Fixup cert package tests (#1253)

2025-11-12 00:13:59 +01:00 · 2024-10-31 15:41:52 -05:00 · 2024-10-31 15:41:52 -05:00 · f30085eab8
commit f30085eab8
parent f2c32421c4
14 changed files with 1320 additions and 816 deletions
--- a/.gitignore
+++ b/.gitignore
@ -5,7 +5,8 @@
 /nebula-darwin
 /nebula.exe
 /nebula-cert.exe
-/coverage.out
+**/coverage.out
 **/cover.out
 /cpu.pprof
 /build
 /*.tar.gz
--- a/cert/ca_pool_test.go
+++ b/cert/ca_pool_test.go
@ -1,7 +1,9 @@
 package cert
 import (
 	"net/netip"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 )
@ -10,15 +12,15 @@ func TestNewCAPoolFromBytes(t *testing.T) {
 	noNewLines := `
 # Current provisional, Remove once everything moves over to the real root.
 -----BEGIN NEBULA CERTIFICATE-----
-CkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL
+Cj4KDm5lYnVsYSByb290IGNhKM0cMM24zPCvBzogV24YEw5YiqeI/oYo8XXFsoo+
-vcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv
+PBmiOafNJhLacf9rsspAARJAz9OAnh8TKAUKix1kKVMyQU4iM3LsFfZRf6ODWXIf
-bzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB
+2qWMpB6fpd3PSoVYziPoOt2bIHIFLlgRLPJz3I3xBEdBCQ==
 -----END NEBULA CERTIFICATE-----
 # root-ca01
 -----BEGIN NEBULA CERTIFICATE-----
-CkMKEW5lYnVsYSByb290IGNhIDAxKJL2u9EFMJL86+cGOiDPXMH4oU6HZTk/CqTG
+CkEKEW5lYnVsYSByb290IGNhIDAxKM0cMM24zPCvBzogPzbWTxt8ZgXPQEwup7Br
-BVG+oJpAoqokUBbI4U0N8CSfpUABEkB/Pm5A2xyH/nc8mg/wvGUWG3pZ7nHzaDMf
+BrtIt1O0q5AuTRT3+t2x1VJAARJAZ+2ib23qBXjdy49oU1YysrwuKkWWKrtJ7Jye
-8/phAUt+FLzqTECzQKisYswKvE3pl9mbEYKbOdIHrxdIp95mo4sF
+rFBQpDXikOukhQD/mfkloFwJ+Yjsfru7IpTN4ZfjXL+kN/2sCA==
 -----END NEBULA CERTIFICATE-----
 `
@ -26,18 +28,18 @@ BVG+oJpAoqokUBbI4U0N8CSfpUABEkB/Pm5A2xyH/nc8mg/wvGUWG3pZ7nHzaDMf
 # Current provisional, Remove once everything moves over to the real root.
 -----BEGIN NEBULA CERTIFICATE-----
-CkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL
+Cj4KDm5lYnVsYSByb290IGNhKM0cMM24zPCvBzogV24YEw5YiqeI/oYo8XXFsoo+
-vcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv
+PBmiOafNJhLacf9rsspAARJAz9OAnh8TKAUKix1kKVMyQU4iM3LsFfZRf6ODWXIf
-bzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB
+2qWMpB6fpd3PSoVYziPoOt2bIHIFLlgRLPJz3I3xBEdBCQ==
 -----END NEBULA CERTIFICATE-----
 # root-ca01
 -----BEGIN NEBULA CERTIFICATE-----
-CkMKEW5lYnVsYSByb290IGNhIDAxKJL2u9EFMJL86+cGOiDPXMH4oU6HZTk/CqTG
+CkEKEW5lYnVsYSByb290IGNhIDAxKM0cMM24zPCvBzogPzbWTxt8ZgXPQEwup7Br
-BVG+oJpAoqokUBbI4U0N8CSfpUABEkB/Pm5A2xyH/nc8mg/wvGUWG3pZ7nHzaDMf
+BrtIt1O0q5AuTRT3+t2x1VJAARJAZ+2ib23qBXjdy49oU1YysrwuKkWWKrtJ7Jye
-8/phAUt+FLzqTECzQKisYswKvE3pl9mbEYKbOdIHrxdIp95mo4sF
+rFBQpDXikOukhQD/mfkloFwJ+Yjsfru7IpTN4ZfjXL+kN/2sCA==
 -----END NEBULA CERTIFICATE-----
 `
@ -45,19 +47,19 @@ BVG+oJpAoqokUBbI4U0N8CSfpUABEkB/Pm5A2xyH/nc8mg/wvGUWG3pZ7nHzaDMf
 	expired := `
 # expired certificate
 -----BEGIN NEBULA CERTIFICATE-----
-CjkKB2V4cGlyZWQouPmWjQYwufmWjQY6ILCRaoCkJlqHgv5jfDN4lzLHBvDzaQm4
+CjMKB2V4cGlyZWQozRwwzRw6ICJSG94CqX8wn5I65Pwn25V6HftVfWeIySVtp2DA
-vZxfu144hmgjQAESQG4qlnZi8DncvD/LDZnLgJHOaX1DWCHHEh59epVsC+BNgTie
+7TY/QAESQMaAk5iJT5EnQwK524ZaaHGEJLUqqbh5yyOHhboIGiVTWkFeH3HccTW8
-WH1M9n4O7cFtGlM6sJJOS+rCVVEJ3ABS7+MPdQs=
+Tq5a8AyWDQdfXbtEZ1FwabeHfH5Asw0=
 -----END NEBULA CERTIFICATE-----
 `
 	p256 := `
 # p256 certificate
 -----BEGIN NEBULA CERTIFICATE-----
-CmYKEG5lYnVsYSBQMjU2IHRlc3Qo4s+7mgYw4tXrsAc6QQRkaW2jFmllYvN4+/k2
+CmQKEG5lYnVsYSBQMjU2IHRlc3QozRwwzbjM8K8HOkEEdrmmg40zQp44AkMq6DZp
-6tctO9sPT3jOx8ES6M1nIqOhpTmZeabF/4rELDqPV4aH5jfJut798DUXql0FlF8H
+k+coOv04r+zh33ISyhbsafnYduN17p2eD7CmHvHuerguXD9f32gcxo/KsFCKEjMe
-76gvQAGgBgESRzBFAiEAib0/te6eMiZOKD8gdDeloMTS0wGuX2t0C7TFdUhAQzgC
+0ABoAYBEkcwRQIgVoTg38L7uWku9xQgsr06kxZ/viQLOO/w1Qj1vFUEnhcCIQCq
-IBNWYMep3ysx9zCgknfG5dKtwGTaqF++BWKDYdyl34KX
+75SjTiV92kv/1GcbT3wWpAZQQDBiUHVMVmh1822szA==
 -----END NEBULA CERTIFICATE-----
 `
@ -81,29 +83,477 @@ IBNWYMep3ysx9zCgknfG5dKtwGTaqF++BWKDYdyl34KX
 	p, err := NewCAPoolFromPEM([]byte(noNewLines))
 	assert.Nil(t, err)
-	assert.Equal(t, p.CAs[string("c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522")].Certificate.Name(), rootCA.details.name)
+	assert.Equal(t, p.CAs["ce4e6c7a596996eb0d82a8875f0f0137a4b53ce22d2421c9fd7150e7a26f6300"].Certificate.Name(), rootCA.details.name)
-	assert.Equal(t, p.CAs[string("5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd")].Certificate.Name(), rootCA01.details.name)
+	assert.Equal(t, p.CAs["04c585fcd9a49b276df956a22b7ebea3bf23f1fca5a17c0b56ce2e626631969e"].Certificate.Name(), rootCA01.details.name)
 	pp, err := NewCAPoolFromPEM([]byte(withNewLines))
 	assert.Nil(t, err)
-	assert.Equal(t, pp.CAs[string("c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522")].Certificate.Name(), rootCA.details.name)
+	assert.Equal(t, pp.CAs["ce4e6c7a596996eb0d82a8875f0f0137a4b53ce22d2421c9fd7150e7a26f6300"].Certificate.Name(), rootCA.details.name)
-	assert.Equal(t, pp.CAs[string("5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd")].Certificate.Name(), rootCA01.details.name)
+	assert.Equal(t, pp.CAs["04c585fcd9a49b276df956a22b7ebea3bf23f1fca5a17c0b56ce2e626631969e"].Certificate.Name(), rootCA01.details.name)
 	// expired cert, no valid certs
 	ppp, err := NewCAPoolFromPEM([]byte(expired))
 	assert.Equal(t, ErrExpired, err)
-	assert.Equal(t, ppp.CAs[string("152070be6bb19bc9e3bde4c2f0e7d8f4ff5448b4c9856b8eccb314fade0229b0")].Certificate.Name(), "expired")
+	assert.Equal(t, ppp.CAs["c39b35a0e8f246203fe4f32b9aa8bfd155f1ae6a6be9d78370641e43397f48f5"].Certificate.Name(), "expired")
 	// expired cert, with valid certs
 	pppp, err := NewCAPoolFromPEM(append([]byte(expired), noNewLines...))
 	assert.Equal(t, ErrExpired, err)
-	assert.Equal(t, pppp.CAs[string("c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522")].Certificate.Name(), rootCA.details.name)
+	assert.Equal(t, pppp.CAs["ce4e6c7a596996eb0d82a8875f0f0137a4b53ce22d2421c9fd7150e7a26f6300"].Certificate.Name(), rootCA.details.name)
-	assert.Equal(t, pppp.CAs[string("5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd")].Certificate.Name(), rootCA01.details.name)
+	assert.Equal(t, pppp.CAs["04c585fcd9a49b276df956a22b7ebea3bf23f1fca5a17c0b56ce2e626631969e"].Certificate.Name(), rootCA01.details.name)
-	assert.Equal(t, pppp.CAs[string("152070be6bb19bc9e3bde4c2f0e7d8f4ff5448b4c9856b8eccb314fade0229b0")].Certificate.Name(), "expired")
+	assert.Equal(t, pppp.CAs["c39b35a0e8f246203fe4f32b9aa8bfd155f1ae6a6be9d78370641e43397f48f5"].Certificate.Name(), "expired")
 	assert.Equal(t, len(pppp.CAs), 3)
 	ppppp, err := NewCAPoolFromPEM([]byte(p256))
 	assert.Nil(t, err)
-	assert.Equal(t, ppppp.CAs[string("a7938893ec8c4ef769b06d7f425e5e46f7a7f5ffa49c3bcf4a86b608caba9159")].Certificate.Name(), rootCAP256.details.name)
+	assert.Equal(t, ppppp.CAs["552bf7d99bec1fc775a0e4c324bf6d8f789b3078f1919c7960d2e5e0c351ee97"].Certificate.Name(), rootCAP256.details.name)
 	assert.Equal(t, len(ppppp.CAs), 1)
 }
 func TestCertificateV1_Verify(t *testing.T) {
 	ca, _, caKey, _ := NewTestCaCert(Version1, Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, nil)
 	c, _, _, _ := NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test cert", time.Now(), time.Now().Add(5*time.Minute), nil, nil, nil)
 	caPool := NewCAPool()
 	assert.NoError(t, caPool.AddCA(ca))
 	f, err := c.Fingerprint()
 	assert.Nil(t, err)
 	caPool.BlocklistFingerprint(f)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.EqualError(t, err, "certificate is in the block list")
 	caPool.ResetCertBlocklist()
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now().Add(time.Hour*1000), c)
 	assert.EqualError(t, err, "root certificate is expired")
 	assert.PanicsWithError(t, "certificate is valid before the signing certificate", func() {
 		NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test cert2", time.Time{}, time.Time{}, nil, nil, nil)
 	})
 	// Test group assertion
 	ca, _, caKey, _ = NewTestCaCert(Version1, Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{"test1", "test2"})
 	caPem, err := ca.MarshalPEM()
 	assert.Nil(t, err)
 	caPool = NewCAPool()
 	b, err := caPool.AddCAFromPEM(caPem)
 	assert.NoError(t, err)
 	assert.Empty(t, b)
 	assert.PanicsWithError(t, "certificate contained a group not present on the signing ca: bad", func() {
 		NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1", "bad"})
 	})
 	c, _, _, _ = NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test2", time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 }
 func TestCertificateV1_VerifyP256(t *testing.T) {
 	ca, _, caKey, _ := NewTestCaCert(Version1, Curve_P256, time.Now(), time.Now().Add(10*time.Minute), nil, nil, nil)
 	c, _, _, _ := NewTestCert(Version1, Curve_P256, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, nil)
 	caPool := NewCAPool()
 	assert.NoError(t, caPool.AddCA(ca))
 	f, err := c.Fingerprint()
 	assert.Nil(t, err)
 	caPool.BlocklistFingerprint(f)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.EqualError(t, err, "certificate is in the block list")
 	caPool.ResetCertBlocklist()
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now().Add(time.Hour*1000), c)
 	assert.EqualError(t, err, "root certificate is expired")
 	assert.PanicsWithError(t, "certificate is valid before the signing certificate", func() {
 		NewTestCert(Version1, Curve_P256, ca, caKey, "test", time.Time{}, time.Time{}, nil, nil, nil)
 	})
 	// Test group assertion
 	ca, _, caKey, _ = NewTestCaCert(Version1, Curve_P256, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{"test1", "test2"})
 	caPem, err := ca.MarshalPEM()
 	assert.Nil(t, err)
 	caPool = NewCAPool()
 	b, err := caPool.AddCAFromPEM(caPem)
 	assert.NoError(t, err)
 	assert.Empty(t, b)
 	assert.PanicsWithError(t, "certificate contained a group not present on the signing ca: bad", func() {
 		NewTestCert(Version1, Curve_P256, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1", "bad"})
 	})
 	c, _, _, _ = NewTestCert(Version1, Curve_P256, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1"})
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 }
 func TestCertificateV1_Verify_IPs(t *testing.T) {
 	caIp1 := mustParsePrefixUnmapped("10.0.0.0/16")
 	caIp2 := mustParsePrefixUnmapped("192.168.0.0/24")
 	ca, _, caKey, _ := NewTestCaCert(Version1, Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), []netip.Prefix{caIp1, caIp2}, nil, []string{"test"})
 	caPem, err := ca.MarshalPEM()
 	assert.Nil(t, err)
 	caPool := NewCAPool()
 	b, err := caPool.AddCAFromPEM(caPem)
 	assert.NoError(t, err)
 	assert.Empty(t, b)
 	// ip is outside the network
 	cIp1 := mustParsePrefixUnmapped("10.1.0.0/24")
 	cIp2 := mustParsePrefixUnmapped("192.168.0.1/16")
 	assert.PanicsWithError(t, "certificate contained a network assignment outside the limitations of the signing ca: 10.1.0.0/24", func() {
 		NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
 	})
 	// ip is outside the network reversed order of above
 	cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
 	cIp2 = mustParsePrefixUnmapped("10.1.0.0/24")
 	assert.PanicsWithError(t, "certificate contained a network assignment outside the limitations of the signing ca: 10.1.0.0/24", func() {
 		NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
 	})
 	// ip is within the network but mask is outside
 	cIp1 = mustParsePrefixUnmapped("10.0.1.0/15")
 	cIp2 = mustParsePrefixUnmapped("192.168.0.1/24")
 	assert.PanicsWithError(t, "certificate contained a network assignment outside the limitations of the signing ca: 10.0.1.0/15", func() {
 		NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
 	})
 	// ip is within the network but mask is outside reversed order of above
 	cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
 	cIp2 = mustParsePrefixUnmapped("10.0.1.0/15")
 	assert.PanicsWithError(t, "certificate contained a network assignment outside the limitations of the signing ca: 10.0.1.0/15", func() {
 		NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
 	})
 	// ip and mask are within the network
 	cIp1 = mustParsePrefixUnmapped("10.0.1.0/16")
 	cIp2 = mustParsePrefixUnmapped("192.168.0.1/25")
 	c, _, _, _ := NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	// Exact matches
 	c, _, _, _ = NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{caIp1, caIp2}, nil, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	// Exact matches reversed
 	c, _, _, _ = NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{caIp2, caIp1}, nil, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	// Exact matches reversed with just 1
 	c, _, _, _ = NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{caIp1}, nil, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 }
 func TestCertificateV1_Verify_Subnets(t *testing.T) {
 	caIp1 := mustParsePrefixUnmapped("10.0.0.0/16")
 	caIp2 := mustParsePrefixUnmapped("192.168.0.0/24")
 	ca, _, caKey, _ := NewTestCaCert(Version1, Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, []netip.Prefix{caIp1, caIp2}, []string{"test"})
 	caPem, err := ca.MarshalPEM()
 	assert.Nil(t, err)
 	caPool := NewCAPool()
 	b, err := caPool.AddCAFromPEM(caPem)
 	assert.NoError(t, err)
 	assert.Empty(t, b)
 	// ip is outside the network
 	cIp1 := mustParsePrefixUnmapped("10.1.0.0/24")
 	cIp2 := mustParsePrefixUnmapped("192.168.0.1/16")
 	assert.PanicsWithError(t, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.1.0.0/24", func() {
 		NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
 	})
 	// ip is outside the network reversed order of above
 	cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
 	cIp2 = mustParsePrefixUnmapped("10.1.0.0/24")
 	assert.PanicsWithError(t, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.1.0.0/24", func() {
 		NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
 	})
 	// ip is within the network but mask is outside
 	cIp1 = mustParsePrefixUnmapped("10.0.1.0/15")
 	cIp2 = mustParsePrefixUnmapped("192.168.0.1/24")
 	assert.PanicsWithError(t, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.0.1.0/15", func() {
 		NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
 	})
 	// ip is within the network but mask is outside reversed order of above
 	cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
 	cIp2 = mustParsePrefixUnmapped("10.0.1.0/15")
 	assert.PanicsWithError(t, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.0.1.0/15", func() {
 		NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
 	})
 	// ip and mask are within the network
 	cIp1 = mustParsePrefixUnmapped("10.0.1.0/16")
 	cIp2 = mustParsePrefixUnmapped("192.168.0.1/25")
 	c, _, _, _ := NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	// Exact matches
 	c, _, _, _ = NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{caIp1, caIp2}, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	// Exact matches reversed
 	c, _, _, _ = NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{caIp2, caIp1}, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	// Exact matches reversed with just 1
 	c, _, _, _ = NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{caIp1}, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 }
 func TestCertificateV2_Verify(t *testing.T) {
 	ca, _, caKey, _ := NewTestCaCert(Version2, Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, nil)
 	c, _, _, _ := NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test cert", time.Now(), time.Now().Add(5*time.Minute), nil, nil, nil)
 	caPool := NewCAPool()
 	assert.NoError(t, caPool.AddCA(ca))
 	f, err := c.Fingerprint()
 	assert.Nil(t, err)
 	caPool.BlocklistFingerprint(f)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.EqualError(t, err, "certificate is in the block list")
 	caPool.ResetCertBlocklist()
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now().Add(time.Hour*1000), c)
 	assert.EqualError(t, err, "root certificate is expired")
 	assert.PanicsWithError(t, "certificate is valid before the signing certificate", func() {
 		NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test cert2", time.Time{}, time.Time{}, nil, nil, nil)
 	})
 	// Test group assertion
 	ca, _, caKey, _ = NewTestCaCert(Version2, Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{"test1", "test2"})
 	caPem, err := ca.MarshalPEM()
 	assert.Nil(t, err)
 	caPool = NewCAPool()
 	b, err := caPool.AddCAFromPEM(caPem)
 	assert.NoError(t, err)
 	assert.Empty(t, b)
 	assert.PanicsWithError(t, "certificate contained a group not present on the signing ca: bad", func() {
 		NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1", "bad"})
 	})
 	c, _, _, _ = NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test2", time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 }
 func TestCertificateV2_VerifyP256(t *testing.T) {
 	ca, _, caKey, _ := NewTestCaCert(Version2, Curve_P256, time.Now(), time.Now().Add(10*time.Minute), nil, nil, nil)
 	c, _, _, _ := NewTestCert(Version2, Curve_P256, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, nil)
 	caPool := NewCAPool()
 	assert.NoError(t, caPool.AddCA(ca))
 	f, err := c.Fingerprint()
 	assert.Nil(t, err)
 	caPool.BlocklistFingerprint(f)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.EqualError(t, err, "certificate is in the block list")
 	caPool.ResetCertBlocklist()
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now().Add(time.Hour*1000), c)
 	assert.EqualError(t, err, "root certificate is expired")
 	assert.PanicsWithError(t, "certificate is valid before the signing certificate", func() {
 		NewTestCert(Version2, Curve_P256, ca, caKey, "test", time.Time{}, time.Time{}, nil, nil, nil)
 	})
 	// Test group assertion
 	ca, _, caKey, _ = NewTestCaCert(Version2, Curve_P256, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{"test1", "test2"})
 	caPem, err := ca.MarshalPEM()
 	assert.Nil(t, err)
 	caPool = NewCAPool()
 	b, err := caPool.AddCAFromPEM(caPem)
 	assert.NoError(t, err)
 	assert.Empty(t, b)
 	assert.PanicsWithError(t, "certificate contained a group not present on the signing ca: bad", func() {
 		NewTestCert(Version2, Curve_P256, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1", "bad"})
 	})
 	c, _, _, _ = NewTestCert(Version2, Curve_P256, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1"})
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 }
 func TestCertificateV2_Verify_IPs(t *testing.T) {
 	caIp1 := mustParsePrefixUnmapped("10.0.0.0/16")
 	caIp2 := mustParsePrefixUnmapped("192.168.0.0/24")
 	ca, _, caKey, _ := NewTestCaCert(Version2, Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), []netip.Prefix{caIp1, caIp2}, nil, []string{"test"})
 	caPem, err := ca.MarshalPEM()
 	assert.Nil(t, err)
 	caPool := NewCAPool()
 	b, err := caPool.AddCAFromPEM(caPem)
 	assert.NoError(t, err)
 	assert.Empty(t, b)
 	// ip is outside the network
 	cIp1 := mustParsePrefixUnmapped("10.1.0.0/24")
 	cIp2 := mustParsePrefixUnmapped("192.168.0.1/16")
 	assert.PanicsWithError(t, "certificate contained a network assignment outside the limitations of the signing ca: 10.1.0.0/24", func() {
 		NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
 	})
 	// ip is outside the network reversed order of above
 	cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
 	cIp2 = mustParsePrefixUnmapped("10.1.0.0/24")
 	assert.PanicsWithError(t, "certificate contained a network assignment outside the limitations of the signing ca: 10.1.0.0/24", func() {
 		NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
 	})
 	// ip is within the network but mask is outside
 	cIp1 = mustParsePrefixUnmapped("10.0.1.0/15")
 	cIp2 = mustParsePrefixUnmapped("192.168.0.1/24")
 	assert.PanicsWithError(t, "certificate contained a network assignment outside the limitations of the signing ca: 10.0.1.0/15", func() {
 		NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
 	})
 	// ip is within the network but mask is outside reversed order of above
 	cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
 	cIp2 = mustParsePrefixUnmapped("10.0.1.0/15")
 	assert.PanicsWithError(t, "certificate contained a network assignment outside the limitations of the signing ca: 10.0.1.0/15", func() {
 		NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
 	})
 	// ip and mask are within the network
 	cIp1 = mustParsePrefixUnmapped("10.0.1.0/16")
 	cIp2 = mustParsePrefixUnmapped("192.168.0.1/25")
 	c, _, _, _ := NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	// Exact matches
 	c, _, _, _ = NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{caIp1, caIp2}, nil, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	// Exact matches reversed
 	c, _, _, _ = NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{caIp2, caIp1}, nil, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	// Exact matches reversed with just 1
 	c, _, _, _ = NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{caIp1}, nil, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 }
 func TestCertificateV2_Verify_Subnets(t *testing.T) {
 	caIp1 := mustParsePrefixUnmapped("10.0.0.0/16")
 	caIp2 := mustParsePrefixUnmapped("192.168.0.0/24")
 	ca, _, caKey, _ := NewTestCaCert(Version2, Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, []netip.Prefix{caIp1, caIp2}, []string{"test"})
 	caPem, err := ca.MarshalPEM()
 	assert.Nil(t, err)
 	caPool := NewCAPool()
 	b, err := caPool.AddCAFromPEM(caPem)
 	assert.NoError(t, err)
 	assert.Empty(t, b)
 	// ip is outside the network
 	cIp1 := mustParsePrefixUnmapped("10.1.0.0/24")
 	cIp2 := mustParsePrefixUnmapped("192.168.0.1/16")
 	assert.PanicsWithError(t, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.1.0.0/24", func() {
 		NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
 	})
 	// ip is outside the network reversed order of above
 	cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
 	cIp2 = mustParsePrefixUnmapped("10.1.0.0/24")
 	assert.PanicsWithError(t, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.1.0.0/24", func() {
 		NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
 	})
 	// ip is within the network but mask is outside
 	cIp1 = mustParsePrefixUnmapped("10.0.1.0/15")
 	cIp2 = mustParsePrefixUnmapped("192.168.0.1/24")
 	assert.PanicsWithError(t, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.0.1.0/15", func() {
 		NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
 	})
 	// ip is within the network but mask is outside reversed order of above
 	cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
 	cIp2 = mustParsePrefixUnmapped("10.0.1.0/15")
 	assert.PanicsWithError(t, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.0.1.0/15", func() {
 		NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
 	})
 	// ip and mask are within the network
 	cIp1 = mustParsePrefixUnmapped("10.0.1.0/16")
 	cIp2 = mustParsePrefixUnmapped("192.168.0.1/25")
 	c, _, _, _ := NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	// Exact matches
 	c, _, _, _ = NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{caIp1, caIp2}, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	// Exact matches reversed
 	c, _, _, _ = NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{caIp2, caIp1}, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	// Exact matches reversed with just 1
 	c, _, _, _ = NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{caIp1}, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 }
--- a/cert/cert_test.go
+++ b/cert/cert_test.go
@ -1,695 +0,0 @@
 package cert
 import (
 	"crypto/ecdh"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"fmt"
 	"io"
 	"net/netip"
 	"testing"
 	"time"
 	"github.com/slackhq/nebula/test"
 	"github.com/stretchr/testify/assert"
 	"golang.org/x/crypto/curve25519"
 	"golang.org/x/crypto/ed25519"
 )
 func TestMarshalingNebulaCertificate(t *testing.T) {
 	before := time.Now().Add(time.Second * -60).Round(time.Second)
 	after := time.Now().Add(time.Second * 60).Round(time.Second)
 	pubKey := []byte("1234567890abcedfghij1234567890ab")
 	nc := certificateV1{
 		details: detailsV1{
 			name: "testing",
 			networks: []netip.Prefix{
 				mustParsePrefixUnmapped("10.1.1.1/24"),
 				mustParsePrefixUnmapped("10.1.1.2/16"),
 			},
 			unsafeNetworks: []netip.Prefix{
 				mustParsePrefixUnmapped("9.1.1.2/24"),
 				mustParsePrefixUnmapped("9.1.1.3/16"),
 			},
 			groups:    []string{"test-group1", "test-group2", "test-group3"},
 			notBefore: before,
 			notAfter:  after,
 			publicKey: pubKey,
 			isCA:      false,
 			issuer:    "1234567890abcedfghij1234567890ab",
 		},
 		signature: []byte("1234567890abcedfghij1234567890ab"),
 	}
 	b, err := nc.Marshal()
 	assert.Nil(t, err)
 	//t.Log("Cert size:", len(b))
 	nc2, err := unmarshalCertificateV1(b, nil)
 	assert.Nil(t, err)
 	assert.Equal(t, nc.signature, nc2.Signature())
 	assert.Equal(t, nc.details.name, nc2.Name())
 	assert.Equal(t, nc.details.notBefore, nc2.NotBefore())
 	assert.Equal(t, nc.details.notAfter, nc2.NotAfter())
 	assert.Equal(t, nc.details.publicKey, nc2.PublicKey())
 	assert.Equal(t, nc.details.isCA, nc2.IsCA())
 	assert.Equal(t, nc.details.networks, nc2.Networks())
 	assert.Equal(t, nc.details.unsafeNetworks, nc2.UnsafeNetworks())
 	assert.Equal(t, nc.details.groups, nc2.Groups())
 }
 //func TestNebulaCertificate_Sign(t *testing.T) {
 //	before := time.Now().Add(time.Second * -60).Round(time.Second)
 //	after := time.Now().Add(time.Second * 60).Round(time.Second)
 //	pubKey := []byte("1234567890abcedfghij1234567890ab")
 //
 //	nc := certificateV1{
 //		details: detailsV1{
 //			Name: "testing",
 //			Ips: []netip.Prefix{
 //				mustParsePrefixUnmapped("10.1.1.1/24"),
 //				mustParsePrefixUnmapped("10.1.1.2/16"),
 //				//TODO: netip cant do it
 //				//{IP: net.ParseIP("10.1.1.3"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))},
 //			},
 //			Subnets: []netip.Prefix{
 //				//TODO: netip cant do it
 //				//{IP: net.ParseIP("9.1.1.1"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))},
 //				mustParsePrefixUnmapped("9.1.1.2/24"),
 //				mustParsePrefixUnmapped("9.1.1.3/24"),
 //			},
 //			Groups:    []string{"test-group1", "test-group2", "test-group3"},
 //			NotBefore: before,
 //			NotAfter:  after,
 //			PublicKey: pubKey,
 //			IsCA:      false,
 //			Issuer:    "1234567890abcedfghij1234567890ab",
 //		},
 //	}
 //
 //	pub, priv, err := ed25519.GenerateKey(rand.Reader)
 //	assert.Nil(t, err)
 //	assert.False(t, nc.CheckSignature(pub))
 //	assert.Nil(t, nc.Sign(Curve_CURVE25519, priv))
 //	assert.True(t, nc.CheckSignature(pub))
 //
 //	_, err = nc.Marshal()
 //	assert.Nil(t, err)
 //	//t.Log("Cert size:", len(b))
 //}
 //func TestNebulaCertificate_SignP256(t *testing.T) {
 //	before := time.Now().Add(time.Second * -60).Round(time.Second)
 //	after := time.Now().Add(time.Second * 60).Round(time.Second)
 //	pubKey := []byte("01234567890abcedfghij1234567890ab1234567890abcedfghij1234567890ab")
 //
 //	nc := certificateV1{
 //		details: detailsV1{
 //			Name: "testing",
 //			Ips: []netip.Prefix{
 //				mustParsePrefixUnmapped("10.1.1.1/24"),
 //				mustParsePrefixUnmapped("10.1.1.2/16"),
 //				//TODO: netip no can do
 //				//{IP: net.ParseIP("10.1.1.3"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))},
 //			},
 //			Subnets: []netip.Prefix{
 //				//TODO: netip bad
 //				//{IP: net.ParseIP("9.1.1.1"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))},
 //				mustParsePrefixUnmapped("9.1.1.2/24"),
 //				mustParsePrefixUnmapped("9.1.1.3/16"),
 //			},
 //			Groups:    []string{"test-group1", "test-group2", "test-group3"},
 //			NotBefore: before,
 //			NotAfter:  after,
 //			PublicKey: pubKey,
 //			IsCA:      false,
 //			Curve:     Curve_P256,
 //			Issuer:    "1234567890abcedfghij1234567890ab",
 //		},
 //	}
 //
 //	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 //	pub := elliptic.Marshal(elliptic.P256(), priv.PublicKey.X, priv.PublicKey.Y)
 //	rawPriv := priv.D.FillBytes(make([]byte, 32))
 //
 //	assert.Nil(t, err)
 //	assert.False(t, nc.CheckSignature(pub))
 //	assert.Nil(t, nc.Sign(Curve_P256, rawPriv))
 //	assert.True(t, nc.CheckSignature(pub))
 //
 //	_, err = nc.Marshal()
 //	assert.Nil(t, err)
 //	//t.Log("Cert size:", len(b))
 //}
 func TestNebulaCertificate_Expired(t *testing.T) {
 	nc := certificateV1{
 		details: detailsV1{
 			notBefore: time.Now().Add(time.Second * -60).Round(time.Second),
 			notAfter:  time.Now().Add(time.Second * 60).Round(time.Second),
 		},
 	}
 	assert.True(t, nc.Expired(time.Now().Add(time.Hour)))
 	assert.True(t, nc.Expired(time.Now().Add(-time.Hour)))
 	assert.False(t, nc.Expired(time.Now()))
 }
 func TestNebulaCertificate_MarshalJSON(t *testing.T) {
 	time.Local = time.UTC
 	pubKey := []byte("1234567890abcedfghij1234567890ab")
 	nc := certificateV1{
 		details: detailsV1{
 			name: "testing",
 			networks: []netip.Prefix{
 				mustParsePrefixUnmapped("10.1.1.1/24"),
 				mustParsePrefixUnmapped("10.1.1.2/16"),
 			},
 			unsafeNetworks: []netip.Prefix{
 				mustParsePrefixUnmapped("9.1.1.2/24"),
 				mustParsePrefixUnmapped("9.1.1.3/16"),
 			},
 			groups:    []string{"test-group1", "test-group2", "test-group3"},
 			notBefore: time.Date(1, 0, 0, 1, 0, 0, 0, time.UTC),
 			notAfter:  time.Date(1, 0, 0, 2, 0, 0, 0, time.UTC),
 			publicKey: pubKey,
 			isCA:      false,
 			issuer:    "1234567890abcedfghij1234567890ab",
 		},
 		signature: []byte("1234567890abcedfghij1234567890ab"),
 	}
 	b, err := nc.MarshalJSON()
 	assert.Nil(t, err)
 	assert.Equal(
 		t,
 		"{\"details\":{\"curve\":\"CURVE25519\",\"groups\":[\"test-group1\",\"test-group2\",\"test-group3\"],\"isCa\":false,\"issuer\":\"1234567890abcedfghij1234567890ab\",\"name\":\"testing\",\"networks\":[\"10.1.1.1/24\",\"10.1.1.2/16\"],\"notAfter\":\"0000-11-30T02:00:00Z\",\"notBefore\":\"0000-11-30T01:00:00Z\",\"publicKey\":\"313233343536373839306162636564666768696a313233343536373839306162\",\"unsafeNetworks\":[\"9.1.1.2/24\",\"9.1.1.3/16\"]},\"fingerprint\":\"3944c53d4267a229295b56cb2d27d459164c010ac97d655063ba421e0670f4ba\",\"signature\":\"313233343536373839306162636564666768696a313233343536373839306162\",\"version\":1}",
 		string(b),
 	)
 }
 func TestNebulaCertificate_Verify(t *testing.T) {
 	ca, _, caKey, err := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, nil)
 	assert.Nil(t, err)
 	c, _, _, err := newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, nil, nil)
 	assert.Nil(t, err)
 	caPool := NewCAPool()
 	assert.NoError(t, caPool.AddCA(ca))
 	f, err := c.Fingerprint()
 	assert.Nil(t, err)
 	caPool.BlocklistFingerprint(f)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.EqualError(t, err, "certificate is in the block list")
 	caPool.ResetCertBlocklist()
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now().Add(time.Hour*1000), c)
 	assert.EqualError(t, err, "root certificate is expired")
 	c, _, _, err = newTestCert(ca, caKey, time.Time{}, time.Time{}, nil, nil, nil)
 	assert.EqualError(t, err, "certificate is valid before the signing certificate")
 	// Test group assertion
 	ca, _, caKey, err = newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{"test1", "test2"})
 	assert.Nil(t, err)
 	caPem, err := ca.MarshalPEM()
 	assert.Nil(t, err)
 	caPool = NewCAPool()
 	b, err := caPool.AddCAFromPEM(caPem)
 	assert.NoError(t, err)
 	assert.Empty(t, b)
 	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1", "bad"})
 	assert.EqualError(t, err, "certificate contained a group not present on the signing ca: bad")
 	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 }
 func TestNebulaCertificate_VerifyP256(t *testing.T) {
 	ca, _, caKey, err := newTestCaCertP256(time.Now(), time.Now().Add(10*time.Minute), nil, nil, nil)
 	assert.Nil(t, err)
 	c, _, _, err := newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, nil, nil)
 	assert.Nil(t, err)
 	caPool := NewCAPool()
 	assert.NoError(t, caPool.AddCA(ca))
 	f, err := c.Fingerprint()
 	assert.Nil(t, err)
 	caPool.BlocklistFingerprint(f)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.EqualError(t, err, "certificate is in the block list")
 	caPool.ResetCertBlocklist()
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now().Add(time.Hour*1000), c)
 	assert.EqualError(t, err, "root certificate is expired")
 	c, _, _, err = newTestCert(ca, caKey, time.Time{}, time.Time{}, nil, nil, nil)
 	assert.EqualError(t, err, "certificate is valid before the signing certificate")
 	// Test group assertion
 	ca, _, caKey, err = newTestCaCertP256(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{"test1", "test2"})
 	assert.Nil(t, err)
 	caPem, err := ca.MarshalPEM()
 	assert.Nil(t, err)
 	caPool = NewCAPool()
 	b, err := caPool.AddCAFromPEM(caPem)
 	assert.NoError(t, err)
 	assert.Empty(t, b)
 	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1", "bad"})
 	assert.EqualError(t, err, "certificate contained a group not present on the signing ca: bad")
 	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 }
 func TestNebulaCertificate_Verify_IPs(t *testing.T) {
 	caIp1 := mustParsePrefixUnmapped("10.0.0.0/16")
 	caIp2 := mustParsePrefixUnmapped("192.168.0.0/24")
 	ca, _, caKey, err := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), []netip.Prefix{caIp1, caIp2}, nil, []string{"test"})
 	assert.Nil(t, err)
 	caPem, err := ca.MarshalPEM()
 	assert.Nil(t, err)
 	caPool := NewCAPool()
 	b, err := caPool.AddCAFromPEM(caPem)
 	assert.NoError(t, err)
 	assert.Empty(t, b)
 	// ip is outside the network
 	cIp1 := mustParsePrefixUnmapped("10.1.0.0/24")
 	cIp2 := mustParsePrefixUnmapped("192.168.0.1/16")
 	c, _, _, err := newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
 	assert.EqualError(t, err, "certificate contained a network assignment outside the limitations of the signing ca: 10.1.0.0/24")
 	// ip is outside the network reversed order of above
 	cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
 	cIp2 = mustParsePrefixUnmapped("10.1.0.0/24")
 	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
 	assert.EqualError(t, err, "certificate contained a network assignment outside the limitations of the signing ca: 10.1.0.0/24")
 	// ip is within the network but mask is outside
 	cIp1 = mustParsePrefixUnmapped("10.0.1.0/15")
 	cIp2 = mustParsePrefixUnmapped("192.168.0.1/24")
 	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
 	assert.EqualError(t, err, "certificate contained a network assignment outside the limitations of the signing ca: 10.0.1.0/15")
 	// ip is within the network but mask is outside reversed order of above
 	cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
 	cIp2 = mustParsePrefixUnmapped("10.0.1.0/15")
 	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
 	assert.EqualError(t, err, "certificate contained a network assignment outside the limitations of the signing ca: 10.0.1.0/15")
 	// ip and mask are within the network
 	cIp1 = mustParsePrefixUnmapped("10.0.1.0/16")
 	cIp2 = mustParsePrefixUnmapped("192.168.0.1/25")
 	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	// Exact matches
 	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{caIp1, caIp2}, nil, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	// Exact matches reversed
 	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{caIp2, caIp1}, nil, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	// Exact matches reversed with just 1
 	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{caIp1}, nil, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 }
 func TestNebulaCertificate_Verify_Subnets(t *testing.T) {
 	caIp1 := mustParsePrefixUnmapped("10.0.0.0/16")
 	caIp2 := mustParsePrefixUnmapped("192.168.0.0/24")
 	ca, _, caKey, err := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, []netip.Prefix{caIp1, caIp2}, []string{"test"})
 	assert.Nil(t, err)
 	caPem, err := ca.MarshalPEM()
 	assert.Nil(t, err)
 	caPool := NewCAPool()
 	b, err := caPool.AddCAFromPEM(caPem)
 	assert.NoError(t, err)
 	assert.Empty(t, b)
 	// ip is outside the network
 	cIp1 := mustParsePrefixUnmapped("10.1.0.0/24")
 	cIp2 := mustParsePrefixUnmapped("192.168.0.1/16")
 	c, _, _, err := newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
 	assert.EqualError(t, err, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.1.0.0/24")
 	// ip is outside the network reversed order of above
 	cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
 	cIp2 = mustParsePrefixUnmapped("10.1.0.0/24")
 	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
 	assert.EqualError(t, err, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.1.0.0/24")
 	// ip is within the network but mask is outside
 	cIp1 = mustParsePrefixUnmapped("10.0.1.0/15")
 	cIp2 = mustParsePrefixUnmapped("192.168.0.1/24")
 	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
 	assert.EqualError(t, err, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.0.1.0/15")
 	// ip is within the network but mask is outside reversed order of above
 	cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
 	cIp2 = mustParsePrefixUnmapped("10.0.1.0/15")
 	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
 	assert.EqualError(t, err, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.0.1.0/15")
 	// ip and mask are within the network
 	cIp1 = mustParsePrefixUnmapped("10.0.1.0/16")
 	cIp2 = mustParsePrefixUnmapped("192.168.0.1/25")
 	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	// Exact matches
 	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{caIp1, caIp2}, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	// Exact matches reversed
 	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{caIp2, caIp1}, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 	// Exact matches reversed with just 1
 	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{caIp1}, []string{"test"})
 	assert.Nil(t, err)
 	_, err = caPool.VerifyCertificate(time.Now(), c)
 	assert.Nil(t, err)
 }
 func TestNebulaCertificate_VerifyPrivateKey(t *testing.T) {
 	ca, _, caKey, err := newTestCaCert(time.Time{}, time.Time{}, nil, nil, nil)
 	assert.Nil(t, err)
 	err = ca.VerifyPrivateKey(Curve_CURVE25519, caKey)
 	assert.Nil(t, err)
 	_, _, caKey2, err := newTestCaCert(time.Time{}, time.Time{}, nil, nil, nil)
 	assert.Nil(t, err)
 	err = ca.VerifyPrivateKey(Curve_CURVE25519, caKey2)
 	assert.NotNil(t, err)
 	c, _, priv, err := newTestCert(ca, caKey, time.Time{}, time.Time{}, nil, nil, nil)
 	err = c.VerifyPrivateKey(Curve_CURVE25519, priv)
 	assert.Nil(t, err)
 	_, priv2 := x25519Keypair()
 	err = c.VerifyPrivateKey(Curve_CURVE25519, priv2)
 	assert.NotNil(t, err)
 }
 func TestNebulaCertificate_VerifyPrivateKeyP256(t *testing.T) {
 	ca, _, caKey, err := newTestCaCertP256(time.Time{}, time.Time{}, nil, nil, nil)
 	assert.Nil(t, err)
 	err = ca.VerifyPrivateKey(Curve_P256, caKey)
 	assert.Nil(t, err)
 	_, _, caKey2, err := newTestCaCertP256(time.Time{}, time.Time{}, nil, nil, nil)
 	assert.Nil(t, err)
 	err = ca.VerifyPrivateKey(Curve_P256, caKey2)
 	assert.NotNil(t, err)
 	c, _, priv, err := newTestCert(ca, caKey, time.Time{}, time.Time{}, nil, nil, nil)
 	err = c.VerifyPrivateKey(Curve_P256, priv)
 	assert.Nil(t, err)
 	_, priv2 := p256Keypair()
 	err = c.VerifyPrivateKey(Curve_P256, priv2)
 	assert.NotNil(t, err)
 }
 func appendByteSlices(b ...[]byte) []byte {
 	retSlice := []byte{}
 	for _, v := range b {
 		retSlice = append(retSlice, v...)
 	}
 	return retSlice
 }
 // Ensure that upgrading the protobuf library does not change how certificates
 // are marshalled, since this would break signature verification
 //TODO: since netip cant represent 255.0.255.0 netmask we can't verify the old certs are ok
 //func TestMarshalingNebulaCertificateConsistency(t *testing.T) {
 //	before := time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)
 //	after := time.Date(2017, time.January, 18, 28, 40, 0, 0, time.UTC)
 //	pubKey := []byte("1234567890abcedfghij1234567890ab")
 //
 //	nc := certificateV1{
 //		details: detailsV1{
 //			Name: "testing",
 //			Ips: []netip.Prefix{
 //				mustParsePrefixUnmapped("10.1.1.1/24"),
 //				mustParsePrefixUnmapped("10.1.1.2/16"),
 //				//TODO: netip bad
 //				//{IP: net.ParseIP("10.1.1.3"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))},
 //			},
 //			Subnets: []netip.Prefix{
 //				//TODO: netip bad
 //				//{IP: net.ParseIP("9.1.1.1"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))},
 //				mustParsePrefixUnmapped("9.1.1.2/24"),
 //				mustParsePrefixUnmapped("9.1.1.3/16"),
 //			},
 //			Groups:    []string{"test-group1", "test-group2", "test-group3"},
 //			NotBefore: before,
 //			NotAfter:  after,
 //			PublicKey: pubKey,
 //			IsCA:      false,
 //			Issuer:    "1234567890abcedfghij1234567890ab",
 //		},
 //		signature: []byte("1234567890abcedfghij1234567890ab"),
 //	}
 //
 //	b, err := nc.Marshal()
 //	assert.Nil(t, err)
 //	//t.Log("Cert size:", len(b))
 //	assert.Equal(t, "0aa2010a0774657374696e67121b8182845080feffff0f828284508080fcff0f8382845080fe83f80f1a1b8182844880fe83f80f8282844880feffff0f838284488080fcff0f220b746573742d67726f757031220b746573742d67726f757032220b746573742d67726f75703328f0e0e7d70430a08681c4053a20313233343536373839306162636564666768696a3132333435363738393061624a081234567890abcedf1220313233343536373839306162636564666768696a313233343536373839306162", fmt.Sprintf("%x", b))
 //
 //	b, err = proto.Marshal(nc.getRawDetails())
 //	assert.Nil(t, err)
 //	//t.Log("Raw cert size:", len(b))
 //	assert.Equal(t, "0a0774657374696e67121b8182845080feffff0f828284508080fcff0f8382845080fe83f80f1a1b8182844880fe83f80f8282844880feffff0f838284488080fcff0f220b746573742d67726f757031220b746573742d67726f757032220b746573742d67726f75703328f0e0e7d70430a08681c4053a20313233343536373839306162636564666768696a3132333435363738393061624a081234567890abcedf", fmt.Sprintf("%x", b))
 //}
 func TestNebulaCertificate_Copy(t *testing.T) {
 	ca, _, caKey, err := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, nil)
 	assert.Nil(t, err)
 	c, _, _, err := newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, nil, nil)
 	assert.Nil(t, err)
 	cc := c.Copy()
 	test.AssertDeepCopyEqual(t, c, cc)
 }
 func TestUnmarshalNebulaCertificate(t *testing.T) {
 	// Test that we don't panic with an invalid certificate (#332)
 	data := []byte("\x98\x00\x00")
 	_, err := unmarshalCertificateV1(data, nil)
 	assert.EqualError(t, err, "encoded Details was nil")
 }
 func newTestCaCert(before, after time.Time, ips, subnets []netip.Prefix, groups []string) (Certificate, []byte, []byte, error) {
 	pub, priv, err := ed25519.GenerateKey(rand.Reader)
 	if before.IsZero() {
 		before = time.Now().Add(time.Second * -60).Round(time.Second)
 	}
 	if after.IsZero() {
 		after = time.Now().Add(time.Second * 60).Round(time.Second)
 	}
 	tbs := &TBSCertificate{
 		Version:   Version1,
 		Name:      "test ca",
 		IsCA:      true,
 		NotBefore: time.Unix(before.Unix(), 0),
 		NotAfter:  time.Unix(after.Unix(), 0),
 		PublicKey: pub,
 	}
 	if len(ips) > 0 {
 		tbs.Networks = ips
 	}
 	if len(subnets) > 0 {
 		tbs.UnsafeNetworks = subnets
 	}
 	if len(groups) > 0 {
 		tbs.Groups = groups
 	}
 	nc, err := tbs.Sign(nil, Curve_CURVE25519, priv)
 	if err != nil {
 		return nil, nil, nil, err
 	}
 	return nc, pub, priv, nil
 }
 func newTestCaCertP256(before, after time.Time, ips, subnets []netip.Prefix, groups []string) (Certificate, []byte, []byte, error) {
 	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	pub := elliptic.Marshal(elliptic.P256(), priv.PublicKey.X, priv.PublicKey.Y)
 	rawPriv := priv.D.FillBytes(make([]byte, 32))
 	if before.IsZero() {
 		before = time.Now().Add(time.Second * -60).Round(time.Second)
 	}
 	if after.IsZero() {
 		after = time.Now().Add(time.Second * 60).Round(time.Second)
 	}
 	tbs := &TBSCertificate{
 		Version:   Version1,
 		Name:      "test ca",
 		IsCA:      true,
 		NotBefore: time.Unix(before.Unix(), 0),
 		NotAfter:  time.Unix(after.Unix(), 0),
 		PublicKey: pub,
 		Curve:     Curve_P256,
 	}
 	if len(ips) > 0 {
 		tbs.Networks = ips
 	}
 	if len(subnets) > 0 {
 		tbs.UnsafeNetworks = subnets
 	}
 	if len(groups) > 0 {
 		tbs.Groups = groups
 	}
 	nc, err := tbs.Sign(nil, Curve_P256, rawPriv)
 	if err != nil {
 		return nil, nil, nil, err
 	}
 	return nc, pub, rawPriv, nil
 }
 func newTestCert(ca Certificate, key []byte, before, after time.Time, ips, subnets []netip.Prefix, groups []string) (Certificate, []byte, []byte, error) {
 	if before.IsZero() {
 		before = time.Now().Add(time.Second * -60).Round(time.Second)
 	}
 	if after.IsZero() {
 		after = time.Now().Add(time.Second * 60).Round(time.Second)
 	}
 	if len(groups) == 0 {
 		groups = []string{"test-group1", "test-group2", "test-group3"}
 	}
 	if len(ips) == 0 {
 		ips = []netip.Prefix{
 			mustParsePrefixUnmapped("10.1.1.1/24"),
 			mustParsePrefixUnmapped("10.1.1.2/16"),
 		}
 	}
 	if len(subnets) == 0 {
 		subnets = []netip.Prefix{
 			mustParsePrefixUnmapped("9.1.1.2/24"),
 			mustParsePrefixUnmapped("9.1.1.3/16"),
 		}
 	}
 	var pub, rawPriv []byte
 	switch ca.Curve() {
 	case Curve_CURVE25519:
 		pub, rawPriv = x25519Keypair()
 	case Curve_P256:
 		pub, rawPriv = p256Keypair()
 	default:
 		return nil, nil, nil, fmt.Errorf("unknown curve: %v", ca.Curve())
 	}
 	tbs := &TBSCertificate{
 		Version:        Version1,
 		Name:           "testing",
 		Networks:       ips,
 		UnsafeNetworks: subnets,
 		Groups:         groups,
 		IsCA:           false,
 		NotBefore:      time.Unix(before.Unix(), 0),
 		NotAfter:       time.Unix(after.Unix(), 0),
 		PublicKey:      pub,
 		Curve:          ca.Curve(),
 	}
 	nc, err := tbs.Sign(ca, ca.Curve(), key)
 	if err != nil {
 		return nil, nil, nil, err
 	}
 	return nc, pub, rawPriv, nil
 }
 func x25519Keypair() ([]byte, []byte) {
 	privkey := make([]byte, 32)
 	if _, err := io.ReadFull(rand.Reader, privkey); err != nil {
 		panic(err)
 	}
 	pubkey, err := curve25519.X25519(privkey, curve25519.Basepoint)
 	if err != nil {
 		panic(err)
 	}
 	return pubkey, privkey
 }
 func p256Keypair() ([]byte, []byte) {
 	privkey, err := ecdh.P256().GenerateKey(rand.Reader)
 	if err != nil {
 		panic(err)
 	}
 	pubkey := privkey.PublicKey()
 	return pubkey.Bytes(), privkey.Bytes()
 }
 func mustParsePrefixUnmapped(s string) netip.Prefix {
 	prefix := netip.MustParsePrefix(s)
 	return netip.PrefixFrom(prefix.Addr().Unmap(), prefix.Bits())
 }
--- a/cert/cert_v1.go
+++ b/cert/cert_v1.go
@ -210,7 +210,7 @@ func (c *certificateV1) getRawDetails() *RawNebulaCertificateDetails {
 func (c *certificateV1) String() string {
 	b, err := json.MarshalIndent(c.marshalJSON(), "", "\t")
 	if err != nil {
-		return "<error marshalling certificate>"
+		return fmt.Sprintf("<error marshalling certificate: %v>", err)
 	}
 	return string(b)
 }
@ -272,9 +272,6 @@ func (c *certificateV1) Copy() Certificate {
 	nc := &certificateV1{
 		details: detailsV1{
 			name:      c.details.name,
 			groups:         make([]string, len(c.details.groups)),
 			networks:       make([]netip.Prefix, len(c.details.networks)),
 			unsafeNetworks: make([]netip.Prefix, len(c.details.unsafeNetworks)),
 			notBefore: c.details.notBefore,
 			notAfter:  c.details.notAfter,
 			publicKey: make([]byte, len(c.details.publicKey)),
@ -285,11 +282,23 @@ func (c *certificateV1) Copy() Certificate {
 		signature: make([]byte, len(c.signature)),
 	}
-	copy(nc.signature, c.signature)
+	if c.details.groups != nil {
 		nc.details.groups = make([]string, len(c.details.groups))
 		copy(nc.details.groups, c.details.groups)
-	copy(nc.details.publicKey, c.details.publicKey)
+	}
 	if c.details.networks != nil {
 		nc.details.networks = make([]netip.Prefix, len(c.details.networks))
 		copy(nc.details.networks, c.details.networks)
 	}
 	if c.details.unsafeNetworks != nil {
 		nc.details.unsafeNetworks = make([]netip.Prefix, len(c.details.unsafeNetworks))
 		copy(nc.details.unsafeNetworks, c.details.unsafeNetworks)
 	}
 	copy(nc.signature, c.signature)
 	copy(nc.details.publicKey, c.details.publicKey)
 	return nc
 }
@ -392,8 +401,6 @@ func unmarshalCertificateV1(b []byte, publicKey []byte) (*certificateV1, error)
 		}
 	}
 	//do not sort the subnets field for V1 certs
 	return &nc, nil
 }
--- a/cert/cert_v1_test.go
+++ b/cert/cert_v1_test.go
@ -0,0 +1,218 @@
 package cert
 import (
 	"fmt"
 	"net/netip"
 	"testing"
 	"time"
 	"github.com/slackhq/nebula/test"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/protobuf/proto"
 )
 func TestCertificateV1_Marshal(t *testing.T) {
 	before := time.Now().Add(time.Second * -60).Round(time.Second)
 	after := time.Now().Add(time.Second * 60).Round(time.Second)
 	pubKey := []byte("1234567890abcedfghij1234567890ab")
 	nc := certificateV1{
 		details: detailsV1{
 			name: "testing",
 			networks: []netip.Prefix{
 				mustParsePrefixUnmapped("10.1.1.1/24"),
 				mustParsePrefixUnmapped("10.1.1.2/16"),
 			},
 			unsafeNetworks: []netip.Prefix{
 				mustParsePrefixUnmapped("9.1.1.2/24"),
 				mustParsePrefixUnmapped("9.1.1.3/16"),
 			},
 			groups:    []string{"test-group1", "test-group2", "test-group3"},
 			notBefore: before,
 			notAfter:  after,
 			publicKey: pubKey,
 			isCA:      false,
 			issuer:    "1234567890abcedfghij1234567890ab",
 		},
 		signature: []byte("1234567890abcedfghij1234567890ab"),
 	}
 	b, err := nc.Marshal()
 	assert.Nil(t, err)
 	//t.Log("Cert size:", len(b))
 	nc2, err := unmarshalCertificateV1(b, nil)
 	assert.Nil(t, err)
 	assert.Equal(t, nc.Version(), Version1)
 	assert.Equal(t, nc.Curve(), Curve_CURVE25519)
 	assert.Equal(t, nc.Signature(), nc2.Signature())
 	assert.Equal(t, nc.Name(), nc2.Name())
 	assert.Equal(t, nc.NotBefore(), nc2.NotBefore())
 	assert.Equal(t, nc.NotAfter(), nc2.NotAfter())
 	assert.Equal(t, nc.PublicKey(), nc2.PublicKey())
 	assert.Equal(t, nc.IsCA(), nc2.IsCA())
 	assert.Equal(t, nc.Networks(), nc2.Networks())
 	assert.Equal(t, nc.UnsafeNetworks(), nc2.UnsafeNetworks())
 	assert.Equal(t, nc.Groups(), nc2.Groups())
 }
 func TestCertificateV1_Expired(t *testing.T) {
 	nc := certificateV1{
 		details: detailsV1{
 			notBefore: time.Now().Add(time.Second * -60).Round(time.Second),
 			notAfter:  time.Now().Add(time.Second * 60).Round(time.Second),
 		},
 	}
 	assert.True(t, nc.Expired(time.Now().Add(time.Hour)))
 	assert.True(t, nc.Expired(time.Now().Add(-time.Hour)))
 	assert.False(t, nc.Expired(time.Now()))
 }
 func TestCertificateV1_MarshalJSON(t *testing.T) {
 	time.Local = time.UTC
 	pubKey := []byte("1234567890abcedfghij1234567890ab")
 	nc := certificateV1{
 		details: detailsV1{
 			name: "testing",
 			networks: []netip.Prefix{
 				mustParsePrefixUnmapped("10.1.1.1/24"),
 				mustParsePrefixUnmapped("10.1.1.2/16"),
 			},
 			unsafeNetworks: []netip.Prefix{
 				mustParsePrefixUnmapped("9.1.1.2/24"),
 				mustParsePrefixUnmapped("9.1.1.3/16"),
 			},
 			groups:    []string{"test-group1", "test-group2", "test-group3"},
 			notBefore: time.Date(1, 0, 0, 1, 0, 0, 0, time.UTC),
 			notAfter:  time.Date(1, 0, 0, 2, 0, 0, 0, time.UTC),
 			publicKey: pubKey,
 			isCA:      false,
 			issuer:    "1234567890abcedfghij1234567890ab",
 		},
 		signature: []byte("1234567890abcedfghij1234567890ab"),
 	}
 	b, err := nc.MarshalJSON()
 	assert.Nil(t, err)
 	assert.Equal(
 		t,
 		"{\"details\":{\"curve\":\"CURVE25519\",\"groups\":[\"test-group1\",\"test-group2\",\"test-group3\"],\"isCa\":false,\"issuer\":\"1234567890abcedfghij1234567890ab\",\"name\":\"testing\",\"networks\":[\"10.1.1.1/24\",\"10.1.1.2/16\"],\"notAfter\":\"0000-11-30T02:00:00Z\",\"notBefore\":\"0000-11-30T01:00:00Z\",\"publicKey\":\"313233343536373839306162636564666768696a313233343536373839306162\",\"unsafeNetworks\":[\"9.1.1.2/24\",\"9.1.1.3/16\"]},\"fingerprint\":\"3944c53d4267a229295b56cb2d27d459164c010ac97d655063ba421e0670f4ba\",\"signature\":\"313233343536373839306162636564666768696a313233343536373839306162\",\"version\":1}",
 		string(b),
 	)
 }
 func TestCertificateV1_VerifyPrivateKey(t *testing.T) {
 	ca, _, caKey, _ := NewTestCaCert(Version1, Curve_CURVE25519, time.Time{}, time.Time{}, nil, nil, nil)
 	err := ca.VerifyPrivateKey(Curve_CURVE25519, caKey)
 	assert.Nil(t, err)
 	_, _, caKey2, _ := NewTestCaCert(Version1, Curve_CURVE25519, time.Time{}, time.Time{}, nil, nil, nil)
 	assert.Nil(t, err)
 	err = ca.VerifyPrivateKey(Curve_CURVE25519, caKey2)
 	assert.NotNil(t, err)
 	c, _, priv, _ := NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Time{}, time.Time{}, nil, nil, nil)
 	rawPriv, b, curve, err := UnmarshalPrivateKeyFromPEM(priv)
 	assert.NoError(t, err)
 	assert.Empty(t, b)
 	assert.Equal(t, Curve_CURVE25519, curve)
 	err = c.VerifyPrivateKey(Curve_CURVE25519, rawPriv)
 	assert.Nil(t, err)
 	_, priv2 := X25519Keypair()
 	err = c.VerifyPrivateKey(Curve_CURVE25519, priv2)
 	assert.NotNil(t, err)
 }
 func TestCertificateV1_VerifyPrivateKeyP256(t *testing.T) {
 	ca, _, caKey, _ := NewTestCaCert(Version1, Curve_P256, time.Time{}, time.Time{}, nil, nil, nil)
 	err := ca.VerifyPrivateKey(Curve_P256, caKey)
 	assert.Nil(t, err)
 	_, _, caKey2, _ := NewTestCaCert(Version1, Curve_P256, time.Time{}, time.Time{}, nil, nil, nil)
 	assert.Nil(t, err)
 	err = ca.VerifyPrivateKey(Curve_P256, caKey2)
 	assert.NotNil(t, err)
 	c, _, priv, _ := NewTestCert(Version1, Curve_P256, ca, caKey, "test", time.Time{}, time.Time{}, nil, nil, nil)
 	rawPriv, b, curve, err := UnmarshalPrivateKeyFromPEM(priv)
 	assert.NoError(t, err)
 	assert.Empty(t, b)
 	assert.Equal(t, Curve_P256, curve)
 	err = c.VerifyPrivateKey(Curve_P256, rawPriv)
 	assert.Nil(t, err)
 	_, priv2 := P256Keypair()
 	err = c.VerifyPrivateKey(Curve_P256, priv2)
 	assert.NotNil(t, err)
 }
 // Ensure that upgrading the protobuf library does not change how certificates
 // are marshalled, since this would break signature verification
 func TestMarshalingCertificateV1Consistency(t *testing.T) {
 	before := time.Date(1970, time.January, 1, 1, 1, 1, 1, time.UTC)
 	after := time.Date(9999, time.January, 1, 1, 1, 1, 1, time.UTC)
 	pubKey := []byte("1234567890abcedfghij1234567890ab")
 	nc := certificateV1{
 		details: detailsV1{
 			name: "testing",
 			networks: []netip.Prefix{
 				mustParsePrefixUnmapped("10.1.1.2/16"),
 				mustParsePrefixUnmapped("10.1.1.1/24"),
 			},
 			unsafeNetworks: []netip.Prefix{
 				mustParsePrefixUnmapped("9.1.1.3/16"),
 				mustParsePrefixUnmapped("9.1.1.2/24"),
 			},
 			groups:    []string{"test-group1", "test-group2", "test-group3"},
 			notBefore: before,
 			notAfter:  after,
 			publicKey: pubKey,
 			isCA:      false,
 			issuer:    "1234567890abcedfghij1234567890ab",
 		},
 		signature: []byte("1234567890abcedfghij1234567890ab"),
 	}
 	b, err := nc.Marshal()
 	require.Nil(t, err)
 	assert.Equal(t, "0a8e010a0774657374696e671212828284508080fcff0f8182845080feffff0f1a12838284488080fcff0f8282844880feffff0f220b746573742d67726f757031220b746573742d67726f757032220b746573742d67726f75703328cd1c30cdb8ccf0af073a20313233343536373839306162636564666768696a3132333435363738393061624a081234567890abcedf1220313233343536373839306162636564666768696a313233343536373839306162", fmt.Sprintf("%x", b))
 	b, err = proto.Marshal(nc.getRawDetails())
 	assert.Nil(t, err)
 	assert.Equal(t, "0a0774657374696e671212828284508080fcff0f8182845080feffff0f1a12838284488080fcff0f8282844880feffff0f220b746573742d67726f757031220b746573742d67726f757032220b746573742d67726f75703328cd1c30cdb8ccf0af073a20313233343536373839306162636564666768696a3132333435363738393061624a081234567890abcedf", fmt.Sprintf("%x", b))
 }
 func TestCertificateV1_Copy(t *testing.T) {
 	ca, _, caKey, _ := NewTestCaCert(Version1, Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, nil)
 	c, _, _, _ := NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, nil)
 	cc := c.Copy()
 	test.AssertDeepCopyEqual(t, c, cc)
 }
 func TestUnmarshalCertificateV1(t *testing.T) {
 	// Test that we don't panic with an invalid certificate (#332)
 	data := []byte("\x98\x00\x00")
 	_, err := unmarshalCertificateV1(data, nil)
 	assert.EqualError(t, err, "encoded Details was nil")
 }
 func appendByteSlices(b ...[]byte) []byte {
 	retSlice := []byte{}
 	for _, v := range b {
 		retSlice = append(retSlice, v...)
 	}
 	return retSlice
 }
 func mustParsePrefixUnmapped(s string) netip.Prefix {
 	prefix := netip.MustParsePrefix(s)
 	return netip.PrefixFrom(prefix.Addr().Unmap(), prefix.Bits())
 }
--- a/cert/cert_v2.go
+++ b/cert/cert_v2.go
@ -20,8 +20,6 @@ import (
 	"golang.org/x/crypto/curve25519"
 )
 //TODO: should we avoid hex encoding shit on output? Just let it be base64?
 const (
 	classConstructed     = 0x20
 	classContextSpecific = 0x80
@ -125,8 +123,11 @@ func (c *certificateV2) UnsafeNetworks() []netip.Prefix {
 }
 func (c *certificateV2) Fingerprint() (string, error) {
-	b := make([]byte, len(c.rawDetails)+1+len(c.publicKey))
+	if len(c.rawDetails) == 0 {
-	//TODO: double check this, panic on empty raw details
+		return "", ErrMissingDetails
 	}
 	b := make([]byte, len(c.rawDetails)+1+len(c.publicKey)+len(c.signature))
 	copy(b, c.rawDetails)
 	b[len(c.rawDetails)] = byte(c.curve)
 	copy(b[len(c.rawDetails)+1:], c.publicKey)
@ -162,27 +163,27 @@ func (c *certificateV2) Expired(t time.Time) bool {
 func (c *certificateV2) VerifyPrivateKey(curve Curve, key []byte) error {
 	if curve != c.curve {
-		return fmt.Errorf("curve in cert and private key supplied don't match")
+		return ErrPublicPrivateCurveMismatch
 	}
 	if c.details.isCA {
 		switch curve {
 		case Curve_CURVE25519:
 			// the call to PublicKey below will panic slice bounds out of range otherwise
 			if len(key) != ed25519.PrivateKeySize {
-				return fmt.Errorf("key was not 64 bytes, is invalid ed25519 private key")
+				return ErrInvalidPrivateKey
 			}
 			if !ed25519.PublicKey(c.publicKey).Equal(ed25519.PrivateKey(key).Public()) {
-				return fmt.Errorf("public key in cert and private key supplied don't match")
+				return ErrPublicPrivateKeyMismatch
 			}
 		case Curve_P256:
 			privkey, err := ecdh.P256().NewPrivateKey(key)
 			if err != nil {
-				return fmt.Errorf("cannot parse private key as P256")
+				return ErrInvalidPrivateKey
 			}
 			pub := privkey.PublicKey().Bytes()
 			if !bytes.Equal(pub, c.publicKey) {
-				return fmt.Errorf("public key in cert and private key supplied don't match")
+				return ErrPublicPrivateKeyMismatch
 			}
 		default:
 			return fmt.Errorf("invalid curve: %s", curve)
@ -196,28 +197,33 @@ func (c *certificateV2) VerifyPrivateKey(curve Curve, key []byte) error {
 		var err error
 		pub, err = curve25519.X25519(key, curve25519.Basepoint)
 		if err != nil {
-			return err
+			return ErrInvalidPrivateKey
 		}
 	case Curve_P256:
 		privkey, err := ecdh.P256().NewPrivateKey(key)
 		if err != nil {
-			return err
+			return ErrInvalidPrivateKey
 		}
 		pub = privkey.PublicKey().Bytes()
 	default:
 		return fmt.Errorf("invalid curve: %s", curve)
 	}
 	if !bytes.Equal(pub, c.publicKey) {
-		return fmt.Errorf("public key in cert and private key supplied don't match")
+		return ErrPublicPrivateKeyMismatch
 	}
 	return nil
 }
 func (c *certificateV2) String() string {
-	b, err := json.MarshalIndent(c.marshalJSON(), "", "\t")
+	mb, err := c.marshalJSON()
 	if err != nil {
-		return "<error marshalling certificate>"
+		return fmt.Sprintf("<error marshalling certificate: %v>", err)
 	}
 	b, err := json.MarshalIndent(mb, "", "\t")
 	if err != nil {
 		return fmt.Sprintf("<error marshalling certificate: %v>", err)
 	}
 	return string(b)
 }
@ -282,11 +288,19 @@ func (c *certificateV2) MarshalPEM() ([]byte, error) {
 }
 func (c *certificateV2) MarshalJSON() ([]byte, error) {
-	return json.Marshal(c.marshalJSON())
+	b, err := c.marshalJSON()
 	if err != nil {
 		return nil, err
 	}
 	return json.Marshal(b)
 }
-func (c *certificateV2) marshalJSON() m {
+func (c *certificateV2) marshalJSON() (m, error) {
-	fp, _ := c.Fingerprint()
+	fp, err := c.Fingerprint()
 	if err != nil {
 		return nil, err
 	}
 	return m{
 		"details": m{
 			"name":           c.details.name,
@ -303,16 +317,13 @@ func (c *certificateV2) marshalJSON() m {
 		"curve":       c.curve.String(),
 		"fingerprint": fp,
 		"signature":   fmt.Sprintf("%x", c.Signature()),
-	}
+	}, nil
 }
 func (c *certificateV2) Copy() Certificate {
 	nc := &certificateV2{
 		details: detailsV2{
 			name:      c.details.name,
 			groups:         make([]string, len(c.details.groups)),
 			networks:       make([]netip.Prefix, len(c.details.networks)),
 			unsafeNetworks: make([]netip.Prefix, len(c.details.unsafeNetworks)),
 			notBefore: c.details.notBefore,
 			notAfter:  c.details.notAfter,
 			isCA:      c.details.isCA,
@ -321,13 +332,27 @@ func (c *certificateV2) Copy() Certificate {
 		curve:      c.curve,
 		publicKey:  make([]byte, len(c.publicKey)),
 		signature:  make([]byte, len(c.signature)),
 		rawDetails: make([]byte, len(c.rawDetails)),
 	}
-	copy(nc.signature, c.signature)
+	if c.details.groups != nil {
 		nc.details.groups = make([]string, len(c.details.groups))
 		copy(nc.details.groups, c.details.groups)
-	copy(nc.publicKey, c.publicKey)
+	}
 	if c.details.networks != nil {
 		nc.details.networks = make([]netip.Prefix, len(c.details.networks))
 		copy(nc.details.networks, c.details.networks)
 	}
 	if c.details.unsafeNetworks != nil {
 		nc.details.unsafeNetworks = make([]netip.Prefix, len(c.details.unsafeNetworks))
 		copy(nc.details.unsafeNetworks, c.details.unsafeNetworks)
 	}
 	copy(nc.rawDetails, c.rawDetails)
 	copy(nc.signature, c.signature)
 	copy(nc.publicKey, c.publicKey)
 	return nc
 }
--- a/cert/cert_v2_test.go
+++ b/cert/cert_v2_test.go
@ -0,0 +1,226 @@
 package cert
 import (
 	"crypto/ed25519"
 	"crypto/rand"
 	"net/netip"
 	"slices"
 	"testing"
 	"time"
 	"github.com/slackhq/nebula/test"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestCertificateV2_Marshal(t *testing.T) {
 	before := time.Now().Add(time.Second * -60).Round(time.Second)
 	after := time.Now().Add(time.Second * 60).Round(time.Second)
 	pubKey := []byte("1234567890abcedfghij1234567890ab")
 	nc := certificateV2{
 		details: detailsV2{
 			name: "testing",
 			networks: []netip.Prefix{
 				mustParsePrefixUnmapped("10.1.1.2/16"),
 				mustParsePrefixUnmapped("10.1.1.1/24"),
 			},
 			unsafeNetworks: []netip.Prefix{
 				mustParsePrefixUnmapped("9.1.1.3/16"),
 				mustParsePrefixUnmapped("9.1.1.2/24"),
 			},
 			groups:    []string{"test-group1", "test-group2", "test-group3"},
 			notBefore: before,
 			notAfter:  after,
 			isCA:      false,
 			issuer:    "1234567890abcdef1234567890abcdef",
 		},
 		signature: []byte("1234567890abcdef1234567890abcdef"),
 		publicKey: pubKey,
 	}
 	db, err := nc.details.Marshal()
 	require.NoError(t, err)
 	nc.rawDetails = db
 	b, err := nc.Marshal()
 	require.Nil(t, err)
 	//t.Log("Cert size:", len(b))
 	nc2, err := unmarshalCertificateV2(b, nil, Curve_CURVE25519)
 	assert.Nil(t, err)
 	assert.Equal(t, nc.Version(), Version2)
 	assert.Equal(t, nc.Curve(), Curve_CURVE25519)
 	assert.Equal(t, nc.Signature(), nc2.Signature())
 	assert.Equal(t, nc.Name(), nc2.Name())
 	assert.Equal(t, nc.NotBefore(), nc2.NotBefore())
 	assert.Equal(t, nc.NotAfter(), nc2.NotAfter())
 	assert.Equal(t, nc.PublicKey(), nc2.PublicKey())
 	assert.Equal(t, nc.IsCA(), nc2.IsCA())
 	assert.Equal(t, nc.Issuer(), nc2.Issuer())
 	// unmarshalling will sort networks and unsafeNetworks, we need to do the same
 	// but first make sure it fails
 	assert.NotEqual(t, nc.Networks(), nc2.Networks())
 	assert.NotEqual(t, nc.UnsafeNetworks(), nc2.UnsafeNetworks())
 	slices.SortFunc(nc.details.networks, comparePrefix)
 	slices.SortFunc(nc.details.unsafeNetworks, comparePrefix)
 	assert.Equal(t, nc.Networks(), nc2.Networks())
 	assert.Equal(t, nc.UnsafeNetworks(), nc2.UnsafeNetworks())
 	assert.Equal(t, nc.Groups(), nc2.Groups())
 }
 func TestCertificateV2_Expired(t *testing.T) {
 	nc := certificateV2{
 		details: detailsV2{
 			notBefore: time.Now().Add(time.Second * -60).Round(time.Second),
 			notAfter:  time.Now().Add(time.Second * 60).Round(time.Second),
 		},
 	}
 	assert.True(t, nc.Expired(time.Now().Add(time.Hour)))
 	assert.True(t, nc.Expired(time.Now().Add(-time.Hour)))
 	assert.False(t, nc.Expired(time.Now()))
 }
 func TestCertificateV2_MarshalJSON(t *testing.T) {
 	time.Local = time.UTC
 	pubKey := []byte("1234567890abcedf1234567890abcedf")
 	nc := certificateV2{
 		details: detailsV2{
 			name: "testing",
 			networks: []netip.Prefix{
 				mustParsePrefixUnmapped("10.1.1.1/24"),
 				mustParsePrefixUnmapped("10.1.1.2/16"),
 			},
 			unsafeNetworks: []netip.Prefix{
 				mustParsePrefixUnmapped("9.1.1.2/24"),
 				mustParsePrefixUnmapped("9.1.1.3/16"),
 			},
 			groups:    []string{"test-group1", "test-group2", "test-group3"},
 			notBefore: time.Date(1, 0, 0, 1, 0, 0, 0, time.UTC),
 			notAfter:  time.Date(1, 0, 0, 2, 0, 0, 0, time.UTC),
 			isCA:      false,
 			issuer:    "1234567890abcedf1234567890abcedf",
 		},
 		publicKey: pubKey,
 		signature: []byte("1234567890abcedf1234567890abcedf1234567890abcedf1234567890abcedf"),
 	}
 	b, err := nc.MarshalJSON()
 	assert.ErrorIs(t, err, ErrMissingDetails)
 	rd, err := nc.details.Marshal()
 	assert.NoError(t, err)
 	nc.rawDetails = rd
 	b, err = nc.MarshalJSON()
 	assert.Nil(t, err)
 	assert.Equal(
 		t,
 		"{\"curve\":\"CURVE25519\",\"details\":{\"groups\":[\"test-group1\",\"test-group2\",\"test-group3\"],\"isCa\":false,\"issuer\":\"1234567890abcedf1234567890abcedf\",\"name\":\"testing\",\"networks\":[\"10.1.1.1/24\",\"10.1.1.2/16\"],\"notAfter\":\"0000-11-30T02:00:00Z\",\"notBefore\":\"0000-11-30T01:00:00Z\",\"unsafeNetworks\":[\"9.1.1.2/24\",\"9.1.1.3/16\"]},\"fingerprint\":\"152d9a7400c1e001cb76cffd035215ebb351f69eeb797f7f847dd086e15e56dd\",\"publicKey\":\"3132333435363738393061626365646631323334353637383930616263656466\",\"signature\":\"31323334353637383930616263656466313233343536373839306162636564663132333435363738393061626365646631323334353637383930616263656466\",\"version\":2}",
 		string(b),
 	)
 }
 func TestCertificateV2_VerifyPrivateKey(t *testing.T) {
 	ca, _, caKey, _ := NewTestCaCert(Version2, Curve_CURVE25519, time.Time{}, time.Time{}, nil, nil, nil)
 	err := ca.VerifyPrivateKey(Curve_CURVE25519, caKey)
 	assert.Nil(t, err)
 	err = ca.VerifyPrivateKey(Curve_CURVE25519, caKey[:16])
 	assert.ErrorIs(t, err, ErrInvalidPrivateKey)
 	_, caKey2, err := ed25519.GenerateKey(rand.Reader)
 	require.Nil(t, err)
 	err = ca.VerifyPrivateKey(Curve_CURVE25519, caKey2)
 	assert.ErrorIs(t, err, ErrPublicPrivateKeyMismatch)
 	c, _, priv, _ := NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Time{}, time.Time{}, nil, nil, nil)
 	rawPriv, b, curve, err := UnmarshalPrivateKeyFromPEM(priv)
 	assert.NoError(t, err)
 	assert.Empty(t, b)
 	assert.Equal(t, Curve_CURVE25519, curve)
 	err = c.VerifyPrivateKey(Curve_CURVE25519, rawPriv)
 	assert.Nil(t, err)
 	_, priv2 := X25519Keypair()
 	err = c.VerifyPrivateKey(Curve_P256, priv2)
 	assert.ErrorIs(t, err, ErrPublicPrivateCurveMismatch)
 	err = c.VerifyPrivateKey(Curve_CURVE25519, priv2)
 	assert.ErrorIs(t, err, ErrPublicPrivateKeyMismatch)
 	err = c.VerifyPrivateKey(Curve_CURVE25519, priv2[:16])
 	assert.ErrorIs(t, err, ErrInvalidPrivateKey)
 	ac, ok := c.(*certificateV2)
 	require.True(t, ok)
 	ac.curve = Curve(99)
 	err = c.VerifyPrivateKey(Curve(99), priv2)
 	assert.EqualError(t, err, "invalid curve: 99")
 	ca2, _, caKey2, _ := NewTestCaCert(Version2, Curve_P256, time.Time{}, time.Time{}, nil, nil, nil)
 	err = ca.VerifyPrivateKey(Curve_CURVE25519, caKey)
 	assert.Nil(t, err)
 	err = ca2.VerifyPrivateKey(Curve_P256, caKey2[:16])
 	assert.ErrorIs(t, err, ErrInvalidPrivateKey)
 	c, _, priv, _ = NewTestCert(Version2, Curve_P256, ca2, caKey2, "test", time.Time{}, time.Time{}, nil, nil, nil)
 	rawPriv, b, curve, err = UnmarshalPrivateKeyFromPEM(priv)
 	err = c.VerifyPrivateKey(Curve_P256, priv[:16])
 	assert.ErrorIs(t, err, ErrInvalidPrivateKey)
 	err = c.VerifyPrivateKey(Curve_P256, priv)
 	assert.ErrorIs(t, err, ErrInvalidPrivateKey)
 	aCa, ok := ca2.(*certificateV2)
 	require.True(t, ok)
 	aCa.curve = Curve(99)
 	err = aCa.VerifyPrivateKey(Curve(99), priv2)
 	assert.EqualError(t, err, "invalid curve: 99")
 }
 func TestCertificateV2_VerifyPrivateKeyP256(t *testing.T) {
 	ca, _, caKey, _ := NewTestCaCert(Version2, Curve_P256, time.Time{}, time.Time{}, nil, nil, nil)
 	err := ca.VerifyPrivateKey(Curve_P256, caKey)
 	assert.Nil(t, err)
 	_, _, caKey2, _ := NewTestCaCert(Version2, Curve_P256, time.Time{}, time.Time{}, nil, nil, nil)
 	assert.Nil(t, err)
 	err = ca.VerifyPrivateKey(Curve_P256, caKey2)
 	assert.NotNil(t, err)
 	c, _, priv, _ := NewTestCert(Version2, Curve_P256, ca, caKey, "test", time.Time{}, time.Time{}, nil, nil, nil)
 	rawPriv, b, curve, err := UnmarshalPrivateKeyFromPEM(priv)
 	assert.NoError(t, err)
 	assert.Empty(t, b)
 	assert.Equal(t, Curve_P256, curve)
 	err = c.VerifyPrivateKey(Curve_P256, rawPriv)
 	assert.Nil(t, err)
 	_, priv2 := P256Keypair()
 	err = c.VerifyPrivateKey(Curve_P256, priv2)
 	assert.NotNil(t, err)
 }
 func TestCertificateV2_Copy(t *testing.T) {
 	ca, _, caKey, _ := NewTestCaCert(Version2, Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, nil)
 	c, _, _, _ := NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, nil)
 	cc := c.Copy()
 	test.AssertDeepCopyEqual(t, c, cc)
 }
 func TestUnmarshalCertificateV2(t *testing.T) {
 	data := []byte("\x98\x00\x00")
 	_, err := unmarshalCertificateV2(data, nil, Curve_CURVE25519)
 	assert.EqualError(t, err, "bad wire format")
 }
--- a/cert/errors.go
+++ b/cert/errors.go
@ -13,8 +13,10 @@ var (
 	ErrBlockListed                = errors.New("certificate is in the block list")
 	ErrFingerprintMismatch        = errors.New("certificate fingerprint did not match")
 	ErrSignatureMismatch          = errors.New("certificate signature did not match")
-	ErrInvalidPublicKeyLength  = errors.New("invalid public key length")
+	ErrInvalidPublicKey           = errors.New("invalid public key")
-	ErrInvalidPrivateKeyLength = errors.New("invalid private key length")
+	ErrInvalidPrivateKey          = errors.New("invalid private key")
 	ErrPublicPrivateCurveMismatch = errors.New("public key does not match private key curve")
 	ErrPublicPrivateKeyMismatch   = errors.New("public key and private key are not a pair")
 	ErrPrivateKeyEncrypted = errors.New("private key must be decrypted")
@ -27,4 +29,6 @@ var (
 	ErrNoPeerStaticKey = errors.New("no peer static key was present")
 	ErrNoPayload       = errors.New("provided payload was empty")
 	ErrMissingDetails = errors.New("certificate did not contain details")
 )
--- a/cert/helper_test.go
+++ b/cert/helper_test.go
@ -0,0 +1,137 @@
 package cert
 import (
 	"crypto/ecdh"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"io"
 	"net/netip"
 	"time"
 	"golang.org/x/crypto/curve25519"
 	"golang.org/x/crypto/ed25519"
 )
 // NewTestCaCert will create a new ca certificate
 func NewTestCaCert(version Version, curve Curve, before, after time.Time, networks, unsafeNetworks []netip.Prefix, groups []string) (Certificate, []byte, []byte, []byte) {
 	var err error
 	var pub, priv []byte
 	switch curve {
 	case Curve_CURVE25519:
 		pub, priv, err = ed25519.GenerateKey(rand.Reader)
 	case Curve_P256:
 		privk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 		if err != nil {
 			panic(err)
 		}
 		pub = elliptic.Marshal(elliptic.P256(), privk.PublicKey.X, privk.PublicKey.Y)
 		priv = privk.D.FillBytes(make([]byte, 32))
 	default:
 		// There is no default to allow the underlying lib to respond with an error
 	}
 	if before.IsZero() {
 		before = time.Now().Add(time.Second * -60).Round(time.Second)
 	}
 	if after.IsZero() {
 		after = time.Now().Add(time.Second * 60).Round(time.Second)
 	}
 	t := &TBSCertificate{
 		Curve:          curve,
 		Version:        version,
 		Name:           "test ca",
 		NotBefore:      time.Unix(before.Unix(), 0),
 		NotAfter:       time.Unix(after.Unix(), 0),
 		PublicKey:      pub,
 		Networks:       networks,
 		UnsafeNetworks: unsafeNetworks,
 		Groups:         groups,
 		IsCA:           true,
 	}
 	c, err := t.Sign(nil, curve, priv)
 	if err != nil {
 		panic(err)
 	}
 	pem, err := c.MarshalPEM()
 	if err != nil {
 		panic(err)
 	}
 	return c, pub, priv, pem
 }
 // NewTestCert will generate a signed certificate with the provided details.
 // Expiry times are defaulted if you do not pass them in
 func NewTestCert(v Version, curve Curve, ca Certificate, key []byte, name string, before, after time.Time, networks, unsafeNetworks []netip.Prefix, groups []string) (Certificate, []byte, []byte, []byte) {
 	if before.IsZero() {
 		before = time.Now().Add(time.Second * -60).Round(time.Second)
 	}
 	if after.IsZero() {
 		after = time.Now().Add(time.Second * 60).Round(time.Second)
 	}
 	var pub, priv []byte
 	switch curve {
 	case Curve_CURVE25519:
 		pub, priv = X25519Keypair()
 	case Curve_P256:
 		pub, priv = P256Keypair()
 	default:
 		panic("unknown curve")
 	}
 	nc := &TBSCertificate{
 		Version:        v,
 		Curve:          curve,
 		Name:           name,
 		Networks:       networks,
 		UnsafeNetworks: unsafeNetworks,
 		Groups:         groups,
 		NotBefore:      time.Unix(before.Unix(), 0),
 		NotAfter:       time.Unix(after.Unix(), 0),
 		PublicKey:      pub,
 		IsCA:           false,
 	}
 	c, err := nc.Sign(ca, ca.Curve(), key)
 	if err != nil {
 		panic(err)
 	}
 	pem, err := c.MarshalPEM()
 	if err != nil {
 		panic(err)
 	}
 	return c, pub, MarshalPrivateKeyToPEM(curve, priv), pem
 }
 func X25519Keypair() ([]byte, []byte) {
 	privkey := make([]byte, 32)
 	if _, err := io.ReadFull(rand.Reader, privkey); err != nil {
 		panic(err)
 	}
 	pubkey, err := curve25519.X25519(privkey, curve25519.Basepoint)
 	if err != nil {
 		panic(err)
 	}
 	return pubkey, privkey
 }
 func P256Keypair() ([]byte, []byte) {
 	privkey, err := ecdh.P256().GenerateKey(rand.Reader)
 	if err != nil {
 		panic(err)
 	}
 	pubkey := privkey.PublicKey()
 	return pubkey.Bytes(), privkey.Bytes()
 }
--- a/cert/sign_test.go
+++ b/cert/sign_test.go
@ -0,0 +1,89 @@
 package cert
 import (
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/elliptic"
 	"crypto/rand"
 	"net/netip"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 )
 func TestCertificateV1_Sign(t *testing.T) {
 	before := time.Now().Add(time.Second * -60).Round(time.Second)
 	after := time.Now().Add(time.Second * 60).Round(time.Second)
 	pubKey := []byte("1234567890abcedfghij1234567890ab")
 	tbs := TBSCertificate{
 		Version: Version1,
 		Name:    "testing",
 		Networks: []netip.Prefix{
 			mustParsePrefixUnmapped("10.1.1.1/24"),
 			mustParsePrefixUnmapped("10.1.1.2/16"),
 		},
 		UnsafeNetworks: []netip.Prefix{
 			mustParsePrefixUnmapped("9.1.1.2/24"),
 			mustParsePrefixUnmapped("9.1.1.3/24"),
 		},
 		Groups:    []string{"test-group1", "test-group2", "test-group3"},
 		NotBefore: before,
 		NotAfter:  after,
 		PublicKey: pubKey,
 		IsCA:      false,
 	}
 	pub, priv, err := ed25519.GenerateKey(rand.Reader)
 	c, err := tbs.Sign(&certificateV1{details: detailsV1{notBefore: before, notAfter: after}}, Curve_CURVE25519, priv)
 	assert.Nil(t, err)
 	assert.NotNil(t, c)
 	assert.True(t, c.CheckSignature(pub))
 	b, err := c.Marshal()
 	assert.Nil(t, err)
 	uc, err := unmarshalCertificateV1(b, nil)
 	assert.Nil(t, err)
 	assert.NotNil(t, uc)
 }
 func TestCertificateV1_SignP256(t *testing.T) {
 	before := time.Now().Add(time.Second * -60).Round(time.Second)
 	after := time.Now().Add(time.Second * 60).Round(time.Second)
 	pubKey := []byte("01234567890abcedfghij1234567890ab1234567890abcedfghij1234567890ab")
 	tbs := TBSCertificate{
 		Version: Version1,
 		Name:    "testing",
 		Networks: []netip.Prefix{
 			mustParsePrefixUnmapped("10.1.1.1/24"),
 			mustParsePrefixUnmapped("10.1.1.2/16"),
 		},
 		UnsafeNetworks: []netip.Prefix{
 			mustParsePrefixUnmapped("9.1.1.2/24"),
 			mustParsePrefixUnmapped("9.1.1.3/16"),
 		},
 		Groups:    []string{"test-group1", "test-group2", "test-group3"},
 		NotBefore: before,
 		NotAfter:  after,
 		PublicKey: pubKey,
 		IsCA:      false,
 		Curve:     Curve_P256,
 	}
 	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	pub := elliptic.Marshal(elliptic.P256(), priv.PublicKey.X, priv.PublicKey.Y)
 	rawPriv := priv.D.FillBytes(make([]byte, 32))
 	c, err := tbs.Sign(&certificateV1{details: detailsV1{notBefore: before, notAfter: after}}, Curve_P256, rawPriv)
 	assert.Nil(t, err)
 	assert.NotNil(t, c)
 	assert.True(t, c.CheckSignature(pub))
 	b, err := c.Marshal()
 	assert.Nil(t, err)
 	uc, err := unmarshalCertificateV1(b, nil)
 	assert.Nil(t, err)
 	assert.NotNil(t, uc)
 }
--- a/cert_test/cert.go
+++ b/cert_test/cert.go
@ -1,6 +1,9 @@
-package e2e
+package cert_test
 import (
 	"crypto/ecdh"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"io"
 	"net/netip"
@ -11,9 +14,26 @@ import (
 	"golang.org/x/crypto/ed25519"
 )
-// NewTestCaCert will generate a CA cert
+// NewTestCaCert will create a new ca certificate
-func NewTestCaCert(before, after time.Time, networks, unsafeNetworks []netip.Prefix, groups []string) (cert.Certificate, []byte, []byte, []byte) {
+func NewTestCaCert(version cert.Version, curve cert.Curve, before, after time.Time, networks, unsafeNetworks []netip.Prefix, groups []string) (cert.Certificate, []byte, []byte, []byte) {
-	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	var err error
 	var pub, priv []byte
 	switch curve {
 	case cert.Curve_CURVE25519:
 		pub, priv, err = ed25519.GenerateKey(rand.Reader)
 	case cert.Curve_P256:
 		privk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 		if err != nil {
 			panic(err)
 		}
 		pub = elliptic.Marshal(elliptic.P256(), privk.PublicKey.X, privk.PublicKey.Y)
 		priv = privk.D.FillBytes(make([]byte, 32))
 	default:
 		// There is no default to allow the underlying lib to respond with an error
 	}
 	if before.IsZero() {
 		before = time.Now().Add(time.Second * -60).Round(time.Second)
 	}
@ -22,7 +42,8 @@ func NewTestCaCert(before, after time.Time, networks, unsafeNetworks []netip.Pre
 	}
 	t := &cert.TBSCertificate{
-		Version:        cert.Version1,
+		Curve:          curve,
 		Version:        version,
 		Name:           "test ca",
 		NotBefore:      time.Unix(before.Unix(), 0),
 		NotAfter:       time.Unix(after.Unix(), 0),
@ -33,7 +54,7 @@ func NewTestCaCert(before, after time.Time, networks, unsafeNetworks []netip.Pre
 		IsCA:           true,
 	}
-	c, err := t.Sign(nil, cert.Curve_CURVE25519, priv)
+	c, err := t.Sign(nil, curve, priv)
 	if err != nil {
 		panic(err)
 	}
@ -48,7 +69,7 @@ func NewTestCaCert(before, after time.Time, networks, unsafeNetworks []netip.Pre
 // NewTestCert will generate a signed certificate with the provided details.
 // Expiry times are defaulted if you do not pass them in
-func NewTestCert(v cert.Version, ca cert.Certificate, key []byte, name string, before, after time.Time, networks, unsafeNetworks []netip.Prefix, groups []string) (cert.Certificate, []byte, []byte, []byte) {
+func NewTestCert(v cert.Version, curve cert.Curve, ca cert.Certificate, key []byte, name string, before, after time.Time, networks, unsafeNetworks []netip.Prefix, groups []string) (cert.Certificate, []byte, []byte, []byte) {
 	if before.IsZero() {
 		before = time.Now().Add(time.Second * -60).Round(time.Second)
 	}
@ -57,9 +78,19 @@ func NewTestCert(v cert.Version, ca cert.Certificate, key []byte, name string, b
 		after = time.Now().Add(time.Second * 60).Round(time.Second)
 	}
-	pub, rawPriv := x25519Keypair()
+	var pub, priv []byte
 	switch curve {
 	case cert.Curve_CURVE25519:
 		pub, priv = X25519Keypair()
 	case cert.Curve_P256:
 		pub, priv = P256Keypair()
 	default:
 		panic("unknown curve")
 	}
 	nc := &cert.TBSCertificate{
 		Version:        v,
 		Curve:          curve,
 		Name:           name,
 		Networks:       networks,
 		UnsafeNetworks: unsafeNetworks,
@ -80,10 +111,10 @@ func NewTestCert(v cert.Version, ca cert.Certificate, key []byte, name string, b
 		panic(err)
 	}
-	return c, pub, cert.MarshalPrivateKeyToPEM(cert.Curve_CURVE25519, rawPriv), pem
+	return c, pub, cert.MarshalPrivateKeyToPEM(curve, priv), pem
 }
-func x25519Keypair() ([]byte, []byte) {
+func X25519Keypair() ([]byte, []byte) {
 	privkey := make([]byte, 32)
 	if _, err := io.ReadFull(rand.Reader, privkey); err != nil {
 		panic(err)
@ -96,3 +127,12 @@ func x25519Keypair() ([]byte, []byte) {
 	return pubkey, privkey
 }
 func P256Keypair() ([]byte, []byte) {
 	privkey, err := ecdh.P256().GenerateKey(rand.Reader)
 	if err != nil {
 		panic(err)
 	}
 	pubkey := privkey.PublicKey()
 	return pubkey.Bytes(), privkey.Bytes()
 }
--- a/e2e/handshakes_test.go
+++ b/e2e/handshakes_test.go
@ -12,6 +12,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/slackhq/nebula"
 	"github.com/slackhq/nebula/cert"
 	"github.com/slackhq/nebula/cert_test"
 	"github.com/slackhq/nebula/e2e/router"
 	"github.com/slackhq/nebula/header"
 	"github.com/slackhq/nebula/udp"
@ -20,7 +21,7 @@ import (
 )
 func BenchmarkHotPath(b *testing.B) {
-	ca, _, caKey, _ := NewTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
 	myControl, myVpnIpNet, _, _ := newSimpleServer(cert.Version1, ca, caKey, "me", "10.128.0.1/24", nil)
 	theirControl, theirVpnIpNet, theirUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "them", "10.128.0.2/24", nil)
@ -44,7 +45,7 @@ func BenchmarkHotPath(b *testing.B) {
 }
 func TestGoodHandshake(t *testing.T) {
-	ca, _, caKey, _ := NewTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
 	myControl, myVpnIpNet, myUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "me", "10.128.0.1/24", nil)
 	theirControl, theirVpnIpNet, theirUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "them", "10.128.0.2/24", nil)
@ -95,7 +96,7 @@ func TestGoodHandshake(t *testing.T) {
 }
 func TestWrongResponderHandshake(t *testing.T) {
-	ca, _, caKey, _ := NewTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
 	myControl, myVpnIpNet, myUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "me", "10.128.0.100/24", nil)
 	theirControl, theirVpnIpNet, theirUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "them", "10.128.0.99/24", nil)
@ -174,7 +175,7 @@ func TestWrongResponderHandshake(t *testing.T) {
 }
 func TestWrongResponderHandshakeStaticHostMap(t *testing.T) {
-	ca, _, caKey, _ := NewTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
 	theirControl, theirVpnIpNet, theirUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "them", "10.128.0.99/24", nil)
 	evilControl, evilVpnIp, evilUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "evil", "10.128.0.2/24", nil)
@ -262,7 +263,7 @@ func TestStage1Race(t *testing.T) {
 	// This tests ensures that two hosts handshaking with each other at the same time will allow traffic to flow
 	// But will eventually collapse down to a single tunnel
-	ca, _, caKey, _ := NewTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
 	myControl, myVpnIpNet, myUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "me  ", "10.128.0.1/24", nil)
 	theirControl, theirVpnIpNet, theirUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "them", "10.128.0.2/24", nil)
@ -339,7 +340,7 @@ func TestStage1Race(t *testing.T) {
 }
 func TestUncleanShutdownRaceLoser(t *testing.T) {
-	ca, _, caKey, _ := NewTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
 	myControl, myVpnIpNet, myUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "me  ", "10.128.0.1/24", nil)
 	theirControl, theirVpnIpNet, theirUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "them", "10.128.0.2/24", nil)
@ -388,7 +389,7 @@ func TestUncleanShutdownRaceLoser(t *testing.T) {
 }
 func TestUncleanShutdownRaceWinner(t *testing.T) {
-	ca, _, caKey, _ := NewTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
 	myControl, myVpnIpNet, myUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "me  ", "10.128.0.1/24", nil)
 	theirControl, theirVpnIpNet, theirUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "them", "10.128.0.2/24", nil)
@ -439,7 +440,7 @@ func TestUncleanShutdownRaceWinner(t *testing.T) {
 }
 func TestRelays(t *testing.T) {
-	ca, _, caKey, _ := NewTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
 	myControl, myVpnIpNet, _, _ := newSimpleServer(cert.Version1, ca, caKey, "me     ", "10.128.0.1/24", m{"relay": m{"use_relays": true}})
 	relayControl, relayVpnIpNet, relayUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "relay  ", "10.128.0.128/24", m{"relay": m{"am_relay": true}})
 	theirControl, theirVpnIpNet, theirUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "them   ", "10.128.0.2/24", m{"relay": m{"use_relays": true}})
@ -470,7 +471,7 @@ func TestRelays(t *testing.T) {
 func TestStage1RaceRelays(t *testing.T) {
 	//NOTE: this is a race between me and relay resulting in a full tunnel from me to them via relay
-	ca, _, caKey, _ := NewTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
 	myControl, myVpnIpNet, myUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "me     ", "10.128.0.1/24", m{"relay": m{"use_relays": true}})
 	relayControl, relayVpnIpNet, relayUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "relay  ", "10.128.0.128/24", m{"relay": m{"am_relay": true}})
 	theirControl, theirVpnIpNet, theirUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "them   ", "10.128.0.2/24", m{"relay": m{"use_relays": true}})
@ -519,7 +520,7 @@ func TestStage1RaceRelays(t *testing.T) {
 func TestStage1RaceRelays2(t *testing.T) {
 	//NOTE: this is a race between me and relay resulting in a full tunnel from me to them via relay
-	ca, _, caKey, _ := NewTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
 	myControl, myVpnIpNet, myUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "me     ", "10.128.0.1/24", m{"relay": m{"use_relays": true}})
 	relayControl, relayVpnIpNet, relayUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "relay  ", "10.128.0.128/24", m{"relay": m{"am_relay": true}})
 	theirControl, theirVpnIpNet, theirUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "them   ", "10.128.0.2/24", m{"relay": m{"use_relays": true}})
@ -607,7 +608,7 @@ func TestStage1RaceRelays2(t *testing.T) {
 }
 func TestRehandshakingRelays(t *testing.T) {
-	ca, _, caKey, _ := NewTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
 	myControl, myVpnIpNet, _, _ := newSimpleServer(cert.Version1, ca, caKey, "me     ", "10.128.0.1/24", m{"relay": m{"use_relays": true}})
 	relayControl, relayVpnIpNet, relayUdpAddr, relayConfig := newSimpleServer(cert.Version1, ca, caKey, "relay  ", "10.128.0.128/24", m{"relay": m{"am_relay": true}})
 	theirControl, theirVpnIpNet, theirUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "them   ", "10.128.0.2/24", m{"relay": m{"use_relays": true}})
@ -637,7 +638,7 @@ func TestRehandshakingRelays(t *testing.T) {
 	// When I update the certificate for the relay, both me and them will have 2 host infos for the relay,
 	// and the main host infos will not have any relay state to handle the me<->relay<->them tunnel.
 	r.Log("Renew relay certificate and spin until me and them sees it")
-	_, _, myNextPrivKey, myNextPEM := NewTestCert(cert.Version1, ca, caKey, "relay", time.Now(), time.Now().Add(5*time.Minute), relayVpnIpNet, nil, []string{"new group"})
+	_, _, myNextPrivKey, myNextPEM := cert_test.NewTestCert(cert.Version1, cert.Curve_CURVE25519, ca, caKey, "relay", time.Now(), time.Now().Add(5*time.Minute), relayVpnIpNet, nil, []string{"new group"})
 	caB, err := ca.MarshalPEM()
 	if err != nil {
@ -711,7 +712,7 @@ func TestRehandshakingRelays(t *testing.T) {
 func TestRehandshakingRelaysPrimary(t *testing.T) {
 	// This test is the same as TestRehandshakingRelays but one of the terminal types is a primary swap winner
-	ca, _, caKey, _ := NewTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
 	myControl, myVpnIpNet, _, _ := newSimpleServer(cert.Version1, ca, caKey, "me     ", "10.128.0.128/24", m{"relay": m{"use_relays": true}})
 	relayControl, relayVpnIpNet, relayUdpAddr, relayConfig := newSimpleServer(cert.Version1, ca, caKey, "relay  ", "10.128.0.1/24", m{"relay": m{"am_relay": true}})
 	theirControl, theirVpnIpNet, theirUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "them   ", "10.128.0.2/24", m{"relay": m{"use_relays": true}})
@ -741,7 +742,7 @@ func TestRehandshakingRelaysPrimary(t *testing.T) {
 	// When I update the certificate for the relay, both me and them will have 2 host infos for the relay,
 	// and the main host infos will not have any relay state to handle the me<->relay<->them tunnel.
 	r.Log("Renew relay certificate and spin until me and them sees it")
-	_, _, myNextPrivKey, myNextPEM := NewTestCert(cert.Version1, ca, caKey, "relay", time.Now(), time.Now().Add(5*time.Minute), relayVpnIpNet, nil, []string{"new group"})
+	_, _, myNextPrivKey, myNextPEM := cert_test.NewTestCert(cert.Version1, cert.Curve_CURVE25519, ca, caKey, "relay", time.Now(), time.Now().Add(5*time.Minute), relayVpnIpNet, nil, []string{"new group"})
 	caB, err := ca.MarshalPEM()
 	if err != nil {
@ -814,7 +815,7 @@ func TestRehandshakingRelaysPrimary(t *testing.T) {
 }
 func TestRehandshaking(t *testing.T) {
-	ca, _, caKey, _ := NewTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
 	myControl, myVpnIpNet, myUdpAddr, myConfig := newSimpleServer(cert.Version1, ca, caKey, "me  ", "10.128.0.2/24", nil)
 	theirControl, theirVpnIpNet, theirUdpAddr, theirConfig := newSimpleServer(cert.Version1, ca, caKey, "them", "10.128.0.1/24", nil)
@ -836,7 +837,7 @@ func TestRehandshaking(t *testing.T) {
 	r.RenderHostmaps("Starting hostmaps", myControl, theirControl)
 	r.Log("Renew my certificate and spin until their sees it")
-	_, _, myNextPrivKey, myNextPEM := NewTestCert(cert.Version1, ca, caKey, "me", time.Now(), time.Now().Add(5*time.Minute), myVpnIpNet, nil, []string{"new group"})
+	_, _, myNextPrivKey, myNextPEM := cert_test.NewTestCert(cert.Version1, cert.Curve_CURVE25519, ca, caKey, "me", time.Now(), time.Now().Add(5*time.Minute), myVpnIpNet, nil, []string{"new group"})
 	caB, err := ca.MarshalPEM()
 	if err != nil {
@ -911,7 +912,7 @@ func TestRehandshaking(t *testing.T) {
 func TestRehandshakingLoser(t *testing.T) {
 	// The purpose of this test is that the race loser renews their certificate and rehandshakes. The final tunnel
 	// Should be the one with the new certificate
-	ca, _, caKey, _ := NewTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
 	myControl, myVpnIpNet, myUdpAddr, myConfig := newSimpleServer(cert.Version1, ca, caKey, "me  ", "10.128.0.2/24", nil)
 	theirControl, theirVpnIpNet, theirUdpAddr, theirConfig := newSimpleServer(cert.Version1, ca, caKey, "them", "10.128.0.1/24", nil)
@ -933,7 +934,7 @@ func TestRehandshakingLoser(t *testing.T) {
 	r.RenderHostmaps("Starting hostmaps", myControl, theirControl)
 	r.Log("Renew their certificate and spin until mine sees it")
-	_, _, theirNextPrivKey, theirNextPEM := NewTestCert(cert.Version1, ca, caKey, "them", time.Now(), time.Now().Add(5*time.Minute), theirVpnIpNet, nil, []string{"their new group"})
+	_, _, theirNextPrivKey, theirNextPEM := cert_test.NewTestCert(cert.Version1, cert.Curve_CURVE25519, ca, caKey, "them", time.Now(), time.Now().Add(5*time.Minute), theirVpnIpNet, nil, []string{"their new group"})
 	caB, err := ca.MarshalPEM()
 	if err != nil {
@ -1007,7 +1008,7 @@ func TestRaceRegression(t *testing.T) {
 	// This test forces stage 1, stage 2, stage 1 to be received by me from them
 	// We had a bug where we were not finding the duplicate handshake and responding to the final stage 1 which
 	// caused a cross-linked hostinfo
-	ca, _, caKey, _ := NewTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
 	myControl, myVpnIpNet, myUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "me", "10.128.0.1/24", nil)
 	theirControl, theirVpnIpNet, theirUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "them", "10.128.0.2/24", nil)
@ -1065,7 +1066,7 @@ func TestRaceRegression(t *testing.T) {
 }
 func TestV2NonPrimaryWithLighthouse(t *testing.T) {
-	ca, _, caKey, _ := NewTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version2, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
 	lhControl, lhVpnIpNet, lhUdpAddr, _ := newSimpleServer(cert.Version2, ca, caKey, "lh  ", "10.128.0.1/24, ff::1/64", m{"lighthouse": m{"am_lighthouse": true}})
 	o := m{
--- a/e2e/helpers_test.go
+++ b/e2e/helpers_test.go
@ -18,6 +18,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/slackhq/nebula"
 	"github.com/slackhq/nebula/cert"
 	"github.com/slackhq/nebula/cert_test"
 	"github.com/slackhq/nebula/config"
 	"github.com/slackhq/nebula/e2e/router"
 	"github.com/stretchr/testify/assert"
@ -55,7 +56,7 @@ func newSimpleServer(v cert.Version, caCrt cert.Certificate, caKey []byte, name
 		budpIp[3] = 239
 		udpAddr = netip.AddrPortFrom(netip.AddrFrom16(budpIp), 4242)
 	}
-	_, _, myPrivKey, myPEM := NewTestCert(v, caCrt, caKey, name, time.Now(), time.Now().Add(5*time.Minute), vpnNetworks, nil, []string{})
+	_, _, myPrivKey, myPEM := cert_test.NewTestCert(v, cert.Curve_CURVE25519, caCrt, caKey, name, time.Now(), time.Now().Add(5*time.Minute), vpnNetworks, nil, []string{})
 	caB, err := caCrt.MarshalPEM()
 	if err != nil {
--- a/service/service_test.go
+++ b/service/service_test.go
@ -10,8 +10,8 @@ import (
 	"dario.cat/mergo"
 	"github.com/slackhq/nebula/cert"
 	"github.com/slackhq/nebula/cert_test"
 	"github.com/slackhq/nebula/config"
 	"github.com/slackhq/nebula/e2e"
 	"golang.org/x/sync/errgroup"
 	"gopkg.in/yaml.v2"
 )
@ -19,7 +19,7 @@ import (
 type m map[string]interface{}
 func newSimpleService(caCrt cert.Certificate, caKey []byte, name string, udpIp netip.Addr, overrides m) *Service {
-	_, _, myPrivKey, myPEM := e2e.NewTestCert(cert.Version2, caCrt, caKey, "a", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{netip.PrefixFrom(udpIp, 24)}, nil, []string{})
+	_, _, myPrivKey, myPEM := cert_test.NewTestCert(cert.Version2, cert.Curve_CURVE25519, caCrt, caKey, "a", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{netip.PrefixFrom(udpIp, 24)}, nil, []string{})
 	caB, err := caCrt.MarshalPEM()
 	if err != nil {
 		panic(err)
@ -79,7 +79,7 @@ func newSimpleService(caCrt cert.Certificate, caKey []byte, name string, udpIp n
 }
 func TestService(t *testing.T) {
-	ca, _, caKey, _ := e2e.NewTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version2, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
 	a := newSimpleService(ca, caKey, "a", netip.MustParseAddr("10.0.0.1"), m{
 		"static_host_map": m{},
 		"lighthouse": m{