diff --git a/Makefile b/Makefile
index b2adc4a38..45815c12a 100644
--- a/Makefile
+++ b/Makefile
@@ -139,6 +139,9 @@ container-tests: ldap-tests
 ldap-tests:
 	@scripts/run_ldap_tests
 
+fvt-tests:
+	@scripts/run_fvt_tests
+
 %-docker-clean:
 	$(eval TARGET = ${patsubst %-docker-clean,%,${@}})
 	-docker images -q $(DOCKER_ORG)/$(TARGET):latest | xargs -I '{}' docker rmi -f '{}'
diff --git a/scripts/fvt/README.md b/scripts/fvt/README.md
new file mode 100644
index 000000000..e083d6d5d
--- /dev/null
+++ b/scripts/fvt/README.md
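Review bot: `fvt-tests` is a command, not a file it produces, so it should be added to the Makefile's `.PHONY` list (declared outside this hunk, if the file has one) next to `ldap-tests`; without that, a file or directory named `fvt-tests` at the top level makes `make fvt-tests` report it as up to date and skip the script. If there is no shared list, `.PHONY: fvt-tests` directly above the rule does the job. The recipe also silences the command with `@`, so when `scripts/run_fvt_tests` fails the only trace in CI output is the script's own logging; that is presumably acceptable since the runner prints each test case name, but worth confirming.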
@@ -0,0 +1,47 @@
+# Fabric CA FVT tests for Continuous Integration
+
+The tests that will run are in ``$GOPATH/src/github.com/hyperledger/fabric-ca/scripts/fvt``
+
+Once the prerequites have been satisfied (see below), run
+
+``make fvt-tests``
+
+from the ``$GOPATH/src/github.com/hyperledger/fabric-ca/`` directory.
+Depending on the security settings and options requested, root authority may be required. Precede the
+
+``su -c 'make fvt-tests'``
+
+This is also true of the ``fabric-ca_setup.sh`` documented below.
+
+Tests have been verified to run on Ubuntu linux.
+
+### Prerequisites
+* Go 1.6+ installation or later
+* GOPATH environment variable is set correctly
+* ``fabric-ca`` executable is in ``$GOPATH/src/github.com/hyperledger/fabric-ca/bin/``
+* haproxy for high availability testing
+* python 2.7
+* jq for JSON processing
+
+Optionally, to run the tests using external database support (postgres, mysql), install the appropriate packages (mysql-server, mysql-server-core, mysql-common, postgresql)
+
+All of the above prerequisites can met by running the setup script ``fabric-ca_setup.sh`` in ``$GOPATH/src/github.com/hyperledger/fabric-ca/scripts/``:
+```
+ fabric-ca_setup.sh -I # install prerequsites
+ fabric-ca_setup.sh -B # build the CA executable
+```
+
+For example, to initialze the fabric-ca server, run haproxy, and four instances of the server using postgres:
+```
+ fabric-ca_setup.sh -X -S -I -d postgres -n4
+```
+
+To list all running instances of the server and the active database from the above command:
+```
+ fabric-ca_setup.sh -L -d postgress
+```
+
+To stop haproxy and all running instances of the server:
+```
+ fabric-ca_setup.sh -R
+```
\ No newline at end of file
diff --git a/scripts/fvt/auth_test.sh b/scripts/fvt/auth_test.sh
new file mode 100755
index 000000000..30608bbd9
--- /dev/null
+++ b/scripts/fvt/auth_test.sh
@@ -0,0 +1,93 @@ +#!/bin/bash +FABRIC_CA="$GOPATH/src/github.com/hyperledger/fabric-ca" +SCRIPTDIR="$FABRIC_CA/scripts/fvt" +. $SCRIPTDIR/fabric-ca_utils +RC=0 +HOST="localhost:10888" +SERVERCONFIG="/tmp/config.json.$RANDOM" + +# default value +cat > "$SERVERCONFIG" < "$SERVERCONFIG" </dev/null| + awk -v kt=$koid -v kl=$klen -v rc=0 ' + $1~/Private-Key/ {gsub(/\(/,"");l=$2} + $0~/ASN1 OID/ {k=$3} + END { + if (kt!=k) { print "Wrong keytype...FAILED"; rc+=1 } + if (kl!=l) { print "Wrong keylength...FAILED"; rc+=1 } + exit rc + }' + return $? +} + + +echo "------> Testing EC varitions" +ktype=ecdsa +for len in ${ecl[*]}; do + echo "------> Testing keylenth $len" + $SCRIPTDIR/fabric-ca_setup.sh -R + $SCRIPTDIR/fabric-ca_setup.sh -I -X -S -n 1 -t $ktype -l $len + # verify CA key type and length + VerifyKey $CA_KEY $ktype $len ${ecOid[$len]} || let RC+=1 + $SCRIPTDIR/enroll.sh -t $ktype -l $len + # verify EE key type and length + VerifyKey $EE_KEY $ktype $len ${ecOid[$len]} || let RC+=1 +done +ktype=rsa +echo "" +echo "**********************************************" +echo "" +echo "------> Testing RSA varitions" +for len in ${rsal[*]}; do + echo "------> Testing keylenth $len" + $SCRIPTDIR/fabric-ca_setup.sh -R + $SCRIPTDIR/fabric-ca_setup.sh -I -X -S -n 1 -t $ktype -l $len + # verify CA key type and length + VerifyKey $CA_KEY $ktype $len "" || let RC+=1 + $SCRIPTDIR/enroll.sh -t $ktype -l $len + # verify EE key type and length + VerifyKey $EE_KEY $ktype $len "" || let RC+=1 + echo "" + echo "" +done + +echo "" +echo "**********************************************" +echo "" + +$SCRIPTDIR/fabric-ca_setup.sh -R +CleanUp $RC +exit $RC diff --git a/scripts/fvt/reenroll_test.sh b/scripts/fvt/reenroll_test.sh new file mode 100755 index 000000000..c48e31ff4 --- /dev/null +++ b/scripts/fvt/reenroll_test.sh 
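Review bot: `SERVERCONFIG="/tmp/config.json.$RANDOM"` names a file in a world-writable directory with a 15-bit random suffix and then writes to it with `cat >`, so a pre-existing file or symlink at that name (left by an earlier run, or placed by another local user) is silently followed and overwritten; `SERVERCONFIG="$(mktemp /tmp/config.json.XXXXXX)" || exit 1` creates the file atomically under a unique name. The heredoc that fills `$SERVERCONFIG` and the opening of `VerifyKey` appear to have been lost in this rendering (the text jumps from `cat > "$SERVERCONFIG" <` straight to the `awk` pipeline), so the server configuration written there could not be reviewed here. Whether `$SERVERCONFIG` is removed at the end depends on `CleanUp` in `fabric-ca_utils`, which is not part of this change; if it is not, `trap 'rm -f "$SERVERCONFIG"' EXIT` right after creating it keeps one config per key-length iteration from accumulating in /tmp.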
@@ -0,0 +1,118 @@
+#!/bin/bash
+FABRIC_CA="$GOPATH/src/github.com/hyperledger/fabric-ca"
+SCRIPTDIR="$FABRIC_CA/scripts/fvt"
+TESTDATA="$FABRIC_CA/testdata"
+KEYSTORE="/tmp/keyStore"
+RC=0
+
+. $SCRIPTDIR/fabric-ca_utils
+
+function enrollUser() {
+ local USERNAME=$1
+ mkdir -p $KEYSTORE/$USERNAME
+ export FABRIC_CA_HOME=$KEYSTORE/admin
+ OUT=$($SCRIPTDIR/register.sh -u $USERNAME -t $USERTYPE -g $USERGRP -x $FABRIC_CA_HOME)
+ echo "$OUT"
+ PASSWD="$(echo "$OUT" | head -n1 | awk '{print $NF}')"
+ export FABRIC_CA_HOME=$KEYSTORE/$USERNAME
+ test -d $FABRIC_CA_HOME || mkdir -p $FABRIC_CA_HOME
+ $SCRIPTDIR/enroll.sh -u $USERNAME -p $PASSWD -x $FABRIC_CA_HOME
+}
+
+while getopts "du:t:k:l:" option; do
+ case "$option" in
+ d) FABRIC_CA_DEBUG="true" ;;
+ u) USERNAME="$OPTARG" ;;
+ t) USERTYPE="$OPTARG" ;;
+ g) USERGRP="$OPTARG" ;;
+ k) KEYTYPE="$OPTARG" ;;
+ l) KEYLEN="$OPTARG" ;;
+ esac
+done
+
+: ${FABRIC_CA_DEBUG="false"}
+: ${USERNAME="newclient"}
+: ${USERTYPE="client"}
+: ${USERGRP="bank_a"}
+: ${KEYTYPE="ecdsa"}
+: ${KEYLEN="256"}
+: ${HOST="localhost:10888"}
+
+HTTP_PORT="3755"
+
+cd $TESTDATA
+python -m SimpleHTTPServer $HTTP_PORT &
+HTTP_PID=$!
+pollServer python localhost "$HTTP_PORT" || ErrorExit "Failed to start HTTP server"
+echo $HTTP_PID
+trap "kill $HTTP_PID; CleanUp" INT
+
+export FABRIC_CA_DEBUG
+mkdir -p $KEYSTORE/admin
+export FABRIC_CA_HOME=$KEYSTORE/admin
+test -d $FABRIC_CA_HOME || mkdir -p $FABRIC_CA_HOME
+
+#for driver in sqlite3 postgres mysql; do
+for driver in sqlite3 ; do
+ echo ""
+ echo ""
+ echo ""
+ echo "------> BEGIN TESTING $driver <----------"
+ $SCRIPTDIR/fabric-ca_setup.sh -R -x $KEYSTORE
+ $SCRIPTDIR/fabric-ca_setup.sh -I -S -X -n4 -d $driver
+ if test $? -ne 0; then
+ echo "Failed to setup server"
+ RC=$((RC+1))
+ continue
+ fi
+
+ FABRIC_CA_HOME=$KEYSTORE/admin
+ $SCRIPTDIR/enroll.sh -u admin -p adminpw -x $FABRIC_CA_HOME
+ if test $? -ne 0; then
+ echo "Failed to enroll admin"
+ RC=$((RC+1))
+ continue
+ fi
+
+ for i in {1..4}; do
+ enrollUser user${i}
+ if test $? -ne 0; then
+ echo "Failed to enroll user${i}"
+ else
+ FABRIC_CA_HOME=$KEYSTORE/user${i}
+ test -d $FABRIC_CA_HOME || mkdir -p $FABRIC_CA_HOME
+ $SCRIPTDIR/reenroll.sh -x $FABRIC_CA_HOME
+ if test $? -ne 0; then
+ echo "Failed to reenroll user${i}"
+ RC=$((RC+1))
+ fi
+ fi
+ sleep 1
+ done
+
+ $SCRIPTDIR/reenroll.sh -x /tmp/keyStore/admin
+ $SCRIPTDIR/reenroll.sh -x /tmp/keyStore/admin
+ $SCRIPTDIR/reenroll.sh -x /tmp/keyStore/admin
+
+ for s in {1..4}; do
+ curl -s http://${HOST}/ | awk -v s="server${s}" '$0~s'|html2text|grep HTTP
+ verifyServerTraffic $HOST server${s} 4
+ if test $? -ne 0; then
+ echo "Distributed traffic to server FAILED"
+ RC=$((RC+1))
+ fi
+ sleep 1
+ done
+ echo "------> END TESTING $driver <----------"
+ echo "***************************************"
+ echo ""
+ echo ""
+ echo ""
+ echo ""
+
+ $SCRIPTDIR/fabric-ca_setup.sh -R -x $KEYSTORE
+done
+kill $HTTP_PID
+wait $HTTP_PID
+CleanUp $RC
+exit $RC
diff --git a/scripts/fvt/reregister_test.sh b/scripts/fvt/reregister_test.sh
new file mode 100755
index 000000000..8c9773f11
--- /dev/null
+++ b/scripts/fvt/reregister_test.sh
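Review bot: The option string `getopts "du:t:k:l:"` does not declare `g`, yet the `case` below handles `g) USERGRP="$OPTARG"`, so `-g` is rejected by getopts as an illegal option and `USERGRP` always falls back to the `bank_a` default; change it to `while getopts "du:t:g:k:l:" option; do`. reregister_test.sh carries the identical option string and case and needs the same fix. `KEYTYPE` and `KEYLEN` are parsed and defaulted but not referenced anywhere visible in this script, so either they are dead or the `fabric-ca_setup.sh -I -S -X -n4 -d $driver` call was meant to pass `-t $KEYTYPE -l $KEYLEN`. Separately, `trap "kill $HTTP_PID; CleanUp" INT` only covers SIGINT: if `ErrorExit` (from fabric-ca_utils, not shown) terminates the script, the backgrounded `SimpleHTTPServer` serving `$TESTDATA` on port 3755 is left running, and the same trap line appears in reregister_test.sh and roundrobin_test.sh — `trap 'kill $HTTP_PID 2>/dev/null' EXIT` alongside the INT trap stops it on every exit path.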
@@ -0,0 +1,94 @@
+#!/bin/bash
+FABRIC_CA="$GOPATH/src/github.com/hyperledger/fabric-ca"
+SCRIPTDIR="$FABRIC_CA/scripts/fvt"
+TESTDATA="$FABRIC_CA/testdata"
+KEYSTORE="/tmp/keyStore"
+HOST="localhost:10888"
+HTTP_PORT="3755"
+RC=0
+
+. $SCRIPTDIR/fabric-ca_utils
+
+function enrollUser() {
+ local USERNAME=$1
+ mkdir -p $KEYSTORE/$USERNAME
+ export FABRIC_CA_HOME=$KEYSTORE/admin
+ OUT=$($SCRIPTDIR/register.sh -u $USERNAME -t $USERTYPE -g $USERGRP -x $FABRIC_CA_HOME)
+ echo "$OUT"
+ PASSWD="$(echo $OUT | tail -n1 | awk '{print $NF}')"
+ export FABRIC_CA_HOME=$KEYSTORE/$USERNAME
+ $SCRIPTDIR/enroll.sh -u $USERNAME -p $PASSWD -x $FABRIC_CA_HOME
+}
+
+while getopts "du:t:k:l:" option; do
+ case "$option" in
+ d) FABRIC_CA_DEBUG="true" ;;
+ u) USERNAME="$OPTARG" ;;
+ t) USERTYPE="$OPTARG" ;;
+ g) USERGRP="$OPTARG" ;;
+ k) KEYTYPE="$OPTARG" ;;
+ l) KEYLEN="$OPTARG" ;;
+ esac
+done
+
+: ${FABRIC_CA_DEBUG="false"}
+: ${USERNAME="newclient"}
+: ${USERTYPE="client"}
+: ${USERGRP="bank_a"}
+: ${KEYTYPE="ecdsa"}
+: ${KEYLEN="256"}
+: ${HOST="localhost:10888"}
+
+
+cd $TESTDATA
+python -m SimpleHTTPServer $HTTP_PORT &
+HTTP_PID=$!
+pollServer python localhost "$HTTP_PORT" || ErrorExit "Failed to start HTTP server"
+echo $HTTP_PID
+trap "kill $HTTP_PID; CleanUp" INT
+
+export FABRIC_CA_DEBUG
+mkdir -p $KEYSTORE/admin
+export FABRIC_CA_HOME=$KEYSTORE/admin
+
+#for driver in sqlite3 postgres mysql; do
+for driver in sqlite3 ; do
+ $SCRIPTDIR/fabric-ca_setup.sh -R -x $FABRIC_CA_HOME
+ $SCRIPTDIR/fabric-ca_setup.sh -I -S -X -n4 -t rsa -l 2048 -d $driver
+ RC=$((RC+$?))
+
+ $SCRIPTDIR/enroll.sh -u admin -p adminpw -x $FABRIC_CA_HOME
+ if test $? -ne 0; then
+ echo "Failed to enroll admin"
+ RC=$((RC+1))
+ continue
+ fi
+
+
+ $SCRIPTDIR/register.sh -u ${USERNAME} -t $USERTYPE -g $USERGRP -x $FABRIC_CA_HOME
+ if test $? -ne 0; then
+ echo "Failed to register $USERNAME"
+ RC=$((RC+1))
+ continue
+ fi
+
+ for i in {2..8}; do
+ $SCRIPTDIR/register.sh -u $USERNAME -t $USERTYPE -g $USERGRP -x $FABRIC_CA_HOME
+ if test $? -eq 0; then
+ echo "Duplicate registration of " $USERNAME
+ RC=$((RC+1))
+ fi
+ done
+
+ for s in {1..4}; do
+ verifyServerTraffic $HOST server${s} 10 "" "" lt
+ RC=$((RC+$?))
+ sleep 1
+ done
+
+ $SCRIPTDIR/fabric-ca_setup.sh -R -x $FABRIC_CA_HOME
+done
+kill $HTTP_PID
+wait $HTTP_PID
+CleanUp "$RC"
+exit $RC
diff --git a/scripts/fvt/roundrobin_test.sh b/scripts/fvt/roundrobin_test.sh
new file mode 100755
index 000000000..dd0ac7820
--- /dev/null
+++ b/scripts/fvt/roundrobin_test.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+FABRIC_CA="$GOPATH/src/github.com/hyperledger/fabric-ca"
+SCRIPTDIR="$FABRIC_CA/scripts/fvt"
+TESTDATA="$FABRIC_CA/testdata"
+. $SCRIPTDIR/fabric-ca_utils
+RC=0
+HOST="localhost:10888"
+HTTP_PORT="3755"
+
+cd $TESTDATA
+python -m SimpleHTTPServer $HTTP_PORT &
+HTTP_PID=$!
+pollServer python localhost "$HTTP_PORT" || ErrorExit "Failed to start HTTP server"
+echo $HTTP_PID
+trap "kill $HTTP_PID; CleanUp" INT
+
+#for driver in sqlite3 postgres mysql; do
+for driver in sqlite3 ; do
+ $SCRIPTDIR/fabric-ca_setup.sh -R
+ $SCRIPTDIR/fabric-ca_setup.sh -I -S -X -n4 -t rsa -l 2048 -d $driver
+ test $? -ne 0 && ErrorExit "Failed to setup server"
+ $SCRIPTDIR/registerAndEnroll.sh -u 'user1 user2 user3 user4 user5 user6 user7 user8 user9'
+ RC=$((RC+$?))
+ $SCRIPTDIR/reenroll.sh -x /tmp/keyStore/admin
+ for s in 1 2 3 4; do
+ curl -s http://${HOST}/ | awk -v s="server${s}" '$0~s'|html2text | egrep "HTTP|server${s}"
+ verifyServerTraffic $HOST server${s} 5
+ RC=$((RC+$?))
+ done
+ $SCRIPTDIR/fabric-ca_setup.sh -R
+done
+kill $HTTP_PID
+wait $HTTP_PID
+CleanUp $RC
+exit $RC
diff --git a/scripts/run_fvt_tests b/scripts/run_fvt_tests
new file mode 100755
index 000000000..6667db8d1
--- /dev/null
+++ b/scripts/run_fvt_tests
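Review bot: After `fabric-ca_setup.sh -I -S -X -n4 -t rsa -l 2048 -d $driver` a failure is only folded into the counter via `RC=$((RC+$?))` and the iteration carries on, so the admin enrollment, the registration loop and `verifyServerTraffic` then run against a server that never came up and each add their own failures, which buries the root cause in the log; reenroll_test.sh already guards this with `if test $? -ne 0; then echo "Failed to setup server"; RC=$((RC+1)); continue; fi` and the same guard fits here. `enrollUser` is defined but never called in this script, and its `PASSWD="$(echo $OUT | tail -n1 | awk '{print $NF}')"` differs from the reenroll_test.sh copy (`echo "$OUT" | head -n1`): with `$OUT` unquoted the captured output is joined into one line, so `tail -n1` always sees a single line and the head/tail distinction is lost. If the function stays, quote `"$OUT"` and choose the line deliberately; otherwise drop the dead definition.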
@@ -0,0 +1,35 @@
+#!/bin/bash
+FABRIC_CA=$GOPATH/src/github.com/hyperledger/fabric-ca
+SCRIPTDIR="$FABRIC_CA/scripts/fvt"
+export TESTCASE="fabric-ca-fvt"
+export RESULTLOG="/tmp/fvt-test.results"
+export STARTIME=$SECONDS
+export RC=0
+. $SCRIPTDIR/fabric-ca_utils
+> $RESULTLOG
+
+(
+TimeStamp
+echo "Running fvt tests ..."
+export PATH=$PATH:$GOPATH/bin
+tests="$(find $SCRIPTDIR -name "*test*.sh")"
+for cmd in $tests; do
+ echo ""
+ echo "*******************"
+ TESTCASE="${cmd##*/}"
+ echo "${cmd}"
+ echo "*******************"
+ ${cmd} 2>&1
+ RC=$((RC+$?))
+ $SCRIPTDIR/fabric-ca_setup.sh -R
+ echo ""
+ echo ""
+ echo ""
+done
+echo "Finished running fvt tests"
+grep RC: $RESULTLOG
+echo $RC >> $RESULTLOG
+) | tee -a $RESULTLOG 2>&1
+RC=$(tail -n1 $RESULTLOG)
+CleanUp "$RC"
+exit "$RC"
diff --git a/testdata/TestCRL.crl b/testdata/TestCRL.crl
new file mode 100644
index 000000000..1a9fc7dd3
Binary files /dev/null and b/testdata/TestCRL.crl differ
diff --git a/testdata/keyparms/dsa1024 b/testdata/keyparms/dsa1024
new file mode 100644
index 000000000..c5a81c2e2
--- /dev/null
+++ b/testdata/keyparms/dsa1024
@@ -0,0 +1,9 @@
+-----BEGIN DSA PARAMETERS-----
+MIIBHwKBgQDfBrpf2b5/HytOqE0UIQax37sE5RpFcacykO62Rg5KnelA/cBXIvGN
+IatCfPyVkA+Tq33jq+obDQumr3rMrfBo2clFhOUQZM2PgQ6lYkY8Lrx2wVaFxDZw
+9pCa3nLCEcy5JjNy6u17k/d4smjiudXNXAFf/B1FUoMEJkjC3PJl/wIVAN1zvcy+
+DKOKwfu1mNoXyM2M6SydAoGBAMmuYuy5xO5nkNqoqwT/f5kTknJkLLU9m0DnOKCa
+lNyhIN4PczuyHoDZyyUrsMw9YIBmH1cWajd+TTwEwUFGeiNjrRJlteo7jVlua+ff
+8KkisTcDP/Np4hNwOm4eBB0MRhYO5lndUsGtlttEDWJK+nXBAAwH3msAxB3bHkVM
+JiFE
+-----END DSA PARAMETERS-----
diff --git a/testdata/keyparms/dsa2048 b/testdata/keyparms/dsa2048
new file mode 100644
index 000000000..21508b663
--- /dev/null
+++ b/testdata/keyparms/dsa2048
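Review bot: `RESULTLOG="/tmp/fvt-test.results"` is a fixed name in a shared directory that the script truncates with `> $RESULTLOG` and then treats as authoritative: the process exit status is `RC=$(tail -n1 $RESULTLOG)`, i.e. whatever happens to be the last line of that file. A pre-existing file or symlink at that path (a stale run, or another local user) is followed and overwritten, and anything else appending to the file between `echo $RC >> $RESULTLOG` and the `tail` changes the reported status; `RESULTLOG="$(mktemp /tmp/fvt-test.results.XXXXXX)" || exit 1` removes the predictable name, and ending the subshell with `exit $RC` under `set -o pipefail` would avoid round-tripping the status through the log at all. Also, `) | tee -a $RESULTLOG 2>&1` redirects tee's own stderr rather than the subshell's, so stderr from `TimeStamp`, `find` or `grep` bypasses the log (only each `${cmd}` is wrapped with `2>&1`); `) 2>&1 | tee -a $RESULTLOG` captures all of it. `find $SCRIPTDIR -name "*test*.sh"` yields files in directory order, so the test sequence differs between machines; piping the list through `sort` makes runs comparable.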
@@ -0,0 +1,14 @@ +-----BEGIN DSA PARAMETERS----- +MIICIQKCAQEA+Hh7Ep7UGw1/OTkPurPk5DDWenkiPskAq2VEljQ+BcE4QJZN7vPT +oaVCr6ee7ZHqgP1Eff8A9DaMkZQyl0/bC7HLbBHppwmEdHR7SHV7X2DlZKl1xvZ6 +9fVWZV8dtxkVAQ3xeuAFjLtiUx4IbTrvAI5AcHRhYeDxY1m1hr6S4IJZ9vg9pJHl +JmX/mvsH7xt51HdioAiSdBQsPKk4YK3b2q0m5xMoevsOagoMjAyJV8Ijs3S66hhm +dIjv8q9WaYRKuroUdcrwsmWgVONo3arhPBUjOz+dUBHYJMdJBZuDPjGesqxQpzSM +gotQcXaIBCSBYeFO/bXoqJ65Y1NmOIQnqwIVAO74oq7fICducZ9X/m7+wQkcgHkT +AoIBAQCVuYKNCSUq4B9xFyRWtnzmO4euB5K7k3TfXgomjPIMlGOs0m9lW04ZJik0 +Af3bhoXbahYu30M4kgk2xKAv9yxB4La1jtYc/noM/lkBoRPSm65UXaIgX9LFGrVr +7d6Vgu/ymTG6RfZjybyw6oU8CSWPVFb63t8/8z3gfIBskEZCTHROyZbAkUchEDbL +MUOK/GFNoJJAN4sbIIC9Ht0FNJR553SJ0Yva9SQ5oNXOBumY+dtC4ksS0GtWZLLx +2FRxxxSMysfNxnCCRw1uvpY4h+n4j+9cT4U+XaGzHYE4sEZ4yDORXgVIuNBtbVXH +0RtA0biP3tK3Zc4Mt5qag7qdu54I +-----END DSA PARAMETERS----- diff --git a/testdata/keyparms/dsa256 b/testdata/keyparms/dsa256 new file mode 100644 index 000000000..ef5198c7f --- /dev/null +++ b/testdata/keyparms/dsa256 @@ -0,0 +1,6 @@ +-----BEGIN DSA PARAMETERS----- +MIGdAkEA4E0Odj1UNZI36B6vY6BcsOqTabp7Tz77AwqWU9eM16TWJkk13Xj000yY +yvdKOkQ4WhDUo3fcgBoLTSUPXPb8GwIVAKRttAJUevFhXd8rR4ZrviRa1XP5AkEA +j3JKdRG7bPaJqN+mQHMfSQ9Jh/uHRf0bzNJwCRccGy8+2WcL4Kibg/CQOzqhLqH0 +c7nX19np3jWIFrxX2FCq1w== +-----END DSA PARAMETERS----- diff --git a/testdata/keyparms/dsa4096 b/testdata/keyparms/dsa4096 new file mode 100644 index 000000000..324eaedf8 --- /dev/null +++ b/testdata/keyparms/dsa4096 
@@ -0,0 +1,25 @@ +-----BEGIN DSA PARAMETERS----- +MIIELAKCAgEAhTQ8LtNckGwQBnJ9CeKCNN3DyHI73CDTtDz5DrG+sYnpx8FXHLNs +cDaLhCrncsCzI/atWe8ZlSgB1fpd5G2LeAJy5cBFhHLCrBnK2EW7uHi96JHdPq4C +0eJ5F9NeSKXt8+Oum2PoD6LjOsOG/in4qtJtafzUVeOuhOkQemAHtUi5HNxribvt +ehCEas0qpQvsnWLPaBfKpPQF7g4NfeYnJK5bEcAWWZinq1F7qTgF5W6r/XkTg+7W +OXcSuNWBJAwGrMidhq1z48Q4CfGijIwhzEuPoz3JQJI3aNATYzBzJ1XLLygBbE/G +Q9fuELDoWsTZBF+98OzWXosSy180m/jMCiuKNsv/v3mzD9QUZteJdLIgaX8/rm9H +YCjOofcP/tgBInQYbZiNQ0YoIH/ZtY85E0qkUDITlZIQlPLtjhVKsX6tetAOSv/y +sNHbYkoQQ+FLOPcL0oOcOMBhz0QcaZDZNwUrYrd19CzcstsjX+JTOmmPOXk4hujx +0bzipl3Ggzpz49ondrhIYz5TYOI0PHkq0/YUA66nxa3nuBmw3+F2tB6PLm/XbQ3L +iHBxl9638oNY20yr7Wka8CKYkbsklEWpHqR9KcYM/uL4sad6sZF1q8PkC2Ck7OSw +bIN3Auh2hb5IpVt3pgTUyHhsogvS2u7OATylaUK+rb7f64yYkBONJnECIQDbu2wY +usl0FMJWEdtoK2a6CA3zrNvyU4f9R5x6uCBt8wKCAgAEcgUIM7ULyYusO39iOrP3 +VTirjh0m39/+/KyDYXP6hALutJdw5QAHNflFWyRQTl+UY6gLXLgGbAqqz7DdmqPd +KxpafpWuxH9Dywx+Gvwn5UOS+qquRWS3yGNX33m4MnGFwuZDMyJzlCF0NrCZcFX1 +UQ6e0MGYo+ZkXuyJL5GkPUlXVktqfbQm1IBRoh+vK8+T/EQhlSEhvZduigCJW+Xx +61IC7sMRotEcWpNKCtbL3EULtdmowWW3uMRIxgOHqLRtZNypmJL2opKc44xBbQJb +kWEf/5KkulJ7W8/wWNnaKtxDLgdwulD42T4v6UtRfcLSl35n1BzwGzgGUHktFssI +UcuG9JTgBgLYxWDsgGoyvQzLN5ME58XVddv+9eqlmJvwpZ+dIUsOHeKY4DWyHrBK +g5HhknH7NSZUlgaj0Adhx8+HAN8/DP6Y/LN2IigtdupTrvelTUa5Wj+VTB62/y+8 +0DfQTApH4xndObLUj48Gb0CCwTM+UwTxppFXGHLlyv7Swp+FnMQ0uBwFtTBX/1J0 +tQrT1HThChpjftF+TBvTJY9BZIiazR10e+RRgkoj//ftTWwQBZrL9NwTroEcDX8q +5pdqnNOaQBpCA3QbrSh2fSiUCLn1ZyP4KpRkZFEDpAhgSjKKlw/qa+pIH1q9TPtO +PIy443x7kGbBfzkipxcqaA== +-----END DSA PARAMETERS----- diff --git a/testdata/keyparms/dsa512 b/testdata/keyparms/dsa512 new file mode 100644 index 000000000..6b2dd9317 --- /dev/null +++ b/testdata/keyparms/dsa512 
@@ -0,0 +1,6 @@ +-----BEGIN DSA PARAMETERS----- +MIGdAkEA6CFK4Ru5WWBFNo5zfwYq+Ynu1xjK+wvP5crJudFPI4H0W3Dy7SM9z9kx +tOJDOamf6NuqRp6L42P/Hydj5mnggQIVAJowFDTP0r/VhmkjC6vXgZjwECCrAkEA +ys61KuTEMrA4OZztgPQyzt+49LH6HFFtAxlF0BdtFpyou2VISUSFxu8M6kei/ns8 +d6KaNNdFClZ4I81/JOJrKA== +-----END DSA PARAMETERS----- diff --git a/testdata/keyparms/ec160 b/testdata/keyparms/ec160 new file mode 100644 index 000000000..3546d9957 --- /dev/null +++ b/testdata/keyparms/ec160 @@ -0,0 +1,3 @@ +-----BEGIN EC PARAMETERS----- +BgUrgQQACA== +-----END EC PARAMETERS----- diff --git a/testdata/keyparms/ec224 b/testdata/keyparms/ec224 new file mode 100644 index 000000000..9728ddda9 --- /dev/null +++ b/testdata/keyparms/ec224 @@ -0,0 +1,3 @@ +-----BEGIN EC PARAMETERS----- +BgUrgQQAIQ== +-----END EC PARAMETERS----- diff --git a/testdata/keyparms/ec256 b/testdata/keyparms/ec256 new file mode 100644 index 000000000..a76e47d95 --- /dev/null +++ b/testdata/keyparms/ec256 @@ -0,0 +1,3 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- diff --git a/testdata/keyparms/ec384 b/testdata/keyparms/ec384 new file mode 100644 index 000000000..ceed209a5 --- /dev/null +++ b/testdata/keyparms/ec384 @@ -0,0 +1,3 @@ +-----BEGIN EC PARAMETERS----- +BgUrgQQAIg== +-----END EC PARAMETERS----- diff --git a/testdata/keyparms/ec521 b/testdata/keyparms/ec521 new file mode 100644 index 000000000..cdca78c8e --- /dev/null +++ b/testdata/keyparms/ec521 @@ -0,0 +1,3 @@ +-----BEGIN EC PARAMETERS----- +BgUrgQQAIw== +-----END EC PARAMETERS----- diff --git a/testdata/keyparms/ec570 b/testdata/keyparms/ec570 new file mode 100644 index 000000000..20b18d6eb --- /dev/null +++ b/testdata/keyparms/ec570 @@ -0,0 +1,3 @@ +-----BEGIN EC PARAMETERS----- +BgUrgQQAJw== +-----END EC PARAMETERS----- diff --git a/testdata/keyparms/key.pem b/testdata/keyparms/key.pem new file mode 100644 index 000000000..a76e47d95 --- /dev/null +++ b/testdata/keyparms/key.pem 
@@ -0,0 +1,3 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- diff --git a/testdata/openssl.cnf.base b/testdata/openssl.cnf.base new file mode 100644 index 000000000..1a7a3053b --- /dev/null +++ b/testdata/openssl.cnf.base 
@@ -0,0 +1,297 @@
+#HOME = .
+#RANDFILE = $ENV::HOME/.rnd
+DOMAIN = FVT
+SUBALT = IP:9.37.17.64
+KEYUSE = nonRepudiation,digitalSignature,keyEncipherment
+HTTP_PORT = 3755
+#EXTKEYUSE = "ipsecEndSystem"
+
+####################################################################
+# CA Definition
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+# Per the above, this is where we define CA values
+[ CA_default ]
+
+dir = /tmp/CAs/$DOMAIN # Where everything is kept
+certs = $dir/certsdb # Where the issued certs are kept
+new_certs_dir = $certs # default place for new certs.
+database = $dir/index.txt # database index file.
+certificate = $dir/cacert.pem # The CA certificate
+private_key = $dir/private/cakey.pem# The private key
+serial = $dir/serial # The current serial number
+RANDFILE = $dir/private/.rand # private random number file
+
+crldir = $dir/crl
+crlnumber = $dir/crlnumber # the current crl number
+crl = $crldir/crl.pem # The current CRL
+unique_subject = no # allows for mulitple certs with
+ # the same SubjectName
+
+# By default we use "user certificate" extensions when signing
+x509_extensions = usr_cert # The extentions to add to the cert
+
+# Honor extensions requested of us
+copy_extensions = copy
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+crl_extensions = crl_ext
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = sha1 # which md to use.
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+####################################################################
+# The default policy for the CA when signing requests, requires some
+# resemblence to the CA cert
+#
+[ policy_match ]
+countryName = optional # Must be the same as the CA
+stateOrProvinceName = optional # Must be the same as the CA
+organizationName = optional # Must be the same as the CA
+organizationalUnitName = optional # not required
+commonName = supplied # must be there, whatever it is
+emailAddress = optional # not required
+
+####################################################################
+# An alternative policy not referred to anywhere in this file. Can
+# be used by specifying '-policy policy_anything' to ca(8).
+#
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+# This is where we define how to generate CSRs
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name # where to get DN for reqs
+attributes = req_attributes # req attributes
+x509_extensions = v3_ca # The extentions to add to self signed certs
+req_extensions = v3_req # The extensions to add to req's
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+
+####################################################################
+# Per "req" section, this is where we define DN info
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = NC
+
+localityName = Locality Name (eg, city)
+localityName_default = RTP
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = IBM
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = FVT
+
+commonName = Common Name (eg, YOUR name)
+commonName_max = 64
+
+#emailAddress = Email Address
+#emailAddress_max = 64
+
+
+####################################################################
+# We don't want these, but the section must exist
+[ req_attributes ]
+#challengePassword = A challenge password
+#challengePassword_min = 4
+#challengePassword_max = 20
+#unstructuredName = An optional company name
+
+
+####################################################################
+# Extensions for when we sign normal certs (specified as default)
+[ usr_cert ]
+crlDistributionPoints=cdp_section
+# User certs aren't CAs, by definition
+basicConstraints=CA:false
+nsComment = "OpenSSL Generated Certificate"
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+# This is OK for an SSL server.
+#nsCertType = server
+# For an object signing certificate this would be used.
+#nsCertType = objsign
+# For normal client use this is typical
+#nsCertType = client, email
+# and for everything including object signing:
+#nsCertType = client, email, objsign
+
+# keyUsage -- the supported names are:
+# digitalSignature
+# nonRepudiation
+# keyEncipherment
+# dataEncipherment
+# keyAgreement
+# keyCertSign
+# cRLSign
+# encipherOnly
+# decipherOnly
+# This is typical in keyUsage for a client certificate.
+#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+keyUsage = $KEYUSE
+
+# extendedKeyUsage -- the supported names are:
+# serverAuth
+# clientAuth
+# codeSigning
+# emailProtection
+# ipsecEndSystem -- obsolete
+# ipsecTunnel -- obsolete
+# ipsecUser -- obsolete
+# timeStamping
+# OCSPSigning
+#extendedKeyUsage = $EXTKEYUSE
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+#subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+#subjectAltName=email:move
+subjectAltName=$SUBALT
+
+####################################################################
+# Same as above, but cert req already has SubjectAltNames
+[ usr_cert_has_san ]
+crlDistributionPoints=cdp_section
+basicConstraints=CA:false
+nsComment = "OpenSSL Generated Certificate"
+#nsCertType = server
+#nsCertType = objsign
+#nsCertType = client, email
+#nsCertType = client, email, objsign
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+#subjectAltName=email:move
+keyUsage = $KEYUSE
+#extendedKeyUsage = $EXTKEYUSE
+
+
+####################################################################
+# Extension for requests
+[ v3_req ]
+# Lets at least make our requests PKIX complaint
+#subjectAltName=email:move
+
+subjectAltName=$SUBALT
+
+####################################################################
+# subjectAltName section
+[ alt_section ]
+#DNS.1=amphion.raleigh.ibm.com
+#IP.1=9.42.105.138
+#IP.2=13::17
+#email.1=eabailey@us.ibm.com
+
+####################################################################
+# An alternative section of extensions, not referred to anywhere
+# else in the config. We'll use this via '-extensions v3_ca' when
+# using ca(8) to sign another CA.
+#
+[ v3_ca ]
+crlDistributionPoints=cdp_section
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+basicConstraints = critical,CA:true
+# So we do this instead.
+#basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+#subjectAltName=email:move
+# Copy issuer details
+#issuerAltName=issuer:copy
+subjectAltName=email:move
+certificatePolicies=2.5.29.32.0
+
+[ v3_ca_has_san ]
+crlDistributionPoints=cdp_section
+# Same as above, but CA req already has SubjectAltNames
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = critical,CA:true
+#basicConstraints = CA:true
+keyUsage = cRLSign, keyCertSign
+# nsCertType = sslCA, emailCA
+# Copy issuer details
+#issuerAltName=issuer:copy
+certificatePolicies=2.5.29.32.0
+
+
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+issuingDistributionPoint=critical,@idp_section
+
+[ idp_section ]
+fullname=URI:http://localhost:$HTTP_PORT/$DOMAIN/crl/crl.der
+#onlysomereasons=$IDPREASON
+
+[ cdp_section ]
+fullname=URI:http://localhost:$HTTP_PORT/$DOMAIN/crl/crl.der
+# revocation reason, where reason is one of:
+# unspecified
+# keyCompromise
+# CACompromise
+# affiliationChanged
+# superseded
+# cessationOfOperation
+# certificateHold
+# removeFromCRL
+#reasons=$CDPREASON
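Review bot: `default_md = sha1` in `[ CA_default ]` and `default_bits = 1024` in `[ req ]` make every certificate and CRL produced from this config SHA-1-signed and, for RSA requests, 1024-bit by default, both of which current TLS stacks and CA/Browser Forum baseline rules reject; `default_md = sha256` and `default_bits = 2048` are the minimum a test CA should exercise unless a test deliberately targets weak parameters, and the key-length tests in auth_test.sh pass their own `-l` values anyway. `SUBALT = IP:9.37.17.64` feeds `subjectAltName=$SUBALT` in both `[ usr_cert ]` and `[ v3_req ]`, so every leaf cert and CSR carries that one fixed IP; if the `.base` suffix means the setup script substitutes these values, a header comment listing which keys (`DOMAIN`, `SUBALT`, `KEYUSE`, `HTTP_PORT`) are rewritten would make that explicit. `unique_subject = no` is what lets the reenroll tests issue repeatedly for the same subject, which is worth stating in its comment in place of the fragment `# allows for mulitple certs with`.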