From 8360d8fc05c2e5560e373cfc2a37df8898e2d4bf Mon Sep 17 00:00:00 2001
From: Stephan Zuercher
Date: Wed, 17 Jan 2018 16:54:25 -0800
Subject: [PATCH 1/2] test/common/ssl: check-in expired SSL certs to avoid OS X generation failure (fixes #2395)
Signed-off-by: Stephan Zuercher
---
 test/common/ssl/context_impl_test.cc | 4 +--
 test/common/ssl/gen_unittest_certs.sh | 35 ++++++-------------
 test/common/ssl/test_data/README.md | 17 ++++++---
 test/common/ssl/test_data/certs.sh | 5 +++
 .../ssl/test_data/unittest_expired_cert.cfg | 27 ++++++++++++++
 .../ssl/test_data/unittest_expired_cert.pem | 16 +++++++++
 .../ssl/test_data/unittest_expired_key.pem | 15 ++++++++
 7 files changed, 88 insertions(+), 31 deletions(-)
 create mode 100644 test/common/ssl/test_data/unittest_expired_cert.cfg
 create mode 100644 test/common/ssl/test_data/unittest_expired_cert.pem
 create mode 100644 test/common/ssl/test_data/unittest_expired_key.pem
diff --git a/test/common/ssl/context_impl_test.cc b/test/common/ssl/context_impl_test.cc
index 0dd3a2531d8d5..ee6d16e56e55f 100644
--- a/test/common/ssl/context_impl_test.cc
+++ b/test/common/ssl/context_impl_test.cc
@@ -109,8 +109,8 @@ TEST_F(SslContextImplTest, TestExpiringCert) {
 TEST_F(SslContextImplTest, TestExpiredCert) {
 std::string json = R"EOF(
 {
- "cert_chain_file": "{{ test_tmpdir }}/unittestcert_expired.pem",
- "private_key_file": "{{ test_tmpdir }}/unittestkey_expired.pem"
+ "cert_chain_file": "{{ test_rundir }}/test/common/ssl/test_data/unittest_expired_cert.pem",
+ "private_key_file": "{{ test_rundir }}/test/common/ssl/test_data/unittest_expired_key.pem"
 }
 )EOF";
diff --git a/test/common/ssl/gen_unittest_certs.sh b/test/common/ssl/gen_unittest_certs.sh
index 59d0b4420aedd..32e3c7ba8ed91 100755
--- a/test/common/ssl/gen_unittest_certs.sh
+++ b/test/common/ssl/gen_unittest_certs.sh
@@ -1,11 +1,14 @@ #!/bin/bash # -# Create a test certificate with a 15-day expiration for SSL tests +# Create a test certificate with a 15-day expiration for SSL tests. set -e -TEST_CERT_DIR=$TEST_TMPDIR -export OPENSSL_CONF="$TEST_CERT_DIR"/openssl.cnf +TEST_CERT_DIR="${TEST_TMPDIR}" + +mkdir -p "${TEST_CERT_DIR}" + +export OPENSSL_CONF="${TEST_CERT_DIR}"/openssl.cnf (cat << EOF [ req ] default_bits = 2048 @@ -33,24 +36,10 @@ commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 EOF -) > "$OPENSSL_CONF" +) > "${OPENSSL_CONF}" -mkdir -p $TEST_CERT_DIR -openssl genrsa -out $TEST_CERT_DIR/unittestkey.pem 1024 -openssl genrsa -out $TEST_CERT_DIR/unittestkey_expired.pem 1024 -openssl req -new -key $TEST_CERT_DIR/unittestkey.pem -out $TEST_CERT_DIR/unittestcert.csr \ - -sha256 < ticket_key_a openssl rand 80 > ticket_key_b openssl rand 79 > ticket_key_wrong_len +# Generate unittest_expired_cert.pem (will fail on Mac OS 10.13+, see README.md). +openssl req -new -key unittest_expired_key.pem -out unittest_expired_cert.csr -config unittest_expired_cert.cfg -batch -sha256 +openssl x509 -req -days -365 -in unittest_expired_cert.csr -signkey unittest_expired_key.pem -out unittest_expired_cert.pem + rm *csr rm *srl diff --git a/test/common/ssl/test_data/unittest_expired_cert.cfg b/test/common/ssl/test_data/unittest_expired_cert.cfg new file mode 100644 index 0000000000000..2cc5193ec4fc7 --- /dev/null +++ b/test/common/ssl/test_data/unittest_expired_cert.cfg 
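Review bot: `TEST_CERT_DIR="${TEST_TMPDIR}"` on the new side has no guard for an unset or empty TEST_TMPDIR, so the `mkdir -p "${TEST_CERT_DIR}"` added right after it fails with a bare "No such file or directory" and `set -e` aborts the script without naming the missing variable. A parameter-expansion check makes that failure self-explanatory: `TEST_CERT_DIR="${TEST_TMPDIR:?TEST_TMPDIR must be set}"`. The second hunk of this file is cut off in this view, so the generation commands that follow the config heredoc are not reviewed here.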
@@ -0,0 +1,27 @@
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = California
+
+localityName = Locality Name (eg, city)
+localityName_default = San Francisco
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Lyft
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = Test
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+commonName_default = Unit Test CA
+
+emailAddress = Email Address
+emailAddress_max = 64
+emailAddress_default = unittest@lyft.com
diff --git a/test/common/ssl/test_data/unittest_expired_cert.pem b/test/common/ssl/test_data/unittest_expired_cert.pem
new file mode 100644
index 0000000000000..61c79d454e1e4
--- /dev/null
+++ b/test/common/ssl/test_data/unittest_expired_cert.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICmzCCAgQCCQChJeVNFMOzyDANBgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMC
+VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28x
+DTALBgNVBAoMBEx5ZnQxDTALBgNVBAsMBFRlc3QxFTATBgNVBAMMDFVuaXQgVGVz
+dCBDQTEgMB4GCSqGSIb3DQEJARYRdW5pdHRlc3RAbHlmdC5jb20wHhcNMTgwMTE4
+MDEwMDE5WhcNMTcwMTE4MDEwMDE5WjCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+CkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5
+ZnQxDTALBgNVBAsMBFRlc3QxFTATBgNVBAMMDFVuaXQgVGVzdCBDQTEgMB4GCSqG
+SIb3DQEJARYRdW5pdHRlc3RAbHlmdC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBAL9RYeyNkS3mXJwsmRJgl2M6hMeAP1O11uSwbru9sWitb1brdhCRQGIc
+4OopVXoyg97mm0DjuC61+OJwpFrMlIxu56i1Lf5n7CEL1WDncO5SEf6ihsK+fUcA
+eX9kBw1Puuj9bYlYFHFu1O8r+N1R2mHI/zrwh5oPk81erZ279dxLAgMBAAEwDQYJ
+KoZIhvcNAQELBQADgYEAAoDpwg3mH37Rf/EK0VGnV31Obwls6F34Xd0+AcfCQQA/
+h9vWox2AXWQqZ0ypCdPSsR5G47E3s8JY51NVamKcwMoy4kMsgn/DFY/t7wV85o2Y
+Z48tMPR86GbhwPEYrYH7yM56FGi0X+MoekRPG7TCMTpJUJDnSJyBKo2r4nSq2oU=
+-----END CERTIFICATE-----
diff --git a/test/common/ssl/test_data/unittest_expired_key.pem b/test/common/ssl/test_data/unittest_expired_key.pem
new file mode 100644
index 0000000000000..c4b956e1f1101
--- /dev/null
+++ b/test/common/ssl/test_data/unittest_expired_key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQC/UWHsjZEt5lycLJkSYJdjOoTHgD9TtdbksG67vbForW9W63YQ
+kUBiHODqKVV6MoPe5ptA47gutfjicKRazJSMbueotS3+Z+whC9Vg53DuUhH+oobC
+vn1HAHl/ZAcNT7ro/W2JWBRxbtTvK/jdUdphyP868IeaD5PNXq2du/XcSwIDAQAB
+AoGAcVkaFzhYh0UwIScbGZQ4nQWSnVASNNpLEvqk4H4mmcoHaQvfyzkDWB2b85/B
+kMBU+L7PxMYl3Sba6e2qslD6wKEZRmxbGpssgLHWlWr/h8CXEVEmEh60I2VrDIcx
+3h4Fdb4Rhx6d3EPnYaK2Zj+7m+LP1ipeAbLPMwABsPdIKcECQQD31ruLp+ido/cR
+2fTTptGEo2LJ4xvySkB1LofL+9bzz5I0hCoMMGEXJ0egezAT8T+vTbweonbyny65
+YKXzAhxpAkEAxZ4ujkirfjqVOAq5J4KSUYpyH4h+ErSAdHbdatn+AFRiE1BZkpb1
+Fny/0gLnxnTU/zeKns9aVQteEGwOEEGskwJAFymle4bk0Z7aX3u8Su+jUz8l43Jr
+UTipT4pavLC7xSuYIXpcp6j52f0cz53Tv3ljl1GvjDlo3oIMDt0+hTikSQJBALYU
+aRDwJBLKJ3Lbbn3Y8Lfwt/YV7ROO/ExSuPAaqs3i8fqZre5C6M8vYg4+Xw+b1iTR
+KAfrRW/WaXT4Gn0gBcECQQDK6bFpQuoEZTFqThfmvfurnNZDnfWaK6As9DW0F6lA
+FMr1bcuJqVxW85hWwnf7is8sEHXUNUV3z56GFTW4S5PC
+-----END RSA PRIVATE KEY-----
From 04dfd793a6d3e3f8f2ace01da7ef704a6f4431a1 Mon Sep 17 00:00:00 2001
From: Stephan Zuercher
Date: Thu, 18 Jan 2018 10:18:47 -0800
Subject: [PATCH 2/2] address review comments
Signed-off-by: Stephan Zuercher
---
 test/common/ssl/context_impl_test.cc | 4 +--
 test/common/ssl/test_data/README.md | 11 ++++----
 test/common/ssl/test_data/certs.sh | 10 +++----
 test/common/ssl/test_data/expired_cert.pem | 15 +++++++++++
 ...ittest_expired_key.pem => expired_key.pem} | 0
 .../ssl/test_data/unittest_expired_cert.cfg | 27 -------------------
 .../ssl/test_data/unittest_expired_cert.pem | 16 ----------
 7 files changed, 28 insertions(+), 55 deletions(-)
 create mode 100644 test/common/ssl/test_data/expired_cert.pem
 rename test/common/ssl/test_data/{unittest_expired_key.pem => expired_key.pem} (100%)
 delete mode 100644 test/common/ssl/test_data/unittest_expired_cert.cfg
 delete mode 100644 test/common/ssl/test_data/unittest_expired_cert.pem
diff --git a/test/common/ssl/context_impl_test.cc b/test/common/ssl/context_impl_test.cc
index ee6d16e56e55f..b842a5a09ccc9 100644
--- a/test/common/ssl/context_impl_test.cc
+++ b/test/common/ssl/context_impl_test.cc
@@ -109,8 +109,8 @@ TEST_F(SslContextImplTest, TestExpiringCert) {
 TEST_F(SslContextImplTest, TestExpiredCert) {
 std::string json = R"EOF(
 {
- "cert_chain_file": "{{ test_rundir }}/test/common/ssl/test_data/unittest_expired_cert.pem",
- "private_key_file": "{{ test_rundir }}/test/common/ssl/test_data/unittest_expired_key.pem"
+ "cert_chain_file": "{{ test_rundir }}/test/common/ssl/test_data/expired_cert.pem",
+ "private_key_file": "{{ test_rundir }}/test/common/ssl/test_data/expired_key.pem"
 }
 )EOF";
diff --git a/test/common/ssl/test_data/README.md b/test/common/ssl/test_data/README.md
index b4a2d668f434b..7905bf545a3c0 100644
--- a/test/common/ssl/test_data/README.md
+++ b/test/common/ssl/test_data/README.md
@@ -1,5 +1,5 @@
 # What are the identities, certificates and keys
-There are 8 identities:
+There are 9 identities:
 - **CA**: Certificate Authority for **No SAN**, **SAN With URI** and **SAN With DNS**. It has the self-signed certificate *ca_cert.pem*. *ca_key.pem* is its private key.
@@ -23,11 +23,10 @@ There are 8 identities:
 is its private key.
 - **Self-signed**: The self-signed certificate *selfsigned_cert.pem*, using the config *selfsigned_cert.cfg*. *selfsigned_key.pem* is its private key.
-- **Unit Test Expired**: A self-signed, expired certificate *unittest_expired_cert.pem*,
- using the config *unittest_expired_cert.cnf*. *unitest_expired_key.pem* is its private
+- **Expired**: A self-signed, expired certificate *expired_cert.pem*,
+ using the config *selfsigned_cert.cfg*. *expired_key.pem* is its private
 key.
-
 # How to update certificates
 **certs.sh** has the commands to generate all files except the private key files. Running certs.sh directly will cause the certificate files to be
@@ -35,4 +34,6 @@ regenerated. So if you want to regenerate a particular file, please copy the
 corresponding commands from certs.sh and execute them in command line.
 
 Note that Mac OS is unable to generate the expired unit test cert starting
-with its switch from OpenSSL to LibreSSL in High Sierra (10.13).
+with its switch from OpenSSL to LibreSSL in High Sierra (10.13). Specifically,
+that version of the openssl command will not accept a non-positive "-days"
+parameter.
diff --git a/test/common/ssl/test_data/certs.sh b/test/common/ssl/test_data/certs.sh
index 482f805846f81..589a3ab8cf590 100755
--- a/test/common/ssl/test_data/certs.sh
+++ b/test/common/ssl/test_data/certs.sh
@@ -11,7 +11,7 @@ set -e
 # openssl genrsa -out san_multiple_dns_key.pem 1024
 # openssl genrsa -out san_uri_key.pem 1024
 # openssl genrsa -out selfsigned_key.pem 1024
-# openssl genrsa -out unittest_expired_key.pem 1024
+# openssl genrsa -out expired_key.pem 1024
 
 # Generate ca_cert.pem.
 openssl req -new -key ca_key.pem -out ca_cert.csr -config ca_cert.cfg -batch -sha256
@@ -51,14 +51,14 @@ openssl x509 -req -days 730 -in san_uri_cert.csr -sha256 -CA ca_cert.pem -CAkey
 # Generate selfsigned_cert.pem.
 openssl req -new -x509 -days 730 -key selfsigned_key.pem -out selfsigned_cert.pem -config selfsigned_cert.cfg -batch -sha256
 
+# Generate expired_cert.pem (will fail on Mac OS 10.13+ because of negative days value).
+openssl req -new -key expired_key.pem -out expired_cert.csr -config selfsigned_cert.cfg -batch -sha256
+openssl x509 -req -days -365 -in expired_cert.csr -signkey expired_key.pem -out expired_cert.pem
+
 # Write session ticket key files
 openssl rand 80 > ticket_key_a
 openssl rand 80 > ticket_key_b
 openssl rand 79 > ticket_key_wrong_len
 
-# Generate unittest_expired_cert.pem (will fail on Mac OS 10.13+, see README.md).
-openssl req -new -key unittest_expired_key.pem -out unittest_expired_cert.csr -config unittest_expired_cert.cfg -batch -sha256
-openssl x509 -req -days -365 -in unittest_expired_cert.csr -signkey unittest_expired_key.pem -out unittest_expired_cert.pem
-
 rm *csr
 rm *srl
diff --git a/test/common/ssl/test_data/expired_cert.pem b/test/common/ssl/test_data/expired_cert.pem
new file mode 100644
index 0000000000000..30962058a9237
--- /dev/null
+++ b/test/common/ssl/test_data/expired_cert.pem
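Review bot: The expired_cert.pem step is now placed ahead of the session-ticket-key commands and the closing `rm *csr` / `rm *srl`, while its own comment says it fails on Mac OS 10.13+; under `set -e` that failure therefore also skips the ticket-key commands and leaves `expired_cert.csr` behind. Since expired_cert.pem is checked in, the step could be allowed to fail explicitly so the rest of the script still runs, e.g. `openssl x509 -req -days -365 -in expired_cert.csr -signkey expired_key.pem -out expired_cert.pem || echo "expired_cert.pem not regenerated (openssl rejected negative -days); keeping the committed copy" >&2`. The comment should also say what negative `-days` produces: the committed certificate's validity decodes to notBefore 2018-01-18 and notAfter 2017-01-18, i.e. a certificate that was never valid rather than one that lapsed, which is fine for the expiry test but is a property a reader of the fixture should not have to discover by decoding it.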
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICazCCAdQCCQDsBjAJnQmA2DANBgkqhkiG9w0BAQsFADB6MQswCQYDVQQGEwJV
+UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEN
+MAsGA1UECgwETHlmdDEZMBcGA1UECwwQTHlmdCBFbmdpbmVlcmluZzEUMBIGA1UE
+AwwLVGVzdCBTZXJ2ZXIwHhcNMTgwMTE4MDEyMTEwWhcNMTcwMTE4MDEyMTEwWjB6
+MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2Fu
+IEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQTHlmdCBFbmdpbmVl
+cmluZzEUMBIGA1UEAwwLVGVzdCBTZXJ2ZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBAL9RYeyNkS3mXJwsmRJgl2M6hMeAP1O11uSwbru9sWitb1brdhCRQGIc
+4OopVXoyg97mm0DjuC61+OJwpFrMlIxu56i1Lf5n7CEL1WDncO5SEf6ihsK+fUcA
+eX9kBw1Puuj9bYlYFHFu1O8r+N1R2mHI/zrwh5oPk81erZ279dxLAgMBAAEwDQYJ
+KoZIhvcNAQELBQADgYEADbFxNpKsTBbe2s8oBvIpOzk2hMurd3flI+w+I4pt5etn
+3PBpVKewwxwnjUoJ01im9UL0G6u7n4DdSSftaiazXV5peSMU4dHq3x+4bAUsQQFI
+r76dCksa1N85UA0lxE9tTIxYEDbDHvmJ2rUhvaNh1hipeL77RdNPmkDvEcUHwOY=
+-----END CERTIFICATE-----
diff --git a/test/common/ssl/test_data/unittest_expired_key.pem b/test/common/ssl/test_data/expired_key.pem
similarity index 100%
rename from test/common/ssl/test_data/unittest_expired_key.pem
rename to test/common/ssl/test_data/expired_key.pem
diff --git a/test/common/ssl/test_data/unittest_expired_cert.cfg b/test/common/ssl/test_data/unittest_expired_cert.cfg
deleted file mode 100644
index 2cc5193ec4fc7..0000000000000
--- a/test/common/ssl/test_data/unittest_expired_cert.cfg
+++ /dev/null
@@ -1,27 +0,0 @@
-[ req ]
-default_bits = 2048
-distinguished_name = req_distinguished_name
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = US
-countryName_min = 2
-countryName_max = 2
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = California
-
-localityName = Locality Name (eg, city)
-localityName_default = San Francisco
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Lyft
-
-organizationalUnitName = Organizational Unit Name (eg, section)
-organizationalUnitName_default = Test
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_max = 64
-commonName_default = Unit Test CA
-
-emailAddress = Email Address
-emailAddress_max = 64
-emailAddress_default = unittest@lyft.com
diff --git a/test/common/ssl/test_data/unittest_expired_cert.pem b/test/common/ssl/test_data/unittest_expired_cert.pem
deleted file mode 100644
index 61c79d454e1e4..0000000000000
--- a/test/common/ssl/test_data/unittest_expired_cert.pem
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICmzCCAgQCCQChJeVNFMOzyDANBgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28x
-DTALBgNVBAoMBEx5ZnQxDTALBgNVBAsMBFRlc3QxFTATBgNVBAMMDFVuaXQgVGVz
-dCBDQTEgMB4GCSqGSIb3DQEJARYRdW5pdHRlc3RAbHlmdC5jb20wHhcNMTgwMTE4
-MDEwMDE5WhcNMTcwMTE4MDEwMDE5WjCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
-CkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5
-ZnQxDTALBgNVBAsMBFRlc3QxFTATBgNVBAMMDFVuaXQgVGVzdCBDQTEgMB4GCSqG
-SIb3DQEJARYRdW5pdHRlc3RAbHlmdC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
-MIGJAoGBAL9RYeyNkS3mXJwsmRJgl2M6hMeAP1O11uSwbru9sWitb1brdhCRQGIc
-4OopVXoyg97mm0DjuC61+OJwpFrMlIxu56i1Lf5n7CEL1WDncO5SEf6ihsK+fUcA
-eX9kBw1Puuj9bYlYFHFu1O8r+N1R2mHI/zrwh5oPk81erZ279dxLAgMBAAEwDQYJ
-KoZIhvcNAQELBQADgYEAAoDpwg3mH37Rf/EK0VGnV31Obwls6F34Xd0+AcfCQQA/
-h9vWox2AXWQqZ0ypCdPSsR5G47E3s8JY51NVamKcwMoy4kMsgn/DFY/t7wV85o2Y
-Z48tMPR86GbhwPEYrYH7yM56FGi0X+MoekRPG7TCMTpJUJDnSJyBKo2r4nSq2oU=
------END CERTIFICATE-----