE3MTIxNDAwWhcNMjAwMjE2MTIxNDAwWjBq
+MQswCQYDVQQGEwJDQTELMAkGA1UECAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTAL
+BgNVBAoMBGFjbWUxDDAKBgNVBAsMA2FydDEfMB0GA1UEAwwWcmV2b2tlZF9ieV9j
+YUBhY21lLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKtUKUSF
+cldPjZ9gd1x3sEW9NHrlN58PJqzhaBqzhr9VSIKtMd/tial+JbhNXJXBSp6yo1FX
+6N0YdeXb8Krq618P4AnifKYcXOXbLMHy10Ah9/rv4D71PRBS7LfNmtg9Npo/zRof
+594Jw48IT8HEy9NlgcTjKO30qUPyxoTZFiJlVRfji3pFnV995YfWpfv+D4bA1OCb
+LDqZ301C3zA4Vi3z5YsP/JnjH2LLhXijQEPWQju86GxFGT3KQ4YaS67pO1GwDQq7
+3iY0s8/c/JnIfkJ9LGfqLH0uv/9/IZoX8YcdqtakBrvBZax9elH9P9Csm4UXUVuZ
+FrjHcgAtC1R4FlsCAwEAAaNTMFEwHQYDVR0OBBYEFMU9e8zrbXHC342Uby8gqhgM
+YvLxMB8GA1UdIwQYMBaAFMU9e8zrbXHC342Uby8gqhgMYvLxMA8GA1UdEwEB/wQF
+MAMBAf8wDQYJKoZIhvcNAQENBQADggEBAB/EApL8yOgY/Moi9zfCG22GRosPydBS
+87rlGBuWieIuHTUjZfo4Cso/Gss7BKNPVpS68g6QXh5t/mlWLes8lXVHj8V2RHUg
+JMJZ6FZVXGaR/3wvRT8i5xag4kYye585P52ovvzI8TyWRf2f4UQhNXIH6If8fYkJ
+CI/bp7Wd+b2+Vrnacx8gc5uzYXSsbUujd0b7X//gAu0YBPVqdkiJGpB1N4XPFhaF
+NPauaic9wtzETHc2ETmvKWoqxW0mwX8AuDY/GVa04s/jiy1JuH0uqfQCiGi1dkRF
+yYXQNXuPWiQ5K8Eg2bPaSSnCpQZgH4DG7315ne6XFaSQK/iJU9p05cA=
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.key
new file mode 100644
index 0000000..2bed0ac
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.crt
new file mode 100644
index 0000000..7a80d78
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.crt
@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4667 (0x123b)
+        Signature Algorithm: sha512WithRSAEncryption
+        Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
+        Validity
+            Not Before: Jan 17 12:14:02 2020 GMT
+            Not After : Jan 17 12:14:02 2024 GMT
+        Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=revoked_by_ca_empty_crl@acme.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:cd:03:6c:76:ba:58:04:33:52:0c:45:ba:80:87:
+                    be:ce:3d:94:76:45:79:29:b1:15:15:c9:95:e0:5e:
+                    03:34:a5:5f:ab:b6:8a:03:57:b4:60:2d:fe:2e:27:
+                    c1:51:7f:bd:25:fe:0d:d3:48:72:0a:09:ed:ef:df:
+                    18:98:17:e1:bf:44:07:6f:f5:72:98:73:0a:ca:7c:
+                    7f:a6:8e:1b:e1:f5:e9:cc:d5:37:96:1e:8b:f1:8b:
+                    cb:4f:3b:ad:e5:b9:73:b2:6f:2c:e2:70:c9:a7:28:
+                    ee:d2:4e:79:02:ef:11:f0:8d:77:41:46:d4:98:72:
+                    cd:73:66:a4:f2:ea:81:42:b5:e1:95:0c:d3:23:e7:
+                    dc:0e:2c:02:cf:bc:8f:dd:53:ea:2c:08:1d:8b:07:
+                    52:47:25:dd:9d:99:5c:56:86:2d:38:2a:2f:15:57:
+                    dd:e2:c0:79:a5:aa:e6:3f:c3:b9:78:97:cf:47:fa:
+                    c6:9f:55:73:42:cb:27:17:35:b3:5c:91:bd:f9:f0:
+                    00:a6:d2:5b:eb:34:2e:43:6a:ca:38:f6:14:32:4c:
+                    c8:35:92:b7:4c:f7:da:86:70:55:0c:ca:67:82:5e:
+                    31:7f:e1:d2:76:22:d8:92:03:d6:47:df:43:55:33:
+                    29:e3:44:d0:2e:45:b4:e5:fb:78:95:53:3e:21:33:
+                    01:3d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://localhost:8186/MyRootCA.empty.crl
+
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+    Signature Algorithm: sha512WithRSAEncryption
+         bf:be:61:4f:7a:a3:ff:9f:76:1a:d5:80:57:e8:29:d5:7b:31:
+         f2:15:de:11:a2:f4:67:97:05:70:52:84:0c:6d:aa:bc:b4:f1:
+         ed:92:f7:e3:ca:0f:4e:19:c4:82:38:e2:f1:30:74:42:8e:c8:
+         7e:9f:b5:df:59:8b:e7:70:84:4d:fc:6b:4e:25:33:65:ac:f6:
+         da:3e:a4:32:fd:cb:f7:dc:f3:5a:3f:e3:8b:85:8d:9b:5a:e1:
+         f4:17:3c:d5:67:13:25:78:d0:3f:9d:cc:b8:1f:3c:9c:55:11:
+         12:1f:13:2f:55:4b:3d:e0:cf:bf:10:ce:de:04:a3:b1:60:26:
+         3e:41:bf:8f:3b:86:ef:7f:69:4b:5b:2e:45:a2:5a:b5:34:2e:
+         ff:28:01:81:15:03:53:86:31:77:ac:41:f5:b3:c1:54:e9:ab:
+         cf:d3:3f:36:94:4e:ed:07:39:4e:ad:fb:0c:26:87:62:30:51:
+         da:70:8a:f2:9b:9f:9f:a4:25:d8:df:90:27:ab:0e:b6:81:fc:
+         a1:24:16:4d:aa:91:d7:c9:0b:f0:49:1a:80:7c:86:7f:0f:4e:
+         32:59:86:41:32:92:00:b1:f0:32:50:84:72:35:f3:b2:7f:c1:
+         2a:69:6c:9e:74:43:8e:d0:15:b3:0d:ed:34:b9:14:fe:24:17:
+         f7:4c:e0:0f
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.csr b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.csr
new file mode 100644
index 0000000..7275fc2
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.jks b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.jks
new file mode 100644
index 0000000..7e0ab14
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.crt
new file mode 100644
index 0000000..876f462
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.crt
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDyTCCArGgAwIBAgIURa7KfSxOy6INMZLGbza+/AKlMMgwDQYJKoZIhvcNAQEN
+BQAwdDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
+MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxKTAnBgNVBAMMIHJldm9rZWRf
+YnlfY2FfZW1wdHlfY3JsQGFjbWUub3JnMB4XDTIwMDExNzEyMTQwMloXDTIwMDIx
+NjEyMTQwMlowdDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdU
+b3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxKTAnBgNVBAMMIHJl
+dm9rZWRfYnlfY2FfZW1wdHlfY3JsQGFjbWUub3JnMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAzQNsdrpYBDNSDEW6gIe+zj2UdkV5KbEVFcmV4F4DNKVf
+q7aKA1e0YC3+LifBUX+9Jf4N00hyCgnt798YmBfhv0QHb/VymHMKynx/po4b4fXp
+zNU3lh6L8YvLTzut5blzsm8s4nDJpyju0k55Au8R8I13QUbUmHLNc2ak8uqBQrXh
+lQzTI+fcDiwCz7yP3VPqLAgdiwdSRyXdnZlcVoYtOCovFVfd4sB5parmP8O5eJfP
+R/rGn1VzQssnFzWzXJG9+fAAptJb6zQuQ2rKOPYUMkzINZK3TPfahnBVDMpngl4x
+f+HSdiLYkgPWR99DVTMp40TQLkW05ft4lVM+ITMBPQIDAQABo1MwUTAdBgNVHQ4E
+FgQUJBs8fXPCO0HfB5qCdnNIr+LKofAwHwYDVR0jBBgwFoAUJBs8fXPCO0HfB5qC
+dnNIr+LKofAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAQEAKlMt
+n4ZrNl91i2HJUhy1qQEed6r2IFzTiVCIlV5tL/e3JyOksKxHeoV8JcN4mFNDzVZM
+vk+ZuCty1wJQLs6OOCfdXwSekSJblV/IXqKosvJj+RN6EHLeEYUoVJlKkU1E/wXZ
+LbjioYtv7LAdDXuZro3P5W9IBiNGPitOWqdZYTkYgrDdyn9MBucm7UMTftvS8buK
+sBjOhKQNO4Q34VJlOgKjoPEQr/R/JnNFbFh3dKYfDFABwy3dgp6kehzazb68An+j
+K/qljEqmAGwn92pSQDxNW/opQ3iMMjTiUie7f5PpCphFD/noIXgSyVutV8dFEBtw
+uTTPMl1O2ogZSriu3A==
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.key
new file mode 100644
index 0000000..9576760
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIFZ8yTs+qbG0CAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECCIuCWBoRzWlBIIEyEJvOIUqC7LU
+XAcbfwBQgC+6bmxO+2A+KGmMoWua1om7bO7YkzoTesXg1sDN5xO8S0T02/laHE+n
+h4SKtG+Ocvc75hznd2dkz+QrvUHfxYBWS5zayDYvO/V2GjbI/LUhBxTh17KRRGwD
+FvJmfYyQ7C4jguscRrTpnKxknuIbQYQMUlTVquB3htAtf9ORQSC34QiKl6Ahm2F9
+S5iRxOQI3y5+g6BXVTktBjFMg+EIlVgi7UrOtplj/GAC6m0tF+G2Cl2R+IYcU4Uj
+iZO6XBeVGUaDCy6b5jdeiBXTbqYWrLaMrCQabZTfw3utJQHAPFaBE+y25Wq4SdJ7
+/S8BmCDa1x9doH7ShJ8ykync1PfOIaTbzqWMx4zIgAFQ2/azZD2aB6GWo8lpQWOp
++yRRNQsYQNiVZ8895KVfsLJvf7nEZ0gtrKYxUiwdzIXspNdt2ymzhcKf1bYeG8TX
+XgegkqB2zzp/BviBlGWo5RSGDyaXTHrdWK3yJBkuP4oGMrk71+W/kDUzTCR++AqM
+1TpbYXLIbqMlE5DEHejgYYOclx3pmMBYcJJsPW8mKd2C7G3fj67lUQwXr+iLS1Fl
+Zekh3ZcaQSptQyUaJ6XXaa8A5qx42FpEGIxTLF3YktyT/u3rMsYD62hohR7zCNUK
+J8Wsmjmeu78OoPv68DxD8Hi88rcYg/cKTELjBx+GQOKGite7ogxPcdfFIrprVNTQ
+WLYLk9STn42RhUELKt2uKYmVJ6GzfBf7Lfgmsi9QVIPbswZE02fF/pC5Gcl1FEA8
+X0wcxcv9MAbFm497CMkdw9wxj4rV7XruBrUAB24QRj/r3Hsk4LS/0MI8/OawzaP+
+UAXYExWPuOremVl4/esbXOi5UXPcz/4aDtYyo3/PYOS8TWGnhJ0P3VykdTQ2a6Cq
+A/qI5c1HN0Llg918Eff/Lrw3WDpe7tcuQz0UZDUw9wEdglMTl1xQ9tZPQcMmKc08
+32dUUxPNX+wsKM1k5VBYRx/Vltr+odNaW4eTgVhsQ68D1vvA+AHLrHOUTGMknVTh
+89ZTtycV908axGVot7fz0wpc+n0nF/d6Q75NpqTwGQdwe6LMyYed6dOotYn9rWAV
+rPIxw9gsT3AGFyzos/ZB4RehHWIX/uumPw3H67vG2q+A2q2zzJFmH72mgMIpf/hY
+1SoCO3Uhlv58zbASfchyIFlMNNxSN9+6uffXbB9kR/C3ClKZB9vDwyhpMFU/LMqz
+2/ffsESVa5KSRdzwJuzbHQC/cymQZYoe3SayObmKoTIzo6lQoTCX7yREUFaT346A
+XkjN40YsO4dQ64r4qKdCRmhK1GHo3zXzT/50maVxzUsJafhuARvLxckpidq0mdT9
+2zBl5aM7GTwqCs9eqV1EJJASeBoFdu2iAKOI5O0Y7uVKNRZbiElnroR9IgfINepc
+7OenXrQbwrXD0PYORY04axr3hfM7GEy90TC+9WGLZWBTyKRdTdIdNCTvh1q84OZo
+Qp4zEhWsHT6C1FKmpu+uhPKHEqgqrgWFfsSr21uYFuEybXY2B9euyB222wYjX8K4
+u9C1+YGNQIhDcfqaefLdIBfgUErK/xjTDBP8Xk85NJIxab98aJkhclH0k8qOv6pr
+35/tH3UEUjR1FlIgzU46cg==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.crt
new file mode 100644
index 0000000..35b1e6a
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.crt
@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4668 (0x123c)
+        Signature Algorithm: sha512WithRSAEncryption
+        Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
+        Validity
+            Not Before: Jan 17 12:14:02 2020 GMT
+            Not After : Jan 17 12:14:02 2024 GMT
+        Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=revoked_by_ca_invalid_crl_path@acme.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:cc:e3:11:32:ee:d9:ba:67:5b:0b:e2:52:4b:9c:
+                    e7:54:d7:e4:c7:a9:92:7e:6a:39:e0:bb:d3:cc:9f:
+                    6f:38:73:96:c5:62:bf:bc:8d:69:e5:e8:67:3f:18:
+                    d8:aa:ab:67:93:cb:c1:71:ac:7d:1e:7e:40:a7:d6:
+                    0a:8a:d2:17:7e:3b:be:d0:0e:1b:54:7c:be:0f:de:
+                    46:9b:4c:5a:64:de:87:08:45:b9:4f:32:df:26:6c:
+                    42:66:06:bd:61:cb:95:ae:a7:94:ee:4f:61:ff:da:
+                    18:b5:4a:41:9a:c5:c4:bd:2b:ae:8f:9d:13:82:04:
+                    df:23:31:4a:5d:62:2c:0f:83:87:18:4a:7c:ce:12:
+                    bc:02:67:b4:1e:d9:9b:4c:9a:33:ab:0c:34:eb:dc:
+                    8e:36:0a:54:ac:c1:88:84:26:15:9e:a5:08:0b:e2:
+                    95:ef:3b:71:29:d9:c7:39:79:05:ef:4e:dd:52:ea:
+                    42:05:b3:7b:2b:b4:ee:3e:da:4f:78:a7:e3:39:da:
+                    6e:56:2e:74:52:27:7f:e5:e9:c3:11:79:c9:5f:6f:
+                    ae:58:31:d0:d1:89:b3:01:09:01:5d:44:53:6b:21:
+                    af:fc:07:e6:68:9e:76:ab:c9:56:b0:20:5d:36:fe:
+                    e0:06:8c:bb:70:6c:e3:3b:92:a0:5b:0d:e9:ce:e4:
+                    fb:ff
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://localhost:8186/not/a/crl
+
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+    Signature Algorithm: sha512WithRSAEncryption
+         70:bd:f9:c8:9e:b5:40:c4:cd:af:33:9a:35:10:25:ef:2d:00:
+         c1:e3:7a:b3:54:f3:e7:86:b5:a7:3a:7c:4e:c3:fe:c3:b3:f6:
+         e9:e1:4b:48:27:40:dc:36:e1:18:cc:79:93:44:c8:96:78:1c:
+         c2:e3:3c:58:a3:3e:4c:d7:68:7e:e3:83:c4:40:f1:2a:d1:17:
+         a5:89:5f:5d:72:b9:3f:9e:75:7a:a2:d9:73:82:09:4d:45:40:
+         84:ed:e7:9a:15:81:e2:3e:43:eb:c4:f8:ff:40:a4:b9:1c:d0:
+         3f:e9:c4:17:26:74:10:86:52:c5:34:b8:a7:d4:1c:b5:53:ac:
+         af:35:35:61:c7:7c:f0:ce:bb:4e:24:49:01:3b:88:57:70:73:
+         ad:19:52:ee:b0:57:5e:01:ac:18:1a:ab:73:d5:12:c1:55:0c:
+         7b:42:33:ad:5c:a9:5a:75:61:dc:65:08:b0:b5:ab:d0:56:2f:
+         1b:fa:88:2f:53:2f:04:bb:e3:d6:42:73:0a:03:a3:28:79:a9:
+         ba:45:4e:ac:65:9e:0f:6a:f2:b7:9a:3a:df:fd:07:cb:4b:78:
+         6a:32:91:59:d4:f6:ea:aa:0d:71:da:21:14:cf:b9:73:bd:c6:
+         f2:b3:8b:b2:30:7a:83:3a:7f:09:d3:11:ef:13:dd:da:1d:b9:
+         01:11:fe:ad
+-----BEGIN CERTIFICATE-----
+MIIDhDCCAmygAwIBAgICEjwwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
+dENBMB4XDTIwMDExNzEyMTQwMloXDTI0MDExNzEyMTQwMlowezELMAkGA1UEBhMC
+Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
+MQwwCgYDVQQLDANhcnQxMDAuBgNVBAMMJ3Jldm9rZWRfYnlfY2FfaW52YWxpZF9j
+cmxfcGF0aEBhY21lLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AMzjETLu2bpnWwviUkuc51TX5Mepkn5qOeC708yfbzhzlsViv7yNaeXoZz8Y2Kqr
+Z5PLwXGsfR5+QKfWCorSF347vtAOG1R8vg/eRptMWmTehwhFuU8y3yZsQmYGvWHL
+la6nlO5PYf/aGLVKQZrFxL0rro+dE4IE3yMxSl1iLA+DhxhKfM4SvAJntB7Zm0ya
+M6sMNOvcjjYKVKzBiIQmFZ6lCAvile87cSnZxzl5Be9O3VLqQgWzeyu07j7aT3in
+4znablYudFInf+XpwxF5yV9vrlgx0NGJswEJAV1EU2shr/wH5miedqvJVrAgXTb+
+4AaMu3Bs4zuSoFsN6c7k+/8CAwEAAaNMMEowMAYDVR0fBCkwJzAloCOgIYYfaHR0
+cDovL2xvY2FsaG9zdDo4MTg2L25vdC9hL2NybDAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIF4DANBgkqhkiG9w0BAQ0FAAOCAQEAcL35yJ61QMTNrzOaNRAl7y0AweN6s1Tz
+54a1pzp8TsP+w7P26eFLSCdA3DbhGMx5k0TIlngcwuM8WKM+TNdofuODxEDxKtEX
+pYlfXXK5P551eqLZc4IJTUVAhO3nmhWB4j5D68T4/0CkuRzQP+nEFyZ0EIZSxTS4
+p9QctVOsrzU1Ycd88M67TiRJATuIV3BzrRlS7rBXXgGsGBqrc9USwVUMe0IzrVyp
+WnVh3GUIsLWr0FYvG/qIL1MvBLvj1kJzCgOjKHmpukVOrGWeD2ryt5o63/0Hy0t4
+ajKRWdT26qoNcdohFM+5c73G8rOLsjB6gzp/CdMR7xPd2h25ARH+rQ==
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.csr b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.csr
new file mode 100644
index 0000000..5c04ce9
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.jks b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.jks
new file mode 100644
index 0000000..a61e890
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.crt
new file mode 100644
index 0000000..c7418d2
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.crt
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.key
new file mode 100644
index 0000000..cfaeb30
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_cert_only_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_cert_only_keystore.jks
new file mode 100644
index 0000000..a4648a0
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/test_cert_only_keystore.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_empty_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_empty_keystore.jks
new file mode 100644
index 0000000..4eebca7
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/test_empty_keystore.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_keystore.jks
new file mode 100644
index 0000000..c6dd178
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/test_keystore.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_pk_only_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_pk_only_keystore.jks
new file mode 100644
index 0000000..6e7fc6c
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/test_pk_only_keystore.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_symmetric_key_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_symmetric_key_keystore.jks
new file mode 100644
index 0000000..129593a
Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/test_symmetric_key_keystore.jks differ
diff --git a/qpid-test-utils/src/main/resources/ssl/generate_certificates.sh b/qpid-test-utils/src/main/resources/ssl/generate_certificates.sh
new file mode 100755
index 0000000..636d6d5
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/generate_certificates.sh
@@ -0,0 +1,370 @@
+#!/bin/sh
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+MY_PATH="$(dirname "$(readlink -f "$0")")"
+CRL_HTTP_PORT=8186
+PASSWORD=password
+ROOT_CA=MyRootCA
+INTERMEDIATE_CA=intermediate_ca
+OPENSSL_DIR="$MY_PATH/openssl"
+OPENSSL_CONF="$OPENSSL_DIR/openssl.conf"
+CERTIFICATES_DIR="$MY_PATH/certificates"
+VALID_DAYS=1461
+
+CLIENT_KEYSTORE="$CERTIFICATES_DIR/client_keystore.jks"
+CLIENT_TRUSTSTORE="$CERTIFICATES_DIR/client_truststore.jks"
+CLIENT_EXPIRED_KEYSTORE="$CERTIFICATES_DIR/client_expired_keystore.jks"
+CLIENT_EXPIRED_CRT="$CERTIFICATES_DIR/client_expired.crt"
+CLIENT_UNTRUSTED_KEYSTORE="$CERTIFICATES_DIR/client_untrusted_keystore.jks"
+
+BROKER_KEYSTORE="$CERTIFICATES_DIR/broker_keystore.jks"
+BROKER_TRUSTSTORE="$CERTIFICATES_DIR/broker_truststore.jks"
+BROKER_PEERSTORE="$CERTIFICATES_DIR/broker_peerstore.jks"
+BROKER_EXPIRED_TRUSTSTORE="$CERTIFICATES_DIR/broker_expired_truststore.jks"
+BROKER_CRT="$CERTIFICATES_DIR/broker.crt"
+BROKER_CSR="$CERTIFICATES_DIR/broker.csr"
+BROKER_ALIAS="broker"
+
+TEST_KEYSTORE="$CERTIFICATES_DIR/test_keystore.jks"
+TEST_PK_ONLY_KEYSTORE="$CERTIFICATES_DIR/test_pk_only_keystore.jks"
+TEST_CERT_ONLY_KEYSTORE="$CERTIFICATES_DIR/test_cert_only_keystore.jks"
+TEST_SYMMETRIC_KEY_KEYSTORE="$CERTIFICATES_DIR/test_symmetric_key_keystore.jks"
+TEST_EMPTY_KEYSTORE="$CERTIFICATES_DIR/test_empty_keystore.jks"
+
+# set to true for debug
+DEBUG=false
+
+generate_selfsigned_ca()
+{
+    echo "Generating selfsigned CA certificate"
+    openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$ROOT_CA.key" -out "$CERTIFICATES_DIR/$ROOT_CA.crt" -days 1461 -subj '/C=CA/ST=Ontario/O=ACME/CN=MyRootCA' -passout pass:$PASSWORD -sha512 && \
+    keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$CLIENT_KEYSTORE" && \
+    keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$CLIENT_TRUSTSTORE" && \
+    keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$BROKER_KEYSTORE" && \
+    keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$BROKER_TRUSTSTORE"
+    _rc=$?
+    if [ $_rc -eq 0 ]; then
+        echo "Selfsigned CA certificate successfully generated"
+    else
+        echo "Failed to generate selfsigned CA certificate" >&2
+    fi
+    return $_rc
+}
+
+prepare_openssl_environment()
+{
+    echo "Preparing openssl environment"
+    rm -rf "$CERTIFICATES_DIR" && \
+    mkdir "$CERTIFICATES_DIR" && \
+    rm -rf "$OPENSSL_DIR" && \
+    mkdir "$OPENSSL_DIR" && \
+    cp "$MY_PATH/openssl.conf" "$OPENSSL_DIR" && \
+    sed -i "s|^dir             = .|dir             = $OPENSSL_DIR|" "$OPENSSL_CONF" && \
+    echo 1234 > "$OPENSSL_DIR"/serial && \
+    echo 1234 > "$OPENSSL_DIR"/crlnumber && \
+    touch "$OPENSSL_DIR"/index.txt && \
+    echo "unique_subject = no" > "$OPENSSL_DIR"/index.txt.attr && \
+    mkdir "$OPENSSL_DIR"/newcerts
+    _rc=$?
+    if [ $_rc -eq 0 ]; then
+        echo "Openssl environment successfully prepared"
+    else
+        echo "Failed to prepare openssl environment" >&2
+    fi
+    return $_rc
+}
+
+# $1 - alias
+generate_signed_certificate()
+{
+    _alias=$1
+    _subject="/C=CA/ST=ON/L=Toronto/O=acme/OU=art/CN=$_alias@acme.org"
+    echo "Generating CA signed certificate '$_alias'"
+    openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.self.crt" -subj "$_subject" -sha512 -passout pass:$PASSWORD && \
+    openssl req -config "$OPENSSL_CONF" -new -key "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.csr" -sha512 -subj "$_subject" -passin pass:$PASSWORD && \
+    openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_req -batch -passin pass:$PASSWORD -out "$CERTIFICATES_DIR/$_alias.crt" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -days $VALID_DAYS -infiles "$CERTIFICATES_DIR/$_alias.csr" && \
+    openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/$ROOT_CA.crt" -in "$CERTIFICATES_DIR/$_alias.crt" -inkey "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.jks" -name $_alias -passin pass:"$PASSWORD" -passout pass:"$PASSWORD" && \
+    keytool -importkeystore -srckeystore "$CERTIFICATES_DIR/$_alias.jks" -srcstoretype PKCS12 -storepass "$PASSWORD" -srcstorepass "$PASSWORD" -alias $_alias -deststoretype PKCS12 -destkeystore "$CLIENT_KEYSTORE"
+    _rc=$?
+    if [ $_rc -eq 0 ]; then
+        echo "CA signed certificate '$_alias' successfully generated"
+    else
+        echo "Failed to generate CA signed certificate '$_alias'" >&2
+    fi
+    return $_rc
+}
+
+# $1 - certificate alias
+generate_signed_certificate_with_intermediate_signed_certificate()
+{
+    _alias=$1
+    _intermediate_ca_subject="/C=CA/ST=ON/L=Toronto/O=acme/OU=art/CN=$INTERMEDIATE_CA@acme.org"
+    _subject="/C=CA/ST=ON/L=Toronto/O=acme/OU=art/CN=$_alias@acme.org"
+    echo "Generating CA signed certificate '$_alias' with intermediate CA certificate '$INTERMEDIATE_CA'"
+    openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.crt" -subj "$_intermediate_ca_subject" -sha512 -passout pass:$PASSWORD && \
+    openssl req -config "$OPENSSL_CONF" -verbose -new -key "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.csr" -sha512 -subj "$_intermediate_ca_subject" -passin pass:$PASSWORD && \
+    openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_ca -batch -passin pass:$PASSWORD -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -days $VALID_DAYS -infiles "$CERTIFICATES_DIR/$INTERMEDIATE_CA.csr" && \
+    openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/$ROOT_CA.crt" -in "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -inkey "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.jks" -name $INTERMEDIATE_CA -passin pass:"$PASSWORD" -passout pass:"$PASSWORD"
+    echo "Generating CA signed certificate for '$_alias'" && \
+    openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.self.crt" -subj "$_subject" -sha512 -passout pass:$PASSWORD && \
+    openssl req -config "$OPENSSL_CONF" -verbose -new -key "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.csr" -sha512 -subj "$_subject" -passin pass:$PASSWORD && \
+    openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_req -batch -passin pass:$PASSWORD -out "$CERTIFICATES_DIR/$_alias.crt" -keyfile "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -cert "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -days $VALID_DAYS -infiles "$CERTIFICATES_DIR/$_alias.csr" && \
+    cat "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" "$CERTIFICATES_DIR/$ROOT_CA.crt" > "$CERTIFICATES_DIR/chain_with_intermediate.crt"
+    openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/chain_with_intermediate.crt" -in "$CERTIFICATES_DIR/$_alias.crt" -inkey "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.jks" -name $_alias -passin pass:"$PASSWORD" -passout pass:"$PASSWORD" && \
+    keytool -importkeystore -srckeystore "$CERTIFICATES_DIR/$_alias.jks" -srcstoretype PKCS12 -storepass "$PASSWORD" -srcstorepass "$PASSWORD" -alias $_alias -deststoretype PKCS12 -destkeystore "$CLIENT_KEYSTORE"
+    _rc=$?
+    if [ $_rc -eq 0 ]; then
+        echo "CA signed certificate '$_alias' with intermediate CA certificate '$INTERMEDIATE_CA' successfully generated"
+    else
+        echo "Failed to generate CA signed certificate '$_alias' with intermediate CA certificate '$INTERMEDIATE_CA'" >&2
+    fi
+    return $_rc
+}
+
+generate_expired_certificate()
+{
+    _alias=user1
+    echo "Generating expired certificate '$_alias'"
+    keytool -genkeypair -alias $_alias -dname CN=USER1 -startdate "2010/01/01 12:00:00" -validity $VALID_DAYS -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass "$PASSWORD" -storepass "$PASSWORD" -deststoretype PKCS12 -keystore "$CLIENT_EXPIRED_KEYSTORE" && \
+    keytool -exportcert -keystore "$CLIENT_EXPIRED_KEYSTORE" -storepass "$PASSWORD" -alias $_alias -rfc -file "$CLIENT_EXPIRED_CRT" && \
+    keytool -import -alias $_alias -file "$CLIENT_EXPIRED_CRT" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -sigalg SHA512withRSA -keystore "$BROKER_EXPIRED_TRUSTSTORE"
+    _rc=$?
+    if [ $_rc -eq 0 ]; then
+        echo "Expired certificate '$_alias' successfully generated"
+    else
+        echo "Failed to generate expired certificate '$_alias'" >&2
+    fi
+    return $_rc
+}
+
+generate_signed_broker_certificate()
+{
+    _subject="/C=CA/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=localhost"
+    echo "Generating CA signed certificate '$BROKER_ALIAS'"
+    openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$BROKER_ALIAS.self.key" -out "$CERTIFICATES_DIR/$BROKER_ALIAS.self.crt" -subj "$_subject" -passout pass:$PASSWORD && \
+    openssl req -config "$OPENSSL_CONF" -verbose -new -key "$CERTIFICATES_DIR/$BROKER_ALIAS.self.key" -out "$BROKER_CSR" -sha512 -subj "$_subject" -passin pass:$PASSWORD && \
+    openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_req -batch -passin pass:$PASSWORD -out "$BROKER_CRT" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -days $VALID_DAYS -infiles "$BROKER_CSR" && \
+    openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/$ROOT_CA.crt" -in "$BROKER_CRT" -inkey "$CERTIFICATES_DIR/$BROKER_ALIAS.self.key" -out "$CERTIFICATES_DIR/$BROKER_ALIAS.jks" -name $BROKER_ALIAS -passin pass:"$PASSWORD" -passout pass:"$PASSWORD" && \
+    keytool -importkeystore -srckeystore "$CERTIFICATES_DIR/$BROKER_ALIAS.jks" -srcstoretype PKCS12 -storepass "$PASSWORD" -srcstorepass "$PASSWORD" -alias $BROKER_ALIAS -deststoretype PKCS12 -destkeystore "$BROKER_KEYSTORE"
+    _rc=$?
+    if [ $_rc -eq 0 ]; then
+        echo "CA signed certificate '$BROKER_ALIAS' successfully generated"
+    else
+        echo "Failed to generate CA signed certificate '$BROKER_ALIAS'" >&2
+    fi
+    return $_rc
+}
+
+# $1 - certificate alias
+# $2 - keystore where certificate will be imported
+import_to_keystore()
+{
+    _alias=$1
+    _keystore="$2"
+
+    echo "Importing certificate '$_alias' to keystore '$_keystore'"
+    keytool -import -alias $_alias -file "$CERTIFICATES_DIR/$_alias.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -sigalg SHA512withRSA -keystore "$_keystore"
+    _rc=$?
+    if [ $_rc -eq 0 ]; then
+        echo "Certificate '$_alias' successfully imported to keystore '$_keystore'"
+    else
+        echo "Failed to import certificate '$_alias' to keystore '$_keystore'" >&2
+    fi
+    return $_rc
+}
+
+generate_untrusted_client_certificate()
+{
+    _alias=untrusted_client
+
+    echo "Generating untrusted certificate '$_alias'"
+    keytool -genkeypair -alias $_alias -dname CN=$_alias -validity $VALID_DAYS -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass "$PASSWORD" -storepass "$PASSWORD" -deststoretype PKCS12 -keystore "$CLIENT_UNTRUSTED_KEYSTORE"
+    _rc=$?
+    if [ $_rc -eq 0 ]; then
+        echo "Untrusted certificate '$_alias' successfully generated"
+    else
+        echo "Failed to generate untrusted certificate '$_alias'" >&2
+    fi
+    return $_rc
+}
+
+add_certificate_crl_distribution_point()
+{
+    echo "Add CRL distribution points to openssl configuration"
+    sed -i "/\[ v3_req \]/a crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.crl" "$OPENSSL_CONF" && \
+    sed -i "/\[ v3_ca \]/a crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.crl" "$OPENSSL_CONF"
+    _rc=$?
+    if [ $_rc -eq 0 ]; then
+        echo "CRL distribution points successfully addded"
+    else
+        echo "Failed to add CRL distribution points" >&2
+    fi
+    return $_rc
+}
+
+set_certificate_crl_distribution_point_to_intermediate_ca()
+{
+    echo "Setting CRL distribution point for intermediate CA certificate '$INTERMEDIATE_CA'"
+    sed -i -z "s|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.crl|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$INTERMEDIATE_CA.crl|" "$OPENSSL_CONF"
+    _rc=$?
+    if [ $_rc -eq 0 ]; then
+        echo "CRL distribution point for intermediate CA certificate '$INTERMEDIATE_CA' successfully set"
+    else
+        echo "Failed to set CRL distribution point for intermediate CA certificate '$INTERMEDIATE_CA'" >&2
+    fi
+    return $_rc
+}
+
+set_certificate_crl_distribution_point_to_empty_crl()
+{
+    echo "Setting CRL distribution point to empty CRL"
+    sed -i -z "s|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$INTERMEDIATE_CA.crl|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.empty.crl|" "$OPENSSL_CONF"
+    _rc=$?
+    if [ $_rc -eq 0 ]; then
+        echo "CRL distribution point to empty CRL successfully set"
+    else
+        echo "Failed to set CRL distribution to empty CRL" >&2
+    fi
+    return $_rc
+}
+
+set_certificate_crl_distribution_point_to_invalid_crl_path()
+{
+    echo "Setting CRL distribution point to invalid CRL path"
+    sed -i "s|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.empty.crl|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/not/a/crl|" "$OPENSSL_CONF"
+    _rc=$?
+    if [ $_rc -eq 0 ]; then
+        echo "CRL distribution point to invalid CRL path successfully set"
+    else
+        echo "Failed to set CRL distribution to invalid CRL path" >&2
+    fi
+    return $_rc
+}
+
+generate_intermediate_crl()
+{
+    echo "Generating intermediate CA certificate '$INTERMEDIATE_CA' CRL"
+    openssl ca -config "$OPENSSL_CONF" -passin pass:$PASSWORD -gencrl -keyfile "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -cert "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crl.pem" && \
+    openssl crl -inform PEM -in "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crl.pem" -outform DER -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crl"
+    _rc=$?
+    if [ $_rc -eq 0 ]; then
+        echo "Intermediate CA certificate '$INTERMEDIATE_CA' CRL successfully generated"
+    else
+        echo "Failed to generate intermediate CA certificate '$INTERMEDIATE_CA' CRL" >&2
+    fi
+    return $_rc
+}
+
+
+# $1 - part of CRL file name
+generate_crl()
+{
+    _crl_name_part=$1
+    _crl_path_prefix=
+    if [ -n "$_crl_name_part" ]; then
+        _crl_path_prefix="$CERTIFICATES_DIR/$ROOT_CA.$_crl_name_part"
+    else
+        _crl_path_prefix="$CERTIFICATES_DIR/$ROOT_CA"
+    fi
+
+    echo "Generating certificate '$ROOT_CA' CRL to '$_crl_path_prefix'"
+    openssl ca -config "$OPENSSL_CONF" -passin pass:$PASSWORD -gencrl -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -out "$_crl_path_prefix.crl.pem" && \
+    openssl crl -inform PEM -in "$_crl_path_prefix.crl.pem" -outform DER -out "$_crl_path_prefix.crl"
+    _rc=$?
+    if [ $_rc -eq 0 ]; then
+        echo "Certificate '$ROOT_CA' CRL successfully generated to '$_crl_path_prefix'"
+    else
+        echo "Failed to generate certificate '$ROOT_CA' CRL to '$_crl_path_prefix'" >&2
+    fi
+    return $_rc
+}
+
+revoke_certificate()
+{
+    _alias=$1
+
+    echo "Revoking certificate '$_alias'"
+    openssl ca -config "$OPENSSL_CONF" -passin pass:$PASSWORD -revoke "$CERTIFICATES_DIR/$_alias.crt" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt"
+    _rc=$?
+    if [ $_rc -eq 0 ]; then
+        echo "Certificate '$_alias' successfully revoked"
+    else
+        echo "Failed to revoke certificate '$_alias'" >&2
+    fi
+    return $_rc
+}
+
+prepare_test_keystores()
+{
+    echo "Preparing test keystores"
+    cp "$BROKER_KEYSTORE" "$TEST_KEYSTORE" && \
+    import_to_keystore "app1" "$TEST_KEYSTORE" && \
+    import_to_keystore "app2" "$TEST_KEYSTORE" && \
+    cp "$BROKER_KEYSTORE" "$TEST_PK_ONLY_KEYSTORE" && \
+    keytool -delete -v -alias rootca -storepass password -keystore "$TEST_PK_ONLY_KEYSTORE" && \
+    cp "$BROKER_KEYSTORE" "$TEST_CERT_ONLY_KEYSTORE" && \
+    keytool -delete -v -alias $BROKER_ALIAS -storepass password -keystore "$TEST_CERT_ONLY_KEYSTORE" && \
+    cp "$BROKER_KEYSTORE" "$TEST_SYMMETRIC_KEY_KEYSTORE" && \
+    keytool -genseckey -alias testalias -keyalg AES -keysize 256 -storetype PKCS12 -storepass "$PASSWORD" -keystore "$TEST_SYMMETRIC_KEY_KEYSTORE" && \
+    cp "$TEST_PK_ONLY_KEYSTORE" "$TEST_EMPTY_KEYSTORE"
+    keytool -delete -v -alias $BROKER_ALIAS -storepass password -keystore "$TEST_EMPTY_KEYSTORE" && \
+    _rc=$?
+    if [ $_rc -eq 0 ]; then
+        echo "Test keystores prepared"
+    else
+        echo "Failed to prepare keystores" >&2
+    fi
+    return $_rc
+}
+
+main()
+{
+    prepare_openssl_environment && \
+    generate_selfsigned_ca && \
+    generate_signed_certificate "app1" && \
+    generate_signed_certificate "app2" && \
+    generate_expired_certificate && \
+    generate_signed_broker_certificate && \
+    import_to_keystore "app1" "$BROKER_PEERSTORE" && \
+    generate_untrusted_client_certificate && \
+    add_certificate_crl_distribution_point && \
+    generate_signed_certificate "allowed_by_ca" && \
+    generate_signed_certificate "revoked_by_ca" && \
+    set_certificate_crl_distribution_point_to_intermediate_ca && \
+    generate_signed_certificate_with_intermediate_signed_certificate "allowed_by_ca_with_intermediate" && \
+    generate_intermediate_crl && \
+    set_certificate_crl_distribution_point_to_empty_crl && \
+    generate_signed_certificate "revoked_by_ca_empty_crl" && \
+    set_certificate_crl_distribution_point_to_invalid_crl_path && \
+    generate_signed_certificate "revoked_by_ca_invalid_crl_path" && \
+    generate_crl "empty" && \
+    revoke_certificate "$INTERMEDIATE_CA" && \
+    revoke_certificate "revoked_by_ca" && \
+    revoke_certificate "revoked_by_ca_empty_crl" && \
+    revoke_certificate "revoked_by_ca_invalid_crl_path" && \
+    generate_crl && \
+    prepare_test_keystores
+}
+
+if [ "$DEBUG" = true ]; then
+    main
+else
+    main 2>/dev/null 1>&2
+fi
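Review bot: The `&&` chains in `prepare_test_keystores` and `generate_signed_certificate_with_intermediate_signed_certificate` are broken, so a failed step can still be reported as success. In `prepare_test_keystores` the `cp "$TEST_PK_ONLY_KEYSTORE" "$TEST_EMPTY_KEYSTORE"` line has no trailing `&& \`, while the final `keytool -delete` line ends in `&& \` and so reads `keytool … && _rc=$?`. When that keytool call fails, `_rc` is never assigned and keeps the value an earlier function left in the (global) variable. The fix is to end the `cp` line with `&& \` and drop the `&& \` after the last `keytool -delete`; in the intermediate-CA function the `openssl pkcs12 -export … "$CERTIFICATES_DIR/$INTERMEDIATE_CA.jks"` line and the `cat … > "$CERTIFICATES_DIR/chain_with_intermediate.crt"` line need the same trailing `&& \`. These fixtures back the revocation tests and `main` runs with all output discarded unless `DEBUG=true`, so a partial failure would leave stale or incomplete certificates and CRLs with no visible signal.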
diff --git a/qpid-test-utils/src/main/resources/ssl/openssl.conf b/qpid-test-utils/src/main/resources/ssl/openssl.conf
new file mode 100644
index 0000000..ad224d7
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/openssl.conf
@@ -0,0 +1,380 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# System default
+openssl_conf = default_conf
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir             = .
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several certs with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem# The private key
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= default		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName = optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 2048
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= AU
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Some-State
+
+localityName			= Locality Name (eg, city)
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (e.g. server FQDN or YOUR name)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+# Extensions for a typical CA
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1	# the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir		= ./demoCA		# TSA root directory
+serial		= $dir/tsaserial	# The current serial number (mandatory)
+crypto_device	= builtin		# OpenSSL engine to use for signing
+signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+					# (optional)
+certs		= $dir/cacert.pem	# Certificate chain to include in reply
+					# (optional)
+signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest  = sha512			# Signing digest to use. (Optional)
+default_policy	= tsa_policy1		# Policy if request did not specify it
+					# (optional)
+other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
+accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+clock_precision_digits  = 0	# number of digits after dot. (optional)
+ordering		= yes	# Is ordering defined for timestamps?
+				# (optional, default: no)
+tsa_name		= yes	# Must the TSA name be included in the reply?
+				# (optional, default: no)
+ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+				# (optional, default: no)
+ess_cert_id_alg		= sha1	# algorithm to compute certificate
+				# identifier (optional, default: sha1)
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+MinProtocol = TLSv1.2
+CipherString = DEFAULT@SECLEVEL=2
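Review bot: Nothing at `dir             = .` in `[ CA_default ]`, or at the `[ v3_req ]` and `[ v3_ca ]` section headers, says that generate_certificates.sh rewrites these lines with `sed`, matching their exact spelling and spacing. Reformatting any of them turns the substitution into a silent no-op, because sed still exits 0. `openssl ca` would then run against `.` or issue certificates without `crlDistributionPoints`, and the revocation tests would exercise fixtures that carry no CRL pointer. I would add a comment above each of the three lines, e.g. `# Patched by generate_certificates.sh (sed): keep this line's exact spelling and spacing.`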
diff --git a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/endtoend/port/PortTest.java b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/endtoend/port/PortTest.java
index 81d7881..5302ea3 100644
--- a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/endtoend/port/PortTest.java
+++ b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/endtoend/port/PortTest.java
@@ -333,7 +333,7 @@ public class PortTest extends HttpTestBase
         final java.security.KeyStore ks = java.security.KeyStore.getInstance(JAVA_KEYSTORE_TYPE);
         ks.load(null);
         ks.setCertificateEntry("certificate", certificate);
-        final File storeFile = File.createTempFile(getTestName(), ".pkcs12");
+        final File storeFile = File.createTempFile(getTestName(), ".jks");
         try (FileOutputStream fos = new FileOutputStream(storeFile))
         {
             ks.store(fos, PASS.toCharArray());
diff --git a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/management/AmqpManagementTest.java b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/management/AmqpManagementTest.java
index d6aa747..6b55c87 100644
--- a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/management/AmqpManagementTest.java
+++ b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/management/AmqpManagementTest.java
@@ -22,9 +22,6 @@ package org.apache.qpid.systests.jms_1_1.extensions.management;
 
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.apache.qpid.server.model.Queue.ALERT_THRESHOLD_QUEUE_DEPTH_MESSAGES;
-import static org.apache.qpid.systests.jms_1_1.extensions.tls.TlsTest.TRUSTSTORE;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
-import static org.apache.qpid.test.utils.TestSSLConstants.TRUSTSTORE_PASSWORD;
 import static org.hamcrest.CoreMatchers.is;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
@@ -55,6 +52,7 @@ import javax.jms.Session;
 import javax.naming.NamingException;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.qpid.test.utils.TestSSLConstants;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
@@ -81,8 +79,8 @@ public class AmqpManagementTest extends JmsTestBase
         // legacy client keystore/truststore types can only be configured with JVM settings
         if (getProtocol() != Protocol.AMQP_1_0)
         {
-            System.setProperty("javax.net.ssl.trustStoreType", JAVA_KEYSTORE_TYPE);
-            System.setProperty("javax.net.ssl.keyStoreType", JAVA_KEYSTORE_TYPE);
+            System.setProperty("javax.net.ssl.trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
+            System.setProperty("javax.net.ssl.keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
         }
     }
 
@@ -693,8 +691,8 @@ public class AmqpManagementTest extends JmsTestBase
 
         Connection connection = getConnectionBuilder().setTls(true)
                                                       .setPort(tlsPort)
-                                                      .setTrustStoreLocation(TRUSTSTORE)
-                                                      .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+                                                      .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+                                                      .setTrustStorePassword(TestSSLConstants.PASSWORD)
                                                       .build();
         try
         {
diff --git a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/sasl/AuthenticationTest.java b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/sasl/AuthenticationTest.java
index e5f033f..c808b45 100644
--- a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/sasl/AuthenticationTest.java
+++ b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/sasl/AuthenticationTest.java
@@ -20,21 +20,6 @@
  */
 package org.apache.qpid.systests.jms_1_1.extensions.sasl;
 
-import static org.apache.qpid.systests.jms_1_1.extensions.tls.TlsTest.BROKER_KEYSTORE;
-import static org.apache.qpid.systests.jms_1_1.extensions.tls.TlsTest.BROKER_TRUSTSTORE;
-import static org.apache.qpid.systests.jms_1_1.extensions.tls.TlsTest.KEYSTORE;
-import static org.apache.qpid.systests.jms_1_1.extensions.tls.TlsTest.TEST_PROFILE_RESOURCE_BASE;
-import static org.apache.qpid.systests.jms_1_1.extensions.tls.TlsTest.TRUSTSTORE;
-import static org.apache.qpid.test.utils.TestSSLConstants.BROKER_KEYSTORE_PASSWORD;
-import static org.apache.qpid.test.utils.TestSSLConstants.BROKER_PEERSTORE;
-import static org.apache.qpid.test.utils.TestSSLConstants.BROKER_PEERSTORE_PASSWORD;
-import static org.apache.qpid.test.utils.TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD;
-import static org.apache.qpid.test.utils.TestSSLConstants.CERT_ALIAS_APP1;
-import static org.apache.qpid.test.utils.TestSSLConstants.CERT_ALIAS_APP2;
-import static org.apache.qpid.test.utils.TestSSLConstants.EXPIRED_KEYSTORE;
-import static org.apache.qpid.test.utils.TestSSLConstants.KEYSTORE_PASSWORD;
-import static org.apache.qpid.test.utils.TestSSLConstants.TRUSTSTORE_PASSWORD;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
 import static org.hamcrest.CoreMatchers.anyOf;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.is;
@@ -44,6 +29,11 @@ import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.fail;
 import static org.junit.Assume.assumeThat;
 
+import java.io.IOException;
+import java.io.OutputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
@@ -53,7 +43,17 @@ import javax.jms.Connection;
 import javax.jms.JMSException;
 import javax.jms.Session;
 import javax.jms.TemporaryQueue;
-
+import javax.naming.NamingException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.qpid.server.security.FileTrustStoreTest;
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.ServerConnector;
+import org.eclipse.jetty.server.handler.AbstractHandler;
+import org.eclipse.jetty.server.handler.ContextHandler;
+import org.eclipse.jetty.server.handler.HandlerCollection;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
@@ -81,6 +81,11 @@ public class AuthenticationTest extends JmsTestBase
     private static final Logger LOGGER = LoggerFactory.getLogger(AuthenticationTest.class);
     private static final String USER = "user";
     private static final String USER_PASSWORD = "user";
+    // see how port is specified when certificates are generated in script
+    // test-profiles/test_resources/ssl/generate_certificates.sh
+    private static final int CRL_HTTP_PORT = 8186;
+    private static final Server CRL_SERVER = new Server();
+    private static final HandlerCollection HANDLERS = new HandlerCollection();
 
     @BeforeClass
     public static void setUp() throws Exception
@@ -96,9 +101,18 @@ public class AuthenticationTest extends JmsTestBase
         // legacy client keystore/truststore types can only be configured with JVM settings
         if (getProtocol() != Protocol.AMQP_1_0)
         {
-            System.setProperty("javax.net.ssl.trustStoreType", JAVA_KEYSTORE_TYPE);
-            System.setProperty("javax.net.ssl.keyStoreType", JAVA_KEYSTORE_TYPE);
-        }
+            System.setProperty("javax.net.ssl.trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
+            System.setProperty("javax.net.ssl.keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        }
+        final ServerConnector connector = new ServerConnector(CRL_SERVER);
+        connector.setPort(CRL_HTTP_PORT);
+        connector.setHost("localhost");
+        CRL_SERVER.addConnector(connector);
+        createContext(Paths.get(TestSSLConstants.CA_CRL));
+        createContext(Paths.get(TestSSLConstants.CA_CRL_EMPTY));
+        createContext(Paths.get(TestSSLConstants.INTERMEDIATE_CA_CRL));
+        CRL_SERVER.setHandler(HANDLERS);
+        CRL_SERVER.start();
     }
 
     @AfterClass
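Review bot: `CRL_SERVER.start()` at the end of setUp() lets a bind failure on port 8186 propagate out of @BeforeClass, so every test in the class errors, including the SASL tests that never touch the CRL endpoint. The `assumeThat(..., CRL_SERVER, is(not(equalTo(null))))` guards added to the CRL-URL tests cannot skip anything either, because CRL_SERVER is a static final `new Server()` and is never null. Consider catching and logging the start failure here and changing the guards to `assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'", CRL_SERVER.isStarted(), is(true));`. The `CRL_SERVER.stop()` added to tearDown() follows the other cleanup instead of sitting in a `finally`, so an exception there would leave the listener bound. Both setUp() and tearDown() start outside their hunks, so their earlier statements are not visible.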
@@ -115,6 +129,7 @@ public class AuthenticationTest extends JmsTestBase
             System.clearProperty("javax.net.ssl.trustStoreType");
             System.clearProperty("javax.net.ssl.keyStoreType");
         }
+        CRL_SERVER.stop();
     }
 
 
@@ -125,49 +140,49 @@ public class AuthenticationTest extends JmsTestBase
                    getProtocol(),
                    is(not(equalTo(Protocol.AMQP_1_0))));
 
-        int port = createAuthenticationProviderAndUserAndPort(getTestName(), "MD5", USER, USER_PASSWORD);
+        final int port = createAuthenticationProviderAndUserAndPort(getTestName(), "MD5", USER, USER_PASSWORD);
 
-        assertConnectivity(port, USER, USER_PASSWORD, CramMd5HashedNegotiator.MECHANISM);
+        assertPlainConnectivity(port, USER, USER_PASSWORD, CramMd5HashedNegotiator.MECHANISM);
     }
 
     @Test
     public void sha256() throws Exception
     {
-        int port = createAuthenticationProviderAndUserAndPort(getTestName(),
+        final int port = createAuthenticationProviderAndUserAndPort(getTestName(),
                                                               ScramSHA256AuthenticationManager.PROVIDER_TYPE,
                                                               USER,
                                                               USER_PASSWORD);
 
-        assertConnectivity(port, USER, USER_PASSWORD, ScramSHA256AuthenticationManager.MECHANISM);
+        assertPlainConnectivity(port, USER, USER_PASSWORD, ScramSHA256AuthenticationManager.MECHANISM);
     }
 
     @Test
     public void sha1() throws Exception
     {
-        int port = createAuthenticationProviderAndUserAndPort(getTestName(),
+        final int port = createAuthenticationProviderAndUserAndPort(getTestName(),
                                                               ScramSHA1AuthenticationManager.PROVIDER_TYPE,
                                                               USER,
                                                               USER_PASSWORD);
 
-        assertConnectivity(port, USER, USER_PASSWORD, ScramSHA1AuthenticationManager.MECHANISM);
+        assertPlainConnectivity(port, USER, USER_PASSWORD, ScramSHA1AuthenticationManager.MECHANISM);
     }
 
     @Test
     public void external() throws Exception
     {
-        int port = createExternalProviderAndTlsPort();
+        final int port = createExternalProviderAndTlsPort();
 
         Connection connection = getConnectionBuilder().setPort(port)
                                                       .setTls(true)
                                                       .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
-                                                      .setKeyStoreLocation(KEYSTORE)
-                                                      .setKeyStorePassword(KEYSTORE_PASSWORD)
-                                                      .setTrustStoreLocation(TRUSTSTORE)
-                                                      .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+                                                      .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
+                                                      .setKeyStorePassword(TestSSLConstants.PASSWORD)
+                                                      .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+                                                      .setTrustStorePassword(TestSSLConstants.PASSWORD)
                                                       .build();
         try
         {
-            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+            final Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
             assertNotNull("Temporary queue was not created", session.createTemporaryQueue());
         }
         finally
@@ -176,30 +191,191 @@ public class AuthenticationTest extends JmsTestBase
         }
     }
 
+    public void externalWithRevocationWithDataUrlCrlFileAndAllowedCertificate() throws Exception
+    {
+        final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL,
+                FileTrustStoreTest.createDataUrlForFile(TestSSLConstants.CA_CRL));
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+    }
+
     @Test
-    public void externalDeniesUntrustedClientCert() throws Exception
+    public void externalWithRevocationWithDataUrlCrlFileAndRevokedCertificate() throws Exception
     {
-        assumeThat("QPID-8069", getProtocol(), is(anyOf(equalTo(Protocol.AMQP_1_0), equalTo(Protocol.AMQP_0_10))));
+        final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL,
+                FileTrustStoreTest.createDataUrlForFile(TestSSLConstants.CA_CRL));
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+        assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED);
+    }
 
-        int port = createExternalProviderAndTlsPort();
+    @Test
+    public void externalWithRevocationWithCrlFileAndAllowedCertificate() throws Exception
+    {
+        final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+    }
 
-        try
-        {
-            getConnectionBuilder().setPort(port)
-                                  .setTls(true)
-                                  .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
-                                  .setKeyStoreLocation(KEYSTORE)
-                                  .setKeyStorePassword(KEYSTORE_PASSWORD)
-                                  .setTrustStoreLocation(TRUSTSTORE)
-                                  .setTrustStorePassword(TRUSTSTORE_PASSWORD)
-                                  .setKeyAlias(TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT)
-                                  .build();
-            fail("Connection should not succeed");
-        }
-        catch (JMSException e)
-        {
-            // pass
-        }
+    @Test
+    public void externalWithRevocationWithCrlFileAndAllowedCertificateWithoutPreferCrls() throws Exception
+    {
+        final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST, false);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+        assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+    }
+
+    @Test
+    public void externalWithRevocationWithCrlFileAndRevokedCertificate() throws Exception
+    {
+        final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+        assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED);
+    }
+
+    @Test
+    public void externalWithRevocationWithEmptyCrlFileAndRevokedCertificate() throws Exception
+    {
+        final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL_EMPTY);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+    }
+
+    @Test
+    public void externalWithRevocationAndAllowedCertificateWithCrlUrl() throws Exception
+    {
+        assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
+                CRL_SERVER, is(not(equalTo(null))));
+        final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+    }
+
+    @Test
+    public void externalWithRevocationAndRevokedCertificateWithCrlUrl() throws Exception
+    {
+        assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
+                CRL_SERVER, is(not(equalTo(null))));
+        final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+        assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED);
+    }
+
+    @Test
+    public void externalWithRevocationAndRevokedCertificateWithCrlUrlWithEmptyCrl() throws Exception
+    {
+        assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
+                CRL_SERVER, is(not(equalTo(null))));
+        final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED_EMPTY_CRL);
+    }
+
+    @Test
+    public void externalWithRevocationDisabledWithCrlFileAndRevokedCertificate() throws Exception
+    {
+        final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, false);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED);
+    }
+
+    @Test
+    public void externalWithRevocationDisabledWithCrlUrlInRevokedCertificate() throws Exception
+    {
+        assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
+                CRL_SERVER, is(not(equalTo(null))));
+        final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, false);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED);
+    }
+
+    @Test
+    public void externalWithRevocationAndRevokedCertificateWithCrlUrlWithSoftFail() throws Exception
+    {
+        assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
+                CRL_SERVER, is(not(equalTo(null))));
+        final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_IGNORING_SOFT_FAILURES, true);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED_INVALID_CRL_PATH);
+    }
+
+    @Test
+    public void externalWithRevocationAndRevokedCertificateWithCrlUrlWithoutPreferCrls() throws Exception
+    {
+        assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
+                CRL_SERVER, is(not(equalTo(null))));
+        final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST, false);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+        assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+    }
+
+    @Test
+    public void externalWithRevocationAndRevokedCertificateWithCrlUrlWithoutPreferCrlsWithFallback() throws Exception
+    {
+        assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
+                CRL_SERVER, is(not(equalTo(null))));
+        final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST, false);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_NO_FALLBACK, false);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+    }
+
+    @Test
+    public void externalWithRevocationAndRevokedIntermediateCertificateWithCrlUrl() throws Exception
+    {
+        assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
+                CRL_SERVER, is(not(equalTo(null))));
+        final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_OF_ONLY_END_ENTITY_CERTIFICATES, false);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_IGNORING_SOFT_FAILURES, true);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+        assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE);
+    }
+
+    @Test
+    public void externalWithRevocationAndRevokedIntermediateCertificateWithCrlUrlOnlyEndEntity() throws Exception
+    {
+        assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
+                CRL_SERVER, is(not(equalTo(null))));
+        final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_OF_ONLY_END_ENTITY_CERTIFICATES, true);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_IGNORING_SOFT_FAILURES, true);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE);
+    }
+
+    @Test
+    public void externalDeniesUntrustedClientCert() throws Exception
+    {
+        assumeThat("QPID-8069", getProtocol(), is(anyOf(equalTo(Protocol.AMQP_1_0), equalTo(Protocol.AMQP_0_10))));
+        final int port = createExternalProviderAndTlsPort();
+        assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT);
     }
 
     @Test
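Review bot: `externalWithRevocationWithDataUrlCrlFileAndAllowedCertificate()` is added without `@Test`, so JUnit 4 never runs it and the positive case for a data-URL CRL is silently missing from the revocation coverage. The `@Test` context line after it now belongs to the RevokedCertificate variant, so add `@Test` above the method. Separately, `externalWithRevocationWithEmptyCrlFileAndRevokedCertificate()` connects with `TestSSLConstants.CERT_ALIAS_ALLOWED`, so it does not exercise a revoked certificate against the empty CRL as its name says; use the alias the name implies or rename the test, whichever was intended. The helpers `assertTlsConnectivity` and `assertNoTlsConnectivity` are defined outside this hunk.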
@@ -207,21 +383,21 @@ public class AuthenticationTest extends JmsTestBase
     {
         assumeThat("QPID-8069", getProtocol(), is(anyOf(equalTo(Protocol.AMQP_1_0), equalTo(Protocol.AMQP_0_10))));
 
-        Map<String, Object> trustStoreAttributes = new HashMap<>();
-        trustStoreAttributes.put(FileTrustStore.STORE_URL, TEST_PROFILE_RESOURCE_BASE + BROKER_PEERSTORE);
-        trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_PEERSTORE_PASSWORD);
+        final Map<String, Object> trustStoreAttributes = new HashMap<>();
+        trustStoreAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE);
+        trustStoreAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
         trustStoreAttributes.put(FileTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
-        int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
 
         try
         {
             getConnectionBuilder().setPort(port)
                                   .setTls(true)
                                   .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
-                                  .setKeyStoreLocation(TEST_PROFILE_RESOURCE_BASE + EXPIRED_KEYSTORE)
-                                  .setKeyStorePassword(KEYSTORE_PASSWORD)
-                                  .setTrustStoreLocation(TRUSTSTORE)
-                                  .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+                                  .setKeyStoreLocation(TestSSLConstants.CLIENT_EXPIRED_KEYSTORE)
+                                  .setKeyStorePassword(TestSSLConstants.PASSWORD)
+                                  .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+                                  .setTrustStorePassword(TestSSLConstants.PASSWORD)
                                   .build();
             fail("Connection should not succeed");
         }
@@ -234,64 +410,27 @@ public class AuthenticationTest extends JmsTestBase
     @Test
     public void externalWithPeersOnlyTrustStore() throws Exception
     {
-        Map<String, Object> trustStoreAttributes = new HashMap<>();
-        trustStoreAttributes.put(FileTrustStore.STORE_URL, TEST_PROFILE_RESOURCE_BASE + BROKER_PEERSTORE);
-        trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_PEERSTORE_PASSWORD);
+        final Map<String, Object> trustStoreAttributes = new HashMap<>();
+        trustStoreAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE);
+        trustStoreAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
         trustStoreAttributes.put(FileTrustStore.PEERS_ONLY, true);
-        int port = createExternalProviderAndTlsPort(trustStoreAttributes);
-
-        Connection connection = getConnectionBuilder().setPort(port)
-                                                      .setTls(true)
-                                                      .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
-                                                      .setKeyStoreLocation(KEYSTORE)
-                                                      .setKeyStorePassword(KEYSTORE_PASSWORD)
-                                                      .setTrustStoreLocation(TRUSTSTORE)
-                                                      .setTrustStorePassword(TRUSTSTORE_PASSWORD)
-                                                      .setKeyAlias(CERT_ALIAS_APP1)
-                                                      .build();
-        try
-        {
-            connection.createSession(false, Session.AUTO_ACKNOWLEDGE).close();
-        }
-        finally
-        {
-            connection.close();
-        }
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_APP1);
 
         assumeThat("QPID-8069", getProtocol(), is(anyOf(equalTo(Protocol.AMQP_1_0), equalTo(Protocol.AMQP_0_10))));
-        try
-        {
-
-            getConnectionBuilder().setPort(port)
-                                  .setTls(true)
-                                  .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
-                                  .setKeyStoreLocation(KEYSTORE)
-                                  .setKeyStorePassword(KEYSTORE_PASSWORD)
-                                  .setTrustStoreLocation(TRUSTSTORE)
-                                  .setTrustStorePassword(TRUSTSTORE_PASSWORD)
-                                  .setKeyAlias(CERT_ALIAS_APP2)
-                                  .build();
-            fail("app2 certificate is NOT in the peerstore");
-        }
-        catch (JMSException e)
-        {
-            // pass
-        }
-
+        assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_APP2);
     }
 
     @Test
     public void externalWithRegularAndPeersOnlyTrustStores() throws Exception
     {
-        String trustStoreName = getTestName() + "RegularTrustStore";
-        Connection brokerConnection = getConnectionBuilder().setVirtualHost("$management").build();
+        final String trustStoreName = getTestName() + "RegularTrustStore";
+        final Connection brokerConnection = getConnectionBuilder().setVirtualHost("$management").build();
         try
         {
             brokerConnection.start();
 
-            Map<String, Object> trustStoreAttributes = new HashMap<>();
-            trustStoreAttributes.put(FileTrustStore.STORE_URL, BROKER_TRUSTSTORE);
-            trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_TRUSTSTORE_PASSWORD);
+            final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
             trustStoreAttributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
             createEntity(trustStoreName,
@@ -305,68 +444,32 @@ public class AuthenticationTest extends JmsTestBase
             brokerConnection.close();
         }
 
-        Map<String, Object> trustStoreAttributes = new HashMap<>();
-        trustStoreAttributes.put(FileTrustStore.STORE_URL, TEST_PROFILE_RESOURCE_BASE + BROKER_PEERSTORE);
-        trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_PEERSTORE_PASSWORD);
+        final Map<String, Object> trustStoreAttributes = new HashMap<>();
+        trustStoreAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE);
+        trustStoreAttributes.put(FileTrustStore.PASSWORD,TestSSLConstants.PASSWORD);
         trustStoreAttributes.put(FileTrustStore.PEERS_ONLY, true);
-        int port = createExternalProviderAndTlsPort(trustStoreAttributes, trustStoreName, false);
-
-        Connection connection = getConnectionBuilder().setPort(port)
-                                                      .setTls(true)
-                                                      .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
-                                                      .setKeyStoreLocation(KEYSTORE)
-                                                      .setKeyStorePassword(KEYSTORE_PASSWORD)
-                                                      .setTrustStoreLocation(TRUSTSTORE)
-                                                      .setTrustStorePassword(TRUSTSTORE_PASSWORD)
-                                                      .setKeyAlias(CERT_ALIAS_APP1)
-                                                      .build();
-        try
-        {
-            connection.createSession(false, Session.AUTO_ACKNOWLEDGE).close();
-        }
-        finally
-        {
-            connection.close();
-        }
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, trustStoreName, false);
+        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_APP1);
 
         //use the app2 cert, which is NOT in the peerstore (but is signed by the same CA as app1)
-        Connection connection2 = getConnectionBuilder().setPort(port)
-                              .setTls(true)
-                              .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
-                              .setKeyStoreLocation(KEYSTORE)
-                              .setKeyStorePassword(KEYSTORE_PASSWORD)
-                              .setTrustStoreLocation(TRUSTSTORE)
-                              .setTrustStorePassword(TRUSTSTORE_PASSWORD)
-                              .setKeyAlias(CERT_ALIAS_APP2)
-                              .build();
-
-        try
-        {
-            connection2.createSession(false, Session.AUTO_ACKNOWLEDGE).createTemporaryQueue();
-        }
-        finally
-        {
-            connection2.close();
-        }
+        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_APP2);
     }
 
     @Test
     public void externalUsernameAsDN() throws Exception
     {
-        Map<String, Object> trustStoreAttributes = new HashMap<>();
-        trustStoreAttributes.put(FileTrustStore.STORE_URL, BROKER_TRUSTSTORE);
-        trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_TRUSTSTORE_PASSWORD);
+        final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
 
-        String clientId = getTestName();
-        int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, true);
-        Connection connection = getConnectionBuilder().setPort(port)
+        final String clientId = getTestName();
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, true);
+        final Connection connection = getConnectionBuilder().setPort(port)
                                                       .setTls(true)
                                                       .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
-                                                      .setKeyStoreLocation(KEYSTORE)
-                                                      .setKeyStorePassword(KEYSTORE_PASSWORD)
-                                                      .setTrustStoreLocation(TRUSTSTORE)
-                                                      .setTrustStorePassword(TRUSTSTORE_PASSWORD)
-                                                      .setKeyAlias(CERT_ALIAS_APP2)
+                                                      .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
+                                                      .setKeyStorePassword(TestSSLConstants.PASSWORD)
+                                                      .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+                                                      .setTrustStorePassword(TestSSLConstants.PASSWORD)
+                                                      .setKeyAlias(TestSSLConstants.CERT_ALIAS_APP2)
                                                       .setClientId(clientId)
                                                       .build();
         try
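Review bot: The TLS builder chain kept in externalUsernameAsDN (and again in externalUsernameAsCN in the next hunk) repeats the key store, trust store and SASL settings that the new `getConnection(port, certificateAlias)` helper already centralises; it differs only in `setClientId(clientId)`. An overload such as `private Connection getConnection(int port, String certificateAlias, String clientId)` would keep the client certificate material in one place, so a later change to the test stores cannot leave these two tests on stale settings. There is also a missing space in `trustStoreAttributes.put(FileTrustStore.PASSWORD,TestSSLConstants.PASSWORD);`. The body of externalUsernameAsDN continues past the end of this hunk.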
@@ -386,20 +489,18 @@ public class AuthenticationTest extends JmsTestBase
     @Test
     public void externalUsernameAsCN() throws Exception
     {
-        Map<String, Object> trustStoreAttributes = new HashMap<>();
-        trustStoreAttributes.put(FileTrustStore.STORE_URL, BROKER_TRUSTSTORE);
-        trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_TRUSTSTORE_PASSWORD);
+        final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
 
-        String clientId = getTestName();
-        int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
-        Connection connection = getConnectionBuilder().setPort(port)
+        final String clientId = getTestName();
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+        final Connection connection = getConnectionBuilder().setPort(port)
                                                       .setTls(true)
                                                       .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
-                                                      .setKeyStoreLocation(KEYSTORE)
-                                                      .setKeyStorePassword(KEYSTORE_PASSWORD)
-                                                      .setTrustStoreLocation(TRUSTSTORE)
-                                                      .setTrustStorePassword(TRUSTSTORE_PASSWORD)
-                                                      .setKeyAlias(CERT_ALIAS_APP2)
+                                                      .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
+                                                      .setKeyStorePassword(TestSSLConstants.PASSWORD)
+                                                      .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+                                                      .setTrustStorePassword(TestSSLConstants.PASSWORD)
+                                                      .setKeyAlias(TestSSLConstants.CERT_ALIAS_APP2)
                                                       .setClientId(clientId)
                                                       .build();
         try
@@ -418,17 +519,17 @@ public class AuthenticationTest extends JmsTestBase
 
     private void assertConnectionPrincipal(final String clientId, final String expectedPrincipal) throws Exception
     {
-        Connection brokerConnection = getConnectionBuilder().setVirtualHost("$management").build();
+        final Connection brokerConnection = getConnectionBuilder().setVirtualHost("$management").build();
         try
         {
             brokerConnection.start();
 
             String principal = null;
-            List<Map<String, Object>> connections = queryEntitiesUsingAmqpManagement("org.apache.qpid.Connection", brokerConnection);
-            for (Map<String, Object> connection : connections)
+            final List<Map<String, Object>> connections = queryEntitiesUsingAmqpManagement("org.apache.qpid.Connection", brokerConnection);
+            for (final Map<String, Object> connection : connections)
             {
-                String name = String.valueOf(connection.get(ConfiguredObject.NAME));
-                Map<String, Object> attributes;
+                final String name = String.valueOf(connection.get(ConfiguredObject.NAME));
+                final Map<String, Object> attributes;
                 try
                 {
                     attributes = readEntityUsingAmqpManagement(
@@ -460,12 +561,17 @@ public class AuthenticationTest extends JmsTestBase
         }
     }
 
+    private Map<String, Object> getBrokerTrustStoreAttributes()
+    {
+        final Map<String, Object> trustStoreAttributes = new HashMap<>();
+        trustStoreAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_TRUSTSTORE);
+        trustStoreAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+        return trustStoreAttributes;
+    }
+
     private int createExternalProviderAndTlsPort() throws Exception
     {
-        Map<String, Object> trustStoreAttributes = new HashMap<>();
-        trustStoreAttributes.put(FileTrustStore.STORE_URL, BROKER_TRUSTSTORE);
-        trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_TRUSTSTORE_PASSWORD);
-        return createExternalProviderAndTlsPort(trustStoreAttributes);
+        return createExternalProviderAndTlsPort(getBrokerTrustStoreAttributes());
     }
 
     private int createExternalProviderAndTlsPort(final Map<String, Object> trustStoreAttributes) throws Exception
@@ -478,12 +584,12 @@ public class AuthenticationTest extends JmsTestBase
                                                  final boolean useFullDN) throws Exception
     {
         final String providerName = getTestName();
-        Connection connection = getConnectionBuilder().setVirtualHost("$management").build();
+        final Connection connection = getConnectionBuilder().setVirtualHost("$management").build();
         try
         {
             connection.start();
 
-            Map<String, Object> providerAttributes = new HashMap<>();
+            final Map<String, Object> providerAttributes = new HashMap<>();
             providerAttributes.put("qpid-type", ExternalAuthenticationManager.PROVIDER_TYPE);
             providerAttributes.put(ExternalAuthenticationManager.ATTRIBUTE_USE_FULL_DN, useFullDN);
             createEntity(providerName,
@@ -492,8 +598,8 @@ public class AuthenticationTest extends JmsTestBase
                          connection);
 
             final Map<String, Object> keyStoreAttributes = new HashMap<>();
-            keyStoreAttributes.put("storeUrl", BROKER_KEYSTORE);
-            keyStoreAttributes.put("password", BROKER_KEYSTORE_PASSWORD);
+            keyStoreAttributes.put("storeUrl", TestSSLConstants.BROKER_KEYSTORE);
+            keyStoreAttributes.put("password", TestSSLConstants.PASSWORD);
             keyStoreAttributes.put("keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
             final String keyStoreName = providerName + "KeyStore";
@@ -502,7 +608,7 @@ public class AuthenticationTest extends JmsTestBase
                          keyStoreAttributes,
                          connection);
 
-            Map<String, Object> trustStoreSettings = new HashMap<>(trustStoreAttributes);
+            final Map<String, Object> trustStoreSettings = new HashMap<>(trustStoreAttributes);
             trustStoreSettings.put("trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
             final String trustStoreName = providerName + "TrustStore";
             createEntity(trustStoreName,
@@ -510,8 +616,8 @@ public class AuthenticationTest extends JmsTestBase
                          trustStoreSettings,
                          connection);
 
-            String portName = getPortName();
-            Map<String, Object> sslPortAttributes = new HashMap<>();
+            final String portName = getPortName();
+            final Map<String, Object> sslPortAttributes = new HashMap<>();
             sslPortAttributes.put(Port.TRANSPORTS, "[\"SSL\"]");
             sslPortAttributes.put(Port.PORT, 0);
             sslPortAttributes.put(Port.AUTHENTICATION_PROVIDER, providerName);
@@ -519,7 +625,7 @@ public class AuthenticationTest extends JmsTestBase
             sslPortAttributes.put(Port.WANT_CLIENT_AUTH, false);
             sslPortAttributes.put(Port.NAME, portName);
             sslPortAttributes.put(Port.KEY_STORE, keyStoreName);
-            String trustStores = additionalTrustStore == null
+            final String trustStores = additionalTrustStore == null
                     ? "[\"" + trustStoreName + "\"]"
                     : "[\"" + trustStoreName + "\",\"" + additionalTrustStore + "\"]";
             sslPortAttributes.put(Port.TRUST_STORES, trustStores);
@@ -529,7 +635,7 @@ public class AuthenticationTest extends JmsTestBase
                          sslPortAttributes,
                          connection);
 
-            Map<String, Object> portEffectiveAttributes =
+            final Map<String, Object> portEffectiveAttributes =
                     readEntityUsingAmqpManagement(portName, "org.apache.qpid.AmqpPort", false, connection);
             if (portEffectiveAttributes.containsKey("boundPort"))
             {
@@ -553,7 +659,7 @@ public class AuthenticationTest extends JmsTestBase
                                                            final String userName,
                                                            final String userPassword) throws Exception
     {
-        Connection connection = getConnectionBuilder().setVirtualHost("$management").build();
+        final Connection connection = getConnectionBuilder().setVirtualHost("$management").build();
         try
         {
             connection.start();
@@ -568,13 +674,13 @@ public class AuthenticationTest extends JmsTestBase
             userAttributes.put("object-path", providerName);
             createEntity(userName, User.class.getName(), userAttributes, connection);
 
-            String portName = providerName + "Port";
+            final String portName = providerName + "Port";
             final Map<String, Object> portAttributes = new HashMap<>();
             portAttributes.put(Port.AUTHENTICATION_PROVIDER, providerName);
             portAttributes.put(Port.PORT, 0);
             createEntity(portName, "org.apache.qpid.AmqpPort", portAttributes, connection);
 
-            Map<String, Object> portEffectiveAttributes =
+            final Map<String, Object> portEffectiveAttributes =
                     readEntityUsingAmqpManagement(portName, "org.apache.qpid.AmqpPort", false, connection);
             if (portEffectiveAttributes.containsKey("boundPort"))
             {
@@ -588,20 +694,60 @@ public class AuthenticationTest extends JmsTestBase
         }
     }
 
-    private void assertConnectivity(final int port,
-                                    final String userName,
-                                    final String userPassword,
-                                    final String mechanism) throws Exception
+    private Connection getConnection(int port, String certificateAlias) throws NamingException, JMSException
     {
-        Connection connection = getConnectionBuilder().setPort(port)
+        return getConnectionBuilder().setPort(port)
+                .setTls(true)
+                .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
+                .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
+                .setKeyStorePassword(TestSSLConstants.PASSWORD)
+                .setKeyAlias(certificateAlias)
+                .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+                .setTrustStorePassword(TestSSLConstants.PASSWORD)
+                .build();
+    }
+
+    private void assertTlsConnectivity(int port, String certificateAlias) throws NamingException, JMSException
+    {
+        final Connection connection = getConnection(port, certificateAlias);
+        try
+        {
+            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+            assertNotNull("Temporary queue was not created", session.createTemporaryQueue());
+        }
+        finally
+        {
+            connection.close();
+        }
+    }
+
+    private void assertNoTlsConnectivity(int port, String certificateAlias) throws NamingException
+    {
+        try
+        {
+            getConnection(port, certificateAlias);
+            fail("Connection should not succeed");
+        }
+        catch (JMSException e)
+        {
+            // pass
+        }
+    }
+
+    private void assertPlainConnectivity(final int port,
+                                         final String userName,
+                                         final String userPassword,
+                                         final String mechanism) throws Exception
+    {
+        final Connection connection = getConnectionBuilder().setPort(port)
                                                       .setUsername(userName)
                                                       .setPassword(userPassword)
                                                       .setSaslMechanisms(mechanism)
                                                       .build();
         try
         {
-            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
-            TemporaryQueue queue = session.createTemporaryQueue();
+            final Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+            final TemporaryQueue queue = session.createTemporaryQueue();
             assertNotNull("Temporary queue was not created", queue);
         }
         finally
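Review bot: assertNoTlsConnectivity leaks the connection when `getConnection` unexpectedly succeeds, because `fail(...)` is reached with nothing holding or closing the returned object. It also accepts any JMSException as a pass, so a wrong store path or an unbound port would look the same as the broker rejecting a revoked or untrusted certificate. Whether the client exception exposes a TLS-specific cause is not visible here, so at minimum close the connection in a `finally` block and name the alias in the failure message. If the client does expose the cause, asserting on it would stop the revocation tests from passing for the wrong reason.

```java
    private void assertNoTlsConnectivity(int port, String certificateAlias) throws NamingException
    {
        Connection connection = null;
        try
        {
            connection = getConnection(port, certificateAlias);
            fail("Connection with certificate alias '" + certificateAlias + "' should not succeed");
        }
        catch (JMSException e)
        {
            // expected: the broker must refuse this certificate
        }
        finally
        {
            if (connection != null)
            {
                try
                {
                    connection.close();
                }
                catch (JMSException ignored)
                {
                    // best-effort cleanup; the assertion failure above is what matters
                }
            }
        }
    }
```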
@@ -637,4 +783,32 @@ public class AuthenticationTest extends JmsTestBase
             // pass
         }
     }
+
+    private static void createContext(Path crlPath)
+    {
+        final ContextHandler contextHandler = new ContextHandler();
+        contextHandler.setContextPath("/" + crlPath.getFileName());
+        contextHandler.setHandler(new CrlServerHandler(crlPath));
+        HANDLERS.addHandler(contextHandler);
+    }
+
+    private static class CrlServerHandler extends AbstractHandler
+    {
+        final Path crlPath;
+        public CrlServerHandler(Path crlPath)
+        {
+            this.crlPath = crlPath;
+        }
+
+        @Override
+        public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response)
+                throws IOException
+        {
+            final byte[] crlBytes = Files.readAllBytes(crlPath);
+            response.setStatus(HttpServletResponse.SC_OK);
+            final OutputStream responseBody = response.getOutputStream();
+            responseBody.write(crlBytes);
+            responseBody.close();
+        }
+    }
 }
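Review bot: CrlServerHandler.handle never calls `baseRequest.setHandled(true);`, so the response is complete only because the output stream is closed by hand. How HANDLERS dispatches is not visible in this hunk, but a request left unhandled may be offered to other handlers or to the server's default not-found handling. Adding that call and writing through `try (OutputStream responseBody = response.getOutputStream())` would make the test CRL endpoint behave predictably. The field should be `private final Path crlPath;`. A one-line comment saying that the file is re-read on every request would also help readers of the revocation tests.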
diff --git a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/tls/TlsTest.java b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/tls/TlsTest.java
index 01d69f3..da61319 100644
--- a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/tls/TlsTest.java
+++ b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/tls/TlsTest.java
@@ -21,11 +21,6 @@
 package org.apache.qpid.systests.jms_1_1.extensions.tls;
 
 import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
-import static org.apache.qpid.test.utils.TestSSLConstants.BROKER_KEYSTORE_PASSWORD;
-import static org.apache.qpid.test.utils.TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD;
-import static org.apache.qpid.test.utils.TestSSLConstants.KEYSTORE_PASSWORD;
-import static org.apache.qpid.test.utils.TestSSLConstants.TRUSTSTORE_PASSWORD;
 import static org.hamcrest.CoreMatchers.anyOf;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.is;
@@ -72,18 +67,8 @@ import org.apache.qpid.tests.utils.BrokerAdmin;
 
 public class TlsTest extends JmsTestBase
 {
-    public static final String TEST_PROFILE_RESOURCE_BASE = System.getProperty("java.io.tmpdir") + "/";
-    public static final String BROKER_KEYSTORE =
-            TEST_PROFILE_RESOURCE_BASE + org.apache.qpid.test.utils.TestSSLConstants.BROKER_KEYSTORE;
-    public static final String BROKER_TRUSTSTORE =
-            TEST_PROFILE_RESOURCE_BASE + org.apache.qpid.test.utils.TestSSLConstants.BROKER_TRUSTSTORE;
-    public static final String KEYSTORE =
-            TEST_PROFILE_RESOURCE_BASE + org.apache.qpid.test.utils.TestSSLConstants.KEYSTORE;
-    public static final String TRUSTSTORE =
-            TEST_PROFILE_RESOURCE_BASE + org.apache.qpid.test.utils.TestSSLConstants.TRUSTSTORE;
-
     @BeforeClass
-    public static void setUp() throws Exception
+    public static void setUp()
     {
         System.setProperty("javax.net.debug", "ssl");
 
@@ -96,13 +81,13 @@ public class TlsTest extends JmsTestBase
         // legacy client keystore/truststore types can only be configured with JVM settings
         if (getProtocol() != Protocol.AMQP_1_0)
         {
-            System.setProperty("javax.net.ssl.trustStoreType", JAVA_KEYSTORE_TYPE);
-            System.setProperty("javax.net.ssl.keyStoreType", JAVA_KEYSTORE_TYPE);
+            System.setProperty("javax.net.ssl.trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
+            System.setProperty("javax.net.ssl.keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
         }
     }
 
     @AfterClass
-    public static void tearDown() throws Exception
+    public static void tearDown()
     {
         System.clearProperty("javax.net.debug");
         if (getProtocol() != Protocol.AMQP_1_0)
@@ -127,10 +112,10 @@ public class TlsTest extends JmsTestBase
         Connection connection = getConnectionBuilder().setPort(port)
                                                       .setHost(brokerAddress.getHostName())
                                                       .setTls(true)
-                                                      .setKeyStoreLocation(KEYSTORE)
-                                                      .setKeyStorePassword(KEYSTORE_PASSWORD)
-                                                      .setTrustStoreLocation(TRUSTSTORE)
-                                                      .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+                                                      .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
+                                                      .setKeyStorePassword(TestSSLConstants.PASSWORD)
+                                                      .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+                                                      .setTrustStorePassword(TestSSLConstants.PASSWORD)
                                                       .build();
         try
         {
@@ -208,10 +193,10 @@ public class TlsTest extends JmsTestBase
             getConnectionBuilder().setPort(port)
                                   .setHost("127.0.0.1")
                                   .setTls(true)
-                                  .setKeyStoreLocation(KEYSTORE)
-                                  .setKeyStorePassword(KEYSTORE_PASSWORD)
-                                  .setTrustStoreLocation(TRUSTSTORE)
-                                  .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+                                  .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
+                                  .setKeyStorePassword(TestSSLConstants.PASSWORD)
+                                  .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+                                  .setTrustStorePassword(TestSSLConstants.PASSWORD)
                                   .build();
             fail("Exception not thrown");
         }
@@ -223,10 +208,10 @@ public class TlsTest extends JmsTestBase
         Connection connection = getConnectionBuilder().setPort(port)
                                                       .setHost("127.0.0.1")
                                                       .setTls(true)
-                                                      .setKeyStoreLocation(KEYSTORE)
-                                                      .setKeyStorePassword(KEYSTORE_PASSWORD)
-                                                      .setTrustStoreLocation(TRUSTSTORE)
-                                                      .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+                                                      .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
+                                                      .setKeyStorePassword(TestSSLConstants.PASSWORD)
+                                                      .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+                                                      .setTrustStorePassword(TestSSLConstants.PASSWORD)
                                                       .setVerifyHostName(false)
                                                       .build();
         try
@@ -372,8 +357,8 @@ public class TlsTest extends JmsTestBase
         Connection connection = getConnectionBuilder().setPort(port)
                                                       .setHost(brokerAddress.getHostName())
                                                       .setTls(true)
-                                                      .setTrustStoreLocation(TRUSTSTORE)
-                                                      .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+                                                      .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+                                                      .setTrustStorePassword(TestSSLConstants.PASSWORD)
                                                       .build();
         try
         {
@@ -398,8 +383,8 @@ public class TlsTest extends JmsTestBase
             getConnectionBuilder().setPort(port)
                                   .setHost(getBrokerAdmin().getBrokerAddress(BrokerAdmin.PortType.AMQP).getHostName())
                                   .setTls(true)
-                                  .setTrustStoreLocation(TRUSTSTORE)
-                                  .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+                                  .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+                                  .setTrustStorePassword(TestSSLConstants.PASSWORD)
                                   .build();
             fail("Connection was established successfully");
         }
@@ -419,8 +404,8 @@ public class TlsTest extends JmsTestBase
         Connection connection = getConnectionBuilder().setPort(port)
                                                       .setHost(brokerAddress.getHostName())
                                                       .setTls(true)
-                                                      .setTrustStoreLocation(TRUSTSTORE)
-                                                      .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+                                                      .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+                                                      .setTrustStorePassword(TestSSLConstants.PASSWORD)
                                                       .build();
         try
         {
@@ -444,8 +429,8 @@ public class TlsTest extends JmsTestBase
             getConnectionBuilder().setPort(port)
                                   .setHost(getBrokerAdmin().getBrokerAddress(BrokerAdmin.PortType.AMQP).getHostName())
                                   .setTls(true)
-                                  .setTrustStoreLocation(TRUSTSTORE)
-                                  .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+                                  .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+                                  .setTrustStorePassword(TestSSLConstants.PASSWORD)
                                   .build();
             fail("Connection was established successfully");
         }
@@ -466,10 +451,10 @@ public class TlsTest extends JmsTestBase
         Connection connection = getConnectionBuilder().setPort(port)
                                                       .setHost(brokerAddress.getHostName())
                                                       .setTls(true)
-                                                      .setKeyStoreLocation(KEYSTORE)
-                                                      .setKeyStorePassword(KEYSTORE_PASSWORD)
-                                                      .setTrustStoreLocation(TRUSTSTORE)
-                                                      .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+                                                      .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
+                                                      .setKeyStorePassword(TestSSLConstants.PASSWORD)
+                                                      .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+                                                      .setTrustStorePassword(TestSSLConstants.PASSWORD)
                                                       .build();
         try
         {
@@ -516,8 +501,8 @@ public class TlsTest extends JmsTestBase
         Connection connection = getConnectionBuilder().setPort(port)
                                                       .setHost(brokerAddress.getHostName())
                                                       .setTls(true)
-                                                      .setTrustStoreLocation(TRUSTSTORE)
-                                                      .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+                                                      .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+                                                      .setTrustStorePassword(TestSSLConstants.PASSWORD)
                                                       .setVerifyHostName(false)
                                                       .setOptions(options)
                                                       .build();
@@ -600,9 +585,9 @@ public class TlsTest extends JmsTestBase
             try
             {
                 final Map<String, Object> keyStoreAttributes = new HashMap<>();
-                keyStoreAttributes.put("storeUrl", BROKER_KEYSTORE);
-                keyStoreAttributes.put("password", BROKER_KEYSTORE_PASSWORD);
-                keyStoreAttributes.put("keyStoreType", JAVA_KEYSTORE_TYPE);
+                keyStoreAttributes.put("storeUrl", TestSSLConstants.BROKER_KEYSTORE);
+                keyStoreAttributes.put("password", TestSSLConstants.PASSWORD);
+                keyStoreAttributes.put("keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
                 managementFacade.createEntityAndAssertResponse(keyStoreName,
                                                                FileKeyStore.class.getName(),
                                                                keyStoreAttributes,
@@ -617,9 +602,9 @@ public class TlsTest extends JmsTestBase
             try
             {
                 final Map<String, Object> trustStoreAttributes = new HashMap<>();
-                trustStoreAttributes.put("storeUrl", BROKER_TRUSTSTORE);
-                trustStoreAttributes.put("password", BROKER_TRUSTSTORE_PASSWORD);
-                trustStoreAttributes.put("trustStoreType", JAVA_KEYSTORE_TYPE);
+                trustStoreAttributes.put("storeUrl", TestSSLConstants.BROKER_TRUSTSTORE);
+                trustStoreAttributes.put("password", TestSSLConstants.PASSWORD);
+                trustStoreAttributes.put("trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
                 managementFacade.createEntityAndAssertResponse(trustStoreName,
                                                                FileTrustStore.class.getName(),
                                                                trustStoreAttributes,
@@ -680,10 +665,10 @@ public class TlsTest extends JmsTestBase
 
     private void setSslStoreSystemProperties()
     {
-        System.setProperty("javax.net.ssl.keyStore", KEYSTORE);
-        System.setProperty("javax.net.ssl.keyStorePassword", KEYSTORE_PASSWORD);
-        System.setProperty("javax.net.ssl.trustStore", TRUSTSTORE);
-        System.setProperty("javax.net.ssl.trustStorePassword", TRUSTSTORE_PASSWORD);
+        System.setProperty("javax.net.ssl.keyStore", TestSSLConstants.CLIENT_KEYSTORE);
+        System.setProperty("javax.net.ssl.keyStorePassword", TestSSLConstants.PASSWORD);
+        System.setProperty("javax.net.ssl.trustStore", TestSSLConstants.CLIENT_TRUSTSTORE);
+        System.setProperty("javax.net.ssl.trustStorePassword", TestSSLConstants.PASSWORD);
     }
 
     private void clearSslStoreSystemProperties()
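Review bot: `setSslStoreSystemProperties()` carries no comment saying that the four `javax.net.ssl.*` properties it sets are JVM-wide. The client store paths and `TestSSLConstants.PASSWORD` therefore stay in effect for any later code in the same JVM until the clear method runs. I would add a Javadoc along the lines of `/** Sets JVM-wide javax.net.ssl.* store properties; callers must invoke clearSslStoreSystemProperties() in a finally block. */`. Whether the callers already pair the two calls is not visible here, and `clearSslStoreSystemProperties()` begins on the hunk's last line with its body outside the hunk.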
@@ -696,16 +681,16 @@ public class TlsTest extends JmsTestBase
 
     private File[] extractResourcesFromTestKeyStore() throws Exception
     {
-        java.security.KeyStore ks = java.security.KeyStore.getInstance(JAVA_KEYSTORE_TYPE);
-        try (InputStream is = new FileInputStream(KEYSTORE))
+        java.security.KeyStore ks = java.security.KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        try (InputStream is = new FileInputStream(TestSSLConstants.CLIENT_KEYSTORE))
         {
-            ks.load(is, KEYSTORE_PASSWORD.toCharArray());
+            ks.load(is, TestSSLConstants.PASSWORD.toCharArray());
         }
 
         File privateKeyFile = Files.createTempFile(getTestName(), ".private-key.der").toFile();
         try (FileOutputStream kos = new FileOutputStream(privateKeyFile))
         {
-            Key pvt = ks.getKey(TestSSLConstants.CERT_ALIAS_APP1, KEYSTORE_PASSWORD.toCharArray());
+            Key pvt = ks.getKey(TestSSLConstants.CERT_ALIAS_APP1, TestSSLConstants.PASSWORD.toCharArray());
             kos.write(TestSSLUtils.privateKeyToPEM(pvt).getBytes(UTF_8));
         }
 
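Review bot: The result of `ks.getKey(TestSSLConstants.CERT_ALIAS_APP1, ...)` is passed straight to `TestSSLUtils.privateKeyToPEM(pvt)` without a null check. `KeyStore.getKey` returns null when the alias is missing or is not a key entry, and this change switches the loaded store to `TestSSLConstants.CLIENT_KEYSTORE`, so an alias mismatch would presumably fail inside the PEM helper with an unhelpful error. A guard before the write makes the cause explicit: `if (pvt == null) { throw new IllegalStateException("No key entry '" + TestSSLConstants.CERT_ALIAS_APP1 + "' in " + TestSSLConstants.CLIENT_KEYSTORE); }`. The temp file also holds the unencrypted private key, and the rest of `extractResourcesFromTestKeyStore()`, including any cleanup of that file, lies outside the hunk.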
@@ -725,10 +710,10 @@ public class TlsTest extends JmsTestBase
 
     private File extractCertFileFromTestTrustStore() throws Exception
     {
-        java.security.KeyStore ks = java.security.KeyStore.getInstance(JAVA_KEYSTORE_TYPE);
-        try (InputStream is = new FileInputStream(TRUSTSTORE))
+        java.security.KeyStore ks = java.security.KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        try (InputStream is = new FileInputStream(TestSSLConstants.CLIENT_TRUSTSTORE))
         {
-            ks.load(is, TRUSTSTORE_PASSWORD.toCharArray());
+            ks.load(is, TestSSLConstants.PASSWORD.toCharArray());
         }
 
         File certificateFile = Files.createTempFile(getTestName(), ".crt").toFile();
diff --git a/test-profiles/test_resources/ssl/CA_db/cert9.db b/test-profiles/test_resources/ssl/CA_db/cert9.db
deleted file mode 100644
index 2bed63c..0000000
Binary files a/test-profiles/test_resources/ssl/CA_db/cert9.db and /dev/null differ
diff --git a/test-profiles/test_resources/ssl/CA_db/key4.db b/test-profiles/test_resources/ssl/CA_db/key4.db
deleted file mode 100644
index 4562b1a..0000000
Binary files a/test-profiles/test_resources/ssl/CA_db/key4.db and /dev/null differ
diff --git a/test-profiles/test_resources/ssl/CA_db/pkcs11.txt b/test-profiles/test_resources/ssl/CA_db/pkcs11.txt
deleted file mode 100644
index beb8e0f..0000000
--- a/test-profiles/test_resources/ssl/CA_db/pkcs11.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-library=
-name=NSS Internal PKCS #11 Module
-parameters=configdir='CA_db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
-NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
-
diff --git a/test-profiles/test_resources/ssl/CA_db/rootca.crt b/test-profiles/test_resources/ssl/CA_db/rootca.crt
deleted file mode 100644
index b9356b6..0000000
--- a/test-profiles/test_resources/ssl/CA_db/rootca.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDETCCAfmgAwIBAgIFALBcSiAwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMC
-Q0ExEDAOBgNVBAgTB09udGFyaW8xDTALBgNVBAoTBEFDTUUxETAPBgNVBAMTCE15
-Um9vdENBMB4XDTE5MDIyNzE2MDM1OVoXDTI0MDIyNzE2MDM1OVowQTELMAkGA1UE
-BhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xDTALBgNVBAoTBEFDTUUxETAPBgNVBAMT
-CE15Um9vdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx7wfxIsA
-yM7HhpEfHy0rEBrhfwCTf/dO/x6DFKjYfxKuhbFcHuBWHhq60mn04Wfo0kwCSZSE
-sabJvba5iHAztzHUeLBTyg9fy57tlNs0sQMqXCD3bwa1HBGgMt5A05zSmi9ZklwH
-xrfB8nbSePD/V1tmwjXvWYx/G2xnRHZbs8dS000DteI2yq8O1i/NJst8KrifxgE2
-RzfNqSLxrmEzZAe5lt2eGIxr+UatR/AKXFixfKEK523Rq9CnJ7Fdgzt0WebbhUwg
-4A0AIJk4h6WKTB+RwdWT9Dgzc+qSkjHco9vqToF92QfQOygPjDSjWKHwPyTskuYf
-W9EohouHZWjsXQIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUA
-A4IBAQCYi9vsfbIRihVyVQ8R1xBD+v7HZ31Se4v3ODQ9xD4DBE4qcE4kYTmFdRoD
-5WIm9O2w20Iz4icVr1iyOlund9psL3CSklPVUqGIGQXfzxfI9Dgi+NicIWDFhHra
-hfeYl2Tg4lkkodTewVMdiigh7MBdWnr3j/xEIWxcvD3x5ymXPV6PU9mzn8r/tcNC
-A+07I0eCqcAYHDTEQxumiTBObymnnABYr0lDa+baWrW2YuLx+I5I+rHFEnuy9vDn
-rN0kZuG32V5cIAavDZWkUrxR87TsJ0gxv/cbFU+J2x4Z6X8ryI2HhLujxqXmTzSH
-5Bq18bki5O4kqJFY4CA/N+035Yta
------END CERTIFICATE-----
diff --git a/test-profiles/test_resources/ssl/app1.crt b/test-profiles/test_resources/ssl/app1.crt
deleted file mode 100644
index edc890f..0000000
--- a/test-profiles/test_resources/ssl/app1.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDYjCCAkqgAwIBAgIFALBcS8MwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMC
-Q0ExEDAOBgNVBAgTB09udGFyaW8xDTALBgNVBAoTBEFDTUUxETAPBgNVBAMTCE15
-Um9vdENBMB4XDTE5MDIyNzE2MDcxNloXDTI0MDIyNzE2MDcxNlowYTELMAkGA1UE
-BhMCQ0ExCzAJBgNVBAgTAk9OMRAwDgYDVQQHEwdUb3JvbnRvMQ0wCwYDVQQKEwRh
-Y21lMQwwCgYDVQQLEwNhcnQxFjAUBgNVBAMMDWFwcDFAYWNtZS5vcmcwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXNdGrF7GBnVVvkrwzu9xo7scIEUll
-82cRZ2yQ+Ua4dkg+mmrVwZjSN/fkUNsrecruhfx4jcmaEXwdixuDpCnw1fZ1xfC7
-AO2FdZrGtdFeaBfVyZ6g2hihcWK2FPlJRhvG2Fm6FlZAwQyhfagnA4VBxthFlhGw
-D7su+rp3bVGHXh0RYtc6eCE5FK9/tnGQgLVBVnENmdCg4Xd3WtnPV/boWSUR6Obk
-M7CfDOkFDz4DrJmUEaMMzGScustNsZuU/qZ2ei1eaY0GMnRquW4hyYYw8JXVO3Ji
-JtchVlUo7SL2gDuGmpk+/yceitJWn2e482lgURuVRFSwSgSqEkZrjCSpAgMBAAGj
-QTA/MB0GA1UdDgQWBBTDC6GBKI/QRwIZlVC8SJN6V/6OxDAJBgNVHRMEAjAAMBMG
-A1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBDQUAA4IBAQBjNo/6CYFVU21q
-TWW88eG1J/I6e+vv9hjNWuxtsOuWUzoepNFAa7gY1C5jMHMe1hXl9hK4mHm/D1o2
-5i3FERDyLz5x6a0oQP6T8F+BLfg8YGfbrcCuZPInPKgw5bc2xRVJc8zaZM5EBw1+
-U80+o5Er2XU/MSfJ6vfsNjZ7aGOo/ssQwBarKGHUwQTazgwRy+kVh9aZf+Vadbnx
-u3mtV6md9EMLfRzOKfTrdlHrS1CgUTKn+LmwSsBNomxXJcW0gpWIx4hoCd07vJCj
-WAvAeHdzAVSiAKkJ42ikOd7g5pXUFkpcNlIyfLpJGwTZYNSCx0eXuSUt3cLA+7V/
-2wXQNMED
------END CERTIFICATE-----
diff --git a/test-profiles/test_resources/ssl/app1.req b/test-profiles/test_resources/ssl/app1.req
deleted file mode 100644
index f1f90e0..0000000
--- a/test-profiles/test_resources/ssl/app1.req
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN NEW CERTIFICATE REQUEST-----
-MIIC1jCCAb4CAQAwYTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgTAk9OMRAwDgYDVQQH
-EwdUb3JvbnRvMQ0wCwYDVQQKEwRhY21lMQwwCgYDVQQLEwNhcnQxFjAUBgNVBAMM
-DWFwcDFAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCX
-NdGrF7GBnVVvkrwzu9xo7scIEUll82cRZ2yQ+Ua4dkg+mmrVwZjSN/fkUNsrecru
-hfx4jcmaEXwdixuDpCnw1fZ1xfC7AO2FdZrGtdFeaBfVyZ6g2hihcWK2FPlJRhvG
-2Fm6FlZAwQyhfagnA4VBxthFlhGwD7su+rp3bVGHXh0RYtc6eCE5FK9/tnGQgLVB
-VnENmdCg4Xd3WtnPV/boWSUR6ObkM7CfDOkFDz4DrJmUEaMMzGScustNsZuU/qZ2
-ei1eaY0GMnRquW4hyYYw8JXVO3JiJtchVlUo7SL2gDuGmpk+/yceitJWn2e482lg
-URuVRFSwSgSqEkZrjCSpAgMBAAGgMDAuBgkqhkiG9w0BCQ4xITAfMB0GA1UdDgQW
-BBTDC6GBKI/QRwIZlVC8SJN6V/6OxDANBgkqhkiG9w0BAQ0FAAOCAQEAVQ6eZDo+
-aW/JjTsK1duwqkpxWcGWyNApOaEETnunCFUsTYcN3zId7107gNMlKSQrQOztYFNc
-OKjDOicKHSoYoh+qRxprB4CPrhdNMXrtjFUOCDA+eLvf7kHn9hcOzg8XkgDOFVOs
-x61krLsN5jo2pfqdiPj13ilas7lBy4/WjEnazg/g/ckWAbYp2Rec47UnAGi5LB9h
-cgO/+vZUpmCCfHCURBC1qwk9UdbXlaDZcbITszvR86PZ6ztkDO9dxbDDvCHydvcD
-jaEHdvpSlC2WiWc4R/Tjq+xYQkRayPHYzHF1w3YYEbpuQOZwiuzYlQrZnOyH+oVC
-/0qy57VDVqP/HA==
------END NEW CERTIFICATE REQUEST-----
diff --git a/test-profiles/test_resources/ssl/app2.crt b/test-profiles/test_resources/ssl/app2.crt
deleted file mode 100644
index 5693e43..0000000
--- a/test-profiles/test_resources/ssl/app2.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDZTCCAk2gAwIBAgIFALBcS6owDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMC
-Q0ExEDAOBgNVBAgTB09udGFyaW8xDTALBgNVBAoTBEFDTUUxETAPBgNVBAMTCE15
-Um9vdENBMB4XDTE5MDIyNzE2MDcwM1oXDTI0MDIyNzE2MDcwM1owYTELMAkGA1UE
-BhMCQ0ExCzAJBgNVBAgTAk9OMRAwDgYDVQQHEwdUb3JvbnRvMQ0wCwYDVQQKEwRh
-Y21lMQwwCgYDVQQLEwNhcnQxFjAUBgNVBAMMDWFwcDJAYWNtZS5vcmcwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXMCZtW+a6JxuA2fN45Ta/0ilUqfme
-r+aGG2yTtwdRkduUssBogCYq1Pxk+l4nDgNWjscgGhtxeY9nw3u+NaxFJxuQrKLu
-nnsdh+htzTUsq/iWKwcU6A4MX1aC++Ic6poTeunv6MHVdujehJOCph6zDEANjT2f
-gHHjxBMPO+fe0mEtsWwezp+xJJAOCAkMivoziQ0OopIqFSF/FhFZDK4bJFruAJJc
-0CZNBM7Ox2sNAK1cX8mxZhzWfUGQs2hfobri9J/GUlnXmN9nk6v5FybDjH6u9jcd
-9bY2f03PC9whclIzar5TiWLfg7MZHctUv2MZZWy1c7hfzktCvjW5Y7R7AgMBAAGj
-RDBCMB0GA1UdDgQWBBTzMIzbe9uahZhnVxRWUyelP3jc9TAMBgNVHRMBAf8EAjAA
-MBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBDQUAA4IBAQAJMyC3QdIH
-ZwdUYKiwAl7W89CarMjCEH960fhHAcyliGYTtRj7aMEkWpFvR16yuRHfbiE4XZ71
-ClySvZxVl9DBcpSx69PBiRELd1wpRk5YP/1mxPtS85JlRCMVG92dizL0jSvugDcp
-pfTR9ifCK9skHrHMRvsmh7w4L2YX1IJXSORjzTHTOpqLM1vDERximf16C5ZPMhbJ
-F3jP8+k74/o3gDTttR/89M8bg5Xi/7VW4CWcBZTWnp43y8UlncbWRRwYMnJ7UAva
-7Dg0un/Nu4K/ggALmzsB3x4XBMvzIFf0orhRuFqS7BCqFg5ZavpMPHwDX7dFEjIC
-BsUjFnrzaxHI
------END CERTIFICATE-----
diff --git a/test-profiles/test_resources/ssl/app2.req b/test-profiles/test_resources/ssl/app2.req
deleted file mode 100644
index 61235b0..0000000
--- a/test-profiles/test_resources/ssl/app2.req
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN NEW CERTIFICATE REQUEST-----
-MIIC1jCCAb4CAQAwYTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgTAk9OMRAwDgYDVQQH
-EwdUb3JvbnRvMQ0wCwYDVQQKEwRhY21lMQwwCgYDVQQLEwNhcnQxFjAUBgNVBAMM
-DWFwcDJAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCX
-MCZtW+a6JxuA2fN45Ta/0ilUqfmer+aGG2yTtwdRkduUssBogCYq1Pxk+l4nDgNW
-jscgGhtxeY9nw3u+NaxFJxuQrKLunnsdh+htzTUsq/iWKwcU6A4MX1aC++Ic6poT
-eunv6MHVdujehJOCph6zDEANjT2fgHHjxBMPO+fe0mEtsWwezp+xJJAOCAkMivoz
-iQ0OopIqFSF/FhFZDK4bJFruAJJc0CZNBM7Ox2sNAK1cX8mxZhzWfUGQs2hfobri
-9J/GUlnXmN9nk6v5FybDjH6u9jcd9bY2f03PC9whclIzar5TiWLfg7MZHctUv2MZ
-ZWy1c7hfzktCvjW5Y7R7AgMBAAGgMDAuBgkqhkiG9w0BCQ4xITAfMB0GA1UdDgQW
-BBTzMIzbe9uahZhnVxRWUyelP3jc9TANBgkqhkiG9w0BAQ0FAAOCAQEAKstPTwyn
-rn7dC+5SeP1ww6bMp77+KdQFu7aJ3Ul2xt6ICp0GkH5motvFx+dw5im8la4NH6Y7
-ZQS9eeoT6Zfi76Ve1wSVE2Gu0k9KgGXXW8ZodKml5vK89jf/3Fsy/058coOjsUDI
-iZqGajqiZshpmIpCJP3PPGA1Db30RY93U3iJAEwJCAXhGEd7EXV5iP3HA8wzuwws
-7osIz2oixsM/6Btf0+7FBt7AtqkknuDcw1Z/ZoUc5iIpMnGTtoajXnpNs7VgpngU
-bjMhgJSEOyjZrPn1VxtP23KVWm3+aAs/3gGW058ku3NYXg9H8FLysUNackZlnxqz
-dvTNaLl4FIUgiw==
------END NEW CERTIFICATE REQUEST-----
diff --git a/test-profiles/test_resources/ssl/expired.crt b/test-profiles/test_resources/ssl/expired.crt
deleted file mode 100644
index 933330a..0000000
--- a/test-profiles/test_resources/ssl/expired.crt
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICvzCCAaegAwIBAgIEAjtn8zANBgkqhkiG9w0BAQ0FADAQMQ4wDAYDVQQDEwVV
-U0VSMTAeFw0xMDAxMDEyMjQ0MjVaFw0xMDAxMDIyMjQ0MjVaMBAxDjAMBgNVBAMT
-BVVTRVIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj2wa5um63bXJ
-j7jv3pfhDgkvwE9hfM/DLv1rmkq2Psepefb40VJng61WiTeLNWdXrAJ+ui5iHTCn
-8n+iqaucaPv4mOwH3j57CCLRvFrFSp/cUx2oZ3Zx1DfaSgfIc5F8AJQvYrtCxa6m
-eYCoUJ3BZqARiKc6fk/RtACB1YI9mCDYOgnntNhEwMkRTuPqholyaL1fmw51EDGH
-iGCQwsxj+YMLkuK2aQAs498NcA6fzui0Ey3MJ6LmLYbOSKqZ1cBzC4YfSGH921Ic
-4YDgsvQ1io1zN4AJFHj8ld5rlDCTElgUFmkm2wCLvQAQ9+5MB4fDVLFldpHHBgX2
-0097qFSAEwIDAQABoyEwHzAdBgNVHQ4EFgQUZ30jJvIgSSRkltqIKv7UgEYnlvUw
-DQYJKoZIhvcNAQENBQADggEBABYZ+ZwbRnJvfjnFq9c+GV5/7FJOTlO0SVAVZrYJ
-HzquTr3mFDkhOc6aDlaNGiFAJcs6Udj3MvV7J+Uuai9oJDmVCt94HZL3k09G+z1b
-A3BorBKWDYm2L9CKpjUgD0VY40Tc2yNVyrzCbdjVnBkrLKiAirSrb5NJK2lnJg4Y
-TB7TiAnSydfRWUyUo8/wEMgIo4o0vuB7AnBQFhCd0XRmxBNoBZ19f+R041I6CQ0L
-9jc172XWHL1o111/RS7M8qLcWxi11DN62p6IKNT32DnhVV0RFnfVTQDaQ9qsPFmg
-Dngy+2weYwc6hEKhnunGrv0LNoqp6lQbOZO4c4v0/ynBHf4=
------END CERTIFICATE-----
diff --git a/test-profiles/test_resources/ssl/generate-java-keystores.sh b/test-profiles/test_resources/ssl/generate-java-keystores.sh
deleted file mode 100755
index f6c8e82..0000000
--- a/test-profiles/test_resources/ssl/generate-java-keystores.sh
+++ /dev/null
@@ -1,129 +0,0 @@
-#!/usr/bin/env bash
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-echo "Remove existing keystore for Apache Qpid Broker-J "
-rm java_broker_keystore.jks
-echo "Re-create keystore for Apache Qpid Broker-J  by importing RootCA certificate"
-keytool -importcert -v -keystore java_broker_keystore.jks -keysize 2048 -storepass password -alias RootCA -file CA_db/rootca.crt -storetype pkcs12 -noprompt
-echo "Generate certificate key 'java-broker'"
-keytool -genkey -alias java-broker -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -validity 720 -keystore java_broker_keystore.jks -storepass password -dname "CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"  -storetype pkcs12
-echo "Export certificate signing request"
-keytool -certreq -alias java-broker -sigalg SHA512withRSA -keystore java_broker_keystore.jks -storepass password -v -file java_broker.req  -storetype pkcs12
-echo "Sign certificate by entering:"
-echo "  n for 'Is this a CA certificate [y/N]?'"
-echo "  [Enter] for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'"
-echo "  n for 'Is this a critical extension [y/N]?'"
-echo "  password which was specified on creation root CA database."
-certutil -C -d CA_db -c "MyRootCA" -a -i java_broker.req -o java_broker.crt -2 -6 --extKeyUsage serverAuth -v 60 -g 4096
-echo "Import signed certificate"
-keytool -importcert -v -alias java-broker -keystore java_broker_keystore.jks -storepass password -file java_broker.crt  -storetype pkcs12 -noprompt
-echo "List keystore entries"
-keytool --list --keystore java_broker_keystore.jks -storepass password  -storetype pkcs12
-
-read -p "Press [Enter] key to continue..."
-echo "Remove existing client keystore"
-rm java_client_keystore.jks
-echo "Re-create client keystore by importing RootCA certificate"
-keytool -importcert -v -keystore java_client_keystore.jks -storepass password -alias RootCA -file CA_db/rootca.crt  -storetype pkcs12 -noprompt
-
-echo "Generate key for certificate 'app2'"
-keytool -genkey -alias app2 -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -validity 720 -keystore java_client_keystore.jks -storepass password  -dname "CN=app2@acme.org, OU=art, O=acme, L=Toronto, ST=ON, C=CA"  -storetype pkcs12
-echo "Export certificate signing request for 'app2'"
-keytool -certreq -alias app2 -sigalg SHA512withRSA -keystore java_client_keystore.jks -storepass password -v -file app2.req  -storetype pkcs12
-echo "Sign certificate 'app2' by entering:"
-echo "  n for 'Is this a CA certificate [y/N]?'"
-echo "  '-1' for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'"
-echo "  n for 'Is this a critical extension [y/N]?'"
-echo "  password which was specified on creation root CA database."
-certutil -C -d CA_db -c "MyRootCA" -a -i app2.req -o app2.crt -2 -6  --extKeyUsage clientAuth -v 60 -Z SHA512
-echo "Import signed certificate 'app2'"
-keytool -importcert -v -alias app2 -keystore java_client_keystore.jks -storepass password -file app2.crt  -storetype pkcs12 -noprompt
-
-echo "Generate key for certificate 'app1'"
-keytool -genkey -alias app1 -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -validity 720 -keystore java_client_keystore.jks -storepass password  -dname "CN=app1@acme.org, OU=art, O=acme, L=Toronto, ST=ON, C=CA"  -storetype pkcs12
-echo "Export certificate signing request for 'app1'"
-keytool -certreq -alias app1 -sigalg SHA512withRSA -keystore java_client_keystore.jks -storepass password -v -file app1.req
-echo "Sign certificate 'app1' by entering:"
-echo "  n for 'Is this a CA certificate [y/N]?'"
-echo "  '-1' for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'"
-echo "  n for 'Is this a critical extension [y/N]?'"
-echo "  password which was specified on creation of root CA database."
-certutil -C -d CA_db -c "MyRootCA" -a -i app1.req -o app1.crt -2 -6  --extKeyUsage clientAuth -v 60 -Z SHA512
-echo "Import signed certificate 'app1'"
-keytool -importcert -v -alias app1 -keystore java_client_keystore.jks -storepass password -file app1.crt  -storetype pkcs12 -noprompt
-echo "List entries in client keystore"
-keytool --list --keystore java_client_keystore.jks  -storepass password
-
-read -p "Press [Enter] key to continue..."
-echo "Remove existing client truststore"
-rm java_client_truststore.jks 
-echo "Re-create client truststore by importing RootCA certificate"
-keytool -importcert -v -keystore java_client_truststore.jks -storepass password -alias RootCA -file CA_db/rootca.crt  -storetype pkcs12 -noprompt
-echo "List entries in client trusttore"
-keytool --list --keystore java_client_truststore.jks  -storepass password  -storetype pkcs12
-
-read -p "Press [Enter] key to continue..."
-echo "Remove existing broker truststore"
-rm java_broker_truststore.jks
-echo "Re-create broker truststore by importing RootCA certificate"
-keytool -importcert -v -keystore java_broker_truststore.jks -storepass password -alias RootCA -file CA_db/rootca.crt  -storetype pkcs12 -noprompt
-echo "List entries in broker truststore"
-keytool --list --keystore java_broker_truststore.jks  -storepass password  -storetype pkcs12
-
-read -p "Press [Enter] key to continue..."
-echo "Remove existing broker peerstore"
-rm java_broker_peerstore.jks 
-echo "Re-create broker peerstore by importing app1 certificate"
-keytool -importcert -v -keystore java_broker_peerstore.jks -storepass password -alias app1 -file app1.crt  -storetype pkcs12 -noprompt
-echo "List entries in broker peerstore"
-keytool --list --keystore java_broker_peerstore.jks  -storepass password  -storetype pkcs12
-
-cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/test_keystore.jks
-keytool -importcert -v -alias app1 -keystore ../../../broker-core/src/test/resources/ssl/test_keystore.jks -storepass password -file app1.crt  -storetype pkcs12 -noprompt
-keytool -importcert -v -alias app2 -keystore ../../../broker-core/src/test/resources/ssl/test_keystore.jks -storepass password -file app2.crt  -storetype pkcs12 -noprompt
-
-cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/test_pk_only_keystore.pkcs12
-keytool -delete -v -alias rootca  -keystore ../../../broker-core/src/test/resources/ssl/test_pk_only_keystore.pkcs12 -storepass password
-
-cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/test_cert_only_keystore.pkcs12
-keytool -delete -v -alias java-broker  -keystore ../../../broker-core/src/test/resources/ssl/test_cert_only_keystore.pkcs12 -storepass password
-
-cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/test_symmetric_key_keystore.pkcs12
-keytool -genseckey -alias testalias -keyalg AES -keysize 256 -storetype pkcs12 -keystore ../../../broker-core/src/test/resources/ssl/test_symmetric_key_keystore.pkcs12 -storepass password
-
-cp java_broker.req ../../../broker-core/src/test/resources/ssl/java_broker.req
-cp java_broker.crt ../../../broker-core/src/test/resources/ssl/java_broker.crt
-
-cp expired.crt ../../../broker-core/src/test/resources/ssl/expired.crt
-cp java_client_expired_keystore.jks ../../../broker-core/src/test/resources/ssl/java_client_expired_keystore.pkcs12
-cp java_broker_expired_truststore.jks ../../../broker-core/src/test/resources/ssl/java_broker_expired_truststore.pkcs12
-
-cp java_broker_peerstore.jks ../../../broker-core/src/test/resources/ssl/java_broker_peerstore.pkcs12
-cp java_broker_truststore.jks  ../../../broker-core/src/test/resources/ssl/java_broker_truststore.pkcs12
-cp java_broker_keystore.jks  ../../../broker-core/src/test/resources/ssl/java_broker_keystore.pkcs12
-cp java_broker_keystore.jks  ../../../systests/qpid-systests-http-management/src/main/resources/java_broker_keystore.jks
-cp java_client_keystore.jks  ../../../broker-core/src/test/resources/ssl/java_client_keystore.pkcs12
-cp java_client_truststore.jks  ../../../broker-core/src/test/resources/ssl/java_client_truststore.pkcs12
-
-rm java_client_untrusted_keystore.jks
-keytool -genkey -keystore java_client_untrusted_keystore.jks -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -alias untrusted_client -storepass password  -storetype pkcs12 -dname "CN=untrusted_client"
-cp java_client_untrusted_keystore.jks  ../../../broker-core/src/test/resources/ssl/java_client_untrusted_keystore.pkcs12
-
-
diff --git a/test-profiles/test_resources/ssl/generate-root-ca.sh b/test-profiles/test_resources/ssl/generate-root-ca.sh
deleted file mode 100755
index 14d760c..0000000
--- a/test-profiles/test_resources/ssl/generate-root-ca.sh
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/usr/bin/env bash
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-echo "Create a new certificate database for root CA"
-rm -fr CA_db; mkdir CA_db
-certutil -N -d CA_db
-                 
-echo "Create the self-signed Root CA certificate by entering:"
-echo "  password which was specified on creation of root CA database."
-echo "  y for 'Is this a CA certificate [y/N]?'"
-echo "  [Enter] for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'"
-echo "  n for 'Is this a critical extension [y/N]?'"
-certutil -S -d CA_db -n "MyRootCA" -s "CN=MyRootCA,O=ACME,ST=Ontario,C=CA" -t "CT,," -x -2 -Z SHA512 -v 60 -g 2048
-echo "Extract the CA certificate from the CA’s certificate database to a file."
-certutil -L -d CA_db -n "MyRootCA" -a -o CA_db/rootca.crt
-              
-
-echo "Create a certificate database for the Qpid Broker."
-rm -fr server_db; mkdir server_db
-certutil -N -d server_db
-echo "Import the CA certificate into the broker’s certificate database"
-certutil -A -d server_db -n "MyRootCA" -t "TC,," -a -i CA_db/rootca.crt
-echo "Create the server certificate request"
-certutil -R -d server_db -s "CN=localhost.localdomain,O=ACME,ST=Ontario,C=CA" -a -o server_db/server.req -Z SHA512
-echo "Sign and issue a new server certificate by entering:"
-echo "  n for 'Is this a CA certificate [y/N]?'"
-echo "  '-1' for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'"
-echo "  n for 'Is this a critical extension [y/N]?'"
-echo "  password which was specified on creation of root CA database."
-certutil -C -d CA_db -c "MyRootCA" -a -i server_db/server.req -o server_db/server.crt -2 -6  --extKeyUsage serverAuth -v 60 -Z SHA512 -g 2048
-echo "Import signed certificate to the broker’s certificate database"
-certutil -A -d server_db -n localhost.localdomain -a -i server_db/server.crt -t ",,"
diff --git a/test-profiles/test_resources/ssl/java_broker.crt b/test-profiles/test_resources/ssl/java_broker.crt
deleted file mode 100644
index 4e5c086..0000000
--- a/test-profiles/test_resources/ssl/java_broker.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDbzCCAlegAwIBAgIFALBcS4MwDQYJKoZIhvcNAQELBQAwQTELMAkGA1UEBhMC
-Q0ExEDAOBgNVBAgTB09udGFyaW8xDTALBgNVBAoTBEFDTUUxETAPBgNVBAMTCE15
-Um9vdENBMB4XDTE5MDIyNzE2MDY0M1oXDTI0MDIyNzE2MDY0M1owbjEQMA4GA1UE
-BhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQ
-MA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjESMBAGA1UEAxMJbG9j
-YWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq1zWGLqSHqno
-In5HjqSLSNQb5TV7qTeoKeVGJdfP13oXMllzy4JTCiXBen3l3YhpSxqGYccyEYee
-UlMSWH1snv9kW5sh+fF8HjJrabQco+vkUqUirvotaBQP71X1V+05AFxFhWfgdINw
-Kzu6az5i2S6DWJ0Xkseuolo3cM/J+M245NJj3as0dX2bOu0qbqk4izDqqV1uiyUP
-Udn0jICC52ZLd2v9lBbUQD/ZvwMYWIiBw9pfPxvIw2OsqsKeh+I7RUoGBxDUdDvj
-lbNeJV7AmeoszI/3bHkncdCiObFMXdXmUVwcRJYDAq5eBhgK59WcwKPIqlOLismQ
-wjN4ZxxvqQIDAQABo0EwPzAdBgNVHQ4EFgQU8NpCddyhoagntgXuH6eMGKnNxJsw
-CQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOC
-AQEAjFSD0UPN7ZqMKA0Sk2oailI+AU11VEmwIw18sXSEFMWSH8uAgkyTOvNQv4Nu
-WHgNOx20r18bYVrTqTznRa9oM7xemtR2pKqJYUQKqvk9vcF8mY7ibK1AH1vlm/gh
-7EfEmobfwHutXyTbUppgqf4QLn9AYLokD/w0la1mxDQ5Qc5FefgxLGaN2DZALFOc
-8lcpA9E2hTau2znxMlqqrG73E6R2XoE7BVMHVemVAAvusBuuP9OW/iC/KTPDFNoy
-NnDViQfIh03aBH2N5XCcnsdsxDULh6pjdZWf9FB+8OBDKyajNdFZku7AFLkt+QIa
-FVo105jdjqfMxt8FRNuQ05vYEQ==
------END CERTIFICATE-----
diff --git a/test-profiles/test_resources/ssl/java_broker.req b/test-profiles/test_resources/ssl/java_broker.req
deleted file mode 100644
index c618dd3..0000000
--- a/test-profiles/test_resources/ssl/java_broker.req
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN NEW CERTIFICATE REQUEST-----
-MIIC4zCCAcsCAQAwbjEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93
-bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMH
-VW5rbm93bjESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAq1zWGLqSHqnoIn5HjqSLSNQb5TV7qTeoKeVGJdfP13oXMllz
-y4JTCiXBen3l3YhpSxqGYccyEYeeUlMSWH1snv9kW5sh+fF8HjJrabQco+vkUqUi
-rvotaBQP71X1V+05AFxFhWfgdINwKzu6az5i2S6DWJ0Xkseuolo3cM/J+M245NJj
-3as0dX2bOu0qbqk4izDqqV1uiyUPUdn0jICC52ZLd2v9lBbUQD/ZvwMYWIiBw9pf
-PxvIw2OsqsKeh+I7RUoGBxDUdDvjlbNeJV7AmeoszI/3bHkncdCiObFMXdXmUVwc
-RJYDAq5eBhgK59WcwKPIqlOLismQwjN4ZxxvqQIDAQABoDAwLgYJKoZIhvcNAQkO
-MSEwHzAdBgNVHQ4EFgQU8NpCddyhoagntgXuH6eMGKnNxJswDQYJKoZIhvcNAQEN
-BQADggEBAHsfAScjTeIM+Mkmq7z29wl0+NdWyoDKt0PjG0/WffExGXG1FD6JrbP7
-UEeBY60WdypO9/Nx7I/sw/UOsOH297NuCMkFDitAk5/5XDVSYpywBi85XK72ODmv
-hWYn2MGP9YnfL3qOd75kpNgVBKt9+IVFFNgdUMfzDQpTQgmzdaRepM4HUuxJnNGN
-jcjA6b7rT0XQu7EJqM/Q1beJTVmwtv/3ZsBduJfksr2+fyC7wd344Equ8kfhZtd9
-YocJYdlZ//0RjWMv10hXNMD2Y+Nk4ldoFOXwv93JMcBn4Uy0TeZ9O/eI/jETT5TL
-FZUUWdHvGqN2/9L4EZ0rAyH87HpHV7I=
------END NEW CERTIFICATE REQUEST-----
diff --git a/test-profiles/test_resources/ssl/java_broker_expired_truststore.jks b/test-profiles/test_resources/ssl/java_broker_expired_truststore.jks
deleted file mode 100644
index 9bfe301..0000000
Binary files a/test-profiles/test_resources/ssl/java_broker_expired_truststore.jks and /dev/null differ
diff --git a/test-profiles/test_resources/ssl/java_broker_keystore.jks b/test-profiles/test_resources/ssl/java_broker_keystore.jks
deleted file mode 100644
index b45991f..0000000
Binary files a/test-profiles/test_resources/ssl/java_broker_keystore.jks and /dev/null differ
diff --git a/test-profiles/test_resources/ssl/java_broker_peerstore.jks b/test-profiles/test_resources/ssl/java_broker_peerstore.jks
deleted file mode 100644
index a5b307f..0000000
Binary files a/test-profiles/test_resources/ssl/java_broker_peerstore.jks and /dev/null differ
diff --git a/test-profiles/test_resources/ssl/java_broker_truststore.jks b/test-profiles/test_resources/ssl/java_broker_truststore.jks
deleted file mode 100644
index 4184adf..0000000
Binary files a/test-profiles/test_resources/ssl/java_broker_truststore.jks and /dev/null differ
diff --git a/test-profiles/test_resources/ssl/java_client_expired_keystore.jks b/test-profiles/test_resources/ssl/java_client_expired_keystore.jks
deleted file mode 100644
index cb9b876..0000000
Binary files a/test-profiles/test_resources/ssl/java_client_expired_keystore.jks and /dev/null differ
diff --git a/test-profiles/test_resources/ssl/java_client_keystore.jks b/test-profiles/test_resources/ssl/java_client_keystore.jks
deleted file mode 100644
index 9422d9a..0000000
Binary files a/test-profiles/test_resources/ssl/java_client_keystore.jks and /dev/null differ
diff --git a/test-profiles/test_resources/ssl/java_client_truststore.jks b/test-profiles/test_resources/ssl/java_client_truststore.jks
deleted file mode 100644
index 1b45a23..0000000
Binary files a/test-profiles/test_resources/ssl/java_client_truststore.jks and /dev/null differ
diff --git a/test-profiles/test_resources/ssl/java_client_untrusted_keystore.jks b/test-profiles/test_resources/ssl/java_client_untrusted_keystore.jks
deleted file mode 100644
index 8b0b023..0000000
Binary files a/test-profiles/test_resources/ssl/java_client_untrusted_keystore.jks and /dev/null differ
diff --git a/test-profiles/test_resources/ssl/pfile b/test-profiles/test_resources/ssl/pfile
deleted file mode 100644
index f3097ab..0000000
--- a/test-profiles/test_resources/ssl/pfile
+++ /dev/null
@@ -1 +0,0 @@
-password
diff --git a/test-profiles/test_resources/ssl/server_db/cert9.db b/test-profiles/test_resources/ssl/server_db/cert9.db
deleted file mode 100644
index 9a5f864..0000000
Binary files a/test-profiles/test_resources/ssl/server_db/cert9.db and /dev/null differ
diff --git a/test-profiles/test_resources/ssl/server_db/key4.db b/test-profiles/test_resources/ssl/server_db/key4.db
deleted file mode 100644
index f08d318..0000000
Binary files a/test-profiles/test_resources/ssl/server_db/key4.db and /dev/null differ
diff --git a/test-profiles/test_resources/ssl/server_db/pkcs11.txt b/test-profiles/test_resources/ssl/server_db/pkcs11.txt
deleted file mode 100644
index 440f523..0000000
--- a/test-profiles/test_resources/ssl/server_db/pkcs11.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-library=
-name=NSS Internal PKCS #11 Module
-parameters=configdir='server_db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
-NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
-
diff --git a/test-profiles/test_resources/ssl/server_db/server.crt b/test-profiles/test_resources/ssl/server_db/server.crt
deleted file mode 100644
index fb51ff1..0000000
--- a/test-profiles/test_resources/ssl/server_db/server.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDMDCCAhigAwIBAgIFALBcSo0wDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMC
-Q0ExEDAOBgNVBAgTB09udGFyaW8xDTALBgNVBAoTBEFDTUUxETAPBgNVBAMTCE15
-Um9vdENBMB4XDTE5MDIyNzE2MDQzNFoXDTI0MDIyNzE2MDQzNFowTjELMAkGA1UE
-BhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xDTALBgNVBAoTBEFDTUUxHjAcBgNVBAMT
-FWxvY2FsaG9zdC5sb2NhbGRvbWFpbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAMZvr9ZVPPPPgXlL/3tN57SmQRD8KKbK6F2DxPKPpV3FuhPxKRLVbDTp
-VgJ6geTSQXWlcCzZ7pr+J1Z7jU8tFb963i+kpFD21Z4xcaLTaHQvyiXMXgYJ/AU+
-0AQDrQN16Bkx/nbvXCtnfahp6Li3KUffEYjjLleuP5WwUSZJQ3oR74YQOKFZiDMU
-p5iUBiFWJ6Svey5usHOzycAeQVJYF8cdbTo3BL1mNFV8Q0aFD/qOsZoKNHZR8vb1
-ioBs1P9TdNO/fai/YZVkqq3I/wY9JoN7OmSPTtThuwZniSvOqsy2zkkEqG26HOnl
-BlRWshzyPaket8j4CrxZeVB4xmIbHvcCAwEAAaMiMCAwCQYDVR0TBAIwADATBgNV
-HSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQ0FAAOCAQEASvcXQIq2cyhujhoh
-DKZhenA1MqGTpWsrAo41obxVpzch/z7qrQsGUG/7qXm7XIQ8wPXKUJhQd5+ga5U0
-YV/QNu8Kz+5rxgCxv/hqHaajNfeOs8C3Oxk1IIg+9OC2bIRmR9SF84XBM2YrJuTe
-BlGszTNnOXQGoR0gOMl2EH+4kh00vVnRwrsSGHEWNqNprPFgauZ14bvCeeFJhsYd
-IjmrQgbGvt4463Kaw4gUstSrwQGOTGjqhEcUR6MER83HzDu0qoAHtQLNXh1NJ3M0
-BQg6Aaral1kfgWKbB88SgAAPMHBzIqG1ubYmRykEf+G6OOgBACp1CSiCskbJ59Wc
-2tbblQ==
------END CERTIFICATE-----
diff --git a/test-profiles/test_resources/ssl/server_db/server.req b/test-profiles/test_resources/ssl/server_db/server.req
deleted file mode 100644
index f2042ce..0000000
--- a/test-profiles/test_resources/ssl/server_db/server.req
+++ /dev/null
@@ -1,26 +0,0 @@
-
-Certificate request generated by Netscape certutil
-Phone: (not specified)
-
-Common Name: localhost.localdomain
-Email: (not specified)
-Organization: ACME
-State: Ontario
-Country: CA
-
------BEGIN NEW CERTIFICATE REQUEST-----
-MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xDTAL
-BgNVBAoTBEFDTUUxHjAcBgNVBAMTFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZvr9ZVPPPPgXlL/3tN57SmQRD8
-KKbK6F2DxPKPpV3FuhPxKRLVbDTpVgJ6geTSQXWlcCzZ7pr+J1Z7jU8tFb963i+k
-pFD21Z4xcaLTaHQvyiXMXgYJ/AU+0AQDrQN16Bkx/nbvXCtnfahp6Li3KUffEYjj
-LleuP5WwUSZJQ3oR74YQOKFZiDMUp5iUBiFWJ6Svey5usHOzycAeQVJYF8cdbTo3
-BL1mNFV8Q0aFD/qOsZoKNHZR8vb1ioBs1P9TdNO/fai/YZVkqq3I/wY9JoN7OmSP
-TtThuwZniSvOqsy2zkkEqG26HOnlBlRWshzyPaket8j4CrxZeVB4xmIbHvcCAwEA
-AaAAMA0GCSqGSIb3DQEBDQUAA4IBAQB65l4W5FqmHN0KIPS81qwdpncPw0XLM5Wf
-dVY8Q0GZ9AWm5pTBl472AdoL/2FtQEsLnIfDDR9WFDfREqP2grO+98vbMPofNLPH
-es9dOEXRAGMziqFUhFofyWIXZUBQI9nWn9kuNZRtK2JfftG+eMtT8KlibFgVdaHc
-C8/HwlnmoQVtXQeqnEMYK8hN1+4hp9OzwkiwSMBpTNtB9jejnYQe4U2DnWpWD1ko
-w0kAQpb36zSOkZZ0ZMaT7aTLpDmsOvj6bAj6nUxjcGFvSqVIaxyQb2y0JflM+IN7
-K0PL2I1Wi2AGA3WlBs/nY+Ol2NfcD/nsdZdtVNn6WV9DsfnyfS6L
------END NEW CERTIFICATE REQUEST-----

