b.rootCertBytes = copyBytes(rootCertBytes)
	// cert and privKey are always reset to point to new addresses. This avoids modifying the pointed structs that
	// could be still used outside of the class.
	b.cert, _ = ParsePemEncodedCertificate(certBytes)
	privKey, _ := ParsePemEncodedKey(privKeyBytes)
	b.privKey = &privKey
	b.mutex.Unlock()
}

// CertOptions returns the certificate config based on currently stored cert.

			pem:           certRSA,
		},
		"Parse ECDSA certificate": {
			publicKeyAlgo: x509.ECDSA,
			pem:           certECDSA,
		},
	}

	for id, c := range testCases {
		cert, err := ParsePemEncodedCertificate([]byte(c.pem))
		if c.errMsg != "" {
			if err == nil {
				t.Errorf("%s: no error is returned", id)
			} else if c.errMsg != err.Error() {

		IsSelfSigned: true,
		TTL:          time.Hour,
		RSAKeySize:   2048,
	})
	if err != nil {
		t.Errorf("failed to gen root cert for Citadel self signed cert %v", err)
	}

	rootCert, err := ParsePemEncodedCertificate(rootCertBytes)
	if err != nil {
		t.Errorf("failed to parsing pem for root cert %v", err)
	}

	rootKey, err := ParsePemEncodedKey(rootKeyBytes)
	if err != nil {

			}, retry.Timeout(10*time.Second))

			close(stop)
			if err != nil {
				t.Fatalf("expect certRotated is %v while actual certRotated is %v", tt.certRotated, certRotated)
			}
			cert, certErr := util.ParsePemEncodedCertificate(rotatedCertBytes)
			if certErr != nil {
				t.Fatalf("rotated cert is not valid")
			}
			currTime := time.Now()
			timeToExpire := cert.NotAfter.Sub(currTime)
			if timeToExpire < 0 {