diff --git a/tests/data/cert_missing/key.rsa b/tests/data/cert_missing/key.rsa
new file mode 100644
index 0000000..a713c8e
--- /dev/null
+++ b/tests/data/cert_missing/key.rsa
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQD7f6oYIWWsoyrI
+KXu47tAn4gtnH3izCVzFo7VWjamVq7+ssWSw1Ob0R5PmR+i+ATxQhfK7BBZk6jE6
+i5pffS3dJS3WqEza0nD5uSA34zTYtJeLrsBuOoldZ4mz7JAvrhFV0zdzXdCjDoQG
+qQ49JWIhI22nT0Yq58qB49bqm1vx+TajXIDuKdCJwJfthF/9sXirmqM4GsOOzAMf
+xbU3lWfxdU1rXJ0tBlZSH/b31ZnuNCAuAgWIn1Ev2qG2X0WVK83fJ5GefLcBfhuT
+4jrrq+aV6oAHznv1AJPvBwYhVq09fvVvTFnFrIJkc3NxZMjidkjYI7lvhPzwX2rO
+0zw3MEL8680pU8CJOsXAyeXGDeipt70S+p6nZS3+floqOSB5YMdQjntWgBYkR89Y
+8q4mEg+eaiR/lFHOOoZreKe+K+djMPYmdrRExQ18DcKNWl239zj/n2QpTdnzjy7N
+kuvDZyZf4pmm/0u4Kd9So6cSybCGjGtlpmpvzC4Xuebto/A7zlJeIghl2mmbo3VM
+hlM44nQekO61mIqz2dkqgGgf7kqQKSvvo/Rj5u8D4N3FnRXQm/JqvlCyQlpzeFuk
+7vFJz1yA1fK3CxfuK6xuclMhjo2vgNCwaiBFjb/eAnrM+/btUfKTGXIx4nedErls
+TuTqukJRCOulVdv0ZVsVnW6/0t4h+QIDAQABAoICAF7c+LvBXSiRI0H8474N1lY0
+3Tg4lr5xeZzS80OCi8T404PAJcrNg5AAr7jcxt1keeulmrkQAaJu88Kxhbke7n3L
+2E5vjQ288wA+4/gwq25SMBdwAwWQ7t9cfoRvZrOVZNSKpw/NAzV99C7O9Z/6ydjW
+FDZXoI/ufmQgHKDBmRzcc8+KxNcQzqgnDSd6FvsKRgn0ejxfXAQwz7zcRk6A/IQH
+SvyEIoUpLsYraGxzFWzUHI8+E/hEn8r9HKI9rXFm5HCX7EVrpVvaxWwymSbr4D4M
+Bd7r87WmUiaG77kDiLT5fnpMwk/dkhFxusm6ykshcriUQQ3fi8jfNNpusvfeLGWa
+4IcwkWPGd5EWNjM1eqeCfh79FAdJe8sEYf2pAkT8LVNT23J/jsL5dsLy3VFQ6svV
+NReDnaWBxw92Xh/zqmo7L7/zGaLKXJPSQYHlnDUuYBOxoKhnzDY7P1XWk3STKDan
+1rwSelBb/9Z/KGgeg92YlHrYOspw7JaCaYbzpsi8vCS+ZrTrbQ0UoHUAVKgRkTsG
+pgUvlbX+RL1+nweGmjenDYEGn5MsPhoKgJFhJLgqqdo3ZTruEazU9Q5xLZDhWz82
+hxJKm3WFAqIL8Q5Wd22z7+DjS9YLuHYB+o9dSbqR0UOiyvYb+eL8gkvPtlvnE0yC
+iWl1SDg25iWmbQz1X7EBAoIBAQD+AImpGYgRhIglB2MSz9LPLEC9lGZX6ZznfS91
+1tc5iPcqqKQ3VBCJWnCNOTh5RXlau0s/+vE6zKytSiWrzgkTBMkd18xPTy6c5O4J
+XUCArZHx+GoXooOkSPxcLM1IGElTpHT/4Ua4KrGzMpdI8khHLDfiXeUL9mlgYrho
+rLjArOo/1pBURYfNSay+bmTB/CzoS+0EXYc6fCNhNvE8fOkCCdPiwrpUjuZyYzmR
+pkU1XVOzgqLEqBadywXfp6NeyRBVWO9OxWcJ63smwWCJz/KcTYhBAG5TH/959O6z
+115Q7tst+amhBZLgOvHnYJ1S/dK1fU4PDRAm6dEW7kqeFd11AoIBAQD9ehX2SVdo
+RHT69H4ItMpYWiBUtAwOEE5d5RPVrjtFtSh/V1pZ+jjGTyqTL5+885o1A6q2Nkrc
+d8kYG5VVaGkjJEibCk6px0TWN2Lt73Q0ixNbBmcjxsjRp4EfHvMR/5IqvSZNuUjy
+8j3dFHgeB6/PFY283Z9XbMrcFZeEsL4rljF+/XCX2ZeMIUBU93cbZr80o1LgcwpI
+Qw61g6Kfjwm6jJEws3doxcmAGSkbR4PzZyRI8lLlIEWWccRG1k34J7s2eDfk8O6F
+awv/pgcyFQQwl3zMXmCDNvdHkHV7EDu0gZc8WEuKBTA9tOfokkQmp4rbvMGqtJJm
+OfYFZZR/YU31AoIBAHUulFPiRocmaJUEum1kWbJgjSGpRCoMyel2NJ4d1r9hc/5H
+PTOVYeesRL6yhl5Uce8s90N2JzJkWMm9qnF/pWoTzCErfMOeGTgi2bqSPf7flLRY
+UcHDpQ326g4wUSiQo8ul1KB0MucmM0Mj9O2fcT78pG+Xt+Lz9JuWD9Oi0714SL3Y
+5E8soMFR2xMj5PIlwCYPWTKpX4jY2o2wBk1Mp0bcd9dm1QXLw39ETbvnRIihHMt1
+Wlh137E+h+At+83v3swxMn5Zzfain/c6QapyuE/p6RFr/Hn3Cisel716f7XA7Hdi
+diKmaqNuLkn7pbkzBrHaNFf3Q9tgBamZl+0k0z0CggEAAuOgWnVNjL+zAaVFxn2h
+DM7CLZT7yjE/Y2yYBEh/HnVJJ+JsAjiK6x+94X2aeYHhURdgm8EUq1ymKyMtWZLe
+F+ty9Glyqha+Xx60fvfKwEqRhukUxeCfK1yYaS1mId9i4B/Vzu78uOAv+lQgZl86
+Dsc1HWD9TvbLfSS13GpTUJXerI7g+KofQxah8BX+Ao7yQPxXln1ZMaeqBEGi2eS8
+fKbbhM2W39fZSx9+S3ROObkEPdydO0VZ5bQYQ6JvsxNo298U7AQfA+BLe7d9v4Fj
+0dX4MzAkM3qt6N/ppuRxecY8XhC3k7Qpb5qfRhRcuIASYhzNrE9wl7+zYS5eOfF2
+/QKCAQEAyOKjglWIpOul3EIOF2D0O6fkulxLfUya6URok00p3CxFXlFdDXwTzC9R
+TNYMVE0WrxnXk1KT7ave4PJRFKMNk/PxbMQbtji9m3mWlZsM2vNNQ9nuWnrfOAha
+plI7XBPJ4NNapl/RAFVhu3WVHG4CaYiqWPR3dMBi1/2Uk7EhZjhuJ8/AsJz5v7iO
+Nv0ydQX7ZisNwf1eksL7odZjGcm/PNOxdAnFI67DuXo4YvyMjzovhTgm0s4yrecC
+OMkrvwvefnzUQKV8m9na8pPG+ZJd518oK8nuk9UMgwsJnCWEVgzVjzRIxv7AElrO
+tPwNvAOh6tUMmDlbRt+xdpFmU238jA==
+-----END PRIVATE KEY-----
diff --git a/tests/data/key_missing/cert.pem b/tests/data/key_missing/cert.pem
new file mode 100644
index 0000000..df3fbd8
--- /dev/null
+++ b/tests/data/key_missing/cert.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFCTCCAvGgAwIBAgIUP60wPmdZzVFdc9c1ReFbzcWk9CwwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIwMTEwODE0MzE1NloXDTMwMTEw
+NjE0MzE1NlowFDESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEA+3+qGCFlrKMqyCl7uO7QJ+ILZx94swlcxaO1Vo2plau/
+rLFksNTm9EeT5kfovgE8UIXyuwQWZOoxOouaX30t3SUt1qhM2tJw+bkgN+M02LSX
+i67AbjqJXWeJs+yQL64RVdM3c13Qow6EBqkOPSViISNtp09GKufKgePW6ptb8fk2
+o1yA7inQicCX7YRf/bF4q5qjOBrDjswDH8W1N5Vn8XVNa1ydLQZWUh/299WZ7jQg
+LgIFiJ9RL9qhtl9FlSvN3yeRnny3AX4bk+I666vmleqAB8579QCT7wcGIVatPX71
+b0xZxayCZHNzcWTI4nZI2CO5b4T88F9qztM8NzBC/OvNKVPAiTrFwMnlxg3oqbe9
+Evqep2Ut/n5aKjkgeWDHUI57VoAWJEfPWPKuJhIPnmokf5RRzjqGa3invivnYzD2
+Jna0RMUNfA3CjVpdt/c4/59kKU3Z848uzZLrw2cmX+KZpv9LuCnfUqOnEsmwhoxr
+ZaZqb8wuF7nm7aPwO85SXiIIZdppm6N1TIZTOOJ0HpDutZiKs9nZKoBoH+5KkCkr
+76P0Y+bvA+DdxZ0V0Jvyar5QskJac3hbpO7xSc9cgNXytwsX7iusbnJTIY6Nr4DQ
+sGogRY2/3gJ6zPv27VHykxlyMeJ3nRK5bE7k6rpCUQjrpVXb9GVbFZ1uv9LeIfkC
+AwEAAaNTMFEwHQYDVR0OBBYEFI7IjwaA0gwpeZXl5x7Knw8i4STDMB8GA1UdIwQY
+MBaAFI7IjwaA0gwpeZXl5x7Knw8i4STDMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggIBANQJ+WuQ8UZsk86t7jTS9K2Igit22ImXhdddDHHbBrbdLXoN
+g4IXij8mEJqfPyqZhT49S23booihvJOyhT/RgRB6LI/hBuV1vTwARmIRU4WhZAh0
+xIwVCqniDp6Rgf6OEOYgLGk11CEv7vMfPZYbLddDY1HvmSl8l087CLEQ37WRb51M
+5Quhsrny441s6aTn8I7c9WY2H/CUmlF8byoLuIl2MpR5bQN17binfsJZPYkKaMyJ
+5URM0nCVUEr+o/1znYsQJYa+GSVEsJJ6OyS7TMSoFJlVFslOxbdPzNkdcL6jxpXN
+B0rCrC1gTaQynxTOoQ56N8Z74V9xoXNd0ZwaSgEWfeM++YOyk3qgfvhobd0F8rTD
+8+dvMN7eI+N8P+S+VCnX9YzrQIZyTwEhHK9fXLlcqoiAhpizgGhlGctiZ1MmpzT2
+aqFmLOCKpcQLyofsSLSFbhV2/w8rJbS1kTlrzwQLzaJvtLVy+ZZdQFP49Vj8Lb7n
+3Oos/YeNoGhJoTWX7S2nQBChYMsSUA15+IS7RN0b+cJroHESsqCkbp07M20zhztz
+fDWdYFh+o4V2lF9ecnqV7MwTvz9WxpchcUfQgENrJ3dgTn35hsZOMM2anwFWrmG+
+KVyFMhWNnZB1E530Nsu9cNHntqc3sFBdJebrFED9gOFErt5Vou8btjIqPm/Y
+-----END CERTIFICATE-----
diff --git a/tests/data/multicert/ca_cert.pem b/tests/data/multicert/ca_cert.pem
new file mode 100644
index 0000000..7cca683
--- /dev/null
+++ b/tests/data/multicert/ca_cert.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFCzCCAvOgAwIBAgIUIBGuqsV2UiwpjgNTBhsCWSEofMEwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKZXhhbXBsZSBDQTAeFw0yMTAzMDMxNzI1MjFaFw0zMTAz
+MDExNzI1MjFaMBUxEzARBgNVBAMMCmV4YW1wbGUgQ0EwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQDAYjrXvFY9MpJ0Cy9Jte42u9peeUQ+4isGIDmnSAmA
+hngVqoDlqvr6mXXU+N0c7jDkLEcs7EySORP/k1rRrAtQPSZeMSVQ47aJirmIlcnb
+P9/ivyYv8lyndZCZikOAOz7D1beRV66MX2q1/plnW1QuWHbk83IqNniZcL8QRTWw
+EYy8CxNd9UO9TlzF/kuIadNlFEywiQ6pbZiIhPChCtg2vKx/abQukYSGDoQxTIEp
+T6uqoHevAMZFMhwhURG5kUX65xQcIDSobvxyziSc3fKW/fxzu/ORkLHBB5T3jcQJ
++BL4pb+hZl7Xe/r4TvfhSpdzu5hoLFAqLWhQUHymMG8kmqJ6Q9lfuQO4A/HuqCQN
+cYtEce88uOaF/TPt99qhvg/7V1LXxZ9UNnyc2cQUroT8jx+5NtWBPQvekKSoufxX
+4Kv4kdtaPyGRVZcshLQKog6kD49nzlCJhYV9UUiGQMUrzb7H5n+Y2puN87B5oUVY
+djNJ65h7y27fKeXfrpvTJ+kqi9A6hrwNR6INTkRJ+l6mnpX0tnTmGmSiChsW+xCF
+R2bIl04y4efqYToG3fQk0vzn+rGx57DqnpgDavIYJxsNWzJ4qWWxdN08QV8OsmEo
+0u6Ks9+EVv6sHmY+WWsOB+8Jgwa0p2HcQ2nu0KrIDNVxUS29jPA/Iw7g/w95az/X
+2wIDAQABo1MwUTAdBgNVHQ4EFgQUtyhzhR/wxqDZlRxR4odCXFhSwtEwHwYDVR0j
+BBgwFoAUtyhzhR/wxqDZlRxR4odCXFhSwtEwDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAgEAZYiHTpAsWvOdqsMa9KhiWgOYAtJ/vERaTkWowxfqpBrx
+nC9k5PAU4r5mAa38RX9hbRWEpXA2oEET/txg4a9oHkYPCk8+Nq/K7JwoY32gdsuC
+EeAFIFhsfV5aDnoMxEfjOo7erFa89UBLup9bw3VupQ6+9B7UJP5Q1g8aapdcw2Io
+nFiof56TNBUNSSJc0ErfBInCQ+T2yIbbyXvsNhbENidlP8nDv9cwHEQewUPbH9/y
+k4MqsZVsdrm00m0ZWgdQfZnTgM5/TBp+tTyHJOQqfekPiqob7lPGgakMhkpGHJvu
+EnkQJecgHA1/k2ETM4Ja162kbshN8LjLLrXi9aEwDYTW1xFbvK9MrHKcSOTq+FJs
+WV3RK1J56pqq3iNJLXkXjSuo6bNIA4fjxJk8scRdsANAYfV9I3pJUY1EB/LvycSo
+zCUgpp+tnqT+lgvCZ3aFi/Iajb0TgoNb/xgHo2MJmRNLj6RQlJkLDEYBQTE1iiru
+bWZW2jf7LEBM9MwT2+I2AbmCLyPoA04ZT7GH2yeugU1YrxO5Erj6m3JBdwuKIU7g
+DJH2DttPIm1ay00tFBapYoODfXwqqIPtYRSAhSxxuWRV1fl5kVgyT2TjEvv9b/8j
+SMRrGvo4Ws2H8W8Fcf0EVIywkVxpE2YlzztEWhVJEmltM74slX82QZ2ppWCmepg=
+-----END CERTIFICATE-----
diff --git a/tests/data/multicert/ca_key.rsa b/tests/data/multicert/ca_key.rsa
new file mode 100644
index 0000000..b5fb859
--- /dev/null
+++ b/tests/data/multicert/ca_key.rsa
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDAYjrXvFY9MpJ0
+Cy9Jte42u9peeUQ+4isGIDmnSAmAhngVqoDlqvr6mXXU+N0c7jDkLEcs7EySORP/
+k1rRrAtQPSZeMSVQ47aJirmIlcnbP9/ivyYv8lyndZCZikOAOz7D1beRV66MX2q1
+/plnW1QuWHbk83IqNniZcL8QRTWwEYy8CxNd9UO9TlzF/kuIadNlFEywiQ6pbZiI
+hPChCtg2vKx/abQukYSGDoQxTIEpT6uqoHevAMZFMhwhURG5kUX65xQcIDSobvxy
+ziSc3fKW/fxzu/ORkLHBB5T3jcQJ+BL4pb+hZl7Xe/r4TvfhSpdzu5hoLFAqLWhQ
+UHymMG8kmqJ6Q9lfuQO4A/HuqCQNcYtEce88uOaF/TPt99qhvg/7V1LXxZ9UNnyc
+2cQUroT8jx+5NtWBPQvekKSoufxX4Kv4kdtaPyGRVZcshLQKog6kD49nzlCJhYV9
+UUiGQMUrzb7H5n+Y2puN87B5oUVYdjNJ65h7y27fKeXfrpvTJ+kqi9A6hrwNR6IN
+TkRJ+l6mnpX0tnTmGmSiChsW+xCFR2bIl04y4efqYToG3fQk0vzn+rGx57DqnpgD
+avIYJxsNWzJ4qWWxdN08QV8OsmEo0u6Ks9+EVv6sHmY+WWsOB+8Jgwa0p2HcQ2nu
+0KrIDNVxUS29jPA/Iw7g/w95az/X2wIDAQABAoICAQCSyuEHN+e9rlbdQKOGZNEs
+5k2LBJC0QrJ9bB1RrL/DV9dNANp1Y+85Q9sK9BETQBQCJl7wwiTy9aZyvqbvkYzY
+XrBl8q38eKQRcs56j4CEUMquIxgqQY29IRGCdmNm9s2/c9Uri3HeHfg4gdnfaWpk
+KpAdxjv4RbPjsIm5CnYasGloGjNe4AQd8CsN0CkmH0lzuPeDRDDxynQ2xuksmC++
+JFyio68eUV6DQ5ROYYe0U9wyx1pLKBYhOkkIiukxZM220pcflttXIchyeSSqpRez
+an00edcx3Owk03oxIfTRfn5LR31e09POLAWlbevp9ZZ2ck+qPRW1+Qu9LIzP6ekC
++9vTOA9Q9B8b/Yw8Mmi7J8ACLUFi5+B/cDUSYg2TJbpiIfFukFeXQpOzQBSOjdki
+tKY0RgxftFZaKhu3dyhyucQHde+iUnSNfoK746fnIPTFPF/fb7Ot54xX/PuUvrBR
+6RFi5Bj8aU8XqpOks6rFKNgyY/uJgPklPAR/z9wEDVRbwT2BbEUvu5A26T15/1lO
+Z2tKMH+VsSClJmuJxB3pl/aoZiYG7bwrTn0AUAHPAizYZtit+8O/Z5e0SukBprKK
+RmqUySo5Em7GWuJdizzsMq8Yf6IWk7lxHhOGAGCLfNTBGtw24zchuKdz6rO2nedV
+haBmpghW7seHKe/WLTvREQKCAQEA6t+gWSA68nyl+ylqk40VAycT6uZNeMYOXdL5
+OSgeow5XaQvf5myzlTj3eXTXUYAbxqicrNiYC9z0MOsJKwG12tBizexazlAFUw9y
+i8f/PBY6oh+ramkLVcE9BAvKWEND5mGvvweWRk1vJsPgdOgBHOtok1Ek5ae8yQx7
+NaUoA/6/YgS0LlWuPRdizdBIvOjgbuMPQUyb0rlYHhkXldyPf/47QBqzyY3D5wwM
+6WdcdB/wjFnVCnLYABu6HZ519ZyoDGayow6miv9KlAMgozC56u99vDtS7trbaeNQ
+AGNm/1mpkMvV0GerMJrDNE/SeNt8P0AT2UlI3XxAcsM1l6SHLwKCAQEA0bAzb1++
+ZqGG4DSzOgc1x4tsxrOqTm72EVqn+qVBy8K+iieNmDYpcIXUjr5L4T5/wFdd1zH4
+MDM2lseSFw2A6NuRiXRQxuwQyoNABC+OEkTX4KMvyyqzxSDneTxGUIclIn8D/yYt
+4KiA0WRQUVbq0dsY46YxrVFlyNCmQTl8uJc+VwigWlo1I+niWMlButj9N0wsOAh3
+kpg+Q8ViFq74XBg05NzUejqrxcAZm7+aTnDfdBJGm6TfzrRVfkgnLQ8ynFmtP4yR
+2NH4jJTDXZ2kkdSVnDoED2u9Ahj61u7qklhNBEYvg5J6d1E4ZfApgtOi8z5AOD/c
+5PUVXWtxATsPFQKCAQBy27M9go5xINXGkoVk7LxW01hhKgi+xBQoe9CWy/DXil7i
+pwTyWTwlADu9cI8PcxeiObiMqksImh/sgDP2jRqSjA+VZj0t4WIJMWexxbciejho
+KhaYrg/1+s7M2Ls2GIbu9dyNDbfGX324tldgtEg/DTwRtr/VcwbWRr1GCaMc+Qo8
+c9JtSkcv5uzRe0bm4vdGItHF/CHDlhHqfhjTl42xaPEusyAys5oWtgTmaz6CJ1Bq
+Qk/1kR3iR6znaSOEXfysO9il9rcpCBk/cpwWUfDJXB7f2x7+YZalHJ114yZuPzm1
+7oh8JwZHeZd2UIa7xZHoGHzcaIMylN2rgZ0GsFXPAoIBAAOS6j2Ctz8Oj7rwiwF5
+L/x3ruHwG/38PCttjSFjgayUZCT8qZgnjCtDzKymJ6ruIsVHd+z8CAviQ5LsUdwc
+uc6+N0vNdLb/PQYGmKe5m8VJ8Rf+EAl5b9jzR560XUpwEzz0R0ApCW0j0hY/jHLm
+dVggUNtIcN5QXdi/XaYM8cg/o6teFUWU9gTnrpjuzTT/D8nKfZJy6n7QI3eKPLLA
+RrFjJDumW+S9bUIQlR8nc9zUZaqXySZL+BiQ0Eg3uJs3ABjUGnTT04SLh531xyKo
+Vi66Hdas0nbk0jLf9B6Hse3OnXluLM8kRvwToU9zeXGmY8ebjwKmbABnAPc3ppRr
+ykUCggEAK4a/LUhibMxyid61Y6AQe7DQZZv7n3FfK70/fgD2OYdhZzWvaZPf7fef
+95vBwXdxnOZMOC/7iP0vaYB2Qij4r+m9XPWQ/R5UGMBEQuI3zn1jey00ItK49HDi
+jq4xRltBFI3y5mvw8u5v2uoWvjNcpTFDam1f/hAB0wsMrcccXklzsiE8SEc0QWme
+VVhppfd4WJG1/P7juyn3yvPOGrwQ73P6ZTigL6qfEJ94AH4dHnCiOqgHZ7rHQlpa
+g+AxEsZ4BHt49gxtabg6sHue5Di9NCvA/MaGr+d9yaSyaAz/k7qsFJL0TVuBJE2h
+uabNtK2No3EmpBOK31TRSIKWx7bFnw==
+-----END PRIVATE KEY-----
diff --git a/tests/data/multicert/create_certs.sh b/tests/data/multicert/create_certs.sh
new file mode 100755
index 0000000..8b5e0e7
--- /dev/null
+++ b/tests/data/multicert/create_certs.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+mkdir -p example.com example.org
+
+# create our own CA so we can use rustls without it complaining about using a
+# CA cert as end cert
+openssl req -x509 -newkey rsa:4096 -keyout ca_key.rsa -out ca_cert.pem -days 3650 -nodes -subj "/CN=example CA"
+
+for domain in "example.com" "example.org"
+do
+openssl genpkey -out $domain/key.rsa -algorithm RSA -pkeyopt rsa_keygen_bits:4096
+
+cat >openssl.conf <<EOT
+[req]
+default_bits       = 4096
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+prompt             = no
+
+[req_distinguished_name]
+countryName                 = US
+stateOrProvinceName         = CA
+localityName                = Playa Vista
+organizationName            = IANA
+commonName                  = $domain
+
+[req_ext]
+subjectAltName = DNS:$domain
+EOT
+
+openssl req -new -sha256 -out request.csr -key $domain/key.rsa -config openssl.conf
+
+openssl x509 -req -sha256 -days 3650 -in request.csr -CA ca_cert.pem -CAkey ca_key.rsa \
+    -CAcreateserial -out $domain/cert.pem -extensions req_ext -extfile openssl.conf
+done
+
+# clean up
+rm openssl.conf request.csr ca_cert.srl
diff --git a/tests/data/multicert/example.com/cert.pem b/tests/data/multicert/example.com/cert.pem
new file mode 100644
index 0000000..729f066
--- /dev/null
+++ b/tests/data/multicert/example.com/cert.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFEjCCAvqgAwIBAgIUfZVNYuF33/AJqeSsnS5rRwozd5QwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKZXhhbXBsZSBDQTAeFw0yMTAzMDMxNzI1MjNaFw0zMTAz
+MDExNzI1MjNaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEUMBIGA1UEBwwL
+UGxheWEgVmlzdGExDTALBgNVBAoMBElBTkExFDASBgNVBAMMC2V4YW1wbGUuY29t
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAou96HEovfkmfMU75y78Z
+bEMItLDFG/3xHKbVHYCyt4DyOpXj6rztg94aDkE/LsIK8g4M52x5i4CVgX5/5+QZ
+2ZX1rlbhGBpMi82JeArW3qZE+o+Ygu/7Kta2WfnZExcwcXHAsNHVJM3o1qOLo0fR
+0MqR3zyN2gD8/JPRXnHQx9HIE06P1dMfHE1GEOrP7Fivb9I50hzEUrwAVig0GvYF
+azlEBzw2CNmBCaa3t69t/PS+xT4u+G3B/RxjIJIwD0Krm2Q07eLDwU9EWwjWjzCP
+FADCuT2rOiCfDgZzDXO/EbCSvWYI1ZBhej9aYV2YdU4kWu00ITK/Gyt2ksJNl9OG
+0B+1ZSirgHkSjrptaD9X6iSULRUdwAitwyJ+dhvkBXVeEGt2no8Z4Q1B93OvNwZi
+Q7VJlP2qYEYwgoeUMX8jx9WRPlO58VctUUDG6CjVcoDPnHeM3/DnF6NC7FTxhEPQ
+23fOBMOgrlR/a6q4EYdjUlfzEo9Pfhiz2Yetet4LApzjZRQKYhnf/InDN+v9w/5z
+FkHd7atHW2HeuNgJ3hgcc4vBeWZIae8gd+J1Yp4MjVkjqRr0cuUZ49gpXNDk/w4v
+MmSuwJ1PSbV7sw6PHAxT+NGxidETUE3CvWxi2jLF37eSUW3oYjFsqYpHxdzSniaS
+WPacD7l35wqKULt+wql9PvkCAwEAAaMaMBgwFgYDVR0RBA8wDYILZXhhbXBsZS5j
+b20wDQYJKoZIhvcNAQELBQADggIBAEa4xORywXbIN+sLHVocO8pSVAdzd2dS0aME
+cPtLNc+W7eNE2NcTm8Tr4+qSWXwOxqa1Ax/UBaVOOvfmARNG3SEBE5POC0WCCKde
+samGCuRtVjIxvmgHAwKvJoe8CtiWuOxeXfuqSRN5ej6ViMIz67Y2c1hJuzXnTjK1
+6cyMBVNN0tw7tyO6EuOpsp6daua2jQMO9lxR6m8Vtrk02Ze1YtGlLfC1flGuj/qe
+HB6LHEA9fvgnjFpls1Dlxy4LWFMH5ggiMeAFaCz4+2I1gbZJjqJfYwIQk2ksePv+
+IAhaAfhaWANyGrd4I5STQCWcfypTsHdMsU+XsWr4/aPrw4s1aTvPezUS97YVyXyO
+H4sQ70I1QR6Ln73ZTCNL8io25cVSMh5NVfvBXu2zkeOq0wm2Yxiks+lIJFYZRusn
+KL4Spwcc0dxD4kcy3w2MZtvvPtqmteWkei+6v00SU5uCFUIqYBPZh6SPi45+XkSy
+hxz2bxFKEvjPfDasd9t2MxGV4NVxix0IXpKs8LxJ54utnCvE5DeQU+VuB92WUzvd
+SROSk+lWeBao9CdLpJ9bXF8MQHhzgfyzTrfCyexPPxk5CSzO5vcOhCCWdWhzr60Q
+HXq3kDzGIwb0sN6b9OWZGTi0D4GG6CfysyX+UP8dzzxAv2+xKFpTbzfUNCqdlDZd
+BxvkUq5c
+-----END CERTIFICATE-----
diff --git a/tests/data/multicert/example.com/key.rsa b/tests/data/multicert/example.com/key.rsa
new file mode 100644
index 0000000..d58eb19
--- /dev/null
+++ b/tests/data/multicert/example.com/key.rsa
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQCi73ocSi9+SZ8x
+TvnLvxlsQwi0sMUb/fEcptUdgLK3gPI6lePqvO2D3hoOQT8uwgryDgznbHmLgJWB
+fn/n5BnZlfWuVuEYGkyLzYl4CtbepkT6j5iC7/sq1rZZ+dkTFzBxccCw0dUkzejW
+o4ujR9HQypHfPI3aAPz8k9FecdDH0cgTTo/V0x8cTUYQ6s/sWK9v0jnSHMRSvABW
+KDQa9gVrOUQHPDYI2YEJpre3r2389L7FPi74bcH9HGMgkjAPQqubZDTt4sPBT0Rb
+CNaPMI8UAMK5Pas6IJ8OBnMNc78RsJK9ZgjVkGF6P1phXZh1TiRa7TQhMr8bK3aS
+wk2X04bQH7VlKKuAeRKOum1oP1fqJJQtFR3ACK3DIn52G+QFdV4Qa3aejxnhDUH3
+c683BmJDtUmU/apgRjCCh5QxfyPH1ZE+U7nxVy1RQMboKNVygM+cd4zf8OcXo0Ls
+VPGEQ9Dbd84Ew6CuVH9rqrgRh2NSV/MSj09+GLPZh6163gsCnONlFApiGd/8icM3
+6/3D/nMWQd3tq0dbYd642AneGBxzi8F5Zkhp7yB34nVingyNWSOpGvRy5Rnj2Clc
+0OT/Di8yZK7AnU9JtXuzDo8cDFP40bGJ0RNQTcK9bGLaMsXft5JRbehiMWypikfF
+3NKeJpJY9pwPuXfnCopQu37CqX0++QIDAQABAoICAF/RDLJOPhe6G8/XbbaPrten
+pBr+SSvo7j23LmSnJnIbdldVhi6o49REbHYtkIZiviUSdiwx8lhDSahZR8aKsVjv
+gwb/OGgALzuXp1vco/dTOAVRJJL7pWzPz3SiJTHA1VAhYPuaqgl2vZJbouZmedCb
+D6WD6rdlFWFDXEB6FhksGMihzpwkB4uRNb8FFzkZ/jF4I2CYYit1O41vHxUr0Iv5
+pTPMCMqzfdq7HBb9J2U2WGmN4/lcMlQyuWiSD4kp39kF2Mp8LDol70DJtcOG/tz4
+hYqB5YvNWzvYNxiWFKrGd8TBmDhfK7PERdY0QE/boC2IiLttKE1GBfjQIulCD2is
+x0DmcU4bry/k92itU47DOpDONqVkMNvVj0pwzJve0yJOdvWrw5SbIBg7UDsgZiZJ
+7uiWxBpLGXHolGOYxOQyq73Bm8h7/5lQgy1Kx0Iy2NJZsXi6G4I4uDJlphPB6zkP
+AC2X4GyoHLpbZDwkmF1J8G2SLv/uzEHTwMaT2p6xNopPtoKKFz7jvO06c7F0tXhd
+MiC2blxulKF/WuRDT9kxVOyk8WIYjqFhHiwbgY4WT76pyxqpX/B20VoFAThgksla
+dF4Hy/fX6yRdvbj6gf8OHifLPSH4DeXhCKGSOS7hXibNqvGOVdcjeWI19ahkmhKj
+x/hjq+IG3iQbLHnwK1dxAoIBAQDMsROJ/o2OFoXXXTgUdGNaBoGyvLTFVOSzx0NM
+1cRQa3c5os2sHlUKOqcnKNM7VM5MTmgMDs0bBy2cXZUxknae6MyxHXWjkdwfPclv
+UgsIa3UxsoSSv5hBUVbqI2f7vAGYUF3H0az5ulv9iPgkG6H/gYPfZP8MUPn/E2Y8
+2+sXdaWqu4Xhi2EHXlQuKJxnem+c5sW9yjk2lzz2FpZAWPbjWYjSDeH/fWtpXycx
+F+gjeuQJ2CS/D6Y2f33/G3f5Y857TDjbYspvH8owHSdBEVZmLqzFKp+ls747RZsD
+xvZk3L6CFKWntoaoT3CtNMzKz5kthtgcar4X5IzbzvlPe3W3AoIBAQDLxu5zOCT4
+BYysEYF3WudvAvmS88qnLnabtD/NBCB+ai56zmUTLAH9hiK1hpYPHazH7wQzfwgp
+JNWwbPigFxb5tQ/L1l1p2VRzDGp9HdJEUihfQT7jRHTcBA43wupNxi9Ht0c5yFUt
+wFeMCMMVZozpotj8TOWRvSBqvygTFKoia+QW20RDbMC9iikekTCRUa3hV5CpgLpa
+x2q+xPIIyL6R1Y26GowfCFi0EyRTRza06ppwTGTBnY7dFo/WoMKqVbn2hod20wTl
+JZldwPTs4L2uCK7OSZUEGOUASfJMVkrKbQmHrIZM7Hz/q+7zJP1DaAt/QTBqWruD
+4H2/Uh7gH3DPAoIBAQC9p/i1rHEWTRIX+RyD/08q08qKhMRt7nm1hZR69bpe1SPz
++D/fEX+z6aKE6xPE7o/zLdbEDVbHi0AcmK0q8E0Och9uoCAmvXgaTlJ83aSxWXeN
+451opzN4mdgRO1sWaR2FNjmeck12WdDwOl/IfP390tAQRfD3RXRNfnkFPLM32l70
+samb0FvHywPufNxmGJCf7Ucc0elvBnSKg2UWHBgtkQDvt8NFybyjNnIGz+LcNPpj
+kKyDhwl3h2uD2rywC2T+4yHvTDrK+caKDAkaBelq5iZYzWR80O0a2CSIPGqCC/JM
+brsKiVl9S5XYNormA7Im98D3m4OkebR12fEwTvFDAoIBAQCGonTBI4Mpa2E5/obv
+eNwX+Hs0oGZwdr5euYS9y9A8NaNn+B3HwPe/rXQZQ0a5zf1uS3kXHQMjS/bzjcvm
+2dqQORSqtIMbgD/Pk5B4Ac/+29lYth76wSwEgZlzNhDgOeTbGTix8K52f/JXzyI1
+bYAEjVeXuqai17YnUQ0FLk4KWAZnI4/CjIP7tuDcFUllefXMQLKPi0GU4NSiHjVb
+oGZorBPrtcaGallRAKSrcQ2wEqDfOVoIojTV1iZKxARZzjIDs3alB17glyrxSp+I
+MiSga5QzL2KJRnlm63RvA0R+4fO99Dr3b/hWZB6H/xRmCMQv275FRpVF2Hi8g2Fq
+6tr5AoIBAQDH31/WmdsBsKvpdjLBQcjIcbv/aYgQgEIhSoUkfPK/Hq2GW2vJutOJ
+V0IUWZKGwk/NZfB2Wi6lajqJBiDFdN8c3HNznj4WlOyOD2Z3LpVmfc8vJyaPeV/d
+rCc3UsFRDp+Fu3QeTyzlIieOT5N7KYI31U/iSiV27+zBcHuigZvTmNd6QaRYiygd
+J3f/NghVcNPOLhwykhf8m3emlYcWAzyU2eprYGhkpkSM/+o38qRG3AZGWTZV1T1d
+hZP5ts6s3H2rqwM8ljco0YFAcbGSTutrXXD0jxzqcRTgI4nhUDy82A0tg4BLrGuV
+InJUrZvi2SewLbqRM6VqYRNUJFIdHkUM
+-----END PRIVATE KEY-----
diff --git a/tests/data/multicert/example.org/cert.pem b/tests/data/multicert/example.org/cert.pem
new file mode 100644
index 0000000..c6638b8
--- /dev/null
+++ b/tests/data/multicert/example.org/cert.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFEjCCAvqgAwIBAgIUfZVNYuF33/AJqeSsnS5rRwozd5UwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKZXhhbXBsZSBDQTAeFw0yMTAzMDMxNzI1MjRaFw0zMTAz
+MDExNzI1MjRaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEUMBIGA1UEBwwL
+UGxheWEgVmlzdGExDTALBgNVBAoMBElBTkExFDASBgNVBAMMC2V4YW1wbGUub3Jn
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA06+1Ae1TNlSNsh+UIyzb
+3I4d6RAzNbk0H6xpyvYkj7xq/RvyeTjCJRqPIdbQcG5xbWdTYxLUUCcVAbti6Pmc
+SGE7PbBBZshNNNvfUG1umApxMKCF61xVU4m9zUJ/znAfoRzvYbIz6XOkRedBl79r
+kiMfX6AWCdyS5LDBBCKDzTCxDQIjUTzbX41LmHs32+pKXxyfQAkn7p9YJkCWnEyg
+CaMh+fpdQ2SfIRgozn2Qs2egfWtz7IkWTKfCV5b6LKuNFf9Umn/BIqKbKJoto7KZ
+ufD6XUygri5xhpgr2NNvkkV2DX4JZ4L0PgSemUkboWs72+uuhL9qEQXfX3esUcQm
+jUMPkCA1kg2ZPSACtUOWlYrkzTTQSex+XYhSjdlcmcthwGS7SZCerllQ/tEhZhed
+aQ1VYnXkYn1/WUivj/DIsGrXbf4PerSsbEBVf7B5Keg4e6rA8ULx9ZkT5Z85ensS
+KX/cz/Orf/Al4ehKyDqRucpWkQPnRxT+wM/hgNXH/s1ufDuiTqVJoJt0rtuCWxjz
+0l+KbQkOt9tjfTrIF/LQADkoUUt/PvRX12AVH9Zndffh3mlQwM6tFuisAg0XIjSH
+AlB7hIawywCo36dAZjzq4IRieFVYSyXLE1aTm9glZSKM0KSUVfpIeCgKYUjlCayP
+fiQhqWmIA7qxpqeM5WJBt9sCAwEAAaMaMBgwFgYDVR0RBA8wDYILZXhhbXBsZS5v
+cmcwDQYJKoZIhvcNAQELBQADggIBAExu3Kgf8bmNO706rq8Efubre8KBxx4rvUu3
+nPsfqPZFCIsupYZdZRWOinSP1LmdkOYhN0LCSZ+YvEqU1WCfM8kdGzBqCdq+mDu9
+OC7jfI//MlRbUUcnGnujI+6bNWhV+aT/Hplg4bBJAgyTszd4aWTWQgTXUaBkJFSb
+pIMUvBJH4k0VHON4JexaE93e6TQXh1f3sMU7ypEx7Ub5T3WLh94b6NHm9eNR9FkL
+pGmBlKwML0YJzzRg9sE/vz4PWqoMa673dnnauj/mugTO96GW4paUBgJsvoUM2jZu
+FOzRYVXQbfTK7GM+pc1dxUTg3GzHT/UTCXazXZUJyL+NEP0+RFNp5eU/3l4Ra0gf
+fOV+WrKp+RqL5hIrNp/b9f95pQlkNIfi/iosG7sqGHkLp4REm934wsvMjN2DFE1l
+jG5W0AgAT8y9dA8Neb9B5jYVuuo5u2jdQLFowQqgpvR2MNcqkdhroepJf1pALWoY
+1OYOmV1QRLh/LjQ1v75e3aHIcUYbm3AkVbliyLCpVB1ijWhIP5qOb1I2Gc9LPnLN
+ovneqby+tntKA4WJuUTyi8/OVJbZ6/QvGYJ7JvycUYi6JQb3+gzsVzPN+/oU0lRe
+dCSzZXsOdh5tkg4m2FWm9gi/xz3lNNTeFldW+ZLsT+MvX27MNrCShMsoP7J9uRU3
+x2Ehf7/D
+-----END CERTIFICATE-----
diff --git a/tests/data/multicert/example.org/key.rsa b/tests/data/multicert/example.org/key.rsa
new file mode 100644
index 0000000..92905c2
--- /dev/null
+++ b/tests/data/multicert/example.org/key.rsa
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDTr7UB7VM2VI2y
+H5QjLNvcjh3pEDM1uTQfrGnK9iSPvGr9G/J5OMIlGo8h1tBwbnFtZ1NjEtRQJxUB
+u2Lo+ZxIYTs9sEFmyE00299QbW6YCnEwoIXrXFVTib3NQn/OcB+hHO9hsjPpc6RF
+50GXv2uSIx9foBYJ3JLksMEEIoPNMLENAiNRPNtfjUuYezfb6kpfHJ9ACSfun1gm
+QJacTKAJoyH5+l1DZJ8hGCjOfZCzZ6B9a3PsiRZMp8JXlvosq40V/1Saf8Eiopso
+mi2jspm58PpdTKCuLnGGmCvY02+SRXYNfglngvQ+BJ6ZSRuhazvb666Ev2oRBd9f
+d6xRxCaNQw+QIDWSDZk9IAK1Q5aViuTNNNBJ7H5diFKN2VyZy2HAZLtJkJ6uWVD+
+0SFmF51pDVVideRifX9ZSK+P8Miwatdt/g96tKxsQFV/sHkp6Dh7qsDxQvH1mRPl
+nzl6exIpf9zP86t/8CXh6ErIOpG5ylaRA+dHFP7Az+GA1cf+zW58O6JOpUmgm3Su
+24JbGPPSX4ptCQ6322N9OsgX8tAAOShRS38+9FfXYBUf1md19+HeaVDAzq0W6KwC
+DRciNIcCUHuEhrDLAKjfp0BmPOrghGJ4VVhLJcsTVpOb2CVlIozQpJRV+kh4KAph
+SOUJrI9+JCGpaYgDurGmp4zlYkG32wIDAQABAoICAAIjZjqswQhtdjj0ZLSuQVJL
+BTZTeZDzW/lt7mukbN4e0x3XaG2dCykAya1X1Cculmq6fncju41Lt8SatfcQfmmk
+wcpvu1lkcJM2HV1cnZ9fi6EoHfIwrpP3cjlekJfvPgKMnkZoXGnhRymFmn4D6vxA
+6pI2tcJHvhwdRPXbu2UZNtCg0uaBLN4cOUVDCV9pUHMBgQJOlV6tsWBBisPtajhu
+s2spAkQqAgl9ivv6/LkzNMXPjg43nEgN8cKcvc4xtW0hdSNSYwsMhXC1jfx3U2Iz
+cvP6UC0yPudTJi48hIX/uZ+NRF8NTZZKyadWu7a3tJUWHl8s589gNc9rEAyLZLBH
+5oHo+/+Fcn2+e6KDq23RzcMvcL9WlSbi9EOkTMZadLD2cC0dPQtvfxTo4iP2KMBS
+S4z0fesxQ34gXlu53wwp7gR7cw0rjnF6W1Jzr6V7AT9Cohztldn67TBfL6p3PAZx
+yjMx0v1QhPrz4u/W6t9KJ+z8ppvCzfUcFUXqxEB61SA7Hrwbw7tx3aYac7Y7x7ma
+JZpoxW2bn1CDUkaa0pPNKhtQCETA+nUWMPUyE+TQ/i7tKzPkifg3ROUEiYNQeB37
+fljsWOeXjP2J4nnwJpuE8vUbIXGXFnDHLIbK6uQDqQdCuNiXLa2oEXF5cAs0Ccvu
+9/B3P3QugHGlxEYH0j6hAoIBAQDwoOZK44oTTkUqoCjcCqC2hxa6cHKo3ZVD7nwi
++Rro3SHPvBxXWjKrM/VnArY0m7l4YRMeagiMHBTJt0eL6Rg0kxBRiSZiFzbDEfHX
+0hfVel0TDnvqNXqCnHMnkahftwu7+N/ghRE2qw8XUSoRmJ0ilK9r8WN8yUoRq3nD
+RwIJyBQj0WCxeUcgw2IMdaVEOlwwNXsa85N6ifPRGcur8J/7D5BvEr0pryK62NIU
+EBirr8w7S8gk6KgegrzXqQSi8bdfYQXUW7GoUIGdDx+bPrA0sS/u+IJlJ3dmcBWy
+6fItkLN0q3i9gApSdC0P9rTPIfmluklc+fVOf3LQvEGqi/MzAoIBAQDhNYEJ8rSp
+2lzmKCghMB4eAIVJrOGT36JUMAUeo2+2zYuVVGzet3YOlxRBfwl8o+q65q2uiSsU
+sypA6MclJ4ItsHwLD8HpjE0n4QSP6egOmB6jimkWsdIuw4NWYlkbKoPtZ8+VAzBE
+lIzftm/PwViVf7L3PzRBsgRDFxdMcc98pf7QSeFieUJuqx/pas061MUfZb69cZ4r
+5qHqiTPgUyWQHTWXwIFPN8MW6QMcaM6lhmeBf4ieOCcoFpj1CBURapSREpl/WolQ
+YsYcv6cQ1U6lW2mfZOtZw178yEYqxMGh04pVxAGUEyCXSdAcgEJFc7c+QnhW1W5X
+2G3DgppmZSi5AoIBAQC6kEV9MsXPChReZCbJ1AOfAUYB70U23/Xm4XSluPXALhMU
++QgQQgKe8n4GC/gw+bvnNXyZTCSsXOlRLCTwuRznRk6UqP11eAIhZDxZ1K5d+a1I
+JSa2BBikQ6CUwT4GV+llKCSL8x/RfvcIYQl48xaBxT3tNw6npXkkEgsp+FgANXxH
++QI7F4iqQlI2ztAAAi+PwSddUhS6IVNEf/eFq96dzQdy1tiLBRqsO4dFvuUh1/9E
+yhC3bRtL7Jl1q7nIjBhcfuECMMWhdinIF/2tZAFCGU7MvSh8PQk6BxULzo7R/Srl
+/jxy0F8wZpq5kdHF9tWURMa0q6gh4HaomA1hqXg5AoIBAFHPPNvfRc+52itlhQZh
+U190svaLjbpI79ADTajOmCNg0Ybij1XscT9llF8ihdC4Pum8KHWRsIupdfz0Untl
+ub1dMgJWrAtqAxEshZq9zqWWjvK7secjm4WPUmOMAHCE5j3UiyzHZr5S9EXEISPo
+SYStSdbVJ+eBgljYx4bmhQfzyPfjDrPV9tL66PHC8WCgsCbyr/JjlqC9/C2Vv7mK
+mseaRMCmlpKvX/gvlwi37fFlPK5nJLrNDTRb2R6R3A1imSuGBSqlOeJwryT8XfUY
+d6RL67eSUoheF2BeZFbe+LQPg14agLRIqnsqviXMVcai/XrpbIumppnUrjLqe6oc
+r0kCggEAGHcAznWzia75hu6LYD+dxqeMxCkBYiaO4p4sJPKkJ6v9ydEFFBC8YakT
+rbHrrRRdLCh4m0lRNb0pNmgRVwFr6Qklivn2s0IgqwlGuTKWJZX9DE+XbpvgUkJg
+L6ykeUVmg5xIqvqMnDI2sEOiqMqNi/Jcjo4SIOmCkkY9JClIB0wnJQKwb4NIAzhX
+KlJKFVpi5319/hqK42U73uNLx82ovUf3vOLMg7hq38mMBQ/zY3XNbafHTnGba6k4
+CX3+tamjFXYa764LFfRGDMEfObj//xNc8mzgeriHvnXq2wKiUQFhL2eWctzoCc0U
+qfiBmJzFlawFcVPsqJ+vKe8KGEXNQw==
+-----END PRIVATE KEY-----
diff --git a/tests/tests.rs b/tests/tests.rs
index 73252e7..18fdff5 100644
--- a/tests/tests.rs
+++ b/tests/tests.rs
@@ -1,3 +1,4 @@
+use anyhow::anyhow;
 use gemini_fetch::{Header, Page, Status};
 use std::io::Read;
 use std::net::{SocketAddr, ToSocketAddrs};
@@ -19,6 +20,8 @@ fn addr(port: u16) -> SocketAddr {
 struct Server {
     server: std::process::Child,
     buf: u8,
+    // is set when output is collected by stop()
+    output: Option<Result<(), String>>,
 }
 
 impl Server {
@@ -44,17 +47,20 @@ impl Server {
         Self {
             server,
             buf: buffer[0],
+            output: None,
         }
     }
-}
 
-impl Drop for Server {
-    fn drop(&mut self) {
-        // try to stop the server again
-        match self.server.try_wait() {
-            Err(e) => panic!("cannot access orchestrated program: {:?}", e),
+    pub fn stop(&mut self) -> Result<(), String> {
+        // try to stop the server
+        if let Some(output) = self.output.clone() {
+            return output;
+        }
+
+        self.output = Some(match self.server.try_wait() {
+            Err(e) => Err(format!("cannot access orchestrated program: {:?}", e)),
             // everything fine, still running as expected, kill it now
-            Ok(None) => self.server.kill().unwrap(),
+            Ok(None) => Ok(self.server.kill().unwrap()),
             Ok(Some(_)) => {
                 // forward stderr so we have a chance to understand the problem
                 let buffer = std::iter::once(Ok(self.buf))
@@ -62,23 +68,37 @@ impl Drop for Server {
                     .collect::<Result<Vec<u8>, _>>()
                     .unwrap();
 
-                eprintln!("{}", String::from_utf8_lossy(&buffer));
-                // make the test fail
-                panic!("program had crashed");
+                Err(String::from_utf8_lossy(&buffer).into_owned())
             }
+        });
+        return self.output.clone().unwrap();
+    }
+}
+
+impl Drop for Server {
+    fn drop(&mut self) {
+        if self.output.is_none() && !std::thread::panicking() {
+            // a potential error message was not yet handled
+            self.stop().unwrap();
+        } else if self.output.is_some() {
+            // error was already handled, ignore it
+            self.stop().unwrap_or(());
+        } else {
+            // we are panicking and a potential error was not handled
+            self.stop().unwrap_or_else(|e| eprintln!("{:?}", e));
         }
     }
 }
 
 fn get(args: &[&str], addr: SocketAddr, url: &str) -> Result<Page, anyhow::Error> {
-    let _server = Server::new(args);
+    let mut server = Server::new(args);
 
     // actually perform the request
     let page = tokio::runtime::Runtime::new()
         .unwrap()
         .block_on(async { Page::fetch_from(&Url::parse(url).unwrap(), addr, None).await });
 
-    page
+    server.stop().map_err(|e| anyhow!(e)).and(page)
 }
 
 #[test]
@@ -298,65 +318,161 @@ fn explicit_tls_version() {
     tls.read(&mut buf).unwrap();
 }
 
-#[test]
-/// - simple vhosts are enabled when multiple hostnames are supplied
-/// - the vhosts access the correct files
-fn vhosts_example_com() {
-    let page = get(
-        &[
-            "--addr",
-            "[::]:1977",
-            "--hostname",
-            "example.com",
-            "--hostname",
-            "example.org",
-        ],
-        addr(1977),
-        "gemini://example.com/",
-    )
-    .expect("could not get page");
+mod vhosts {
+    use super::*;
 
-    assert_eq!(page.header.status, Status::Success);
-
-    assert_eq!(
-        page.body,
-        Some(
-            std::fs::read_to_string(concat!(
-                env!("CARGO_MANIFEST_DIR"),
-                "/tests/data/content/example.com/index.gmi"
-            ))
-            .unwrap()
+    #[test]
+    /// - simple vhosts are enabled when multiple hostnames are supplied
+    /// - the vhosts access the correct files
+    fn example_com() {
+        let page = get(
+            &[
+                "--addr",
+                "[::]:1977",
+                "--hostname",
+                "example.com",
+                "--hostname",
+                "example.org",
+            ],
+            addr(1977),
+            "gemini://example.com/",
         )
-    );
+        .expect("could not get page");
+
+        assert_eq!(page.header.status, Status::Success);
+
+        assert_eq!(
+            page.body,
+            Some(
+                std::fs::read_to_string(concat!(
+                    env!("CARGO_MANIFEST_DIR"),
+                    "/tests/data/content/example.com/index.gmi"
+                ))
+                .unwrap()
+            )
+        );
+    }
+
+    #[test]
+    /// - the vhosts access the correct files
+    fn example_org() {
+        let page = get(
+            &[
+                "--addr",
+                "[::]:1978",
+                "--hostname",
+                "example.com",
+                "--hostname",
+                "example.org",
+            ],
+            addr(1978),
+            "gemini://example.org/",
+        )
+        .expect("could not get page");
+
+        assert_eq!(page.header.status, Status::Success);
+
+        assert_eq!(
+            page.body,
+            Some(
+                std::fs::read_to_string(concat!(
+                    env!("CARGO_MANIFEST_DIR"),
+                    "/tests/data/content/example.org/index.gmi"
+                ))
+                .unwrap()
+            )
+        );
+    }
 }
 
-#[test]
-/// - the vhosts access the correct files
-fn vhosts_example_org() {
-    let page = get(
-        &[
-            "--addr",
-            "[::]:1978",
-            "--hostname",
-            "example.com",
-            "--hostname",
-            "example.org",
-        ],
-        addr(1978),
-        "gemini://example.org/",
-    )
-    .expect("could not get page");
+mod multicert {
+    use super::*;
 
-    assert_eq!(page.header.status, Status::Success);
+    #[test]
+    fn cert_missing() {
+        let mut server = Server::new(&["--addr", "[::]:1979", "--certs", "cert_missing"]);
 
-    assert_eq!(
-        page.body,
-        Some(
-            std::fs::read_to_string(concat!(
+        // wait for the server to stop, it should crash
+        let _ = server.server.wait();
+
+        assert!(server
+            .stop()
+            .unwrap_err()
+            .to_string()
+            .contains("certificate file for fallback is missing"));
+    }
+
+    #[test]
+    fn key_missing() {
+        let mut server = Server::new(&["--addr", "[::]:1980", "--certs", "key_missing"]);
+
+        // wait for the server to stop, it should crash
+        let _ = server.server.wait();
+
+        assert!(server
+            .stop()
+            .unwrap_err()
+            .to_string()
+            .contains("key file for fallback is missing"));
+    }
+
+    #[test]
+    fn example_com() {
+        use rustls::ClientSession;
+        use std::io::{Cursor, Write};
+        use std::net::TcpStream;
+
+        let mut server = Server::new(&["--addr", "[::]:1981", "--certs", "multicert"]);
+
+        let mut config = rustls::ClientConfig::new();
+        config
+            .root_store
+            .add_pem_file(&mut Cursor::new(include_bytes!(concat!(
                 env!("CARGO_MANIFEST_DIR"),
-                "/tests/data/content/example.org/index.gmi"
-            ))
-            .unwrap()
-        )
-    );
+                "/tests/data/multicert/ca_cert.pem"
+            ))))
+            .unwrap();
+
+        let dns_name = webpki::DNSNameRef::try_from_ascii_str("example.com").unwrap();
+        let mut session = ClientSession::new(&std::sync::Arc::new(config), dns_name);
+        let mut tcp = TcpStream::connect(addr(1981)).unwrap();
+        let mut tls = rustls::Stream::new(&mut session, &mut tcp);
+
+        write!(tls, "gemini://example.com/\r\n").unwrap();
+
+        let mut buf = [0; 10];
+        tls.read(&mut buf).unwrap();
+
+        server.stop().unwrap()
+    }
+
+    #[test]
+    fn example_org() {
+        use rustls::ClientSession;
+        use std::io::{Cursor, Write};
+        use std::net::TcpStream;
+
+        let mut server = Server::new(&["--addr", "[::]:1982", "--certs", "multicert"]);
+
+        let mut config = rustls::ClientConfig::new();
+        config
+            .root_store
+            .add_pem_file(&mut Cursor::new(include_bytes!(concat!(
+                env!("CARGO_MANIFEST_DIR"),
+                "/tests/data/multicert/ca_cert.pem"
+            ))))
+            .unwrap();
+
+        let dns_name = webpki::DNSNameRef::try_from_ascii_str("example.org").unwrap();
+        let mut session = ClientSession::new(&std::sync::Arc::new(config), dns_name);
+        let mut tcp = TcpStream::connect(addr(1982)).unwrap();
+        let mut tls = rustls::Stream::new(&mut session, &mut tcp);
+
+        write!(tls, "gemini://example.org/\r\n").unwrap();
+
+        let mut buf = [0; 10];
+        tls.read(&mut buf).unwrap();
+
+        server.stop().unwrap()
+    }
 }