Google Git
Sign in
apache / qpid-broker-j / 2c624d4dc58811960f6c36e5752c4859848bcfbf^! / .
commit2c624d4dc58811960f6c36e5752c4859848bcfbf[log] [tgz]
authorAlex Rudyy <orudyy@apache.org>Wed Jan 22 10:37:34 2020 +0000
committerAlex Rudyy <orudyy@apache.org>Tue Feb 04 18:30:47 2020 +0000
tree6b80652815679f3e6b02ca03c49170130b98d4e4
parent7e4408615a64838e0b9cb3d205f550b3c3c1c053 [diff]
QPID-8402: [Broker-J] Generate TLS resources on the fly

diff --git a/broker-core/pom.xml b/broker-core/pom.xml
index 04aa668..32dc4f3 100644
--- a/broker-core/pom.xml
+++ b/broker-core/pom.xml

@@ -94,7 +94,67 @@
 
     <dependency>
       <groupId>org.apache.directory.server</groupId>
-      <artifactId>apacheds-all</artifactId>
+      <artifactId>apacheds-core</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.directory.server</groupId>
+      <artifactId>apacheds-core-annotations</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.directory.server</groupId>
+      <artifactId>apacheds-core-api</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.directory.server</groupId>
+      <artifactId>apacheds-interceptor-kerberos</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.directory.server</groupId>
+      <artifactId>apacheds-kerberos-codec</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.directory.server</groupId>
+      <artifactId>apacheds-protocol-kerberos</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.directory.server</groupId>
+      <artifactId>apacheds-protocol-ldap</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.directory.server</groupId>
+      <artifactId>apacheds-protocol-shared</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.directory.server</groupId>
+      <artifactId>apacheds-server-annotations</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.directory.server</groupId>
+      <artifactId>apacheds-server-config</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.directory.server</groupId>
+      <artifactId>apacheds-test-framework</artifactId>
       <scope>test</scope>
     </dependency>
 

diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java
index 834531c..4281201 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java

@@ -20,52 +20,63 @@
 package org.apache.qpid.server.security;
 
 
-import static org.apache.qpid.server.security.FileTrustStoreTest.createDataUrlForFile;
-import static org.hamcrest.CoreMatchers.equalTo;
-import static org.hamcrest.CoreMatchers.is;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
-import static org.junit.Assume.assumeThat;
 
-import java.io.File;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.StandardCopyOption;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
 import javax.net.ssl.KeyManager;
 
+import org.junit.ClassRule;
+import org.junit.Test;
+
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
 import org.apache.qpid.server.model.Broker;
 import org.apache.qpid.server.model.BrokerModel;
 import org.apache.qpid.server.model.BrokerTestHelper;
 import org.apache.qpid.server.model.ConfiguredObjectFactory;
-import org.apache.qpid.test.utils.UnitTestBase;
-import org.junit.Test;
-
-import org.apache.qpid.server.configuration.IllegalConfigurationException;
 import org.apache.qpid.server.model.KeyStore;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
+import org.apache.qpid.test.utils.tls.CertificateEntry;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.PrivateKeyEntry;
+import org.apache.qpid.test.utils.tls.SecretKeyEntry;
+import org.apache.qpid.test.utils.tls.TlsResource;
 import org.apache.qpid.server.util.DataUrlUtils;
-import org.apache.qpid.test.utils.TestFileUtils;
-import org.apache.qpid.test.utils.TestSSLConstants;
+import org.apache.qpid.test.utils.UnitTestBase;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
+import org.apache.qpid.test.utils.tls.TlsResourceHelper;
 
 public class FileKeyStoreTest extends UnitTestBase
 {
+    @ClassRule
+    public static final TlsResource TLS_RESOURCE = new TlsResource();
+
     private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
     private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
+    private static final String DN_FOO = "CN=foo";
+    private static final String DN_BAR = "CN=bar";
+    private static final String NAME = "myFileKeyStore";
+    private static final String SECRET_KEY_ALIAS = "secret-key-alias";
 
     @Test
     public void testCreateKeyStoreFromFile_Success() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE);
-        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        final Path keyStoreFile = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileKeyStore.NAME, NAME);
+        attributes.put(FileKeyStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+        attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
 
-        FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
+        final KeyStore<?> fileKeyStore = createFileKeyStore(attributes);
 
         KeyManager[] keyManager = fileKeyStore.getKeyManagers();
         assertNotNull(keyManager);
@@ -76,14 +87,15 @@
     @Test
     public void testCreateKeyStoreWithAliasFromFile_Success() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE);
-        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.BROKER_KEYSTORE_ALIAS);
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        final Path keyStoreFile = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileKeyStore.NAME, NAME);
+        attributes.put(FileKeyStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+        attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TLS_RESOURCE.getPrivateKeyAlias());
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
 
-        FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
+        final KeyStore<?> fileKeyStore = createFileKeyStore(attributes);
 
         KeyManager[] keyManager = fileKeyStore.getKeyManagers();
         assertNotNull(keyManager);
@@ -92,58 +104,69 @@
     }
 
     @Test
-    public void testCreateKeyStoreFromFile_WrongPassword()
+    public void testCreateKeyStoreFromFile_WrongPassword() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE);
-        attributes.put(FileKeyStore.PASSWORD, "wrong");
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        final Path keyStoreFile = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileKeyStore.NAME, NAME);
+        attributes.put(FileKeyStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+        attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret() + "_");
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
 
-        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
-                "Check key store password");
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY,
+                                                                      BROKER,
+                                                                      KeyStore.class, attributes,
+                                                                      "Check key store password");
     }
 
     @Test
-    public void testCreateKeyStoreFromFile_UnknownAlias()
+    public void testCreateKeyStoreFromFile_UnknownAlias() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.CLIENT_KEYSTORE);
-        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileKeyStore.CERTIFICATE_ALIAS, "notknown");
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        final Path keyStoreFile = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
+        final String unknownAlias = TLS_RESOURCE.getPrivateKeyAlias() + "_";
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileKeyStore.NAME, NAME);
+        attributes.put(FileKeyStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+        attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileKeyStore.CERTIFICATE_ALIAS, unknownAlias);
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
 
-        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
-                "Cannot find a certificate with alias 'notknown' in key store");
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY,
+                                                                      BROKER,
+                                                                      KeyStore.class,
+                                                                      attributes,
+                                                                      String.format(
+                                                                              "Cannot find a certificate with alias '%s' in key store",
+                                                                              unknownAlias));
     }
 
     @Test
-    public void testCreateKeyStoreFromFile_NonKeyAlias()
+    public void testCreateKeyStoreFromFile_NonKeyAlias() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.CLIENT_KEYSTORE);
-        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.CERT_ALIAS_ROOT_CA);
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        final Path keyStoreFile = TLS_RESOURCE.createSelfSignedTrustStore(DN_FOO);
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileKeyStore.NAME, NAME);
+        attributes.put(FileKeyStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+        attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TLS_RESOURCE.getCertificateAlias());
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
 
         KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
-                "does not identify a private key");
+                                                                      "does not identify a private key");
     }
 
     @Test
     public void testCreateKeyStoreFromDataUrl_Success() throws Exception
     {
-        String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE);
+        final String keyStoreAsDataUrl = TLS_RESOURCE.createSelfSignedKeyStoreAsDataUrl(DN_FOO);
 
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.STORE_URL, trustStoreAsDataUrl);
-        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileKeyStore.NAME, NAME);
+        attributes.put(FileKeyStore.STORE_URL, keyStoreAsDataUrl);
+        attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
 
-        FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
+        final KeyStore<?> fileKeyStore = createFileKeyStore(attributes);
 
         KeyManager[] keyManagers = fileKeyStore.getKeyManagers();
         assertNotNull(keyManagers);
@@ -154,16 +177,16 @@
     @Test
     public void testCreateKeyStoreWithAliasFromDataUrl_Success() throws Exception
     {
-        String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE);
+        final String keyStoreAsDataUrl = TLS_RESOURCE.createSelfSignedKeyStoreAsDataUrl(DN_FOO);
 
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.STORE_URL, trustStoreAsDataUrl);
-        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.BROKER_KEYSTORE_ALIAS);
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileKeyStore.NAME, NAME);
+        attributes.put(FileKeyStore.STORE_URL, keyStoreAsDataUrl);
+        attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TLS_RESOURCE.getPrivateKeyAlias());
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
 
-        FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
+        final KeyStore<?> fileKeyStore = createFileKeyStore(attributes);
 
         KeyManager[] keyManagers = fileKeyStore.getKeyManagers();
         assertNotNull(keyManagers);
@@ -174,16 +197,15 @@
     @Test
     public void testCreateKeyStoreFromDataUrl_WrongPassword() throws Exception
     {
-        String keyStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE);
+        final String keyStoreAsDataUrl = TLS_RESOURCE.createSelfSignedKeyStoreAsDataUrl(DN_FOO);
 
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.PASSWORD, "wrong");
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileKeyStore.NAME, NAME);
+        attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret() + "_");
         attributes.put(FileKeyStore.STORE_URL, keyStoreAsDataUrl);
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
 
         KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
-                "Check key store password");
+                                                                      "Check key store password");
     }
 
     @Test
@@ -191,87 +213,105 @@
     {
         String keyStoreAsDataUrl = DataUrlUtils.getDataUrlForBytes("notatruststore".getBytes());
 
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileKeyStore.NAME, NAME);
+        attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
         attributes.put(FileKeyStore.STORE_URL, keyStoreAsDataUrl);
 
         KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
-                "Cannot instantiate key store");
+                                                                      "Cannot instantiate key store");
     }
 
     @Test
     public void testCreateKeyStoreFromDataUrl_UnknownAlias() throws Exception
     {
-        String keyStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE);
+        final String keyStoreAsDataUrl = TLS_RESOURCE.createSelfSignedKeyStoreAsDataUrl(DN_FOO);
+        final String unknownAlias = TLS_RESOURCE.getPrivateKeyAlias() + "_";
 
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileKeyStore.NAME, NAME);
+        attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
         attributes.put(FileKeyStore.STORE_URL, keyStoreAsDataUrl);
-        attributes.put(FileKeyStore.CERTIFICATE_ALIAS, "notknown");
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        attributes.put(FileKeyStore.CERTIFICATE_ALIAS, unknownAlias);
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
 
-        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
-                "Cannot find a certificate with alias 'notknown' in key store");
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY,
+                                                                      BROKER,
+                                                                      KeyStore.class,
+                                                                      attributes,
+                                                                      String.format(
+                                                                              "Cannot find a certificate with alias '%s' in key store",
+                                                                              unknownAlias));
     }
 
     @Test
-    public void testEmptyKeystoreRejected()
+    public void testEmptyKeystoreRejected() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.TEST_EMPTY_KEYSTORE);
+        final Path keyStoreFile = TLS_RESOURCE.createKeyStore();
 
-        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
-                "must contain at least one private key");
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileKeyStore.NAME, NAME);
+        attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileKeyStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY,
+                                                                      BROKER,
+                                                                      KeyStore.class,
+                                                                      attributes,
+                                                                      "must contain at least one private key");
     }
 
     @Test
-    public void testKeystoreWithNoPrivateKeyRejected()
+    public void testKeystoreWithNoPrivateKeyRejected() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
+        final Path keyStoreFile = TLS_RESOURCE.createSelfSignedTrustStore(DN_FOO);
+
+        Map<String, Object> attributes = new HashMap<>();
         attributes.put(FileKeyStore.NAME, getTestName());
-        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.TEST_CERT_ONLY_KEYSTORE);
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileKeyStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
 
         KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
-                "must contain at least one private key");
+                                                                      "must contain at least one private key");
     }
 
     @Test
-    public void testSymmetricKeysIgnored()
+    public void testSymmetricKeysIgnored() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.TEST_SYMMETRIC_KEY_KEYSTORE);
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        final String keyStoreType = "jceks"; // or jks
+        final Path keyStoreFile = createSelfSignedKeyStoreWithSecretKeyAndCertificate(keyStoreType, DN_FOO);
 
-        KeyStore keyStore = (KeyStore) FACTORY.create(KeyStore.class, attributes, BROKER);
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileKeyStore.NAME, NAME);
+        attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileKeyStore.STORE_URL, keyStoreFile);
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, keyStoreType);
+
+        KeyStore<?> keyStore = createFileKeyStore(attributes);
         assertNotNull(keyStore);
     }
 
     @Test
-    public void testUpdateKeyStore_Success()
+    public void testUpdateKeyStore_Success() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileKeyStore.NAME, "myFileKeyStore");
-        attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE);
-        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        final Path keyStoreFile = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileKeyStore.NAME, NAME);
 
-        FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
+        attributes.put(FileKeyStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+        attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
+
+        final FileKeyStore<?> fileKeyStore = createFileKeyStore(attributes);
 
         assertNull("Unexpected alias value before change", fileKeyStore.getCertificateAlias());
 
+        String unknownAlias = TLS_RESOURCE.getSecret() + "_";
+        Map<String, Object> unacceptableAttributes = new HashMap<>();
+        unacceptableAttributes.put(FileKeyStore.CERTIFICATE_ALIAS, unknownAlias);
         try
         {
-            Map<String,Object> unacceptableAttributes = new HashMap<>();
-            unacceptableAttributes.put(FileKeyStore.CERTIFICATE_ALIAS, "notknown");
-
             fileKeyStore.setAttributes(unacceptableAttributes);
             fail("Exception not thrown");
         }
@@ -279,66 +319,52 @@
         {
             String message = e.getMessage();
             assertTrue("Exception text not as unexpected:" + message,
-                              message.contains("Cannot find a certificate with alias 'notknown' in key store"));
+                       message.contains(String.format("Cannot find a certificate with alias '%s' in key store",
+                                                      unknownAlias)));
         }
 
         assertNull("Unexpected alias value after failed change", fileKeyStore.getCertificateAlias());
 
-        Map<String,Object> changedAttributes = new HashMap<>();
-        changedAttributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.BROKER_KEYSTORE_ALIAS);
+        Map<String, Object> changedAttributes = new HashMap<>();
+        changedAttributes.put(FileKeyStore.CERTIFICATE_ALIAS, TLS_RESOURCE.getPrivateKeyAlias());
 
         fileKeyStore.setAttributes(changedAttributes);
 
         assertEquals("Unexpected alias value after change that is expected to be successful",
-                TestSSLConstants.BROKER_KEYSTORE_ALIAS, fileKeyStore.getCertificateAlias());
-
+                     TLS_RESOURCE.getPrivateKeyAlias(),
+                     fileKeyStore.getCertificateAlias());
     }
 
     @Test
     public void testReloadKeystore() throws Exception
     {
-        assumeThat(SSLUtil.canGenerateCerts(), is(equalTo(true)));
+        final Path keyStorePath = TLS_RESOURCE.createSelfSignedKeyStoreWithCertificate(DN_FOO);
+        final Path keyStorePath2 = TLS_RESOURCE.createSelfSignedKeyStoreWithCertificate(DN_BAR);
+        final Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileKeyStore.NAME, getTestName());
+        attributes.put(FileKeyStore.STORE_URL, keyStorePath.toFile().getAbsolutePath());
+        attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
 
-        final SSLUtil.KeyCertPair selfSigned1 = KeyStoreTestHelper.generateSelfSigned("CN=foo");
-        final SSLUtil.KeyCertPair selfSigned2 = KeyStoreTestHelper.generateSelfSigned("CN=bar");
+        final FileKeyStore<?> keyStoreObject = createFileKeyStore(attributes);
 
-        final File keyStoreFile = TestFileUtils.createTempFile(this, ".ks");
-        final String dummy = "changit";
-        final char[] pass = dummy.toCharArray();
-        final String certificateAlias = "test1";
-        final String keyAlias = "test2";
-        try
-        {
-            final java.security.KeyStore keyStore =
-                    KeyStoreTestHelper.saveKeyStore(selfSigned1, certificateAlias, keyAlias, pass, keyStoreFile);
+        final CertificateDetails certificate = getCertificate(keyStoreObject);
+        assertEquals(DN_FOO, certificate.getIssuerName());
 
-            final Map<String, Object> attributes = new HashMap<>();
-            attributes.put(FileKeyStore.NAME, getTestName());
-            attributes.put(FileKeyStore.STORE_URL, keyStoreFile.getAbsolutePath());
-            attributes.put(FileKeyStore.PASSWORD, dummy);
-            attributes.put(FileKeyStore.KEY_STORE_TYPE, keyStore.getType());
+        Files.copy(keyStorePath2, keyStorePath, StandardCopyOption.REPLACE_EXISTING);
 
-            final FileKeyStore keyStoreObject = (FileKeyStore) FACTORY.create(KeyStore.class, attributes, BROKER);
+        keyStoreObject.reload();
 
-            final CertificateDetails certificate = getCertificate(keyStoreObject);
-            assertEquals("CN=foo", certificate.getIssuerName());
-
-            assertTrue(keyStoreFile.delete());
-            assertTrue(keyStoreFile.createNewFile());keyStoreFile.deleteOnExit();
-            KeyStoreTestHelper.saveKeyStore(selfSigned2, certificateAlias, keyAlias, pass, keyStoreFile);
-
-            keyStoreObject.reload();
-
-            final CertificateDetails certificate2 = getCertificate(keyStoreObject);
-            assertEquals("CN=bar", certificate2.getIssuerName());
-        }
-        finally
-        {
-            assertTrue(keyStoreFile.delete());
-        }
+        final CertificateDetails certificate2 = getCertificate(keyStoreObject);
+        assertEquals(DN_BAR, certificate2.getIssuerName());
     }
 
-    public CertificateDetails getCertificate(final FileKeyStore keyStore)
+    @SuppressWarnings("unchecked")
+    private FileKeyStore<?> createFileKeyStore(final Map<String, Object> attributes)
+    {
+        return (FileKeyStore<?>) FACTORY.create(KeyStore.class, attributes, BROKER);
+    }
+
+    private CertificateDetails getCertificate(final FileKeyStore<?> keyStore)
     {
         final List<CertificateDetails> certificates = keyStore.getCertificateDetails();
 
@@ -347,4 +373,17 @@
 
         return certificates.get(0);
     }
+
+
+    public Path createSelfSignedKeyStoreWithSecretKeyAndCertificate(final String keyStoreType, final String dn)
+            throws Exception
+    {
+        final KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(dn);
+
+        return TLS_RESOURCE.createKeyStore(keyStoreType, new PrivateKeyEntry(TLS_RESOURCE.getPrivateKeyAlias(),
+                                                                             keyCertPair.getPrivateKey(),
+                                                                             keyCertPair.getCertificate()),
+                                           new CertificateEntry(TLS_RESOURCE.getCertificateAlias(), keyCertPair.getCertificate()),
+                                           new SecretKeyEntry(SECRET_KEY_ALIAS, TlsResourceHelper.createAESSecretKey()));
+    }
 }

diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
index 6ca59a8..c5cf7a1 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java

@@ -31,15 +31,19 @@
 import static org.junit.Assert.fail;
 import static org.junit.Assume.assumeThat;
 
-import java.io.File;
 import java.io.FileInputStream;
-import java.io.IOException;
 import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.StandardCopyOption;
 import java.security.KeyStore;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateExpiredException;
 import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.Map;
@@ -47,38 +51,55 @@
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 
-import com.google.common.io.ByteStreams;
+import org.junit.ClassRule;
+import org.junit.Test;
+
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
 import org.apache.qpid.server.model.Broker;
 import org.apache.qpid.server.model.BrokerModel;
 import org.apache.qpid.server.model.BrokerTestHelper;
 import org.apache.qpid.server.model.ConfiguredObjectFactory;
-import org.apache.qpid.test.utils.UnitTestBase;
-import org.junit.Test;
-
-import org.apache.qpid.server.configuration.IllegalConfigurationException;
 import org.apache.qpid.server.model.TrustStore;
+import org.apache.qpid.test.utils.tls.CertificateEntry;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.PrivateKeyEntry;
+import org.apache.qpid.test.utils.tls.SecretKeyEntry;
+import org.apache.qpid.test.utils.tls.TlsResource;
 import org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
 import org.apache.qpid.server.util.DataUrlUtils;
-import org.apache.qpid.test.utils.TestFileUtils;
-import org.apache.qpid.test.utils.TestSSLConstants;
+import org.apache.qpid.test.utils.UnitTestBase;
+import org.apache.qpid.test.utils.tls.TlsResourceHelper;
 
 public class FileTrustStoreTest extends UnitTestBase
 {
+    @ClassRule
+    public static final TlsResource TLS_RESOURCE = new TlsResource();
+
     private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
     private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
+    private static final String DN_FOO = "CN=foo";
+    private static final String DN_BAR = "CN=bar";
+    private static final String DN_CA = "CN=CA";
+    private static final String CERTIFICATE_ALIAS_A = "a";
+    private static final String CERTIFICATE_ALIAS_B = "b";
+    private static final String NOT_A_CRL = "/not/a/crl";
+    private static final String NAME = "myFileTrustStore";
+    private static final String NOT_A_TRUSTSTORE = "/not/a/truststore";
+    private static final String SECRET_KEY_ALIAS = "secret-key-alias";
 
     @Test
-    public void testCreateTrustStoreFromFile_Success() throws Exception
+    public void testCreateFileTrustStoreWithoutCRL() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileTrustStore.NAME, "myFileTrustStore");
-        attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.CLIENT_TRUSTSTORE);
-        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+        final Path keyStoreFile = TLS_RESOURCE.createSelfSignedTrustStore(DN_FOO);
 
-        TrustStore<?> fileTrustStore = FACTORY.create(TrustStore.class, attributes, BROKER);
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileTrustStore.NAME, NAME);
+        attributes.put(FileTrustStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+        attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, false);
+
+        final FileTrustStore<?> fileTrustStore = createFileTrustStore(attributes);
 
         TrustManager[] trustManagers = fileTrustStore.getTrustManagers();
         assertNotNull(trustManagers);
@@ -87,45 +108,75 @@
     }
 
     @Test
-    public void testCreateTrustStoreFromFile_WrongPassword()
+    public void testCreateFileTrustStoreFromWithExplicitlySetCRL() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileTrustStore.NAME, "myFileTrustStore");
-        attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.CLIENT_TRUSTSTORE);
-        attributes.put(FileTrustStore.PASSWORD, "wrong");
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        final StoreAndCrl<Path> data = generateTrustStoreAndCrl();
 
-        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
-                "Check trust store password");
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileTrustStore.NAME, NAME);
+        attributes.put(FileTrustStore.STORE_URL, data.getStore().toFile().getAbsolutePath());
+        attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, data.getCrl().toFile().getPath());
+
+        final FileTrustStore<?> fileTrustStore = createFileTrustStore(attributes);
+
+        TrustManager[] trustManagers = fileTrustStore.getTrustManagers();
+        assertNotNull(trustManagers);
+        assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
+        assertNotNull("Trust manager unexpected null", trustManagers[0]);
     }
 
     @Test
-    public void testCreateTrustStoreFromFile_MissingCrlFile()
+    public void testCreateTrustStoreFromFile_WrongPassword() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileTrustStore.NAME, "myFileTrustStore");
-        attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.CLIENT_TRUSTSTORE);
-        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
-        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
+        final Path keyStoreFile = TLS_RESOURCE.createSelfSignedTrustStore(DN_FOO);
+
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileTrustStore.NAME, NAME);
+        attributes.put(FileTrustStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+        attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret() + "_");
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
 
         KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
-                "Unable to load certificate revocation list '/not/a/crl' for truststore 'myFileTrustStore'");
+                                                                      "Check trust store password");
+    }
+
+    @Test
+    public void testCreateTrustStoreFromFile_MissingCrlFile() throws Exception
+    {
+        final Path keyStoreFile = TLS_RESOURCE.createSelfSignedTrustStore(DN_FOO);
+
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileTrustStore.NAME, NAME);
+        attributes.put(FileTrustStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+        attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
+        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, NOT_A_CRL);
+
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY,
+                                                                      BROKER,
+                                                                      TrustStore.class,
+                                                                      attributes,
+                                                                      String.format(
+                                                                              "Unable to load certificate revocation list '%s' for truststore 'myFileTrustStore'",
+                                                                              NOT_A_CRL));
     }
 
     @Test
     public void testCreatePeersOnlyTrustStoreFromFile_Success() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileTrustStore.NAME, "myFileTrustStore");
-        attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE);
-        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileTrustStore.PEERS_ONLY, true);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
-        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+        final KeyCertificatePair keyPairAndRootCA = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
+        final Path keyStoreFile = TLS_RESOURCE.createTrustStore(DN_FOO, keyPairAndRootCA);
 
-        TrustStore<?> fileTrustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileTrustStore.NAME, NAME);
+        attributes.put(FileTrustStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+        attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileTrustStore.PEERS_ONLY, true);
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
+
+        final FileTrustStore<?> fileTrustStore = createFileTrustStore(attributes);
 
         TrustManager[] trustManagers = fileTrustStore.getTrustManagers();
         assertNotNull(trustManagers);
@@ -140,16 +191,18 @@
     {
         // https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-
         assumeThat("IBMJSSE2 trust factory (IbmX509) validates the entire chain, including trusted certificates.",
-                getJvmVendor(),
-                is(not(equalTo(IBM))));
+                   getJvmVendor(),
+                   is(not(equalTo(IBM))));
 
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileTrustStore.NAME, "myFileTrustStore");
-        attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_EXPIRED_TRUSTSTORE);
-        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        final Path keyStoreFile = createTrustStoreWithExpiredCertificate();
 
-        TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileTrustStore.NAME, NAME);
+        attributes.put(FileTrustStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+        attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
+
+        FileTrustStore<?> trustStore = createFileTrustStore(attributes);
 
         TrustManager[] trustManagers = trustStore.getTrustManagers();
         assertNotNull(trustManagers);
@@ -158,26 +211,29 @@
         assertTrue("Unexpected trust manager type", condition);
         X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
 
-        KeyStore clientStore = getInitializedKeyStore(TestSSLConstants.CLIENT_EXPIRED_KEYSTORE,
-                                                      TestSSLConstants.PASSWORD,
-                                                      TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        KeyStore clientStore = getInitializedKeyStore(keyStoreFile.toFile().getAbsolutePath(),
+                                                      TLS_RESOURCE.getSecret(),
+                                                      TLS_RESOURCE.getKeyStoreType());
+
         String alias = clientStore.aliases().nextElement();
         X509Certificate certificate = (X509Certificate) clientStore.getCertificate(alias);
 
-        trustManager.checkClientTrusted(new X509Certificate[] {certificate}, "NULL");
+        trustManager.checkClientTrusted(new X509Certificate[]{certificate}, "NULL");
     }
 
     @Test
     public void testUseOfExpiredTrustAnchorDenied() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileTrustStore.NAME, "myFileTrustStore");
-        attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_EXPIRED_TRUSTSTORE);
-        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        final Path keyStoreFile = createTrustStoreWithExpiredCertificate();
 
-        TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileTrustStore.NAME, NAME);
+        attributes.put(FileTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
+        attributes.put(FileTrustStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+        attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
+
+        final TrustStore<?> trustStore = createFileTrustStore(attributes);
 
         TrustManager[] trustManagers = trustStore.getTrustManagers();
         assertNotNull(trustManagers);
@@ -186,15 +242,15 @@
         assertTrue("Unexpected trust manager type", condition);
         X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
 
-        KeyStore clientStore = getInitializedKeyStore(TestSSLConstants.CLIENT_EXPIRED_KEYSTORE,
-                                                      TestSSLConstants.PASSWORD,
-                                                      TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        KeyStore clientStore = getInitializedKeyStore(keyStoreFile.toFile().getAbsolutePath(),
+                                                      TLS_RESOURCE.getSecret(),
+                                                      TLS_RESOURCE.getKeyStoreType());
         String alias = clientStore.aliases().nextElement();
         X509Certificate certificate = (X509Certificate) clientStore.getCertificate(alias);
 
         try
         {
-            trustManager.checkClientTrusted(new X509Certificate[] {certificate}, "NULL");
+            trustManager.checkClientTrusted(new X509Certificate[]{certificate}, "NULL");
             fail("Exception not thrown");
         }
         catch (CertificateException e)
@@ -202,31 +258,29 @@
             if (e instanceof CertificateExpiredException || "Certificate expired".equals(e.getMessage()))
             {
                 // IBMJSSE2 does not throw CertificateExpiredException, it throws a CertificateException
-                // PASS
+                // ignore
             }
             else
             {
                 throw e;
             }
-
         }
     }
 
     @Test
     public void testCreateTrustStoreFromDataUrl_Success() throws Exception
     {
-        String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.CLIENT_TRUSTSTORE);
-        String crlAsDataUrl = createDataUrlForFile(TestSSLConstants.CA_CRL);
+        final StoreAndCrl<String> data = generateTrustStoreAndCrlAsDataUrl();
 
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileTrustStore.NAME, "myFileTrustStore");
-        attributes.put(FileTrustStore.STORE_URL, trustStoreAsDataUrl);
-        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileTrustStore.NAME, NAME);
+        attributes.put(FileTrustStore.STORE_URL, data.getStore());
+        attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
         attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, crlAsDataUrl);
+        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, data.getCrl());
 
-        TrustStore<?> fileTrustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+        FileTrustStore<?> fileTrustStore = createFileTrustStore(attributes);
 
         TrustManager[] trustManagers = fileTrustStore.getTrustManagers();
         assertNotNull(trustManagers);
@@ -237,16 +291,16 @@
     @Test
     public void testCreateTrustStoreFromDataUrl_WrongPassword() throws Exception
     {
-        String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.CLIENT_TRUSTSTORE);
+        String trustStoreAsDataUrl = TLS_RESOURCE.createSelfSignedTrustStoreAsDataUrl(DN_FOO);
 
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileTrustStore.NAME, "myFileTrustStore");
-        attributes.put(FileTrustStore.PASSWORD, "wrong");
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileTrustStore.NAME, NAME);
+        attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret() + "_");
         attributes.put(FileTrustStore.STORE_URL, trustStoreAsDataUrl);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
 
         KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
-                "Check trust store password");
+                                                                      "Check trust store password");
     }
 
     @Test
@@ -254,192 +308,192 @@
     {
         String trustStoreAsDataUrl = DataUrlUtils.getDataUrlForBytes("notatruststore".getBytes());
 
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileTrustStore.NAME, "myFileTrustStore");
-        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileTrustStore.NAME, NAME);
+        attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
         attributes.put(FileTrustStore.STORE_URL, trustStoreAsDataUrl);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
 
         KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
-                "Cannot instantiate trust store");
+                                                                      "Cannot instantiate trust store");
     }
 
     @Test
-    public void testUpdateTrustStore_Success()
+    public void testUpdateTrustStore_Success() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileTrustStore.NAME, "myFileTrustStore");
-        attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.CLIENT_TRUSTSTORE);
-        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
-        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+        final StoreAndCrl<Path> data = generateTrustStoreAndCrl();
 
-        FileTrustStore<?> fileTrustStore = (FileTrustStore<?>) FACTORY.create(TrustStore.class, attributes, BROKER);
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileTrustStore.NAME, NAME);
+        attributes.put(FileTrustStore.STORE_URL, data.getStore().toFile().getAbsolutePath());
+        attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
+        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, data.getCrl().toFile().getAbsolutePath());
+
+        final FileTrustStore<?> fileTrustStore = createFileTrustStore(attributes);
 
         assertEquals("Unexpected path value before change",
-                            TestSSLConstants.CLIENT_TRUSTSTORE,
-                            fileTrustStore.getStoreUrl());
-
+                     data.getStore().toFile().getAbsolutePath(),
+                     fileTrustStore.getStoreUrl());
 
         try
         {
-            Map<String,Object> unacceptableAttributes = new HashMap<>();
-            unacceptableAttributes.put(FileTrustStore.STORE_URL, "/not/a/truststore");
-
-            fileTrustStore.setAttributes(unacceptableAttributes);
+            fileTrustStore.setAttributes(Collections.singletonMap(FileTrustStore.STORE_URL, NOT_A_TRUSTSTORE));
             fail("Exception not thrown");
         }
         catch (IllegalConfigurationException e)
         {
             String message = e.getMessage();
             assertTrue("Exception text not as unexpected:" + message,
-                              message.contains("Cannot instantiate trust store"));
+                       message.contains("Cannot instantiate trust store"));
         }
 
         assertEquals("Unexpected keystore path value after failed change",
-                TestSSLConstants.CLIENT_TRUSTSTORE,
-                fileTrustStore.getStoreUrl());
+                     data.getStore().toFile().getAbsolutePath(),
+                     fileTrustStore.getStoreUrl());
 
         try
         {
-            Map<String,Object> unacceptableAttributes = new HashMap<>();
-            unacceptableAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
 
-            fileTrustStore.setAttributes(unacceptableAttributes);
+            fileTrustStore.setAttributes(Collections.singletonMap(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, NOT_A_CRL));
             fail("Exception not thrown");
         }
         catch (IllegalConfigurationException e)
         {
             String message = e.getMessage();
             assertTrue("Exception text not as unexpected:" + message,
-                    message.contains("Unable to load certificate revocation list '/not/a/crl' for truststore " +
-                            "'myFileTrustStore'"));
+                       message.contains(String.format(
+                               "Unable to load certificate revocation list '%s' for truststore '%s'", NOT_A_CRL, NAME)));
         }
 
         assertEquals("Unexpected CRL path value after failed change",
-                            TestSSLConstants.CA_CRL,
-                            fileTrustStore.getCertificateRevocationListUrl());
+                     data.getCrl().toFile().getAbsolutePath(),
+                     fileTrustStore.getCertificateRevocationListUrl());
 
-        Map<String,Object> changedAttributes = new HashMap<>();
-        changedAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_TRUSTSTORE);
-        changedAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
-        changedAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL_EMPTY);
+        assertEquals("Unexpected path value after failed change",
+                     data.getStore().toFile().getAbsolutePath(),
+                     fileTrustStore.getStoreUrl());
+
+        final Path keyStoreFile2 = TLS_RESOURCE.createTrustStore(DN_FOO, data.getCa());
+        final Path emptyCrl = TLS_RESOURCE.createCrl(data.getCa());
+
+        Map<String, Object> changedAttributes = new HashMap<>();
+        changedAttributes.put(FileTrustStore.STORE_URL, keyStoreFile2.toFile().getAbsolutePath());
+        changedAttributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+        changedAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, emptyCrl.toFile().getAbsolutePath());
 
         fileTrustStore.setAttributes(changedAttributes);
 
         assertEquals("Unexpected keystore path value after change that is expected to be successful",
-                            TestSSLConstants.BROKER_TRUSTSTORE,
-                            fileTrustStore.getStoreUrl());
+                     keyStoreFile2.toFile().getAbsolutePath(),
+                     fileTrustStore.getStoreUrl());
         assertEquals("Unexpected CRL path value after change that is expected to be successful",
-                TestSSLConstants.CA_CRL_EMPTY,
-                fileTrustStore.getCertificateRevocationListUrl());
+                     emptyCrl.toFile().getAbsolutePath(),
+                     fileTrustStore.getCertificateRevocationListUrl());
     }
 
     @Test
-    public void testEmptyTrustStoreRejected()
+    public void testEmptyTrustStoreRejected() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(FileKeyStore.NAME, "myFileTrustStore");
-        attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.TEST_EMPTY_KEYSTORE);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, "jks");
+
+        final Path path = TLS_RESOURCE.createKeyStore();
+
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileKeyStore.NAME, NAME);
+        attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileKeyStore.STORE_URL, path.toFile().getAbsolutePath());
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
 
         KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
-                "must contain at least one certificate");
+                                                                      "must contain at least one certificate");
     }
 
     @Test
-    public void testTrustStoreWithNoCertificateRejected()
+    public void testTrustStoreWithNoCertificateRejected() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
+        final Path path = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
+
+        Map<String, Object> attributes = new HashMap<>();
         attributes.put(FileTrustStore.NAME, getTestName());
-        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TEST_PK_ONLY_KEYSTORE);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileTrustStore.STORE_URL, path.toFile().getAbsolutePath());
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
 
         KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
-                "must contain at least one certificate");
+                                                                      "must contain at least one certificate");
     }
 
     @Test
     public void testSymmetricKeyEntryIgnored() throws Exception
     {
+        final String keyStoreType = "jceks";
+        final Path keyStoreFile = createSelfSignedKeyStoreWithSecretKeyAndCertificate(keyStoreType, DN_FOO);
         Map<String, Object> attributes = new HashMap<>();
         attributes.put(FileTrustStore.NAME, getTestName());
-        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TEST_SYMMETRIC_KEY_KEYSTORE);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileTrustStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, keyStoreType);
 
-        TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+        FileTrustStore<?> trustStore = createFileTrustStore(attributes);
 
         Certificate[] certificates = trustStore.getCertificates();
         assertEquals("Unexpected number of certificates",
-                            getNumberOfCertificates(TestSSLConstants.TEST_SYMMETRIC_KEY_KEYSTORE,
-                                    TestSSLConstants.JAVA_KEYSTORE_TYPE),
-                            certificates.length);
+                     (long) getNumberOfCertificates(keyStoreFile, keyStoreType),
+                     (long) certificates.length);
     }
 
     @Test
     public void testPrivateKeyEntryIgnored() throws Exception
     {
+        final Path keyStoreFile = TLS_RESOURCE.createSelfSignedKeyStoreWithCertificate(DN_FOO);
+
         Map<String, Object> attributes = new HashMap<>();
         attributes.put(FileTrustStore.NAME, getTestName());
-        attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
-        attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TEST_KEYSTORE);
-        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+        attributes.put(FileTrustStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+        attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
 
-        TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+        FileTrustStore<?> trustStore = createFileTrustStore(attributes);
 
         Certificate[] certificates = trustStore.getCertificates();
         assertEquals("Unexpected number of certificates",
-                            getNumberOfCertificates(TestSSLConstants.TEST_KEYSTORE,
-                                    TestSSLConstants.JAVA_KEYSTORE_TYPE),
-                            certificates.length);
+                     (long) getNumberOfCertificates(keyStoreFile, TLS_RESOURCE.getKeyStoreType()),
+                     (long) certificates.length);
     }
 
     @Test
     public void testReloadKeystore() throws Exception
     {
-        assumeThat(SSLUtil.canGenerateCerts(), is(equalTo(true)));
+        final Path keyStorePath = TLS_RESOURCE.createSelfSignedKeyStoreWithCertificate(DN_FOO);
+        final Path keyStorePath2 = TLS_RESOURCE.createSelfSignedKeyStoreWithCertificate(DN_BAR);
 
-        final SSLUtil.KeyCertPair selfSigned1 = KeyStoreTestHelper.generateSelfSigned("CN=foo");
-        final SSLUtil.KeyCertPair selfSigned2 = KeyStoreTestHelper.generateSelfSigned("CN=bar");
+        final Map<String, Object> attributes = new HashMap<>();
+        attributes.put(FileTrustStore.NAME, getTestName());
+        attributes.put(FileTrustStore.STORE_URL, keyStorePath.toFile().getAbsolutePath());
+        attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
 
-        final File keyStoreFile = TestFileUtils.createTempFile(this, ".ks");
-        final String dummy = "changit";
-        final char[] pass = dummy.toCharArray();
-        final String alias = "test";
-        try
-        {
-            final java.security.KeyStore keyStore =
-                    KeyStoreTestHelper.saveKeyStore(alias, selfSigned1.getCertificate(), pass, keyStoreFile);
+        final FileTrustStore<?> trustStoreObject = createFileTrustStore(attributes);
 
-            final Map<String, Object> attributes = new HashMap<>();
-            attributes.put(FileTrustStore.NAME, getTestName());
-            attributes.put(FileTrustStore.PASSWORD, dummy);
-            attributes.put(FileTrustStore.STORE_URL, keyStoreFile.getAbsolutePath());
-            attributes.put(FileTrustStore.TRUST_STORE_TYPE, keyStore.getType());
+        final X509Certificate certificate = getCertificate(trustStoreObject);
+        assertEquals(DN_FOO, certificate.getIssuerX500Principal().getName());
 
-            final FileTrustStore trustStore = (FileTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+        Files.copy(keyStorePath2, keyStorePath, StandardCopyOption.REPLACE_EXISTING);
 
-            final X509Certificate certificate = getCertificate(trustStore);
-            assertEquals("CN=foo", certificate.getIssuerX500Principal().getName());
+        trustStoreObject.reload();
 
-            KeyStoreTestHelper.saveKeyStore(alias, selfSigned2.getCertificate(), pass, keyStoreFile);
-
-            trustStore.reload();
-
-            final X509Certificate certificate2 = getCertificate(trustStore);
-            assertEquals("CN=bar", certificate2.getIssuerX500Principal().getName());
-        }
-        finally
-        {
-            assertTrue(keyStoreFile.delete());
-        }
+        final X509Certificate certificate2 = getCertificate(trustStoreObject);
+        assertEquals(DN_BAR, certificate2.getIssuerX500Principal().getName());
     }
 
-    public X509Certificate getCertificate(final FileTrustStore trustStore) throws java.security.GeneralSecurityException
+    @SuppressWarnings("unchecked")
+    private FileTrustStore<?> createFileTrustStore(final Map<String, Object> attributes)
+    {
+        return (FileTrustStore<?>) FACTORY.create(TrustStore.class, attributes, BROKER);
+    }
+
+    private X509Certificate getCertificate(final FileTrustStore trustStore)
+            throws java.security.GeneralSecurityException
     {
         Certificate[] certificates = trustStore.getCertificates();
 
@@ -448,15 +502,15 @@
 
         Certificate certificate = certificates[0];
         assertTrue(certificate instanceof X509Certificate);
-        return (X509Certificate)certificate;
+        return (X509Certificate) certificate;
     }
 
-    private int getNumberOfCertificates(String keystore, String type) throws Exception
+    private int getNumberOfCertificates(Path keystore, String type) throws Exception
     {
         KeyStore ks = KeyStore.getInstance(type);
-        try(InputStream is = new FileInputStream(keystore))
+        try (InputStream is = new FileInputStream(keystore.toFile()))
         {
-            ks.load(is, TestSSLConstants.PASSWORD.toCharArray());
+            ks.load(is, TLS_RESOURCE.getSecret().toCharArray());
         }
 
         int result = 0;
@@ -472,29 +526,85 @@
         return result;
     }
 
-    public  static String createDataUrlForFile(String filename) throws IOException
+    private Path createTrustStoreWithExpiredCertificate() throws Exception
     {
-        InputStream in = null;
-        try
+        final Instant from = Instant.now().minus(10, ChronoUnit.DAYS);
+        final Instant to = Instant.now().minus(5, ChronoUnit.DAYS);
+        return TLS_RESOURCE.createSelfSignedTrustStore(DN_FOO, from, to);
+    }
+
+    public Path createSelfSignedKeyStoreWithSecretKeyAndCertificate(final String keyStoreType, final String dn)
+            throws Exception
+    {
+        final KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(dn);
+
+        return TLS_RESOURCE.createKeyStore(keyStoreType, new PrivateKeyEntry(TLS_RESOURCE.getPrivateKeyAlias(),
+                                                                keyCertPair.getPrivateKey(),
+                                                                keyCertPair.getCertificate()),
+                              new CertificateEntry(TLS_RESOURCE.getCertificateAlias(), keyCertPair.getCertificate()),
+                              new SecretKeyEntry(SECRET_KEY_ALIAS, TlsResourceHelper.createAESSecretKey()));
+    }
+
+
+    private StoreAndCrl<Path> generateTrustStoreAndCrl() throws Exception
+    {
+        final KeyCertificatePair caPair = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
+        final KeyCertificatePair keyCertPair1 = TlsResourceBuilder.createKeyPairAndCertificate(DN_FOO, caPair);
+        final KeyCertificatePair keyCertPair2 = TlsResourceBuilder.createKeyPairAndCertificate(DN_BAR, caPair);
+        final Path keyStoreFile = TLS_RESOURCE.createKeyStore(new CertificateEntry(
+                                                                           CERTIFICATE_ALIAS_A,
+                                                                           keyCertPair1.getCertificate()),
+                                                                   new CertificateEntry(
+                                                                           CERTIFICATE_ALIAS_B,
+                                                                           keyCertPair2.getCertificate()));
+
+        final Path clrFile = TLS_RESOURCE.createCrl(caPair, keyCertPair2.getCertificate());
+        return new StoreAndCrl<>(keyStoreFile, clrFile, caPair);
+    }
+
+    private StoreAndCrl<String> generateTrustStoreAndCrlAsDataUrl() throws Exception
+    {
+        final KeyCertificatePair caPair = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
+        final KeyCertificatePair keyCertPair1 = TlsResourceBuilder.createKeyPairAndCertificate(DN_FOO, caPair);
+        final KeyCertificatePair keyCertPair2 = TlsResourceBuilder.createKeyPairAndCertificate(DN_BAR, caPair);
+        final String trustStoreAsDataUrl =
+                TLS_RESOURCE.createKeyStoreAsDataUrl(new CertificateEntry(
+                                                                  CERTIFICATE_ALIAS_A,
+                                                                  keyCertPair1.getCertificate()),
+                                                          new CertificateEntry(
+                                                                  CERTIFICATE_ALIAS_B,
+                                                                  keyCertPair2.getCertificate()));
+
+        final String crlAsDataUrl = TLS_RESOURCE.createCrlAsDataUrl(caPair, keyCertPair2.getCertificate());
+        return new StoreAndCrl<>(trustStoreAsDataUrl, crlAsDataUrl, caPair);
+    }
+
+    private static class StoreAndCrl<T>
+    {
+        private T _store;
+        private T _crl;
+        private KeyCertificatePair _ca;
+
+        private StoreAndCrl(final T store, final T crl, KeyCertificatePair ca)
         {
-            File f = new File(filename);
-            if (f.exists())
-            {
-                in = new FileInputStream(f);
-            }
-            else
-            {
-                in = Thread.currentThread().getContextClassLoader().getResourceAsStream(filename);
-            }
-            byte[] fileAsBytes = ByteStreams.toByteArray(in);
-            return DataUrlUtils.getDataUrlForBytes(fileAsBytes);
+            _store = store;
+            _crl = crl;
+            _ca = ca;
         }
-        finally
+
+        T getStore()
         {
-            if (in != null)
-            {
-                in.close();
-            }
+            return _store;
+        }
+
+        T getCrl()
+        {
+            return _crl;
+        }
+
+        KeyCertificatePair getCa()
+        {
+            return _ca;
         }
     }
 }

diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/KeyStoreTestHelper.java b/broker-core/src/test/java/org/apache/qpid/server/security/KeyStoreTestHelper.java
index d2324dd..91c92ce 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/KeyStoreTestHelper.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/KeyStoreTestHelper.java

@@ -19,75 +19,22 @@
 
 package org.apache.qpid.server.security;
 
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.lang.reflect.InvocationTargetException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.time.Duration;
-import java.time.Instant;
-import java.time.temporal.ChronoUnit;
-import java.util.Collections;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
 import java.util.Map;
 
 import org.apache.qpid.server.configuration.IllegalConfigurationException;
 import org.apache.qpid.server.model.Broker;
 import org.apache.qpid.server.model.ConfiguredObjectFactory;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
-
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
 
 public class KeyStoreTestHelper
 {
-    public static KeyStore saveKeyStore(final String alias,
-                                        final X509Certificate certificate,
-                                        final char[] pass,
-                                        final File file)
-            throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException
-    {
-        final KeyStore ks = createEmptyKeyStore();
-        ks.setCertificateEntry(alias, certificate);
-        saveKeyStore(ks, pass, file);
-        return ks;
-    }
-
-    public static KeyStore saveKeyStore(final SSLUtil.KeyCertPair keyCertPair,
-                                        final String keyAlias,
-                                        final String certificateAlias,
-                                        final char[] pass,
-                                        final File file)
-            throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException
-    {
-        final KeyStore ks = createKeyStore(keyCertPair, keyAlias, certificateAlias, pass);
-        saveKeyStore(ks, pass, file);
-        return ks;
-    }
-
-
-    public static SSLUtil.KeyCertPair generateSelfSigned(final String cn)
-            throws IllegalAccessException, InvocationTargetException, InstantiationException
-    {
-        return SSLUtil.generateSelfSignedCertificate("RSA",
-                                                     "SHA256WithRSA",
-                                                     2048,
-                                                     Instant.now()
-                                                            .minus(1, ChronoUnit.DAYS)
-                                                            .toEpochMilli(),
-                                                     Duration.of(365, ChronoUnit.DAYS)
-                                                             .getSeconds(),
-                                                     cn,
-                                                     Collections.emptySet(),
-                                                     Collections.emptySet());
-    }
-
-    public static void checkExceptionThrownDuringKeyStoreCreation(ConfiguredObjectFactory factory, Broker broker,
-                                                              Class keystoreClass, Map<String, Object> attributes,
-                                                              String expectedExceptionMessage)
+    public static void checkExceptionThrownDuringKeyStoreCreation(ConfiguredObjectFactory factory,
+                                                                  Broker broker,
+                                                                  Class keystoreClass,
+                                                                  Map<String, Object> attributes,
+                                                                  String expectedExceptionMessage)
     {
         try
         {
@@ -98,42 +45,8 @@
         {
             final String message = e.getMessage();
             assertTrue("Exception text not as expected:" + message,
-                    message.contains(expectedExceptionMessage));
-
+                       message.contains(expectedExceptionMessage));
         }
     }
 
-
-    private static File saveKeyStore(final KeyStore ks, final char[] pass, final File storeFile)
-            throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException
-    {
-        try (FileOutputStream fos = new FileOutputStream(storeFile))
-        {
-            ks.store(fos, pass);
-        }
-        return storeFile;
-    }
-
-    private static KeyStore createKeyStore(final SSLUtil.KeyCertPair keyCertPair,
-                                           final String keyAlias,
-                                           final String certificateAlias,
-                                           final char[] pass)
-            throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException
-    {
-        final KeyStore ks = createEmptyKeyStore();
-        ks.setCertificateEntry(certificateAlias, keyCertPair.getCertificate());
-        ks.setKeyEntry(keyAlias,
-                       keyCertPair.getPrivateKey(),
-                       pass,
-                       new X509Certificate[]{keyCertPair.getCertificate()});
-        return ks;
-    }
-
-    private static KeyStore createEmptyKeyStore()
-            throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException
-    {
-        final KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
-        ks.load(null);
-        return ks;
-    }
 }

diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaKeyStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaKeyStoreTest.java
index 6df02d7..1908f0c 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaKeyStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaKeyStoreTest.java

@@ -21,11 +21,9 @@
 
 
 import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.hamcrest.CoreMatchers.is;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.fail;
-import static org.junit.Assume.assumeThat;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyLong;
 import static org.mockito.ArgumentMatchers.argThat;
@@ -35,35 +33,22 @@
 import static org.mockito.Mockito.when;
 import static org.mockito.internal.verification.VerificationModeFactory.times;
 
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.InputStream;
-import java.security.Key;
-import java.security.cert.Certificate;
+import java.nio.file.Path;
+import java.security.PrivateKey;
+import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
-import java.time.Duration;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
-import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
 import java.util.concurrent.ScheduledFuture;
 import java.util.concurrent.TimeUnit;
 
 import javax.net.ssl.KeyManager;
 
-import org.apache.qpid.server.model.Broker;
-import org.apache.qpid.server.model.BrokerModel;
-import org.apache.qpid.server.model.BrokerTestHelper;
-import org.apache.qpid.server.model.ConfiguredObjectFactory;
-import org.apache.qpid.test.utils.TestSSLConstants;
-import org.apache.qpid.test.utils.UnitTestBase;
-import org.junit.After;
 import org.junit.Before;
+import org.junit.ClassRule;
 import org.junit.Test;
 import org.mockito.ArgumentMatcher;
 
@@ -72,111 +57,64 @@
 import org.apache.qpid.server.logging.LogMessage;
 import org.apache.qpid.server.logging.MessageLogger;
 import org.apache.qpid.server.logging.messages.KeyStoreMessages;
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.BrokerModel;
+import org.apache.qpid.server.model.BrokerTestHelper;
+import org.apache.qpid.server.model.ConfiguredObjectFactory;
 import org.apache.qpid.server.model.KeyStore;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.TlsResource;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
 import org.apache.qpid.server.util.DataUrlUtils;
-import org.apache.qpid.test.utils.TestFileUtils;
-import org.apache.qpid.test.utils.TestSSLUtils;
+import org.apache.qpid.test.utils.UnitTestBase;
+import org.apache.qpid.test.utils.tls.TlsResourceHelper;
 
 public class NonJavaKeyStoreTest extends UnitTestBase
 {
+    @ClassRule
+    public static final TlsResource TLS_RESOURCE = new TlsResource();
+
+    private static final String DN_FOO = "CN=foo";
+    private static final String NAME = "myTestTrustStore";
+    private static final String NON_JAVA_KEY_STORE = "NonJavaKeyStore";
     private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
     private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
-    private List<File> _testResources;
     private MessageLogger _messageLogger;
+    private KeyCertificatePair _keyCertPair;
 
     @Before
     public void setUp() throws Exception
     {
         _messageLogger = mock(MessageLogger.class);
         when(BROKER.getEventLogger()).thenReturn(new EventLogger(_messageLogger));
-        _testResources = new ArrayList<>();
-    }
-
-    @After
-    public void tearDown() throws Exception
-    {
-        for (File resource: _testResources)
-        {
-            try
-            {
-                resource.delete();
-            }
-            catch (Exception e)
-            {
-                e.printStackTrace();
-            }
-        }
-    }
-
-    private File[] extractResourcesFromTestKeyStore(boolean pem, final String storeResource) throws Exception
-    {
-        java.security.KeyStore ks = java.security.KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE);
-        try(InputStream is = new FileInputStream(storeResource))
-        {
-            ks.load(is, TestSSLConstants.PASSWORD.toCharArray());
-        }
-
-
-        File privateKeyFile = TestFileUtils.createTempFile(this, ".private-key.der");
-        try(FileOutputStream kos = new FileOutputStream(privateKeyFile))
-        {
-            Key pvt = ks.getKey(TestSSLConstants.BROKER_KEYSTORE_ALIAS, TestSSLConstants.PASSWORD.toCharArray());
-            if (pem)
-            {
-                kos.write(TestSSLUtils.privateKeyToPEM(pvt).getBytes(UTF_8));
-            }
-            else
-            {
-                kos.write(pvt.getEncoded());
-            }
-            kos.flush();
-        }
-
-        File certificateFile = TestFileUtils.createTempFile(this, ".certificate.der");
-
-        try(FileOutputStream cos = new FileOutputStream(certificateFile))
-        {
-            Certificate pub = ks.getCertificate(TestSSLConstants.BROKER_KEYSTORE_ALIAS);
-            if (pem)
-            {
-                cos.write(TestSSLUtils.certificateToPEM(pub).getBytes(UTF_8));
-            }
-            else
-            {
-                cos.write(pub.getEncoded());
-            }
-            cos.flush();
-        }
-
-        return new File[]{privateKeyFile,certificateFile};
+        _keyCertPair = generateSelfSignedCertificate();
     }
 
     @Test
     public void testCreationOfTrustStoreFromValidPrivateKeyAndCertificateInDERFormat() throws Exception
     {
-        runTestCreationOfTrustStoreFromValidPrivateKeyAndCertificateInDerFormat(false);
+        final Path privateKeyFile = TLS_RESOURCE.savePrivateKeyAsDer(_keyCertPair.getPrivateKey());
+        final Path certificateFile = TLS_RESOURCE.saveCertificateAsDer(_keyCertPair.getCertificate());
+        assertCreationOfTrustStoreFromValidPrivateKeyAndCertificate(privateKeyFile, certificateFile);
     }
 
     @Test
     public void testCreationOfTrustStoreFromValidPrivateKeyAndCertificateInPEMFormat() throws Exception
     {
-        runTestCreationOfTrustStoreFromValidPrivateKeyAndCertificateInDerFormat(true);
+        final Path privateKeyFile = TLS_RESOURCE.savePrivateKeyAsPem(_keyCertPair.getPrivateKey());
+        final Path certificateFile = TLS_RESOURCE.saveCertificateAsPem(_keyCertPair.getCertificate());
+        assertCreationOfTrustStoreFromValidPrivateKeyAndCertificate(privateKeyFile, certificateFile);
     }
 
-    private void runTestCreationOfTrustStoreFromValidPrivateKeyAndCertificateInDerFormat(boolean isPEM)throws Exception
+    private void assertCreationOfTrustStoreFromValidPrivateKeyAndCertificate(Path privateKeyFile, Path certificateFile) throws Exception
     {
-        File[] resources = extractResourcesFromTestKeyStore(isPEM, TestSSLConstants.BROKER_KEYSTORE);
-        _testResources.addAll(Arrays.asList(resources));
-
         Map<String,Object> attributes = new HashMap<>();
-        attributes.put(NonJavaKeyStore.NAME, "myTestTrustStore");
-        attributes.put("privateKeyUrl", resources[0].toURI().toURL().toExternalForm());
-        attributes.put("certificateUrl", resources[1].toURI().toURL().toExternalForm());
-        attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
+        attributes.put(NonJavaKeyStore.NAME, NAME);
+        attributes.put("privateKeyUrl", privateKeyFile.toFile().getAbsolutePath());
+        attributes.put("certificateUrl", certificateFile.toFile().getAbsolutePath());
+        attributes.put(NonJavaKeyStore.TYPE, NON_JAVA_KEY_STORE);
 
-        NonJavaKeyStoreImpl fileTrustStore =
-                (NonJavaKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
+        final NonJavaKeyStore<?> fileTrustStore = (NonJavaKeyStore<?>)  createTestKeyStore(attributes);
 
         KeyManager[] keyManagers = fileTrustStore.getKeyManagers();
         assertNotNull(keyManagers);
@@ -187,17 +125,14 @@
     @Test
     public void testCreationOfTrustStoreFromValidPrivateKeyAndInvalidCertificate()throws Exception
     {
-        File[] resources = extractResourcesFromTestKeyStore(true, TestSSLConstants.BROKER_KEYSTORE);
-        _testResources.addAll(Arrays.asList(resources));
-
-        File invalidCertificate = TestFileUtils.createTempFile(this, ".invalid.cert", "content");
-        _testResources.add(invalidCertificate);
+        final Path privateKeyFile = TLS_RESOURCE.savePrivateKeyAsPem(_keyCertPair.getPrivateKey());
+        final Path certificateFile = TLS_RESOURCE.createFile(".cer");
 
         Map<String,Object> attributes = new HashMap<>();
-        attributes.put(NonJavaKeyStore.NAME, "myTestTrustStore");
-        attributes.put("privateKeyUrl", resources[0].toURI().toURL().toExternalForm());
-        attributes.put("certificateUrl", invalidCertificate.toURI().toURL().toExternalForm());
-        attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
+        attributes.put(NonJavaKeyStore.NAME, NAME);
+        attributes.put("privateKeyUrl", privateKeyFile.toFile().getAbsolutePath());
+        attributes.put("certificateUrl", certificateFile.toFile().getAbsolutePath());
+        attributes.put(NonJavaKeyStore.TYPE, NON_JAVA_KEY_STORE);
 
         KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
                 "Cannot load private key or certificate(s): java.security.cert.CertificateException: " +
@@ -207,17 +142,14 @@
     @Test
     public void testCreationOfTrustStoreFromInvalidPrivateKeyAndValidCertificate()throws Exception
     {
-        File[] resources = extractResourcesFromTestKeyStore(true, TestSSLConstants.BROKER_KEYSTORE);
-        _testResources.addAll(Arrays.asList(resources));
-
-        File invalidPrivateKey = TestFileUtils.createTempFile(this, ".invalid.pk", "content");
-        _testResources.add(invalidPrivateKey);
+        final Path privateKeyFile =  TLS_RESOURCE.createFile(".pk");
+        final Path certificateFile = TLS_RESOURCE.saveCertificateAsPem(_keyCertPair.getCertificate());
 
         Map<String,Object> attributes = new HashMap<>();
-        attributes.put(NonJavaKeyStore.NAME, "myTestTrustStore");
-        attributes.put("privateKeyUrl", invalidPrivateKey.toURI().toURL().toExternalForm());
-        attributes.put("certificateUrl", resources[1].toURI().toURL().toExternalForm());
-        attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
+        attributes.put(NonJavaKeyStore.NAME, NAME);
+        attributes.put("privateKeyUrl", privateKeyFile.toFile().getAbsolutePath());
+        attributes.put("certificateUrl", certificateFile.toFile().getAbsolutePath());
+        attributes.put(NonJavaKeyStore.TYPE, NON_JAVA_KEY_STORE);
 
         KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
                 "Cannot load private key or certificate(s): java.security.spec.InvalidKeySpecException: " +
@@ -246,42 +178,29 @@
     {
         when(BROKER.scheduleHouseKeepingTask(anyLong(), any(TimeUnit.class), any(Runnable.class))).thenReturn(mock(ScheduledFuture.class));
 
-        java.security.KeyStore ks = java.security.KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE);
-        final String storeLocation = TestSSLConstants.BROKER_KEYSTORE;
-        try(InputStream is = new FileInputStream(storeLocation))
-        {
-            ks.load(is, TestSSLConstants.PASSWORD.toCharArray());
-        }
-        X509Certificate cert = (X509Certificate) ks.getCertificate(TestSSLConstants.CERT_ALIAS_ROOT_CA);
-        int expiryDays = (int)((cert.getNotAfter().getTime() - System.currentTimeMillis()) / (24l * 60l * 60l * 1000l));
-
-        File[] resources = extractResourcesFromTestKeyStore(false, storeLocation);
-        _testResources.addAll(Arrays.asList(resources));
+        final Path privateKeyFile =  TLS_RESOURCE.savePrivateKeyAsDer(_keyCertPair.getPrivateKey());
+        final Path certificateFile = TLS_RESOURCE.saveCertificateAsDer(_keyCertPair.getCertificate());
+        final long expiryDays = ChronoUnit.DAYS.between(Instant.now(), _keyCertPair.getCertificate().getNotAfter().toInstant());
 
         Map<String,Object> attributes = new HashMap<>();
-        attributes.put(NonJavaKeyStore.NAME, "myTestTrustStore");
-        attributes.put("privateKeyUrl", resources[0].toURI().toURL().toExternalForm());
-        attributes.put("certificateUrl", resources[1].toURI().toURL().toExternalForm());
+        attributes.put(NonJavaKeyStore.NAME, NAME);
+        attributes.put("privateKeyUrl", privateKeyFile.toFile().getAbsolutePath());
+        attributes.put("certificateUrl", certificateFile.toFile().getAbsolutePath());
         attributes.put("context", Collections.singletonMap(KeyStore.CERTIFICATE_EXPIRY_WARN_PERIOD, expiryDays + expiryOffset));
-        attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
-        FACTORY.create(KeyStore.class, attributes, BROKER);
+        attributes.put(NonJavaKeyStore.TYPE, NON_JAVA_KEY_STORE);
+        createTestKeyStore(attributes);
     }
 
     @Test
     public void testCreationOfKeyStoreWithNonMatchingPrivateKeyAndCertificate()throws Exception
     {
-        assumeThat(SSLUtil.canGenerateCerts(), is(true));
-
-        final SSLUtil.KeyCertPair keyCertPair = generateSelfSignedCertificate();
-        final SSLUtil.KeyCertPair keyCertPair2 = generateSelfSignedCertificate();
+        final KeyCertificatePair keyCertPair2 = generateSelfSignedCertificate();
 
         final Map<String,Object> attributes = new HashMap<>();
-        attributes.put(NonJavaKeyStore.NAME, "myTestTrustStore");
-        attributes.put(NonJavaKeyStore.PRIVATE_KEY_URL,
-                       DataUrlUtils.getDataUrlForBytes(TestSSLUtils.privateKeyToPEM(keyCertPair.getPrivateKey()).getBytes(UTF_8)));
-        attributes.put(NonJavaKeyStore.CERTIFICATE_URL,
-                       DataUrlUtils.getDataUrlForBytes(TestSSLUtils.certificateToPEM(keyCertPair2.getCertificate()).getBytes(UTF_8)));
-        attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
+        attributes.put(NonJavaKeyStore.NAME, NAME);
+        attributes.put(NonJavaKeyStore.PRIVATE_KEY_URL, getPrivateKeyAsDataUrl(_keyCertPair.getPrivateKey()));
+        attributes.put(NonJavaKeyStore.CERTIFICATE_URL, getCertificateAsDataUrl(keyCertPair2.getCertificate()));
+        attributes.put(NonJavaKeyStore.TYPE, NON_JAVA_KEY_STORE);
 
         KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
                 "Private key does not match certificate");
@@ -290,23 +209,18 @@
     @Test
     public void testUpdateKeyStoreToNonMatchingCertificate()throws Exception
     {
-        assumeThat(SSLUtil.canGenerateCerts(), is(true));
-
-        final SSLUtil.KeyCertPair keyCertPair = generateSelfSignedCertificate();
-        final SSLUtil.KeyCertPair keyCertPair2 = generateSelfSignedCertificate();
-
         final Map<String,Object> attributes = new HashMap<>();
         attributes.put(NonJavaKeyStore.NAME, getTestName());
-        attributes.put(NonJavaKeyStore.PRIVATE_KEY_URL,
-                       DataUrlUtils.getDataUrlForBytes(TestSSLUtils.privateKeyToPEM(keyCertPair.getPrivateKey()).getBytes(UTF_8)));
-        attributes.put(NonJavaKeyStore.CERTIFICATE_URL,
-                       DataUrlUtils.getDataUrlForBytes(TestSSLUtils.certificateToPEM(keyCertPair.getCertificate()).getBytes(UTF_8)));
-        attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
+        attributes.put(NonJavaKeyStore.PRIVATE_KEY_URL, getPrivateKeyAsDataUrl(_keyCertPair.getPrivateKey()));
+        attributes.put(NonJavaKeyStore.CERTIFICATE_URL, getCertificateAsDataUrl(_keyCertPair.getCertificate()));
+        attributes.put(NonJavaKeyStore.TYPE, NON_JAVA_KEY_STORE);
 
-        final KeyStore trustStore = (KeyStore) FACTORY.create(KeyStore.class, attributes, BROKER);
+        final KeyStore<?> trustStore = createTestKeyStore(attributes);
+
+        final KeyCertificatePair keyCertPair2 = generateSelfSignedCertificate();
         try
         {
-            final String certUrl = DataUrlUtils.getDataUrlForBytes(TestSSLUtils.certificateToPEM(keyCertPair2.getCertificate()).getBytes(UTF_8));
+            final String certUrl = getCertificateAsDataUrl(keyCertPair2.getCertificate());
             trustStore.setAttributes(Collections.singletonMap("certificateUrl", certUrl));
             fail("Created key store from invalid certificate");
         }
@@ -316,19 +230,25 @@
         }
     }
 
-    private SSLUtil.KeyCertPair generateSelfSignedCertificate() throws Exception
+    @SuppressWarnings("unchecked")
+    private KeyStore<?> createTestKeyStore(final Map<String, Object> attributes)
     {
-        return SSLUtil.generateSelfSignedCertificate("RSA",
-                                                     "SHA256WithRSA",
-                                                     2048,
-                                                     Instant.now()
-                                                            .minus(1, ChronoUnit.DAYS)
-                                                            .toEpochMilli(),
-                                                     Duration.of(365, ChronoUnit.DAYS)
-                                                             .getSeconds(),
-                                                     "CN=foo",
-                                                     Collections.emptySet(),
-                                                     Collections.emptySet());
+        return (KeyStore<?>) FACTORY.create(KeyStore.class, attributes, BROKER);
+    }
+
+    private String getCertificateAsDataUrl(final X509Certificate certificate) throws CertificateEncodingException
+    {
+        return DataUrlUtils.getDataUrlForBytes(TlsResourceHelper.toPEM(certificate).getBytes(UTF_8));
+    }
+
+    private String getPrivateKeyAsDataUrl(final PrivateKey privateKey)
+    {
+        return DataUrlUtils.getDataUrlForBytes(TlsResourceHelper.toPEM(privateKey).getBytes(UTF_8));
+    }
+
+    private KeyCertificatePair generateSelfSignedCertificate() throws Exception
+    {
+        return TlsResourceBuilder.createSelfSigned(DN_FOO);
     }
 
     private static class LogMessageArgumentMatcher implements ArgumentMatcher<LogMessage>

diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java
index 6ac9699..f94430d 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java

@@ -24,44 +24,82 @@
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
-import java.security.KeyStore;
+import java.io.File;
+import java.nio.file.Path;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateExpiredException;
 import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 
+import org.junit.ClassRule;
+import org.junit.Test;
+
 import org.apache.qpid.server.configuration.IllegalConfigurationException;
 import org.apache.qpid.server.model.Broker;
 import org.apache.qpid.server.model.BrokerModel;
 import org.apache.qpid.server.model.BrokerTestHelper;
 import org.apache.qpid.server.model.ConfiguredObjectFactory;
-import org.apache.qpid.test.utils.UnitTestBase;
-import org.junit.Test;
-
 import org.apache.qpid.server.model.TrustStore;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
-import org.apache.qpid.test.utils.TestSSLConstants;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.TlsResource;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
+import org.apache.qpid.test.utils.UnitTestBase;
 
 public class NonJavaTrustStoreTest extends UnitTestBase
 {
+    @ClassRule
+    public static final TlsResource TLS_RESOURCE = new TlsResource();
+
     private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
     private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
+    private static final String NAME = "myTestTrustStore";
+    private static final String NON_JAVA_TRUST_STORE = "NonJavaTrustStore";
+    private static final String DN_FOO = "CN=foo";
+    private static final String DN_CA = "CN=CA";
+    private static final String DN_BAR = "CN=bar";
+    private static final String NOT_A_CRL = "/not/a/crl";
+
+    @Test
+    public void testCreationOfTrustStoreWithoutCRL() throws Exception
+    {
+        final KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(DN_FOO);
+        final Path certificateFile = TLS_RESOURCE.saveCertificateAsPem(keyCertPair.getCertificate());
+
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(NonJavaTrustStore.NAME, NAME);
+        attributes.put(NonJavaTrustStore.CERTIFICATES_URL, certificateFile.toFile().getAbsolutePath());
+        attributes.put(NonJavaTrustStore.TYPE, NON_JAVA_TRUST_STORE);
+        attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, false);
+
+        TrustStore<?> trustStore = createTestTrustStore(attributes);
+
+        TrustManager[] trustManagers = trustStore.getTrustManagers();
+        assertNotNull(trustManagers);
+        assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
+        assertNotNull("Trust manager unexpected null", trustManagers[0]);
+    }
+
 
     @Test
     public void testCreationOfTrustStoreFromValidCertificate() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
-        attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.BROKER_CRT);
-        attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");
-        attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+        final CertificateAndCrl<File> data = generateCertificateAndCrl();
 
-        TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(NonJavaTrustStore.NAME, NAME);
+        attributes.put(NonJavaTrustStore.CERTIFICATES_URL, data.getCertificate().getAbsolutePath());
+        attributes.put(NonJavaTrustStore.TYPE, NON_JAVA_TRUST_STORE);
+        attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, data.getCrl().getAbsolutePath());
+
+        TrustStore<?> trustStore = createTestTrustStore(attributes);
 
         TrustManager[] trustManagers = trustStore.getTrustManagers();
         assertNotNull(trustManagers);
@@ -70,54 +108,59 @@
     }
 
     @Test
-    public void testChangeOfCrlInTrustStoreFromValidCertificate()
+    public void testChangeOfCrlInTrustStoreFromValidCertificate() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
-        attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.BROKER_CRT);
-        attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");
-        attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+        final CertificateAndCrl<File> data = generateCertificateAndCrl();
 
-        TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(NonJavaTrustStore.NAME, NAME);
+        attributes.put(NonJavaTrustStore.CERTIFICATES_URL, data.getCertificate().getAbsolutePath());
+        attributes.put(NonJavaTrustStore.TYPE, NON_JAVA_TRUST_STORE);
+        attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+        attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, data.getCrl().getAbsolutePath());
+
+        TrustStore<?> trustStore = createTestTrustStore(attributes);
 
         try
         {
-            Map<String,Object> unacceptableAttributes = new HashMap<>();
-            unacceptableAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
-
-            trustStore.setAttributes(unacceptableAttributes);
+            trustStore.setAttributes(Collections.singletonMap(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL,
+                                                              NOT_A_CRL));
             fail("Exception not thrown");
         }
         catch (IllegalConfigurationException e)
         {
             String message = e.getMessage();
             assertTrue("Exception text not as unexpected:" + message,
-                    message.contains("Unable to load certificate revocation list '/not/a/crl' for truststore 'myTestTrustStore'"));
+                       message.contains(String.format(
+                               "Unable to load certificate revocation list '%s' for truststore '%s'",
+                               NOT_A_CRL,
+                               NAME)));
         }
 
         assertEquals("Unexpected CRL path value after failed change",
-                TestSSLConstants.CA_CRL, trustStore.getCertificateRevocationListUrl());
+                     data.getCrl().getAbsolutePath(), trustStore.getCertificateRevocationListUrl());
 
-        Map<String,Object> changedAttributes = new HashMap<>();
-        changedAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL_EMPTY);
-
-        trustStore.setAttributes(changedAttributes);
+        final Path emptyCrl = TLS_RESOURCE.createCrl(data.getCa());
+        trustStore.setAttributes(Collections.singletonMap(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL,
+                                                          emptyCrl.toFile().getAbsolutePath()));
 
         assertEquals("Unexpected CRL path value after change that is expected to be successful",
-                TestSSLConstants.CA_CRL_EMPTY, trustStore.getCertificateRevocationListUrl());
+                     emptyCrl.toFile().getAbsolutePath(), trustStore.getCertificateRevocationListUrl());
     }
 
     @Test
     public void testUseOfExpiredTrustAnchorDenied() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
-        attributes.put(NonJavaTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
-        attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.CLIENT_EXPIRED_CRT);
-        attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");
+        final KeyCertificatePair keyCertPair = createExpiredCertificate();
+        final Path certificatePath = TLS_RESOURCE.saveCertificateAsPem(keyCertPair.getCertificate());
 
-        TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(NonJavaTrustStore.NAME, NAME);
+        attributes.put(NonJavaTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
+        attributes.put(NonJavaTrustStore.CERTIFICATES_URL, certificatePath.toFile().getAbsolutePath());
+        attributes.put(NonJavaTrustStore.TYPE, NON_JAVA_TRUST_STORE);
+
+        TrustStore<?> trustStore = createTestTrustStore(attributes);
 
         TrustManager[] trustManagers = trustStore.getTrustManagers();
         assertNotNull(trustManagers);
@@ -126,15 +169,9 @@
         assertTrue("Unexpected trust manager type", condition);
         X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
 
-        KeyStore clientStore = SSLUtil.getInitializedKeyStore(TestSSLConstants.CLIENT_EXPIRED_KEYSTORE,
-                                                              TestSSLConstants.PASSWORD,
-                                                              TestSSLConstants.JAVA_KEYSTORE_TYPE);
-        String alias = clientStore.aliases().nextElement();
-        X509Certificate certificate = (X509Certificate) clientStore.getCertificate(alias);
-
         try
         {
-            trustManager.checkClientTrusted(new X509Certificate[] {certificate}, "NULL");
+            trustManager.checkClientTrusted(new X509Certificate[]{keyCertPair.getCertificate()}, "NULL");
             fail("Exception not thrown");
         }
         catch (CertificateException e)
@@ -148,33 +185,93 @@
             {
                 throw e;
             }
-
         }
     }
 
     @Test
-    public void testCreationOfTrustStoreFromNonCertificate()
+    public void testCreationOfTrustStoreWithoutCertificate() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
-        attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.BROKER_CSR);
-        attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");
+        final CertificateAndCrl<File> data = generateCertificateAndCrl();
+
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(NonJavaTrustStore.NAME, NAME);
+        attributes.put(NonJavaTrustStore.CERTIFICATES_URL, data.getCrl().getAbsolutePath());
+        attributes.put(NonJavaTrustStore.TYPE, NON_JAVA_TRUST_STORE);
 
         KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
-                "Cannot load certificate(s)");
+                                                                      "Cannot load certificate(s)");
     }
 
     @Test
-    public void testCreationOfTrustStoreFromValidCertificate_MissingCrlFile()
+    public void testCreationOfTrustStoreFromValidCertificate_MissingCrlFile() throws Exception
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
-        attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.BROKER_CRT);
-        attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");
+        final KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(DN_FOO);
+        final Path certificateFile = TLS_RESOURCE.saveCertificateAsPem(keyCertPair.getCertificate());
+
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(NonJavaTrustStore.NAME, NAME);
+        attributes.put(NonJavaTrustStore.CERTIFICATES_URL, certificateFile.toFile().getAbsolutePath());
+        attributes.put(NonJavaTrustStore.TYPE, NON_JAVA_TRUST_STORE);
         attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
+        attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, NOT_A_CRL);
 
         KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
-                "Unable to load certificate revocation list '/not/a/crl' for truststore 'myTestTrustStore'");
+                                                                      String.format(
+                                                                              "Unable to load certificate revocation list '%s' for truststore '%s'",
+                                                                              NOT_A_CRL,
+                                                                              NAME));
+    }
+
+    private KeyCertificatePair createExpiredCertificate() throws Exception
+    {
+        final Instant from = Instant.now().minus(10, ChronoUnit.DAYS);
+        final Instant to = Instant.now().minus(5, ChronoUnit.DAYS);
+        return TlsResourceBuilder.createSelfSigned(DN_FOO, from, to);
+    }
+
+    @SuppressWarnings("unchecked")
+    private NonJavaTrustStore<?> createTestTrustStore(final Map<String, Object> attributes)
+    {
+        return (NonJavaTrustStore<?>) FACTORY.create(TrustStore.class, attributes, BROKER);
+    }
+
+    private CertificateAndCrl<File> generateCertificateAndCrl() throws Exception
+    {
+        final KeyCertificatePair caPair = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
+        final KeyCertificatePair keyCertPair1 = TlsResourceBuilder.createKeyPairAndCertificate(DN_FOO, caPair);
+        final KeyCertificatePair keyCertPair2 = TlsResourceBuilder.createKeyPairAndCertificate(DN_BAR, caPair);
+        final Path clrFile =
+                TLS_RESOURCE.createCrl(caPair, keyCertPair1.getCertificate(), keyCertPair2.getCertificate());
+        final Path caCertificateFile = TLS_RESOURCE.saveCertificateAsPem(caPair.getCertificate());
+        return new CertificateAndCrl<>(caCertificateFile.toFile(), clrFile.toFile(), caPair);
+    }
+
+    private static class CertificateAndCrl<T>
+    {
+        private T _certificate;
+        private T _crl;
+        private KeyCertificatePair _ca;
+
+        private CertificateAndCrl(final T certificate, final T crl, KeyCertificatePair ca)
+        {
+            _certificate = certificate;
+            _crl = crl;
+            _ca = ca;
+        }
+
+        T getCertificate()
+        {
+            return _certificate;
+        }
+
+        T getCrl()
+        {
+            return _crl;
+        }
+
+        KeyCertificatePair getCa()
+        {
+            return _ca;
+        }
     }
 }

diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java
index d7a0454..1da3c38 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java

@@ -26,13 +26,13 @@
 import static org.junit.Assert.fail;
 
 import java.io.Closeable;
-import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.ServerSocket;
 import java.net.Socket;
-import java.security.KeyStore;
+import java.nio.file.Path;
 import java.security.SecureRandom;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -45,6 +45,11 @@
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLServerSocketFactory;
 
+import org.junit.After;
+import org.junit.Before;
+import org.junit.ClassRule;
+import org.junit.Test;
+
 import org.apache.qpid.server.configuration.IllegalConfigurationException;
 import org.apache.qpid.server.model.Broker;
 import org.apache.qpid.server.model.BrokerModel;
@@ -52,66 +57,89 @@
 import org.apache.qpid.server.model.ConfiguredObjectFactory;
 import org.apache.qpid.server.model.TrustStore;
 import org.apache.qpid.test.utils.UnitTestBase;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import org.apache.qpid.test.utils.TestSSLConstants;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.PrivateKeyEntry;
+import org.apache.qpid.test.utils.tls.TlsResource;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
+import org.apache.qpid.test.utils.tls.TlsResourceHelper;
 
 public class SiteSpecificTrustStoreTest extends UnitTestBase
 {
+
+    @ClassRule
+    public static final TlsResource TLS_RESOURCE = new TlsResource();
+
+
     private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
     private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
-    private static final String EXPECTED_SUBJECT = "CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=CA";
-    private static final String EXPECTED_ISSUER = "CN=MyRootCA,O=ACME,ST=Ontario,C=CA";
+    private static final String EXPECTED_SUBJECT = "CN=localhost";
+    private static final String EXPECTED_ISSUER = "CN=MyRootCA";
+    private static final String DN_BAR = "CN=bar";
+    private static final String NAME = "mySiteSpecificTrustStore";
+    private static final String SITE_SPECIFIC_TRUST_STORE = "SiteSpecificTrustStore";
+    private static final String NOT_SUPPORTED_URL = "file:/not/a/host";
+    private static final String INVALID_URL = "notaurl:541";
+    private static final String NOT_A_CRL = "/not/a/crl";
     private TestPeer _testPeer;
+    private String _clrUrl;
+    private KeyCertificatePair _caKeyCertPair;
+    private KeyCertificatePair _keyCertPair;
 
     @Before
-    public void setUpSiteSpecificTrustStore()
+    public void setUpSiteSpecificTrustStore() throws Exception
     {
         int connectTimeout = Integer.getInteger("SiteSpecificTrustStoreTest.connectTimeout", 1000);
         int readTimeout = Integer.getInteger("SiteSpecificTrustStoreTest.readTimeout", 1000);
-        setTestSystemProperty(SiteSpecificTrustStore.TRUST_STORE_SITE_SPECIFIC_CONNECT_TIMEOUT, String.valueOf(connectTimeout));
-        setTestSystemProperty(SiteSpecificTrustStore.TRUST_STORE_SITE_SPECIFIC_READ_TIMEOUT, String.valueOf(readTimeout));
+        setTestSystemProperty(SiteSpecificTrustStore.TRUST_STORE_SITE_SPECIFIC_CONNECT_TIMEOUT,
+                              String.valueOf(connectTimeout));
+        setTestSystemProperty(SiteSpecificTrustStore.TRUST_STORE_SITE_SPECIFIC_READ_TIMEOUT,
+                              String.valueOf(readTimeout));
+
+        _caKeyCertPair = TlsResourceBuilder.createKeyPairAndRootCA(EXPECTED_ISSUER);
+        _keyCertPair = TlsResourceBuilder.createKeyPairAndCertificate(EXPECTED_SUBJECT, _caKeyCertPair);
+        final KeyCertificatePair keyCertPair2 = TlsResourceBuilder.createKeyPairAndCertificate(DN_BAR, _caKeyCertPair);
+        _clrUrl = TLS_RESOURCE.createCrlAsDataUrl(_caKeyCertPair, keyCertPair2.getCertificate());
     }
 
     @After
     public void tearDown() throws Exception
     {
-        try
+        if (_testPeer != null)
         {
-        }
-        finally
-        {
-            if (_testPeer != null)
-            {
-                _testPeer.close();
-            }
+            _testPeer.close();
         }
     }
 
     @Test
     public void testMalformedSiteUrl()
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(SiteSpecificTrustStore.NAME, "mySiteSpecificTrustStore");
-        attributes.put(SiteSpecificTrustStore.TYPE, "SiteSpecificTrustStore");
-        attributes.put("siteUrl", "notaurl:541");
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(SiteSpecificTrustStore.NAME, NAME);
+        attributes.put(SiteSpecificTrustStore.TYPE, SITE_SPECIFIC_TRUST_STORE);
+        attributes.put("siteUrl", INVALID_URL);
 
-        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
-                "'notaurl:541' is not a valid URL");
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY,
+                                                                      BROKER,
+                                                                      TrustStore.class,
+                                                                      attributes,
+                                                                      String.format("'%s' is not a valid URL",
+                                                                                    INVALID_URL));
     }
 
     @Test
     public void testSiteUrlDoesNotSupplyHostPort()
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(SiteSpecificTrustStore.NAME, "mySiteSpecificTrustStore");
-        attributes.put(SiteSpecificTrustStore.TYPE, "SiteSpecificTrustStore");
-        attributes.put("siteUrl", "file:/not/a/host");
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(SiteSpecificTrustStore.NAME, NAME);
+        attributes.put(SiteSpecificTrustStore.TYPE, SITE_SPECIFIC_TRUST_STORE);
+        attributes.put("siteUrl", NOT_SUPPORTED_URL);
 
-        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
-                "URL 'file:/not/a/host' does not provide a hostname and port number");
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER,
+                                                                      TrustStore.class,
+                                                                      attributes,
+                                                                      String.format(
+                                                                              "URL '%s' does not provide a hostname and port number",
+                                                                              NOT_SUPPORTED_URL));
     }
 
     @Test
@@ -122,8 +150,11 @@
         int listeningPort = _testPeer.start();
         Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);
 
-        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
-                "Unable to get certificate for 'mySiteSpecificTrustStore' from");
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER,
+                                                                      TrustStore.class,
+                                                                      attributes,
+                                                                      String.format(
+                                                                              "Unable to get certificate for '%s' from", NAME));
     }
 
     @Test
@@ -134,10 +165,9 @@
 
         Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);
         attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+        attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, _clrUrl);
 
-        final SiteSpecificTrustStore trustStore =
-                (SiteSpecificTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+        final SiteSpecificTrustStore<?> trustStore = createTestTrustStore(attributes);
 
         List<CertificateDetails> certDetails = trustStore.getCertificateDetails();
         assertEquals("Unexpected number of certificates", 1, certDetails.size());
@@ -155,36 +185,34 @@
 
         Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);
         attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+        attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, _clrUrl);
 
-        final SiteSpecificTrustStore trustStore =
-                (SiteSpecificTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+        final SiteSpecificTrustStore<?> trustStore = createTestTrustStore(attributes);
 
         try
         {
-            Map<String,Object> unacceptableAttributes = new HashMap<>();
-            unacceptableAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
-
-            trustStore.setAttributes(unacceptableAttributes);
+            trustStore.setAttributes(Collections.singletonMap(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL,
+                                                              NOT_A_CRL));
             fail("Exception not thrown");
         }
         catch (IllegalConfigurationException e)
         {
             String message = e.getMessage();
             assertTrue("Exception text not as unexpected:" + message,
-                    message.contains("Unable to load certificate revocation list '/not/a/crl' for truststore 'mySiteSpecificTrustStore'"));
+                       message.contains(
+                               String.format("Unable to load certificate revocation list '%s' for truststore '%s'", NOT_A_CRL, NAME)));
         }
 
         assertEquals("Unexpected CRL path value after failed change",
-                TestSSLConstants.CA_CRL, trustStore.getCertificateRevocationListUrl());
+                     _clrUrl, trustStore.getCertificateRevocationListUrl());
 
-        Map<String,Object> changedAttributes = new HashMap<>();
-        changedAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL_EMPTY);
+        final Path emptyCrl = TLS_RESOURCE.createCrl(_caKeyCertPair);
+        trustStore.setAttributes(Collections.singletonMap(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL,
+                                                          emptyCrl.toFile().getAbsolutePath()));
 
-        trustStore.setAttributes(changedAttributes);
 
         assertEquals("Unexpected CRL path value after change that is expected to be successful",
-                TestSSLConstants.CA_CRL_EMPTY, trustStore.getCertificateRevocationListUrl());
+                     emptyCrl.toFile().getAbsolutePath(), trustStore.getCertificateRevocationListUrl());
     }
 
     @Test
@@ -194,10 +222,13 @@
         int listeningPort = _testPeer.start();
         Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);
         attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
+        attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, NOT_A_CRL);
 
-        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
-                "Unable to load certificate revocation list '/not/a/crl' for truststore 'mySiteSpecificTrustStore'");
+        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER,
+                                                                      TrustStore.class,
+                                                                      attributes,
+                                                                      String.format(
+                                                                              "Unable to load certificate revocation list '%s' for truststore '%s'", NOT_A_CRL, NAME));
     }
 
     @Test
@@ -208,8 +239,7 @@
 
         Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);
 
-        final SiteSpecificTrustStore trustStore =
-                (SiteSpecificTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+        final SiteSpecificTrustStore<?> trustStore = createTestTrustStore(attributes);
 
         List<CertificateDetails> certDetails = trustStore.getCertificateDetails();
         assertEquals("Unexpected number of certificates", 1, certDetails.size());
@@ -228,11 +258,17 @@
         assertEquals("Unexpected certificate issuer", EXPECTED_ISSUER, certificateDetails.getIssuerName());
     }
 
+    @SuppressWarnings("unchecked")
+    private SiteSpecificTrustStore createTestTrustStore(final Map<String, Object> attributes)
+    {
+        return (SiteSpecificTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+    }
+
     private Map<String, Object> getTrustStoreAttributes(final int listeningPort)
     {
-        Map<String,Object> attributes = new HashMap<>();
-        attributes.put(SiteSpecificTrustStore.NAME, "mySiteSpecificTrustStore");
-        attributes.put(SiteSpecificTrustStore.TYPE, "SiteSpecificTrustStore");
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put(SiteSpecificTrustStore.NAME, NAME);
+        attributes.put(SiteSpecificTrustStore.TYPE, SITE_SPECIFIC_TRUST_STORE);
         attributes.put("siteUrl", String.format("https://localhost:%d", listeningPort));
         return attributes;
     }
@@ -279,22 +315,24 @@
 
         private ServerSocket createTestSSLServerSocket() throws Exception
         {
-            char[] keyPassword = TestSSLConstants.PASSWORD.toCharArray();
-            try(InputStream inputStream = new FileInputStream(TestSSLConstants.BROKER_KEYSTORE))
-            {
-                KeyStore keyStore = KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE);
-                KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-                keyStore.load(inputStream, keyPassword);
-                keyManagerFactory.init(keyStore, keyPassword);
-                KeyManager keyManagers[] = keyManagerFactory.getKeyManagers();
-                SSLContext sslContext = SSLContext.getInstance("SSL");
-                sslContext.init(keyManagers, null, new SecureRandom());
-                SSLServerSocketFactory socketFactory = sslContext.getServerSocketFactory();
-                ServerSocket serverSocket = socketFactory.createServerSocket(0);
-                serverSocket.setSoTimeout(100);
+            char[] secret = "".toCharArray();
 
-                return serverSocket;
-            }
+            java.security.KeyStore inMemoryKeyStore =
+                    TlsResourceHelper.createKeyStore(java.security.KeyStore.getDefaultType(),
+                                                     secret,
+                                                     new PrivateKeyEntry("1",
+                                                                         _keyCertPair.getPrivateKey(),
+                                                                         _keyCertPair.getCertificate()));
+
+            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+            kmf.init(inMemoryKeyStore, secret);
+            KeyManager[] keyManagers = kmf.getKeyManagers();
+            SSLContext sslContext = SSLContext.getInstance("TLS");
+            sslContext.init(keyManagers, null, new SecureRandom());
+            SSLServerSocketFactory socketFactory = sslContext.getServerSocketFactory();
+            ServerSocket serverSocket = socketFactory.createServerSocket(0);
+            serverSocket.setSoTimeout(100);
+            return serverSocket;
         }
 
         private class AcceptingRunnable implements Runnable
@@ -309,6 +347,7 @@
                         final InputStream inputStream = sock.getInputStream();
                         while (inputStream.read() != -1)
                         {
+                            // ignore
                         }
                     }
                     catch (IOException e)

diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImplTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImplTest.java
index f4348dd..e52942b 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImplTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImplTest.java

@@ -26,6 +26,7 @@
 import static org.mockito.Mockito.when;
 
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Path;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
@@ -39,6 +40,7 @@
 
 import org.junit.After;
 import org.junit.Before;
+import org.junit.ClassRule;
 import org.junit.Test;
 
 import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor;
@@ -53,10 +55,14 @@
 import org.apache.qpid.server.security.auth.manager.oauth2.cloudfoundry.CloudFoundryOAuth2IdentityResolverService;
 import org.apache.qpid.server.security.auth.sasl.SaslNegotiator;
 import org.apache.qpid.server.security.auth.sasl.oauth2.OAuth2Negotiator;
+import org.apache.qpid.test.utils.tls.TlsResource;
 import org.apache.qpid.test.utils.UnitTestBase;
 
 public class OAuth2AuthenticationProviderImplTest extends UnitTestBase
 {
+    @ClassRule
+    public static final TlsResource TLS_RESOURCE = new TlsResource();
+
     static final String UTF8 = StandardCharsets.UTF_8.name();
 
     private static final String TEST_ENDPOINT_HOST = "localhost";
@@ -90,7 +96,10 @@
     @Before
     public void setUp() throws Exception
     {
-        _server = new OAuth2MockEndpointHolder();
+        Path keyStore = TLS_RESOURCE.createSelfSignedKeyStore("CN=foo");
+        _server = new OAuth2MockEndpointHolder(keyStore.toFile().getAbsolutePath(),
+                                               TLS_RESOURCE.getSecret(),
+                                               TLS_RESOURCE.getKeyStoreType());
         _server.start();
 
         Broker broker = BrokerTestHelper.createBrokerMock();

diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2MockEndpointHolder.java b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2MockEndpointHolder.java
index 0dc987a..636def9 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2MockEndpointHolder.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2MockEndpointHolder.java

@@ -36,7 +36,6 @@
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import junit.framework.TestCase;
-import org.apache.qpid.test.utils.TestSSLConstants;
 import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
@@ -53,12 +52,15 @@
     private final ServerConnector _connector;
     private volatile Map<String, OAuth2MockEndpoint> _endpoints;
 
-    OAuth2MockEndpointHolder() throws IOException
+    OAuth2MockEndpointHolder(final String keyStorePath, final String keyStorePassword, final String keyStoreType) throws IOException
     {
-        this(Collections.<String, OAuth2MockEndpoint>emptyMap());
+        this(Collections.emptyMap(), keyStorePath, keyStorePassword, keyStoreType);
     }
 
-    OAuth2MockEndpointHolder(final Map<String, OAuth2MockEndpoint> endpoints) throws IOException
+    private OAuth2MockEndpointHolder(final Map<String, OAuth2MockEndpoint> endpoints,
+                                     final String keyStorePath,
+                                     final String keyStorePassword,
+                                     final String keyStoreType) throws IOException
     {
         _endpoints = endpoints;
         final List<String> protocolWhiteList =
@@ -85,9 +87,9 @@
                                                       SSLUtil.updateEnabledTlsProtocols(sslEngine, protocolWhiteList, protocolBlackList);
                                                   }
                                               };
-        sslContextFactory.setKeyStorePassword(TestSSLConstants.PASSWORD);
-        sslContextFactory.setKeyStoreResource(Resource.newResource(TestSSLConstants.TEST_KEYSTORE));
-        sslContextFactory.setKeyStoreType(TestSSLConstants.JAVA_KEYSTORE_TYPE);
+        sslContextFactory.setKeyStorePassword(keyStorePassword);
+        sslContextFactory.setKeyStoreResource(Resource.newResource(keyStorePath));
+        sslContextFactory.setKeyStoreType(keyStoreType);
 
         // override default jetty excludes as valid IBM JDK are excluded
         // causing SSL handshake failure (due to default exclude '^SSL_.*$')

diff --git a/broker-core/src/test/java/org/apache/qpid/server/ssl/TrustManagerTest.java b/broker-core/src/test/java/org/apache/qpid/server/ssl/TrustManagerTest.java
index 191d7cf..4c493d0 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/ssl/TrustManagerTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/ssl/TrustManagerTest.java

@@ -18,84 +18,74 @@
 
 package org.apache.qpid.server.ssl;
 
-import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.fail;
 
+import java.security.KeyPair;
 import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
-import java.util.Arrays;
-import java.util.Enumeration;
 
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
 
+import org.junit.BeforeClass;
 import org.junit.Test;
 
 import org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager;
 import org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
-import org.apache.qpid.test.utils.TestSSLConstants;
 import org.apache.qpid.test.utils.UnitTestBase;
+import org.apache.qpid.test.utils.tls.CertificateEntry;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
+import org.apache.qpid.test.utils.tls.TlsResourceHelper;
 
 public class TrustManagerTest extends UnitTestBase
 {
     private static final String DEFAULT_TRUST_MANAGER_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm();
 
-    // retrieves the client certificate's chain from store and returns it as an array
-    private X509Certificate[] getClientChain(final String storePath, final String alias) throws Exception
+    private static final String TEST_ALIAS = "test";
+    private static final String DN_CA = "CN=MyRootCA,O=ACME,ST=Ontario,C=CA";
+    private static final String DN_APP1 = "CN=app1@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+    private static final String DN_APP2 = "CN=app2@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+    private static final String DN_UNTRUSTED = "CN=untrusted_client";
+
+    private static X509Certificate _ca;
+    private static X509Certificate _app1;
+    private static X509Certificate _app2;
+    private static X509Certificate _untrusted;
+
+    @BeforeClass
+    public static void setUp() throws Exception
     {
-        final KeyStore ks = SSLUtil.getInitializedKeyStore(storePath, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
-        final Certificate[] chain = ks.getCertificateChain(alias);
-        return Arrays.copyOf(chain, chain.length, X509Certificate[].class);
+        final KeyCertificatePair caPair = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
+        final KeyPair keyPair1 = TlsResourceBuilder.createRSAKeyPair();
+        final KeyPair keyPair2 = TlsResourceBuilder.createRSAKeyPair();
+        final KeyCertificatePair untrustedKeyCertPair = TlsResourceBuilder.createSelfSigned(DN_UNTRUSTED);
+
+        _ca = caPair.getCertificate();
+        _app1 = TlsResourceBuilder.createCertificateForClientAuthorization(keyPair1, caPair, DN_APP1);
+        _app2 = TlsResourceBuilder.createCertificateForClientAuthorization(keyPair2, caPair, DN_APP2);
+        _untrusted = untrustedKeyCertPair.getCertificate();
     }
 
-    // verifies that peer store is loaded only with client's (peer's) app1 certificate (no CA)
-    private void noCAinPeerStore(final KeyStore ps) throws KeyStoreException
-    {
-        final Enumeration<String> aliases = ps.aliases();
-        while (aliases.hasMoreElements())
-        {
-            final String alias = aliases.nextElement();
-            if (!alias.equalsIgnoreCase(TestSSLConstants.CERT_ALIAS_APP1))
-            {
-                fail("Broker's peer store contains other certificate than client's  app1 public key");
-            }
-        }
-    }
 
     /**
      * Tests that the QpidPeersOnlyTrustManager gives the expected behaviour when loaded separately
-     * with the broker peerstore and truststore.
+     * with the peer certificate and CA root certificate.
      */
     @Test
     public void testQpidPeersOnlyTrustManager() throws Exception
     {
-        // first let's check that peer manager loaded with the PEERstore succeeds
-        final KeyStore ps = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_PEERSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
-        this.noCAinPeerStore(ps);
-        final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
-        pmf.init(ps);
-        final TrustManager[] delegatePeerManagers = pmf.getTrustManagers();
-
-        X509TrustManager peerManager = null;
-        for (final TrustManager tm : delegatePeerManagers)
-        {
-            if (tm instanceof X509TrustManager)
-            {
-                // peer manager is supposed to trust only clients which peers certificates
-                // are directly in the store. CA signing will not be considered.
-                peerManager = new QpidPeersOnlyTrustManager(ps, (X509TrustManager) tm);
-            }
-        }
+        // peer manager is supposed to trust only clients which peers certificates
+        // are directly in the store. CA signing will not be considered.
+        X509TrustManager peerManager = createPeerManager(_app1);
 
         try
         {
-            // since broker's peerstore contains the client's app1 certificate, the check should succeed
-            peerManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA");
+            // since peer manager contains the client's app1 certificate, the check should succeed
+            peerManager.checkClientTrusted(new X509Certificate[]{_app1, _ca }, "RSA");
         }
         catch (CertificateException e)
         {
@@ -104,8 +94,8 @@
 
         try
         {
-            // since broker's peerstore does not contain the client's app2 certificate, the check should fail
-            peerManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA");
+            // since peer manager does not contain the client's app2 certificate, the check should fail
+            peerManager.checkClientTrusted(new X509Certificate[]{_app2, _ca }, "RSA");
             fail("Untrusted client's validation against the broker's peer store manager succeeded.");
         }
         catch (CertificateException e)
@@ -113,30 +103,16 @@
             //expected
         }
 
-        // now let's check that peer manager loaded with the brokers TRUSTstore fails because
+        // now let's check that peer manager loaded with the CA certificate fails because
         // it does not have the clients certificate in it (though it does have a CA-cert that
         // would otherwise trust the client cert when using the regular trust manager).
-        final KeyStore ts = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_TRUSTSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
-        final TrustManagerFactory tmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
-        tmf.init(ts);
-        final TrustManager[] delegateTrustManagers = tmf.getTrustManagers();
-
-        peerManager = null;
-        for (final TrustManager tm : delegateTrustManagers)
-        {
-            if (tm instanceof X509TrustManager)
-            {
-                // peer manager is supposed to trust only clients which peers certificates
-                // are directly in the store. CA signing will not be considered.
-                peerManager = new QpidPeersOnlyTrustManager(ts, (X509TrustManager) tm);
-            }
-        }
+        peerManager = createPeerManager(_ca);
 
         try
         {
-            // since broker's truststore doesn't contain the client's app1 certificate, the check should fail
+            // since trust manager doesn't contain the client's app1 certificate, the check should fail
             // despite the fact that the truststore does have a CA that would otherwise trust the cert
-            peerManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA");
+            peerManager.checkClientTrusted(new X509Certificate[]{_app1, _ca }, "RSA");
             fail("Client's validation against the broker's peer store manager didn't fail.");
         }
         catch (CertificateException e)
@@ -146,9 +122,9 @@
 
         try
         {
-            // since broker's truststore doesn't contain the client's app2 certificate, the check should fail
+            // since  trust manager doesn't contain the client's app2 certificate, the check should fail
             // despite the fact that the truststore does have a CA that would otherwise trust the cert
-            peerManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA");
+            peerManager.checkClientTrusted(new X509Certificate[]{_app2, _ca }, "RSA");
             fail("Client's validation against the broker's peer store manager didn't fail.");
         }
         catch (CertificateException e)
@@ -159,32 +135,21 @@
 
     /**
      * Tests that the QpidMultipleTrustManager gives the expected behaviour when wrapping a
-     * regular TrustManager against the broker truststore.
+     * regular CA root certificate.
      */
     @Test
     public void testQpidMultipleTrustManagerWithRegularTrustStore() throws Exception
     {
         final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
-        final KeyStore ts = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_TRUSTSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
-        final TrustManagerFactory tmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
-        tmf.init(ts);
-        final TrustManager[] delegateTrustManagers = tmf.getTrustManagers();
-        boolean trustManagerAdded = false;
-        for (final TrustManager tm : delegateTrustManagers)
-        {
-            if (tm instanceof X509TrustManager)
-            {
-                // add broker's trust manager
-                mulTrustManager.addTrustManager((X509TrustManager) tm);
-                trustManagerAdded = true;
-            }
-        }
-        assertTrue("The regular trust manager for the trust store was not added", trustManagerAdded);
+        final X509TrustManager tm = createTrustManager(_ca);
+        assertNotNull("The regular trust manager for the trust store was not found", tm);
+
+        mulTrustManager.addTrustManager(tm);
 
         try
         {
             // verify the CA-trusted app1 cert (should succeed)
-            mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA");
+            mulTrustManager.checkClientTrusted(new X509Certificate[]{_app1, _ca }, "RSA");
         }
         catch (CertificateException ex)
         {
@@ -194,7 +159,7 @@
         try
         {
             // verify the CA-trusted app2 cert (should succeed)
-            mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA");
+            mulTrustManager.checkClientTrusted(new X509Certificate[]{_app2, _ca }, "RSA");
         }
         catch (CertificateException ex)
         {
@@ -204,8 +169,7 @@
         try
         {
             // verify the untrusted cert (should fail)
-            mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_UNTRUSTED_KEYSTORE,
-                                                                   TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
+            mulTrustManager.checkClientTrusted(new X509Certificate[]{_untrusted}, "RSA");
             fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
         }
         catch (CertificateException ex)
@@ -216,33 +180,21 @@
 
     /**
      * Tests that the QpidMultipleTrustManager gives the expected behaviour when wrapping a
-     * QpidPeersOnlyTrustManager against the broker peerstore.
+     * QpidPeersOnlyTrustManager against the peer certificate
      */
     @Test
     public void testQpidMultipleTrustManagerWithPeerStore() throws Exception
     {
         final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
-        final KeyStore ps = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_PEERSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
-        final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
-        pmf.init(ps);
-        final TrustManager[] delegatePeerManagers = pmf.getTrustManagers();
-        boolean peerManagerAdded = false;
-        for (final TrustManager tm : delegatePeerManagers)
-        {
-            if (tm instanceof X509TrustManager)
-            {
-                // add broker's peer manager
-                mulTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(ps, (X509TrustManager) tm));
-                peerManagerAdded = true;
-            }
-        }
-        assertTrue("The QpidPeersOnlyTrustManager for the peerstore was not added", peerManagerAdded);
+        final KeyStore ps = createKeyStore(_app1);
+        final X509TrustManager tm = getX509TrustManager(ps);
+        assertNotNull("The regular trust manager for the trust store was not found", tm);
 
+        mulTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(ps, tm));
         try
         {
             // verify the trusted app1 cert (should succeed as the key is in the peerstore)
-            mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE,
-                                                                   TestSSLConstants.CERT_ALIAS_APP1), "RSA");
+            mulTrustManager.checkClientTrusted(new X509Certificate[]{_app1, _ca }, "RSA");
         }
         catch (CertificateException ex)
         {
@@ -252,8 +204,7 @@
         try
         {
             // verify the untrusted app2 cert (should fail as the key is not in the peerstore)
-            mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE,
-                                                                   TestSSLConstants.CERT_ALIAS_APP2), "RSA");
+            mulTrustManager.checkClientTrusted(new X509Certificate[]{_app2, _ca }, "RSA");
             fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
         }
         catch (CertificateException ex)
@@ -264,8 +215,7 @@
         try
         {
             // verify the untrusted cert (should fail as the key is not in the peerstore)
-            mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_UNTRUSTED_KEYSTORE,
-                                                                   TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
+            mulTrustManager.checkClientTrusted(new X509Certificate[]{_untrusted }, "RSA");
             fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
         }
         catch (CertificateException ex)
@@ -276,50 +226,28 @@
 
     /**
      * Tests that the QpidMultipleTrustManager gives the expected behaviour when wrapping a
-     * QpidPeersOnlyTrustManager against the broker peerstore, a regular TrustManager
-     * against the broker truststore.
+     * QpidPeersOnlyTrustManager against the peer certificate, a regular TrustManager
+     * against the CA root certificate.
      */
     @Test
     public void testQpidMultipleTrustManagerWithTrustAndPeerStores() throws Exception
     {
         final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
-        final KeyStore ts = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_TRUSTSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
-        final TrustManagerFactory tmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
-        tmf.init(ts);
-        final TrustManager[] delegateTrustManagers = tmf.getTrustManagers();
-        boolean trustManagerAdded = false;
-        for (final TrustManager tm : delegateTrustManagers)
-        {
-            if (tm instanceof X509TrustManager)
-            {
-                // add broker's trust manager
-                mulTrustManager.addTrustManager((X509TrustManager) tm);
-                trustManagerAdded = true;
-            }
-        }
-        assertTrue("The regular trust manager for the trust store was not added", trustManagerAdded);
+        final KeyStore ts = createKeyStore(_ca);
+        final X509TrustManager tm = getX509TrustManager(ts);
+        assertNotNull("The regular trust manager for the trust store was not found", tm);
 
-        final KeyStore ps = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_PEERSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
-        final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
-        pmf.init(ps);
-        final TrustManager[] delegatePeerManagers = pmf.getTrustManagers();
-        boolean peerManagerAdded = false;
-        for (final TrustManager tm : delegatePeerManagers)
-        {
-            if (tm instanceof X509TrustManager)
-            {
-                // add broker's peer manager
-                mulTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(ps, (X509TrustManager) tm));
-                peerManagerAdded = true;
-            }
-        }
-        assertTrue("The QpidPeersOnlyTrustManager for the peerstore was not added", peerManagerAdded);
+        mulTrustManager.addTrustManager(tm);
+
+        final KeyStore ps = createKeyStore(_app1);
+        final X509TrustManager tm2 = getX509TrustManager(ts);
+        assertNotNull("The regular trust manager for the peer store was not found", tm2);
+        mulTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(ps, tm2));
 
         try
         {
             // verify the CA-trusted app1 cert (should succeed)
-            mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE,
-                                                                   TestSSLConstants.CERT_ALIAS_APP1), "RSA");
+            mulTrustManager.checkClientTrusted(new X509Certificate[]{_app1, _ca }, "RSA");
         }
         catch (CertificateException ex)
         {
@@ -329,8 +257,7 @@
         try
         {
             // verify the CA-trusted app2 cert (should succeed)
-            mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE,
-                                                                   TestSSLConstants.CERT_ALIAS_APP2), "RSA");
+            mulTrustManager.checkClientTrusted(new X509Certificate[]{_app2, _ca }, "RSA");
         }
         catch (CertificateException ex)
         {
@@ -340,8 +267,7 @@
         try
         {
             // verify the untrusted cert (should fail)
-            mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_UNTRUSTED_KEYSTORE,
-                                                                   TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
+            mulTrustManager.checkClientTrusted(new X509Certificate[]{_untrusted }, "RSA");
             fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
         }
         catch (CertificateException ex)
@@ -349,4 +275,40 @@
             // expected
         }
     }
+
+    private KeyStore createKeyStore(X509Certificate certificate)
+            throws Exception
+    {
+        return TlsResourceHelper.createKeyStore(KeyStore.getDefaultType(),
+                                                new char[]{},
+                                                new CertificateEntry(TEST_ALIAS, certificate));
+    }
+
+    private X509TrustManager createTrustManager(final X509Certificate certificate) throws Exception
+    {
+        return getX509TrustManager(createKeyStore(certificate));
+    }
+
+    private X509TrustManager getX509TrustManager(final KeyStore ps) throws Exception
+    {
+        final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
+        pmf.init(ps);
+        final TrustManager[] delegateTrustManagers = pmf.getTrustManagers();
+        X509TrustManager trustManager = null;
+        for (final TrustManager tm : delegateTrustManagers)
+        {
+            if (tm instanceof X509TrustManager)
+            {
+                trustManager = (X509TrustManager) tm;
+            }
+        }
+        return trustManager;
+    }
+
+    private X509TrustManager createPeerManager(final X509Certificate certificate) throws Exception
+    {
+        final KeyStore ps = createKeyStore(certificate);
+        final X509TrustManager tm = createTrustManager(certificate);
+        return new QpidPeersOnlyTrustManager(ps, tm);
+    }
 }

diff --git a/broker-core/src/test/java/org/apache/qpid/server/transport/SNITest.java b/broker-core/src/test/java/org/apache/qpid/server/transport/SNITest.java
index 8039e5a..6a08ee4 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/transport/SNITest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/transport/SNITest.java

@@ -23,11 +23,9 @@
 import static org.junit.Assert.assertEquals;
 
 import java.io.File;
-import java.io.FileOutputStream;
 import java.net.InetSocketAddress;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
-import java.time.Duration;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.Collections;
@@ -46,6 +44,7 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.After;
 import org.junit.Before;
+import org.junit.ClassRule;
 import org.junit.Test;
 
 import org.apache.qpid.server.SystemLauncher;
@@ -62,19 +61,26 @@
 import org.apache.qpid.server.security.FileKeyStore;
 import org.apache.qpid.server.security.auth.manager.AnonymousAuthenticationManager;
 import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil.KeyCertPair;
 import org.apache.qpid.test.utils.TestFileUtils;
 import org.apache.qpid.test.utils.UnitTestBase;
+import org.apache.qpid.test.utils.tls.AltNameType;
+import org.apache.qpid.test.utils.tls.AlternativeName;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.PrivateKeyEntry;
+import org.apache.qpid.test.utils.tls.TlsResource;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
 
 public class SNITest extends UnitTestBase
 {
+    @ClassRule
+    public static final TlsResource TLS_RESOURCE = new TlsResource();
+
     private static final int SOCKET_TIMEOUT = 10000;
-    private static final String KEYSTORE_PASSWORD = "password";
 
     private File _keyStoreFile;
-    private KeyCertPair _fooValid;
-    private KeyCertPair _fooInvalid;
-    private KeyCertPair _barInvalid;
+    private KeyCertificatePair _fooValid;
+    private KeyCertificatePair _fooInvalid;
+    private KeyCertificatePair _barInvalid;
     private SystemLauncher _systemLauncher;
     private Broker<?> _broker;
     private int _boundPort;
@@ -83,85 +89,47 @@
     @Before
     public void setUp() throws Exception
     {
-        if(SSLUtil.canGenerateCerts())
-        {
+        final Instant yesterday = Instant.now().minus(1, ChronoUnit.DAYS);
+        final Instant inOneHour = Instant.now().plus(1, ChronoUnit.HOURS);
+        _fooValid = TlsResourceBuilder.createSelfSigned("CN=foo",
+                                                        yesterday,
+                                                        yesterday.plus(365, ChronoUnit.DAYS));
+        _fooInvalid = TlsResourceBuilder.createSelfSigned("CN=foo",
+                                                          inOneHour,
+                                                          inOneHour.plus(365, ChronoUnit.DAYS));
 
-            _fooValid = SSLUtil.generateSelfSignedCertificate("RSA",
-                                                              "SHA256WithRSA",
-                                                              2048,
-                                                              Instant.now().minus(1, ChronoUnit.DAYS).toEpochMilli(),
-                                                              Duration.of(365, ChronoUnit.DAYS).getSeconds(),
-                                                              "CN=foo",
-                                                              Collections.emptySet(),
-                                                              Collections.emptySet());
-            _fooInvalid = SSLUtil.generateSelfSignedCertificate("RSA",
-                                                                "SHA256WithRSA",
-                                                                2048,
-                                                                Instant.now().plus(1, ChronoUnit.HOURS).toEpochMilli(),
-                                                                Duration.of(365, ChronoUnit.DAYS).getSeconds(),
-                                                                "CN=foo",
-                                                                Collections.emptySet(),
-                                                                Collections.emptySet());
+        _barInvalid = TlsResourceBuilder.createSelfSigned("CN=Qpid",
+                                                          inOneHour,
+                                                          inOneHour.plus(365, ChronoUnit.DAYS),
+                                                          new AlternativeName(
+                                                                  AltNameType.DNS_NAME, "bar"));
 
-            _barInvalid = SSLUtil.generateSelfSignedCertificate("RSA",
-                                                                "SHA256WithRSA",
-                                                                2048,
-                                                                Instant.now().plus(1, ChronoUnit.HOURS).toEpochMilli(),
-                                                                Duration.of(365, ChronoUnit.DAYS).getSeconds(),
-                                                                "CN=Qpid",
-                                                                Collections.singleton("bar"),
-                                                                Collections.emptySet());
 
-            java.security.KeyStore inMemoryKeyStore =
-                    java.security.KeyStore.getInstance(java.security.KeyStore.getDefaultType());
 
-            inMemoryKeyStore.load(null, KEYSTORE_PASSWORD.toCharArray());
-            inMemoryKeyStore.setKeyEntry("foovalid",
-                                         _fooValid.getPrivateKey(),
-                                         KEYSTORE_PASSWORD.toCharArray(),
-                                         new X509Certificate[]{_fooValid.getCertificate()});
 
-            inMemoryKeyStore.setKeyEntry("fooinvalid",
-                                         _fooInvalid.getPrivateKey(),
-                                         KEYSTORE_PASSWORD.toCharArray(),
-                                         new X509Certificate[]{_fooInvalid.getCertificate()});
-
-            inMemoryKeyStore.setKeyEntry("barinvalid",
-                                         _barInvalid.getPrivateKey(),
-                                         KEYSTORE_PASSWORD.toCharArray(),
-                                         new X509Certificate[]{_barInvalid.getCertificate()});
-
-            _keyStoreFile = File.createTempFile("keyStore", "jks");
-            try (FileOutputStream os = new FileOutputStream(_keyStoreFile))
-            {
-                inMemoryKeyStore.store(os, KEYSTORE_PASSWORD.toCharArray());
-            }
-        }
+        _keyStoreFile = TLS_RESOURCE.createKeyStore(new PrivateKeyEntry("foovalid",
+                                                                        _fooValid.getPrivateKey(),
+                                                                        _fooValid.getCertificate()),
+                                                    new PrivateKeyEntry("fooinvalid",
+                                                                        _fooInvalid.getPrivateKey(),
+                                                                        _fooInvalid.getCertificate()),
+                                                    new PrivateKeyEntry("barinvalid",
+                                                                        _barInvalid.getPrivateKey(),
+                                                                        _barInvalid.getCertificate())).toFile();
     }
 
     @After
     public void tearDown() throws Exception
     {
-        try
+        if (_systemLauncher != null)
         {
-            if (_systemLauncher != null)
-            {
-                _systemLauncher.shutdown();
-            }
-
-            if (_brokerWork != null)
-            {
-                _brokerWork.delete();
-            }
-            if (_keyStoreFile != null)
-            {
-                _keyStoreFile.delete();
-            }
-        }
-        finally
-        {
+            _systemLauncher.shutdown();
         }
 
+        if (_brokerWork != null)
+        {
+            _brokerWork.delete();
+        }
     }
 
     @Test
@@ -192,10 +160,8 @@
     private void performTest(final boolean useMatching,
                              final String defaultAlias,
                              final String sniHostName,
-                             final KeyCertPair expectedCert) throws Exception
+                             final KeyCertificatePair expectedCert) throws Exception
     {
-        if (SSLUtil.canGenerateCerts())
-        {
             doBrokerStartup(useMatching, defaultAlias);
             SSLContext context = SSLUtil.tryGetSSLContext();
             context.init(null,
@@ -238,7 +204,6 @@
                 assertEquals((long) 1, (long) certs.length);
                 assertEquals(expectedCert.getCertificate(), certs[0]);
             }
-        }
     }
 
     private void doBrokerStartup(boolean useMatching, String defaultAlias) throws Exception
@@ -272,7 +237,7 @@
         Map<String, Object> keyStoreAttr = new HashMap<>();
         keyStoreAttr.put(FileKeyStore.NAME, "myKeyStore");
         keyStoreAttr.put(FileKeyStore.STORE_URL, _keyStoreFile.toURI().toURL().toString());
-        keyStoreAttr.put(FileKeyStore.PASSWORD, KEYSTORE_PASSWORD);
+        keyStoreAttr.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
         keyStoreAttr.put(FileKeyStore.USE_HOST_NAME_MATCHING, useMatching);
         keyStoreAttr.put(FileKeyStore.CERTIFICATE_ALIAS, defaultAlias);
 

diff --git a/pom.xml b/pom.xml
index def3997..4f8aa0e 100644
--- a/pom.xml
+++ b/pom.xml

@@ -154,6 +154,8 @@
     <h2.version>1.4.199</h2.version>
     <apache-directory-version>2.0.0-M23</apache-directory-version>
     <kerby-version>1.0.1</kerby-version>
+    <bcprov-version>1.64</bcprov-version>
+    <bcpkix-version>1.64</bcpkix-version>
   </properties>
 
   <modules>
@@ -726,23 +728,85 @@
         <artifactId>maven-resolver-transport-http</artifactId>
         <version>${maven-resolver-version}</version>
       </dependency>
-      <!-- apacheds test dependency -->
+
+      <!-- apacheds test dependencies -->
       <dependency>
         <groupId>org.apache.directory.server</groupId>
-        <artifactId>apacheds-all</artifactId>
+        <artifactId>apacheds-core</artifactId>
         <version>${apache-directory-version}</version>
         <scope>test</scope>
-        <exclusions>
-           <exclusion>
-            <groupId>org.apache.directory.shared</groupId>
-            <artifactId>shared-ldap-schema</artifactId>
-          </exclusion>
-          <exclusion>
-            <groupId>org.apache.directory.api</groupId>
-            <artifactId>api-ldap-schema-data</artifactId>
-          </exclusion>
-        </exclusions>
       </dependency>
+
+      <dependency>
+        <groupId>org.apache.directory.server</groupId>
+        <artifactId>apacheds-core-annotations</artifactId>
+        <version>${apache-directory-version}</version>
+        <scope>test</scope>
+      </dependency>
+
+      <dependency>
+        <groupId>org.apache.directory.server</groupId>
+        <artifactId>apacheds-core-api</artifactId>
+        <version>${apache-directory-version}</version>
+        <scope>test</scope>
+      </dependency>
+
+      <dependency>
+        <groupId>org.apache.directory.server</groupId>
+        <artifactId>apacheds-interceptor-kerberos</artifactId>
+        <version>${apache-directory-version}</version>
+        <scope>test</scope>
+      </dependency>
+
+      <dependency>
+        <groupId>org.apache.directory.server</groupId>
+        <artifactId>apacheds-kerberos-codec</artifactId>
+        <version>${apache-directory-version}</version>
+        <scope>test</scope>
+      </dependency>
+
+      <dependency>
+        <groupId>org.apache.directory.server</groupId>
+        <artifactId>apacheds-protocol-kerberos</artifactId>
+        <version>${apache-directory-version}</version>
+        <scope>test</scope>
+      </dependency>
+
+      <dependency>
+        <groupId>org.apache.directory.server</groupId>
+        <artifactId>apacheds-protocol-ldap</artifactId>
+        <version>${apache-directory-version}</version>
+        <scope>test</scope>
+      </dependency>
+
+      <dependency>
+        <groupId>org.apache.directory.server</groupId>
+        <artifactId>apacheds-protocol-shared</artifactId>
+        <version>${apache-directory-version}</version>
+        <scope>test</scope>
+      </dependency>
+
+      <dependency>
+        <groupId>org.apache.directory.server</groupId>
+        <artifactId>apacheds-server-annotations</artifactId>
+        <version>${apache-directory-version}</version>
+        <scope>test</scope>
+      </dependency>
+
+      <dependency>
+        <groupId>org.apache.directory.server</groupId>
+        <artifactId>apacheds-server-config</artifactId>
+        <version>${apache-directory-version}</version>
+        <scope>test</scope>
+      </dependency>
+
+      <dependency>
+        <groupId>org.apache.directory.server</groupId>
+        <artifactId>apacheds-test-framework</artifactId>
+        <version>${apache-directory-version}</version>
+        <scope>test</scope>
+      </dependency>
+
       <!-- kerby test dependency -->
       <dependency>
         <groupId>org.apache.kerby</groupId>
@@ -750,6 +814,18 @@
         <scope>test</scope>
         <version>${kerby-version}</version>
       </dependency>
+
+      <dependency>
+        <groupId>org.bouncycastle</groupId>
+        <artifactId>bcprov-jdk15on</artifactId>
+        <version>${bcprov-version}</version>
+      </dependency>
+
+      <dependency>
+        <groupId>org.bouncycastle</groupId>
+        <artifactId>bcpkix-jdk15on</artifactId>
+        <version>${bcpkix-version}</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 

diff --git a/qpid-test-utils/pom.xml b/qpid-test-utils/pom.xml
index b06fd29..b31fca3 100644
--- a/qpid-test-utils/pom.xml
+++ b/qpid-test-utils/pom.xml

@@ -55,6 +55,16 @@
         <groupId>com.google.guava</groupId>
         <artifactId>guava</artifactId>
     </dependency>
+
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk15on</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpkix-jdk15on</artifactId>
+    </dependency>
   </dependencies>
 
   <build>

diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java
deleted file mode 100644
index 329920b..0000000
--- a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java
+++ /dev/null

@@ -1,99 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.qpid.test.utils;
-
-import java.nio.file.Paths;
-
-public final class TestSSLConstants
-{
-    public static final String JAVA_KEYSTORE_TYPE = "pkcs12";
-    public static final String PASSWORD = "password";
-    private static final String TEST_CERTIFICATES_DIRECTORY;
-    static
-    {
-        final String testCertificatesDirectoryPrefix;
-        if (System.getProperty("user.dir").contains("systests"))
-        {
-            testCertificatesDirectoryPrefix = Paths.get(System.getProperty("user.dir"), "..", "..").toString();
-        }
-        else if (System.getProperty("user.dir").contains(".."))
-        {
-            testCertificatesDirectoryPrefix = System.getProperty("user.dir");
-        }
-        else
-        {
-            testCertificatesDirectoryPrefix = Paths.get(System.getProperty("user.dir"), "..").toString();
-        }
-        TEST_CERTIFICATES_DIRECTORY =
-                Paths.get(testCertificatesDirectoryPrefix,
-                        "qpid-test-utils", "src", "main", "resources", "ssl", "certificates").toString();
-    }
-    public static final String CLIENT_KEYSTORE =
-            Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_keystore.jks").toString();
-    public static final String CLIENT_TRUSTSTORE =
-            Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_truststore.jks").toString();
-    public static final String CLIENT_EXPIRED_KEYSTORE =
-            Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_expired_keystore.jks").toString();
-    public static final String CLIENT_EXPIRED_CRT =
-            Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_expired.crt").toString();
-    public static final String CLIENT_UNTRUSTED_KEYSTORE =
-            Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_untrusted_keystore.jks").toString();
-
-    public static final String CERT_ALIAS_ROOT_CA = "rootca";
-    public static final String CERT_ALIAS_APP1 = "app1";
-    public static final String CERT_ALIAS_APP2 = "app2";
-    public static final String CERT_ALIAS_ALLOWED = "allowed_by_ca";
-    public static final String CERT_ALIAS_REVOKED = "revoked_by_ca";
-    public static final String CERT_ALIAS_REVOKED_EMPTY_CRL = "revoked_by_ca_empty_crl";
-    public static final String CERT_ALIAS_REVOKED_INVALID_CRL_PATH = "revoked_by_ca_invalid_crl_path";
-    public static final String CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE = "allowed_by_ca_with_intermediate";
-    public static final String CERT_ALIAS_UNTRUSTED_CLIENT = "untrusted_client";
-
-    public static final String BROKER_KEYSTORE =
-            Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker_keystore.jks").toString();
-    public static final String BROKER_CRT =
-            Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker.crt").toString();
-    public static final String BROKER_CSR =
-            Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker.csr").toString();
-    public static final String BROKER_TRUSTSTORE =
-            Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker_truststore.jks").toString();
-    public static final String BROKER_PEERSTORE =
-            Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker_peerstore.jks").toString();
-    public static final String BROKER_EXPIRED_TRUSTSTORE =
-            Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker_expired_truststore.jks").toString();
-    public static final String BROKER_KEYSTORE_ALIAS = "broker";
-
-    public static final String TEST_EMPTY_KEYSTORE =
-            Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_empty_keystore.jks").toString();
-    public static final String TEST_KEYSTORE =
-            Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_keystore.jks").toString();
-    public static final String TEST_CERT_ONLY_KEYSTORE =
-            Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_cert_only_keystore.jks").toString();
-    public static final String TEST_PK_ONLY_KEYSTORE =
-            Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_pk_only_keystore.jks").toString();
-    public static final String TEST_SYMMETRIC_KEY_KEYSTORE =
-            Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_symmetric_key_keystore.jks").toString();
-
-    public static final String CA_CRL_EMPTY =
-            Paths.get(TEST_CERTIFICATES_DIRECTORY, "MyRootCA.empty.crl").toString();
-    public static final String CA_CRL =
-            Paths.get(TEST_CERTIFICATES_DIRECTORY, "MyRootCA.crl").toString();
-    public static final String INTERMEDIATE_CA_CRL =
-            Paths.get(TEST_CERTIFICATES_DIRECTORY, "intermediate_ca.crl").toString();
-}

diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLUtils.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLUtils.java
deleted file mode 100644
index fedf4ca..0000000
--- a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLUtils.java
+++ /dev/null

@@ -1,52 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.qpid.test.utils;
-
-import java.security.Key;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateEncodingException;
-import java.util.Base64;
-
-public class TestSSLUtils
-{
-    public static String certificateToPEM(final Certificate pub) throws CertificateEncodingException
-    {
-        return toPEM(pub.getEncoded(), "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----");
-    }
-
-    public static String privateKeyToPEM(final Key key)
-    {
-        return toPEM(key.getEncoded(), "-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----");
-    }
-
-    private static String toPEM(final byte[] bytes, final String header, final String footer)
-    {
-        StringBuilder pem = new StringBuilder();
-        pem.append(header).append("\n");
-        String base64encoded = Base64.getEncoder().encodeToString(bytes);
-        while (base64encoded.length() > 76)
-        {
-            pem.append(base64encoded, 0, 76).append("\n");
-            base64encoded = base64encoded.substring(76);
-        }
-        pem.append(base64encoded).append("\n");
-        pem.append(footer).append("\n");
-        return pem.toString();
-    }
-}

diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/AltNameType.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/AltNameType.java
new file mode 100644
index 0000000..8bdf490
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/AltNameType.java

@@ -0,0 +1,35 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.qpid.test.utils.tls;
+
+public enum AltNameType
+{
+    OTHER_NAME,
+    RFC822_NAME,
+    DNS_NAME,
+    X400_ADDRESS,
+    DIRECTORY_NAME,
+    EDI_PARTY_NAME,
+    UNIFORM_RESOURCE_IDENTIFIER,
+    IP_ADDRESS,
+    REGISTERED_ID
+}

diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/AlternativeName.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/AlternativeName.java
new file mode 100644
index 0000000..c7b9c47
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/AlternativeName.java

@@ -0,0 +1,52 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.test.utils.tls;
+
+public class AlternativeName
+{
+    private final AltNameType _type;
+    private final String _name;
+
+    public AlternativeName(final AltNameType type, final String name)
+    {
+        _type = type;
+        _name = name;
+    }
+
+    public AltNameType getType()
+    {
+        return _type;
+    }
+
+    public String getName()
+    {
+        return _name;
+    }
+
+    @Override
+    public String toString()
+    {
+        return "AlternativeName{" +
+               "_type=" + _type +
+               ", _name='" + _name + '\'' +
+               '}';
+    }
+}

diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/CertificateEntry.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/CertificateEntry.java
new file mode 100644
index 0000000..c5ac4b2
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/CertificateEntry.java

@@ -0,0 +1,54 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.qpid.test.utils.tls;
+
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.cert.Certificate;
+
+public final class CertificateEntry implements KeyStoreEntry
+{
+    private final String _alias;
+    private final Certificate _certificate;
+
+    public CertificateEntry(final String alias, final Certificate certificate)
+    {
+        _alias = alias;
+        _certificate = certificate;
+    }
+
+    String getAlias()
+    {
+        return _alias;
+    }
+
+    @Override
+    public void addEntryToKeyStore(final KeyStore keyStore, final char[] secret) throws KeyStoreException
+    {
+        keyStore.setCertificateEntry(getAlias(), getCertificate());
+    }
+
+    Certificate getCertificate()
+    {
+        return _certificate;
+    }
+}

diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/KeyCertificatePair.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/KeyCertificatePair.java
new file mode 100644
index 0000000..80a847c
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/KeyCertificatePair.java

@@ -0,0 +1,46 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.test.utils.tls;
+
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+public class KeyCertificatePair
+{
+    private final PrivateKey _privateKey;
+    private final X509Certificate _certificate;
+
+    public KeyCertificatePair(final PrivateKey privateKey, final X509Certificate certificate)
+    {
+        _privateKey = privateKey;
+        _certificate = certificate;
+    }
+
+    public PrivateKey getPrivateKey()
+    {
+        return _privateKey;
+    }
+
+    public X509Certificate getCertificate()
+    {
+        return _certificate;
+    }
+}

diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/KeyStoreEntry.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/KeyStoreEntry.java
new file mode 100644
index 0000000..f824429
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/KeyStoreEntry.java

@@ -0,0 +1,30 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.qpid.test.utils.tls;
+
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+
+public interface KeyStoreEntry
+{
+    void addEntryToKeyStore(final KeyStore keyStore, final char[] secret) throws KeyStoreException;
+}

diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/PrivateKeyEntry.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/PrivateKeyEntry.java
new file mode 100644
index 0000000..46dec17
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/PrivateKeyEntry.java

@@ -0,0 +1,66 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.qpid.test.utils.tls;
+
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+
+public final class PrivateKeyEntry implements KeyStoreEntry
+{
+    private final String _alias;
+    private final PrivateKey _privateKey;
+    private final Certificate[] _certificates;
+
+    public PrivateKeyEntry(final String alias, final PrivateKey privateKey, Certificate... certificate)
+    {
+        _alias = alias;
+        _privateKey = privateKey;
+        _certificates = certificate;
+    }
+
+    String getAlias()
+    {
+        return _alias;
+    }
+
+    @Override
+    public void addEntryToKeyStore(final KeyStore keyStore, final char[] secret) throws KeyStoreException
+    {
+        keyStore.setKeyEntry(getAlias(),
+                       getPrivateKey(),
+                             secret,
+                       getCertificates());
+    }
+
+    PrivateKey getPrivateKey()
+    {
+        return _privateKey;
+    }
+
+    Certificate[] getCertificates()
+    {
+        return _certificates;
+    }
+
+}

diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/SecretKeyEntry.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/SecretKeyEntry.java
new file mode 100644
index 0000000..6d72d07
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/SecretKeyEntry.java

@@ -0,0 +1,55 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.test.utils.tls;
+
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+
+import javax.crypto.SecretKey;
+
+public class SecretKeyEntry implements KeyStoreEntry
+{
+    private final String _alias;
+    private final SecretKey _secretKey;
+
+    public SecretKeyEntry(final String alias, final SecretKey secretKey)
+    {
+        _alias = alias;
+        _secretKey = secretKey;
+    }
+
+    @Override
+    public void addEntryToKeyStore(final KeyStore keyStore, char[] secret) throws KeyStoreException
+    {
+        keyStore.setKeyEntry(getAlias(), getSecretKey(), secret, null);
+    }
+
+    public String getAlias()
+    {
+        return _alias;
+    }
+
+    public SecretKey getSecretKey()
+    {
+        return _secretKey;
+    }
+
+}

diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/TlsResource.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/TlsResource.java
new file mode 100644
index 0000000..be8fc1d
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/TlsResource.java

@@ -0,0 +1,284 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.test.utils.tls;
+
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.nio.file.FileSystems;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.cert.CRLException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509CRL;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.util.Comparator;
+
+import org.junit.rules.ExternalResource;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+public class TlsResource extends ExternalResource
+{
+    private static final String PRIVATE_KEY_ALIAS = "private-key-alias";
+    private static final String CERTIFICATE_ALIAS = "certificate-alias";
+    private static final String SECRET = "secret";
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(TlsResource.class);
+
+    private Path _keystoreDirectory;
+
+    private final String _privateKeyAlias;
+    private final String _certificateAlias;
+    private final String _secret;
+    private final String _keyStoreType;
+
+    public TlsResource()
+    {
+        this(PRIVATE_KEY_ALIAS, CERTIFICATE_ALIAS, SECRET, KeyStore.getDefaultType());
+    }
+
+    public TlsResource(final String privateKeyAlias,
+                       final String certificateAlias,
+                       final String secret,
+                       final String defaultType)
+    {
+        _privateKeyAlias = privateKeyAlias;
+        _certificateAlias = certificateAlias;
+        _secret = secret;
+        _keyStoreType = defaultType;
+    }
+
+    @Override
+    public void before() throws Exception
+    {
+        final Path targetDir = FileSystems.getDefault().getPath("target");
+        _keystoreDirectory = Files.createTempDirectory(targetDir, "test-tls-resources-");
+        LOGGER.debug("Test keystore directory is created : '{}'", _keystoreDirectory);
+    }
+
+    @Override
+    public void after()
+    {
+        try
+        {
+            Files.walk(_keystoreDirectory).sorted(Comparator.reverseOrder())
+                 .map(Path::toFile)
+                 .forEach(f -> {
+                     if (!f.delete())
+                     {
+                         LOGGER.warn("Could not delete file at {}", f.getAbsolutePath());
+                     }
+                 });
+        }
+        catch (Exception e)
+        {
+            LOGGER.warn("Failure to clean up test resources", e);
+        }
+    }
+
+    public String getSecret()
+    {
+        return _secret;
+    }
+
+    public char[] getSecretAsCharacters()
+    {
+        return _secret == null ? new char[]{} : _secret.toCharArray();
+    }
+
+    public String getPrivateKeyAlias()
+    {
+        return _privateKeyAlias;
+    }
+
+    public String getCertificateAlias()
+    {
+        return _certificateAlias;
+    }
+
+
+    public String getKeyStoreType()
+    {
+        return _keyStoreType;
+    }
+
+
+    public Path createKeyStore(KeyStoreEntry... entries) throws Exception
+    {
+        return createKeyStore(getKeyStoreType(), entries);
+    }
+
+    public Path createKeyStore(final String keyStoreType, final KeyStoreEntry... entries)
+            throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException
+    {
+        final KeyStore ks = TlsResourceHelper.createKeyStore(keyStoreType, getSecretAsCharacters(), entries);
+        return saveKeyStore(keyStoreType, ks);
+    }
+
+    public String createKeyStoreAsDataUrl(KeyStoreEntry... entries) throws Exception
+    {
+        return TlsResourceHelper.createKeyStoreAsDataUrl(getKeyStoreType(), getSecretAsCharacters(), entries);
+    }
+
+    public Path createSelfSignedKeyStore(String dn) throws Exception
+    {
+        final KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(dn);
+        return createKeyStore(new PrivateKeyEntry(_privateKeyAlias,
+                                                  keyCertPair.getPrivateKey(),
+                                                  keyCertPair.getCertificate()));
+    }
+
+    public String createSelfSignedKeyStoreAsDataUrl(String dn) throws Exception
+    {
+        final KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(dn);
+        return createKeyStoreAsDataUrl(new PrivateKeyEntry(_privateKeyAlias,
+                                                           keyCertPair.getPrivateKey(),
+                                                           keyCertPair.getCertificate()));
+    }
+
+    public Path createSelfSignedTrustStore(final String dn) throws Exception
+    {
+        final KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(dn);
+        return createKeyStore(new CertificateEntry(_certificateAlias, keyCertPair.getCertificate()));
+    }
+
+    public Path createSelfSignedTrustStore(final String dn, Instant from, Instant to) throws Exception
+    {
+        final KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(dn, from, to);
+        return createKeyStore(new CertificateEntry(_certificateAlias, keyCertPair.getCertificate()));
+    }
+
+    public String createSelfSignedTrustStoreAsDataUrl(String dn) throws Exception
+    {
+        final KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(dn);
+        return createKeyStoreAsDataUrl(new CertificateEntry(_certificateAlias, keyCertPair.getCertificate()));
+    }
+
+    public Path createTrustStore(final String dn, KeyCertificatePair ca) throws Exception
+    {
+        final KeyCertificatePair keyCertPair = TlsResourceBuilder.createKeyPairAndCertificate(dn, ca);
+        final String keyStoreType = getKeyStoreType();
+        return createKeyStore(keyStoreType, new CertificateEntry(_certificateAlias, keyCertPair.getCertificate()));
+    }
+
+    public Path createSelfSignedKeyStoreWithCertificate(final String dn) throws Exception
+    {
+        final KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(dn);
+        return createKeyStore(new PrivateKeyEntry(_privateKeyAlias,
+                                                  keyCertPair.getPrivateKey(),
+                                                  keyCertPair.getCertificate()),
+                              new CertificateEntry(_certificateAlias, keyCertPair.getCertificate()));
+    }
+
+    public Path createCrl(final KeyCertificatePair caPair, final X509Certificate... certificate) throws CRLException
+    {
+        final X509CRL crl = TlsResourceBuilder.createCertificateRevocationList(caPair, certificate);
+
+        try
+        {
+            final Path pkFile = createFile(".crl");
+            try (FileOutputStream out = new FileOutputStream(pkFile.toFile()))
+            {
+                TlsResourceHelper.saveCrlAsPem(out, crl);
+            }
+            return pkFile;
+        }
+        catch (IOException e)
+        {
+            throw new CRLException(e);
+        }
+    }
+
+    public Path createCrlAsDer(final KeyCertificatePair caPair, final X509Certificate... certificate)
+            throws CRLException, IOException
+    {
+        final X509CRL crl = TlsResourceBuilder.createCertificateRevocationList(caPair, certificate);
+        return saveBytes(crl.getEncoded(), ".crl");
+    }
+
+    public String createCrlAsDataUrl(final KeyCertificatePair caPair, final X509Certificate... certificate)
+            throws CRLException
+    {
+        final X509CRL crl = TlsResourceBuilder.createCertificateRevocationList(caPair, certificate);
+        return TlsResourceHelper.getDataUrlForBytes(crl.getEncoded());
+    }
+
+    public Path savePrivateKeyAsPem(final PrivateKey privateKey) throws IOException
+    {
+        final Path pkFile = createFile(".pk.pem");
+        try (FileOutputStream out = new FileOutputStream(pkFile.toFile()))
+        {
+            TlsResourceHelper.savePrivateKeyAsPem(out, privateKey);
+        }
+        return pkFile;
+    }
+
+    public Path saveCertificateAsPem(final X509Certificate... certificate)
+            throws IOException, CertificateEncodingException
+    {
+        final Path certificateFile = createFile(".cer.pem");
+        try (FileOutputStream out = new FileOutputStream(certificateFile.toFile()))
+        {
+            TlsResourceHelper.saveCertificateAsPem(out, certificate);
+        }
+        return certificateFile;
+    }
+
+    public Path savePrivateKeyAsDer(final PrivateKey privateKey) throws IOException
+    {
+        return saveBytes(privateKey.getEncoded(), ".pk.der");
+    }
+
+    public Path saveCertificateAsDer(final X509Certificate certificate) throws CertificateEncodingException, IOException
+    {
+        return saveBytes(certificate.getEncoded(), ".cer.der");
+    }
+
+    public Path createFile(String suffix) throws IOException
+    {
+        return Files.createTempFile(_keystoreDirectory, "tls", suffix);
+    }
+
+    private Path saveBytes(final byte[] bytes, final String extension) throws IOException
+    {
+        final Path pkFile = createFile(extension);
+        try (FileOutputStream out = new FileOutputStream(pkFile.toFile()))
+        {
+            out.write(bytes);
+        }
+        return pkFile;
+    }
+
+    private Path saveKeyStore(final String keyStoreType, final KeyStore ks)
+            throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException
+    {
+        final Path storeFile = createFile("." + keyStoreType);
+        TlsResourceHelper.saveKeyStoreIntoFile(ks, getSecretAsCharacters(), storeFile.toFile());
+        return storeFile;
+    }
+}

diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/TlsResourceBuilder.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/TlsResourceBuilder.java
new file mode 100644
index 0000000..1d2fff4
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/TlsResourceBuilder.java

@@ -0,0 +1,533 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.test.utils.tls;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.SecureRandom;
+import java.security.Security;
+import java.security.cert.CRLException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509CRL;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Arrays;
+import java.util.Date;
+
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x500.style.RFC4519Style;
+import org.bouncycastle.asn1.x509.BasicConstraints;
+import org.bouncycastle.asn1.x509.CRLDistPoint;
+import org.bouncycastle.asn1.x509.CRLNumber;
+import org.bouncycastle.asn1.x509.DistributionPoint;
+import org.bouncycastle.asn1.x509.DistributionPointName;
+import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.KeyPurposeId;
+import org.bouncycastle.asn1.x509.KeyUsage;
+import org.bouncycastle.cert.X509CRLHolder;
+import org.bouncycastle.cert.X509v2CRLBuilder;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
+import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.OperatorException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+
+public class TlsResourceBuilder
+{
+    private static final int RSA_KEY_SIZE = 2048;
+    private static final int VALIDITY_DURATION = 365;
+    private static final String SIGNATURE_ALGORITHM_SHA_512_WITH_RSA = "SHA512WithRSA";
+
+    static
+    {
+        Security.addProvider(new BouncyCastleProvider());
+    }
+
+    private TlsResourceBuilder()
+    {
+        super();
+    }
+
+    public static KeyPair createRSAKeyPair()
+    {
+        KeyPairGenerator keyPairGenerator;
+        try
+        {
+            keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+        }
+        catch (NoSuchAlgorithmException e)
+        {
+            throw new IllegalStateException("RSA generator is not found");
+        }
+
+        keyPairGenerator.initialize(RSA_KEY_SIZE);
+        return keyPairGenerator.genKeyPair();
+    }
+
+    public static KeyCertificatePair createKeyPairAndRootCA(final String dn) throws CertificateException
+    {
+        return createKeyPairAndRootCA(dn, createValidityPeriod());
+    }
+
+    public static KeyCertificatePair createKeyPairAndIntermediateCA(final String dn,
+                                                                    final KeyCertificatePair rootCA,
+                                                                    final String crlUri)
+            throws CertificateException
+    {
+        return createKeyPairAndIntermediateCA(dn, createValidityPeriod(), rootCA, crlUri);
+    }
+
+    public static KeyCertificatePair createSelfSigned(final String dn,
+                                                      final Instant validFrom,
+                                                      final Instant validTo,
+                                                      final AlternativeName... alternativeName)
+            throws CertificateException
+    {
+        return createSelfSigned(dn, new ValidityPeriod(validFrom, validTo), alternativeName);
+    }
+
+    public static KeyCertificatePair createSelfSigned(final String dn, final AlternativeName... alternativeName)
+            throws CertificateException
+    {
+        return createSelfSigned(dn, createValidityPeriod(), alternativeName);
+    }
+
+    public static KeyCertificatePair createKeyPairAndCertificate(final String dn,
+                                                                 final KeyCertificatePair ca,
+                                                                 final AlternativeName... alternativeName)
+            throws CertificateException
+    {
+        return createKeyPairAndCertificate(dn, createValidityPeriod(), ca, alternativeName);
+    }
+
+    public static X509Certificate createCertificate(final KeyPair keyPair,
+                                                    final KeyCertificatePair ca,
+                                                    final String dn,
+                                                    final Instant from,
+                                                    final Instant to,
+                                                    final AlternativeName... alternativeName)
+            throws CertificateException
+    {
+        return createCertificate(keyPair,
+                                 ca,
+                                 dn,
+                                 new ValidityPeriod(from, to),
+                                 createKeyUsageExtension(),
+                                 createAlternateNamesExtension(alternativeName));
+    }
+
+
+    public static X509Certificate createCertificateForClientAuthorization(final KeyPair keyPair,
+                                                                          final KeyCertificatePair ca,
+                                                                          final String dn,
+                                                                          final AlternativeName... alternativeName)
+            throws CertificateException
+    {
+        return createCertificate(keyPair,
+                                 ca,
+                                 dn,
+                                 createValidityPeriod(),
+                                 createExtendedUsageExtension(new ExtendedKeyUsage(new KeyPurposeId[]{KeyPurposeId.id_kp_clientAuth})),
+                                 createAuthorityKeyExtension(ca.getCertificate().getPublicKey()),
+                                 createSubjectKeyExtension(keyPair.getPublic()),
+                                 createAlternateNamesExtension(alternativeName));
+    }
+
+    public static X509Certificate createCertificateForServerAuthorization(final KeyPair keyPair,
+                                                                          final KeyCertificatePair ca,
+                                                                          final String dn,
+                                                                          final AlternativeName... alternativeName)
+            throws CertificateException
+    {
+        return createCertificate(keyPair,
+                                 ca,
+                                 dn,
+                                 createValidityPeriod(),
+                                 createExtendedUsageExtension(new ExtendedKeyUsage(new KeyPurposeId[]{KeyPurposeId.id_kp_serverAuth})),
+                                 createAuthorityKeyExtension(ca.getCertificate().getPublicKey()),
+                                 createSubjectKeyExtension(keyPair.getPublic()),
+                                 createAlternateNamesExtension(alternativeName));
+    }
+
+    public static X509Certificate createCertificateWithCrlDistributionPoint(final KeyPair keyPair,
+                                                                            final KeyCertificatePair caPair,
+                                                                            final String dn,
+                                                                            final String crlUri)
+            throws CertificateException
+    {
+        return createCertificate(keyPair,
+                                 caPair,
+                                 dn,
+                                 createValidityPeriod(),
+                                 createKeyUsageExtension(),
+                                 createDistributionPointExtension(crlUri));
+    }
+
+    private static X509Certificate createCertificate(final KeyPair keyPair,
+                                                     final KeyCertificatePair ca,
+                                                     final String dn,
+                                                     final ValidityPeriod validityPeriod,
+                                                     final Extension... extensions)
+            throws CertificateException
+    {
+        try
+        {
+            final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
+                    ca.getCertificate(),
+                    generateSerialNumber(),
+                    new Date(validityPeriod.getFrom().toEpochMilli()),
+                    new Date(validityPeriod.getTo().toEpochMilli()),
+                    new X500Name(RFC4519Style.INSTANCE, dn),
+                    keyPair.getPublic());
+
+            builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
+            for (Extension e : extensions)
+            {
+                builder.addExtension(e);
+            }
+            return buildX509Certificate(builder, ca.getPrivateKey());
+        }
+        catch (OperatorException | IOException e)
+        {
+            throw new CertificateException(e);
+        }
+    }
+
+    private static X509Certificate createSelfSignedCertificate(final KeyPair keyPair,
+                                                               final String dn,
+                                                               final ValidityPeriod period,
+                                                               final AlternativeName... alternativeName)
+            throws CertificateException
+    {
+        try
+        {
+            final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
+                    new X500Name(RFC4519Style.INSTANCE, dn),
+                    generateSerialNumber(),
+                    new Date(period.getFrom().toEpochMilli()),
+                    new Date(period.getTo().toEpochMilli()),
+                    new X500Name(RFC4519Style.INSTANCE, dn),
+                    keyPair.getPublic());
+            builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
+            builder.addExtension(createKeyUsageExtension());
+            builder.addExtension(createSubjectKeyExtension(keyPair.getPublic()));
+            builder.addExtension(createAlternateNamesExtension(alternativeName));
+            return buildX509Certificate(builder, keyPair.getPrivate());
+        }
+        catch (OperatorException | IOException e)
+        {
+            throw new CertificateException(e);
+        }
+    }
+
+    static X509CRL createCertificateRevocationList(final KeyCertificatePair ca, X509Certificate... certificate)
+            throws CRLException
+    {
+        try
+        {
+            final X500Name issuerName = X500Name.getInstance(RFC4519Style.INSTANCE,
+                                                             ca.getCertificate()
+                                                               .getSubjectX500Principal()
+                                                               .getEncoded());
+
+            final Instant nextUpdate = Instant.now().plus(10, ChronoUnit.DAYS);
+
+            final Date now = new Date();
+            final X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerName, now);
+            crlBuilder.setNextUpdate(new Date(nextUpdate.toEpochMilli()));
+
+            for (X509Certificate c : certificate)
+            {
+                // crlBuilder.addCRLEntry(c.getSerialNumber(), now, CRLReason.privilegeWithdrawn);
+                crlBuilder.addCRLEntry(c.getSerialNumber(), now, 0);
+            }
+
+            crlBuilder.addExtension(createAuthorityKeyExtension(ca.getCertificate().getPublicKey()));
+            crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(generateSerialNumber()));
+
+            final ContentSigner contentSigner = createContentSigner(ca.getPrivateKey());
+            final X509CRLHolder crl = crlBuilder.build(contentSigner);
+
+            return new JcaX509CRLConverter().getCRL(crl);
+
+
+            /*
+
+            JcaContentSignerBuilder contentSignerBuilder =
+                    new JcaContentSignerBuilder(SIGNATURE_ALGORITHM_SHA_512_WITH_RSA); //"SHA256WithRSAEncryption"
+
+            contentSignerBuilder.setProvider("BC");
+
+            X509CRLHolder crlHolder = crlBuilder.build(contentSignerBuilder.build(ca.getPrivateKey()));
+
+            JcaX509CRLConverter converter = new JcaX509CRLConverter();
+
+            converter.setProvider("BC");
+
+            return converter.getCRL(crlHolder);
+            */
+        }
+        catch (OperatorException | IOException | CertificateException e)
+        {
+            throw new CRLException(e);
+        }
+    }
+
+    private static X509Certificate createRootCACertificate(final KeyPair keyPair,
+                                                           final String dn,
+                                                           final ValidityPeriod validityPeriod)
+            throws CertificateException
+    {
+        try
+        {
+            final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
+                    new X500Name(RFC4519Style.INSTANCE, dn),
+                    generateSerialNumber(),
+                    new Date(validityPeriod.getFrom().toEpochMilli()),
+                    new Date(validityPeriod.getTo().toEpochMilli()),
+                    new X500Name(RFC4519Style.INSTANCE, dn),
+                    keyPair.getPublic());
+
+            builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true));
+            builder.addExtension(createSubjectKeyExtension(keyPair.getPublic()));
+            builder.addExtension(createAuthorityKeyExtension(keyPair.getPublic()));
+            return buildX509Certificate(builder, keyPair.getPrivate());
+        }
+        catch (OperatorException | IOException e)
+        {
+            throw new CertificateException(e);
+        }
+    }
+
+    private static X509Certificate generateIntermediateCertificate(final KeyPair keyPair,
+                                                                   final KeyCertificatePair rootCA,
+                                                                   final String dn,
+                                                                   final ValidityPeriod validityPeriod,
+                                                                   final String crlUri)
+            throws CertificateException
+    {
+        try
+        {
+            final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
+                    rootCA.getCertificate(),
+                    generateSerialNumber(),
+                    new Date(validityPeriod.getFrom().toEpochMilli()),
+                    new Date(validityPeriod.getTo().toEpochMilli()),
+                    new X500Name(RFC4519Style.INSTANCE, dn),
+                    keyPair.getPublic());
+            //builder.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.keyCertSign));
+            builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true));
+            builder.addExtension(createSubjectKeyExtension(keyPair.getPublic()));
+            builder.addExtension(createAuthorityKeyExtension(rootCA.getCertificate().getPublicKey()));
+            if (crlUri != null)
+            {
+                builder.addExtension(createDistributionPointExtension(crlUri));
+            }
+
+            return buildX509Certificate(builder, rootCA.getPrivateKey());
+        }
+        catch (OperatorException | IOException e)
+        {
+            throw new CertificateException(e);
+        }
+    }
+
+    private static KeyCertificatePair createKeyPairAndRootCA(final String dn,
+                                                             final ValidityPeriod validityPeriod)
+            throws CertificateException
+    {
+        final KeyPair keyPair = createRSAKeyPair();
+        final X509Certificate rootCA = createRootCACertificate(keyPair, dn, validityPeriod);
+        return new KeyCertificatePair(keyPair.getPrivate(), rootCA);
+    }
+
+    private static KeyCertificatePair createKeyPairAndIntermediateCA(final String dn,
+                                                                     final ValidityPeriod validityPeriod,
+                                                                     final KeyCertificatePair rootCA,
+                                                                     final String crlUri)
+            throws CertificateException
+    {
+        final KeyPair keyPair = createRSAKeyPair();
+        final X509Certificate intermediateCA = generateIntermediateCertificate(keyPair, rootCA, dn, validityPeriod, crlUri);
+        return new KeyCertificatePair(keyPair.getPrivate(), intermediateCA);
+    }
+
+    private static KeyCertificatePair createKeyPairAndCertificate(final String dn,
+                                                                  final ValidityPeriod validityPeriod,
+                                                                  final KeyCertificatePair ca,
+                                                                  final AlternativeName... alternativeName)
+            throws CertificateException
+    {
+        final KeyPair keyPair = createRSAKeyPair();
+        final X509Certificate certificate = createCertificate(keyPair, ca, dn, validityPeriod, alternativeName);
+        return new KeyCertificatePair(keyPair.getPrivate(), certificate);
+    }
+
+    private static X509Certificate createCertificate(final KeyPair keyPair,
+                                                     final KeyCertificatePair ca,
+                                                     final String dn,
+                                                     final ValidityPeriod validityPeriod,
+                                                     final AlternativeName... alternativeName)
+            throws CertificateException
+    {
+        return createCertificate(keyPair,
+                                 ca,
+                                 dn,
+                                 validityPeriod,
+                                 createKeyUsageExtension(),
+                                 createAlternateNamesExtension(alternativeName));
+    }
+
+    private static KeyCertificatePair createSelfSigned(final String dn,
+                                                       final ValidityPeriod validityPeriod,
+                                                       final AlternativeName... alternativeName)
+            throws CertificateException
+    {
+        final KeyPair keyPair = createRSAKeyPair();
+        final X509Certificate certificate = createSelfSignedCertificate(keyPair, dn, validityPeriod, alternativeName);
+        return new KeyCertificatePair(keyPair.getPrivate(), certificate);
+    }
+
+    private static ValidityPeriod createValidityPeriod()
+    {
+        final Instant from = Instant.now().minus(1, ChronoUnit.DAYS);
+        final Instant to = from.plus(VALIDITY_DURATION, ChronoUnit.DAYS);
+        return new ValidityPeriod(from, to);
+    }
+
+    private static Extension createAuthorityKeyExtension(final PublicKey publicKey)
+            throws CertificateException
+    {
+        try
+        {
+            return new Extension(Extension.authorityKeyIdentifier,
+                                 false,
+                                 new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(publicKey).getEncoded());
+        }
+        catch (IOException | NoSuchAlgorithmException e)
+        {
+            throw new CertificateException(e);
+        }
+    }
+
+    private static Extension createSubjectKeyExtension(final PublicKey publicKey)
+            throws CertificateException
+    {
+        try
+        {
+            return new Extension(Extension.subjectKeyIdentifier,
+                                 false,
+                                 new JcaX509ExtensionUtils().createSubjectKeyIdentifier(publicKey).getEncoded());
+        }
+        catch (IOException | NoSuchAlgorithmException e)
+        {
+            throw new CertificateException(e);
+        }
+    }
+
+    private static Extension createExtendedUsageExtension(final ExtendedKeyUsage extendedKeyUsage)
+            throws CertificateException
+    {
+        try
+        {
+            return new Extension(Extension.extendedKeyUsage, false, extendedKeyUsage.getEncoded());
+        }
+        catch (IOException e)
+        {
+            throw new CertificateException(e);
+        }
+    }
+
+    private static Extension createKeyUsageExtension()
+    {
+        return new Extension(Extension.keyUsage,
+                             false,
+                             new KeyUsage(KeyUsage.digitalSignature
+                                          | KeyUsage.nonRepudiation
+                                          | KeyUsage.keyEncipherment).getBytes());
+    }
+
+    private static Extension createDistributionPointExtension(final String crlUri) throws CertificateException
+    {
+        try
+        {
+            final GeneralName generalName = new GeneralName(GeneralName.uniformResourceIdentifier, crlUri);
+            final DistributionPointName pointName = new DistributionPointName(new GeneralNames(generalName));
+            final DistributionPoint[] points = new DistributionPoint[]{new DistributionPoint(pointName, null, null)};
+            return new Extension(Extension.cRLDistributionPoints, false, new CRLDistPoint(points).getEncoded());
+        }
+        catch (IOException e)
+        {
+            throw new CertificateException(e);
+        }
+    }
+
+    private static Extension createAlternateNamesExtension(final AlternativeName[] alternativeName)
+            throws CertificateException
+    {
+        try
+        {
+            final GeneralName[] generalNames = Arrays.stream(alternativeName)
+                                                     .map(an -> new GeneralName(an.getType().ordinal(),
+                                                                                an.getName()))
+                                                     .toArray(GeneralName[]::new);
+            return new Extension(Extension.subjectAlternativeName,
+                                 false,
+                                 new GeneralNames(generalNames).getEncoded());
+        }
+        catch (IOException e)
+        {
+            throw new CertificateException(e);
+        }
+    }
+
+    private static BigInteger generateSerialNumber()
+    {
+        return new BigInteger(64, new SecureRandom());
+    }
+
+    private static X509Certificate buildX509Certificate(final X509v3CertificateBuilder builder, final PrivateKey pk)
+            throws OperatorCreationException, CertificateException
+    {
+        ContentSigner contentSigner = createContentSigner(pk);
+        return new JcaX509CertificateConverter().getCertificate(builder.build(contentSigner));
+    }
+
+    private static ContentSigner createContentSigner(final PrivateKey privateKey)
+            throws OperatorCreationException
+    {
+        return new JcaContentSignerBuilder(SIGNATURE_ALGORITHM_SHA_512_WITH_RSA).setProvider("BC").build(privateKey);
+    }
+}

diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/TlsResourceHelper.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/TlsResourceHelper.java
new file mode 100644
index 0000000..559e102
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/TlsResourceHelper.java

@@ -0,0 +1,163 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.test.utils.tls;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.cert.CRLException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509CRL;
+import java.security.cert.X509Certificate;
+import java.util.Base64;
+
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+
+public class TlsResourceHelper
+{
+    private static final byte[] LINE_SEPARATOR = new byte[]{'\r', '\n'};
+    private static final String BEGIN_X_509_CRL = "-----BEGIN X509 CRL-----";
+    private static final String END_X_509_CRL = "-----END X509 CRL-----";
+    private static final String BEGIN_PRIVATE_KEY = "-----BEGIN PRIVATE KEY-----";
+    private static final String END_PRIVATE_KEY = "-----END PRIVATE KEY-----";
+    private static final String BEGIN_CERTIFICATE = "-----BEGIN CERTIFICATE-----";
+    private static final String END_CERTIFICATE = "-----END CERTIFICATE-----";
+    private static final int PEM_LINE_LENGTH = 76;
+
+    public static KeyStore createKeyStore(final String keyStoreType, char[] secret, final KeyStoreEntry... entries)
+            throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException
+    {
+        final KeyStore ks = createKeyStoreOfType(keyStoreType);
+        for (KeyStoreEntry e : entries)
+        {
+            e.addEntryToKeyStore(ks, secret);
+        }
+        return ks;
+    }
+
+    public static String createKeyStoreAsDataUrl(final String keyStoreType,  char[] secret, KeyStoreEntry... entries) throws Exception
+    {
+        final KeyStore ks = createKeyStore(keyStoreType, secret, entries);
+        return toDataUrl(ks, secret);
+    }
+
+    public static KeyStore createKeyStoreOfType(final String keyStoreType)
+            throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException
+    {
+        final KeyStore ks = KeyStore.getInstance(keyStoreType);
+        ks.load(null, null);
+        return ks;
+    }
+
+    public static void saveKeyStoreIntoFile(final KeyStore ks, final char[] secret, final File storeFile)
+            throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException
+    {
+        try (FileOutputStream fos = new FileOutputStream(storeFile))
+        {
+            ks.store(fos, secret);
+        }
+    }
+
+    public static String toDataUrl(final KeyStore ks, char[] secret)
+            throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException
+    {
+        final String result;
+        try (ByteArrayOutputStream os = new ByteArrayOutputStream())
+        {
+            ks.store(os, secret);
+            result = getDataUrlForBytes(os.toByteArray());
+        }
+        return result;
+    }
+
+    public static String getDataUrlForBytes(final byte[] bytes)
+    {
+        return new StringBuilder("data:;base64,").append(Base64.getEncoder().encodeToString(bytes)).toString();
+    }
+
+    public static SecretKey createAESSecretKey() throws NoSuchAlgorithmException
+    {
+        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
+        keyGen.init(256);
+        return keyGen.generateKey();
+    }
+
+    public static void saveBytesAsPem(final byte[] bytes, final String header, final String footer, final OutputStream out)
+            throws IOException
+    {
+        out.write(header.getBytes(UTF_8));
+        out.write(LINE_SEPARATOR);
+        out.write(Base64.getMimeEncoder(PEM_LINE_LENGTH, LINE_SEPARATOR).encode(bytes));
+        out.write(LINE_SEPARATOR);
+        out.write(footer.getBytes(UTF_8));
+        out.write(LINE_SEPARATOR);
+    }
+
+    public static void saveCertificateAsPem(final OutputStream os, final X509Certificate... certificate) throws IOException,
+                                                                                                         CertificateEncodingException
+    {
+        for (X509Certificate b : certificate)
+        {
+            saveBytesAsPem(b.getEncoded(), BEGIN_CERTIFICATE, END_CERTIFICATE, os);
+        }
+    }
+
+    public static void savePrivateKeyAsPem(final OutputStream os, final PrivateKey key) throws IOException
+    {
+        saveBytesAsPem(key.getEncoded(), BEGIN_PRIVATE_KEY, END_PRIVATE_KEY, os);
+    }
+
+    public static void saveCrlAsPem(final OutputStream os, final X509CRL crl) throws CRLException, IOException
+    {
+        saveBytesAsPem(crl.getEncoded(), BEGIN_X_509_CRL, END_X_509_CRL, os);
+    }
+
+
+    public static String toPEM(final Certificate pub) throws CertificateEncodingException
+    {
+        return toPEM(pub.getEncoded(), BEGIN_CERTIFICATE, END_CERTIFICATE);
+    }
+
+    public static String toPEM(final PrivateKey key)
+    {
+        return toPEM(key.getEncoded(), BEGIN_PRIVATE_KEY, END_PRIVATE_KEY);
+    }
+
+    private static String toPEM(final byte[] bytes, final String header, final String footer)
+    {
+        final StringBuilder pem = new StringBuilder();
+        pem.append(header).append(new String(LINE_SEPARATOR, UTF_8));
+        pem.append(Base64.getMimeEncoder(PEM_LINE_LENGTH, LINE_SEPARATOR).encodeToString(bytes));
+        pem.append(new String(LINE_SEPARATOR, UTF_8)).append(footer).append(new String(LINE_SEPARATOR, UTF_8));
+        return pem.toString();
+    }
+}

diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/ValidityPeriod.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/ValidityPeriod.java
new file mode 100644
index 0000000..c661b84
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/ValidityPeriod.java

@@ -0,0 +1,92 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.qpid.test.utils.tls;
+
+import java.time.Instant;
+
+class ValidityPeriod
+{
+    private final Instant _from;
+    private final Instant _to;
+
+    ValidityPeriod(final Instant from, final Instant to)
+    {
+        if (from == null || to == null)
+        {
+            throw new IllegalArgumentException("Both 'to' and 'from' parameters cannot be null");
+        }
+        if (to.compareTo(from) < 0)
+        {
+            throw new IllegalArgumentException("Parameter 'to' cannot be less than 'from' value");
+        }
+        _from = from;
+        _to = to;
+    }
+
+    public Instant getFrom()
+    {
+        return _from;
+    }
+
+    public Instant getTo()
+    {
+        return _to;
+    }
+
+    @Override
+    public boolean equals(final Object o)
+    {
+        if (this == o)
+        {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass())
+        {
+            return false;
+        }
+
+        final ValidityPeriod that = (ValidityPeriod) o;
+
+        if (!_from.equals(that._from))
+        {
+            return false;
+        }
+        return _to.equals(that._to);
+    }
+
+    @Override
+    public int hashCode()
+    {
+        int result = _from.hashCode();
+        result = 31 * result + _to.hashCode();
+        return result;
+    }
+
+    @Override
+    public String toString()
+    {
+        return "ValidityPeriod{" +
+               "_from=" + _from +
+               ", _to=" + _to +
+               '}';
+    }
+}

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl
deleted file mode 100644
index 2d7b8d9..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl.pem b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl.pem
deleted file mode 100644
index 0430e10..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl.pem
+++ /dev/null

@@ -1,13 +0,0 @@
------BEGIN X509 CRL-----
-MIIB8TCB2gIBATANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJDQTEQMA4GA1UE
-CAwHT250YXJpbzENMAsGA1UECgwEQUNNRTERMA8GA1UEAwwITXlSb290Q0EXDTIw
-MDExNzEyMTQwM1oXDTIwMDIxNjEyMTQwM1owVDATAgISOBcNMjAwMTE3MTIxNDAz
-WjATAgISORcNMjAwMTE3MTIxNDAzWjATAgISOxcNMjAwMTE3MTIxNDAzWjATAgIS
-PBcNMjAwMTE3MTIxNDAzWqAPMA0wCwYDVR0UBAQCAhI2MA0GCSqGSIb3DQEBCwUA
-A4IBAQCP9fF88j+7OLHZqq6kkxB8IZSN0lCRXXk590V3rx/NWJYmhGjlOjvEe+dG
-fiTFYUxtYuGU/rsYOezMg2/uO9l+PdPq2blWcYKvDvBK89oHaFnX0U1vCiOLD/H0
-09a70Lo3p7tHRBiPcaximmq3DA2dZRSRlo3oRoHAQ1tdMbbAm+D+N6uEu6xARycH
-OmAkx1ofx1SW+Up02R/56QINfYKG+Teqk+g/2uj+fbCx7Hdt+ocoPH8D3FrPv/QQ
-wmDlvPktb552EyOAHuhv/VSYhBB9yLKeqxb4/K7+lSCibM7gO0aPpzr33eykftbR
-aMRSNPr1t5tw2psBHoQ63U920dXu
------END X509 CRL-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crt b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crt
deleted file mode 100644
index 0614c37..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crt
+++ /dev/null

@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDYzCCAkugAwIBAgIUAzgWkwkl4wOLx+GiJZVnG3I2cNEwDQYJKoZIhvcNAQEN
-BQAwQTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFD
-TUUxETAPBgNVBAMMCE15Um9vdENBMB4XDTIwMDExNzEyMTM0OVoXDTI0MDExNzEy
-MTM0OVowQTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoM
-BEFDTUUxETAPBgNVBAMMCE15Um9vdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEA+CXc5ld4yp+N6ns0HA8aPI2AUDPcbhs558F713/amq6KzueuVBJ4
-UBMdFqGI2Ul2RbEJuy/qxYqTDqtPNMorzLgK47NrDnZ0cdE/DlavSyCQmNoE0Ksr
-XBTbIk0uEKKObJSYiW+8ise6cc+5Q83woG5OzUj6E/uX/TFYsSbsaLaG74HY8ajI
-bHDEPOnRlqWV/Z8ADvjpplxXuAXyhA7YYMA/WlXAp3knLFEZTJduVeH+U9gn3lif
-9zjUxuaNBioTJcnHnbanc3z2q5CvTbzhlUjOuWJ28dJ+QHr60bw4EEwM+akavU+O
-9GK2Dh2oqLAOJ/z11I5F6LX7NEOprpt0owIDAQABo1MwUTAdBgNVHQ4EFgQU2DTy
-TKWsAaQ7VGaq99vDwfK/5swwHwYDVR0jBBgwFoAU2DTyTKWsAaQ7VGaq99vDwfK/
-5swwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAQEA8p51vGg8YT6y
-Aiyeps/ggms5/vkuH3AdI2OqC1RbIIx2Duia1EiH+Vxw0I1B7jJ9tZOsZfJVLmcr
-qlToReTTceGSRt22JvV7vpB/mn7y1z5Pz9Inw/eWTC32frzzLdayGv3/EhArsu+B
-eW6EemnXN4UxRc4rkCcYqz3WJJ/NollBwzqhpmFqo0sArZ7CSkz9+2U6sayZsxA3
-zT+4aj6vIp6Yv/USgX86VrdO1sBhJKlosEOlJqyorpjutv4fl4hR04/yU+Kw/sdG
-9ZA5Q9zrV0ooZ+635K1Z4Xr2rCH/38ltUZnFWD7D0w/z+QhonxXdnwbudtedSybo
-VPvWVRUaVA==
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl
deleted file mode 100644
index 7c4a5df..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl.pem b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl.pem
deleted file mode 100644
index 88a02d0..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl.pem
+++ /dev/null

@@ -1,11 +0,0 @@
------BEGIN X509 CRL-----
-MIIBmzCBhAIBATANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJDQTEQMA4GA1UE
-CAwHT250YXJpbzENMAsGA1UECgwEQUNNRTERMA8GA1UEAwwITXlSb290Q0EXDTIw
-MDExNzEyMTQwM1oXDTIwMDIxNjEyMTQwM1qgDzANMAsGA1UdFAQEAgISNTANBgkq
-hkiG9w0BAQsFAAOCAQEAvXMYfesUZM9b/MRG36pyFXdW6Ntn7KcldzYphHMeUiw9
-L+SI2kSzQrfvMFC5URAMpchnKZWzNcjoERpaFmt/io9W+GxFfrfUDPgu14p3n1b9
-Z4xQx/f+ZbEuw4Xuv5TPdGYzkxtaMCabHrcZbJvYcT+6ogshsxIqduiqx9EEnyYY
-WhrsOyAhjhEAeU+CaNjL0xo+71xpzyRbV2BRxwyNNJEVTc9SGUtwro2jdCSB72KM
-S85RSUshg5aWEXz99jV41w1Zx1UWfwAN9K5aJxwNp3x06C/SxHc2yMfN9h3BIr/f
-kdBgB/Larrwq+luogS4e9JA522/V3yYeYajuxH7JEQ==
------END X509 CRL-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.key b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.key
deleted file mode 100644
index 742071d..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.key
+++ /dev/null

@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIoKxdp44hlPICAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECIjUETc4sXyDBIIEyMQ/YTalgLpr
-OcHUsyfkMGThRYoMvDC1TT8SYR5iqm0ARFxIh6tnU1Y0JvWMdzQgR4qzZXbyZLwm
-L/0xeL4ErEkhgfc6UUv7ldv5uja3dKUbTZaxD/Pl/w7ZboVWj62RfiSMmoNmvMaw
-0c7BIFxXACdrVSjBN11cJOYI9nKwqge5WWEgTVYSyKGC0zf6BdSSRmaFX5mQ7E0D
-9tuegWmes57TEZXh9ObzsrKegFC6FJ26DUXZ7h7lAOkHrjRm+5pvY+YOHtGgBLCz
-h1DkssCQ9uyE+39REcdX4cEkY2L4kqirJ69v6YdT6u7NwF2eGCJwANDCI5+1WFO2
-Prc2SNAgA4TtASnwi6vE7z/Vg2Ah+WUx41m4kp5zw4rUIA6w9pvUnuZBhACEcqtt
-HncoVRr0dxX7tN7Hxsw5I2Wx0szuHCpSXt9den/4rcyl4dpVViNOc7lah0C8uS2t
-tt1DE4JdA1gm0uKVUkS+57049R0ojMisjMmJBs3V0+lPvRwHGZ+UGer4lw1FPMXr
-fDLXuOCs5V9pR2d5OtHttFNKVGwcRtPElSKCvJjxvl/frBTfng97S/jIAUJc4NMQ
-tBoI18TeNnALRp/JWtJf5VqQFyNvp/Th/Qk2VgUa6x5jKE6ksLlaVDxZ4rZbFyfl
-WkVbJ3OABNfEzrucOEFoncqHPM8BT1unTkRTOlsJMbgzJYby+RLznMzKwGS20A6P
-f2f4L840zqHSFHfD/HhW0CZ5ZwXbW6Kta6D0+DWDzHzA/6GMFtggpXtMXKbi/2dV
-wPR7sHQwxE+Qbq4SxxAx7CYhiz6L2x/EMX/BehAJic6XTQJEmluaiq3o1954OuTZ
-eUAnOV9iv2iEKf02D06yCJsyLop4CtN88HenGD7EiZ71IuF7U/VDoy2lVcbiW0DT
-efTsbns5euSqe335SHafd9OGIe8p7shsSsoh6smfUpYdYlKq+wG2P+h7CSMoIGh6
-bKq0k3xnyi4CH22Ukyt3IIg0REGTvFgdZGRuwJe2cylzYeuj+KJclVLTmJ2jQJ2D
-xd1M5gNqbZOzihCNOnG6Owik93RJBi6qynhfhOt6YHBeUmeIFx+ygLQqtNjlX/V9
-+rsBtovzMZhfFK6ozSm0fQG+2rB5QrnsEw3gzzZ22fBPy+SQ1GPK2FJNNHO3REaD
-+5Yt0Iny4jFA9UiveR8pxvYdPwoPEiEii1VfOAkR+0dcEeKX1gQvCF84XNRSiMXw
-ITHOI9QmmYqyjTAv1ZMB7TV3dnxQuyifHZciEFK5R7Kkn0Z78diXxFjWvPVVhsLG
-yzFHArQs0lDUsRlZxJ68SkwJ3dw2m8XpwUPkWlTZ5SoJTSN0JOa9fn5Htm7X1ZYK
-A4x80z3t6oeTGJxmDxQHOL+NCkeRQv1fN/JS4b7I6p9sQT+60gT5dJ0R6/CU2Vpf
-xM+DcHGW8oo8yQ2CjSOaf1Bp+Sp/arcrK0KOP6sbABlnXeTeRgWOb3xwRnwWP0am
-wAooVJgifFOAnEA7rfi7XgnQkALtwki4TPhy2g+eoHDo2PiX5j0QxdVpGlfzZVkC
-9j8fgea3hy5Y78Ju8N/fhZWgYIoyosVnFhXHtHpebPdDpktseOR388PNvMEa+6vT
-nKxFX9Uw8/IoAkO1WGG+rg==
------END ENCRYPTED PRIVATE KEY-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.crt b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.crt
deleted file mode 100644
index 171ec80..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.crt
+++ /dev/null

@@ -1,80 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 4663 (0x1237)
-        Signature Algorithm: sha512WithRSAEncryption
-        Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
-        Validity
-            Not Before: Jan 17 12:14:00 2020 GMT
-            Not After : Jan 17 12:14:00 2024 GMT
-        Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=allowed_by_ca@acme.org
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:ae:43:c8:3b:d5:08:7c:69:6f:48:96:bd:ae:cf:
-                    d9:ab:f6:3a:68:64:e6:f5:57:14:45:42:40:e5:c5:
-                    7f:97:6d:13:4f:d1:26:28:14:0d:30:e5:9e:55:67:
-                    b8:3a:7d:d8:8d:b4:9e:07:f0:62:e4:95:63:41:b9:
-                    04:2b:53:51:86:46:36:25:6f:82:60:74:e0:81:73:
-                    c3:ce:1c:76:3e:97:35:da:82:28:22:cc:ac:62:22:
-                    d7:0d:8d:38:44:c0:de:29:ca:15:b9:13:39:81:04:
-                    4b:0d:71:9f:ff:1c:36:4e:2e:57:54:85:83:f4:f4:
-                    a8:f9:bb:f5:a5:66:b1:9a:40:a2:1a:33:5e:b2:37:
-                    31:a5:73:fb:f4:39:fe:d1:52:ec:f2:b1:fc:84:1a:
-                    c7:2b:98:81:e3:62:ae:51:e6:5b:6e:c4:f9:ff:c0:
-                    e4:64:88:3a:c1:a2:20:95:3c:71:c6:eb:da:d3:de:
-                    aa:42:98:1f:e9:da:06:fc:f9:0d:23:1c:8b:ae:3e:
-                    ee:6c:b8:ac:a1:a3:da:c9:21:8d:c4:48:26:23:8e:
-                    40:44:55:dc:0b:fc:b8:a7:0c:c8:4b:f6:21:7a:1e:
-                    57:ff:1c:ce:a7:e3:8a:c4:26:02:93:f3:e8:4a:45:
-                    a5:3e:02:5b:25:6b:f8:58:1b:ce:18:3e:da:62:86:
-                    34:ff
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://localhost:8186/MyRootCA.crl
-
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            X509v3 Key Usage: 
-                Digital Signature, Non Repudiation, Key Encipherment
-    Signature Algorithm: sha512WithRSAEncryption
-         c8:28:31:d7:11:ba:e1:ea:b0:18:ec:74:6b:66:7d:da:31:1f:
-         2a:a2:c4:e8:af:a2:ba:92:56:d9:7b:f4:fe:e1:20:5c:5c:5e:
-         3f:39:31:0a:b3:a5:19:f0:60:86:ef:98:eb:e1:c7:1a:1d:0a:
-         51:d6:25:9b:29:a4:71:9d:da:d6:cf:96:82:07:ca:38:71:62:
-         93:6b:b1:44:87:49:42:28:66:53:34:f1:fa:3e:48:49:ed:2a:
-         ed:56:b2:49:cb:5b:0c:46:59:68:2d:d9:95:47:c4:0c:fa:57:
-         93:e1:0b:52:ed:75:2a:fe:a9:e7:e7:a3:c8:68:7a:fc:14:92:
-         8b:8b:34:94:28:f1:23:7b:2c:bd:26:48:fe:bf:6e:ec:71:9b:
-         43:e8:e3:64:48:36:af:9e:8e:bd:e5:c7:b2:76:a5:c6:ca:98:
-         22:6b:aa:93:82:fd:cf:6b:08:df:40:43:fc:03:1a:12:12:85:
-         8e:dc:d2:06:80:cd:d9:ba:fd:f8:4e:3f:8a:99:46:db:df:67:
-         c2:67:b5:39:96:a5:71:12:be:03:f1:99:c0:b9:df:51:b5:37:
-         dd:a7:5a:75:32:a0:da:d7:09:83:1b:96:30:81:0e:b4:9d:10:
-         81:cc:05:65:a8:e6:3f:2a:de:b5:d3:6e:d3:ed:4a:a0:e3:a2:
-         56:ea:ef:3a
------BEGIN CERTIFICATE-----
-MIIDdjCCAl6gAwIBAgICEjcwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
-EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
-dENBMB4XDTIwMDExNzEyMTQwMFoXDTI0MDExNzEyMTQwMFowajELMAkGA1UEBhMC
-Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
-MQwwCgYDVQQLDANhcnQxHzAdBgNVBAMMFmFsbG93ZWRfYnlfY2FAYWNtZS5vcmcw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCuQ8g71Qh8aW9Ilr2uz9mr
-9jpoZOb1VxRFQkDlxX+XbRNP0SYoFA0w5Z5VZ7g6fdiNtJ4H8GLklWNBuQQrU1GG
-RjYlb4JgdOCBc8POHHY+lzXagigizKxiItcNjThEwN4pyhW5EzmBBEsNcZ//HDZO
-LldUhYP09Kj5u/WlZrGaQKIaM16yNzGlc/v0Of7RUuzysfyEGscrmIHjYq5R5ltu
-xPn/wORkiDrBoiCVPHHG69rT3qpCmB/p2gb8+Q0jHIuuPu5suKyho9rJIY3ESCYj
-jkBEVdwL/LinDMhL9iF6Hlf/HM6n44rEJgKT8+hKRaU+Alsla/hYG84YPtpihjT/
-AgMBAAGjTzBNMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9sb2NhbGhvc3Q6ODE4
-Ni9NeVJvb3RDQS5jcmwwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcN
-AQENBQADggEBAMgoMdcRuuHqsBjsdGtmfdoxHyqixOivorqSVtl79P7hIFxcXj85
-MQqzpRnwYIbvmOvhxxodClHWJZsppHGd2tbPloIHyjhxYpNrsUSHSUIoZlM08fo+
-SEntKu1WsknLWwxGWWgt2ZVHxAz6V5PhC1LtdSr+qefno8hoevwUkouLNJQo8SN7
-LL0mSP6/buxxm0Po42RINq+ejr3lx7J2pcbKmCJrqpOC/c9rCN9AQ/wDGhIShY7c
-0gaAzdm6/fhOP4qZRtvfZ8JntTmWpXESvgPxmcC531G1N92nWnUyoNrXCYMbljCB
-DrSdEIHMBWWo5j8q3rXTbtPtSqDjolbq7zo=
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.csr b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.csr
deleted file mode 100644
index f2a51e4..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.csr
+++ /dev/null

@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICrzCCAZcCAQAwajELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
-DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxHzAdBgNVBAMM
-FmFsbG93ZWRfYnlfY2FAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQCuQ8g71Qh8aW9Ilr2uz9mr9jpoZOb1VxRFQkDlxX+XbRNP0SYoFA0w
-5Z5VZ7g6fdiNtJ4H8GLklWNBuQQrU1GGRjYlb4JgdOCBc8POHHY+lzXagigizKxi
-ItcNjThEwN4pyhW5EzmBBEsNcZ//HDZOLldUhYP09Kj5u/WlZrGaQKIaM16yNzGl
-c/v0Of7RUuzysfyEGscrmIHjYq5R5ltuxPn/wORkiDrBoiCVPHHG69rT3qpCmB/p
-2gb8+Q0jHIuuPu5suKyho9rJIY3ESCYjjkBEVdwL/LinDMhL9iF6Hlf/HM6n44rE
-JgKT8+hKRaU+Alsla/hYG84YPtpihjT/AgMBAAGgADANBgkqhkiG9w0BAQ0FAAOC
-AQEABftyaBKWipsliFRs8LYjFnKbGkc1vOJNHfr1Upa0JhxhEXXOr0fJ+q1moY6a
-9QdYOuZ3iM5M3B3L7aYM9wXSKkSyujRl/S2hDlaMuXVXHYvL+e6t1REe4lSCKZRV
-OfdpPWUCW35WhuE9M0h6hAnb+HLsxc3OPQo8KH4yQkSyh4aPj20X0WXp1QrvfpVL
-fzicwCaxJET8rcu3gduXqysD2IkHnbx4OX0JsqgDuVnjRRtL800UJ/YDJcuobUpp
-/euptiVCaO+q6W2l46GA2e6bQuCxv1+o5M4U2JH0Chldx2yTMnAgFtV+E1JtrzVS
-jObVTUz819aBFrzwL6OIcQEvUw==
------END CERTIFICATE REQUEST-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.jks b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.jks
deleted file mode 100644
index dae314d..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.crt
deleted file mode 100644
index 7129f68..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.crt
+++ /dev/null

@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIUA/JhLTYgfW18ejOVXRiPJdhGoFswDQYJKoZIhvcNAQEN
-BQAwajELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
-MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxHzAdBgNVBAMMFmFsbG93ZWRf
-YnlfY2FAYWNtZS5vcmcwHhcNMjAwMTE3MTIxNDAwWhcNMjAwMjE2MTIxNDAwWjBq
-MQswCQYDVQQGEwJDQTELMAkGA1UECAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTAL
-BgNVBAoMBGFjbWUxDDAKBgNVBAsMA2FydDEfMB0GA1UEAwwWYWxsb3dlZF9ieV9j
-YUBhY21lLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5DyDvV
-CHxpb0iWva7P2av2Omhk5vVXFEVCQOXFf5dtE0/RJigUDTDlnlVnuDp92I20ngfw
-YuSVY0G5BCtTUYZGNiVvgmB04IFzw84cdj6XNdqCKCLMrGIi1w2NOETA3inKFbkT
-OYEESw1xn/8cNk4uV1SFg/T0qPm79aVmsZpAohozXrI3MaVz+/Q5/tFS7PKx/IQa
-xyuYgeNirlHmW27E+f/A5GSIOsGiIJU8ccbr2tPeqkKYH+naBvz5DSMci64+7my4
-rKGj2skhjcRIJiOOQERV3Av8uKcMyEv2IXoeV/8czqfjisQmApPz6EpFpT4CWyVr
-+Fgbzhg+2mKGNP8CAwEAAaNTMFEwHQYDVR0OBBYEFBqvhbkUgk3fCKONHHOGxRLU
-FefzMB8GA1UdIwQYMBaAFBqvhbkUgk3fCKONHHOGxRLUFefzMA8GA1UdEwEB/wQF
-MAMBAf8wDQYJKoZIhvcNAQENBQADggEBAEgQYqFZBnZ3PJN/LP/S9dR3PDYp2YkW
-n8DSwpj+cP+Gt4kPydRSKl5DdV+eYd6cZ4xF2P6/peZCKYgYZkmbEWIYD87C7J+T
-rpcT1M4u7ACk5QfwoGAZFbTqy6iK3yFqQ/V7YvTjLAx8wqICqrDoed8GTgJ1AmWE
-GCIz3D/8e/ml+Sp+MVRi4KNVfA6zK/e29oswmQxYXmMCXswwHuAmsDoXKS9PYvX7
-Ho035mFmR+yhBnPHX9deuAsTifiiw1TCczq1K4SPX6exXw38nZwLVHErYnaypqP0
-pJNqTIBGlr6K0tryTA83tQVAIJqL2fVlfNUKxuHPOVyGkJcGlCPxjKw=
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.key
deleted file mode 100644
index c465086..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.key
+++ /dev/null

@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIWa+PHUaIhGECAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECEV7nV0bqTYVBIIEyNROaXQgS6RZ
-mSJcMeFAINaeZytR/Fq/vdlYE8qsnToVuySFqVft76Q1ZIs5ZsmwAPZxF6rAQZ9z
-9WsIVV7ZTZPCndP7R3/V1h11YGJpklu/wFDNPgkhJiP39A4gv99nWqdjPh3k6rJk
-5rshuHiVuPQ+lQxCJMnNNBzse1NAf7aCq3DONUAYrbxOPQODGAk9ilZtSirVNeCK
-8s9TwPi5vWaxkdgMkb8l+CtXKAYMIGXwslr4cs/02pOSSKMeSYn118aE05yRVI5a
-QrF6yk07huT94ZnVd7DS5sts1/igJk72mGc4zqAP7k2USYkvvzQ6/Lzt6jmdxlaV
-ovTnMpvrnS8Vt/27+XxH64cSC2of8a1N7nHKR/mjwzXwFfCqx36AAKNsnGpbX2vE
-PYgsMCAJrZY8DTgGnBKzJZTSbjfpeVDcWKrZtCIpcUCtHfzibwwo7FoFVi9f4Exq
-S+FkK1VX4JnWWxhNXKbUWWV24se/1NejY5op8TvunrT4xamV81v+Y3rAhORxZzZo
-QooLLY0EZVVGRA0qbg4TQZ87G4wxTKbeLv/vkJYt4+ElEkJZEm+f1U3OBKzBVC2h
-sA0bSo+vB7n322VMZQkGVXi3MCiJBlQYM2Dcp4+gC0GfkJhuNStp/QvfRIjjo+tR
-+aP0/8dkdDaUSe7gUp+1du+bA4YhcdX06diHD0VZrFKOhfR9EJ4lGjlObCA/V6aA
-WGtinv/yglGv1ajX1/9PcKsbFh3uP9eDM2U1wGbkJIYbw9ttABS9IEGi2Gr7QcLh
-273v5H346t9aXOCk0D14qEe3fRZCHWYsFkIytSQy9iHFmn67XnROoAicKIktUtSK
-j5rnGz8NcY7lQNElcEdAcogd50vyBy8Xn/Y29vl8CcyP6Mh6WIgnF/QuJo0+A6lH
-T57lmQ7aQYQuqNk3TeSSpRU2ADY6OldxrUIarrhoV+K3CLNhoI/Ch/7jbPfv6Z2s
-IwfOr7uOsA1YoLYHuV4hn8X2EMOONpcH57zNnQdCDzMJO6E92ElpqmyKkos5uDe7
-dIVFEpQ/9oeLgc00izZtQjkiI6ar1Dk7jkqAUAELsPcw8pwklqVy90ku1wgUl4BQ
-TR/Sk+HqOj9epQfUOBWi0zz3F8kkOo6Y/1JtzMFp9xauInr4oFssJ0A+kRypLL4V
-LrPi59SgHwwNTacivYjoeT2UH2mTCc7MfS6z3czwn/Ds/c6WfKYxNA4WLlOTJV+v
-4Y4aE0a9GTlGIXYTyP+l7T40MaDhTLfnhqi74TBN8QQNnxcLLcVY9sUREdJHbDgQ
-o5GjffduqezL94D1ENLO2ekIspjgpsGnFp1Us9A53CeDdo/P0/OcLeNfUlun8yWm
-fKG7vwW/lQw3jc6G5xKTO70HR3V3VLWP297gdMMZBiD1byY6Sk52Xz9hShr7DoEg
-l5L0vkhK1MjGYfxmlL4j94XZ1VhE/xni/rDeq/mK+MjmJ68G1yBn6dv62py3g5Qk
-tnl6Rg2tho6M6IOr9KGJxkooqjj/ruyWqp+NePYqFq9hU0wwQ7kuJ6ASulkJRShD
-fcg59h1HkTkCpnPPA3fmkxdDy3umOW7maZnLVjf0Nmt0BOA+jg2V0KK83kuJCqlz
-cBTyMqk8rkW1zR2YuVr+TQ==
------END ENCRYPTED PRIVATE KEY-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.crt b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.crt
deleted file mode 100644
index f884155..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.crt
+++ /dev/null

@@ -1,81 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 4666 (0x123a)
-        Signature Algorithm: sha512WithRSAEncryption
-        Issuer: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=intermediate_ca@acme.org
-        Validity
-            Not Before: Jan 17 12:14:01 2020 GMT
-            Not After : Jan 17 12:14:01 2024 GMT
-        Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=allowed_by_ca_with_intermediate@acme.org
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:c9:ec:61:2e:56:70:b4:b4:32:52:6b:62:c6:cd:
-                    64:87:65:e1:71:3b:87:fb:eb:dd:77:98:8e:44:aa:
-                    6d:df:2d:22:78:0a:9a:54:87:bf:23:28:cd:9e:64:
-                    fa:2d:40:ef:e3:09:37:be:12:65:aa:3f:4e:ef:2e:
-                    85:f1:19:42:00:79:51:95:a7:84:7a:9b:be:64:e3:
-                    f8:96:a7:5c:7a:ec:4b:4d:89:28:b2:2c:4f:e2:77:
-                    fd:26:48:84:07:63:db:e9:70:dc:aa:8e:74:05:23:
-                    89:db:9d:79:20:5a:83:bd:bb:a8:1e:1e:e8:38:8a:
-                    c8:2e:19:5d:47:0f:ee:0c:7a:88:d7:15:62:60:73:
-                    b0:cb:a7:a0:c2:89:0a:7e:33:89:67:f3:93:3c:d2:
-                    6b:90:f6:a6:6d:af:be:9d:38:2c:ae:b1:af:f0:23:
-                    19:3e:2c:90:a2:ad:77:8e:d6:40:e7:65:40:54:2f:
-                    5d:66:56:77:a1:71:47:13:d1:6d:d9:70:f9:14:c0:
-                    b4:5d:5d:32:7f:a2:af:49:45:7b:7c:44:c8:39:53:
-                    61:0d:25:c7:1e:a0:a4:7d:d0:21:60:22:7f:ec:55:
-                    36:af:87:30:fc:27:c5:a1:34:2a:a7:2a:b1:a3:9d:
-                    d8:18:88:d0:7e:53:49:2f:ea:6f:03:da:54:79:0c:
-                    26:e3
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://localhost:8186/intermediate_ca.crl
-
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            X509v3 Key Usage: 
-                Digital Signature, Non Repudiation, Key Encipherment
-    Signature Algorithm: sha512WithRSAEncryption
-         17:7d:7c:c2:32:03:78:c5:76:87:37:54:38:c6:1f:f1:c6:05:
-         96:48:fb:f1:ad:da:41:76:7b:d0:cb:ee:7b:5d:78:9d:a6:b3:
-         75:32:85:37:91:d2:58:aa:a5:27:ac:71:4c:12:01:6c:14:19:
-         23:52:09:b9:13:3d:17:4d:a2:b0:56:95:38:66:a7:39:f2:b8:
-         78:50:2a:1d:12:63:46:1f:5e:d4:12:4b:f2:88:72:44:d9:43:
-         29:da:80:a0:14:0e:dd:d3:69:f3:ad:05:0e:bb:5a:5b:f4:aa:
-         06:5a:f5:8c:7f:78:ba:d3:50:e0:68:9f:11:b0:33:3c:f9:5c:
-         22:cd:70:68:ba:8c:39:92:e3:c4:88:1f:85:79:b5:1c:94:e1:
-         79:c9:56:4e:2c:1e:41:e8:fd:40:0e:61:46:dc:74:4b:f0:bf:
-         6d:e7:c1:34:fa:6a:fc:51:72:c5:a4:46:e0:db:94:09:4d:14:
-         eb:88:41:bb:82:63:e2:8d:c8:f1:a3:69:49:1b:89:12:d7:f8:
-         c1:7e:cc:90:70:80:2e:9d:e7:69:7f:80:46:f9:af:a2:19:ba:
-         02:40:1b:dc:b7:9f:ab:3e:06:b5:33:7b:61:57:8a:4a:b0:57:
-         2b:77:50:13:11:78:5f:62:45:b9:9b:21:2c:28:9b:44:2b:ef:
-         7f:e0:f4:18
------BEGIN CERTIFICATE-----
-MIIDujCCAqKgAwIBAgICEjowDQYJKoZIhvcNAQENBQAwbDELMAkGA1UEBhMCQ0Ex
-CzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQww
-CgYDVQQLDANhcnQxITAfBgNVBAMMGGludGVybWVkaWF0ZV9jYUBhY21lLm9yZzAe
-Fw0yMDAxMTcxMjE0MDFaFw0yNDAxMTcxMjE0MDFaMHwxCzAJBgNVBAYTAkNBMQsw
-CQYDVQQIDAJPTjEQMA4GA1UEBwwHVG9yb250bzENMAsGA1UECgwEYWNtZTEMMAoG
-A1UECwwDYXJ0MTEwLwYDVQQDDChhbGxvd2VkX2J5X2NhX3dpdGhfaW50ZXJtZWRp
-YXRlQGFjbWUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyexh
-LlZwtLQyUmtixs1kh2XhcTuH++vdd5iORKpt3y0ieAqaVIe/IyjNnmT6LUDv4wk3
-vhJlqj9O7y6F8RlCAHlRlaeEepu+ZOP4lqdceuxLTYkosixP4nf9JkiEB2Pb6XDc
-qo50BSOJ2515IFqDvbuoHh7oOIrILhldRw/uDHqI1xViYHOwy6egwokKfjOJZ/OT
-PNJrkPamba++nTgsrrGv8CMZPiyQoq13jtZA52VAVC9dZlZ3oXFHE9Ft2XD5FMC0
-XV0yf6KvSUV7fETIOVNhDSXHHqCkfdAhYCJ/7FU2r4cw/CfFoTQqpyqxo53YGIjQ
-flNJL+pvA9pUeQwm4wIDAQABo1YwVDA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8v
-bG9jYWxob3N0OjgxODYvaW50ZXJtZWRpYXRlX2NhLmNybDAJBgNVHRMEAjAAMAsG
-A1UdDwQEAwIF4DANBgkqhkiG9w0BAQ0FAAOCAQEAF318wjIDeMV2hzdUOMYf8cYF
-lkj78a3aQXZ70Mvue114naazdTKFN5HSWKqlJ6xxTBIBbBQZI1IJuRM9F02isFaV
-OGanOfK4eFAqHRJjRh9e1BJL8ohyRNlDKdqAoBQO3dNp860FDrtaW/SqBlr1jH94
-utNQ4GifEbAzPPlcIs1waLqMOZLjxIgfhXm1HJTheclWTiweQej9QA5hRtx0S/C/
-befBNPpq/FFyxaRG4NuUCU0U64hBu4Jj4o3I8aNpSRuJEtf4wX7MkHCALp3naX+A
-Rvmvohm6AkAb3Lefqz4GtTN7YVeKSrBXK3dQExF4X2JFuZshLCibRCvvf+D0GA==
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.csr b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.csr
deleted file mode 100644
index 8ddce61..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.csr
+++ /dev/null

@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICwTCCAakCAQAwfDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
-DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxMTAvBgNVBAMM
-KGFsbG93ZWRfYnlfY2Ffd2l0aF9pbnRlcm1lZGlhdGVAYWNtZS5vcmcwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJ7GEuVnC0tDJSa2LGzWSHZeFxO4f7
-6913mI5Eqm3fLSJ4CppUh78jKM2eZPotQO/jCTe+EmWqP07vLoXxGUIAeVGVp4R6
-m75k4/iWp1x67EtNiSiyLE/id/0mSIQHY9vpcNyqjnQFI4nbnXkgWoO9u6geHug4
-isguGV1HD+4MeojXFWJgc7DLp6DCiQp+M4ln85M80muQ9qZtr76dOCyusa/wIxk+
-LJCirXeO1kDnZUBUL11mVnehcUcT0W3ZcPkUwLRdXTJ/oq9JRXt8RMg5U2ENJcce
-oKR90CFgIn/sVTavhzD8J8WhNCqnKrGjndgYiNB+U0kv6m8D2lR5DCbjAgMBAAGg
-ADANBgkqhkiG9w0BAQ0FAAOCAQEAd3e3VVDF9/DEkkN2OblChD35ElxBO10cn9/h
-JdtcDLa6DRK/ke4wpA2GfXdyGTez/tsCaVFLC/D6toxPYYtqW60OqavVNwAB/pwY
-NpdU7b9MNP3m0Xl3Kecevj8l5y+2dqzQdccqpPZxagArbp6Q1Jq9IE/NTFrcJFOl
-3TUK5xlunjLUxc3z9wCInDWAJukLzjhWR4VLMyHSXnI9nrA71rkss0Jnp5CHPk16
-fal0DF35awqwThnHXjtHxxLpNutYdfQNLMc5ROzVPeJkRQ3M4N3nQLmm1Cya3z/B
-GfIKmFM17FRVnpV7UmuStRmvMWAceObm6onE4ZFEIVZKnZgCdw==
------END CERTIFICATE REQUEST-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.jks b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.jks
deleted file mode 100644
index b4e40d8..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.crt
deleted file mode 100644
index e124e38..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.crt
+++ /dev/null

@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID2TCCAsGgAwIBAgIUNnlaQs0dlbECoaCEl6BoAMhbdRYwDQYJKoZIhvcNAQEN
-BQAwfDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
-MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxMTAvBgNVBAMMKGFsbG93ZWRf
-YnlfY2Ffd2l0aF9pbnRlcm1lZGlhdGVAYWNtZS5vcmcwHhcNMjAwMTE3MTIxNDAx
-WhcNMjAwMjE2MTIxNDAxWjB8MQswCQYDVQQGEwJDQTELMAkGA1UECAwCT04xEDAO
-BgNVBAcMB1Rvcm9udG8xDTALBgNVBAoMBGFjbWUxDDAKBgNVBAsMA2FydDExMC8G
-A1UEAwwoYWxsb3dlZF9ieV9jYV93aXRoX2ludGVybWVkaWF0ZUBhY21lLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMnsYS5WcLS0MlJrYsbNZIdl
-4XE7h/vr3XeYjkSqbd8tIngKmlSHvyMozZ5k+i1A7+MJN74SZao/Tu8uhfEZQgB5
-UZWnhHqbvmTj+JanXHrsS02JKLIsT+J3/SZIhAdj2+lw3KqOdAUjidudeSBag727
-qB4e6DiKyC4ZXUcP7gx6iNcVYmBzsMunoMKJCn4ziWfzkzzSa5D2pm2vvp04LK6x
-r/AjGT4skKKtd47WQOdlQFQvXWZWd6FxRxPRbdlw+RTAtF1dMn+ir0lFe3xEyDlT
-YQ0lxx6gpH3QIWAif+xVNq+HMPwnxaE0KqcqsaOd2BiI0H5TSS/qbwPaVHkMJuMC
-AwEAAaNTMFEwHQYDVR0OBBYEFPjCNnLHyR9AJfM6BRMuGgmFF3dPMB8GA1UdIwQY
-MBaAFPjCNnLHyR9AJfM6BRMuGgmFF3dPMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
-hvcNAQENBQADggEBAMZES6PIFa3+peqB18Af82We4bxIHDSMnpkU518Uf/cSwKLl
-LKdSGbIX2dr2uiqJuNQwrSbQwe0O24WBeuFnv8VWwjQrHPqX7et7LT3mBthaW3qP
-beRz0CHvYg09plniqWaaxZ0o+XDoG5/vs1rwSXhKdB89hBLBgdXWnIu05ISicj3Q
-wFv7Aad8s+29qd83ZTq3GPiAGAlHzBZoGfORxgw8Zkl5J8wpDY2IzHoFK65TltIg
-vEhmxsaY2q9ogDPU1g3vXOryobUcZXCk6Wmq7/AQ8Yb6pVOHU+B1GBWlDK+88RkI
-sejtPiVWiQixQbZsgjF0kzcXdW+v83vnK9C7Ehs=
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.key
deleted file mode 100644
index 9768e71..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.key
+++ /dev/null

@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIvh0cf2QI9TkCAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECNBC7yqVSYFxBIIEyK44083ll8aW
-4B3wIWPEVbHexUgeHhPnyv8N89VB+sgl5ndKlm60/n83O2COdXEFrbUbyEaxEMII
-VvNVbY4G0BAbsY5qJfmiRNCKRc2OO4HRBI0dLrzcIYETtAtunmta3CbngRpSgNv2
-zPPGp06jEcrh285NGmL6+k4OkDkdOhLBIlSQadibNOWPpRSSmp93pjPUFSVdUarU
-2qZi1Xxd65iu8iNG00E9mYHvIesN2tGvWqH7+pAFWKLz2PxEMBjKS/wz0r2sqpAi
-u605tebtg2mKB16VpPLKHkGHjAJNehfBPAWpjrLLj+cdpAC6gU8hQZseZJRh4kr3
-DZvS6hSNPXKE6+mDosrj1CuyMOfOaqezgixY/3AihqGt/qgZXu5Fs4WepWPACDtH
-hHBPAc0DXFlC4E6B3Xb+HQWI0ADqI//sSip/UsDMpp5Z99EqA/0UgG6xNEcvyMJo
-/jHpSBeJZbKB+UXsPpwQQzMHzlqLZ0b0egB8U2Q383bNctNtWX5GOgs9WzHbrvXe
-Ia29s7kCima1r5JO+/fNzhRlgoENbxa31APNzdNfvHzvRRN7JGE1yS57aL8ZVXv5
-I+rg1ct71nIJ8SpfeP3fmib9NDw8QuwFZ1KfXuEp+Q2nHP7QGIpCbMJJqY7aAr0H
-m2KRUEQqrGv3XycU8VDveOPj2UR9JQANSZK5pwwcgL+jtEYo9AJxtnThePaPLi0f
-KNjkqd1/BictpdNu+o+jQS+REOVxqKR01XcjIsKe9b19qIBgxLwcaOMfaxulOe8e
-SOBUqsHOJmYxZ6IjeEVG2dGxDADdmFPBrfIQnAbRBEwgjSBMCP/h6elo0MRQ3LaX
-lmDmjCNlY1FHuSaAX5xWJ87Ui8y1Sx8vljOOYA6b2zoWoj8pmz7lZy4ChZaFb7sW
-WAE0O0e7DrwLvVfluVwRdQ6KcWBkILzVw+VLrQE1s8yAVc0mPtAyEpjaMpqlWpeE
-CngpUa1yaBcY17R/30aAYXGVxc2qoZBQuGkr4q2TQoElBk7ERyQ51a8TJ+bQ4DAp
-lLED5xLmED1F/TL8PaQhQuDVkaoIUPKwAnXjRWf11DImmuUm8ens9w9np0Na334P
-XcJ5zZq00FyXsUoYnuyvXulqRo+Sps67kcGjlK7t0cpvAaG5CbzEkJ3IcAzOcldA
-Nq1W/yd+RBdCqbcDUIFYWhdtJ6zDg0jTa8vUm/Pn8DZMQOB2tOn5TDvrT+4iy5Ng
-Y5xbvvWyXCWy4JdyoFoXjzXLChQA5YNd+P37UfJUT+R/l7GD84SiGdNtHsxP+Hnr
-KRDu4v0p32jKjY27U2GHRBVNPjR+GUgVcKa4WE84DAPfaJY2mep2gxhmYMg2YNR5
-/evAYC6AfVqrKahnXvAZ6cWLIAbdhOg+dbyj1KITuIZ7VUfpVrIeAx4/IBJ5nJbJ
-EC9/8uaswGXKqPdLM8sR9FEbq9r2WBVSuaVmMqwV7wcQwO+KBemeUPoeY/aEm6bj
-jD7AaMSFl67ouabm2pZdWz8as1qNImn0aR/3AW/Rusi/mVOweGd+WcC/GlIv5T0E
-eKnyOExk94ddyBqasKCewSPx0BV4ki1fX77yUbaDeJ4w8Ppw1dfJCc4VaQhJ5gNn
-uMU30mtTpiOBN9muNRrYCg==
------END ENCRYPTED PRIVATE KEY-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.crt b/qpid-test-utils/src/main/resources/ssl/certificates/app1.crt
deleted file mode 100644
index 867005d..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/app1.crt
+++ /dev/null

@@ -1,74 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 4660 (0x1234)
-        Signature Algorithm: sha512WithRSAEncryption
-        Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
-        Validity
-            Not Before: Jan 17 12:13:51 2020 GMT
-            Not After : Jan 17 12:13:51 2024 GMT
-        Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=app1@acme.org
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:d9:72:36:d1:3a:19:ce:4a:c0:58:95:21:1a:9f:
-                    90:e5:48:b9:06:e5:47:0c:8c:59:7d:45:9b:df:a7:
-                    5f:5d:42:e9:62:c6:95:d6:63:e2:03:ae:29:1c:3f:
-                    a2:c5:89:32:72:b7:34:22:c8:fa:b5:c8:e4:59:47:
-                    3d:3c:4d:cf:c6:00:bd:76:69:d7:b7:a0:1f:4c:ea:
-                    a3:fa:54:4d:cb:d8:c4:af:2c:57:5e:bf:c0:5a:a6:
-                    58:bb:4d:c5:46:41:e3:ec:c8:0e:f3:2c:28:ce:37:
-                    66:b9:7c:02:a1:7c:cd:95:16:96:b6:0d:9a:50:ed:
-                    e7:a0:25:c7:88:59:bb:46:dc:9e:61:8c:46:5f:8e:
-                    6b:e4:ac:b2:4f:95:b2:b3:71:e5:5a:b9:2c:52:24:
-                    15:d8:57:98:aa:b5:17:2c:58:61:9f:cb:79:83:1d:
-                    2f:1f:73:37:b9:7a:ce:7d:f6:0c:74:26:24:fd:40:
-                    7e:a9:4d:69:21:30:8f:1d:5d:40:98:54:33:44:4c:
-                    ae:14:f2:94:ab:d8:9f:93:9b:43:c4:12:96:0a:89:
-                    65:b7:de:37:0c:69:16:96:89:91:45:85:20:b3:50:
-                    44:89:29:ae:c9:8b:04:4b:a8:85:cd:6b:e6:7b:94:
-                    44:2b:02:ad:8e:42:c3:3a:41:2d:60:d4:13:0c:6a:
-                    47:73
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            X509v3 Key Usage: 
-                Digital Signature, Non Repudiation, Key Encipherment
-    Signature Algorithm: sha512WithRSAEncryption
-         48:74:83:6d:ee:96:77:ec:05:03:0d:63:9f:a7:4b:61:f9:c2:
-         c7:06:3e:ca:5f:db:1d:2b:0f:d2:06:5d:13:e7:a6:9b:9c:28:
-         9a:d9:7b:e2:70:00:6b:f1:7c:a3:ce:82:84:c8:a8:cf:15:0c:
-         b2:03:8e:ab:c1:47:4c:c4:d2:6e:2f:e6:f7:60:f1:f9:92:d2:
-         f7:a5:60:a3:86:6b:a5:3f:95:ba:25:7a:2f:5c:b3:b2:30:44:
-         c5:df:e4:fd:74:c0:44:f3:c6:43:a7:fd:06:ed:b9:ab:a5:fb:
-         ce:9b:f2:5e:64:52:bc:bf:88:df:ca:d4:d5:e2:07:e9:86:15:
-         ea:40:01:4f:6d:e4:ed:5b:25:dc:30:28:c5:e4:98:e3:ba:e5:
-         90:7a:4c:b5:d4:7c:ee:31:4d:64:bf:e9:c7:94:bb:87:88:3d:
-         c5:e3:6c:ab:96:26:de:a9:a3:af:fa:ca:e0:04:e0:50:d1:a0:
-         40:79:26:8a:8e:bd:cd:f8:8d:58:14:2f:cf:17:48:5c:62:14:
-         02:c4:5f:61:18:1a:b3:6e:c4:a0:03:5d:33:00:5a:e7:09:74:
-         25:c9:9d:4a:cf:d3:5d:fe:4a:33:06:d7:ab:37:02:4f:5e:f3:
-         8e:82:cc:1a:5b:6e:99:b6:96:0e:b7:f9:d8:03:91:04:a6:f3:
-         22:84:85:b9
------BEGIN CERTIFICATE-----
-MIIDODCCAiCgAwIBAgICEjQwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
-EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
-dENBMB4XDTIwMDExNzEyMTM1MVoXDTI0MDExNzEyMTM1MVowYTELMAkGA1UEBhMC
-Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
-MQwwCgYDVQQLDANhcnQxFjAUBgNVBAMMDWFwcDFAYWNtZS5vcmcwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZcjbROhnOSsBYlSEan5DlSLkG5UcMjFl9
-RZvfp19dQulixpXWY+IDrikcP6LFiTJytzQiyPq1yORZRz08Tc/GAL12ade3oB9M
-6qP6VE3L2MSvLFdev8Bapli7TcVGQePsyA7zLCjON2a5fAKhfM2VFpa2DZpQ7eeg
-JceIWbtG3J5hjEZfjmvkrLJPlbKzceVauSxSJBXYV5iqtRcsWGGfy3mDHS8fcze5
-es599gx0JiT9QH6pTWkhMI8dXUCYVDNETK4U8pSr2J+Tm0PEEpYKiWW33jcMaRaW
-iZFFhSCzUESJKa7JiwRLqIXNa+Z7lEQrAq2OQsM6QS1g1BMMakdzAgMBAAGjGjAY
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBDQUAA4IBAQBIdINt
-7pZ37AUDDWOfp0th+cLHBj7KX9sdKw/SBl0T56abnCia2XvicABr8XyjzoKEyKjP
-FQyyA46rwUdMxNJuL+b3YPH5ktL3pWCjhmulP5W6JXovXLOyMETF3+T9dMBE88ZD
-p/0G7bmrpfvOm/JeZFK8v4jfytTV4gfphhXqQAFPbeTtWyXcMCjF5JjjuuWQeky1
-1HzuMU1kv+nHlLuHiD3F42yrlibeqaOv+srgBOBQ0aBAeSaKjr3N+I1YFC/PF0hc
-YhQCxF9hGBqzbsSgA10zAFrnCXQlyZ1Kz9Nd/kozBterNwJPXvOOgswaW26ZtpYO
-t/nYA5EEpvMihIW5
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.csr b/qpid-test-utils/src/main/resources/ssl/certificates/app1.csr
deleted file mode 100644
index 4fdf611..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/app1.csr
+++ /dev/null

@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICpjCCAY4CAQAwYTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
-DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxFjAUBgNVBAMM
-DWFwcDFAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZ
-cjbROhnOSsBYlSEan5DlSLkG5UcMjFl9RZvfp19dQulixpXWY+IDrikcP6LFiTJy
-tzQiyPq1yORZRz08Tc/GAL12ade3oB9M6qP6VE3L2MSvLFdev8Bapli7TcVGQePs
-yA7zLCjON2a5fAKhfM2VFpa2DZpQ7eegJceIWbtG3J5hjEZfjmvkrLJPlbKzceVa
-uSxSJBXYV5iqtRcsWGGfy3mDHS8fcze5es599gx0JiT9QH6pTWkhMI8dXUCYVDNE
-TK4U8pSr2J+Tm0PEEpYKiWW33jcMaRaWiZFFhSCzUESJKa7JiwRLqIXNa+Z7lEQr
-Aq2OQsM6QS1g1BMMakdzAgMBAAGgADANBgkqhkiG9w0BAQ0FAAOCAQEAg+tk9HSB
-Gyf0fBAsiIO7+eMbZF0tlefffheB9PpqqiIs1/JodRTGqRVYLbtDCXH1TJwdUOvt
-7Gl/mvsatHtQdjnErBCdJP5y0xCzilv1hUIxWlq2yyu1hkXuPmRzqsUYKGMX0v45
-/U/ZpzMsBMtKi7wJIl66JCmXpYvT81ZVhQgVMhHzmiEpm/4KlTeeEWf7Jxj3UjRf
-+9aO2OQuOPSpHr+G6uNqGTWRV7NydA810cjBb18NEg9/XIcJj4/2TarX0SyDzBGv
-r6+gQRbf22hcyaDmcgt9vlw8SFs7TYwNXy4ictWd8MHYxGHiPe9D+MhzkJUTrBma
-1zG8+NNJ0DygLw==
------END CERTIFICATE REQUEST-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.jks b/qpid-test-utils/src/main/resources/ssl/certificates/app1.jks
deleted file mode 100644
index b421e69..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/app1.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.crt
deleted file mode 100644
index 63b33ae..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.crt
+++ /dev/null

@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDozCCAougAwIBAgIUYSaDt/eFmu0ZczpaY+2K7kJc4eEwDQYJKoZIhvcNAQEN
-BQAwYTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
-MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxFjAUBgNVBAMMDWFwcDFAYWNt
-ZS5vcmcwHhcNMjAwMTE3MTIxMzUxWhcNMjAwMjE2MTIxMzUxWjBhMQswCQYDVQQG
-EwJDQTELMAkGA1UECAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTALBgNVBAoMBGFj
-bWUxDDAKBgNVBAsMA2FydDEWMBQGA1UEAwwNYXBwMUBhY21lLm9yZzCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBANlyNtE6Gc5KwFiVIRqfkOVIuQblRwyM
-WX1Fm9+nX11C6WLGldZj4gOuKRw/osWJMnK3NCLI+rXI5FlHPTxNz8YAvXZp17eg
-H0zqo/pUTcvYxK8sV16/wFqmWLtNxUZB4+zIDvMsKM43Zrl8AqF8zZUWlrYNmlDt
-56Alx4hZu0bcnmGMRl+Oa+Sssk+VsrNx5Vq5LFIkFdhXmKq1FyxYYZ/LeYMdLx9z
-N7l6zn32DHQmJP1AfqlNaSEwjx1dQJhUM0RMrhTylKvYn5ObQ8QSlgqJZbfeNwxp
-FpaJkUWFILNQRIkprsmLBEuohc1r5nuURCsCrY5CwzpBLWDUEwxqR3MCAwEAAaNT
-MFEwHQYDVR0OBBYEFDYEXqxKZ8d1O/lU0TTKZlwxBGPQMB8GA1UdIwQYMBaAFDYE
-XqxKZ8d1O/lU0TTKZlwxBGPQMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEN
-BQADggEBALif7Y38a6ReCr+T/ZinfDpBySzVSFQXIqtz//hevSnkTHeVDlVl3Hn9
-gySwZvZ1pppJJVa8e16ogi1ohZI/EigxL39LxTKF+KdPldM2CCTT9BXu1COacjwD
-nSvwoCHWy9i92H5IUL9OTh5fbpJ4Ju+pwKa/7/1B23azmQ/IPuAHe8/p16pLpcUF
-yYSX+h72gP2MKzKFojMwM4qV0UtJwAk9+F0697laptLuKqO8chAP5BJIRWf9H8nk
-RVXym7gWu5WOrzzqQwsKDQk++QypGrP+TF2CurPPgv2sr2p0SsNjmxvw6D06s/7Z
-PQPRnjhce4CF3krMgMp8Nhp2faQS8Ko=
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.key
deleted file mode 100644
index 8fe81d7..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.key
+++ /dev/null

@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIMs/xmAFq910CAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECFQMuA97cPERBIIEyAdrCuP9AqXI
-BbH4JYW+D602QDOVO6xxi2FEhVyhd8k8ClQzSf0/G504i6uJu9WDYytjHYYqK5VR
-ZMIHBnjJQ2DDFRn0A0wrWutzAbN4eYgbCUoMqKOv+GoV6kc6KOXuEXfZIDgPVPGT
-qSD7gBX/UZMRHbs507Z88xHlKvT0bdHfMG0lRryJqKskT7ryx5baWT5uPJKlskx/
-e7xvwmyfLBGiyA2DohXtUZiD+I4/jVdYvf/Fv8+oA1XW8rwhVhFB/+GigOmMHoqG
-CF10bbnlwq2S9/LyuNfnVBGX3qGiWcV6n7gGz0G3dx0hgcGWGzsIsx225DaL2ncO
-4mQ/1y1aUb6xfXdsvI6awyGbqSrkp/55uQGJz91b0s4nPi6wnxQiGKx01WGdb0bO
-wgZJWKS2sfWjOfoBIUe8tuebKbMUH8aZ5eQH1Ltd3PHDaSjRGVLJNSLiTJYmvNvi
-qh+A6zzxtJDLfBRNV0llAliTWXA1R9b/FOZiVS+nTEZGzuhSRt5EWMooLVe9amLf
-NcughTy/WguIQ3YfIsqkBfbMMmGPAf+ZPx25MpLL03vOUP33kZnyWIO+NMDmmhbx
-oHyxdAcVYZOPv2wf5hsEULn3gLNtODBoeYMovlBTni7peYZisgtiwoJGijIHsCYH
-vTnrsZx7yysY02U4PRou6XYt4NWikmPQQO1Jc8IDmfnn6mh0tTJDWRtO2Q7MGvMk
-aZzwB2Im6/+HA78g5uI+gIoTeVyCXfwoMslnfmhfbb5k3V4NdJF/4nyJi1UlpDuY
-rpJxSjbM9vObUcPTV8yM8zk3cOXjClqmWvv7uOW160pYHTjIyGY+RSKoZ4Hw+USo
-igfkucH2EGiDljmRjmfS4qvTxT/4Vexqj7Rxnz7qQ1enOpVtGwM67eKFiY77VXIF
-Ubm+GraXpNdoe+IJOH8ZlH/9fQO2qsu+d3k/7Gd8yl1nlagzDQSf9lGcCAvzWAD0
-FlbPJWxsMV7uAFtwNsk33VGOmVGiat7+E4o2UXa3LMGz9xwj0N5nSwWsUdVpbWtx
-fim2PvcOmDex0ERPkD7I2gI0MF5YEGJ/UQwIeOOfnrgtI87W19yZMBH5CtyKIs4d
-cQLhQUsQpc9QUA0eplH41wDJeSPoLiP1/4drOd/t9tOBU9TQLcOk5SiuTlvL7SII
-gw1clk1LGhDkqbVTG1dDyNFlJ4yiqYJ9SfW1vCTAAQvpa0t1aVISVEDqyAxdgtyL
-710+Nta62J1U2ErX8cXVUA+C1IWSYvR19KIAMArDYEHc7g5nsuOQ2PBKNqYUkXv5
-hBH1L+eYjuvxyy/K2ZizhELaCoZ5PSd18B0FbO2mt2qTe8RHPMgN83iUXoIXpaDw
-67s9h2lrYUWNWjOsDv0r7e7l7TwiODNU9IojKBPmzWcIi4ghmsN15SsvWcVeqm26
-mRK/cs5tChLEtllmzuxzZJ1BRE7XbghuWk9y69mbTaEc0o3zjyJFWHNSNCjq/iKc
-HSIauh/LPnHiFJmRxWwlDqUt1hbjlVp+1nFmMMbHlPZkW9dA+4O7rjG5b+8eA1zw
-cp98RXTesA8Sg45+uwUHr2MlH88TQNenaxW0RsJJALl2zuqUt3VZIu122ccXcj3Q
-Z2GhZP3EKpwXmoQEeiTwFg==
------END ENCRYPTED PRIVATE KEY-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.crt b/qpid-test-utils/src/main/resources/ssl/certificates/app2.crt
deleted file mode 100644
index 564fd86..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/app2.crt
+++ /dev/null

@@ -1,74 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 4661 (0x1235)
-        Signature Algorithm: sha512WithRSAEncryption
-        Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
-        Validity
-            Not Before: Jan 17 12:13:52 2020 GMT
-            Not After : Jan 17 12:13:52 2024 GMT
-        Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=app2@acme.org
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:b7:16:85:6e:de:f5:77:42:63:ec:72:b8:e3:a9:
-                    2f:b3:34:1a:68:5b:39:1b:74:8d:52:08:42:2f:a7:
-                    30:84:10:96:7c:83:13:52:f3:ef:47:23:8e:25:4f:
-                    32:2f:b8:1d:55:ec:fb:fb:95:75:9a:b5:04:83:67:
-                    7b:58:0a:29:71:c7:2d:ee:9c:44:02:90:62:dc:1e:
-                    e4:d4:9e:c9:ac:3b:3e:74:cb:97:9f:c0:1b:ff:75:
-                    36:9b:4c:db:da:3f:eb:40:6e:f8:1c:a9:01:54:02:
-                    f9:2f:1c:59:51:61:84:51:68:b0:64:2c:11:0c:2b:
-                    08:22:9f:c1:00:06:36:15:02:bb:ad:9c:3b:b8:93:
-                    15:59:cd:d7:62:80:9f:20:a4:a2:7d:46:a5:00:98:
-                    16:20:48:49:be:08:d7:b2:9d:cf:40:3b:e2:a0:2d:
-                    be:bb:3d:e1:2b:cc:e4:f8:29:f0:a8:5b:cc:18:35:
-                    f7:13:a8:2e:16:32:65:35:94:73:7e:34:a3:97:65:
-                    53:42:41:85:73:eb:36:8f:88:fc:4e:2d:79:ac:12:
-                    df:60:fc:49:d9:71:3f:88:f3:b4:21:66:4e:34:91:
-                    6e:ca:5f:93:81:c6:f6:b8:b0:55:fd:73:bb:3f:4b:
-                    d3:2a:a9:d9:57:88:d1:4b:14:10:1e:d3:eb:fb:0c:
-                    b9:d3
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            X509v3 Key Usage: 
-                Digital Signature, Non Repudiation, Key Encipherment
-    Signature Algorithm: sha512WithRSAEncryption
-         f0:b6:a8:e1:86:fd:b9:2c:1b:72:d1:0f:8c:10:97:d0:15:e5:
-         cd:aa:4a:c0:71:fd:3d:48:fc:ca:d9:1e:53:06:c2:7f:a6:f8:
-         57:02:c3:7c:a9:1b:7c:17:d6:2e:48:50:8a:6b:ff:90:2e:19:
-         03:c7:b7:31:27:04:ce:8c:e0:2d:43:6d:ca:d6:bd:b3:c9:ea:
-         66:6e:48:d8:ca:1c:ca:ee:2c:41:58:40:08:55:0e:4c:38:4d:
-         f6:16:14:fd:78:30:c6:73:88:cd:ba:ce:5d:25:df:cf:79:45:
-         d7:b8:51:b9:c6:9d:db:8a:82:35:ac:09:ee:2e:73:7e:86:8d:
-         23:d0:39:16:40:5e:10:4b:ba:d9:63:18:b3:40:43:19:35:49:
-         5d:7b:55:0a:9e:3a:f3:ae:33:0e:9b:4f:d1:07:16:33:32:d7:
-         4f:c2:43:35:31:4d:e6:39:f2:8a:12:fa:6b:ab:4b:dc:aa:18:
-         cb:db:df:b5:9f:58:ff:54:bc:de:af:c9:55:04:6a:60:47:68:
-         4d:18:15:51:2b:87:c3:aa:d9:86:f0:2d:42:ea:23:f8:30:59:
-         c7:4f:5d:84:e9:b0:5c:35:a6:63:c4:e0:66:c7:d8:fa:2c:17:
-         50:af:59:a9:38:9a:d8:3b:53:e6:3e:ea:bd:c0:51:d3:e3:fd:
-         9d:3b:94:51
------BEGIN CERTIFICATE-----
-MIIDODCCAiCgAwIBAgICEjUwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
-EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
-dENBMB4XDTIwMDExNzEyMTM1MloXDTI0MDExNzEyMTM1MlowYTELMAkGA1UEBhMC
-Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
-MQwwCgYDVQQLDANhcnQxFjAUBgNVBAMMDWFwcDJAYWNtZS5vcmcwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3FoVu3vV3QmPscrjjqS+zNBpoWzkbdI1S
-CEIvpzCEEJZ8gxNS8+9HI44lTzIvuB1V7Pv7lXWatQSDZ3tYCilxxy3unEQCkGLc
-HuTUnsmsOz50y5efwBv/dTabTNvaP+tAbvgcqQFUAvkvHFlRYYRRaLBkLBEMKwgi
-n8EABjYVArutnDu4kxVZzddigJ8gpKJ9RqUAmBYgSEm+CNeync9AO+KgLb67PeEr
-zOT4KfCoW8wYNfcTqC4WMmU1lHN+NKOXZVNCQYVz6zaPiPxOLXmsEt9g/EnZcT+I
-87QhZk40kW7KX5OBxva4sFX9c7s/S9MqqdlXiNFLFBAe0+v7DLnTAgMBAAGjGjAY
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBDQUAA4IBAQDwtqjh
-hv25LBty0Q+MEJfQFeXNqkrAcf09SPzK2R5TBsJ/pvhXAsN8qRt8F9YuSFCKa/+Q
-LhkDx7cxJwTOjOAtQ23K1r2zyepmbkjYyhzK7ixBWEAIVQ5MOE32FhT9eDDGc4jN
-us5dJd/PeUXXuFG5xp3bioI1rAnuLnN+ho0j0DkWQF4QS7rZYxizQEMZNUlde1UK
-njrzrjMOm0/RBxYzMtdPwkM1MU3mOfKKEvprq0vcqhjL29+1n1j/VLzer8lVBGpg
-R2hNGBVRK4fDqtmG8C1C6iP4MFnHT12E6bBcNaZjxOBmx9j6LBdQr1mpOJrYO1Pm
-Puq9wFHT4/2dO5RR
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.csr b/qpid-test-utils/src/main/resources/ssl/certificates/app2.csr
deleted file mode 100644
index d97b9ff..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/app2.csr
+++ /dev/null

@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICpjCCAY4CAQAwYTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
-DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxFjAUBgNVBAMM
-DWFwcDJAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3
-FoVu3vV3QmPscrjjqS+zNBpoWzkbdI1SCEIvpzCEEJZ8gxNS8+9HI44lTzIvuB1V
-7Pv7lXWatQSDZ3tYCilxxy3unEQCkGLcHuTUnsmsOz50y5efwBv/dTabTNvaP+tA
-bvgcqQFUAvkvHFlRYYRRaLBkLBEMKwgin8EABjYVArutnDu4kxVZzddigJ8gpKJ9
-RqUAmBYgSEm+CNeync9AO+KgLb67PeErzOT4KfCoW8wYNfcTqC4WMmU1lHN+NKOX
-ZVNCQYVz6zaPiPxOLXmsEt9g/EnZcT+I87QhZk40kW7KX5OBxva4sFX9c7s/S9Mq
-qdlXiNFLFBAe0+v7DLnTAgMBAAGgADANBgkqhkiG9w0BAQ0FAAOCAQEAYykrDIFO
-fbRXKcoh07aCAkW2KBX1L+wkCDWBQO2NQH0uvRducLHLQTF7EYjTUQ2WbOXDJLCT
-1NbtANvxU5xNJsforHGTZCGvQqMSMMlwe8mr82ttCMcQwGkmpq8FlGsD+3JpYZPI
-Yb20yvmXk2jIvCK44axyMgHUgHMdoT6BrX5YFC993gjfKu3CpEEIMuFidulM/vEY
-WiNhnlBBpHN3ijrWn8BVc81VI6jP0z23nKMYgayaGIZ7GQOI3Rmk/WIowU68D+Ac
-X4AhDZaofAGejybD2yABPE07/2IPHEXotWgKSHwDJCLU6VpUX3MePqLwDjA8tW8y
-jfmnHdB1vIy8NQ==
------END CERTIFICATE REQUEST-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.jks b/qpid-test-utils/src/main/resources/ssl/certificates/app2.jks
deleted file mode 100644
index 56d2a8a..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/app2.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.crt
deleted file mode 100644
index c472d16..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.crt
+++ /dev/null

@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDozCCAougAwIBAgIULw9lb2weHwTmE11idVFtoGtBm+YwDQYJKoZIhvcNAQEN
-BQAwYTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
-MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxFjAUBgNVBAMMDWFwcDJAYWNt
-ZS5vcmcwHhcNMjAwMTE3MTIxMzUyWhcNMjAwMjE2MTIxMzUyWjBhMQswCQYDVQQG
-EwJDQTELMAkGA1UECAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTALBgNVBAoMBGFj
-bWUxDDAKBgNVBAsMA2FydDEWMBQGA1UEAwwNYXBwMkBhY21lLm9yZzCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBALcWhW7e9XdCY+xyuOOpL7M0GmhbORt0
-jVIIQi+nMIQQlnyDE1Lz70cjjiVPMi+4HVXs+/uVdZq1BINne1gKKXHHLe6cRAKQ
-Ytwe5NSeyaw7PnTLl5/AG/91NptM29o/60Bu+BypAVQC+S8cWVFhhFFosGQsEQwr
-CCKfwQAGNhUCu62cO7iTFVnN12KAnyCkon1GpQCYFiBISb4I17Kdz0A74qAtvrs9
-4SvM5Pgp8KhbzBg19xOoLhYyZTWUc340o5dlU0JBhXPrNo+I/E4teawS32D8Sdlx
-P4jztCFmTjSRbspfk4HG9riwVf1zuz9L0yqp2VeI0UsUEB7T6/sMudMCAwEAAaNT
-MFEwHQYDVR0OBBYEFGRnSSgAdfPDfjACvy7JWsifafjeMB8GA1UdIwQYMBaAFGRn
-SSgAdfPDfjACvy7JWsifafjeMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEN
-BQADggEBADAWS3rkEAo9y3hsXRMy9nfEx0LIRzMILeRSCc87QlUKKxYGph9AQ0QJ
-JWljYjM0Dg11ByrNVBODL7E62MX3hWKxYRPv44J6jQgbg9pBINdxFR1MwvtRSYtz
-069YduP0Ws8FVB35U8dvSFOgOBWhXCh5QTPznkAmopPr/QQxcjQnPWWpmadjNc3x
-EBDwoHyigne+zBcUVQiaKgN2YbvTbB7WzEidHWrPOcXv7JH/PbZNfwGrG4SJLH92
-uvgBwyOi/dwplcTAfDE+PuRDLOBAyht30XCwpWHjG2HINx0N2esvG8g/v5J3USRo
-jU0wSLthobqjv6/mJkIAfdbkPSrY9p0=
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.key
deleted file mode 100644
index 64544a9..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.key
+++ /dev/null

@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIEndyItP4BKwCAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECBjmbsUCrUCTBIIEyDtTeDzGARWT
-w5X6wVjcwmvf/Vw2cczX8MUBWNkIHGSNTDHv6IlFxYA6SXCMy12OpaJiHr6CGp9A
-juyBn6C8AsKHxSgoMrImSt5RGRCQSSkq9bCpPGQR7/l6X+Z5yVG9XJYRxK6vXIG4
-mfkcIq2E5sV89v79aISvotXvTeVUfd++6CPahzpf6zZ6rKLp7AWIcZF5qQG+5Gdk
-1q5iOCcZtT04LQsAcEJCM8GQoXNDNTHwDvWi9DZ+yry0kTn0Lz8QMXOhVqf8gJKa
-/vded9cixbXk5QNQgFswZOSeEB7hWpT88VLoKl6VJOCGPERtyUMhwal/IvMX98Ad
-LDUBGd13WjP3EA3yAOI/W4V3TPJVJZD4xKgqhU+gnohfl1XU+evOu5+HxbDczAp1
-QyN0ni325c/jgXfcihN9AZrAviMz4GZLj55uTSmtCUaug8CCwRu5uxdmmA4BJCl1
-iFJmZzZIvqw5R9BIsu63/xHZYiYAvNDdIvBmJqPz2ka+vSWbGRT1bqkrpos/6LtU
-griby3OtfvyvNbWokQymDBHVxYZokio26UIrc4Z2IUsS0354J+GyOiZ0oFe1DfTs
-1taEQGgTWsfJpRs+xNjaImhPN5AJZRKLgzsOqXLZofYiv/Rexq1AaZTGMzr6xt3Y
-QL0+q7KJ3DBAQxkST4ARo6bVNb9MPgOjXDpvvjJOfbuwR1jlgSHBFM4OBEEI5xV3
-avurI3pE+GnXY+lJCeuSwATnxeUJoHzcUn6QmdkB8Li20ovzXJs8PgBq/dD2rG4d
-tkMUnwsd0dwmYaDVstM9awkP1+EvzZ2O3wiHzqE2jE1bRNIj+8bKSWxSCrF9tGi1
-YCDLCGk0BTaNCaaIFFxNTxgE81GsrgqQvfLCsUljF04Lbj/ZvzcLdW82FkFSjUBa
-Z7sXwq8NOJsGjVp8Akwf4Z702PZVnj/lV25PLj53ayRcvnO2PLkLdwdVLJyFt6ES
-CelAz1d2ejww1NKj+ipJuQ9Yun1d+21HBLQGYCnST/rzet+JcuQMw0QIQBvVioLZ
-KS1V/yi/u5Rvos7x3RQyIJITY4HP9tvTKftdIW3M5nEkMNuHHAcZUrv83YJkzt1T
-1Sd/qVOupGHA/DYvUVPn0v48XxRjWF/jpf1Jdd4EeuYIYRmZH0I3wRvuc0qyT6nV
-CxoART7gzaLeWYLx67gaSguojYbCzWRnBSBAq/Wy2fcHMKZ7DywMWJwn0dqofeuM
-ZABB2jWKGuHLrM3wfzcGJLIlaHG0RESn8ThqwMODRaqTgxQP0y4E2CabDSeco6fK
-g8InlTKlHxB6u2AcDpPTeBh9om7AXvs7iT0rWrhEU7FxCr7NjAHaQBMmltS4uv9q
-wNZ0uqg++s5wIr9dzkBNjEJvk89HKtkLwYQgie9OdbaQEz0xV3S06ChvaH0nXtQu
-+/K4Gw2yR8mLA3TCHSlNe/q5daRNhjXzmX2erK5u8UsZFU6Ln6M+kvbYvtlG6rSR
-N7njPcUwCa+juvP8LxQEJUE3OgWeLM/0S2LiJz69XnCHz886VAoMETIs7sgfI0lP
-I2qgD/sB7eFgsPPstZyIf41PVssf+03vZ8lCLUqnZuDLLZO/l//CDRdBWIZvJ8pk
-pRdP0ZJdSqZryf9eSBfnRQ==
------END ENCRYPTED PRIVATE KEY-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.crt b/qpid-test-utils/src/main/resources/ssl/certificates/broker.crt
deleted file mode 100644
index ca6dc2f..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/broker.crt
+++ /dev/null

@@ -1,74 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 4662 (0x1236)
-        Signature Algorithm: sha512WithRSAEncryption
-        Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
-        Validity
-            Not Before: Jan 17 12:13:57 2020 GMT
-            Not After : Jan 17 12:13:57 2024 GMT
-        Subject: C=CA, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=localhost
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:d2:28:a5:31:6e:85:97:8a:39:c0:8a:21:ab:bf:
-                    cf:93:39:03:cb:63:6b:f3:47:6d:3f:50:24:06:bb:
-                    3d:25:14:cc:b2:d3:50:62:1a:71:18:5a:98:97:8f:
-                    fa:45:70:ca:b8:98:9c:60:78:03:c8:a7:2a:b2:d7:
-                    53:e3:b2:71:52:b0:7a:0f:12:42:63:a7:2f:d9:c0:
-                    bc:50:da:5b:3c:52:ac:bf:fa:6e:c4:80:f7:b7:e2:
-                    e9:53:53:55:95:24:72:de:63:2f:59:dd:8e:8a:13:
-                    11:17:44:03:41:c0:95:f9:8b:dc:05:e9:1e:ab:3b:
-                    72:e8:b1:5c:c0:0a:ed:c9:11:6e:30:79:65:71:e8:
-                    3d:2c:c0:0a:5c:dc:92:22:1b:f7:06:2e:f4:7d:1f:
-                    ea:c5:a5:57:91:1d:f2:f6:44:f1:bd:25:f2:1d:fe:
-                    a0:68:d1:38:7e:5f:0a:5d:37:47:f9:ca:9b:c0:0c:
-                    a9:ae:7f:e4:0b:cd:85:e5:8b:91:6e:35:74:f7:6b:
-                    04:a3:10:67:1c:fd:bf:c2:1c:2a:dc:a7:04:93:98:
-                    48:03:cc:8f:fc:d7:65:8c:d1:9f:07:63:0b:04:86:
-                    01:d7:37:c7:a2:6d:4e:04:cb:a0:2f:ea:23:2a:59:
-                    ff:f0:b7:16:fc:fb:56:9c:4a:2f:e2:8b:3f:ad:25:
-                    53:19
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            X509v3 Key Usage: 
-                Digital Signature, Non Repudiation, Key Encipherment
-    Signature Algorithm: sha512WithRSAEncryption
-         dc:c9:fd:ca:91:81:b8:18:33:c5:bb:0d:f0:cf:88:ba:92:21:
-         73:1f:9d:bb:98:9b:e6:09:fd:92:ff:c2:58:23:01:97:a4:09:
-         8b:d7:63:b6:63:f4:fd:96:f7:ef:5a:f3:be:15:92:72:15:2c:
-         7c:e7:d5:e1:13:cc:70:19:87:c5:c9:13:83:7c:28:ad:02:16:
-         11:6a:ab:b6:80:41:ca:6e:5b:89:48:42:27:74:e3:44:a1:51:
-         3b:f3:e0:b9:11:45:75:f8:d1:eb:9a:1d:04:7c:e1:26:be:55:
-         b5:98:d5:0b:38:24:67:78:3e:f0:52:5a:2c:72:77:02:0a:78:
-         f5:73:24:26:73:c6:1a:62:8c:e1:5d:61:71:40:e7:1f:de:f6:
-         39:a4:c5:84:c8:b6:d8:2f:b1:1d:19:bf:25:75:9f:1f:a9:7d:
-         09:52:80:dc:6c:8a:40:d9:cc:cb:99:db:e8:85:6b:dc:49:fd:
-         68:2e:71:d1:a8:ad:10:cb:28:1a:cd:04:c6:63:cf:11:30:18:
-         7c:4f:71:f3:70:84:ed:8d:e8:b8:2e:df:b2:a3:7d:68:64:28:
-         26:5c:1f:ec:1e:db:90:09:7f:40:cd:55:bd:1b:27:bd:34:6f:
-         82:9b:a9:83:fb:0a:67:66:50:32:5d:c6:06:82:cc:83:35:22:
-         ee:88:7d:b8
------BEGIN CERTIFICATE-----
-MIIDQDCCAiigAwIBAgICEjYwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
-EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
-dENBMB4XDTIwMDExNzEyMTM1N1oXDTI0MDExNzEyMTM1N1owaTELMAkGA1UEBhMC
-Q0ExEDAOBgNVBAgMB1Vua25vd24xEDAOBgNVBAcMB1Vua25vd24xEDAOBgNVBAoM
-B1Vua25vd24xEDAOBgNVBAsMB1Vua25vd24xEjAQBgNVBAMMCWxvY2FsaG9zdDCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANIopTFuhZeKOcCKIau/z5M5
-A8tja/NHbT9QJAa7PSUUzLLTUGIacRhamJeP+kVwyriYnGB4A8inKrLXU+OycVKw
-eg8SQmOnL9nAvFDaWzxSrL/6bsSA97fi6VNTVZUkct5jL1ndjooTERdEA0HAlfmL
-3AXpHqs7cuixXMAK7ckRbjB5ZXHoPSzAClzckiIb9wYu9H0f6sWlV5Ed8vZE8b0l
-8h3+oGjROH5fCl03R/nKm8AMqa5/5AvNheWLkW41dPdrBKMQZxz9v8IcKtynBJOY
-SAPMj/zXZYzRnwdjCwSGAdc3x6JtTgTLoC/qIypZ//C3Fvz7VpxKL+KLP60lUxkC
-AwEAAaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcNAQENBQAD
-ggEBANzJ/cqRgbgYM8W7DfDPiLqSIXMfnbuYm+YJ/ZL/wlgjAZekCYvXY7Zj9P2W
-9+9a874VknIVLHzn1eETzHAZh8XJE4N8KK0CFhFqq7aAQcpuW4lIQid040ShUTvz
-4LkRRXX40euaHQR84Sa+VbWY1Qs4JGd4PvBSWixydwIKePVzJCZzxhpijOFdYXFA
-5x/e9jmkxYTIttgvsR0ZvyV1nx+pfQlSgNxsikDZzMuZ2+iFa9xJ/WgucdGorRDL
-KBrNBMZjzxEwGHxPcfNwhO2N6Lgu37KjfWhkKCZcH+we25AJf0DNVb0bJ700b4Kb
-qYP7CmdmUDJdxgaCzIM1Iu6Ifbg=
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.csr b/qpid-test-utils/src/main/resources/ssl/certificates/broker.csr
deleted file mode 100644
index d459aab..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/broker.csr
+++ /dev/null

@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICrjCCAZYCAQAwaTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB1Vua25vd24xEDAO
-BgNVBAcMB1Vua25vd24xEDAOBgNVBAoMB1Vua25vd24xEDAOBgNVBAsMB1Vua25v
-d24xEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBANIopTFuhZeKOcCKIau/z5M5A8tja/NHbT9QJAa7PSUUzLLTUGIacRha
-mJeP+kVwyriYnGB4A8inKrLXU+OycVKweg8SQmOnL9nAvFDaWzxSrL/6bsSA97fi
-6VNTVZUkct5jL1ndjooTERdEA0HAlfmL3AXpHqs7cuixXMAK7ckRbjB5ZXHoPSzA
-ClzckiIb9wYu9H0f6sWlV5Ed8vZE8b0l8h3+oGjROH5fCl03R/nKm8AMqa5/5AvN
-heWLkW41dPdrBKMQZxz9v8IcKtynBJOYSAPMj/zXZYzRnwdjCwSGAdc3x6JtTgTL
-oC/qIypZ//C3Fvz7VpxKL+KLP60lUxkCAwEAAaAAMA0GCSqGSIb3DQEBDQUAA4IB
-AQCteBfB/t9udR7E2RYZHdSICnrrXC7oOcMbNXv/eq2FtHV5XnqglvGsyzzHkE2/
-aGqZUvyOJqrA+m2QCg0Qtq6WvDV10Qbaebr921tQMlVQxeLd/AkGBZOC0Z9Wi+ne
-r/9ODUm/MBp3PbiKOdEhb3gXIsa+CqSHl6qaCtwIcGtY2UW/jr078H0eTML0rh6C
-+BW275y6ApXSiSS5IKrCd6Dfto7Vh0ZakCIOmz3cCM3+VGTn0cXF6mFDyu7bA6gw
-8QdBET9nzbyrwfnH/vSVh5YxNHIj+A1NZlphHyJslYaW4lg2GAbGsdqAK1dW11Ph
-OGI7Qjr59HrsFYjFRr4+42Se
------END CERTIFICATE REQUEST-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker.jks
deleted file mode 100644
index af8d5d2..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/broker.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.crt
deleted file mode 100644
index 03db86e..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.crt
+++ /dev/null

@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDszCCApugAwIBAgIUOJtin1zcTHJQCk3RtZJyDaL0O+QwDQYJKoZIhvcNAQEL
-BQAwaTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB1Vua25vd24xEDAOBgNVBAcMB1Vu
-a25vd24xEDAOBgNVBAoMB1Vua25vd24xEDAOBgNVBAsMB1Vua25vd24xEjAQBgNV
-BAMMCWxvY2FsaG9zdDAeFw0yMDAxMTcxMjEzNTdaFw0yMDAyMTYxMjEzNTdaMGkx
-CzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdVbmtub3duMRAwDgYDVQQHDAdVbmtub3du
-MRAwDgYDVQQKDAdVbmtub3duMRAwDgYDVQQLDAdVbmtub3duMRIwEAYDVQQDDAls
-b2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSKKUxboWX
-ijnAiiGrv8+TOQPLY2vzR20/UCQGuz0lFMyy01BiGnEYWpiXj/pFcMq4mJxgeAPI
-pyqy11PjsnFSsHoPEkJjpy/ZwLxQ2ls8Uqy/+m7EgPe34ulTU1WVJHLeYy9Z3Y6K
-ExEXRANBwJX5i9wF6R6rO3LosVzACu3JEW4weWVx6D0swApc3JIiG/cGLvR9H+rF
-pVeRHfL2RPG9JfId/qBo0Th+XwpdN0f5ypvADKmuf+QLzYXli5FuNXT3awSjEGcc
-/b/CHCrcpwSTmEgDzI/812WM0Z8HYwsEhgHXN8eibU4Ey6Av6iMqWf/wtxb8+1ac
-Si/iiz+tJVMZAgMBAAGjUzBRMB0GA1UdDgQWBBR++4fRzlzZ2FNRkZ4QomvvNKVS
-ITAfBgNVHSMEGDAWgBR++4fRzlzZ2FNRkZ4QomvvNKVSITAPBgNVHRMBAf8EBTAD
-AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAb0ajrigWwT+KZwq2vfuZX8Xt4XQGclH8E
-PoNgT3johckZMmTYUccCPN/+qWbNigmOWpo8VKHAAAqHU+RoGG4/eVdd6Il4Q10b
-wgHVY1JA3LOmDmjGEV6kVNOiIuCEhoiN5YLG9THUY9a/SJj+MGMsKpmdDUmmX02b
-9PHOgc6pAwCm3/hO/XyUjQZxuaB7aDUpaL+pA//6lEVk/n5PzG8IAi33Cp9AEMlZ
-+6/eCb/eMZ4yoR5cQNi+l6l3ifONEDe6uJ+Wk7ahSbKTi5Maoddt5BER2jmRCDbr
-yNfRBcK2iMHVtTPMI3P9OOmudEYSFOJOdRUZpmGmAuTeuCganQjb
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.key
deleted file mode 100644
index 5ccb683..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.key
+++ /dev/null

@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIuBQNMa898kwCAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECCeLmeQ7xDnuBIIEyMsJVjaLP/XS
-nEhHrGp0Xr0AkP0ZhqN8ZUPoaL8RQCXe14tYY4LjB3NANSxCLO8i6yKyvlG6KZyK
-e5vyqlH4q41AUG5lo4Q3fDFNMP0ilgKusFE06ju1UhKf4TiElO6xxhq+ZuOsunME
-y2akyYz4khl6YrqQl6vDIN0/WYFprbh0iT66WCwe8/Bc0JBCn053pwWiqUNJXoXn
-EXytxqTYVP2H/H87M/I0vrweu5rZyxnk3HvBoJbyBrJTsZn4VFS+cIC2E4YADjD7
-qfq7iIyv94/EdqvJmQH5XttfZ/7amj+XvxLOoYtyuOOagSWrlDJm6vATSJd7G1mj
-soxHdd5hGZ4lpvFFrXjWR35PeBUUqihfkZ1cnGs4TRJZL3T+bvYdcfAEA3oxdSLh
-QKwbsY3j/LJRqGHIAzE4z82F/nEltHTHohwYKDE0D5nn58wqhD1IImHmd2uQu6SJ
-kGmHLlzbZiFz4mvqk1Tk63zoeKwioQgXj0OA2KJSV7Oz5nPB4O+/5jfu7jiL31Hh
-FEleRvTfBslTwnF6NSR74uVGSQt/CsWDOR/Ok70oSa2Ddy8Lty9e4LXSmhNGqaf1
-fFAt1E35ZQrZ5TIMjwlU2AgOS8znhMBLuAfZdCPogSbmPYMAI5b7yYwPih/2qywc
-Qxq9SBdqGditdyTliBYPpmJrx8lrhcO6aXjFVuUH5X5NGXs+xiY2V6ppFdlVepXa
-c5WfZzLqYrNdGp5nd8n831/7m1LS9zqXSgb3uz3axppIgT94BSamlyBLPv2xKVaZ
-wxZlh5rtgV9Udl2ocFyOUnXBLRapMEje57e44ShcoLr8F1S7Yi5q7gCg7eqfnrm2
-AOqJ3ZpYnDPRvo3PyW1mg6q/k/RF6BEdXcb8lM+KhGBRwufC8ym12RKwjcI8EK5w
-OB5LxjpH6we5RpVdTPnpJl0TvBEqh2LiWMpshHoK7NWCtr7vNI4KAn4nu01uofwC
-lEYFdr57I+0SawADff/ENRNqXgMsAbPvwFsaoq9cLZc71ugu4vrD+drkPrwO9eXR
-ailGVJfdgp6UqreLuVvDuQIQNr3Qagj0ujWw10usrBK9qdtpN60Eeuhch2l4ajLh
-WjwzJrRZ6g1bC5hH9U94XW0mJ7f/6BMzdGKDoBQ7zbxLSrsc/oTpTFaki5ICW9Mv
-WhF9yRCVS0Gcxu+sOZcvjZsVqGV5zqSRtWnjURMDddX79XGPEvAOSubsYjOhK49U
-78R/m/4FfrRQl4pTuTCGYUqDnLXPTxWMJJ5vEDrWTx26cGrBTsiBg7/gbn5CqSAA
-l0vDfpFNCJ9vyHoeEhEc8aBRz9hklHCDm1wIWXfwYnsE4L3V2qp/0WKvj9NHXE5C
-6FWYzr33ImsqEuavLXsFer2ZVF/Y38f8HNj9z5hg77YTbZNCg5jHYfMPunEGikCo
-B5jwen7DSt6zZOH91dncir8XcgGOXY0XocE6aalDGit01lFDPFPNc0aGsyA2m6Be
-4CNxVbfNkHZBtY8A4Q+Invij7vVUG0Afc7vDc595JsJ4m0sHmkQ3xLJVfhV8APXD
-pQXbv9o0HDPjb45irIex8WMitj/lU60FuSMjDd0DElA18ImR+4tBPWjXvxZeRkgd
-k/8a1P4XOl42rFaN1YOWhw==
------END ENCRYPTED PRIVATE KEY-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker_expired_truststore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker_expired_truststore.jks
deleted file mode 100644
index 077274a..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/broker_expired_truststore.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker_keystore.jks
deleted file mode 100644
index e789738..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/broker_keystore.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker_peerstore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker_peerstore.jks
deleted file mode 100644
index b306a9f..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/broker_peerstore.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker_truststore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker_truststore.jks
deleted file mode 100644
index 2bc0f4f..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/broker_truststore.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/chain_with_intermediate.crt b/qpid-test-utils/src/main/resources/ssl/certificates/chain_with_intermediate.crt
deleted file mode 100644
index f9dd3e3..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/chain_with_intermediate.crt
+++ /dev/null

@@ -1,105 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 4665 (0x1239)
-        Signature Algorithm: sha512WithRSAEncryption
-        Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
-        Validity
-            Not Before: Jan 17 12:14:01 2020 GMT
-            Not After : Jan 17 12:14:01 2024 GMT
-        Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=intermediate_ca@acme.org
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:cd:1b:03:cd:bb:56:19:11:47:00:bd:f2:60:d8:
-                    31:34:9e:06:cf:9c:1e:59:27:c1:99:c0:73:b3:14:
-                    90:09:c5:8b:3c:fa:27:5f:54:fb:0a:0c:49:1c:f4:
-                    6f:7e:82:8b:c9:d8:a3:6b:a3:9b:0d:f4:4c:ec:95:
-                    47:f1:55:d7:a3:e3:61:0f:dd:32:07:cf:d9:ed:01:
-                    58:aa:4f:d8:be:0a:18:cd:08:f6:6c:ee:5b:20:9c:
-                    fe:55:97:08:99:52:86:2c:d0:6e:5a:db:6d:14:17:
-                    87:e4:e0:d9:ec:9d:22:7c:04:89:d4:5f:b4:fd:73:
-                    9f:82:29:92:97:30:c7:9c:73:d1:a2:8b:0a:02:39:
-                    02:7e:c2:c6:c7:05:1d:16:97:e7:40:54:8b:cb:33:
-                    44:41:b0:44:5b:64:c6:21:8e:89:75:1d:c2:84:a0:
-                    90:48:c6:9b:ab:36:b5:06:cc:c4:48:d6:64:c6:af:
-                    f8:c1:40:ee:10:18:6a:20:ca:ca:d9:11:78:8f:56:
-                    50:8c:04:01:28:a4:da:f4:d4:d1:50:03:47:3f:9b:
-                    b5:5b:e6:25:9f:85:4d:2b:b6:ad:21:4d:97:d2:53:
-                    00:bf:51:63:c2:4d:aa:49:04:81:ab:b5:97:c6:bf:
-                    82:02:94:ef:04:b7:bd:43:50:26:cc:53:eb:ab:75:
-                    d4:0b
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://localhost:8186/MyRootCA.crl
-
-            X509v3 Subject Key Identifier: 
-                FF:6A:19:05:FF:1A:9B:17:7C:72:5F:9F:8C:42:B0:15:DC:6F:D4:E2
-            X509v3 Authority Key Identifier: 
-                keyid:D8:34:F2:4C:A5:AC:01:A4:3B:54:66:AA:F7:DB:C3:C1:F2:BF:E6:CC
-
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-    Signature Algorithm: sha512WithRSAEncryption
-         4a:7b:89:b1:f3:db:79:bf:c6:2d:6c:82:f3:3c:4e:33:ca:72:
-         a8:5c:68:a8:f5:09:81:03:07:90:c1:dc:29:06:17:c4:f4:b7:
-         cb:7b:65:2f:68:23:68:ce:b6:f6:96:2e:6d:84:35:6a:9f:e4:
-         c2:46:50:81:df:e5:cc:fb:2e:73:6b:83:2d:41:9f:92:14:32:
-         d5:52:60:32:13:02:3e:c3:35:0b:fa:58:c2:3b:4a:17:a5:87:
-         c8:ca:ba:c6:11:94:9c:1a:d5:d9:23:22:62:0d:a6:19:b4:54:
-         cb:0f:a4:a4:d0:24:a3:bc:3c:7d:af:e7:cb:45:22:ac:b8:f4:
-         b7:f2:64:09:1a:27:b7:ab:1a:26:3b:f1:b2:8a:5f:36:21:a2:
-         30:9d:ed:8a:3b:7a:2b:ab:97:99:aa:d0:7d:b6:85:46:11:d2:
-         d7:5b:ba:64:6b:b1:27:85:55:10:be:44:bf:4b:80:75:ff:cf:
-         7a:6b:65:86:4f:50:40:7c:38:e4:3a:3b:9d:1d:be:79:31:5e:
-         b5:30:ae:b2:2c:bb:de:a0:ae:f1:90:d3:69:f9:d8:3a:82:d4:
-         71:aa:92:0f:f1:33:60:2b:3c:76:e5:08:4c:e5:32:23:45:97:
-         68:aa:11:92:88:48:02:bf:e2:59:8d:67:91:a8:8c:b0:3f:ed:
-         15:cc:57:ee
------BEGIN CERTIFICATE-----
-MIIDszCCApugAwIBAgICEjkwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
-EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
-dENBMB4XDTIwMDExNzEyMTQwMVoXDTI0MDExNzEyMTQwMVowbDELMAkGA1UEBhMC
-Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
-MQwwCgYDVQQLDANhcnQxITAfBgNVBAMMGGludGVybWVkaWF0ZV9jYUBhY21lLm9y
-ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM0bA827VhkRRwC98mDY
-MTSeBs+cHlknwZnAc7MUkAnFizz6J19U+woMSRz0b36Ci8nYo2ujmw30TOyVR/FV
-16PjYQ/dMgfP2e0BWKpP2L4KGM0I9mzuWyCc/lWXCJlShizQblrbbRQXh+Tg2eyd
-InwEidRftP1zn4Ipkpcwx5xz0aKLCgI5An7CxscFHRaX50BUi8szREGwRFtkxiGO
-iXUdwoSgkEjGm6s2tQbMxEjWZMav+MFA7hAYaiDKytkReI9WUIwEASik2vTU0VAD
-Rz+btVvmJZ+FTSu2rSFNl9JTAL9RY8JNqkkEgau1l8a/ggKU7wS3vUNQJsxT66t1
-1AsCAwEAAaOBiTCBhjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vbG9jYWxob3N0
-OjgxODYvTXlSb290Q0EuY3JsMB0GA1UdDgQWBBT/ahkF/xqbF3xyX5+MQrAV3G/U
-4jAfBgNVHSMEGDAWgBTYNPJMpawBpDtUZqr328PB8r/mzDAPBgNVHRMBAf8EBTAD
-AQH/MA0GCSqGSIb3DQEBDQUAA4IBAQBKe4mx89t5v8YtbILzPE4zynKoXGio9QmB
-AweQwdwpBhfE9LfLe2UvaCNozrb2li5thDVqn+TCRlCB3+XM+y5za4MtQZ+SFDLV
-UmAyEwI+wzUL+ljCO0oXpYfIyrrGEZScGtXZIyJiDaYZtFTLD6Sk0CSjvDx9r+fL
-RSKsuPS38mQJGie3qxomO/Gyil82IaIwne2KO3orq5eZqtB9toVGEdLXW7pka7En
-hVUQvkS/S4B1/896a2WGT1BAfDjkOjudHb55MV61MK6yLLveoK7xkNNp+dg6gtRx
-qpIP8TNgKzx25QhM5TIjRZdoqhGSiEgCv+JZjWeRqIywP+0VzFfu
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDYzCCAkugAwIBAgIUAzgWkwkl4wOLx+GiJZVnG3I2cNEwDQYJKoZIhvcNAQEN
-BQAwQTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFD
-TUUxETAPBgNVBAMMCE15Um9vdENBMB4XDTIwMDExNzEyMTM0OVoXDTI0MDExNzEy
-MTM0OVowQTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoM
-BEFDTUUxETAPBgNVBAMMCE15Um9vdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEA+CXc5ld4yp+N6ns0HA8aPI2AUDPcbhs558F713/amq6KzueuVBJ4
-UBMdFqGI2Ul2RbEJuy/qxYqTDqtPNMorzLgK47NrDnZ0cdE/DlavSyCQmNoE0Ksr
-XBTbIk0uEKKObJSYiW+8ise6cc+5Q83woG5OzUj6E/uX/TFYsSbsaLaG74HY8ajI
-bHDEPOnRlqWV/Z8ADvjpplxXuAXyhA7YYMA/WlXAp3knLFEZTJduVeH+U9gn3lif
-9zjUxuaNBioTJcnHnbanc3z2q5CvTbzhlUjOuWJ28dJ+QHr60bw4EEwM+akavU+O
-9GK2Dh2oqLAOJ/z11I5F6LX7NEOprpt0owIDAQABo1MwUTAdBgNVHQ4EFgQU2DTy
-TKWsAaQ7VGaq99vDwfK/5swwHwYDVR0jBBgwFoAU2DTyTKWsAaQ7VGaq99vDwfK/
-5swwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAQEA8p51vGg8YT6y
-Aiyeps/ggms5/vkuH3AdI2OqC1RbIIx2Duia1EiH+Vxw0I1B7jJ9tZOsZfJVLmcr
-qlToReTTceGSRt22JvV7vpB/mn7y1z5Pz9Inw/eWTC32frzzLdayGv3/EhArsu+B
-eW6EemnXN4UxRc4rkCcYqz3WJJ/NollBwzqhpmFqo0sArZ7CSkz9+2U6sayZsxA3
-zT+4aj6vIp6Yv/USgX86VrdO1sBhJKlosEOlJqyorpjutv4fl4hR04/yU+Kw/sdG
-9ZA5Q9zrV0ooZ+635K1Z4Xr2rCH/38ltUZnFWD7D0w/z+QhonxXdnwbudtedSybo
-VPvWVRUaVA==
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_expired.crt b/qpid-test-utils/src/main/resources/ssl/certificates/client_expired.crt
deleted file mode 100644
index 7bc29f1..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/client_expired.crt
+++ /dev/null

@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICvzCCAaegAwIBAgIETVtknTANBgkqhkiG9w0BAQ0FADAQMQ4wDAYDVQQDEwVV

-U0VSMTAeFw0xMDAxMDExMTAwMDBaFw0xNDAxMDExMTAwMDBaMBAxDjAMBgNVBAMT

-BVVTRVIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmNDDbMbSISBF

-2ztm8e3Gp02s0rW8pjG7sEYKLMgkXNVRMX6nOFQ1Tuj6yuBk/qlBuSyYigfTPjNx

-qjz0pxLXPbFQfzaTzLQx+AIx1JRhdpHxY//M7vfIJaLOj7MvngWvjFX6MwwKlvkG

-z/H6+R4S3QE852XkUQvvxMVa7kHuUdzDUx7ARhsUME28/XzsJldEGiuPJZYLPpdg

-GAvJPO47+gr9zUWksL4fjXgYV2lZiAWcb1WcL6/zssBLnseRkQe/g+b7q0tT0FAX

-rqCfVaVZSRntrLu4AK88JUWfQkEKDRux2XZ5cAYofelZiiIikRBubuHlhlt0bqwo

-AJiAh4ANowIDAQABoyEwHzAdBgNVHQ4EFgQUTHUNeU67sKZ+bWeh521ZpK/wzckw

-DQYJKoZIhvcNAQENBQADggEBAIs6DQA+3v8L+TdVEHlk8eTOUo46Z0e9fpQgSfLb

-0aM/gpdq1ZBxP/RkDouSvZpDBxZnWZNo8I9/cQ2tc7K8rWv4lyq6tDbSgIuRIBk8

-v50ujPMPiKSeTdJXTVi1f2TAsYwnG4cSxDBF0Gu7qXEckRtktDs6uHC0D1Rzcirr

-3gANGDk/S3yS6vumooRKZ22AOiBp6uE0awa1jTZAyLvC+LY47XKfFUTf/9+E0umz

-3a3sIzET20YSf8xrK6kFBIrqAM7sF3303+nHsfx12BIA19tUjlHKBTbCCrL1u2GL

-gD0wA9jYPAhbtKSh8GbZtNhDhJxfopwhIuFFSfcKbO8OeUY=
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_expired_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/client_expired_keystore.jks
deleted file mode 100644
index a3c29eb..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/client_expired_keystore.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/client_keystore.jks
deleted file mode 100644
index 1d21f01..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/client_keystore.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_truststore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/client_truststore.jks
deleted file mode 100644
index 51593d6..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/client_truststore.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_untrusted_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/client_untrusted_keystore.jks
deleted file mode 100644
index b788861..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/client_untrusted_keystore.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl
deleted file mode 100644
index d32bdf9..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl.pem b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl.pem
deleted file mode 100644
index ded7194..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl.pem
+++ /dev/null

@@ -1,12 +0,0 @@
------BEGIN X509 CRL-----
-MIIBxjCBrwIBATANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJDQTELMAkGA1UE
-CAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTALBgNVBAoMBGFjbWUxDDAKBgNVBAsM
-A2FydDEhMB8GA1UEAwwYaW50ZXJtZWRpYXRlX2NhQGFjbWUub3JnFw0yMDAxMTcx
-MjE0MDFaFw0yMDAyMTYxMjE0MDFaoA8wDTALBgNVHRQEBAICEjQwDQYJKoZIhvcN
-AQELBQADggEBAI31QLg89gCYaB3yGaPAJG45ENz4L6sKf8X7H6sZfnnEECIfMDeF
-Wuu5ummkvSKyHVDj5m5FT9W6mKj8JkXUfGS64ssR361BixlBfmsVj5y3upXmuEta
-x03Ewqp888NaZyxK749J+1pfo5XOq0OUTe0+J1gTrS+JSWO3194MohtqkOQ11FHc
-9nDqZo49Bi+gqvulu+t1uPfM7i2RHgVl3e+gMc7XuguC1obGyuSoFSCW3IcqjuOt
-d1xTz/p/Cx3TqlMFI0uGzXzl11jLu/CDHtMvax5YJ65lV1wK86z6tpENR3Din4X1
-tHZMxga+hGrJikOeu/WZrw2cC1hx9OZU4Fw=
------END X509 CRL-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crt b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crt
deleted file mode 100644
index 19d97a9..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crt
+++ /dev/null

@@ -1,84 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 4665 (0x1239)
-        Signature Algorithm: sha512WithRSAEncryption
-        Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
-        Validity
-            Not Before: Jan 17 12:14:01 2020 GMT
-            Not After : Jan 17 12:14:01 2024 GMT
-        Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=intermediate_ca@acme.org
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:cd:1b:03:cd:bb:56:19:11:47:00:bd:f2:60:d8:
-                    31:34:9e:06:cf:9c:1e:59:27:c1:99:c0:73:b3:14:
-                    90:09:c5:8b:3c:fa:27:5f:54:fb:0a:0c:49:1c:f4:
-                    6f:7e:82:8b:c9:d8:a3:6b:a3:9b:0d:f4:4c:ec:95:
-                    47:f1:55:d7:a3:e3:61:0f:dd:32:07:cf:d9:ed:01:
-                    58:aa:4f:d8:be:0a:18:cd:08:f6:6c:ee:5b:20:9c:
-                    fe:55:97:08:99:52:86:2c:d0:6e:5a:db:6d:14:17:
-                    87:e4:e0:d9:ec:9d:22:7c:04:89:d4:5f:b4:fd:73:
-                    9f:82:29:92:97:30:c7:9c:73:d1:a2:8b:0a:02:39:
-                    02:7e:c2:c6:c7:05:1d:16:97:e7:40:54:8b:cb:33:
-                    44:41:b0:44:5b:64:c6:21:8e:89:75:1d:c2:84:a0:
-                    90:48:c6:9b:ab:36:b5:06:cc:c4:48:d6:64:c6:af:
-                    f8:c1:40:ee:10:18:6a:20:ca:ca:d9:11:78:8f:56:
-                    50:8c:04:01:28:a4:da:f4:d4:d1:50:03:47:3f:9b:
-                    b5:5b:e6:25:9f:85:4d:2b:b6:ad:21:4d:97:d2:53:
-                    00:bf:51:63:c2:4d:aa:49:04:81:ab:b5:97:c6:bf:
-                    82:02:94:ef:04:b7:bd:43:50:26:cc:53:eb:ab:75:
-                    d4:0b
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://localhost:8186/MyRootCA.crl
-
-            X509v3 Subject Key Identifier: 
-                FF:6A:19:05:FF:1A:9B:17:7C:72:5F:9F:8C:42:B0:15:DC:6F:D4:E2
-            X509v3 Authority Key Identifier: 
-                keyid:D8:34:F2:4C:A5:AC:01:A4:3B:54:66:AA:F7:DB:C3:C1:F2:BF:E6:CC
-
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-    Signature Algorithm: sha512WithRSAEncryption
-         4a:7b:89:b1:f3:db:79:bf:c6:2d:6c:82:f3:3c:4e:33:ca:72:
-         a8:5c:68:a8:f5:09:81:03:07:90:c1:dc:29:06:17:c4:f4:b7:
-         cb:7b:65:2f:68:23:68:ce:b6:f6:96:2e:6d:84:35:6a:9f:e4:
-         c2:46:50:81:df:e5:cc:fb:2e:73:6b:83:2d:41:9f:92:14:32:
-         d5:52:60:32:13:02:3e:c3:35:0b:fa:58:c2:3b:4a:17:a5:87:
-         c8:ca:ba:c6:11:94:9c:1a:d5:d9:23:22:62:0d:a6:19:b4:54:
-         cb:0f:a4:a4:d0:24:a3:bc:3c:7d:af:e7:cb:45:22:ac:b8:f4:
-         b7:f2:64:09:1a:27:b7:ab:1a:26:3b:f1:b2:8a:5f:36:21:a2:
-         30:9d:ed:8a:3b:7a:2b:ab:97:99:aa:d0:7d:b6:85:46:11:d2:
-         d7:5b:ba:64:6b:b1:27:85:55:10:be:44:bf:4b:80:75:ff:cf:
-         7a:6b:65:86:4f:50:40:7c:38:e4:3a:3b:9d:1d:be:79:31:5e:
-         b5:30:ae:b2:2c:bb:de:a0:ae:f1:90:d3:69:f9:d8:3a:82:d4:
-         71:aa:92:0f:f1:33:60:2b:3c:76:e5:08:4c:e5:32:23:45:97:
-         68:aa:11:92:88:48:02:bf:e2:59:8d:67:91:a8:8c:b0:3f:ed:
-         15:cc:57:ee
------BEGIN CERTIFICATE-----
-MIIDszCCApugAwIBAgICEjkwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
-EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
-dENBMB4XDTIwMDExNzEyMTQwMVoXDTI0MDExNzEyMTQwMVowbDELMAkGA1UEBhMC
-Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
-MQwwCgYDVQQLDANhcnQxITAfBgNVBAMMGGludGVybWVkaWF0ZV9jYUBhY21lLm9y
-ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM0bA827VhkRRwC98mDY
-MTSeBs+cHlknwZnAc7MUkAnFizz6J19U+woMSRz0b36Ci8nYo2ujmw30TOyVR/FV
-16PjYQ/dMgfP2e0BWKpP2L4KGM0I9mzuWyCc/lWXCJlShizQblrbbRQXh+Tg2eyd
-InwEidRftP1zn4Ipkpcwx5xz0aKLCgI5An7CxscFHRaX50BUi8szREGwRFtkxiGO
-iXUdwoSgkEjGm6s2tQbMxEjWZMav+MFA7hAYaiDKytkReI9WUIwEASik2vTU0VAD
-Rz+btVvmJZ+FTSu2rSFNl9JTAL9RY8JNqkkEgau1l8a/ggKU7wS3vUNQJsxT66t1
-1AsCAwEAAaOBiTCBhjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vbG9jYWxob3N0
-OjgxODYvTXlSb290Q0EuY3JsMB0GA1UdDgQWBBT/ahkF/xqbF3xyX5+MQrAV3G/U
-4jAfBgNVHSMEGDAWgBTYNPJMpawBpDtUZqr328PB8r/mzDAPBgNVHRMBAf8EBTAD
-AQH/MA0GCSqGSIb3DQEBDQUAA4IBAQBKe4mx89t5v8YtbILzPE4zynKoXGio9QmB
-AweQwdwpBhfE9LfLe2UvaCNozrb2li5thDVqn+TCRlCB3+XM+y5za4MtQZ+SFDLV
-UmAyEwI+wzUL+ljCO0oXpYfIyrrGEZScGtXZIyJiDaYZtFTLD6Sk0CSjvDx9r+fL
-RSKsuPS38mQJGie3qxomO/Gyil82IaIwne2KO3orq5eZqtB9toVGEdLXW7pka7En
-hVUQvkS/S4B1/896a2WGT1BAfDjkOjudHb55MV61MK6yLLveoK7xkNNp+dg6gtRx
-qpIP8TNgKzx25QhM5TIjRZdoqhGSiEgCv+JZjWeRqIywP+0VzFfu
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.csr b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.csr
deleted file mode 100644
index 31d625f..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.csr
+++ /dev/null

@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICsTCCAZkCAQAwbDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
-DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxITAfBgNVBAMM
-GGludGVybWVkaWF0ZV9jYUBhY21lLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAM0bA827VhkRRwC98mDYMTSeBs+cHlknwZnAc7MUkAnFizz6J19U
-+woMSRz0b36Ci8nYo2ujmw30TOyVR/FV16PjYQ/dMgfP2e0BWKpP2L4KGM0I9mzu
-WyCc/lWXCJlShizQblrbbRQXh+Tg2eydInwEidRftP1zn4Ipkpcwx5xz0aKLCgI5
-An7CxscFHRaX50BUi8szREGwRFtkxiGOiXUdwoSgkEjGm6s2tQbMxEjWZMav+MFA
-7hAYaiDKytkReI9WUIwEASik2vTU0VADRz+btVvmJZ+FTSu2rSFNl9JTAL9RY8JN
-qkkEgau1l8a/ggKU7wS3vUNQJsxT66t11AsCAwEAAaAAMA0GCSqGSIb3DQEBDQUA
-A4IBAQDE2KIYrHiujyjWAJAWkJFwaxjeM0MojdOmdzpTEwwcWIWhSvDIGylAIjs+
-s/xZidCBLlmH5Fu4G/P/ZmAe/PSRULn5RNh+Vr/2rvBwrO6o1tr/iqN+Iu9D9gpD
-xsVqy03M3Dda/4hJ1fd14Nvw/3ipQCX0ODKQQnCEN6YDDMII7NNHhThJ9JXtmsDK
-aCWM5s6V1VcEHmsOaghuuEe0CSLNyIoKGqm/Go/sZ6beXiq6lzPOSW+Ugvb1j+yd
-Kb89oZy871V7c8BQJgYAZNm81TFpwS4XEa7tO12hxrEndMdKqjW5S2E7TVQPcTud
-1T3W7szSBmOf3sPFToLx3oOky0a9
------END CERTIFICATE REQUEST-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.jks b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.jks
deleted file mode 100644
index 251089d..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.crt
deleted file mode 100644
index d4d1fad..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.crt
+++ /dev/null

@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDuTCCAqGgAwIBAgIUU+PWvuydNdPTMUerarnvKb2eT74wDQYJKoZIhvcNAQEN
-BQAwbDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
-MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxITAfBgNVBAMMGGludGVybWVk
-aWF0ZV9jYUBhY21lLm9yZzAeFw0yMDAxMTcxMjE0MDFaFw0yMDAyMTYxMjE0MDFa
-MGwxCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjEQMA4GA1UEBwwHVG9yb250bzEN
-MAsGA1UECgwEYWNtZTEMMAoGA1UECwwDYXJ0MSEwHwYDVQQDDBhpbnRlcm1lZGlh
-dGVfY2FAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDN
-GwPNu1YZEUcAvfJg2DE0ngbPnB5ZJ8GZwHOzFJAJxYs8+idfVPsKDEkc9G9+govJ
-2KNro5sN9EzslUfxVdej42EP3TIHz9ntAViqT9i+ChjNCPZs7lsgnP5VlwiZUoYs
-0G5a220UF4fk4NnsnSJ8BInUX7T9c5+CKZKXMMecc9GiiwoCOQJ+wsbHBR0Wl+dA
-VIvLM0RBsERbZMYhjol1HcKEoJBIxpurNrUGzMRI1mTGr/jBQO4QGGogysrZEXiP
-VlCMBAEopNr01NFQA0c/m7Vb5iWfhU0rtq0hTZfSUwC/UWPCTapJBIGrtZfGv4IC
-lO8Et71DUCbMU+urddQLAgMBAAGjUzBRMB0GA1UdDgQWBBT/ahkF/xqbF3xyX5+M
-QrAV3G/U4jAfBgNVHSMEGDAWgBT/ahkF/xqbF3xyX5+MQrAV3G/U4jAPBgNVHRMB
-Af8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQBNx3DvYk5rFFz7gtRSMpINJuoI
-thCEsFT43at08M98PrFHmZvfvdxwsIO0aJYVsTnEf4tqjXKQ6c3+eV9u3aWKuJYs
-PHJ4oxLlVwWWZLP/QC5SknscQlu5b6lhje328qKSYFzi8EE75FpG7sehvymNQhLS
-IU4r52VUqzZ6bBaQpPV4psG3yC6ONGppiy2QSP1s0jqmH1EDDp2qAQEME4bPYCAg
-Tryp2EjUmBpCuiwreY3Wsy9Zj6fQdFuxUiE4XWbsoNx1oDj9M8OuAeKQ5magJysm
-j/f2SF6cuNsg5AwuPg3DX+QC+WckLe+3M4uXfZa65bf/EJgKjJc1WjrDG16x
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.key
deleted file mode 100644
index f2392c8..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.key
+++ /dev/null

@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIrFQQzoVuNVgCAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECIWesfDR2OA7BIIEyB+WEIidNRox
-k5SvY9Hyi77Y1Jh/u1WJVWmQalZvWOAX8lnhQTDMVlCZ9zOku+0CWPIfEPcTBPbc
-WkTdNFmnlpUwrrjZ+ijwyv9eF6WaIvAyBAlSXDUULkkiaweKT22KGmCKWGY92UJq
-UtnsyZupQ95oWRcJ6x8/83dhaQM9yVf8a2jZzpIkCM5bdNXrSSObM2Oz1WhpcPEg
-yJzVceZTxASB3BnvIayNqFvMMiFQR4QcDTMkudBWGro3q5qm+LINQrG3nXmTwDvp
-u3PXxP8c0nEXxQYB9PPDL3qWQ5QkjaZWm5QUFWvUFGYc3bbuNXkzivBFp9W478wY
-W41x9WI6DVDkcrTv5n5X268xh3Gs5/nYERjuB657rGC3R5mNeL4unohPBsamyhrE
-ZFgzaMB0hhh0w57suFoVbrqkcKWQx7vhNwvOqbyiOg/qLk5sHrNAVdZtKA5iHux3
-JMbzHzG73wduXCWOOJcBYZD5cA7ifNwmNAz7sg9z2CY1XGHRrm+l9QZK5SLrQGIC
-p17ZREm2rnUMmZFqmIdRYyWUmfZmZ1eejT7Nf93GyutdabLNc1ROANY/mElW68qK
-RlEszYEJskw9vclg8PogulnGVND5ES5zxG4qUWJtkvx7QM1NqgUq77rK93Q/1AkC
-tB2A2/wwZmmPQMYR/7qSr0HLkTLYqmtEC5FVXB9STVdHYEgs4G7yNArY1a10ApaS
-Avf+TJD+SH8ZJMc4xVOJwc/NyKqaI+LFc64m/8oC+Mt6wpos5nvPoGqIGW10Oqcv
-N4IREavDgHEcbfRsj4Cdt55YaAk0C7MNn21PvTRI7aS8aWScTD5sMlJZDFe/V2ZL
-IxdW4LnZfyRt/s2qsx6mrbrKsaBB+o4BKC0AQax/o6GNTP89aug4OIUr3h7qGf1C
-oKLGLHjXuZcw0NKK+ufRqimvgHz6segsfgxLBsLoZ2EkhHqdWxyVI6dB/TdB2+Mu
-x3I0iQ/lC22Ky+hGpcb2iU0eB1NYA6/Wns880EJGd6/w6vmJOjG+BG0zoOELgLXH
-j0nGK2gh/2fxg2i+UjMvK7lGLjyiit/rPgH5B0e7QqJrwC0KHkxQO/dIp9aQ5BZD
-7PyGEX3ThaBSXyor3JoRtF0sLFhib2vqws7WNke7kJqDcoi9AZEQJ8gl2DLUqWbl
-ci0s32YNxXKQWB20eKJDhiLOPxZmwfQlyFAnJQrYOEhKG/BJD/O+q7MtBwJ674kG
-TcJ3AxKJhw6rOM8tjvuUfbBBNG8O0ngkbNPN36EYDkWb7ro1W4+MDayFt0P8nXgt
-+liJEFp9yFDm3OMiMrHJmihZKGqr7VC9sDm+EjFMpa/Er7KWBBzvWip3pIZslHrv
-HIYILJS8C6OgiwQF24+pW9O7tqUVKrjpZ5Tl/QuR4Qm4L3kWO/63nFMH+PP/ODYQ
-0cB/g8cEGVWClUlxp/2D7IrNh6d59mQuvhrF+fkMoNV8AeU9+IinDlF3ik00n9cF
-5U9shoMgSuyj5d9L2FCJi/t67LiAWsp3aGwcfHPfanSIpS/EvpCyvT9py1zE0IFC
-Hzz76V2V5VrRkYGwT2M8b+RtgHUles5e8sXxkWTW9AvbtfJtADit5mEX0eXJJAfP
-aRZsBte7k0++5afbuVkCug==
------END ENCRYPTED PRIVATE KEY-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.crt
deleted file mode 100644
index dd4073e..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.crt
+++ /dev/null

@@ -1,80 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 4664 (0x1238)
-        Signature Algorithm: sha512WithRSAEncryption
-        Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
-        Validity
-            Not Before: Jan 17 12:14:00 2020 GMT
-            Not After : Jan 17 12:14:00 2024 GMT
-        Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=revoked_by_ca@acme.org
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:ab:54:29:44:85:72:57:4f:8d:9f:60:77:5c:77:
-                    b0:45:bd:34:7a:e5:37:9f:0f:26:ac:e1:68:1a:b3:
-                    86:bf:55:48:82:ad:31:df:ed:89:a9:7e:25:b8:4d:
-                    5c:95:c1:4a:9e:b2:a3:51:57:e8:dd:18:75:e5:db:
-                    f0:aa:ea:eb:5f:0f:e0:09:e2:7c:a6:1c:5c:e5:db:
-                    2c:c1:f2:d7:40:21:f7:fa:ef:e0:3e:f5:3d:10:52:
-                    ec:b7:cd:9a:d8:3d:36:9a:3f:cd:1a:1f:e7:de:09:
-                    c3:8f:08:4f:c1:c4:cb:d3:65:81:c4:e3:28:ed:f4:
-                    a9:43:f2:c6:84:d9:16:22:65:55:17:e3:8b:7a:45:
-                    9d:5f:7d:e5:87:d6:a5:fb:fe:0f:86:c0:d4:e0:9b:
-                    2c:3a:99:df:4d:42:df:30:38:56:2d:f3:e5:8b:0f:
-                    fc:99:e3:1f:62:cb:85:78:a3:40:43:d6:42:3b:bc:
-                    e8:6c:45:19:3d:ca:43:86:1a:4b:ae:e9:3b:51:b0:
-                    0d:0a:bb:de:26:34:b3:cf:dc:fc:99:c8:7e:42:7d:
-                    2c:67:ea:2c:7d:2e:bf:ff:7f:21:9a:17:f1:87:1d:
-                    aa:d6:a4:06:bb:c1:65:ac:7d:7a:51:fd:3f:d0:ac:
-                    9b:85:17:51:5b:99:16:b8:c7:72:00:2d:0b:54:78:
-                    16:5b
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://localhost:8186/MyRootCA.crl
-
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            X509v3 Key Usage: 
-                Digital Signature, Non Repudiation, Key Encipherment
-    Signature Algorithm: sha512WithRSAEncryption
-         3a:d1:40:59:30:54:80:6a:b6:a9:76:f3:d1:05:c9:a1:d7:b0:
-         ff:70:48:65:1d:1c:e5:82:b9:c5:62:78:eb:7a:0f:77:2d:26:
-         8d:a7:16:34:a5:57:4e:da:51:b5:3e:65:a3:db:a4:ba:43:70:
-         93:d4:d5:82:e4:c8:59:f0:f9:2c:7f:d6:d9:87:b8:5e:a9:4c:
-         a5:cc:c3:ac:87:c8:3e:46:7e:6d:40:c1:bf:9f:03:68:ea:e1:
-         97:30:43:bf:d7:a4:1a:58:e2:72:cf:0d:6f:31:1b:4a:72:4d:
-         42:6d:7b:21:42:23:c0:7a:50:14:b9:f9:a5:95:53:77:c1:89:
-         ff:3e:a0:1a:b2:88:69:13:93:c8:14:c4:c5:24:47:a0:9e:43:
-         70:9d:ac:0e:7f:a6:b5:45:47:35:f9:e9:6d:32:15:54:26:81:
-         84:ae:d8:27:c9:f3:65:64:7a:72:14:02:9f:8a:73:cf:04:c0:
-         53:a8:01:56:a6:a6:b8:fe:06:b1:71:c0:cc:64:07:d5:33:a8:
-         69:01:5e:06:b8:24:ec:1e:c4:9e:58:45:60:2b:70:d4:db:7a:
-         8c:42:21:e6:e6:33:c9:66:35:6c:06:ad:0f:47:74:24:cb:65:
-         af:e1:a6:d0:b3:06:4a:97:5f:b2:83:cf:ac:0d:81:c2:07:7a:
-         06:c1:45:90
------BEGIN CERTIFICATE-----
-MIIDdjCCAl6gAwIBAgICEjgwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
-EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
-dENBMB4XDTIwMDExNzEyMTQwMFoXDTI0MDExNzEyMTQwMFowajELMAkGA1UEBhMC
-Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
-MQwwCgYDVQQLDANhcnQxHzAdBgNVBAMMFnJldm9rZWRfYnlfY2FAYWNtZS5vcmcw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrVClEhXJXT42fYHdcd7BF
-vTR65TefDyas4Wgas4a/VUiCrTHf7YmpfiW4TVyVwUqesqNRV+jdGHXl2/Cq6utf
-D+AJ4nymHFzl2yzB8tdAIff67+A+9T0QUuy3zZrYPTaaP80aH+feCcOPCE/BxMvT
-ZYHE4yjt9KlD8saE2RYiZVUX44t6RZ1ffeWH1qX7/g+GwNTgmyw6md9NQt8wOFYt
-8+WLD/yZ4x9iy4V4o0BD1kI7vOhsRRk9ykOGGkuu6TtRsA0Ku94mNLPP3PyZyH5C
-fSxn6ix9Lr//fyGaF/GHHarWpAa7wWWsfXpR/T/QrJuFF1FbmRa4x3IALQtUeBZb
-AgMBAAGjTzBNMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9sb2NhbGhvc3Q6ODE4
-Ni9NeVJvb3RDQS5jcmwwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcN
-AQENBQADggEBADrRQFkwVIBqtql289EFyaHXsP9wSGUdHOWCucVieOt6D3ctJo2n
-FjSlV07aUbU+ZaPbpLpDcJPU1YLkyFnw+Sx/1tmHuF6pTKXMw6yHyD5Gfm1Awb+f
-A2jq4ZcwQ7/XpBpY4nLPDW8xG0pyTUJteyFCI8B6UBS5+aWVU3fBif8+oBqyiGkT
-k8gUxMUkR6CeQ3CdrA5/prVFRzX56W0yFVQmgYSu2CfJ82VkenIUAp+Kc88EwFOo
-AVamprj+BrFxwMxkB9UzqGkBXga4JOwexJ5YRWArcNTbeoxCIebmM8lmNWwGrQ9H
-dCTLZa/hptCzBkqXX7KDz6wNgcIHegbBRZA=
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.csr b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.csr
deleted file mode 100644
index 7a8a730..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.csr
+++ /dev/null

@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICrzCCAZcCAQAwajELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
-DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxHzAdBgNVBAMM
-FnJldm9rZWRfYnlfY2FAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQCrVClEhXJXT42fYHdcd7BFvTR65TefDyas4Wgas4a/VUiCrTHf7Ymp
-fiW4TVyVwUqesqNRV+jdGHXl2/Cq6utfD+AJ4nymHFzl2yzB8tdAIff67+A+9T0Q
-Uuy3zZrYPTaaP80aH+feCcOPCE/BxMvTZYHE4yjt9KlD8saE2RYiZVUX44t6RZ1f
-feWH1qX7/g+GwNTgmyw6md9NQt8wOFYt8+WLD/yZ4x9iy4V4o0BD1kI7vOhsRRk9
-ykOGGkuu6TtRsA0Ku94mNLPP3PyZyH5CfSxn6ix9Lr//fyGaF/GHHarWpAa7wWWs
-fXpR/T/QrJuFF1FbmRa4x3IALQtUeBZbAgMBAAGgADANBgkqhkiG9w0BAQ0FAAOC
-AQEAle9ozcWOV+gW4zVToxUl/Cumqe3zqg7YE1SV4/QssVEVfJjb4s4/2JnjDQvQ
-BExP4yeiLVtIjjEaFy+fu4LZ7Qx7+GlhBCOaBuS/hNRmuJPNv+GwommABYkDvx86
-QeztX5oU/Gcn9tx+IjiBfn6pUsF4tX1Qd9ueucPUDR7xHMAFBBNnC1ahhki6rOVB
-9fxbduViyr2RKl9gDao650PsVn3+9MtKaU/oHluuyOjbCsrdjY5uGTWGJjWXGWBv
-whtYRomEofuvZk7vsmhBtJUixFuo4mVXA3Q6jCH3nre57YsQFR8+oFkIDogtXUNj
-rOtgaueA6Rd50L4j8hoQKBAkFA==
------END CERTIFICATE REQUEST-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.jks b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.jks
deleted file mode 100644
index cd38ca0..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.crt
deleted file mode 100644
index 47696f6..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.crt
+++ /dev/null

@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIUHVCN1hW4l8SlUG15T552XxvHr4owDQYJKoZIhvcNAQEN
-BQAwajELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
-MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxHzAdBgNVBAMMFnJldm9rZWRf
-YnlfY2FAYWNtZS5vcmcwHhcNMjAwMTE3MTIxNDAwWhcNMjAwMjE2MTIxNDAwWjBq
-MQswCQYDVQQGEwJDQTELMAkGA1UECAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTAL
-BgNVBAoMBGFjbWUxDDAKBgNVBAsMA2FydDEfMB0GA1UEAwwWcmV2b2tlZF9ieV9j
-YUBhY21lLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKtUKUSF
-cldPjZ9gd1x3sEW9NHrlN58PJqzhaBqzhr9VSIKtMd/tial+JbhNXJXBSp6yo1FX
-6N0YdeXb8Krq618P4AnifKYcXOXbLMHy10Ah9/rv4D71PRBS7LfNmtg9Npo/zRof
-594Jw48IT8HEy9NlgcTjKO30qUPyxoTZFiJlVRfji3pFnV995YfWpfv+D4bA1OCb
-LDqZ301C3zA4Vi3z5YsP/JnjH2LLhXijQEPWQju86GxFGT3KQ4YaS67pO1GwDQq7
-3iY0s8/c/JnIfkJ9LGfqLH0uv/9/IZoX8YcdqtakBrvBZax9elH9P9Csm4UXUVuZ
-FrjHcgAtC1R4FlsCAwEAAaNTMFEwHQYDVR0OBBYEFMU9e8zrbXHC342Uby8gqhgM
-YvLxMB8GA1UdIwQYMBaAFMU9e8zrbXHC342Uby8gqhgMYvLxMA8GA1UdEwEB/wQF
-MAMBAf8wDQYJKoZIhvcNAQENBQADggEBAB/EApL8yOgY/Moi9zfCG22GRosPydBS
-87rlGBuWieIuHTUjZfo4Cso/Gss7BKNPVpS68g6QXh5t/mlWLes8lXVHj8V2RHUg
-JMJZ6FZVXGaR/3wvRT8i5xag4kYye585P52ovvzI8TyWRf2f4UQhNXIH6If8fYkJ
-CI/bp7Wd+b2+Vrnacx8gc5uzYXSsbUujd0b7X//gAu0YBPVqdkiJGpB1N4XPFhaF
-NPauaic9wtzETHc2ETmvKWoqxW0mwX8AuDY/GVa04s/jiy1JuH0uqfQCiGi1dkRF
-yYXQNXuPWiQ5K8Eg2bPaSSnCpQZgH4DG7315ne6XFaSQK/iJU9p05cA=
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.key
deleted file mode 100644
index 2bed0ac..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.key
+++ /dev/null

@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIHVqo76e8ifcCAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECKGXAXrxjyphBIIEyEJR6oHjGXr+
-PoIs2CnsQucjXIqQuEltc+xiLetRV6VQ0fytpC1qw6gTcMYYqmXC0oeBZqbux+hj
-Uj91rd2PnIhQ1t3uLkCCwR3hAOrFLHC6eg1HmgAfAI8HUoHeiSQor0rLHA2PKTgT
-LtNV573XyBh0bbrQZnMh2zb+RZ8dFHE5Fu7OiTYYFAIkH3EyB0QRUuskGhmMvgT1
-6LlzmaSRfSx9x6YBW0AH3649hAZj6sf7axXm9sScrIFpha7FJzKV/EUScDfBzTld
-5LqTUoF+W6b95PzvF/ylpbUM43FgTaI0KqyGSxtMr5CQjxuVUD+LsT6vc6lVQ2iQ
-GtqFAooBatfDXlm4HBNTFznDoYa50TUK1af6+0X4uQrETnIWA8iw49L+BownU6+M
-yfuMJ689IggheL9n+EBoJ5+LhjBlcxjcaIZBKgxVAxpSxnVY7H0R5JHYTHSy5GjA
-xtGmOkqGPgRlPXzYtSrih47tUAkO7MTiIUE5Xuned2pTFWAhsS/kpdc6K1IKhDAG
-ARG5dIADIZH+b3dYpxo/MXBQYusm6Q1KaLE1cG98QoiWdTwXNN4jNH6IiUg52Pcg
-nD/AAOdEcCA7wXFXLTBvYMGvetCDkrXf9DSOguGlvgfeZN/6P0QdN/TErTW9lHSV
-DioKOfDSpvS2X3X/1pDBYK29d+JqwW8sgRtyeJtSVzPnm+PFyz/1oDwIk7muhAs5
-+Ruf2mh/k01InahsJ9aBwBneCDvRibQGMv8wl/8Lz5NmpPjfYv/Jws0rS7rDNLOi
-yGSNBL8rOfLl3C7z3R+2xJocplccb7S42I8lSHNu7lwKPAPLkTtz+SymtAQJvqoR
-2SmoYtodPttQDXLMVwzQ87sBQ/wN9sw3BCRSL6BfBIsYavLMLnZ8hChpA9RF7Okm
-l8jNSs8HNN851G3XrKnI3CNsTKEQdEDw/Y68hJ0sSFRhICW2vKGJ6Lp1IPF4mngI
-BzGnpQrsOBfrMOpfqwgxFFZRFbBbOl2IPRcvz8GYyfXToGgS53Nz0TkHTtsTFIoo
-afUE6cOm0EzYn4rtNaB5K8gIxLhWZMsS6CH/nfEVi7sOFeUdkxoEUvnRTEy0pj7Q
-h085aWIFHHAtgBCdzqsmu0Q8z7Xp6G+S5nrJCnewRAGKKyGTkZsSjZXpB+nauYDM
-B4ZpoWZTS9AtPmCM9nV13fYTFWXz9DXtYAuMLZhYyBVNBlubpDwzV66+ygLqaTIz
-OkC/EjmA1OOZlaI0TfH5rvFdKsqmXxmvlH9aCOzMxytTSOd52MwJN72nAslKz9xI
-RoO/RE0EYLMOT81S44QzfWGZ2CP7oRTfT3IoktTUm9Snp2qjebcfhRrti8aEZCm+
-mtssZ0IiqLPje6GJ2kOUmU4+KZ+cNswPZmV+zm4NJcu5XBG13wHqyLac6iQPDXie
-4IuzbLEOjYr+ZLGnBpw11jn6R1yxbOiKUbg/eEp8/688XJbVdSaCd4w7JwxL8dlI
-h7y8UTG0BI3nZk4kdpusz5f18F8EoX+RIDP7Ev3qPt/8eYkSZggkrrnIaCIeXEOL
-VwmtXIe7Fo2E7zRTSgJXU42iTYwp4tWmB83qxKVaQQpgmX1hs845GdWbfcSZh9eZ
-50gsztDpcC1mAtp3brgOig==
------END ENCRYPTED PRIVATE KEY-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.crt
deleted file mode 100644
index 7a80d78..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.crt
+++ /dev/null

@@ -1,80 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 4667 (0x123b)
-        Signature Algorithm: sha512WithRSAEncryption
-        Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
-        Validity
-            Not Before: Jan 17 12:14:02 2020 GMT
-            Not After : Jan 17 12:14:02 2024 GMT
-        Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=revoked_by_ca_empty_crl@acme.org
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:cd:03:6c:76:ba:58:04:33:52:0c:45:ba:80:87:
-                    be:ce:3d:94:76:45:79:29:b1:15:15:c9:95:e0:5e:
-                    03:34:a5:5f:ab:b6:8a:03:57:b4:60:2d:fe:2e:27:
-                    c1:51:7f:bd:25:fe:0d:d3:48:72:0a:09:ed:ef:df:
-                    18:98:17:e1:bf:44:07:6f:f5:72:98:73:0a:ca:7c:
-                    7f:a6:8e:1b:e1:f5:e9:cc:d5:37:96:1e:8b:f1:8b:
-                    cb:4f:3b:ad:e5:b9:73:b2:6f:2c:e2:70:c9:a7:28:
-                    ee:d2:4e:79:02:ef:11:f0:8d:77:41:46:d4:98:72:
-                    cd:73:66:a4:f2:ea:81:42:b5:e1:95:0c:d3:23:e7:
-                    dc:0e:2c:02:cf:bc:8f:dd:53:ea:2c:08:1d:8b:07:
-                    52:47:25:dd:9d:99:5c:56:86:2d:38:2a:2f:15:57:
-                    dd:e2:c0:79:a5:aa:e6:3f:c3:b9:78:97:cf:47:fa:
-                    c6:9f:55:73:42:cb:27:17:35:b3:5c:91:bd:f9:f0:
-                    00:a6:d2:5b:eb:34:2e:43:6a:ca:38:f6:14:32:4c:
-                    c8:35:92:b7:4c:f7:da:86:70:55:0c:ca:67:82:5e:
-                    31:7f:e1:d2:76:22:d8:92:03:d6:47:df:43:55:33:
-                    29:e3:44:d0:2e:45:b4:e5:fb:78:95:53:3e:21:33:
-                    01:3d
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://localhost:8186/MyRootCA.empty.crl
-
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            X509v3 Key Usage: 
-                Digital Signature, Non Repudiation, Key Encipherment
-    Signature Algorithm: sha512WithRSAEncryption
-         bf:be:61:4f:7a:a3:ff:9f:76:1a:d5:80:57:e8:29:d5:7b:31:
-         f2:15:de:11:a2:f4:67:97:05:70:52:84:0c:6d:aa:bc:b4:f1:
-         ed:92:f7:e3:ca:0f:4e:19:c4:82:38:e2:f1:30:74:42:8e:c8:
-         7e:9f:b5:df:59:8b:e7:70:84:4d:fc:6b:4e:25:33:65:ac:f6:
-         da:3e:a4:32:fd:cb:f7:dc:f3:5a:3f:e3:8b:85:8d:9b:5a:e1:
-         f4:17:3c:d5:67:13:25:78:d0:3f:9d:cc:b8:1f:3c:9c:55:11:
-         12:1f:13:2f:55:4b:3d:e0:cf:bf:10:ce:de:04:a3:b1:60:26:
-         3e:41:bf:8f:3b:86:ef:7f:69:4b:5b:2e:45:a2:5a:b5:34:2e:
-         ff:28:01:81:15:03:53:86:31:77:ac:41:f5:b3:c1:54:e9:ab:
-         cf:d3:3f:36:94:4e:ed:07:39:4e:ad:fb:0c:26:87:62:30:51:
-         da:70:8a:f2:9b:9f:9f:a4:25:d8:df:90:27:ab:0e:b6:81:fc:
-         a1:24:16:4d:aa:91:d7:c9:0b:f0:49:1a:80:7c:86:7f:0f:4e:
-         32:59:86:41:32:92:00:b1:f0:32:50:84:72:35:f3:b2:7f:c1:
-         2a:69:6c:9e:74:43:8e:d0:15:b3:0d:ed:34:b9:14:fe:24:17:
-         f7:4c:e0:0f
------BEGIN CERTIFICATE-----
-MIIDhjCCAm6gAwIBAgICEjswDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
-EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
-dENBMB4XDTIwMDExNzEyMTQwMloXDTI0MDExNzEyMTQwMlowdDELMAkGA1UEBhMC
-Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
-MQwwCgYDVQQLDANhcnQxKTAnBgNVBAMMIHJldm9rZWRfYnlfY2FfZW1wdHlfY3Js
-QGFjbWUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzQNsdrpY
-BDNSDEW6gIe+zj2UdkV5KbEVFcmV4F4DNKVfq7aKA1e0YC3+LifBUX+9Jf4N00hy
-Cgnt798YmBfhv0QHb/VymHMKynx/po4b4fXpzNU3lh6L8YvLTzut5blzsm8s4nDJ
-pyju0k55Au8R8I13QUbUmHLNc2ak8uqBQrXhlQzTI+fcDiwCz7yP3VPqLAgdiwdS
-RyXdnZlcVoYtOCovFVfd4sB5parmP8O5eJfPR/rGn1VzQssnFzWzXJG9+fAAptJb
-6zQuQ2rKOPYUMkzINZK3TPfahnBVDMpngl4xf+HSdiLYkgPWR99DVTMp40TQLkW0
-5ft4lVM+ITMBPQIDAQABo1UwUzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vbG9j
-YWxob3N0OjgxODYvTXlSb290Q0EuZW1wdHkuY3JsMAkGA1UdEwQCMAAwCwYDVR0P
-BAQDAgXgMA0GCSqGSIb3DQEBDQUAA4IBAQC/vmFPeqP/n3Ya1YBX6CnVezHyFd4R
-ovRnlwVwUoQMbaq8tPHtkvfjyg9OGcSCOOLxMHRCjsh+n7XfWYvncIRN/GtOJTNl
-rPbaPqQy/cv33PNaP+OLhY2bWuH0FzzVZxMleNA/ncy4HzycVRESHxMvVUs94M+/
-EM7eBKOxYCY+Qb+PO4bvf2lLWy5Folq1NC7/KAGBFQNThjF3rEH1s8FU6avP0z82
-lE7tBzlOrfsMJodiMFHacIrym5+fpCXY35Anqw62gfyhJBZNqpHXyQvwSRqAfIZ/
-D04yWYZBMpIAsfAyUIRyNfOyf8EqaWyedEOO0BWzDe00uRT+JBf3TOAP
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.csr b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.csr
deleted file mode 100644
index 7275fc2..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.csr
+++ /dev/null

@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICuTCCAaECAQAwdDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
-DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxKTAnBgNVBAMM
-IHJldm9rZWRfYnlfY2FfZW1wdHlfY3JsQGFjbWUub3JnMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEAzQNsdrpYBDNSDEW6gIe+zj2UdkV5KbEVFcmV4F4D
-NKVfq7aKA1e0YC3+LifBUX+9Jf4N00hyCgnt798YmBfhv0QHb/VymHMKynx/po4b
-4fXpzNU3lh6L8YvLTzut5blzsm8s4nDJpyju0k55Au8R8I13QUbUmHLNc2ak8uqB
-QrXhlQzTI+fcDiwCz7yP3VPqLAgdiwdSRyXdnZlcVoYtOCovFVfd4sB5parmP8O5
-eJfPR/rGn1VzQssnFzWzXJG9+fAAptJb6zQuQ2rKOPYUMkzINZK3TPfahnBVDMpn
-gl4xf+HSdiLYkgPWR99DVTMp40TQLkW05ft4lVM+ITMBPQIDAQABoAAwDQYJKoZI
-hvcNAQENBQADggEBAIclK9KXAk1U1l9zzy9FpjqZYXzqCF5vBD9yDDk6DODqLAfa
-twBoA90Ae5z5wEY2Gtj2p39P4FvWHV2tKMe3M6Wnf9b0IE2VYZ8aIuK/dzMY17pX
-caDKJEhG/hVa4qIyKbh5y0gITfoFTx10ip0DoSAzkjbG6fsSplX5x/r0DS1ZVGQj
-aTqKor1pBW9rBGkgDaKetl+0/x9EcwXM8Vlv2uidofK1HRrBijdzj/vaVERatNGf
-IMfBGnTfF+CAKN/kR8F1jhcM4XXOA/lvtWkmmsuBweEM4iTh5T7/L/rbUr7WpFjT
-J8yrjAyUM4e9UR+lif/RXN2zvAvUh9wUin/rvlk=
------END CERTIFICATE REQUEST-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.jks b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.jks
deleted file mode 100644
index 7e0ab14..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.crt
deleted file mode 100644
index 876f462..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.crt
+++ /dev/null

@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDyTCCArGgAwIBAgIURa7KfSxOy6INMZLGbza+/AKlMMgwDQYJKoZIhvcNAQEN
-BQAwdDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
-MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxKTAnBgNVBAMMIHJldm9rZWRf
-YnlfY2FfZW1wdHlfY3JsQGFjbWUub3JnMB4XDTIwMDExNzEyMTQwMloXDTIwMDIx
-NjEyMTQwMlowdDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdU
-b3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxKTAnBgNVBAMMIHJl
-dm9rZWRfYnlfY2FfZW1wdHlfY3JsQGFjbWUub3JnMIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEAzQNsdrpYBDNSDEW6gIe+zj2UdkV5KbEVFcmV4F4DNKVf
-q7aKA1e0YC3+LifBUX+9Jf4N00hyCgnt798YmBfhv0QHb/VymHMKynx/po4b4fXp
-zNU3lh6L8YvLTzut5blzsm8s4nDJpyju0k55Au8R8I13QUbUmHLNc2ak8uqBQrXh
-lQzTI+fcDiwCz7yP3VPqLAgdiwdSRyXdnZlcVoYtOCovFVfd4sB5parmP8O5eJfP
-R/rGn1VzQssnFzWzXJG9+fAAptJb6zQuQ2rKOPYUMkzINZK3TPfahnBVDMpngl4x
-f+HSdiLYkgPWR99DVTMp40TQLkW05ft4lVM+ITMBPQIDAQABo1MwUTAdBgNVHQ4E
-FgQUJBs8fXPCO0HfB5qCdnNIr+LKofAwHwYDVR0jBBgwFoAUJBs8fXPCO0HfB5qC
-dnNIr+LKofAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAQEAKlMt
-n4ZrNl91i2HJUhy1qQEed6r2IFzTiVCIlV5tL/e3JyOksKxHeoV8JcN4mFNDzVZM
-vk+ZuCty1wJQLs6OOCfdXwSekSJblV/IXqKosvJj+RN6EHLeEYUoVJlKkU1E/wXZ
-LbjioYtv7LAdDXuZro3P5W9IBiNGPitOWqdZYTkYgrDdyn9MBucm7UMTftvS8buK
-sBjOhKQNO4Q34VJlOgKjoPEQr/R/JnNFbFh3dKYfDFABwy3dgp6kehzazb68An+j
-K/qljEqmAGwn92pSQDxNW/opQ3iMMjTiUie7f5PpCphFD/noIXgSyVutV8dFEBtw
-uTTPMl1O2ogZSriu3A==
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.key
deleted file mode 100644
index 9576760..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.key
+++ /dev/null

@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIFZ8yTs+qbG0CAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECCIuCWBoRzWlBIIEyEJvOIUqC7LU
-XAcbfwBQgC+6bmxO+2A+KGmMoWua1om7bO7YkzoTesXg1sDN5xO8S0T02/laHE+n
-h4SKtG+Ocvc75hznd2dkz+QrvUHfxYBWS5zayDYvO/V2GjbI/LUhBxTh17KRRGwD
-FvJmfYyQ7C4jguscRrTpnKxknuIbQYQMUlTVquB3htAtf9ORQSC34QiKl6Ahm2F9
-S5iRxOQI3y5+g6BXVTktBjFMg+EIlVgi7UrOtplj/GAC6m0tF+G2Cl2R+IYcU4Uj
-iZO6XBeVGUaDCy6b5jdeiBXTbqYWrLaMrCQabZTfw3utJQHAPFaBE+y25Wq4SdJ7
-/S8BmCDa1x9doH7ShJ8ykync1PfOIaTbzqWMx4zIgAFQ2/azZD2aB6GWo8lpQWOp
-+yRRNQsYQNiVZ8895KVfsLJvf7nEZ0gtrKYxUiwdzIXspNdt2ymzhcKf1bYeG8TX
-XgegkqB2zzp/BviBlGWo5RSGDyaXTHrdWK3yJBkuP4oGMrk71+W/kDUzTCR++AqM
-1TpbYXLIbqMlE5DEHejgYYOclx3pmMBYcJJsPW8mKd2C7G3fj67lUQwXr+iLS1Fl
-Zekh3ZcaQSptQyUaJ6XXaa8A5qx42FpEGIxTLF3YktyT/u3rMsYD62hohR7zCNUK
-J8Wsmjmeu78OoPv68DxD8Hi88rcYg/cKTELjBx+GQOKGite7ogxPcdfFIrprVNTQ
-WLYLk9STn42RhUELKt2uKYmVJ6GzfBf7Lfgmsi9QVIPbswZE02fF/pC5Gcl1FEA8
-X0wcxcv9MAbFm497CMkdw9wxj4rV7XruBrUAB24QRj/r3Hsk4LS/0MI8/OawzaP+
-UAXYExWPuOremVl4/esbXOi5UXPcz/4aDtYyo3/PYOS8TWGnhJ0P3VykdTQ2a6Cq
-A/qI5c1HN0Llg918Eff/Lrw3WDpe7tcuQz0UZDUw9wEdglMTl1xQ9tZPQcMmKc08
-32dUUxPNX+wsKM1k5VBYRx/Vltr+odNaW4eTgVhsQ68D1vvA+AHLrHOUTGMknVTh
-89ZTtycV908axGVot7fz0wpc+n0nF/d6Q75NpqTwGQdwe6LMyYed6dOotYn9rWAV
-rPIxw9gsT3AGFyzos/ZB4RehHWIX/uumPw3H67vG2q+A2q2zzJFmH72mgMIpf/hY
-1SoCO3Uhlv58zbASfchyIFlMNNxSN9+6uffXbB9kR/C3ClKZB9vDwyhpMFU/LMqz
-2/ffsESVa5KSRdzwJuzbHQC/cymQZYoe3SayObmKoTIzo6lQoTCX7yREUFaT346A
-XkjN40YsO4dQ64r4qKdCRmhK1GHo3zXzT/50maVxzUsJafhuARvLxckpidq0mdT9
-2zBl5aM7GTwqCs9eqV1EJJASeBoFdu2iAKOI5O0Y7uVKNRZbiElnroR9IgfINepc
-7OenXrQbwrXD0PYORY04axr3hfM7GEy90TC+9WGLZWBTyKRdTdIdNCTvh1q84OZo
-Qp4zEhWsHT6C1FKmpu+uhPKHEqgqrgWFfsSr21uYFuEybXY2B9euyB222wYjX8K4
-u9C1+YGNQIhDcfqaefLdIBfgUErK/xjTDBP8Xk85NJIxab98aJkhclH0k8qOv6pr
-35/tH3UEUjR1FlIgzU46cg==
------END ENCRYPTED PRIVATE KEY-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.crt
deleted file mode 100644
index 35b1e6a..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.crt
+++ /dev/null

@@ -1,80 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 4668 (0x123c)
-        Signature Algorithm: sha512WithRSAEncryption
-        Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
-        Validity
-            Not Before: Jan 17 12:14:02 2020 GMT
-            Not After : Jan 17 12:14:02 2024 GMT
-        Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=revoked_by_ca_invalid_crl_path@acme.org
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:cc:e3:11:32:ee:d9:ba:67:5b:0b:e2:52:4b:9c:
-                    e7:54:d7:e4:c7:a9:92:7e:6a:39:e0:bb:d3:cc:9f:
-                    6f:38:73:96:c5:62:bf:bc:8d:69:e5:e8:67:3f:18:
-                    d8:aa:ab:67:93:cb:c1:71:ac:7d:1e:7e:40:a7:d6:
-                    0a:8a:d2:17:7e:3b:be:d0:0e:1b:54:7c:be:0f:de:
-                    46:9b:4c:5a:64:de:87:08:45:b9:4f:32:df:26:6c:
-                    42:66:06:bd:61:cb:95:ae:a7:94:ee:4f:61:ff:da:
-                    18:b5:4a:41:9a:c5:c4:bd:2b:ae:8f:9d:13:82:04:
-                    df:23:31:4a:5d:62:2c:0f:83:87:18:4a:7c:ce:12:
-                    bc:02:67:b4:1e:d9:9b:4c:9a:33:ab:0c:34:eb:dc:
-                    8e:36:0a:54:ac:c1:88:84:26:15:9e:a5:08:0b:e2:
-                    95:ef:3b:71:29:d9:c7:39:79:05:ef:4e:dd:52:ea:
-                    42:05:b3:7b:2b:b4:ee:3e:da:4f:78:a7:e3:39:da:
-                    6e:56:2e:74:52:27:7f:e5:e9:c3:11:79:c9:5f:6f:
-                    ae:58:31:d0:d1:89:b3:01:09:01:5d:44:53:6b:21:
-                    af:fc:07:e6:68:9e:76:ab:c9:56:b0:20:5d:36:fe:
-                    e0:06:8c:bb:70:6c:e3:3b:92:a0:5b:0d:e9:ce:e4:
-                    fb:ff
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://localhost:8186/not/a/crl
-
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            X509v3 Key Usage: 
-                Digital Signature, Non Repudiation, Key Encipherment
-    Signature Algorithm: sha512WithRSAEncryption
-         70:bd:f9:c8:9e:b5:40:c4:cd:af:33:9a:35:10:25:ef:2d:00:
-         c1:e3:7a:b3:54:f3:e7:86:b5:a7:3a:7c:4e:c3:fe:c3:b3:f6:
-         e9:e1:4b:48:27:40:dc:36:e1:18:cc:79:93:44:c8:96:78:1c:
-         c2:e3:3c:58:a3:3e:4c:d7:68:7e:e3:83:c4:40:f1:2a:d1:17:
-         a5:89:5f:5d:72:b9:3f:9e:75:7a:a2:d9:73:82:09:4d:45:40:
-         84:ed:e7:9a:15:81:e2:3e:43:eb:c4:f8:ff:40:a4:b9:1c:d0:
-         3f:e9:c4:17:26:74:10:86:52:c5:34:b8:a7:d4:1c:b5:53:ac:
-         af:35:35:61:c7:7c:f0:ce:bb:4e:24:49:01:3b:88:57:70:73:
-         ad:19:52:ee:b0:57:5e:01:ac:18:1a:ab:73:d5:12:c1:55:0c:
-         7b:42:33:ad:5c:a9:5a:75:61:dc:65:08:b0:b5:ab:d0:56:2f:
-         1b:fa:88:2f:53:2f:04:bb:e3:d6:42:73:0a:03:a3:28:79:a9:
-         ba:45:4e:ac:65:9e:0f:6a:f2:b7:9a:3a:df:fd:07:cb:4b:78:
-         6a:32:91:59:d4:f6:ea:aa:0d:71:da:21:14:cf:b9:73:bd:c6:
-         f2:b3:8b:b2:30:7a:83:3a:7f:09:d3:11:ef:13:dd:da:1d:b9:
-         01:11:fe:ad
------BEGIN CERTIFICATE-----
-MIIDhDCCAmygAwIBAgICEjwwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
-EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
-dENBMB4XDTIwMDExNzEyMTQwMloXDTI0MDExNzEyMTQwMlowezELMAkGA1UEBhMC
-Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
-MQwwCgYDVQQLDANhcnQxMDAuBgNVBAMMJ3Jldm9rZWRfYnlfY2FfaW52YWxpZF9j
-cmxfcGF0aEBhY21lLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AMzjETLu2bpnWwviUkuc51TX5Mepkn5qOeC708yfbzhzlsViv7yNaeXoZz8Y2Kqr
-Z5PLwXGsfR5+QKfWCorSF347vtAOG1R8vg/eRptMWmTehwhFuU8y3yZsQmYGvWHL
-la6nlO5PYf/aGLVKQZrFxL0rro+dE4IE3yMxSl1iLA+DhxhKfM4SvAJntB7Zm0ya
-M6sMNOvcjjYKVKzBiIQmFZ6lCAvile87cSnZxzl5Be9O3VLqQgWzeyu07j7aT3in
-4znablYudFInf+XpwxF5yV9vrlgx0NGJswEJAV1EU2shr/wH5miedqvJVrAgXTb+
-4AaMu3Bs4zuSoFsN6c7k+/8CAwEAAaNMMEowMAYDVR0fBCkwJzAloCOgIYYfaHR0
-cDovL2xvY2FsaG9zdDo4MTg2L25vdC9hL2NybDAJBgNVHRMEAjAAMAsGA1UdDwQE
-AwIF4DANBgkqhkiG9w0BAQ0FAAOCAQEAcL35yJ61QMTNrzOaNRAl7y0AweN6s1Tz
-54a1pzp8TsP+w7P26eFLSCdA3DbhGMx5k0TIlngcwuM8WKM+TNdofuODxEDxKtEX
-pYlfXXK5P551eqLZc4IJTUVAhO3nmhWB4j5D68T4/0CkuRzQP+nEFyZ0EIZSxTS4
-p9QctVOsrzU1Ycd88M67TiRJATuIV3BzrRlS7rBXXgGsGBqrc9USwVUMe0IzrVyp
-WnVh3GUIsLWr0FYvG/qIL1MvBLvj1kJzCgOjKHmpukVOrGWeD2ryt5o63/0Hy0t4
-ajKRWdT26qoNcdohFM+5c73G8rOLsjB6gzp/CdMR7xPd2h25ARH+rQ==
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.csr b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.csr
deleted file mode 100644
index 5c04ce9..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.csr
+++ /dev/null

@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICwDCCAagCAQAwezELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
-DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxMDAuBgNVBAMM
-J3Jldm9rZWRfYnlfY2FfaW52YWxpZF9jcmxfcGF0aEBhY21lLm9yZzCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMzjETLu2bpnWwviUkuc51TX5Mepkn5q
-OeC708yfbzhzlsViv7yNaeXoZz8Y2KqrZ5PLwXGsfR5+QKfWCorSF347vtAOG1R8
-vg/eRptMWmTehwhFuU8y3yZsQmYGvWHLla6nlO5PYf/aGLVKQZrFxL0rro+dE4IE
-3yMxSl1iLA+DhxhKfM4SvAJntB7Zm0yaM6sMNOvcjjYKVKzBiIQmFZ6lCAvile87
-cSnZxzl5Be9O3VLqQgWzeyu07j7aT3in4znablYudFInf+XpwxF5yV9vrlgx0NGJ
-swEJAV1EU2shr/wH5miedqvJVrAgXTb+4AaMu3Bs4zuSoFsN6c7k+/8CAwEAAaAA
-MA0GCSqGSIb3DQEBDQUAA4IBAQAMYJv3za9w6iCfl3/X17EWRpCxfB2uylVoF+Qn
-pk6cAaPZtPNLmzyGGsZ5Vpvm9LuISuU5ZcPCL+ocZ9yjghtiEUg5tslujuuhXyfE
-KhTj0UzSrWAKjm6KJcMu5dtxyM97sToVuU7MBR44KVdSxnzFWgL4afiVULxuJFFb
-DwTDgZZWYSeh2WeQt4bRL8dwhqvh0J+/Xilwh8kvY2yv8TXa0jgbguzPPtfcOJLN
-N9N4VvkrIXgkZSKut2U1G4eESWnCG9PP638I6j9ntA/cHbJ8TC46cEdQcYl1pPPG
-C5FC+aOr2NN/wVME/8Iib5FUKUcHJNZBrBZ3FHf1qjJcbuso
------END CERTIFICATE REQUEST-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.jks b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.jks
deleted file mode 100644
index a61e890..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.crt
deleted file mode 100644
index c7418d2..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.crt
+++ /dev/null

@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID1zCCAr+gAwIBAgIUBlNXdtg4SxQN24k7fss2AhXXmcQwDQYJKoZIhvcNAQEN
-BQAwezELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
-MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxMDAuBgNVBAMMJ3Jldm9rZWRf
-YnlfY2FfaW52YWxpZF9jcmxfcGF0aEBhY21lLm9yZzAeFw0yMDAxMTcxMjE0MDJa
-Fw0yMDAyMTYxMjE0MDJaMHsxCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjEQMA4G
-A1UEBwwHVG9yb250bzENMAsGA1UECgwEYWNtZTEMMAoGA1UECwwDYXJ0MTAwLgYD
-VQQDDCdyZXZva2VkX2J5X2NhX2ludmFsaWRfY3JsX3BhdGhAYWNtZS5vcmcwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDM4xEy7tm6Z1sL4lJLnOdU1+TH
-qZJ+ajngu9PMn284c5bFYr+8jWnl6Gc/GNiqq2eTy8FxrH0efkCn1gqK0hd+O77Q
-DhtUfL4P3kabTFpk3ocIRblPMt8mbEJmBr1hy5Wup5TuT2H/2hi1SkGaxcS9K66P
-nROCBN8jMUpdYiwPg4cYSnzOErwCZ7Qe2ZtMmjOrDDTr3I42ClSswYiEJhWepQgL
-4pXvO3Ep2cc5eQXvTt1S6kIFs3srtO4+2k94p+M52m5WLnRSJ3/l6cMReclfb65Y
-MdDRibMBCQFdRFNrIa/8B+ZonnaryVawIF02/uAGjLtwbOM7kqBbDenO5Pv/AgMB
-AAGjUzBRMB0GA1UdDgQWBBQTrfcuZNAq9PBU2mYtEYj4Mx9spDAfBgNVHSMEGDAW
-gBQTrfcuZNAq9PBU2mYtEYj4Mx9spDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
-DQEBDQUAA4IBAQCWVNzJRocgQdD7JYE1X7eoet9ex2luAlu8zZVZfeNKv27QjeRg
-1n3Jz1eXMXoVlcRtuXSX6Pw1qZLtAZ07/vPPHBTnMKi5Tvc+4ho/P+UZ1vhVViV9
-Qg0+qNZ0HqiTX9i/gYhUSj8L28iOW01PYP89WDJYhh8kQJhXQbbwE84Y+r75NX7y
-TUZ+ozXJqM2dxrVVnr46bh0qTmTPlWIBKnlkemWe0VlNFFtJlDOXqEkZBaaTqKrE
-iKcxAy1wrlAyvLS69LzZnt2UrR68oQXAQITtdbY4VWSfyxOh9i56OVgw2E6seUuG
-ZdWX9oXeI01B9vV6EqFLiPn6eTPPYOukkjGg
------END CERTIFICATE-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.key
deleted file mode 100644
index cfaeb30..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.key
+++ /dev/null

@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIkqodAjKk8vECAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECAO1t0BIS+B/BIIEyMK0wAf8UrpJ
-YTJ31fURI5LQ44dkuyvRWu/lIRD/kA081HXXm5eFMW3F4CvKpfbKQKHOEWYjlBbo
-tfsbZyPA2rRT3SAWZY1OZw4zLW5hXlX7yrTTEMWzrKF6i8Fia+cVTRR9D4g0aiEu
-/1RKQPoehCJm7QNKG7mxSzmUoZ/WjSmVIYTCH9cXKnbZE18Hlcc+fDIOlAxWO0nt
-n+IK+U8QzCy5Nk2LvVZSQZMPBFM/ZpTSwrTJe9iP6q+LCv59z3bzgX1i1MZJNTp/
-nYt7+C0JnFcIcnuuOWuKCkRK6txu94AxeZq3JQHRgMmdpmKvsOJ54Um2qSIblphH
-F+7D21ag/ebBLDHRnwkPzlhbP8CLR0J4XZ2KvEjhZjFGV+CokeYRcZI1fAqw7C9r
-V9EWCZxsqjPIKZd3W44TWVUrk8ij21sYJ/l3wVLeTUNCiEub1gDpWtlctGEKL6mU
-guCfMIK8ZZ04KQjKHqeiPmSEdJoHWrT6EyFzi+ZOL/bjeJ5uA5jrgYDWuy0Nhii4
-DbMVCm3EItAKDUq0bDJEGkDSiP7gVEiLThc++skeM/kqqECAwFNRiNPCI/XLuUoe
-JEGoubfc4XTfUPwJbfgrXE+QsgP/k5m38LjOITmkIsevzUxDV1ymHE6J9aQFwh6T
-lUeRq9zy7RsGze4letY7OXgoq2ISwPwqvgUfDBE3Upo1ZzLtfwlGkAgbyUmqA0oF
-fC3UU6QZizk1qh/OnjaIpElRjGnEnH0yo/jasypZ2V3zUaAJ1UJh2Q5OQrBkyzGM
-C7LNcRPC1o18LrO19rtgtk6ysHG21oqwXe5W/xxwif5ouL880vJYsq2fEHLHkcfw
-u9tG02p1dtZUSbgBoLRlhP/S5gwf9mzIKgtOL10zliTw0fiklh+dDsWij5s56jLr
-IuIm1s9XrQFaSAJEEw1xtMNGkasKnXDZjvfSqBOLaXn6AhqrJRknTDsJr6bbVTiY
-SL6Gjo9Jpjcqo6rKN0cutFqGx7JfNsjwaVEwi0UkpJ7NuF6AKuHqZP0WWDLOWUgB
-f2ocal3AzCRienQRWhqwIaVnt0jTWwOTx69dHeaHSwsH7B9Ka8w61dcCLnE4bQHQ
-qpxDqDMh1T0G4nwodcR0ZBA88IBbx59lSvvIKFtJJ2CTcwDibhjs14iWopIP6DHR
-aiS8xxjlVhBnn2GuKSKs8hJn0+JxUJquh8C0zp0PWE0HC9gUBNfx4Y1i2qL/dd6n
-5vtWaq7mjpaXR6Nk+EPQ4kGBelx5ELzSbhc2bS0dnyWtGzTrMu3m3J89bBMFPLe1
-QaU5b/1hRDCJdLAnsAg6P6ekpC+NSECRQhd18PQqgWexEM99O31+aWz6+JTXkCxY
-PutnAU4OwcW+80h1Xt0tXrshMEJJ9U6DnvJ30yP0pClp+jhA4mPggMf4Rabo4VGq
-jI2P6l2ksxe8WEquwpw5AbpKS9pYjjo52nFVzKF7G3T88eWcfaX3lYyN13iXh2EA
-BcH+ad2Ux1eOPtSVrCLyWd2MXehZ5gmdeUsOnwccOB3gppTQNAK9Cq2mqfRx0foO
-GDC+Bpl5xdzEkg3YQ9n+aXYmY7vCGO9B3nWDp31J6JVv3x2m1UdCXzr35xIXE2K5
-5nrg58gwOIVCLeQlazWIeA==
------END ENCRYPTED PRIVATE KEY-----

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_cert_only_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_cert_only_keystore.jks
deleted file mode 100644
index a4648a0..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/test_cert_only_keystore.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_empty_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_empty_keystore.jks
deleted file mode 100644
index 4eebca7..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/test_empty_keystore.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_keystore.jks
deleted file mode 100644
index c6dd178..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/test_keystore.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_pk_only_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_pk_only_keystore.jks
deleted file mode 100644
index 6e7fc6c..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/test_pk_only_keystore.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_symmetric_key_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_symmetric_key_keystore.jks
deleted file mode 100644
index 129593a..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/test_symmetric_key_keystore.jks
+++ /dev/null
Binary files differ

diff --git a/qpid-test-utils/src/main/resources/ssl/generate_certificates.sh b/qpid-test-utils/src/main/resources/ssl/generate_certificates.sh
deleted file mode 100755
index 636d6d5..0000000
--- a/qpid-test-utils/src/main/resources/ssl/generate_certificates.sh
+++ /dev/null

@@ -1,370 +0,0 @@
-#!/bin/sh
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-MY_PATH="$(dirname "$(readlink -f "$0")")"
-CRL_HTTP_PORT=8186
-PASSWORD=password
-ROOT_CA=MyRootCA
-INTERMEDIATE_CA=intermediate_ca
-OPENSSL_DIR="$MY_PATH/openssl"
-OPENSSL_CONF="$OPENSSL_DIR/openssl.conf"
-CERTIFICATES_DIR="$MY_PATH/certificates"
-VALID_DAYS=1461
-
-CLIENT_KEYSTORE="$CERTIFICATES_DIR/client_keystore.jks"
-CLIENT_TRUSTSTORE="$CERTIFICATES_DIR/client_truststore.jks"
-CLIENT_EXPIRED_KEYSTORE="$CERTIFICATES_DIR/client_expired_keystore.jks"
-CLIENT_EXPIRED_CRT="$CERTIFICATES_DIR/client_expired.crt"
-CLIENT_UNTRUSTED_KEYSTORE="$CERTIFICATES_DIR/client_untrusted_keystore.jks"
-
-BROKER_KEYSTORE="$CERTIFICATES_DIR/broker_keystore.jks"
-BROKER_TRUSTSTORE="$CERTIFICATES_DIR/broker_truststore.jks"
-BROKER_PEERSTORE="$CERTIFICATES_DIR/broker_peerstore.jks"
-BROKER_EXPIRED_TRUSTSTORE="$CERTIFICATES_DIR/broker_expired_truststore.jks"
-BROKER_CRT="$CERTIFICATES_DIR/broker.crt"
-BROKER_CSR="$CERTIFICATES_DIR/broker.csr"
-BROKER_ALIAS="broker"
-
-TEST_KEYSTORE="$CERTIFICATES_DIR/test_keystore.jks"
-TEST_PK_ONLY_KEYSTORE="$CERTIFICATES_DIR/test_pk_only_keystore.jks"
-TEST_CERT_ONLY_KEYSTORE="$CERTIFICATES_DIR/test_cert_only_keystore.jks"
-TEST_SYMMETRIC_KEY_KEYSTORE="$CERTIFICATES_DIR/test_symmetric_key_keystore.jks"
-TEST_EMPTY_KEYSTORE="$CERTIFICATES_DIR/test_empty_keystore.jks"
-
-# set to true for debug
-DEBUG=false
-
-generate_selfsigned_ca()
-{
-    echo "Generating selfsigned CA certificate"
-    openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$ROOT_CA.key" -out "$CERTIFICATES_DIR/$ROOT_CA.crt" -days 1461 -subj '/C=CA/ST=Ontario/O=ACME/CN=MyRootCA' -passout pass:$PASSWORD -sha512 && \
-    keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$CLIENT_KEYSTORE" && \
-    keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$CLIENT_TRUSTSTORE" && \
-    keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$BROKER_KEYSTORE" && \
-    keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$BROKER_TRUSTSTORE"
-    _rc=$?
-    if [ $_rc -eq 0 ]; then
-        echo "Selfsigned CA certificate successfully generated"
-    else
-        echo "Failed to generate selfsigned CA certificate" >&2
-    fi
-    return $_rc
-}
-
-prepare_openssl_environment()
-{
-    echo "Preparing openssl environment"
-    rm -rf "$CERTIFICATES_DIR" && \
-    mkdir "$CERTIFICATES_DIR" && \
-    rm -rf "$OPENSSL_DIR" && \
-    mkdir "$OPENSSL_DIR" && \
-    cp "$MY_PATH/openssl.conf" "$OPENSSL_DIR" && \
-    sed -i "s|^dir             = .|dir             = $OPENSSL_DIR|" "$OPENSSL_CONF" && \
-    echo 1234 > "$OPENSSL_DIR"/serial && \
-    echo 1234 > "$OPENSSL_DIR"/crlnumber && \
-    touch "$OPENSSL_DIR"/index.txt && \
-    echo "unique_subject = no" > "$OPENSSL_DIR"/index.txt.attr && \
-    mkdir "$OPENSSL_DIR"/newcerts
-    _rc=$?
-    if [ $_rc -eq 0 ]; then
-        echo "Openssl environment successfully prepared"
-    else
-        echo "Failed to prepare openssl environment" >&2
-    fi
-    return $_rc
-}
-
-# $1 - alias
-generate_signed_certificate()
-{
-    _alias=$1
-    _subject="/C=CA/ST=ON/L=Toronto/O=acme/OU=art/CN=$_alias@acme.org"
-    echo "Generating CA signed certificate '$_alias'"
-    openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.self.crt" -subj "$_subject" -sha512 -passout pass:$PASSWORD && \
-    openssl req -config "$OPENSSL_CONF" -new -key "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.csr" -sha512 -subj "$_subject" -passin pass:$PASSWORD && \
-    openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_req -batch -passin pass:$PASSWORD -out "$CERTIFICATES_DIR/$_alias.crt" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -days $VALID_DAYS -infiles "$CERTIFICATES_DIR/$_alias.csr" && \
-    openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/$ROOT_CA.crt" -in "$CERTIFICATES_DIR/$_alias.crt" -inkey "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.jks" -name $_alias -passin pass:"$PASSWORD" -passout pass:"$PASSWORD" && \
-    keytool -importkeystore -srckeystore "$CERTIFICATES_DIR/$_alias.jks" -srcstoretype PKCS12 -storepass "$PASSWORD" -srcstorepass "$PASSWORD" -alias $_alias -deststoretype PKCS12 -destkeystore "$CLIENT_KEYSTORE"
-    _rc=$?
-    if [ $_rc -eq 0 ]; then
-        echo "CA signed certificate '$_alias' successfully generated"
-    else
-        echo "Failed to generate CA signed certificate '$_alias'" >&2
-    fi
-    return $_rc
-}
-
-# $1 - certificate alias
-generate_signed_certificate_with_intermediate_signed_certificate()
-{
-    _alias=$1
-    _intermediate_ca_subject="/C=CA/ST=ON/L=Toronto/O=acme/OU=art/CN=$INTERMEDIATE_CA@acme.org"
-    _subject="/C=CA/ST=ON/L=Toronto/O=acme/OU=art/CN=$_alias@acme.org"
-    echo "Generating CA signed certificate '$_alias' with intermediate CA certificate '$INTERMEDIATE_CA'"
-    openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.crt" -subj "$_intermediate_ca_subject" -sha512 -passout pass:$PASSWORD && \
-    openssl req -config "$OPENSSL_CONF" -verbose -new -key "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.csr" -sha512 -subj "$_intermediate_ca_subject" -passin pass:$PASSWORD && \
-    openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_ca -batch -passin pass:$PASSWORD -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -days $VALID_DAYS -infiles "$CERTIFICATES_DIR/$INTERMEDIATE_CA.csr" && \
-    openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/$ROOT_CA.crt" -in "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -inkey "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.jks" -name $INTERMEDIATE_CA -passin pass:"$PASSWORD" -passout pass:"$PASSWORD"
-    echo "Generating CA signed certificate for '$_alias'" && \
-    openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.self.crt" -subj "$_subject" -sha512 -passout pass:$PASSWORD && \
-    openssl req -config "$OPENSSL_CONF" -verbose -new -key "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.csr" -sha512 -subj "$_subject" -passin pass:$PASSWORD && \
-    openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_req -batch -passin pass:$PASSWORD -out "$CERTIFICATES_DIR/$_alias.crt" -keyfile "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -cert "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -days $VALID_DAYS -infiles "$CERTIFICATES_DIR/$_alias.csr" && \
-    cat "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" "$CERTIFICATES_DIR/$ROOT_CA.crt" > "$CERTIFICATES_DIR/chain_with_intermediate.crt"
-    openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/chain_with_intermediate.crt" -in "$CERTIFICATES_DIR/$_alias.crt" -inkey "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.jks" -name $_alias -passin pass:"$PASSWORD" -passout pass:"$PASSWORD" && \
-    keytool -importkeystore -srckeystore "$CERTIFICATES_DIR/$_alias.jks" -srcstoretype PKCS12 -storepass "$PASSWORD" -srcstorepass "$PASSWORD" -alias $_alias -deststoretype PKCS12 -destkeystore "$CLIENT_KEYSTORE"
-    _rc=$?
-    if [ $_rc -eq 0 ]; then
-        echo "CA signed certificate '$_alias' with intermediate CA certificate '$INTERMEDIATE_CA' successfully generated"
-    else
-        echo "Failed to generate CA signed certificate '$_alias' with intermediate CA certificate '$INTERMEDIATE_CA'" >&2
-    fi
-    return $_rc
-}
-
-generate_expired_certificate()
-{
-    _alias=user1
-    echo "Generating expired certificate '$_alias'"
-    keytool -genkeypair -alias $_alias -dname CN=USER1 -startdate "2010/01/01 12:00:00" -validity $VALID_DAYS -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass "$PASSWORD" -storepass "$PASSWORD" -deststoretype PKCS12 -keystore "$CLIENT_EXPIRED_KEYSTORE" && \
-    keytool -exportcert -keystore "$CLIENT_EXPIRED_KEYSTORE" -storepass "$PASSWORD" -alias $_alias -rfc -file "$CLIENT_EXPIRED_CRT" && \
-    keytool -import -alias $_alias -file "$CLIENT_EXPIRED_CRT" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -sigalg SHA512withRSA -keystore "$BROKER_EXPIRED_TRUSTSTORE"
-    _rc=$?
-    if [ $_rc -eq 0 ]; then
-        echo "Expired certificate '$_alias' successfully generated"
-    else
-        echo "Failed to generate expired certificate '$_alias'" >&2
-    fi
-    return $_rc
-}
-
-generate_signed_broker_certificate()
-{
-    _subject="/C=CA/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=localhost"
-    echo "Generating CA signed certificate '$BROKER_ALIAS'"
-    openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$BROKER_ALIAS.self.key" -out "$CERTIFICATES_DIR/$BROKER_ALIAS.self.crt" -subj "$_subject" -passout pass:$PASSWORD && \
-    openssl req -config "$OPENSSL_CONF" -verbose -new -key "$CERTIFICATES_DIR/$BROKER_ALIAS.self.key" -out "$BROKER_CSR" -sha512 -subj "$_subject" -passin pass:$PASSWORD && \
-    openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_req -batch -passin pass:$PASSWORD -out "$BROKER_CRT" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -days $VALID_DAYS -infiles "$BROKER_CSR" && \
-    openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/$ROOT_CA.crt" -in "$BROKER_CRT" -inkey "$CERTIFICATES_DIR/$BROKER_ALIAS.self.key" -out "$CERTIFICATES_DIR/$BROKER_ALIAS.jks" -name $BROKER_ALIAS -passin pass:"$PASSWORD" -passout pass:"$PASSWORD" && \
-    keytool -importkeystore -srckeystore "$CERTIFICATES_DIR/$BROKER_ALIAS.jks" -srcstoretype PKCS12 -storepass "$PASSWORD" -srcstorepass "$PASSWORD" -alias $BROKER_ALIAS -deststoretype PKCS12 -destkeystore "$BROKER_KEYSTORE"
-    _rc=$?
-    if [ $_rc -eq 0 ]; then
-        echo "CA signed certificate '$BROKER_ALIAS' successfully generated"
-    else
-        echo "Failed to generate CA signed certificate '$BROKER_ALIAS'" >&2
-    fi
-    return $_rc
-}
-
-# $1 - certificate alias
-# $2 - keystore where certificate will be imported
-import_to_keystore()
-{
-    _alias=$1
-    _keystore="$2"
-
-    echo "Importing certificate '$_alias' to keystore '$_keystore'"
-    keytool -import -alias $_alias -file "$CERTIFICATES_DIR/$_alias.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -sigalg SHA512withRSA -keystore "$_keystore"
-    _rc=$?
-    if [ $_rc -eq 0 ]; then
-        echo "Certificate '$_alias' successfully imported to keystore '$_keystore'"
-    else
-        echo "Failed to import certificate '$_alias' to keystore '$_keystore'" >&2
-    fi
-    return $_rc
-}
-
-generate_untrusted_client_certificate()
-{
-    _alias=untrusted_client
-
-    echo "Generating untrusted certificate '$_alias'"
-    keytool -genkeypair -alias $_alias -dname CN=$_alias -validity $VALID_DAYS -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass "$PASSWORD" -storepass "$PASSWORD" -deststoretype PKCS12 -keystore "$CLIENT_UNTRUSTED_KEYSTORE"
-    _rc=$?
-    if [ $_rc -eq 0 ]; then
-        echo "Untrusted certificate '$_alias' successfully generated"
-    else
-        echo "Failed to generate untrusted certificate '$_alias'" >&2
-    fi
-    return $_rc
-}
-
-add_certificate_crl_distribution_point()
-{
-    echo "Add CRL distribution points to openssl configuration"
-    sed -i "/\[ v3_req \]/a crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.crl" "$OPENSSL_CONF" && \
-    sed -i "/\[ v3_ca \]/a crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.crl" "$OPENSSL_CONF"
-    _rc=$?
-    if [ $_rc -eq 0 ]; then
-        echo "CRL distribution points successfully addded"
-    else
-        echo "Failed to add CRL distribution points" >&2
-    fi
-    return $_rc
-}
-
-set_certificate_crl_distribution_point_to_intermediate_ca()
-{
-    echo "Setting CRL distribution point for intermediate CA certificate '$INTERMEDIATE_CA'"
-    sed -i -z "s|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.crl|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$INTERMEDIATE_CA.crl|" "$OPENSSL_CONF"
-    _rc=$?
-    if [ $_rc -eq 0 ]; then
-        echo "CRL distribution point for intermediate CA certificate '$INTERMEDIATE_CA' successfully set"
-    else
-        echo "Failed to set CRL distribution point for intermediate CA certificate '$INTERMEDIATE_CA'" >&2
-    fi
-    return $_rc
-}
-
-set_certificate_crl_distribution_point_to_empty_crl()
-{
-    echo "Setting CRL distribution point to empty CRL"
-    sed -i -z "s|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$INTERMEDIATE_CA.crl|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.empty.crl|" "$OPENSSL_CONF"
-    _rc=$?
-    if [ $_rc -eq 0 ]; then
-        echo "CRL distribution point to empty CRL successfully set"
-    else
-        echo "Failed to set CRL distribution to empty CRL" >&2
-    fi
-    return $_rc
-}
-
-set_certificate_crl_distribution_point_to_invalid_crl_path()
-{
-    echo "Setting CRL distribution point to invalid CRL path"
-    sed -i "s|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.empty.crl|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/not/a/crl|" "$OPENSSL_CONF"
-    _rc=$?
-    if [ $_rc -eq 0 ]; then
-        echo "CRL distribution point to invalid CRL path successfully set"
-    else
-        echo "Failed to set CRL distribution to invalid CRL path" >&2
-    fi
-    return $_rc
-}
-
-generate_intermediate_crl()
-{
-    echo "Generating intermediate CA certificate '$INTERMEDIATE_CA' CRL"
-    openssl ca -config "$OPENSSL_CONF" -passin pass:$PASSWORD -gencrl -keyfile "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -cert "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crl.pem" && \
-    openssl crl -inform PEM -in "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crl.pem" -outform DER -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crl"
-    _rc=$?
-    if [ $_rc -eq 0 ]; then
-        echo "Intermediate CA certificate '$INTERMEDIATE_CA' CRL successfully generated"
-    else
-        echo "Failed to generate intermediate CA certificate '$INTERMEDIATE_CA' CRL" >&2
-    fi
-    return $_rc
-}
-
-
-# $1 - part of CRL file name
-generate_crl()
-{
-    _crl_name_part=$1
-    _crl_path_prefix=
-    if [ -n "$_crl_name_part" ]; then
-        _crl_path_prefix="$CERTIFICATES_DIR/$ROOT_CA.$_crl_name_part"
-    else
-        _crl_path_prefix="$CERTIFICATES_DIR/$ROOT_CA"
-    fi
-
-    echo "Generating certificate '$ROOT_CA' CRL to '$_crl_path_prefix'"
-    openssl ca -config "$OPENSSL_CONF" -passin pass:$PASSWORD -gencrl -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -out "$_crl_path_prefix.crl.pem" && \
-    openssl crl -inform PEM -in "$_crl_path_prefix.crl.pem" -outform DER -out "$_crl_path_prefix.crl"
-    _rc=$?
-    if [ $_rc -eq 0 ]; then
-        echo "Certificate '$ROOT_CA' CRL successfully generated to '$_crl_path_prefix'"
-    else
-        echo "Failed to generate certificate '$ROOT_CA' CRL to '$_crl_path_prefix'" >&2
-    fi
-    return $_rc
-}
-
-revoke_certificate()
-{
-    _alias=$1
-
-    echo "Revoking certificate '$_alias'"
-    openssl ca -config "$OPENSSL_CONF" -passin pass:$PASSWORD -revoke "$CERTIFICATES_DIR/$_alias.crt" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt"
-    _rc=$?
-    if [ $_rc -eq 0 ]; then
-        echo "Certificate '$_alias' successfully revoked"
-    else
-        echo "Failed to revoke certificate '$_alias'" >&2
-    fi
-    return $_rc
-}
-
-prepare_test_keystores()
-{
-    echo "Preparing test keystores"
-    cp "$BROKER_KEYSTORE" "$TEST_KEYSTORE" && \
-    import_to_keystore "app1" "$TEST_KEYSTORE" && \
-    import_to_keystore "app2" "$TEST_KEYSTORE" && \
-    cp "$BROKER_KEYSTORE" "$TEST_PK_ONLY_KEYSTORE" && \
-    keytool -delete -v -alias rootca -storepass password -keystore "$TEST_PK_ONLY_KEYSTORE" && \
-    cp "$BROKER_KEYSTORE" "$TEST_CERT_ONLY_KEYSTORE" && \
-    keytool -delete -v -alias $BROKER_ALIAS -storepass password -keystore "$TEST_CERT_ONLY_KEYSTORE" && \
-    cp "$BROKER_KEYSTORE" "$TEST_SYMMETRIC_KEY_KEYSTORE" && \
-    keytool -genseckey -alias testalias -keyalg AES -keysize 256 -storetype PKCS12 -storepass "$PASSWORD" -keystore "$TEST_SYMMETRIC_KEY_KEYSTORE" && \
-    cp "$TEST_PK_ONLY_KEYSTORE" "$TEST_EMPTY_KEYSTORE"
-    keytool -delete -v -alias $BROKER_ALIAS -storepass password -keystore "$TEST_EMPTY_KEYSTORE" && \
-    _rc=$?
-    if [ $_rc -eq 0 ]; then
-        echo "Test keystores prepared"
-    else
-        echo "Failed to prepare keystores" >&2
-    fi
-    return $_rc
-}
-
-main()
-{
-    prepare_openssl_environment && \
-    generate_selfsigned_ca && \
-    generate_signed_certificate "app1" && \
-    generate_signed_certificate "app2" && \
-    generate_expired_certificate && \
-    generate_signed_broker_certificate && \
-    import_to_keystore "app1" "$BROKER_PEERSTORE" && \
-    generate_untrusted_client_certificate && \
-    add_certificate_crl_distribution_point && \
-    generate_signed_certificate "allowed_by_ca" && \
-    generate_signed_certificate "revoked_by_ca" && \
-    set_certificate_crl_distribution_point_to_intermediate_ca && \
-    generate_signed_certificate_with_intermediate_signed_certificate "allowed_by_ca_with_intermediate" && \
-    generate_intermediate_crl && \
-    set_certificate_crl_distribution_point_to_empty_crl && \
-    generate_signed_certificate "revoked_by_ca_empty_crl" && \
-    set_certificate_crl_distribution_point_to_invalid_crl_path && \
-    generate_signed_certificate "revoked_by_ca_invalid_crl_path" && \
-    generate_crl "empty" && \
-    revoke_certificate "$INTERMEDIATE_CA" && \
-    revoke_certificate "revoked_by_ca" && \
-    revoke_certificate "revoked_by_ca_empty_crl" && \
-    revoke_certificate "revoked_by_ca_invalid_crl_path" && \
-    generate_crl && \
-    prepare_test_keystores
-}
-
-if [ "$DEBUG" = true ]; then
-    main
-else
-    main 2>/dev/null 1>&2
-fi

diff --git a/qpid-test-utils/src/main/resources/ssl/openssl.conf b/qpid-test-utils/src/main/resources/ssl/openssl.conf
deleted file mode 100644
index ad224d7..0000000
--- a/qpid-test-utils/src/main/resources/ssl/openssl.conf
+++ /dev/null

@@ -1,380 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-#
-# OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-
-# Note that you can include other files from the main configuration
-# file using the .include directive.
-#.include filename
-
-# This definition stops the following lines choking if HOME isn't
-# defined.
-HOME			= .
-
-# Extra OBJECT IDENTIFIER info:
-#oid_file		= $ENV::HOME/.oid
-oid_section		= new_oids
-
-# System default
-openssl_conf = default_conf
-
-# To use this configuration file with the "-extfile" option of the
-# "openssl x509" utility, name here the section containing the
-# X.509v3 extensions to use:
-# extensions		=
-# (Alternatively, use a configuration file that has only
-# X.509v3 extensions in its main [= default] section.)
-
-[ new_oids ]
-
-# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
-# Add a simple OID like this:
-# testoid1=1.2.3.4
-# Or use config file substitution like this:
-# testoid2=${testoid1}.5.6
-
-# Policies used by the TSA examples.
-tsa_policy1 = 1.2.3.4.1
-tsa_policy2 = 1.2.3.4.5.6
-tsa_policy3 = 1.2.3.4.5.7
-
-####################################################################
-[ ca ]
-default_ca	= CA_default		# The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir             = .
-certs		= $dir/certs		# Where the issued certs are kept
-crl_dir		= $dir/crl		# Where the issued crl are kept
-database	= $dir/index.txt	# database index file.
-#unique_subject	= no			# Set to 'no' to allow creation of
-					# several certs with same subject.
-new_certs_dir	= $dir/newcerts		# default place for new certs.
-
-certificate	= $dir/cacert.pem 	# The CA certificate
-serial		= $dir/serial 		# The current serial number
-crlnumber	= $dir/crlnumber	# the current crl number
-					# must be commented out to leave a V1 CRL
-crl		= $dir/crl.pem 		# The current CRL
-private_key	= $dir/private/cakey.pem# The private key
-
-x509_extensions	= usr_cert		# The extensions to add to the cert
-
-# Comment out the following two lines for the "traditional"
-# (and highly broken) format.
-name_opt 	= ca_default		# Subject Name options
-cert_opt 	= ca_default		# Certificate field options
-
-# Extension copying option: use with caution.
-# copy_extensions = copy
-
-# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
-# so this is commented out by default to leave a V1 CRL.
-# crlnumber must also be commented out to leave a V1 CRL.
-# crl_extensions	= crl_ext
-
-default_days	= 365			# how long to certify for
-default_crl_days= 30			# how long before next CRL
-default_md	= default		# use public key default MD
-preserve	= no			# keep passed DN ordering
-
-# A few difference way of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-policy		= policy_match
-
-# For the CA policy
-[ policy_match ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName		= supplied
-emailAddress		= optional
-
-# For the 'anything' policy
-# At this point in time, you must list all acceptable 'object'
-# types.
-[ policy_anything ]
-countryName		= optional
-stateOrProvinceName	= optional
-localityName = optional
-organizationName	= optional
-organizationalUnitName	= optional
-commonName		= supplied
-emailAddress		= optional
-
-####################################################################
-[ req ]
-default_bits		= 2048
-default_keyfile 	= privkey.pem
-distinguished_name	= req_distinguished_name
-attributes		= req_attributes
-x509_extensions	= v3_ca	# The extensions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
-
-# This sets a mask for permitted string types. There are several options.
-# default: PrintableString, T61String, BMPString.
-# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
-# utf8only: only UTF8Strings (PKIX recommendation after 2004).
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
-string_mask = utf8only
-
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-countryName			= Country Name (2 letter code)
-countryName_default		= AU
-countryName_min			= 2
-countryName_max			= 2
-
-stateOrProvinceName		= State or Province Name (full name)
-stateOrProvinceName_default	= Some-State
-
-localityName			= Locality Name (eg, city)
-
-0.organizationName		= Organization Name (eg, company)
-0.organizationName_default	= Internet Widgits Pty Ltd
-
-# we can do this but it is not needed normally :-)
-#1.organizationName		= Second Organization Name (eg, company)
-#1.organizationName_default	= World Wide Web Pty Ltd
-
-organizationalUnitName		= Organizational Unit Name (eg, section)
-#organizationalUnitName_default	=
-
-commonName			= Common Name (e.g. server FQDN or YOUR name)
-commonName_max			= 64
-
-emailAddress			= Email Address
-emailAddress_max		= 64
-
-# SET-ex3			= SET extension number 3
-
-[ req_attributes ]
-challengePassword		= A challenge password
-challengePassword_min		= 4
-challengePassword_max		= 20
-
-unstructuredName		= An optional company name
-
-[ usr_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType			= server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-# This is required for TSA certificates.
-# extendedKeyUsage = critical,timeStamping
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ca ]
-
-# Extensions for a typical CA
-
-# PKIX recommendation.
-
-subjectKeyIdentifier=hash
-
-authorityKeyIdentifier=keyid:always,issuer
-
-basicConstraints = critical,CA:true
-
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-# keyUsage = cRLSign, keyCertSign
-
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
-# Include email address in subject alt name: another PKIX recommendation
-# subjectAltName=email:copy
-# Copy issuer details
-# issuerAltName=issuer:copy
-
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
-# Where 'obj' is a standard or added object
-# You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
-
-[ crl_ext ]
-
-# CRL extensions.
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-
-# issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always
-
-[ proxy_cert_ext ]
-# These extensions should be added when creating a proxy certificate
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType			= server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-# This really needs to be in place for it to be a proxy certificate.
-proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
-
-####################################################################
-[ tsa ]
-
-default_tsa = tsa_config1	# the default TSA section
-
-[ tsa_config1 ]
-
-# These are used by the TSA reply generation only.
-dir		= ./demoCA		# TSA root directory
-serial		= $dir/tsaserial	# The current serial number (mandatory)
-crypto_device	= builtin		# OpenSSL engine to use for signing
-signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
-					# (optional)
-certs		= $dir/cacert.pem	# Certificate chain to include in reply
-					# (optional)
-signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
-signer_digest  = sha512			# Signing digest to use. (Optional)
-default_policy	= tsa_policy1		# Policy if request did not specify it
-					# (optional)
-other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
-accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
-clock_precision_digits  = 0	# number of digits after dot. (optional)
-ordering		= yes	# Is ordering defined for timestamps?
-				# (optional, default: no)
-tsa_name		= yes	# Must the TSA name be included in the reply?
-				# (optional, default: no)
-ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
-				# (optional, default: no)
-ess_cert_id_alg		= sha1	# algorithm to compute certificate
-				# identifier (optional, default: sha1)
-[default_conf]
-ssl_conf = ssl_sect
-
-[ssl_sect]
-system_default = system_default_sect
-
-[system_default_sect]
-MinProtocol = TLSv1.2
-CipherString = DEFAULT@SECLEVEL=2

diff --git a/systests/qpid-systests-http-management/src/main/java/org/apache/qpid/tests/http/HttpTestHelper.java b/systests/qpid-systests-http-management/src/main/java/org/apache/qpid/tests/http/HttpTestHelper.java
index a2b94ad..4addf67 100644
--- a/systests/qpid-systests-http-management/src/main/java/org/apache/qpid/tests/http/HttpTestHelper.java
+++ b/systests/qpid-systests-http-management/src/main/java/org/apache/qpid/tests/http/HttpTestHelper.java

@@ -21,7 +21,6 @@
 package org.apache.qpid.tests.http;
 
 import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -349,11 +348,11 @@
             try
             {
                 URL ks = new URL(keystore);
-                _keyStore = SSLUtil.getInitializedKeyStore(ks, password, JAVA_KEYSTORE_TYPE);
+                _keyStore = SSLUtil.getInitializedKeyStore(ks, password, KeyStore.getDefaultType());
             }
             catch (MalformedURLException e)
             {
-                _keyStore = SSLUtil.getInitializedKeyStore(keystore, password, JAVA_KEYSTORE_TYPE);
+                _keyStore = SSLUtil.getInitializedKeyStore(keystore, password, KeyStore.getDefaultType());
             }
         }
         else

diff --git a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/authentication/PreemptiveAuthenticationTest.java b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/authentication/PreemptiveAuthenticationTest.java
index ded03df..06d87e2 100644
--- a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/authentication/PreemptiveAuthenticationTest.java
+++ b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/authentication/PreemptiveAuthenticationTest.java

@@ -23,9 +23,6 @@
 import static javax.servlet.http.HttpServletResponse.SC_CREATED;
 import static javax.servlet.http.HttpServletResponse.SC_OK;
 import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
-import static org.apache.qpid.server.transport.network.security.ssl.SSLUtil.canGenerateCerts;
-import static org.apache.qpid.server.transport.network.security.ssl.SSLUtil.generateSelfSignedCertificate;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.greaterThan;
 import static org.hamcrest.Matchers.hasKey;
@@ -34,18 +31,11 @@
 import static org.hamcrest.Matchers.startsWith;
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.fail;
-import static org.junit.Assume.assumeThat;
 
-import java.io.ByteArrayOutputStream;
 import java.net.HttpURLConnection;
 import java.net.InetAddress;
 import java.net.SocketException;
-import java.net.URL;
 import java.security.KeyStore;
-import java.security.cert.Certificate;
-import java.time.Duration;
-import java.time.Instant;
-import java.time.temporal.ChronoUnit;
 import java.util.ArrayDeque;
 import java.util.Base64;
 import java.util.Collections;
@@ -69,9 +59,13 @@
 import org.apache.qpid.server.security.ManagedPeerCertificateTrustStore;
 import org.apache.qpid.server.security.auth.manager.AnonymousAuthenticationManager;
 import org.apache.qpid.server.security.auth.manager.ExternalAuthenticationManager;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil.KeyCertPair;
 import org.apache.qpid.server.util.BaseAction;
-import org.apache.qpid.server.util.DataUrlUtils;
+import org.apache.qpid.test.utils.tls.AltNameType;
+import org.apache.qpid.test.utils.tls.AlternativeName;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.PrivateKeyEntry;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
+import org.apache.qpid.test.utils.tls.TlsResourceHelper;
 import org.apache.qpid.tests.http.HttpTestBase;
 import org.apache.qpid.tests.http.HttpTestHelper;
 
@@ -81,7 +75,7 @@
     private static final String STORE_PASSWORD = "password";
 
     private Deque<BaseAction<Void, Exception>> _tearDownActions;
-    private String _keyStore;
+
 
     @After
     public void tearDown() throws Exception
@@ -111,7 +105,6 @@
     @Test
     public void clientAuthSuccess() throws Exception
     {
-        assumeThat(canGenerateCerts(), is(true));
         HttpTestHelper helper = configForClientAuth("CN=foo");
 
         String userId = helper.getJson("broker/getUser", STRING_TYPE_REF, SC_OK);
@@ -121,7 +114,6 @@
     @Test
     public void clientAuthenticationWebManagementConsole() throws Exception
     {
-        assumeThat(canGenerateCerts(), is(true));
         HttpTestHelper helper = configForClientAuth("CN=foo");
 
         HttpURLConnection authenticateConnection = helper.openManagementConnection("/index.html", "GET");
@@ -144,10 +136,9 @@
     @Test
     public void clientAuthUnrecognisedCert() throws Exception
     {
-        assumeThat(canGenerateCerts(), is(true));
         HttpTestHelper helper = configForClientAuth("CN=foo");
 
-        String keyStore = createKeyStoreDataUrl(getKeyCertPair("CN=bar"), STORE_PASSWORD);
+        String keyStore = createKeyStoreDataUrl(getKeyCertPair("CN=bar"));
         helper.setKeyStore(keyStore, STORE_PASSWORD);
 
         try
@@ -252,10 +243,12 @@
 
     private HttpTestHelper configForClientAuth(final String x500Name) throws Exception
     {
-        final KeyCertPair keyCertPair = getKeyCertPair(x500Name);
-        final byte[] cert = keyCertPair.getCertificate().getEncoded();
+        final KeyCertificatePair clientKeyCertPair = getKeyCertPair(x500Name);
+        final byte[] clientCertificate = clientKeyCertPair.getCertificate().getEncoded();
+        final String clientKeyStore = createKeyStoreDataUrl(clientKeyCertPair);
 
-        _keyStore = createKeyStoreDataUrl(keyCertPair, STORE_PASSWORD);
+        final KeyCertificatePair brokerKeyCertPair = getKeyCertPair(x500Name);
+        final String brokerKeyStore = createKeyStoreDataUrl(brokerKeyCertPair);
 
         final Deque<BaseAction<Void,Exception>> deleteActions = new ArrayDeque<>();
 
@@ -269,16 +262,16 @@
 
         final Map<String, Object> keystoreAttr = new HashMap<>();
         keystoreAttr.put(FileKeyStore.TYPE, "FileKeyStore");
-        keystoreAttr.put(FileKeyStore.STORE_URL, "classpath:java_broker_keystore.jks");
+        keystoreAttr.put(FileKeyStore.STORE_URL, brokerKeyStore);
         keystoreAttr.put(FileKeyStore.PASSWORD, STORE_PASSWORD);
-        keystoreAttr.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+        keystoreAttr.put(FileKeyStore.KEY_STORE_TYPE, KeyStore.getDefaultType());
 
         getHelper().submitRequest("keystore/mykeystore","PUT", keystoreAttr, SC_CREATED);
         deleteActions.add(object -> getHelper().submitRequest("keystore/mykeystore", "DELETE", SC_OK));
 
         final Map<String, Object> truststoreAttr = new HashMap<>();
         truststoreAttr.put(ManagedPeerCertificateTrustStore.TYPE, ManagedPeerCertificateTrustStore.TYPE_NAME);
-        truststoreAttr.put(ManagedPeerCertificateTrustStore.STORED_CERTIFICATES, Collections.singletonList(Base64.getEncoder().encodeToString(cert)));
+        truststoreAttr.put(ManagedPeerCertificateTrustStore.STORED_CERTIFICATES, Collections.singletonList(Base64.getEncoder().encodeToString(clientCertificate)));
 
 
         getHelper().submitRequest("truststore/mytruststore","PUT", truststoreAttr, SC_CREATED);
@@ -306,7 +299,7 @@
 
         HttpTestHelper helper = new HttpTestHelper(getBrokerAdmin(), null, boundPort);
         helper.setTls(true);
-        helper.setKeyStore(_keyStore, STORE_PASSWORD);
+        helper.setKeyStore(clientKeyStore, STORE_PASSWORD);
         return helper;
     }
 
@@ -339,35 +332,27 @@
         _tearDownActions = deleteActions;
 
         HttpTestHelper helper = new HttpTestHelper(getBrokerAdmin(), null, boundPort);
-        helper.setKeyStore(_keyStore, STORE_PASSWORD);
         helper.setPassword(null);
         helper.setUserName(null);
         return helper;
 
     }
 
-    private String createKeyStoreDataUrl(final KeyCertPair keyCertPair, final String password) throws Exception
+    private String createKeyStoreDataUrl(final KeyCertificatePair keyCertPair) throws Exception
     {
-        final KeyStore keyStore = KeyStore.getInstance(JAVA_KEYSTORE_TYPE);
-        keyStore.load(null, null);
-        Certificate[] certChain = new Certificate[] {keyCertPair.getCertificate()};
-        keyStore.setKeyEntry("key1", keyCertPair.getPrivateKey(), password.toCharArray(), certChain);
-        try (ByteArrayOutputStream bos = new ByteArrayOutputStream())
-        {
-            keyStore.store(bos, password.toCharArray());
-            bos.toByteArray();
-            return DataUrlUtils.getDataUrlForBytes(bos.toByteArray());
-        }
+        return TlsResourceHelper.createKeyStoreAsDataUrl(KeyStore.getDefaultType(),
+                                                         STORE_PASSWORD.toCharArray(),
+                                                         new PrivateKeyEntry("key1",
+                                                                             keyCertPair.getPrivateKey(),
+                                                                             keyCertPair.getCertificate()));
     }
 
-    private KeyCertPair getKeyCertPair(final String x500Name) throws Exception
+    private KeyCertificatePair getKeyCertPair(final String x500Name) throws Exception
     {
-        return generateSelfSignedCertificate("RSA", "SHA256WithRSA",
-                                             2048, Instant.now().toEpochMilli(),
-                                             Duration.of(365, ChronoUnit.DAYS).getSeconds(),
-                                             x500Name,
-                                             Collections.emptySet(),
-                                             Collections.singleton(InetAddress.getLoopbackAddress()));
+        final String loopbackAddress = InetAddress.getLoopbackAddress().getHostAddress();
+        return TlsResourceBuilder.createSelfSigned(x500Name,
+                                                   new AlternativeName(AltNameType.IP_ADDRESS,
+                                                                       loopbackAddress));
     }
 
 }

diff --git a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/endtoend/port/PortTest.java b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/endtoend/port/PortTest.java
index 5302ea3..1c5d1de 100644
--- a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/endtoend/port/PortTest.java
+++ b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/endtoend/port/PortTest.java

@@ -23,7 +23,6 @@
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static javax.servlet.http.HttpServletResponse.SC_CREATED;
 import static javax.servlet.http.HttpServletResponse.SC_OK;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.notNullValue;
@@ -34,24 +33,12 @@
 import static org.junit.Assume.assumeThat;
 
 import java.io.File;
-import java.io.FileOutputStream;
 import java.io.IOException;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.CertificateException;
+import java.nio.file.Path;
 import java.security.cert.X509Certificate;
-import java.time.Duration;
-import java.time.Instant;
-import java.time.temporal.ChronoUnit;
-import java.util.Base64;
 import java.util.Collections;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.Map;
-import java.util.Set;
 
 import javax.jms.Connection;
 import javax.jms.JMSException;
@@ -63,8 +50,8 @@
 import javax.naming.NamingException;
 
 import com.fasterxml.jackson.core.type.TypeReference;
-import org.junit.After;
 import org.junit.Before;
+import org.junit.ClassRule;
 import org.junit.Test;
 
 import org.apache.qpid.server.model.ConfiguredObject;
@@ -73,50 +60,48 @@
 import org.apache.qpid.server.model.Transport;
 import org.apache.qpid.server.security.NonJavaKeyStore;
 import org.apache.qpid.server.security.auth.manager.AnonymousAuthenticationManager;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
 import org.apache.qpid.server.util.DataUrlUtils;
 import org.apache.qpid.systests.ConnectionBuilder;
+import org.apache.qpid.test.utils.tls.CertificateEntry;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.TlsResource;
+import org.apache.qpid.test.utils.tls.TlsResourceHelper;
 import org.apache.qpid.tests.http.HttpTestBase;
 import org.apache.qpid.tests.http.HttpTestHelper;
 
 public class PortTest extends HttpTestBase
 {
-    private static final String PASS = "changeit";
+    @ClassRule
+    public static final TlsResource TLS_RESOURCE = new TlsResource();
+
     private static final String QUEUE_NAME = "testQueue";
     private static final TypeReference<Boolean> BOOLEAN = new TypeReference<Boolean>()
     {
     };
+    private static final String CERTIFICATE_ALIAS = "certificate";
     private String _portName;
     private String _authenticationProvider;
     private String _keyStoreName;
-    private Set<File> _storeFiles;
+
     private File _storeFile;
 
     @Before
     public void setUp() throws Exception
     {
-        assumeThat(SSLUtil.canGenerateCerts(), is(true));
 
         _portName = getTestName();
         _authenticationProvider = _portName + "AuthenticationProvider";
         _keyStoreName = _portName + "KeyStore";
         createAnonymousAuthenticationProvider();
-        final SSLUtil.KeyCertPair keyCertPair = createKeyStore(_keyStoreName);
+        final KeyCertificatePair keyCertPair = generateSelfSignedCertificate();
         final X509Certificate certificate = keyCertPair.getCertificate();
-
-        _storeFiles = new HashSet<>();
-        _storeFile = createTrustStore(certificate);
+        submitKeyStoreAttributes(_keyStoreName, SC_CREATED, keyCertPair);
+        _storeFile = TLS_RESOURCE.createKeyStore(new CertificateEntry(CERTIFICATE_ALIAS, certificate)).toFile();
 
         getBrokerAdmin().createQueue(QUEUE_NAME);
     }
 
-
-    @After
-    public void tearDown()
-    {
-        _storeFiles.forEach(f -> assertTrue(f.delete()));
-    }
-
     @Test
     public void testSwapKeyStoreAndUpdateTlsOnAmqpPort() throws Exception
     {
@@ -128,8 +113,8 @@
             final MessageProducer producer = session.createProducer(session.createQueue(QUEUE_NAME));
             producer.send(session.createTextMessage("A"));
 
-            final SSLUtil.KeyCertPair keyCertPair = createKeyStoreAndUpdatePortTLS();
-            final File storeFile = createTrustStore(keyCertPair.getCertificate());
+            final File storeFile = createNewKeyStoreAndSetItOnPort();
+
             final Connection connection2 = createConnection(port, storeFile.getAbsolutePath());
             try
             {
@@ -164,9 +149,8 @@
             final MessageProducer producer = session.createProducer(session.createQueue(QUEUE_NAME));
             producer.send(session.createTextMessage("A"));
 
-            final SSLUtil.KeyCertPair keyCertPair = updateKeyStoreAndUpdatePortTLS();
-            final File storeFile = createTrustStore(keyCertPair.getCertificate());
-            final Connection connection2 = createConnection(port, storeFile.getAbsolutePath());
+            final File trustStoreFile = updateKeyStoreAndUpdatePortTls();
+            final Connection connection2 = createConnection(port, trustStoreFile.getAbsolutePath());
             try
             {
                 producer.send(session.createTextMessage("B"));
@@ -202,8 +186,7 @@
             final MessageProducer producer = session.createProducer(session.createQueue(QUEUE_NAME));
             producer.send(session.createTextMessage("A"));
 
-            final SSLUtil.KeyCertPair keyCertPair = createKeyStoreAndUpdatePortTLS();
-            final File storeFile = createTrustStore(keyCertPair.getCertificate());
+            final File storeFile = createNewKeyStoreAndSetItOnPort();
             final Connection connection2 = createConnectionBuilder(port, storeFile.getAbsolutePath())
                     .setTransport("amqpws").build();
             try
@@ -235,15 +218,14 @@
 
         HttpTestHelper helper = new HttpTestHelper(getBrokerAdmin(), null, port);
         helper.setTls(true);
-        helper.setKeyStore(_storeFile.getAbsolutePath(), PASS);
+        helper.setKeyStore(_storeFile.getAbsolutePath(), TLS_RESOURCE.getSecret());
 
         final Map<String, Object> attributes = getHelper().getJsonAsMap("port/" + _portName);
         final Map<String, Object> ownAttributes = helper.getJsonAsMap("port/" + _portName);
         assertEquals(attributes, ownAttributes);
 
-        final SSLUtil.KeyCertPair keyCertPair = createKeyStoreAndUpdatePortTLS();
-        final File storeFile = createTrustStore(keyCertPair.getCertificate());
-        helper.setKeyStore(storeFile.getAbsolutePath(), PASS);
+        final File storeFile = createNewKeyStoreAndSetItOnPort();
+        helper.setKeyStore(storeFile.getAbsolutePath(), TLS_RESOURCE.getSecret());
 
         final Map<String, Object> attributes2 = getHelper().getJsonAsMap("port/" + _portName);
         final Map<String, Object> ownAttributes2 = helper.getJsonAsMap("port/" + _portName);
@@ -257,25 +239,22 @@
         getHelper().submitRequest("authenticationprovider/" + _authenticationProvider, "PUT", data, SC_CREATED);
     }
 
-    private SSLUtil.KeyCertPair createKeyStore(final String keyStoreName) throws Exception
+    private void submitKeyStoreAttributes(final String keyStoreName,
+                                          final int status,
+                                          final KeyCertificatePair keyCertPair) throws Exception
     {
-        return submitKeyStoreAttributes(keyStoreName, SC_CREATED);
-    }
-
-    private SSLUtil.KeyCertPair submitKeyStoreAttributes(final String keyStoreName, final int status) throws Exception
-    {
-        final SSLUtil.KeyCertPair keyCertPair = generateSelfSignedCertificate();
 
         final Map<String, Object> attributes = new HashMap<>();
         attributes.put(NonJavaKeyStore.NAME, keyStoreName);
         attributes.put(NonJavaKeyStore.PRIVATE_KEY_URL,
-                       DataUrlUtils.getDataUrlForBytes(toPEM(keyCertPair.getPrivateKey()).getBytes(UTF_8)));
+                       DataUrlUtils.getDataUrlForBytes(TlsResourceHelper.toPEM(keyCertPair.getPrivateKey())
+                                                                        .getBytes(UTF_8)));
         attributes.put(NonJavaKeyStore.CERTIFICATE_URL,
-                       DataUrlUtils.getDataUrlForBytes(toPEM(keyCertPair.getCertificate()).getBytes(UTF_8)));
+                       DataUrlUtils.getDataUrlForBytes(TlsResourceHelper.toPEM(keyCertPair.getCertificate())
+                                                                        .getBytes(UTF_8)));
         attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
 
         getHelper().submitRequest("keystore/" + keyStoreName, "PUT", attributes, status);
-        return keyCertPair;
     }
 
     private ConnectionBuilder createConnectionBuilder(final int port, final String absolutePath)
@@ -284,7 +263,7 @@
                                      .setTls(true)
                                      .setVerifyHostName(false)
                                      .setTrustStoreLocation(absolutePath)
-                                     .setTrustStorePassword(PASS);
+                                     .setTrustStorePassword(TLS_RESOURCE.getSecret());
     }
 
     private Connection createConnection(final int port, final String absolutePath)
@@ -327,62 +306,9 @@
         return ((Number) attributes.get("boundPort")).intValue();
     }
 
-    private File createTrustStore(final X509Certificate certificate)
-            throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException
+    private KeyCertificatePair generateSelfSignedCertificate() throws Exception
     {
-        final java.security.KeyStore ks = java.security.KeyStore.getInstance(JAVA_KEYSTORE_TYPE);
-        ks.load(null);
-        ks.setCertificateEntry("certificate", certificate);
-        final File storeFile = File.createTempFile(getTestName(), ".jks");
-        try (FileOutputStream fos = new FileOutputStream(storeFile))
-        {
-            ks.store(fos, PASS.toCharArray());
-        }
-        finally
-        {
-            _storeFiles.add(storeFile);
-        }
-        return storeFile;
-    }
-
-    private SSLUtil.KeyCertPair generateSelfSignedCertificate() throws Exception
-    {
-        return SSLUtil.generateSelfSignedCertificate("RSA",
-                                                     "SHA256WithRSA",
-                                                     2048,
-                                                     Instant.now()
-                                                            .minus(1, ChronoUnit.DAYS)
-                                                            .toEpochMilli(),
-                                                     Duration.of(365, ChronoUnit.DAYS)
-                                                             .getSeconds(),
-                                                     "CN=foo",
-                                                     Collections.emptySet(),
-                                                     Collections.emptySet());
-    }
-
-    private String toPEM(final Certificate pub) throws CertificateEncodingException
-    {
-        return toPEM(pub.getEncoded(), "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----");
-    }
-
-    private String toPEM(final PrivateKey key)
-    {
-        return toPEM(key.getEncoded(), "-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----");
-    }
-
-    private String toPEM(final byte[] bytes, final String header, final String footer)
-    {
-        StringBuilder pem = new StringBuilder();
-        pem.append(header).append("\n");
-        String base64encoded = Base64.getEncoder().encodeToString(bytes);
-        while (base64encoded.length() > 76)
-        {
-            pem.append(base64encoded, 0, 76).append("\n");
-            base64encoded = base64encoded.substring(76);
-        }
-        pem.append(base64encoded).append("\n");
-        pem.append(footer).append("\n");
-        return pem.toString();
+        return TlsResourceBuilder.createSelfSigned("CN=foo");
     }
 
     private void assertMessage(final Message messageA, final String a) throws JMSException
@@ -392,29 +318,41 @@
         assertThat(((TextMessage) messageA).getText(), is(equalTo(a)));
     }
 
-    private SSLUtil.KeyCertPair createKeyStoreAndUpdatePortTLS() throws Exception
+    private File createNewKeyStoreAndSetItOnPort() throws Exception
     {
-        final SSLUtil.KeyCertPair keyCertPair = createKeyStore(_keyStoreName + "_2");
-        final Map<String, Object> data = Collections.singletonMap(Port.KEY_STORE, _keyStoreName + "_2");
-        getHelper().submitRequest("port/" + _portName, "POST", data, SC_OK);
-        final boolean response = getHelper().postJson("port/" + _portName + "/updateTLS",
-                                                      Collections.emptyMap(),
-                                                      BOOLEAN,
-                                                      SC_OK);
-        assertTrue(response);
-
-        return keyCertPair;
+        String newKeyStoreName = _keyStoreName + "_2";
+        final KeyCertificatePair keyCertPair = generateSelfSignedCertificate();
+        submitKeyStoreAttributes(newKeyStoreName, SC_CREATED, keyCertPair);
+        getHelper().submitRequest("port/" + _portName, "POST",
+                                  Collections.<String, Object>singletonMap(Port.KEY_STORE, newKeyStoreName), SC_OK);
+        updatePortTls();
+        return createTrustStore(keyCertPair);
     }
 
-    private SSLUtil.KeyCertPair updateKeyStoreAndUpdatePortTLS() throws Exception
+    private File updateKeyStoreAndUpdatePortTls() throws Exception
     {
-        final SSLUtil.KeyCertPair keyCertPair = submitKeyStoreAttributes(_keyStoreName, SC_OK);
+        final KeyCertificatePair keyCertPair = generateSelfSignedCertificate();
+        submitKeyStoreAttributes(_keyStoreName, SC_OK, keyCertPair);
+        updatePortTls();
+        return createTrustStore(keyCertPair);
+    }
+
+    private File createTrustStore(final KeyCertificatePair keyCertPair) throws Exception
+    {
+        CertificateEntry entry = new CertificateEntry(
+                CERTIFICATE_ALIAS,
+                keyCertPair.getCertificate());
+        Path keyStore = TLS_RESOURCE.createKeyStore(entry);
+        return keyStore.toFile();
+    }
+
+    private void updatePortTls() throws Exception
+    {
         final boolean response = getHelper().postJson("port/" + _portName + "/updateTLS",
                                                       Collections.emptyMap(),
                                                       BOOLEAN,
                                                       SC_OK);
         assertTrue(response);
 
-        return keyCertPair;
     }
 }

diff --git a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/rest/model/ReadTest.java b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/rest/model/ReadTest.java
index ac4e897..7a76363 100644
--- a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/rest/model/ReadTest.java
+++ b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/rest/model/ReadTest.java

@@ -31,13 +31,9 @@
 import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.Matchers.greaterThanOrEqualTo;
 import static org.hamcrest.Matchers.oneOf;
-import static org.junit.Assume.assumeThat;
 
 import java.io.ByteArrayInputStream;
 import java.io.File;
-import java.time.Duration;
-import java.time.Instant;
-import java.time.temporal.ChronoUnit;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
@@ -56,10 +52,10 @@
 import org.apache.qpid.server.model.User;
 import org.apache.qpid.server.security.NonJavaKeyStore;
 import org.apache.qpid.server.security.NonJavaTrustStore;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil.KeyCertPair;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
 import org.apache.qpid.server.util.DataUrlUtils;
 import org.apache.qpid.server.util.FileUtils;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
 import org.apache.qpid.tests.http.HttpRequestConfig;
 import org.apache.qpid.tests.http.HttpTestBase;
 
@@ -240,9 +236,8 @@
     @HttpRequestConfig(useVirtualHostAsHost = false)
     public void valueFilteredSecureAttributes() throws Exception
     {
-        assumeThat(SSLUtil.canGenerateCerts(), is(equalTo(true)));
 
-        final KeyCertPair keyCertPair = generateCertKeyPair();
+        final KeyCertificatePair keyCertPair = generateCertKeyPair();
         final byte[] privateKey = keyCertPair.getPrivateKey().getEncoded();
         final byte[] cert = keyCertPair.getCertificate().getEncoded();
         final String privateKeyUrl = DataUrlUtils.getDataUrlForBytes(privateKey);
@@ -295,7 +290,6 @@
     @HttpRequestConfig(useVirtualHostAsHost = false)
     public void oversizeAttribute() throws Exception
     {
-        assumeThat(SSLUtil.canGenerateCerts(), is(equalTo(true)));
 
         final byte[] encodedCert = generateCertKeyPair().getCertificate().getEncoded();
         final String dataUrl = DataUrlUtils.getDataUrlForBytes(encodedCert);
@@ -337,13 +331,8 @@
         return ((String) object.get(ConfiguredObject.ID));
     }
 
-    private KeyCertPair generateCertKeyPair() throws Exception
+    private KeyCertificatePair generateCertKeyPair() throws Exception
     {
-        return SSLUtil.generateSelfSignedCertificate("RSA", "SHA256WithRSA",
-                                                     2048, Instant.now().toEpochMilli(),
-                                                     Duration.of(365, ChronoUnit.DAYS).getSeconds(),
-                                                     "CN=foo",
-                                                     Collections.emptySet(),
-                                                     Collections.emptySet());
+        return TlsResourceBuilder.createSelfSigned("CN=foo");
     }
 }

diff --git a/systests/qpid-systests-jms-core/src/main/java/org/apache/qpid/systests/QpidJmsClientConnectionBuilder.java b/systests/qpid-systests-jms-core/src/main/java/org/apache/qpid/systests/QpidJmsClientConnectionBuilder.java
index dc39edb..30cef33 100644
--- a/systests/qpid-systests-jms-core/src/main/java/org/apache/qpid/systests/QpidJmsClientConnectionBuilder.java
+++ b/systests/qpid-systests-jms-core/src/main/java/org/apache/qpid/systests/QpidJmsClientConnectionBuilder.java

@@ -22,6 +22,7 @@
 
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
+import java.security.KeyStore;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.Hashtable;
@@ -39,8 +40,6 @@
 import javax.naming.InitialContext;
 import javax.naming.NamingException;
 
-import org.apache.qpid.test.utils.TestSSLConstants;
-
 public class QpidJmsClientConnectionBuilder implements ConnectionBuilder
 {
     private static final AtomicInteger CLIENTID_COUNTER = new AtomicInteger();
@@ -165,7 +164,7 @@
         _enableTls = enableTls;
         if (enableTls)
         {
-            _options.put("transport.storeType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
+            _options.put("transport.storeType", KeyStore.getDefaultType());
         }
         else
         {

diff --git a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/BrokerManagementHelper.java b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/BrokerManagementHelper.java
new file mode 100644
index 0000000..33dde20
--- /dev/null
+++ b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/BrokerManagementHelper.java

@@ -0,0 +1,283 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.systests.jms_1_1.extensions;
+
+
+import java.io.Closeable;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.jms.Connection;
+import javax.jms.JMSException;
+import javax.jms.Session;
+import javax.naming.NamingException;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import org.apache.qpid.server.model.AuthenticationProvider;
+import org.apache.qpid.server.model.ConfiguredObject;
+import org.apache.qpid.server.model.Port;
+import org.apache.qpid.server.model.User;
+import org.apache.qpid.server.security.FileKeyStore;
+import org.apache.qpid.server.security.FileTrustStore;
+import org.apache.qpid.server.security.auth.manager.ExternalAuthenticationManager;
+import org.apache.qpid.systests.AmqpManagementFacade;
+import org.apache.qpid.systests.ConnectionBuilder;
+
+public class BrokerManagementHelper implements Closeable
+{
+    private final ConnectionBuilder _connectionBuilder;
+    private final AmqpManagementFacade _managementFacade;
+    private Connection _connection;
+
+    public BrokerManagementHelper(final ConnectionBuilder connectionBuilder,
+                                  final AmqpManagementFacade managementFacade)
+    {
+        _connectionBuilder = connectionBuilder;
+        _managementFacade = managementFacade;
+    }
+
+    public BrokerManagementHelper openManagementConnection() throws JMSException, NamingException
+    {
+        _connection = _connectionBuilder.setVirtualHost("$management").build();
+        _connection.start();
+        return this;
+    }
+
+    public BrokerManagementHelper createKeyStore(final String keyStoreName,
+                                                 final String keyStoreLocation,
+                                                 final String keyStorePassword)
+            throws JMSException
+    {
+        final Map<String, Object> keyStoreAttributes = new HashMap<>();
+        keyStoreAttributes.put("storeUrl", keyStoreLocation);
+        keyStoreAttributes.put("password", keyStorePassword);
+        keyStoreAttributes.put("keyStoreType", java.security.KeyStore.getDefaultType());
+        return createEntity(keyStoreName, FileKeyStore.class.getName(), keyStoreAttributes);
+    }
+
+    public BrokerManagementHelper createTrustStore(final String trustStoreName,
+                                                   final String trustStoreLocation,
+                                                   final String trustStorePassword) throws JMSException
+    {
+        final Map<String, Object> trustStoreAttributes = new HashMap<>();
+        trustStoreAttributes.put("storeUrl", trustStoreLocation);
+        trustStoreAttributes.put("password", trustStorePassword);
+        trustStoreAttributes.put("trustStoreType", java.security.KeyStore.getDefaultType());
+        return createEntity(trustStoreName, FileTrustStore.class.getName(), trustStoreAttributes);
+    }
+
+    public BrokerManagementHelper createAmqpTlsPort(final String portName,
+                                                    final String authenticationProvider,
+                                                    final String keyStoreName,
+                                                    final boolean plainAndSsl,
+                                                    final boolean needClientAuth,
+                                                    final boolean wantClientAuth,
+                                                    final String... trustStoreName) throws JMSException
+    {
+        try
+        {
+            final Map<String, Object> sslPortAttributes = new HashMap<>();
+            sslPortAttributes.put(Port.TRANSPORTS, plainAndSsl ? "[\"SSL\",\"TCP\"]" : "[\"SSL\"]");
+            sslPortAttributes.put(Port.PORT, 0);
+            sslPortAttributes.put(Port.AUTHENTICATION_PROVIDER, authenticationProvider);
+            sslPortAttributes.put(Port.NEED_CLIENT_AUTH, needClientAuth);
+            sslPortAttributes.put(Port.WANT_CLIENT_AUTH, wantClientAuth);
+            sslPortAttributes.put(Port.NAME, portName);
+            sslPortAttributes.put(Port.KEY_STORE, keyStoreName);
+            sslPortAttributes.put(Port.TRUST_STORES, new ObjectMapper().writeValueAsString(trustStoreName));
+            createEntity(portName, "org.apache.qpid.AmqpPort", sslPortAttributes);
+        }
+        catch (JsonProcessingException e)
+        {
+            throw new RuntimeException("Unexpected json processing exception", e);
+        }
+
+        return this;
+    }
+
+    public BrokerManagementHelper createExternalAuthenticationProvider(String providerName, boolean useFullDN)
+            throws JMSException
+    {
+        final Map<String, Object> providerAttributes = new HashMap<>();
+        providerAttributes.put("qpid-type", ExternalAuthenticationManager.PROVIDER_TYPE);
+        providerAttributes.put(ExternalAuthenticationManager.ATTRIBUTE_USE_FULL_DN, useFullDN);
+        return createEntity(providerName,
+                            AuthenticationProvider.class.getName(),
+                            providerAttributes);
+    }
+
+
+    public BrokerManagementHelper createAuthenticationProvider(final String providerName, final String providerType)
+            throws JMSException
+    {
+        return createEntity(providerName,
+                            AuthenticationProvider.class.getName(),
+                            Collections.singletonMap("qpid-type", providerType));
+    }
+
+    public BrokerManagementHelper createUser(final String providerName,
+                                             final String userName,
+                                             final String userPassword)
+            throws JMSException
+    {
+        final Map<String, Object> userAttributes = new HashMap<>();
+        userAttributes.put("qpid-type", "managed");
+        userAttributes.put(User.PASSWORD, userPassword);
+        userAttributes.put("object-path", providerName);
+        return createEntity(userName, User.class.getName(), userAttributes);
+    }
+
+
+    public BrokerManagementHelper createEntity(final String name,
+                                               final String type,
+                                               final Map<String, Object> attributes) throws JMSException
+    {
+        final Session session = _connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+        try
+        {
+
+            _managementFacade.createEntityAndAssertResponse(name, type, attributes, session);
+        }
+        finally
+        {
+            session.close();
+        }
+        return this;
+    }
+
+    public int getAmqpBoundPort(final String portName) throws JMSException
+    {
+        return (int) getEffectiveAttribute(portName, "org.apache.qpid.AmqpPort", "boundPort");
+    }
+
+    public Object getEffectiveAttribute(final String name, final String type, String attributeName) throws JMSException
+    {
+        final Map<String, Object> effectiveAttributes = getEffectiveAttributes(name, type);
+        if (effectiveAttributes.containsKey(attributeName))
+        {
+            return effectiveAttributes.get(attributeName);
+        }
+        throw new RuntimeException(String.format("Attribute '%s' is not found", attributeName));
+    }
+
+    public Map<String, Object> getEffectiveAttributes(final String name, final String type) throws JMSException
+    {
+        final Session session = _connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+        try
+        {
+            return _managementFacade.readEntityUsingAmqpManagement(session, type, name, false);
+        }
+        finally
+        {
+            session.close();
+        }
+    }
+
+    protected List<Map<String, Object>> queryEntitiesUsingAmqpManagement(final String type)
+            throws JMSException
+    {
+        Session session = _connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+        try
+        {
+            return _managementFacade.managementQueryObjects(session, type);
+        }
+        finally
+        {
+            session.close();
+        }
+    }
+
+    public String getConnectionPrincipalByClientId(String portName, String clientId) throws JMSException
+    {
+        final List<Map<String, Object>> connections = queryEntitiesUsingAmqpManagement("org.apache.qpid.Connection");
+        for (final Map<String, Object> connection : connections)
+        {
+            final String name = String.valueOf(connection.get(ConfiguredObject.NAME));
+
+            final Map<String, Object> attributes =
+                    getEffectiveAttributes(portName + "/" + name, "org.apache.qpid.Connection");
+            if (attributes.get(org.apache.qpid.server.model.Connection.CLIENT_ID).equals(clientId))
+            {
+                return String.valueOf(attributes.get(org.apache.qpid.server.model.Connection.PRINCIPAL));
+            }
+        }
+        return null;
+    }
+
+
+    public void close()
+    {
+        if (_connection != null)
+        {
+            try
+            {
+                _connection.close();
+            }
+            catch (JMSException e)
+            {
+                throw new RuntimeException("Failure to close JMS connection", e);
+            }
+        }
+    }
+
+    public String getAuthenticationProviderNameForAmqpPort(final int brokerPort)
+            throws JMSException
+    {
+        String authenticationProvider = null;
+        Session session = _connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+        try
+        {
+            List<Map<String, Object>> ports =
+                    _managementFacade.managementQueryObjects(session, "org.apache.qpid.AmqpPort");
+            for (Map<String, Object> port : ports)
+            {
+                String name = String.valueOf(port.get(Port.NAME));
+
+                Session s = _connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+                try
+                {
+                    Map<String, Object> attributes = _managementFacade.readEntityUsingAmqpManagement(s,
+                                                                                                     "org.apache.qpid.AmqpPort",
+                                                                                                     name,
+                                                                                                     false);
+                    if (attributes.get("boundPort").equals(brokerPort))
+                    {
+                        authenticationProvider = String.valueOf(attributes.get(Port.AUTHENTICATION_PROVIDER));
+                        break;
+                    }
+                }
+                finally
+                {
+                    s.close();
+                }
+            }
+        }
+        finally
+        {
+            session.close();
+        }
+        return authenticationProvider;
+    }
+}

diff --git a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/TlsHelper.java b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/TlsHelper.java
new file mode 100644
index 0000000..0884c4a
--- /dev/null
+++ b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/TlsHelper.java

@@ -0,0 +1,134 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.systests.jms_1_1.extensions;
+
+import java.nio.file.Path;
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+import org.apache.qpid.test.utils.tls.CertificateEntry;
+import org.apache.qpid.test.utils.tls.PrivateKeyEntry;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.TlsResource;
+
+public class TlsHelper
+{
+    private static final String DN_CA = "CN=MyRootCA,O=ACME,ST=Ontario,C=CA";
+    private static final String DN_BROKER = "CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown";
+    private static final String DN_CLIENT_APP1 = "CN=app1@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+    private static final String DN_CLIENT_APP2 = "CN=app2@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+    private static final String CERT_ALIAS_ROOT_CA = "rootca";
+    public static final String CERT_ALIAS_APP1 = "app1";
+    public static final String CERT_ALIAS_APP2 = "app2";
+    private static final String BROKER_ALIAS = "java-broker";
+
+    private Path _brokerKeyStore;
+    private Path _brokerTrustStore;
+    private Path _clientKeyStore;
+    private Path _clientTrustStore;
+    private X509Certificate _caCertificate;
+    private KeyCertificatePair _clientKeyPair1;
+    private final KeyCertificatePair _caPair;
+
+    public TlsHelper(TlsResource tlsResource) throws Exception
+    {
+        _caPair = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
+        final KeyPair brokerKeyPair = TlsResourceBuilder.createRSAKeyPair();
+        final KeyPair clientKeyPair1 = TlsResourceBuilder.createRSAKeyPair();
+        final KeyPair clientKeyPair2 = TlsResourceBuilder.createRSAKeyPair();
+
+        final X509Certificate brokerCertificate =
+                TlsResourceBuilder.createCertificateForServerAuthorization(brokerKeyPair, _caPair, DN_BROKER);
+        final X509Certificate clientCertificate1 =
+                TlsResourceBuilder.createCertificateForClientAuthorization(clientKeyPair1, _caPair, DN_CLIENT_APP1);
+        final X509Certificate clientCertificate2 =
+                TlsResourceBuilder.createCertificateForClientAuthorization(clientKeyPair2, _caPair, DN_CLIENT_APP2);
+
+        final PrivateKey privateKey = clientKeyPair1.getPrivate();
+        final X509Certificate certificate = clientCertificate1;
+        _clientKeyPair1 = new KeyCertificatePair(privateKey, certificate);
+        _caCertificate = _caPair.getCertificate();
+
+        _brokerKeyStore = tlsResource.createKeyStore(new PrivateKeyEntry(BROKER_ALIAS,
+                                                                         brokerKeyPair.getPrivate(),
+                                                                         brokerCertificate,
+                                                                         _caCertificate));
+        _brokerTrustStore = tlsResource.createKeyStore(new CertificateEntry(CERT_ALIAS_ROOT_CA,
+                                                                            _caCertificate));
+        _clientKeyStore =
+                tlsResource.createKeyStore(new PrivateKeyEntry(CERT_ALIAS_APP1,
+                                                               clientKeyPair1.getPrivate(),
+                                                               clientCertificate1,
+                                                               _caCertificate),
+                                           new PrivateKeyEntry(CERT_ALIAS_APP2,
+                                                               clientKeyPair2.getPrivate(),
+                                                               clientCertificate2,
+                                                               _caCertificate));
+
+        _clientTrustStore = tlsResource.createKeyStore(new CertificateEntry(CERT_ALIAS_ROOT_CA,
+                                                                            _caCertificate));
+    }
+
+
+    public String getClientKeyStore()
+    {
+        return _clientKeyStore.toFile().getAbsolutePath();
+    }
+
+    public String getClientTrustStore()
+    {
+        return _clientTrustStore.toFile().getAbsolutePath();
+    }
+
+    public X509Certificate getCaCertificate()
+    {
+        return _caCertificate;
+    }
+
+    public PrivateKey getClientPrivateKey()
+    {
+        return _clientKeyPair1.getPrivateKey();
+    }
+
+    public X509Certificate getClientCerificate()
+    {
+        return _clientKeyPair1.getCertificate();
+    }
+
+    public String getBrokerKeyStore()
+    {
+        return _brokerKeyStore.toFile().getAbsolutePath();
+    }
+
+    public String getBrokerTrustStore()
+    {
+        return _brokerTrustStore.toFile().getAbsolutePath();
+    }
+
+    public KeyCertificatePair getCaKeyCertPair()
+    {
+        final PrivateKey privateKey = _caPair.getPrivateKey();
+        final X509Certificate certificate = _caCertificate;
+        return new KeyCertificatePair(privateKey, certificate);
+    }
+}

diff --git a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/management/AmqpManagementTest.java b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/management/AmqpManagementTest.java
index 6b55c87..1fbb23a 100644
--- a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/management/AmqpManagementTest.java
+++ b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/management/AmqpManagementTest.java

@@ -52,9 +52,8 @@
 import javax.naming.NamingException;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
-import org.apache.qpid.test.utils.TestSSLConstants;
-import org.junit.AfterClass;
 import org.junit.BeforeClass;
+import org.junit.ClassRule;
 import org.junit.Test;
 
 import org.apache.qpid.server.exchange.ExchangeDefaults;
@@ -63,11 +62,18 @@
 import org.apache.qpid.server.queue.PriorityQueue;
 import org.apache.qpid.systests.AmqpManagementFacade;
 import org.apache.qpid.systests.JmsTestBase;
-import org.apache.qpid.systests.jms_1_1.extensions.tls.TlsTest;
+import org.apache.qpid.systests.jms_1_1.extensions.BrokerManagementHelper;
+import org.apache.qpid.systests.jms_1_1.extensions.TlsHelper;
+import org.apache.qpid.test.utils.tls.TlsResource;
 import org.apache.qpid.tests.utils.BrokerAdmin;
 
 public class AmqpManagementTest extends JmsTestBase
 {
+    @ClassRule
+    public static final TlsResource TLS_RESOURCE = new TlsResource();
+
+    private static TlsHelper _tlsHelper;
+
     private Session _session;
     private Queue _replyAddress;
     private MessageConsumer _consumer;
@@ -76,22 +82,7 @@
     @BeforeClass
     public static void setUp() throws Exception
     {
-        // legacy client keystore/truststore types can only be configured with JVM settings
-        if (getProtocol() != Protocol.AMQP_1_0)
-        {
-            System.setProperty("javax.net.ssl.trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
-            System.setProperty("javax.net.ssl.keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
-        }
-    }
-
-    @AfterClass
-    public static void tearDown() throws Exception
-    {
-        if (getProtocol() != Protocol.AMQP_1_0)
-        {
-            System.clearProperty("javax.net.ssl.trustStoreType");
-            System.clearProperty("javax.net.ssl.keyStoreType");
-        }
+        _tlsHelper = new TlsHelper(TLS_RESOURCE);
     }
 
     private void setUp(final Connection connection) throws Exception
@@ -681,18 +672,36 @@
             unsecuredConnection.close();
         }
 
-        int tlsPort = TlsTest.createTlsPort(getTestName() + "TlsPort",
-                                            false,
-                                            false,
-                                            false,
-                                            getConnectionBuilder(),
-                                            new AmqpManagementFacade(getProtocol()),
-                                            getBrokerAdmin().getBrokerAddress(BrokerAdmin.PortType.AMQP).getPort());
+        int tlsPort = 0;
+        final String portName = getTestName() + "TlsPort";
+        final String keyStoreName = portName + "KeyStore";
+        final String trustStoreName = portName + "TrustStore";
+        try (final BrokerManagementHelper helper = new BrokerManagementHelper(getConnectionBuilder(),
+                                                                              new AmqpManagementFacade(getProtocol())))
+        {
+            helper.openManagementConnection();
+
+            final String authenticationManager =
+                    helper.getAuthenticationProviderNameForAmqpPort(getBrokerAdmin().getBrokerAddress(
+                            BrokerAdmin.PortType.AMQP)
+                                                                                    .getPort());
+            tlsPort = helper.createKeyStore(keyStoreName, _tlsHelper.getBrokerKeyStore(), TLS_RESOURCE.getSecret())
+                            .createTrustStore(trustStoreName,
+                                              _tlsHelper.getBrokerTrustStore(),
+                                              TLS_RESOURCE.getSecret())
+                            .createAmqpTlsPort(portName,
+                                               authenticationManager,
+                                               keyStoreName,
+                                               false,
+                                               false,
+                                               false,
+                                               trustStoreName).getAmqpBoundPort(portName);
+        }
 
         Connection connection = getConnectionBuilder().setTls(true)
                                                       .setPort(tlsPort)
-                                                      .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
-                                                      .setTrustStorePassword(TestSSLConstants.PASSWORD)
+                                                      .setTrustStoreLocation(_tlsHelper.getClientTrustStore())
+                                                      .setTrustStorePassword(TLS_RESOURCE.getSecret())
                                                       .build();
         try
         {

diff --git a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/sasl/AuthenticationTest.java b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/sasl/AuthenticationTest.java
index c808b45..ac74cd7 100644
--- a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/sasl/AuthenticationTest.java
+++ b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/sasl/AuthenticationTest.java

@@ -33,10 +33,12 @@
 import java.io.OutputStream;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.nio.file.Paths;
-import java.util.Collections;
+import java.nio.file.StandardCopyOption;
+import java.security.KeyPair;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
 
 import javax.jms.Connection;
@@ -47,7 +49,6 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.apache.qpid.server.security.FileTrustStoreTest;
 import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
@@ -56,41 +57,82 @@
 import org.eclipse.jetty.server.handler.HandlerCollection;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
+import org.junit.ClassRule;
 import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
-import org.apache.qpid.server.model.AuthenticationProvider;
-import org.apache.qpid.server.model.ConfiguredObject;
 import org.apache.qpid.server.model.Port;
 import org.apache.qpid.server.model.Protocol;
-import org.apache.qpid.server.model.User;
-import org.apache.qpid.server.security.FileKeyStore;
 import org.apache.qpid.server.security.FileTrustStore;
-import org.apache.qpid.server.security.auth.manager.ExternalAuthenticationManager;
 import org.apache.qpid.server.security.auth.manager.ExternalAuthenticationManagerImpl;
 import org.apache.qpid.server.security.auth.manager.ScramSHA1AuthenticationManager;
 import org.apache.qpid.server.security.auth.manager.ScramSHA256AuthenticationManager;
 import org.apache.qpid.server.security.auth.sasl.crammd5.CramMd5HashedNegotiator;
+import org.apache.qpid.server.util.DataUrlUtils;
 import org.apache.qpid.systests.AmqpManagementFacade;
+import org.apache.qpid.systests.ConnectionBuilder;
 import org.apache.qpid.systests.JmsTestBase;
-import org.apache.qpid.test.utils.TestSSLConstants;
+import org.apache.qpid.systests.jms_1_1.extensions.BrokerManagementHelper;
+import org.apache.qpid.test.utils.tls.CertificateEntry;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.PrivateKeyEntry;
+import org.apache.qpid.test.utils.tls.TlsResource;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
 
 public class AuthenticationTest extends JmsTestBase
 {
-    private static final Logger LOGGER = LoggerFactory.getLogger(AuthenticationTest.class);
+    @ClassRule
+    public static final TlsResource TLS_RESOURCE = new TlsResource();
+
+    private static final String DN_CA = "CN=MyRootCA,O=ACME,ST=Ontario,C=CA";
+    private static final String DN_BROKER = "CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown";
+    private static final String DN_INTERMEDIATE = "CN=intermediate_ca@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+    private static final String DN_CLIENT_APP1 = "CN=app1@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+    private static final String DN_CLIENT_APP2 = "CN=app2@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+    private static final String DN_CLIENT_INT =
+            "CN=allowed_by_ca_with_intermediate@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+    private static final String DN_CLIENT_ALLOWED = "CN=allowed_by_ca@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+    private static final String DN_CLIENT_REVOKED = "CN=revoked_by_ca@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+    private static final String DN_CLIENT_REVOKED_BY_EMPTY =
+            "CN=revoked_by_ca_empty_crl@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+    private static final String DN_CLIENT_REVOKED_INVALID_CRL =
+            "CN=revoked_by_ca_invalid_crl_path@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+    private static final String DN_CLIENT_UNTRUSTED = "CN=untrusted_client";
+    private static final String CERT_ALIAS_ROOT_CA = "rootca";
+    private static final String CERT_ALIAS_APP1 = "app1";
+    private static final String CERT_ALIAS_APP2 = "app2";
+    private static final String CERT_ALIAS_ALLOWED = "allowed_by_ca";
+    private static final String CERT_ALIAS_REVOKED = "revoked_by_ca";
+    private static final String CERT_ALIAS_REVOKED_EMPTY_CRL = "revoked_by_ca_empty_crl";
+    private static final String CERT_ALIAS_REVOKED_INVALID_CRL_PATH = "revoked_by_ca_invalid_crl_path";
+    private static final String CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE = "allowed_by_ca_with_intermediate";
+    private static final String CERT_ALIAS_UNTRUSTED_CLIENT = "untrusted_client";
+
     private static final String USER = "user";
     private static final String USER_PASSWORD = "user";
-    // see how port is specified when certificates are generated in script
-    // test-profiles/test_resources/ssl/generate_certificates.sh
-    private static final int CRL_HTTP_PORT = 8186;
+
     private static final Server CRL_SERVER = new Server();
     private static final HandlerCollection HANDLERS = new HandlerCollection();
 
+    private static final String CRL_TEMPLATE = "http://localhost:%d/%s";
+
+    private static int crlHttpPort = -1;
+    private static String _brokerKeyStore;
+    private static String _brokerTrustStore;
+    private static String _clientKeyStore;
+    private static String _clientTrustStore;
+    private static String _brokerPeerStore;
+    private static String _clientExpiredKeyStore;
+    private static String _clientUntrustedKeyStore;
+    private static Path _crlFile;
+    private static Path _emptyCrlFile;
+    private static Path _intermediateCrlFile;
+
     @BeforeClass
     public static void setUp() throws Exception
     {
-        System.setProperty("javax.net.debug", "ssl");
+        _crlFile = TLS_RESOURCE.createFile(".crl");
+        _emptyCrlFile = TLS_RESOURCE.createFile("-empty.crl");
+        _intermediateCrlFile = TLS_RESOURCE.createFile("-intermediate.crl");
 
         // workaround for QPID-8069
         if (getProtocol() != Protocol.AMQP_1_0 && getProtocol() != Protocol.AMQP_0_10)
@@ -98,21 +140,168 @@
             System.setProperty("amqj.MaximumStateWait", "4000");
         }
 
-        // legacy client keystore/truststore types can only be configured with JVM settings
-        if (getProtocol() != Protocol.AMQP_1_0)
-        {
-            System.setProperty("javax.net.ssl.trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
-            System.setProperty("javax.net.ssl.keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
-        }
         final ServerConnector connector = new ServerConnector(CRL_SERVER);
-        connector.setPort(CRL_HTTP_PORT);
+        connector.setPort(0);
         connector.setHost("localhost");
+
         CRL_SERVER.addConnector(connector);
-        createContext(Paths.get(TestSSLConstants.CA_CRL));
-        createContext(Paths.get(TestSSLConstants.CA_CRL_EMPTY));
-        createContext(Paths.get(TestSSLConstants.INTERMEDIATE_CA_CRL));
+        createContext(_crlFile);
+        createContext(_emptyCrlFile);
+        createContext(_intermediateCrlFile);
         CRL_SERVER.setHandler(HANDLERS);
         CRL_SERVER.start();
+        crlHttpPort = connector.getLocalPort();
+
+        buildTlsResources();
+
+        System.setProperty("javax.net.debug", "ssl");
+    }
+
+    private static void buildTlsResources() throws Exception
+    {
+        final String crlUri = String.format(CRL_TEMPLATE, crlHttpPort, _crlFile.toFile().getName());
+        final String emptyCrlUri = String.format(CRL_TEMPLATE, crlHttpPort, _emptyCrlFile.toFile().getName());
+        final String intermediateCrlUri = String.format(CRL_TEMPLATE, crlHttpPort, _intermediateCrlFile.toFile().getName());
+        final String nonExistingCrlUri = String.format(CRL_TEMPLATE, crlHttpPort, "not/a/crl");
+
+        final KeyCertificatePair caPair = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
+        final KeyPair brokerKeyPair = TlsResourceBuilder.createRSAKeyPair();
+        final X509Certificate brokerCertificate =
+                TlsResourceBuilder.createCertificateForServerAuthorization(brokerKeyPair, caPair, DN_BROKER);
+
+        _brokerKeyStore = TLS_RESOURCE.createKeyStore(new PrivateKeyEntry("java-broker",
+                                                                          brokerKeyPair.getPrivate(),
+                                                                          brokerCertificate,
+                                                                          caPair.getCertificate()),
+                                                      new CertificateEntry(CERT_ALIAS_ROOT_CA,
+                                                                           caPair.getCertificate()))
+                                      .toFile()
+                                      .getAbsolutePath();
+        _brokerTrustStore = TLS_RESOURCE.createKeyStore(new CertificateEntry(CERT_ALIAS_ROOT_CA,
+                                                                             caPair.getCertificate()))
+                                        .toFile()
+                                        .getAbsolutePath();
+
+        final KeyPair clientApp1KeyPair = TlsResourceBuilder.createRSAKeyPair();
+        final X509Certificate clientApp1Certificate =
+                TlsResourceBuilder.createCertificateForClientAuthorization(clientApp1KeyPair,
+                                                                           caPair, DN_CLIENT_APP1);
+
+        _brokerPeerStore = TLS_RESOURCE.createKeyStore(new CertificateEntry(DN_CLIENT_APP1,
+                                                                            clientApp1Certificate))
+                                       .toFile()
+                                       .getAbsolutePath();
+
+        final KeyPair clientApp2KeyPair = TlsResourceBuilder.createRSAKeyPair();
+        final X509Certificate clientApp2Certificate =
+                TlsResourceBuilder.createCertificateForClientAuthorization(clientApp2KeyPair,
+                                                                           caPair, DN_CLIENT_APP2);
+
+        final KeyPair clientAllowedKeyPair = TlsResourceBuilder.createRSAKeyPair();
+        final X509Certificate clientAllowedCertificate =
+                TlsResourceBuilder.createCertificateWithCrlDistributionPoint(clientAllowedKeyPair,
+                                                                             caPair,
+                                                                             DN_CLIENT_ALLOWED,
+                                                                             crlUri);
+
+        final KeyPair clientRevokedKeyPair = TlsResourceBuilder.createRSAKeyPair();
+        final X509Certificate clientRevokedCertificate =
+                TlsResourceBuilder.createCertificateWithCrlDistributionPoint(clientRevokedKeyPair,
+                                                                             caPair,
+                                                                             DN_CLIENT_REVOKED,
+                                                                             crlUri);
+
+        final KeyPair clientKeyPairRevokedByEmpty = TlsResourceBuilder.createRSAKeyPair();
+        final X509Certificate clientCertificateRevokedByEmpty =
+                TlsResourceBuilder.createCertificateWithCrlDistributionPoint(clientKeyPairRevokedByEmpty,
+                                                                             caPair,
+                                                                             DN_CLIENT_REVOKED_BY_EMPTY,
+                                                                             emptyCrlUri);
+
+        final KeyPair clientKeyPairInvalidClr = TlsResourceBuilder.createRSAKeyPair();
+        final X509Certificate clientCertificateInvalidClr =
+                TlsResourceBuilder.createCertificateWithCrlDistributionPoint(clientKeyPairInvalidClr,
+                                                                             caPair,
+                                                                             DN_CLIENT_REVOKED_INVALID_CRL,
+                                                                             nonExistingCrlUri);
+
+        final KeyCertificatePair intermediateCA =
+                TlsResourceBuilder.createKeyPairAndIntermediateCA(DN_INTERMEDIATE, caPair, crlUri);
+        final KeyPair clientKeyPairIntermediate = TlsResourceBuilder.createRSAKeyPair();
+        final X509Certificate clientCertificateIntermediate =
+                TlsResourceBuilder.createCertificateWithCrlDistributionPoint(clientKeyPairIntermediate,
+                                                                             intermediateCA,
+                                                                             DN_CLIENT_INT,
+                                                                             intermediateCrlUri);
+
+        final KeyPair clientKeyPairExpired = TlsResourceBuilder.createRSAKeyPair();
+        final Instant from = Instant.now().minus(10, ChronoUnit.DAYS);
+        final Instant to = Instant.now().minus(5, ChronoUnit.DAYS);
+        final X509Certificate clientCertificateExpired = TlsResourceBuilder.createCertificate(clientKeyPairExpired,
+                                                                                              caPair,
+                                                                                              "CN=user1",
+                                                                                              from,
+                                                                                              to);
+        _clientExpiredKeyStore =
+                TLS_RESOURCE.createKeyStore(
+                        new PrivateKeyEntry("user1",
+                                            clientKeyPairExpired.getPrivate(),
+                                            clientCertificateExpired,
+                                            caPair.getCertificate())).toFile().getAbsolutePath();
+
+        _clientKeyStore = TLS_RESOURCE.createKeyStore(
+                new PrivateKeyEntry(CERT_ALIAS_APP1,
+                                    clientApp1KeyPair.getPrivate(),
+                                    clientApp1Certificate,
+                                    caPair.getCertificate()),
+                new PrivateKeyEntry(CERT_ALIAS_APP2,
+                                    clientApp2KeyPair.getPrivate(),
+                                    clientApp2Certificate,
+                                    caPair.getCertificate()),
+                new PrivateKeyEntry(CERT_ALIAS_ALLOWED,
+                                    clientAllowedKeyPair.getPrivate(),
+                                    clientAllowedCertificate,
+                                    caPair.getCertificate()),
+                new PrivateKeyEntry(CERT_ALIAS_REVOKED,
+                                    clientRevokedKeyPair.getPrivate(),
+                                    clientRevokedCertificate,
+                                    caPair.getCertificate()),
+                new PrivateKeyEntry(CERT_ALIAS_REVOKED_EMPTY_CRL,
+                                    clientKeyPairRevokedByEmpty.getPrivate(),
+                                    clientCertificateRevokedByEmpty,
+                                    caPair.getCertificate()),
+                new PrivateKeyEntry(CERT_ALIAS_REVOKED_INVALID_CRL_PATH,
+                                    clientKeyPairInvalidClr.getPrivate(),
+                                    clientCertificateInvalidClr,
+                                    caPair.getCertificate()),
+                new PrivateKeyEntry(CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE,
+                                    clientKeyPairIntermediate.getPrivate(),
+                                    clientCertificateIntermediate,
+                                    intermediateCA.getCertificate(),
+                                    caPair.getCertificate()),
+                new CertificateEntry(CERT_ALIAS_ROOT_CA, caPair.getCertificate())).toFile().getAbsolutePath();
+
+        _clientTrustStore = TLS_RESOURCE.createKeyStore(new CertificateEntry(CERT_ALIAS_ROOT_CA,
+                                                                             caPair.getCertificate()))
+                                        .toFile()
+                                        .getAbsolutePath();
+
+        final Path crl = TLS_RESOURCE.createCrlAsDer(caPair, clientRevokedCertificate, intermediateCA.getCertificate());
+        Files.copy(crl, _crlFile, StandardCopyOption.REPLACE_EXISTING);
+
+        final Path emptyCrl = TLS_RESOURCE.createCrlAsDer(caPair);
+        Files.copy(emptyCrl, _emptyCrlFile, StandardCopyOption.REPLACE_EXISTING);
+
+        final Path intermediateCrl = TLS_RESOURCE.createCrlAsDer(caPair);
+        Files.copy(intermediateCrl, _intermediateCrlFile, StandardCopyOption.REPLACE_EXISTING);
+
+        final KeyCertificatePair clientKeyPairUntrusted = TlsResourceBuilder.createSelfSigned(DN_CLIENT_UNTRUSTED);
+        _clientUntrustedKeyStore = TLS_RESOURCE.createKeyStore(
+                new PrivateKeyEntry(CERT_ALIAS_APP1,
+                                    clientKeyPairUntrusted.getPrivateKey(),
+                                    clientKeyPairUntrusted.getCertificate()))
+                                               .toFile()
+                                               .getAbsolutePath();
     }
 
     @AfterClass
@@ -124,11 +313,6 @@
             System.clearProperty("amqj.MaximumStateWait");
         }
 
-        if (getProtocol() != Protocol.AMQP_1_0)
-        {
-            System.clearProperty("javax.net.ssl.trustStoreType");
-            System.clearProperty("javax.net.ssl.keyStoreType");
-        }
         CRL_SERVER.stop();
     }
 
@@ -140,65 +324,45 @@
                    getProtocol(),
                    is(not(equalTo(Protocol.AMQP_1_0))));
 
-        final int port = createAuthenticationProviderAndUserAndPort(getTestName(), "MD5", USER, USER_PASSWORD);
+        final int port = createAuthenticationProviderAndUserAndPort(getTestName(), "MD5");
 
-        assertPlainConnectivity(port, USER, USER_PASSWORD, CramMd5HashedNegotiator.MECHANISM);
+        assertPlainConnectivity(port, CramMd5HashedNegotiator.MECHANISM);
     }
 
     @Test
     public void sha256() throws Exception
     {
         final int port = createAuthenticationProviderAndUserAndPort(getTestName(),
-                                                              ScramSHA256AuthenticationManager.PROVIDER_TYPE,
-                                                              USER,
-                                                              USER_PASSWORD);
+                                                                    ScramSHA256AuthenticationManager.PROVIDER_TYPE);
 
-        assertPlainConnectivity(port, USER, USER_PASSWORD, ScramSHA256AuthenticationManager.MECHANISM);
+        assertPlainConnectivity(port, ScramSHA256AuthenticationManager.MECHANISM);
     }
 
     @Test
     public void sha1() throws Exception
     {
         final int port = createAuthenticationProviderAndUserAndPort(getTestName(),
-                                                              ScramSHA1AuthenticationManager.PROVIDER_TYPE,
-                                                              USER,
-                                                              USER_PASSWORD);
+                                                                    ScramSHA1AuthenticationManager.PROVIDER_TYPE);
 
-        assertPlainConnectivity(port, USER, USER_PASSWORD, ScramSHA1AuthenticationManager.MECHANISM);
+        assertPlainConnectivity(port, ScramSHA1AuthenticationManager.MECHANISM);
     }
 
     @Test
     public void external() throws Exception
     {
-        final int port = createExternalProviderAndTlsPort();
 
-        Connection connection = getConnectionBuilder().setPort(port)
-                                                      .setTls(true)
-                                                      .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
-                                                      .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
-                                                      .setKeyStorePassword(TestSSLConstants.PASSWORD)
-                                                      .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
-                                                      .setTrustStorePassword(TestSSLConstants.PASSWORD)
-                                                      .build();
-        try
-        {
-            final Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
-            assertNotNull("Temporary queue was not created", session.createTemporaryQueue());
-        }
-        finally
-        {
-            connection.close();
-        }
+        final int port = createExternalProviderAndTlsPort(getBrokerTrustStoreAttributes(), null, false);
+        assertTlsConnectivity(port, CERT_ALIAS_ALLOWED);
     }
 
+    @Test
     public void externalWithRevocationWithDataUrlCrlFileAndAllowedCertificate() throws Exception
     {
         final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL,
-                FileTrustStoreTest.createDataUrlForFile(TestSSLConstants.CA_CRL));
-        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
-        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, createDataUrlForFile(_crlFile));
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+        assertTlsConnectivity(port, CERT_ALIAS_ALLOWED);
     }
 
     @Test
@@ -206,10 +370,9 @@
     {
         final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL,
-                FileTrustStoreTest.createDataUrlForFile(TestSSLConstants.CA_CRL));
-        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
-        assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, createDataUrlForFile(_crlFile));
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+        assertNoTlsConnectivity(port, CERT_ALIAS_REVOKED);
     }
 
     @Test
@@ -217,9 +380,9 @@
     {
         final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
-        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
-        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, _crlFile.toFile().getAbsolutePath());
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+        assertTlsConnectivity(port, CERT_ALIAS_ALLOWED);
     }
 
     @Test
@@ -227,10 +390,11 @@
     {
         final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
-        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST, false);
-        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
-        assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, _crlFile.toFile().getAbsolutePath());
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST,
+                                 false);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+        assertNoTlsConnectivity(port, CERT_ALIAS_ALLOWED);
     }
 
     @Test
@@ -238,9 +402,9 @@
     {
         final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
-        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
-        assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, _crlFile.toFile().getAbsolutePath());
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+        assertNoTlsConnectivity(port, CERT_ALIAS_REVOKED);
     }
 
     @Test
@@ -248,42 +412,37 @@
     {
         final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL_EMPTY);
-        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
-        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL,
+                                 _emptyCrlFile.toFile().getAbsolutePath());
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+        assertTlsConnectivity(port, CERT_ALIAS_ALLOWED);
     }
 
     @Test
     public void externalWithRevocationAndAllowedCertificateWithCrlUrl() throws Exception
     {
-        assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
-                CRL_SERVER, is(not(equalTo(null))));
         final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
-        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+        assertTlsConnectivity(port, CERT_ALIAS_ALLOWED);
     }
 
     @Test
     public void externalWithRevocationAndRevokedCertificateWithCrlUrl() throws Exception
     {
-        assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
-                CRL_SERVER, is(not(equalTo(null))));
         final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
-        assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+        assertNoTlsConnectivity(port, CERT_ALIAS_REVOKED);
     }
 
     @Test
     public void externalWithRevocationAndRevokedCertificateWithCrlUrlWithEmptyCrl() throws Exception
     {
-        assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
-                CRL_SERVER, is(not(equalTo(null))));
         final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
-        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED_EMPTY_CRL);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+        assertTlsConnectivity(port, CERT_ALIAS_REVOKED_EMPTY_CRL);
     }
 
     @Test
@@ -291,91 +450,93 @@
     {
         final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, false);
-        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
-        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
-        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, _crlFile.toFile().getAbsolutePath());
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+        assertTlsConnectivity(port, CERT_ALIAS_REVOKED);
     }
 
     @Test
     public void externalWithRevocationDisabledWithCrlUrlInRevokedCertificate() throws Exception
     {
-        assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
-                CRL_SERVER, is(not(equalTo(null))));
         final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, false);
-        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
-        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+        assertTlsConnectivity(port, CERT_ALIAS_REVOKED);
     }
 
     @Test
     public void externalWithRevocationAndRevokedCertificateWithCrlUrlWithSoftFail() throws Exception
     {
-        assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
-                CRL_SERVER, is(not(equalTo(null))));
         final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_IGNORING_SOFT_FAILURES, true);
-        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
-        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED_INVALID_CRL_PATH);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+        assertTlsConnectivity(port, CERT_ALIAS_REVOKED_INVALID_CRL_PATH);
     }
 
     @Test
     public void externalWithRevocationAndRevokedCertificateWithCrlUrlWithoutPreferCrls() throws Exception
     {
-        assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
-                CRL_SERVER, is(not(equalTo(null))));
         final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST, false);
-        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
-        assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST,
+                                 false);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+        assertNoTlsConnectivity(port, CERT_ALIAS_ALLOWED);
     }
 
     @Test
     public void externalWithRevocationAndRevokedCertificateWithCrlUrlWithoutPreferCrlsWithFallback() throws Exception
     {
-        assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
-                CRL_SERVER, is(not(equalTo(null))));
         final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
-        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST, false);
+        trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST,
+                                 false);
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_NO_FALLBACK, false);
-        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
-        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+        assertTlsConnectivity(port, CERT_ALIAS_ALLOWED);
     }
 
     @Test
     public void externalWithRevocationAndRevokedIntermediateCertificateWithCrlUrl() throws Exception
     {
-        assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
-                CRL_SERVER, is(not(equalTo(null))));
         final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_OF_ONLY_END_ENTITY_CERTIFICATES, false);
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_IGNORING_SOFT_FAILURES, true);
-        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
-        assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+        assertNoTlsConnectivity(port, CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE);
     }
 
     @Test
     public void externalWithRevocationAndRevokedIntermediateCertificateWithCrlUrlOnlyEndEntity() throws Exception
     {
-        assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
-                CRL_SERVER, is(not(equalTo(null))));
         final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_OF_ONLY_END_ENTITY_CERTIFICATES, true);
         trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_IGNORING_SOFT_FAILURES, true);
-        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
-        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+        assertTlsConnectivity(port, CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE);
     }
 
     @Test
     public void externalDeniesUntrustedClientCert() throws Exception
     {
         assumeThat("QPID-8069", getProtocol(), is(anyOf(equalTo(Protocol.AMQP_1_0), equalTo(Protocol.AMQP_0_10))));
-        final int port = createExternalProviderAndTlsPort();
-        assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT);
+
+        final int port = createExternalProviderAndTlsPort(getBrokerTrustStoreAttributes(), null, false);
+
+        try
+        {
+            getConnectionBuilder(port, CERT_ALIAS_UNTRUSTED_CLIENT).setKeyStoreLocation(_clientUntrustedKeyStore)
+                                                                   .build()
+                                                                   .close();
+            fail("Should not be able to create a connection to the SSL port");
+        }
+        catch (JMSException e)
+        {
+            // pass
+        }
     }
 
     @Test
@@ -384,26 +545,26 @@
         assumeThat("QPID-8069", getProtocol(), is(anyOf(equalTo(Protocol.AMQP_1_0), equalTo(Protocol.AMQP_0_10))));
 
         final Map<String, Object> trustStoreAttributes = new HashMap<>();
-        trustStoreAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE);
-        trustStoreAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+        trustStoreAttributes.put(FileTrustStore.STORE_URL, _brokerPeerStore);
+        trustStoreAttributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
         trustStoreAttributes.put(FileTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
-        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
 
         try
         {
             getConnectionBuilder().setPort(port)
                                   .setTls(true)
                                   .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
-                                  .setKeyStoreLocation(TestSSLConstants.CLIENT_EXPIRED_KEYSTORE)
-                                  .setKeyStorePassword(TestSSLConstants.PASSWORD)
-                                  .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
-                                  .setTrustStorePassword(TestSSLConstants.PASSWORD)
+                                  .setKeyStoreLocation(_clientExpiredKeyStore)
+                                  .setKeyStorePassword(TLS_RESOURCE.getSecret())
+                                  .setTrustStoreLocation(_clientTrustStore)
+                                  .setTrustStorePassword(TLS_RESOURCE.getSecret())
                                   .build();
             fail("Connection should not succeed");
         }
         catch (JMSException e)
         {
-            e.printStackTrace();
+            // pass
         }
     }
 
@@ -411,48 +572,38 @@
     public void externalWithPeersOnlyTrustStore() throws Exception
     {
         final Map<String, Object> trustStoreAttributes = new HashMap<>();
-        trustStoreAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE);
-        trustStoreAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+        trustStoreAttributes.put(FileTrustStore.STORE_URL, _brokerPeerStore);
+        trustStoreAttributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
         trustStoreAttributes.put(FileTrustStore.PEERS_ONLY, true);
-        final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
-        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_APP1);
+        final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+        assertTlsConnectivity(port, CERT_ALIAS_APP1);
 
         assumeThat("QPID-8069", getProtocol(), is(anyOf(equalTo(Protocol.AMQP_1_0), equalTo(Protocol.AMQP_0_10))));
-        assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_APP2);
+        assertNoTlsConnectivity(port, CERT_ALIAS_APP2);
     }
 
     @Test
     public void externalWithRegularAndPeersOnlyTrustStores() throws Exception
     {
         final String trustStoreName = getTestName() + "RegularTrustStore";
-        final Connection brokerConnection = getConnectionBuilder().setVirtualHost("$management").build();
-        try
-        {
-            brokerConnection.start();
 
+        try (final BrokerManagementHelper helper = new BrokerManagementHelper(getConnectionBuilder(),
+                                                                              new AmqpManagementFacade(getProtocol())))
+        {
             final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
-            trustStoreAttributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
-
-            createEntity(trustStoreName,
-                         FileTrustStore.class.getName(),
-                         trustStoreAttributes,
-                         brokerConnection);
-
-        }
-        finally
-        {
-            brokerConnection.close();
+            helper.openManagementConnection()
+                  .createEntity(trustStoreName, FileTrustStore.class.getName(), trustStoreAttributes);
         }
 
         final Map<String, Object> trustStoreAttributes = new HashMap<>();
-        trustStoreAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE);
-        trustStoreAttributes.put(FileTrustStore.PASSWORD,TestSSLConstants.PASSWORD);
+        trustStoreAttributes.put(FileTrustStore.STORE_URL, _brokerPeerStore);
+        trustStoreAttributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
         trustStoreAttributes.put(FileTrustStore.PEERS_ONLY, true);
         final int port = createExternalProviderAndTlsPort(trustStoreAttributes, trustStoreName, false);
-        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_APP1);
+        assertTlsConnectivity(port, CERT_ALIAS_APP1);
 
         //use the app2 cert, which is NOT in the peerstore (but is signed by the same CA as app1)
-        assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_APP2);
+        assertTlsConnectivity(port, CERT_ALIAS_APP2);
     }
 
     @Test
@@ -462,19 +613,16 @@
 
         final String clientId = getTestName();
         final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, true);
-        final Connection connection = getConnectionBuilder().setPort(port)
-                                                      .setTls(true)
-                                                      .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
-                                                      .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
-                                                      .setKeyStorePassword(TestSSLConstants.PASSWORD)
-                                                      .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
-                                                      .setTrustStorePassword(TestSSLConstants.PASSWORD)
-                                                      .setKeyAlias(TestSSLConstants.CERT_ALIAS_APP2)
-                                                      .setClientId(clientId)
-                                                      .build();
+        final Connection connection = getConnectionBuilder(port, CERT_ALIAS_APP2).setClientId(clientId).build();
         try
         {
-            assertConnectionPrincipal( clientId, "CN=app2@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA");
+            try (final BrokerManagementHelper helper = new BrokerManagementHelper(getConnectionBuilder(),
+                                                                                  new AmqpManagementFacade(getProtocol())))
+            {
+                String principal =
+                        helper.openManagementConnection().getConnectionPrincipalByClientId(getPortName(), clientId);
+                assertEquals("Unexpected principal", "CN=app2@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA", principal);
+            }
         }
         catch (JMSException e)
         {
@@ -493,19 +641,16 @@
 
         final String clientId = getTestName();
         final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
-        final Connection connection = getConnectionBuilder().setPort(port)
-                                                      .setTls(true)
-                                                      .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
-                                                      .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
-                                                      .setKeyStorePassword(TestSSLConstants.PASSWORD)
-                                                      .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
-                                                      .setTrustStorePassword(TestSSLConstants.PASSWORD)
-                                                      .setKeyAlias(TestSSLConstants.CERT_ALIAS_APP2)
-                                                      .setClientId(clientId)
-                                                      .build();
+        final Connection connection = getConnectionBuilder(port, CERT_ALIAS_APP2).setClientId(clientId).build();
         try
         {
-            assertConnectionPrincipal( clientId, "app2@acme.org");
+            try (final BrokerManagementHelper helper = new BrokerManagementHelper(getConnectionBuilder(),
+                                                                                  new AmqpManagementFacade(getProtocol())))
+            {
+                String principal =
+                        helper.openManagementConnection().getConnectionPrincipalByClientId(getPortName(), clientId);
+                assertEquals("Unexpected principal", "app2@acme.org", principal);
+            }
         }
         catch (JMSException e)
         {
@@ -517,135 +662,38 @@
         }
     }
 
-    private void assertConnectionPrincipal(final String clientId, final String expectedPrincipal) throws Exception
-    {
-        final Connection brokerConnection = getConnectionBuilder().setVirtualHost("$management").build();
-        try
-        {
-            brokerConnection.start();
-
-            String principal = null;
-            final List<Map<String, Object>> connections = queryEntitiesUsingAmqpManagement("org.apache.qpid.Connection", brokerConnection);
-            for (final Map<String, Object> connection : connections)
-            {
-                final String name = String.valueOf(connection.get(ConfiguredObject.NAME));
-                final Map<String, Object> attributes;
-                try
-                {
-                    attributes = readEntityUsingAmqpManagement(
-                            getPortName() + "/" + name,
-                            "org.apache.qpid.Connection",
-                            false,
-                            brokerConnection);
-                }
-                catch (AmqpManagementFacade.OperationUnsuccessfulException e)
-                {
-                    LOGGER.error("Read operation failed for an existing object '{}' having attributes '{}': {}",
-                                 getPortName() + "/" + name,
-                                 connection,
-                                 e.getMessage(),
-                                 e);
-                    throw e;
-                }
-                if (attributes.get(org.apache.qpid.server.model.Connection.CLIENT_ID).equals(clientId))
-                {
-                    principal = String.valueOf(attributes.get(org.apache.qpid.server.model.Connection.PRINCIPAL));
-                    break;
-                }
-            }
-            assertEquals("Unexpected principal", expectedPrincipal, principal);
-        }
-        finally
-        {
-            brokerConnection.close();
-        }
-    }
-
     private Map<String, Object> getBrokerTrustStoreAttributes()
     {
         final Map<String, Object> trustStoreAttributes = new HashMap<>();
-        trustStoreAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_TRUSTSTORE);
-        trustStoreAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+        trustStoreAttributes.put(FileTrustStore.STORE_URL, _brokerTrustStore);
+        trustStoreAttributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+        trustStoreAttributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
         return trustStoreAttributes;
     }
 
-    private int createExternalProviderAndTlsPort() throws Exception
-    {
-        return createExternalProviderAndTlsPort(getBrokerTrustStoreAttributes());
-    }
-
-    private int createExternalProviderAndTlsPort(final Map<String, Object> trustStoreAttributes) throws Exception
-    {
-        return createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
-    }
-
     private int createExternalProviderAndTlsPort(final Map<String, Object> trustStoreAttributes,
                                                  final String additionalTrustStore,
                                                  final boolean useFullDN) throws Exception
     {
         final String providerName = getTestName();
-        final Connection connection = getConnectionBuilder().setVirtualHost("$management").build();
-        try
+        final String keyStoreName = providerName + "KeyStore";
+        final String trustStoreName = providerName + "TrustStore";
+        final String portName = getPortName();
+        final Map<String, Object> trustStoreSettings = new HashMap<>(trustStoreAttributes);
+
+        final String[] trustStores = additionalTrustStore == null
+                ? new String[]{trustStoreName}
+                : new String[]{trustStoreName, additionalTrustStore};
+
+        try (BrokerManagementHelper helper = new BrokerManagementHelper(getConnectionBuilder(),
+                                                                        new AmqpManagementFacade(getProtocol())))
         {
-            connection.start();
-
-            final Map<String, Object> providerAttributes = new HashMap<>();
-            providerAttributes.put("qpid-type", ExternalAuthenticationManager.PROVIDER_TYPE);
-            providerAttributes.put(ExternalAuthenticationManager.ATTRIBUTE_USE_FULL_DN, useFullDN);
-            createEntity(providerName,
-                         AuthenticationProvider.class.getName(),
-                         providerAttributes,
-                         connection);
-
-            final Map<String, Object> keyStoreAttributes = new HashMap<>();
-            keyStoreAttributes.put("storeUrl", TestSSLConstants.BROKER_KEYSTORE);
-            keyStoreAttributes.put("password", TestSSLConstants.PASSWORD);
-            keyStoreAttributes.put("keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
-
-            final String keyStoreName = providerName + "KeyStore";
-            createEntity(keyStoreName,
-                         FileKeyStore.class.getName(),
-                         keyStoreAttributes,
-                         connection);
-
-            final Map<String, Object> trustStoreSettings = new HashMap<>(trustStoreAttributes);
-            trustStoreSettings.put("trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
-            final String trustStoreName = providerName + "TrustStore";
-            createEntity(trustStoreName,
-                         FileTrustStore.class.getName(),
-                         trustStoreSettings,
-                         connection);
-
-            final String portName = getPortName();
-            final Map<String, Object> sslPortAttributes = new HashMap<>();
-            sslPortAttributes.put(Port.TRANSPORTS, "[\"SSL\"]");
-            sslPortAttributes.put(Port.PORT, 0);
-            sslPortAttributes.put(Port.AUTHENTICATION_PROVIDER, providerName);
-            sslPortAttributes.put(Port.NEED_CLIENT_AUTH, true);
-            sslPortAttributes.put(Port.WANT_CLIENT_AUTH, false);
-            sslPortAttributes.put(Port.NAME, portName);
-            sslPortAttributes.put(Port.KEY_STORE, keyStoreName);
-            final String trustStores = additionalTrustStore == null
-                    ? "[\"" + trustStoreName + "\"]"
-                    : "[\"" + trustStoreName + "\",\"" + additionalTrustStore + "\"]";
-            sslPortAttributes.put(Port.TRUST_STORES, trustStores);
-
-            createEntity(portName,
-                         "org.apache.qpid.AmqpPort",
-                         sslPortAttributes,
-                         connection);
-
-            final Map<String, Object> portEffectiveAttributes =
-                    readEntityUsingAmqpManagement(portName, "org.apache.qpid.AmqpPort", false, connection);
-            if (portEffectiveAttributes.containsKey("boundPort"))
-            {
-                return (int) portEffectiveAttributes.get("boundPort");
-            }
-            throw new RuntimeException("Bound port is not found");
-        }
-        finally
-        {
-            connection.close();
+            return helper.openManagementConnection()
+                         .createExternalAuthenticationProvider(providerName, useFullDN)
+                         .createKeyStore(keyStoreName, _brokerKeyStore, TLS_RESOURCE.getSecret())
+                         .createEntity(trustStoreName, FileTrustStore.class.getName(), trustStoreSettings)
+                         .createAmqpTlsPort(portName, providerName, keyStoreName, false, true, false, trustStores)
+                         .getAmqpBoundPort(portName);
         }
     }
 
@@ -655,56 +703,40 @@
     }
 
     private int createAuthenticationProviderAndUserAndPort(final String providerName,
-                                                           final String providerType,
-                                                           final String userName,
-                                                           final String userPassword) throws Exception
+                                                           final String providerType) throws Exception
     {
-        final Connection connection = getConnectionBuilder().setVirtualHost("$management").build();
-        try
+
+        final String portName = providerName + "Port";
+        final Map<String, Object> portAttributes = new HashMap<>();
+        portAttributes.put(Port.AUTHENTICATION_PROVIDER, providerName);
+        portAttributes.put(Port.PORT, 0);
+
+        try (BrokerManagementHelper helper = new BrokerManagementHelper(getConnectionBuilder(),
+                                                                        new AmqpManagementFacade(getProtocol())))
         {
-            connection.start();
-
-            createEntity(providerName,
-                         AuthenticationProvider.class.getName(),
-                         Collections.singletonMap("qpid-type", providerType),
-                         connection);
-            final Map<String, Object> userAttributes = new HashMap<>();
-            userAttributes.put("qpid-type", "managed");
-            userAttributes.put(User.PASSWORD, userPassword);
-            userAttributes.put("object-path", providerName);
-            createEntity(userName, User.class.getName(), userAttributes, connection);
-
-            final String portName = providerName + "Port";
-            final Map<String, Object> portAttributes = new HashMap<>();
-            portAttributes.put(Port.AUTHENTICATION_PROVIDER, providerName);
-            portAttributes.put(Port.PORT, 0);
-            createEntity(portName, "org.apache.qpid.AmqpPort", portAttributes, connection);
-
-            final Map<String, Object> portEffectiveAttributes =
-                    readEntityUsingAmqpManagement(portName, "org.apache.qpid.AmqpPort", false, connection);
-            if (portEffectiveAttributes.containsKey("boundPort"))
-            {
-                return (int) portEffectiveAttributes.get("boundPort");
-            }
-            throw new RuntimeException("Bound port is not found");
-        }
-        finally
-        {
-            connection.close();
+            return helper.openManagementConnection()
+                         .createAuthenticationProvider(providerName, providerType)
+                         .createUser(providerName, USER, USER_PASSWORD)
+                         .createEntity(portName, "org.apache.qpid.AmqpPort", portAttributes)
+                         .getAmqpBoundPort(portName);
         }
     }
 
     private Connection getConnection(int port, String certificateAlias) throws NamingException, JMSException
     {
+        return getConnectionBuilder(port, certificateAlias).build();
+    }
+
+    private ConnectionBuilder getConnectionBuilder(int port, String certificateAlias)
+    {
         return getConnectionBuilder().setPort(port)
-                .setTls(true)
-                .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
-                .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
-                .setKeyStorePassword(TestSSLConstants.PASSWORD)
-                .setKeyAlias(certificateAlias)
-                .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
-                .setTrustStorePassword(TestSSLConstants.PASSWORD)
-                .build();
+                                     .setTls(true)
+                                     .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
+                                     .setKeyStoreLocation(_clientKeyStore)
+                                     .setKeyStorePassword(TLS_RESOURCE.getSecret())
+                                     .setKeyAlias(certificateAlias)
+                                     .setTrustStoreLocation(_clientTrustStore)
+                                     .setTrustStorePassword(TLS_RESOURCE.getSecret());
     }
 
     private void assertTlsConnectivity(int port, String certificateAlias) throws NamingException, JMSException
@@ -734,16 +766,15 @@
         }
     }
 
+
     private void assertPlainConnectivity(final int port,
-                                         final String userName,
-                                         final String userPassword,
                                          final String mechanism) throws Exception
     {
         final Connection connection = getConnectionBuilder().setPort(port)
-                                                      .setUsername(userName)
-                                                      .setPassword(userPassword)
-                                                      .setSaslMechanisms(mechanism)
-                                                      .build();
+                                                            .setUsername(USER)
+                                                            .setPassword(USER_PASSWORD)
+                                                            .setSaslMechanisms(mechanism)
+                                                            .build();
         try
         {
             final Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
@@ -758,8 +789,8 @@
         try
         {
             getConnectionBuilder().setPort(port)
-                                  .setUsername(userName)
-                                  .setPassword("invalid" + userPassword)
+                                  .setUsername(USER)
+                                  .setPassword("invalid" + USER_PASSWORD)
                                   .setSaslMechanisms(mechanism)
                                   .build();
             fail("Connection is established for invalid password");
@@ -772,8 +803,8 @@
         try
         {
             getConnectionBuilder().setPort(port)
-                                  .setUsername("invalid" + userName)
-                                  .setPassword(userPassword)
+                                  .setUsername("invalid" + AuthenticationTest.USER)
+                                  .setPassword(USER_PASSWORD)
                                   .setSaslMechanisms(mechanism)
                                   .build();
             fail("Connection is established for invalid user name");
@@ -792,10 +823,17 @@
         HANDLERS.addHandler(contextHandler);
     }
 
+
+    public static String createDataUrlForFile(Path file) throws IOException
+    {
+        return DataUrlUtils.getDataUrlForBytes(Files.readAllBytes(file));
+    }
+
     private static class CrlServerHandler extends AbstractHandler
     {
         final Path crlPath;
-        public CrlServerHandler(Path crlPath)
+
+        CrlServerHandler(Path crlPath)
         {
             this.crlPath = crlPath;
         }
@@ -806,9 +844,10 @@
         {
             final byte[] crlBytes = Files.readAllBytes(crlPath);
             response.setStatus(HttpServletResponse.SC_OK);
-            final OutputStream responseBody = response.getOutputStream();
-            responseBody.write(crlBytes);
-            responseBody.close();
+            try (final OutputStream responseBody = response.getOutputStream())
+            {
+                responseBody.write(crlBytes);
+            }
         }
     }
 }

diff --git a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/tls/TlsTest.java b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/tls/TlsTest.java
index da61319..ac07103 100644
--- a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/tls/TlsTest.java
+++ b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/tls/TlsTest.java

@@ -20,7 +20,6 @@
  */
 package org.apache.qpid.systests.jms_1_1.extensions.tls;
 
-import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.hamcrest.CoreMatchers.anyOf;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.is;
@@ -30,20 +29,12 @@
 import static org.junit.Assume.assumeThat;
 
 import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.InputStream;
 import java.io.UnsupportedEncodingException;
 import java.net.InetSocketAddress;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
-import java.nio.file.Files;
-import java.security.Key;
-import java.security.cert.Certificate;
-import java.util.Base64;
 import java.util.Collections;
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
 
 import javax.jms.Connection;
@@ -52,24 +43,29 @@
 
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
+import org.junit.ClassRule;
 import org.junit.Test;
 
-import org.apache.qpid.server.model.Port;
 import org.apache.qpid.server.model.Protocol;
-import org.apache.qpid.server.security.FileKeyStore;
-import org.apache.qpid.server.security.FileTrustStore;
+import org.apache.qpid.test.utils.tls.TlsResource;
 import org.apache.qpid.systests.AmqpManagementFacade;
-import org.apache.qpid.systests.ConnectionBuilder;
 import org.apache.qpid.systests.JmsTestBase;
-import org.apache.qpid.test.utils.TestSSLConstants;
-import org.apache.qpid.test.utils.TestSSLUtils;
+import org.apache.qpid.systests.jms_1_1.extensions.BrokerManagementHelper;
+import org.apache.qpid.systests.jms_1_1.extensions.TlsHelper;
 import org.apache.qpid.tests.utils.BrokerAdmin;
 
 public class TlsTest extends JmsTestBase
 {
+    @ClassRule
+    public static final TlsResource TLS_RESOURCE = new TlsResource();
+
+    private static TlsHelper _tlsHelper;
+
     @BeforeClass
-    public static void setUp()
+    public static void setUp() throws Exception
     {
+        _tlsHelper = new TlsHelper(TLS_RESOURCE);
+
         System.setProperty("javax.net.debug", "ssl");
 
         // workaround for QPID-8069
@@ -78,12 +74,6 @@
             System.setProperty("amqj.MaximumStateWait", "4000");
         }
 
-        // legacy client keystore/truststore types can only be configured with JVM settings
-        if (getProtocol() != Protocol.AMQP_1_0)
-        {
-            System.setProperty("javax.net.ssl.trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
-            System.setProperty("javax.net.ssl.keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
-        }
     }
 
     @AfterClass
@@ -94,12 +84,6 @@
         {
             System.clearProperty("amqj.MaximumStateWait");
         }
-
-        if (getProtocol() != Protocol.AMQP_1_0)
-        {
-            System.clearProperty("javax.net.ssl.trustStoreType");
-            System.clearProperty("javax.net.ssl.keyStoreType");
-        }
     }
 
     @Test
@@ -112,10 +96,10 @@
         Connection connection = getConnectionBuilder().setPort(port)
                                                       .setHost(brokerAddress.getHostName())
                                                       .setTls(true)
-                                                      .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
-                                                      .setKeyStorePassword(TestSSLConstants.PASSWORD)
-                                                      .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
-                                                      .setTrustStorePassword(TestSSLConstants.PASSWORD)
+                                                      .setKeyStoreLocation(_tlsHelper.getClientKeyStore())
+                                                      .setKeyStorePassword(TLS_RESOURCE.getSecret())
+                                                      .setTrustStoreLocation(_tlsHelper.getClientTrustStore())
+                                                      .setTrustStorePassword(TLS_RESOURCE.getSecret())
                                                       .build();
         try
         {
@@ -135,7 +119,7 @@
                    is(not(equalTo(Protocol.AMQP_1_0))));
 
         int port = configureTlsPort(getTestPortName(), false, false, false);
-        File trustCertFile = extractCertFileFromTestTrustStore();
+        File trustCertFile = TLS_RESOURCE.saveCertificateAsPem(_tlsHelper.getCaCertificate()).toFile();
 
         InetSocketAddress brokerAddress = getBrokerAdmin().getBrokerAddress(BrokerAdmin.PortType.AMQP);
         Connection connection = getConnectionBuilder().setPort(port)
@@ -193,10 +177,10 @@
             getConnectionBuilder().setPort(port)
                                   .setHost("127.0.0.1")
                                   .setTls(true)
-                                  .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
-                                  .setKeyStorePassword(TestSSLConstants.PASSWORD)
-                                  .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
-                                  .setTrustStorePassword(TestSSLConstants.PASSWORD)
+                                  .setKeyStoreLocation(_tlsHelper.getClientKeyStore())
+                                  .setKeyStorePassword(TLS_RESOURCE.getSecret())
+                                  .setTrustStoreLocation(_tlsHelper.getClientTrustStore())
+                                  .setTrustStorePassword(TLS_RESOURCE.getSecret())
                                   .build();
             fail("Exception not thrown");
         }
@@ -208,10 +192,10 @@
         Connection connection = getConnectionBuilder().setPort(port)
                                                       .setHost("127.0.0.1")
                                                       .setTls(true)
-                                                      .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
-                                                      .setKeyStorePassword(TestSSLConstants.PASSWORD)
-                                                      .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
-                                                      .setTrustStorePassword(TestSSLConstants.PASSWORD)
+                                                      .setKeyStoreLocation(_tlsHelper.getClientKeyStore())
+                                                      .setKeyStorePassword(TLS_RESOURCE.getSecret())
+                                                      .setTrustStoreLocation(_tlsHelper.getClientTrustStore())
+                                                      .setTrustStorePassword(TLS_RESOURCE.getSecret())
                                                       .setVerifyHostName(false)
                                                       .build();
         try
@@ -261,7 +245,7 @@
             Connection connection = getConnectionBuilder().setClientId(getTestName())
                                                           .setPort(port)
                                                           .setTls(true)
-                                                          .setKeyAlias(TestSSLConstants.CERT_ALIAS_APP1)
+                                                          .setKeyAlias(TlsHelper.CERT_ALIAS_APP1)
                                                           .build();
             try
             {
@@ -274,7 +258,7 @@
 
             Connection connection2 = getConnectionBuilder().setPort(port)
                                                            .setTls(true)
-                                                           .setKeyAlias(TestSSLConstants.CERT_ALIAS_APP2)
+                                                           .setKeyAlias(TlsHelper.CERT_ALIAS_APP2)
                                                            .build();
             try
             {
@@ -357,8 +341,8 @@
         Connection connection = getConnectionBuilder().setPort(port)
                                                       .setHost(brokerAddress.getHostName())
                                                       .setTls(true)
-                                                      .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
-                                                      .setTrustStorePassword(TestSSLConstants.PASSWORD)
+                                                      .setTrustStoreLocation(_tlsHelper.getClientTrustStore())
+                                                      .setTrustStorePassword(TLS_RESOURCE.getSecret())
                                                       .build();
         try
         {
@@ -383,8 +367,8 @@
             getConnectionBuilder().setPort(port)
                                   .setHost(getBrokerAdmin().getBrokerAddress(BrokerAdmin.PortType.AMQP).getHostName())
                                   .setTls(true)
-                                  .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
-                                  .setTrustStorePassword(TestSSLConstants.PASSWORD)
+                                  .setTrustStoreLocation(_tlsHelper.getClientTrustStore())
+                                  .setTrustStorePassword(TLS_RESOURCE.getSecret())
                                   .build();
             fail("Connection was established successfully");
         }
@@ -404,8 +388,8 @@
         Connection connection = getConnectionBuilder().setPort(port)
                                                       .setHost(brokerAddress.getHostName())
                                                       .setTls(true)
-                                                      .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
-                                                      .setTrustStorePassword(TestSSLConstants.PASSWORD)
+                                                      .setTrustStoreLocation(_tlsHelper.getClientTrustStore())
+                                                      .setTrustStorePassword(TLS_RESOURCE.getSecret())
                                                       .build();
         try
         {
@@ -429,8 +413,8 @@
             getConnectionBuilder().setPort(port)
                                   .setHost(getBrokerAdmin().getBrokerAddress(BrokerAdmin.PortType.AMQP).getHostName())
                                   .setTls(true)
-                                  .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
-                                  .setTrustStorePassword(TestSSLConstants.PASSWORD)
+                                  .setTrustStoreLocation(_tlsHelper.getClientTrustStore())
+                                  .setTrustStorePassword(TLS_RESOURCE.getSecret())
                                   .build();
             fail("Connection was established successfully");
         }
@@ -451,10 +435,10 @@
         Connection connection = getConnectionBuilder().setPort(port)
                                                       .setHost(brokerAddress.getHostName())
                                                       .setTls(true)
-                                                      .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
-                                                      .setKeyStorePassword(TestSSLConstants.PASSWORD)
-                                                      .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
-                                                      .setTrustStorePassword(TestSSLConstants.PASSWORD)
+                                                      .setKeyStoreLocation(_tlsHelper.getClientKeyStore())
+                                                      .setKeyStorePassword(TLS_RESOURCE.getSecret())
+                                                      .setTrustStoreLocation(_tlsHelper.getClientTrustStore())
+                                                      .setTrustStorePassword(TLS_RESOURCE.getSecret())
                                                       .build();
         try
         {
@@ -493,16 +477,18 @@
         int port = configureTlsPort(getTestPortName(), true, false, false);
 
         clearSslStoreSystemProperties();
-        File[] certAndKeyFiles = extractResourcesFromTestKeyStore();
+
         final Map<String, String> options = new HashMap<>();
-        options.put("client_cert_path", encodePathOption(certAndKeyFiles[1].getCanonicalPath()));
-        options.put("client_cert_priv_key_path", encodePathOption(certAndKeyFiles[0].getCanonicalPath()));
+        File keyFile = TLS_RESOURCE.savePrivateKeyAsPem(_tlsHelper.getClientPrivateKey()).toFile();
+        File certificateFile = TLS_RESOURCE.saveCertificateAsPem(_tlsHelper.getClientCerificate(), _tlsHelper.getCaCertificate()).toFile();
+        options.put("client_cert_path", encodePathOption(certificateFile.getCanonicalPath()));
+        options.put("client_cert_priv_key_path", encodePathOption(keyFile.getCanonicalPath()));
         InetSocketAddress brokerAddress = getBrokerAdmin().getBrokerAddress(BrokerAdmin.PortType.AMQP);
         Connection connection = getConnectionBuilder().setPort(port)
                                                       .setHost(brokerAddress.getHostName())
                                                       .setTls(true)
-                                                      .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
-                                                      .setTrustStorePassword(TestSSLConstants.PASSWORD)
+                                                      .setTrustStoreLocation(_tlsHelper.getClientTrustStore())
+                                                      .setTrustStorePassword(TLS_RESOURCE.getSecret())
                                                       .setVerifyHostName(false)
                                                       .setOptions(options)
                                                       .build();
@@ -523,152 +509,33 @@
                                  final boolean samePort) throws Exception
     {
 
-        return createTlsPort(portName,
-                             needClientAuth,
-                             wantClientAuth,
-                             samePort,
-                             getConnectionBuilder(),
-                             new AmqpManagementFacade(getProtocol()),
-                             getBrokerAdmin().getBrokerAddress(BrokerAdmin.PortType.AMQP).getPort());
-    }
-
-    public static int createTlsPort(final String portName,
-                                    final boolean needClientAuth,
-                                    final boolean wantClientAuth,
-                                    final boolean plainAndSsl,
-                                    final ConnectionBuilder connectionBuilder,
-                                    final AmqpManagementFacade managementFacade,
-                                    final int brokerPort) throws Exception
-    {
-        Connection connection = connectionBuilder.setVirtualHost("$management").build();
-        try
+        final String keyStoreName = portName + "KeyStore";
+        final String trustStoreName = portName + "TrustStore";
+        try (final BrokerManagementHelper helper = new BrokerManagementHelper(getConnectionBuilder(),
+                                                                              new AmqpManagementFacade(getProtocol())))
         {
-            connection.start();
-            String keyStoreName = portName + "KeyStore";
-            String trustStoreName = portName + "TrustStore";
-            String authenticationProvider = null;
+            helper.openManagementConnection();
 
-            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
-            try
-            {
-                List<Map<String, Object>> ports =
-                        managementFacade.managementQueryObjects(session, "org.apache.qpid.AmqpPort");
-                for (Map<String, Object> port : ports)
-                {
-                    String name = String.valueOf(port.get(Port.NAME));
-
-                    Session s = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
-                    try
-                    {
-                        Map<String, Object> attributes = managementFacade.readEntityUsingAmqpManagement(s,
-                                                                                                        "org.apache.qpid.AmqpPort",
-                                                                                                        name,
-                                                                                                        false);
-                        if (attributes.get("boundPort").equals(brokerPort))
-                        {
-                            authenticationProvider = String.valueOf(attributes.get(Port.AUTHENTICATION_PROVIDER));
-                            break;
-                        }
-                    }
-                    finally
-                    {
-                        s.close();
-                    }
-                }
-            }
-            finally
-            {
-                session.close();
-            }
-
-            session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
-            try
-            {
-                final Map<String, Object> keyStoreAttributes = new HashMap<>();
-                keyStoreAttributes.put("storeUrl", TestSSLConstants.BROKER_KEYSTORE);
-                keyStoreAttributes.put("password", TestSSLConstants.PASSWORD);
-                keyStoreAttributes.put("keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
-                managementFacade.createEntityAndAssertResponse(keyStoreName,
-                                                               FileKeyStore.class.getName(),
-                                                               keyStoreAttributes,
-                                                               session);
-            }
-            finally
-            {
-                session.close();
-            }
-
-            session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
-            try
-            {
-                final Map<String, Object> trustStoreAttributes = new HashMap<>();
-                trustStoreAttributes.put("storeUrl", TestSSLConstants.BROKER_TRUSTSTORE);
-                trustStoreAttributes.put("password", TestSSLConstants.PASSWORD);
-                trustStoreAttributes.put("trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
-                managementFacade.createEntityAndAssertResponse(trustStoreName,
-                                                               FileTrustStore.class.getName(),
-                                                               trustStoreAttributes,
-                                                               session);
-            }
-            finally
-            {
-                session.close();
-            }
-
-            session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
-            try
-            {
-                Map<String, Object> sslPortAttributes = new HashMap<>();
-                sslPortAttributes.put(Port.TRANSPORTS, plainAndSsl ? "[\"SSL\",\"TCP\"]" : "[\"SSL\"]");
-                sslPortAttributes.put(Port.PORT, 0);
-                sslPortAttributes.put(Port.AUTHENTICATION_PROVIDER, authenticationProvider);
-                sslPortAttributes.put(Port.NEED_CLIENT_AUTH, needClientAuth);
-                sslPortAttributes.put(Port.WANT_CLIENT_AUTH, wantClientAuth);
-                sslPortAttributes.put(Port.NAME, portName);
-                sslPortAttributes.put(Port.KEY_STORE, keyStoreName);
-                sslPortAttributes.put(Port.TRUST_STORES, "[\"" + trustStoreName + "\"]");
-
-                managementFacade.createEntityAndAssertResponse(portName,
-                                                               "org.apache.qpid.AmqpPort",
-                                                               sslPortAttributes,
-                                                               session);
-            }
-            finally
-            {
-                session.close();
-            }
-
-            session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
-            try
-            {
-                Map<String, Object> portEffectiveAttributes =
-                        managementFacade.readEntityUsingAmqpManagement(session,
-                                                                       "org.apache.qpid.AmqpPort",
-                                                                       portName,
-                                                                       false);
-                if (portEffectiveAttributes.containsKey("boundPort"))
-                {
-                    return (int) portEffectiveAttributes.get("boundPort");
-                }
-                throw new RuntimeException("Bound port is not found");
-            }
-            finally
-            {
-                session.close();
-            }
-        }
-        finally
-        {
-            connection.close();
+            final String authenticationManager = helper.getAuthenticationProviderNameForAmqpPort(getBrokerAdmin().getBrokerAddress(
+                    BrokerAdmin.PortType.AMQP).getPort());
+            return helper.createKeyStore(keyStoreName, _tlsHelper.getBrokerKeyStore(), TLS_RESOURCE.getSecret())
+                         .createTrustStore(trustStoreName, _tlsHelper.getBrokerTrustStore(), TLS_RESOURCE.getSecret())
+                         .createAmqpTlsPort(portName,
+                                            authenticationManager,
+                                            keyStoreName,
+                                            samePort,
+                                            needClientAuth,
+                                            wantClientAuth,
+                                            trustStoreName).getAmqpBoundPort(portName);
         }
     }
 
     private void setSslStoreSystemProperties()
     {
-        System.setProperty("javax.net.ssl.keyStore", TestSSLConstants.CLIENT_KEYSTORE);
-        System.setProperty("javax.net.ssl.keyStorePassword", TestSSLConstants.PASSWORD);
-        System.setProperty("javax.net.ssl.trustStore", TestSSLConstants.CLIENT_TRUSTSTORE);
-        System.setProperty("javax.net.ssl.trustStorePassword", TestSSLConstants.PASSWORD);
+        System.setProperty("javax.net.ssl.keyStore", _tlsHelper.getClientKeyStore());
+        System.setProperty("javax.net.ssl.keyStorePassword", TLS_RESOURCE.getSecret());
+        System.setProperty("javax.net.ssl.trustStore", _tlsHelper.getClientTrustStore());
+        System.setProperty("javax.net.ssl.trustStorePassword", TLS_RESOURCE.getSecret());
     }
 
     private void clearSslStoreSystemProperties()
@@ -679,69 +546,6 @@
         System.clearProperty("javax.net.ssl.trustStorePassword");
     }
 
-    private File[] extractResourcesFromTestKeyStore() throws Exception
-    {
-        java.security.KeyStore ks = java.security.KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE);
-        try (InputStream is = new FileInputStream(TestSSLConstants.CLIENT_KEYSTORE))
-        {
-            ks.load(is, TestSSLConstants.PASSWORD.toCharArray());
-        }
-
-        File privateKeyFile = Files.createTempFile(getTestName(), ".private-key.der").toFile();
-        try (FileOutputStream kos = new FileOutputStream(privateKeyFile))
-        {
-            Key pvt = ks.getKey(TestSSLConstants.CERT_ALIAS_APP1, TestSSLConstants.PASSWORD.toCharArray());
-            kos.write(TestSSLUtils.privateKeyToPEM(pvt).getBytes(UTF_8));
-        }
-
-        File certificateFile = Files.createTempFile(getTestName(), ".certificate.der").toFile();
-        try (FileOutputStream cos = new FileOutputStream(certificateFile))
-        {
-            Certificate[] chain = ks.getCertificateChain(TestSSLConstants.CERT_ALIAS_APP1);
-            for (Certificate pub : chain)
-            {
-                cos.write(TestSSLUtils.certificateToPEM(pub).getBytes(UTF_8));
-            }
-            cos.flush();
-        }
-
-        return new File[]{privateKeyFile, certificateFile};
-    }
-
-    private File extractCertFileFromTestTrustStore() throws Exception
-    {
-        java.security.KeyStore ks = java.security.KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE);
-        try (InputStream is = new FileInputStream(TestSSLConstants.CLIENT_TRUSTSTORE))
-        {
-            ks.load(is, TestSSLConstants.PASSWORD.toCharArray());
-        }
-
-        File certificateFile = Files.createTempFile(getTestName(), ".crt").toFile();
-
-        try (FileOutputStream cos = new FileOutputStream(certificateFile))
-        {
-
-            for (String alias : Collections.list(ks.aliases()))
-            {
-                Certificate pub = ks.getCertificate(alias);
-                cos.write("-----BEGIN CERTIFICATE-----\n".getBytes());
-                String base64encoded = Base64.getEncoder().encodeToString(pub.getEncoded());
-                while (base64encoded.length() > 76)
-                {
-                    cos.write(base64encoded.substring(0, 76).getBytes());
-                    cos.write("\n".getBytes());
-                    base64encoded = base64encoded.substring(76);
-                }
-                cos.write(base64encoded.getBytes());
-
-                cos.write("\n-----END CERTIFICATE-----\n".getBytes());
-            }
-            cos.flush();
-        }
-
-        return certificateFile;
-    }
-
     private String getTestPortName()
     {
         return getTestName() + "TlsPort";