diff --git a/Makefile.local b/Makefile.local index 88130b7..8a455d0 100644 --- a/Makefile.local +++ b/Makefile.local @@ -12,7 +12,7 @@ server client: .PHONY: test test: - $(GO) test -v -race ./... + $(GO) test -v -count=1 -race ./... .PHONY: fmt fmt: diff --git a/client/client.go b/client/client.go new file mode 100644 index 0000000..ec3534e --- /dev/null +++ b/client/client.go @@ -0,0 +1,22 @@ +package client + +import ( + "context" + "time" + + "google.golang.org/grpc" +) + +func DialContextWithTimeout(ctx context.Context, timeout time.Duration, target string, opts ...grpc.DialOption) (*grpc.ClientConn, error) { + ctxWithTimeout, cancel := context.WithTimeout(ctx, timeout) + defer cancel() + + return grpc.DialContext( + ctxWithTimeout, + target, + append( + opts, + grpc.WithReturnConnectionError(), + )..., + ) +} diff --git a/cmd/client/main.go b/cmd/client/main.go index da29a2c..fa8b1cd 100644 --- a/cmd/client/main.go +++ b/cmd/client/main.go 
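Review bot: DialContextWithTimeout in client/client.go is exported without a doc comment, and its blocking behaviour is not visible from the signature: `grpc.WithReturnConnectionError()` implies `grpc.WithBlock()`, so the call returns only once the connection is ready (TLS handshake included) or `timeout` has elapsed. I would state that on the function, e.g. `// DialContextWithTimeout dials target and blocks until the connection is ready or timeout expires; the timeout bounds the dial only, not later RPCs.` Separately, `append(opts, ...)` can write into the caller's backing array when a slice with spare capacity is passed as `opts...`; clipping the capacity first avoids that: `dialOpts := append(opts[:len(opts):len(opts)], grpc.WithReturnConnectionError())`. DialBufconn in mtls/bufconn_test.go uses the same append pattern.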
@@ -1,4 +1,50 @@ package main +import ( + "context" + "flag" + "log" + "time" + + "google.golang.org/grpc" + + "github.com/andrejtokarcik/jobworker/client" + "github.com/andrejtokarcik/jobworker/mtls" +) + +var ( + serverAddress string + connTimeout time.Duration + credsFiles mtls.CredsFiles +) + +func init() { + flag.StringVar(&serverAddress, "server", "127.0.0.1:50051", "Address of the server to connect to") + flag.DurationVar(&connTimeout, "timeout", 5*time.Second, "Connection timeout") + + flag.StringVar(&credsFiles.Cert, "client-cert", "client.crt", "Certificate file to use for the client") + flag.StringVar(&credsFiles.Key, "client-key", "client.key", "Private key file to use for the client") + flag.StringVar(&credsFiles.PeerCACert, "server-ca-cert", "server-ca.crt", "Certificate file of the CA to authenticate the server") +} + func main() { + flag.Parse() + + creds, err := mtls.NewClientCreds(credsFiles) + if err != nil { + log.Fatal("Failed to load mTLS credentials: ", err) + } + + conn, err := client.DialContextWithTimeout( + context.Background(), + connTimeout, + serverAddress, + grpc.WithTransportCredentials(creds), + ) + if err != nil { + log.Fatal("Failed to dial server: ", err) + } + defer conn.Close() + + log.Print("Successfully connected to server at ", serverAddress) } diff --git a/cmd/server/main.go b/cmd/server/main.go index da29a2c..5b4c5b4 100644 --- a/cmd/server/main.go +++ b/cmd/server/main.go 
@@ -1,4 +1,46 @@ package main +import ( + "flag" + "fmt" + "log" + "net" + + "google.golang.org/grpc" + + "github.com/andrejtokarcik/jobworker/mtls" + "github.com/andrejtokarcik/jobworker/server" +) + +var ( + grpcPort int + credsFiles mtls.CredsFiles +) + +func init() { + flag.IntVar(&grpcPort, "grpc-port", 50051, "Port to expose the gRPC server on") + + flag.StringVar(&credsFiles.Cert, "server-cert", "server.crt", "Certificate file to use for the server") + flag.StringVar(&credsFiles.Key, "server-key", "server.key", "Private key file to use for the server") + flag.StringVar(&credsFiles.PeerCACert, "client-ca-cert", "client-ca.crt", "Certificate file of the CA to authenticate the clients") +} + func main() { + flag.Parse() + + creds, err := mtls.NewServerCreds(credsFiles) + if err != nil { + log.Fatal("Failed to load mTLS credentials: ", err) + } + grpcServer := server.New(grpc.Creds(creds)) + + listener, err := net.Listen("tcp", fmt.Sprintf(":%d", grpcPort)) + if err != nil { + log.Fatal("Failed to listen: ", err) + } + + log.Print("Starting gRPC server at ", listener.Addr()) + if err := grpcServer.Serve(listener); err != nil { + log.Fatal("Failed to serve: ", err) + } } diff --git a/go.mod b/go.mod index 51063ba..8706143 100644 --- a/go.mod +++ b/go.mod @@ -4,5 +4,6 @@ go 1.15 require ( github.com/gogo/protobuf v1.3.1 - google.golang.org/grpc v1.33.0 + github.com/stretchr/testify v1.6.1 + google.golang.org/grpc v1.33.1 ) diff --git a/go.sum b/go.sum index 1067d83..e184124 100644 --- a/go.sum +++ b/go.sum 
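Review bot: `net.Listen("tcp", fmt.Sprintf(":%d", grpcPort))` in cmd/server/main.go binds every interface on the host, and the only setting offered is the port. mTLS still decides who can complete a handshake, but the listener is reachable from every network the machine is attached to. A listen-address flag with a loopback default would make wider exposure an explicit choice, e.g. `flag.StringVar(&listenAddr, "listen", "127.0.0.1:50051", "Address to expose the gRPC server on")` followed by `net.Listen("tcp", listenAddr)`. `Serve` also runs without any signal handling, so the process has no path to `GracefulStop()`.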
@@ -3,12 +3,15 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/mock v1.1.1 h1:G5FRp8JnTd7RQH5kemVNlMeyXQAztQ3mOWV95KxsXH8= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 
@@ -17,10 +20,17 @@ github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaW github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -55,7 +65,11 @@ google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= -google.golang.org/grpc v1.33.0 h1:IBKSUNL2uBS2DkJBncPP+TwT0sp9tgA8A75NjHt6umg= -google.golang.org/grpc v1.33.0/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= +google.golang.org/grpc v1.33.1 h1:DGeFlSan2f+WEtCERJ4J9GJWk15TxUi8QGagfI87Xyc= +google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/mtls/bufconn_test.go b/mtls/bufconn_test.go new file mode 100644 index 0000000..65f77ed --- /dev/null +++ b/mtls/bufconn_test.go 
@@ -0,0 +1,65 @@
+package mtls_test
+
+import (
+ "context"
+ "net"
+ "time"
+
+ "github.com/stretchr/testify/suite"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/test/bufconn"
+
+ "github.com/andrejtokarcik/jobworker/client"
+ "github.com/andrejtokarcik/jobworker/server"
+)
+
+type BufconnConfig struct {
+ BufSize int
+ ClientTimeout time.Duration
+}
+
+type BufconnSuite struct {
+ suite.Suite
+ BufconnConfig
+ grpcServer *grpc.Server
+ listener *bufconn.Listener
+}
+
+func NewBufconnSuite() (suite BufconnSuite) {
+ suite.BufconnConfig = BufconnConfig{
+ BufSize: 1024 * 1024,
+ ClientTimeout: 1 * time.Second,
+ }
+ return
+}
+
+func (suite *BufconnSuite) SetupBufconn(opts ...grpc.ServerOption) {
+ suite.grpcServer = server.New(opts...)
+ suite.listener = bufconn.Listen(suite.BufSize)
+ go func() {
+ if err := suite.grpcServer.Serve(suite.listener); err != nil {
+ panic(err)
+ }
+ }()
+}
+
+func (suite *BufconnSuite) TearDownBufconn() {
+ suite.listener.Close()
+ suite.grpcServer.Stop()
+}
+
+func (suite *BufconnSuite) contextDialer(context.Context, string) (net.Conn, error) {
+ return suite.listener.Dial()
+}
+
+func (suite *BufconnSuite) DialBufconn(serverName string, opts ...grpc.DialOption) (*grpc.ClientConn, error) {
+ return client.DialContextWithTimeout(
+ context.Background(),
+ suite.ClientTimeout,
+ serverName,
+ append(
+ opts,
+ grpc.WithContextDialer(suite.contextDialer),
+ )...,
+ )
+}
diff --git a/mtls/creds.go b/mtls/creds.go
new file mode 100644
index 0000000..46c970e
--- /dev/null
+++ b/mtls/creds.go
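Review bot: TearDownBufconn closes the listener before stopping the server, while the goroutine started in SetupBufconn panics on any non-nil error from `Serve`. As far as I know, `Serve` returns nil after a failed Accept only once `Stop` has been called, so closing the listener first can make it return the listener's close error and bring the whole test binary down from a background goroutine. `Stop()` already closes the listeners the server is serving on, so the teardown can be just `suite.grpcServer.Stop()`.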
@@ -0,0 +1,65 @@
+package mtls
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "errors"
+ "io/ioutil"
+
+ "google.golang.org/grpc/credentials"
+)
+
+type CredsFiles struct {
+ Cert, Key, PeerCACert string
+}
+
+type loadedCredsFiles struct {
+ cert tls.Certificate
+ peerCAPool *x509.CertPool
+}
+
+func loadCredsFiles(credsFiles CredsFiles) (*loadedCredsFiles, error) {
+ cert, err := tls.LoadX509KeyPair(credsFiles.Cert, credsFiles.Key)
+ if err != nil {
+ return nil, err
+ }
+
+ peerCACert, err := ioutil.ReadFile(credsFiles.PeerCACert)
+ if err != nil {
+ return nil, err
+ }
+
+ peerCAPool := x509.NewCertPool()
+ if ok := peerCAPool.AppendCertsFromPEM(peerCACert); !ok {
+ return nil, errors.New("failed to append to peer CA cert pool")
+ }
+
+ return &loadedCredsFiles{cert, peerCAPool}, nil
+}
+
+func NewServerCreds(serverFiles CredsFiles) (credentials.TransportCredentials, error) {
+ loaded, err := loadCredsFiles(serverFiles)
+ if err != nil {
+ return nil, err
+ }
+
+ config := &tls.Config{
+ Certificates: []tls.Certificate{loaded.cert},
+ ClientAuth: tls.RequireAndVerifyClientCert,
+ ClientCAs: loaded.peerCAPool,
+ }
+ return credentials.NewTLS(config), nil
+}
+
+func NewClientCreds(clientFiles CredsFiles) (credentials.TransportCredentials, error) {
+ loaded, err := loadCredsFiles(clientFiles)
+ if err != nil {
+ return nil, err
+ }
+
+ config := &tls.Config{
+ Certificates: []tls.Certificate{loaded.cert},
+ RootCAs: loaded.peerCAPool,
+ }
+ return credentials.NewTLS(config), nil
+}
diff --git a/mtls/mtls_test.go b/mtls/mtls_test.go
new file mode 100644
index 0000000..3b6d4e0
--- /dev/null
+++ b/mtls/mtls_test.go
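Review bot: Neither `tls.Config` built in NewServerCreds and NewClientCreds sets `MinVersion`, so the protocol floor is whatever the toolchain defaults to; go.mod declares `go 1.15`, and crypto/tls of that era accepts TLS 1.0 by default on both sides. Both peers appear to be built from this repository, so there is no legacy peer to accommodate: add `MinVersion: tls.VersionTLS13,` (or `tls.VersionTLS12` if older peers must connect) to both configs. The bare `return nil, err` paths in loadCredsFiles would be easier to act on if they said which input failed, e.g. `fmt.Errorf("loading peer CA certificate %q: %w", credsFiles.PeerCACert, err)`. A doc comment on NewServerCreds should also state that any certificate chaining to the configured client CA is accepted, so authorization of individual client identities has to happen elsewhere.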
@@ -0,0 +1,101 @@ +package mtls_test + +import ( + "errors" + "testing" + + "github.com/stretchr/testify/suite" + "google.golang.org/grpc" + + "github.com/andrejtokarcik/jobworker/mtls" +) + +type mTLSTestSuite struct { + BufconnSuite +} + +type mTLSTestCase struct { + clientCredsFiles mtls.CredsFiles + serverName string + expectedErr error +} + +func (suite *mTLSTestSuite) SetupSuite() { + serverCreds, err := mtls.NewServerCreds(mtls.CredsFiles{ + Cert: "testdata/server-ca/server1.crt", + Key: "testdata/server-ca/server1.key", + PeerCACert: "testdata/client-ca.crt", + }) + if err != nil { + panic(err) + } + + suite.SetupBufconn(grpc.Creds(serverCreds)) +} + +func (suite *mTLSTestSuite) TearDownSuite() { + suite.TearDownBufconn() +} + +func (suite *mTLSTestSuite) runTestCase(tc mTLSTestCase) { + clientCreds, err := mtls.NewClientCreds(tc.clientCredsFiles) + suite.Require().Nil(err, err) + + conn, err := suite.DialBufconn( + tc.serverName, + grpc.WithTransportCredentials(clientCreds), + ) + if conn != nil { + defer conn.Close() + } + + if tc.expectedErr == nil { + suite.Require().Nil(err, err) + } else { + suite.Require().NotNil(err) + suite.Assert().Contains(err.Error(), tc.expectedErr.Error()) + } +} + +func validTestCase() mTLSTestCase { + return mTLSTestCase{ + clientCredsFiles: mtls.CredsFiles{ + Cert: "testdata/client-ca/client1.crt", + Key: "testdata/client-ca/client1.key", + PeerCACert: "testdata/server-ca.crt", + }, + serverName: "server1", + expectedErr: nil, + } +} + +func (suite *mTLSTestSuite) TestValidCreds() { + tc := validTestCase() + suite.runTestCase(tc) +} + +func (suite *mTLSTestSuite) TestWrongServerCA() { + tc := validTestCase() + tc.clientCredsFiles.PeerCACert = "testdata/server-ca2.crt" + tc.expectedErr = errors.New("x509: certificate signed by unknown authority") + suite.runTestCase(tc) +} + +func (suite *mTLSTestSuite) TestSelfSignedClientCert() { + tc := validTestCase() + tc.clientCredsFiles.Cert = "testdata/self-signed.crt" + 
tc.clientCredsFiles.Key = "testdata/self-signed.key" + tc.expectedErr = errors.New("context deadline exceeded") + suite.runTestCase(tc) +} + +func (suite *mTLSTestSuite) TestInvalidServerName() { + tc := validTestCase() + tc.serverName = "server2" + tc.expectedErr = errors.New("x509: certificate is valid for server1, not server2") + suite.runTestCase(tc) +} + +func TestMutualTLS(t *testing.T) { + suite.Run(t, &mTLSTestSuite{NewBufconnSuite()}) +} diff --git a/mtls/testdata/Makefile.local b/mtls/testdata/Makefile.local new file mode 100644 index 0000000..23469eb --- /dev/null +++ b/mtls/testdata/Makefile.local @@ -0,0 +1,51 @@ +OPENSSL ?= openssl +KEY_LENGTH := 4096 + +CA_CERTS ?= client-ca.crt server-ca.crt server-ca2.crt +CA_SIGNED_CERTS ?= client-ca/client1.crt server-ca/server1.crt +SELF_SIGNED_CERTS ?= self-signed.crt +ALL_SIGNING_REQUESTS = $(patsubst %.crt, %.csr, $(CA_SIGNED_CERTS) $(SELF_SIGNED_CERTS)) + +CA_CERT_DAYS := 365 +CA_SIGNED_CERT_DAYS := 60 +SELF_SIGNED_CERT_DAYS := 365 + +.PHONY: all +all: $(CA_CERT) $(CA_SIGNED_CERTS) $(SELF_SIGNED_CERTS) + +%.key: + mkdir -p $(@D) + $(OPENSSL) genpkey -algorithm RSA \ + -pkeyopt rsa_keygen_bits:$(KEY_LENGTH) \ + -out $@ + +$(CA_CERTS): %.crt: %.key + $(OPENSSL) req -new -x509 \ + -days $(CA_CERT_DAYS) \ + -subj "/CN=$(*F)" \ + -out $@ -key $< + +$(ALL_SIGNING_REQUESTS): %.csr: %.key + $(OPENSSL) req -new \ + -subj "/CN=$(*F)" \ + -out $@ -key $< + +$(CA_SIGNED_CERTS): $(CA_CERTS) +$(CA_SIGNED_CERTS): %.crt: %.csr + DNSNAME=$(*F) $(OPENSSL) x509 -req \ + -days $(CA_SIGNED_CERT_DAYS) \ + -CA $(@D).crt -CAkey $(@D).key -CAcreateserial \ + -extfile san.cnf \ + -out $@ -in $< + +$(SELF_SIGNED_CERTS): %.crt: %.csr + DNSNAME=$(*F) $(OPENSSL) x509 -req \ + -days $(SELF_SIGNED_CERT_DAYS) \ + -signkey $(@:.crt=.key) \ + -extfile san.cnf \ + -out $@ -in $< + +.PHONY: clean +clean: + -rm -f *.key *.crt *.csr *.srl + -rm -f **/*.key **/*.crt **/*.csr **/*.srl 
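Review bot: TestSelfSignedClientCert expects `context deadline exceeded`, which is what the blocking dial returns whenever the connection fails to become ready within ClientTimeout, so the test would also pass if the server never started or was simply slow. Presumably the rejection shows up this way because the client finishes its side of the handshake before the server has verified the client certificate; if so, say it above the expectation, e.g. `// the server's rejection of the client cert reaches the client only as a failed blocking dial`. A server-side assertion that the handshake was refused would make this case prove what its name claims. The other negative cases match exact x509 error text, which ties them to one Go version's wording.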
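Review bot: The `all` target in mtls/testdata/Makefile.local lists `$(CA_CERT)`, which is never defined (the variable is `CA_CERTS`), so it expands to nothing and the CA certificates get built only because `$(CA_SIGNED_CERTS)` depends on `$(CA_CERTS)`; it should read `all: $(CA_CERTS) $(CA_SIGNED_CERTS) $(SELF_SIGNED_CERTS)`. More important for the suite: `CA_SIGNED_CERT_DAYS := 60` and the generated files are committed next to this Makefile, so the fixtures used by the mTLS tests stop validating two months after generation and the tests then fail for reasons unrelated to the code. Generating the certificates at test time, or giving the fixtures a long validity, would avoid that. The CA and leaf private keys are committed as well, so a short comment at the top of this Makefile stating that they are test-only and must never be added to a real trust store would be appropriate.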
diff --git a/mtls/testdata/client-ca.crt b/mtls/testdata/client-ca.crt new file mode 100644 index 0000000..ea2e944 --- /dev/null +++ b/mtls/testdata/client-ca.crt @@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE+zCCAuOgAwIBAgIJAJBicsoEHYpfMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV +BAMMCWNsaWVudC1jYTAeFw0yMDEwMjgyMTM0MDlaFw0yMTEwMjgyMTM0MDlaMBQx +EjAQBgNVBAMMCWNsaWVudC1jYTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC +ggIBANFrcUW7km1FF4nOqsv9jr6BAjh6JPQSpruSUOgLBkpfh0vv0POUK3OSP7Go +HAzjwqUjWW3b1yxvzb61RIWychCetriCIt1KsbWRABQzYz2FNqjzhRxhcbO6YzjF +8KIJOvV8mpm9HbqYNNm64ZI1n+eAzxkHcpssogjRzZTN3kW8w+deF3yG2eCh/NGe +6mVprlSGLj/RgtUcdjbwQ2YYeOKiuUMfZ/H+nGcOL1A1gB4DqAT/QoCg3pxWaBJX +TNzfegFqZSiXheqi//ohwBGhgNRb+tysUShTkrA/nB55oIoDQkYi/PLEv+S0/nBS +mMDRG029PDOKNQH1qw7zlrUd9jX2MctdTOjdiveNXJxYIARA9zGxLUpZA8uJSF+E +/3uM4fKKwg+RbapoN2PAvje1gO2ARel89E7kyriKanPZ5RtQ+MIE+KW/H86cUk2J +Sduv/xZVrzDqOphQTJucjQ1Dckn2taYqNjWprIzkS2LBlKn9sYm0e7fZCzZV+452 +sKP9UpBnX2Z4ojW0cajiCrntbbl9uIGfq8PTi5LuufxBuup7vtEFiLh/e3MUdxrD +4WsMzCAHeoEVET1EE6tHvaOPo/qmydAzJsjKguH0oGITAo/WX10CjdVOHc8GXwyo +SrzXGatvYPpg+9YuznpN2EtkdXfE+Q9K1+q2LILppCXbua+PAgMBAAGjUDBOMB0G +A1UdDgQWBBT6cT4yWFLUCqwUTHGJSykTRMTGYTAfBgNVHSMEGDAWgBT6cT4yWFLU +CqwUTHGJSykTRMTGYTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAz +LF5cO+m3gnwgz8ZVCKe4QT0o/fPBIieJH0xuoY3SzvA0MgQCFIR/3jiN+EVPPohX +cWmrsGIfVOUCdALWI2VHGr1fnswML5/EASUTjpkeXhpz9xuFbLxNnlWLUf3Xqjnw +8nnobbCl8Kaq/Qye/4C8dWtU6jo/YrC0st9F353n4/caCwfx/9KbQdOQb+Mwtzbu +9KduAyGB60AeHMdNivdGRGHvEp3lGn7p1II11WkBvoSJJh5icwqfClJmysP2NFDY +B3/c7uQoV4RYFzqqBP1NP9Bo38nf9wRd6L19m8Y5hZsYLQ1zI05MEzP+wbwnd8r3 +8OFcfQ8gHQzCAPvihk+qMSZ3BVz1HShYtr+B7DczfGrXc2I44PlpgD5tMgZHujSl +9W3nwzbeoiQRjuiuYI1ltdR+0wTvnvSp2oRwDne8O5e8e3OiAIP3El+ezLUSarv6 +pZaaszlfm70g4wwGXymkAnIkzpBGyp/7gtfKkpmQTomQMhzKaq+SZDKlyxFGZ/JT +qv3xG6pCjiO0iOpDl7LhHW4AwZQr5FswqazA+ixR+1xy9zfLE4wz8zLywOoVooxN +klE6geWxmw+crWpcoGUKv5toZx3ZWsaRJjhGkpFynbii/CQqpQeJaqkAAPrQQIcy +R9ykM8X9/jTxk3KwO7lvfUNMcw53YYDNSwKKfuNCvQ== +-----END CERTIFICATE----- 
diff --git a/mtls/testdata/client-ca.key b/mtls/testdata/client-ca.key new file mode 100644 index 0000000..31c1ffb --- /dev/null +++ b/mtls/testdata/client-ca.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDRa3FFu5JtRReJ +zqrL/Y6+gQI4eiT0Eqa7klDoCwZKX4dL79DzlCtzkj+xqBwM48KlI1lt29csb82+ +tUSFsnIQnra4giLdSrG1kQAUM2M9hTao84UcYXGzumM4xfCiCTr1fJqZvR26mDTZ +uuGSNZ/ngM8ZB3KbLKII0c2Uzd5FvMPnXhd8htngofzRnuplaa5Uhi4/0YLVHHY2 +8ENmGHjiorlDH2fx/pxnDi9QNYAeA6gE/0KAoN6cVmgSV0zc33oBamUol4Xqov/6 +IcARoYDUW/rcrFEoU5KwP5weeaCKA0JGIvzyxL/ktP5wUpjA0RtNvTwzijUB9asO +85a1HfY19jHLXUzo3Yr3jVycWCAEQPcxsS1KWQPLiUhfhP97jOHyisIPkW2qaDdj +wL43tYDtgEXpfPRO5Mq4impz2eUbUPjCBPilvx/OnFJNiUnbr/8WVa8w6jqYUEyb +nI0NQ3JJ9rWmKjY1qayM5EtiwZSp/bGJtHu32Qs2VfuOdrCj/VKQZ19meKI1tHGo +4gq57W25fbiBn6vD04uS7rn8Qbrqe77RBYi4f3tzFHcaw+FrDMwgB3qBFRE9RBOr +R72jj6P6psnQMybIyoLh9KBiEwKP1l9dAo3VTh3PBl8MqEq81xmrb2D6YPvWLs56 +TdhLZHV3xPkPStfqtiyC6aQl27mvjwIDAQABAoICADpZSVI4lO/FFG3dG1GC8Ea8 +AzZhMfKfT71rYweEKtiGDVhnFT0Ix6KH2R9Sy537x7vjQYOOgUFsVVMRhmoJ8iYX +UqnN+JDXwvPn1rHKL5hwiW5Bi5EAxYFiKUskO4uqLrc/ZIP5YVMgHXmczETElC0Y +gptiq9f4c50pd7JCOfAMTDkmyjx0BjjEaYCuWnivHVeHm1NEuMNQDs/32Y+UufnL +hPriwT93xXQhS6V5gpzaP/JEfO8B44SDvrN9h3jy+zdxwYWx0ioyCEhVJwLCkPaa +OidKC8LEplZdIs6K7OQHTGvmS7wIfb7nfw0ktlLi8EyUsTVbCLHnFSYxUIheNL8K +4j+ZTtcGVEAyzCyJPozRnRnVc17K0spSdD2Vv/peIzXhPwn5eUw803u/dvaI8PvZ +VxA/ZWvXNCCSOQGQ+ZJDYrLsFzf1G4AI16zDt7IweMNxkVWHLCUPpocmxPagRMbc +1ladOq9uoXIp/3/2nZrFv3jNX/FGyEM72QWLXx0tmbS+69iJ3jm4jPWyB0IFv9L1 +Q7wz2OWY3fKbhzyIxphxVrLDyB6WINlo7gCRalmlVb9jW57iqsnXZmJOx2We7UAu +StNIbJ5yQds/4r96ELNi8xtQY0i/7wicnoosZXNmN2LElGNEsoImEiLwbJOu1MCh +yBQTSonk4gWOKioY9FVBAoIBAQD4s/AB3EeNYVJ2VHFKEASSRuyhAaxLh+MYxkmt +PTDW6WEs0NJDZX+Tp5o79KorsW5WyH2poXpoqX/OpHpbyPSfKzU/IRMgg9vhrodm +bpa8TgCiZf4zKTeNfBp85RHmAraTvPobvwt2YhSzgQTHaP2ONtldyWDu3F0Y0UME +mfl03fx61FP6FKQRNiY501neOT4o31sM28Eli8am24Hs6SaWlfPuv25505i/KeEA +UmzEnjfTzFI9tYWzVf+rNDY4TcEi7fJP9rw+L6U2DTlKFrJWLfDsZpbWujwfwKQj +yaC/F+YEP7TBod30REDclXJfLkmSt+EV+aRNTrYcwdxDXDLZAoIBAQDXkHCzj84o +6unMxzz689F4mgOjsm11JtH9kQ7OF2r7iu70yBaoxxeCaPj55eaXx+o9eCClNA2t 
+MwB0FRrU7qA0OpdGyx9feNOoFOsoHxkYjNvoC5SCcUUBPGq64X/OVLnj4T0jehJZ +MBnuCIfzXPKLCeDkHflH7N8gKzqBG8L5MIVyZSumVIrehryZymnNkR03QcX0mUHb +F86diB2To9HNuw9NB7pRCJhqZUMxfQFQiyfysusQ3yilUZUbiBNbq7OMkKSV2zew +RHeorROhuECY1TJjcxpOdFVxe2A7m2nhPCKtmGK2UaFMXnf9k8SdwBgQ0le2tdNY +Cz7rDuwuHiSnAoIBAEXRTclX64ZXEe1CG2OtR3tBCeDRNWsmxKwJzlkh2noanjsU +jFJ7RetPm87FCpilgNJACnb6bADBxK1gIzFtIq8kVBha0qHIIowikMRCu3I1e5wb +gdce9Qd1FYKGVBX8IQEshhIP+cnMEv+pcowAf13TLAZWKC4mEsSKyoOaLhuOzfg1 +bzW/YaerSePl306xRy/2M/tSHdDKgoQJD1pQwZJ4mjgl6X+t1S2lNhL/EKXJvOZq +b5P/R39m3xVS3P3FZjjGD8Y+/+19NqYL5E9WO85Rq1bSHfo94e8QB4Q8cDH1JY9/ +yuCo7kRKfOLv2WG6/tB/amLe6C8Dr8A28/y8/1ECggEBAICxdPdehUAcbxSYZimU +YpxTppSWM47bbEar0WDsziv6mAp/YjfFFJ4AuZPH01EOQyQLkcHPP9MFPeIPr4Ms +K2zDBgl3vvUql4Ijavj7B+qGPctdDn6JzR6dyUJk2f5+yrPnhq6ldErW0sQvR6rc +9NhZP3AxDOAJ5HO6GyV1Q4Otmh3flJ2qn3WWjwZpt5zIY97XX61VyeFZZzrZRn8c +MGdYpBvi3zL9pLDwX5st/Bjv2xukAX6DHCsGd7SGGriB26GxwPDOfYK4fY+wNKY5 +8CbOMVT6JNxty40CkUNE14NmeXWWImiid1+2joBPNfTP+A4i5cbo6pIHtLp0oEAw +MsUCggEAPhTGtlZMNZHafp+cmfsycZpakbQbpQ9UAvaPYKf8qv1aNk5fewhxTcPf +mbX5Woh0jg9pa3GRjFoiub9YayKzi6ffTJZLmHSLpj9oR87keSDgZa9dC97xBmXw +C8trV1n36nfALqbrs5BHMuIHg4L7dB68scyxaHzOIoBgNreMAFe5YQzysfEju6Ea +ghu2QKtBC+Nv8cxjsh/FEkCHF093GACugAiVw3kd0PviCt4Y/oK9LJOJTwLuC8YH +wGhmoEcStd5Yl4Q/F9bQlzQDKR9308nyrnxVPm2cScde6uut+sNOaaX+EySjBdjQ +Wdp5DO5V6/vkmBP/VFxIHDJ0F7dCBg== +-----END PRIVATE KEY----- diff --git a/mtls/testdata/client-ca.srl b/mtls/testdata/client-ca.srl new file mode 100644 index 0000000..33716fc --- /dev/null +++ b/mtls/testdata/client-ca.srl @@ -0,0 +1 @@ +8E86E7BAC20F4E9F diff --git a/mtls/testdata/client-ca/client1.crt b/mtls/testdata/client-ca/client1.crt new file mode 100644 index 0000000..ccf8cdf --- /dev/null +++ b/mtls/testdata/client-ca/client1.crt 
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIExTCCAq2gAwIBAgIJAI6G57rCD06fMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV +BAMMCWNsaWVudC1jYTAeFw0yMDEwMjgyMTM0MTFaFw0yMDEyMjcyMTM0MTFaMBIx +EDAOBgNVBAMMB2NsaWVudDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC +AQCzeC4FhkosyIndcn+FFU/CSnjyucyIgRTKLLipKQlVrBaIzBGABh3nkm0M1Jxm +3krebV3ioIYGB8H8GbHljiOUbVRH7voLXDdVpCLXRJmz7VuV6M1Ia8Dx7+boAru3 +eEalpYKH1U2fDFjvqod/Dmka2Wxoq9UV867DtRDv3nIN4zBN0XgwvhbPIqYpoEEi +4a3OnQBr4nvfRaXrc0DkRjQWfAbRnjyThoOW0YqKVoQnpBX2+T8wyB78gmbNFtKx +ukzReIk5rtZP+rbJIlFTvNxKH8EYoeNWfac9lSbE8dMCa/+T+S0jF/VZcJ61YIcx +u7mWTWORKzCgVrOf9iugWzRYXb69t/tGqQt7xhqY+lWCn0h8LEsBKJdzyd7yXUmJ +6lY59sdg14LthZx7ZPvsJi8FlqZLHlO5Xg1j7QYCs33dETRcAP5DL02GXYkBo7/2 +DN1AnFA4bOsuAUnTpQQ3EblQT/VGdKSlOKFIuHKegZiCaCQDkAJwe8ZZrLjy1kBC +4QBDzIs233IXBYQwOMpK0SVcTEWpJc0Df6art25g09aQkVdfn+J366NY7x3q7sAT +ZMR9FAVJpayULXNxGlolrRATWRwBREYR9jWtNkun7SF1gePvkOZMoQqXPoJ+0fNl +EJ8jUQyAVAROG8Y/Pi+WD2Qfgzio/6Nd2e7DI8ZaOJzzPQIDAQABoxwwGjAYBgNV +HREEETAPggdjbGllbnQxhwR/AAABMA0GCSqGSIb3DQEBCwUAA4ICAQB1+VlAXOX5 +wRijnz1dz1iUEOM3TXxh2QgP/Bdl68XbLKOsDL8VfsP5xS2t960X9XFusMb03rRB +dyHvUYK2MtkSCeC9dcrz+fmqbyEd5NrMePB96nSQ0nB47ZisFWQtom8qxP4MhOMo +2Jgkjku2zEAEeLpJaC8B5SZw0rUrwwvYvSxefd6YuLRmHlj+5Qai+CkLA4sEHHdj +811FNpfJn7C38AQ+NJK7BHWKQ6IZEmFSYfK/YLIXDDLJkvks1pRe7F97uy0VHOLT +pXmibPO5MC0TKWcmqHysfX8SEgVyqBM3EAFeQOh2DiTfAb98CysW3VK/ydee7Ko9 +q1rr4F/AOo29SCEApsppWL0bCwEkSHb22ly/AwtFSTOkwyF7WY5dLnuDtbpkQbN3 +m1PMBvghgeEga1ISzFfoe40PvbRiQjy0qFvvrg8idOzE8I0dRSjiGA/2JJuW5n/D +zlYsY6ud8vUpCdu74jRy1JiegT5L4ThknfHjVxJsOmMYilAaiO/4SrKrNElff4TF +kmykZAMiKyx/3tbfxWS0W84xKip4f4fztZXkwINYvF/HMklAFPnxhVnmvBAgX0uB +elVuraOq+VSIZDg/0CGmgIcWZjCASzdYUy6Z1wKXd4wGuHWjwKcmcx8qLTIyHga3 +YjZfQ48+9UxTwVRDns6KY6Dl8+ekWUr5KQ== +-----END CERTIFICATE----- diff --git a/mtls/testdata/client-ca/client1.csr b/mtls/testdata/client-ca/client1.csr new file mode 100644 index 0000000..ecc29c3 --- /dev/null +++ b/mtls/testdata/client-ca/client1.csr 
@@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIEVzCCAj8CAQAwEjEQMA4GA1UEAwwHY2xpZW50MTCCAiIwDQYJKoZIhvcNAQEB +BQADggIPADCCAgoCggIBALN4LgWGSizIid1yf4UVT8JKePK5zIiBFMosuKkpCVWs +FojMEYAGHeeSbQzUnGbeSt5tXeKghgYHwfwZseWOI5RtVEfu+gtcN1WkItdEmbPt +W5XozUhrwPHv5ugCu7d4RqWlgofVTZ8MWO+qh38OaRrZbGir1RXzrsO1EO/ecg3j +ME3ReDC+Fs8ipimgQSLhrc6dAGvie99FpetzQORGNBZ8BtGePJOGg5bRiopWhCek +Ffb5PzDIHvyCZs0W0rG6TNF4iTmu1k/6tskiUVO83EofwRih41Z9pz2VJsTx0wJr +/5P5LSMX9VlwnrVghzG7uZZNY5ErMKBWs5/2K6BbNFhdvr23+0apC3vGGpj6VYKf +SHwsSwEol3PJ3vJdSYnqVjn2x2DXgu2FnHtk++wmLwWWpkseU7leDWPtBgKzfd0R +NFwA/kMvTYZdiQGjv/YM3UCcUDhs6y4BSdOlBDcRuVBP9UZ0pKU4oUi4cp6BmIJo +JAOQAnB7xlmsuPLWQELhAEPMizbfchcFhDA4ykrRJVxMRaklzQN/pqu3bmDT1pCR +V1+f4nfro1jvHeruwBNkxH0UBUmlrJQtc3EaWiWtEBNZHAFERhH2Na02S6ftIXWB +4++Q5kyhCpc+gn7R82UQnyNRDIBUBE4bxj8+L5YPZB+DOKj/o13Z7sMjxlo4nPM9 +AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAgEAUQIHOHnnYIlmugIm1ONc7IlYyUVT +lx9AGJZ5xdI3RtMOqJzBOPybV4swNyqNNBN5i853Pkg5xXpWCq+gvKkmZSu4XDq4 +NjP5pYruOTbMTIRAgImdr9IKjUB5b4Faod5iqYgOdn9D2jiQHAi9EkWuSpvNzK0A +3lJlTx35neLX0Ayo+C0fuEdOUvyaUleS6QrFpA5cL69j3Jw/UWHSum5AsURtNWb6 +L+QKnNsoE8GE+VK1Z5KC0CUonyRGz/PvZG7Zv4InG4d5VzaV1zT6rr5NlQFzgthD +HEsZk53AAW0ngTCshvnCtlf7vHTDmv+jen737u5k9i8V+hF73G5K42eDaA4S+5LN +hHIZcBiiivn4RjyBFkb72pER3WpLUmba4I7fOa3IZupeMAPyJNqh0ltedh35D8Pc +MqUW48gS3XGZleiPWPDs0LiyZPLHpBojHL8imqV17ETnD29v6kNDzD63GiEDC9qB +NL40yrXLtsQevc2IoxCeV9YPhAF8lorg3qmSWHQr07MWDVteReNYMNnTpV8iUug4 +qQlCpKCu74DbK4YI27snNj1lVJiLRIWJ1TSyTL34rI5mxPpRlpgEHp7mQEkn/MZ5 +YXGHhemHuQyaFfcmEczZE2eKFjqtGpzVBEbXsyMuRXovTu1JV9lt+9SWbQJiUnTD +jyDnT1l1hHkMz0g= +-----END CERTIFICATE REQUEST----- diff --git a/mtls/testdata/client-ca/client1.key b/mtls/testdata/client-ca/client1.key new file mode 100644 index 0000000..ac4f9db --- /dev/null +++ b/mtls/testdata/client-ca/client1.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCzeC4FhkosyInd +cn+FFU/CSnjyucyIgRTKLLipKQlVrBaIzBGABh3nkm0M1Jxm3krebV3ioIYGB8H8 +GbHljiOUbVRH7voLXDdVpCLXRJmz7VuV6M1Ia8Dx7+boAru3eEalpYKH1U2fDFjv +qod/Dmka2Wxoq9UV867DtRDv3nIN4zBN0XgwvhbPIqYpoEEi4a3OnQBr4nvfRaXr +c0DkRjQWfAbRnjyThoOW0YqKVoQnpBX2+T8wyB78gmbNFtKxukzReIk5rtZP+rbJ +IlFTvNxKH8EYoeNWfac9lSbE8dMCa/+T+S0jF/VZcJ61YIcxu7mWTWORKzCgVrOf +9iugWzRYXb69t/tGqQt7xhqY+lWCn0h8LEsBKJdzyd7yXUmJ6lY59sdg14LthZx7 +ZPvsJi8FlqZLHlO5Xg1j7QYCs33dETRcAP5DL02GXYkBo7/2DN1AnFA4bOsuAUnT +pQQ3EblQT/VGdKSlOKFIuHKegZiCaCQDkAJwe8ZZrLjy1kBC4QBDzIs233IXBYQw +OMpK0SVcTEWpJc0Df6art25g09aQkVdfn+J366NY7x3q7sATZMR9FAVJpayULXNx +GlolrRATWRwBREYR9jWtNkun7SF1gePvkOZMoQqXPoJ+0fNlEJ8jUQyAVAROG8Y/ +Pi+WD2Qfgzio/6Nd2e7DI8ZaOJzzPQIDAQABAoICAEZnyTYlnoe/DEaxmlEtMSL5 +cEVYmmKasPs3XCIQlTbk0dpMpDjjLWwhR2KXLdw1LI3hvckgTDOla3Zo5h82CcM6 +uKuXlsRKIvMX9wsYQGwTm7BNqerVStYe1SkDmXy6VIy7R1/eUBsrDuDGt20izBza +WusdLfT0qgTgzYosa/YCwHpmyI3mpLAR2bnOwn7apgK+GOI58Xp/qj2Z80UaPWjs +swgc2YrOZGUQQxdOJX4fovZGhYGvoGhTB91BLNrISUaL0NmuOykZJAf3zIvbNVhm +6KuvJq5RkQBZuOHeNHdowtTcFdcEmR3DTp+9BIyAJqhOJ9dVaDgei00fl7HK1deE +F8mzm7AoH6cEoY8BFiz73FOqWp46QuCfrFowY+OSwBPefWD0puhys0nuirQnU/97 +JnSnEQSxMVSZs0NQnLI35Kxx1ukA5R5ohH9dHVz7D3mTlPoBwwtgEx/oFmrOfTaF +iTwGtrkQ3hxFpKwkCXZHdays42iSv8tR7M8ojriuFEa4lLwEIzHRhZ0ePdgipgti +W60IibcC8pb6q/1lu90sfgLVPsEbgL3GaNmrFcYUNseYKSF6nYrSHQuDqNtvPatF +vozrkxGf2b3JsX3ufeMZjB1svjpFtRiOCq3t6EOMZLCyUFa3Vxon6Bae1WbgwDzm +g/v84JqR8ASiPn3YRA1JAoIBAQDnG5/4kPX/v8F9o2/sDg6705K0If4fjsFRYlM4 +LWBDn2VdpFzVervPI+Esk7hVjNvsWqElAvVqxk9Zwpo9mM4R6XmV7mfSotudo6Di +ZCT/6hu6ra++L4t/XYgbe5+qYfEgRalEOabLrmGT9vWgr1POxFrO3xz7x5mdiHQs +nNVOmEOBwBgZDb3nQuHgvIoFyLLSkOfCRwkZM4z6dGjFMa6S3xPPmr3QrRD9UquM +JE2eR0+YNAXay3t7sxM0nX1ioJDyEWQB1KcFHOANnYideMaxQTuhbV6vwBTVPUZT +Z++RlwdMYmRCikVdWYSSvFBzrBeP6CJmbFx9GQRngEXtUrZ/AoIBAQDGzLgwrLtn +j2fLb9r8GvuqK3PO4n0zmZsLuXETU12pTnkBjj2Pchur4RZPEDaplGnq6yQDp4Pd 
+EqXSInCG8P+8pmNMnoP1oND4EMrnMFeq/HUqdNqz5nWb91Pt1t27f94iIG8CEdG4 +xXJi/CtuNSwe3E1hpcBKezwRvLiuADeJPHC4cp1Sjr8Sq6miFgOK6sVkNTWlptdn +aNhO5lUo8D/3d9hHCLbWOAuxICRcqN1aqehKpDjSefcaJOsfn97BeRpgF9SzN/Pi +WLr2dpCVqPIhoqdC5btXMxFJMiSYDaAG4rME8/EtABAzo30Vywmk98zvvbYqXYFj +GiU7fu8gUNBDAoIBAQC55lnGy2xmHexZ0Ncdza0CX0z5wwI0hlNw0KPaY320x4n1 +Slo2irR6CgV+IxE7F8RsGfbX28pn6j84F7aUZ88TT3gzJ4OyRrhb1Jx8n0u346wM +fNwKIxqWCDmMyeOEXaZlbEOdErbdzlbFe/jXGVFT2FSnZYdd7I/fzTyOClX3E7nx +rAB2XrxsQzuI2IA56NgXUuJqP1PNRs9XQ75nKPChSfoYnAOl0SECdLZzU1xwPjKD +Xw16kwWwWjrPrwOGC1ysq1qDsnfrP+/mY9rZuKYzPSLnVh+9Rcg8Qz7HpqpptU/0 +nIzDjZAAaBqhIgOhGEQXyQWq1+2J307QprkZDtinAoIBACFYm5jGkJTZcC6mr5PU +Ltynd0B/q0KphGFeFMKKHE7W8+M36cmS+WNGWUifzpt5Yp7eHGdkhPDjPN9XmYp5 +CFyriEKE4FumQwcpQe+vozTyLfEWMs00XgvwW6qsfPsDgs40pIozVPtqWzqRU/Oj +hagTigNUG0IjE7th7ZR6QtaJRdsalpsPiKtoEgc3LBb0NHIPntUPfFhDNO1fI2+/ +hOtMtgGMS6b5NbTbUF4ekSqxD17d1w4vGSzQfoQKfAH1/1+Y/7ukKguQmKPY1X3V +HfBYaTgGcvs4fLDLcWnz9yDQi/jLtmu29ADFbqjmKtL6Ie0g5FqM3rQx4YbuTswb +4iMCggEAZ1BDI/6KnWBrJa1uh4Hs5UAEIf8nJDCqc7o6nt2WIKCvTpHLdGxZF1sn +84pfmaaU684AyVd+MOip6EUQFKu6trCveVfhGX4/XMDGd4QJW1koaVXb881ToXrD +0ojGxteU1g4cv+HNnCwFIsT5wEiM/jHQnwFI7OHFow7h/cxbVd1RLsr/QPyQ41Gg +JrMAoYd7ZshmpTqBCga/v61t3UqTEsVeal7LKVHuRfcTBiGpPDQpiH1ifaMUu+t2 +Wnm1J9u568hfervcQJ3bqdkcsj+6yZRwuFrOLFRsJttGlqnOyqPuUnUuMrwUhaDU +Q5GZ562YJqqFLzBUpY5UGaK176cdAA== +-----END PRIVATE KEY----- diff --git a/mtls/testdata/san.cnf b/mtls/testdata/san.cnf new file mode 100644 index 0000000..bd32639 --- /dev/null +++ b/mtls/testdata/san.cnf @@ -0,0 +1,5 @@ +subjectAltName = @alt_names + +[alt_names] +DNS.1 = $ENV::DNSNAME +IP.1 = 127.0.0.1 diff --git a/mtls/testdata/self-signed.crt b/mtls/testdata/self-signed.crt new file mode 100644 index 0000000..3e78613 --- /dev/null +++ b/mtls/testdata/self-signed.crt 
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEzzCCAregAwIBAgIJAINPxRTRZ1VvMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV +BAMMC3NlbGYtc2lnbmVkMB4XDTIwMTAyODIxMzQxNFoXDTIxMTAyODIxMzQxNFow +FjEUMBIGA1UEAwwLc2VsZi1zaWduZWQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw +ggIKAoICAQDE+FlgXEebgGDHSEx+nCqYvsHvPV/M/xkWupPCOkKwX8bk3HjC9gbu +9xovAOflKvxhBkMR/rXdk1AaYTVZJKVf0fHv7crB/KYNZqW6fJ0osJGzajWJFKbf +drilrTTi6TPohFWXq6mfWyG7mZZujcbLDXPGWlTnoTVXmIQu8yId+UkFZGcCY0jb +hr18yWeIYbKszGQa9rHuZRApbU9yaaN8628uZaXb5JL7vZf2lZwWZ0yg8boPvTgx +FAA4nMV9PjIov0/ys+g+vqBkQDHbQjqGiXeSniRVZYn/eLThA0RIRHVv01kkiCu+ +cQldbEF1oCVuAgdmNeNh+AE0E0s+1Q4WbQ6myq2tyZZctiQdCvsrahdgq/h4b6G4 +xwfMfiLaPAIDuvXLmM1e57ynz0tzF7p1q9yLQb75R105mKT7RR4qIJg4DSpRNZQF +8D9K+9SzsZUcBdhB5Tp6iHS7CDwvjQSNN9qRB0fGuNKsZ0SEn9ideyd/WbU6BgSB +K9nuDU1UyVejUtu3H2aPrq15By/Mz1PPgvt5jqkULetY8g06t9Ahuk3t5xEBQOBB +48uWv0JWSARb2skkY5g4LJ6EQ7ZpEONUJ6zFOZRnvCMUrN7wRUF7woRZ6BPr8R0z +4TKwleRJIbW4tkrKdHVW3Ub1Nkcdmi5cFI3O4QmO9sitfV1TEt0JDQIDAQABoyAw +HjAcBgNVHREEFTATggtzZWxmLXNpZ25lZIcEfwAAATANBgkqhkiG9w0BAQsFAAOC +AgEAg5NsMIZmCArhWMytmwG+xf0piN5Q6+vNvTp4egjYZGy35XnH6TCIVAcT2saY +oE29ev0X/3k44A+hHyPpv5ncDSDy9ytG5oXhuXyTnyB2HZaFut8TbPIjMJbsf5c6 +rtPhP0tHTc5a8BlBO3tTj/4OHjMtoPyS6B2THAn0FvxLlu/UNMpnoMlushZoSJC8 +CXseZnD0wBEe3kfiJYLDwvL+C2nHAVSWyDuiyHRWjFIXTUWAC2n39nByqwvmus5j +8yiK/6Zk+ea1pQwFI2HGFxz2xQuDUKR0gSDV3pjK/KKWrg4/+kSVtAbPfwK/YNeM +bmErxzhcLlhyvHYdS06tZHF7QQFlgZPP4Nsx4rWYgRzq0ZUgB5M48NtfqPHGjh9m +GTACy754EKO79BiPxeEJTWax8cO4HLi61RisUkNKYjkbbHVSJqYVuqtz8Tw7OME4 +f5aRjK+qYdiE8bSb3h18vDgcu1dWHlVOQQmpTJSbv36mmqXlTLUg7tgD3VrUZa1Q +N7oG9myixgJMZB1qdLm9gECj669ccNKzIUrBsxAfRYLVg44YZy+HT0UPWAkIrLQi +JV3lGEeoEG89vuX6A88OvGics/OCKj0edNq6zpvFV4J/Tmb09SECwtx49pBW1ram +7W1lf84ogSJA4kdEEMyOHKsL9ZTFM5iyOkaGhfqozkvvtno= +-----END CERTIFICATE----- diff --git a/mtls/testdata/self-signed.csr b/mtls/testdata/self-signed.csr new file mode 100644 index 0000000..187f8eb --- /dev/null +++ b/mtls/testdata/self-signed.csr 
@@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIEWzCCAkMCAQAwFjEUMBIGA1UEAwwLc2VsZi1zaWduZWQwggIiMA0GCSqGSIb3 +DQEBAQUAA4ICDwAwggIKAoICAQDE+FlgXEebgGDHSEx+nCqYvsHvPV/M/xkWupPC +OkKwX8bk3HjC9gbu9xovAOflKvxhBkMR/rXdk1AaYTVZJKVf0fHv7crB/KYNZqW6 +fJ0osJGzajWJFKbfdrilrTTi6TPohFWXq6mfWyG7mZZujcbLDXPGWlTnoTVXmIQu +8yId+UkFZGcCY0jbhr18yWeIYbKszGQa9rHuZRApbU9yaaN8628uZaXb5JL7vZf2 +lZwWZ0yg8boPvTgxFAA4nMV9PjIov0/ys+g+vqBkQDHbQjqGiXeSniRVZYn/eLTh +A0RIRHVv01kkiCu+cQldbEF1oCVuAgdmNeNh+AE0E0s+1Q4WbQ6myq2tyZZctiQd +Cvsrahdgq/h4b6G4xwfMfiLaPAIDuvXLmM1e57ynz0tzF7p1q9yLQb75R105mKT7 +RR4qIJg4DSpRNZQF8D9K+9SzsZUcBdhB5Tp6iHS7CDwvjQSNN9qRB0fGuNKsZ0SE +n9ideyd/WbU6BgSBK9nuDU1UyVejUtu3H2aPrq15By/Mz1PPgvt5jqkULetY8g06 +t9Ahuk3t5xEBQOBB48uWv0JWSARb2skkY5g4LJ6EQ7ZpEONUJ6zFOZRnvCMUrN7w +RUF7woRZ6BPr8R0z4TKwleRJIbW4tkrKdHVW3Ub1Nkcdmi5cFI3O4QmO9sitfV1T +Et0JDQIDAQABoAAwDQYJKoZIhvcNAQELBQADggIBACBvlNqbeyqIBoOjVOGSFPRd +FOPzQl+sDgtwxtw7feguhNXVCne64MoKuvr0+XADzRF4jw2SjtW2Fq581BDfKCRC +Sc11yjT0v9BzVAaDiSRCbx+Lks8WyAtD3O+eoSNiBIuDlh/B0HLyP2dT9DJj/tm6 +0GqvrKqrbtqEX+Z3H+jloHS7datcISXVv8u0EgV2kKpRwLtZKKMEO3CbZPHA4F70 +aQJIhAmN10PknOnY46mD21Jclbv+OGkGCB+daVK9bO2U21NSb8SxLobfrW2guZnA +bHkwTQfmhZwFwRP/Zybm5m6+utHeksBWKa0zE8+0xE2l3uslN02AIpaBDOAhv8QO +PNAlqaCLgGCBltJPG/AnPpJfePW4oicMEUcv2Uxwya8kgJ1YQ+udig5RwtxyKFtk +he7vs/utsOOLLBVTQrIvjUNAOLihEn3Z4niMYMHyjqR5sKCx/ZtXSRjGpg9TJFlK +O5CDcl1JGzLwtS2MoiLOTUklUJDjwCdJWDy8MWpJn8ICpm+9lVEayWW5QqEHM+U3 +Yk1prV67BuXQ08/BVv0ZjTX2i9jTBbKGsZBxqVuFid93Wbak7OgPurXdEMjXvbJ0 +BmCSuL85azNLO0BILUmrCEIWqEy72pGAEDs5yIc42MzbJOToOsb1rav8d5WO6KOG +frfIPFSV5Sc9k3EL27Fw +-----END CERTIFICATE REQUEST----- diff --git a/mtls/testdata/self-signed.key b/mtls/testdata/self-signed.key new file mode 100644 index 0000000..de877a4 --- /dev/null +++ b/mtls/testdata/self-signed.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDE+FlgXEebgGDH +SEx+nCqYvsHvPV/M/xkWupPCOkKwX8bk3HjC9gbu9xovAOflKvxhBkMR/rXdk1Aa +YTVZJKVf0fHv7crB/KYNZqW6fJ0osJGzajWJFKbfdrilrTTi6TPohFWXq6mfWyG7 +mZZujcbLDXPGWlTnoTVXmIQu8yId+UkFZGcCY0jbhr18yWeIYbKszGQa9rHuZRAp +bU9yaaN8628uZaXb5JL7vZf2lZwWZ0yg8boPvTgxFAA4nMV9PjIov0/ys+g+vqBk +QDHbQjqGiXeSniRVZYn/eLThA0RIRHVv01kkiCu+cQldbEF1oCVuAgdmNeNh+AE0 +E0s+1Q4WbQ6myq2tyZZctiQdCvsrahdgq/h4b6G4xwfMfiLaPAIDuvXLmM1e57yn +z0tzF7p1q9yLQb75R105mKT7RR4qIJg4DSpRNZQF8D9K+9SzsZUcBdhB5Tp6iHS7 +CDwvjQSNN9qRB0fGuNKsZ0SEn9ideyd/WbU6BgSBK9nuDU1UyVejUtu3H2aPrq15 +By/Mz1PPgvt5jqkULetY8g06t9Ahuk3t5xEBQOBB48uWv0JWSARb2skkY5g4LJ6E +Q7ZpEONUJ6zFOZRnvCMUrN7wRUF7woRZ6BPr8R0z4TKwleRJIbW4tkrKdHVW3Ub1 +Nkcdmi5cFI3O4QmO9sitfV1TEt0JDQIDAQABAoICAHZJYnswz7v9y6DBtVZveFFE +dXiz1d1o8OsqXuPMUxJSYkI8eLU0RJOrh2jk1V5VgzzNIugim5sWBYviBsSi8kFp +9i4NEq+OhzYTB8HHZiXya31gcggBg/k89cRhERqXy5l+J1yvNW1CsC5WHPYFZHW6 +fWWIB+cWc89IA1Gip0Fy3DxFwGq5rx5Oe2r+FJPdgAyvrgpXTiGJRbxrLcPa1tiF +Fr65QnKcgPx3LlRiIlt965HXuNIM4zrt9PgKhbsh58N6qItrKTTNC8tIlehDjJwQ +3+MH32/9S3NFTPK4IIB5xEDEnosGz6ZNgb897M2zv+ahh0oFYKkL48UfNRfloNAd +KlLcGiAERw070b98R9yfm25NfFipnnpuRSWzkjvA9sHz/wbt/ELnuClLsWtJFoVP +Fxh8yupge2Hnb8bFmF7wj6oA8ClPCHY0XOr498I4vKRzwoiDPf9kDRm2UsetsDoq +itu3TFxdY3aIKrFT3Z6M1r48wyFMwUrzDAyV5nKM25+85lYJQeH630gsNdvWD+Te +hG0rh+oeNVwvAZmQZw1SKULP1zD+TxvkpK6jBdczvRvuoMKIrYfY3romaAgYkp7l +40Mru0vP/7ZJ3E1FjT7jqX3PbJ6OtiU4M2rhmATDWbmN5WCkUyWTDDPl+iXjR2X8 +bK6RwOCds4isl1XZyRatAoIBAQD+AC7Fgu8UJjwNBxDML16K8KRCErrV5IcX6bCF +fznAg/6Q05nGZqlSf7bDvEKnAG0GcbN1s6yy/q3IIXBZw2aQ/hf/xYWg+N2w2J8B +VbzQd2u1vM8AZuV554yqxUAQw7YqOL7a3Th/H4ZLTu/NapbI9XVuBSUWx1rbIi4J +LK07xBPdQn/86gB0TfdK9Icwpzl9g1iIgptUQzLLxSjFw+eA9OOSlJkVm65Q7AxC +pxztBxPLhpAaDha4vPBC8EbDxcA4hAi6M5t6kDcs3P3WwYtXkJRs3aZEe1VtgA3P +SHsff20pMNJBi4kHLcU4gWZaKGxEAgRz2AOK3Ez5LHh1EVHzAoIBAQDGhT+adbI8 +pC/PgOW5oD8Rt6h/Sw+rN0PNB0CeqXjtR5wtEuIkE+aEU2UttCD2ct8NUY5UKZb7 
+jypMn3jNPncw+5el07jv6X8hVhA/PpFnrTyUxqWmgMMW3HJ9uVjX241OWIhM2PQC +qMmhOSkW/qVW3pkGMrFlXu+wExvoCL2lpGPrwoa4fR+z0WoTMoKPws5ZIq/nSsa8 +KyX4tkRDx7J6nFzb9oL4lxXjQLlJ+m4J4cnxw46gHWdNcs/Uw07IMK9ppT1fWmZ9 +iSvr+r7e9dMuLXoPu/44NzHRkvBHD7NevH3IKCO0DLpJ8jFm0G4Bhoe8fqHNf0WP +D1zT1SZZI/j/AoIBAFCNXkflLk0FkyXOh9U5cJI/ntgVeIs83lsHEaREpNwZADKN +6May6B/xwNRyb/Dmgaz5giBhyvM5MYO2lxrgjTaOXq4OxkI2qpfbGxIhTrAOL2qD +ZmKKP1xZwpKl25t1deAN/vkKD1DBfqWDcymCFC/HKGar2wdOUdINFOxz7rx1gpc4 +774Vt+8qirKKuhUD84eKkBk60mf2p7VX4YZWiqSrBUEHP0VLCg0/zuOUe+fvxqdV +FX4t2abcxJV1/fs4S62gsePbWgOUmOrxas8gskAi6e9cm848DuubIMYMBoAGuWfG +w+dliR9ttI4m+368MxmeSisy5myzUPX01H7L72ECggEAWV5c/qzjWzdSqqhNQp5o +JhK20O86k4pihGcyaPrEDJWDMithEHrA+GsOjl+bwzZ9QWKonyzF4mNV2H6mBEeN +oshwQV+pzp8f8yLqV35UOQcc0aEHq4glyyHcjMqmuy4EU/O5EFdOqe/QLTstS0PB +rPSykL67a3YskuhXVMKylWIG9Xhx65WwcuPgS9oeOpepCyl5ZLcd9lG6W1e6LYU1 +zMqdZwx3c2+Yk+BsSWhqpxo1LhgqGdyCx7Pa6d4uliKMpROVKFrq7rKUyjvsNzUV +J6GjZHft/uKiE8WBU4w25HwYZ8XiJMjiCC32nWFRVHB6pJmhP4B/EOMKl/ZJuDFg +gwKCAQEAg7Ff4zawbhaoEJELXA+VTT+ELP/1hQuEf9hwo4ewmJW54smuDomEY+9Y +cNY4ggC31ud2z3qFqqrXsziQ2Fzy3SC+2enaQDZQcBDCe9yJMS1qGSrzdPmW6t/k +HeKc9ga3EHAUXyg1lNAKeFhXn/ufTbRE8k02OCgUFGzkZ1Yvk5GBjoAxNbyVHwxH +pJyTp3INEIgkmzT32qkEdvBnFj/FvAbz49yOkLuKQ1Yo59rdf4Z7qdejRUxqg4e+ +r/N2rkDFxnJdq2HJfGN1b+kgEcMdoRQOnYisZY6/eyJt/UsfWubIMfTsWAnYVbRw +69s9pTXG9NldH4TN1Pad1kX0/o/yuw== +-----END PRIVATE KEY----- diff --git a/mtls/testdata/server-ca.crt b/mtls/testdata/server-ca.crt new file mode 100644 index 0000000..a9f6aec --- /dev/null +++ b/mtls/testdata/server-ca.crt 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE+zCCAuOgAwIBAgIJANYmi99JAnbYMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV +BAMMCXNlcnZlci1jYTAeFw0yMDEwMjgyMTM0MTBaFw0yMTEwMjgyMTM0MTBaMBQx +EjAQBgNVBAMMCXNlcnZlci1jYTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC +ggIBAKlh3hmdbgBl+VHZ/eAzzFQnTQxwSAZC95fdd6ymjn1WJG9aYt8DZHIR0tlM +k/b2P6v6nAy8NS52/PuYBVh9LZdoMjH2CNJ2hnbzWzy3Ehb070b1tukIqCjRaYwJ +ZJZtKyZUx+++akhMJ7yfYsPu5rrcObUkZowwIhJm3n0bbA3HQSAhl+HoNYbU/AEe +NoJv2NZ5v3AZIimy18tiSCzifx0ItE6EivwM9oX/xc9mElIOlq+0Fx1J1JYyscXp +nIUZR5Ii1XtCQAqwTAfMOOSAGhho3WQQwvJ128ZkUftPUmmDK8p18v9KAscGUWdK +0j3xgSXdMn4WSRWrzdzVhmglacN0RMSg5HOJSErRBuMoYpLGQApa8pC+htDFcd9G +6BUQwueaxUYh38ifwwMaWyLXkdctZ7hLWANOWCclhtL18h0ucA0XlnwI9DxdSy7k +9Wj+v66vwRH32vf8MV3ABKqawFLXhTFhoXjpvYAna3NUdMTaf5WqL589KcPgUdnR +u4TgieyqJ211eD/nbNFn0ohYEZNPcopJda9Hv04UwyqZrN869HN/1WWewYZ1EEOE +2LA4yRj0xLyxnM9cU+Z5Q0jLkU/VLldTE0sRpHGvahbYgzYPK4F7KfD/z8WUmosX +clNomhXUNYxJm8Ya0JhKHNfYZ3zXb+/42TxYbZkNWBE8tLAlAgMBAAGjUDBOMB0G +A1UdDgQWBBTZ4oDOmLFV6go/+d8ZR28Eh9iWJzAfBgNVHSMEGDAWgBTZ4oDOmLFV +6go/+d8ZR28Eh9iWJzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCR +ILq+tVa0tuG8Ol/mB6omHCe5nVCGu67bflwkWsIH9cTiNQMGumn5ADLqsK6UwP8Q +A10AvzTNAZ2B4bapXFKWuo8dn9OxzbmryGE1gS3Ze+jebLZM+1dKeMDqTGMNdSKq +xC0nVBK62GPTcgihaU7cVhJYv8KS4pbi3JCHQ+KCccXjpDlKHHwTmpjMu5mT8ilQ +yR08cxpkOKHZj8iZ32+Z3PDKETQKi2QnMpOC1NTkD723OnwQh/i1Rk6CvbyYvQVK +81N6+UZT1qaFgJTbk1e+bFIkcr7M5qNQroOPmaCoufuXckgob4jolFZ35afhTxB+ +Cr+Dua75D4LyDvOUWimHvz0eQSfMzFlXL6i/efPNAUPV4MrbkbC8Bl46X4KBIKie +qCHsbhDkF8ZjIyIvaZqG48vCQ035y0s1wpjP/thwhUdHkNp5xIgGFozvn5wJ5yfD +x8bsW1JQd4xiUatqvdbERa7viY7I171WVXubp4uml8u8knZQwLMu77GCK2PBuXq5 +XZLYVgA777/gLDkRSKnvs3kGzH0GMY10cA6ldLCKhOyXHBJil2y2OfDLi4jl5ee8 +v2G1jb8nfPiGqKn6+hPuFc/m0j6NpXmIoL4QQKMYS2tFyP9xuSnwP138K/JAe6Wm +GsHbcn0j/Q9gqaBoDtYq4cs2efrhFxEYZIVsF0SwXQ== +-----END CERTIFICATE----- diff --git a/mtls/testdata/server-ca.key b/mtls/testdata/server-ca.key new file mode 100644 index 0000000..18deaa0 --- /dev/null +++ b/mtls/testdata/server-ca.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCpYd4ZnW4AZflR +2f3gM8xUJ00McEgGQveX3Xespo59ViRvWmLfA2RyEdLZTJP29j+r+pwMvDUudvz7 +mAVYfS2XaDIx9gjSdoZ281s8txIW9O9G9bbpCKgo0WmMCWSWbSsmVMfvvmpITCe8 +n2LD7ua63Dm1JGaMMCISZt59G2wNx0EgIZfh6DWG1PwBHjaCb9jWeb9wGSIpstfL +Ykgs4n8dCLROhIr8DPaF/8XPZhJSDpavtBcdSdSWMrHF6ZyFGUeSItV7QkAKsEwH +zDjkgBoYaN1kEMLyddvGZFH7T1JpgyvKdfL/SgLHBlFnStI98YEl3TJ+FkkVq83c +1YZoJWnDdETEoORziUhK0QbjKGKSxkAKWvKQvobQxXHfRugVEMLnmsVGId/In8MD +Glsi15HXLWe4S1gDTlgnJYbS9fIdLnANF5Z8CPQ8XUsu5PVo/r+ur8ER99r3/DFd +wASqmsBS14UxYaF46b2AJ2tzVHTE2n+Vqi+fPSnD4FHZ0buE4InsqidtdXg/52zR +Z9KIWBGTT3KKSXWvR79OFMMqmazfOvRzf9VlnsGGdRBDhNiwOMkY9MS8sZzPXFPm +eUNIy5FP1S5XUxNLEaRxr2oW2IM2DyuBeynw/8/FlJqLF3JTaJoV1DWMSZvGGtCY +ShzX2Gd812/v+Nk8WG2ZDVgRPLSwJQIDAQABAoICAGhyLN5msVoVh3PtlBsYVbre +sSgmZINX8Az5R75yxhKLd9QiTC1wjhO44eeUzPjQR9rooilINRL91GngCAvUxLRE +UA92w2HkLG5VCcGasdDuIE4FXlC8QdVJrGfpstj/YEg2p0Myi58hNq+dKO3g9u3q +trr4QzPWymvGexNyQWMNpx8FF/75jWgjFXIrCznLdk5qrJ2XIfXMjjyf0hm7YN6q +a2SvXnSmGa3vVi7ZphprXIfj6QzqZehoQi7kKtv4BqYaTMHAzHTK2VdFmx9rzquW +nk4B9/RCsM7ZNaRd+VeOxwYFTV4WaTgIsVGcVaBUt2p9x5DwdQij9EFkeYjm6RvX ++BD5ygehZ5LvXq3qJBpFnB7jYnHutaK1Qp2A8MOpUwe/8uQkg17Llzbrk47CENz0 +uJ0gDiwnqFfzxUZ8+J/TF/L4XpvzwRP32zWW2YJXhofYq2eOMTP9S8RYGtk9XLWO +XFz/Y3EOKcUx0eZFb5djDpCF4icPlQ5S6zoQp/Yeu5+duLZbDz3ULIZGnYST2Nzp +QqhnSTqfRYzeqjQv6U7/Iyain3rUqiFvDQ5xPE+f3q3HIYZnTFRzRFtscMJUBEXo +PJwoZ/q10Rs2R0X5V1nh45ShV580XL+VcsQxzKzrLruc32utYZs8g67iSBG7OHRr +2ayP8OUYMjxcuPMYOiNRAoIBAQDb8nQl8hh7bYsV8uehp/A4yJFtHph81eFmYIlX +JgP7XdHVfeKKsoQwGAXdX4MvSTQbM7CW89FYNlCOVvxY5cGNq/DN0yTtZ9cXxR/R +2zYk9jRjUrsX5Wc4Rwk8HyuEeGTqWfEmaIQ/Od2g+2KoQzdx0udz62dTuSSO0yEU +uSHoiMFWufK7dA6tVUBcpblN9kydPK3TVq8uM+Anm+DObEU/Gw9PQh2iaDOwYc+G +6lP0501sSnUPI5iisDGoDq2mkkkxOI2wWKRstmKETnNMG48WwxAuC+bljNeHjQZb ++udLMR6Fhbq0mymPdky6bj2AethyRgLJWClEwlYlz2nRVPyfAoIBAQDFJZXFTDLl +NzvzBDAs8K4ynHbUOidURHMkJWl5ymZClSV2QU6dFXp3Lk4tvQv/JfQ/S/a5KNmR 
+QSJndzq2smy7zeDXPv4aH3cHPt9ZJSM1wxilp4cvq8O0yh0megZyWb/kL9Dkr95v +ABQsVoXYK5euA9lv/0PV5x7s/Zz3rn80Ztb9OOaFLKcvB4LvbhzL1ugeFM7+fDxg +y/4HKDuqrqfd4ocLhCuA95pRcv+R6zaCRwOSUEiKqbBa3dEkI4+IykIIKPHRH7vd +8aAjAlLW/poDpjQAFc0CpVJUMJpEUSSo50njwyYbntMI/YhpwZTs52Y2GJERauV1 +rzxsmyCVRti7AoIBAQCwCURm3nYzy4AHaCt12fjNKdIjONqpB3How5kItDd5pyR7 +r85yXeCosYF4JarUXM2ke+F5X9mMtaQR2JMN/43Devs3cSfcD0E7GB2Yk8+pE5jo +ad2uiX/srgY5JWVqGAYE/0mgCQTXqdO1tZ3HuEyXAEsZHy7K9qLI4ThX4ri96T58 +0ETzPTdGCbaCsG04dcnqCxfAz19UJlbgvMTX0hY2JM1DDVK0mpvMLuyvObtKhxoT +cyBvpnjStRx5Oo5HhEuqZm4Y10l6bRs6c6OaJXCHskWv5Py/etNB/WA6m/0k1EJu +cZL2XD2OQgu1Juh4fVnhVCGEztfw3W2fw3sY/OFXAoIBAGNGm/bweiim+c9UapYW +1QGzfLs+VZO/rGOlW0nzPC+HP4gfNuEvca4WaVPrAOGJUUeWjzWKdpUIwbRse+qI +Suz/rZt2oyqwcZX6eSpA40wtZHn2tMKysiiWJru7cweeXl0gHwcp8M7gsUfqghfr +S8RbN+GIH7bVXeNliufGvVO7/cMiJiMl60Jpe+vp/SJApD6Rp/LKyPTNhKxB/Fnk +/a9kZTDNa8LT7KfbSwtF8PsFm6zQNNduv9niHXEfXyY5A6tsQulWG5qWFFfM0b5m +E1SHG2R3lfchHSY8G1MPsXBEmBbTrJr4DblXQpxO2Rm7JONU16h3tfjfN4RRUcUa +GgUCggEBAJ1HVY2WsOQAs/W/qe8guxYYJZrYxyBuDq1A4hU9ipt9c+SzVON6qH4y +mAb6mogDPnbzuh/o8icoWtx0yqemb0//bKhfNqWZApQ6t6MbTaXL7T32rQpSF9a3 +P2U+QGBJ87nGbRHNjoCR4/vIq8t/t/3fFbgYlHh5oHm246UYwxs5Ben/C4z2GPff +0kFewrP01KwjxmGbySguwfavib+2fUopwBrx0iHmP4U20PPMWUKS5g229bZFGNV2 +rsWcy9NwdgQ+MbdunsH/uTGGekY0jWTFHKDLtA21K4P/Om+rq9/a8RWJEM31aeyT +zDxSV1iMEkqK8tc3rKKTuryVgLq/5u0= +-----END PRIVATE KEY----- diff --git a/mtls/testdata/server-ca.srl b/mtls/testdata/server-ca.srl new file mode 100644 index 0000000..19afa92 --- /dev/null +++ b/mtls/testdata/server-ca.srl @@ -0,0 +1 @@ +9A58F81179D545AA diff --git a/mtls/testdata/server-ca/server1.crt b/mtls/testdata/server-ca/server1.crt new file mode 100644 index 0000000..3be913c --- /dev/null +++ b/mtls/testdata/server-ca/server1.crt 
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIExTCCAq2gAwIBAgIJAJpY+BF51UWqMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV +BAMMCXNlcnZlci1jYTAeFw0yMDEwMjgyMTM0MTFaFw0yMDEyMjcyMTM0MTFaMBIx +EDAOBgNVBAMMB3NlcnZlcjEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC +AQCdaU/81YF5a4XWdleCzBW2mQTlBaVxJdoV3CMubwToZ8YjSvtWvjyT6N+oGwg/ +goKYlNfujk2ewkH1k76vppBED9BYaLe5T2F4m6NfF5pV0YUFGyo3RsO8rXx7k1mQ +Ei+PyCX3uuqT5umrwKbyf/S0m7q88miPX2Sb2N8w8RAAMqYyNrJ7F0BduZ1Btw3U +7xX4UAU8yyJ1y+YVaawEvyTsBgSmJqhMASNCZuROy3lRyLcMxkQu8UnDxKNwroHr +t09/MWI2fLCsy1z2k/rGAxU1g2UCebq6P9Z5oYXBQoAL1R5heMseYsYyse6iUutR +HM8EVNmuRvQjZyp5A+C0LBb50InWD3kVylbBXGjcsNB7/DcBIUc51kjDzBbK+VbF +XFcw2tWv1b2nB9XOQR64sH6GN5dbPq/HpsNIsC5Dnyqwx+wus8MzuCTyi1qs4g9K +LhkvmpbtepgpbAGdMLZSOjoNUTYLcuFzJvojcAzIJqn/9V/D8kpAVGvRm+U9zI9O +eIWX6hTtiLqzpC8dHj+MuDCPY8FRipu32QF2ENlGZ78BgzYf6WzgoitwDk0JVTBg +SVnrmkslazmEhPYjtkhIoD9Y9ShzwPlaaEV6rxiBPRdKNzfM/5RjAjSIf9R959Pu +nIr+ogkviCpv1ovydvKlUHyrPwA5JRKpqgOOZGzk4mmYowIDAQABoxwwGjAYBgNV +HREEETAPggdzZXJ2ZXIxhwR/AAABMA0GCSqGSIb3DQEBCwUAA4ICAQATbu7ppZpE +5+sI7jL4JnTDPsv/BXYFt905cKVhAeRYU5roBsGvMI0qV1GkZ1gcXQXP0m5ugI2r +GC6UvcmeiK2GKPQauDO52OUu/6xAbaczOhGmUpNF9WxQDMWKgMOdgi1gUeT1UkvA +2nSlhsiTMOXXuObm1DaODqUjM63Cgh6zEBHMCEZDdNaRFQ4e4aKCLP03ywTfXdlS +SHED+3OqGboryXaD11zLb3SOUDOqMouphW/7kP23L6r8woEiVJ3JHmY6G8+PU4p9 +wiHXa3MCVaPXiUAn25yVHFFP67ydQCz4Rv5Pbcil9lZQIuxvTCXxnJJ7XVz03RPE +CUcIPitF9uH4v2muEvH7dPm09J+xV8SwbbeCX1NQC839tLbpLw7I0+YHT4NriWA4 +SoNpHgjsVUT5EP+NehBYoeand5yE4p8oWJi643pRqqYaqXxgf5CJ7opUIxtasprg +aBauVGfc4sqye8NFcA6vkbbjwDXx7xN7qqWLdGwJgzoSBHimr/cT7Hfaan4kfbLQ +Nlk0UVZoafIcC66rg1oesE0AcxQj+zeb8spnfwyntbCpYxrTj3DbVZWIcUueOZnv +3kP/vsV3XameOpYTR04LBTQyg10OuH2u6lP4DfxRM6VOKEH4xtlPQtIudAY0x3d6 +A+Du1BA2XJEDyjqPpH4VdSLzd1vCrnI6kA== +-----END CERTIFICATE----- diff --git a/mtls/testdata/server-ca/server1.csr b/mtls/testdata/server-ca/server1.csr new file mode 100644 index 0000000..5666812 --- /dev/null +++ b/mtls/testdata/server-ca/server1.csr 
@@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIEVzCCAj8CAQAwEjEQMA4GA1UEAwwHc2VydmVyMTCCAiIwDQYJKoZIhvcNAQEB +BQADggIPADCCAgoCggIBAJ1pT/zVgXlrhdZ2V4LMFbaZBOUFpXEl2hXcIy5vBOhn +xiNK+1a+PJPo36gbCD+CgpiU1+6OTZ7CQfWTvq+mkEQP0Fhot7lPYXibo18XmlXR +hQUbKjdGw7ytfHuTWZASL4/IJfe66pPm6avApvJ/9LSburzyaI9fZJvY3zDxEAAy +pjI2snsXQF25nUG3DdTvFfhQBTzLInXL5hVprAS/JOwGBKYmqEwBI0Jm5E7LeVHI +twzGRC7xScPEo3Cugeu3T38xYjZ8sKzLXPaT+sYDFTWDZQJ5uro/1nmhhcFCgAvV +HmF4yx5ixjKx7qJS61EczwRU2a5G9CNnKnkD4LQsFvnQidYPeRXKVsFcaNyw0Hv8 +NwEhRznWSMPMFsr5VsVcVzDa1a/VvacH1c5BHriwfoY3l1s+r8emw0iwLkOfKrDH +7C6zwzO4JPKLWqziD0ouGS+alu16mClsAZ0wtlI6Og1RNgty4XMm+iNwDMgmqf/1 +X8PySkBUa9Gb5T3Mj054hZfqFO2IurOkLx0eP4y4MI9jwVGKm7fZAXYQ2UZnvwGD +Nh/pbOCiK3AOTQlVMGBJWeuaSyVrOYSE9iO2SEigP1j1KHPA+VpoRXqvGIE9F0o3 +N8z/lGMCNIh/1H3n0+6civ6iCS+IKm/Wi/J28qVQfKs/ADklEqmqA45kbOTiaZij +AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAgEAg7xWlsP4wAlspAdXJIBezaFZuTD/ +RJQ8KWPasf05fhf/7RkbRGN5nDNInH+x3ZNrcZZtaeJyY4njvk4ZmtOeh4psYMMb +w+R/YGPpfA7gL6yWBSe3K+1qWOuyHCdwT5sDAQeKqwRq4Nk5B0lj66E9DfJ94xfv +40AccNug5dqAQcP0mrNU/GKst4E2yv/KZE9NcWi/0L0pjL33jTOtf4+FWCgqDi/L +hl0Q2B8/nUBvC3IxBEwbH7dBjNIIg+zLRfFvwSsUCyiQxPspvDsIhUf6cdww4bRq +L3D9niT4wlPOXHFWhrM4AO4KSt8//WWIq0pAtPYnnVFDLK09LNksMrTKME7zBTOK +PyObCnkqlugW3K5Uui/LKjY1UoGFKF2M3TlhGAD1xnsXoCiI3gNLSDVEAVdIDjIC ++CPL/O3zyPpiDuBLZmBvJ6C3aApqCd5WbAxJuSUM/mi9dvafQ5aDotzvJCQh77Io +HaaXby0ABaytrJJOYOQ9w5WwsDHcdhtlpN+8ZGE/Ve4oBjaR0slH7Fjg/3TOBlvJ +/aewOwswwx95wg+Pk4e6kC8s1d+mmWeneUJ86iY81q2xVfNsXyDCJqjBOIgdM6zT +QLYFQLYKUnZzeZ0pSa9PINloMRdak+P4aSiX3OfEfDXvcCIr8jOvNyQptrhS8Zar +/i8qV9fMnVBuei8= +-----END CERTIFICATE REQUEST----- diff --git a/mtls/testdata/server-ca/server1.key b/mtls/testdata/server-ca/server1.key new file mode 100644 index 0000000..7330dcb --- /dev/null +++ b/mtls/testdata/server-ca/server1.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCdaU/81YF5a4XW +dleCzBW2mQTlBaVxJdoV3CMubwToZ8YjSvtWvjyT6N+oGwg/goKYlNfujk2ewkH1 +k76vppBED9BYaLe5T2F4m6NfF5pV0YUFGyo3RsO8rXx7k1mQEi+PyCX3uuqT5umr +wKbyf/S0m7q88miPX2Sb2N8w8RAAMqYyNrJ7F0BduZ1Btw3U7xX4UAU8yyJ1y+YV +aawEvyTsBgSmJqhMASNCZuROy3lRyLcMxkQu8UnDxKNwroHrt09/MWI2fLCsy1z2 +k/rGAxU1g2UCebq6P9Z5oYXBQoAL1R5heMseYsYyse6iUutRHM8EVNmuRvQjZyp5 +A+C0LBb50InWD3kVylbBXGjcsNB7/DcBIUc51kjDzBbK+VbFXFcw2tWv1b2nB9XO +QR64sH6GN5dbPq/HpsNIsC5Dnyqwx+wus8MzuCTyi1qs4g9KLhkvmpbtepgpbAGd +MLZSOjoNUTYLcuFzJvojcAzIJqn/9V/D8kpAVGvRm+U9zI9OeIWX6hTtiLqzpC8d +Hj+MuDCPY8FRipu32QF2ENlGZ78BgzYf6WzgoitwDk0JVTBgSVnrmkslazmEhPYj +tkhIoD9Y9ShzwPlaaEV6rxiBPRdKNzfM/5RjAjSIf9R959PunIr+ogkviCpv1ovy +dvKlUHyrPwA5JRKpqgOOZGzk4mmYowIDAQABAoICAFGArr69mZ1Rs+mYOrVpkDCM +SEGAy+mq7KF26uxm5UakPK4Xa829EEaRRASZgorHu3DfWHKXUc9Ky7YouoneF0J2 +Yaz1A3O6i0BUbaGV6f5XTqWXLCOUy1JNDXA6mhwDnoa23hnHuR+9Zu3cAVT8Naqy +G10rskHR5ZjgEKgZmOxRTUYglgcvwc8FhUv6SPoglOKOJDgXAY+2dDpQDZYjli1y +7ENPLsKzsBr4hWva5MUYxNajbbhUjJoFnY6BfJmcv1efLTgDFcNSRJ8Tfbu66udb +UhiXCLzYwucVX9jx4rS9s05Kqfjgsbib8nAvuNG1teaLPG6FJHGUQCSKgnUngvkk +RLYZYVcGqvTDC+J6MC1ELPI8HVDC/WfSDeDxFeBb5yBZ8tyLWvgAgzL2q5wIWn4Y +VdYNMxurrbHOeXwNThKP4Al3OL2jMuGxbBg9j1vbFJMShY/ePIyxIimZ9sGplNGJ +RbFqaEIP2HCZtkwY46N+AKQ7eMLnUdphaItkQkMEVJMFUbI+JqXHGC2au1U6+vhJ +oi31wJnV5qOCZa/rBwHRouAYiT9v9TjJ2QDutcx/05C793dKkvRbFR/ylhF9ndU4 +5mrsGntxYiaxctpwUxqy9mcMVdCqt2xFXhQKeh7FWdYPXfGW7GngvxRg1jpSgGF5 +ue7u5YibMUHrRD3KOsvZAoIBAQDJGe8m2DBCkceL1HRtQnAfvitNeLO6yR1fEqxt +yA3BA4T6rcR4r0aECgig0Q8uZopSWDkfuBmXYtmRAW5WzJqbt1XayUkbgMDyH3XS +n0f2p+Spt7Y9+WiYR2LFJoYVj2MN5gdBOKjW/EouYTtO6/ccOjvhjccmwWAB5Ei0 +8xx57l0Enh4aL3aqUGWODz5fE8mJYM37PPf2vdCuPT1O9I+Vcd30B62cBclbkcOP +aP9Nybd3UKyRBJiqEn4DZVO0V7lPEybHDLckW824CM3wIEIhk7FJzEU3m6Txl206 +ojulfMOpoMPXoEkfpW1+xjzEAYET46Xz3DOiTf9Cr48NgjdVAoIBAQDIYhXsiHrx +2YQCxkNyf3uBn0kM+R6qXvRijAHDlSoKPygVg9e7TY7B86etJ4z52urNLGATBhFd 
+9IRdfRmsVAnkF/zU8i9D6MHIUwUTE6+p7Hl9BlZjfh4CQvw/Lv34e9Y85AHenUge +vR94UGi/38zEr33wqmEcjLbJxlE1l/21Syp+8nERsoG2w5MzU58Aaa1eB1f2UKrg +dSQVYoIOcMwrKB+PpJ3hLsQ9tM0cjh2+S7R19sX/9seU9Swh6HS3ZtYis8rPlyJj +K/tSrrZFkUYwQ5geAcb7oHaj9LRzeqxK2GYZdZfijuXoa+LfqkLGzuQr+eOR/Lp7 +Pkpv63P5nCAXAoIBABhOQyJtxL93ASg8YGoIOqcLhA5UBV0RC7S+/Ao0wLzQYRUv +RWzUunAhClPtkKkqCZPUR+s2hBlRADzPcHebOSCS8xSDeYuSbz+UX9g6GieMuU1t +/9/TsjmdfymW82PNtcorQDs4zudVDN44MEPkrzRBMZWcXjKn8qOn5MXCEHIIRkPV +nIvLqssA9pVJ8F7rdFNfWOYBw3KWFI/KpQtS8bu9THc/KlOOO30OzBUcOqc7Nyp7 +nK/WX2FG5OYiLBDC/Ym6JdivB7+kPOP+ZG2eaH/IawghYUhMTo5IoBITI6RnxPpO +jP0VyWDCzM4ixZtnFyPBQwCLX85BIRX9RAv87hUCggEBAKc65J0gUaqhI0DFgeh+ +Z+6HpomDJop88GuF+LrnM8yVZLh/7XzNf0RyOg+SIF8syiQs0olN2RSWShlTnCdr +g02ujzyQWc3M5FxwnJ2NIl8nkUQ8E8C4sgalLKr2ZtIHV4Y9qynEDTpKD4dzY9gt +yFClPO+q4ZzX+nxuW7vkesHgVzjW0HI6jXKfyateMCZCC4ObkVdpfxIP8Os/6NZw +YJPrylswwOn7A5+T0lHwcPYtbA++wQObSnkQG6K4wx+EXVVcwvd4ZCRrwjUAxfFN +CkyhPMReK1g4VIsEX8y4Ji3YZ2z77KQRKeJMl2yeRVhxtY7V34woZOER3UGGOKWq +HEUCggEAVojX5vNL2hs7Y767qQXWGTrvhVgP7zpHQgzmTT4/+6esZvbs1mx1b4Kg +uXEcgokmZPgN58QEP+KAxXW539F+tVKREtj/k0iND9HwYFIxOZ+AD1B1dh4YF1DU +KjqqQz7h5Y/VBdnt87Ls9VoV02H8yhtwdD3d8hXH3fHQXcSXDfzYZ7C+f3607m6K +I4uEJ4XorcIcnaEF8/A65Bl2MeS0vkeVQqLXD/coe4wRp+DK+0mi5Nx2ZioD4QY+ +GeLgF4NkEnAZN6rUkd5eeHRXZrSCyawdf6z0WolR7wWgvG79tM9ovFbtLHWplfBt +bgc/m41WMFUv6zYl5zmwlY285KJYNQ== +-----END PRIVATE KEY----- diff --git a/mtls/testdata/server-ca2.crt b/mtls/testdata/server-ca2.crt new file mode 100644 index 0000000..2c01237 --- /dev/null +++ b/mtls/testdata/server-ca2.crt 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE/TCCAuWgAwIBAgIJAPFW4IC7IqxSMA0GCSqGSIb3DQEBCwUAMBUxEzARBgNV +BAMMCnNlcnZlci1jYTIwHhcNMjAxMDI4MjEzNDExWhcNMjExMDI4MjEzNDExWjAV +MRMwEQYDVQQDDApzZXJ2ZXItY2EyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC +CgKCAgEAzwA2TcQQzf/F9jaNGlXfftPZqlxCTekBjtOejlGz0B4m65dBaHrDH4m7 +0jKB0S7zRXEghpM8uvFKvC00BQCt5SCAhmB51rnGjOfGjgfcrfuY7+JCTVYnnquY +Je7uMraHH29JXV+r/KU13LS2rpeUtZxYwTOkvoXifPKnlLWxYcEBgI03+Qn+sVYw +qMpbfHo1jubQcYYs4qRRzLREWNd53AEM2u24IpWmnQfzX9PhIDWKUlkaBYFGsSap +O8ni4315g/2Go4BZF5lIVE56JlL7Wiq+f+zwzVeLoM8pyBvzY5DSGv1KOVTMUURP +RhUwbzumttES6UkRLtii4kkjAP9kkNJWmhJRJwdd31Qp0TgJggxhvnW5n3IrR40z +Lm+cjtTbCbupcS58Z+ZIDewtsMug5FqfO5nu6VjpDCWdWBxisuVkGUZq61I+C3Hs +g+aTb3lUYUNdAo1DwDMwId38S0ljMBWvgN2LY8LBus5taW9EXH2nm1+LX4xebO0z +6X6OMA39N3WKHGnrDagheWC3NGYAzuReoeeRfA4tpDpQ4M1jxDsE2cOgFgx3F524 +5I9vBG67B0SLKjA+tpqc8e6ekB6sqGcOfNMFm8uMDx5egMy5mLri/imPsFwlHZhT +LLLsioGtqzSJQa6c3bL5UbB1HkiljZUo5YRGNZxTq8+rfRBAg3sCAwEAAaNQME4w +HQYDVR0OBBYEFB6nhLwdEmoxvA23jnnXqpFFXd99MB8GA1UdIwQYMBaAFB6nhLwd +EmoxvA23jnnXqpFFXd99MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIB +AMWP6EUnzGqM8VbKrr8J1h4UmneyNWH7lPorZvsXWSYguTU0nsG33P8WSMTTiTZr +fuCQywTNs8QvUKUD3gFHj0HMimutcDLwiLm9CbKqkaCR5EcyeNZqSTysQ5oPAoGo +pplWqTR5M3v32T3jj0dVNObf6qAr8ZqF1yZuUp0J9e5S6rufTtn0HgeRAfy0awZ5 +rADv6GYt//bwsFkvwVO4z8jOLlVU01C7QGBA5EHNJ4qti5c4l4DmnET2l5mIf0GL +1XVkkqDnQYLfgKxTQskN/VmSL60qXWpVMRLigeHKGoaNDY9GfZ4FKIWi8yscISX+ +zKMykKDsdQQ2MxJ2A3YUk+YWlnJ3F2wcBYGmb3RCaeEeVjyOhODfZy631+8ueSzM +QkNwy1/XX0eDk8VZTEXVsZYhDQDQqdGFDYGk2fyXS5delNM4vgC6MB/Ri388qO+T +lE4382mJfn9KE0CmF6+3KJiT4Jrs6re8gwwNTCnU+K1gICQHFfMbtDA71kHfYom5 +BUi+yDsa8x8DzPOSRUmf9/xS3ZgGyT4LmkKBpRZEggK6wYzN5ky2r682yl/Grsk8 +InfJIeoF3mPXMaNB8B67BcKvVJpmYsdaSv7Td3DC7JR4BpN6T07Vbbi/m8F8RsRa +MDaBB28GNwtowqZTO6Kxy1HcD+n1jFa3RfyS6BuM23NP +-----END CERTIFICATE----- diff --git a/mtls/testdata/server-ca2.key b/mtls/testdata/server-ca2.key new file mode 100644 index 0000000..0c81317 --- /dev/null 
+++ b/mtls/testdata/server-ca2.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDPADZNxBDN/8X2 +No0aVd9+09mqXEJN6QGO056OUbPQHibrl0FoesMfibvSMoHRLvNFcSCGkzy68Uq8 +LTQFAK3lIICGYHnWucaM58aOB9yt+5jv4kJNVieeq5gl7u4ytocfb0ldX6v8pTXc +tLaul5S1nFjBM6S+heJ88qeUtbFhwQGAjTf5Cf6xVjCoylt8ejWO5tBxhizipFHM +tERY13ncAQza7bgilaadB/Nf0+EgNYpSWRoFgUaxJqk7yeLjfXmD/YajgFkXmUhU +TnomUvtaKr5/7PDNV4ugzynIG/NjkNIa/Uo5VMxRRE9GFTBvO6a20RLpSREu2KLi +SSMA/2SQ0laaElEnB13fVCnROAmCDGG+dbmfcitHjTMub5yO1NsJu6lxLnxn5kgN +7C2wy6DkWp87me7pWOkMJZ1YHGKy5WQZRmrrUj4LceyD5pNveVRhQ10CjUPAMzAh +3fxLSWMwFa+A3YtjwsG6zm1pb0RcfaebX4tfjF5s7TPpfo4wDf03dYocaesNqCF5 +YLc0ZgDO5F6h55F8Di2kOlDgzWPEOwTZw6AWDHcXnbjkj28EbrsHRIsqMD62mpzx +7p6QHqyoZw580wWby4wPHl6AzLmYuuL+KY+wXCUdmFMssuyKga2rNIlBrpzdsvlR +sHUeSKWNlSjlhEY1nFOrz6t9EECDewIDAQABAoICAB2UZS4lp1UYiJxPXUh3HvHL +qh37AwqJEkzrlou1xyElPeCKg7E/YaSfFPTLfNt8fwzcRo6UeagpFMnhF77jQvYr +99G79Y0mjOXTtP7Uxsch3c/hoCHW/uBgmuRIyUb76EEosO4j3rrCjPjV5gj65igx +iElLbO5AyYWbUzEf6ZITd3h8NZRjxj5nF5r3F62o9QBPoVenmcBlRL8gv2eGmwZC +LCkYsShYBDAKU8/Mwi3NGM/9pYdF2ukzohlGFyL06ilfUB8LFzAVGk3ZzQCu+PYA +h6pWHG7rZKt9DvZmcBg5OJzctv+MS4oNXdqg6oPqnT8gjzhA1bDBCj2Vv+fDlwYN +CphDEpLOrJHCrAiKx8i6MNiPuG2uHorUUNXxumEUBrJPrGD+0MPrWyhgSEcvIIVK +/aBk6J236VJw1jJkL9ACRQbV7e4wjcW8lwa6Gf01hQL7diPOcf28U38s1VwvCIOy +idaY4uGOCj05BCP7Y1TDWmfNSq7FSW+/NZ6GrB85pnpxq1e0RAAMR3n2sQ6Ts8To +vJwB1bqejWSuNpDQRJxSJIqD0/x+DJHpaJHNGNSEJbwMm33fnBoIkX3OByhb1PF9 +V+GA6zd0Z56dI/jMcTNP2w3bmf2jyRS56W5oMJo+deCG8p749CC2XYhtdEOmlOMC +mpbF1Yk6acHfDL/9WqYxAoIBAQDq+8KuUW5pjKsYBKbJoNYAcbcdBdeAPEZ304Ot +rCjzo1pa2nR/IpCY7q1o06ozZuj/nfuAXlNg7t7JACKt4C/zB4K1FMxxYNOgdHtR +LaoCD9fRknYBa/mze0FzKbcSyT/xu0jM/98P23uaaP0Wg2f7FqAKxFfS7XMJQCqY +AEMiPQTYMmV+kiyWcOGvmUZ94H+7zsXvl68nzp8HppNqb2MtATouKxhWTItV+a0W +vAtq1LsQPaDyplQxzc5x+8TYqHyIftqKBhwrMLYqI7vrQCgmrRdtTz+C+tLTTtkQ +2ecvk63HxT3dGfWcWKeh7Bp217gTp2zNRrPXlsJkCbUOIzT5AoIBAQDhg8E6+Or2 +WP8dZeQg7iOWPcBQAn9MfbnZp3GcO+6hOwLFB7fLGnTczjC30Y11YaJ5BZYVb9IC 
+1Ba5LuAGKdQowk1IFTHdEMP1iAQt1HIT5V3+tDxTs1vvZPXW6884d+mNEqra9CXY +feYb16yuR2p5BYKY25XDHM7mnvwK+a+j5JtAixh92RNcAGgReaI4be0eS/3MWuKD +zD92GJMD83YAL523Av3t5vmRyVpAc7pqs+mROtpC3yqnQdRc32oRTfgkZNuIJsUY +2eJutJRELx7Q4tXn6UKhKWdA9AaccP1H++S+0uNF55D0pHg5Uv8YO9gy3x0g1X1z +agyUX2iodn0TAoIBAQDBFjcWvlsX6Dr+9XOH4t12Z/qroo0+FklhVTCymPDdorEw +TqnDfkeLIzTjGmqU6k8zHEH5bYjd8eqnB7F3Zux/qwBAg+Kql4HOK2jZf8hfAV26 +G7tT18HLNdDGLNT+XthobhiYOvi0MwoSC4tL4JakwCaqMkRoUi1gwJU/aZfAnptI +e8DijIKO7BrHDA/ch4jubi4/fkizURlkVAB2SSkZZhTEsyzAXQ1xjEQqlkJbeops +Afgq63nros2s49EQpwINtw8ks3iaFODbJ5nW6VUU0s6ZR7FMk4aBlBzRt/w8IAGA +UhdPg3FLE55Lc5MbbI8Zt020MBC/amY5hbB8+XkhAoIBAFeGp4yX57nNONbUIQKW +6sD5HpbvITEy6tsLHhEhQbDaEm0eXbs6fXjlngr6Dgks575I6MNRLxVh85/UDabW +vT1EjHIZp8zBIQ0+yUBwYAZQ03ZzxaZGyrvTV4ce5sJn6AGU6TMp5zZrRtAvmRnb +Jfvqo5FoSGv91l+z/ObVmdHmfEtEsTDG+7iNf9aoesmkAI/ttoeGDrxQnaDcUNML +vxS7Zl8NjjizmNF4cMrrH8MiKNjxGp0xuIBKEH4rSCOHO3QEoR/qzDyk9Dk7ZQBB +uZghMhxccDvUsfqHu7kkMWmq3lEh0IvlIGGTJAY7rD5fm73C0q9XrOUKl+9OSHR5 +6HkCggEACErmpQw050hIeazwXcXTtBR2hGpo8VlLnZErLiHOGS/wiejAn9t2qXCo +KOoVrxZbSwEKCZ4NRlHclRAE/tDKZGCbMhHqCAr0cNLkC61NLqTwon7+Hh4mvG64 +WT+h4cXB0M+9DIs7AaMBJM6wjpGAtypMGERI6/YeS+eHP0kaAi/J4w6tVTtxvQ0s +f/f9WK2pzZU+n7ZgPj6YG06jCuoJ5wl6z77zpXjGm0MOTWCk/eF9f1qA72AjRjAJ +OxAx35eNCTnSXENLZ3ICOfGSOhnNB1UPm6OoGdx033L6YDsWIMTb4dpkD56WVnSm +uJW1plFQ7It+qJJNeQidhuWDlOveXA== +-----END PRIVATE KEY----- diff --git a/run_with_testdata.sh b/run_with_testdata.sh new file mode 100755 index 0000000..794182e --- /dev/null +++ b/run_with_testdata.sh 
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+trap 'kill $SERVER_PID' TERM INT EXIT
+export GRPC_GO_LOG_SEVERITY_LEVEL=warning
+
+CERT_DIR=${CERT_DIR:-./mtls/testdata}
+
+./bin/server \
+ -server-cert $CERT_DIR/server-ca/server1.crt \
+ -server-key $CERT_DIR/server-ca/server1.key \
+ -client-ca-cert $CERT_DIR/client-ca.crt &
+SERVER_PID=$!
+
+sleep 1
+
+./bin/client \
+ -client-cert $CERT_DIR/client-ca/client1.crt \
+ -client-key $CERT_DIR/client-ca/client1.key \
+ -server-ca-cert $CERT_DIR/server-ca.crt $@
diff --git a/server/authn.go b/server/authn.go
new file mode 100644
index 0000000..5b836ca
--- /dev/null
+++ b/server/authn.go
@@ -0,0 +1,32 @@
+package server
+
+import (
+ "context"
+
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/credentials"
+ "google.golang.org/grpc/peer"
+ "google.golang.org/grpc/status"
+)
+
+type clientSubjectKey struct{}
+
+func AttachClientSubject(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+ p, ok := peer.FromContext(ctx)
+ if !ok {
+ return nil, status.Error(codes.Unauthenticated, "no peer found")
+ }
+
+ tlsAuth, ok := p.AuthInfo.(credentials.TLSInfo)
+ if !ok {
+ return nil, status.Error(codes.Unauthenticated, "unexpected peer transport credentials")
+ }
+
+ if len(tlsAuth.State.PeerCertificates) == 0 {
+ return nil, status.Error(codes.Unauthenticated, "could not verify peer certificate")
+ }
+
+ newCtx := context.WithValue(ctx, clientSubjectKey{}, tlsAuth.State.PeerCertificates[0].Subject)
+ return handler(newCtx, req)
+}
diff --git a/server/server.go b/server/server.go
new file mode 100644
index 0000000..911ecaa
--- /dev/null
+++ b/server/server.go
@@ -0,0 +1,14 @@
+package server
+
+import (
+ "google.golang.org/grpc"
+)
+
+func New(opts ...grpc.ServerOption) *grpc.Server {
+ return grpc.NewServer(
+ append(
+ opts,
+ grpc.UnaryInterceptor(AttachClientSubject),
+ )...,
+ )
+}
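Review bot: In run_with_testdata.sh the expansions `$CERT_DIR` and `$@` are unquoted, so a certificate directory or a client argument containing spaces is split into several words; the paths should use `"$CERT_DIR"` and the last line should end in `"$@"`. The `trap 'kill $SERVER_PID' TERM INT EXIT` is installed before `SERVER_PID` is assigned, so a signal arriving early runs `kill` with no argument; moving the trap below `SERVER_PID=$!` avoids that. The default `CERT_DIR` points at the private keys under mtls/testdata, which are public once committed, so the script should open with a comment such as `# Local testing only: the keys in mtls/testdata are committed to the repository and must never be deployed.`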
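Review bot: In server/authn.go, AttachClientSubject rejects a peer only when `PeerCertificates` is empty, although the error text says "could not verify peer certificate". That list holds whatever the client presented; it has been verified only if the server's TLS configuration requires verification, and that configuration is outside this hunk. Checking the verified chains as well keeps the interceptor safe regardless of that setting: `if len(tlsAuth.State.VerifiedChains) == 0 || len(tlsAuth.State.PeerCertificates) == 0 {`. The exported function also lacks a doc comment, for example `// AttachClientSubject is a unary interceptor that stores the Subject of the client's leaf certificate in the request context.`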
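Review bot: In server/server.go, New installs AttachClientSubject only through `grpc.UnaryInterceptor`, so any streaming RPC later registered on this server would reach its handler without the peer-certificate check and without the client subject in its context. No stream interceptor is visible in this diff; a matching one should be added next to the unary one before streaming methods are exposed. `grpc.UnaryInterceptor` can also be set only once, so a caller passing its own in `opts` conflicts with this one; if the grpc version in use provides it, `grpc.ChainUnaryInterceptor(AttachClientSubject),` composes with caller-supplied interceptors instead. Appending directly to the variadic `opts` can write into the caller's backing array when it has spare capacity, so copying into a fresh slice first is safer.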