diff --git a/pkg/acceptance/cluster/certs.go b/pkg/acceptance/cluster/certs.go
index 3cfe9279ab11..79ca3b9a2323 100644
--- a/pkg/acceptance/cluster/certs.go
+++ b/pkg/acceptance/cluster/certs.go
@@ -53,12 +53,12 @@ func GenerateCerts(ctx context.Context) func() {
 	// Root user.
 	maybePanic(security.CreateClientPair(
 		certsDir, filepath.Join(certsDir, security.EmbeddedCAKey),
-		2048, 48*time.Hour, false, security.RootUserName(), true /* generate pk8 key */))
+		2048, 48*time.Hour, false, security.RootUserName(), "" /* tenantID */, true /* generate pk8 key */))
 
 	// Test user.
 	maybePanic(security.CreateClientPair(
 		certsDir, filepath.Join(certsDir, security.EmbeddedCAKey),
-		1024, 48*time.Hour, false, security.TestUserName(), true /* generate pk8 key */))
+		1024, 48*time.Hour, false, security.TestUserName(), "" /* tenantID */, true /* generate pk8 key */))
 
 	// Certs for starting a cockroach server. Key size is from cli/cert.go:defaultKeySize.
 	maybePanic(security.CreateNodePair(
diff --git a/pkg/cli/cert.go b/pkg/cli/cert.go
index 51580c3782ae..0182bf3131d6 100644
--- a/pkg/cli/cert.go
+++ b/pkg/cli/cert.go
@@ -177,6 +177,7 @@ func runCreateClientCert(cmd *cobra.Command, args []string) error {
 			certCtx.certificateLifetime,
 			certCtx.overwriteFiles,
 			username,
+			certCtx.tenantScope,
 			certCtx.generatePKCS8Key),
 		"failed to generate client certificate and key")
 }
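Review bot: `certCtx.tenantScope` reaches `security.CreateClientPair` as a raw string with no check visible in this hunk, so a value such as `--tenant-scope=abc` is caught only if the callee validates it, and the callee is not shown here. The `--tenant-id` flag added in pkg/cli/flags.go is parsed through `tenantIDSetter`, whereas this flag is registered with `stringFlag`. Parsing the scope the same way, or calling `roachpb.ParseTenantID(certCtx.tenantScope)` before this call when the value is non-empty, would reject a malformed scope before any certificate is written. The body of runCreateClientCert starts outside the hunk.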
diff --git a/pkg/cli/client_url.go b/pkg/cli/client_url.go
index c5116388c1ae..1fa945e5b281 100644
--- a/pkg/cli/client_url.go
+++ b/pkg/cli/client_url.go
@@ -16,7 +16,6 @@ import (
 	"path/filepath"
 
 	"github.com/cockroachdb/cockroach/pkg/cli/cliflags"
-	"github.com/cockroachdb/cockroach/pkg/roachpb"
 	"github.com/cockroachdb/cockroach/pkg/rpc"
 	"github.com/cockroachdb/cockroach/pkg/security"
 	"github.com/cockroachdb/cockroach/pkg/server/pgurl"
@@ -360,7 +359,7 @@ func (cliCtx *cliContext) makeClientConnURL() (*pgurl.URL, error) {
 		userName = security.RootUserName()
 	}
 
-	sCtx := rpc.MakeSecurityContext(cliCtx.Config, security.CommandTLSSettings{}, roachpb.SystemTenantID)
+	sCtx := rpc.MakeSecurityContext(cliCtx.Config, security.CommandTLSSettings{}, cliCtx.tenantID)
 	if err := sCtx.LoadSecurityOptions(purl, userName); err != nil {
 		return nil, err
 	}
diff --git a/pkg/cli/cliflags/flags.go b/pkg/cli/cliflags/flags.go
index c35d6b1c8d07..b38a4135873f 100644
--- a/pkg/cli/cliflags/flags.go
+++ b/pkg/cli/cliflags/flags.go
@@ -734,6 +734,14 @@ Note: that --external-io-disable-http or --external-io-disable-implicit-credenti
 		Description: `Certificate and key files are overwritten if they exist.`,
 	}
 
+	TenantScope = FlagInfo{
+		Name: "tenant-scope",
+		Description: `Assign a tenant scope to the certificate.
+This will allow for the certificate to only be used specifically for a particular
+tenant. This flag is optional, when omitted, the certificate is not tied
+for usage on a specific tenant.`,
+	}
+
 	GeneratePKCS8Key = FlagInfo{
 		Name:        "also-generate-pkcs8-key",
 		Description: `Also write the key in pkcs8 format to <certs-dir>/client.<username>.key.pk8.`,
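Review bot: The `TenantScope` description never says what value the flag takes, so a reader cannot tell that a numeric tenant ID is expected, and the last sentence ("not tied for usage on") is hard to parse. Suggested text: `Restrict the client certificate to the tenant with the given numeric ID. Optional; when omitted, the certificate is not tied to a specific tenant.`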
@@ -1465,6 +1473,14 @@ Can be set to 1 to ensure only one node is polled for data at a time.
 `,
 	}
 
+	ZipTenant = FlagInfo{
+		Name: "tenant-id",
+		Description: `
+Specify the tenant ID of the server. This is required to be set while
+running debug zip against a SQL only server for a tenant.
+`,
+	}
+
 	StmtDiagDeleteAll = FlagInfo{
 		Name:        "all",
 		Description: `Delete all bundles.`,
diff --git a/pkg/cli/context.go b/pkg/cli/context.go
index 25c3da5d0621..bbfd8e32ebc5 100644
--- a/pkg/cli/context.go
+++ b/pkg/cli/context.go
@@ -26,6 +26,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/cli/clisqlshell"
 	"github.com/cockroachdb/cockroach/pkg/cli/democluster"
 	"github.com/cockroachdb/cockroach/pkg/config/zonepb"
+	"github.com/cockroachdb/cockroach/pkg/roachpb"
 	"github.com/cockroachdb/cockroach/pkg/security"
 	"github.com/cockroachdb/cockroach/pkg/server"
 	"github.com/cockroachdb/cockroach/pkg/server/pgurl"
@@ -200,6 +201,10 @@ type cliContext struct {
 
 	// For `cockroach version --build-tag`.
 	showVersionUsingOnlyBuildTag bool
+
+	// tenantID indicates the tenant to run the CLI utility against.
+	// Default value is the system tenant.
+	tenantID roachpb.TenantID
 }
 
 // cliCtx captures the command-line parameters common to most CLI utilities.
@@ -233,6 +238,7 @@ func setCliContextDefaults() {
 	// TODO(knz): Deprecated in v21.1. Remove this.
 	cliCtx.deprecatedLogOverrides.reset()
 	cliCtx.showVersionUsingOnlyBuildTag = false
+	cliCtx.tenantID = roachpb.SystemTenantID
 }
 
 // sqlConnContext captures the connection configuration for all SQL
@@ -266,6 +272,10 @@ var certCtx struct {
 	// This configuration flag is only used for 'cert' commands
 	// that generate certificates.
 	certPrincipalMap []string
+	// tenantScope indicates the ID of the tenant that a certificate is being
+	// scoped to. By creating a tenant-scoped certicate, the usage of that certificate
+	// is restricted to a specific tenant.
+	tenantScope string
 }
 
 func setCertContextDefaults() {
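Review bot: The new comment on `tenantScope` misspells "certificate" (`certicate`) and calls the field "the ID of the tenant" although it is a `string`, unlike the `roachpb.TenantID` fields added to `cliContext` and `zipContext` in this file. Suggested comment: `// tenantScope is the tenant ID, as typed on the command line, that a generated client certificate is scoped to; empty means the certificate is not tied to a tenant.`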
@@ -278,6 +288,7 @@ func setCertContextDefaults() {
 	certCtx.overwriteFiles = false
 	certCtx.generatePKCS8Key = false
 	certCtx.certPrincipalMap = nil
+	certCtx.tenantScope = ""
 }
 
 var sqlExecCtx = clisqlexec.Context{
@@ -345,6 +356,10 @@ type zipContext struct {
 
 	// The log/heap/etc files to include.
 	files fileSelection
+
+	// tenantID of the server being connected to. This flag should
+	// be set while running debug zip against a tenant SQL server.
+	tenantID roachpb.TenantID
 }
 
 // setZipContextDefaults set the default values in zipCtx.  This
@@ -364,6 +379,7 @@ func setZipContextDefaults() {
 	now := timeutil.Now()
 	zipCtx.files.startTimestamp = timestampValue(now.Add(-48 * time.Hour))
 	zipCtx.files.endTimestamp = timestampValue(now.Add(24 * time.Hour))
+	zipCtx.tenantID = roachpb.SystemTenantID
 }
 
 // dumpCtx captures the command-line parameters of the `dump` command.
diff --git a/pkg/cli/democluster/demo_cluster.go b/pkg/cli/democluster/demo_cluster.go
index 394b26c5539e..e9298066d6e3 100644
--- a/pkg/cli/democluster/demo_cluster.go
+++ b/pkg/cli/democluster/demo_cluster.go
@@ -1073,6 +1073,7 @@ func (demoCtx *Context) generateCerts(certsDir string) (err error) {
 		demoCtx.DefaultCertLifetime,
 		false, /* overwrite */
 		security.RootUserName(),
+		"",    /* tenantID */
 		false, /* generatePKCS8Key */
 	); err != nil {
 		return err
diff --git a/pkg/cli/flags.go b/pkg/cli/flags.go
index 27d72e1653d9..ccf3ea3c25c1 100644
--- a/pkg/cli/flags.go
+++ b/pkg/cli/flags.go
@@ -271,6 +271,33 @@ func (f *keyTypeFilter) Set(v string) error {
 	return nil
 }
 
+// tenantIDSetter wraps the tenantID variable within zipContext
+// and verifies its value during execution.
+type tenantIDSetter struct {
+	tenantID *roachpb.TenantID
+}
+
+// String implements the pflag.Value interface.
+func (t tenantIDSetter) String() string { return t.tenantID.String() }
+
+// Type implements the pflag.Value interface.
+func (t tenantIDSetter) Type() string { return "<uint>" }
+
+// Set implements the pflag.Value interface.
+func (t tenantIDSetter) Set(v string) error {
+	if v == "" {
+		*t.tenantID = roachpb.SystemTenantID
+		return nil
+	}
+
+	tID, err := roachpb.ParseTenantID(v)
+	if err != nil {
+		return err
+	}
+	*t.tenantID = tID
+	return nil
+}
+
 const backgroundEnvVar = "COCKROACH_BACKGROUND_RESTART"
 
 // flagSetForCmd is a replacement for cmd.Flag() that properly merges
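Review bot: `Set` maps an empty value to the system tenant, so `--tenant-id=` (for instance from an unset shell variable) silently targets the system tenant instead of failing. The default is already `roachpb.SystemTenantID` (set in setZipContextDefaults), so the empty-string branch can be dropped and `roachpb.ParseTenantID` left to reject the input. `String` also dereferences `t.tenantID` without a nil check, which is safe only while every construction passes a non-nil pointer, as the registration in `init` does.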
@@ -580,6 +607,7 @@ func init() {
 		stringFlag(f, &certCtx.caKey, cliflags.CAKey)
 		intFlag(f, &certCtx.keySize, cliflags.KeySize)
 		boolFlag(f, &certCtx.overwriteFiles, cliflags.OverwriteFiles)
+		stringFlag(f, &certCtx.tenantScope, cliflags.TenantScope)
 
 		if strings.HasSuffix(cmd.Name(), "-ca") {
 			// CA-only commands.
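Review bot: `--tenant-scope` is registered in the part of the loop that precedes the `-ca` branch, so as far as this hunk shows, the CA commands and any other cert subcommand in the loop accept it too, although only `runCreateClientCert` is seen consuming `certCtx.tenantScope`. A user who passes it to a command that ignores it gets no error and may believe the resulting certificate is scoped. Consider registering the flag only for the client-certificate command. The loop header is outside the hunk, so the exact set of affected commands should be confirmed.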
@@ -684,6 +712,7 @@ func init() {
 		boolFlag(f, &zipCtx.redactLogs, cliflags.ZipRedactLogs)
 		durationFlag(f, &zipCtx.cpuProfDuration, cliflags.ZipCPUProfileDuration)
 		intFlag(f, &zipCtx.concurrency, cliflags.ZipConcurrency)
+		varFlag(f, tenantIDSetter{&zipCtx.tenantID}, cliflags.ZipTenant)
 	}
 	// List-files + Zip commands.
 	for _, cmd := range []*cobra.Command{debugZipCmd, debugListFilesCmd} {
diff --git a/pkg/cli/start.go b/pkg/cli/start.go
index e44047f80a3f..2e7a75ec4c98 100644
--- a/pkg/cli/start.go
+++ b/pkg/cli/start.go
@@ -1263,7 +1263,7 @@ func getClientGRPCConn(
 	stopper := stop.NewStopper(stop.WithTracer(tracer))
 	rpcContext := rpc.NewContext(ctx,
 		rpc.ContextOptions{
-			TenantID: roachpb.SystemTenantID,
+			TenantID: cfg.TenantID,
 			Config:   cfg.Config,
 			Clock:    clock,
 			Stopper:  stopper,
diff --git a/pkg/cli/testdata/zip/testzip_tenant b/pkg/cli/testdata/zip/testzip_tenant
index 10a2c3a09043..316c9024c282 100644
--- a/pkg/cli/testdata/zip/testzip_tenant
+++ b/pkg/cli/testdata/zip/testzip_tenant
@@ -1,6 +1,6 @@
 zip
 ----
-debug zip --concurrency=1 --cpu-profile-duration=1s /dev/null
+debug zip --concurrency=1 --cpu-profile-duration=1s --tenant-id=10 /dev/null
 [cluster] establishing RPC connection to ...
 [cluster] retrieving the node status to get the SQL address... done
 [cluster] using SQL address: ...
diff --git a/pkg/cli/testutils.go b/pkg/cli/testutils.go
index 7d411763c07e..8b27159e6bca 100644
--- a/pkg/cli/testutils.go
+++ b/pkg/cli/testutils.go
@@ -328,18 +328,30 @@ func isSQLCommand(args []string) (bool, error) {
 	return false, nil
 }
 
-func (c TestCLI) getRPCAddr() string {
-	if c.tenant != nil {
-		return c.tenant.RPCAddr()
+func (c TestCLI) getRPCAddr(tenantID roachpb.TenantID) (string, error) {
+	if tenantID == roachpb.SystemTenantID {
+		return c.ServingRPCAddr(), nil
 	}
-	return c.ServingRPCAddr()
+	if c.tenant == nil {
+		return "", errors.Errorf("cannot run CLI for tenant %d on system tenant", tenantID)
+	}
+	if c.tenant.RPCContext().TenantID != tenantID {
+		return "", errors.Errorf("cannot run CLI for tenant %d on tenant %d", tenantID, c.tenant.RPCContext().TenantID)
+	}
+	return c.tenant.RPCAddr(), nil
 }
 
-func (c TestCLI) getSQLAddr() string {
-	if c.tenant != nil {
-		return c.tenant.SQLAddr()
+func (c TestCLI) getSQLAddr(tenantID roachpb.TenantID) (string, error) {
+	if tenantID == roachpb.SystemTenantID {
+		return c.ServingSQLAddr(), nil
+	}
+	if c.tenant == nil {
+		return "", errors.Errorf("cannot run CLI for tenant %d on system tenant", tenantID)
 	}
-	return c.ServingSQLAddr()
+	if c.tenant.RPCContext().TenantID != tenantID {
+		return "", errors.Errorf("cannot run CLI for tenant %d on tenant %d", tenantID, c.tenant.RPCContext().TenantID)
+	}
+	return c.tenant.SQLAddr(), nil
 }
 
 // RunWithArgs add args according to TestCLI cfg.
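Review bot: The new error messages format `tenantID` with `%d`, but `roachpb.TenantID` is a composite type (see `roachpb.TenantID{}` in getTenantID further down), so the verb will most likely print something like `{10}` rather than `10`. Using `%s`, as pkg/security/auth.go does, or passing `tenantID.ToUint64()` would read correctly. `getRPCAddr` and `getSQLAddr` also repeat the same nil and mismatch checks line for line; a small shared helper that returns the error would keep them in step.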
@@ -349,11 +361,21 @@ func (c TestCLI) RunWithArgs(origArgs []string) {
 	if err := func() error {
 		args := append([]string(nil), origArgs[:1]...)
 		if c.TestServer != nil {
-			addr := c.getRPCAddr()
+			tenantID, err := getTenantID(origArgs)
+			if err != nil {
+				return err
+			}
+			addr, err := c.getRPCAddr(tenantID)
+			if err != nil {
+				return err
+			}
 			if isSQL, err := isSQLCommand(origArgs); err != nil {
 				return err
 			} else if isSQL {
-				addr = c.getSQLAddr()
+				addr, err = c.getSQLAddr(tenantID)
+				if err != nil {
+					return err
+				}
 			}
 			h, p, err := net.SplitHostPort(addr)
 			if err != nil {
@@ -526,3 +548,20 @@ func MatchCSV(csvStr string, matchColRow [][]string) (err error) {
 	}
 	return err
 }
+
+func getTenantID(args []string) (roachpb.TenantID, error) {
+	for _, arg := range args {
+		if strings.HasPrefix(arg, "--tenant-id") {
+			parts := strings.Split(arg, "=")
+			if len(parts) != 2 {
+				return roachpb.TenantID{}, errors.Errorf("invalid tenant-id argument %s", arg)
+			}
+			tenantID, err := roachpb.ParseTenantID(parts[1])
+			if err != nil {
+				return roachpb.TenantID{}, nil
+			}
+			return tenantID, nil
+		}
+	}
+	return roachpb.SystemTenantID, nil
+}
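Review bot: When `roachpb.ParseTenantID` fails, `getTenantID` returns `roachpb.TenantID{}, nil`, so the parse error is dropped and the caller carries on with a zero-valued tenant ID; the line should be `return roachpb.TenantID{}, err`. The `strings.HasPrefix(arg, "--tenant-id")` match also accepts any argument that merely starts with that text. Testing for `--tenant-id=` and taking the remainder with `strings.TrimPrefix` would be tighter than splitting on `=`. The function has no doc comment; `// getTenantID returns the tenant ID given via --tenant-id=<id> in args, or the system tenant when the flag is absent.` would do.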
diff --git a/pkg/cli/zip.go b/pkg/cli/zip.go
index aed5db2dbf2e..459544d9d803 100644
--- a/pkg/cli/zip.go
+++ b/pkg/cli/zip.go
@@ -166,6 +166,7 @@ func runDebugZip(_ *cobra.Command, args []string) (retErr error) {
 	zr := zipCtx.newZipReporter("cluster")
 
 	s := zr.start("establishing RPC connection to %s", serverCfg.AdvertiseAddr)
+	serverCfg.TenantID = zipCtx.tenantID
 	conn, _, finish, err := getClientGRPCConn(ctx, serverCfg)
 	if err != nil {
 		return s.fail(err)
@@ -192,6 +193,7 @@ func runDebugZip(_ *cobra.Command, args []string) (retErr error) {
 	s = zr.start("using SQL address: %s", sqlAddr.AddressField)
 
 	cliCtx.clientConnHost, cliCtx.clientConnPort, err = net.SplitHostPort(sqlAddr.AddressField)
+	cliCtx.tenantID = zipCtx.tenantID
 	if err != nil {
 		return s.fail(err)
 	}
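Review bot: `cliCtx.tenantID = zipCtx.tenantID` sits between the `net.SplitHostPort` call and its `if err != nil` check, which separates the error from the call that produced it and mutates the package-level `cliCtx` even on the failure path. Moving the assignment below the check keeps the idiom intact and leaves `cliCtx` untouched when the address is bad. runDebugZip continues outside the hunk.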
diff --git a/pkg/cli/zip_tenant_test.go b/pkg/cli/zip_tenant_test.go
index 099fff97a0a6..a6225c6b5668 100644
--- a/pkg/cli/zip_tenant_test.go
+++ b/pkg/cli/zip_tenant_test.go
@@ -11,6 +11,7 @@
 package cli
 
 import (
+	"fmt"
 	"os"
 	"testing"
 
@@ -34,8 +35,9 @@ func TestTenantZip(t *testing.T) {
 	skip.UnderRace(t, "test too slow under race")
 	tenantDir, tenantDirCleanupFn := testutils.TempDir(t)
 	defer tenantDirCleanupFn()
+	tenantID := serverutils.TestTenantID()
 	tenantArgs := base.TestTenantArgs{
-		TenantID:             serverutils.TestTenantID(),
+		TenantID:             tenantID,
 		HeapProfileDirName:   tenantDir,
 		GoroutineDumpDirName: tenantDir,
 	}
@@ -53,7 +55,8 @@ func TestTenantZip(t *testing.T) {
 	})
 	defer c.Cleanup()
 
-	out, err := c.RunWithCapture("debug zip --concurrency=1 --cpu-profile-duration=1s " + os.DevNull)
+	zipCmd := fmt.Sprintf("debug zip --concurrency=1 --cpu-profile-duration=1s --tenant-id=%d %s", tenantID.ToUint64(), os.DevNull)
+	out, err := c.RunWithCapture(zipCmd)
 	if err != nil {
 		t.Fatal(err)
 	}
diff --git a/pkg/roachpb/tenant.go b/pkg/roachpb/tenant.go
index 191a1fc69985..1ce4bc94877f 100644
--- a/pkg/roachpb/tenant.go
+++ b/pkg/roachpb/tenant.go
@@ -14,6 +14,8 @@ import (
 	"context"
 	"math"
 	"strconv"
+
+	"github.com/cockroachdb/errors"
 )
 
 // SystemTenantID is the ID associated with the system's internal tenant in a
@@ -97,5 +99,14 @@ func TenantFromContext(ctx context.Context) (tenID TenantID, ok bool) {
 	return
 }
 
+// ParseTenantID parses a tenant ID contained a string.
+func ParseTenantID(tenantID string) (TenantID, error) {
+	tID, err := strconv.ParseUint(tenantID, 10, 64)
+	if err != nil {
+		return TenantID{}, errors.Wrapf(err, "invalid tenant ID %s, tenant ID should be an unsigned int greater than 0", tenantID)
+	}
+	return MakeTenantID(tID), nil
+}
+
 // Silence unused warning.
 var _ = TenantFromContext
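Review bot: `ParseTenantID` tells the caller the ID must be "greater than 0" but never checks it: `strconv.ParseUint` accepts `"0"`, and the value goes straight to `MakeTenantID`, whose handling of zero is not visible here. In this change the function parses a CLI flag, part of a certificate file name and the URI SAN of a peer certificate, so the zero case should return an error on its own, e.g. `if tID == 0 { return TenantID{}, errors.Errorf("invalid tenant ID 0") }` before the `MakeTenantID` call. The doc comment should read `contained in a string`.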
diff --git a/pkg/rpc/pg.go b/pkg/rpc/pg.go
index 56933e81ee25..f39aaa1ead99 100644
--- a/pkg/rpc/pg.go
+++ b/pkg/rpc/pg.go
@@ -77,34 +77,28 @@ func (ctx *SecurityContext) LoadSecurityOptions(u *pgurl.URL, username security.
 		// (Re)populate the transport information.
 		u.WithTransport(pgurl.TransportTLS(tlsMode, caCertPath))
 
-		var missing bool // certs found on file system?
-		loader := security.GetAssetLoader()
-
 		// Fetch client certs, but don't fail if they're absent, we may be
 		// using a password.
 		certPath := ctx.ClientCertPath(username)
 		keyPath := ctx.ClientKeyPath(username)
-		_, err1 := loader.Stat(certPath)
-		_, err2 := loader.Stat(keyPath)
-		if err1 != nil || err2 != nil {
-			missing = true
+		certsAvailable := checkCertAndKeyAvailable(certPath, keyPath)
+		if !certsAvailable {
+			// Fetch tenant scoped client certs, if any.
+			certPath = ctx.ClientForTenantCertPath(username, ctx.tenID.String())
+			keyPath = ctx.ClientForTenantKeyPath(username, ctx.tenID.String())
+			certsAvailable = checkCertAndKeyAvailable(certPath, keyPath)
 		}
 		// If the command specifies user node, and we did not find
 		// client.node.crt, try with just node.crt.
-		if missing && username.IsNodeUser() {
-			missing = false
+		if !certsAvailable && username.IsNodeUser() {
 			certPath = ctx.NodeCertPath()
 			keyPath = ctx.NodeKeyPath()
-			_, err1 = loader.Stat(certPath)
-			_, err2 = loader.Stat(keyPath)
-			if err1 != nil || err2 != nil {
-				missing = true
-			}
+			certsAvailable = checkCertAndKeyAvailable(certPath, keyPath)
 		}
 
 		// If we found some certs, add them to the URL authentication
 		// method.
-		if !missing {
+		if certsAvailable {
 			pwEnabled, hasPw, pwd := u.GetAuthnPassword()
 			if !pwEnabled {
 				u.WithAuthn(pgurl.AuthnClientCert(certPath, keyPath))
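Review bot: The lookup tries the unscoped `client.<user>` pair first and falls back to the tenant-scoped pair only when that is missing, so a certs directory holding both always presents the broader credential, even when `ctx.tenID` names a non-system tenant. If least privilege is the aim, consider trying `ClientForTenantCertPath`/`ClientForTenantKeyPath` first whenever `ctx.tenID` is not the system tenant. The comment `we did not find client.node.crt` is also out of date now that a second location has been tried before the node fallback. LoadSecurityOptions starts and ends outside the hunk.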
@@ -130,3 +124,10 @@ func (ctx *SecurityContext) PGURL(user *url.Userinfo) (*pgurl.URL, error) {
 	}
 	return u, nil
 }
+
+func checkCertAndKeyAvailable(certPath string, keyPath string) bool {
+	loader := security.GetAssetLoader()
+	_, err1 := loader.Stat(certPath)
+	_, err2 := loader.Stat(keyPath)
+	return err1 == nil && err2 == nil
+}
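Review bot: `checkCertAndKeyAvailable` has no doc comment and folds every `Stat` error into "not available", so a failure other than a missing file is indistinguishable from absence. The caller then quietly moves on to the next candidate path or to password authentication. This matches the code it replaces, but it deserves to be stated. Suggested comment: `// checkCertAndKeyAvailable reports whether the asset loader can stat both files; any Stat error, not only absence, counts as unavailable.`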
diff --git a/pkg/security/BUILD.bazel b/pkg/security/BUILD.bazel
index 756adbb8c1d0..911d2bcaec2b 100644
--- a/pkg/security/BUILD.bazel
+++ b/pkg/security/BUILD.bazel
@@ -23,6 +23,7 @@ go_library(
     visibility = ["//visibility:public"],
     deps = [
         "//pkg/clusterversion",
+        "//pkg/roachpb",
         "//pkg/server/telemetry",
         "//pkg/settings",
         "//pkg/settings/cluster",
diff --git a/pkg/security/auth.go b/pkg/security/auth.go
index 0e38efdb3e7a..e7cc43d5142a 100644
--- a/pkg/security/auth.go
+++ b/pkg/security/auth.go
@@ -17,6 +17,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/cockroachdb/cockroach/pkg/roachpb"
 	"github.com/cockroachdb/cockroach/pkg/util/syncutil"
 	"github.com/cockroachdb/errors"
 )
@@ -108,15 +109,22 @@ func Contains(sl []string, s string) bool {
 
 // UserAuthCertHook builds an authentication hook based on the security
 // mode and client certificate.
-func UserAuthCertHook(insecureMode bool, tlsState *tls.ConnectionState) (UserAuthHook, error) {
+func UserAuthCertHook(
+	insecureMode bool, tlsState *tls.ConnectionState, tenantID roachpb.TenantID,
+) (UserAuthHook, error) {
 	var certUsers []string
-
+	var certTenantID roachpb.TenantID
+	var isTenantScopedCert bool
 	if !insecureMode {
 		var err error
 		certUsers, err = GetCertificateUsers(tlsState)
 		if err != nil {
 			return nil, err
 		}
+		certTenantID, isTenantScopedCert, err = maybeGetTenantScopeFromClientCert(tlsState)
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	return func(ctx context.Context, systemIdentity SQLUsername, clientConnection bool) error {
@@ -141,8 +149,19 @@ func UserAuthCertHook(insecureMode bool, tlsState *tls.ConnectionState) (UserAut
 			return errors.Errorf("using tenant client certificate as user certificate is not allowed")
 		}
 
-		// The client certificate user must match the requested user.
-		if !Contains(certUsers, systemIdentity.Normalized()) {
+		// If the certificate is a tenant scoped client certificate, we should enforce that the tenant ID
+		// and client name matches with the certificate. Otherwise, it is sufficient to just check that the
+		// client name matches the certificate.
+		// TODO(rima): Should we enforce always using tenant scoped client cert for non-system tenants?
+		if isTenantScopedCert {
+			// Enforce that the tenant ID *and* user matches the certificate
+			if tenantID != certTenantID {
+				return errors.Errorf("certificate is for tenant ID %s, but current tenant ID is %s", certTenantID, tenantID)
+			}
+			if !Contains(certUsers, systemIdentity.Normalized()) {
+				return errors.Errorf("requested user is %s, but certificate is for %s", systemIdentity, certUsers)
+			}
+		} else if !Contains(certUsers, systemIdentity.Normalized()) {
 			return errors.Errorf("requested user is %s, but certificate is for %s", systemIdentity, certUsers)
 		}
 
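Review bot: Both branches end in the same `Contains(certUsers, systemIdentity.Normalized())` check with the same error, so the `if`/`else if` can be flattened. Use `if isTenantScopedCert && tenantID != certTenantID { return errors.Errorf(...) }` followed by the single existing user check. The flattened form also makes it plain that a certificate without a tenant URI is still accepted for any `tenantID`, which is the open question in the TODO and is pinned by the `"foo"` / tenant 123 case in auth_test.go. The closure continues outside the hunk.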
@@ -220,3 +239,37 @@ func (i *PasswordUserAuthError) Format(s fmt.State, verb rune) { errors.FormatEr
 func (i *PasswordUserAuthError) FormatError(p errors.Printer) error {
 	return i.err
 }
+
+// maybeGetTenantScopeFromClientCert returns a tenantID if the client certificate is scoped
+// to a tenant. It returns a bool value which is set to true if the certificate is a tenant
+// scoped client certificate.
+func maybeGetTenantScopeFromClientCert(
+	tlsState *tls.ConnectionState,
+) (tenantScope roachpb.TenantID, isTenantScopedCert bool, _ error) {
+	if tlsState == nil {
+		return roachpb.TenantID{}, false, errors.Errorf("request is not using TLS")
+	}
+	if len(tlsState.PeerCertificates) == 0 {
+		return roachpb.TenantID{}, false, errors.Errorf("no client certificates in request")
+	}
+	// The go server handshake code verifies the first certificate, using
+	// any following certificates as intermediates. See:
+	// https://github.com/golang/go/blob/go1.8.1/src/crypto/tls/handshake_server.go#L723:L742
+	peerCert := tlsState.PeerCertificates[0]
+	uris := peerCert.URIs
+	var tenantID roachpb.TenantID
+	var err error
+	for _, uri := range uris {
+		if uri.Host == "tenant" {
+			tenantInfo := strings.TrimPrefix(uri.Path, "/")
+			tenantID, err = roachpb.ParseTenantID(tenantInfo)
+			if err != nil {
+				return roachpb.TenantID{}, true, errors.Wrapf(err, "tenant ID: %s contained in cert is invalid", tenantInfo)
+			}
+			return tenantID, true, nil
+		}
+	}
+
+	// No tenant info contained within cert, return default system tenant
+	return roachpb.SystemTenantID, false, nil
+}
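Review bot: The loop treats any URI SAN whose host is `tenant` as a tenant scope and never looks at `uri.Scheme`, so a URI with an unrelated scheme and the same host would be parsed as a scope, although the tests only use the form `crdb://tenant/123`. Tightening the condition to `if uri.Scheme == "crdb" && uri.Host == "tenant"` keeps unrelated URIs from being interpreted; the scheme is taken from the test spec and should be confirmed against the certificate-generation side. Only the first matching URI is honoured, so a certificate carrying two different tenant URIs is accepted with the first one; returning an error in that case would be stricter.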
diff --git a/pkg/security/auth_test.go b/pkg/security/auth_test.go
index def5a48a6aa7..fa981e4a6353 100644
--- a/pkg/security/auth_test.go
+++ b/pkg/security/auth_test.go
@@ -15,9 +15,11 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"net/url"
 	"strings"
 	"testing"
 
+	"github.com/cockroachdb/cockroach/pkg/roachpb"
 	"github.com/cockroachdb/cockroach/pkg/security"
 	"github.com/cockroachdb/cockroach/pkg/testutils"
 	"github.com/cockroachdb/cockroach/pkg/util/leaktest"
@@ -25,18 +27,24 @@ import (
 )
 
 // Construct a fake tls.ConnectionState object. The spec is a semicolon
-// separated list if peer certificate specifications. Each peer certificate
+// separated list of peer certificate specifications. Each peer certificate
 // specification can have an optional OU in parenthesis followed by
 // a comma separated list of names where the first name is the
-// CommonName and the remaining names are SubjectAlternateNames. For example,
+// CommonName and the remaining names are SubjectAlternateNames.
+// The SubjectAlternateNames can go under DNSNames or URIs. To distinguish
+// the two, prefix the SAN with the type dns: or uri:. For example,
 // "foo" creates a single peer certificate with the CommonName "foo". The spec
-// "foo,bar" creates a single peer certificate with the CommonName "foo" and a
-// single SubjectAlternateName "bar". "(Tenants)foo,bar" creates a single
-// tenant client certificate with OU=Tenants, CN=foo and subjectAlternativeName=bar
+// "foo,dns:bar,dns:blah" creates a single peer certificate with the CommonName "foo" and a
+// DNSNames "bar" and "blah". "(Tenants)foo,dns:bar" creates a single
+// tenant client certificate with OU=Tenants, CN=foo and DNSName=bar.
+// A spec with "foo,dns:bar,uri:crdb://tenant/123" creates a single peer certificate
+// with CommonName foo, DNSName bar and URI set to crdb://tenant/123.
 // Contrast that with "foo;bar" which creates two peer certificates with the
 // CommonNames "foo" and "bar" respectively.
-func makeFakeTLSState(spec string) *tls.ConnectionState {
+func makeFakeTLSState(t *testing.T, spec string) *tls.ConnectionState {
 	tls := &tls.ConnectionState{}
+	uriPrefix := "uri:"
+	dnsPrefix := "dns:"
 	if spec != "" {
 		for _, peerSpec := range strings.Split(spec, ";") {
 			var ou []string
@@ -54,7 +62,20 @@ func makeFakeTLSState(spec string) *tls.ConnectionState {
 				CommonName:         names[0],
 				OrganizationalUnit: ou,
 			}
-			peerCert.DNSNames = names[1:]
+			for i := 1; i < len(names); i++ {
+				if strings.HasPrefix(names[i], dnsPrefix) {
+					peerCert.DNSNames = append(peerCert.DNSNames, strings.TrimPrefix(names[i], dnsPrefix))
+				} else if strings.HasPrefix(names[i], uriPrefix) {
+					rawURI := strings.TrimPrefix(names[i], uriPrefix)
+					url, err := url.Parse(rawURI)
+					if err != nil {
+						t.Fatalf("unable to create tls spec due to invalid URI %s", rawURI)
+					}
+					peerCert.URIs = append(peerCert.URIs, url)
+				} else {
+					t.Fatalf("subject altername names are expected to have uri: or dns: prefix")
+				}
+			}
 			tls.PeerCertificates = append(tls.PeerCertificates, peerCert)
 		}
 	}
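Review bot: The local variable in `url, err := url.Parse(rawURI)` shadows the `net/url` package for the rest of that block; a name such as `parsedURI` avoids the shadowing. The `t.Fatalf` for a bad URI drops `err` from its message, and the message in the final branch misspells "alternative" as `altername`. Since `makeFakeTLSState` can now fail the test, a `t.Helper()` call at its top would attribute failures to the calling test line.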
@@ -69,33 +90,33 @@ func TestGetCertificateUsers(t *testing.T) {
 	}
 
 	// No certificates.
-	if _, err := security.GetCertificateUsers(makeFakeTLSState("")); err == nil {
+	if _, err := security.GetCertificateUsers(makeFakeTLSState(t, "")); err == nil {
 		t.Error("unexpected success")
 	}
 
 	// Good request: single certificate.
-	if names, err := security.GetCertificateUsers(makeFakeTLSState("foo")); err != nil {
+	if names, err := security.GetCertificateUsers(makeFakeTLSState(t, "foo")); err != nil {
 		t.Error(err)
 	} else {
 		require.EqualValues(t, names, []string{"foo"})
 	}
 
 	// Request with multiple certs, but only one chain (eg: origin certs are client and CA).
-	if names, err := security.GetCertificateUsers(makeFakeTLSState("foo;CA")); err != nil {
+	if names, err := security.GetCertificateUsers(makeFakeTLSState(t, "foo;CA")); err != nil {
 		t.Error(err)
 	} else {
 		require.EqualValues(t, names, []string{"foo"})
 	}
 
 	// Always use the first certificate.
-	if names, err := security.GetCertificateUsers(makeFakeTLSState("foo;bar")); err != nil {
+	if names, err := security.GetCertificateUsers(makeFakeTLSState(t, "foo;bar")); err != nil {
 		t.Error(err)
 	} else {
 		require.EqualValues(t, names, []string{"foo"})
 	}
 
 	// Extract all of the principals from the first certificate.
-	if names, err := security.GetCertificateUsers(makeFakeTLSState("foo,bar,blah;CA")); err != nil {
+	if names, err := security.GetCertificateUsers(makeFakeTLSState(t, "foo,dns:bar,dns:blah;CA")); err != nil {
 		t.Error(err)
 	} else {
 		require.EqualValues(t, names, []string{"foo", "bar", "blah"})
@@ -145,11 +166,11 @@ func TestGetCertificateUsersMapped(t *testing.T) {
 		// The last mapping for a principal takes precedence.
 		{"foo", "foo:bar,foo:blah", "blah"},
 		// First principal mapped, second principal unmapped.
-		{"foo,bar", "foo:blah", "blah,bar"},
+		{"foo,dns:bar", "foo:blah", "blah,bar"},
 		// First principal unmapped, second principal mapped.
-		{"bar,foo", "foo:blah", "bar,blah"},
+		{"bar,dns:foo", "foo:blah", "bar,blah"},
 		// Both principals mapped.
-		{"foo,bar", "foo:bar,bar:foo", "bar,foo"},
+		{"foo,dns:bar", "foo:bar,bar:foo", "bar,foo"},
 		// Verify desired string splits.
 		{"foo:has:colon", "foo:has:colon:bar", "bar"},
 	}
@@ -159,7 +180,7 @@ func TestGetCertificateUsersMapped(t *testing.T) {
 			if err := security.SetCertPrincipalMap(vals); err != nil {
 				t.Fatal(err)
 			}
-			names, err := security.GetCertificateUsers(makeFakeTLSState(c.spec))
+			names, err := security.GetCertificateUsers(makeFakeTLSState(t, c.spec))
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -184,29 +205,34 @@ func TestAuthenticationHook(t *testing.T) {
 		buildHookSuccess   bool
 		publicHookSuccess  bool
 		privateHookSuccess bool
+		tenantID           roachpb.TenantID
 	}{
 		// Insecure mode, empty username.
-		{true, "", security.SQLUsername{}, "", true, false, false},
+		{true, "", security.SQLUsername{}, "", true, false, false, roachpb.SystemTenantID},
 		// Insecure mode, non-empty username.
-		{true, "", fooUser, "", true, true, false},
+		{true, "", fooUser, "", true, true, false, roachpb.SystemTenantID},
 		// Secure mode, no TLS state.
-		{false, "", security.SQLUsername{}, "", false, false, false},
+		{false, "", security.SQLUsername{}, "", false, false, false, roachpb.SystemTenantID},
 		// Secure mode, bad user.
-		{false, "foo", security.NodeUserName(), "", true, false, false},
+		{false, "foo", security.NodeUserName(), "", true, false, false, roachpb.SystemTenantID},
 		// Secure mode, node user.
-		{false, security.NodeUser, security.NodeUserName(), "", true, true, true},
+		{false, security.NodeUser, security.NodeUserName(), "", true, true, true, roachpb.SystemTenantID},
 		// Secure mode, node cert and unrelated user.
-		{false, security.NodeUser, fooUser, "", true, false, false},
+		{false, security.NodeUser, fooUser, "", true, false, false, roachpb.SystemTenantID},
 		// Secure mode, root user.
-		{false, security.RootUser, security.NodeUserName(), "", true, false, false},
+		{false, security.RootUser, security.NodeUserName(), "", true, false, false, roachpb.SystemTenantID},
 		// Secure mode, tenant cert, foo user.
-		{false, "(Tenants)foo", fooUser, "", true, false, false},
+		{false, "(Tenants)foo", fooUser, "", true, false, false, roachpb.SystemTenantID},
 		// Secure mode, multiple cert principals.
-		{false, "foo,bar", fooUser, "", true, true, false},
-		{false, "foo,bar", barUser, "", true, true, false},
+		{false, "foo,dns:bar", fooUser, "", true, true, false, roachpb.SystemTenantID},
+		{false, "foo,dns:bar", barUser, "", true, true, false, roachpb.SystemTenantID},
 		// Secure mode, principal map.
-		{false, "foo,bar", blahUser, "foo:blah", true, true, false},
-		{false, "foo,bar", blahUser, "bar:blah", true, true, false},
+		{false, "foo,dns:bar", blahUser, "foo:blah", true, true, false, roachpb.SystemTenantID},
+		{false, "foo,dns:bar", blahUser, "bar:blah", true, true, false, roachpb.SystemTenantID},
+		{false, "foo,uri:crdb://tenant/123", fooUser, "", true, true, false, roachpb.MakeTenantID(123)},
+		{false, "foo,uri:crdb://tenant/123", fooUser, "", true, false, false, roachpb.SystemTenantID},
+		{false, "foo", fooUser, "", true, true, false, roachpb.MakeTenantID(123)},
+		{false, "foo,uri:crdb://tenant/123", blahUser, "", true, false, false, roachpb.MakeTenantID(123)},
 	}
 
 	ctx := context.Background()
@@ -217,7 +243,7 @@ func TestAuthenticationHook(t *testing.T) {
 			if err != nil {
 				t.Fatal(err)
 			}
-			hook, err := security.UserAuthCertHook(tc.insecure, makeFakeTLSState(tc.tlsSpec))
+			hook, err := security.UserAuthCertHook(tc.insecure, makeFakeTLSState(t, tc.tlsSpec), tc.tenantID)
 			if (err == nil) != tc.buildHookSuccess {
 				t.Fatalf("expected success=%t, got err=%v", tc.buildHookSuccess, err)
 			}
diff --git a/pkg/security/certificate_loader.go b/pkg/security/certificate_loader.go
index 653c1b5e0b49..891097e1be89 100644
--- a/pkg/security/certificate_loader.go
+++ b/pkg/security/certificate_loader.go
@@ -20,6 +20,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/cockroachdb/cockroach/pkg/roachpb"
 	"github.com/cockroachdb/cockroach/pkg/util/envutil"
 	"github.com/cockroachdb/cockroach/pkg/util/log"
 	"github.com/cockroachdb/cockroach/pkg/util/sysutil"
@@ -93,6 +94,9 @@ const (
 	UIPem
 	// ClientPem describes a client certificate.
 	ClientPem
+	// TenantScopedClientPem describes a tenant scoped client certificate.
+	// This certificate can only be used to authenticate a client for a specific tenant.
+	TenantScopedClientPem
 	// TenantPem describes a SQL tenant client certificate.
 	TenantPem
 	// TenantSigningPem describes a SQL tenant signing certificate.
@@ -226,7 +230,16 @@ func CertInfoFromFilename(filename string) (*CertInfo, error) {
 		fileUsage = ClientPem
 		// Strip prefix and suffix and re-join middle parts.
 		name = strings.Join(parts[1:numParts-1], `.`)
-		if len(name) == 0 {
+		if strings.Contains(name, "@tenant") {
+			// This is a tenant scoped client certificate, drop tenant ID from the name and update file usage.
+			fileUsage = TenantScopedClientPem
+			nameParts := strings.Split(name, "@")
+			if len(nameParts) != 2 || len(nameParts[0]) == 0 {
+				return nil, errors.Errorf("tenant scoped client certificate filename should match <user>@tenant-<tenant-id>")
+			}
+			name = nameParts[0]
+		} else if len(name) == 0 {
+			// This is not a tenant scoped client certificate, enforce that username is not empty.
 			return nil, errors.Errorf("client certificate filename should match client.<user>%s", certExtension)
 		}
 	case `client-tenant`:
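Review bot: The `strings.Contains(name, "@tenant")` test classifies a file by a substring and never validates the part after `@`, so names such as `client.foo@tenantX.crt` or `client.foo@tenant-abc.crt` load as `TenantScopedClientPem` with user `foo`. `extractTenantAndUserFromCertName`, added further down in this file, performs a stricter parse but is not called here. At minimum check the suffix, e.g. `if !strings.HasPrefix(nameParts[1], "tenant-") { return nil, errors.Errorf(...) }`, and parse the remainder with `roachpb.ParseTenantID`. The enclosing switch starts outside the hunk.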
@@ -506,3 +519,26 @@ func validateCockroachCertificate(ci *CertInfo, cert *x509.Certificate) error {
 	}
 	return nil
 }
+
+func extractTenantAndUserFromCertName(filename string) (SQLUsername, roachpb.TenantID, error) {
+	tenantScopeFilenameError := errors.Errorf("expected tenant scoped cert name format is client.<user>@tenant-<tenant-id>.crt")
+	// Expected certificate filename format to be client.<user>@tenant-<tenant_id>.crt
+	parts := strings.Split(filename, ".")
+	if len(parts) != 3 {
+		return SQLUsername{}, roachpb.TenantID{}, tenantScopeFilenameError
+	}
+	userTenantPair := strings.Split(parts[1], "@")
+	if len(userTenantPair) != 2 {
+		return SQLUsername{}, roachpb.TenantID{}, tenantScopeFilenameError
+	}
+	username := MakeSQLUsernameFromPreNormalizedString(userTenantPair[0])
+	tenantInfo := strings.Split(userTenantPair[1], "-")
+	if len(tenantInfo) != 2 {
+		return SQLUsername{}, roachpb.TenantID{}, tenantScopeFilenameError
+	}
+	tenantID, err := roachpb.ParseTenantID(tenantInfo[1])
+	if err != nil {
+		return SQLUsername{}, roachpb.TenantID{}, errors.Errorf("invalid tenant id %s", tenantInfo[1])
+	}
+	return username, tenantID, nil
+}
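Review bot: extractTenantAndUserFromCertName requires exactly three dot-separated parts, while CertInfoFromFilename in the same file joins every middle part back into the user name, so a constructed name like `client.a.b@tenant-5.crt` is accepted there as tenant scoped and then fails here. LoadCertificates returns this error directly, so one such file would stop the whole load. The function also never compares `tenantInfo[0]` with `tenant` or `parts[0]` with `client`, and it discards the ParseTenantID error instead of wrapping it. The rewrite below trims the fixed prefix and suffix instead of splitting on dots, checks the `tenant-` literal, and adds a doc comment.

```go
// extractTenantAndUserFromCertName parses a file name of the form
// client.<user>@tenant-<tenant-id>.crt into its user and tenant ID.
// The user part may contain dots, matching CertInfoFromFilename.
func extractTenantAndUserFromCertName(filename string) (SQLUsername, roachpb.TenantID, error) {
	tenantScopeFilenameError := errors.Errorf("expected tenant scoped cert name format is client.<user>@tenant-<tenant-id>.crt")
	if !strings.HasPrefix(filename, "client.") || !strings.HasSuffix(filename, certExtension) {
		return SQLUsername{}, roachpb.TenantID{}, tenantScopeFilenameError
	}
	middle := strings.TrimSuffix(strings.TrimPrefix(filename, "client."), certExtension)
	userTenantPair := strings.Split(middle, "@")
	if len(userTenantPair) != 2 || len(userTenantPair[0]) == 0 ||
		!strings.HasPrefix(userTenantPair[1], "tenant-") {
		return SQLUsername{}, roachpb.TenantID{}, tenantScopeFilenameError
	}
	rawTenantID := strings.TrimPrefix(userTenantPair[1], "tenant-")
	tenantID, err := roachpb.ParseTenantID(rawTenantID)
	if err != nil {
		return SQLUsername{}, roachpb.TenantID{}, errors.Wrapf(err, "invalid tenant id %s", rawTenantID)
	}
	return MakeSQLUsernameFromPreNormalizedString(userTenantPair[0]), tenantID, nil
}
```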
diff --git a/pkg/security/certificate_loader_test.go b/pkg/security/certificate_loader_test.go
index 386314b62eec..ea3b95d096fa 100644
--- a/pkg/security/certificate_loader_test.go
+++ b/pkg/security/certificate_loader_test.go
@@ -53,6 +53,7 @@ func TestCertNomenclature(t *testing.T) {
 		{"client.root.crt", "", security.ClientPem, "root"},
 		{"client.foo-bar.crt", "", security.ClientPem, "foo-bar"},
 		{"client....foo.bar.baz.how.many.dots.do.you.need...really....crt", "", security.ClientPem, "...foo.bar.baz.how.many.dots.do.you.need...really..."},
+		{"client.foo-bar@tenant-123.crt", "", security.TenantScopedClientPem, "foo-bar"},
 
 		// Bad names. This function is only called on filenames ending with '.crt'.
 		{"crt", "not enough parts found", 0, ""},
@@ -68,6 +69,7 @@ func TestCertNomenclature(t *testing.T) {
 		{"client2.crt", "unknown prefix \"client2\"", 0, ""},
 		{"client.crt", "client certificate filename should match client.<user>.crt", 0, ""},
 		{"root.crt", "unknown prefix \"root\"", 0, ""},
+		{"client.foo-bar@tenant-123@456.crt", "tenant scoped client certificate filename should match <user>@tenant-<tenant-id>", 0, ""},
 	}
 
 	for i, tc := range testCases {
diff --git a/pkg/security/certificate_manager.go b/pkg/security/certificate_manager.go
index 1d8c244a25e5..86b63b21f4f8 100644
--- a/pkg/security/certificate_manager.go
+++ b/pkg/security/certificate_manager.go
@@ -117,13 +117,14 @@ type CertificateManager struct {
 	initialized bool
 
 	// Set of certs. These are swapped in during Load(), and never mutated afterwards.
-	caCert         *CertInfo // default CA certificate
-	clientCACert   *CertInfo // optional: certificate to verify client certificates
-	uiCACert       *CertInfo // optional: certificate to verify UI certificates
-	nodeCert       *CertInfo // certificate for nodes (always server cert, sometimes client cert)
-	nodeClientCert *CertInfo // optional: client certificate for 'node' user. Also included in 'clientCerts'
-	uiCert         *CertInfo // optional: server certificate for the admin UI.
-	clientCerts    map[SQLUsername]*CertInfo
+	caCert                  *CertInfo // default CA certificate
+	clientCACert            *CertInfo // optional: certificate to verify client certificates
+	uiCACert                *CertInfo // optional: certificate to verify UI certificates
+	nodeCert                *CertInfo // certificate for nodes (always server cert, sometimes client cert)
+	nodeClientCert          *CertInfo // optional: client certificate for 'node' user. Also included in 'clientCerts'
+	uiCert                  *CertInfo // optional: server certificate for the admin UI.
+	clientCerts             map[SQLUsername]*CertInfo
+	tenantScopedClientCerts map[SQLUsername]*CertInfo
 
 	// Certs only used with multi-tenancy.
 	tenantCACert, tenantCert, tenantSigningCert *CertInfo
@@ -431,6 +432,16 @@ func ClientCertFilename(user SQLUsername) string {
 	return "client." + user.Normalized() + certExtension
 }
 
+// ClientForTenantCertPath returns the expected file path for the user's tenant scoped certificate.
+func (cl CertsLocator) ClientForTenantCertPath(user SQLUsername, tenantID string) string {
+	return filepath.Join(cl.certsDir, ClientForTenantCertFilename(user, tenantID))
+}
+
+// ClientForTenantCertFilename returns the expected file name for the user's tenant scoped certificate.
+func ClientForTenantCertFilename(user SQLUsername, tenantID string) string {
+	return "client." + user.Normalized() + "@tenant-" + tenantID + certExtension
+}
+
 // ClientKeyPath returns the expected file path for the user's key.
 func (cl CertsLocator) ClientKeyPath(user SQLUsername) string {
 	return filepath.Join(cl.certsDir, ClientKeyFilename(user))
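Review bot: `tenantID` is concatenated into the file name unchanged in ClientForTenantCertFilename, and ClientForTenantKeyFilename in the next hunk does the same; both are exported and their result goes into `filepath.Join`. CreateClientPair validates the value with `roachpb.ParseTenantID` before calling them, but nothing in these helpers enforces that for other callers, so a value containing a path separator would name a file outside `certsDir`. I would state the precondition in the doc comment: `// tenantID must already be validated (for example with roachpb.ParseTenantID); it is used in the file name unchanged.` The doc comment on ClientForTenantKeyFilename should also say "tenant scoped key", as its Path counterpart does.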
@@ -441,6 +452,16 @@ func ClientKeyFilename(user SQLUsername) string {
 	return "client." + user.Normalized() + keyExtension
 }
 
+// ClientForTenantKeyPath returns the expected file path for the user's tenant scoped key
+func (cl CertsLocator) ClientForTenantKeyPath(user SQLUsername, tenantID string) string {
+	return filepath.Join(cl.certsDir, ClientForTenantKeyFilename(user, tenantID))
+}
+
+// ClientForTenantKeyFilename returns the expected file name for the user's key.
+func ClientForTenantKeyFilename(user SQLUsername, tenantID string) string {
+	return "client." + user.Normalized() + "@tenant-" + tenantID + keyExtension
+}
+
 // SQLServiceCertPath returns the expected file path for the
 // SQL service certificate
 func (cl CertsLocator) SQLServiceCertPath() string {
@@ -589,6 +610,14 @@ func (cm *CertificateManager) ClientCerts() map[SQLUsername]*CertInfo {
 	return cm.clientCerts
 }
 
+// TenantScopedClientCerts returns the tenant scoped client certs.
+// Callers should check for internal Error fields.
+func (cm *CertificateManager) TenantScopedClientCerts() map[SQLUsername]*CertInfo {
+	cm.mu.RLock()
+	defer cm.mu.RUnlock()
+	return cm.tenantScopedClientCerts
+}
+
 // Error is the error type for this package.
 // TODO(knz): make this an error wrapper.
 type Error struct {
@@ -623,6 +652,7 @@ func (cm *CertificateManager) LoadCertificates() error {
 	var caCert, clientCACert, uiCACert, nodeCert, uiCert, nodeClientCert *CertInfo
 	var tenantCACert, tenantCert, tenantSigningCert *CertInfo
 	clientCerts := make(map[SQLUsername]*CertInfo)
+	tenantScopedClientCerts := make(map[SQLUsername]*CertInfo)
 	for _, ci := range cl.Certificates() {
 		switch ci.FileUsage {
 		case CAPem:
@@ -665,6 +695,14 @@ func (cm *CertificateManager) LoadCertificates() error {
 			if username.IsNodeUser() {
 				nodeClientCert = ci
 			}
+		case TenantScopedClientPem:
+			username, tenantID, err := extractTenantAndUserFromCertName(ci.Filename)
+			if err != nil {
+				return err
+			}
+			if cm.tenantIdentifier == tenantID.ToUint64() {
+				tenantScopedClientCerts[username] = ci
+			}
 		default:
 			return errors.Errorf("unsupported certificate %v", ci.Filename)
 		}
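Review bot: The `TenantScopedClientPem` case decides which tenant a certificate belongs to from `ci.Filename` alone; the tenant URI SAN that the new test expects inside the certificate (`crdb://tenant/123`) is not compared with it in this hunk. A renamed or miscopied file would therefore be stored in `tenantScopedClientCerts` for the wrong tenant, unless a validation step outside this hunk catches it. Either cross-check the parsed ID against the certificate's URIs before storing it, or record the gap: `// NOTE: tenant scope comes from the file name only; the certificate's URI SAN is not checked here.` Returning `err` also aborts loading of every other certificate on one badly named file, which differs from the per-certificate `Error` field the accessor comments tell callers to check. LoadCertificates starts and ends outside the hunk.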
@@ -722,6 +760,7 @@ func (cm *CertificateManager) LoadCertificates() error {
 	cm.nodeClientCert = nodeClientCert
 	cm.uiCert = uiCert
 	cm.clientCerts = clientCerts
+	cm.tenantScopedClientCerts = tenantScopedClientCerts
 
 	cm.initialized = true
 
@@ -982,6 +1021,14 @@ func (cm *CertificateManager) getClientCertLocked(user SQLUsername) (*CertInfo,
 	return ci, nil
 }
 
+func (cm *CertificateManager) getTenantScopedClientCertLocked(user SQLUsername) (*CertInfo, error) {
+	ci := cm.tenantScopedClientCerts[user]
+	if err := checkCertIsValid(ci); err != nil {
+		return nil, makeErrorf(err, "problem with client cert for user %s", user)
+	}
+	return ci, nil
+}
+
 // getNodeClientCertLocked returns the client cert/key for the node user.
 // Use the client certificate for 'node' if it exists, otherwise use
 // the node certificate which should be a combined client/server certificate.
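Review bot: getTenantScopedClientCertLocked has no doc comment, and its error text `problem with client cert for user %s` does not say that the tenant scoped certificate was the one looked up. I would add `// getTenantScopedClientCertLocked returns the tenant scoped client cert for the given user.` and change the message to `"problem with tenant scoped client cert for user %s"`. A user with no map entry yields a nil `ci`, so the function relies on checkCertIsValid rejecting nil, which is not visible here; the `Locked` suffix also suggests `cm.mu` must be held, which the comment should confirm.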
@@ -1086,6 +1133,7 @@ func (cm *CertificateManager) GetTenantSigningCert() (*CertInfo, error) {
 // GetClientTLSConfig returns the most up-to-date client tls.Config.
 // Returns the dual-purpose node certs if user == NodeUser and there is no
 // separate client cert for 'node'.
+// Returns the tenant-scoped client certificate if there is no separate client certificate.
 func (cm *CertificateManager) GetClientTLSConfig(user SQLUsername) (*tls.Config, error) {
 	cm.mu.Lock()
 	defer cm.mu.Unlock()
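Review bot: The added sentence documents a fallback to the tenant scoped client certificate, but no hunk of GetClientTLSConfig on this page adds a call to getTenantScopedClientCertLocked; the only other change to the function removes a blank line. If the fallback is not implemented in the part of the body outside these hunks, the comment promises behaviour callers will not get. In that case it should be dropped or reworded, for example `// Tenant scoped client certificates are exposed through TenantScopedClientCerts.` The function body lies outside the hunk.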
@@ -1112,7 +1160,6 @@ func (cm *CertificateManager) GetClientTLSConfig(user SQLUsername) (*tls.Config,
 		if err != nil {
 			return nil, err
 		}
-
 		cfg, err := newClientTLSConfig(
 			cm.tlsSettings,
 			clientCert.FileContents,
diff --git a/pkg/security/certificate_manager_test.go b/pkg/security/certificate_manager_test.go
index 922d13f3baf1..e7c493e723c2 100644
--- a/pkg/security/certificate_manager_test.go
+++ b/pkg/security/certificate_manager_test.go
@@ -26,7 +26,7 @@ import (
 
 func TestManagerWithEmbedded(t *testing.T) {
 	defer leaktest.AfterTest(t)()
-	cm, err := security.NewCertificateManager("test_certs", security.CommandTLSSettings{})
+	cm, err := security.NewCertificateManager(security.EmbeddedCertsDir, security.CommandTLSSettings{})
 	if err != nil {
 		t.Error(err)
 	}
@@ -43,6 +43,10 @@ func TestManagerWithEmbedded(t *testing.T) {
 		t.Errorf("expected %d client certs, found %d", e, a)
 	}
 
+	// Verify that there are no embedded tenant scoped certificates for system tenant.
+	tenantScopedClientCerts := cm.TenantScopedClientCerts()
+	require.Equal(t, 0, len(tenantScopedClientCerts))
+
 	if _, ok := clientCerts[security.RootUserName()]; !ok {
 		t.Error("no client cert for root user found")
 	}
@@ -68,6 +72,17 @@ func TestManagerWithEmbedded(t *testing.T) {
 		security.MakeSQLUsernameFromPreNormalizedString("my-random-user")); err == nil {
 		t.Error("unexpected success")
 	}
+
+	// Verify tenant scoped certificates embedded certificates are loaded.
+	tenant := security.EmbeddedTenantIDs()[0]
+	cm, err = security.NewCertificateManager(security.EmbeddedCertsDir, security.CommandTLSSettings{}, security.ForTenant(tenant))
+	require.NoError(t, err)
+	tenantScopedClientCerts = cm.TenantScopedClientCerts()
+	require.Equal(t, 1, len(tenantScopedClientCerts))
+
+	if _, ok := tenantScopedClientCerts[security.TestUserName()]; !ok {
+		t.Errorf("no tenant scoped client cert for %s user found for tenant %d", security.TestUser, tenant)
+	}
 }
 
 func TestManagerWithPrincipalMap(t *testing.T) {
@@ -91,7 +106,7 @@ func TestManagerWithPrincipalMap(t *testing.T) {
 		certsDir, caKey, testKeySize, time.Hour*96, true, true,
 	))
 	require.NoError(t, security.CreateClientPair(
-		certsDir, caKey, testKeySize, time.Hour*48, true, security.TestUserName(), false,
+		certsDir, caKey, testKeySize, time.Hour*48, true, security.TestUserName(), "", false,
 	))
 	require.NoError(t, security.CreateNodePair(
 		certsDir, caKey, testKeySize, time.Hour*48, true, []string{"127.0.0.1", "foo"},
diff --git a/pkg/security/certs.go b/pkg/security/certs.go
index 926bfa6a54d3..8bfaa9112143 100644
--- a/pkg/security/certs.go
+++ b/pkg/security/certs.go
@@ -26,6 +26,7 @@ import (
 	"path/filepath"
 	"time"
 
+	"github.com/cockroachdb/cockroach/pkg/roachpb"
 	"github.com/cockroachdb/cockroach/pkg/util/envutil"
 	"github.com/cockroachdb/cockroach/pkg/util/log"
 	"github.com/cockroachdb/errors"
@@ -377,12 +378,16 @@ func CreateUIPair(
 // exist in the CA cert, the first one is used.
 // If a client CA exists, this is used instead.
 // If wantPKCS8Key is true, the private key in PKCS#8 encoding is written as well.
+// If the client certificate being created needs to be scoped to a specific tenant,
+// the tenantScope should be set to the tenant ID. Otherwise, the tenantScope
+// should be set to an empty string.
 func CreateClientPair(
 	certsDir, caKeyPath string,
 	keySize int,
 	lifetime time.Duration,
 	overwrite bool,
 	user SQLUsername,
+	tenantScope string,
 	wantPKCS8Key bool,
 ) error {
 	if len(caKeyPath) == 0 {
@@ -391,6 +396,12 @@ func CreateClientPair(
 	if len(certsDir) == 0 {
 		return errors.New("the path to the certs directory is required")
 	}
+	if len(tenantScope) != 0 {
+		// Confirm tenantID is valid.
+		if _, err := roachpb.ParseTenantID(tenantScope); err != nil {
+			return errors.Wrapf(err, "tenant scope %s is invalid", tenantScope)
+		}
+	}
 
 	// The certificate manager expands the env for the certs directory.
 	// For consistency, we need to do this for the key as well.
@@ -423,18 +434,26 @@ func CreateClientPair(
 		return errors.Wrap(err, "could not generate new client key")
 	}
 
-	clientCert, err := GenerateClientCert(caCert, caPrivateKey, clientKey.Public(), lifetime, user)
+	clientCert, err := GenerateClientCert(caCert, caPrivateKey, clientKey.Public(), lifetime, user, tenantScope)
 	if err != nil {
 		return errors.Wrap(err, "error creating client certificate and key")
 	}
 
-	certPath := cm.ClientCertPath(user)
+	var certPath string
+	var keyPath string
+
+	if tenantScope != "" {
+		certPath = cm.ClientForTenantCertPath(user, tenantScope)
+		keyPath = cm.ClientForTenantKeyPath(user, tenantScope)
+	} else {
+		certPath = cm.ClientCertPath(user)
+		keyPath = cm.ClientKeyPath(user)
+	}
 	if err := writeCertificateToFile(certPath, clientCert, overwrite); err != nil {
 		return errors.Wrapf(err, "error writing client certificate to %s", certPath)
 	}
 	log.Infof(context.Background(), "generated client certificate: %s", certPath)
 
-	keyPath := cm.ClientKeyPath(user)
 	if err := writeKeyToFile(keyPath, clientKey, overwrite); err != nil {
 		return errors.Wrapf(err, "error writing client key to %s", keyPath)
 	}
diff --git a/pkg/security/certs_test.go b/pkg/security/certs_test.go
index 6b3cdec44dfa..0e7ac5d51074 100644
--- a/pkg/security/certs_test.go
+++ b/pkg/security/certs_test.go
@@ -170,6 +170,78 @@ func TestGenerateTenantCerts(t *testing.T) {
 	}, infos)
 }
 
+// TestGenerateClientCerts tests client certificates are generated as expected:
+// - Regular client certificates have the username set correctly.
+// - Tenant scoped client certificates have the username set correctly and also
+//   have the tenant ID embedded as a SAN.
+func TestGenerateClientCerts(t *testing.T) {
+	defer leaktest.AfterTest(t)()
+	// Do not mock cert access for this test.
+	security.ResetAssetLoader()
+	defer ResetTest()
+
+	certsDir := t.TempDir()
+
+	caKeyFile := certsDir + "/ca.key"
+	// Generate CA key and crt.
+	require.NoError(t, security.CreateCAPair(certsDir, caKeyFile, testKeySize,
+		time.Hour*72, false /* allowReuse */, false /* overwrite */))
+	username := "test-user"
+	tenantScope := "123"
+	// Create tenant-scoped client cert.
+	require.NoError(t, security.CreateClientPair(
+		certsDir,
+		caKeyFile,
+		testKeySize,
+		48*time.Hour,
+		false, /*overwrite */
+		security.MakeSQLUsernameFromPreNormalizedString(username),
+		tenantScope,
+		false /* wantPKCS8Key */))
+
+	// Create a regular client cert that is not scoped to a specific tenant.
+	require.NoError(t, security.CreateClientPair(
+		certsDir,
+		caKeyFile,
+		testKeySize,
+		48*time.Hour,
+		false, /*overwrite */
+		security.MakeSQLUsernameFromPreNormalizedString(username),
+		"", /* tenantScope */
+		false /* wantPKCS8Key */))
+
+	// Load and verify the certificates.
+	cl := security.NewCertificateLoader(certsDir)
+	require.NoError(t, cl.Load())
+	infos := cl.Certificates()
+	for _, info := range infos {
+		require.NoError(t, info.Error)
+	}
+
+	// We expect three certificates: the CA certificate, the tenant scoped client certificate
+	// and the regular client certificate.
+	require.Equal(t, len(infos), 3)
+	expectedClientCrtName := fmt.Sprintf("client.%s.crt", username)
+	expectedTenantScopedClientCrtName := fmt.Sprintf("client.%s@tenant-%s.crt", username, tenantScope)
+	for _, info := range infos {
+		if info.Filename == "ca.crt" {
+			continue
+		}
+		if info.Filename == expectedClientCrtName {
+			require.Equal(t, info.FileUsage, security.ClientPem)
+			require.Equal(t, username, info.Name)
+		} else if info.Filename == expectedTenantScopedClientCrtName {
+			require.Equal(t, info.FileUsage, security.TenantScopedClientPem)
+			require.Equal(t, username, info.Name)
+			require.Equal(t, 1, len(info.ParsedCertificates))
+			require.Equal(t, 1, len(info.ParsedCertificates[0].URIs))
+			require.Equal(t, "crdb://tenant/123", info.ParsedCertificates[0].URIs[0].String())
+		} else {
+			t.Fatalf("Unexpected cert %s", info.Filename)
+		}
+	}
+}
+
 func TestGenerateNodeCerts(t *testing.T) {
 	defer leaktest.AfterTest(t)()
 	// Do not mock cert access for this test.
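Review bot: The branch for the regular client certificate checks only `FileUsage` and `Name`, so TestGenerateClientCerts would still pass if an unscoped certificate were issued with a tenant URI SAN. Adding `require.Equal(t, 1, len(info.ParsedCertificates))` and `require.Equal(t, 0, len(info.ParsedCertificates[0].URIs))` to that branch pins the property the feature depends on. Two style points in the same test: `require.Equal(t, len(infos), 3)` and the two `FileUsage` assertions pass the actual value first, which swaps expected and actual in failure output, and `certsDir + "/ca.key"` should be `filepath.Join(certsDir, "ca.key")`, as in the other helpers of this file.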
@@ -227,7 +299,7 @@ func generateBaseCerts(certsDir string) error {
 
 		if err := security.CreateClientPair(
 			certsDir, caKey,
-			testKeySize, time.Hour*48, true, security.RootUserName(), false,
+			testKeySize, time.Hour*48, true, security.RootUserName(), "", false,
 		); err != nil {
 			return err
 		}
@@ -281,14 +353,14 @@ func generateSplitCACerts(certsDir string) error {
 
 	if err := security.CreateClientPair(
 		certsDir, filepath.Join(certsDir, security.EmbeddedClientCAKey),
-		testKeySize, time.Hour*48, true, security.NodeUserName(), false,
+		testKeySize, time.Hour*48, true, security.NodeUserName(), "", false,
 	); err != nil {
 		return errors.Wrap(err, "could not generate Client pair")
 	}
 
 	if err := security.CreateClientPair(
 		certsDir, filepath.Join(certsDir, security.EmbeddedClientCAKey),
-		testKeySize, time.Hour*48, true, security.RootUserName(), false,
+		testKeySize, time.Hour*48, true, security.RootUserName(), "", false,
 	); err != nil {
 		return errors.Wrap(err, "could not generate Client pair")
 	}
diff --git a/pkg/security/securitytest/test_certs/ca-client-tenant.crt b/pkg/security/securitytest/test_certs/ca-client-tenant.crt
index 80516c312dc1..76486aaa949d 100644
--- a/pkg/security/securitytest/test_certs/ca-client-tenant.crt
+++ b/pkg/security/securitytest/test_certs/ca-client-tenant.crt
@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDJjCCAg6gAwIBAgIRAP3ot2EqZmVMs9ZW7K+ge8cwDQYJKoZIhvcNAQELBQAw
+MIIDJjCCAg6gAwIBAgIRAIB1w/vjXWICyZP8tNsASaEwDQYJKoZIhvcNAQELBQAw
 KzESMBAGA1UEChMJQ29ja3JvYWNoMRUwEwYDVQQDEwxDb2Nrcm9hY2ggQ0EwHhcN
-MjIwMTEwMTkwMTIwWhcNMzIwMTE5MTkwMTIwWjArMRIwEAYDVQQKEwlDb2Nrcm9h
+MjIwNDEwMjAwNDM3WhcNMzIwNDE4MjAwNDM3WjArMRIwEAYDVQQKEwlDb2Nrcm9h
 Y2gxFTATBgNVBAMTDENvY2tyb2FjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAMeGaYPQCNgFEeW30pFfUzuge7AX96mHjgcAwkwonBfYWFL4LduV
-/bry0uGuXfr079sULQFSaB5BQUvWWjGSW9lPQ3oQAw0PXqFCj0euBaypMAQgTQcw
-MQOis1OWOs+8gIAb17dXPxMC0DsRj/aEjt7WIEfQFpkHjdl9CjFfXn6FgQMDpp6/
-W1WEXG0AU8l4XRyrT3450VaPRudi/88muPdvSWPuRNxolepEgzpCQHJptaPBn0Tr
-gZQHxfoY93vvoEJJjh6QC9JqgTpwS8Dmv4bKkkAsSpVVXR5tKW3wtqGGh2fTWmcl
-cIcNEFudTJ2Nry5/mY9zB4Xiqx/IAgrJatMCAwEAAaNFMEMwDgYDVR0PAQH/BAQD
-AgLkMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFAw9X1Nmta6HSkIVuZTb
-D9czNUg6MA0GCSqGSIb3DQEBCwUAA4IBAQDEeaGEFc49osHz81rb6+j6K9GWqWuP
-v9ktK+A3sBG8xbF763OFPF7yXWtSPxe9g3sqpAursQ2wPCm6R3j4gd2ekoT8aE86
-WZNcVJ0oLy/HWOjPtiKlbbh4rQIZNhV2f1UXkkfLANbjdZhtlD1ljuSC7IOtdRuy
-g0y9Rxp9BChA1s5M1GQevW0qzUSiZbhDiQ2zjB5Uq0GIjhUrKgh4H7w9Ra2uozRO
-v2u8GNXRBRsTIWYaHT80Kb9wZIqEsXQ3YlrjTO1WY/Blv0WtTCkeU3wwV6NzHmCr
-isRyL6YpvKCbdvWXWd5Q7LV4zKHxi7yy9gkxvmuXbvL6asqdHeWcvvSX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 -----END CERTIFICATE-----
diff --git a/pkg/security/securitytest/test_certs/ca-client-tenant.key b/pkg/security/securitytest/test_certs/ca-client-tenant.key
index 6c017817d5d6..00b0e064ed46 100644
--- a/pkg/security/securitytest/test_certs/ca-client-tenant.key
+++ b/pkg/security/securitytest/test_certs/ca-client-tenant.key
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAx4Zpg9AI2AUR5bfSkV9TO6B7sBf3qYeOBwDCTCicF9hYUvgt
-25X9uvLS4a5d+vTv2xQtAVJoHkFBS9ZaMZJb2U9DehADDQ9eoUKPR64FrKkwBCBN
-BzAxA6KzU5Y6z7yAgBvXt1c/EwLQOxGP9oSO3tYgR9AWmQeN2X0KMV9efoWBAwOm
-nr9bVYRcbQBTyXhdHKtPfjnRVo9G52L/zya4929JY+5E3GiV6kSDOkJAcmm1o8Gf
-ROuBlAfF+hj3e++gQkmOHpAL0mqBOnBLwOa/hsqSQCxKlVVdHm0pbfC2oYaHZ9Na
-ZyVwhw0QW51MnY2vLn+Zj3MHheKrH8gCCslq0wIDAQABAoIBAAaVBpIUoNYPhMGh
-SM8G6AYFi08J21+6WxMcEUzV4iBfQLqr+UdPMWmjbRWI3QzUW71McxeiElE9MdxA
-nAUaoPEQTleOg6tAoIyNV5CzyvghNLZOInxkOJm4GlZdlF8aBtszD/C6bhhAdYId
-WDR3twbe5X24/aXau/E60MVEMifWTLn9Pto1XGapbyaf+2hGL9raji3DBP4JiM2d
-Xdf7TOqrVIF7qmiADvFVnsSSWMr04VH45FojBdEZKHXbVoCLwC9qn8nptTlPFojd
-ihnBUy9QXLr8R+YUgTGpQZmbiWapEqHYa3eS8vwsbB8i4YHrm504lvybdzBgi0x8
-E3OMeAECgYEA6TgW61JLCtOiuDmupDyThP8QEHHs/9k57b7PplVEimbVuIlUNs+u
-c2isHRiM3rts+/CZUrP7I4Om5qMA1HatquBxL2Hawh1M2ztSNFJTEB2OTOQQ4Iz9
-oThi988xSBAIDQ94gpj0B1ZlgtQSVGj4imOVU4BAHawcDSBFjaIWsNMCgYEA2wPD
-qZoa9kbu7OWCOsTUua4ERWeR4Tsy6QH0RakckcuJy/ZKBfpv1wiDyKAJhvpIPMvC
-5xYaw2hb85YcmAWzi2Lu9jymO9oFv5QRMGGetE8Alm2/qThec2moPR80iYrOmydy
-Ie4dNxasulcdAofPdL0n0lm+L7sFaYofPFPeHgECgYB2+zmeJqbISD581FjHy2vL
-b0En0qeBw7YtF6rihh/oqBwjAFTpfbzXfjBIy8yamW45fn8KVW4rqS/N/J0gx8dE
-JSs5bCfp3n7mXfZLYTClSR7fFX+Sv/tpc9Xx7U+MHzmsSBdIMXZWA/rX6w/K5p7e
-I338UrLjMHpDLBKv9mCzJwKBgQDCW8nUhfStX2+CfX4fhzM8gCg8K1gzJ6TbUKek
-9hlrbNQhU7SHL6L2khDZBuTNiuh2Q2D4UA56IO+Q8EL5yf12kdp8XIAtFyMIy26h
-n9AGNSHRXR28H1D6XOY3L60g7jTBTbUkVTpJ++5XAx20dC9varmfG5MCqpZ3/WIQ
-2GCCAQKBgHgUmqRxe2Hg4r5lrlVE1K71kT50GlQzuS/aegu087J3vFyhV3ySRJMH
-hyi4zW3g2YKH0/piwp+x8jq5Sm2GZKYPyciYQe7fRrLSK56HnlD+OUakbKO4I19m
-UJfNlyGITsqzAPe6Ax7ETLt6MIaAV1KG6PwG3xFJJ7wYQtNFgogO
+MIIEowIBAAKCAQEAsi1zRat5MsvZ1FWLlPqqrQrJdVBBM0osnAlBg4U6YvQZdmcc
+IAUgEMFgRd6QXEOTpttS+h+oG2bK6hj7wXcooXjJxWEWclfwGNwFzp1ioqzD4ve2
+M5zgOmNHunVA10je1IDmgMBn/dlczMaHBE16G/fLOWuT6qSFcSY4muLPn+EY/in4
+TIuw3YDxsmUWRzUIcfcZKsoJ99rHeFGTA7GzficKCMtU48NkoQS9CgKlhNFBv+CO
+lGyNEcaUw7A/8iMuZDncXN+S36Zpjofy8GOMEAF0IxF2kSH+ZY7gd1PQO021c42i
+ypmWSqWeMlqDBW9cxOl6Kj7b8JrXvnU3QmFyxwIDAQABAoIBAHAsxSHbrtYYGO/h
+W5tTpRiEbgj5mdLco/EosqJGwleCLnWovMA7+dASrrXORTyRHugxtK/cNk3qDV4M
+lJNcnavrC7zEPwmF65b7DnziATNBaaH/KiqcXV7lGkd9gnEHY6KN9JCikdXzfsU9
+R8uhq3roKn3gCKP1KD3wPjrlCKoyUv5f5gUyALUP+On4ukgLDTdq/lrmuEGGUPaz
+nQqib2MEO4V6wpzLcvCF9nePEDbyBzw8wPSOq8BlYG2KZC4z7O5OmKI1O32GF1Gs
+teWyh0mAZ/q5ATqx75gFg940DcxJZPEF1sUHvrXptSE2aymUEf2uTp+UbEnzoE0L
+gIgyC8ECgYEAwZ4ABq9GYaj0laPE62cDHq0KidzyO1aE+HCvtrj1yJLB5WNL3fbT
+HAK4SB5zvuH37odAgMSI3+5gQ6tZWq5ANJMx45L2DRHhURdl3o9jmVgPNr6N0GM5
+kUynuR8c4JAGf16SHtU5Woxp07uomrUKhQ7BQIpvDj20CJKrRn9RBt8CgYEA65Xz
+qfUT1bnRZEKJArC1nZyRfZ8qaE2be5wEUOYZcevxhivmNiC/C8Ok/VYkmxoPz/fm
+O4TkGKgYgavKtigQkoJcPHzjwRos56yXZeRPdajIwmYfD6idSYVG+kBqFij2cfQO
+Z0aQx4isWPOoU0fWHZ0WwE0S3PjdXUarDou0GRkCgYBb8Dry8afqF+CMbgfEAFZq
+6qBmdpRPuPXLQzcs/Qc5Bvcrhcswy1PTqTb4h/1OVt70VSU8ABc+vmLXvzXe6X9z
+d7Ho7pAIBMWJTCMDW/NfjYEr7bBJk9RyOoQqU6vStpFfSfj4yydA6AwYjrOxQuaL
+6EW78ABsMsCakYrjHvHK4QKBgH00+gaXIU6S7o2ZqxXJ8wxsXQrl3/UFYiBlAAo6
+8MUSQBAuHrEf4EmRVovqD5R7WnIOb8esTkoodLXeJuN/Eae8Luda/PTxQ3Jx0Rkv
+KWgAJ4riGZoJ5GZhtiJkv709UhWoP0t2PpY9tlOkVA7G/C5LAf98Nw1IGuZrG5ik
+eThpAoGBAKY1jD2/uaTFg1VyJijNHqXwd/jmz6x0YquJsPKqbRvnjpg3tw7eeNx0
+prvwb5/YzAFTaMKXLjp8ssInhfPQy/Qmg7qLoykGnkF5QJMGRMQpyZe0RWWUosHB
+Hxd9xATUvuIs7Z8cjGkizKDgn1f8IfCAM2c+aMHI5lqsEOIG3VzR
 -----END RSA PRIVATE KEY-----
diff --git a/pkg/security/securitytest/test_certs/ca.crt b/pkg/security/securitytest/test_certs/ca.crt
index 33eeefe9e2a9..e1d68800f19d 100644
--- a/pkg/security/securitytest/test_certs/ca.crt
+++ b/pkg/security/securitytest/test_certs/ca.crt
@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDJTCCAg2gAwIBAgIQVTqh0bKWaGc9mXyKQM1r3DANBgkqhkiG9w0BAQsFADAr
-MRIwEAYDVQQKEwlDb2Nrcm9hY2gxFTATBgNVBAMTDENvY2tyb2FjaCBDQTAeFw0y
-MjAxMTAxOTAxMThaFw0zMjAxMTkxOTAxMThaMCsxEjAQBgNVBAoTCUNvY2tyb2Fj
-aDEVMBMGA1UEAxMMQ29ja3JvYWNoIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAySkLp2+7YudQOZYTc/fmF0RHeLXgcDSY2Y+2wb2lZ616lSsgmXGP
-aWVHLza9E2vsS2C9BaY2qrK/lUlxMOFXnT3GVnRPdbJVt6uPz0K9hzcKZHT+6WjC
-0R1tfUBK6GNmlvsby9+U1WMkThR2f7KH5ARrv7Lihm062INZQzJljkYcFVEEEmoL
-+eYT0y1+SrJfuYrQeIdVYSC+4IhAHzryVxDA14lzInBXgVxVuC1b6uGOry/f++s/
-pBFo0FRUOs4noT30gFkJ434oX/YCMIld/frnLcpwR/qkbZZA6mLwOrFeniJsz7kh
-sP3u76Cz6lUHPwyHJzW7oa8PR4udYdvibQIDAQABo0UwQzAOBgNVHQ8BAf8EBAMC
-AuQwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUizkuY+BH48avRNXEnr/N
-Ei9cteowDQYJKoZIhvcNAQELBQADggEBAIu67a1RKpmdD/DTB3Qxg+uSgyeTpcIe
-fUNwyym4h8C6Mtp0jjYqrHNH6h6aGhuDj9vTPBLdAtp/s5gH5EMydFvr+2LiuyOo
-N5LAszEN+A+6TrCN3EpcsRR+YpF/fGbvgdTibFdnnqCfpaPxZd1+8Nse2bFm6xjj
-0mRDSzNU+Ti6kAKvYtFSmFXSOMWtGImHJXR46CV54CF+rOhvRllKsjSgZcKBikrQ
-fyJBU8TtjpDA6xVTCTMJg0dp+c9rvYET40lEvuGMOxRmgkOOKdbsrSv2KD5FPrIk
-y2gzRhcB2HnC44lhPBX1AxBbKdH7dsKeAQFaBzdIpLBMLPW19XsJmaI=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 -----END CERTIFICATE-----
diff --git a/pkg/security/securitytest/test_certs/ca.key b/pkg/security/securitytest/test_certs/ca.key
index fc771f664b18..52ae40f998e3 100644
--- a/pkg/security/securitytest/test_certs/ca.key
+++ b/pkg/security/securitytest/test_certs/ca.key
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAySkLp2+7YudQOZYTc/fmF0RHeLXgcDSY2Y+2wb2lZ616lSsg
-mXGPaWVHLza9E2vsS2C9BaY2qrK/lUlxMOFXnT3GVnRPdbJVt6uPz0K9hzcKZHT+
-6WjC0R1tfUBK6GNmlvsby9+U1WMkThR2f7KH5ARrv7Lihm062INZQzJljkYcFVEE
-EmoL+eYT0y1+SrJfuYrQeIdVYSC+4IhAHzryVxDA14lzInBXgVxVuC1b6uGOry/f
-++s/pBFo0FRUOs4noT30gFkJ434oX/YCMIld/frnLcpwR/qkbZZA6mLwOrFeniJs
-z7khsP3u76Cz6lUHPwyHJzW7oa8PR4udYdvibQIDAQABAoIBAQCVYeHBqXuiatxs
-p0Iy8Hjx9kaNIaNWL/kCN3MkVM0sPOu3Mpu211oEjq1aJnAqqA6Fu4UjWNdn0+3p
-0uw3vF/v6RwMv7ryUEjPaJwW8h0E+J7DEw7qDl3+JLhWNxRplsdsf3WY5KQGAuXH
-BfMpyU6YyZ+qcBFAeoUknAYBnL9F8wFupYvlO4Gd9pKoli5gho26pw74A1NB21mh
-dDyc9tmNpq8Nvz5qMdUrV1opK6a965qqxMG/wGVlUjg8iN4y1lQXyQv5/RyPOwZC
-IaK3CbMgiQQjmQzpteeW2HlOyWZktg5AXs+JOusVKbURpXFSblONic1rMcLiD2Zn
-/EMi2tYBAoGBAN3SrbmDg5aZe0nIgOGv8p9r+ONDxs6UP2wpr3DC8u0Sm8Hbnt83
-KoP7+BRCZ+iauTD8sRl1T+OOpi6na3dZCqXPXgUymMdNSPyYObbHC6Uqjx0j7ytA
-wbimYqhi/FCgv6TjsG5ocOP3CkDoqyEmBSAfHGZWJfgCGdmba/bHpS/hAoGBAOgn
-X+1a6YlWGzXxIGyYyZCz+Ffi6dU7r9antX4+Mjr7MVN1n6bTr15spS3IzwY7FXKO
-lQM5m7t+TtB1cwAgVd7e9LlcY7XjEibZxI8d7rK7v+08boItsM2Uvv0LGawL1Y7F
-l1dXbP9MeVFDT7H93Bs+KoVn9+9zo2N1suWflvQNAoGBAIwDyoJZn/q0YFy/QZKz
-M6srRQt2oYuNicblPQcpFptL7qLb1JlCwgRTTFDFZb8two1IQyU1pjqVtRGnva60
-toLYtJkFSegrQVGnaG6VjyUvCuyy3OlpU54Q8B8nc+oUvUMAMUJPjEpoicFU24ft
-7rhKyutRn1+/O7/eWbSIah0hAoGAQCFgZnkOulmG+se5ZUZvqAGPQPf2EGmEkY+S
-m2UjCxgI8D019SfU8gihOJyYU+hObG7myxVG5+xkaUGImyhTkFWW1P2orb4kbYcK
-vV5PaiBjTG29OUjV5nSIre47EUPTorUCsaX8/ilp+gDWKx0tiHkL1f56hzMyl28U
-FEqZsKECgYA2FAfuoOXotKOSNYKfyPWu+LjK4ii6soDlFIgu6DOgspy9sjz9nXYV
-6GCMl6mKLqPmC/chTmKaQBnONw905Hu4GOTVSQ8JlQBwmE1xis0r0Mzc0fl0viH3
-1p2fxauenvPwMTQtTbHxdCpXe7g7p2KanscOPxOsuvRvBCHSdFu9UA==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 -----END RSA PRIVATE KEY-----
diff --git a/pkg/security/securitytest/test_certs/client-tenant.10.crt b/pkg/security/securitytest/test_certs/client-tenant.10.crt
index 22bfa6b2d7ec..99fa7c73211f 100644
--- a/pkg/security/securitytest/test_certs/client-tenant.10.crt
+++ b/pkg/security/securitytest/test_certs/client-tenant.10.crt
@@ -1,21 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDdDCCAlygAwIBAgIRANJrz/fSnAE8mJrPPyNpr7IwDQYJKoZIhvcNAQELBQAw
-KzESMBAGA1UEChMJQ29ja3JvYWNoMRUwEwYDVQQDEwxDb2Nrcm9hY2ggQ0EwHhcN
-MjIwMTEwMTkwMTIxWhcNMjcwMTE1MTkwMTIxWjAzMRIwEAYDVQQKEwlDb2Nrcm9h
-Y2gxEDAOBgNVBAsTB1RlbmFudHMxCzAJBgNVBAMTAjEwMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEAz1f7YcFm2Kkg4ZGGdX2HDKRoLgvwSjiqZ+LzBD86
-ZPu6lMrd8nr0LGdP/omKIbgqTdIUUbRdjay4oyVAjj8gi/VnqC12nL6lHkoP/Shd
-Nhzz26o5s5mKry3P8G2Dw7KfrOJoGXFOGferEP598Dpl8kPR6AgU2ByxmnLQ89yV
-SdSlxtWScXuzS+a6Rk7jgcjMLhsirkewonPlo7pllc5QW7n9AenpVl6TigC1uepa
-UO+f/BsmecBwXV5RDp809GtdvxmTcETj3geLVJyaNFGUEhyiRpq5CoRbJcJyXnGA
-a+JB+mibaNhGYNwFsStbRt2tWAKhzcs3N946iRfCif1Q1QIDAQABo4GKMIGHMA4G
-A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHwYD
-VR0jBBgwFoAUDD1fU2a1rodKQhW5lNsP1zM1SDowNQYDVR0RBC4wLIIJbG9jYWxo
-b3N0ggcqLmxvY2FshwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEB
-CwUAA4IBAQABsIoGVpxCdZPFEq8lgBUaFombn/5x7SJ0RCn1RM4hw3x4xvOStiIS
-KKHU7je+4eXR8m2WhT16NvF6nCDEJOCyDDGAPmzAYXRAyMR019C5TmCL+8SIKW8S
-eR/gPSTYlQ6KZdIrSsQkPX0ytXdcifZHGQh5PIa9WQY999DheH7sSf0OQcstRG1W
-ZX/kQzkBRf9wO6qY8Vhr05WWcFjug28/u2Ah7IbXxRxtAU6INu7bO65NOv2fRgxG
-MvDDCtcjMEH+6wzlBz5aGj/DWqtrbxag43/HB4A+tNqQZRm9VRoEbH4ll/xskiuv
-b1gpWAxDkoSK3eGmtVJkkLhWEhl2RDcR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 -----END CERTIFICATE-----
diff --git a/pkg/security/securitytest/test_certs/client-tenant.10.key b/pkg/security/securitytest/test_certs/client-tenant.10.key
index 617a69d7f628..75e7c3b29670 100644
--- a/pkg/security/securitytest/test_certs/client-tenant.10.key
+++ b/pkg/security/securitytest/test_certs/client-tenant.10.key
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAz1f7YcFm2Kkg4ZGGdX2HDKRoLgvwSjiqZ+LzBD86ZPu6lMrd
-8nr0LGdP/omKIbgqTdIUUbRdjay4oyVAjj8gi/VnqC12nL6lHkoP/ShdNhzz26o5
-s5mKry3P8G2Dw7KfrOJoGXFOGferEP598Dpl8kPR6AgU2ByxmnLQ89yVSdSlxtWS
-cXuzS+a6Rk7jgcjMLhsirkewonPlo7pllc5QW7n9AenpVl6TigC1uepaUO+f/Bsm
-ecBwXV5RDp809GtdvxmTcETj3geLVJyaNFGUEhyiRpq5CoRbJcJyXnGAa+JB+mib
-aNhGYNwFsStbRt2tWAKhzcs3N946iRfCif1Q1QIDAQABAoIBAQCnEaadux+qvoSf
-HQpxyyaxehvz1mzU8VnlgYn9RxE/Y1KRJ/G0u3vZ95kOaTbjOqjjsb3ro+CqEp1n
-39FnjNglziSq748ed8NGZ7kAbLDGtIeN3VjHLZYA13IwsZ21Z02gGYJ11cVvyQ+P
-DvDdS8Dvd9RAGZrqFBzLbW6OwJOOO5T1DNsCspjivbrAi6EiZ1rE4pxmFl34z6+o
-n/BTxrKhtgTuWBvMkCxflY3fAfSSsW5i16qAweDT5XHGoWRi4plQKdJF5jrvSS/x
-NH4Y7rSBCHnhNBhUVdwyQ5Sxhqnxa5YoqpmVf2ev//QRocyBc54ZKr/XSFwYUb04
-OADjXIbVAoGBAPcBALZzxI6scMXm5QASZhk68clak9Z58QEDodRCiqq7M74FICQ8
-mtpLPYDfkL5Lw1zGiShOJFTcy5Svdz+kIZ/lU4XuVsgOzIM/0w2f6t4byOHpFuY4
-RnXUtIt/+//PysZ/wi44rD6JKSYEr5W6qz0UR6AiGsLKna6jjqvD5SpHAoGBANbl
-MqttdIklZ1YAh6Goz4q8X8xryarMfv49Z9IH4VNvS9dKVEbkvS3o36f/A94hxnAl
-vehkTHHh1sbhp4J++QxeE1DIS0ow7vQJz0cfYoyaCLZMQbm3kCz1GfzaeiisoAnU
-dSHn0qZrGpzEDyZ26Nh6zEFO4Zc3aG/O9UDlGp4DAoGADx70mDbGFaXg0XytEDAQ
-KAM/wf/VhQ+5/UHnqkLYklMbe8p8iTtcj3iDr1wAVGX287sDsn/2IWvS2qtTNYYq
-uMslLdHFZkHhqzdBCFh93FL/HTVTvYw8ZAI9ezy+hI6H71bq4EF/6eQjrLwks5nV
-2ctgByGPWdVlicdheIppgQkCgYEAh0+WUh7/jAPDR4HZ5U7YL/FhGOSd/S/6nren
-kbZoiRLBXHRvEJyjCi9h9PQ8SThXLPJ228eb4vFjPaOEyESPKNxrqSgVUEfzjjJH
-E++NLB8pcTAfCoOtAsHqdS5UURwxQT9H6euA1k0GWsORDpU9FGJuDolOvtqiphRY
-lV4tHmUCgYB+Zn1kMM7MlpoWzgbOP/f1jixSWrwHfb2X5uRhjpqvqAWOcQF8WtFk
-87tUe2XJHwWjoF+eKaTSOpqHL0spS12oPyLznAgpmqg3TG1j97Luo54zbgPamlR0
-zDnAJIDiDcudkFCwdF+3+zwySE0kNIHKv0gSa9kIljXtNqGXHfjU/A==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 -----END RSA PRIVATE KEY-----
diff --git a/pkg/security/securitytest/test_certs/client-tenant.11.crt b/pkg/security/securitytest/test_certs/client-tenant.11.crt
index c5e90fbc9441..02931f11ed1c 100644
--- a/pkg/security/securitytest/test_certs/client-tenant.11.crt
+++ b/pkg/security/securitytest/test_certs/client-tenant.11.crt
@@ -1,21 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDczCCAlugAwIBAgIQMrEKZlCQe8qOSmFZrdjGXzANBgkqhkiG9w0BAQsFADAr
-MRIwEAYDVQQKEwlDb2Nrcm9hY2gxFTATBgNVBAMTDENvY2tyb2FjaCBDQTAeFw0y
-MjAxMTAxOTAxMjFaFw0yNzAxMTUxOTAxMjFaMDMxEjAQBgNVBAoTCUNvY2tyb2Fj
-aDEQMA4GA1UECxMHVGVuYW50czELMAkGA1UEAxMCMTEwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQC1hIfulxvujaZPaFH+m7CZxfO0EpfdFDy07uyw0p3V
-JXnK9Lrk/ynhX/hhg2wR50sjaZH5bSjaFXQY6UIOaBjncG8a344S0788gvsDoTm1
-n9+GglVF5hvCsvnWTiZgWBH/sZ+rLzRXIVuc8ItJL9nhI5Y0n4pwvhuK7UN1B1gm
-Yx+SwJvsLpnXNHxj8SYva/X0bstDkaP5gZfIHt6kHZJXVjasAWTYNdeCnPWoyErF
-0yCl4W6NSocDa9MPtmDNlI0WS7KMyCymqPs+DKoMzV+6XfrrSrhJnuQkLhmXDKij
-1b/0PvsHSxy+nPcRTQd2d1PI/2zdIxZDWSGuL7iV38HxAgMBAAGjgYowgYcwDgYD
-VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAfBgNV
-HSMEGDAWgBQMPV9TZrWuh0pCFbmU2w/XMzVIOjA1BgNVHREELjAsgglsb2NhbGhv
-c3SCByoubG9jYWyHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQEL
-BQADggEBADbOdSWk3gD9Xhdi9ESXzaDzJHNx1gljzBZFZW/qWuJEYJJ9H2GPGZpf
-Y4Pkq79xsQ40tsSdqp+vpNqIkM+QvdbT+G+B0PA/Y9sgNzr5UBAaRQN5ISfvhxFv
-/uiOrOuDxiiGg7xmPEY7PnW78iezzIOZHQSNuPev+t7UocrEMzj10znOA76Mh2wQ
-pBnZP7LUEAOZ+Bjly6fzdNGv9sCnGF0ZlAfASUz/V1rEGY9GXRTgg6O4C69qBw+d
-4KkI/9vkfcPosqobAcAUKA5mvkQkAfHP2W0n+bD5iBgJ8uEQt4qktjLQNhdAhpVE
-Eb23bdtWe6a/7WmRfbMky7R1xFt2uqQ=
+MIIDdDCCAlygAwIBAgIRAMlXMnnNPC2qd3f2KhqqY7EwDQYJKoZIhvcNAQELBQAw
+KzESMBAGA1UEChMJQ29ja3JvYWNoMRUwEwYDVQQDEwxDb2Nrcm9hY2ggQ0EwHhcN
+MjIwNDEwMjAwNDM4WhcNMjcwNDE1MjAwNDM4WjAzMRIwEAYDVQQKEwlDb2Nrcm9h
+Y2gxEDAOBgNVBAsTB1RlbmFudHMxCzAJBgNVBAMTAjExMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA0tIn59qoyBo3D43SRld43H/S5c7qEZa+NPwN/3uH
+o/ouFWIkzD4E0+Y39gJJX0mQ67EwLeW1ZtWvgqHyiXkKBzUal56oQCEzEi5okYNW
+YaiCR2FkDwOwjjEU4MipcjU79sFaO2niAT8CyhnKWNWEOXULIZyJvo85R1xwhqSe
+acwv3uUtQ+BAe3dY9i3YeUfXWbQfocoEdBEs8A/ssdCZ9WkvbYFSJEG7ZuwCfZzm
+wxN5X7a5j0RTWp3gDQN6hSmBPXCFceX0JpjuqmRnzV8ShXKdlZOGM58Vo5GDJTqN
+NSSVpbL/3n7Mw2sWUbrqJv8CtYy5taes9Rh/jz89P7l9HwIDAQABo4GKMIGHMA4G
+A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHwYD
+VR0jBBgwFoAUyx2XYQZY95wsH7c3SvIc+XkdBqswNQYDVR0RBC4wLIIJbG9jYWxo
+b3N0ggcqLmxvY2FshwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEB
+CwUAA4IBAQCt94Rrh6cvrX1miFx0YCAq2mpRuPP0P+DjRu99JWnj588VYeuvAX7E
+rtUMWzr3937aY3bWWh58RSqXYfFY3hPehpdMdeTBQHLgJBSizzH6GuZMd7Ar+EWI
+R78OfiEAxylTFU/1+OOoBFSycQ4mOFmgK+yWW+AUFMOk8v12/8kOKqYK+QwFHVhz
+YuucOz9aBD4klH3nUzeH6gow9DRpD3ukz/j7Q2J8Fgrlz04/C9abklG2j3uCv7Bf
+TCDQ2Ko+EeDNJydRZCaECRsfme95PnC+Vr4Nd4/mYqsG/TtEshv1e9TklbhESqy3
+1jeeZ18fFJTyPx1tzMRTZmpLTA8ymr3s
 -----END CERTIFICATE-----
diff --git a/pkg/security/securitytest/test_certs/client-tenant.11.key b/pkg/security/securitytest/test_certs/client-tenant.11.key
index c57f734ed3de..a3296737fe52 100644
--- a/pkg/security/securitytest/test_certs/client-tenant.11.key
+++ b/pkg/security/securitytest/test_certs/client-tenant.11.key
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAtYSH7pcb7o2mT2hR/puwmcXztBKX3RQ8tO7ssNKd1SV5yvS6
-5P8p4V/4YYNsEedLI2mR+W0o2hV0GOlCDmgY53BvGt+OEtO/PIL7A6E5tZ/fhoJV
-ReYbwrL51k4mYFgR/7Gfqy80VyFbnPCLSS/Z4SOWNJ+KcL4biu1DdQdYJmMfksCb
-7C6Z1zR8Y/EmL2v19G7LQ5Gj+YGXyB7epB2SV1Y2rAFk2DXXgpz1qMhKxdMgpeFu
-jUqHA2vTD7ZgzZSNFkuyjMgspqj7PgyqDM1ful3660q4SZ7kJC4Zlwyoo9W/9D77
-B0scvpz3EU0HdndTyP9s3SMWQ1khri+4ld/B8QIDAQABAoIBAGQiBT6oG1+AwqMB
-gGH9DvH1Ulge/amWtVp2hxmQRkND1ikQ0lzrKfZLE+DvN9m0hy202jMHdcbAmPf5
-DViXMk3SJ2hitKRMLS27b69z7Dr2Q7+W/GV/6AaC5vHC0MbLLrqoCNXNR4ldPIWZ
-6Kxp+j6JfB3xeNRy+wyrkE/pykX570JXazZIBiBTBZkbwcVv2BvWOh+1fmBST/To
-WQuhni3zoU1pIve4nYwu0S/Tm7xASiRSkYep/vsdRHTxBJMlko8OHFpYkh5rGNDp
-v2I1dIOqBPoAvhQgLFaIbpB7jGXAfCyOvr/bQDhvgJuThe8vbbOSC2dQN/+ZGmJS
-KC+IKNUCgYEA8Cyhb2u5B5+ghtLd2BDpbpcLR1fKJR+hCh+C6XANAwX7WTL8c294
-AR9XAET5Ahg0KD0RmXFNMlNzCRrD7q21Z4c0YQckcQLBirecALaqSAkoxKHDDnv7
-BunT9e27PBmDafJNYGM+As1zROj1lgXznkpuaC14KSQc8Ufh0cLcUmsCgYEAwXp0
-IpG6asCLhrvT/NBGQiSeKuuP/nAqt8vT+eCC1anltwlkG/PxcSbkD5XIKdsEZzOm
-TaeorgVNrA1dugRTUej1Z5GvV7EYLwEizbgTZVlQgw1oMdZu1MZ5D7jL3qm2bTnX
-hcMAlrDG82pp4rPS9eOg6IXAMDdIEjXS5pth7BMCgYEAo+LQhedL6xfRwi5Bkx53
-Ky+GUrhlB8/9Y5r9Ca2cM2Pxj3xrJ5n4mUt5YoWuJO+/J3YEfGAD/UNUS/InoMaH
-8o0gANWO2E65Ip8HpLUAnQci+oonP8r6EE2ehUIjcW83bSQaCJuvxNnMvkj4y9Zj
-1q+ThyL/y5MI7NvQDAKbtOECgYB6NxXhOFifUl1QkJlKG24mHedjiUV+HfB+BV0z
-fKRov1eCFYaNOb0MEtsBFUZJWjYf0rp8VynwMx1rT04jUNQo65UJBTfTluSF3JvV
-gy+NV6vJ/NASmzeLZIvYaI0va9j2ihEgR5u5lJU38cJNF/ZsqIteFg7e5iy6hBFi
-5kgmzQKBgQCvqra2081hOAgLiIth4wF0MaPFoP78508XHNt6Rw0NB7nJU4vcVdTK
-XXxl9ZI+em8joFCJ1g5xrA80ACHxodcESePNrPB30jwJc3Iw6Jc3Ivn4iL55pkN9
-beOVq4tCdXJHp5FwRwIiiv/h16eZwlli4oJwj5zrO/7qCk4cXEtvUg==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 -----END RSA PRIVATE KEY-----
diff --git a/pkg/security/securitytest/test_certs/client-tenant.20.crt b/pkg/security/securitytest/test_certs/client-tenant.20.crt
index 66f1b80bcfcf..5bc17c9a314c 100644
--- a/pkg/security/securitytest/test_certs/client-tenant.20.crt
+++ b/pkg/security/securitytest/test_certs/client-tenant.20.crt
@@ -1,21 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDczCCAlugAwIBAgIQQwcxVR4R88JtcUteJru52TANBgkqhkiG9w0BAQsFADAr
+MIIDczCCAlugAwIBAgIQee3huhR2tVgRzSYD9j0R7zANBgkqhkiG9w0BAQsFADAr
 MRIwEAYDVQQKEwlDb2Nrcm9hY2gxFTATBgNVBAMTDENvY2tyb2FjaCBDQTAeFw0y
-MjAxMTAxOTAxMjFaFw0yNzAxMTUxOTAxMjFaMDMxEjAQBgNVBAoTCUNvY2tyb2Fj
+MjA0MTAyMDA0MzlaFw0yNzA0MTUyMDA0MzlaMDMxEjAQBgNVBAoTCUNvY2tyb2Fj
 aDEQMA4GA1UECxMHVGVuYW50czELMAkGA1UEAxMCMjAwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDGVVmuxLLyjdTpKfrWfdm038n329OYn1GFxfeLGeRc
-18rN6XczYkI+yAJyH0mweSMjq7x5X85J7CC6IOQOLcrAwBs/oNYHU+xK0uSCgOoU
-G9PXu5Gz/Q6VdBKqXXH5Uy3XlDAz8eE1x9RePMdPHJ7Qoq4UJjbRx0QX0LaZ8ZCV
-epDEJoRfhDTZYyEKkS4xjErKUzMlydRw4IYOycvbz5PAZ611WG9L+BZCa5az1xBL
-FEUyMfMeAuMvAkmzD9IPfx7/p797l8uW1p2zCbQ6nnqDIiDQk2yUye6jmB6qwVBj
-UYUxHeopGCtHTWPqSDga8ylg+s8g0dtuDsCm7+GYUJ61AgMBAAGjgYowgYcwDgYD
+AQUAA4IBDwAwggEKAoIBAQDM7Shix/hkZl5JF4ngLwftfVB06WbHNLwM4D/nIdTi
+JtSMRaXO0UKPnserDbEJMZVQEGXwZyeNCsAYTGpcIhvp7Fv17gQsrxk2IvDYSrjF
+ap0CYsBz4YGPPnLkJt7pPCflnvNT2gdpJMA9C61y8p+xKwZJn6BstpWRQlvpponY
+n8kSE6ykTwVN2SBZstjDPlHCkZPsF/zeCt0u/ALdKfPwZnJ1LdZYsQ75TjdQrf0b
+QqaTKKIhzxRHkd01hUQh5DxCozKFt/CKuRRS95+FEnnjMMQSK63R+zpqXDFsluld
+924RiC6qIvB0DCpGA1nTox6+A0LUBb9hVNiuFSKpZ1wrAgMBAAGjgYowgYcwDgYD
 VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAfBgNV
-HSMEGDAWgBQMPV9TZrWuh0pCFbmU2w/XMzVIOjA1BgNVHREELjAsgglsb2NhbGhv
+HSMEGDAWgBTLHZdhBlj3nCwftzdK8hz5eR0GqzA1BgNVHREELjAsgglsb2NhbGhv
 c3SCByoubG9jYWyHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQEL
-BQADggEBAHQPeU7HlsBiWZiIKQstSCcoevqeHtyEtA9hrRIef9EcZHLOKOeyYVpf
-C9lLigYMrhAlYt6Q387sldzBvKBuC961jGhG7FvAFdYLHSon3aHnZmq1NIYesJmw
-YdUt7OPJtpzW6tpBhmqeDZBXKrN9BYxcrUFBJzOpDPB5zBnhdtMn5krAjJzrQJ5V
-29AACpttr+fWzFZchPgDU2jxbATHUZTUCbaf8KBSBQOgbwhrEoAXKAsEpTdBD0f/
-QN+Miof/WEOT869KOmFtp+gFlfTJUidi3pg5y77FiXwasUYwgzvmoHGfAzHHztzI
-rzPaKSUAFwZBduzsUghQChXoT1vLvKE=
+BQADggEBACd4zYK92utMHRv6o8Pm7G8wRmOA60nERPXB0VrrWR1vFaAo0/YoAusk
+pCXT5JWw1cqtmrL8OmqDPVDHRoHsRQvxEEuQxfPpzjYbLFqsAdcO3eqCRDF0wzjf
+LF6Uk962j3Vmaa+GQnn5JOKNgfiR9IWtApmEt5FYdd1eQ921ZUlnktR3NMuZM76+
+iQ5B/FenIjhh0PbhmFhy9kpVBX8Z0+Ljwruoklvl5NceNw0DxdXNQm82axxdPvDO
+f5hUBB12tO+Sma49pIZRkSzMHuHCR+Z3ASYNdgPGPxTJcRI29qRoDKQonCvQgwso
+Tf1rv4+aK0IZ9qOh6IiDUxPUAmAvGZI=
 -----END CERTIFICATE-----
diff --git a/pkg/security/securitytest/test_certs/client-tenant.20.key b/pkg/security/securitytest/test_certs/client-tenant.20.key
index 23bfda906ae3..49096084f699 100644
--- a/pkg/security/securitytest/test_certs/client-tenant.20.key
+++ b/pkg/security/securitytest/test_certs/client-tenant.20.key
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAxlVZrsSy8o3U6Sn61n3ZtN/J99vTmJ9RhcX3ixnkXNfKzel3
-M2JCPsgCch9JsHkjI6u8eV/OSewguiDkDi3KwMAbP6DWB1PsStLkgoDqFBvT17uR
-s/0OlXQSql1x+VMt15QwM/HhNcfUXjzHTxye0KKuFCY20cdEF9C2mfGQlXqQxCaE
-X4Q02WMhCpEuMYxKylMzJcnUcOCGDsnL28+TwGetdVhvS/gWQmuWs9cQSxRFMjHz
-HgLjLwJJsw/SD38e/6e/e5fLltadswm0Op56gyIg0JNslMnuo5geqsFQY1GFMR3q
-KRgrR01j6kg4GvMpYPrPINHbbg7Apu/hmFCetQIDAQABAoIBAHooq9p3kPjQ3yjW
-EIf4cBV2GYIuxf+lcaMBslzdD8kXqPR3LlJZ3Q+qRcdg+hRWKIyaBLaFihwB8o5y
-H8WT8uQR7zabq/hLeqkDiHfRS1wjX7Hq9+1ymn73RV/luoOk9gFoZuA3xU1IzcdV
-jDVwHWnIKYyDlRRUtd4tUas0HKfUBmRNJrH8YCKOZMCXE+jKi483UtQQ/ASakRVn
-K+nZe/aisZVOPO/pzWgZMUoakq5mMUbCu4cJ7JM3NUCnriDcJUSsDnhdZ3cN8R4y
-f+3RwwbIoj5onKrEZZCHBAFLiPcm8OJ8ZSbZZYby8TrIqFvevBPCESQsGK7AnqwA
-Zch0ysECgYEA1zyxj9XLMkko0Jo0xaaPlh3xxoeuqq2kYSgwxmgljsVC9ESbOZxr
-8rrQsVjfvY+RtvRr299Mwlwy8SDAEOX7bco842AANkdUqTNOMJf3BaStUWKwOfXR
-C3+JzQnYzG9Ig3klTqNIHr25wbdqr1eLJoriHPzJN7MyP79pm90uUH0CgYEA6+Ue
-NBPLFXgf/JrAdMVk0DYy3Hss+8k0kuVnYXRkFNXPeSYv6/c4PSOjnRlxFYN6vo+i
-yiDH42APSGM/ihxFSVJuDIUMFhm0xA7fiSnd7b5UfC2MkoC6GYLToHuOlasaZWsF
-r9wfmatgXSympMDgEJ7h4gIo5u/O/HEp8oTX1JkCgYBp0FnOx6FUwGjDXPxSqxbu
-CxygqHWzTRiB9zs7X1oPfWT0J4JUaVUciMEuXu3oCFvvoOwhtP7Mkn0s1Bf4dsgL
-6p/SfJC+HoU9hY6MDzmO2a2nVCgk5nd1+qZpWczufEse74DqzxUWn9lhpeVZ/GTZ
-du/ApnnZ20v50QV/bdZmFQKBgQC5gM60o1ATzQhSbBumeEgkGEr86XxhcEOAtRgM
-IixF2jGykp4i0KGQKsOSWhx8j41p56hbjVXDb5n1Ed84q6ys0T6rZ8Eua/6kIxIU
-WjEksYTctjESUFqIj0H+tMtW1VwHnxa0ycSr4oIAI4nUi7xoNZlqUsp5eOHr0M3s
-4hycGQKBgAo75A02xiRf0fvUxisVXvk6avQ4ToN6MDRppgcLoMFd9XRgLHhTZ7Bc
-K2KVFoKxOd9Y9+7lG6AzPUz1QF3YvaOIEMPKR4Im1VT+EFrFaSn4vdKzMQU8K1RX
-m8w+SbNa/2moEvnFZDoTHec6NbezmSRWtIVbogONwHjgJh39J5zG
+MIIEpAIBAAKCAQEAzO0oYsf4ZGZeSReJ4C8H7X1QdOlmxzS8DOA/5yHU4ibUjEWl
+ztFCj57Hqw2xCTGVUBBl8GcnjQrAGExqXCIb6exb9e4ELK8ZNiLw2Eq4xWqdAmLA
+c+GBjz5y5Cbe6Twn5Z7zU9oHaSTAPQutcvKfsSsGSZ+gbLaVkUJb6aaJ2J/JEhOs
+pE8FTdkgWbLYwz5RwpGT7Bf83grdLvwC3Snz8GZydS3WWLEO+U43UK39G0Kmkyii
+Ic8UR5HdNYVEIeQ8QqMyhbfwirkUUvefhRJ54zDEEiut0fs6alwxbJbpXfduEYgu
+qiLwdAwqRgNZ06MevgNC1AW/YVTYrhUiqWdcKwIDAQABAoIBAQDJlKR8fv7dLEGl
+Hq12xGzE9dc2Gf4LCNnOxKy3nPT/PXkpPr26sugJxQPeRIqYY5jf+DF+iMpEGIYb
+oNejJ75Tnjhbs7WRivB+62IFMYOOVrB6D1AG7ZX3pVN5EK+HuK/6VSBApKFTkV40
+7o7BGt9xdMQrmgVBy11XVXJ6ZWMFnW0vwmNgTqG9FoSPeYNMuk9YvmuJXWivNvJ7
+kxaXcDCaZKEA/QUi7KaPJYNMCGCns7vV5NeCa3YZPwsQdmcc/OY5pFXA/Wgp/Lcf
+N3tT0yCfLbnlseVVrq+Mw9kOJx8Vp8hb2fpsWCy8Mz1/3bdVNL0x8jLDbJAnEWcw
+gwM8uOlxAoGBANtRgMTtnB3qim3u4UtvbMILYrAjcaBaKSneylBMIqFiit3KOJym
+Xx6cgtATb8AxMxGjLgibmyJx3v7amhI8w/JkfKAVX3WAZzqHbO2sEcEEQ5q+SkTt
+njsl/srLZ/ZgtUTGgVM0sl02IAi5Q8peviaX9P3dF4qyrgw/zKbxI5mzAoGBAO8z
+b/m4MSFv/WZJ7iTytnV3hUhCbfDdvUuYklwKL3ckDYfZ0eMBX0F8wcyxWGFkTaaW
+DGRrLyZLC74p/WljdtYPBA/wE7KqM5pgy1Y8JD/G9bwNJT4eK1zFXa79V5uIR9Ho
+fg/1WBPdpyfS1whFd9sdIJfFFbwrys2E6ceCAQepAoGBAKxtbqTk/rmSfVUi2yQY
+rVP96Y/7vcjJOdW+YCczRILHW9A1vb6DGwORH1OCBHkA9VqnhXilBhnVlvGdYkZ2
+WcPHdyfQxeU2l3IvqNdPUgIDXTda5j885gswuxorQ0g0Di/NNT36j0SzWgohxgdj
+53GmRKoWWfzkr+vXeQnDSi77AoGAKsevSiEoIEvQLSAhyFfkTAPxQWgoE4EE3uVN
+n8pujMdU6CwLvqa7K5Itcvdw0BJJVPbXBoqo5xda5UrLOLMCSOxslJEiZLzN99lB
+5I1jCkkCH/zV4VMx/CiMRcSni3iHJ8KF8UK22u60e4nYzXDnK7f84UftSDco0TLp
+QLY+iukCgYAkbBq4jAB40s+SVIRRIjRFdOsT9hgzpsbPkTK9tbIvvt1SaDybYhKc
+hTXBsnXovYnI3hgrS2paSnOxVvxDec1kNfzN33DwFeYs2A1p5uD1KOmGLXiOp3QM
+uu4zedmZ/V5ziiRbo/h4YPxFRYr7szwuBKnPhUnAWzFZIfaGqhwb7g==
 -----END RSA PRIVATE KEY-----
diff --git a/pkg/security/securitytest/test_certs/client.root.crt b/pkg/security/securitytest/test_certs/client.root.crt
index f704030710e0..957fcc7cb80a 100644
--- a/pkg/security/securitytest/test_certs/client.root.crt
+++ b/pkg/security/securitytest/test_certs/client.root.crt
@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDIDCCAgigAwIBAgIQcgkmM8M7za0dPIlRWKOCMDANBgkqhkiG9w0BAQsFADAr
-MRIwEAYDVQQKEwlDb2Nrcm9hY2gxFTATBgNVBAMTDENvY2tyb2FjaCBDQTAeFw0y
-MjAxMTAxOTAxMTlaFw0yNzAxMTUxOTAxMTlaMCMxEjAQBgNVBAoTCUNvY2tyb2Fj
-aDENMAsGA1UEAxMEcm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AKNJzS0UydhoR9W74/Ikkw/oO4eS2FIJT99YHhHriUQJ8L/SZCtp48sVZmPlNzU6
-qt9cJTgx8tCJ6vu97fRjpyLT4/78objzt4jb0o3+xk+zZ9yaLQlQdI5Ff/QVuNcU
-Jc7CFCbcHgepyHovY9kkU2Fl1V2+r9IzafpiicoHHlM0OHmTjmiF3KfY3OdUsANS
-USr7f+c5yKy7/6kd1RzeqqRGS+bNpgAb1LP6EQGCzqrjG7nojvWSMq+TZbxGtPvw
-iYPKQS52Sil4upJwEsNywcrxGa63Aqo6JLWdYqxw1zCAB2SQmMUOW7th1zvOjyNj
-P95LfrgQHpzqDYmvDDFXoekCAwEAAaNIMEYwDgYDVR0PAQH/BAQDAgWgMBMGA1Ud
-JQQMMAoGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFIs5LmPgR+PGr0TVxJ6/zRIvXLXq
-MA0GCSqGSIb3DQEBCwUAA4IBAQAVtCgQR5MqTcCchlanTM+FDGDl3TYKCsQQvKDa
-c7qlUu1Hg3FTI0Ahw2D8X4aHd7kcujTslh8P0pDe1vi/mP3rS27bpx/d/0LEI3Vk
-miavTUhixkl3Tw9Ovd1waCNMiysCuHV1V/bvKhn406qNO9hYFjK1saUhfPa+rZzv
-HuuVyK3+OSgU23Pc2ifQXg3XDAabHldreCHt+x4YEAlwVqeurGClyrMiqqvRRsdi
-6kvis/xYoZesT0nMmUi9fmjw/Ot6gZy/YMKJzQ1qqxUd0L1yW1h5uhDJE1JYXREb
-dV34oUpjHI1y9K40bMHeQ6lwzWwfydIGDliSVmlXYuiuXPwr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 -----END CERTIFICATE-----
diff --git a/pkg/security/securitytest/test_certs/client.root.key b/pkg/security/securitytest/test_certs/client.root.key
index 77d6f803b5cb..25e89dc00bfb 100644
--- a/pkg/security/securitytest/test_certs/client.root.key
+++ b/pkg/security/securitytest/test_certs/client.root.key
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAo0nNLRTJ2GhH1bvj8iSTD+g7h5LYUglP31geEeuJRAnwv9Jk
-K2njyxVmY+U3NTqq31wlODHy0Inq+73t9GOnItPj/vyhuPO3iNvSjf7GT7Nn3Jot
-CVB0jkV/9BW41xQlzsIUJtweB6nIei9j2SRTYWXVXb6v0jNp+mKJygceUzQ4eZOO
-aIXcp9jc51SwA1JRKvt/5znIrLv/qR3VHN6qpEZL5s2mABvUs/oRAYLOquMbueiO
-9ZIyr5NlvEa0+/CJg8pBLnZKKXi6knASw3LByvEZrrcCqjoktZ1irHDXMIAHZJCY
-xQ5bu2HXO86PI2M/3kt+uBAenOoNia8MMVeh6QIDAQABAoIBADmk9CnWDOu45KMv
-kWkKQGB9O4bA8F0FrIzMLtFktTCv0a3mODabSy+Gfn8FjFfePjRb80fDWlUEW1BD
-3J1KENbatsJtrSn93+0QrWQzbQ715tSaGQwQuxT+tA0XHgnPswkqurJ9Qpyx83Qv
-BrDBgi4AJTLS/n7WZ7Nc1gfcO3hjhp2JBK6EECAB0JrNNXsbJIzJ5w/gqoplCRlA
-floHgZS2PNtR3V72Vb23QLR6D65S46fpnIbzxektIOvj9UqoAzSpc4iOiyjbUqOS
-XgBSOpIYBcAx6cKZ1HKV8FJSmkFLcfav/na34deTiqSK/vAoBxV3Rrg2fHYxxCGM
-3ytuN4ECgYEA0zrOD+wkVsFMHgaI7hO6+z+qP29cBOUR2CDdYwaPH8jbbNwtGD0J
-sgwWh9gEp4+n1cQ2AZTD7MOzlG+qwCu+DqO+XPZAzph6SynOCiRgNQJfeEqQtwTV
-aXJKD1jhlHfbmyisRgcv8r2VmNheY+AiAYlgdxwO5J3Iz3ypmhh/wVcCgYEAxeW5
-bkq2hHBxTDGM57sA2vcyOiniE1Nan/A+xKYAoY9heISfN+NtnPIaFOTb8CGTmCn0
-XK+V1QDojs8199aZt9BTrdiVkwfkox3d2xeiXO9P3JvVGdkMqiE4B3Y6JGd+rVxy
-E0l7tD1LsCLBkaVCDG8jXuVUj4swLTIC9YvFbr8CgYAD0OwoHXwKlTNq13Nh2bln
-EJ9ixgBDll/cJ7vYLiYnzNkp/lBSP8gND2rYyW5MGKxPkFvpa2aewGpeJCZRkni8
-ivjFdS12jgqnkPnH9SBH1OMkqTQ0GkJAxW/RFyn8JK4y/2kdWsPi/snVGRObelEi
-9fhoLnmWZ8NY/EeUIR0twQKBgAqjXcN7CrK15LFG3J88Y0BiF3Ye+EM3sOB2Jrml
-ftUwgvnaj0CO3j6YmSRUZSpUc72zS6qL2c8YfGfo5arMA3lpHoZy5R+BRh4qpdl4
-PMcoKi/exKbeDxs6K+vixB9e3OVu2ccFpTu8K8xtIeC1dIZ8lvcr9s68mbtkO9p9
-SAC7AoGAZU+UvgKzN7Ln8RhvKl9IwBiPOYUJtAY+YCpLW0kbW9peDZOEhJcyFa54
-HwetoUZOig0162y8rb6//VCyDBSmsBb9yv5hilZG00wba5BW0SjlR1xk+j9V9ZYH
-kVJOMLxqGQGtHgJjuzYJx7/SG2L1wkFcrcZIezzsrfxwmAOh7DE=
+MIIEpAIBAAKCAQEApX+Qvil9/WgAnbjbHWw4lRFAsXkBGm+GGggi81qP5AgMK6/h
+5vEtCGvPfvWgiIapxug3zoAmHf7b+0pZeKSIeY0QOv4QBveDDFRnsQCFSYT/41tt
+TpuzBhucikgn/CNP2P+7m07p0dO+b19+npHx2JB5W2selGYWGsUkLaHRAAKNk+7B
+Cfnrp66Mcn5og46D6jYxqggRAfAA79qrSC6xgTOs+mvgYml5hbVYHc+jzRM5nNLy
+nFoQ97qHEU+P5STWzTlBV2VCyV1ujtfg7IXKVi9X8KvDYvfhFr0YnL6+2PqoeLfp
+rcgOQFiGliGx7vskaFqi47KZAwb8cZGciVbuNQIDAQABAoIBAQCJ8pnQmD9HUUBq
+N2KU1NcZEedtxuHvihQqcKvJUqxrs3WJmLJg0Jjr0wmC1vS3uB+eB4Q04UZkbEIq
+5N9NG0ASqU1lDs6HMBqQ1W4U8M0o6e5tMZEcG9YOekdyUBDcLwboZsmW/CET4D51
+ERE21YnULSCq3dAAfFNifv7X9nCCY0bX6Tn5arqJLvlfBcWo8uBGfNtZ+mIrDAYG
+K9j2vO14Jum6I10Pxri6tUF4Yz9sgRGhJ+GQV/cPeoVaau4dKLAcOZcJYGxVyhoz
+/cTtNyd4WkyeGmFskuP9+6OgokNgZBs2UJ7BeA1C6mgksRAmBu/1nlsMLmWB8B4X
+u7nB8oMFAoGBANgoouzI3viOvp2NwgDvs1MCsiky+d4lGyHqTicRXeA3WDNmm3uj
+uTLiNjZ8beYA14j6pBR+ZflwdI+0XEF3KlwHr9symUiTDZH6/bFwGTFYppXrz40a
+jrGYsvpSVHs/78vYjOMpNeh6cEYu8ZWNMeNzdky9M43PacjJVnsAkVDvAoGBAMQA
+iWJy0uvEtlEecokXPoffG5zyipseCUOUeR1LgZ9QKc/nbCDtqlOc8ysuzDhnE5Q+
+Id1JVkcnSjexTZACeGeU3uBam5QPAEFJScuicHceshw0mY5SBpeHhsDGFBK0/UrF
+aAqGNRLb9TyzTpY4rC88KP4nFt9y0M2DwOLGyOsbAoGAItza+imjnJ8ZKzwT0CbY
+20iSB4cLOcLuT1gE5tQsOd9zQEcKSLStSAGoEL2c0/3KxXL3R77jH4n9orfKMVzQ
+3ir3N/k/M69T/vlmNVoJFiZgJ8nynaVs4kPoiesBaSd0u4HfpzucUDR/KzKjECXH
+qBGVQOc7C2Iqg5HFeu0qgs0CgYA/PE0WziTunBCWK1SYlj8+ZuTpxfaiBRbIDubk
+ZK/1Tk+vG+Lu3L7PKxvpGrgYmmjesw0J79c+LZbsUO/NPn7KLGWbzJ/VLOHQLmz4
+nffa9rRQFUhVenFWAguftkhToMD3lqjyfEozQ3PjmZYJMU+cDbTMCqB+hvSG2bMp
+dyjrcQKBgQDX5k6x0cwA4nFZxN9W5NFoHjNcuIj9Yxw0U50wiFkj05vcOFO35Qi+
+fx2OJhMDiAcD+e35aH2OMfLA6JbFEcg2vYLmtshnJeRlwABjEBO+5thA6jvbL0Og
+6LhYa2EpmbUX73fZJ/RcAfRaK5Ndk/M2STAl1BfgZPn9rTwY2L6ddA==
 -----END RSA PRIVATE KEY-----
diff --git a/pkg/security/securitytest/test_certs/client.testuser.crt b/pkg/security/securitytest/test_certs/client.testuser.crt
index 1445eea84a8a..d36fee272558 100644
--- a/pkg/security/securitytest/test_certs/client.testuser.crt
+++ b/pkg/security/securitytest/test_certs/client.testuser.crt
@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDJTCCAg2gAwIBAgIRAKDLzHuf1H4wP0HR3GmF9ZwwDQYJKoZIhvcNAQELBQAw
-KzESMBAGA1UEChMJQ29ja3JvYWNoMRUwEwYDVQQDEwxDb2Nrcm9hY2ggQ0EwHhcN
-MjIwMTEwMTkwMTIwWhcNMjcwMTE1MTkwMTIwWjAnMRIwEAYDVQQKEwlDb2Nrcm9h
-Y2gxETAPBgNVBAMTCHRlc3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEA3/uh9wMNN8SeFzDg7ZHowA6Oo9Hf2CFRZjscNxV2bK+Qm2HSiuEzj3HB
-20b0nkbPXQBUF2vVTfMrsrI4Tfn00Ja4FddFp8z+y3Ol5mpXcM9mtn10hnJcXWIx
-d+ApLbfsugEmZst00GsbvyKVDV24owJLllFMnHMZtymdbd068KNt2w4jgbTNpl2w
-7e/8mE+fcdTm9Q3sXPDTTbbW/Lbvgc5oPpazPBNfVg/JkC+kzxjTbBiLfooi+Srj
-TdJ/Bqk6I0+sntxq0O8xd/mzLdwqGuHoUm001pzw8E6SsmaErQdZVwYv2tm7lvRU
-0iTzTRW/UzbP/g1g3AM7AmaPJfKvSwIDAQABo0gwRjAOBgNVHQ8BAf8EBAMCBaAw
-EwYDVR0lBAwwCgYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUizkuY+BH48avRNXEnr/N
-Ei9cteowDQYJKoZIhvcNAQELBQADggEBAHRZZfTFulWx4oeGoamhGZ/jiOEaM5ii
-MV8K1DwTOk9sWGANEFRV78utEJyHTvONcoSDYO97Iar0Hc3SmRG8iKtNqCAsGTqV
-+BbUxKqEkkIBXJ3jZ0obEdNIJ73u34Fm0iJeGcqUwqmSWsqLV/NJrs3F/QlTPK4p
-JGcW9wkT7kLFugsUKaTxPrVHjfbYMdQ9mYFFOd74Eem/gCS3O8XmEunIH+pAo3wR
-7lcv1bHz3b31+eHh82vbFMj4tUUqRq7Z0vLsGHpy3JzI0/aWcBqJi96jYmRRCf9a
-i0jsTsUzMBxTp1rOrzjAf9OPxG/8ZvqjIrgv8NXsBtSZDyAH71Jo0Xc=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 -----END CERTIFICATE-----
diff --git a/pkg/security/securitytest/test_certs/client.testuser.key b/pkg/security/securitytest/test_certs/client.testuser.key
index 62e3c9a413de..ab7b7d0c91f3 100644
--- a/pkg/security/securitytest/test_certs/client.testuser.key
+++ b/pkg/security/securitytest/test_certs/client.testuser.key
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA3/uh9wMNN8SeFzDg7ZHowA6Oo9Hf2CFRZjscNxV2bK+Qm2HS
-iuEzj3HB20b0nkbPXQBUF2vVTfMrsrI4Tfn00Ja4FddFp8z+y3Ol5mpXcM9mtn10
-hnJcXWIxd+ApLbfsugEmZst00GsbvyKVDV24owJLllFMnHMZtymdbd068KNt2w4j
-gbTNpl2w7e/8mE+fcdTm9Q3sXPDTTbbW/Lbvgc5oPpazPBNfVg/JkC+kzxjTbBiL
-fooi+SrjTdJ/Bqk6I0+sntxq0O8xd/mzLdwqGuHoUm001pzw8E6SsmaErQdZVwYv
-2tm7lvRU0iTzTRW/UzbP/g1g3AM7AmaPJfKvSwIDAQABAoIBAASGZONEoIO76SW2
-yxSBmh4nLSKKHueS5L4X+53xRQ81DMrW0xYTLqN7PNtdN5vq+k16sDg46XpFq2BU
-0WZh4lxEbzuhubqGHa+mind5NoME7aJKLox4yvzn+u/dC3fs+09WrpvtCFMdltXp
-sPEwL4a7iSNkSRPwD1jv8kpB6erqmJ9+SY35hLqtf0EsAxgY8AGds9MxvAk2/B7/
-Kor7wuKHriPOUaDoRigpLSOWrw4pOPitSBhbUcjODJpD29HuDW8mmsjv803MJTGJ
-wyd74Qlbcz34GBIWviUXUWfljuGL4M6gG3sXBYsKqBcGNvilpyhdwrmZGFHg6ic3
-iVuyX8ECgYEA/3bfbATAUF3z4KHnBDAWWYzl29AVcvmXuwK8mw2g6nR3GhLg6e+6
-hDZADrl+/F4vb5eQ1JyK+scI/WB8KhjdLLNv5ygPXVKIlc4QkgMwX6jEbHXbI4h4
-PB2zQ8298Pf6XkVPdKkZe4E4Psmxqqxxb736d/iJEs9RFAC8MtK33KkCgYEA4HPc
-iEJa1KQE5W/A/czC66884TTpJ5v/Ht7WXABt0+JOqxRrQt+zhrzxgjtEpGkfslnl
-JfAIBiQ+PgkXSDVczcjPJ8a1B73tYI8LBqEwt6UQ/ktMEOIYSVmr1yp3UJfmoN59
-3WE4AdAWvk/upOJC5gIcCUHgvmSgW5K9lbS7UNMCgYEAn0jgT/q6aqHaMSLh5zOQ
-i++VVrRs206S89DmBou93NIXfRNuV47ZLhyhXkz8x6B2VU8cx+R/p5O4oDurz5fH
-OFr9mBTbV6Xhcf6VSGVioRKavsHRjFtIFLu0Db/YAcqsumDfBO926xIMHuIlvDRf
-WnwLEwjNdwP7GszGi63lZFkCgYBLoV7HHyzCB/6KXQy3uH5ZsjOeYxjJOvxNJ6Mt
-Xwui4NfHN9sorn4swY/TZSstBysiCr52+RmLED1U4/VPZIO/55E+AuvPDwVkiu6Z
-LklfKCTAuxiHe9fZJ3kKyIlpw7V3sWDR7sdTfQ2c1QxBzOfj3wQZbnRPU1LhaGGv
-hzWy9wKBgQCD1VELtjlzZZ4A+9lOOPLM90OHggmfVtsk2dGKGTg/5e+VWeqX8z7g
-NXdSWKTG8S0wp/Yoc+o/cqwjes5BXXPry35wB9pFsGm415cGIOtM5oCwUJfsZ0H6
-0shHW67yAvWwqSxA5DjNnfBPGRSiDueSkGrF2ZxLbKhVAws/XccSUA==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 -----END RSA PRIVATE KEY-----
diff --git a/pkg/security/securitytest/test_certs/client.testuser2.crt b/pkg/security/securitytest/test_certs/client.testuser2.crt
index c35f0a72143c..d925e0ecfd3b 100644
--- a/pkg/security/securitytest/test_certs/client.testuser2.crt
+++ b/pkg/security/securitytest/test_certs/client.testuser2.crt
@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDJjCCAg6gAwIBAgIRAKFvTOA9+71Z6FxeIzdsUMgwDQYJKoZIhvcNAQELBQAw
+MIIDJjCCAg6gAwIBAgIRAP4mmXEPPNVv7a+f3Ihxj0MwDQYJKoZIhvcNAQELBQAw
 KzESMBAGA1UEChMJQ29ja3JvYWNoMRUwEwYDVQQDEwxDb2Nrcm9hY2ggQ0EwHhcN
-MjIwMTEwMTkwMTIwWhcNMjcwMTE1MTkwMTIwWjAoMRIwEAYDVQQKEwlDb2Nrcm9h
+MjIwNDEwMjAwNDM3WhcNMjcwNDE1MjAwNDM3WjAoMRIwEAYDVQQKEwlDb2Nrcm9h
 Y2gxEjAQBgNVBAMTCXRlc3R1c2VyMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBALiduQvG/etVIE4hrs6m9IR/+fdpVhcEmBetr0h4C9Du84bQn4q+zAhB
-j/hrUaN6HR01hFaNLU0RpJBdTi8A/AwFX8KT0BV6EYSRkAbrt5qvw9kmd+AdHogV
-YVSGH0amHUH9Z9VBy5/mmO9ONaor/rCvuXdq3YLXTrEyF4q8ChaE0LQZ4+knMX6Z
-0CnQXFAXRQE+jFpBhklqgwIpeaY1wQjI02WZtxTL15j1z1BFrDNlF16yPoNVUjOt
-1p8LM1418PvOE+KWWUAP1WmxOzGyCFv3VQiCxFfUeFANt4DqQnMufZURDnxTLydm
-VFvqJPTTPj0JHoxoWBPzCdZX8jkS0xkCAwEAAaNIMEYwDgYDVR0PAQH/BAQDAgWg
-MBMGA1UdJQQMMAoGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFIs5LmPgR+PGr0TVxJ6/
-zRIvXLXqMA0GCSqGSIb3DQEBCwUAA4IBAQC/2EZcZwiB0zxVaUh+ZssB9FZbipSZ
-kENeSLTNAG3POM/4FdvkWh+YsLJfu6rASmzde9lt5gDb/3Jo/i453X33n/SUNaLf
-ISBYM8H1BraGLD0IyySy69JWL760YyM3CxQurf+Gl/27FfWx2mj0q2LcTzV60NED
-gL+BMKvwCd83UeYhzcnDmZ52QIB5rwifqfDhEWpdoIkJAtki5bZiCSD4gc61TuPi
-Ov3x/o+PgdD1bceemv90MZv9Y3oE/X6Ft9bU34vWB08ZJqliY8zjBmwWfCK5Ke18
-NO9gDuBh6MgyOMylERufsrt5QEcwGODH9DQkNqxq1njL4bKiqFuHUDeR
+AQoCggEBAN4xdwMibmNy5HlNsxeQj5oW58eVTp8XrCiLqyeG0b5Kea//tu3QIFe+
+3cRyzuNgFmPPubI0l4BTn4/233X1JwGsMHZ64j8dkh5MndZWSNTrryYWlhrEYven
+NvEodutqldPJ2WFPLXexLd6KtRg8JgRyl5YklYtolWh2m/zM0ZN/G/4sqGa6UdoM
+l8LwLvO/H8R0mMLFm+/PyuZTnPa4jIVj/TZCWLyJMXkzIMtwfo8NMv2DjifPGuwc
+LkC02R6McOd8yVH+3AtC0SaFWz8I3rFG2QLMWEf4eTSRo4183kzo3s9RBxQAK153
+jSP4lnTsueD8Ryd5WWS7Mc9nQiaMguECAwEAAaNIMEYwDgYDVR0PAQH/BAQDAgWg
+MBMGA1UdJQQMMAoGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFEK0fDrlBvtbh8HRFAqF
+kkBzdY/MMA0GCSqGSIb3DQEBCwUAA4IBAQBejgrM66cuusRjCW9bZ/0mZ3fGI6SN
+VN/C9gvQlD+yyyICQ1zFlH09xeUkFgwHUnRIdI153WRYE/neoLzKMzASmTOX9na5
+/VxFbYJ0+xFlvFgSaQC20shEY4Nai3JDpzilwRzbnuCowng0Zf9NCFhAMqNQVFuw
+MluUuyWDXDcygBm/VrH1XrtbNTfrsn9gtFHAkVhuUWfkqgkVN90o49YBOtVaq4Uk
+xkdX+j8ixvOiTM5bbQ/UNcDUTgie/U3zDBF0ejvylW4h0HEkytEuoJHp2REloJiu
+wZsR2AM5nVX1ZR6nLWk9dr3jbGy6TRqwYiSZZV0lD6ZnnDD6Whbl7TZB
 -----END CERTIFICATE-----
diff --git a/pkg/security/securitytest/test_certs/client.testuser2.key b/pkg/security/securitytest/test_certs/client.testuser2.key
index 8483635b843f..2a0c2a5083c8 100644
--- a/pkg/security/securitytest/test_certs/client.testuser2.key
+++ b/pkg/security/securitytest/test_certs/client.testuser2.key
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAuJ25C8b961UgTiGuzqb0hH/592lWFwSYF62vSHgL0O7zhtCf
-ir7MCEGP+GtRo3odHTWEVo0tTRGkkF1OLwD8DAVfwpPQFXoRhJGQBuu3mq/D2SZ3
-4B0eiBVhVIYfRqYdQf1n1UHLn+aY7041qiv+sK+5d2rdgtdOsTIXirwKFoTQtBnj
-6ScxfpnQKdBcUBdFAT6MWkGGSWqDAil5pjXBCMjTZZm3FMvXmPXPUEWsM2UXXrI+
-g1VSM63WnwszXjXw+84T4pZZQA/VabE7MbIIW/dVCILEV9R4UA23gOpCcy59lREO
-fFMvJ2ZUW+ok9NM+PQkejGhYE/MJ1lfyORLTGQIDAQABAoIBAQCpl9phw0+HXA/t
-NmwLUrvU7GuIqK95PbMqLVeUTxMrwBbehc/J+TQdcXz8TDoW3xrXtk335ID1B3wR
-UmV8MH9Z26X4bSj+UcC986pHcUqdQ1G6ref5bUaa5Gkg6ITatcay1EMKWQLhxUhA
-rawGw5uYXBUYaodKpteXV9jgjZUG0TJsecpyP1igRLEiU9M5P+IP5QhrPGsM+QPz
-X+tQlin4utROuaW3avPxBuS/UaJ9hGQjgurpR9WBwAf428/rTxArSzmPHWkh+S5x
-WK3MfZn0YSq3RTIWeIb6spni0CDzOx4hsGUwk1zxEHptvmcr/o3DpqHsPb/tAown
-SCw7rvkxAoGBAMX6qC/qsLRHTQzERhTg46fNf01NI/m9Ua8+X/z2vLNJiM0YmCdS
-Tuuu1U9uRFNaWD/wmzczHW0PFxdslRMxootc6rCIgkFwuCl8MJaY3tkDDujoelBO
-SSCeXNcx3VxotpueoiQlh4oy2PPXcj88uJTCPbg4tT8sfxvc8yryF6ujAoGBAO64
-gfwyQ57YGIXuTdtoHNvy3LilcWjswgb1sQiu2rDIDqkaT7t3yEX+Ukbgdt7Ufx3q
-QitwdJZ4ZuBtuJwjZTQDS0HnDVbl+KzrpvwI0EzQsBfLIBKhDENsQQ7BAEMU+r4s
-L/zKHPCtQx5cUu7pJnnHCyAIwpMZ0o/Sj6SLu/ITAoGAbBGdSTq05lOdbYCeOLth
-ybFU8h9Pqf1730sPHoiZDMzxDfOE6sH1LpWq/sbUKSPB1HVEZOdUArogArtUzLtl
-XOmFeoOphos/G/Ycl7guvQr8UorEaZ2yMUoAp78idFT8iQoYu954lCmZX9GVHYvJ
-vfohsrPRzABACjebzS+FWD0CgYEArt37YclUHVyAgkMxRyJ52WiK5LtUWx7rdnut
-ZgXn7o1tp9O9Sj8RNqx4irDMgqg4QaqjM/zZeovSGF5nWADZloM/MpRVAi3NvqWU
-mZS/OTW5eIR0BxFv0UfQVEVusrUAhCQMNum6z1asDuZkXdvuMlBqxtmD5ouI4Y/F
-ZyxwzX8CgYEAjuuYnHXJWhRA8JPns8PZ4y6vfI3RUkj4sjBZAzxN3Zwn1FTnbKQf
-ODG2HuOCXbvLe/3vqyItnHTx0yeIc1CE9Fz6MjLUcmTVuwdcIY2VprTok0SMIsea
-oX240ucbS2rp3p1j/MZXXHQJtRzf1BzsylpdxShQzeb7M5g/XBlQqbU=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 -----END RSA PRIVATE KEY-----
diff --git a/pkg/security/securitytest/test_certs/client.testuser@tenant-10.crt b/pkg/security/securitytest/test_certs/client.testuser@tenant-10.crt
new file mode 100644
index 000000000000..1b2cd503fe21
--- /dev/null
+++ b/pkg/security/securitytest/test_certs/client.testuser@tenant-10.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/pkg/security/securitytest/test_certs/client.testuser@tenant-10.key b/pkg/security/securitytest/test_certs/client.testuser@tenant-10.key
new file mode 100644
index 000000000000..8daa4b0b2dfd
--- /dev/null
+++ b/pkg/security/securitytest/test_certs/client.testuser@tenant-10.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/pkg/security/securitytest/test_certs/client.testuser@tenant-11.crt b/pkg/security/securitytest/test_certs/client.testuser@tenant-11.crt
new file mode 100644
index 000000000000..52af62372364
--- /dev/null
+++ b/pkg/security/securitytest/test_certs/client.testuser@tenant-11.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/pkg/security/securitytest/test_certs/client.testuser@tenant-11.key b/pkg/security/securitytest/test_certs/client.testuser@tenant-11.key
new file mode 100644
index 000000000000..351ef28c86e9
--- /dev/null
+++ b/pkg/security/securitytest/test_certs/client.testuser@tenant-11.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/pkg/security/securitytest/test_certs/client.testuser@tenant-20.crt b/pkg/security/securitytest/test_certs/client.testuser@tenant-20.crt
new file mode 100644
index 000000000000..f1854373a9b7
--- /dev/null
+++ b/pkg/security/securitytest/test_certs/client.testuser@tenant-20.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/pkg/security/securitytest/test_certs/client.testuser@tenant-20.key b/pkg/security/securitytest/test_certs/client.testuser@tenant-20.key
new file mode 100644
index 000000000000..3d3d1f46d0ec
--- /dev/null
+++ b/pkg/security/securitytest/test_certs/client.testuser@tenant-20.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/pkg/security/securitytest/test_certs/node.crt b/pkg/security/securitytest/test_certs/node.crt
index 2c513d3a0930..b1714197b1f3 100644
--- a/pkg/security/securitytest/test_certs/node.crt
+++ b/pkg/security/securitytest/test_certs/node.crt
@@ -1,21 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDZDCCAkygAwIBAgIRAN83bo8ZydHRqc6pm2T0rIgwDQYJKoZIhvcNAQELBQAw
-KzESMBAGA1UEChMJQ29ja3JvYWNoMRUwEwYDVQQDEwxDb2Nrcm9hY2ggQ0EwHhcN
-MjIwMTEwMTkwMTE5WhcNMjcwMTE1MTkwMTE5WjAjMRIwEAYDVQQKEwlDb2Nrcm9h
-Y2gxDTALBgNVBAMTBG5vZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQC2ymvgVD1xJh7Gy8qNJrlVgM3TNezpnW5hbPa6NHEV0Asj4+hq2hEaDBsG1aUA
-MA6B355uzeonlcSLffUogKi4vMCjHS6s/Nv5Nwo/JowtS9Af4udrnQN30R6dDJpU
-NprHFv2BRCRnWmQWnq8ALsitB6svi4QJf9Q3qwCgoOTaZody57glus6ABZsmIsPg
-BaTqKyzkif8GVVfZrGBJKp1vnl5R493RV7vP8t6tIZd/PW2uw90LTaVdqhjBYggm
-jVy1pjklXOVX0XdQIdd588868Qd8TLzV8vvR26uPyKZ7rCQltCvf01N3fgo4aiz8
-4xZ9VAv82Oo0IEbFc+S1IENFAgMBAAGjgYowgYcwDgYDVR0PAQH/BAQDAgWgMB0G
-A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBSLOS5j4Efj
-xq9E1cSev80SL1y16jA1BgNVHREELjAsgglsb2NhbGhvc3SCByoubG9jYWyHBH8A
-AAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQELBQADggEBALuPAJKeSDhU
-Vt3w3EeSlKnxL34WHxX8mOZzGkZAaZyBFUvFAdglVStLS4U3tKmtOH6b9vk41pbo
-n8vW56aChzAoyJITEpeZriBXIPb48WIb2L039nHFW/dnXJrgV1EPk+7XdGvDBeqO
-VgHqrfnLZO6wP/yMWa48tAa6PRH+x62VvjEd/fm6ZxKiy62jnhNV874kPhT4H/jE
-vD790LHzzilpKp2Rjv18BbnwVu3wv93V5Ka9FXYwP7OMtMArRFQPKQBnAYyCxNAA
-G5V042U1CbTLKM+xbJ7AL7ZhF1Aqn4c0x2EX08D4pF4of+9ubpSvrbjSEseZjrBx
-txBzRZsA8rQ=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 -----END CERTIFICATE-----
diff --git a/pkg/security/securitytest/test_certs/node.key b/pkg/security/securitytest/test_certs/node.key
index c1a9595c7c52..79102e2b2478 100644
--- a/pkg/security/securitytest/test_certs/node.key
+++ b/pkg/security/securitytest/test_certs/node.key
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAtspr4FQ9cSYexsvKjSa5VYDN0zXs6Z1uYWz2ujRxFdALI+Po
-atoRGgwbBtWlADAOgd+ebs3qJ5XEi331KICouLzAox0urPzb+TcKPyaMLUvQH+Ln
-a50Dd9EenQyaVDaaxxb9gUQkZ1pkFp6vAC7IrQerL4uECX/UN6sAoKDk2maHcue4
-JbrOgAWbJiLD4AWk6iss5In/BlVX2axgSSqdb55eUePd0Ve7z/LerSGXfz1trsPd
-C02lXaoYwWIIJo1ctaY5JVzlV9F3UCHXefPPOvEHfEy81fL70durj8ime6wkJbQr
-39NTd34KOGos/OMWfVQL/NjqNCBGxXPktSBDRQIDAQABAoIBADd9VahBCnHp55fj
-z7Zv1f1d353JlgUJVLPgtzmpp9a+VFNt4WVmk6B7oky92Jwo+o50iw0KF5Yywfqy
-nxTPkeia7EPYHQ5IqKKMEeE/23f4ttKnOCeT/7SE2C1G4SbFeNENaqGuRPrXFuFD
-BM8iZKsaU95YFRopIwxPLh6VGUQvLha1/kP53aV8cKOiVCDN1L6KaVNn9vUW6Caf
-mg5+fMW4u+CGEYWeI738EEkqjMaYsSCR08HLC3k0LW+kMidpvsPKOm5ZMEAMztX1
-yc8GAaFBq6nz5+BtNOG0Hocg4rXFy6+Tnil/NEaDnkpVPAMRpO5trGVTrNPL057k
-WKSoZtUCgYEA6lwuyDui2Vrvk54UoK2nI0DwLeMNYl3ETNxfJYT/kW2n1uzT9sJ1
-5KjzTsSIuKdZYq+aqSi2qESUPcv/1GE/BrdQqh0AlKegAdY6lp9ej2LgGytkmFxI
-3GPoS/ABpp8OHlH3q+fMmAgl0z4qWTwHWUvGpV8eQDdBzWUdUIgrM2sCgYEAx6s9
-GaGlxpkwWtXGkjqrVOPaYBgG6GIhnqNIkBBmwwUsYoALzBd+tERM2qPwIEkrtLdm
-MNCNUlru4lV/AKCSB6LVR3tMaoKnd/0EA+pftkK/REH8aTw1QXPUxYGY/LawqXWA
-2WjlUWw7ZNna3SfXgW+KWn6xE2E9jBBKIQYYwA8CgYAf6YWFRnmaV0OgOjpc1siX
-iFQsK2q7JkGApdFe7olOaDwejAkg5MHg7RCUfTaQzljhkz/gIOceapg1Af5IESXf
-6D5Xq7NUiq7DEUTRFcpug+w4RuRfytExEXmkPX48DhSCFG9BPUMiwJlF9oUVuZLW
-mfbmtdkMrXmMWmRvfttDGQKBgGVfGfk+aYTn13X2nQc2xC+oMwGgkTlAQSNicP+7
-ZADVSpCDw/mNYCWzm3VR0CMEIy1wA3D7IRTT1/6PO5ic7Sb1U+Ujw0s8JDw19+jp
-AEjvoF3ORpFDISKm5TqVLo/3TL/sSUuYBv0MvybXuFeZ177+WzbQpaRaNT48MvaL
-OtufAoGAe7nk37VP/HZ/xqMYUYqdQ6Udn28WK6uVZQ1wG6pF4rUXjJ7qzQTzvYps
-cLK50EQH/g1W59BU72dwHgOkC9pLzTr3n2bmL15zcW0LjZ6hob2b/f7yPYz1Euf2
-HMp85FpxKx5Jhs+mwxb0XGAkQj9iUc4GCInB7AkColQBaY921V0=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 -----END RSA PRIVATE KEY-----
diff --git a/pkg/security/securitytest/test_certs/regenerate.sh b/pkg/security/securitytest/test_certs/regenerate.sh
index 06936c49b49e..4377b44a618d 100755
--- a/pkg/security/securitytest/test_certs/regenerate.sh
+++ b/pkg/security/securitytest/test_certs/regenerate.sh
@@ -14,6 +14,7 @@ rm -f "${dir_n}"/*.{crt,key}
 for id in 10 11 20; do
 ./cockroach mt cert --certs-dir="${dir_n}" --ca-key="${dir_n}/ca-client-tenant.key" create-tenant-client "${id}" 127.0.0.1 ::1 localhost *.local
 ./cockroach mt cert --certs-dir="${dir_n}" create-tenant-signing "${id}"
+./cockroach cert --certs-dir="${dir_n}" --ca-key="${dir_n}/ca.key" --tenant-scope "${id}" create-client testuser
 done
 
 make generate PKG=./pkg/security/securitytest
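Review bot: The added `create-client testuser` line inside the loop has no comment saying what it produces, or why it is signed with `ca.key` while the `create-tenant-client` line above it uses `ca-client-tenant.key`. Judging by the fixtures added in this commit, it writes `client.testuser@tenant-<id>.crt` and `.key`, but nothing in the script says so. A comment above the line would make that explicit for whoever next regenerates these test certificates, for example `# Tenant-scoped SQL client cert for testuser, signed with ca.key; writes client.testuser@tenant-${id}.{crt,key}.` The script begins above this hunk, so any existing header comment is not visible here.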
diff --git a/pkg/security/securitytest/test_certs/tenant-signing.10.crt b/pkg/security/securitytest/test_certs/tenant-signing.10.crt
index 58fa08c455a0..a2c4e821f312 100644
--- a/pkg/security/securitytest/test_certs/tenant-signing.10.crt
+++ b/pkg/security/securitytest/test_certs/tenant-signing.10.crt
@@ -1,9 +1,9 @@
 -----BEGIN CERTIFICATE-----
-MIIBJjCB2aADAgECAhEAwYXboWr0rlxwzYhqt/W0FDAFBgMrZXAwKzESMBAGA1UE
-ChMJQ29ja3JvYWNoMRUwEwYDVQQDEwxDb2Nrcm9hY2ggQ0EwHhcNMjIwMTEwMTkw
-MTIxWhcNMjcwMTE1MTkwMTIxWjArMRIwEAYDVQQKEwlDb2Nrcm9hY2gxFTATBgNV
-BAMTDENvY2tyb2FjaCBDQTAqMAUGAytlcAMhAF0oSVEnZtHsrEsPTaVLsqP+N1s7
-QJFlo+i8Yk0ewtTSoxIwEDAOBgNVHQ8BAf8EBAMCBaAwBQYDK2VwA0EAoUoP7SQF
-OXPyWEsDcxXxIG7MRDhVV90R7AYUTjOv7OB7foyTtxCXfTZCi9PLL5JQ92qKCgz/
-MB/5DKB+KudkDA==
+MIIBKjCB3aADAgECAgEBMAUGAytlcDAuMSwwKgYDVQQDEyNUZW5hbnQgMTAgVG9r
+ZW4gU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0yMjA0MTAyMDA0MzhaFw0yNzA0MTUy
+MDA0MzhaMC4xLDAqBgNVBAMTI1RlbmFudCAxMCBUb2tlbiBTaWduaW5nIENlcnRp
+ZmljYXRlMCowBQYDK2VwAyEA8YctiQALuxqPOg4PwRE5j2IrCmmGWjNpu68xpzhm
+4/yjIDAeMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMAUGAytlcANBALyh
+VZSA3sPxDoUeYvhA9q6LVUXvwY/s6tKorT1nJ51RoK77NvyJwJSkeXeqxq0qKQPl
+t72c5TK9HjklhLLWcAw=
 -----END CERTIFICATE-----
diff --git a/pkg/security/securitytest/test_certs/tenant-signing.10.key b/pkg/security/securitytest/test_certs/tenant-signing.10.key
index 6b3d066ac488..f32ea2026044 100644
--- a/pkg/security/securitytest/test_certs/tenant-signing.10.key
+++ b/pkg/security/securitytest/test_certs/tenant-signing.10.key
@@ -1,3 +1,3 @@
 -----BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VwBCIEIFAgC7O1AQOgd49BJJGHO3PezuEGV5OeG7DnoLiaPE5L
+MC4CAQAwBQYDK2VwBCIEIFkIdOrjPpLcIOtoQkAtdPdSw8mFS8QSQAJ/QQQoBgxY
 -----END PRIVATE KEY-----
diff --git a/pkg/security/securitytest/test_certs/tenant-signing.11.crt b/pkg/security/securitytest/test_certs/tenant-signing.11.crt
index cd3be4714e4a..68d6c0f59bb3 100644
--- a/pkg/security/securitytest/test_certs/tenant-signing.11.crt
+++ b/pkg/security/securitytest/test_certs/tenant-signing.11.crt
@@ -1,9 +1,9 @@
 -----BEGIN CERTIFICATE-----
-MIIBJTCB2KADAgECAhBqyjNPz4jSnANHz/6OIzgaMAUGAytlcDArMRIwEAYDVQQK
-EwlDb2Nrcm9hY2gxFTATBgNVBAMTDENvY2tyb2FjaCBDQTAeFw0yMjAxMTAxOTAx
-MjFaFw0yNzAxMTUxOTAxMjFaMCsxEjAQBgNVBAoTCUNvY2tyb2FjaDEVMBMGA1UE
-AxMMQ29ja3JvYWNoIENBMCowBQYDK2VwAyEA6LLJUILUOGqH/GBtYwC/5SeDYwbw
-xjrJUeaZA2l9Ia+jEjAQMA4GA1UdDwEB/wQEAwIFoDAFBgMrZXADQQDNiES6JpRA
-R5S6h/6Pz/MOT4uS7eZ91JY/YJoaaw2t4+QvBXqm+y57t3DBf2EGUK3SHmdFgHPi
-etrC0zm+bSgM
+MIIBKjCB3aADAgECAgEBMAUGAytlcDAuMSwwKgYDVQQDEyNUZW5hbnQgMTEgVG9r
+ZW4gU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0yMjA0MTAyMDA0MzhaFw0yNzA0MTUy
+MDA0MzhaMC4xLDAqBgNVBAMTI1RlbmFudCAxMSBUb2tlbiBTaWduaW5nIENlcnRp
+ZmljYXRlMCowBQYDK2VwAyEAfW4dxH9rfcK4SERSpPb7NrHkowYa7ETmqYFTCQcr
+VVOjIDAeMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMAUGAytlcANBABU8
+q3orNXzlE9LvHxr9Zr+KV9/yWIw9PeuyKw7uXbyPV4eeCTylOxsEPAfWRLGLgQ/e
+CCRQmueLDnsGxrVEGA0=
 -----END CERTIFICATE-----
diff --git a/pkg/security/securitytest/test_certs/tenant-signing.11.key b/pkg/security/securitytest/test_certs/tenant-signing.11.key
index a11bf6881898..d27dc47d0921 100644
--- a/pkg/security/securitytest/test_certs/tenant-signing.11.key
+++ b/pkg/security/securitytest/test_certs/tenant-signing.11.key
@@ -1,3 +1,3 @@
 -----BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VwBCIEILAan5LFiNxCE40Ac7oGWUS1nQuBcYHY28bJu0booQI0
+MC4CAQAwBQYDK2VwBCIEIAni2hU0+rqRi0zFCblwsJH7Pwjv4Ldhukbo6NP1HhBz
 -----END PRIVATE KEY-----
diff --git a/pkg/security/securitytest/test_certs/tenant-signing.20.crt b/pkg/security/securitytest/test_certs/tenant-signing.20.crt
index c4c88f3e056b..9a5d4953fdc9 100644
--- a/pkg/security/securitytest/test_certs/tenant-signing.20.crt
+++ b/pkg/security/securitytest/test_certs/tenant-signing.20.crt
@@ -1,9 +1,9 @@
 -----BEGIN CERTIFICATE-----
-MIIBJjCB2aADAgECAhEAuH7vVx4nwdKhJsaZRGuirDAFBgMrZXAwKzESMBAGA1UE
-ChMJQ29ja3JvYWNoMRUwEwYDVQQDEwxDb2Nrcm9hY2ggQ0EwHhcNMjIwMTEwMTkw
-MTIxWhcNMjcwMTE1MTkwMTIxWjArMRIwEAYDVQQKEwlDb2Nrcm9hY2gxFTATBgNV
-BAMTDENvY2tyb2FjaCBDQTAqMAUGAytlcAMhABI/EmtjPSxifwP8zHg09u59Ai2v
-pMbQ1R0Tf4mwZMw1oxIwEDAOBgNVHQ8BAf8EBAMCBaAwBQYDK2VwA0EAhGkpAAeX
-R92VWUazcfN+Dq9IX8PJ8fxgb3KU+JuK652uog1rwM4/NK7RfMtlIH3dQ8/GMBpR
-SUCl7JGgrI+LDQ==
+MIIBKjCB3aADAgECAgEBMAUGAytlcDAuMSwwKgYDVQQDEyNUZW5hbnQgMjAgVG9r
+ZW4gU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0yMjA0MTAyMDA0MzlaFw0yNzA0MTUy
+MDA0MzlaMC4xLDAqBgNVBAMTI1RlbmFudCAyMCBUb2tlbiBTaWduaW5nIENlcnRp
+ZmljYXRlMCowBQYDK2VwAyEAsVrI/TDf0D/Fe+h1k4NRqPde3Qwec2/VBYsIMHlO
++9yjIDAeMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMAUGAytlcANBAHRW
+77cSMghfk3qBppHDECqjCF/GIqL/9mHLvzaZWcahjXm1G9ep2oJsdBHwfEoqi/1C
+AgfvdKXUZCSECBzyZw8=
 -----END CERTIFICATE-----
diff --git a/pkg/security/securitytest/test_certs/tenant-signing.20.key b/pkg/security/securitytest/test_certs/tenant-signing.20.key
index 767343a82f92..98b3fd7c1f7a 100644
--- a/pkg/security/securitytest/test_certs/tenant-signing.20.key
+++ b/pkg/security/securitytest/test_certs/tenant-signing.20.key
@@ -1,3 +1,3 @@
 -----BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VwBCIEIHPb1nVztKWqTGLk22FoU23W8e9q469cYQd/CPZuKaWS
+MC4CAQAwBQYDK2VwBCIEICaAPXx2U72309PpKIQySgdF71B9g/Aocm8S5GC7BD+b
 -----END PRIVATE KEY-----
diff --git a/pkg/security/x509.go b/pkg/security/x509.go
index b530298d6f65..7d0fa67119e6 100644
--- a/pkg/security/x509.go
+++ b/pkg/security/x509.go
@@ -18,6 +18,7 @@ import (
 	"fmt"
 	"math/big"
 	"net"
+	"net/url"
 	"time"
 
 	"github.com/cockroachdb/cockroach/pkg/util/timeutil"
@@ -247,6 +248,7 @@ func GenerateClientCert(
 	clientPublicKey crypto.PublicKey,
 	lifetime time.Duration,
 	user SQLUsername,
+	tenantID string,
 ) ([]byte, error) {
 
 	// TODO(marc): should we add extra checks?
@@ -268,7 +270,14 @@ func GenerateClientCert(
 	// Set client-specific fields.
 	// Client authentication only.
 	template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
-
+	if tenantID != "" {
+		var url *url.URL
+		url, err := makeTenantURISAN(tenantID)
+		if err != nil {
+			return nil, err
+		}
+		template.URIs = append(template.URIs, url)
+	}
 	certBytes, err := x509.CreateCertificate(rand.Reader, template, caCert, clientPublicKey, caPrivateKey)
 	if err != nil {
 		return nil, err
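Review bot: The local `url` declared in the new `if tenantID != ""` block shadows the imported `net/url` package, and the `var url *url.URL` line is redundant because the `:=` on the next line would declare it anyway. Renaming it keeps the package name usable inside the block and drops a line: `tenantURI, err := makeTenantURISAN(tenantID)` followed by `template.URIs = append(template.URIs, tenantURI)`. The blank line that separated the template setup from `x509.CreateCertificate` was removed in the same edit and is worth keeping. GenerateClientCert starts and ends outside this hunk.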
@@ -308,3 +317,7 @@ func GenerateTenantSigningCert(
 
 	return certBytes, nil
 }
+
+func makeTenantURISAN(tenantID string) (*url.URL, error) {
+	return url.Parse(fmt.Sprintf("crdb://tenant/%s", tenantID))
+}
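Review bot: `makeTenantURISAN` formats `tenantID` straight into the URI, so a value containing `/`, `?` or `#` would produce a SAN whose path, query or fragment differs from the scope the operator intended. The value appears to come from the `certCtx.tenantScope` CLI setting. Because this SAN is what ties a client certificate to a tenant, the helper should reject anything that is not a well-formed tenant ID before building the URI. If tenant IDs are always decimal integers (the fixture names suggest so, but confirm), `if _, err := strconv.ParseUint(tenantID, 10, 64); err != nil { return nil, err }` would do, with `strconv` added to the imports. A doc comment stating the `crdb://tenant/<id>` format would also help, since the verifying side has to parse the same shape.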
diff --git a/pkg/security/x509_test.go b/pkg/security/x509_test.go
index a03a2abefc02..580c3d9fa16b 100644
--- a/pkg/security/x509_test.go
+++ b/pkg/security/x509_test.go
@@ -86,14 +86,14 @@ func TestGenerateCertLifetime(t *testing.T) {
 
 	// Create a Client certificate expiring in 4 days. Should get reduced to the CA lifetime.
 	clientDuration := time.Hour * 96
-	_, err = security.GenerateClientCert(caCert, testKey, testKey.Public(), clientDuration, security.TestUserName())
+	_, err = security.GenerateClientCert(caCert, testKey, testKey.Public(), clientDuration, security.TestUserName(), "" /* tenantID */)
 	if !testutils.IsError(err, "CA lifetime is .*, shorter than the requested .*") {
 		t.Fatal(err)
 	}
 
 	// Try again, but expiring before the CA cert.
 	clientDuration = time.Hour * 24
-	clientBytes, err := security.GenerateClientCert(caCert, testKey, testKey.Public(), clientDuration, security.TestUserName())
+	clientBytes, err := security.GenerateClientCert(caCert, testKey, testKey.Public(), clientDuration, security.TestUserName(), "" /* tenantID */)
 	if err != nil {
 		t.Fatal(err)
 	}
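Review bot: Both updated calls pass `""` for `tenantID`, so nothing in this hunk exercises the new URI SAN branch of `GenerateClientCert`. A case that generates a certificate with a non-empty tenant ID, parses the result and asserts that `URIs` holds exactly one `crdb://tenant/<id>` entry would pin the format that authentication relies on. A companion assertion that an empty ID leaves `URIs` empty would guard against accidentally scoping every client certificate. TestGenerateCertLifetime continues outside the hunk, so these checks may belong in a separate test function.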
diff --git a/pkg/sql/pgwire/auth_methods.go b/pkg/sql/pgwire/auth_methods.go
index 7d5efdd0ddad..b5ddc2d4998c 100644
--- a/pkg/sql/pgwire/auth_methods.go
+++ b/pkg/sql/pgwire/auth_methods.go
@@ -408,7 +408,7 @@ func authCert(
 	_ context.Context,
 	_ AuthConn,
 	tlsState tls.ConnectionState,
-	_ *sql.ExecutorConfig,
+	execCfg *sql.ExecutorConfig,
 	hbaEntry *hba.Entry,
 	identMap *identmap.Conf,
 ) (*AuthBehaviors, error) {
@@ -427,7 +427,7 @@ func authCert(
 		tlsState.PeerCertificates[0].Subject.CommonName = tree.Name(
 			tlsState.PeerCertificates[0].Subject.CommonName,
 		).Normalize()
-		hook, err := security.UserAuthCertHook(false /*insecure*/, &tlsState)
+		hook, err := security.UserAuthCertHook(false /*insecure*/, &tlsState, execCfg.RPCContext.TenantID)
 		if err != nil {
 			return err
 		}
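Review bot: `execCfg.RPCContext.TenantID` dereferences a parameter that `authCert` ignored before this change (it was `_` in the signature hunk above), so a caller that passes a nil `*sql.ExecutorConfig` would now panic during certificate authentication. The same holds for a config whose `RPCContext` is unset, if that field is a pointer. Whether either can be nil is not visible from these hunks. If it can, add a guard before the call that returns an authentication error, `if execCfg == nil || execCfg.RPCContext == nil { ... }`, using the error constructor this file already uses. The enclosing closure and `authCert` itself continue outside the hunk.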