}
	defer os.RemoveAll(tmpdir)

	rootCert2, rootKey2, err := NewCertificateAuthority(&CertConfig{
		Config: certutil.Config{CommonName: "Root CA 2"},
	})
	if err != nil {
		t.Errorf("failed to create root CA cert and key with an error: %v", err)
	}

	intCert2, intKey2, err := NewIntermediateCertificateAuthority(rootCert2, rootKey2, &CertConfig{
		Config: certutil.Config{

	rootCert, err := util.ParsePemEncodedCertificate(rootCertBytes)
	if err != nil {
		t.Error(err)
	}
	// Root cert and siging cert are the same for self-signed CA.
	if !rootCert.Equal(signingCert) {
		t.Error("CA root cert does not match signing cert")
	}

	if ttl := rootCert.NotAfter.Sub(rootCert.NotBefore); ttl != caCertTTL {

	defer cancel()
	if err := b.RetryWithContext(ctx, certValid); err != nil {
		return nil, err
	}

	// Set the rootCert only if it is workload root cert.
	if workload {
		sc.cache.SetRoot(rootCert)
	}
	return &security.SecretItem{
		ResourceName: resourceName,
		RootCert:     rootCert,
	}, nil
}

// Generate a key and certificate item from the existing key certificate files from the passed in file paths.

			rootCerts, err := util.AppendRootCerts(caSecret.Data[CACertFile], rotator.config.rootCertFile)
			if err != nil {
				rootCertRotatorLog.Errorf("failed to append root certificates from file: %s", err.Error())
				return
			}

			if err := rotator.ca.GetCAKeyCertBundle().VerifyAndSetAll(caSecret.Data[CACertFile],
				caSecret.Data[CAPrivateKeyFile], nil, rootCerts); err != nil {

			}

			rootCerts, err := util.AppendRootCerts(pemCert, rootCertFile)
			if err != nil {
				pkiCaLog.Warnf("failed to append root certificates (%v)", err)
				return fmt.Errorf("failed to append root certificates (%v)", err)
			}
			if caOpts.KeyCertBundle, err = util.NewVerifiedKeyCertBundleFromPem(pemCert, pemKey, nil, rootCerts); err != nil {

	if expectedSecret.ResourceName == security.RootCertReqResourceName || (ok && cfg.IsRootCertificate()) {
		if !bytes.Equal(expectedSecret.RootCert, gotSecret.RootCert) {
			t.Fatalf("root cert: expected %v but got %v", expectedSecret.RootCert,
				gotSecret.RootCert)
		}
	} else {
		if !bytes.Equal(expectedSecret.CertificateChain, gotSecret.CertificateChain) {

			CredFetcher: plugin.CreateTokenPlugin("testdata/token"),
			ProvCert:    certDir,
		}
		rootCert := path.Join(certDir, constants.RootCertFilename)
		key := path.Join(certDir, constants.KeyFilename)
		cert := path.Join(certDir, constants.CertChainFilename)
		tlsOpts := &TLSOptions{
			RootCert: rootCert,
			Key:      key,
			Cert:     cert,
		}
		cli, err := NewCitadelClient(opts, tlsOpts)
		if err != nil {

			SignedCert:    []byte("cert"),
			KeyCertBundle: util.NewKeyCertBundleFromPem(nil, nil, []byte("cert_chain"), []byte("root_cert")),
		},
		Authenticators: []security.Authenticator{auth},
		monitoring:     newMonitoringMetrics(),
	}
	mockCertChain := []string{"cert", "cert_chain", "root_cert"}
	mockIPAddr := &net.IPAddr{IP: net.IPv4(192, 168, 1, 1)}
	testCerts := map[string]struct {
		certChain    [][]*x509.Certificate

	s.t.Helper()
	s.store.Set(name, secret)
	s.server.OnSecretUpdate(name)
}

type Expectation struct {
	ResourceName string
	CertChain    []byte
	Key          []byte
	RootCert     []byte
}

func (s *TestServer) extractPrivateKeyProvider(provider *tlsv3.PrivateKeyProvider) []byte {
	var cmb cryptomb.CryptoMbPrivateKeyMethodConfig
	provider.GetTypedConfig().UnmarshalTo(&cmb)

	XDSSAN string

	// XDSRootCAFile explicitly set the root CA to be used for the XDS connection.
	// Mirrors Envoy file.
	XDSRootCAFile string

	// RootCert contains the XDS root certificate. Used mainly for tests, apps will normally use
	// XDSRootCAFile
	RootCert []byte

	// InsecureSkipVerify skips client verification the server's certificate chain and host name.
	InsecureSkipVerify bool