if err != nil {
		t.Fatalf("failed to parse certificate: %s", err)
	}

	want := []string{
		"http://epscd.catcert.net/crl/ec-acc.crl",
		"http://epscd2.catcert.net/crl/ec-acc.crl",
	}
	if got := cert.CRLDistributionPoints; !reflect.DeepEqual(got, want) {
		t.Errorf("CRL distribution points = %#v, want #%v", got, want)
	}
}

			},
		},
		{
			name: "mesh SDS enabled, tls mode ISTIO_MUTUAL, CRL specified",
			server: &networking.Server{
				Hosts: []string{"httpbin.example.com"},
				Port: &networking.Port{
					Protocol: string(protocol.HTTPS),
				},
				Tls: &networking.ServerTLSSettings{
					Mode:  networking.ServerTLSSettings_ISTIO_MUTUAL,
					CaCrl: "/custom/path/to/crl.pem",
				},
			},
			result: &auth.DownstreamTlsContext{

			},
			"requires a private key", "not-a-cipher-suite",
		},
		{
			"crl specified for SIMPLE TLS",
			&networking.ServerTLSSettings{
				Mode:  networking.ServerTLSSettings_SIMPLE,
				CaCrl: "crl",
			},
			"CRL is not supported with SIMPLE TLS", "",
		},
		{
			"crl specified for CredentialName",
			&networking.ServerTLSSettings{

		}
	}
	if tls.CaCrl != "" {
		if tls.CredentialName != "" {
			v = AppendValidation(v, fmt.Errorf("CRL is not supported with credentialName. CRL has to be specified in the credential"))
		}
		if tls.Mode == networking.ServerTLSSettings_SIMPLE {
			v = AppendValidation(v, fmt.Errorf("CRL is not supported with SIMPLE TLS"))
		}
	}
	return
}

// ValidateDestinationRule checks proxy policies

typically request: \"key encipherment\", \"digital signature\", \"server auth\".\n\nValid values are:\n \"signing\", \"digital signature\", \"content commitment\",\n \"key encipherment\", \"key agreement\", \"data encipherment\",\n \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\",\n \"server auth\", \"client auth\",\n \"code signing\", \"email protection\", \"s/mime\",\n \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\",\n \"timestamping\", \"ocsp signing\", \"microsoft...