fix tests for multiple certificates

The tests now actually check that a specific certificate is being used by only
loading the correct one into the trust chain while running the test. The
problem before was that openssl-req by default generates CA-capable certs which
are not accepted by rustls.

tests/data/multicert/create_certs.sh

@@ -2,27 +2,25 @@
 
 mkdir -p example.com example.org
 
-# create our own CA so we can use rustls without it complaining about using a
-# CA cert as end cert
-openssl req -x509 -newkey rsa:4096 -keyout ca_key.rsa -out ca_cert.pem -days 3650 -nodes -subj "/CN=example CA"
-
 for domain in "example.com" "example.org"
 do
+# create private key
 openssl genpkey -out $domain/key.rsa -algorithm RSA -pkeyopt rsa_keygen_bits:4096
 
+# create config file:
+# the generated certificates must not be CA-capable, otherwise rustls complains
 cat >openssl.conf <<EOT
 [req]
-default_bits       = 4096
+default_bits = 4096
 distinguished_name = req_distinguished_name
-req_extensions     = req_ext
-prompt             = no
+req_extensions = req_ext
+prompt = no
+
+[v3_ca]
+basicConstraints = critical, CA:false
 
 [req_distinguished_name]
-countryName                 = US
-stateOrProvinceName         = CA
-localityName                = Playa Vista
-organizationName            = IANA
-commonName                  = $domain
+commonName = $domain
 
 [req_ext]
 subjectAltName = DNS:$domain
@@ -30,9 +28,9 @@ EOT
 
 openssl req -new -sha256 -out request.csr -key $domain/key.rsa -config openssl.conf
 
-openssl x509 -req -sha256 -days 3650 -in request.csr -CA ca_cert.pem -CAkey ca_key.rsa \
-    -CAcreateserial -out $domain/cert.pem -extensions req_ext -extfile openssl.conf
+openssl x509 -req -sha256 -days 3650 -in request.csr -out $domain/cert.pem \
+	-extensions req_ext -extfile openssl.conf -signkey $domain/key.rsa
 done
 
 # clean up
-rm openssl.conf request.csr ca_cert.srl
+rm openssl.conf request.csr